Securing Home Wi-Fi

Almost everyone knows that they should secure their home wi-fi network, but many people don’t realize that in addition to your wi-fi password, you should also set the password for your home network router. I promised at my presentation at the Ferndale Public Library on personal computer security that I would explain why and how to change your router password. This blog fulfills that promise.

On Saturday, March 7 and 14, at 3:00 pm, I will repeat at the Lynden Public Library the Ferndale presentations I gave on personal computer security and online privacy.

Your Wi-Fi Network Password

Today, establishing a password for your network is almost automatic. When you set up your home network with your network service provider, like Comcast, you are prompted to use a password, often printed on a label stuck to the modem-router combination supplied by your network service provider.

I suggest you change the supplied password to one of your own choice for two reasons. First, if your provider has a dishonest employee (let’s face it – that does happen on rare occasions) they won’t have access to your network password. Consequently, if your provider has to work on your system, they’ll have to ask for the password. That may be a slight inconvenience, but I prefer it that way. The risk to using a unique network password supplied by your network service provider is not great, but setting your own password is easy, so I prefer to avoid the small risk.

Second, the provider-supplied password is random and hard to remember. Your home network password is one you use infrequently, but you do have to use it when you add a new device. I prefer a password I can remember instead of having to find the sticker, write the password down on paper, use it, then remember to destroy the paper so a neighbor kid won’t pick it up and run up my wi-fi bill streaming bandwidth-hog video games. A long nonsense phrase can be both hard to crack and easy to remember. Choose a phrase that doesn’t get hits on Google searches, like “3horsesdrank2muchcarrotjuice!”.

I would not try to store your wi-fi network password in a password manager. You might be able to do it, but it will probably be too awkward to bother with. Most password managers are not designed to interact with wi-fi sign-ons. Choose your phrase and write it down, then store the paper in a safe place. Unless you are gaga for network gizmos, you’ll only use your network password a few times a year, so you might forget it. If you have a home safe for your important papers, that might be a good storage choice. You should be aware that stolen wi-fi is a master hacker’s network access of choice. They’ve been known to use directional antennas to pick up insecure or loosely secured wi-fi from blocks away.

As a side note, your router may have a button you can push to avoid having to look up and type in the network password when you add a new device. This method is not totally secure if you have an attentive hacker in your vicinity. I choose not to use the button.

If you think you are being victimized by bandwidth thieves, change your network password and set up a device white list on your router. I’ll explain what I mean by a white list in another blog.

Having set your network password, there is another password that you should take care of: your router password. Router passwords are not part of your first line of defense. A hacker must first break into your network in order to make use of your router password, but if you leave the default password on your router, which it will be if you don’t change it, a hacker who breaches your network can do much more damage than one who can’t get to your router.

Routers

Your router is your connection to the Internet. It is a specialized computer that routes messages to and from the computers on your home wi-fi network to the rest of the network. As computers go, a home router is very good at what it does, but it could be replaced by an ordinary personal computer running special programs. Early home networks were often implemented by designating a PC as the local network router and loading it with routing software and extra network interface cards, but home routers are now so cheap and convenient, I don’t think anyone does that anymore. Today, most home routers are a combination device comprised of a modem, which transforms incoming signals on the wire connection to something usable by the home network, a wireless radio transmitter-receiver, and a router.

Typically, you access your home router today by logging on through a web browser. After you log on, you can change the way your home network interacts with the network and your network provider. The default settings on your router fairly effectively protect you from intrusion from the outside. Fresh out of the box, home routers are set up so that all interaction with computers outside the home network must originate from inside the home network. Although it may seem like the outside world is always sending you stuff, almost without exception, a computer on your home network has initiated an interaction and the outside world is responding to its requests. This fundamental pattern can be changed in many ways by changing the configuration of the router, sometimes for good reason. For example, some group interactive games require a different communications pattern. But criminals would like nothing better than to be able to send messages to your home devices at will. A bad guy with your router password could fix it so you can’t get to your own network or arrange to use your network to attack others. Changing your router’s password to something only you know ensures that only you can mess with it.

Changing a Router Password

Changing a router password is not difficult, but it could take you into unfamiliar territory. You may want to call in an expert to help you out. Never change anything but the router password if you do not fully understand what you are changing.

Overview

Here are the steps:

  1. Find your router default administrator name from the documentation that came with the router. Usually, the name is “admin” and the password is “password”, but not always.
  2. Determine the router IP address.
  3. Bring up the router in your web browser and enter the admin name and password.
  4. Navigate to the place where you can change the password.
  5. Change the password.
  6. Store it in your password manager. (Password managers handle router passwords just fine because you access them through your web browser.)

How To Determine Router IP Address

You can determine the router address from any device on your home network because the most basic requirement for connecting to the Internet is knowing the address of the router that controls the Internet connection. Some devices are easier than others. On a Windows 10 desktop, laptop, or tablet, bring up Settings (the gear symbol). Select Network & Internet, which will open the “Status” page. Towards the bottom of the page select “View your network properties.” You will see a page something like this:

Windows refers to the router IP address as the “Default Gateway.” On Apple, you can do something similar going to “System Preferences” and clicking on the “Network” icon and look for the “Router” label.

Router IP addresses are often “10.0.0.1” or “192.168.0.1”. If you want to skip finding the correct address, odds are good that you will get your router by trying these. If both fail, try “10.0.1.1” or “192.168.1.1”. Beyond those guesses, I’d take the long way and look up network properties.
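
The lookup described above can be checked in code before any router login is typed into a browser. This Python sketch is an added example, not part of the original post: it pulls the default gateway out of `ipconfig` (Windows), `ip route` (Linux) or `route -n get default` (macOS) output and confirms that a guessed address is a private home-network address that matches it. The sample outputs are constructed and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample command outputs (not captured from a real machine).
WINDOWS_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       10.0.0.1
"""
LINUX_IP_ROUTE = "default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
MACOS_ROUTE_GET = "   route to: default\n    gateway: 192.168.0.1\n  interface: en0\n"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    # Windows: an IPv6 gateway may be listed first, with IPv4 on the next line.
    re.compile(r"Default Gateway[ .]*:\s*(?:[0-9a-fA-F:%]+\s+)?" + IPV4),
    re.compile(r"^default via " + IPV4, re.M),      # Linux: ip route
    re.compile(r"^\s*gateway:\s*" + IPV4, re.M),    # macOS: route -n get default
]

# RFC 1918 private ranges, where a home router's LAN address lives.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_gateway(command_output):
    """Return the IPv4 default gateway found in the output, or None."""
    for pattern in PATTERNS:
        match = pattern.search(command_output)
        if match:
            try:
                return ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # looked like an address but was out of range
    return None


def is_home_router_address(addr):
    """True if addr falls inside one of the private ranges."""
    addr = ipaddress.IPv4Address(addr)
    return any(addr in net for net in PRIVATE_NETS)


def check_guess(guess, command_output):
    """Classify an address before it is typed into the browser."""
    try:
        typed = ipaddress.IPv4Address(guess)
    except ipaddress.AddressValueError:
        return "not-an-address"
    if not is_home_router_address(typed):
        return "not-private"       # login would go to a host on the Internet
    if typed != find_gateway(command_output):
        return "not-your-gateway"  # private, but not this machine's router
    return "ok"


if __name__ == "__main__":
    for guess in ("10.0.0.1", "192.168.1.1", "198.168.0.1"):
        print(guess, "->", check_guess(guess, WINDOWS_IPCONFIG))
```

A mistyped address such as 198.168.0.1 is reported as "not-private": it is a public Internet address, so a router username and password entered there would never reach your router.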

Access Router with Web Browser

All you have to do is type your router IP address into the address line in your web browser, like this:

What will appear on the screen will depend on the router. You will probably be challenged for a username and password. If you haven’t changed them, they will be the factory-set default for the router. You can look them up in the documentation for your router. Most likely, they are “admin” and “password” or something equally obvious. You are likely to find documentation for your router, or router-modem combination online. Look for the make and model on the physical device and search online.

Change Router Password

At this point, you are on your own with your router documentation, although the steps to change the password will probably be obvious. If you use a password manager, it will probably offer to generate a random password and store it for you. I would consider taking the offer.

While you are logged on to your router, take a look around, although I would be cautious about changing anything unless you know what you are doing. Your router is the control center for your home network and the key to home network security. An intruder with access can open your network up to all sorts of mischief. That is why changing from the default password, which is accessible to anyone, is so important.

Ferndale Library Talks on Computer Security and Privacy

Last Saturday, 2/1/20, I gave a presentation on Personal Cybersecurity to a full house in the Ferndale Library main meeting room. The librarians had to chase us out because my grandson Christopher and I were still answering questions at five pm when the library closed. If you missed the first presentation, or want a chance to ask more questions, Chris and I are scheduled to give the same presentation at the Lynden Public Library on Saturday, March 7 2020 at three pm. (Notice that the Lynden presentation will be a half hour earlier than Ferndale.)

See the slides from the presentation and links to resources.

This Saturday (2/8/20 3:30p) I will be talking about a closely related subject, Online Privacy, again in the Ferndale Meeting Room. Online security and privacy are closely related subjects that sometimes overlap, but privacy is often harder to understand and the legal boundaries are less clear. Computer security is mostly about traditional criminal activities like fraud and theft in the computing environment. Online privacy, on the other hand, often involves activities that were legal before computing began to amplify the effects of these activities, which have now taken on sinister implications. As a result, current privacy legalities are less clear. Instead of criminals, privacy issues often involve legitimate businesses and disturbing situations where no current law is broken. In this presentation, I will clarify what is recorded today when you go online and live your daily life, what is done with the record, and what you can do to exercise some control. This presentation will be repeated in Lynden at three pm on Saturday, March 14 2020.

Browser Wars and Privacy

A new round of the perennial browser wars has begun. Google Chrome is the current hands-down victor, but don’t be surprised if that changes. The new battleground is privacy. Google will have to fight hard to retain its majority market share. But will our privacy increase? I doubt it. The reason is a long story.

Current Standings

The main browser contenders are Google Chrome, Mozilla Firefox, and Apple Safari. In May 2019, the worldwide standings on all platforms were Chrome 63%, Safari 16% and Firefox 5%. To a certain extent, those numbers represent the distribution of smartphones. Google Android is the most prevalent and the default browser on Android is Chrome. Safari is the default on Apple iPhones. Firefox trails in part because it is not the default anywhere and users have to take the time and trouble to install it. On desktops and laptops in the US, Chrome still runs laps on Firefox and Safari at 64%. Microsoft Internet Explorer and Edge combined, the defaults on Windows computers, come in around 20%, Firefox and Safari trail at around 8%.

Depending on how much consumers value their privacy, these standings may change in months to come.

Last week, the Washington Post lambasted Google Chrome on privacy. Mozilla Firefox has been touting its security and privacy features regularly for the past few months and they have steadily improved their performance to keep up with Chrome.

History

The war used to be the world vs. Microsoft Internet Explorer (IE). The old battle was fought over performance, features, and standards compatibility. Microsoft in the late 90s and early 2000s was feeling safe in its control of the personal computer market; they took an indifferent stance toward emerging browser standards and chose to go their own way with IE, forcing web site developers to write different code for IE, while following widely accepted standards for the rest. Most consumers were unaware, but it drove engineers crazy.

Eventually, Chrome, Firefox, and Safari moved ahead of IE. Microsoft, in those days, was complacent on web performance, behind the curve on web security, and fighting anti-monopoly suits. Google, Mozilla, and Apple were striving hard to improve performance and security and to add features while conforming to standards. As a longtime competitor and partner, I can say that Microsoft engineers are second to none, but they floundered in the browser wars and eventually lost to the contenders. Chrome came off as the big winner by concentrating on performance.

Chrome is still the browser performance champion, but their lead is so small, it’s hard for most users to distinguish between the performance of any of the browsers today. I suspect Microsoft struggles because old IE special features are still required by some important customers, which puts constraints on IE that the other browsers don’t face.

The Privacy Battle

In this battle, Firefox appears to have the high ground. Most of Google’s revenue comes from selling ads that are targeted by the information it collects on the habits of the users of its free services like Google search, Gmail, and Chrome. When Chrome ups its privacy game, Google’s potential corporate revenue goes down. This places Google on a razor edge: abuse privacy and the public will quit using its services; increase privacy and ad-targeting gets fuzzy, which will cause revenues to drop.

Mozilla, as a non-profit, has no direct stake in targeting ads and therefore appears to be free to pursue privacy for its users, but it’s complicated.

Even Non-Profits Need Revenue

Mozilla’s 2017 audit states that a large share of its revenue comes from search engines, which pay Mozilla a small amount for each search directed to the search engine. Mozilla has had contracts with Google, Bing, and Yahoo at various times to default searches to these engines. Their current contract default search engine is Google. The auditors note that cancellation of these default search contracts is a substantial risk to Mozilla. Google pays Mozilla with money made from targeted advertising. Therefore, if browsing gets too private, Mozilla still stands to lose revenue. Not as directly as Google, but they are still at risk.

Google, as a public corporation, must keep their revenues up to satisfy their stockholders. Mozilla is a non-profit, but their engineers and other employees do not work for free. To continue to thrive, Mozilla must compete with public corporations for these employees with adequate facilities and wages.

Caution

What does this mean for the public? The high-tech network world is subtly connected and intertwined. TANSTAAFL. There ain’t no such thing as a free lunch. Most free services today are either loss-leaders for paid services, or they are bankrolled by selling data on the habits of the service users. Even when it appears that they are not. Until that basic fact changes, your privacy is on the market.

No matter which browser you choose, it is up to you to select privacy options that correspond to the level of privacy you want.

Be Careful With Remote Access

Connected devices on the Internet of Things are cool. I have a friend who looks in on his cats on Whidbey Island with his phone from our house in Ferndale. I love my Bluetooth mouse and being able to start the oven preheating from my office upstairs with my phone. But I wouldn’t want a stranger to have the same access.


To be safe, you must take precautions.

Today, or very soon, most of the electric appliances and many other devices that people interact with will be connected to computer networks. At our house, my wife’s car (not my old truck), our kitchen range and its hood, the dishwasher and the microwave are all set up to connect wirelessly to a computer network (the Internet). We can expect more connected appliances to appear on the market soon. In fact, some claim that it will soon be difficult to acquire any electrical appliances that are not connected to computer networks. Why? Because remote wireless computer control has become a cheap feature for manufacturers to add these days. Unfortunately, connectivity has become less safe in the process.

What has changed

In olden times, say 2010, when a refrigerator manufacturer decided to add remote wireless computer monitoring or control to a new model, they would hire a team of electrical and software engineers to design a chip, circuitry, and control software to embed. The team would come up with a tidy little system that would do exactly what the manufacturer intended. No more, no less.

That’s not how it’s done today. Instead, they buy standard, off-the-shelf components and snap them together. One of those components is likely to be the equivalent of an entire personal computer, complete with a wireless interface and capabilities similar to a typical desktop of a couple decades ago. A complete computer is now cheaper to embed than a custom designed minimal component. Unfortunately, these embedded computers are as easy, sometimes easier, to hack as any desktop, laptop, or phone today.

In my book, Personal Cybersecurity, available at the Ferndale Public Library, I cited the case of an electric teakettle that was easily hacked into by “war drivers” cruising the neighborhood looking for open wireless networks to exploit. That was two years ago. Those kinds of exploits are more plentiful and easier today.

Using a cheap little circuit board with an entire PC on board, manufacturers can build the device cheaply and figure out how to use the computing and connectivity later. They can add new features after the device has been manufactured using standard programming. This has a downside. Hacking a refrigerator used to require specialized knowledge of custom controllers and software written in assembler for processors that only a few engineers ever heard of. Now, the code is in high level languages on hardware that is taught in high schools.

For example, Amazon has published simple methods for placing devices with embedded computers under voice control through their Alexa product. I expect projects like Alexa-controlled electric whoozits are showing up at high school science fairs. If Alexa can easily be made to control something, there is a good chance that a hacker can too.

On top of that, a small manufacturer has little or no incentive or expertise to build security into their network-controlled toasters. Companies like Microsoft, Apple, Google, and Facebook have regulators, reputations, and stockholders to hold them accountable to public opinion. A rash of house fires from hacked Apple toasters would send Apple stock into a tailspin, the lights would burn all night in Cupertino, and fixes would be issued in days. You might not even realize that a fix was made. Companies like Apple work that way.

But for a small, no-brand appliance manufacturer, odds are great that nothing would happen. These companies, often located in China or southeast Asia, manufacture a batch of appliances, sell no-brand batches to secondary vendors who label the devices and sell them to the consumer. The department store that sold the hacked toasters and the company that designed and manufactured them may only be loosely and temporarily connected. The manufacturer retains no knowledge of what happened to the vulnerable devices or how to contact the final owners. The seller may be accountable but that’s little comfort after the house burns down.

What can you do to be safe?

•    Read the specifications and manuals for electrical appliances carefully. Be aware of the device’s networking capabilities, especially wireless connections. The FCC requires all radio transmitting and receiving devices to register. An FCC id number is a clue that the device can connect to a computer network, including the Internet.

•    If you don’t have a good use for remote connection of a device, turn the remote connection facility off. If you can’t turn remote access off, consider replacing the item. Chalk the expense up to lessons learned and sleep a little more soundly.

•    You may have a good use for connectivity. Surveillance cameras that you can access from your phone are an example. When properly secured, the risk of being hacked can be managed.

•    Before you buy, research. You can often find security-oriented reviews. Read the documentation on the device. If secure access to the device is not documented, don’t buy it. Find an equivalent device that is secured. Follow the security recommendations.

•    Many of these devices come with a default username like “admin” and a password like “password.” You must change these. The password is most important. Use a strong password. A long random sequence of upper- and lower-case letters, numbers, and symbols is best. The easier a password is to remember, the easier for a determined hacker to crack. Record the password safely. I use a password manager. Writing it down in a safe place is good too. If you lose the password, you may “brick” (permanently disable) the device.

•    Use caution with Bluetooth devices. Most are easy to eavesdrop on. Bluetooth can be secure, but it is often a hassle and manufacturers often skip security over convenience. I’ve written about Bluetooth security here.