Tuesday, December 11, 2007

Securing Your Wi-Fi Computer and Network

"Social" Engineering

"Social" Engineering is a term for tricking a person into revealing their password or other confidential information.

A classic social engineering trick is to send email claiming to be a system administrator. The email will claim to need your password for some important system administration work, and ask you to email it back. Often, the email will appear to be from a real system administrator, and be sent to everyone on a network, hoping that at least one or two users will fall for the trick.

You can also be scammed for your password via telephone. In fact, theft of credit card information or identity information via "dumpster diving" (or from a restaurant credit card receipt) is an example of social engineering that does not involve technology or the Internet.

Another common trick used by social engineers is sometimes called "shoulder surfing." This is when someone reads your login information, password, or other confidential information over your shoulder.

Wi-Fi users are particularly vulnerable to shoulder surfing. The best defense is to be alert and very careful if you think someone may be looking over your shoulder. If you think someone has read your password, you should change it (or get it changed) immediately. For example, if you think someone may have read your T-Mobile Hotspot password over your shoulder as you entered it in a crowded hotel lobby, you can use the T-Mobile personal preference page to change your password, or contact T-Mobile technical support right away by email or telephone.

If somebody is watching you when you type in your password, you should move away, or ask them not to look while you log in. It's not polite to read someone else's password, so you shouldn't worry about being impolite yourself when you ask someone not to read it.

Physical Lockdown

The physical theft of mobile computers is a pretty big problem, with around 400,000 laptops a year stolen in the United States.

As with other kinds of computer crimes and security breaches, insiders are responsible for a great many physical thefts of mobile computers. Typical insiders include employees, temporary workers, and contractors.

The moral is to be leery about leaving your laptop lying around, either in the office or when you are traveling. This sounds like pretty obvious advice, but what if you just don't want to lug it around with you—for example, to go on a bathroom break during a convention?

A common and relatively inexpensive security device to deal with this kind of situation is the cable lock. The manufacturer of the cable lock provides a way of attaching the lock to the computer. (Often the lock plugs into a port on the laptop, with a security mechanism preventing its removal without the key.) The cable then loops around a stationary item, such as a desk leg.

Cable locks can be had for as little as $20 to $30. Probably the best known cable lock manufacturer is Kensington, www.kensington.com. In some cases, the manufacturer of the cable lock guarantees the laptop attached with the cable lock.

The problem with cable locks is that they can easily be cut using bolt cutters available in any hardware store. To add another level of security, you can use a cable lock alarm, such as the Defcon, made by Targus. Targus, www.targus.com, best known for its mobile computer cases, makes a number of different cable lock alarms for as little as $40. These alarms make a huge racket when the cable is tampered with.

Targus also makes a PC Card, the Targus Defcon Motion Data Protection (MDP) card, that slips into the PC slot on your laptop. This card, which sells for about $100, provides double-barreled protection. First, it sounds a loud alarm in response to motion (so it works as a physical theft inhibitor). The card also encrypts the computer, with PIN access (this encryption inhibits data theft as well as physical theft).

When the alarm has been triggered (because the card encounters unauthorized motion), a second, 16-digit PIN is required to gain access to the computer's operating system and files.

If you are going to be carrying around important, confidential data on your Wi-Fi–enabled mobile computer, this sounds like a pretty good investment to me!

There are quite a few solutions along the lines of the Targus MDP card that get more and more complex. Some of these schemes include biometric scanning devices—to authenticate you as the owner of your mobile computer. In other schemes, wireless technology is used to maintain a series of "leases" that keeps the mobile computer going. If the mobile computer fails to obtain a lease for a certain period of time, it stops working, and encryption is engaged. With these schemes, generally a cell phone call can also trigger arming of the defense mechanisms.

Companies that sell sophisticated defense systems along these lines include CoreStreet, Digital Persona, Keyware, RSA Security, and Vasco.

Using Password Protection

In a mobile computer equipped with Wi-Fi, you can (and should) password-protect operating systems such as Windows XP. This makes it a great deal more difficult (although not always impossible) to boot up your computer without knowing the password.

You can also set a password in the BIOS of most computers. This provides a better level of security than an operating system password, but it is also not absolute.

To set a BIOS password, you must enter the BIOS screens for your computer. This is done during the boot-up process when you've turned the computer on, generally by pressing a key (such as the Delete key) or key combination while the computer is booting up.


File Sharing

We tell our children that sharing is good, but when it comes to computers, running with sharing turned on can pose a security risk.

If you are connecting to a Wi-Fi network—or any network—and sharing is turned on, anyone else on the network can read your files across the network. For that matter, your files can be altered or deleted across the network, as well.


How Real Is the Threat?

Make no mistake, the threat is real. If you compare a wireless network with a conventional wired network, essentially the security risks posed by the two are the same with one big exception. The big exception is that a wireless network provides no physical security. Essentially anyone can tap into a wireless network. In comparison, to hack a wired network you need a physical connection to the network's wiring.

Attacks from the Internet are a threat to both wired and wireless networks. But otherwise, no one can attack a wired network without gaining admittance to your premises. Wireless networks are vulnerable to attacks from people who are not on your physical premises. This means that protection cannot be obtained by physical security measures, but only by implementing appropriate internal management and security measures. A lock on your door should inhibit someone who would like to access your wired network, but it is meaningless to the security of your wireless network.


What Steps Should You Take?

The steps you should take depend on how important the security of your personal network is to you. Some people will feel it more important than others to implement comprehensive security measures. But some of the basic security measures you can take are easy, and involve little (or no) trouble to set up and little extra trouble on the part of network users. So everyone should take at least some security measures.

