
Thursday, September 20, 2018

Wi-Fi security: How to stay safe while connected



Wireless security has two components: Authentication and secrecy. And, in theory, responsibility for network security lies with both operators and users.
  • Operators of Wi-Fi (or WLAN) access points should make sure that only those authorized can access the network and consume its resources. In more specific cases, an operator might want to know what each user does on the network and limit the number of devices they can access.
  • Users of Wi-Fi networks should also have the ability to authenticate the network themselves, although they rarely do. When connecting to a network, you mostly have no guarantee that you are connecting to the entity you think you are connecting to.
  • It’s important for both users and operators to have the ability to secure communications while they are traversing the air. Otherwise, anyone within reach of the signal would be able to eavesdrop on the connections and possibly inject data.
Ideally, all communications should at all times be encrypted. Due to what we consider a pretty serious design flaw, however, data sent between the router and your device is only encrypted if there is a password set. It’s important to note, though, that the password is not the key used to encrypt the data. Instead, a new key is negotiated for each user and session.
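To make the last point concrete, here is an added Python example (not part of the original post) that walks through the WPA2-Personal key derivation: the passphrase and SSID give a fixed pairwise master key (PMK), and the fresh nonces exchanged in the 4-way handshake turn that PMK into a different pairwise transient key (PTK) for every session. The SSID, passphrase and MAC addresses are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values for illustration only (not a real network).
SSID = b"example-net"
PASSPHRASE = b"correct horse battery staple"
AP_MAC = bytes.fromhex("020000000001")       # AA: authenticator (router) address
CLIENT_MAC = bytes.fromhex("020000000002")   # SPA: supplicant (client) address


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 rounds, 256 bits. Same passphrase + SSID -> same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, dklen=32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..2,
    concatenated and truncated to 48 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3))
    return b"".join(blocks)[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the 4-way handshake inputs. The nonces are fresh
    per association, so the PTK (and the CCMP temporal key, TK) changes every session
    even though the PMK does not."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def two_sessions(pmk: bytes, aa: bytes, spa: bytes) -> tuple:
    """Simulate two associations by the same client: fresh 32-byte nonces each time,
    as the AP and the client would generate them. Returns the two temporal keys."""
    first = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))["TK"]
    second = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))["TK"]
    return first, second


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    tk1, tk2 = two_sessions(pmk, AP_MAC, CLIENT_MAC)
    print("PMK (fixed for this SSID/passphrase):", pmk.hex())
    print("session 1 TK:", tk1.hex())
    print("session 2 TK:", tk2.hex(), "(differs although the password is unchanged)")
```

The PBKDF2 step is the only place the passphrase enters; everything the radio actually encrypts with comes out of the handshake-specific PTK.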

Authenticating Wi-Fi networks

It is theoretically possible to encrypt all data even without setting a password, but current Wi-Fi standards don’t have this ability (the newly released WPA3 standard does). As such, you should always set a password to your network, even if you later print the password on signs for everyone in the building to see.
Primarily, passwords are used for authentication (only users that know a password can log into the network). But, as everybody uses the same password there is little to prevent people from sharing it with outsiders and (non-authorized) friends. Some apps even make password sharing possible between a large number of strangers.
While far more complicated from an administration perspective, it is possible to create individual accounts with unique passwords for each authorized user or device. Additionally, this setup makes it possible to track unique users around the building or network and eject them from the system.
It is also possible to use certificates to authenticate your connection to the correct router. These certificates, however, have to be verified through another secure channel and this feature is rarely used.

Wi-Fi standards and security

The standard known as Wi-Fi is defined under IEEE 802.11. It has been amended frequently to account for new bands, frequencies, and changes in technology (such as authentication and encryption).
Currently, there are two primary standards to secure Wi-Fi and encrypt connections: WEP and WPA.
WEP (Wired Equivalent Privacy, often also wrongly called Wireless Encryption Protocol), released in 1997, was, for a time, the only standard available. And, due to U.S. export controls, it was intentionally weak and insecure. As soon as the U.S. removed these restrictions, WEP was superseded by WPA and WPA2 (Wi-Fi Protected Access) in 2004.
WPA and WPA2 were released together, with WPA as an intermediate solution for hardware that couldn’t support WPA2. Since 2012, WPA is considered broken and defunct.

WPA3 is here, but it’s not ready

Specifications for WPA3 were announced in early 2018, but the standard is still not commonly available in software packages and hardware. WPA3 increases security and privacy, for example by encrypting all connections by default, and offers perfect forward secrecy.
WPA2 is increasingly considered broken, as demonstrated by the KRACK attacks or other techniques that allow anyone to obtain Wi-Fi passwords easily.

How to protect your Wi-Fi network

  • As the operator of a Wi-Fi access point, you should always use WPA2 as it is still the most robust standard.
  • Enable encryption on your network to make sure all your guests and users benefit from encrypted data while in transit between your router and their device.
  • Change the passwords to your router’s admin interface to make it difficult for anybody to mess with your network and install spyware and malware on it.
  • If you are worried about unauthorized access to your network, change passwords frequently and consider creating unique usernames and passwords for each user.
  • If you are worried about your guests doing nefarious things through your internet connection, consider installing a VPN on your router to avoid being blamed for the actions of your guests.
  • As the user of a Wi-Fi network, you should prefer encrypted connections over unencrypted ones. Use a browser extension such as HTTPS Everywhere for greater end-to-end encryption.
  • Use a VPN for your phone or laptop to fully encrypt your data as it passes the airwaves, the Wi-Fi router, and the ISP.



Tuesday, May 29, 2018

Is Your Router Vulnerable to VPNFilter Malware?

Below is a list of routers vulnerable to VPNFilter, malware that can brick your device.
The Justice Department last week urged everyone with a small office/home office (SOHO) router or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device, though this will wipe any credentials you have stored on the device.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the bug.
To date, Cisco Talos estimates that at least 500,000 devices in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.


via PCMag