Posts Tagged “security”

So I was installing Windows XP Professional in a virtual machine today and I was able to grab this image from the install.

I love when it says when you insert a floppy, CD, ZIP disk, etc., it will detect the kind of content and then, for your convenience, automatically start the appropriate program.  In other words, we’ll be virus-ready and malware-prone just for you!  This is one of the ways Conficker spread.  Haha.  Remember kids, usability is the enemy of security.

So I was helping my friend Keith (a.k.a. 4-eyes) with some weird wireless router thing.  Every time he tried to put a password on his wireless network, it would stop working for wired and wireless connections.  It was just weird.  So, here’s what we did to fix it:

  1. Verified he had the latest firmware for his router (Linksys WRT54G version 2.2)
  2. Established wireless security for WPA2 Personal (TKIP + AES) – (don’t use WEP – it doesn’t truly secure anything)
  3. After this, his wired PC wouldn’t work anymore – at least it wouldn’t do DNS anymore.  So I changed the router to assign OpenDNS servers to the machines.
  4. Changed the wireless channel from 6 (default) to 1 – there are a lot of people in Keith’s neighborhood that are on channel 6.  Take a look at my post about wireless routers for information on why this causes a problem.

Anyway, he was able to use wireless if he didn’t put any security encryption on it.  The danger of this is that anyone with a little bit of know-how (easily found on Google search) could potentially read all the traffic his laptop would send to the router – this is just how radio works (actually, this is possible with WEP encryption, too.  So use WPA or WPA2 with a strong password).  People could then use the information to get access to his online banking site, paypal.com, or any number of other things he may not want them to have access to.  The potential danger is pretty high.  The likelihood of Keith getting attacked is, let’s be honest, small in his neighborhood.  However, it’s like leaving your home without locking the door.  If you get robbed while you’re away and there are no signs of forced entry, you are going to feel like a tool.

Also – you’re paying for your connection.  Not having your connection secured means anyone that can pick up the signal can use your Internet.  They might slow you down or make you liable for illicit activity on your network that you had nothing to do with.  They aren’t helping you share the burden or the responsibility, why should you make it available to them?

OK, so I use a nice VPN solution that works through every public WiFi I’ve ever encountered.  Great – no problem (which one, you ask?  My Astaro Security Gateway…  but it’s implementing OpenVPN, which is open source, so anyone could set their own up without the UTM).  So I’m not too concerned about running my Virtual Desktop (Windows XP Pro, virtualized onto VMware Server 2.0) because the connection from my laptop to the Virtual Desktop is encrypted.  So when using non-encrypted public WiFi, the traffic that others can see freely is encrypted.

Enter the All Ways On Wireless at the Ronald Reagan International Trade Center in Washington, DC.  It’s a pay-for public WiFi; I’m not against paying for it.  It’s actually running quite nicely and the regular, non-VPN enabled all-day pass works just fine with my VPN (another reason I like OpenVPN).  However, when I went to purchase my day of access, it led me to a non-encrypted web page to type in my credit card details.  Seeing as the radio frequency traffic between my laptop and the wireless access point is not encrypted and completely open to anyone that knows how to look, I essentially broadcast my credit card details out for that potential someone to steal.

Be wary of public wifi access spots that make you enter credit card details without leading you to a secure web page (that’s when you see https:// in the address bar, or that little padlock in the status bar of your browser).  I don’t think my details are now in the hands of some nefarious identity thief, but it’s a lot more possible now that I’ve given them out over unencrypted radio transfer.  Someone taking this information wouldn’t even be recorded as a data breach in the All Ways On Wireless financial system – since essentially they didn’t hack into their database, they just listened to the freely broadcast, unencrypted traffic.

When will companies start taking security of information more seriously?  I tried to go to their website (www.allwayson.net) but strangely enough, you can’t even get to their website from their own public wifi gateway.  I wonder if it’s even up anymore, or if it changed and no one set up any forwarding address.
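The check described in this post can be scripted. The following is an added example, not part of the original post: given a page's URL and its HTML, it flags any form that collects card data and is either submitted or served without HTTPS. The field-name pattern, the host `portal.example` and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name hints that suggest payment card data (a heuristic assumed for this example).
CARD_HINT = re.compile(r"card|ccnum|cc[-_]|cvv|cvc|expir", re.I)

class FormScanner(HTMLParser):
    """Collects each <form> with its action and a label for every field inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            parts = (a.get("name"), a.get("id"), a.get("autocomplete"))
            self._current["fields"].append(" ".join(p for p in parts if p))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_payment_forms(page_url, html):
    """Return (finding, submit_url) pairs for card forms not protected by HTTPS."""
    scanner = FormScanner()
    scanner.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not any(CARD_HINT.search(f) for f in form["fields"]):
            continue  # not a payment form
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append(("submits-in-clear", target))
        elif not page_secure:
            # HTTPS target, but the form arrived over HTTP and could be altered in transit
            findings.append(("form-served-in-clear", target))
    return findings

# Constructed sample: a hotspot purchase page served over plain HTTP.
SAMPLE_URL = "http://portal.example/buy"
SAMPLE_HTML = """<form action="/pay" method="post">
<input name="cardnumber"><input name="cvv"><input name="expiry">
</form>"""
```

A form that posts to an HTTPS address is still reported when the page carrying it was loaded over HTTP, because anyone able to modify that page in transit can change where the form submits.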

OK, so if you program your GPS’s home feature to your actual home, you’re just giving thieves a better chance to know when you’re not around.  Consider yourself in the commuter lot, they might know you’re gone for about 8 hours at least.  Perfect time to smash and grab your GPS and “go home” to take your things.  Or maybe not the commuter lot, but a busy mall parking lot during Christmas season, or a stadium gaming event.  If you want to enter your home address, list it as a favorite with a different name, like your dog’s name or, better, someone else’s name entirely.  I was thinking Leroy Jenkins would be a good name.  It can also lead to identity theft if they don’t want to steal your stuff, just your finances.  Take a gander here.

In a previous post about not running anti-virus, I mentioned that you shouldn’t go to shady, possibly suspect sites.  Well, how do you determine one?  I am by no means the guru on this, a lot of it is gut feel.  Recently I had to get a replacement battery for a laptop for a friend of mine.  I was trying to locate one at a decent price and I turned up with a page that was not looking very professional.  The page was supposedly for a local shop somewhere in the USA that also sold its stuff online, so it looked like an in-house web job by a programmer that doesn’t know much about Web Interfaces.  That’s okay, the site worked alright and I was able to find what I thought I needed.  But I was suspicious that it just might have been a phishing or identity-theft site.  So, operating under the assumption that scam sites are usually short-lived and don’t have any history to them, I looked it up.  There’s an archiving project for the Internet called the Wayback Machine by the folks at The Internet Archive (which I learned about from listening to The Tech Guy – not for this purpose but because they were talking about some changes coming in copyright laws).  I checked what the site looked like a few years ago, and I figured if it were truly a phishing/scam site it would not have existed then, or if it did it would have been very different.  Anyhow, the site I was looking at had a long history of promoting the exact same thing.  Also a quick Google search on the site address with “scam” turned up nothing.  Just in case, I also put in the company’s name.  It all appeared to be legit.

This isn’t the end-all guide to checking the credibility of a website, but give it a shot if you come into something you question.
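The history check from this post can be turned into a small script. This is an added example, not part of the original post: it assumes you have saved the JSON capture list that the Wayback Machine's CDX server returns for a site (`output=json`, first row is the header) and summarizes how long and how consistently the site has been archived. The sample rows, the `.example` host and the two thresholds are constructed assumptions.

```python
import json
from datetime import datetime, timezone

def capture_history(cdx_json, now, min_age_days=730, min_years=2):
    """Summarize archived captures; thresholds are assumptions, tune to taste."""
    rows = json.loads(cdx_json)
    if len(rows) < 2:                      # empty result or header only
        return {"captures": 0, "verdict": "no-history"}
    header, records = rows[0], rows[1:]
    ts_i, status_i = header.index("timestamp"), header.index("statuscode")
    # Count only captures that returned a real page (HTTP 200), oldest first.
    stamps = sorted(
        datetime.strptime(r[ts_i], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for r in records if r[status_i] == "200")
    if not stamps:
        return {"captures": 0, "verdict": "no-history"}
    years = sorted({s.year for s in stamps})
    age_days = (now - stamps[0]).days
    established = age_days >= min_age_days and len(years) >= min_years
    return {
        "captures": len(stamps),
        "first_seen": stamps[0].date().isoformat(),
        "last_seen": stamps[-1].date().isoformat(),
        "years": years,
        "verdict": "established" if established else "short-history",
    }

# Constructed sample in CDX JSON layout: a shop archived yearly since 2005.
HEADER = ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"]
def _row(ts, status="200"):
    return ["example,batteries)/", ts, "http://batteries.example/", "text/html",
            status, "CONSTRUCTEDDIGEST", "1234"]

OLD_SITE = json.dumps([HEADER, _row("20050314102030"), _row("20060701000000"),
                       _row("20070115120000", "302"), _row("20070920080000"),
                       _row("20081111111111")])
NEW_SITE = json.dumps([HEADER, _row("20090501000000")])
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
```

A long capture history only shows that the address has been around; comparing what the old snapshots were selling, as the post does, is still a manual step.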