Home network security email

 

You probably don’t think much about your home network. When it’s working correctly, you usually don’t need to. It’s worthwhile, though, to make sure that your network is secure, and that there’s a good barrier between what’s inside and outside your network. This can seem daunting, but taken a step at a time it is not too difficult. Your network will probably consist of one to three devices, fulfilling the roles of modem, router, wireless access point, and firewall. You may need to look around to find the needed settings for each role, but they should all be there somewhere.

 

First, if your equipment is more than a few years old, or the manufacturer no longer publishes firmware updates for it, you should consider replacing it. A device that no longer gets updates will never have its security problems fixed. You will almost certainly notice a boost in performance as well. If your internet provider supplied your equipment, they will probably give you updated equipment for the asking. Otherwise, there are many good options for relatively little money.

 

Before starting, write down the manufacturer and model number for each device. You’re going to need to find the manual for each device online, and record the default username and password (how easy these are to find is exactly why they must be changed). I recommend finding the procedure for a factory reset, just in case something goes wrong. The manual will also tell you the management address, which you type into your web browser from a computer connected to your own network. This is most commonly 192.168.1.1 or 192.168.0.1, but may differ according to the device. Once you pull up the management site, you’ll need to make a number of changes. The device may need to reboot between changes, so allow 45 minutes or so for the whole process.

 

  • Change the default password

This is the most critical step, and the one most often forgotten. Default passwords are printed in the manual you just found, and lists of them for every common model are freely available, so a device that still uses one is trivial to take over. The management page is normally reachable only from inside your network, but that is less protection than it sounds: a web page you visit, or an infected phone or laptop on your wifi, can reach it just as well, and if remote management is enabled (see below) it can be probed from anywhere on the internet. If the device uses one password for both the wifi and the management page, change both. A router with a unique password printed on a sticker is better than a shared default, but anyone who has seen the sticker knows it.

 

  • Update the firmware

The manufacturer fixes security problems as they are found, and the fixes arrive as firmware updates. Check for updates every few months at least, and if the device offers automatic updates, turn them on. There should be an easy way in the management page to check for and apply these. If the manufacturer has stopped releasing updates for your model, that is your signal to replace it.

 

  • Disable remote management

Remote management allows you to change your device settings from the internet, which means the login page is exposed to the whole internet, where automated scanners try default passwords around the clock. Unless there is a specific reason you want this, turn the feature off. If you really do need it, restrict it to a specific address where the device allows that, and make sure it is protected by a strong, unique password.

 

  • Disable Universal Plug and Play (UPnP)

Universal Plug and Play lets devices and applications on your network open holes in your firewall for themselves, without asking you. That is convenient for game consoles and some media devices, but it also means a single infected computer or gadget can expose everything else in the house. UPnP implementations have a long history of security flaws, and some routers have wrongly answered UPnP requests from the internet side as well. Unless there is a specific reason you need this service, disable it.

  • Wifi settings

There are a number of settings needed to secure your wireless network. Most importantly, make sure you are using WPA2 encryption (or WPA3, if your router and all of your devices support it) with a strong passphrase; never WEP, which can be broken in minutes. Without encryption, someone can easily monitor everything that goes over your wireless network from a quarter mile away. A long passphrase matters because anyone who records a device joining your network can try guesses against that recording offline, at their leisure, and common words and phrases are tried first. You should also change your network name (also called the SSID) to something other than the default: the name is mixed into the encryption key, and attackers keep precomputed tables of keys for the most common default names. Avoid using identifying information in it. Finally, disable WPS. This is a service meant to make connecting easier with a push button or an eight-digit PIN, but the PIN can be guessed in a matter of hours, and a successful guess hands over your wifi passphrase.
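Two of the items above can be checked rather than taken on faith. The script below is an added example, not code from the original email: the first half sends the UPnP discovery request (SSDP, a multicast query to 239.255.255.250 port 1900) that any UPnP-enabled router must answer, so running it from a laptop on your own network after the change should find nothing; the second half shows how WPA2 turns a passphrase and SSID into the encryption key, and how cheaply someone holding a recorded handshake can guess passphrases offline. The "captured" key in the demo is the published 802.11i test vector (passphrase "password", SSID "IEEE"), not a real network; the candidate list is constructed.

```python
"""Two checks for the home-router checklist: is UPnP still answering on the LAN,
and how cheap is offline guessing of a WPA2 passphrase. Added example code."""
import hashlib
import socket
from typing import Optional

# SSDP is the discovery half of UPnP. A router with UPnP enabled answers this
# multicast query with an HTTP-like "200 OK" naming its description URL.
SSDP_GROUP = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Return the headers of an SSDP 200 OK as a dict, or {} if it is not one."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def find_upnp_gateways(timeout: float = 2.0) -> list:
    """Send one M-SEARCH and collect every gateway that answers.

    Run from a machine on your LAN after disabling UPnP: an empty list is the
    result you want. (Needs a real network; the unit test only exercises the parser.)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(MSEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                found.append({"ip": ip,
                              "location": headers.get("LOCATION", ""),
                              "server": headers.get("SERVER", "")})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# WPA2-PSK derives the 256-bit pairwise master key with PBKDF2-HMAC-SHA1,
# 4096 rounds, salted with the SSID. Anyone who records the four-way handshake
# of a device joining can test passphrases offline at exactly this cost, and
# tables of PMKs for common default SSIDs and dictionary words are precomputed.
# A unique SSID defeats the tables; only a long random passphrase defeats guessing.
def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_passphrase(ssid: str, target_pmk: bytes, candidates) -> Optional[str]:
    """Tiny dictionary attack: return the candidate whose PMK matches, else None."""
    for candidate in candidates:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


if __name__ == "__main__":
    for gw in find_upnp_gateways():
        print("UPnP gateway still answering:", gw)
    # Constructed demo: the 802.11i test vector stands in for a captured key.
    captured = wpa2_pmk("password", "IEEE")
    print("guessed:", guess_passphrase("IEEE", captured, ["letmein", "password", "hunter2"]))
```

The point of the second half is the arithmetic: 4096 rounds of SHA-1 is a fraction of a millisecond on a laptop and far less on a graphics card, so a passphrase that appears in any word list is found quickly; a random twenty-character one is not found at all.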

 

This may seem like a lot of work, but it will go much faster than you may expect. Once it’s done you will have a fairly secure home network, and you won’t have to think about it again other than occasional checks for firmware updates.

 

Resources:

United States Computer Emergency Readiness Team (US-CERT)

 

Password security email

Welcome to the third letter in my series of information security tips!

 

It’s time to talk about passwords. You know them. You hate them. We’re stuck with them. I’d be willing to bet that almost all of you have many poor passwords that are duplicated across a whole bunch of sites. Shame on you! Full disclosure: I did, too, until last week, when I went through the entire list and changed old and duplicate passwords in anticipation of this email. So do as I say…

 

Fortunately, there is a shortcut to good password management. It’s called a password manager!  I use one called LastPass. It stores my passwords, protected by one super-strong password that I have written down in a safe place so that I can never forget it. I can retrieve my passwords from anywhere using a web browser or an app on my phone, and it will let me know if I have duplicate passwords, old passwords, passwords that have been compromised online, or other vulnerabilities. It will even generate random passwords for me, and since it can automatically fill in the passwords in websites it can make the passwords especially strong (and hard to remember).

 

I strongly recommend using a password manager. LastPass is great, and free. There are other reputable options as well. There’s really no reason not to start using one.

 

If you do decide to manage your passwords manually, there is a recommended way to produce secure but memorable passwords. Pick a long phrase and create a variation on it. For example, if you start with “A long time ago, in a galaxy far, far away,” you might create the password ALongta@44away. That’s a pretty good password, and you can probably remember it pretty quickly. Two cautions: attackers’ word lists include famous quotes and the usual letter-for-symbol substitutions, so start from a phrase that is personal and obscure rather than a well-known line, and never reuse the result on a second site. For more detail on this method and passwords in general, see this link.
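Two of the things a password manager does for you, generating a random password and checking whether a password has already turned up in a breach, can be shown in a few lines. The code below is an added example, not from the original email or from LastPass; the breach check uses the public Have I Been Pwned "range" scheme, in which only the first five characters of the password’s SHA-1 hash ever leave your computer, and the response for "password" is a constructed stand-in for what that service returns.

```python
"""Added example: manager-style password generation, and a breach check that
never sends the password itself (Have I Been Pwned k-anonymity range query)."""
import hashlib
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def random_password(length: int = 20) -> str:
    """Uniformly random characters from a fixed alphabet, using the CSPRNG
    (secrets, never random). Strength is length * log2(alphabet size) bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(wordlist, words: int = 6) -> str:
    """Memorable alternative: words drawn at random from a large list (the
    'diceware' idea). The list here is the caller's; a real one has 7776 words."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `choices`."""
    return picks * math.log2(choices)


def hibp_range_parts(password: str):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to
    https://api.pwnedpasswords.com/range/<prefix> and the suffix kept locally.
    The server cannot tell which of the hundreds of hashes sharing that prefix
    you were asking about."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """range_response is the service's reply body: one 'SUFFIX:COUNT' line per
    known hash with our prefix. Return how often our password appeared (0 = never)."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, range_response: str) -> int:
    """Whole check, with the network step replaced by a caller-supplied response."""
    _prefix, suffix = hibp_range_parts(password)
    return breach_count(suffix, range_response)


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")):
# the real reply lists several hundred suffixes; the count is illustrative.
SAMPLE_RANGE_RESPONSE = """\
1E2A9A7E4E7AAEA1A9C0EB1D1C8B9C5A4E9:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F3BB6D7EC5A3E9D5E8A2B1C9D0E7F6A5B4:1
"""

if __name__ == "__main__":
    print("generated:", random_password())
    print("20 random chars from %d symbols = %.0f bits" % (len(ALPHABET), entropy_bits(len(ALPHABET), 20)))
    print("'password' seen %d times" % check_password_offline("password", SAMPLE_RANGE_RESPONSE))
```

For comparison, ALongta@44away is fourteen characters, but an attacker who starts from the famous line and tries the standard substitutions searches a far smaller space than the 124 bits the generator above gives a twenty-character random password.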

 

Another security feature you should be aware of is two-factor authentication. This means you need a password as well as something else that only you have: a code from an app or a text message on your phone, a code sent to a known email address, or a login from a computer the site has seen before. The point is that someone who steals or guesses your password still can’t get in without that second thing. While this can be a hassle, it is definitely worthwhile on your critical accounts, starting with your email (which can reset every other password) and your password manager. Two-factor authentication is now mandatory on many financial accounts, in fact. You can turn it on for accounts such as Google, PayPal, and eBay, for example. It will be an option in the settings, and you should seriously consider enabling it. A code from an authenticator app is stronger than one sent by text message, which can be intercepted by someone who takes over your phone number, but either is far better than a password alone.
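The six-digit codes that authenticator apps and many sites use are not magic; they are the TOTP algorithm (RFC 6238). The site and the app share a secret once, usually through a QR code, and after that each code is a hash of the current 30-second time step, so a stolen password alone is not enough. The code below is an added example, not from the original email or from any particular site; the secret in the demo is the test key from the RFC, not a real one.

```python
"""Added example: time-based one-time passwords (RFC 6238 TOTP on RFC 4226 HOTP),
both the code an app shows and the check a site performs."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """What the app displays at Unix time `at`: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Site side: accept the current step plus `window` steps either side so a
    slightly wrong phone clock still works; compare in constant time so timing
    does not leak how many digits matched."""
    for k in range(-window, window + 1):
        expected = totp(secret, at + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_shared_secret() -> str:
    """Enrollment: 20 random bytes, base32-encoded as apps expect in the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


# RFC 6238 test key (ASCII "12345678901234567890"); constructed demo only.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test key:", totp(RFC_SECRET, now))
    print("a fresh enrollment secret:", new_shared_secret())
```

Two details matter in practice: the secret must be generated with a cryptographic random source and stored by the site as carefully as a password hash, and the acceptance window should stay small, since every extra step is another valid code for an attacker to guess.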

 

United States Computer Emergency Readiness Team (US-CERT)

 

Phishing security email

Sent to my teachers and staff, names and addresses changed:

Welcome to the second letter in my series of information security tips!

Phishing is an attempt to get your information, including financial information, by masquerading as someone else. It most often takes the form of an email purporting to be from a trusted source. Take, for example, this recent real message received right here at Cliff Valley.

From: Head of School [mailto:head@school.org]

Sent: Wednesday, May 06, 2015 12:08 PM

To: Finance

Subject: Request

Hi Finance,

 Hope you are having a splendid day. I want you to quickly email me the details you will need to help me  process an outgoing wire transfer to another bank.

I will appreciate a swift email response.

Thanks.

Head of School

Finance recognized this as suspicious right away. But look at all the things this phishing attempt got right. It’s a well-written email, apparently from Head of School’s actual email address, with a perfectly reasonable request. There are also a number of red flags here, such as the slightly stilted language, the vagueness, and a few formatting issues. But place this email in an environment where people don’t know each other as well, and it seems pretty convincing! If Finance weren’t so sharp, the email response would go to the phisher: the From line is forged (a trick known as spoofing; it is just text the sender fills in, like the return address on an envelope), while the hidden reply-to address points at the attacker. Money would then quickly disappear from Cliff Valley’s bank account to an untraceable account. A phishing attempt that is targeted at specific people, like this one, is called “spear-phishing,” and can be very effective.

Phishing attempts happen all the time! Check your spam or junk mail folder, and it will likely be filled with mail apparently from your bank, FedEx, and social media sites. These may look exactly like actual email from these sites and may have links that lead to legitimate-looking sites as well. There may not be any obvious warning signs that they’re phishing attempts.

Fortunately, there is a simple and reliable way to protect yourself from these. NEVER follow a link from an email to a financial site or a login page. Type the site’s name directly into the browser (don’t copy and paste it from the message), or use a bookmark you created yourself, and you will end up at the legitimate site. Double-check what you typed: a one-letter typo can land you on a look-alike site. If you think you may have followed a suspicious link by mistake and entered your password, log in to the legitimate site as soon as possible and change that password, along with anywhere else you used the same one. Most phishing attempts are easy to spot when you are looking for them. It’s important to be vigilant, however!
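The spoofing described above can be caught by looking at headers the mail client hides. The From line is free text chosen by the sender; replies go to Reply-To; bounces go to the envelope sender recorded in Return-Path; and the receiving mail server writes its own SPF, DKIM and DMARC verdict into Authentication-Results. The script below is an added example, not from the original email or from any mail product: it flags a message when those disagree, or when a display name belongs to a known colleague but the address does not. The three messages are constructed to resemble the one quoted; school.org and the "known senders" table are assumptions standing in for a real directory.

```python
"""Added example: header checks that expose a spoofed From line."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: our own mail domain and the display names staff
# would recognise. A real gateway would load these from the directory.
OUR_DOMAIN = "school.org"
KNOWN_SENDERS = {"head of school": "head@school.org"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_flags(raw_message: str) -> list:
    """Return (code, detail) pairs; an empty list means nothing looked odd."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()
    flags = []

    # 1. The address that will actually receive a reply is not the one shown.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append(("reply-to-mismatch", f"replies go to {reply_to}, not {from_addr}"))
    # 2. The envelope sender (where bounces go) is somewhere else entirely.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        flags.append(("return-path-mismatch", f"envelope sender is {return_path}"))
    # 3. The display name is a known colleague, but the address is not theirs.
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(("known-name-wrong-address", f"'{from_name}' is really {expected}"))
    # 4. Our own server's SPF/DKIM/DMARC check said the From domain did not authorise it.
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            flags.append(("auth-fail", f"{check} failed for {from_addr}"))
    return flags


# Constructed messages. SPOOFED mirrors the wire-transfer attempt: forged From,
# external Reply-To, failed authentication. LEGIT is what the real head's mail
# looks like. LOOKALIKE uses the right name on a free-mail address.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.school.org; spf=fail smtp.mailfrom=mail-relay.example; dmarc=fail header.from=school.org
From: Head of School <head@school.org>
Reply-To: Head of School <head.school@lookalike-mail.example>
To: Finance <finance@school.org>
Subject: Request

Hi Finance, I want you to quickly email me the details you will need to process an outgoing wire transfer.
"""

LEGIT = """\
Return-Path: <head@school.org>
Authentication-Results: mx.school.org; spf=pass smtp.mailfrom=school.org; dkim=pass header.d=school.org; dmarc=pass header.from=school.org
From: Head of School <head@school.org>
To: Finance <finance@school.org>
Subject: Budget meeting

See you at 3.
"""

LOOKALIKE = """\
From: Head of School <head.of.school.cv@freemail.example>
To: Finance <finance@school.org>
Subject: Request

Are you at your desk? I need a favor.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(label, phishing_flags(raw) or "no flags")
```

Mail gateways perform the same checks automatically, which is why the best defence a school can deploy is publishing SPF and DMARC records for its own domain so that other servers reject mail that claims to be from it.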

Security Emails to Staff

A number of recent news items have convinced me I need to begin a series of cyber-security related emails at school. I’ll post those messages here, as well. I began with a recent news story.


Friday’s Scary Internet Attack

Last Friday, huge swaths of the internet were unavailable for much of the day. The outage was due to a Distributed Denial of Service attack, or DDoS. To over-simplify a bit, it involves sending a flood of messages to a computer to overwhelm it. This is usually a computer serving websites or email, for example. “Distributed” just means it comes from many computers at once, usually machines compromised by malicious hackers, so the flood can’t be stopped by blocking a single source. This type of attack is well known, and has been around since the late 1990s.

Two aspects of Friday’s attack make it different. First, the devices launching the DDoS were not unprotected home computers, as is typically the case. Instead, they were what is known as the Internet of Things (IoT): DVRs, baby monitors, and internet-connected cameras, new consumer products that connect easily to the internet. These devices frequently have poor security, often shipping with a factory password that the owner never sees, let alone changes. Early reports put the number of attacking sources in the tens of millions; the target’s own estimate afterward was around 100,000 infected devices, which was still far more than enough.

Second, the target of the attack was not a specific website, but part of the Internet’s infrastructure. The attack was aimed at Dyn, a company whose DNS servers answer name lookups for many large sites. DNS is what allows you to type in a human-friendly address, such as fool.org, instead of a machine-friendly address, such as 151.101.193.143. DNS is one of the oldest parts of the internet and was built without modern security in mind, making it vulnerable to attack. When a site’s DNS servers can’t answer, the site itself may be running fine, but once the cached answers on your computer expire, nobody can find it.

A third detail, which may be the scariest, is that the software to carry out this sort of attack (the Mirai botnet code, which scans the internet for devices still using factory-default passwords and enlists them) was released to the public just weeks earlier, practically guaranteeing it will become a common occurrence. It’s now possible for just about anyone to launch this kind of attack if they have minimal proficiency with computer hacking.

While this attack was against the central infrastructure of the internet, it was made possible by poor security of internet devices everywhere. It’s a scary reminder of the importance of keeping your online life secure, for your own safety as well as the safety of everyone else. In the coming weeks I’ll be sending some emails with ways to protect yourself and your devices. Please take a few minutes to read them. With just a little effort, we can avoid the scariest tricks this Halloween! Thanks,

Thom

Other sources:

NYTimes report

A more technical explanation, by a respected security professional.

Lockpicking in Computer Science


I picked up a new hobby at Defcon this year. It turns out that there is a lot of crossover between the lockpicking and hacker communities. It looked so fun I thought I had to give it a try. And when I began talking about security in my computer science class, I picked a lock as an illustration of a point I was making. I’m not sure if the point was received or not, but the kids were VERY interested in the lockpicking! So of course that became a carrot. If we could get through the material I hoped to get through, I would show them how it’s done. A couple weeks later, I found the time to try it during a study session. The kids went nuts for it! Well over half the class managed to pick a simple padlock over the next couple of days, and some of them have stuck with it. I’ve had at least three pick standard home-use five-pin tumblers (inspiring me to up my own game!), and I’ve heard from a couple that they have ordered their own picks and practice locks already.

I’m not aware of lockpicking being on the curriculum at any school. And I’d be hard pressed to justify adding it. But I’m a strong believer that if the kids are passionate enough about something to spend their own time learning it, then it is well worth the time to support that.

It’s really difficult to tell what will excite a particular child, and sometimes the most unexpected things will become fads. When my own son attended this school, a teacher introduced him to the Rubik’s Cube. It became his obsession for a couple years. He spent countless hours researching and practicing, and finally achieved a time of around 20 seconds. All of this was completely on his own. This knowledge will probably not get him ahead in life, but his ability to learn on his own and become passionate about it certainly will.

So while I’m really excited about teaching the kids as much computer science as I can manage to pack in, and while I’m convinced that they can’t get enough of reading, writing, and math, I’m really glad that I could spend a few hours on something that might be completely impractical and not on any standards. Because sometimes, that’s where the important learning happens!

 

Final Breakout activity

I finished off my computer science unit with a breakout activity that I thought went very well. I broke each class into four-person teams, and gave each of them a locked box. The only clue on the box was a long string of 0s and 1s I attached with a label maker. The students eventually figured out they needed to translate the binary into ASCII, which gave them the combination to the lock (the first class actually figured out they could get the contents out of the cheap Harbor Freight box without actually opening the lock. I fixed this later by packing more stuff into it!). Inside the box was a hard drive, with a sticky note challenging them to guess the password. It also contained a decoding wheel, which we’d used doing ciphers earlier. The students installed the drive into a computer (computers were conveniently stashed nearby) and attached all the peripherals. When they booted it, they were met with a password screen, and had to guess. This was the trickiest part, since all the groups were trying to decode random things to find a password. I’d hoped they’d get my earlier hint and try to actually guess common passwords, which they eventually did.

The only file visible on the computer screen was a secrets.txt file, which contained a ciphered text and a cryptic clue the students needed to google for the key. This went very smoothly, and almost all groups were able to decode the Vigenère cipher pretty quickly (a victory for me, since I’d tried unsuccessfully to teach it in the past!). The cipher instructed them to find another searchable piece of information, and deliver it and a flower to the front desk. I was just curious to see how the groups would handle the flower. Some picked one outside, one group brought a flower-shaped pen. No one thought just to draw one. Once everything was delivered, each group member got their 3D-printed “I Survived Computer Science” medal.

I got lucky in that the activity took up about the right amount of time. The last group finished with about ten minutes left in the hour-and-fifteen-minute class. That left just a bit of time for clean-up! When I surveyed the students, later, they said this was one of their favorite parts of the class, so I’ll definitely be trying it again.

Some days I can’t believe I get paid for this

It’s the first day back for my 6th grade computer science class, and I couldn’t be happier. After a couple years of tweaking the format, and moving some of the technology (google apps) down into some lower grades, I’ve had the best first class ever. I just can’t wait to get into some of the lessons I have planned. Here is the basic outline of what I’m going to cover.

 

6th Grade CS

Boot Camp

Getting up and running with documents, printing, logging in, yada yada yada I know you all know this stuff already but we kinda have to cover it anyway I promise I’ll move quickly but we have to make sure everyone knows the basics.

Digital Citizenship

Passwords

Search

Potential pitfalls with posting online

Good practices for posting online

Hardware

What is a computer, anyway?

Taking it apart – computer dissection

All about computer memory. I think.

Giving your computer the boot – how your computer starts up.

Networking

Let’s do lunch! Or, what’s a network?

All the wires!

What’s the internet? And where is it, anyway?

Way too many acronyms – how it works, and how to fix it (sometimes).

Data!

Binary numbers, or how to count to 1.

ASCII, and you will receive. Turning numbers into text.

Pictures, movies, sounds!

Copyright, or copy-wrong?

Cryptography

How to make sure no one else knows you’re writing a love-letter!

Some things we may do along the way

Programming

Presentation software

Logic gates – how computers work at a really, really, really small level

Super Secret Grand Challenge