Little Common Sense Problem

Wi-Fi Security Threat You May Not Realize Is Hunting You

There’s an old trick out there to catch all the new dogs that come into town. The screenshot was taken in the middle of a busy Brooklyn neighborhood, in the middle of the day. Do you see the danger already?

If not – here’s a little hint: there are Time Warner Wi-Fi hot spots in New York, but they are in Manhattan and Queens, not Brooklyn. Something else – the spot where I got this reading is exactly out of reach of the only 3 available Optimum Wi-Fi hot spots on their map, so I definitely did not expect to see 69% signal strength – more like 10 – 20%. So what the heck is going on with all three networks, including XFinity Wi-Fi, having the same signal strength? Someone has set up a rogue router that poses as XFinity WiFi, Optimum WiFi and Time Warner WiFi at the same time to capture your data. Those network SSIDs you’re seeing – all fake.

If you bought any recent laptop, chances are your firewall is set up and enabled, and it will take some time and dedication to break into your laptop. Not to say it’s impossible – it just requires time, effort and knowing you’re actually there. With fake Wi-Fi hot spots, someone can set up a script that automatically captures anything you send over the rogue Wi-Fi network, so anyone connected through it is voluntarily giving up their data to whoever is willing to listen. Since your device will most likely connect to a known Wi-Fi network automatically, it will hook you up with a fake one just as easily, without you even realizing it. No time, no effort – everything just happens automatically as long as the rogue SSIDs match the real SSIDs of public networks. It’s like shouting all your secrets and passwords in the middle of the street: if anyone listens closely enough – you’re going to have a problem.

How to prevent this? Make sure your device – be it a laptop, iPhone or iPad – asks for your explicit permission before connecting to any Wi-Fi that is not yours at home or at work. Before you go someplace, check what Wi-Fi options are available and don’t use those that seem too good to be true. Apply some common sense to the situation and don’t fall into the trap of a fake Wi-Fi hot spot, or it may prove to be too hot.
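
The clue from the screenshot (competing providers' hot spots all showing the same signal strength) can be checked automatically. The following is an added example, not part of the original post: the scan records, BSSIDs and operator table are constructed, and treating BSSIDs that share their first five octets as one radio is an assumption.

```python
from collections import defaultdict

# Constructed table: public hot-spot SSID -> the provider that operates it.
OPERATORS = {"XFinity WiFi": "XFinity", "Optimum WiFi": "Optimum",
             "Time Warner WiFi": "Time Warner"}

# Constructed scan results (signal in %), modelled on the screenshot described above.
ROGUE_SCAN = [
    {"ssid": "XFinity WiFi", "bssid": "02:00:00:AA:BB:01", "signal": 69},
    {"ssid": "Optimum WiFi", "bssid": "02:00:00:AA:BB:02", "signal": 69},
    {"ssid": "Time Warner WiFi", "bssid": "02:00:00:AA:BB:03", "signal": 69},
    {"ssid": "HomeNet", "bssid": "02:00:00:11:22:33", "signal": 45},
]
CLEAN_SCAN = [
    {"ssid": "XFinity WiFi", "bssid": "02:00:00:C0:00:01", "signal": 40},
    {"ssid": "Optimum WiFi", "bssid": "02:00:00:D0:00:01", "signal": 15},
]


def operators_in(nets):
    """Set of distinct providers behind the branded SSIDs in `nets`."""
    return {OPERATORS[n["ssid"]] for n in nets if n["ssid"] in OPERATORS}


def suspect_groups(scan, tolerance=2):
    """Return (reason, sorted SSIDs) for groups that mix competing providers."""
    findings = []
    by_radio = defaultdict(list)
    for net in scan:
        # Assumption: SSIDs served by one radio share the first five BSSID octets.
        by_radio[net["bssid"].lower().rsplit(":", 1)[0]].append(net)
    for nets in by_radio.values():
        if len(operators_in(nets)) > 1:
            findings.append(("same radio", sorted(n["ssid"] for n in nets)))
    # Cluster branded networks whose signal differs by at most `tolerance` points.
    branded = sorted((n for n in scan if n["ssid"] in OPERATORS),
                     key=lambda n: n["signal"])
    cluster = []
    for net in branded + [None]:  # None flushes the last cluster
        if net is not None and (not cluster
                                or net["signal"] - cluster[0]["signal"] <= tolerance):
            cluster.append(net)
            continue
        if len(operators_in(cluster)) > 1:
            findings.append(("same signal", sorted(n["ssid"] for n in cluster)))
        cluster = [net] if net is not None else []
    return findings


if __name__ == "__main__":
    print(suspect_groups(ROGUE_SCAN))
```

A hit is a reason to stay off those networks, not proof: two genuine hot spots can happen to read the same strength, which is why the radio check is reported separately.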


Protecting WordPress

In order to protect your WordPress installation the following steps are mandatory.

Step 1: Read this post from Matt Cutts on protecting your WordPress installation. If you don’t know what the .htaccess file is or does – read this or this.

Step 2: If you have access to cPanel or any other hosting management script – log in to your hosting management console and turn off indexes for your web directory. If you don’t know what I am talking about – make sure you repeat step 2 from the article mentioned above for all folders where no index.php file exists.

Step 3: Instead of denying IPs you can simply password-protect the /wp-admin/ directory. On my installations it has the weird effect of redirecting straight to the index page instead of asking for a login/password. Even better – no password to remember, and you can still use one of the blog editors to upload content.
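
To find the folders step 2 is about, you can audit your own web root for directories that have no index file and are not covered by an `Options -Indexes` line. The following is an added example, not code from the original post or from WordPress: the index file names are assumptions, it assumes Apache honours .htaccess files, and it does not handle a child folder that switches indexes back on.

```python
import os
import tempfile

INDEX_FILES = ("index.php", "index.html")  # assumed DirectoryIndex names


def disables_indexes(htaccess_path):
    """True if the file has an `Options` line containing -Indexes."""
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                words = line.split("#", 1)[0].lower().split()
                if words[:1] == ["options"] and "-indexes" in words[1:]:
                    return True
    except OSError:
        pass  # no readable .htaccess in this folder
    return False


def listable_dirs(web_root):
    """Folders with no index file and no -Indexes at or above them."""
    web_root = os.path.abspath(web_root)
    exposed, protected = [], set()
    for dirpath, dirnames, filenames in os.walk(web_root):
        dirnames.sort()  # deterministic order; parents are visited first
        if (os.path.dirname(dirpath) in protected
                or disables_indexes(os.path.join(dirpath, ".htaccess"))):
            protected.add(dirpath)  # the setting is inherited by subfolders
        elif not any(name in filenames for name in INDEX_FILES):
            exposed.append(os.path.relpath(dirpath, web_root))
    return exposed


def demo():
    """Audit a constructed WordPress-like tree in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("wp-content/plugins", "wp-content/uploads/2015", "wp-includes"):
            os.makedirs(os.path.join(root, *sub.split("/")))
        for rel in ("index.php", "wp-includes/index.html"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return listable_dirs(root)


if __name__ == "__main__":
    print(demo())
```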


Why Trusted Platform Module won’t protect you

Recently I was asked a very good question about the Trusted Platform Module. The question stated that once the hard drive is removed from the system, nothing prevents an attacker from breaking the encryption (even by brute force) and obtaining the data, no matter how secure it is.

Pretty much all the protection applied in contemporary systems is built upon the thesis that any data is decipherable given either LOTS of computer power or LOTS of time, which makes the data either too expensive to obtain that way or obsolete by the time it is deciphered.

Obtaining data from any hard drive is a very expensive and time-consuming process. Unless you keep a little too much information on it – no one gives a damn. Basically, targeted attacks only make sense if the attacker has enough reason to believe that a certain laptop holds something of value. In all other cases – it’s cheaper to get “stuff” through other means.

That’s the primary reason for spam and phishing attacks – it is cheaper and more productive to attack the weakest link in the security chain. That link happens to be a human, since most successful attacks use social engineering rather than brute-forcing your password. Why break in if you can ask and get it?

Generally speaking, most of the security rules in place are impenetrable enough that fraudsters divert their efforts from brute force and other types of high-tech attacks and pursue scamming and phishing instead. Penetrating current security measures requires very high levels of knowledge and intelligence, as well as knowing the ins and outs of the particular system one plans to attack. Crafting a fake bank web site and sending zillions of fake notifications to “update your account info”, however, requires far less time and knowledge and costs almost nothing. The financial outcomes are nevertheless significant enough to make such attacks more feasible and more numerous.