How concerned should I be in light of the recent cyber attacks? Is my cable modem an “open resolver”? Can it be hijacked?
The short answer: I have configured most of my clients’ routers to distribute addresses for DNS servers provided by the OpenDNS project. Read on to learn how that protects you.
I had never considered the possibility of a hacked cable box, I suppose mostly because I’ve never heard a geek mention it. I just did a googling of “hack cable modem,” resulting only in discussions of how one might rejigger one’s own modem to elevate the connection speed or get free Internet, both of which appear to be quite prosecutable offenses.
I’m no hacker, but I have a decent handle on small-network security, and I have difficulty imagining the purposes to which a miscreant might put a cable modem. It can’t send data by itself, and your own local network is protected by the router that sits behind the modem.
So, onto discussion of the recent cyber attacks against Spamhaus.
As this article explains, the attack is actually performed on vulnerable DNS servers, such as those run by less vigilant Internet service providers around the world.
What’s a DNS server?
DNS is not hard to understand — it can be thought of as the phonebook of the Internet. When you ask your web browser to go to www.i-wish-elliot-spitzer-hadnt-been-such-a-schmuck.com…well, let’s use www.google.com as a shorter example…your browser first asks your computer what DNS servers it should use to look up the address.
In my house, my computer sends my browser to the OpenDNS Project’s servers 126.96.36.199 or 188.8.131.52. (We always have a second server as a backup in case the first one isn’t available.)
Then my browser asks the OpenDNS server where to find www.google.com. It receives a numerical reply, the IP address of Google’s Web server. Then the browser goes to that IP address and asks for whatever web-page information the server cares to give it.
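An added example, not the author's code, showing what that lookup looks like on the wire and how the “open resolver” question at the top of the post is actually tested: it builds the same A query for www.google.com that a stub resolver sends, parses the reply, and reports whether the server recursed on the client's behalf. The sample reply and the 203.0.113.5 address are constructed; check_resolver needs a network connection and is only meaningful when run from outside the network the resolver serves, since your own ISP's resolver is supposed to answer you.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with RD (recursion desired) set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Pull the RA flag, RCODE and any A-record addresses out of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # step over the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "recursion_available": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "addresses": addrs}

def looks_like_open_resolver(result):
    """RA set, NOERROR and an answer for a client outside its network: it recursed for anyone."""
    return result["recursion_available"] and result["rcode"] == 0 and bool(result["addresses"])

def check_resolver(server, name="www.google.com", timeout=3.0):
    """Ask `server` (UDP/53) from outside its network; needs a connection, so not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data)

def constructed_response():
    """Constructed sample reply, not captured traffic: NOERROR, RA set, one A record 203.0.113.5."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5])
    return header + build_query("www.google.com")[12:] + answer

if __name__ == "__main__":
    reply = parse_response(constructed_response())
    print(reply, "open resolver:", looks_like_open_resolver(reply))
```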
How does this help hackers?
To understand the recent malfeasance: it’s called a Denial of Service (DoS) attack. Here is one example:
Imagine someone hijacks one of these vulnerable DNS servers, so that when you ask for Google.com, you actually get directed to some other Web server. Now imagine everyone using that ISP’s servers having every single one of their browser requests directed to the same Web server. The unsuspecting server would get barraged by requests, and would have to start turning some of them away — denial of service.
Service breaks down, customers get angry, service loses money, attack successful.
The big ISPs in America protected themselves against these attacks a few years back. But even before that, when the attacks first reared their heads, I looked into the prescribed ways to protect oneself, and immediately started plugging the OpenDNS servers into all my clients’ routers. Crisis averted, at least for us.
Hackers employ several methods to effect a DoS. As I understand it, the goal is not direct monetary gain, but perhaps a hobbling of an adversary, or even an expression of protest. DoS is a typical weapon of the hacker collective Anonymous.
As you can see on the OpenDNS page, using their servers offers other benefits and features, including faster replies to queries and configurable web-content filtering for those with tender sensibilities.
Bonus nerdy information
Google actually started its own public DNS service a little while ago. You can use the servers 184.108.40.206 and 220.127.116.11 in place of the OpenDNS servers.
They have put up a page explaining DNS security in more depth.
I hope you find this information in any way helpful or reassuring.
If you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We’ve already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.
Got GSP? Picking a Good, Strong Password
You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?
Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.
This intrusion is not just an inconvenience to your friend and the people in their inbox. If someone has your email password, they can get passwords to ALL of your other online accounts, including possibly banking. And hackers make money — more than you might think — by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let’s continue.)
How do they do it? I’m not a hacker, but I can abstract it: The bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point other software at the Gmail servers, and run software to try to log in to known accounts by guessing all the possible password permutations. Unless you’re famous and being specifically targeted, they’re not researching the names of your kids and pets. They just run through the dictionary, and common names, and number sequences (e.g., “1234”), and their bots work really fast. If your password is simpler than what I’ve outlined below, they can guess it.
Here’s a really disconcerting site, which I found by googling “crack gmail password.” There are others.
So, I’ve already posted this, but it’s well worth restating: Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.
A Good, Strong Password contains:
- at least 10 characters of both letters and numbers
- at least 1 capital letter, preferably in the middle
- at least one non-alphanumeric character, preferably in the middle
- no recognizable names or words.
Microsoft words its recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a bunch of recognizable words would be safe-ish. I also like passwords that are easy to type, as long as they don’t contain keys in order, such as “fghj.” Here are some other tips.
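An added example (not the author's) that turns the four rules above, plus the “fghj” caveat, into a checker that separates the hard rules from the “preferably” tips. The short word list and keyboard rows are constructed stand-ins for the dictionary and common-name lists the post says the guessing bots run through.

```python
import string

# Constructed stand-ins for the dictionary and common-name lists the post says
# guessing bots run through; a real check would load a full word list.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "john", "sarah", "princess"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def _in_middle(pw, predicate):
    """True if some character matching predicate is neither first nor last."""
    return any(predicate(c) for c in pw[1:-1])

def contains_dictionary_word(pw, words=COMMON_WORDS, min_len=4):
    """Is a recognizable word or name of min_len+ letters hiding inside the password?"""
    lowered = pw.lower()
    return any(w in lowered for w in words if len(w) >= min_len)

def has_keyboard_run(pw, run_len=4):
    """Is there a run of adjacent keys in order, like the post's 'fghj', in either direction?"""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            run = row[i:i + run_len]
            if run in lowered or run[::-1] in lowered:
                return True
    return False

def check_password(pw):
    """Return the post's hard rules the password breaks and the 'preferably' tips it misses."""
    problems, suggestions = [], []
    if len(pw) < 10 or not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        problems.append("at least 10 characters, with both letters and numbers")
    if not any(c.isupper() for c in pw):
        problems.append("at least one capital letter")
    elif not _in_middle(pw, str.isupper):
        suggestions.append("put the capital letter in the middle, not first or last")
    if not any(c in string.punctuation for c in pw):
        problems.append("at least one non-alphanumeric character")
    elif not _in_middle(pw, lambda c: c in string.punctuation):
        suggestions.append("put the non-alphanumeric character in the middle")
    if contains_dictionary_word(pw):
        problems.append("no recognizable names or words")
    if has_keyboard_run(pw):
        problems.append("no keys in keyboard order")
    return {"problems": problems, "suggestions": suggestions}

if __name__ == "__main__":
    for candidate in ("Password1!", "fghj1234Ab", "k7t!Rv9pq2"):
        print(candidate, check_password(candidate))
```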
I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.
The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in device for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.
Do the It’s-Really-Me Two-Step
There is another method to lock your ID even tighter. It’s called “two-factor” or “two-step” authentication. Not every service offers it, and I won’t lie and say it ain’t for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.
You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.
Also, for all your other apps that access your account, such as an email or calendar program, Google will generate a single-use “application” password that you only have to enter once; it will get stored by your computer or phone, and if said device gets stolen, you can revoke permission.
“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…
Google offers a couple of backup verification methods in case you can’t get a text: You can receive a voicemail with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 “backup” codes on it. Really, I’m not kidding.
They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.
Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.
Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:
Facebook should already know your cell number, and will text you a code to enter.
I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.
Welcome to the Age of the Hack. Don’t shoot the messenger.
Note: The recommendations, opinions, and prescriptions are just one man’s view on creating a basic secure network. There are infinite ways to do this dependably, and these are the ones I think are easiest and most cost-effective.
I’m setting up my home network. I would like to allow connections with just one computer from outside the firewall, via VPN, and not allow any other incoming browser or FTP or any other sessions. What hardware can accomplish this?
First of all, it’s worth reading this explanation of home networking.
In many ways, any proper router, including an Apple Airport device, provides a firewall when you don’t open ANY holes in its network configuration. When a router or server manufacturer promotes its “firewall” as a feature, they mean that you can configure those holes more specifically.
Definition: Here, I use “holes” as English for “ports,” which on a network are numerical openings in a firewall, through which network traffic is allowed to pass. We might open those ports using a protocol called NAT (network address translation). With NAT, I can say, just for example, “When I am away from home, I want to securely access my home network with a web browser, to see my security cameras.” So I set my router to direct all traffic on port 443 (the secure web browsing port, or HTTPS) to the network address — the IP address — of my security system.
You might, for example, schedule certain ports to be open at certain times of the day, or direct certain traffic to one IP on your network, in case you did indeed want to have a web or FTP server. A firewall might also let you restrict outgoing traffic to specific ports, and will also keep a log — at a detail level you specify — of incoming and outgoing traffic.
In your case, I’m seeing that you want all holes blocked, except for those that would permit the VPN. A VPN allows you to establish a tunnel through the firewall — a tunnel that encrypts all the traffic going through it.
Can I achieve this with a VPN installed on Mac mini?
Yes, combined with a good router.
If I do not have a dedicated firewall, what is keeping the bad guys out?
See above. One of the most important strategies in security is not to turn services ON. Older Windows machines, especially before XP Service Pack 2, seemed to me to be wide freakin’ open out of the box, advertising their presence on a network and too easily offering basic file sharing, even without requiring a password. Macs are not that open straight off, but their firewall is not on by default, so whenever you turn on a service — iTunes music sharing, for example — it does not request permission to open a port, which does happen when you have the firewall on. The firewall on the Mac also includes logging.
On a laptop or other mobile device, I usually turn almost all services fully off. But it’s nice to have some services turned on on some desktop computers. It would be a shame, for example, to have music or photo sharing turned off on the machine where those things mainly reside.
So here’s the HEADLINE: To maintain good security, the most absolutely crucial technique is to lock down all services with good passwords, and use as many different passwords as you can safely store and readily access.
“Good,” in this case, means letters (some capitalized), numbers, and a special character or two. Learn where and how to change your passwords, and do so regularly. Don’t write them down. Your Mac stores passwords, certificates, and private notes in a well-encrypted file, the keychain, and that’s the best place for them. There’s also software called 1Password that’s worth a look.
Learn to manage passwords and you’ve learned to manage your security.
I am renovating my house, and I want to wire most of the rooms with Ethernet.
That is a fantastic idea, for several reasons: It increases the resale value of your house just like a good electrical or HVAC system does. It’s also important to realize that, while wireless networking is cool and all, there is nothing as reliable as a cable.
I have more information, and a table to help calculate the costs of setting up your network posted at Google Docs, right here.
Last year, I wrote about some folks in San Antonio who lost a couple of iMacs to theft. The SAPD reports that crime went up last year from 2006, and I have heard, secondhand, from a crime-statistician that there has been a marked increase again in 2008.
It goes without saying that portable computers are even more vulnerable than desktops, and it’s inconvenient to use the security cables I mentioned in the previous post on them.
So here are a few software-plus-service packages that people should know about. One of them you may already be using:
Back to My Mac
Since Leopard came out, the MobileMe-né-.Mac service has offered a feature called Back to My Mac. I’m not going to dwell on this, because it is one of the least reliable things Apple has ever produced, but it is worth mentioning that it did help one user reclaim her stolen MacBook.
Paid services: MacPhoneHome and Undercover
These are really cool services, and quite inexpensive. I really like that they involve one-time fees, with no monitoring charges. The first one, MacPhoneHome, has been around for a while, along with its cousin PCPhoneHome. They purport success, and the $30 tag is great. But my main man Erick recently uncovered Undercover, which has a phenomenal feature set, and is clearly designed by Mac lovers. I’m sure both of these services would have roughly the same chance of recovering your property — may you never have to find out — but Undercover just feels like a better product.
Dynamic DNS
I also won’t spend much time here, ‘cos it would have to get technical. Quick definition: Dynamic DNS uses a free service such as dyndns.com to translate an IP address — be it your home or office internet’s ever-changing IP, or whichever connection your laptop happens to be using at the moment — into a hostname, e.g. johnqmacbook.dyndns.org. So I have a program called DNSUpdate continually reporting my MacBook Pro’s external IP address to DynDNS. It’s a system-level process that starts at bootup, so the hope is that, if someone swiped my laptop and fired it up, it would report its address, and just maybe Johnny Law could work with the relevant internet service provider to track down that last-known location. It’s a long shot, but the other services discussed here partially bet on the same probability.
A little while back, the offices of two of my clients got broken into, only a couple of days apart. The similarities were weird! Both doctors’ offices, and both got 2 iMacs ripped off from the front desk.
This started to read like a Dickens novel: In one office, we had daily backups running to a server, and that office ran out the next day and got new machines (ultimately reimbursed by insurance). We restored from their backups, and they were back in business. In the other office, they had ignored warnings about backing up, and they had to re-input months of data. Some files, including pictures, could never be reproduced.
But in both cases, the entire situation could have been averted if security cables had been attached to the machines in the first place. Almost any computer — certainly any Mac — and many peripherals such as external hard drives come with little holes in the chassis that accommodate a security lock standardized by the peripheral manufacturer Kensington. Several companies make cables that fit into these holes, and are locked by key or combination.
It is nearly impossible to force the lock out of the hole without ruining the computer’s case (and thus its resale value), and most would-be burglars don’t carry the bolt cutters necessary to sever the cables.
Here are some Amazon links to cables by Kensington and Targus. I bought a couple of each, and they’re fine. Be careful, as this one by Belkin (a company I usually like a lot for its quality and lifetime warranties) doesn’t fit some locks.
All of my home Macs, and their backup drives, are now locked down to their furniture, and I have a cable with me always for my laptop, in case I need to walk away from it in a busy environment.
Happy — and secure — computing!