VIII. Remote

What is “Remote Access” ?

• Using someone elses computers (hotel or even at a friend’s house)
• Traveling with devices that can be stolen
• Using someone elses Wireless networks (Coffee shop, hotel, airport)
• Unauthorized use of your own Wireless network
• PROBLEM: Remote users (travellers) are not educated on remote use CNN report on Remote Access

What does it mean to say a computer “isn’t secure”?  It means the computer (or network) doesn’t have the minimum configuration to make it hard enough for the criminal to go elsewhere.  The device can not  be trusted because one or more of the following exists:

• The data stored on the computer is not protected from change, theft, deletion or can’t be kept confidential.
• The software on the computer is not upgraded or patched to the currently known safest configuration
• The device is not known to be free of malicious software that could copy or delete accounts, passwords, personal data or other sensitive information.
• The computer or network (either wireless or wired) may allow data passing through to be copied, viewed, re-routed, altered or manipulated by unauthorized people.

In many cases, information being sent isn’t that important–it’s “just email” that doesn’t have any sensitive information in it.  The conflict arises when it becomes so convenient and comfortable to use that we forget it isn’t safe for sensitive information.  Crooks know human nature better than most, and they take advantage of the desire for convenience.   Criminals will deliberately go to a hotel computer kiosk and install keystroke loggers that send account information back to the criminal.  They will sit in public places (airports, coffee shops, libraries, hotels, etc)  with laptops configured to “sniff” or copy the data being transmitted over a wireless network on to their hard drive, then take it home to analyze.  Often they’ll wait several months and then use the compromised accounts and passwords when the victim has forgotten when they could have had their information stolen.

Wireless is more insecure because the transmissions are broadcast, like a radio, to anyone within broadcast range, not just the person using the wireless service.  That distance can be tens of feet in a city to miles in the desert.  When the wireless standards were written security wasn’t a concern.  As wireless has become more widespread additional standards have been written to try to correct what wasn’t done in the beginning.  Therefor there are multiple ways to configure wireless, some less secure than others.   The vast majority of wireless networks being used either at home or in businesses do not have the additional security and encryption configuration to keep casual snoopers out.  The earliest additional security configuration for wireless was Wireless Equivalency Protocol (WEP) which can be compromised in a few minutes.  Wi-Fi Protected Access (WPA) followed WEP but it can also be broken in minutes.  The latest Wireless configuration is WPA2, but it can also be broken although it may take a couple of hours.  Wireless computing is not to be as trusted as wired computing either at home or at work or when traveling.  If using wireless be hyper vigilant about what information is either on the portable device or what sensitive information could be compromised.

When away from home or work, physical security of the computer becomes much more important.  Tens of thousands of laptops are stolen from airports each year.  One of the largest data breaches in history occurred because a laptop containing PII of 26 million veterans was taken home and was stolen from home.

• Use a VPN (virtual private network) which is an encrypted session between you and the work (or home) computer at the other end of the VPN.  A VPN prevents someone from reading what is sent within the encrypted session, but if malware is already present at either end, then the malware is sent (albeit encrypted) through the VPN to the computer at the other end!
• On portable computers make sure that the hard drives are encrypted so that even if they are stolen or compromised, data cannot be read from them.
• Never use a hotels’ common computers or a computer kiosk in a public place; virtually all of them have keystroke loggers on them.
• If using personal equipment on someone elses wireless network, assume it is insecure
• Don’t sent senstive information
• Scan the computer when returning home.
• Disable a laptop’s wireless network when not using it.
• Disable smartphone wireless and bluetooth when not using it (also prolongs battery life)

Secure Home Wi-Fi! 

A home Wi-Fi is tied to an individual’s Internet Service Provider (ISP) account.  If a neighbor downloads child pornography, illegal music or videos through your Wi-Fi connection, your name is the one that the ISP will give the police.

• Change the default router web configuration administrative password to something long (>14 characters, the longer the better) and set a long password for devices to connect to the Wireless Router network.
• Record the passwords.  [Free AES 256 encryption digital password “safes” are KeePass (pc), Keeper (iPhone/Android-pay only if you use cloud storage)]  Wireless routers seem to need to be reset periodically or devices lose contact with them and you need to know the password to reconnect.
• Select WPA2 encryption
• For the SSID name use something general.  Do not use your house number,  last name, phone, family names, hobbies,  or anything that can point to whom the router belongs.  (Use animals, colors, insects, clothing, etc.)
• In the configuration, uncheck “Broadcast SSID”.  That way your neighbors won’t see your network.  You will know the name and be able to type it in but they won’t. (There are pros and cons of doing this; if disabled your devices spend more time looking for your router signal).
• Add the specific MAC addresses that are allowed to use the wireless router and deny all others.  MAC addresses can be found on smartphones etc and look like 01:ab:c3:44:5d;0f (use 0-9 numbers and letters a-f)
• Unplug or shut off the Wi-Fi router when not using it.

For Enterprise-Class Wi-Fi (with Active Directory) implementing Wi-Fi,  here is a good summary

What’s the next thing on the block for Wi-Fi? 

• SUPER WI-FI!    … Which can travel over much greater distances and uses the spectrum of unused television channels to broadcast.   http://www.geek.com/articles/chips/houston-grandmother-first-to-use-new-super-wi-fi-technology-20110424/
• 4G — What is 4G?   4G stands for Fourth Generation of Cellular Communication.  There is not yet an industry standard on what 4G is and there is no true 4G service yet.  True 4G should have 10 times the speed of current 3G, enhanced security standards as well as an IP addressing system and reduced signal loss.   Areas with strong 4G coverage could use it for cableless home Internet access or Internet access on the move without needing a wireless hotspot.   Sprint and AT&T marketing departments call their WiMax or HSPA+ network, 4G.  T-Mobile & Verizon call their’s Long Term Evolution Advanced (LTE-A) .  All have what they say is 4G but they’re really just enhanced 3G, that is poised to use 4G when it is ready.     Securing 4G for businesses is another issue:   http://www.networkworld.com/news/2010/062110-securing-4g-smartphones.html and will have to include the following:
• Securing data — it will be critical for all smartphones to have remote wipe to delete all data on lost devices (right now only iPhone and Blackberry have this capability).
• Encryption — smartphones will need to use strong SSL VPNs and encryption of data on  the devices
• IT departments will need to define what applications are allowed on company phones
• Smart access based on a combination of identity, endpoint characteristics and behavior, multifactor strong identification, strong SSL VPN capability with customizable access based on the device.
• Anti-malware for smartphones that doesn’t eat up the battery.  Androids present the biggest problem since Google doesn’t monitor the application writing standards like Apple and Blackberry do.

-Rugged is  understanding the different threats involved away from work or home, when using a portable computer (laptop, smartphone, tablet) or someone else’s computer.