Thursday, November 29, 2012

The Email That Hacks You: Securing the Home Network

I’ve written about this before, but a report this week on yet another way to exploit unsuspecting home Internet users seemed like a good excuse to update my blog.

A security researcher at Acunetix wrote this week about a simple way he found to hack some common home WiFi routers. He based his research on the fact that many email programs will automatically download and display embedded email. Most programs can be configured to not do this, and I can’t knock the convenience of not having to expressly download images to see what someone I know and trust sent. But this behavior can be abused: in his research, instead of embedding the location of an image file in his email, he embedded a link to his home router, crafted to log in with the default password and issue some commands. As far as the email client knew, it was an image, so it tried to load the link. As far as the router knew, the mail client was a legitimate user, supplying the legitimate password, and so it let the command go through.

What I wrote 2 years ago is still a pretty good foundation. I look at home security as having 4 legs: installing the latest software patches; a firewall to keep bad stuff from coming in; a web filter to keep from getting to bad stuff; and an antivirus program to deal with the bad stuff that will (not might) get through. To that I would add one more: lock the door (in other words, be intelligent in the use of passwords, and never leave the default password on anything of value).

Windows and Mac OS both have an auto-update feature that will automatically install any patches and software updates for the operating system (and in the case of Windows, for Microsoft products such as Internet Explorer and Office). Ditto for iPhone iOS and Android. Other products have similar features - just make sure they are turned on. Some of the more common products you may have that need to be updated regularly are Firefox, Chrome, iTunes, Adobe Reader, Adobe Flash, and Java. Patches frequently fix bugs that attackers exploit to do things with a computer that you did not intend. Some of the more famous virus and worm events could have been prevented by simply installing patches already available from the vendors.

If you have a wireless network (also known as a wireless router or wireless access point), it almost certainly has a built-in firewall. If not, Windows has a built-in firewall that you can turn on by going to the control panel and opening the "Windows Security Center" panel. More and more entertainment devices are becoming Internet-aware, though (tablet PCs, game consoles such as the Wii or Playstation; set-top boxes such as Roku or Tivo; Blu-Ray players, and now even televisions themselves). If these devices are connected straight to the Internet, they can become targets for hackers. If at all possible, they should be connected through either a wireless router, or through a hard-wired router that has a built-in firewall. Oh, and on the topic of wireless networks, make sure the wireless access itself is secure!

The above attack relies on the home router having the vendor’s default password. Simply changing that password to something not easily guessed would thwart that particular attack. Some routers add a second layer of security in the form of a “captcha,” or additional (sometimes hard-to-read) text it displays for you to type back in. As simple and silly as that seems, the human brain is so far much better at pattern recognition than any electronic device.

A web filter is commonly found on library and school computers, and frequently on corporate networks as well. It is intended to prevent access to inappropriate content, but in many cases will also prevent access to sites known to host malware. K9 Web Protection offers a free web filter for use on personal computers - I run it on every system in my home. For mobile devices, I have found Norton Family to be pretty useful. The free version is good basic web filtering, and for $50 per year it adds monitoring of SMS/text messaging, apps, and video downloads. It prevents me and my family from accidentally stumbling into things we don't want to see, but it has also dramatically cut the amount of malware we see on our computers.

I also started using a tool called “OpenDNS” as one more layer of web filtering. DNS, or Domain Name Resolution, is how your computer knows that www.google.com is actually “74.125.224.242.” It happens silently in the background and is usually ignored unless it stops working. Most routers can either accept the default DNS server provided by your Internet provider, or take a specific DNS server you provide. OpenDNS FamilyShield is a free service that simply doesn’t resolve website addresses that go to known “adult” content (more accurately, it resolves such websites to a benign address that says “you can’t go there.”) It’s not perfect, but it’s one layer in the chain, and it is completely transparent.

Next, run an antivirus program on your computer (even a Mac - Apple has a reputation for not having malware problems, but it is not necessarily true. There are viruses and worms on Macs and iPads, and they are gaining popularity among hackers). Microsoft's free Security Essentials is pretty good, and you can't beat free. On the subject, pay attention to the antivirus program you have installed, and know what it looks like - a common malware theme the past few years is to pretend to be a new antivirus program that has detected malicious software on your PC.

Lastly, use common sense with passwords. Don’t use the same password for every site – and especially don’t use the same password for sites that deal with anything you consider sensitive (such as financial institutions, medical providers, email, Facebook – what someone considers sensitive may vary from person to person!).

I personally have one low-security password I use for sites that don’t matter to me, and use a password management program to keep track of more secure, unique passwords for sites I do care about. There are lots to choose from; I like LastPass because it is free for PC use – but there is a paid version that adds support for mobile devices.

These are only the the bare minimums, but are a solid foundation for a secure home network. Some places to go for more education:



Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen