Ferrari Mailing List: Re: OT -- quality of HDMI cable Vs Wireless?

[Rick Moseley (ramosel]

George,

Sure... See bullet one below for starters.  Usually (as you mention) you have financial records on your computers at home and they are usually tied to the home network so they can get to the internet.  Having a wifi access point (AP) is just a way for those of the "nefarious" bent to get into your system.  Having wifi devices you use outside the house then bring back into the house is another way hackers can get to you.  

Strong password...  fictional phrase sorta like assault rifle.  It used to be passwords were set into 7 character hashes, so a good password exceeded 14 characters.  As an NSA security guy used to say in his seminars, a long easy to remember password is better than a shorter complicated password  (ie  YellowBrickRoad is a better password than Dki73@jt$K).  Why? You can remember the long easy password and not have it written down.  Yes, in corp. environments people used to (and probably still do) write them on post-its and keep them under their keyboards....  So long password still applies for system passwords but generally when someone is "warring" your wifi they are getting the whole password anyway so the length is not so critical there anymore.   For more on this look to someone like Darren Kitchen (Hak5Darren) online and he's made some amazing youtube videos that show you how to perform such hacks as "man in the middle" where you use off the shelf apps on a Linux laptop  and can sit around any public wifi and collect the passwords.  Basically, they monitor your communication while online.  They can interrupt your connection and when it reconnects, it resends the password and they have it.   Well, if they can do it on public wifi they can do it on the private too. 

So, what do you do for your wifi?  Some thoughts in no particular order.  Some will sound Greek I'm sure:

• If your router lets you do MAC filtering, use it... but the really sophisticated hacker can spoof MAC addresses too
• Still, use a password in excess of 14 characters.  It forces those doing brute force attacks to take much longer.  They'll move on to someone less cautious.  Its sorta like using "the club" on your steering wheel.  Not really a deterrent but the lazy thief will leave you alone and go after the car next to yours that doesn't have one.
  
• segment your network (smart switch or virtual addressing).  Keep the wireless routers on a separate segment than the main computers.  This way if your wifi gets hacked they can't get to the main PCs.  If your devices you take in public get compromised they can't infect or allow access to PCs on the other parts of the network
  
• Same goes for your wired or wireless IP cameras (they host out so they too are vulnerable)
• run a UTM on your network entry point (dsl, cable, satellite)  Unified Threat Manager.  This can be software on your main router or a software based router running on a PC ( an old PC used as a UTM will still be faster and have more memory than even the best consumer grade "plastic box" routers on the market). 
• run VPN software on your mobile devices.  Any time your are on public wifi you should be running a VPN.  Safest way to protect your data stream from being compromised.  Often times with compression turned on its even faster too.
• DON'T leave your wifi devices online when you are at a hotel.  Use them, turn off wifi when you are done.  Leaving a mobile device online all night in a hotel is the most common place devices get hacked
  

There is more than can fit here but these are some basics.  I run a pfSense box at home behind my DSL terminal adapter (modem).  It runs Suricata as a real time network scanner.  Through a smart switch I run 4 separate network segments and heavily control the traffic between them.   My little nobody house network in the mountains gets hit on by the Chinese and the RBN (Russian Business Networks) on average 2500 times a day.   SO DOES EVERY ONE OF YOURS!!!  Your systems just don't show you.   Sooner or later they'll find a hack that works or probably already have if you run a plastic box.  Bottom line, you have to compromise or stack security.  The only true secure network is UNPLUGGED.  Our government is doing little or nothing to limit our exposure to these attacks.

Here's just a handful of Emerging Threats from this morning's log...  I don't run any sort of a sql server... but they have found a weakness and they are hunting.  I removed my IP address from the data but left the origins there.   Go ahead, take a look... they'll have obscure pathways that either timeout or take you offshore.

02/03/15
07:11:36     2     TCP     Potentially Bad Traffic     218.77.79.38
Icon Reverse Resolve with DNS        36689    
Icon Reverse Resolve with DNS       1433     1:2010935
       ET POLICY Suspicious inbound to MSSQL port 1433
02/03/15
06:51:40     2     TCP     Potentially Bad Traffic     66.240.192.138
Icon Reverse Resolve with DNS        1590    
Icon Reverse Resolve with DNS       5432     1:2010939
       ET POLICY Suspicious inbound to PostgreSQL port 5432
02/03/15
06:50:54     2     UDP     Attempted Information Leak     62.210.188.66
Icon Reverse Resolve with DNS        5093    
Icon Reverse Resolve with DNS       5060     1:2008578
       ET SCAN Sipvicious Scan
02/03/15
06:50:54     2     UDP     Attempted Information Leak     62.210.188.66
Icon Reverse Resolve with DNS        5093    
Icon Reverse Resolve with DNS       5060     1:2011716
       ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
02/03/15
06:10:35     2     UDP     Attempted Information Leak     62.210.188.66
Icon Reverse Resolve with DNS        5098    
Icon Reverse Resolve with DNS       5060     1:2008578
       ET SCAN Sipvicious Scan
02/03/15
06:10:35     2     UDP     Attempted Information Leak     62.210.188.66
Icon Reverse Resolve with DNS        5098    
Icon Reverse Resolve with DNS       5060     1:2011716
       ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
02/03/15
05:44:10     2     TCP     Attempted Information Leak     61.240.144.66
Icon Reverse Resolve with DNS        60000    
Icon Reverse Resolve with DNS       11211     1:2009582
       ET SCAN NMAP -sS window 1024
02/03/15
04:52:53     2     TCP     Potentially Bad Traffic     117.21.173.177
Icon Reverse Resolve with DNS        6000    
Icon Reverse Resolve with DNS       1433     1:2010935
       ET POLICY Suspicious inbound to MSSQL port 1433
02/03/15
04:02:09     2     TCP     Potentially Bad Traffic     66.240.192.138
Icon Reverse Resolve with DNS        15715    
Icon Reverse Resolve with DNS       3306     1:2010937
       ET POLICY Suspicious inbound to mySQL port 3306
02/03/15
03:40:34     2     TCP     Potentially Bad Traffic     61.160.224.129
Icon Reverse Resolve with DNS        48142    
Icon Reverse Resolve with DNS       3306     1:2010937
       ET POLICY Suspicious inbound to mySQL port 3306
02/03/15
03:23:30     2     UDP     Attempted Information Leak     212.83.132.65
Icon Reverse Resolve with DNS        5115    
Icon Reverse Resolve with DNS       5060     1:2008578
       ET SCAN Sipvicious Scan

---

From: George <ygpz4re [at] hotmail.com>
To: Rick Moseley <ramosel [at] pacbell.net>
Cc: The FerrariList <ferrari [at] ferrarilist.com>
Sent: Tuesday, February 3, 2015 4:52 AM
Subject: Re: [Ferrari] OT -- quality of HDMI cable Vs Wireless?

> <snip> The problem with most wifi devices is they don't have robust security. If you are like Stephen and I and live in the country it's not such a big issue. If you have close neighbors... Ya pays your money, ya takes your chances. Wifi is just so easy to hack. I could go on for days how to configure wifi security and the really bright boys can still get into your network in less than a minute. 
> 
> Rick

Rick,

I know why *I* want secure wifi, but I wonder if you would expand on your reasoning for its importance.  Mainly, I'm wondering if there's reasoning I haven't taken into account.

FWIW - we just got a new wifi router - Apple Airport Time Capsule (3TB).  Chose it for both the backup storage and the 802.11ac wifi.  Before, w/ an "n" (I believe) wifi router (provided by Comcast, our POS ISP), our iPads could barely keep connected, when only about 30' away (granted, this 30' would be in a straight line from upstairs to router location downstairs - but still!).  W/ the 11ac router, we can go anywhere in the house and maintain a strong signal.  Besides a strong wifi password, are there other steps I can take to strengthen the security?  Note that, while online banking is part of my regular routine, I do not keep the computer powered on when not in use, nor do I store any other financial  info on it.  Also, I do *NOT* use iPads or phones for anything financial...  Now, the wife on the other hand.....

Thanks!

George P.

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.ferrarilist.com/mailman/options/ferrari/ramosel%40pacbell.net

Sponsored by BooyahMedia.com
and F1 Headlines
http://www.F1Headlines.com/