<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    
    <title>I Am.  When? - Tech</title>
    <link>http://www.iamwhen.com/</link>
    <description>a blog</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.5.4 - http://www.s9y.org/</generator>
    <pubDate>Sat, 17 Oct 2009 19:54:36 GMT</pubDate>

    <image>
        <url>http://www.iamwhen.com/templates/bulletproof/img/s9y_banner_small.png</url>
        <title>RSS: I Am.  When? - Tech - a blog</title>
        <link>http://www.iamwhen.com/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Proverbs Web Calendar 2.1</title>
    <link>http://www.iamwhen.com/archives/94-Proverbs-Web-Calendar-2.1.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/94-Proverbs-Web-Calendar-2.1.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=94</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=94</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    Sometime around the end of 2001 I volunteered myself to write a script for team NHB&#039;s website, which was the Half-Life TFC clan that I competed with at the time.  The web server the script would be running on was Linux based, thus the script had to be written in PHP and capable of using text files or a mySQL database to store the information.  It was to be used to show the team&#039;s schedule for practices, competitions, etc.  I suppose Perl was an option at the time, but even in 2001 PHP was a phenomenal programming language.&lt;br /&gt;
&lt;br /&gt;
That script eventually became the Proverbs Web Calendar 1.0 and was released publicly Dec 31, 2001 on the Proverbs, LLC website; back then located at www.proverbs.biz.  After a few updates, one major security flaw, and a few bug fixes over the course of several months, something I was definitely not expecting happened: the calendar became a popular download.  Immensely popular.&lt;br /&gt;
&lt;br /&gt;
At the time, around May of 2002, the websites touting the &amp;quot;most popular web event calendar&amp;quot; were bragging about 10,000+ downloads per year.  Five months after the initial release and I was seeing 5000+ downloads a month, not to mention being inundated with questions, comments and suggestions from users of the calendar.  I was particularly amazed at the number of overseas users that were writing to me for help or with suggestions.&lt;br /&gt;
&lt;br /&gt;
 All of those suggestions, a few code snippets other developers submitted and some modifications of my own became Proverbs Web Calendar 2.0, released in December of 2004.  This was a complete rewrite of the prior web calendar and was one of my first attempts at using classes in PHP.  Thanks to the suggestions and help from a couple Dutch and German college students, this was also my first foray into a multilingual application.&lt;br /&gt;
&lt;br /&gt;
Here we are over four years since I last touched the web calendar and almost eight years since its inception.  In all that time the calendar has been downloaded over 200,000 times, been ported by other developers to additional platforms and toolkits, as well as having been outright stolen and rebranded by a few other companies.  To my surprise it is still downloaded on a regular basis and I continue to receive the occasional question or two regarding the calendar; mostly having to do with the calendar not working correctly with newer web browsers and CSS2.&lt;br /&gt;
&lt;br /&gt;
On that note, everyone will be happy to know that I finally got off my ass and took a look at the code this past weekend.  A few tweaks here, a couple rewrites there, a new file or two, the removal of a couple files and for the first time in four years there is a new version released.  Not wanting to load my computer down with a ton of different Internet browsers, I only tested with IE6, IE8 and FF3.5.  I imagine the calendar should, once again, behave correctly with the majority of modern browsers, but let me know if you hit any problems (I am aware FF3.5 scrolls too far in the schedule page, but that is a FF issue with CSS2).&lt;br /&gt;
&lt;br /&gt;
Anyway, I now proudly present the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.proverbsllc.com/opensource/calendar.php&#039;);&quot;  href=&quot;http://www.proverbsllc.com/opensource/calendar.php&quot;&gt;Proverbs Web Calendar version 2.1&lt;/a&gt;.  Enjoy. 
    </content:encoded>

    <pubDate>Mon, 17 Aug 2009 07:40:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/94-guid.html</guid>
    
</item>
<item>
    <title>Computer Security 101 - Part 8 - Malware</title>
    <link>http://www.iamwhen.com/archives/92-Computer-Security-101-Part-8-Malware.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/92-Computer-Security-101-Part-8-Malware.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=92</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=92</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    I might as well just come right out and say it upfront, during &lt;a href=&quot;http://www.iamwhen.com/archives/52-Computer-Security-101-Part-2-Passwords.html&quot;&gt;Part 2&lt;/a&gt; of this series on Computer Security I lied when I spoke about the most common methods a malicious person uses to get a user&#039;s password.  In this day and age of rapid information and application sharing, the number one method of gathering user passwords is through viruses and spyware.  I would hazard a guess that it is also the number one method of gathering information for identity theft as well.&lt;br /&gt;
&lt;br /&gt;
I am sure that some organization or another has put together specific definitions of what constitutes a virus versus a bot versus something else.  For simplicity&#039;s sake I&#039;ll provide my own definitions:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&lt;strong&gt;Virus&lt;/strong&gt; - any malicious program capable of automatic self replication between computer systems, either through network links or removable media.  Viruses can range from harmless pranks to programs that destroy computer files.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Spyware&lt;/strong&gt; - any computer application or portion of an application that is designed to gather personally identifiable information from a computer.  This can range from gathering the information on what websites you visit to recording usernames and passwords entered into various programs or websites.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Adware&lt;/strong&gt; - any computer application designed to automatically display advertisements on your computer or redirect your web browser to alternate (competitor&#039;s) websites from the page you intended.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Bot&lt;/strong&gt; - any computer application designed to perform nondestructive tasks on a computer system without the user&#039;s intervention.  Bots can range from small programs that download and install other programs automatically (without the user&#039;s knowledge) to programs that perform coordinated attacks on Internet websites.&lt;/blockquote&gt; There will be a test on these definitions later, but to make things easier until you have each committed to memory we will just lump all of the different bad computer programs together and call them &lt;em&gt;Malware&lt;/em&gt;.  There are a few different ways that Malware can wind up on your computer: you could install it without knowing as part of another application (usually happens because you illegally downloaded something using Limewire or as part of a Torrent file), you could unintentionally install it thinking it was something else (again, Limewire or Torrents, but also email attachments and popups on websites), it could be automatically installed from a website through an active exploit in another application already running (Flash player, Firefox, etc) or it could replicate itself through removable media.&lt;br /&gt;
&lt;br /&gt;
So how do you stop all these little bugs from getting on your computer?  As luck would have it, I put together a list of simple methods to ensure your computer stays bug free, in order of effectiveness.  In case you got confused by that last bit stating &amp;quot;in order of effectiveness&amp;quot;, let me make it easy on you, DO ALL OF THE FOLLOWING.  Or keep paying people like me gobs of money to clean your computer for you.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;1. Follow the instructions outlined in the article &lt;a href=&quot;http://www.iamwhen.com/archives/87-Computer-Security-101-Part-6-User-Permissions.html&quot;&gt;Computer Security 101 - Part 6 - User Permissions&lt;/a&gt;.&lt;br /&gt;
2. Install and regularly scan using a reliable Antivirus program on your computer.  For home use I currently recommend &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/us.trendmicro.com/us/products/personal/&#039;);&quot;  target=&quot;_blank&quot; href=&quot;http://us.trendmicro.com/us/products/personal/&quot;&gt;Trend Micro&lt;/a&gt;, for corporate I recommend Symantec Antivirus Corporate Edition (Endpoint Protection).&lt;br /&gt;
3. Install and regularly scan using a reliable Antispyware program.  Many of the antivirus programs are including other forms of malware in their detection base, but having something dedicated to spyware detection and removal is still a good call.  For either home or corporate I recommend &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.safer-networking.org/en/spybotsd/index.html&#039;);&quot;  target=&quot;_blank&quot; href=&quot;http://www.safer-networking.org/en/spybotsd/index.html&quot;&gt;Spybot Search &amp;amp; Destroy&lt;/a&gt;.&lt;br /&gt;
4. Check for and install updates and security patches for all programs on your computer.  Microsoft can do this automatically for Microsoft programs (Microsoft Update) as can other applications, but some programs like Flash or Shockwave players need to be updated manually.  Update and update often.&lt;br /&gt;
5. Do not go to mainstream social networking sites that allow user uploadable content (Facebook, MySpace, etc).  If you go to these sites you will get Malware infections.  Period.&lt;br /&gt;
6. Do not open email attachments from people you do not know.  Do not open compressed file attachments (ZIP, RAR, etc) from anyone.&lt;br /&gt;
7. Do not share removable media with people or between multiple computers.  Think of your thumbdrive in the same terms you do safe-sex and ask yourself, &amp;quot;Do I really want to put my thumbdrive into that computer without knowing where the computer has been?&amp;quot;&lt;br /&gt;
8. Rule #7 goes for downloading online content through programs like Limewire or Bit-Torrent files.  You do not know where those files have been and are just asking for trouble.&lt;br /&gt;
9. Follow the instructions outlined in the article &lt;a href=&quot;http://www.iamwhen.com/archives/87-Computer-Security-101-Part-6-User-Permissions.html&quot;&gt;Computer Security 101 - Part 6 - User Permissions&lt;/a&gt;.&lt;br /&gt;
10. Do not go to mainstream social networking sites that allow user uploadable content (Facebook, MySpace, etc).  If you go to these sites you will get Malware infections.  Exclamation Mark.&lt;/blockquote&gt;On the subject of antivirus programs, there are many on the market.  Some people hate the ones I have mentioned, screaming &amp;quot;bloatware&amp;quot; or citing some review from a fringe computer magazine.  These are the same people who think Firefox is inherently safer than Internet Explorer.  Facts do not affect these people, and thank the gods for that because I make a killing off cleaning the malware from their machines after they install some fringe antivirus program (I now charge double per hour on their repeat cleanings when they refuse to listen and install some free antivirus program instead).&lt;br /&gt;
&lt;br /&gt;
A note on antispyware programs as well.  Spybot Search &amp;amp; Destroy is one of the exceptions to the rule on &amp;quot;you get what you pay for,&amp;quot; because it is free and it outperforms every other program on the market.  Despite being free, they do accept donations and I strongly encourage you to make a small donation just so we can keep this great product around.  Just make sure you download it from the Safer-Networking.org website and not just whatever website Google search pulls up.&lt;br /&gt;
&lt;br /&gt;
These are the basics that will help keep your computer safe from Malware, although really it comes down to a bit of common sense.  Unfortunately, people rarely use common sense when it comes to their computer systems and that is why I continue to make the big bucks.&lt;br /&gt;
&lt;br /&gt;
Stay safe out there. 
    </content:encoded>

    <pubDate>Mon, 27 Jul 2009 17:00:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/92-guid.html</guid>
    
</item>
<item>
    <title>Computer Security 101 - Part 7 - Personal Firewall</title>
    <link>http://www.iamwhen.com/archives/90-Computer-Security-101-Part-7-Personal-Firewall.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/90-Computer-Security-101-Part-7-Personal-Firewall.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=90</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=90</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    I already covered firewalls during part 3 of my computer security series, but now that we are focusing on desktop security we once again have to review the subject.  For part 3 the firewall topic was in regards to the perimeter, or network; which is usually a hardware based device.  In part 7 the topic is desktop or personal firewalls.&lt;br /&gt;
&lt;br /&gt;
I won&#039;t bore everyone by going into detail on firewalls again, but if you have not done so already, please read the original topic &lt;a href=&quot;http://www.iamwhen.com/archives/56-Computer-Security-101-Part-3-Firewalls.html&quot;&gt;Computer Security 101 - Part 3 - Firewalls&lt;/a&gt;.  Instead, I will be covering the importance of having a separate personal firewall on each and every desktop computer.&lt;br /&gt;
&lt;br /&gt;
To most people, including many industry professionals, a personal firewall is considered overly redundant.  There is a hardware based firewall keeping your network secure already, why would someone want a firewall running on their local computer?  It is also an extra application running on the computer, taking up resources and slowing everything down.  So why have one?&lt;br /&gt;
&lt;br /&gt;
 Because I said so.  Ha!  Seriously, there are many reasons to include a personal firewall in your arsenal for computer security, the primary reason being internal threats.  There are a few hundred sets of statistics out there that show the number one source of attack for any company is an internal user.  Add to those statistics the attacks brought about by malicious software installed on a computer and you will start seeing numbers over 90% where attacks are from internal network threats.&lt;br /&gt;
&lt;br /&gt;
Speaking of those malicious pieces of software, the days of people trying to destroy data using viruses are long gone.  Rather than destroy data, the people who create these malicious programs are usually looking to accomplish one of three goals:  &lt;br /&gt;
&lt;br /&gt;
1. retrieve personal data from a computer; any computer.  These are not targeted attacks, but rather shotgun blasts of quantity over quality.&lt;br /&gt;
2. turn a computer into a mindless drone to perpetrate additional malicious activities.  This could range from using an infected computer to attack the Microsoft web servers as part of a mass coordinated DoS attack, to storing child porn on the computer for retrieval by other people.&lt;br /&gt;
3. further installations.  Often the initial piece of malware that infects a computer is nothing more than a simple program designed to install additional programs.  This allows the initial software to be small and appear relatively harmless to many antivirus and antispyware applications, but once a computer is infected, the downloads start commencing.&lt;br /&gt;
&lt;br /&gt;
Perimeter firewalls, even application layer firewalls, do not fully protect against these types of activities, especially firewalls set up incorrectly (you did read the part 3 entry, right?).  It is a piece of software on the desktop that becomes the threat, and so it is at the desktop level where the threat can best be mitigated.  A personal firewall is one of the mitigators.&lt;br /&gt;
&lt;br /&gt;
Setting up a personal firewall is easy, especially considering most operating systems come with one already installed.  For home use, just deny everything and prompt for overrides (but please read each prompt before approving the override).  At the enterprise level, it is easy to deploy firewall settings across multiple computers utilizing group policy objects or the like.  Simple, easy, and efficient.  For a millionth of a second in application delay, you get a computer that is much more secure from not only external threats, but the far more common internal ones.  And that is what it is all about. 
    </content:encoded>

    <pubDate>Fri, 10 Jul 2009 16:09:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/90-guid.html</guid>
    
</item>
<item>
    <title>Computer Security 101 - Part 6 - User Permissions</title>
    <link>http://www.iamwhen.com/archives/87-Computer-Security-101-Part-6-User-Permissions.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/87-Computer-Security-101-Part-6-User-Permissions.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=87</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=87</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security.  Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.&lt;br /&gt;
&lt;br /&gt;
Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation.  From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage.  While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices.  Instead the real threat comes from you: the user.&lt;br /&gt;
&lt;br /&gt;
I&#039;m not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge.  It is here that the greatest potential for attack on a computer system lies.  It is here that most breaches in a system occur.  Here be users.&lt;br /&gt;
&lt;br /&gt;
 User permissions are probably the most undermanaged and overlooked area of computer security, both at the home computing level and within enterprise organizations.  Users break things.  Users also bring in spyware, adware and viruses.  The sad thing is that with proper user permissions most problems can be averted.  &lt;br /&gt;
&lt;br /&gt;
I will give an example of just how effective proper user permissions can be:  &lt;br /&gt;
&lt;br /&gt;
A while back my daughter had started to use my laptop to work on school projects.  Being a person in general and a teenager in particular, she used the laptop for other things as well, such as going to her MySpace page.  One thing led to another and I was removing all sorts of spyware and trojan viruses from that laptop by the time she left that weekend.  Yes, one weekend and the laptop was a cesspool.&lt;br /&gt;
&lt;br /&gt;
Now, to put things in perspective this laptop was running the latest in enterprise level virus scanning software, as well as several anti-malware programs.  All software and definitions were up to date.  Yet, in a short 48 hours it was covered with all sorts of nasty little buggers.  The reason?  The account she was using had administrator level permissions.  That was it; that was the security breach.&lt;br /&gt;
&lt;br /&gt;
Mind you, the rest of my home network kept that laptop from &amp;quot;spreading the disease&amp;quot; or becoming a bot for malicious users, but it was a reminder to myself as to just how important user permissions can be.  Since that time she has been set up with a user level account and there has not been a single instance of reinfection.  If that is not enough convincing, let me point out that because she has effectively commandeered this laptop, the only account to log on for weeks at a time is hers.  She is also not one to update the virus definitions, nor can she with her user permission level (as I said, enterprise antivirus software).  But the laptop remains clean as a whistle, all thanks to reduced user permissions.&lt;br /&gt;
&lt;br /&gt;
The lesson to be had here is that everyone should be performing their day to day computer activities with a computer account granted as minimal of permissions as possible.  In the Windows environment this means being part of the &amp;quot;User Group&amp;quot;, as opposed to the default in a home computer that dumps accounts automatically into the &amp;quot;Administrators Group.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
To be completely clear, when I say &amp;quot;everyone,&amp;quot; I mean &lt;strong&gt;everyone&lt;/strong&gt;.  At the home level a simple user account should be used for 99.999% of your activities.  At the corporate level, every employee should be performing their work using a simple user account.  This includes department heads, vice presidents, and even IT personnel.  Especially IT personnel and most especially developers.  99.999% of all your activities at your desktop can be accomplished using a standard user account.&lt;br /&gt;
&lt;br /&gt;
In order to cover the 0.001% of the time where less restrictive permissions are required, companies have an IT staff to handle things.  And those IT personnel should have a second account with appropriate permissions to be used strictly for performing these 0.001% tasks.  Home computers should be set up in the same manner as IT personnel: one User level account for everything and one Administrator level account for stuff not covered by everything.&lt;br /&gt;
&lt;br /&gt;
I have heard all sorts of complaints and excuses in the past as to why &amp;quot;so-and-so&amp;quot; is a local administrator on their desktop, or why a developer needs to be an administrator, or why it is &lt;em&gt;inconvenient&lt;/em&gt; to have to switch user accounts.  To these excuses I say a nice resounding &amp;quot;Bull Shit.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Inconvenient is a home user having to spend $65 an hour to clean all the malware off their computer.  Inconvenient is trying to fix your credit after your identity has been stolen.  Inconvenient is having your company blacklisted on &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.spamhaus.org/&#039;);&quot;  target=&quot;_blank&quot; href=&quot;http://www.spamhaus.org/&quot;&gt;Spamhaus&lt;/a&gt; because a developer&#039;s computer is sending out spam thanks to a virus.  Inconvenient is having to explain to your customers how their personally identifiable information might have been lost as part of a recent security breach.  Inconvenient is going before a judge to explain your company&#039;s negligence.  These things are inconvenient; having to log off your computer and back on with a different account to install new software is not.&lt;br /&gt;
&lt;br /&gt;
There are other areas of user permissions aside from the simple User versus Administrator, but that really becomes a case by case kind of thing.  The best rule to follow is to start off with the most restrictive level of permissions for each person possible and then tweak things as needed.  You might get yelled at for a person&#039;s lack of access to something, but you are not going to get subpoenaed; and any yelling stops when you fix the problem. 
    </content:encoded>

    <pubDate>Thu, 25 Jun 2009 23:32:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/87-guid.html</guid>
    
</item>
<item>
    <title>Computer Security 101 - Parts 1 thru 5 - FAQ</title>
    <link>http://www.iamwhen.com/archives/83-Computer-Security-101-Parts-1-thru-5-FAQ.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/83-Computer-Security-101-Parts-1-thru-5-FAQ.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=83</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=83</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    Using the outside-in approach to computer security, we are now at a point to begin covering the actual computer systems.  Before we get to that, I thought it prudent to put up a simple FAQ covering the common questions and/or concerns from parts 1 thru 5.  Well, really 2 thru 5, seeing as part 1 was the introduction.&lt;br /&gt;
&lt;br /&gt;
This FAQ mostly covers home network security and does not replace reading the actual articles in this series, or getting help from a professional if you are completely inept in the field of computers.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;1.  &lt;em&gt;Why are passwords important?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Passwords provide a means of proving your identity to a computer system.  Without having this method of identification, everyone could pretend to be anyone they wished and the world would quickly fall into chaos, until someone finally pretended to be the guy with permissions to launch nuclear missiles; at which point the world would just end.  This is all very bad.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;2.  &lt;em&gt;How do passwords help protect me?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
As mentioned in item 1, passwords provide a means of identifying you as you, rather than someone pretending to be you.  Secondly, passwords are used in some systems to encrypt data so that if someone were to look at a file without the password it would appear as gibberish.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;3.  &lt;em&gt;What is a complex password?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
While the exact measurement of a complex password is system specific, the general rule requires that a password contain at least eight (8) total characters.  Of those eight characters at least one must be an uppercase letter, at least one must be a lowercase letter, and one must be a number or other non-alphabetical character.  These are the base guidelines, and to be honest they are quite antiquated.  Realistically, a password should contain at least 13 characters, with the other rules staying the same.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;4.  &lt;em&gt;How often should I change my password?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Passwords should be changed at least once every three months, depending on what the password is for.  Passwords used for more sensitive information should be changed more often than passwords used for nonsense; as an example the password to your online bank account should be changed at least once every two months, while the password for your Netflix account would not be as critical and could be changed every three months (unless you save credit card information in your Netflix account at which time it becomes more critical).  Your passwords should also be changed anytime you suspect any of your accounts to have been hacked or your computer becomes infected with a virus/spyware (once the virus has been completely removed).&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;5.  &lt;em&gt;Can I write down my passwords?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Do you leave the keys to your car dangling from the door handle in the bad section of town?  That was a rhetorical question.  The answer is NO.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;6.  &lt;em&gt;How do you expect me to remember all these complex passwords that change so often?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
I don&#039;t.  I expect you to use passphrases instead.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;7.  &lt;em&gt;What is a passphrase?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Passphrases are sentences, phrases, exclamations or questions that are used in place of complex passwords.  Passphrases are easier to make complex and are generally much easier to remember.  &amp;quot;My6catsareallSiamese!&amp;quot; Often passphrases can include spaces, making them even easier to type.  &amp;quot;My 6 cats are all Siamese!&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;8.  &lt;em&gt;What is a firewall?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
A firewall is a device (hardware or software based) that restricts certain types of traffic from entering or leaving a network.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;9.  &lt;em&gt;Why do I need a firewall?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
There are bad people in the world who think it is fun to screw up other people&#039;s lives.  There are also people who want to steal from you.  And then there are people who are just nosey and want to snoop.  If these people can get to your computer they can do all sorts of bad things such as deleting all your files, stealing your bank account and credit card information, stealing incriminating files from your computer (nude photos, etc), or just using your computer to send out spam email messages.  Firewalls can help keep these people from getting to your computer from the Internet.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;10.  &lt;em&gt;Why should I restrict outbound traffic on my firewall?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
There are many ways for bad people to get to your computer and firewalls do not stop all of them (e.g. malware and viruses).  Once your computer is infected with a simple piece of malware it can be used to download more dangerous software from the Internet.  The malware can also turn your computer into a tool for the bad guys, such as by using your computer to send out spam email messages or attack other computers.  If you have ever wondered why it is so hard to catch the bad guys on the Internet, it is because they use &amp;quot;innocent&amp;quot; people&#039;s computers to do their dirty work.  Restricting outgoing traffic across a firewall can help stop these things from happening.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;11.  &lt;em&gt;What ports do I need to allow for email?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Some ISPs use alternate, or nonstandard, port numbers for their email, but for most you will need to allow outbound traffic on port 25 for SMTP and port 110 for POP3 (both are used, the first to send, the second to receive emails).  You should also restrict which external Internet addresses (IP Addresses) these ports are allowed to connect with, so that you don&#039;t inadvertently allow the bad people to use your computer to send out spam emails (see question 9 above).&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;12.  &lt;em&gt;My wireless router came with WEP enabled, isn&#039;t this secure?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
No.  WEP is not secure.  WEP is akin to locking the screen door on your house and thinking no one can break in.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;13.  &lt;em&gt;What security option should I use on my wireless router?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) is currently the most secure wireless option.  If you have a very old wireless device that does not support WPA2, your next best option is WPA, although you should check with the manufacturer for firmware updates to bring it up to WPA2; failing that, you should replace your wireless device.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;14.  &lt;em&gt;What is the SSID?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Service Set Identifier.  The SSID is a nice friendly name used to identify a wireless network.  This allows you to connect to &amp;quot;MrMoms Network&amp;quot; instead of some long convoluted string of hexadecimal characters.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;15.  &lt;em&gt;Why should I turn off SSID broadcasting?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
In order to connect to a wireless network, you have to know the SSID.  When the SSID is broadcast, everyone in range is told what it is.  By disabling SSID broadcasting you have added an additional level of protection to your wireless network and helped to prevent nosey people from &amp;quot;just browsing&amp;quot; through your network.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;16.  &lt;em&gt;My son/daughter/niece/nephew/neighbor&#039;s kid said I don&#039;t need to do X.&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;
Not really a question, but if X is something I said to do above or in one of the related articles: your son, daughter, niece, nephew or neighbor&#039;s kid is an idiot.  If they happen to be a CISSP and have a better alternative solution to put into place, then by all means listen to them.  Otherwise, I stand by my calling that precious little bundle of joy an idiot and adamantly state that you should not listen to them.  
    </content:encoded>

    <pubDate>Thu, 11 Jun 2009 16:30:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/83-guid.html</guid>
    
</item>
<item>
    <title>Computer Security 101 - Part 5 - Wireless</title>
    <link>http://www.iamwhen.com/archives/75-Computer-Security-101-Part-5-Wireless.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/75-Computer-Security-101-Part-5-Wireless.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=75</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=75</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    Odds are in favor of there being a wireless network in your home or at your work.  Actually, odds are in favor of there being a wireless network located at both your home and work.  Even if you are one of the oddball people who do not have a wireless network setup, there is probably one broadcasting into your home or office from nearby.  Wireless networks are almost everywhere and the numbers are continuing to multiply fast.  Exponentially even.&lt;br /&gt;
&lt;br /&gt;
In the dark ages of wireless (about a year and a half ago) there was about an 80% chance that any given wireless network was completely unsecured.  Now I would gauge it at around 70% of wireless networks having inadequate security and 40% remain completely unsecured.  Yes, I pulled those numbers out of my proverbial ass; but if I count the number of wireless networks that I come into contact with daily (that are outside of my control), those numbers are just about dead on.&lt;br /&gt;
&lt;br /&gt;
While 40% down from 80% shows that there has been a drastic improvement in wireless security awareness over the past couple years, it is still enough to keep a person up at night.  As with all things security related, I blame a lack of knowledge and lack of caring as the reasons those numbers are not down to under 10%.  So let&#039;s start with the reasons for not only securing your wireless network, but ensuring it is secured properly.&lt;br /&gt;
&lt;blockquote&gt;1) Illegal Activities - In today&#039;s world where everything can be tracked and traced in some manner or another, it just makes sense to not use your own Internet connection if you are going to perform some sort of illegal activity.  Hackers know this.  Pedophiles know this.  My former IT Director who tried to bring down the company network after he was fired knew this.  Instead of using their own Internet connections to perform these illegal activities, they connect to one of the many unsecured wireless networks and let their activities get traced back to some unsuspecting dupe (that would be you).  Of course they would have to be smart enough to change their computer name and MAC address to not get caught, but that is another story.&lt;br /&gt;
&lt;br /&gt;
2) All Your Base Are - Continuing the thoughts from reason #1 above into why adequate security is necessary; if someone is going to attempt to break into a network illegally using the Internet and they are smart enough to use someone else&#039;s Internet connection to do so, I am willing to bet the farm that they are smart enough to hack a WEP secured wireless network.  Although saying &amp;quot;WEP&amp;quot; and &amp;quot;secured&amp;quot; really is an oxymoron.&lt;br /&gt;
&lt;br /&gt;
3) Easy Network Access - The easiest method to gain unauthorized access to a company network is through social engineering.  The second easiest method, and easiest method for a home network, is through unsecured wireless.  Why not just start asking people driving past if they would like to come inside and use your computer?&lt;br /&gt;
&lt;br /&gt;
4) Internet Bandwidth - The speed you access the Internet is not unlimited, despite how much faster your cable modem is versus your previous AOL dialup.  The more traffic running across that connection, the slower your web surfing is going to be.  There are also plenty of Internet service providers who are looking at changing their billing model to include over-bandwidth pricing; meaning if you use more than what they consider your fair share of the Internet, you pay more.  Now why would I want to jack up my Internet bill downloading all those adult movies when I can just attach to your wireless and make you pay the bill?&lt;/blockquote&gt;The list goes on, but these are some of the bigger reasons for properly securing your wireless network.  The really nice thing is that securing a wireless network is about the easiest thing you can do.  The bad thing is all the oddball circumstances that crop up in the course of normal business that have kept many companies from securing their wireless access.  Being a heck of a nice guy I will cover both sides:  the straight forward secured wireless network and securing a wireless network under oddball requirements.  But first up, let&#039;s take a look at the various methods available to secure a wireless network.&lt;br /&gt;
&lt;blockquote&gt;&lt;strong&gt;Turn Wireless Off&lt;/strong&gt; - I would like to say I am surprised at the number of people and companies who have a wireless network and do not even know it.  &lt;strong&gt;Rogue Wireless Networks&lt;/strong&gt;.  I am not really surprised because I know the sheer number of devices that arrive from the manufacturer with wireless turned on.  Purchase a new router for your home network?  Probably has wireless built in and turned on.  Have a DSL Internet connection?  The new DSL modems have built in firewalls, switches AND wireless; and wireless is turned on by default.  Basically, turn off wireless on each device you have if it is not needed.  If you are not positive beyond any reasonable doubt that it is needed, turn it off.  Something will either stop working or someone will complain if it really was needed.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Segment Wireless Networks&lt;/strong&gt; - Hopefully you have read my previous entry entitled &lt;a href=&quot;http://www.iamwhen.com/archives/61-Computer-Security-101-Part-4-LAN.html&quot;&gt;Computer Security 101 - Part 4 - LAN&lt;/a&gt;.  If you haven&#039;t, go read it now.  Very few businesses use wireless networks for daily operations.  Very few homes do for that matter.  Wireless is either accidentally left on or is put into place to meet some need or another.  Usually that need is Internet access for someone with a laptop who has enough pull to make your life miserable.  The beauty here is that they do not need access to your entire network, just a small section of it.  Through network segmentation (you did read the article I just listed, right?) you can limit the access that particular wireless network has to your overall network and effectively mitigate many security threats in doing so.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Disable SSID Broadcast&lt;/strong&gt; -  According to some silly 802.11 standard or another, wireless devices send out a broadcast beacon.  Part of this broadcast beacon is the SSID (also the channel number, but if you see the broadcast you already know the channel number because, well, you see the broadcast.  See how silly 802.11 standards can be?).  In order to connect to that wireless device, you need to know the SSID.  If you turn off the broadcasting of that SSID you require anyone who wants to connect to your wireless network to already know the SSID.  Ingenious, right?  Of course you also need to set the SSID to something not easily guessed, but we&#039;ll get to that in a minute.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;MAC Address Filtering&lt;/strong&gt; - A &lt;a href=&quot;http://en.wikipedia.org/wiki/MAC_Address&quot;&gt;MAC (Media Access Control) address&lt;/a&gt; is a hardcoded 12 character hexadecimal code set into every Ethernet device by the manufacturer and required to be unique for each device (another one of those IEEE standards).  Most wireless devices have the ability to limit which MAC addresses are allowed to talk to them.  If a device connects with a MAC address not on the list, the wireless device ignores it.  Pretty simple.  Except MAC addresses are easy to spoof (pretend to be).  MAC Address Filtering is a pain to set up because it needs to be maintained, and it is lacking on its own.  In combination with other methods of wireless security it will help to protect your network, but it is still an administrative nightmare to maintain for a business and rarely worth the extra protection provided.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;WEP Security&lt;/strong&gt; -  Wired Equivalent Privacy.  Useless security option.  Really.  Most of the new DSL modems I have seen recently have WEP turned on by default (along with wireless) so the company can pretend to have cared about your network security and not get sued.  Of course any computer security person would shred that argument in court, so they are depending on people&#039;s ignorance to save them from a lawsuit when someone hacks the wireless network they left on by default.  WEP is useless.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;WPA and WPA2&lt;/strong&gt; - Wi-Fi Protected Access.  Another set of those 802.11 standards.  WPA is the old standard that made use of TKIP (Temporal Key Integrity Protocol); and was designed to replace WEP without much fuss.  Unfortunately, people were able to crack the WPA-TKIP standard in 2008.  Luckily, the Wi-Fi Alliance people adopted a new 802.11 standard in 2006 that became known as WPA2-AES (Advanced Encryption Standard).  The difference between the two standards really is in the encryption algorithms used.  Basically, use WPA2.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Pre-Shared Key (PSK) or Personal Mode&lt;/strong&gt; -  Pre-Shared Keys were introduced with WEP and carried forward into WPA and WPA2.  It is a passphrase set on any wireless access point that is used to partially encrypt the data sent wirelessly.  I say partially, because the encryption actually changes once the connection is established.  You can read up on the entire 802.11 IEEE standards if you really care about useless information, or just want to hit that homerun during your next technical interview.  Anyway, all wireless devices are supposed to support PSK and it is more than adequate for personal home networks (hence the Personal Mode pseudonym) and even most businesses; assuming the passphrase is sufficiently complex (getting to that in just another moment).&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;RADIUS Server or Enterprise Mode&lt;/strong&gt; - Sometimes mistakenly called &lt;strong&gt;EAP&lt;/strong&gt; or Extensible Authentication Protocol (PSK above is a flavor of EAP, hence the mistakenly part).  Enterprise mode uses a RADIUS server like Microsoft IAS or Cisco ACS to provide the authentication methods for wireless connections.  A pre-shared key still exists between the RADIUS server and the wireless device, but it expires after a preset period of time and is changed out automatically.  This is the mode to use for any business with a RADIUS server.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Strong Passphrases&lt;/strong&gt; - Every wireless device has at least three passphrases that can be set.  The first is the one used to access the wireless device in order to make configuration changes.  The second is the SSID.  The third is the Pre-Shared Key (may not be used though).  Treat each of these as a secure passphrase.  Each of these passphrases should be unique from one another.  Each of these passphrases should be exactly that, a passphrase instead of a password.  Each of these passphrases should be complex in nature, meaning include at least one upper case letter, one lower case letter and one number or symbol.  Each of these passphrases should be at least 16 characters long.  Do not use your name or your company&#039;s name for any of these passphrases.  Read my entry entitled &lt;a href=&quot;http://www.iamwhen.com/archives/52-Computer-Security-101-Part-2-Passwords.html&quot;&gt;Computer Security 101 - Part 2 - Passwords&lt;/a&gt; if you have not done so already.&lt;/blockquote&gt;Wireless security is constantly changing and improving, as well as having previous methods become weakened or obsolete.  A few years ago you would probably have been told an eight (8) character password was sufficient to protect against a brute force attack, two years ago it would have been 13 characters, now I personally recommend 16 character complex passphrases (thanks in part to GPU offloading).  There are also newer features put forward by the Wi-Fi Alliance that will automatically configure wireless security between devices using various methods.  All that being said, let&#039;s actually cover the concrete security methods that should be put in place.&lt;br /&gt;
&lt;br /&gt;
First things first.  Shut down all wireless access points and routers that are absolutely not needed.  Move on to the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter.  You will want a wireless card that supports at least 802.11 b and 802.11 g network standards; 802.11 n is currently an added bonus, but is increasingly becoming a requirement.  As you walk around, refresh the available wireless network screen and see what you see.  Write down each and every wireless network you find and the locations you find it in.  Write down the SSID if it is available.  Write down the security level (WPA2-AES, WPA-TKIP, etc) that each wireless network lists as being used.  Connect to unsecured wireless networks and see if each one is part of your network or perhaps something from the Starbucks next door.  There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don&#039;t spend any money.&lt;br /&gt;
&lt;br /&gt;
Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify.  Use a little common sense in this practice.  If a wireless network is strongest in the eastern region of your building, talk to the departments in that area.  If there are other companies in the Eastern region, see if they are running wireless.  Pretty simple stuff.  Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found.  Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can).  Find these Rogue Networks (assuming they are actually on your company’s network) and eliminate them.&lt;br /&gt;
&lt;br /&gt;
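The survey and identification steps above leave you with a pile of handwritten sightings.  The following Python code is an added example, not part of the original article: it collapses those notes per access point, rates each one using the article's ranking of security modes, and reports where the signal was strongest so you know which department to talk to first.  The sample sightings, the inventory of known BSSIDs and all names in the code are constructed for illustration.

```python
from collections import defaultdict

# Ranking taken from the article: WPA2-AES is the target, WPA-TKIP is the
# fallback for old hardware, WEP is treated as useless, open is unsecured.
SECURITY_RATING = {
    "WPA2-AES": "ok",
    "WPA-TKIP": "inadequate",
    "WEP": "inadequate",
    "OPEN": "unsecured",
}
RATING_ORDER = {"unsecured": 0, "inadequate": 1, "unknown": 2, "ok": 3}

# Constructed sample data: one row per sighting written down during the walk.
# Fields: SSID ("" when not broadcast), BSSID, security, location, signal dBm.
SIGHTINGS = [
    ("CorpNet", "00:11:22:33:44:01", "WPA2-AES", "2F east", -48),
    ("CorpNet", "00:11:22:33:44:01", "WPA2-AES", "2F west", -71),
    ("linksys", "00:11:22:33:44:02", "OPEN", "3F east", -55),
    ("linksys", "00:11:22:33:44:02", "OPEN", "3F lobby", -80),
    ("CoffeeShop", "00:11:22:33:44:03", "WEP", "1F lobby", -83),
    ("", "00:11:22:33:44:04", "WPA-TKIP", "4F north", -60),
]

# Assumed inventory: access points the IT department knows it operates.
KNOWN_BSSIDS = {"00:11:22:33:44:01"}


def triage(sightings, known_bssids):
    """Collapse sightings per access point and decide the follow-up."""
    by_ap = defaultdict(list)
    for ssid, bssid, security, location, dbm in sightings:
        by_ap[bssid.lower()].append((ssid, security.upper(), location, dbm))

    report = []
    for bssid, rows in by_ap.items():
        # Strongest signal (dBm closest to zero) marks where to start asking.
        _, security, location, dbm = max(rows, key=lambda row: row[3])
        # A hidden SSID may still have been learned at another location.
        ssid = next((row[0] for row in rows if row[0]), "(hidden)")
        rating = SECURITY_RATING.get(security, "unknown")
        if bssid in known_bssids:
            action = "keep" if rating == "ok" else "reconfigure"
        else:
            action = "identify owner"
        report.append({
            "bssid": bssid, "ssid": ssid, "security": security,
            "rating": rating, "strongest_at": location, "dbm": dbm,
            "action": action,
        })

    # Unidentified access points first, weakest security first within each group.
    report.sort(key=lambda r: (r["action"] != "identify owner",
                               RATING_ORDER[r["rating"]], r["bssid"]))
    return report


if __name__ == "__main__":
    for entry in triage(SIGHTINGS, KNOWN_BSSIDS):
        print("{action:15} {ssid:12} {security:9} {rating:10} "
              "strongest at {strongest_at} ({dbm} dBm)".format(**entry))
```

A match against the inventory only shows that a radio claims one of your addresses; since MAC addresses are easy to spoof, confirm known entries by location as well.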
Assuming you need a wireless network that cannot be shut off, the next thing to do is set up an actual secured wireless network.  The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer).  A company that has a RADIUS server should make use of Enterprise mode WPA2.  Discuss with whoever handles your RADIUS server as to which EAP types are available.  Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase.  MAC Address filtering provides very little added benefit at this point, so ignore it.  It would be like putting an umbrella over a submarine to protect against the rain.&lt;br /&gt;
&lt;br /&gt;
There.  Done.  That is currently the best configuration available for an active wireless network setup.  The problem is each device (laptop, PDA, tablet, etc) that is going to connect to the wireless network must be set up now.  This is generally not a big deal as it requires each device to be set up only once (set-and-forget).  The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).&lt;br /&gt;
&lt;br /&gt;
Both of these groups of people generally have no idea why they need an IT department to begin with.  &lt;em&gt;All those damn geeks do is make things more complicated than it needs to be.&lt;/em&gt;  They do not want to call IT when their 4 year old is using mommy&#039;s laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email.  This is where wireless becomes unsecure once again.  Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure.  Even without that CIO you still have a few things you can do to keep your network secure.&lt;br /&gt;
&lt;br /&gt;
The first thing to do in the above scenario is to pick a good location for the &amp;quot;open&amp;quot; wireless.  Conference rooms near the center of a building between floors two and five are excellent choices (first floor gets the most non-work traffic.  Too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world).  Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network.  Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network.  Almost every sales person or C-level exec will be satisfied with someone telling them &amp;quot;There is wireless available in the third floor conference room,&amp;quot; as opposed to not at all.&lt;br /&gt;
&lt;br /&gt;
The next step is to segment the open wireless network from the rest of the network.  As much as is possible that is.  A little guided research is required to discover what the use of the wireless network will be.  Leading questions are great here such as, &amp;quot;I can setup the third floor conference room for wireless Internet access.  Will that work for your sales team?&amp;quot;  The answer will be &amp;quot;yes&amp;quot; and you can segment that wireless network from everything but Internet access.&lt;br /&gt;
&lt;br /&gt;
The last step is to turn off the wireless.  A good majority of commercially available wireless routers have some sort of scheduling built-in.  This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day.  These functions can be used to restrict the wireless access to business hours only, which increases the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).&lt;br /&gt;
&lt;br /&gt;
Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible.  Failing that, virtually every business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above.  A little thought process combined with a few leading questions and you can once again sleep soundly at night.  
    </content:encoded>

    <pubDate>Wed, 06 May 2009 19:56:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/75-guid.html</guid>
    
</item>

</channel>
</rss>