Thursday, October 15, 2015

Stay Secure on Public WiFi

With data plans becoming more expensive and less optimal, it has become critical to use WiFi to avoid high phone bills and to provide a better experience with streaming media, uploading, downloading, etc. Most people know this already, so when there is free WiFi available they connect without hesitation. Coffee shops are the most common, but now these networks are popping up everywhere, including libraries, airports, retail stores, and so on. These networks are insecure and you really should not be using them until the security improves. But since I know you are going to anyway, here are some tips for improving your security while using these open WiFi networks.

Use a VPN

A VPN (Virtual Private Network) creates a secure tunnel between your device and the VPN provider. Any traffic going in or out of your device (Internet, Outlook, RDP, etc.) will be forced through the tunnel (which is encrypted and secure). There are many good VPN providers but the key is finding one you can trust. They are typically a subscription service that can range anywhere from $3/month to $20/month, but it's well worth the money. Additionally, most of them have their own mobile app for Android and iPhone, which is pretty awesome. Using a VPN is the best thing you can do to improve your security on open WiFi networks.


Disable Network Discovery & Sharing (Windows Users)

When you first connect to the open WiFi, if you haven't connected there before you will be prompted by Windows to select the type of network you are connecting to: Home, Work, or Public. The option you choose is important because this setting determines the level of trust on the network. For example, selecting the Home Network option tells Windows that you are on a private and secure network and to trust the other computers on the network. Windows will attempt to find other computers on the network and will also advertise your computer on the network. Always select Public Network when using open WiFi networks. This automatically disables network discovery and sharing.



Uncheck "Connect Automatically"

When you connect to a WiFi network for the first time, the box "Connect Automatically" is checked by default. This is because most people don't want to re-type the password each time they connect to that WiFi network. So what if someone spoofs the network and your device automatically connects to them? Everything will seem normal except the attacker is sniffing all your passwords and spying on you. You want to ensure your device is connecting to the correct WiFi network so uncheck this box and deal with typing in the password each time. In Mac OS X it is called "Remember networks this computer has joined".

Windows:



Mac (AirPort Settings):




Avoid Sensitive Websites

Avoid accessing sensitive websites such as financial sites, work sites, etc. Even if you are using a VPN or connecting to a site that is using HTTPS, it doesn't mean you are 100% secure. So why risk it? Do you really need to check your bank accounts while having a cup of coffee at Starbucks? It can wait; avoid sensitive sites.


Use "HTTPS Everywhere"

HTTPS Everywhere is a Chrome and Firefox add-on that forces encryption between you and several major websites. This is a fantastic add-on but you shouldn't rely on it entirely for your browsing security. Use this in conjunction with a VPN.

In conclusion, my best recommendation is to avoid these "free" and open WiFi networks altogether, but if you absolutely need to connect then follow the recommendations in this post. It will greatly improve your security but remember, there is no such thing as being 100% secure.

Thursday, October 8, 2015

Android Lock Screen Security

If offered a choice between security and convenience, what would you choose? Many people would choose convenience over security because security can be very inconvenient and people just don't want to deal with that. But sometimes you need to sacrifice convenience to protect yourself.

The lock screen is the gateway to your Android device, just like the login screen is the gateway to your laptop. Many people overlook the importance of locking it down because it is inconvenient or they are ignorant. Would you allow your laptop to display your emails on the lock screen of your computer? Would you secure your laptop with a four digit PIN? Probably not, and your phone is no different.

Here are some tips for securing your Android lock screen:

Use a Strong Password instead of PIN or Pattern

In your security settings, you can choose to enable a Screen Lock. Android offers many choices for a screen lock including Swipe, Pattern, PIN, Face Unlock, and Password. Of these choices, using a strong password is the best and most secure option available to you. Patterns can easily be compromised by tilting the device and viewing the finger marks. Additionally, people tend to use patterns related to them (e.g., William using "W" for his pattern) and simple-to-guess patterns. PINs are also a bad choice because they are short and only contain numbers. With passwords, you can create a strong password which is not bulletproof but is definitely more secure than a pattern, PIN, or facial recognition. Refer to my previous post "How to Create Strong Passwords" to assist you with this.



Automatically Lock - Immediately

In the security settings, under Screen Lock, there is an option to "Automatically Lock". This should be set to lock "Immediately". Why does this matter? Well, let's say your phone is set to lock after 5 minutes rather than immediately. This means when you lock your screen you can unlock your phone again within 5 minutes without entering your password. So what happens if you set down your phone and someone steals it? If they access your phone within that 5 minute time period, the thief will be able to remove the security, access all your apps and resources, and ultimately own your device.



Hide Sensitive Notification Content

Android notification content is displayed on your lock screen by default (starting with version 5.0). This means each time you receive a text message, for example, you can read some or all of the message right from your lock screen without even unlocking your phone. Pretty convenient, but what if you receive a text message for accessing your online bank account? Or what if you receive a confidential text message from your work? If your phone displays this content on the lock screen, anyone can view it by simply picking up your phone. You want to change this setting to "Hide sensitive notification content". This will allow you to continue receiving notification content on your lock screen but it will hide the content from text messages, emails, and other notifications that may contain sensitive information. You can change this setting under Sound & Notification in your phone settings.




Google has been working on improving the overall security of their Android operating system to provide security by default and security without the expense of convenience. Though they have made good progress, there are security settings that remain a choice for the end user. It is important that you review these settings and make good decisions when it comes to security. Use good judgement.


Thursday, October 1, 2015

How to Create Strong Passwords

Currently hackers can process thousands of randomly generated passwords in a matter of minutes. In a recent study, a security research group was able to crack over 14,000 password hashes in only 16 minutes! So how easily can your password be cracked? Well, it depends on how strong your password is. This post offers some guidelines for creating strong passwords, how to remember them, and how to store them securely.

First off, there is no such thing as an impenetrable password. Any password can be cracked. So look at it this way: the longer and stronger your password is, the longer and harder it will be to crack. Think about it. If you are a hacker and you have 900 password hashes, and the first 850 of them are using things like "password123" or "billybob1951", why waste your time cracking a strong password that could take weeks to crack when you can spend five minutes cracking these easy ones? Hackers are knocking on the door; all they need is someone (anyone) to open the door.

So let's start with the general password rules:
  1. Should be a minimum of 10 characters long (but again, the longer you make it the better).
  2. Should contain at least 1 special character (#, !, &, *, etc.).
  3. Should contain at least a mix of numbers, upper and lower case letters.
  4. Avoid repeating characters (mypassword7777).
  5. Avoid dictionary words, names, etc. (ilovepizza2001 = awful password).
  6. Avoid using words that describe you (pets' names, SSN, birth date, etc.).
  7. Avoid using the same password(s) for different websites and applications (if one website password is compromised, all your websites are compromised). 
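
The rules above can be checked mechanically. The following is an added example, not code from the original post: `check_password` is a hypothetical helper, the word list is a small constructed sample, and "repeating characters" is assumed to mean the same character three or more times in a row. Rule 7 (reuse across sites) cannot be judged from a single password, so it is not checked.

```python
import re

# Constructed sample word list (assumption); a real check would load a large
# dictionary and a list of known-breached passwords.
COMMON_WORDS = {"password", "pizza", "love", "billybob", "qwerty", "letmein"}


def check_password(password, personal_terms=()):
    """Return the list of rules (1-6 above) that the password violates."""
    problems = []
    lowered = password.lower()

    if len(password) < 10:
        problems.append("rule 1: shorter than 10 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("rule 2: no special character")
    missing = [name for name, pattern in
               (("number", r"[0-9]"), ("upper case", r"[A-Z]"), ("lower case", r"[a-z]"))
               if not re.search(pattern, password)]
    if missing:
        problems.append("rule 3: missing " + ", ".join(missing))
    # Assumption: "repeating" means the same character three or more times in a row.
    if re.search(r"(.)\1\1", password):
        problems.append("rule 4: repeated characters")
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("rule 5: contains common word(s) " + ", ".join(hits))
    # Personal terms (pet name, birth year, ...) are supplied by the caller.
    personal = sorted(t.lower() for t in personal_terms if t and t.lower() in lowered)
    if personal:
        problems.append("rule 6: contains personal detail(s) " + ", ".join(personal))
    return problems


if __name__ == "__main__":
    # Passwords quoted in this post, checked against constructed personal terms.
    for candidate in ("mypassword7777", "ilovepizza2001", "billybob1951",
                      "!L!v3@233P@rkStr33t"):
        issues = check_password(candidate, personal_terms=("1951", "Rex"))
        print(candidate, "->", issues or "passes rules 1-6")
```
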

But if I create strong passwords, how will I remember them? First, create your passwords based on sentences or phrases that you will remember:

Example:
"I live at 233 Park Street" = "!L!v3@233P@rkStr33t"

Or you can use a password generator such as strongpasswordgenerator.com to create a strong password for you based on the criteria you select:


Now if you follow these guidelines and are creating all these strong passwords, chances are you are not going to remember them and you are going to have a hard time managing them. So what do you do? Use a password vault such as LastPass or KeePass. With a password vault, you only have to remember one password (which lets you into your vault). Then you can store all your usernames and passwords in one place. 

Password vaults are generally free and are a good method for storing your passwords securely. You simply copy and paste your passwords into websites, applications, etc. Some password vaults can even populate your username and password automatically into the website or application with the click of a button. 

Bottom line, creating strong passwords is very important. It is incredibly easy to guess and crack passwords. This guide will help you create strong passwords and there are options for remembering and storing these passwords. Find what works for you and you will be better off than most people, in a world dominated by technology.