Archive for the ‘Network Security’ Category

How to protect your email password

Thursday, April 23rd, 2009

I have a question. How does one avoid getting hacked? The advice is always to change your password, but shouldn’t a good password be as good as any new password you create…until it gets hacked. In other words, isn’t changing a password irrelevant until you have been hacked?

The reason “they” say to change your password regularly is that your password may have been compromised but you don’t know it yet. If you change your password regularly, you can thwart an upcoming attack. OTOH, the downside is that if you change it too often you start to forget what password you changed it to this time. I’m not a big fan of frequently changing passwords. I prefer to be smart about how I select and protect my passwords.

1) Make sure your computer software is up-to-date, fully patched. Most computers aren’t updated regularly.

2) Make sure your anti-virus is up-to-date. You should be updating it daily. Many people use a pay anti-virus service then stop paying when it comes up for renewal, and become vulnerable to the latest attacks.

3) Make sure your email login is secure. If you use POP, ask your ISP if they support POP on port 995, and then get instructions on how to configure your software to use port 995 with your ISP. If you check email by using a browser to connect to a webpage (aka webmail), bookmark the secure login page (uses https so that your password is encrypted when sending it to the server).

4) NEVER login to your email on a public computer, unless you know they have taken appropriate steps to prevent viruses and keyboard loggers. Internet cafes in less developed countries (Mexico and South America, Africa, Eastern Europe, China, etc.) are notoriously unsafe. The internet cafe system I used in London a few years ago was safe – they reinstalled the operating system from scratch with each new user so a previous user couldn’t accidentally or maliciously infect the machine and leave it in an infected state for the next user.

If you plan to travel to a remote area and use the local internet cafes to check your email, a work-around is to set up a temporary Gmail account that fetches your email from your ISP. If your Gmail password is hacked, the hacker has access to your email, but you can call your ISP and change the login for your email at the ISP, and Gmail will no longer be able to get your new email from your ISP. Your password for your ISP account is stored on Google’s server and is not exposed to the hacker who gains access to your Gmail account. Obviously you need to use a different password for logging into Gmail than you do for logging into your ISP!

5) Your password should not be easily guessed, or discovered with a dictionary attack (words found in the dictionary). It should be at least 8 letters long, and contain a mix of capital, lower case, and non-alphabetic characters. However, you need to be able to easily remember your password! Here’s an example of a good password:

Sparkylvs2Fetch

You can easily remember a password like this if you have a dog named Sparky who loves to fetch. Even if I know you have a dog named Sparky I’m not likely to easily guess (or hack with a brute-force attack) the lvs2Fetch part.

Even better, try:

5p4rkylvs2F3tch!

You need to remember “Sparky loves to fetch” and that you substituted 5 for the S (S looks like a 5), 4 for the A (A looks like 4) and 3 for the E (E looks like 3 backwards), and that you used lvs (text for loves). If you use number/letter substitutions regularly on your passwords (email and website logins) these substitutions become second nature. Other common substitutions are 0 for O (zero for letter o), and 1 for I (one for letter i).

6) Never use the same password for your email account to login to websites – especially websites where your login username is your email address or where you provided your email address when you created the account. If the webserver gets hacked, the hacker will get your email username and password!

7) Whenever possible, avoid using Microsoft software or other widely used, poorly secured, and/or frequently hacked software. Almost all viruses (and worms and trojans, which are frequently called viruses even though they are really not viruses per se) are targeted at people who use the Windows OS, the Outlook and Outlook Express email software, and the Internet Explorer browser, and these attacks rely on known vulnerabilities in those programs. If you feel you must use Windows rather than a more secure UNIX-based OS (Linux, BSD, MacOS), at the very least download and use an alternate browser such as Firefox, and download and use alternate email software such as Thunderbird. You can also get a whole “Internet Application” suite based on Mozilla Firefox and Thunderbird called SeaMonkey. Although Microsoft Office based viruses are less common, you can also get an alternate free office suite from OpenOffice. Another new type of attack comes thru Adobe Reader, and you can avoid attacks thru this software by using any of the many alternative PDF reader programs.

8) Finally, use common sense. Most computers are hacked because people install pirated (and infected) software, or click on a link to see something “naughty” (porn, or wardrobe malfunctions). This is how the virus software gets installed – you “invited” or “installed” it under the guise of getting something else. Avoid P2P networks (Limewire is a major source of viruses).

Network Security Summary

Monday, July 17th, 2006

This is a lot of information! Can you summarize?

The most important thing is to simply Think About What You Are Doing.

  • Where are you logging in?
  • Is it secure? If not, can you secure it?
  • What type of information are you sending?
  • If the transmission isn’t secure, is it OK if someone else sees your data?

Be sure to backup before you take your laptop to a conference!

Monday, July 17th, 2006

Are backups important?

YES! It is very important to backup your computer regularly. It is especially important to backup a laptop computer before you take it somewhere where the risk of theft or intrusion is higher than normal, such as at a conference. If you don’t have time or backup space to backup all your data, you should at least backup:

  • Critical work files
  • Email address book
  • Media files that can’t be replaced (e.g. personal photos, personal videos)
  • Saved email

There are many ways to backup your data. You can backup to an external hard drive, a network server, to a CD or DVD, or to portable media (Compact Flash, Thumb Drive, etc.). The important thing is that the backup isn’t on the laptop or carried with you. If your laptop has 2 hard drives, backing up from one drive to the other protects your data from a hard drive failure, but it doesn’t protect your data if your laptop is stolen, or hacked.

Physical security issues when taking a laptop to a conference

Monday, July 17th, 2006

What about physical security?

Most physical security risks regarding taking and using a laptop at a conference can be mitigated by using common sense:

  1. Don’t leave your laptop unattended on a table while you:
    • Use the bathroom
    • Step outside to take/make a phone call
    • Get food/drinks
  2. Watch out for shoulder surfing when entering your password.
  3. Watch out for someone snatching your laptop bag during check-in.

Password management tips

Monday, July 17th, 2006

Is it important to use secure passwords?

Yes! All your passwords should be at least 6 characters long and consist of a mix of letters and numbers, and also use punctuation characters when allowed by the system.

Is it important to use different passwords for my logins?

Yes! You need to be very careful about logging into any other site if your username and/or password you use on a “not so important” site is the same as the username and/or password you use on an important site. Even when the username is different, when you use the same password on both unencrypted and encrypted logins a skilled sniffer/hacker can usually figure out what username you might use on an encrypted login network, and then try various usernames along with the passwords that you sent in the clear when you logged in to an unencrypted site.

Can you help me with managing my passwords?

It is a common practice to create a standard username/password pair to use for “insecure” logins only so that if this password is sniffed, it won’t give access to more critical sites. For instance, you may use a username and password like

blueiris1980 / bumbleb33

for logging in to relatively unimportant and insecure sites such as when you login to post to a friend’s blog. You may elect to use the same username for your own blog, but it is VERY important to use a different and very secure password, such as:

blueiris1980 / m0r3s3cure$bcuz

Use your “more secure” password ONLY on sites where you can be certain your login is thru https, and never on sites where you have checked “remember me” and are logged in automatically, unless you are certain that the automatic login uses https.

Consider taking the time right now to make a list of all the sites you login to where you need to use a really secure login, and making a new password to use on those sites and those sites alone, and then go and update your password on those sites right away.

Using IM on an insecure network

Monday, July 17th, 2006

What about when I login to IM chat services?

Even if the login is encrypted, messages sent on IM and Chat services like AOL Instant Messenger (AIM), MSN, Yahoo! IM etc. are typically sent “in the clear” – don’t engage in IM conversations unless you are OK with anyone else “overhearing” what you say in IM chat sessions. Think of IM sessions as being like postcards: anyone else can see what you write.

Using email on an insecure WiFi connection

Monday, July 17th, 2006

How do I know if my email is secure?

When you use an email client (Outlook, Eudora, Thunderbird, Mac Mail, etc.) to read your email, you should configure your logins for sending and receiving email to use secure (encrypted) protocols. Then your email transmissions will be secure no matter if you are using a secure or insecure network.

  • To receive email (via POP) use port 995.
  • To receive email (via IMAP) use port 993.
  • To send email (via SMTP) use port 587 or port 465.

Check your ISP’s email support page or email or call your ISP for instructions on how to configure your software to use these secure ports and protocols.
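To see which of these encrypted ports a mail server actually offers, the following added example (not part of the original post) attempts a certificate-verified TLS connection on 995, 993 and 465, and a STARTTLS upgrade on 587, which begins unencrypted and then switches to TLS. The host name in the usage comment is a placeholder.

```python
import smtplib
import socket
import ssl

# (label, port, mode) from the list above. "implicit" means TLS starts as soon
# as the TCP connection opens; port 587 starts in plaintext and upgrades to
# TLS with the STARTTLS command.
CHECKS = [
    ("POP3", 995, "implicit"),
    ("IMAP", 993, "implicit"),
    ("SMTP", 465, "implicit"),
    ("SMTP", 587, "starttls"),
]

def strict_context():
    """TLS settings that verify the server certificate and host name."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host, port, mode, timeout=5):
    """Return 'OK <TLS version>' or 'FAIL <reason>' for one host/port."""
    ctx = strict_context()
    try:
        if mode == "implicit":
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return f"OK {tls.version()}"
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)       # raises if STARTTLS is not offered
            return f"OK {smtp.sock.version()}"
    except OSError as exc:                   # covers socket, TLS and SMTP errors
        return f"FAIL {type(exc).__name__}: {exc}"

def probe_all(host):
    """Probe every port in CHECKS and return {'POP3/995': result, ...}."""
    return {f"{label}/{port}": probe(host, port, mode)
            for label, port, mode in CHECKS}

if __name__ == "__main__":
    import sys
    # Usage: python mail_tls_check.py mail.example.net   (placeholder host)
    for name, result in probe_all(sys.argv[1]).items():
        print(f"{name:10} {result}")
```

A FAIL result with a certificate error means the port answered but the server's certificate did not verify for that host name, which is worth raising with the ISP before trusting the connection on an insecure network.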

Helpful sites:

Gmail has a very helpful support site that shows how to configure most common email client software to use secure protocols to connect to gmail:

http://mail.google.com/support/bin/topic.py?topic=1555

If your ISP doesn’t have a support site with similar information, you can try using the gmail instructions with your ISP login information, and see if it “just works”. Often, it does!

If your ISP doesn’t support secure protocols, ask if they have a secure webmail page you can use when you are using an insecure wireless network. A secure webpage will use https in the URL when you login.

If your ISP doesn’t offer any secure method to send or receive email, consider changing to an ISP that does. One solution is to use Gmail. If you need a Gmail invitation, just ask!

What if I use a web browser (webmail) to read my email?

Using a browser such as IE, Safari, or Firefox (rather than email client) to check your email using a webpage is called Webmail.

Make sure your webmail bookmark uses https, and that there is a locked padlock icon on the bottom of your browser window. If you checked “remember me” on your webmail webpage so that you don’t have to login each time you go to that webpage, be sure that your bookmarked access page uses https so that your login cookie is sent over an encrypted session.

Make sure the session remains secure (continues to use https) after your login. If it doesn’t remain secure, then while your login itself is secure, the contents of your email are NOT secure – don’t check email using an insecure network if you wouldn’t want everyone else in the area to be able to read any of the email you send or receive.

Using the web on an insecure WiFi connection

Monday, July 17th, 2006

How do I know if my browser connection is secure?

Your browser will display a locked padlock icon to show when a particular webpage is secure and the data transmitted to that page is safe from a hacker sniffing the network data. However, just because you see a locked padlock on your browser, it doesn’t mean that the other software on your computer (such as your email software, your IM software, etc.) is secure.

When your login AND your session use https (and you see a locked padlock in the browser window) then all your transmissions are secure. If not, then you should carefully consider if it’s safe to login when you are on an insecure network.

What types of websites matter?

The most important sites to be careful about are sites that have your financial information:

  • Your bank website.
  • Payment sites (such as PayPal).
  • Shopping sites (such as eBay, Amazon).

Be very careful about clicking on any links in email that take you to sites of this nature. A best practice is to NEVER click on ANY links in email that claim to log you into a site like this – if the email is a phish, then the link doesn’t go where you think it goes. Merely by clicking on the link you are exposing information to the phishers (that your address is a real address, that you read the email they sent you, that you clicked on a link) and if you login to the site then you give the phisher your account information and bad things WILL happen.

What about logging into my blog?

Other sites to be careful about are sites where you have administrative rights, such as your blog! You should also be careful with any site you login to, such as social networks (myspace, friendster, tribe), web forums, other people’s blogs, etc. Also be alert for invisible logins. Many people have a customized homepage on a service like my.yahoo.com – when you go to my.yahoo.com you are logged in automatically because your browser passes a cookie to the Yahoo server. This cookie is transmitted over an unencrypted session and can be sniffed. If sniffed, then someone else can configure their computer to send the cookie and trick the server into giving them your page. Fortunately, Yahoo requires you to enter your password if you want to change anything significant on your account, but other sites may give anyone with the right cookie complete access to your account. For best security you should remove the checkmark for “remember me”, and then login (using https) each time you visit ANY site that delivers a personalized page to logged-in users.
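Both the webmail advice (keep the session on https after login) and the "remember me" cookie problem described above come down to two checks on a login flow: does any page fall back to http, and was any cookie issued without the Secure attribute, so that the browser attaches it to that http request? This added example (not part of the original post) runs those checks over a constructed flow for a hypothetical webmail host; all hops are assumed to be on the same host, so cookie domain and path matching are left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: pages requested while logging in to a hypothetical
# webmail site. Each hop is (URL requested, Set-Cookie values returned).
SAMPLE_FLOW = [
    ("https://webmail.example.net/login", [
        "session=9f2c; Path=/; HttpOnly",                      # no Secure
        "remember_me=u1234; Path=/; Max-Age=2592000; Secure; HttpOnly",
    ]),
    ("http://webmail.example.net/inbox", []),                  # back to http
    ("https://webmail.example.net/compose", ["csrf=77aa; Path=/; Secure"]),
]

def audit_flow(flow):
    """Return a list of (problem, detail) findings for a login flow."""
    findings = []
    secure_flag = {}                      # cookie name -> has Secure attribute
    for url, set_cookie_headers in flow:
        if urlsplit(url).scheme != "https":
            findings.append(("cleartext-page", url))
            # Cookies without Secure are attached to this request in the
            # clear, where anyone sniffing the network can copy them.
            for name, secure in secure_flag.items():
                if not secure:
                    findings.append(("cookie-sent-in-clear", f"{name} -> {url}"))
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                secure_flag[name] = bool(morsel["secure"])
                if not secure_flag[name]:
                    findings.append(("cookie-missing-secure", name))
    return findings

if __name__ == "__main__":
    for problem, detail in audit_flow(SAMPLE_FLOW):
        print(f"{problem:22} {detail}")
```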

Network Security issues for WiFi users

Monday, July 17th, 2006

This is the first in a series of blog posts about Network Security issues for WiFi users.

Why should I worry about security when using a wireless network?

When you connect your computer to the internet, anyone on your local network can “sniff the network traffic” and read the information anyone else sends or receives. If you use dialup, the only computer on your local network is yours, so you don’t have to worry about network security. If you use DSL or Cable services and you share that service with other computers in your home or office, generally all those computers can see (and sniff) all the network traffic. If you use a wireless connection, ANYONE can sniff the traffic! Even if the wireless connection uses encryption – if the data on the network is interesting enough to a hacker, a determined hacker can usually determine how to connect to the wireless network and sniff the traffic.

What is network traffic?

Network traffic means anything you send or receive over the internet and includes email, website logins, banking data, login cookies, IM (instant messaging), and other information you probably want to keep private rather than let unknown people access. Even when you think you are among friends and trustworthy people you never know who might be a wolf in sheep’s clothing or who might be sniffing the wireless traffic from somewhere out of sight (e.g. from a parked car in the parking lot behind a fence or parked on the street).

How can I tell when I am logged into an insecure network?

All wireless networks are insecure networks. Some are more insecure than others. Whenever a wireless (WiFi) network doesn’t require a username and password in the wireless network connection dialog to get a connection then it is a very insecure wireless network – a hacker can connect and sniff the traffic transmitted over this network with no effort at all.

When you get a network connection and then have to login to a webpage to actually use the network, the mere act of logging in doesn’t confer any security to the network connection. 99% of the time when you login to use a WiFi network like T-Mobile, MetroFi, or a network at an airport or conference, you are logging in to an insecure wireless network.

When you must enter a “network key” to get a network connection (often called a WPA key or WEP key), the network connection is restricted; however, all users on the network can usually still sniff other users’ traffic, and a determined hacker can usually figure out the network key and get access to the network.

The wireless network at BlogHer will be an insecure network. This type of network is easiest for conference users to use. With that ease of use come safety concerns.

OK, so I understand that the network is insecure. How do I stay safe while using an insecure network?

Be aware of the secure or insecure nature of all of your connections (web, email, IM, etc.) and adjust or adapt your network use accordingly. We will cover these one by one in the following blog entries.