The nightmare began online and ended with federal agents storming a house in suburban Blaine, Minnesota. The agents had only an IP address associated with child pornography downloads and even a death threat against Vice President Joe Biden. By contacting the Internet service provider associated with that IP address, the agents acquired the user’s physical address. That sort of tracking was very successful back in the days when everyone still had a wired connection to their modems or routers. At that time, each IP address could be physically traced to a given machine.
But today most people use wireless connections within their homes. Wireless allows everyone inside to move around the house with mobile devices and remain connected to the Internet. And if you’re not careful, it also allows neighbors to access that same signal. In this case the federal agents stormed the wrong house in Minnesota. They really wanted the house next door to it.
In 2010, Barry Vincent Ardolf pleaded guilty to charges of hacking, identity theft, possession of child pornography, and making threats against Vice President Biden. Court records show that the trouble between Ardolf and his neighbor began when the neighbor, who was in fact a lawyer and was not named, filed a police report saying that Ardolf allegedly “inappropriately touched and kissed” the lawyer’s toddler on the mouth.1
Ardolf then used the IP address of his neighbor’s wireless home router to open Yahoo and Myspace accounts in his victim’s name. It was from these fake accounts that Ardolf launched a campaign to embarrass and cause legal troubles for the lawyer.
Many ISPs now provide their home routers with wireless capabilities built in.2 Some ISPs, such as Comcast, are creating a second open Wi-Fi service over which you have limited control. For example, you may be able to change a few settings, such as the ability to turn it off. You should be aware of it. Someone in a van parked in front of your house might be using your free wireless. Although you don’t have to pay extra for that, you might still notice a slight degradation in Wi-Fi speed if there is heavy use of the second signal. You can disable Comcast’s Xfinity Home Hotspot if you don’t think you will ever need to give visitors to your home free Internet access.3
While built-in wireless is great for getting you up and running with a new service, often these broadband routers are not configured properly and can create problems when they are not secured. For one thing, unsecured wireless access could provide a digital point of entry into your home, as it did for Ardolf. While intruders might not be after your digital files, they might be looking to cause problems nonetheless.
Ardolf was no computer genius. He confessed in court that he didn’t know the difference between WEP (wired equivalent privacy) encryption, which was what the neighbor’s router used, and WPA (Wi-Fi protected access) encryption, which is much more secure. He was just angry. This is just one more reason why you should take a moment to consider the security of your own household wireless network. You never know when an angry neighbor might try to use your home network against you.
If someone does do something bad on your home network, there is some protection for the router owner. According to the EFF, federal judges have rejected BitTorrent lawsuits brought by copyright holders because the defendants successfully claimed that someone else downloaded the movies using their wireless networks.4 The EFF states that an IP address is not a person, meaning that wireless subscribers may not be responsible for the actions of others using their wireless networks.5
Although computer forensics will clear an innocent person whose Wi-Fi was used in the commission of a felony—as it did in the case of the Minnesota lawyer—why go through all that?
Even if you use a telephone-based dial-up modem or a cable-based ASM (any-source multicast) router (available from Cisco and Belkin, among others), be aware that these devices have had their share of software and configuration problems.
First and foremost, download the latest firmware (software installed in a hardware device). You can do that by accessing the router’s configuration screen (see below) or by visiting the manufacturer’s website and searching for updates for your particular make and model. Do this as often as possible. One easy way to update your router’s firmware is to buy a new one every year. This can get expensive, but it will ensure that you have the latest and greatest firmware. Second, update your router’s configuration settings. You don’t want the default settings.
But first: what’s in a name? More than you think. Common to both the ISP-provided router and a router you bought at Best Buy is the naming. All wireless routers broadcast by default what’s called a service set identifier (SSID).6 The SSID is commonly the name and model of your router, e.g., “Linksys WRT54GL.” If you look at the available wireless connections in your area, you’ll see what I mean.
Broadcasting the default SSID out to the world may mask the fact that the Wi-Fi signal is actually coming from a specific household, but it also allows someone on the street to know the exact make and model of the router you own. Why is that bad? That person might also know the vulnerabilities of that make and model and be able to exploit them.
So how do you change the name of the router and update its firmware?
Accessing the router is easy; you do so from your Internet browser. If you don’t have the instructions for your router, there’s an online list of URLs that tells you what to type into your browser window so you can connect directly to the router on your home network.7 After typing in the local URL (you’re just talking to the router, remember, not to the Internet at large), you should see a log-in screen. So what’s the username and password for the log-in?
Turns out there’s a list of default log-ins published on the Internet as well.8 In the Linksys example above, the username is blank and the password is “admin.” Needless to say, once you’re inside the router’s configuration screen, you should immediately change its default password, following the advice I gave you earlier about creating unique and strong passwords (see here) or using a password manager.
Remember to store this password in your password manager or write it down, as you probably won’t need to access your router very often. Should you forget the password (really, how often are you going to be in the configuration screen for your router?), don’t worry. There is a physical reset button that will restore the default settings. However, in conducting a physical, or hard, reset, you will also have to reenter all the configuration settings I’m about to explain below. So write down the router settings or take screenshots and print them out whenever you establish router settings that are different from the default. These screenshots will be valuable when you need to reconfigure your router.
I suggest you change “Linksys WRT54GL” to something innocuous, such as “HP Inkjet,” so it won’t be obvious to strangers which house the Wi-Fi signal might be coming from. I often use a generic name, such as the name of my apartment complex or even the name of my neighbor.
There is also an option to hide your SSID entirely. That means others will not be able to easily see it listed as a wireless network connection.
While you’re inside your basic router configuration settings, there are several types of wireless security to consider. These are generally not enabled by default. And not all wireless encryption is created equal, nor is it supported by all devices.
The most basic form of wireless encryption, wired equivalent privacy (WEP), is useless. If you see it as an option, don’t even consider it. WEP has been cracked for years, and is therefore no longer recommended. Only old routers and devices still offer it as a legacy option. Instead, choose one of the newer, stronger encryption standards, such as Wi-Fi protected access, or WPA. WPA2 is even more secure.
Turning on encryption at the router means that the devices connecting to it will also need to match encryption settings. Most new devices automatically sense the type of encryption being used, but older models still require you to indicate manually which encryption level you are using. Always use the highest level possible. You’re only as secure as your weakest link, so make sure to max out the oldest device in terms of its available encryption.
Enabling WPA2 means that when you connect your laptop or mobile device, you will also need to set it to WPA2, although some new operating systems will recognize the type of encryption automatically. Modern operating systems on your phone or laptop will identify the Wi-Fi available in your area. Your SSID broadcast (now “HP Inkjet”) should appear on the list at or close to the top. Padlock icons within the list of available Wi-Fi connections (usually overlaid upon the strength of each connection) indicate which Wi-Fi connections require passwords (yours should now have a padlock).
From the list of available connections, click on your own SSID. You should be prompted to enter a password—be sure to make it at least fifteen characters. Or use a password manager to create a complex password. You will have to type that password at least once on each device that connects to your password-protected Wi-Fi, so a password manager might not work in all cases, particularly when you have to remember the complex password and type it in yourself later. Each device—including your “smart” refrigerator and digital TV—will use the one router password you chose when you set the encryption on your router. You will need to do this once for every device that accesses your home or office Wi-Fi, but you won’t have to do it again unless you change your home network password or acquire a new device.
You can also go one step further and limit Wi-Fi connections only to the devices you specify. This is known as whitelisting. With this process you grant access to (whitelist) some devices and forbid (blacklist) everything else. This will require you to enter your device’s media access control address, or MAC address. It will also mean that when you next upgrade your cell phone, you’ll have to add its MAC address to the router’s list before it will connect.9 This address is unique to every device; indeed, the first three sets of characters (octets) are the manufacturer’s code, and the final three are unique to the product. The router will reject any device whose hardware MAC has not been previously stored. That said, a hacker tool called aircrack-ng can reveal the authorized MAC address of a currently connected user, and an attacker can then spoof that MAC address to connect to the wireless router. Just like hidden wireless SSIDs, MAC address filtering is trivial to bypass.
Finding the MAC address on your device is relatively easy. In Windows, go to the Start button, type “CMD,” click “Command Prompt,” and at the prompt, type “IPCONFIG.” The machine will return a long list of data, but the MAC address should be there (labeled “Physical Address”), and it will consist of twelve hexadecimal characters with every two characters separated by a colon or, on Windows, a hyphen. For Apple products it is even easier. Go to the Apple icon, select “System Preferences,” and go to “Network.” Then click the network device on the left panel and go to Advanced>Hardware, and you will see the MAC address. For some older Apple products, the procedure is: Apple icon>System Preferences>Networks>Built-in Ethernet. You can find the MAC address for your iPhone by selecting Settings>General>About and looking under “Wi-Fi Address.” For an Android phone, go to Settings>About Phone>Status, and look under “Wi-Fi MAC address.” These directions may change based on the device and model you are using.
With these twelve-digit MAC addresses in hand, you will now need to tell the router to allow only these devices and block everything else. There are a few downsides. If a guest comes over and wants to connect to your home network, you will have to decide whether to give one of your devices and its password to that person or simply turn off MAC address filtering by reentering the router configuration screen. Also, there are times when you might want to change the MAC address of a device (see here); if you don’t change it back, you might not be able to connect to your MAC-restricted Wi-Fi network at home or work. Fortunately, rebooting the device restores the original MAC address in most cases.
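The steps above (read the MAC address off each device, store it in the router, let the router reject everything else) are easy to get wrong by hand because Windows prints octets with hyphens while Apple and Android devices print colons. The following Python script is an added example, not the book's own code: it pulls MAC addresses out of a constructed `ipconfig /all` excerpt (the addresses are fictitious), normalizes both separator styles, splits off the manufacturer prefix the text mentions, and models the router's whitelist decision. The `MacFilter` class is a stand-in for the router's filter, not any vendor's interface.

```python
"""Extract, normalize and whitelist MAC addresses the way a router's MAC filter does.

Added example, not from the book. The ipconfig excerpt below is constructed and
its addresses are fictitious. Windows separates the six octets with hyphens;
macOS, iOS and Android show colons, so both forms are accepted.
"""
import re

# Constructed excerpt of `ipconfig /all` output on Windows (addresses made up).
SAMPLE_IPCONFIG = """
Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless-AC Adapter
   Physical Address. . . . . . . . . : 8C-1D-96-0A-0B-0C
   DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 3C-52-82-11-22-33
"""

# Six hex octets separated by ':' or '-' (twelve hex digits in total).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b")


def normalize_mac(mac):
    """Return the address as upper-case colon-separated octets; raise ValueError if malformed."""
    candidate = mac.strip().upper().replace("-", ":")
    if not re.fullmatch(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}", candidate):
        raise ValueError(f"not a MAC address: {mac!r}")
    return candidate


def find_macs(text):
    """Pull every MAC address out of command output such as `ipconfig /all`."""
    return [normalize_mac(m) for m in MAC_RE.findall(text)]


def split_oui(mac):
    """Split a MAC into the manufacturer prefix (OUI, first three octets) and the device part."""
    octets = normalize_mac(mac).split(":")
    return ":".join(octets[:3]), ":".join(octets[3:])


class MacFilter:
    """Mimics a router's MAC whitelist: only stored addresses may associate."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def add(self, mac):
        self.allowed.add(normalize_mac(mac))

    def allows(self, mac):
        # The router only sees the address a client claims; it cannot verify that it is
        # the burned-in hardware address, which is why spoofing defeats this filter.
        return normalize_mac(mac) in self.allowed


if __name__ == "__main__":
    wifi_mac, wired_mac = find_macs(SAMPLE_IPCONFIG)
    router = MacFilter([wifi_mac])
    print(split_oui(wifi_mac), router.allows(wifi_mac), router.allows(wired_mac))
```

Because `allows` compares only the address the client presents, the script also makes the weakness in the text concrete: the whitelist is a convenience control, not a substitute for WPA2 and a long passphrase.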
To make connecting any new device to a home router easy, the Wi-Fi Alliance, a group of vendors eager to spread the use of Wi-Fi technologies, created Wi-Fi protected setup (WPS). WPS was advertised as a way for anyone—I mean anyone—to securely set up a mobile device at home or in the office. In reality, though, it’s not very secure.
WPS is typically a button that you push on the router. Other methods include use of a PIN and near field communication (NFC). Simply put, you activate the WPS feature, and it communicates with any new devices you have in your home or office, automatically synchronizing them to work with your Wi-Fi network.
Sounds great. However, if the router is out in “public”—say, in your living room—then anyone can touch the WPS button and join your home network.
Even without physical access, an online attacker can use brute force to guess your WPS PIN. It could take several hours, but it’s still a viable attack method, one you should protect yourself against by immediately turning off WPS on the router.
Another WPS attack method is known as Pixie Dust. This is an offline attack and affects only a few chip makers, including Ralink, Realtek, and Broadcom. Pixie Dust works by helping hackers gain access to the passwords on wireless routers. Basically the tool is very straightforward and can gain access to a device in seconds or hours depending on the complexity of the chosen or generated WPS PIN.10 For example, one such program, Reaver, can crack a WPS-enabled router within several hours.
In general, it’s a good idea to turn off WPS. You can simply connect each new mobile device to your network by typing in whatever password you’ve assigned for access.
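The hardening steps spread over the preceding pages (install current firmware, replace the default admin login, rename the SSID, use WPA2 with a passphrase of at least fifteen characters, set every device to the strongest mode it supports, turn WPS off) amount to a checklist. The Python script below is an added example, not the book's own code; it runs that checklist over two constructed configurations, one with factory defaults and one hardened as the text recommends, and applies the weakest-link rule for choosing the encryption mode. The dictionary keys are assumptions standing in for fields on a router's admin page, not any vendor's settings API.

```python
"""Check a home-router configuration against the hardening steps described above.

Added example, not the book's own code. The config dicts are constructed stand-ins
for values you would read off a router's admin page; the key names are assumptions,
not any vendor's settings API.
"""
import re

# Strength order of the wireless encryption modes discussed in the text.
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

# Strings that give away the router's make or model when left in the SSID (constructed list).
VENDOR_HINTS = ("linksys", "netgear", "d-link", "dlink", "tp-link", "asus", "xfinity", "wrt54g")

# Published default logins; the Linksys example in the text is a blank user and "admin".
DEFAULT_CREDENTIALS = {("", "admin"), ("admin", "admin"), ("admin", "password")}


def audit_router(config):
    """Return a list of (severity, message) findings; an empty list means every check passed."""
    findings = []

    ssid = config.get("ssid", "")
    # A vendor name or a model-number pattern such as "WRT54GL" identifies the hardware.
    if any(h in ssid.lower() for h in VENDOR_HINTS) or re.search(r"[A-Z]{2,}\d{2,}", ssid):
        findings.append(("high", f"SSID {ssid!r} reveals the router make/model; rename it"))

    if (config.get("admin_user", ""), config.get("admin_password", "")) in DEFAULT_CREDENTIALS:
        findings.append(("critical", "admin login is a published default; change it"))

    enc = config.get("encryption", "none").lower()
    if ENCRYPTION_RANK.get(enc, 0) < ENCRYPTION_RANK["wpa2"]:
        findings.append(("critical", f"wireless encryption is {enc.upper()}; use WPA2"))

    if enc != "none" and len(config.get("wifi_passphrase", "")) < 15:
        findings.append(("high", "Wi-Fi passphrase is shorter than 15 characters"))

    if config.get("wps_enabled", False):
        findings.append(("high", "WPS is enabled; turn it off"))

    if config.get("firmware_update_available", False):
        findings.append(("medium", "newer firmware is available; install it"))

    return findings


def strongest_common_mode(device_modes):
    """Pick the strongest mode every client supports (the weakest-link rule) and name the laggards.

    device_modes maps a device name to the encryption modes it supports. Returns
    (mode, devices_without_wpa2); mode is None if no single mode fits all devices.
    """
    supported = [{m.lower() for m in modes} for modes in device_modes.values()]
    common = set.intersection(*supported) if supported else set()
    best = max(common, key=lambda m: ENCRYPTION_RANK.get(m, 0)) if common else None
    laggards = [name for name, modes in device_modes.items()
                if "wpa2" not in {m.lower() for m in modes}]
    return best, laggards


# Constructed configurations: factory defaults versus the settings the text recommends.
FACTORY_CONFIG = {
    "ssid": "Linksys WRT54GL", "admin_user": "", "admin_password": "admin",
    "encryption": "wep", "wifi_passphrase": "", "wps_enabled": True,
    "firmware_update_available": True,
}
HARDENED_CONFIG = {
    "ssid": "HP Inkjet", "admin_user": "owner", "admin_password": "example-long-admin-secret-2016",
    "encryption": "wpa2", "wifi_passphrase": "sixteen-char-home-wifi-phrase", "wps_enabled": False,
    "firmware_update_available": False,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg) or "OK")
    print(strongest_common_mode({"laptop": {"wpa", "wpa2"}, "old printer": {"wep", "wpa"}}))
```

The `strongest_common_mode` result is the practical meaning of "max out the oldest device": if one printer only speaks WEP or WPA, the whole network is held at that level until the device is upgraded or replaced, so the function names the laggards rather than silently lowering the setting.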
So you have prevented, through the use of encryption and strong passwords, the use of your home wireless router network by others. Does that mean that no one can get inside your home network or even digitally see inside your home? Not entirely.
When high school sophomore Blake Robbins was called into the principal’s office of his suburban Philadelphia school, he had no idea he was about to be reprimanded for “improper behavior”—at home. The Lower Merion School District, outside Philadelphia, had given all its high school students, including Robbins, new MacBooks to use for their course work. What the school district didn’t tell the students was that software designed to recover the devices in the event they were lost could also be used to monitor all 2,300 students’ behavior while they were in view of the laptops’ webcams.
Robbins’s alleged offense? Pill popping. The Robbins family, through their lawyer, maintained all along that the boy was simply eating Mike and Ike candy while doing his homework.
Why was this even an issue?
The school district maintains it activated the theft-tracking software only after one of its laptops was stolen. Theft-tracking software works like this: when someone using the software reports that his or her laptop has been stolen, the school can log on to a website and see images from the stolen laptop’s webcam as well as hear sounds from the microphone. A school administrator could then monitor the laptop and take pictures as needed. This way the device can be located and returned and the guilty party can be identified. However, in this case it was alleged that school officials were turning on this feature to spy on the students while they were at home.
The webcam on Robbins’s school-issued Mac laptop recorded hundreds of photos, including some of the boy asleep in his bed. For other students it was worse. According to court testimony, the school had even more pictures of some students, a few of whom were “partially undressed.” This might have continued unnoticed by the students had Robbins not been reprimanded for something he allegedly did at home.
Robbins, along with a former student, Jalil Hasan—who had nearly five hundred images taken of him and four hundred images of his computer screen captured, revealing his online activity and the sites he visited—sued the school district. Robbins received $175,000 and Hasan $10,000.11 The district also paid almost half a million dollars to cover the boys’ legal expenses. In total the school district had to pay out, through its insurer, around $1.4 million.
It’s easy for malicious software to activate the webcam and microphone on a traditional PC without the user knowing it. And this is true on a mobile device as well. In this case it was a deliberate action. But all too often it is not. One quick fix is to put tape over the webcam on your laptop until you intend to use it again.
In the fall of 2014, Sophie Curtis, a reporter for the London-based Telegraph, received a LinkedIn connection request in an e-mail that appeared to come from someone who worked at her newspaper. It was the kind of e-mail that Sophie received all the time, and as a professional courtesy she didn’t think twice about accepting it from a colleague. A couple of weeks later she received an e-mail that appeared to be from an anonymous whistle-blower organization that was about to release sensitive documents. As a reporter who had covered groups such as Anonymous and WikiLeaks, she had received e-mails like this before, and she was curious about the request. The file attachment looked like a standard file, so she clicked to open it.
Immediately she realized something was wrong. Windows Defender, the security program that comes with every copy of Windows, started issuing warnings on her desktop. And the warnings kept piling up on the screen.
Curtis, like a lot of people today, had been tricked into clicking on an attachment that she thought was an ordinary file. While pretending to have information she wanted to see, the file downloaded and unpacked a series of other files that allowed the remote attacker to take complete control over her computer. The malicious software even took a picture of her with her own webcam. In it her face bears a look of sheer frustration as she tries to understand how someone could’ve taken over her computer.
Actually Curtis knew full well who had taken over her computer. As an experiment, a few months earlier she had hired a penetration tester, or pen tester. Someone like me. Individuals and companies hire professional hackers to try to break into a company’s computer network to see where they need fortification. In Curtis’s case, the process was spread out over several months.
At the start of jobs like this, I always try to get as much information about the client as I can. I spend time learning about his or her life and online habits. I track the client’s public posts to Twitter, Facebook, and, yes, even LinkedIn. Which is exactly what Sophie Curtis’s pen tester did. Amid all her e-mails was one carefully constructed message—the first one sent by her pen tester. The pen tester knew that she worked as a reporter and knew that she was open to e-mail solicitations from previously unknown individuals. In that first case Curtis later wrote that there was not enough context for her to be interested in interviewing a particular person for a future story. But she was impressed by the amount of research the hacker and his colleagues at the security company did.
Curtis said: “They were able to use Twitter to find out my work e-mail address, as well as some of my recent locations and the name of a regular social night I attend with other journalists. From objects in the background of one of the photos I had posted on Twitter they were able to discover what mobile phone I used to use, and the fact that my fiancé used to smoke roll-ups (it was an old photo), as well as the fact he likes cycling.”12 Any one of these details could have been the basis for another e-mail.
There’s also a new Artificial Intelligence–based tool announced at the DEF CON 2016 conference that will analyze a target’s tweets. It will then construct a spear-phishing e-mail based on their personal interests.13 So be careful when clicking links within a tweet.
Indeed, often it is the little things—the odd comment posted here or there, the unique knickknack on the shelf behind you in a photo, the T-shirt from a camp you once attended—that provide crucial personal information that you would never have intended to share publicly. We may consider these one-off moments harmless, but the more details an attacker can learn about you, the better he can trick you into opening up e-mail attachments, and take over your online world.
Curtis points out that the pen-test team ended their attack there. Had they been real criminal hackers, the fun and games might have continued for some time, perhaps with the bad guys gaining access to her social media accounts, her office network at the Telegraph, even her financial accounts. And most likely they would have done it in such a way that Curtis might not have known her computer had been compromised; most attacks do not immediately trigger Windows Defender or antivirus software. Some attackers get in and persist for months or years before the user has any clue that he or she has been hacked. And it’s not just your laptop: an e-mail-triggered attack could also be launched from a jailbroken iPhone or an Android mobile device.
While Google and other e-mail providers scan your messages to prevent the transmission of malware and the spread of online pornography—and to collect advertising data—they do not necessarily scan for fraud. Like privacy, the standard for which, as I’ve said, is different for everyone, fraud is hard to quantify. And we don’t always recognize it, even when it’s staring us in the face.
Within the body of Curtis’s fake LinkedIn e-mail was a one-by-one-pixel image, a tiny dot, invisible to the eye, like those I said could be found on websites and used to track you online. When that tiny dot calls out, it tells a tracking server in a remote location, which could be anywhere in the world, what time you opened the e-mail, how long it remained on the screen, and on what device you opened it. It can also tell whether you saved, forwarded, or deleted the message. In addition, if the scenario used by the pen-test team had been real, the attacker might have included a link through which Curtis could have visited a fake LinkedIn page. This page would resemble a real one in every respect except that it would be hosted on a different server, perhaps in another country.
For an advertiser, this Web bug can be used to gather information about (and therefore profile) the recipient. For attackers, it can be used to obtain the technical details they need to design their next attack, which would include a way to get inside your computer. For example, if you are running an old version of a browser, there may be bugs that can be exploited.
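A Web bug is simply a remote image that the mail client fetches when the message is rendered, so it can be recognized before that fetch happens. The Python script below is an added example, not from the book or from any mail product: it parses a constructed HTML e-mail modelled on the fake connection request described above and flags remote images that are sized or styled to be invisible, reporting the query string that makes the hit identify one recipient. The domain names in the sample use the reserved `.invalid` suffix and stand in for no real service.

```python
"""Flag likely tracking pixels (Web bugs) in an HTML e-mail before remote images load.

Added example, not from the book. The message below is constructed; its domain
names use the reserved .invalid suffix and stand in for no real service.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a fake "connection request" e-mail.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi Sophie, I'd like to add you to my professional network.</p>
<img src="https://cdn.example-social.invalid/logo.png" width="120" height="40" alt="logo">
<p><a href="https://connect.example-social.invalid/accept?u=1234">Accept invitation</a></p>
<img src="https://t.tracker-example.invalid/open?id=9f8e7d6c&amp;rcpt=sophie"
     width="1" height="1" style="display:none">
<img src="cid:signature.png" width="1" height="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as "1" or "1px"; None if absent or unparseable."""
    if not value:
        return None
    try:
        return int(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


def find_tracking_pixels(html):
    """Return the remote images that are sized or styled to be invisible, with the reasons."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded in the message; they cannot phone home
        reasons = []
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 image")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            continue  # a visible remote image is ordinary e-mail content
        if url.query:
            reasons.append("per-recipient query string")  # the part that says who opened it
        hits.append({"host": url.netloc, "url": src, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(hit["host"], hit["reasons"])
```

The same logic is why "do not load remote images" in a mail client is an effective setting: the beacon only reports back if the image is fetched, and the heuristics above simply make visible which images would have done the reporting.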
So the second e-mail Curtis received from the pen testers included an attachment, a compressed document set to exploit a vulnerability in the software that was used to open the file (e.g., Adobe Acrobat). When we speak of malware, most people think of the computer viruses of the early 2000s, when a single infected e-mail could spread additional infected e-mails to everyone on a contact list. These types of mass-infection attacks are less common today, in part because of changes to e-mail software itself. Instead the most dangerous malware today is much more subtle and often targeted and tailored to an individual. As it was in the case of Sophie Curtis. The pen testers used a special form of phishing called spear phishing, designed to target a specific person.
Phishing is the criminally fraudulent process of trying to obtain sensitive information such as usernames, passwords, and credit card or bank information. It has been used against CFOs who are duped into wiring large sums of money because the “CEO” has authorized the transfer. Usually, the phishing e-mail or text message includes an action item such as clicking a link or opening up an attachment. In Curtis’s case the intent was to plant malware on her computer for the purpose of illustrating how easy it is for someone to do this.
One of the most famous phishing schemes was Operation Aurora, in which a phishing e-mail was sent to Chinese employees of Google. The idea was to infect their machines in China in order to gain access to the internal network at Google’s world headquarters, in Mountain View, California. This the attackers did, getting dangerously close to the source code for Google’s search engine. Google wasn’t alone. Companies such as Adobe reported similar intrusions. As a result Google briefly pulled its operations from China.14
Whenever we get a LinkedIn or Facebook request, our guard is down. Perhaps because we trust those sites, we also trust their e-mail messages. And yet, as we have seen, anyone can craft a message that looks legitimate. In person, we can usually sense when someone is wearing a fake mustache or hair implants or speaking in a false voice; we have centuries’ worth of evolutionary instincts to help us detect deception without thinking about it. Those instincts don’t apply online, at least not for most of us. Sophie Curtis was a reporter; it was her job to be curious and skeptical, to follow leads and check facts. She could have looked through the Telegraph’s employee list to see who the person on LinkedIn was and learned that the e-mail was probably fake. But she didn’t. And the reality is that most of us are equally unguarded.
An attacker who is phishing will have some but not all of your personal information—the little bit he has serves as his bait. For example, a phisher might send you an e-mail including the last four digits of your credit card number to establish trust, then go on to ask for even more information. Sometimes the four digits are incorrect, and the phisher will ask that you make any necessary corrections in your response. Don’t do it. In short, don’t interact with a phisher. In general do not respond to any requests for personal information, even if they seem trustworthy. Instead, contact the requester in a separate e-mail (if you have the address) or text (if you have the cell-phone number).
The more concerning phishing attack is one that’s used to trick a target into doing an action item that directly exploits his or her computer, giving the attacker full control. That’s what I do in social engineering engagements. Credential harvesting is also a popular line of attack, where a person’s username and password are captured, but the real danger of spear phishing is gaining access to the target’s computer system and network.
What if you did interact with a phisher and as a result lost all the data—all the personal photographs and private documents—on your infected PC or mobile device? That’s what happened to author Alina Simone’s mother. Writing in the New York Times, Simone described what it was like for her mother—who was not technologically inclined—to be up against a sophisticated enemy who was using something called ransomware.15
In 2014 a wave of extortionist malware hit the Internet, targeting individuals and corporations alike. Cryptowall is one example: it encrypts your entire hard drive, locking you out of every file until you pay the attacker to give you the key to unlock your files. Unless you have a full backup, the contents of your traditional PC or Android device will be inaccessible until you pay the ransom.
Don’t want to pay? The extortion letter that appears on the display screen states that the key to unlock the files will be destroyed within a certain amount of time. Often there is a countdown clock included. If you don’t pay, the deadline is sometimes extended, although the price increases with each delay.
In general you should avoid clicking on e-mail attachments (unless you open them in Google Quick View or Google Docs). Still, there are other ways in which Cryptowall spreads—banner ads on websites, for example. Just viewing a page with an infected banner ad can infect your traditional PC—this is called a drive-by because you didn’t actively click on the ad. Here’s where having ad-removal plug-ins such as Adblock Plus in your browser is really effective.
In the first six months of 2015, the FBI’s Internet Crime Complaint Center (IC3) recorded nearly one thousand cases of Cryptowall 3.0, with losses estimated to be around $18 million. This figure includes ransom that was paid, the cost to IT departments and repair shops, and lost productivity. In some cases the encrypted files contain personally identifiable information such as Social Security numbers, which may qualify the attack as a data breach and thus incur more costs.
Although the key to unlock the files can always be purchased for a flat fee of $500 to $1000, those who are infected typically try other means—such as breaking the encryption themselves—to remove the ransomware. That’s what Simone’s mother tried. When she finally called her daughter, they were almost out of time.
Almost everyone who tries to break the ransomware encryption fails. The encryption is really strong and requires more powerful computers and more time to break it than most people have at their disposal. So the victims usually pay. According to Simone, the Dickson County, Tennessee, sheriff’s office paid in November 2014 a Cryptowall ransom to unlock 72,000 autopsy reports, witness statements, crime scene photographs, and other documents.
The hackers often demand payment in Bitcoin, meaning that many average people will have a hard time paying.16 Bitcoin, as I mentioned, is a decentralized, peer-to-peer virtual currency, and most people do not have Bitcoin wallets available for withdrawal.
Throughout the Times piece, Simone reminds readers that they should never pay the ransom—yet she did just that in the end. In fact the FBI now advises people whose computers are infected with ransomware to simply pay up. Joseph Bonavolonta, the assistant special agent in charge of the FBI’s cyber and counterintelligence program in Boston, said, “To be honest, we often advise people just to pay the ransom.” He said not even the FBI is able to crack the ultrasecure encryption used by the ransomware authors, and he added that because so many people have paid the attackers, the $500 cost has remained fairly consistent over the years.17 The FBI later came out to say it’s up to the individual companies to decide whether to pay or contact other security professionals.
Simone’s mother, who had never purchased an app in her life, called her daughter at the eleventh hour only because she needed to figure out how to pay with the virtual currency. Simone said she found a Bitcoin ATM in Manhattan from which, after a software glitch and a service call to the ATM owner, she ultimately made the payment. At that day’s exchange rate, each Bitcoin was a bit more than $500.
Whether these extortionists receive their payment in Bitcoin or in cash, they remain anonymous, although technically there are ways of tracing both forms of payment. Transactions conducted online using Bitcoin can be connected to the purchaser—but not easily. The question is, who is going to put forth the time and effort to pursue these criminals?
In the next chapter I will describe what can happen when you connect to the Internet via public Wi-Fi. From a privacy perspective you want the anonymity of a public Wi-Fi but at the same time you will need to take precautions.