Jason Palmer, CPA, CITP

Cyber Insurance Auditing


Hurricane Tech – Keeping the Lights On with a Portable Generator

November 23, 2012 By Jason Palmer 4 Comments

“You never really appreciate something until it is gone” has never been truer than when the Power goes out and you are sitting in the dark.  Fully charged notebook computers, cell phones, iPads, tablet computers, battery backed up telephone service, uninterruptible power supplies, and flashlights will only get you so far.  When the batteries run down, your technology and communications go dark and without electricity, it might as well be the Stone Age.

Without Power, the food in your Refrigerator and Freezer is at risk to spoil.  Even if you have a heating system that uses a pilot light, without electricity, there is nothing to power the circulator pumps (hydrostatic baseboard or radiator) or fan (forced hot air.)  Many modern day gas ovens and gas stoves have shifted to electronic ignition start which also requires electricity.  At least with a gas stove burner, you can light it with a match but usually not the gas oven.

One saving grace of Natural Gas is that if you have a gas fired hot water heater with a pilot light, you will usually have Hot Water assuming your water is gravity fed and does not rely on a pump as it does in many apartment buildings.

Solution – A portable generator which runs on either gasoline or liquid propane.  Gasoline powered portable generators are the most common and are the focus of this article.

With a reasonably sized portable generator rated at 5,500 watts or more (preferably with an approximate 50% surge starting watts rating of about 8,500 watts), you can easily power a Refrigerator, Freezer, Heating System, a Flat Panel 46” TV Set, (up to 3,000 watts for these four items), Cable/FiOS Set-top Box/Internet Modem/Router, a Computer, charge your portable electronic devices, and a few lights (which add another 1,500 to 2,000 watts for these remaining items.)  This is an estimate based on a combined average continuous wattage load (the amount of electricity required to keep the devices on and running) and surge starting watts which is the additional energy required for the compressors in the Refrigerator and Freezer or fan motor in the Heating System to start.

I know this from my personal experience as during the aftermath of Hurricane/Tropical Storm Sandy, I had a Generac Wheelhouse 5,500 watt Generator with 8,500 surge watts and had all of the above running for eight days.

IMPORTANT:  A portable generator is an emergency, temporary installation and you should only connect the minimum number of devices necessary for “life safety” and bare bones comfort.  A 5,500 watt portable generator provides only about 10% to 15% of the amount of electricity normally provided to your home by the Utility Company.

NOTE:  The average amount of watts required to run various appliances and devices can usually be found on a chart in the user’s manual of the generator or on the Internet.

My generator had a five gallon fuel tank.  With all of the above running mostly 24/7, the burn rate of fuel was approximately one gallon every 1.5 to 2 hours.  More specifically, with the tank topped off so its actual capacity was slightly more than five gallons, I had to add fuel about every ten hours.  That is a burn rate of about 96 gallons per seven days. (7 days x 24 hours ÷ 1.75 hours/gallon.)

Most quality portable generators are rated to run “24 hours straight, 7 days a week” without issue – provided that proper maintenance is performed.  It is usually recommended that the Oil level be checked at least daily and be changed every 24 to a maximum of 48 hours especially when running the generator continuously – as I did during the power outage.  Selecting the proper grade and viscosity of Oil for winter (in my case a 5W30) or summer (an SAE 30) can make all the difference between the generator starting on the “first pull” (if pull start) or “the press of the starter button” (if electric start) or not starting at all.  (Tip:  If your generator fuel tank has a vent cap, it should be open when operating.)

NOTE: Each engine manufacturer has specific recommendations for Oil and Fluids.  Make sure to READ THE MAINTENANCE MANUAL for the proper fluid specifications!

Observation and math become very important in “keeping the lights on” and maintaining peak performance of the generator.  You need to track the run-time which is the number of hours the generator is on for proper maintenance, the fuel consumption which is the amount of gas the generator is burning per hour based on the load, (the amount of electricity your home is using), and the amount of gas you have remaining to determine how long you actually can “keep the lights on.”   Load will not be constant and the amount of fuel the generator is burning can vary throughout the day depending on what devices are in use and being powered by the generator.

To put this in perspective, for my house, each day required approximately 13 to 15 gallons of gasoline which is three, five gallon containers per day.  Given that a Storm can last a full day or two, and that you may not be able to get out the day after the Storm, as was the case with Sandy, you would need to have about 36 gallons of gas on-hand to last the three days.

Yes, that means that I had seven, five gallon containers filled with gasoline on the day before Hurricane/Tropical Storm Sandy arrived. The Long Island Power Authority made it clear that not only were they virtually guaranteeing the loss of power but that “power could be out for up to five or ten days.”  Keep in mind, as the Northeast experienced, when you don’t have power, it is highly probable that the gas station does not have power either.  And, to make matters worse, the Refineries, Storage Depots, and Delivery System Infrastructure were all affected by the Storm, compounding the crisis.

Again as seen in the Northeast after both Hurricane Irene and Hurricane/Tropical Storm Sandy, many people did not heed the warning that Power would be disrupted and waited until AFTER they lost power to go looking for a generator.  Obviously, there were shortages of generators, gas cans, and the most important commodity, the gas itself.

If you cannot evacuate to a Shelter and you cannot afford to have all of your food spoil, the time to purchase a portable generator is BEFORE the Storm.  Make sure you have enough fuel for two to three days along with Oil and Fluids to maintain the generator properly.

Having a portable generator can make a widespread power outage an inconvenience instead of a potentially serious life threatening situation.

CRITICAL SAFETY NOTE:  Connecting devices to the generator that have standard electrical plugs, the type that fit in to the outlets in your home, can be done safely with properly rated 12 gauge grounded (three prong) extension cords.  Just unplug the device from the wall outlet and plug in to the extension cord. Follow all manufacturer instructions and load ratings!

CONNECTING YOUR HEATING SYSTEM MAY REQUIRE THE ASSISTANCE OF A LICENSED, PROFESSIONAL ELECTRICIAN TO INSTALL A SPECIAL TRANSFER SWITCH.  FAILURE TO MAKE PROPER AND SAFE CONNECTIONS TO THE GENERATOR MAY RESULT IN RISK OF FIRE, SERIOUS INJURY, OR DEATH.

Filed Under: Disaster Planning, Tech in Plain English Tagged With: Average house electrical load, Backup Power, Gas Generator, Generators, Loss of Power, Portable Generator, Power Outage

Hurricane Tech – Uninterruptible Power Supplies

November 21, 2012 By Jason Palmer Leave a Comment

An Uninterruptible Power Supply, or UPS, provides electrical power to a device when Utility Power fails.  It does this by using an inverter that converts the direct current (DC) provided by a series of Batteries in to alternating current (AC), the type found in the electrical outlets in your home or office.

There are two basic types of UPS devices:

A Stand-by UPS, which has a 2ms to 4ms delay in sensing loss of Utility Power and switching over from the Utility Power to Battery Power for the protected equipment; and a True On-line UPS, where instead of a Switch between the Utility Power and the Battery Power, the UPS is always providing perfectly filtered Battery Power to the protected equipment. (i.e. a Computer, Router, Network Switch, etc.)

In an On-line UPS, the Utility Power continuously charges the Battery that in turn sends electrical current through the Inverter to the protected equipment.  Think straight line:  Utility Power, Battery, Inverter, Protected Equipment for an On-line UPS.  For a Stand-by UPS, think of a fork in the road: Utility Power OR Battery Power to Inverter to the Protected Equipment.

The key advantage of a True On-line UPS is that since the power to the protected equipment is always passing through the Battery to the Inverter, the quality of the power is stable and perfect.  This can be especially important when your Power Source is unstable, such as that produced by a Generator instead of normal Utility Power.

A Stand-by UPS is suitable for infrequent Utility Power Outages as a fail-safe to allow you time to properly shut-down your Computer – either automatically if supported by the software of the UPS or manually by you.  Or, to keep protected equipment, like a phone system, operational until the Batteries in the UPS run down.

Most Stand-By UPS units do NOT have any form of Power Conditioning.  This means that if you are in an area with frequent Utility Power fluctuations, as in the lights in your home or office “dim” or appear to oscillate throughout the day, your equipment is getting “dirty power.”  This potentially damages the electronics in your equipment and may cause premature failure.  If the Utility Power actually dips below a certain level for a few milliseconds, the Stand-by UPS will kick in and flip over to Battery Power.  One specific thing to watch for is if you hear the Stand-by UPS frequently cycling between Utility Power and Battery Power.  When a UPS is “on-battery” usually there is a visual indicator, an audible alarm, and most certainly a soft “hum” from the Inverter.

As stated, electricity produced by a Generator is very dirty.  The power output of the Generator is significantly affected by the amount of load placed on the Generator.  The more devices you have plugged in, the greater the draw of electricity or load, the harder the Generator has to work, the greater the fluctuation in the quality of power.  The same visual effect can be seen with lights attached to a Generator.  When a heavy load device, such as a Refrigerator, Freezer, or Air Conditioner, being powered by a Generator turns-on, you can audibly hear the Generator increase in speed to attempt to produce a higher “Surge” output of electricity to meet the demand.  At the same time, you can see the lights dim or if you have a computer monitor or TV Set, the picture momentarily flicker.

To counteract the “dirty power” effect of a Generator, always use a True On-line UPS which will provide power conditioning and filtering to provide “clean power” to protect your most critical and expensive electronic devices.  This would include Flat Panel TV’s, Internet Routers, Network Switches, Set-Top Boxes, Phone Systems, and Desktop or Server Computers.

When using a Generator as the Power Source, reserve the use of a Stand-by UPS for any device that has a charger, like a Notebook Computer or Phone Charger where you want to be able to continue to charge the devices when the Generator is off for maintenance or refueling.  A Stand-By UPS is also useful for temporary Lighting and non-critical, low draw loads, such as the electronic starter on a Gas Range, a Hot Water Heater, or a Thermostat.

The only exception to the above is for mechanical loads such as Refrigerators, Freezers, Air Conditioners and Forced Air Heating/Cooling Systems.  Or, in the case of Electronics, high load devices like Laser Printers, Copiers, and Fax Machines.  In general, these devices should never be plugged in to Uninterruptible Power Supply units unless the UPS is specifically designed to handle these types of higher demand loads.  These devices should be plugged directly in to the Power Source, either Utility Power or the Generator.

Filed Under: Disaster Planning, Tech in Plain English Tagged With: Battery Power, Inverter, On-line UPS, Power Conditioning, Stand-by UPS, Uninterruptable Power Supplies, Uninterruptible Power Supply, Utility Power

Hurricane Tech – Advantage of Verizon FiOS vs Cablevision

November 20, 2012 By Jason Palmer Leave a Comment

One of the key advantages of having Verizon’s Fiber Optic Service (FiOS) for your Telephone service is that all of the equipment from the Central Telephone Office up to your home is completely powered by Verizon.  This is a significant difference from Cablevision which relies on the Utility Company to provide electricity to power its equipment on the Utility Poles.

When the Power goes out, Verizon is 100% self-reliant.  Verizon takes responsibility for making sure that all of its FiOS transmission equipment is properly powered by using a combination of backup electrical generators and battery backup units.  Verizon trucks will periodically visit Transmission equipment locations to re-charge batteries so that equipment stays fully operational when Utility power is out.  Even if it is days before Utility power is restored, there is a high degree of probability, short of physical damage to the FiOS transmission lines, that FiOS Services will stay operational.

With Cablevision, all Services start to fail shortly after Utility power is lost as the batteries in the Transmission Equipment drain to zero.  Once the Cablevision equipment batteries run-down, Services cannot be restored until Utility Power is restored.  (This is true for most Cable Providers, not just Cablevision.)

Important Note:  In both the case of Verizon FiOS and Cablevision, there is a piece of equipment installed in your home or office that requires “electricity” to work.  In the case of Verizon FiOS, this is called an “O.N.T.” or Optical Network Terminal.  For Cablevision, this is usually a Cable Modem.  (This is true for most Cable Providers, not just Cablevision.)

As discussed in my article, “Hurricane Tech – Powering your Land Line Phone Service”, with a properly installed Backup Battery, Telephone Service will remain operational, on average, for up to eight hours provided that your respective provider: Verizon FiOS or Cablevision has their Transmission Equipment powered and functioning.  If you add a decent size Uninterruptible Power Supply (UPS) of approximately a 1,500watt rating, you may get almost a full twelve hours of Internet and TV Service in addition to the Telephone service.

Case in point:  During Hurricane Irene, I lost power and even though I had a Generator to power my Cable Modem, within a few hours all of my Cablevision Services failed – No Telephone, No TV, No Internet – because Cablevision relies on Utility Power for its Transmission equipment on the poles.  My Cable modem had power but the Transmission facilities between my home and Cablevision were dead.

In the aftermath of Hurricane Irene, even though power was out for several days, my neighbors who had Generators had their Verizon FiOS Telephone, TV, and Internet without issue.  In my case, even when Utility Power was restored it was another week before Cablevision services returned.

Considering the connected world I live in and the fact that I am in the “Technology Consulting” business, I thought it would make sense to hedge my bets against the next natural disaster and install Verizon FiOS alongside Cablevision so that I would have both for redundancy.  I had no idea at the time of my decision how fortuitous a move that would be.

On October 18th, 2012, just two weeks before Hurricane/Tropical Storm Sandy hit, I had the Verizon FiOS Ultimate Triple Play deal installed.  In the middle of Sandy, at approximately 9:30am on Monday, October 29th, my super reliable, traditional Copper Telephone Service, that usually always survives severe storms, failed.  It was not until around 5:45pm that Utility Power failed.  Since my phone system had a battery backup unit, as did my Verizon FiOS and Cable modem, I still had Telephone Service.  I powered up the Portable Gasoline powered Generator and TV and Internet immediately returned on my Verizon FiOS set-top box and Internet Router.  As expected, my Cablevision TV and Internet service had failed.

Remarkably, even though our area was without Utility power for over eight days, Verizon FiOS remained fully operational and completely without issue.  It was not until Utility Power was restored that any Cablevision services returned (TV, Phone, Internet) and then once they did, they went out the following day again for another twelve hours.

The reason Verizon FiOS was operational was because Verizon completely controls the Power for its Transmission equipment and is 100% self-sufficient.  Again, it is important to note that I had a Generator to keep the Verizon FiOS equipment in my home, the ONT, “powered” with electricity.

The combination of an extremely robust infrastructure, as designed and built by Verizon, along with my own Disaster Recovery Preparedness, (a Generator), allowed me to stay fully “connected” to the outside world during Hurricane/Tropical Storm Sandy and beyond.  With a working Verizon FiOS Triple Play package of Phone, TV, and Internet – including WiFi, I was able to receive critical Life Safety information from News Stations as well as the Suffolk County and Huntington Township Telephone and Email Emergency Alert Communications.

Verizon FiOS – It’s the next best thing to the reliability of Copper.

Filed Under: Disaster Planning, Tech in Plain English Tagged With: Cable Modem, Cablevision, Disaster Recovery, FiOS, Generator, Land Line, ONT, Optical Network Terminal, Verizon FiOS

Hurricane Tech – Powering your Land Line Phone Service

November 19, 2012 By Jason Palmer 1 Comment

In the old days, Telephone Service was provided by a pair of copper wires that were directly connected between your home or office and the Telephone Company Central Office.  It was the responsibility of the Telephone Company Central Office to provide dial-tone, line voltage, and ring voltage to that copper pair – the power that made the phone work.  As many of us remember in the days before the Internet, even if the Utility Power was out, we could still make and receive phone calls.  Telephone sets had mechanical bells completely powered by the electricity provided from the Telephone Company Central Office.

Fast forward to the modern day and the POTS line (Plain Old Telephone Service – an affectionate name for traditional copper phone line service) is fast becoming extinct.  Cable companies are moving customers away from traditional analog copper and over to digital VoIP (Voice Over IP) services provided through a Cable Modem.  Voice is now a digital data service and an ATA (Analog Telephone Adapter – usually built in to the Cable Modem) converts that digital data in to the same two wire pair that your telephone can use.

As Cable companies convince you to give up your “almost guaranteed to work in a power outage POTS lines” they quietly tell you, “If you lose Utility Power, a battery in our Cable Modem will keep your phone working for between four and six hours.”  What they fail to remind you of is that if that Battery is not periodically checked to make sure it is properly charging and still functioning, when the Utility Power goes out, so will your telephone service.

To make matters worse, almost everyone uses either a cordless or corded phone that has a base station that requires electricity to operate.  Even if the Battery in the Cable Modem is providing Dial-Tone, it is of no value if your Telephone requires Utility Power to operate.

It is a catastrophe waiting to happen.  For those of you thinking, “Well I will just use my cell phone.”  In a severe storm, especially if Utility Power is off in the area, it will only be a matter of time before the Cell Towers lose power and exhaust their backup power sources and shut-down as well.  Even if the Cell Towers remain operational, your Cell Phone Battery will eventually run down.

Solution:  Proper Planning.

First – If you have your Telephone Service through a Cable Company, make sure that your Cable Modem, which usually provides your Telephone Service, has the “Power Failure Battery” installed.  If your Cable Modem provides Telephone Service and does NOT have a built in Battery Backup, ask the Cable Company to exchange out your equipment for a model that does have a Built-in Battery Backup. Note: Some Cable Companies provide a free UPS in place of a Built-in Battery Backup for the Cable Modem.

Second – If your Cable Modem already has a Built-in Battery Backup, make sure you check it at least once a month to verify that the Built-in Battery Backup is properly charging and functioning.  If you are not sure how to verify the health of the Battery, ask your Cable Company. Usually there will be a series of lights: Charging, On-Battery, and Replace Battery.

Third – Make sure you have a traditional Line Powered Telephone.  A Line Powered Telephone is one that does NOT have an electrical plug – only an RJ11 telephone “silver satin” cord that plugs in to the wall jack. It is O.K. if the phone takes batteries for functions like Caller ID.  NOTE:  Some phones that do require Utility Power A/C electricity have a “Power Failure” mode where even though the ringer may not ring, you can still pick-up the receiver and make an outbound telephone call.  This is not optimal but acceptable for being able to dial 911 for an emergency.

Fourth – As an alternative to the Built-in Battery for the Cable Modem and a Line Powered Telephone, you can purchase a decent size Uninterruptible Power Supply (UPS) Battery Backup Unit.  The higher the Wattage, the longer the unit will power your Cable Modem and Telephone Base Station – both of which have electrical plugs which can be connected directly to the UPS.  This may be an expensive option in that a 1500 Watt rated unit, which can power the above situation for four to six hours, can cost upwards of $200.  This also assumes that your Telephone and your Cable modem are in close proximity and can both reach the UPS to be plugged in.

In summary, if you do not have the luxury of having both Traditional POTS lines, that will work without Utility Power, and VoIP lines, then make sure you are able to provide some kind of Power (Internal Battery or UPS) to both your Cable Modem and to your Telephone to keep your VoIP service working.

Filed Under: Disaster Planning, Tech in Plain English Tagged With: Battery Backup, Cable Modem, Cable Telephone Service, Disaster Planning, Hurricane Tech, LandLine, POTS, UPS, VoIP

Securing your Home Network – Close the Ad-Hoc Wi-Fi® Backdoor

October 22, 2012 By Jason Palmer Leave a Comment

In an effort to make data sharing easy, many Wi-Fi® devices support both Infrastructure Mode connections and Ad-Hoc peer-to-peer connections.  Infrastructure mode is most common and is when a Wi-Fi® device connects directly to a Wi-Fi® Router or Access Point. (See my article on “Wi-Fi® – Wireless Router vs. Wireless Access Point.”)  There is another type of connection, known as an “Ad-Hoc” peer-to-peer connection which enables two Wi-Fi® capable devices to connect directly to each other without going through your Home or Office Wi-Fi® network.

Ad-Hoc peer-to-peer connections are very common with Apple Mac Computers, iPhones, and iPads.  Almost any two Apple devices will “find” each other automatically and, if security permissions are not set correctly, will immediately share their resources.  This will occur regardless of whether the Apple devices are connected over hard-wire Ethernet or Wi-Fi®.  Visible resources on your computer can include the entire hard drive, specific folders, external devices like printers and, specifically, access to your Home or Office Wi-Fi® network – which you may not intend to share.

When the Ad-Hoc sharing capability of a Wi-Fi® computer or device is configured properly, it can be beneficial as it is designed to allow guests to access your Printer.  In addition, Ad-Hoc peer-to-peer networking may be enabled to share a PUBLIC folder specifically to allow for the exchange of documents, photos, and files.

The security risk is that if you have a computer attached to your Home or Office network and the Wi-Fi® Ad-Hoc peer-to-peer network support is turned “On” without any security engaged, you risk unauthorized access to your files and Network.  Both Mac and Windows based Computers as well as many other Tablets, Smartphones, Printers, and Wi-Fi® enabled devices support Ad-Hoc Wi-Fi® peer-to-peer networks.  In fact, many Wi-Fi® enabled printers make Ad-Hoc connections directly to the Computer bypassing your Home or Office Wi-Fi® network completely.  Printer manufacturers do this as it eliminates the need to know your Wi-Fi® SSID (network name) and access password.  The Printer setup software takes care of creating the connection from the printer to each computer via an Ad-Hoc peer-to-peer network without any assistance from the user.

Protecting yourself and your network is easy:  Unless you specifically need Ad-Hoc peer-to-peer network support on your computer, TURN IT OFF!  The risk is not just from someone connecting to your Computer or Wi-Fi® enabled device while in your Home or Office, but anywhere.

The next time you are in a public place with many Wi-Fi® users around you, look closely at the “Available Wireless Networks” list of networks you can join.  Notice that many will say “Ad-Hoc.”  Each of these Computers or Wi-Fi® enabled devices is at risk for having almost anyone potentially access the data on the device especially if the Security options have not been properly configured.  Any network listed that has a “lock” symbol or says it is “closed” is properly secured.

To turn-off or configure Ad-Hoc peer-to-peer network, do the following:

On a Mac, go to “System Preferences” – “Sharing” and UN-CHECK all of the boxes.  If you do require sharing of resources such as Files, the DVD Drive, or Printers, then make sure to properly configure Group or User level access to these resources.

On a PC running Windows XP, go to “Network Connections” – the “Wireless Connection” – “Advanced” “Networks to Access” options and click the Radio Button “Allow Access Point – Infrastructure Networks Only.”  (This is the same general section to both create and share the Resources from your Windows XP computer via an Ad-Hoc peer-to-peer network as well as to restrict your ability to connect to one.)  For Windows 7, go to “Control Panel” and select “Manage Wireless Networks” and the instructions are similar.  Using your favorite Search Engine, use the term “ad-hoc networks Windows XP” (or Windows 7) to find numerous tutorials.

Summary:  Turn off “Ad-Hoc” peer-to-peer networking unless you absolutely need it.  If you do need it, make sure to review which resources are shared and properly secure the guest access, specific user name, or group with a strong, complex password. (See my article, “A Complex Password may not be a Strong Password.”)

Filed Under: Networking, Security, Tech in Plain English Tagged With: Ad-Hoc, Ad-Hoc Networking, Ad-Hoc WiFi, Peer-to-Peer, WiFi Security

Securing the Home Network – Wi-Fi® Protected Setup™

October 4, 2012 By Jason Palmer Leave a Comment

Almost every modern day Wi-Fi® Router and Access Point supports Wi-Fi® Protected Setup™ which is an optional hardware method for quickly enabling security on a Wi-Fi® network.  As you may recall, you have the option of manually naming your network with an SSID (Service Set Identifier) and specifying the specific password to be used by devices to connect. (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Using the hardware based Wi-Fi® Protected Setup™ can be much faster than going in to the setup pages of the Router or Access Point.  It is far simpler and easier to “press a button” than to have to navigate through the configuration screens or even use a vendor provided setup program.  This does assume that all of the Internet enabled devices that you want to connect to your Wi-Fi® network support the Wi-Fi® Protected Setup™ feature.

To create a secure connection using Wi-Fi® Protected Setup™, you press a button (appropriately marked on the Router or Access Point), it usually flashes for a short period of time and then you press the equivalent Wi-Fi® Protected Setup™ button on your Internet enabled device or click on a soft button in the configuration screen of your Internet enabled device. Either way, in a matter of minutes, you have created a random SSID (network name) and random passphrase using WPA2 secure encryption to create a connection between your Router or Access Point and your Internet enabled device.

An alternative implementation of the Wi-Fi® Protected Setup™ is a predetermined “Personal Identification Number” (PIN) code that is usually printed on a sticker on the Router or Access Point.  If the Internet enabled device you want to connect does not have a Wi-Fi® Protected Setup™, you can enter in the PIN code from the sticker on the Router or Access Point in to the appropriate setup screen and accomplish the same automated setup.

In some cases, especially with Verizon FiOS Wi-Fi® Routers, both the SSID (network name) and Password (Passphrase) are written on a sticker attached to the Router.  No additional configuration of the Router is necessary.  You simply enter in the predefined SSID and Password to your Internet enabled device (Home Computers, Printers, Cell Phones, Tablets, Gaming Computers and other Internet enabled devices like Blu-Ray Players and Internet enabled Flat Panel TV Sets), and you will be securely connected to your new Wi-Fi® network.

Security Note:  Unfortunately, in December 2011 a gentleman named Stefan Viehböck determined that the Wi-Fi® Protected Setup™ PIN could be guessed in a brute force attack of a Wi-Fi® Protected Setup™ Router or Access Point in an average of four hours.  This is due to a design flaw that enables an attacker to know when the first half of the eight digit PIN is correct.  Since there is no lockout after failed attempts at guessing the PIN, the attacker can more easily determine that the first half of the eight digit PIN is correct.  In addition, because the last digit is a checksum for the other seven digits, it takes only approximately 11,000 attempts to crack the PIN code completely.  For more details, read the United States Computer Emergency Response Team (CERT) Vulnerability Note VU#723755 and Alert (TA12-006A) “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack.”

It is for this reason that CERT recommends that Wi-Fi® Protected Setup™ NOT be used and that it be specifically “disabled” in the affected Routers and Access Points.  A few manufacturers have corrected the design flaw and updated the firmware (programming) in their Routers and Access Points but many have not.

Keep in mind that your Wi-Fi® Router or Access Point would have to be the target of a specific attack for this to be an issue.  More likely, you would be the target of someone randomly testing their hacking skills than of someone specifically trying to gain access to your home Wi-Fi® network.  The risk of your Wi-Fi® Protected Setup™ is minimal.  To be absolutely safe, turn off the “Wi-Fi® Protected Setup™” completely and manually configure your Wi-Fi® Network Security.  (See my article on “Securing the Home Network – Wi-Fi® Security.”)
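The arithmetic behind the 11,000-attempt figure in the Security Note, and what the missing lockout means for exposure time, worked through as an added example (not code from the original article or from any vendor). The check-digit routine follows the published WPS scheme; the per-attempt time is an assumption derived from the article's four-hour average, and the lockout policy shown is hypothetical.

```python
# Added example: models the WPS PIN keyspace described in the Security Note.
# Nothing here touches a network; every value is computed locally.


def wps_checksum(body7):
    """Check digit for the first seven digits of a WPS PIN.

    Digits are weighted 3,1,3,1,3,1,3 from the left; the check digit brings
    the weighted sum up to the next multiple of 10.
    """
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True if `pin` is eight ASCII digits and the eighth matches the checksum."""
    return (len(pin) == 8 and pin.isascii() and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


def count_valid_second_halves(first_half):
    """Of the 10,000 possible four-digit second halves, count those that pass
    the checksum for a given first half. Only 3 of the 4 digits are free."""
    return sum(is_valid_pin(first_half + f"{n:04d}") for n in range(10_000))


def keyspace():
    """Search-space sizes under each assumption about the PIN design."""
    return {
        "eight_free_digits": 10**8,         # if all eight digits were secret
        "with_checksum": 10**7,             # eighth digit is derived
        "first_half": 10**4,                # confirmed on its own (the flaw)
        "second_half": 10**3,               # three free digits + check digit
        "split_worst_case": 10**4 + 10**3,  # 11,000, as the article states
    }


def hours_to_exhaust(attempts, seconds_per_attempt,
                     lockout_after=None, lockout_seconds=0):
    """Hours needed to try `attempts` PINs. If `lockout_after` is set, the
    device pauses `lockout_seconds` after every that-many failed attempts."""
    lockouts = (attempts - 1) // lockout_after if lockout_after else 0
    total = attempts * seconds_per_attempt + lockouts * lockout_seconds
    return total / 3600


# Assumption: the article's "average of four hours" corresponds to half of
# the 11,000 worst-case attempts, which implies about 2.6 s per attempt.
SECONDS_PER_ATTEMPT = 4 * 3600 / (11_000 / 2)

if __name__ == "__main__":
    ks = keyspace()
    print("valid second halves for first half 1234:",
          count_valid_second_halves("1234"))
    print("worst-case attempts with the split flaw:", ks["split_worst_case"])
    print("worst case, no lockout (hours):",
          round(hours_to_exhaust(ks["split_worst_case"], SECONDS_PER_ATTEMPT), 1))
    # Hypothetical firmware policy: 60-second pause after every 3 failures.
    print("worst case, 60 s lockout per 3 failures (hours):",
          round(hours_to_exhaust(ks["split_worst_case"], SECONDS_PER_ATTEMPT,
                                 lockout_after=3, lockout_seconds=60), 1))
```

Even with the hypothetical lockout the 11,000-PIN space is exhausted in days rather than years, which is why the recommendation is to disable the feature rather than rely on rate limiting.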

Filed Under: Networking, Security, Tech in Plain English Tagged With: CERT Alert (TA12-006A), CERT VU#723755, SSID, wi fi, WiFi Protected Setup, WPA2, WPS

Securing the Home Network – Show me your MAC ID please

October 3, 2012 By Jason Palmer Leave a Comment

Every network device has a MAC (Media Access Control) address.  This unique twelve hexadecimal digit identifier is similar to either a phone number or social security number for your network equipment.  No two should ever be identical.  This number is usually stored permanently in the device.  It is usually displayed on a label on the device in the form of: 00:23:6C:7F:38:43 or it can be displayed in the network information screen of the device.

If you want added assurance that only devices with “proper id” are allowed on to your Wi-Fi® network, you can explicitly enter the MAC address of each of your Wi-Fi® connected network devices into your Wi-Fi® Router or Access Point, such as your Wi-Fi® (or Wired) Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet enabled Flat Panel TV Sets.

Even if a user has the proper SSID (Wi-Fi® Network Name) and Password, if the device’s MAC address is not listed in the table of “permitted MAC addresses” in your Router or Access Point, access will be denied and the device will not be able to connect.

The ability to configure MAC address restrictions is usually in the “Advanced Security Setup” area of your Router, Access Point, or Switch.  Almost all Wi-Fi® Routers and Access Points support MAC Address connection tables and restrictions.

Only higher end Wired Routers and Switches offering some form of Management have the MAC Address restriction capability.  Not to worry, the likelihood that someone you don’t know is directly plugging in via a “Wired” connection to your network in your home without your permission or knowledge is very small.

Technical Note:  In some cases, there are legitimate reasons why a network device would broadcast a MAC address different from the one permanently assigned.  This is called MAC Spoofing.  Some earlier Internet connection types required that the Cable or xDSL modem, the device that converts the signal from outside your home to Ethernet, be in “bridge” mode, or for all practical purposes, invisible.  In these situations, the Cable or xDSL modem would actually broadcast the MAC Address of your Computer instead of its own MAC Address.

Security Note:  MAC Spoofing can also be used for bad purposes, so a MAC Address permission table is not a foolproof security method.  It is just an added layer of security.  Even if you have a MAC Address permission table set for both your Wi-Fi® Router and any Access Points, almost anyone, with a reasonable amount of skill, can Spoof, or duplicate, a legitimate MAC address, which could allow them access to your Wi-Fi® network PROVIDED THAT they also know the correct SSID (network name) AND Password.  That is three layers of security instead of two.
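One way to audit a MAC Address permission table against the devices currently connected, as an added Python example that is not part of the original article.  The function names, the device names and every address except 00:23:6C:7F:38:43 are constructed for illustration; the connected-device list stands in for whatever your Router and Access Points display.

```python
import re
from collections import defaultdict


def normalize_mac(text: str) -> str:
    """Return a MAC as 'aa:bb:cc:dd:ee:ff'; accepts ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a twelve hexadecimal digit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_stations(allowed, stations):
    """Compare connected stations with the permission table.

    allowed:  MAC addresses entered in the permission table.
    stations: (device_name, mac) pairs for stations connected right now.
    Returns {mac: finding} for each address that needs a closer look.
    """
    allow = {normalize_mac(m) for m in allowed}
    seen_on = defaultdict(set)
    for device, mac in stations:
        seen_on[normalize_mac(mac)].add(device)

    findings = {}
    for mac, devices in sorted(seen_on.items()):
        if mac not in allow:
            findings[mac] = "not in permission table"
        elif len(devices) > 1:
            # One radio connects through one device at a time, so a permitted
            # address present on two at once hints at a duplicated address.
            findings[mac] = f"permitted, but connected through {len(devices)} devices at once"
    return findings


# Constructed sample data in the differing formats that labels and status pages use.
ALLOWED = ["00:23:6C:7F:38:43", "00-23-6C-7F-38-44"]
STATIONS = [
    ("router", "0023.6c7f.3843"),
    ("access-point", "00:23:6C:7F:38:43"),
    ("router", "00236C7F3844"),
    ("router", "00:23:6c:7f:38:99"),
]

if __name__ == "__main__":
    for mac, finding in audit_stations(ALLOWED, STATIONS).items():
        print(mac, "->", finding)
```

A duplicated address is a hint rather than proof, since the permission table can only compare the address a device claims to have.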

In general, if you are extremely concerned about securing the access to your Wi-Fi® enabled network, setting the MAC Address of each Wi-Fi® enabled device in your Wi-Fi® Router and/or Access Points for your Primary (“Private”) Wi-Fi®  network will provide an added level of assurance that only legitimate, authorized devices are connecting to your network.  (For a discussion on Primary/Private vs. Secondary/Guest Wi-Fi® networks, see my article, “Securing the Home Network – Guest Wi-Fi® Networks”)

Filed Under: Networking, Security, Tech in Plain English Tagged With: Guest Wi-Fi® Network, MAC Address, Private Wi-Fi® Network, SSID, wi fi

Securing the Home Network – Guest Wi-Fi® Networks

October 2, 2012 By Jason Palmer Leave a Comment

The newest Wi-Fi® Routers support both a Primary “Private” and a Secondary “Guest” Wi-Fi® network.  This allows you to have two separate SSIDs (the names of your Wi-Fi® networks) at the same time.  Specifically, the Primary Private Wi-Fi® network would be for your exclusive use and connect all of your Wi-Fi® or Wired Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet enabled Flat Panel TV Sets to each other and the Internet.

The Secondary Guest Wi-Fi® network would connect visiting Internet enabled devices, like Tablets, Notebook Computers, Smartphones, and Gaming Computers ONLY to the Internet.  After all, you have no idea where those Internet enabled devices have been nor can you be sure they have been practicing “Safe Computing” with proper Antivirus and Firewall software installed.

Guests are given a different SSID and password to access the alternate, dedicated Wi-Fi® “Internet Only Access” network in your home.  You may be wondering, “If it is a Guest Wi-Fi® network, why do I need to set a password at all?”  Answer:  You do not want to be providing “Free” Internet access to your neighbors and more specifically, anyone who just happens to be passing by.

If you already have a Wi-Fi® Router installed and it does not support both Primary Private and Secondary Guest networks, you have two options:  upgrade your Router or purchase an Access Point.  The advantage of purchasing a new Wi-Fi® Router that supports both a Primary and a Secondary network is that most likely it will also be Dual Band.  This means that it operates at both the 2.4 GHz and 5 GHz spectrums.  (See my article on “Understanding the Wi-Fi® 802.11 Network Standard” for more details.)  The 5 GHz spectrum is less crowded and may give you better Wi-Fi® performance in your home.

If you purchase an Access Point to create a Secondary Guest Wi-Fi® network, most support the option to configure in “AP Isolation Mode.”  This means that Wi-Fi® connected devices cannot see other Wi-Fi® connected devices on the same Wi-Fi® (SSID) network but they can see all of the devices on the Wired network.   For example, with AP Isolation Mode enabled, two Wi-Fi® connected Notebook computers will not see or be able to connect to each other to share files but both would be able to see a Printer physically connected with an Ethernet (wired) cable to the Network Router.   If every device in your home is connected via Wi-Fi® to your Primary Private Wi-Fi® network, then adding an Access Point is a good solution to create a Secondary Guest Wi-Fi® network.

If you have devices in your home attached to your Primary Private Wi-Fi® Network and you also have devices connected via Ethernet (wired) cables, then you need to configure the specific physical Ethernet port that your Guest Access Point is connected to on the Local Area Network side of the Router to only connect to the Internet/Wide Area Network of the Router.  This completely isolates Guest Wi-Fi® connections through the Access Point exclusively to the Internet.  Otherwise, your Guests will be able to see any device that is connected via an Ethernet (wired) cable to your network.

Filed Under: Networking, Security, Tech in Plain English Tagged With: Guest Wi-Fi® Network, Private Wi-Fi® Network, SSID, wifi

Securing the Home Network – Wi-Fi® Security

October 1, 2012 By Jason Palmer Leave a Comment

Most Cable and Phone Company Internet providers are installing Routers with Wi-Fi® capability.  Unfortunately, not all Carriers take Wireless Security seriously.  Many early Carrier Wi-Fi® Router installations did not set any network security at all.   To be fair, many early Wi-Fi® enabled Computers did not properly support the newly defined security methods so it was easier to just leave the Security Features off.  Modern day Internet Enabled devices no longer have these issues so you should make sure that your Wi-Fi® Router has its Security Features enabled.

Public Wi-Fi® HotSpots are great and extremely convenient.  Your Home or Office should not be one as this could allow anyone who connects to your Wi-Fi® network to potentially access your computers and their files without your knowledge or permission.

The best and easiest way to secure your Wireless Router’s Wi-Fi® network capability is to set a strong and complex password [See my article on “A Complex Password may not be a Strong Password”] and to select the highest grade of encryption supported.  For most modern day Wi-Fi® Routers, that is WPA2 or WPA encryption.  Older Wi-Fi® Routers may only support WEP Encryption, which is sub-optimal as any determined hacker can break the encryption fairly quickly using readily available tools found on the Internet.

An important security tip is to make sure that the SSID (the name of your Wi-Fi® network) does not personally identify your home or small office.  Try to select a name that is completely unassociated with your family, likes, favorite vacation spots or anything else that might identify your Wi-Fi® network to someone who might be trying to locate and access your network without authorization.

The logic is simple:  If the hacker cannot see or find you, it makes it that much more difficult to compromise your network.  Instead of selecting an SSID name like “Palmer-Home” select something like “Butterfly.”  Someone passing by and scanning for Wi-Fi® Routers broadcasting SSIDs would have no reason to believe that the Wi-Fi® network named “Butterfly” is associated with me.  (And neither does anyone reading this article, as that is not an SSID that I use.)

An even more secure option is to turn off the broadcasting of the SSID completely.  To a user “Scanning for Wi-Fi® Networks”, your network will be invisible.  Anyone who wants to connect to your Wi-Fi® network will need to explicitly enter the SSID Network Name and Security Key provided by you.

 

Filed Under: Networking, Security, Tech in Plain English Tagged With: SSID, Strong Complex Wi-Fi® Password, WEP, wifi, WPA, WPA2

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Thunderbird

August 28, 2012 By Jason Palmer 1 Comment

In order to use a Digital Certificate for Secure Email, you need to install the Certificate into Thunderbird.  Installing the Certificate is straightforward.  Unfortunately, using PGP (Public Key and Private Key Encryption) in Thunderbird takes a little bit of effort to set up and install.

The steps are clearly defined with Screen Shots at the Thunderbird Documentation Site:

https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages

In short, Thunderbird uses the PGP (Pretty Good Privacy) Protocol, implemented through Open Source software, to Encrypt and Digitally Sign email messages.  The two required components are GnuPG (GNU Privacy Guard), a free software implementation of the commercial version of PGP, and the free Enigmail Thunderbird add-on.  (An add-on is a small helper application software program that “adds-on” specific functionality.)

To learn more about Public Key and Private Key encryption read my article, “Securing your Email – Understanding Public Key and Private Key Encryption.”

In the documentation referenced above, you download the appropriate version of GnuPG for Windows, Mac, or Linux, then follow the instructions for installing the Enigmail Add-on.

Next, you create your Public Key and Private Key using a Key Generation Wizard.  Then you have the option of setting your configuration to sign all of your outgoing Email with your Digital Signature or on a per message basis.  This operates pretty much the same way in every Email client regardless of vendor.

Digitally signing a message is as easy as selecting “Sign Message” from the NEW OpenPGP tab on your Thunderbird Menu Bar.  The same holds true for “Encrypting” a message.

As with all Public Key and Private Key encryption, when you Digitally Sign an email, you must make sure to attach your Public Key with your message. This allows the Recipient to save your Public Key so that they can encrypt an email message to you.  It also allows them to Authenticate an email Digitally Signed by you.

When you receive an email encrypted with your Public Key, you will use your Private Key Passphrase to decrypt the message and read it.  Once both you and your Recipient have each other’s Public Keys you can start to send and receive Encrypted and Digitally Signed email at will.

The Thunderbird OpenPGP add-on makes Digitally Signing, sending and receiving Encrypted Email a breeze.

GnuPG Project Information
http://www.gnupg.org/

Enigmail Information
http://www.enigmail.net

 

Filed Under: Security, Tech in Plain English Tagged With: Cryptographic Software, Digital Certificate for Secure Email, Digital Certificates, Digital Signature, Email, Encryption, Gnu Privacy Guard, Key Encryption, Mozilla Thunderbird, Private Key Encryption, Thunderbird
