A guide to the risks that come with being online and securing your home network against hackers.
Hacking still has that semi-romantic feel to it that it did back in the eighties. A WarGames-like fascination with being able to crack into a super secure server on your home system, complete with green text on a black background, discarded pizza boxes, and countless mugs of unfinished coffee.
However, the reality is far darker. As we’ve seen in the past it’s not just government departments, missile silos, or corrupt dictators that get on the wrong side of hackers, it’s more often normal folk like us.
There have been some pretty high profile hacking cases in recent years, the most infamous of late being the various celebrities who have had their pictures and videos stolen from their cloud accounts. These are the ones that hit the headlines, but this handful of hacking incidents is nothing compared to the millions of attempts that occur every day to the rest of us.
According to the Trustwave 2013 Global Security Report (goo.gl/y3hBsE), there were a recorded 12.6 million victims of hacking and identity theft in a 12-month period through 2012 to 2013, a number which roughly equates to one person being hacked every three seconds or so.
In 2012, 98% of all hacking attacks were credit card or payment data theft, used in fraudulent online or at-the-till transactions. Over $21 billion (£13 billion) was estimated to have been lost to identity theft from hackers, with a potential loss averaging $4,900 (£3,041) per household.
The checklist of items the hacker tends to go for are usernames, passwords, PINs, National Insurance numbers, phone and utility account numbers, bank and credit card details, employee numbers, driving licence and passport numbers, insurance documentation and account numbers, and any other financial background account details.
How they get this data ranges from acquiring remote access to your computer, SQL injections to a popular website, spoofing a banking or other financial website, remote code execution, exploits in website trust certificates, physical theft, and through social media.
On the subject of social media there are some interesting numbers associated with it. According to sources, 16% of people under the age of 19 were the victims of a controlled phishing scam, and 72% were victims when they followed links posted by their friends. Furthermore, 68% of all social media users share their birthday information publicly. 63% shared the schools, colleges and universities they attended. An amazing 18% of users publicly share their phone numbers, and 12% share the names of their pets (more on this later).
If these numbers aren’t scary enough, there’s the fact that 19% of all Wi-Fi users worldwide are still using WEP encryption for their home network security. And, 89% of all public Wi-Fi hotspots are unsecured, unmonitored, and available all day, every day.
And finally, it’s estimated that 10% of all spam emails are malicious and contain some kind of injection code designed to infiltrate your system if they are opened. And a further 7% of all spam emails contain a link to a website that has been designed to steal information or download some element to gain access to your locally stored data.
What to do
We have put together a number of steps to help you try and prevent someone from hacking into your personal space, whether that’s in the cloud or on the computer in front of you.
Naturally you can take all these steps to the extreme and live in an electro-shielded, anti-spy cage complete with tinfoil hat and lead-lined roof. However, that’s not really an option for most people. There is though, a happy medium where you can do everything you reasonably can to protect yourself and, more importantly re-educate yourself to spot potential hacking attempts and successfully monitor the security of your home network.
Starting with the home network there are a number of easy steps we can take to stop the hacker from gaining entry to your systems. Most of these steps you probably already do, and some are surprisingly simple.
Change router administrator passwords
This is one of the most common points of entry for someone to gain access to your home network. The router you received from your ISP may well be up to date and offer the best possible forms of encryption, but they generally all come with a set number of WiFi SSIDs and wireless keys – usually printed on the rear of the router.
It doesn’t take much of a genius to trawl the less reputable sections of the internet and obtain a list of SSIDs and wireless keys used by that particular ISP. The fact that your router is near permanently advertising itself as a BTHomeHUB, Sky, TalkTalk or whatever model doesn’t help much either.
The canny hacker can therefore gain access to the router, establish a connection, and even use the list of default passwords, such as login: Admin, password:1234, in order to get into the inner workings of the router itself. Therefore, it’s best to change the default router usernames and passwords to something a little more complex and personal.
Check wireless encryption
Most routers come with a level of encryption already active, but there are some examples where the default state of encryption may be extremely weak, or worse still, completely open.
If there’s a padlock next to your wireless network, as seen from scanning for wireless networks on a computer, then you at least have some encryption active. If you then access the administration layer of your router and it tells you that the encryption method is anything other than WPA2, then you’ll need to change it pretty sharpish.
WEP is the older standard of wireless encryption and as such can be cracked in less than fifteen minutes through a number of clever tools, all of which are freely available. WPA and WPA2 aren’t perfect either, but the encryption is generally tough enough to dissuade any street level hacker.
Use MAC address filtering
Every network interface has a unique identifier known as a MAC (Media Access Control) address, regardless of whether it’s a computer, tablet, phone, or games console.
The idea behind MAC address filtering is simple enough. You obtain the MAC addresses of your devices at home and enter them into the router so that only those unique identifiers are able to connect to your network.
Obviously, if you have a significant number of network capable devices this could take some time. But in theory you should be a lot more secure against a hacker in a car outside your house with a laptop perched on their knees.
Unfortunately MAC addresses can be hacked and spoofed, so while the lesser hacker may give up the more determined one will simply bypass it. Think of MAC address filtering as putting a thorny rose bush up against the garden gate; it may stop most opportunists from entering your garden, but those who really want to get in there will find a way.
Disable SSID broadcast
There are two schools of thought when it comes to hiding your network SSID. The first recommends hiding your router’s SSID from the public view, with the idea that invisibility to those around you makes you somehow immune to their attempts.
For the most part it’s good advice, but those against hiding network SSID say that anyone with half a hacking brain is already using some sort of SSID sniffer, and should they come across a hidden network it’ll pique their interest more than your neighbour who isn’t hiding it.
It’s worth considering both sides of the argument. Are you successfully hidden by being invisible, or is the best hiding place in plain sight?
Use static IP addresses
By default your router will automatically assign an IP address to any device that connects to it, so the pair, and the rest of the network, can communicate successfully.
DHCP (Dynamic Host Configuration Protocol) is the name for this feature, and it makes perfect sense. After all, who wants to have to add new IP addresses to new devices every time they connect to your network?
On the other hand, anyone who gains access to your router will now have a valid IP address which allows it to communicate with your network. So to some degree it’s worth considering opting out of DHCP controlled IP addresses and instead configuring your devices and computers to use something like 10.10.0.0 as their range of IP addresses.
Like most good anti-hacking attempts though, this will only slow the intruder down.
This simple network protection act is one of the best, if done correctly.
Believe it or not, by moving your router to the centre of your house, or more to the rear (depending on where your closest neighbours or the road is), you are limiting the range of your wireless broadcast signal.
Most routers are located in the front room where the master phone socket usually is. This means the router can reach most corners of the house, and to some degree beyond the house. If someone was moving down the road, for example, sampling wireless networks then they would come across yours as they passed your house.
If the router is situated in a more central location, away from the front window, then the signal may be too weak to get a successful reading without having to stand on your porch.
Switch off the router when you’re not using it
Most people will already do this anyway. Since no one is using the router, what’s the point of wasting electricity?
However, a lot of people simply have their router powered on all the time, regardless of whether they are in the house or not. Granted there are those who will be running a server, or downloading something while at work or asleep, but the vast majority just keep it on.
If you’re not using the internet or any other home network resource, it’s a good idea to power off the router. And if you’re away for an extended period, then do the same.
Beyond the home hardware
Home network security is one thing, and frankly it’s not all that often you’ll get a team of hackers travelling down your street with the intent of gaining access to you and your neighbour’s home networks.
Where most of us fall foul in terms of hacking is when we’re online and surfing happily without a care in the world.
Passwords are the single weakest point of entry for the online hacker. Face it, how many of us use the same password for pretty much every website we visit? Most of us even use the same password for access to a forum that we use for our online banking, which is quite shocking really.
Using the same password on every site you visit is like giving someone the skeleton key to your digital life. We know it’s awkward having different passwords for different places, but when you stop and think logically about it, doing so leaves you incredibly vulnerable to those who have ill intentions with regards to your identity and bank balance.
Also, where passwords are concerned, using ‘12345’, ‘password’, or ‘qwerty’ isn’t going to stop someone from gaining access. And passwords such as ‘P4ssw0rd’ aren’t much better either. Furthermore, as we mentioned earlier, using the names of your pets may seem like a good idea, maybe even mixing their names with the date of your birth as well sounds like a solid plan, but if you then go and plaster Mr Tiddles, Fluffly, or Thumper’s names all over the public-facing side of social media along with ‘it’s my birthday today, yippee’ then you’ve just seriously negated any chance of your passwords remaining secret.
Security questions and two-phase, or two-step, verification password techniques are now being employed by a number of credible sites. What this means is that you basically enter more than one password to log into your account. Most online banking is done this way now, and sometimes includes a visual verification such as a pre-selected thumbnail image from a range that the user can click on to verify who they are.
If you have trouble coming up with passwords yourself, then there are a number of password managers available that can help you create highly secure combinations of letters, numbers, and special symbols unique for every website you visit. What’s more they’ll even store them for you in the program itself in case you forget what they are:
KeePass – A free open-source password manager which can help you keep track of your passwords across numerous sites, while still being safely locked away in a secure database.
LastPass for Safari for Mac – A free plugin for Safari and Mac users, LastPass allows you to create a single username and password while securely entering the correct details.
Kaspersky Password Manager – A fully automated and powerful password manager that can store your username and password details, then enter them into the site for you while remaining encrypted throughout.
Either way, human beings are the weakest link in the secure password chain so any help you can get isn’t a bad thing.
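The password mistakes described above (common passwords, look-alike swaps such as ‘P4ssw0rd’, pet names and birthdays, and reuse across sites) can be checked mechanically. The following is an added example, not part of the original article; the vault contents, pet names and birthday are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import date

# Tiny constructed list; the three entries are the ones the article names.
COMMON = {"12345", "password", "qwerty"}

# Undo common character swaps so 'P4ssw0rd' is compared as 'password'.
LEET = str.maketrans("4@31!05$7", "aaeiiosst")


def normalise(text):
    return text.lower().translate(LEET)


def date_fragments(d):
    """Digit strings people typically derive from a birthday."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, mm + dd + yy,
            dd + mm + yyyy, mm + dd + yyyy}


def audit(vault, pet_names=(), birthdays=()):
    """Return {site: [issues]} for passwords that are common, guessable
    from publicly shared details, or reused on more than one site."""
    tokens = set()
    for name in pet_names:
        tokens.update(re.findall(r"[a-z0-9]+", name.lower()))
    for d in birthdays:
        tokens |= date_fragments(d)
    tokens = {t for t in tokens if len(t) >= 4}  # drops 'mr' and similar

    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)

    findings = {}
    for site, pw in vault.items():
        raw, plain = pw.lower(), normalise(pw)
        issues = []
        if raw in COMMON or plain in COMMON:
            issues.append("common password")
        if any(t in raw or t in plain for t in tokens):
            issues.append("built from publicly shared details")
        others = [s for s in sites_by_pw[pw] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        if issues:
            findings[site] = issues
    return findings


# Constructed sample data: what a user posted publicly, and their logins.
SAMPLE_PETS = ["Mr Tiddles", "Thumper"]
SAMPLE_BIRTHDAYS = [date(1984, 3, 14)]
SAMPLE_VAULT = {
    "forum": "Thumper1403",
    "bank": "Thumper1403",
    "webmail": "P4ssw0rd",
    "shop": "T1ddl3s!",
    "cloud": "vX9#qLr2&Wm7PzK4",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT, SAMPLE_PETS, SAMPLE_BIRTHDAYS).items():
        print(f"{site}: {'; '.join(issues)}")
```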
Don’t share so much
Lance Ulanoff, the chief editor at Mashable, recently said: “I hate to say it, but the reality is people need to share a little bit less.”
While there’s nothing wrong with letting our friends and family know what we’re up to via social media, we have to consider the fact that they may not be the only ones watching. Facebook and Twitter often come under fire regarding public newsfeeds where you have to run through several clicks before you can limit the views for your own timeline.
It’s worth taking the time to double-check, and check back often, the security settings on all your social media sites. Are the things you’re posting on your timeline or feeds viewable by friends only, or friends of friends? Has it mysteriously been reverted back to public viewing? Are you sure you want to display that picture of your cool desktop wallpaper complete with conky-like network information in the corner?
As we said before, publicly announcing private details, like when you’re on holiday and for how long, the names and birthdays of you, your partner, your children, pets and so on, isn’t a particularly wise thing to do. But we’re all guilty of it.
Security in the cloud
The newsworthy hacking events of Jennifer Lawrence and her celebrity colleagues have nailed home to the average user the fact that cloud storage isn’t quite as secure as they initially thought.
Every device, either Android, Microsoft, or Apple, is capable of backing up your photos to its own particular cloud storage solution – sometimes it’s even a default setting. Most of the time the cloud solutions used are so secure that anyone trying to hack into them will have a pretty rough time of it, and no doubt bring down the wrathful vengeance of Google or Apple upon themselves. How the celebrity photos and videos were obtained is something you’ll have to find out for yourselves, but if storing stuff on the cloud is alarming you there are a couple of choices.
The first is to encrypt everything locally on your computer before uploading it to the cloud. This will take time, we’ll grant you, but it means only you’ll be able to decrypt them. Secondly, you could always compress everything first, using Winzip/Winrar etc., then password the compressed file. Breaking a password compressed file takes far longer than it’s actually worth, providing you’re not a celebrity, so most hackers won’t bother.
Finally, there are cloud storage solutions that encrypt the data on the device before uploading it to the also fully encrypted servers. The likes of SpiderOak and Tresorit already do this.
Use a VPN
When you connect to the internet you do so through the IP address given to you by your ISP (your external IP address that is). Essentially this address comes from a batch that the ISP owns, and everywhere you go on the internet that address is highlighted and can be traced right back to your ISP and in particular, you.
If you opt to take out an account with a Virtual Private Network service, like CyberGhost or HMA! or TOR, then the IP address you use will come from the VPN’s servers, which are located around the world. So the website you visit will highlight your IP address as coming from Iceland, where in actual fact you’re located in Barrow-in-Furness, or wherever.
It’s not perfect, but it’s certainly a level of protection that’s worth looking into.
Of the millions of emails sent and received by the hour only a handful are ever encrypted. Most internet users have one of the free webmail accounts, such as Google or Yahoo, and although there is some level of encryption involved it’s generally not enough to stop a determined hacker.
If you want total encryption of your email, or webmail, you’re going to have to use one of the many encryption programs available that work as a third party tool in conjunction with an email client.
There are plenty around, and they work with Thunderbird, Outlook, Pegasus, and countless other clients. Also, there are web-based encryption tools available, like FireGPG, which will install inside of Firefox or other browsers and encrypt web pages and more importantly any emails sent via a webmail service.
Despite all of the above, the very fact that you’re online makes you a potential target. It’s no use sitting back and saying “they’ll have no interest in me”, when it’s you the hacker wants to target. After all, you’re easy to get to, easy to hack, and won’t launch a huge international campaign should you get hacked.
In other words, it pays to be aware of the risks and how to ensure against them.
Routers Under Attack: Current Security Flaws and How to Fix Them
How is it possible for users to lose hundreds of dollars in anomalous online bank transfers when all of their gadgets have security software installed?
Last year, user Y, who is based in Brazil, lost R$600 (US$191.02, as of January 30, 2017) as a side effect of information theft. Upon discovering this, Y immediately called an IT technician to find the root cause. The technician originally chalked up the incident to Y accessing a fake website. But since no malware was found in the devices connected to the network, he then reviewed the home router settings. What he found was interesting: even though the home router did not expose any remote management interface to the internet, the DNS settings were still modified. As a solution, the IT technician reset and reconfigured the home router to stop cybercriminals from making further bank transfers.
In another case, user X noticed R$3,000 (US$955.11, as of January 30, 2017) was deducted from her account in January 2016. Her home router was also infected with DNS-changing malware. But instead of bank websites, cybercriminals redirected her to spoofed pages of third-party sites used by banks, such as Google Adsense™ and JQuery.
Routers often have unsecure configurations that make them susceptible to malware attacks similar to the real-world cases we presented above. For one, security flaws exist in the operating system, firmware, and web applications of routers. Attackers can simply use these vulnerabilities as entry points to further compromise the home network. In fact, there are a few tools and websites that cybercriminals use to find vulnerable routers and obtain exploits for their attacks. Below is an example of such a website:
Figure 1. A trading website that displays a list of home router exploits
Predefined credentials in routers make it easy for web-based scripts to bypass device authentication mechanisms and allow cybercriminals to perform brute-force attacks. Web-based scripts are an effective tactic to infiltrate routers. Another security gap is the remote administration features in router firmware that cybercriminals can abuse to function as “built-in backdoors.” This could lead to a plethora of problems: remote code execution, modified router settings to redirect to phishing or malicious pages, and man-in-the-middle attacks, among others. Vendors should make it a point to find and remove these backdoors in their products before attackers do.
Are home routers safe?
It’s easy to overlook router security in a home setting since most home router attacks are isolated cases or have very minimal effect on a user’s bandwidth. Unless a user experiences attacks like the ones mentioned above, router security is the least of a user’s concerns. This can be a problematic mindset moving forward. What home users need to understand is that home routers serve as a gateway in and out of their home. All the information coming from the internet will have to pass through it. Routers are their private property, and any form of compromise is like a form of trespassing. Some router threats that take advantage of its communications with connected devices can even make home users unwitting accomplices to cybercriminal activities.
Case in point, the Mirai botnet took advantage of unsecure IoT devices for different attacks last year. When the source code was leaked in a hacking forum, we saw new Mirai strains in the wild. Affected entities like small and medium-sized businesses (SMBs) may have to deal with business disruption, damaged reputation, or even productivity and profit loss.
Figure 2. Top countries affected by Mirai (August 2016 - December 2016)
Mirai uses a predefined list of default credentials to infect devices. Knowing this, it is essential for home users to change router passwords. This measure can provide an additional layer of security. As we mentioned in our 2017 Security Predictions, the likelihood of Mirai-like threats used in distributed denial-of-service (DDoS) attacks may increase this year, so it’s necessary to take precautions.
Apart from botnet clients, other threats like rootkits that specifically infect Linux can also be dangerous to routers. Voice over IP (VoIP) fraud, which taps the telephony service in routers, could amount to additional charges in a user’s phone or internet bills.
How can home users protect their routers?
The first step in protecting home routers is choosing reliable ones. Some routers, like those from ASUS, are now bundled with security features. Trend Micro recently partnered with the brand to address home network security risks. ASUS routers come with features like deep packet inspection and web threat protection that filter threats before they reach users’ devices.
Aside from selecting a secure router, users should also change the default router password to thwart brute-force attacks. Regular checking of DNS settings can also aid users and SMBs to spot anything suspicious in their network. If a user’s router has a firewall, they should enable it as another form of protection against threats.
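One way to make the regular DNS check routine, shown as an added example that is not part of the original article: compare the resolvers a device (or the router's admin page) reports against the ones the owner expects. The sample resolv.conf text and the expected ranges are constructed, using documentation address space.

```python
import ipaddress


def parse_nameservers(resolv_conf):
    """Return resolver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers, expected):
    """Return [(server, verdict)] where verdict is 'expected',
    'unexpected' or 'unparseable'. `expected` lists the addresses or
    CIDR ranges the owner set on purpose (router LAN IP, ISP resolvers)."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in expected]
    report = []
    for server in servers:
        try:
            # Strip an IPv6 zone id such as '%eth0' before parsing.
            addr = ipaddress.ip_address(server.split("%")[0])
        except ValueError:
            report.append((server, "unparseable"))
            continue
        ok = any(addr in net for net in allowed)
        report.append((server, "expected" if ok else "unexpected"))
    return report


# Constructed sample: what a laptop on the home network received by DHCP.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search home
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver fe80::1%eth0
nameserver not-an-ip
"""

# Assumed known-good values: the router itself and the ISP's resolver range.
SAMPLE_EXPECTED = ["192.168.1.1", "198.51.100.0/24"]

if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    for server, verdict in audit_resolvers(found, SAMPLE_EXPECTED):
        print(f"{server:20} {verdict}")
```

A device that lists only the router as its resolver says nothing about where the router forwards queries, so the same function should also be run on the DNS server addresses copied from the router's own settings page.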
To better understand router threats and to learn how to secure your home network, read our research paper, Securing Your Home Routers: Understanding Attacks and Defense Strategies.