If you started with us in the first part, you know we took an analogy commonly used by security geeks, "the three states of data," and translated its definitions into an analogy the rest of us have learned, "the three states of matter." If you don't know what I'm talking about, then you should probably go read part one of this series. We then classified all our data in a list according to which of the three states of data it fit.
In part 2 we dealt with the data that fit into the solid state of matter. This was data that was not in motion, such as the data on hard drives and flash drives. We discussed the easiest method of encrypting the data, which was using TrueCrypt. We then examined the options available and the balance between total security and ease of use. If you missed this part, go catch up by reading Part 2 of a beginner's security series.
Now that we have dealt with the "solid" data, let's deal with the more complicated form data can take. In our analogy the next state of matter is the liquid form. As listed in the list we made in part 1 of a beginner's security series, this includes: Bluetooth, infrared, Wi-Fi, and wired Ethernet. In this part, we will be focusing particularly on the connections. The applications that use these connections will be the subject of part 4.
To begin, let's further define what we mean by data in the liquid form when this definition is applied to Bluetooth, infrared, and Wi-Fi. It is easier to deal with these wireless formats together rather than separately. Wired Ethernet will be addressed later in this article.
Data that is in liquid form and is moved by Bluetooth, Infrared, and Wi-Fi methods.
To further understand data in this category we should look at some of the properties and effects that data in the liquid form has.
Wi-Fi, Bluetooth, and infrared should be dealt with together because, although they send data using different standards, the underlying medium that they use reacts similarly. For our purposes let's imagine a puddle of water on a flat surface. The key here is to understand that the puddle can move anywhere it wants on the flat surface. It can be as big or as small as we want. Think of it in terms of increasing or decreasing the strength of your transmitter. A transmitter can be thought of in terms of a wireless router, the radio in your device, or the light emitting diode for infrared. If an external force acts on it, such as wind, tilting the surface, or drawing your finger through it, the puddle of water will distort from its original shape. This is what happens when we apply "standards" to this medium. Whether the standard is environmental or man-made, these are the rules that make our data move in the direction we choose.
The medium I keep referring to, the table top, is air. Now for the exclusions to keep it simple: yes, radio waves and some forms of light waves can cross hard surfaces like buildings and such, but I intend to simplify. For that reason I will exclude that from the thought process. I want to remind you and me to keep it simple (KISS).
Now that we have covered how our data can be manipulated and formed, or even joined with other puddles to make larger puddles (by the way, in case you haven't guessed, the puddles are networks), let's look at how the data within the puddle interacts with other data. Imagine drops of water falling into a puddle of water. The drops of water can be thought of as data you send from your device. As the data is added to the puddle, concentric rings radiate away.
Readers with radio transmitter training will note the similarities to the wave pattern radiating from an antenna. Yes, that is on purpose, but don't complicate the subject.
The radiating rings interact with all the other devices/data in the puddle. It is this interaction that makes it easy for our data to be compromised. The solution is to send our data in a different language. That language is encryption.
The options we have for encrypting data on our connections are different because of industry standards that have been applied to enable devices from two or more different manufacturers to communicate with each other. Let's look at each of our connections separately to see what can be done.
Infrared is an older technology used for short/medium range data communication (up to 1 meter). Infrared has been used by a variety of devices for a variety of types of communication. Infrared is largely a forgotten form of communication, mainly because of the problems of copyright, patents, and proprietary use contracts. The age-old questions of economics for manufacturers and software developers have largely stagnated further development of infrared security. Infrared may make a comeback for devices such as cameras; we shall see if manufacturers adopt the technology.
To consider how to secure our infrared connections, we must address infrared's current vulnerabilities, which are manifold. The major vulnerabilities are third-party interception of the signal and unauthorized access to the device by others. The connection itself cannot be changed at the hardware level because the standards are hard-coded on the chips themselves. Therefore, until the IrDA produces standards that allow the initiation of encryption at the hardware level, we are left with only three options for securing the infrared connection.
SECURING THE INFRARED CONNECTION
The three ways we can secure our infrared connection are:
1. Turn off the hardware in the settings menu.
This is the most secure way to secure this connection. If you don't intend to use this connection this is the same as closing the door and locking it. Security specialists call this the physical security option. This option is also the best way to mess up your computer, so don't execute this unless you know what you are doing.
To access the system menu on your computer you will need to find out how to reach it from your user manual. It will usually be something like restarting your computer and pressing ALT DELETE. The setting is usually contained in the advanced tab or where the parallel and COM ports are configured.
2. Use a piece of electrical tape and block the IR port on your device.
This is the easiest way to secure the connection. If you are planning on doing any of the Infrared projects on Lifehacker like this or this one, then taping off the port is probably the best way to handle this connection. When you need this connection just remove the tape to use the port.
3. Encrypt the files before you send them.
This is the least secure option since it does not address all of the vulnerabilities of the connection. The vulnerability that this option does not address is the possibility of device access. This does, however, stop the possibility of your data falling into the wrong hands.
Bluetooth is a wireless technology based on radio frequencies in the 2400–2480 MHz short wave spectrum. Bluetooth was originally developed by Sony Ericsson in 1994 and was originally meant as a replacement for RS-232 cables, overcoming the synchronization problems encountered with wireless technology during that time period. Since then Bluetooth has come under the control of the Bluetooth Special Interest Group. The technology is subject to several patents that must be implemented, and any new device using the standards must be approved by the Bluetooth Special Interest Group to be marketed under the name "Bluetooth".
Bluetooth as an industry standard is controlled and/or governed in the same manner as infrared technology, in the sense that in the past it has been stymied in the security world for the same reasons that infrared is stymied. Currently the Special Interest Group for Bluetooth has come under considerable pressure from US government agencies such as the NSA and government focus groups to implement better security.
From a security standpoint, Bluetooth has gone through several revisions, with the most significant, V2.1, fixing many of the vulnerabilities that earlier versions had. Currently Bluetooth has standards that implement security protocols such as frequency hopping, pin/password, and encryption. The problem is that the user does not have total control over the implementation, in part because of patent restrictions. Recommendations for Bluetooth security, written for organizations and users by NIST, a US government agency, can be obtained here.
Bluetooth attacks have been addressed on Lifehacker here. There are several named attacks that you should become aware of:
BLUETOOTH NAMED ATTACKS
- Bluesnarfing is the theft of information from the actual device by making a connection to the device.
- Bluejacking is the sending of requested data to another device. It is sometimes mistaken for Bluesnarfing.
- Bluebugging is when an attacker tricks the device into lowering its security levels so that the attacker can create a backdoor, which can then be used to control the device for various nefarious actions.
- Pod slurping is the unauthorized downloading of large amounts of data using the USB protocol. Since Bluetooth was designed to be a cable replacement technology, pod slurping is able to be carried out using Bluetooth.
Implementing Bluetooth security
Implementing Bluetooth security is largely dependent on two factors: the device manufacturer designing the correct amount of security protocols into the device, and the user acquiring good habits. There are basic things you can implement, which I will list below, and there are even greater actions you can take to improve your security in the Bluetooth environment that are listed in the NIST documentation. The NIST documentation takes some understanding to implement and is geared toward the corporate environment rather than the single user.
Bluetooth security basic actions
- Always make sure your Bluetooth connection is off when you are not using it. If there is no way to turn the Bluetooth off at the software level on the device then the device should be powered off.
- Make sure when the device is on it is not in discovery mode. This is the mode that allows other devices to find your device.
- Always pair devices in areas that are not public. Standing in the middle of the shopping mall does not qualify.
- Exchanging pins/keys should not be done in public areas.
- Always keep devices close together when transferring data by OBEX protocols.
- Use devices that implement the correct level of security for what you are doing.
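The first two actions in the list above can be checked from a shell. This is an added example, not part of the original article: it assumes a Linux machine using BlueZ, whose `bluetoothctl show` command prints the `Powered`, `Discoverable`, `DiscoverableTimeout` and `Pairable` fields parsed here, and it treats an always-pairable controller as a finding because of the advice to pair only in non-public places. Both sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Audit a BlueZ controller against the basic actions above.
# Input: text in the format printed by `bluetoothctl show` (Linux/BlueZ).

# Constructed sample (not from a real machine): radio on, discoverable forever.
SAMPLE_RISKY='Controller 00:11:22:33:44:55 (public)
    Name: demo-laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
    Discovering: no'

# Constructed sample: radio on for use, but hidden and refusing new pairings.
SAMPLE_OK='Controller 00:11:22:33:44:55 (public)
    Name: demo-laptop
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
    Pairable: no
    Discovering: no'

# field <text> <key>: print the value of the first "Key: value" line.
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# audit_bluetooth <text>: print findings; exit status is the number of findings.
audit_bluetooth() {
    local text=$1 findings=0
    if [ "$(field "$text" Powered)" != "yes" ]; then
        echo "OK: radio is powered off"
        return 0
    fi
    if [ "$(field "$text" Discoverable)" = "yes" ]; then
        echo "FINDING: device is in discovery mode"; findings=$((findings + 1))
        # A timeout of 0 means discovery mode never switches itself off.
        if [ $(( $(field "$text" DiscoverableTimeout) )) -eq 0 ]; then
            echo "FINDING: discovery mode has no timeout"; findings=$((findings + 1))
        fi
    fi
    if [ "$(field "$text" Pairable)" = "yes" ]; then
        echo "FINDING: controller accepts new pairings"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: powered on, hidden, not pairable"
    return "$findings"
}

# Live use on a BlueZ system: audit_bluetooth "$(bluetoothctl show)"
```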
Bluetooth parting words
Number six on our list deserves a little more explanation. Some devices do not allow the user to enforce a certain level of security. You will need to make the determination yourself as to how safe you want to be. A good example is a Bluetooth earpiece. Some earpieces, such as the Blue Armour from Biometric Associates, which can be bought for about $100.00, will establish a DOD certified "secured line". If that is too much security for your purposes, then you could always go with one of the newer devices that was recommended in the Lifehacker Hive Five call or the follow-up article here. There are other devices that implement security, such as this keyboard recommended on Lifehacker here. If you are new to Bluetooth headsets, here is a "how to" written on Lifehacker.
Wi-Fi standards are governed by a professional organization named the Institute of Electrical and Electronics Engineers (IEEE). The IEEE maintains standards called IEEE 802.11. This standard governs how Wi-Fi devices access each other. Wi-Fi operates in the 2.4, 3.6, 5 and 60 GHz frequency bands. The trademark "Wi-Fi" is owned by the Wi-Fi Alliance, which imposes additional requirements on devices bearing the certified trademark. Again it should become apparent to the reader that Wi-Fi standards are heavily influenced by manufacturer-driven organizations such as the Wi-Fi Alliance. But we do have options that allow us to break away from such corporate limitations by using Tomato or DD-WRT to replace the manufacturer-installed operating system of our routers.
Here are two articles from the Lifehacker staff that explain the pros and cons as well as how to get started on these projects:
Once you have decided to replace your router's operating system for better security, there are some basic security tasks that should be done as your next step. Melanie Pinola wrote a great all-inclusive post. Have a look at it and follow her suggestions:
What affects the security of Wi-Fi is how closely wired Ethernet is tied to it. A change in Ethernet standards can have dramatic effects on your Wi-Fi protocols. For that reason I am recommending this section of Lifehacker's night school:
For those of you looking for a more advanced way to secure your router, you should have a look at setting up FreeRADIUS. In most cases this requires a spare computer to act as a server for authentication purposes. Setting up a FreeRADIUS system is outside the scope of this beginner's article.
The next and last section of this article will deal with wired Ethernet networks.
Remember a little bit ago we talked about Wi-Fi and Bluetooth and how the data is like a puddle? Also recall that anything touching or inside the puddle of water could receive data. To understand wired Ethernet let's take that puddle of water and place it inside a container with two open ends. This would most likely be called a pipe! Such as:
For our purposes we will refer to the pipe as a cable since there are many similarities between the two. The water inside the cable is really low voltage electricity, and it's because of that fact we can work with it without an electrician's license. That still does not mean it's harmless; it just means don't put it near real water or high voltage outlets.
Wired Ethernet is also referred to as Cat5, Cat5e, Cat6, wired networks or just cabling. It has been around much longer than the other means of transferring data from one point to another that we have talked about. There are many, many specifications that state they are the authority on how to do things. The one that sticks out the most is the Institute of Electrical and Electronics Engineers, also referred to as the IEEE. They have been around the longest and usually have the most information available in tech speak, if you're into that sort of thing.
How do you secure your data in network cable?
Since cabling has been around for so long, there is a lot to learn, so much in fact that Lifehacker has put together a night school course on networking for your home. I recommend that you go take that course because it will give you a good foundation.
It can be accessed here: Lifehacker Night School: know your network.
When you have completed that, have a look at a much more cable-centric post about cabling your home and cable speeds here: how to wire your house with cat5 or cat6 Ethernet cable.
And for those of you who are on the advanced side of things, you can look into setting up a network with Kerberos / PKI / IPsec. Using these will secure your network on cabling, second only to switching to fiber optics.
That's it for data taking the form of water. Next time we will deal with the last form our data can take, and that is vapor or cloud.
Image credits: Water ripple by Sergiu Bacioiu from Romania, under CC 2.0 generic license, from Wikimedia.
Water Trough Flowing Water Water Pipe Stone Sink, Pixabay, cited under public domain license.