Keep Out the Bad Guys!

The InSSIDer Wireless Network Scanner in Operation.

You’ve seen it in the news: A large organization is “hacked.” The Bad Guys steal credit and debit card numbers, PINs and even CVV codes.

I’m sure you’ve heard about the recent incident involving Target, Neiman Marcus and some others. More than 100 million customers (that’s the count as of this writing) were affected. Many learned of it when the criminals started using that information to make illegal purchases. Their banks had to cancel existing cards and send new ones, right in the middle of holiday shopping. In fact, the week before Christmas, my wife and I were behind a customer at a local store who had learned of the “hacking” when his bank called to ask why he was buying exercise equipment 1,000 miles away!

The post-mortem is still being done on the Target incident, so let’s go back a few years.

In 2007, the parent company for TJ Maxx Stores (TJX) was hacked and millions of customers were affected. This case is especially interesting to me because of what the post-mortem concluded: The hackers initially gained access through an older wireless network at one of their stores. The store was using WEP (Wired Equivalent Privacy), which can be cracked easily.

Even worse, TJ Maxx apparently used “One Big Network” at the time. By gaining access through that one weak point at one store, the Bad Guys eventually were able to hack into many other systems across the company. Result: disaster.

You might think this has nothing to do with radio, but I beg to differ. As I was preparing this article, a story broke about how someone hacked the RDS (Radio Data System) text being transmitted by some Michigan (public) radio stations. The stations only learned about the profane text after listeners called and emailed. It can happen to you, so read on.

Limit Wireless Access

Some of this is obvious, but it’s worth repeating.

First, only use wireless when you absolutely need to. While I’ll admit that it’s not likely that someone could hack your network through a printer or scanner, why even risk it? Many of these devices come with wireless turned on by default nowadays. I disable it and use wired Ethernet as a matter of principle. The wire gives better performance, anyway.

 
The author scans a portion of his audio network with the Angry IP Scanner.

Second, if you have wireless networking in your facilities, make sure that you’re using the best encryption with a good password. Currently that would be WPA2 (Wi-Fi Protected Access, version 2). Change the SSID (the “network name”) from the default and change the password from time to time — especially after an employee termination.

Read that documentation and look at your configuration. If your unit won’t do WPA2 encryption, replace it. In fact, if your wireless router is more than a few years old, you probably ought to upgrade it anyway. If it has the so-called Wi-Fi Protected Setup (WPS) or “Wi-Fi Simple Config,” disable that. These have known security holes. If you can’t disable it, you definitely need to replace that router with one that will allow you to do so.

Third, and this is a big one: Watch for unauthorized access points that are installed by employees! Wireless devices are cheap and readily available. An employee who wants Internet on his tablet might pick one up at Wal-Mart on the way to work. To make matters worse, he or she probably won’t even bother to use encryption and a good password (because it’s such a pain to enter all that gibberish in an iPad, y’know?). Next thing you know, without your knowledge or consent, you’ve got a wireless unit broadcasting in the clear, exposing your network’s innards to anyone within range.

There are nice “sniff-and-scan” programs available online, including NetStumbler for Windows, Kismet for Linux and KisMAC for Mac OS. The weapon of choice for Windows, Mac OS and Android is inSSIDer (www.inssider.com). The basic version is $20. But if nothing else, you should regularly check the “available networks” screen on your laptop, smartphone or tablet to see if anything new has popped up. If so, investigate.

Fourth, on the subject of range, limit the signal if possible. If the wireless device allows you to adjust the power, don’t just set it to maximum without thinking. Make it as low as you can tolerate to further discourage hackers who might sit in the parking lot with a laptop and a “sniffer.” Choose a good physical location that limits the signal outside of your facility, too — an interior room, rather than an outside wall.

Finally, stay informed. You should occasionally do Web searches on the model number for your wireless unit to see if there are known issues. If there are upgrades available, install them.

Control ALL Network Access

But don’t stop there. Learn to think like a Bad Guy. (Don’t do it out loud, though, or management will wonder about you.) Remember the number one, primary rule of security: If you can get into it, a determined Bad Guy can get into it as well.

Your job is to keep out the hackers and crackers while still allowing yourself entry. The first step is limiting physical access. Most of us don’t spend enough time on this. But if you walk around your facility, I guarantee that there are unattended workstations open to anyone, left that way by the previous user. He/she didn’t bother to log out. You need to establish a firm rule about that.

If anyone complains, get management on your side. Explain that this is no different from leaving a door unlocked when the building is unattended. Secure those systems!

Just as you should scan your wireless network for unauthorized users, you should occasionally scan your network for PCs that might have been added without your knowledge. For this, the tool of choice is the Angry IP Scanner, available for Windows, Linux and Mac. You can download it at angryip.org for free.
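The two periodic checks above (the “available networks” list for rogue access points, and the IP sweep for PCs you never installed) both come down to comparing a fresh scan against an inventory. The following is an added example, not code from the article or from the inSSIDer or Angry IP Scanner projects; the scan records and the inventories are constructed by hand with made-up addresses, and the record layouts are assumptions standing in for whatever your scanner exports.

```python
"""Baseline checks for the two scans the article calls for: the wireless
"available networks" list and an IP sweep of the wired LAN.  Added example,
not the article's code; every scan record below is constructed by hand to
resemble an inSSIDer / Angry IP Scanner export and uses made-up addresses."""

# Constructed wireless scan: (SSID, BSSID, security) for each network seen.
WIFI_SCAN = [
    ("STUDIO-WLAN", "00:11:22:33:44:55", "WPA2-PSK"),
    ("STUDIO-WLAN", "00:11:22:33:44:56", "WPA2-PSK"),   # second authorized AP
    ("linksys",     "AA:BB:CC:DD:EE:01", "Open"),       # employee's store-bought router
    ("GARAGE-LINK", "AA:BB:CC:DD:EE:02", "WEP"),        # old bridge nobody re-keyed
]
# Assumed inventory: BSSIDs of the access points you installed and documented.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}

# Constructed IP sweep: (ip, mac) for every host that answered.
IP_SWEEP = [
    ("192.168.10.10", "00:1A:79:00:00:01"),
    ("192.168.10.11", "00:1A:79:00:00:09"),   # known IP, different hardware
    ("192.168.10.57", "F0:DE:F1:00:00:42"),   # never documented
]
# Assumed inventory: IP -> MAC of each device you put on the wire yourself.
KNOWN_HOSTS = {"192.168.10.10": "00:1A:79:00:00:01",
               "192.168.10.11": "00:1A:79:00:00:02"}

def audit_wifi(scan, authorized):
    """rogue: BSSIDs missing from the inventory (the employee's AP).
    weak: any AP, authorized or not, that is not on WPA2 (open or WEP)."""
    rogue = [(ssid, bssid) for ssid, bssid, _ in scan if bssid not in authorized]
    weak = [(ssid, bssid, sec) for ssid, bssid, sec in scan
            if not sec.upper().startswith("WPA2")]
    return rogue, weak

def audit_hosts(sweep, known):
    """unknown: IPs not in the inventory (a PC added behind your back).
    changed: inventoried IPs now answering from a different MAC."""
    unknown = [(ip, mac) for ip, mac in sweep if ip not in known]
    changed = [(ip, mac, known[ip]) for ip, mac in sweep
               if ip in known and known[ip] != mac]
    return unknown, changed

if __name__ == "__main__":
    rogue, weak = audit_wifi(WIFI_SCAN, AUTHORIZED_BSSIDS)
    unknown, changed = audit_hosts(IP_SWEEP, KNOWN_HOSTS)
    for label, items in (("rogue AP", rogue), ("weak AP", weak),
                         ("unknown host", unknown), ("changed host", changed)):
        for item in items:
            print(f"{label}: {item}")   # each line is something to go and investigate
```

Keep the inventories in a file you update every time you install a unit, so the report stays quiet until something genuinely new shows up.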

Change The Defaults

I mentioned the employee who might install a wireless access point without even bothering to set a password. But we need to make sure that we aren’t doing the equivalent with our systems in general.

Therefore, the next step is to change your settings from the defaults. Don’t think, “Aw, no one will hack my Nanobridge M5. I’m just using it for a few hours to network from the main building to the garage.” If it can be hacked, it could be hacked. The fact that it has never been targeted before doesn’t mean that you’re safe for all time.

This isn’t a hard and fast rule; it will require some thought for each application. Always change the passwords, account names, IP address and other settings from those provided by the factory or vendor. Do this across the board and before you put any unit or server into service.

For example, Virtual Network Computing (VNC), which many of us use to access our systems at night and on weekends, uses ports 5900–5910 by default. Change that to some random number above 20,000. Ultr@VNC, a popular free program that we use (see www.ultravnc.com), allows you to do this in the primary setup screen.

Likewise with Secure Shell (SSH), Telnet, FTP and many other popular network services. There’s not much you can do about standards like HTTP (port 80) and incoming email (port 25). Anyone who wants to go to your website or send you an email expects to use those ports. But whenever you can change these values, you should.

How important is this? It adds another layer of security. Back when we were running UltraVNC on the default 5900, our logs showed constant attempts to crack the password. The same was true of our SSH servers when they were on the default (port 22). Our logs were filled with hacker attempts. Seriously. We had page after page of lines like, “incorrect password from [strange IP address in Bulgaria].” Once we changed these to random numbers in the 20,000–40,000 range, the cracking attempts ceased.
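Those pages of “incorrect password” lines are also the raw material for detection: tally failures per source address and you know whom to block, and watch for successful logins so you hear about a break-in before anyone else does. This is an added example, not the article’s code; the log lines are constructed in OpenSSH’s actual “Failed password for … from …” wording, using documentation addresses (192.0.2.0/24) rather than anyone real, and the 5-failure threshold is an assumed setting.

```python
"""Tally failed SSH logins per source address from sshd log lines, the
"incorrect password from ..." entries the article describes.  Added example,
not from the article; the log lines are constructed and use documentation
addresses (192.0.2.0/24), not real attackers."""
import re
from collections import Counter

# Constructed sshd lines in the usual OpenSSH syslog layout.
SAMPLE_LOG = """\
Jan 18 03:12:01 studio sshd[4021]: Failed password for invalid user admin from 192.0.2.77 port 50122 ssh2
Jan 18 03:12:04 studio sshd[4021]: Failed password for invalid user admin from 192.0.2.77 port 50123 ssh2
Jan 18 03:12:09 studio sshd[4025]: Failed password for root from 192.0.2.77 port 50130 ssh2
Jan 18 03:12:15 studio sshd[4027]: Failed password for root from 192.0.2.77 port 50131 ssh2
Jan 18 03:12:20 studio sshd[4029]: Failed password for root from 192.0.2.77 port 50139 ssh2
Jan 18 03:15:40 studio sshd[4100]: Failed password for steve from 192.0.2.15 port 41000 ssh2
Jan 18 03:15:58 studio sshd[4102]: Accepted publickey for steve from 192.0.2.15 port 41002 ssh2
Jan 18 03:20:00 studio sshd[4110]: Invalid user oracle from 192.0.2.200 port 33012
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+) port")

def failures_by_source(log_text):
    """Count 'Failed password' lines per source IP (other noise is ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def sources_to_block(log_text, threshold=5):
    """IPs with at least `threshold` failures, busiest first.  The one
    legitimate typo from 192.0.2.15 stays below the (assumed) threshold."""
    counts = failures_by_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]

def accepted_logins(log_text):
    """(user, ip) for every successful login: the event worth an e-mail."""
    found = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    print("block:", sources_to_block(SAMPLE_LOG))    # hand these to the firewall
    print("logins:", accepted_logins(SAMPLE_LOG))    # mail these to yourself
```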

The one thing in our favor is that criminals, generally speaking, are lazy. Just as a thief is less likely to break into a home with secure windows and deadbolt locks, most hackers will try you a few times, then move on to easier targets. Scanning every possible IP address or port takes a lot of time. They’re going to go for the low-hanging fruit.

Our job is to avoid being that fruit.

Use A Good Password

Finally, use good passwords. This is tricky, because if you make it too difficult, your coworkers will write the password on a sticky note and plaster it to the computer! (Thanks to our editor Michael LeClair, who pointed that one out to me a few years ago.)

I’ve mentioned this previously, but my preferred method to generate a password is to use an easily-remembered phrase like, “My mother lives at 120 South Street in Podunk.” Take the first character of each word: “Mmla1SSiP.” That’s easy to remember but very difficult to crack, because it’s the recommended mix of uppercase, lowercase and numbers.

Now all you have to do is discourage them from writing out that phrase every time they use the password … and leaving that scrap of paper on the desk while they go to the restroom!

Summary

Don’t assume that just because you’ve never been cracked, you won’t be. Sure, I doubt that you are a high-priority target for serious hackers (most of them are after big money, like in the Target incident). But don’t get complacent.

In this article, I’ve especially focused on securing your network, and wireless in particular. But do more research. Do some Web searches, post queries online. Take this threat seriously and you won’t be surprised and dismayed one day to find out someone did hack into your systems.

The problem in our specific case is exacerbated by one sad fact: Most of our equipment doesn’t use secure or encrypted communications by default. At best, we have “security by obscurity” — the vendor might use a proprietary scheme to shoot data across the network. But in the specific case of RDS and PAD (program-associated data), those standards are well known and published on the Internet. Even worse, the text is transmitted in the clear — that is, you can actually read the ASCII text as it goes by.

We’re not sure what happened in the Michigan Radio case yet, but I imagine that it was an “inside” job, in the sense that someone was able to get “inside” that network. Once they had access, all they needed was the IP address of the RDS encoder. At that point, they could easily “swamp” it with profane text strings, drowning out the legitimate data coming from the studios.

Until next time!

Stephen Poole is market chief of Crawford Broadcasting in Alabama and a frequent Radio World contributor.


Comment List:

On avoiding dictionary attacks, I've run sshblack for many years. It watches logs and blocks IP addresses on an excessive number of login failures. This reduces these from thousands a day to less than 10. I also have another script that immediately emails me on any ssh login in case someone WERE able to get in (no one has). Harold
By Harold Hallikainen on 4/25/2014
