Wi-Fi HotSpot Security Wireless Guardian Secure

As a professional freelance writer, I end up using wireless hotspots to work from coffee shops. While I use a secured network whenever possible, many WiFi hotspots do not have any security enabled because it makes them easier to use. Although it seems like no one would bother, the reality is that wireless access points are easily compromised – even those that do have some form of WEP or WPA security enabled on the wireless access point. Using websites that have secure SSL connections can help keep usernames and passwords secure.

Unfortunately, that does nothing to secure all of those applications on laptops that log in automatically by remembering usernames and passwords. It is also all too common to be in the middle of something, get in the flow, and end up entering a username and password before even thinking about whether or not there was an HTTPS in the URL.

The only reasonable solution is to set up an encrypted connection that captures all incoming and outgoing network traffic from the laptop so that there can be no mistakes or slips in security. Unfortunately, there are not a lot of options available in this arena. This is especially true for WiFi hotspot security protection that can be set up on the fly without pre-configuring a server somewhere to be waiting for your call.

Hotspot Shield by Anchor Free offers a free VPN connection that provides the fully encrypted security solution needed to safely use WiFi hotspots. However, it is “ad supported” which means that not only will part of your precious laptop screen real estate be eaten up by ads, thereby making your viewable monitor area even smaller, but it also means that your connection ends up being slower because those advertisements are given first priority by the VPN application.

WiFi Guardian Wireless HotSpot Security

I was excited to find WiFi Guardian, a free wireless hotspot VPN encryption program that connects to its own third-party servers to provide network security. Like HotSpot Shield, WiFi Guardian provides complete network interception, making my web surfing and email secure as well as closing off the ability to hack in via installed software programs that automatically update.

The best part is that WiFi Guardian comes with a free 3-day trial. After three days, you have to pay $49.95 per year, but even a one-day free trial is good enough to secure your laptop for an impromptu coffee shop office setup. Most other VPN software comes with a specific data limit trial instead. That means that you have to make sure your computer isn’t doing anything behind the scenes that could be eating up your free trial period like downloading CD covers or synchronizing your bookmarks or files.

There is one bizarre thing that concerns me. The VPN application requires you to register a username and password to create an account. No problem there. However, the password field can only contain letters, no numbers or symbols.

What kind of security is that?

The most basic of all security is using strong passwords. Anyone setting up special software for security purposes would already be very familiar with using strong passwords. It begs the question about how seriously the WiFi Guardian developers take security when they not only allow, but require users to set up weak passwords on their accounts.

Needless to say, I will be uninstalling the software after my free trial period is up.

 

Has anyone else used WiFi Guardian? What have your experiences been like? Would you trust a security company that uses weak passwords?

 

Leave your answers in the comments, or shoot me an email.

New PayPal Security Key – Extra Security For People Who Are Probably Safe

PayPal is looking at a new security option to help safeguard its accounts from the frequent phishing attempts leveled at its users. The additional security comes in the form of a small electronic gadget that is sized to be on a keychain, like this one used by Purdue University. This electronic security key generates new numbers every 30 seconds. In order to log into your account, you would have to enter both your regular password and the numbers shown on the device.

It is like your username and password are your ATM card, and the numbers on the security key are your PIN number. Only, it’s even better because your PIN is constantly changing. Basically, in order to do anything, a thief would have to get your card and your keys. (Now imagine a similar security key device that requires a code to unlock the display and you are getting to security that is pretty much unbeatable except by government agencies.)

The idea is that even if a hacker or phisher were able to get your username and password, they would be useless without the numbers on the electronic key. If they managed to get the username, password, and numbers, they would only be good for 30 seconds.
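The 30-second lifetime described above can be seen from the server's side in the following added example, which is not PayPal's code. It assumes the key behaves like a standard RFC 6238 time-based one-time password with six digits; the article does not say which algorithm the device uses, and the `Verifier` class and sample key are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays on the display, per the article
DIGITS = 6   # assumed code length

def code_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 of the time-step counter, truncated to DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server-side check of the second factor, run after the password matches."""

    def __init__(self, secret: bytes, drift_steps: int = 0):
        self.secret = secret
        self.drift_steps = drift_steps  # extra steps accepted to absorb clock skew
        self.last_step = -1             # newest time step already redeemed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step:
                continue                # already redeemed: a replayed code fails
            if hmac.compare_digest(code_at(self.secret, step * STEP), submitted):
                self.last_step = step
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"    # constructed sample: the RFC 6238 test key
    seen_at = 1111111109                # moment a phisher captures the code
    stolen = code_at(secret, seen_at)   # code shown on the key at that moment
    strict, lenient, used = Verifier(secret), Verifier(secret, 1), Verifier(secret)
    used.verify(stolen, seen_at)        # the real owner logs in first
    return {
        "replayed_after_owner_login": used.verify(stolen, seen_at),
        "next_step_strict": strict.verify(stolen, seen_at + 2),
        "next_step_with_drift": lenient.verify(stolen, seen_at + 2),
    }

if __name__ == "__main__":
    print(demo())
```

A server that tolerates clock drift accepts a captured code for longer than the 30 seconds on the display, which is why the verifier also refuses any code from a time step it has already redeemed.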

On the one hand, this is great security. In fact, some method of combining this type of technology with something like OpenID so that it could be used on every website, would pretty much shut down phishing and password theft and cracking as we know it.

On the other hand, the PayPal security key is basically designed to stop phishing attacks where the hacker tricks the user into divulging their username and password. Not surprisingly, these methods work best on those who are the least security aware, or those who have the least understanding of website security, while those who are most concerned with security are likely to be vigilant and thus only fooled by the most sophisticated techniques.

In other words, this security device would best protect the people who are the least likely to get one, and do the least to protect the people who are most likely to get one.

And, while we’re at it, what about people with multiple PayPal accounts (a personal, and a business one, for example)? What about business accounts? If the guy with the number key device is out sick or on vacation, what then?

The bizarre part is the number of security improvements that could be made without requiring someone to order, buy, and keep track of another piece of hardware. ING’s online banking at ING Direct, for example, requires a user to choose an image and a phrase that validates that they are indeed looking at the REAL ING Direct login page before entering a password.

The image and passphrase display over a graphical numeric keypad where the user enters their PIN. Any phishing attempt would fail immediately when the user noticed that the picture and words that are always there are suddenly missing or different.

Even better, entering the password PIN requires clicking the numbers on the screen, so not even a keylogger can capture the password.

PayPal doesn’t even offer this basic security and its next move is an electronic security key?

I know I would feel much more comfortable if, when I clicked a button to pay with PayPal, I could see some sort of validation that this isn’t an elaborate deception that looks like I’m entering my PayPal username and password into my PayPal account when I am actually entering them into a form designed to look exactly like the original. All you need to pull off the scam on even the security savvy is a way to make the address in the URL bar say "PayPal" since that is the only means of validation PayPal currently offers.

Maybe PayPal should start by implementing some of the basics, and THEN worry about taking it to the next level.


News From Microsoft

So far this morning, I’ve stumbled across some updates from Microsoft that impact me or some of the freelance articles I’m writing (or scheduled to write).

First, Microsoft is no longer accepting beta participants for its Security Essentials program. Security Essentials is a multi-dimensional security application, but for the average home user, it is a free virus scanner with free virus definition updates. While there are other utilities like this out there, this one would presumably come with technical support from Microsoft, which could make it a viable option for businesses. No word on how this would, or would not, impact the other major security vendors out there.


Next, I found out that Dell is offering the same kind of migration assistance and upgrade tools as pretty much every other first-tier PC manufacturer, but for some reason, they get a pretty extensive and flowery write-up in the Windows Blog.  Wonder if there is a marketing deal there, or if Microsoft is just showing some love, or if the Windows team is handing out a little payback for what appears to be some pretty hefty testing work done by Dell during the Windows 7 beta and Windows 7 RC periods.

And lastly, the same Windows Blog apparently is reading my thoughts while I’m lying in bed. Last night I was going through what the differences are between XP Mode and Med-V, other than that Med-V only is available to business clients with Software Assurance licenses or other enterprise licensing. Looks like I can use this post as the jumping off point for a nice freelance computer article.

This isn’t news, but I was using Internet Explorer a bit this morning and was thinking that it would be really great if I could customize this page that opens whenever you open a new tab in IE 8. Not that I can change what page appears when you open a new tab, I know I can do that, but rather that I could change / add to what links and information are displayed on this page:

[Screenshot: the IE 8 new tab page]

I haven’t done much with IE 8 other than upgrade to it so that I have the least insecure Internet browser Microsoft makes, so with a little digging, maybe I’ll find that I can do exactly what I want.

Cheers.

Cannot Delete Admin Account in WordPress

To secure your WordPress blog, many experts will recommend that you create a new WordPress administrator account and delete the default WordPress admin account.  The idea is that since every WordPress installation comes with an admin user, you’ve given away half of the battle for security.  Automated hacker bots can come at your WordPress blog by using the default admin username and then all they have to try and get is the password.

Deleting the admin account removes it as a target for hackers.  They can try all day long with automated or non-automated attacks to hack the admin account, but if it isn’t there, they’ll never get in that way.

There is a small glitch that most people fail to mention.

If you have already set up your WordPress blog before deciding to remove the admin account, chances are that WordPress won’t let you delete the admin account when you try and click delete.

Why won’t WordPress let you delete the admin account?

Because under Settings –> General there is a field where you enter an email address.  That email address is the administrative email address contact.  You cannot delete the account that the administrator email account is assigned to.

So, take one more step and switch the admin email address to match the one you set up with the new admin account. Then, you can go back to the Users screen and delete the admin account without any trouble.

FYI – If you have not created another User account and assigned it administrator rights, you won’t be able to delete the default admin account either.  In WordPress, there always has to be at least one admin account, so you have to create the new admin account first, and then delete the old default administrator account.