Security Alert: Port 32764

SECURITY ALERT! Make sure that your Internet router isn’t exposing port 32764. It has been revealed to be a major security hazard, potentially leaking your router admin data and wireless encryption key to hackers. Use the link below to check your port status. Make sure the result on the probe below is STEALTH or CLOSED. If the result of the port scan is OPEN, you should log in to your router administration and change your settings to block that port immediately.

I’ve heard about this security alert two weeks in a row on one of my favorite podcasts, Security Now with Steve Gibson. If you want to hear the details, this was discussed on the latest episode 438. The conversation about this security alert begins at precisely 52:10 in the show.

Check your port: bit.ly/port32764

Wi-Fi WPS Security Flaw Exposed

I listen to a terrific podcast by Steve Gibson and Leo Laporte about digital security called Security Now. A new security scare is making the rounds that everyone with a wireless router needs to address as soon as possible. Complete details about this flaw were outlined on Security Now episode 335.

A recently discovered flaw in the execution of WPS (Wi-Fi Protected Setup) makes it relatively easy for a nearby hacker to circumvent your wireless security settings and gain access to your network. The fact is, every router that bears a seal of certification from the Wi-Fi Alliance ships with WPS enabled by default! In essence, that means that every router that has been sold in the past several years is potentially vulnerable to attack.

I am not a security expert, so I am not going to delve into the dirty details of how a router with WPS enabled can be compromised. I simply want to get the word out to everyone. Fortunately, an attack on WPS must be made within the wireless signal range of your router, so attacks in this form cannot originate from long range across the Internet.

The bottom line is that everyone should immediately visit the settings page for your router and disable WPS!

You can do an online search for this security flaw to find out more information. At the time of this writing, a reasonably good article detailing the GPS security flaw can be read at TechLogon.

It is assumed that router manufacturers will eventually update the firmware of their products to correct this flaw in WPS. That said, WPS itself is a system designed to let a novice user create a secure wireless network with little knowledge or effort. Anyone who takes computing and networking seriously would never use WPS in the first place, so I recommend that all users disable the feature and leave it disabled permanently.

While I am on the topic of Wi-Fi security, I want to add that everyone should have their wireless home network secured using WPA2 encryption with a password key that is at least 12 characters in length. Obviously, you should never use the name of your wireless network (SSID) as your security password. Personally, I use a complex 16-character password, which I think is sufficient.

TrueCrypt File Encryption

I’ve often wondered how to go about encrypting a particular file or folder on my computer, but always figured the process to be so daunting as to not bother to ever try. A recent article on the subject in my PC World magazine has shed some light on the matter. I’m going to fill you in on my experience that I’ve gained thus far. Keep in mind that I am not attempting to encrypt the contents of an entire drive, and I am not encrypting data on removable storage devices. I can’t speak to those scenarios in any way at this time.

I reviewed three possibilities for my approach. First, I’m a Mac user and looked into the FileVault encryption that is built into OS X. That solution is very easy, but it wants to encrypt my whole account user folder. In that scenario, logging into the OS decrypts all of the data. I worry that may slow down my computer, and that isn’t what I was going for in the first place.

Second, I researched the popular PGP encryption solutions. Their products all appear to go above and beyond my needs. PGP adds email and instant message encryption to their desktop offering. I don’t need any of that, and PGP’s products are all pretty costly for my taste, ringing in at $99. I’ve heard good things about PGP overall, but I am not looking to spend that kind of money on my project.

Third, and my favorite solution, is a free open-source application called TrueCrypt. TrueCrypt is available for Windows, Mac, and Linux! It’s free and easy to use. You create an encrypted volume that is stored as a single file on your computer. That file can have any file extension you want, or none at all. You can hide it anywhere you like, and the program won’t memorize locations if you ask it not to. Opening the contents of your volume is achieved by mounting the volume, which allows you to use it with a drive letter of its own. Dismounting the volume encrypts all of the data again. I’ve had a wonderful experience using this program. One downside for me is that I wish the program was faster at dismounting my volume, though speed will most certainly vary depending on your system. On my Windows PC, dismounting was nearly instant.

TrueCrypt was definitely the way to go for my needs. The program can also encrypt an entire drive as well. It does exactly what I want it to, with ease. It’s fast, secure, and completely free!

WordPress Security Scan Plugin

Recently, after upgrading to WP 2.61, I installed a plugin called WP Security Scan. If you’re running a website with WordPress, it is certainly worth installing. I did, and was blown away at the lack of security that my blog was exposed to. This little plugin lets you know where you need to make alterations. I very highly recommend it to everyone using WordPress!

Do Not Use Ad-Aware 2008

Absolutely under no circumstances install or use Lavasoft Ad-Aware 2008. After some recent slowdowns on my Dell laptop with XP, I installed Ad-Aware 2008 to scan for spyware. I have used versions of this software in the past, and I can tell you that something is terribly wrong with this new product. After it was done scanning, I checked the process manager in Windows to find that Ad-Aware was sucking down over 700MB of memory. After terminating the program, another mysterious Ad-Aware system process would start—over and over again. I simply could not get rid of it. Every time that process started, it would start out consuming 128MB of RAM, and grow sharply every 2 to 3 seconds. I uninstalled this piece of crap and erased every last trace of it. It seems Ad-Aware is just as bad, or worse, than the rogue applications it is supposed to be eliminating.

Password Limitations Abound

This past weekend, I set out to create a strong, complex password for my favorite log-ins. I did so, and went about changing my passwords online. I soon ran across several sites that had a 10-character limit on passwords. In total, three to four sites on my list had this limit. Even worse, the website for managing my AT&T Wireless bill only allows an 8-character password.

Fortunately, most of the sites I visited have a 20-character limit. That is way more than I will use, but a good number to use as a ceiling. Limiting passwords these days to 8-10 digits is surprising to me.