Archive for the ‘Computer security’ Category


Some musings on Powerline adapters

July 12, 2021

I’ve been using a set of Powerline adapters in my home for several years. I’ve also recommended Powerline to several of my friends and family to solve networking problems in their homes. But they’re not a panacea for all ills. There are some idiosyncrasies which I discuss here. I hope this proves useful to someone.

Note: I’m writing from a UK perspective. While not a qualified electrician, I’m familiar with UK domestic power wiring (240V). I also have a passing acquaintance with European (Portuguese and Danish, 220V) and US (110V) domestic wiring.

What is Powerline?

Powerline (also known as Homeplug) is a technology that uses the mains power cables in your home to carry computer network signals to deliver a network – usually your broadband connection – to places in your home that are otherwise hard to reach. The signals are carried by a high-frequency radio signal over the copper electrical cables in the wall. It’s a technology designed only for domestic networks. It’s not intended for commercial use.

You plug an Ethernet cable from your router, or a point on your existing network, into one Powerline adapter which is plugged into an electric wall power socket. Then you plug a second adapter into a power socket somewhere else in your home and run an Ethernet cable from it to your remote device, which could be a computer, a wireless access point, a TV or a switch to which you connect other computing devices.

Example of the use of Powerline in a home

What types of Powerline adapters are there?

There are different versions for different power systems including US power plugs, UK power plugs, European (Schuko) power plugs and Australian power plugs.

There are versions that occupy a power socket, and there are versions which present a power socket when they’re plugged in; these are known as “pass through” adapters.

A pair of Powerline pass through adapters (UK version)

And there are different speed adapters. The lowest speed, the original versions, were labelled 200 Megabits per second (Mbps). There are 400Mbps, 500Mbps, 600Mbps, 1000Mbps, 1200Mbps and 2000Mbps versions. But in real life I’ve been unable to achieve anything near the claimed maximum speed, so I’d suggest you use a higher speed version than the network you’re trying to connect. I’m using 2000Mbps adapters to carry a 74Mbps network; my neighbour is using much less expensive 600Mbps adapters to carry a 12Mbps network.

And there are lots of manufacturers. In principle, adapters should all inter-operate, but the whole network will drop back to the speed of the slowest adapter, and each manufacturer has slightly different ways of setting up and configuring devices, so it’s generally easiest to use a set of adapters of the same speed all from the same manufacturer if you can. I’ve deployed TP-Link devices and I’m very happy with the build quality, reliability, operation, configuration and performance.

Some adapters offer more than one Ethernet port, so you can use them as a mini switch, connecting more than one device. Some adapters have a WiFi access point built in, so you can instantly set up a new WiFi network without any other devices, or you can use Powerline adapters to extend an existing WiFi network.

This pair of adapters shows one that combines both multiple Ethernet ports and a wireless access point

Decide how you want to use Powerline in your home and then select appropriate devices.

Will Powerline work on any home electric circuit?

To get the best performance you should plug the Powerline adapters directly into a wall socket – extension cables and particularly surge protection devices will attenuate the signal or even filter it out altogether.

Furthermore, it’s recommended that adapters are plugged into the same electrical circuit. Some houses have a separate circuit (ring main in the UK) upstairs from the one downstairs, and some houses which have been extended may have a separate circuit in the new build from the original building. Almost all houses have a separate circuit for sockets in the kitchen.

This doesn’t mean they won’t work across circuits, but they may not. Much seems to depend on how the circuits are protected. Older fused circuits appear to allow Powerline adapters to work across circuits; mini circuit breakers (MCBs) also seem to work, but residual current devices (RCDs) are more problematic. You may need to borrow a pair of adapters from a friend and try them, or make sure you can return the Powerline adapters to your supplier if they don’t work in your home.

Will Powerline work across phases?

In the UK, almost all domestic properties are supplied with single-phase power, but in other countries three-phase is more usual. Powerline adapters aren’t designed to work across phases, so if you’re trying to use them in a three-phase installation you may need to try and rearrange the circuits so the sockets you are trying to connect are both on the same phase. Consult an electrician.

You may be able to use an additional pair of Powerline adapters to bridge phases – I discuss this in more detail later. If you’re in the USA you may be more likely to get them to work across phases – that’s because you are very likely to have a 3-phase 110V installation and a high-power device that bridges two or even three phases. This may allow the Powerline signals to pass. There’s no hard and fast rule about whether they’ll work or not. You’ll just have to try it.

Are there any problems using Powerline?

Because the signal is carried on domestic wiring by high-frequency radio it may interfere with other devices – radio hams have reported Powerline causing interference with their radio equipment. Powerline itself can also be affected by interference from other devices plugged into the power network – I’ve seen reports that microwave ovens cause interference to the Powerline network when they’re operating.

Is my Powerline network secure?

All Powerline adapters are secured with a private key. They are configured by default with a standard key, so out of the box all adapters should work together, even those from different manufacturers.

It’s unlikely that your signal will pass your electric meter. It is also unlikely to pass onto another electrical phase, so it’s very unlikely that your neighbour will be able to connect to your network. But if you live in an apartment block, or in a shared house, then it may be advisable to change the encryption on your network to avoid possible eavesdropping.

All Powerline adapters support this. You can force one of your adapters to generate a new, random, private key and then pair the others with it. Consult your user’s manual on how to do this as each manufacturer, and even different models, may do it differently.

Can I use more than two adapters?

Yes, you can. If you’re using the default configuration you can simply plug in another adapter. If you’ve changed the encryption you will need to pair the new adapter with one of the existing adapters. Again, consult your user manual(s) on how to do that.

My experience is that adding a third and a fourth adapter worked fine, but more than that degraded performance significantly. I currently use three on my home network. They are all on the same electrical circuit, and with broadband speed at the router of 74Mbps I can achieve a 70Mbps connection at each of the remote adapters.

If I can’t get them to work well across electrical circuits, can I bridge them?

You can, but I’ve tried it in my home and my experience suggests that the performance may still be significantly reduced.

You will need to find a socket on one circuit that’s physically close to a socket on the other circuit, plug a Powerline adapter into each of these, and connect them together with an Ethernet cable.

However, to avoid creating a network loop, which will cause problems, you must arrange that the adapters on one circuit are unable to communicate with those on the other circuit via the electric cabling. To do this, pair one set of adapters with a new private key (see above and refer to your user manual). You’ll end up with two adapters on one circuit using default encryption, and two adapters on the other circuit, paired together using a new random private key. Then you connect an adapter on one circuit by Ethernet cable to an adapter on the other circuit, creating a bridge.

I believe it is possible to use a specialist connector to bridge circuits at the fuse box/consumer unit, but I’ve only seen devices that do this for 110V US circuits. I’ve not found a UK 240V or a European 220V version.

Is Powerline better than wireless networking?

This depends on the situation, but in my opinion, yes. My networking mantra is, “If you can wire it, wire it”. Connecting networks with physical cables is more reliable, more secure, and usually more performant than wireless.

But if you have multiple electrical circuits and have problems getting Powerline to work effectively then short of running an Ethernet cable round your house – which can be messy and expensive – wireless may be the better solution.

I use both. I prefer Powerline, but I have a room which is on an electrical circuit which won’t work reliably with Powerline from my router no matter how it’s connected. So I’ve installed a wireless repeater to get a decent bandwidth signal to the smart TV in that room.


Protect your email with a strong, unique password

April 24, 2020

Some of my friends have asked me recently about computer security, passwords, scams and malware. One thought he had a virus infection on his computer, another had been reposting hoaxes about WhatsApp messages while yet another had received one of these “we’ve got all your details, we’ve videoed you with your own webcam doing embarrassing things; if you don’t pay us money we’ll send the footage to all your contacts” emails. The reason he was particularly concerned was the email included one of his own passwords.

Of course it was a scam; it turned out the scammers had probably got his email and password from the LinkedIn security breach. So I confirmed with him that this wasn’t his email password and then reassured him it was a scam. He changed his email password just to be on the safe side.

Keep your email secure

Before anything like this happens to you, the most important piece of advice I would offer is: make sure your email password is UNIQUE (i.e. you’ve not used it for any other account, anywhere else, ever) and strong (8 or more characters and a mix of at least uppercase letters, lowercase letters and numbers). If it’s not, then I suggest you change it as soon as you can.


It’s unwise to use your children’s names and dates of birth. Don’t use “password”, “qwerty” or “1234567890” (which are some of the most commonly used passwords).

Why your email?

Because email is the way you reset every other password. If someone hacks into your email account they can change that password, then access every other account you have by going to the website and clicking the “I’ve forgotten my password” link. The site then emails them a reset link. Worse, they could log into your email and automatically forward your emails to themselves, so you don’t know anything’s wrong, but they receive a copy of any email sent to you.

So your email password is, perhaps after your bank, the most important password you use. And it doesn’t require your email provider to be hacked. If a major website is compromised (recent security breaches in the UK include Tesco.com and Carphone Warehouse) the first thing the hackers will do is try each password on the email account associated with it… and if you’ve used the same password for both, then the hackers have access to your email.

How to make a password strong but memorable

My preferred technique is to pick the title of a favourite book, album or song and use that as the key. Let’s consider, for example:

All I Want for Christmas is You by Mariah Carey.

(I don’t use this, nor should you, it’s just an example)

Take the initial letters capitalised as in a normal sentence:

AIwfCiy

Substitute some of the letters. For example you could change the “C” of Christmas to X for Xmas, “for” to 4 and “you” to u:

AIw4Xiu

It’s still too short, so add the initials of the artist – MC:

AIw4XiuMC

There you have a pretty strong, apparently random, 9-character password, but because you know the passphrase, you can remember it every time. No one will guess it, nor will it fall to a brute-force “dictionary” attack where hackers try every word in the dictionary.

Some sites require your password to include a special character. If that’s the case, you can insert a %, & or @ between the song and the artist:

AIw4Xiu%MC

There you go, the almost perfect password.

Could I make it even more secure?

Yes, you could use what’s known as “Two Factor Authentication” or 2FA. Your online bank already uses this so you’re probably familiar with the concept. When you log in you need to provide a second password, or a code texted to your phone. Maybe your bank’s sent you a special authentication device such as the Barclays PINsentry below, or you use an “Authenticator” app which generates a one-time random code. There are several authentication apps. Microsoft includes one in Office 365 (now Microsoft 365), Google has one, and Authy is one of the independent ones.

Sites including PayPal, Twitter and Amazon support the use of Authentication apps for 2FA. Many sites offer a 2FA capability and it’s a good idea to enable it if it’s available.


Barclays PINsentry for two-factor authentication

How to remember all those passwords

Ideally every password you use should be strong and unique, but that’s hard, especially as our memories fade with age. Writing them down, while not a great idea, is better than using the same password everywhere. Use a little notebook and keep it somewhere safe at home – that’s far more secure than re-using passwords. Someone would have to break into your house to get it, and if they do that they’re much more likely to steal the telly! Whatever you do don’t write your passwords on a sticky note on your computer!

Better still, use a Password Manager such as LastPass (there’s a free version for web, PC, Mac, iPhone and Android†) or 1Password (small annual fee) which can securely store all your passwords, generate new unique random ones and fill them in on your phone or computer as you need them. They have extensions for your favourite browser, and you can also access them securely from anywhere when you’re away from home (unlike the notebook under your bed). With a Password Manager you don’t need to remember, or even know, any password other than the master password for the app. Whatever you do, make that strong, unique and don’t forget it!

Should I change my passwords regularly?

It’s fair to say that the IT security industry is divided on this. Provided your password remains strong and unique then there’s benefit in doing so, and some systems require you to do so periodically. The problem is that many of us have lots of accounts, and trying to think of multiple memorable, unique, strong passwords regularly is hard. So many people, when forced to change their password, just use the same set over and over again, or they use the same password but include a number in it and increment the number each time. So being forced to change your password regularly may actually reduce rather than improve your security. Use a Password Manager and you can change your password regularly – in fact some of them will do it for you automatically!

What happens if the Password Manager site is breached?

Yeah, it has happened. Password Managers are, like antivirus software, a prime target for hackers. But it wasn’t a problem because the way Password Managers work is your passwords are securely encrypted with your master password as a key before being stored in the (yet further encrypted) Password Manager database, and are only ever decrypted, as you need them, on the device you’re using. Even the Password Manager doesn’t know your Master Password. So if the Password Manager site is compromised, all the hackers are likely to get is a list of encrypted records, none of which are any use to them.

They must know my password, how else do I log in?

When you first set up your password, the site does something called salting and hashing. Salting adds a string of characters (which may be very long and is usually unique to your user account) to your password before it’s hashed – a type of strong one-way encryption*. The resulting string can’t be reversed, so it’s impossible to work out your password from the salted & hashed string.

All this processing is done on your computer before the result is stored, so your password is never transmitted over the Internet. When you log in, your computer repeats the process and transmits the result which is compared with the stored version. If they match, you’ve entered the correct password and you’re allowed in. If they don’t, you’ve got it wrong. But at no point is your password known to, or stored by the system.

Even if a hacker managed to get hold of your unique salt and the hashing algorithms (as some are reported to have done in the LastPass breach) they still wouldn’t have your Master Password, so they’d have to guess it and try salting & hashing it to gain access to your passwords – which is why it’s still important to make sure your Master Password is strong and unique.

Clever eh? This salting and hashing system is used by many major Internet sites, not just Password Managers. It’s preferred because it doesn’t require the storage of any passwords in clear and it avoids transmitting passwords in clear over the internet. I suspect Tesco and Carphone Warehouse are using it now. If they’re not, they should be.
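The salting and hashing steps described above, sketched in Python as an added example (this is not code from LastPass or any site named in this post). PBKDF2-HMAC-SHA256, the iteration count and the function names are assumptions chosen for illustration; the sample password is the made-up one from earlier in the post.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch
# The commonly used passwords named earlier in the post.
COMMON_PASSWORDS = ["password", "qwerty", "1234567890"]


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salt and hash a password; only the salt and the hash are kept."""
    if salt is None:
        salt = os.urandom(16)  # random salt, unique to this account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Repeat the salting and hashing at login and compare the results."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison: does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def is_commonly_used(record: dict) -> bool:
    """Audit check: does the record match a password from the common list?

    Someone holding the salt has to do exactly this guess-and-rehash work,
    which is why a strong, unique password still matters after a breach.
    """
    return any(verify(guess, record) for guess in COMMON_PASSWORDS)


if __name__ == "__main__":
    sample = "AIw4Xiu%MC"  # constructed sample from the post, not a real password
    first = make_record(sample)
    second = make_record(sample)
    print("correct password accepted:", verify(sample, first))
    print("wrong password accepted:  ", verify("AIw4XiuMC", first))
    print("same password, same hash: ", first["hash"] == second["hash"])
    print("weak record found by audit:", is_commonly_used(make_record("qwerty")))
    print("strong record found by audit:", is_commonly_used(first))
```

Because each account gets its own salt, two people with the same password end up with different stored hashes, so one guess cannot be checked against every account at once.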

So keep your passwords, especially your email password, unique and strong, and use a Password Manager, then you can just ignore those scammers!

* For the purists, yes I know it’s not the same as encryption, but this isn’t the place to go into the details of the difference between encryption and hashing.

Update: As of March 17th 2021, LastPass Free is available only on EITHER computer (PC, Mac and Laptop) OR on mobile (phone, tablet and watch) but not both. In order to get it on both you have to upgrade to one of the paid plans such as Premium, Families or Teams. Still good value IMHO.