CTO Tech Blog

Have you ever tried to connect to a wireless network and noticed how often you see a network called Linksys or netgear?  Businesses and homes are connecting to the Internet with many devices in addition to computers.  In homes we often see game systems, security systems, and even appliances connecting to transmit grocery lists.  While some newer homes are wired for computer connections throughout, older homes are not which leaves you restricted to where and what you can connect.  The most common solution to this problem is the addition of a wireless access point (WAP) or wireless router.  These devices are easy to install and can be up and running with default settings in a matter of a few minutes.  Unfortunately the default settings on these devices are well known and have no security.  Without security on a WAP any user can connect and use your network.  This is commonly referred to as hijacking.  While you may not see any immediate harm in this, there are risks.  At the very least the hijacker could use your connection do download from the Internet, possibly causing excess usage charges being levied against the owner.  At the more extreme end of the spectrum, the hijacker could possibly access personal information stored on other computers in the network or use the connection for illegal activity that could leave the network owner liable in some manner.

All of these devices do have a number of security features available that simply need to be turned on and configured.  With a little understanding of some of the features and terminology anyone can close the security holes to help thwart would be hijackers.  The first step in securing a wireless device is to set a password on the admin account that is difficult to guess without being so complex that the owner can’t access it.  Now that only the owner of the device can access the configuration you can change some settings for how devices can connect and even restrict what devices can connect.  When you first try to connect to a wireless network you see a name (or in many cases a list of network names in your area) which is called the service set identifier or SSID.  Typically you would set this to something more descriptive of the network so that it is clear to people looking for it.  Changing the SSID is similar to painting your house.  It personalizes it, but doesn’t effectively change its function.  To add security you can actually tell the WAP not to broadcast the SSID, which means that people looking for wireless networks will not see this one.  The next step is to add wireless security in the form of an access password and/or encryption.  You will probably see a number of security options such as WEP and WPA listed in your device and a number of options within each of these.  Wired equivalent privacy (WEP) was the original standard for wireless security and may have to be used if there are older devices connecting that don’t support newer standards.  A better option, if it is supported by all devices that you want to use wireless, is Wi-fi protected access (WPA or WPA2).  This newer standard is more secure without adding complexity.  Detailed explanations of each of the options within the encryption families is beyond the scope of this blog, but suffice it to say that any setting on the WAP must match a setting on the device that is connecting.  One further layer of security is MAC authentication.  Media access control (MAC) addresses are distinct numbers assigned to any device that can connect to a network.  MAC authentication allows a WAP to keep a list of MAC addresses that it will allow to connect to itself.  You typically need to manually enter the address of each device that connects on the WAP in addition to any other security settings you have implemented.

The best security settings for wireless networks would mean that a potential hijacker would have to know your SSID, your encryption scheme, the security passphrase or key, and have the ability to determine and spoof (the computer term for forgery) an authorized MAC address.

Inspiration for writing sometimes comes from odd places.  This week I had a lot of time to observe many of the ways computers and information technology are used by doctors and hospitals while spending an unplanned day in their company.  That, combined with my own experience installing and maintaining networks and electronic medical records (EMR) software for hospitals and clinics, seemed to be a good basis for this week's blog.

When I started working with healthcare over 10 years ago, computers were starting to come in to hospitals where they were used mainly for patient record transcription and some patient information.  Most of what was entered in to a computer would be printed and filed along with to typed and handwritten records.  Over time applications started to become available to assist with operating room booking, provincial health insurance submissions, and some specific diagnostic databases to assist physicians. In addition, the growing IT departments in hospitals would use databases to keep track of assets including medical instruments, beds, and even the computers themselves.  Many people had a vision of eliminating paper records in favour of electronic records, real time tracking and locating of assets such as heart monitors, and doctors carrying personal digital assistants (PDAs) or tablets to create and retrieve patient records and diagnostic information.  The hospitals were leading the charge by purchasing applications and systems to help manage many aspects of operating a hospital.  Security was and is a major focus for the It staff who implement and manage these systems which presented more challenges.  Security inherently adds complexity to any system which in turn decreases productivity and people's willingness to use the systems.  For hospitals, where doctors typically have a private practice as well as their use of hospital facilities, they need access to patient information in both locations but need to maintain the security and confidentiality of those records.  Private practices, if they even have computers, use many different software applications with different methods of access which causes more management challenges for hospital IT staff from a security perspective.

There have been two schools of thought regarding patient records in the medical community.  On the one hand, there are many benefits to using a standard common format for storing and sharing patient information.  Easy and rapid access to patient information would improve healthcare.  The provincial governments in BC and Alberta, among others, are proponents of this type of standard.  On the other hand, there is a sense of ownership that doctors have for patient information.  Giving someone easy access to information may cause too much reliance on this information and remove some elements of critical diagnoses.  Open sharing of patient information could have begin to eliminate the idea of family physicians who often know more about their patients than can be expressed in a document.  My experience yesterday showed me both sides of the coin.  We were at two private clinics and two hospitals where we saw technology assisting in many ways from locating the patient after I parked my car; to electronic medical imaging that could be transported easily and quickly from one location to another; to the mesh of communication that got us through a large and cumbersome system with relative speed.  Through the whole experience we noted that staff was well informed and informative as well as sensitive to us as people.

In the end, the body being the amazing machine that it is, the problem rectified itself in the nick of time and saved us the risk and stress of surgery.  While I did see many opportunities for IT to help further in the process, in our case I was grateful for the time taken to do some things manually.  During that time the body keeps fighting on its own and in this case won the battle.

I doubt I have any American Readers, but my Canadian audience will know that tomorrow is Remembrance Day.  Last Friday I woke up to the news of an army major who went on a shooting rampage after hearing that he was about to be deployed to Afghanistan.  I wondered about the irony of training a man to kill people only to have him turn against his peers.  I have heard some suggestions regarding his state of mind, but none of us will ever truly understand what drove him to do what he did.  I am thankful that my own brother who served in the military never had to see “action” and think of my grandfather who died when I was eight, but to me will be remembered as a retired Sergeant from WW2.  Both of them served in very different militaries than what we have today.

This is a technology blog, so why am I talking about war and honouring those who served?  War making has become one of the biggest drivers of innovation in technology.  Today’s Internet was created to connect educational institutions and driven part from a need to connect military minds across the US in the form of ARPANET.  The satellite imaging that many of us use from Google’s Satellite View has been collected from military images that were only recently released to the public sector.  And many of the security technologies that are used by businesses are based on, if not actual, military and government encryption schemes.  Aerospace, medicine and other industries have also been enhanced my military technologies.  I am not an advocate of war in any way, but wars have happened without asking my permission, so I try to look at any good that comes out of it.  We all know that there are people in the world who will take advantage of others so it’s good to see that there are other people developing technologies that help protect us.  Data encryption schemes protect our personal information and assets such as bank accounts from those who would try to steal.  Imaging technologies like Google’s mapping technologies help emergency personnel locate those in need of medical care more quickly.  I’m sure at this point there are a number of other technologies still being developed by the military, and hope that they will one day become part of the vast pool of resources available to the public domain that help improve our lives and health.  I think that the best way to honour someone who served to protect our country is to look at the lasting improvements that they have given us.

Email is a wonderful tool for communication, both at work and at home.  It's almost as common today to ask for someone's email address as their phone number.  Unfortunately most, if not all, of us have received some form of spam in our mailboxes as well as our intended communications.

Spam is officially known as unsolicited commercial email or UCE.  The more common term "spam" was reportedly borrowed from a Monty Pithon's Flying Circus comedy sketch of the same name.  The connection presumably being the annoying nature and apparent unavoidability of UCE and the similar use of the popular Hormel Foods canned ham in the sketch.  Unlike the food product, email spam comes in a variety of flavours.  Commonly we see prosthetic and drug advertising emails that use constantly changing techniques to attempt to thwart spam filters.  These messages frequently have return email addresses that are non existent or that have been hijacked from some innocent party (sender spoofing).  I'll walk through some methods of sending spam and discuss some techniques to help reduce the amount of spam you receive.

Since spammers, the people who originate spam email, need to protect themselves from being identified and blocked by intended recipients they have had to find ways to send a large number of emails from various locations in a very short period of time.  The most common method of doing this is to use an open mail relay somewhere on the Internet.  An open relay is a mail server that will forward email from anyone (or anyone who knows how to get around security measures) to any potential recipient on the Internet.   In the early days of spamming the sender would usually create a new email account on a large free mail hosting service such as Yahoo! or AOL and send emails to a large list of recipients.  As the hosting companies clamped down on this type of activity they began to use complex scripts with multiple open relay servers and large lists of recipients.  Today most commercial email providers block relaying, but many smaller companies who host their own email servers often don't have the technical skills required to turn off relaying while still allowing their users to send and receive emails that they need to.  The lists of email addresses that spammers send to are created using various methods.  Some companies sell lists of email addresses gathered from their web site.  Since email is sent unencrypted over the Internet, the addresses can often be gathered by "listening" to traffic between servers.  Sometimes they will even send email to random names in an email domain (a domain is the part after the @ in an email address) and see which ones don't bounce back to them (directory harvesting).

A few methods to help avoid spam are to not enter your email address in web forms or use it to enter draws.  In cases where you need to do this, consider creating a "spam account" with one of the online email providers like Yahoo! or GMail.  Use this account when you're dealing with companies on the web that you don't know.  If your Internet provider offers a spam filtering solution it may be worth subscribing to it.  On a larger network where email is hosted in house, an anti spam appliance or dedicated server software are the best defence as they offload the traffic from the mail server.  Some PC based spam filters work well, but they usually need a subscription to keep up to date so they can continue to work effectively.  Spammers are constantly changing their methods so new defences need to be defined and applied.  Junk mailboxes and blacklists that are built into applications such as Microsoft Outlook also help, but they tend to rely on filtering by the sender and these days the sender is changed with every mailing that goes out.

Just make sure you put my email address on your white list.