Protecting Your Home Network: They ARE Out To Get You
by Gurney Halleck
Very few computers are stand-alone today. Even a basic dial-up
Internet connection constitutes a network. As broadband becomes
more popular, always-on connections create new risks for the home
network. Many home users have bandwidth and computing power equal
to that of small businesses but lack the expertise to maintain and
configure their systems. Recent attacks have shown the
ever-increasing exploitation of misconfigured and poorly maintained
home systems as spreading points for worms and Denial of Service
(DoS) attacks.
The Excuses
Ask anyone involved in computer security and they will tell you
that they've heard these excuses time and time again. If you have
ever used words like these to avoid being concerned about computer
security, you should reevaluate your position.
- I'm too small/boring, they wouldn't be interested in me.
  They are interested in everyone and everything. They will
  joyride on your computer and use it as a launching point for
  attacking other computers, including the government and the
  military. Now, more often than not, "They" is a computer program
  that never gets tired or bored and will attack and invade any
  computer that it can talk to. You can never be too small or too
  boring to avoid an attack.
- I don't have anything to lose on my computer.
  Do you balance your check book or do your taxes with your
  computer? Do you have bank account numbers, social security
  numbers, credit card numbers, names and addresses on your
  computer? Do you have personal and private correspondence on
  your computer? What if someone used your computer and your email
  account to send embarrassing or abusive emails to your friends
  and business associates? Reconsider. Do you still have nothing
  to lose?
- My Internet provider protects me, right?
  Basically, no. Unless you are paying for it, it is very
  unlikely that your service provider is doing anything to protect
  your computer from network attacks. Service providers are very
  apprehensive (to say the least) when it comes to policing their
  own networks. Doing so would set a precedent that could leave
  them vulnerable to legal action and could cause them to lose
  their status as a Common Carrier.
- My DSL/Cable modem says it's a firewall. I'm OK.
  It seems like everyone is calling their network device
  or product a firewall these days. Very few of these would be
  considered a firewall by modern security standards. At best they
  are filtering routers with very loose and minimal filtering
  rules. At worst, they are back doors into your home
  network. Professionally maintained firewalls costing thousands
  of dollars are penetrated daily; how do you think your $99
  DSL/Cable modem would fare against an attacker like this?
- I have a virus checker so I'm safe.
  It may sound like a stupid question, but is it running?
  Very often people install virus checkers but turn them off for
  various reasons or have never bothered to set them up properly
  to scan on a regular basis. When is the last time you updated
  the virus signature file? There are well over 40,000 known
  viruses and this value is expected to double every year. It is
  critical that you follow your vendor's recommendation concerning
  signature file updates.
Your Computer
While there are literally hundreds of operating systems available,
the three most common in use at home are Microsoft Windows,
Macintosh and Unix-like (Linux, *BSD). Each has specific
risks. There is no single secure operating system. A highly locked
down and maintained Windows NT system could be more secure than an
unpatched and misconfigured Unix system. While each operating
system has certain inherent security advantages or disadvantages,
the vast majority of security problems are due to poor
maintenance and misconfiguration.
- Microsoft Windows
  Windows 3.x; Windows 95, 98, ME; Windows NT, 2000, XP
  Dangers: Viruses, Worms, and Trojans. Email
  attachments. Document macro-viruses, Internet downloads,
  Active content (ActiveX, Java, JavaScript). Win 3.x, 9x, ME:
  User=Administrator. Drive and folder sharing. Web servers
  (IIS), Mail clients (Outlook, Eudora), Browsers (IE), Poor
  password encryption, on and on and on...
- Apple
  Mac OS (through OS 9)
  Dangers: Document macro-viruses, Internet downloads, Active
  content, Folder sharing, Web servers. User=Administrator.
- Unix and Unix-like
  Linux, BSD, Mac OS X
  Dangers: Misconfiguration, FTP servers, Mail servers, Other
  servers, Multi-user platform.
Your Network
Only a few years ago, dial-up was basically the only choice for
home user Internet connectivity. Now there is a multitude of high
speed, always-on Internet options. Each option carries its own
set of risks. Home users should be aware of the specific risks of
each network type so that they can pick a technology that fits
their security comfort zone. Special attention should be given to
broadcast types of networking (cable modem, wireless) where the
data can be intercepted by other users of the network system.
- Dial-up
  Characteristics: Traditional telephone dial-up with
  modem. Low speed network on demand. Point-to-Point. Dynamic
  IP.
  Dangers: Downloads, Email attachments, Active Web pages,
  Human error.
- Cable Modem
  Characteristics: High speed, always on. Shared
  bandwidth. Dynamic IP.
  Dangers: You share your data with your neighbors. DoS
  and other attacks, File sharing, Web servers and other server
  applications. Compromise and subversion for automated attacks
  (DDoS, CodeRed, and Nimda). High speed. Always-on.
- DSL and Variants
  Characteristics: High speed, always
  on. Point-to-Point. Dynamic and Static IP.
  Dangers: DoS and other attacks, File sharing, Web servers
  and other server applications. Compromise and subversion for
  automated attacks (DDoS, CodeRed, Nimda). High
  speed. Always-on.
- Wireless
  Characteristics: Medium speed, always-on. Dynamic
  IP. Peer-to-Peer or Access Point. Ad hoc networking. (802.11b and
  variants, Bluetooth, Ricochet)
  Dangers: Broadcast (data is shared with anyone in
  range), Encryption very weak (compromised), Access controls
  poorly implemented. Special considerations for mobile devices
  (laptops, handhelds): connections can be made while the system
  is asleep or while being transported. Always-on.
- Satellite and Microwave
  Characteristics: Medium to high speed, always on. Dynamic or
  Fixed IP. Shared Bandwidth.
  Dangers: Broadcast (data is shared with anyone in
  range), no encryption, Broadcast range is very large (city or
  geographical region), high speed, always-on.
- Hybrid Home Networks
  Characteristics: Internet connection using a high speed
  provider. Multiple home computers sharing bandwidth via ethernet
  or wireless. Home computers behind a router with fixed, dynamic or
  private IP assignments.
  Dangers: Combined dangers of constituent parts.
Protective Measures
Each user has to tailor their level of security. There is always a
trade-off of security vs. convenience. The following are suggested
protective measures. For some these may be too restrictive but for
others they may be too lax. You will need to find your own security
comfort point.
- Viruses, Worms, Trojans
  Install and activate virus protection software. Update the
  virus signature file as recommended by the vendor. Scan (or
  enable auto scan) email attachments and network downloads. Do
  not open email attachments unless you trust their
  origin. Download software only from trusted sources.
- Data Loss (disaster, robbery, human error)
  Back up important data files to floppy, tape, CD-R or other
  removable media. Store them like other important documents (safe,
  safe deposit box). Keep installation media for the operating
  system and applications.
- Passwords
  Use strong passwords: 8+ alpha-numeric characters, no
  dictionary words (even non-English). Do not use the same
  password on Windows and Unix systems. Do not leave passwords
  visible (written under the keyboard, sticky notes on the
  monitor). If you have a lot of passwords: write them down, seal
  them in an envelope and store it in a safe place, or have a
  trusted third party hold them for you.
- Web Browsers (IE, Netscape)
  Use the latest version. Disable auto-execution of
  downloaded files. Disable or limit the use of ActiveX, Java,
  and JavaScript. Disable or limit the use of plug-ins (Flash,
  RealMedia, others). Disable anything less than 128 bit encryption
  for SSL. Manually verify SSL certificates when connecting to
  secure sites.
- Email Clients (Outlook, Eudora, Netscape Mail)
  Use the latest version. Disable auto-execution of
  attachments. Disable active content in emails
  (JavaScript). Disable HTML viewing if possible. Do not open
  attachments from untrusted sources. Scan attachments with a
  virus scanner. Delete email from unknown senders without
  viewing it.
- Operating System
  Apply patches, updates and hotfixes. Read vendor
  security advisories.
- Applications
  Apply patches, updates and hotfixes. Read vendor
  security advisories.
Privacy and Encryption
As you travel the Internet you leave tracks and traces of your
activity. Concerns about privacy extend from identity theft to
spam lists. As in security, one needs to determine a privacy
comfort zone.
Protecting Your Privacy On-Line
Very few things are actually free. Most on-line freebies require
you to provide information about yourself. Before providing this
information you should consider how it will be used. Review the
site's privacy statement and determine with whom and under what
circumstances your information will be shared.
Most sites reserve the right to modify their privacy policy
without notification. As on-line companies merge, are bought or
become bankrupt the control and policies of their customer
databases change. Customer data is now considered a corporate
asset and is bought and sold as such.
You should never share bank account numbers, credit card
numbers, PINs, passwords or your Social Security number
either on-line or over the phone with people that don't absolutely
require it. There are several good links below regarding when and
with whom you should share your Social Security number. Your full
name, address and Social Security number are the only things that
a criminal needs to commit identity theft.
Browser Cookies and Web Bugs
Browser cookies receive a lot of attention in regards to on-line
privacy. Unfortunately, cookies are a minor concern when it comes
to web based tracking. There are many legitimate uses for browser
cookies but Web Bugs (see links below) are exclusively used for
on-line tracking and are much more difficult to control.
HTTP is a stateless protocol. In other words, when you connect
to a web server it doesn't remember the last time you connected or
what you asked for. Cookies allow the web server to remember who
you are and what you've asked for. This is useful for logging in
users and allowing users to customize their home pages on services
like my.yahoo.com, my.netscape.com and others. Unfortunately they
can also be used to track your activity on the site or across
multiple sites. The good thing about cookies is that most web
browsers allow you to control which cookies you want to accept and
with whom you want to share your cookies. You can also delete your
browser's cookie file.
Web Bugs are more insidious. They are often invisible image
files, either 1 pixel by 1 pixel images or transparent GIF
images. Web Bugs can also include web site banner ads. They can
be located on web pages, included in HTML formatted email or HTML
formatted news group or discussion messages. Web Bugs can
identify:
- The IP address of the computer that fetched the Web bug
- The URL of the page that the Web bug is located on
- The URL of the Web bug image
- The time the Web bug was viewed
- The type of browser that fetched the Web bug image
- A previously set cookie value
When Web Bugs are used in HTML formatted email they are used to
verify that the email was received and when it was read by the
recipient. They can identify the IP of the recipient and determine
if the email was forwarded from the original mailbox it was sent
to. When synchronized with a cookie, a Web Bug can be used to
determine if the recipient clicked through the email to the
sender's web page.
In general, it is very difficult to block web bugs since you
would have to block the loading of all images in the web browser
and email client.
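As an added illustration (not part of the original article), the following Python script parses a constructed HTML email with the standard library and flags the two patterns described above: tiny remote images and remote banner images that carry an identifying query string. All host names in the sample are made up.

```python
"""Flag likely Web Bugs (tracking images) in HTML email or web pages.

Added example; the sample HTML below is constructed for illustration
and every host name in it is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a newsletter-style HTML email containing one
# inline logo, one tracking pixel, one remotely served banner ad and
# one ordinary remote photo.
SAMPLE_EMAIL_HTML = """
<html><body>
  <p>Thanks for subscribing!</p>
  <img src="cid:logo@example-newsletter.invalid" width="200" height="60">
  <img src="http://track.example-ads.invalid/pixel.gif?u=ab12&msg=8871"
       width="1" height="1">
  <img src="http://ads.example-ads.invalid/banner.gif?campaign=spring"
       width="468" height="60">
  <img src="http://img.example-photos.invalid/vacation.jpg"
       width="400" height="300">
</body></html>
"""

def _dimension(value):
    """Parse a width/height attribute such as "1" or "1px"; None if unknown."""
    if value is None:
        return None
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return int(digits) if digits else None

class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def find_web_bugs(html_text):
    """Return one record per <img> that looks like a tracking image.

    An image is flagged when it is fetched from a remote host AND either
    is tiny (1x1 or smaller) or carries an identifying query string, the
    two patterns the article describes (invisible GIFs and banner ads).
    """
    parser = ImageCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.images:
        parts = urlsplit(attrs.get("src") or "")
        if parts.scheme not in ("http", "https"):
            continue  # inline (cid:) or local images reveal nothing remotely
        width = _dimension(attrs.get("width"))
        height = _dimension(attrs.get("height"))
        tiny = width is not None and height is not None and width <= 1 and height <= 1
        tagged = bool(parts.query)
        if tiny or tagged:
            findings.append({
                "host": parts.hostname,
                "tiny": tiny,
                "query": parts.query,
                # What the remote host learns when the image is fetched,
                # as listed in the article.
                "reveals": ["IP address", "fetch time", "browser type",
                            "referring page URL",
                            "any previously set cookie for " + parts.hostname],
            })
    return findings

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL_HTML):
        kind = "1x1 pixel" if bug["tiny"] else "tagged image"
        print(f"{kind} from {bug['host']} (query: {bug['query']!r})")
```

The same check applied to a rendered web page catches the invisible images the article describes; only the inline logo and the untagged photo pass.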
Encryption
When dealing with sensitive information either stored on disk
or sent via email, encryption should be considered. Encryption
algorithms scramble data in such a way that it is extremely
difficult to recover the original data unless you know a secret
key. There are two basic types of encryption methods in use:
- Secret Key Encryption
  Secret Key encryption (symmetric encryption) is the form most
  people are familiar with. This type of encryption uses one key or
  pass phrase to both lock and unlock the message. This form of
  encryption is often used when encrypting files on a disk since
  the person that encrypted the file is often the same person that
  decrypts the file. The problem with secret key encryption is
  that the key must be kept a secret. When sharing an encrypted
  file with someone else, the secret key must be given to the
  other person in a secure manner. Usually we want to share an
  encrypted document over an untrusted communication line
  (e.g. email). Since we don't trust the communication line it does
  us no good to share the secret key over this line. The secret
  key must be transmitted out of band (outside the normal
  communication channel) and in a secure manner.
- Public Key Encryption
  Public Key encryption (asymmetric encryption) helps us solve
  the key exchange problem that is encountered with Secret Key
  encryption. With Public Key encryption there are two keys, a
  public key and a private (secret) key. The public key is used to
  encrypt the message and the private key is used to decrypt the
  message. The two keys are mathematically related such that it is
  extremely difficult to figure out the secret key if you know the
  public key. Because of this, you can freely share your public
  key, allowing anyone to encrypt messages to you, and keep your
  secret key secret, assuring that you are the only one that can
  decrypt the message. When two people each have a set of keys
  they can exchange both the encrypted messages and their public
  keys over an untrusted communication line (e.g. email) and be
  secure as long as they protect their secret keys.
Probably the best known encryption package is PGP (Pretty Good
Privacy), originally developed by Phil Zimmermann and now owned by
Network Associates. PGP provides Public Key encryption for
exchanging email and Secret Key encryption (PGP Disk) for securing
files on a local disk drive. PGP is available for Windows, Mac and
Unix.
Also available is GNUPG (GNU Privacy Guard). GNUPG is a
free/open source product that was developed using the OpenPGP
standard (Phil Zimmermann now works on OpenPGP). It is available in
binary form for Windows, Mac and Unix. The source code is also
available.
SSL
SSL uses Public Key encryption to secure data between your web
browser and a web server. When transferring sensitive data
(credit card numbers, passwords, personal information), SSL should
be used. SSL URLs start with https:// instead of http:// and
browsers usually indicate that an SSL session is in progress by
displaying a closed padlock or a color change (check with your
browser vendor to see how it indicates an SSL session). It is
important that you already be in a secure SSL session before you
enter data. Some sites may only start the SSL session after you
transmit your username and password, allowing them to be sent
unencrypted.
When connecting to an SSL-protected site, your browser is
presented with an electronic certificate for the web site. This
certificate identifies the site to the browser. The certificate
is signed by a trusted third party, a Certificate Authority
(CA), like Verisign or Entrust. Many certificate signers can be
identified by your browser automatically. If a signer cannot be
identified, the browser will ask you if you want to accept or
deny the certificate. A certificate is only as trustworthy as
the signer (CA). For some CAs, all you need is a valid credit
card to get a signed certificate. A valid, signed certificate is
not an indication of trust, only that a company was able to
provide a minimal level of identification (a valid credit card
number) at the time the certificate was issued. Even if a
certificate is automatically accepted by your browser, you may
want to manually check your SSL certificates and their signers.
When a browser connects to a web server with SSL, the browser
and the server negotiate what type of encryption algorithm and
key length they will use for the connection. Most web browsers
allow you to select the encryption algorithms and key lengths
allowed for an SSL session. It is generally accepted that a key
length of 40 bits or less, and the DES encryption algorithm with
a 56 bit key, are both insecure. Algorithms with key lengths
greater than 40 bits (128 bit RC2, RC4) and Triple DES (168 bit
Triple DES) should be used. After disabling the less secure
algorithms you may be surprised that some sites don't support
this higher level of encryption. You should ask them why
they don't.
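The following Python script, added here and not from the original article, applies this advice with the standard library's ssl module: it builds a client context that refuses anything under 128-bit encryption (using today's OpenSSL cipher names rather than the RC2/RC4 names above) and shows how to read a certificate's subject and signer for the manual check the previous section recommends. The certificate dictionary is constructed in the format getpeercert() returns, and its names are made up.

```python
"""Apply the article's "disable weak SSL" advice with Python's ssl module.

Added example, not from the original article. The certificate below is
constructed; the site and CA names in it are made up.
"""
import ssl

MIN_STRENGTH_BITS = 128  # the article's threshold for acceptable SSL

def strong_client_context():
    """A client context that negotiates only >=128-bit ciphers over TLS 1.2+.

    The OpenSSL cipher string keeps the HIGH group and explicitly drops the
    algorithms the article calls insecure (RC4, single and triple DES) plus
    anonymous and null suites; TLS 1.3 suites are all >=128 bits already.
    """
    ctx = ssl.create_default_context()          # verifies certificates by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx

def weak_ciphers(ctx):
    """Names of enabled ciphers below the threshold; empty means none remain."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_STRENGTH_BITS]

# Constructed example in the nested-tuple format SSLSocket.getpeercert()
# returns for a verified connection.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example-store.invalid"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust Public CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "serialNumber": "0123456789ABCDEF",
}

def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None

def describe_certificate(cert):
    """Summarise who a certificate names and who signed it, for manual review.

    As the article notes, a valid signature only shows that the signer
    vouched for the name; whether you trust that signer is your decision.
    """
    return {
        "site": _rdn_value(cert["subject"], "commonName"),
        "signer": _rdn_value(cert["issuer"], "organizationName"),
        "valid_until": cert["notAfter"],
    }

if __name__ == "__main__":
    ctx = strong_client_context()
    print("weak ciphers still enabled:", weak_ciphers(ctx) or "none")
    print(describe_certificate(SAMPLE_CERT))
```

In a real connection, `ctx.wrap_socket(sock, server_hostname=host).getpeercert()` supplies the dictionary that describe_certificate() inspects, and a server that offers nothing in the allowed set fails the handshake, which is the same effect the article describes for browsers with weak algorithms disabled.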
Encryption Snake Oil
In the words of Bruce Schneier (www.counterpane.com):
"The problem with bad security is that it looks just like good
security. You can't tell the difference by looking at the
finished product. Both make the same security claims; both have
the same functionality. Both might even use the same algorithms:
triple-DES, 1024-bit RSA, etc. Both might use the same
protocols, implement the same standards, and have been endorsed
by the same industry groups. Yet one is secure and the other is
insecure."
As you might guess, encryption algorithms are very complicated
mathematical equations. Without a good understanding of how they
work and the proper ways to implement them, even the best
intentioned encryption software may be worse than useless. A false
sense of security can be more dangerous than a healthy dose of
paranoia. The encryption included in word processors, spreadsheets
and other office applications is notoriously weak and is broken
trivially. Always look for independent reviews of encryption
and security packages before making a choice.
Watch Your Back End
When implemented properly, encryption is extremely effective at
securing network communication. But just as the chain is only as
strong as the weakest link, the security of your information
can't be assured solely by strong encryption. Repeatedly, credit
card and personal information is exposed not through failings of
encryption systems but by poor system configuration and
management. These back end systems are the ones that store and
manage the personal information that you submit. If these
systems are not secure, you are in more danger than if you had
not used an encrypted communication link.
The Human Element
We are all taught to trust other people, especially those who
appear to know what they are talking about or appear to be in a
position of authority. Most people want to be helpful too. We
are often willing to bend the rules a little to help out someone
who appears to be having trouble or difficulties. Unfortunately,
there are those that prey on the trust and kindness of others.
You Are The Weakest Link!
Social Engineering is the art of persuading others to comply
with your wants. The Social Engineer (A.K.A. the Con Artist) is
out to extract information from you or convince you to take
actions that can compromise your personal security to their
advantage. They may represent themselves as a knowledgeable
computer technician or a system administrator for your ISP. They
may appear to be confused users of your system who desperately
need help. Contact could be through email, over the phone or
even in person. They may try to pry information out of you in
the name of your own personal security and benefit. Regardless
of their appearance or reasons, you need to follow your own
policies for releasing personal and sensitive information no
matter how they may prey on your sympathy or fears.
Summary
Now that you have heard the bad news and are scared witless, here is
the good news: You can take positive steps to improve the
security of your home network.
The 10 Things To Do To Solve 99% Of Your Security Problems
- Keep Current
  Update your operating system and applications when
  security fixes are available.
- Backup
  Back up your data regularly. Verify that your backups
  work. Store backups in a safe place.
- Virus Protection
  Install and configure virus protection software. Update the
  virus signature file per vendor instructions and at regular
  intervals.
- No Sharing
  Turn off file sharing. If you don't need to be a web,
  FTP, or file server, turn off these services.
- Delete Unknown Attachments/Email/Programs
  If you don't know what it is or don't trust the source
  of the email, delete it. Don't use pirated software or
  software from sites you don't trust.
- Beware Active Web Content
  Try turning off Java, JavaScript and ActiveX. If you can
  survive without them or turn them on only when needed, do
  so. Avoid unnecessary plug-ins. Turn off auto-execution of
  downloads.
- Use Strong Encryption
  Disable weak (<128 bit) SSL. Manually verify SSL
  certificates. Encrypt sensitive email and documents.
- Keep Personal Information Private
  Avoid giving out email, name, address and phone
  numbers. Never provide your Social Security number or bank
  account numbers to those who don't need them. Pass on the
  on-line freebies. Beware of on-line scams. Don't discuss
  personal information in public forums.
- Self Audit
  Go through your files and records. Delete or move off
  your system the ones that you don't need or aren't
  using. Check with your software vendor for updates. Verify
  that your virus software is up to date. Review your policies
  about sharing personal or sensitive information. Check to
  see if there have been any security or privacy policy changes
  with the vendors or web sites that you do business with or
  have accounts with. Verify that you have your backups,
  original installation media and software licenses stored in
  a secure place. Figure out where your weaknesses are and
  make a plan to improve your personal security.
- Get Educated
  Check out the security and privacy sites listed. Learn
  what you can about how your system works and how it is
  configured. Make educated decisions about security vs.
  convenience issues. Find out what your software vendor is
  doing (or not doing) to support your security and
  privacy. Be aware of new legislation that may impact your
  security or privacy.
On-Line References
Computer Security Sites
CERIAS: http://www.cerias.purdue.edu/
CERT: http://www.cert.org/
SANS Institute: http://www.sans.org/
Securityfocus: http://www.securityfocus.com/
Home Network Security
CERT Home Network Security: http://www.cert.org/tech_tips/home_networks.html
Eleven Easy Ways to Protect Yourself (while shopping on-line): http://home.netscape.com/security/basics/elevenways.html
Vendor Pages
Microsoft Security Page: http://www.microsoft.com/security/
Apple Security Page: http://www.apple.com/support/security/
Redhat Linux Security Page: http://www.redhat.com/apps/support/errata/
Sun Security Page: http://www.sun.com/products-n-solutions/software/security/
Netscape, Understanding Security and Privacy: http://www.netscape.com/security/basics/index.html
Mailing Lists
Bugtraq: http://www.securityfocus.com
NTBugtraq: http://www.ntbugtraq.com/
CERT Advisories: http://www.cert.org/contact_cert/certmaillist.html
Windows Specific
Windows Security Guide: http://www.winguides.com/security/
NTSecurity: http://www.ntsecurity.net/
Encryption
Network Associates PGP: http://www.pgp.com/
GNU Privacy Guard (GNUPG): http://www.gnupg.org/
Counterpane: http://www.counterpane.com/
Crypto-Gram Newsletter, Snake Oil: http://www.counterpane.com/crypto-gram-9902.html
Avoiding bogus encryption products: Snake Oil FAQ: http://www.faqs.org/faqs/cryptography-faq/snake-oil/
Privacy
Electronic Frontier Foundation (EFF): http://www.eff.org/
Electronic Privacy Information Center (EPIC): http://www.epic.org/
Privacy and Your Social Security Number: http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
Your (Social Security) Number And Card: http://www.ssa.gov/pubs/10002.html
Web Bug Basics: http://www.privacyfoundation.org/resources/webbug.asp
Cookie Central: http://www.cookiecentral.com
Home Networking
DSL Reports: http://www.dslreports.com/
The Navas Group: http://navasgrp.home.att.net/
Last modified: Sun Oct 31 20:18:12 PST 2004