BlackKnife Security Associates

Protecting Your Home Network: They ARE Out To Get You

by Gurney Halleck

Very few computers are stand-alone today. Even a basic dial-up Internet connection constitutes a network. As broadband becomes more popular, always-on connections create new risks for the home network. Many home users have bandwidth and computing power equal to that of small businesses but lack the expertise to maintain and configure their systems. Recent attacks have shown the ever-increasing exploitation of misconfigured and poorly maintained home systems as spreading points for worms and Denial of Service (DoS) attacks.

The Excuses

Ask anyone involved in computer security and they will tell you that they've heard these excuses time and time again. If you have ever used words like these to avoid being concerned about computer security, you should reevaluate your position.

I'm too small/boring, they wouldn't be interested in me.

They are interested in everyone and everything. They will joyride on your computer and use it as a launching point for attacking other computers, including the government and the military. Now, more often than not, They is a computer program that never gets tired or bored and will attack and invade any computer that it can talk to. You can never be too small or too boring to avoid an attack.

I don't have anything to lose on my computer.

Do you balance your check book or do your taxes with your computer? Do you have bank account numbers, social security numbers, credit card numbers, names and addresses on your computer? Do you have personal and private correspondence on your computer? What if someone used your computer and your email account to send embarrassing or abusive emails to your friends and business associates? Reconsider. Do you still have nothing to lose?

My Internet provider protects me, right?

Basically, no. Unless you are paying for it, it is very unlikely that your service provider is doing anything to protect your computer from network attacks. Service providers are very apprehensive (to say the least) when it comes to policing their own networks. Doing so would set a precedent that could leave them vulnerable to legal action and could cause them to lose their status as a Common Carrier.

My DSL/Cable modem says it's a firewall. I'm OK.

It seems like everyone is calling their network device or product a firewall these days. Very few of these would be considered a firewall by modern security standards. At best they are filtering routers with very loose and minimal filtering rules. At worst, they are back doors into your home network. Professionally maintained firewalls costing thousands of dollars are penetrated daily; how do you think your $99 DSL/Cable modem would fare against an attacker like that?

I have a virus checker so I'm safe.

It may sound like a stupid question, but is it running? Very often people install virus checkers but turn them off for various reasons or have never bothered to set them up properly to scan on a regular basis. When is the last time you updated the virus signature file? There are well over 40,000 known viruses and this number is expected to double every year. It is critical that you follow your vendor's recommendation concerning signature file updates.

Your Computer

While there are literally hundreds of operating systems available, the three most common in use at home are Microsoft Windows, Macintosh and Unix-like (Linux, *BSD). They each have specific risks. There is no single secure operating system. A highly locked down and maintained Windows NT system could be more secure than an unpatched and misconfigured Unix system. While there are certain inherent security advantages or disadvantages for each operating system, the vast majority of security problems are due to poor maintenance and misconfiguration.

Microsoft Windows

Windows 3.x; Windows 95,98,ME; Windows NT,2000, XP

Dangers: Viruses, Worms, and Trojans. Email attachments. Document macro-viruses, Internet downloads, Active content (ActiveX, Java, JavaScript). Win 3.x,9x,ME - User=Administrator. Drive and folder sharing. Web servers (IIS), Mail clients (Outlook, Eudora), Browsers (IE), Poor password encryption, on and on and on...

Apple

Mac OS (through OS9)

Dangers: Document macro-viruses, Internet downloads, Active content, Folder sharing, Web servers. User=Administrator

Unix and Unix Like

Linux, BSD, Mac OSX

Dangers: Misconfiguration, FTP servers, Mail servers, Other servers, Multi-user Platform.

Your Network

Only a few years ago, dial-up was basically the only choice for home user Internet connectivity. Now there is a multitude of high speed, always-on Internet options. Each option carries its own set of risks. Home users should be aware of the specific risks of each network type so that they can pick a technology that fits their security comfort zone. Special attention should be given to broadcast types of networking (cable modem, wireless) where the data can be intercepted by other users of the network system.

Dial-up

Characteristics: Traditional telephone dial-up with modem. Low speed network on demand. Point-to-Point. Dynamic IP.

Dangers: Downloads, Email attachments, Active Web pages, Human error.

Cable Modem

Characteristics: High speed, always on. Shared bandwidth. Dynamic IP.

Dangers: You share your data with your neighbors. DoS and other attacks, File sharing, Web servers and other server applications. Compromise and subversion for automated attacks (DDoS, CodeRed, and Nimda). High speed. Always-on.

DSL and Variants

Characteristics: High speed, always on. Point-to-Point. Dynamic and Static IP.

Dangers: DoS and other attacks, File sharing, Web servers and other server applications. Compromise and subversion for automated attacks (DDoS, CodeRed, Nimda). High speed. Always-on.

Wireless

Characteristics: Medium speed always-on. Dynamic IP. Peer-to-Peer or Access Point. Ad hoc networking. (802.11b and variants, Bluetooth, Ricochet)

Dangers: Broadcast (data is shared with anyone in range), Encryption very weak (compromised), Access controls poorly implemented. Special considerations for mobile devices (laptops, handhelds) - Connections can be made while the system is asleep or while being transported. Always-on.

Satellite and Microwave

Characteristics: Medium to high speed, always on. Dynamic or Fixed IP. Shared Bandwidth.

Dangers: Broadcast (data is shared with anyone in range), no encryption, Broadcast range is very large (city or geographical region), high speed, always-on.

Hybrid Home Networks

Characteristics: Internet connection using a high speed provider. Multiple home computers sharing bandwidth via ethernet or wireless. Home computers behind a router with fixed, dynamic or private IP assignments.

Dangers: Combined dangers of constituent parts.

Protective Measures

Each user has to tailor their level of security. There is always a trade off of security vs. convenience. The following are suggested protective measures. For some these may be too restrictive but for others they may be too lax. You will need to find your own security comfort point.

Viruses, Worms, Trojans

Install and activate virus protection software. Update the virus signature file as recommended by the vendor. Scan (or enable auto scan) email attachments and network downloads. Do not open email attachments unless you trust their origin. Download software only from trusted sources.

Data Loss (disaster, robbery, human error)

Back up important data files to floppy, tape, CD-R or other removable media. Store them like other important documents (safe, safety deposit box). Keep the installation media for your operating system and applications.

Passwords

Use strong passwords: 8+ alpha-numeric characters, no dictionary words (even non-English). Do not use the same password on Windows and Unix systems. Do not leave password visible (written under keyboard, sticky notes on monitor). If you have a lot of passwords: write them down, seal in an envelope and store in a safe place or have a trusted third party hold them for you.

Web Browsers (IE, Netscape)

Use the latest version. Disable auto-execution of downloaded files. Disable or limit the use of ActiveX, Java, and JavaScript. Disable or limit the use of plug-ins (Flash, RealMedia, others). Disable anything less than 128 bit encryption for SSL. Manually verify SSL certificates when connecting to secure sites.

Email Clients (Outlook, Eudora, Netscape Mail)

Use the latest version. Disable auto-execution of attachments. Disable active content in emails (JavaScript). Disable HTML viewing if possible. Do not open attachments from untrusted sources. Scan attachments with a virus scanner. Delete email from unknown senders without viewing it.

Operating System

Apply patches, updates and hotfixes. Read vendor security advisories.

Applications

Apply patches, updates and hotfixes. Read vendor security advisories.

Privacy and Encryption

As you travel the Internet you leave tracks and traces of your activity. Concerns about privacy extend from identity theft to spam lists. As in security, one needs to determine a privacy comfort zone.

Protecting Your Privacy On-Line

Very few things are actually free. Most on-line freebies require you to provide information about yourself. Before providing this information you should consider how it will be used. Review the site's privacy statement and determine with whom and under what circumstances your information will be shared.

Most sites reserve the right to modify their privacy policy without notification. As on-line companies merge, are bought or become bankrupt the control and policies of their customer databases change. Customer data is now considered a corporate asset and is bought and sold as such.

You should never share bank account numbers, credit card numbers, PIN numbers, passwords or your Social Security number either on-line or over the phone with people that don't absolutely require them. There are several good links below regarding when and with whom you should share your Social Security number. Your full name, address and Social Security number are the only things that a criminal needs to commit identity theft.

Browser Cookies and Web Bugs

Browser cookies receive a lot of attention in regards to on-line privacy. Unfortunately, cookies are a minor concern when it comes to web based tracking. There are many legitimate uses for browser cookies but Web Bugs (see links below) are exclusively used for on-line tracking and are much more difficult to control.

HTTP is a stateless protocol. In other words, when you connect to a web server it doesn't remember the last time you connected or what you asked for. Cookies allow the web server to remember who you are and what you've asked for. This is useful for logging in users and allowing users to customize their home pages on services like my.yahoo.com, my.netscape.com and others. Unfortunately they can also be used to track your activity on the site or across multiple sites. The good thing about cookies is that most web browsers allow you to control which cookies you want to accept and with whom you want to share your cookies. You can also delete your browser's cookie file.

Web Bugs are more insidious. They are often invisible image files, either 1 pixel x 1 pixel images or transparent GIF images. Web Bugs can also include web site banner ads. They can be located on web pages, included in HTML formatted email or HTML formatted news group or discussion messages. Web Bugs can identify:

  • The IP address of the computer that fetched the Web bug
  • The URL of the page that the Web bug is located on
  • The URL of the Web bug image
  • The time the Web bug was viewed
  • The type of browser that fetched the Web bug image
  • A previously set cookie value

When Web Bugs are used in HTML formatted email they are used to verify that the email was received and when it was read by the recipient. They can identify the IP of the recipient and determine if the email was forwarded from the original mail box it was sent to. When synchronized with a cookie, they can be used to determine if the recipient clicked through the email to the sender's web page.

In general, it is very difficult to block web bugs since you would have to block the loading of all images in the web browser and email client.
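As an added example (not part of the original article), the following Python scans an HTML-formatted email for the web bugs described above: remote images that are 1x1 or smaller, or that carry a per-recipient token in their URL. The sample message, host names and token names are constructed for illustration; the second function shows the only real countermeasure the article names, refusing to fetch remote images at all.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an HTML mail with an inline (cid:) logo, an ordinary
# remote header image, a 1x1 tracking pixel and a banner ad tagged per recipient.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, see our new offers!</p>
<img src="cid:logo@example.com" width="120" height="40" alt="logo">
<img src="http://www.example.com/images/header.png" width="600" height="80">
<img src="http://tracker.example.net/open.gif?uid=rcpt-8812&msg=42" width="1" height="1">
<img src="http://ads.example.org/banner.jpg?cid=8812" width="468" height="60">
<a href="http://shop.example.com/sale?ref=8812">Shop now</a>
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a declared width/height of 0 or 1 pixel (the classic invisible beacon)."""
    m = re.match(r"^\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_web_bugs(html):
    """Return one report per remote image, flagging the likely web bugs.

    An image is flagged when it is fetched from a remote server AND either its
    declared size is 1x1 or smaller, or its URL carries a query string (typically
    a per-recipient identifier that ties the fetch, and so the open time and IP
    address, to you). Inline cid: images are skipped: fetching them contacts no server.
    """
    parser = ImageCollector()
    parser.feed(html)
    reports = []
    for img in parser.images:
        url = urlparse(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue
        tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
        tokens = parse_qs(url.query)
        reports.append({
            "host": url.hostname,
            "tiny": tiny,
            "tokens": tokens,
            "web_bug": tiny or bool(tokens),
        })
    return reports


def strip_remote_images(html):
    """Defensive rewrite: replace every remote <img src> so viewing the mail fetches nothing."""
    pattern = r'(<img\b[^>]*?\bsrc=")https?://[^"]*(")'
    return re.sub(pattern, r"\g<1>about:blank\g<2>", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    for report in find_web_bugs(SAMPLE_EMAIL_HTML):
        print(report)
    print("after stripping:", find_web_bugs(strip_remote_images(SAMPLE_EMAIL_HTML)))
```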

Encryption

When dealing with sensitive information either stored on disk or sent via email, encryption should be considered. Encryption algorithms scramble data in such a way that it is extremely difficult to recover the original data unless you know a secret key. There are two basic types of encryption methods in use:

Secret Key Encryption

Secret Key encryption (symmetric encryption) is usually familiar to most people. This type of encryption uses one key or pass phrase to both lock and unlock the message. This form of encryption is often used when encrypting files on a disk, since the person that encrypted the file is often the same person that decrypts the file. The problem with secret key encryption is that the key must be kept a secret. When sharing an encrypted file with someone else, the secret key must be given to the other person in a secure manner. Usually we want to share an encrypted document over an untrusted communication line (e.g. email). Since we don't trust the communication line, it does us no good to share the secret key over this line. The secret key must be transmitted out of band (outside the normal communication channel) and in a secure manner.

Public Key Encryption

Public Key encryption (asymmetric encryption) helps us solve the key exchange problem that is encountered with Secret Key encryption. With Public Key encryption there are two keys, a public key and a private key. The public key is used to encrypt the message and the private key is used to decrypt the message. The two keys are mathematically related such that it is extremely difficult to figure out the secret key if you know the public key. Because of this, you can freely share your public key allowing anyone to encrypt messages to you and keep your secret key secret assuring that you are the only one that can decrypt the message. When two people each have a set of keys they can exchange both the encrypted messages and their public keys over an untrusted communication line (e.g. email) and be secure as long as they protect their secret keys.

Probably the best known encryption package is PGP (Pretty Good Privacy), originally developed by Phil Zimmermann and now owned by Network Associates. PGP provides Public Key encryption for exchanging email and Secret Key encryption (PGP Disk) for securing files on a local disk drive. PGP is available for Windows, Mac and Unix.

Also available is GNUPG (GNU Privacy Guard). GNUPG is a free/open source product that was developed using the OpenPGP standard (Phil Zimmermann now works on OpenPGP). It is available in binary form for Windows, Mac and Unix. The source code is also available.

SSL

SSL uses Public Key encryption to secure data between your web browser and a web server. When transferring sensitive data (credit card numbers, passwords, personal information), SSL should be used. SSL URLs start with https:// instead of http://, and browsers usually indicate that an SSL session is in progress by displaying a closed padlock or a color change (check with your browser vendor to see how it indicates an SSL session). It is important that you already be in a secure SSL session before you enter data. Some sites only start the SSL session after you transmit your username and password, allowing them to be sent unencrypted.

When connecting to an SSL protected site, your browser is presented with an electronic certificate for the web site. This certificate identifies the site to the browser. The certificate is signed by a trusted third party, a Certificate Authority (CA), like Verisign or Entrust. Many certificate signers can be identified by your browser automatically. If a signer cannot be identified, the browser will ask you if you want to accept or deny the certificate. A certificate is only as trustworthy as the signer (CA). For some CAs, all you need is a valid credit card to get a signed certificate. A valid, signed certificate is not an indication of trust, only that a company was able to provide a minimal level of identification (a valid credit card number) at the time the certificate was issued. Even if a certificate is automatically accepted by your browser, you may want to manually check your SSL certificates and their signers.

When a browser connects to a web server with SSL, the browser and the server negotiate what type of encryption algorithm and key length they will use for the connection. Most web browsers allow you to select the encryption algorithms and key lengths allowed for an SSL session. It is generally accepted that a key length of 40 bits or less, and the DES encryption algorithm with a 56 bit key, are both insecure. Algorithms with key lengths greater than 40 bits (128 bit RC2, RC4) and Triple DES (168 bit Triple DES) should be used. After disabling the less secure algorithms you may be surprised that some sites don't support this higher level of encryption. You should ask them why they don't.
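As an added example (not from the original article), this Python uses the standard ssl module to express the two client-side checks the SSL section recommends: a connection policy that insists on a verified certificate and refuses cipher suites below 128 bits, and a summary of what to look at when manually checking a site certificate (who it names, who signed it, whether it covers the host you connected to, whether it is currently valid). The certificate dictionary is constructed in the shape `getpeercert()` returns; its names and dates are made up.

```python
import ssl
import time

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns for a
# validated certificate. Organisation names, host names and dates are made up.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Shop Inc"),),
                (("commonName", "www.shop.example"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust Public CA 1"),)),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
    "notBefore": "Jun 15 00:00:00 2024 GMT",
    "notAfter": "Jun 15 00:00:00 2099 GMT",
    "serialNumber": "0123456789ABCDEF",
}

MIN_SYMMETRIC_BITS = 128  # the article's threshold: anything weaker is disabled


def make_strict_client_context():
    """Client context matching the article's browser advice.

    Verify the chain against trusted CAs, check that the certificate name matches
    the host, and allow only >=128-bit symmetric ciphers (OpenSSL's HIGH group).
    40-bit RC2/RC4 and single DES no longer exist in modern OpenSSL; Triple DES,
    which the article still accepted in 2004, is excluded explicitly today.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!3DES")
    return ctx


def weak_ciphers(ctx):
    """Names of enabled cipher suites below the 128-bit threshold (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_SYMMETRIC_BITS]


def _name_attr(rdn_sequence, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def describe_certificate(cert, expected_host, now=None):
    """Summarise what a user should look at when manually checking a site certificate.

    `now` is epoch seconds or an OpenSSL time string like the cert's own fields;
    it defaults to the current time.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    names.add(_name_attr(cert["subject"], "commonName"))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject": _name_attr(cert["subject"], "organizationName"),
        "signer": _name_attr(cert["issuer"], "organizationName"),  # the CA trust rests on
        "signer_cn": _name_attr(cert["issuer"], "commonName"),
        "host_matches": expected_host in names,
        "valid_now": not_before <= now <= not_after,
    }


if __name__ == "__main__":
    context = make_strict_client_context()
    print("weak ciphers still enabled:", weak_ciphers(context))
    print(describe_certificate(SAMPLE_PEER_CERT, "www.shop.example"))
```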

Encryption Snake Oil

In the words of Bruce Schneier (www.counterpane.com):

The problem with bad security is that it looks just like good security. You can't tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality. Both might even use the same algorithms: triple-DES, 1024-bit RSA, etc. Both might use the same protocols, implement the same standards, and have been endorsed by the same industry groups. Yet one is secure and the other is insecure.

As you might guess, encryption algorithms are very complicated mathematical constructions. Without a good understanding of how they work and the proper ways to implement them, even the best intentioned encryption software may be worse than useless. A false sense of security can be more dangerous than a healthy dose of paranoia. The encryption included in word processors, spreadsheets and other office applications is notoriously weak and is broken trivially. Always look for independent reviews of encryption and security packages before making a choice.

Watch Your Back End

When implemented properly, encryption is extremely effective at securing network communication. But just as the chain is only as strong as the weakest link, the security of your information can't be assured solely by strong encryption. Repeatedly, credit card and personal information is exposed not through failings of encryption systems but by poor system configuration and management. These back end systems are the ones that store and manage the personal information that you submit. If these systems are not secure, you are in more danger than if you had not used an encrypted communication link.

The Human Element

We are all taught to trust other people, especially those who appear to know what they are talking about or appear to be in a position of authority. Most people want to be helpful too. We are often willing to bend the rules a little to help out someone who appears to be having trouble or difficulties. Unfortunately, there are those that prey on the trust and kindness of others.

You Are The Weakest Link!

Social Engineering is the art of persuading others to comply with your wants. The Social Engineer (A.K.A. the Con Artist) is out to extract information from you or convince you to take actions that compromise your personal security to their advantage. They may represent themselves as a knowledgeable computer technician or a system administrator for your ISP. They may appear to be confused users of your system who desperately need help. Contact could be through email, over the phone or even in person. They may try to pry information out of you in the name of your own personal security and benefit. Regardless of their appearance or reasons, you need to follow your own policies for releasing personal and sensitive information no matter how they may prey on your sympathy or fears.

Summary

Now that you have heard the bad news and are scared witless, here is the good news: You can take positive steps to improve the security of your home network.

The 10 Things To Do To Solve 99% Of Your Security Problems

  1. Keep Current
    Update your operating system and applications when security fixes are available.
  2. Backup
    Back up your data regularly. Verify that your backups work. Store backups in a safe place.
  3. Virus Protection
    Install and configure virus protection software. Update virus signature file per vendor instructions and at regular intervals.
  4. No Sharing
    Turn off file sharing. If you don't need to be a web, FTP, or file server, turn off these services.
  5. Delete Unknown Attachments/Email/Programs
    If you don't know what it is or don't trust the source of the email, delete it. Don't use pirated software or software from sites you don't trust.
  6. Beware Active Web Content
    Try turning off Java, JavaScript and ActiveX. If you can survive without them or turn them on only when needed, do so. Avoid unnecessary plug-ins. Turn off auto-execution of downloads.
  7. Use Strong Encryption
    Disable weak (<128 bit) SSL. Manually verify SSL certificates. Encrypt sensitive email and documents.
  8. Keep Personal Information Private
    Avoid giving out email, name, address and phone numbers. Never provide your Social Security number or Bank Account numbers to those who don't need them. Pass on the on-line freebies. Beware of on-line scams. Don't discuss personal information in public forums.
  9. Self Audit
    Go through your files and records. Delete or move off your system the ones that you don't need or aren't using. Check with your software vendor for updates. Verify that your virus software is up to date. Review your policies about sharing personal or sensitive information. Check to see if there have been any security or privacy policy changes at the vendors or web sites that you do business with or have accounts with. Verify that you have your backups, original installation media and software licenses stored in a secure place. Figure out where your weaknesses are and make a plan to improve your personal security.
  10. Get Educated
    Check out the security and privacy sites listed. Learn what you can about how your system works and how it is configured. Make educated decisions about security vs. convenience issues. Find out what your software vendor is doing (or not doing) to support your security and privacy. Be aware of new legislation that may impact your security or privacy.

On-Line References

Computer Security Sites

CERIAS: http://www.cerias.purdue.edu/
CERT: http://www.cert.org/
Sans Institute: http://www.sans.org/
Securityfocus: http://www.securityfocus.com/

Home Network Security

CERT Home Network Security: http://www.cert.org/tech_tips/home_networks.html
Eleven Easy Ways to Protect Yourself (while shopping on-line): http://home.netscape.com/security/basics/elevenways.html

Vendor Pages

Microsoft Security Page: http://www.microsoft.com/security/
Apple Security Page: http://www.apple.com/support/security/
Redhat Linux Security Page: http://www.redhat.com/apps/support/errata/
Sun Security Page: http://www.sun.com/products-n-solutions/software/security/
Netscape, Understanding Security and Privacy: http://www.netscape.com/security/basics/index.html

Mailing Lists

Bugtraq: http://www.securityfocus.com
NTBugtraq: http://www.ntbugtraq.com/
CERT Advisories: http://www.cert.org/contact_cert/certmaillist.html

Windows Specific

Windows Security Guide: http://www.winguides.com/security/
NTSecurity: http://www.ntsecurity.net/

Encryption

Network Associates PGP: http://www.pgp.com/
GNU Privacy Guard (GNUPG): http://www.gnupg.org/
Counterpane: http://www.counterpane.com/
Crypto-Gram Newsletter, Snake Oil: http://www.counterpane.com/crypto-gram-9902.html
Avoiding bogus encryption products: Snake Oil FAQ: http://www.faqs.org/faqs/cryptography-faq/snake-oil/

Privacy

Electronic Frontier Foundation (EFF): http://www.eff.org/
Electronic Privacy Information Center (EPIC): http://www.epic.org/
Privacy and Your Social Security Number: http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
Your (Social Security) Number And Card: http://www.ssa.gov/pubs/10002.html
Web Bug Basics: http://www.privacyfoundation.org/resources/webbug.asp
Cookie Central: http://www.cookiecentral.com

Home Networking

DSL Reports: http://www.dslreports.com/
The Navas Group: http://navasgrp.home.att.net/

Last modified: Sun Oct 31 20:18:12 PST 2004

©BlackKnife Security Associates