Security Corner:

April, 2008

Apr 27 2008   4:29PM GMT

Your Wallet is the Best Password Manager



Posted by: Ken Harthun
Security, Password, Security management, Browser

Although I use them for sites that don’t require much security, password managers are something I generally stay away from. Why? Because they store the information on my hard drive or a website, both of which could be compromised by a determined hacker. Even a relatively unsophisticated hacker could exploit an unpatched vulnerability, leaving my passwords open to inspection. My personal security policy is to make it as hard as possible for someone to get to my passwords.

I write them down and keep them in my wallet.

Yes, that is the most secure “password manager” there is. No one can get to your wallet from the Internet or your PC. Passwords written on a piece of paper and stored in your wallet are nearly impossible to compromise; someone would have to steal your wallet (or you’d have to lose it) to get at them. How likely is that? I’m 55 years old and have never lost my wallet or had one stolen. Just be sure not to write down your username with the passwords.

Apr 27 2008   4:02PM GMT

If Your Laptop is Stolen, Will Your Identity be Stolen?



Posted by: Ken Harthun
Security, Portable computing, Encryption, Mobile, Security maxim

We frequently hear news of a laptop holding sensitive information having been stolen. Bad in itself, but the reports often note that the information was unencrypted. Doubly bad. The news rarely focuses on personal laptop thefts, however, because there’s no news value in reporting the loss of Joe Citizen’s personal files; nothing of value there, they think. But Joe’s entire life savings may soon be wiped out if he has ever used that laptop for online banking or other financial transactions.

Recently, a friend of mine (who shall remain nameless for security reasons) had his laptop stolen out of his car. Fortunately, he had just purchased it and there was nothing of value on it, but there could have been; he’s an oil company executive. Modern thieves know that if they can get their hands on a computer holding sensitive information — particularly bank or credit card information — they can sell that computer for tens or hundreds of times the value of the hardware. The hardware is virtually worthless to them. From the thief’s point of view, any laptop sitting on the seat or floor of a decent car, or a desktop PC in a middle class home office, could belong to someone who has access to valuable information.

But, if the data is encrypted, the thief is out of luck.

I’ll cover physical security later. For now, I present Maxim #7:

If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an unguessable passphrase as the encryption key.


Apr 17 2008   7:05PM GMT

Top Five Personal Firewalls



Posted by: Ken Harthun
Security, Firewalls, Vulnerabilities, Intrusion prevention, HIPS, Intrusion detection

How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:

  1. Comodo Firewall Pro 3.0.21.329 (Free)
  2. Online Armor Personal Firewall 2.1.0.119 ($40, Free version available)
  3. ProSecurity 1.43 ($30 single PC home user, $40 household)
  4. Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
  5. Kaspersky Internet Security 7.0.1.325 ($80/year for 3 PCs)

The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.


Apr 15 2008   1:45PM GMT

Tighten Security With Your Hosts File



Posted by: Ken Harthun
Security, Microsoft Windows, Browser, Networking

Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the mvps.org hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.

Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the mvps.org site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the mvps.org site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.
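A downloaded HOSTS file deserves a quick look before it is installed: every entry should blackhole a name (0.0.0.0 or 127.0.0.1), and any line pointing a name at a real address would redirect that site rather than block it. The check below is an added example, not the FaltronSoft utility or the mvps.org file; the sample HOSTS text is constructed to show the format, a duplicate, and one such stray entry.

```python
import ipaddress

# Constructed sample in the mvps.org layout: comments, one blackhole address per
# blocked name, a duplicate, and one line that sends a bank's name to a real IP.
SAMPLE_HOSTS = """\
# Constructed sample; the real mvps.org file is far longer
127.0.0.1  localhost
0.0.0.0  ads.example.net
0.0.0.0  tracker.example.org  # [Tracking]
0.0.0.0  ads.example.net
203.0.113.9  online.bank.example
"""
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        ip, *names = fields
        ipaddress.ip_address(ip)  # ValueError on a malformed address
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Split a downloaded list into blackholed names and entries that point elsewhere.

    Anything in the second list would redirect a real site rather than block it,
    so it should be reviewed before the file is installed.
    """
    entries = [(ip, n) for ip, n in parse_hosts(text) if n != "localhost"]
    blocked = {n for ip, n in entries if ip in BLACKHOLE}
    hijacks = [(ip, n) for ip, n in entries if ip not in BLACKHOLE]
    return blocked, hijacks


def is_blocked(hostname, blocked):
    """HOSTS matching is exact: a blocked parent does not cover its subdomains."""
    return hostname.lower().rstrip(".") in blocked


def render_hosts(blocked):
    """Produce a clean, de-duplicated file body ready to install."""
    lines = ["127.0.0.1 localhost"] + [f"0.0.0.0 {n}" for n in sorted(blocked)]
    return "\n".join(lines) + "\n"
```

Note that `is_blocked` shows the HOSTS file's main limitation: it only matches names exactly, so a subdomain the list does not name still resolves normally.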


Apr 9 2008   9:11PM GMT

How to Prevent DNS Rebinding Attacks



Posted by: Ken Harthun
Security, Browser, Firewalls, Password, Networking, Routers

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive, has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.
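The filter Ulevitch describes can be expressed as a simple rule on the resolver: an answer for a name outside your own network must not resolve to an address inside it. The code below is an added illustration of that rule, not OpenDNS's implementation; the sample answers are constructed, and the `INTERNAL_SUFFIXES` allow-list for your own local zone is an assumption.

```python
import ipaddress

# Constructed answers as (queried name, addresses returned). The last two mimic
# the second lookup in a rebinding attack: an outside name pointing inside the LAN.
SAMPLE_ANSWERS = [
    ("www.example.com", ["93.184.216.34"]),
    ("opendns.com", ["208.67.222.222", "2620:0:ccc::2"]),
    ("router.lan", ["192.168.1.1"]),
    ("rebind.example.net", ["192.168.1.1"]),
    ("rebind.example.net", ["127.0.0.1", "10.0.0.5"]),
]

# Assumed local zone: names under these suffixes may legitimately resolve
# to internal addresses; everything else must not.
INTERNAL_SUFFIXES = (".lan", ".home.arpa")


def is_internal_address(addr):
    """True for private, loopback, link-local, unspecified and reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def filter_response(qname, addresses):
    """Apply the rebinding rule to one answer: an external name that resolves to
    an internal host loses those records. Returns (kept, dropped)."""
    name = qname.lower().rstrip(".")
    if name.endswith(INTERNAL_SUFFIXES):
        return list(addresses), []
    dropped = [a for a in addresses if is_internal_address(a)]
    kept = [a for a in addresses if a not in dropped]
    return kept, dropped


def audit(answers):
    """Run a batch of answers through the filter; map each blocked name to the
    addresses that were stripped so the event can be logged or alerted on."""
    blocked = {}
    for qname, addrs in answers:
        _, dropped = filter_response(qname, addrs)
        if dropped:
            blocked.setdefault(qname, []).extend(dropped)
    return blocked
```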


Apr 7 2008   8:46PM GMT

Make Your Own Paper Enigma Machine



Posted by: Ken Harthun
Cryptography, Security, Encryption

The Enigma cipher machine was a very cool electromechanical device for producing polyalphabetic ciphers that reached its heyday during World War II. The original surviving devices are all in museums or private collections, but you can make a paper version. This site: http://mckoss.com/Crypto/Enigma.htm will let you print one out and play with it.

Using the paper version is tedious, though, so you might want to check out this cool simulation that you can install on your PC. There’s also an online Flash-based simulation.
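If you would rather see the mechanics in code than on paper, here is an added example (not the paper model or either simulator linked above) of a three-rotor Enigma I with the historical wirings of rotors I, II and III and reflector B; it assumes ring settings at A and no plugboard, and it reproduces the rotor stepping, including the middle rotor's double step.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Historical wirings of Enigma I rotors I-III and reflector B. The notch is the
# letter showing in the window when the rotor carries the one to its left along.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    def __init__(self, rotor_names, positions):
        # Both arguments read left to right, e.g. ("I", "II", "III") and "AAA";
        # ring settings are fixed at A and there is no plugboard.
        self.wirings = [ROTORS[n][0] for n in rotor_names]
        self.notches = [ALPHABET.index(ROTORS[n][1]) for n in rotor_names]
        self.pos = [ALPHABET.index(p) for p in positions]

    def _step(self):
        # Rotors step before each letter; a middle rotor on its notch advances
        # itself and the left rotor (the well-known double step).
        if self.pos[1] == self.notches[1]:
            self.pos[1] = (self.pos[1] + 1) % 26
            self.pos[0] = (self.pos[0] + 1) % 26
        elif self.pos[2] == self.notches[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _through(self, idx, c, forward):
        # Pass contact c through rotor idx, allowing for its current rotation.
        wiring, offset = self.wirings[idx], self.pos[idx]
        shifted = (c + offset) % 26
        out = ALPHABET.index(wiring[shifted]) if forward else wiring.index(ALPHABET[shifted])
        return (out - offset) % 26

    def press(self, letter):
        """Encipher one letter; the same key setting deciphers it (reciprocal)."""
        self._step()
        c = ALPHABET.index(letter.upper())
        for idx in (2, 1, 0):  # right to left into the reflector
            c = self._through(idx, c, True)
        c = ALPHABET.index(REFLECTOR_B[c])
        for idx in (0, 1, 2):  # and back out, left to right
            c = self._through(idx, c, False)
        return ALPHABET[c]

    def run(self, text):
        return "".join(self.press(ch) for ch in text if ch.isalpha())
```

With rotors I, II, III at AAA, typing AAAAA gives BDZGO, and typing BDZGO at the same setting gives AAAAA back; the reflector also guarantees that no letter ever enciphers to itself, the weakness the Bletchley Park cryptanalysts exploited.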

Have fun!


Apr 4 2008   8:13PM GMT

Are You a Security “No” Man or a Security “Yes” Man?



Posted by: Ken Harthun
Security, Opinion, Security management, Networking

We security wonks always seem to be put into a position of having to say “no.” That makes us unpopular with the I’m-not-hurting-anything crowd who insist on checking their webmail, IMing their friends, and running assorted and sundry downloaded and web-based applications (but only on their time, of course). Maybe they’re right on some level; many of those things are benign and don’t represent security threats. But there are also potentially dangerous applications such as peer-to-peer (P2P) file sharing that can expose your network to hackers via an open P2P connection (See P2P Leads to Major Leak at Citigroup Unit and Pfizer Falls Victim to P2P Hack). What’s one to do?

Start saying “Yes.” You read that right. Look at it from the user’s standpoint: A blanket prohibition against anything and everything usually foments rebellion on the part of some and they’ll do whatever they want to do with wild abandon. Your network is less secure as a result. But, if you develop policies that allow webmail, online shopping, and IM instead of blocking them at the gateway, while prohibiting the potentially dangerous stuff, you just might find the users starting to ask you if it’s OK to do certain things.

And they just might listen to you if you say “No.”