Some of these tips may very well be “everybody knows” types of things, but I find that these are often the things that get overlooked. That’s why I’m publishing them as computer security maxims. Take a look at the recent furor surrounding the cold boot attack against disk encryption. That was an “everybody knows,” too.
I get questions all the time over at Ask the Geek about using a mail client’s message preview feature. Opinions vary, of course, but for this geek, it’s a bad idea. In order to preview a message, the client has to open it and render it with its HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: the same malicious scripts can be embedded in HTML messages, and a preview pane runs them before you have decided whether to open the message at all. It’s a serious security risk.
Security Maxim #6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
A while back, I wrote an article entitled “Will You Be Used As a Weapon Against Your Own Country?” The flip side of that is being used as a weapon for your own country. It seems the United States Air Force is looking for a few good cyber warriors. From The Register:
In a document [PDF here] released this week, the US Air Force is laying out plans for a new cyber command, which is scheduled to become operational in October. It tries to make the case that the ability to wage war and parry attacks over electronic networks is crucial to maintaining national security.
The document does a good job of making the case:
Mastery of cyberspace is essential to America’s national security. Controlling cyberspace is the prerequisite to effective operations across all strategic and operational domains—securing freedom from attack and freedom to attack.
You have to bear in mind how the Air Force defines cyberspace:
Cyberspace encompasses the electromagnetic spectrum with its distinctive physical properties and those of the man-made electronic systems created to operate across the domain.
This would encompass the entire radio spectrum as well as “wired” cyberspace. The Internet, of course, also relies on wireless technology. And much of military command and control relies on radio communications, so the concept makes sense. Communications must be maintained at all costs. This involves mastering many electronic technologies and even, perhaps, physical signaling methods for use in the event an electromagnetic bomb disrupts electronic transmissions.
The Air Force Cyber Command is certainly no place for the technologically challenged, but for those of us who love and understand technology, it could be a great career.
Geek warriors: now that’s one for the books.
True computer and network security takes a lot of work to implement and it takes a lot of work to use. Despite training (if any) and admonitions by their supervisors and the IT department, the lazy create simple, easily-guessable passwords, write them down, and post them on sticky notes right in their cubicle or on their monitor. Even though we IT folks enforce password complexity policies, the effort is wasted if users post their passwords in plain sight.
Maybe I’m dreaming, but I think that even the lazy can take the time to come up with serious passwords and take measures to make them memorable and/or write them down in a secure way. My article on generating secure passwords describes a method of doing this; it takes a bit of work at first, but once implemented, it’s a simple system that even the lazy can appreciate. (You may guess that I’m no fan of password managers or stored passwords and your guess would be right.)
If more of us IT geeks put more work into developing simple password generation and mnemonic systems for the lazy users, perhaps our networks would be more secure; perhaps not, but it can’t hurt now, can it?
According to researchers at Princeton University, it’s possible to recover encryption keys from memory for some time after a computer is powered down. Their paper, “Lest We Remember: Cold Boot Attacks on Encryption Keys,” begins with this abstract:
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
Check out the researchers’ video demo of the attack:
Video demo: http://www.youtube.com/v/JDaicPIgn9U
While I don’t consider this a great concern for the average user, it’s a real problem in terms of corporate espionage and national security.
Aside from simply never using standby modes or screen locking, possible solutions would be for encryption programs to require two-factor authentication or for operating systems to securely erase memory as part of the shutdown routine. This article at SANS Internet Storm Center gives further insight into the issue.
Sometimes, it’s a good thing to take a breather from the routine, to venture off into something more fun than the serious day-to-day concerns of network and computer security. One of my interests is cryptography, especially its history, and I love to play around with cryptograms in the daily newspaper, even though they’re just simple substitution ciphers (though there are some puzzle books out there that use polyalphabetic and transposition ciphers).
There’s no question that computers have taken cryptography well out of the realm of human-generated codes and ciphers. Done properly, modern encryption systems produce output that appears to be nothing more than random noise to a human–and no human will ever be able to break those ciphertexts without the help of powerful computers. Yet, there are human-generated ciphers that haven’t been cracked. One of those is the D’Agapeyeff cipher, which appears as “…a cryptogram upon which the reader is invited to test his skill” in the first edition of “Codes & Ciphers, ” written by Alexander D’Agapeyeff, published by Oxford University Press in April, 1939.
The book is an elementary text on classic encryption methods, and the cryptogram is placed on the final page of the final chapter, which details methods of decryption for the various types of ciphers. Here’s the cryptogram as it appears in the book (it was omitted from later editions for reasons unknown):
75628 28591 62916 48164 91748 58464 74748 28483 81638 18174
74826 26475 83828 49175 74658 37575 75936 36565 81638 17585
75756 46282 92857 46382 75748 38165 81848 56485 64858 56382
72628 36281 81728 16463 75828 16483 63828 58163 63630 47481
91918 46385 84656 48565 62946 26285 91859 17491 72756 46575
71658 36264 74818 28462 82649 18193 65626 48484 91838 57491
81657 27483 83858 28364 62726 26562 83759 27263 82827 27283
82858 47582 81837 28462 82837 58164 75748 58162 92000
I assumed (correctly, I think–see this article) that two numbers represent one letter and that this was some sort of simple substitution cipher. I divided the cryptogram thus, omitting the three zeros that are obviously nulls:
75 62 82 85 91 62 91 64 81 64 91 74 85 84 64 74 74 82 84 83 81 63 81 81 74
74 82 62 64 75 83 82 84 91 75 74 65 83 75 75 75 93 63 65 65 81 63 81 75 85
75 75 64 62 82 92 85 74 63 82 75 74 83 81 65 81 84 85 64 85 64 85 85 63 82
72 62 83 62 81 81 72 81 64 63 75 82 81 64 83 63 82 85 81 63 63 63 04 74 81
91 91 84 63 85 84 65 64 85 65 62 94 62 62 85 91 85 91 74 91 72 75 64 65 75
71 65 83 62 64 74 81 82 84 62 82 64 91 81 93 65 62 64 84 84 91 83 85 74 91
81 65 72 74 83 83 85 82 83 64 62 72 62 65 62 83 75 92 72 63 82 82 72 72 83
82 85 84 75 82 81 83 72 84 62 82 83 75 81 64 75 74 85 81 62 92
You can see that no pair begins with a number less than six and no pair ends with a number greater than five. This suggests a matrix like this:
    1 2 3 4 5
6   a b c d e
Using this hypothetical grid, 61 is “a,” 65 is “e,” etc. That’s as far as I’ve managed to go.
Anyone else like to play with this?
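To give the puzzle a starting point in code, here is a short Python script (added here, not part of the original post or of D’Agapeyeff’s book) that takes the cryptogram exactly as printed above, drops the three trailing nulls, splits the digits into pairs, checks the “first digit 6–9, second digit 1–5” observation, tabulates digit-pair frequencies, and applies the hypothetical grid. The post only shows row 6 of the grid (61 = a … 65 = e); filling rows 7–9 with f … t in reading order is my assumption and is marked as such in the code.

```python
import re
from collections import Counter

# The cryptogram exactly as the post reproduces it from "Codes & Ciphers" (1939)
CRYPTOGRAM = """
75628 28591 62916 48164 91748 58464 74748 28483 81638 18174
74826 26475 83828 49175 74658 37575 75936 36565 81638 17585
75756 46282 92857 46382 75748 38165 81848 56485 64858 56382
72628 36281 81728 16463 75828 16483 63828 58163 63630 47481
91918 46385 84656 48565 62946 26285 91859 17491 72756 46575
71658 36264 74818 28462 82649 18193 65626 48484 91838 57491
81657 27483 83858 28364 62726 26562 83759 27263 82827 27283
82858 47582 81837 28462 82837 58164 75748 58162 92000
"""

def digits(text=CRYPTOGRAM):
    """All digits in reading order, with the three trailing zeros (nulls) dropped."""
    return re.sub(r"\D", "", text).rstrip("0")

def pairs(text=CRYPTOGRAM):
    """Split the digit stream into two-digit groups, as the post does."""
    d = digits(text)
    if len(d) % 2:
        raise ValueError("odd number of digits: grouping into pairs is ambiguous")
    return [d[i:i + 2] for i in range(0, len(d), 2)]

def check_grid_hypothesis(ps):
    """Pairs that break the rule 'first digit 6-9, second digit 1-5'.
    The only offender is the '04' produced by the stray 0 inside the group 63630."""
    return [p for p in ps if not (p[0] in "6789" and p[1] in "12345")]

def digraph_frequencies(ps):
    """Digit-pair counts, most frequent first: the raw material for frequency analysis."""
    return Counter(ps).most_common()

# Hypothetical grid: row digit 6-9, column digit 1-5, filled a..t in reading order.
# The post only shows row 6 (61=a ... 65=e); continuing rows 7-9 as f..t is an assumption.
GRID = {f"{r}{c}": chr(ord("a") + (r - 6) * 5 + (c - 1))
        for r in range(6, 10) for c in range(1, 6)}

def apply_grid(ps, grid=GRID):
    """Substitute each pair through the grid; pairs outside the grid become '?'."""
    return "".join(grid.get(p, "?") for p in ps)

if __name__ == "__main__":
    ps = pairs()
    print(len(ps), "pairs;", len(set(ps)), "distinct")
    print("exceptions to the 6-9/1-5 rule:", check_grid_hypothesis(ps))
    print("most common pairs:", digraph_frequencies(ps)[:8])
    print("grid substitution:", apply_grid(ps))
```

Two things the script makes obvious that the eye can miss: the one pair outside the pattern is the “04” from the group 63630 (so the zero there is not a trailing null), and a 4×5 grid has only 20 cells, so a plain a–t filling cannot represent all 26 letters. The pair frequencies are what you would compare against English letter frequencies if the hypothesis is simple substitution.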
OK. So you’ve installed a NAT router, you’ve changed the default login and password, and you’ve used an unguessable password. You’ve done everything right so far. However, you still may be vulnerable; in fact, you probably are, even if you keep your operating system patched. In a Lockergnome posting last year, I wrote:
To say nothing of Microsoft Windows, there are few, if any, application software packages that are free of security vulnerabilities. The SANS Institute publishes its Top 20 Internet Security Attack Targets on a regular basis and Secunia currently lists 14,043 pieces of software and operating systems with vulnerabilities.
Not surprisingly, Secunia reports that as of this date, the above number has increased by more than 3,300:
Our database currently includes 17,406 pieces of software and operating systems.
It probably won’t surprise you that Microsoft leads the list, but that is by no means the only source of security vulnerabilities out there. The truth is, if you’re on the ‘Net and running any unpatched software, you’re a target; I can look at my firewall logs and identify what vulnerabilities are being targeted on my machine. Many of these holes have long since been patched and there’s no excuse for your not having patched them.
So much for the bad news. The good news is that most reputable software companies, when informed of a vulnerability by security researchers, promptly issue a software patch to fix it. These are widely available to the public for free download or through update features built into the software packages. Windows and other software packages allow you to enable automatic updates (which you should do).
I give you Security Maxim #5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
In my last post, I stressed the importance of changing the default usernames and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password. Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined hacker could easily guess it without too much effort.
I have two clients, both of which generate some serious confidential data, who set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement password policies!) I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.
According to Wikipedia, there are several things many people use as passwords that result in their being predictable:
Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:
- blank (none)
- the word “password”, “passcode”, “admin” and their derivatives
- the user’s name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet’s name
- automobile license plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
- a row of letters from a standard keyboard layout (e.g., the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)
So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.
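Here is a small Python checker, added as an illustration (it is not from the post or from Wikipedia), that turns the list above into a test you can run against a candidate password. It takes a dictionary of personal facts (the keys such as `login`, `partner`, `pet` and `plate` are my own choice) and reports which pattern the password falls into, treating “simple modifications” as a digit suffix or prefix and reversal, and “keyboard row” as any four adjacent keys from a US layout. It flags only the patterns in the list; a password the function passes is not thereby strong, it just avoids these particular mistakes.

```python
import re

COMMON_WORDS = ("password", "passcode", "admin")
# Physical rows of a US keyboard; any run of four adjacent keys counts as a "row".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")

# Constructed sample profile; the keys are arbitrary labels for this example.
SAMPLE_PROFILE = {
    "login": "jsmith",
    "partner": "Mary",
    "birthplace": "Dayton",
    "dob": "1975-03-14",
    "pet": "Fluffy",
    "plate": "ABC 1234",
}

def _normalise(s):
    """Lower-case and keep only letters and digits ('ABC 1234' -> 'abc1234')."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _base_forms(pw):
    """The password plus the 'simple modifications' from the list:
    digits stripped from either end, and each of those reversed."""
    p = pw.lower()
    forms = {p, p.rstrip("0123456789"), p.lstrip("0123456789")}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}

def is_guessable(pw, profile):
    """Return the reason a password is predictable, or None if none of the
    listed patterns applies. Checks run longest form first so the message
    names the most specific match."""
    if not pw:
        return "blank"
    for form in sorted(_base_forms(pw), key=len, reverse=True):
        for word in COMMON_WORDS:
            if word in form:                       # Password1, drowssap, Admin2008
                return f"derivative of '{word}'"
        for label, value in profile.items():
            if value and _normalise(value) == _normalise(form):
                return f"matches {label}"          # Mary1, fluffy2008, ABC1234
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            if row[i:i + 4] in p:                  # qwerty, asdfjkl;, 123456
                return f"keyboard row '{row[i:i + 4]}'"
    return None

if __name__ == "__main__":
    for candidate in ("", "Password1", "drowssap", "Mary1", "Fluffy2008",
                      "ABC1234", "asdfjkl;", "123456", "Tr0ub4dor&3"):
        print(repr(candidate), "->", is_guessable(candidate, SAMPLE_PROFILE))
```

The post’s “********” is not caught, because a single repeated character is not on Wikipedia’s list; add your own rule for it if you use something like this in a password policy check.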
Next time: How you can do everything right and still be vulnerable to attack.
Last time, I stressed having a NAT router–or router/firewall–between your PC and the Internet as a first line of defense. This is without question the first, most important security step, but it can be useless unless you have it properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.
So, put this on your list as Security Maxim #3: Always change the default username and password of any configurable device you put on your home network.
Next time: You’ve changed your default router password; you still may be vulnerable.
The other day, I gave you what I consider to be the most basic security maxim, one on which I base all of my security practices: The best security measures are completely useless if you invite attackers into your PCs or networks.
Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers already know how to take down XP’s firewall.
Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers that are scanning the ‘Net or worms that are infecting the ‘Net. The IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week. I certainly don’t want my PC’s software firewall subjected to this kind of thing; yet, most people, not knowing any better, plug their computer directly into the broadband modem. Why do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router?
Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:
I must mention that except for one, simple configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.
So, here’s Security Maxim #2: A first, important step in securing your PC is to install and configure a NAT router.
(Note: I first posted this maxim nearly a year ago at Ask the Geek, Too. The article was entitled, How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks). Since then, many routers have added built-in firewalls, so they do double duty and are even more secure.)
Next time: the one, most overlooked configuration option that can render your router or firewall useless and make you even more vulnerable than you were without it.
Your comments are welcome!
The good folks at IT Knowledge Exchange and TechTarget have granted me the privilege of sharing my views on computer and network security with you. I’m proud to have this opportunity and I thank them for the opportunity.
Having worked in IT in various capacities since the early 1980s, I’ve seen the need for security evolve from simple protection against viruses to the need for complex security policies designed to combat multiple attack vectors. These days, it takes constant vigilance to stay ahead of criminal hackers, to say nothing of terrorists; moreover, clueless users are often unwitting accomplices in security breaches. (See my article “Will You Be Used As a Weapon Against Your Own Country?”)
Today’s Internet is reminiscent of the Wild, Wild, West, only now it’s the Wild, Wild Web: Make a mistake, and you could be virtually dead before sundown, your identity stolen, your financial resources drained, your reputation ruined. Protecting yourself online seems like a daunting task, especially for the average home computer user; however, it’s not as hard as it seems, given some common sense and an understanding of basic security principles.
My goal for this blog is to provide simple, sound advice, news, and tips that will help you be more secure in your computing both at home and at the office. And the first piece of advice I’ll give you is one I consider the most basic principle of computer security, the first in my series of computer security maxims, Maxim #1: The best security measures are completely useless if you invite attackers into your PCs or networks.
In this blog, we’ll be exploring how not to invite attackers into your PCs and networks as well as a myriad of other topics. I hope you’ll join me in my explorations and ruminations, and I look forward to your comments and contributions.