Personal Internet Self Defense 2004 - Presentation Transcript
Personal Internet Self-Defense 2003: Security and Privacy for the New Millennium
Robert C. Jones, M.D., LtCol, USAF, Medical Corps, Staff Anesthesiologist, Andrews Air Force Base, Maryland
E-mail: rob@notbob.com
Web site: http://notbob.com
Disclaimer/Disclosure
This talk represents my own views, not those of the USAF, the DoD, or anyone else.
I am a Microsoft shareholder.
I am a Palm shareholder.
Far from a controlling interest in either!
Nobody paid me anything to write or present this.
The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD.
CIA XXIIIII Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
Do you feel like this?
The Dirty Truth: “Internet technologies are not designed to be secure. They're designed to be interactive... ...we as consumers are not taking the responsibility...to learn basics about using this stuff” Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html
You can’t afford perfect security “The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.” Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419
...but can you really afford this?
What this talk is about
Basic Internet self-defense for average users
How to protect your privacy on the internet
Where to learn more about Net security
My own personal opinions (not the USAF)
What this talk is NOT about
Advanced intrusion detection and response
How to hide nuclear secrets behind photocopiers
Advanced TCP/IP networking and protocols
Anyone else’s opinions (especially the USAF)
What is Internet Security?
For that matter, what is the Internet?
[Diagram: the Internet as a web of services: Mail2News, HTTP, logon to web e-mail service, newsreader, web2mail]
“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.”
-- Geza Szenes, CISSP, Computer Security Awareness: A Case Study, SANS 99, http://www.sans.org/newlook/misc/Final_szenes.pdf
What do people need ?
Maslow’s Hierarchy of Needs
The Security Pyramid (levels as shown on the slide): Basic Security Needs, Workstation Needs, Privacy Needs, Confidence, Guru
Physical Security 2003
Theft (especially portables)
locks, vigilance in airport X-ray lines/queues
Electrical problems
UPS protects against brownouts & surges
Lack of reliable current backup
Backup regularly to reliable media; net backup
C & C: Coffee and Cats
Don’t drink and compute; keep fans clean
Passwords 2003
Pick Good Passwords
Avoid Bad Passwords
Protect Passwords
Change Passwords
Good Passwords
At least 8 characters (more if possible)
Mix of capital and small letters
Mix of letters and numbers
At least one special character ($#@!*^*)
Based on a complex passphrase
Example: tB0ntB?t1stFq!
Bad Passwords
Anything having to do with you
Any part of your social security number
Your birthday
Your kids’ birthdays
Relating to your hobbies
Less than 8 characters
Anything in a dictionary
Fictional characters (Gandalf, Frodo, Bilbo)
Protect Passwords
Don’t share them, don’t write them down
Change Passwords
Change is good; automatic change is better?
Too frequent change = bad passwords
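The password rules above, turned into a checker that can be run against a candidate password. This is an added example, not code from the original talk; the dictionary, the personal-data list and the leet-substitution table are constructed stand-ins (a real check would load a full word list), and the rule that personal data is expanded into name tokens and digit groups is this example's own choice.

```python
"""Password-rule checker for the 'Good Passwords' / 'Bad Passwords' slides.
Added example, not code from the original talk.  SAMPLE_DICTIONARY, the
personal data passed in by the caller and the LEET table are constructed."""
import re

# Constructed stand-in for a real dictionary file (assumption: a full word list
# such as /usr/share/dict/words would be loaded in practice).
SAMPLE_DICTIONARY = {"password", "secret", "summer", "maryland", "anesthesia"}
FICTIONAL_CHARACTERS = {"gandalf", "frodo", "bilbo"}      # the names on the slide
SPECIAL_CHARACTERS = set("$#@!*^&%?+-=_~")
# Substitutions a cracker's rule set undoes before trying a dictionary match,
# so "Fr0d0" is still "frodo" as far as the attacker is concerned.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def personal_fragments(personal):
    """Expand personal data (name, SSN, birthdays...) into the fragments a
    cracker would try: words of 3+ letters and digit groups of 2+ digits,
    so any part of an SSN or a birth year is caught, as the slide demands."""
    frags = set()
    for item in personal:
        for token in re.split(r"[^A-Za-z0-9]+", item):
            if len(token) >= 3 and token.isalpha():
                frags.add(token.lower())
        for digits in re.findall(r"\d{2,}", item):
            frags.add(digits)
    return frags


def check_password(pw, personal=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of slide rules the password violates; [] means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of capital and small letters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("no mix of letters and numbers")
    if not any(c in SPECIAL_CHARACTERS for c in pw):
        problems.append("no special character")
    low = pw.lower()
    unleeted = low.translate(LEET)
    # Dictionary words and fictional names, whole or embedded, with or without leet.
    for word in sorted(dictionary | FICTIONAL_CHARACTERS):
        if len(word) >= 4 and (word in low or word in unleeted):
            problems.append(f"contains dictionary word or name '{word}'")
    # Anything having to do with you.
    for frag in sorted(personal_fragments(personal)):
        if frag in low or frag in unleeted:
            problems.append(f"contains personal data '{frag}'")
    return problems


if __name__ == "__main__":
    me = ["Rob Jones", "123-45-6789", "1962-04-05"]    # constructed personal data
    for candidate in ["tB0ntB?t1stFq!", "Gandalf1", "Fr0d0!!!", "Rob1962$x"]:
        print(candidate, "->", check_password(candidate, me) or "OK")
```

The passphrase-derived example from the slide passes every rule, while "Fr0d0!!!" is rejected even though it satisfies the length, case, digit and special-character rules, because the leet substitution does not hide the name from a cracker.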
Antivirus Defense 2003
Install antivirus software FIRST
Update antivirus software regularly
Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)
Scan all downloaded files and attachments
Beware of viruses, trojans, spyware…
Trojan: Sneaky program which, once activated by the user, causes harm to the computer, privacy, or both [Example: Back Orifice 2000 (BO2K)]
Spyware: Programs that connect to the internet and report personal data about the user [Example: RealNetworks Jukebox]
Blaster Worm (2003)
Blaster-B variant exploits a hole in MS Windows XP and 2000 (DCOM RPC)
The patch had been available for weeks…people just never bother to patch their systems!
ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
[Photo: Jeffrey Lee Parsons, alleged Blaster Variant B creator]
Antivirus Defense 2003
(Radical) Disable MS Outlook/Outlook Express
MS Outlook = Danger! “I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.” Steven J. Vaughan-Nichols, ZDNet News, May 4, 2000, http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html
The Melissa Virus (1999)
E-mail / productivity-suite integration exploit: a Word macro virus that used the Outlook address book to mail itself onward
Yet another...
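What "scan all downloaded files and attachments" looks like when automated, as an added example (not code from the original talk): a triage pass over an incoming message that blocks executable and double-extension attachments, quarantines Office files carrying a VBA project (the Melissa pattern), and hands the rest to the antivirus scanner. The test message, its attachments and the empty signature list are constructed for this example; the VBA detection is a byte-pattern heuristic for OLE2 files, not a full document parser.

```python
"""Attachment triage for incoming mail.  Added example, not code from the
original talk.  build_sample_message() is a constructed message and
KNOWN_BAD_SHA256 is an empty stand-in for an antivirus signature database."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# File types Windows runs directly, or that carry a script.
EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "reg", "lnk"}
# Office 97 formats that can carry VBA macros (Melissa was a Word macro virus).
MACRO_EXT = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
# Innocent-looking middle extensions used to disguise an executable ("photo.jpg.exe").
DECOY_EXT = {"jpg", "jpeg", "gif", "txt", "doc", "pdf", "htm", "html"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound-document header
# Directory-entry names inside an OLE2 file are stored as UTF-16LE; these two
# storages are where Word keeps a VBA project (heuristic, not a parser).
VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")]
KNOWN_BAD_SHA256 = set()                                  # constructed placeholder


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "block", "matches a known-bad signature"
    if ext in EXECUTABLE_EXT:
        if len(parts) > 2 and parts[-2] in DECOY_EXT:
            return "block", f"double extension hides an executable: {filename}"
        return "block", f"executable attachment type .{ext}"
    if ext in MACRO_EXT:
        if not data.startswith(OLE_MAGIC):
            return "quarantine", "claims to be an Office document but is not OLE2"
        if any(marker in data for marker in VBA_MARKERS):
            return "quarantine", "Office document carries a VBA macro project"
        return "allow", "Office document without macros (still run the AV scan)"
    return "allow", f"ordinary .{ext or '?'} attachment (still run the AV scan)"


def triage_message(raw_message):
    """Parse an RFC 822 message and classify every attachment in it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed test mail in the style of a Melissa-era 'here is that document' note."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "rob@example.com"
    msg["Subject"] = "Important Message From friend"
    msg.set_content("Here is that document you asked for ... don't show anyone else ;-)")
    macro_doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARKERS[0] + b"\x00" * 64   # fake .doc with a VBA storage
    msg.add_attachment(macro_doc, maintype="application", subtype="msword", filename="list.doc")
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment("Just some notes.\n", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict, reason in triage_message(build_sample_message()):
        print(f"{verdict:10} {name:16} {reason}")
```

Note that the mail client still has to be the thing that refuses to open the attachment; the triage only tells you what it found, which is why the slide's "radical" option of disabling Outlook's automatic handling exists.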
Browser Security 2003
Disable routine ActiveX and Java/Javascript
How Secure is ActiveX?
“The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.”
Use the maximum security setting you can stand
[Screenshot: MSIE 4.72.x security settings (note: fixed in MSIE versions 5.x)]
[Screenshot: How to tell when your browser settings are correct...]
Upgrade encryption to 128 bits minimum
40 bits (export-grade) is standard…and insecure.
[Screenshot: How to check your encryption strength]
Update browser regularly to get bug fixes
But beware of version X.0 of anything
Don’t be an unpaid beta tester!
“Time to market and functionality always beat out security. Always. Always.”
--David Bradley, UC Berkeley, 25 August 99
Privacy 2003: Endangered Species
“You have zero privacy now. Get over it.”
-- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks
Privacy 2003: Endangered Species
“Like murder, privacy invasion is most frequently committed by those close to us.”
--Rob Jones, M.D. , Dec 1999
Privacy 2003: Basic
Assume workplace internet use is monitored
E-mail, surfing should be boss/CEO-acceptable
Beware of prying eyes
“Shoulder-surfing” on airplanes, ATM machines
Lock your workstation when you are away
Password-protected screen saver or log off
Password-protect sensitive documents
Not cracker-proof, but will deter average snoop
Privacy 2003: Advanced
Use strong encryption for sensitive information
PGP, RSA, IDEA, Blowfish (56-bit DES is cracked)
[Diagram from Introduction to Cryptography, Network Associates, 1999]
“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.”
-- from Introduction to Cryptography, Network Associates, 1999
Con your OS (GUID, ComputerName, Workgroup)
Pleased to meet you. Hope you guess my name.
Why does my software have to know my name? Start | Run | regedit | Edit | Find | your_name
Be careful…regedit can ruin your computer if you change stuff unwisely…always back up first
Office 97 and the Personal ID/Global User ID…get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm
Unique number derived, in part, from the network card MAC address
Nuke intrusive information on your hard drive
Cookies and History and Cache, oh my!
Cookies are bad for your wealth
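Rather than nuking the whole cookie jar, you can audit it. The following is an added example, not code from the original talk: it parses a Netscape-format cookies.txt (the plain-text jar used by Netscape/Mozilla-era browsers, seven tab-separated fields per line), drops expired cookies, cookies from domains on a tracker list, and long-lived cookies from domains you have not marked as trusted, and writes the survivors back out. The file contents, the tracker and trusted lists and the clock value NOW are all constructed for the example.

```python
"""Audit of a Netscape-format cookies.txt.  Added example, not code from the
original talk.  SAMPLE_COOKIES_TXT, NOW, and the tracker/trusted lists passed
to audit_cookies() are constructed."""

FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")


def parse_cookies_txt(text):
    """Parse cookies.txt: '#' comment lines, then 7 tab-separated fields per cookie."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        c = dict(zip(FIELDS, fields))
        c["subdomains"] = c["subdomains"] == "TRUE"   # cookie sent to all hosts in the domain
        c["secure"] = c["secure"] == "TRUE"           # only sent over SSL
        c["expires"] = int(c["expires"])              # Unix seconds; 0 = session cookie
        cookies.append(c)
    return cookies


def to_cookies_txt(cookies):
    """Serialize back into the same format so the browser can reload it."""
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        lines.append("\t".join([c["domain"], "TRUE" if c["subdomains"] else "FALSE", c["path"],
                                "TRUE" if c["secure"] else "FALSE", str(c["expires"]),
                                c["name"], c["value"]]))
    return "\n".join(lines) + "\n"


def domain_in(domain, names):
    """True if the cookie domain (with or without a leading dot) is one of
    names or a subdomain of one."""
    d = domain.lstrip(".").lower()
    return any(d == n or d.endswith("." + n) for n in names)


def audit_cookies(cookies, now, trusted=(), trackers=(), max_age_days=365):
    """Split cookies into (kept, dropped); each dropped entry carries a reason."""
    kept, dropped = [], []
    for c in cookies:
        if c["expires"] and c["expires"] < now:
            dropped.append((c, "expired"))
        elif domain_in(c["domain"], trackers):
            dropped.append((c, f"known tracker domain {c['domain'].lstrip('.')}"))
        elif domain_in(c["domain"], trusted):
            kept.append(c)                                 # you chose to be remembered here
        elif c["expires"] and (c["expires"] - now) > max_age_days * 86400:
            days = (c["expires"] - now) // 86400
            dropped.append((c, f"persistent for {days} more days"))
        else:
            kept.append(c)
    return kept, dropped


# Constructed sample jar: a bank session, an ad-network ID, an expired preference,
# a decades-long shop visitor ID, and a long-lived login at a site the user trusts.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".example-bank.com\tTRUE\t/\tTRUE\t1072915200\tSESSIONID\ta1b2c3\n"
    ".ads.example-tracker.net\tTRUE\t/\tFALSE\t2145916800\tid\t8004ef2c19\n"
    "www.example-news.com\tFALSE\t/\tFALSE\t1041379200\tprefs\tfont=large\n"
    ".example-shop.com\tTRUE\t/\tFALSE\t1988150400\tvisitor\tjoeschmoe\n"
    ".example-mail.com\tTRUE\t/\tTRUE\t2145916800\tlogin\ttoken123\n"
)
NOW = 1065000000   # constructed "current time": early October 2003, Unix seconds


if __name__ == "__main__":
    jar = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    kept, dropped = audit_cookies(jar, NOW, trusted={"example-mail.com"},
                                  trackers={"example-tracker.net"})
    for c, reason in dropped:
        print(f"drop {c['domain']} {c['name']}: {reason}")
    print(to_cookies_txt(kept))
```

The long-lived "visitor" ID is exactly the kind of cookie the slide objects to: it is not needed for the session, it survives for years, and it lets the site (and anyone it shares data with) tie every later visit to the first one.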
Use anon proxies for private web browsing
ZKS Freedom, Anonymizer, etc.
How anon proxy servers work: your computer tells the anon proxy server “this is joeschmoe@joesisp.com”; the proxy tells Web Server X “this is nobody@anonproxy.net”; the web page comes back to the proxy with cookies and is passed on to you without cookies.
Turn off file and print sharing
unless you want the Internet to be your LAN
Especially important with cable modem or xDSL
oh, one more thing...
What is spam?
Not the Hormel ® Luncheon Meat (SPAM™)
Unsolicited Bulk e-mail
Junk Usenet posts
(New) Instant Messaging spam
Why spam is bad.
"Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization."
-- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowledged "Father of the Internet", as quoted on http://www.cauce.org/problem.html
[Slide: This is your Inbox]
[Slide: This is your Inbox with e-mail]
[Slide: This is your Inbox with spam: “Job Offer”, “Love letter from Salma Hayek”]
Spam = Theft!
Key aspect is unauthorized theft of services
bandwidth, hard drive space, per-minute costs, time
What is a firewall?
[Photo: Beaumaris Castle, Ynys Môn, Cymru]
What is a firewall?
Firewalls are like medieval moats:
Restrict people to entering at one controlled point
Prevent attackers from getting close to your other defenses
Restrict people to leaving at one controlled point
--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17
Everyday computer conversations use many “ports”: one TCP/IP exchange between two hosts (“Hi, I’m 102.74.145.234” / “Hello, I’m 214.90.1.43”) carries each service on its own port, e.g. port 25 (smtp), port 80 (http; 8080 is a common alternate), port 119 (nntp), port 6667 (IRC), port 23 (telnet)
Firewalls implement your security decisions: the firewall sits between your computer and the Net and decides, port by port (smtp on 25, http on 80, IRC on 6667, ...), which conversations may pass
What a Firewall Can Do
Serves as focus for security decisions
Enforces security policy
Logs internet activity efficiently
Limits damage to your network
--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
What a Firewall Can’t Do
Can’t protect against insiders
Can’t protect you against connections that don’t pass through it
Can’t protect against completely new threats
Can’t protect you from viruses/trojans
--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
Firewalls can’t protect you from SE! (Social Engineering)
Do you need a firewall?
Home user vs. Business user
Dynamic internet IP address vs. Static IP address
Unix/Linux OS vs. any flavor of Windows
Dialup modem vs. always-on Broadband
Fat pipes make juicy targets!
Types of Firewalls
Software
NetworkICE BlackICE Defender
Zonelabs ZoneAlarm (free for personal use)
Norton Internet Security 200x
Others…
[Screenshot: BlackICE Defender attack list (against my dialup sessions)]
[Screenshot: Automatic reverse IP address lookup on attacker reveals...]
[Screenshot: Zonelabs ZoneAlarm (freeware for personal use)]
[Screenshot: Zonelabs ZoneAlarm Alert Example]
NOTE: As of January 2002, ZoneAlarm (not BlackICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software). On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does). Updated 10 Jan 02
Hardware
SonicWall
Watchguard SOHO
Your own Linux box with custom ipchains (iptables on 2.4 kernels)… etc.
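To make the "firewalls implement your security decisions" slide concrete, here is an added example (not code from the original talk, and not a real packet filter) that simulates the decisions a personal firewall such as the ones listed above makes: default-deny for unsolicited inbound traffic, stateful acceptance of replies to connections this PC opened, and ZoneAlarm-style control of OUTGOING connections per program. The traffic, the program names and the policy are constructed; the two IP addresses are the ones from the ports slide. The attack_report() summary mimics the BlackICE attack list.

```python
"""Simulation of a personal firewall's decisions.  Added example, not code
from the original talk and not a real packet filter: SAMPLE_TRAFFIC, the
program names and the allowed-program list are constructed."""
from dataclasses import dataclass

# Services behind the ports that matter to a home user (from the slides, plus
# the file-sharing and DCOM ports the Blaster worm and LAN browsing use).
WELL_KNOWN = {23: "telnet", 25: "smtp", 80: "http", 119: "nntp",
              135: "DCOM RPC (Blaster's hole)", 137: "NetBIOS name",
              138: "NetBIOS datagram", 139: "NetBIOS session (file & print sharing)",
              445: "SMB (file & print sharing)", 6667: "IRC"}


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (from this PC) or "in" (from the Net)
    proto: str          # "tcp" or "udp"
    remote: str         # the other host's IP address
    remote_port: int
    local_port: int
    program: str = ""   # local program that sent it (outbound only)


class PersonalFirewall:
    """Default-deny inbound, stateful replies, per-program egress control."""

    def __init__(self, allowed_programs):
        self.allowed_programs = set(allowed_programs)
        self.connections = set()   # (proto, local_port, remote, remote_port) this PC opened
        self.log = []

    def filter(self, pkt):
        key = (pkt.proto, pkt.local_port, pkt.remote, pkt.remote_port)
        if key in self.connections:
            return "ALLOW"         # continuation of a conversation this PC started
        if pkt.direction == "out":
            if pkt.program in self.allowed_programs:
                self.connections.add(key)
                return "ALLOW"
            # The ZoneAlarm check from the note above: an unknown program
            # opening an outbound connection is how a trojan phones home.
            self.log.append(f"EGRESS BLOCKED {pkt.program} -> {pkt.remote}:{pkt.remote_port} "
                            f"({WELL_KNOWN.get(pkt.remote_port, pkt.proto)}) - unknown program phoning home?")
            return "BLOCK"
        # Anything inbound that we did not ask for: drop it and keep the evidence.
        self.log.append(f"DROPPED unsolicited {pkt.proto} from {pkt.remote}:{pkt.remote_port} "
                        f"to local port {pkt.local_port} ({WELL_KNOWN.get(pkt.local_port, 'unknown service')})")
        return "DROP"

    def attack_report(self):
        """Count unsolicited inbound probes per remote address, BlackICE-style."""
        counts = {}
        for entry in self.log:
            if entry.startswith("DROPPED"):
                remote = entry.split(" from ")[1].split(":")[0]
                counts[remote] = counts.get(remote, 0) + 1
        return counts


# Constructed traffic: normal browsing and mail, three probes from one host
# against DCOM and file-sharing ports, and a Back Orifice-style trojan
# trying to reach an IRC server.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "214.90.1.43", 80, 1034, "iexplore.exe"),
    Packet("in", "tcp", "214.90.1.43", 80, 1034),
    Packet("out", "tcp", "214.90.1.43", 25, 1035, "outlook.exe"),
    Packet("in", "tcp", "102.74.145.234", 4021, 135),
    Packet("in", "tcp", "102.74.145.234", 4022, 139),
    Packet("in", "udp", "102.74.145.234", 137, 137),
    Packet("out", "tcp", "214.90.1.43", 6667, 1036, "bo2k.exe"),
]


def run(traffic=SAMPLE_TRAFFIC, allowed=("iexplore.exe", "outlook.exe")):
    """Run the traffic through a fresh firewall; return (verdicts, firewall)."""
    fw = PersonalFirewall(allowed)
    verdicts = [fw.filter(p) for p in traffic]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = run()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{verdict:5} {pkt}")
    print("\n".join(fw.log))
    print("attackers:", fw.attack_report())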
Remember…
A poorly-administered firewall is worse than none at all!
From comp.security.firewalls newsgroup:
"JArelXXXX" <jarelXXXX@aol.com> wrote in message
Offline Resources
Books/Articles
Cheswick, W.R. and Bellovin, S.M., Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley, 1994. ISBN 0-201-63357-4
Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, 1994. ISBN 0-471-03857-1
Wolff, Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1
Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5
Zimmermann, Philip R., The Official PGP User's Guide, Cambridge, MA: MIT Press, 1996. ISBN 0-262-74017-6
Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8
O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan. 1997, p. 56
Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O'Reilly, 1998. ISBN 1-56592-388-X
Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare
Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity
Honeycutt, Jerry; Pike, Mary Ann; et al., Special Edition: Using the Internet, 3rd ed., Indianapolis, IN: Que Corporation, 1996. ISBN 0-7897-0846-9
Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que Corporation, 1995. ISBN 1-56761-593-7
Griffith, Samuel B. (trans.), Sun Tzu: The Art of War, New York: Oxford University Press, 1963. ISBN 0-19-501476-6
Lane, Carole A., Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997. ISBN 0-910965-17-X
Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-124-0
Icove, David; Seger, Karl; and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4
Anonymous, Maximum Security, 2nd ed., Indianapolis: Sams, 1998. ISBN 0-672-31341-3