1 / 56

Computer Security for the Appropriately Paranoid

Computer Security for the Appropriately Paranoid. A Broad Overview Joseph Kashi, MS, JD. Data Security. Several Different Problem Areas. Wireless security Internet security Wired network security . Identity theft issues Confidentiality

lynley
Download Presentation

Computer Security for the Appropriately Paranoid

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Securityfor the Appropriately Paranoid A Broad Overview Joseph Kashi, MS, JD

  2. Data Security

  3. Several Different Problem Areas Wireless security Internet security Wired network security

  4. Identity theft issues • Confidentiality • Any wireless device can be undetectably intercepted given time • Federal law enforcement agencies report that wireless and embedded devices are often targets

  5. Mobile Devices • Notebook computers • flash drives • Wireless networks • Bluetooth – phones, networks, printers • GSM cell phones • PDAs and BlackBerry

  6. Electronic Data Loss • Includes identity theft, losses from which topped $48 billion loss in 2008 despite federal statutes • Can be more damaging because usually not known ever or for many months in case of breach of confidentiality, identity theft or credit damage

  7. Physical Loss or Compromise • Data loss can be devastating – Gulf War plans were a classic example • Physical loss affects not only data but entire network security • Upside – You know it’s compromised and can react accordingly

  8. Short-Term vs. Long Term • Wireless will be the basic network standard in 7 or 8 years • Avoid if possible for next 18-24 months – certainly no confidential data • Wait for new 802.11i hardware

  9. Curse of the Defaults • For ease of set up, most wireless devices ships with all security turned off as basic default • Most users never enable any security • Security never complete – at best slows down and deters intruders

  10. Hidden Dangers • Wi-Fi default is connect to any nearby computer as part of ad hoc network • Windows XP default is to bridge between mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network

  11. Initial Wi-Fi Setup • Change your router setup password to something other than the published default • Change your SSID to a non-obvious and unpublished name

  12. Add Security to Net Setup • Most small networks use basic MS file and printer sharing protocols - these are totally insecure • Default is no password and standard network name

  13. Small Net Setup • Choose a non-obvious workgroup name • Avoid Microsoft defaults such as MSHOME • Don’t settle for the first working network configuration which by default has no security, to aid lay setup

  14. Router Setup • Access and configure your Wi-Fi router with a direct Ethernet cable connection • Use Internet Explorer and standard IP address 192.168.0.1. or 192.168.1.1 • These are published and known

  15. Router Setup • Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults • Your aim is to close, at least partially, and otherwise totally open door

  16. Locating the Wi-Fi Router • Set up a “DMZ” using a second firewall to protect the internal hard-wired LAN • Place all Wi-Fi and Internet connections outside the hard-wired network’s firewall • Locate the Wi-Fi router to minimize leakage of signal outside office

  17. Router Setup • Don’t advertise – disable the wireless SSID broadcast known as beaconing • Do this only after you have completely setup all computers that are to connection to your Wi-Fi network

  18. Enable Security • There are several possibilities – default is no security • WEP, a “Weak” encryption with many basic vulnerabilities • WPA needs same upgraded hardware

  19. WEP Encryption • Lowest common denominator, but with serious systemic weakness • Keys easily vulnerable to cracking regardless of key length • Rotating keys helps but awkward

  20. MAC Address Filtering • Every Ethernet device has an unique identifier known as a MAC • MAC filtering lists allowed or blocked Ethernet devices – not much help if WEP • Easily fooled - done by most routers, firewalls and hacker freeware

  21. Access Restrictions • Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage • Some benefit but require some knowledge to set up

  22. WPA Encryption • More secure but less open interim follow on to WEP – keys are automatically and securely rotated • Requires new WPA capable hardware, all of which should be the same brand and model, with upgraded firmware

  23. Hardware Firewall • Adds some protection against hacking through the wired Internet connection • Generally useful and unobtrusive unless using VPN tunnel or other means of remote access • Use XP and 802.1X

  24. Basic Hardening Tips • Change ALL defaults on ALL devices • Check for possibly conflicting access points and peer to peer networks – these may be an unguarded backdoor. • Enable at least WEP • Search for rogue LANs with notebook

  25. Other Hardening Tips • If possible, reduce router transmission power to minimum that works • Install network traffic transmission monitoring hardware/software • Upgrade older Wi-Fi hardware – the network runs at the lowest common denominator

  26. The Future is 802.11i • Secure wireless connection - strong hardware encryption and authentication • New industry standard not fully gelled • Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network

  27. Long Term Fixes • More powerful handsets with stronger encryption • New versions of WAPI that fix obvious security holes (www.wapiforum.org) • UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)

  28. Virtual Private Networks • These offer some additional security, particularly with private tunneling software protocols for wireless users • Look for good performance and lower future costs as DSL networks become more common • DSL networks a new approach that could extend to wireless

  29. Until Then • Treat wireless devices like a cell phone • Wireless known to be possibly insecure • Most confidential data, such as litigation strategy, should not be sent wireless

  30. Other Security Tips • Call back vs.. direct dial in • Intrusion detection software: Black Ice • Set security configuration and user rights carefully • Change security passwords regularly

  31. Internet Security Tips • Instant messaging = insecure • Internet itself is definitely more secure than wireless due to packet routing • PGP encryption - easy but not fool-proof • Encrypt passwords and logins, use an authentication server w/ digital signature

  32. Internet Security Tips • Dynamic Vs. Static IP networks - low cost option for DSL users • Firewalls- Linksys Ethernet switch, DSL router and hardware firewall. • DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls

  33. Internet Security Tips • Commercial personal software firewall such as McAfee Firewall seems very effective • Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ

  34. Curse of the Defaults • For ease of set up, most wireless devices ships with all security turned off as basic default • Most users never enable any security • Security never complete – at best slows down and deters intruders

  35. Mobile Wi-Fi Woes • Mobile computers often set to “ad hoc” network wireless mode, which can connect with any nearby computer • We saw examples of inadvertent penetration at yesterday’s Wi-Fi session • Always install Wi-Fi as “infrastructure mode”

  36. Wi-Fi Is Insecure • Many cracking programs available free • War-driving and War-chalking • Default installations are totally insecure

  37. Does PDA Mean“Portable Disaster Area”? Some Practical Thoughts about Mobile Security

  38. Cell Phone Woes • The most primitive portable device - cells are insecure. • GSM security model cracked as early as 1998. • Loaning a phone or GSM card for even a few minutes can compromise your security

  39. PDAs • PDAs that depend upon Wi-Fi access have the same security problems as notebook computers • BlackBerry is a proprietary format that can be made substantially more secure • You need to fix a PDA’s basic Wi-Fi and Bluetooth security holes

  40. Mobile Security Holes • Wi-Fi and/or Bluetooth typically installed in notebook computers – hundreds of millions sold each year • Usually enabled by default even when not used • A major but non-obvious security hole – I physically turn off power to my wireless devices

  41. Bluetooth Security Model • Theoretically, Bluetooth is not a bad security model but security is unfortunately optional • Trusted and locked down device pairing possible

  42. Bluetooth Today • Bluetooth sets initially were very low power and hard to intercept • Newer models have more power and can be intercepted to 100 meters or more

  43. Bluetooth Security Holes • IEEE has recently published on Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions – even industry group admits security holes • Programs like Blue Stumbler and SNARF attack are available on the web

  44. Bluetooth Holes Part 2 • Windows servers often configure to connect to all Bluetooth devices in range – a major security breach • Former employees can take connection data

  45. Bluetooth Holes Part 3 • Phone cards or unsecured headsets may be borrowed and company connection data and security compromised • Windows registry retains all connection data for all devices ever used

  46. Bluetooth Networks • “Piconets” sometimes set up automatically that can allow anyone in range to see your files • Discloses your embedded link security information • Worse if you also have other simultaneous network access

  47. Protecting Bluetooth – Part 1 • Never use “unit” authentication keys • Always use “combination” authentication keys with manual PIN input • Use a longer PIN – minimal 4 digit PIN easily cracked by brute force challenges

  48. Protecting Bluetooth Part 2 • Auto PIN number generation is insecure and allows device impersonation • Never establish device pairing or first meeting in a public or other non-secure environment • Eavesdropping feasible – link data disclosed to third parties

  49. Protecting Bluetooth Part 3 • Always enable security mode on all devices • You are only as secure as the weakest link that may transmit connection information • Mode 3 security should be used if possible

  50. Protecting Bluetooth Part 4 • Use only trusted devices • Turn off device pairing mode

More Related