Download - Introductory Computer Security 2009
-
7/30/2019 Introductory Computer Security 2009
1/56
Computer Security for the Appropriately Paranoid
A Broad Overview
Joseph Kashi, MS, JD
-
Data Security
-
Several Different Problem Areas
Wireless security
Internet security
Wired network security
-
Identity theft issues
Confidentiality
Any wireless device can be undetectably intercepted given time
Federal law enforcement agencies report that wireless and embedded devices are often targets
-
Mobile Devices
Notebook computers
Flash drives
Wireless networks
Bluetooth phones, networks, printers
GSM cell phones
PDAs and BlackBerry
-
Electronic Data Loss
Includes identity theft, losses from which topped $48 billion in 2008 despite federal statutes
Can be more damaging because usually not known, ever or for many months, in case of breach of confidentiality, identity theft or credit damage
-
Physical Loss or Compromise
Data loss can be devastating - Gulf War plans were a classic example
Physical loss affects not only data but entire network security
Upside - you know it's compromised and can react accordingly
-
Short-Term vs. Long Term
Wireless will be the basic network standard in 7 or 8 years
Avoid if possible for next 18-24 months - certainly no confidential data
Wait for new 802.11i hardware
-
Curse of the Defaults
For ease of setup, most wireless devices ship with all security turned off as basic default
Most users never enable any security
Security never complete - at best slows down and deters intruders
-
Hidden Dangers
Wi-Fi default is to connect to any nearby computer as part of ad hoc network
Windows XP default is to bridge between mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network
-
Initial Wi-Fi Setup
Change your router setup password to something other than the published default
Change your SSID to a non-obvious and unpublished name
-
Add Security to Net Setup
Most small networks use basic MS file and printer sharing protocols - these are totally insecure
Default is no password and standard network name
-
Small Net Setup
Choose a non-obvious workgroup name
Avoid Microsoft defaults such as MSHOME
Don't settle for the first working network configuration, which by default has no security, to aid lay setup
-
Router Setup
Access and configure your Wi-Fi router with a direct Ethernet cable connection
Use Internet Explorer and standard IP address 192.168.0.1 or 192.168.1.1
These are published and known
-
Router Setup
Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults
Your aim is to close, at least partially, an otherwise totally open door
-
Locating the Wi-Fi Router
Set up a DMZ using a second firewall to protect the internal hard-wired LAN
Place all Wi-Fi and Internet connections outside the hard-wired network's firewall
Locate the Wi-Fi router to minimize leakage of signal outside office
-
Router Setup
Don't advertise - disable the wireless SSID broadcast known as beaconing
Do this only after you have completely set up all computers that are to connect to your Wi-Fi network
-
Enable Security
There are several possibilities - default is no security
WEP, a weak encryption with many basic vulnerabilities
WPA needs same upgraded hardware
-
WEP Encryption
Lowest common denominator, but with serious systemic weakness
Keys easily vulnerable to cracking regardless of key length
Rotating keys helps but awkward
-
MAC Address Filtering
Every Ethernet device has a unique identifier known as a MAC
MAC filtering lists allowed or blocked Ethernet devices - not much help if WEP
Easily fooled - done by most routers, firewalls and hacker freeware
-
Access Restrictions
Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage
Some benefit but require some knowledge to set up
-
WPA Encryption
More secure but less open interim follow-on to WEP - keys are automatically and securely rotated
Requires new WPA-capable hardware, all of which should be the same brand and model, with upgraded firmware
-
Hardware Firewall
Adds some protection against hacking through the wired Internet connection
Generally useful and unobtrusive unless using VPN tunnel or other means of remote access
Use XP and 802.1X
-
Basic Hardening Tips
Change ALL defaults on ALL devices
Check for possibly conflicting access points and peer to peer networks - these may be an unguarded backdoor.
Enable at least WEP
Search for rogue LANs with notebook
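Added example, not part of the original slides: one way to turn the survey step above into a repeatable check, run over rows recorded during a notebook walk-through. The field names, the sample rows, the authorized-hardware list and the short list of factory SSIDs are all assumptions constructed for illustration.

```python
# Constructed survey rows; every SSID and address below is made up.
SURVEY = [
    {"ssid": "linksys", "bssid": "00:11:22:33:44:01", "mode": "infrastructure", "security": "none"},
    {"ssid": "kx-office-7", "bssid": "00:11:22:33:44:02", "mode": "infrastructure", "security": "wpa"},
    {"ssid": "kx-office-7", "bssid": "00:11:22:33:44:99", "mode": "infrastructure", "security": "wep"},
    {"ssid": "hpsetup", "bssid": "02:aa:bb:cc:dd:ee", "mode": "adhoc", "security": "none"},
]
# Hardware addresses of the access points the office actually owns (assumed).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Assumption: a small sample of well-known factory SSIDs, not a complete list.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}


def audit(survey, authorized_bssids, default_ssids=DEFAULT_SSIDS):
    """Return {bssid: [findings]} for every surveyed network with a finding."""
    # SSIDs broadcast by our own hardware; anyone else using them conflicts.
    own_ssids = {r["ssid"] for r in survey if r["bssid"] in authorized_bssids}
    report = {}
    for row in survey:
        findings = []
        known = row["bssid"] in authorized_bssids
        if not known:
            # Unknown hardware advertising one of our SSIDs is a conflicting
            # access point; anything else unknown is still worth a look.
            findings.append("conflicting-ap" if row["ssid"] in own_ssids else "unknown-ap")
        if row["mode"] == "adhoc":
            findings.append("peer-to-peer")
        if known:
            # Configuration checks only apply to devices we can reconfigure.
            if row["ssid"].lower() in default_ssids:
                findings.append("default-ssid")
            if row["security"] == "none":
                findings.append("no-encryption")
            elif row["security"] == "wep":
                findings.append("wep-only")
        if findings:
            report[row["bssid"]] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SURVEY, AUTHORIZED_BSSIDS).items():
        print(bssid, ", ".join(findings))
```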
-
Other Hardening Tips
If possible, reduce router transmission power to minimum that works
Install network traffic transmission monitoring hardware/software
Upgrade older Wi-Fi hardware - the network runs at the lowest common denominator
-
The Future is 802.11i
Secure wireless connection - strong hardware encryption and authentication
New industry standard - not fully gelled
Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network
-
Long Term Fixes
More powerful handsets with stronger encryption
New versions of WAPI that fix obvious security holes (www.wapiforum.org)
UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)
-
Virtual Private Networks
These offer some additional security, particularly with private tunneling software protocols for wireless users
Look for good performance and lower future costs as DSL networks become more common
DSL networks - a new approach that could extend to wireless
-
Until Then
Treat wireless devices like a cell phone
Wireless known to be possibly insecure
Most confidential data, such as litigation strategy, should not be sent wireless
-
Other Security Tips
Call back vs. direct dial in
Intrusion detection software: Black Ice
Set security configuration and user rights carefully
Change security passwords regularly
-
Internet Security Tips
Instant messaging = insecure
Internet itself is definitely more secure than wireless due to packet routing
PGP encryption - easy but not fool-proof
Encrypt passwords and logins, use an authentication server w/ digital signature
-
Internet Security Tips
Dynamic vs. static IP networks - low cost option for DSL users
Firewalls - Linksys Ethernet switch, DSL router and hardware firewall.
DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls
-
Internet Security Tips
Commercial personal software firewall such as McAfee Firewall seems very effective
Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ
-
Curse of the Defaults
For ease of setup, most wireless devices ship with all security turned off as basic default
Most users never enable any security
Security never complete - at best slows down and deters intruders
-
Mobile Wi-Fi Woes
Mobile computers often set to ad hoc network wireless mode, which can connect with any nearby computer
We saw examples of inadvertent penetration at yesterday's Wi-Fi session
Always install Wi-Fi as infrastructure mode
-
Wi-Fi Is Insecure
Many cracking programs available free
War-driving and War-chalking
Default installations are totally insecure
-
Does PDA Mean Portable Disaster Area?
Some Practical Thoughts about Mobile Security
-
Cell Phone Woes
The most primitive portable device - cells are insecure.
GSM security model cracked as early as 1998.
Loaning a phone or GSM card for even a few minutes can compromise your security
-
PDAs
PDAs that depend upon Wi-Fi access have the same security problems as notebook computers
BlackBerry is a proprietary format that can be made substantially more secure
You need to fix a PDA's basic Wi-Fi and Bluetooth security holes
-
Mobile Security Holes
Wi-Fi and/or Bluetooth typically installed in notebook computers - hundreds of millions sold each year
Usually enabled by default even when not used
A major but non-obvious security hole - I physically turn off power to my wireless devices
-
Bluetooth Security Model
Theoretically, Bluetooth is not a bad security model but security is unfortunately optional
Trusted and locked down device pairing possible
-
Bluetooth Today
Bluetooth sets initially were very low power and hard to intercept
Newer models have more power and can be intercepted to 100 meters or more
-
Bluetooth Security Holes
IEEE has recently published on Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions - even industry group admits security holes
Programs like Blue Stumbler and SNARF attack are available on the web
-
Bluetooth Holes Part 2
Windows servers often configure to connect to all Bluetooth devices in range - a major security breach
Former employees can take connection data
-
Bluetooth Holes Part 3
Phone cards or unsecured headsets may be borrowed and company connection data and security compromised
Windows registry retains all connection data for all devices ever used
-
Bluetooth Networks
Piconets sometimes set up automatically that can allow anyone in range to see your files
Discloses your embedded link security information
Worse if you also have other simultaneous network access
-
Protecting Bluetooth Part 1
Never use unit authentication keys
Always use combination authentication keys with manual PIN input
Use a longer PIN - minimal 4 digit PIN easily cracked by brute force challenges
-
Protecting Bluetooth Part 2
Auto PIN number generation is insecure and allows device impersonation
Never establish device pairing or first meeting in a public or other non-secure environment
Eavesdropping feasible - link data disclosed to third parties
-
Protecting Bluetooth Part 3
Always enable security mode on all devices
You are only as secure as the weakest link that may transmit connection information
Mode 3 security should be used if possible
-
Protecting Bluetooth Part 4
Use only trusted devices
Turn off device pairing mode
-
Protecting Bluetooth Part 5
Bluetooth headsets should use broadband mode and then turn off pairing mode
Use access policies
-
12 Steps to Mobile Security
Install anti-virus, firewall and anti-intrusion software (Norton, ZoneAlarm)
Turn off computers and PDAs when not in use - disable all unused wireless devices including Bluetooth, Wi-Fi, IR
Keep Windows security patches current
-
12 Steps - Part 2
Turn off network bridging between wireless and hard wired networks
Use a hard-wired network with a hardware firewall when not mobile
Enable all possible 802.11 security
-
12 Steps - Part 3
Always turn off network file and printer sharing when mobile
NEVER establish Bluetooth pairings and trusted relationships in a non-secure area - authenticate in private and then turn off pairing mode
-
12 Steps - Part 4
Avoid ad hoc network modes
Use WPA and 802.1X if possible with your Wi-Fi hardware
-
And Number 12
Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.
ACT ACCORDINGLY