Computer Security for the Appropriately Paranoid

A Broad Overview
Joseph Kashi, MS, JD

Data Security

Several Different Problem Areas

Wireless security Internet security

Wired network security

Identity theft issues

Confidentiality Any wireless device can be undetectably intercepted given time Federal law enforcement agencies report that wireless and embedded devices are often targets

Mobile Devices

Notebook computers flash drives Wireless networks Bluetooth phones, networks, printers GSM cell phones PDAs and BlackBerry

Electronic Data Loss

Includes identity theft, losses from which topped $48 billion loss in 2008 despite federal statutes

Can be more damaging because usually not known ever or for many months in case of breach of confidentiality, identity theft or credit damage

Physical Loss or Compromise

Data loss can be devastating Gulf War plans were a classic example Physical loss affects not only data but entire network security Upside You know its compromised and can react accordingly

Short-Term vs. Long Term

Wireless will be the basic network standard in 7 or 8 years Avoid if possible for next 18-24 months certainly no confidential data

Wait for new 802.11i hardware

Curse of the Defaults

For ease of set up, most wireless devices ships with all security turned off as basic default Most users never enable any security Security never complete at best slows down and deters intruders

Hidden Dangers

Wi-Fi default is connect to any nearby computer as part of ad hoc network

Windows XP default is to bridge between mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network

Initial Wi-Fi Setup

Change your router setup password to something other than the published default Change your SSID to a nonobvious and unpublished name

Add Security to Net Setup

Most small networks use basic MS file and printer sharing protocols these are totally insecure Default is no password and standard network name

Small Net Setup

Choose a non-obvious workgroup name Avoid Microsoft defaults such as MSHOME Dont settle for the first working network configuration which by default has no security, to aid lay setup

Router Setup

Access and configure your Wi-Fi router with a direct Ethernet cable connection

Use Internet Explorer and standard IP address 192.168.0.1. or 192.168.1.1

These are published and known

Router Setup

Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults Your aim is to close, at least partially, and otherwise totally open door

Locating the Wi-Fi Router

Set up a DMZ using a second firewall to protect the internal hard-wired LAN

Place all Wi-Fi and Internet connections outside the hard-wired networks firewall
Locate the Wi-Fi router to minimize leakage of signal outside office

Router Setup

Dont advertise disable the wireless SSID broadcast known as beaconing Do this only after you have completely setup all computers that are to connection to your Wi-Fi network

Enable Security

There are several possibilities default is no security WEP, a Weak encryption with many basic vulnerabilities WPA needs same upgraded hardware

WEP Encryption

Lowest common denominator, but with serious systemic weakness Keys easily vulnerable to cracking regardless of key length

Rotating keys helps but awkward

MAC Address Filtering

Every Ethernet device has an unique identifier known as a MAC MAC filtering lists allowed or blocked Ethernet devices not much help if WEP Easily fooled - done by most routers, firewalls and hacker freeware

Access Restrictions

Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage Some benefit but require some knowledge to set up

WPA Encryption

More secure but less open interim follow on to WEP keys are automatically and securely rotated
Requires new WPA capable hardware, all of which should be the same brand and model, with upgraded firmware

Hardware Firewall

Adds some protection against hacking through the wired Internet connection Generally useful and unobtrusive unless using VPN tunnel or other means of remote access Use XP and 802.1X

Basic Hardening Tips

Change ALL defaults on ALL devices

Check for possibly conflicting access points and peer to peer networks these may be an unguarded backdoor.
Enable at least WEP Search for rogue LANs with notebook

Other Hardening Tips

If possible, reduce router transmission power to minimum that works Install network traffic transmission monitoring hardware/software Upgrade older Wi-Fi hardware the network runs at the lowest common denominator

The Future is 802.11i

Secure wireless connection strong hardware encryption and authentication

New industry standard not fully gelled Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network

Long Term Fixes

More powerful handsets with stronger encryption New versions of WAPI that fix obvious security holes (www.wapiforum.org)

UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)

Virtual Private Networks

These offer some additional security, particularly with private tunneling software protocols for wireless users

Look for good performance and lower future costs as DSL networks become more common
DSL networks a new approach that could extend to wireless

Until Then

Treat wireless devices like a cell phone Wireless known to be possibly insecure Most confidential data, such as litigation strategy, should not be sent wireless

Other Security Tips

Call back vs.. direct dial in Intrusion detection software: Black Ice Set security configuration and user rights carefully Change security passwords regularly

Internet Security Tips

Instant messaging = insecure Internet itself is definitely more secure than wireless due to packet routing PGP encryption - easy but not fool-proof Encrypt passwords and logins, use an authentication server w/ digital signature

Internet Security Tips

Dynamic Vs. Static IP networks - low cost option for DSL users Firewalls- Linksys Ethernet switch, DSL router and hardware firewall.

DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls

Internet Security Tips

Commercial personal software firewall such as McAfee Firewall seems very effective

Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ

Curse of the Defaults

For ease of set up, most wireless devices ships with all security turned off as basic default

Most users never enable any security Security never complete at best slows down and deters intruders

Mobile Wi-Fi Woes

Mobile computers often set to ad hoc network wireless mode, which can connect with any nearby computer

We saw examples of inadvertent penetration at yesterdays Wi-Fi session

Always install Wi-Fi as infrastructure mode

Wi-Fi Is Insecure

Many cracking programs available free War-driving and War-chalking Default installations are totally insecure

Does PDA Mean Portable Disaster Area?

Some Practical Thoughts about Mobile Security

Cell Phone Woes

The most primitive portable device - cells are insecure. GSM security model cracked as early as 1998. Loaning a phone or GSM card for even a few minutes can compromise your security

PDAs

PDAs that depend upon Wi-Fi access have the same security problems as notebook computers BlackBerry is a proprietary format that can be made substantially more secure You need to fix a PDAs basic Wi-Fi and Bluetooth security holes

Mobile Security Holes

Wi-Fi and/or Bluetooth typically installed in notebook computers hundreds of millions sold each year Usually enabled by default even when not used A major but non-obvious security hole I physically turn off power to my wireless devices

Bluetooth Security Model

Theoretically, Bluetooth is not a bad security model but security is unfortunately optional

Trusted and locked down device pairing possible

Bluetooth Today

Bluetooth sets initially were very low power and hard to intercept Newer models have more power and can be intercepted to 100 meters or more

Bluetooth Security Holes

IEEE has recently published on Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions even industry group admits security holes Programs like Blue Stumbler and SNARF attack are available on the web

Bluetooth Holes Part 2

Windows servers often configure to connect to all Bluetooth devices in range a major security breach Former employees can take connection data

Bluetooth Holes Part 3

Phone cards or unsecured headsets may be borrowed and company connection data and security compromised Windows registry retains all connection data for all devices ever used

Bluetooth Networks

Piconets sometimes set up automatically that can allow anyone in range to see your files Discloses your embedded link security information Worse if you also have other simultaneous network access

Protecting Bluetooth Part 1

Never use unit authentication keys Always use combination authentication keys with manual PIN input

Use a longer PIN minimal 4 digit PIN easily cracked by brute force challenges

Protecting Bluetooth Part 2

Auto PIN number generation is insecure and allows device impersonation Never establish device pairing or first meeting in a public or other non-secure environment Eavesdropping feasible link data disclosed to third parties

Protecting Bluetooth Part 3

Always enable security mode on all devices You are only as secure as the weakest link that may transmit connection information Mode 3 security should be used if possible

Protecting Bluetooth Part 4

Use only trusted devices

Turn off device pairing mode

Protecting Bluetooth Part 5

Bluetooth headsets should use broadband mode and then turn off pairing mode Use access policies

12 Steps to Mobile Security

Install anti-virus, firewall and antiintrusion software (Norton, Zone Alarm)

Turn off computers and PDAs when not in use disable all unused wireless devices including Bluetooth, Wi-Fi, IR
Keep Windows security patches

12 Steps - Part 2

Turn off network bridging between wireless and hard wired networks Use a hard-wired network with a hardware firewall when not mobile Enable all possible 802.11 security

12 Steps Part 3

Always turn off network file and printer sharing when mobile

NEVER establish Bluetooth

pairings and trusted relationships in a non-secure area authenticate in private and then turn off pairing mode

12 Steps Part 4

Avoid ad hoc network modes Use WPA and 802.1X if possible with your Wi-Fi hardware

And Number 12

Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.

ACT ACCORDINGLY