introductory computer security 2009

Upload: bogdan-bgd

Post on 14-Apr-2018


  • 7/30/2019 Introductory Computer Security 2009


    Computer Security for the Appropriately Paranoid

    A Broad Overview

    Joseph Kashi, MS, JD


    Data Security


    Several Different Problem Areas

    Wireless security

    Internet security

    Wired network security


    Identity theft issues

    Confidentiality

    Any wireless device can be undetectably intercepted given time

    Federal law enforcement agencies report that wireless and embedded devices are often targets


    Mobile Devices

    Notebook computers

    Flash drives

    Wireless networks

    Bluetooth phones, networks, printers

    GSM cell phones

    PDAs and BlackBerry


    Electronic Data Loss

    Includes identity theft, losses from which topped $48 billion in 2008 despite federal statutes

    Can be more damaging because it is usually not known for many months, or ever, in case of breach of confidentiality, identity theft or credit damage


    Physical Loss or Compromise

    Data loss can be devastating - Gulf War plans were a classic example

    Physical loss affects not only data but entire network security

    Upside - you know it's compromised and can react accordingly


    Short-Term vs. Long Term

    Wireless will be the basic network standard in 7 or 8 years

    Avoid if possible for next 18-24 months - certainly no confidential data

    Wait for new 802.11i hardware


    Curse of the Defaults

    For ease of setup, most wireless devices ship with all security turned off as basic default

    Most users never enable any security

    Security never complete - at best slows down and deters intruders


    Hidden Dangers

    Wi-Fi default is to connect to any nearby computer as part of ad hoc network

    Windows XP default is to bridge between mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network


    Initial Wi-Fi Setup

    Change your router setup password to something other than the published default

    Change your SSID to a non-obvious and unpublished name


    Add Security to Net Setup

    Most small networks use basic MS file and printer sharing protocols - these are totally insecure

    Default is no password and standard network name


    Small Net Setup

    Choose a non-obvious workgroup name

    Avoid Microsoft defaults such as MSHOME

    Don't settle for the first working network configuration, which by default has no security, to aid lay setup


    Router Setup

    Access and configure your Wi-Fi router with a direct Ethernet cable connection

    Use Internet Explorer and standard IP address 192.168.0.1 or 192.168.1.1

    These are published and known


    Router Setup

    Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults

    Your aim is to close, at least partially, an otherwise totally open door


    Locating the Wi-Fi Router

    Set up a DMZ using a second firewall to protect the internal hard-wired LAN

    Place all Wi-Fi and Internet connections outside the hard-wired network's firewall

    Locate the Wi-Fi router to minimize leakage of signal outside office


    Router Setup

    Don't advertise - disable the wireless SSID broadcast, known as beaconing

    Do this only after you have completely set up all computers that are to connect to your Wi-Fi network


    Enable Security

    There are several possibilities - default is no security

    WEP, a weak encryption with many basic vulnerabilities

    WPA needs same upgraded hardware


    WEP Encryption

    Lowest common denominator, but with serious systemic weakness

    Keys easily vulnerable to cracking regardless of key length

    Rotating keys helps but awkward


    MAC Address Filtering

    Every Ethernet device has a unique identifier known as a MAC

    MAC filtering lists allowed or blocked Ethernet devices - not much help if WEP

    Easily fooled - done by most routers, firewalls and hacker freeware


    Access Restrictions

    Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage

    Some benefit but require some knowledge to set up


    WPA Encryption

    More secure but less open interim follow-on to WEP - keys are automatically and securely rotated

    Requires new WPA-capable hardware, all of which should be the same brand and model, with upgraded firmware


    Hardware Firewall

    Adds some protection against hacking through the wired Internet connection

    Generally useful and unobtrusive unless using VPN tunnel or other means of remote access

    Use XP and 802.1X


    Basic Hardening Tips

    Change ALL defaults on ALL devices

    Check for possibly conflicting access points and peer-to-peer networks - these may be an unguarded backdoor.

    Enable at least WEP

    Search for rogue LANs with notebook


    Other Hardening Tips

    If possible, reduce router transmission power to minimum that works

    Install network traffic transmission monitoring hardware/software

    Upgrade older Wi-Fi hardware - the network runs at the lowest common denominator
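
An added example (not from the original slides): a small Python check that applies the Wi-Fi setup and hardening points from the preceding slides to a described configuration. The field names, the default-name lists and the two sample configurations are assumptions constructed for illustration; a missing field is treated as the insecure shipping default.

```python
# Added example: audit a Wi-Fi setup against the checklist on these slides.
# Field names and sample data are hypothetical, constructed for illustration.

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # illustrative list
DEFAULT_WORKGROUPS = {"MSHOME", "WORKGROUP"}                # Microsoft defaults

def audit_wifi(cfg):
    """Return (severity, finding) tuples; missing keys count as defaults."""
    findings = []
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        findings.append(("high", "no encryption enabled (shipping default)"))
    elif enc == "wep":
        findings.append(("medium", "WEP only: keys crackable at any length"))
    if cfg.get("admin_password_is_default", True):
        findings.append(("high", "router setup password is the published default"))
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("medium", "SSID is a vendor default"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID beaconing still enabled"))
    if cfg.get("mode", "infrastructure") == "ad-hoc":
        findings.append(("high", "ad hoc mode connects to any nearby computer"))
    if cfg.get("bridged_to_wired", False):
        findings.append(("high", "wireless interface bridged to the wired LAN"))
    if cfg.get("workgroup", "").upper() in DEFAULT_WORKGROUPS:
        findings.append(("low", "default Windows workgroup name"))
    if cfg.get("mac_filter", False) and enc in ("none", "wep"):
        findings.append(("info", "MAC filtering adds little without WPA"))
    return findings

# Constructed sample configurations.
OUT_OF_BOX = {"ssid": "linksys", "encryption": "none", "mode": "ad-hoc",
              "bridged_to_wired": True, "workgroup": "MSHOME"}
HARDENED = {"ssid": "k7-annex", "encryption": "WPA",
            "admin_password_is_default": False, "ssid_broadcast": False,
            "mode": "infrastructure", "bridged_to_wired": False,
            "workgroup": "KLAW7", "mac_filter": True}

if __name__ == "__main__":
    for name, cfg in (("out-of-box", OUT_OF_BOX), ("hardened", HARDENED)):
        results = audit_wifi(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for severity, text in results:
            print(f"  [{severity}] {text}")
```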


    The Future is 802.11i

    Secure wireless connection - strong hardware encryption and authentication

    New industry standard - not fully gelled

    Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network


    Long Term Fixes

    More powerful handsets with stronger encryption

    New versions of WAPI that fix obvious security holes (www.wapiforum.org)

    UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)


    Virtual Private Networks

    These offer some additional security, particularly with private tunneling software protocols for wireless users

    Look for good performance and lower future costs as DSL networks become more common

    DSL networks - a new approach that could extend to wireless


    Until Then

    Treat wireless devices like a cell phone

    Wireless known to be possibly insecure

    Most confidential data, such as litigation strategy, should not be sent wireless


    Other Security Tips

    Call back vs. direct dial in

    Intrusion detection software: Black Ice

    Set security configuration and user rights carefully

    Change security passwords regularly


    Internet Security Tips

    Instant messaging = insecure

    Internet itself is definitely more secure than wireless due to packet routing

    PGP encryption - easy but not fool-proof

    Encrypt passwords and logins, use an authentication server w/ digital signature


    Internet Security Tips

    Dynamic vs. static IP networks - low cost option for DSL users

    Firewalls - Linksys Ethernet switch, DSL router and hardware firewall.

    DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls


    Internet Security Tips

    Commercial personal software firewall such as McAfee Firewall seems very effective

    Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ


    Curse of the Defaults

    For ease of setup, most wireless devices ship with all security turned off as basic default

    Most users never enable any security

    Security never complete - at best slows down and deters intruders


    Mobile Wi-Fi Woes

    Mobile computers often set to ad hoc network wireless mode, which can connect with any nearby computer

    We saw examples of inadvertent penetration at yesterday's Wi-Fi session

    Always install Wi-Fi as infrastructure mode


    Wi-Fi Is Insecure

    Many cracking programs available free

    War-driving and War-chalking

    Default installations are totally insecure


    Does PDA Mean Portable Disaster Area?

    Some Practical Thoughts about Mobile Security


    Cell Phone Woes

    The most primitive portable device - cells are insecure.

    GSM security model cracked as early as 1998.

    Loaning a phone or GSM card for even a few minutes can compromise your security


    PDAs

    PDAs that depend upon Wi-Fi access have the same security problems as notebook computers

    BlackBerry is a proprietary format that can be made substantially more secure

    You need to fix a PDA's basic Wi-Fi and Bluetooth security holes


    Mobile Security Holes

    Wi-Fi and/or Bluetooth typically installed in notebook computers - hundreds of millions sold each year

    Usually enabled by default even when not used

    A major but non-obvious security hole - I physically turn off power to my wireless devices


    Bluetooth Security Model

    Theoretically, Bluetooth is not a bad security model but security is unfortunately optional

    Trusted and locked down device pairing possible


    Bluetooth Today

    Bluetooth sets initially were very low power and hard to intercept

    Newer models have more power and can be intercepted to 100 meters or more


    Bluetooth Security Holes

    IEEE has recently published on Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions - even industry group admits security holes

    Programs like Blue Stumbler and SNARF attack are available on the web


    Bluetooth Holes Part 2

    Windows servers often configure to connect to all Bluetooth devices in range - a major security breach

    Former employees can take connection data


    Bluetooth Holes Part 3

    Phone cards or unsecured headsets may be borrowed and company connection data and security compromised

    Windows registry retains all connection data for all devices ever used


    Bluetooth Networks

    Piconets sometimes set up automatically that can allow anyone in range to see your files

    Discloses your embedded link security information

    Worse if you also have other simultaneous network access


    Protecting Bluetooth Part 1

    Never use unit authentication keys

    Always use combination authentication keys with manual PIN input

    Use a longer PIN - minimal 4 digit PIN easily cracked by brute force challenges


    Protecting Bluetooth Part 2

    Auto PIN number generation is insecure and allows device impersonation

    Never establish device pairing or first meeting in a public or other non-secure environment

    Eavesdropping feasible - link data disclosed to third parties


    Protecting Bluetooth Part 3

    Always enable security mode on all devices

    You are only as secure as the weakest link that may transmit connection information

    Mode 3 security should be used if possible


    Protecting Bluetooth Part 4

    Use only trusted devices

    Turn off device pairing mode


    Protecting Bluetooth Part 5

    Bluetooth headsets should use broadband mode and then turn off pairing mode

    Use access policies


    12 Steps to Mobile Security

    Install anti-virus, firewall and anti-intrusion software (Norton, ZoneAlarm)

    Turn off computers and PDAs when not in use - disable all unused wireless devices including Bluetooth, Wi-Fi, IR

    Keep Windows security patches current


    12 Steps - Part 2

    Turn off network bridging between wireless and hard wired networks

    Use a hard-wired network with a hardware firewall when not mobile

    Enable all possible 802.11 security


    12 Steps Part 3

    Always turn off network file and printer sharing when mobile

    NEVER establish Bluetooth pairings and trusted relationships in a non-secure area - authenticate in private and then turn off pairing mode


    12 Steps Part 4

    Avoid ad hoc network modes

    Use WPA and 802.1X if possible with your Wi-Fi hardware


    And Number 12

    Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.

    ACT ACCORDINGLY