Personal Internet Self-defense 2004
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Personal Internet Self-defense 2004 as PDF for free.
More details
- Words: 4,629
- Pages: 153
Personal Internet Self-Defense 2003: Security and Privacy for the New Millennium Robert C. Jones, M.D. LtCol, USAF, Medical Corps Staff Anesthesiologist Andrews Air Force Base, Maryland E-mail: [email protected] Web site: http://notbob.com Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Disclaimer/Disclosure This talk represents my own views, not those of the USAF, the DoD, or anyone else. ● I am a Microsoft shareholder. ● I am a Palm shareholder. ●
→Far from a controlling interest in either!
Nobody paid me anything to write or present this. ● The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD. ●
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIIIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Do you feel like this?
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Dirty Truth: “Internet technologies are not designed to be secure. They're designed to be interactive... ...we as consumers are not taking the responsibility...to learn basics about using this stuff” Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
You can’t afford perfect security
“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.” Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
...but can you really afford this?
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What this talk is about ●
Basic Internet self-defense for average users
●
How to protect your privacy on the internet
●
Where to learn more about Net security
●
My own personal opinions (not the USAF)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What this talk is NOT about ●
Advanced intrusion detection and response
●
How to hide nuclear secrets behind photocopiers
●
Advanced TCP/IP networking and protocols
●
Anyone else’s opinions (especially the USAF)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What is Internet Security?
●
For that matter, what is the Internet?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
newsreader
web2mail Mail2News http logon to web e-mail service
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Personal Internet Self-Defense 2003
“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.” Geza Szenes CISSP, Computer Security Awareness: A Case Study, SANS 99 http://www.sans.org/newlook/misc/Final_szenes.pdf
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What do people need?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Maslow’s Hierarchy of Needs
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Security Pyramid
Guru Confidence Privacy Needs Workstation Needs Basic Security Needs Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables) →locks, vigilance in airport X-ray lines/queues
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems →UPS protects against brownouts & surges
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems
●
Lack of reliable current backup →Backup regularly to reliable media; net backup
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems
●
Lack of reliable current backup
●
C & C: Coffee and Cats →Don’t drink and compute; keep fans clean
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords
●
Change Passwords
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Good Passwords →At least 8 characters (more if possible) →Mix of capital and small letters →Mix of letters and numbers →At least one special character ($#@!*^*) →Based on complex passphrase – tB0ntB?t1stFq!
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Bad Passwords →Anything having to do with you – Any part of your social security number – Your birthday – Your kids’ birthdays – Relating to your hobbies
→Less than 8 characters →Anything in a dictionary →Fictional characters (Gandalf, Frodo, Bilbo) Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords →Don’t share them, don’t write them down
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords
●
Change Passwords →Change is good; automatic change is better?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
Too frequent change = bad passwords
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)
●
Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Terms of Endangerment Virus: Self-replicating computer code with variable adverse effect (“payload”) [Example: Melissa macro virus] ● Trojan: Sneaky program which, once activated by user, causes harm to computer, privacy, or both [Example: Back Orifice 2000 (BO2K)] ● Spyware: Programs that connect to internet and report personal data regarding user [Example: RealNetworks Jukebox] ●
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)
●
Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Blaster Worm (2003) ●
●
●
Blaster-B variant exploits hole in MS Windows XP and 2000 (DCOM RPC) Patch had been available for weeks… people just never bother to patch their systems! ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)
Jeffrey Lee Parsons, alleged Blaster Variant B creator Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.htm
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Patch your OS at least monthly
●
Scan all downloaded files and attachments
●
(Radical) Disable M$ Outlook/Outlook Express
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
MS Outlook = Danger! “I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.” Steven J. Vaughan-Nichols ZDNet News May 4, 2000 http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
The Melissa Virus Yet another... E-mail↔Productivity Suite integration exploit
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable routine ActiveX and Java/Javascript
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How Secure is ActiveX? “The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.” --Paul Festa, CNET News.com, 18 Feb 98 http://news.cnet.com/news/0-1003-201-326605-0.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
MSIE 4.72.x
(note: Fixed in MSIE versions 5.x) Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
How to tell when your browser settings are correct...
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
●
Upgrade encryption to 128 bits minimum →40 bits is standard…and insecure.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How to check your encryption strength
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
●
Upgrade encryption to 128 bits minimum
●
Update browser regularly to get bug fixes → But beware of version X.0 of anything
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Don’t be an unpaid beta tester!
“Time to market and functionality always beat out security. Always. Always.” --David Bradley, UC Berkeley, 25 August 99
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Endangered Species
“You have zero privacy now. Get over it.” -- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Endangered Species
“Like murder, privacy invasion is most frequently committed by those close to us.” --Rob Jones, M.D., Dec 1999
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored →E-mail, surfing should be boss/CEO-acceptable
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes →“Shoulder-surfing” on airplanes, ATM machines
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes
●
Lock your workstation when you are away →Password-protected screen saver or log off
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes
●
Lock your workstation when you are away
●
Password-protect sensitive documents →Not cracker-proof, but will deter average snoop
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information →PGP, RSA, IDEA, Blowfish (DES is cracked)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.” from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup) →Pleased to meet you. Hope you guess my name.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Why does my software have to know my name? start | run | regedit | edit | find | your_name
be careful...regedit can ruin your computer if you change stuff unwisely...always back up first
Office 97 and the Personal ID/Global User ID...
Unique number derived, in part, from network card MAC address
get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup)
●
Nuke intrusive information on your hard drive →Cookies and History and Cache, oh my!
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Cookies are bad for your wealth
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup)
●
Nuke intrusive information on your hard drive
●
Use anon proxies for private web browsing → ZKS Freedom, Anonymizer, etc.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How anon proxy servers work Your computer
Anon Proxy Server Web page
Web page
- cookies
+ cookies
“this is joeschmoe@ joesisp.com”
“this is nobody@ anonproxy. net”
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
Web Server X
CIA XXIII
oh, one more thing...
Turn off file and print sharing
•unless you want the Internet to be your LAN •Especially important with cable modem or xDSL
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is spam? ●
Not the Hormel® Luncheon Meat (SPAM™)
●
Unsolicited Bulk e-mail
●
Junk Usenet posts
●
(New) Instant Messaging spam
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Why spam is bad. "Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization." -- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowleged "Father of the Internet”, as quoted on http://www.cauce.org/problem.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox with e-mail
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox with spam Love letter from Salma Hayek Job Offer
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services →bandwidth, hard dive space, per-minute costs, time
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services
●
Costs shifted to recipients, not senders →Unlike junk snail mail; 47 USC 227: no junk faxes
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services
●
Costs shifted to recipients, not senders
●
Content neutral…not a freedom of speech issue! →Violation of Acceptable Use Policies/TOSes →Violation of U.S. state laws (WA, VA…) →Violation of Austrian federal law – http://www.pcwelt.de/ausgabe/99_07/n090799011.HTM
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge →[email protected]
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter →E-mail filter rules; Usenet killfiles; IRC #ignore
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter
●
Use throwaways →Get free e-mail accounts for net registrations
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter
●
Use throwaways
●
Complain →E-mail spammers’ ISPs; be polite to sysops
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is a firewall?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Beaumaris Castle Ynys Môn Cymru
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is a firewall? ●
Firewalls are like medieval moats: →Restrict people to entering at one controlled point →Prevent attackers from getting close to your other defenses →Restrict people to leaving at one controlled point
--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Hi, I’m 102.74.145.234
TCP/IP
Hello, I’m 214.90.1.43
port 23 (telnet) port 25 (smtp) port 119 (nntp) port 6667 (IRC) port 8080 (http)
Everyday computer conversations use many “ports” Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Firewall
Your computer
port 25 (smtp) port 25 (smtp) port 6667 (IRC) port 8080 (http)
Firewalls implement your security decisions Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What a Firewall Can Do ●
Serves as focus for security decisions
●
Enforces security policy
●
Logs internet activity efficiently
●
Limits damage to your network --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What a Firewall Can’t Do ●
Can’t protect against insiders
●
Can’t protect you against connections that don’t pass through it
●
Can’t protect against completely new threats
●
Can’t protect you from viruses/trojans --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Firewalls can’t protect you from SE! (Social Engineering)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
●
Unix/Linux OS vs. any flavor of Windows
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
●
Unix/Linux OS vs. any flavor of Windows
●
Dialup modem vs. always-on Broadband
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Fat pipes make juicy targets!
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software
●
Hardware
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software →NetworkICE BlackICE Defender →Zonelabs ZoneAlarm (free for personal use) →Norton Internet Security 200x →Others…
●
Hardware
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
BlackICE Defender attack list (against my dialup sessions)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Automatic reverse IP address lookup on attacker reveals...
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Zonelabs ZoneAlarm (freeware for personal use)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Zonelabs ZoneAlarm Alert Example
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
NOTE: Updated 10 Jan 02
As of January, 2002, ZoneAlarm (not Black ICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software) On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software
●
Hardware →SonicWall →Watchguard SOHO →Your own Linux box with custom ipchains…etc.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Remember… A poorly-administered firewall is worse than none at all! ● From comp.security.firewalls newsgroup: ●
"JArelXXXX" <[email protected]> wrote in message news:[email protected]... > The company I work for is evaluating the possibility of outsourcing the > administration of the Firewall\VPN… > I have just been appointed responsability (sic) of administering their firewall, > however they do not want to send me to any type of training. They feel > that once I get the training I will leave. Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends? →The worst source. Virus hoaxes and urban legends galore
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media? →24 hours to 3 months behind; Generally clueless with regard to non-web Net events
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media?
●
Books? →Excellent source for fundamentals; usually 1-5 years behind
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Tao of Network Security
1994-1999: Information Access
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
The Tao of Network Security
1994-1999:
2000-2005:
Information Access
Information Denial
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Security 2004 Preview
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Online Resources Physical Security •Targus (notebook locks, alarms): http://www.targus.com/ •American Power Conversion (UPS): http://www.apc.com/ •TrippLite (UPS) : http://www.tripplite.com/ •Iomega (backup hardware, software): http://www.iomega.com/ •Castlewood (backup hardware, software): http://www.castlewood.com/ •Xdrive (online backup): http://www.xdrive.com/ •iBackup (online backup): http://www.ibackup.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Password Security •Picking good passwords → http://www.itis.gatech.edu/doc/passwd.html →http://www.alw.nih.gov/Security/Docs/passwd.html •Top 10 Bad passwords →http://www.knowledgeclicks.com/security/articles/11999 /top10badpasswords.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Antivirus Security •Symantec Antivirus Research Center: http://www.sarc.com/ •McAfee Antivirus Center: http://www.mcafee.com/centers/anti-virus/ •Aladdin E-safe Antivirus/Firewall: http://www.aladdin.co.il/ •Qualcomm Eudora E-mail: http://www.eudora.com/
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Browser Security •Microsoft IE: http://www.microsoft.com/windows/ie/default.htm •Microsoft Security Advisor: http://www.microsoft.com/security/default.asp •Netscape Communicator: http://www.netscape.com/download/index.html •Opera: http://www.opera.com/ •Sam Spade for Windows: http://samspade.org/ssw/ •Check your security with Shields Up! http://grc.com/default.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Privacy Protection •The Electronic Frontier Foundation: http://www.eff.org/ •EPIC: http://www.epic.org/privacy/tools.html •PGP: http://www.pgp.com/ •NSClean/IEClean: http://www.nsclean.com/ •Microsoft Hotmail (for throwaways): http://www.hotmail.com/ •Anonymizer: http:/www.anonymizer.com/ •Zero Knowledge Systems Freedom: http://www.freedom.net/ •Hushmail: http://www.hushmail.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Anti-Spam Activism •Junkbusters: http://www.junkbusters.com/ •Spam.abuse.net: http://spam.abuse.net/ •Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/ •F.R.E.E.: http://www.spamfree.org/ •The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/ •The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html •The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Learning the Lingo (Usenet, IRC, IM) •news.announce.newusers: http://www.netannounce.org/news.announce.newusers •The Net-Abuse FAQ: http://www.cybernothing.org/faqs/net-abuse-faq.html •mIRC IRC FAQ: http://www.mirc.com/ircintro.html •NewIRCusers.com: http://www.newircusers.com/ •ICQ IM Security: http://www.icq.com/features/security/ •IM Security: http://www.pcmag.com/article2/0,4149,1217889,00.asp
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Firewalls •Symantec Norton Internet Security: http://www.symantec.com/ •ZoneLabs ZoneAlarm: http://www.zonelabs.com/ •Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/ •Keeping your site comfortably secure: an introduction to internet firewalls: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/ •Some Hardware Firewall Vendors: http://www.thegild.com/firewall/ •Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/FirewallHOWTO.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Continuing Security Education •The SANS Institute: http://www.sans.org/ •Internet Storm Center: http://isc.sans.org/ •C|Net News.com: http://news.com.com/ (follow security tab) •AntiOnline: http://www.antionline.com/index.php •ISTS: http://news.ists.dartmouth.edu/ •ISS X-Force: http://xforce.iss.net/ •2600: http://www.2600.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Cheswick, WR, Bellovin, SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 • Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, Inc., 1994. ISBN 0-471-03857-1 • Wolff , Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5 • Zimmerman, Philip R., The Official PGP User's Guide, Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6 • Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8 • O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan 97, p. 56 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O’Reilly, 1998. ISBN 1-56592-388-X • Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare • Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity • Honeycutt, Jerry; Pike,Mary Ann, et al., Special Edition: Using the Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN 0-7897-0846-9 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 156761-593-7 • Griffith, Samuel B.(trans), Sun Tzu: The Art of War, New York: Oxford University Press, 1963 ISBN 0-19-501476-6 • Lane, Carole A, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997 ISBN 0-910965-17-X
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1156592-124-0 • Icove, David, Seger, Karl, and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4 • Anonymous, Maximum Security, Second Edition, Indianapolis: Sams, 1998. ISBN 0-672-31341-3
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
CIA XXIII
Disclaimer/Disclosure This talk represents my own views, not those of the USAF, the DoD, or anyone else. ● I am a Microsoft shareholder. ● I am a Palm shareholder. ●
→Far from a controlling interest in either!
Nobody paid me anything to write or present this. ● The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD. ●
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIIIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIIII
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Do you feel like this?
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Dirty Truth: “Internet technologies are not designed to be secure. They're designed to be interactive... ...we as consumers are not taking the responsibility...to learn basics about using this stuff” Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
You can’t afford perfect security
“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.” Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
...but can you really afford this?
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What this talk is about ●
Basic Internet self-defense for average users
●
How to protect your privacy on the internet
●
Where to learn more about Net security
●
My own personal opinions (not the USAF)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What this talk is NOT about ●
Advanced intrusion detection and response
●
How to hide nuclear secrets behind photocopiers
●
Advanced TCP/IP networking and protocols
●
Anyone else’s opinions (especially the USAF)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What is Internet Security?
●
For that matter, what is the Internet?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
newsreader
web2mail Mail2News http logon to web e-mail service
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Personal Internet Self-Defense 2003
“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.” Geza Szenes CISSP, Computer Security Awareness: A Case Study, SANS 99 http://www.sans.org/newlook/misc/Final_szenes.pdf
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What do people need?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Maslow’s Hierarchy of Needs
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Security Pyramid
Guru Confidence Privacy Needs Workstation Needs Basic Security Needs Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables) →locks, vigilance in airport X-ray lines/queues
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems →UPS protects against brownouts & surges
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems
●
Lack of reliable current backup →Backup regularly to reliable media; net backup
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Physical Security 2003 ●
Theft (especially portables)
●
Electrical problems
●
Lack of reliable current backup
●
C & C: Coffee and Cats →Don’t drink and compute; keep fans clean
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords
●
Change Passwords
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Good Passwords →At least 8 characters (more if possible) →Mix of capital and small letters →Mix of letters and numbers →At least one special character ($#@!*^*) →Based on complex passphrase – tB0ntB?t1stFq!
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Bad Passwords →Anything having to do with you – Any part of your social security number – Your birthday – Your kids’ birthdays – Relating to your hobbies
→Less than 8 characters →Anything in a dictionary →Fictional characters (Gandalf, Frodo, Bilbo) Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords →Don’t share them, don’t write them down
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Passwords 2003 ●
Pick Good Passwords
●
Avoid Bad Passwords
●
Protect Passwords
●
Change Passwords →Change is good; automatic change is better?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
Too frequent change = bad passwords
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)
●
Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Terms of Endangerment Virus: Self-replicating computer code with variable adverse effect (“payload”) [Example: Melissa macro virus] ● Trojan: Sneaky program which, once activated by user, causes harm to computer, privacy, or both [Example: Back Orifice 2000 (BO2K)] ● Spyware: Programs that connect to internet and report personal data regarding user [Example: RealNetworks Jukebox] ●
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)
●
Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Blaster Worm (2003) ●
●
●
Blaster-B variant exploits hole in MS Windows XP and 2000 (DCOM RPC) Patch had been available for weeks… people just never bother to patch their systems! ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)
Jeffrey Lee Parsons, alleged Blaster Variant B creator Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.htm
CIA XXIII
Antivirus Defense 2003 ●
Install antivirus software FIRST
●
Update antivirus software regularly
●
Patch your OS at least monthly
●
Scan all downloaded files and attachments
●
(Radical) Disable M$ Outlook/Outlook Express
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
MS Outlook = Danger! “I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.” Steven J. Vaughan-Nichols ZDNet News May 4, 2000 http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
The Melissa Virus Yet another... E-mail↔Productivity Suite integration exploit
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable routine ActiveX and Java/Javascript
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How Secure is ActiveX? “The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.” --Paul Festa, CNET News.com, 18 Feb 98 http://news.cnet.com/news/0-1003-201-326605-0.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
MSIE 4.72.x
(note: Fixed in MSIE versions 5.x) Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
How to tell when your browser settings are correct...
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
●
Upgrade encryption to 128 bits minimum →40 bits is standard…and insecure.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How to check your encryption strength
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Browser Security 2003 ●
Disable ActiveX and Java/Javascript
●
Use the maximum security setting you can stand
●
Upgrade encryption to 128 bits minimum
●
Update browser regularly to get bug fixes → But beware of version X.0 of anything
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Don’t be an unpaid beta tester!
“Time to market and functionality always beat out security. Always. Always.” --David Bradley, UC Berkeley, 25 August 99
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Endangered Species
“You have zero privacy now. Get over it.” -- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Endangered Species
“Like murder, privacy invasion is most frequently committed by those close to us.” --Rob Jones, M.D., Dec 1999
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored →E-mail, surfing should be boss/CEO-acceptable
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes →“Shoulder-surfing” on airplanes, ATM machines
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes
●
Lock your workstation when you are away →Password-protected screen saver or log off
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Privacy 2003: Basic ●
Assume workplace internet use is monitored
●
Beware of prying eyes
●
Lock your workstation when you are away
●
Password-protect sensitive documents →Not cracker-proof, but will deter average snoop
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information →PGP, RSA, IDEA, Blowfish (DES is cracked)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.” from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup) →Pleased to meet you. Hope you guess my name.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Why does my software have to know my name? start | run | regedit | edit | find | your_name
be careful...regedit can ruin your computer if you change stuff unwisely...always back up first
Office 97 and the Personal ID/Global User ID...
Unique number derived, in part, from network card MAC address
get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup)
●
Nuke intrusive information on your hard drive →Cookies and History and Cache, oh my!
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Cookies are bad for your wealth
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Privacy 2003: Advanced ●
Use strong encryption for sensitive information
●
Con your OS (GUID, ComputerName,Workgroup)
●
Nuke intrusive information on your hard drive
●
Use anon proxies for private web browsing → ZKS Freedom, Anonymizer, etc.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
How anon proxy servers work Your computer
Anon Proxy Server Web page
Web page
- cookies
+ cookies
“this is joeschmoe@ joesisp.com”
“this is nobody@ anonproxy. net”
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
Web Server X
CIA XXIII
oh, one more thing...
Turn off file and print sharing
•unless you want the Internet to be your LAN •Especially important with cable modem or xDSL
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is spam? ●
Not the Hormel® Luncheon Meat (SPAM™)
●
Unsolicited Bulk e-mail
●
Junk Usenet posts
●
(New) Instant Messaging spam
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Why spam is bad. "Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization." -- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowleged "Father of the Internet”, as quoted on http://www.cauce.org/problem.html
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox with e-mail
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
This is your Inbox with spam Love letter from Salma Hayek Job Offer
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services →bandwidth, hard dive space, per-minute costs, time
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services
●
Costs shifted to recipients, not senders →Unlike junk snail mail; 47 USC 227: no junk faxes
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Spam = Theft! ●
Key aspect is unauthorized theft of services
●
Costs shifted to recipients, not senders
●
Content neutral…not a freedom of speech issue! →Violation of Acceptable Use Policies/TOSes →Violation of U.S. state laws (WA, VA…) →Violation of Austrian federal law – http://www.pcwelt.de/ausgabe/99_07/n090799011.HTM
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge →[email protected]
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter →E-mail filter rules; Usenet killfiles; IRC #ignore
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter
●
Use throwaways →Get free e-mail accounts for net registrations
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Anti-Spam 2003 ●
Munge
●
Filter
●
Use throwaways
●
Complain →E-mail spammers’ ISPs; be polite to sysops
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is a firewall?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Beaumaris Castle Ynys Môn Cymru
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What is a firewall? ●
Firewalls are like medieval moats: →Restrict people to entering at one controlled point →Prevent attackers from getting close to your other defenses →Restrict people to leaving at one controlled point
--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Hi, I’m 102.74.145.234
TCP/IP
Hello, I’m 214.90.1.43
port 23 (telnet) port 25 (smtp) port 119 (nntp) port 6667 (IRC) port 8080 (http)
Everyday computer conversations use many “ports” Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Firewall
Your computer
port 25 (smtp) port 25 (smtp) port 6667 (IRC) port 8080 (http)
Firewalls implement your security decisions Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
What a Firewall Can Do ●
Serves as focus for security decisions
●
Enforces security policy
●
Logs internet activity efficiently
●
Limits damage to your network --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
What a Firewall Can’t Do ●
Can’t protect against insiders
●
Can’t protect you against connections that don’t pass through it
●
Can’t protect against completely new threats
●
Can’t protect you from viruses/trojans --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Firewalls can’t protect you from SE! (Social Engineering)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
●
Unix/Linux OS vs. any flavor of Windows
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Do you need a firewall? ●
Home user vs. Business user
●
Dynamic internet IP address vs. Static IP address
●
Unix/Linux OS vs. any flavor of Windows
●
Dialup modem vs. always-on Broadband
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Fat pipes make juicy targets!
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software
●
Hardware
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software →NetworkICE BlackICE Defender →Zonelabs ZoneAlarm (free for personal use) →Norton Internet Security 200x →Others…
●
Hardware
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
BlackICE Defender attack list (against my dialup sessions)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Automatic reverse IP address lookup on attacker reveals...
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Zonelabs ZoneAlarm (freeware for personal use)
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Zonelabs ZoneAlarm Alert Example
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
NOTE: Updated 10 Jan 02
As of January, 2002, ZoneAlarm (not Black ICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software) On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does)
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Types of Firewalls ●
Software
●
Hardware →SonicWall →Watchguard SOHO →Your own Linux box with custom ipchains…etc.
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Remember… A poorly-administered firewall is worse than none at all! ● From comp.security.firewalls newsgroup: ●
"JArelXXXX" <[email protected]> wrote in message news:[email protected]... > The company I work for is evaluating the possibility of outsourcing the > administration of the Firewall\VPN… > I have just been appointed responsability (sic) of administering their firewall, > however they do not want to send me to any type of training. They feel > that once I get the training I will leave. Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends? →The worst source. Virus hoaxes and urban legends galore
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media?
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media? →24 hours to 3 months behind; Generally clueless with regard to non-web Net events
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Continuing Security Education 2003 ●
Friends?
●
3-Space Mass Media?
●
Books? →Excellent source for fundamentals; usually 1-5 years behind
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
The Tao of Network Security
1994-1999: Information Access
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
The Tao of Network Security
1994-1999:
2000-2005:
Information Access
Information Denial
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Security 2004 Preview
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Online Resources Physical Security •Targus (notebook locks, alarms): http://www.targus.com/ •American Power Conversion (UPS): http://www.apc.com/ •TrippLite (UPS) : http://www.tripplite.com/ •Iomega (backup hardware, software): http://www.iomega.com/ •Castlewood (backup hardware, software): http://www.castlewood.com/ •Xdrive (online backup): http://www.xdrive.com/ •iBackup (online backup): http://www.ibackup.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Password Security •Picking good passwords → http://www.itis.gatech.edu/doc/passwd.html →http://www.alw.nih.gov/Security/Docs/passwd.html •Top 10 Bad passwords →http://www.knowledgeclicks.com/security/articles/11999 /top10badpasswords.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Antivirus Security •Symantec Antivirus Research Center: http://www.sarc.com/ •McAfee Antivirus Center: http://www.mcafee.com/centers/anti-virus/ •Aladdin E-safe Antivirus/Firewall: http://www.aladdin.co.il/ •Qualcomm Eudora E-mail: http://www.eudora.com/
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Browser Security •Microsoft IE: http://www.microsoft.com/windows/ie/default.htm •Microsoft Security Advisor: http://www.microsoft.com/security/default.asp •Netscape Communicator: http://www.netscape.com/download/index.html •Opera: http://www.opera.com/ •Sam Spade for Windows: http://samspade.org/ssw/ •Check your security with Shields Up! http://grc.com/default.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Privacy Protection •The Electronic Frontier Foundation: http://www.eff.org/ •EPIC: http://www.epic.org/privacy/tools.html •PGP: http://www.pgp.com/ •NSClean/IEClean: http://www.nsclean.com/ •Microsoft Hotmail (for throwaways): http://www.hotmail.com/ •Anonymizer: http:/www.anonymizer.com/ •Zero Knowledge Systems Freedom: http://www.freedom.net/ •Hushmail: http://www.hushmail.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Anti-Spam Activism •Junkbusters: http://www.junkbusters.com/ •Spam.abuse.net: http://spam.abuse.net/ •Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/ •F.R.E.E.: http://www.spamfree.org/ •The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/ •The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html •The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Learning the Lingo (Usenet, IRC, IM) •news.announce.newusers: http://www.netannounce.org/news.announce.newusers •The Net-Abuse FAQ: http://www.cybernothing.org/faqs/net-abuse-faq.html •mIRC IRC FAQ: http://www.mirc.com/ircintro.html •NewIRCusers.com: http://www.newircusers.com/ •ICQ IM Security: http://www.icq.com/features/security/ •IM Security: http://www.pcmag.com/article2/0,4149,1217889,00.asp
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Firewalls •Symantec Norton Internet Security: http://www.symantec.com/ •ZoneLabs ZoneAlarm: http://www.zonelabs.com/ •Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/ •Keeping your site comfortably secure: an introduction to internet firewalls: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/ •Some Hardware Firewall Vendors: http://www.thegild.com/firewall/ •Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/FirewallHOWTO.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Online Resources Continuing Security Education •The SANS Institute: http://www.sans.org/ •Internet Storm Center: http://isc.sans.org/ •C|Net News.com: http://news.com.com/ (follow security tab) •AntiOnline: http://www.antionline.com/index.php •ISTS: http://news.ists.dartmouth.edu/ •ISS X-Force: http://xforce.iss.net/ •2600: http://www.2600.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Cheswick, WR, Bellovin, SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 • Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, Inc., 1994. ISBN 0-471-03857-1 • Wolff , Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5 • Zimmerman, Philip R., The Official PGP User's Guide, Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6 • Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8 • O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan 97, p. 56 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O’Reilly, 1998. ISBN 1-56592-388-X • Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare • Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity • Honeycutt, Jerry; Pike,Mary Ann, et al., Special Edition: Using the Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN 0-7897-0846-9 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 156761-593-7 • Griffith, Samuel B.(trans), Sun Tzu: The Art of War, New York: Oxford University Press, 1963 ISBN 0-19-501476-6 • Lane, Carole A, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997 ISBN 0-910965-17-X
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Offline Resources Books/Articles • Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1156592-124-0 • Icove, David, Seger, Karl, and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4 • Anonymous, Maximum Security, Second Edition, Indianapolis: Sams, 1998. ISBN 0-672-31341-3
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIII
Related Documents
Personal Internet Self-defense 2004
November 2019 31
Pengenalan Internet (2004)
May 2020 13
To De Personal Docente 2004
May 2020 7
Personal
April 2020 49
Personal
December 2019 78
Personal
May 2020 32More Documents from "Jennifer J. Strang"
Splash Corporation
May 2020 28
Neo Realism.c
May 2020 27
1) We Can Set Up Collection Centre For Clothes At
June 2020 28
Ad 1
November 2019 37
How-to-retrieve-online-bill.pdf
May 2020 25