Personal Internet Self-defense 2004

Personal Internet Self-Defense 2003: Security and Privacy for the New Millennium Robert C. Jones, M.D. LtCol, USAF, Medical Corps Staff Anesthesiologist Andrews Air Force Base, Maryland E-mail: [email protected] Web site: http://notbob.com Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Disclaimer/Disclosure This talk represents my own views, not those of the USAF, the DoD, or anyone else. ● I am a Microsoft shareholder. ● I am a Palm shareholder. ●

→Far from a controlling interest in either!

Nobody paid me anything to write or present this. ● The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD. ●

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIIIII

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIIII

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Do you feel like this?

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

The Dirty Truth: “Internet technologies are not designed to be secure. They're designed to be interactive... ...we as consumers are not taking the responsibility...to learn basics about using this stuff” Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

You can’t afford perfect security

“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.” Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

...but can you really afford this?

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

What this talk is about ●

Basic Internet self-defense for average users

●

How to protect your privacy on the internet

●

Where to learn more about Net security

●

My own personal opinions (not the USAF)

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

What this talk is NOT about ●

Advanced intrusion detection and response

●

How to hide nuclear secrets behind photocopiers

●

Advanced TCP/IP networking and protocols

●

Anyone else’s opinions (especially the USAF)

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

What is Internet Security?

●

For that matter, what is the Internet?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

newsreader

web2mail Mail2News http logon to web e-mail service

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Personal Internet Self-Defense 2003

“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.” Geza Szenes CISSP, Computer Security Awareness: A Case Study, SANS 99 http://www.sans.org/newlook/misc/Final_szenes.pdf

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

What do people need?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Maslow’s Hierarchy of Needs

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

The Security Pyramid

Guru Confidence Privacy Needs Workstation Needs Basic Security Needs Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Physical Security 2003 ●

Theft (especially portables)

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Physical Security 2003 ●

Theft (especially portables) →locks, vigilance in airport X-ray lines/queues

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Physical Security 2003 ●

Theft (especially portables)

●

Electrical problems →UPS protects against brownouts & surges

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Physical Security 2003 ●

Theft (especially portables)

●

Electrical problems

●

Lack of reliable current backup →Backup regularly to reliable media; net backup

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Physical Security 2003 ●

Theft (especially portables)

●

Electrical problems

●

Lack of reliable current backup

●

C & C: Coffee and Cats →Don’t drink and compute; keep fans clean

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Passwords 2003 ●

Pick Good Passwords

●

Avoid Bad Passwords

●

Protect Passwords

●

Change Passwords

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Passwords 2003 ●

Good Passwords →At least 8 characters (more if possible) →Mix of capital and small letters →Mix of letters and numbers →At least one special character ($#@!*^*) →Based on complex passphrase – tB0ntB?t1stFq!

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Passwords 2003 ●

Bad Passwords →Anything having to do with you – Any part of your social security number – Your birthday – Your kids’ birthdays – Relating to your hobbies

→Less than 8 characters →Anything in a dictionary →Fictional characters (Gandalf, Frodo, Bilbo) Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Passwords 2003 ●

Pick Good Passwords

●

Avoid Bad Passwords

●

Protect Passwords →Don’t share them, don’t write them down

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Passwords 2003 ●

Pick Good Passwords

●

Avoid Bad Passwords

●

Protect Passwords

●

Change Passwords →Change is good; automatic change is better?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

Too frequent change = bad passwords

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Antivirus Defense 2003 ●

Install antivirus software FIRST

●

Update antivirus software regularly

●

Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)

●

Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Terms of Endangerment Virus: Self-replicating computer code with variable adverse effect (“payload”) [Example: Melissa macro virus] ● Trojan: Sneaky program which, once activated by user, causes harm to computer, privacy, or both [Example: Back Orifice 2000 (BO2K)] ● Spyware: Programs that connect to internet and report personal data regarding user [Example: RealNetworks Jukebox] ●

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Antivirus Defense 2003 ●

Install antivirus software FIRST

●

Update antivirus software regularly

●

Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)

●

Scan all downloaded files and attachments →Beware of viruses, trojans, spyware…

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Blaster Worm (2003) ●

●

●

Blaster-B variant exploits hole in MS Windows XP and 2000 (DCOM RPC) Patch had been available for weeks… people just never bother to patch their systems! ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)

Jeffrey Lee Parsons, alleged Blaster Variant B creator Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.htm

CIA XXIII

Antivirus Defense 2003 ●

Install antivirus software FIRST

●

Update antivirus software regularly

●

Patch your OS at least monthly

●

Scan all downloaded files and attachments

●

(Radical) Disable M$ Outlook/Outlook Express

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

MS Outlook = Danger! “I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.” Steven J. Vaughan-Nichols ZDNet News May 4, 2000 http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

The Melissa Virus Yet another... E-mail↔Productivity Suite integration exploit

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Browser Security 2003 ●

Disable routine ActiveX and Java/Javascript

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

How Secure is ActiveX? “The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.” --Paul Festa, CNET News.com, 18 Feb 98 http://news.cnet.com/news/0-1003-201-326605-0.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Browser Security 2003 ●

Disable ActiveX and Java/Javascript

●

Use the maximum security setting you can stand

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

MSIE 4.72.x

(note: Fixed in MSIE versions 5.x) Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

How to tell when your browser settings are correct...

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Browser Security 2003 ●

Disable ActiveX and Java/Javascript

●

Use the maximum security setting you can stand

●

Upgrade encryption to 128 bits minimum →40 bits is standard…and insecure.

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

How to check your encryption strength

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Browser Security 2003 ●

Disable ActiveX and Java/Javascript

●

Use the maximum security setting you can stand

●

Upgrade encryption to 128 bits minimum

●

Update browser regularly to get bug fixes → But beware of version X.0 of anything

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Don’t be an unpaid beta tester!

“Time to market and functionality always beat out security. Always. Always.” --David Bradley, UC Berkeley, 25 August 99

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Privacy 2003: Endangered Species

“You have zero privacy now. Get over it.” -- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Endangered Species

“Like murder, privacy invasion is most frequently committed by those close to us.” --Rob Jones, M.D., Dec 1999

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Basic ●

Assume workplace internet use is monitored

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Basic ●

Assume workplace internet use is monitored →E-mail, surfing should be boss/CEO-acceptable

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Basic ●

Assume workplace internet use is monitored

●

Beware of prying eyes →“Shoulder-surfing” on airplanes, ATM machines

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Basic ●

Assume workplace internet use is monitored

●

Beware of prying eyes

●

Lock your workstation when you are away →Password-protected screen saver or log off

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Privacy 2003: Basic ●

Assume workplace internet use is monitored

●

Beware of prying eyes

●

Lock your workstation when you are away

●

Password-protect sensitive documents →Not cracker-proof, but will deter average snoop

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Privacy 2003: Advanced ●

Use strong encryption for sensitive information →PGP, RSA, IDEA, Blowfish (DES is cracked)

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.” from Introduction to Cryptography, Network Associates, 1999 Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Privacy 2003: Advanced ●

Use strong encryption for sensitive information

●

Con your OS (GUID, ComputerName,Workgroup) →Pleased to meet you. Hope you guess my name.

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Why does my software have to know my name? start | run | regedit | edit | find | your_name

be careful...regedit can ruin your computer if you change stuff unwisely...always back up first

Office 97 and the Personal ID/Global User ID...

Unique number derived, in part, from network card MAC address

get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm

Privacy 2003: Advanced ●

Use strong encryption for sensitive information

●

Con your OS (GUID, ComputerName,Workgroup)

●

Nuke intrusive information on your hard drive →Cookies and History and Cache, oh my!

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Cookies are bad for your wealth

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Privacy 2003: Advanced ●

Use strong encryption for sensitive information

●

Con your OS (GUID, ComputerName,Workgroup)

●

Nuke intrusive information on your hard drive

●

Use anon proxies for private web browsing → ZKS Freedom, Anonymizer, etc.

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

How anon proxy servers work Your computer

Anon Proxy Server Web page

Web page

- cookies

+ cookies

“this is joeschmoe@ joesisp.com”

“this is nobody@ anonproxy. net”

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

Web Server X

CIA XXIII

oh, one more thing...

Turn off file and print sharing

•unless you want the Internet to be your LAN •Especially important with cable modem or xDSL

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

What is spam? ●

Not the Hormel® Luncheon Meat (SPAM™)

●

Unsolicited Bulk e-mail

●

Junk Usenet posts

●

(New) Instant Messaging spam

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Why spam is bad. "Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization." -- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowleged "Father of the Internet”, as quoted on http://www.cauce.org/problem.html

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

This is your Inbox

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

This is your Inbox with e-mail

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

This is your Inbox with spam Love letter from Salma Hayek Job Offer

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Spam = Theft! ●

Key aspect is unauthorized theft of services →bandwidth, hard dive space, per-minute costs, time

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Spam = Theft! ●

Key aspect is unauthorized theft of services

●

Costs shifted to recipients, not senders →Unlike junk snail mail; 47 USC 227: no junk faxes

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Spam = Theft! ●

Key aspect is unauthorized theft of services

●

Costs shifted to recipients, not senders

●

Content neutral…not a freedom of speech issue! →Violation of Acceptable Use Policies/TOSes →Violation of U.S. state laws (WA, VA…) →Violation of Austrian federal law – http://www.pcwelt.de/ausgabe/99_07/n090799011.HTM

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Anti-Spam 2003 ●

Munge →[email protected]

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Anti-Spam 2003 ●

Munge

●

Filter →E-mail filter rules; Usenet killfiles; IRC #ignore

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Anti-Spam 2003 ●

Munge

●

Filter

●

Use throwaways →Get free e-mail accounts for net registrations

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Anti-Spam 2003 ●

Munge

●

Filter

●

Use throwaways

●

Complain →E-mail spammers’ ISPs; be polite to sysops

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

What is a firewall?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Beaumaris Castle Ynys Môn Cymru

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

What is a firewall? ●

Firewalls are like medieval moats: →Restrict people to entering at one controlled point →Prevent attackers from getting close to your other defenses →Restrict people to leaving at one controlled point

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Hi, I’m 102.74.145.234

TCP/IP

Hello, I’m 214.90.1.43

port 23 (telnet) port 25 (smtp) port 119 (nntp) port 6667 (IRC) port 8080 (http)

Everyday computer conversations use many “ports” Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Firewall

Your computer

port 25 (smtp) port 25 (smtp) port 6667 (IRC) port 8080 (http)

Firewalls implement your security decisions Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

What a Firewall Can Do ●

Serves as focus for security decisions

●

Enforces security policy

●

Logs internet activity efficiently

●

Limits damage to your network --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

What a Firewall Can’t Do ●

Can’t protect against insiders

●

Can’t protect you against connections that don’t pass through it

●

Can’t protect against completely new threats

●

Can’t protect you from viruses/trojans --Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Firewalls can’t protect you from SE! (Social Engineering)

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Do you need a firewall? ●

Home user vs. Business user

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Do you need a firewall? ●

Home user vs. Business user

●

Dynamic internet IP address vs. Static IP address

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Do you need a firewall? ●

Home user vs. Business user

●

Dynamic internet IP address vs. Static IP address

●

Unix/Linux OS vs. any flavor of Windows

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Do you need a firewall? ●

Home user vs. Business user

●

Dynamic internet IP address vs. Static IP address

●

Unix/Linux OS vs. any flavor of Windows

●

Dialup modem vs. always-on Broadband

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Fat pipes make juicy targets!

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Types of Firewalls ●

Software

●

Hardware

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Types of Firewalls ●

Software →NetworkICE BlackICE Defender →Zonelabs ZoneAlarm (free for personal use) →Norton Internet Security 200x →Others…

●

Hardware

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

BlackICE Defender attack list (against my dialup sessions)

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Automatic reverse IP address lookup on attacker reveals...

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Zonelabs ZoneAlarm (freeware for personal use)

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Zonelabs ZoneAlarm Alert Example

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

NOTE: Updated 10 Jan 02

As of January, 2002, ZoneAlarm (not Black ICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software) On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does)

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Types of Firewalls ●

Software

●

Hardware →SonicWall →Watchguard SOHO →Your own Linux box with custom ipchains…etc.

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Remember… A poorly-administered firewall is worse than none at all! ● From comp.security.firewalls newsgroup: ●

"JArelXXXX" <[email protected]> wrote in message news:[email protected]... > The company I work for is evaluating the possibility of outsourcing the > administration of the Firewall\VPN… > I have just been appointed responsability (sic) of administering their firewall, > however they do not want to send me to any type of training. They feel > that once I get the training I will leave. Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Continuing Security Education 2003 ●

Friends?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Continuing Security Education 2003 ●

Friends? →The worst source. Virus hoaxes and urban legends galore

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Continuing Security Education 2003 ●

Friends?

●

3-Space Mass Media?

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Continuing Security Education 2003 ●

Friends?

●

3-Space Mass Media? →24 hours to 3 months behind; Generally clueless with regard to non-web Net events

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Continuing Security Education 2003 ●

Friends?

●

3-Space Mass Media?

●

Books? →Excellent source for fundamentals; usually 1-5 years behind

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

The Tao of Network Security

1994-1999: Information Access

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

The Tao of Network Security

1994-1999:

2000-2005:

Information Access

Information Denial

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Security 2004 Preview

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Online Resources Physical Security •Targus (notebook locks, alarms): http://www.targus.com/ •American Power Conversion (UPS): http://www.apc.com/ •TrippLite (UPS) : http://www.tripplite.com/ •Iomega (backup hardware, software): http://www.iomega.com/ •Castlewood (backup hardware, software): http://www.castlewood.com/ •Xdrive (online backup): http://www.xdrive.com/ •iBackup (online backup): http://www.ibackup.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Password Security •Picking good passwords → http://www.itis.gatech.edu/doc/passwd.html →http://www.alw.nih.gov/Security/Docs/passwd.html •Top 10 Bad passwords →http://www.knowledgeclicks.com/security/articles/11999 /top10badpasswords.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Antivirus Security •Symantec Antivirus Research Center: http://www.sarc.com/ •McAfee Antivirus Center: http://www.mcafee.com/centers/anti-virus/ •Aladdin E-safe Antivirus/Firewall: http://www.aladdin.co.il/ •Qualcomm Eudora E-mail: http://www.eudora.com/

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Browser Security •Microsoft IE: http://www.microsoft.com/windows/ie/default.htm •Microsoft Security Advisor: http://www.microsoft.com/security/default.asp •Netscape Communicator: http://www.netscape.com/download/index.html •Opera: http://www.opera.com/ •Sam Spade for Windows: http://samspade.org/ssw/ •Check your security with Shields Up! http://grc.com/default.htm Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Privacy Protection •The Electronic Frontier Foundation: http://www.eff.org/ •EPIC: http://www.epic.org/privacy/tools.html •PGP: http://www.pgp.com/ •NSClean/IEClean: http://www.nsclean.com/ •Microsoft Hotmail (for throwaways): http://www.hotmail.com/ •Anonymizer: http:/www.anonymizer.com/ •Zero Knowledge Systems Freedom: http://www.freedom.net/ •Hushmail: http://www.hushmail.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Anti-Spam Activism •Junkbusters: http://www.junkbusters.com/ •Spam.abuse.net: http://spam.abuse.net/ •Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/ •F.R.E.E.: http://www.spamfree.org/ •The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/ •The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html •The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Learning the Lingo (Usenet, IRC, IM) •news.announce.newusers: http://www.netannounce.org/news.announce.newusers •The Net-Abuse FAQ: http://www.cybernothing.org/faqs/net-abuse-faq.html •mIRC IRC FAQ: http://www.mirc.com/ircintro.html •NewIRCusers.com: http://www.newircusers.com/ •ICQ IM Security: http://www.icq.com/features/security/ •IM Security: http://www.pcmag.com/article2/0,4149,1217889,00.asp

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Firewalls •Symantec Norton Internet Security: http://www.symantec.com/ •ZoneLabs ZoneAlarm: http://www.zonelabs.com/ •Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/ •Keeping your site comfortably secure: an introduction to internet firewalls: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/ •Some Hardware Firewall Vendors: http://www.thegild.com/firewall/ •Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/FirewallHOWTO.html Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Online Resources Continuing Security Education •The SANS Institute: http://www.sans.org/ •Internet Storm Center: http://isc.sans.org/ •C|Net News.com: http://news.com.com/ (follow security tab) •AntiOnline: http://www.antionline.com/index.php •ISTS: http://news.ists.dartmouth.edu/ •ISS X-Force: http://xforce.iss.net/ •2600: http://www.2600.com/ Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D.. All Rights Reserved.

CIA XXIII

Offline Resources Books/Articles • Cheswick, WR, Bellovin, SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 • Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, Inc., 1994. ISBN 0-471-03857-1 • Wolff , Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Offline Resources Books/Articles • Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5 • Zimmerman, Philip R., The Official PGP User's Guide, Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6 • Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8 • O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan 97, p. 56 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Offline Resources Books/Articles • Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O’Reilly, 1998. ISBN 1-56592-388-X • Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare • Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity • Honeycutt, Jerry; Pike,Mary Ann, et al., Special Edition: Using the Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN 0-7897-0846-9 Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Offline Resources Books/Articles • Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 156761-593-7 • Griffith, Samuel B.(trans), Sun Tzu: The Art of War, New York: Oxford University Press, 1963 ISBN 0-19-501476-6 • Lane, Carole A, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997 ISBN 0-910965-17-X

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII

Offline Resources Books/Articles • Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1156592-124-0 • Icove, David, Seger, Karl, and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4 • Anonymous, Maximum Security, Second Edition, Indianapolis: Sams, 1998. ISBN 0-672-31341-3

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

CIA XXIII