Primer on Security Issues
The purpose of this post is to provide an overview of security issues that you need to be aware of in various contexts.
One can think of technology security issues in a similar manner to non-technical security issues. For example, your front door is typically locked from the outside, but not the inside. Firewalls built into routers behave the same way: they prevent network connections from being established from the outside, but allow computers within the network to establish connections to the outside.
When we discuss or access sensitive topics (like finance), we hold the discussion in a way that others can’t listen in on. When the kids were growing up, my wife and I would have these discussions in our bedroom with the door closed so that even the kids couldn’t overhear. That was our version of the “Cone of Silence” (for all those Get Smart fans). That’s why using SSL for on-line purchasing or finance is crucial.
We secure our valuables, such as our wallets, checkbook, etc., when we travel. We need to do the same for our devices, as well as use passwords and encrypt disks/devices.
Now’s a good time to state that there is no perfect security, in life or in technology. Security decisions in technology are trade-offs between threats, cost and usability. As a result, you need to understand the various threats and apply best practices to them. Also, there are a number of security issues, and in this post I’ll touch on some of the most crucial. Additional posts will be added later with more information and more detail about securing your systems and network.
This is also a good time to mention that security is not my specialty, though I understand security concepts as they apply to various technologies.
So all that said, let’s dive in and expand on this topic in the context of various environments that you and your family likely operate within.
The front door (metaphorically)
You want to keep the bad guys out so they can’t access the inside of your network, but also so they can’t hold open the door for others to enter or use your network and computers to attack others. The principal method to do this is to place a router between your external connection and your network. Why is this important?
Your Internet connection is provided by an Internet Service Provider (ISP), most likely over DSL, cable or FiOS. ISPs are assigned blocks of IP addresses which are well known by the bad guys. They also know the various default ports for listening. Chances are that most of the well-defined listening ports (e.g., 80 for HTTP, 25 for SMTP, or 161 for SNMP) associated with the IP assigned to you are probed thousands of times per day in attempts to get in. Assume someone is trying the door knob or windows constantly, waiting for that moment that you unlock the door or window. Routers prevent this from happening, which is why you need a router even if you only have one computer on the connection. If you’ve run a computer (particularly Windows) without protection on the net, even for just a few minutes, assume it has been compromised, especially if you’ve enabled file sharing.
So how do routers help? First, they only allow data connections between computers/devices on the inside and the outside that were requested from the inside. Any requests from the outside would not only be blocked, but from the requester’s perspective, it would be as if the given IP address and port is inactive. This can be configured to allow certain connections, like HTTP connections on, say, port 80 if you’re running a web service from your home network, but that would mean that you’d need to ensure that your server is configured in such a manner as to not allow unfettered access to your network.
Next, routers use a technology called NAT, or network address translation. With NAT, all your devices are configured with IP addresses that are local and not visible or accessible outside your network. Common local addresses are: 192.168.xxx.xxx and 10.xxx.xxx.xxx (where “xxx” is replaced with a number from 0-255). Let’s say you want to browse to a site. The router will make the request for you, using the public IP address assigned to you by your ISP, keeping track of which device made the request. As connections are made and data flows, the outside party only knows about the public address, and the router makes the connection to the internal address, getting the data to and from the right device.
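The two router behaviors described above (NAT bookkeeping and dropping unsolicited inbound traffic) can be modeled in a few lines. This is an added illustration, not code from any router; the `HomeRouter` class, its method names and all addresses are constructed for the example, and real routers vary in how strictly they match replies.

```python
# Added illustration: a toy model of a home router doing NAT with stateful
# inbound filtering. All addresses and ports are constructed sample values.
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.7"   # constructed (documentation address range)


@dataclass
class HomeRouter:
    public_ip: str = PUBLIC_IP
    nat: dict = field(default_factory=dict)       # public port -> (lan ip, lan port, remote)
    forwards: dict = field(default_factory=dict)  # public port -> (lan ip, lan port)
    _ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN device opens a connection; the router rewrites the source."""
        public_port = next(self._ports)
        self.nat[public_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return (self.public_ip, public_port)      # all the remote side ever sees

    def port_forward(self, public_port, lan_ip, lan_port):
        """Deliberate exception, e.g. exposing a home web server on port 80."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) to deliver to, or None to drop silently."""
        entry = self.nat.get(public_port)
        if entry and entry[2] == (remote_ip, remote_port):
            return entry[:2]                       # reply to a connection we started
        if public_port in self.forwards:
            return self.forwards[public_port]      # explicitly opened by the owner
        return None                                # unsolicited: looks like a dead port


def demo():
    r = HomeRouter()
    seen = r.outbound("192.168.1.20", 51000, "198.51.100.10", 443)
    reply = r.inbound("198.51.100.10", 443, seen[1])
    probe = r.inbound("192.0.2.99", 4444, 80)      # stranger tries port 80
    spoof = r.inbound("192.0.2.99", 443, seen[1])  # wrong remote host, mapped port
    r.port_forward(80, "192.168.1.50", 8080)
    opened = r.inbound("192.0.2.99", 4444, 80)     # same probe after forwarding
    return seen, reply, probe, spoof, opened


if __name__ == "__main__":
    print(demo())
```

Once the port forward exists, the same outside probe that was dropped now reaches the internal server, which is why a forwarded service has to be locked down on its own.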
Unauthorized access in your home network
You have a well-configured router, so the front door is secure. However, you could still have unauthorized access to your network. This could occur by snooping on your home network traffic or actually attaching to your network. For fully wired networks (i.e., no wireless capability), this means do not allow anyone to access your internal network unless you’re comfortable that you understand what they have done. Don’t let someone attach a device to your network unless you requested it. Be careful with contractors accessing your network. That said, this really isn’t a big issue for wired networks, but keep it in mind.
For wireless networks, it’s a huge issue since the radio signal isn’t contained to your home but leaks outside of it. To protect your home network, you need to configure your wireless access point to use strong encryption with a hard-to-break passcode (which is used to generate the encryption key). For more information on securing your home network, see Overview of Home Networking.
One related and somewhat sensitive issue: don’t give your network credentials to friends and family members who you don’t trust. Your kid’s buddy comes over and wants the wireless credentials to access the Net. You don’t know their buddy, and though your son or daughter vouches for the kid, you could be opening your network up to being hacked or to a virus. Modern routers have “guest” capabilities, which allow you to give guests in your home access to the Internet without permitting them on your internal network. Keep in mind: though they are not on your internal network, there are still activities that your guest can do that can cause you a problem, like downloading movies and music illegally. Guest accounts still use the same public IP address that your regular network uses, which is how your ISP and other entities (like music publishers) identify customers that use too much bandwidth or are engaged in illegal activities. You’re ultimately responsible for what happens on that public address, so be clear about what can and cannot be done on your network, even if only allowing access to your guest account.
Viruses, Trojan horses and other malware
On a secured network, the only way a bad guy can get in is to trick a user into letting them in. This is done through malicious software, or malware. Malware is defined as any software installed on a device that makes the device or computer operate in an undesirable manner to achieve some benefit to the malware writer. This is the classic fox in the henhouse issue. Once a beachhead is established within your network, computers on your network can be “turned” to cause all sorts of havoc to your systems and to others in the wider net.
This is a topic I’ll delve into in more detail in future posts. However, keep the following in mind: If you’re running MS Windows, always run a commercial antivirus program such as McAfee or Norton. There have not been many viruses on the Mac, but it’s still not a bad idea to run something. The big boys (e.g., McAfee and Norton) have Mac solutions also. Personally, I run ClamAV on my Macs.
For devices, the issue is thornier, since there really isn’t antivirus software for devices. However, the concept is if you only run software available via the appropriate store (e.g., Apple App Store), the device should be OK. All bets are off with devices that are jail-broken, which allows software to be loaded and run from outside this circle of trust. Smart phone and tablet security is rapidly evolving and I suspect over time we will start to see issues with devices.
Also, it’s crucial to exercise good practices like never clicking on a link in an email message unless you are very sure it’s real. You are better off copying the link from the email, then pasting the link in a web page. TIP: If you have a smart phone, you might do the copy-n-paste on your smart phone since it’s highly probable that if it is a malware link, it’s designed for a Windows system. Another good practice for Macs and Windows 7 is to never permit software to be installed on your machine unless you initiated that installation. Both systems will ask you if it’s all right whenever they detect software getting installed. Never “just click yes” on these requests by default.
All of this is for naught if someone breaks into your home and steals the computer or disk with all your data on it, or finds the sheet of paper with all your passwords and URLs listed.
First, securing your home is crucial. I know someone who never locks their doors. I know others who lock their doors but are in high crime areas without an alarm system. 20 years ago, a break-in was disruptive, emotionally troubling, but in the end, if no one was hurt, it was just stuff. In the 21st century, a break-in can mean so much more.
So, let’s assume physical entry is accomplished. You then need to ensure that whatever the burglar finds is useless to him/her. I have the following suggestions:
- Passwords – There are simply too many different standards for login names and passwords which results in multiple passwords that must be remembered. As a result, most folks I know have a list of login credentials somewhere in their home or on their computers. I’d recommend having the list in one place and storing the list in an encrypted file or filesystem that you only open when you need the information so if someone steals the computer or disk it’s on, they’ll not be able to read the file. You can also use an on-line password manager (subject for a future posting) in lieu of a local list. However, whatever you do, you’ll still have at least one password that you’d need to know (and if you’re not around someone else will need to know).
- Sensitive data – Be sure that financial records, credentials for your wireless router and other sensitive data are protected. My recommendation is to again create an encrypted filesystem to store that information. To create an OSX (Mac) encrypted container, see this Macworld article. On Windows see this article. For an encryption solution that works on both Mac and Windows, I use the open source product TrueCrypt.
- Paper – Any paper copies of sensitive information should be protected the old-fashioned way by locking or hiding. I’d recommend a bank safe deposit box, but ensure that you have enough family members on the account to be able to retrieve the list if something happens to you.
When traveling, you’ll need to take additional precautions:
- Laptops/devices – Just about everyone carries some form of computer, be it smart phone, tablet and/or laptop. To help secure them:
  - First and foremost, protect them like your wallet. Keep them in a protected pocket or bag that you are hanging on to. Be particularly careful in crowded spaces, where a device can be pick-pocketed, bag-snatched or simply snatched from your hands while you are using it.
  - Be sure you have a strong password on the device or laptop. For smart phones, this is a tradeoff between security and convenience. A strong password (one with upper and lower letters, plus at least one number and at least one special character, 8 or more in length) is a pain when making a call. You can use a simpler password if your phone supports a limit to the number of tries. On iPhones and iPads, set general->Passcode lock->Erase Data to ON, which will erase your phone after 10 consecutive failures to log in.
  - For laptops, encrypt the entire drive. What you’re protecting against here is a hacker removing the disk from the machine and mounting it on another computer where he/she can access your data without your login creds. To encrypt a drive on OSX Lion, use FileVault 2. For Windows 7, use BitLocker. For both, you can use TrueCrypt. Once done, drive encryption is easy to use since you don’t need to do anything extra to get to your data, just log in. Be sure to secure the key at home if you need it. Even on your home desktop, whole-drive encryption is a powerful mechanism for protecting your data. A couple of caveats: First, you need a machine that can handle the extra processing required to encrypt/decrypt constantly. For that reason, using full drive encryption is probably not worth it for older versions of OSX and Windows. As always, ensure that your encryption passcode is strong.
- Public Networks – On the road, you need to assume that all connections, be they coffee shop Wi-Fi, hotel wireless or hotel wired connections, are compromised. There are the following concerns:
  - If you plan to read email, purchase on-line or do banking, then you’ll need to connect securely (frankly this isn’t any different than at home). This typically means encrypting your connection, which in the web world means either Secure Sockets Layer (SSL) for email and web connections or a Virtual Private Network (VPN) for encrypting your entire session. BTW, these technologies are not mutually exclusive. Even if you are using a VPN, you’ll want to use SSL for a banking connection. When connecting via a browser, always look for evidence that you’re connecting securely, either a “lock” icon or that the address starts with “https:”.
  - Be sure that directory and file sharing is OFF. If you are on a public network, others can access that laptop folder you use to share data between your various computers at home. Most people forget this one (me included).
  - Also, be sure that your device/laptop’s name and description don’t contain any sensitive identifying information. A lot of folks use their names either in their computer name or description or other identifying information.
- Cellular Networks – If you’re connecting via EDGE, 3G, or 4G, you don’t need to worry about the connection to the cell provider’s servers; it’s encrypted. However, like any data that will be shipped through the Internet, keep in mind that beyond the provider it is in the clear, so again you need to have an SSL or VPN connection for sensitive transactions like banking or on-line purchasing.
On-line services (or services in-the-cloud)
There are a number of very useful services that reside in what’s called the Cloud. Cloud services are services that are provided on the Net or as they say “within the network cloud”. For these on-line services, you need to be concerned about a couple things.
First, like any other sensitive connection, the connection to the server needs to be encrypted (likely via SSL). Next, how is the data stored? Is it encrypted or stored in the clear? Service providers like to store in the clear since it allows them to de-duplicate data, which means storing only one copy of data that is identical.
Finally, how is the data transmitted between the various servers that the service provider owns? Is the data protected on their internal network or (more importantly) when using a public backbone or the Net?
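The storage question above (clear text lets a provider de-duplicate, encryption does not) can be seen in a small model. This is an added illustration, not any provider's code: `BlobStore`, `toy_encrypt` and `compare` are hypothetical names, the users are constructed, and `toy_encrypt` is only a stand-in for a real cipher such as AES-GCM.

```python
# Added illustration: why storing uploads "in the clear" enables
# de-duplication, and why per-user encryption defeats it.
import hashlib
import hmac
import secrets


class BlobStore:
    """Content-addressed storage: one copy per distinct byte string."""

    def __init__(self):
        self.blobs = {}    # sha256 hex digest -> stored bytes
        self.owners = {}   # sha256 hex digest -> set of user names

    def put(self, user, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)            # stored once per digest
        self.owners.setdefault(digest, set()).add(user)
        return digest


def toy_encrypt(key, plaintext):
    """Stand-in for a real cipher: random nonce plus an HMAC-SHA256
    keystream XORed with the data. Illustration only."""
    nonce = secrets.token_bytes(16)
    stream, block = b"", 0
    while len(stream) < len(plaintext):
        counter = block.to_bytes(8, "big")
        stream += hmac.new(key, nonce + counter, hashlib.sha256).digest()
        block += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def compare(document):
    """Two users upload the same document, first in the clear, then encrypted."""
    clear, sealed = BlobStore(), BlobStore()
    for user in ("alice", "bob"):                      # constructed users
        clear.put(user, document)
        user_key = secrets.token_bytes(32)             # each user has their own key
        sealed.put(user, toy_encrypt(user_key, document))
    shared = [sorted(names) for names in clear.owners.values()]
    return len(clear.blobs), shared, len(sealed.blobs)


if __name__ == "__main__":
    print(compare(b"2011 tax return, constructed sample bytes"))
```

In the clear, the provider keeps one copy and can also see that both users hold the same file; with per-user encryption it stores two unrelated blobs and learns neither the content nor the overlap.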
Most reputable services will make this information available to you so you can make your decision about the use of the service. One note here: Apple has not provided this information for their new iCloud service, which is why I’m being careful about what I put up in this particular cloud service.
- Password guidelines
- Mobile device security — Here’s a good article about mobile device security by the Higher Education Information Security Council.
- Home Network Security — Here is a comprehensive article on Home Network Security by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.
- Whole disk Encryption and privacy — The Electronic Frontier Foundation (EFF) recommends that all computers use whole disk encryption for privacy as well as data security.
- Public Networks – PC Magazine offers 10 Tips for Public Wi-Fi Hotspot Security for Windows 7, though the concepts are applicable to OSX for Macs.