Computer Security for the Appropriately Paranoid A Broad Overview Joseph Kashi, MS, JD.

Presentation transcript:

Computer Security for the Appropriately Paranoid A Broad Overview Joseph Kashi, MS, JD

Data Security

Several Different Problem Areas
- Wireless security
- Internet security
- Wired network security

- Identity theft issues
- Confidentiality
- Any wireless device can be undetectably intercepted given time
- Federal law enforcement agencies report that wireless and embedded devices are often targets

Mobile Devices
- Notebook computers
- Flash drives
- Wireless networks
- Bluetooth – phones, networks, printers
- GSM cell phones
- PDAs and BlackBerry

Electronic Data Loss
- Includes identity theft, losses from which topped $48 billion in 2008 despite federal statutes
- Can be more damaging because the loss is usually not known, ever or for many months, in cases of breach of confidentiality, identity theft or credit damage

Physical Loss or Compromise
- Data loss can be devastating – Gulf War plans were a classic example
- Physical loss affects not only data but entire network security
- Upside – You know it’s compromised and can react accordingly

Short-Term vs. Long Term
- Wireless will be the basic network standard in 7 or 8 years
- Avoid if possible for next months – certainly no confidential data
- Wait for new i hardware

Curse of the Defaults
- For ease of setup, most wireless devices ship with all security turned off as the basic default
- Most users never enable any security
- Security is never complete – at best it slows down and deters intruders

Hidden Dangers
- Wi-Fi default is to connect to any nearby computer as part of an ad hoc network
- Windows XP default is to bridge between the mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network

Initial Wi-Fi Setup
- Change your router setup password to something other than the published default
- Change your SSID to a non-obvious and unpublished name

Add Security to Net Setup
- Most small networks use basic MS file and printer sharing protocols - these are totally insecure
- Default is no password and standard network name

Small Net Setup
- Choose a non-obvious workgroup name
- Avoid Microsoft defaults such as MSHOME
- Don’t settle for the first working network configuration, which by default has no security in order to aid lay setup

Router Setup
- Access and configure your Wi-Fi router with a direct Ethernet cable connection
- Use Internet Explorer and standard IP address or
- These are published and known

Router Setup
- Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults
- Your aim is to close, at least partially, an otherwise totally open door

Locating the Wi-Fi Router
- Set up a “DMZ” using a second firewall to protect the internal hard-wired LAN
- Place all Wi-Fi and Internet connections outside the hard-wired network’s firewall
- Locate the Wi-Fi router to minimize leakage of signal outside office

Router Setup
- Don’t advertise – disable the wireless SSID broadcast known as beaconing
- Do this only after you have completely set up all computers that are to connect to your Wi-Fi network

Enable Security
- There are several possibilities – default is no security
- WEP, a “Weak” encryption with many basic vulnerabilities
- WPA needs same upgraded hardware

WEP Encryption
- Lowest common denominator, but with serious systemic weakness
- Keys easily vulnerable to cracking regardless of key length
- Rotating keys helps but is awkward

MAC Address Filtering
- Every Ethernet device has a unique identifier known as a MAC
- MAC filtering lists allowed or blocked Ethernet devices – not much help if WEP
- Easily fooled - done by most routers, firewalls and hacker freeware

Access Restrictions
- Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage
- Some benefit but require some knowledge to set up

WPA Encryption
- More secure but less open interim follow-on to WEP – keys are automatically and securely rotated
- Requires new WPA-capable hardware, all of which should be the same brand and model, with upgraded firmware

Hardware Firewall
- Adds some protection against hacking through the wired Internet connection
- Generally useful and unobtrusive unless using VPN tunnel or other means of remote access
- Use XP and 802.1X

Basic Hardening Tips
- Change ALL defaults on ALL devices
- Check for possibly conflicting access points and peer to peer networks – these may be an unguarded backdoor.
- Enable at least WEP
- Search for rogue LANs with notebook
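
The notebook survey in these tips, as an added example that is not part of the original presentation: a Python audit of a walk-around scan that flags unencrypted or WEP-only office access points, factory-default SSIDs, ad hoc networks, and unapproved devices advertising the office SSID. The CSV layout, SSIDs, MAC addresses, default-SSID list and the -55 dBm threshold are all constructed assumptions.

```python
import csv
import io

# Constructed walk-around survey (not real data). Columns are an assumed
# export format: one row per network a notebook saw inside the office.
SURVEY_CSV = """\
ssid,bssid,mode,encryption,signal_dbm
ex-office-7f3,02:00:00:00:00:01,infrastructure,WPA,-45
linksys,02:00:00:00:00:02,infrastructure,NONE,-40
ex-office-7f3,02:00:00:00:00:03,infrastructure,WEP,-50
ex-office-7f3,02:00:00:00:00:99,infrastructure,NONE,-60
laptop-share,02:00:00:00:00:10,adhoc,NONE,-52
printer-setup,02:00:00:00:00:30,infrastructure,NONE,-38
cafe-next-door,02:00:00:00:00:20,infrastructure,WPA,-82
"""

# Hypothetical site policy: the office SSID and the access points we own.
OFFICE_SSID = "ex-office-7f3"
APPROVED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02",
                   "02:00:00:00:00:03"}
# Illustrative list of factory-default network names (assumption).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "wireless"}

REASONS = {
    "ad-hoc": "peer-to-peer network in range; possible unguarded backdoor",
    "no-encryption": "office access point still has security turned off",
    "wep": "office access point uses WEP only; move to WPA where possible",
    "default-ssid": "office access point still uses a factory-default SSID",
    "rogue-ssid": "unapproved device is advertising the office SSID",
    "unknown-strong": "unknown access point with a strong signal on site",
}


def audit_survey(csv_text, office_ssid, approved_bssids, strong_dbm=-55):
    """Return (bssid, finding_code) tuples in the order rows were seen."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssid = row["ssid"].strip()
        bssid = row["bssid"].strip().lower()
        mode = row["mode"].strip().lower()
        enc = row["encryption"].strip().upper()
        signal = int(row["signal_dbm"])

        if mode == "adhoc":
            # Ad hoc networks bypass the access point and its policy.
            findings.append((bssid, "ad-hoc"))
        elif bssid in approved_bssids:
            # Our own hardware: check that the defaults were changed.
            if enc in ("", "NONE"):
                findings.append((bssid, "no-encryption"))
            elif enc == "WEP":
                findings.append((bssid, "wep"))
            if ssid.lower() in DEFAULT_SSIDS:
                findings.append((bssid, "default-ssid"))
        elif ssid == office_ssid:
            # Same name as ours, but not a device we installed.
            findings.append((bssid, "rogue-ssid"))
        elif signal >= strong_dbm:
            # Loud enough to be inside the premises rather than next door.
            findings.append((bssid, "unknown-strong"))
    return findings


if __name__ == "__main__":
    for bssid, code in audit_survey(SURVEY_CSV, OFFICE_SSID, APPROVED_BSSIDS):
        print(f"{bssid}  {code:<15} {REASONS[code]}")
```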

Other Hardening Tips
- If possible, reduce router transmission power to minimum that works
- Install network traffic transmission monitoring hardware/software
- Upgrade older Wi-Fi hardware – the network runs at the lowest common denominator

The Future is i
- Secure wireless connection - strong hardware encryption and authentication
- New industry standard not fully gelled
- Requires total Wi-Fi network rebuild with new i hardware throughout entire network

Long Term Fixes
- More powerful handsets with stronger encryption
- New versions of WAPI that fix obvious security holes (
- UL-style security ratings for wireless and Internet security products and services (

Virtual Private Networks
- These offer some additional security, particularly with private tunneling software protocols for wireless users
- Look for good performance and lower future costs as DSL networks become more common
- DSL networks a new approach that could extend to wireless

Until Then
- Treat wireless devices like a cell phone
- Wireless known to be possibly insecure
- Most confidential data, such as litigation strategy, should not be sent wireless

Other Security Tips
- Call back vs. direct dial in
- Intrusion detection software: Black Ice
- Set security configuration and user rights carefully
- Change security passwords regularly

Internet Security Tips
- Instant messaging = insecure
- Internet itself is definitely more secure than wireless due to packet routing
- PGP encryption - easy but not fool-proof
- Encrypt passwords and logins, use an authentication server w/ digital signature

Internet Security Tips
- Dynamic vs. static IP networks - low cost option for DSL users
- Firewalls - Linksys Ethernet switch, DSL router and hardware firewall.
- DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls

Internet Security Tips
- Commercial personal software firewall such as McAfee Firewall seems very effective
- Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ

Curse of the Defaults
- For ease of setup, most wireless devices ship with all security turned off as the basic default
- Most users never enable any security
- Security is never complete – at best it slows down and deters intruders

Mobile Wi-Fi Woes
- Mobile computers often set to “ad hoc” network wireless mode, which can connect with any nearby computer
- We saw examples of inadvertent penetration at yesterday’s Wi-Fi session
- Always install Wi-Fi as “infrastructure mode”

Wi-Fi Is Insecure
- Many cracking programs available free
- War-driving and War-chalking
- Default installations are totally insecure

Does PDA Mean “Portable Disaster Area”? Some Practical Thoughts about Mobile Security

Cell Phone Woes
- The most primitive portable device - cells are insecure.
- GSM security model cracked as early as
- Loaning a phone or GSM card for even a few minutes can compromise your security

PDAs
- PDAs that depend upon Wi-Fi access have the same security problems as notebook computers
- BlackBerry is a proprietary format that can be made substantially more secure
- You need to fix a PDA’s basic Wi-Fi and Bluetooth security holes

Mobile Security Holes
- Wi-Fi and/or Bluetooth typically installed in notebook computers – hundreds of millions sold each year
- Usually enabled by default even when not used
- A major but non-obvious security hole – I physically turn off power to my wireless devices

Bluetooth Security Model
- Theoretically, Bluetooth is not a bad security model but security is unfortunately optional
- Trusted and locked down device pairing possible

Bluetooth Today
- Bluetooth sets initially were very low power and hard to intercept
- Newer models have more power and can be intercepted to 100 meters or more

Bluetooth Security Holes
- IEEE has recently published on the Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions – even the industry group admits security holes
- Programs like Blue Stumbler and SNARF attack are available on the web

Bluetooth Holes Part 2
- Windows servers are often configured to connect to all Bluetooth devices in range – a major security breach
- Former employees can take connection data

Bluetooth Holes Part 3
- Phone cards or unsecured headsets may be borrowed and company connection data and security compromised
- Windows registry retains all connection data for all devices ever used

Bluetooth Networks
- “Piconets” sometimes set up automatically that can allow anyone in range to see your files
- Discloses your embedded link security information
- Worse if you also have other simultaneous network access

Protecting Bluetooth – Part 1
- Never use “unit” authentication keys
- Always use “combination” authentication keys with manual PIN input
- Use a longer PIN – a minimal 4-digit PIN is easily cracked by brute force challenges

Protecting Bluetooth Part 2
- Auto PIN number generation is insecure and allows device impersonation
- Never establish device pairing or first meeting in a public or other non-secure environment
- Eavesdropping feasible – link data disclosed to third parties

Protecting Bluetooth Part 3
- Always enable security mode on all devices
- You are only as secure as the weakest link that may transmit connection information
- Mode 3 security should be used if possible

Protecting Bluetooth Part 4
- Use only trusted devices
- Turn off device pairing mode

Protecting Bluetooth Part 5
- Bluetooth headsets should use broadband mode and then turn off pairing mode
- Use access policies

12 Steps to Mobile Security
- Install anti-virus, firewall and anti-intrusion software (Norton, Zone Alarm)
- Turn off computers and PDAs when not in use – disable all unused wireless devices including Bluetooth, Wi-Fi, IR
- Keep Windows security patches current

12 Steps - Part 2
- Turn off network bridging between wireless and hard wired networks
- Use a hard-wired network with a hardware firewall when not mobile
- Enable all possible security

12 Steps Part 3
- Always turn off network file and printer sharing when mobile
- NEVER establish Bluetooth pairings and trusted relationships in a non-secure area – authenticate in private and then turn off pairing mode

12 Steps – Part 4
- Avoid “ad hoc” network modes
- Use WPA and 802.1X if possible with your Wi-Fi hardware

And – Number 12
- Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.
- ACT ACCORDINGLY