An iStumbler white paper by Alf Watt.
iStumbler recommends that you adopt an Open Stance security policy. Open Stance means securing your computer and its applications so that it can be safely connected to any network at any time. We advocate the use of open networks, public addressing and secure application-layer protocols, which are designed to provide reliable privacy and secure authentication while allowing the full use of existing Internet services.
The Open Stance security policy specifically rejects the use of encrypted networks, virtual private networks, firewalls and other technology designed to create a safe network context in which insecure applications and protocols can be used with reduced risk. These half-solutions are in fact making security on the Internet worse every year: they allow sloppy security practices in software development to continue, and they create an Internet of walled-off networks containing extremely vulnerable machines.
Open Stance is not appropriate to all situations. It is intended to protect personal users on public networks, not to replace enterprise or business security.
Why should you adopt the Open Stance, especially when every other security article you've ever read has said that you must have a firewall, an encrypted network and anti-virus software installed? The short answer is that even after taking these precautions, many users still find themselves at the mercy of the latest infections and a constant stream of newly revealed security problems which become harder and harder to avoid. Recent security problems found in image processing libraries, which are used by the vast majority of programs on several platforms, are a perfect example of unanticipated threats which circumvent the latest defensive measures.
Open Stance relies not on prophylactic devices for security but on preventative methods which encourage you to take responsibility for the security of your devices instead of relying on software agents to 'clean up' your system for you.
Security is an expansive topic. In order to discuss the issues involved, it's helpful to look at three distinct aspects of the big picture:
Physical security involves the protection of real objects and property. While there is little that software can do to improve physical security for average users, there are systems which mitigate the risks of having a laptop or other computer stolen by securing the sensitive data on it.
Preventing your personal information from falling into the wrong hands is more critical than ever. Social Security numbers, bank account details, birth records and many other types of personal information can be very valuable. Unfortunately most copies of this information are out of your control: they reside in large corporate databases which have high perimeter security but which can fall prey to the attacks outlined here if the information is copied onto laptops or other portable devices.
Determining that a given correspondent is who they say they are is a difficult job. From wax seals to digital signatures the technology has advanced, but vendors have not come up with a secure and usable system for confirming the identity of Internet users.
Security threats come in several flavors; we'll have a look at those most often faced by laptop users outside of an office network. While there are other types of attack, these are the ones most likely to be faced by laptop users on public networks.
Physical theft of a laptop or any other device with large amounts of storage can lead to massive loss of data and identifying information. The best mitigation strategy is encrypted storage, which prevents the thief from recovering any sensitive information.
Catching packets as they flow by on the wire or through the air is the least intrusive way to get hold of sensitive information. From the early days of alligator clips on telegraph wires to modern protocol analyzers, which readily provide plain-text output from unencrypted network connections, the ability to listen in has kept pace with the ability to communicate.
Until recently the concern about eavesdropping was a local one: police would need to physically clip wires in order to listen, and network-based intruders would need access to the physical network (i.e. the wiring), which tends to have the same security level as physical files and is therefore easy to understand. Wireless changes this picture, as it allows a remote intercept by a passive listener which leaves no trace in the target system. The recent NSA wiretap scandal also sheds light on the problem of trusted networks: the listener in the best position to eavesdrop is the common carrier.
Details of personal identity can be used by unauthorized parties to secure services and credit under the name of an innocent victim. When credit cards and other reputation based systems are involved these details are almost always acquired from a government or corporate database using various means discussed here.
On a more local scale, session hijacking can result in short-term access to privileged services and information by way of intercepting an HTTP cookie or session URL from an insecure web site. Exposure of this type is usually limited, but it can lead to other sensitive information being disclosed.
Perhaps the most insidious attack is the attempt to gain '0wnership' of many hundreds of remote computers through the use of Trojan horse software. These compromised machines can be turned to any number of nefarious purposes as part of a bot-net. This is a serious problem for owners of insecure computers on home DSL lines, which are always connected to the Internet and can be compromised and herded into bot-nets, forming powerful distributed systems suitable for launching denial of service attacks and hosting phishing and pharming sites.
Looking at the information that needs securing and the present threats we can formulate a few simple rules for securing your computer.
Listeners are processes which listen for incoming network connections. For a personal computer used to read mail, surf the web and create and edit office documents there should be exactly zero listeners.
Network services open ports, which are one of the vectors along which worms can travel to infect a computer. Only run network services if you need them, and make every effort to secure them. On a Mac OS system you can make very good use of another remote computer using just SSH.
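Checking the "exactly zero listeners" rule in practice, as an added example that is not from the iStumbler paper: a small shell audit that reads the output of lsof -nP -iTCP -sTCP:LISTEN (the sample below is constructed to look like that output) and reports only the listeners bound to a network-reachable address. It goes one step beyond the text by separating loopback-only sockets, which cannot be reached from the wifi network, from the ones that matter.

```shell
#!/bin/sh
# Added example: audit TCP listeners from lsof output and report those
# reachable from the network. SAMPLE_LSOF is constructed, not captured.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      211 root    3u  IPv4 0x0a1b      0t0  TCP *:22 (LISTEN)
cupsd     312 root    5u  IPv4 0x0c2d      0t0  TCP 127.0.0.1:631 (LISTEN)
AppleFile 415 root    7u  IPv4 0x0e3f      0t0  TCP *:548 (LISTEN)
mDNSResp  118 nobody  9u  IPv6 0x1234      0t0  TCP [::1]:5353 (LISTEN)'

# Print "PID COMMAND ADDR:PORT" for every listener whose bind address is not
# loopback. A socket bound only to 127.0.0.1 or [::1] is invisible to other
# machines on the network, so it does not count against the zero-listener rule.
network_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                  # skip lsof header
        $(NF-1) ~ /^(127\.0\.0\.1|\[::1\]):/ { next }     # loopback only
        { print $2, $1, $(NF-1) }'
}

# Number of network-reachable listeners; Open Stance wants this to be 0.
count_network_listeners() {
    network_listeners "$1" | wc -l | tr -d ' '
}

# On a live Mac OS system: network_listeners "$(lsof -nP -iTCP -sTCP:LISTEN)"
network_listeners "$SAMPLE_LSOF"
echo "network-reachable listeners: $(count_network_listeners "$SAMPLE_LSOF")"
```

Each line the audit prints is a service to either shut off or deliberately keep and harden; on the constructed sample it flags sshd and AppleFile but not the loopback-bound cupsd and mDNSResponder sockets.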
Limit the use of administrative privilege, which gives you the ability to really make a mess of your computer.
OS vendors provide various methods for securing sensitive information; it's a very good idea to encrypt anything you wouldn't want someone who later stole or purchased the device to recover.
Virus and Trojan horse infections rely on a vector to move themselves to your computer. The term is borrowed from epidemiology, where it refers to the way in which a virus infects its host; malaria, for example, uses mosquitos as one vector of infection.
The two most common vectors for computer infection are Internet Explorer and Outlook; replacing these two pieces of software with Firefox and Thunderbird can almost completely eliminate the problem of virus, spyware and adware Trojan infections.
Public networks are not trustworthy. Read the headlines and you'll quickly see that AT&T is giving the NSA access to your traffic for analysis, and hotspots are like watering holes on the savanna: everybody comes to drink and predators lurk on the fringes. Since you can't always control or trust the networks you're using, the key is to use applications that secure their own traffic. This is referred to as end-to-end security, and it can provide you with privacy even when you are using your computer on an open wifi network at the coffee shop down the street.
SPOP and IMAPS provide transport security for checking your email; use them to keep your email private from local eavesdroppers and to prevent the loss of your username and password. Sending email is a very different issue: you can secure the connection to your SMTP server, but the mail will be stored in plain text on the mail server, which means that your ISP (and potentially the NSA) can read all your mail, coming and going.
Unfortunately email is not a private medium; it's essentially the same as sending a postcard through the mail. Most of the time only the recipient reads it, but anyone who handles it along the way can easily turn it over and see its contents.
There are solutions for securing your email, but they rely on public-key cryptography, which has not yet achieved the ease of use necessary for widespread adoption. Several problems need to be solved around the issuance and distribution of public keys.
Web pages come in two flavors, plain-text and secure; you can tell the difference from the protocol portion of the URL, which comes before the colon: http://plaintext.com or https://secure.com. When a web site uses the https protocol, all the traffic between you and the server hosting the page is secure. When a site uses plain http, the text of the web page and any responses that you send to it are sent in plain text.
For browsing and reading the web http is generally acceptable, but when you are providing or looking at sensitive information https is necessary to prevent eavesdroppers from intercepting your traffic.
Most chat clients and protocols are insecure, and all messages are routed through a central server which is in a position to log or intercept all messages. There are some commercial chat solutions which apply public-key cryptography to secure messages, but they have the same problems as email.
Peer-to-peer networks are inherently public; don't share anything you wouldn't want to be associated with. This is especially important now that the RIAA is trolling P2P networks looking for 'stolen' music. Once an RIAA scanner identifies that you have some Britney Spears in your shared folder, it logs your IP address and issues a subpoena to your ISP so that they can forward your information to the settlement center.
There is no shortage of articles, TV reports and other white papers which tell you to turn on encryption for your wireless network. This type of encryption has some advantages for corporate users, but for most home users with only one computer the easiest, best performing and most secure solution is to leave your wireless network open.
While WEP and WPA Personal have a minimal impact on network performance, they don't do a very good job of protecting your privacy from other legitimate network users, since everyone shares the same key and can read each other's traffic. Thus you have to trust everyone who joins your network. This is broken, since you not only have to trust the particular user but also that their computer is not unknowingly infected.
Wireless encryption only prevents a nearby eavesdropper from listening in on your traffic; it does not protect your data once it reaches the global Internet, where it can be intercepted at one of the intermediate switches. This used to be a theoretical problem, but the NSA wiretap reporting shows that there is a real threat to privacy when you're not using the
Good encryption is expensive: WPA Enterprise, which provides individual keys for each user as well as constantly rotating key values, takes as much as 15% of the available bandwidth from an 802.11g network. Considering that your traffic is still open to inspection when it reaches the Internet, users pay a very high price in bandwidth and latency for very little protection.
Once your computers and applications are secured, it is possible to take the final step and open up your own network to public use. As long as there is no reason to suspect abuse (you live upstairs from a coffee shop, for example) you can now safely open up your network for visitors, neighbors and people in the
A typical DSL connection is issued one static or dynamic routable address. For most wireless users this address is used by their wireless access point, which allocates addresses for, and performs Network Address Translation on, a private network (numbered 10.x.x.x, 192.168.x.x or 172.x.x.x). While this is convenient, since you don't have to manually configure each computer added to the network, it is very difficult to connect directly to a computer inside the private network from the public Internet.
Enabling WEP security is a very good way to indicate that a particular network is private, but there is no flag for indicating that a network should be publicly accessible. Adding '.public' to the end of your network name helps to indicate that the network is available for public access: myhouse.public, for example.
Firewalls are appropriate to situations where the cost of administration is greater than the cost of the information that they protect. With personal firewalls the cost is fairly low, but so is the objective value of the information (subjectively it's very valuable, but to an outside observer there is probably not much of real interest). Costs begin to accrue when the user wants to do more with their computer: running P2P applications, personal file sharing on a home network and direct transfer of files using chat clients are all impacted by firewalls. In order to use these services, users must configure their firewall to allow the desired traffic through. This is difficult for most users, who don't have a lot of experience managing Internet services.
In the end, there is no difference to an attacker between a closed port and a filtered port which the firewall protects. Close all your ports and you can turn off the firewall, since there will be no open ports to filter.
Copyright © 2006, Alf Watt (alf@istumbler.net).
All rights reserved.
Redistribution and use permitted under BSD License in license.txt.