InfoSec - Security in a wired world


Much has been made lately of information security breaches... TJX, HMRC, HSBC to name a few have all come under the media spotlight - and they're just the ones we get to hear about. Behind every high-profile data loss there are a hundred or more that slip by under the radar, and most of them are people at home, blissfully unaware that their computer has been compromised and their identity stolen. Blissful, that is, until their next credit card or bank statement comes through. By then, it's too late.

So how do we protect ourselves in the Digital Age? Well, there are a few things we can all do - both to protect our identities on-line, and the more sensitive data we own. First, though, it's worth a quick review of what your identity is.

Who are you?

Your online presence may be small, or it may be great. You may have your own blog, you may be a member of a great many forums, you may be on Facebook, eBay, LinkedIn, and MySpace. Or you may simply share your email address with close friends and family. Your Internet identity, therefore, is wholly your own to make, share and protect. Be careful how much information you publish about yourself, though - dates of birth, addresses, etc. form your personal identity. How many times have you called your bank, or your insurance company, and they've asked you for your address and date of birth?

Fortress You!

Protecting your personal identity is half of the battle - the other half is protecting your access, keeping the PC or Mac you use to connect safe from the dangers of the outside world. Want to know how much you're being scanned - every day? Enable logging on your router or firewall, or if you run a Linux firewall - such as Smoothwall - check the kernel logs. You'll be surprised to see exactly how much traffic hits your router that never gets to your PC.

That's not the end of the story, though. Like the elephant-gun effect, hit your router with enough traffic and eventually something will get through. Something your router has open - because you have UPnP enabled and your router has kindly opened some ports for you, or because you've put your PC in a DMZ to help you host network games, or because you want to run your own web/mail/whatever server and have opened up ports yourself. If you must open your computer to the Internet, don't keep any personal data on it and don't use it for logging into your bank, building society, or anywhere that requires your authentication (such as the PlusNet portal, your Yahoo! mail account, etc). Keep your personal details and your open systems separate, and you're almost there.

Protect, Scan and Patch.

Having your personal data on your machine may not necessarily be the worst thing in the world to do. Obviously don't do it if you can help it, but there are ways you can protect the sensitive data you hold on your computer. PGP, or the open-source GPG software is the first step on this road. Encrypt your data, and use a VERY strong passphrase and encryption algorithm, and any data people grab from you will be useless to them - without the use of a seriously beefy system and a few years to crack it open.

Protecting your data is a good start, but you also need to protect the machine it lives on. Firewall/routers, and the firewall component provided by your friendly neighbourhood ISP are great, but they don't go the whole way - they never can. Understanding this is the next step, and installing personal firewall software is the answer. Host-based firewalls are the next level of security for your home or business - be that Comodo, ZoneAlarm, or IPTables. It isn't enough to simply install it though, if all you do is click 'Allow' on any popups it throws up. Each pop-up from your firewall software is an attempt by somebody or something to gain access - either to your computer, or from your computer to some outside resource. Don't be misled by the difference, either. It's just as important to protect your outgoing connections as it is to protect your incoming ones - viruses and trojans frequently establish connections from your computer to deliver your data to a waiting hacker. So install and USE your firewall software.

The next step is to install some good Anti-Spyware and Anti-Virus software. Pay for them if you can, or get reputable free software if you can't. Be wary of wolves in sheep's clothing, though - some trojan/spyware authors have been known to embed their software into supposedly anti-spyware solutions. The same rule applies to these applications as applies to firewall software. Don't just install them and forget them, run regular scans - the more complete the better - and scan all your downloads, automatically if possible.

Finally there are patches, upgrades and security fixes. If Windows says there are updates available, install them. They're available because somebody has found a new vulnerability, or there's a bug which will cause data leakage, or some other such problem which may compromise your system and undo all the hard work you've gone through to protect yourself. The same goes, of course, for Linux, OS X, Solaris, and any other operating system you run (unless you wrote it yourself, in which case you should probably scan your own work regularly, too). Keeping your system up to date will keep your fortress strong and your defences up.

You are the weakest link.

Security is all about finding the weakest link, and making it strong. Hackers will always go for the low-hanging fruit, and the weakest link in the chain is the point at which you're most vulnerable. Protection of your data, your hardware and your software will protect you from the opportunists and the amateurs. This will also deter the more determined hacker, but remember new vulnerabilities and exploits are being discovered all the time. Don't sit back and think you're safe - keep on top of it, make sure you update your virus and spyware definitions/signatures regularly, update your software with any security and bug fixes that become available, and wherever possible don't open yourself up to incoming traffic where you don't need to.

Protect that which is most valuable, and secure the rest. If you don't, you may find the walls of your fortress start to crumble, and the cracks will grow from the weakest point.
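As an added example (not part of the original post) of the "enable logging and check the kernel logs" advice above: a Python script that tallies dropped inbound packets on a Linux firewall by destination port and by source. It assumes drops are logged with the netfilter LOG target under a hypothetical prefix `DROP-IN:` and that `eth0` is the Internet-facing interface; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the key=value format written by the netfilter LOG
# target. The "DROP-IN:" prefix, hostnames and addresses are made up.
SAMPLE_LOG = """\
Mar  3 04:12:55 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 04:12:58 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 04:13:07 fw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  3 04:13:19 fw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=1900
Mar  3 04:13:31 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 04:13:40 fw kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci
Mar  3 04:13:52 fw kernel: DROP-IN: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=445 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line, prefix="DROP-IN:"):
    """Return the key=value fields of one dropped-packet line, or None."""
    if prefix not in line:
        return None  # ordinary kernel message, not a firewall log entry
    fields = dict(FIELD.findall(line.split(prefix, 1)[1]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # truncated or malformed entry
    return fields

def summarise(log_text, wan_if="eth0"):
    """Count dropped inbound packets per (protocol, port) and per source."""
    ports, sources = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("IN") != wan_if:
            continue  # skip non-firewall lines and LAN-side traffic
        # ICMP entries carry TYPE/CODE instead of DPT, so fall back to "-"
        ports[(f["PROTO"], f.get("DPT", "-"))] += 1
        sources[f["SRC"]] += 1
    return ports, sources

if __name__ == "__main__":
    ports, sources = summarise(SAMPLE_LOG)
    for (proto, port), n in ports.most_common():
        print(f"{n:4d}  {proto}/{port}")
    print("-- by source --")
    for src, n in sources.most_common():
        print(f"{n:4d}  {src}")
```

On a real firewall, feed it the kernel log text instead of `SAMPLE_LOG` and set the prefix and interface to match your own logging rule.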

2 Comments
Dan
Grafter
You've said nothing that's untrue, but the difficulty is that a significant number of people do not know how to secure themselves. It's too difficult for many people. I have a software firewall, an a/v, spyware checker and firewall on my computer and generally frequently update software. The only attacks I've ever had were under my control because I knew what I was doing and what risks I was taking.

A significant number of people won't know. They won't know how to update their a/v if it doesn't update automatically, they won't know or understand firewalls and what's a good or bad firewall configuration. If it's too difficult it will get ignored. A bit like maths - everyone knows it's important but if people start talking about simultaneous equations a significant number of people will switch off, and ignore the fact that anyone ever mentioned them in the first place. Too difficult for a lot of people to get their head around. Talk about security, people know it's important but many won't know what to do.

I read an article the other day, can't remember where, but it was about computers being different to any other goods that we're likely to buy. Buy a fridge and it just works. Buy a TV and switch it on, it just works. Computers should just work when you buy them, they should be really simple to set up, use and maintain. They're one of the most important objects in people's lives now yet they are the most difficult thing to manage for most people.

Why am I rambling? Your blog is a perfect example of what people need to do, but getting them to do it is the really hard bit. I don't think we can rely on people to secure themselves. I know someone who ignored their ZoneAlarm alerts because they didn't understand them. I also know someone who turned off their a/v because it was slowing down their PC. I also know someone who goes to dodgy websites known to host viruses. I also know......

Education is important, very important. But when it's hard (like simultaneous equations for some people) it's almost impossible to rely on some people to get it right. I'd personally like to see ISPs take some of the burden off end-users. Either put the answers on the back of the maths exam paper or just fill in the answers for the difficult questions - or even ensure that no-one ever needs to worry about it in their lives.

A difficult nut to crack, but a good blog! (From what I can remember, I enjoyed simultaneous equations but hopefully you'll get my point.)
glennog
Not applicable
I take your point about the complexity of what I have described, but my root point is one of personal responsibility. ISPs can only go so far in the fight against spyware, adware and malicious attackers. While this may be a Good Thing for the less technically able, it amounts to a delegation of responsibility for one's most personal details - indeed their whole identity.

You mention people you know who have clicked 'Allow' on everything their Zone Alarm throws up, turned off their Anti-Virus. I know people like that, too. Unfortunately for them it resulted in their identities being stolen and their credit cards being abused.

Regarding the computer as a consumer product, making the comparison to a fridge, washing machine, etc. may be a little too idealistic. I would rather compare it to a car, motorbike or even a bicycle. These things, while in the main are just 'buy and use' items, they do require a certain level of maintenance. You wouldn't buy a car and never put oil in it, or never send it off for a service, for example. Similarly I wouldn't expect to buy a PC, with security products pre-installed, and never keep it up to date.

You're right, of course, in that it is certainly a difficult nut to crack. There is a balance to be struck between the techno-geek and the technically challenged. As the computer has become a key part of our everyday lives, its ease of use has become greater. The security aspect, however, has not kept pace with this simplification. As ISPs we may be able to offer some help, and relieve the burden, but this should not be seen by the customers of such a service as the complete answer to their security problem.

Awareness and education are, as you say, the key. Certainly it may be difficult for those who don't understand the concepts, but ultimately a person's identity is their responsibility.

I am considering writing up a few more blog articles on the various products available, what they do and how to use them. Hopefully this will be of benefit to the community. If anybody has views on any of the security products available, or if you'd like to see anything reviewed here, I'd love to hear about it.