
CIA XXIII

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved.

Personal Internet Self-Defense 2003: Security and Privacy for the New Millennium

Robert C. Jones, M.D.

LtCol, USAF, Medical Corps

Staff Anesthesiologist

Andrews Air Force Base, Maryland

E-mail: rob@notbob.com

Web site: http://notbob.com

Disclaimer/Disclosure

This talk represents my own views, not those of the USAF, the DoD, or anyone else.

I am a Microsoft shareholder. I am a Palm shareholder. Far from a controlling interest in either!

Nobody paid me anything to write or present this.

The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD.


Do you feel like this?


The Dirty Truth:

“Internet technologies are not designed to be secure. They're designed to be interactive...

...we as consumers are not taking the responsibility...to learn basics about using this stuff”

Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html

You can’t afford perfect security

“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”

Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419

...but can you really afford this?


What this talk is about

Basic Internet self-defense for average users

How to protect your privacy on the internet

Where to learn more about Net security

My own personal opinions (not the USAF)


What this talk is NOT about

Advanced intrusion detection and response

How to hide nuclear secrets behind photocopiers

Advanced TCP/IP networking and protocols

Anyone else’s opinions (especially the USAF)


What is Internet Security?

For that matter, what is the Internet?

Mail2News

http logon to web e-mail service

newsreader

web2mail


“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.”

Geza Szenes CISSP, Computer Security Awareness: A Case Study, SANS 99, http://www.sans.org/newlook/misc/Final_szenes.pdf

Personal Internet Self-Defense 2003

What do people need?

Maslow’s Hierarchy of Needs

Basic Security Needs

Workstation Needs

Privacy Needs

Confidence

Guru

The Security Pyramid

Physical Security 2003

Theft (especially portables)
– locks, vigilance in airport X-ray lines/queues

Electrical problems
– UPS protects against brownouts & surges

Lack of reliable current backup
– Backup regularly to reliable media; net backup

C & C: Coffee and Cats
– Don’t drink and compute; keep fans clean

Passwords 2003

Pick Good Passwords
– At least 8 characters (more if possible)
– Mix of capital and small letters
– Mix of letters and numbers
– At least one special character ($#@!*^*)
– Based on complex passphrase
    – tB0ntB?t1stFq!

Avoid Bad Passwords
– Anything having to do with you
    – Any part of your social security number
    – Your birthday
    – Your kids’ birthdays
    – Relating to your hobbies
– Less than 8 characters
– Anything in a dictionary
– Fictional characters (Gandalf, Frodo, Bilbo)

Protect Passwords
– Don’t share them, don’t write them down

Change Passwords
– Change is good; automatic change is better?
– Too frequent change = bad passwords
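The Good/Bad password rules from the slides above, written as a checker. This is an added example, not part of the original talk; the word list and the personal details passed in are constructed sample data, and the look-alike substitution table is an assumption of this example.

```python
import re

# Constructed sample word list standing in for a real dictionary file; the
# fictional names are the ones the slide calls out.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "letmein", "baseball",
                     "gandalf", "frodo", "bilbo"}

# Common look-alike substitutions, undone before the dictionary lookup so
# that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(text):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password, personal_facts=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of slide rules the password breaks (empty = passes).

    personal_facts: strings to keep out of passwords, such as names,
    birthdays, SSN fragments or hobbies (hypothetical input format).
    """
    problems = []
    if len(password) < 8:
        problems.append("less than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of capital and small letters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("no mix of letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # Dictionary rule: drop digits/symbols tacked on at either end, undo
    # substitutions, then look the remaining word up.
    core = _normalise(password.strip("0123456789!@#$%^&*?."))
    if core and core in dictionary:
        problems.append("dictionary word or fictional character")

    # Personal-information rule: any name, year or hobby of 4+ characters
    # from the supplied facts must not appear inside the password.
    lowered = password.lower()
    letters_only = _normalise(password)
    tokens = [t for fact in personal_facts
              for t in re.findall(r"[a-z]+|\d+", fact.lower()) if len(t) >= 4]
    if any(t in lowered or t in letters_only for t in tokens):
        problems.append("anything having to do with you")
    return problems


if __name__ == "__main__":
    for candidate in ("tB0ntB?t1stFq!", "P@ssw0rd!", "Gandalf1!", "frodo"):
        print(candidate, "->", check_password(candidate) or "ok")
```

"P@ssw0rd!" satisfies every length and character-mix rule and is still rejected, which is why the dictionary rule sits alongside the others.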


Antivirus Defense 2003

Install antivirus software FIRST

Update antivirus software regularly

Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)

Scan all downloaded files and attachments
– Beware of viruses, trojans, spyware…

Terms of Endangerment

Virus: Self-replicating computer code with variable adverse effect (“payload”) [Example: Melissa macro virus]

Trojan: Sneaky program which, once activated by user, causes harm to computer, privacy, or both [Example: Back Orifice 2000 (BO2K)]

Spyware: Programs that connect to internet and report personal data regarding user [Example: RealNetworks Jukebox]


Blaster Worm (2003)

Blaster-B variant exploits hole in MS Windows XP and 2000 (DCOM RPC)

Patch had been available for weeks…people just never bother to patch their systems!

ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html

Jeffrey Lee Parsons, alleged Blaster Variant B creator

Antivirus Defense 2003


(Radical) Disable M$ Outlook/Outlook Express


MS Outlook = Danger!

“I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.”

Steven J. Vaughan-Nichols, ZDNet News, May 4, 2000

http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html

The Melissa Virus

E-mail/Productivity Suite integration exploit

Yet another...

Browser Security 2003

Disable routine ActiveX and Java/Javascript


How Secure is ActiveX?

“The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.”

--Paul Festa, CNET News.com, 18 Feb 98, http://news.cnet.com/news/0-1003-201-326605-0.html

Browser Security 2003


Use the maximum security setting you can stand

MSIE 4.72.x

(note: Fixed in MSIE versions 5.x)

How to tell when your browser settings are correct...

Browser Security 2003


Upgrade encryption to 128 bits minimum
– 40 bits is standard…and insecure.

How to check your encryption strength


Browser Security 2003


Update browser regularly to get bug fixes
– But beware of version X.0 of anything

Don’t be an unpaid beta tester!

“Time to market and functionality always beat out security. Always. Always.”

--David Bradley, UC Berkeley, 25 August 99


Privacy 2003: Endangered Species

“You have zero privacy now. Get over it.”

-- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks


Privacy 2003: Endangered Species

“Like murder, privacy invasion is most frequently committed by those close to us.”

--Rob Jones, M.D., Dec 1999


Privacy 2003: Basic

Assume workplace internet use is monitored
– E-mail, surfing should be boss/CEO-acceptable

Beware of prying eyes
– “Shoulder-surfing” on airplanes, ATM machines

Lock your workstation when you are away
– Password-protected screen saver or log off

Password-protect sensitive documents
– Not cracker-proof, but will deter average snoop

Privacy 2003: Advanced

Use strong encryption for sensitive information
– PGP, RSA, IDEA, Blowfish (DES is cracked)

“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.”

from Introduction to Cryptography, Network Associates, 1999

Privacy 2003: Advanced

Con your OS (GUID, ComputerName, Workgroup)
– Pleased to meet you. Hope you guess my name.

Why does my software have to know my name?

start | run | regedit | edit | find | your_name

be careful...regedit can ruin your computer if you change stuff unwisely...always back up first

Office 97 and the Personal ID/Global User ID...

get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm

Unique number derived, in part, from network card MAC address

Privacy 2003: Advanced


Nuke intrusive information on your hard drive
– Cookies and History and Cache, oh my!

Cookies are bad for your wealth


Privacy 2003: Advanced


Use anon proxies for private web browsing
– ZKS Freedom, Anonymizer, etc.

How anon proxy servers work

Web Server X

Anon Proxy Server

Your computer

“this is joeschmoe@joesisp.com”

“this is nobody@anonproxy.net”

Web page + cookies

Web page - cookies

Turn off file and print sharing

• unless you want the Internet to be your LAN

• Especially important with cable modem or xDSL

oh, one more thing...

What is spam?

Not the Hormel® Luncheon Meat (SPAM™)

Unsolicited Bulk e-mail

Junk Usenet posts

(New) Instant Messaging spam


Why spam is bad.

"Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization."

-- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowledged “Father of the Internet”, as quoted on http://www.cauce.org/problem.html

This is your Inbox


This is your Inbox with e-mail


This is your Inbox with spam

Job Offer

Love letter from Salma Hayek

Spam = Theft!

Key aspect is unauthorized theft of services
– bandwidth, hard drive space, per-minute costs, time

Costs shifted to recipients, not senders
– Unlike junk snail mail; 47 USC 227: no junk faxes

Content neutral…not a freedom of speech issue!
– Violation of Acceptable Use Policies/TOSes
– Violation of U.S. state laws (WA, VA…)
– Violation of Austrian federal law
    – http://www.pcwelt.de/ausgabe/99_07/n090799011.HTM

Anti-Spam 2003

Munge
– yourname@yourSPAMBL0CKisp.com

Filter
– E-mail filter rules; Usenet killfiles; IRC #ignore

Use throwaways
– Get free e-mail accounts for net registrations

Complain
– E-mail spammers’ ISPs; be polite to sysops

What is a firewall?

Beaumaris Castle

Ynys Môn

Cymru

Firewalls are like medieval moats:

– Restrict people to entering at one controlled point
– Prevent attackers from getting close to your other defenses
– Restrict people to leaving at one controlled point

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17

port 25 (smtp)

port 8080 (http)

port 119 (nntp)

port 6667 (IRC)

port 23 (telnet)

TCP/IP

Hi, I’m 102.74.145.234

Hello, I’m 214.90.1.43

Everyday computer conversations use many “ports”

port 8080 (http)

Firewall

Your computer

port 6667 (IRC)

Firewalls implement your security decisions

port 25 (smtp)

What a Firewall Can Do

Serves as focus for security decisions

Enforces security policy

Logs internet activity efficiently

Limits damage to your network

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20
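A small model of the points in the list above, as an added example that is not from the original slides: one choke point, an explicit policy, a default for everything the policy does not mention, and a log of every decision. The rule set is a hypothetical home-user policy; the ports and the two sample addresses are the ones shown on the earlier slides, and the traffic list is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", relative to your computer
    port: int       # destination TCP port
    action: str     # "allow" or "deny"
    note: str


# Hypothetical policy: the security decisions the firewall will implement.
POLICY = [
    Rule("out", 25, "allow", "smtp: send mail"),
    Rule("out", 8080, "allow", "http"),
    Rule("out", 119, "allow", "nntp: read news"),
    Rule("out", 6667, "deny", "irc: not wanted on this machine"),
    Rule("in", 23, "deny", "telnet: no remote logins"),
]


class Firewall:
    """Filters connection attempts only; it does not track replies."""

    def __init__(self, policy, default="deny"):
        self.policy = list(policy)
        self.default = default  # applied when no rule matches
        self.log = []           # every decision is recorded here

    def decide(self, direction, src, dst, port):
        """First matching rule wins; anything unmatched gets the default."""
        action, note = self.default, "no rule: default"
        for rule in self.policy:
            if rule.direction == direction and rule.port == port:
                action, note = rule.action, rule.note
                break
        self.log.append((direction, src, dst, port, action, note))
        return action

    def denied_sources(self):
        """Count denied inbound attempts per source address from the log."""
        counts = {}
        for direction, src, _dst, _port, action, _note in self.log:
            if direction == "in" and action == "deny":
                counts[src] = counts.get(src, 0) + 1
        return counts


# Constructed sample traffic using the two addresses from the slide.
ME, PEER = "102.74.145.234", "214.90.1.43"
SAMPLE_TRAFFIC = [
    ("out", ME, PEER, 25),    # sending mail: allowed by rule
    ("out", ME, PEER, 6667),  # IRC: denied by rule
    ("in", PEER, ME, 23),     # inbound telnet: denied by rule
    ("in", PEER, ME, 139),    # inbound NetBIOS (file sharing): no rule
    ("out", ME, PEER, 5555),  # outbound on a port no rule covers
]


def run_sample():
    fw = Firewall(POLICY)
    decisions = [fw.decide(*conn) for conn in SAMPLE_TRAFFIC]
    return fw, decisions


if __name__ == "__main__":
    firewall, _ = run_sample()
    for entry in firewall.log:
        print(entry)
    print("denied inbound by source:", firewall.denied_sources())
```

The last two sample connections match no rule, so the outcome depends entirely on the default; with `default="allow"` both would pass.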


What a Firewall Can’t Do

Can’t protect against insiders

Can’t protect you against connections that don’t pass through it

Can’t protect against completely new threats

Can’t protect you from viruses/trojans

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20

Firewalls can’t protect you from SE! (Social Engineering)

Do you need a firewall?

Home user vs. Business user

Dynamic internet IP address vs. Static IP address

Unix/Linux OS vs. any flavor of Windows

Dialup modem vs. always-on Broadband

Fat pipes make juicy targets!

Types of Firewalls

Software
– NetworkICE BlackICE Defender
– Zonelabs ZoneAlarm (free for personal use)
– Norton Internet Security 200x
– Others…

BlackICE Defender attack list (against my dialup sessions)

Automatic reverse IP address lookup on attacker reveals...

Zonelabs ZoneAlarm (freeware for personal use)

Zonelabs ZoneAlarm Alert Example

NOTE:

As of January, 2002, ZoneAlarm (not Black ICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software)

On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does)

Updated 10 Jan 02

Types of Firewalls

Software

Hardware

•SonicWall

•Watchguard SOHO

•Your own Linux box with custom ipchains…etc.

Remember…

A poorly-administered firewall is worse than none at all!

From comp.security.firewalls newsgroup:

"JArelXXXX" <jarelXXXX@aol.com> wrote in message news:20000822182824.13689.00000745@ng-mg1.aol.com...

> The company I work for is evaluating the possibility of outsourcing the
> administration of the Firewall\VPN…
> I have just been appointed responsability (sic) of administering their firewall,
> however they do not want to send me to any type of training. They feel
> that once I get the training I will leave.

Continuing Security Education 2003

Friends?

The worst source. Virus hoaxes and urban legends galore

3-Space Mass Media?

24 hours to 3 months behind; Generally clueless with regard to non-web Net events

Books?

Excellent source for fundamentals; usually 1-5 years behind

The Tao of Network Security

1994-1999: Information Access

2000-2005: Information Denial

Security 2004 Preview


Online Resources

Physical Security

•Targus (notebook locks, alarms): http://www.targus.com/

•American Power Conversion (UPS): http://www.apc.com/

•TrippLite (UPS) : http://www.tripplite.com/

•Iomega (backup hardware, software): http://www.iomega.com/

•Castlewood (backup hardware, software): http://www.castlewood.com/

•Xdrive (online backup): http://www.xdrive.com/

•iBackup (online backup): http://www.ibackup.com/


Password Security

•Picking good passwords

http://www.itis.gatech.edu/doc/passwd.html

http://www.alw.nih.gov/Security/Docs/passwd.html

•Top 10 Bad passwords

http://www.knowledgeclicks.com/security/articles/11999/top10badpasswords.htm


Antivirus Security

•Symantec Antivirus Research Center: http://www.sarc.com/

•McAfee Antivirus Center: http://www.mcafee.com/centers/anti-virus/

•Aladdin E-safe Antivirus/Firewall: http://www.aladdin.co.il/

•Qualcomm Eudora E-mail: http://www.eudora.com/


Browser Security

•Microsoft IE: http://www.microsoft.com/windows/ie/default.htm

•Microsoft Security Advisor: http://www.microsoft.com/security/default.asp

•Netscape Communicator: http://www.netscape.com/download/index.html

•Opera: http://www.opera.com/

•Sam Spade for Windows: http://samspade.org/ssw/

•Check your security with Shields Up! http://grc.com/default.htm


Privacy Protection

•The Electronic Frontier Foundation: http://www.eff.org/

•EPIC: http://www.epic.org/privacy/tools.html

•PGP: http://www.pgp.com/

•NSClean/IEClean: http://www.nsclean.com/

•Microsoft Hotmail (for throwaways): http://www.hotmail.com/

•Anonymizer: http://www.anonymizer.com/

•Zero Knowledge Systems Freedom: http://www.freedom.net/

•Hushmail: http://www.hushmail.com/


Anti-Spam Activism

•Junkbusters: http://www.junkbusters.com/

•Spam.abuse.net: http://spam.abuse.net/

•Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/

•F.R.E.E.: http://www.spamfree.org/

•The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/

•The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html

•The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html


Learning the Lingo (Usenet, IRC, IM)

•news.announce.newusers: http://www.netannounce.org/news.announce.newusers

•The Net-Abuse FAQ: http://www.cybernothing.org/faqs/net-abuse-faq.html

•mIRC IRC FAQ: http://www.mirc.com/ircintro.html

•NewIRCusers.com: http://www.newircusers.com/

•ICQ IM Security: http://www.icq.com/features/security/

•IM Security: http://www.pcmag.com/article2/0,4149,1217889,00.asp


Firewalls

•Symantec Norton Internet Security: http://www.symantec.com/

•ZoneLabs ZoneAlarm: http://www.zonelabs.com/

•Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/

•Keeping your site comfortably secure: an introduction to internet firewalls: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/

•Some Hardware Firewall Vendors: http://www.thegild.com/firewall/

•Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html


Continuing Security Education

•The SANS Institute: http://www.sans.org/

•Internet Storm Center: http://isc.sans.org/

•C|Net News.com: http://news.com.com/ (follow security tab)

•AntiOnline: http://www.antionline.com/index.php

•ISTS: http://news.ists.dartmouth.edu/

•ISS X-Force: http://xforce.iss.net/

•2600: http://www.2600.com/


Offline Resources

Books/Articles

Cheswick, WR, Bellovin, SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4

Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, Inc., 1994. ISBN 0-471-03857-1

Wolff, Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1


Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5

Zimmermann, Philip R., The Official PGP User's Guide, Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6

Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8

O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan 97, p. 56


Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O’Reilly, 1998. ISBN 1-56592-388-X

Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare

Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity

Honeycutt, Jerry; Pike, Mary Ann, et al., Special Edition: Using the Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN 0-7897-0846-9


Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 1-56761-593-7

Griffith, Samuel B. (trans), Sun Tzu: The Art of War, New York: Oxford University Press, 1963. ISBN 0-19-501476-6

Lane, Carole A, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997. ISBN 0-910965-17-X


Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0

Icove, David, Seger, Karl, and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4

Anonymous, Maximum Security, Second Edition, Indianapolis: Sams, 1998. ISBN 0-672-31341-3
