Personal Internet Self-Defense 2003:

Security and Privacy for the New Millennium

Robert C. Jones, M.D.


LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland

E-mail: rob@notbob.com
Web site: http://notbob.com

Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved. CIA XXIII
Disclaimer/Disclosure

● This talk represents my own views, not those of the USAF, the DoD, or anyone else.
● I am a Microsoft shareholder.
● I am a Palm shareholder.
→Far from a controlling interest in either!
● Nobody paid me anything to write or present this.
● The opinions/content on external URLs belong to the authors, not myself, the USAF, or the DoD.

Do you feel like this?

The Dirty Truth:

“Internet technologies are not designed to be secure. They're designed to be interactive...

...we as consumers are not taking the responsibility...to learn basics about using this stuff”

Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), in http://cnn.com/TECH/computing/9909/28/ms.security.idg/index.html

You can’t afford perfect security

“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”
Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419

...but can you really afford this?

What this talk is about

● Basic Internet self-defense for average users

● How to protect your privacy on the internet

● Where to learn more about Net security

● My own personal opinions (not the USAF)


What this talk is NOT about

● Advanced intrusion detection and response

● How to hide nuclear secrets behind photocopiers

● Advanced TCP/IP networking and protocols

● Anyone else’s opinions (especially the USAF)

What is Internet Security?

● For that matter, what is the Internet?

[Diagram labels: newsreader; web2mail; Mail2News; http logon to web e-mail service]

Personal Internet Self-Defense 2003

“Information protection is not a technology issue. It is a people issue and therefore the people need to be educated.”
Geza Szenes CISSP, Computer Security Awareness: A Case Study, SANS 99
http://www.sans.org/newlook/misc/Final_szenes.pdf

What do people need?

Maslow’s Hierarchy of Needs

The Security Pyramid

Guru

Confidence

Privacy Needs

Workstation Needs

Basic Security Needs

Physical Security 2003

● Theft (especially portables)
→locks, vigilance in airport X-ray lines/queues

● Electrical problems
→UPS protects against brownouts & surges

● Lack of reliable current backup
→Back up regularly to reliable media; net backup

● C & C: Coffee and Cats
→Don’t drink and compute; keep fans clean

Passwords 2003

● Pick Good Passwords

● Avoid Bad Passwords

● Protect Passwords

● Change Passwords

Passwords 2003

● Good Passwords
→At least 8 characters (more if possible)
→Mix of capital and small letters
→Mix of letters and numbers
→At least one special character ($#@!*^*)
→Based on complex passphrase
– tB0ntB?t1stFq!

Passwords 2003

● Bad Passwords
→Anything having to do with you
– Any part of your social security number
– Your birthday
– Your kids’ birthdays
– Relating to your hobbies
→Fewer than 8 characters
→Anything in a dictionary
→Fictional characters (Gandalf, Frodo, Bilbo)

Passwords 2003

● Pick Good Passwords

● Avoid Bad Passwords

● Protect Passwords
→Don’t share them, don’t write them down

● Change Passwords
→Change is good; automatic change is better?
→Too frequent change = bad passwords
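
The Good Passwords and Bad Passwords rules from the slides above, written as a checker. This is an added example, not part of the original talk; the word lists, the sample personal facts and the look-alike substitution table are constructed assumptions.

```python
import re
import string

# Constructed sample lists; a real check would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "sunshine", "baseball"}
FICTIONAL_CHARACTERS = {"gandalf", "frodo", "bilbo"}  # the slide's examples

# Look-alike substitutions undone before word matching. This table is an
# assumption of the example, so that "G@nd4lf1" is still read as "gandalf".
LOOKALIKES = str.maketrans("013457@$!", "oleastasi")


def letters_of(text, undo_lookalikes=False):
    """Lower-case the text and keep only its letters."""
    text = text.lower()
    if undo_lookalikes:
        text = text.translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", text)


def digit_runs(text):
    """All-digits form of the text plus every run of four or more digits."""
    runs = set(re.findall(r"\d{4,}", text))
    joined = re.sub(r"\D", "", text)
    if len(joined) >= 4:
        runs.add(joined)
    return runs


def check_password(password, personal_facts=()):
    """Return the slide rules a password breaks; an empty list means none."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of capital and small letters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("no mix of letters and numbers")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")

    pw_letters = letters_of(password, undo_lookalikes=True)
    pw_digits = re.sub(r"\D", "", password)
    for word in sorted(SAMPLE_DICTIONARY):
        if word in pw_letters:
            problems.append(f"contains dictionary word '{word}'")
    for name in sorted(FICTIONAL_CHARACTERS):
        if name in pw_letters:
            problems.append(f"contains fictional character '{name}'")
    for fact in personal_facts:
        word = letters_of(fact)
        in_letters = len(word) >= 3 and word in pw_letters
        in_digits = any(run in pw_digits for run in digit_runs(fact))
        if in_letters or in_digits:
            problems.append(f"related to personal fact '{fact}'")
    return problems


# Constructed personal facts: a name, a birthday, an SSN and a hobby.
FACTS = ["Alex", "1971-04-12", "123-45-6789", "sailing"]

if __name__ == "__main__":
    for candidate in ["tB0ntB?t1stFq!", "G@nd4lf1", "Sailing1971!", "frodo"]:
        print(candidate, "->", check_password(candidate, FACTS) or "passes")
```

Note that "G@nd4lf1" satisfies every Good Passwords rule and is still rejected by the Bad Passwords list, which is why both slides have to be checked together.
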

Antivirus Defense 2003

● Install antivirus software FIRST

● Update antivirus software regularly

● Check for Operating System (OS) patches monthly (more frequently if serious security holes arise)

● Scan all downloaded files and attachments
→Beware of viruses, trojans, spyware…

Terms of Endangerment

● Virus: Self-replicating computer code with variable adverse effect (“payload”) [Example: Melissa macro virus]
● Trojan: Sneaky program which, once activated by user, causes harm to computer, privacy, or both [Example: Back Orifice 2000 (BO2K)]
● Spyware: Programs that connect to internet and report personal data regarding user [Example: RealNetworks Jukebox]

Blaster Worm (2003)

● Blaster-B variant exploits hole in MS Windows XP and 2000 (DCOM RPC)
● Patch had been available for weeks… people just never bother to patch their systems!
● ALL Operating Systems (OSes) need to be patched frequently to plug security holes (yes, even Linux!)

Jeffrey Lee Parsons, alleged Blaster Variant B creator
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.htm

Antivirus Defense 2003

● Install antivirus software FIRST

● Update antivirus software regularly

● Patch your OS at least monthly

● Scan all downloaded files and attachments

● (Radical) Disable M$ Outlook/Outlook Express


MS Outlook = Danger!

“I'm on record as saying that Outlook is a security hole that also happens to be an e-mail client.”
Steven J. Vaughan-Nichols
ZDNet News
May 4, 2000

http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html

The Melissa Virus

Yet another...

E-mail↔Productivity Suite integration exploit

Browser Security 2003

● Disable routine ActiveX and Java/Javascript

How Secure is ActiveX?

“The problem with ActiveX security, according to analysts, developers, and IS managers alike, is that there is no security with ActiveX.”

--Paul Festa, CNET News.com, 18 Feb 98
http://news.cnet.com/news/0-1003-201-326605-0.html

Browser Security 2003

● Disable ActiveX and Java/Javascript

● Use the maximum security setting you can stand

MSIE 4.72.x

(note: Fixed in MSIE versions 5.x)


How to tell when your browser settings are correct...

Browser Security 2003

● Disable ActiveX and Java/Javascript

● Use the maximum security setting you can stand

● Upgrade encryption to 128 bits minimum


→40 bits is standard…and insecure.

How to check your encryption strength

Browser Security 2003

● Disable ActiveX and Java/Javascript

● Use the maximum security setting you can stand

● Upgrade encryption to 128 bits minimum

● Update browser regularly to get bug fixes
→ But beware of version X.0 of anything

Don’t be an unpaid beta tester!

“Time to market and functionality always beat out security. Always. Always.”

--David Bradley, UC Berkeley, 25 August 99

Privacy 2003: Endangered Species

“You have zero privacy now. Get over it.”

-- SUN CEO Scott McNealy, February 99, when asked by a reporter about Jini’s tracking of users across networks

Privacy 2003: Endangered Species

“Like murder, privacy invasion is most frequently committed by those close to us.”

--Rob Jones, M.D., Dec 1999

Privacy 2003: Basic

● Assume workplace internet use is monitored
→E-mail, surfing should be boss/CEO-acceptable

● Beware of prying eyes
→“Shoulder-surfing” on airplanes, ATM machines

● Lock your workstation when you are away
→Password-protected screen saver or log off

● Password-protect sensitive documents
→Not cracker-proof, but will deter average snoop

Privacy 2003: Advanced

● Use strong encryption for sensitive information


→PGP, RSA, IDEA, Blowfish (DES is cracked)

from Introduction to Cryptography, Network Associates, 1999

“The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.”
from Introduction to Cryptography, Network Associates, 1999

Privacy 2003: Advanced

● Use strong encryption for sensitive information

● Con your OS (GUID, ComputerName, Workgroup)
→Pleased to meet you. Hope you guess my name.

Why does my software have to know my name?

start | run | regedit | edit | find | your_name

Be careful... regedit can ruin your computer if you change stuff unwisely... always back up first

Office 97 and the Personal ID/Global User ID...

Unique number derived, in part, from network card MAC address

get the fix here: http://officeupdate.microsoft.com/Articles/privacy.htm


Privacy 2003: Advanced

● Use strong encryption for sensitive information

● Con your OS (GUID, ComputerName, Workgroup)

● Nuke intrusive information on your hard drive
→Cookies and History and Cache, oh my!

Cookies are bad for your wealth

Privacy 2003: Advanced

● Use strong encryption for sensitive information

● Con your OS (GUID, ComputerName, Workgroup)

● Nuke intrusive information on your hard drive

● Use anon proxies for private web browsing
→ ZKS Freedom, Anonymizer, etc.

How anon proxy servers work

[Diagram: Your computer ↔ Anon Proxy Server ↔ Web Server X]
Your computer → Anon Proxy Server: “this is joeschmoe@joesisp.com”
Anon Proxy Server → Web Server X: “this is nobody@anonproxy.net”
Web Server X → Anon Proxy Server: Web page + cookies
Anon Proxy Server → Your computer: Web page - cookies

oh, one more thing...

Turn off file and print sharing

•unless you want the Internet to be your LAN


•Especially important with cable modem or xDSL

What is spam?

● Not the Hormel® Luncheon Meat (SPAM™)

● Unsolicited Bulk e-mail

● Junk Usenet posts

● (New) Instant Messaging spam


Why spam is bad.

"Spamming is the scourge of electronic-mail and newsgroups on the Internet. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization."
-- Vint Cerf, Senior Vice President, MCI and (unlike Al Gore) acknowledged "Father of the Internet", as quoted on http://www.cauce.org/problem.html

This is your Inbox

This is your Inbox with e-mail

This is your Inbox with spam

Love letter from Salma Hayek
Job Offer

Spam = Theft!

● Key aspect is unauthorized theft of services
→bandwidth, hard drive space, per-minute costs, time

● Costs shifted to recipients, not senders
→Unlike junk snail mail; 47 USC 227: no junk faxes

● Content neutral…not a freedom of speech issue!
→Violation of Acceptable Use Policies/TOSes
→Violation of U.S. state laws (WA, VA…)
→Violation of Austrian federal law
– http://www.pcwelt.de/ausgabe/99_07/n090799011.HTM

Anti-Spam 2003

● Munge
→yourname@yourSPAMBL0CKisp.com

● Filter
→E-mail filter rules; Usenet killfiles; IRC #ignore

● Use throwaways
→Get free e-mail accounts for net registrations

● Complain
→E-mail spammers’ ISPs; be polite to sysops

What is a firewall?

Beaumaris Castle
Ynys Môn
Cymru

What is a firewall?

● Firewalls are like medieval moats:
→Restrict people to entering at one controlled point
→Prevent attackers from getting close to your other defenses
→Restrict people to leaving at one controlled point

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, p 17

TCP/IP
[Diagram: two computers introduce themselves, “Hi, I’m 102.74.145.234” and “Hello, I’m 214.90.1.43”, and talk over port 23 (telnet), port 25 (smtp), port 119 (nntp), port 6667 (IRC) and port 8080 (http)]

Everyday computer conversations use many “ports”

[Diagram: a firewall in front of your computer; labels: port 25 (smtp), port 25 (smtp), port 6667 (IRC), port 8080 (http)]

Firewalls implement your security decisions

What a Firewall Can Do
● Serves as focus for security decisions

● Enforces security policy

● Logs internet activity efficiently

● Limits damage to your network

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20


What a Firewall Can’t Do
● Can’t protect against insiders

● Can’t protect you against connections that don’t pass through it

● Can’t protect against completely new threats

● Can’t protect you from viruses/trojans

--Chapman and Zwicky, Building Internet Firewalls, O’Reilly, 1995, pp 19-20

Firewalls can’t protect you from SE!
(Social Engineering)

Do you need a firewall?

● Home user vs. Business user

● Dynamic internet IP address vs. Static IP address

● Unix/Linux OS vs. any flavor of Windows

● Dialup modem vs. always-on Broadband

Fat pipes make juicy targets!

Types of Firewalls

● Software

● Hardware

Types of Firewalls

● Software
→NetworkICE BlackICE Defender
→Zonelabs ZoneAlarm (free for personal use)
→Norton Internet Security 200x
→Others…
● Hardware

BlackICE Defender attack list (against my dialup sessions)

Automatic reverse IP address lookup on attacker reveals...

Zonelabs ZoneAlarm (freeware for personal use)

Zonelabs ZoneAlarm Alert Example

NOTE:
Updated 10 Jan 02

As of January, 2002, ZoneAlarm (not Black ICE) is the only leading software firewall that looks at OUTGOING packets from your machine (thus catching Trojans, spyware, and backdoors installed by your ISP’s software)

On the other hand, BlackICE tracks attackers back through the Net…freeware ZoneAlarm doesn’t (although the upgrade, ZA Pro, does)

Types of Firewalls

● Software

● Hardware
→SonicWall
→Watchguard SOHO
→Your own Linux box with custom ipchains…etc.

Remember…

● A poorly-administered firewall is worse than none at all!
● From comp.security.firewalls newsgroup:
"JArelXXXX" <jarelXXXX@aol.com> wrote in message
news:20000822182824.13689.00000745@ng-mg1.aol.com...

> The company I work for is evaluating the possibility of outsourcing the
> administration of the Firewall\VPN…
> I have just been appointed responsability (sic) of administering their firewall,
> however they do not want to send me to any type of training. They feel
> that once I get the training I will leave.

Continuing Security Education 2003

● Friends?
→The worst source. Virus hoaxes and urban legends galore

● 3-Space Mass Media?
→24 hours to 3 months behind; Generally clueless with regard to non-web Net events

● Books?
→Excellent source for fundamentals; usually 1-5 years behind

The Tao of Network Security

1994-1999: Information Access
2000-2005: Information Denial

Security 2004 Preview

Online Resources

Physical Security
•Targus (notebook locks, alarms): http://www.targus.com/
•American Power Conversion (UPS): http://www.apc.com/
•TrippLite (UPS) : http://www.tripplite.com/
•Iomega (backup hardware, software): http://www.iomega.com/
•Castlewood (backup hardware, software): http://www.castlewood.com/
•Xdrive (online backup): http://www.xdrive.com/
•iBackup (online backup): http://www.ibackup.com/

Online Resources

Password Security
•Picking good passwords
→ http://www.itis.gatech.edu/doc/passwd.html
→http://www.alw.nih.gov/Security/Docs/passwd.html

•Top 10 Bad passwords
→http://www.knowledgeclicks.com/security/articles/11999/top10badpasswords.htm

Online Resources

Antivirus Security

•Symantec Antivirus Research Center: http://www.sarc.com/


•McAfee Antivirus Center: http://www.mcafee.com/centers/anti-virus/
•Aladdin E-safe Antivirus/Firewall: http://www.aladdin.co.il/
•Qualcomm Eudora E-mail: http://www.eudora.com/

Online Resources

Browser Security
•Microsoft IE: http://www.microsoft.com/windows/ie/default.htm
•Microsoft Security Advisor: http://www.microsoft.com/security/default.asp
•Netscape Communicator: http://www.netscape.com/download/index.html
•Opera: http://www.opera.com/
•Sam Spade for Windows: http://samspade.org/ssw/
•Check your security with Shields Up! http://grc.com/default.htm

Online Resources

Privacy Protection
•The Electronic Frontier Foundation: http://www.eff.org/
•EPIC: http://www.epic.org/privacy/tools.html
•PGP: http://www.pgp.com/
•NSClean/IEClean: http://www.nsclean.com/
•Microsoft Hotmail (for throwaways): http://www.hotmail.com/
•Anonymizer: http://www.anonymizer.com/
•Zero Knowledge Systems Freedom: http://www.freedom.net/
•Hushmail: http://www.hushmail.com/

Online Resources

Anti-Spam Activism
•Junkbusters: http://www.junkbusters.com/
•Spam.abuse.net: http://spam.abuse.net/
•Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/
•F.R.E.E.: http://www.spamfree.org/
•The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/
•The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html
•The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html

Online Resources

Learning the Lingo (Usenet, IRC, IM)


•news.announce.newusers: http://www.netannounce.org/news.announce.newusers
•The Net-Abuse FAQ: http://www.cybernothing.org/faqs/net-abuse-faq.html
•mIRC IRC FAQ: http://www.mirc.com/ircintro.html
•NewIRCusers.com: http://www.newircusers.com/
•ICQ IM Security: http://www.icq.com/features/security/
•IM Security: http://www.pcmag.com/article2/0,4149,1217889,00.asp

Online Resources

Firewalls
•Symantec Norton Internet Security: http://www.symantec.com/
•ZoneLabs ZoneAlarm: http://www.zonelabs.com/
•Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/
•Keeping your site comfortably secure: an introduction to internet firewalls: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/
•Some Hardware Firewall Vendors: http://www.thegild.com/firewall/
•Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html

Online Resources

Continuing Security Education


•The SANS Institute: http://www.sans.org/
•Internet Storm Center: http://isc.sans.org/
•C|Net News.com: http://news.com.com/ (follow security tab)
•AntiOnline: http://www.antionline.com/index.php
•ISTS: http://news.ists.dartmouth.edu/
•ISS X-Force: http://xforce.iss.net/
•2600: http://www.2600.com/

Offline Resources

Books/Articles
• Cheswick, WR, Bellovin, SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4
• Gilster, Paul, Finding it on the Internet, New York: John Wiley & Sons, Inc., 1994. ISBN 0-471-03857-1
• Wolff, Michael (ed.), Your Personal Netspy: How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services, New York: Wolff New Media LLC, 1996. ISBN 0-679-77029-1
• Knightmare, The, Secrets of a Super Hacker, Port Townsend, WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5
• Zimmerman, Philip R., The Official PGP User's Guide, Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6
• Wayner, Peter, Disappearing Cryptography: Being and Nothingness on the Net, Boston: Academic Press Professional, 1996. ISBN 0-12-738671-8
• O'Malley, Chris, Snoops: Welcome to a small town called the internet, where everyone knows your business, Popular Science, Jan 97, p. 56
• Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge: O’Reilly, 1998. ISBN 1-56592-388-X
• Communications of the ACM 42(7), July 1999, various authors: Defensive Information Warfare
• Communications of the ACM 42(2), Feb. 1999, various authors: Internet Privacy: the Quest for Anonymity
• Honeycutt, Jerry; Pike, Mary Ann, et al., Special Edition: Using the Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN 0-7897-0846-9
• Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 1-56761-593-7
• Griffith, Samuel B.(trans), Sun Tzu: The Art of War, New York: Oxford University Press, 1963 ISBN 0-19-501476-6
• Lane, Carole A, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press c/o Online Inc., 1997 ISBN 0-910965-17-X
• Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0
• Icove, David, Seger, Karl, and VonStorch, William, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-086-4
• Anonymous, Maximum Security, Second Edition, Indianapolis: Sams, 1998. ISBN 0-672-31341-3
