E-mail: rob@notbob.com
Web site: http://notbob.com
Copyright (C) 2003 Robert C. Jones, M.D. All Rights Reserved. CIA XXIII
Disclaimer/Disclosure
The Dirty Truth:
You can’t afford perfect security
What this talk is about
(slide diagram: newsreader, web2mail, Mail2News)
Personal Internet Self-Defense 2003
What do people need?
Maslow’s Hierarchy of Needs
The Security Pyramid
Guru
Confidence
Privacy Needs
Workstation Needs
Physical Security 2003
● Electrical problems
→UPS protects against brownouts & surges
Passwords 2003
● Good Passwords
→At least 8 characters (more if possible)
→Mix of capital and small letters
→Mix of letters and numbers
→At least one special character ($#@!*^*)
→Based on complex passphrase
– tB0ntB?t1stFq!
Passwords 2003
● Bad Passwords
→Anything having to do with you
– Any part of your social security number
– Your birthday
– Your kids’ birthdays
– Relating to your hobbies
→Less than 8 characters
→Anything in a dictionary
→Fictional characters (Gandalf, Frodo, Bilbo)
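The two password slides above amount to a checklist. The following Python checker is an added example (not from the talk) that turns that checklist into code: length, case mix, letter/digit mix, special character, "anything in a dictionary" (after undoing common digit-for-letter substitutions, so a disguised dictionary word is still caught), and "anything having to do with you" (birthdays, SSN fragments, hobbies supplied by the caller). The special-character set, the tiny word list and the `personal_facts` parameter are assumptions made here for illustration; a real deployment would load a full dictionary file.

```python
"""Check a candidate password against the talk's 'Good Passwords' and
'Bad Passwords' rules.  Added example, not part of the original slides."""
import re

# Assumed special-character set; the slide shows $#@!*^* as examples.
SPECIALS = set("$#@!*^&%?+=-_.,;:~")

# Constructed stand-in for a real dictionary file (the slide names the
# fictional characters as examples of bad choices).
DICTIONARY = {"password", "gandalf", "frodo", "bilbo", "welcome", "secret", "dragon"}

# Undo common digit/symbol-for-letter substitutions before the dictionary test.
LEET = str.maketrans("0143$@!", "oiaesai")


def check_password(candidate, personal_facts=(), dictionary=DICTIONARY):
    """Return the names of the rules the candidate violates (empty list = passes).

    personal_facts: strings about the user (birthday, SSN, hobby, kids' names)
    that must not appear in the password, per the 'Bad Passwords' slide.
    """
    problems = []

    # Good-password rule 1: at least 8 characters.
    if len(candidate) < 8:
        problems.append("too_short")

    # Rule 2: mix of capital and small letters.
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("no_case_mix")

    # Rule 3: mix of letters and numbers.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("no_letter_digit_mix")

    # Rule 4: at least one special character.
    if not any(c in SPECIALS for c in candidate):
        problems.append("no_special_char")

    # Bad-password rule: anything in a dictionary.  Normalise leetspeak and
    # strip non-letters so 'Fr0d0!' is still recognised as 'frodo'.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))
    if letters_only in dictionary or any(
        word in letters_only for word in dictionary if len(word) >= 4
    ):
        problems.append("dictionary_word")

    # Bad-password rule: anything having to do with you.  Text facts are
    # matched as substrings; numeric facts (birthdays, SSN) are matched
    # against every run of three or more digits in the password, in either
    # direction, so a fragment of the number is enough to fail.
    digit_runs = re.findall(r"\d{3,}", candidate)
    for fact in personal_facts:
        fact_text = fact.lower()
        fact_digits = re.sub(r"\D", "", fact)
        text_hit = len(fact_text) >= 3 and not fact_text.isdigit() and fact_text in candidate.lower()
        digit_hit = len(fact_digits) >= 3 and any(
            run in fact_digits or fact_digits in run for run in digit_runs
        )
        if text_hit or digit_hit:
            problems.append("personal_info")
            break

    return problems


if __name__ == "__main__":
    # The slide's own example of a good passphrase-derived password passes.
    print(check_password("tB0ntB?t1stFq!"))                       # []
    print(check_password("Fr0d0!"))                               # too short + dictionary
    print(check_password("Summer1985!", personal_facts=("07/14/1985",)))  # personal_info
```

The returned list names every failed rule rather than stopping at the first, which is what a user-facing password dialog or an audit script over an existing password file needs: the user learns all of what to change at once, and an auditor can tally which rules are most often broken.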
Passwords 2003
● Protect Passwords
→Don’t share them, don’t write them down
● Change Passwords
→Change is good; automatic change is better?
→Too frequent change = bad passwords
Antivirus Defense 2003
Terms of Endangerment
Blaster Worm (2003)
http://www.zdnet.com/sp/stories/column/0,4712,2562098,00.html
The Melissa Virus
Yet another...
Browser Security 2003
How Secure is ActiveX?
MSIE 4.72.x
How to check your encryption strength
Privacy 2003: Endangered Species
Privacy 2003: Basic
from Introduction to Cryptography, Network Associates, 1999
“The primary benefit of public key cryptography is that it allows people
who have no preexisting security arrangement to exchange messages
securely.”
from Introduction to Cryptography, Network Associates, 1999
Privacy 2003: Advanced
Why does my software have to know my name?
start | run | regedit | edit | find | your_name
be careful...regedit can ruin your computer if you change stuff unwisely...always back up first
Office 97 and the Personal ID/Global User ID...
Cookies are bad for your wealth
Privacy 2003: Advanced
“this is joeschmoe@joesisp.com”
“this is nobody@anonproxy.net”
oh, one more thing...
What is spam?
This is your Inbox
This is your Inbox with e-mail
This is your Inbox with spam
Spam = Theft!
● Key aspect is unauthorized theft of services
→bandwidth, hard drive space, per-minute costs, time
Anti-Spam 2003
● Munge
→yourname@yourSPAMBL0CKisp.com
● Filter
→E-mail filter rules; Usenet killfiles; IRC #ignore
● Use throwaways
→Get free e-mail accounts for net registrations
● Complain
→E-mail spammers’ ISPs; be polite to sysops
What is a firewall?
Beaumaris Castle
Ynys Môn
Cymru
TCP/IP
Hi, I’m 102.74.145.234
Hello, I’m 214.90.1.43
port 23 (telnet)
port 25 (smtp)
port 119 (nntp)
What a Firewall Can Do
● Serves as focus for security decisions
Do you need a firewall?
Types of Firewalls
● Software
→NetworkICE BlackICE Defender
→Zonelabs ZoneAlarm (free for personal use)
→Norton Internet Security 200x
→Others…
● Hardware
BlackICE Defender attack list (against my dialup sessions)
Automatic reverse IP address lookup on attacker reveals...
Zonelabs ZoneAlarm (freeware for personal use)
Zonelabs ZoneAlarm Alert Example
NOTE:
Updated 10 Jan 02
Types of Firewalls
● Software
● Hardware
→SonicWall
→Watchguard SOHO
→Your own Linux box with custom ipchains…etc.
Remember…
> The company I work for is evaluating the possibility of outsourcing the
> administration of the Firewall\VPN…
> I have just been appointed responsability (sic) of administering their firewall,
> however they do not want to send me to any type of training. They feel
> that once I get the training I will leave.
Continuing Security Education 2003
● Friends?
→The worst source. Virus hoaxes and urban legends galore
● Books?
→Excellent source for fundamentals; usually 1-5 years behind
The Tao of Network Security
1994-1999: Information Access
2000-2005: Information Denial
Security 2004 Preview
Online Resources
Physical Security
•Targus (notebook locks, alarms): http://www.targus.com/
•American Power Conversion (UPS): http://www.apc.com/
•TrippLite (UPS): http://www.tripplite.com/
•Iomega (backup hardware, software): http://www.iomega.com/
•Castlewood (backup hardware, software): http://www.castlewood.com/
•Xdrive (online backup): http://www.xdrive.com/
•iBackup (online backup): http://www.ibackup.com/
Online Resources
Password Security
•Picking good passwords
→http://www.itis.gatech.edu/doc/passwd.html
→http://www.alw.nih.gov/Security/Docs/passwd.html
Antivirus Security
Online Resources
Browser Security
•Microsoft IE: http://www.microsoft.com/windows/ie/default.htm
•Microsoft Security Advisor: http://www.microsoft.com/security/default.asp
•Netscape Communicator: http://www.netscape.com/download/index.html
•Opera: http://www.opera.com/
•Sam Spade for Windows: http://samspade.org/ssw/
•Check your security with Shields Up! http://grc.com/default.htm
Online Resources
Privacy Protection
•The Electronic Frontier Foundation: http://www.eff.org/
•EPIC: http://www.epic.org/privacy/tools.html
•PGP: http://www.pgp.com/
•NSClean/IEClean: http://www.nsclean.com/
•Microsoft Hotmail (for throwaways): http://www.hotmail.com/
•Anonymizer: http://www.anonymizer.com/
•Zero Knowledge Systems Freedom: http://www.freedom.net/
•Hushmail: http://www.hushmail.com/
Online Resources
Anti-Spam Activism
•Junkbusters: http://www.junkbusters.com/
•Spam.abuse.net: http://spam.abuse.net/
•Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org/
•F.R.E.E.: http://www.spamfree.org/
•The Spam-L FAQ: http://oasis.ot.com/~dmuth/spam-l/
•The E-mail Spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html
•The Munging FAQ: http://members.aol.com/emailfaq/mungfaq.html
Online Resources
Firewalls
•Symantec Norton Internet Security: http://www.symantec.com/
•ZoneLabs ZoneAlarm: http://www.zonelabs.com/
•Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/
•Keeping your site comfortably secure: an introduction to internet firewalls:
http://cs-www.ncsl.nist.gov/publications/nistpubs/800-10/
•Some Hardware Firewall Vendors: http://www.thegild.com/firewall/
•Linux Firewall HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
Online Resources
Books/Articles
• Cheswick, WR, Bellovin, SM, Firewalls and Internet Security:
Repelling the Wily Hacker, New York: Addison-Wesley
Publishing Company 1994. ISBN 0-201-63357-4
• Gilster, Paul, Finding it on the Internet, New York: John Wiley
& Sons, Inc., 1994. ISBN 0-471-03857-1
• Wolff , Michael (ed.), Your Personal Netspy: How You Can
Access the Facts and Cover Your Tracks Using the Internet and
Online Services, New York: Wolff New Media LLC, 1996.
ISBN 0-679-77029-1
Offline Resources
Books/Articles
• Knightmare, The, Secrets of a Super Hacker, Port Townsend,
WA: Loompanics Unlimited, 1994. ISBN 1-55950-106-5
• Zimmerman, Philip R., The Official PGP User's Guide,
Cambridge, Mass: M.I.T. Press, 1996. ISBN 0-262-74017-6
• Wayner, Peter, Disappearing Cryptography: Being and
Nothingness on the Net, Boston: Academic Press Professional,
1996. ISBN 0-12-738671-8
• O'Malley, Chris, Snoops: Welcome to a small town called the
internet, where everyone knows your business, Popular Science,
Jan 97, p. 56
Offline Resources
Books/Articles
• Schwartz, Alan and Garfinkel, Simson, Stopping Spam, Cambridge:
O’Reilly, 1998. ISBN 1-56592-388-X
• Communications of the ACM 42(7), July 1999, various authors:
Defensive Information Warfare
• Communications of the ACM 42(2), Feb. 1999, various authors:
Internet Privacy: the Quest for Anonymity
• Honeycutt, Jerry; Pike,Mary Ann, et al., Special Edition: Using the
Internet, 3rd Edition, Indianapolis, IN: Que® Corporation, 1996. ISBN
0-7897-0846-9
Offline Resources
Books/Articles
• Weiss, Aaron, The Complete Idiot's Guide to Protecting Yourself on
the Internet, Indianapolis, IN: Que® Corporation, 1995. ISBN 1-56761-593-7
• Griffith, Samuel B.(trans), Sun Tzu: The Art of War, New York:
Oxford University Press, 1963 ISBN 0-19-501476-6
• Lane, Carole A, Naked in Cyberspace: How to Find Personal
Information Online, Wilton, CT: Pemberton Press c/o Online Inc.,
1997 ISBN 0-910965-17-X
Offline Resources
Books/Articles
• Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet
Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0
• Icove, David, Seger, Karl, and VonStorch, William, Computer
Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly &
Associates, 1995. ISBN 1-56592-086-4
• Anonymous, Maximum Security, Second Edition, Indianapolis:
Sams, 1998. ISBN 0-672-31341-3