October 2011 Computer security
The October 15 meeting of the TIA featured Professor J. Douglas Birdwell of the UTK Electrical Engineering Department. The topic was Computer Security. Professor Birdwell is a Past-President of the Control Systems Society.
Doug said that if you are in The University of Tennessee system and you start a Windows machine in that environment without protection, your computer will be compromised within minutes. He asked the attendees “How many of you are using Windows?” and “How many of you have a password longer than 14 characters?” He informed everyone that there is software that will crack most Windows passwords. Passwords of fewer than 14 characters take about 5 minutes to crack. Passwords with more than 14 characters can still be cracked, but it takes much longer.
We need to protect our information. There is information warfare going on all around us. Targets are mostly economic / commercial: theft of information & intellectual property. It is not just hackers: companies and countries do it. Large networks / organizations target both individuals and commercial/government entities to obtain user identities, accounts, and private information. The information and resources that you use both personally and professionally to manage your affairs and successfully compete are at risk. There are targeted email messages to individuals to get information.
Number 1 on the list is theft. Laptops are often stolen, and if your data is not encrypted, the thief will have it. It does not matter what operating system you use. It takes only seconds to get into an unprotected computer. Don’t let your computer out of your sight.
There is malware on websites that can infect your computer when you visit a web page (no clicking required). Spoofing of web sites, especially by foreign governments, can trick you into divulging your login credentials. ActiveX and other executable code used on web sites are dangerous.
All e-mail needs to be secured. Never open an attachment or click a link in an email without knowing who it is from and what it is. Disable automatic execution of code (ActiveX) contained in emails. Anti-virus email scanning is essential but does not catch everything. Unencrypted traffic between your computer and your email server (e.g., your ISP) can be intercepted. Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) link protocol for both incoming and outgoing email if it is supported. Use credential-based encryption (public/private key encryption) for sensitive emails; most e-mail clients support this. Some email clients offer security and some don’t. Most email providers support SSL.
Packet sniffing can be used to obtain unencrypted information. Never share a password. Be certain of identities before disclosing or discussing sensitive information; tricking you into doing so is so-called spear-phishing. A child, spouse, or parent can visit an infested web site and compromise your computer. You may have sensitive information on your computer, such as inventions, design information, new ideas, attorney/client privileged and confidential communications, financial data, employees’ personal information, marketing/contact information, information from others subject to Non-Disclosure Agreements (NDAs), or information that must be protected by federal or state law. If your laptop is stolen or is hacked into remotely, any unencrypted data can be copied. It only takes seconds to “bug” an unprotected computer (e.g., in hotel rooms, or by airport security personnel or customs inspections at foreign ports of entry). If your computer is compromised, you are liable for that sensitive information.
Protect yourself by securing your physical environment and controlling physical access to your computer. Use disk drives with hardware encryption; an unencrypted drive can be read by another computer. A computer can be booted with a rogue’s operating system from a CD/DVD or USB drive to gain access to data and break passwords. Change and password-protect the Basic Input/Output System (BIOS) settings on your computer.
- Use strong passwords, including BIOS and disk drives.
- Do not use any dictionary word or string of dictionary words and numbers.
- Include words with numbers substituted for specific letters.
- No names from family members, pets, addresses, birthdays, or anything else that has a connection with you.
- Any password less than 12 characters can be cracked in minutes.
- Do not use any password that is used to gain access to more than one account, computer, or other resource.
- Do not write down password anywhere just try to remember it.
- If you write down the password some where someone will find it.
- Use at least one upper case letter (A-Z), one lower case letter (a-z), one number (0-9), one symbol (of 32), and blank => 95 possible characters.
- Use at least 12 characters (so there are 95^12 = 5.4 x 10^23 possible passwords; 16 characters => 95^16 = 4.4 x 10^31 possible passwords) – use >14 for Windows or force NT passwords.
- Use each password to access only one resource, and never write it down or give it to anyone.
Unfortunately, Windows uses exceptionally weak password hashes. Free programs exist which readily crack most Windows passwords (e.g., ophcrack, http://ophcrack.sourceforge.net/). All one need do is reboot your Windows computer from an ophcrack CD or DVD and let it run (usually for only a few minutes). To protect yourself, force Windows to disable its use of the “LM Hash” – the easiest way is to use more than 14 characters in your password.
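The password guidelines above, and the 14-character LM hash cut-off, turned into a checker. This is an added example, not material from the talk; the word list is a constructed stand-in for a real dictionary, and the 95-character alphabet follows the talk's count (26 + 26 + 10 + 32 symbols + blank).

```python
import math
import string

# Character classes as counted in the talk: upper, lower, digits, the 32
# printable ASCII symbols, and the blank => 95 possible characters.
SYMBOLS = string.punctuation                      # 32 symbols
ALPHABET_SIZE = 26 + 26 + 10 + len(SYMBOLS) + 1   # 95

# Constructed, deliberately tiny word list standing in for a real dictionary.
DICTIONARY = {"password", "tennessee", "volunteer", "summer", "welcome"}


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Number of possible passwords of the given length (95^12 ~ 5.4e23)."""
    return float(alphabet) ** length


def strength_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Equivalent key length in bits for a random password of this length."""
    return length * math.log2(alphabet)


def check_password(pw: str, windows: bool = False) -> list:
    """Return the guidelines the password violates; an empty list means OK."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Windows keeps an LM hash for passwords of 14 characters or fewer;
    # 15 or more characters forces that weak hash off.
    if windows and len(pw) <= 14:
        problems.append("14 characters or fewer: Windows will keep an LM hash")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    ]
    if not all(classes):
        problems.append("missing an upper, lower, digit or symbol class")
    # Dictionary check: any run of 4+ letters that is a whole dictionary word.
    letters_only = "".join(c if c.isalpha() else " " for c in pw.lower())
    if any(w in DICTIONARY for w in letters_only.split() if len(w) >= 4):
        problems.append("built from dictionary words")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2011!", "Tr0ub4dor&3xQz", "kV7#pL2$wQ9!aZ4m"):
        print(candidate, check_password(candidate, windows=True))
```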
If you have trouble remembering even one long sequence of randomly chosen symbols, an alternative is to use a password manager. It stores an encrypted copy of each password and uses one master password to generate the encryption key. Encrypted copies can be kept in the Cloud and be accessible from all of your devices. Examples of password managers are LastPass, a cloud-based free or premium service; 1Password, which integrates easily with Apple products; and KeePass, an open source program that is more difficult to use. You must decide if the convenience is worth the risk.
Use hardware-based full disk encryption, especially on mobile devices. Vendors include Seagate Technology, Hitachi, Western Digital, Samsung, Toshiba and also solid-state drive vendors such as Samsung. These drives typically have zero degradation in performance. Data At Rest protection – information cannot be read from the drive without the encryption key (pass phrase) unless the drive is already on and unlocked. Cryptographic Data Erasure – deletion of the key information from the drive and controller ensures data cannot be recovered from the drive. Users must order their computer with hardware-based disk encryption or replace the drives themselves. Software solutions exist (e.g., TrueCrypt), but performance suffers. The interface is typically via the BIOS settings, which introduces some problems: an old BIOS may not allow sufficiently long keys. Mac OS X is problematic, since the Mac has no BIOS. Every laptop should use these drives. Set both the User Password and the Supervisor Password if both options are available. The password may be limited to 8 characters, so it is important to use a random sequence containing upper- and lower-case letters, digits, and symbols. Do not write it down, and do not forget it. Unfortunately, BIOS passwords are not very secure; a Google search for "bypass BIOS password" will turn up numerous pages of suggestions.
Computers use many ways to communicate with other computers or devices: wired networks (“Ethernet” copper or optical cable), wireless networks (802.11a/b/g/n/…), Bluetooth (short-range wireless), 3G/4G wireless packet data service provided by cellular phone companies such as AT&T, Verizon, Sprint, etc., infrared (“IR”, short-range and line-of-sight), and WiMax (metropolitan wireless).
Computers communicate by exposing an interface (Internet Protocol, or “IP” address) on a connected network and “ports” (connectors on which specific types of services are offered), for example,
- 18.104.22.168:80 – HTTP (Web service) on the host computer at IP address 18.104.22.168.
- 126.96.36.199:22 – Secure shell or copy (SSH service) at 126.96.36.199.
You can find a list of UDP and TCP port numbers on Wikipedia: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. Every exposed interface and port is a potential vulnerability. An incoming data stream may exploit a vulnerability in the computer’s software, either as it arrives or when you open an email attachment or click a link in a browser (as examples). A compromised computer may export sensitive data from your computer or network using an established port. A common ploy is to use encrypted transmission on port 443, which simulates HTTPS (secure Web service) traffic. Protect computer ports by protecting the networks they connect to.
Protect your networks with firewalls and encryption. Never connect a new (non-hardened) computer to an open network. Windows, in particular, can be compromised in seconds if not properly protected. Implement a firewall at the borders of your networks. Firewalls allow only specified network traffic into your network from an external untrusted network (use “deny unless permitted” policies). Firewalls allow you to specify which services (ports) can communicate from your network, and to specific hosts. Use Network Address Translation (NAT) to hide details (IP addresses and MAC addresses) of your network. Firewalls are easy to configure and manage and are transparent to computer users (so long as they don’t violate the rules you establish!). If you do not have a hardware firewall, go buy one and set it up now – this is your first line of defense. Routers with built-in firewalls are less than $150.00, such as the Netgear FV318, D-Link DFL-860E or DSL-2740B, Linksys BEFSX41 or E1200, and Apple Airport Extreme.
Typical wireless home and office networks are 802.11a/b/g/n – the last letter refers to the maximum speed. Wireless routers typically support three types of networks: open, WEP, and WPA/WPA2. Never set up an OPEN or WEP network. OPEN means anyone can connect to it, and anyone can view all the network traffic. WEP is an encryption protocol but is easily compromised. Use WPA/WPA2 (or, for larger installations, one of its enterprise-level variants). Choose a network password using the guidelines given earlier. You can specify the MAC addresses of trusted devices that are allowed to connect if you wish for an added layer of security. For additional security, you can hide the SSID, which is the name of the network and is needed to negotiate a connection.
If you have a secure office or home network, use Virtual Private Network (VPN) / encrypted tunneling technologies for any remote access; when traveling, you can use a VPN tunnel to route your traffic through that network. All traffic is encrypted, making mobile wireless access safer. Traffic is contained within the VPN stream, so a listener cannot determine what you are doing (web, mail, application, etc.). You can use SSH/SCP (secure shell / secure copy) to set up the VPN tunnel. OpenSSH is free (installed on Mac OS X and most Linux/UNIX distributions, and also available for Windows). Many firewalls support VPN tunnels, but the methods and protocols are usually specific to the brand (e.g., Cisco, Sonicwall, Netgear, …), and most require a client or add-on application or service on your computer.
Computers need protection against three categories of threats.
- Attacks against exposed ports.
- Viruses in email attachments and other files.
- Rogue software on web sites.
Lock down unnecessary ports and turn off unneeded services. Install and use anti-virus software. Use features of modern browsers (Firefox, IE, Chrome) to warn you about rogue web sites. Keep everything up to date (auto-update services). Exercise caution. Disable communications ports and configure ports to allow only necessary traffic.
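A small audit of the “every exposed port is a potential vulnerability” and “deny unless permitted” points above: compare a machine's listening sockets against an allowlist and report anything not on it. This is an added example, not from the talk; the listener table is constructed in the shape of `netstat -ltn` output, and the allowlist is a hypothetical policy (SSH only on the LAN address, HTTPS on any address).

```python
import ipaddress

# Hypothetical "deny unless permitted" policy: port -> hosts allowed to
# listen on it; "*" means any address.
PERMITTED = {
    22: {"192.168.1.10"},   # SSH only on the LAN interface
    443: {"*"},             # HTTPS on any interface
}

# Constructed sample in the shape of `netstat -ltn` output (not captured
# from a real machine).
SAMPLE_LISTENERS = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::3389                 :::*                    LISTEN
"""


def parse_endpoint(text: str):
    """Split 'host:port' into (host, port); handles IPv6 forms like ':::3389'."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def is_permitted(host: str, port: int, permitted=PERMITTED) -> bool:
    allowed = permitted.get(port, set())
    return "*" in allowed or host in allowed


def audit(listing: str, permitted=PERMITTED) -> list:
    """Return (host, port) pairs listening outside the allowlist.

    Loopback-only listeners are skipped: they are reachable only from the
    machine itself, so they are not an exposed port in the talk's sense.
    """
    unexpected = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # header, blank line, or non-listening socket
        host, port = parse_endpoint(fields[3])
        if ipaddress.ip_address(host).is_loopback:
            continue
        if not is_permitted(host, port, permitted):
            unexpected.append((host, port))
    return unexpected


if __name__ == "__main__":
    for host, port in audit(SAMPLE_LISTENERS):
        print(f"not permitted: {host}:{port}")
```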
Install and use US-based anti-virus products and web browser features to screen web sites, and avoid non-US-based anti-virus products where possible. The two biggest players in US AV software are Symantec and McAfee. An alternative is Microsoft’s Security Essentials (which is free). Keep everything up to date.
Use a separate computer for travel with only the files and applications you need for your trip. Use hardware-based disk encryption and strong passwords, including BIOS password protection. Enable any firewall and AV protection in the OS (Windows: Firewall and Anti-Virus; Linux and UNIX: the lokkit command or iptables).
For Mac OS X, go to System Preferences, Security & Privacy, turn the Firewall ON, and under Advanced select Block all Incoming Connections.
Don’t use Windows unless necessary (90+% of all malware targets Windows). Physically disable all data ports not in use (put epoxy in unused USB ports for maximum protection).
For travel, use a light computer like a netbook with an encrypted drive, Linux, LibreOffice (reads/writes Word/Excel/PPT file formats), Acrobat Reader, the Firefox web browser, the Thunderbird mail client, and unneeded network ports disabled (iptables). Take only what you need when you travel.
If you have been hacked, isolate the computer but do not automatically power it off. Seek advice (legal, law enforcement, professional). Do forensic analysis: what was compromised and who did it? Get professional help; in some situations, this must be a law enforcement agency. Notify law enforcement (the FBI if DOE/DOD or foreign entities are involved). Legal notification requirements may apply if private personal data of others is compromised. There may be contractual notification requirements (Federal contracts, NDAs). Protect your financial assets (bank and investment accounts). Keep this from happening again.
The bad news is that if you are using a computer running any version of Windows and you have not been following these guidelines (especially with no firewall or anti-virus), there is a good chance your computer is running one or more key logging programs, which send information to third parties, perhaps a virus or two, and maybe software that is sending virus-laden emails to the people in your contact lists and address books. The older the computer and the older the version of Windows, the worse the problem. Sometimes the best approach may be a clean installation of Windows. It is possible to clean these infected computers in many cases, but not all.
See the references below:
- Removal of Key Loggers:
- Microsoft Security Center:
- Windows Security Guides:
- OpenSSH Interoperability for Windows:
- Knoppix live (bootable) Linux CD with numerous tools