On 02/11/12 12:48, Neil Winchurst wrote:
> Thanks for all the responses. Not so simple, just as I thought. So
> things are only going to get worse. And the government is always
> thinking of ways to spy on us.
>
> Education is the way to go, but not just in schools perhaps. I have a
> rather hazy understanding of what I should be doing as a minimum to be
> reasonably secure. So some suggestions from our more knowledgeable list
> members could be useful for many of us I believe.
>
> Thanks
>
> Neil
>

Excellent, computer security - my favourite subject!

I'm primarily a sysadmin, but partly through necessity and partly through personal interest, I've always been very, very interested and involved in the security and hacking aspects of IT ever since I was first taught to gain administrative access to companies' PABX switchboard systems using nothing but a handset, a phonebook and the Siemens telecoms engineer manual, way back at my first proper job.

It was amazingly simple - we scanned the phonebook for an obvious commercial/company phone block, say 0207 299 5000, knowing that the entire block 5000-6000 'belonged' to an obvious entity like a council department or a large business. We'd never even need to wardial the entire range, as we knew that probing the initial 5000-5010 set manually would yield the default master numbers, typically reserved for virtual trunking, admin dial-in and remote voicemail retrieval lines. Back then, PABXs were trivial to fingerprint once you were familiar with them - the pre-recorded messages, default settings and the command sequences (pressing ##1 or **1) to access administrative functions would often give the game away within moments of commencing recon, and then we'd grab the relevant service manual from our collection and dig out the default passwords and settings to get full admin - depressingly often the dreaded 1234 or 1111 combination.
Once in you could do almost anything - nuke trunks (DOS), retrieve and delete voicemails (data theft) and change the CEO's voicemail greeting (mischief). This was back in the dial-up days: you could also set yourself up on some systems with private redirect numbers, free international conference calls and of course modem access. At that stage, I was still learning phreaking - it would take me a while to progress to the stage where I realised that the ultimate goal of hacking telecoms systems was really to get access to the computer systems that were running on them. And that proved to be surprisingly easy.

Fast forward ~15 years and back on topic: IT security is no better now than it was then. In fact, it's worse: the increasingly converged internet is a chaotic mess of technologies, standards and systems that serves as a vast battleground for cynical corporations, state agents, professional hackers, loose collections of griefers (anonymous, etc) and a million and one other hostiles, absolutely *NONE* of whom have your best interests at heart. I feel a bit sorry for all 'normal' people who just want to enjoy this great resource in peace and safety because it's flatly impossible now - the internet is a warzone. Government control and corporate interests have largely sabotaged the early spirit of cooperation and freedom that initially existed: you are all being logged, datamined, censored, fingerprinted.

In my opinion, Neil has exactly hit the nail on the head above even though I think he was probably being flippant - "the government is always thinking of ways to spy on us". Take this lesson to heart: the internet is very, very hostile and we're all targets, 100% of the time.

So, properly back on topic, how does a denizen of this list secure themselves, presumably being principally a linux user?
Well, just for a start, please disavow yourself of any ideas that you are more secure because you are using linux or that linux is even a 'safe' (or even 'safer') OS, because it isn't. Linux certainly wasn't initially built with security in mind; as someone else pointed out, what security it did or does have came mostly accidentally through its inheritance of a *nix style environment, mostly more skilled users and of course, open source code. The truth is, if you know what you're doing, a properly configured Windows, Mac, AIX or whatever box can be hardened much more than a poorly maintained linux system. The reverse is of course true as well. If one checks the CVE and other historical records you'll see that linux consistently has *more* critical flaws exposed than windows - admittedly, they are generally found and fixed much faster though.

Unfortunately, unless you're a security guru or a helpless obsessive (I'm the latter...) and only build from source (which you can read), subscribe to every security list, have friends who are professional hackers/government spooks and happen to be Theo De Raadt's best mate, you aren't going to get perfect security.

What you can do:

1: safe habits - this is the most critical. Things like no re-using passwords (*EVER*). No dodgy websites. No free porn sites. No gambling sites. Nuke all browser caches on exit. Etc, etc.
2: stay updated - every single day, first thing, run an update. If any software becomes unmaintained, secure it in a VM or sandbox. Preferably get rid of it.
3: don't run unnecessary services. Don't need NFS, telnet, rsh, etc? Disable them all. Same goes for samba, cups, ssh - all of this listens on the network.
4: NEVER EVER use an outdated OS that isn't receiving patches. This is suicidal.
5: don't trust anything upstream, starting with your ISP and ISP supplied router (they are your greatest enemy in some respects)
6: use a firewall on every system. I can't believe some of you guys aren't running iptables/ufw on your boxes. Are you insane?
7: logging. Use syslogd, nagios, whatever you like. But log everything for when you need to know what went wrong.
8: secure your root account and all super user privs: never allow sudoers access to all commands without passwords AND logging.
9: check your permissions - this is usually the number one mistake for linux users. A bad sudo chmod -R will screw you.
10: mandatory access control - effectively, this means SELinux.

Some words of explanation - firstly, enable your firewall for god's sake. For Debian flavoured systems, just "sudo apt-get install gufw" and then "gksudo gufw" will bring you up a nice little GUI. Allow any ports you must have access to (typically 22 for inbound SSH is all you need on a home PC, if that), hit the "on" button and you're done. There is no reason whatsoever why you shouldn't have done this already - Fedora, Arch and all the other systems have similar and typically easy basic firewall setups that are easily googled.

A related word on your biggest issue - the router your ISP gave you. People have already been rightly cursing the Virgin SuperHub (although funnily enough, I'm behind one right now and it hasn't given me any problems). These routers are routinely re-flashed with firmware by your ISP that you can't read, evaluate or trust (if you have any sense) and they are the sole gateway of all your network traffic. See GNUcitizen and others for a frightening primer on just how trivial it can be to hack and control these routers remotely with default backdoors included by your ISP or just straight coding errors. In Brazil currently, approximately 4.5 million standard issue consumer routers have been compromised by hacker gangs and DNS modifications used to attack the owners - this has happened routinely all over the world and is continuing now.
Bear in mind that your ISP is also logging and datamining you and that either they or a company they sell it to will inevitably leak that data at some point - they'll also cough it up for the government at the drop of a hat.

Do NOT trust your router: firstly, turn off UPnP, any remote management functions and WPS (instantly hackable). Ensure you are using WPA2 if you are using wireless, preferably Radius server backed but TKIP will do. Most importantly, if possible, change the provided DNS servers (many routers are locked to the ISP's these days) - ISP DNS obey government ordered censorship and typically break the RFC-compliant NXDOMAIN response you should get with a redirect to a fucking search page (opendns also follow this hateful practice).

As I've advised before, you really should have at least one machine on your network providing proper DNS - i.e., a caching, resolving, recursive and *validating* service that gets DNS direct from the DNS root servers, all secured over DNSSEC. Anything else is failure, and you're immediately open to all and any abuse unless you're memorising the IPs for every internet resource you ever use. Nobody has learnt from the Kaminsky DNS timing attack of a few years back it seems - DNSSEC is now officially implemented right from the root servers but hardly anyone is using it (debian.org does!) which makes my head hurt.

Similarly, SSL/TLS is mostly broken because people are idiots (see the CRIME and BEAST attacks), ignore security bulletins and don't implement it correctly, leaving the majority of SSL using sites vulnerable.

I have an almost endless list of epic security fails from recent memory alone, any one of which should put the fear of god into you: the infamous "telnet running by default and accessible as root without password" flaw in Solaris (sure, you don't run Solaris at home but your bank, insurance company and telco do).
The idiot who commented out half of the security checking in debian's source tree resulting in years of insecure SSH key generation. The h00lyshit local (linux) exploit. A nasty French security company called Vupen are already claiming to have a fully working windows 8/IE10 remote exploit bypassing ASLR, DEP and sandboxing which they are of course selling to anyone with the cash. OpenVMS, OpenBSD and z/VM have all been exploited and they're the world's most secure systems. And then you have Stuxnet, Flame... Java is also totally compromised, again, and thanks to Oracle won't be receiving any out-of-plan updates either so remember that every single JBoss and other crappy middleware java layer installation out there on commercial systems you may use can ruin you.

In short, we're all screwed. It's not so much if you're vulnerable, it's just how vulnerable you are. Even for security nuts like me, there is only so much I can do to mitigate the attack surface because of all the other weak chains in the links above me: a hostile government and legal environment, a sneaky and snooping ISP, companies that want to monetize my privacy at any cost, broken DNS/SSL infrastructure, etc.

What I have been saying applies merely to ordinary users - if you are unlucky enough to be an admin and are running server systems accessible from the internet, you really have a lot to deal with. Securing Apache is a game of whack-a-mole. Mail servers are pure torture to keep out of trouble. Ask any of the server admins on this list about the horrors they see daily in their logs - it's not uncommon to do things like just block all of China! And of course, internal users are the biggest problem anyway.

Don't forget linux won't protect you from CSRF/XSRF attacks or a million forms of website abuse. Use firefox, set its security options properly and use at a minimum the ghostery, adblock, noscript, requestpolicy and firebug addons. Turn your local firewall on, and log everything.
Install SELinux where possible. Disable every unwanted service. Never use unencrypted versions of services that should be encrypted - I'm sorry, but if you're using FTP when SFTP exists you are an idiot. Same for http/https, DNS/DNSSEC and insecure SSL/TLS versions. The weaknesses are known and documented, secure fixed versions exist so why the hell aren't people using them? Use strong encryption for *everything*. Subscribe to at least one security mailing list and read it every day (full disclosure is chaotic and unmoderated, but still a good start). Use throwaway accounts for anything trivial. Protect your real identity at all costs. Use SSH tunnels and/or VPNs for remote access. Maintain your own self-signed certs religiously - the repeated state level molestation of certificate authorities (DigiNotar anyone? Iranian government issuing their own google certs? etc) means you have to be wary.

Make sure you have a couple of secure, deniable backup plans - you do have Tor installed and configured right? And access to at least one other internet connection from a different ISP in case your primary goes down? It would be bad if you get hacked and badly need to revoke a cert, shut down a host or change a root password and all you've got is the crappy, flaky 3G connection on your phone...

Well, this turned out to be an even more rambling, paranoid post than I usually manage so my apologies, and congratulations if you made it this far. Most of you are probably thinking I'm either a paranoid schizophrenic or living in a delusional and dystopian cyberpunk fantasy but I'd like to gently point out that not only is everything I said correct, but I can happily dig out references for everything you can't be bothered looking up yourself.
If it's any help, I'd be happy to put my money where my mouth is and give specific, detailed security advice to anyone who asks for it otherwise I'm just another internet blowhard :]

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
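Two of the numbered points in the post above, "don't run unnecessary services" (3) and "never allow sudoers access to all commands without passwords" (8), are easy to check mechanically. The script below is an added example, not code from the poster or the list; it audits a constructed sudoers snippet and a constructed listing of network sockets, both embedded inline so it runs offline. The sample users (alice, bob, carol), the sample services and the allow list of port 22 are assumptions for illustration; on a real host the same two functions can be fed the contents of /etc/sudoers and /etc/sudoers.d/* and the output of `ss -tlnuH` instead.

```shell
#!/bin/sh
# Added example (not part of the original post): an offline audit for two of the
# list's points - sudoers rules that grant ALL commands with NOPASSWD, and
# network-facing listeners that are not on an allow list. All input is
# constructed sample text, not captured from any real system.

# Constructed sudoers content. alice and carol get every command with no
# password; bob gets one specific command only; root and %admin need a password.
SAMPLE_SUDOERS='# constructed sample sudoers
Defaults logfile="/var/log/sudo.log"
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
%admin  ALL=(ALL) ALL
carol   ALL=(ALL:ALL) NOPASSWD:ALL'

# Print the user or group of every rule whose command list is exactly
# "NOPASSWD: ALL". This is a line-by-line check, not a sudoers parser:
# aliases, line continuations and multi-command lists are not understood.
find_passwordless_all() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' \
        | awk '{ print $1 }'
}

# Constructed listening sockets in "proto local_address process" form, similar
# in shape to a trimmed `ss -tlnuH` listing but not taken from any host.
SAMPLE_LISTEN='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 telnetd
tcp 0.0.0.0:139 smbd
tcp 127.0.0.1:631 cupsd
udp 0.0.0.0:111 rpcbind'

# Ports a home PC is expected to expose, per the post: 22 for inbound SSH, if that.
ALLOWED_PORTS='22'

# Print "process on address" for every socket bound on all interfaces
# (0.0.0.0, [::] or *) whose port is not in the space-separated allow list.
# Loopback-only listeners (cupsd on 127.0.0.1 here) are not reported, since
# they are not reachable from the network.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $2; sub(/.*:/, "", port)
            bound_all = ($2 ~ /^(0\.0\.0\.0|\[::\]|\*):/)
            if (bound_all && !(port in ok)) print $3 " on " $2
        }'
}

# Run both checks and report; returns non-zero when anything was flagged so the
# script can gate a cron job or a post-install check.
run_audit() {
    sudo_hits=$(find_passwordless_all "$1")
    listen_hits=$(unexpected_listeners "$2" "$3")
    [ -n "$sudo_hits" ] && printf 'sudoers: NOPASSWD ALL granted to: %s\n' \
        "$(printf '%s' "$sudo_hits" | tr '\n' ' ')"
    [ -n "$listen_hits" ] && printf 'network: unexpected listeners: %s\n' \
        "$(printf '%s' "$listen_hits" | tr '\n' ';')"
    [ -z "$sudo_hits$listen_hits" ]
}

# Stand-alone run over the constructed samples; flags alice, carol, telnetd,
# smbd and rpcbind, and reports the non-zero status without aborting.
run_audit "$SAMPLE_SUDOERS" "$SAMPLE_LISTEN" "$ALLOWED_PORTS" \
    || echo "audit: issues found (exit status $?)"
```

The sudoers check deliberately ignores rules like bob's, which are passwordless but scoped to one command; the post's objection is to blanket NOPASSWD ALL, and a single fixed command is a much smaller risk. The listener check treats anything bound to a loopback address as acceptable and flags only sockets reachable from the network, which is the set the post's firewall and "disable unneeded services" advice is about.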