============================================================
T H E   S E C U R I T Y   O U T P O S T   B U L L E T I N
============================================================
December 7, 1999 | Vol. 1, #01 | http://www.securityoutpost.com

Contents

1. FEATURE: Watching the Watchers -- A User's Guide to Extreme Paranoia
2. TIPS: Backup, Lock Down, Encrypt, Educate, Enjoy
3. THREATS: Defacements, Explorer, Macros, Port Scans, Y2K
4. TOOLS: Password Safe

============================================================
A service of PC Guardian ... San Rafael, California
"Protecting Computers & Data Worldwide" ... Since 1984
============================================================

------------------------------------
1. FEATURE: Watching the Watchers -- A User's Guide to Extreme Paranoia
------------------------------------

Every day seems to bring dramatic reports of some new network or computer security problem. A mini-industry of computer security sites, news sites, and Internet mailing lists is committed to exposing every bug, virus, vulnerability, and root exploit. Law enforcement and computer security research institutes publicize the tremendous losses caused by information security breaches, from stolen intellectual property to denial-of-service. Computer security vendors are naturally willing adjuncts to this feeding frenzy as they step up with improved virus checkers and entirely new classes of must-have corporate security products like intrusion detection software.

Much of this sound and fury is entirely self-serving. Security web sites want to sell ads. Law enforcement wants more budget and expanded surveillance powers. Security vendors want sales. While some of this activity serves the broader purpose of heightened public awareness, much of what passes as security reporting ends up distorting reality.
Incessant and repetitive reports about computer risks carry their own risks:

The Reality Distortion Syndrome -- While security news stories constantly harp on the real and imagined dangers of Internet-based systems crackers, who seem to be everywhere and nowhere at once, the banal reality is that most computer security threats come from insiders ... disgruntled employees, bored employees, curious employees, careless employees. Reality distortion is dangerous insofar as it leads people to expend time and resources on relatively low-risk vulnerabilities (network break-ins) while ignoring high-risk factors like employee alienation.

The Security Fascist Syndrome -- Managers armed with a distorted view of reality sometimes layer on so much security that users can't get their work done. This is an obvious business problem. But it also creates its own risks: inappropriately tight security measures invite users to come up with workarounds. A "no-net" policy, for example, can motivate employees to set up their own rogue net connections using cheap modems and dialup accounts. There are few things more dangerous to corporate computer security than proliferating dialup accounts, each of which provides an entry point for intruders. Security is something to do right before someone does it wrong for you.

The Despair Syndrome -- Any security expert will tell you that there's no such thing as perfect computer security. You can put your sensitive information on a computer, encrypt it, turn the computer off, and place it in a subterranean vault: maybe your opponent will rent an earthmover, hire a safe-cracker, and bring a diesel power supply along with a laptop equipped with brute-force cracking software. When one considers the flood of bad computer security news, the impossibility of perfect security, and the perceived expense of computer security safeguards, it becomes all too easy to throw up your hands and give up in despair.

------------------------------------
2. TIPS: Backup, Lock Down, Encrypt, Educate, Enjoy
------------------------------------

It's best to keep an even keel, descending into neither paranoia nor existential despair. Here are some steps you can take to ensure security without relying on either the buzz about the latest net.hack or security fascism:

* BACKUP! Back up often. Back up to remote sites. Back up in multiple formats. Even the worst infosecurity conflagration can be contained if you have a complete, up-to-date backup. Routine is critical here. A backup schedule can be as simple as copying a day's work to a Zip disk or as complex as on-the-fly backups of critical online data. Be sure not to rely on any one backup medium or format. If you use Zip disks, make a few backups to floppy in case your Zip drive is suffering from an insidious undetected read/write glitch. If you back up using tape, use CD-RWs sometimes, and vice versa.

* LOCK DOWN! Modern science can count the number of atoms in the universe (10^77 excluding dark matter) but no one knows how many computers are stolen every year. Public-access computers and laptops are particularly prone to the "walking computer" syndrome. If you have machines exposed out in the open, lock 'em down with cables attached to nearby pieces of big furniture. Check out the wide selection of anti-theft devices at http://www.pcguardian.com/hardware/anti_theft.html?so101

* ENCRYPT! If you have confidential data on a machine that 1) more than one person uses or 2) is connected to the Internet, encrypt that data now. Crypto software can provide defense-in-depth: even if your computer is stolen, the data will be safe if it's been properly encrypted. Take care in selecting an encryption program. Crypto software is notoriously difficult to produce: be wary of "snake-oil" crypto vendors that make claims about "military-grade" security or "secret algorithms."
PC Guardian offers a complete line of reputable crypto products -- based on the public Blowfish algorithm -- for protecting files, folders, and even entire hard drives. For more information, see http://www.pcguardian.com/software/encryption.html?so101

A great starting point in evaluating data protection products is Encryption Plus Folders Lite, which transparently encrypts and decrypts the contents of a single folder. You can download a free copy at http://www.pcguardian.com/folders_download.html?so101

* EDUCATE! Educate yourself about computer security. Educate others. If you're an expert, share your knowledge. If you're a security novice, learn whatever you can. If you're responsible for the security of an organization, be sure to develop and promulgate a clear, well-defined security policy. You can find computer security resources and links at http://www.pcguardian.com/portal/index.html?so101 If you're interested in computer security policy, consult the Site Security Handbook at http://www.faqs.org/rfcs/rfc2196.html

* ENJOY! Most people don't intuitively associate securing computer systems with anything remotely enjoyable. Clearly, activities like hassling with a backup program are not like visiting an amusement park or getting a back massage. On the other hand, many have compared computer security to a game -- a game played against unknown opponents at unknown times and places -- but a game nonetheless. Cat and mouse. Spy vs. spy. Others look at security as a kind of puzzle, like the cryptograms on the comics page of the newspaper, only with more at stake. But think of it this way: security may be hard work, but there's a big payoff when you can relax knowing that data -- personal records, business plans, etc. -- is safe.

------------------------------------
3. THREATS: Defacements, Explorer, Macros, Port Scans, Y2K
------------------------------------

Reasoned analysis of threats -- their importance, their scope -- is a good alternative to total paranoia.
In this section, we'll look at some recent computer security threats and ask two simple questions: how widespread is the threat, and how serious is it? Here are five threats that have made the news lately:

* Web site defacements -- Script kiddies love to break into web sites and deface home pages. Attrition.org does an excellent job of archiving these.[1]

* Internet Explorer (IE) vulnerabilities -- IE security holes are found practically every week. Microsoft's Active Scripting and ActiveX controls are particularly vulnerable. These probably never should have been implemented in the first place. The problem is compounded by the decision to integrate IE into the operating system.[2]

* Macro viruses -- Another Microsoft-spawned problem. It's a neat trick: let's implement a technology that turns every document into a potential virus vector. The problem could be easily solved by stripping this gratuitous functionality out of products for the majority of customers who don't need it.[3]

* Port scanning -- A port is an abstraction that enables a process on one machine to communicate with a process on another machine over a network. Open ports are potential vulnerabilities since by definition they "listen for" or accept connections from random machines on the net. A variety of tools can scan hosts for open ports. These can help security personnel -- and crackers -- find vulnerabilities. Internet-connected systems get port scanned constantly. Some feel that port scanning in and of itself is both harmless and legal. Others believe port scans represent unethical preludes to attacks, the equivalent of the burglar who goes from door to door looking for one that's unlocked.[4]

* Y2K security vulnerabilities -- January 1, 2000 is an excellent opportunity to launch an attack on computer systems. The footprint of the attack has a good chance of being missed amongst widespread system and power failures. The bad guys know this.
The good guys are too busy averting TEOTWAWKI (The End Of The World As We Know It). Many trade organizations and companies are trying to reassure the public about Y2K compliance, but they may be underestimating the amount of malicious mischief planned for 01/01/2000.[3]

Here's a relative ranking, from one to five stars, of the scale of each threat (indicating how many systems might be affected) and the seriousness of the threat (indicating the potential impact on an affected system):

scale | seriousness | total   | threat
--------------------------------------------------------
****  | ***         | 7 stars | IE vulnerabilities
**    | ****        | 6 stars | Y2K vulnerabilities
****  | **          | 6 stars | macro viruses
**    | *           | 3 stars | port scanning
*     | **          | 3 stars | web site defacements

[1] See http://attrition.org/mirror/attrition/
[2] See http://www.microsoft.com/security/products/ie.asp
[3] Microsoft is offering free anti-virus software through 12/31/99 at http://www.microsoft.com/y2k/antivirus/AntiVirus.htm
[4] For information on the nmap scanning tool, see http://www.insecure.org/nmap/

------------------------------------
4. TOOLS: Password Safe
------------------------------------

We're in the midst of a password explosion. Passwords are required to access everything from ATM machines to web sites. A good password is both easy to remember and hard to guess. Unfortunately, a password that's easy to remember (your license plate number) is also easy to guess. So there are no good passwords, really. You can write down your passwords but that makes them available to anyone who can see your list. You can use the same password across systems but that provides a rogue operator with an easy way into your accounts. Given that passwords have to be unique and hard to guess, but can't be written down, how can one manage the growing collection of passwords necessary to navigate day-to-day cyberlife? The Password Safe program from Counterpane Systems provides a convenient and secure place to stash commonly used passwords.
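The paragraph above sets out two requirements, "hard to guess" and "unique across systems", without putting numbers on them. The following is an added example by the editor, not code from the bulletin or from Counterpane: it measures "hard to guess" as bits of entropy for a randomly chosen secret, generates a passphrase from a word list with a cryptographically secure random source, and checks a list of accounts for the same password used on more than one site. The word list and the account records are constructed for the demonstration.

```python
"""Added example (editor's code, not from the bulletin): put numbers on
"hard to guess" and detect password reuse across accounts."""
import math
import secrets
from collections import defaultdict

# Constructed word list. A real passphrase generator uses a list of several
# thousand words; the entropy formula below is the same either way.
WORDS = ["anchor", "basil", "comet", "delta", "ember", "fjord", "gable",
         "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow",
         "nickel", "orchid", "pepper"]

# Constructed account records: (site, username, password).
ACCOUNTS = [
    ("bank.example", "seth", "Bulletin99!"),
    ("mail.example", "seth", "Bulletin99!"),
    ("shop.example", "sross", "anchor-juniper-fjord-meadow"),
    ("forum.example", "sross", "Bulletin99!"),
]


def guess_entropy_bits(choices_per_symbol: int, length: int) -> float:
    """Entropy in bits of a secret whose `length` symbols are each chosen
    uniformly at random from `choices_per_symbol` possibilities. A value
    that is NOT random (a license plate, a birthday) has far less entropy
    than this formula suggests, which is the bulletin's point."""
    return length * math.log2(choices_per_symbol)


def scheme_comparison() -> dict:
    """Entropy of three generation schemes, for comparison."""
    return {
        "8 random chars from [A-Za-z0-9]": guess_entropy_bits(62, 8),
        "6 random words from a 7776-word list": guess_entropy_bits(7776, 6),
        "4 random words from the 16-word list above": guess_entropy_bits(len(WORDS), 4),
    }


def random_passphrase(n_words: int, words=WORDS) -> str:
    """Words chosen with the secrets module (a CSPRNG, unlike random.choice),
    joined with hyphens. Easier to remember than random characters."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def find_reused_passwords(accounts):
    """Return {password: [sites]} for every password used on more than one
    site: the 'same password across systems' problem."""
    by_password = defaultdict(list)
    for site, _user, password in accounts:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for scheme, bits in scheme_comparison().items():
        print(f"{bits:6.1f} bits  {scheme}")
    print("sample passphrase:", random_passphrase(4))
    for pw, sites in find_reused_passwords(ACCOUNTS).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
```

The comparison shows why a passphrase from a large word list is the usual compromise: six random words from a 7776-word list carry more entropy than eight random mixed-case alphanumerics, and are far easier to remember. The reuse check is the kind of audit a password manager's database makes possible, since it holds every account in one place.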
Counterpane is Bruce Schneier's company; Schneier is the author of the Blowfish and Twofish cryptographic algorithms as well as an all-around technical wizard. Password Safe allows you to enter username and password combinations, which are then stored in an encrypted database. Double-clicking an entry copies the password to the clipboard, allowing you to paste it into an authentication prompt. This straightforward and secure program can solve your password quandaries, at least until you forget the "combination" to your "safe". In that case you're, as they say, SOL. Still, it's easier to remember one password than two dozen.

To download Password Safe, visit:

http://www.counterpane.com/download.html
http://filedudes.ionsys.com/win95/password/passsafe.html

============================================================
The Security Outpost Bulletin is published monthly by PC Guardian. For information about our quality encryption software and anti-theft devices, please visit us at http://www.pcguardian.com/index.html?so101
============================================================

FEEDBACK OR QUESTIONS

Contact the author directly:

Seth T. Ross
Director of Security Publications & Resources
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901
+1 415-459-0190 x143
sross@pcguardian.com

============================================================
Please mail this newsletter to someone you care about.
Copyright 1999 PC Guardian. All rights reserved.
============================================================
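Editor's added example for the port-scanning item in the THREATS section above (not part of the bulletin): the section says Internet-connected systems get port scanned constantly, and the defender's question is how to tell a scan apart from ordinary traffic in a connection log. The code below parses a constructed log in a hypothetical "timestamp src dst port action" format and flags any source that touches many distinct ports on one destination inside a short time window. The addresses, ports and log format are all constructed; the threshold and window are assumptions to tune for a real network.

```python
"""Added example (editor's code, not from the bulletin): flag a source that
probes many distinct ports on one host in a short window, the behaviour
the bulletin describes as port scanning."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "timestamp src dst port action"
# format. 198.51.100.7 walks ten ports in four seconds; 203.0.113.9 is an
# ordinary web client returning to the same two ports.
SAMPLE_LOG = """\
1999-12-07T10:00:01 198.51.100.7 192.0.2.10 22 DENY
1999-12-07T10:00:01 198.51.100.7 192.0.2.10 23 DENY
1999-12-07T10:00:02 198.51.100.7 192.0.2.10 25 DENY
1999-12-07T10:00:02 198.51.100.7 192.0.2.10 80 ALLOW
1999-12-07T10:00:02 198.51.100.7 192.0.2.10 110 DENY
1999-12-07T10:00:03 198.51.100.7 192.0.2.10 143 DENY
1999-12-07T10:00:03 198.51.100.7 192.0.2.10 443 DENY
1999-12-07T10:00:04 198.51.100.7 192.0.2.10 3306 DENY
1999-12-07T10:00:04 198.51.100.7 192.0.2.10 8080 DENY
1999-12-07T10:00:05 198.51.100.7 192.0.2.10 5432 DENY
1999-12-07T10:05:00 203.0.113.9 192.0.2.10 80 ALLOW
1999-12-07T10:05:30 203.0.113.9 192.0.2.10 80 ALLOW
1999-12-07T10:06:00 203.0.113.9 192.0.2.10 443 ALLOW
1999-12-07T10:30:00 192.0.2.55 192.0.2.10 22 ALLOW
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Per (src, dst) pair, slide a time window over the connection attempts
    and report the pair once the window holds >= min_ports distinct ports.
    Counting distinct ports, not attempts, keeps a busy but legitimate client
    that keeps returning to port 80 from triggering an alert."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Drop hits that fell out of the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one alert per pair is enough here
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"possible port scan: {a['src']} -> {a['dst']}, "
              f"{a['distinct_ports']} ports between {a['first']} and {a['last']}")
```

This catches a "vertical" scan (one source, one target, many ports). A "horizontal" sweep (one port across many targets) needs the same sliding window keyed on (src, port) and counting distinct destinations instead; the threshold then has to be set above the fan-out of normal services such as a mail relay.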