Links to those who have been fighting the good fight:

Internet Storm Center: isc.sans.org

And to those who watch:

Internet Health Report (US only): www.internetpulse.net
CERTStation: www.certstation.com

I would also recommend a basic home computer security suite:

Avast (www.avast.com) – Antivirus
Ad-Aware (www.lavasoft.com) – Antispyware
ZoneAlarm (www.zonealarm.com) – Firewall

These programs are all free for personal, non-commercial use. While this suite will certainly not stop all threats, it offers decent security with a minimal maintenance burden. Use it as a starting point and choose better options based on your experience level and personal preference. I would recommend declining any paid upgrades.

For more layers of defense:

Encryption:
PGP Desktop (www.pgp.com)
PGP allows you to encrypt files and also send encrypted email. This provides excellent security against casual eavesdroppers. The trial package has limited functionality after 30 days but remains sufficient for home use.

Software proxy and onion router:
Vidalia (www.vidalia-project.net)
Vidalia will allow you to access websites anonymously. It provides some limited ability to reach sites that have been blocked locally (e.g. by government or corporate mandate).

Full disk encryption:
TrueCrypt (www.truecrypt.org)
TrueCrypt provides on-the-fly full disk encryption. I will be testing the latest version in the near future.

Network Security Operating System:
BackTrack (www.remote-exploit.org/backtrack.html)
BackTrack is filled with tools for those interested in testing their own network defenses.

You can quickly test your status using some internet-based scanners:

Symantec: security.symantec.com
Shields Up: https://www.grc.com/x/ne.dll?bh0bkyd2

For maximum effectiveness, remember to update and scan regularly!

I would also be happy to hear about any options/tools that are particularly good!

In the first story, a man is charged with hacking USC. He claims to have been trying to warn USC of a security vulnerability. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=187201428

In the second story, an attacker potentially compromises data on 800,000 user accounts at UCLA. Presumably, UCLA received no warning. http://www.informationweek.com/news/security/showArticle.jhtml?articleID=196603485

Would USC have suffered the same fate if they were not warned? Would they have been better off if they were given the time and opportunity to fix the problem on their own?

In the next post, I am going to give out links to some of my favorite InfoSec sites and tools. Like any tool, none of them is intrinsically Good or Bad. It is not the tool that has the intent but the wielder thereof.

Granted, the following links are likely to be well-known. Many of the people who use them will not be swayed by my words. But for those who are new to the field, I offer the following guidance:

The electronic world is just as real and as important as the physical one. In some ways, it is even more complicated than Real Life because there are few hard and fast rules that will apply to every situation.

1) Respect others. Any site or system or network you interact with was built by the effort and resources of a real person. Others you interact with online are real people.
2) Minimize your impact. Computing resources are finite and each user should take what they need and no more. For a specific example: do not crush a Tor relay with your BitTorrent traffic of stolen movies.
3) Be aware of applicable laws and regulations. Something that may be legal in your home country may not be while you are travelling.
4) Act in good faith. A server misconfiguration that allows you access to private files is not an invitation to read them. You may even want to inform the server admin.

When you encounter those ever-so-frequent grey areas, put yourself in the other person’s position. Think about what you would want and not just from a technical perspective.

Think about the first story. USC is not just another host with a vulnerability. It is an educational institution with a full-time mission. It is, in some aspects, a very large business. It is run by a group of people who wish to sleep soundly at night. It may have some very trigger-happy executives or an overly protective legal team. These entities, regardless of whether you think they are doing the right thing or not, all have a say in what happens on their systems.

Think broadly and carefully the next time you find yourself in that no-man’s land of legal and technical ambiguity.

The strategy here is going to change a little bit. My original assumption about the Internet access control mechanisms was that the rules would be fairly static. This has proven to not be the case. Given the upcoming Olympic Games, I believe that access is going to be much less restrictive than usual and that changes will be made very quickly.

As of 7/12/08:

Domains not reachable:

- facebook.com (was reachable on 6/29/08)
- icanhascheezburger.com (was previously able to load site without pictures but now totally unreachable)
- uncyclopedia.com
- torproject.org
- dit-inc.us

Domains reachable:

- cnn.com
- bbc.co.uk
- xkcd.com
- wikipedia.org

The combination of Privoxy+Tor is again successful in accessing the blocked sites.
I chose this method because of its usability: free, well-integrated into popular browsers, and easy to set up.
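As an added illustration (not configuration from the original post), this is the minimal pairing the Privoxy+Tor setup depends on: Tor exposes a local SOCKS listener and Privoxy forwards all browser traffic to it. Port numbers are the projects' defaults; file locations vary by platform and are assumed here.

```conf
# --- torrc (Tor's configuration file; location assumed) ---
# Local SOCKS listener on 127.0.0.1 only (Tor's default bind address).
SocksPort 9050

# --- Privoxy "config" file (location assumed) ---
# Privoxy listens for the browser's HTTP proxy connections on localhost.
listen-address 127.0.0.1:8118

# Forward every request ("/") to Tor's SOCKS port. The trailing "."
# means no further HTTP proxy after Tor. socks4a (not socks4) makes Tor
# resolve hostnames, so DNS lookups for blocked domains never leave the
# machine in the clear.
forward-socks4a / 127.0.0.1:9050 .
```

Point the browser's HTTP and HTTPS proxy settings at 127.0.0.1:8118; a browser configured to use 127.0.0.1:9050 directly must be set to SOCKS 4a or 5 with remote DNS for the same reason.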

However, there are several important caveats to using Tor:

- The network as it exists will not support connections requiring a lot of bandwidth (e.g. BitTorrent, massive file transfers, etc.). It will work, but it will be extremely slow. I need to stress that such usage will also have a negative impact on other Tor users.
- The software is experimental and should not be relied upon for strong anonymity.
- The most reliable source for software and updates (torproject.org) is not reachable without a working copy of Tor.
- Very few entry nodes are reachable. This raises some serious questions about the immediate security and long-term viability of Tor.

In my 80 hours or so logged into a functional circuit, I have seen only three distinct entry nodes. From a security standpoint, it is easy to believe that these entry nodes are planted or otherwise compromised to allow monitoring. Even if the entries are legitimate, it wouldn’t be hard to shut down the network entirely. I leave this as an exercise to the reader.

There is an interesting paper on timing attacks for any onion router network:
Low-Resource Routing Attacks Against Anonymous Systems by Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, Douglas Sicker
http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1025-07.pdf

There are many alternatives to Tor which I will decline to list here. One that I am investigating is FreeGate: dit-inc.us.

I encourage readers to have a plan of action in case Internet access is restricted in their area. What tools do you have immediately available to facilitate a breakout? If you don’t usually encrypt communications (e.g. PGP or some variant), will you want or need to? How many of your contacts will you be able to reach via other means (secure or not)?

…to stop undesirables from accessing the internet is to provide sporadic and unstable internet service.

This situation is likely to continue for another 48 hours. I’ll try to stock up on posts. I’m actually about five days behind on posts. Coincidentally, I also get about five hours of sleep every night.
