Saturday, June 15, 2013

Security Paranoia

The hullabaloo around the world-wide, blanket NSA phone, chat and email logging of the last few weeks has been a boon for computer security, since it made everyone think about it.  OK, not quite everyone, but hopefully every computer geek thought at least a little bit about security!
http://www.guardian.co.uk/world/the-nsa-files

The whole sorry mess is turning into a modern day enactment of Franz Kafka's Der Prozess (The Trial), where a man is tried by a secret court with a secret charge and eventually executed, without him or anybody else being any the wiser about what it was that he supposedly did wrong.

Of course, all serious computer security professionals knew about all the spy-vs-spy stuff all along, but convincing Joe Public, or just a normal middle manager, that you are not a crazy paranoid deluded fool is very difficult.  The current spate of news articles and government fancy footwork, denials, retractions and debate now makes it a lot easier to talk about computer security, and some people will actually listen too.



In order to ensure computer security, you should be somewhat paranoid.  You have to assume that every data byte you send out on the internet is recorded by at least five different three-letter agencies (and criminal syndicates) the world over.  You should think of every angle and you should not make any assumptions about security, but rather attempt to verify and test everything.
 
The practical problem is how - how can one person, or a small team, possibly test and verify everything in a computer net?

Co-operation With Security Agencies

It is in the interest of all technology companies to work closely with their local security agencies.  That is the right thing to do.

Years ago, I worked at a small phone company that manufactured VoIP equipment and one day we received a visit from a friendly man in black, who asked us to add a backdoor to our equipment and of course we did.  We did exactly what was asked.  It was the right thing to do.

The problem is what you as a small company IT Geek should do to ensure security in your organization, given that your equipment is sourced from all over the world and therefore full of back doors leading to various security agencies and others that are not loyal to your country?

NSA Keys

The open co-operation between Microsoft and the NSA goes back to Windows 95 and very likely long before:
http://www.heise.de/tp/artikel/5/5263/1.html
http://edition.cnn.com/TECH/computing/9909/03/windows.nsa.02/

The NSA key could potentially be used to subvert the security of any Windows 95 and Windows NT user.

It appears that nowadays the NSA is a little more subtle.

NSA Stuxnet

The Stuxnet worm, released in 2010, was aimed at the Iranian uranium enrichment program and used long-term security flaws in MS Windows to damage uranium hexafluoride centrifuges:
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

The current thinking is that Microsoft deliberately delayed certain security fixes in order to assist with the Stuxnet deployment.  Microsoft is an American company and obviously it was in their interest to do so and one could argue that it was in the interest of pretty much everybody on the planet.

Microsoft is infamous for its slow reaction to security flaws:
http://news.bbc.co.uk/2/hi/technology/4907588.stm
http://www.zdnet.com/google-security-flaws-not-fixed-in-a-week-should-be-made-public-7000016124/

The problem with a delayed response to security issues is that as soon as someone has been exploited, he may investigate and then use that exploit against others.  It would be very naive to assume that only the 'good guys' will know about these flaws.

Microsoft Internet Explorer is also famous for being the only web browser program repeatedly warned against by multiple government agencies:
https://www.kb.cert.org/vuls/id/713878
http://www.softwaretop100.org/german-and-french-governments-advise-against-using-ie

Of course, Microsoft is not the only evildoer in this game.  Sony is unique in that it raised the ire of every government on the planet in 2005 with its well-meaning, but totally misguided and easily exploited rootkit fiasco:
https://www.eff.org/press/archives/2005/11/09
http://www.pcworld.com/article/125838/article.html

Cross Purposes

There is an ancient proverb attributed to both Sun Tzu and Arabian philosophers: "The enemy of my enemy is my friend".

Free and Open software, including Linux and BSD, is used by military organizations the world over.  Many of these organizations have virtually unlimited funding and are serious contributors to the Linux kernel development, and they would be at constant loggerheads with each other if each tried to subvert the system for its own exclusive good.

In contrast, Microsoft is said to favour the NSA with early bug reports:
https://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

The Linux and BSD development processes are wide open, and bug report databases are available to everybody, not just to a select few, which levels the playing field:
https://bugzilla.redhat.com/index.cgi
http://www.debian.org/Bugs/

Essentially, the various contributors to Linux and BSD have to play ball or go home, and it is this openness of the development cycle, more than anything else, that ensures a high level of trust in Free and Open software.

Get Started on the Right Path

So this is the answer: Employ Linux and BSD systems wherever possible in your organization, especially at key choke points in the network, and benefit from the multitude of security audits performed by government users the world over.

You have to run your own computer network penetration and information leakage tests too, but you have to start with a Free and Open system that is designed to be secure, otherwise you would put yourself at a terrible and unnecessary disadvantage.

Also, do use a password manager, such as KeePassX, to enable you to use different passwords for everything. If you are paranoid about password managers, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

IT Security Guidance

Any organization has limited resources, and the key to avoiding squandering those resources on the wrong solutions is the Threat Risk Assessment:
http://www.cse-cst.gc.ca/its-sti/publications/tra-emr/

Once you have done the above groundwork, then you can start to think of a plan to secure your system, but not before.

More valuable guidance is available here:
http://www.cse-cst.gc.ca/its-sti/publications/index-eng.html

Now go and fix your computer network!
