Skip to main content

Security Paranoia

The hullabaloo around the world-wide, blanket NSA phone, chat and email logging of the last few weeks has been a boon for computer security, since it made everyone think about it.  OK, not quite everyone, but hopefully every computer geek thought at least a little bit about security!
http://www.guardian.co.uk/world/the-nsa-files

The whole sorry mess is turning into a modern day enactment of Franz Kafka's Der Prozess (The Trial), where a man is tried by a secret court with a secret charge and eventually executed, without him or anybody else being any the wiser about what it was that he supposedly did wrong.

Of course, all serious computer security professionals knew about all the spy-vs-spy stuff all along, but convincing Joe Public, or just a normal middle manager, that you are not a crazy paranoid deluded fool, is very difficult.  The current spate of news articles and government fancy footwork, denials, retractions and debate, now makes it a lot easier to talk about computer security and some people will actually listen too.



In order to ensure computer security, you should be somewhat paranoid.  You got to assume that every data byte you send out on the internet is recorded by at least five different three letter agencies (and criminal syndicates) the world over.  You should think of every angle and you should not make any assumptions about security, but rather attempt to verify and test everything.
 
The practical problem is how - how can one person, or a small team, possibly test and verify everything in a computer net?

Co-operation With Security Agencies

It is in the interest of all technology companies to work closely with their local security agencies.  That is the right thing to do.

Years ago, I worked at a small phone company that manufactured VoIP equipment and one day we received a visit from a friendly man in black, who asked us to add a backdoor to our equipment and of course we did.  We did exactly what was asked.  It was the right thing to do.

The problem is what you as a small company IT Geek should do to ensure security in your organization, given that your equipment is sourced from all over the world and therefore full of back doors leading to various security agencies and others that are not loyal to your country?

NSA Keys

The open co-operation between Microsoft and the NSA goes back to Windows 1995 and very likely long before:
http://www.heise.de/tp/artikel/5/5263/1.html
http://edition.cnn.com/TECH/computing/9909/03/windows.nsa.02/

The NSA key could potentially be used to subvert the security of any Windows 95 and Windows NT user.

It appears that nowadays the NSA is a little more subtle.

NSA Stuxnet

The Stuxnet worm released in 2010, was aimed at the Iranian uranium enrichment program and used long term security flaws in MS Windows to damage uranium hexafluoride centrifuges:
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

The current thinking is that Microsoft deliberately delayed certain security fixes in order to assist with the Stuxnet deployment.  Microsoft is an American company and obviously it was in their interest to do so and one could argue that it was in the interest of pretty much everybody on the planet.

Microsoft is infamous for its slow reaction to security flaws:
http://news.bbc.co.uk/2/hi/technology/4907588.stm
http://www.zdnet.com/google-security-flaws-not-fixed-in-a-week-should-be-made-public-7000016124/

The problem with a delayed response to security issues, is that as soon as someone was exploited, he may investigate and then use that exploit against others.  It would be very naive to assume that only the 'good guys' will know about these flaws.

Microsoft Internet Explorer is also famous for being the only web browser program repeatedly warned against by multiple government agencies:
https://www.kb.cert.org/vuls/id/713878
http://www.softwaretop100.org/german-and-french-governments-advise-against-using-ie

Of course, Microsoft is not the only evildoer in this game.  Sony is unique in that it raised the ire of every government on the planet in 2005 with their well meaning, but totally misguided and easily exploited root-kit fiasco:
https://www.eff.org/press/archives/2005/11/09
http://www.pcworld.com/article/125838/article.html

Cross Purposes

There is an ancient proverb attributed to both Sun Tsu and Arabian philosophers: "The enemy of my enemy is my friend".

Free and Open software including Linux and BSD are used by military organizations the world over.  Many of these organizations have virtually unlimited funding and are serious contributors to the Linux kernel development and they would be at constant logger heads with each other, if each would try to subvert the system for their own exclusive good.

In contrast, Microsoft is said to favour the NSA with early bug reports:
https://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

The Linux and BSD development processes are wide open, and bug report databases are available to everybody, not just to a select few, which levels the playing field:
https://bugzilla.redhat.com/index.cgi
http://www.debian.org/Bugs/

Essentially, the various contributors to Linux and BSD have to play ball, or go home and it is this openness of the development cycle, more than anything else, that ensures a high level of trust in Free and Open software.

Get Started on the Right path

So this is the answer: Employ Linux and BSD systems wherever possible in your organization, especially at key choke points in the network and benefit from the multitude of security audits performed by government users the world over.

You have to run your own computer network penetration and information leakage tests too, but you got to start with a Free and Open system that is designed to be secure, otherwise you would put yourself at a terrible and unnecessary disadvantage.

Also, do use a password manager, such as KeepassX, to enable you to use different passwords for everything. If you are paranoid about password managers, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

IT Security Guidance

Any organization has limited resources and the key to avoid squandering those resources on the wrong solutions, is the Threat Risk Assessment:
http://www.cse-cst.gc.ca/its-sti/publications/tra-emr/

Once you have done the above groundwork, then you can start to think of a plan to secure your system, but not before.

More valuable guidance is available here:
http://www.cse-cst.gc.ca/its-sti/publications/index-eng.html

Now go and fix your computer network!

Comments

Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well understood. Therefore,

Patch Antenna Design with NEC2

The older free Numerical Electromagnetic Code version 2 (NEC2) from Lawrence Livermore Lab assumes an air dielectric.  This makes it hard (but not impossible) for a radio amateur to experiment with Printed Circuit Board Patch antennas and micro strip lines. Air Spaced Patch Antenna Radiation Pattern You could use the free ASAP simulation program , which handles thin dielectrics, you could shell out a few hundred Dollars for a copy of NEC4 , You could buy GEMACS if you live in the USA, or you could add distributed capacitors to a NEC2 model with LD cards (hook up one capacitor in the middle of each element.), but that is far too much money/trouble for most. More information on driving an array antenna can be found here: https://www.aeronetworks.ca/2019/03/driving-quad-patch-array-antenna.htm l Air Dielectric Patch   The obvious lazy solution is to accept the limitation and make an air dielectric patch antenna. An advantage of using air dielectric, is that the antenn

Weather Satellite Turnstile Antennas for the 2 meter Band

NEC2, 2 m band, 146 MHz, Yagi Turnstile Simulation and Build This article describes a Turnstile Antenna for the 2 meter band, 146 MHz amateur satcom, 137 MHz NOAA and Russian Meteor weather satellites.  Weather satellite reception is described here .  A quadrifilar helical antenna is described here .   Engineering, is the art of making what you need,  from what you can get. Radiation Pattern of the Three Element Yagi-Uda Antenna Once one combine and cross two Yagis, the pattern becomes distinctly twisted. The right hand polarization actually becomes visible in the radiation pattern plot, which I found really cool. Radiation Pattern of Six Element Turnstile Antenna Only a true RF Geek can appreciate the twisted invisible inner beauty of a herring bone antenna... Six Element Turnstile Antenna Essentially, it is three crosses on a stick.  The driven elements are broken in the middle at the drive points.  The other elements can go straight throug