Skip to main content

Security Paranoia

The hullabaloo around the world-wide, blanket NSA phone, chat and email logging of the last few weeks has been a boon for computer security, since it made everyone think about it.  OK, not quite everyone, but hopefully every computer geek thought at least a little bit about security!
http://www.guardian.co.uk/world/the-nsa-files

The whole sorry mess is turning into a modern day enactment of Franz Kafka's Der Prozess (The Trial), where a man is tried by a secret court with a secret charge and eventually executed, without him or anybody else being any the wiser about what it was that he supposedly did wrong.

Of course, all serious computer security professionals knew about all the spy-vs-spy stuff all along, but convincing Joe Public, or just a normal middle manager, that you are not a crazy paranoid deluded fool, is very difficult.  The current spate of news articles and government fancy footwork, denials, retractions and debate, now makes it a lot easier to talk about computer security and some people will actually listen too.



In order to ensure computer security, you should be somewhat paranoid.  You got to assume that every data byte you send out on the internet is recorded by at least five different three letter agencies (and criminal syndicates) the world over.  You should think of every angle and you should not make any assumptions about security, but rather attempt to verify and test everything.
 
The practical problem is how - how can one person, or a small team, possibly test and verify everything in a computer net?

Co-operation With Security Agencies

It is in the interest of all technology companies to work closely with their local security agencies.  That is the right thing to do.

Years ago, I worked at a small phone company that manufactured VoIP equipment and one day we received a visit from a friendly man in black, who asked us to add a backdoor to our equipment and of course we did.  We did exactly what was asked.  It was the right thing to do.

The problem is what you as a small company IT Geek should do to ensure security in your organization, given that your equipment is sourced from all over the world and therefore full of back doors leading to various security agencies and others that are not loyal to your country?

NSA Keys

The open co-operation between Microsoft and the NSA goes back to Windows 1995 and very likely long before:
http://www.heise.de/tp/artikel/5/5263/1.html
http://edition.cnn.com/TECH/computing/9909/03/windows.nsa.02/

The NSA key could potentially be used to subvert the security of any Windows 95 and Windows NT user.

It appears that nowadays the NSA is a little more subtle.

NSA Stuxnet

The Stuxnet worm released in 2010, was aimed at the Iranian uranium enrichment program and used long term security flaws in MS Windows to damage uranium hexafluoride centrifuges:
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

The current thinking is that Microsoft deliberately delayed certain security fixes in order to assist with the Stuxnet deployment.  Microsoft is an American company and obviously it was in their interest to do so and one could argue that it was in the interest of pretty much everybody on the planet.

Microsoft is infamous for its slow reaction to security flaws:
http://news.bbc.co.uk/2/hi/technology/4907588.stm
http://www.zdnet.com/google-security-flaws-not-fixed-in-a-week-should-be-made-public-7000016124/

The problem with a delayed response to security issues, is that as soon as someone was exploited, he may investigate and then use that exploit against others.  It would be very naive to assume that only the 'good guys' will know about these flaws.

Microsoft Internet Explorer is also famous for being the only web browser program repeatedly warned against by multiple government agencies:
https://www.kb.cert.org/vuls/id/713878
http://www.softwaretop100.org/german-and-french-governments-advise-against-using-ie

Of course, Microsoft is not the only evildoer in this game.  Sony is unique in that it raised the ire of every government on the planet in 2005 with their well meaning, but totally misguided and easily exploited root-kit fiasco:
https://www.eff.org/press/archives/2005/11/09
http://www.pcworld.com/article/125838/article.html

Cross Purposes

There is an ancient proverb attributed to both Sun Tsu and Arabian philosophers: "The enemy of my enemy is my friend".

Free and Open software including Linux and BSD are used by military organizations the world over.  Many of these organizations have virtually unlimited funding and are serious contributors to the Linux kernel development and they would be at constant logger heads with each other, if each would try to subvert the system for their own exclusive good.

In contrast, Microsoft is said to favour the NSA with early bug reports:
https://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

The Linux and BSD development processes are wide open, and bug report databases are available to everybody, not just to a select few, which levels the playing field:
https://bugzilla.redhat.com/index.cgi
http://www.debian.org/Bugs/

Essentially, the various contributors to Linux and BSD have to play ball, or go home and it is this openness of the development cycle, more than anything else, that ensures a high level of trust in Free and Open software.

Get Started on the Right path

So this is the answer: Employ Linux and BSD systems wherever possible in your organization, especially at key choke points in the network and benefit from the multitude of security audits performed by government users the world over.

You have to run your own computer network penetration and information leakage tests too, but you got to start with a Free and Open system that is designed to be secure, otherwise you would put yourself at a terrible and unnecessary disadvantage.

Also, do use a password manager, such as KeepassX, to enable you to use different passwords for everything. If you are paranoid about password managers, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

IT Security Guidance

Any organization has limited resources and the key to avoid squandering those resources on the wrong solutions, is the Threat Risk Assessment:
http://www.cse-cst.gc.ca/its-sti/publications/tra-emr/

Once you have done the above groundwork, then you can start to think of a plan to secure your system, but not before.

More valuable guidance is available here:
http://www.cse-cst.gc.ca/its-sti/publications/index-eng.html

Now go and fix your computer network!

Comments

Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well ...

To C or not to C, That is the Question

As most would know, the Kernighan and Ritchie C Programming Language is an improved version of B, which is a simplified version of BCPL, which is derived from ALGOL, which is the Ur computer language that started the whole madness, when Adam needed an operating system for his Abacus, to count Eve's apples in the garden of Eden in Iraq.  The result is that C is my favourite, most hated computer language , which I use for everything. At university, I learned FORTRAN with punch cards on a Sperry-Univac, in order to run SPICE, to simulate an operational amplifier.  Computers rapidly lost their glamour after that era! Nobody taught me C.  I bought the book and figured it out myself. Over time, I wrote a couple of assemblers, a linker-locator, various low level debuggers and schedulers and I even fixed a bug in a C compiler - not because I wanted to, but because I had to, to get the job done!   Much of my software work was down in the weeds with DSP and radio modems...

Unlock CRA PDF Forms

Unlock Canada Revenue Agency PDF Forms It appears that there is a relatively new PDF feature to prevent casual copying and saving of a file and that some programs save PDF files with these foolish features active by default.  Many forms from the Canada Revenue Agency are locked in this way, which makes it difficult to do one's taxes, since one can fill the form, but cannot save it.  One can only print the form.  It should be possible to print to a file or export it to a new PDF file, but it is far better to reset the annoying anti-taxpayer flags, since the 'printed' form cannot be edited easily any more and I always manage to make a mistake or three that need to be corrected after review. If there is a Linux (virtual) machine handy, install qpdf and use it to reset the silly flags: $ su - password # dnf update # dnf install qpdf # exit $ qpdf --decrypt lockedfile.pdf unlockedfile.pdf One doesn't need a password to unlock these flags, so the fix is instant. La voila! He...