Security, Computer Computer Philosophy, Security, Cyberwar, Computer Crime, Malware, Passwords, Two Factor Authentication, 2FA, December 15, 2018
Rules

* New accounts should use a unique username, email address and password.
* Passwords should be 16 characters; this is short enough that I could type it in if I had to.
* Change passwords every time I get to a site that is using an old or standard password.
* Use two factor authentication where possible, but you have to make sure there is a backup mechanism, so that everything is not lost if your token breaks. Google Authenticator allows me to input the private key manually and I can save that independently, preferably not online.
* I want to eliminate use of thumb drives. They are lost too easily for me. Too hard to know what is on them.
* If it's complicated, there is probably a hole in it. Security should be understandable.
* Never believe your internal network is secure.
* Never believe that your computer is secure.
* Never believe that a site you are visiting is secure.

Computer Philosophy

* I don’t want to buy new desktop computers. They are expensive, use too much power, and things fail, like hard disks, fans, graphics cards.
* I want to have my disks online.
* I want small disks in my laptops, iPads.
* Intel NUCs are OK.
* Mac Minis are OK.
* Laptops are OK.
* iPads are OK.
* I do want big monitors.
* I do want my good trackballs and keyboards.

Two Factor Authentication, 2FA

* I like hardware tokens, since they are truly separate, “Something you have”.
* The problem with hardware tokens is that you can lose them, or they can be damaged, or their batteries go dead.
* Hardware tokens have been breached. The RSA breach forced us at L3 to swap out ALL tokens. There is a vulnerability to worry about.
* I like Google Authenticator/OATH. While it is not a true second factor, I can recreate all the token generators if a computer is damaged.
* There is an additional risk with Google Authenticator/OATH: you have a copy of the private key that you have to keep secure.

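The recovery property described above for Google Authenticator/OATH, as an added example that is not part of the original post: a TOTP generator (RFC 6238) rebuilt from nothing but a saved copy of the key, using the RFC's published test key as constructed sample data. The function names and the paper-backup format (lowercase groups of four) are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 SHA-1 test key, not a real account secret.
RFC_KEY = b"12345678901234567890"

def format_for_paper(key):
    """Render the key the way it might be written down: lowercase groups of four."""
    b32 = base64.b32encode(key).decode().rstrip("=").lower()
    return " ".join(b32[i:i + 4] for i in range(0, len(b32), 4))

def normalize_secret(text):
    """Decode a hand-typed backup: tolerate spaces, dashes, case and missing padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)

def verify(key, candidate, at, window=1, step=30):
    """Server-side check: accept +/- `window` steps of clock drift, constant-time compare."""
    counter = int(at) // step
    first = max(0, counter - window)
    return any(hmac.compare_digest(hotp(key, c), candidate)
               for c in range(first, counter + window + 1))

PAPER_BACKUP = format_for_paper(RFC_KEY)        # what gets stored offline
restored_key = normalize_secret(PAPER_BACKUP)   # typed into a replacement device

if __name__ == "__main__":
    print("backup:", PAPER_BACKUP)
    print("original device:", totp(RFC_KEY, at=59))
    print("restored device:", totp(restored_key, at=59))
```

Both devices print the same code because the key is the only state a TOTP generator has, which is also why the saved copy needs the same protection as the token itself.
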
The Cloud

* Anything going to or from the cloud needs to be encrypted.
* Any data in the cloud needs to be encrypted at rest.
* Maybe more general, any data needs to be encrypted at rest.
* All public protocols, web, aviation (TCAS, ACARS, ADS-B), telephony (SS7), banking (SWIFT), need to have strong authentication and encryption. I think there is a crisis coming on these protocols.
* Do I want a VPN provider, or my own OpenVPN server out on the Internet? Or are Opera’s desktop VPN and/or Tor sufficient for a VPN?

Networking

* I think everything that goes over networks, car CAN bus networks, airplane 1394, Fibre Channel, ARINC 429, 1553, anything over the Internet, has to be encrypted and signed. You just can’t prevent man in the middle if you don’t do that. The one that personally bothers me is TCAS resolution advisories. TCAS replies can be spoofed and planes will maneuver based on TCAS replies.

Why it's not going to get better soon

* Windows is a mess; there is no uniform way to know that all your installed programs are up to date and secure.
* Things that you don’t have good control over, like National Instruments libraries, are putting all sorts of directories in your path, DLLs into the system, opening ports, etc. You cannot practically know where all this stuff is.
* GSM is broken; Reddit found out the hard way that two factor via phone is not secure.
* The current wave of processor bugs, Meltdown, Spectre, PortSmash, Rowhammer, just keeps coming. How long will it be before we have a processor that is secure against these attacks? Remember they were able to weaponize Rowhammer, and change page table entries so they could break out of a VPS and gain access to other VPS instances.
* The idea of FPGA Malware, Intel or PowerPC or ARM Microcode Malware, ASIC Malware is fascinating and it's just starting. Attacks only get stronger. The idea of FPGA Malware or Microcode Malware or Graphics Card Shader Malware is fascinating to me. I look back on my computer career and there was a time we just blindly trusted the operating system we booted. There was no security, no administrator, no curator of applications. Even on the early Internet, I would just download programs from USENET and never thought about Malware. I remember when people would put raw Windows disk shares on the Internet.
* The computers are so complex, the OS’s are so complex, programs are so complex, we can’t know that a computer doesn’t have Malware on it.
* More and more hand waving in security, certification, as time goes on, because nobody can stomach the amount of work it would take to validate even small programs.
* More and more system administrators lean on “We don’t see anything wrong” rather than knowing.
* Everyone wants to Bring Your Own Device, BYOD, to work. The idea of securing that is really troubling.
* The number of personal devices is exploding.
* We are seeing waves of routers, IoT devices, old computers, that just don’t get patched, and are being used to create botnets.
* Companies have little incentive to fix or update potentially vulnerable routers, IoT devices, old computers. They just want to get on to selling you something new. Even Google with my Nexus 6. This goes from cars, to computers, to cell phones, to IoT devices. People want to sell you Internet connected devices, but don’t have intentions of maintaining and updating the devices.
* Supermicro news article: can you hide a malicious chip on a board? I think it would be pretty likely you could. Hide it as a filter chip or transformer or Pay chip.
* I find bugs in my own code all the time; how can you protect 8 million lines of code (JSF)?
* Criminals are making money and getting away with it. Ransomware, Fake Microsoft Support, Fake IRS, Fake Police, using technology like VoIP to hide their tracks. They have a lot of incentive to expand the use of malicious technology.
* An attacker needs one crack in the security. We, on the other hand, need to make sure every crack is protected. The complexity of protecting everything gives an advantage to the attacker.

Cryptography

* We want well-understood algorithms; with proprietary or closed-source algorithms we have no way of knowing if they are easily vulnerable.
* It shouldn’t matter if the algorithm is publicly known.
* It shouldn’t matter if an attacker has both unencrypted text and the matching encrypted text.
* It shouldn’t matter if an attacker can see the entire encrypted conversation, including the first time key exchange.
* It shouldn’t matter if the same text, the same data, is sent over the channel multiple times.
* It would be ideal if I didn’t have to hold onto any secrets, like when GRC SQRL gives websites no secrets to keep.
* The governments will get back doors put in our encryption, get over it.

My computers, Next Steps

* I think I want Back to My Mac turned off.
* I think in general, I want to avoid remoting back to my computers. I need to put anything I need out on a secure share on the Internet, protected by multiple factors, on a provider that has a great deal to lose if there is a security breach: Apple, Google, Dropbox.
* I want my Apples to disconnect the network when they go to sleep. I like how Qubes does this.
* I need to think about what to do about Apple discontinuing Time Capsule.
* I need to get a router in front of centosi.
* I need to get Email certificates on cloneofcyrix and centosi.
* I need to get the disks encrypted on cloneofcyrix and centosi.
* I need to get better logs for centosi.
* I need to work on cleaning up the log entries that are happening on cloneofcyrix.
* Every piece of computer equipment I have is going to die. Need to plan for it.
* Every cloud service I use has the potential of going out of business. I need to plan for it.
* Most of these Internet services, cloud services will go out of business. Like we’ve seen many times before. Data can end up exposed on the Internet when a company goes out of business.
* Turn on the iOS offloading app function. If an unused app is not loaded on the iPad, we know it's not running code. Safeguards against old applications doing nefarious things.
* I should get a free subscription to ProtonVPN.
* Try to buy services and computers from US based companies. Other nation states have an interest in spying on the US and its people.
* DNSCrypt or DNS over SSL or DNS over TLS.
* I need to get comfortable with ecryptfs.

Advice for Friends and Relatives

* Make a password for every site.
* Write it down in a book.
* Be very skeptical on the Web or of anybody who calls you.
* Don’t open a link that you didn’t intentionally go for.