OK, I'm going to take a little break from my web standards beat and talk about something else this time around, namely security. It has been on my mind since I just moved into a new home this past week and there was much to do. I had a locksmith change all the locks and install deadbolts on the doors, and install a Charlie bar on the sliding glass door. ADT installed an alarm. There are smoke detectors, and a carbon monoxide detector, for security from harm. I also checked all the window locks, and when I installed the window unit air conditioners I made sure to fasten them in place rather securely. I'll probably do some more, like motion sensitive lights in the back yard, etc. That's all well and good, and it is the kind of stuff a lot of people do when they move into a home. They want to make sure the home is safe and secure, for them and their family, as well as their material possessions. I used to be a lot more lax about such things - then I got burgled. I was lucky, it was a couple of kids and they were more interested in the cookies in my kitchen than my computers, A/V system, etc. I think I lost a camera and a Discman, and I had to clean up since they tossed the place. But it was a wake-up call, and that's when I got an alarm, and started paying more attention to my locks, windows, etc. (It also spurred me to actually insure my stuff.)

That's nice and all, but this entry isn't actually about locks and alarms, at least not physical ones. I say the above because my neighbors seem to have an attitude similar to mine. I bet they all lock their doors when they're out, and they don't leave windows wide open where anyone can climb in. They take the same basic precautions I've taken. So why don't they approach their digital homes with the same care?

See, one of the first things I did after moving in and setting up my Speakeasy DSL link was to fire up NetStumbler. I was just sitting in my living room, and I picked up five 11g networks and one 11b network. Only one 11g network was running encryption. The fact that I picked up the networks means they all still had SSID broadcast enabled. There could be more running with SSID broadcast disabled, I wasn't that curious. I was able to connect to other networks readily. Most of them were still using the default SSID, like 'linksys'. (There is another reason to check on things with NetStumbler. I discovered all of the networks in range were using channel 6. That makes for a lot of RF overlap. So I switched mine to channel 1, and my connection improved.)

It isn't that hard to secure a WiFi network. I always change the SSID away from the default. I turn off SSID broadcast so my network won't show up by default when someone (like me) goes looking for one. And I run encryption - I'd prefer to be running WPA, but since I have a TiVo using 11g, and they only support up to 128-bit WEP, that's what I'm using currently. Once I finish setting things up I will probably also set the access control list on my gateway to limit access by MAC address too.
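Here is the same walk-through the NetStumbler scan and the checklist above describe, as a small script. It is an added example, not code from the original post or from NetStumbler: the scan results are constructed (every network parked on channel 6, most on factory SSIDs, one on WEP), the list of default SSIDs is an assumption, and the channel math uses the usual rule that 2.4 GHz channels within four of each other overlap, which is why 1, 6 and 11 are the non-overlapping set.

```python
from collections import Counter

# Constructed scan results in the shape a NetStumbler-style walk would give:
# (SSID, channel, encryption or None). Not real data from the post.
SCAN = [
    ("linksys",  6, None),
    ("NETGEAR",  6, None),
    ("default",  6, None),
    ("linksys",  6, None),
    ("home-net", 6, "WEP"),
    ("dlink",    6, None),
]

# Factory SSIDs that signal a router nobody has configured (assumed list).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "belkin54g"}

# 2.4 GHz channels are 5 MHz apart but an 802.11b/g signal is ~22 MHz wide,
# so two networks interfere unless their channels are at least 5 apart.
OVERLAP_DISTANCE = 4


def audit(scan):
    """Flag each network that still has a default SSID, no encryption, or only WEP."""
    findings = []
    for ssid, channel, encryption in scan:
        problems = []
        if ssid.lower() in DEFAULT_SSIDS:
            problems.append("default SSID")
        if encryption is None:
            problems.append("no encryption")
        elif encryption.upper() == "WEP":
            problems.append("WEP only (weak; prefer WPA)")
        if problems:
            findings.append((ssid, channel, problems))
    return findings


def channel_congestion(scan, channels=range(1, 12)):
    """Count how many observed networks overlap each candidate channel."""
    in_use = Counter(channel for _, channel, _ in scan)
    return {c: sum(n for ch, n in in_use.items() if abs(ch - c) <= OVERLAP_DISTANCE)
            for c in channels}


def best_channel(scan):
    """Pick the least congested of the classic non-overlapping channels 1, 6, 11."""
    congestion = channel_congestion(scan)
    return min((1, 6, 11), key=lambda c: (congestion[c], c))


if __name__ == "__main__":
    for ssid, channel, problems in audit(SCAN):
        print(f"{ssid!r} on channel {channel}: {', '.join(problems)}")
    print("least congested channel:", best_channel(SCAN))
```

With everything on channel 6, channels 1 and 11 score zero overlap and the script picks channel 1, which is the move described above. Point it at your own scan output and it doubles as a checklist for the network you are responsible for: no default SSID, no open network, and WEP flagged as the compromise it is.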

Now, I know none of that makes things 100% secure. Turning off SSID broadcast just makes it harder to find the network and to connect (since you need to know the SSID), but it can still be done. WEP is far from perfect, hence it is being replaced by WPA, but it does raise the bar for an attacker. And MAC addresses can be spoofed, but again, it means more work. If someone really wanted to get on my network I'm sure they could do it, but if they want to get on a network, I'm surrounded by a lot of much lower hanging fruit. Good locks deter a thief, but if they really want in they can smash the window. But the higher you raise that bar, the more likely they are to look for easier pickings.

Even if someone gets on my network, the individual machines run software firewalls, and I run a purely switched network so a sniffer on one machine can't see traffic for the others. I also try to use secure protocols. I never use telnet, I use SSH. I very rarely use FTP, I use SFTP. Again, I must confess to a painful lesson. Back around 1999, maybe 2000, I was dragging my feet on switching from telnet to SSH for remote shell connections. I hadn't found an SSH client I really liked for Windows and there were 'more important' things to deal with. I mean, I'd been using telnet since 1989 without any trouble. (These days I use SecureCRT and SecureFX because I prefer their design. Yes, commercial software - I don't always use freeware, sometimes I find something worth paying for instead. IMHO, of course.) Back then I was living with a couple of friends, and switches were still very expensive, so we had a hubbed network. One of my friends had a Linux box that got root-kitted, and a sniffer was installed. So my passwords got captured from my telnet sessions, and my main shell account was trashed. I switched to SSH the next day, much chagrined. Sometimes it takes a swift kick in the posterior, but hopefully others can learn from my mistakes. FTP has the same vulnerabilities as telnet: the passwords are sent in the clear. If an FTP connection to your web host is sniffed, they can log in as you. That's why I also use SFTP on all of my servers. The only time I use FTP is when I have to connect to someone else's server, and they don't support SFTP. And I never use it with a password I care about.

In one of my past lives I was a "VPN & Internet Security Services Product Specialist" for GTE Internetworking. In other words, I was a domain expert on the managed VPN and firewall products we sold, and I designed secure networks for a number of clients as a backstop for our field engineers. At the time I also became a CISSP, though I let that expire a while back. A big part of my job was just explaining why things should be secured, or why certain things customers wanted to do were bad ideas. We had one client who really wanted a VPN to protect their data in transit, but didn't see why they needed firewalls to protect their networks. If anything, that's completely backwards. If you have a big pile of valuable data sitting there in the open, why would anyone go through the trouble to try to intercept it in transit? I think I finally got the point across with the metaphor of using an armed courier to protect a package in transit, and then leaving it sitting on a desk in a public area where anyone could pick it up. It'd be like a bank using an armored car to move money, then leaving it piled in the lobby with the doors open.

It was also common for customers to view firewalls as silver bullets. You install a firewall and you're safe forever and ever. Bunk. You need to keep the software updated, and firewalls have a nasty tendency of accumulating holes over time. You open a little hole for one thing, and it isn't so bad. Except over time so many 'little holes' are opened that the firewall is Swiss cheese. A central tenet of security is that which is not explicitly permitted should be implicitly denied. Start off with everything blocked, then allow only those things you really need. If you need to enable something for a project, then when the project is completed, turn off those darn rules. Another important aspect is monitoring. A firewall, like locks on your home, will slow someone down. But if they have all the time they need to work on it, odds are they'll find a way in. Checking your firewall logs for suspicious activity is like hearing the doorknob rattling. You know someone is trying to get in, and you can make an appropriate response. The same is true for your web server logs. Everyone checks their logs to see what kind of traffic they're getting, but while you're in there look for suspicious activity as well.
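The two points above, default deny with rules that have an owner and an end date, and actually reading the deny log, are easy to show in a few lines. This is an added example and not the author's gateway configuration: the ruleset, the project end date and the log lines (one source trying telnet, FTP, NetBIOS and RDP in quick succession, one stray telnet attempt from elsewhere) are all constructed, and the log format is a made-up one-line-per-decision shape rather than any particular firewall's output.

```python
from collections import defaultdict
from datetime import date

# Every allow rule records why it exists and when it should be reviewed.
# Anything not listed here is denied: that which is not explicitly permitted
# is implicitly denied. Constructed ruleset, not the author's gateway config.
ALLOW_RULES = [
    {"dport": 22,   "proto": "tcp", "why": "SSH admin",    "expires": None},
    {"dport": 80,   "proto": "tcp", "why": "web server",   "expires": None},
    {"dport": 443,  "proto": "tcp", "why": "web server",   "expires": None},
    {"dport": 8080, "proto": "tcp", "why": "project demo", "expires": date(2005, 6, 30)},
]


def _as_date(today):
    return date.fromisoformat(today) if isinstance(today, str) else today


def decide(dport, proto, today):
    """Default deny: allow only a listed, unexpired rule."""
    today = _as_date(today)
    for rule in ALLOW_RULES:
        if rule["dport"] == dport and rule["proto"] == proto:
            if rule["expires"] is not None and today > rule["expires"]:
                return "deny"   # the project is over, so the hole is closed
            return "allow"
    return "deny"


def stale_rules(today):
    """List the 'little holes' whose project end date has passed and should be removed."""
    today = _as_date(today)
    return [r for r in ALLOW_RULES if r["expires"] is not None and today > r["expires"]]


# Constructed firewall log lines: "date time DECISION src -> dst:port proto".
FIREWALL_LOG = """\
2005-07-20 01:02:03 DENY 198.51.100.7 -> 203.0.113.5:23 tcp
2005-07-20 01:02:04 DENY 198.51.100.7 -> 203.0.113.5:21 tcp
2005-07-20 01:02:05 DENY 198.51.100.7 -> 203.0.113.5:139 tcp
2005-07-20 01:02:06 DENY 198.51.100.7 -> 203.0.113.5:3389 tcp
2005-07-20 01:02:07 DENY 198.51.100.7 -> 203.0.113.5:23 tcp
2005-07-20 01:10:11 DENY 192.0.2.9 -> 203.0.113.5:23 tcp
2005-07-20 01:11:45 ALLOW 192.0.2.44 -> 203.0.113.5:80 tcp
"""


def rattling_doorknobs(log_text, threshold=3):
    """Sources with at least `threshold` denied connections: someone trying the locks.

    Returns {src: (deny_count, sorted list of distinct ports tried)}.
    """
    denies = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != "DENY":
            continue
        src, dst = fields[3], fields[5]
        denies[src].append(int(dst.rsplit(":", 1)[1]))
    return {src: (len(ports), sorted(set(ports)))
            for src, ports in denies.items() if len(ports) >= threshold}


if __name__ == "__main__":
    today = "2005-07-20"
    for rule in stale_rules(today):
        print(f"rule for port {rule['dport']} ({rule['why']}) expired {rule['expires']}; remove it")
    for src, (count, ports) in rattling_doorknobs(FIREWALL_LOG).items():
        print(f"{src}: {count} denied attempts on ports {ports}")
```

Run on the sample, the stale-rule check flags the port 8080 demo rule a few weeks after its project ended, and the log check reports the one source that tried five doors in five seconds while ignoring the single stray attempt. The threshold is the knob you tune against your own background noise.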

If you run your own server you may want to look at software such as Tripwire. It allows you to monitor your server for unusual activity - changes to config files, permissions, etc., which are the fingerprints of a successful system violation. It won't help keep someone out, but, like a security camera, it will help track what they did and what needs to be repaired or replaced. Maybe I'll do another entry at some point as a high level look at intrusion detection.
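The core of what Tripwire does is a baseline of file fingerprints followed by a comparison, and that core fits in a short script. This is an added example, not Tripwire's code or the author's: it hashes every regular file under a directory along with its permission bits and size, then diffs a later snapshot against the baseline. The `demo()` function stages a constructed throwaway tree in a temporary directory, tampers with it the way a compromise would show up (edited config, a binary made setuid, a hidden file dropped, a log removed) and returns the report.

```python
import hashlib
import os
import shutil
import stat
import tempfile

TRACKED = ("sha256", "mode", "size")


def snapshot(root):
    """Fingerprint every regular file under root: content hash, permission bits, size."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": digest,
                             "mode": stat.S_IMODE(st.st_mode),
                             "size": st.st_size}
    return baseline


def compare(old, new):
    """Report files added, removed or changed since the baseline, and which attribute changed."""
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "modified": {}}
    for path in sorted(old.keys() & new.keys()):
        changed = [k for k in TRACKED if old[path][k] != new[path][k]]
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Stage a constructed mini 'server' in a temp dir, baseline it, tamper, and diff."""
    root = tempfile.mkdtemp()
    try:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
            os.chmod(path, mode)
            return path

        conf = write("conf/app.conf", "listen=443\n")
        tool = write("bin/tool", "#!/bin/sh\necho ok\n", 0o755)
        write("old.log", "rotated\n")
        before = snapshot(root)

        # Tamper, the way a break-in shows up: edit the config, make the tool
        # setuid, drop a hidden file, and delete a log. All constructed.
        with open(conf, "a") as fh:
            fh.write("debug=1\n")
        os.chmod(tool, 0o4755)
        write("tmp/.hidden", "constructed-placeholder\n")
        os.remove(os.path.join(root, "old.log"))

        return compare(before, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The real tool adds what this leaves out: the baseline lives somewhere the intruder can't rewrite it (read-only media, or signed), and the checker itself is part of what gets verified. Without that, a root-kitted box can simply hand you a clean report.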

A whole other area to get into would be file security, such as UNIX file permissions. That would probably be a full entry itself, and this is already another tome (and it is already 01:14), so I'll save that for now. Memo to myself...

Since this is about security, and I do pimp Firefox every chance I get, it is only fair I mention there was an update to Firefox this week which includes security fixes - Get Firefox 1.0.6 now. 1.0.6 is basically an update to last week's 1.0.5. 1.0.5 was the security fix release, but it broke some extensions, and 1.0.6 resolves that. Also, a major security flaw was discovered in Greasemonkey, a popular Firefox extension. Note that this only applies to you if you've installed the extension, and it doesn't reflect on the browser at all - the flaw is in the extension's code. But if you have installed it, go read the article I linked - now.

OK, that's it, or more than enough really, for now. I'm never really quite sure where these things are going to go when I start writing them. I keep a list of potential ideas and when I finally get around to writing one I either have something in mind from recent experience, or I pull something off the list that catches my eye, and I just start writing. So I end up writing, re-writing, and editing a lot as things gel into a (semi-)coherent form. Thanks for reading. Until next time. Practice safe hex!

PS. Yes, I did deliberately plug Speakeasy up there. I've been a customer for over three years now and they've had fantastic service. They also cater to geeks and those who want to host servers, etc. Unlike most of the cable modem and telco DSL services I've seen, they offer static IP addresses, multiple IPs are available if you want them, they don't block any ports, and they offer high-speed up-links. Most services are designed for surfers and have fat down-links, and tiny up-links. No, I don't get anything from them, I just really like their service and support. And they bundle free roaming dial-up, so when I'm on the road (and there isn't WiFi about) I always have a way online.