Slashdot Mirror


Just How Paranoid Are You?

An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), a 30-character password, and all remotely personal information stored on a 256-bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"

13 of 931 comments

  1. Security against 'Big Brother' is a myth by sisukapalli1 · · Score: 4, Insightful

    Security against 'Big Brother' is a myth, especially given that it is very easy for authorities all over the world to label someone a "terrorist", or a "person of interest", and lock him/her up for years without any oversight.

    S

  2. Re:Esay easy easy by fimbulvetr · · Score: 3, Insightful

    Oh yeah, guess all those security vulnerabilities listed on securityfocus are just bogus, eh?
    How about unpublished exploits? All those taken care of too?

  3. Lock grandma in the closet! by xtermin8 · · Score: 4, Insightful

    Actually the above post illustrates a problem: giving highly technical advice to the masses. The above post is informative, but I don't think it addresses the correct audience. What do you do for a family that does not include a security professional in the household? "Don't let your children's friends have unlimited access to the computer" might be more appropriate.

  4. doctors? lawyers? by coyote-san · · Score: 5, Insightful

    Why do you think only "corporate" (which seem to be big iron since you contrast it to "personal computers") have sensitive data?

    What about doctors? Lawyers? Accountants? Schools? Bookstores? etc.

    If you've been paying attention to the news you'll know that every so often somebody buys a used computer disk and finds the results of STD tests (including AIDS) for tens of thousands of people. Or the name, address and credit card information for thousands of customers.

    The loss of this information may not cause the DJIA to drop 10%, but it can be devastating to the people involved. But security is often lax since it's "only" a PC and it never occurs to these people that their computers may be stolen precisely because of the confidential information on the disk.

    Even home users can face a difficult situation if they take their work home. They have a duty to protect that information... then they work on those files on virus-ridden systems. Today's viruses seem to focus on spam and stealing credit card numbers, but it's not hard to imagine more sophisticated attackers looking for other information.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  5. Re:Physical access! by BWJones · · Score: 5, Insightful

    Ok, how many admins out there who take backup tapes home as your offsite solution?

    This may be modded as funny, but is actually quite interesting. I know of a number (at least I know they used to) of sysadmins whose offsite backup was at home. This included some organizations with fairly substantial interests in limiting the access to their information. It should be company policy to properly pay for and establish a secure off site location for backups that are not in insecure locations like people's homes. This should include any company that backs up information related to personnel information like SS#'s and such. For lots of companies or research institutions with just research info that is not sensitive, backups at home can be wholly appropriate.

    --
    Visit Jonesblog and say hello.
  6. Re:Big Brother... by Beetle+B. · · Score: 4, Insightful

    You seem to be missing perhaps the most fundamental aspect of security: "Make your data secure enough such that it is not worth anyone's time to get past the security measures".

    Note that this does not mean make your data as humanly secure as possible. If it takes six months of brute force time to break my encryption, I don't mind. I don't have anything that is worth the trouble. So I'm not going to create hurdles for myself by securing it further.

    If you have more valuable data, then make it as much harder to get to it. Going overboard will not gain you anything, other than a hassle.

    Yes, big brother can storm my house, and torture the information out of me. But it's not worth their trouble. It perhaps would be worth it if I had no security measures and conducted all my Internet transactions in plain text. So I just use a few simple measures to make sure it's not that easy.

    --
    Beetle B.
  7. Re:Physical access! by jhagler · · Score: 4, Insightful

    Easy.

    Right-click on the network icon in the system tray then select "Disable". Seems easier to me than having to bring up a console, enter 25 characters, and hit return.

    I'm no Microsoft fan but come on, ya gotta pick your battles a little better than this.

    --
    Never underestimate the power of human stupidity -RAH
  8. BBC's "Micro Live" TV series by jd · · Score: 4, Insightful

    The people who you would most expect to be smarter than the average idiot, well, turned out not to be. Perhaps their best physical access blunder was to keep the backup tapes of their website in the same room as their BBS server. I'm not sure if they ever found out who stole the computer, but they walked off with the backups as well.

    Of course, that's not the only blunder. A cracker under the name "The Cheshire Catalyst" broke into a network service they were demonstrating, and started piping songs onto the computer screen in the TV studio.

    These security breaches got the kind of publicity few crackers could ever hope to achieve today. A live television audience of maybe 7-8 million, and next to zero chance that the camera is going to pull away?

    One important lesson I learned, over these incidents, is that security is rarely accidental. Nor is it something you can consider separately from the rest of the design. Designing something to be consistent and uniform means that errors will stick out like a sore thumb. In terms of security, or reliability, elegance is everything.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Exactly why I don't post AC by SuperKendall · · Score: 3, Insightful

    They look much harder at AC posts than us rambling registered users who normally have nothing interesting to say...

    There is no safety in anonymity, only mediocrity. People are always looking to see who hides behind the mask even as they step over the unwashed masses. :-)

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Re:Physical access! by FuzzyBad-Mofo · · Score: 4, Insightful

    You right click on the connection's system tray icon and click disable.

    OK, now perform that action in a shell script.

    /smartass

  11. Re:My security system by einhverfr · · Score: 4, Insightful

    You've just given me, and everyone else, a detailed list of attacks which will not work against you (saves us time, thank you!), and presuming that you've given an exhaustive list, you've also told us what holes are in your methods and where they are. You've given us some hints as to your software packages (Qmail, FWReport, IPTables, Apache, mostly non-windows machines) so we can go look up bug reports and exploits for them...

    Who says any of the rest of this information is not easy to determine?

    Let's see:

    Apache is kept reasonably up to date.

    FWReport is a report generator. Not directly exploitable. All it does is send me reports, and I wrote it and released it open source (as advertised on the web site), so you would expect me to be running it, right? I am sure you would expect Theo to be running OpenBSD too, right?

    Qmail.... When was the last time there was an exploit in Qmail?

    Look.... If you use Netcraft, you can see I am using Apache. Not saying so does not mean people can't find out. If you use Netcraft, you can even see I am running Linux.

    Hmmm.... and if you check port 110, it is open and you can look up the welcome message to see I am in fact running Qmail. So I have saved you, what? 10 minutes online with Google and Netcraft by telling you this information? How hard is it to determine this information? How hard is it to obscure this information?

    In essence, nothing I said is anything I could keep secret anyway from an attacker who would even do light recon.

    Now.... Beyond the basics (here is where I won't tell you details but can tell you principles and design ideas):

    1) If a program fails and is compromised, that should provide as little access to anything else as possible.

    2) If I have to require passwords on one remotely accessible resource, these passwords should not be reusable on another group of such resources.

    It is all about defence in depth and providing as many obstacles as possible to cause damage to me and my business, and containing the damage so that we can gracefully recover with a minimum of downtime. I won't share details. But I think we can all agree on the goals (these goals have been discussed in other whitepapers I have written, so again, this is public information).

    --

    LedgerSMB: Open source Accounting/ERP
  12. Re:Firey death to the intruders! by mejesster · · Score: 5, Insightful

    If they have physical access, they can just reset the BIOS... Plus you probably have floppy or CD set as boot first, in which case a simple bootable floppy or CD could circumvent all your elaborate security.

    --
    MacroHard - Boning you in a big way! (TM)
  13. Re:Physical access! by bcmm · · Score: 3, Insightful

    Yeah, don't tell them. I love the way people respect and fear me just because I use bash and cmd.exe.

    Seriously, some people are very impressed by CLIs. Especially green ones. Try "cat /dev/urandom" on a green terminal to make dummies think you are doing real work...

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.