Security for the Paranoid

Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other Security profesionals say he is too Paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."

Mark is Paranoid, but Trusting of Microsoft?

[xmas2003]

While being paranoid is argueably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.

Re:Mark is Paranoid, but Trusting of Microsoft?

[sysera]

I thought this was odd too. But then again people think I'm strange for not allowing product Linux machines to update automatically with package managers over an unsecured network or via an outside source.

Re:Mark is Paranoid, but Trusting of Microsoft?

[pegr]

Beat me to it. I was just about to post "He runs Windows, the fucking pouser."

Precisly correct. He does all this to "feel good" without understanding the threat. Does he check his firewall logs daily? Did he disable LM hashes on his Windows box? (If not, the 14 char password is really just two sevens...)

I've always maintained that strict adherence to protocol is the last bastion for the truly evil and truly stupid...

Re:Mark is Paranoid, but Trusting of Microsoft?

[nharmon]

Not really necessary:

FTFA: "I do my Internet browsing from a locked down VMWare box that has no rights on my network."

All that he needs to do is revert to a previously known-good vmware image.

smart cards?

[VolciMaster]

for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you internally that you need that level of paranoia. If the entire network is open to the outside world, that a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?

Not quite right

[norfolkboy]

Well, I can see the guys reasons.

However, information security has to be appropriate to the data you wish to protect.

A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.

The information will never be *USED*. There will be no point in having it.

Use security appropirate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.

I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!

what a pseudo-fool (in a nice way)

[yagu]

..., No one else, not even my wife, knows my network password....,

... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)

I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privelege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...

Re:what a pseudo-fool (in a nice way)

[DarkHelmet]

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

One router, and one software firewall constitutes two firewalls. If he wanted his home office network to be separated by his family's computers, having a third firewall makes sense.

After all, if his kids inadvertently get a virus, why let it spread on the network? (depending on the virus, of course)

Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.

Fair enough. If you have something like keepass, going down the list of passwords isn't too hard. Then again, I wouldn't change the password of something stupid and insignificant (like a dating site account) very often, especially if it's a strong password that I don't use anywhere else.

I use very long passwords for everything, even with the lamest accounts I have.

If you have keepass, why not?

I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.

Why the hell not? Shouldn't you be teaching your children good security practices anyway?

I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

Oh yeah... Just what I want... my backyard to be flooded with little bits of paper. Lovely.

I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.

And linux people have known this for how long?

I use a unique, secret e-mail address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check the address the e-mail address they used to see if they sent it to the secret address.

Does this matter? The only real concern here is phishing. If your bank sends you an email, you TYPE IN THE URL YOURSELF. That is good security.

Plus, he doesn't mention who his emails are with? A hotmail or yahoo account? Bad choice. If you're really serious about mail security (and not spam), why not have one email account on its own dedicated machine... running qmail... with iptables blocking all incoming ports but 25 and 22 (but limit port 22 to your private IP). Check your mail locally using pine, so that POP3 or IMAP isn't open.

I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger.

If you're running keepass, you don't need to worry about that for sniffing of passwords. Just copy and paste your password in.

I never check in luggage when I fly.

Does this matter if your laptop is WITH you?

I do my Internet browsing from a locked down VMWare box that has no rights on my network.

If your office documents are important enough, why not? If you work from home, if you have the money and the space, why not do work on a separate machine with limited rights / access? Or the other way around?

I use terrafly.com to see what others might be able to see about my home.

Crackheaded. If someone knows your address, there's a lot more they can find out about your house than what's on an aerial map.

It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.

BIOS, OS, Email Account? What are the other two? Also, passwords should be out of the range of brute force crackers. Not insanely unreachable. 20 characters should do it.

I also delete unused services on my server

Re:what a pseudo-fool (in a nice way)

[syousef]

..., No one else, not even my wife, knows my network password...., ... is about the only part of his screed that could make sense to me.

If your partner wants to hurt you badly enough, your password isn't going to stop her/him. Most partners know enough about the other person that they could have them arrested. Good thing is it works both ways.

Smart cards

[alecks]

Speaking of smart cards, anyone know where how to obtain a simple smart card home solution? All resources i've found are for large enterprize distributions... i'm only looking for 2 or 3 smart cards..

paranoid my ass

[wardk]

mark me troll if you must. but I see this as a legitmate question....

if he's so damn paranoid, what the hell is he using windows for?

too paranooid

[MetalliQaZ]

I think you can be too paranoid. I seem to remember a story a while ago about security measures that were overly invasive. Require 14 character password with non-alpha characters, and get your users putting their passwords on their monitors with post-it notes.

Its true, you never seem to realize your folly until its too late and your data is gone, but in my case, my home network isn't so important to me that I think its worth so much security that it interferes with my enjoyment or productivity.

Usually my stance is that I let the foil-hat wearing scurity gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.

-d

Security,,,for the average user?

[nebaz]

The guy uses 5 passwords for his laptop, and I am sure that is fine for him.

Security for the sake of security, for example, can sometimes backfire.

For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.

This was on an intranet, and most people hated this feature.

Most people ended up using a system like
Jul@1996 for their password. Mon

Kind of defeats the whole purpose of security.

I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.

But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.

Err.... Overdoing it, maybe?

[MrAnnoyanceToYou]

This is an interesting article, but brings up one little thing for me about security - when you go this far out, you make yourself a target. The first thing I thought at the end of the article was, "man, I'd love to show this guy." And I didn't think along the same lines he did. I thought small focused high-speed cameras placed under the neighbors' eaves, I thought replacing his keyboard with a snooped replica... Again, social engineering and hitting someone where they are not looking seems to be the key to any cracking, not technical powerhousing. And pronouncing to the world that you use three firewalls is just asking for trouble.

I'm not a cracker, I'm not even much of a hacker, but I'm naturally sneaky bastich. (TM) And as real sneaky bastiches know, you don't ever stand in someone's face and tell them to you're going to beat the crap out of them, you wait until they turn around.

I try to be a nice guy despite my tendencies, but still... This kind of article reminds me of the French and their lines.

Read Dawkins, any studies on altruism...

[John+Seminal]

And this guy is set up very secure.

Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.

In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

In any population, you will have a percentage of people who are very alturistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.

For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the preditor. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.

If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.

Instead of critisizing him as mentally ill, maybe you can add some of your distinct expretesse and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelegnth to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.

Re:Read Dawkins, any studies on altruism...

[Fjornir]

You forgot the greedy birds which signal predator when there's no predator in order to get at the food first. People do it too -- just look at Bush/Cheney signaling Iraq with WMDs just so Halliburton can eat well...

High Cognitive Cost == Low Compliance

[count0]

This guy doesn't get it. Security is much more about people, not about 50 character passwords and redundant firewalls. Social engineering is much more of an issue than triple firewalls.

14 Character pwds for his kids, on his home network, that isn't connected to the outside (his VMware box is for internet). Yeah, that's useful.

He reminds me of the guy in town who advertises websites that a backwards compatible to Netscape 1.2 - very shrill, gets some attention, but is really clueless.

What a freaker

[Percy_Blakeney]

This guy needs to get out more. Some of my favorite parts:

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

Almost definitely, yes.

Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter?

Yes, it does. Welcome to the real world, where you have finite resources and impatient users. If you only have X amount of resources, do you spend them on protecting things that are a target or on things that nobody cares about?

Its not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me.

So, can anyone tell me exactly what he's thinking? It seems like he doesn't even know.

It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.

50 characters long? Why stop there? Why not 128 characters long? Why not memorize your entire public and private keys?

I think that this fact alone -- that he has a 50-character password -- shows that he's not playing with a full deck of cards.

Bad patches are the least of your problems.

[MarkByers]

From a security perspective, it is not the patches which crash your computer or destroy data that are a problem. They are just annoying. Reinstall, restore your data from a back up, and you are ready to go again.

The problem comes from bugs with exploits in the wild, but no patches yet.

Unpatched IE vulnerabilities
Unpatched Windows XP Vulnerabilities

Re:14 character password?

[OglinTatas]

One of my pet peeves is security systems that force an unreasonable UPPER limit on password length. There is one system here at work that requires a 6-8 digit password. Even worse, another system requires a 5 digit "PIN" when really they mean a 5 and only 5 character password.

Why this really is annoying to me is because I use a 4 tier password system. Tier 1 is for my bank accounts, when that is changed the password is reused for tier 2 applications--my passwords on my home computers. Tier 2 password becomes tier 3, my email, and those passwords become tier 4, i.e. all my passwords at work. That way I only have to remember 4 passwords at any one time (and 2 truncated ones) and no sticky note security.

Re:Microsoft is not the problem

[b1t+r0t]

Someone could just buy his kids a six pack in exchange for their passwords.

A six pack? You're thinking way too big. Wasn't there a study a few months ago where it was shown that like 60% or more of users would disclose their passwords in exchange for chocolate?

"Hey kid, want some candy?"

Re:oww

[NullProg]

Second, 3 firewalls? for a home network?
He didn't state what type, but I can guess...

1) Software Based firewall (Possibly two if you don't trust the first.
2) Wireless AP to internal network Firewall.
3) Internet firewall.

I have two of these on my home network (for the windows client), ZoneAlarm + Hardware. When I install a wireless access point I will then add another one to firewall that segement.

Enjoy.

Re:Convenience != 1/Security

[coyote-san]

I would argue that inconvenient security is not secure. People will find ways around it, sometimes in the worst possible way from a security standpoint.

Good security should be relatively unintrusive. E.g., your security badge includes a java button, you need it and your password to log on. (I'm not sure if jbuttons are wireless, but if not substitute some smart device that is.) Once you're logged in a kerberos TGT is written to your badge. You can then access most secured functions because they quietly get the ticket from your badge. You could set up the system so your tickets (not TGT) only live for 10-15 seconds - you walk away from your desk to go to the bathroom or "coincidently" run into that cutie at the water fountain and the ticket can't be renewed and the applications are disabled (and screen blanked?) until you return. Then you have to repeat your password (since somebody might have taken the badge off your still-warm body) and everything is as you left it.

If you need special rights you provide the password for another TGT, one with a short lifetime. Think 'sudo' as an analogy.

It's far more secure than having to maintain a separate username/password for multiple applications, yet simultaneously far more convenient. Nobody will complain, esp. if badges are required or they're already used to get through doors. Most people won't even understand how the badge around their neck gives them access to their workstation (and possibly others when working with others).

A slightly weaker version uses a USB dongle attached to your keys. Nobody walks away from their car keys for long.

Pet peeve:

[Kphrak]

Paranoid admins who like to practice "information denial techniques" on their systems, making them essentially unfixable. The thinking is, "We don't want a hacker to have any information about our network. We don't want him to even know what kind of system he's on if he ever does get in. So we've got to hide as much system stuff as possible."

We've got quite a few of those here, most of who have had "security at ANY COST" drilled into them by the higherups. Here are a few gems:

• One of my managers from a few years back forbid putting manpages on any DMZ systems. Just in case a hacker got in and needed to know how to use a command. Of course, if it's 3AM and we're working on something esoteric in there, we wouldn't have to walk to another system to check the manpages. We keep all the commandline args in our heads. And manpages, as we all know, are secret information -- they're not available on Google. No sir.
• The other day, someone asked me how we could hide the route info in our outgoing email headers indicating that internal servers (192.168, etc) were sending mail to our mail gateway. Best if no one has any clue what mail servers sent the mail. At least they didn't ask me to spoof all senders to secret@myorg.gov -- I was expecting that, by that point.
• Our password policy requires a password that has letters, alphanumeric chars, and numbers. Every thirty days, you've got to change your password. OK, that's not so bad. But wait, there's more! It remembers your last three passwords and won't let you use them. Up to a short time ago, if you entered a password wrong three consecutive times, it locked you out of all systems on the network until further notice. The potential DOS is left as an exercise for the reader.
• A short time ago, one of our admins created a "locked down" DMZ system incorporating the minimum amount of packages he could use. Something went haywire in our network connectivity using an update program, so I tried to do some troubleshooting. Telnet to the remote server on port 80 to see if we could get HTTP connectivity? Nope, telnet (the CLIENT) was gone. How 'bout snoop? Nope, I couldn't watch network packets short of going into the room and plugging in an ethernet tap. I ended up doing the same stuff from another system in the DMZ that had not been locked down in this fashion.

I'm sure there's another super-paranoid person on this topic who may flame me for this and say I'm a rotten admin for keeping any debugging tools on a system. But a lot of people forget that 50% of security is keeping the bad guys out, and the other 50% is allowing the good guys to do their job without a huge hassle. Sure, having people logging in via telnet, or allowing "password" as a password sucks. But timely patching, keeping an eye on your system services, EDUCATING YOUR USERS, and having a good firewall policy will keep far more trouble out than instituting the Fourth Reich on a production system.

Re:This guy is a moron

[flyingsquid]

I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.

Yeah, conspiracy and paranoia are oddly appealing. It's so much nicer to believe that the governments, corporations, and secret networks are out to get you than to believe that nobody really gives a shit whether you live or die, and that your failures are either the result of an unordered universe, or worse, your own damn fault.

B#llsh!t Paranoia is egotism

[redelm]

"Absolute security at all costs" means zero functionality at high cost.

More important is a credible threat, probability and loss analysis, compared with a list of countermeasures and their costs.

Otherwise, it's just the cops featherbedding, just like the CIA did over the strength of the USSR -- even just before the collapse and perestroika.

Don't give in to fear.

Re:I wouldn't want him as my ISO

[jjohnson]

I actually wonder if the ironic point he's making is that security consultants demand stupidity from corporations that no one would tolerate on a personal level. Consider:

I try to run my own network the same way I tell my clients to.

Then he goes on to present a stupid laundry list of excessive security measures that are, by implication, what he's telling his clients to do. It's obvious that, personally, they're ridiculous, so why wouldn't they also be ridiculous in a corporate environment?