Security

Just How Paranoid Are You? 931

An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
  • Physical access! (Score:5, Informative)

    by BWJones ( 18351 ) * on Monday January 24, 2005 @04:01PM (#11459501) Homepage Journal
    The most critical item any computer security professional will tell you to take care of: Physical access. If you have a concern, this is your first line of defense and in fact, most top secret installations have considerable resources dedicated to physical access. Next down the line in terms of security risk will be issues related to physical access that again most top secret installations have resolved by disallowing any removable media in or around secured systems. After that comes any issues of network security because your greatest security risk is internal access.

    You should not be carrying any sensitive work related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors of *NIX are helpful here, so you don't have to deal with the Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. If you are really (read pathologically, or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce the risk of TEMPEST related probes, but again if this is a concern, someone simply breaking in (again, access) is often easier and cheaper.

    When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption etc....), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.

  • Not that paranoid (Score:1, Informative)

    by Anonymous Coward on Monday January 24, 2005 @04:03PM (#11459551)
    have a hardware firewall (GTA GB500),
    30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.


    You can't be that paranoid if you go telling everyone who reads /. that your password is 30 characters long. I mean, you've practically given it away.
  • The usual stuff (Score:3, Informative)

    by upside ( 574799 ) on Monday January 24, 2005 @04:07PM (#11459628) Journal
    - Home server(s) on a DMZ
    - Ntop on the router/fw to keep track of network usage
    - Filter outbound connections, too
    - Mixture of *BSD and Linux on network and server equipment.
    - Peerguardian when using P2P software.
    - Up to date virus scan.
    - Don't use IE or Outlook Express.
  • Re:Physical access! (Score:5, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday January 24, 2005 @04:08PM (#11459652) Homepage Journal
    Hardware firewall? What, it's built all from gates and has no code on it? There's no such thing. A Linksys BEFSR41 is a "hardware firewall" because it's a dedicated firewall appliance, right? It runs Linux. A PIX 520, that's a hardware firewall, yes? They cost a lot new and they come in a 4U case. Whoops, it's an Intel PC.

    A firewall that's not on a trusted host, that's a necessity. It doesn't really matter if it's a Nokia box or monowall, what matters is that you configure it correctly and keep it updated. I'm thinking about setting up a transparent bridging firewall so my wall doesn't even have to have IP addresses.

  • by homer_ca ( 144738 ) on Monday January 24, 2005 @04:10PM (#11459693)
    "and all remotely personal information stored on a 256bit AES encrypted volume."

    Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.
  • by kannibal_klown ( 531544 ) on Monday January 24, 2005 @04:14PM (#11459763)
    I had weak security on my desktops at home. I would share out a lot of folders since I bounce around like 3 PCs (and a Mac) when doing stuff for work or just roaming around wirelessly with my laptop.

    That is, until the other week. I live in a suburban area with a fairly big lawn. I have wireless on and some weak security on the wireless router since I figured nobody lived close enough to my house that was computer literate. Security through geography.

    Then I noticed someone had accessed some files; a computer name that wasn't any of mine or anyone else's in the house. I wasn't happy. I found out a neighbor had reached my wireless router from across the street and accessed some files (didn't check to see if they browsed the internet on my dime).

    Since then, I've been more security-aware. I still have wireless on (for the convenience) but have a white-list set up and 128bit encryption.

    I shared fewer folders, and kicked it up a notch; explicitly saying which users could access the files.

    I turned on FileVault (or whatever) on my PowerBook just in case.

    I'm not that tight security wise, but my neighbor ain't getting through now.

    As for the regular stuff to watch out for: I constantly scan for viruses and run ad-aware for spy ware. I sit behind my router's firewall and a software firewall of some sort (either the OS's or 3rd party for my work laptop).
  • My security system (Score:5, Informative)

    by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Monday January 24, 2005 @04:15PM (#11459779) Homepage Journal
    Physical access is a concern. But I work from home and have my servers here (my business is currently home-based). So simple things like locking doors etc.

    The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about TEMPEST probes because it would take a lot of time to get enough information off my systems this way to be of use, but I am more concerned about vandalism and damage.

    So here are my mechanisms:

    1) Keep door locked when not at home.
    2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs IPTables and logs most denied traffic.
    3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false-positives, but it gives you an idea of what "may" be happening.
    4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
    5) Email servers run Qmail.
    6) Most servers are jailed.
    7) Most logs are set to "append only"
    8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
    9) Windows is not generally allowed on the network.
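Items 2 and 3 above (an iptables firewall that logs denied traffic, plus a cron job that turns those logs into a daily summary) are the kind of thing FWReport does. The block below is an added example written for this page, not the poster's setup and not FWReport's code: it parses the standard netfilter LOG-target syslog format (`IN= OUT= SRC= DST= PROTO= SPT= DPT=`) and produces a small report of top sources, top targeted services, and sources that touched several different ports (a crude port-scan heuristic). The sample log lines are constructed; the `IPT-DROP:` prefix is an assumed `--log-prefix` value and the addresses come from the documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the form the netfilter LOG target emits.
# "IPT-DROP:" is an assumed --log-prefix; the last line is non-firewall noise
# that a real syslog would contain and the parser must skip.
SAMPLE_LOG = [
    "Jan 24 16:05:11 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 24 16:05:12 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1235 DF PROTO=TCP SPT=3457 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 24 16:05:12 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1236 DF PROTO=TCP SPT=3458 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 24 16:07:40 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9981 DF PROTO=TCP SPT=40222 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 24 16:07:43 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9982 DF PROTO=TCP SPT=40223 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 24 16:08:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=192.0.2.10 LEN=404 TOS=0x00 PREC=0x00 TTL=117 ID=4 PROTO=UDP SPT=1053 DPT=1434 LEN=384",
    "Jan 24 16:08:09 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=117 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    "Jan 24 16:09:00 fw sshd[1234]: Accepted publickey for chris from 10.0.0.5 port 51000 ssh2",
]

# netfilter fields are KEY=VALUE tokens; bare flags (DF, SYN) carry no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the interesting fields of a netfilter LOG line, or None if the
    line is not a firewall log entry (other kernel or daemon output)."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": line[:15],                      # syslog "Mon DD HH:MM:SS"
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields["PROTO"],
        # ICMP has no ports; keep None rather than guessing
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(lines, scan_ports=3):
    """Aggregate denied traffic: hits per source, hits per proto/port, and
    sources that probed at least `scan_ports` distinct destination ports."""
    by_src, by_service = Counter(), Counter()
    ports_per_src = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            skipped += 1
            continue
        by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            by_service[f'{rec["proto"]}/{rec["dport"]}'] += 1
            ports_per_src[rec["src"]].add(rec["dport"])
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_ports)
    return {"by_src": by_src, "by_service": by_service,
            "scanners": scanners, "skipped": skipped}


def render_report(summary, top=5):
    """Plain-text report suitable for mailing from cron."""
    out = ["Denied traffic report", "", "Top sources:"]
    for src, n in summary["by_src"].most_common(top):
        out.append(f"  {src:<16} {n:>5}")
    out += ["", "Top targeted services:"]
    for svc, n in summary["by_service"].most_common(top):
        out.append(f"  {svc:<16} {n:>5}")
    out += ["", "Possible port scans (>= 3 distinct ports):"]
    out += [f"  {s}" for s in summary["scanners"]] or ["  none"]
    out.append(f"\nNon-firewall lines skipped: {summary['skipped']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG)))
```

Pointing `summarize()` at the lines of `/var/log/messages` (or wherever the LOG target lands) and mailing `render_report()` from a daily cron entry gives roughly the report FWReport produces. As the poster notes, such reports skew toward false positives: a single SYN to 445 is background noise, not an attack, so the scan heuristic is there to separate the persistent sources from the chaff.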
  • Re:Physical access! (Score:1, Informative)

    by Anonymous Coward on Monday January 24, 2005 @04:19PM (#11459867)
    > Then came the draining. Gack. What looked like 2 tablespoons
    > of pus ran from my nose,

    Dude. Yuck.
  • Re:Esay easy easy (Score:3, Informative)

    by pclminion ( 145572 ) on Monday January 24, 2005 @04:23PM (#11459912)
    In other words, you rely on obscurity.
  • Re:Physical access! (Score:2, Informative)

    by torinth ( 216077 ) on Monday January 24, 2005 @04:27PM (#11459995) Homepage
    Now, how do you bring down a network interface in Microsoft Windows with a single command?

    You right click on the connection's system tray icon and click disable.

    Smartass.
  • Re:Physical access! (Score:1, Informative)

    by Anonymous Coward on Monday January 24, 2005 @04:29PM (#11460019)
    > There's a Vancouver in Washington as well?

    Yes. [vancouver.wa.us]
  • Re:Keyloggers (Score:3, Informative)

    by wfberg ( 24378 ) on Monday January 24, 2005 @04:32PM (#11460053)
    I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.

    Call me ignorant, but wouldn't one simple piece of phishing/keylogging software get your password, and it's all for nothing?


    Or go one better; install the keyghost [keyghost.com] keystroke-logging keyboard-dongle (other brands are available).

    Note that storing your information on an encrypted partition does fuck all to protect you from viruses or spyware that choose to spam X:\goatporn.jpg to your entire address book.

    And then there's the omniscient swapfile. Did you encrypt the swapfile?

    Notice that the article poster mentions his system is "as safe as XP will let him make it", but strangely no mention of the windows "syskey" option. Also no mention of hardware encryption for his hard drive [firewiremax.com].

    Not to mention that all of that is moot if you're planning on running for public office, and you might be worried about your ISP/google's logs ever resurfacing from that one night you and your buddies were drunk and surfing the web for goat porn..
  • Re:Paranoia quotes (Score:2, Informative)

    by sn0wflake ( 592745 ) on Monday January 24, 2005 @04:40PM (#11460162)
    Quote from Nirvana's song "Territorial Pissings":

    Just because you're paranoid
    Doesn't mean they're not after you

  • by Lodragandraoidh ( 639696 ) on Monday January 24, 2005 @04:45PM (#11460251) Journal
    In firewall terms a DMZ is a subnet off the firewall that will allow traffic to enter your network from the outside. This is the best way to provide services to external entities without compromising the rest of your network.

    See this faq to learn more about how firewalls work [interhack.net].
  • Re:Physical access! (Score:2, Informative)

    by cresquin ( 852066 ) on Monday January 24, 2005 @05:19PM (#11460770) Homepage
    wire an electromagnet above your hard-drive connected to a car battery, and install a switch on the front of your case.

    poop hits fan, switch gets flipped, data goes bye-bye.
  • Re:Physical access! (Score:1, Informative)

    by Anonymous Coward on Monday January 24, 2005 @05:27PM (#11460902)
    There are such things as HW firewalls, eg. Fortinet.
  • Re:Use linux! (Score:2, Informative)

    by NuclearDog ( 775495 ) on Monday January 24, 2005 @05:46PM (#11461201) Homepage
    Rule number two about 'sercurity': Get rid of Linux and install BSD.

    ND
  • Re:Brute force what? (Score:3, Informative)

    by dexterpexter ( 733748 ) on Monday January 24, 2005 @06:08PM (#11461463) Journal
    The problem with the 30 character password in this case is that (a little known fact) Windows actually breaks it into seven or eight character passwords and then encrypts those. So, your 30 character password is only as good as four or five passwords...which are even further compromised if any of those blocks resemble a dictionary word.

    John the Ripper (for physical access) or Cain & Abel (over the network) can grab most seven-character passwords in seconds.

    Yes, long passwords are better in theory, so I agree with you. But, some systems remove a lot of the long-password advantage when they break the passwords into blocks and then encrypt them.
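To make the block-splitting concrete, here is an added example written for this page (not code from any poster): it implements the two password hashes NT-family Windows keeps in the SAM. The NT hash is MD4 over the UTF-16LE password and covers the whole string, so the MD4 is written out in pure Python to avoid depending on an OpenSSL build that still ships the legacy digest. The LM preprocessing uppercases, NUL-pads to 14 bytes, and splits into two 7-byte halves that each become an independent 56-bit DES key (parity expansion shown; the DES encryption of the constant "KGS!@#$%" is left out), which is why each half can be cracked on its own. The caveat a practitioner wants: LM hashing only ever covers 14 characters, and NT-family systems store no usable LM hash for a longer password, so a 30-character password is protected only by the NT hash. The OEM code page used by LM is approximated here as ASCII; the test vectors are MD4's RFC 1320 values and the widely published NT hash of "password".

```python
import struct

MASK = 0xFFFFFFFF
LM_MAX_LEN = 14  # LM hashing covers at most 14 characters


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_compress(state, block):
    """One 64-byte MD4 compression (RFC 1320), variables rotated each step."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                       # round 1: F = (x & y) | (~x & z)
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                       # round 2: G = majority
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4              # 0,4,8,12,1,5,9,13,...
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                       # round 3: H = xor
        h = b ^ c ^ d
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]  # 0,8,4,12,2,10,...
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        state = _md4_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, covers the whole string."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str):
    """LM preprocessing: uppercase, NUL-pad to 14, split into two 7-byte
    halves. Returns None when no LM hash would be stored (> 14 chars).
    The real OEM code page is approximated as ASCII (assumption)."""
    if len(password) > LM_MAX_LEN:
        return None
    p = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return p[:7], p[7:]


def lm_des_key(half: bytes) -> bytes:
    """Expand a 7-byte LM half into the 8-byte DES key (7 key bits per byte
    plus an odd-parity bit), the key that encrypts the constant 'KGS!@#$%'."""
    bits = int.from_bytes(half, "big")       # 56 key bits
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:         # force odd parity
            b |= 1
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print("NT  :", nt_hash("password"))
    print("LM  :", lm_halves("Passw0rd"))
    print("LM  :", lm_halves("a 30-character passphrase here"))  # None
```

Two 7-character halves each drawn from uppercase-plus-symbols is a keyspace small enough that a 2005-era desktop can exhaust it, and the second half of a short password is often all NULs, which is why tools start there. The NT hash has no such split, but it is still unsalted and cheap, so precomputed tables and GPU brute force are the concern for it rather than structural weakness.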
  • Re:Physical access! (Score:3, Informative)

    by jakupovic ( 258719 ) on Monday January 24, 2005 @06:39PM (#11461814)
    Ok, I'm gonna bite how about http://www.ntcompatible.com/thread29224-1.html

    basically "netsh interface set interface name="Local Area Connection" admin=DISABLED"
  • Re:Physical access! (Score:2, Informative)

    by kd5ujz ( 640580 ) on Monday January 24, 2005 @06:40PM (#11461827)
    c:\>ipconfig /release 'connection'
  • by theLOUDroom ( 556455 ) on Monday January 24, 2005 @07:20PM (#11462347)
    Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.

    Amazingly, this is the first post I've noticed that points out this obvious flaw.

    256 bit AES is silly if those encrypted files are being read normally on a computer with an unencrypted swap file.

    It's like going out, buying the most expensive lock you can get, and putting it on a cardboard box.
  • by Anonymous Coward on Monday January 24, 2005 @08:57PM (#11463361)
    To snoop into his private life that he might have wished to remain private? I can't think of a legitimate reason except to go snooping.

    Actually, there are plenty of reasons. If one is married and shares all of their relevant information with a spouse, then maybe the information is just redundant, but if one lives and banks solo, then it's more complicated.

    My brother died this summer, and we had to hack into his laptop. However, my brother did not receive paper copies of *any* of his bills or statements, and my family and I didn't even know at what institutions he held accounts. He had multiple frequent-flier/frequent-traveler accounts, and even a trip planned and paid for (with 3 separate hotel stays).

    Yes, all of those institutions were perfectly happy to cancel/refund his reservations with a death certificate, but we would never have been able to prepare his taxes (this year), pay his last credit card bills, or even *notify* the relevant banks without considerable time, effort, and detective work, if we hadn't been able to get into his Quicken data.

  • Re:Physical access! (Score:4, Informative)

    by crazyphilman ( 609923 ) on Monday January 24, 2005 @09:29PM (#11463615) Journal
    When I think of "hardware firewall" I think of a device which stores its software and rules in static ROM which (hopefully) can't be flashed from the LAN side. This is more secure because A) it's not a machine you're actually working on, and B) there's nothing really THERE except for the operating software, and that would be kind of tricky to hack, C) it can be set up so that nobody can really initiate anything from the LAN port anyway.

    What I do at my apartment is this:

    I have a hardware firewall the size of a paperback book, a D-Link that's fully patched, with rules that won't allow any incoming traffic and which logs everything I didn't initiate and periodically emails me the logs when they fill up;

    My computer is a mil-spec Panasonic CF-28 laptop, water resistant and shockproof, with an armored LCD and a silicone-mounted hard drive in a stainless steel caddy;

    My operating system is Slackware Linux which I've hardened. It isn't running any services anyone can try to connect to, and it's running a paranoid iptables firewall which drops all packets I didn't specifically ask for, logging everything sneaky. It's fully patched, and I have different accounts I use for accessing the internet and doing other work (if I'm going to program or write, I disconnect the ethernet cable and log in with my other userid).

    I use an up to date Mozilla or Firefox exclusively, and I have software installation disabled (I only enable it when I'm going to get something from the Mozilla site).

    For mail, I use kmail, set up so it doesn't automatically display HTML -- I have to choose to view HTML if I know the sender.

    I *think* I've thought about just about everything, but who knows? Of course, if something weird happens, I've got good backups so I can rebuild my system in an evening.

  • by CyborgWarrior ( 633205 ) on Monday January 24, 2005 @10:27PM (#11463979) Homepage
    Even if you do not have them set to boot first, then resetting the BIOS will on most machines set them to boot first. And even if there is no drive installed, physical access means you could just as well plug one in, or heck, why not just plug the hard drive into a different computer?! When you think of the things that you can actually do with physical access, you begin to see how important that layer of security really is. And it can be something as simple as a locked door to anything as complex as the "computer vault" or beyond.
