Just How Paranoid Are You?
An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
Physical access! (Score:5, Informative)
You should not be carrying any sensitive work related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors of *NIX are helpful here, so you don't have to deal with the Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. If you are really (read: pathologically, or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce the risk of TEMPEST related probes, but again if this is a concern, someone simply breaking in (again, access) is often easier and cheaper.
When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption, etc.), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.
Not that paranoid (Score:1, Informative)
You can't be that paranoid if you go telling everyone who reads
Re:Physical access! (Score:5, Informative)
A firewall that's not on a trusted host, that's a necessity. It doesn't really matter if it's a Nokia box or m0n0wall, what matters is that you configure it correctly and keep it updated. I'm thinking about setting up a transparent bridging firewall so my wall doesn't even have to have IP addresses.
Careful with swap and temp files (Score:4, Informative)
Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.
Weak, Until Wireless Intruder :( (Score:3, Informative)
That is, until the other week. I live in a suburban area with a fairly big lawn. I have wireless on and some weak security on the wireless router since I figured nobody lived close enough to my house that was computer literate. Security through geography.
Then I noticed someone had accessed some files; a computer name that wasn't any of mine or anyone else's in the house. I wasn't happy. I found out a neighbor had reached my wireless router from across the street and accessed some files (didn't check to see if they browsed the internet on my dime).
Since then, I've been more security-aware. I still have wireless on (for the convenience) but have a white-list set up and 128bit encryption.
I shared fewer folders, and kicked it up a notch; explicitly saying which users could access the files.
I turned on FileVault (or whatever) on my PowerBook just in case.
I'm not that tight security wise, but my neighbor ain't getting through now.
As for the regular stuff to watch out for: I constantly scan for viruses and run Ad-Aware for spyware. I sit behind my router's firewall and a software firewall of some sort (either the OS's or 3rd party for my work laptop).
My security system (Score:5, Informative)
The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about TEMPEST probes because it would take a lot of time to get enough information off my systems this way to be of use, but I am more concerned about vandalism and damage.
So here are my mechanisms:
1) Keep door locked when not at home.
2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs iptables and logs most denied traffic.
3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false positives, but it gives you an idea of what "may" be happening.
4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
5) Email servers run Qmail.
6) Most servers are jailed.
7) Most logs are set to "append only".
8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
9) Windows is not generally allowed on the network.
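Items 2 and 3 of the list above (iptables logging denied traffic, a cron job turning the log into a daily report) are easy to reproduce without FWReport. The script below is an added example, not FWReport and not the poster's own setup: it parses the syslog lines the kernel LOG target writes, tallies denied packets per source and per destination service, and flags any source that probed several distinct ports. The log prefix `FW-DENY` and the sample lines are constructed for the example; a real deployment would read `/var/log/kern.log` (or wherever the LOG target lands) and mail the rendered text from cron.

```python
"""Summarize iptables LOG output the way a daily FWReport-style cron job would.

Added example, not FWReport itself. The log prefix and sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "FW-DENY"  # hypothetical --log-prefix set on the iptables LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like SYN are ignored

# Constructed sample, in the syslog shape the kernel LOG target produces.
SAMPLE_LOG = """\
Mar  3 02:14:07 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 02:14:09 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TTL=52 ID=2 PROTO=TCP SPT=44124 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 02:14:11 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TTL=52 ID=3 PROTO=TCP SPT=44125 DPT=80 WINDOW=1024 SYN URGP=0
Mar  3 02:14:12 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TTL=52 ID=4 PROTO=TCP SPT=44126 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 03:40:51 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=113 ID=5 PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar  3 03:40:52 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=113 ID=6 PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar  3 04:01:00 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 LEN=84 TTL=49 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 04:05:33 fw sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
"""


def parse_line(line):
    """Return {field: value} for one iptables LOG line, or None for any other syslog line."""
    marker = f"kernel: {LOG_PREFIX} "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(marker):]))
    fields["time"] = line[:15]  # syslog timestamp, e.g. 'Mar  3 02:14:07'
    return fields


def summarize(log_text, scan_threshold=4):
    """Aggregate denied packets by source and by destination service.

    A source that hit at least `scan_threshold` distinct TCP/UDP ports is listed
    as a probable port scan. Like FWReport this errs toward false positives:
    a single host retrying several services looks the same as a scan.
    """
    by_source = Counter()
    by_service = Counter()
    ports_per_source = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        src, proto = fields.get("SRC", "?"), fields.get("PROTO", "?")
        by_source[src] += 1
        if "DPT" in fields:
            by_service[f"{proto}/{fields['DPT']}"] += 1
            ports_per_source[src].add(fields["DPT"])
        else:
            by_service[proto] += 1  # ICMP and friends have no port
    scanners = sorted(s for s, ports in ports_per_source.items() if len(ports) >= scan_threshold)
    return {
        "total": sum(by_source.values()),
        "by_source": by_source,
        "by_service": by_service,
        "scanners": scanners,
    }


def render(report, top=5):
    """Plain-text report body for cron to mail."""
    lines = [f"Denied packets: {report['total']}", "", "Top sources:"]
    for src, n in report["by_source"].most_common(top):
        lines.append(f"  {src:<18} {n}")
    lines += ["", "Top services probed:"]
    for svc, n in report["by_service"].most_common(top):
        lines.append(f"  {svc:<18} {n}")
    if report["scanners"]:
        lines += ["", "Probable port scans from: " + ", ".join(report["scanners"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

The scan heuristic is deliberately crude: it counts distinct destination ports per source over the whole report window, which is enough to make a sequential probe stand out in a daily mail but will also flag a legitimate peer that retried a few services.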
Re:Physical access! (Score:1, Informative)
> of pus ran from my nose,
Dude. Yuck.
Re:Physical access! (Score:2, Informative)
You right click on the connection's system tray icon and click disable.
Smartass.
Re:Physical access! (Score:1, Informative)
Yes. [vancouver.wa.us]
Re:Keyloggers (Score:3, Informative)
Call me ignorant, but wouldn't one simple piece of phishing/keylogging software get your password, and then it's all for nothing?
Or go one better; install the keyghost [keyghost.com] keystroke-logging keyboard-dongle (other brands are available).
Note that storing your information on an encrypted partition does fuck all to protect you from viruses or spyware that choose to spam X:\goatporn.jpg to your entire address book.
And then there's the omniscient swapfile. Did you encrypt the swapfile?
Notice that the article poster mentions his system is "as safe as XP will let him make it", but strangely no mention of the Windows "syskey" option. Also no mention of hardware encryption for his hard drive [firewiremax.com].
Not to mention that all of that is moot if you're planning on running for public office, and you might be worried about your ISP/google's logs ever resurfacing from that one night you and your buddies were drunk and surfing the web for goat porn..
Re:Paranoia quotes (Score:2, Informative)
Just because you're paranoid
Doesn't mean they're not after you
Re:Relocate serve to DMZ (Score:3, Informative)
See this faq to learn more about how firewalls work [interhack.net].
Re:Physical access! (Score:2, Informative)
poop hits fan, switch gets flipped, data goes bye-bye.
Re:Brute force what? (Score:3, Informative)
Jack the Ripper (for physical access) or Cain & Abel (over the network) can grab most seven-character passwords in seconds.
Yes, long passwords are better in theory, so I agree with you. But, some systems remove a lot of the long-password advantage when they break the passwords into blocks and then encrypt them.
Re:Physical access! (Score:3, Informative)
basically "netsh interface set interface name="Local Area Connection" admin=DISABLED"
Re:Careful with swap and temp files (Score:3, Informative)
Amazingly, this is the first post I've noticed that points out this obvious flaw.
256 bit AES is silly if those encrypted files are being read normally on a computer with an unencrypted swap file.
It's like going out, buying the most expensive lock you can get, and putting it on a cardboard box.
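The swap problem in the two comments above has a concrete Linux check. The script below is an added example, not from the thread: it reads the active swap areas from `/proc/swaps` and the device-mapper tables from `dmsetup table`, and reports any swap area that is not backed by a `crypt` target. Both snapshots here are constructed; on a real host you would pass the real file contents and command output. It checks the target type rather than just the `/dev/mapper/` prefix, because an LVM volume also lives under `/dev/mapper/` without being encrypted.

```python
"""Report swap areas that are not on a dm-crypt device.

Added example, not from the original thread. Inputs below are constructed snapshots
of /proc/swaps and `dmsetup table`; feed real ones on a live host.
"""

SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda3                               partition\t2097148\t0\t-2
/dev/mapper/cryptswap                   partition\t4194300\t512\t-3
/dev/mapper/vg0-swap                    partition\t1048572\t0\t-4
"""

# `dmsetup table` prints "<name>: <start> <length> <target> <target args...>".
# The crypt key is shown as zeros unless --showkeys is given.
SAMPLE_DMSETUP_TABLE = """\
cryptswap: 0 8388608 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 0
cryptroot: 0 209715200 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:5 0
vg0-swap: 0 2097152 linear 8:6 2048
"""

MAPPER_PREFIX = "/dev/mapper/"


def crypt_devices(dmsetup_text):
    """Names of device-mapper devices whose target type is 'crypt'."""
    names = set()
    for line in dmsetup_text.splitlines():
        if ":" not in line:
            continue
        name, table = line.split(":", 1)
        fields = table.split()
        if len(fields) >= 3 and fields[2] == "crypt":
            names.add(name.strip())
    return names


def swap_areas(proc_swaps_text):
    """Paths of all active swap areas (partitions and files), header row skipped."""
    return [line.split()[0] for line in proc_swaps_text.splitlines()[1:] if line.strip()]


def unencrypted_swap(proc_swaps_text, dmsetup_text):
    """Swap areas that are not a dm-crypt device.

    Conservative: a swap *file* on an encrypted root filesystem is also reported,
    because its path says nothing about the device underneath it.
    """
    crypt = crypt_devices(dmsetup_text)
    bad = []
    for area in swap_areas(proc_swaps_text):
        if area.startswith(MAPPER_PREFIX) and area[len(MAPPER_PREFIX):] in crypt:
            continue
        bad.append(area)
    return bad


if __name__ == "__main__":
    for area in unencrypted_swap(SAMPLE_PROC_SWAPS, SAMPLE_DMSETUP_TABLE):
        print(f"UNENCRYPTED SWAP: {area}")
```

On a live system the two inputs are `open("/proc/swaps").read()` and the output of `dmsetup table` run as root; an empty result is what you want to see before trusting an encrypted volume with anything sensitive.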
Re:Your information can be too secure (Score:2, Informative)
Actually, there are plenty of reasons. If one is married and shares all of their relevant information with a spouse, then maybe the information is just redundant, but if one lives and banks solo, then it's more complicated.
My brother died this summer, and we had to hack into his laptop. However, my brother did not receive paper copies of *any* of his bills or statements, and my family and I didn't even know at what institutions he held accounts. He had multiple frequent-flier/frequent-traveler accounts, and even a trip planned and paid for (with 3 separate hotel stays).
Yes, all of those institutions were perfectly happy to cancel/refund his reservations with a death certificate, but we would never have been able to prepare his taxes (this year), pay his last credit card bills, or even *notify* the relevant banks without considerable time, effort, and detective work, if we hadn't been able to get into his Quicken data.
Re:Physical access! (Score:4, Informative)
What I do at my apartment is this:
I have a hardware firewall the size of a paperback book, a D-Link that's fully patched, with rules that won't allow any incoming traffic and which logs everything I didn't initiate and periodically emails me the logs when they fill up;
My computer is a mil-spec Panasonic CF-28 laptop, water resistant and shockproof, with an armored LCD and a silicone-mounted hard drive in a stainless steel caddy;
My operating system is Slackware Linux which I've hardened. It isn't running any services anyone can try to connect to, and it's running a paranoid iptables firewall which drops all packets I didn't specifically ask for, logging everything sneaky. It's fully patched, and I have different accounts I use for accessing the internet and doing other work (if I'm going to program or write, I disconnect the ethernet cable and log in with my other userid).
I use an up to date Mozilla or Firefox exclusively, and I have software installation disabled (I only enable it when I'm going to get something from the Mozilla site).
For mail, I use kmail, set up so it doesn't automatically display HTML -- I have to choose to view HTML if I know the sender.
I *think* I've thought about just about everything, but who knows? Of course, if something weird happens, I've got good backups so I can rebuild my system in an evening.
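The claim in the post above that the box "isn't running any services anyone can try to connect to" is worth verifying rather than assuming. The script below is an added example, not the poster's code: it decodes the kernel's `/proc/net/tcp` table, lists every socket in LISTEN state, and separates listeners bound to loopback from those bound to an address reachable from the network. The snapshot embedded here is constructed (a print spooler on loopback, sshd on all interfaces, one outbound connection); when run on a Linux host it reads the real table instead. Address decoding assumes the little-endian byte order an x86 host writes into that file.

```python
"""List listening TCP sockets from /proc/net/tcp and flag the ones reachable from the network.

Added example, not from the original post. The sample table is constructed.
"""
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed snapshot: CUPS on 127.0.0.1:631, sshd on 0.0.0.0:22, one ESTABLISHED client socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C3A4 5BD0140A:01BB 01 00000000:00000000 02:00000ABC 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'0100007F:0277' -> ('127.0.0.1', 631).

    The IPv4 address is written in host byte order (little-endian on x86, assumed
    here); the port is plain big-endian hex.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    result = []
    for line in proc_text.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(cols[1])
        result.append((ip, port, int(cols[7])))
    return result


def exposed_sockets(proc_text):
    """Listeners bound to anything but loopback, i.e. reachable from the LAN or Internet."""
    return [s for s in listening_sockets(proc_text) if not s[0].startswith("127.")]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:  # not Linux, or /proc unavailable: fall back to the constructed sample
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid in listening_sockets(text):
        tag = "local" if ip.startswith("127.") else "EXPOSED"
        print(f"{tag:8} {ip}:{port}  uid={uid}")
```

A listener on `0.0.0.0` is only as safe as the firewall in front of it, which is why the post pairs "no services" with a default-drop iptables policy; IPv6 listeners live in `/proc/net/tcp6` with 32-hex-digit addresses and need the same audit.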