[security-news] Bulletin #10 - November 11, 2002
security-news-admin at lists.resist.ca
Mon Nov 11 20:06:39 PST 2002
***************************************************************
Security-news <security-news at resist.ca>
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************
November 11, 2002
This week we're adding a new section called "Reading Material" to
highlight interesting books, magazines and other publications that
happen to come our way and relate to the whole activism and security
theme of this newsletter. Please forward any suggestions of reading
material you would like to see reviewed here to secure at resist.ca.
**********************************
Security-news: Issue #10 - Contents
**********************************
* Security tip of the week: Wireless Keyboards
* Reading Material: CAQ 74 & Covert Entry (book)
* News & Analysis: How Hard Would It Be To Trace the Sniper's Phone
Calls?
* News & Analysis: JOINING FORCES How planners are partnering with
local police, convention facilities and city officials to stage secure
events
* How to: Internet anonymity for Linux newbies
*****
Security Tip of the Week: Wireless keyboards
*****
Wireless keyboards are just some of the many wireless peripherals
becoming popular these days - but don't be so quick to switch without
first checking the security implications. Last week it was discovered
HP's wireless keyboards can transmit data to other computers in faraway
buildings. If you are currently using one of these, or another wireless
keyboard, be aware that if the signal emission range is too wide, you
could be broadcasting everything you type.
*****
Reading Material: CAQ No74 & Covert Entry (book)
*****
Covert Action Quarterly No 74 - has lots of good stuff as usual - a
good article in this issue exposing the links between George Soros and
the CIA which certainly begs the question of why radical organizations
would take money from the Soros foundation. Also an article on the
decimation of Posse Comitatus law in the United States (this was the
law that forbade US military services from taking a role in internal
policing) - happening under the guise of anti-terrorism but really
being directed at anti-globalization activists.
Covert Entry: Spies, Lies and Crimes Inside Canada's Secret Service
Andrew Mitrovica
Random House - November 2002 release
This book is based on the testimony and tales of an
agent-turned-whistleblower who worked for CSIS (Canadian Security
Intelligence Service) for ten years. John Farrell, who worked with the
mail intercept program, and Special Operational Services, comes forward
to tell his tale of unlawful behaviour on behalf of Canada's spy
agency. Although Mitrovica comes at the story from anything but a
progressive angle (he is outraged about taxpayer waste in the face of
real terrorist threats), there are some telling moments in the story
that illuminate the type of surveillance methods used during both major
and minor investigations. If anything - Covert Entry provides an
interesting look inside some of the operations of Canada's espionage
agency and the methods by which agents collect data on their targets -
and is a worthwhile and quick read. It's only out in hardcover
currently (and likely not available in the US), but worth tracking down
a copy of.
*****
News & Analysis: How Hard Would It Be To Trace the Sniper's Phone Calls?
By Brendan I. Koerner
Thursday, October 24, 2002
*****
Police arrested two men Thursday morning in connection with Washington,
D.C.-area sniper shootings. Someone claiming to be the sniper placed
several phone calls to police earlier this week. How easy is it for
cops to trace a phone call?
Contrary to what pulp screenwriters seem to believe, it's pretty darn
easy nowadays. Tracing problems are a relic of manual switchboards,
which required operators to physically connect circuits. In order to
track down a caller's location, police needed 10-20 minutes to figure
out the maze of circuits. This is where the cinematic stereotype of
"Keep 'em talking" comes from - shorter calls could only be traced back
part of the way, to a nearby switching station rather than the source
phone.
Digital switches have sped up the process. Beginning in the mid-1980s,
phone companies began using electronic switching systems, which can
automatically identify any caller's number within a fraction of a
second. Those numbers can then be correlated with information from an
automatic location indicator to find the phone's address. There is no
foolproof way to avoid tracing on an ESS network when making a
direct-dial call. (And don't think for a second that hitting *67, which
masks your number to Caller ID boxes, can foil a police trace; it only
works against civilians.)
Some local phone companies allow users to trace calls through a feature
called *57. Users hang up, wait 10 seconds, and then press *57. The
caller's information is immediately forwarded to the phone company's
computers, where it can later be accessed by the police. But the
feature isn't available everywhere, and in some cases it won't trace
calls made with calling cards or through operator assistance.
Mobile phones have proven harder to trace over recent years, but that is
changing, too. The Federal Communications Commission has ordered that,
by 2006, all cell-phone networks must feature location-tracking
technology, ostensibly to assist 911 operators. As a result, many new
mobiles now come equipped with chips that link them into the Global
Positioning Satellite system. Triangulation using coordinates from
adjacent cell-phone towers is another effective tracing technique.
Tracing a phone call is only half the investigative battle, of course.
Few suspects, alas, are dumb enough to stay put after placing a
taunting call to the cops.
Next question?
*****
News & Analysis: JOINING FORCES How planners are partnering with local
police, convention facilities and city officials to stage secure events
By Cheryl-Anne Sturken Photograph by Joseph Pluchino
http://www.meetings-conventions.com/issues/0902/features/feature1.html
*****
In the summer of 1968, a young police cadet in Chicago was just
starting to learn the ropes while antiwar protesters and baton-wielding
patrol officers clashed in downtown Chicago. Charles Ramsey did not
take part in the notorious street battles associated with the
Democratic National Convention that August, but the experience left an
impression on him that would help steer his career. Today, as chief of
police for Washington, D.C.’s Metropolitan Police Department, Ramsey
works proactively to prevent such mayhem. Lessons learned preserving
the peace at high-profile events in the nation’s capital have made him
a nationally respected consultant on how to handle crowds and provide
security at meetings of all kinds.
“Our goals are always the same,” Ramsey says. “We want to protect the
rights of conference attendees to participate in their meetings — and
protect the freedom of any demonstrators to exercise their
Constitutional rights.”
Of the thousands of events held annually across the country, relatively
few are of a nature apt to incite protests. Yet, many citywides that
draw attendees by the thousands — or tens of thousands — do need
law-enforcement assistance in areas like traffic control and on-site
security. For planners of these mammoth events, a city’s local police
department becomes a crucial partner, from the early stages through the
event’s conclusion.
Start early
“It is absolutely critical to involve the security expertise of the
local police force from the very beginning,” says Cynthia Beckman,
chief operating officer of conventions and meetings for the Washington,
D.C.-based Biotechnology Industry Organization. Beckman has been
conferring with Chief Ramsey since this past June in planning her
group’s annual convention, known as BIO 2003, to be held in the capital
next June. “Early planning negates the need for a request for emergency
police assistance,” she says, noting that additional security can be
expensive.
Lt. Eric Rubin of the Denver Police Department knows all about the
strategic value of early planning. This past May, he coordinated
law-enforcement measures when the city hosted the biennial conference
of the Paris-based International Chamber of Commerce — an event for
which his department spent a full year training.
ICC drew 600 delegates from around the world; it also drew 1,000
protesters. Some 700 police officers worked around the clock in 12-hour
shifts, covering a three-block radius around the Denver Marriott City
Center hotel, where the delegates were housed.
“It took time to get everything in place,” recalls Rubin. “There was a
lot of paperwork; everything had to be in writing. We planned for the
worst and hoped for the best — and that’s what we got. Not a single
arrest was made.”
First steps
The planners’ initial point of contact should be the head of security
at the convention center. This person is directly plugged in to the
community and its various law-enforcement factions.
“From the start, convention center officials and staff are an integral
part of the security plan,” says Beckman. “We create strong
relationships with them to efficiently share information and increase
awareness of potential problems.”
In these initial conversations, says Gladys Jones, head of security for
the Washington (D.C.) Convention Center, “We will ask a number of
questions and then determine the event’s threat level. Then we will
tell you, ‘This is your threat level, and this is what we feel
comfortable with having in place.’”
After meeting with Beckman and her staff earlier this year, Jones flew
to Toronto in June to observe how that city’s police handled the BIO
2002 convention. Having firsthand knowledge of an event is critical to
formulating a plan, says Jones, who even attended seminars at the
convention to get a feel for issues the group was facing.
The convention center’s security expert also knows which local and
state law-enforcement agencies have jurisdiction at the facility. “Most
people don’t realize that because our convention center lies within the
district of the Port of San Diego, the harbor police force has
jurisdiction over it,” says Carol Wallace, president and CEO of the San
Diego Convention Center. “But the center sits in the city, so planners
also have to work with the San Diego Police Department on security
issues.”
At times, an outside law-enforcement agency might need to be involved,
says Don Ahl, director of safety and security for the Las Vegas
Convention & Visitors Authority. For instance, for the Shot Show, a
trade event for hunters and ammunition makers, there might be issues to
be discussed with the Bureau of Alcohol, Tobacco and Firearms, he says.
History matters
“We exchange an incredible amount of information with the police,” says
Jack Wilkerson, vice president of business and finance and convention
manager for the Nashville, Tenn.-based Southern Baptist Convention. “I
keep very detailed historical reports on the security aspect of every
one of our conventions — who protested, what group did what, how many
there were.”
Wilkerson expects protesters — the level of disruption is what he aims
to control. During the SBC’s annual convention in St. Louis this past
June, 12 protesters condemning the religious group’s conservative
social positions infiltrated the America’s Center and disrupted the
president’s keynote speech before a gathering of 9,000. The dozen
antagonists were immediately arrested by police on hand, as were 38
others creating a disturbance outside the center.
In the process of sharing information, planners should never assume any
detail is inconsequential, sources agree. Think beyond mere numbers,
dates and the agenda. Even if the event itself is not a target of
protests, a controversial speaker, attendee or exhibitor might well be.
“Some of the things I need to know about a group are how they perceive
themselves, whether the CEO has ever received threats and what it is
that they perceive as a threat,” says Gladys Jones.
“We have a mandatory meeting with the Las Vegas Metropolitan Police to
let them know who is attending our event and who might attract
attention,” says Ernae Mothershed, a spokesperson for the Woodland
Hills, Calif.-based Men’s Apparel Guild in California. Mothershed’s
group meets twice a year in Las Vegas for a four-day trade show that
typically attracts from 80,000 to 100,000 attendees and exhibitors,
along with many celebrities.
“We tell the police if media is coming and if any of the celebrities
are bringing their own security,” Mothershed adds.
Such details are critical to police. “We always want to be prepared,”
says Sgt. Justin McCaffrey, in the intelligence division of the New
York City Police Department. “We never want to scramble.” McCaffrey was
involved in planning elaborate security for the World Economic Forum,
which the Big Apple hosted without incident this past February.
Creating a plan
“As a meeting planner,” says BIO’s Cynthia Beckman, “it is my
responsibility to ensure that our security plan is based on a
thoughtful, complete risk assessment.” Such assessments are developed
by local law enforcement in a variety of ways.
• Agency networking. Many cities establish special-event task forces to
develop and monitor security plans for sensitive events. Some, like San
Diego and Washington, D.C., coordinate the task force’s efforts through
the mayor’s office. Others, such as Las Vegas, maintain an events team
on the police force.
San Diego’s Mayor Dick Murphy created a task force of representatives
from a dozen city agencies to develop a security plan for both the BIO
2001 event and the 2000 Republican National Convention. Mandatory
monthly meetings were held in his office.
In Washington, D.C., some three dozen local, federal and specialized
agencies are part of a special-event task force created by Mayor
Anthony Williams. Says Peter LaPort, director of emergency management
for the city and leader of the task force, “We will advise you of all
the hurdles and hoops you have to jump through.”
A former New York City deputy commissioner who lost several colleagues
and friends on Sept. 11, LaPort says the tragedy has created a much
more “intense interaction” between his and other agencies. “We even
have a representative from the hotel association, because they are now
part of the disaster recovery plan for the city, as is the convention
center.”
For his part, D.C.’s Mayor Williams is aiming to add a greater medical
element to the task force. “We are working closely with the private
sector medical organizations that are vital to responding to an
emergency, such as the American Red Cross and the Washington Area
Hospital Association,” he says.
• Intelligence gathering. Local law enforcement does not rely entirely
on the information provided by event coordinators; the agencies often
research an event’s history themselves.
“A group will tell you what happened internally at the convention
center,” says Capt. Terry Sult of the Charlotte-Mecklenburg Police
Department in Charlotte, Va., “but we will check with the police
departments of other cities where a group has met to find out what
happened externally.”
“I hold regular conference calls with other police executives in the
region to share intelligence and provide updates,” says Chief Ramsey,
who last year unveiled D.C.’s newest tool in event security, the Joint
Operations Command Center. “It is a crucial resource for collecting,
evaluating, analyzing and disseminating intelligence and other
information,” he says.
The Web, notes Lt. Rubin, is a valuable window on activist planning. “A
significant number of groups with an ax to grind will blatantly
advertise when and where they are protesting and encourage others to
join them,” he says. “It’s their legal right, but it also helps us to
understand what might occur and to be better prepared.”
• Community outreach. Critical to an event’s security, say police, is
actively reaching out to a community to let citizens know what they can
expect to happen. And that means reaching out to potential protesters
as well, says Chief David Bejarano of the San Diego Police Department.
“We are very candid with the protesters we identify. We tell them we
recognize they have a Fifth Amendment right, but we make it clear that
if they cross the line into criminal activity, we will take swift
action,” he says.
• Accommodating protesters. Often, cities will establish designated
areas outside the center where demonstrators can express their views.
In San Diego, Chief Bejarano gave protesters at BIO 2001 an area “close
enough to protest, but not close enough to disrupt the proceedings.” To
coordinate who held court and when, his office spread the word that
anyone could sign up for one-hour slots to address the crowd. “It was
pretty peaceful,” says Bejarano.
• Setting the tone. A heavy police presence might deter protesters, but
it also can work against the event. “You have to draw the line between
being intrusive and being transparent,” says Dick MacKnight, assistant
to the president at ICC’s Denver headquarters. “The Denver police did a
wonderful job. You never felt like you were under siege or being
guarded.”
• Using the force. Every city has its own particular rules governing
law enforcement’s role at events. However, several areas generally
require police approval and implementation.
• Traffic control. When several thousand conventioneers descend on a
city, shuttles from the convention center to hotels can snarl traffic
on already congested streets. Talk to police about attendee
transportation plans; often, they’ll suggest alternative routes.
“Sometimes the police will say, ‘You don’t want to go that route,
because traffic gets backed up at that intersection at this time of the
day,’” says the Southern Baptist Convention’s Wilkerson.
• Putting up barriers. Installing barricades outside the convention
center might seem like a wise move, but there are a number of issues to
consider — including exactly where, when and how they can be placed.
For the ICC conference in Denver, the police erected barriers in a
three-block radius around the Denver Marriott City Center. But because
the perimeter fell within private property, the department had to get a
signed release from every citizen affected.
• Permits. When staging a parade, using loudspeakers outside, setting
off fireworks or serving alcohol in a public place, event producers
must seek police assistance. “If your event is staying within the
confines of the Jacob Javits Center, you don’t need any special
permits,” says New York City’s Sgt. McCaffrey. “But if you want to have
a parade on 10th Avenue and shut down some streets, you are going to
need a permit.”
Better ask early, he adds. “We won’t allow two events to take place at
the same time, because it clogs traffic and stretches our resources.
And many annual events have first right.”
• Post-convention police report. Ask the police to create a dossier on
what services and security details they recommended and implemented for
the event, along with their assessment of how the plan worked. This can
be utilized in another city for a future event, saving the police there
a lot of legwork.
Who pays for what
High-profile events can place a tremendous financial strain on a city.
San Diego shelled out $3.5 million in police support for BIO 2001. The
tab for Denver for the ICC conference came to $900,000. In deciding
whether to host an event, city officials say they carefully weigh what
they stand to gain. Chief Bejarano came under fire from San Diego media
for his department’s hefty spending. Yet, he says, “There is a
trade-off. When you host a major event, there is the benefit of a large
number of dollars going back into the city.” In fact, BIO 2001
generated about $14 million in hotel and sales taxes and
conventioneers’ spending, says Scott Barnett, executive director of the
San Diego County Taxpayers Association.
Toronto’s Economic Development Commission estimated that BIO 2002
poured nearly US$20 million into city coffers. (No figures were
available on what it cost in added police protection because of the
event.)
The security needs of more mainstream events, however, are individually
evaluated by police departments, who negotiate with the event organizer
to determine who covers what.
• Protection with a price tag. “Security costs depend on risk
assessment, the complexity of the program, convention center layout,
hotel locations, off-site venues and the size of the police force,”
says Cynthia Beckman. “The more on-duty police officers a host city
will make available for the BIO meeting, the less our overall security
costs.”
“We try to look at the size of the event and a whole host of dynamics,”
says Capt. Sult in Charlotte, Va. “If we find there will be a traffic
control issue, we may request the event organizers pay for the officers
needed to handle that traffic. If something unforeseen happens, then we
will absorb the cost.”
“Small events that want to hire off-duty police officers will have to
pay for them themselves,” says Lt. Rubin.
In Las Vegas, any request for police services, with the exception of
covering protesters, comes out of a show organizer’s pocket, according
to special-events officer Sgt. Linda Atkinson. “All of our overtime
comes from whoever is sponsoring the event,” she notes.
• At no extra charge. Before spending money to have officers control
traffic at peak convention hours or monitor an outdoor event, planners
should find out what the local police are willing to provide at no
cost. For instance, “We have a series of cameras set up around downtown
whose initial use was crime prevention,” says Sult. “We have discovered
they help us dramatically with traffic issues at the convention center.
We can identify potential gridlock and then electronically adjust the
traffic light.”
• Attendees on the alert. The better prepared attendees are, the
smoother the execution of the security process. “We notify attendees to
avoid any surprises,” says Beckman. “You want them to remember the
importance of wearing their badges, of carrying photo identification
and arriving early.”
Unreasonable demands
Law enforcement has to toe the legal line and balance public safety
issues with a community’s best interests. The upshot: Some requests
simply won’t be met.
• Searches. “We are not private guards,” says Lt. Rubin. “Everything we
do must be based on Constitutional rights. We will not search people.”
• Door checks. “We are not going to put people at the door to check
tickets,” says Sgt. McCaffrey.
• K-9 units. “If you have a high profile speaker, we might send a
bomb-sniffing dog, but it is not guaranteed,” says McCaffrey. He
suggests planners work with a security consultant who can provide that
service. But, he cautions, think twice before insisting on it, because
it will prove costly. “If the speaker comes at 8 a.m., the dogs will
have to be in at 6 a.m. to check out the room, and then you will have
to pay for a guard to seal off the room and guard it until the speaker
comes,” says McCaffrey.
• Street closures. “We will never allow the Strip to be blocked off,”
says Sgt. Atkinson of Las Vegas. And, she adds, street closures come
with their own sub-requirements that need to be considered, like
permits for portable toilets and fees for litter collection.
• Police escorts. “Unless you’re the president, you don’t get a blue
light escort,” says Capt. Sult. “And we never make parking-regulation
exceptions. People are always asking us to look the other way — and we
don’t.”
*****
How to: Internet anonymity for Linux newbies
By Thomas C Greene in Washington
28/08/2002 - https://theregister.co.uk
*****
One of the most attractive things about Linux is the number of
installation options one is presented with and how tempting it is to
customize. But for a newbie, in terms of Web security and PC hygiene,
that's also the worst thing about it. The fact is, Windows is easier
than Linux for a casual user to make fairly secure, whereas Linux is
easier than Windows for a power user to make very secure.
For most home PC users, fairly secure is perfectly adequate, and that's
what we'll be concentrating on below. In a week or two I'll get into
details for power users, but for now I'm going to concentrate on a
particular presumed reader: a home user who's fairly new to the Linux
desktop, who's using a packaged distro, and who's not intimately
familiar with PC security -- a 'recovering Windows user', let's say.
Fortunately, Linux is a wise investment; you already have, or can
easily find for free, virtually everything you need to make it secure.
There's no need to buy hundreds of dollars' worth of security utilities
and services, though you do need to learn how to use what you've got.
But before we get to the Internet security matters promised in the
headline, we have some housecleaning to do.
Options up the butt
For those just getting started with Linux, it's easy to end up with a
number of unnecessary services and daemons running, some (not all) of
which may make your box less secure. You've got IRC servers, telnet
servers, print servers, font servers, mail servers, remote admin
servers, Web servers, FTP servers, you name it. The installation
options can be overwhelming; and if you're new to all this, it's a safe
bet that you've got a few things going that you're not even aware of.
The first thing I'd recommend is running a security scanner like SAINT
or Nessus, which are typically packaged free with many distros, against
localhost. This can reveal a number of things you never imagined you
had available on your machine. Most distros also have some sort of GUI
control interface which will make it reasonably easy to turn off what
you don't need. With SuSE, the distro I prefer, this is called the
'runlevel editor', available via the YaST2 control center. It likely
has the same or a similar name in the distro you're using.
Alternatively you can have a look at /etc/init.d and peruse a list of
what's being loaded (just make sure you know exactly what these scripts
do before you start editing or deleting). Shutting off unnecessary
services is the most basic first step in tightening up your machine, so
take a good look at what you've got, and get rid of the extraneous
nonsense. If you don't know what something is, Google on it and get hip.
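The audit below is an added example for this section, not code from the
original article or from any distro. It does the two checks the text
describes in a form you can keep: list the sockets that are actually
listening on the box (using ss or netstat, whichever is installed), and
walk an init.d-style directory flagging scripts whose names look like the
network daemons listed above. The name table is an assumption built from
common daemon names, so extend it for whatever your distro ships.

```sh
#!/bin/sh
# Added example (not from the original article): audit what a fresh Linux
# desktop exposes. Part 1 shows live listening sockets, part 2 flags init
# scripts for network daemons by name. The NET_DAEMONS table is constructed
# for this demo and is not a complete or distro-specific list.

# pattern -> description; a script name containing the pattern is flagged.
NET_DAEMONS='
ircd      IRC server
telnet    telnet server (cleartext logins)
inetd     inetd/xinetd super-server (may start telnet, ftp, finger on demand)
lpd       print server
cups      print server
xfs       X font server
sendmail  mail server
postfix   mail server
httpd     web server
apache    web server
ftpd      FTP server
webmin    remote admin server
'

# listening_sockets: print listening TCP/UDP sockets with owning process.
# Run as root to see process names for daemons you do not own.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulnp
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tulnp
    else
        echo "neither ss nor netstat found" >&2
        return 1
    fi
}

# flag_init_scripts DIR: print "script  description" for every regular file
# in DIR (default /etc/init.d) whose name matches the table. Returns 0 if
# anything was flagged, 1 if nothing was, 2 if DIR does not exist.
flag_init_scripts() {
    dir="${1:-/etc/init.d}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    hits=$(
        for script in "$dir"/*; do
            [ -f "$script" ] || continue
            name=$(basename "$script")
            # table lines: first field is the pattern, the rest is the text
            printf '%s\n' "$NET_DAEMONS" | while read -r pattern desc; do
                [ -n "$pattern" ] || continue
                case "$name" in
                    *"$pattern"*) printf '%-12s %s\n' "$name" "$desc" ;;
                esac
            done
        done | sort -u
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Only run the live checks when asked, so the file can also be sourced.
case "${1:-}" in
    --run)
        echo "== listening sockets =="; listening_sockets
        echo "== init scripts for network daemons =="; flag_init_scripts
        ;;
esac
```

Run it as root with --run to see both lists on the live machine. A
flagged script is a question, not a verdict: anything you cannot explain
should be disabled in the runlevel editor (or by moving its rc symlink)
and the sockets listing re-run to confirm the port is gone.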
Users are safer
One simple thing you can do to avoid remote compromises is to stay off
the Net when you're in the root account. Running IM and IRC clients as
root is positively self destructive. Ditto for opening mail attachments
and HTML mail as root. By choosing Linux you've already made yourself a
lot less likely to get infected by a worm or virus or a malicious
script than a Windows user, so be sure to maximize that advantage. Do
all your on-line business from a user account, and save the root
account for off-line tweaking and tinkering.
Of course this discipline means little if your file permissions are
sloppy. There are lots of commands you can issue from the shell which
are relevant here, but since we're assuming a relative newbie, we'll
try to avoid too much of that. For those interested in what's possible
from the command line, I recommend the book "Linux in a Nutshell" (pun
apparently intended) from O'Reilly Publishing. It's an excellent desk
reference of shell commands. Of course, just by typing a command
followed by --help you'll get the same information, but it is nice to
have it all compiled in a handy hardcopy form.
There are a couple of ways you can set permissions with the GUI and save
yourself a lot of repetitive typing. One is to use Krusader or Nautilus
and simply right-click on a directory, and go to 'properties'. If
you're root, you can make sure that user a can't access user b's files.
But don't go wild here: there are numerous directories, config files,
executables, etc., that users need access to for Linux to run properly.
If you're at a loss to select which directories and files need strict
permissions and which don't, then your distro probably has some sort of
interface with a menu of pre-set rules which you can choose from and
apply globally as root. This will usually be called something like
'security settings', and the options will usually be named something
like 'easy, secure and paranoid'. 'Secure' is probably as far as you
need to go. Chances are this will forbid root logins except via the
command line, so it's best to get all your tinkering done beforehand in
the root GUI account, where things are more familiar to recovering
Windoze users. After that, you'll have to open a shell or supply the
root password to the distro's 'control center' from your user account.
This is definitely the right way to run a Linux machine so long as
you're basically satisfied with how it's set up.
In many households, several people may have user accounts on the same
box. Consider carefully whether these people are friends, or mere
flatmates and acquaintances. If you're using a machine you don't own,
then you have to ask yourself whether or not you trust the owner. If
you don't trust root personally, then don't use his kit for anything
you wouldn't document and publish freely. Root knows everything you do
on his machine. Worse, and far more likely, he may be a well-meaning
idiot who maintains a totally insecure machine connected 24/7 to the
Net.
Conversely, if you are root and the box is shared, make sure you trust
the people using it. Giving a user account to someone you're sketchy
about is a security risk, much like leaving them in your office or
bedroom unsupervised. They may know more than you about how to
compromise a machine from within, which is a lot easier than
compromising it from without.
The best thing to do with a shared machine is to encrypt files you want
to keep private. So get familiar with GnuPG. Just remember that root
has access to your private and public keys, and can run a keystroke
logger on the box and get your crypto passphrase. So as I said, if you
don't trust root, don't use his machine for anything private. Period.
Is he a mere acquaintance? Is he a loyal little soldier of your
employer? Then screw him. Crypto is useless in that situation. Ditto
for all computer equipment you use at work, in public libraries, or
Internet cafes.
On the other hand, if you're the machine's owner and you trust your
users, or you're a user and you trust the owner, then you should
encrypt, though you must be careful to choose a strong passphrase: a
nice, long one combining upper and lower-case letters, numbers and
special characters. Use a phrase that's easy to remember but extremely
difficult to guess or bruteforce. I recommend using a short,
grammatically-valid sentence that makes no sense, like 'sleazy bricks
applaud sideways'. Now misspell some of the words and substitute
characters in a way that's easy to remember, so it looks something like
this: 'sl33Z1E bR1@k$ apPL4ud s!d3w^yz'. Note that we've substituted
numbers and special characters that, at least vaguely, resemble the
letters they're standing in for to make it easier to memorize.
You should also make a backup of your GPG keys and revocation certs,
and store that on removable media in a safe place. It's also a good
idea to submit your public key and, if ever necessary, your revocation
cert, to a keyserver. If you don't know what I'm talking about, then
follow that GnuPG link above and start reading. This is a good thing,
and it's free. Use it.
Your account passwords, especially the root password, should be long
and hard, and you should use MD5 encryption for them and set a time of
ten or fifteen seconds between unsuccessful logins to prevent brute
force and dictionary attacks (you'll find these options in the
'security settings' interface). Don't use a root password of fewer than
ten characters, and always combine upper and lower-case letters,
numbers and special characters.
But since there are a number of ways into any machine, the most
important thing of all is your crypto passphrase. Put the time and
effort into devising and memorizing one which, like our example, is
very troublesome to crack. And make sure you have strict file
permissions on the .gnupg directories. Only root and the specific
relevant users should have access.
Hygiene
Every computer collects files the way a kitchen drawer collects junk.
Over time, many of these become irrelevant, yet they may contain
information one would like to keep private. A good rule of thumb is,
never encrypt when you can wipe. The last thing you need is a directory
full of useless, irrelevant files. This only makes it more
time-consuming to manage sensibly the ones you do need. Go through
your personal files regularly and use a proper wipe utility to erase
the ones you no longer need. Understand that deleting is nothing; to
get rid of a file you have to wipe it. Those files you wish to archive
should be encrypted and copied to a separate directory or removable
media, and their originals wiped. The easiest way to do a proper wipe
is using Krusader or Nautilus and selecting 'shred' instead of 'delete'.
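As an added example (not the article's own code), here is a shell script that does the archive step described above from the command line: encrypt the file into a separate directory or removable medium, check the ciphertext landed, then wipe the plaintext original. It assumes GnuPG and coreutils' shred are installed; the dd fallback for the overwrite is there only for boxes without shred.

```shell
#!/bin/sh
# Added example (not from the article): encrypt a file for the archive,
# copy the ciphertext to a separate directory or removable medium, then
# wipe the plaintext original. Assumes GnuPG and coreutils' shred.

# Overwrite a file in place before unlinking it, so the blocks on disk no
# longer hold the plaintext. Plain rm only drops the directory entry.
# Caveat: in-place overwriting only helps where the filesystem rewrites
# blocks in place; data-journaling, copy-on-write and flash wear
# levelling can leave copies elsewhere on the medium.
wipe_file() {
    f="$1"
    [ -f "$f" ] || return 1
    if command -v shred >/dev/null 2>&1; then
        # -u unlinks after overwriting; -z finishes with a pass of zeros.
        shred -u -z "$f"
    else
        # Fallback when shred is missing: one pass of random bytes over the
        # file's existing blocks (conv=notrunc keeps the same allocation).
        size=$(wc -c < "$f" | tr -d ' ')
        dd if=/dev/urandom of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Encrypt SRC with a passphrase-protected symmetric key, write it to
# DEST_DIR/<name>.gpg, verify the ciphertext exists, then wipe SRC.
# The original is only wiped once the encrypted copy is confirmed.
archive_and_wipe() {
    src="$1"; dest_dir="$2"
    out="$dest_dir/$(basename "$src").gpg"
    mkdir -p "$dest_dir" || return 1
    # --symmetric prompts for a passphrase; that passphrase is the only
    # key to the archive, so pick it as carefully as the GPG one.
    gpg --symmetric --cipher-algo AES256 --output "$out" "$src" || return 1
    [ -s "$out" ] || return 1
    wipe_file "$src"
}
```

Usage: `archive_and_wipe ~/notes/old-minutes.txt /mnt/usbstick/archive` encrypts to the stick and wipes the original; `wipe_file` alone is the "shred instead of delete" step for files you simply no longer need.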
Another notorious junk collector is the Linux swap partition, a
holdover from the days when RAM was expensive and difficult to buy in
fat chunks. It's possible to encrypt it, but probably a bit over the
top for a primer like this and certainly a performance damper. A
simpler approach is to do away with it. I'm running a 2.4.18 kernel
with 512MB of RAM and no swap partition, and I can't detect any
performance hit. Indeed, if anything the system runs better than it
did. If you can afford it, and nowadays it's easy, I recommend
strapping on extra RAM and just not swapping memory to disk. You never
know what's going to end up there, or how long it's going to remain.
Crypto programs are supposed to protect the memory blocks they use and
not let them be swapped out. So what? Are you absolutely certain there's
no way the designers of the program you're using could have made some
obscure mistake which in turn could leave traces of crucial data in the
swap file?
I didn't think so.
The IP battle zone
Now you've purged your Linux box of unnecessary daemons, you've set
your file permissions sensibly, you're working happily from a user
account, and you've got encryption protecting your digital sanctum
sanctorum. It's time to protect yourself from worms and rootkits and
malicious sites and evil scripts and the on-line pestilence of kiddiots
trying to break into your box and Web merchants who couldn't secure a
bowling ball much less your personal data on their lame II$ machine and
nosey Feds and incompetent ISPs and so-called 'Trust Authorities' who
have idiotically sold digital certs to hackers.
Maybe you should buy a hardware firewall, or an Intrusion Detection
System (IDS), or an e-mail virus scanner, or an anonymous proxy service?
Or maybe you should just use your head and stop worrying. Here's how:
There are two things you need to have, and two things you need to do.
The first thing you need to have is a packet filter, otherwise known as
a firewall. Well, you've got one: in the 2.2.x kernel it's called
ipchains and in the 2.4.x kernel iptables. The frontends are called
Bastille on Mandrake (which adjusts other security options as well) and
SuSE Firewall-2 on, what else, SuSE. (Most everyone can use Bastille,
by the way.) I don't play with Dead Rat, so you guys will have to
figure out what yours is called. Now configure it and shut off
everything unless you're running a server (and if you're a newbie you
really shouldn't be doing that just yet).
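What "shut off everything" looks like underneath the Bastille or SuSE Firewall-2 frontend, as an added example (not from the article): a minimal iptables policy for a 2.4-kernel desktop that drops all unsolicited inbound traffic and keeps outbound open. Set DRY_RUN=1 to print the commands instead of executing them; nothing about the rule names or options is specific to any distribution.

```shell
#!/bin/sh
# Added example (not from the article): a minimal iptables policy for a
# 2.4-kernel desktop that shuts off everything inbound, as the text
# advises. Set DRY_RUN=1 to print the commands instead of executing
# them (handy for reviewing the ruleset without root).
IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_desktop_rules() {
    # Start from a clean slate: flush rules, delete user-defined chains.
    run -F
    run -X
    # Default deny for anything arriving at or routed through the box;
    # outbound stays open so the browser, mail and ssh clients still work.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    # Local processes talking to each other (X, local ssh port forwards).
    run -A INPUT -i lo -j ACCEPT
    # Packets belonging to connections this machine itself initiated.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else that arrives uninvited is dropped silently. If you do
    # run a service later, its ACCEPT rule goes above this line.
    run -A INPUT -j DROP
}

# Number of iptables invocations the policy makes (dry run, no root).
rule_count() {
    ( DRY_RUN=1; apply_desktop_rules ) | grep -c "^$IPT "
}
```

Run `apply_desktop_rules` as root to load the policy, and `iptables -L -n -v` afterwards to confirm the INPUT chain's default policy reads DROP.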
The next thing you need to have is a proxy. Quite simply, a proxy is a
remote machine through which you connect to the Net, which forwards
your IP traffic, and which you then appear to be originating from. When
you contact a Web site via an anonymous proxy, it's the proxy's IP
which shows in their logs. There are huge lists of free public proxies
you can use, but most will be dead by the time you find them. Just
Google on 'free proxy list' and you'll find them easily, for what
that's worth.
I like a Socks proxy when I can get one because they're non-caching and
a lot of IP clients support them. But they're very hard to find and
they never last long. Once they start getting popular the admins always
figure out why their bandwidth use is going through the roof and
pass-protect them. Bastards.
On the other hand, HTTP Proxies can be chained for additional Web
anonymity. This is accomplished by constructing a URL thus and copying
it into your browser's address field:
http://firstproxy:portnumber/http://secondproxy:portnumber/http://thirdproxy:portnumber/http://www.destination.com
There are no spaces in the above configuration. This can be done in
addition to any proxy you've loaded in your browser normally with its
setup options.
Take a look at this older article, related to Windows, in which finding
and using proxies is elaborated. The information is fairly general, and
may well be of value to a Linux user.
Because public proxies are uncertain, this is one area where spending a
bit of money may be worthwhile. Anonymizer.com has a proxy service
which uses SSH tunneling, which, unlike most security services, is IMHO
worth the investment.
Here's how it works: you use SSH (Secure Shell) to log in to
Anonymizer's proxy server. This means that your ISP can't sniff your
traffic to the proxy effectively because it will be encrypted. Once
you're on the proxy, everything you send and receive from it will be
anonymous. Only Anonymizer.com will be able to associate you with the
data you've sent and fetched. That's not perfect, but it's not bad.
They have a serious financial interest in protecting your anonymity. I
would assume that they'd only respond to a court order signed by a
judge. If they blow that, and it gets out, they'll be out of business
in a heartbeat.
Unfortunately, they have little in the way of Linux support available,
but through trial and error I've managed to use this service
successfully. You can forward ports to the Anonymizer proxy and use SSH
tunneling for your HTTP, FTP, POP and SMTP clients.
The way to log in is by busting out a root shell, logging in as root
(an ordinary user can't bind the local ports below 1024 used here), and
typing:
ssh -2 -L 80:cyberpass.net:80 -L 25:smtp.yourmail.com:25 -L 110:pop.yourmail.com:110 cyberpass.net -l yourlogin
where yourlogin is your user name on the Anonymizer proxy at
cyberpass.net (ssh's -l option takes the login name; it then prompts
you for your password there).
Now you need to set up your e-mail client and browser to use these
forwarded ports. For the browser, in proxy settings, enter a proxy of
localhost and a port of 80 for HTTP and FTP. In your FTP client, do the
same. In your mail client, in 'network', enter localhost and port 25
for SMTP and localhost and port 110 for POP. Now you should be cool.
Ah, but as for your IRC client, pray. You can select an HTTP proxy, but
it probably will fail. My favorite Linux IRC client is Xchat, but it
returns the error 'proxy traversal failed' when I use it in
conjunction with the Anonymizer HTTP proxy. I e-mailed the x-chat guy,
z@xchat.org and/or zed@xchat.org, asking for insight, but he or she
neglected to reply. Perhaps you should email them too and ask what's up.
On the other hand, ICQ seems to have no problem with this, if you're
using Gaim, for example. IRC will fail, but ICQ will accept the proxy.
That's a good thing -- not a perfect thing, but a good thing.
Once you've got this proxy set up and running with SSH and port
forwarding, you can use your browser with the Anonymizer Web proxy and
their anonymous e-mail for an extra layer of distance from the Net.
I've been using the service for several days now, and I like it. That's
all I'm saying. Whether you should too is not my call.
There's one item causing me some concern which I must reveal. While
surfing the Net with an SSH connection to the Anonymizer proxy at
cyberpass.net, with Java and JavaScript disabled in my browser, but not
using the Anonymizer Web proxy, I found that ShieldsUp at grc.com and
its mighty nanoprobes were able to get my true IP address because
there's no SSL support so far as I know. For browsing I can always use
the Anonymizer Web proxy, fine. But for the rest of my services I want
to know that the SSH proxy alone is secure. After experimenting with it
for a few days, I'm not confident that it is.
Nevertheless, I like it. I just don't trust it completely, and neither
should you.
So much for the two things you need to have. Now let's discuss the two
things you need to do. The first thing you need to do is disable Java
and JavaScript in your browser, and HTML rendering in your e-mail
client. Unlike Windows, Linux makes this easy. It will leave you safe
from a vast number of malicious scripts. From time to time it will be
necessary to enable Java and Javascript for access to certain Web
sites. Turn it on when you need it, and turn it off when you're
finished. Think of it as a tax on your Internet security. Always keep
it off unless you need it, or use a Web proxy which supports it.
The second thing you need to do is shut off your modem when your box is
not in active Internet service. There are reasons why you might want to
leave the machine running 24/7, all right; but there's no reason to
leave it connected to the Net when you go away on holiday. We satirized
the PathLock Internet timer; but that doesn't mean there's no reason to
disconnect from the WibblyWobbly when it's of no use to you. Make it a
habit.
As for your browser, run it tight. Don't allow Java and JavaScript
except where necessary; don't allow the browser to save form-data;
don't allow it to save passwords to important sites like your bank.
Wipe your cookies, browser cache, URL history and typed URLs regularly.
Never add a kiddie-porn BBS to your bookmarks. Get my drift?
Paranoia without anxiety
It's healthy to be paranoid, but grossly unhealthy and quite
unnecessary to be riddled with anxiety. By using common sense and
layers of protection, you can make yourself an unattractive target. By
being paranoid in a healthy way, I mean quite simply that you must
never trust anything.
I definitely don't mean 'be afraid'. There's a whole anti-virus and
computer-security indu$try devoted to frightening you with constant
reference to imminent threats to your on-line privacy and integrity.
It's very much in their financial interest that you be frightened at
all times and that new threats surface regularly to revive that
profitable public-anxiety as older threats fade into memory. Who gives
a shit about Melissa? Phear nimda...
And all the while, the word these parasites throw around most often is
'trust'. I'll pay fifty dollars US (no shit) to the first Reg reader
who forwards me an unedited press release from a security vendor in
which the word 'trust' is absent. But here's the truth -- the kernel of
the security industry's filthy little secret: the only reason you're
vulnerable is because you trust.
So for God's sake stop doing it. Don't trust your firewall; don't trust
your proxy; don't trust crypto; don't trust SSL or SSH; don't trust
your software vendor; don't trust files you get from anywhere,
including your friends and 'official' download sites; don't trust
patches; don't trust your file-wipe utility. Hell, don't trust me.
Trust only what you're absolutely certain of.
In the past month or two we've seen a back-doored version of SSH; we've
seen that SSL, universally trusted for secure Web transactions, is
vulnerable; we've seen a PGP plugin for Outlook that coughs up your
passphrase, not due to a flaw in the algorithm or cryptosystem, but
because the application is susceptible to a buffer overflow. We've also
seen a man-in-the-middle attack against PGP and GPG. You've got three
layers there, algorithm, cryptosystem and application, any one of which
might be broken in any number of ways. Do you know how to spot a flaw
in a complex piece of software like that?
I didn't think so.
And then of course there are key loggers, packet sniffers, Trojans,
rootkits, and the 0-day remote exploits which only a handful of people
know about and for which there are no patches, and for which there may
never be any patches.
Stop the insanity
By all means use security utilities, but never trust them fully. Layer
them, apply common sense, and always assume that no matter what you do,
there will always be several ways to compromise your privacy and
security. The whole game is to leave the smallest footprint possible on
the Web, never to trust other people's equipment, and to make your box
a pain in the neck to crack so that ninety-five per cent of attackers
will simply move on to one of the millions of easier targets hooked up
out there. But be assured that nothing will make a compromise
impossible except keeping your computer in a locked, heavy-duty vault
with no Internet access, which of course is no fun at all.
But to compute and to surf the Web without anxiety, there's an easy
answer: simply refuse to trust your machine, any network whether local
or remote, any security device or service, any crypto scheme, any
Draconian laws against hacking, any ridiculous claims of 'Trustworthy
Computing', any shiny digital certificate, any 'Trust Authority', any
local client, or any remote host with any scrap of data you simply
can't afford to lose control of.
Now you're paranoid in a healthy way, and blissfully free from anxiety.
Your computer, his network server, their shopping cart -- these things
aren't the digital equivalent of bank vaults. So don't listen to the
marketing-department drivel about how 'secure' these things can be
made. Never -- absolutely never -- treat these things as if they were
the digital equivalent of bank vaults, and move on and enjoy your life.
You'll find that the air smells fresher, that food tastes better, and
that you wake every day with more energy and confidence than you've had
in years.
If you're sensible and cautious, applying the common-sense suggestions
we've just considered, the odds against getting compromised will be
very much in your favor. But just remember that, regardless of the
odds, it's mad to wager something you can't afford to lose. Your
credit-card number is no big deal: your total liability is fifty bucks
and you can get a new one in a week or so. Your credit card number,
Social Security number, name, date of birth and address packaged all
together is a far greater worry, so never give out more information
than absolutely necessary to complete a transaction. Never allow
merchant sites to store such information. If they insist on it, do
business elsewhere. Don't let your browser save form-data, or passwords
to important Web sites like your bank. Use a packet-filter and a proxy.
Wipe your browser history, URL history, page cache and cookies
regularly. If your browser doesn't make all of those steps easy for
you, use a different one. You've got the power of the Penguin behind
you; you've got alternatives. Shop around for a good browser.
Personally, I like Mozilla. That doesn't mean you have to.
Now tighten up that machine, get on-line, and relax and enjoy the ride.
Security-news note: We've removed a paragraph at the end here which
advises people not to even bother using crypto on a laptop because it
might get stolen. That's exactly the reason *to* use crypto on a laptop
- so that if it gets stolen, your user data at least remains
unintelligible to the thief.
***************************************************************
Security-news <security-news at resist.ca>
Good computer security is no substitute for good sense!
To sub or unsub - http://resist.ca/mailman/listinfo/security-news
***************************************************************