Defense-in-Depth - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Defense-in-Depth
Securing Your System Using a Layered Security
Approach
  • By
  • Richard Hammer
  • LANL
  • LA-UR-08-2558

2
Overview
  • Relative Risks
  • Threat Vectors
  • What attackers need us to do
  • Things Everyone Can do
  • Client protections Summary

3
Goal!
  • Secure your system so you
  • Do not lose your identity if system is stolen
  • Feel comfortable storing and processing personal,
    financial, business, and sensitive information
  • Feel comfortable making online transactions

4
Old and New Threats
5
What attackers need from us!
  • Need us to execute a program
  • Need us to NOT securely configure our programs
  • Need us to NOT pay attention
  • Need us to NOT patch
  • Need us to be careless, gullible or curious
  • Need us to NOT understand the technology
  • It's that easy because we allow it to be that
    easy
  • Frank Abagnale

6
Things we all can learn to DO!
  • Compute as an Unprivileged User if possible
  • Understand E-mail
  • Understand Web Browsing
  • Encrypt our Data
  • Know what is connecting in/out
  • Actually do it!

7
Hackers do not like unprivileged users
  • They cannot change system settings
  • They cannot install programs that change system
    settings
  • They cannot undo security settings
  • Reboot will normally put system back into secure
    state again.

8
Which is more secure?
  • Storing your credit card in your wallet
  • Or
  • Storing your credit card number on your computer

9
Protecting data at rest (Powered Off)
  • Physical Security
  • Encryption
  • Nothing else will work
  • Remove the disk
  • Reset password
  • Boot off cracker media
  • Boot a Macintosh into Target Disk Mode (hold T at startup)

10
Harddrive/File Encryption
  • TrueCrypt, Guardian Edge, WinMagic, PGP,
    Pointsec, Cypherix, Calibex, many more!
  • Hardware
  • Fortezza
  • Harddrives
  • Windows EFS/BitLocker
  • Apple FileVault
  • Bcrypt
  • Entrust ICE
  • Entrust PGP

11
Apple FileVault
12
Built-in Windows encryption
13
System Up and You Are Logged In (Includes Sleep
Mode)
  • No longer protecting Data
  • Full disk encryption
  • Hardware encryption
  • Windows EFS/BitLocker or FileVault
  • Protecting data until password entered
  • Encrypted Disk Image (MacOSX)
  • Entrust, PGP, TrueCrypt, Bcrypt
  • Other 3rd party encryption products

14
Entrust/PGP File Encrypt Options
15
Goals of Cryptosystems!
  • Ensure
  • Confidentiality
  • Integrity
  • Authentication
  • Non-Repudiation

16
Cryptosystems Problems?
  • You might lock yourself out forever!
  • Key Management
  • Key Distribution
  • Password/Passphrase Protection
  • Can't encrypt/decrypt offline?
  • Speed?
  • Export? (GOV export authorized)

17
What will Defeat Encryption
  • Not protecting the password
  • Sleep mode and fast switching
  • Freeze spray, shutdown/leave
  • Malware
  • Keyboard Loggers
  • E-mail Infections
  • Not paying attention to warning messages
  • Backups

18
Understanding e-mail
  • Clear text e-mail is completely unreliable.
  • How do you recognize bogus e-mail?
  • What is URL redirection?
  • How do you protect yourself?
  • Outlook?

19
Why you should not Trust Clear Text e-mail
  • Do not know who sent it
  • Do not know who sees it
  • Do not know where it went
  • Do not know who read it
  • Do not know if content changed
  • Still on server, backups?
  • Sys Admins have full access

20
Encrypting e-mail?
  • Only Intended Recipients can read messages or
    open files
  • Data has not been modified
  • Data is from the expected source
  • Not seen on the wire
  • Not just SSL/TLS to server
  • PGP/SMIME/Entrust

21
Entrust Encryption Example?
22
PGP/SMIME Encryption Example?
23
SMIME/PGP/Entrust e-mail
24
Phishing right here in LA!
  • Guy Lisella
  • Anytime they ask for personal information, it's
    a scam.
  • Legitimate businesses will NEVER ASK for personal
    information to be transmitted over clear text
    e-mail!
  • If unsure, call them.

25
How do you recognize bogus e-mail?
  • Do you know the sender?
  • Is the offer too good to be true?
  • Embedded links that point to an address that
    doesn't appear right.
  • Your email address is not listed on the TO or
    CC.
  • The FROM and Return-Path don't match.
  • Unexpected attachments.

26
What is wrong?
27
Understanding URLs/Redirection
  • http://computername.domainname/directoryname/indexfile.html
  • Where you thought you were going
  • http://www.dncu.com/login.aspx?update
  • http://63.214.247.170/login.aspx?update
  • Where you are redirected
  • http://www.dncu.org.hi-position.com/register/login.html
  • Computer name: www
  • Domain name: dncu.org.hi-position.com
  • IP Address: No longer registered, but was
    202.168.210.1XX
  • Directory: register
  • Index file: login.html
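As an added illustration of the breakdown on this slide (example code, not part of the original presentation), the Python below splits a URL into the same parts the slide names and flags the two tricks shown: a bare IP address in place of a name, and a familiar brand buried as a sub-label of a domain someone else controls. The `EXPECTED_DOMAINS` allow-list is an assumption made for the example, and "registrable domain" is approximated as the last two host labels, which ignores public suffixes such as co.uk.

```python
"""Added example: decompose a URL and flag look-alike hostnames."""
from urllib.parse import urlsplit

# Assumption (constructed for this example): the registrable domains the
# user actually intends to transact with.
EXPECTED_DOMAINS = {"dncu.com"}


def decompose(url):
    """Break a URL into the parts named on the slide: computer name,
    domain name, directory and index file (plus scheme, host and query)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    directory, _, index_file = (parts.path or "/").rpartition("/")
    return {
        "scheme": parts.scheme,
        "host": host,
        # the first label is a computer name only if a domain follows it
        "computer_name": labels[0] if len(labels) > 2 else "",
        "domain_name": ".".join(labels[1:]) if len(labels) > 2 else host,
        # last two labels: an approximation that ignores suffixes like co.uk
        "registrable_domain": ".".join(labels[-2:]),
        "directory": directory or "/",
        "index_file": index_file,
        "query": parts.query,
    }


def looks_like_phish(url, expected=EXPECTED_DOMAINS):
    """Return a reason the URL is suspicious, or '' if it is an expected site."""
    info = decompose(url)
    host = info["host"]
    # A raw IP address instead of a name hides who owns the server.
    if host and host.replace(".", "").isdigit():
        return "host is a bare IP address"
    actual = info["registrable_domain"]
    if actual in expected:
        return ""
    # Brand used as a sub-label of another owner's domain, e.g.
    # www.dncu.org.hi-position.com is really hi-position.com.
    for domain in expected:
        brand = domain.split(".")[0]
        if brand in host.split(".") and actual != domain:
            return f"brand '{brand}' appears in hostname but actual domain is {actual}"
    return f"unexpected domain {actual}"


if __name__ == "__main__":
    for u in ("http://www.dncu.com/login.aspx?update",
              "http://63.214.247.170/login.aspx?update",
              "http://www.dncu.org.hi-position.com/register/login.html"):
        print(u, "->", decompose(u)["domain_name"], "|", looks_like_phish(u) or "ok")
```

Reading the hostname from the right is the habit worth teaching: the owner of `www.dncu.org.hi-position.com` is whoever registered `hi-position.com`, no matter what the left-hand labels say.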

28
Look at the e-mail header
  • Eudora: the "Blah, Blah, Blah" button
  • Outlook: View > Options, or right-click > Options
  • Webmail: click on Full Headers
  • Thunderbird: menu bar, View > Headers > All

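Once the full headers are visible, the checks from the "How do you recognize bogus e-mail?" slide can be applied mechanically. The Python below is an added example, not part of the presentation: it parses a raw message and reports a FROM/Return-Path mismatch, a recipient list that does not include you, an unexpected attachment, and a link whose visible text names a different host than the one it really goes to. The message, every address and domain in it, and `MY_ADDRESS` are constructed for the example.

```python
"""Added example: run the slide's bogus-mail checks over a raw message."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Constructed sample message: every address, domain and file name is made up.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-blast.example.net>
From: "DNCU Member Services" <service@dncu.example.com>
To: undisclosed-recipients:;
Subject: Update your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please <a href="http://www.dncu.example.org.hi-position.example.net/login.html">log in at www.dncu.example.com</a> today.</p>
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"

MZ...
--b1--
"""

MY_ADDRESS = "me@example.com"  # assumption: the reader's own mailbox

HOST_RE = re.compile(r"\b((?:[\w-]+\.)+[a-z]{2,})\b", re.I)   # hostname-like text
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_message(raw, my_address=MY_ADDRESS):
    """Return one warning per slide check that fires; empty list means nothing odd."""
    msg = message_from_string(raw)
    warnings = []

    # FROM and Return-Path don't match: envelope sender vs displayed sender
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and _domain(return_path) != _domain(from_addr):
        warnings.append(f"From domain {_domain(from_addr)} != "
                        f"Return-Path domain {_domain(return_path)}")

    # Your address is not listed on To or CC
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if my_address.lower() not in recipients:
        warnings.append("your address is not on To or Cc")

    # Walk the MIME parts for unexpected attachments and misleading links
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            warnings.append(f"unexpected attachment {part.get_filename()}")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in LINK_RE.findall(html):
                href_host = (urlsplit(href).hostname or "").lower()
                for shown in HOST_RE.findall(text):
                    if shown.lower() != href_host:
                        warnings.append(f"link text shows {shown} but goes to {href_host}")
    return warnings


if __name__ == "__main__":
    for w in check_message(RAW_MESSAGE):
        print("WARNING:", w)
```

None of these checks proves a message is fraudulent on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is why the slide ends with "if unsure, call them".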
29
Give me the money?
30
Stop Right There!
31
E-mail client configuration
  • Do NOT auto execute anything
  • Do NOT automatically download HTML graphics
  • Do NOT display graphics in message
  • Do NOT allow executable html content
  • Do NOT display emoticons as a graphic
  • Do NOT use Microsoft viewer.

32
Entourage Settings
33
Before and After (Mac Mail)
<Display Remote Images in HTML Message>
34
What's Wrong? Unknown sender, not addressed to
me, has an attachment I did not expect.
35
Virus protection caught it three weeks later,
don't be the first to open it!
36
Which is more secure?
  • Paying for a dinner with a credit card
  • Or
  • Online purchase

37
Compare the two!
38
Web Browser Security
  • Understand how it works
  • SSL/TLS
  • Privacy Settings
  • Security Settings
  • Warn me is always a good option when not sure
  • Scripts
  • Understand Threats
  • Internet Explorer?

39
Web Access (SSL/TLS)
  • SSL Developed by Netscape (1994)
  • Certificate Exchange
  • System to System
  • Certificate Authority
  • Should only use SSL 3.0 or TLS 1.0
  • Is it secure?
  • Redirection
  • Man-in-Middle Attack

40
Keeping Track of State
  • SessionID
  • https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy-1
  • Cookie
  • Persistent
  • Non-Persistent
  • Hidden Form Element

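As an added example (not from the presentation), the two functions below identify which of the state mechanisms listed on this slide a site is using: whether a session identifier rides in the URL, as in the jsessionid example above, and whether a Set-Cookie header creates a persistent cookie or a non-persistent one that disappears when the browser closes. A token in the URL is worth noticing because it lands in browser history, proxy logs and Referer headers. The Set-Cookie strings and the second URL are constructed for the example.

```python
"""Added example: spot session state carried in URLs and classify cookies."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used for session tokens (assumption for the example).
SESSION_KEYS = {"jsessionid", "sessionid", "phpsessid", "sid"}


def session_id_in_url(url):
    """Return the session token if it travels in the URL, either as a
    path parameter (';jsessionid=...') or a query key, else None."""
    parts = urlsplit(url)
    # Servlet-style URL rewriting puts the token after ';' in the path
    for param in parts.path.split(";")[1:]:
        key, _, value = param.partition("=")
        if key.lower() in SESSION_KEYS:
            return value
    # Some sites use an ordinary query parameter instead
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SESSION_KEYS:
            return values[0]
    return None


def classify_cookies(set_cookie_headers):
    """Map cookie name -> 'persistent' (has Expires or Max-Age, survives a
    browser restart) or 'non-persistent' (session cookie, gone on close)."""
    result = {}
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            persistent = bool(morsel["expires"] or morsel["max-age"])
            result[name] = "persistent" if persistent else "non-persistent"
    return result


if __name__ == "__main__":
    print(session_id_in_url(
        "https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy-1"))
    print(classify_cookies(["sessionid=abc123; Path=/; HttpOnly",
                            "prefs=dark; Max-Age=31536000; Path=/"]))
```

The classification matters for the "Close browser and clear settings" advice later in the deck: clearing a non-persistent cookie happens by closing the browser, while a persistent one stays on disk until it expires or is cleared.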
41
Firefox Security Settings
42
Man-in-Middle
43
Warning, should I proceed?
44
Secure ???
45
Clearing Privacy Settings (Firefox)
<Tools><Options>
46
Security Settings (Firefox)
<Tools><Options>
47
Firefox - noscript
<Tools><Options>
48
Firefox noscript (2)
49
Secure Web Transactions
  • Open New Browser
  • Ensure SSLv3/TLS
  • You initiate connection
  • Only go to sites associated with transaction
  • Use noscript and only allow needed scripts
  • Pay attention to error messages
  • Logout when done
  • Close browser and clear settings

50
Personal Application layer firewalls
  • ZoneAlarm
  • Little Snitch/Apple Firewall combo
  • In/Out protection
  • Can distinguish between different programs
    connecting out on same port
  • Will teach you which applications really connect
    out from your system

51
Connecting out, Really?
52
Same Port, different program
53
Client Protection Summary
  • User vs Admin Privilege
  • Virus Protection
  • Spyware/Adaware Protection
  • Keep systems and applications patched
  • Backup your data
  • Secure program settings, don't auto execute and
    turn off autoplay.

54
Client Protection Summary
  • DO NOT open attachments unless you expect them.
  • Don't click on embedded links
  • Pay attention to warning messages
  • POP-UP blockers
  • Clear privacy settings
  • noscript

55
Client Protection Summary
  • If it's too good to be TRUE, it is!
  • When configuring programs keep personal
    information to a minimum.
  • Remove programs you don't need
  • Stay away from shady web sites
  • One-time Credit Card Numbers
  • Shutdown when not using
  • Disconnect from the network if you don't need to be
    on it.

56
Client Protection Summary
  • Encrypt sensitive information
  • Application Layer Personal Firewall
  • Outlook and Internet Explorer
  • Consider replacing these programs.
  • Keep them patched.

57

Educate Yourself!