pilobilus.net a website that might grow on you

ComSec 101: An Introduction to Network Security

Here Be Pyrates

© 2013 SF Kinney, released under CC BY-NC-ND 3.0 License
http://creativecommons.org/licenses/by-nc-nd/3.0/

In the 20+ years the Internet has existed, many security issues have not changed: Everyone still believes they know all about computer security, and most of what they know is still wrong. The networks are still infested with failing computers, supporting malware ecosystems that degrade service for all users. Non-working security tools ("snake oil") continue to sell at a brisk pace. Everybody still lies, especially commercial software vendors and "certified technicians" (a.k.a. outside sales reps) trained by them. But other things have changed substantially: Surveillance, profiling, and covert manipulation of network users has reached and passed levels that were the stuff of paranoid fantasy 20 years ago, and the noose of network censorship is beginning to draw closed. The Hackers are no threat at all, compared to the Corporate and State actors who have taken control of the public networks. Today, network security is about more than locking hostile parties out of your computer: It means asserting ownership over your property in digital space, and taking back the freedoms that have already been stolen from you by criminals great and small. This is easier than it sounds, when you know the fundamentals.

The information presented here provides a starting point and logical framework for building your own understanding of computer security, developing your own network security policies and "best practices," and enforcing them on a daily basis. No one but you knows exactly what information and communications you are defending, who your potential adversaries are, what motivates them, and what resources they have. There are no one size fits all security solutions, so no one but you can make final decisions about what tools and strategies you will use to protect your assets.

If you spot any substantial errors in this guide, please let me know: Any corrections I make will be credited. If you believe you have learned anything useful here, please pass this document on to others. When any user adopts more effective security practice on the network, all network users benefit. Have fun and be safe.

Security in Context

Perfect or absolute network security is not possible. Security is a spending contest: If it costs an adversary more than it is worth to him to compromise your assets, you win. If it costs you more to secure an asset than the asset is worth to you, you lose.

Defending digital assets is usually orders of magnitude cheaper than attacking them, if the defender uses effective tools and strategies from the beginning. As Lao Tzu said, "It is easy to solve a large problem while it is still small."

Network Security Axioms

  • Everything is under control; your control or someone else's.
  • A trusted system is one that can break your security model.
  • A hardened perimeter is easily broken; a hardened system, not so much.
  • The laws of nations are easily broken; the laws of physics, not so much.
  • In God we trust, all others provide full source code for peer review.
  • Given enough observers, all bugs are shallow.
  • To make a system stronger, attack it.
  • Physical access can compromise any network security model.
  • A failed data backup may cost more than a successful break-in.
  • An unexamined assumption is a ticking time bomb.
  • User refusal is the principal barrier to secure networking.

System Security

Network security is only as reliable as the security of the actual computers involved in network communication. In practical terms, this requires use of a UNIX class operating system such as GNU/Linux or FreeBSD on every machine that hosts any valuable data or performs any security related network functions.

The security of UNIX derives from its file system architecture, where all data, devices, and processes on the system are treated as files. Each "file" has an explicitly defined owner. Access to any file is restricted to the user account that owns it. Other users are granted access only as explicitly authorized by a file's owner, or by root, the super-user account that controls the whole file system. The power to read a file, alter a file, or execute a file as a program is explicitly defined on a per-user basis. Along with data stored on disk, UNIX treats allocated memory blocks, running processes, data streams, etc. as files. The root account is the final authority assigning these permissions, and is used for system administration only.

The UNIX file system architecture amounts to a system of internal firewalls, and it makes UNIX systems immune to all viruses and most malware*. Attacking a properly configured UNIX class operating system on the network is difficult, expensive, and has a low probability of success. The UNIX security model proactively forbids all actions that are not necessary to perform authorized tasks. The objectives of UNIX security are to reduce security incidents to the smallest attainable number, and to limit the damage from security incidents as far as possible.

* Clam AV and similar virus scanners are available for UNIX systems, such as mail servers, where they are used to test files received from untrusted sources for re-transmission to vulnerable Microsoft systems. Some promoters have misrepresented this as "proof" that Linux and other UNIX based systems do need antivirus software.

In strong contrast to the simple, effective security architecture of UNIX systems, Microsoft's DOS/NT systems are permissive by default. Instead of a consistent global security architecture, Microsoft uses a collection of ad-hoc restrictions in an effort to prevent specific classes of malicious action by users and the processes they launch. All of the ~100 million botnet installations presently running on the public Internet are running on compromised Microsoft operating systems. Anti-virus software, PC firewalls and similar add-ons can, at best, partially mitigate the inherent insecurity of Microsoft systems. Tens to hundreds of thousands of Microsoft operating systems are compromised daily via inexpensive automated attacks. The Microsoft security model reactively blocks specific attacks in response to observed security breaches. The objective of Microsoft's security model is to maintain the highest rates of failure, repair and replacement that the market will bear.

Microsoft is widely suspected of installing back doors into its operating systems, and has recently been caught conducting active surveillance of Skype users. It is easy for a vendor to sabotage 'proprietary trade secret' software, and difficult to detect or prove that it has been done - a "good" back door looks like an honest programming error.

Apple's OSX operating systems are based on BSD UNIX, which makes them orders of magnitude more stable and secure than Microsoft operating systems. OSX is not BSD, and has no significant history of use on commercial network servers, so little is known about its performance in a hostile network environment. Although Apple makes source code available, OSX receives much less peer review, documentation, and community support for network security than Free and Open operating systems like GNU/Linux and FreeBSD. The relatively small hacker community associated with OSX is much more interested in illegally "reverse jailbreaking" OSX to run on cheap commodity hardware, than in auditing its security features and running penetration tests against it. Recent security incidents with OSX are not as significant as press accounts would have us believe, but they do indicate an increase in attacks against the OSX platform.

Apple is well positioned to break the user's security and openly does so via DRM and censorship at the software and network service levels. OSX keeps a permanent forensic record of all files downloaded by all applications. iPhone owners can "securely encrypt" the data stored on these devices but Apple can and does routinely break this encryption on demand, indicating that the tool has a deliberately installed back door. Apple's hip, cool, progressive image falls apart if one looks too closely.

Anonymity and Counter-Censorship

Proof of identity, such as proof that a given message was sent by a certain person, or proof that a piece of software was written by the owner of a certain public cipher key, is a core function in network security. However, the opposite case - concealment of identity - is also an important network security function.

The Internet's infrastructure is a vast array of privately owned computers controlled by their Corporate owners and monitored by a diverse collection of State agencies. A rational security model must assume that all network communications may be monitored and recorded by potentially hostile parties, and that any network connection may be subject to deliberate interruption a.k.a. censorship. In some instances a user may choose to reveal his or her identity and the destination and content of his or her message traffic to the whole world. In other instances the authorship, content and/or destination of message traffic may be private or confidential, and protected from public exposure through encryption and/or anonymized mix networking. Those who do not understand and possess the tools for encrypted and anonymized communications have no choice about exposing their identities and every detail of everything they do or say on the network, and no way to publish or read censored materials: These are fundamental security failures.

Mix networking conceals the origin and destination of messages passing over the public Internet by encrypting messages in multiple layers and sending them through a series of mix routers. At each router in this chain the outermost layer of encryption is removed by the router, revealing an encrypted message, and the address of the next mix router in the chain to forward the encrypted message to. The first router in the chain knows which user is sending an anonymous message, but does not know the content or destination of that message. When the message arrives at the last router in the chain, that router knows the destination address and (in some instances) the message content, but not the sender's identity. Routers in the chain between the points of entry and exit do not know the origin, content, or final destination of the message.

This is a basic description of anonymous mix networking as performed by the now obsolete Cypherpunk Remailer network. Modern mix networking technology provides methods for two-way communication, including anonymous web browsing. Today's principal mix networks are TOR, i2p, Freenet and the Mixmaster and Mixminion remailers. The global mix network infrastructure consists of privately owned systems running Free Software tools that provide counter-surveillance and counter-censorship services in the public interest. The resulting confidential networks are sometimes called "darknets."

An unknown number of routers in all mix networks are operated by law enforcement and military intelligence services of various nations, both to conceal their own confidential network traffic and to conduct a variety of attacks against the anonymity of other users. Whether and how far to trust the security of anonymous mix networks is an open question for all users. Court records describe cases where anonymous mix users disclosed their identities to investigators by revealing too much personal information when communicating with informants via anonymous mix channels. No Court records, and nothing in any leaked documents from NSA or other sources, suggests that any anonymous mix protocol has ever been broken. However, network anonymity is an ongoing arms race against very powerful adversaries and the protection provided against State actors by mix networking should not be considered absolute.

Anonymous network protocols should not be confused with pseudo-anonymous networking. A commercial VPN provider or confidential mail service has all the information on hand to identify any user in response to a Court order, or to inadvertently disclose the identities of all their users in the event of a security breach. Whether and how far to trust such services depends entirely on your security model: Who are you defending the data in question from, what methods of attack are available to them, and what are the potential consequences in the event your identity and activities are compromised? Pseudo-anonymous networking may be appropriate for some applications but not others.

Cryptography and Security

Encryption and digital signatures are the bedrock of network security, providing essential building blocks for practical security protocols. Encryption protects data from unintentional exposure. Digital signatures verify both the authorship and integrity of data. To date, modern digital encryption can not be broken and digital signatures can not be forged - although either can be compromised by incorrect usage, or defeated by attacking the computers that perform these functions.

Crypto security depends on several factors: The user must understand the basic principles well enough to make informed decisions about which tools and protocols to use, which purposes to use them for, and how far to trust the security provided. The tools in question must use well known and widely tested and attacked cipher and hash functions; there is no rational basis for assigning any trust to untested or secret cryptographic tools. As a practical rule, the full source code of the actual programs must be published for public review as a partial defense against programmer error or deliberate sabotage. To prevent 3rd party sabotage, the user must verify the author's digital signature on any security tool before installation and use - and never install or use unsigned tools. The user must also consider that no security tool can be more secure than the hardware and operating system it is running on, and that no secret message remains secret after it is transmitted to another user whose system has been compromised.

Symmetric ciphers employ the same key to encrypt and decrypt data. This is a straightforward process where a unique, user-created key governs a complex mathematical function used to scramble the original data, and only the same key and function can restore the data to its original form. Well known symmetric ciphers include 3DES, AES and Blowfish. Ciphers with numerical suffixes, i.e. AES 256 and AES 512, are variants of the same cipher that accept different key lengths in binary notation; AES 256 uses a 256 bit key, AES 512 uses a 512 bit key. Every bit (binary digit) added to the length of a key doubles its effective strength against an attack that just tries all possible combinations; larger keys are usually desirable.

Asymmetric a.k.a. Public Key ciphers employ two keys which are generated in pairs, one to encrypt and one to decrypt data. The uniquely valuable feature of asymmetric ciphers is that party A can openly publish a public key, which parties B, C, D etc. can then use to encrypt messages that only A can decrypt, because only A has the private component of the key pair. A widely used analogy compares this to distributing an unlimited supply of open padlocks that can be used to secure any container, while one person keeps the only key that opens these locks. Asymmetric ciphers include RSA and El Gamal. The ownership of public keys can be confirmed by verifying the key fingerprint with the key's owner face to face (a reliable method), or indirectly by verifying a digital signature added to the key in question by a trusted third party (a potential trouble source).

Message digests a.k.a. hashes, are fixed length numerical values calculated from the entire body of a larger data set such as the text of an e-mail message, a downloaded program file, or a CD ISO file. A digital signature is made by calculating a hash for the data to be signed, then encrypting that hash with the private key of the person making the signature. To verify the signature, the signer's public key is used to decrypt the hash. If the decrypted hash matches that of the signed data, two things are proven: The owner of the private key in question signed the data, and the data in question is a bit-for-bit perfect copy of the data that was signed.

Secure File Storage

The first widely available encryption tool was Pretty Good Privacy. PGP was created by Phil Zimmermann and released to the public in 1991 at risk of Federal prosecution under the Arms Export Control Act; this is why Cypherpunks sometimes refer to cryptographic tools as "mathematical munitions." Commercial versions of PGP are still available, but today's industry standard is GPG, the GNU Privacy Guard. GPG does symmetric (single key) and asymmetric (public key) encryption of text and files, makes and verifies digital signatures and manages collections of keys. As noted above, cryptographic software is mission critical for network security and must include full source code for peer review. Current commercial versions of PGP are closed source, which disqualifies these products from most uses.

GPG enables the user to encrypt individual files, but as a practical matter one can not do this with working directories full of files that may be considered private or confidential. "On the fly" encryption that locks down whole directories, partitions, or hard drives solves this problem neatly. The content of encrypted partitions or containers is inaccessible until the user enters his or her pass phrase to unlock them. When unlocked, encrypted file systems look and act like normal hard drives or directory trees. When an encrypted container is mounted, its key is stored in system memory and a special driver encrypts files being written to the container as they enter, and decrypts files as they are read out of the container. In the event of a system failure or unexpected loss of power, the key is lost from memory leaving the encrypted container closed and locked.

Modern operating systems include built in crypto utilities that can be turned on to encrypt any user account's "home directory" i.e. file storage space. How far to trust this is largely a product of how far one trusts the operating system itself. (See above regarding the back door in Apple's iPhone data encryption tool.) On any system, if the pass phrase used is too short it will not resist a brute force attack. Virtual system memory, a.k.a. the swap space on the hard drive, may contain sensitive data and should itself be encrypted to prevent its contents from being recovered. On a Debian based GNU/Linux system, typing "sudo ecryptfs-setup-swap" at the command terminal will permanently activate this feature if it is not already installed and turned on.

Truecrypt is often used for making secure backups on external hard drives and/or in large container files burned to CD or DVD. It also does this very clever trick: Truecrypt enables the user to create a hidden container inside a container. This feature was first proposed by Julian Assange, who called it "Rubber Hose" in reference to rubber hose cryptography: One may be forced to give up the key to the outer container, without revealing the existence of an inner one.

In May of 2014, Truecrypt's developers abruptly abandoned the project and rather dramatically announced that it "may contain unfixed security issues." An independent code audit project examining Truecrypt has released a preliminary report that includes no surprises or critical security advisories. Archives of all Truecrypt versions have appeared, and at least one team is now forming to take over maintenance and development of Truecrypt.

Hardware Level Attacks

New computers with the Windows 8 logo on them include "Secure Boot," a hardware level attack against the end user who purchases the device. The Windows 8 logo on the outside means that the motherboard inside has been sabotaged to lock out all operating systems except those authorized and digitally signed by Microsoft. These sabotaged units can not run standard maintenance and repair tools and can not run important network security tools such as the TAILS Live USB operating system. "Secure Boot" also prevents a computer's owner from installing any operating system that is capable of secure operation in a hostile network environment. The most practical solution: Do no purchase any product with a "Windows 8" logo on its case or box, and spread the word. Microsoft can strong-arm PC makers into selling broken computers, but they can not force us to buy them.

Microsoft's most ambitious hardware level attack against its customers was called Palladium and later renamed Longhorn. This was a hardware enforced split-level operating system with the machine's owner locked in a restricted sandbox, remotely accessible and fully controlled by Microsoft and its chosen partners in industry and government. This Trusted Computing Platform used advanced crypto protocols to prevent the owners of Longhorn-equipped machines from observing, altering or disabling the remote monitoring, censorship and control functions. For unknown reasons - possibly legal and diplomatic issues - this project was abandoned at the 11th hour. A version of Longhorn without remote surveillance and control functions was hastily built on top of the MS Server 2003 operating system, and rolled out as "Vista" one year behind schedule.

Microsoft is not the only player in the hadrware sabotage game. The popular and very expensive Barracuda network firewall appliance is presented as a way to protect insecure Microsoft systems on a LAN from the dangers of the Internet. It also happens to have hard-coded backdoors enabling Barracuda Networks, Inc. and its chosen corporate and State partners to log in with root access and observe, modify, or even fully reprogram the appliance at will. The owner of the firewall box can not turn this off. Admins who are not comfortable with a factory-rooted firewall box might be interested in clearOS or Smoothwall, Free operating systems with vendor support available by subscription, that turn an unused spare PC into a powerful, configurable, and much more trustworthy firewall appliance. Finding reliable replacements for Cisco appliances with hard coded factory back doors may be more challenging. Per report, "Cisco is a very enthusiastic partner to the Intelligence Community---one of those sensitive relationships managed through the NSA Special Source Operations office."

Further Reading and Practical Exercises

1. Read "A Call to Cryptographic Arms," the introduction to Cypherpunks by Julian Assange (2012), for an overview of the social and political implications of global network surveillance and censorship today:

http://cryptome.org/2012/12/assange-crypto-arms.htm
http://www.orbooks.com/catalog/cypherpunks

Learn about the scope and depth of State and commercial network surveillance and manipulation. This includes routine user tracking and profiling by national intelligence services, and in the private sector by search engines, advertising contractors, social media providers and others. Starting points include:

http://finance.yahoo.com/news/phone-firms-sell-data-customers-231300766.html
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
http://www.brookings.edu/research/papers/2011/12/14-digital-storage-villasenor
http://www.youtube.com/watch?v=DIGdWsxHJlM
http://tinyurl.com/bigbrother-bigfacebook
https://en.wikipedia.org/wiki/Filter_bubble
https://en.wikipedia.org/wiki/Stellar_wind_%28code_name%29
https://w2.eff.org/Privacy/TIA/
http://wiki.echelon2.org/wiki/Romas/COIN

2. Learn about browser plugins and specialty search engines that neutralize most of the routine user tracking and profiling, a.k.a. in-depth intelligence collection, conducted by Corporate actors:

https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/ghostery/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
https://addons.mozilla.org/en-US/firefox/addon/redirect-cleaner/
https://www.eff.org/https-everywhere
https://duckduckgo.com/

3. If you are presently using Microsoft operating systems, start practical work toward transition to using more secure and reliable operating systems. Learning your way around a new operating system may include temporarily dual booting with two operating systems on one machine, acquiring a new (or used) computer for your new operating system, or simply replacing the insecure operating system straight away.

Download and burn a Linux Live CD or DVD and boot a computer using this disc, to start exploring the potentials of Free and Open computing. If the computer does not automatically boot from the CD or DVD, see this how-to doc. Bear in mind that running a complex operating system directly from a CD or DVD provides very slow and limited functionality compared to running the same OS as a normal installation on the hard drive. Booting from a Live CD or DVD does not affect the existing operating system installed on the computer. Check out the user manual for Linux Mint, currently the best Linux distribution for beginners IMNSHO, with complete instructions:

http://www.linuxmint.com/documentation/user-guide/Cinnamon/english_17.0.pdf

4. Obtain and study how to docs on general network security. These are among the best that are currently available, and cover basic to advanced topics in practical detail:

http://en.flossmanuals.net/_booki/basic-internet-security/basic-internet-security.pdf
http://en.flossmanuals.net/_booki/bypassing-censorship/bypassing-censorship.pdf

5. Get GPG, the industry standard tool for e-mail encryption and digital signatures. GPG, like its predecessor PGP, provides a full set of tools for both symmetric and public key ciphers and for making and reading digital signatures. Learn about how it works, and practice communicating with more experienced users until your results are consistently reliable. GPG is available for all operating systems, as is the Enigmail plugin that conveniently integrates it with the Mozilla Thunderbird email program. If you are using a webmail service like GMail or Yahoo!, or an e-mail account provided by your ISP, you might want to get a real e-mail account of your own from a service like usermail.com.

http://www.gnupg.org
ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf
http://www.enigmail.net/documentation/quickstart.php
http://www.madboa.com/geek/gpg-quickstart/

6. Learn about network anonymity tools, try them out and explore their potentials and limitations. As mentioned above, these tools enable users to pick and choose what parts of their Internet activity are open to surveillance, and enable them to both read and publish "censored" documents.

The TOR Browser Bundle is an E-Z end user application for anonymized networking. TOR has four principal functions: 1) Defeating network censorship. 2) Defeating network surveillance. 3) Access to hidden web servers with .onion domain names. 4) Hosting hidden .onion websites. According to PFC Bradley Manning's report, the U.S. Army still uses TOR when conducting open source intelligence gathering on the Internet.

TOR SECURITY ISSUE - Posted September 6, 2013: The TOR Network is apparently under attack from a large scale actor who presently owns 3/4 of the client nodes in the TOR network. Until proven otherwise - or the attack stops - it must be assumed that a major State actor (most likely the U.S., Israel, China or Russia) may be able to identify nearly all TOR users and match their IP addresses to their exit node traffic. The TOR Project believes that this attack is the work of an ordinary Windows botnet, and they may be right. See How to handle millions of new Tor clients on the TOR Blog.

Even if one makes the most pessimistic assumptions, TOR remains useful. It will continue to punch through school, corporate and even national network firewalls. TOR negates surveillance by network service providers and makes users effectively invisible to surveillance and profiling by corporate actors. TOR will continue to reliably protect wireless connections at public venues from eavesdropping or manipulation by J. Random Hacker. But TOR users who have reason to believe that the NSA or another State actor would ever actually do anything with information collected about their TOR-cloaked activities, such as share it with a law enforcement agency or hostile government, or deny/revoke a security clearance, should adjust their security model accordingly.

https://www.torproject.org

I2P, a.k.a. the "Invisible Internet Protocol," is a darknet that does not connect to the open public Internet. I2P is principally used for anonymous file transmission via bit torrent, and publishing easily configured user-made websites. The i2p network also includes forums and news services. Most consider the security of the i2p protocol equal or superior to that of the TOR network. Setting up i2p requires the user to RTFM (Read The Fine Manual), but should not be difficult for anyone who is comfortable installing software.

http://www.i2p2.de

Freenet includes both an anonymizing network protocol, hosting for websites and forums, its own version of USENET and distributed file storage via hard drive space donated by users. The files stored by Freenet on users' hard drives are encrypted and anonymized, protecting users against prosecution for "possession of illegal ones and zeros." The Freenet router requires settings similar to i2p when installed. Unlike TOR and i2p, Freenet is a processor intensive application. Many users report that it does not work and play well with other desktop computer applications.

https://freenetproject.org

7. Recently there has been another major outbreak of idiocy in the online press about "how to make a secure password." All anyone needs to know about passwords, and cryptographic pass phrases, is summed up in one word: Diceware. Replace speculation with fact, opinion with knowledge, and guesswork with reliable procedure:

http://diceware.com

Re-using a password all over the place is a Very Bad Thing, except in cases where you just don't care whether it keeps intruders out. An attacker who succeeds in stealing the password for one service, will try it on all accounts the user has on other services. The corporate network of leading Federal security contractor HBGary was completely trashed because its CEO re-used his password. One's most frequently used passwords will eventually be memorized though simple repetition. For less frequently used credentials, Bruce Schneier's Password Safe is a good bet. Because Libre Office and Open Office use the Blowfish cipher to encrypt password protected documents, an ODT word processor document locked down with a strong pass phrase provides a highly portable, cross-platform solution for secure storage of login credentials and other key personal data.

In Conclusion

No matter where you live, no matter who you are, you have a right to free speech and free association, a right to remain silent, and a right to say "no" to arbitrary search and seizure. Any private or State actor who violates these rights commits a crime by dong so. The Cypherpunk and Hacker communities provide tools and education enabling you to exercise and defend these rights in the world of networked computing, even in the presence of powerful adversaries. The tools are free as in beer (no charge), free as in speech (open source) and free as in Freedom (community property per GPL-model licenses). We are told that these tools are "hard to use" and impose major sacrifices on their users. As a lazy, ignorant, but very demanding user, I find the convenience and reliability of Free Software downright luxurious compared to commercial alternatives. Your mileage may vary.

Your comments and suggestions are always welcome, and of course confidential service is always available: 3B291D0B.asc is my public GPG key, please include your key ID if you prefer encrypted correspondence.