Sunday, June 22, 2014

How Secure is Your part of the Internet?

Problems with Internet security have been much in the news lately as our homes have been getting more and more connected to the Internet with the growth of the Internet of Things. Please note that I'm one of those people who make a distinction between the terms hacker and cracker.

Image borrowed, without permission, from http://ariefuchulz.blogspot.com/2012/02/hacker-vs-cracker.html, apparently the blog of Arief ucHulz.

A specific recent report that caught my eye:

Until We Fix Our Connected Homes, Crackers Will Keep Screaming At Babies

The simple conclusions offered by that article is that if your home is connected to the Internet, to be secure you should:

  1. Take care to set secure passwords on all your devices. Leaving the manufacturer's defaults are just asking for intruders to come by.
  2. Register your devices with their manufacturer so the manufacturer can get in touch with you about security updates. Unsaid is that such registration will open up your e-mail inbox to a likely flood of promotional e-mail (a.k.a. spam).
  3. Keep your device's firmware/software up to date. Unsaid is that not all devices can accommodate updates, and not all manufacturers put much effort into providing updates on old products. Maybe the manufacturer no longer makes that product. Maybe the manufacturer no longer supports that product. Maybe the manufacturer has gone out of business.

The article mentioned briefly that the homeowner had "secured" their home's router that connected their home devices to the Internet. I wished that article had explored that statement in a little more depth. "Securing" a router is quite an essay topic in itself. If you have a router connecting your home to the Internet, please stop and consider how secure is it?

  1. Have you set a secure password so only you have administrator access to your router?
  2. Assuming your router provides you with Wifi (wireless Internet connectivity), have you configured the router to have a serious, non-default password protecting your Wifi network from intruders? There's more than one choice available for Wifi Encryption. Which Wifi encryption option have you picked? If you picked WEP, you'd be well-advised to switch to WPA2. There's freely available software that anyone with a notebook PC within range of your Wifi signal can run (e.g. Automatically crack Wifi with only 30 seconds work. I offer the link as an example, but haven't actually tried to follow that page's instructions myself). The software needs only to listen to your WEP-encrypted traffic for a short time and it will then reveal what the password is that your Wifi network is using. In other words, WEP encryption isn't at all secure if faced with anyone who wants to intrude on your wireless network.
  3. And now we get to the hard question: What is your router configured to do with incoming traffic from the Internet? If the router rejects all packets coming from the outside world, it isn't going to be much use. If you use your browser to visit a web page, you send out packets requesting the web page and web page's server sends back packets that tell your browser what the web page says. If you configured your router to reject those outside packets, you'd likely be most unhappy with your router's behavior.

    Most routers will let you accept only traffic that comes in reply to packets that you sent out to the Internet and that covers most cases. But there are ugly cases where, for example, you initiate an FTP connection and the remote FTP server replies using a different port than the one that you used to initiate the connection. If your router is configured to reject packets that don't look like replies to traffic that you initiated, you're likely going to have trouble doing FTP file transfers.

    A stickier problem is do you ever want to access your home Internet from elsewhere? For example, some folks have home security systems (or perhaps a baby monitor) and want to be able to check in on it from their travel PC while away from home. Almost certainly that requires the router to be configured to allow outside Internet traffic, traffic that isn't in reply to inside-traffic, to come into your home. How secure is your home network to outside traffic coming from a wannabe intruder?

You can try to secure your home, device by device.

Consider, for example, the HP Inkjet printer in my home, an HP 7410 all-in-one printer/scanner/copier with built in Wifi capability. When we first set it up, we put it in a room that didn't have wired ethernet available so we configured it to use that built in wireless capability. Worked wonderfully. Then as I became aware of how easy it was to break WEP encryption, I decided to reconfigure our home router to use WPA2 encryption. Surprise! The HP 7410 printer's built in Wifi support only knew how to handle WEP, not WPA2. I looked into how to upgrade the firmware of the printer, but so far as I can see, the firmware of that printer is permanent, not updateable. Now, for all I know, I could go out and get a new printer that has WPA2 support, and probably has other advantages like, perhaps a faster printer speed and just maybe less expensive ink. (well, I can dream, can't I?). But this printer still works fine, so I'd feel guilty throwing it away just because it doesn't support secure Wifi. So, instead, I grumbled and bought a long Cat-5 cable so I could have a wired ethernet connection from the router to the room with the printer. For less than $10 we also added a wired 8-port 100-base-T ethernet "switch" to that room so we could easily connect all the devices in that room to the wired network. I talked a bit more about my home network back in January. See: Adventures in Home Networking

Barry Shein, one of the early pioneers of the Internet as we know it today, recently posted this note to Facebook:

Internet security is so bad because it was never particularly designed to be secure.

I've been on the net since the 1970s, involved in its technology and politics. I don't remember anyone ever saying or promising "and it has to be secure, right?" until the 1990s.

What happened is in the 1990s a bunch of people figured out how to make A LOT OF MONEY off the net, or save a lot of money, same thing.

But most of their plans required the net to be secure.

So security became a BIG ISSUE. Ok.

It's like coming to a river in your car and thinking hmm, maybe I can just slap some wings on this thing and fly across.

The power of the net is that it enables everyone to share information very easily and very widely.

Now, re-read that sentence with security in mind.

If you aren't uncomfortable yet, I've got more for you to read. Shortly before Barry posted that cautionary note on Facebook quoted up above, he posted on Facebook:

If you try to engage me in a conversation about computer and network security and I don't know for a fact you're an expert I'm going to check whether you read this article. And if you haven't I will politely ice you out.

Everything is Broken

Now there are many different opinions as to what you should do. I don't have the energy or time this morning to track down exact references for what Richard Stallman suggests, but at the risk of mis-reporting what he has in mind, I'll tell you what I think he has said:

  1. Don't trust software that you can't examine and modify on your own.
  2. Don't allow untrusted 3rd parties to have control of the software on your devices. e.g. allowing auto-updates of your PC by Microsoft, Apple,Adobe, Oracle (Java) and Google (Chrome, Android) is imprudent. Even if you trusted the software after careful evaluation of it yesterday, how do you even know what the software you are running today will do?

The trouble with "trust no one!" is that you are cutting yourself off from much of the world. And even if you insist on only running software where you can examine the source code, you likely are only fooling yourself. There's too much software in layers and layers for you to have any hope of being able to detect security problems. Security problems can be quite subtle and hard to recognize. Consider for example the recent brouhaha over the security of OpenSSL in its Debian implementation. The source code was all open and freely available, but it took years for anyone to notice that a security bug had been introduced into the code. The xkcd comic had some good jibes at the security of other open-source systems: http://xkcd.com/424/.

I'll go so far as to suggest that if you refuse to allow auto-update of the software on your devices, you are doomed to never being able to keep anywhere close to current on the latest security updates. There are just too many of them and they come out too often to try to track them by hand. And you'll have a hard time convincing me that the reason you insist on tracking them by hand is you want to research what each one is about before you install it. Good luck with that!

And then there's the problem of web-services like dropbox, gmail, Google drive, Google docs, Facebook, ... Pearltrees, and the list goes on. Generally, you don't get to see the source code that implements those services, and often you have no control over when that service implementation is updated. At some point you have to decide which suppliers you are willing to trust. Stallman will tell you that Facebook surely doesn't belong on that trusted list. My wife has no Facebook account and insists that no one should share her picture or name there. Her children don't buy into that "no Facebook" policy because it would cut them off from keeping in touch with their friends.

I could go on and on, suggesting that you look into "Virtual Private Networks" for securely allowing connections from the outside Internet into your home. But you pretty much have to trust somebody to do the right things to protect you.

But who can you trust? 12 biggest baddest [known] software backdoors of all time. "all time" in that title underestimates what the future could hold. And the article isn't very keen to point out that it is only talking about known backdoors. Goodness knows what unknown backdoors are lurking out there.

In closing, here's a 17 minute TED talk that defends "hackers" as a necessary part of the Internet eco-system. The talk doesn't draw a distinction between hackers and crackers, but so it goes.

Hackers: The Internet's Immune System.