[sf-lug] addendum to " update from computer newbie"

[Rick Moen]

Quoting jim stockford (jim at well.com):

> But if you power your router off when you're not using it, you're
> about as safe as you can get.

Hmm.  See bottom of message.

> As Rick said, don't bother with firewalls, especially if, as John
> said, you have a router.

The magic protective router is actually exactly as good, and exactly as
bad, as the magic "firewall" (set of address/port filters).  

As Bruce Schneier says, "Security is a process, not a product."  If you
think security resides _at all_ in merely buying something, or adding
something, or switching a script on, then you're fooling yourself.

> It's only moderately unwise to hook an unprotected computer to the net
> and then configure it. 

More specifically, before you connect a newly installed system to the
Internet, you should make sure you know what services are visible on it,
and turn them off if you suspect they're vulnerable.   This really tends
not to be a significant problem with Linux boxes, unless you do
something utterly daft like, in 2006, install a default installation of
Red Hat Linux 6.2 (released September 2000) and immediately connect it
to the raw Internet.

(Just to be really clear:  RH 6.2 should not be installed AT ALL at this
late date.  Nor should RH9, even.  Old distributions are hazardous, and
should be scrupulously discarded rather than used.)


> There are claims of a few attacks per hour on any and every computer
> node on the internet. 

And that and $1.50 will get you a ride on Muni.  ;->  Practically all
"attacks on computer nodes on the Internet" are pathetic automated bots
attempting to find low-hanging fruit resulting from people being
unbelievably negligent, e.g., deliberately disabling their distros'
semi-automated maintenance regimes or leaving ssh daemons enabled with
easily guessed username/password pairs.  (The latter having been said,
you have more to worry about from people using _strong_ passwords on
other systems along with yours.  See:
http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html
for how VA Linux Systems^W^W^W an unnamed technology firm screwed itself
in this area.)


> But if you've got a little router on the DSL, I'd say you're safe.

You'd look pretty silly saying this if, say, somebody sends your Web
browser some unsafe Javascript via TCP port 80, and it wreaks some bit
of havoc on your machine.  That little router doesn't block port 80, doe
it?  If it did, you'd not be able to brose the (unencrypted) Web.

> Most attacks are username-password blitzes.

Bad logic:  Generally speaking, most attacks are pathetic.  One of the
many ways to go astray in security is to count "attacks", and assess
risk accordingly.  Risk is not in the least proportionate to volume of
attack, you see.

> Have long passwords (more than eight characters) and mixed case with
> at least one numeral and at least one punctuation character--go for
> more-than-ten- character passwords to really increase security.

OK, here's one full scenario that plays hob with that (reasonable, but
not sufficient) recommendation:  Let's say you're a system administrator
working at VA Linux Systems^W^W^W a prominent technical firm.  One day,
you SSH out from the crown-jewels corporate LAN to
shells.sourceforge.net^W^W^W^W^W^W a public shell server operated by the
company but where a large number of members of the public have shell
accounts.  Then, you make the fatal error of doing an SSH or SCP back
into your corporate LAN, thereby using your 8+ digit, mixed case,
letters and numbers SSH login password and username _on_ the public
shell server.

Why fatal?  Because, unbeknownst to you, some bad guy at a university
had managed to crack root access on a university Unix machine, and
installed a "trojaned" copy of the ssh client, one that conveyed
secretly to himself the security tokens of all subsequent outbound SSH
sessions.  An innocent college student at that university had done
exactly that, SSHing to his developer account on the technical firm's
public shell server.  The bad guy now possessed a stolen set of
credentials to impersonate the college student's legitimate access to
the shell server.

The bad guy thus SSHed into the shell server -- some months before the
sysadmin made his fatal error.  Now, he had plenty of time, because his
presence _looked_ legitimate:  He appeared to _be_ the college-student
developer.  Taking plenty of time, he studied the shell server from the
inside, and eventually found a vulnerable bit of privileged software
that the company hadn't upgraded yet.  He used a canned attack against
that software, and used it to crack root.  Now, he "owned" the shell
server -- and of course followed up by installing a trojaned
/usr/bin/ssh (SSH client) there, too.

The sysadmin then blithely made his fatal mistake.  A day later, the bad
guy realised, reading his new stolen credentials, that he could now
impersonate the blundering sysadmin, _going right into_ the corporate
LAN.  He did so, broke into everything else he could find, and finally,
out of boredom, opened an IRC session on the secret internal-company IRC
server and mocked the CIO as incompetent.

Much unhappiness ensued, but this story is already long enough.  The
point is that, even if the sysadmin followed all of your guidelines, 
and even if he'd switched to public-key keypairs instead of passwords,
he'd still compromised his entire corporation because of not thinking
about the implications of SSHing (or SCPing) _into_ a sensitive
corporate network from a machine he had no reason to trust.

Moral:  There's really no substitute for understanding what's going on,
and people who say "DSL routers" or "firewalls" are a magic talisman are
mistaken.


> Don't have "joe" accounts.

Good advice -- but the term "joe account" usually refers to easily
guessable usernames that _also_ have easily guessable passwords.
E.g., if your system includes username/password guest/guest, and you
even sometimes have sshd enabled, you'd better make sure it's a username
disallowed for incoming ssh.  ;->

> If I followed my advice, my login would be jstockford or some such.

An interesting problem:  Any user who has personal Web space probably
cannot benefit from an unusual username.  Consider my personal Web
pages: They're at http://linuxmafia.com/~rick/ .  Now, if I wanted to, I
could switch from username "rick" to username "rumplestiltskin".  But
then anyhow harvesting usernames from the Web would eventually come
across http://linuxmafia.com/~rumplestiltskin/ , you see, and I wouldn't
really have gained much.

> Keep your computer off except when you're using it.

This is often suggested, but really reducing the amount of time your
machine is connected doesn't do much in itself -- nor does being on a
slow modem line instead of broadband.  Vulnerable is bad even for ten
minutes on a 9600bps PPP line.  ;->

Really, the measures you're suggesting _aren't_ the ones that work.  
I've already posted URLs to my own screeds on the subject.  Here's 
Marcus J. Ranum explaining the fundamentals about as well as anyone ever
has:  http://www.ranum.com/security/computer_security/editorials/master-tzu/

I link to that from one of Moen's Laws of Security:
http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3