Networks and Security Topics

Hi, I’m Erin.  I’m a student taking a computer science course and our assignment for this module was to create a focused blog (answer some questions and respond to an article) on networks and security topics.

Part 1 – Review Your Password Security

  • How many online accounts do you have that are secured with passwords?
    1. I currently have approximately 40 password-secured online accounts.
  • How many of these accounts are using the same password?
    1. None of my accounts use the same password.
  • How many of your passwords contain words that can be found somewhere in your Facebook page or contain personal information?
    1. None of my passwords contain this type of information.
  • How often do you change your three main account passwords?
    1. Quarterly (approximately every 90 days).
  • How strong are your three main online passwords and your password to login to your own computer?
    1. Using Silent Circle’s password strength algorithm, my passwords for my three most sensitive sites have a crack-rate of over 4 years. The password for my computer also has a crack-rate of over 4 years.
  • List five things that make your password safer.
    1. Avoid using dictionary words
    2. Use passwords/passphrases longer than 14 characters
    3. Mix letter cases (upper and lower), numbers, and symbols
    4. Avoid using words/phrases closely related to your life or descriptive of the account you’re trying to protect.
    5. Change passwords regularly.
  • Conduct a password strength test using your list.
    1. I used a copy of Silent Circle’s password strength algorithm found at: http://andrew.hedges.name/experiments/password-strength/
  • How safe are your passwords? Do your passwords match up to your list or are you missing some elements of security?
    1. My passwords are considered quite difficult to crack (safe). All of my passwords fit the criteria in the list above.
  • What would you give yourself as a password security grade for each of your three main passwords?
    1. I would give each of my passwords a grade of “secure.”
  • What changes should you make to create a safer computing environment?
    1. I currently store my passwords in a file on my computer. While I feel that my computer is fairly secure, I could easily keep a hard copy of my password list (because I can’t remember them all…) in my fireproof safe, and not maintain a digital copy that could be accessed were my system ever compromised.

Part 2 – How secure is your wireless network?

  • Did you change your network (SSID) name? If no, why not? And will you now consider a change?
    1. Yes, I changed my network name.
  • Did you disable the SSID broadcast? If no, why not? And will you now consider a change?
    1. Yes, I disabled SSID broadcast.
  • Did you change the default password on your router? If no, why not? And will you now consider a change?
    1. Yes, my router password changes semi-annually.
  • Did you turn on security protocols such as WEP or WPA? If no, why not? And will you now consider a change?
    1. Yes, my router supports WPA2.
  • Did you create a security passphrase for the protocol? If no, why not? And will you now consider a change?
    1. Yes, but I’m not telling you what it is…
  • Do you restrict access to the network to only certain MAC addresses? If no, why not? And will you consider a change?
    1. Yes, I authorize MAC addresses.
  • Do you limit your signal range? If you are in a neighborhood or building with close neighbors, this can be a good idea. Would this change be appropriate for you?
    1. Yes, I have my router set at the middle range so I can get signal in every room of my house and also out on the porch/garden area. Bringing my router to its low-range does not give me adequate coverage in my home.
  • Have you applied firmware upgrades? If no, why not? And will you now consider a change?
    1. Yes, I check monthly for firmware upgrades, and update the firmware whenever there is a new update.

Part 3 – Explore Something New

The following is in response to the article “The NSA and Snowden: Securing the All-Seeing Eye” by Bob Toxen:

 

In 2013, Edward Snowden leaked over 200,000 top-secret (and above) classified documents from National Security Agency (NSA) servers to reporters.  He smuggled the document copies out of the secure facility in Hawaii on a thumb drive, causing what may be “the most damaging breach of secrets in U.S. history” (Toxen 44).

Snowden did not, however, mastermind some incredible feat of espionage.  He saw an opportunity in the weaknesses of the security set up within the NSA and used that opportunity to make his stand.  Surprisingly, the government agency responsible for national security had an incredibly antiquated understanding of computer security.  People within the NSA argued that, as a system administrator, Snowden had passwords that gave him work-around access to documents that he didn’t have appropriate clearance for.  Apparently, the NSA was not aware of 30 years’ worth of technology and techniques for keeping system administrators from stealing data.  They were also apparently not aware of some fairly simple and standard security measures that would have thwarted Snowden’s efforts, most of which have been in use for over a decade (Toxen 44-46)!

Implementing a technique like “Islands of Security” would keep a single system administrator from accessing the entire system.  The technique is implemented as a safeguard, should someone infiltrate the network.  The different parts of the network are treated like individual “islands” that don’t trust any of the other “islands.”  Each different segment of the network (each system) will have its own root passwords, user passwords, levels of encryption, etc.  Each system should be encrypted and have encrypted backups (Toxen 46).

Adding physical security to each island-system also protects the network from attack.  This security technique involves caging the separate island-systems and installing video cameras for server-room surveillance.  The video recordings can be stored for a long time.  The cages can be dual-locked with each key being controlled by a different individual.  This means two people would have to be present to open the cage and access the computer (Toxen 46).

Toxen says the next security measure is to prevent unauthorized copying.  Disable the ability to use thumb drives and blank DVDs (47).  This also includes unauthorized recording devices, cameras, phones, etc.  Metal detectors set up at the doors can detect these items being brought in.  Most of the techniques to implement this prevention are inexpensive.

Two-factor authentication is the practice of using two identifying constructs to gain access to something.  For example, in order to get access to your bank account at an ATM, you need your ATM card (factor 1: something you have), and your PIN (factor 2: something you know).  Snowden’s ability to access accounts with a higher clearance level than what he had violated two-factor authentication.  He had his passwords (factor 1: something you know), but didn’t have the appropriate clearance (factor 2: something you have).  Further security increases can add biometrics (something you are) which can scan fingerprints or iris patterns and define you as you (Toxen 47).

The NSA was not using Orange Book, a specification that they created for handling multi-level security classifications.  An important concept of Orange Book is not trusting any single system administrator.  Two-person authorization decreases the tendency of dishonest acts, because you’ve always got someone watching you.  The NSA has 1,000 system administrators.  If they were to hire (at the time of this writing) 1,000 more systems administrators to watch the administrators already there, the NSA budget would have increased in payroll by 1% (Toxen 47-48).
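The two-person rule described above, and the dual-locked cage from the physical-security paragraph, can also be applied to the key that protects an island's data. The sketch below is an added example, not code from Toxen's article or from the original post: it uses a 2-of-2 XOR key split (a different technique from the public-key encryption discussed later), and the island and administrator names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def split_key(key):
    """2-of-2 XOR split: either share alone is indistinguishable from random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def fingerprint(key):
    """Digest kept by the island so a wrong reconstruction is detected."""
    return hashlib.sha256(b"island-key-check:" + key).hexdigest()

class Island:
    """One network 'island'; it stores a key fingerprint, never the key."""
    def __init__(self, name, custodians, key_check):
        self.name = name
        self.custodians = frozenset(custodians)
        self.key_check = key_check
        self.audit_log = []  # every attempt is recorded, granted or not

    def unlock(self, presented):
        """presented maps administrator name -> share; returns key or None."""
        who = sorted(presented)
        key = None
        if len(self.custodians) == 2 and set(presented) == self.custodians:
            a, b = (presented[name] for name in who)
            candidate = bytes(x ^ y for x, y in zip(a, b))
            if len(a) == len(b) and hmac.compare_digest(fingerprint(candidate), self.key_check):
                key = candidate
        self.audit_log.append((self.name, tuple(who), "granted" if key else "denied"))
        return key

def create_island(name, admin_a, admin_b):
    """Returns (island, key, {admin: share}); each admin keeps only one share."""
    key = secrets.token_bytes(32)
    share_a, share_b = split_key(key)
    island = Island(name, [admin_a, admin_b], fingerprint(key))
    return island, key, {admin_a: share_a, admin_b: share_b}

if __name__ == "__main__":
    island, key, shares = create_island("archive-island", "admin_a", "admin_b")
    print(island.unlock({"admin_a": shares["admin_a"]}))  # one admin alone
    print(island.unlock(shares) == key)                   # both admins present
    print(island.audit_log)
```

A single administrator's share carries no information about the key, and shares issued for one island are refused by every other island, which is the "islands don't trust each other" property in miniature.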

Along with logging and monitoring events, so the NSA knows who’s accessing what classified documents, they should also not allow system administrators to work remotely from home over the internet.  Classified material should stay classified, and the farther away from the secured building it is, the farther away from staying classified it is.  And while they’re at it, if we stop remotely accessing the system to keep classified materials in the secured building, removable media needs to stay in the building, too.  Ultimately, the idea here is not allowing the classified materials to leave (Toxen 48).

Encrypt everything.  Theft can be prevented with public-key encryption, in which the files are encrypted with the public key, but the secret key (private key) is necessary to decrypt the files.  Since no system administrator would have both keys, something as simple as this would make a smuggled thumb drive virtually worthless.  Furthermore, the NSA should have planned for a potential breach, and had security measures in place to respond to a break-in.  They also should have had quarterly security audits performed by a third party to help them identify any areas of potential weakness (Toxen 49).

Perhaps the most interesting part of this article, for me, was the sidebar on Constitutionality.  Snowden is one of the most well-known whistle-blowers of the common age.  He leaked NSA documents to the press to expose the continuous violations of the Fourth Amendment on the American people.  He is still in exile in Russia, for doing something he thought was morally and ethically correct.  Unfortunately for him, it was still stealing secrets (espionage) and very illegal!

What surprised me was the judicial response to numerous cases brought up as a result of the Snowden/NSA breach.  Only one judge cited in this sidebar ruled in favor of the NSA’s secret surveillance of the American people.  He cited the Patriot Act and stated that people wouldn’t have had the information if Edward Snowden hadn’t broken the law.  The other three judges cited in this section, however, saw a clear violation of Fourth Amendment rights in the NSA’s secret telephone surveillance (Toxen 50-51).

References:

Toxen, Bob. “The NSA and Snowden: Securing the All-Seeing Eye.” Communications of the ACM 57.5 (2014): 44-51. Academic Search Premier. Web. 27 May 2014.

 

Definition:

Two-factor authentication: an extra layer of security achieved by asking the user to use more than one thing to identify him/herself.  Examples include an ATM card and PIN at an ATM to access banking information (something the user has and something the user knows); a password and a fingerprint scan (something the user knows and something the user is); etc.