Tag Archives: security

More secure than my bank’s web site?

Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.” I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.

I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).

I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetitive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.

Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must-Staple. I can see no reason not to; it’s so easy to set up.

I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.

The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.
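To make the two checks above concrete, here is an added example (my own code, not from the original post and not from SSL Labs, hstspreload.org or Observatory). It parses a constructed HTTPS response and its plain-HTTP counterpart, reports the header-level reasons hstspreload.org would reject a submission (one-year max-age, the includeSubDomains and preload directives, and an HTTP-to-HTTPS redirect on the same host; the threshold and rule list are my understanding of the current submission rules, so confirm them on the site before relying on them), and lists the hardening headers Observatory scores that are missing or weakly set. Certificate validity and subdomain coverage are not checked; those need a live scan.

```python
"""Offline audit: HSTS preload eligibility plus the hardening headers that
Mozilla Observatory scores.  Added example, not from the original post; the
sample responses are constructed and the preload rules are assumptions."""
from __future__ import annotations

# hstspreload.org currently requires max-age of at least one year (assumed).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_headers(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict:
    """Break a Strict-Transport-Security value into its three directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


# Headers Observatory scores, each with a deliberately simple value check.
HARDENING_HEADERS = {
    "content-security-policy": lambda v: "'unsafe-inline'" not in v,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v),
    "strict-transport-security": lambda v: parse_hsts(v)["max_age"] is not None,
}


def preload_problems(https_headers, http_status, http_location, host) -> list[str]:
    """Header-level reasons hstspreload.org would reject the site (empty if none)."""
    problems = []
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header over HTTPS")
    else:
        d = parse_hsts(hsts)
        if d["max_age"] is None or d["max_age"] < PRELOAD_MIN_MAX_AGE:
            problems.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE}")
        if not d["include_subdomains"]:
            problems.append("includeSubDomains directive missing")
        if not d["preload"]:
            problems.append("preload directive missing")
    # Plain HTTP must redirect straight to HTTPS on the same host.
    if http_status not in (301, 302, 307, 308) or not http_location.startswith(f"https://{host}"):
        problems.append("HTTP must redirect to HTTPS on the same host")
    return problems


def missing_hardening(headers) -> list[str]:
    """Hardening headers that are absent or carry a weak value."""
    bad = []
    for name, ok in HARDENING_HEADERS.items():
        value = headers.get(name)
        if value is None:
            bad.append(f"{name}: missing")
        elif not ok(value):
            bad.append(f"{name}: weak value {value!r}")
    return bad


def audit(host, https_raw, http_raw) -> dict:
    """Run both checks against a site's HTTPS and HTTP responses."""
    _, https_headers = parse_headers(https_raw)
    http_status, http_headers = parse_headers(http_raw)
    return {
        "preload": preload_problems(https_headers, http_status, http_headers.get("location", ""), host),
        "hardening": missing_hardening(https_headers),
    }


# Constructed sample responses (not captured from any real site).
SAMPLE_HOST = "example.com"
SAMPLE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n\r\n"
)
SAMPLE_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
SAMPLE_WEAK = (  # short max-age, no preload, CSP that allows inline script
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_HTTPS), ("weak", SAMPLE_WEAK)):
        print(label, audit(SAMPLE_HOST, raw, SAMPLE_HTTP))
```

To run it against a real site, feed `audit()` the raw header blocks from `curl -sI https://host/` and `curl -sI http://host/`. The value checks are intentionally coarse: a CSP without `'unsafe-inline'` is only the first thing Observatory looks at, not a full policy review.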

I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.

I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.

Apps I Use: Security Software & Hardware (Part 1)

In light of the recent huge DDoS attack against Dyn, which Brian Krebs reports (getting his information from Flashpoint) was apparently carried out using a Mirai-powered botnet, I thought it appropriate to highlight some of the security software and hardware I use to try to ensure that my devices don’t become part of the botnet.

My first layer of defense at home is my router. My current router is in serious need of replacement – its software is buggy and it requires reboots approximately once every month or two (far too frequent for a home router, if you ask me). That said, it’s still useful and here’s why:

  • Port forwarding: Several of my devices use SSH to automatically synchronize files across my home network. I know SSH is overkill for that kind of thing, but it’s easy to set up. Two of those devices are Raspberry Pis, low-power computers which I run mostly headless (I can connect a monitor and keyboard if needed) and I use SSH to control them from my laptop or phone. My point is, none of these things need to receive SSH connections over the Internet, so my router doesn’t forward the standard SSH port to any of them. One of the Pis is, on the other hand, used as a BitTorrent seedbox – other BitTorrent peers can connect to it most easily if I make at least one port of my choosing accessible from the Internet.
  • An unencrypted Wi-Fi network for guests: Until yesterday I ran two wireless networks from the same router: one with strong encryption for my family’s use, and one with no encryption for the convenience of guests and strangers. This separation of networks was to ensure that friends could access the Internet quickly if all they wanted was to watch cat videos on YouTube but would still have to talk to me if they wanted to network with my computers. The principle of least privilege is a key component of good computer security. Now I have chosen to disable the guest network to ensure that strangers’ devices can’t unintentionally use my Internet connection to join a botnet. There is little point in simply enabling encryption on the guest network because then guests would have to ask me for a password, the avoidance of which is the reason the guest network existed in the first place.

I am about to order a new router, specifically a Turris Omnia. It’s very expensive at $246 + shipping, but I hope it’s worth the price. Here are features I plan to use and which are not offered by the router I have:

  • “Advanced network monitoring”: I’ve been experiencing a frustrating problem lately: DNS servers are very slow to respond, sometimes timing out. The problem happens randomly throughout the 24-hour day, not all the time. It lasts for only a few minutes. It only happens at home (no problems when I’m at school, so far). It affects every computer on my home network. It probably isn’t related to the DDoS attack I mentioned earlier because this started at least a week earlier. I can find no way to troubleshoot the problem using my current hardware: my router doesn’t offer any kind of network monitoring/traffic analysis feature, and I can’t insert any of my computers between the router and modem because all of my computers have only one wired ethernet port. If I had a computer with two ethernet ports, then theoretically I could transparently capture and analyze every packet using Wireshark. Michael DeCesare described the problem well: “Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.” My router is my perimeter security solution, and the one I have does not monitor for suspicious behavior.
  • “Active bandwidth measurement” [source]: Potentially useful for troubleshooting, but mostly I’d just watch the colorful graphs.
  • Software updates for the lifetime of the device: “Omnia offers unattended automatic updates to core components of the system for the lifetime of the device.” [source]. Even if the promised automatic updates never happen, this router runs an open source operating system. I could potentially install my own updated copy. I could potentially write my own updates. Imagine that! Being able to fix things yourself rather than waiting for some monolithic corporation to get around to it! Not that I expect to ever actually write my own updates – I’m busy enough with other programming projects – but I like knowing that it’s a possibility. My current router runs a closed-source OS and hasn’t received any updates for a long time. A lack of bug fixes can be a serious security problem, especially for something as central to your network as your router.
  • A “distributed adaptive firewall” [source]: I haven’t yet found any other router that advertises a feature like this. Read the source for a description; I’m not going to copy it here. While this sounds like a feature that would be useless for a small network like mine, I’m choosing to assume that it will be useful. One of the biggest mistakes you can make in the field of network security is to assume that just because you’re small/unknown, you must therefore be a low-priority target and you don’t have to worry about anything. It is laziness like that which makes you so valuable to crackers: they can easily crack into your systems, then use those compromised systems to DDoS larger targets.
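One way to put numbers on the resolver stalls described under “Advanced network monitoring” above, as an added example (my own code, not from the original post and not part of any Turris feature): the probe below sends a bare A query to each resolver every 30 seconds from any host on the LAN (a Pi will do), and logs the round-trip time, the response code, or a timeout with a timestamp, so the stalls can be correlated with time of day and with whether the router’s own resolver or the upstream one is the slow hop. The resolver addresses and the probe name are placeholders to replace; the response bytes used for the self-check are constructed by hand.

```python
"""DNS latency probe.  Added example, not from the original post.
Resolver addresses and the probe name are placeholders; SAMPLE_RESPONSE
is a hand-constructed packet used only for the self-check."""
from __future__ import annotations

import socket
import struct
import time


def build_query(name: str, txid: int) -> bytes:
    """Standard DNS query for an A record, recursion desired, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes, txid: int) -> dict:
    """Return {'rcode': int, 'answers': [dotted IPv4, ...]}; strict on txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def probe(resolver: str, name: str, timeout: float = 2.0):
    """Send one query; return (rtt seconds, rcode) or None on timeout."""
    txid = int(time.time() * 1000) & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        return time.monotonic() - start, parse_response(data, txid)["rcode"]


# Constructed response: txid 0x1234, flags 0x8180 (QR, RD, RA, NOERROR),
# one question for example.com, one A answer whose name is a pointer to
# offset 12, TTL 300, rdata 93.184.216.34.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    RESOLVERS = ["192.168.1.1", "8.8.8.8"]  # placeholders: router, then upstream
    NAME = "example.com"                     # placeholder probe name
    while True:
        for resolver in RESOLVERS:
            result = probe(resolver, NAME)
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            if result is None:
                print(f"{stamp} {resolver} TIMEOUT")
            else:
                print(f"{stamp} {resolver} {result[0] * 1000:.1f} ms rcode={result[1]}")
        time.sleep(30)
```

Leave it running for a day (`python3 dnsprobe.py | tee dns.log`) and compare the two columns: timeouts only against the router’s address point at the router’s forwarder, timeouts against both point upstream. The probe deliberately builds its own packet rather than calling `socket.getaddrinfo`, so the OS cache and the stub resolver’s retry logic do not hide a slow first answer.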

Now, on to the devices themselves. This is an overview, not a complete list. Specific apps may be discussed in future posts.

  • Game consoles: My family has a Nintendo Wii, some DSs, and various other gaming devices. There is no anti-malware software available for these. None at all. We turn these off when not using them, but even that may not be enough: they’re not really off, just in a low-power state that allows them to download software updates. And I don’t think they’ve gotten any updates lately. Which means they are constantly connected to the Internet and running potentially unpatched software.
  • PDAs: As I’ve said before, I use the term “personal digital assistant” to refer to smartphones, tablets, and ebook readers. We’ve got a mix of Android, iOS, and Ubuntu devices. None have firewall or antivirus software installed (Can you recommend some security software? Leave a comment!). I tried to install AFWall+ on my Android phone, but couldn’t run it because it needs root.
  • “Real” computers: Again, different computers have different software. Raspbian on the Pis, Ubuntu and a few versions of Windows on the other computers. Our Windows computers run Norton Security Suite because it’s provided for free by our ISP. On Ubuntu and Raspbian I use Gufw as a firewall and do daily virus scans with ClamAV.