Sunday, January 27, 2013

Data Privacy Day Prep Part 5: Network Security

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk and publish reminders about it. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 5; it's about Network Security. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

An important definition:

  •  Man-in-the-Middle attack: Any attack wherein someone intercepts the data you send to and receive from someone else by acting as a relay ("in the middle"). This can be done in numerous ways (ARP and DNS poisoning being two common methods, though many other methods exist) but the end effect is the same: your information and communication are compromised. Your passwords can be stolen and your sessions hijacked. This threat is an increasingly common problem on wireless networks, and can even affect mobile telecommunication networks (around $500 and enough know-how is the current going rate, FYI).

Networks

Your local network is an important point of security. A properly set up one will allow easy sharing and collaboration while simultaneously keeping out those who would intrude on it from the outside. This section will cover your local network, your local computer, and how to protect your computer and privacy when on public networks.

Your Wired Network

For a wired network, you don't have as much to worry about. Make sure not to use the DMZ your router allows: this is a black hole for security and offers nothing over properly forwarded ports. Every forwarded port should have a distinct purpose; otherwise, don't forward it. Disable remote/WAN administration (might be buried in there somewhere). Make sure to keep the router nice and updated with any new firmware releases (better yet, use custom firmware like DD-WRT, OpenWRT, or Tomato), as they patch various security flaws. Next you should change the username/password for logging into your router. Finally make sure your router firewall is enabled; it's one of the nicest features they have. While not necessary, disabling UPnP can add a little more security by closing any unpatched vulnerabilities it may have and keeping rogue software from dynamically forwarding ports. Being careful is simpler and more friendly, though.

Your Wireless Network

Wireless networks are another thing. On top of all the above, you NEED to be using WPA2 with AES. Nothing else is secure!!!! Well, nothing you can reasonably implement, at least. This checklist is pretty good; the only two things I disagree with are using MAC filtering and disabling SSID broadcasting. If someone knows how to crack a WEP key, they can easily find out how to spoof a MAC address or uncover an invisible network. Both also come with significant disadvantages while offering no real security. As mentioned in that checklist, make your WPA2 key very complex. You don't need to worry about forgetting it: write it down and stick it to your router. If someone is in your house, your WPA2 password isn't going to keep them out of your network. If you want to be secure with your WPA2 key, consider using the same password strategies mentioned in the passwords section.

 But what about your WEP-only devices? I've not tried it yet myself, but here is a guide on how to set up a virtual wireless network for your WEP devices. Other options are to set up a wireless access point with WEP for when you want to use your DS/other WEP-only devices, and just unplug the WAP when not using it. Everything else will be on your normal WPA2 connection.

 A very new development in attacking WPA/WPA2 networks is to skip breaking the WPA/WPA2 encryption and instead have the router give you the password. A common feature included in many modern routers is Wi-Fi Protected Setup (WPS). Unfortunately, this is a weakness as it is a simple (generally hardcoded) PIN that is very easy to brute-force. Lifehacker did a full rundown of this attack vector and the primary tool to abuse it (Reaver), which I suggest you read so you can stop it from happening to you. A redditor created a wonderful spreadsheet of many common household routers and whether they are vulnerable to Reaver and whether you can disable WPS on them (some routers cannot have the feature disabled even if there is an option on the web interface to do so). One way to immunize yourself against this attack is to flash a custom firmware on the router, such as DD-WRT. Many custom firmwares do not have support for WPS, so it nullifies this vulnerability.

Your Computer (localhost)

Your computer can leak information out of your local network if you are not careful. The browser section covered many of the most common leaks, but if your computer is infected with a keylogger or other malware, data may be leaked and all of your network security can be bypassed. Likewise, on an open network, someone may try to break into your computer over the network. There are a few things you can do to mitigate these risks:

 Keep your Operating System updated. It's easy to fall into the cycle of not getting the latest updates for your OS. These often patch security holes that can be exploited. Along the same lines, keep your software updated, especially major programs and anything that uses the Internet. Equally important is NOT using an unsupported OS. Windows Vista Home and Ultimate editions reach end of support this year in April, so upgrade before then or it'll only be a matter of time before an unpatched hole allows for unassisted malware installation on your computer due to running an unsupported OS.

 Just as important as keeping your OS updated is keeping your software updated. Key programs that should be kept updated are your antivirus/antimalware/firewall solutions, your web browser of choice, your PDF viewer, Java (if installed), Microsoft Office (if installed, can be updated through Windows Update), and your media player.

 Use a password! Windows passwords are trivial to overwrite if someone has access to your PC (which is where encryption comes in), but they are VERY useful in keeping other, unwanted people on the network out of your shared folders. You should also, of course, disable shared folders on public wifi networks.

 Install a firewall. Your router has one, but on the open networks your laptop may often connect to, your router firewall won't be of any help. With Windows Vista/7, the built-in firewall is pretty good (and can be improved with Windows7FirewallControl -- which works with Vista/XP as well). The best free one is Comodo's Firewall. The Defense+ feature is also a basic HIPS program (Host-based Intrusion Prevention System) that will stop rogue programs from doing naughty things. This does an excellent job of keeping keyloggers, trojans, and worms from sending data out from your computer (keyloggers can also be effectively nulled with the use of a password manager such as KeePass and LastPass). Lately Comodo has been getting bloated; a good HIPS-based alternative is PrivateFirewall.

 Keep your antivirus/antimalware/antispyware solutions up-to-date and scan as you feel needed. Whether you run a full-fledged real-time protection antivirus + antimalware solution, or a free antivirus and something to occasionally scan with like Malwarebytes, it's better to have it on your system now and not need it than need it and not have it. Some malware makes it near-impossible to install antimalware programs and/or update them successfully. Instantly being able to do a scan after you think you've been compromised is a very nice thing. The next-best thing is to instantly shut down your computer and use live rescue CDs like Kaspersky offers (there's tons of them). Antivirus/antimalware/antispyware, whether proactive or retroactive, should always be considered your last line of defense.

 Disable file sharing when you don't need it. This is of particular importance when on public wifi. In Windows 7 this is done simply by going Control Panel > Network and Sharing Center > Change Advanced Sharing Settings (left panel item). Expand the Public profile. Turn off Network Discovery (not really necessary, it doesn't offer any real security), Turn off File and Printer Sharing, and Turn off Public Folder Sharing. Save the changes and exit. Next, disable your administrative shares. Disabling shares you don't need is important for those "oops" moments when you connect to a network and accidentally make it a home or work network instead of a public one.

Shared and Public Computers

Shared and public computers are of particular risk. With shared computers, it's possible someone else using it has unwittingly installed some privacy-invading software or may try to snoop your files. On public computers you never know if there's a keylogger or some other malicious activity going on. It's best to minimize your risks on these computers. With shared computers, you should verify that other user accounts cannot access your data by checking folder permissions and making sure other accounts don't have read (or execute) access. Another thing you can do is set up email alerts for whenever someone logs in to your computer. It may be handy if you think someone is snooping around. I personally prefer blat for sending emails from the command line on Windows, though sendemail is fine too. SendEmail is also available for Mac OS X and Linux, and the instructions given there will mostly apply, but you'll need to create a shell script to run them on those platforms and set it to run at start-up. An alternative program for Linux and Mac OS X is ssmtp, which I find a bit simpler than sendemail. Here are some instructions on ssmtp's basic setup and some Mac OS X instructions.

 Public computers are especially scary because there's so much unknown about them. The best bet is to reboot into Linux if possible. It's not always possible with public computers, but when it is it'll provide you the best option. A privacy and security-minded Linux distro is Tails. Of course, booting into Linux isn't always possible on public PCs (being able to do it is actually a really bad sign) so instead you may have to make do with some portable apps. I'd recommend avoiding passwords when possible, and using only accounts with two-factor authentication otherwise. Definitely use a portable version of your web browser of choice all tricked out with your favorite privacy plugins. Only save stuff to the USB stick and only run stuff from it. Pretend every program on the computer is a poisonous snake trying to eat your mouse (pointer). Besides that, there isn't much you can do besides following some good practices.

Foreign (public) Wireless Networks

Foreign, public wireless networks are a war zone, especially the open ones. Ones properly protected and configured with 802.1x (aka, WPA2 Enterprise) can be safe networks, but assume that any 802.1x network is poorly configured and multiple people have the same key you do and can see your traffic. Man-in-the-Middle attacks happen with more and more frequency, and the skill required to initiate them is at an all-time low (can be done with just a smartphone). There are two primary technologies you can use to secure your roaming on such networks: SSH Tunnels and Virtual Private Networks (VPNs).

 NOTES:

 1. For all server installs, you will need to know the public IP of your server. This can be done by visiting http://www.whatismyip.com/ on your server. Better is to set up no-ip on your server (the computer running SSH or your VPN) and use their free dynamic DNS service (it'll work even if your home IP changes). No-ip is so simple, it hardly warrants directions, but no-ip provides them for a simple setup anyway. You will need to do this for PPTP VPN servers and SSH servers.

 2. You will also need to set a static IP for your server. This is simple enough:

Static IP - Mac OS X

Static IP - Linux (various)

Static IP - Windows XP/Vista/7

 3. A simple tool to use to see if an ARP poisoning attack is happening on the public wifi is DecaffeinatID. It keeps track of the default gateway MAC address and will alert you if it changes.
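 The gateway-MAC check described in note 3, as an added example (this is not DecaffeinatID's code and not from the original post): it compares two snapshots of the neighbor table and flags a changed gateway MAC or a second host claiming it. The addresses, sample output and function names are constructed for illustration.

```python
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

# Constructed sample: `ip neigh` style output taken right after joining the network.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:aa:bb:17 STALE
192.168.1.40 dev wlan0  FAILED
"""

# Constructed sample: Windows `arp -a` style output a few minutes later
# (the parser accepts either format).
LATER = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-AA-BB-17     dynamic
  192.168.1.23          02-00-00-aa-bb-17     dynamic
"""
GATEWAY = "192.168.1.1"  # assumed default gateway for the samples


def normalize_mac(mac):
    """Lower-case, zero-pad and colon-separate a MAC (handles 0:1b:.. and 00-1B-..)."""
    return ":".join(part.zfill(2).lower() for part in re.split(r"[:-]", mac))


def parse_neighbors(text):
    """Return {ip: mac} for every line that carries both an IPv4 address and a MAC."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # header lines and incomplete entries have no MAC
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def check_gateway(baseline, current, gateway_ip):
    """Compare two snapshots and return a list of human-readable alerts."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old is None or new is None:
        return [f"gateway {gateway_ip} missing from a snapshot"]
    alerts = []
    if new != old:
        alerts.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    # A poisoned cache typically shows the gateway sharing a MAC with another host.
    sharers = sorted(ip for ip, mac in current.items()
                     if mac == new and ip != gateway_ip)
    if sharers:
        alerts.append(f"gateway MAC {new} also claimed by {', '.join(sharers)}")
    return alerts


if __name__ == "__main__":
    for alert in check_gateway(parse_neighbors(BASELINE), parse_neighbors(LATER), GATEWAY):
        print("ALERT:", alert)
```

 A changed gateway MAC can also have a benign cause, such as roaming to a different access point, so treat an alert as a reason to stop sending anything sensitive until the tunnel is up.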

SSH Tunnels

When properly configured, an SSH tunnel is a simple yet effective way to protect your web browsing (and select other traffic) while on public wifi, and it is relatively simple to set up. Setting up an SSH server is simple on Mac OS X and Linux; Windows is simple after installing a program. Your tunnel will be a SOCKS proxy, and Firefox with QuickProxy makes switching to that proxy simple to secure your web browsing traffic (I recommend using Firefox because of QuickProxy, and also because Firefox can be configured to send DNS requests through the tunnel, something I've yet to find out how to do in Opera or Chrome).

 NOTE: You may wish to get email alerts whenever someone logs in via SSH to your server. It's simple to do. These instructions apply to openssh, so should work for both Linux (assuming OpenSSH is your SSH Server) and Mac OS X. If you use my recommended program of BitVise for Windows, you'll have an option to run a program after successful logins, so you'd just create a batch file that uses either sendemail or blat to send the email.

 First, you need access to an SSH server to log into and create the tunnel. This computer needs to be located at home and always on.

 Mac OS X: Enable Remote Login for Mac OS X

 You will then need to forward port 22 from your Mac on your router so you can access the ssh while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Linux: Simply install OpenSSH (or your SSH server of choice). Your distro should have sufficient instructions on how to activate key-based authentication and disable keyboard authentication in their documentation. It won't be any different than the instructions for Mac OS X if you use OpenSSH. Then likewise forward port 22 from your Linux PC on your router so you can access the ssh while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Windows: Windows lacks a built-in SSH server, though there is a very good free (for personal use) SSH Server provided by BitVise. It offers very fine-grained controls, public key authentication, virtual users, jailing, and everything else you could want in an SSH server. If you have any questions, feel free to ask me as I'm very familiar with BitVise's SSH server. Don't forget to forward your port, though.
 
 I HIGHLY suggest setting up key-based authentication for SSH to prevent brute-force attacks on your SSH server. Then just disable keyboard authentication. (The instructions are for PuTTY as it's fairly cross-platform and allows me to just post a single set of instructions. Feel free to use any client you wish, though.)
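 A quick way to confirm that an OpenSSH server really has key-based logins on and keyboard/password logins off, as an added example that is not part of the original post: it reads the global section of an sshd_config, applies OpenSSH's first-value-wins rule and its defaults, and lists what is still open. It assumes OpenSSH 8.7 or later (where ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication) and ignores Include files; the sample configs are constructed.

```python
# Values sshd uses when a keyword is absent (per the sshd_config manual page).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Assumption: OpenSSH 8.7+, where the old keyword is an alias of the new one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
}

# Constructed sample: passwords "disabled", keyboard-interactive left at its default.
WEAK = """\
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: a leftover earlier line silently wins over the later one.
DUPLICATE = """\
PasswordAuthentication yes
# hardening added at the bottom of the file
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

# Constructed sample: the state recommended above.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
"""


def effective_settings(config_text):
    """Return the value sshd would use for each audited keyword (global section only)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # Match blocks are conditional overrides; not audited here
        keyword = ALIASES.get(keyword, keyword)
        if len(parts) == 2 and keyword in DEFAULTS and keyword not in seen:
            seen[keyword] = parts[1].strip().lower()  # first occurrence wins
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(config_text):
    """List every audited keyword whose effective value differs from WANTED."""
    eff = effective_settings(config_text)
    return [f"{k} is '{eff[k]}', want '{v}'" for k, v in WANTED.items() if eff[k] != v]


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("DUPLICATE", DUPLICATE), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

 On the server itself, `sshd -T` prints the effective configuration, which also reflects Include files and compile-time defaults that this sketch does not see.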

Now that your server is configured, time to configure your client (probably your laptop). I will do my instructions through PuTTY (for simplicity once again) so download and install PuTTY. On Mac OS X, you will need to use MacPorts to get PuTTY.

 Launch Putty. Type the dynamic DNS (or IP) address into the Hostname/IP box. Looks like this

 Under Connections in SSH, select Tunnels. Enter 7070 for the destination (technically any port will do, I just always use 7070 because it's easy for me to remember), set it as Dynamic and Auto. Click the Add button. Looks like this.

 It isn't absolutely necessary, but I highly suggest saving this configuration, which requires going back to the session panel. Enter some title in the "saved sessions" box (like sockstunnel) and hit Save. Now in the future you will just have to select sockstunnel and click load.

 Now click the open button. A window that looks like a command prompt will open up and ask for your username, so enter it. If using keyboard authentication, enter your password. If using key-based authentication with a passphrase, enter your passphrase (the earlier linked howtoforge guide for key-based logins with putty explained how to load a key into putty). Leave this window open.

 Now we configure Firefox. Download QuickProxy as this makes things simpler (you'll be able to switch to your proxy with the click of a button).

 In Firefox go Tools>Options. Go to Advanced. In Advanced, go to the Network tab. Under "Connections" click the settings button. Select "Manual Proxy Settings". Enter a SOCKS Host of 127.0.0.1 and a port of 7070. It should look like this. Change back to "No Proxy" and OK out of all open windows.

 One more thing needs to be changed: go to about:config. Enter in socks as your filter. Change network.proxy.socks_remote_dns to true. Should look like this.

 Now Firefox can be configured to use the proxy (when logged into the SSH server in putty) by just hitting the QuickProxy button.

 When you're done using your SSH tunnel, disable the proxy by once again clicking the QuickProxy button and type "logout" ("exit" if it's a BitVise server running on Windows) into the putty terminal window to end the session. 
 
PPTP VPN

 Windows has a basic VPN built in that uses the Point-to-Point Tunneling Protocol. It is limited in that you can only have one remote connection, it uses your Windows password (so it must be strong), and it won't work when the CLIENT is behind old or improperly configured routers. From a security standpoint, PPTP has been broken, and can be broken by someone proficient with the right tools, but from an average user standpoint, people getting their MitM on are going after easy fish, and short of someone coming after you in particular, PPTP should be sufficiently secure. Also in its favor: it's simple to set up.

 Server configuration:

 NOTE: both guides also include information on port forwarding for PPTP, which involves port forwarding TCP 1723 and enabling PPTP Passthrough -- this second part is important because PPTP uses a non-TCP/UDP protocol: GRE. You may have to look around a bit to find where PPTP Passthrough is on your router (GRE is also the reason why PPTP won't work when the client is behind some old routers, as they drop the GRE packet before it leaves the network).

 1. PPTP Server on Windows XP

 2. PPTP Server on Windows 7 (Vista is almost identical)

 Client configuration:

 3. PPTP client on Windows XP

 4. PPTP client on Windows 7 (Vista is almost identical)

 5. PPTP client on Mac OS X

 6. PPTP client on Linux (GNOME)

Make sure to always test that your PPTP VPN tunnel is being used as the default gateway. This is the default behavior for Windows clients.

Hamachi VPN with Privoxy and ProXPN Free

Finally, the last option is to use Hamachi VPN and Privoxy. It's a cross-platform solution and Lifehacker has a write-up on how to do it here.

 A managed, simple, free VPN service is ProXPN Free. Note that you are using their service, so they are your exit point. To me, this is less ideal as you do not control the exit point. Also, you have to use their [proprietary] VPN implementation, as the free service does not include PPTP access. Their free service VPN implementation is incompatible with all other VPN clients I know of. Still, for simplicity it wins hands-down and it will protect you from Man-in-the-Middle Attacks on public wifi.

 That's all for this section. By following some of these tips, your public wifi browsing is now secured, and you have much less to worry about.
