Friday, November 7, 2014

Week 7: Internet Security/Internet Insecurity

Internet security is a branch of computer security specifically related to the Internet, often involving browser security but also network security on a more general level, as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information, leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption.

Network layer security

TCP/IP, which stands for Transmission Control Protocol (TCP) and Internet Protocol (IP) and is also known as the Internet protocol suite, can be made secure with the help of cryptographic methods and protocols. These protocols include Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS), for web traffic; Pretty Good Privacy (PGP) for email; and IPsec for network layer security.

Internet Protocol Security (IPsec)

This protocol is designed to protect communication in a secure manner using TCP/IP, also known as the Internet protocol suite. It is a set of security extensions developed by the Internet Engineering Task Force (IETF), and it provides security and authentication at the IP layer by transforming data using encryption. Two main types of transformation form the basis of IPsec: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). These two protocols provide data integrity, data origin authentication, and anti-replay service. These protocols can be used alone or in combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the following functionalities:
  • Security protocols for AH and ESP
  • Security association for policy management and traffic processing
  • Manual and automatic key management for the internet key exchange (IKE)
  • Algorithms for authentication and encryption
The set of security services provided at the IP layer includes access control, data origin integrity, protection against replays, and confidentiality. The algorithm allows these sets to work independently without affecting other parts of the implementation. The IPsec implementation is operated in a host or security gateway environment giving protection to IP traffic.


Security token

Some online sites offer customers the ability to use a six-digit code which randomly changes every 30–60 seconds on a security token. The keys on the security token have built-in mathematical computations and manipulate numbers based on the current time built into the device. This means that every thirty seconds there is only a certain array of numbers possible which would be correct to validate access to the online account. The website that the user is logging into would be made aware of that device's serial number and would know the computation and correct time built into the device to verify that the number given is indeed one of the handful of six-digit numbers that works in that given 30–60 second cycle. After 30–60 seconds the device will present a new random six-digit number which can log into the website.
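The check the website performs can be sketched with the standard time-based one-time password algorithm (TOTP, RFC 6238). This is an added example, not code from the original post; it assumes the token uses TOTP with HMAC-SHA1 and a 30-second step, and the names `totp`, `verify` and `SECRET` are illustrative.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed step; the text says the code changes every 30-60 seconds
DIGITS = 6

def totp(secret: bytes, unix_time: int) -> str:
    """Six-digit code for the time step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, submitted, unix_time, drift_steps=1, last_used_step=-1):
    """Server side: return the matching time step, or None if the code is rejected.

    Accepts codes from +/- drift_steps around the server clock to tolerate
    token clock drift, and refuses any step at or before last_used_step so a
    code observed in transit cannot be replayed.
    """
    current = unix_time // STEP_SECONDS
    matched = None
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        expected = totp(secret, step * STEP_SECONDS)
        # Constant-time comparison; check every candidate before deciding.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and step > last_used_step:
            matched = step
    return matched

# Constructed sample: the shared secret is the RFC 6238 test key, not a real token seed.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print(code, verify(SECRET, code, 59))              # accepted in its own window
    print(verify(SECRET, code, 89))                    # accepted: one step of drift
    print(verify(SECRET, code, 150))                   # None: window has passed
    print(verify(SECRET, code, 59, last_used_step=1))  # None: replay of a used code
```

The server should store the returned step as `last_used_step` for that account, so each code is accepted at most once.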

When Tim Berners-Lee was designing the technology that has transformed our world, he looked for a noun that would describe what he had in mind. The one he eventually settled on was "web", which is how the world wide web got its name.
To its inventor, the noun must have seemed perfectly apposite: it described the intricate, organic linking of sites and pages that he had in mind. But "web" has other, metaphorical, connotations. Webs are things that spiders weave with the aim of capturing prey. And if you want a metaphor for thinking about where we are now with networked technology, here's one to ponder.
Imagine a gigantic, global web in which are trapped upwards of two billion flies. Most of those unfortunate creatures don't know – yet – that they are trapped. After all, they wandered cheerfully, willingly, into the web. Some of them even imagine that they could escape if they wanted to.
We are those insects. The only way of escaping our predicament is to renounce the world in the way that Trappist monks once did. Since we're not going to do that, we have to face the reality: we're trapped in a system in which everything we do is monitored and logged and in which privacy is a thing of the past. Everything that you do with modern communications equipment leaves a digital trail. And this trail is followed assiduously not just by giant corporations, but also by governments and their security services – as vividly illustrated by the revelations of Edward Snowden.
What's astonishing is how unconcerned many people appear to be about this. Is it because they are unaware of the extent and comprehensiveness of the surveillance? Or is it some weird manifestation of Stockholm syndrome – that strange condition in which prisoners exhibit positive feelings towards their captors? What we've learned above all from the Snowden leaks is that the scale and capability of the NSA surveillance are much greater than anyone imagined. Most people had assumed that most non-encrypted communications were vulnerable and some speculated that some encrypted communications (eg Skype) had a hidden backdoor for the NSA. But nobody realised that, as the latest revelations showed, all the encryption technologies routinely used to protect online transactions (https, SSL, VPN and 4G encryption), plus anything going through Google, Microsoft, Facebook and Yahoo, have been cracked.
What this means is that no form of electronic communication handled by commercial companies can now be assumed to be secure. In that sense, the NSA has really fouled the nest of the US internet industry. And it is even suspected that about 90% of communications routed through the TOR network are using encryption that may also have been hacked by the NSA. What can you do if you're someone who feels uneasy about being caught in this web? The honest answer is that there's no comprehensive solution: if you are going to use telephones (mobile or landline) and the internet then you are going to leave a trail. But there are things you can do to make your communications less insecure and your trail harder to follow. Here are 10 ideas you might consider.

Email

Rethink your email setup. Assume that all "free" email and webmail services (Gmail etc) are suspect. Be prepared to pay for a service, such as Fastmail, that is not based in the US – though some of its servers are in New York with backups in Norway. (My hunch is that more non-US email services will appear as entrepreneurs spot the business opportunity created by the Snowden revelations.) It would also be worth checking that your organisation has not quietly outsourced its email and IT systems to Google or Microsoft – as many UK organisations (including newspapers and universities) have.
The real difficulty with email is that while there are ways of keeping the content of messages private (see encryption), the "metadata" that goes with the message (the "envelope", as it were) can be very revealing, and there's no way of encrypting that because it's needed by the internet routing system and is available to most security services without a warrant.

Encryption

Encryption used to be the sole province of geeks and mathematicians, but a lot has changed in recent years. In particular, various publicly available tools have taken the rocket science out of encrypting (and decrypting) email and files. GPG for Mail, for example, is an open source plug-in for the Apple Mail program that makes it easy to encrypt, decrypt, sign and verify emails using the OpenPGP standard. And for protecting files, newer versions of Apple's OS X operating system come with FileVault, a program that encrypts the hard drive of a computer. Those running Microsoft Windows have a similar program. This software will scramble your data, but won't protect you from government authorities demanding your encryption key under the Regulation of Investigatory Powers Act (2000), which is why some aficionados recommend TrueCrypt, a program with some very interesting facilities, which might have been useful to David Miranda.

Web browsing

Since browsing is probably what internet users do most, it's worth taking browser security and privacy seriously. If you're unhappy that your clickstream (the log of the sites you visit) is in effect public property as far as the security services are concerned, you might consider using freely available tools such as Tor Browser to obscure your clickstream. And to protect yourself against the amazingly brazen efforts by commercial companies to track your online behaviour you should, at the very minimum, configure your browser so that it repels many of these would-be boarders.

Cloud services

The message of the Snowden revelations is that you should avoid all cloud services (Dropbox, iCloud, Evernote, etc) that are based in the US, the UK, France and other jurisdictions known to be tolerant of NSA-style snooping. Your working assumption should be that anything stored on such systems is potentially accessible by others. And if you must entrust data to them, make sure it's encrypted.

File storage and archiving

An option that an increasing number of people are exploring is running their own personal cloud service using products such as PogoPlug and Transporter that provide Dropbox-type facilities, but on internet connected drives that you own and control. And if you carry around confidential data on a USB stick, make sure it's encrypted using TrueCrypt.

Social networking

Delete your Facebook account. Why do the CIA's work for it? And if you must use it, don't put your date of birth on your profile. Why give identity thieves an even break? And remember that, no matter what your privacy settings, you don't have control over information about you that is posted by your "friends".

Location data

Avoid using services such as FourSquare that require location information.

Wireless services

Have Bluetooth off by default in all your mobile devices. Only switch it on when you explicitly need to use it. Otherwise you'll find that even a dustbin can snoop on it. Similarly, beware of using open wifi in public places. At the very minimum, make sure that any site you interact with uses HTTPS rather than unencrypted HTTP connections. If you don't then anyone nearby can use Firesheep to see everything you're doing.

Personal security

Forget password, think passphrase – ie a meaningless sentence that you will remember – and do some transformations on it (first and third letters of every word maybe) so that you can generate a stronger password from it every time. Or use a password-management app like LastPass or 1Password. And if a service offers multi-factor authentication, make use of it.

Search engines

All the big search engines track your search history and build profiles on you to serve you personalised results based on your search history. If you want to escape from this "filter bubble" you need to switch to a search engine that does not track your inquiries. The most obvious one is the bizarrely named but quite effective DuckDuckGo.


