How to Secure Everything, Series Part 1

By | July 4, 2015

Personal information security is a must these days. Frequently, stories are published about corporations being hacked, with millions of people becoming victims in the blink of an eye. Largely, these stories come down to two things: an active threat from an enemy and a vulnerability that remains unpatched for one reason or another. The focus of this article is not what the large conglomerates can do about security. The focus is what individuals can do so that they are not compromised by the range of our enemies. We cannot trust anyone but ourselves to keep our systems safe. If you know nothing about encryption, VPNs, strong passwords, WPA1/2, WEP, or firewalls, read on. This series of articles is for you.

First things first, and a disclaimer. There is no such thing as being 100% secure. That is a myth. Security is a never-ending goal. It is a game of cat and mouse. The best defense is one that is better than the offense. The defenses employed need to be at least one step ahead of the threat. My disclaimer is that you may still get hacked following all my protocols. Additionally, the implementation, configuration and proper maintenance of these systems are your responsibility, not mine.

Free Wi-Fi at a café, hotel or store:
1) Vulnerabilities:
a. If there is no password or encryption (WPA or better), your signal is open and anyone with a listening device can monitor and intercept all of your traffic.
b. If there is a password or encryption, anyone on the network can monitor and intercept all of your traffic.
2) Threats:
a. Anyone within 300 ft of you.
b. Anyone on the network, seen or unseen, local, or hundreds of miles away.  You don’t know the extent of that network or where your traffic is being routed.
3) Countermeasures:
a. Establish a VPN (Virtual Private Network) connection over the “Free Wifi”; the VPN encrypts your data from your location all the way to the VPN server.
4) Implementation:
a. Find an old computer that is no longer needed. Install a lightweight Linux system on it and put it in your DMZ. The DMZ is common geek-slang for an area of your network facing the wild wild world (aka the world wide web). The configuration of the DMZ depends on your specific network hardware at home. Most modern routers have this option, as many gaming systems (Wii, Xbox, PS#, et al) require being placed in the DMZ. Yes, the DMZ is useful for something other than gaming: personal security.
b. Install OpenVPN or an equivalent on the server.
c. Install OpenVPN clients on your mobile hardware (tablets, smart phones, laptops, et cetera).
d. Once you are connected to the “Free Wifi,” establish your VPN connection. This will route all your traffic through the VPN and encrypt it to your home. The difference in your connection speed should be negligible, because your up/download speed at home is generally faster than what is available on the “Free Wifi” networks.
e. If a decent computer is used for the Linux DMZ system, configure and use X2Go. X2Go gives you end-to-end encryption as in the above method, but remotes the entire desktop from that Linux system to your mobile device. Your mobile device then becomes what is referred to as a “Thin Client,” processing only the remotely displayed desktop. Personal note: I love this method, as all my files are there, safe, not with me, but at my secure location. Installation and configuration of X2Go is trivial (easy). The drawback to this method is that you will be using a Linux Desktop (which is a plus for me) and not a Microsoft, Apple or Android product. The benefit is a uniform experience that is secure and dependable.
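Step d. promises that all traffic goes through the VPN, and that is worth verifying after connecting, because a VPN that only routes its own subnet (a "split tunnel") leaves your web traffic on the café Wi-Fi. The check below is an added example, not part of the original post; it assumes a Linux client with `ip route` and a tunnel interface named tun0, and the routing tables it parses are constructed samples.

```python
import ipaddress
import subprocess

# Constructed samples of `ip route show` output (not captured from a real host).
# OpenVPN's "redirect-gateway def1" keeps the Wi-Fi default route and adds
# 0.0.0.0/1 and 128.0.0.0/1 via tun0, plus a host route to the VPN server
# (203.0.113.10 here) over the Wi-Fi so the tunnel packets themselves get out.
ROUTES_FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.43.1 dev wlan0 proto dhcp metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.17
203.0.113.10 via 192.168.43.1 dev wlan0
"""
# Split tunnel: only the VPN subnet uses tun0; everything else leaves over wlan0.
ROUTES_SPLIT_TUNNEL = """\
default via 192.168.43.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.17
"""


def tunnel_covers_all_traffic(route_table: str, vpn_if: str = "tun0") -> bool:
    """True if every IPv4 destination is routed through the VPN interface.

    Accepts a plain default route via the tunnel, or the def1 pair
    0.0.0.0/1 + 128.0.0.0/1, which covers all of IPv4 and beats "default"
    by longest-prefix match.  Routes on other interfaces are ignored.
    """
    covered = set()
    for line in route_table.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[fields.index("dev") + 1] != vpn_if:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            covered.add(ipaddress.ip_network(dest, strict=False))
        except ValueError:  # e.g. "unreachable ..." or "blackhole ..." lines
            continue
    whole = ipaddress.ip_network("0.0.0.0/0")
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return whole in covered or halves <= covered


def check_live_host(vpn_if: str = "tun0") -> bool:
    """Run the same check against this Linux host's real routing table."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True)
    return tunnel_covers_all_traffic(out.stdout, vpn_if)
```

Run `check_live_host()` right after the client reports it is connected; a False result means the tunnel is up but your browsing is not going through it.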

NOTE: If you have any open network shares on your system, you are still vulnerable. You should always disable sharing and have a strong password on everything, by default. Without a password, a program can execute itself without hitting any permission issues. With a weak password, the program can defeat the permission check with a “Dictionary” attack.

Email: 
Several volumes could be written on email security. The lack of knowledge and insight into this area, a cornerstone of network communications, is astounding across our society.
1) Vulnerabilities:
a. Forwarding emails: Commonly, when forwarding emails, the addresses of co-recipients are left in and forwarded along with the email.
b. Private data:  Personal data that you would not shout in a public area is commonly sent in an email.  Unless you explicitly encrypt the email, it is sent in plain text and can be read by anyone with a sniffer (a listening device).
c. Dangerous embedded code in attachments: That awesome picture of Jesus can contain code that, when viewed, will execute and attempt to infect anyone who opens the email. Likewise, the same can be said for any attachment sent through an email that you have not personally created or whose source you cannot guarantee.
2) Threats:
a. Anyone with a sniffer on the network from the point of origin to destination.
3) Countermeasures:
a. As a rule, never forward emails. If you must, clean the email up. Delete all email addresses in the email. Copy and paste the contents into another clean email. Scan all attachments and embedded objects with an updated antivirus scanner. If sending to multiple addresses: put your own email address in the To: field and all other addresses in the BCC: field (Blind Carbon Copy). The email will be routed to all the addressees, but the other addresses are stripped out of what each of them receives. You may have to configure your email client to show the BCC: field. It’s there. Trust me. Figure out how to use it (Google is your friend) and implement.
b. If you must send private data through an email, encryption is mandatory. This requires some setup, on your end and the recipient’s. Search for a product called GnuPG (GNU Privacy Guard). It is a FOSS (Free and Open Source Software) product that allows computers to encrypt emails. You will have to install this software and encrypt your email. The recipient must do the same to be able to decrypt your email.
c. As a rule, never forward attachments whose authenticity you cannot guarantee. If required, save to a local drive, scan with an updated antivirus client, reconstruct the email and follow the protocols discussed in 3)a. above.
4) Implementation:
a. GnuPG: Installation and configuration must occur on both the sender and the recipient. Encryption keys, public and private, must be produced, and the public key registered with a key server (I use MIT).
b. Realize that just because your web-based email has an https:// prefix, this doesn’t mean your email is encrypted. The connection to the email server is encrypted, but that email is likely going to be sent in clear text.
c. Sign and encrypt every personal email.
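Countermeasure 3)a. above describes two mechanical steps: scrub co-recipients' addresses out of anything you forward, and hide a group of recipients behind BCC. The code below is an added example, not from the original post, showing both with Python's standard library; the addresses in it are constructed. The BCC part makes explicit what a mail client does for you: the full recipient list goes to the mail server as the envelope, while the Bcc: header is removed from the message body that the recipients actually see.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# Matches ordinary addresses like ann@example.org or bob.smith+x@mail.example.com
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_addresses(text: str) -> str:
    """Remove every email address from text you are about to forward."""
    return EMAIL_RE.sub("[address removed]", text)


def build_bcc_message(sender: str, recipients: list, subject: str, body: str):
    """Return (message_bytes, envelope_recipients) with co-recipients hidden.

    To: carries only the sender; everyone else is in Bcc:.  The envelope
    (what the client sends as RCPT TO) lists all of them, but the Bcc:
    header is deleted before serializing, so no recipient sees the others.
    (smtplib.send_message() performs this same deletion for you.)
    """
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [sender] + list(recipients)  # captured before the header goes
    del msg["Bcc"]
    return msg.as_bytes(), envelope


# Constructed sample of a forwarded thread with leftover co-recipient addresses.
FORWARDED_SAMPLE = (
    "---------- Forwarded message ----------\n"
    "From: ann@example.org\n"
    "To: bob.smith+family@mail.example.com, carol@example.net\n"
    "> Reunion is on the 12th, reply to carol@example.net\n"
)
```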

The next installment will examine security options of SMS (text messaging), chat clients (AIM, Skype), and smartphones.
Thanks for reading,
Jay