In my primary blog, I recently wrote about detecting malicious activity in the traffic over a network connection, as well as the importance of checking log files for any unlawful activity an intruder may have left behind. As anyone should know, one's relationship to information security (InfoSec) can be categorized in two ways: offense and defense. Obviously, one's defenses against scumbags are going to be far more in-depth than offenses; however, it is important to understand the offensive measures one should at least consider when working with any network, whether it is connected to an Internet access point or is a closed-circuit network (CCN). To review my previous post on network traffic monitoring, look for the title “Consequences” in the menu at the right.

Any time a person connects a device to any network, the assumption should be made that somewhere on that network a device is monitoring, and possibly harvesting, any information sent across it. The unfortunate truth is that this is far more common than most people would suspect. We take for granted that the connections we use to communicate with one another give us a secure path between us and our recipient, when in fact the truth is far from it. Even if a person is the sole administrator of the network, that is no guarantee that at some point someone has not compromised the network without our knowing it. This is why network monitoring and periodic log file checking are important. Even when we do a complete scan of the entire network and every node on it, unless the person is on a CCN with no Internet connection, the possibility is always going to be there. A person would have to have complete control over a closed system to ensure the security of communication between nodes, and this condition is both rare and unlikely.

Let's take a look at a graphic that can help bring this point across visually, to better understand what is going on. The first is the average small home network and the second is the average company network. Of course, any given network can have a variety of configuration options; these are just basic examples.

Any device on either of these networks could potentially be monitoring any and all traffic that travels from one node (device) to another. As the network administrator, it is very important to monitor the flow of traffic so that any anomalies can be mitigated, such as an infected device siphoning data without the user's knowledge, or a device that has been compromised and is being used as part of a botnet. However, there is a significant difference between monitoring the flow of data and monitoring the “data” itself. The ultimate goal here is to ensure the integrity of the network and of each node on it, while also allowing for the privacy of the users, depending on the circumstances surrounding the network's application.

In most cases with a home network, very little is done to monitor traffic across the lines, and security precautions are left to each user to manage on their own devices and communications. The “last mile” ISP assumes “some” responsibility, such as blocking certain ports (port 25, for example) to help prevent prominent malicious activity against its subscribers, and the firewall software built into modems helps stop lower-level malicious intruders from infecting home networks. Users on the network are left to manage security on their own devices, which typically comes in the form of firewalls and security software such as Norton or McAfee. These levels of security do a pretty good job in most cases, and for the majority of users the rest is “Plug and Pray”.

Aside from the more modern “Bring Your Own Device” (BYOD) business model, on the average business network the company owns all the hardware provided and actively monitors network activity. From the workstation to the point where traffic exits the network at the modem, the company assumes full responsibility for all communications and for the security precautions necessary to keep the corrupt out and the network clean of malware. Companies that have their “act together” will provide technology agreements to new employees, who acknowledge that there should be “NO” expectation of privacy while using company-owned technology or company-owned networks. This has been the standard for many years, with the exception of arguments over email privacy and the “Work from Home” employee. The more employees there are, the more obfuscated technology and network security becomes.

Offensively, what any user wants to ensure is that communications that move outside the local area network (LAN) are kept both secure and private. What this means is that we want to make sure no one else on the network is intercepting or harvesting our communications. It is both possible, and unfortunately common, for bad actors with network credentials to act as the “Man In The Middle” of our communications. In such situations, when an email is sent from one device, it is first intercepted by someone else on the network, read or possibly modified, then sent on to the intended recipient. The recipient replies, but that reply is intercepted and read or modified, then sent on. In more advanced situations, a person can even assume the identity of what would be a trusted individual to try to dupe the victim into divulging information. This is exactly the situation we want to take offensive measures against and prevent from happening. If possible, we even want to catch the corrupt and bring them to justice, for those who are capable and so inclined; however, that is beyond the scope of this particular article.

The easiest offensive measure anyone can take is to start using The Onion Router (TOR) Browser. The benefit of using this browser over others is that it creates an encrypted connection from one's workspace to the outside world, which then “bunny hops” between a number of servers in differing countries before allowing the user to browse the Internet. This provides a level of security that prevents eavesdropping on browsing activity, another well-known administrative intervention on privacy. If one's workplace prevents the use of the TOR Browser, then we can deduce that browsing activity is actively being monitored. The downside of using this very secure browser is the response speed, and that some servers will refuse to connect to hidden activity. Some would argue that only those who are trying to hide unlawful activity use such technology, while the other side of the coin argues that such technology is used as a preventative measure against privacy invasion. For those considering it, it is wise to research for oneself and then make an educated decision.

An alternative to using the TOR Browser is to acquire service from a VPN provider. VPN services allow one to connect a device through a provisioned server located elsewhere, so that all data transmission is encrypted from the user's device to that server, and then proceeds on to its intended destination as normal. This method is becoming more common as people become more aware that many organizations are choosing to monitor, harvest, and in some cases MITM user communications for their own gain. The following graphic shows, in a simplified manner, how a VPN service works.

VPN services are actually pretty cheap in comparison to the advantages they provide. By using such services, any time a person is in a remote location that requires access through an unknown network, one can almost guarantee a significantly improved level of privacy and security for their network activity. The image above shows a simplified version of this. The laptop establishes an encrypted connection between itself and the VPN server and then accesses the Internet from that remote location. Any device between the laptop and the server that may try to monitor or intercept data sees only encrypted streams, which are indecipherable and appear as a garbled mess. In most cases, a subscription fee of less than $10 a month will provide a more than adequate secure connection.

For the more technologically inclined, or those who use their own servers from companies like DigitalOcean, Rackspace, or Amazon, one can simply establish a port forwarding connection between their device and their remote server. This technique is essentially the same as subscribing to a service but requires a little more technical “know how” to establish the same level of connection. While requiring a bit more work from the user, the cost can be reduced to as little as $6 a month or less to rent a remote server instance suitable for the task. Many people who use this level of secure communications often use their home devices as way points for their communications when out and about. In establishing this type of way point, one must consider the implications of possible security breaches of their home devices, as the ability to connect remotely also includes the potential for a malicious individual to break in. In any case, one must always weigh their threat level with caution and examine all positive and negative possibilities.

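As an added example, not from the original post, this is the kind of SSH configuration the port-forwarding setup above uses: the laptop opens a local SOCKS proxy through the rented server, and the server (or a home device used as the way point) accepts only key-based logins for one account, so the remote access path is not the open door the paragraph warns about. The host name, user name and key path are placeholders.

```sshconfig
# ~/.ssh/config on the laptop: one entry for the rented server (placeholder names).
Host waypoint
    # The rented server's address; replace with the real host.
    HostName vps.example.net
    # Unprivileged account used only for the tunnel.
    User tunnel
    IdentityFile ~/.ssh/waypoint_ed25519
    IdentitiesOnly yes
    # Local SOCKS proxy; point the browser or system proxy settings here.
    DynamicForward 127.0.0.1:1080
    # Fail loudly if the forward cannot be set up, rather than browsing unprotected.
    ExitOnForwardFailure yes
    # Once the server's host key is recorded, a changed key means someone sits
    # between the laptop and the server; refuse instead of connecting.
    StrictHostKeyChecking yes
    ServerAliveInterval 30

# Bring the tunnel up (no remote shell, just the forward):  ssh -N waypoint

# /etc/ssh/sshd_config on the way point: key-only login for a single account.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers tunnel
# Required for DynamicForward to work.
AllowTcpForwarding yes
```
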
Aside from establishing a secure connection to transmit data across, one can also focus on the security of the data itself. At this point, we begin to consider applying technologies that can ensure our communications arrive at their destination undefiled and intact, from our device to our recipient's. It is at this point that we would have to include some level of encryption or a digital signature that can be verified by the recipient as good or valid. This level of security requires active participation from both parties. While it is entirely possible to digitally sign communications at the user's end and still have that communication be read at the recipient's end without validation, doing so negates the security advantage of the applied technologies. In my years of experience with encrypted communications, I have found that an extremely small percentage of the general public is knowledgeable about or capable of applying such security technologies, and thus one should not assume a recipient's compliance in verifying against such protocols, regardless of the application.

Let's consider a few scenarios in which encrypted communication can and should be applied by default, as well as the benefits and pitfalls of applying such technologies. Applying technologies such as GnuPG to encrypt one's communication before it is sent across any network is as easy as installing a program and then following step-by-step instructions. Decades ago, this was a lengthy and complicated task that only a very small few, who worked at the highest security levels, would consider applying. However, in light of recent events, and thanks to developers, applying such security technologies has advanced to a level of ease that even young school children can master and apply. The following are only a couple of examples where encrypting communications or applying a verifiable digital signature can be beneficial to the average user who understands and is aware of the pitfalls associated with insecure networks.

The average public school actively monitors all communications across its networks. They look for signs of harassment, illegal activity, emotionally troubled students, and breaches of academic integrity (cheating). In an “ideal” world, this would be the extent to which monitoring of communications would be active, to ensure the integrity of the administration and the student body. However, network administrators are human just like anyone else and are just as prone to corruption as anyone else. We must always remember that “hard access is full access”, and a corrupt administrator (even in a public school) can access most forms of data at varying levels, as well as cover their tracks from supervisors if necessary. Suppose a “good friend” of one of the school's network administrators has trouble with her boyfriend, who cheated on her, and wants to get “even”? Suppose a corrupt administrator wants a position as an instructor that pays better? What if a failing student absolutely “needs” to pass a certain class, or a corrupt instructor is passing students who in all reality shouldn't be? The list of possibilities can go on for a long time. What can we do to protect ourselves from corruption at the network administration level in a public school?

One could potentially change to a different school. This may be an option for some, but in many cases changing schools is not an option, as the next closest school may be too far away. Maybe file a complaint with the school? This may be an option, but don't count on the complaint getting very far unless one has undeniable, conclusive evidence to support the claim. Public school network administrators are part of a labor union. The labor unions assign individuals to act as defense attorneys to protect jobs, even in cases of corruption. The best one could expect from a complaint might be a slap on the wrist for the administrator, unless the collected evidence is compelling enough to elicit real legal action by way of an attorney. One must also consider that the corruption may go as high as the school president in some cases. It is unfortunate, and it may seem the “odds are against” us, but taking offensive precautions can help prevent such atrocities.

One simple precaution a person can take is to digitally sign communications used in public schools. Digitally signing can at least certify that any communication from one's device did in fact originate from that person and was delivered across the network to its recipient unmodified from its original form. Any individual with the public key of the author can verify the integrity of the communication. Should the verification process fail, then the evidence shows conclusively that the communication has been tampered with at some time during transmission. Digitally signing, and not fully encrypting, allows “plain text” communications to be stored and potentially reviewed should any problems arise that would require a review of communications between two parties. Only digitally signed communications can be considered trustworthy, since unsigned communications are, for all intents and purposes, suspected of forgery. One should also be wary of digital communication platforms that do not provide a means of digitally signing communications. Many public school administrations pass on providing these securities, as they are “options” for their adopted platforms for which they feel the added technology and expense are unnecessary. In essence, this tilts the security in favor of possible corruption within the system.

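The three outcomes described above (a signed message arriving intact, one altered by a “Man In The Middle” on the way, and an unsigned one that cannot be vouched for) as an added example that is not part of the original post: textbook RSA with deliberately small fixed primes so the whole sign, relay and verify flow fits on one screen. The message text, key size and the `relay` model of the network path are constructed for the example; real use means GnuPG or a vetted library with full-size keys.

```python
import hashlib

# Toy textbook-RSA signature (constructed for this example; not for real use).

def make_keypair():
    p, q = 104729, 1299709            # well-known primes (the 10,000th and 100,000th)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)               # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)             # (public key, private key)

def digest(message: bytes, n: int) -> int:
    # SHA-256 of the message, reduced into the key's range; the reduction is
    # only tolerable because this is a toy key size.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature, public_key) -> str:
    """Return 'valid', 'tampered' (content changed after signing) or 'unsigned'."""
    if signature is None:
        return "unsigned"
    n, e = public_key
    return "valid" if pow(signature, e, n) == digest(message, n) else "tampered"

def relay(message: bytes, signature, intercept):
    """Model the untrusted network path: `intercept` may rewrite the body,
    but without the private key it cannot produce a matching signature."""
    return intercept(message), signature

def demo():
    public_key, private_key = make_keypair()
    message = b"Your grade for the term is B+"   # constructed sample message
    signature = sign(message, private_key)
    honest = verify(*relay(message, signature, lambda m: m), public_key)
    altered = verify(*relay(message, signature,
                            lambda m: m.replace(b"B+", b"A")), public_key)
    unsigned = verify(*relay(message, None, lambda m: m), public_key)
    return honest, altered, unsigned

if __name__ == "__main__":
    print(demo())   # ('valid', 'tampered', 'unsigned')
```
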
Another scenario involves communications between government entities and contractors. Competing contractors, corrupt employees, foreign governments, or possibly even ISP personnel could potentially intercept communications between two points. Communications could be modified to tilt in a competitor's favor or for the financial gain of said entities. In such a scenario, fully encrypted communications would be more beneficial. Remember the news article about the cell carrier employee who monitored the US President's instant messaging contacts? Realistically, there is little one can do to protect personal or business interests against such corruption other than taking offensive precautions with our information to ensure private communication with the intended recipient. By comparison, one's digital communications are like sending a message through the mail on either a postcard or in a security envelope. The choice is ultimately up to the sender, to the degree that they determine what their security needs are and what their proposed threat level is.

Ultimately, each company or individual must decide for themselves what level of communication security is appropriate for them. There is an old saying within the technology field that “security and simplicity are not good bedfellows”. A greater level of offensive security is always going to mean a decrease in user simplicity, and one must always give way to the other. Often, ignorance of the possibility gives way to simplicity, until a person actually experiences the ramifications associated with not applying the necessary level of security. In most cases, and with most people, it is a “live and learn” scenario. Just the “thought” of the scenarios proposed is enough to make a person's stomach turn, and more times than not we have to have faith that these types of things are not happening. The unfortunate truth is that they happen more frequently than many would want to admit or even think about.

For further reading on applying digitally signed or encrypted communications, read the following blog post or research “the benefits of digitally signing or encrypting”.
http://roguehorse-how-to.blogspot.com/2015/01/basic-security.html