Sections:
Day 1: http://www.gamesas.com/topic/1337235-data-privacy-day-day-1/
Day 2: http://www.gamesas.com/topic/1337699-data-privacy-day-day-2/
Day 3: http://www.gamesas.com/topic/1338134-data-privacy-day-day-3/
Day 4: http://www.gamesas.com/topic/1338605-data-privacy-day-day-4/
Day 5: http://www.gamesas.com/topic/1339018-data-privacy-day-day-5/
Day 6: Set up OpenVPN on Windows and Final Remarks
The goal, as always, is to make you more informed about your data and your privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others', so you need to figure out what level is right for your needs. Some things, though, are universally applicable, such as a good password system. Another thing to remember is that even if you follow the best security practices, it may not be enough to stay safe if a company with poor security practices gets hacked (and after this summer, I think we are all familiar with that).
Important definition for this section:
- Man-in-the-Middle attack: Any attack wherein someone intercepts the data you send to and receive from someone else by acting as a relay ("in the middle"). This can be done in numerous ways (ARP and DNS poisoning being two common methods, though many others exist), but the end effect is the same: your information and communications are compromised. Your passwords can be stolen and your sessions hijacked. This threat is an increasingly common problem on wireless networks, and can even affect mobile telecommunication networks (around $500 of equipment plus enough know-how is the current going rate, FYI).
Networks
Your local network is an important point of security. A properly set up one will allow easy sharing and collaboration while simultaneously keeping out those who would intrude on it from the outside. This section will cover your local network, your local computer, and how to protect your computer and privacy when on public networks.
Your Wired Network
For a wired network, you don't have as much to worry about. Make sure not to use the DMZ feature your router offers: it is a black hole for security and offers nothing over properly forwarded ports. Any forwarded port should have a distinct purpose; otherwise, don't forward it. Disable remote/WAN administration (it might be buried in the settings somewhere). Keep the router updated with any new firmware releases (better yet, use custom firmware like http://www.dd-wrt.com/site/index, http://openwrt.org/, or http://www.polarcloud.com/tomato), as they patch various security flaws. Next, change the username/password for logging into your router; not doing so is quite insecure. Finally, make sure your router's firewall is enabled; it's one of the nicest features they have. While not necessary, disabling UPnP can add a little more security by closing any unpatched vulnerabilities it may have. Keeping your router up to date is simpler and more friendly, though.
Your Wireless Network
Wireless networks are another matter. On top of all the above, you NEED to be using WPA2 with AES. Nothing else is secure!!!! Well, nothing you can reasonably implement, at least. See http://blog.jdpfu.com/pages/wifi-security (the only two things I disagree with are using MAC filtering and disabling SSID broadcasting: if someone knows how to crack a WEP key, they can easily find out how to spoof a MAC address or uncover a hidden network. Both also come with significant disadvantages while offering no real security). As mentioned in that checklist, make your WPA2 key VERY complex. You don't need to worry about forgetting it: write it down and stick it to your router. If someone is in your house, your WPA2 password isn't going to keep them out of your network anyway (if you want to be secure with your WPA2 key, use the same password strategies mentioned in the passwords section).
But what about your WEP-only devices? I've not tried it myself yet, but this guide covers running a WEP network for a Nintendo DS more safely: http://viidev.blogspot.com/2008/05/secure-wep-network-for-nintendo-ds.html. Another option is to set up a separate wireless access point with WEP for when you want to use your DS or other WEP-only devices, and just unplug that WAP when not using it. Everything else stays on your normal WPA2 connection.
A very recent development in attacking WPA/WPA2 networks is to ignore the WPA/WPA2 encryption entirely and instead have the router hand over the password. A common feature in many modern routers is Wi-Fi Protected Setup (WPS). Unfortunately, this is a weakness, as it relies on a simple (generally hardcoded) PIN that is very easy to brute-force. Lifehacker has a writeup on this: http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver, which I suggest you read so you can stop it from happening to you. A redditor created a spreadsheet tracking which routers can actually disable WPS: https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c (some routers cannot have the feature disabled even if there is an option on the web interface to do so). One way to immunize yourself against this attack is to flash custom firmware on the router, such as DD-WRT. Many custom firmwares do not support WPS, which nullifies this vulnerability.
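To make "VERY complex" concrete, here is an added Python example (my own code, not from the original post or the linked checklist). It generates a random WPA2 passphrase with the OS CSPRNG, estimates its entropy, and derives the 256-bit PSK exactly the way the wpa_passphrase tool does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds). The SSID HomeNet is a constructed sample value. The derivation is why a short dictionary passphrase is a problem: the 4096 rounds only slow each guess down a little, so the strength has to come from the passphrase itself.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII characters that WPA2 accepts in a passphrase (space left out
# to avoid copy/paste trouble). A passphrase must be 8..63 characters long.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_wpa2_passphrase(length: int = 63) -> str:
    """Return a uniformly random passphrase drawn from the OS CSPRNG (secrets)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8..63 ASCII characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(PASSPHRASE_ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK derivation from IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte (256-bit) output. This is what wpa_passphrase prints
    as the psk= line and what the router actually uses as the pairwise master key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed sample SSID, not a real network
    passphrase = generate_wpa2_passphrase(63)
    print(f"passphrase: {passphrase}")
    print(f"entropy:    {passphrase_entropy_bits(len(passphrase)):.0f} bits")
    print(f"psk={derive_psk(passphrase, ssid).hex()}")
```

A 63-character passphrase from this alphabet carries roughly 409 bits of entropy, far beyond the 256 bits the PSK can hold, so nothing is gained by going longer; an 8-character one carries about 52 bits, which is within reach of offline guessing once the handshake has been captured.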
Your Computer (localhost)
Your computer can leak information out of your local network if you are not careful. The browser section covered many of the most common leaks, but if your computer is infected with a keylogger or other malware, data may be leaked and all of your network security can be bypassed. Likewise, on an open network, someone may try to break into your computer over the network. There are a few things you can do to mitigate these risks:
Keep your Operating System updated. It's easy to fall out of the habit of installing the latest updates for your OS, but these often patch security holes that can be exploited. Along the same lines, keep your software updated, especially major programs and anything that uses the Internet, and do NOT use an unsupported OS. Windows Vista Home and Ultimate editions reach end of support this year in April, so upgrade before then; otherwise it'll only be a matter of time before an unpatched hole allows unassisted malware installation on your computer because you are running an unsupported OS.
Just as important as keeping your OS updated is keeping your software updated. Key programs that should be kept updated are your antivirus/antimalware/firewall solutions, your web browser of choice, your PDF viewer, Java (if installed), Microsoft Office (if installed; it can be updated through Windows Update), and your media player.
Use a password! Windows passwords are trivial to overwrite if someone has physical access to your PC (which is where encryption comes in), but they are VERY useful for keeping other, unwanted people on the network out of your shared folders. You should also, of course, disable shared folders on public wifi networks.
Install a firewall. Your router has one, but on open networks, which your laptop may often connect to, your router's firewall won't be of any help. With Windows Vista/7, the built-in firewall is pretty good (and can be improved with http://www.sphinx-soft.com/Vista/index.html, which works with Vista/XP as well). The best free one is Comodo's Firewall. Its Defense+ feature is also a basic HIPS (Host-based Intrusion Prevention System) that will stop rogue programs from doing naughty things. This does an excellent job of keeping keyloggers, trojans, and worms from sending data out from your computer (keyloggers can also be effectively neutralized by using a password manager such as KeePass or LastPass).
Keep your antivirus/antimalware/antispyware solutions up to date and scan as you feel is needed. Whether you run a full-fledged real-time antivirus + antimalware solution, or a free antivirus and something to occasionally scan with like Malwarebytes, it's better to have it on your system now and not need it than to need it and not have it. Some malware makes it near-impossible to install antimalware programs and/or update them successfully. Being able to run a scan immediately after you think you've been compromised is a very nice thing. The next-best thing is to shut down your computer immediately and use a live rescue CD like the one http://support.kaspersky.com/viruses/rescuedisk offers. Antivirus/antimalware/antispyware, whether proactive or reactive, should always be considered your last line of defense.
Disable file sharing when you don't need it. This is of particular importance on public wifi. In Windows 7 this is done by going to Control Panel -> Network and Sharing Center -> Change Advanced Sharing Settings (left panel item). Expand the Public profile. Turn off Network Discovery (not strictly necessary, as it doesn't offer any real security), turn off File and Printer Sharing, and turn off Public Folder Sharing. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/advancedsharingsettings.jpg. Save the changes and exit. Next, disable your administrative shares: http://www.sysprobs.com/disable-administrative-shares-windows-7-lets-data-secret. Disabling shares you don't need is important for those "oops" moments when you connect to a network and accidentally make it a home or work network instead of a public one.
Foreign (Public) Wireless Networks
Foreign, public wireless networks are a warzone, especially the open ones. Ones properly protected and configured with 802.1x (aka WPA2 Enterprise) are better, but assume that any 802.1x network is poorly configured, that multiple people have the same key you do, and that they can see your traffic. Man-in-the-Middle attacks happen with more and more frequency, and the skill required to initiate them is at an all-time low (they can be done with just a smartphone). There are two primary technologies you can use to secure your roaming on such networks: SSH tunnels and Virtual Private Networks, aka VPNs.
NOTES:
1. For all server installs, you will need to know the public IP of your server. You can find it by visiting http://www.whatismyip.com/ from your server. Better is to use a dynamic DNS service such as http://www.no-ip.com/ (as it'll keep working even if your home IP changes). no-ip is so simple it hardly warrants directions, but their getting-started guide is at http://www.no-ip.com/getting_started.php. You will need to do this for PPTP VPN servers and SSH servers.
2. You will also need to set a static IP for your server. This is simple enough:
http://portforward.com/networking/static-Mac10.4.htm
http://www.cyberciti.biz/faq/linux-configure-a-static-ip-address-tutorial/
http://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/
SSH Tunnels
An SSH tunnel is a simple yet effective way to protect your web browsing (and select other traffic) on public wifi when properly configured, and it is relatively simple to set up (setting up an SSH server is simple on Mac OS X and Linux). Your tunnel will be a SOCKS proxy, and Firefox with QuickProxy (https://addons.mozilla.org/en-US/firefox/addon/quickproxy/) makes switching to that proxy simple, securing your web browsing traffic (I recommend Firefox because of QuickProxy, and also because Firefox can be configured to send DNS requests through the tunnel, something I've yet to find out how to do in Opera or Chrome).
First, you need access to an SSH server to log into and create the tunnel. This computer needs to be located at home and always on.
Mac OS X: enable the built-in SSH server (Remote Login): http://osxdaily.com/2011/09/30/remote-login-ssh-server-mac-os-x/
Then set up key-based logins: http://www.howtoforge.com/ssh_key_based_logins_putty (the instructions are for PuTTY as it's fairly cross-platform and lets me post a single set of instructions, for guide simplicity; feel free to use any client you wish, though).
You will then need to forward port 22 to your Mac on your router so you can access the SSH server while on the go: http://portforward.com/.
Linux: Simply install OpenSSH (or your SSH server of choice). Your distro's documentation should have sufficient instructions on how to enable key-based authentication and disable keyboard (password) authentication. It won't be any different from the instructions for Mac OS X if you use OpenSSH. Then likewise forward port 22 to your Linux PC on your router so you can access the SSH server while on the go: http://portforward.com/.
Windows: Windows lacks a built-in SSH server, though a few ports of OpenSSH to Windows exist. If you are interested in this, I suggest looking up CopSSH or MobaSSH.
Now that your server is configured, it's time to configure your client (your laptop). I will do my instructions through PuTTY (for simplicity once again), so download it from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. On Mac OS X, you will need to install it separately: http://www.dotresults.com/2009/10/28/how-to-install-putty-on-os-x/
Launch PuTTY. Type the dynamic DNS (or IP) address into the Host Name/IP box. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/puttysetup1.jpg
Under Connection -> SSH, select Tunnels. Enter 7070 for the destination (technically any port will do, I just always use 7070 because it's easy for me to remember), set it as Dynamic and Auto, then click the Add button. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/puttysetup2.jpg
It isn't absolutely necessary, but I highly suggest saving this configuration, which requires going back to the Session panel. Enter a title in the "Saved Sessions" box (like sockstunnel) and hit Save. In the future you will just have to select sockstunnel and click Load. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/puttysettings3.jpg
Now click the Open button. A window that looks like a command prompt will open and ask for your username, so enter it. If using keyboard authentication, enter your password. If using key-based authentication with a passphrase, enter your passphrase (the earlier linked howtoforge guide for key-based logins with PuTTY explained how to load a key into PuTTY). Leave this window open.
Now we configure Firefox. Install QuickProxy (https://addons.mozilla.org/en-US/firefox/addon/quickproxy/), as this makes things simpler (you'll be able to switch to your proxy with the click of a button).
In Firefox go to Tools -> Options. Go to Advanced. In Advanced, go to the Network tab. Under "Connections" click the Settings button. Select "Manual Proxy Settings". Enter a SOCKS Host of 127.0.0.1 and a port of 7070. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/firefoxsettings.jpg. Change back to "No Proxy" and OK out of all open windows.
One more thing needs to be changed: go to about:config. Enter socks as your filter. Change network.proxy.socks_remote_dns to true. Screenshot: http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/firefoxsettings2.jpg
Now, whenever you are logged into the SSH server in PuTTY, Firefox can be switched to the proxy by just hitting the QuickProxy button.
When you're done using your SSH tunnel, disable the proxy by clicking the QuickProxy button again, and type "logout" into the PuTTY terminal window to end the session.
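Before hitting the QuickProxy button it is worth checking that the PuTTY tunnel is actually listening and working. The following is an added Python example (my own code, not from the original post or from PuTTY) that talks SOCKS5 to 127.0.0.1:7070 the way Firefox does: a no-authentication greeting, then a CONNECT request that carries the hostname as a domain name (address type 0x03) rather than a locally resolved IP. That domain form is exactly what network.proxy.socks_remote_dns=true makes Firefox send, and it is why the DNS lookup happens on your SSH server instead of on the public wifi. The hostname example.com and port 443 are constructed sample values; the port 7070 is the one configured in PuTTY above.

```python
import socket
import struct

SOCKS_HOST = "127.0.0.1"
SOCKS_PORT = 7070  # the dynamic port added in PuTTY's Tunnels panel


def socks5_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHOD=0x00 (no authentication).
    PuTTY's local SOCKS listener needs no credentials; the SSH login already did that."""
    return b"\x05\x01\x00"


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """Build a CONNECT (CMD=0x01) request with ATYP=0x03 (domain name).
    The name travels through the tunnel unresolved, so the SSH server does the
    DNS lookup. Sending ATYP=0x01 (an IPv4 address) instead would mean the
    laptop resolved the name itself over the untrusted wifi first."""
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(reply: bytes) -> int:
    """Return the REP field of a SOCKS5 reply (0 = succeeded, 5 = connection refused, ...)."""
    if len(reply) < 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def check_tunnel(hostname: str = "example.com", port: int = 443, timeout: float = 5.0) -> bool:
    """True if the local SOCKS port accepts a CONNECT to hostname:port through the tunnel.
    False if nothing is listening (PuTTY session not open) or the proxy refuses."""
    try:
        with socket.create_connection((SOCKS_HOST, SOCKS_PORT), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            if s.recv(2) != b"\x05\x00":
                return False  # no-auth method rejected, or not a SOCKS5 server at all
            s.sendall(socks5_connect_request(hostname, port))
            # Reply layout: VER REP RSV ATYP BND.ADDR BND.PORT; REP is all we need.
            return parse_connect_reply(s.recv(4)) == 0
    except OSError:
        return False


if __name__ == "__main__":
    if check_tunnel():
        print("SOCKS tunnel on 127.0.0.1:7070 is up; safe to switch QuickProxy on")
    else:
        print("no working SOCKS proxy on 127.0.0.1:7070; open the PuTTY session first")
```

Run it from the laptop with the PuTTY window open: a success means the name was resolved and the connection made from the home server's side, which is the whole point of the tunnel. If it reports no proxy, QuickProxy would leave Firefox unable to load pages rather than leaking traffic, but it is still better to know before you start browsing.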
PPTP VPN
Windows has a basic VPN built in that uses the Point-to-Point Tunneling Protocol (PPTP). It is limited in that you can only have one remote connection, it uses your Windows password (so it must be strong), and it won't work when the CLIENT is behind old or improperly configured routers. From a security standpoint, PPTP's encryption has been broken and can be cracked by someone proficient with the right tools, but from a real-world standpoint, people getting their MitM on are going after easy fish, and short of someone coming after you in particular, PPTP should be sufficiently secure. Also in its favor: it's simple to set up.
Server configuration:
NOTE: both guides also include information on port forwarding for PPTP, which involves forwarding TCP port 1723 and enabling PPTP Passthrough. This second part is important because PPTP also uses a protocol that is neither TCP nor UDP: GRE. You may have to look around a bit to find where PPTP Passthrough is on your router (GRE is also the reason why PPTP won't work when the client is behind some old routers, as they drop the GRE packets before they leave the network).
1. http://www.home-network-help.com/pptp-vpn-server.html
2. http://www.groovypost.com/howto/microsoft/setup-vpn-pptp-host-on-home-windows-7/
Client configuration:
3. http://www.home-network-help.com/pptp-vpn-client.html
4. http://www.home-network-help.com/windows-7-pptp-vpn.html
5. http://www.bol.ucla.edu/services/vpn/pptp/docs/macosx.html
6. http://tipotheday.com/2007/11/28/connect-to-windows-vpn-server-pptp-with-ubuntu-gutsy/
Make sure to always test that your PPTP VPN tunnel is being used as the default gateway. This is the default behavior for Windows clients.
Hamachi VPN with Privoxy and ProXPN Free
The last option is to use Hamachi VPN with Privoxy. It's a cross-platform solution, and Lifehacker has a guide for it: http://lifehacker.com/5763170/how-to-secure-and-encrypt-your-web-browsing-on-public-networks-with-hamachi-and-privoxy
A managed, simple, free VPN service is https://proxpn.com/. Note that you are using their service, so they are your exit point. To me, this is less ideal, as you do not control the exit point. Also, you have to use their [proprietary] VPN implementation, as the free service does not include PPTP access and their free VPN implementation is incompatible with all other VPN clients I know of. Still, for simplicity it wins hands-down, and it will protect you from Man-in-the-Middle attacks.
That's all for this section. By following some of these tips, your public wifi browsing is now secured, and you have much less to worry about. If you didn't like these solutions, or need a more robust one, tomorrow will cover how to install OpenVPN on Windows.