Wednesday, April 14, 2004

Microsoft's Ten Immutable Laws of Security

Microsoft hires some of the smartest people I know. Really smart people can explain technical concepts in plain language, and Microsoft’s security team did just that in a white paper called “The Ten Immutable Laws of Security”. The list came out in 2000, but the advice is timeless. The ten laws are worth remembering, and if you want help remembering them Microsoft has them in the form of a screensaver. Microsoft has some good commentary along with each of the ten laws, but there’s more to be said about each of them. Here they are, somewhat paraphrased, with my own commentary replacing Microsoft’s.
Run software from a bad guy, and you’ve given away your computer.
That’s the “don’t take candy from strangers” principle. Keep this in mind, and you can avoid a lot of trouble. On a typical desktop machine, running a program requires as much trust from you as handing over the keys to your car.
The practical problem you run into if you try to live by this principle is that it’s too hard to tell when you’re running a program. Browsing to a Web page may run JavaScript code. So may reading a piece of HTML email, depending on the settings in your email program. So can previewing a piece of HTML email. Double-clicking a file either opens a document or executes a program in the file, depending on the file’s extension. Everybody knows what a .EXE is, but normal people with non-computer jobs can’t be expected to know that a .PIF or a .SCR may be a program. To make matters worse, virus authors know several tricks to keep an extension from showing up on the screen. There’s a security hole waiting to happen as long as random software is allowed complete access to the computer.
Microsoft addressed this problem starting with Windows 2000. If you run as a normal user instead of running as Administrator, and if you installed to an NTFS volume, then you can’t modify the system files and therefore any virus running on your account can’t either. On the other hand it can still send out embarrassing email or wreck your documents.
The open source world has a potentially more powerful solution. They have a program called systrace, which was originally developed for the ultraparanoid OpenBSD operating system and has been ported to Linux. You can use systrace to specify in great detail what a program is and isn’t allowed to do. For example, you could restrict your mail program so that it could only save files in certain directories, could only read certain files, and so on. Systrace can watch a program’s normal behavior and build a set of permissions that allow routine operation but nothing more.
Allow operating system changes from a bad guy, and you’ve given away your computer.
That looks redundant to the first law but it really isn’t. You can partly protect yourself from evil application software by logging in to a non-Administrator account. But you have to be logged in as an Administrator to install system software.
Use extra care to get system software from trustworthy sources. Email is not a trustworthy source; quite a few people got burned when bad guys sent around forged email that seemed to come from Microsoft and claimed to contain a “system update”. Of course the program attached to the forged email was a worm and not a system update.
Device drivers are system software. Have you seen a Blue Screen of Death recently? That’s an operating system crash. If you’re running newer versions of Windows, usually Microsoft’s code was running OK and a buggy device driver caused the blue screen.
Make sure to get device drivers and driver updates direct from the manufacturer.
Let a bad guy tinker with your computer, and you’ve given it away.
There’s no substitute for physical security. Did you know that there are free programs that allow a person to change the Administrator password of a Windows machine from a boot disk, without knowing the original password? Did you know that there are keystroke recorders that fit inside the keyboard cable, look like RF suppressors, and can log everything you type including all your passwords? Allow a stranger more than a couple of minutes alone with your computer, and you’re showing a lot of trust.
Let a bad guy put software up on your web site, and you’ve given it away.
You don’t take candy from strangers. Don’t let strangers give candy to your website visitors.
Use dumb passwords, and you’ve wiped out your security.
Password guessing programs are really good these days. They can try every word in the dictionary, make substitutions like “$” for “s” (so “pre$ident” is a weak password), and many come equipped with lists of commonly chosen passwords. Some even have the complete text of all the Star Wars episodes. And they can try tens of millions of passwords every second.
The strongest passwords that are still halfway memorable are random phrases built from a word list like the one on Diceware. You pick the words by rolling dice. A four-word phrase is all the security a normal person needs. Check first whether your operating system or application allows long passwords. Microsoft began allowing 127 characters in passwords with Windows 2000. Linux and the BSDs allow long ones as well. Mac OS X prior to 10.3 only uses the first 8 characters in a login password.
Forget lines from songs, and things like that. They’re too easy to include in a password guessing program. Ditto keyboard patterns.
Here’s my personal heresy. If it’s too hard to remember, write it down. How much is access to your computer worth? If it’s less than a hundred dollars, just carry the password in your wallet. If you do home banking, then your passwords are worth more and you should store them wherever you keep valuables. In any event you are more at risk with a simple password than with a written password in a protected place.
At least, please, please change all the default passwords for your firewall, wireless access point and so on!
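Here is an added example, written by me rather than taken from the post or from Diceware, of the two points above: picking a passphrase by dice roll from a word list, and why “pre$ident” is still a dictionary word as far as a guessing program is concerned. The 36-word list is a constructed stand-in (the real Diceware list has 7776 words indexed by five dice), and the entropy figure for four real Diceware words works out to about 51.7 bits.

```python
"""Added example (not from the original post or from Diceware): pick a
Diceware-style passphrase by dice roll, measure its strength, and check
whether a 'clever' password is just a dictionary word in disguise."""
import math
import secrets

# Constructed 36-word list, indexed by two dice (6 * 6 = 36 entries).
# Entry (1,1) is the first word, entry (6,6) the last; see roll_index().
TOY_WORD_LIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gable", "habit", "ideal", "jewel", "kayak", "label",
    "maple", "noble", "olive", "pearl", "quart", "rebel",
    "salad", "tulip", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta",
    "ember", "flint", "grove", "honey", "ivory", "jade",
]


def roll_index(rolls):
    """Turn dice faces (1..6) into a list index: (1,1)->0, (6,6)->35 for two
    dice, (6,6,6,6,6)->7775 for the five dice of the real Diceware list."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("a die shows 1..6")
        index = index * 6 + (face - 1)
    return index


def roll_dice(count):
    """Roll `count` fair dice with a cryptographic RNG (secrets, not random)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def make_passphrase(words, word_list=TOY_WORD_LIST, roll=roll_dice):
    """Pick `words` words by dice roll. `roll` is injectable so a caller can
    replay physical dice rolls written down at the kitchen table."""
    dice, size = 0, 1
    while size < len(word_list):
        size, dice = size * 6, dice + 1
    if size != len(word_list):
        raise ValueError("word list size must be a power of 6")
    return " ".join(word_list[roll_index(roll(dice))] for _ in range(words))


def passphrase_entropy_bits(words, list_size=7776):
    """Entropy of `words` words drawn uniformly from `list_size` candidates.
    Four words from the 7776-word Diceware list give about 51.7 bits."""
    return words * math.log2(list_size)


# Substitutions guessing programs try automatically; undoing them shows
# whether a password is really a dictionary word dressed up.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})


def is_disguised_dictionary_word(password, dictionary):
    """True if the password, with common substitutions undone and case
    ignored, is a plain dictionary word (so 'pre$ident' is still weak)."""
    return password.lower().translate(LEET_MAP) in dictionary


if __name__ == "__main__":
    print(make_passphrase(4))
    print(f"{passphrase_entropy_bits(4):.1f} bits for four Diceware words")
    print(is_disguised_dictionary_word("pre$ident", {"president"}))
```

The word list must be a power of six in length so that every dice roll maps to exactly one word and every word is equally likely; a list you trim by hand loses that property, which is why the entropy calculation assumes uniform choice over the whole list.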
Hire the wrong administrator, and you’ve given your computers away.
That one really doesn’t apply to the home user, but give it some thought at work. An undertrained or overworked system administrator can hurt you just as much as a criminal one.
Encryption doesn’t protect your data.
Seriously. All it does, when you think about it, is change the problem from keeping your data secret to the problem of keeping your decryption key secret. That’s an easier problem but still a difficult one.
The most common mass market encryption programs protect decryption keys with a password. Pick a good one.
Encryption can actually endanger your data. What happens if the only person with the key(s) gets fired, hit by a bus, or can’t drive in to your backup site after the big earthquake? Then all your data and all your backups are useless.
Think encryption through carefully if you’re going to use it for anything important.
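To make the last three paragraphs concrete, here is an added example of my own (not from the post): the data key that actually protects the files is wrapped under a key derived from a password, so the files are exactly as safe as that password, and the wrapped key is then split among several people with Shamir’s threshold sharing so that one key holder being fired or hit by a bus does not take the backups with him. The threshold sharing is my suggested mitigation, not something the post describes; the XOR wrapping is a toy stand-in for a real key-wrap algorithm, and the data key and password are constructed.

```python
"""Added example (not from the original post): a password-protected data
key, escrowed as Shamir shares so that losing one holder does not lose the
data. Standard library only; the data key, salt and password are constructed."""
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; big enough to hold a 16-byte secret


def password_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a 16-byte key-encryption key (KEK) from a password with
    PBKDF2-HMAC-SHA256. From here on the data is as safe as this password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=16)


def wrap_key(data_key: bytes, kek: bytes) -> bytes:
    """Toy XOR wrapping of a 16-byte data key under a 16-byte KEK; real
    systems use a proper key-wrap construction (e.g. AES key wrap)."""
    assert len(data_key) == len(kek) == 16
    return bytes(a ^ b for a, b in zip(data_key, kek))


unwrap_key = wrap_key  # XOR is its own inverse


def _eval_poly(coeffs, x):
    """Horner's rule; coeffs are ordered low degree to high."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, holders: int):
    """Shamir: random polynomial of degree threshold-1 with the secret as the
    constant term; holder i gets (i, f(i)). Any `threshold` shares recover
    the secret, and fewer reveal nothing about it."""
    assert 0 <= secret < PRIME and 1 <= threshold <= holders
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, holders + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def escrow_wrapped_key(wrapped: bytes, threshold: int, holders: int):
    """Split the (still password-protected) wrapped key among `holders`."""
    return split_secret(int.from_bytes(wrapped, "big"), threshold, holders)


def recover_wrapped_key(shares) -> bytes:
    return recover_secret(shares).to_bytes(16, "big")


if __name__ == "__main__":
    data_key = secrets.token_bytes(16)  # constructed: the key the files need
    salt = secrets.token_bytes(16)
    kek = password_key("acorn badge cabin daisy", salt)  # constructed password
    wrapped = wrap_key(data_key, kek)
    shares = escrow_wrapped_key(wrapped, threshold=2, holders=3)
    # Holder 2 is unreachable after the earthquake; holders 1 and 3 suffice.
    rebuilt = recover_wrapped_key([shares[0], shares[2]])
    assert unwrap_key(rebuilt, kek) == data_key
    print("data key recovered from 2 of 3 shares; the password is still needed")
```

Note what the shares do and do not buy you: they fix the single-point-of-failure problem for the key, but recovering the wrapped key still leaves you holding ciphertext until someone supplies the password, which is the “easier but still difficult” problem the post describes. Pick the threshold so that the people you can reach in a bad week can reconstruct the key, and no single person can.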
If you run your computer with an outdated virus scanner, you’ve given it away.
The virus you’re most likely to get is a brand new one that’s just starting to circulate. Unless you’re updating frequently, your antivirus software won’t recognize it. Some antivirus software may catch it anyway, but running software like that will waste your time with false positives.
Set your antivirus software to update automatically, pay the subscription fee to keep the updates coming, and check whether the updates are actually happening.
You’re not anonymous, no matter how hard you try.
You can make yourself harder to find, but not impossible to find. In the worst case, someone could identify you by your writing style with computerized text analysis, and all the anonymizing technology in the world wouldn’t save you.
Which brings us to Microsoft’s tenth commandment:
Technology isn’t going to save us.
Locks and alarms didn’t end crime in the physical world, and security technology won’t end crime in cyberspace. Crime is like that wrinkle in the carpet that you can shift around but never get rid of. Your mil-spec firewall doesn’t make a difference to that nice man in Nigeria who wants to wire you a few million dollars. Your street smarts and alertness will make the difference.



