Re: Security Questions

To: "Thomas H. George,,," <georgeacct@spininternet.com>
Cc: Debian-User <debian-user@lists.debian.org>
Subject: Re: Security Questions
From: Neal Lippman <nl@lippman.org>
Date: 06 Apr 2003 10:56:35 -0400
Message-id: <[🔎] 1049640996.23683.16.camel@gandalf>
In-reply-to: <[🔎] 3E90352B.6040602@spininternet.com>
References: <[🔎] 3E90352B.6040602@spininternet.com>

A few answers, but first a question: How do you know that your network
has definitely been compromised? If the only evidence you have is that
your daughter received returned emails she didn't send, how to you know
that someone didn't generate those emails elsewhere, spoofing her email
address and reply-to header? You could gain some insight by looking at
the emails more carefully; if the emails were bounced by a mail relay
along the way and returned, then you can see by the headers if the
originated at your normal smtp (outgoing) server or not, which would
give you some information. Just a thought.

Assuming your network IS compromised (and even if it isn't), remember
that a wireless network cannot be 100% secured with current
implementations, but you can do a lot to limit breaches: employ WEP
encryption, disable SSID broadcasting, set up your router to allow
access only by specified MAC addresses (this is the hardware address
encoding into every ethernet interface, not the IP address used by the
corresponding computer), and so on. There was an excellent article on
wireless LAN security on arstechnica.com a few months ago that you
should read.

My personal preference for dealing with a compromised system is to fully
wipe the HD (repartition and reformat) and reinstall everything. There
are, I suppose, other approaches you can use - for instance, if you
compared the size, timestamp, and contents of every "system" file on a
suspected system to those on a clean distribution and found no
mismatches, it would be unlikely at a root kit was installed. I have
seen occasional references to scripts that can do this here and there,
but don't recall any of them offhand. Another approach is to build a
"snapshot" of the entire system (file name, timestamp, permissions,
size, uid.gid, etc) into a file. YOu can then periodically compare the
state of the current system to the saved database (stored, of course,
offline to avoid being changed by a malicious intruder) and that would
tell you if the system has been changed or not. That doesn't help you
here, but does help to detect a later breach. (Remember, if you do
something like this, that every time you apt-get
install/remove/update/upgrade/dist-upgrade you change the system, so you
need to run the scanner to verify system intregity before any apt-get -
to ensure the system is ok before you start -, and again after the
apt-get in order to create a new snapshot).

Lastly, bear in mind that as long as you allow an "unsecured" system
behind your firewall (your grandson's computer) there is no way to
ensure the security of your network.

Good luck.

On Sun, 2003-04-06 at 10:09, Thomas H. George,,, wrote:
> I have read Security-Quickstart-HOWTO.
> 
> I believe my home network has been compromised (my daughter received 
> returned emails she neversent) and plan to take drastic action.  The 
> network consists of DSL modem, a wireless router and four computers.  I 
> have no concerns about the family members and the houses in the 
> neighborhood are widely separated so it is very unlikely that the 
> wireless connection has been used by outsiders.  The DSL link to the 
> internet is my concern.  Here are my quesions:
> 
> 1.  How to erase hard drives?  I plan to pull one computer off line and 
> reinstall Debian Woody and Windows from CD's (Regretably I still need 
> Windows for a few applications).  Is reinstallation enough or must, and 
> can, the hard drives be wiped clean of any residual programs?
> 
> 2.  What is the best Firewall?  I have an old Compaq 486 machine with no 
> math coprocessor.  I assume I can install two ethernet cards (I believe 
> it has two PCI slots, must look though), load Woody, set up iptables and 
> a sniffer and place it between the DSL modem and the wireless router.   
> When I am ready to put this firewall in place I have all the computers 
> off line.  I will bring up the one that has its operating systems and 
> applications reinstsalled from CD's and download all the security 
> updates from Debian and Microsoft.  The procedure can then be repeated 
> for the other computers.
> 
> 3.  DHCP or static addresses?  I have been using static addresses.  I 
> believe I have seen in the references that it is possible to set the 
> wireless router to receive and transmit to these addresses only?  If so, 
> is this the best approach?
> 
> 4.  How to deal with a rogue computer?  The fly in this ointment is my 
> grandson's laptop, a gift from his father (my daughter's ex-husband). 
>  It came with XP Professional and I don't have the CD's to reistall it. 
>  My grandson likes to go on the internet and also use our wireless 
> network to print his homework on one of the printers attached to the 
> fixed computers.  Would it work and not compromise the system if I give 
> it a static address and instruct the other computer's on the network to 
> refuse any transmissions from this address?  And could I then attach one 
> of the printers to the computer serving as the firewall and allow all 
> the computers on the network to use this printer without cmpromising the 
> system? 
> 
> I would greatly appreciate responses to the above questions and any 
> recommendations of alternate and, or additonal steps to secure the network.
> 
> Tom George
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

References:
- Security Questions
  - From: "Thomas H. George,,," <georgeacct@spininternet.com>

Prev by Date: Re: Security Questions
Next by Date: Re: default run level
Previous by thread: Re: Security Questions
Next by thread: Re: Security Questions
Index(es):
- Date
- Thread