I apologize for the delay in getting the next post out. I can assure you the CIA hasn’t had me assassinated. At least not yet, you never know what madness the US will try next.
Speaking of CIA sponsored assassination teams, what if I told you the former terrorist kingpin Osama bin Laden actually did something right?
I’m not going to try to defend his actions, that would be impossible. Instead, I’m going to tell you how to take a lesson out of his play book to help you keep a low profile.
Security through obscurity
The basis of security through obscurity is relying on concealment to hide vulnerabilities. Osama bin Laden relied on security through obscurity by hiding in a rather obscure area of Pakistan, which gave him a measure of safety. Obviously he would have a tougher time staying under the radar if he suddenly decided to walk the streets of New York City or London.
There are a number of arguments in computer science that roughly state that systems should be secure even if everything about the system is public knowledge. This is the only way to truly guarantee security. Arguments like that are perfectly valid, but sometimes you don’t have to reveal everything about your system, and I honestly don’t think that you should.
You may be familiar with “port scans.” Simply put, what happens during a port scan is a computer’s ports (the channels through which a computer communicates on a network) are individually probed to see if they are open or not. If they are open, that can generally mean that some program is “listening” to that port and so you know that it’s running. Some common ports are 80 for HTTP and 443 for HTTPS.
Applications tend to run on their default ports, so if I do a port scan then I can generate a rather nice list of applications that are likely to be running. If I have an exploit for an application that runs on port 1234, and I see you have that port open and I can conclude that you likely are running that application and I can arrange to send the exploit to your computer.
Now I own your system.
Running applications on non default ports can cause all sorts of headaches, and it’s frankly really difficult to do well.
Control your environment
Thankfully, there are things you can do to minimize your risks. Treat each application you install as another channel an attacker can use. Get rid of applications you don’t use anymore. Strongly consider removing Java and Flash from your system. These two applications are the source of the vast majority of exploits. If you do choose to keep these two on your computer, you must update them as soon as updates are available. Exploits and patches for Flash and Java happen very quickly, and it’s a lot of work to stay on top of. I normally don’t like things that automatically update, but seriously consider setting Flash and Java to autoupdate.
The important of open source
I love open source. Software that has had it’s source code released (as happens in the case of open source) tends to be much more secure. When you have dozens, hundreds, or thousands of people looking at the source code, errors are noticed and patched right away. When the source code is closed (like almost all Microsoft products) errors are harder to find and are easier to exploit.
Make it a point to use at much open source software is possible. I’m not going to get into a philosophical rant about why I think software should be free, but both from a practical and a cost perspective open source software is the way to go.
Osama’s digital mistake
Osama got the hiding thing right (well, at least for 10 years), but he still forgot something simple: encryption. If he had properly encrypted his files then all of the data that was gathered by the US Navy Seals would have been useless. Alas, he wasn’t wise enough to encrypt his data, and a lot of useful and actionable information was extracted from the USB drives, memory cards, and hard drives that were recovered on site.
Encryption has gotten to the point where it’s silly not to use it. It’s extremely easy to do, takes almost no time, and is almost transparent to the end user. I’ve even show you how to do it with Windows 7 and Mac OSX.
Encrypt your files.
Senior Editor, CryptoFort.com