Some computers are too important to be networked

There is a common defensive computing thread in two recent stories.

In the first story, Newsweek reports that both presidential candidates had their campaign computers hacked from afar. As they put it:

The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." ... Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information... "

The second story involves a former Intel employee who allegedly stole trade secrets. As CNET's Stephanie Condon writes, the employee resigned, yet continued on the Intel payroll for a few weeks (perhaps working off vacation time). During this transition period, he started working for Intel rival AMD, yet he remained in possession of his Intel laptop and still had access to Intel's computer network. The FBI later found him in possession of "top secret" Intel files worth more than $1 billion in research and development costs.

The lesson is clear. If you have really valuable or sensitive files, don't make them remotely accessible. Cut the wire. Some files should never be available off-site.

If this means buying a new computer just to hold really sensitive files, it's money well spent.

A couple years ago, I heard someone from the hacker group 2600 give out this same advice on their radio show, Off The Hook. It made sense back then and makes even more sense now.

Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement.

If you put sensitive files on a laptop computer, then consider storing it in a safe when not in use. If you have a small safe, get a small laptop or a Netbook.

Laptops need more than just cutting the Ethernet wire. To begin with, turn off the Wi-Fi radio (there is probably a switch or a function key for this). If the laptop has Bluetooth, physically turn that off too.

Then, turn off the networking features in the operating system.

On Windows, turn off file sharing for every network adapter and turn off every network protocol. Then, disable all the network adapters.

Finally, disable the underlying Windows services that handle networking. On Windows XP this would be: Wireless Zero Configuration, Server, Computer Browser, Workstation and SSDP Discovery. Then since, the machine will be off-line forever, there are quite a few other Windows XP services that won't be needed and can be disabled: Automatic Updates, Distributed Link Tracking Client, Distributed Transaction Coordinator, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, Network Location Awareness (NLA), Network Provisioning Service, Remote Desktop Help Session Manager, Remote Registry and WebClient. The laptop I'm writing this on also has an Infrared Monitor service. I don't know what it's for, but I keep it disabled.

All told, this isn't much work and doesn't involve much expense. Yet, it's great insurance and can leave your sensitive files better defended than those at Intel and each presidential campaign.

See a summary of all my Defensive Computing postings.

[mynameiscoffey]

I hear about things like this all the time, I don't know why companies continue to allow this.

Might want to add heavily restricting the USB Mass Storage Devices. I've seen people walk off with sensitive information on their iPods before.

[htan68]

Infrared is can be use to transfer data to other devices with infrared support.

[cheddazneez]

"Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement."

Boot level authentication or full hard disk encryption will only protect the machine and data if the computer is compromised when shutoff (like a stolen laptop). Once you are booted into Windows, these types of measures will provide little to no help.

Your Windows password will remain weak. In this sense, the second best measure that can be taken behind the obvious "abstinence" of remote access would be a 2 or 3 factor authentication approach, something you have (physical token - smart card, OTP app on cell phone, etc), something you know (PIN), and for extreme security (3FA), something you are (some sort of biometrics)...

[mhinnewyork]

Good point about boot level authentication and full hard disk encryption only being useful if the computer is powered off. I should have mentioned that. Michael Horowitz

[TheBrewerySysop]

Though most of the hack tools (if not all; I don't pretend to be an expert or even a very good hacker) require you to boot into something else, so the passwords make sense. Though correct me if I'm wrong, can't you jumper a pin on most BIOS to reset them to factory defaults (i.e. no longer have a password)? If so, then drive encryption is really the way to go.

Regarding the jumper pin to reset the BIOS - this was true years ago, but is no longer possible on newer laptops.

[cheesehead2]

These are all terrific suggestions. I have a problem with the assumption that it has to be this way. Sun was right - the network is the computer. The article goes through a lot of guidance in how to make your computer a dead brick. Besides, the most valuable stuff for them to sift through is communications (email). Therefore, the computer isn't even a target. This is why the military has separate networks and protects the gateways. There are two issues here.
1) Windows is too expensive. What is your time and security worth? Windows is a POS that is fantastically high maintenance and therefore expensive. Microsoft for 15 years now has shown contempt for security. They're trying to bolt it no now, but it still doesn't work. The fact that there has NOT been some world wide class action lawsuit for their delivery of products that don't work and are WILLFULLY insecure is something I will never understand. Basically, you could do everything suggested above, or simply get a different operating system. Pretty much ANY other operating system (cp/m) it more secure.
2) The network is the computer. What's the point of having a computer you're not going to use? Very little can be done on the hardware side, but the article has some reasonable suggestions. I encrypt my home directory and personal swap on the hard drive. Every OS has that available. I save sensitive files in my home directory and put large files and different "media" directory (pictures, music) for performance. Depending on the level of encryption, that serves as a very effective deterrent for people stealing the data. However, one someone has physical access, all network and software security bets are off. The main problem is software security. If you software is insecure, get different software.

For this and many reasons, many years ago I made a decision to not own windows. I do my best not to use it. This one decision has brought so much peace to my life. No random crashes. No pressure to run the latest updates to apply the newest bugs. No constant worry and expense of maintaining a operating system just to deal with security issues. I have LOTS of free time that was once spent rebooting and patching. Sure I don't have everything I want (hardware drivers are the biggest issue - you can't just get a device and expect it should work)., and I still have to tolerate windows computers once and a while, but my computers now last longer, are more productive, and are therefore more affordable.

[celticbrewer]

Those are good methods to isolate your data. But, c'mon- what's the point of isolated data if you can't have people working on it and using it? Any computer with internet access is a target. Firewall or not, there's a way in. Critical services and information need to be on an internal network without any path outside- either via the internet or on physical media (from thumbdrives to prints/faxes).

[mhinnewyork]

Agreed. I was thinking of a small business that might, for example, run their payroll on a dedicated computer that is never connected to the Internet. But your point about an internal network that is never directly connected to the outside world is the same concept, just scaled up. Michael Horowitz

[ivorycruncher]

Haven't you seen Mission Impossible with Tom Cruise? Even the Fort Knox of standalone non-connected computers can be hacked. ;)

[mhinnewyork]

The idea that a foreign entity hacked into the computers of a presidential campaign, and did it remotely, is right out of a movie. Michael Horowitz

[alh42]

The problem is... Information isn't like some gold bar, information is worthless if you lock it up.

For the information to be worth anything to the organization, you have to let people access it, use it, and develop it.

Information only has a worth when put into the mind of a human, it doesn't do any good on a harddisk in a vault.

So you will always have the access problem as long as people insist on monopolizing information.

[mhinnewyork]

Your point is valid. There are extremes and each extreme is sub-optimal. In the cases I mentioned though, it appears that sensitive files were too shared. There needs to be a happy medium. Michael Horowitz

[supertramped]

Perhaps instead of having an isolated computer one could store important information and files on an external Hard Drive and then "secure" the hard drive when not in use... Therefore providing an easier and far more affordable way of protecting the "valuables" but not making this so called "brick" of a computer to be stored away with very little usability options... Just my contribution...