From the It Takes a Thief department:
The most highly skilled, best funded, most capable covert digital-data collection agency in the U.S. has issued a set of best practices on how businesses and consumers can keep their data safe (from agencies other than it).
The National Security Agency has put out a set of recommendations (PDF) with a series of surprisingly doable, surprisingly banal security recommendations.
The National Security Agency (NSA), created to eavesdrop on the radio and telecommunications systems of the USSR, Communist China and other Cold War opponents of the U.S., still leads signal-intelligence gathering for the U.S.
It used to do that primarily through the ECHELON network of satellite- and land-based listening stations.
These days it listens in on cell-phone networks, satellite phones, wired and wireless Internet connections and data mines through records of Internet activity worldwide.
The group once jokingly for its extraordinary level of secrecy, isn't supposed to spy on people within the U.S.
It has apparently done so in the past and may be doing it now, however, under restriction-easing rules such as The Patriot Act, which were designed to make it easier for law enforcement to chase terrorists.
Because of the level of secrecy about a group once jokingly referred to inside the beltway as "No Such Agency" because no one who knew about it was supposed to admit it existed, it's impossible to know exactly what its abilities are and on whom it is listening.
So, when the ultimate black-box agency comes out with a set of security recommendations, you'd think they'd be more sophisticated than "install your patches" and "change the default password."
They are, but not by much:
- Migrate to a modern OS and hardware platform – 64-bit versions of Windows are much harder to crack and ship with most of their security settings set to "On." Be sure to set Windows Update to Automatic.
- Install a comprehensive host-based security suite – Host-based intrusion prevention (HIPS), anti-virus, anti-phishing and safe browsing provide layered defense. Cloud-based reputation-protection services keep a history of your updates, attacks and incidents with malware, improving your protection.
- Limit use of the administrator account – Don't give the janitor Root on the Domain Controller.
- Use a web browser with sandboxing capabilities – The sandbox can contain some malware; most browsers that have one also auto-update their security. Products that move the browser into a virtual machine would provide more protection, and are starting to appear commercially "but are not ready for mass consumer use."
- Update to a PDF reader with sandboxing capabilities – Same deal as with the browsers. Blocking embedded URLs is a good way to start.
- Migrate to MS Office 2007 or later – Older suites don't support file formats based on XML, which doesn't allow code to execute when the document opens. The "Protected View" in Office 2010 is a read-only mode that also limits the scope of malware in an Office document.
- Keep application software up to date – You knew that one was coming.
- Encrypt your whole hard drive – Most corporations don't do this because end users break them, forget passwords, or store documents outside the encrypted volumes, usually because the extra step or two required to access encrypted files is too much of a pain. Good luck getting them to cooperate en masse, but this one provides a huge security boost.
All the advice is run-of-the-mill except this:
Implement an alternate DNS provider -- using your ISP as your primary DNS doesn't usually give you extra security such as the ability to blacklist dangerous web sites. Open-source or commercial DNS providers.
Anyone who's done it knows messing with the DNS settings on your PC can FUBAR you faster than almost any other DIY project that doesn't involve randomly deleting things from the Registry. Follow the instructions and print off the 800-number for Google support before you start.
Operational Security (OPSEC)/Internet Behavior Recommendations:
Considering its whole purpose is to take advantage of people who don't do these things (and even those who do), you'd think this section would be the most important in the NSA's network-of-fear brochure.
Like the rest, most of the recommendations are the things most people already know, but don't follow:
- Hotspots and kiosks – "Susceptible to adversarial activity," which makes digital espionage sound much more exciting than some creepy guy with a sniffer vacuuming up your passwords while you sit in Starbucks browsing English Translation sites trying to figure out what Venti means.
- Exchanging Home and Work Content – Don't leave anything on the bus; don't forward secret stuff through email. Email isn't encrypted, so anyone with access to a router between you and your correspondent can read yours as it flies by.
- Storage of personal information on the Internet – There's no problem with this. Really. Sony's data-breach debacle notwithstanding. And Epsilon's. And TJMaxx. And Epsilon. And TJMaxx. Texas. Verizon. OmniCare. Sony, again. And a third time.
- Basically: Don't put secret stuff on social networking sites; use secure or encrypted (HTTPS, SSL) Internet links when you do your online banking; use different usernames for home and work emails so it's harder for Adversaries to find you, and use encrypted connections for those, too. Use passwords complex enough that you can't remember them, but don't write them down. Change them frequently.
- Smartphone pictures are dangerous? – GPS metadata attached to your smartphone photos can give away where you were at any given time, so be careful of that when you post or mail photos. I would assume the photo itself would also give away where you were when you took it, but who's the security expert, here. That's right, the NSA.
Way down at the bottom, the NSA guidelines actually give some unusual recommendations that are pretty useful, but far more complex than most people are willing to look into:
- Limit the MAC addresses that can sign onto your wireless LAN so you don't get freeloaders or hackers riding along with you.
- Limit the transmit power of the wireless router so it doesn't spray Internet all over the neighborhood. All you need is enough for a good signal where you are yourself.
- Hide the SSID, the name of your wireless router, or at least change it from the default, which can tell potential hackers what kind of router it is and give them a leg up on cracking it.
- Disable scripting in the Web browser – forget it. You'll never see anything you want to see online again. Try NoScript on FireFox or NotScript on Chrome to pick the scripts or sites you want to block.
- Enable Data Execution Prevention – DEP essentially prevents anything from running that's not installed in the regions of memory able to run code. That limits buffer overflows, code buried in pages in memory and other exploits. It conflicts with some commercial apps, but not many. It's been around for a long time for Linux and MacOS, though only showed up in Windows with the debut of Vista and in Service Pack 3 for XP.
None of this guarantees the NSA won't be able to listen in to you, or that your data will be safe from hackers to break in to gaming sites, shopping sites or others to whom you give your credit-card info.
They do serve the same purpose as locking the doors to your car and not leaving a laptop out on the seat. They make it harder for someone to make you a victim and try to keep you from being so conspicuous that Adversaries decide you're a choice target.
Let the government do that instead.
Here's another link to the PDF with the full text on the NSA security recommendations.