That is why security experts aren’t surprised by the Sony story. We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.
That is a quote from Bruce Schneier, probably the leading cryptologist on the planet, whose blog I regularly read.
I’ve blogged before about computer security, and the ramifications of the NASA, Google, Sony, Target, Home Depot, JP Morgan, etc. attacks are apparent. The bad guys are winning. The market is ripe for a secure computing platform.
If I were a lawyer advising a client with questionable criminal liability, or a person in absolute need of privacy, I’d recommend the following:
Do NOT use free anonymity services such as Tor if you are transferring sensitive information. Countless people in government and journalists across the world have made this mistake. Ever heard of WikiLeaks? They got their start by creating Tor end nodes and snooping data.
Use a Live DVD like Amnesic Incognito Live System or Ubuntu Linux for anonymous browsing. It’s fairly simple to burn an Ubuntu DVD and to boot your laptop device from the DVD. The live system does not save any cache or browsing history to your hard disk.
Use a VPN to transmit sensitive information. There are two VPN types – SSL VPN and IPsec VPN. Either will do. I’d suggest subscribing to a VPN service whose infrastructure is hosted outside of the government’s reach. StrongVPN has host servers located in several friendly Caribbean nations.
Use different anonymous proxy tunnels through your VPN if you plan to access a website or service regularly and wish to remain anonymous. These services have the same limitations as Tor though and shouldn’t be used for transferring sensitive information. I explain a bit more below.
There are countless SSL/TLS encryption schemes and countless SSL/TLS software implementations, and each configuration can potentially be distinguished depending on the application software stack, operating system, hardware, etc. in use. The number of permutations among these configurations is large enough to distinguish a browser client.
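To make the point above concrete, here is an added example (not from the original post) that computes a JA3-style fingerprint, one well-known way of hashing the cipher suites, extensions and curves a client offers in its TLS ClientHello. The function names and the sample ClientHello bytes are constructed for the demo; the parser expects the ClientHello body with the record and handshake headers already stripped.

```python
import hashlib
import struct

def is_grease(v):  # RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) change per connection
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16_list(data):
    return [v for (v,) in struct.iter_unpack("!H", data) if not is_grease(v)]

def ja3(hello):
    """Return (JA3 string, MD5 hex) for a ClientHello body (handshake header stripped)."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        pos += n
        return hello[pos - n:pos]
    def take_vec(len_bytes):  # read a length-prefixed vector
        return take(int.from_bytes(take(len_bytes), "big"))
    version = int.from_bytes(take(2), "big")
    take(32)                  # client random
    take_vec(1)               # session id
    ciphers = u16_list(take_vec(2))
    take_vec(1)               # compression methods
    ext_types, groups, formats = [], [], []
    exts = take_vec(2) if pos < len(hello) else b""
    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack_from("!HH", exts, i)
        body, i = exts[i + 4:i + 4 + elen], i + 4 + elen
        if not is_grease(etype):
            ext_types.append(etype)
        if etype == 10:       # supported_groups: 2-byte list length, then u16 ids
            groups = u16_list(body[2:])
        elif etype == 11:     # ec_point_formats: 1-byte list length, then u8 ids
            formats = list(body[1:])
    s = ",".join("-".join(map(str, f)) for f in ([version], ciphers, ext_types, groups, formats))
    return s, hashlib.md5(s.encode()).hexdigest()

def build_hello(ciphers, groups, grease=()):
    """Constructed sample ClientHello body for the demo, not a real capture."""
    def pack(vals):
        return struct.pack(f"!{len(vals)}H", *vals)
    cs, gl = pack([*grease, *ciphers]), pack(groups)
    exts = b"".join(pack([g, 0]) for g in grease)
    exts += pack([10, len(gl) + 2, len(gl)]) + gl + pack([11, 2]) + b"\x01\x00"
    return pack([0x0303]) + bytes(33) + pack([len(cs)]) + cs + b"\x01\x00" + pack([len(exts)]) + exts
```

Two clients that offer the same cipher suites in a different order, or a different set of curves, produce different hashes, while the randomized GREASE values a client inserts do not change its fingerprint.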
Yesterday I read an article on a NASA security breach. Apparently, Chinese hackers hacked into the NASA Jet Propulsion Laboratory and gained full network access. Incredibly, NASA’s networks are insecure despite hackers gaining access to satellites a few years back. It’s obvious current network intrusion prevention and detection methods are inadequate.
Corporations and government agencies across the board are failing to prevent security breaches. Perhaps the same methods used by NASA for developing interstellar hardware should be used in the IT realm. If 8080 microprocessors are still used in hardware designs due to their known reliability, perhaps IT software systems should be judged for their reliability, not their features.
I currently run Ubuntu Linux on my laptop and I’m fairly comfortable with OS security. I feel it’s impossible to be completely secure. If the right people intend to hack your system there are a million vulnerabilities on the net, and another million yet to be discovered or revealed. The National Security Agency supports a secure Linux kernel; however, mainstream Linux support for the secure kernel is limited.