Archive for the ‘Network Security’ tag
Applying U.S. Government Classified Levels for Personal Use
People rely on computers more than ever and are using them to manage finances and sensitive information. Although many internet sites are implementing features to protect us, unless certain basic precautions (such as changing passwords and keeping our passwords updated) are adhered to, their efforts are greatly undermined. I am trying to come up with some reasonable practices to protect myself to an extra degree. I have drafted some personal practices roughly based on the U.S. Government’s definitions of the different levels of classified information:
Top Secret
All data (the entire drive) is encrypted with a high level of encryption (private key with pass phrase, keys and pass phrases are periodically rotated.) In no way is the computer networked. All deleted data and swap files are wiped with 30 passes. Physical security preferred. Make no paper copies of information.
Secret
Sensitive data is stored on an encrypted partition. Password protected, passwords periodically rotated. Data may be stored on portable devices and devices may be networked.
Confidential
Data on publicly accessible (Internet) servers, password protected and passwords periodically rotated. Servers are to only be accessed through channels known to be encrypted. Do not use public terminals or hot spots. All email with confidential information should be encrypted using public key encryption.
Restricted
On publicly accessible servers, sites do not provide the option of encrypted channels but are password protected. These sites should only be accessed from networks that are likely secure. Because passwords can be intercepted on these sites, they are to be changed frequently.
Unclassified
Any publicly published information, not protected in any way.
General Habits: Under no circumstances duplicate passwords between levels; reusing passwords on the same level is acceptable. Avoid using public terminals and hot spots. Only use secure passwords (long, with symbols and numbers, capital and lowercase letters) and don’t choose the option to “save passwords” unless you know that the passwords are encrypted, and then only at “Restricted” and below. Always keep the operating system and anti-virus updated with the latest material from vendors.
Using this system you should only have to know at most three passwords and two pass phrases at any given time (and maybe 2 PINs (Voicemail and Debit Card)). I would think most people probably don’t even have anything they would need to keep ‘Top Secret.’ And one can enumerate their own information and accounts and decide what belongs in each level. I’d be interested if anyone would suggest any changes.
How I Browse the Internet Securely from Starbucks
When a person accesses a public wireless access point (a hotspot), they are often very susceptible to having their browsing session spied on. There are several good posts that have been out there for a while that explain how to prevent this using SSH tunneling. Two of these posts are:
- Lifehacker: Encrypt your web browsing session
- James Strassburg: HOWTO: Tunneling HTTP over SSH with DD-WRT, DynDNS and Putty
However, I figured that since every setup is a bit different, it wouldn’t hurt to give another working example. This is meant to be an example for users with different levels of computing / networking knowledge, and not strictly a step-by-step how-to, since my setup is probably a bit abnormal. My setup also encrypts the DNS information, meaning that if someone is listening, not only will they not be able to see the data on the websites I am viewing/sending, they will not even be able to tell which sites I am visiting*.
My current home network has two Wireless Access Points (Linksys WRT54GL); the first is using Sveasoft’s Alchemy firmware, and the second DD-WRT. These are alternate firmwares that expand the capabilities of the WRT54GL router. The Sveasoft router is my gateway to the internet. The DD-WRT router is running in client bridged mode***. Client Bridged mode allows me to connect devices to the DD-WRT router in a way that makes the Sveasoft router essentially think that the devices are connected directly to it; this is the bridge aspect. However, the DD-WRT router gets its own IP, and I can run an SSH server on it; this is the client aspect.
A Diagram of what my set-up looks like when browsing from Starbucks (or any public hotspot):

1. Have the following installed:
   - An SSH client on your laptop: Ubuntu comes with one; for Windows I suggest PuTTY, see Strassburg’s how-to.
   - DD-WRT firmware on your router. Only one router is needed; DD-WRT could be installed on the router that is the gateway to the internet on your home network (the equivalent of the Sveasoft router in my diagram above).
   - Another option is to have a computer on your home network running the SSH service; this computer could be Linux or Windows. DD-WRT is not the easiest thing to get installed, so if you have a home computer, it might be best to choose this option.
2. Start the SSH service (aka sshd, the ssh daemon) on the DD-WRT router.
   - Administration Tab: Services Tab: Secure Shell: Check Enable SSHd
   - I think if your DD-WRT router is the gateway on your local network, then instead you would enable remote SSH on the Administration Tab: Management Tab. Since I am connected to the internet through another router, as far as the DD-WRT router is concerned I am connecting from the gateway (my Sveasoft router), so I am already on the local network, hence it doesn’t think what I am doing is remote access.
3. On the DD-WRT router, if it is not the gateway, under Setup: Basic Setup, enter your ISP’s DNS server. Or, as I do, you can use the OpenDNS DNS server (see their homepage for the IP address). This step is only required if you want your DNS requests to be encrypted as well.
4. If the SSH server is not running on the gateway (as in my case), enable port forwarding to the SSH server on the gateway. So on my Sveasoft router, I go to Applications and Gaming Tab: Port Forwarding, and open port 22 (or whatever port the SSH service is running on) to the IP address of the SSH server. On my layout it would be 192.168.1.50, the IP of the DD-WRT router.
5. Go to Starbucks with your laptop and get a Chai Latte. Make sure you know the internet IP of your home network before you leave home. If your IP is not static, see Strassburg’s how-to on setting up DynDNS; this gives you a name to connect to that keeps track of your home network IP. Sveasoft’s firmware and DD-WRT are both capable of this.
6. If using Ubuntu Feisty Fawn, or most Linux distributions: type “ssh -ND localhost:5555 root@123.123.123.123” in the terminal of your laptop, without the quotes. 5555 can be a different port, but I will use it for these purposes. 123.123.123.123 should be substituted with your actual home network IP address. “root” is the user name you would use with DD-WRT by default; for security reasons you should definitely use a different account if you are using a different SSH server. It should just hang there after you enter your password.
7. In Firefox, go to Preferences, Advanced, Network Settings. Select Manual Proxy Configuration, and under SOCKS Host enter “localhost” without quotes, then for the port enter 5555, or whatever port you used in the command in step 6.
8. In Firefox, type about:config in the address bar. Find network.proxy.socks_remote_dns and click it so it is set to True. This sends your DNS requests through the tunnel as well, so names are resolved at the home end instead of by a cleartext lookup at the hotspot.
9. Fire up Wireshark as the root user and make sure the packets are actually being encrypted as you browse.
10. Enjoy your browsing and chai latte. Please note that with this how-to, only the internet activity from Firefox is being routed to your home network encrypted; nothing else is.
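As an added example (not code from the original post or from DD-WRT), the following shows the SOCKS5 request format that the “ssh -D” listener speaks, with the remote-DNS form (what socks_remote_dns = True produces) beside the locally-resolved form, plus a small client that opens a connection through the tunnel; the proxy port 5555, the sample hostname and the 192.0.2.10 address are assumed or constructed.

```python
import socket
import struct

# Added example, not code from the original post: the SOCKS5 CONNECT
# request (RFC 1928) Firefox sends into the "ssh -D" listener. With
# socks_remote_dns False the browser resolves the name itself (cleartext
# DNS at the hotspot) and sends ATYP 1; True sends the hostname (ATYP 3).
SOCKS_VERSION, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 1, 1, 3

def build_connect(host, port, remote_dns=True):
    """Encode CONNECT host:port; remote_dns mirrors socks_remote_dns."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    else:  # name already resolved on the laptop: host is a dotted quad
        addr = struct.pack("!B", ATYP_IPV4) + socket.inet_aton(host)
    head = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0)
    return head + addr + struct.pack("!H", port)

def parse_connect(req):
    """Decode a CONNECT request and report where the name is resolved."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    return {"host": host, "port": struct.unpack("!H", rest[:2])[0],
            "resolved_by_proxy": atyp == ATYP_DOMAIN}

def connect_via_tunnel(host, port, proxy_port=5555):
    """TCP-connect through the local ssh -D listener, handing it the
    hostname so DNS happens at home. Needs a live tunnel (not run offline)."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(b"\x05\x01\x00")  # greeting: one auth method, "none"
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("proxy refused the no-auth method")
    s.sendall(build_connect(host, port, remote_dns=True))
    reply = s.recv(262)  # VER REP RSV ATYP BND.ADDR BND.PORT
    if len(reply) < 2 or reply[1] != 0:
        s.close()
        raise OSError("CONNECT failed: %r" % reply[:2])
    return s
```

Comparing the two encodings in Wireshark is the quickest way to confirm step 8 took effect: with remote DNS on, the only thing leaving the laptop is the SSH session, and no DNS query for the site appears on the hotspot.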
*This is one shortcoming of Strassburg’s How-To.
** Not entirely true, I do of course use encryption on my own wireless network.
*** My explanation of client bridge mode isn’t entirely accurate, but for my purposes, it essentially works the way I have described above, see: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=68