Security for the paranoid

Even a paranoid can have enemies

Comment: Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?

"You can't ever find a place that's nice and peaceful, because there isn't any. You may think there is, but once you get there, when you're not looking, somebody'll sneak up and write F*** you right under your nose." --J. D. Salinger, American Novelist

Something strange happened to me recently: a friend told me I was too paranoid when it comes to security. It was strange because he was the third person to tell me that in a couple weeks. Sure, I expect most people to call me paranoid, but these were all colleagues in the security industry. Is it time to worry when security professionals consider you too paranoid?

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

The first thing I did was try to understand the word paranoia. After checking a few dictionaries I found that it was a psychotic disorder characterized by delusions of persecution, grandeur, or excessive distrust. What is a delusion? It's a false belief held despite evidence to the contrary.

Are extreme security measures acting on false threats that don't really exist? Some consider some of my security strategies a bit extreme. I call it meticulous precaution. Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?

Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.

It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me. That's really not the point. There's no need to analyze the threat of every situation. Just practice strong security always and you should be okay.

I frequently see people posting PGP signed e-mails to security mailing lists. It's not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important. If you always practice the best security, you never have to worry about mediocre security.

I use very long passwords for everything, even with the lamest accounts I have. I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.

I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it's good security. I try to run my own network the same way I tell my clients to.

Is this prudent and sensible proactive security or is it mental illness? Do you need a threat to practice the defense? I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.

I use a unique, secret e-mail address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check the e-mail address they used to see if they sent it to the secret address.

Of all the changes Microsoft has made towards security in the last few years, the most notable in my opinion is that they now secure against threats that to many seem minor or that might not even exist. Is it insane and delusional for them to protect themselves from threats that haven't even been invented yet? Is it a senseless preoccupation to defend the inner layers rather than just focusing on hardening the outside?

I keep my PCs turned around so I can tell if anyone has installed a hardware keylogger.

I never check in luggage when I fly.

I do my Internet browsing from a locked down VMware box that has no rights on my network.

I use terrafly.com to see what others might be able to see about my home.

It takes five passwords to boot up my laptop and check my e-mail.

One of those passwords is over 50 characters long.

I also delete unused services on my servers. I block unused ports. And I install hotfixes the day Microsoft releases them.

Henry Kissinger said that "Even a paranoid can have enemies." The fact is that we don't know all the current and future threats so we might as well treat everything as high security. I do, but then perhaps I'm just paranoid.

Copyright © 2005, SecurityFocus

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.
