Privacy Defended

Gary Bahadur, cofounder and Chief Information Officer of Foundstone, Inc., has been providing security consulting and training services to Foundstone's clients for the past two years. He implements the technical infrastructure necessary to provide services to Foundstone's clients. Prior to starting Foundstone with his partners, he performed security consulting and training services for Fortune 500 companies as a consultant and manager for Price Waterhouse and Ernst & Young. Bahadur has been involved with numerous ethical hacking tests and network reviews covering various firewalls, Unix, Windows NT, Novell networks, Web servers, Internet connectivity, and SAP security during the past seven years. He has helped develop methodologies for network security reviews and security classes. He is a frequent speaker at security conferences and writes for a number of security-related publications. Bahadur holds a Bachelor of Science degree in information systems/finance from New York University and is a Certified Information Systems Security Professional (CISSP). He can be reached at gary@privacydefended.com or gary@foundstone.com. William Chan is a cofounder and the Vice President for Educational Services at Foundstone, Inc. He is responsible for managing and delivering Foundstone's "Ultimate Hacking" series of classes. These classes have been well-received by several hundred security professionals from the private sector as well as from security practitioners in the government and the military. Chan has been involved with information security and privacy for the past 10 years. He has performed numerous security consulting engagements, advising clients on security and privacy-related issues. He has worked primarily in the financial services industry and has spent several years providing consulting services to a wide variety of organizations. Chan holds a Bachelor of Science degree in computer science from Rensselaer Polytechnic Institute and a Master of Science in information systems from Pace University. He is also a Certified Information Systems Security Professional. He can be reached at william@privacydefended.com or william@foundstone.com. Chris Weber is a security consultant for Foundstone, Inc. He is adept in many facets of information technology and secure network computing. He has performed numerous ethical hacking tests, security architecture reviews, and secure application analyses. Prior to working at Foundstone, he worked for VisionAir, performing enterprise network assessments and mission-critical system implementations for some of the largest police departments in the U.S. Weber's public work includes course development and advisory board membership at the SANS Institute. He has also been a security tutorial honoraria speaker at the USENIX 10th Annual Security Symposium in 2001 and a co-instructor at the Computer Security Institute's 2001 Network Security conference in New Orleans. Weber holds a Bachelor of Science in information systems and marketing from the University of North Carolina at Wilmington. He can be reached at chris@privacydefended.com or chris.weber@foundstone.com. "And progress is not intelligently planned, It's the facade of our heritage, the odor of our land..." Greg Graffin, 1989

(NOTE: Each chapter concludes with a Summary.)

Introduction.


What's So Special About This Book? The Problem. The Cause. The Solution. Here to Help.

I. LIFE IN THE DIGITAL AGE: WHY WE WANT AND NEED PRIVACY.

1. The Quest for Privacy in the Information Age.


Growth Factors. The Cost of Privacy. Case Study: Online Identity Search. Points of Disclosure. Appendix Descriptions. Future Trends.

2. Defining Privacy: Social and Legal Aspects.


The Historical Right to Privacy. The Path to Privacy. Security Versus Privacy. Privacy Laws. Privacy Cases. Privacy Compromise. Privacy Violation Consequences. Privacy Policy Best Practices.

3. Privacy Organizations and Initiatives.


Privacy Organizations. New Initiatives.

II. THE ENEMY IS OUT THERE: THREATS TO INDIVIDUAL PRIVACY.

4. Legal Threats to Individual Privacy.


Reasons for Privacy Laws. Threats to Privacy. Individual Threats to Privacy. Government Threats to Privacy. Business Threats to Privacy. Technologies for Legal Privacy Invasion.

5. Illegal Threats to Individual Privacy.


Hackers. Business Threats. Credit Card Theft. Spyware. Government Threats. Identity Theft. Fraud.

III. DANGEROUS TERRITORY: PROTECTING YOUR PRIVACY IN THE ONLINE ENVIRONMENT.

6. Understanding the Online Environment: Addresses, Domains, and Anonymity.


IP, Anyone? TCP/IP Addresses. The Domain Name System. Anonymity on the Internet. Current Trends.

7. Understanding the Online Environment: Web Surfing and Online Payment Systems.


Site and Portal Registrations. The Web of Marketing. Third-Party Content. Can You Trust Them? Contests and Freebies. Precautions for Web Surfing. Cookies. Web Bugs: Nasty Little Critters? Solutions: Web Surfing, Personal Information, Web Bugs, and More. Spyware. Shopping on the Internet.

8. E-mail Security.


The Mechanics of E-mail. The Dangers of E-mail. Where Does E-mail Go, and Who Can Access It? Spoofing and Spamming. Viruses, Trojans, and Worms. Pretty Good Privacy: Encrypted, Sealed, and Signed E-mail. E-mail Solutions. Secure Web-Based E-mail Solutions: Yahoo!/Zixit Mail, HushMail, and LokMail. Looking for More E-mail Solutions? Alternatives to PGP.

IV. GROUND ZERO: SECURING YOUR PC AGAINST A HOSTILE WORLD.

9. Securing Your Internet Transactions with SSL and Digital Certificates.


What Is SSL? Why Do We Use SSL? A Brief History of SSL. SSL Technically Speaking. Key Lengths and Encryption Strength. Configuring Your Web Browser for SSL. SSL Doesn't Protect Everything. Attacks on SSL. What Are Digital Certificates? What Are Digital Signatures? The Almighty Certificate Authority. Problems with Certificates.

10. Understanding Your PC Operating System and Its Security Features.


Footprinting Analysis. Vulnerability Information and Resources. Physical Security. Controlling Logical Computer Access. Patches and Updates. User Accounts and File Security. Security Resources: Share-Level and User-Level. Using Policy Editor and Enforcing Password Security. Password-Protecting the Screensaver. Service Packs. Windows NT Passwords. The Windows NT Audit Policy. Users and Groups. NTFS File and Directory Settings. Sharing Folders. The Windows NT Registry. Encrypting File Systems. File and Directory Settings. Lockdown Steps. Local Security Policy. Port Restrictions. IPSec. Unix/Linux. SSL, HTTPS, S-HTTP, S/MIME, and SSH. Other Tips for Your Home PC.

11. Securing Your Standalone PC: Broadband Connections.


Threats Recapped. Cable Access. Digital Subscriber Line. Dial-Up ISPs. DSL Versus Cable Versus Dial-Up. Personal Firewalls. Comparison Chart. Feature Comparison.

12. Securing Your Standalone PC: Viruses, Chat, and Encryption.


Virus Infections. Privacy and Instant Messaging. Home Encryption. Threats. Encryption Systems. Securing Files on the System. Product Comparison: Personal File Encryption. Encryption Algorithms. Password Examples. The Dark Side of Encryption.

13. Securing Your Home Network.


The Growth of Home Networking. Broadband Connectivity. The Need for Home Networks. Problems with Home Networks. Network Design. Firewall Configuration: WinRoute. Additional Internal Network Protection. Messaging Services. Secure Filter Rule Settings. Troubleshooting Potential Problems. The Ideal Firewall. Traffic Analysis. Why Test Network Security? Security Testing Procedures. Security Checklist.

V. NEW TARGETS OF OPPORTUNITY: PROTECTING PRIVACY BEYOND THE PC.

14. Securing Your Privacy Using Other Digital Devices.


PDAs. Viruses, Trojan Horses, and Malware. Mobile Phones. Bluetooth. Research In Motion's Blackberry. Backup and Other Options. The Wireless Threat. The Benefits of Wireless Technology. How Does Wireless Work? Basic Security Features. Disadvantages of Wireless. How Your Security and Privacy Are at Risk. What Kinds of Attacks Are Out There? Wired Equivalent Privacy Weaknesses. Misconfiguration. Sniffing, Interception, and Monitoring. How Can You Protect Yourself? Sample Wireless Products.

VI. FIGHTING BACK: WHAT TO DO IF YOUR PRIVACY IS COMPROMISED.

15. Parental Controls.


Benefits to Children. Threats to Children. Implementing Controls. Third-Party Products. Government Involvement.

16. Guarding Your System Against Hacking.


What Is a System Compromise? What Is Intrusion Detection? Collecting Evidence. Detecting a Compromise. Security Maintenance Measures. Defining Baseline Security Standards.

VII - APPENDIXES.

Appendix A. Personal Firewall Software.
Appendix B. Antivirus and Anti-Trojan Horse Software.
Appendix C. Parental Control Technology.
Appendix D. Encryption and Privacy Software.
Appendix E. Selected References.
Index.