Be Your Own Security Expert

From Restart Wiki
Jump to: navigation, search

Security tips we should all be following, and also encouraging those who come to Restart Parties to follow.

Very often we see laptops at Restart Parties which have become virtually unusable on account of an accumulation of unwanted or malicious programs (malware) to the extent that the users are ready to throw them out even though the hardware may still have years of life left in it. Additionally, the owner may or may not be aware or concerned that the malware could be infringing their privacy or stealing credentials for the purposes of fraud.

Key Messages

  • Run supported software and install all updates promptly. (Ditch Windows XP! Here's how, for free.)
  • Never, ever, EVER open attachments or click on links in unsolicited emails. It's trivially easy to forge the sender's name and email address.
  • Use unique passwords for all sites, especially for banking, shopping, email and social media.

Summary

Modern computers and mobile devices store vast amounts of information, some of it sensitive, and yet more of our data is in "the cloud", held by corporations such as Facebook and Google. Just as we've learned that keeping a front door key under the door mat might not be a good idea, there are important and not always obvious lessons we need to learn about keeping our digital lives safe. The basics are covered here.

The first section following this should be understandable by anyone, but later sections may assume you're comfortable with setting up and configuring your device.

Security Top Tips

Google carried out research comparing the top security tips given by security experts with the top security measures general users believed were important, and found worrying differences, as shown below.

Non-Security Expert Security Expert
1 Use antivirus software
Free antivirus products are available so certainly use one. But they can give you a false sense of security since they are far from infallible. Virus authors continually evolve their wares, testing them against a whole slew of antivirus products to ensure they can slip under your radar.
Install software updates
Malware generally gets its foothold through unpatched vulnerabilities. People sometimes worry that updates might break something. You might want to wait a few days to give the vendor time to pull a bad patch but no more. Professionals are unanimous that proactive defence by installing updates is much better than reactive defence using antivirus.
2 Use strong passwords
Yes of course use strong passwords, but just as important, don't reuse them across multiple sites.
Use unique passwords
If one site leaks your password the bad guys will try it on many other sites to see what else they can compromise.
3 Change passwords often
This is an age-old myth that has been accepted as fact in many circles. If you know or suspect that your password might have been compromised, change it as soon as you can, but if it's hard to think of a good password you can remember, it's still harder to think of a new good one every few months. Whilst changing your password is of some value, if it's leaked you may still be at risk for a number of weeks. Much better to choose a really good one, take care of it and stick with it.
Use 2-factor authentication
A password is "something you know" - a secret that can easily escape. The bar is raised very considerably by requiring you to demonstrate your possession of "something you have" (such as a token or a mobile phone) or "something you are" (such as a fingerprint or iris scan).
4 Only visit websites you know
Oh for the good old days when you could feel reasonably safe if you steered clear of dodgy sites such as porn, gambling and hacking. Today, even the most reputable websites have been known to host 3rd party ads containing malicious content, and the bad guys regularly perform automated scans for vulnerable sites which they can infect, which could include your local football club or that of a national newspaper. Now do you understand why patching is the top of the list?
Use strong passwords
Yes of course use strong passwords, and strong means long. Making your password just a few characters longer strengthens it more than using upper and lower case, numbers and symbols.
5 Don't share personal information
Of course, be careful what you share online and who you share it with, especially personal information which could lead to identity theft or the discovery of the answers to the "secret questions" many sites use for lost password recovery. But sensibly used, social networks can be fun and a good way of keeping up with friends and relations.
Use a password manager
People often worry that to use a password manager is to put all their eggs in one basket. Well, it is, and make sure you use a widely recommended one, but with a really good master password the benefit is overwhelming. Never again struggle to remember a website's password or be tempted to choose a weak one or one shared among different sites, and let the password manager choose totally random and completely unguessable passwords for you.

What have you got to worry about?

People often say that they have nothing of value on their computer so why should they worry? In fact you have more than you think, as described in this blog posting. And don't forget that your smartphone is a fully fledged computer too.

  • Your address book or contacts list is a primary target. With this, an attacker can send malicious emails to all your friends, making them appear to come from yourself. Some of your friends may then fall for social engineering tricks, click on links or open attachments in these emails.
  • Login credentials to online banking, PayPal and shopping or auction sites can and will be used to defraud you.
  • Login credentials to your email account can be used in the same ways as your address book, but worse. With full control of your email an attacker will be able to reset the passwords to many different websites.
  • Login credentials to social networking sites can be used to send malicious messages to your friends in your name.
  • Your computer may contain enough personal information to facilitate identity theft, particularly if the attacker can gain access to your social networking sites. He may be able to complement the information he gains from your computer with information from other sources.
  • Your computer may be recruited into a bot net. This is a large collection of compromised computers under the control of the attacker (the "bot herder") and used to attack websites or send out large quantities of malicious emails. Not only will your computer then be engaging in criminal activity, but it will be running slow and swamping your network connection with traffic.
  • You may be infected by ransomware. This encrypts all your files and demands payment for the decryption key.

Do your own risk assessment

Risk assessment is a key part of a security professional's job. To properly defend yourself you need to understand your adversary, his motivation and capability, your own weaknesses, and what you have to lose. For the non-specialist, you just have to sit down and think about it, with a little guidance given here.

For most people there are two kinds of threat to consider:

  • Untargeted attacks. These are mostly criminals who have no idea who you are, but if they can get a foothold on your computer they will steal whatever they can make money out of. If your computer is well defended (easier said than done) and none of the tools in their toolkit work they will generally move on to the next target.
Some people are concerned about bulk data collection by intelligence services (those of their own country or of another that their data may pass through or be stored in). The intelligence services themselves will argue that if you've got nothing to hide you've got nothing to worry about, but some people are deeply suspicious of any invasion of privacy by the state and the possibility that innocent facts might be put together to draw unwarranted implications of guilt. Make up your own mind.
  • Targeted attacks. If you have a public profile of any sort you may be specifically targeted. Journalists may be concerned about law enforcement trying to identify their sources. Public figures or anyone in the news may be targeted by journalists. Politicians and those working in politically sensitive areas may be targeted by state-sponsored attackers. Social and environmental activists are target of physical and digital surveillance. Individuals or companies in possession of valuable intellectual property or whose wealth is known may be targeted. If some important pieces of your personal information required for identity theft can be found from public sources you might be targeted for the remaining pieces. If some indiscretion has made you susceptible to blackmail that too could make you a target.

The Low-down

Unsolicited emails

If you receive an unsolicited email, clicking a link in it or opening an attachment can really spoil your day. This is probably the commonest way to get infected with something bad.

Such emails are normally part of a "phishing" campaign in which malicious emails are sent to large numbers of email addresses. Sometimes they are very crude, simply containing a link you may be tempted to click, just out of curiosity. Other times they may be quite cunning, e.g. making out there is a package addressed to you awaiting delivery. Since forging the sender's address in an email is trivially easy, the email may even appear to come from someone you know if their contacts list has been compromised.

To avoid getting caught, you should treat all emails you weren't expecting with the greatest of suspicion unless you are quite certain the sender is genuine.

Also, make sure your system is fully patched and updated in order to eliminate (as far as possible) the vulnerabilities a malicious email might try to exploit.

Passwords and Authentication

Passwords Managers

If you find choosing a good password hard, then choosing a different one for each site and remembering them is completely unrealistic for normal human beings. This is why you need a password manager. Yes, in a sense it's like putting all your eggs in one basket, and you want to choose a good basket, but the alternative is like stuffing them in your pockets.

Some password managers store your password database in the cloud, allowing you to access it from multiple devices. This is fine provided it's encrypted before it leaves your computer, and the password or key is not shared with the cloud provider.

Some provide browser integration, automatically filling in login details in web pages. This is very convenient but it has proven difficult to make browser integration completely secure. Against this there is the considerable advantage that it won't be fooled into filling in your password at a fake banking (or other) site - which you could quite easily be.

Some password managers support 2-factor authentication (see later). Properly used, this can make them very strong indeed.

You may have read about vulnerabilities in some password managers. No software is completely secure, and the important thing is whether they have been speedily fixed.

Lastpass and Keypass are two respected password managers.

Choosing a Password

With a password manager you still have you choose one master password. Make it your best one ever!

First of all, recognise that different people's brains work differently, so a scheme that works for someone who is very visual may not work for someone else who thinks more in words than pictures. Choose a scheme that works for you.

First of all, what not to do:

  • Don't use a name or dictionary word, however obscure, and in whatever language. If it's ever been written down by anyone it'll be in a hacker's password cracking dictionary. If your favourite search engine has heard of it, you need to think again.
  • Don't imagine that changing letters to similar-looking numbers or symbols (i=1, e=3, a=@, o=0 etc.) will make a good password out of a bad one. Hackers will try all such combinations.
  • Don't imagine that adding a digit (or two) or a symbol will buy you much. Just a few characters more in length will help you more.
  • Don't use a well know quotation or line from a song lyric without substantially modifying it.

Here are a few simple strategies to help you. Most depend on stringing together a few words or nonsense syllables.

  • Think of a scene you have witnessed and choose a few words describing it, e.g. PaintSpillMess2012 for your worst ever DIY disaster. Try to avoid a word order that would appear in a common sentence.
  • If you have that sort of brain, you might find a sequence of nonsense syllables relatively easy to remember, such as blipstogstaf. It's likely to help if it's easily pronounceable, and maybe if some of the syllables conjure up associations for you.
  • A variation of the above is to invent a fictitious name, such as Slippy Digglestig. Perhaps you can even build up a picture of her in your mind to help you remember her name!
  • Rhyming nonsense words can be fairly easy for some people to remember. Maybe even think of a tune they would fit to, e.g. Bingle Bongle Tiggle Tug to the first 4 notes of the Westminster chime. The repetition of letter groups means that such a password needs to be a little longer than some of the others.
  • Take the first letter of each word of a sentence or phrase. But make sure it's not a well known quotation or saying, and preferably one that is significant to you alone, or it might not be as good as you think. You might imagine that tbatstdgagitw is pretty good until you Google for it (326 hits - tomorrow it should be 327).

2-factor and 2-step Authentication

A password is something you know. If someone gets to know it or can guess it you're stuffed. So 2-factor authentication requires that you also prove your possession of something you have, such as a token or bank card, or something you are, such as your fingerprint or your iris scan. This raises the bar very considerably.

In 2-step authentication, you are sent a one-time code by text message. This is a lot better than a password on its own, but the phone networks are not secure and a criminal in possession of your password may be able to divert the text message to his own phone. It has proven relatively easy for criminals to perform a "SIM swap", pretending to your network provider to be you, so as to transfer your number to a SIM in their possession. They will now get all your text messages.

Reduce your attack surface

Each piece of software on your system could contain security vulnerabilities so it makes sense to uninstall things you don't need. This is critically important when it comes to browser plug-ins as these can often be directly invoked by websites you might visit.

In particular, uninstall the Java plugin if you have it. It is required by a tiny number of websites and has a poor security record.

Likewise, Flash has been plagued by problems, often exploited by malicious Flash-based adverts. Google for instructions for setting it to click-to-play in your favourite browser if you find you still need it.

Antivirus actually increases your attack surface considerably since it has to safely examine every type of file there is. If you feel you need to defend against the most sophisticated of attackers then arguably you could be safer without, instead relying on extreme caution and vigilance. But that's hard to keep up all the time. For most people, only concerned about random and untargeted attacks, it is probably still worth having since your adversary won't know which of a variety of products you might be using.

Backups

The importance of regular backups cannot be overstated. Many people don't learn the lesson until they lose something vital through a hard disk crash, an accidental deletion or data corruption, loss or theft of their computer, or ransomeware which encrypts their data.

You can regularly copy important files to a memory stick, but the chances are you will have forgotten to do so when disaster strikes, and if your house burns down you probably will have lost both your computer and your memory stick (not to mention your house).

Best practice is to follow the 3-2-1 principle:

  • Keep 3 copies of your data
  • Keep your data on 2 different computers or storage devices
  • Keep 1 of those copies off-site, e.g. using an online backup service or on a memory stick with a trusted friend.

Windows provides a backup utility. Get yourself a memory stick or external hard drive to use with this. You can select which files and folders to back up.

Wikipedia contains a list of many online backup services. These generally work in the background, continuously sending files to a remote server as they are updated. This means you don't have to think about it, but nevertheless, make a point of regularly checking it. When your hard disk crashes you might find it stopped working several months ago!

Some online backup services offer a limited amount of storage for free. If you are concerned about privacy, use one which offers "zero knowledge" encryption. This means that the data is encrypted before it leaves your computer. Since you have the only copy of the encryption key the online service itself has no way to decrypt it.

Data Destruction

When you dispose of a computer, hard disk or memory stick, be sure that it contains no sensitive personal data. Simply deleting files or even reformatting a disk or memory stick leaves most of the data still recoverable using simple and freely available tools.

If you are selling it or giving it away you should use a disk wiping tool, of which there are several freely available. An urban legend would have it that up to 35 overwrites might be needed to completely erase your data. If you were James Bond on a mission to save the planet from an evil empire you might choose 2 overwrites, but even that is probably overkill.

If the disk to be wiped is not your system disk, you can use Ccleaner. Under Tools, choose Disk Wiper.

To wipe a computer's system disk you can either pull it and mount it on a separate computer as a 2nd disk or with a USB adapter, or you can wipe it in the computer itself with a tool which runs from bootable USB media or from a CD. DBAN is a Linux-based utility which comes as a bootable disk image. CMRR SecureErase is a utility which can run from a bootable DOS disk and uses a built in function of modern hard disks to effect a complete erasure.

If you don't want to reuse the disk the quickest and safest option is to physically smash it with a big hammer. In modern disk drives the disk itself is often made of glass which will generally shatter into many pieces. Your job is done if you can hear them rattling about inside. If not, unscrew the lid and hit the disk directly, but be aware that if it's glass it may disintegrate into dangerous flying shards.

In the case of an SSD (solid state disk) or memory stick, the way that it stores data in order to even out wear makes it impossible to be sure you've overwritten it all. Smashing it with a hammer until you are convinced individual storage chips are cracked is the only sure way of putting your data beyond reach.

Encryption

Sensitive data may be at risk any time it's outside your full control. Broadly, there are two situation to think about:

  • Data at rest: on a storage medium such as a hard disk or memory stick which may be lost or stolen.
  • Data in transit: any time it passes over a public network it's susceptible to interception.

In both cases, encryption is strongly recommended if compromise of the data could cause you loss, harm or embarrassment.

There are two kinds of encryption:

  • In symmetric encryption there is just one secret key and the encryption process is run in reverse using the same key in order to decrypt the data. But all is lost if that secret key is compromised.
  • Asymmetric encryption uses a pair of complementary keys, a public key for encryption and a private key for decryption. The private key is only known by the recipient of the message and cannot be derived from the public key.

Data at Rest

Depending on your operating system you may be able to flag folders holding sensitive data as to be encrypted. There are utilities which do much the same by creating a file which behaves as a secure encrypted vault. This is very easy and simple, but any time you view or edit the data it's likely that fragments (at least) of that data will be left in temporary files or free space on your hard disk in unencrypted form.

Full disk encryption is much safer, but to be quite safe you must encrypt the disk before writing any sensitive data to it.

Bitlocker is available on some versions of Windows, and provides full disk encryption. A free alternative is Veracrypt. Remember that your data is only safe when your laptop is switched off or hibernated. If you lose it whilst booted up or simply suspended, the encryption key will be in memory and can in principle be extracted.

For a memory stick or external hard drive you can use Bitlocker, Veracrypt and others to create an encrypted vault. This should be created so as to occupy all available space so as to ensure no unencrypted data can be written to it. These tools generally allocate a new drive letter through which you can see the decrypted data.

When choosing a password (from which many of these tools derive the encryption key), bear in mind that an attacker in possession of your data can spend as long as he likes trying to crack it, unlike a login password which may lock the account after a few failed tries. For personal data where the loss could lead to financial fraud, a sensible minimum is probably a password length of 20 characters and not made of dictionary words or names.

Data in Transit

When accessing a website with https prefix, your data is automatically encrypted, but not all pages on the site may use https.

Emails are not generally encrypted, and the sender and recipient obviously cannot be, otherwise it could never be delivered to its destination. The easiest way to send a file securely by email is by selecting AES encryption in a compression utility such as Winzip or the free 7-Zip utility. Make sure you send the encryption password to the recipient by a different means, e.g. by text message, post, or in a face-to-face meeting.

If you use an email program that manages your email using POP3 or IMAP (for receiving) and SMTP (for sending), ensure that you use the SSL (encrypted) variants of those protocols otherwise your email password is at risk.

Public Networks

Public WiFi networks such as in cafés and hotels are very useful, both in saving your mobile data allowance and in providing connectivity were the mobile signal is poor. But there's a catch.

Using simple and freely available tools, anyone else on the same WiFi network can intercept all of your data. If any of what you are doing is in any way sensitive then you must be sure that it's encrypted, i.e. using https or web pages (including webmail) or SSL for POP3/IMAP/SMTP email if you use it. In the case of apps on your smartphone or tablet, it may not be easy to tell whether the data is encrypted. Using a public WiFi network without encryption can easily lead to compromise of your email or social media accounts.

The alternative is to use a VPN. This creates a secure encrypted pipe through which your data passes between your device and a VPN server, keeping it safe from anyone else on the same WiFi network. The VPN server then launches your data out onto the Internet. You can sign up to a commercial VPN service such as proXPN (free for a basic account), or if you're up for a technical challenge you can set up your own. Your home router may have the capability to run a VPN server or you can set one up using a Raspberry Pi or some other spare computer. Kate Russell takes you through the process in a feature she did for the BBC Click programme.

Finally, beware of rogue WiFi hotspots. As you walk around far from home your smartphone may still be sending out connection requests for your home WiFi. If your home WiFi is set to hide the SSID this is the only way it can connect (which is why this is not a good idea). Using software running on a laptop or even a smart phone it's very easy for an attacker to listen out for these requests and instantly pop up a WiFi hotspot with the same SSID. Your device will automatically connect and all your data will pass through the attacker's hands!

Physical Security

Your technical security might be great, but it's all be in vain if your device or memory stick is simply lost or stolen, unless every bit of sensitive data on it is strongly encrypted with an uncrackable key.

Laptops and mobile devices are highly attractive to thieves, and whilst most often they will only be interested in selling the device on for its hardware value you will never know where your data has gone. Never leave it unattended in a public place or in an unlocked car - it can be snatched in an instant. Even locked in the boot of your car while you pay for fuel, an opportunist may see you as the sort of person likely to be carrying a laptop and force your boot. It has been known. In a hotel room it may be stolen or tampered with by a maid while you are having breakfast.

If you regularly use a laptop away from home then a Kensington lock is a good investment. This is a steel cable by which you can secure it to a radiator, a piece of furniture or a fixed point in the boot of your car.

Physical searches and particularly border crossings can put the physical security of your computer or mobile at risk. New, wide-available tools allow for rapid copying of personal data from smartphones. The EFF is currently tracking "invasive digital border searches" in the US.

Social Engineering

This is another non-technical threat which can take too many forms to list. Beware of any unsolicited emails, phone calls, door step callers or in fact any other approaches. Some are relatively easy to spot once you know such as cold callers or emails claiming to be from Microsoft or a service provider, suggesting you have a courier delivery awaiting or offering a business or financial opportunity. Others practising social engineering may be highly skilled in their art, charming and very convincing, having researched your background, interests and contacts. Always exercise a healthy suspicion. If something sounds too good to be true, it probably is!

Further Resources

Get Safe Online is a great site giving excellent advice aimed at non-technical users.

Surveillance Self Defence produced by the Electronic Frontier Foundation also gives a wealth of advice, with an emphasis on how to protect yourself if you're a protester, dissident or journalist concerned about overreaching surveillance by government or law enforcement. Much of it, nevertheless, equally applicable to the average citizen.

If you really want to become an expert, head over to Cybrary where you can find free security training courses up to professional level. Another site highly regarded by professionals is the SANS Institute, having a huge archive of material in their Resouces section.