3DSC BONUS DAY: INFOSEC RESOURCES

The Thirty-Day Security Challenge has come to an end.  Let’s quickly run down what we covered: in week one we focused on securing your local machine.  You updated it, set up standard user accounts, did a security and privacy checkup, and scanned it with antivirus and antimalware.  Week two brought password managers, the first of the Account Security Tuesdays, and internet browser security.  The third week introduced two-factor authentication, VPNs, and smartphone security.  During the fourth week we shifted to some personal privacy tasks like locking down social media content and requesting a credit freeze.  If you did all (or most) of these tasks your security should be excellent.  Even if you only did a few of these tasks you are almost certainly much better off than when you started.  Unfortunately, security is never a finished job.  New threats are constantly emerging, and new technologies are developed to mitigate them.  Staying on top of security can be a challenge – especially if you don’t know where to look.  That is why I wanted to close this out with some additional infosec resources.  I have listed them in roughly my order of preference.

  • Reddit Privacy (https://www.reddit.com/r/privacy):  Reddit is essentially the front page of the Internet, and the privacy sub-Reddit is my favorite among all my infosec resources.  It is an unending and constantly updated collection of links to breaking and recent news.  The Privacy sub-Reddit is a great infosec resource for finding out about new tools and techniques, new attacks, political stories that impact things like encryption and privacy, and more.
  • Ars Technica Security & Hacktivism (http://arstechnica.com/security/):  Ars is one of the most trustworthy and high-quality infosec resources available (in my opinion).  Articles appearing on Ars are exceptionally well researched and vetted, and much more in depth than mainstream news sources.
  • Krebs On Security (https://krebsonsecurity.com/):  Fourteen-year Washington Post veteran reporter Brian Krebs delves deeply into the world of cybercrime – and blogs about it.  This isn’t a great site to catch up on all the latest stories, but it is worth perusing occasionally as Krebs breaks stories that few others are looking for.
  • Naked Security (https://nakedsecurity.sophos.com/):  Written by Sophos (the anti-malware company), Naked Security covers a range of stories.  Most deal with new attacks and attackers, but many also offer security advice.
  • EFF Surveillance Self Defense (https://ssd.eff.org/):  This is not a news site.  Rather, it is devoted to high-quality tutorials on security topics.  Take a look at the list of topics – there is something that will interest everyone.  Ok, not everyone… but definitely every security geek.

I hope you get some use out of these infosec resources.  Thanks again to all of you who participated in the challenge!  As I said Sunday, I will be pushing out an after-action review in a little over a week, so don’t forget to send me your comments, complaints, and suggestions, as well as your success stories!

3DSC Day 30: Recruit Others

Today is the final day of the Thirty-Day Security Challenge!  To round out the Challenge I am going to issue another ongoing task: recruit others to use encryption and increase their security.  Some of you have probably been doing this throughout.  There are plenty of good reasons to recruit others.

  1. Increase your own security.  A majority of your messaging probably occurs with just a few other people.  These people are your “inner circle”.  They are your closest friends and family members.  Convincing these people in your life to use Signal, Wickr, and ProtonMail means most of your communications are now secure.  These are also the people you probably have the most access to.
  2. Make security more common.  Increasing the number of people using encryption makes encryption more common.  Making it more common makes it more approachable to the layman.  More encrypted traffic also makes encryption by itself less suspicious.  If enough people use security tools it can also create herd immunity.  For example, assume you regularly share files with a group of friends and family members.  Keeping their computers secure helps your computer stay secure.  If their computers are malware free you have just lowered your own exposure.
  3. Increase your own knowledge.  There is no better way to solidify something learned than to teach it to someone else.  In doing so you will also probably encounter some problems, but don’t let that scare you off.  Problems are excellent opportunities to troubleshoot and learn even more.

How do I recruit others?  I recently wrote a blog post about how to convince others to use encryption.  Once you recruit others, you will have to teach them.  If you need help going through the mechanics, the Thirty-Day Security Challenge posts will still be here.  You can send them here to read the posts themselves, or use the Challenge posts as a guide to help them learn.  I should also point out that my books, Your Ultimate Security Guide: Windows 7 and Your Ultimate Security Guide: iOS, are intended for exactly this purpose.

Thank you to everyone who contributed comments, emailed me, and followed along!  I hope you enjoyed this and got something out of it.  I really enjoyed being able to interact with you, and really appreciate your participation!

ProtonMail is now out of beta.  Waiting periods for accounts are no longer required.  Additionally, full-fledged iOS and Android apps are now available.  This should make it much easier to convince others to use this service.

3DSC Day 29: Unique Usernames

Today is the final “Account Security Tuesday” in the Thirty-Day Security Challenge!  Today I challenge you to create unique usernames for all your online accounts.  Like changing passwords and adding two-factor authentication, you don’t have to do this all at once.  Do it one account at a time, at normal logins.  Why does this matter as a security measure?  There are several reasons:

  1. If someone is targeting your account, he or she has to know where to begin.  If my account is jcarroll@___.com, an attacker’s job is halfway done.  He or she knows exactly which account to begin brute-forcing.  If, on the other hand, my account is U37CUIB9L1ZV3A@___.com, he or she will have a much harder time finding the correct account to attack.  This is the most important security reason for unique usernames.
  2. If a company’s database is spilled it will not be immediately apparent that any particular account is yours.  For example, if a dating site spills its user database, you probably do not want your true name, or true-name-associated email address to appear on that list.
  3. Usernames can leak information about you.  If my username is jcarroll1975@___.com, it is a pretty safe bet I was born in 1975.  Some individuals go much further, including months and even exact dates of birth.  It would be preferable to choose a username that has absolutely nothing to do with you or any personal information about you.

So what should you use for your unique usernames?  There are several options:

  • Random generation.  This is the best option, but not all sites allow it.  Randomly generated usernames have no tie to you or your personal information.  I recommend using a random username on any account that does allow it.
  • Blur Masked Email Address.  This option is a close second.  If you have to use an email address, use a Blur address.  Emails will still be forwarded to you, but the address will have no apparent connection to you.
  • 33Mail Address.  Of the three listed here this is my least favorite option.  Though it still protects your “real” email account, frequent use of your custom domain creates linkage between accounts.  Used frequently and predictably enough it can also become easy to guess your usernames.  However, these accounts are excellent when you need to set up an account on the fly, like a retail loyalty account (and you can usually change it later).  33Mail accounts are also good when you have to verbally convey a username or email address.  Randomly generated usernames and Blur addresses are much harder to convey verbally.

This is definitely an “advanced” security technique.  Few, including those in the security community, use unique usernames.  However, it will drastically increase the security of your accounts, especially when used in tandem with strong, unique passwords and two-factor authentication.

3DSC Day 28: Backup Your Files

In January I suffered a catastrophic malfunction of my main hard drive.  After returning from a work trip I settled in to check email only to find my computer unwilling to boot.  This is not the first time I have broken a computer.  Fortunately this time I was prepared.  The step that saved me in this instance is today’s task: back up your files.

Local Backups:  Local backups are stored offline, in your home or office.  These backups are typically stored on an external or network-attached hard drive.  They protect you very well against the most common reasons for data loss, like hard drive failure.  Local backups will not protect your data against larger data loss events.  If your house is flooded, burns down, or is struck by a tornado, your data is probably gone, too.  There are some major advantages to local backups, though.

Local backups can be incredibly up-to-date.  This is especially true if they are automated and occur over Wi-Fi, like Apple’s Time Capsule.  Backups that require user involvement, like plugging in a hard drive and running them manually, may occur less frequently.  The other major advantage of local backups is security.  Backups that are only stored in your home are much, much safer from data breaches than those stored in the cloud.  Cloud backups have some serious advantages, though.

I recommend creating a local backup, even if you choose to do an additional offsite backup (offsite backups are described below).  The tools and techniques you use will vary depending on your operating system.

  • Windows systems: There are several methods you can use to back up a Windows machine.  If you only wish to back up select files, check out CryptSync (described below in Offsite Backups).  If you wish to use Windows’ built-in tools, you should first encrypt a hard drive using VeraCrypt or BitLocker.  Use Windows Backup and Restore (Windows 7) or File History (Windows 8/10) to back up data to the encrypted drive.  The Windows tools work but are very basic.  If you desire a more feature-rich tool, check out Genie9 Timeline Pro.  I used it for a long time with great results; look for a full review in the near future.
  • OS X: I strongly recommend using the Mac’s built-in Time Machine backup utility.  Time Machine backups can be secured with AES-128 encryption.  Their transmittal via Wi-Fi is also encrypted.  Additionally, Time Machine is seamlessly integrated and user-friendly.

Offsite Backups:  The biggest advantage to offsite backups: they are impervious to local disasters.  It doesn’t matter if a power surge fries all your electronics or your house is leveled by a hurricane.  Your data is still stored on a cloud server somewhere and is recoverable.  This is a double-edged sword though.  Your data is stored offsite, on a machine that you do not control.  It may be vulnerable to data breaches or rogue employees.  Even if you delete it, you have no assurance it is really gone.  You are placing your trust in a faceless company.

While I do not back up to the cloud, there are ways you can do so more securely.  First, you can encrypt your files before uploading them.  The program I prefer for this in Windows is called CryptSync.  CryptSync lets you choose an original folder and a destination folder.  It will duplicate the files in the original folder, encrypt them, and place them in the destination folder.  If you are using something like Dropbox, you can assign your Dropbox folder as CryptSync’s destination folder.  Due to Dropbox’s terms of service and privacy policy, this is the ONLY way I recommend using their service.  The same goes for Google Drive and other mainstream cloud storage providers.

Windows and Mac offer the ability to back up to OneDrive and iCloud, respectively.  While I would consider using iCloud, I recommend strongly against using OneDrive.  Windows’ increasingly heavy-handed data collection (rolled out with Win10) makes me distrustful, as does Microsoft’s privacy policy.  I would reservedly recommend iCloud based on Apple’s improved security and strong stance on privacy.

Final Thought: No matter what you choose, use something.  I have lost both personal and work-related data before.  It is not a situation I would wish on anyone.  And protect your backup with strong encryption.  It contains everything your computer does, and should be equally protected.

3DSC: What Happens Next?

In three short days the Thirty-Day Security Challenge will come to an end.  This will be something of a relief for me (I do have books to get back to, after all), but I have also thoroughly enjoyed it and my interaction with all of you!  So what happens next?  In two weeks I am going to submit an after-action review of The Challenge.  I will try to correct any errors, any topics that weren’t explained to your satisfaction, etc.  To do this, I need your help!

I want your criticism.  I would truly like to have your feedback on how you think this went.  While I appreciate your praise greatly (it really kept me going through this month), what I really need now is your criticism.  What could I have done better?  What did I really screw up?  Could this have been better logistically, i.e. would you have preferred different options for how to follow?  Did you want more pictures and screenshots?  If you have any gripe with this, I want to hear it.  (That said, I would also like to hear it if you got something meaningful and helpful from this.)  You may be wondering why I want your criticism; it is because there are…

More challenges to come.  Though I don’t see another challenge this big coming anytime soon, I have some shorter ones planned, in the five- to ten-day range.  I want to make them better, so tell me what you want to see.  In the next year I hope to do “mini”-challenges on mobile device security, a couple of intermediate computer security topics, and a few other things that are just loose ideas at this point.  If there is something specific you’d like to see covered, feel free to let me know.  During this challenge you have given me several ideas for posts that you will be seeing in coming weeks, like:

  • How to Respond WHEN Your Data is Breached
  • Privacy & Security Comparison: Cloud Storage Providers
  • Digital Security for Digital Natives: Ingraining Security in Children
  • YubiKey Product Review

In addition to covering specific techniques, I plan to spend some time this year deep-diving threat modeling.  This is a topic that has been driven home to me time and time again, but that gets precious little attention in the infosec community.  Look for an introductory article in the next couple of weeks, and roughly an article a month on a specific model.

A new segment called Lock Safari is coming.  I also intend to introduce a new recurring segment I am tentatively calling “Lock Safari”, an admittedly and breathtakingly unoriginal name.  I am very interested in locks – especially high-security locks – and want to post some pictures I’ve captured in the wild.  This section may also include photos of other physical security measures, both good and bad, as the mood strikes me.

Thank you.  It’s not over yet, but I’ll say it now – thank you to everyone who has participated in the Thirty-Day Security Challenge!  Whether you commented, emailed, signed up for the mailing list, or just lurked – it is greatly appreciated!  I met some really cool people and got some great feedback.  Thank you!

Justin

3DSC Days 26 & 27: Full Disk Encryption

Last weekend I wrote about file-level encryption.  This is an excellent way to protect sensitive files, but it isn’t perfect.  First, the learning curve is slightly steeper.  It takes time to open VeraCrypt, find the volume you want to open, and mount it.  Worse, unencrypted versions of your files are very likely stored on your hard drive.  These versions may be compromised by an attacker.  A more comprehensive form of encryption is this weekend’s task: implement full disk encryption (FDE).

Full disk encryption has several huge advantages.  It encrypts your entire hard drive, including your operating system.  This means that your computer cannot be booted without your password, so an attacker with physical access cannot turn your computer on and tamper with your OS or programs.  It also means that all of your files are encrypted and secure.  And, believe it or not, full disk encryption is easier to use: you enter a password just before startup.  That’s it – no programs to learn, no volumes to find and mount, etc.  The only negative is that setting it up (in Windows) can be somewhat daunting.

SPECIAL CONSIDERATIONS: READ THIS BEFORE YOU BEGIN!

Regardless of your operating system, there are some special considerations before you take this step.  First, though there is vanishingly little risk inherent in enabling full disk encryption, that still adds up to some risk.  Let me be clear: take this step at your own risk.  Do your homework before you begin!  This is especially important if you are using a third-party application like VeraCrypt.  I have encrypted dozens of personal and work computers with TrueCrypt and VeraCrypt, and assisted scores more students with their machines, and have only encountered one issue.  It was correctable but took some time and patience.

You should also know that this process may take several hours to complete, so plan accordingly; the exact time depends on the size of your hard drive and the speed of your processor.  All of the encryption methods mentioned here have a recovery mechanism.  With BitLocker and FileVault this will be a code.  For VeraCrypt you will be required to burn a “recovery disk”.  You should carefully safeguard this recovery mechanism.  It should also go without saying that you should be one-hundred percent certain you can remember your chosen password before you begin encrypting.  Forgetting your password means your data will be totally unrecoverable.

OPERATING SYSTEM SPECIFICS

Windows 7:  For Windows 7 systems I recommend using VeraCrypt if you do not have BitLocker.  I migrated to VeraCrypt a few months ago due to a bug discovered in TrueCrypt.  You will need the ability to burn a CD (the VeraCrypt Rescue Disk) prior to beginning the process.  Before you begin, I recommend thoroughly familiarizing yourself with the process through the VeraCrypt User’s Guide (p. 32 and 33).

OS X:  Mac computers come with FileVault II built right in.  This is an excellent full disk encryption solution.  To enable it open System Preferences, Security & Privacy, FileVault.  Click “Turn On FileVault” and enter your user password.  You will be prompted to record your Recovery Key, and the encryption process will begin.

Windows 10:  This is where things get a little complicated.  If your Windows 10 system comes with BitLocker enabled, I recommend using it.  A very thorough guide from Windows on the features of BitLocker can be found here.  VeraCrypt will work on Windows 10 (I have successfully used it) but it will not work on ALL instances of Windows 10.  If VeraCrypt fails (due to a GPT issue) you may be able to revert the installation to BIOS, but this is a fairly complicated process.  I am sorry to report that I do not have better guidance to offer at this time.

3DSC Day 25: Social Media Privacy

This week has focused on some privacy-centric aspects of security.  This is because security and privacy are integrally linked.  There can be no true security without privacy, and vice versa.  Your social media is accessed and sold to advertisers and data aggregators.  It can indicate when you are at home and when you aren’t.  Location data can let others know where you live.  Information obtained through your Facebook page can be used to socially engineer you, one of your family members, or a customer service rep.  Today’s task will carry on with the privacy theme of this week by asking you to tighten up your social media privacy.  Some of this work can be done by adjusting settings.  However, privacy while participating in social networks mostly consists of modifying your behavior.

Realistic Best Practices:  The absolute best social media privacy practices are to delete your content and close your account(s).  I talked about some tools that can help with this in this post.  I understand that this will be an unacceptable proposition for most.  A more realistic approach for most is to limit the information you make available on social networks.  This will have a bigger impact on your social media privacy than settings will.  You can do this in several ways, all of which add up to much greater privacy and security:

  • Limit the information you upload.  Many use social networks as a way of staying in touch with friends and family, and I understand this.  However, you should reconsider the content you upload to a public audience.  Photos of your children, your home and the valuables in it, or the photos from the beach while you are on vacation may all make you a target.
  • Selectively remove information.  Take a look at your social media from an attacker’s point of view.  Is there information (including status updates, photos, lists of “friends”, Tweets, etc.) that you would not want a burglar, stalker, or unstable ex to see?  If so, you may want to start selectively deleting these items.  The less information that is on your page, the more private and secure you will be.
  • Adjust privacy settings.  Because there are literally hundreds of combinations of settings for Facebook alone, I am not going to go into specifics here.  However, resources like AdjustYourPrivacy can help.  AdjustYourPrivacy has direct links to the privacy settings of most social networks.  It can also allow you to view your Facebook and Google+ accounts as they are seen by a complete stranger.  In general you should make your accounts as private as possible.  This won’t make it impossible (or even especially difficult) for someone with the right skills to view your content, but your account will no longer be the lowest-hanging fruit.
  • Restrict Mobile Apps.  If you use mobile social networking apps, limit the information they have access to (I talked about app permissions here).  In my opinion it is especially important to restrict location data, which can reveal where you live, work, and frequent.  You may also want to limit access to your contacts.

Security Settings: You should also make sure to tend to each account’s security settings.  Most social networks allow passwords that are plenty long, even though few probably use long passwords.  You should also use two-factor authentication.  Two-factor is supported by some of the most popular social networks including Facebook, LinkedIn, Tumblr, and Twitter. Check https://twofactorauth.org to find out if your preferred network offers it.

3DSC Day 24: Credit Freeze

Identity theft is an incredibly invasive and potentially devastating form of crime.  It can cost tens of thousands of dollars, ruin credit, and consume countless hours of time.  One of the best tools for preventing identity theft is what is known as a credit freeze (sometimes called a security freeze).  A credit freeze is free for residents of many states, and for victims of identity theft.  For the rest this will cost only $5 or $10, depending on the laws in your state.  You can find out your state’s credit freeze laws here.  Today’s task is to request a credit freeze for yourself and all members of your family, including your children.  If your children have a social security number they, too, are vulnerable to identity theft.

  • What is a credit freeze?  A credit freeze prevents the credit bureaus from issuing new lines of credit without your explicit consent.  Your account is “frozen” which protects you in several ways.  Most obviously no one can spend money in your name.  A freeze also makes it impossible for potential creditors to pull your credit report.  This protects your physical address and other personal information contained in the report.  Potential creditors can’t even see your credit score, which will automatically get rid of pre-approved credit offers in your name.
  • What if I need a new line of credit?  If you need a new line of credit you can temporarily (or permanently) lift the freeze.  You do so by calling the appropriate credit bureau and requesting the freeze be lifted.  Before the freeze is lifted you will have to verify your identity.  This is done through a PIN you are given when the freeze is placed.  Temporary lifts generally last 24 hours, after which the freeze is back in place and your credit is once again protected.
  • How do I get a credit freeze?  You can request one through the three credit bureaus: Equifax, Experian, and TransUnion.  You should request a freeze through all three of these bureaus, as any of the three may be queried.  The exact procedures for each will vary slightly, so follow the directions on each bureau’s site.

You should also request your annual credit report to ensure no credit has been opened in your name without your knowledge.  The ONLY site through which you should do so is https://www.annualcreditreport.com/index.action.  There are very few measures you can take to protect your identity that will be as effective as a credit freeze and proactive credit monitoring.  This includes, in my opinion, signing up for paid credit/ID monitoring services.

3DSC Day 23: Email Masking

Giving out your email address can introduce some vulnerabilities.  While most of these are privacy concerns, there are some security concerns with this, as well.  Your email address is attached to your true-name and “real” accounts.  This allows advertisers, data aggregators, and hackers to see linkage between your accounts.  Security-wise, your email address is your username for some services.  If an attacker tries to hack one of your accounts, he or she probably already knows your username.  It is a good idea to avoid giving out your real email address.  How do you do this and still get mail?  Today’s task is to use an email masking service.  There are several such services out there, and two that I recommend: Blur and 33Mail.

Blur: Free Blur accounts offer masked emails that look like this:  592647eb@opayq.com.  My favorite feature of these is that they leak no information about you.  To use a Blur masked email address, set up a free Blur account.  Click on the “Masked Email” icon.  In the popup enter what the email address is to be used for.  It doesn’t have to be too descriptive, but it should be something you will remember.  Premium Blur accounts offer a number of other features including masked phone numbers and credit cards.  I wrote about it here.

33Mail:  This email masking service works a little differently.  You create an account and are given a custom domain.  For instance, if I choose “securityguide” as my username, my custom domain will be @securityguide.33mail.com†.  Once my account is created I can make up email addresses on the fly; as long as they are sent to ___@securityguide.33mail.com, they will be forwarded to my real email address.

How to use them:  Both of these email masking services will allow you to give out a disposable email address, and will forward mail to your real account.  Neither requires you to log in to the forwarding account to get your mail.  If an email address starts to receive spam with either service, you can log in and turn that address off.  I recommend using both, and here’s why.  I like Blur best because the addresses do not create linkage between accounts.  All of your 33Mail addresses, however, will share a common custom domain that can link all your accounts together.  It is also possible to spam 33Mail accounts.  If someone knows your custom domain they can send emails to an infinite array of addresses.  So what is the benefit of 33Mail?

Blur masked emails must be set up in advance.  Because they are random, they are also difficult to remember.  33Mail addresses can be made up instantly.  Did you stop into an open-house and feel compelled to give your email address?  No problem – openhouse@securityguide.33mail.com.  I admit a general preference for Blur addresses.  Blur’s security is much better (they support very long passwords and two-factor authentication), but 33Mail is undeniably handy.

†Please do not send emails to these addresses; I do not actually own “@securityguide.33mail.com”.

3DSC Day 22: Close Unused Accounts

Today is the third installment of what I have officially dubbed Account Security Tuesday!  Last Tuesday I asked you to set up two-factor authentication on your accounts.  The previous Tuesday I asked you to begin changing the passwords on them.  Today I am going to ask you to take an additional step: identify and close unused accounts.  At this point you may be wondering why I am so concerned with securing your online accounts.  There are a few reasons, but the most important is that they are the most exposed.  Your computer is very unlikely to be breached relative to an online account that is exposed to thousands of hackers every day.

Most of us probably have an old account or two that we don’t log into any longer.  It might be an old email account, that cobwebbed MySpace page, or an abandoned bulletin board profile.  It might be a bank account you no longer use, or an ecommerce account you set up for a one-time purchase.  Regardless, if we used accurate information in the account it is still out there and still at risk.  In fact, it may even be at greater risk since you aren’t logging in regularly and monitoring it.  Let’s fix that.

Two weeks ago I asked you to begin changing your passwords.  The ones that have changed are probably in your password manager now.  Any account that you have not logged into in the last two weeks is possibly (probably?) not one that you really need.  I’m not making judgments on what you need and don’t – that is up to you.  All of us also probably have a few accounts that we only log into monthly.  However, if it isn’t necessary, and if you can, close them.  Two resources that can help you close unused accounts are Account Killer and Just Delete Me.

If you can’t close an old account, there are still some steps you can take to improve your security.  First, log in and change all the information to false information.  Your name, birthday, your hometown – everything EXCEPT your email address (we will deal with that next Tuesday; in the meantime you still want to be notified if a breach occurs or someone attempts to log into your account).  If you can delete or unlink content like photos, blog posts, etc., do it.  Next, secure the account with a good, strong password and, if possible, two-factor authentication.