vertner.net

Security 101

Protect this house!

I often discuss computer security issues amongst friends, family, and coworkers and a consistent thing that comes up is: “How do I best secure myself?” Here are a few key points I always bring up:

  1. Do you live close to a lot of others (an apartment or dorm)? Do you travel overseas? Who might want to exploit you?

  2. What do you want to do with your computer/phone/etc? Business? Pleasure? What kind of software do you prefer?

  3. What kind of bad habits do you need to break?

Let’s start this discussion with the two broad categories of attackers and how they affect your security plan.

Know Thy Enemy

This is the one that most people are asking about. “How do I secure my laptop/phone/hard drive/privacy/etc?” I always come back with, “What’s your threat model?” If you don’t understand who or what your potential adversary might be and how you might be exploited, you don’t really know how to defend yourself. The electronic security problems of a political dissident in China are very different from a housewife in the suburbs of Chicago. I usually put attackers into two main categories: the determined attacker and the casual attacker.

The Determined Attacker

This guy is targeting you. He is limited only by time and money. If his limits are high enough, he will get you. Assume that he has already compromised you and shape your traffic accordingly. This is typically a corporate or government-sponsored attacker whose goal is gathering information. Fortunately, despite our fantasies otherwise, he’s rarely going to be after somebody that does not present a clear danger or have some sort of intelligence value. Depending on your work, traveling overseas is the time where this is most likely to be a concern. Forget physical security, because he can either bypass it through technique (lock-picking), access (search warrant, good relationship with hotel staff), or brute force (breaking a window or door down).

You don’t want to end up here; research domestic laws before traveling. © 2009 Ori

The good news is that while this guy might have the keys to a lot of castles, he may also be the most restricted in actually using them for anything other than information gathering. Always look up domestic surveillance laws when traveling overseas and tailor your communication appropriately; assume that somebody may be monitoring you, but unless you’re useful, they’ll move on quickly. You should be considerably more concerned if you are breaking domestic laws, which could include bypassing governmental monitoring/filtering mechanisms.

The other good news is that many of the techniques that can foil our next foe can frustrate this one. That may highlight you as a more interesting target for exploitation, but it’s equally possible that they will move on to a softer target.

The Casual Attacker

This is the guy you’re likely looking to foil. He’s the one sniffing unencrypted wifi traffic in your hotel, hoping to pick up a password or two. He’s the one that goes through the trash, looking for personally-identifiable information. He’s the guy who downloaded the latest password dump off of a hacked web site and is busily peeling usernames and passwords out and trying them on banking and e-mail sites. Identity theft, fraud, and ultimately monetization are his goals, but he’s looking for the low-hanging fruit; the soft targets. He’s also the easiest to foil, through encryption, proper handling of personally-identifiable information, physical security, and password construction.

Know Thyself

Now that you know your two types of attackers and how you might be exploited, it’s time to look at yourself. What kind of devices are you using? Phone? Tablet? Laptop? Desktop? What kind of software are you using? Do you use a lot of social media? Even if you’re using a VPN on your laptop, do you have it enabled on your phone? Are you paying attention to when you’re submitting information on an unsecured web site?

  • Encryption. Start with your local device and work your way out. Encrypt your hard drive, encrypt your wireless transmissions (WPA2), encrypt all network traffic across untrusted networks (VPN), and ensure that all access to web sites with sensitive information is over an encrypted (TLS/SSL) connection. The more encryption, the better; never think that just one layer is enough.

  • Wireless. If you aren’t using a device’s wireless function (bluetooth, wifi, cellular, NFC, etc) for any period of time, disable it. Think of each of them as open doors until you lock them.

Little plastic keys to debtor’s prison

  • Personal Information. If the information on it can be used to apply for a credit card or bypass identity verification methods for password recovery, destroy it. This can include birthplace, date of birth, social security number, the last four digits of a credit card number, and others. Once you’re somewhere trusted, shred or burn it. If you absolutely must dispose of that information in an untrusted location, try to dispose of it across multiple bins at multiple times; the more wet and disgusting, the better. Toilets are your friend for disposing of torn-up receipts.

  • Physical Security. Lock your locks. Don’t leave electronics or personal information out in the open. Don’t trust hotels. The casual attacker may go around looking for items of value lying in the open or checking for unlocked doors, but will rarely bypass anything reasonably secured. If you’re concerned about exploitation of your wireless signals, how powerful are those signals and how close are you to others who can receive them? You may not have to worry as much about your wifi in a rural setting as you do in a dorm or hotel room.

The Secret to Online Safety: Lies, Random Characters, and a Password Manager

  • Passwords. Do not reuse them. Do not store them in an unprotected location. Do not reuse them. Did I mention not to reuse them? Seriously, though, no matter what clever scheme you have come up with for your passwords, the easier it is for you to remember, the easier it is for someone else to figure them out. Ars Technica did a couple of fantastic articles on password cracking and best practices; they are definitely worth the read as a primer. Ultimately it comes down to changing how you work and using a good password manager with a single long, complex, and memorable password to access a vault of all of your accounts’ 20-character pseudo-random individualized passwords. It’s a lifesaver.
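To make the two points above concrete (pseudo-random per-account passwords, and never reusing one), here is an added example that is not part of the original post: it generates 20-character passwords from the operating system’s CSPRNG, estimates their entropy, and scans a vault for passwords shared across accounts. The alphabet and the sample vault are constructed for illustration; the account names are placeholders, not real sites.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Constructed alphabet: printable ASCII letters, digits and punctuation,
# the kind of symbol set a password manager typically draws from (assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a pseudo-random password of `length` symbols drawn from `alphabet`.

    secrets.choice reads from the OS CSPRNG; random.choice must not be used
    for credentials because its Mersenne Twister output is predictable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password used by two or more accounts to the accounts sharing it.

    A password manager's vault is modelled as account -> password; any entry
    in the returned dict is a credential that one breach would expose everywhere.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault (placeholder account names): three accounts share a
# memorable password, one uses a generated 20-character string.
SAMPLE_VAULT = {
    "bank.example": "Fluffy2009!",
    "mail.example": "Fluffy2009!",
    "shop.example": "Fluffy2009!",
    "forum.example": "x7#Qp2!mZ9@rL4&wB1^e",
}

if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    for shared, accounts in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused across {len(accounts)} accounts: {', '.join(accounts)}")
```

Twenty symbols from a 94-character alphabet give roughly 131 bits of entropy, far beyond what offline cracking can brute-force, whereas a memorable password such as the reused one in the sample vault is exactly the kind of guess a dictionary-based attack on a leaked password dump recovers first; the reuse check is the part that turns one such leak into three compromised accounts.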

… but Don’t Forget to Live

I usually break it down to folks like this: you lock the door to your house before you go to sleep and you shut the garage, but you don’t have a razor-wire perimeter and bars on the windows. Why? Because you need to live with it. We’re all human and we don’t follow good security practices unless they are easy. As we discussed, you’ll never really stop the determined attacker, but the casual attacker isn’t really that difficult to harden yourself against. The best security practice in the world is worthless if you don’t use it, so take an honest look at your current habits and curb the ones that make you the soft target.

There honestly isn’t a one-size-fits-all answer. What works for me may be unnecessary for you or may not fit how you use your data. The best solutions are always tailored. Hopefully this article serves as a good starting guide to what to look at before asking critical questions of your personal security practices.
