Security: 17 Things
I spend a lot of time giving information security advice, such as why RMF (Risk Management Framework) is too top-heavy for implementing risk management practices in small or R&D-focused organizations, what the right Apache SSL settings really are or how static analysis can help improve C code. What I'm asked for the most though isn't any of those things; it's the everyday stuff that even non-technical people can do to protect themselves from the looming but nebulous threat of an information security accident.
This article does not attempt to make you an information security guru or provide everything needed for those who are special targets. This is a list you can use to secure yourself, your significant other and your non-techie loved ones from the majority of the most-common and easiest-to-pull-off types of crime and cruelty. It's based on a talk regularly given by my colleague Craig Jackson and me at Indiana University's Center for Applied Cybersecurity Research. We do our best to offer steps to follow that are easy and accessible but also high impact. Lots of good advice didn't make this list, either because it's not yet easy enough for the non-technically-inclined, or it's expensive, or it isn't quite as valuable as we want it to be before we add to the infosec burden of non-computing-nerds.
Lock your computer. Lock your phone. Lock them whether you are leaving the building or just stepping away for a minute. At first, this seems annoying, but once you get used to it, unlocking screens becomes as automatic as unlocking your car or your front door. Meanwhile, if you don't lock your devices, anyone who walks up to them has access to all of your logged-in accounts and can impersonate you easily or steal private information.
Full-disk encryption (FDE) is a little bit of a misnomer. For Linux geeks, it may be helpful to know that this is generally done at the partition level, not the physical disk in practice. All that non-technical users need to know is this: if you do not use FDE, anyone who picks up your device, even if it's locked, even if it's powered off and can't be powered back on, can attach its storage to another machine—a machine that doesn't care about your privacy—and get everything with very little effort.
This is not just a Linux thing. All major operating systems now offer FDE. Current Linux distributions (RHEL, Gentoo, Debian/Ubuntu, Slackware and all their various derivatives, plus some others) offer FDE via LUKS (Linux Unified Key Setup) and dm-crypt, in most cases without you having to do more than give a strong passphrase in an install dialog. Windows has BitLocker, or if you're on a budget, there's VeraCrypt. (Note: there are still some open questions about VeraCrypt security vs. state actors, but if you can't get BitLocker, VeraCrypt is at least good enough to thwart the common laptop thief.)
macOS has built-in encryption that can even be enabled retroactively, post-install. Both iOS (iPhones and iPads) and Android (most other smartphones and tablets) have built-in FDE as well.
Regardless of what OS you are on, you absolutely must record your FDE passphrase somewhere secure. You can't recover a device for which you've lost that passphrase.
Phones are the most commonly lost devices, and they can carry a staggering amount of information about you, not to mention access to bank accounts, online accounts and more. Both iOS and Android offer remote device managers that can be turned on via your Apple account or Google Play account, respectively. Although this level of access may have downsides in edge cases where it's not appropriate to use Google's or Apple's services at all, generally it's a huge win to be able to locate a lost device remotely or wipe it when you're sure it's gone.
Ransomware is becoming more popular and more profitable. The best defense is "I can wipe and re-install from back-up; I don't need to pay." Unfortunately, too many people don't keep backups at all or don't test them to ensure that they work and that any ransomware intrusion into backups would be noticed before it's too late. Backups (bonus points for off-site backups) also protect you from fire, spills, thefts and failed storage devices.
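A backup that has never been restored is a hope, not a backup. The following is an added example (not code from the article): it archives a directory, records a per-file SHA-256 manifest at backup time, and later restores the archive into a scratch directory and checks every file against that manifest. `demo()` builds a constructed sample tree, verifies a good backup, then overwrites the start of the archive in place (as ransomware or a failing disk would) and confirms the restore test now rejects it. It uses only the Python standard library.

```python
"""Added example (not from the article): a restore test for a tar backup.

Makes a backup of a directory, records a per-file SHA-256 manifest, and
later restores the archive into a scratch directory to prove the backup is
both readable and unchanged.  The sample files in demo() are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir and write a manifest {relative path: sha256} taken
    from the live tree at backup time."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    with tarfile.open(archive_path, "w") as tar:
        tar.add(src_dir, arcname=".")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(archive_path, manifest_path):
    """Restore the archive into a scratch directory and compare every file
    with the manifest.  Returns True only if extraction succeeds and all
    files are present with matching hashes."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r") as tar:
                try:
                    # The "data" filter refuses absolute paths and "../" entries.
                    tar.extractall(scratch, filter="data")
                except TypeError:  # older Python without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError):
            return False  # unreadable: corrupted, encrypted or overwritten
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored) or sha256_file(restored) != expected:
                return False
    return True


def demo():
    """Back up a constructed tree, verify it, then overwrite the start of the
    archive (as ransomware or bit rot would) and confirm the test now fails.
    Returns (good_backup_ok, tampered_backup_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "docs")
        os.makedirs(os.path.join(src, "tax"))
        with open(os.path.join(src, "tax", "2019.txt"), "w") as f:
            f.write("constructed sample return\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample notes\n")
        archive = os.path.join(work, "docs.tar")
        manifest = os.path.join(work, "docs.manifest.json")
        make_backup(src, archive, manifest)
        good = verify_backup(archive, manifest)
        with open(archive, "r+b") as f:  # simulate in-place tampering
            f.seek(0)
            f.write(os.urandom(4096))
        bad = verify_backup(archive, manifest)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Keep the manifest somewhere the backup job cannot overwrite (a different account or an off-site copy): if an intruder can rewrite both the archive and the manifest, the check proves nothing. Run the restore test on a schedule rather than only when you need the data back.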
Apply security updates regularly, and when it comes to end-of-life (EOL) software, just say no.
When a security bug gets patched, it is publicly known, and if not already being exploited in the wild, it will be seen in mass, untargeted attacks within 6–24 hours. That's right: 6–24 hours before random nobodies with IP addresses start getting hit. Failing to apply patches promptly means guaranteeing the bad guys have a way into your system.
End-of-life software is software that is no longer maintained by anyone. So no matter how bad the vulnerability, it won't be fixed. Just say no.
Never log in as root or the equivalent unless you really need that level of privilege to perform an administrative task.
Ideally, your kids and their terrible flash game with the penguins are not on the same device as your tax returns, but if they must be, give them their own user accounts to create as much separation as possible. Operating systems attempt to keep users from impacting one another's data and settings, so use this protection to your advantage. You may trust your spouse, but do you trust every app and document he or she runs and opens?
If at all possible, keep completely separate devices for the sensitive stuff and the things less likely to have scrutiny from a security perspective. I have a work laptop and a personal laptop. My gaming computer is not only a third machine entirely, but it lives on a completely separate subnet at home where it can't talk to anything I care about.
If you don't notice a theft until six months later, you are in a vastly different position from if you notice it within 30 days. Check your bank and credit card statements. Make sure you don't see any unrecognized transactions. Set up automated alerts where possible.
At least here in the US, credit and debit cards are regulated very differently. If your credit card is the subject of a theft or fraud, your liability is capped at $50. That's the most you lose; the bank, payment processors and retailers get to argue over the rest. If you find yourself in that position with your debit card, it's generally up to your bank and any specific, written contract you have with it. In many cases, you could end up on the hook for any fraudulent spending that occurs.
Here's another US-centric piece of advice. Freezing your credit with all three credit bureaus will greatly reduce your exposure to identity theft or the theft of your tax return, or the risk of being left with someone else's bad debt. Why make it easy on scammers? You can unfreeze as needed using the code you received at freeze time when you are ready to take out a loan or a line of credit. It's especially important to do this for minors and children, as they are attractive targets for identity theft.
You can remember only a finite number of passwords, and the more complex those passwords become, the fewer you can remember. LastPass and Password Safe are decent options for password managers, but others are worthy of consideration as well. The point is to make sure you aren't limited to the number and quality of passwords that you can remember easily, and that you keep your sanity.
For non-technical people who just can't get into the password manager workflow, a small notebook with all of their passwords in it kept in a reasonably secure location, such as a household safe or lockbox, is still more secure than storing passwords on computers in plain-text files or Google Docs, and also more secure than recycling the same passwords over and over.
Now that you are storing passwords safely, you should never, ever recycle one. If one service that you use loses its password database, you don't want that to give away your passwords on the other services you use. It's an all-too-common pattern.
Your shiny new password manager probably can generate strong passwords for you. A strong password or passphrase will have at least 24 characters in a mix of uppercase and lowercase, with some digits and symbols as well. If your password looks like this, it will be nearly impossible to remember, but your password manager will type it for you:
gaegie7o@oth8Aic8xeigei5%eozieF7
So, if for some reason you must memorize (for example, for your computer's FDE), use a passphrase, like this:
14cute Canaries are nevertheLess LOUD*-64
Just a thought: I am not responsible for anything that gets stolen if you actually use password or passphrase examples from a magazine.
Your goal is to resist human guessing. Consider that most human guessing is done by someone who knows you well enough to have at least seriously trolled your social-media life, if not met you and gotten to know you personally—and also make sure that computerized guessing is slow enough that an attack likely would be noticed before your account is compromised.
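To put numbers on "slow enough", here is an added example (not from the article) that estimates how much guessing the two sample secrets above would withstand under two attacker models: a character-by-character brute force (an upper bound that assumes every character was chosen at random, which is true of the manager-generated one) and a word-list attack on a passphrase (a lower bound that ignores the extra digits, symbols and capitals). The guess rates `OFFLINE_RATE` and `ONLINE_RATE` and the 7776-word vocabulary are assumptions chosen for illustration, not measurements.

```python
"""Added example (not from the article): rough strength estimates for a
random password and a passphrase.  Rates and vocabulary size are assumed."""
import math
import string

OFFLINE_RATE = 1e10      # assumed: cracking a leaked password hash on GPUs
ONLINE_RATE = 10.0       # assumed: a throttled login page, guesses per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The article's two sample secrets (do not reuse them).
PASSWORD = "gaegie7o@oth8Aic8xeigei5%eozieF7"
PASSPHRASE = "14cute Canaries are nevertheLess LOUD*-64"

_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
            string.punctuation, " "]


def charset_size(secret):
    """Size of the union of the standard character classes the secret uses."""
    for c in secret:
        if not any(c in cls for cls in _CLASSES):
            raise ValueError("character outside the modelled classes: %r" % c)
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in secret))


def random_bits(secret):
    """Entropy if every character were drawn uniformly from the charset.
    Exact for a manager-generated string; an overestimate for anything a
    person chose."""
    return len(secret) * math.log2(charset_size(secret))


def passphrase_bits(phrase, vocab=7776):
    """Entropy if the attacker knows the phrase is words from a list of
    `vocab` entries.  Ignores digits, symbols and capitalisation, so it is a
    lower bound.  Returns None for a single token (not a passphrase)."""
    words = phrase.split()
    if len(words) < 2:
        return None
    return len(words) * math.log2(vocab)


def years_to_exhaust(bits, rate):
    """Years needed to try every possibility at `rate` guesses per second;
    an attacker expects to succeed after about half of that."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def report(secret, vocab=7776):
    """Summary of both models for one secret."""
    cb = random_bits(secret)
    wb = passphrase_bits(secret, vocab)
    return {
        "length": len(secret),
        "charset_bits": round(cb, 1),
        "wordlist_bits": None if wb is None else round(wb, 1),
        "offline_years_charset": years_to_exhaust(cb, OFFLINE_RATE),
        "online_years_wordlist": None if wb is None else years_to_exhaust(wb, ONLINE_RATE),
    }


if __name__ == "__main__":
    for s in (PASSWORD, PASSPHRASE, "password"):
        print(repr(s), report(s))
```

The point the numbers make: the 32-character generated password is out of reach even offline at ten billion guesses per second, while a five-word phrase, modelled pessimistically, still takes billions of years against a throttled login form but is a far weaker secret if the hash leaks. That gap is why the article pairs passphrases with FDE (no leaked hash to attack) and random passwords with a manager.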
Two-factor authentication (2FA), sometimes called multi-factor authentication (MFA), is the easiest, most powerful weapon against account compromise because it vastly raises the complexity of what an attacker has to accomplish. Without 2FA, if your computer gets a piece of keylogging malware, if someone looks over your shoulder at a coffee shop and sees your password, if you lose your password notebook, or if a password database falls off a truck somewhere, your account is done. It's compromised. End of story.
However, with two-factor authentication, none of those things alone can compromise an account. Two-factor authentication uses two unrelated things—usually something you know (like a password) and something you have (like a phone or a hardware token)—to log in to an account. The types of attacks that make it easy to steal your password (such as a virus on your computer or a break-in on a server) aren't the same kind of attacks that make it easy to steal your second factor (such as pickpocketing your mobile phone or your keys).
My preferred form of 2FA is a simple FIDO U2F device, such as a YubiKey 4, kept on your keyring and plugged into a phone or computer when you log in. This special key is no good without your account password, and your account password is no good without the key. There's a secret crypto key inside the key. When it is plugged into a USB port, the port powers it up, and it can send a response without giving out your secret key. Even if your computer has a virus and you stick this key in, the key still can protect you. It's just so hard to get this wrong. It's like a house key; if it's still on your keyring, you're probably okay. (Note that if you use the simple static-password function of a YubiKey instead of its FIDO or other private-key-based features, malware can still observe that password being entered by the key.)
If you can't do that, try TOTP (Time-based One-Time Password), such as Google Authenticator or FreeOTP running on a smartphone, which generates a temporary passcode for you when you want to log in. SMS two-factor is pretty bad, because SMS messages can be easy to observe in many cases. Biometrics also are bad, because you leave your fingerprints everywhere you go! Even an iris scan is scary; who's going to give you a new eye when a company loses its password database? Don't go there.
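To show what the second factor actually is, here is an added example (not code from the article, Google Authenticator or FreeOTP) of the algorithm those apps implement: HOTP from RFC 4226 applied to a time counter, as specified in RFC 6238, together with the check a server performs on a submitted code. The secret in `__main__` is the RFC's published test secret, not a real one. The "something you have" is the shared secret inside the app; the six-digit code is an HMAC over the current 30-second period, so a code stolen over someone's shoulder is useless a minute later.

```python
"""Added example (not from the article or any authenticator app): TOTP per
RFC 6238 (HOTP, RFC 4226, over a time counter) and a server-side check."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: the counter is the number of `step`-second periods since the
    Unix epoch, so the code changes every 30 seconds by default."""
    return hotp(secret, int(at_time) // step, digits, algo)


def decode_app_secret(b32):
    """Authenticator apps receive the shared secret as base32 (the text behind
    the enrolment QR code); spaces, lower case and missing padding are tolerated."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(secret, submitted, now=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current period and up to
    `window` periods either side (clock drift), comparing in constant time so
    response timing does not leak how many digits matched."""
    now = time.time() if now is None else now
    for k in range(-window, window + 1):
        expected = totp(secret, now + k * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890", base32-encoded.
    secret = decode_app_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(secret, time.time()))
```

A real server additionally remembers the last counter it accepted for each user and refuses a code at or below it, so a code observed and replayed inside the drift window fails; it also rate-limits attempts, since six digits are only a million possibilities. Note what TOTP does not do: if a phishing page asks for the password and the current code and forwards both immediately, it logs in within the window. That is the gap the FIDO key above closes, because its response is bound to the site's real origin.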
Most breaches begin with humans doing something they should not. What we call "social engineering" among hackers is the same thing that any old con artist of any other generation did: try to look legitimate and ask, or get people to act in a hurry out of fear or absentmindedness when they don't realize they are giving up something of value.
Dumpster-diving is a time-honored tradition. Shred or burn documents and destroy hard disks or other digital storage when you are done with them. Don't give out your personal information unless you are sure of why you are doing so, that it is necessary, and that you are giving it to someone you trust. When you read an email, imagine a stranger walking up to you in a big city saying the same thing. Is this something you should trust? Would you give strangers on the street your financial info if they said you just won a prize? I hope not, but people do this with malicious emails and websites every day.
Never give out any of your passwords. Any system you log in to has a system administrator who can get at your data or reset your password if something has gone wrong. Don't believe "support" people who ask for your password.
Assuming that the parties to an email aren't all using end-to-end encryption, at least the senders' and receivers' email servers can read your email, as can the people who own and maintain them. In the typical case, many internet waypoints in between can read it as well, and you don't control which waypoints see your mail.
Even when email is encrypted, it's like a sealed letter: anyone can still see the outside of the envelope, including the to/from information, size and postmark date.
Would you risk sending passwords, credit card numbers, Social Security Numbers or other sensitive information on a postcard to an unsecured (not locked) mailbox on the street? I didn't think so. A postcard is open for anyone to read, and you don't really know how many hands it will pass through on the way to its destination. Email is the same.
More cool toys are being connected to networks every day: toothbrushes, dolls, bathroom scales, thermostats, kitchen appliances and so on. However, few of them are examined for security at any point in their design, and even fewer receive updates for their entire lifespans. At the best of times, they leak data about you: when your house is empty, what your children are doing, your health and more. All too often, these insecure devices are easily broken into and give an intruder ready access to everything else in your home, from security cameras to your refrigerator.
This doesn't mean never allow a network-connected device into your home; just think before you do. Ask yourself if this really needs your WiFi password. Ask who is maintaining it and for how long after you buy it. Ask what kind of data it has, and ask yourself what is the worst-case scenario if that data gets out. Think about what else is on your network with that device.
If you are reading Linux Journal, chances are you have some sort of handle on technology in general, if not security in particular. You probably have people in your life who do not. All the regulation and formal education in the world cannot match a person who cares about you saying "Here, let me help. I want you to be safe."
Keep in mind that "network nannies" are easy to circumvent and won't be in place on every computing device your child sees. Kids learn to protect themselves by doing so under the guidance of a patient adult, and young children are generally more receptive than teens. If you teach your kids to protect themselves early, you can spare yourself some arguments later and be more likely to succeed. My son, at four, learned to plonk (ignore) rude or mean people on the internet. He used to yell "PLONK!" really loudly when he did it. As a teenager, he still responds to toxicity by ignoring instead of engaging, without really thinking about it. That's the benefit of teaching them when they are little.
Seniors are often at greater risk than kids, as they have a bigger learning curve when dealing with tech. Take the time to help them select things that you easily can help them use, and help them use those things safely.
Have concrete goals; "be safe" is too vague to ask of anyone. This list of 17 things, especially if you chip away one or two at a time, should be within anyone's grasp. It's not everything one could possibly do, but it's a reasonable place to start. Be the person who gets someone you love started.