Day 59 - A list of things to improve your security online

17 Apr 2017 Tweet 100daysofwriting · cryptography · lists · security

A new day, a new attack on HTTPS.

Can you tell which is phishing?

You can't. That's the problem with Unicode look-a-like character substitution. https://t.co/431d4dNwGT pic.twitter.com/r18CLNCXcE

— Michael Coates (@_mwc) April 15, 2017

Checking certificates is a great practice, and almost always I stop after opening a certificate and looking at the certificate signing chain. That tells most of the story. Specifically, when using some other computer, it tells you whether the computer’s owner is trying to fake some certificate sign by putting a malicious Gmail certificate on the computer and effectively implementing a MITM attack. It’s as simple as installing MITM Proxy which automatically creates a certificate and adds it to /etc/ssl/certs.

The best way to avoid this is to not login on any unknown device, at all. There are some guidelines like these that I have learned from experience, and although listing them all down is going to be next to impossible, I can try.

1. DO use Google Authenticator for 2-Factor Authentication. Use it for all the accounts that tell the world who you are: Email, Twitter (THEY IMPLEMENTED IT!), LastPass, GitHub, Digital Ocean, Slack. (Those are a few of the services I use 2FA for)

2. DON’T login to your core accounts on an unknown computer. There could be anything ranging from a hardware keylogger that you didn’t notice, a software keylogger which can be installed in 2 minutes on Windows or a malicious SSL MITM attacker who went to the pain of faking a certificate chain to reduce your suspicions. JUST DON’T. To download or share files, read the next point.

3. DO setup a publicly viewable Google Drive folder and create a shortlink for that folder and add it to your contacts. Whenever you want to download something on a strange computer, use your phone to put it on the public folder, download it and then delete it from Drive.

4. DO use DuckDuckGo. They don’t track you, they don’t even ask you to sign in. If you must use Google because sometimes DDG just doesn’t cut it, open Incognito and use !google before your query. That way the searches are not tied to your account and you can save yourself from targetted advertising based on your searches.

5. DO use a VPN whenever using Public WiFi. Something as simple as Surfeasy is enough to thwart people trying to spy on you using simple things like Wireshark. I know hardly anything about the myriad list of tools available out there to spy on people who are using a public network. Using a VPN should preclude some really basic attacks.

6. DON’T enter your Bank Password or anything related to Internet Banking WITHOUT first checking the SSL certificate of the website. If chrome shows the green bar, don’t stop there. Press CTRL+SHIFT+I, open the certificate and atleast look at the certificate. Look at the spelling of the website (Our brain does this weird thing where https://onlinsbi.com looks so so similar to https://onlinesbi.com. I used to be terrified of this particular attack.

7. DO use STRONG PASSWORDS. This is a no-brainer, really, but I still feel like I must say this. 8 character long passwords are the bare minimum and just don’t cut it. Something as simple as thc-hydra has bruteforcing options for passwords that are this small.

8. DO use LONG RSA keys. If possible, use Elliptic Curve keys. In any case, your default RSA key should ideally be 4096 bits long. This guide will help you upgrade your keys

9. DO have a small Pendrive that has your RSA keys, PGP keys (Who uses PGP anymore?), your 2FA recovery codes. Take it with you whenever you are going on a sufficiently long trip. Remember to use LUKS and encrypt the partition that has all this data. Otherwise, you are just inviting trouble.

10. DO uninstall openssh-server from your main computer. It’s an annoying package that doesn’t come pre-installed in Ubuntu, but if you ended up installing it somehow, uninstall it right now! sshd is one of those tunnels into your machine you didn’t even know existed until someone walked right in and stole files from you.

11. DO follow Security and Cryptography blogs using something like Feedly. The best two out there right now are cryptographyengineering.com and Bruce Schneier on Security. If you use Twitter a lot, follow some Security driven accounts like Filippo, @SwiftOnSecurity, and @evacide. I know I follow a lot more people who are in the industry, but I can’t seem to remember them. I would like to create a Twitter list of these people and then, pass that list around. (That list probably already exists?)

12. DO follow Cryptography news closely and go beyond the mainstream media to find out exactly what the attack is. Media headlines are generally click-baity and say things like The NSA can now see your bank passwords when the actual attack is an attack on HTTPS which requires a particular set of conditions to be met, and these conditions are never really met for most people. This is just a random example. My point is: Go beyond the mainstream media, go to the paper / article that the attacker published, read through it, think about it, and finally, take measures to preclude it.

13. DO use Full Disk Encryption on your Ubuntu main computer. It’s a pain to setup, you probably are going to have to take a whole backup and then encrypt and copy back to your disk. I did it when I re-installed Ubuntu. Do it right away, it is well worth it. If you don’t do it right now, definitely do it the next time you upgrade your operating system.

14. DO tape your webcam.

That list is no way complete. I am sure I must have missed some major point that I really wanted to tell people about, but didn’t include in this list. I won’t be editing this list though, I will probably publish a better version of this list in a couple months, if I have something more to say.

The bottomline is: do your best to close all the doors and windows and air-conditioning ducts that enter your online apartment. If you leave doors open, people will try to get in. If you close most of the doors, they will be discouraged, and (hopefully) leave you alone and target someone who is more vulnerable. And if you find that a door has been inadvertently left open, TAKE ACTION! Inaction now and regret later are a toxic combination, and the helplessness when you realise that you could have and should have taken steps after you have been attacked doesn’t help. It’s a bad bad feeling.

POST #59 is OVER

P.S. I am pretty sure this is one of the most coherent posts in this series. I have been writing this post for the past 45 minutes.