At MISTI in 2013 I was on the closing panel with Alex Hutton (at the time CSO of Zions Bank) and Chris Nickerson (a “red teamer”) – the topic was the distressing state of internet security. Hint: it’s distressing. Somewhere in the course of the panel I decided to do a “show of hands poll” and asked everyone in the room:
How many of you use the google 2 factor authentication on your gmail account?

Alex and Chris and I raised our hands. One lady on the corner of the room raised her hand. A ballroom full of IT security and audit professionals generally don’t use free, high quality authentication – well, that tells you everything you need to know about the state of internet security. People keep saying things like “no matter what we do, we get owned anyway!” except that, you know, they refuse to do the most obvious, basic stuff – not even the free stuff. Have you heard about the Ben and Jerry’s diet? That’s the one where you eat a gallon of ice cream every day and complain about your weight. If you complain enough you may burn off some calories.

Here’s a Roadmap:

1. Turn on Two Factor authentication on your crucial systems: email, paypal, ebay, amazon – anything that involves your money. If one of your crucial systems doesn’t offer two factor authentication, then use a different system that does not suck. This dramatically raises the difficulty of attacking your account. Now that you can transfer your cell phone number when you change providers or accounts, there’s no reason not to take advantage of your phone as an authenticator – either through something like the google authentication app, or simply having a code SMS’d to your phone as part of your monthly login process.
2. Use a password vault for your passwords. The value of a password vault is not that you can use a 20-character password (that’s easy) but that you can use a different 15-character password for every system: if your account on that knitting patterns site gets compromised, the password is not the same as the one on your amazon.com account. This also dramatically raises the difficulty of attacking your account.
3. Do your backups. This is a topic I will eventually do a separate post on, but: have a USB external drive that you sync important stuff to regularly, and when it’s not in use it’s powered off. This will dramatically reduce the chance of you losing any data by accident or as a result of a cryptolocker attack.
4. Don’t fall for phishing scams, document attachments, etc. This is mostly a matter of not clicking on links in your email or opening attachments or obeying the message from your CEO saying “please enter the following command at your windows prompt – FORMAT C: /Y”  Because humans are fallible, this does not dramatically raise the difficulty of attacking your account, but it does help a bit.
5. Don’t browse the internet or read your email with a privileged account. Create a user account on your windows system that is a normal unprivileged account and do your browsing and emailing from there. This dramatically raises the difficulty of exploiting a successful penetration of your account.
6. Use an email client that’s not horribly stupid if you can. I use Mozilla Thunderbird because a) it has good built in bayesian spam filtering, b) it uses your spam filters to build an adaptive model of which messages it should and shouldn’t show dynamic content from c) it also builds an adaptive whitelist model – if I send you email regularly, your replies are not likely to be spam filled with links to driveby malware. This dramatically improves your security. Or, you can use Outlook – in which case why are you reading this?
7. Browse using an ad blocker and a script whitelister. For one thing, your web experience will be much faster (I’m on metered bandwidth thanks to Verizon’s blood-sucking rural broadband and when I turn my ad blocker off, my bandwidth usage jumps 35%)  My particular incantation is: Firefox, Ad Blocker Pro, Noscript. On iShinies I use Safari and 1Blocker. This dramatically improves your security.
8. Extra Credit: If you have a way of vectoring emails to your SMS text, or otherwise red-flagging them, red-flag all emails involving account management: password changes, new machines being authorized, or new two factor authentication devices being added.
9. Extra Credit: Do not install Java or Flash on your machine. This dramatically improves your security.
10. Extra Credit: Do not install Adobe PDF reader on your machine. Instead, go buy a copy of Corel PDF Fusion, which is way better and faster anyway. It’s $34. Not having Adobe reader on your machine dramatically improves your security.
11. Extra Credit: Have one system you use for gaming and browsing and farting around on, and another you use for work. Your work machine should spend a lot of its time powered off. Being powered off dramatically improves your security.
12. Extra Credit: Use AppLocker to whitelist your non-privileged browsing/emailing account so that it can only do those things and pretty much nothing else. If, like many of us, you are the “IT Department” for an aging parent or a child, deprivileged accounts plus parental controls (which is an interface on top of AppLocker) is a very very good approach.

Discussion

Each of the suggestions above will reduce the likelihood of you getting compromised by a good 50-70%* – by the time you do all that, you’ll be a hard target, indeed. If you’re protecting a secret identity, you should have a dedicated laptop or an iPad with a keyboard, that you do nothing else with. If you’re blogging anonymously or whatever, do not browse to any other sites using that device. Install TrueCrypt on your user partition and dekey it if you’re ever crossing an international border.

When you boost your security you want to think not just about making it harder to get hacked, but also to detect attempted hacks. That’s where turning the two factor on is important: it’s not just two factor – it embeds an enrollment process in which you’re also registering which system you use. This is super duper uber important because if your password somehow gets compromised, your attacker now has to figure out how to avoid you getting an SMS from google saying “please enter this code to authorize your new machine …”  That tells you it’s WTF time. If you ever get a “password reset?” email don’t just click on links it because the link may be bogus – that’s a favorite phishing technique. You should only ever get password reset emails when you’re, you know, resetting your password.

The way the two factor works is great: you enroll your cellphone with the site and when you want to make a credential change to your account from then on, you’ll get an SMS txt with a code that you enter into a page on the site. That tells them not only that you have your password but you have your cellphone. Raising the bar to the point where your attacker has to have your cellphone – that’s raising it about as high as it can go.

Typically you can also set two factor authentication to require the code once a month. The site stores a cookie in your browser that expires monthly (or whatever) and if you ever try to go to the site from a new machine without the cookie, it’ll do the SMS code check. That means if someone gets your password and tries to use it from another location, you’ll get a notification that a new system is trying to enroll – which means you know your password has been compromised and it’s time to get busy with the code check and password change cycle.

Do not waste your time thinking about passwords. Passwords are a losing game** and as anyone who’s seen WARGAMES knows, it’s best not to play those at all. When I need to set up a new password on something I pop up Lastpass, generate a 16-character random password, copy and paste it into the window, paste it into Lastpass, and forget about it. If I need the password a month later, I just copy and paste it again. The easiest way to set something like Lastpass up is to use the “I forgot my password” re-enrollment process on every site you use, then just re-enroll with a random password and forget about it. Here’s the thing: your passwords are more secure if they are different than if they are long, or not written down. If I have my 16-character password on a post-it note (or even in notepad on my desktop so I can copy and paste it!) stuck on my computer, you have to come to my house in order to read it. Now, the FBI will do that. Your typical hacker won’t. Then we’re down to talking about threat models and “who are you afraid of” and that sort of thing.

The Cloud

Do not fear putting your email out in the cloud, i.e.: at Google or Apple or wherever. For one thing, that makes it easy for the FBI to get them without having to smash in your door or hack your computer – it’s all very genteel. I’m sort of kidding.

Here’s the thing: if all the suggestions I made above for securing your email endpoint sound bad – the list of things you should be doing to set up a secure server is a lot worse. If you don’t intend to be a professional system administrator and do log analysis and vulnerability management on your server, then let Google or Apple or whoever do it. They’ve screwed up, of course, but they’ve got the energy and time to fix it, which most of us don’t. The vast majority of vulnerable systems on the internet are exploitable with well-known vulnerabilities that have been published for months or weeks – sometimes years. It doesn’t matter if it’s your personal @clintonemail server or your corporate server – servers are a target and there are lots and lots of robotic hack-o-matics that will check for the exploit and break in regardless of whether you’re important or not. The large cloud systems have already dealt with those, or they wouldn’t be large cloud systems for very long.

If you’re moderately paranoid (me! me!) you can have your email reader client pull down and delete messages off your server – don’t leave your messages to pile up on the server; we call that “evidence.” Use a pop client like Thunderbird and have it poll the messages down every 15 minutes and delete them. The downside of this is that if you mangle your local email archive, it’s gone. On the other hand, I suspect there are a lot of people at the DNC who wish they had a single place where they could mangle their local email and make it gone. Gosh, that Hillary Clinton sure is naive about technology, huh?

Short form: unless you want to be a professional server administrator, leave your email in the cloud.

Ugh

And… This is why I am extremely irritated by things like the DNC breach or the Clintonemail.com server kerfuffle. None of this nonsense needs to happen. Especially not for the High and Mighty. Set them up with a dedicated system that’s configured to do the right thing, and hand it to them. That, by the way, was what the State Department tried to do with Hillary Clinton except her definition of “the right thing” was different from theirs – she didn’t want record management. As my accountant once said “there are only two kinds of people in hell: those who were caught in the act, and those who kept records.”***

You get some weird counter-intuitive tradeoffs when you start to realize that having your passwords stored in the clear in notepad on your iPhone is more secure than having a 35-character password that some DNC administrator idiot emails to everyone: “HEY THE NEW SECURE PASSWORD IS ‘DIEBERNIEDIEDIEDIE’ EVERYONE USE THAT.”

If you’ve designed your security so that emailing around passwords is something you may even want to do, you’re doing it wrong. That’s one reason I get sniffy when the FBI says “the {Chinese, Russians, North Koreans} did it!” because I’m pretty sure that an australian shepherd dog could hack some of these organizations, their basic security practices are so bad. The FSB does not need to dust off an elite hacker team to come after an organization that’s so stupid you can probably hack them by sending them an email appearing to come from a fund-raiser, that contains a spread-sheet, which contains a trojan horse. A poodle could hack these people.

If you follow the roadmap above, I guarantee you you’re safe from the poodles and probably the FBI as well.****

---

(* More actually, but when I’m making up numbers I try to be conservative unless I’m running for office.)

(** I swear I have been saying exactly those words over and over since 1992. So much for progress.)

(*** Now amended to “3 kinds…” and “… those who have accountants.”)

(**** Because the FBI will cheat. They’ll just drop a national security letter on your landlord and walk into your apartment while you’re out, then install a keylogger in your computer and come back for it in two weeks.)