Low-hanging Security/Privacy for the Lazy 2016!
Keeping a good security and privacy is tough work. There's always a trade-off between effort and achieved security. In this blog post I'll mention small things that a ``normal'' person should be able to perform — that still increase the overall security of that user's data.
Choose your Liege
Bruce Schneier talks about the comeback of feudal security: you choose your liege lord and depend upon him for providing security. You pledge yourself to Google, Facebook or Apple. Your liege protects his servers (with your data) and might defend your data/emails in a legal court — for which I as a private person would not have the monies — but for that it gets access to all your data. Choose your liege carefully and only have few of them. For me Google is essential. It's hosted mail service gets all my possible password reminder/reset emails. If it gets compromised, it's game over for me. Similar for me is LastPass. Identify those main trust anchors and use secure and unique passwords for them. If possible enable two-factor-authentication (2FA). This forces an attacker to not just steal your password in cyberspace, but she would also need to steal a second factor (i.e. phone or RSA token) in the physical world. Few "private" hackers will escalate to this level.
Physical Host Security
The next step is physical device security, i.e. what happens if an attacker has short-term access to your computer. The most basic setup is to enable hard-drive encryption. This raises the effort to get your data. But then, if an attacker has access to your hardware he could add a backdoor to the unencrypted boot partition, (UEFI) BIOS or firmware (see evil maid attacks. To prevent that SecureBoot would be needed, but it is only partially supported by Linux and Windows. Macs have no protection whatsoever. Oh, by the way, you still have to trust all your hardware vendors.
When it comes to operating system security, the most important thing is to update often.
Secure your Web-Browser
The next logical step is to secure your browser. I'd strongly suggest to user Firefox/Chromium and then install some basic plugins:
- Privacy Badger: this reduces some of the tracking widgets/bugs/codes that are delivered by most websites
- HTTPS everywhere: if you're using HTTPS an attacker cannot eavesdrop on your communication by just connecting to the same WLAN/network. This plugin automatically switches communication to HTTPS if possible.
- LastPass: this is a web-based password manager. This allows for unique automatically generated passwords for each used website. If your LastPass-stored passwords get lost, you'll have to reset those through your mail account so don't store your mail account password in LastPass. Giving all your passwords to a third-party is controversial but LastPass has a good security history and I trust LastPass more to keep my passwords secure than I'd trust every website where I've created an account.
Secure your Communication
The next step is to improve communication (transport-level) security. I am using a VPN for that (in my case Private Access Security which claim that they do not store any logging information; I get some referral fee if you're using the link to create a new account). The basic idea is that all traffic transported over the VPN is private between your computer and the VPN provider. This mostly thaws attacks by your provider and your country's content provider mafia. You have to trust the VPN provider though; but then, your data should already have been encrypted (i.e. through HTTPS everywhere).
Please use GnuPG for your emails. With it only the mail's receiver is able to read the information within the email. If you remember the initial liege lord discussion: with GPG even your liege cannot read your sent/received emails (but still can gather with whom you were communicating with). GPG has a bit of a learning curve, I'd suggest to go to a nearby crypto party, i.e. those are the events for Austria.
GPG uses two matching keys: a secret-key that only the owner should know and a public key that can be.. well.. be made public. If you remember the ``evil maid'' attack — i.e. an attacker ` with short-term access to your computer — storing the secret key unsecured on your computer compromises the overall security. The solution for this are secure tokens, i.e. YubiKeys. With this token you can transfer your secret-key upon the token (which connects via USB) and then take only the token with you. An attacker with short-term access to your computer now cannot get your private key; an attacker with access to the token can use the secret-key but cannot duplicate it and is thus limited.
For mobile security it's complicated. I applaud Google and Apple for trying to go dark. Encryption on this level always has the problem of reduced battery run-time and performance. My mobile check-list is:
- use an regularly updated open-source operating system. That's CyanogenMod for me, you can check here for device support. Update often.
- Use Signal for messaging. If interested into technical details read their news blog.
- If performance allows it (mostly down to having a 64-bit ARM CPU, i.e. ARM A53 or A57) enable full-disk encryption. If that is too slow, look into the remote device wiping facilities of your chosen platform. You'll have to accept that your data will be compromised if your device is stolen by an attacker but at least you can improve the "device lost" use-case.
- On Android, install Firefox with all the prior mentioned security and privacy plugins
Most of the listed possibilities are free to use; the only ones that you'll need money for are the VPN account and hardware tokens (i.e. YubiKey). Those are not mandatory. Sometimes you can get a free VPN account from your university. How much is your privacy worth to you? If you don't take any step at all the answer is "nothing". You'll get what you deserve.