Upgrading My Personal Digital Security

With all of the data breaches happening such as Equifax, the update on the Yahoo breach that happened a while back, etc, it’s been on my project to do list to go in and work on my own personal security.

I used to be really good at protecting myself online but you know, you get busy and/or lazy, start using the same password everywhere, disabling two factor because it’s a pain and so on.

LastPass

So where did I start? The very first step I took was to dust off my LastPass account and go through all of my online services and replace all of my passwords with randomly generated passwords (up to 100 characters where accepted) from the service.

Then it was time to secure LastPass. Since it now contains the passwords for all of my accounts, the last thing I want is for someone to gain access to it. For that, I ordered myself a new YubiKey. For those of you that don’t know, a YubiKey is a small USB device that looks like a USB flash drive, but every time you press the button on it, it emits a 44-character one-time password that the service then checks with the Yubico servers to verify that the code is authentic. As a consequence, in order to get into my LastPass account, you need my username, my password and physical access to my YubiKey.
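As an added illustration, not code from the post or from Yubico, here is the defender-side logic a validation server applies to the 44-character OTP described above: modhex decoding, the CRC-16 residue check, the private-ID match and the replay-counter comparison. It assumes the AES decryption of the 16-byte block has already happened (the Python standard library has no AES) and uses a constructed private ID and constructed counters.

```python
# Added example, not code from the post: the checks a validation server runs
# on a YubiKey OTP. AES decryption of the 16-byte block is assumed to have
# happened already (the Python standard library has no AES); the private ID
# and counters used in the sample are constructed values.
MODHEX = "cbdefghijklnrtuv"  # YubiKey's keyboard-layout-independent alphabet
GOOD_RESIDUE = 0xF0B8        # CRC-16 residue of an intact 16-byte token


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string (two characters per byte)."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in s]
    return bytes(nib[i] << 4 | nib[i + 1] for i in range(0, len(nib), 2))


def split_otp(otp: str) -> tuple:
    """A 44-char OTP = 12-char public ID + 32-char AES-encrypted token."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """CRC-16 (reflected poly 0x8408, init 0xFFFF), the one Yubico OTP uses."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def make_token(uid: bytes, use_ctr: int, session_ctr: int) -> bytes:
    """Build a plaintext token the way the key does: uid(6) | use counter(2 LE)
    | timestamp(3) | session counter(1) | random(2) | ~CRC(2 LE)."""
    body = uid + use_ctr.to_bytes(2, "little") + bytes(3) + bytes([session_ctr]) + bytes(2)
    return body + ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")


def verify_token(token: bytes, uid: bytes, last: tuple) -> tuple:
    """Validate a decrypted token against the key's private ID and the
    last-seen (use, session) counters; returns the new counters to store."""
    if len(token) != 16 or crc16(token) != GOOD_RESIDUE:
        raise ValueError("bad CRC: wrong AES key or corrupted OTP")
    if token[:6] != uid:
        raise ValueError("private ID mismatch: token is for another key")
    counters = (int.from_bytes(token[6:8], "little"), token[11])
    if counters <= last:  # counters must strictly increase, else it is a replay
        raise ValueError("replayed OTP")
    return counters
```

The replay check is why a validation server must persist the last-seen counters per key: a captured OTP is useless once a later one has been accepted.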

Two Factor Authentication

The second thing I did was to turn on second factor authentication wherever possible.

What I found was that a lot of services only offer two-factor authentication via SMS, which isn’t the best way to implement it since text messages can be intercepted and read; however, it’s definitely better than no second factor at all.

Where it was offered, I turned on two-factor authentication via YubiKey. Very few services offer it as an option, but it was great to see that Google, Facebook and Dropbox all do.

Amazon Web Services

Most of my servers and databases are hosted with Amazon Web Services. I was fairly surprised that they don’t support YubiKeys for multi-factor authentication. So instead, I ordered one of the devices they recommend, a Gemalto SafeNet display card. It’s a credit-card-sized device that generates a six-digit code when you activate it. Once again, in order to gain access to my AWS account, you’ll now need my username, my password and access to the display card.

Backup Codes

When you turn on second-factor authentication, most services give you a list of “backup codes” that you can use in place of the second-factor device in case it gets destroyed or lost.

What you’re SUPPOSED to do is print the codes out and store them in a safe place. But since I absolutely LOATHE paper, I stored them all in a text file, put it on a flash drive and made arrangements with my best friend (who lives in an entirely different county) to physically store the flash drive in a fireproof, waterproof safe in her apartment. This way the codes are entirely offline and are protected against natural disasters.

Local Security

This is the area I went particularly crazy on, mostly because I wanted to ensure that if my laptop were ever stolen, it would be completely unusable to the thief.

Ubuntu, which I use, offers two different ways to encrypt your data.

Full Disk Encryption

When you install most Linux distributions, they give you the option to encrypt the entire hard drive. So when you boot up the machine, before you even get to the username and password prompt, you need to enter a password to decrypt the hard drive. With the YubiKey, you can program the second “slot” to store a static password of up to 38 characters. So that’s what I did, and I used that static password as the full-disk decryption passphrase, mostly because I’m lazy and didn’t want to enter multiple passwords whenever I turn on or reboot my computer.

Home Directory Encryption

Most Linux distributions offer to encrypt just your home directory where people store the majority of their documents.

This is usually the easiest way to do it, because it uses the password for your local account as the decryption key.

I went ahead and turned that on as well, so the files in my home directory are double encrypted: once by the full-disk encryption and once by the home directory encryption.

External Hard Drive Encryption

I always have a four terabyte external hard drive connected to my laptop for all my big files.

In Linux, you can format a drive with LUKS so that it is fully encrypted and you have to enter a password when you connect the drive before any of the data can be read. Yep, turned that on.

BIOS

The very first thing I changed in the BIOS was the boot order: from CD/DVD, then USB device, then hard disk, to hard disk first, so someone can’t boot from a live DVD or flash drive.

Then I disabled the boot menu option, so someone can’t change the boot order without going into the BIOS.

Of course, I then put a password on the BIOS, so someone can’t change anything in it without the password.

Lastly, a tamper detection mechanism. Not every BIOS has this option, but my ThinkPad does: whenever a hardware change is detected, you must confirm the change in the BIOS before it will boot, which of course requires the BIOS password. This means that even if the thief is smart enough to take out the hard drive and put a different one in, it still requires a password, making the laptop completely unusable.

Conclusion

Securing your data is absolutely a pain in the ass. However, we live in a time where it is now a must. Would you rather be slightly inconvenienced now or wait until your identity is compromised?


Safari has Gotten Password Management Nailed

Some of you may know that I’m doing an experiment where I’m trying to use my iPad Pro as my primary computer for a year.
One of the things that I was pleasantly surprised about is Safari’s built-in password manager. Every time I go to create a new account somewhere on my iPad, Safari has this nice button above the keyboard saying “Suggest Password”, and it generates a long, random password for me.

Now, I’m a big fan of LastPass and 1Password, but they fail my “dad test”. My dad test being: is this easy enough that I could get my dad to use it? And unfortunately, I still don’t think that password managers have gotten mobile right. Besides, I don’t know anybody outside of tech people who is willing to pay for an additional subscription (no matter how cheap) for something that makes their life harder.

But I really think that Apple did it right. They made it simple, free and secure. I sincerely hope that other browsers can follow!

Electronic Frontier Foundation’s Let’s Encrypt

In the early days of my business, one of the first services that we offered was web development and design, to be quite honest because it was fairly easy to sell at a large profit margin. However, with me being me and having an intense background in system and server administration, we not only designed and developed the websites, we would also provide the hosting and maintenance for those sites.

All well and good, except that some of those websites either had e-commerce built into the site or collected sensitive information from their customers or patrons. So it was a must to use SSL certificates to secure the data in transit from the user’s browser to our servers (I’ll get into securing and encrypting that data at rest some other day). Back when we were doing it, you had to go find a certificate authority that you actually trusted, such as Verisign or Norton, which usually came out to a few hundred dollars every year, generate your key pair and certificate on your server, then get them to work with whichever web server you had. It was a mess. By far the thing I hated doing the most for web hosting.

That’s why I was so stoked when I found out, about a year and a half ago, that The Electronic Frontier Foundation (EFF), in an effort to make SSL connections the new default, was not only becoming a certificate authority but had also developed a tool called Let’s Encrypt that makes it ridiculously simple to enable SSL on your website. All you have to do is go to https://letsencrypt.org, choose your operating system and web server, and it will download the appropriate script. Oh yeah, it’s completely free!

Since Let’s Encrypt came out, I have used it for every web server that I’ve set up, whether it needs it or not. It literally only takes about five minutes to set up, so why not?

PFSense: My Go To Firewall for SMB

Given that I’m an open source junkie, it should be no surprise that PFSense is, without a doubt, my favorite firewall for both home and small business use.

During the last three years of my business, instead of buying a Cisco SMB or a SonicWall firewall, what I’ve done is buy a refurbished Dell PowerEdge server, typically with around 16 GB of memory and usually a RAID array with a usable capacity of 500 GB, for around $200-$300, and pop PFSense on it.

Aside from it being completely open source, some of the things that I love about it are:

  • It’s rock solid, given its FreeBSD foundation
  • Its bandwidth monitoring and rule-based policies
  • VPN built in, with both OpenVPN and IPsec
  • Web caching built in with Squid
  • Web content filtering to block people from visiting unwanted or inappropriate websites
  • Its on-demand virus scanning, blocking viruses and malware before they reach the client’s computer
  • Limiting traffic by country
  • A programmable intrusion detection system
  • VLANs completely built in

I could go on and on and on. There are literally hundreds of available plugins that extend PFSense’s core functionality. Knock on wood, but I’ve had some PFSense servers running for years without issue. I know that a PowerEdge server is a bit overkill as a firewall for a small business, but at that price, why the hell not?

Turning on two factor authentication on your Google Account

Those that know me know that I’m a huge fan of two-factor authentication. For those that don’t know what two-factor authentication is: when you sign into an online account, you enter your username and password as always, but you are then usually sent a text message with a six-digit code that you need to enter before you can access your account. This way, even if your password gets compromised, another person cannot access your account without also having access to your phone.

To turn on two factor authentication on your Google account:

  1. Go to http://gmail.com and sign in
  2. Select your avatar on the upper right hand corner (to the right of your email address) and select My Account
  3. Select Signing in to Google under “Sign-in & Security”
  4. Select Two-Step Verification
  5. Google will once again ask for your password, go ahead and enter it
  6. It will then ask for your phone number, type it in and click Next
  7. A verification code will be sent to your phone, type in that code and hit Next
  8. Finally click “Turn On”

And you’re done! Now every time you sign in from a new computer or device, you’ll need to verify that it’s truly you by entering the verification code. Most online services now offer two-factor authentication, including Facebook, Twitter, Dropbox and most banks, and I highly recommend turning it on wherever possible.