A Reasonable 80/20 Approach to Personal Data Security

February 20th, 2017

Security of online accounts is a tough topic these days. It is beyond the capacity of most people to adequately defend accounts and computing resources against the resources of determined state agencies, but equally that usually isn't on the agenda. Fortunately. Yet. The more prosaic, but still very serious threats are those involving hijack of critical accounts and data: email, phone, bank, brokerage, cloud provider, and so forth. How to best defend against this without having to become an expert in cryptography and memorization?

The Death of Privacy

Privacy is intimately related to security - you can't have secret tokens if nothing is private - but in the sense that most people care about, meaning everyday personal communications, it isn't really the focus here. If you use Facebook, Gmail, Skype, the plain old telephone system, instant messaging systems, and so forth, you have to assume that everything you send is permanently recorded somewhere. The NSA has it, any law enforcement office will get it on request, the major service providers such as those already named will have it, and the historians of 2117 will definitely have anything that passed through those major service providers, and probably the NSA databases as well. There is no practical way to avoid this without getting everyone you know onto the same distributed, encrypted platform, lacking any sort of central authority that can be compromised by the powers that be, and that isn't going to happen any time soon.

In the sense that privacy is involved here, it is the privacy of having secret tokens remain secret, as best as is possible with a reasonable amount of effort. Again, determined state actors can bypass nearly any reasonable precautions available to the average individual, via evil maid or rubber hose approaches in most cases, and via very sophisticated technical means in a range of others, so that also isn't really a topic for discussion here. Defenses are thus focused on reducing risk for the more common scenarios involving malicious breach of accounts for theft or other similar purposes.

The Goal: No One Loss is Disastrous

The basic high-level goal is to arrange your accounts, computing devices, and security such that the loss or compromise of any one item is not disastrous, that it only requires the expenditure of work to recover from. Consider that for most people, theft and compromise of the primary mobile phone can be leveraged into attacks on all of their critical financial accounts, never mind their communications. The same goes for registered domains and email accounts, but even more so: most password resets can be negotiated via email, and in the case of Gmail people tend to have years of historical data in there for an attacker to comb through in order to list accounts for further targeting. Similarly, loss of a personal machine with an unencrypted disk means compromise of the data on it, and a large number of people still do not use full disk encryption. It is possible to do better than this, and with only a reasonable level of effort.

The Scenario

For the sake of argument, let us say that the scope of protection here applies to the machines and accounts belonging to a single individual. They are as follows:

  • Laptop.
  • Primary mobile phone, used as a point of contact for all accounts.
  • A personal mail server and domain, hosting a primary email account, used for all online accounts.
  • An Amazon Web Services (AWS) account for the mail server.
  • A domain registrar account for the personal email domain.
  • Bank, brokerage, and other critical accounts.
  • A near infinite number of other online and third party accounts collected over the years.

Password Management

Use Secure Passphrases

Use passphrases that are long enough to be very secure, but still memorable. The four word phrase approach is a good one, chaining together four uncommon words of five letters or more. This produces very secure passphrases, and even more so if you throw in a deliberate misspelling or two. Never share a passphrase between any two services: use a different passphrase for each account.

Maintain an Encrypted Password Database

All account access details for machines and personal accounts are stored on the laptop in a local password database such as Keepass. There are online services that offer similar functionality, but using them adds an entirely unnecessary additional risk of compromise, as such services are an attractive target for attackers. Use a passphrase for the password database that is different from the passphrase used to access the laptop: the first purpose of an encrypted password database with a different password is to provide some additional security against theft of or unauthorized access to the laptop while it is open. In this case, the attacker cannot then use that opportunity to gain all account credentials.

With the same goal in mind, do not set up any of the fancy integrations that some password databases offer, such as the Keepass auto-type feature. Do not use the form autofill tools available in web browsers. Aside from these options being considerably less secure in many cases (again, consider the abrupt theft of an open laptop), it is helpful for the process of memorization to manually type credentials when needed.

Synchronize the Password Database to an Online Location

The other important use for a password database is to make it much easier to restore access to accounts following loss of the laptop, while traveling, and so forth. To enable this, set up a synchronization of the encrypted database with an easily accessible remote location, which can be S3, Dropbox, a location on a personal website, or similar. This doesn't have to be at all sophisticated, so long as it works. A simple shell script to upload the file daily would do the job.
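One way to write the daily upload script mentioned above, as an added example that is not from the original post. The paths, the placeholder bucket name and the use of the AWS CLI are assumptions; the check on the file's first eight bytes assumes a KeePass 2.x (KDBX) database and stops a plaintext export from being uploaded by mistake.

```shell
#!/bin/sh
# Added example: upload the encrypted KeePass database when it has changed.
# Assumed (not from the original post): the paths, the bucket name and the
# use of the AWS CLI; any uploader taking "source destination" will do.
DB="${DB:-$HOME/secrets/passwords.kdbx}"
DEST="${DEST:-s3://example-backup-bucket/sync/passwords.kdbx}"  # placeholder
STATE="${STATE:-$HOME/.cache/pwdb-sync.sha256}"
UPLOAD="${UPLOAD:-aws s3 cp --only-show-errors}"

# KDBX (KeePass 2.x) files start with the bytes 03 D9 A2 9A 67 FB 4B B5.
# Anything else (a CSV or XML export, a truncated file) is refused.
is_kdbx() {
    [ -f "$1" ] || return 1
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    [ "$sig" = "03d9a29a67fb4bb5" ]
}

# SHA-256 of a file, using whichever common tool is installed.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Upload only when the database differs from the last successful upload.
# Returns 0 on success or no change, 1 on upload failure, 2 on a bad file.
sync_db() {
    is_kdbx "$DB" || { echo "refusing: $DB is not a KDBX file" >&2; return 2; }
    new=$(file_hash "$DB")
    old=$(cat "$STATE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 0
    fi
    # $UPLOAD is deliberately unquoted so it can hold a command plus options.
    $UPLOAD "$DB" "$DEST" || return 1
    # The state file is written only after a successful upload, so a failed
    # run is retried the next day.
    mkdir -p "$(dirname "$STATE")"
    printf '%s\n' "$new" > "$STATE"
}

# Example crontab entry: 15 12 * * * /path/to/pwdb-sync.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_db
fi
```
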

Passphrases, not PINs

Use a passphrase to lock your mobile device, not any of the other much less secure options, such as PIN, biometrics, and so forth. For some types of device, this is already required as a part of using full disk encryption. The objective is to ensure that protections against unauthorized access cannot easily be brute-forced or otherwise bypassed, and only a passphrase guarantees that.

Required Memorization

The strategy outlined in this post requires memorization of, at minimum, three separate passphrases and one URL. This is a lot easier than it sounds if you follow the four word phrase approach. Four unusual words in combination are fairly easy to remember, as link memorization strategies emerge naturally for this case. The passphrases are as follows:

  • Passphrase for the mobile phone.
  • Passphrase for the laptop and its backups.
  • Passphrase for an encrypted password database.
  • URL for a synced or uploaded copy of the password database.

Additionally, it will probably make life easier to memorize the passphrase for the primary mail account, but this is not strictly necessary. It is always possible to download the encrypted database and dig it out of there, but it is less convenient to have to do so.

Encrypt All Computing Devices

Ensure that all computing devices use full disk encryption with access requiring entry of a passphrase. The passphrase for the encryption, which must be entered on startup, can be the same as the passphrase for your main administrator account on the device. There isn't much of a gain in most circumstances from making them different, so this removes one additional necessary memorization. Hopefully it is obvious as to why encryption is very beneficial: when a device is stolen, absent encryption all of the information it contains becomes trivially available to even unskilled attackers, something that may well cause a lot of harm if it falls into the wrong hands.

Full disk encryption is easy to set up in modern Windows via BitLocker, provided you have a variant in which that feature is enabled, though be careful not to provide the passphrase to Microsoft for backup, which is unfortunately one of the default options. An open alternative is VeraCrypt. In Linux full disk encryption via LUKS generally must be set up when the drive is first formatted, but is straightforwardly secure. These are of course far from the only options, but it is generally a good plan to go with the simple, built-in modes where they are available.

When it comes to the mobile world, modern Android and iOS devices are by default encrypted, but on older Android models you may have to choose to enable it. In all cases there are many good recipes and troubleshooting guides out there; just search for those relevant to your device and its operating system.

Set up Encrypted Backups, Local and Remote

To guard against the loss of the laptop and all of its critical data, run local and remote encrypted backups using a tool such as Duplicity or Ubuntu's Deja Dup. It is rarely necessary to back up everything on a drive - just your personal data and settings, the stuff that is truly impossible to recreate or reinstall. Where to put the remote backups? AWS Simple Storage Service (S3) is a great location, reliable and supported out of the box by many tools. In your AWS account, create a suitable single-purpose IAM account with a role that allows nothing more than reading from and writing to the backup location in S3. Create an access key pair for that user, and then configure the backup tool of choice in the laptop with the access keys.
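A sketch of the single-purpose backup identity described above, as an added example that is not from the original post. The user name, bucket and prefix are placeholder assumptions, and the small wildcard check is an illustrative helper for spotting the over-broad grants that tutorials often suggest instead.

```shell
#!/bin/sh
# Added example: single-purpose IAM user for laptop backups.
# Assumed names (not from the original post): user, bucket and prefix below.
BACKUP_USER="${BACKUP_USER:-laptop-backup}"
BACKUP_BUCKET="${BACKUP_BUCKET:-example-backup-bucket}"   # placeholder
BACKUP_PREFIX="${BACKUP_PREFIX:-laptop}"

# Only accept characters that are safe to splice into the JSON below.
safe_name() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a policy that allows listing one prefix and reading and writing
# objects under it, and nothing else in S3 or in any other service.
# Usage: backup_policy BUCKET PREFIX
backup_policy() {
    safe_name "$1" && safe_name "$2" || return 1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBackupPrefixOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$1",
      "Condition": { "StringLike": { "s3:prefix": ["$2/*"] } }
    },
    {
      "Sid": "ReadWriteBackupObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::$1/$2/*"
    }
  ]
}
EOF
}

# Succeeds if a policy document contains the usual over-broad grants:
# "*" or "s3:*" as an action or resource, or an all-buckets S3 ARN.
policy_is_broad() {
    printf '%s' "$1" | grep -Eq '"(s3:)?\*"|:::\*"'
}

# Create the user, attach the inline policy, and print a new access key
# pair for the backup tool. Requires AWS CLI credentials with IAM rights.
create_backup_user() {
    policy=$(backup_policy "$BACKUP_BUCKET" "$BACKUP_PREFIX") || return 1
    if policy_is_broad "$policy"; then
        return 1
    fi
    aws iam create-user --user-name "$BACKUP_USER" &&
    aws iam put-user-policy --user-name "$BACKUP_USER" \
        --policy-name s3-backup-only --policy-document "$policy" &&
    aws iam create-access-key --user-name "$BACKUP_USER"
}

if [ "${1:-}" = "--apply" ]; then
    create_backup_user
fi
```

The policy leaves out `s3:DeleteObject` to match "nothing more than reading from and writing to", so a backup tool using these keys cannot prune old backup sets. Note that `s3:PutObject` still allows existing objects to be overwritten unless bucket versioning is enabled.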

There are many paid options for remote backups if you don't want to manage your own remote storage service, but when assessing them always ensure that encryption happens locally, and that the service in question has no control over keys and passphrases. An example of a high-quality, reputable paid service is Tarsnap. Reading their documentation should provide a good overview of the basics, and help in assessing other services.

For local encrypted backups, buy an external USB SSD drive of the appropriate size. These are now comparatively inexpensive, even in the largest sizes. Most of these now come with some form of backup software, but it isn't hard to ditch that, format and encrypt the drive yourself, and set up a tool to back up to it on a regular basis. Here you can use the same passphrase as for the laptop disk encryption, as nothing is gained in most scenarios by using a different passphrase. Plug the disk in to the laptop, and just don't forget to remount it by entering the password whenever you have to restart. The peace of mind offered by a local backup is considerable, and it will make recovery a lot easier if the laptop is lost to technical or mechanical issues rather than theft, fire, and so forth.

Two-Factor Authentication for all Critical Accounts

Two-factor authentication (2FA) is a critical part of ensuring that compromise of your primary phone or email doesn't then immediately lead to compromise of all important accounts. This means that successful login to a service supporting 2FA requires both credentials and some form of token generated by a dedicated hardware device, or by software such as Authy or Google Authenticator installed on a device, e.g. your mobile phone. If either 2FA device or credentials alone are stolen, the attacker still has no access. Since most attackers are remote these days, and their efforts focused on getting access to specific single accounts, this sort of setup can limit their ability to further exploit any initial account compromise.

Phone and email compromise is a serious threat, and continues to happen on a regular basis in the wild. It is comparatively easy for competent attackers to take control of and transfer your phone number, for example, at which point they can start to gain access to all accounts that use tokens sent via SMS as a means of authentication while recovering passwords.

As the above example should make clear, not all 2FA is equal. In a world in which the phone companies are terrible at ensuring security of ownership over a phone number, which is pretty much the world we live in, 2FA that works by sending SMS isn't very useful. Attackers find it easy enough to social engineer the transfer of phone numbers that 2FA or password reset via SMS arguably makes an account with an otherwise strong password less secure against many classes of attacker. Equally, many services implement 2FA in ways that make it easy to bypass given control over the account holder's primary phone or email account; look carefully at the password and 2FA reset options on your critical accounts. Ideally it should be impossible to bypass 2FA without the account credentials, and impossible to change the account credentials without the 2FA. Unfortunately that is not always the case; many services put too much trust in ownership of phone and email.

In summary:

  • Set up 2FA for all critical accounts, and for preference all the others that support it as well.
  • This especially includes web access to your primary email account, and supporting registrar and cloud provider accounts.
  • Always record the 2FA seed in your encrypted password database, to allow easy setup for multiple or replacement 2FA devices.
  • Disable password recovery via SMS where possible.
  • If a critical service such as a bank only offers 2FA via SMS, or allows some form of 2FA bypass via SMS or email without password authentication, switch to another provider.
  • Look carefully at the password and 2FA reset options on your critical accounts.

It doesn't much matter whether you use 2FA software on your primary mobile device or keep a separate dedicated 2FA device. Both options have pluses and minuses, but that depends on the circumstances.

Protect Your Phone Account as Best as is Possible

Many phone companies will allow you to (a) add an annotation to your account to declare the number you are using should never be ported to another company, and (b) add a password to the account that you will have to provide to customer service representatives when making changes. This helps to minimize the chance that an attacker can use social engineering to redirect your number to a system under his or her control, and thus use it as the starting point to gain control over other accounts that have the phone number as a point of contact.

If these are not options for your phone company, find a better phone company.

Personal Mail Server and Primary Email Account

Running your own mail server in the cloud removes some of the concerns surrounding privacy, compromise, and loss of control over a Gmail or other provider email account. That comes at the cost of having to stay on top of security issues, such as exploits in mail software, domain management, and so forth. When it comes to setting up a mail server, there are good guides out there, such as the one here at Ex Ratione, and tools that are easier for a neophyte to work with, such as Mail-in-a-Box. I'd recommend setting up in AWS, since as noted above you may already be using S3 to store encrypted backups, and AWS IP ranges typically have fewer issues with deliverability of mail than those of the other leading providers.

Running a personal mail server opens up a range of opportunities to lock things down to make the setup more secure. You could, for example, restrict all IMAP, POP, and HTTP/S access to specific IP addresses. You can add the 2FA implementation that pleases you best to the webmail application. My mail server recipe uses Roundcube for webmail, and there is a 2Steps verification plugin for Roundcube.

Domain Name Security Practices

Loss of control over the domain used for your primary email address is a damaging type of attack. Fortunately this is a lot harder for attackers to pull off these days, but it still happens.

  • Use a domain registrar that supports 2FA.
  • Always use the domain lock feature offered by registrars. Make sure that the lock is set on, and remains on.

Mail Client Configuration

It is a good idea to use your local mail client to remove mail from the server as soon as it arrives, rather than leaving it in place. Why offer an attacker more reading material than you have to? People do like to have access to mail from both laptop and mobile device, however. This isn't hard to arrange via POP or IMAP access; configure the mail client in the mobile device not to delete mail from the server, and the mail client in the laptop to delete mail from the server after a few days or weeks. Access via POP or IMAP from a mobile device does mean that less can be done to lock down access to a mail server, however.

Be Prepared to Recreate the Server

Be ready and prepared to destroy and recreate the mail server instance at short notice, using new access credentials. At the very least, write down your setup recipe. When using a cloud service such as AWS, backup images can be taken, but in the event of a compromise, restoring from a backup is probably unsafe, as it is next to impossible to determine when the compromise first occurred, and how broad the scope is: just access, or access plus installation of malware? The most cost-effective approach is to destroy and rebuild the server instance with new credentials.

Laptop and Device Security Practices

What follows here is by no means a comprehensive list; it is intended to hit some of the high points in the present environment of threats and attacks, both remote and local.

Screen and Application Lock

Set up screen locking on laptops and mobile devices to occur fairly rapidly, after a few minutes. Practice the habit of locking the screen even if getting up for only a few moments. This narrows the window of opportunity for unauthorized access to the machine while it is open.

On mobile devices, it is typically the default behavior that the content of messages and other private information is visible on a locked screen. Turn this off in the device settings. Further, ensure that on a mobile device the screen is unlocked via passphrase, the same one you used to encrypt it, rather than the much less secure PIN code or swiping pattern.

Never Leave a Computing Device Unattended in Public

Quite aside from the prospect of someone walking off with your machinery while you look the other way, even if you lock the device, how do you know that it wasn't subjected to a poison USB attack, or that your password entry wasn't watched via camera and then recreated? You don't. This sort of thing is currently rare, but will become more common over time. You should not leave a phone or laptop unattended for exactly the same sorts of reasons as you should not leave a wallet unattended.

Use a Firewall and Other Necessary Security Assurance Software

Use a firewall that locks down all incoming access attempts by default. This is more or less the standard setup on most machines these days, but always check to make sure that a firewall is in place and configured to restrict all access before connecting to any new network.

If on Windows, ensure that the built-in security scan and antivirus software (presently Windows Defender) is running and correctly configured. It is still the case that there is less of a requirement for analogous software for Linux, but a number of viable options exist if you feel the need.

Email Client Applications

One of the worst commonplace things that can happen is for an attacker to get hold of your mobile device or laptop while it is running and unlocked - hence the notes above on cutting down the lock period to be much shorter than the usual default. The ideal situation for mail usage is that every access requires passphrase entry, but few mail clients work well in this mode. Further, given the way most people engage with email, typing a passphrase on each access goes some way beyond adding merely a little extra inconvenience. Using a mail client with a cached passphrase does mean, however, that an attacker has immediate control of your primary email if they can obtain access while the laptop or device is unlocked. This is something to consider.

Cover the Camera Lens on the Laptop

While not directly related to any of the rest of this discussion, I think a fair-sized fraction of the population are by now at least a little concerned about built-in cameras and their silent compromise. Duct tape works just fine for most machines. Cut a small square and press it on over the lens. Or buy one of those fancy stick-on sliding covers. Either way, put in place something that isn't a software switch to ensure cutoff.

Avoid Reuse of USB Devices

USB drives and USB firmware have become prominent vectors for malware in recent years. Since there are other viable methods of conveniently sharing files, use those instead. Do not reuse USB devices, passing them between machines. It is an unnecessary risk.

Web Browser Security Practices

Web browsers are a primary vector for a variety of malware and remote attacks these days, and much of that exposure is through compromised advertising systems. There are plenty of guides out there when it comes to hardening your browser against this and other forms of attack, so no need to go into great depth here. A few important points:

  • Use one or more comprehensive, actively supported content blockers, such as the combination of Ghostery and uBlock Origin.
  • On mobile devices it is possible to use content blockers; there are new good content blocking applications in recent iOS versions and in Android it is possible to install Firefox, which allows the same add-ons as the desktop version.
  • In all cases, mobile or otherwise, the default setup lacks effective content blockers, so you will have to install them.
  • Do not use password managers that integrate with the browser. Do not have the browser remember credentials. What if someone gains access to your machine while it is unlocked?
  • Whether browsing the web or using some other form of network connection, unencrypted connections cannot be trusted. Never enter any sort of personal information or account credentials unless the connection is encrypted. Pay attention to warning notices, as they are indicators that a network is trying to subvert an encrypted connection. Stop using that network if this happens.
  • Consider using add-ons such as HTTPS Everywhere to help ensure that connections are always encrypted where possible.

Mobile Application Security Practices

The same caveat about automatic logins and remembered credentials also applies to mobile applications. Don't let applications automatically log in to services and accounts. You will regret it if the mobile device is taken from you while unlocked.

Everyday Banking Practices

This discussion is focused on everyday banking activities in the US, but similar exploitable systems exist in other banking systems. The Automated Clearing House (ACH) used in the US to transfer funds might not be the least secure methodology of pushing money around, but it is certainly up there as a contender. Most people have ACH connections set up between their bank accounts and a range of services and accounts: brokerages, utility companies, other banks, and so forth, meaning that the necessary tools for fraudulent transactions are spread fairly wide and across a range of organizations with poor security practices. It is a bad idea to use an ACH-connected account as a place to park money, and a bad idea to have strong links between this account and any other account in the same bank in which you are parking money. For example, in the US most banks offer overdraft protection, allowing a draw for funds on a checking account to then also draw on an associated savings account if it runs over.

Banks will generally fix issues and the consequences of fraud or exploit when they occur. But sometimes they will not, and the larger the amount of money involved, the more likely it is to wind up in the hands of lawyers for an extended period of time. Better not to get stuck with this situation in the first place.

One easily managed approach is to maintain a single checking account for all ACH purposes, so that it can be sacrificed with minimal cost in time and money in case of exploit. That account should have little money in it: the minimum balance to avoid fees, and whatever is needed to allow the various automated payments to flow. There should be no way for this account to draw on funds in other places if drained, such as the above mentioned overdraft protection. If you must park money in a bank rather than a brokerage (where you'll generally get a better rate), keep another disconnected account for money parking purposes, preferably at a different bank.

When Travelling Across Borders

The world is presently undergoing a trend of ever-increasing authoritarianism when it comes to what the powers that be think is appropriate behavior towards travelers at national borders and points of entry. Even in supposedly more enlightened locales, both foreigners and citizens are being forced to unlock devices so that their contents can be copied, under threat of imprisonment, or, just as bad, pressured into giving up credentials to online accounts. Given the security setup outlined in this post, the following seems wise when crossing borders, assuming a round trip from home to a foreign destination and back again:

  • Ensure that your encrypted password and account details database is uploaded to an accessible but unpublished location. E.g. a memorized key in a public S3 bucket in your AWS account.
  • Leave your mobile devices, 2FA devices, and laptop at home, shut down to prevent them emptying out your email account for the moment.
  • For preference, travel without a phone or other mobile device.
  • If a phone is required while traveling, buy a temporary device, such as a no-contract phone with a prepaid plan. Use it for nothing other than phone calls. Don't bother locking it. Discard it if it is out of your sight for any period of time.
  • On arrival at your destination, buy a temporary laptop and phone. Apply full disk encryption, add necessary 2FA software, download the password database, and resync the 2FA for the accounts you plan on using while there.
  • Format or destroy and then discard the computing devices before returning.
  • When going back home, follow the same procedure as when leaving, only in reverse.
  • If detained at a border, be polite, follow reasonable instructions, but refuse to provide any account credentials if they are demanded. Better to burn time and be denied entry than to give up access to accounts, critical or otherwise.

Losses, Compromises, and Checklists for Recovery

Given various forms of loss and compromise, what should be done to recover, given the security setup described here? It is important to figure this out in advance, because it is quite possible to set up a system of accounts, backups, 2FA, and memorization in which you are locked out from recovery if exactly the wrong thing fails.

Loss of Remote Backups

  • Recreate the backups.
  • If the entire service hosting the backups has become unavailable in some way, switch to another service.

Loss of Local Backups

  • Recreate the backup setup if the external drive still works.
  • Otherwise get another drive and recreate the backups.

Loss of Primary Mobile Phone

  • Borrow a phone and notify the phone company as soon as possible.
  • The phone is encrypted and password protected, so all data should be safe if it was locked.
  • Get a new phone for your current phone number, and set it up in the same way as the lost phone.
  • If using the phone for 2FA, then resync or recreate the 2FA setup in all of your accounts that use 2FA.

Unauthorized Access to Primary Mobile Phone

  • If you still have possession of the phone, turn it off and do not use it further. It is next to impossible for an average individual to determine whether or not it now contains either software or hardware malware, such as keyloggers or similar.
  • If the phone is used to access email, and has stored credentials for the email account, then immediately change the password for the primary email account. Access to the primary email is the greatest immediate threat here.
  • Then follow the steps above for loss of the phone.
  • Assess the contents of the phone for the possibility of their use in further compromise, such as email history, and take further steps accordingly.

Loss of Primary Mobile Phone Number

Loss of a phone number can happen if it is transferred to another provider without consent, such as via a social engineering attack against the network provider.

  • Immediately remove the number from all accounts it is associated with.
  • Inform the provider of the loss of control of the number, and attempt to get it reversed. Assume that this may not be successful, or may take too long.
  • Obtain a new phone number from the provider and associate it with your mobile phone.
  • Update all accounts to add the new number.

Loss of Dedicated 2FA Device

  • Get a new 2FA device, and resync or recreate the 2FA setup in all of your accounts that use 2FA.

Loss of Laptop

  • The laptop is encrypted and password protected, so all data should be safe if it was locked.
  • Obtain a new laptop, and recreate the setup described here. Restore the last backup.
  • If the local backup is also lost, you will need to obtain the uploaded password database, or have memorized the passphrase for the remote backup location (e.g. AWS S3, so the AWS account passphrase) in order to obtain access again.

Unauthorized Access to Laptop

  • If you still have possession of the laptop, turn it off and do not use it further. It is next to impossible for an average individual to determine whether or not it now contains either software or hardware malware, such as keyloggers or similar.
  • Using another machine, immediately change your email password. Access to the primary email on the part of the attacker is one of the most important threats here.
  • Then follow the steps above for loss of the laptop.
  • Assess the information in the laptop for the likelihood of further compromise - particularly email history, financial information, personal information that could be used for identity theft, and so forth. Take further steps accordingly.

Third Party Service Suffers a Data Breach

  • Change the password for your account with the service, reset the 2FA.
  • Consider changing to another service provider.

Loss of Control Over Primary Email Domain

Loss of control of a domain can occur through a social engineering or other attack against a domain registrar. This is less common than it used to be, but still a threat.

  • Inform the registrar, and get them started on a process of remediation. Assume that this may not be successful, or may take too long.
  • Register a backup domain, and configure your mail server to use it in addition to the primary domain, now lost. Alternatively, use a backup email account registered with a provider such as Gmail.
  • Update all accounts to use the new backup primary email address.
  • Inform all parties that need to know about this hopefully temporary change.

Unauthorized Access to Primary Email Account or Mail Server

Determining the nature of unauthorized access can be challenging, and for that matter so can determining whether unauthorized access actually occurred. Erring on the side of caution is usually better.

  • Destroy and recreate the mail server.
  • If specific flaws can be identified, patch them.
  • Change the email passphrase, and resync the 2FA.

Summary of Vulnerabilities

In this model just about the worst of the commonplace attacks to fall victim to is for an attacker to gain access to the unlocked phone or laptop, at which point they have quite a lot of personal information at their fingertips, and likely immediate access to the primary email account. This is the circumstance to avoid if at all possible. Never leave a computing device unattended in public, and develop good habits when it comes to locking the device whenever you turn away. Consider using a secondary laptop if you must work in public, one that only contains data relating to the current task. File sharing services make this sort of setup fairly easy to manage, but it is still easy enough even if you don't want to involve third parties in moving data between your devices.

Most other commonplace forms of loss or attack, such as theft of credentials due to a security breach at an online service, or theft of a locked device, should be limited in their consequences by some combination of encryption and 2FA. The outcome should be reduced to the drudgery of updating account credentials or resyncing 2FA tokens.

As noted at the outset, there is little here that will defend adequately against sophisticated groups with the resources to gain physical access to your machines, and place keyloggers, apply cold boot attacks, and so forth, or authorities that can simply arrest you and lock you up until you cooperate. This post also has little to say about privacy of communications; you will have to look elsewhere for resources on these topics.