May 20, 2018

Online threats, risks, and mitigations

Have you wondered exactly how security risks arise on the Internet and what you can do about them? Here is a short summary of the more common threats, the risks that they cause, and mitigations for those risks.

For a bit more how-to information, see my previous blog post: Core security advice for general users

General notes:
  • Most of the risks listed below can lead to theft of data, identity theft, financial theft, impersonation, takeover of your accounts, your dog running away, etc. 
  • "Long, random, unique passwords": This means that each password is truly random, at least, say, 25 characters long, and is never used for more than one site. The only way to do this is to use a password manager. Use a stand-alone password manager, not one built into your browser. 
  • "Zero knowledge" service: The service is designed so that your data is encrypted on your device before it leaves the device for the cloud, and the encryption key used is never sent to the cloud. In this way, if your (encrypted) files in the cloud are stolen, they will be unreadable by the attacker. 
  • Multi-factor authentication (MFA): These are the common second-factor options, from most secure to least secure: 
  1. Cryptographically strong, e.g., U2F 
  2. TOTP (e.g., Google Authenticator, Authy), HOTP 
  3. Email 
  4. SMS, phone call 
  • Be aware that it's possible to phish a TOTP code, although this is a lot harder than phishing a password. 
  • "Pay attention!" is good advice all the time.

| Threat (you can't control this) | Risk (what can happen to you) | Mitigation (you control this = what you can do) |
|---|---|---|
| Theft of your device: computer, tablet, phone, etc. | Theft of all data on the device | Full device encryption (full disk encryption); strong password or PIN; set auto-erase after ~10 incorrect guesses |
| Phishing to a website with a name similar to the real one; the attack vector is often email | Theft of credentials and other personal data via the fake website | Pay attention! Always fill your credentials on a webpage using your password manager (instead of typing them in): it will refuse to fill your credentials into invalid domains. MFA: if you (foolishly) paste your credentials into the site, an attacker still won't have your second factor (e.g., TOTP code). |
| Phishing to a website with an internationalized domain name (IDN) homograph name (see IDN homograph attack); the attack vector is often email | Theft of credentials and other personal data via the fake website | As just above, plus: Chrome browser: built in, no action required + Pay attention! Firefox browser: in about:config set network.IDN_show_punycode to true + Pay attention! |
| Password guessing on weak passwords | Theft of all data in the cloud service | Long, random passwords (which are infeasible to guess); MFA |
| Theft of credentials from an Internet service provider (SP), e.g., via a break-in to the SP's network | Case 1: the SP stores the credentials properly (hashed and salted, etc.): the attacker breaks the (easy-to-break) hashed passwords, then uses them on that site and others (because people reuse passwords between sites) | Long, random passwords (which are infeasible to break); MFA (although the attacker might have MFA data too, e.g., the TOTP seed) |
| Theft of credentials from an Internet SP, as above | Case 2: the SP doesn't store the credentials properly: the attacker retrieves the passwords, then uses them on that site and other sites (because people reuse passwords between sites) | Unique passwords; MFA (although the attacker might have MFA data too, e.g., the TOTP seed) |
| Theft of personal data directly from an Internet SP providing cloud storage, backup, etc., e.g., via a break-in to the SP's network | Theft of all data in the cloud service | Use zero knowledge services (instead of non-zero-knowledge services); long, random passwords (which create strong encryption keys) |
| Various threats above (phishing, password guessing, theft of credentials from an Internet SP, etc.) | Takeover of your email account, then takeover of all accounts that use that email account as the owner/recovery email address | Use an email provider that pays attention to security; use a different (second) email address as the ownership/recovery email address for all your important accounts, instead of your regular email address; long, random, unique passwords; MFA |
| Various threats from browsers | Malware in ads, various risks from open networks (e.g., open Wi-Fi), etc. | Use security-type browser extensions such as HTTPS Everywhere, uBlock Origin, and Privacy Badger. |
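
As an added example that is not part of the original post: the two checks behind the "password manager refuses to fill into invalid domains" and IDN homograph rows above, written in Python. The exact-host-or-subdomain policy and the mixed-script heuristic are my assumptions about how such a check is built, not any particular password manager's implementation; it takes hostnames, not full URLs, and the sample hosts are constructed.

```python
import unicodedata


def to_ascii(host):
    """Render a hostname as it goes on the wire: IDN labels become punycode (xn--...)."""
    return host.strip().rstrip(".").encode("idna").decode("ascii").lower()


def scripts_in_label(label):
    """Approximate each letter's script by the first word of its Unicode name,
    e.g. "LATIN SMALL LETTER A" -> LATIN, "CYRILLIC SMALL LETTER A" -> CYRILLIC."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(host):
    """True if any label mixes scripts (the classic homograph pattern, e.g. Latin + Cyrillic)."""
    return any(len(scripts_in_label(label)) > 1 for label in host.split("."))


def should_fill(saved_host, page_host):
    """Decide whether credentials saved for saved_host may be filled into page_host.
    Returns (decision, reason). Assumed policy: fill only into the exact host or a
    subdomain of it, compared in punycode form, and never into a mixed-script label."""
    if is_mixed_script(page_host):
        return False, "refused: mixed-script label (possible IDN homograph)"
    saved, page = to_ascii(saved_host), to_ascii(page_host)
    if page == saved:
        return True, "exact match"
    if page.endswith("." + saved):
        return True, "subdomain of saved host"
    return False, "refused: domain mismatch ({} is not {})".format(page, saved)


if __name__ == "__main__":
    # Constructed sample hosts; the third uses a Cyrillic a (U+0430) in place of the Latin a.
    for page in ["example.com", "login.example.com", "ex\u0430mple.com",
                 "example.com.evil-login.test", "examp1e.com"]:
        ok, why = should_fill("example.com", page)
        print("{:<32} -> {!s:<5} {} (wire form: {})".format(page, ok, why, to_ascii(page)))
```

A fully Cyrillic lookalike label is not mixed-script, but it still fails the punycode comparison, which is why the decision is made on the wire form rather than on what the address bar displays.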