October 15, 2020

Security hygiene for a small professional office

I was going to email these security hygiene recommendations to a lawyer setting up a new office but I realized that others would benefit too.   These recommendations are roughly in priority order.  See my other blog entries for more detail on many of these.

  1. Password manager: You and your employees and contractors should (really, must) use one, e.g., LastPass or 1Password.  For every important account, change its password to long (~30 chars) and random (and therefore unique) and store the password in the password manager.  Never reuse passwords.
  2. Second factor authentication (2FA): Enable it on all accounts where it's available.  The 6-digit Google Authenticator type (called TOTP) is better than SMS/text, but if only SMS/text is available, use it.  Google Authenticator is OK but it's better to use Authy as it installs on all your devices and makes device recovery much easier.  Enable 2FA on your password manager but read this first: Don't get locked out of your password manager.
  3. Security and privacy awareness training: Ensure that you and your employees and contractors are all very aware of: how social engineering in general, phishing, vishing, business email compromise, and other attacks work, and know how to be resistant; and privacy laws and their requirements for protecting and managing personal information.  Roll this out in concert with the password manager and 2FA, as they may require user training anyway.
  4. Email account security: Ensure all email accounts are really secure (long, random password and 2FA): if any email account gets hacked, the attacker (using password recovery mechanisms) can take over all other accounts that are tied to it.
  5. Data backup: Ensure your data is backed up to the cloud -- e.g., CrashPlan, Sync.com (ensure your plan has at least 180-day retention), or Backblaze -- and also backed up to an external drive.  Ensure the external drive has full disk encryption. 
  6. Device hardening: Ensure all devices are recent enough that they are still getting regular security updates; stop using any devices that are too old.  Put strong passwords/PINs on computers and mobile devices.  For Windows, make sure you have Windows 10 Pro and then turn on BitLocker, which is full disk encryption; for Macs, ensure File Vault 2 is encrypting your main drive.  On computers use quality security extensions on all browsers (e.g., HTTPS Everywhere, Privacy Badger, and uBlock Origin) and set the OS firewall to block all incoming traffic.  Don't plug in USB devices that have been out of your control.
  7. Cloud services: Be aware that most cloud services (Google Drive, OneDrive, Dropbox, iCloud, etc., many backup services, and almost all value-added services) store your data in such a way that if the service gets hacked, the attacker could get your data.  But there are services that store your data more securely, using end-to-end encryption, e.g., Sync.com and CrashPlan.
  8. File transfer security: Email by itself is not a secure way to send personal information or sensitive information.  Secure alternatives include encrypting files with 7-Zip (and AES encryption) before emailing them, using Sync.com to share folders (Team Shares) or files (set Enhanced Privacy and a password on the Link, and send the password some way other than email), or using an end-to-end encrypted messaging service like Signal.

October 14, 2020

Cybersecurity talk online at Community Futures Small Business Week

I'm honored to be speaking at the Small Business Week event hosted by the Okanagan Community Futures organizations.  It's a three-day online event, October 20 to 22.

My talk -- "Cybersecurity: The bare essentials to implement right now" -- will be in the afternoon of October 21, and will be aimed at small businesses and professionals.

August 31, 2020

Don't get locked out of your password manager

Let's say you're security conscious so you do all these reasonable things:

  • use a password manager such as LastPass
  • use a TOTP-type 2FA app/service such as Authy
  • have multiple devices so you have Authy synced between them all, using Authy's Backups Password
  • use a long random string as your Authy Backups Password, so you store it in LastPass (and of course can't remember it)
  • enable 2FA on LastPass using Authy.

Well, you've just created a cross-dependency between LastPass and Authy:

  • you can't log into LastPass without getting a 2FA code from Authy; and 
  • you can't log into Authy (meaning, connect it to the Authy online service) without getting your Authy Backups Password, which is stored in LastPass.
(Note that with LastPass, you can temporarily turn off 2FA via an email verification process; but you can't do this with 1Password.  To verify the 2FA disabling, you have to be able to sign into the email account that you've configured for recovery of LastPass.  So if that email account password is random and in LastPass, you have a different cross-dependency.)
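To make the cross-dependency concrete, here is an added example (not from the original post) that models each resource's alternative recovery sources and computes what you can still get back after losing a device.  Resource names, the "email-based 2FA disable" alternative from the note above, and the paper backup are constructed for the scenario described here.

```python
"""Recovery-dependency check for the LastPass/Authy cross-dependency.

Added example, not from the original post.  `sources` maps a resource to a
list of alternative ways to get it back (a list of sets); every item in one
set must already be available.  All names are constructed for this scenario.
"""


def recoverable(sources, have):
    """Fixed point: a resource becomes available once ALL items of ANY of its
    alternative source sets are available.  `have` is what survives losing
    or reinstalling the device (things memorised or held elsewhere)."""
    got = set(have)
    changed = True
    while changed:
        changed = False
        for res, alternatives in sources.items():
            if res not in got and any(alt <= got for alt in alternatives):
                got.add(res)
                changed = True
    return got


def locked_out(sources, have):
    """Resources that can never be recovered starting from `have`."""
    return sorted(set(sources) - recoverable(sources, have))


# Constructed scenario from the post: LastPass protected by Authy TOTP, the
# Authy Backups Password stored only in LastPass, and the LastPass recovery
# email's random password also stored only in LastPass.
SCENARIO = {
    "lastpass_vault": [
        {"lastpass_master_password", "authy_totp_code"},   # normal login
        {"lastpass_master_password", "email_account"},     # email-based 2FA disable
    ],
    "authy_totp_code": [{"authy_app"}],
    "authy_app": [{"authy_phone_number", "authy_backups_password"}],
    "authy_backups_password": [{"lastpass_vault"}],        # only in the vault
    "email_account": [{"lastpass_vault"}],                 # random pw, in the vault
}

# What you still have after your only device is lost or wiped.
AFTER_DEVICE_LOSS = {"lastpass_master_password", "authy_phone_number"}


def add_paper_backup(sources, *resources):
    """Scheme #1 from the post: the named secrets also live on a printed sheet,
    so the sheet becomes an alternative source for them (input is not mutated)."""
    fixed = {k: list(v) for k, v in sources.items()}
    for r in resources:
        fixed[r] = fixed.get(r, []) + [{"paper_backup"}]
    return fixed


if __name__ == "__main__":
    print("locked out of:", locked_out(SCENARIO, AFTER_DEVICE_LOSS))
    fixed = add_paper_backup(SCENARIO, "authy_backups_password")
    print("with the Backups Password on paper:",
          locked_out(fixed, AFTER_DEVICE_LOSS | {"paper_backup"}))
```

Run it and the first line lists every resource: nothing is reachable because each alternative for the vault loops back through the vault itself; putting just the Authy Backups Password on paper empties the list.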

What could go wrong?  

Everything is fine as long as your device is working normally.  LastPass remembers your 2FA code for quite a while (several months, maybe?) and Authy remembers your login (meaning, its connection to the online service) forever.

But if something happens -- your LastPass 2FA times out, you get logged out of Authy, either of these apps needs to be reinstalled, everything on your device needs to be reinstalled, etc. -- that's when you'll notice, and be bitten by, the cross-dependency.

(As a side note, it's always better to have LastPass and Authy installed and working on more than one device.  That way, if something goes wrong on one device, you can use one of your other devices instead.)

What can you do?

The best way around this cross-dependency is to have your important login-related information stored somewhere else.  I highly recommend that you have some other backup that doesn't depend in any way on LastPass or Authy or even your computer or mobile devices.  Think of it as a fail-safe or last-resort backup.

That other backup should contain critical information like:

  • userid/password for LastPass
  • userid/password for Authy
  • userid/password for Google or Apple (depending on your mobile devices)
  • userid/password for the email account you use to own/recover other accounts
  • userid/password for your cloud-based backup/sync service(s)
  • mobile device login PINs
  • computer login password
  • BitLocker recovery password (if you have a Windows computer)

But where?

 I have three suggestions for how/where to store that backup:

  1. Print it out on paper:
    • Keep a table of the critical login-related information in your accounts file and print it out on paper.  Yes, the old-fashioned flat white stuff.
    • If you can print it out without service names or userids -- so it's just a list of passwords -- that's even better (in case someone finds it or you lose it), but be absolutely certain that you could look at the page in a year and be able to figure out what each password is for, and that you'll remember what the userids are. 
    • You could compromise and include just the first letter of the service name beside each password; also include the userids (or a short form of them that you will recognize) if you're not absolutely sure you'll remember them.
    • Hide the page somewhere really good. 
    • Put an entry in your calendar to update and reprint the list every, say, 3 months.  At the same time refresh your memory on all the information that you haven't printed out (service name, userids, etc.).
  2. Store it on a full-drive encrypted USB flash drive:
    • VeraCrypt (https://www.veracrypt.fr/en/) is the best way I’m aware of to do this full-drive encryption.  It creates an encrypted virtual drive inside the flash drive.
    • With VeraCrypt you'll then have a completely standalone backup that you can decrypt on any computer in the world (after you download and install VeraCrypt on that computer). 
    • If you get a big enough flash drive, e.g., 256 MB, you can backup all your computer files there. 
    • The downside is that with VeraCrypt you'll have to choose and remember a(nother) password to encrypt/decrypt the virtual drive.  (Don't reuse an existing password for this -- create a new one.)
    • You don't need to hide the flash drive -- because you've chosen a strong password -- but putting it in a (supposedly) fireproof safe would be good.
    • Put an entry in your calendar to update the flash drive with your latest files every, say, 3 months. 
  3. Store it in a second LastPass account:
    • This is more complicated so may not be right for everyone.
    • Create a second LastPass account.
    • Don't enable 2FA on it so there is no cross-dependency with Authy or anything else.
    • The account needs to have (i.e., be owned by) a different email address, of course, but ideally choose an email address that you don't use for anything else, isn't publicly visible, and that no one else knows about.  You should probably create a new one just for this.
    • Choose a really strong password since there's no 2FA to provide additional protection for the account.

How to choose?

Here are some considerations when you're deciding which of the three schemes to go with:

  • Scheme #1 is the simplest, but it's potentially readable by an attacker, and it's at the mercy of local physical threats like fire, water damage from fire, theft, etc.  If you're traveling, the page is risky to bring along.
  • Scheme #2 has the benefit of backing up all your files at the same time (if you want), and can't be read if someone finds it, but it too is subject to some of the above local physical threats as well as to EMP.  :)  You can bring the flash drive with you when traveling.
  • Scheme #3 is in the cloud so is not subject to local physical threats, but it's dependent on a third-party.  It's also accessible over the Internet, just by knowing the userid and password -- both a benefit and a risk.  There's nothing you need to bring when traveling.

Availability (of your data, your systems, etc.) is a key pillar of information security, and resilience is necessary for availability.  If you implement one or more of these three fail-safe backup schemes, you’ll be a lot more resilient to the nasty shocks that can hit your digital life.

June 6, 2020

Cybersecurity Hygiene slides

Earlier this week I presented an information security talk via Zoom to the Okanagan Young Professionals Collective.  The OYP Collective is sponsored by the Central Okanagan Economic Development Commission (COEDC).

Unlike most of my talks this one was aimed entirely at individuals, although with a few pointers for small business too.  Of course all the security controls that I presented fully apply to businesses of all sizes.

Here is the PDF of my presentation. And this is the TL;DR in case you want to start taking action (and I hope you will):
  1. Ensure you/family/team are resistant to social engineering
  2. Get a password manager and stop typing your passwords
  3. Change all passwords to unique, starting with most important
  4. Get a TOTP authenticator and use it wherever supported
  5. Ensure your main email account is damned secure
  6. Back up your data (encrypted) to the cloud and locally
  7. Harden all your devices: updates, strong PINs/PWs, FDE, ...
  8. Train yourself/family/team on security & privacy, keep learning

May 25, 2020

Security hygiene general suggestions

I typed this up for a couple of clients and thought I'd share it here too.

1. Password manager: Get one and use it, and passwords, properly.  LastPass is a good one.  See:  https://www.gsharratt.com/2020/03/set-up-password-manager-nice-covid-19.html.  Using passwords properly includes never reusing them and using long random strings (e.g., 30 chars) for (almost) every password.  

1.a. With LastPass, set up Emergency Access to and from a trusted other person's LastPass account. 

2. Two-factor authentication: Start using Authy on important accounts.  See:  https://www.gsharratt.com/2020/03/set-up-password-manager-nice-covid-19.html

2.a. Set up 2FA for your password manager.  But see this first: https://www.gsharratt.com/2020/08/dont-get-locked-out.html

3. Background on Internet storage and backup (and zero knowledge):  https://www.gsharratt.com/2016/07/are-your-cloud-backup-and-storage.html

4. Backup: Use (zero knowledge) cloud backup if possible.  Best and most expensive is CrashPlan (see item #3 above), next is Backblaze (a bit less secure, a bit less expensive -- https://www.backblaze.com/), and next is Sync.com (not quite as good for backup but great for syncing files between devices -- see item #3 above).  This backup will run automatically always or every day (your choice) and you'll never have to think about backup again.  It's a good idea to keep doing your local monthly backup too.  (Sync gives you 5 GB for free.)

5. Strongly consider encrypting your computer drive and your backup drive.  Unless they are encrypted, if someone steals your computer or your backup drive, they can access all your data.  See the link just below.  File Vault 2 comes with Macs.  On Windows, BitLocker requires that you have Windows 10 Pro (not Home).  BitLocker also gives you encryption of external drives and flash drives.  Store your BitLocker recovery password in your password manager.

6. Make sure you have a strong PIN on your phone/tablet, 8+ digits, and turn on auto-wipe after 10 wrong guesses.

7. Make sure you have a strong password on your computer, 12+ characters and as random-looking as possible.

May 6, 2020

Set up TOTP two-factor authentication - another nice COVID-19 project

Now that you've all wisely used some of your pandemic spare time to start using a password manager – as recommended by my previous post -- it's time to move to the next step: using two-factor authentication.  This isn't as much fun as watching Netflix, but with a bit of learning and one-time effort, you can help avoid some pain in the future by reducing the chance of being hacked.  Instead of jumping to the punch line -- action to take -- I've tried to first explain why what I’m suggesting is important.  This is a long story but I've added some TL;DR summaries throughout to help make the material below more digestible.

If you always use your password manager to log into online services and if all your passwords are strong and unique, then:
  • your passwords won't be guessed or brute-forced,
  • your passwords won't be phished, and
  • if your password is part of a credential spill (an attacker breaks into an online service and steals the file containing all their users' userids and passwords), it (your password) probably won't be cracked (whereas weak passwords definitely will be). (If that service stored passwords properly, yours won't be cracked, but if not it could be. You have little control over this.)
Congratulations!  You've protected yourself from the biggest attacks: phishing and (most) credential spills.  Both of these can lead to account takeover not only of the service in question but also of multiple other accounts by way of credential stuffing, where an attacker tries a known userid-password combination on a large list of online services.  Most people – not you, of course – reuse passwords like there's no tomorrow, making credential stuffing a very worthwhile attack.

But what if you don't use your password manager religiously and are not disciplined with your passwords?  That is, you continue to:
  • use some weak passwords,
  • to reuse some passwords,
  • to not use your password manager for at least some accounts, and/or
  • to paste some passwords yourself into login forms
In that case you're still susceptible to phishing attacks and credential spills, so two-factor authentication (2FA) can provide you some additional protection.

Don't think, though, that by being very careful you can avoid the need for 2FA.  Even security professionals, who are vigilant with their practices and passwords, will generally use 2FA wherever it's offered by an online service.  They know that mistakes are easy to make and that defense in depth – having more than one security measure protecting something – is a very good idea.

(There is another type of attack: keyloggers, a form of malware (usually).  2FA might provide some protection against keyloggers, but in general, once a device of yours is compromised with malware, you're in big trouble no matter what you do. )

The bottom line is to always:
  • choose strong and unique passwords for your online services;
  • use a password manager to manage your account credentials (userids and passwords) and to autofill your credentials into login forms; and
  • use 2FA, on all services that support it.
TL;DR: Use 2FA on all your online services that support it.

That was a long-winded "why" that hopefully has convinced you that you need to use 2FA.  So now on to the "what".  We'll start with the difference between "two-factor authentication" (2FA) and another term you may have heard of, "two-step authentication" (2SA) (or "two-step verification", 2SV).

To substantially simplify the story, the "first factor" of authentication is usually your password -- something you know – and the "second factor" of authentication (2FA) is either a physical object whose ownership you can prove – something you have – or some biometric aspect of your body – something you are.  If instead of a second factor -- a physical object or a biometric -- you use some other input into authentication, that's called a "second step" of authentication (2SA).

A second factor is harder to compromise and so provides stronger protection than a second step, but the latter is often good enough and is always better than just using a password.  It's important to note that it's not always agreed on whether a particular thing is a second factor or a second step – so the difference is a continuum, not black and white. 
The rest of this post will use only the term 2FA, but in it I’m including the entire 2FA/2SA continuum.

By the way, you'll also see the term "multi-factor authentication" (MFA).  MFA is a more general term than 2FA in that all 2FA is MFA, but all MFA is not 2FA, because MFA encompasses more complex combinations of authentication inputs than 2FA does. This post deals with the simpler case of 2FA.

TL;DR: In general, use whatever is available on a particular online service, whether it's called 2FA, 2SA, 2SV, or MFA.  (I'll call it "2FA" below for simplicity.)

There is a wide range of types of 2FA used across online services.  Most services support only one type but some support more than one.  If you have a choice for a particular service, how do you know which to pick?
The types of 2FA can be ranked very roughly as follows, from most secure (#1) to least secure (#7):
  1. biometric (you likely won't see this for authenticating to online services since biometrics should not go to the cloud for security reasons)
  2. hardware token or security key (e.g., U2F, YubiKey)
  3. push verification (e.g., Google Prompt, Apple trusted device, Microsoft Authenticator)
  4. TOTP authenticator app (e.g., Google Authenticator, Authy)
  5. email verification
  6. SMS (text) verification
  7. phone call verification
If an online service gives you a choice, simply choose the type highest up the list.
The three types that you are most likely to be able to use are hardware token, push verification, and TOTP authenticator app.  Hardware tokens are very secure but not that convenient, because you need to always carry a physical token with you.  The push notification type is very secure but for consumers it is mostly limited to apps/services from companies like Google, Apple, and Microsoft.  The authenticator app type is much more widely available and is quite secure.  Authenticator apps typically generate 6-digit codes that change every 30 seconds, a scheme called Time-based One-Time Password (TOTP).

SMS and phone call 2FA are the least secure and should be avoided unless there is no other alternative.  Before you decide to use SMS or phone call 2FA, recognize that they won't work if you put a different SIM card in your phone when traveling.

With TOTP 2FA you're not invincible!  Be aware that using an authenticator app provides some but not complete protection from phishing, because TOTP codes can be phished (as with passwords).  Your combined best and most convenient protection against a range of threats is using a password manager and an authenticator app.

TL;DR: For most services, use a TOTP authenticator app to add 2FA.

There are, very roughly, a dozen different authenticator apps available on any OS platform, so how to choose one?  The great-grandparent is Google Authenticator, and most services, when they offer 2FA using an authenticator app, will use the term "Google Authenticator".  So most users will choose that app -- but you could choose any of the dozen apps available, because they all generate the same TOTP codes.

This list will help to explain the differences between the types of TOTP authenticator apps.  I've only shown the most popular ones.  (These "types" are my own cooked-up classification scheme.)
  • Type 1: Single-device, mobile only: Google Authenticator (see Note 1 below)
  • Type 2: Multi-device, mobile only: Microsoft Authenticator, LastPass Authenticator, 1Password Authenticator
  • Type 3: Multi-device, cross-platform: Authy
A Type 1 app is installed on a single mobile device (usually a phone), so if you lose that device or buy a new device, you need to go into every online service you had set up with it, to run through the 2FA recovery process to reconnect the service to a new device.  That's painful.

A Type 2 app is a great improvement in that the data is backed up to the cloud: so you can easily move your online services' use of 2FA over to another device.  But Type 2 apps are only available for mobile devices, which is an inconvenience.  

A Type 3 app backs up data to the cloud like Type 2 and is available on almost all mobile and desktop platforms.  With a Type 3 app you can install it on all your devices and access your TOTP codes from any device at any time.

Authy (https://authy.com/) is the only Type 3 app available and is my suggestion for most people (outside of enterprises) and most online services.  You can learn more about Authy and how to use it in this excellent article:  https://thewirecutter.com/reviews/best-two-factor-authentication-app/

Alternatively, the other four apps are fine to use as long as you understand their limitations.  In particular, the 1Password Authenticator -- because it's integrated into the 1Password service (which is arguably a negative for security) -- can't be used to provide 2FA for the 1Password service itself; so you'd still need to use another authenticator app, like Authy, for that.

TL;DR: Use Authy for services for which you want to use TOTP 2FA.

To use Authy, install the Authy app on all your devices (computers, phones, and tablets), set up a Backups Password using one Authy app, and enter that password into all the other Authy apps on all your devices, so that your Authy apps all sync with each other and your TOTP codes are available from all devices.  

Then, to add Authy 2FA for an online service, log into the online service on a computer and trigger the 2FA setup process.  This will display a QR code on your screen, and you'll use the Authy app on a phone or tablet to scan it.  The TOTP code for that online service will become immediately available in the Authy app on every one of your devices.

Authy is a zero-knowledge service, which means that all the 2FA data about your online services is stored in Authy's cloud service in such a way that Authy itself (or an attacker breaking into their cloud service) cannot access it – only you can – as long as you choose a strong Backups Password.  So, as you would for any password, choose a long random string and store it in your password manager.  

But – and this is important -- also store it somewhere else.  Or print it out and save the sheet somewhere secure.  Otherwise, you can paint yourself into a "recovery corner".  To wit: you'll use Authy 2FA to protect your password manager, so logging into your password manager is dependent on Authy; and you'll store the Authy Backups Password in your password manager, so reinstalling Authy is dependent on your password manager.  

Imagine that you then go traveling with only your phone and for some reason (loss, theft, failure, etc.) have to reinstall your apps (this is a type of recovery process).  Just knowing your password manager's master password won't be good enough (as it was before you added 2FA), and you'll be stuck in that recovery corner.  There are many ways to address this (I listed two above), but you need to pick one and implement it ahead of time.

A related issue: to create an Authy account you'll need to provide both an email address and a phone number; and for recovery purposes the phone number is the more important of the two.  Make sure that you have access to that phone number when you're traveling, in case you need to reinstall the Authy app.  If you normally get a local SIM card when you travel, make sure you take your home SIM card with you (if that's the phone number you used to set up your Authy account).  If you can, use a VoIP number for Authy instead of a cell number, and you'll avoid this issue -- a Google Voice number is a great choice.

TL;DR: Install Authy on all your devices; carefully choose which phone number to use; and plan ahead for recovery.

Finally, what online services should you use Authy with?  Once you start checking your accounts for 2FA or not, you'll notice that it's generally your important online services that offer 2FA, and the unimportant ones tend not to.  (By the way, this website offers a great way to quickly check on any online service's level of support for 2FA:  https://twofactorauth.org/)

So set up 2FA on all your online services that support it, but start the migration with your most important services – usually your password manager and your email accounts (and not your bank accounts as you might imagine).  Any email account that you use as the ownership email address (or the security email address) for any of your online services is very important to protect.  That's because if an attacker can take over such an email account, they can usually take over (using the password recovery process) any online service that is tied to that email address.

TL;DR: Set up Authy first on your password manager and main email account(s).

We're done! If you use a password manager and do so properly, if you set long random passwords on all (or at least your important) accounts, and if you set up 2FA (such as Authy) on all accounts that support it, you'll be resistant to many of today's online security threats, and way ahead of most people.

Note 1:  2020-05-07: Google has added an import/export feature to the Android version of Google Authenticator.  It's not the same functionality as Authy.  See: https://security.googleblog.com/2020/05/introducing-portability-of-google.html