Internet security practices have changed a lot in the 25+ years I’ve been around these parts, but one thing will always hold true: People are lazy! Even if you’re not lazy, anyone can make a mistake, especially if they don’t think it is one. It’s not even about being lazy in most cases, it’s just human nature to balance convenience and efficiency for day-to-day tasks.
Any time someone can get away with minimal effort, they probably will if there’s no perceivable risk. We can see this most drastically looking back to 2009 with the RockYou data breach. In this data breach, you can see two glaring issues: the company incorrectly stored user data, including passwords, as plain text, and users used incredibly insecure passwords such as 123456, 111111, password, qwerty, etc. because they were easy.
Now, these days we have most companies enforcing minimum security practices like requiring upper / lower case letters, a number, and maybe a symbol if you’re lucky, and many users are starting to take security more seriously. That’s great in theory, but trust me when I say, I’ve seen my fair share of “Password1!” out in the wild, and there are still reports of unencrypted user data being leaked to the public quite frequently. On top of that, let’s hope the company is the one to tell you about it and not the news outlets, but what can you even do about companies losing our data? Your best option is to try and minimize the splash and limit any collateral damage by practicing good security habits.
Here are some quick links to the topics that we’ll dig into below to help you make some decisions:
- Security Self-Assessments
- Password Security
- Two-factor / Multi-factor Authentication
- Limiting Your Digital Footprint
- Choices I’ve Made & What I’d Do Differently
1. Security Self-Assessments (e.g. Are you a target?)
As much as nobody wants to be a nobody, you have to consider who you are. Are you a high value target? Are you just a normal person using the internet? I know this sounds harsh, and don’t get me wrong: everyone has something to gain, lose, and be exploited over. Sometimes you can even just be low-hanging fruit for some threat actor under the right circumstances. There is an epidemic of scam emails and calls that usually end up targeting the elderly or technically illiterate, but chances are that’s not who is reading this post. Some of those scams can be circumvented with methods from this post, but in general don’t click / download / open anything and don’t hand over your login details and you’ll be safe from them.
On the other hand, if you work for some Fortune 500, Government Agency, or have a high-profile job title, you may find yourself targeted more often and by more dangerous threat actors. Usually these companies will have tighter security practices and force them on the users, but as we established in the beginning, people are lazy and make mistakes. A very prominent example of this is with the recent breach at LastPass, a password management company that is all about account security.
In August of 2022, a DevOps Engineer had their home computer compromised, which led to a data breach at the company because he was using his personal computer to access work-related services. To think, someone well versed in everything covered here, and more, succumbed to the very thing the company is working to negate. It can happen to anyone. Here’s the catch to the story… they were a high value target, not some random user who had nothing to lose, purposefully targeted because of their company, because of their position, and what they had access to at work. A vulnerability in unrelated software that the employee happened to be using was exploited. The Darknet Diaries podcast has a great episode about the LinkedIn password leak from 2012 which has some pretty haunting parallels to the LastPass incident. It can get a bit technical at times, but they give a lot of insight into security incidents and the world we live in.
In most cases, you just need to try and avoid getting caught in wide-cast nets from low-effort attacks, unless you are in a position where you might be a target, but it’s important to know where you stand and what precautions you need to be taking. That said, it never hurts to be more secure than you need to be, as long as it’s not excessively inconvenient to your everyday life and activities.
2. Password Security / Password Managers
I get it, I just got through saying a major password management service got breached, and they were even using two-factor authentication (we’ll get there later, hang in there). It doesn’t inspire confidence in these services. I feel you on this, I was a LastPass user and recently made the switch to BitWarden because of a bad track record of incidents by LastPass. In this case, as far as we’ve been informed, everything was encrypted and in most cases there shouldn’t be any worry. Plus, you change your password every 30-90 days anyway, right? …Right?
This is another case where users can end up being at fault: you really need to change your passwords regularly. That limits the liability of leaks like this where data is encrypted and may take time to crack (in the cases where it’s theoretically possible). I’m not perfect about this either; although I’m making the effort to correct this as much as possible, I have my fair share of old and reused passwords and I’m not good about changing them either. All things considered, I’m a fairly low value target, so I’m not worried about the accounts that are affected, but I’m chipping away at resetting passwords.
Let’s talk about your options for password managers.
- LastPass – We’ve established I wouldn’t recommend LastPass anymore. I love their services and apps, they’re incredibly feature rich, but between the security concerns and cutting features and functionality from free accounts, you should look elsewhere.
- BitWarden – My personal choice at the moment. I originally chose it because they have the option and I was going to self-host a server on my home network. At the end of the day I used their online services because it was more convenient, they tend to be more technically oriented for those who are knowledgeable or are “Power Users”, but overall I haven’t had any complaints so far.
- 1Password – Another solid choice that’s an online service, I don’t have much input on their services as I have not used them, but they seem to have a good security track record and I would feel safe using them.
- KeePass – Different from the other options on this list, this is a file-based and local option, but I would argue this may be too advanced for most people. It requires you to deal with files, syncing, backups, multiple third-party apps / programs to deal with different features, and a lot of manual configuration. It’s perfectly usable on a basic level, but if used incorrectly it has a much higher threshold for user error. I use it as a backup for my password vault and some other use cases I’ll get into later, but overall I would not recommend it for most people.
3. Two-factor / Multi-factor Authentication Options
Here’s where it starts to get more complicated… password managers are pretty straightforward. Sign up, enter passwords, use a browser extension or app to log in. EVERYWHERE has passwords, that’s just how it works. The problem with two-factor authentication (2fa) or multi-factor authentication (mfa) is the options aren’t always clear and not every company / website will have what you intend to use, if any at all! To be clear, mfa uses the same authentication types as 2fa, just more of them, and the term is used instead of saying 3fa, 4fa, etc.
You have a few kinds of 2fa options:
- SMS / Phone Verification
- Email Verification
- App based authentication (Authy, Duo, Google authenticator, Microsoft authenticator, Yubico authenticator)
- Hardware security keys (Yubikey)
You’re probably most familiar with SMS (text) verification, where you get a code texted to you and you enter it to be able to log in. It’s better than nothing, but definitely the most insecure option in most cases. Here’s another good Darknet Diaries episode that talks about SIM-swapping. It’s less common a problem these days, but it’s still a real threat and should be considered.
Email verification is better, as long as you’re being good about your password security, but if you are reusing passwords or your email is compromised then it won’t make a difference. If you’re using a service that only offers email or SMS, make sure your password security is good and go with email verification.
App based authentication is a good choice when it’s available, but not everywhere supports it. 2fa.directory is a cool site that has a list of many websites and companies and shows what 2fa options they provide. The problem is, many of them only support SMS and email (if that), even banks! If it’s available, they’re a good option, but you need to make sure to keep your backup codes safe in case you no longer have access to the app. See what fits your needs and requirements the best, but most of the apps are the same. Duo and Authy have cloud backups for their app, which is nice, as does LastPass but I still cannot recommend them. The other option is the Yubico Authenticator, which is more unique, but let’s establish what a Yubikey is before getting into how their authenticator app works.
The Yubikey is a hardware security key that, depending on the configuration you select, supports different USB types, NFC tap, biometrics, etc., and you can check out your options and the pricing over on their store page. These are filled to the brim with cool technologies, but we’ll just look at the more common ones. Back to the Yubico Authenticator app, which uses the Yubikey to store the 2fa data instead of within the app or in online backups, so you can use it across multiple platforms, without an account. This could be seen as a pro or a con depending on your perspective, but I’d rather have my data in my hand than in the cloud. Just like the other options, you have backup codes, but another unique feature is you can set up multiple keys with the same codes. You can keep one with you, and another one in a safe place in case one is lost, or multiple people can access the accounts.
Some sites also support the Yubikey itself as a form of 2fa without the need of an app, just log in and you’ll be prompted to plug in the key and follow the instructions to authenticate. Some sites even support a passwordless login with the keys, but those are rare at this point in time. You can also use it to log into and lock down a computer so it can’t be used without it.
The last feature for the Yubikey I’ll put here is the option for a “static password” to be stored on the key. In addition to the one-time passwords used to authenticate into accounts that come standard with the key, the static password is configured in the Yubikey Manager program and you can enter or generate a password that will always trigger the same output. Using this, you can use it by itself for a specific account or combo it with other passwords for even more security! In this way, even if your password manager was compromised, they might only have part of the password if the Yubikey holds the other half.
As of early 2023, the price for Yubikeys has increased and starts at $50 per key, which makes this a harder option to get into. You really should buy two of these if you’re going to use them, since having a backup is highly recommended in case you lose one. It may be worth waiting for some kind of sale unless you feel you really need to set these up. One big note here: make sure you’re buying genuine keys, and check them with the verification tool on the Yubico website before you use them.
There are other security keys that aren’t from Yubico, but information and coverage on these products is hard to find. If you were going to go with a hardware security key, I’d recommend sticking with Yubico until this kind of platform is more mature.
A very important note: make sure to disable any 2fa options you don’t intend to use on an account, otherwise they can become a security risk. You could have 2fa apps and a Yubikey, but if email or SMS verification is enabled on your account, the authentication apps and Yubikeys can be bypassed in most cases.
4. Limiting Your Digital Footprint
In general, it’s good to limit the exposure of your personal information as much as possible. This is Internet Safety 101, but with the popularity of social media platforms, some people tend to forget, overlook, or just don’t know. It can compromise your security questions, make it easier to track you and find you online, and even help compromise passwords in some cases.
Unfortunately, with most services having online portals, logins, etc. there’s not much you can do to avoid it these days. One practice that I have is I don’t add my banking or financial passwords to my online password manager and wherever possible avoid using first and last names in the username where an email is not being used.
Having your name as your email address in some form or another is more professional, but using it as a primary address is also a security risk in some ways; it definitely gets more eyes on it than something random or generic. I get 15-20 spam emails a day because of the firstname+lastname configuration of my primary email, and I find that my other emails don’t tend to have that problem quite as heavily.
5. Choices I’ve Made & What I’d Do Differently
When I started my setup, it was a lot different than it is now. It’s one of the reasons I used LastPass, have a couple of Yubikeys, and 25-year-old habits that I’m still trying to break. Like I said at the beginning, people are lazy, and I’m no exception. Right now, this is my current setup:
- 2 Yubikeys
- Yubico Authenticator
- BitWarden Password Manager (autofill off)
- Apricorn Aegis 3Z Flash Drive as sort of a “cold storage” backup
- Keepass to keep more sensitive passwords, backup codes, and as a Bitwarden vault backup
If I was starting over fresh, what would I do? I’d keep most of it the same, but probably skip the Yubikeys and go with something like Duo or Authy that has cloud backups for my authenticator. I don’t utilize a lot of the features on my Yubikey at this time, combined with the fact that support for it is still so limited. I bought mine before the price increase, but I don’t think I’d want to drop the $100 on a pair if I didn’t already have them.
I like my Apricorn USB drive, but it wasn’t a necessary purchase, and comes with some caveats like having to make sure it gets charged every 90 days. If you did a lot of traveling or needed secure access to your files frequently, it might be nice to have something a bit more secure, robust, and waterproof, but overall it may be better to encrypt a cheap flash drive so it’s easier to copy and transfer as needed. You really shouldn’t use a USB drive as a long term backup anyway, but it’s an option. Here’s a cool video about some other gadgets you might find interesting. I’m not a cryptocurrency guy, but the cold storage wallets are a nice idea as well.
Security is inconvenient, but very necessary in our modern world. This is just an overview of a lot of products and practices, but if you’d like to discuss more about it or have me go in depth with some specific products, let me know!
I’ll be coming back and updating this as I have time and have more thoughts, but for now that’s my take on the matter.
-Matt