In a continuation of my suite on threat modeling, this post will address email threat modeling specifically. Selecting an email provider (or set of email providers) can be difficult if privacy and security are your chief concerns. Gmail is abysmal when it comes to privacy, but even paid providers struggle to match its security. Selecting an email provider for sensitive communications should be done based on your threat model(s), and you may end up maintaining several accounts for different purposes. It is my hope that these threat models will provide some clarity into what threat(s) each email provider defends you against. I also hope this helps you choose a setup that you are comfortable with.
In Part I of this mini-series on Gmail Two Step Verification, we covered enabling two-factor with SMS messages. In today’s post we will delve into some additional options. These options offer some additional convenience and flexibility, as well as increased security.
Backup Codes: Backup codes are unique, 10-digit codes that can be used to gain access to your account if you lose your phone. This is a safety feature, and a fairly good one. After enabling two step verification you should generate these! To do so navigate back to your sign-in options (My Account >> Sign-in and security >> Two Step Verification). Scroll down to Backup Options. You have the option to choose a backup phone or create backup codes. If you wish to use a backup phone, ensure it belongs to a trusted party like your spouse. Otherwise, click “Backup codes”.
A pop-up will appear displaying your backup codes. You can print them, save them to a .txt file, or copy and paste them. I prefer to copy and paste them into the “Notes” section of my password manager entry. Regardless of where you choose to store them, they should be stored securely. An attacker can use these codes to gain access to your account.
Authenticator App: The next option we will look at is using an authenticator app rather than receiving SMS messages. Text messages work great, but may be less secure. If your phone account is hacked, the attacker can forward your messages (including your two-factor codes) to his phone. Also, if you are in an area with no reception or overseas, you will be unable to log into your account. Before you begin you need to install a two-factor authenticator app on your device that utilizes the TOTP (Time-based, One-Time Password) protocol. I recommend using Google Authenticator (Android, iOS) or Authy (Android, iOS). You are now ready to begin. To enable this feature log in to your account. Navigate to My Account >> Sign-in and security >> Two Step Verification. Just below your second factor (your phone) will be an option to “SET UP ADDITIONAL SECOND STEP”. Click this option and select “Authenticator app”.
The next screen will display a QR code that you must scan with your authenticator app.
At this point, open the app on your mobile device. For this example I used Google Authenticator but the process is similar for Authy. Tap “Begin Setup”. On the next screen tap “Scan Barcode”. It will request access to your camera; allow this. The app will scan the QR code which will add the account. Your phone’s screen should now display your second authentication factor.
Back in your browser, you will now be prompted to enter the code your app generated. This is to make sure everything was set up correctly. Enter the code and click “Verify”.
Gmail Two Step verification should now be set up with the app as your default second factor.
I am a strong proponent of two-factor authentication. It greatly reduces the chance of an attacker getting into your account. I have recommended it here on the blog, and in my books. Only recently did I realize I have not posted explicit instructions for how to set it up. Since Gmail is one of the most popular email providers today, I will begin with it. Using Gmail also has an additional benefit: it has almost every two-factor option possible. Learning on Gmail is a good way to learn how to set two-factor authentication generally. If you do not have a Gmail account, this would be a good reason to set one up – it is an excellent learning tool. This post will be a step-by-step tutorial for setting up Gmail Two Step Verification, and will be the first of four parts. This part will cover the basic setup. Part 2 will discuss some intermediate topics like backup codes and using Authenticator. Part 3 will discuss using the “Security Key” and revoking trusted machines. Part 4 will cover “App Passwords”.
To begin using Gmail Two Step Verification, log in to your Gmail account. Next, click your avatar in the upper-right corner of the interface and click the blue “My Account” button.
Gmail Two Step Verification requires that you provide a phone number. This will be used to send your verification codes. Enter your phone number on the next screen. Select text (SMS) message or voice calls. I recommend text messages unless you have a good reason for wanting voice verification.
After clicking “TURN ON”, Gmail Two Step Verification is enabled. When you log into your Gmail account you will be prompted to enter your username and password. Before being allowed into your inbox, you will also have to enter the one-time code that will be texted to you. Note the red box indicating “Don’t ask again on this computer”. You should uncheck this box on any computers you do not trust.
Stay tuned for Part II of this mini-series, where we will get into some more advanced features of Gmail Two Step Verification!
Today is going to be a little bit different than most because today I am going to ask you to spend a little money. Today’s task is to purchase a virtual private network service. A virtual private network (VPN) is one of those things that I just could not live without. After using one for so many years it feels like wearing a seatbelt – I can go on without it, but I’m going to have a nagging feeling the whole time.
So what exactly is a VPN? A VPN works like this: you install a program on your computer and smartphone. When activated the program will create an encrypted “tunnel” to a remote server, also owned and/or operated by the VPN provider. Your traffic will be encrypted to and from this remote server. This has two benefits:
- Security: If you are worried about your local traffic being captured and analyzed, worry no more. All of your traffic will be encrypted and protected from hackers, internet service providers, nosy owners of public Wi-Fi hotspots, and your company IT guy. Your VPN will also defeat trackers like Verizon’s supercookies. It is hard to overstate the security benefits of using a VPN, especially when you are connected to an untrusted network.
- Privacy: VPNs also offer you a great deal of privacy. When you connect to a VPN server your traffic appears to originate from that server. This means that websites that are attempting to track your physical location and browsing history (via your IP address) will have a much harder time doing so. Additionally, all your traffic that exits the VPN server exits alongside the traffic of other users, making it less distinct and not obviously yours.
Although there are tons of free VPN services available, there are lots of good reasons NOT to use a free virtual private network. Running a VPN service is expensive business with a lot of overhead, and free ones have to be financed in some way. Some free VPNs are little more than data collection mechanisms for gathering subscribers’ data. For example Facebook paid $120,000,000.00 for Onavo, a company that offers a free VPN and data compression app. One imagines Facebook did so to serve the needs of Facebook and will receive a return on that investment, probably in data collected from users. One free VPN even sold user bandwidth that was subsequently used in botnet and DDoS attacks.
The virtual private network service that I recommend is Private Internet Access. Private Internet Access (PIA) has a lot of things going for it that I really like. First, PIA has over 3,000 servers. Though you are only allowed to choose what region you would like to connect to (US Midwest, US Texas, US East, etc.) there are numerous servers in each “region”. This allows PIA to load balance so traffic is not slowed by heavy use on any single server. Next, PIA uses the OpenVPN encryption protocol which offers the best VPN encryption currently available. A single PIA subscription offers unlimited bandwidth and allows you to connect up to five devices simultaneously. This is enough for many small families to connect most of their devices with a single plan. Finally, PIA is extremely user friendly and available for Android, iOS, Mac OS X, and Windows devices.
To use Private Internet Access (or many other paid VPNs) follow the steps below:
- Purchase a subscription. A year is only $39.95 which averages out to $3.33 per month. You can pay for your PIA subscription with all major credit cards, PayPal, BitCoins, or even with major retailer gift cards. Have an old, half-used REI gift card from last Christmas? It’s probably worth at least a month or two of PIA service. After you have purchased a subscription you will be emailed your login credentials.
- Download the PIA app on your computer, phone, and other devices you wish to protect (I have previously written specifically about PIA for iOS).
- Enter your credentials on the app and connect. That’s it.
PIA does offer some advanced user settings, like the ability to change encryption, SHA, and handshake protocols as shown in the screen grab below, but the default options are solid.
FULL DISCLOSURE: this blog has an affiliate relationship with PIA. This means I receive a small commission for every subscription sold through this site. However, I do not push PIA because of this; I push PIA because I believe in the product and use it myself. There are numerous other VPN providers with which I could partner but I do not because they have yet to earn my trust. That being said, there are many very good, reputable VPN providers out there. If you are uncomfortable with PIA I encourage you to do your own research. Some other virtual private networks that I have experience with and would personally recommend (and DO NOT have an affiliate relationship with) include AirVPN, blackVPN, and CyberGhost.
This weekend’s project is to check up on your Wi-Fi security. This shouldn’t take you more than an hour or so, and you will have to reconnect all your devices to the internet. But once it is done correctly you shouldn’t have to go through the hassle again for a long time.
Login to your router: The first thing you will have to do is figure out how to get into your router’s settings. First this will require connecting to the router. Typically you connect by opening your web browser and typing the router’s IP address into the address bar. How you do this will depend on whether you own or rent your wireless router. Regardless of whether you own or rent, I recommend that you get an Ethernet cable to connect your computer and your router, because one setting we will change later will disable your ability to modify the router’s settings without being physically connected to it.
- Own: If you own your router and have never changed the login credentials, look the defaults up online. If you can’t find defaults for your router, you always have the option to reset the router totally by holding the reset button for 30 seconds (removing power won’t clear out the old settings). Links for default credentials and login IPs for the most popular home routers are:
- Rent: If you rent your router from your internet service provider, the management credentials are likely on a label on the router. If not, you may have to call your ISP to find the management credentials.
Once you have logged into the router you can begin modifying its settings. The specifics of each router’s menus will vary but the principles presented here should be available on all manufacturers’ products.
Change the management credentials: One of the first steps you should take is to change your router’s management credentials. This will prevent someone from connecting to it remotely, logging into it, and making changes to your settings, subverting your wi-fi security settings. Use your password manager to generate a good, strong password and store it there.
Disable remote management: Only do so at this point if you are connected via an Ethernet cable. If you are connected wirelessly you will not be able to make any further changes to the router. If you don’t have an Ethernet cable and don’t wish to buy one, save this step for last. If you do make this change prematurely, or wish to modify settings later, you can always reset the router back to defaults and start over.
Encrypt the signal: This is perhaps the most important setting you can change to increase your wi-fi security. Select WPA2 encryption. If your router does not support the WPA2 protocol consider upgrading it immediately.
Disable Wi-Fi Protected Setup (WPS): Wi-Fi Protected Setup allows you to quickly connect devices when you have physical access to the router. You press the button while a device is attempting to connect, and it connects. This works great in theory but in reality this protocol is broken (and has been for a long time) and can allow anyone to view your Wi-Fi traffic.
Change your SSID: Your SSID (your network’s visible name) should not leak information about you or your residence. It should be either generic or misleading. I would not want someone to drive up my driveway and be able to see my family’s last name by merely looking at the name of the Wi-Fi network. There are good arguments to be made for not using common network names. Your Wi-Fi network should not be super common, but it shouldn’t give away information about you, either. I also recently wrote about hiding your SSID as a Wi-Fi security measure. I leave it to you to come to your own conclusion.
One other thing to consider when naming your network: include the suffix “_nomap”. This will ensure that Google will not index your Wi-Fi network along with your home address. As an example, if your Wi-Fi network is “FamilyWiFi” change it to “FamilyWiFi_nomap”.
Today we have crossed a new landmark: after this task you have completed one-third of the Thirty-Day Security Challenge! Congratulations!
Yesterday we installed Mozilla Firefox. We made some changes to Firefox’s settings to evade online tracking and limit the browsing data that is stored locally on your device. Today we will increase Firefox’s security further by installing some security add-ons. Add-ons are small plug-ins that enhance an existing piece of software. To install these add-ons follow the link provided. On the resulting webpage click the green “Add to Firefox” button.
There is a slight chance that you have some other add-ons in Firefox already. You should think twice about these. They are probably not security add-ons. Add-ons like those from Amazon.com and Facebook do not enhance your privacy. Instead they give these services access to your browser. Consider removing any add-on that does not improve your privacy or security.
Better Privacy: This simple add-on is designed to delete flash cookies. Flash cookies, sometimes called Locally Shared Objects (LSOs) are more sophisticated than conventional cookies. Flash cookies allow much more detailed tracking of your online behavior. Better Privacy runs in the background when you close Firefox and deletes flash cookies from your browser.
Disconnect: Disconnect is an anti-tracking application. It is very lightweight and prevents websites from tracking your behavior and serving you certain requests. I like Disconnect because it is incredibly lightweight but still very capable. According to Disconnect your pages will load 27% faster when using the add-on. This is because tracking requests and ads consume bandwidth. When they are blocked this bandwidth is yours once again. Once Disconnect is installed you don’t have to do anything. Disconnect will silently protect you in the background.
HTTPS Everywhere: Many websites offer an encrypted (SSL) login page. Unfortunately, many of these pages revert to a plain-text connection after you have logged in. This can allow your ISP or a hacker to see what you are doing. To prevent this, HTTPS Everywhere attempts to force an encrypted connection during your entire session, on any website that is capable of a secure connection. HTTPS Everywhere is written by the Electronic Frontier Foundation (EFF), an advocacy group for online privacy.
Yesterday we began to shift our focus outward when we began changing online account passwords. Today we will continue this shift by installing Firefox and modifying some of its settings. Browser security and privacy settings play a big role in how easily websites can track you. Firefox gives you the maximum flexibility to control these settings to your benefit. It also has one other huge benefit that other browsers do not, and we will discuss this later tomorrow.
The first step in this process is to download Firefox if you do not already use it. Next, install the program on your computer. Once it is up and running, open “Preferences”. To access Preferences click on the “hamburger icon” in the upper left of the interface. The Preferences menu will have eight tabs listed down the left-hand side of your screen. This tutorial will only deal with those that are most relevant to improving your browser security and privacy.
Privacy Settings: This is where most of the real work will happen to increase browser security and privacy. First, under Tracking, uncheck the box labeled “Request that sites not track you”. Though checking this box would allow Firefox to send a Do Not Track request to websites, the sites you visit have no obligation to honor this request. I do recommend that you leave the Tracking Protection box checked. Tracking protection is provided by Disconnect, a company we will see again later this week.
Next, go to the History section. The changes made here are incredibly important. After modifying these settings, Firefox will not save anything between browsing sessions. This makes it much more difficult for sites to track your browsing behavior, and minimizes the browsing history that is stored locally on your computer. Under “Firefox will:” drop-down, select “Use custom settings for history”. This will allow you to choose exactly what Firefox “remembers” or purges when you close it. Choose the settings that mirror those shown in the image below.
Next, click the “Settings” outlined in red in the above image. This will open an additional dialogue allowing you to choose specific items to be purged when you close Firefox. I recommend that you check all of these options as shown below.
Security Settings: Set up these settings to mirror the image shown below. Be sure to check “Warn me when sites attempt to install add-ons” (add-ons will be discussed tomorrow). Uncheck both “Block reported attack sites” and “Block reported web forgeries”. Both of these protections require that your browsing data be available to Mozilla for review. I do not feel that this is in the best interest of your privacy.
Next, uncheck “Remember logins for sites” and “Use a master password”. Because we now use a password manager it is unnecessary for Firefox (or any other browser) to remember our logins. Firefox does not store this information securely. If you have used this feature in the past you may wish to click the “Saved Logins” button. This will allow you to view these logins and migrate them into your password manager. Once you have done so, delete all of them from Firefox.
Today you have taken huge steps to increase your internet browser security and privacy. Over the next two days we will take some additional steps to increase this even further, making you much more secure and private online.
A news story broke this week about a hack against the download site of Linux Mint (the official blog post is available here). Mint is a very popular, entry-level Linux operating system. The attacker hacked Mint’s site and redirected the download link to a modified version of the .iso file. The modified version had/has a backdoor installed via the Tsunami malware suite. This hack affected Linux Mint version 17.3/Cinnamon, but the backdoored version appears to have only been available for a short time. This is obviously bad news for anyone who downloaded and installed an affected version of this OS (17.3/Cinnamon), but there are some big-picture takeaways to be gleaned from this story. This is not just a story about Mint; it is also a story about file validation and the lack thereof.
- People don’t verify file integrity. Just a couple of weeks ago I posted about the importance of verifying file integrity, and I have written about file validation in my books. The attacks that would make one vulnerable to a tainted file may seem far-fetched, but this is a prolific, real-world example. Adding insult to injury, downloaded versions could have been clearly identified using a checksum or PGP signature. It is doubtful that many downloaders took the time to perform this step.
- It is *almost* understandable that they don’t. High-profile instances of attacks like these are incredibly rare. It is almost forgivable that people don’t validate file downloads before executing them. On the other hand the potential consequences of working on a compromised OS are grave. It is also worth pointing out that we have no idea how prolific NON-publicized instances of attacks like these are. Targeted, undiscovered, and hence un-publicized attacks of this nature are the ones that keep me up at night.
- The Mint team responded. Kind of. Sadly, the Linux Mint Blog responded officially to this incident by posting MD5 checksums (shown in the photo below). I have written about this before and hate to beat a dead horse but MD5 is insecure and should not be trusted for file validation. I’m glad they did something, but in the wake of an actual attack one would assume they would go to great lengths to verify file integrity in the future. MD5 is NOT “great lengths”, but rather a mild, half-hearted response. This is the most disappointing thing about this attack in my opinion.
My checksums will be updated this week to include SHA-256 and SHA-512 checksums for the affected version of Linux Mint.
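The check that would have flagged the swapped .iso, as an added example (not from the original post or the Linux Mint project): it hashes a download in chunks, compares the result with a published checksum line, and refuses an MD5 digest rather than trusting it. The file contents, file name and checksum lines are constructed samples.

```python
import hashlib
import hmac
import io

# Digest length in hex characters -> algorithm.
ACCEPTED = {64: "sha256", 128: "sha512"}
REJECTED = {32: "md5"}  # too weak to trust for file validation

# Constructed samples: a stand-in "download" and checksum lines in the
# "<hex digest>  <file name>" layout used by sha256sum-style files.
SAMPLE_DOWNLOAD = b"abc"
SAMPLE_SHA256_LINE = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  sample.iso"
)
SAMPLE_MD5_LINE = "900150983cd24fb0d6963f7d28e17f72  sample.iso"


def parse_checksum_line(line):
    """Split a published checksum line into (lowercase hex digest, file name)."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum line does not start with a hex digest")
    return digest, name.lstrip(" *")


def stream_digest(fileobj, algorithm, chunk_size=1 << 20):
    """Hash a binary file object in chunks so a multi-gigabyte .iso
    never has to fit in memory."""
    hasher = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        hasher.update(chunk)
    return hasher.hexdigest()


def verify_download(fileobj, published_line):
    """Return "ok", "mismatch" or "weak-algorithm" for one download."""
    expected, _name = parse_checksum_line(published_line)
    if len(expected) in REJECTED:
        # Do not even compute it: a matching MD5 proves too little.
        return "weak-algorithm"
    algorithm = ACCEPTED.get(len(expected))
    if algorithm is None:
        raise ValueError("unrecognised digest length: %d" % len(expected))
    actual = stream_digest(fileobj, algorithm)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    genuine = io.BytesIO(SAMPLE_DOWNLOAD)
    tampered = io.BytesIO(SAMPLE_DOWNLOAD + b"\x00")  # one extra byte
    print("genuine :", verify_download(genuine, SAMPLE_SHA256_LINE))
    print("tampered:", verify_download(tampered, SAMPLE_SHA256_LINE))
    print("md5 line:", verify_download(io.BytesIO(SAMPLE_DOWNLOAD), SAMPLE_MD5_LINE))
    # For a real file: with open(path, "rb") as f: verify_download(f, line)
```

A checksum only helps if it comes from somewhere the attacker does not control; one posted on the same compromised site can be swapped along with the file, which is the gap a PGP signature closes.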
If you read just about any article about Wi-Fi security the question of hiding/not hiding your Wi-Fi SSID (Service Set Identifier) will almost inevitably come up. The SSID is the Wi-Fi router’s “name”, and it is what you click on when you wish to connect to that network. Most of these articles will say that hiding your SSID is counterproductive as it will make you more interesting to a hacker. In full fairness, this also includes my own writing. In both the Windows 7 and iOS editions of Your Ultimate Security Guide I recommended NOT hiding your SSID. I had some reasoning for recommending this: in my estimation it amounts to profile elevation. Like sending a Do Not Track request to a website, a hidden SSID makes you more distinctive than everyone around you.
But does hiding your Wi-Fi SSID alone really make you a more attractive target? To quote the inimitable Ulysses Everett McGill of O Brother, Where Art Thou?, “it’s a fool who looks for logic in the chambers of the human heart.” To unequivocally say that an attacker will target you just because your SSID is hidden may not tell the whole story, or may simply be dead wrong. Criminals are not known for following the same set of mental processes that guide the actions of the average, law-abiding individual. Sure, it may make you the more interesting target because you may seem like the more challenging target. But just as equally, it may not. The hacker may be looking for soft, languorous targets. Or perhaps he or she is after a specific target that is not you.
I think the reason this is constantly brought up is that SSID hiding has been placed in the “security” category of features for Wi-Fi networks. I contend that this is not a security feature at all. Choosing not to broadcast your SSID is, in my opinion, merely a choice about how “noisy” you want your network to be. While hiding your SSID cannot protect you from Anonymous, it can do a few things. It can prevent your neighbors from seeing your network, and prevent kids in the waiting room at your practice from connecting to it. Again, it will absolutely not prevent a determined adversary from finding your network. There are various tools including inSSIDer and Kismet that will find these networks with ease.
My bottom line is this:
- Hiding your Wi-Fi SSID network is a personal preference that is essentially neutral as a security measure. It doesn’t necessarily make you less secure or a more attractive target, though it might based on factors that we can’t begin to model (i.e. human unpredictability).
- Hiding your SSID for security reasons is ineffective and an example of security-through-obscurity. If you are hiding your SSID as a security measure you should reconsider.
There are meaningful security measures you can take for your Wi-Fi network. The best and strongest of these is to ensure that your signal is encrypted with WPA2. The WPA2 protocol is actually very good (do not use WEP or WPA). It offers much, much more protection than silencing your Wi-Fi SSID. Another meaningful measure is to use a virtual private network; this will protect your traffic regardless of the security of your Wi-Fi. It will also protect it at a much deeper level, and provide you with a bunch of other benefits. We will delve much more deeply into Wi-Fi security in the upcoming Thirty-Day Security Challenge, so stay with me!
Signal Private Messenger is a free application, and my new favorite encrypted communication solution. Signal supports both voice and instant messaging (texting) in a single app. It is incredibly easy to use, and convince others to use. There is no complicated setup and no username or password to create and remember. This app is incredibly intuitive and resembles native phone and texting applications.
Signal uses your phone’s Wi-Fi or data connection. Signal has replaced the legacy RedPhone and TextSecure apps for Android and merged them into a single platform. To use Signal Private Messenger simply install the application. You will be prompted to enter your telephone number for verification. I have successfully used a Google Voice number for this, even though Signal specifically warns that GV numbers will not work. Full disclosure: I have also seen GV numbers fail. This is the ONLY reason for which I use a Google Voice number. I have no problem with this because the number is only used as an identifier and no data is sent through Google after the initial verification message. The app will verify the number by sending you a code that you must enter into the application. No other personal information is required or requested.
If you allow Signal Private Messenger to access your contacts it will identify the ones who have Signal installed. There is one slight downside to the way Signal identifies its users: in order for others to contact you via Signal they must have the telephone number you used to register the app in their contacts. This requires that you give out this number to others with whom you wish to use Signal. For this reason I recommend setting up a Google Voice number that is used only for Signal, and giving that number out to friends, family, and business contacts that are likely to use Signal (or be persuaded to), rather than giving out your real phone number. I will post in the future about why giving out your real phone number may be a bad idea.
Signal’s interface is almost disconcertingly simple. Tapping the “+” icon in the upper right of the interface displays a list of your contacts who have Signal installed. Tapping one of these contacts will open a new message to that contact. From there you can send a text message, photo, or video, or tap the handset icon to initiate a voice call. In the search bar on this screen you may input a telephone number, which Signal will then search to see if the number has the app installed. Once a call is initiated a more typical phone interface is displayed with some standard phone options to mute the call or use the phone’s speaker.
The call interface will also display two random words. The words displayed will change with each voice call but should match on both handsets involved in the call. These words are used to ensure the call is not being tampered with by a man-in-the-middle. If an attacker were to successfully get in the middle of a call each phone would display different authentication words. This is because each handset would establish a key with the attacker rather than the intended recipient’s handset. I recommend ALWAYS validating these words at the beginning of each conversation made over Signal. This is especially important before engaging in sensitive communications. The messaging portion of the application is likewise incredibly simple. Messages are composed and sent like they are in any other messaging application. Attaching a file is as simple as tapping the paperclip icon beside the compose pane. Signal also supports group messaging.
Signal is one of the best privacy-enhancing applications available (especially considering its cost) and I strongly encourage its use. Its encryption utilizes the “axolotl ratchet”, a system of perfect forward secrecy. Perfect forward secrecy means that each message is encrypted with a unique, ephemeral key. If one message is decrypted it has no impact on the others since each has a unique key.
As pointed out by the grugq, however, Signal does leak a great deal of metadata about you. This includes your contact list, who you talk to, and the frequency with which you talk to them. This metadata is certainly no worse than that generated by your normal telephone conversations. It is also not any worse than that created by other encrypted messaging applications. For this reason it may not be suitable for defeating certain threat models. For encrypting your day-to-day comms that would otherwise be made through insecure means, Signal is a major upgrade. Signal is funded by donations and grants, and much of the work in developing and maintaining the app is done by volunteers.