It is currently Tue Dec 03, 2024 9:47 am

How do you... you know... security?

If you have something technology-related to share and don't feel like cluttering up General Chat, post it here. Anything is fair game and anything highly technical is preferred.

How do you... you know... security?

Postby Zancarius » Fri Sep 11, 2015 12:14 am

I get this question rarely, or something very near to it, and from time to time I come up with different answers for different people. The reason for this, I believe, is because I'm torn between two responses. Do I provide the person asking the question with an answer for how they should do security, or are they trying to figure out how I do security for my own systems? Honestly, every time I'm asked, I can't really think of a good enough answer for that. It's always so dependent upon context, for one, and for two, it's probably a circumstance we've all encountered from time to time: Asking out of curiosity or for further information.

There's only one small problem regardless of the motive: What I do and what you do are two different things. It's not so much because of our relative experiences or where such experiences differ but by necessity. If you're not interested in understanding why certain things are more (or less) secure than others, what you choose to do is necessarily different from what I choose to do. Neither option is necessarily perfect (again, it depends on needs), but I do find the volume of misinformation out there to be somewhat surprising.

There's also some discussion to be made regarding the differences between risk avoidance and risk mitigation, but I'm not sure I want to derail this into a question of philosophy or start splitting hairs over semantics. The terms should be pretty obvious, and I'll preface this by saying that most of what security entails is almost always going to be mitigation rather than avoidance. You can avoid most threats easily, except for the unknowns, but it's the unseen and unknown threats that will nail you every time. Thus, this essay focuses mostly on practices I adhere to that are primarily mitigation (with some avoidance tossed in for good measure). But remember: Just because I do it doesn't mean you should, too!

Anyway, I'm reminded of this discussion because of an article I read almost two months ago outlining the differences between security experts and power users and how they behave versus regular users. After some reflection, I realize how much applies to me (no antivirus, religious patching, password managers). But I'm also acutely aware that the article itself is a bit link-baity (I guess that's a necessity these days, isn't it?). There needs to be an awful lot more subtext than the Ars Technica article provides, but I can't imagine delving into it while simultaneously keeping this already lengthy essay, well, slightly less lengthy.

So here's the rub. I don't "do" security the way you do. I never will. Likewise, you'll probably never do it the way I do. That's the nature of the beast. I don't think antiviruses are particularly effective tools anymore, they're too easily defeated, and oftentimes a deny-by-default policy truly is the best security. Though, I'm not sure I would recommend the average user go without one simply because antiviruses are good at helping prevent people from picking the poisonous low-hanging fruit off the malware tree.

My Security - What I do for me

First off, I don't always use Windows. I use Linux. Bonus points for being a member of an exceedingly small market share that's unlikely to be targeted simply on the merit of being a Linux desktop user. Well, with one exception: Linux servers are well sought after among the underworld, because they're usually on stable, always-on connections and are great for attackers' command-and-control infrastructure--so maybe those bonus points aren't all positive. Either way, I'm not going to run into the same risks a Windows user encounters in the wild. That's just the way the game works.

Second, I patch. A lot. I update, update, update, update, update. I try to keep up with the latest advisories, too, but failing that I find it's easier to stay up to date than spend a few hours researching things I don't have time for. Sure, software that affects me directly is usually something I pay attention to (as well as libraries), but anything else tends to be ignored or filed away for later use. Pre-emptive patching helps plug one of the primary vectors of attack, and this is heavily aided by the fact that I use Arch Linux, a rolling release distribution. As soon as new versions are available, Arch rolls out an update within a day or two. Another bonus point. Maybe a minus for the fact that new updates aren't always well behaved, sometimes break things, and may introduce new bugs.

I guess you trade one problem for another.

I also avoid questionable sites as best as possible. It's not easy to do, and it's not always plausible, but it's about the only advice I give others that I follow myself. Sometimes I have to examine a possibly infected site to determine if, in fact, it is infected, what it's infected with, and what mitigations are possible. For that, I usually use a virtual machine (some details here under VirtualBox).

Generally, I think browsing is a bit like sex: The best way to avoid catching a disease is to avoid screwing everything with two (or more) legs and a questionable disposition. Likewise, the best way to avoid malware is to avoid questionable sites. See? Easy!

Side note: In a hilarious twist of fate, some recent studies have found that porn sites are, on average, less likely to suffer from a malware infection than your average forum or news site. On the surface, it seems to be a startling revolution until you consider that it's exceedingly difficult to make money legitimately if you're infecting all of your clientele. Perhaps the bad reputation such sites had a decade ago has something to do with it, and as far as I know, it's only limited to "mainstream" high traffic sites. If you're into edgy stuff with Japanese tentacles or furry midgets, you're on your own (and I feel really bad for your browser... but that's another story).

Getting back to the primary thread of thought, I can't say that using Linux is necessarily the best (or only) way to use risk mitigation to your advantage. It's not always practical, and you guys know that I do use Windows from time to time anyway since (sadly) not everything is available on non-Windows platforms. For that purpose, the rest of what I do might be of interest to you since it's more applicable to Windows users.

Here's the kicker: I do roughly the same thing under Windows that I do in Linux. Why not, right? It works. Not even joking.

Windows 10 ships with Windows Defender enabled by default, and I have a confession to make. I hate it. It thrashes the disk, it scans literally everything it shouldn't be scanning at the worst possible time (oh, hey, Guild Wars 2 is taking forever to load, I wonder why...), and from my own experiences, Windows Defender is a mediocre antivirus package. But here's something you might find appalling: I don't use antivirus software anymore. It impacts disk throughput too much, often eats up far too much memory, and a bad update can peg a CPU core or two when you're trying to get something done. Even Avira has its terrible moments, and I've noticed it'll increase load times in GW2 by about a third or more. (Remember: The real time protection means that the antivirus hooks into the Windows executable and DLL loaders, scanning them in real time--so some data has to be read twice.)

So, I disable Windows Defender and run bareback. So to speak.

Unfortunately, the only way to turn off Windows Defender completely in Windows 10 is to use the group policy editor (winkey+r or start -> run if you can find your run menu and type "gpedit.msc"), navigate to Local Computer Policy / Administrative Templates / Windows Components / Windows Defender, double-click "turn off Windows Defender" and set the value to "enabled." There is literally no other way, short of installing other antivirus software, to disable Windows Defender. The PC settings dialog will only allow you to turn it off temporarily for a short time, but the group policy editor lets you disable it permanently.

Obviously, one of the shortcomings of not using antivirus software is that downloading third party software becomes a bit like Russian roulette. Everything out there could be a landmine, and it's true that without such protection, I'm one installer away from getting zinged. Strangely, I'm okay with that, because again--if you're careful with what you download and where you download it--your chance of getting zinged with something nefarious is almost nil. And if you're paranoid, you can just upload software you've downloaded to cloud scanning services like Virus Total, which scans binaries against 50+ antivirus packages currently on the market. I don't think anything more than that is necessary. Since I don't make a habit of installing everything I run into, I'm pretty happy with that option.

Another habit of mine that I can't recommend strongly enough is to install and use a good password manager like KeePass. The rationale here is that humans are absolutely terrible at remembering things exactly, unlike computers, and I would prefer to offload the cognitive effort to a tool that was almost purpose built for this sort of thing. Computers are insanely good at remembering everything you tell them, and they do so with startling accuracy. So why fight with it?

As I wrote in the other post about software, the biggest problem with passwords is that most passwords people are good at remembering are inherently bad because they're automatically weak. I guarantee you that the overwhelming majority of passwords most people use are this way: Things like "asdf," "abcd", "12345," or even colors like "purple" are extremely common passwords. Others use some permutation of their names, their logins, or similar. More enterprising individuals might use an algorithm that protects them from casual attacks but would be powerless if their algorithms were made public. Worse, in most password surveys I've seen, the average length is around 5 characters (not inches, characters, you dirty bastards). This is bad, because with less than 10,000 passwords a day, it wouldn't take much more than two or three weeks to crack such an account. It could even be done while flying under the radar by sending password requests once every 5, 10, or 15 seconds. And since not all sites log password failures, and not all sites throttle password failures, brute forcing suddenly becomes an option. More importantly, if you have access to the hashed passwords, many short passwords could be cracked in less than a week with modest hardware. (Unless it's Sony, in which case everything was stored in plain text--shameful!)

Add to that the fact that tons of software out there uses high speed known weak hashing algorithms like MD5 or SHA1, and you'll quickly see what I mean. Most forums software, and many PHP-based sites for that matter, use some permutation of MD5 and a salt. With around 10 characters or less, a couple of GPUs tied together running an MD5 cracker could easily go through a couple billion passwords a second--and probably several orders of magnitude more with much newer hardware. In general, anything around 8 characters or fewer can be completely brute forced when stored with a weak algorithm in about 5 days. As hardware progresses, this period is only going to shrink (if it hasn't already). The plus side is that developers are becoming better educated with regards to security, and many software packages are moving to stronger, more difficult to brute force algorithms like bcrypt. But not everyone is on board yet. phpBB has been using PHPASS for quite some time now which provides bcrypt as an option, but this wasn't always the case.

Which reminds me: When I next update phpBB, I may force a password change just to guarantee everyone has an updated, strongly hashed password.

So, until everyone adopts bcrypt, use a password manager. Actually, scratch that. Use a password manager regardless of the strength of the site's hashing algorithm. You should also create passwords of at least 16 characters in length (I recommend 20). The biggest obstacle you're likely to encounter when using generated passwords is that many sites refuse to use ones more than 16 characters, and I've even seen a few that won't accept anything over 12. However, if you're using a password manager, you can create a disposable password for that site matching their awful requirements, and if it's compromised, it won't affect any of your other accounts.

I have more information to share on the matter in this post, and the topic is certainly one of those ones that requires a much lengthier discussion than I'm willing to type out here. Maybe I'll save that for another day.

The next most important thing to do in Windows is something most people aren't willing to even try because they either don't know enough about it or they quickly get annoyed by the limitations it imposes. However, I can't stress this enough: Always create two users on your computer, at a minimum: One should be an administrative account, and the other should be your regular (unprivileged) user account. Your regular, every day knock-about account should only be created as a "standard user," no administrative access, and you should only elevate your privileges when you absolutely need to. Never log into your administrative account except to install software or change settings you can't gain access to otherwise. Yes, this is slightly inconvenient, but it does mean that if your standard user account is ever compromised, the damage it can do is fairly limited. Not all software likes to work under regular accounts, or sometimes it's buggy, but remember: We're talking about using your operating system responsibly. This means you're going to encounter some inconvenience along the way--a bit like having to remember to always lock your front door.

Thinking about it another way: If you're using an administrative account, sure, you have Windows' UAC popping up with that annoying prompt whenever an administrative action is needed. But here's the thing: It's trivial to bypass in software, and tons of malware does exactly that. With a standard account, Windows won't grant it permission until an administrative account is selected and a password is typed in. Of course, there are ways around that (local privilege escalation exploits, suckering the user to enter their credentials anyway, key loggers, the works...), but it certainly DOES protect you from most drive-by installers. It may not protect you from key loggers or trojans that run as you, but if you make a habit of downloading software containing those, there probably isn't much that can be done anyway short of buying a jar of Vaseline...

Finally, another thing I do in Windows: Patch, patch, patch, patch, patch! Keep a clean system, and update like crazy. Software in this day and age moves fast. Keep it updated. If you don't want to get caught with your pants down, the only way to avoid it is to buy a belt. Likewise, patch your software. Things like Adobe Flash are notorious for dozens of zero-day exploits, and patching isn't likely to help there, but if you keep it updated, you can at least mitigate the fallout that can occur when a particularly nasty bug gets spread around like flu in a daycare.

Oh, and one last tip that applies to both Windows and Linux. It's a controversial one for some, but I never leave home without it: Whenever I install Firefox or create a new profile (these days, I just migrate my profiles from one install to the next), I always, always, always install two extensions: NoScript and FlashBlock. With these two addons, you're mostly guaranteed to mitigate your attack surface via scripting attacks and Flash. It won't make your browser absolutely bullet proof, but it will definitely reduce the likelihood of an exploit taking you by surprise.

You'll notice I don't use (or recommend) AdBlockers. That's really for two reasons: One, I think they're far too bloated for what they do, and two, I actually do like to enable the ad sites on domains I frequent because I like free content (and three, in my experience, they don't always work). Enabling ads on sites seems to be an opinion that is in the minority these days since there's a huge push against online advertising, but since I don't want to pay a $3 monthly subscription for 100+ sites (that is, $3 per site), I'm okay with them getting ad revenue from me. Does this expose me to a slightly greater attack surface than if I blocked everything outright? Absolutely. But again, remember this: Security is about risk management (avoidance and mitigation) and you have to decide what risks you're willing to take.

So what would I recommend to other people? It depends on how savvy you are, how risk adverse you are, and how willing you are to take things into your own hands. But let's assume that you're none of the above: You just want to use a computer for gaming (or another purpose) and protect yourself without needing to know much more than strictly necessary.

Your recommendations

This is where it's highly contextual. I can't tell everyone what works best for them. So pick something you're comfortable with among the above and the following (below):

In most cases, if you're not especially savvy or you're generally afraid of downloading something malicious, I would recommend using a good antivirus package. Don't bother with Windows Defender (seriously). While it's certainly improved over the years, the real time monitoring commonly thrashes disks, and its detection engine isn't stellar. I've seen it miss a few obviously bad files from time to time where someone's computer quickly became infected while Defender was blissfully unaware. Instead, use Avira or AVG at a minimum. I can't really recommend most other commercial engines since most of them are bloated, and if it were up to me, I'd probably fork over the cash for a copy of Avira Pro. McAfee is garbage, as is Norton, and many others. I've heard reasonably good things from the one with the androids on the cover (ESET?) and paid-for versions of some of the other freebies, but for the most part, the antivirus world is a crap-shoot. Maybe even snake oil.

I'd also recommend segregating your user accounts as best as you can, but for most people that's impractical. I know users who would have freaked out if Windows ever asked for a password to another account just so they could install something ("I don't know who this 'administrator' guy is, but he keeps asking for a password--when I find him, I'm gonna..."). And in some cases, it's a trade off with convenience that people aren't willing to accept. In this industry, you trade convenience for security. Which is more important to you?

I'll even let you in on a little secret about me here: This is a trade off I wasn't willing to make with Windows until recently. Only with this last clean install of Windows 10 did I finally decide to do with Windows what I've been doing with Linux since I started using *nix-based OSes: Stay away from administrator accounts unless you need to do administrative things! It's easy under Linux. It's tough under Windows. I'm not gonna lie... Privilege separation "just works" in the Unix world. In Windows, it's a bit like bowling drunk.

(Granted, I've never been drunk, and I've only ever bowled once. I didn't like bowling, either, so let's just roll with the analogy even if it's terrible.)

Finally, the most pertinent advice I have for anyone regardless of experience level is the same thing you've heard time and time again: Don't go to questionable sites. If you can't avoid it, use a strong browser, use NoScript, use FlashBlock, or install a virtual machine to do your work in. It doesn't matter, just do something!

And lastly, be careful what you install. You might be surprised to know that the top ten downloads on C|Net's download.com have, from time to time, harbored malware, adware, or spyware. Even presumably trustworthy sites aren't always trustworthy, so the best bet is to simply play it safe. It's not hard to do, but it does take some planning.

Stay safe out there.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Re: How do you... you know... security?

Postby Zancarius » Fri Sep 11, 2015 3:03 pm

Updated and revised after realizing that writing when I'm tired doesn't always work out too well.

Also, if you have some practices you'd like to share or some questions for any of us, post them here!
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Re: How do you... you know... security?

Postby Zancarius » Mon Sep 14, 2015 11:13 pm

Along the lines of password managers, I ran into an interesting discussion today. Apparently some folks at the Blackhat conference are planning to release information about an "exploit" with LastPass, a browser-based password manager. I'll grant them that one of the primary weaknesses, and arguably the only one worth considering, with password managers is their inability to defend against weak master passwords or master passwords that have been compromised.

But that's not really the issue I take with this notion. My problem with this is that services like LastPass' premium (cloud-based) offering, and their browser extension in general, really go counter to the principles of isolation, or "siloing" your data. (This applies to Apples iCloud offerings, too.)

In short: If you concede control, you've lost control.

My advice is two-fold. First, don't use cloud-based password services. It's convenient, certainly, because you can easily share all of your passwords among every device. But by sharing them, by conceding control to a third party, you no longer have control of your passwords. The act of storing your passwords on systems you do not control (like the cloud) increases your attack surface, and all it takes is the compromise (or theft) of a single connected device to lose all of your carefully stored passwords.

Don't do this.

Second, if you're security conscious, you really ought to avoid browser-based password storage extensions. Indeed, you should avoid storing passwords in your browser period. Web browsers aren't like those we knew of 10-15 years ago, when they were relatively lightweight, and did one thing. Modern web browsers are essentially a pseudo-operating system, complete with their own extensions (or apps). While substantial effort has been made to improve security, preventing extensions from reading information they're not authorized to read, the truth is that once you've installed and run third party code you're already exposing your browser to a third party. It's inconvenient to have to load a separate application, copy that password, and paste it into a password field, but it's by and far the most security-conscious option.

It could be argued that password storage in-browser isn't much different from using a specialized application, because if your system is stolen, both of these systems would be presented with the same risk of theft. That's true, but it ignores the extensibility of modern browsers and their greater attack surface. Purpose-built applications with no networking code (except, perhaps, for version-checking) that do one and only one thing are inherently more secure.

Of course, if you have a laptop that's stolen, you have to assume that all of your passwords are already compromised. Any existing sessions you have active on websites, email, etc., will also be compromised. I'd delve into more detail, but I think that's a subject for separate discussion, though it does highlight the importance of risk mitigation. At a very minimum, users of password managers should keep a backup copy of their password archive on a USB drive, external backup, or elsewhere. In many cases, your source archive will remain secure for a short while (if the password cannot easily be brute-forced), and will provide you with enough information to determine which sites you've accessed, stored credentials for, and which will require changes to your old (now-stolen) password(s). With a password manager, the idea isn't so much to eliminate the risk of theft as much as it is to merely delay the would-be thief long enough to change and thus invalidate your stolen credentials.

Obviously, password managers have limited countermeasures at their disposal when physical access is a concern. It's important to be aware of this when selecting one, creating a password repository, and selecting a master password. Strong passwords may make it essentially impossible to break into your password archive (provided there are no known attacks against the key mechanisms used), but I'm reluctant to say that they completely eliminate the possibility. Technology will always be improving, and future advances in areas like quantum cryptography may serve to weaken the overall key space of a given cipher algorithm. No matter how you store your passwords, I think it's important to plan ahead, and be prepared to reset your most important credentials should they be stolen.

TL;DR: Don't use cloud password storage, shy away from browser extensions that do the same thing, don't store your passwords in the browser period, and try to use a stand alone application for password management. Also, keep backups, and plan ahead for contingencies in case your archives are compromised.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male


Return to Technology Lounge

Who is online

Users browsing this forum: No registered users and 3 guests

cron