Tim's Blog

Information, Technology, Security, and other stuff.

Protecting Your Network

Published 2015-01-30

Have you considered how your data would be compromised?

What would an attacker need to do to take over your accounts? Your identity?

What about getting into your home network? How hard would it really be for them?

Probably pretty easy.

Yeah, we can apply good practices for our accounts. We can throw on Multi-Factor Authentication Technologies. We can use strong randomly generated passwords so they can't be looked up in Hash tables. We can run Antivirus software. We can run Firewalls.

From an Enterprise network perspective we get even more tools available, but even more vectors of attack.

In the end, you need to remind yourself that somebody ~~may~~ will get past all of those layers. Never trust that a system is protected. A perimeter can always be broken, given enough time and determination.

Even Multi-Factor Authentication can be circumvented by attackers using social engineering to get phone numbers transferred to different SIMs under their control. Shudder in the realisation that you're not really safe at all. And anything encrypted isn't safe forever. Sure, AES256 may be currently safe from compromise for now, it won't be in the future. It's computationally hard, but not impossible.

And of course, attackers won't try to break the algorithms. They just try to attack the systems creating & accessing the encrypted files.

So apply the mindset of making it hard to get to your data. Take comfort in making it really hard. So hard that it's not worth it, even to those with near-unlimited resources.

I've slowly constructed a system of protecting my accounts and machines. But recently I started to question how safe it truly is, so I've come up with a few practices/ideas to try to mitigate some of this risk.

Protect your Email

For almost everyone, email is the key entry point for compromise.

A malicious user gets a hold of an email account, and they've got every other account associated with that email address. All an attacker needs to do is request a password reset (forgotten password) through a service (like Facebook, Twitter) and it's over. They key to that account is now owned by them, and they can usually change the address that all future password resets are sent to to ensure you really can't get back into it.

Yeah, sure, some services will alert the account holder to a compromise via an SMS or emailing a secondary address. But what if it's too late? What happens if you get the notification on your phone at 1AM, and you don't see anything until 8AM? An attacker has had a field day in those few hours of glorious slumber you've been having, and by the time you realise something's up they've taken over everything and gotten whatever valuable piece of information they're after.

Layered Email

Safety from attacks on email isn't something we can really fix until the problem of associating email addresses with identities is solved. But we can work with what options we have available now. For one, Email Providers like Google or Microsoft will offer an email pulling service to get email from old accounts that you may have. You can leverage this to your advantage.

Create a bunch of email addresses (with a random password generator to better protect the accounts) and then have all the email pulled into your main account. Try to operate a different address for each account type you need as much as possible. At a minimum do it for your more valuable accounts.

Now you will have layers of accounts that attackers need to traverse through, significantly increasing the difficulty in compromising your identity.

Make sure you pull, not push, as then there's no blatant clues as to where the email is going once it arrives in the throwaway address. And of course make sure the email pulled is deleted from the source, so that it's always empty. If it's deleted, then you can be assured that there's then only a small window of opportunity for those emails sitting there to be exposed.

Keep Your Identity Email Address a Secret

This is pretty hard to do, but if you can keep your "identity" email address a secret, then you'll add another layer of difficulty to an attacker.

This may be impossible to do after a while, but ideally you want to at least keep that address away from your high-profile targets. People with desirable twitter accounts or domain names should be practising this.

At a bare minimum, it's best at least to separate your email accounts into two: An identity account and a correspondence account.

Use a Password Manager

Password managers aren't perfect, but they're better than trying to remember passwords yourself. Just like most security solutions, it's a layer of protection, not a silver bullet.

A password manager offers an additional risk of being a central point of failure, so you need to keep safe from that. Ensure you keep an alternative process to get to the passwords offline, or if you have lost your machine. Most password manager products will offer an offline mode, and a way to export your passwords into an offline file (if you're using a cloud solution).

I also like to make things harder for attackers by never letting my Password Managers "remember" the master password. It can get frustrating to have to put it in each time I boot my machine, but at least I have the piece of mind that it won't be captured by somebody finding a way to start up my machine.

Encrypt your Drives

I wish this was an opt-out thing with computers now.

Turn on whatever encryption product is available. They're free with Operating Systems like Windows (BitLocker) and OSX (FileVault). Sure, you can argue that they can't be trusted because the source is not available or a back-door has been engineered into it, but that shouldn't be your concern. Worry about the thief who steals your laptop.

Make sure as well that the Operating System drive is encrypted. If someone is knowing what they're doing, then they may be able to recover encryption keys for external drives from the unencrypted OS. Better safe than sorry.

Just like the Password Managers, make sure you have to put your password in to unlock the drive. I keep my desktop and server requiring their passwords to boot, so as soon as they're turned off they're effectively useless to a thief.

I don't like the TPM-based mode of Bitlocker, as it just unlocks the drive automatically as long as the hardware doesn't change. I don't really get the point in that, as the machine can then be attacked once its booted.

Own your Keys

Yeah, those cloud encryption services may be great for convenience, but if the provider is managing your keys for you, then you might as well not bother having it at all. All it takes is some social engineering for the account holding the keys to be compromised, and then you've lost all control.

Boxcryptor is a fantastic product which offers both managed and a self-managed options. I love when products do this. Selecting self-managed is the superior choice. And where possible, try to generate keys with something other than the product that will use them. It's great you can just generate SSH keys when you make an AWS machine, but it's better to provide the public key to Amazon. Just take that extra precaution.

Again, with encryption services, never let the product "store" the password to start the application if it offers you. Make sure you have to enter it every time.

Follow a Solid Backup Strategy

Some attackers will simply wipe your machines, or install malware like Cryptolocker to hold you ransom.

A solid backup strategy will save you here. Make sure backups go to location that isn't the machine that's backing up. Design a Backup Strategy. Cryptolocker was devious in that it also would attempt to encrypt local and network attached drives, so be aware.

Never Forget

Definitely the hardest part. You need to keep reviewing your protections in place for your network, as everything in the IT industry has a habit of turning on its head constantly. 1 year in the IT world is like 5 in the rest of the world, maybe even more in the IT security world.

Getting lax about it all will only serve to expose you.

What I've covered here as well is just a small piece of the whole network protection world, but it's a start. Take it one step at a time to lock things down, so it's not so overwhelming and you just give up on the whole thing.