Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Right now I’m doing a number of pretty stupid things, including reusing just a couple passwords (“high” and “low” security), using browser/keychain password remembering too much, and storing important documents (tax returns, etc.) unencrypted.
A co-worker just had his laptop stolen, and I’ve realized just how screwed I could be if that happens to me.
So, I think it’s time to rethink how I’m doing personal security. Taking to heart the lesson that the best security is open, I figure I’ll post my plans publicly for comment.
Goals
In Applied Cryptography, Schneier repeatedly points out that the level of security you use ought to be appropriate for the “value” of your secrets. I don’t have any really valuable secrets, and I’m not all that wealthy. There’s not any reason to suspect that I’d be personally targeted by any entity with appreciable resources. Keeping the NSA out of my password file just isn’t worth the trouble.
No, my goals are far more pragmatic. My personal data needs to be secure enough to keep “casual” attackers out. The most likely scenario is one involving large-scale attacks — a breached password file somewhere I’ve got an account; a botnet attack on my server, someone sniffing a password on an open Wifi network, etc. In these types of attacks, anyone with reasonably good security will be passed over in favor of those who’ve got none.
The main goal really boils down to convenience: the time I’d need to spend cleaning up from a server breach or identity theft would “cost” me far more than any stolen data or money. Identity theft in particular can take months or even years to recover from; I’m far more scared about the time than about losing my meager savings. Ditto a server breach; there’s nothing there worth stealing, but I’d have to spend at least a week cleaning up after a breach, and that would just suck.
Practical steps
Given these relatively modest goals, I plan to do a few things:
Stop reusing passwords.
I’ll start using a secure password manager. I’ve looked at KeePassX, which is fine except for the shitty UI. I’d love something that fits better with the Mac UI; Quicksilver integration would be fantastic.
I’m a bit suspicious of OS X’s Keychain, so I don’t think I’ll use that.
I’ll generate each password randomly, either with a generator or by hashing the site’s URL with some salt.
I’ll use a strong (160-bit or greater) master password. Probably a passphrase since I should be able to memorize a short phrase easier than a random string. If I’m remembering correctly, English has about 1.5 bits of entropy per character; that means I’ll need something like a 100-character passphrase.
I’ll need to go through web sites one by one and convert passwords; that’ll be a pain, but worth it.
I’ll need to store backups of my passwords since a disk loss could mean I’m hosed. I’m going to keep the master copy on my laptop, but I’ll make automatic backups onto a USB stick, my iPhone, my personal server, and my backup server. That should ensure I never lose it. Of course, that means I need to be double-plus-ultra-sure that my keyphrase is good.
Stop “remembering” passwords anywhere except the password manager. This means turning off Keychain, Firefox’s password manager, etc.
I’m not sure what I’m going to do about shell account passwords (and especially the root password on my server). I don’t want to have to type random passwords each time, but using SSH keys makes the damage from a stolen laptop greater.
So I need to either start using different passphrases for my shell passwords while stopping my use of SSH keys, or else use random passwords with SSH keys, and figure out a good way to protect said keys. I’m leaning towards the latter: random shell passwords with SSH keys protected by a good passphrase.
Set up a VPN and use it any time I’m at a public access point.
OpenVPN would be easiest here, but unfortunately iPhones don’t support TLS VPNs, so I’ll need to figure out something like PoPToP. Yuck.
Store important files encrypted. I’d like to use an encrypted disk image on my laptop, but I’m not sure if the security is all that great (I seem to recall from my iPhone hacking that cracking encrypted DMGs isn’t all that hard). Also, I’m not sure if said images can be mounted under other OSes; I might need to access ‘em on my Linux boxen.
There’s got to be a cross-platform disk image tool based on openssl; I need to look into that.
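The "hash the site's URL with some salt" option and the passphrase-length estimate from the steps above, sketched as an added example (not the author's code). It swaps a bare hash for PBKDF2-HMAC-SHA256 so that guessing the master passphrase from one leaked site password is slow; the function names, the 62-symbol alphabet, the rotation counter and the iteration count are assumptions.

```python
import hashlib
import math
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed policy)
ENGLISH_BITS_PER_CHAR = 1.5  # the post's estimate, taken as an assumption


def chars_needed(target_bits, bits_per_char=ENGLISH_BITS_PER_CHAR):
    """Length needed to reach target_bits at a given entropy per character."""
    return math.ceil(target_bits / bits_per_char)


def site_key(url):
    """Reduce a URL to its hostname so every page of a site maps to one key."""
    parts = urlsplit(url if "://" in url else "//" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname  # urlsplit already lowercases the hostname


def derive_password(master, url, salt, length=20, counter=1, iterations=200_000):
    """Derive a per-site password from master passphrase, salt and hostname.

    counter allows rotating one site's password without changing the master.
    Anyone who learns master and salt can regenerate every password.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    context = salt + f"\x00{site_key(url)}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), context, iterations, dklen=64)
    n = int.from_bytes(raw, "big")  # 512 bits, so base-62 bias is negligible
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    master, salt = "constructed example passphrase", b"constructed-salt"
    print(chars_needed(160))                  # English passphrase length
    print(chars_needed(160, math.log2(62)))   # random 62-symbol password length
    print(derive_password(master, "https://example.com/login", salt))
```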
Meatspace
As I said above, perhaps my biggest concern should be identity theft. To that end, there are a couple of things I need to do in meatspace:
- Place a fraud alert on my credit report. These unfortunately only last for 90 days — thanks, Congress! — so I’ll either need to remember to renew every quarter or pay for a company like Debix to do it for me.
- Start shredding my bills and such. It’s silly that I don’t do this already.
Whatdayathink?
I wanted to post this publicly so I can get some eyes on it. Am I missing anything here? Is there a big weakness I’m overlooking?
It would also be cool if this could start a discussion of personal security plans. Anyone out there want to post your own security plan?
Comments:
OpenVPN might be overkill. When I'm around, I simply log in via SSH to one of my servers, redirect a few ports (IMAP/SMTP/etc.) and either use a proxy I have previously installed on the server for browsing, or simply let ssh act as a socks proxy (-D), which can also be used to access IM services.
I forgot to say that, in order to be able to reach my server via SSH, it is sometimes useful to have the SSH daemon listen on port 443. Then either connect directly, or tunnel packets through an HTTP proxy using proxytunnel or something equivalent.
I had my share of troubles including a stolen notebook. But all my real troubles with identity fraud came from the Real World (tm).
On several occasions (!) I got my trash stolen (!) and found that documents were used in attempts to scam me out of money. After the second time I started to shred all identifiable documents (with my name on it, my address, my account numbers, or anything that can be traced back to me).
Once I got a fraudulent transaction on my credit card. I spotted it immediately, and notified the bank, which was less than helpful trying to persuade me that it is my transaction, I just forgot I did it. Fortunately it was used in a place I never shop. During the conversation it turned out that it was not made over the internet (as I suspected initially), but it was made in a brick-and-mortar shop. Somebody presented it physically, scanned it, and signed a receipt. I requested a copy of the receipt --- of course, that somebody didn't even attempt to forge my signature, it was signed as "John Smith" in block letters. :-)
Later I was talking to my friends about this accident, and one said that he knows how it was done. Apparently the best way to clone a card (which is very simple, and inexpensive) is to have "your man" working as a waiter, which takes a card away from you to scan it after the meal. S/he will have plenty of time to clone it. Of course this card is not going to be used immediately, will be used only once, and most probably signed as "John Smith" so you can contest charges without many problems making you less eager to trace your life to find a culprit.
The moral of the story: in places where your card is taken away for a moment, pay cash, or always use one card with a low credit limit, which can be canceled without many problems for you. Especially be wary of strange places, where you get a bad vibe. And always shred any identifiable papers (bills, envelopes, spam) before throwing them out.
I've been using KeePass(X) for a while now. One thing I recommend is periodically dumping your KeePassDB to txt, encrypting it with your master using OpenSSL, and secure-deleting the unencrypted file. I just don't like trusting a weird binary format and not-so-popular-software with all my (unknown) information.
I use FileVault on my laptop as one extra measure, they'd have to break my (weaker) user password in order to get to my encrypted KeePassDB (much longer master, as you said - a phrase). I started using SSHKeyChain recently (http://www.sshkeychain.org/) and put a master on my private-key, which gives me access to personal and work servers. I feel pretty good about the security of my phrase... but SSHKeyChain is used to ease my pain and could (has) have flaws. :(
There is a large flaw I recently found in my (our) plan, which has shaken my security world and sort of left me in limbo for now. I'm webernets, computer, and OS X savvy... but you just can't trust binaries. I download all sorts of software, much of it open, some not. What happens when someone logs my keys or user activity? Is this easy on OS X, would they (I) be prompted for root access? (they would, I assume, be running as my user) If they got my master, and were able to send my KeePassDB somewhere (easy when running as my user) - I'd be grand royally screwed.
Have you seen Wallet? It might fit your taste better for a more OS Xish password manager.
http://www.waterfallsw.com/...
@Brian: no, I'd not seen Wallet; it looks pretty nice. However, I'm pretty suspicious of any security software that's not open-source. It's very hard to trust an obscure binary blob to do things correctly...
Personally, I'd consider Keychain in large part because of the integration, and it isn't just a giant black box. Apple has some good descriptions of the system online: (http://developer.apple.com/...)
Also, most of the actual system that Keychain uses to store, decrypt and encrypt, etc is Open Source: (http://developer.apple.com/...)
Of course, all I use Keychain for is my IM passwords, all important passwords are just stored in a GPG encrypted file.
I purchased Wallet when I switched to OS X, thinking it was a nicer KeePassX.
Nope.
I don't remember it much now, I don't think you could copy passwords out with the keyboard (like Command-C in KeePassX), and passwords ALWAYS showed, which was ridiculous. I use KeePassX in front of people all the time, why the hell would I want to show the world my passwords?
All it had going for it was the fact that it was, I guess, Cocoa. Definitely not for power users.
@Brett: yech. I just wish KeePassX wasn't so fugly (and didn't have a name that sounds like "keep ass").
Maybe I'll take a stab at writing a password manager myself... I've got a long weekend to play with it, at least... Wonder how much PyObjC I remember...
I don't know what your server is running, but I recently asked Metafilter how to set up VPN on my Debian server to connect to it from my iPhone, and got great answers. Now I've stopped using ssh tunnels on my laptop, and switched to using VPN there as well. The instructions I got there worked a treat! Link: http://ask.metafilter.com/6...
(The instructions are for PoPToP)
take a look at pwsafe http://nsd.dyndns.org/pwsafe
you can compile it everywhere, use from shell
and you can even read the database from other GUIs
(http://passwordsafe.sourcef..., http://www.fpx.de/fp/Softwa...)
TrueCrypt is missing from your tool set. I have a 2 GB TrueCrypt file that hosts all my personal data, passwords, ssh keys etc. Depending upon your paranoia level you can set it to forget your password every few minutes or when you lock your laptop or on system reboot.
I have also installed lots of portable apps, python with all my laptops in that 2 gb partition, which makes migrating to a new laptop just a matter of copying single file.
@Robert: thanks for the link; pwsafe looks like a good starting place if I end up wanting to write my own password manager. Don't think I'd use it directly; having to fire up a shell each time I want a password is a bit annoying.
@Amit: I've played with TrueCrypt in the past, but since it won't work on my Mac (my primary computer), it's probably not for me. Real shame, too, since it would be perfect were it cross-platform.
@Jacob: If you do decide to implement your own password manager, I hope you will consider basing it on the password manager Revelation (which is also written in Python). I would love to have an OS X "port" of it, since I use Linux and Mac both.
More information:
http://oss.codepoet.no/reve...
http://en.wikipedia.org/wik...
Regarding Credit History: I recently read something to the effect that you can get your credit history locked, i.e. if anyone wants to access it (including banks for credit applications etc), they need to contact you first to get it unlocked. Unfortunately, that is all I know so far. Experian and the like will likely ask for a small but not insignificant amount of money, every time you need to get your credit history unlocked.