Code for this blog can be found on github at

Friday, July 1, 2011

TANGENT: Getting caught with your pants *up*

For many moons, I've been promising my relatives that I'd write something up about how I handle online security.  Many of you probably have the same experience as me, being the most tech-savvy individual in your extended family.  I've found over the years that the best thing I can do is to embrace the fact and use the opportunity to raise awareness about the stuff that matters to me, and one of those things is online security.

Security is tough these days.  So many weaknesses, so many "vectors of attack", so many wallets to drain.  In the last couple of months, we've seen pigs fly - figuratively, of course, as we first saw a wide-spread virus targeting the Mac (Mac Defender) followed immediately by a more potent variant (Mdinstall).  And just a week or two ago, we saw a rampant Windows virus that targeted people holding Bitcoin, reportedly stealing more than $500,000 worth of the virtual currency before it trashed that market.  Dangerous times for us to be online, but we don't have to be caught unaware or unprepared.

Deny First

One of the basic principles in security, online or off, is the Deny First model - if you do not know what to do about a request, the default action should be not to allow the action, but to disallow it.  Get it?  Deny first, Allow only when you are certain.  You can also think of this as explicit permission and implicit denial.  Consider it - when someone comes to your door and asks to come in, do you allow them into the house before figuring out who they are and why they are there?  No, you don't.  You automatically know to figure out why they are there (a friend, a service person that you requested to come, etc.) before you allow them to perform the action of coming in.

The reason that Allow First (the opposite of Deny First) is a weak model is that it glosses over any mistakes we may have made, or areas that we didn't think about.  However, Allow First is the model our browsers have chosen in some areas, isn't it?  JavaScript in the browser is one of the most powerful tools we have today, and it is also one of the main attack vectors used by online "bad guys".  When we install modern browsers, JavaScript is turned on by default for all websites - "Allow First".  That's not the right way to do business in this modern world.  We need to tread more cautiously.

Firefox has a plugin called NoScript which is a fantastic tool for controlling which websites can run scripts.  It starts with the concept of Deny First - you only allow websites you trust to run JavaScript on your computer. It also allows a lot of other control over what is running inside your browser, like cookies, plugins, etc.  I'm a Google Chrome fan, and about a year ago, it added most of this as a built-in feature, but it is kinda buried ("Options -> Under the Hood -> Privacy -> Content Settings").  If it is on, Chrome will tell you when it has blocked a site from using JavaScript (an icon to the right in the address bar) and will give you the option of allowing JavaScript on that site.

Now, I want to make sure you know this - the Deny First method takes a while to get used to.  Think of how many sites you use today.  Now think of having to specifically allow each of those to work, one by one, the next time you visit them.  The first few days using Deny First will be pretty easy, as JavaScript will be disallowed by default on every web site and you will remember to set it to "allow".  But as time goes on, you will hit this situation less frequently and you will start to forget.  Eventually, you'll run across a site which doesn't detect that JavaScript is turned off, and you'll be thinking, "Why is this site so bad?"  Well, it's because your decision to be safe has broken their site, and the developers didn't consider that when implementing.  This is not meant to dissuade you from choosing this model - it is meant to be a reminder a week or two from now when you start to forget that smart decision to Deny First.
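For the developers reading along, here is the difference between the two models as a small added example (my illustration for this write-up, not code from NoScript or Chrome). The site names are constructed, the function names are hypothetical, and the `[*.]` prefix follows the pattern style Chrome uses for content-setting exceptions.

```javascript
// Added example: per-site script policy with a configurable default decision.
// "[*.]example.com" matches the domain and its subdomains;
// a bare host name matches only itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("[*.]")) {
    const base = pattern.slice(4);
    return host === base || host.endsWith("." + base);
  }
  return host === pattern;
}

// rules: [{ pattern, action }] checked in order; defaultAction applies when
// nothing matches. Anything that cannot be parsed as a web URL is denied.
function decide(rules, defaultAction, pageUrl) {
  let host;
  try {
    const u = new URL(pageUrl);
    if (u.protocol !== "http:" && u.protocol !== "https:") return "deny";
    host = u.hostname.toLowerCase();
  } catch (e) {
    return "deny";
  }
  for (const r of rules) {
    if (hostMatches(r.pattern.toLowerCase(), host)) return r.action;
  }
  return defaultAction;
}

// Constructed sample data (hypothetical sites).
const allowList = [{ pattern: "[*.]mybank.example", action: "allow" }];
const blockList = [{ pattern: "[*.]known-bad.example", action: "deny" }];

// Deny First: explicit permission, implicit denial.
const denyFirst = (url) => decide(allowList, "deny", url);
// Allow First: explicit denial, implicit permission.
const allowFirst = (url) => decide(blockList, "allow", url);

function compare(urls) {
  return urls.map((u) => ({ url: u, denyFirst: denyFirst(u), allowFirst: allowFirst(u) }));
}

const sample = [
  "https://www.mybank.example/login",
  "https://known-bad.example/",
  "https://never-seen-before.example/",        // the site nobody thought about
  "https://mybank.example.lookalike.example/", // trusted name used only as a prefix
];
console.table(compare(sample));
```

The last two rows are the ones to look at: the block list never heard of those sites, so Allow First lets them run scripts, while Deny First refuses until you say otherwise.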

Keep your Doors Closed

Another principle of security is to close all the doors.  If your computer has no weaknesses, then the only way in is if you let something in.  Viruses mainly spread using weaknesses in the operating system, or in applications like Flash, IE, or Firefox that run on the operating system.  Many of these weaknesses are already known, and many already have patches available - but many of the computers running out there don't have those patches applied, so they are still vulnerable.  Consider this - the application or OS vendors publicize what has been fixed, and security web sites will write up how the exploit worked on these newly patched problems, so lazy virus writers can wait for the explanation then use those exploits in their code.  Lots of machines will still be unpatched!

There is a lot of software on most PCs, and keeping up with all the patches can be a lot of work.  If you are running Windows, please install the patches when Microsoft releases them (at a minimum, the 3rd Tuesday of every month).  Keep an eye out for the "Updates Available" icon that appears in the System Tray.  For everything else, I use Secunia Personal Software Inspector (PSI) to keep up with security patches.  Secunia (the company) keeps track of security patches for lots of different software, and their client (PSI) knows what programs are on your box.  It will alert you when security patches become available, and if allowed, it will attempt to auto-update those programs to keep the holes closed.  That makes it much safer to browse the web.  Only the viruses using unknown (zero-day) vulnerabilities should be able to get in.

Use Different Keys

My last principle of security (at least for today) is to use different locks for different places.  You may have a key for work, a key for your home, a key for your car.  If you lose only one of them, it doesn't jeopardize the others.  They have independent locks, so if a thief breaks into one place, they won't necessarily be able to get into the others.  You should treat your online life the same way - don't use the same password for every website.  Instead, use a different password for every place you go.  You may have seen all the news articles about passwords being stolen.  If you use the same userid & password for every site (at least, all that you can), then if one website is broken into, those credentials could be used to gain access in other places.

The remedy for this is to use a password manager.  You need a password manager that will create strong, random passwords, that will encrypt the data, and should autofill login forms for you.  The last feature isn't a must, but helps immensely since the passwords won't be typeable.  I use LastPass, which gives me all these capabilities and more.  In fact, I use it across all my devices (that costs $12/year) and I use it to record my random answers to those inane "security questions", like "Who was your first boss" or "Who is your favorite athlete".  I am a firm believer that security questions weaken an application by allowing attackers a vector of personal information that might be discoverable on Facebook or via personal communication with the intended target (I think there was a Monk episode where a person used speed dating to discover this kind of information).

Using a password manager is similar to keeping all your keys on a keyring (something most people do) - if you lose control of the keyring, all the keys are gone and everything you own is susceptible to break-in.  A good password manager is typically guarded by its own password - kinda like a keyring on a chain, clipped to your belt.  The strength of your password manager is going to depend upon a good strong password for opening its door.  Make certain that it's a long password, something unguessable.

These principles alone will make you safer than 95% of the people out there, maybe even more.  There is always more you can do, like reduce the number of applications you load, never visit sites you don't trust, disconnect your internet connection and move to the hills.  How far you want to take the mantra of "Trust No One" is up to you.

POST SCRIPT: If you are a developer, you may want to learn more.  Here's a few suggestions:
