Monday 24 July 2017

Revising My Computer Security

A few weeks ago one of our in-house digital security people gave a presentation. He was not singing the usual tunes and had some interesting things to say, so I looked again at my security and privacy arrangements.

The public discussion about privacy is about keeping the prying eyes of the government and advertisers away from what you're up to. That's because no-one wants to say that the privacy you really need is from your wife, children, extended family, friends, and housemates. That doesn't sound sharey-carey-trusting-loving, but until the day the last person who likes to embarrass their mates is swinging from a tree, we're going to need that privacy.

I'm a single-occupancy household, so I don't need to lock my computers against my fellow trusted dwellers. On the other hand, I take two devices, the phone and the iPad, out with me most days, so those should have security enabled.

Also, I should do my bit to maintain herd immunity. Herd immunity happens when a high enough proportion of a group of animals has immunity from a disease that it can't spread. Maintaining herd immunity is why mothers who refuse to get MMR jabs for their darling ones are not exercising personal choice, but being irresponsible. If the word goes round the amateur villain chat boards that they have to steal twenty phones to find one that has no security and can be exploited, they will decide the odds aren't worth it.

For a long time I didn't do my part. There was nothing on any device I took out of the house that could be used to steal from me. Then along came PayPal, banking apps, Apple Pay and password managers.

I lock my work laptop every time I step away from my desk, and that's in a reasonably secure corporate environment. However, that's what my employer insists I do, and there are folk whose job it is to wander around spotting unlocked, unattended computers: it's part of my job, and I'm being paid to do it.

But then, I don't mind being locked out of my work thoughts. I do mind about being locked out of my personal thoughts. If that makes sense.

Anyway, as a result of the guru's advice, I made a few changes.

Apparently, advertisers put all sorts of tracking gizmos and other crapware on our machines. Some of it for people who have postcodes in Kaliningrad. I want to avoid that, so I put Adblock Plus on both my iOS devices, which improved the browsing experience as well. I have it on all my laptop browsers already.

I put my serious passwords into LastPass and have that on the devices I use to run my life. Caveat: LastPass doesn't sign you out after N minutes of inactivity. Signing out is manual. This is a mistake on their part. If you don't sign out, anyone who can get into your phone has access to the password manager that's still open because you forgot to sign out. As soon as you put a password manager on a device, you must activate the physical access security on that device. And sign out of the password manager anyway.

So I trained my phone to recognise my thumbprint, giving me a HTF (Do They Do That) moment. Folklore says it can tell if the Mafia cut off your finger and are using that. I'd like to know how that's done.

The guru has F-Secure on his phone. I met Mikko Hypponen on a flight to Helsinki back in the day. He's a great ambassador for his company, but I still don't like active scanners. I use the default Windows Defender and the default Windows or OS X firewalls. I don't run McAfee, Norton or F-Secure. On iOS there's no point because of the way iOS sandboxes apps. On Windows or OS X, scanners are an operational overhead with little benefit. I read somewhere that the pros don't use any. Instead they practice safe computing:

Don't visit dodgy websites, ignore any website that tells you your computer has viruses or your files are corrupt, and anybody who wants your passwords. Don't open e-mails from people or companies you don't know, and only download from the original supplier. Here I will tell you nothing have to do on sites which English not best used.

I clean out browsing history, caches and other stuff with CCleaner on Windows, and CleanMyMac for OS X. Cache cleaners for iOS are still lacking in functionality.

Just because I've cleared the cache or deleted the file doesn't mean it's gone. Deleting is one thing, shredding is another. Here's the thing: file shredding and free / slack space wiping works on conventional hard drives (HDDs) but is iffy, if not discouraged, on modern SSDs. It's not even clear what 'secure delete' means on an SSD. There are encrypted drives that use a key which gets wiped, and unless the NSA or the Chinese are after you, guessing at the key is going to be computationally unfeasible. Most SSDs are not encrypted.

If you want to store large amounts of personal or private data, do it on a conventional hard drive. Then you can shred-and-wipe, and it's gone. As soon as an SSD gets involved, you can't be sure the data won't still be there.

On Windows I use CCleaner to shred files in the Wastebin after deletion. Every now and then, I over-write the spare space on the drive as well. A three-pass wipe will do fine. The disk recovery people can work wonders with a physically damaged drive. The stuff they have works at bit-level. If you have, however, written random bits all over the drive, all they will get back are random bits. And no, on a modern 2.5-inch multi-gigabyte drive, all those tricks invented in the 1980s don't work.
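The overwrite-then-delete idea described above, sketched in Python as an added example (it is not code from this post or from any tool it mentions). The function names and the sample file contents are made up for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not fill RAM


def overwrite_pass(path):
    """Overwrite every byte of the file at `path` in place with random data."""
    size = os.path.getsize(path)
    # "r+b" opens for update without truncating, so the existing file extent
    # is rewritten instead of a fresh one being allocated. On a conventional
    # hard drive that means the same sectors; an SSD's wear levelling (or a
    # copy-on-write filesystem) may put the new data somewhere else.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(secrets.token_bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push this pass out of the OS cache to the drive
    return size


def shred(path, passes=3):
    """Run `passes` random overwrites, then delete the file."""
    for _ in range(passes):
        overwrite_pass(path)
    os.remove(path)


def demo():
    """Constructed sample: a temporary file holding a made-up secret."""
    marker = b"constructed sample secret"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write((marker + b": account 0000\n") * 100)
    before = os.path.getsize(path)
    overwrite_pass(path)                 # pass 1
    with open(path, "rb") as fh:
        after = fh.read()                # what a later reader would now find
    shred(path, passes=2)                # passes 2 and 3, then delete
    return before, len(after), marker in after, os.path.exists(path)
```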

My work laptop encrypts my Documents folder, but leaves the rest alone, which is sensible. On my personal computers, I'm not so sure. I might forget the password.

Encrypted files on personal computers are a red rag to anyone who wants to pick a fight. Encrypted files will be assumed to be the worst thing the person finding them wants them to be. Why else would you encrypt the stuff if it wasn't stolen company data / classified government documents / illegally-downloaded movies / whatever? Anyway, unless you are a journalist, very rich or have high-profile lawyers, you can be compelled to de-crypt it all by US Immigration, the Police, an Anton Piller order, your wife, anyone with a gun... you get the idea.

(It occurs to me that the most secure personal laptop is one of those Lenovos or Dells that only corporates buy, dressed up with a corporate logon and two layers of passwords. Create at least two other user profiles and fill them with encrypted junk, suggesting that you are the third person to be using this computer. Make sure none of the software is within two releases of the latest version. Put on an old VT terminal emulator, McAfee, and make IE9 the default browser. Add a sticky label declaring that the Asset ID is BG788453TD, remove one of the keys (say Z) on the keyboard, and everybody will assume you work for a large financial services company and this is your work computer.)

While we're talking about encryption, the guru suggested using Signal to communicate, or WhatsApp, which uses the Signal protocols. Use any end-to-end encrypted communication, as long as it is well-known. The quickest way to get GCHQ interested in you is to use fancy e-mail encryption, or a program known only to people who have attended Black Hat more than twice. I have WhatsApp, use the regular message app on the iPhone, and have a totally boring life.

All this stuff is free, by the way.
