Sunday, August 20, 2017

As computers become an increasingly important part of our everyday life, it is vitally important for people to understand how to keep our computers safe from malware and unauthorized access. This is even more critical now that our computers can store digital cash.

Email Encryption Tutorial

Encrypting your email communication is something that has been a complicated process to setup.  Here's a video produced by Justus Ranvier that offers a step-by-step guide on configuring and using Thunderbird for email encryption.


To help out, here are some links to the software discussed by the video above:

Thunderbird Email Client:  https://www.mozilla.org/en-US/thunderbird/

Enigmail Plugin for Thunderbird:  https://addons.mozilla.org/en-us/thunderbird/addon/enigmail/

GPG for Windows:  http://gpg4win.org/

GPG for OSX:  https://gpgtools.org/

 

Computer Security

Physical Security

Physical security has always been a vital part of computer security. If a bad guy has unmonitored physical access to your computer, a large number of bad things can be done to your detriment. This become even more critical as we start to store a potentially large financial value on our devices.

Files containing cryptographic keys, Bitcoin wallets, and confidential data can easily be retrieved from hard drives with the proper knowledge – even when accounts and BIOS are protected by a password. The only protection against this, specifically, is if Full disk or container encryption is used to protect those sensitive bits. But if you don’t maintain proper physical security, key loggers can be installed to record passwords used to secure those containers, tiny video cameras can be installed above keyboards to record key strokes, and bootloaders can be “enhanced” with Malware to compromise your Operating System.

Software Updates

The first piece of keeping your computer secure is making sure it has the latest versions of your Operating System, patches, and software applications. Letting these things fall behind can open the door to malware thru vulnerabilities.

Don’t just take for granted that your Operating System is automatically applying system updates. Verify it for yourself and run the update process yourself from time to time.

If your Operating System does not update individual applications, make it a point to manually check the vendor’s website to see if there are any available updates – especially security related updates, which typically will be free of charge.

AntiVirus / Malware

Honestly, AV software is nearly useless against new/unknown types of attacks, especially targeted attacks. But they can be very useful against well known problems. Even on traditionally Virus-Free Operating Systems, you should consider getting some type of AntiVirus protection for your computers that play a role in helping you manage your finances.

Personal, Password Protected Accounts

Your computers should have a dedicated, password protected account for each user. Setting this up allows for a higher level of non-repudiation – It is much more easy to identify who is doing what from your computer. It can protect you (and other users) from false accusations and protect confidential information stored in the account profiles.

Unique, Strong Passwords

It is somewhat important to maintain strong passwords for your computers. They should be as random and long as possible. This comic does a great job of explaining what a strong password might look like:

Comic by XKCD: Randall Munroe

Other Password Options

One method that can be used to ease the pain is by using a Yubikey. The Yubikey is a small ThumbDrive” looking device that is really just a USB keyboard. When you press the button, it will input characters to your computer as if you were typing them in yourself.

The simplest way to use this product is by setting it with a static long, random string of characters and add or remove simple, easy to remember characters as a second factor of protection. This is often referred to as 2 factor authentication or “have something, know something”. For instance, if “ePhae9yi7uov” is stored on the Yubikey, and your additional component is your dog’s name “spookey”, your effective password might be “ePhae9yi7uovspookey” – something very hard to break, yet very simple to remember. As long as you maintain smart security* over your Yubikey, you’ve just enabled yourself to have super easy, strong account protection. There are much stronger methods of using your Yubikey, but the method described is a way for the average user to easily gain a whole lot of password security.

“Smart Security” being – maintain physical possession of your Yubikey at all times and don’t use it unwisely (like at untrusted computers or over unsecured protocols such http).

Additionally, the same Yubikey could be used for other passwords by simply using a different “easy to remember” additive password. For instance, your TrueCrypt/encryption password might be “backspace, backspace” and your cat’s name “bubbles” which would make your encryption password “ePhae9yi7ububbles”.

External Password Stores

Several password storage systems exist that can help you manage a large number of unique passwords and their usage history. One of our favorites is from Keepass.info because it is cross-platform (MacOS, Windows, Linux) and you are responsible for the database’s security and privacy.  We also recommend LastPass, if you would like a reputable 3rd party to manage the database security and privacy. LastPass offers a great solution that can be accessed via your desktop or mobile device and is another well known application that can also be tied to your Yubikey for unlocking the database. However, by using Yubikey/LastPass in this fashion, you’re extending your rights to privacy to a 3rd party.

Browsing Habits

Browsers

It is our opinion that you should not use Internet Explorer for general browsing on the Internet. There will be cases where you will need to use it to access some non-standards compliant websites, but it is better to be using anything else in the meantime because of the historically high number of security vulnerabilities associated with this browser. It is our recommendation that you use Firefox or Google Chrome for your normal/default browser.

Clicking Habits

The #1 method of breaching security is through Social Engineering – tricking people into doing something they otherwise know they normally shouldn’t do. The human factor is by far the easiest way to break security. One of the biggest reasons for this is because it is very easy for humans to become complacent. To combat this, you must be ever vigilant to analyze everything you do while you’re at your computer: Verify links before you click on them, validate senders before you open attachments, and be very prejudiced about the software you allow to be installed on your computer.

When you receive an email or are about to click a link in a browser, always compare the URL shown in the browser’s lower status bar with what is displayed by the link. If there is any difference in the domain name, use extreme caution. Typically, the best practice is to copy the link provided and paste it into the address bar yourself and review the contents before you visit the URL. You’ll want to be very wary of URLs within URLs, obfuscated domain names, parts of the URL that contain .exe or .com, etc.

SSL

SSL is a protocol used to securely send information to another computer (usually through your browser). You can identify it is being used when you see a URL that begins with “https”. If a URL begins with “https” then it is going to be using a cryptographically secure connection that may or may not contain sensitive information such as accounts and passwords. It is important to always try to use “https” connections when possible, especially when confidential information may be transferred.

Password Stores

On Wallet Security, we discussed how it is important to keep unique passwords for each resource you access and showed you tools you can use to help manage those passwords. But it can be quite cumbersome when you’re dealing with many of those resources on a frequent basis – unlocking the password store, copying a password, pasting it, etc.

Your browser probably has a relatively secure password store already built in that has the added functionality of being able to identify which password you need for a given resource/website. First, and most importantly, make sure you’re following our initial advice of maintaining strong password protected accounts for each person using your computer. Then, create random, unique passwords for each site you visit and allow your browser to remember those usernames and passwords for you. When you visit those sites later and need to login, your browser will most likely auto fill in the credentials you need to login and you’re on your way.

NoScript

Most websites rely on a programming language (Javascript) to help your browser render a web page, display it correctly, and offer other useful functions. Unfortunately, this same programming language can be used to exploit vulnerabilities is security and cause you problems. NoScript is a Firefox plugin that blocks Javascript from running on your computer. This will break some web sites from working correctly, but it has the ability to whitelist sites that you trust will not harm your computer.

Wallet Security

Backup Your Wallet

It is absolutely essential to routinely backup your wallet.dat file. This file holds the cryptographical information that allows you to spend your Bitcoins. If you lose access to this file and it’s data, you will lose the ability spend your Bitcoins.

It is important to make your backup frequently due to the way Bitcoin transactions are documented. Over time, new addresses (and cryptographic keys) will be generated as new transactions occur. If you try to restore and old wallet after some type of data loss, you may find that the old wallet does not have the keys necessary to sign off some amount of your Bitcoins. Backup your wallet.dat file often!

The wallet.dat file can be found is your profile/home directory under a folder called “.bitcoin”.

Encryption

Encrypting your wallet can protect your money on systems where you do not maintain physical control. To access your wallet, a password must be entered or the cryptographic keys are simply not available.

There are several ways to do this. Just recently, the official Bitcoin client has integrated the ability to encrypt the wallet, making it necessary to enter a password before any Bitcoins can be spent.

Alternatively, and for the time being, We suggest that you use a more proven encryption technology to protect your wallet such as TrueCrypt or PGP. Once the official client encryption feature has been proven stable and reliable, we may change our recommendation.

TrueCrypt is relatively easy to use and freely available. It has been around many years and has a good security record.

Offline Wallets

Keeping your Bitcoin Wallet/cryptographic keys off the Internet (safely away from malware and remote theives is the only guaranteed way to make sure your Bitcoins are not stolen or seized. Unfortunately, this also means that you cannot access or spend your Bitcoins. So you will have to determine a policy that is comfortable for you and only keep “online” what you can afford to lose given a particular threat (physical access, malware, value, password strength, etc).

To create an off-line wallet, simply build a new OS on a computer (or boot a “live CD” Operating System) that has no network connectivity, install and run the client, and make note of the Bitcoin addresses generated. Backup the wallet.dat file, encrypt it, and store it safely in several geographically separate locations. Even though this wallet has never “seen” the Internet, you will be able to send Bitcoins to these addresses. Recover/use of the Bitcoins is as simple as copying the wallet.dat file to a network connected Bitcoin client and send away.

During the time that your encrypted wallet is safely stored off-line, your Bitcoins will remain absolutely untouchable by any Government or thief as long as you are using strong encryption. By storing multiple copies of the encrypted wallet across several places, you’re ensuring you’ll be able to recover the keys if some copies are seized.

Eventually, the official Bitcoin Client will have a key import/export/delete feature integrated into the application but until then, this is the easiest way to protect your Bitcoins. A note of caution: You must take care to securely delete the original wallet.dat file after it has been taken off-line. If someone can forensically recover this file, they will be able to spend/move those Bitcoins at any time outside of your knowledge or control.

Scams

It is important to know how Bitcoin scams can be perpetrated so that you can identify them before they happen to you. The bottom line will always be, if something seems too good to be true or makes you uncomfortable at any time, walk away. Remember: Once you spend your Bitcoins – they are gone and you will have little recourse to get them back.

Hacks

All of the major negative news surrounding Bitcoin have been the result of hacking and misplaced trust in people and/or their security posture. We beam with joy and exuberance knowing that the actual Bitcoin protocol has never been successfully compromised in its entire life!

You need to be cautious when trusting a 3rd party with your Bitcoins – If they are lax in their security, you may lose your Bitcoins and have no recourse to get them back. The old rule applies: Know your dealer – Ask your service providers to publish their general security postures and incident response protocols.

You need to maintain a high level of security with your own systems, computers, and phones as described in the Computer Security section. If you manage to get infected with malware that is Bitcoin aware, you stand a good chance to lose all your Bitcoins with no recourse to recover them.

Impersonation

You need to express extreme due diligence to identify the people you are dealing with when it comes to Bitcoin. It is too easy to pretend to be someone else on the Internet. When in doubt, use alternate established methods of communication (such as telephones, webcams, etc) to verify intent and status. This also helps in establishing forensic trails that may help Law Enforcement identify someone who has defrauded you.

One other technique you can use to verify a person’s authenticity is through PGP. This is a method of using cryptography and digital signatures to guarantee a high level of certainty that you are dealing with a particular individual and verify the integrity of message sent between you. It is beyond the scope of this site to teach you about PGP, but it is HIGHLY recommended you seek more information and attempt to learn just the fundamentals of how it works and how it can protect you in these kinds of circumstances. You will be able to find some informative resources on PGP in the Resource page.

Altered Bitcoin Addresses

It is important to verify a Bitcoin address before sending any Bitcoins to it. When a Bitcoin address is viewed over an insecure protocol such as email or http, it can be altered to the attacker’s Bitcoin address – effectively stealing the Bitcoins in transit. To counter this, you should try to retrieve a Bitcoin address over a secure connection like https. Alternatively, you could use the previously discussed PGP technology to verify a message’s (Bitcoin address) integrity if it was prepared appropriately.

Chargebacks

One of the first scams surrounding Bitcoin involved Chargebacks. This is when a credit card processor would reverse a charge based on a report of fraud or similar cause. As an example, Eve would purchase Bitcoins from Bob via Paypal. Bob would receive the money from Paypal and send the requested amount of Bitcoins to Eve. Eve would then call Paypal and claim fraud or non-delievery and Paypal would reverse Bob’s transaction and remove the money from his account. Bob was now out the Bitcoins and the money. Do not ever sell Bitcoins to anyone with anything other than cash in a face-to-face encounter.

Learn more about Bitcoin with the Bitcoin Q&A at StackExchange