Dec 25, 16 / Cap 24, 00 03:45 UTC
Using digital technology securely ¶
Based purely on the number of citizens that would use facebook, I feel various topics of secure use of digital technology should become a focus. The intent of this thread is to store posts of best practices in order that Asgardians who do not naturally think in terms of security can be prevented from making simple, avoidable errors in procedure that would endanger their digital security, and by extension, the nation as a whole.
I heavily encourage to read carefully this post, and any others, and reaching the end of the thread. I will try to avoid technical jargon where possible, and keep information and concepts easy to digest.
True, an opponent of enough skill given enough time will ultimately prevail as the defensive role in this game is the more difficult of the two sides to play, but that doesn't mean this should be made easy for them. Like encryption, the idea isn't to make it impossible, simply that difficult or take that long it isn't even attempted.
Clearly, an important topic in such a realm is that of usernames and passwords. Both of these can commonly leak more information than is warrented, care should be taken to avoid this wherever possible, even more important when a service is "public facing", but that's a privacy issue more than security. The security part is obviously the password - and commonly the human element is a critical failing here. Despite numerous warnings from "security advisers" in multiple locations, for a very long time, people still attempt to use their spouses pets birthday and other rediculously easy to guess(to anyone with any access to various details, the sort of details that litter social, I mean docile media) passwords. The common cause for this is they find it "easier to remember". Even worse, some use dictionary words - and feeding a list of words into a computer to attempt is about as simple as things can get. To combat this I personally augment the system dictionaries with known password lists ensuring that users cannot set themselves a password that will be commonly attempted in a brute force assault. About here I should mention the problem of password recycling. Effectively this is the incredibly poor practice of using a password to one service for another service. Breach of one service, then leads to breach of multiple. Even if you've set a secure password that would survive some intense assault just one of the places losing their user DataBase will result in multiple additional breaches in unreleated services. Again, the reason for this is due to memory issues. A technique I commonly reference when discussing the subject of setting secure passwords is the "XKCD method" (https://xkcd.com/936/). Effectively, it's to combine multiple words, like the example "CorrectHorseBatteryStaple" - I would personally suggest an additional layer, by intersecting numbers/symbols between the words: "£Correct$Horse€Battery⅝Staple" which would drastically increase entropy. It's even more cunning when you use symbols that don't actually appear on the keyboard. These words must be selected at random. Selecting anything with any significance or connection to you, even a few degrees removed, will assuredly fail against anyone with intent of you as a target, and reasonable research skills. There's software that will collect this information, then make "educated guesses" on password formations based on the data input, and common password syntax. Ofc, trying to remember multiple passwords for multiple services fifty or sixty services can become a little encumbersome. I personally advocate KeepassX, a free open source(code it is built from is publicised for inspection) password manager. The idea is that this encrypts all of your passwords into a secured database, which is then as secure as your passphrase, or keyfile if it's locked to that instead, and your ability to keep people from making copies, or otherwise having access to it. There are other similar tools available, but you want to be able to trust the software author for things like not using backdoors, being able to impliment encryption methods in a sane fashion etc, so when selecting one aim for open source and look for cryptography audits. I like keypass because I can trust it's lack of malware and it's use of encryption - further it can populate forms of browsers with details with a click, or copy fields from the database to the buffer for pasting - and then sanitises the buffer after a few seconds. The user can simply adjust a GUI slider to increase entropy of the passwords it can also generate - equivical to commands like "dd if=/dev/urandom bs=1 count=64 | base64 -w 0 | rev | cut -b 2- | rev" which will output a string like: "mfe5qjYwsPj878dIOg2p2VmLEkpkS9b1Sn3PkfDZy/1kx+yT5rJQm2Ip46AuXN20Ua2rM7PCJGys1ZSAh7jchA=" - this sort of password would be impractical to brute force, rememberable to but a few and pretty impossible to be leaked by "shoulder surfing". Even more secure than that is the use of certificates. X.509 certificates (this is related to SSL/TLS -=- HTTPS that secures most banks traffic, almost any sane online service etc) can be generated locally, giving you a private and public key. The private key, as the name suggests, should be protected from external or third party access. The public key however is safe to be viewed by random public. It's possible to get this key signed by a remote service - without the private key leaving the system - and then the remote system can challenge in a way that only the private key can decode, and thusly respond correctly. To secure the use of the private key further it's possible to lock them with a pasphrase. Accounts secured via certificates are almost impossible to brute force.
As this is a long and complicated subject, keeping your passwords secure is only the tip of the iceberg. The most common way people get hacked/infected, up until the onset of IoT at least, is from clicking shady links in spam emails, or docile media. Right behind office(orrifice) documents with infections attached to emails, is the browser itself. The act of visiting a site by default transfers data - you need to get the text, the pictures etc - and commonly this also includes various code. Much of this is benign and simply is things like the HTML of the page construct, but executing random third party code as a default, IMHO, is insanity. You wouldn't just let any random third party drive your car, not without at least asking where they intend going/what doing with. I fail to see why people allow randoms to execute their code on their computers, but I can't explain a lot of things regarding human behaviours. The obvious solution here would be to not execute code as default, and only allow things from sources that you trust to execute. It's possible to obtain plugins like NoScript for firefox, which as the name implies, prevents scripts. It allows for access to execute on a temporary basis, and allows to create whitelists of services you allow in order to become less obtrusive to the end user. It also has some other interesting features, but the critical point is it will stamp on a lot of shady ventures before it can get further than your browser should you inadvertantly or misguidedly click on a link. Even better use a browser like lynx, or edbrowse - That's far too basic for most malicous code to gain traction on.