Personal, home, cyber security and YOU

I have written many times about preparedness for emergencies, having a plan that your loved ones understand for various scenarios.

I have written many times about situational awareness and having gamed out in your head various possibilities in the case of an active shooter, etc.

I have written many times about having good supplies in a secure and accessible place.

I have written many times about steps to take to protect yourself and family.

In light of recent allegations about a priest having illegal material on a computer, I am reminded of incidents with priests who were accused of doing bad things with computers and internet only to be found innocent because their wifi security was bad and someone had hacked it.

Everyone has to be careful.

It’s always someone else… until it’s you.

Just today a weird thing happened. Someone parked in what is essentially a no-parking area on the street next to where I live.  I haven’t seen this before.  I had an optical gadget handy, so I took a closer look and saw what I thought was the driver moving his hand with a device around in the manner of one trying to get more bars or perhaps wifi.   That’s when I shut everything down, went out the side, and took a photo of the vehicle.  He sat there for a while longer and then left.  Distinctive vehicle.  I’ll keep my eyes open.

If you watch videos from a source like Hak5 you learn really fast the various ways to crack passwords, enter networks with half-handshake attacks, etc.   You can even get into a network through a wifi enabled appliance.   Hostiles can plant things on your cars or on your property.

Say you are out and about and find a USB drive.  Curious, you plug it into your computer to see what is on it.  You are now toast.  The drive had hostile scripts.  The drive was planted to get some sucker.   They can unlock your computer, copy your files, get your passwords in the blink of an eye and send it to someone.

Say you just left your laptop for a moment at the coffee shop or airport lounge. It would take a few seconds for someone to insert the drive and, bammo, your stuff is his stuff.  You are now toast.

Say you are out and about and your phone’s power is low.  You ask if you can use someone’s power cable.  You are now toast.  The power cable, indistinguishable from good ones, actually has “Rubber Ducky” scripts that can do amazing things to your phone and data that you won’t like.

Analogy.  I broke into my garage with a wedge and coat hanger in 15 seconds.   These scripts are a hell of a lot faster than that.   Access to your house through your garage makes you and yours vulnerable.  Access to your network, laptop, phone through USB drives, cables, half-handshakes, etc. makes you and yours vulnerable.

I once plugged my phone into the USB port on an airplane and got a message on my screen: “Trust this network?”   HELL NO!   I now have these for all travel.  HERE

Changes have been made to the garage.  Changes have been made to cables.

Everyone… be careful out there.

Change passwords.  Make them strong.  Don’t use the same one over and over.

Keep your security tight, and use two-step identification.  Yes, take the extra annoying two seconds.

Treat view devices in the hands of nearby strangers as being filled with the CCP virus.

Leave your mobile phone at home if you can.

Use signal blocking bags.


About Fr. John Zuhlsdorf

Fr. Z is the guy who runs this blog. o{]:¬)
This entry was posted in Semper Paratus, The Coming Storm, The future and our choices.

14 Comments

  1. Pingback: Personal, home, cyber security and YOU – Via Nova Media

  2. Cafea Fruor says:

    Two-factor authentication is great…until you lose your phone, it breaks, or it gets stolen, and then you’re toast, because you can’t get into anything at all. It’s also a massive pain in offices when you have one account that multiple people use, but then they want the 2FA to go to one person’s cell phone. That person goes on vacation or out of cell range, and everyone’s locked out. It seems like it’s great until it’s not.

  3. Antonia D says:

    Thanks for the great advice & links, Fr. Z!

  4. acardnal says:

    Cafea Fruor, 2FA can be used without access to a cell phone.

  5. Semper Gumby says:

    Thanks Fr. Z, important topic.

    On a lighter note, the second-strongest password can only be cracked by Moses:

    𓄿𓈉𓅏𓄾𓀀𓇼𓅱𓃰𓈠𓍄𓂀𓇐𓎡𓊝

    The strongest password is, of course: 1ChuckNorris&.

  6. JonPatrick says:

    A couple of other suggestions.

    To avoid the kind of tracking that happens with Google Chrome, use the Brave browser: https://brave.com/ It is available for your phone also.

    In addition, don’t use Google as your search engine, use DuckDuckGo which does not spy on you and monitor your searches as Google does.

    https://spreadprivacy.com/what-does-google-know-about-me/

    https://duckduckgo.com/

  7. Jim Dorchak says:

    This is such a time of No Confidence in our government to protect us and in our societal associations (Churches) to defend us and help us. Instead many times they are the ones attacking us. Either in our Churches directly or in our Schools or in our bank accounts or in just the way they try to force us to believe a person born male can suddenly become female.
    The result is increased distrust over all.
    The people we look to tell us and defend the truth are now lying to us.
    Today if you disagree with any of their agenda then you are a ripe target.
    Ask yourself if you can beat them? Can you defend yourself? Protect your wife and Children?
    If the answer is no…. and it most certainly is NO… then you are living in the center of the bull’s-eye.
    God.
    Family.
    Country.
    In that order. People need to make decisions before they will be made for them. It is too late when it is a knock on your front door coming to take your kids from you because you do not support their agenda.
    For me and my family it was better for us to not be on the other side of the door when they come. We left.
    When the bolsheviks came to take away my Catholic ancestors in Russia, some… some of my family had left for a safer place.
    The ones who did not leave were executed and they were the lucky ones.
    No GOD
    NO FAMILY
    ….. country?

  8. JesusFreak84 says:

    I work in IT in FinTech and we get these things drilled into our heads all the time. (Also, seeing Hak.5 plugged made me smile since I started watching that at its beginning in the mid-00s.)

    If your parish actually has servers and some more advanced IT infrastructure, don’t hire an IT guy who doesn’t even know what the OWASP Top 10 list is: https://owasp.org/Top10/

    Some other thoughts this post brought to my mind:

    I personally am also a big fan of VPNs. ProtonVPN has free servers, but TunnelBear’s by far the most “idiot-proof” one I’ve seen. If you’re a seminarian who doesn’t want to get busted coming to this blog, it’ll hide your traffic.

    Note on 2FA/MFA: SMS spoofing IS a thing, so SMS, plain text messages, are the absolute worst way you can possibly get your 2FA code because it’s the easiest way to intercept.

    Password managers are your friend. We use KeePass at work, I use RememBear personally, but 1Password and LastPass are also supposed to be good. Microsoft appears to be turning its Authenticator app into a PW manager, and you can get that from the Microsoft Store and run it on your desktop, no phone required. I hate google, so I don’t use their authenticator; I use Authy instead.

    We should really start setting up our most important Catholic sites as TOR onion notes, I2P sites, Freenet nodes, etc., so we’ll still have access.

  9. PostCatholic says:

    Those data blocker USB connectors are great, I especially use them when working at the office of a client. It helps make sure I don’t take home any problems.

  10. Lurker 59 says:

    With technology, it is best to assume that the hardware has a back door and that the software has a back door.  Therefore, your data is accessible given knowledge of the “door”, or enough time/computing power to “pick the lock”.  As an example, it is pretty easy to reset the Administrator Password for a Windows computer if one has physical access to the computer.  Thus the need to have a plan for how to proceed should the data/system/network become accessed.  

    Don’t think that deleting a file means that it is gone.  If it is online, it still exists in an untold number of physical backups that, say Google, constantly makes of their physical hard drives.  Also, say in the case of a text message, all you have done is hidden your ability to see it.  If you delete the file from your local computer, it is still there — all you have done is removed the file’s location from the HD’s Table of Contents.

    Tracking:  In order for you to get data on your device from the net, other devices have to know where your device is.  You cannot hide, you can only mask and encrypt your location and data.  You are just adding extra steps.  Yes extra steps do help but understanding that they are only extra steps helps you to not have false confidence about your data.

    The fundamental structure of networking is insecure and open.  Security is akin to being in the middle of an ocean and trying to build walls to keep the water out while allowing some water in and out at the same time.

    I want to add some things to what JesusFreak84 said.

    VPNs — Sure but it still shows up as VPN traffic in the network logs.  Network Admin can either block the VPN outright (If a NetAdmin isn’t blocking VPN traffic outright they are being negligent in their job.  Seriously, don’t allow individuals to have VPNs on your parish network, that stuff can come back to bite you.) or red flag you for indicators of looking at contraband.

    The sad truth is that diocesan/parish IT positions don’t pay enough to attract people who truly provide security that is beyond configuring consumer-level products.  Don’t expect what they cannot deliver.  This is not a dig at them!  Most IT people are just doing basic configuring of consumer-grade products.  (A very good Vendor that we worked with just did basic configuration on the network equipment — for tens of thousands of dollars).  Understand the limitations of your technology and your personnel.

    Password Managers — A physical USB Password Manager is ideal, especially one that unlocks via fingerprint.  I don’t recommend keeping financial or the admin password for your personal website in any password manager, though.

    SOME SUGGESTIONS

    *Put your alternative email addresses in your Contacts under a different name.  If you get hacked and someone starts sending out messages to your Contacts, you will get the emails too.

    *Make it a habit of checking your logs.

    *If you have real concerns about someone accessing your data, put activity loggers on your own devices. 

    *Chromebook in DEV mode only logging in as Guest always logging out (never suspending) and periodically taking in and out of DEV is pretty much an empty device.  Given that each partition (when you drop in and out of DEV you are constantly repartitioning, and each Guest is a new partition) is an encrypted OS, which is going to be really hard to recover erased data from (still extra steps).  

    *If your position is a sensitive position (and/or people in your position tend to get charged with things) don’t have your office computer’s screen situated so people cannot see what you are doing.

    *Staff and Administrative personnel are not IT Administrators.  Keep clearly defined roles — only IT has ID/Logins that are Admin Users and only they have the passwords.  Make your IT department change passwords periodically and fire any IT using Admin p@ssw0rd.

  11. moon1234 says:

    NIST guidelines for password security in 2021 have thrown out almost all of the above recommendations and they have JUST ONE recommendation:
    Make your password as long as possible and easy for the user to remember, ideally 14 characters or more.

    WHY? Simple. The technology to attempt every combination of a 14 digit or longer password does not reasonably exist today and won’t for quite some time. Get rid of the complex password requirement, the must have numbers, capitals, non-alpha characters, etc. WHY? When complex passwords are required they only lead to people choosing easy to guess passwords or worse they write them down or use a password management tool to “remember” them all. Now access to your whole life is in ONE place.

    NIST also advises against requiring password rotation on a schedule (every 90 days, etc.) WHY? Because MOST people dislike this frequent password change. They wind up incrementing a number by one, changing common letters to symbols S to $ o to zero, etc. Hackers know all of these same tricks and use them commonly.

    The most secure password will be 14 or more digits long, not contain your name or common information about you or your family. Combine this with two factor authentication that uses OAuth (a token sent from an app/hardware device/etc.) and it will be virtually impossible to hack your account using credentials.

    MFA can have multiple options. If using Microsoft Authenticator, make sure to add a 2nd backup MFA option in case the primary is not available. What are good secondary options? YubiKey is a good hardware based key. It is a USB dongle with a button. You connect it to any device that will accept a USB keyboard, when prompted for MFA you select the YubiKey option (it is supported by almost all major online platforms) and push the button. A long number hash will be passed that is unique to your key. Don’t want to carry around a hardware key, set up an e-mail account on a platform you trust that is ONLY used as a secondary MFA source. If your primary goes offline, etc. then a secure code can be sent to the secondary account. A phone call could be a relatively secure secondary source provided you can assure your number is not compromised.

    Finally, the only secure data is data that is NOT online or connected to the internet and stored where physical access is not possible. Anything else is a compromise. MOST people do not have interesting enough data for people to try and steal. It’s much more likely they will just hold it hostage via encryption/ransomware. Look at your security from that point of view and it will keep almost everyone (maybe even yourself) from accessing your data.
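    The two points in the comment above, that length beats forced complexity and that scheduled rotation produces predictable variants (increment a number, S to $, o to 0), as an added Python example that is not from the post or any commenter; the alphabet sizes, the guess rate and the substitution table are assumptions:

```python
import math
import re

# Assumed alphabet sizes: 95 printable ASCII characters for a "complex" policy,
# 26 for an all-lowercase passphrase. The guess rate is an assumed offline figure.
PRINTABLE_ASCII = 95
LOWERCASE = 26
ASSUMED_GUESSES_PER_SECOND = 1e10


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Assumed table of the substitutions people reach for when forced to rotate.
_LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "3": "e", "1": "i", "!": "i", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Strip a trailing counter and undo leet substitutions so variants collapse together."""
    stripped = re.sub(r"[0-9!?.]+$", "", password.lower())
    return stripped.translate(_LEET)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is just the old one incremented or re-spelled."""
    return normalize(old) == normalize(new)


if __name__ == "__main__":
    complex8 = search_space_bits(8, PRINTABLE_ASCII)
    long14 = search_space_bits(14, LOWERCASE)
    print(f"8-char complex:    {complex8:.1f} bits, {years_to_exhaust(complex8):.3f} years to exhaust")
    print(f"14-char lowercase: {long14:.1f} bits, {years_to_exhaust(long14):.0f} years to exhaust")
    # Constructed sample rotations of the kind the comment describes.
    print(is_trivial_rotation("Summer2023!", "Summer2024!"))  # True
    print(is_trivial_rotation("P@ssw0rd1", "Passw0rd2"))      # True
```

    A password change handler can reject a new password when is_trivial_rotation returns True, which removes the main reason scheduled rotation weakens rather than strengthens accounts.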

  12. millercr2 says:

    Small biz here… one of the biggest security threats faced is employees clicking on links of phishing / spoofing emails. Be very careful, don’t trust emails, hover over links first to ensure it’s legitimate URL / link. Hire a service to test employees by sending out a test phishing email. Remind employees constantly about this and other security measures.

  13. JabbaPapa says:

    I would think that aggressive countermeasures like those suggested here would be a requirement only for those, like Father Z, who might be targeted more frequently than others not having such a large public internet footprint.

    Basic countermeasures bundled with current Operating systems and keeping your OS and your antivirus up-to-date should be sufficient for most people.

    OTOH if you are even moderately well-known or if you are running a business, even from home, or you are even moderately wealthy, then it’s a good idea to adopt those extra security measures; which might be so simple as a home backup system with its own safety backup. And having a trusted IT professional or ex-IT professional you could call upon in emergencies.

    Another simple security measure, in positions where private conversations might need to be protected from snoopers, would be a room without electronics of any kind, not even a land-line phone, and forbid bringing any mobile phone into the room.

  14. JabbaPapa says:

    As for passwords, among the best and most secure are sequences of three words having some personal meaning.

    Like, for example, WonderfulSpanishPilgrimage (NOT my password). Easy to remember; hard to crack.

Comments are closed.