Joseph Mullins

Programmer | Security | Automation

joseph@ropeney.com

Setting up Good Security Practices

The landscape is evolving: threats are constantly growing and the barrier to entry keeps dropping. Do a simple Google search and you will turn up a hundred guides on how to hack anything; whether they work or not is another matter, but it shows that anyone wishing to be mischievous, or to "research", can get a straightforward how-to guide. The following is a simple collection of security practices that are easy to follow and will put you on a bit more equal footing.

Updates

Updates are worth more than any antivirus or security package. Staying on top of updates is the single most important thing you can do to keep your machine safe and secure. Software is constantly being broken, whether for malicious intent or simply for research, and updates are generally provided quickly when vulnerabilities are found so that they can no longer be exploited. Keep this habit up and your security packages won't have to work as hard. The easiest way not to let this slip is to keep automatic updates on; most operating systems can be configured to install only security updates, so they shouldn't ever need to be turned off.
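As an added example (not from the original post), this is what "install only security updates automatically" looks like on Debian, using the unattended-upgrades package's own configuration keys. The script writes the two files to a directory you choose (a temporary directory by default) so you can inspect them; to apply them for real, point it at /etc/apt/apt.conf.d as root. The origin patterns are the ones shipped in Debian's default configuration; other distributions use their own values.

```shell
#!/bin/sh
# Added example: generate an unattended-upgrades configuration that installs
# security updates only (Debian). DEST defaults to a temporary directory.
set -eu

# write_security_only_config DEST: write the two apt.conf.d fragments.
write_security_only_config() {
    dest="$1"
    # Refresh package lists and run the unattended-upgrade job once a day.
    cat > "$dest/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Only packages from the security archive are installed automatically;
    # everything else still waits for a manual upgrade.
    cat > "$dest/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# origins_in FILE: list the configured origin patterns, one per line,
# so you can confirm nothing beyond the security archive is enabled.
origins_in() {
    sed -n 's/^[[:space:]]*"\(.*\)";$/\1/p' "$1"
}

DEST="${1:-$(mktemp -d)}"
write_security_only_config "$DEST"
echo "wrote configuration to $DEST; enabled origins:"
origins_in "$DEST/50unattended-upgrades"
```

Run it with no arguments to see the generated files; `origins_in` is the check to repeat after any edit, since an extra pattern there silently widens what gets installed without review.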

Use an Ad Blocker

Ads have been a known source of cross-site forgery and other malicious activity, especially when served by less than reputable providers. While some sites make their money primarily from advertising, and this should be respected, an ad blocker is an invaluable tool when browsing less reputable sites.

Encrypt your Phone

Encrypting your phone is a safety measure that protects against those accidents when you lose it, or when you come across some insincere guests. Phones used to be slowed down by encryption, which put a lot of people off; these days, with the rapid advancement of technology, there is almost no reason not to, and almost no visible side effects. If you use a Samsung device, I strongly suggest isolating the more important apps in Secure Folder.

Use a Reputable VPN

When using public Wi-Fi, you are sharing a network with everyone. Because of the way networking works, all your unencrypted traffic (non-HTTPS websites and other plain-text protocols) is viewable by everyone in clear text. Using a VPN and tunnelling all your traffic through it prevents eavesdropping by others, encrypting the traffic and hiding the sites you browse. Setting up an OpenVPN server on Linode is a viable alternative to paid services.

Digital Signature

Cryptography is commonly thought of as keeping things secret; however, this is only part of the real benefit cryptography provides. Cryptography, like PGP, provides strong authenticity mechanisms that give certainty about who someone is or who authored something. Getting into the habit of using cryptography to digitally sign what you produce improves basic security practices by orders of magnitude. If people rely on information you provide, even your partner, it will now be a lot harder for them to be manipulated by someone acting under your guise. This works both ways: you can now request that authors of information you rely on sign it, so you can be sure of the reliability of the information they are giving you.

Password Manager

There is a lot of discussion about using password managers, and about which one you should use. For me there is a level of practical security that I adhere to, which meets the guidelines of my employees and my professional ethics. Using a password manager can dramatically improve your security, especially if you currently use one common strong password across every website. A single password reused across many websites gives you a single point of failure if any one of them is breached and its database compromised, or worse, if their website is hijacked and the password fields logged.
 
I make use of 1Password; from my research, they provide the best security and ease of integration into all my services. All my passwords are securely encrypted on their servers and synced across to my mobile phone and computers. This gives me the ability to use the most complex passwords I can on any website I sign up to, and then easily sign in on any other device. If an account becomes, or is suspected of being, compromised, the password was isolated to that account and I can just regenerate another.

Using Secure ports for Email

A lot of email clients I come across seem to default to insecure transmission on ports 25 and 110. When setting up your email client, it is best to use TLS encryption when connecting to your mail server, which is usually offered on ports 465/587 for SMTP, 993 for IMAP and 995 for POP. It is also good practice to make sure your email server enforces secure transport when communicating with other email servers: if the security is only on your side, the message is vulnerable once it leaves your email server and until it is retrieved by the recipient.
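An added example (not from the original post) of how to check what your mail server actually offers on those ports, using `openssl s_client`. Ports 465, 993 and 995 speak TLS from the first byte; 25 and 587 (SMTP), 110 (POP3) and 143 (IMAP) start in plain text and have to upgrade with STARTTLS, which is what the `-starttls` option drives. The host name `mail.example.invalid` is a placeholder for your own server.

```shell
#!/bin/sh
# Added example: probe a mail server port and report whether TLS was negotiated.
set -eu

# tls_args PORT: the s_client options needed to reach TLS on that port.
# Implicit-TLS ports need nothing extra; plain-text ports need a STARTTLS upgrade.
tls_args() {
    case "$1" in
        465|993|995) echo "" ;;
        25|587)      echo "-starttls smtp" ;;
        110)         echo "-starttls pop3" ;;
        143)         echo "-starttls imap" ;;
        *)           echo "unknown mail port: $1" >&2; return 1 ;;
    esac
}

# probe_mail_tls HOST PORT: print the negotiated protocol and the certificate
# verification result, or report that no TLS session could be established.
probe_mail_tls() {
    args="$(tls_args "$2")"
    # shellcheck disable=SC2086  # $args is intentionally word-split
    out="$(openssl s_client -connect "$1:$2" -servername "$1" $args </dev/null 2>/dev/null)" || {
        echo "no TLS on $1:$2"
        return 1
    }
    printf '%s\n' "$out" | grep -E '^(Protocol|Verify return code)'
}

# Usage (placeholder host): probe_mail_tls mail.example.invalid 587
```

A "Verify return code" other than `0 (ok)` means the client would have to accept an untrusted certificate, which is the same weakness as no TLS against an attacker on the local network; fix the certificate rather than clicking through the warning.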

Using GPG for Email

There is debate about PGP being "too hard". That feels a bit of a ridiculous statement, though I have only experienced its seamless use on Linux and Mac, so Windows mileage may vary. For Mac there is GPGTools, which provides simple "Lock" and "Sign" buttons at the top right of each email you send. If you have imported your recipient's PGP key, which is easily done too, then you can lock it; even just signing it is an improvement, since it protects against tampering. The same integration can be done using Thunderbird and the GPG suite on Linux, storing the PGP keys in the keychain for seamless secure communication between friends and colleagues.
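The following is an added example, not from the original post, showing on the command line what the "Sign" and "Lock" buttons above do, and what the Digital Signature section means by authenticity: two throwaway GnuPG keyrings (Alice and Bob) exchange public keys, Alice signs a message that Bob verifies, a tampered copy fails verification, and a signed-and-encrypted message can be read by Bob but not by anyone else. Everything lives in a temporary directory, so your real keyring is untouched; the names and addresses are placeholders.

```shell
#!/bin/sh
# Added example: sign, verify, encrypt and decrypt with GnuPG using two
# throwaway keyrings. Requires gpg 2.1 or later.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# gpg_as HOME ARGS...: run gpg against one user's keyring with no prompts.
gpg_as() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Throwaway keys (placeholder identities): a signing primary key plus an
# encryption subkey, unprotected and valid for one day, for this demo only.
gpg_as "$ALICE" --quick-generate-key "Alice <alice@example.invalid>" default default 1d
gpg_as "$BOB"   --quick-generate-key "Bob <bob@example.invalid>"     default default 1d

# Exchange public keys: this is the "import your recipient's key" step.
gpg_as "$ALICE" --export alice@example.invalid > "$WORK/alice.pub"
gpg_as "$BOB"   --export bob@example.invalid   > "$WORK/bob.pub"
gpg_as "$BOB"   --import "$WORK/alice.pub"
gpg_as "$ALICE" --import "$WORK/bob.pub"

# Constructed sample message.
printf 'Please pay invoice 42, amount 100\n' > "$WORK/message.txt"

# "Sign": a detached signature leaves the text readable and proves who wrote it.
gpg_as "$ALICE" --detach-sign --output "$WORK/message.sig" "$WORK/message.txt"

# verify_as HOME FILE SIG: "valid" if the signature checks out, "INVALID" otherwise.
verify_as() {
    if gpg_as "$1" --verify "$3" "$2" 2>/dev/null; then echo valid; else echo INVALID; fi
}

# Bob checks the original, then a copy with one digit changed.
verify_as "$BOB" "$WORK/message.txt" "$WORK/message.sig"
sed 's/amount 100/amount 900/' "$WORK/message.txt" > "$WORK/tampered.txt"
verify_as "$BOB" "$WORK/tampered.txt" "$WORK/message.sig"

# "Lock" + "Sign": encrypt to Bob's public key and sign with Alice's key.
# --trust-model always skips the web-of-trust prompt for this demo keyring.
gpg_as "$ALICE" --trust-model always --recipient bob@example.invalid \
    --sign --encrypt --output "$WORK/message.gpg" "$WORK/message.txt"

# decrypt_as HOME FILE: print the plaintext; fails without the recipient's secret key.
decrypt_as() {
    gpg_as "$1" --decrypt "$2" 2>/dev/null
}

decrypt_as "$BOB" "$WORK/message.gpg"
decrypt_as "$ALICE" "$WORK/message.gpg" || echo "Alice is not a recipient and cannot decrypt"
```

Note that Alice cannot read her own sent message: gpg encrypts only to the listed recipients unless you configure `encrypt-to` for your own key, which the desktop clients do for you. The "INVALID" result on the tampered copy is the whole point of signing: a single changed digit invalidates the signature, whoever did the editing.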

Using Keybase.io

Keybase is an awesome idea: it gives you a way to post a signed proof on different services, and Keybase keeps checking to make sure you are still the authority over each one. This gives a central way of making sure fake accounts aren't created in your name and trusted; if people know to confirm your identity on services like Twitter against your Keybase account, then scamming under your name becomes a lot more difficult.

Switching to Signal or even WhatsApp for messaging

Text messaging is very dated and was never designed with secure communication in mind. Signal is currently the most trusted platform for secure communication, with WhatsApp offering end-to-end encryption but backed by Big Brother Facebook. Switching to secure communication for private conversations helps stop people easily impersonating you should they somehow start trying to intercept your communications.
