TSA Keeping Us Safe From Hackers
Blogdad Bob has formally expanded the TSA's mission into the realm of cyber security.
This holiday season, the United States Department of Homeland Security (DHS) is urging everyone to keep their cybersecurity at the top of their list as they use their phones, tablets, and other connected devices while on the go. Below are simple ways to better protect yourself online and avoid cybercrime while you are traveling.

I haven't even had the motivation to create a blog account for one of my friends so I can wirebrush them.
My list for family
Skimmed that TSA article. Meh.
1) Stay patched. If your OS isn't being patched, complain to the vendor IN WRITING and get a newer device that does get patched. Also, complain to your representatives. Any OS provided to the general public needs 5 yrs of support.

2) When online with any network away from home or work, use a paid VPN. Period. This applies especially in airports, hotels, libraries, cafes, restaurants where you don't know the networking. If you are technology savvy, run your own VPN, just don't use PPTP. Stay with IPSec or L2TP or OpenVPN. This applies to commercial VPN providers which seem to default to the highly-cracked PPTP.

3) Encrypt all portable devices. Laptops, smartphones, netbooks. WHEN these devices are stolen or lost, you'll thank me. Use whole-drive encryption with a 2FA device.

4) Backup everything you consider important. That should be everything, but some people might be willing to just back up data and settings.

5) Use long, random passwords. Nothing is more important than length (20+ characters) and being random. Never use dates, words, names, places, l33t-sp34k.

6) Never reuse passwords. Basically, use a password manager to ensure all online accounts are using different, long, random passwords. If you never have to type the password, why not use 50+ random characters?

7) Have different email addresses for home, financial (banks/broker), and business uses. That is at least 3. Having a separate one for social networks would be smart too. Being able to read/send email with an account means all passwords can be reset.

Advanced stuff:

* Use two-factor authentication, but not SMS/phone as the 2nd factor. SMS is spoof-able.
* A Chromebook is probably the most secure OS available today. It is possible to run ChromeOS without using anything from Google, BTW.
* Replace the smartphone OS with an aftermarket OS that is maintained and patched for older devices not being supported by the vendor anymore. I'm looking at all the Samsung, Nexus devices specifically, which lose support 2-3 yrs after purchase.
* Watch out for cheap smartphones. Many (most?) of these have pre-installed spyware capturing location, userids, contacts, passwords, web-browsing, etc.
* Run internet-connected programs inside a sandbox or VM. firejail is handy for this, but there are other methods.
* For this crowd specifically, take steps to combat the "evil maid attack" against your encrypted devices.
* Always have a 2nd OS on netbooks/laptops to boot and show airport security people. It should only have enough OS to get online and use a web browser. Something like TinyCore would be sufficient. 1G storage needed at most, but 200MB would be enough.

Did I mention staying patched, using long, random passwords, and having versioned backups? Those 3 things are the most important of all of them.
Originally Posted by dsdwe234sfd23 (Post 27649122)

5) Use long, random passwords. Nothing is more important than length (20+ characters) and being random. Never use dates, words, names, places, l33t-sp34k.

6) Never reuse passwords. Basically, use a password manager to ensure all online accounts are using different, long, random passwords. If you never have to type the password, why not use 50+ random characters?

[...]

Did I mention staying patched, using long, random passwords, and having versioned backups? Those 3 things are the most important of all of them.

I disagree with point 5, you may want to take a read of the following for full reasoning - but TL;DR: you don't need random characters with a long password:

https://en.wikipedia.org/wiki/Diceware

Yes, if you're using a password manager then there's no difference whether or not you use random characters. But you still need (to remember) a password to protect your password manager, system login passwords, and possibly email or bank passwords that you use regularly when you might not have a password manager with you. What ends up happening is that people use shorter, insecure (but maybe random-character-containing) passwords for those common use cases, when it's just as easy to remember a much more secure long password using the above schema.
Originally Posted by televisor (Post 27649508)

I disagree with point 5, you may want to take a read of the following for full reasoning - but TL;DR: you don't need random characters with a long password:

https://en.wikipedia.org/wiki/Diceware

Yes, if you're using a password manager then there's no difference whether or not you use random characters. But you still need (to remember) a password to protect your password manager, system login passwords, and possibly email or bank passwords that you use regularly when you might not have a password manager with you. What ends up happening is that people use shorter, insecure (but maybe random-character-containing) passwords for those common use cases, when it's just as easy to remember a much more secure long password using the above schema.

"For those few system logins, I use the long, funny, sentence, method of password generation." --> "ftfsl,Iutl,f,s,mopg." for example.

I'm moving over to a passphrase + yubikey method, where possible. Yes, that means that if I don't have the yu....y, then I don't get into the system. OTOH, if someone else has the yubikey, they still don't know the other half of the login, or how long it is. A 2nd yubikey, identically configured, is at the bank in a safety deposit box. There are other vendors than yubico which make these devices. SmartCARDs are another option, but don't work cross-platform without very careful effort.

Convenience is often the enemy of security. The few things I use which are actually more secure AND more convenient are not usually things used by end users: ssh and things that leverage ssh, like rsync, x2go, scp, sftp. Not used by most end users.

I disagree that there is a need to know either email or bank passwords - heck, I don't even know my login-name for my broker - it is random too. Why? Because that company limits the password field to 8 characters, but allows 35 characters for the userid, so I use both, random. Sure, the userid could be leaked, but I don't know it. Never needed to log in to either my bank or broker without access to the password manager. Accessing money just doesn't require that level of access these days.

My broker provided a SecurID fob when I asked about it. No cost. Sadly, they don't mandate the use, which kinda defeats the purpose. Seems their 8-character password limit probably has something to do with allowing touch-tone phone and their back-end mainframe system access. I've worked on mainframes for a few years early in my career.

Plus, since I use a different email account (actually a different alias, not account) for almost every different business, I've stopped remembering any of those logins. Just look at my userid here. Random. Generated by a computer. I won't remember it. The same applies with most of my online accounts. Don't remember the email alias used for it either, but if/when the email spam starts coming in and 1 isn't handled by the anti-spam tool, I'll know exactly where the leak happened.

Don't get me started about the lack of security for people using most free email accounts. The rule is simple: if you aren't paying for the service, then you and your data are the product. Gmail, yahoomail, hotmail - JUST SAY NO! Plus, I don't know that I'd use gmail/twitter as the authentication for other online accounts either - privacy thing - not a security thing.

Realistically, if we are only using passwords for logins, we've already lost the security battle. Over the years, smart people have tried to come up with an alternative. Mozilla has, google has, NIST has, but the login/password seem to never die. If it isn't obvious, I'm in the business.
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.