Sunday, December 20, 2015

Digital Security Review




Being positive has been difficult in the last weeks.

Yes, in Switzerland, Marcus and Agata recently suffered a break in/ theft in our home town of Lausanne Switzerland. Now as can be seen above you might say:

But this is merely car crime

Not so fast to trivialise

- Agata's expensive iPhone was amongst the stolen items.  It and other costly items are not covered by our existing  Insurances.

- Our House keys were stolen leaving open the possibility to thieves simply opening our front door and helping themselves

Negligence?
For the record, let me state that Agata placed her bag in the boot of our beloved Audi TT, not on the back seat. 

Somebody must have been watching us :-( . Further, breaking the window of the TT does not allow you access.  The doors are deadlocked, so they used a tool to open the back seat and drag items from inside the boot.   Bastards.

The rest of this post covers Digital Security, we have also reviewed and upgraded our physical security, but it is not discussed here.


A New Digital Security Standard

The new and rigorous home objective is as follows

- Survive a home break in with as close to zero information loss as possible

- Survive a Cloud computing break in with as close to zero information loss

AND HOW?

The big solution is Encryption.  I'll share (obviously) not how but what

- For some years we've had a highly encrypted way of storing ALL financial information , from bank logon passwords to  official government information.

- And this was never clouded,  just all the 'other stuff' which was stored in plain text (uh oh) both at home and in the cloud

- So now we've moved to full encryption of ALL documents, so that in any event of a home or cloud intrusion, all you will find is gvdlbmm

- Actually triple encrypted in a fashion that I am not sure Marcus  totally understands

- The downside is that access to all home documents, like our eBay password, or our last configuration change of a computer, is all now behind this encryption.  Which takes time to unlock, every time.

- So this is the price to pay for security, and the response to some bastard recently stealing from us and causing us worry. (We don't believe they could have broken the Apple iPhone 6 encryption, but it was a warning to us)

No Paper
We already operate a paperless environment.  All documents from financial to photos, from birthday cards to letters from an aunt, are digitally scanned and then originals securely shredded.  This means we don't need to employ large scale physical security systems to protect paper.  Just to protect digital.


What is left is our Systematic Security review.  I hope this could trigger yours, because when you have already suffered a loss, it is difficult to recover


Security Review - Cloud
2 systematic issues are at hand

Many people have pushed most of their major documents into the cloud, unencrypted.

We often have cloud access programs on our phones but the phone is marked as a secure device, thus Cloud access is reliant purely on Smartphone lock screen. No good! Loopholes detected and closed follow:


- Removal of compromising information on Google Drive.  No financial information was there of course, but things like ebay and facebook plaintext, now all removed.

- Individually Encrypting any sensitive documents that are put on the cloud  (previously some were in plain text)

- Ensuring all files are removed from cloud BIN not just deleted

- What machines can access Google Drive  (example) because they are setup as trusted?  Review trusted machines for each cloud service.

- Sharing on Cloud
You may have given read or read/write access to friends of your data.  So if their smartphone with say Google Drive and no security is stolen, your information is again visible to anybody.

- Sharing on Local Network
You could have given password free access to work colleagues on your LAN network.

Some Cloud providers recognise that installing their app on a smartphone and marking it trusted can reduce protection. So for Cloud storage apps on smartphones, if a further layer of PIN protection per app is available, set it up.


Different Passwords



We already operate a random password naming scheme. Actually for Marcus it's not totally random.  It usually one or more words from BBC  Radio 4.  So hackers beware, that is quite a large selection

Also we include punctuation characters, special symbolic characters, spaces and other unusual characters in every passwords.

So with random passwords and 3 layer encryption hackers better have a very good prime number factoring programme and an infinitely powerful computer.  Game on.




Oh, and also every BIOS, every poweron, every Admin, every hard Disk is now Password Protected.

2 Factor Authentication
This means wherever possible, example on Google or Microsoft or Financial or Shopping online accounts that a password and one other form of login security be used.

Unfortunately in many cases the second form is via SMS codes sent to your Smartphone.  Make sure your SIM is PIN locked so this SIM cannot be put into a hackers personal phone to receive your special codes.

Authenticators
Service providers like Microsoft or Google allow you to install an authenticator on your smartphone that produces a code that needs to be entered when you use (say) Gmail or a MS account.

The issue can be that if you lose your Smartphone, and that is where your Authenticator is, then this can be freely used against you.   The only thing that protects you then is the Smartphone security.

- So your Smartphone filesystem needs to be encrypted so that if the phone is connected via a cable and it's disk read,  it will not be intelligible

- Your Smartphone Lock better be turned on so that when powered on free access to the contents is barred. In Android this also means that any attempt to connect via adb or cable access will also be blocked.  Nice one Android.


Dashboards
Large providers offer scary services to show you what they know about you.

Google Dashboard for example

Go through their dashboard and any Security review that they offer. Make sure you pass the review.


Mobile Find Services



- Registration on Find my  iPhone or with Android Device Manager.  Windows has a Devices page but note you can only


Ring, Lock and Erase a Smartphone, and not for example other devices e.g. a laptop.


What I re-learnt from 5 years ago
For a period of over 10 years upto about 2010 I was one of the last ever Psion users.  Psion was a small UK handheld which could not only act as an electronic diary but a comprehensive portable datastore.

The information I saved on that device was not just IT technical but grew to encompass financial and telephone and details, well about just everything.

Eventually I realised this volume of information was just to risky to be carrying about always in the event of a theft or loss.

It's similar to today's Cloud based Services. So, I've subscribed to another and new separate Cloud service and now use that for mobile Photo uploads. Leaving my other more sensitive cloud services without any mobile access.

We live and learn. Or is that live and re-learn?


And So
It has taken about 2 weeks, digitally now all is done.

To some extent, the bastards have won. Access to any sensitive or private document now takes longer, a lot longer.

But it is as secure as we can be.

We have also improved the physical security of our home, and all vehicles. If some shit does break through the physical layers, get past the Internet alerting cameras, and locks, and digital tripwires they'll just find encryption.



Fortress