Email Security 101


At MISTI in 2013 I was on the closing panel with Alex Hutton (at the time CSO of Zions Bank) and Chris Nickerson (a “red teamer”) – the topic was the distressing state of internet security. Hint: it’s distressing. Somewhere in the course of the panel I decided to do a “show of hands poll” and asked everyone in the room:
How many of you use the google 2 factor authentication on your gmail account?

Alex and Chris and I raised our hands. One lady on the corner of the room raised her hand. A ballroom full of IT security and audit professionals generally don’t use free, high quality authentication – well, that tells you everything you need to know about the state of internet security. People keep saying things like “no matter what we do, we get owned anyway!” except that, you know, they refuse to do the most obvious, basic stuff – not even the free stuff. Have you heard about the Ben and Jerry’s diet? That’s the one where you eat a gallon of ice cream every day and complain about your weight. If you complain enough you may burn off some calories.

Here’s a Roadmap:

  1. Turn on Two Factor authentication on your crucial systems: email, paypal, ebay, amazon – anything that involves your money. If one of your crucial systems doesn’t offer two factor authentication, then use a different system that does not suck. This dramatically raises the difficulty of attacking your account. Now that you can transfer your cell phone number when you change providers or accounts, there’s no reason not to take advantage of your phone as an authenticator – either through something like the google authentication app, or simply having a code SMS’d to your phone as part of your monthly login process.
  2. Use a password vault for your passwords. The value of a password vault is not that you can use a 20-character password (that’s easy) but that you can use a different 15-character password for every system: if your account on that knitting patterns site gets compromised, the password is not the same as the one on your amazon.com account. This also dramatically raises the difficulty of attacking your account.
  3. Do your backups. This is a topic I will eventually do a separate post on, but: have a USB external drive that you sync important stuff to regularly, and when it’s not in use it’s powered off. This will dramatically reduce the chance of you losing any data by accident or as a result of a cryptolocker attack.
  4. Don’t fall for phishing scams, document attachments, etc. This is mostly a matter of not clicking on links in your email or opening attachments or obeying the message from your CEO saying “please enter the following command at your windows prompt – FORMAT C: /Y”  Because humans are fallible, this does not dramatically raise the difficulty of attacking your account, but it does help a bit.
  5. Don’t browse the internet or read your email with a privileged account. Create a user account on your windows system that is a normal unprivileged account and do your browsing and emailing from there. This dramatically raises the difficulty of exploiting a successful penetration of your account.
  6. Use an email client that’s not horribly stupid if you can. I use Mozilla Thunderbird because a) it has good built in bayesian spam filtering, b) it uses your spam filters to build an adaptive model of which messages it should and shouldn’t show dynamic content from c) it also builds an adaptive whitelist model – if I send you email regularly, your replies are not likely to be spam filled with links to driveby malware. This dramatically improves your security. Or, you can use Outlook – in which case why are you reading this?
  7. Browse using an ad blocker and a script whitelister. For one thing, your web experience will be much faster (I’m on metered bandwidth thanks to Verizon’s blood-sucking rural broadband and when I turn my ad blocker off, my bandwidth usage jumps 35%)  My particular incantation is: Firefox, Ad Blocker Pro, Noscript. On iShinies I use Safari and 1Blocker. This dramatically improves your security.
  8. Extra Credit: If you have a way of vectoring emails to your SMS text, or otherwise red-flagging them, red-flag all emails involving account management: password changes, new machines being authorized, or new two factor authentication devices being added.
  9. Extra Credit: Do not install Java or Flash on your machine. This dramatically improves your security.
  10. Extra Credit: Do not install Adobe PDF reader on your machine. Instead, go buy a copy of Corel PDF Fusion, which is way better and faster anyway. It’s $34. Not having Adobe reader on your machine dramatically improves your security.
  11. Extra Credit: Have one system you use for gaming and browsing and farting around on, and another you use for work. Your work machine should spend a lot of its time powered off. Being powered off dramatically improves your security.
  12. Extra Credit: Use AppLocker to whitelist your non-privileged browsing/emailing account so that it can only do those things and pretty much nothing else. If, like many of us, you are the “IT Department” for an aging parent or a child, deprivileged accounts plus parental controls (which is an interface on top of AppLocker) is a very very good approach.

Discussion

Each of the suggestions above will reduce the likelihood of you getting compromised by a good 50-70%* – by the time you do all that, you’ll be a hard target, indeed. If you’re protecting a secret identity, you should have a dedicated laptop or an iPad with a keyboard, that you do nothing else with. If you’re blogging anonymously or whatever, do not browse to any other sites using that device. Install TrueCrypt on your user partition and dekey it if you’re ever crossing an international border.

When you boost your security you want to think not just about making it harder to get hacked, but also to detect attempted hacks. That’s where turning the two factor on is important: it’s not just two factor – it embeds an enrollment process in which you’re also registering which system you use. This is super duper uber important because if your password somehow gets compromised, your attacker now has to figure out how to avoid you getting an SMS from google saying “please enter this code to authorize your new machine …”  That tells you it’s WTF time. If you ever get a “password reset?” email don’t just click on links it because the link may be bogus – that’s a favorite phishing technique. You should only ever get password reset emails when you’re, you know, resetting your password.

The way the two factor works is great: you enroll your cellphone with the site and when you want to make a credential change to your account from then on, you’ll get an SMS txt with a code that you enter into a page on the site. That tells them not only that you have your password but you have your cellphone. Raising the bar to the point where your attacker has to have your cellphone – that’s raising it about as high as it can go.

Typically you can also set two factor authentication to require the code once a month. The site stores a cookie in your browser that expires monthly (or whatever) and if you ever try to go to the site from a new machine without the cookie, it’ll do the SMS code check. That means if someone gets your password and tries to use it from another location, you’ll get a notification that a new system is trying to enroll – which means you know your password has been compromised and it’s time to get busy with the code check and password change cycle.

Do not waste your time thinking about passwords. Passwords are a losing game** and as anyone who’s seen WARGAMES knows, it’s best not to play those at all. When I need to set up a new password on something I pop up Lastpass, generate a 16-character random password, copy and paste it into the window, paste it into Lastpass, and forget about it. If I need the password a month later, I just copy and paste it again. The easiest way to set something like Lastpass up is to use the “I forgot my password” re-enrollment process on every site you use, then just re-enroll with a random password and forget about it. Here’s the thing: your passwords are more secure if they are different than if they are long, or not written down. If I have my 16-character password on a post-it note (or even in notepad on my desktop so I can copy and paste it!) stuck on my computer, you have to come to my house in order to read it. Now, the FBI will do that. Your typical hacker won’t. Then we’re down to talking about threat models and “who are you afraid of” and that sort of thing.

The Cloud

Do not fear putting your email out in the cloud, i.e.: at Google or Apple or wherever. For one thing, that makes it easy for the FBI to get them without having to smash in your door or hack your computer – it’s all very genteel. I’m sort of kidding.

Here’s the thing: if all the suggestions I made above for securing your email endpoint sound bad – the list of things you should be doing to set up a secure server is a lot worse. If you don’t intend to be a professional system administrator and do log analysis and vulnerability management on your server, then let Google or Apple or whoever do it. They’ve screwed up, of course, but they’ve got the energy and time to fix it, which most of us don’t. The vast majority of vulnerable systems on the internet are exploitable with well-known vulnerabilities that have been published for months or weeks – sometimes years. It doesn’t matter if it’s your personal @clintonemail server or your corporate server – servers are a target and there are lots and lots of robotic hack-o-matics that will check for the exploit and break in regardless of whether you’re important or not. The large cloud systems have already dealt with those, or they wouldn’t be large cloud systems for very long.

If you’re moderately paranoid (me! me!) you can have your email reader client pull down and delete messages off your server – don’t leave your messages to pile up on the server; we call that “evidence.” Use a pop client like Thunderbird and have it poll the messages down every 15 minutes and delete them. The downside of this is that if you mangle your local email archive, it’s gone. On the other hand, I suspect there are a lot of people at the DNC who wish they had a single place where they could mangle their local email and make it gone. Gosh, that Hillary Clinton sure is naive about technology, huh?

Short form: unless you want to be a professional server administrator, leave your email in the cloud.

Ugh

And… This is why I am extremely irritated by things like the DNC breach or the Clintonemail.com server kerfuffle. None of this nonsense needs to happen. Especially not for the High and Mighty. Set them up with a dedicated system that’s configured to do the right thing, and hand it to them. That, by the way, was what the State Department tried to do with Hillary Clinton except her definition of “the right thing” was different from theirs – she didn’t want record management. As my accountant once said “there are only two kinds of people in hell: those who were caught in the act, and those who kept records.”***

You get some weird counter-intuitive tradeoffs when you start to realize that having your passwords stored in the clear in notepad on your iPhone is more secure than having a 35-character password that some DNC administrator idiot emails to everyone: “HEY THE NEW SECURE PASSWORD IS ‘DIEBERNIEDIEDIEDIE’ EVERYONE USE THAT.”

If you’ve designed your security so that emailing around passwords is something you may even want to do, you’re doing it wrong. That’s one reason I get sniffy when the FBI says “the {Chinese, Russians, North Koreans} did it!” because I’m pretty sure that an australian shepherd dog could hack some of these organizations, their basic security practices are so bad. The FSB does not need to dust off an elite hacker team to come after an organization that’s so stupid you can probably hack them by sending them an email appearing to come from a fund-raiser, that contains a spread-sheet, which contains a trojan horse. A poodle could hack these people.

If you follow the roadmap above, I guarantee you you’re safe from the poodles and probably the FBI as well.****


(* More actually, but when I’m making up numbers I try to be conservative unless I’m running for office.)

(** I swear I have been saying exactly those words over and over since 1992. So much for progress.)

(*** Now amended to “3 kinds…” and “… those who have accountants.”)

(**** Because the FBI will cheat. They’ll just drop a national security letter on your landlord and walk into your apartment while you’re out, then install a keylogger in your computer and come back for it in two weeks.)

Comments

  1. Dunc says

    Another benefit of using a password vault: you can set it to remind you to change your important passwords regularly. (At least, KeePass can, and I assume others are similar).

  2. says

    Dunc@#1:
    you can set it to remind you to change your important passwords regularly

    Yeah, but…

    This is what I mean by “it’s counter-intuitive” — if you’re using 16-character passwords and you’ve got a different password for each site, why change them at all? The reason for changing them is because, I suppose, one might be exposed or someone might crack it slowly over a long time – but in the latter case you ought to already know (you should get an email that your account got locked, then go through the password reset procedure with your 2 factor authentication) If it gets exposed, well, yeah, that’s a problem.

    Nowadays I think of my passwords more as crypto keys that I exchange and manage. Sure, I re-key sometimes but since I’m doing nothing but point-to-point security and am not establishing a network where I have to worry about transitive trust, I can let the re-key interval get large. As in: “I’ll probably die of old age before I have to change my 25-character random Apple-ID password”

    One more thing: when sites get compromised they usually trigger a password refresh for you so you can’t login without going through the whole two factor dance. That’s a big step in the right direction, though it can get annoying as hell if you think you’re going to just nip over to someplace and do something and you don’t have your cellphone handy.

  3. AndrewD says

    I would suggest an additional rule:- “If what you are about to say may be incriminating, compromising or embarrasing, do not send it by E mail or put on any digital equipment especially if networked”, use snail mail or dead drops.

  4. Pierce R. Butler says

    If you do “have” to keep a password list on your disk, at least label it “Aunt Millie’s Carrotcake Recipe” or somesuch – and put a carrot cake recipe at the top of the file.

  5. says

    AndrewD@#3:
    “If what you are about to say may be incriminating, compromising or embarrasing, do not send it by E mail or put on any digital equipment especially if networked”

    That’s a longer form of:
    As my accountant once said “there are only two kinds of people in hell: those who were caught in the act, and those who kept records.”

    I used to wear a Tshirt I had made, which read:
    What happens in cyberspace stays in cyberspace
    (usually, forever)

  6. says

    Pierce R. Butler@#4:
    If you do “have” to keep a password list on your disk, at least label it “Aunt Millie’s Carrotcake Recipe” or somesuch

    Just don’t. Keep it on your phone. There are password vaults for iPhones that encrypt locally and use the thumb-reader. Just don’t lose your thumb.

  7. Pierce R. Butler says

    Just don’t lose your thumb.

    Do you happen to know whether any of the stories are true about (ahem) hackers slicing off fingers to open fingerprint-detecting locks?

  8. says

    Pierce R. Butler@#7:
    Do you happen to know whether any of the stories are true about (ahem) hackers slicing off fingers to open fingerprint-detecting locks?

    The only infosec-related dismemberment I’ve ever heard of was a hacker who was extorting money from gambling sites using DDOS attacks, until he hit a site owned by the Russian mafia and he was found in a couple different dumpsters.

    Here’s the problem: if I can slice off your finger, I can just as easily slice off your ear to encourage you to unlock your phone politely. We have to whisper about such things because if the FBI hears us they’ll be pushing Congress to allow them to do it. To protect the kids against terrorism or something.

  9. Pierce R. Butler says

    I recall reading somewhere, quite a few years ago, about some company’s superwhizbang fingerprint-reader which also detected pulse & temperature, specifically to discourage such digital misappropriation.

    Having to haul around an entire authorized personnel to access The Secret Place does seem a bit more awkward.

  10. says

    Pierce R. Butler@#9:
    Having to haul around an entire authorized personnel to access The Secret Place does seem a bit more awkward.

    This stuff is all movie plots anyway. If you want secrets it just takes money and a bit of persistence, generally. The secrets Snowden, Ames, Manning, Walker, Philby, and so many others show us – they walk out the door by themselves.

    You don’t need to haul an entire authorized personnel around, you just have to haul a gun and let them walk on their own. It depends on the threat scenario, of course. Remember – if your security is too good to break, the only thing left for them to break is you.

  11. John Morales says

    My particular incantation is: Firefox, Ad Blocker Pro, Noscript

    Mine is Firefox, RequestPolicy, Noscript.

  12. Dunc says

    if you’re using 16-character passwords and you’ve got a different password for each site, why change them at all?

    It’s a fair point – but on the other hand, why not? It’s not like it costs anything… Especially for the handful of critical systems that I use that don’t support 2-factor auth, but am sufficiently attached to for other reasons that I don’t want to jump ship.

    Financial institutions in the UK have been very slow to adopt this sort of 2-factor auth, so there aren’t that many options (in fact, there may not be any – I haven’t done the research needed to find out, and frankly I can’t be bothered), and there are other considerations involved in my choice of bank, such as “do they invest in arms manufacturers and tobacco companies?” and “does their customer service make me want to kill myself?”. While my bank does have a nifty chip-and-pin based 2-factor auth system for authorising new transactions, they don’t use 2-factor for login… So I like to change my password regularly. Sure, it’s probably not necessary, but it doesn’t hurt and it doesn’t cost anything.

  13. says

    Dunc@#12:
    but on the other hand, why not?

    It’s one more thing that can go wrong, one more place to slip up, one more time your password crosses the internet encrypted under SSL’s dubious protections…

    If they are critical systems and don’t support 2FA they should have a privileged access management box (Cyberark, Thycotic, etc – there are many) in front of them. A system can’t both be “critical” and “not important enough to protect” …

    Financial institutions in the UK have been very slow to adopt this sort of 2-factor auth

    I’m horrified by the endless number of people who’ll do internet banking with mediocre security. Examine your terms and conditions carefully and see if they indemnify themselves in the case that your credentials are compromised. I.e.: they suck and they made it your problem that they suck. Surprise, surprise. I should probably do a posting about the morning when I got a call from a guy who lost his retirement savings that way.

  14. Dunc says

    I’m horrified by the endless number of people who’ll do internet banking with mediocre security.

    Well, like I say, my bank uses 2FA based on chip+pin (so you’d need my card, a card reader, and my PIN) to actually authorise transactions… And it’s not like other banking channels are any better. (Don’t get me started on the bad joke that passes for phone banking “security”…)

    There comes a time when your options are to either accept what’s on offer, or not function in modern society. Sure, it’s a shitty deal, but that’s functioning in modern society for you.

  15. Alistair B says

    Another advantage of a password vault is: if you use it to copy the URL to your browser, in theory a keylogger won’t know the URL or the (also copied) password you are using. Screen-scrapers will get the URL, but not the (hopefully) masked password.
    Foxit for PDF is free and doesn’t seem to have enough users to be worth hacking.
    I also use the MVPS hosts file as additional security.

  16. lorn says

    It isn’t as bad as ISIS computers. No, not those guys. ISIS with Sterling Archer from the show “Archer”.

    A running joke in the series is that all the computers allow “guest” as a password. The computers are, even though the show originated in 2009, depicted as ancient LIsa-2 package units and the mainframe uses tape units and teletype printers.

    It reminds me of the days of phone cradle, bleeding edge 300 baud Hayes modems. Those were the days. Dial up the sysop at the mainframe using the convenient rotary-dial desktop model phone, read off your user information and then, when told to do so, place the handset into the cradle and push the button. That was High Tech.

    A few months before we were punching cards, delivering batches to the processing center and waiting hours for the results.

    And yet I remember those times as the good-old-days.