Online Privacy, Security and Password Management

Ohio Linuxfest
Saturday, 2019Nov02
15:00 in Union A

der.hans
CDE
Object Rocket, a rackspace company
https://www.ObjectRocket.com/

Yes, we’re hiring :)
https://jobs.jobvite.com/rackspace/jobs/location?&l=US-Work%20from%20Home

Finding Hans

SeaGL: Seattle, WA
- Seattle GNU/Linux conference - Debian Software Management
- 2019Nov15-16
SCaLE: Pasadena, CA
- https://www.socallinuxexpo.org/scale/18x
- Call for Presentation open until Nov 30th ( talk to me about MySQL track )
- Southern California Linux Expo
- 2020Mar05-08
List of Some Upcoming and Previous Talks and Publications
- https://www.LuftHans.com/talks
Mastodon
- https://floss.social/@FLOX_advocate

First off,

IANAL

And,

Specifically…

More Importantly,

IANYL

If you need legal review for any ideas from this talk, talk to YOUR lawyer

Why do we need security?

— Spectre/Meltdown — Equifax admin/admin — Gentoo GitHub // password policy that mandates password managers is planned — Heartbleed — Apple SSL — Apple iCloud — Home Depot — Target — Yahoo! x 2 — LinkedIn x 3 — Eharmony — Last.FM — TJ Maxx / Marshalls — Adobe — Nieman Marcus — 7-eleven — Barnes and Noble — TriCare x 2

— Mat Honan — Jennifer Lawrence — Kate Upton — Rhianna

Cost

"They could have used my e-mail accounts to gain access to my online banking, or financial services. They could have used them to contact other people, and socially engineer them as well." – Mat Honan

What’s really at Stake?

"more than a year’s worth of photos, covering the entire lifespan of my daughter" – Mat Honan

"including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life" – Mat Honan

Data Collection

90% of data collected in last 2 years

First Things First

Use only trusted software sources!
Install Security Updates!

Encryption Demos

Postcard vs Envelope
Open Road vs Tunnel

When to Use Encryption

All the time!
Every time!
HTTPS Everywhere
- Now available from Firefox add-ons

What to Encrypt

Log in credentials
Personal information
- Name
- Address
- Phone Number
- Credit Card Information
- SSN
- Medical Information
- Private Photos
- Shoe Size

Password Bleedover

Same password at multiple sites?
One site compromise could quickly expose your data at multiple sites
Use unique passwords for every site!

Avoid the Domino Effect

Domino Effect: credentials stolen from one site used to compromise your other accounts

Really!

Use unique passwords for every site!

Are you you?

Username, often email address
Password
Security Questions
PIN
Multifactor Authentication (MFA)
Body Parts

Unique

Every one of those should be unique to every site
Each item, not just combinational uniqueness
Some restrictions may apply

Random String

Random sequence of text gibberish
Longer and more random are both better
Letters ( upper case and lower case )
Numbers
Punctuation ( !@#$%^&*.,/:\; )
Underline and dash
Spaces
Example: fnYV@tki4M'jj;iTW]21

Random Word Salad

Random sequence of unrelated words
Longer and more random are both better
Use multiple languages if you can
Declension, conjugation, etc.
Add mid-word capital letters
Add randomish punctuation
Example: correct battery horse staple

ERROR: /dev/brain read-write failure

But, Hans, that’s way too much to memorize and it’s not near as interesting as baseball stats…

Password Managers

Securely store credential information
Easy to use for authentication

Password Manager Requirements

Free Software
Hidden Password Entries
Locally Encrypted, Operating System Independent File
Data Liberation
Automagic Clipboard Entry Clearing
Easy Copy and Paste
Configurable Password Generator
Space For Notes
Entries Organization

Password Manager Bonuse Features

Human Readable Password Generation
Pronunciation Guide
Random Word Generator, aka Diceware
Random String Generation from Anywhere in UI
Secondary Key/Value Storage
Copy/Paste of Secondary Key/Value
Data Export with Sync

My Recommendations

GNU/Linux or BSD Desktop
- KeePassXC
- KeePassX, version 2.x
- keepassxc-cli or kpcli
Web
- BitWarden
- NextCloud
Android
- KeePassDroid
Other Desktop
- KeePass

One Password to Protect Them All

One Password to Hold Them All

Memorizing Passphrases

Pronounceable Strings

Like Dr Seuss, but make less sense
Useful for over the phone
Avoid lookalike characters
- 1l
- 0O
Pronunciation guides help
- werecbyivofejmu (wer-ec-byiv-of-ej-mu)

Are you you?

Authentification is identifying that you are you

How do you prove it?

3 types of authentication data
- What you know
  - Ex: Username, password, PIN
- What you have
  - Ex: ID, smartphone app, physical token
- What you are
  - Ex: Fingerprint, DNA

4th Element: You’ve been tokenized

Cookies
Device ID

ID: Username

random string: Banks, shopping, utilities
- Ex: eddyityoz
recognizable handle: Public and social sites
- Ex: https://floss.social/@FLOX_advocate

ID: Email Address

Subaddressing
- [email protected]
- username+[email protected]
Also great for mail filtering
- username+[email protected]
Limited use for social networking
- Great for notifications from social network
- Friends and colleagues

ID: Using Subaddressing

Unique ID and email address for every site
Use a random token for subaddressing
- Put site name or other human readable string after the token
Don’t reuse that tokenized email address for anything else
Bonus
- Filter incoming email to the tokenized email address
- File fake emails as spam

ID: Cookies

3rd party cookies can track you on multiple sites
Lightbeam Add-on
uMatrix Add-on

ID: Device ID

Mobile devices have unique ID

ID: Security Questions and Answers

The most important thing is …

Nonsense Is More Secure

LIE

ID: Security Questions and Answers

Random answers
Random questions
Use pronounceable strings

Multi-Factor Authentication (MFA)

TOTP - Time-Based Tokens
HOTP - HMAC
Message - SMS
Message - Push Notification
Email
Phone Call
Body Part

MFA: TOTP ( Application or Token )

Site does not need phone number
Time based tokens
Use your device like a hardware token
Time sync
Backup/offline numbers
aka Google auth
Use OneTimePass from F-Droid

MFA: HOTP

Each code used only once
Must be kept in sync
Client to server auth
Server to client auth

MFA: Message - SMS

Uses your phone number
MitM
Requires network connection

MFA: Message - Push Notification

Requires phone to have Internet connection

MFA: Email

See SMS :)
- Spam rather than sales calls

MFA: Phone Call

See SMS :)

MFA: Body Part

Hard to change credential

ID: Birthdate

Lie when you can
February 31 no longer works :(
One liner for randomish date
- date -d @$((RANDOM*24*3600/2-500000000)) +%Y%b%d
- # Random day between 1954 and 1999

Other Data

Website password limitations
PINs can often be 5 or 6 digits

Key Value Store

Security questions and answers
As random as practical
Consider verbal use

Backups

Make regular backups
Make offsite backups
Deletion
- Clouds are forever

Going Forward

Change important site passphrases regularly
Use long, random strings
Use subaddressing
Use multifactor authentication
Ask vendors to encrypt email

Nicht Vergessen!

Please use unique credentials for every site!

Glossary

Credentials
- Anything used to identify you to a system for authentication
Passphrases vs passwords
- Essentially the same, but passphrases implies they are longer and the ability to use special characters and spaces
Subaddressing delimiters
- Often a +, but doesn’t have to be. Depends on your mail provider.

Resources

Linux Journal (2017Jan): Online Privacy and Security Using a Password Manager
- https://www.LuftHans.com/LinuxJournal/Online_Privacy_and_Security_Using_a_Password_Manager
My talks and publications
- https://www.LuftHans.com/talks/
Mat Honan Wired article
- http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
Subaddressing list at Wikipedia
- http://en.wikipedia.org/wiki/Email_address#Address_tags
XKCD "Password Strength" explained
- https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

Obtaining Software

Credits

XKCD by Randall Munroe
- http://XKCD.com
- Password Strength - https://xkcd.com/936/
Freakonomics Radio
- America’s Math Curriculum Doesn’t Add Up (Ep. 391)

Bonus Rounds

Data Escrow

Use a KeePassXC file to store other important information
- Bank account info
- Life insurance info
- SSNs
- Passphrases for GPG keys
- Use multiple different files

Tips

Don’t use links in email to login
Use application-specific passwords
Don’t use Internet Explorer
Don’t use Outlook

Getting Help

Tech Support Fastlane - http://xkcd.com/806/
Free Software Conferences ( SCaLE, SeaGL, LFNW, OLF )
Local user groups