A Shabbos Goy on Cyber Security

Many moons ago, I started this account and I completely forgot about it, as I do with many things. Until today.

Today I woke up (sigh...), checked my cryptos (PROFIT! Fuck yeah!) and checked the Twitterverse for news and updates in the world of crypto. Although I didn't find much news on coins or tokens, I did find that one of the most popular / controversial Twitter dudes, PhilaKone, got hacked. As far as I read it, all of his devices were compromised. All of his email accounts were compromised. His 2FA codes were compromised. All of his funds were gone. Ouch, tough luck.

I noticed many comments on Twitter from people who gave advice that, although posted with a good intention, simply didn't add up. And that's okay. Why should it? After all, information security is a specialized field within computer science. This gave me the idea to create a simple guide for my fellow cryptocurrency enthusiasts on information security.

So what I'd like to share with you today is a quick guide on how to better secure your working space in general – not just specifically for cryptocurrency management/handling. I will explain to you not only what to secure, but also why certain security measures must be taken. I will explain, in short, how attackers think and what they do in order to get to you and how you can fend off those attacks.

If you'd like a more in-depth guide on handling your cryptocurrency funds, I recommend you check out @notsofast and his guide on this specialized subject. There are some elements that overlap, but he mentions things like hardware wallets.

Disclaimer

I am not responsible for any data loss that might occur before, during or after this guide. I am not responsible for your behavior on the internet and/or in real life. You must understand that nothing in the world is “unhackable” and even after you've got all (technical) security measures in place, you're still required to use your common sense. While I can only show you the information security doorway, it is you who has to walk through that doorway and decide on how to walk through it. There is much more to information security that what is laid out here in this quick guide. This is the tip of the iceberg, but should be more than enough to secure you in most situations. Thank you for understanding.

Software Updates

In my experience the most effective and simple way to fend off attacks is simply by updating your software. Software in this case entails everything from your operating system to any and all installed software packages. Have software packages check for updates automatically, or schedule a weekly moment for yourself to check on your most important software. These days most software packages have an auto-update function. Turn it on! This one is especially important with your operating system (Windows, Linux, iOS, etc.).

Attackers prey on people who have software updates disabled. Software updates, to a lot of folks, are considered to be annoying. Thus the updates get turned off. This is one of the biggest security risks out there today! Attackers know this and will make use of that. A person who doesn't update their software is one of the easiest targets. Usually this person also opens up phishing emails and clicks on social media scams.

Anti-malware

Next to software updates, having a proper anti-malware suite installed is one of the easiest and effective things you can do to secure your systems. Anti-malware suites, depending on how much features there are on it, will secure you from malware attacks (viruses, Trojan horses, rogue bitcoin miners, key loggers, etc.) where the underlying operating system and/or you yourself fails to protect you from them.

After all these years on the great internet of ours, one of the easiest way to penetrate a system is to send a trojan horse or a virus via email or a malware link. Even today people who are not aware of the dangers will click links without any regard of the consequences. It's people like these that attackers prey on through this method of attack. Some hackers modify the source code of their malware, so that the digital signature of the malware package changes. This allows them to circumvent most anti-malware suites.

This is one of the many reasons why it's important to invest in a proper anti-malware suite, such as Bitdefender. Yes, it costs money, but it's well worth it. Bitdefender is one of the few suites that has a 100% detection score in independent tests. Free anti-malware suites often don't offer advanced protection the way Bitdefender does. Bitdefender looks at the behavior of a piece of software, rather than just the signature which can be altered.

As an added bonus, Bitdefender also comes with a firewall. Which brings us to the next topic.

Firewall(s)

There are two types of firewall that you can install and/or make use of: a perimeter firewall (such as a firewall that is pre-installed on your router, also known as a hardware firewall) and a system firewall (one that you install yourself on your laptop/computer, also known as a software firewall).

Make use of both!

Usually a perimeter firewall is a simply firewall, it doesn't have much intelligence or functionality other than “close port” and “open port”. This is sometimes also referred to as NAT functionality (Network Address Translation). This is a piece of functionality in your router that makes sure that certain incoming connections from the internet to your internet modem/router on a certain port get rerouted to the proper computer on your home network. I am not going to go into detail on this bit, but Wikipedia has some interesting articles on this.

A software firewall usually has more functionality, such as filtering on IP address, allowing/denying a certain executable/app on the internet and of course allow/deny ports. I personally recommend the firewall that comes with Bitdefender. As is with their anti-malware suite, it is one of the fastest and most effective software firewalls at the time of writing.

With a proper firewall a common method of attack (or rather a method of scouting) called a port scan can be fended off. A port scan is a program that is run by the attacker (that already knows your public IP address) which checks for open ports. If a port is open, one could try to find an exploit through a program running behind that port.

Full Disk Encryption

Disk encryption, also called encryption at rest, is a method of transparently encrypting the contents of your storage device, without you noticing this. This one applies especially to mobile devices, such as a smart phone, tablet or laptop. Reason for encrypting the contents of your hard drive(s) is that the stored data becomes unreadable at rest and can only be decrypted with your (secure!) password. This effectively bars any stolen devices to be read by thieves.

On most operating systems these days it's possible to encrypt the stored data on your hard drives. Windows has a native feature called Bitlocker, Linux can also encrypt (portions of) your hard drive, Android and iOS based devices also offer this option.

If you happen to run a system that doesn't support native disk encryption, there's a third-party application called VeraCrypt which is the spriritual successor to TrueCrypt. This application, although not easy to use, allows you to create encrypted file containers or encrypted disk paritions. It offers a wide range of encryption methods and is quite a bit more secure than the native options available on most operating systems. Although the native options (which are all based on AES) should be more than enough for most cases, the truly paranoid among us will feel more secure using three layers of different encryption algorithms that come with VeraCrypt.

Is your data 100% secure using disk encryption? No. Even with disk encryption, there are ways to go around it. One such attack is called a Cold Boot attack where an attacker with physical access to the device dumps the contents of the RAM, possibly exposing the private keys needed to decrypt the data on your storage device. This is a beautiful example which shows that nothing is “unhackable”. There is always a way. It just depends on the risk-reward.

Secure Network Connection (VPN)

A VPN, or a Virtual Private Network, is a virtual network adapter which piggy backs on your physical network adapter that forces your internet connection to connect to a single server, a VPN server. What this allows, is that to the outside world, your computer makes requests to one and only one address, masking the actual destination. Often times, if not always, a VPN connection is encrypted. This hides the actual content that goes over the line - even if the destination (web) server does not support encrypted connections.

Using a VPN these days can be quite easy and not too expensive. Personally I recommend Private Internet Access or PIA for short. They have a plethora of servers spread around the world and most servers are lightning fast. They offer extra services to block advertisements and protect you against some network exploits, such as a DNS leak. Please refrain from using free VPN services, as they are usually not as secure as the specialized paid services by companies like PIA. NordVPN is another solid provider, although my personal experiences with them are not that great, speedwise.

A VPN can conceal your true traffic to the outside world. Using a VPN can fend off a possible man-in-the-middle attack. This is a form of attack where a hacker sniffs your internet connection for useful information (such as a clear-text password). It also keeps out the prying eyes of an ISP or government agency that you might not want to have looking at the contents of your browsing.

Another use case for going online over a VPN connection is that it also protects you from the KRACK attack, that was recently discovered. The KRACK attack, in short, is an attack where devices on a WiFi network are vulnerable even over the encrypted WPA2 connection. Although the KRACK attack has mostly been patched (see Software Updates!) some client devices (such as Android-based devices) are still vulnerable to this exploit. What this does is allow an attacker to sniff out your private keys (i.e. the encrypted passphrase needed to access your network) and access your network and wreak havoc.

Account Policies

This one is especially true for Windows users. It's recommended to set a logout/login policy where the user's active session is locked out after X minutes of inactivity or when a laptop screen is closed. This greatly reduces the chances of unwanted users on your computer while you're away. The common sense part is to always lock out your active session when walking away, of course. Do this by hitting the Windows button + L.

This policy/habit is especially applicable in a working environment. In my work space, whenever a person leaves their laptop or computer unlocked, we try to “hack” them. In this case it means sending an unwanted email to everyone in the office, saying the compromised person is treating everyone for something like cake. This is a rather harmless way of ramming that habit into someone's thick skull once and for all. No one likes to buy cake for their co-workers. No one.

Check out this nifty guide on how to enable a security policy like this on Windows.

Disable Remote Access/Assistance (Windows only)

By default a feature called Remote Assistance is enabled on Windows. This feature allows people to connect to your computer and help you with an issue you might have. As you probably guessed by now, this feature can also be used to "help" you with your cryptocurrency funds... A guide on how to disable this feature can be found here.

Passwords

Ah yes. Passwords. Many myths, misconceptions and mysteries surround passwords. Are they supposed to be long? Complex? Random? Well... yes and no.

Realize the following: passwords usually get stored as something that's called a hash. Usually a SHA-256 hash. Exactly like the hashes used in Bitcoin! The Hash is a cryptographic representation of that password. This way password verification can be done without storing the clear-text password of a user. However, if you know the original clear-text value of that hash, i.e. the password, one can gain access to an account.

That's where attackers take advantage of short and simple passwords. They simply try many (known) combinations of passwords. Perhaps your birthday, your dog's name, your hobbies, etc. This attack is called a Brute Force attack. It's a pretty naif form of attacking, but quite effective if the password is simple, short (anything less than 12 characters) and easy to guess.

A better way to get a secure password is to use a Passphrase that is nice and long, contains uppercase letters, lowercase letters and numbers and maybe even special characters. An actual (English) phrase that is easy to remember and preferably doesn't make any sense at all. For example:

Sup3rLongP4sswordAndIHateBuyingC4keForCoWorkers@2018

Yes it's overdone, but you get the idea. The key here is to use a combination of all types of characters and making the password quite long, i.e. more than 12 characters. Preferably even 16 or even 32 characters. The rule of thumb here is: the longer, more complex and more random a passphrase is, the better.

Password Manager

A password manager is simply a program that creates a file called a password database. This password database is encrypted and only accessible by that password manager, on the condition that you enter the correct (master) password to access that password database. Usually a password manager also contains a random password generator, so that you don't have to remember your passwords, but you do keep them safe in your encrypted password database – as long as you remember your master passphrase.

One such password manager for the Windows OS is KeePass. It creates encrypted password databases in which you can store all your passwords securely and comes with a password generator.

##Cloud Storage
Of course, you're going to need to store that password database somewhere safe. Somewhere where you can still recover the database file after a local disk crash (it happens, be prepared). You can make backups of your password database (and other files), but making manual backups every now and then tends to not be a solid backup policy. Rather, look outwards to something like a (private) cloud service.

Is this goy really recommending a cloud service? Depends on the situation.

Although you should always be careful about the cloud storage service you use, as not all cloud storage services encrypt the stored files at rest (i.e. an attacker who attacks the cloud storage can openly read the stored files in your account), storing an already encrypted database file should pose little to no threat (as long as you've secured your password database with a strong passphrase!). If you want to add an extra layer of security to that, consider zipping the password database into a .zip or .rar file with password protection, using AES-256 encryption (an option available on WinRAR and 7zip).

If you really want to stay in control of your storage, it's possible to rent a virtual private server (VPS) and install your own cloud service software, such as ownCloud. This does require quite a bit of technical know-how. Combine this with disk encryption, and you'll be even more secure.

2FA codes

This part applies especially to social media accounts and cryptocurrency exchanges. 2FA stands for Two Factor Authentication. No it's not a cryptocurrency coin, but it's an authentication method. 2FA can be setup on most cryptocurrency exchanges and social media platforms. If a platform of this nature does not offer 2FA, please don't use the service for your own safety!

2FA is usually setup by providing the service with your phone number, so that they can send you a One Time Password (OTP) each time you login, next to your regular password. This is usually a 6-digit code, which is valid for about a minute each time it's generated. Google also has an app for this, so that you do not need to provide your phone number, called Google Authenticator. Each account requires a seed, which is usually given in the form of a “secret seed” or QR-code with the same value as the secret seed. Store this seed in a safe place, as you'll need it to restore your 2FA access if your device ever gets corrupted in some way.

The best way to use 2FA is to install Google Authenticator on a device that is disconnected from the internet. A popular way of attacking an 2FA-enabled account, is to attack the device that contains the actual 2FA codes.

WiFi Protection

Now this one can be a bit difficult, as you'll need to access and configure your wireless router. If you don't know how, please google for a manual of your router's make and model. Although router and network configuration is whole topic on its own, I can only recommend that you enable WPA2 encryption on your wireless router, use a strong password and be sure to update all your client devices to protect against the KRACK attack, as mentioned before. If the latter is not possible, be sure to always connect to the internet using a VPN connection.

Another option you can use is to disable the broadcasting of your wireless network's name (the SSID). It'll be a hassle to connect to the network, as you'll manually need to enter all the connection details, but you won't advertise your wireless network to the world. Wardriving is still a thing.

Also be careful when connecting to public WiFi hotspots, especially the open unencrypted ones. A VPN connection can help you greatly here to stay protected, but if you want to be sure, stay on your mobile data (3G, 4G) connection.

Phishing Emails

Although I feel like I really shouldn't explain this one, it still baffles me how many people still fall for it. Usually driven by greed, people click on fake links to obtain "free cryptocurrency" or respond to a fake email from the support service of a known cryptocurrency exchange with their username and password. If you ever receive an email asking you for a password, the answer to your secret question, just delete it. Don't click any links in spam emails, don't load images (they can already contain a malware payload), just hit delete. These emails usually come in the form of a notification from your bank, or cryptocurrency exchange, saying someone logged into your account, or the bank is requesting some private information about your bank account. These emails usually do not have any attachments either, as they are not needed. Don't respond to these emails, instead contact the bank, exchange or even the police!

Attackers hope that people open up these emails out of curiosity or haste, then click load images or click a link, whereby clicking a link or loading images that are embedded in the email already contain a payload that can compromise your system.

Having a solid anti-malware suite will protect you from most of these types of phishing emails. Bitdefender does a great job at filtering your incoming (and outgoing!) emails.

Separate Email Accounts

Speaking of emails... This one sounds like an open door, but it's a great way of filtering email communication – and so few people actually do this. Use a separate email account for registering with services, such as cryptocurrency exchanges. If you receive spam on that email account, you'll know instantly that 1) your email address was leaked intentionally or unintentionally and 2) that the email you received is 100% without a doubt a scam and should be deleted and/or put in your spam folder.

Browser Extensions

There are several browser extensions out there that can help you secure your web browsing and increase the quality of your browsing experience. I'll recommend three that I use myself:

• Adblock Plus: this extension blocks advertisements on the internet. While not a security measure per say, it does increase the browsing experience.

• Disconnect: Disconnect. Disconnect blocks social media cookies and links. Cookies that can be used to track your browsing behavior. This behavior is gathered by companies such as Google, Facebook and Twitter to sell to third party companies and/or study.

• HTTPS Everywhere: This extension forces your browser to connect to the secure https address on every website, even if you entered the unsecured http address.

Although these extensions aren't the biggest security improvements, I do like to consider them as the icing on the security cake.

Friends & Family

Last but not least: your friends and family. A popular way to attack a certain target, is to vector in through a friend or family member who is not as tech savvy. Imagine this: You own a lot of Bitcoin and have become the target of some evil hacker. This hacker will first try to attack you directly. Phishing emails, social media scams, etc. this is a low effort attack that usually yields great results. However, Mr. Hacker finds out that you are smart. You won't click on any links, you won't fall for any scams. You have a firewall that rejects any port scans, and he simply can't get in through the proverbial front door. Now what? Simple: he vectors in through your friends and family that do fall for the aforementioned tricks and scams. This way, he can pretend to be your mom on Facebook, or your friend on Twitter. Because you're now receiving links or emails from someone you trust, you are more likely to click a link or fall for a scam.

So be careful of the links that even friends and family send you. Do your part in warning them about the dangers on the internet. You don't have to tell them that you're a cryptocurrency whale, but urge them to take some actions. Show them this guide, recommend they turn on automatic updates and get some anti-malware software. Get them to do the bare minimum and help protect themselves and you.

Conclusion

After all of this, it's up to you and your common sense and intelligence to assert a situation or a threat. You can install a thousand anti-malware packages and still get hacked if you clicked on that weird email. You can install a thousand firewalls, and still get hacked.

What I'm not saying is that you have to go through life with a tin foil hat, but if you take just a few precautions when dealing with highly sensitive situations (such as you handling your cryptocurrency portfolio), then you'll come a long way.

Security is all about adding barriers or layers. Basically information security is all about delaying the attack until you can or have to pull the plug out of your compromised systems. If the barriers become too difficult, if the delay becomes too great, an attacker will cease his attack (usually).

Attacking someone is simply a risk-reward business case. Is it worth the risk and effort? If you have 1 BTC in your portfolio, then effort has to be scaled down to 1 BTC. If you have 10.000 BTC, then I can tell you that no effort is too great.

From what I've read from PhilaKone's posts on Twitter is that his devices are still corrupted. Even his friend who tried to help him got infected and had Bitcoin funds stolen from him. Now I'm thinking that it's quite possible that his network got infected. Someone has hacked their way into his wireless network. Perhaps they left a Raspberry Pi (a small mobile microcontroller with an operating system on it) with the malware that keeps on infecting a known wireless network with a known (KRACK?) attack. Either way, this shows that hacking him is worth the investment.

I hope you've learned a little bit from this wall of text and that I've helped you secure your working environment a little bit better.

Thanks for reading!

P.S. If you wish to know more about securing your cryptocurrency bags, then please read @notsofast's post on securing your bags.