Personal Information Security Best Practices

My 2017 New Year's resolution is to start taking personal information security more seriously by learning and implementing reasonable best practices. Of course, security practices tend to be a slippery slope that ends with wearing a tinfoil hat (i.e. diminishing returns). With that in mind, this post ranks best practices by increasing amount of pain/paranoia; that is to say, the first items on the list are definitely worth implementing.

2-Factor Authentication (2FA) wherever possible

Multi-factor authentication is a security mechanism that requires two or more forms of authentication:

  • know something (password)
  • have something (smartphone)
  • be something (biometric)

2-factor authentication (2FA) is commonly implemented with a password plus a code that can only be generated on your smartphone. In practice, this means someone trying to guess your account password (either intentionally or as part of a broader scan) would also need access to your phone to log in. I jumped on the 2FA bandwagon after I realized someone overseas was trying to log in to my Stripe account and my 2FA protection was keeping them out.

I enable 2FA for every service I can, but if I had to choose the most important subset:

  • Email
  • Facebook
  • Slack
  • Financial accounts

I use and recommend Google Authenticator, but I know others are just as happy with Authy. Each service you connect should provide you with backup codes; it’s important to keep these in a secure and accessible location. Without backup codes, you could end up techno-crippled if something happens to your phone and you find yourself locked out of your accounts.

Use encrypted messaging

SMS messages can be (and probably are) logged by your cellular provider — how else would they show up so often in subpoenas? Any message you send should be encrypted so that those logs are full of gibberish. It’s also important that the encryption/decryption happens on your phone, so the network you’re on never sees the plaintext.

iMessage. Encrypts end-to-end by default if the recipient is also using iMessage — but anything sent to an Android phone or an automated service goes out as plain SMS in cleartext. Owned by Apple, so only as trustworthy as you consider Apple to be.

Signal. Made by the good folks at Whisper Systems. The biggest downside is convincing your friends to install another messaging app.

WhatsApp. Uses the same encryption protocol as Signal, but is much more widely installed. Owned by Facebook, so only as trustworthy as you consider Facebook to be.

Require a passcode on your phone

This is explicitly a passcode, and not Touch ID. We saw in the San Bernardino case that even Apple claims nothing can be done if the passcode can’t be furnished. There have been some legal flip-flops on whether or not a court can compel you to give up your passcode, but someone could certainly hold you against your will and press your finger to a phone.

If you do decide that Touch ID is worth the risk, remember that you can force a passcode login by turning your phone off and back on.

Don’t display message previews from the lock screen

2FA over SMS is weakened if an attacker with physical access to your locked phone can still read the 2FA codes your phone previews on the lock screen, without ever unlocking it.

Unique password for every web site

Your password should be a random assortment of letters, numbers and symbols, or a random phrase of words. Furthermore, you shouldn’t reuse your password, because not all services are created equal. I’m reasonably confident Google won’t get hacked and leak my Gmail password, but I’m not as confident that a 2-year-old startup can safely protect my password. Reusing passwords between services could allow an attacker to escalate from a breached low-value account into a higher-privileged one.

But I’m also not advocating that you remember 100 different randomly generated 16-character passwords! Let a password manager like 1Password, LastPass, Dashlane or KeePass do it for you. In addition to browser extensions and smartphone apps, a password manager makes it easy to generate secure passwords.

It can be alarming to realize you don’t know practically any of your passwords, but with access to your email and phone, resetting any password should be a relatively straightforward and painless task.

And as a final note of caution, if you’re saying “I don’t care if they get my Facebook, it’s not important”: it is important. With access to your Facebook, someone could reasonably impersonate you, and use that to gain access to more privileged data and accounts.

Encrypt your hard drive

OS X makes it very easy to encrypt your startup disk with FileVault. There’s really no excuse not to. Even if an attacker gains physical access to your computer, without the encryption password they won’t be able to access any of your data.

VPN

Similar to not trusting any one web site to not leak your password, you shouldn’t trust any random wireless network you hop on. You really have no way of knowing the network is not logging information about your internet usage. Using HTTPS-enabled web sites will obscure your data from them, but it won’t obscure the DNS requests — so they could potentially see every site you’ve loaded, and how long you’ve been there.

That’s why I use a Virtual Private Network (VPN) to encrypt all of the traffic on my laptop and smartphone before it leaves the device. The wireless network sees that I have a connection to my VPN server, and that’s it — no subsequent DNS lookups or data transferred will be readable by any middleman. My level of paranoia may be high, but I use a VPN even on “trusted” networks like my home wifi and cellular network.

If you’ve got some DevOps chops, you can set up something like Streisand on Amazon Web Services relatively inexpensively. On the other hand, I’m happy to pay $10/month to Cloak for a reliable service and a polished smartphone and laptop experience.

Disable recovery by phone

Using your smartphone as a recovery device is encouraged by many major web services. However, it means that someone who gains physical access to your phone can use it to get into sensitive accounts. Not having a recovery phone might make life harder, but it can also make you more secure.

Physical shutter on your webcams

If it’s good enough for Zuckerberg, it’s good enough for you. Sentiment analysis can be used to extract gender, age and current mood from a photo of you. This technology is pervasive enough that any app you grant camera permissions to could be running sentiment analysis while you’re using it. Even if you’re not a tinfoil-hat-wearing conspiracist with respect to what the NSA can do with your iPhone, there’s a good chance you stare at an app with camera permissions (Facebook, Instagram, Snapchat) for several hours a day or week. No software will be able to see through a webcam cover, though.