With all of the data breaches happening, such as Equifax and the update on the Yahoo breach that happened a while back, it’s been on my project to-do list to go in and work on my own personal security.
I used to be really good at protecting myself online but you know, you get busy and/or lazy, start using the same password everywhere, disabling two factor because it’s a pain and so on.
So where did I start? The very first step I took was to dust off my LastPass account and go through all of my online services and replace all of my passwords with randomly generated passwords (up to 100 characters where accepted) from the service.
Then it was time to secure LastPass. Since it now contains all of my passwords for all of my accounts, the last thing I want is someone to gain access to my account. For that, I ordered myself a new Yubikey. For those of you that don’t know, a Yubikey is a small USB device that looks like a USB flash drive but instead, every time you hit the button on the Yubikey, it emits a 44-character one-time password that the service then checks with the Yubico servers to verify that the code is authentic. So as a consequence, in order to get into my LastPass account, you need my username and password as well as physical access to my Yubikey.
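To make the "service then checks with the Yubico servers" step concrete, here is an added example (not code from this post, LastPass or Yubico) of what a service has to verify in the server's answer. It assumes the signing rule of Yubico's validation protocol 2.0 (sorted `key=value` pairs joined by `&`, HMAC-SHA1 with the service's API key); the function names and every sample value are constructed for the demo.

```python
import base64, hashlib, hmac

MODHEX = set("cbdefghijklnrtuv")  # the 16-letter alphabet Yubico OTPs are typed in

def split_otp(otp):
    """Split a 44-character OTP into (public ID, encrypted one-time part)."""
    if len(otp) != 44 or not set(otp) <= MODHEX:
        raise ValueError("not a 44-character modhex OTP")
    return otp[:12], otp[12:]  # the first 12 characters identify the key

def sign(params, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs, base64-encoded."""
    line = "&".join(f"{k}={params[k]}" for k in sorted(params))
    mac = hmac.new(base64.b64decode(api_key_b64), line.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def check_response(resp, otp, nonce, api_key_b64, enrolled_id):
    """Accept only a signed OK answer for this OTP, this nonce and this key."""
    public_id, _ = split_otp(otp)
    if public_id != enrolled_id:
        return "wrong key for this account"
    unsigned = {k: v for k, v in resp.items() if k != "h"}
    if not hmac.compare_digest(resp.get("h", ""), sign(unsigned, api_key_b64)):
        return "bad signature"
    if resp.get("otp") != otp or resp.get("nonce") != nonce:
        return "response is for a different request"
    status = resp.get("status")
    return "accepted" if status == "OK" else f"rejected: {status}"

# Constructed sample values: not a real API key, OTP or server response.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
ENROLLED_ID = "ccccccdefghi"
OTP = ENROLLED_ID + "bcdefghijklnrtuv" * 2
NONCE = "constructednonce0001"

def sample_reply(status):
    """Constructed stand-in for the validation server's signed answer."""
    reply = {"otp": OTP, "nonce": NONCE, "status": status,
             "t": "2017-10-01T12:00:00Z0123", "sl": "100"}
    reply["h"] = sign(reply, API_KEY)
    return reply

if __name__ == "__main__":
    for status in ("OK", "REPLAYED_OTP"):
        print(status, "->",
              check_response(sample_reply(status), OTP, NONCE, API_KEY, ENROLLED_ID))
```

The public ID check is what ties a physical key to one account: a valid OTP from someone else's Yubikey passes the server check but fails the comparison against the enrolled ID.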
Two Factor Authentication
The second thing I did was to turn on second factor authentication wherever possible.
What I found was a lot of services only offered two factor authentication via SMS, which isn’t exactly the best way to implement two factor since it’s been proven that text messages can be sniffed out of the air and read. However, it’s definitely better than no two factor at all.
Where it was offered, I turned on two factor authentication via Yubikey. Very few services offered it as an option but it was great to see that Google, Facebook and Dropbox all have it as an option.
Amazon Web Services
Most of my servers and databases are hosted with Amazon Web Services. I was fairly surprised that they don’t support YubiKeys as multi-factor authentication. So instead, I ordered one of the devices that they recommend from Gemalto called a Safenet Display Card. It’s a credit card sized device that generates a six-digit PIN when you activate it. Once again, now in order to gain access to my AWS account, you’ll need my username, password and access to the display card.
When you turn on second factor authentication, most services give you a list of “backup codes” that you can use to override the second factor device just in case your device gets destroyed or lost.
What you’re SUPPOSED to do is actually print the codes out and store them in a safe place. But since I absolutely LOATHE paper, I stored them all in a text file, put them all onto a flash drive and made arrangements with my best friend (who lives in an entirely different county) to physically store the flash drive in a fire/water proof safe in her apartment. This way the codes are entirely offline and are protected against natural disasters.
This section I particularly went crazy with, mostly because I wanted to ensure that if my laptop ever got stolen, it would be completely unusable to the thief.
Since I use Ubuntu, it offers two different ways to encrypt your data.
Full Disk Encryption
When you install most distributions of Linux, they give you the option to encrypt the entire hard drive. So when you boot up the machine, before you even get to the username and password prompt, you need to enter a password to decrypt the hard drive. With the Yubikey, you can program the second “slot” to store a static password up to 38 characters. So that’s what I did and used that static password as the entire hard drive decryption key. Mostly because I’m lazy and didn’t want to enter multiple passwords whenever I turn on my computer or reboot.
Home Directory Encryption
Most Linux distributions offer to encrypt just your home directory where people store the majority of their documents.
This is usually the easiest way to do it just because it uses the password for your local account as the decryption key.
I went ahead and turned that on as well so the files in my home directory are double encrypted, once by the full disk encryption and once by the home directory encryption.
External Hard Drive Encryption
I always have a four terabyte external hard drive connected to my laptop for all my big files.
In Linux, you can have a drive formatted to be fully encrypted with LUKS, requiring you to enter a password when you connect the drive in order for the data to be decrypted. Yep, turned that on.
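To confirm that a drive really carries a LUKS header, and to see which cipher and how many passphrase slots it uses, you can read the header fields directly. This is an added example, not something from the original setup: it follows the published LUKS1 on-disk layout, the function names are made up for the demo, and the sample header is constructed in code rather than read from a real drive.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3   # LUKS1 marker for a key slot that holds a passphrase
SLOT_DISABLED = 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def inspect_luks_header(blob):
    """Describe the LUKS header at the start of blob, or return None if absent."""
    if len(blob) < 208 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    info = {"version": version, "uuid": _text(blob[168:208])}
    if version != 1:
        return info  # LUKS2 keeps cipher and key slot details in a JSON area
    if len(blob) < 592:
        raise ValueError("truncated LUKS1 header")
    name, mode, hash_spec, _, key_bytes = struct.unpack(">32s32s32sII", blob[8:112])
    info["cipher"] = f"{_text(name)}-{_text(mode)}"
    info["hash"] = _text(hash_spec)
    info["key_bits"] = key_bytes * 8
    states = [struct.unpack_from(">I", blob, 208 + 48 * i)[0] for i in range(8)]
    info["enabled_slots"] = [i for i, s in enumerate(states) if s == SLOT_ENABLED]
    return info

def build_sample_header():
    """Constructed LUKS1 header for the demo; not read from a real drive."""
    hdr = bytearray(592)
    struct.pack_into(">6sH32s32s32sII", hdr, 0, LUKS_MAGIC, 1,
                     b"aes", b"xts-plain64", b"sha256", 4096, 64)
    hdr[168:204] = b"00000000-0000-4000-8000-000000000001"
    for i in range(8):
        state = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        struct.pack_into(">I", hdr, 208 + 48 * i, state)
    return bytes(hdr)

if __name__ == "__main__":
    print(inspect_luks_header(build_sample_header()))
    print(inspect_luks_header(bytes(592)))  # zeroed start of an unencrypted drive
```

On a real drive the same fields are reported by `cryptsetup luksDump`; more than one enabled slot means more than one passphrase can unlock the data.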
The very first thing I changed in the BIOS was to change the boot order from CD/DVD then USB device then hard disk to hard disk first so someone can’t boot from a live DVD or flash drive.
Then I disabled the boot menu option so someone can’t change the boot order without going into the BIOS.
Of course I then put a password in the BIOS so someone can’t change anything on it without the password.
Lastly, not every BIOS has this option but my Thinkpad does: a tamper detection mechanism. Whenever a hardware change is detected, you must confirm the change in the BIOS for it to boot, which of course requires the BIOS password. This means that even if the thief is smart enough to take out the hard drive and put a different one in, it still requires a password, making the laptop completely unusable.
Securing your data is absolutely a pain in the ass. However, we live in a time where it is now a must. Would you rather be slightly inconvenienced now or wait until your identity is compromised?