Ben’s Phone Guide (2016 edition)

Phones depreciate in value fast; their useful life is less than their lifespan.  Not because old phones stop working, but because manufacturers stop providing security updates after about 3 years (at best!).


What If I Told You a Hacker Can Take over Your Phone with One Text… And You Don’t Even Have to Open It?

You might be hacked now and not even know it.

Exploits like this and like this are real.  Vulnerabilities have been found in the past and exploited.  They will be found in the future and exploited.  Some exploits require you to do nothing but receive (not even open, just receive) an SMS message, and then a hacker can do what he wants with your phone.  He can install malware, use your phone to launch a DDoS attack against Krebs on Security, or spy on you (or your kids if your kids have phones), activating the camera and microphone at will, listening in on your conversations and reading every message passing through the device.

The only protection against this is either (1) not have a phone (more secure), or (2) if you must have a phone, keep it up to date constantly (not as foolproof but would block all but the most sophisticated hackers).

One of the big problems with phones is security.  For iPhones you get your updates through Apple.  For Android things aren’t as clean.  The Android OS itself gets security updates, but then it has to trickle down through the manufacturer (who often doesn’t provide an update) and then the carrier you bought the phone from.

Calculating Remaining Life Before You Buy

To calculate the real cost of a phone, find out how long the manufacturer and carrier will support security updates for it.  Divide the cost of the phone by the number of months of security updates left and that’s the monthly cost of the phone.

monthly cost = cost of phone / remaining life in months

e.g.
cost of phone: $500
remaining life for security updates: 29 months
monthly-cost: $500/29 = $17.24

Oddly, the price of phones doesn’t usually drop that much after the 1st year even though they have lost 1/3rd of their useful life!

There Are Only Two Options

A lot of phone manufacturers / carriers don’t even provide updates to their phones.  They’re unsupported from the moment you bought them!

For the sake of security, I only recommend two phone manufacturers.  Google and Apple.  Both have a track record of providing timely security updates.  Google pushes out a security update every month and Apple doesn’t have a schedule but does a good job getting them out timely.  I also only recommend Apple with the caveat that you trust them because it is a proprietary closed source OS.  You are trusting them to do the right thing and have decent security.

Google Nexus Devices

Nexus 5X

Google stopped selling the Nexus, but they still have 2 years of updates left and are reasonably priced on Amazon.

Google Guarantees Security Patches on Nexus devices 3-years from the release date or at least 18 months from when the Google Store last sold the device (whichever is longer).

As of October 2016, here is the cost per month as I calculate it:

Nexus 5X – security updates until October 2018.  $332. – 16GB.
Ben’s cost over remaining life:  $332/24mos = $13.83/mo
Nexus 6P – security updates until October 2018. $450 – 32GB.
Ben’s cost over remaining life: $450/24mos = $18.75/mo

(If you get a Nexus, note that there are U.S. and International versions of the phone, if you live in the U.S. you’ll want the U.S. version).

Google has not committed to EOL dates on the Pixel line but if it’s similar to Nexus you’re looking at:

Google Pixel – $650 – 32GB – probably until October 2019
Ben’s cost over remaining life: 650/36mos = ~$18.05/mo

Google Pixel XL – $770 – 32GB – probably until October 2019
Ben’s cost over remaining life: 770/36mos ~$21.38/mo

Apple Devices

iPhone 7

iOS is closed source so I consider it less secure and less open than Android, but they do a pretty decent job at keeping hackers out.  Most compromises I hear about are through hooking your iPhone up to a service like iCloud and not the iPhone itself.  I used to use an iPhone, but at the time it was the best phone (better than Blackberry).  Now that we have Android I don’t see a huge need to use a closed proprietary system.  However, it’s always good to have competition.

Here’s a comparison of iPhone models currently getting security updates with a guess of (but not guaranteed) security updates for 3-years.

iPhone 7 Plus – probably until September 2019
Ben’s cost over remaining life: $650/35mos ~$18.57/mo

iPhone 7 Plus – probably until September 2019
Ben’s cost over remaining life: $650/35mos ~$22.00/mo

iPhone 6S – probably until September 2018
iPhone 6 / 6 Plus – probably until September 2017
iPhone 5S / 5C – probably until the next major iOS update

Where Not to Buy a Phone

Mobile carriers typically install a lot of battery-sucking bloatware, which can’t be deleted, and often delay pushing out security updates by months, even years, leaving your phone vulnerable to hackers.  Not only that, some of the extra software installed introduces vulnerabilities.

Also, phones bought from a mobile carrier are usually locked to that carrier so you can’t switch to someone else without purchasing a new phone.

Mobile Carriers

Having an unlocked phone, I avoid the main carriers and instead use MVNOs (Mobile Virtual Network Operators).  These MVNOs use the same networks that Verizon, AT&T, Sprint, and T-Mobile have, but most often for a better price.  For great service and prices I like Google Fi (Sprint & T-Mobile network), Ting (Sprint or T-Mobile), and TracFone (Verizon or AT&T), and there are plenty of other MVNO operators to choose from.  You can find one that offers the best plan for your situation.  Using TracFone (which is a pre-paid service) we pay less than $10/month for a voice/data/text plan for a Nexus 5X on Verizon’s network.

Don’t Save Money with a Used Phone

I used to buy used phones off eBay to save money, but now I don’t think it’s a good idea with the recent USB firmware hacks and the amount of malware out there.  Used phones are a security risk: you have no idea if a used phone has been compromised, or if it’s been plugged into a compromised USB device that rewrote its firmware.  Physical security is paramount.  To be safe, I always buy my phones new.

Personal Data on Work Phones and Work Data on Personal Phones

Think carefully before using your personal phone for work.  If you connect your phone to work email it almost always gives your employer complete control of the device.  They can wipe your phone when you leave, track your location, install software on your phone, and have access to all your personal data.

And similarly, if you put your personal information or your personal email account on a work phone your employer has access to that data.

What Phone Do I Have?

Kris and I both use the Nexus 5X.  I’ve reviewed the Nexus 5X here.  I will likely replace them both when security updates go EOL, which will likely be 2018.  Pixel phones are a bit expensive, so I’m hoping they release some new phones on the Nexus line again next year.

Phone Safety Tips

  1. Always use a phone that’s getting regular (monthly) security updates.  As soon as the phone goes out of support, get a new phone.
  2. Minimize the number of apps you install.  Limit yourself to the official Google Play Store or iOS store and avoid 3rd party stores like the Amazon Store where authors don’t do as good a job at keeping things updated.
  3. Favor installing well known apps with lots of downloads as they’re more likely to be reviewed and have better security practices.
  4. Uninstall apps that you don’t use.
  5. Always buy a new phone.
  6. Don’t use a phone at all.
  7. If you have a Samsung Note 7, you might want to return it before you catch on fire.


How to Encrypt Your Email

So, you want to hide your email from the NSA’s prying eyes?  It’s impossible… but here are some steps you can use to make it harder.

This isn’t theoretical.  The NSA has and does intercept this traffic.

Common Points of NSA Interception

The NSA has unlimited resources to compromise your communications.  You’re not going to stop them.  But that doesn’t mean it should be easy. Below are the easy points of NSA interception.  In this example of an email from Mom to Ben the NSA can intercept the email at Mom’s ISP, Mom’s email provider, Ben’s email provider, Ben’s ISP, and any internet hop in between.


I’m going to skip over a lot of important stuff; this guide is not intended for security experts or sysadmins of email systems, and it won’t cover how to prevent downgrade attacks, etc.  This is meant to be a post about what the average American should do to protect their emails.

Step 1. Client to Server TLS Encryption

Ensure your email client (e.g. Thunderbird) or browser is using a TLS connection to the server.  If you’re using any major provider like Gmail, Office 365, etc. they will be enforcing TLS.  All email providers should be enforcing TLS, so if yours is not that’s a good sign you should be switching.

If using webmail your browser should show https; if using Thunderbird you should be using STARTTLS for both inbound and outbound connections.

Note, the entire CA (Certificate Authority) system is broken: the NSA could obtain a fraudulent certificate from a cooperative CA, do a MITM attack, and still intercept the email, but now they have to take some effort to do so.  The point is security comes in layers, and we need to start at the basics; we’ll get to more advanced security below.

Step 2. Make sure Your Email Provider is Encrypting Server to Server Traffic

In 2013 Google was outraged after finding out the NSA was intercepting its server-to-server traffic.  As a result Google started encrypting all internal traffic between servers (good for Google).  Most major internet providers provide server-to-server encryption.  But the problem is not all ISPs use encryption, so it doesn’t do much good if you send an email from a secure service like Gmail to a small-town ISP that has no security whatsoever.  Probably the best way to check is to enter a recipient’s email address here: http://checktls.com/ and if their email provider’s MX servers pass all the tests they’re probably secure.
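As an added example (not code from the original post or from checktls.com), here is a small Python check of the kind that site performs: it connects to a mail server, reads the EHLO reply, and reports whether STARTTLS is advertised and whether the certificate validates.  The two EHLO replies are constructed samples and the host names are placeholders.  The same function works on port 587, the submission port a client like Thunderbird uses for outbound mail, so it covers the client-to-server step as well.

```python
import smtplib
import ssl

# Constructed EHLO replies, as they appear on the wire (RFC 5321 multi-line form).
# A server that supports RFC 3207 lists STARTTLS among its extensions.
SECURE_EHLO = """250-mx.example.test Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 SMTPUTF8
"""

PLAIN_EHLO = """250-mail.smalltown-isp.test Hello [192.0.2.10]
250-SIZE 10240000
250 8BITMIME
"""


def starttls_advertised(ehlo_reply: str) -> bool:
    """Return True if a raw EHLO reply lists the STARTTLS extension.

    Each line is "250-EXT" (more lines follow) or "250 EXT" (last line); the
    first line carries the server's greeting rather than an extension name.
    """
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].strip().upper() == "STARTTLS":
                return True
    return False


def check_mail_server_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server, upgrade with STARTTLS, and validate its certificate.

    Needs network access, so it is not exercised offline.  `port` is 25 for an MX
    (the server-to-server hop) and 587 for the submission port a mail client uses.
    """
    result = {"host": host, "port": port, "starttls": False, "tls_ok": False,
              "tls_version": None, "error": None}
    context = ssl.create_default_context()   # verifies the chain and the host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=context)   # SSLError if the cert does not validate
                smtp.ehlo()                      # re-EHLO over the encrypted channel
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("constructed secure reply:", starttls_advertised(SECURE_EHLO))   # True
    print("constructed plain reply:", starttls_advertised(PLAIN_EHLO))     # False
    # Live check against a placeholder host; replace with the recipient's real MX.
    print(check_mail_server_tls("mx.example.test"))
```

Two caveats when reading the result.  A server that advertises STARTTLS but fails certificate validation is doing opportunistic encryption: the hop is encrypted, but nothing proves you reached the right server.  And because the check runs from your own network, it only tells you what the server offers; an attacker sitting on the path between two mail servers could still strip the STARTTLS advertisement, which is the downgrade problem this post leaves to the sysadmins.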

Step 3.  PGP Encrypt Your Emails


Now, the NSA can still potentially intercept your emails at rest through a court order, through PRISM, or through hacking into ISPs.  Your email should be encrypted not only in transit, but also at rest.  The best way to do that is to encrypt it using OpenPGP.  This means even if the NSA gets a hold of your email they can’t read it (at least not without spending some serious time and money).

PGP (Pretty Good Privacy) isn’t foolproof.  It doesn’t encrypt the metadata (the NSA can still see that you sent me an email, they can see when you sent it and where you were) but it does encrypt the content.

How do you get OpenPGP?  Right here:  http://openpgp.org/software/ It’s free, open source, and there are plugins for just about everything.  It works with webmail, Thunderbird, Outlook, etc.  Check the link above for a complete list, but here are two common options:

If you use Thunderbird I suggest Enigmail, and if you use Gmail with the webmail interface Mailvelope is a great plugin.

Here’s a very quick getting started guide for Mailvelope below.  If you’re not going to use Mailvelope the concept is pretty much the same no matter what plugin you choose.  You’ll generate a public/private keypair, obtain the public key of the person you’re sending an email to, and send them an encrypted email.

How to Setup Mailvelope for Gmail and Chrome

Here’s a quick walk-through to set it up.  After installing the plugin you should see the Mailvelope icon on the top-right in Chrome.   Right-click on it and choose Options.

Next Generate a Key….

I should note that “Password” is traditionally called a Pass Phrase, it should be long, but you don’t ever want to forget it or you won’t be able to read any encrypted messages sent to you.  I strongly suggest writing it down and keeping it someplace safe.


Now, to send an encrypted email to me, you’ll need to import my key.  Go to “Import Keys” and type in my email address and hit search.  You should click on the keyID: 13E708FC.  A key will pop up, click on it to import my key.

Now, you can send me an encrypted email.  Go to compose a new email in Gmail.  You’ll notice a Mailvelope button in the compose menu.  Click the button.

Write me a message…


When you receive an encrypted email, it will look like this.  Click on it and enter your passphrase to decrypt.


And there you have it.   I wouldn’t say this is foolproof…. it doesn’t protect against a lot of other attack vectors…

(XKCD comic, CC-BY-NC 2.5: https://creativecommons.org/licenses/by-nc/2.5/)

But I say if the NSA is going to intercept my communications it shouldn’t be easy.  I want them to spend some effort and money to do so.

For further reading I might suggest https://futureboy.us/pgp.html

Dell Hacked: Watch Out For Social Engineering Scams


The last few days I have been getting a lot of calls from “Unknown Caller” for which I didn’t pick up.  This morning I got a call from a number in the 845 area code so I answered.

It was my friendly Dell Support rep from India!

“Hello, this is Dell support, we detected some malware activity on your computer.”
They had detected malware on my machine.  Oh no!  All I needed to do was go to this url to scan for viruses.  I put the call on speaker phone and my coworkers and I played along hoping to figure out what we could about the operation–until we told him I had a Mac and then he knew we were on to him.

Dell Data Breached

The guy had all my information: my name, the phone number I gave Dell, and even knew the Dell model I had and about a tech support call I made last year to replace a bad motherboard.  He even had an Indian accent just like Dell Support!

I can see how some people would fall for this.  This is known as “social engineering”: an attacker talks someone into going to a website to “scan your computer for malware”, which of course will turn up positive (and may actually install malware).  Then “Dell Support” will charge a fee to remove the malware that was just installed.

Since Dell isn’t as forthcoming as they should be, I thought I’d post this, because it’s obvious the hackers have been able to obtain data from Dell.  At the very least Dell support data has been compromised which makes the scam sound more convincing.

One thing I am disappointed in is that Dell hasn’t told me that my information has been compromised despite being aware of a breach for the last 7 months!  As far as I know Dell hasn’t made any effort to notify their customers of the attack.  But they should.

YubiKey Two-Factor Authentication

Last year I started looking at 2FA (Two Factor Authentication) solutions and came across YubiKey which is a fantastic little device.  I ordered a few NEOs to play with.  There are several models, I opted for the NEO since it supports the most features and has an NFC chip that Android phones can use.  It’s $50 on Amazon or can be ordered direct from the Yubico Store for $55.

Three YubiKey NEOs

YubiKeys purposefully have firmware that can’t be overwritten.  The downside is it’s impossible to upgrade them when new firmware features become available, but the benefit is it’s more secure.  So far Yubico has stood behind their product and done what’s right–last year a security issue was discovered with the Yubikey NEO’s OpenPGP card applet and Yubico issued free replacements to everyone affected.

A few things I wanted to try:

  1. Secure a KeePass database using a YubiKey.
  2. Use in place of a Google Authenticator for services that support OATH-TOTP.
  3. Use in place of a Battle.Net Authenticator.
  4. Use with a service that supports FIDO-U2F (Universal Second Factor)
  5. Cloning a key (to have a backup)

The rest of this post is sort of a guide on some of the things I’ve experimented with.

Preliminary: Enable All NEO Modes

Open up the Yubikey NEO Manager, insert a YubiKey and hit Change Connection Mode.

click the Change connection mode button

All three modes need to be checked:

Check CCID

And now apps are available.

YubiKey NEO apps are now available

Encrypting a KeePass Database

Enable Challenge/Response on the Yubikey

I followed a well written post: Securing Keepass with a Second Factor – Kahu Security but made a few minor changes.  I think some of the options I used such as variable input were not working right when the above guide was written.  The below is the configuration I used when testing.  If you want more details and screenshots see the Kahu Security post.

Open the YubiKey Personalization Tool and program SLOT 2.  If you might use YubiCloud in the future don’t reprogram SLOT 1.  There are two options, one (which I don’t want) is Yubico OTP.  This will generate one time passwords based on a counter (HOTP).  Since I want to use multiple YubiKeys, HOTP will not work well because the counters will get out of sync.  I suggest using HMAC-SHA1 which allows a program to send a challenge that only the YubiKey would know the correct response to based on the secret.

Selecting HMAC-SHA1

Select Slot 2; if you want to be able to unlock KeePass with multiple YubiKeys, select those options and choose “Same secret for all keys”.   Generate the secret key and hit “Write Configuration”, then insert any additional YubiKeys to program them all with the same secret.

Config Slot 2, Program Multiple Keys checked, Automatically program YubiKeys when inserted checked, select Same Secret for all Keys under Parameter generation Scheme, under HMAC-SHA1 Parameters choose variable input, click Generate, click Write Configuration

Assuming KeePass 2 is already installed,

Grab the KeeChallenge plugin, install it by extracting the contents, including folders into the root of: C:\Program Files (x86)\KeePass Password Safe 2.

Download the Yubikey Personalization Tools (command line) for both 64-bit and 32-bit.  Under ykpers-1.17.3-win32.zip/bin extract the .dll files to C:\Program Files (x86)\KeePass Password Safe 2\32bit overwriting any files, and do the same for 64-bit.

Once that’s setup create a KeePass database using YubiKey’s challenge-response as part of the composite master key.

KeePass Create Composite Master Key screen. Master password is checked. Key file / provider is checked and YubiKey challenge-response is selected.

Obviously save the secret to recover the database someplace safe in case the Yubikey(s) should fail or get lost.  And once again, if you’d like more details or screenshots see the Kahu Security guide.

KeeChallenge Linux Install

Also, this is easily set up in Linux.  Using Ubuntu Gnome 16.04 Beta:

(Although KeeChallenge doesn’t need it, I’ve found most plugins for KeePass2 on Linux need mono-complete installed or they fail to load with a plugin incompatibility error.)

What Security Does YubiKey Provide for KeePass?

This method causes KeePass to encrypt the database so that it can only be unlocked with the response to a challenge stored in an XML file in the same location as the KeePass database.  Only the YubiKey (or of course the recovery key) can provide the answer, and it does so without revealing the secret, which means an interception doesn’t give an attacker the ability to respond to future challenges.  This challenge/response changes each time the KeePass database is modified.  If an attacker were to intercept the challenge/response he would only be able to use that information to decrypt that particular version of the database–not future or past versions–and only if he was also able to intercept the rest of the composite key (such as the password).  This isn’t foolproof of course, and there are certainly other attack vectors that this offers no protection against, but adding challenge/response to the composite key does add another layer of security.

Caution with Synchronizing

I should note that if you’re using something like Dropbox, Google Drive, Syncthing, etc. to keep the KeePass database on multiple devices in sync, both files, the KeePass KDBX file and the corresponding XML file, must be kept in sync.  The XML file is updated with a new challenge/response for the KDBX file on each KeePass save.  An older version of the XML file will not open the latest KDBX file and vice versa.  Probably the only time the files would go out of sync is if changes to one file synchronized but you lost the connection before the other one was updated.  It’s probably a rare event but something to be aware of, and another reason to have decent, versioned backups and also a recovery key.
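The three points above (the slot answers a challenge without exposing the secret, every save picks a new challenge, and a stale XML file or a sniffed response does not open a newer KDBX) are easier to see in a small model than in prose.  What follows is an added example, not KeeChallenge’s or KeePass’s own code: the HMAC-SHA1 slot is modelled with Python’s hmac module, the composite key is a plain hash (an assumption; KeePass’s real key derivation is slower and structured differently), the 20-byte secret is constructed, and the "database" is reduced to a challenge plus a verifier so that unlock attempts can be checked.

```python
import hashlib
import hmac
import secrets

# Constructed 20-byte HMAC-SHA1 secret, standing in for the value the Personalization
# Tool writes to slot 2.  "Same secret for all keys" means every YubiKey holds this.
HMAC_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of the HMAC-SHA1 slot: the key answers HMAC-SHA1(secret, challenge)
    and never exposes `secret` itself.  Same secret on two keys, same answer."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: bytes) -> bytes:
    """Toy stand-in for the composite master key: the password alone or the
    response alone is not enough.  (Assumption: a simple hash, not KeePass's KDF.)"""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw_hash + response).digest()


def save_database(password: str, secret: bytes) -> dict:
    """Every save draws a fresh random challenge (the job of the side XML file) and
    records a verifier for the composite key that unlocks this version only."""
    challenge = secrets.token_bytes(32)
    key = composite_key(password, yubikey_response(secret, challenge))
    return {"challenge": challenge,
            "verifier": hashlib.sha256(b"kdbx-verifier" + key).digest()}


def try_unlock(db: dict, password: str, response: bytes) -> bool:
    """Attempt to open `db` with a password and a response to *some* challenge."""
    key = composite_key(password, response)
    candidate = hashlib.sha256(b"kdbx-verifier" + key).digest()
    return hmac.compare_digest(candidate, db["verifier"])


def demo(password: str = "correct horse battery staple") -> dict:
    """Runs the scenarios from the post and returns the outcome of each attempt."""
    v1 = save_database(password, HMAC_SECRET)
    resp_v1 = yubikey_response(HMAC_SECRET, v1["challenge"])   # what a sniffer could capture
    v2 = save_database(password, HMAC_SECRET)                  # database edited and saved again
    resp_v2 = yubikey_response(HMAC_SECRET, v2["challenge"])
    return {
        "key_opens_v1": try_unlock(v1, password, resp_v1),
        "wrong_password_fails": not try_unlock(v1, "wrong password", resp_v1),
        # a second key programmed with the same secret answers identically
        "any_key_with_same_secret_works":
            yubikey_response(HMAC_SECRET, v1["challenge"]) == resp_v1,
        # a replayed v1 response, or an XML file that is one save behind, does not open v2
        "old_response_opens_new_version": try_unlock(v2, password, resp_v1),
        "new_response_opens_new_version": try_unlock(v2, password, resp_v2),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The recovery-key advice in the post maps directly onto this model: HMAC_SECRET is the only value that can answer a future challenge, so a copy of it kept offline is what gets the database back if every YubiKey is lost.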

Yubikey Challenge/Response with Android

KeePass2Droid can use Challenge/Response encrypted databases if YubiKey’s YubiChallenge app is installed.  Open KeePass2Droid, select “Password+Challenge-Response”, enter your master password and hit “Load OTP Auxiliary file…” which should open YubiChallenge.  I think it may prompt for the auxiliary file the first time, if so choose the .xml file with the same name as the KeePass database.

KeePass2Droid screenshot. Select master key type set to Password + Challenge-Response. Click Load OTP Auxiliary File.

Swipe your YubiKey to unlock the database.

KeePass2Droid screenshot. Dialog says Challenging, Please swipe your YubiKey NEO.

LastPass

LastPass also supports YubiKey using OTP in the paid versions of LastPass.  The YubiKey isn’t used as part of a composite master key to encrypt the password data, as it is with KeePass; instead it’s only used to authenticate against the service.

FIDO U2F Authentication

Some services like Google, GitHub, etc. are starting to support FIDO U2F (Universal 2nd Factor) auth.  The main disadvantage I’ve found to this method is you need a backup method for logging in if you lose the YubiKey, since you can (with the services I’ve tried) only associate one YubiKey with an account using U2F.  That said, it is very simple to use… and some services let you use OTP, an Authenticator or SMS as a backup, which I think is reasonable.  Typically, after providing a username/password the service will have you insert your YubiKey to authenticate the user.

Google 2-Step Verification Screenshot. Instructions say Insert your Security Key (showing graphic of YubiKey inserting into USB port)

Yubico Authenticator

OTP Auth codes can also be stored using the Yubico Authenticator for Android (just swipe the key near your phone’s NFC antenna to get your auth codes) or the Desktop Authenticator (Win, Mac, or Linux).

YubiKey authenticator screenshot showing several entries with auth codes.

Yubico Authenticator works like the Google Authenticator, but the auth secrets are stored on the YubiKey instead of the Android device.  I like this because it means if my Android is dead I can just use another Android phone, or run the desktop authenticator app on a computer and insert the YubiKey.  Password protection is also available to secure the auth codes adding one more layer of security.

Yubico Authenticator showing New Credential screen

I was able to get YubiKey to work with pretty much any service that works with the Google Authenticator.  And I was also able to program the secret into multiple YubiKeys.
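Why the KeePass section above rejects HOTP for a secret shared across several keys, while the OATH credentials here clone cleanly onto multiple YubiKeys, comes down to what the counter is.  The following is an added example, not Yubico’s code: hotp and totp follow RFC 4226 and RFC 6238 (the RFC test secret is used so the outputs can be checked against the published vectors), base32 decoding mirrors the form in which authenticator apps accept a secret, and the two-token scenario is constructed.

```python
import base64
import hashlib
import hmac
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step, so every
    device holding the secret agrees without any state to keep in sync."""
    return hotp(secret, unix_time // period, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode a secret as pasted into Yubico Authenticator's New Credential
    screen (base32, spaces and missing padding tolerated)."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def two_hotp_tokens(secret: bytes, presses_on_first: int) -> tuple:
    """Two HOTP tokens share a secret but each keeps its own counter.

    The server validated every press of the first token, so it now expects
    hotp(secret, presses_on_first).  The second token was never pressed and is
    still at counter 0.  Returns (server_expects, second_token_produces).
    """
    server_expects = hotp(secret, presses_on_first)
    second_token_code = hotp(secret, 0)
    return server_expects, second_token_code


if __name__ == "__main__":
    expected, other = two_hotp_tokens(RFC_TEST_SECRET, 3)
    print("HOTP: server expects", expected, "but the second key gives", other)
    now = int(time.time())
    print("TOTP: key A", totp(RFC_TEST_SECRET, now), "key B", totp(RFC_TEST_SECRET, now))
```

The HOTP output shows the desync the post describes: once one key has been used, a clone of it falls behind the server’s counter and its codes are rejected.  With TOTP the counter is the clock, so a secret programmed into several YubiKeys (or into a YubiKey and a phone app) yields the same code on each, which is what makes the “program the secret into multiple YubiKeys” approach work for Yubico Authenticator.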

YubiKey as a Battle.Net Authenticator

(Note that this is not supported by Battle.Net, use at your own risk).

I found a project called WinAuth and the latest BETA version is able to generate a virtual Battle.Net Authenticator.

Create the virtual authenticator…

WinAuth Screenshot of generating a Battle.net Authenticator

Export the WinAuth config to a text file…

Screenshot of WinAuth. Click on Gear, Choose Export.

Copy the secret…

Screenshot showing WinAuth export of the Battle.Net Authenticator, with the secret highlighted.

Add it to YubiKey and you’ve got a Battle.Net Authenticator!  This should work with all the Blizzard games like StarCraft and WarCraft and whatever else they have these days.  Register the device with Battle.net using the Serial number in WinAuth.

Yubico Authenticator Screenshot showing secret key pasted in from WinAuth export.

I also tried to emulate a Steam Guard Mobile Authenticator, but it won’t work with Yubico Authenticator out of the box.  However, since Yubico Authenticator is open source, I’m sure it would be fairly easy to implement for someone with a bit of time on their hands.

And More…

I certainly haven’t explored everything that can be done with the device… it can store PGP keys and be used for SSH authentication, be used for PAM or AD authentication, etc.  What I really like about Yubico is the devices are affordable, the company stands behind their product, the software is open source (with pages of projects on GitHub) and works on Linux, Mac, Windows, and Android making it a great cross platform solution.  For people that use several different 2FA methods against a variety of services this single USB device will probably handle most, if not all of them.

Of course, 2FA isn’t going to make anyone immune to hackers, but it does add an additional layer of security on top of passwords.