Tuesday, November 22, 2016

Digital Privacy - Part 2 - Two Factor Email Authentication

Email is NOT private.
This is mostly about stopping hackers and the like.  Two-factor authentication (sometimes abbreviated 2FA) is not going to prevent government agencies from accessing the contents of your email and you should not be under any illusions about that.  Securing the contents of your email will be the topic of another post (probably more than one) but for now just know that email is not secure in general and you should not assume that you have privacy in your emails.  If you're not willing to have that message read aloud in a court room, don't send it.

The problem we're solving:
If someone can log in to your email they can see your contacts, read your emails, delete your emails, and send emails while pretending to be you.  They can also use your email account to reset passwords for your other accounts.

In addition to having a good password, one of the ways to protect the security of your login is to have Two-Factor Authentication.  This just means that logging in requires your password (the first factor) and some other thing that identifies you as the person trying to log in (the second factor.)

It is really easy to set up these days and it seems that most webmail providers offer it.  The most common options are:
  1. They text you a code.
  2. You install an app from your email provider on your phone that generates a code.
Keep in mind that the texting option requires cell service.  The app options I looked at will still work even when your phone is in airplane mode - no data and no cellular required.

How To
You can use this site, which provides tutorials for setting up two-factor authentication for many sites.  If you don't see your provider listed, just search for it. Just googling for your mail provider and "two factor authentication" will also turn up results, like these help pages for Gmail, Hotmail or Outlook.com, and Yahoo.  You'll notice that you can use two-factor authentication for other non-email logins, too.

If you're using an email address from your ISP like Time Warner you may find that they do not offer this.  You may wish to change email providers, or at least have a second account somewhere else that is more secure.

Remember Me 
When you log in from a web browser, you will be prompted first for your password and then for the code.  Someone who only has your password cannot log in.  You will likely have an option to have it remember your computer and not ask you for the second factor of authentication again when you log in from that same machine.  Do not use this option from a public or shared computer. If that computer is running a keylogger to capture your password and you also authorize it to log in without your two-factor, then your account is compromised.  Note that Gmail checks this option by default and you must specifically uncheck it when you enter the code.  Each time.

Plan B
Because it will be difficult or impossible to access your email without your phone, there are some recovery options to consider:
  1. There should be an option for a recovery code or for one-time-use codes.  These should be stored somewhere safe, ideally not electronically and obviously not on or with your phone where it would get lost at the same time.
  2. You may be able to set other recovery options such as additional phone numbers, other email addresses, a USB security key, etc.  Gmail provides a lot of options.
When you're thinking about these options, try to imagine what could go wrong that might cause you to lose access.  
  • Losing your phone will cause you to lose both the app and the ability to receive a text message.
  • If you replace your phone and keep the number the texting will still work on your new phone but the app will need to be re-downloaded and re-married to your account which you cannot do without logging in.  
  • Getting your cellular plan shut off could cause you to lose access to more than one phone number if they're all on the same plan.  
If the worst happens and you don't have a recovery code, don't forget that you can still log in from any devices that you have set as trusted.  Otherwise, you may be able to recover your account but it is going to involve customer service and it's probably not going to happen quickly.

Outlook and your Xbox
If you have other programs or devices that need to log in to your email, such as Outlook or another email client, your Xbox, your phone's email app, etc., they will not be able to use the two-factor authentication.  You will need to generate an app-specific password for them to log in with.  This does bypass the two-factor authentication, but these app-specific passwords are strong and not re-used, so they are much less likely to get broken or stolen than the average person's password.

Extra credit: Connection Security and master passwords for Outlook, etc.
If you use a mail application (not just webmail) it is important that your email client is using an option called SSL or TLS to encrypt your login or it will be possible for someone to snag one of your app-specific passwords off the network and use it to log in.  SSL/TLS is pretty standard as a default now as far as I know but it doesn't hurt to double check your mail settings in your mail client, especially if it was set up a long time ago.
-Outlook: Instructions for changing your mail settings are here.  Step 4 is where the encryption settings for your incoming and outgoing connections are.
-Thunderbird: Instructions for changing your mail settings are here.  It's the connection security you want to set.  If you have SSL/TLS for your connection setting then your entire conversation with the email server is encrypted and you do not need to separately set encryption for your password.

For Thunderbird I also prefer setting a master password.  This encrypts your saved email account's app-specific password in a more secure fashion, and also stops someone who has access to your desktop from simply opening your email client and getting the password out of it.  It will require you to log in every time you open the application.  All this master password does is decrypt your other password.  This is still hackable, it's just harder.  You can do something similar for Outlook but I am unclear on how the password storage for Outlook functions and the guide itself says that this is not for improving security.

Friday, November 18, 2016

Digital Privacy - Part 1 - Phone Unlocks

For Part 1 of this series we're going to look at phone unlocks.

There is room for you to make different decisions with your own stuff, but the TLDR is that I think the appropriate measures are to:

1) Make your phone require a passcode to unlock.
2) Do not use a biometric unlock.  If you have one, remove it.
3) Use either a 6-digit code or an alphanumeric code for your unlock.
4) Do not use easily guessed passcodes.
5) Set your phone to lock immediately.
6) Set your phone to delete all data after 10 (or some other number of) failed attempts to unlock it.

You can find details on setting up Android here, and on setting up iPhone here.

Protecting your phone can protect your emails, your texts, the emails and texts of people who have communicated with you, videos or pictures that the police might want to delete, or any of your other data.  It is yours, and you have a right to take measures to secure your own privacy and to refuse to consent to any searches.

U.S. Courts have found that you can be compelled to unlock your phone with a fingerprint (with a warrant), but you cannot be compelled to provide a passcode.  You have a 5th Amendment right to refuse to provide the passcode.  Your biometric unlock is not protected this way under current law. This article from Android suggests that you can still use it and just shut your phone off if you see blue lights.  But that removes your ability to, for example, film the police and then quickly lock your phone at the last moment.

Item # 3 in this article lists commonly used 4-digit passcodes.   Here they are:
1234 9999 1111 3333 0000 5555 1212 6666 7777 1122 1004 1313 2000 8888 4444 4321 2222 2001 6969 1010
You can see the pattern to them and avoid it in your 6-digit passcode, if you use that.  If you use an alphanumeric password just follow good password practices. You should also assume that an attacker will do their homework and try things like your birthday, anniversary, the birthdays of your children or spouse, your social, etc.  These are not good passcodes.
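As an added example (not from the original post), here is a small checker that flags the patterns behind that list so you can test a 4- or 6-digit candidate before you set it: the common codes quoted above, repeated digits or blocks, straight runs, years, and (for 6 digits) anything that parses as a date.  The date heuristic and the 1900-2030 year range are my own assumptions, not something the article defines.

```python
# Added example: flag the weak-passcode patterns the post describes.
import datetime

# The 20 common 4-digit codes quoted in the post.
COMMON_4DIGIT = {
    "1234", "9999", "1111", "3333", "0000", "5555", "1212", "6666", "7777", "1122",
    "1004", "1313", "2000", "8888", "4444", "4321", "2222", "2001", "6969", "1010",
}


def looks_like_date(code: str) -> bool:
    """Constructed heuristic: a 6-digit code that parses as MMDDYY, DDMMYY or
    YYMMDD is a birthday/anniversary candidate an attacker would try first."""
    for fmt in ("%m%d%y", "%d%m%y", "%y%m%d"):
        try:
            datetime.datetime.strptime(code, fmt)
            return True
        except ValueError:
            pass
    return False


def weaknesses(code: str) -> list[str]:
    """Return every reason a numeric passcode is weak; an empty list means none found."""
    if not code.isdigit() or len(code) not in (4, 6):
        return ["not a 4- or 6-digit numeric code"]
    reasons = []
    if code in COMMON_4DIGIT:
        reasons.append("in the common-passcode list")
    if len(set(code)) < 3:                       # 1111, 1122, 1010, 6969, 121212 ...
        reasons.append("fewer than three distinct digits")
    half = len(code) // 2
    if code == code[:2] * half or code == code[:half] * 2:   # 1212, 123123
        reasons.append("repeated block")
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if steps == {1} or steps == {-1}:            # 1234, 4321, 123456, 654321
        reasons.append("sequential run")
    if len(code) == 4 and 1900 <= int(code) <= 2030:   # 2000, 2001, birth years (assumed range)
        reasons.append("looks like a year")
    if len(code) == 6 and looks_like_date(code):
        reasons.append("looks like a date")
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "2001", "121212", "010590", "395817"):
        print(candidate, weaknesses(candidate) or "no obvious weakness")
```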

I was reluctant to enable the data deletion on my phone because I have a toddler who loves to play with it and one can easily imagine disaster.  But as you have more and more failed attempts the iPhone will force you to wait longer and longer between unlock attempts, making it very unlikely that 10 failed attempts would accumulate by accident.  A malicious person could do it to you but they would need access to your phone for hours.  Android has an app that will allow you to set the number of tries before a data wipe.

You can, in any case, restore your phone from a backup if you have one.  So just back up your phone and enable the data wipe on too many failed logins.

If someone can't easily guess your password, and they can't guess at it indefinitely without wiping the data they want, and they cannot compel you even with a warrant to unlock the phone, then it becomes difficult for them to obtain the data.

It should be noted that none of this is perfect.  The operating system of the phone may have bugs that defeat some of this security, as this older version of iOS did.  And in a case that became very public, the FBI was taking Apple to court to force them to provide a backdoor to someone's phone.  The case was dropped when the FBI claimed to have found a way to unlock it without Apple's help.  No one is sure what method they used or whether it has been or can be patched.  It may even be that it is now trivial for the FBI to unlock your iPhone, I just don't know.

That's a lesson that applies to this entire series.  Your privacy is going to be good.  It's not going to be impenetrable, and you should not assume that it is.