Cruisers Forum
 


Old 03-12-2019, 15:01   #61
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by jmh2002 View Post
Even if someone manages to gain access to my password, they can't do anything with it because they can't produce the 2fa code.
That depends on how much of a target you or your service provider is.

Quote:
Originally Posted by SailFastTri View Post
I am curious to know (methodology and operationally): How do you secure (and backup) all your passwords and keep them unique for each site/app and long enough 14+ character (with complexity) and easily usable, and encrypted using strong encryption algorithms with long/complex private keys?
I use a mathematical convolution I can do in my head with a file I keep on my phone and computer. I never use any cloud services for sensitive information. Backup is on paper in a secure location that I certainly won't post on the Internet. Everything is behind a long password I remember (I'm good for about six passwords). Passwords in the file and paper are offset.

I've done this stuff for real.

Do not trust the cloud. Major vulnerability.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 03-12-2019, 17:03   #62
Registered User
 
JC Reefer's Avatar

Join Date: Nov 2017
Posts: 717
Re: Lost Laptop

For protection you should always use a password or fingerprint or PIN to enter your computer. I know some of us either disable this or are using such outdated devices that it is not required.

To help with the loss of data, being connected to a cloud-based backup system that syncs your laptop when connected to WiFi is the best.

I use OneDrive and didn’t think anything of it until my laptop was run over by a car. Different story for another day.

Anyway it was a lesser issue because I was able to log into another new computer using my Office 365 account and everything was back to normal.

Apple and Google have similar products.
JC Reefer is offline   Reply With Quote
Old 03-12-2019, 17:23   #63
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,663
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by JC Reefer View Post
For protection you should always use a password or fingerprint or PIN to enter your computer. I know some of us either disable this or are using such outdated devices that it is not required.

To help with the loss of data, being connected to a cloud-based backup system that syncs your laptop when connected to WiFi is the best.

I use OneDrive and didn’t think anything of it until my laptop was run over by a car. Different story for another day.

Anyway it was a lesser issue because I was able to log into another new computer using my Office 365 account and everything was back to normal.

Apple and Google have similar products.

OneDrive, iCloud, Google Drive, Dropbox, etc. are not backup programs, they are replication and file share apps. If a file is corrupted or deleted, usually no big deal and you might be able to restore to a prior version, depending on the app and service options purchased (and implemented).

If you get a cryptolocker type virus, you will be SOL because the virus will find and encrypt all cloud synced files and any network/USB connected backups. Your only recovery option would be to restore from a disconnected backup, or cloud backup that can restore the entire file store to a recoverable point in time.

Here's a link to some typical apps. I have no affiliation, but I recommend iDrive for personal users.
edit: I forgot to paste the link https://www.tomsguide.com/us/best-cl...view-2678.html
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 17:27   #64
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,663
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
That depends on how much of a target you or your service provider is.
I use a mathematical convolution I can do in my head with a file I keep on my phone and computer. I never use any cloud services for sensitive information. Backup is on paper in a secure location that I certainly won't post on the Internet. Everything is behind a long password I remember (I'm good for about six passwords). Passwords in the file and paper are offset.

I've done this stuff for real.

Do not trust the cloud. Major vulnerability.
IMO You might be able to pull this off, but the average computer user would need a more usable and reliable method, as a practical matter.
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 19:12   #65
Registered User

Join Date: Jul 2018
Location: SF Bay Area
Boat: Other people's boats
Posts: 1,108
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
IMO You might be able to pull this off, but the average computer user would need a more usable and reliable method, as a practical matter.
Agree; for most users the greatest vulnerabilities are through weak passwords or password re-use. Something like LastPass, combined with 2FA, would do a great deal to prevent the "my account was hacked" phenomenon.

If you're a more special sort of target, then you likely can take stronger steps, but most people can't. Most people have trouble achieving the "I have backups" stage of robustness.
requiem is offline   Reply With Quote
Old 03-12-2019, 22:06   #66
Registered User
 
Dsanduril's Avatar

Join Date: Aug 2011
Location: Petersburg, AK
Boat: Outremer 50S
Posts: 4,229
Re: Lost Laptop

I've spent an awful lot of time in the back of beyond with very tenuous internet connections. I'd argue that is precisely where you need 2FA the most. If you have enough bandwidth to get online to any place sensitive then you have enough for 2FA.

If your internet is that bad then you won't be able to properly monitor your accounts and look/check for irregularities. And the IT provider is likely a little less savvy than you might find elsewhere, meaning their network protections are likely less than up-to-date. Under these conditions a VPN and 2FA are nearly mandatory.
Dsanduril is offline   Reply With Quote
Old 04-12-2019, 05:27   #67
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by JC Reefer View Post
To help with the loss of data, being connected to a cloud-based backup system that syncs your laptop when connected to WiFi is the best.
Not best. Arguably easiest, but not best. Who has not read of major penetration of cloud services and credit card data?

There is no substitute for positive physical control. This applies to password management and to backups.

My solution may not be best for everyone. I offer it merely as an example. I use network attached storage (NAS) for backup. My computers, my wife's computers, and her assistant's computer back-up. Connections over the Internet work fine - we can back-up and restore remotely. Data is encrypted in motion and in place. It took a few hours to set up but it just works.

Quote:
Originally Posted by SailFastTri View Post
IMO You might be able to pull this off, but the average computer user would need a more usable and reliable method, as a practical matter.
Then I return to positive physical control. A piece of paper in your wallet or safe means you are responsible for your security. You aren't trusting to a bunch of clock-punching drones who skip hard steps and are subject to social engineering penetration. Note - a Post-It with passwords over your nav station is NOT positive physical control. Neither is under a mouse pad or under a keyboard or on the bottom of a drawer. To paraphrase DCS training 'an object in sight is out of control.'

Quote:
Originally Posted by Dsanduril View Post
I've spent an awful lot of time in the back of beyond with very tenuous internet connections. I'd argue that is precisely where you need 2FA the most. If you have enough bandwidth to get online to any place sensitive then you have enough for 2FA.

If your internet is that bad then you won't be able to properly monitor your accounts and look/check for irregularities. And the IT provider is likely a little less savvy than you might find elsewhere, meaning their network protections are likely less than up-to-date. Under these conditions a VPN and 2FA are nearly mandatory.
Most of the apps I'm familiar with use one-time keys generated based on time. If you're sitting anchored off Long Island in the Bahamas using a cell hotspot that jumps through a bunch of routers, a microwave link or three somewhere else, and a satellite link the latency adds up and the key isn't any good anymore by the time it gets checked. I like hardware tokens like the RSA SecurID but they suffer from the same problem at the edge of the Internet.

So if you're somewhere in the South Pacific and your autopilot fails and you need to move money around to get a new A/P computer shipped in and end up locked out of your accounts, what do you do? 2FA is fine as long as everything works. See Murphy's Law and consider that for long distance cruisers Murphy was an optimist.

If you're cruising in your own country and adjacent areas and are never more than a day from first world communications do whatever you like, although cloud services are still a fundamentally bad idea for personal information.

By the way - my customer's data gets treated the same way mine is.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
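How the time-based one-time codes discussed in the post above are computed and checked under RFC 6238, as an added example that is not from the thread. The 30-second step and the acceptance window of one step either side are assumptions here; each service chooses its own values. The secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed for this example)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matched, or None if rejected.

    window=1 accepts the previous, current and next time step, which is how a
    verifier absorbs clock drift and the delay between generating a code and
    the server checking it.
    """
    current = server_time // STEP
    for offset in range(-window, window + 1):
        expected = hotp(secret, current + offset, len(code))
        if hmac.compare_digest(expected, code):
            return offset
    return None


def demo():
    """Generate a code late in a time step, then check it after various delays."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    generated_at = 59                 # one second before the step rolls over
    code = totp(secret, generated_at)
    outcome = {}
    for delay in (0, 16, 40):         # seconds until the server checks the code
        outcome[delay] = verify(secret, code, generated_at + delay)
    return code, outcome


if __name__ == "__main__":
    print(demo())
```

With these settings a code stays acceptable for between 30 and 59 seconds after the step it was generated in ends, depending on where in the step it was generated.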
Old 04-12-2019, 05:55   #68
Registered User
 
Dsanduril's Avatar

Join Date: Aug 2011
Location: Petersburg, AK
Boat: Outremer 50S
Posts: 4,229
Re: Lost Laptop

As I said, I’ve found that if I have enough bandwidth to “move money around” I can manage some kind of 2FA, and with all your discussion of data security I’d think you’d want the same kind of security for moving money. To each his own.

I prefer to use a 2FA app, but in the past we have used the National Geographic sponsored world cell phone. It is terribly expensive for phone calls, but offers free incoming text messages in something like 150 countries. We made one call a year to keep it active, spent less than $20/year to have that option. Had all of our 2FA configured to that number. In this day and age, if you want to keep a constant phone number you can use Google Fi (expensive for data) or pretty much any service that has WiFi calling and connect your phone to the same signal when you need 2FA.

Many ways to skin that cat, and for my personal peace of mind I prefer to use something more than just my passphrase. And yes, I’ve ordered watermaker parts from a little island in the South Pacific with a lousy, high latency WiFi to satellite connection and been just fine. YMMV.
Dsanduril is offline   Reply With Quote
Old 04-12-2019, 06:10   #69
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,663
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
snip

My solution may not be best for everyone. I offer it merely as an example. I use network attached storage (NAS) for backup. My computers, my wife's computers, and her assistant's computer back-up. Connections over the Internet work fine - we can back-up and restore remotely. Data is encrypted in motion and in place. It took a few hours to set up but it just works.


Snip

If any device on your NAS' network is compromised by a crypto ransomware virus -- the NAS will be fully encrypted before you know it.


Your backups MUST be disconnected or they are not backups -- they're just copies.


Edit: The bad guys have become very sophisticated. Usually they conduct surveillance on the networks they compromise and monitor the traffic as well as all file locations and applications in use. Then they strike.
SailFastTri is offline   Reply With Quote
Old 04-12-2019, 08:18   #70
Registered User
 
Dsanduril's Avatar

Join Date: Aug 2011
Location: Petersburg, AK
Boat: Outremer 50S
Posts: 4,229
Re: Lost Laptop

FWIW I use a pretty common cloud-based storage company. I had a folder there synced to my company laptop when the company was hit by ransomware (see SailFastTri's comments above, that pretty much sums it up). The files in my local synced folder were encrypted and synced to the cloud. All is lost....

The company had difficulty in unencrypting/restoring backups/etc. I was pretty sure I was in the same boat, but was able to use the built-in history function of the cloud storage to return all of my files to the versions that were present just prior to the attack. Took all of about 5 minutes to get back ~25GB of stored files. Even though it was easy, lesson learned is that I now also have everything set up to require manual sync. It's certainly not foolproof, and the attackers will always find a way to get there, but it was far faster and more complete than pulling out my week old (or so) offline backups and restoring them (and yes, I have those, a necessity in my business - stored at a different location and completely offline).
Dsanduril is offline   Reply With Quote
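A check that could be run before a manual sync like the one described in the post above, as an added example that is not from the thread: it compares the folder against a manifest taken at the last known-good sync and holds the sync if too many files changed at once or if files no longer start with the bytes their extension implies. The manifest approach, the 30% threshold, the header table and the file names are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Leading bytes expected for a few common file types (assumed, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def bad_headers(root):
    """List files whose first bytes do not match what their extension implies."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            magic = MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # no known header for this type, cannot judge it
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if fh.read(len(magic)) != magic:
                    bad.append(os.path.relpath(full, root))
    return sorted(bad)


def presync_check(root, manifest, max_changed=0.3):
    """Compare root with the last known-good manifest; return (ok, report)."""
    now = snapshot(root)
    changed = [p for p, h in manifest.items() if now.get(p) != h]  # edited or gone
    fraction = len(changed) / len(manifest) if manifest else 0.0
    bad = bad_headers(root)
    ok = fraction <= max_changed and not bad
    return ok, {"changed_fraction": fraction, "bad_headers": bad}


def demo():
    """Constructed sample: four files, one ordinary edit, then a bulk overwrite."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"log.pdf": b"%PDF-1.4 passage notes", "chart.png": b"\x89PNG chart",
                   "crew.docx": b"PK\x03\x04 crew list", "todo.txt": b"buy impeller"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = snapshot(root)
        with open(os.path.join(root, "todo.txt"), "wb") as fh:
            fh.write(b"buy impeller, zincs")  # an ordinary edit
        normal = presync_check(root, manifest)
        for name, data in samples.items():  # stand-in for encryption: XOR every byte
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(bytes(b ^ 0xAA for b in data))
        after = presync_check(root, manifest)
    return normal, after
```

A held sync only buys time to investigate; recovery still depends on version history or an offline copy, as the posts above describe.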
Old 04-12-2019, 10:07   #71
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by Dsanduril View Post
As I said, I’ve found that if I have enough bandwidth to “move money around” I can manage some kind of 2FA, and with all your discussion of data security I’d think you’d want the same kind of security for moving money. To each his own.
I do. My point is that 2FA is not a panacea. How long can you manage if you get locked out?

Quote:
Originally Posted by Dsanduril View Post
In this day and age, if you want to keep a constant phone number you can use Google Fi (expensive for data) or pretty much any service that has WiFi calling and connect your phone to the same signal when you need 2FA.
Read the TOS for Google Fi (and lots of other US-based world roaming services). They are meant for travelers, not nomads. The service provider reserves the right to turn your account off without notice if it costs them too much or you don't use it inside the US more than out. Are you willing to take that gamble?

I have yet to figure out why, but some phone calls simply don't get through. My GV number simply didn't connect when called from a NZ number.

Quote:
Originally Posted by SailFastTri View Post
If any device on your NAS' network is compromised by a crypto ransomware virus -- the NAS will be fully encrypted before you know it.
My NAS runs on Linux which helps. The internal drive it operates on is hardware write protected which helps more. Good luck getting that from a cloud service.

I used to back up to rotating external USB drives. Now I back up the NAS to those drives. The problem with local back ups to removables is physical damage: fire, flood, etc. The NAS gets me geographic diversity and the periodic back up of the back up improves sustainability.

Not free though. *grin*

Security through obscurity is not true security. Nonetheless, I'm a lot smaller target than a large service, unless of course someone targets me explicitly.

Quote:
Originally Posted by Dsanduril View Post
I was pretty sure I was in the same boat, but was able to use the built-in history function of the cloud storage to return all of my files to the versions that were present just prior to the attack.
Which is a normal part of good backups.

The challenge for cruisers is working out a way to take secure offsite back ups without falling into the cloud trap. The logistics are difficult unless you start shipping drives around the planet or have someplace and someone you trust to help. Perhaps you trust Microsoft or Google or whoever. Fine. I don't.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 04-12-2019, 10:46   #72
Registered User
 
GrowleyMonster's Avatar

Join Date: Dec 2012
Location: New Orleans
Boat: Bruce Roberts 44 Offshore
Posts: 2,859
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
Rule # 1 Encrypt the disk/memory of all smart devices and storage devices, and use strong passwords.

Rule # 2 Use a good password manager such as LastPass, Myki, 1Password, or Apple Keychain -

Rule #3 Make the password for every site unique and don't use a pattern or sequence for changing passwords
Rule #4 Enable Multifactor (2-factor) authentication on every account that supports it.

YES. Always encrypt your hard drive. This is easy in Ubuntu and most other Linux flavors. Windows users, be aware of something called a paging file which can store stuff that you didn't know was stored after making best efforts to secure your computer. In past versions this could be disabled. Not sure about W10, as I have never used it.



Personally, I do not like password managers. Compromising that will compromise all of your stored passwords. Unlikely, I know, but theoretically possible I am sure. Unique passwords for every account? Absolutely. Not for the sad event of losing your computer, but for day to day security. You don't want to give free access to EVERYTHING to someone that has somehow exploited one account. It is easy to accidentally give away a password. Spoofed sites are common and quite effective if well done by a talented hacker. WIFI man in the middle attacks are common and occasionally succeed. Simply spying on your keystrokes is a good old fashioned way to get your password. Luckily keyloggers are not the danger that they used to be, but a poorly protected computer could still be vulnerable. People click on links all the time that they shouldn't have clicked. It happens. Even a relatively bulletproof system like a modern PC running Linux isn't idiot proof. Not so smart computing practices, of which we are all guilty of some time or another, can short circuit computer security. The chances of an account being compromised sooner or later are fairly good, so make sure you don't give up everything at once.


But back to the stolen/lost/misplaced computer, yes turning it all the way OFF when you are not using it, setting a good user password, not enabling root account, and encrypting your drives with strong encryption and good passphrases can make a huge difference. Like the difference between CAN get into your system and accounts, and CAN NOT do so. Simply having good user account passwords to log on to your computer is NOT good enough by itself. Someone can easily boot up your machine from an external drive and access anything that is not encrypted. He could also, if he was a bit on the clever side, install malware and prevent your security software from alerting you or isolating it. Encrypt it all. Don't take a chance. And write down your whole key somewhere secure, not just your passphrase. Usually the actual encryption key is NOT your passphrase and it may be needed to recover your hard drive after a computer failure.


Be very suspicious of a lost computer that is returned to you. Especially if the entire hard drive was not encrypted.


The majority of you out there are using Windows, no doubt. The most glaring user security fail I see, is not enabling all filename extensions to be visible in the file manager. Unlike Linux, Windows operating systems actually use those filename extensions to decide what to do with a file that you click on. You might click on "hot_midget_lesbian_amputee_mud_wrestling.avi" thinking it is a simple but oddly interesting media file, only to later find out to your great concern it is actually an exe or bat or com file, with the true filename extension hidden, and that you gave up sensitive data by running it. WinDOHs, at least as far as version 8, hides filename extensions by default but you can change that in your settings. Class dismissed.
__________________
GrowleyMonster
1979 Bruce Roberts Offshore 44, BRUTE FORCE
GrowleyMonster is offline   Reply With Quote
Old 04-12-2019, 10:57   #73
running down a dream
 
gonesail's Avatar

Join Date: Mar 2006
Location: Florida
Boat: cape dory 30 MKII
Posts: 3,115
Images: 7
Re: Lost Laptop

computers and phones are extra high priority items when traveling. never let them out of your sight.
__________________
some of the best times of my life were spent on a boat. it just took a long time to realize it.
gonesail is offline   Reply With Quote