Useful links and resources from the #SkepTech 2 security panel
April 6, 2014
Today in Minneapolis I was on a panel with Neil Wehneman of Secular Student Alliance and Jason Thibeault of Freethought Blogs. It was moderated by Sean Wurgler. The panel was frankly titled “How to protect your shit online” and this was the summary:
Even “real life” activists have to navigate online spaces–online activists obviously more so. Unfortunately, the power that online activism can lend can easily turn against activists. How do we protect our content from hackers, spammers, and trolls? How do we maintain security while simultaneously engaging in online activism–an act that requires us to put our content out into the interwebspaceplace? Expect conversation on basic content protection measures, DDOS attacks and how to subvert them, and beyond.
In this post I will attempt to gather up the links and resources we mentioned during the panel and closely related ones as well. Feel free to chime in with other good resources in the comments. Here we are in action:
Denial of Service Attacks
Wikipedia has a very complete definition of “Denial of Service Attack” that includes a section on DDoS (Distributed Denial of Service attack). CloudFlare is the company that Jason recommended to protect your blog. CloudFlare has an article about the recent NTP reflection attacks to help you understand them.
The three critical pieces of third party software Tim mentioned were Adobe Flash, Adobe Reader and Java. Be sure they are up to date. But you should always keep all your software, including the operating system, up to date – load patches and updates as quickly as you can using the facility provided by your OS. If you are running Windows or Ubuntu, there is an open source tool called Ninite to help make loading updates easier, according to Nik on Twitter.
Tim mentioned several sites that will tell you if your account/password combination has been exposed by hackers publicly. They include Should I Change My Password, Pwned List and Have I Been Pwned. All of these let you put in your account name or email, and they will tell you if and when your password has been exposed. Do not use other sites, particularly sites that ask you to enter the password! Some of these are hackers trying to impersonate these services. Should I Change My Password has a pay version that lets you get alerts for an entire domain’s worth of email addresses; the other services may have similar options too.
When you try to clean up and use a different password on each site, you need a tool to keep track. There are several; each stores your passwords in encrypted storage and unlocks with a single pass phrase. Pick one based on whether it supports the platforms (Windows, Mac, Android, iPhone and so on) that you need. Most have free versions you can try out.
For whatever it is worth, Jason and Tim both use KeePass, and synchronize the passwords across platforms using Dropbox.
Multifactor or Two Factor authentication is where you augment a password (“something you know”) with another physical item (“something you have”) such that both would have to be stolen for you to be hacked. Many services have added this for extra security just in the last year; typically they use a smartphone app or send you a text message to finish the login. The EFF wrote up a single guide to setting it up on Twitter, Google, Dropbox, Facebook, Apple and Microsoft.
As Jason mentioned, there are two-factor plug-ins for WordPress self-hosted sites. As Tim speculated, WordPress.com has in fact added it too, using Google Authenticator.
Other popular services that now have this:
- Buffer (social media scheduling that Heina mentioned)
- Hootsuite (social media client with scheduling that Tim uses)
- LastPass (password manager)
- Tumblr (microblog)
- Evernote (note taking)
Because of all the password hacking in the last few years, many of these have just added it in the last year or so. Keep an eye out for notifications from other services adding this.
URL and Attachment Checkers
We talked about being careful with links and attachments sent to you in email. If you have one that you really suspect might be real, and you are worried the anti-virus on your computer might not check it properly, there are services you can use – if you are willing to upload the file elsewhere (obviously not a good idea for sensitive data).
VirusTotal will scan the file with several virus programs at once. You can also paste in URLs to see if they may lead somewhere evil. Two other services that can only check a hyperlink (by pasting in the URL) are URLQuery and URLVoid.
Tim strongly recommends that any webmaster or blogger be signed up in Google Webmaster Tools. Aside from being a handy free service, they can warn you about some DMCA complaints and other shenanigans involving your site. Microsoft also has Bing Webmaster Tools that are similar, but if you sign up for Bing, sign up for Google as well.
We talked quite a bit about the Digital Millennium Copyright Act and abuse of it. The Electronic Frontier Foundation has good backgrounders on it. They also have a good explanation of how your hosting company, DNS and other technologies affect your free speech online. EFF is a good organization. They also blogged about WordPress standing up for its users.
Chilling Effects monitors abuse of the DMCA; if you receive a takedown, you should report it to them.
Update: I’ve collected the live Tweets during the panel in a Storify for reference.
Update: The day after this post, Heartbleed – a serious vulnerability in key security software used by many sites – became public. Many sites are recommending password changes, but don’t jump the gun. Watch for notices from specific sites and change your password promptly. Or, this tool from LastPass can tell you if a given site has fixed the bug – only after they fix it should you change your password.
Again, if there are any resources you think I missed, mention them in the comments.