How do you ensure your data and online activity is secure? Both on your personal/work computers and servers.
Here in the UK the government has just passed the Investigatory Powers Act 2016 which, amongst other things, means that ISPs must now keep a record of all your internet activity and it can be accessed by around 50 govt agencies. Apart from the corrosion of privacy, a big concern is that this information will at some point get hacked (ISPs retain it, not ultra-secure govt departments).
Anyway, it got me thinking about security.
On the server side I think we practice the usual stuff, firewall, port-scanner blockers, failed password blockers, remove-root login, passwordless-login, change ssh ports etc but on my local dev machine I just:
- Encrypt contents of HD
- Enable Apple firewall
And that’s it
What else can be done to protect the contents of my computer and my online activity? Is a VPN the way to go?
I love VPN’s, I have a constant SSH tunnel from my phone to one of my servers to go out for example. SSH is awesome. ^.^
Plus firewall rules to limit Internet traffic to the VPN tunnel.
For the home network I’m planning on setting up a small pfSense security gateway.
Do you install the VPN software on your computers or configure your routers?
Configuring a router would be my preferred option - so that all devices on the network automatically use it.
Do you experience a reduction in speed? Or interruption in service?
And… what are the best VPNs out there? (Many lists seem to be ‘affiliates’ :/)
I use SSH forwarding everywhere, installed straight on to my computers/phones for my VPN use. SSH adds some latency but that is about it.
I’m currently connecting to my VPN provider’s servers from each computer (my provider allows for up to three connections), but plan to change that when I get my pfSense box set up. Two of my computers are connected all the time, and they get the internets just fine.
I find AirVPN to be by far the most reassuring provider so far. They allow for a variety of means of connection, including downloading openvpn config files which can be put in
/etc/openvpn (minus the
.ovpn extension) for auto-connection; at least that works in my Debian-derived Linux distros. They also have an opensource GUI client called Eddie for Mac OS, Windows and Linux.
We at AmberBit have introduced a few company-wide measures.
We enable 2 factor auth everywhere, and require all our employees and contractors, as well as clients who wish to have access to our tools (say Github). People’s passwords are weak link.
We disable SSH passwords on all installations, use only keys.
We require all employees/contractors to encrypt the storage that we keep our code on. When we buy laptops, before giving to employee, we encrypt full hard drive.
We do not have any backup codes, or 2fa configured to use publictly available phone numbers (say visible on web site). Telecom companies are a weak link. You can literally go and ask for sim replacement, and the employees do not care to check your ID or to ensure you look the same as on ID card. I asked for replacement showing them 12 years driving license, where I was 20kg slimmer, had long hair and no beard. The guy said “you don’t look anything alike on your ID” and handed me SIM card replacement within next 30 seconds, no further questions asked. I have other device to use as 2fa / authorization tool that no one has knowledge of but me.
Do not use any publictly available wifis.
Use Telegraph / Signal / similar encrypted chat tools to discuss impotant stuff and send over credentials. No passwords pasted on Slack.
I’ve never really thought of this - when I got my new sim they did say I could go into one of their retail shops to get one or they’d send me one out (I opted for them to send one). I wonder what ID they would have asked for had I gone into their shop…
Have you thought about using a VPN? Such as the one @BrightEyesDavid posted?
I use a VPN for most things. My company actually has a little tool you can run to provision a VPN for yourself on Digital Ocean. It’s usually cheaper than most VPN providers, and let’s you stay in control of all of your data.
I haven’t used it since we changed the copy up for the Rio Olympics, but it should still work: https://www.tinfoilsecurity.com/vpn/new
Edit: If you’re curious, this is the OpenVPN script we deploy: https://github.com/tinfoil/openvpn_autoconfig/blob/master/bin/openvpn.sh
That’s a cool idea - but do you have to keep an eye on bandwidth? I watch a lot of Youtube videos
I wonder how easy OpenVPN is to set-up/use. But then again, their ‘Private Tunnel’ service seems to be pretty inexpensive: https://www.privatetunnel.com/home/pricing Edit: Hmmm, looks like that is something else.
The cheapest plan on Digital Ocean ($5/month) gives you 1TB of transfer. That’s a lot of Youtube videos
VPN to a country that does not have any ISP retention laws.
Use throw away VM that boots “live cd” to browse crap sites.
At work we mostly used openBSD + pf for firewalls and pretty much all network infra. type things,
for paranoid setups OpenBSD in bridge mode doing filtering.