Security All The Way Down [#27]

Source, one of the many blogs I follow, has recently had a themed content week focusing on security. For their main readership this means security for the newsroom, security for the journalist, but their articles are both fascinating and widely applicable. It may seem a bit ridiculous but the reality is: everyone is a target. Yes, a journalist is more likely to be specifically targeted, because they have access to unique and often-times damaging material, but literally every single person has something that is valuable to someone else.

Maybe it’s money in the form of online bank accounts, crypto wallets or card-verified e-commerce sites like Amazon. Maybe it’s social media accounts, valuable for gathering personal identifiers that can be sold en masse for identity theft purposes or even to be used as part of modern botnets, spreading viruses and further compromises. Maybe it’s compromising personal information, images you wouldn’t want widely distributed or conversations you’d rather pay to keep out of the public eye. Maybe it’s just the thrill of seeing how far you can go, what you can uncover.

It’s unlikely that you would be directly targeted, but it’s actually fairly likely that you will be targeted at some point. It’s happened to me. A few years ago I received a message from my bank querying a large sum purchase made with a debit card that I hadn’t used in years. I freaked out a little, contacted them and had the transaction cancelled; once the bank had assured me that no further charges would occur I calmed down and started trying to piece together how the hell someone had managed to skim a card that had been out of circulation for years.

The answer, as is so often the case, was the combination of forgotten accounts, common passwords and third-party security breaches. Exactly which chain of interconnecting services led to this particular attempt at fraud is impossible to prove, but here’s my best guess. Back when I was heavily active on League of Legends they had a mass server breach, with hundreds of thousands of accounts compromised. The parties involved made off with data tables of passwords, account names and associated email addresses; no credit card details, but enough personal information to be seriously damaging. My account name was unique and the associated email address had a different password, so I figured I was safe. I was wrong. Someone, somewhere, managed to link my username to an old email account, which used that same password (Error #1). They accessed that email account without my knowing (Error #2 – set up two-step authentication!) and from there likely downloaded my entire email history (Error #3 – if you don’t need it right now, encrypt/archive it or delete it).

Within that database of emails were messages from an ancient PayPal account I hadn’t used in years (Error #4 – close accounts you no longer need). That PayPal account had a different password, but that doesn’t matter; whoever it was simply had a password reset request sent to my compromised email address and flipped it. That PayPal account was still connected to my old debit card, which I’d never closed down despite no longer using it (Error #5). They tried to use that account, with that card, to make a purchase when luckily a third party, my bank, flagged it as suspicious. As a result, the purchase was cancelled. Great, right? Problem solved, issue avoided, time for a cup of tea, right?

Wrong. I contacted PayPal and had the account closed; I went to my bank and terminated the card and figured the worst of it was over. Except the email account was no longer accepting my leaked password. Four years later and, for some reason, the password happened to be flipped back to the original one; I’ve just managed to regain control, through sheer luck, but the ripple effects are still being discovered. That email account was the main personal ID for dozens of other online accounts, many of which have been deleted, taken over or banned. Some were used for spam, others for malicious “fun” and others just destroyed. I’ve spent the best part of the last two weeks going through that old email account, finding associated logins across the web and shutting them down or taking back control.

The whole ordeal has spanned years and is still ongoing. Now, on the one hand, I got lucky. Losing so many accounts didn’t impact me financially, it didn’t uncover any secrets that could have been used to blackmail me or hit me IRL (I’m too boring for anything like that) and I never really felt any negative impact from it. I’ve lost some memories and a decent chunk of my personal time, but that’s about it. But like I said, I got lucky.

So, whilst very interesting and a recommended read, going through Source’s recent articles on personal security has left me a little red-faced. For everything I supposedly “learned”, I’m not much better today than I was four years ago in real terms. I’ve slowly been building a database of accounts I have, what they’re associated with and the personal details they contain. I’ve reset my passwords and made sure they’re all unique. Where possible I’ve closed accounts I no longer want or, at the least, removed any personal identifiers from them. But beyond that? Not much.

Reading through A Guide to Practical Paranoia is like reading a checklist of ways I’m falling behind. It recommends using local password managers like KeePass rather than cloud-based services, but I still haven’t managed to even make that step. Tor and other end-to-end encryption are mentioned as good first steps, but all I have is WhatsApp… not sure that really counts. “Don’t use out-of-the-box, popular options for data you care about,” it says, which I agree with whilst writing on a WordPress blog running the vanilla theme.

Perhaps it’s time to start making inroads into my personal security again. The reason it hasn’t happened yet is because it’s hard, it’s boring and it can be pretty confusing to boot, but the alternative is harder and potentially actively damaging. In the meantime, though, I can definitely recommend giving the suggestions and ideas on Source a good read over:

A Guide to Practical Paranoia – Stephen Lovell (Source)
Why My Motto as a Security Journalist is “Assume Breach” – J. M. Porup (Source)


Mister Vimes’d Go Spare & Assorted Odds ‘n’ Ends [#23]

Well, back from trip number two, which was a little more relaxing (though a lot more tiring… I do not understand how bodies work). As a result, I’ve actually been reading a bunch of stuff, including some fascinating finds in my Pocket archive, which I just want to get off my chest.

First up is a pretty recent post from Brynn Metheney, a fantastic artist whose work I’ve followed for years. The post details a recent contribution to an interesting project, the Endangered Species Book. That’s an impressive list of artists to be working on a single project and it seems like a very worthy cause. Definitely one I’ll be keeping my eye on.

Next are a combination of quite old posts that have taken me far too long to catch up on. Both are written by Richard Thornton, a friend of mine who is currently living/working out in Japan (I say currently, but he’s been out there for years now). The first is a brilliant look at sake culture, which was utterly alien to me but has now leap-frogged up my bucket list for the land of the rising sun. The second is a rather more personal account of shaving-procrastination (I can seriously relate) and snowboarding (I have zero life experience to understand this utter madness). Like everything Richard writes, they are funny, insightful and make me equal parts jealous of his life and incredibly grateful for my own. Perhaps Japan should be the aim for 2018…

Finally, the oldest of the lot is a short story I saved to my Pocket account so long ago I have zero recollection where it is from or how I found it. Mister Vimes’d Go Spare is an utterly fantastic piece of Discworld fan fiction; in fact, it’s so good that I was almost convinced it had been written by Pratchett himself. The script, phrasing and language are very witty and the overarching concept is so incredibly true to the voice of the series that it is definitely part of my head-canon now. I almost added it to this month’s MiM, but I don’t feel fan-fic is something I need to keep track of in that way. If you’re a fan of the main series, you should definitely read this – it provides some clever closure on several key themes and characters.

That suggestion does come with a slight word of warning, however: it may get to you a little bit. Personally, reading Mister Vimes’d Go Spare made me realise I have been avoiding reading Pratchett since he passed away. It hasn’t been an intentional, conscious choice but it is clearly one I’ve stuck to. Reading a story that even mentions, and briefly touches on, several of these characters I love and hold so dearly was, at times, surprisingly hard. Not only that, but the core idea at work was, and remains, incredibly powerful. Vimes has always been one of my favourite characters and, I think, the one that has been most influential on my own personality and life. Part of that reason is the character’s understanding of and relationship with the concept of justice. It’s a very nuanced one, yet contains absolutes which have always appealed to me. Vimes and the Watch storylines shaped my own concepts of morality a great deal.

As a result, Mister Vimes’d Go Spare cut close to the bone. The central concept is that, in the wake of Vimes’ death, his ideals and belief in justice take on a life of their own. That shouldn’t be confused with ‘good’ or ‘right’; Vimes never lived in a ‘good’ world, never had much time for something just because it was ‘right’. But there are standards. Some things have to be done, and they have to be done in a certain way. That’s justice. Not making sure the good guys win and the bad guys lose, but making sure that the result is fair and that everything is equal. It’s a very powerful idea. Talking about why I enjoyed the short so much to my partner, even writing this now, and truly contemplating that idea gets to me. It gets to me because I believe it; because, to me at least, it is true. It also gets to me because it is one of those wonderful Pratchett ideologies that feels important and correct; something that is both worth remembering and striving to obtain in our world. And that gets to me because we won’t be getting any more of those. So be warned: it might get to you, too.