Staying safe in the world wide web
A security horror story
A few weeks ago I got really scared.
The reason was this post.
The writer leads engineering at BitGo (a large cryptocurrency payment processor) and had a very juicy Coinbase account.
That Coinbase account was created with a Gmail account that had 2FA based on his mobile phone number.
Attackers called his mobile service provider and convinced the (probably young but naive) representative to port his SIM card.
Attackers then hack Gmail --> access Coinbase --> steal $100K worth of crypto
No need for fancy techniques that listen to the sound your CPU makes to crack your password.
All it takes is just one smooth talker and perhaps some highly available personal information.
I had been aware for a while that my security measures were lacking.
But, as happens with a lot of things in life, I didn't have sufficient activation energy to do anything about it.
Hardening my security
I'm by no means a security expert, but I hope sharing my experience here might help someone trying to figure out how they can make themselves a bit safer.
I started my journey with a rather innocent link posted in the post above. It's just a chart that compares a bunch of password managers.
Note 2 things:
- There is one clear winner in the game of password managers - Password Store
- The document is part of a repo about security tokens - what are those?!
The conclusion was quite simple.
I should get a hardware token.
YubiKey is the standard hardware token.
I should get a YubiKey.
So on one sunny Sunday I did just that: I went to the local reseller and bought a pair of YubiKey 5 Series keys.
I get excited when I get new stuff, so I went on a binge of learning what I should do with my YubiKeys. The initial list I came up with was:
- Move all my accounts to MFA with a YubiKey + backup
- Set up fresh PGP keys and store them on the token
- Finally set up Pass as my password manager and leave cloud services like LastPass for good
Setting up MFA
This should be pretty straightforward.
Go to your favourite and most sensitive accounts. Choose a security token, and connect it.
And don't forget to set up your second token as a backup.
Turns out most providers are not particularly supportive of security tokens as a means of MFA.
Best case, you can set it up as a secondary option after you set up MFA with your phone and then remove your phone.
Worst case, you can't have MFA without your phone and you only have the security token as a backup.
PGP has always been there, quite literally, since it was invented before I was born.
It has a UX to match, and the only time I've ever used it was when transferring a private key to a fellow developer.
So why the hell would I care about creating PGP keys and putting them on my YubiKey?
Mostly because I think it's cool. Some other benefits:
- Finally signing git commits.
- Sending and receiving encrypted things online.
- No more worrying about a million SSH keys, since a PGP key can double as an SSH identity.
So I went for it, set keys up on an air-gapped system and transferred them to my token.
Felt like a wizard.
If you want to do this yourself here is one of the guides I followed.
One difference is that I used Tails instead of Ubuntu for the air-gapped system.
For years I trained my mind to be the ultimate instrument for remembering passwords. But then, at some point during the previous crypto bull market, I forgot the password for a wallet with 20 ETH in it. My trusty mind had failed me.
I needed a password manager.
I even used some for work purposes. But I could never get over the hurdle of entrusting my personal passwords to a third party.
Pass turned out to be the perfect solution for me.
It's just a folder (and potentially a git repo) encrypted with PGP.
And then guess who just got himself some securely generated PGP keys :).
I followed this guide and had it set up in no time. Two things I did afterwards:
- I migrated my existing LastPass passwords (there are a bunch of migration tools available here).
- I installed PassFF to manage the passwords directly from the browser. The UX is not on par with LastPass, but the trade-off is worth it for me.
Overall, the entire process, including the "research" took me about 8 hours.
Not too long compared to the amount of value stored in the accounts/passwords I just secured.
Investing in security is hard. It's fairly confusing and time-consuming, and the benefit is in all the shit you avoided, not in all the value you created. I think that parts, or most, of my experience can be useful and applicable to other people, if only in showing how one such setup could work.
Feel free to contact me if you have any questions/corrections.