(digital security – 6 minute read)
Hi Accounting fans, as many of you know, our old website got hacked in February 2022. Since then we’ve learned a lot about small business security. Today we have a guest post from our team’s DevOps architect – Chan Ju Ping!
Hi, I’m Chan Ju Ping. I am a solutions architect who helps the global community resolve tech issues affordably, in accordance with my anarchist, anti-capitalist values.
I wear many hats depending on the project I am in charge of. In The Comic Accountant’s case, the job started as a relatively simple test: cloning their WordPress install to a different hosting provider. It became a full-on damage-control migration project instead when we independently verified that their server had trojans.
Don’t worry! I won’t overload you with jargon. I shall be writing this piece for you, as a small business owner who may not have access to your own personal IT department. In this first part we’ll look at what initial measures need to be put in place to ensure your risk of getting infected with trojans and being inducted into a global botnet is as low as possible.
The term we use for security practices is OpSec (operational security). Your goal is to get your security practices good enough that it would cost an attacker far more in time and resources to gain your credentials than the effort is worth.
Ultimately, hacking can be thought of as a business (which it is!). If your attackers determine it is too costly to hack you, they are likely to give up quickly. Here’s what you can do to ensure your OpSec is good enough to discourage all but the most determined attacker.
Use Multi-Factor Authentication (MFA) to increase digital security
In a remarkable research conclusion, Microsoft claims that more than 99.9% of attacks were stopped simply by using multi-factor authentication (MFA). MFA is an extra security layer that protects your account after you input your password. If your password has been stolen, the MFA also has to be compromised before your account is ‘pwned’ (to use the technical lingo).
MFA can be something as basic as using your email to receive a secondary login PIN. You can also use compatible apps that supply time-based one-time PINs (such as Google Authenticator). My personal preference is a hardware key called a ‘Yubikey’ from trusted companies like Yubico.
Hardware keys and MFAs
One example of how I use Yubikeys (Yoo-bee-keys) is authenticating my server connections when doing backend work. I also use them to decrypt my password manager when I need to use any of my stored credentials.
If you have the option to set up MFA (or 2FA) on your accounts, do it as soon as possible. If you are using online services that do not offer MFA, get in touch with them to ask when they intend to offer it. Prioritise apps and services which could be used to impersonate you, like your email and chat apps. Eventually, you should move on to setting up MFA for everything you use online.
Don’t use your phone number for MFA!
Notice that I DID NOT mention using phone numbers for your MFA? That’s because they are vulnerable to several kinds of attack. So much so that Google themselves allow admins to disable voice or SMS verification. Whenever possible, choose either hardware keys or MFA apps to verify your logins.
Use a Password Manager to simplify digital security
Before the pandemic, I regularly ran a password cracking session as part of my Raspberry Pi class. The reason is to show new participants how easy it is to set up a password cracker. However smart or complex your password is, you will probably do one of two things:
- You reuse the same password.
- You reuse the same password with additional memorable variations. For example, password123netflix, password123twitter.
Use an open source password manager
The password manager I use is KeepassXC. You will need to generate a master password at setup. I generated mine using the Diceware method. This should be the only password you ever need to memorise from now onwards. Use Keepass to randomly generate all your other passwords. Naturally, that means your passwords can be something like:
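The Diceware method mentioned above picks words from a numbered list by rolling five dice per word, so the strength of the result comes from the dice, not from how clever you are. The following is an added example, not code from the original post: it parses a word list in the Diceware file format, converts a physical roll into a list index, picks words with Python’s cryptographically secure `secrets` module, and computes how many bits of entropy a passphrase (or a randomly generated password like the one below) has. The word list in the block is a constructed seven-line excerpt for illustration; a real Diceware list has 6^5 = 7776 lines, and the entropy figures assume that full size.

```python
"""Diceware passphrases: random word selection with a cryptographically secure RNG."""
import math
import secrets
from typing import Dict, List

# Constructed excerpt in the Diceware file format (five dice digits, a tab, the word).
# A real list has 6**5 = 7776 entries covering every roll from 11111 to 66666.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabide
11114\tabort
11115\tabrupt
11116\tabsent
66666\tzoom
"""

DICE_PER_WORD = 5
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 words in a complete Diceware list


def _valid_roll(roll: str) -> bool:
    """A roll is exactly five characters, each a die face 1..6."""
    return len(roll) == DICE_PER_WORD and all(c in "123456" for c in roll)


def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each five-digit roll (e.g. '11111') to its word; blank or malformed lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 2 or not _valid_roll(parts[0]):
            continue
        table[parts[0]] = parts[1]
    return table


def roll_to_index(roll: str) -> int:
    """Treat a roll as a base-6 number with digits 1..6: '11111' -> 0, '66666' -> 7775."""
    if not _valid_roll(roll):
        raise ValueError(f"not a {DICE_PER_WORD}-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(count: int = DICE_PER_WORD) -> str:
    """Roll `count` dice using the secrets CSPRNG (random.randint is not suitable here)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def passphrase_from_rolls(rolls: List[str], table: Dict[str, str]) -> List[str]:
    """Look up physical dice rolls in the table; a roll the list lacks raises KeyError."""
    return [table[r] for r in rolls]


def generate_passphrase(table: Dict[str, str], n_words: int = 6) -> List[str]:
    """Pick n_words uniformly at random from whatever the table contains."""
    words = sorted(table.values())
    return [secrets.choice(words) for _ in range(n_words)]


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options.

    Works for passphrases (choices = word-list size, count = words) and for
    generated passwords (choices = alphabet size, count = characters).
    """
    return count * math.log2(choices)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    print(" ".join(generate_passphrase(table, 4)))
    print(f"6 Diceware words from a full list: {entropy_bits(FULL_LIST_SIZE, 6):.1f} bits")
    print(f"16 characters from a 94-symbol set: {entropy_bits(94, 16):.1f} bits")
```

Six words from a full list give roughly 77 bits, which is comparable to the 16-character random password shown below, yet the words can actually be memorised, which is exactly what you want for the one master password you still have to remember.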
Ê+ûëI;öY`Br¹ð¬Äâ
I wouldn’t even know how to pronounce this phrase, let alone type it. In fact, I don’t know any of the passwords to the accounts I use, because they are all managed for me by KeepassXC.
There are many other features which make KeepassXC an effective part of OpSec, like clearing the clipboard a short period after you copy your credentials from its interface. You can also use hardware keys to lock the database and verify changes.
Should you use a browser-based password manager for digital security?
I realised this while working with The Comic Accountant: many people rely on the built-in browser-based password manager. I have had no reservations about this practice, as having a password manager is better than not having one.
However, while I was working on the site, it became apparent that browser-based attacks would be attractive if a popular website were taken under the control of an attacker. And if your browser is compromised, the password manager within it would probably be the next target as well.
Using a separate password manager that is relatively tamper-proof would therefore be preferable. With a password manager like KeepassXC, you can also sync the password database across devices, building your own cloud-based system. For that, I run Syncthing on all my devices, which keeps all my databases up to date.