Security Hygiene for Software Professionals

As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. And that’s before we consider that the code we write has a tremendous value of its own and should be protected.

Taking responsibility for our security hygiene is, thankfully, not very difficult. Today, most tools we need are either already present in our operating systems or can be added without much effort. In this post, I’ll take you down a list of things you should consider.

Always Stay Up-to-Date

TL;DR: Don’t skip security updates. Know your vendor’s security update policy on all your devices.

Keeping up-to-date with your operating system vendor’s security updates is the bare minimum of security hygiene for anyone—not just developers. When your computers—desktops, laptops, smartphones, IoT devices—tell you there’s a security update, apply it. The kicker is making sure you are offered security updates in the first place.

On computers, the situation is pretty clear. Just about any current operating system has regular security updates available, provided updates are turned on and working. What defines “current” is another issue entirely, and it requires you to know your operating system vendor’s security update policy.

Look it up, know it, and use it to plan larger upgrades between major versions of your operating system in order to ensure you continue to stay secure. You probably don’t need to stay on the bleeding edge for security’s sake, but you will need to make sure you don’t get left too far behind.

Keeping your smartphone up-to-date is also very important. Although you probably don’t do much development there, your smartphone almost certainly has access to cloud accounts that could be used to gain access to both your personal and professional digital life in all sorts of ways. For example, outdated Android smartphones recently allowed attackers to scoop up over a million Google access tokens. Considering just about everyone uses Gmail, and an email address can be used to reset just about any passwords, this is a serious breach indeed.

Unfortunately, keeping smartphones up-to-date can be challenging depending on your choice of platform. Apple does a great job with iOS, supporting all of their phones for several years, but with Android, you need to pay very close attention to the device you choose to make sure it’s getting prompt security updates from Google. You also need to be prepared to ditch that phone as soon as those updates stop, whether you’re ready for a new phone or not.

Finally, don’t forget the other devices on your network. They may not normally have access to anything that seems important to you. However, if compromised, they can be used by attackers to escalate access into higher-value networks that are generally not protected, or into microphones or cameras as well—not to mention, they’re increasingly being used in DDoS attacks. Try to shop for devices made by vendors with a commitment to security, and keep them up-to-date.

Block Unnecessary Web Content

TL;DR: Install uBlock Origin in all your web browsers, and avoid ad-supported apps.

Ad blocking has been big news lately as publishers get more and more desperate in their attempts to monetize content and readers get more and more annoyed by the way ads interrupt their reading experience, track them, and often flat-out break pages. Much less spoken of but much more serious, however, is the delivery of malware over ad networks. This is something that has affected just about every major website that carries ads, and lately ad-supported apps as well.

The easy solution to stopping most ads and greatly reducing the threat is to install an ad blocker. uBlock Origin is your current best choice if you want a hands-off option. If you’re interested in getting your hands a little dirtier and having a lot more control, uMatrix (by the same developer) gives you sane default rules and an intuitive interface for selectively blocking or unblocking content. As a bonus, you’ll learn a lot about how modern websites are put together when you need to use the tool to allow a site to work.

Unfortunately, browser-based ad blockers won’t do anything to protect you against mobile malware or malware delivered in ad-supported software that makes an end-run around your browser. If you can’t protect those avenues, pay for the software to get rid of the ads or discontinue using the software entirely. Be sure to let the developer know why you must stop using their software if you do, and if you make ad-supported software, make sure you’re being responsible to your users by not using ad networks that execute code you didn’t write on your users’ computers.

Check Your Software Sources

TL;DR: Don’t disable Gatekeeper on Macs or similar features on other operating systems. Be very cautious about installing insecurely-delivered software.

Most operating systems now offer some form of code signing not just for operating system components, but for applications as well. Signing code cryptographically ensures that the chain of custody for a given piece of software has been unbroken since it was signed. Regrettably, some users and developers choose to entirely disable code-signing because they find it inconvenient or annoying, or they simply can’t find a way to install the software they want.

For a time (until macOS Sierra removed the option from Preferences) it was common to advise macOS users to set their systems to “allow apps downloaded from anywhere”—bypassing this important security protection entirely. A far better option is to leave the protection in place, and bypass it only as needed, making conscious decisions about each piece of software you bring into your system. You can do this easily on macOS by right-clicking a new app, clicking Open, then following the prompts.

Outside of the app ecosystem, there’s also the problem of the popular “curl | sh” pattern for installing command-line software. While curl | sh isn’t necessarily outright insecure, you should be particularly careful using it, making sure you’re not accepting software delivered without certificate-checked HTTPS (especially if you’re working over open Wi-Fi, which is trivially easy to man-in-the-middle) and checking checksums for the downloaded code if you can.
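As an added example (not code from the original post), here is a small POSIX shell wrapper that does what the paragraph above recommends: fetch the installer over certificate-checked HTTPS only, compare its SHA-256 against a checksum you obtained out of band, and run it only on a match. The URL, the expected checksum and the function names are placeholders you supply from the vendor's published release information.

```shell
#!/bin/sh
# Verify a downloaded install script before running it, instead of piping
# curl straight into sh. Usage: verified_install URL EXPECTED_SHA256 [interp]

# SHA-256 of a file, using whichever digest tool this system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Compare a file's digest to the expected hex string (case-insensitive).
# Returns 0 on match, 1 on mismatch.
checksum_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, then hand it to the interpreter.
# curl flags: --proto '=https' refuses plain http (redirects included),
# --tlsv1.2 sets a protocol floor, -f fails on HTTP error codes, and the
# absence of -k keeps certificate checking on.
verified_install() {
    url=$1
    expected=$2
    interp=${3:-sh}
    tmp=$(mktemp) || return 1
    if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
        echo "download of $url failed; nothing was run" >&2
        rm -f "$tmp"; return 1
    fi
    if ! checksum_matches "$tmp" "$expected"; then
        echo "checksum mismatch for $url; not running it" >&2
        rm -f "$tmp"; return 1
    fi
    "$interp" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Because the script is saved before it runs, you can also read it first; the checksum check then catches both a tampered download and a stale copy of the installer.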

Of course, even with these options, a lot of software is impossible to verify. In these cases, press software vendors (for commercial projects), or volunteer to help (for open-source projects), to maintain a clear, easy path for software to have a verifiable chain of custody. Other security-minded developers will thank you for it!

Use a VPN on Untrusted Networks

TL;DR: Use a VPN whenever you’re on a network you don’t control.

As I mentioned in the last section, it’s rapidly approaching trivial to sit on open Wi-Fi and not only read all traffic, but intercept and modify it as well. This is something that has literally become a business model for some internet providers. The increasing use of TLS helps defend against this, but not everyone is there, and not everyone who is there is bringing their “A” game to the party.

When you’re away from trusted networks at your home or office, rather than just shut down and be disconnected, consider using a VPN as an encrypted tunnel to re-route your internet traffic through another trusted network. On the untrusted network, you’ll only be sending and receiving one stream of opaque, encrypted data. That stream will be unpacked on the other end, and you’ll still be able to stay in touch with the wider internet.

Of course, the primary risk of using a VPN to route internet traffic is trusting the other end of the VPN to not meddle with your internet traffic. Regrettably, commercial VPN providers are difficult to pin down on this. Your best bet is to use a VPN running from a network you already trust, like your office—but don’t underestimate the work involved in running and defending a VPN service. I’d love to hear suggestions in the comments. As for myself, I’ve recently been trialling Private Tunnel (by the developers of OpenVPN).

Use Full-Disk Encryption

TL;DR: Use FileVault 2 on macOS, BitLocker or VeraCrypt on Windows, or built-in FDE options on Linux-based systems.

Full-disk encryption encrypts everything that lands on your computer’s internal storage. Although a number of security-sensitive applications can use OS services like keychains to encrypt things like your email access key, if you’re a software developer, chances are extremely strong that valuable secrets are often written insecurely to your computer’s disk. Full-disk encryption makes sure that those secrets are not readable by someone in physical possession of your computer or its disk unless that someone also has the key used to encrypt it.

Obviously, this scheme protects you from data disclosure when someone steals your computer. But this scheme is also useful when you consider that your computer won’t be your computer forever, and it will be sold or disposed of someday. If you’ve used full-disk encryption over your computer’s entire lifetime, you effectively eliminate the risk that secret data will be readable by whoever comes into possession of your machine or its components. This is a guarantee you won’t have even if you try to erase the disk later (especially on SSDs, which might remap sensitive data out of the reach of user tools). Trying to zero out an entire disk is also very time-consuming. It’s better to get it right up-front.

Beware of thinking the fact that your computer appears unusable without your encryption key is a guarantee that no one can tamper with your system. It’s still very possible. Keep your computer in your physical possession at all times.

One final tip: If you’re using macOS, consider configuring power management to put your computer into a deep sleep and dispose of your FileVault key when you close its lid. This not only saves your battery, but it also prevents someone who gets their hands on your sleeping computer from retrieving the key through key recovery devices:

$ sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1

With this configuration in play, you’ll have to type your password twice—once to unlock your machine’s sleep image, and again to unlock the screen once that’s restored. However, you can rest easy knowing your sleeping computer isn’t an easy target.

Use a Password Manager

TL;DR: Use a password manager like 1Password and replace all your insecure passwords with random strings.

Cloud service compromises and dumps of password databases—well-hashed or not—are now sadly a regular occurrence. And when those password databases are cracked and the passwords made known, the first thing attackers do is try the emails and passwords on other services—because it works so well, with people re-using passwords left and right.

As a human being signing in to an ever-growing number of services, you have no hope of creating and remembering unique, strong passwords for every one of dozens of services you likely use every day. Instead, delegate the job to a well-designed password manager like 1Password, using it to generate and store truly random passwords for those services, then easily enter them with convenient browser and mobile extensions.

Of course, you do need to consider the risks of putting all your eggs in one basket. A good password manager defends your secret data by never having the decryption key stored in the cloud (in case their cloud service gets compromised) and by using whatever defenses the operating system on your computer makes available. However, if you aren’t careful about all of the other advice presented in this post, you increase the risk that password-manager-attacking malware could land on your system.

You also need to make sure that you create and store backup “emergency kits” (1Password makes this easy!) in case you lose your devices or forget your master password. If you can’t get ahold of the encrypted vault that contains your passwords and unlock it, you could be in for a very difficult time regaining access to increasingly-important cloud services. But with a little forethought, you can minimize this risk and rest easier that the damage from the next cloud compromise can be contained.

Stay Alert

TL;DR: Follow security people on social media. Understand and advocate for security issues. Revise your plans as necessary.

This advice, given in 2017, looks very different from advice I may have given years ago. For example, many password managers of the not-so-distant past were often terrible, centralizing the risk of a complete compromise without adequately defending against threats. They were designed for convenience above security. Today, the most popular password managers are much better-designed, but the threat landscape is also different, with more cloud providers playing a more important role in the day-to-day operation of the world than ever before.

The threat landscape is always changing, but one thing is not likely to ever change: If you write or publish software, you are a bigger target than the average user. Take your responsibility seriously. Stay in touch with the security community, understand security issues, advocate good security hygiene among your colleagues and cohorts, and—above all—stay vigilant.

Conversation
  • Richard Ahlquist says:

    I so hate to see a password manager ever recommended. I so prefer people to use pattern passphrases and not have to depend on yet another app that can be compromised.

    • Matt Behrens says:

      By “pattern passphrases”, I assume you mean something along these lines? http://www.infosecisland.com/blogview/21562-Its-Time-to-Convert-from-Passwords-to-Passphrases.html

      I don’t believe that method will scale well as we accumulate more and more logins (I have three hundred items across my 1Password vaults), and also sacrifices much-needed entropy—in the event one passphrase is reversed, it’s a short journey from that compromised passphrase to one that will work on another site.

      It’s also not likely to work well with the hodgepodge of password requirements you’ll find across most online services.

      • Richard Ahlquist says:

        With all due respect, entropy is irrelevant when a password or passphrase is long enough. The page you mention is quite similar to what I recommend people use.

        I tell them to start with a phrase of at least 10 characters, alphanumeric, mixed case, with at least one ‘special’ character of ‘@,^,&,-’; anything beyond that is up to them, the more the merrier. Other special chars like %,*,$ can be troublesome as lots of sites block them. Again we are looking for length and difference is all.

        So now let’s say we are lazy and come up with DedCat333@ for our core phrase. In a brute force attack that gives a total potential of 60,510,648,114,517,017,120 possible passwords within the character sets used. If you were to be able to brute force guess this at 1000 guesses per second, to fully exhaust this list it would take 19.24 million centuries. Let’s say you have access to a massive cracking array and are able to do one hundred billion guesses per second; it would still take 19.24 years to exhaust all the possible passwords in the potential set.

        But that’s just the core part of our passphrase; we would not want to use that for every web site. So how do we make it unique in a manner that’s predictable to us and reproducible? Simple patterns based on the site we are using it for. I tell people figure out your pattern and stick to it. What do I mean by that? Let’s take a look.

        http://www.funnydomain.com

        OK, we have DedCat333@; now decide how you want to place your site unique characters. I suggest for example they base them on things like the syllables in the name. So in our test case above that gives us F and N. If they are extra security conscious I tell them to then add the total # of characters in the base domain name ( funnydomain.com ) as a number as well. So let’s say they decided to split the syllables, and add the number to the end. They now have FDedCat333@N15

        To brute force exhaustively search the 95 potential characters over that length of password would take 1.57 thousand trillion centuries at 1000 tries per second. With the massive array at one hundred billion tries per second its 15.67 million centuries to exhaust all possibilities.

        Now, I know a brute force attack would not have to completely exhaust the search space, this is true. The thing with a password though, is it is only as effective as a door lock. If someone wants in bad enough there are other ways. A strong password/passphrase is to keep the lazy criminals and the honest out.

        Why do I not trust password keeping apps? As a developer I realize sh*t happens. Things break, get broken or get hacked, often in amazing, and marvelous ways. For example https://www.theregister.co.uk/2017/01/31/cryptkeeper_cooked/ that was a bit ugly, disk encryption software with a fubar password.

        Another case in point. Do you know why in the past (and maybe still) some video streaming android apps wouldn’t run on rooted devices? If you are thinking it’s to prevent the downloaded movie from being stolen you are on par, but the way they wanted to prevent it is not often what people think of. If you have root access to a device you can grab a copy of the frame buffer for the screen. Effectively they wanted to prevent people from stealing movies by taking a copy of the framebuffer as a pseudo screen shot of each frame. The reason being they can privately encrypt the data, in a fairly unhackable method, and only allow playback through their app with the ability to decrypt, but to display it on your screen, it has to go into the framebuffer in a non encrypted manner that an outside bit of code could read. The same holds true for a password app: no matter how carefully encrypted the data is, if it’s ever displayed to you, there is and/or has been decrypted data that malware could access.

        • Tracy Reed says:

          > With all due respect

          This is passive-aggressive speak for “screw you”.

          > entropy is irrelevant when an password or passphrase is long enough.

          Long enough == enough entropy

          > I tell them to start with a phrase of at least

          And here we’ve already failed. You are relying on the human to put some brainpower into following the rules you specified and generate an appropriate password. That is not going to happen reliably. They need to press the button in their password manager which automatically generates the password for them. It may as well be as long and ugly as possible because they will never be typing it in.

    • Tracy Reed says:

      Password managers are by far the best way to go. The threat model is such that the chances of your local password app being compromised are FAR less than your password being guessed or duplicate passwords being used where compromise of one service leads to compromise of others etc.

  • Richard Ahlquist says:

    BTW, for the brute force calculations I used https://www.grc.com/haystack.htm since it’s readily available.
