My digital security setup

Y’all see that guy who got hacked recently? TL;DR: AT&T sent a hacker some dude’s SIM card, so all his 2FA defenses were useless.

That story shocked me into getting my operational security into shape. Here’s where I am right now.

Step 1. Secure my devices.

I’ve switched to 10+ character randomized alphanumeric passwords for my phone and work/personal laptop. In retrospect these devices were single points of failure (SPOF) – if a malicious party had gotten access, they could have gained access to my password vault and any sensitive information on my hard drive.

To prevent the Mac login experience from taking too long, I’ve also purchased YubiKeys and Rohos Logon Key for Mac. This allows me to unlock my computer with physical YubiKeys. If someone got my computer and my YubiKey, I’d be screwed – I think it should be possible to add a PIN code to the YubiKey but I haven’t done this yet.

I’ve also ensured that my password managers require passwords to be re-entered after a new login.

Step 2. Secure my services.

The most involved part of this process was auditing GitHub, Google, Dropbox, and Facebook for settings, as well as deleting any apps/devices no longer being used. These services all support YubiKey as a 2FA option, so that coupled with Google Authenticator allowed me to drop SMS for 2FA entirely. Twitter requires use of SMS – a glaring weakness.

Surprisingly, my financial institutions were the least equipped to handle 2FA. Simple only supports text messages; Chase’s implementation is sporadic and also text only; and PNC has got literally nothing in the 2FA space. Despicable.

Update 10:27am: Colin Howells pointed out on Twitter that PayPal’s SMS-based 2FA might be the worst of all. He also noted some flaws with iCloud’s 2FA implementation, which uses any Apple devices previously authorized (including the device you might be physically using to access the service). So that iCloud protection is of questionable security value if the malicious actor has already gained access to your desktop.

Step 3. Secure my network access.

I got a lifetime subscription to VPN Unlimited as a general prophylactic. My main WordPress server has been running SSL for a minute now and I hardened my SSH settings. Pantheon doesn’t have its own 2FA technology, unfortunately, but I was able to apply 2FA through Google Authenticator to my administrator account.
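The post mentions hardening SSH settings without listing them, so here is an added example (not the author’s own script or config) that audits an sshd_config against the handful of directives a hardening pass normally sets: no root login, no password authentication, public-key authentication on, X11 forwarding off. The sample config it writes is constructed for illustration and is deliberately weak; the `audit_sshd` function takes a path, so it can be pointed at a real file instead.

```shell
#!/bin/sh
# Added example: audit an sshd_config for common hardening directives.
# The sample file below is constructed for this example and is NOT a
# recommended configuration; it exists so the checks have something to flag.
SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample"
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config (intentionally weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
EOF

# sshd_value <directive> <file>: print the effective value of a directive.
# sshd uses the first occurrence of a directive, so we stop at the first
# match; comment and blank lines never match because $1 is "#" or empty.
sshd_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# check_setting <directive> <required> <file>: 0 if the directive has the
# required value, 1 otherwise (unset directives are reported as "unset").
check_setting() {
    actual=$(sshd_value "$1" "$3")
    if [ "$actual" = "$2" ]; then
        echo "OK    $1 $2"
        return 0
    fi
    echo "WEAK  $1 is '${actual:-unset}', expected $2"
    return 1
}

# audit_sshd <file>: run every check; the return code is the number of
# weak or missing settings, so 0 means the file passed.
audit_sshd() {
    failures=0
    check_setting PermitRootLogin no "$1"         || failures=$((failures + 1))
    check_setting PasswordAuthentication no "$1"  || failures=$((failures + 1))
    check_setting PubkeyAuthentication yes "$1"   || failures=$((failures + 1))
    check_setting X11Forwarding no "$1"           || failures=$((failures + 1))
    return $failures
}

# Stand-alone run against the constructed sample: three of four checks fail.
audit_sshd "$SAMPLE" || echo "$? weak setting(s) found in $SAMPLE"
```

Run it as `SSHD=/etc/ssh/sshd_config; . ./audit.sh; audit_sshd "$SSHD"` to check a live file, and remember to reload sshd after editing, keeping an existing session open until a fresh key-based login succeeds, so a typo in the config cannot lock you out.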

Anything else I should be doing? Share your tips in the comments!
