cra
mr

Secure Yo Self

Last week the Bun.js corporate Twitter account was compromised. It happened via SIM swapping, which is a technique criminals use that involves them contacting the cell phone provider (T-Mobile in this case), and convincing them you are the owner of the phone number. They’ll then swap the phone number to a new SIM card, one that they control. This is often done via social manipulation, although not exclusively, which begs the question how do you protect against it?

I wanted to talk about some things I’ve done over my career to improve my personal security, which in cases like this also improves Sentry’s corporate security. I won’t claim to be an expert in this field, and I’m sure there’s some great advice that I will omit here, but hopefully you’ll find something in here of value, and an easy change to avoid the kind of scenario Jarred and team had to deal with.

The most effective solution you have at your disposal is invisibility, obscurity. You need to make it difficult to find the information that will expose you, because you cannot make it impossible. In some cases that means making your password difficult to find, or making an OTP generator difficult to access. In many cases however, its more about making your personal information difficult to access. This actually has a dual-purpose benefit as your profile grows in visibility: by ensuring your information is not out there in the world, not only will you vastly improve your personal security, but you’ll also make it harder for fraud and spam to target you. Put your personal phone number on corporate docs and you’ll very quickly understand what I mean.

You should assume that any information you give out, to anyone who’s not a personal connection, is almost certainly public. More so, you should also assume that if the information you give out is to someone who may not take privacy and security seriously, it’s also likely to become public knowledge. This means your best defense is creating confidential information and protecting it.

I really hope one that you don’t need informed about MFA, but the biggest investment you should make is utilizing one-time passwords. They come in a variety of shapes these days, but importantly, you want to use physical or digital variants, rather than relying on network comms. That is, use a passkey when you can. Use a Yubikey if you want. Use a one-time password stored in 1Password - its totally fine. All of those have fairly serious obstacles to overcome in order to access them: you, and your security. Do not use SMS. While not all providers support these behaviors, as best as you can you should avoid and remove SMS as an authentication mechanism on your accounts, and at the same time ensure you have something beyond a password used.

On the password front, what again should be obvious but is continually ignored, is password reuse. Even people who use password managers keep reusing passwords! Stop doing it. Its simple, and its one of the most important changes you can make. Its inevitable that every company gets hacked, and in those hacks someone accesses a database full of passwords. Some of those companies are going to have weaker encryption or hashing employed, which means someone will be able to brute force that password dump. Even if that doesn’t happen, its likely your password will get sniffed in some other way. Accept it, its going to happen. The way you protect yourself is ensuring that password operates only on that property and nowhere else. Its easy, and you have no excuse for not generating unique, impossible to remember passwords.

With password management in check, the next big issue is our personal mobile phones.

Going a bit deeper on the SMS front, as thats a huge vector of attack. If you listen to stories about corporate fraud you’ll find it almost always involves a phone, typically through text messages, and often via impersonation. Employees at Sentry regularly get messages from our CEO (not actually our CEO) asking them for favors, to buy gift cards, etc. The best way to avoid that problem is to prevent the attackers from accessing your phone number, which is a double win because it will stop sales people from constantly blindly wasting your time. The logical question here is: how do you protect your phone number? How do you do business if you don’t give out your phone number? Well you simply get a second number.

My approach to this, because I actually did put my mobile number on our corporate docs (sigh), was to transfer my old number to Google Voice. I still use that when I need to fill in a random form with a phone number, or if I have to give it out for business. I then acquired a new personal number which I only share with friends, family, or coworkers who must be able to reach me. Sentry’s Head of Security (Alek Amrani) suggested that Google Fi has also been a historical better carrier to use for this, as they’ve not been a successful target of SIM swaps in the past.

The other feedback I got when vetting this: just buy a SIM card for your corporate phone number. Paying for two phone lines as an individual is bonkers, but if one is a corporate line its actually totally fine. Its worth also mentioning that Google Voice might not be a great solution for that second line, as theres restrictions around it and as Google does, it could disappear on a whim, but I found it a convenient option.

There’s some additional things you might want to consider:

  • Add your phone number(s) to whatever equivilent of the Do Not Call registry your country has.

  • Install something like Robokiller to block questionable numbers.

  • Search around for other databases that index numbers, and Exercise Your Rights to have them removed. See also this (unvetted) article which has some great tips.

So you’ve locked down your phone, at least to some degree, now what?

Well we all use Google products, and a lot of us rely on them for email. Email, almost more than anything else, is the asset you need to lock down. Email is the gateway into everything, and if someone breaches your account there’s an endless world of hell they can unleash on you. They’ll be able to gain access to almost any service you use. They’ll be able to easily impersonate you and potentially cause even more harm by gaining access to other individuals accounts. Its Very Serious Business and should be treated as such.

So lock it down.

  • Don’t use a random third party email client, especially not for your corporate email. They don’t actually improve productivity and they just expose you to more risk.

  • Opt-in to any and all security features. No SMS, full 2FA. Opt-in to Google’s Advanced Protection Program. Use a key-per-device when possible.

  • Revoke authentication tokens to your Google account that are unused. This is easy to review and there is certainly something there that you signed up for and should no longer have acecss.

  • Never give access to your email. Great you got an EA, you’re a big shot now, they don’t need to send emails on your behalf or read your inbox. Even going beyond basic compromise security there’s a variety of other reasons its silly to allow that.

All of that should be common sense, but sometimes we need a reminder. I’ll say that if you’ve done all the above, you should rest fairly easy. It mostly is about being aware, knowing that compromise is inevitable, and limiting the scope. It’s no different than how we build software infrastructure: you don’t want a single failed service (or server) taking down your entire business. You don’t want a single compromised acount destroying your entire security.

Oh, and apply all of this to your significant other while you’re at it, as that’s another great way to get compromised.

Yell at me on Twitter if you think I’ve provided some terrible advice here.

I want to shout out to the IT and security teams at Dropbox and now Sentry who have provided a lot of great education on this in my career. To Google for pushing their Beyond Corp security model which applies so well to everything in life. To Darknet Diaries, which is an awesome security podcast for all the nostalgia and horror stories.

More Reading

Lunch Isn't Free

What is Brand?

Fire Faster, but Hire Better

Open Source is not a Business Model

CTA: Structuring Unstructured Data