
How to protect yourself against targeted attacks

By Rainer Wichmann rainer@nullla-samhna.de (last update: Jan 22, 2018)

Are you a target?

Malicious software on the internet is often quite indiscriminate. Scripts on a website may abuse your browser to mine Bitcoin or other cryptocurrencies without regard to who you are. So-called ransomware may encrypt files on your computer (making them inaccessible to you) and demand a ransom for decrypting them, regardless of who you are.

However, there are many cases where you might become the target of a dedicated and sophisticated attack by some resourceful attacker. Some examples are:

  • You are a member of some NGO (non-governmental organization) that is fighting human rights violations
  • You are a journalist investigating civil rights violations in oppressive states
  • You are a lawyer working e.g. for civil rights activists

How can you protect yourself?

Protecting yourself against malicious software is always useful, but if a dedicated and resourceful attacker targets you personally, you will need to step up your efforts. Of course this can become quite tedious, depending on the perceived threat and the resources of the potential attacker.

1 - Safe passwords and recovery phrases

If you are at risk of a targeted attack, it is quite possible that your adversary has researched some facts about your personal life. Thus, you should avoid using things like your birthday or your mother's name for passwords or password recovery phrases/questions. It is much safer to use facts which only you yourself know about, and of which there are no public records (e.g. "which was the first CD you bought?").

2 - Keep up-to-date with updates

Software has bugs, and known bugs are often like gaping holes in a fence. There's no point in installing security systems at the door (e.g. antivirus software) if anyone can just walk through the fence.

Therefore, the most important measure to protect yourself is to make sure you always have the latest updates/security patches from the software vendor installed.
  • On Windows 10, automatic updates are enabled by default; for other Windows versions, see this support page.
  • For macOS, see here
  • On Ubuntu Linux, you will be informed about available updates and given the choice to install them or not
Using third-party software obviously implies that you may have to check for updates yourself.

3 - Don't follow emailed links, Don't open email attachments

If you get a message from your bank, asking you to check for something or verify something, and that message includes a link, you have two choices:

  • Use your bookmarks to login to your bank account and check your messages there, or
  • Blindly trust that link sent by someone who may or may not be your bank, and follow it.
Obviously, the second choice is much more dangerous. It is also much more convenient. This is a frequently recurring theme: the convenient option is often the dangerous one, and luring people into doing what is most convenient is often a successful strategy for an attacker.

Of course there are rare occasions where you have to trust a link from an email, e.g. when you register for a website and have to confirm via a link sent by email (but even here, reasonable websites offer the option to type in a code that is given in the email, along with the convenient link). If, however, you have no other choice but to use a link sent by email, you should only do so if:

Likewise, opening an attachment is rarely a good idea, with only a few exceptions:

  • Businesses will send invoices as PDF files. So make sure:
    • it IS a PDF file and not something else (like, e.g., a Word DOC file, a spreadsheet or a ZIP archive)
    • you actually bought something from that business and expect an invoice from them
    • you have verified the origin of the email
  • Your friends may send you pictures. However, if you are the potential subject of a targeted attack by a resourceful attacker, you have to consider that they know your friends and relatives, and may try to impersonate them (send email with their name as sender). Therefore:
    • verify the origin of the email, or only open the attachment if your friend/relative has announced it in a phone call or similar
    • make sure the attachment is actually an image file (GIF, JPG, or PNG)
  • While it may be tempting to exchange Word DOC files or spreadsheets with other people for collaborative work, it is also a highly unsafe practice. It is safer to use a collaborative platform (e.g. Google Drive/Google Apps), possibly one that
    • allows you to work on documents using a web browser rather than having to download them and open them on your computer, and
    • offers the option to sign in with a hardware token (e.g. a Yubikey, which you insert in the USB port when needed).

If for any reason you need to open an attachment, make sure your software is fully up-to-date with the latest updates before doing so!
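The checks in the list above ("it IS a PDF file", "actually an image file") can be made mechanical: an attachment's name and the email's declared MIME type are both chosen by the sender, so the file's leading "magic" bytes must be compared against what the name claims. The following is an added example, not code from the original article; the sample attachments are constructed and the accepted-type list is an assumption taken from the article's own exceptions (PDF, GIF, JPG, PNG).

```python
# Added example (not part of the original article): verify that an email
# attachment really is the type its file name claims, using its leading
# "magic" bytes, and flag disguised double extensions such as "invoice.pdf.exe".
import os

# Magic-byte signatures for the only attachment types the article accepts.
# Word/Excel documents, ZIP archives and executables are never accepted.
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}


def check_attachment(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an attachment, given its name and first bytes."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no file extension"
    ext = parts[-1]                      # the LAST extension decides how the OS opens it
    hint = ""
    if len(parts) > 2 and parts[-2] in SIGNATURES:
        hint = f" (looks like a disguised '.{parts[-2]}' file)"
    if ext not in SIGNATURES:
        return False, f"extension '.{ext}' is not an accepted type{hint}"
    if not any(head.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content does not match a .{ext} file"
    return True, f".{ext} attachment, content matches the name"


def check_attachment_file(path: str) -> tuple[bool, str]:
    """Same check for a file saved to disk (only the first 16 bytes are read)."""
    with open(path, "rb") as fh:
        return check_attachment(os.path.basename(path), fh.read(16))


# Constructed sample attachments: (file name, leading bytes).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),      # genuine PDF
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),          # Windows executable with a PDF-looking name
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),      # genuine JPEG
    ("photo.png", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy Word document renamed to .png
    ("report.docx", b"PK\x03\x04"),                      # Office document: rejected regardless of content
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        ok, reason = check_attachment(name, head)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:18} {reason}")
```

Only the first two samples would be accepted; a renamed Word document or a disguised executable is rejected even though its name ends in an image or PDF extension.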

4 - Safe browsing

Surfing the internet to get information or use online services is both a necessity for most people and a danger. Even reputable websites may unknowingly host malicious scripts which exploit browser bugs to gain access to your computer.

Modern browsers have built-in security measures to warn you about malicious websites. If your browser warns you about visiting a site, heed that warning rather than falling for the promise of some interesting content. However, these warnings are based on lists compiled by the browser vendors, and may not always be up-to-date.

If your adversary is able to interpose between your computer and the website you're visiting (e.g. if you are in a state with "democracy deficits" and your internet provider supports the authorities), they will be able to modify the traffic and insert malicious content. The only way to avoid this is by always using HTTPS, i.e. an encrypted connection. The Electronic Frontier Foundation offers a browser plugin named HTTPS Everywhere that makes the browser use HTTPS whenever possible. If you want to completely block all non-HTTPS traffic (and depending on the threats you're facing, you may want that), you need to change the settings of the plugin (click on the icon in the toolbar) to enable "Block all unencrypted requests". Note that this will make some websites unusable.

Just as for email, make sure your software is fully up-to-date with the latest updates before surfing the net!

5 - Isolate your browser

If you are worried that the above isn't sufficient for safely browsing the net, you may want to isolate your browser from the rest of your computer. There are several options to do that:

  • Run your browser in a sandbox, i.e. under the account of a different (and unprivileged) user. For Linux, you can find a howto here
  • Install a separate operating system (OS) in a virtual machine (e.g. VMware Player) and use that system only for browsing.
  • Use different devices for browsing and other work. Note that using a smartphone is probably less safe than using a PC/Notebook because many smartphone vendors are notoriously late in pushing out security patches.

6 - Physical access

You may want - or need - to consider the possibility that your adversary breaks into your house to gain physical access to your computer in order to install malicious software on it. Possible ways to safeguard against this kind of attack might include:

  • Use full disk encryption to deny access to your operating system and data. This is supported on all major operating systems (Windows, Linux, macOS), although for Windows you may need to upgrade to a Pro edition to have BitLocker (the Windows disk encryption software) available. Also note that full disk encryption is only secure if:
    • you power down the machine rather than just putting it to sleep when not using it, to avoid a so-called "cold boot attack", and
    • you avoid the convenient "transparent operation mode" of BitLocker (or other full disk encryption software), and instead use a mode that requires a PIN/password or USB key for booting.
  • Use a very lightweight notebook that you can always carry with you. The obvious disadvantage is that this increases the danger that it may get stolen or left behind inadvertently.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.