Incident Response Instructions
Let's review a comically bad IR and then review how to do it right.
Here's a lovely headline for an article you'll need to read. It's just a one pager.
CISA confirms Russia-linked hackers tapped into correspondence between federal agencies, Microsoft
OK, so think about what you read, but understand what was NOT in that article.
Microsoft was communicating with federal agencies and they were tapped by Russians. How do you think this went?
Microsoft: "Looks like this federal agency might have a security problem with their email server"
Microsoft: "So I'll just send them an email about it ..."
End User Agency: "Dang, potential email security problem, let me email this to the whole incident response team so we can share our feelings on this matter."
Security Vendor Previously Unnoticed By Intruder: *makes wrist slitting gestures*
Intruder: *opens folder of Monty Burns excellent gifs ...*
If you think that isn't an everyday kinda thing, take a look at how an Actual Incident Response Today progressed last fall.
Attention Conservation Notice:
I may or may not be doing something along these lines with someone who has also received a recommendation to immediately get sterilized, in addition to various security related suggestions. This is the rauhauser dot net way, where pro bono clients always get their money's worth. If it's too early for acidic humor, be gone wit ye.
Injuries & Insults:
OK, so here's the deal. How do you recover from a communications compromise?
The answer varies, but "by freely using the compromised system to communicate about the compromise" should NOT be part of it.
Here's a typical set of instructions I'd give to someone who believes their systems are compromised:
Go to store, get a burner phone and reload card. Pay cash.
Do NOT use this device on any of your wifi networks.
If it really wonโt run w/o update, go to a coffee shop for wifi.
Get a Google Voice number.
Install Signal using the GV number and call me.
This is a litmus test. If the problem isn't so serious that the victim is going to promptly spend $70 to have a safe conversation, then the problem isn't technical; either they're too poor, or it's behavioral. It is very exciting to have some edgy security field guy assisting you with problems ... it's like catnip for Cluster B personality disorders, as discussed in Psychiatrically Challenged Challenge. The anxious, fearful Cluster C personality disorders may turn up, but they're seeking comfort and validation.
I really do try to be kind to everyone, but for such disordered individuals the kindest thing is not enabling them to exercise their issue(s). If they're just poor, that's harder. Are they a poor but highly effective activist? Or poor and concealing some of that Cluster B/C fairly well? What would life be without a little angoraphobia?
Post Validation:
Once that initial call on a new device is complete, the victim has marching orders.
It's easier to do an Actual Phone Security Consult BEFORE there's a problem. After the fact it'll look like Beach Blanket Bingo, 21st Century Style.
Basic prescriptions will involve many of these, but perhaps not all; it depends on the person's threat model.
Install Authy on burner.
Make a couple of new passwords, write them on the back of business cards, one goes in your wallet, one goes in a desk drawer at home, maybe another in the glove compartment, laptop bag, etc.
Go around and lock every single account you have using Authy.
Yes, Authy or similar, SMS is NOT proof against SIM swap attacks.
No, really, even my Bookwyrm account has this; just because YOU can't envision how an intruder would use some random thing you perceive to be low value doesn't mean it really IS low value.
You poor groundlings with your consumer operating systems ... I can't even. You'll need to back up, reinstall, add some workable antivirus, then restore data files. Not perfect, but it raises the bar significantly.
Phones are just tiny, stupid, poorly secured computers we trust too much due to their physical proximity. I haven't trusted them in ten years and just straight stopped taking one when I leave the house five years ago. That being said, factory reset & restore is a good idea.
Start compartmentalizing things immediately. There is ZERO reason the email everyone uses to reach you is also the one for your bank login. I don't care if it's inconvenient for you or for whatever sites you use; stop treating your cell number like your social security number and your phone like it's your passport.
Conclusion:
What I know of these things comes from fifteen years of participation in social movements that faced corporate, law enforcement, and foreign intel attention. I also have a lot of experience reading other people's email, so I can envision hazards that arise from disclosures.
Less helpfully, I've had such an extreme environment, and it's been that way for so long, that I simply don't do things with one phone/one computer like a normal person would. I try to keep prescriptions in the realm of 1) something people CAN do and 2) something people WILL do over the long haul. Running Qubes and lusting after a Google Pixel 8 so I can switch to GrapheneOS IS normal for me, but it's one-in-a-thousand professional paranoia.
Given that November's Civil War Referendum is inescapable, more and more of us are going to need to expose a lot less to the world. If you're not quite there yet, one of the things you can do is start accumulating some older gear that you'd otherwise give away or toss. The phone that works fine but which you idled because you just had to have the latest is still a very useful bit of kit. If you've been dancing on that line between wanting and needing a new laptop, go ahead and make the jump; then you can wipe the old one and put your seldom used, high value stuff on it.
You don't have to be flawless, you just need to be more trouble than you're worth ...