Incident Response Instructions
Let's review a comically bad IR and then review how to do it right.
Here's a lovely headline for an article you'll need to read. It's just a one pager.
CISA confirms Russia-linked hackers tapped into correspondence between federal agencies, Microsoft
OK, so think about what you read, but understand what was NOT in that article.
Microsoft was communicating with federal agencies and they were tapped by Russians. How do you think this went?
Microsoft: "Looks like this federal agency might have a security problem with their email server"
Microsoft: "So I'll just send them an email about it …"
End User Agency: "Dang, potential email security problem, let me email this to the whole incident response team so we can share our feelings on this matter."
Security Vendor Previously Unnoticed By Intruder: *makes wrist slitting gestures*
Intruder: *opens folder of Monty Burns excellent gifs …*
If you think that isn't an everyday kinda thing, take a look at how an Actual Incident Response Today progressed last fall.
Attention Conservation Notice:
I may or may not be doing something along these lines with someone who has also received a recommendation to immediately get sterilized, in addition to various security related suggestions. This is the rauhauser dot net way, where pro bono clients always get their money's worth. If it's too early for acidic humor, be gone wit ye.
Injuries & Insults:
OK, so here's the deal. How do you recover from a communications compromise?
The answer varies, but "by freely using the compromised system to communicate about the compromise" should NOT be part of it.
Here's a typical set of instructions I'd give to someone who believes their systems are compromised:
Go to store, get a burner phone and reload card. Pay cash.
Do NOT use this device on any of your wifi networks.
If it really won't run w/o update, go to a coffee shop for wifi.
Get a Google Voice number.
Install Signal using the GV number and call me.
This is a litmus test. If the problem isn't so serious that the victim is going to promptly spend $70 to have a safe conversation, then the problem isn't technical; either they're too poor, or it's behavioral. It is very exciting to have some edgy security field guy assisting you with problems … it's like catnip for Cluster B personality disorders, as discussed in Psychiatrically Challenged Challenge. The anxious, fearful Cluster C personality disorders may turn up, but they're seeking comfort and validation.
I really do try to be kind to everyone, but for such disordered individuals the kindest thing is not enabling them exercising their issue(s). If they're just poor that's harder. Are they a poor but highly effective activist? Or poor and concealing some of that cluster B/C fairly well? What would life be without a little angoraphobia?
Post Validation:
Once that initial call on a new device is complete, the victim has marching orders.
It's easier to do an Actual Phone Security Consult BEFORE there's a problem. After the fact it'll look like Beach Blanket Bingo, 21st Century Style.
Basic prescriptions will involve many of these, but perhaps not all; it depends on the person's threat model.
Install Authy on burner.
Make a couple new passwords, write them on back of business cards, one goes in wallet, one goes in desk drawer at home, maybe another in glove compartment, laptop bag, etc.
Go around and lock every single account you have using Authy.
Yes, Authy or a similar app; SMS is NOT proof against SIM swap attacks.
No, really, even my Bookwyrm account has this; just because YOU can't envision how an intruder would use some random thing you perceive to be low value doesn't mean it really IS low value.
You poor groundlings with your consumer operating systems … I can't even. You'll need to back up, reinstall, add some workable antivirus, then restore data files. Not perfect, but it raises the bar significantly.
Phones are just tiny, stupid, poorly secured computers we trust too much due to their physical proximity. I haven't trusted them in ten years and just straight stopped taking one when I leave the house five years ago. That being said, factory reset & restore is a good idea.
Start compartmentalizing things immediately. There is ZERO reason the email everyone uses to reach you is also the one for your bank login. I don't care if it's inconvenient for you or for whatever sites you use, stop treating your cell number like your social security number and your phone like it's your passport.
Conclusion:
What I know of these things comes from fifteen years of participation in social movements that faced corporate, law enforcement, and foreign intel attention. I also have a lot of experience reading other people's email, so I can envision hazards that arise from disclosures.
Less helpfully, I've had such an extreme environment, and it's been that way for so long, that I simply don't do things with one phone/one computer like a normal person would. I try to keep prescriptions in the realm of 1) something people CAN do and 2) something people WILL do over the long haul. Running Qubes and lusting after a Google Pixel 8 so I can switch to GrapheneOS IS normal for me, but it's one in a thousand professional paranoia.
Given that November's Civil War Referendum is inescapable, more and more of us are going to need to expose a lot less to the world. If you're not quite there yet, one of the things you can do is to start accumulating some older gear that you'd otherwise give away or toss. The phone that works fine but which you idled because you just had to have the latest is still a very useful bit of kit. If you've been dancing on that line between wanting and needing a new laptop, go ahead and make the jump; then you can wipe the old one and put your seldom used high value stuff on it.
You don't have to be flawless, you just need to be more trouble than you're worth …