Usable Security Tools

There are a lot of useless security tools and applications. Their use cases are specific and might not match your threat model. They are complicated and create hurdles that turn away inexperienced users. There are a lot of good security tools that are not usable. If someone can't pick up your

Good, usable security tools need to enforce consent, be widely applicable, and be easy to set up and easy to use. When I hear of a good tool I usually leave it to simmer and let other people test it, and if I hear good things then I test it out myself. I've found some excellent and usable tools that I'd love to share.

Tools Discussed

  • Boxcryptor Classic (Free)
  • KeePass (Free)
  • Mooltipass ($80 USD)
  • YubiKey U2F ($18 USD, $24 CAD)

Secure The Cloud: Boxcryptor Classic

I had never heard of Boxcryptor before so I did not know what it did or what it was for. Turns out it creates a folder in your omnipresent cloud drive and automatically encrypts all files you place into that folder. It also creates a storage drive that functions as a regular disk drive and automatically decrypts files when you access them through that mapped drive.

Why should I use this?

All the files that you upload to your Google Drive or Microsoft OneDrive can be browsed and read by those companies. If law enforcement issues a warrant for your data they can gain access to all of your data as well. Cloud storage should be about you being able to access your files from anywhere, and you should get to choose who gets access to them.

You may not have anything to hide, but you also shouldn't just give your privacy away (consent). And if you don't put measures like encryption in place, then a breach of your cloud account hands every file in it to criminals, permanently.

Boxcryptor vs Boxcryptor Classic

Boxcryptor Classic was suggested to me over the current Boxcryptor, and having now tried both I can see why. New Boxcryptor has clear tutorials that guide you through the set-up process, and has some features for sharing your encrypted files. While New Boxcryptor says that it supports offline accounts I did not see the option during installation, and frankly the account registration and "private keys in the cloud" concept is not something I'm too fond of.

I like Boxcryptor Classic more than New Boxcryptor for a couple of reasons. It does not have integration with other services, and you don't have to manage encryption on a file-by-file or folder-by-folder basis. It hits that perfect transparency point of having no user interface and nothing to keep track of once you set it up. It is not actively supported, but since you just point it at a folder on your computer and let it work, it would take substantial changes to Windows to disrupt how Boxcryptor Classic functions. The trade-off of an unsupported tool is that it will not receive security fixes either, so keep the configuration backup from the set-up steps below somewhere safe.

Boxcryptor Classic Installation (For Windows):

  1. Download Boxcryptor Classic and run the installer.
  2. Accept the License Agreement. Click Next.
  3. Select where to install Boxcryptor Classic. This is the agent that will manage the encrypted files. You can leave it as default. Click Next.
  4. Boxcryptor Classic will display an explanation for what happens next. Read the explanation, then click Next.
  5. Click Install. If UAC comes up, click yes.
  6. Windows will prompt you to restart (due to the device installation). Click Finish.
  7. Boxcryptor Classic will open a window to set up your files. Click Cancel. Boxcryptor Classic will tell you it is not finished set-up, click yes.
  8. Restart your computer.
  9. Run Boxcryptor Classic. The set-up prompt will reappear.
  10. Select Create a new Boxcryptor Classic Folder. Click Next.
  11. Select Custom. Click Browse and select your cloud storage. Click Next.
  12. Choose the drive letter you wish to mount the drive to. This is where you will access the encrypted files. Click Next.
  13. You will be asked to create a password. This password is used to encrypt a hidden file in the Boxcryptor Classic drive, which then contains the more secure encryption keys used to encrypt your files. This password should be strong, unique, and something you should write down elsewhere.
    • You can select to Remember this password, which will mean you do not have to re-enter the password when Boxcryptor Classic starts.
  14. You will be prompted to back up your configuration file. Read the explanation. You should back up your key now.
  15. Open File Explorer and open your Boxcryptor drive. There are a couple guides here that you can read, otherwise just start putting the files you want to encrypt here.

Boxcryptor Classic Installation (For Windows: Episode II - Attack of the Clones)

You won't be able to access files in that folder from other devices you own unless you install Boxcryptor Classic on that device.
  1. Follow the above steps to step 10.
  2. Select Open a Boxcryptor Classic Folder. Click Next.
  3. Select Custom. Click Browse, and select the Boxcryptor Classic folder in your cloud storage. Click Next.
  4. Select the drive letter to mount to. Click Finish.
  5. You will be congratulated. Keep the box checked, click Next/Finish.
  6. You will be prompted for your password for this drive. Enter the password, click OK.

What now?

Nothing. You are done setting up encrypted cloud storage. Now only someone with your password can read the files that you store in the cloud. Your cloud storage provider can still see your folders, the filenames, and the file sizes, but the file contents themselves are encrypted and unusable to anyone but you. All of your files are accessible through the mounted drive and you can interact with those files as you would any other file on your local computer. Quick to set up and easy to use, no learning curve once installed, your files become secure by default, and access is based on your consent. Boxcryptor Classic is a fantastic and very usable security tool that gives you security and privacy, and syncing files through the cloud remains seamless.

Offline Password Manager: KeePass

KeePass is an offline password manager and it is available here. It is widely recommended. It is fairly easy to use. I moved away from KeePass because I would have to actively sync the password database with my phone and use a third-party app to be able to access my passwords away from a PC. KeePass is the best free password manager, but I have heard many stories of people like me who found it to be too much of a hassle to use in practice.

Which brings us to...

Hardware Password Manager: Mooltipass

The Mooltipass is a hardware password manager that you connect to a computer via a microUSB-to-USB cable or to your phone via a microUSB-to-microUSB cable. When you connect it to a device it registers as a generic keyboard, and you can use it to enter your stored passwords as if you were typing normally.
I've had my eye on the Mooltipass since it launched, waiting to hear someone's experience with it. Evidently it is as easy to use as it sounds.

You load your accounts onto it using an application you can download from the Mooltipass website. The device uses a tiny included smart card and a PIN to decrypt your password database. You then roll the wheel to select which account you'd like to use, push it in, and the device types in the password.

Because it is a hardware device you can access your accounts on any device without installing your password manager or running an application. You don't risk leaving your password database behind to be attacked over time, or running your password manager or its browser extension on computers you don't trust. Since it types the password like a keyboard, a compromised host can still capture the one password it types, but it never gets the rest of the database. And perhaps most importantly, the Mooltipass is a play on the Multipass from The Fifth Element, which was a great movie.

I plan on purchasing one when I am able to. It appears to be highly usable, appears to have a small learning curve, and is widely applicable since it can be used on any device that accepts keyboard input (basically anything that asks for a password).

Don't Use SMS As Your Two Factor Authentication: YubiKey U2F

SMS has been proven time and time again not to be a reliable two factor authentication (2FA) token. Also I find SMS 2FA to be very annoying to deal with. U2F is an up-and-coming 2FA standard that is very simple to use and quick to activate on services that allow it.

The YubiKey U2F token is available cheaply on Amazon in the US and Canada. More information on the YubiKey U2F is available here, and more information on U2F is available here, with guides to link it to Google, Facebook, GitHub, Dropbox, and some other services.

It works with Chrome and, I believe, Firefox. After you've linked the key to your account, when you log onto a service you will be prompted to plug in your key and tap the gold circle. 2FA done, you're into your account.

While perhaps not so widely applicable yet, securing some of the most common big services you use day-to-day with hardware 2FA is enough to warrant the small price tag for me.

Anything else? (Conclusion)

I read about Boxcryptor and tested it out, and I've had my eye on the Mooltipass for a while. I've used my U2F token for over a year and it has served me well on all occasions. Your security tool doesn't matter if users don't use it, and they won't use it unless the barriers to entry are low and the learning curve is a barely-noticeable incline. Boxcryptor is especially easy to set up and use for a typical person, and the U2F token cuts out the annoying parts that people don't like about 2FA.

I'm still pretty bad at closing out posts because I write them as I think them, usually with little planning. I wanted to share and talk about these because I think they are going in the right direction when it comes to making security usable and accessible to non-technical people.

Give them a try, give me your opinions on them, and tell me if you've found other security tools that are very usable! You know where to find me.
