What's in your threat model?

Everyone should have a threat model, but a bit of thought should go into calibration. Make sure your model is appropriate and that your opsec follows from it.

Since early February, there’s been a surge of people giving travel advice in response to recent travel bans, immigration enforcement measures, and stories about people being detained at our borders. A majority of it isn’t very useful, and some could be result in serious complications for travelers (e.g., lying to CBP agents, as in the Medium article just linked). This made me think a little more about giving operational security (opsec) advice in general, especially with respect to the flood of concern among some people post-Snowden that the NSA should now be in everyone’s threat model.

Thinking through your model

For most Americans, the NSA probably shouldn’t be in your threat model (unless you’re in contact with a foreign intelligence target, in which case you have several serious problems). It’s highly unlikely that federal agencies are filing subpoenas for your emails, reading your messages, or installing malware on your laptop to turn the camera on while keeping the green indicator light off. I think it is likely that for most Americans this is a waste of time and energy, and is probably a miscalibrated threat model. I understand it’s not the sexy “David-versus-Goliath” story about government tyranny and the surveillance state run amok, where the little guy stands up to the NSA by using Tails everywhere. Stop that. Even if you’re doing everything right, which is very difficult, I think most people with this attitude are probably barking up the wrong tree.

I would argue that the threat models of most Americans should, rather, focus on malware exploits more in line with financial gain and cybercrime. I’m talking about identity theft, ransomware, copied intimate photos or personal documents, and data corruption or destruction. I think most of us should be more concerned about a skidd in some former bloc country sending us a malware payload in a fake FedEx shipping email, then encrypting our hard drives and demanding $500 USD to unlock it. We should also be concerned with someone buying a dump of usernames and passwords on the dark web for a website we forgot we used, then trying those same credentails against our Gmail accounts. Again, this doesn’t fit the sexy “TV cyber” most of us see, but I think this more accurately describes what the gamut of most users face online.

The thing about threat modeling is that we’re better served by ones that are properly calibrated. There are some opsec basics that should go into any threat model, which should generally encompass malicious threat actors of any kind. For example, we should always update our operating system and programs, as exploits typically hunt for known but unpatched software vulnerabilities. We should also enable firewalls (included with Windows, Mac, and Linux systems), avoid emails from unknown senders, be extremely careful (but ideally never) enabling macros, use an in-browser ad blocker, use passwords longer than eight characters with a combination of letters, numbers, and specials, and never re-use the same password twice. Use a password manager, use two-factor authentication everywhere it’s supported, and avoid installing software from third-party or unknown sources. While there are other, perhaps more complex advice (user accounts with least privilege, BIOS passwords, manually encrypted filesystems, SElinux/grsec/PaX, etc), these basic steps will protect most people from most threats.

Extending your model to adapt and overcome

Within reason, our measures should modify additional features depending on our situation. Traveling to your in-laws and using their known safe wifi? Take your laptop and maintain your opsec. Traveling in a new city and using some random coffee shop’s wifi? Use a VPN, ideally one that utilizes the OpenVPN protocol, that you paid for and manually configure the DNS servers that your machine is using. Better yet, do the same thing but with a Chromebook.

Why? Because your threat model should have evolved to include a malicious actor taking advantage of insecure public wifi to sniff passwords, hijack session cookies, inject malicious redirect requests, and leverage other exploits that could be used to compromise you or your machine. A good VPN will make this more difficult by encrypting all traffic across that wireless access point. Manually-configured DNS server settings will make sure that you specify where your machine retrieves IP addresses from, rather than relying on an unknown ISP (the one used by this coffee shop) to resolve those addresses for you. The Chromebook sandboxes individual browser tabs, so the malware served by a spoofed Imgur page can’t be used to exploit your open American Express banking tab (you shouldn’t be doing anything sensitive from a coffee shop anyway, so insert a quip about a frog and a cup of tea here).

As another example, suppose a government official visiting some country is taken to an end-of-visit dinner and is encouraged to leave her laptop and luggage behind. Her threat model should evolve to include attacks on unattended hardware, such as full disk cloning, cold boot, or evil maid attacks. Her opsec should change as well. Full disk encryption would help mitigate easy drive cloning and access, as the data copied would be encrypted. Cold boot attacks can be made more difficult by shutting down a machine with full disk encryption, because encrypted disks are usually unmounted and their keys overwritten when shut down (so, putting your computer to sleep is insecure); she could have also taken along a computer where the RAM is soldered in as another option. To protect against an evil maid attack, she could ensure that SecureBoot or Trusted Boot are supported and enabled on the machine … or avoid doing anything sensitive on the flight home and scrap the machine altogether (wasteful but secure).

The point is that we should have a few different threat models that are extensible to whatever we’re doing. We should spend time thinking about our models, ensuring that they are appropriate for the threats we’re most likely to face, and then calibrating our opsec to address that model. It is not helpful to have a static, ill-fitting threat model that doesn’t meet the likely challenges and heaps on a variety of different countermeasures–system complexity is usually proportional to its likelihood of failure.

It takes time, but your digital security depends on it.