Sunday, January 11, 2015

Basic Security

People constantly ask me what precautions they should take to keep their data safe and secure from those who would snoop on their communications or steal their data in some way. One of the most fundamental things a person has to accept about privacy and security is that attack vectors come in several forms: technological, direct, and indirect. Locking down one’s computer with iptables, firewalls, and antivirus is all fine and good for keeping out the random, anonymous attacker, but one must also consider the direct vectors: the people who have physical access to you and your device, as well as any parties they may be associated with. In short, your privacy and security may be compromised by anyone around you or anyone who has access to you. However, do not let this concept stir up exceptional levels of paranoia; instead, cultivate a heightened awareness of one’s surroundings and the current situation.

Also, never be overly forthcoming in telling people the methods you use for security. One never knows who is reading, listening, or gathering information in an attempt to hack your personal security. In the following article, I give examples of best practices one should use to keep their data and communications safe. There are many different ways a person can do this, and the less information given out, the more “in the dark” the asshole is who wants desperately to break into your security. Always get multiple opinions on best practices as well; never trust the opinion of just one person, regardless of who they are. Research and follow up, then use good judgement based on correlating information.


Passwords


For years, technology experts have been trying to drive the concept of good passwords into the heads of the gp (general public). Good passwords are the first essential line of defense for any security model. The arguments over what constitutes a good, strong password are as endless as the arguments over just about anything, including religion or government. Too many people use poor passwords without enough entropy (disorder in a system), as most believe that passwords need to be memorizable. To a degree there is some truth to this, although there are a number of password management systems now available for free to the gp that remove the need for poor, memorizable passwords. Research these programs and make good use of them. The easiest passwords to crack are those that contain commonly used strings or dictionary words, e.g. 13579 or theaccount. Good passwords should look something like the following, which was generated on a Linux system using this command:


LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -n 1


password = X=UyY^+fq.!AE?9OGIC{


While many would agree that the likelihood of the ‘average’ user being able to memorize such a password is extremely low, the odds of a brute force attack succeeding, or of someone memorizing such a password by watching over one’s shoulder, are also low, as it presents no memorable pattern or words that someone would easily commit to memory. Another method that might be easier to remember, and nearly as effective, is the use of memorable phrases such as “I have two cats and I love them both”; however, to avoid the use of common dictionary words, one would transform the phrase into a form with much higher entropy:


1-hv-(1+1)=2c&I<3ThM2!
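As an added example (not code from the original post), the following Python counterpart to the tr command above draws from the same 94 printable non-space ASCII characters, estimates a password’s entropy in bits, and flags the two weak patterns the post names: digit progressions such as 13579 and passwords made only of dictionary words such as theaccount. The word list and the entropy thresholds are constructed for illustration.

```python
import math
import secrets
import string

# [:graph:] in the C locale: letters, digits and punctuation, no whitespace (94 chars).
GRAPH = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list standing in for a real cracking dictionary.
WORDS = {"the", "account", "password", "cats", "love", "them", "both", "have", "two", "and"}


def generate_password(length: int = 20) -> str:
    """Draw `length` characters from GRAPH using the OS CSPRNG (like /dev/urandom)."""
    return "".join(secrets.choice(GRAPH) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy of a random password: length * log2(alphabet size).

    The alphabet size is inferred from the character classes present, which is
    how a cracker would size its search space."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_digit_progression(s: str) -> bool:
    """True for strings like 13579 or 2468: all digits with a constant step."""
    if not (s.isdigit() and len(s) >= 3):
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1


def splits_into_words(s: str, words=WORDS) -> bool:
    """True if the whole string is a concatenation of dictionary words (e.g. theaccount)."""
    s = s.lower()
    reachable = [True] + [False] * len(s)   # reachable[i]: s[:i] splits into words
    for i in range(1, len(s) + 1):
        reachable[i] = any(reachable[j] and s[j:i] in words for j in range(i))
    return reachable[len(s)]


def weaknesses(password: str) -> list:
    """Return the reasons a password is weak; an empty list means none were found."""
    reasons = []
    if len(password) < 12:
        reasons.append("too short")
    if is_digit_progression(password):
        reasons.append("digit progression")
    if password.isalpha() and splits_into_words(password):
        reasons.append("dictionary words only")
    if entropy_bits(password) < 60:
        reasons.append("low entropy")
    return reasons


if __name__ == "__main__":
    # The post's own examples beside a freshly generated 20-character password.
    for candidate in ("13579", "theaccount", "X=UyY^+fq.!AE?9OGIC{",
                      "1-hv-(1+1)=2c&I<3ThM2!", generate_password()):
        print(f"{candidate:24} {entropy_bits(candidate):6.1f} bits  {weaknesses(candidate)}")
```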


One should also never use the same password twice. A person never knows which account may get attacked or compromised, so not having one password that works on multiple accounts can save a lot of headache and disaster down the road. If a person uses the same password on several accounts and one of those networks is compromised, whether by an outside attacker or a malicious administrator, all is lost: the attacker can now get access to anything that uses the same credentials. Remember, it’s not always an attack from the outside that one has to worry about; people on the inside can be just as shitty and malicious.


Foreign Tech


Always be wary when working on an unknown network or device. Most places such as an office, school, or any other public place should be considered a hotspot for disaster. In a workplace or school, employees are given a technology policy to acknowledge that states outright that one should not expect any level of privacy while using the network. Many people construe this as meaning only that they should not send personal email or spend time on social networks while on the network; however, other factors may be involved and should be considered. The more one knows about the various ways a person can gather information from any device on a network, the better prepared one can be to protect one’s own personal interests and privacy while on an insecure network. An insecure network is any network that a person does not have full control of, from the terminal to the outside.

The first concern is the possibility of keyloggers. A keylogger records every keystroke a person types on a computer and stores it in a file. That file can then be sent anywhere, or to anyone on the network, as determined by the administrators of those networks. If you are not the owner of the physical technology, the best defense is to work under the assumption that a keylogger has been installed and is running on the foreign technology.

http://compnetworking.about.com/od/networksecurityprivacy/g/keylogger.htm

Any employer, school, or public office personnel who are legit would never coerce an individual into using foreign tech to log into a personal account of any type. I worked at a place once where they were slow at providing a company email address and tried to force me into logging into a personal email account on a company computer. Needless to say, I was completely irate and never trusted my direct supervisor after that. In the long run, I was right, after a number of these idiot attempts. If this situation arises, try to use your own device, such as a tablet or smartphone, for lobbing the “immediately important” emails, but be aware of any spamming that may occur afterwards, as well as bad actors, now that a stranger has your personal email address. If the entity in question does manage to ‘blackmail’ you into using a personal account on foreign tech for any reason, change the password immediately afterwards, or even consider shutting down the account. Don’t get overly attached to email accounts.

Another good defense against the keylogger is the password safe mentioned earlier. In many situations the password safe will let the user copy and paste the username and password from the safe into the required field, completely bypassing the keystrokes that would normally occur. If no keys are pressed, nothing can be logged.

The Network

Once we have acknowledged the potential for a keylogger, we can also be sure that the network is compromised. This concept is usually told to employees up front, and one ‘really’ needs to remember it at all times. What this means is that any website visited, program used, or data entered, stored, or emailed to anyone else on that network is being recorded, stored, and possibly reviewed by entities you will most likely never know. In some situations it’s possible to read the faces and actions of people who would be likely candidates to have access to such information and determine through observation how active their monitoring is. Some people have good poker faces and some don’t. The dumbest ones try to create ‘real world’ actions from the information they collect. Don’t be one of these people, as it’s a stupid and predictable thing to do which only creates mistrust and puts you on the asshole list.

Storing and/or monitoring is a fact one needs to get used to. It’s actually a security precaution that can help save companies and institutions from lawsuits. If done properly, no one would know anything is going on, as it’s only when unfortunate situations arise from crazy people looking to cause trouble that the collected information comes into play. Thus the best offense is to say as little as possible to as few people as possible on an untrusted network. Never assume anyone is your friend or that anyone is going to back you up: not your employer, not your school, not your union... no one. It’s always a “user has been warned” scenario, and one has to use one’s own precautions and best judgment as to how careless or carefree one is willing to be on an untrusted network.

If possible, try to use a VPN (virtual private network). This entails either having an account with a VPN provider or creating what is known as an ssh tunnel to a remote device. The way this works is that an encrypted tunnel is created between the user’s terminal and a privately owned and trusted server somewhere else. Any data passing through any device on the path between the user’s terminal and the remote server is completely encrypted and useless to any shitty snoop and their monitoring tools. Using Tor can help immensely with private browsing and communication; however, most companies and institutions will not allow Tor on their networks simply because it gets a bad rap from misinformed FUD (fear, uncertainty, doubt) spreaders. The truth about the Tor network is that it is used by law enforcement, corporate entities, government agencies, and special interest groups such as witness protection and battered spouse protection so that they may sustain anonymity while using technology to go about their lives.

https://www.torproject.org/

http://www.pcworld.com/article/2030763/how-and-why-to-set-up-a-vpn-today.html

https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/

Efforts are currently under way by various groups to bring HTTPS to every website so that the concern over insecure browsing is greatly reduced. While this is becoming more prevalent, it is not a global deployment yet. Always try to ensure a solid HTTPS connection between your device and any site that requires login credentials. Pay attention to any variations or strange activity from regularly visited sites, even if they are HTTPS sites. There are ways of spoofing HTTPS, but it’s not very common and is becoming less common as cryptography and site certification techniques continue to mature.

https://www.eff.org/https-everywhere

https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web

EMail

Email is its own animal, and the security debate has been (and will be) going on for quite some time about what is warranted interception and what is not. People constantly ask to what degree a company has the right to store and read email created by its employees using company technology, and what level of privacy a person should be able to expect for their communications. The unfortunate (current) truth is that any email message generated on foreign tech and carried on a private network before reaching the outside lines is considered monitorable by the network and hardware owners. As such, it is vitally important that nothing is said in emails originating from such devices or networks that would not be said in a public forum. Company-provided email accounts should be considered to have the same level of insecurity and distrust. The best defense is to assume that the entire email system is bugged and compromised from the very onset.

One should also be aware of email spoofing on such networks. Do not automatically assume that emails received from person X are ‘actually’ from person X, or that a conversation with person Y is not actually taking place as a MITM (man in the middle) scam. Do not automatically assume that the conversation between you and X is being treated as private either. Person X may be providing ‘bait’ to try to get sensitive information or to set up an entrapment scenario that may lead to disciplinary measures later down the road.

Email spoofing is when an asshole tries to impersonate someone else to get you to share information with them that you would otherwise not share. It’s not exceptionally hard to do, but a person typically has to have a criminal mind to even consider such activity. Using good mail filters, spam control, and phishing protection can stop much of what the average asshole will try to pull on someone. Spoofing emails has become much harder with modern email security protocols; however, some persons with advanced network access, or connections to such individuals, can still find ways to spoof mail.

http://www.pcworld.com/article/253305/minimize_your_exposure_to_email_spoofing.html

The MITM takes a little more work to set up and requires a bit of advanced knowledge, which usually means someone with administrative capabilities on a network. The MITM simply does what they can to monitor and record any plain text messages that travel between two points. If the person doing this is a real jackass, they may also monitor any web activity that happens from the same device address. An aggressive MITM unfortunately puts you on the defensive, and getting around such activity requires a VPN, ssh tunnels, encryption, or even the use of the Tor network for all data that travels between you and the rest of the world.

http://www.makeuseof.com/tag/man-middle-attack-security-jargon-explained/

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

The very best defense for secure email is to use end-to-end cryptography. What this means is that as soon as you are done composing your message to X, a program on your computer encrypts the entire message so that only the intended recipient is capable of decoding it. To a MITM, or anyone along the network path, the message will look something like this:
[ASCII-armored encrypted message block omitted]

Believe it or not, the above message ‘actually’ says “this is an encrypted message”. Your recipient, X, would then use their encryption program to decrypt the message, which requires another password. This provides a level of protection even if a person gets access to X’s machine and opens their mail program, or gets access to a web mail account, looking for any information they could use to screw you or X over.


Encryption is not as difficult to set up as most people seem to think, and it is the best method of ensuring that any message sent from you to any other person reaches its destination unedited and unread along the way. Once encryption has been established, most programs handle all the difficult work automatically.

As a secondary measure, not as good as encryption but a means of making sure messages reach their intended recipient and have not been edited along the way, one can digitally sign the message after it has been composed. This level of security requires the same encryption software to be installed and used, although the difference is that the message can still be read by anyone along the message path between you and X. However, when X receives the message, they can validate the signature on the message and be assured that what was written did in fact come from you and was in no way edited along the way. A signed message looks similar to this, using the older inline message signing:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an example of a signed message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

[base64 signature data omitted]
-----END PGP SIGNATURE-----

As one can see, the original message can still be read, and the big blob at the end can be digitally verified by X’s system to confirm that the message has not been altered in transmission. Digital signing cuts out the potential for a MITM to hijack communications, as only you and X have the key pairs required to verify each other’s signatures; if the MITM tries to change the conversation in any way, the signature becomes invalid, and you and X can then call each other on the phone or find a different platform to discuss the problem in the network line of communication.


The newer method, called PGP/MIME, uses attachments to the message so that the message body is not cluttered with the signature block. Many modern mail programs can automatically read both types of signatures, and the ones that can’t should be avoided.

The signing method is great for companies and institutions such as schools to verify digitally, ‘beyond a doubt’, that messages between individuals have not been tampered with during transmission, while also keeping messages in clear text for liability reasons, should they arise. Without digital signing at a minimum, there is no guarantee on any network that communication between parties has not been compromised, whether by an external deviant criminal or a malicious employee with criminal intent.

http://threatpost.com/google-releases-end-to-end-chrome-extension-to-open-source/109935

https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp

Some people use the excuse that crypto is only for criminals or those who are trying to hide something; this is FUD and complete BS. Cryptography is used every time a person visits a website over HTTPS, to ensure that no asshole can hijack communications or steal our private conversations or data. It doesn’t matter if a person is just sending an email to their grandmother about what they had for dinner; the point is that this information can be hijacked by malicious criminals and used against someone, and it might be personal enough to cause harm to either of the two parties. Using full encryption or digital signing eliminates that risk and puts malicious assholes out of business; period. Legitimate people are the ones who do not care if a person uses encryption or not, as it’s only a means of guaranteeing that the information sent to them has not been read or tampered with by anyone along the message path.

When the topic of handling email is presented to me, I simply point people to what Federal law says about US mail in general. For those who have taken the time to consider the legalities surrounding the movement of mail, whether in physical or electronic form, precedent dictates the legal handling of mail. Unfortunately, lawless and criminal people don’t care about this, and it is one’s ability to follow the law, or negate it, that dictates one’s character as either a criminal or a quality citizen.

http://www.law.cornell.edu/uscode/text/18/1708

Update 1/15/2015

Concerning email beyond the actual messages sent, make every effort to use two-step authentication. Using two-step can be a PITA, but it is a very good method of ensuring your account stays in your control. Learn to work with two-step, as it can be rather complex when multiple accounts become involved, when linking devices together, and when setting up MTAs (Mail Transfer Agents) and securing MUAs (Mail User Agents). More than once I have gotten alerts from mail accounts that someone didn’t have the right credentials, as well as from my own testing to ensure the account is still in my control.

The Hotspot

In most homes there is a device referred to as the modem. There is only one modem on most home networks, and what this device does is modulate and demodulate the analog signal that comes over the wire into a digital signal that electronic devices can understand. This device is the single point of personal security deterioration in the home. Both ISP companies and any person with administrative access (the account holder) to this device can snoop network traffic and destroy the privacy of anyone who passes data through it.

It’s an unfortunate situation, but many large ISPs simply can’t be trusted to play a neutral role in moving traffic through their networks. Some of this is based on company policy, some of it comes from rogue employees who abuse their positions, and some of it comes from government agencies who impose themselves on the carriers. Other possibilities include meritless warrants whose validity is not questioned by the carrier. Whatever the circumstances may be, one should not put any significant level of trust in the idea that data passing through one’s modem is being handled with proper care to ensure data privacy or security.

http://politicalticker.blogs.cnn.com/2008/11/21/verizon-employees-fired-over-obama-cell-phone-breach/

https://www.techdirt.com/blog/netneutrality/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml

http://www.dslreports.com/shownews/Comcast-Users-Struggle-To-Keep-Rented-Routers-From-Sharing-WiFi-131719


Social Engineering

One of the hardest security issues anyone will have to face is social engineering. This includes what gets said to whom, who is eavesdropping on a conversation, who is ‘overly’ eager to be one’s friend, and those individuals who stalk their targets trying to dig up useful information that can be used in a malicious way. Social engineering takes time to spot and unfortunately can come from a variety of sources, not necessarily technical in nature. One needs to exercise caution when dealing with strangers, above and beyond just what is said, regarding what information is passed along as well as what information is left exposed to be harvested by malicious individuals.

Be cautious when entering passwords around people who would look over your shoulder while doing so. I once worked with a technician who would watch over my shoulder while I unlocked a secure file cabinet from which I had previously had problems with important documents going missing. Knowing full well what was going on, I would immediately change the code as soon as the technician left. Reporting the incidents to management didn’t make a difference; the standard response was “not my problem”. Quality and legitimate people will turn away when passwords or security codes are being entered; it is an immediate sign that separates the quality people from the assholes.

Always be wary of the individual who tries too desperately to be your friend. These are the people who, more often than not, know someone who is using them as a puppet to dig information out of you on their behalf. Joe claims to have so much in common with you and wants to be your friend; Joe and Dave (whom you don’t care for much) are the best of friends, but you don’t know that. Everything you say and do gets reported by Joe back to Dave. These situations happen all the time, and in reality Dave is still an asshole and Joe is a puppet. In real situations, people are cautious of strangers and are not very likely to want to be friends too eagerly. When a person encounters this scenario enough times, it becomes much easier to distinguish the social engineers from the legitimate people.

In some situations, Joe might legitimately want to be your friend. You might get a good sense of legitimacy from Joe, decide he’s ok, and start a relationship. Joe might still be feeding information back to Dave, but you are still in control of what information you share with Joe. If Joe becomes overly demanding in discussing things you are not comfortable sharing with anyone, a simple response of “I’m not comfortable talking about that” should in all cases suffice, and the topic is dropped. If Joe is trying to pump you for information, he will become aggressive, either trying to ‘force’ you to give up the information through badgering or bringing the topic up again at a later date. Use your gut instinct; more often than not, it’s better to be safe than sorry with the information you share with other people.

http://www.howtogeek.com/180186/htg-explains-what-is-social-engineering-and-how-can-you-avoid-it/

https://blog.spideroak.com/20140521100000-considering-you-most-vulnerable-secuirty-links-how-to-combat-social-engineering-attacks

http://www.academia.edu/7978172/Social_Engineering_Human_Hacking

http://www.ieee-security.org/TC/SPW2014/papers/5103a236.PDF


Conclusion

Ultimately it is our understanding of the situations we’re in that dictates the level of security measures we need to take. If one is unsure, look it up and ask people you trust. With the levels of technological data theft available to the average criminal, one has to be more cautious than ever before with the information that is shared between people. Good people will understand the security concerns and measures one takes, as they most likely use similar measures and share the same concerns. Criminals, and those with an intent to do harm, are detectable, but it takes time to learn how to read the behavioral patterns that expose them. The best advice to anyone is to deploy the most sophisticated security measures you are capable of to ensure your own safety and security in any situation, whether on a technical device or among the general public.

This post covers only a small portion of the dangers one may encounter or deal with on a daily basis. I don’t want to be one to alarm people, and I wouldn’t suggest that absolutely no one can be trusted. Real trust takes time to establish between two people, regardless of their relationship with each other. However, if people respect the privacy of others to the degree they wish their own to be respected, then trust can be built much faster between the two parties. Often a person will try to use their rank within a company or institution as leverage for being trusted; don’t buy into it. Persons at all levels of an organization or institution can be corrupt or be involved in unlawful or criminal behavior. While this is by no means a suggestion that one should be disobedient, it’s simply an overview of awareness of what can potentially happen and, in some regards, situations that I have encountered or experienced.

