Steve's Security Tips For Keeping Your Stuff Private

While discussing cyber security and online safety with clients, family and friends, I’ve had several of them ask me for guidance on how to secure their communications and web activities. While a thorough examination of all the detail surrounding privacy, security, and good online habits could be the length of a book, let me give you some of the basics along with a few links to learn more.

There are several reasons you should care about whether your online, digital communications and web surfing are private:

a) Tracking: Ever wonder how Facebook knows you just shopped for Corningware at Amazon and suddenly the ads on Facebook are displaying other bakeware companies? Would you be surprised to know that nearly all websites you visit set a little digital file called a “cookie”—a file that can prove to be very beneficial most times—but that some cookies are set by third party companies that do nothing but track ALL of your website visits (and much more) everywhere? 

b) Are You Naked on Public Wifi? If you ever connect to a public Wifi hotspot, you should know that it is trivial for a Wifi hotspot to be spoofed and you might have already inadvertently connected to one! There are also packet sniffers that let a blackhat hacker view any unencrypted traffic going back and forth between your laptop or device and the Wifi router.

Want to see how incredibly trivial it is to create a man-in-the-middle attack and spoof a Wifi hotspot? Then read this article, which should scare the bejesus out of you (it did me). It’s called Maybe It’s Better If You Don’t Read This Story on Public WiFi and its tagline is this:

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.

If after you have read that article you are still logging on to public Wifi hotspots without using a VPN, please comment below and give me your argument as to why you think it’s OK to get online with public Wifi and no VPN. I’ve yet to hear a single, valid reason why someone shouldn’t connect securely.

c) Government Surveillance: You’ve undoubtedly heard about Edward Snowden, who revealed the mass surveillance apparatus the National Security Agency has in place and that they are scooping up ALL metadata about who called whom; what websites you visit and searches you perform; what texts you send; who your Facebook/Twitter and other friends are; what photos you post; and much more.

As a preview to what might very well happen here in the U.S. under a Trump administration, a new law just passed in the United Kingdom and it will give you a taste of what is probably coming to America…and soon…and why we all need to be more diligent about our privacy and security. The UK Now Wields Unprecedented Surveillance Powers — Here’s What It Means spells out what we could expect in the US in the near future:

The UK is about to become one of the world’s foremost surveillance states, allowing its police and intelligence agencies to spy on its own people to a degree that is unprecedented for a democracy. The UN’s privacy chief has called the situation “worse than scary.” Edward Snowden says it’s simply “the most extreme surveillance in the history of western democracy.”

The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and granted royal assent on November 29th — officially becoming law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary.

It is also probable that both the UK and the US will take steps to ban end-to-end encryption (one reason I use more and more services outside the US) and/or legally force companies to insert backdoors in their software so law enforcement can get into the computer or device you own, especially without having to secure one of those pesky search warrants. It’s actually a lot more ominous than that, but writing much more about it is beyond the scope of this post.

Are you scared now?

You should be. I am, and I stay abreast of all of this every, single day. Read on for some specific tips and tricks to stay safe online.

Edvard Munch’s painting The Scream…and a few scared internet users


Here is what you can do now to radically improve your privacy and security online immediately:

Step One: Secure Yourself

a) Get a Password Manager: There is absolutely no reason for you to use the same password (or some easily guessable variant like a birthdate) on every site. Whining that “I can’t remember all these passwords though!” is exactly why you need a password manager. In my secure vault I have literally hundreds of passwords and every, single one is different! Added to that vault are secure notes with information in them that has to remain confidential. Though I use LastPass personally (and it is now FREE, by the way), here is a good post at LifeHacker on The Five Best Password Managers if you’d like to know more or have a few other choices.

b) Use Two-Factor Authentication (2FA) when it’s available! If you have a mobile phone, you can use two-step verification. You log in and are then presented with a box asking for your six-digit code. This code changes every 30 seconds and its time-based, one-time password algorithm means that it cannot be predicted by some hacker, even if that hacker already has your password. I use Google Authenticator for iPhone and, of course, it’s available for Android too.

If you have email with one of the big providers (e.g., Gmail, Yahoo Mail, Outlook, etc.), shop at Amazon or Apple, or use one of the dozens of major web services that have implemented two-factor verification, then even if someone does steal your email password they’d also have to have your mobile phone in order to access your email account.

c) Get a Virtual Private Network (VPN) Service. A VPN sets up a secure, encrypted “tunnel” through which all of your computer or device’s traffic travels. Your internet service provider cannot see (or capture) your traffic and neither can hackers. I won’t rehash what I said in my post You’re in Danger on Public Wifi! but, suffice it to say, if you do not use a VPN and you do use public Wifi anywhere (e.g., coffee shop, airport, at a conference) you are playing Russian Roulette with your security. If the bullet is not yet in the chamber, given enough spins the bullet will be and you will be hacked.

I use a service called Private Internet Access (PIA) and it costs $6.95 per month or, if you pay for one year in advance, it’s only $39.95 and includes up to 5 devices. My other top choice—and one I intend to switch to when my PIA subscription is up—is called NordVPN. It is a bit more expensive for a year at $69.95, but has significantly more features and offers up to six devices to be connected simultaneously.

d) Uninstall Adobe Flash: This article in Forbes talks about why Adobe Flash’s days are numbered: “For what seems like forever, the Adobe Flash plug-in has been abused by hackers to infect people’s computers. Despite introducing automatic updates and getting serious about Flash security, it’s still the most popular way for cybercriminals to wreak havoc.”

Seriously. Uninstall Adobe Flash from your computers since it’s a security nightmare (here is how to Uninstall on Windows & Uninstall on Mac). Google is removing Flash from Chrome and Microsoft from its new Edge browser. It’s over anyway and Flash will soon be history.

Step Two: Secure Your Email

Your email account getting hacked is your #1 problem and, if it gets hacked, you could lose more than you can imagine.

Just ask Wired magazine contributor Mat Honan, who was hacked hard in 2012 and had his MacBook, iPhone and iPad erased (how he recovered his most important data, for $1,690, is here). It should also be noted that Apple, Amazon and others have since implemented a 2-factor authentication (2FA—see more below) fix for Mat’s original issue.

Even after that highly publicized fiasco, most people I know still use super-simple passwords for their email. They also use no other security measure to make certain their email can’t get hacked. It makes me sad so I’m going to try one more time to scare the crap out of you so you take action.

What could happen if a black-hat hacker stole or brute-forced your email account password:

  • Do nothing but watch and read your email and steal the occasional, high-value piece of information (perhaps from your customers’ emails sent to you?).
  • Go to all of your accounts, click “Forgot your password?” and reset your passwords at your bank, brokerage, Facebook, Twitter, and other accounts, and then they own you. If they get into your Apple iCloud account they can wipe all your machines, just as Mat Honan experienced, since the reset link always goes to your email. You would instantly lose access to ALL of those accounts and would have to scramble to stop the tsunami of problems, that is, if your own devices weren’t already erased.
  • If any documents you sent in the past are archived in your email account—and contain your Social Security number or other personal, private data—your entire identity could be stolen.

Using 2-step authentication is key, but doing so does NOT mean your email is encrypted and, in the case of the big email providers mentioned above, it still means they can scan your email and present ads or store tidbits of private information in your digital dossier. In addition, these providers hold the master key to access your email and can hand it over to law enforcement and, arguably, the various intelligence services.

a) Consider Encrypting Your Email: So how can you encrypt your email so that only you and the intended recipient can read it? The easiest way is to sign up for the service I use called Protonmail. The company is located in Switzerland, a country that remained neutral even through world wars.

The Protonmail service is the easiest encrypted email method I’ve ever used. It uses end-to-end encryption, you can keep your account anonymous, it is fully open source and has been vetted by top security experts, and it works like you’ve come to expect from a top email provider. Go and sign up for a free account and try it out. Send me an email at steve.borsch (at) protonmail.com if you want to have someone to send an end-to-end encrypted email to so you can see how it works.

Step Three: Update, Update, Update

Most technical folks hammer on their friends and family who are somewhat naïve, beginners, or otherwise less-than-tech-savvy users who don’t bother to back up their computer or devices and run updates. Let me be crystal clear: Running updates is the #1 most important thing you can do to keep secure.

Why? Because the moment security vulnerabilities are discovered and published they are “in the wild” and blackhat hackers quickly exploit them. Knowing that many people don’t bother to run updates when they are first released (if ever), attackers count on some percentage of people remaining vulnerable to these exploits. That’s why so many people get malware on their computers or have their devices hacked through a known and patched vulnerability, even long after an update has been released to fix it.

Step Four: Secure Your Web Browsing

There are many ways to secure your web browsing but let me give you a few that will get you started:

a) Install Privacy Badger (requires Chrome, Firefox or Opera browsers). Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web.

b) Use “Private” or “Incognito” Mode: Modern browsers allow you to open a window that does not store cookies and helps you maintain a minimum level of anonymity.

Why only a minimum level of anonymity? While these modes keep the browser from storing information about the websites that you have visited, if you log in to some service like Google or Facebook while in the browser’s private mode, websites you visit will still have records of your visit, and any files saved to your computer will still remain on your computer.

Moreover, remember that Internet Service Providers (ISPs) can and do store information about your surfing habits, which could make that ‘incognito’ surfing session you’ve been on a little less incognito than you might think. At the very least, the websites you visited are tied to the IP address your ISP has assigned to you.

c) Use Multiple Browsers: It’s smart to use multiple browsers for different tasks. For example, use Chrome for your main browser and Firefox as the one you use to log in to Facebook. Google will still track you with Chrome but you won’t have Facebook also following you around the web. Then, for example, you could use yet another browser like Opera (or Safari on Mac or Edge on Windows) for online shopping activities so your purchases remain relatively private (and you won’t also have an ecommerce seller like Amazon or Target tracking you around the web!).

Optional Site Specific Browsers (SSBs): If you’re on a Mac you might want to know about a tool I use called Fluid app which is described by its creator as:

“Web applications like Gmail, Facebook, Campfire and Pandora are becoming more and more like desktop applications every day. Running each of these web apps in a separate tab in your browser can be a real pain. Fluid lets you create a Real Mac App (or “Fluid App”) out of any website or web application, effectively turning your favorite web apps into OS X desktop apps.”

I use Fluid to create SSBs for Facebook, multiple Google Apps accounts, client accounts, different team sites that are difficult to have multiple logins for within any single browser, and other uses that I choose to keep self-contained. SSBs are VERY USEFUL: they keep accounts separate and, most importantly, keep their respective cookies self-contained. So anything I view or surf in Facebook that sets cookies stays in that SSB only!

Step Five: Step It Up!

At a minimum complete those top three steps and do them immediately. Then consider these others as you become more confident in your secure communication and web use:

a) Use Tor: The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained (portable).

Just make certain that you read and understand their warnings about what you should, and should NOT do, when using Tor. Otherwise you’ll not be anonymous.

b) Use Signal: Signal is an encrypted instant messaging and voice calling application for Android and iOS. It uses the Internet to send one-to-one and group messages, which can include images and video messages, and make one-to-one voice calls.

What really sold me on Signal was when my wife was on a recent business trip to Hong Kong. Her hotel’s Wifi was set up to disallow the use of VPNs so she was not able to set up a secure, encrypted channel. This is because of what is euphemistically called the Great Firewall of China, which the country uses to restrict what its citizenry has access to outside of China. It is also set up to capture, and restrict, all communications from hotels as well.

So my wife and I connected on Signal and, because the system has both private messaging and voice calling, we knew we would be secure and assured that some Chinese government flunky wasn’t eavesdropping on our messages or listening in on our calls. It worked flawlessly.

Signal uses standard cellular mobile numbers as identifiers and end-to-end encryption to secure all communications to other Signal users. The applications include mechanisms by which users can independently verify the identity of their messaging correspondents and the integrity of the data channel. In addition to the mobile versions there is a Google Chrome app that can link with a Signal client on your smartphone. Read my recent post about Signal here.

c) Use privacy-oriented search engines. DuckDuckGo is a very good search engine that does not collect or share personal information. It emphasizes protecting searchers’ privacy and avoiding the filter bubble of personalized search results. It does not profile its users and deliberately shows all users the same search results for a given search term.

d) Get Geeky: There are a lot of other things that you could grow into with security. For example, I have a Ubuntu Linux container that runs in my Parallels virtual machine (VM) software. Inside it is my VPN (which connects when the Linux VM boots), the Tor browser, and a few other things. After a particularly robust security research session—one in which I might be on the darknet poking around—I will quit the VM and delete it, just in case I was hacked during that session. Then I’ll copy over a pristine copy that is ready to use the next time.

On occasion I’ve had to resort to booting from a thumb drive on someone’s computer since that USB drive contains a version of Tails. This light, basic, “leave no trace” version of Tor/Linux means that there is nothing at all left as you connect over the internet.

NOTE: In the VPN discussion above I mentioned NordVPN. This provider also offers Tor over VPN for yet another layer of security.

Hope this helps you stay private and safe out there. The only downside to knowing more is, as you learn about all the possible ways your machines can be infiltrated and you spied upon, you’ll become increasingly paranoid. Of course, that doesn’t mean they’re not out to get you.  😉

Comment below if you have any other suggestions.

About Steve Borsch

I’m CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you’re already weary of me telling you how incredible and awesome I am.

Comments

  1. Thomas T. Benson says:

    Like your list Steve but it is particularly helpful to have your anecdotes in there too.

    The only thing I would differ on is that some 2FA implementations use SMS to send the code and that method can be spoofed or hacked without too much trouble.

  2. Steve Borsch says:

    Thanks for the kind words Thomas.

    You are absolutely right on the SMS thing and it does agitate me when companies (like Yahoo) implement their 2FA in this way. Tweeting to them is one solution, but they want to take the easiest path…not the most secure.
