I’ve been dubbed “Mr. Security” by my friends, family and clients (I pay significant attention to, and use, cybersecurity, privacy and software measures), but my pleadings with them to be secure are often ignored…until they get hacked. Then they plead with me to help them out and get their digital life on track. Usually it’s too little, too late, and the work to recover is enormous.
You should care deeply about your digital life and its security, especially since the risk of getting hacked is exploding! The World Economic Forum in its 2018 report (PDF) said blackhat hackers are gaining the upper-hand in cyber warfare…and they are coming after you…and even the experts can’t keep up:
“Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents.”
Here’s the good news: if you haven’t yet been hacked it’s likely you will be at some point, so let’s get you cyber secure NOW!
I was delighted this morning to discover this Security Checklist, “An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.”
The Security Checklist is very comprehensive, easy to follow, and one you should look at and implement as quickly as possible. It gives you the “why” and specific resources to use for each category, making this pretty brain-dead-simple to follow and implement:
- Password Manager
- Create a strong device passcode
- Use two-factor authentication
- Set up a mobile carrier PIN
- Encrypt your devices
- Freeze Your Credit
- Use 22.214.171.124 for DNS resolution
- Use a VPN
- Cover your webcam
- Use a privacy-first web browser
- Use a privacy-first search engine
- Review app permissions on your devices
- Review your social media privacy settings
- Educate yourself about phishing attacks
For years I’ve been a staunch supporter and trusted Google, loved their services like Google Suite, Gmail, Google Voice, and others, all while admiring their machine learning and artificial intelligence research. One thing I specifically trusted was Google’s Don’t Be Evil motto which was baked in to their Code of Conduct for the company.
Then, back in May, I became troubled when they removed Don’t Be Evil and replaced it with Do The Right Thing. At the time I joked with a friend of mine asking him, “Is ‘do the right thing’ for us, or for Google?”
It appears the motto change was focused on Google.
The biggest shift away from that “Don’t Be Evil” motto that Google has ever done just happened. Though this thread started on Hacker News a few weeks ago, a cryptographer and professor at Johns Hopkins University whose blog I follow, Matthew Green, wrote a post entitled, Why I’m Done with Chrome. In it he said:
A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.
Green also sees this move as having serious implications for privacy and trust. Do you think!?! My trust-level in Google has plummeted. So much so that I have now shifted 100% back to Mozilla’s Firefox browser and away from Chrome. I will no longer use Chrome until they change the way they infiltrate my privacy.
SO WHAT EXACTLY DID GOOGLE DO?
Google’s recent update to Chrome (browser version 69) has done something unprecedented in their history:
a) Once you log in to Chrome as a user, Google can (and does) track EVERYTHING you do in the browser. Every site you view, every login. The change? If you log in to any Google service in the Chrome browser, Google will log you in to that browser to give them access to everything you’re doing within Chrome.
c) Google is increasingly using “dark pattern” user interfaces in their services to hide or obfuscate what something does when you check, uncheck or choose an option. In ExtremeTech’s article Chrome 69 Is a Full-Fledged Assault on User Privacy, they describe how Google’s dark pattern user interfaces obscure their intent to get you to enable them to do the right thing for Google:
These changes are all part of what’s known as a dark pattern. If a pattern is defined as a regularity in the world (designed or naturally occurring) that repeats in a predictable manner, a dark pattern is an attempt to trick users by designing interface options that look like the options users expect to see.
I, for one, don’t want to research, study or figure out how a company I trust might be trying to trick me into doing something that is in THEIR best interest…and not mine. I’d rather pay for offerings and am growing tired of “being the product”.
- GOOGLE NEWS COVERAGE: FIND IT HERE (yes, I’m aware of the irony)
- THE VERGE: Google criticized for Chrome change that logs users in without telling them The latest version of the browser, Chrome 69, is pushing users into sharing more data, say critics
- WIRED: A Seemingly Small Change to Chrome Stirs Big Controversy
- THREAT-POST: Google’s Forced Sign-in to Chrome Raises Privacy Red Flags
- INQUIRER: Chrome 69 secretly logs you in to Chrome Sync when you visit a Google site
- SECURITY RESEARCHER S. BÁLINT: Chrome is a Google Service that happens to include a Browser Engine
This morning the U.S. Supreme Court ruled that police must obtain a search warrant in order to get access to cellphone location information.
This is HUGE and a big win for anyone who cares about intrusive, mass, warrantless surveillance that amounts, by any measure, to illegal searches and (data) seizures.
Chief Justice John Roberts sided with the “liberal” justices (ones I instead use the adjective “strategic” to describe). This National Public Radio (NPR) story In Major Privacy Win, Supreme Court Rules Police Need Warrant To Track Your Cellphone put it succinctly:
The majority declared that the Fourth Amendment guarantees an expectation of privacy and that allowing police to obtain moment-by-moment tracking of an individual’s cellphone location is a kind of surveillance that the framers of the Constitution did not want to occur without a search warrant.
The chief justice said that this sort of tracking information is akin to wearing an electronic ankle-bracelet monitoring device and that the citizens of the country are protected from that kind of monitoring unless police can show a judge that there is probable cause of a crime that justifies it.
The 2014 Edward Snowden revelations about mass, warrantless surveillance of U.S. citizens — performed by the signals-intelligence-focused National Security Agency (NSA) — were an enormous concern both domestically and internationally, since the NSA’s clear mission was to focus only on foreign signals intelligence while excluding spying on American citizens. The outcry domestically and internationally reached a fever pitch…but little was revealed about what was being done to stop mass, warrantless surveillance.
Then some of Snowden’s document releases were published and it was revealed that all of this vacuumed-up data had a “Google-like search engine” that could be used to scour all data for an individual or group. Somehow the Drug Enforcement Agency (DEA) and other law enforcement agencies were being provided with data that couldn’t be challenged in court due to “national security concerns” so the extent of data being swept-up has never been completely understood.
The bottom line? The accelerating “surveillance State” was already out of control and Congress seemingly turned a blind eye toward it and extended its capability.
Though it has taken too many years for the Supreme Court to weigh in on the Constitutionality of warrantless surveillance, the explosion in law enforcement’s use of cellphone tracking devices like Stingray meant that warrantless tracking by police agencies was low-hanging fruit for the court to address.
In my mind it’s too little, too late…but it’s a start.
Email is your most important application whether you access it in a web browser or with an app on your smartphone or tablet. If your email gets hacked, it is trivial for a blackhat hacker to go to your online accounts with a bank, stock brokerage, ecommerce site, and reset your passwords…
…and then gain control of all your accounts!
But you can easily and quickly protect your email. In the case of Gmail, you can set up another layer of protection: two-factor authentication (2FA, also called 2-step verification). 2FA makes your smartphone an additional, secure method of proving it is you trying to log in to your Gmail. If you set 2FA up and turn it on, a hacker would have to have both your email password and your smartphone in order to gain control over your email account!
There is a new tool for hacking into an iOS device (i.e., iPhone or iPad) that you should be aware of, and it is the reason you should change your password NOW…but also make it a strong one.
A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors.
Matthew Green, assistant professor and cryptographer at the Johns Hopkins Information Security Institute, said on Twitter that GrayKey has an exploit that disables Apple’s passcode-guessing protections (i.e., SEP throttling) AND that a 4-digit passcode can be cracked in as little as 6.5 minutes on average, while a 6-digit passcode can be calculated in roughly 11 hours:
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Another Motherboard article emphasized that you should immediately Stop Using 6-Digit iPhone Passcodes and yes, you should.
Why a Long, Secure Password Now?
Security and convenience are always a trade-off. But I’ve set up a password for my devices that, according to this password checker, will take 44 thousand years to crack BUT it is easy for me to remember, and to use, as my iOS “custom alphanumeric code.” This password has numbers, upper/lower case letters, along with a few special characters (e.g., !@#$%^&*()).
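As a worked illustration of the arithmetic behind Green’s estimates and of why a custom alphanumeric code changes the picture, the following Python (added here; it is not Green’s code nor anything from the page) back-solves a per-guess rate from the “4 digits: ~13 min worst” figure and applies it to longer numeric and alphanumeric codes. The 80 ms per guess and the 72-symbol alphabet are assumptions.

```python
# Assumption (not stated on the page): "4 digits: ~13 min worst" implies roughly
# one guess every 80 ms (~12.5 guesses/s) once SEP throttling is out of the picture.
SECONDS_PER_GUESS = 0.08

SEC_PER_MIN = 60
SEC_PER_HOUR = 3600
SEC_PER_DAY = 86400
SEC_PER_YEAR = 365.25 * SEC_PER_DAY


def keyspace(length, alphabet_size):
    """Number of possible passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def crack_times(length, alphabet_size=10, seconds_per_guess=SECONDS_PER_GUESS):
    """Return (worst_case_seconds, average_seconds) for an exhaustive search.

    Worst case tries every code; a random code is found, on average, halfway through.
    """
    worst = keyspace(length, alphabet_size) * seconds_per_guess
    return worst, worst / 2


def humanize(seconds):
    """Pick the unit that keeps the number readable, the way the tweet does."""
    if seconds < SEC_PER_HOUR:
        return f"{seconds / SEC_PER_MIN:.1f} min"
    if seconds < 2 * SEC_PER_DAY:
        return f"{seconds / SEC_PER_HOUR:.1f} hrs"
    if seconds < SEC_PER_YEAR:
        return f"{seconds / SEC_PER_DAY:.1f} days"
    return f"{seconds / SEC_PER_YEAR:,.0f} years"


def table(alphabet_size, lengths):
    """Rows of (length, worst_seconds, average_seconds) for each passcode length."""
    return [(n, *crack_times(n, alphabet_size)) for n in lengths]


if __name__ == "__main__":
    print("Numeric passcodes (digits only):")
    for n, worst, avg in table(10, (4, 6, 8, 10)):
        print(f"  {n:2d} digits: ~{humanize(worst)} worst (~{humanize(avg)} avg)")
    # Assumption: a "custom alphanumeric code" drawn from upper/lower letters,
    # digits and ten punctuation marks gives a 72-symbol alphabet.
    print("Custom alphanumeric passcodes (72-symbol alphabet):")
    for n, worst, avg in table(72, (6, 8, 10)):
        print(f"  {n:2d} chars : ~{humanize(worst)} worst (~{humanize(avg)} avg)")
```

The same rate that turns a 6-digit code into a day’s work turns an 8-character alphanumeric code into a job measured in millions of years.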
Do I have something to hide? Nope. But the reason I lock my front door, have security cameras and alarm system, and don’t invite random people in to dig through my drawers or important-papers in filing cabinets, IS THAT MY STUFF IS *MY* STUFF AND PRIVATE! I intend to keep it that way so I protect the shit out of things I want to keep private AND SECURE.
If you travel outside the U.S. like my wife or I do and come back in with your device, TURN IT OFF. That is because U.S. Customs is increasingly grabbing traveler’s devices and disappearing with them to a back-room, apparently to hook them up to a device to suck off all the data. While this hasn’t yet directly affected U.S. citizens, there is nothing stopping other countries from doing the same thing.
Plus, once all of your data is captured, government agencies have enough cracking resources to take their time cracking the device data they have previously stored. It might take them a year now, but after quantum computing becomes a reality (if it isn’t already real) in the next several years, those cracking times may be reduced to minutes instead of days or years.
Police agencies within the United States may also be less adherent to the U.S. Constitution and Bill of Rights when it comes to the gray area surrounding digital search and seizures, even though in 2014 the U.S. Supreme Court addressed two cases, Riley v. California and United States v. Wurie, dealing with cell phone searches and the search-incident-to-arrest exception to the warrant requirement. During searches incident to arrest, the high court has not required warrants under certain circumstances where protecting officer safety and preventing evidence destruction are at issue. For more, read this at FindLaw.
The U.S. Border Patrol also could be in a position to do whatever they damn well please — within 100 miles of the U.S. border — as you can see from this article at the American Civil Liberties Union (ACLU):
What Can You Do?
- How to Create a Password You Can Remember
- Four Methods to Create a Secure Password You’ll Actually Remember
- Know Your Rights is a good primer from the Electronic Frontier Foundation; read it now and download their printable “pocket guide” here.
The Department of Homeland Security (DHS) is doing something unprecedented for a tactical government bureau: they just released a draft request for companies to bid on their “Media Monitoring Services.” This request from DHS seeks a firm that could build them a searchable database that has the ability to monitor up to 290,000 global news sources:
Services shall enable [the DHS’s National Protection and Program’s Directorate] to monitor traditional news sources as well as social media, identify any and all media coverage related to the Department of Homeland Security or a particular event. Services shall provide media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.
They’re claiming “standard practice” but DHS is NOT an intelligence service, and global monitoring is what the National Security Agency performs, as does the Central Intelligence Agency. WTF is DHS going to do with this sort of database? Why do they need “media influencers” and “bloggers”? The request specifically asks for:
24/7 Access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.
Most troubling was their intent to have this database indicate what the coverage “sentiment” is:
[The database shall have the] ability to analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, AVE, top posters, influencers, languages, momentum, circulation.
Why am I concerned and bringing forth a story like this one? Because our Department of Homeland Security potentially has an enormous tactical advantage set forth in the Constitution that could allow them to subvert our protections under that very Constitution and our Bill of Rights. Don’t believe me or think I’m paranoid? Then read this about our Constitution and the 100-mile border zone that DHS could essentially do whatever they damn well please within, like searching our “sentiments” when within a border zone and restricting our movements if we’re deemed a threat to homeland security.
To say the shit-hit-the-fan after this release is an understatement. Here is a Google search that has articles from Forbes, Bloomberg, CBS News, CNN, Chicago Sun-Times, and a host of others. Here is a Twitter search to allow you to read thousands of tweets questioning why in the world DHS needs such a database.
Many of us “bloggers” also leapt on this story as it is clearly easier for DHS to level suspicions at us. It’s also significantly easier to intimidate an individual than it is an institution filled with journalists like CBS News or CNN.
That said, other government agencies, like the FBI, have adopted secret rules to spy on journalists who publish classified information and hunt down their anonymous sources.
While all the articles I read were questioning the ‘why’ behind having this database, DHS’ spokesperson, Tyler Q. Houlton, had this to say in response to their sh*t hitting media’s fan:
Despite what some reporters may suggest, this is nothing more than the standard practice of monitoring current events in the media. Any suggestion otherwise is fit for tin foil hat wearing, black helicopter conspiracy theorists. https://t.co/XGgFFH3Ppl
— Tyler Q. Houlton (@SpoxDHS) April 6, 2018
My gut tells me that the “why” behind this database is that DHS wants to have a searchable one so they can perform quick lookups for those crossing our borders, being stopped at checkpoints, and potentially for those of us who happen to be within 100 miles of any border.
Read the bid yourself below or download it here: RNBO-18-00041_SOW_-_Draft
Staying secure with our communications is finally easy and, only recently, Signal added a computer-client for Mac, Windows and Linux which ties to your smartphone’s Signal app and works flawlessly.
Using encryption for your critical communications has always been a challenge, even for those of us who are hard-core technoweenies. But all that changed when an American computer security researcher and cypherpunk named Moxie Marlinspike created the Signal protocol and later an app called Signal (which is available here for iPhone, Android or desktop/laptop computers).
Signal is widely regarded as the most secure and easiest to use encrypted texting and calling application. It’s a vital tool for journalists, whistleblowers, and ordinary citizens. But it is also so good that the U.S. Senate approved the use of Signal by its staffers due to its end-to-end encryption and bulletproof security.
Even WhatsApp, the communication app that boasts well over 1 billion users, leverages the Signal protocol as the underpinnings of their wildly successful messaging platform.
Why should you use it? With Signal you can send high-quality group, text, voice, video, document, and picture messages anywhere in the world without SMS or MMS fees (obviously you need an internet connection on your phone or computer). But rather than re-hash all the reasons why you should use it, take a peek at a post I wrote in October of 2016 that will detail Why You Should Use the Signal App.
Don’t just take my word for it though:
After Equifax finally revealed that they had been breached and personal credit information (and credit card numbers) on as many as 143 million Americans had been stolen, they created EquifaxSecurity2017.com for information and enrollment which, as it turns out, should have been named EquifaxINSECURITY.com.
Why? Because when I tried to sign up, their TrustedID web application didn’t come up, returned an error, and then finally displayed after two minutes without a theme! As you will see from the screenshots below, someone like me with A LOT of cyber security knowledge is concerned; even though I did verify that their certificates were valid, my Equifax trust level is very, very low.
View five screenshots of why this failed and why even I, someone with the skills to determine if this is a real app loading from Equifax, don’t trust it:
Regardless of browser-type used, I’ve always been **extremely** cautious about loading extensions, especially if they’ve been created in God-knows-what-country and ask for permissions that are worse than leaving your front door open with the key in the lock!
There have been a number of compromised extensions recently in Chrome (see “Attackers Go on a Chrome Extension Hijacking Spree – Several More Compromised”) and other browsers are not immune. But it’s this recent spate of Chrome-based extension compromises that is the biggest worry.
How-To Geek just published Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them and it is absolutely worth a read, especially with warnings like this:
“Modern web browsers like Google Chrome and Microsoft Edge have a permission system for extensions, but many extensions require access to everything so they can work properly. Even an extension that just requires access to one website could be dangerous, however. For example, an extension that modifies Google.com in some way will require access to everything on Google.com, and therefore have access to your Google account—including your email.
These aren’t just cute, harmless little tools. They’re tiny programs with a huge level of access to your web browser, and that makes them dangerous. Even an extension that only does a minor thing to web pages you visit may require access to everything you do in your web browser.”
So either don’t load extensions or be very, very, very careful when you do so.
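One practical way to apply the How-To Geek warning before installing anything is to read the extension’s manifest and flag what it asks for. The Python below is an added example (not from How-To Geek or any browser vendor) that audits a manifest for all-sites host patterns and sensitive API permissions; the three manifests are constructed samples, and the risk tiers are the author’s assumption, not a browser’s own classification.

```python
import json

# Host match patterns that grant an extension access to every site you visit.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that reach well beyond one page: read cookies, watch or rewrite
# requests, read history, inspect open tabs, talk to native programs.
SENSITIVE_APIS = {
    "cookies", "webRequest", "webRequestBlocking", "history", "tabs",
    "clipboardRead", "nativeMessaging", "debugger", "proxy",
}


def _host_patterns(manifest):
    """Collect host patterns from MV3 'host_permissions' and MV2-style 'permissions'."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", [])
              if p == "<all_urls>" or "://" in p]
    return hosts


def audit_manifest(text):
    """Return {'name', 'risk', 'findings'}; risk is 'high', 'medium' or 'low' (assumed tiers)."""
    manifest = json.loads(text)
    hosts = _host_patterns(manifest)
    apis = [p for p in manifest.get("permissions", []) if p in SENSITIVE_APIS]
    findings = []
    everything = any(h in ALL_SITES for h in hosts)
    if everything:
        findings.append("can read and change data on every site you visit")
    for h in hosts:
        if h not in ALL_SITES:
            # Narrow host access is still account-level access: a pattern for
            # google.com covers whatever you are signed in to there.
            findings.append(f"full access to pages matching {h}")
    for api in apis:
        findings.append(f"uses sensitive API permission '{api}'")
    risk = "high" if everything else ("medium" if apis or hosts else "low")
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


# Constructed sample manifests (MV3 layout); not from any real extension.
BROAD = json.dumps({"manifest_version": 3, "name": "Example Toolbar",
                    "permissions": ["tabs", "webRequest", "cookies"],
                    "host_permissions": ["<all_urls>"]})
NARROW = json.dumps({"manifest_version": 3, "name": "Example Google Tweaks",
                     "permissions": ["storage"],
                     "host_permissions": ["https://www.google.com/*"]})
MINIMAL = json.dumps({"manifest_version": 3, "name": "Example Notepad",
                      "permissions": ["storage"]})

if __name__ == "__main__":
    for sample in (BROAD, NARROW, MINIMAL):
        report = audit_manifest(sample)
        print(f"{report['name']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```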
The team of scientists and engineers that came out last year with the wildly successful end-to-end encrypted email service, ProtonMail, has now officially made public their new highly secure (and very fast!) virtual private network (VPN) called ProtonVPN.
As a ProtonMail user I’ve been incredibly pleased with the service and its security and this morning I signed up for their newest offering, ProtonVPN. I did so mainly because of the features, but also because it’s from a company I trust and, as a beta user, found it to be fast, robust, secure, and rock-solid.
I’m also stunned by how quickly they’ve nailed the key features needed in both email and VPN to keep us private and secure. A big plus also is that the company, Proton Technologies AG, is based in Switzerland, a country whose laws favor privacy, security and non-disclosure which is the perfect place to headquarter the firm:
“ProtonMail was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. Since then, ProtonMail has evolved into a global effort to protect civil liberties and build a more secure Internet, with team members also hailing from Caltech, Harvard, ETH Zurich and many other research institutions.
Today, we help our community of millions of users secure their private data online. More than 10,000 supporters have assisted us in this mission by donating to make this project possible. Thanks to your support, we are continuing to develop state of the art email privacy and security technology from our home base of Geneva, Switzerland.”
ProtonVPN has several key features that are a bit geeky, but have turned my head as someone who is deep in to cyber security:
- Secure Core: This architecture gives their secure VPN service the unique ability to defend against network-based attacks. Secure Core protects your connection by routing your traffic through multiple servers before leaving their network. This means an advanced adversary who can monitor the network traffic at the exit server will not be able to discover the true IP address of ProtonVPN users, nor match browsing activity to that IP.
- Strong Encryption: All your network traffic is encrypted with AES-256, key exchange is done with 2048-bit RSA, and HMAC with SHA256 is used for message authentication which means it is VERY secure.
- Forward Secrecy: The encryption cipher suites they use only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, ProtonVPN generates a new encryption key, so a key is never used for more than one session.
- Strong Protocols: They exclusively use VPN protocols which are known to be secure (OpenVPN and IKEv2). Though I’m not a cryptographer, every one that is whom I follow online swears by both of those protocols which have been examined and certified secure by top cryptographers all over the world.
- Physical Security: The company has gone to extreme lengths to protect ProtonVPN’s Secure Core servers to ensure their security. Critical infrastructure in Switzerland is located in a former Swiss army fallout shelter 1000 meters below the surface. Similarly, their Iceland infrastructure resides in a secure former military base. Their servers in Sweden are also located in an underground datacenter. By shipping their own equipment to these locations, they ensure that their servers are also secure at the hardware level.
Other Key Features Include:
- Open Source: Goes without saying that their transparency level is very high and having their software reliant on open source software examination and certification is a big selling point for any of us.
- No Logs Kept: Under Swiss law they don’t have to keep them so they do not.
- DNS Leak Protection: They ensure that your browsing activity cannot be exposed by leaks from domain name service (DNS) queries.
- Kill Switch: Their desktop and mobile applications come with a built-in Kill Switch feature which will block all network connections in the event that the connection with the VPN server is lost.
- Tor VPN: ProtonVPN comes with Tor support built-in. Through their selected Tor servers, you can route all your traffic through the Tor anonymity network and also access dark web sites. This provides a convenient way to access Onion sites with just a single click.
Take a look at their pricing page. They have a free offering (which is currently shut down due to the overwhelming response and signups this week) and I signed up for the “PLUS” level today since, as a current ProtonMail user, I got a bit of a larger discount on both ProtonMail and ProtonVPN as a bundle.
I need to end with this: I’ve analyzed more than a dozen of the top VPN providers and previously chose Private Internet Access (which I still have active since I’m paid through April of 2018) and, especially for the non-geeks out there, it’s still the easiest to use, they keep no logs, have the most data centers, and still has my strong recommendation.
But if you’re extra-serious about your VPN — or have specific needs to be highly secure when online — I’d absolutely recommend you immediately go and signup for ProtonVPN.