Protecting Anonymity

I had originally planned for my next post to be about further protecting your online experience with two-factor authentication.  While I still plan to cover that topic in the near future, recent actions by the White House prompted me to jump ahead to a more advanced topic.

In the first few weeks of the new President’s term, his administration made it ever more clear that it considered the Press to be the enemy, and in recent days took actions like this and this to limit the latter’s ability to fully perform its duty to the American people. I hope that the following information will prove useful to any readers who may be in a position to report on or research sensitive or controversial subjects, and allow them to do it to the best of their ability.

In order for the American press to perform its Constitutionally protected work completely and without bias, two things must be ensured: first, the freedom to do research without fear of censorship or retribution; and second, the protection of anonymous sources. Without these things, no story can be considered complete, and the cost is the truth.

Technologies exist to combat both of these potential obstacles.

First, the Tor browser allows a researcher to browse to any site on the Internet while at the same time masking both the source and destination addresses from prying eyes. Traffic at an Internet site cannot be traced back to a specific individual while they are using Tor, and furthermore, if a person’s Internet activity is being monitored, the watcher will not be able to see what sites they visit. This technology has proven very beneficial to users in nation states that monitor or restrict Internet activity.

The second is encrypted communication, which provides the ability to securely communicate with other individuals electronically while protecting the message content and the parties involved.  This can be in the form of encrypted email, or secure messaging for mobile devices which can be used for secure chats and calls.

EFF.org has compiled an excellent set of instructions for configuring and using many forms of encrypted communication. (They also provide an essential guide to protecting personal information for anyone that may be attending a political protest.)

It should be noted that these technologies are not without controversy. Encryption and anonymizing tools can of course be used for evil as well as good. The needs of law enforcement are at constant odds with the rights of privacy when criminals take advantage of Constitutional protections for their own illicit practices. However, the nature of encryption is that it cannot be weakened without compromising the entire structure. There is no way to provide a “back door” that can only be used by law enforcement despite what some lawmakers believe. These tools are a weapon of freedom used by repressed people all over the world, and have proven themselves under fascist regimes.

The current administration needs to realize that criticism is not “fake news.” Freedom of the press is guaranteed under the Constitution for a reason.  The Founding Fathers strongly believed that the most powerful check against those in charge of our country is an informed public. Attempting to silence the press sends a dangerous message that the Administration has something to hide. We need the press more than ever, and they need to be allowed to perform their job to the best of their ability. Anonymous sources are not a cop-out.  They provide a way to get the honest truth from someone who might otherwise feel compelled to keep quiet.

The tools I mentioned here allow them to do just that. If you are one of those people, I applaud your efforts and hope that this information is helpful to you.

Advertisements

Let’s Talk Passwords

Yes, I know you have a lot of them.  And yes, I also know that you hate when you have to change them, or when the site refuses to accept your repeated attempts to create one because the one you want to use doesn’t match their password rules. To make matters worse, the next time you visit that site, your chances of remembering that new password are practically nil. The unfortunate result of all of this frustration is that most people reuse the same weak passwords over and over.

You shouldn’t do that.  Why?  Because web sites get breached all the time, and sooner or later, one of those breaches will expose an account and password that belongs to you.  In some cases, the hackers will get passwords in the clear, which obviously makes their job easy. However, even if they don’t, weak passwords are very easy to crack and they will have them in no time.

You say: “So hackers got my Yahoo! account.  I don’t use Yahoo! anymore.  What’s the worst that could happen?” Well, I’m glad you asked!

The worst that could happen, is that particular password is the same one you use on  your banking site, email, Facebook, etc.  So, now the Bad Guys have your master key, and you are left scrambling to remember every site where you use it so you can change the password before they get to something that is important to you.

So what’s the answer? Use a strong, unique password for everything that asks for one, and change it on a regular basis to make sure you stay one step ahead of the Bad Guys. Of course, this creates a new problem: how to manage an ever growing list of complex, hard to remember passwords that change on a regular basis.

The solution? Use a password manager.

Password managers are just what they sound like.  They are special software that act like a secure vault where you can store all of your passwords in one place. In addition, many have features that can auto-fill your passwords when you log into web sites, can help you generate random complex passwords, and can be synchronized across all of your devices, including phones and tablets.

There are many to choose from, but since not all password managers are created equal, ensure that the one you choose meets the following criteria, at a minimum:

  1. Encryption: Make sure the one you choose uses strong encryption for the password vault. Since you will be keeping all of your passwords in one place, it is critically important that it is well protected.
  2. Two-factor authentication for the master password: I plan to dedicate a future post to explaining two-factor authentication in detail, but in brief it means using an extra piece of information in addition to your password when you log into your account. This can be anything from a security code sent to you via text, to a device you plug into your computer that proves it’s you accessing your account and not someone who stole your password. This is especially important for your vault password, since it is now your master key to all of your accounts. Which leads to the next point…
  3. A method for master password recovery: A password manager that uses strong encryption means that only you can access your passwords. Which is a good thing…unless you forget the master one.  Even the company’s support staff won’t be able to recover an encrypted master password, so you need to have a strategy for recovering it in case it is ever lost or forgotten.
  4. Auto-password generation: As I said before, weak passwords are no match for hackers. It’s important to create strong unique passwords, that are long and complex. Password managers can make this easier by generating the password and storing it for you, so you don’t have to type it.
  5. Password synchronization across devices: This is more convenience than requirement, but most people use multiple devices, and having a manager take care of your passwords will encourage you to create better ones.

While it’s true that most modern browsers have the ability to store passwords for you, they don’t typically provide all of the features above.

There are many password managers out there, so you will have to do some reading and decide which one suits you best. Look for the features that matter to you most. Also, consider the various pricing options. Some have free versions, but you may have to pay for more features or more device support.

The manager I use is Last Pass. It has all of the features I listed above, has a very functional free option, and a reasonably priced premium one ($12 per year). Another regularly well-reviewed one is called Dash Lane. You would be well served by either of these.

Of course there are others, and everyone you talk to will have their favorite. If you use one now, and you love it (or hate it), I’d like to hear about it. Let me know what you think.

 

 

Just the Basics

As promised in my last post, I want to start with some of the basics. While everyone’s needs for digital security will be different, there are some fundamental things that we all should do to ensure a certain level of security and privacy while online. Like I said before, the online world is an increasingly hostile space when it comes to our privacy, and we can no longer assume a minimum level of safety without taking some additional precautions. There was a time when very few people wore seat belts in the car. Now, most of us realize that we are much safer when taking a little extra precaution whenever we drive. Think of these tips as seat belts for your ride down the information superhighway.

  1. Install Virus (malware/spyware/adware) protection: There really is no excuse for not having virus software any more. Most people have access to some sort of malware protection for free, either from their Internet provider or a number of other options. For Windows users, Defender provides a basic level of protection and it’s included with the O/S. And for those non-Windows users out there (Linux and Mac), I say this; there is no such thing as a secure operating system. If it’s a computer, it can be compromised—and that includes mobile devices.
  2. Make offline backups: Even with malware protection in place, bad things can still happen. Aside from the usual computer failures, there are other more disturbing trends. Ransomware is a relatively new type of threat that can render your system unusable. Bad Guys literally hold your system hostage by encrypting all of your data forcing you to pay the ransom for the key to decode it. One way to combat this type of attack is to have multiple copies of your important data where you can easily recover it. However, don’t leave these backups attached to your system or depend solely on an “always connected” solution, as the Bad Guys can attack that too. USB thumb drives are cheap—get a few and use them to do your backups, then remove them and store them in a safe place. Cloud backup solutions are a good option too, but make sure you read tip #3 first!
  3. Use unique passwords for all sites: Yes, I know this is a pain, and I can guarantee that you have already heard this from someone other than me. That’s because password reuse has become one of the easiest ways for Bad Guys to hack your online accounts. It’s practically a given that at least one of your online accounts will be involved in a data breach at some point. Those breached IDs and passwords get passed around the Internet for fun and profit. If you use the same password for all your accounts, consider them all to be exposed. To more easily manage multiple passwords and keep them secure, you can use a Password Manager. I’ll cover these in an upcoming post, but for now, change your passwords, and if you have to, write them down.
  4. Install Ad Blockers: Yes, pop-up windows and ads on web pages are annoying, but that’s not what I’m talking about. In recent years, ads have also become malicious. Most major web sites don’t put ads on their pages directly. Instead, they outsource the ad space on their pages to a 3rd-party provider who ultimately supplies the code to display ads from paying retailers. Therein lies the problem. Since the web site owner doesn’t oversee the ads on their site directly, they have little control over the content. If that content gets compromised somewhere down the line, the site could unknowingly be distributing malware. And don’t think this only happens on the sketchy pages. It has happened recently to some very well-known sites.
  5. Enable automatic updates: The majority of attacks take advantage of well-known vulnerabilities in major software and operating systems.  In many cases, these vulnerabilities have already been fixed by the software’s creators. However, the attacks succeed because device owners failed to install those fixes in time. One way to ensure this doesn’t happen is to enable the automatic update features available in most of these applications.

Okay, I know that was a lot to absorb for the first post, so I’ll stop there for now. Tune in next time when we will start to go more in-depth to some important topics.

Thanks for reading, and Happy New Year!

Same Site…New Mission

When I first launched this blog in 2008, the world was a much different place. That may sound like an old cliché, but I stand by that statement. Think for a moment about where we were; Obama was poised to become POTUS for his first term, American Idol was in its seventh season, most of us failed to understand the true meaning of the term “sub-prime lending,” and the iPhone was only just beginning its global dominance of the mobile device market.

Fast-forward nearly nine years and technology has all but taken over. Our entire existence is digital, from shopping and banking, to navigation and entertainment, we manage every aspect of our day-to-day lives with technology. Thanks to the ubiquity of hand held devices, all manner of Internet connected gadgets (the “Internet of Things”), and the ability to connect from virtually anywhere, we have become completely dependent on technology for almost everything.

And this dependency comes with a price—our privacy.

As a Cybersecurity professional I know, arguably better than most, just how exposed we are while performing routine tasks in a world where an online presence has become not only commonplace, but a necessity. It is unfortunate, but most Internet-connected businesses are tracking our every online move, attempting to glean every last drop of our digital habits for their own gain. And, let’s not forget an ever growing number of evil-doers who would seek to profit by stealing our private information and selling it the highest bidder.

Furthermore, there are those in the government that would like to infringe on that privacy as well. Some would seek to limit our Constitutional right to free speech. Still others would have you believe that in order to fight terrorism, we should give up more of our own freedom—especially when it comes to technology, by allowing the government to limit encryption methods, or force tech companies to install “digital back-doors” that would allow easier spying by law enforcement.

Add to this the current political climate, where nation state hacking has become a very real and present danger, possibly even aided and abetted by the incoming administration. The same administration that would seek to limit freedom of the press, and curtail other forms of free speech in order to preserve the illusion of its political prowess.

The online world has become a hostile place, and it is likely to get worse before it gets better.

I found myself thinking about my old blog again, within this new context. What if I attempted to provide some timely and useful information that people may want and need to protect themselves in these increasingly unfriendly times? I began to feel compelled to share my own knowledge and experience to provide some helpful guidance and advice for others to use.

So, I’ve decided to start blogging again with a new purpose. I’ll be writing instructional posts aimed at providing the average (read: non-cyberprofessional) person with the tools and knowledge they need to stay safe, and maintain their privacy, in this increasingly hostile world. We’ll start with the basics; the things that everyone should do to protect themselves from everyday threats like malware and online tracking, using and managing strong passwords, or configuring two-factor authentication (2FA) for commonly used web sites. Then we will move on to more advanced things like sending and receiving encrypted communications, and anonymous browsing using the TOR network.

I’ll also be growing a list of relevant links in the blogroll for easy reference. Here you’ll find shortcuts to privacy information, detailed instructions for security tools, and other topics you may find helpful.

I hope you will find this information useful. Of course, whether you choose to implement the protections I propose is entirely your choice—as it should be. But, if you are worried about your decreasing privacy and feel like you have lost control of your digital life, my mission is to provide you with some tools to help you take back control.