Loading...

Cybersecurity For the Common Man 2

 

Activities Online are Not Very Secure

A web search on cybersecurity will quickly reveal that 2015 was the worst hacked year in American history — key players being the US Government’s Personnel office and Anthem, the 2nd largest health insurance provider. Between the two of them, something like almost 100 million pieces of sensitive information (name, email(s), birth date, home address, phone numbers, family members, place of work, etc.) were comprised and/or stolen. Additionally, it’s been discovered that Microsoft’s Outlook email accounts are being regularly hacked by overseas governments. Sadly, this doesn’t include the various Sony (both Pictures and PlayStation), Target, Adobe, JP Morgan Chase and smaller organization hacks have happened in the last few years.

Realistic Issues

Most the time it feels like, as the common user, we can’t do anything about it. We’re at the mercy of the platforms we use. The stage has been set for us and we need the internet to navigate business and personal life. And really, nobody wants to give up social media since the connections and sharability are fantastic!

We all have various degrees of privacy in mind when it comes to our own information. The various levels of sensitive information that may be out in the wilds of the cyber world is more important to some than others. That’s fine. But consider, most of the time in personal interactions we’re fairly discretionary about who we give that information because we recognize that it’s just smart. However, we typically fail to take the same precautions when that information is easier to get and more vogue to give as it frequently is as we disseminate it around the internet.

Let me repeat: Computers and phones are getting hacked. All the time. Everywhere. Our data is always at risk. If you want a sobering peek into this reality, here are two real-time, interactive (and very mesmerizing to watch) cyber-threat and active hacking maps: Kaspersky Lab and Norse Coporation.

The Trade-Off: Convenience vs. Security

So what can we do to minimize risk without going off the grid (an option I list below but is just not realistic for most)?

I’ll start by saying, I’m not an expert but I research a lot and have an active interest in the subject. This is what I’ve seen time and time again: with cybersecurity, the trade-off to privacy is convenience. The default mode of everything that is convenient is lower security.

This is why I’ll cover some steps every common man (or woman!) can take with respect to that primary trade-off (security v. convenience) with different levels. Level 1 contains the most convenient suggestions of these levels but gives you more security than most internet users have by default while level 4 is on the other end of the spectrum and requires completely moving off the grid.

Level 1: Best Practices

In 2016, I would consider the steps in level 1 a minimum and essential to adding a barriers between your various accounts since each account that is linked makes your identity and information less secure.

Get a password manager.

This principle is simple in theory: You need a strong and different password for every site you log in to. You need a different password because when a hacker gets into one account they can get to a lot of important things (possibly everything!). You also don’t want to use a dictionary-based (i.e. an existing word) as a password. Current accepted standards for the strongest passwords are 12 characters + a random mix of every character available on the keyboard. This is where the password manager comes in handy. A password manager is great since it helps you generate random passwords for each site and keep you from needing super-human memorization skills. In my case, I have over 300 online accounts — and different random, strong password for each one (come at me, bro).

Yes, if they get your memorized master password, that you use to access your password manager (This one should also be strong!), they could theoretically gain access to all of your login information. However, two things need to happen:

1) They need to gain access to your password database (hacking something that’s very secure at the server and user level) and

2) Guess your password because the database will always be encrypted to the strongest available encryption level (and your password is the encryption key).

Great news: I don’t think I’ve ever heard of this happening yet! LastPass was hacked and they got database files but couldn’t get into them without master passwords. That’s amazing!

Here are several options for password managers that are all acceptable:

  1. Keeper Security (my preference and also zero-knowledge which I’ll tap on in Level 2)
  2. 1Password
  3. KeePass
  4. LastPass
Use a credit card for all online purchases.

I was recently having lunch with my banker and we were talking about cybersecurity and he was really excited about the developing concept of credit card “burner” numbers, meaning one-time use CC numbers. Sadly, we don’t have that yet but the next best thing is using a credit card for all your online purchases. The main issue here is: you don’t want someone to hack a retailer’s account and have your debit card number which is tied directly to your bank account. The added benefit is that credit card companies also have very extensive and thorough fraud and security monitoring services that typically exceed that of most banks.

Use multiple email accounts.

Set up a separate email account for those oft-compromised and frequently tracked and monitored social media accounts. E-mail accounts are generally free to you and, since you probably haven’t read most of their Terms of Service, they make their living selling your information to advertisers, track your every moment and fill your mailbox with spam. In a sense, it’s not truly free and the old adage stands: There is always a product/consumer dynamic and if you’re not paying anything you’re probably not the consumer — you are (or your metadata is) the product.

Now that your submitting your email out there on Facebook, Twitter, Instagram, etc. and it’s being passed around like a cold in a church nursery, do you really want it to be the same email you use on your bank accounts or the one you check every day for that letter from your best friend who is wine-tasting around Italy? Probably not. Email accounts are generally free, easy to set up and readily available so take an extra moment out of your day and set up one for social media and a different one for retailers and banking.

Don’t let websites track your behavior.

Information is power in the digital sphere. “Anonymous” as it may seem (and that is debatable), the sites you visit, what you look at, shop for, talk to, where you are, photos you upload, you every internet movements are bought and sold to advertisers and others in the form of metadata (and maybe more..) who have a reason to use this information. Ever wondered why you Google something one day and then the next day you see an ad on Facebook for the same type of thing? Or you write and email about visiting a new store in town and then the next moment an ad on Google shows you information about something similar? Behavioral tracking and metadata mining.

If you use a blocker that keeps websites from tracking your behavior, the trade-off is that you may not get to see exactly what you just shopped for on Amazon and Facebook may not give you ads for things you might really like. It’s your call.

If you don’t want every waking digital moment tracked, here are couple simple steps to take:

  1. Use a “private” or “incognito” mode on your web browser.
  2. Use Ghostery’s anti-tracking browser plug in and set it to block all trackers all the time (my preferred method). They also have a pretty killer mobile browser. You can turn this blocker off if you need to.
  3. Don’t go on the web.

For mobile devices, it’s a bit trickier but here are few things that can impeded some services but to maintain your privacy you can:

  1. Buy a Blackphone 2.
  2. Use an app or an OS (Android’s Cyanogen Mod- native to my One Plus One) that has app privacy control. A couple of untested options that came up in my research are the iPhone’s “MyPermissions” (Privacy Shield) and Android’s “Permissions Manager” (Open View Mobile) .
  3. Don’t connect to unknown public WiFi when you don’t have to. WiFi is generally insecure. I use the app SkyCure on Android to check the authenticity of the WiFi before I connect but generally opt to use my cell provider. I’m sure the iPhone has something similar.

Level 2: Paid Services & Increased Separation

Move to Zero-Knowledge Services.

All major services use some form of encryption for site logins, data information entry, and the like. This is typically denoted by an “https” vs. “http” in a website URL. Sometimes it will include a lock icon in your address bar area to denote further security. This, the https or the lock emblem, means the only person that can read the information understandably it is you or them because they have access to your information. An example of this is that all your emails through Gmail’s interface are encrypted this way. Nobody can read them if they snag the message en-route over WiFi but Google can also read them since they’re the ones encrypting it. The same goes for all major cloud storage providers.

Zero-Knowledge is a term used to described the next-level in encryption security and it means that nobody has the knowledge except you. To read more about zero-knowledge, check out the Zero-Knowledge Privacy Foundation.

If you don’t want anybody but you to have access to your information, use a Zero-Knowledge provider. These are generally paid services. I’ve used the following:

There are several other options in the cloud storage business but I haven’t seen much to date in the email world. (shoot me an email at [email protected], if you’ve heard of something else.)

A note on paid services that bears repeating: If it’s free, you or your information is probably the product. All the companies that provide you “free” email, storage, photo-hosting, and social media services need to make money. Instead of charging you, they collect all your information, remove your name and sell it (metadata). They generally sell it to advertisers. This is why people tend to dislike Facebook. They’re really great at targeting advertising because they know so much about you. They know more about you than some family members and then sell that knowledge to others or use it for their own internal advertising. Paid services have a strong tendency to keep things far more private since they don’t need to generate revenue by collecting data.

Use multiple credit cards.

The concept behind this builds on having separate emails but adds another level: Use separate credit cards. Don’t use your daily, ole-trusty card for buying things on the internet where the chances of having the number compromised is much higher than at the local coffee shop. You could even go so far as to have difference cards for different accounts. The principle here is that the more strong links you have in the chain of your bank account information, the harder it is to break through the chain.

Use multiple phone numbers.

Never give your main phone number to anyone you don’t absolutely trust. I do this often: I have my provider-provided number I give to family and close friends and I have a Google number I use for work, acquaintances or those times I need to give out a phone number…legitimately. For those not-really-legitimate times like a website or a friendly person you just met at a party and aren’t up to straight up denial? Use an app to generate a burner number that will automatically expire or you can burn whenever you want

Note: anything used with Google can be tracked but that’s where the trade-off comes in. Google Voice has great user options and will generate a number for free. The burner app will produce a burner number for you.

Disconnect logins and integration.

Under this idea, if one is compromised, both (all) are compromised. This isn’t always a risk but it is more often than not.

  1. Primary example: Don’t use your Facebook or Google login for everything else on the web. This also leaves the door open to track information and behavior on those other sites even if you’re not actively on them.
  2. Don’t connect every app and every other account to Microsoft or Facebook or Google or… you name it! They market it as being so great that everything syncs but that means that they all have access to the deepest level of information you’ve shared on any one of those integration. I went through my connected Facebook apps and wowzers apps that really had no business knowing who my friends’ friends were and where I like to run, knew just that. In some circumstances, even if you don’t have the account or use the app anymore, it’s still chugging away collecting information in the background.

Level 3: Limited Use

 

More and more people are moving in the direction of limiting online use. This doesn’t eliminate all risks but it lowers them considerably since it gives less data to hackers and data miners and it reduces the opportunities for weak links in the security chain. This can include leaving social media or choosing not to shop online. For me it includes buying local, deleting Facebook from my phone, and making sure to log out of every website, all the time on top of the measures mentioned above. Obviously, this is the most inconvenient but most private way to keep using the glories of the digital age.

Level 4: Off The Grid

Get some land, build a cabin with your own two hands, and be more “of the Earth” than the rest of us.

I’m only half joking because look at that.

(image credit: unsplash)

Have questions or comments? Shoot us an email at [email protected]