It’s a tired understatement to say the internet has changed the way the world works – the entire concept of location independence wouldn’t be possible without its benefits. However, despite all the possibilities, the internet has a dark side. While we take these benefits and conveniences for granted, without a basic understanding of the security and privacy implications, we inadvertently expose ourselves to bad actors, from governments to big businesses to hackers.
The good news is that we can upgrade our day to day operational security (OPSEC) with a few tweaks to our usage patterns. These are not perfect solutions – they won’t completely eliminate the threats, but it will make you much less likely to become a victim. The following are just a few tactics to increase your privacy – for a more complete guide check out Surveillance Self-Defense from the EFF.
According the the Electronic Frontier Foundation, the first step is what’s called threat modeling. In short, that means determining how likely you are to be a target of an attack. Personally, I don’t possess military, trade, or state secrets, I am not wealthy, and as far as I know I don’t have any enemies. Therefore, I am unlikely to be a specific target of a hacker or other bad actor, so I likely don’t need NSA level encryption for my day to day internet use. Instead, like most of us, I am much more likely to have my information compromised in a larger scale attack or data breach that targets thousands of people in the hopes the attacker can get lucky with a few.
My dad used to tell a corny joke:
Two campers are in the woods around the campfire. Just then, a large bear emerges from the trees. Upon spotting the bear, one of the campers calmly takes off his hiking boots and puts on his running shoes. His friend says to him “Are you crazy? You can’t outrun a bear!” to which the man replied, “I don’t need to outrun the bear, I just need to outrun you.”
The goal of these tactics is to make yourself a more difficult target than the next guy, so hopefully the attacker won’t bother and will just move on to an easier target. None of these are perfect solutions that offer complete privacy, but you will be better protected and a more difficult target.
Use passphrases instead of passwords
Many hackers use a method called a “brute force attack” when trying to break into your online accounts. Basically, they use a program that rapidly guesses passwords thousands of times, trying variation after variation until they guess it right. And, while you may think it’s secure, replacing letters with numbers or characters does almost nothing (as in replacing an S with $ or O with 0), as these are known variations that these programs will exploit. Instead, if you focus less on the complexity of a password and instead focus on length, the better. The longer your password is, the longer it will take for an attacker to break in. Ideally, the phrase should be a string of random words with no correlation, something weird like WeaselAmmoNinjaLondon12!. The technical term for this approach is password entropy, and it involves computer science and physics that are way above my pay grade. But in short, long phrases of random words are your safest bet, and even better if they vary from site to site.
You might be asking “what about using a password manager?” While there are plenty of options out there, I’ve always been a bit uncomfortable with the idea that an attacker only needs access to 1 account in order to get logins to everything I have.
Enable 2-factor authentication
Many online services, including Facebook, Gmail, Slack, Twitter, Evernote, iCloud, online banking, and many others offer what’s called 2-factor authentication. This process makes login 2 steps instead of 1, hence the name. The most common implementation is once you’ve entered your password into a site, they will text you a shortcode and ask you to enter that code. This adds an additional layer of security to the login process – anyone trying to break into one your accounts would also need access to your phone, which they are less likely to have. There are also companion apps like Authy and Google Authenticator that will generate the code if you don’t have access to text messaging or would rather not use the data.
Here are a few tutorials to get started, or just search for “2-factor authentication <service name>”:
Incognito/Private Browsing Mode when using a public device
Most major browsers have a private browsing mode – Chrome calls it Incognito while Safari and Firefox call it Private Browsing (most everyone else calls it porn mode). Using private browsing does not store cookies and browsing history on your computer, which can dampen some of the effects of ad-trackers and other malware. Note that does not mask your browsing activity from your ISP or any sites you may be using – it just doesn’t allow them to store anything on your local machine. While these are small benefits on your own device, it’s a must if you are using a shared or public device. Open the “File” menu in the browser and you should be able to find the private browse mode there.
Use Opera with VPN enabled
Opera is a free, full-featured web browser that has a built-in ad blocker and VPN. Download Opera here and install it. When installed, open the preferences and click “Block Ads and surf the web three times faster” as well as “Enable VPN.”
You can also use 3rd party VPN services which allow you to use any browser you prefer. VPNs are a much larger topic that we will cover in a later post, but in short, they encrypt your traffic on whatever network you are on so the ISP can’t see it. Note that the use of VPNs are illegal in some countries – find out if you are safe to use one here.
You may have heard this word thrown around on the news surrounding both the revelations from Edward Snowden as well as the Silk Road and the dark web. In short, TOR is a web browser that lets you view sites on both the regular and dark web anonymously. Tor stands for “The Onion Router,” and was developed by the US Navy to mask their IP addresses to confuse websites by shielding the users point of origin. It works by bouncing your web request around through a number of “nodes” and finally through an exit node that connects to the site you are trying to visit. This ensures that your identity is hidden. The drawback is that because your web request is bounced through a number of other computers before it’s final destination, it can be much slower than a traditional browser.
HTTPS everywhere browser extension
While many sites enable SSL encryption when accessing their sites, many still do not. (You know if a site has SSL enabled if you see a little padlock icon before the URL in pane at the top of the browser. The Anywhere Company is SSL enabled). When a site is SSL enabled, the data between your browser and the website is encrypted in transit. This prevents 3rd parties from eavesdropping on your browsing activity, or worse, showing you a spoofed website in an effort to steal your information or other nefarious intentions (known as a “man in the middle” attack). HTTPS Everywhere is a free browser extension created by Tor and the Electronic Frontier Foundation. It enables SSL encryption even on sites that do not have it. It’s not a perfect solution, but it takes less than a minute to install and adds some additional security to your everyday browsing, with no downside.
Turn off wifi and bluetooth when not in use, or in transit
There are devices that register the wireless antennae in your devices and capture your information as you move through public spaces. The MAC address of your device can be captured and can be connected to you, allowing governments or bad actors to track your movements. Additionally, hackers can use attacks like Blueborne to access your device and steal your data. For additional security, it’s best to turn your device completely off, or if you want to go the extremely secure route, use a Faraday pouch to block all wireless signals to and from your devices.
Use DuckDuckGo for search
Convenience vs. Privacy
You’ve no doubt noticed that some of these tactics require some work, and they might even add a few steps to your workflow. Ultimately, it’s a trade-off between convenience and security. Simply put, the more convenience you opt into, the more privacy you opt out of. It’s up to you to determine where that line is drawn.
Do you have any tactics we haven’t discussed here? Let us know on Facebook.
- Check to see if you have been compromised: https://haveibeenpwned.com
- Want more info? The EFF has a very thorough guide on protecting yourself online, called Surveillance Self-Defense.
- The Art of Invisibility by Kevin Mitnick