October is National Cyber Security Awareness Month and, right on time for the end of the month, I thought I’d post some tips of my own for the everyday user.
Cyber security is a complicated beast and there is always a balance between security and usability. Solid cyber security also requires a blend of different technologies and good habits, so I’ve put together my thoughts on what you can do to protect your data without having to become a cyber security guru and with minimal disruption.
TL;DR – Be smart about your passwords by using two-factor authentication and a password vault like LastPass; browse the web privately using Firefox with key privacy plug-ins; use a personal VPN like Private Internet Access always, and especially on public wifi; and encrypt everything with GnuPG and Thunderbird for email.
1.) Browse privately and securely
Most browsers today allow for some form of private browsing, but I’m a big Firefox fan. I almost never use any other browser; the one exception is Tor, and only under very specific circumstances. There are a couple of key Firefox plug-ins that I highly recommend: HTTPS Everywhere and Privacy Badger from the EFF, and Disable WebRTC by Chris Antaki. The EFF plug-ins are helpful in using secure connections to web sites whenever such connections are available and in blocking tracking methods from advertisers, respectively. Disable WebRTC helps keep certain information about your internal network from being leaked to the Internet.
You can also select which search engines you want to use in Firefox and I prefer Duck Duck Go and Disconnect.me as both are supposedly anonymous and don’t log your searches unlike Google, Yahoo, or Bing.
Tor is based upon Firefox but uses a technique called onion routing. (Tor is an acronym for “The onion router.”) It’s very useful for keeping yourself anonymous when browsing and searching. Just keep in mind that no technology is 100% secure, and it’s wise to follow Tor’s best practices so that your browser doesn’t stand out from other Tor users.
2.) Passwords, Part 1: Best practices
A.) Change any default passwords immediately! Do you have a Linksys router at home? If you do, let’s try something: Is your wireless network name Linksys? When you’re on the network, is your IP address 192.168.1.100 or higher? If I put 192.168.1.1 in a browser, can I log in with admin/admin? Are you wondering how I know that?
Those are the defaults for Linksys, and anybody who wants to break into your network, or use your devices as part of a massive botnet for launching huge Internet attacks, knows that. Go change all of your default credentials now.
B.) Make your passwords difficult to guess but easy enough for you to remember. One method is to use the first letter of each word in a phrase. If you use regular words, those can be easy to crack. Personally, I use a random password generator like this one from Norton.
C.) Let’s face it, passwords are a pain. They should all be different and difficult to guess. The situation quickly gets unmanageable. I recommend using a password vault like LastPass to keep track of them all. LastPass also has a free version, which I have been testing out for about a month now, and I think I’m going to spring for the paid version, which is still ultra-affordable.
D.) One last point: Publicly sharing a password to show trust is like leaving your keys in Penn Station along with directions to your house to show trust. Not recommended.
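To make points B and C concrete, here is an added example (my own code, not from the original post or from Norton or LastPass): a first-letter mnemonic builder, a random generator that uses Python’s `secrets` module (a cryptographically secure source, unlike `random`), and a crude entropy comparison between the two. The phrase and the 94-symbol alphabet are constructed for the demo; the mnemonic estimate is an upper bound only, since real phrases are far from random.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mnemonic_from_phrase(phrase: str) -> str:
    """First character of each word of a phrase, keeping case and digits.

    Constructed example: 'The quick brown fox jumps over 2 lazy dogs!' -> 'Tqbfjo2ld'
    """
    return "".join(word[0] for word in phrase.split() if word[0].isalnum())


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Password drawn uniformly with the 'secrets' CSPRNG, never with 'random'."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def mnemonic_entropy_upper_bound(mnemonic: str) -> float:
    """Generous upper bound for a first-letter mnemonic: each letter treated as one of 26,
    each digit as one of 10. Real phrases are far less random, so the true figure is lower."""
    bits = 0.0
    for ch in mnemonic:
        bits += math.log2(10) if ch.isdigit() else math.log2(26)
    return bits


if __name__ == "__main__":
    m = mnemonic_from_phrase("The quick brown fox jumps over 2 lazy dogs!")
    print(f"mnemonic {m!r}: at most {mnemonic_entropy_upper_bound(m):.1f} bits")
    print(f"random 16-char password: {random_password(16)} "
          f"({entropy_bits(16, len(ALPHABET)):.1f} bits)")
```

The point the numbers make: a nine-character mnemonic from an English sentence tops out around 41 bits even under optimistic assumptions, while a 16-character password from a 94-symbol alphabet carries about 105 bits, which is why a generator plus a vault beats anything you have to memorize.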
3.) Passwords, Part 2: Two-factor authentication (2FA)
Two-factor authentication requires that, in addition to your password, you have something else in your possession that is generating a random code to help prove that you’re you. If somebody guesses your password, they still won’t be able to access your account without this second code, which should only be in your possession. Some methods of 2FA use an app while others will send you a text or an email. Google Authenticator is an easy-to-use app you can install on your phone and it can be used for multiple accounts.
Using 2FA is something you should do for every account possible, especially for banking and anything else that could put a wrinkle in your day if it were compromised.
Pro tip: Many apps/sites will give you “rescue” codes when you set up 2FA. Those are for use should you lose your phone. Take the time to print those. Trust me. Last year, I had my phone stolen while out of the country and I’d been too lazy to print my rescue codes. Eventually, I was able to get back into all of my accounts, but it wasn’t easy.
4.) Encryption, Part 1: VPN
My first thought goes to public wifi. Think of public wifi as a communal hot tub for your data. Think about that for a moment…
Did that gross you out? Good. Public wifi should gross you out, but we can’t deny that it’s useful and convenient. It’s also really easy for someone to snoop on all of your traffic. Using VPN will help you keep your data private even if a snooper is copying it.
VPN stands for virtual private network, and it basically creates an encrypted tunnel for your data to pass through. (This is not the same as encrypting your data itself.) A snooper on the wifi therefore can’t read your data while it’s inside the tunnel. This applies to any mobile device such as laptops, phones, and tablets. If you are using your company’s device, they should have already provided you a means to connect to your work network via VPN. If you’re using your personal device, services such as Private Internet Access will provide you a client that can be used on a variety of mobile devices.
One thing to be aware of when using a private VPN is that some web hosting companies don’t care for them, so you may run into issues when connecting to certain web sites or using different email services. It can be a pain, but it’s still better than having your data spied upon.
5.) Encryption, Part 2: Everything else
Data has a couple of states: At-rest, in-use, and in-motion. And the kind of encryption I’ll talk about here, public-key encryption, uses two keys – a public key and a private key. I’m not going to explain all of these concepts here, but I’ll give you the important highlights.
A.) At-rest: This is when your data is in storage on your hard drive, on a network server, in the cloud, on a USB drive, etc. If you save an important file to a USB stick, drop it and I find it and plug it into my computer (which should NEVER be done), I can read that sensitive file. If the file is encrypted, I can’t read it without your private key. If you want to share an encrypted file with only one person, you can both exchange your public keys, so that you can both access the file, but I still can’t read the file;
B.) In-use: This is when an application is using data that’s in some form of volatile memory like RAM. I’m not going to get into that here, but for the sake of completeness, at least wanted to explain it;
C.) In-motion: Think email and web traffic, amongst other things. A VPN will provide an encrypted tunnel, but not encrypt your data. If you don’t want anyone to read an email you intended for a specific person, the VPN protects it only while it’s inside the tunnel; once it leaves the tunnel on its way to the recipient, it’s conceivable that someone else can access that email. Think of VPN as a car tunnel through a mountain: if you’re on the outside, you can’t see the cars and the people inside when they’re in the mountain, but you can see them before they go in and after they come out. Now think of an encrypted email as a car with tinted windows that nobody can see into at any point.
This scenario works the same for text messages, as well, and pretty much any data that you transmit over a network whether it be the Internet, a cellular network, or your home network.
GnuPG (GPG) is a free, open-source encryption tool and there’s a lot to it. It plugs into my email client (Thunderbird) so that I can sign and encrypt messages automatically. I can do the same for files, as well.
Remember to always protect your private key!
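The at-rest scenario from point A and the GnuPG workflow above, as an added example (my own script driving the real `gpg` command line; it is not from the original post, GnuPG, or Thunderbird): two constructed identities, Alice and Bob, each generate a key pair in an isolated throwaway keyring, exchange public keys, and Bob sends Alice a signed and encrypted file. A third keyring with no private key stands in for whoever picks the USB stick up off the floor and tries to read it. The names, passphrases, and file contents are constructed for the demo, and `--trust-model always` is a shortcut because the two “met in person” to swap keys; with real correspondents you would check the key fingerprint instead.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed demo identities; the passphrases protect the private keys on disk.
ALICE, ALICE_PASS = "Alice <alice@example.com>", "alice-demo-passphrase"
BOB, BOB_PASS = "Bob <bob@example.com>", "bob-demo-passphrase"
MESSAGE = b"Quarterly numbers attached. Do not forward.\n"  # constructed sample file


def gpg(home: Path, *args: str, stdin: Optional[bytes] = None,
        check: bool = True) -> subprocess.CompletedProcess:
    """Run gpg against an isolated keyring (--homedir) so the demo never touches real keys."""
    cmd = ["gpg", "--batch", "--yes", "--homedir", str(home),
           "--pinentry-mode", "loopback", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=check)


def make_keypair(home: Path, uid: str, passphrase: str) -> None:
    # Default algorithm and usage, no expiry; the passphrase encrypts the private key at rest.
    gpg(home, "--passphrase", passphrase, "--quick-generate-key", uid, "default", "default", "never")


def export_public_key(home: Path, email: str) -> bytes:
    return gpg(home, "--armor", "--export", email).stdout


def import_public_key(home: Path, armored: bytes) -> None:
    gpg(home, "--import", stdin=armored)


def encrypt_and_sign(home: Path, sender: str, sender_pass: str, recipient: str,
                     plaintext: Path, ciphertext: Path) -> None:
    # --trust-model always: keys were swapped in person for this demo, so skip the web of trust.
    gpg(home, "--trust-model", "always", "--local-user", sender, "--recipient", recipient,
        "--passphrase", sender_pass, "--sign", "--encrypt", "--output", str(ciphertext), str(plaintext))


def decrypt_and_verify(home: Path, passphrase: str, ciphertext: Path):
    """Return (plaintext, signature_ok). --status-fd 2 puts machine-readable status on stderr."""
    r = gpg(home, "--status-fd", "2", "--passphrase", passphrase, "--decrypt", str(ciphertext))
    return r.stdout, b"GOODSIG" in r.stderr


def demo_exchange() -> Optional[dict]:
    """Alice and Bob swap public keys; Bob sends Alice a signed, encrypted file; Eve can't read it.
    Returns None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    work = Path(tempfile.mkdtemp())
    homes = {name: work / name for name in ("alice", "bob", "eve")}
    try:
        for h in homes.values():
            h.mkdir(mode=0o700)
        make_keypair(homes["alice"], ALICE, ALICE_PASS)
        make_keypair(homes["bob"], BOB, BOB_PASS)
        # Public keys can be handed out freely; only the private keys must stay protected.
        import_public_key(homes["bob"], export_public_key(homes["alice"], "alice@example.com"))
        import_public_key(homes["alice"], export_public_key(homes["bob"], "bob@example.com"))

        plain, cipher = work / "report.txt", work / "report.txt.gpg"
        plain.write_bytes(MESSAGE)
        encrypt_and_sign(homes["bob"], "bob@example.com", BOB_PASS, "alice@example.com", plain, cipher)
        recovered, sig_ok = decrypt_and_verify(homes["alice"], ALICE_PASS, cipher)

        # Eve holds the encrypted file but no private key for it: decryption must fail.
        eve = gpg(homes["eve"], "--decrypt", str(cipher), check=False)
        return {"plaintext": recovered, "signature_ok": sig_ok,
                "third_party_can_read": eve.returncode == 0}
    finally:
        if shutil.which("gpgconf"):
            for h in homes.values():
                subprocess.run(["gpgconf", "--homedir", str(h), "--kill", "gpg-agent"],
                               capture_output=True, check=False)
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo_exchange())
```

The same `--sign --encrypt` and `--decrypt` steps are what the Thunderbird plug-in runs for you behind the scenes on each message; the signature is what lets Alice know the file really came from Bob, and the passphrase on the private key is the “protect your private key” part made concrete.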
Signal and Wickr are a couple of examples of apps that encrypt communications between clients and are my preferred methods of calling and texting. Be aware that Facebook Messenger now lets you send encrypted “secret” messages between individuals.
Thanks for hanging in there. Now go forth and be secure.