So you just got a new computer, the cable company came in to put in your new line, and you just cannot wait to jump on Twitter. One thing is making you a bit worried though: all those digital fingerprints have been left behind from before, and you can't shake the feeling that your last boyfriend has been following your Facebook posts a little too closely. What's a young lady/man to do? Well, it's time to go … SECRET SQUIRREL!
Internet safety, or as I like to call it PIISec, is something that more often than not is overlooked when we surf or buy stuff online. I don't subscribe to the notion that it is OK to spy on me because I am not doing anything wrong; in fact it kinda disgusts me. If you wish to know something about me, say for instance what type of cool gadget I just bought from the Hak5 Shop, then please ask. Don't place a cookie in my cache and have me sign something you know I am not going to read. I want to be as safe online as I can be and, deep down, I would like you to be safe too.
Live like a spy, THINK like a spy!
Fake it till you make it is a long overused phrase, but in security it's always wise to be a little, if not very, paranoid. In the post-Snowden world it's no longer an IF but a WHO is watching me in my everyday boring life. Keeping this in mind we need to make some personal choices and STICK WITH THEM! The methodology I use is stolen from the Microsoft security model called the "Ring of Trust". Imagine you are the sun and around you are three orbits; each one is granted a little bit more knowledge about you as it gets closer, and each one is given a bit more PII (Personally Identifiable Information). The reason we want to start doing this sort of micromanagement is that in this day and age we sometimes find ourselves saying we have 25,000 friends, yet only 3 show up to our parties. These kinds of social networks are HUGE kinks in our PIISec and make our threatscape very large for anyone wanting to social engineer us. The way I break up my online contacts is like this:
Ring 0
- Family – Close
- Work – Bosses
- REAL Friends
By real friends I mean people who can or would drive to your house and knock on the door if they thought you were in danger or missing. NOT people you talk to "all the time" or people who "liked" your posts.
Ring 1
- Family – Not so close
- Work – Associates
- Friends – People you talk to often and normally, but not Ring 0 friends.
This is a middle ground: these people have a phone number and an email address for you, but it's saved in a contact list and probably under some name like "Hairy dood" or "Loud Chick".
Ring 2
- Work – Vendors or random people from work; they need to send that e-vite to the boss's birthday SOMEWHERE.
- "Friends" – Everyone else … They know your Twitter handle or Facebook profile.
These are of course just suggestions, but after a while it becomes second nature, so please don't give up before trying a few of them. The whole reason we are breaking our life up like this is that it makes it easier not only to give the person asking the right amount of information, but also, if your PIISec is broken, to see where it all went wrong. The goal of course is not only to be safe but to trust our most private information to only the closest people in our lives. We should also take some time to consider WHAT information is sacred and what is disposable. I like to be vague with everyone; even if you're my best friend it's very unlikely you will know my address until it's absolutely necessary. My Social Security Number is known only to my immediate family and my phone number to a select few I have chosen. So before we get started and the comments come in, let me just say this. It is 100% possible to do this with any mix of the following, including adding extras along the way, but to be honest sometimes you have to just be happy with being secure enough, because to be totally secure you have to be totally off the grid. That being said, I recommend the following setup and uses.
- 2 phones
- 3 email addresses
- 2 PGP Keys
This is a good start. One phone can be a crappy throwaway and the other can be your personal phone. You do not want to have two iPhone 6s when you're faced with throwing one into a garbage can. You want to have 3 email addresses at the very least: one for your services, one for your bills and one for your Ring 0 friends. This ensures that the email you check the most won't be filled with spam or stupid notifications, and keeps your personal email off any lists you may not want to be a part of. Use your Ring 0 email address for correspondence ONLY! There is no need to use it to sign on to any services. 1 PGP key is usually enough but I recommend two. One will be used for your Ring 1 contacts and the other is your secret squirrel key. If some nation-state is looking for you, it's probably best to have that backup key to buy you a bit of time. I recommend Keypass.io for your forward-facing PGP needs since it does all the hard work for you and allows you to easily verify your contacts. If you need an invite you can hit me up on Twitter and, if I have some left, I will happily send one to you. I will need an email address, so have your Ring 2 email address handy! Simple copy/paste tools allow you to be secure without a whole suite of tools … however, you still may want some.
For instant communications I recommend some sort of XMPP system, preferably one that supports OTR. There are tons of applications, so going over each one would be crazy. I like to think in these terms: use OTR or end-to-end encrypted chat systems if available, and if they are not, then wrap your text in PGP and feel good that you're doing better than most. The EFF has a great site dedicated to this and more over at its Surveillance Self-Defense site.
For general browsing needs I prefer to use Firefox over Chrome; however, security-wise they are both as vulnerable as the other. One can argue and argue over which is better; I will leave that to you to decide. I have seen them both render slow, both get exploited and both render fast. I personally run both, but I do tons of web programming and like to check for cross-platform compatibility. What to install on your browser, however, is a whole different thing. Every browser should have both Privacy Badger and AdBlock installed. Together these tools will ensure that you have a totally different web experience. You may actually start to enjoy surfing the web again! Another addon that I suggest is NoScript for Firefox or uMatrix for Chrome. These will limit the effects if you happen to find yourself on a site loaded with drive-by malware and generally keep you safe while you surf. Also, since we are trying to take the safe route wherever we go, I should mention HTTPS Everywhere: it's a great plugin that tries to force HTTPS wherever possible. While not something that is a MUST for every site, you should install it simply because if you can make it harder for the bad guys you might as well. Plus we don't EVER want to push credentials over a plain HTTP connection.
Password Vaults and Physical Security
So the biggest complaint most people have with not using the same password over and over is trying to keep all those passwords securely stored and accessible. Even having a bank of, say, 3 passwords is a bad choice when you consider that if I were tasked to brute force them, the probability of me succeeding would be huge. The other problem I see is keeping data safe. Whether it's a full hard drive or simply your key vault, it should be wrapped in some sort of secure container to keep it from being lifted and broken into offsite. While having a secure vault is a good start, having that extra layer is even more comforting. These problems seem huge, but with a couple of pieces of software/hardware we can tackle them hands-on. For password vaults the most often used is KeePass. This vault not only works on a multitude of operating systems but also allows you to throw in special files that must be present in order for the password to work. This is essentially a poor man's 2FA (Two-Factor Authentication): it can be placed on each computer you use while you carry your vault with you, or better yet use two USB sticks, one with your special file (it can literally be any type of file) and one with your vault. I personally prefer LastPass since it is also available on plenty of platforms but goes a step further and offers browser extensions and mobile support for a price. LastPass also has 2FA like KeePass using their Sesame software, but can also use hardware 2FA generators like the ones sold by Yubico (I have yet to purchase one since money has been tight, so Yubico, if you're listening, get at me!). These are pretty cool and can be used with plenty of software packages. If you've got the money, buy one now; if you've got extra money, buy me one!
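To show why the "special file" behaves like a second factor, here is an added example (not KeePass's or LastPass's own code, and a simplified stand-in for KeePass's real key-derivation scheme) that derives a vault key from a master password plus an arbitrary key file: with the file missing or altered, the correct password alone no longer unlocks the vault. The sample password and file bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs (not real secrets): a master password and the
# "special file" that must be present alongside it to unlock the vault.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = b"any bytes at all: a photo, a PDF, random data"
KDF_ROUNDS = 200_000


def composite_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Derive a vault key from the password plus an optional key file.

    Assumption: this is an illustration, not KeePass's exact algorithm.
    Each factor is hashed separately, the digests are concatenated and the
    result is stretched with PBKDF2, so a missing or modified key file
    changes the KDF input and therefore the derived key.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ROUNDS, dklen=32)


def create_vault(password: str, key_file: Optional[bytes]) -> dict:
    """Return a minimal vault header: a random salt and an HMAC verifier."""
    salt = os.urandom(16)
    key = composite_key(password, key_file, salt)
    verifier = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(vault: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only when BOTH factors reproduce the stored verifier."""
    key = composite_key(password, key_file, vault["salt"])
    candidate = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(candidate, vault["verifier"])


if __name__ == "__main__":
    vault = create_vault(MASTER_PASSWORD, KEY_FILE_BYTES)
    print("password + key file:", unlock(vault, MASTER_PASSWORD, KEY_FILE_BYTES))
    print("password only:      ", unlock(vault, MASTER_PASSWORD, None))
    print("key file only:      ", unlock(vault, "", KEY_FILE_BYTES))
```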
TOR & VPN’s
Now many people may ask why I have yet to suggest Tor, and to that the answer is simple. I do not trust Tor enough to accept the speed loss it brings. I have seen the tests run by some of the top scientists, and while I will not deny that THEORETICALLY Tor will keep your connections anonymous, it is still too predictable for me to lose so much bandwidth. A good VPN company will offer you decent security and speeds without breaking the bank. For most people, however, Tor is simply overkill and should be used to help those who are truly censored to be heard. Run a node if you want to support Tor, but don't expect it to be safe. That brings me to another issue I have with Tor. Many users feel OVER safe while using it, which causes them not only to leak data but to put themselves at risk by feeling much braver than they should. I see Tor as the drunk glasses of the internet.
If you're looking for a good roundup of VPNs, this is a good read.
While the internet is still very much the same dangerous place it always was, if not more so, it's not somewhere I'm willing to stay away from. That being said, keeping safe online is as much a mindset as it is a software/hardware problem, and I hope I have helped even in the smallest way. I will expand this post as information and questions come in.