- Always use the HTTPS version of a website
- Use strong passwords
- Never use the same password twice
- Use Password Managers
- Use firewalls
- About Antivirus Software
- Avoid Public or Free Wifi.
- Avoid Airport Wifi
- Mobile or Cell phone conversations are not secure
- Use different user names
- About VPN´s
- About TOR
- Using TOR and a VPN together
Two things have shocked me today
A) I am about to use the word ¨Cyber¨ in a serious way
B)My ¨other¨ career aside from Outdoor related things is about to cross over.
Before I got into working with bushcraft and expedition clients, I worked as an Engineer in the Broadcast and Telecoms sector. I still do from time to time actually.
Here are some points on how to be secure online. I have tried to keep this as jargon free and non-technical as possible so that it can be understood by everyone.
In that field, I have always had an interest in IT and IP security. As we become more and more dependent on Information Technology so our vulnerability to ¨Cyber¨ attacks or Hacking increases. It is now well known in the household that we are all at risk from people stealing our banking information and personal data. It is less well known that companies such as Google and Facebook among many others, are prolific harvesters of our personal data which they then convert into cash by selling it on to advertisers.
Unpalatable as this may sound, it has become a largely accepted compromise and we are at a point now where you simply cannot expect any privacy at all.
There is nothing that you can do to prevent a directed attack on you from the network.
Much like physical security, which is going to be covered here later, you can make yourself a harder target in the hope that the hackers and their armies of software bots will move on to easier targets.
If we follow some best practise and basic hygiene, we can greatly improve our chances of maintaining a decent level of security and making it harder for people to A) invade your privacy too much and B) actively steal from you
What can you do in simple steps?
- Always use the HTTPS version of a website, that is encrypted, the standard HTTP version is not.An internet connection between you and the website you are talking to is very much like two people shouting at each other across the street. You shout so the other person can hear you and they shout back so that you can hear them. The problem is that everyone else can hear you too.If they know how, a person can very easily listen to that conversation between you and the website.It is possible and very easy to secure that conversation by using the equivalent of a hard cable connecting the two people on the street so that their conversation is private.We do this by encrypting the messages. This means that the message is all jumbled up using some extremely complicated mathematics and only the intended recipients can read it.That is what HTTPS (SSL) does. I´ll try not to use too much jargon but in this day and age, you might want to be mindful that if you are going to succeed in this, you are going to have to learn a few new things.
So use the HTTPS version of the website. The best way to make sure that you don´t forget is to use this simple browser plugin from the EFF. Only this and not some other imitation. It is free and you should never pay anyone for it or anything similar.
2. Use strong passwords Never use names, birthdays, addresses, or anything else like that, they are too easy to guess. At this stage in the technology revolution you must be using passwords that are virtually impossible to guess.
For example: 1q%45XW@y7FkXK6SrBt8)
Impossible for a human to guess and very difficult for a computer to guess too but also impossible to remember for the average person.
Never give other sites passwords for other sites. For example, Linkedin, the social networking site asks you to give it your email and facebook passwords so that it can log in and collect your data from there. That is a cowboy practise and you should not do it.
You may be able to trust linkedin (I dont but a lot of people do) but what if somebody else gains access to that data at linkedin and steals the passwords? This has happened countless times on other sites and there is no reason that It wont happen to them either.
3. Never use the same password twice
If you used the same key for everything you own, your house your car, your office and your safe, a person only needs to steal or copy one key and they can take everything that you own.
It is the same with online passwords which are just like keys that lock your accounts. A different key is required for each account. If an attacker steals one password, they must not be allowed to use that to get into every other locked account that you have.
4. Password Managers – Now days, every website you go to wants you to create an account and log in before you can use it, mostly this is because of SPAM bots, software that trawls the internet looking for places to auto post fake messages and attempt to game google into promoting websites in their searches.
How do remember hundreds of passwords without using easy to remember (and therefore easy to guess) passwords?
Use a password manager. Lastpass make a good one. It generates good passwords and then stores them in an encrypted database on your computer or phone. You only need to remember one password for Lastpass and then it will log you in to which ever site you want to go to.
5. Use firewalls. If you computer asks you if you are at home, the office or public – say public, that way it will turn everything up to max and do it´s best to protect you. A good firewall will make is very hard for somebody to connect to your computer directly. There are software firewalls to protect your computer and there are bigger firewalls to protect you network. I´m talking about the one on your computer now. We can take about network firewalls later but that is a bit more advanced.
The built in windows firewall is fine, you don´t need to buy anything else. Linux has many but the UFW package is currently popular and is very easy to use.
6. Antivirus is good but also bad. Antivirus does not really protect your computer as we once thought but on thew whole, it seems better to have one than not as it does at least provide a warning about some known threats but the problem with Antivirus software is that it requires a lot of access to important parts of your system and is itself a possible way in for an attacker. Attackers can target the antivirus software and use that as a way to get all your stuff. If you use windows, the built in windows defender is enough. Thankfully, still, most viruses are written for windows and will not run on Linux or MacOS.
7. Public or Free Wifi. These are like the wild west areas of the internet, people actively join these networks to sit and listen to what is going on and they make great places to collect peoples private data and passwords. Never, ever trust a free wifi connection. If you must use a free wifi, never do anything like banking or email, don´t log into a single site if you can avoid it.
8. Airport wifi. Not only are all the same problems here as they are in the previous public wifi section, here you have government actively and aggressively monitoring the network and you may wish to have some level of privacy from them. Don´t use it, not if you can help it.
9. Mobile or Cell phone. At Airports or other protected place and near government buildings, mobile and cell phone traffic is very insecure, these locations often use decoy transmitters that are not owned by the telecoms company. They do this so that they can monitor and track you without going through the legal system in order to to do so. This is not a conspiracy theory, it is a proven fact.
10. Use different user names. While on the subject of tracking, it helps to use different usernames on different sites. If you use the same username on every site that you visit, a simple google search will pull up a list of everything that you have ever said online. This, many years after the internet started, is a problem if you have ever said anything online that you later came to regret.
11. VPN. Virtual Private Networks. These are common and popular but why and are they safe? A VPN creates an encrypted tunnel for your messages and traffic between your computer and some other computer somewhere on the internet. It is very difficult for anyone else to see inside the tunnel and so you are sort of hidden in a way.
The problem with VPN´s is that you dont usually know where the other end of the tunnel is, for all you know if could be in a criminals bedroom or a CIA data centre in the US, we dont know. What we can be sure of is if it is a ¨Free¨ VPN then they will be collecting information on you to sell on for a profit. Nothing is truly free on the internet. If they are doing this then they probably don´t care about your privacy so why should you trust them? Dont
Setting up your own VPN is the safest way to do it and is not that hard to do but it is not for this post, I will explain that later in another post.
If you want to use a VPN then the paid version from Protonmail is quite good. They are a company that specialise and have made their name in safeguarding private data and have quite good legal protection so cannot be forced to give you up to the authorities either which makes them very attractive.
12. Tor. Tor is a very technical and very complicated tool that allows you to be anonymous online. I´m still trying to not to be too technical or use jargon so bear with me as I describe this.
If you go to your favourite online blog form your computer or phone, the messages that go back and forth between the blog and you pretty much take the most direct route possible and the messages contain certain information like your address to that the blog and your phone or computer can find each other.
This makes it all very easy to see who you are because your address is included in the messages. There is no way to hide your address because then you wont be able to find each other again.
When you use Tor, instead of sending the messages directly, it sends them through a network of ¨routers¨, your messages could go through hundreds of routers before they reach the blog and when the blog replies, the messages go back through hundreds of different routers. It makes tracing you extremely difficult. Not impossible but it is the closest thing we have to anonymity online.
People can however still see the content of the messages.
13. To be very secure, that is, to have anonymity and privacy, you can use a good VPN like ProtonMail and Tor at the same time. We create our encrypted tunnel though the labyrinth of Tor routers and then nobody can see where we are or read out messages. This is the best that we currently have in remaining hidden and private.
If you choose to use this method and are particularly concerned about government spying then keep this in mind. If you only use VPN / TOR to send secret messages and you go back to normal connections for everything else, it creates a pattern that they will notice. They will know that every time they see a VPN and Tor being used by you that you are sending something that you do not want them to see, this will probably arouse their interest and they may start digging to see what they can find on you.
Consequently, VPN / TOR only really works when you put all of your traffic through it, all your browsing and mundane stuff as well as your sensitive stuff.
Finally for now few key points to address common problems
Don´t say anything online that you would not want to be brought up 10 years later and used against you. The internet does not forget, companies have found ways to monetise your information and everything that you say online is gold. They don´t delete gold, they keep it forever.
If anyone tells you ¨You have nothing to fear if you have done nothing wrong¨ you should immediately ignore any further advice that they have to offer. This is totally untrue and the only people that say it are people who do not know anything about how network security works and people who do not have your best interests at heart. Neither are good sources for you to listen to.
¨I dont care if they look through all my mindless emails and amazon orders, its fine¨ You would be surprised and alarmed that this is the exact kind of data that they use to build a profile on you. With data like that they can predict with high probability your Political views, your movements, your cash flow, your general wealth and health, what you interests are, who you associate with, how you are feeling, what you are planning and so and so forth.
Before the technology revolution, Police and Intelligence agencies used to do the same thing with your records but it is so intrusive that there were and still are laws to prevent them from doing so unless they have permission from a court to do so. Ie they must suspect you of a specific crime before they begin researching your private records.
However, now there is so much more data available to them and most of it visible that they just started trawling through it all without permission from the courts. We evidence of the scale of this thanks to Ed Snowden. Since then, not much has changed other than a few new laws have been created that allow it to continue.
The choice is up to you on how far you are willing to go to maintain your security and privacy but you should at least be presented with some unbiased information and some options to help you to make that choice.
Have you got anything to add? Leave a message or contact me