18 March, 2020
Most guides to online privacy simply tell their audience to replace one set of software (that invades their privacy) with another (that respects their privacy). But the software one uses is only part of the battle, and I'm not convinced it's even the most important part. If you want to protect your online privacy, it's far more complicated than just "this company good" or "this company bad." In order for anyone to understand how best to protect their privacy, they must first understand what it is, exactly, they wish to protect and who threatens it. Once this has been done, individuals will be equipped to make the best decision for themselves, their situations, and their level of technical ability. This article seeks to explain foundational security terminology, describe modern threats online, and offer basic security strategies so that individuals can devise their own strategies to protect their privacy.
The most important words in all of this are privacy and security. Therefore, it's only fitting to begin by properly defining them.
Privacy is the default state of others not knowing where we are, what we are doing, or what we are thinking.
Privacy is a fundamental human right implied in multiple parts of the US constitution including the 4th amendment's right against unreasonable searches and seizure and the 5th amendment's right to remain silent. Most people actively exercise their right to privacy every single day when they close the door to use the restroom, draw the curtains at night, or put a passcode on their phone. Most people also dislike the feeling of people peering over their shoulders while using their phones.
Privacy matters because, as we've seen in the three decades since the dawn of the world wide web, our personal information grants entities tremendous power which can then be exercised over us, on both a personal and a societal scale. Imagine the harm someone could do knowing your social security number, first and last name, and credit card information. It's very important that such information be kept private. Now imagine the harm a state actor could do with personal information (personal beliefs and location data) about individual targets.
Security is the freedom from potential threat or harm including the measures one takes to ensure this freedom.
Online, it is used to reference the broad tools, methods, and processes one might use to protect something valuable. In this sense, valuables could include banking information, social security numbers, contact information, employment history, or home addresses, for example. Having such information open and available to anyone exposes you to multiple threats including identity theft, credit card fraud, harassment, stalking, or burglaries.
Nothing is 100% Secure: Given unlimited time and resources, any form or depth of security is breakable. The goal is to make your system hard enough to break into that any malicious actor is deterred, or that the attempt exhausts the resources of any adversaries you may have.
Opsec, or operations security, are the specific processes or countermeasures one might employ to secure something. For example, one's use of opsec may entail email encryption, not using certain pieces of technology, or specific rules about what information they share online such as not posting personally identifiable information, not uploading any personally identifiable images, or scrubbing metadata from photos posted online.
There are five main questions to answer in order to determine which countermeasures will provide the best security.
What is it that you're trying to secure and from whom?
All personal information?
Hackers, Malware, Phishing Attempts?
Family Members, Angry Ex-partners, Stalkers?
Mass Surveillance from... Internet Service Providers? Online Companies and Services? Governments?
Targeted Surveillance from... Internet Service Providers? Online Companies and Services? Governments? Individual Adversaries?
How competent are these adversaries?
What are ways they could do you harm?
What is their motivation?
What are their goals?
Once these questions have been answered, you can then begin to employ effective countermeasures.
The modern web is a spooky place. Tracker scripts run amok on literally every website. The NSA is collecting as much web traffic as possible through their Stellarwind, PRISM, and Five Eyes programs. And the most popular websites are owned by centralized entities that collect whatever data they can get their hands on.
One of the most effective opsec practices, regardless of your threat model, is minimalism. Simply put, the larger your attack surface, the more vulnerable you are. In a software environment, the attack surface is the sum of all the different attack vectors, or ways an unauthorized user can potentially do you harm. For this reason, keeping the attack surface as small as possible is basic opsec.
In practice, this means you should limit the number of devices you own, the number of programs you use, and the number of accounts you have to an absolute minimum. Any bloat or unnecessary attack vector just weakens your security and leaves you more vulnerable to harm. Actionable steps you can take right now are deleting every unused account you have and deleting any unused apps from your devices.
In my opinion, this is the greatest security practice in isolation. Even the most knowledgeable cybersecurity experts can still fall victim to phishing attempts, social engineering, or email/website spoofing due to momentary lapses in attention. But what if you don't do online shopping or don't have any online accounts? What information would you even give over?
For similar reasons, IoT devices such as Amazon Alexa, Ring Doorbell, Smart Watches, Smart Fridges, and pretty much anything that connects to the internet is an inherent threat to your privacy and security. I pick on IoT devices specifically because in my view they are little more than gimmicks that offer little to no added convenience over standard internet devices like computers or smartphones. They are a complete nonessential. And they also have more privacy and security related concerns to be wary of.
Authentication is a fundamental security concept. It determines who has access to what. If you want to secure your information, then you need to have tight locks on who can access what. This is what passwords do. Passwords are the key to the door that guards the accounts that hold your information. Except in this scenario, the door and the lock are only as strong as the key that unlocks it and how well hidden it is. The strength of your passwords, and your ability to keep them safe, are what determines the degree of difficulty someone has in accessing your accounts.
Can your password be guessed?
If you actually know your password from memory, the answer to all of these questions is probably yes.
In order to mitigate these attacks, passwords should be long (as long as permitted but at least around 20+ characters or so), unique (not reused by other accounts), and completely random. But remembering such a password, especially unique ones for multiple accounts, is impossible, right? Right.
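The three properties above (long, unique per account, random) are exactly what a password manager's generator provides. As an added example that is not part of the original post, this Python script generates such passwords from a CSPRNG and estimates how long an offline guessing attack would take; the guess rate of 1e11 per second is an assumed figure for a well-equipped cracking rig, not a measured one.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG; secrets.choice is unbiased,
    unlike random.choice, which is seeded predictably."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (60 * 60 * 24 * 365)


def unique_passwords(accounts, length: int = 24) -> dict:
    """One fresh random password per account, so that one breached site
    cannot be replayed against the others."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    for length in (8, 12, 20, 24):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length:>2} chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years to exhaust")
    # Constructed account names for the demonstration.
    vault = unique_passwords(["bank", "email", "forum"])
    for account, password in vault.items():
        print(f"{account:>6}: {password}")
```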
This is why you need a password manager. A password manager is software that stores login credentials for easy access, allowing you to choose whatever password you want without having to memorize it. Authorization is handled by a single master password. With this model, your password cannot be guessed or cracked because it's long and random. It also cannot be pulled from a list of previous breaches. Additionally, social engineering attacks and shoulder surfing will be far less likely, as you yourself don't even know your own password. On the downside, it still wouldn't prevent phishing attacks or keylogger attacks. In order to mitigate such attacks, change these randomized passwords regularly.
This introduces other security vulnerabilities, though, right? You're literally putting all your eggs in one basket? Yes, this is true, but these risks can be mitigated by other practices that I'll cover later (such as device encryption and compartmentalization). An attacker gaining access to your password manager is still unlikely on the surface though, just because any proper cloud-based password manager will hash your master password when logging in so as to not store it in plain text. Also, offline password managers allow you to lock your database at designated periods rendering it useless even if the user is still logged into the computer.
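To make the point about hashing the master password concrete, here is an added Python example (not code from any password manager) of how a service can check a master password without storing it: a random salt plus a slow key-derivation function, PBKDF2-HMAC-SHA256 from the standard library. The iteration count and the passphrase are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def make_verifier(master_password: str, salt: bytes = None) -> dict:
    """Return the record the server stores: salt, iteration count and the
    derived hash. Nothing in it lets the server recover the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(master_password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant
    time, so timing does not reveal how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed passphrase for the demonstration only.
    record = make_verifier("example-master-passphrase")
    print("stored hash:", record["hash"].hex())
    print("correct passphrase accepted:", verify("example-master-passphrase", record))
    print("wrong passphrase rejected:", not verify("password123", record))
```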
Overall, though, using a password manager offers far more security despite this rather large risk. First and foremost, it's important that you pick a long passphrase, while incorporating as wide a percentage of numbers and special characters as possible while still being easy to remember. For example, a good one would be MD_teacH-isthetruuPK_luffY2sleep4, a reference to my favorite anime One Piece. Practice it enough and attempt to commit it to muscle memory over time. Inside jokes are an even better subject of passphrases as they aren't easily guessed or googlable.
Good password managers are KeePassXC and Bitwarden.
Lie! When it comes to security questions, lie like never before! Security questions, or insecurity questions, are perhaps the dumbest opsec out there if you tell the truth. You do not want an answer someone could look up about you because security questions can be used to reset the password of an account. If a website asks you what your mother's maiden name is, respond with a random string of characters as long as the answer permits. Store the fictional answer in your password manager.
2FA, or two-factor authentication, is like an extra layer of authentication security. In such a scenario with 2FA activated, compromised login credentials wouldn't be enough to compromise an account. This is because in order to login you would first have to input the OTP, or one-time password, provided by the 2FA app associated with the account.
2FA is very good, but only if done by an app. SMS-based authenticators are a ridiculous security vulnerability. Just ask Twitter CEO Jack Dorsey. The reason why two-factor by SMS is so bad is primarily because of sim-swap attacks - a targeted social engineering attack where an attacker gathers information about a victim in order to impersonate the victim before their mobile telephone provider in an attempt to have the victim's phone number ported to a device controlled by the attacker. Once the attacker has access to the victim's phone number, he gains access to any account linked to the number via SMS-based 2FA. This is just one prevalent attack. Others include infecting a mobile device with malware to gain remote access, and resetting accounts from there. Moreover, with SMS being an insecure messaging protocol, messages such as one-time passwords can be intercepted via man-in-the-middle attacks.
For 2FA apps, andOTP and Aegis are good on Android, as is Tofu on iOS. Hardware-based 2FA such as Nitrokey is even more secure, but overkill for the average person.
When I recommended the software in the last section, why did I do it? What are the criteria I set?
One of the main criteria is whether or not a tool is open-source. This is because large and reputable open-source projects, especially KeePass, are constantly being probed and inspected by independent security researchers. Also, most people who create open-source applications do so with little to no profit motive, making it less likely for them to collect your personal information, let alone attempt to monetize it. And even if they did, you or someone else could inspect the code to ensure it's not "phoning home" or making unnecessary connections.
Another good criterion is whether or not a piece of software has been the subject of an independent security audit. If a security tool, such as a password manager, is not open-source and has never been audited, this should be a massive red flag: nobody has been able to vouch for the tool. Bitwarden is an open-source password manager that proudly displays the results of its third-party security audit. It also has a public bug bounty program, offering payment to individuals who find vulnerabilities in its code. This is a very good sign, and surely one to trust.
One downside of Bitwarden, however, is that it's cloud-based. Connecting anything to the internet opens doors for vulnerability because you could be compromised without the attacker needing physical access to your device. If they were to compromise your credentials, they could access your password database from anywhere in the world. For this reason, KeePassXC is preferred from a security standpoint as your database is just a file on your computer that cannot be accessed from the internet.
Most of the malicious content on the internet is injected into websites in a similar manner: third-party scripts and content delivery networks. These two delivery methods are responsible for annoying pop-ups and ads, malware, and malicious tracking software. Luckily there are rather simple solutions to mitigate all of them in one fell swoop. For most users, malicious advertisements and content delivery networks can be blocked rather easily using web browser extensions such as uMatrix, uBlock Origin, and Decentraleyes.
For more advanced users, entire domains can be blocked on a device or network level via host blocking.
Compartmentalization is the opsec strategy of not putting all your eggs in one basket so that in the event of a breach, damage is limited to the confines of that single compartment. Compartmentalization can be applied in any of the following ways:
Obviously, all of this will become very complex if carried too far. If this is the case, just return to the first opsec rule to simplify it: reduce the number of accounts you have!
Encryption is the go-to security measure for ensuring the confidentiality aspect of the CIA (Confidentiality-Integrity-Availability) triad of security. Different types of encryption are used depending on the method of data transfer, data access, or data storage.
Encrypting a physical device is a common solution for securing data-at-rest, or data that is not traveling over the internet or any network. Common tools for encrypting data-at-rest include:
Encrypting data which travels over a network is a bit different. Commonly used to prevent man-in-the-middle attacks, end-to-end or point-to-point encryption makes use of public and private key pairs to safely transfer data. Data is encrypted with the recipient's public key before it travels across the network, so it is completely unreadable to anyone who intercepts it, and only the matching private key can decrypt it and make it readable again. This private key is only ever stored on a device and never travels across networks. A common end-to-end encryption protocol is the Signal protocol, which is used in the popular Signal and WhatsApp messengers.
In order to encrypt web traffic, protocols such as HTTPS and TLS are the most common ones. HTTPS, or Hypertext Transfer Protocol Secure, encrypts common web traffic using TLS, or Transport Layer Security. HTTPS ensures authentication and protects against eavesdropping, tampering, and interference by attackers between a client and server. Like end-to-end encryption, it is also primarily used to protect against man-in-the-middle attacks.
Virtual Private Networks act as an encrypted tunnel between your IP address and theirs. From there, all traffic coming from your IP address appears as coming from the IP address of the VPN. Depending on your threat model, VPNs can play a role in your opsec.
VPN uses cases:
Things to be aware of:
Using a VPN means that not only does the VPN/VPS provider know your IP address, but they also have a log of your web history similar to an ISP. All VPNs claim a strict no-log policy, but this simply cannot be verified. Whether or not a VPN company logs can best be judged by the laws of the jurisdiction in which it operates.
What To Look For
Mullvad is an example of a VPN provider that meets these requirements. You give no personally identifiable information upon sign-up: no name, no username, and no password. Instead, they give you a randomly generated number that handles login. Bitcoin payment is also available.
Tor Browser Bundle, on the other hand, is a hardened variant of the Mozilla Firefox web browser which routes and encrypts all traffic through various relays, with the goal of making it impossible to identify the source of an individual web request. For the average user, Tor probably isn't necessary for any use beyond web searches, where it will hide your search history from your ISP. Using Tor to log in to a website pretty much defeats the purpose, and it's not suitable for torrenting.