The Cyber Policy Center’s report, “Securing American Elections: Prescriptions for Enhancing the Integrity and Independence of the 2020 U.S. Presidential Elections and Beyond” makes for some discouraging reading. In short, our elections are as secure as most everything else these days, i.e., not very secure.
“The reality is that your sensitive data has likely already been stolen, multiple times. Cybercriminals have your credit card information. They have your social security number and your mother’s maiden name. They have your address and phone number. They obtained the data by hacking any one of the hundreds of companies you entrust with the data — and you have no visibility into those companies’ security practices, and no recourse when they lose your data.
Given this, your best option is to turn your efforts toward trying to make sure that your data isn’t used against you. Enable two-factor authentication for all important accounts whenever possible. Don’t reuse passwords for anything important — and get a password manager to remember them all.
Do your best to disable the “secret questions” and other backup authentication mechanisms companies use when you forget your password — those are invariably insecure. Watch your credit reports and your bank accounts for suspicious activity. Set up credit freezes with the major credit bureaus. Be wary of email and phone calls you get from people purporting to be from companies you do business with.
Of course, it’s unlikely you will do a lot of this.”
—Bruce Schneier, “Protecting Yourself from Identity Theft.” Schneier on Security. May 6, 2019.
“GPS and other Global Navigation Satellite Systems (GNSS) are used in everything from cellular communication networks, to basic consumer goods, high-end military systems, and stock trading inputs. But these systems are vulnerable: by attacking positioning, navigational, and timing (PNT) data through electronic warfare (EW) capabilities, state and non-state actors can cause significant damage to modern militaries, major economies, and everyday consumers alike. With recent technological advances, the tools and methodologies for conducting this interference are now at a high risk for proliferation. GNSS attacks are emerging as a viable, disruptive strategic threat.
In this report, we present findings from a year-long investigation ending in November 2018 on an emerging subset of EW activity: the ability to mimic, or “spoof,” legitimate GNSS signals in order to manipulate PNT data. Using publicly available data and commercial technologies, we detect and analyze patterns of GNSS spoofing in the Russian Federation, Crimea, and Syria that demonstrate the Russian Federation is growing a comparative advantage in the targeted use and development of GNSS spoofing capabilities to achieve tactical and strategic objectives at home and abroad. We profile different use cases of current Russian state activity to trace the activity back to basing locations and systems in use.”
—“Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria.” C4ADS.org. April 2019.
“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”
—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.
“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.
Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”
—Bruce Schneier. “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneier.com. September 8, 2018.
“The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.”
Beyond security, the first game, “Bandit,” is a useful introduction to the command line, common tools (e.g., ssh, man, grep), and basic operating system concepts, such as permissions.
Secure Accounts consists of five modules, each designed to function either as a standalone resource on a specific aspect of account security or as part of a series, with each module building on the last.
The five modules include:
- Secure Your Accounts: A comic that explains why people should take their account security seriously
- Account Phishing and Civil Society: A brief explanation of what phishing is and two examples of phishing attacks against civil society groups based on recent Citizen Lab research
- 2-step verification in 2-minutes: A comic that explains what 2-step verification is and why it’s important
- Set up 2-step verification now: A collection of links to instructions on how to set up 2-step verification on popular online platforms
- Who could get access?: An app that uses humour to highlight how adopting better security habits means hackers need more time and skill to break into your accounts
Troy Hunt provides a detailed explanation of why you should be using a password manager.
tl;dr: The five easy steps are: (1) start using a password manager, (2) set a password for your computer and devices, (3) install HTTPS Everywhere, (4) set up two-factor authentication for your important accounts, and (5) install Signal Private Messenger. If you do nothing else, start using a password manager, like LastPass. (2,127 words)
Let’s start by doing the easy steps that can make your computer and phone more secure, right now.
- Download LastPass. If you are not using a password manager, you should be (see below for why). LastPass works on mobile phones and tablets, such as iPhone/iPad and Android. It also works on personal computers, and there is a download page for Macs, PCs and for Linux. Passwords you add on your phone are also available on your computer, and vice versa. If you use all Apple products, the best manager is 1Password for your Mac, iPhone, or iPad. However, it costs $2.99 a month for individuals and $4.99 for families to use.
- Set a password for your phone and computer. Instructions for setting a password rather than a PIN on iPhone are available. In Android, it can vary, but you can search for “lock” (without quotes) in settings to find the Lock screen settings and select password. Most computers have lock screens on by default, but if you need to set one up, instructions on how to turn the lock screen on for a Mac and Windows are available.
- Install the HTTPS Everywhere browser extension. This extension is available for three major browsers: Chrome, Firefox or Opera. If you do not currently use one of these browsers, you will need to download one of them to your computer or device using one of these links: Chrome, Firefox, or Opera. Then, install the relevant extension from the links above. If you aren’t sure which browser to use, try Firefox.
- Set up two-factor authentication for your important accounts. Your debit card for your bank account is two-factor authentication: you have to have the card and the PIN in order to access your money. You want the same kind of protection for your online accounts. The easiest way to do it is to have a text message sent to your phone with a six-digit code that you use in addition to your password to access your accounts.
- Install Signal Private Messenger. Signal is easy to use software for encrypted messages on iPhone or Android. To the person using it, it looks and works no differently from Facebook Messenger, Hangouts, or whatever default messaging app that’s already on your phone.
The How & Why
Knowing what you should be doing to keep your information safe online can be hard. It’s work. It can be complicated. It means changing the way you do things. The goal of this essay is to talk about five easy changes that everyone should consider doing, explain why as simply as possible, and point you to the tools and techniques you will need to get off to a good start.
1. Download LastPass
The most important change you can make to improve your online security is to start using a password manager. People are bad at creating passwords. We are bad at remembering them. We also tend to reuse them. With a password manager, you only have to remember one password, i.e., the master password. The good news is that there is a technique for creating a secure master password called Diceware that takes less than 10 minutes. Here’s how:
Take a six-sided die, and roll it five times. I rolled a five, five, five, one, and a one. You then take the number 55511, download a Diceware wordlist, open it and look up the number. (If the wordlist doesn’t display correctly, open it in Word or WordPad.) The word corresponding to 55511 in the linked wordlist is “splendor”. You then repeat the process six times to get six words. At the end, you’ll have a strong password like “splendor applicant gooey attentive composite cramp” (without the quotes). You’ll have to write down your password initially, but eventually, you’ll just remember it.
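The Diceware procedure above, written out in code so the two parts a reader should not get wrong are explicit: every roll must come from an unpredictable source (`secrets`, never `random`), and the strength comes from the size of the list and the number of words, not from the words themselves. This is an added example, not the essay's code or the official Diceware tooling; the wordlist snippet is constructed for the demo (only the 55511 → “splendor” entry is from the essay), and a real list has 7776 entries, one for each five-roll combination from 11111 to 66666.

```python
"""Diceware passphrase generation: roll five dice, look the number up, repeat."""
import math
import secrets
from typing import Callable, Dict, List

# Constructed sample in the layout Diceware lists use: "<five digits><tab><word>".
# A real list has 7776 lines; only the 55511 entry here matches the essay.
SAMPLE_WORDLIST_TEXT = """\
11111\tapplicant
22222\tgooey
33333\tattentive
44444\tcomposite
55511\tsplendor
66666\tcramp
"""

REAL_LIST_SIZE = 6 ** 5  # 7776 possible five-roll outcomes


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse the plain-text wordlist format into {"55511": "splendor", ...}."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"malformed Diceware key: {key!r}")
        words[key] = word.strip()
    return words


def dice_to_key(rolls: List[int]) -> str:
    """Five rolls such as [5, 5, 5, 1, 1] become the lookup key "55511"."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def roll_die() -> int:
    """One physical-die equivalent from the OS CSPRNG (never the random module)."""
    return secrets.randbelow(6) + 1


def scripted_rolls(sequence: List[int]) -> Callable[[], int]:
    """Replay fixed rolls (for demos and tests only; real use takes roll_die)."""
    it = iter(sequence)
    return lambda: next(it)


def generate_passphrase(wordlist: Dict[str, str], n_words: int = 6,
                        roll: Callable[[], int] = roll_die) -> str:
    """Repeat the five-roll lookup n_words times and join with spaces."""
    words = []
    for _ in range(n_words):
        key = dice_to_key([roll() for _ in range(5)])
        if key not in wordlist:
            raise KeyError(f"{key} is not in this wordlist (a full list covers all 7776 keys)")
        words.append(wordlist[key])
    return " ".join(words)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Each word is one uniform draw from list_size entries, so entropy adds up."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    sample = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    # Replay the essay's first roll (5,5,5,1,1) followed by a constructed 6,6,6,6,6.
    demo = generate_passphrase(sample, 2, roll=scripted_rolls([5, 5, 5, 1, 1, 6, 6, 6, 6, 6]))
    print("demo passphrase:", demo)
    print(f"six words from the full list: {entropy_bits(REAL_LIST_SIZE, 6):.1f} bits")
    print(f"six words from this toy list: {entropy_bits(len(sample), 6):.1f} bits")
```

With a full 7776-word list, six words give about 77.5 bits, which is why the essay's six-word passphrase is strong even though every word is an ordinary dictionary word; the same six words drawn from a six-entry toy list would give only about 15.5 bits, so the list must be complete and the rolls must be honest.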
Once you have a good master password, then you can use it to create an account and log into LastPass. Then, you can start the time-consuming part, changing the passwords on all your online accounts using LastPass. LastPass uses an algorithm to create unique strong passwords for every site you use. It then stores them in an encrypted database, so it is only available to you. If you are logged into LastPass, then it will automatically paste your login information into the login page and enter the website. Start with your most important passwords. It can be hard to remember all the accounts you have made over the years, so you can look for saved passwords in your browser, reset emails in your email, and other ways to try to get them all. Expect the process to take a few weeks, if you do a few every day.
Note: Instead of giving correct answers to security questions like, “What was the make of your first car?”, consider answering them incorrectly or entering additional passwords, and put the answers in the Notes field for that account in your password manager. This makes it more difficult for criminals who know personal details about you to reset your password using online account recovery or by calling customer service.
2. Set a password for your phone and computer
If LastPass is open in your computer browser or phone app, anyone with access to the computer or phone can access every site you use with it. As a good general precaution, you’ll want to make sure that anything that uses LastPass requires a password, so that if you misplace your phone or a burglar is in your home, they cannot use LastPass to access your banking account or other online services. You can always log off and log in again with your strong master password for LastPass, but it is often easier just to use the lower-level protection of the lock screen that is already on these devices.
3. Install the HTTPS Everywhere browser extension
Some websites you use may still be sending your passwords in the clear when you log in. It doesn’t matter if you use strong passwords created by a password manager like LastPass if that password is shown to everyone who cares to look whenever you log in over an open wifi hotspot at the airport, coffee shop, hotel, hospital, conference, library and so forth. HTTPS Everywhere takes these postcard passwords and puts them in sealed envelopes that only you and the website you are connecting to can read.
Note: If you spend a lot of time using unencrypted connections or want to take the concept of HTTPS Everywhere to the next level, consider using a VPN. ExpressVPN is a good example. It costs about $100/year. Discussing VPNs is beyond the scope of this essay, but a look at the link above can explain why you might want to use one.
4. Set up two-factor authentication for your important accounts
Like setting the lock screen, two-factor (or multi-factor) authentication provides an additional layer of security. With two-factor authentication set up, you log in normally. Once the website receives a good username and password combination, it then asks for an additional (usually six-digit) code. The two most common ways of getting the code are either through a text message to your phone or in a phone app like Google’s Authenticator. If someone were to get your password using an email phishing attack, say a website that looks like your bank but is a criminal’s website where you were fooled into entering your password, they would still need the second factor from your phone to access your account. Additionally, two-factor authentication can warn you that there is a problem. If you receive text messages from a service you are not trying to log on to but that has two-factor authentication, it might be an indication that someone who shouldn’t has access to your password.
Note: Reading the EFF’s tutorial, “How to Avoid Phishing Attacks” is a good point to start, if the idea of “phishing” is new to you.
5. Install Signal Private Messenger
Just as we use HTTPS Everywhere to prevent passwords from being shared “in the clear” over wifi networks, Signal does the same thing for text messages. Text messages over a phone network can be read by anyone. For example, if a criminal sets up a device that mimics the behavior of a cell phone tower, your phone might connect to it, and any data passed through that connection will be readable by that criminal. Chat services like Facebook’s Messenger and Google’s Hangouts also read the contents of your messages in order to serve advertising to you. Using Signal Private Messenger ensures that the only people who can read a message are the sender and the recipient.
If you have implemented the above changes, congratulations! You have significantly improved your online security. Since these steps were relatively easy, what else can you do?
The problem with security measures is that few things apply to everyone, and there are always trade-offs. Which trade-offs are worth making is a subjective judgment call. A few examples:
Browser extensions: There are many browser extensions that provide some measure of protection from malicious computer programs, advertising and third-party tracking online, such as NoScript, Privacy Badger, uBlock and others. While each extension is easy to install and use, it means sometimes a website will not work as you expect, and you may need to change some settings in your extensions in order to have a website display correctly. Do you need all three? Are you willing to figure out which extension is causing a page to not load the way you want? People’s tolerance for working through these kinds of issues differs.
Secure email: Are you comfortable with a service like Yahoo scanning your Yahoo email on behalf of the NSA? Is it worth it to start using Thunderbird with Enigmail with Yahoo? (Probably not.) Or what about paying $50/year for “secure” email services like Kolab, Countermail, or Protonmail? Even people that work in the software security industry have opinions for and against trying to secure email. Signal, which we installed above, is so easy to use. Why not just use it? Good question.
Encrypted files: Or, perhaps you have digital documents — such as an electronic college transcript, financial documents, medical information or a last will & testament. Do you need to protect that information from being stolen or being targeted by ransomware? What security measures do you want to take? Is a low tech solution like keeping these files on a separate USB drive enough? Do you want to use some type of encryption mechanism such as whole disk encryption available through Bitlocker on Windows, FileVault on Mac, or the device encryption options for iPhone and Android? The problem with full disk encryption is that maybe you’ll have a hard-drive failure and you won’t be able to recover the encrypted drive, which means you have to keep it in multiple locations and maybe use an encrypted storage service like SpiderOak, Seafile or use a standard cloud drive like Google Drive, Dropbox, Microsoft’s OneDrive, etc. in combination with something like LibreCrypt software in order to have encrypted data and the backups necessary to make sure you won’t lose your information. There’s no one right answer for everyone, but moving beyond putting files on a USB drive gets complicated, real quick.
For those concerned about surveillance, the EFF has a great guide called Surveillance Self Defense that discusses security concepts (e.g., threat profiles), software tools (such as PGP/GPG, VPNs, Tor, ChatSecure and so forth), and tutorials (like the one on phishing mentioned above) that can help you better understand security concepts and trade-offs. Other sites like Prism Break can also offer software suggestions worth some consideration.
There are many options available, depending on your personal needs and concerns. While the many options can be overwhelming, taking small concrete steps, like we have done here, can make you much less likely to be a target for criminals online. The old saying is that security is a process. You cannot prevent everything, but it is prudent to do the small things that help prevent the most common problems.