So in 2016 I decided I’m be much more focused on my own personal security. Not bodyguards & blacked out Range Rovers (!!), I’m talking more about what I do online. Like anything we do as humans every day we become sloppy and start falling into bad practice. When it got to the point whereby I was looking under my keyboard for passwords I’d scribbled on a post it note, I decided things had to change.
The problem with what I do as an IT Professional, (although granted this is the same for most people regardless) is that I manage & access so many systems and services online, and need to be able to quickly switch between them all, I’m either guilty of using the same or similar password or writing stuff down in plain text. Not good.
Considering I’ve helped companies become ISO27001 compliant, it’s a bit of a joke really I don’t perform the same diligence myself.
So below is a review of all the tools I’m using this year to protect myself online. If you’ve ever wondered, ‘how can I be secure’ then the following list may be a good start. It doesn’t cover everything, it just covers ‘what I do’ on various machines.
I’m going to highlight several areas. Hard Drive encryption, email encryption, chat encryption, secure passwords, data backup & syncing:
Hard drive encryption
– a complex subject, but your first response to anyone who physically steals your laptop or computer is encrypting the hard drive. There was only one solution for a quite a while, Truecrypt, but development stopped on that due to security concerns a while back, although you can still use a version of it. Read more about it here https://www.grc.com/misc/truecrypt/truecrypt.htm
So you can use Truecrypt, which I do, and it runs you through scanning your drive & files (which can take a while) and you then select the type of encryption you want to use and then you create a mouse movement to generate a secure key whereby the idea is the longer you wiggle your mouse, the longer the random key that is generated is & thereby harder to crack.
You write all this down & then every time you switch on your computer, you’re presented with a login screen before even POST happens.
This is usually a good starting point in terms of security.
So from then on, you’re into your OS and you start needing to think about passwords & local security so that moves us neatly onto passwords.
Passwords (see I told you)
People still to this day use stupid passwords. There name, dob, significant other, there number plate. You can see here the top 50 (see below & thanks to wsj.d here http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/ for that)
So I’m wanting to use unique and complex passwords for every service I use. What is a complex password? Something which contains things such as special characters (!@~# etc), upper & lower case text, numbers, and be over eight characters.
I use this resource online to generate passwords for me on-the-fly http://passwordsgenerator.net/
That way I can always be sure I’m at least making a best stab at actually using a reasonably secure password. Although one could argue using an online service to generate a password is a security risk in itself, but that is addressed in the next section.
So we’ve done passwords, now how on earth do we remember all those passwords?
I use LastPass. Lastpass allows you to store all your passwords in a secure ‘vault’ and you access that vault with just one password. Lastpass can live in your browser and automatically login to sites you visit frequently along with generating passwords for you via it’s control panel. Its’ relatively easy to use, and free so this is a really good way of being secure.
It also works great on mobile too!
So we’ve encrypted our hard drive, but we need to consider encrypting our emails too, typically emails contain so much personal information its really easy to build up a bio of someone’s life, purely through the contents of their emails. Think of what you send in emails. To family members, to children, to loved ones.
Mailvelope is a is a plugin browser extension for webmail (such as Gmail) which uses the PGP encryption protocol to protect your emails. Available for Chrome & Firefox, and you can read how it works here https://www.mailvelope.com/help but basically it involves the use of a public and private key.
A public key is something you give to everyone and can be used to encrypt a message. A private key is what you give to people securely, they will need this to in effect, decrypt the email. This concept is quite nicely illustrated here https://www.gpg4win.de/doc/en/gpg4win-compendium_8.html
Once you’ve got your private key to your recipients, you can then start sending encrypted emails – this is a good thing. Especially when you email about the type of stuff I do! Now, there’s some cons to email encryption. It relies on your recipients jumping on board, you going through the rigmoral of getting your private key to them & that’s if they don’t laugh at you for wanting to encrypt email in the first place.
I tend to use a myriad of chat clients, Lync (now Skype for business), and aggregators such as Trillian and Pidgin. If you use an aggregator such as this (one which combines your Yahoo message, Gtalk, MSN etc) then this is for you.
Chat encryption works the same way as email, and is very simple to set up. Although most chat clients use something called off-the-record messaging, meaning that in order to read IM conversations the recipients needs authentication by you.
Adium is a fantastic aggregator https://adium.im/ for Mac and Pidgin is pretty good for Windows https://www.pidgin.im/download/windows/ so by using this, you can use there inbuilt chat protection to ensure your conversations aren’t sniffed & decrypted.
Data Backup & Encryption
Uploading your backups to the cloud (such as Dropbox) is one thing, but that leaves the data unencrypted & potentially exposes you to hackers online who by breaching your security can rummage around your personal data.
I use a service called Crashplan which encrypts the data as it’s backed up. Crashplan is great, because you can specify another machine, or somewhere in the cloud. It’s really easy to set up & has a great mobile client. www.crashplan.com
Hide your Internet Traffic
Between your ISP, and the NSA, everything you do is tracked online. Hiding your web activity ensures that people can’t spy on what you’re doing. You have a ton of options here to cover your tracks, from the nuclear option of a completely private OS to the slightly less tricky privacy protecting extensions. I tend to use browser extensions as these work well, and you barely notice they are running once you’ve set them up.
Both Privacy badger https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp and Ghostery https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij?hl=en are excellent & easy to use.
But how secure is this? See this lovely excerpt from Lifehacker below….
Browser extensions help mask what you’re doing, but they don’t take care of everything. To really privatize what you’re up to, you’ll also need a VPN. It’s hard to justify the work needed to get a VPN set up unless someone wants to intentionally hide something. Sure, you can use a proxy to hide your BitTorrent traffic, or just use a browser like Tor to hide some traffic, but if you want to use the internet all the time privately, you’re going to sacrifice some conveniences.
So we’ve now got hard drive encryption, complex passwords & secure storage of those passwords sorted. (well, sorted for most mere mortal human beings anyway), what else can we do to protect ourselves? Below is a quick list of practice I put into place every day to attempt to protect my privacy.
Two factor authentication for my social media accounts – I need a one-time generated code generated from an app on my phone to access my primary social media accounts, and I also have set up alerts to ensure I’m notified if someone tries to access my accounts.
Being careful what I do when connected to public Wifi – I use public WiFi a lot. So when I do, I make sure I don’t access anything without switching my privacy extensions on, or using something like TOR. If I’m unsure, I won’t access anything such as online banking or my social media accounts.
Physical security – I never leave my equipment unattended or unlocked, and I never leave files laying around with anything written down. Ever.
So there you have it, there’s my list of best practice methods of staying safe when online. As always, let me know what you think via Twitter & look out for a Video on this subject, in my New YouTube Channel very soon