In light of this new world we find ourselves in, I figured I’d plan a few tech posts to share some knowledge and best practices relating to privacy and security. I hope this encourages some good conversation, questions, and other tips from readers. More or less, this is mostly a good idea/bad idea discussion.
To be clear, this is a mix of technical, conceptual, and philosophical information and represents my views only. When it comes to governments, my concern as a civil libertarian is to preserve all of my legal and civil rights in all situations possible, and this means preventing anyone except duly authorized parties from accessing my private information.
You may disagree with my stance regarding compliance with government searches of electronic devices (for any physical or electronic search or access to my information, I say “warrant or exigent circumstances, with me or my lawyer present, no you do not have my permission and I will not give away my precious rights”), but I did want to make clear my absolute position on this up-front.
When it comes to privacy and security of my information, there are three realms that concern me:
- Personal – things that you do, use, or carry
- Online – considerations and implications of things we do online
- Home – things to think about relating to your home/apartment
In these three realms, you should always consider your privacy and information security.
I don’t include Work because that is not an area where you have privacy, no matter what you think. Your employer has the right to observe and track you, and many do, so you cannot really protect what you don’t have!
Similar to the Realms, there are Threats. In truth, there are countless Threats, but for the most part, they break down into the following groupings:
Companies want to make money, and violating your privacy, selling your information, or otherwise making money off of you beyond sales is a great addition to a company’s bottom line.
People want to steal private information to use for fraud or to sell to others. Ethics and morals are not really in play; they will take everything they can get.
- Government (domestic or foreign)
Depending on your country and status, governments, both domestic and foreign, may want to violate your privacy to understand you, your social connections, and causes (especially protest-related ones). Other goals include gaining insight into a colleague, family member, friend, or neighbor: you may just be a step towards a larger goal.
People in our lives – family, friends, neighbors, coworkers, and more – are not all angels. There are people who like to spy and nose around people’s private affairs in order to have information that’s useful for manipulation, ego reinforcement, blackmail, or as ammunition in a future argument or fight.
Some parties try to collect as much information as possible purely because accurate information in bulk is valuable. Such brokers are often hackers who steal pre-summarized information from a source such as a company’s website’s unsecured back-end. They can also be app and online widget developers who provide a cheap or free thing in exchange for access to your data. Because their goal is bulk data, there is less emphasis on searching for anything of value beyond that information. In many cases, loyalty cards, free apps, software, tools, services, and websites aren’t free; they’re selling you. Not literally, of course, but they are analyzing and selling your behavior and information.
- Social Engineering and Influencing
There are parties who use private information to affect behavior. For instance, a bad guy may steal some private information in order to successfully impersonate an employee to bluff their way into getting a password reset or door unlocked. Or to blackmail someone into securing a password or piece of personal information they need for a different purpose. Private information can even be used to encourage or discourage behavior – such as identifying folks who can be easily convinced to not vote for a candidate due to a certain term in, or subject of, past emails, chats, or messages. In this case, you don’t need to identify folks who you can convince 100% of the time, just folks who are more likely to be influenceable – if you target one such person, who cares, but if you target 100,000 folks like that, a 10% success rate means 10,000 folks not voting for a candidate. And those kinds of numbers can change elections.
As there is a lot to cover and things are in flux, this will be a multi-part series.
Let’s explore the Realms.
This is the most important realm as it’s with you at all times. Many folks know the basics, so I won’t waste too much time on them. Instead, let’s talk about a few key concerns:
- Your phone: unlike previous times, we now carry around with us a huge amount of valuable information at all times. You need to ensure it is secure.
When you leave your home/office/normal WiFi usage area, turn off the WiFi on your phone. Many companies track folks through the WiFi signals from their phones. So do amateurs and others. When WiFi is on, it is constantly looking for open hotspots to connect to, and depending on the approach your phone vendor/OS implementation takes, you may broadcast such information as the last successful WiFi network you connected to. Many bad guys set up fake hotspots in hotels (they rent a room and set up a router to impersonate official WiFi), conference centers, airports/trains/concerts/etc. – basically anywhere with large numbers of people who aren’t regulars and might join a WiFi imposter. Your phone company’s internet service is much more secure than any WiFi you don’t control or trust fully.
Make sure to limit the apps on your phone, and ensure that appropriate privacy settings are set. There is no reason that most apps need access to your microphone, camera, contact list, location, or other user data. Many apps are sending back info about your location, usage, etc. and who knows how that data is combined with other data to reveal things about you that you may prefer to remain private. As an (antiquated) example, even if you spend cash at the local Adult Store, if your phone is on and with you, you’ve left breadcrumbs showing you were there. And if, as is likely, you hit the ATM before going to the store, that location was also tagged, and it doesn’t take too much deductive genius to link the two events and to develop a better profile of you.
Make sure to set a secure password that’s not easily guessed. Make sure it’s unrelated to all other passwords you use. At least 8 characters. Do not use only numbers, and try to include a foreign character or symbol; this diversity makes it that much more secure.
- Lost Phone/Wipe
Do enable the “find a phone/wipe phone remotely” setting or function on your device. Better a stolen or lost phone than your personal data and other info as well as the phone!
- Use different passwords for different devices or accounts.
- Never repeat a password.
- Use a different password for backups (this is to encrypt them)
- Make sure that all backups, whether local or online, are encrypted.
- Use a password database. My solution is to store my password database, encrypted, in my Dropbox. I have an open source app on my computers, and a cousin app on my phone and tablet. I can access, enter, or edit logins and passwords no matter the device. LastPass was well-reviewed: https://www.engadget.com/2017/02/24/the-best-password-managers/
- NEVER enter passwords on strange computers. If you must, change it as soon as you can on a trustworthy device. A quick story – missed my connection in Beijing airport so spent the night at an airport hotel where I was one of just a few non-Chinese. It was mostly for flight crews and had arrangements with airlines. There was no WiFi, so I went to the lobby and there wasn’t a business center. There was a travel office, with a computer that guests could use. This computer was filled with more malware, tracking software, keyboard loggers, etc. than you can possibly believe (good hotel hygiene is to have guest computers start with a brand new session of Windows). I had to access my email, so I did, but I knew that when I did, my password would be grabbed. I also knew that in 8 hours, I’d be back at the airport using WiFi and could change it then. So the first thing I did the next morning was to access the airport (trusted from bad guys but not Chinese government) WiFi to reset my email password. And then I did it again, from my home, when I returned to ensure no state snooping.
- Fingerprint scanner
The fingerprint scanner is great but there are some privacy and security considerations.
- It’s not difficult to create a fake fingerprint that works to unlock devices.
- When detained by customs or law enforcement, they may push your finger to the sensor to gain access to your device.
- Whenever you are in a situation where you wish to keep your private affairs private, reboot your phone or scan the wrong finger multiple times until the phone demands a password. From this state or from being freshly rebooted, the device will ask for a password and so no one can use your finger or fake fingerprint.
Local backups of phone data are very handy, but they are often not encrypted by default. This means that someone can access your computer (physically or by hacking) and get access to lots of info that you thought was secure. This is how some celebrities get their personal pictures stolen.
Online backups are very handy, but are not necessarily encrypted. They should be secure, but if it’s not in your control, you have no guarantees as to security, so encryption is fundamental. Also, someone may be able to get an older model of your phone (a model with worse security) and convince your service provider to reset your password and allow them to download the backup to that older model. So a good password on all cloud/remote backups is critical.
- Voice Control
Voice control in phones, home devices, cars, etc. can be great, but it also means that there is something listening all the time around you. If that info is being sent to the cloud for analysis of what you said, then your privacy is affected. So watch what you say when around your, or others’, technology. Germany just banned a toy bear because it listens and can be intercepted, easily hacked, etc.
One nice thing about most modern phones is that they enforce a timeout after an unsuccessful password attempt. And this timeout often grows for each additional attempt. This makes brute forcing passwords not very practical. So if you have a reasonably strong password, you should be in good shape: even if a dedicated computer could crack it in 24 hours, with the timeouts that 24 hours becomes centuries. This is why one hack is to copy the phone to multiple clones and try to brute force on these copies, allowing parallel attempts. Still, with a well-formed, long password, it would take a boatload of copies and months without state-level resources.
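To put numbers on the timeout argument above, here is an added example (not from the original post) that computes the worst-case time to try every passcode under a growing lockout, alone and split across copies. The delay schedule and the three passcode policies are constructed for illustration and are not any phone vendor's real values.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed schedule for illustration, not any phone vendor's real values:
# entry i is the wait (seconds) imposed after the (i+1)-th consecutive wrong
# guess; the last entry repeats for every later failure.
ASSUMED_SCHEDULE = (0, 0, 0, 0, 60, 300, 900, 3600)


def delay_after(failures, schedule=ASSUMED_SCHEDULE):
    """Wait imposed once `failures` wrong guesses have been entered in a row."""
    if failures < 1:
        return 0
    return schedule[min(failures, len(schedule)) - 1]


def worst_case_seconds(keyspace, clones=1, schedule=ASSUMED_SCHEDULE,
                       guess_seconds=0.0):
    """Time to try every candidate when the guesses are split across copies.

    Each copy keeps its own failure counter, so each one climbs the schedule
    from the start and then sits at the capped delay.
    """
    if keyspace < 1 or clones < 1:
        raise ValueError("keyspace and clones must be positive")
    per_copy = -(-keyspace // clones)           # ceiling division
    failures = per_copy - 1                     # the last guess is the right one
    ramp = min(failures, len(schedule))
    waiting = sum(delay_after(i, schedule) for i in range(1, ramp + 1))
    waiting += max(0, failures - len(schedule)) * schedule[-1]
    return waiting + per_copy * guess_seconds


def compare(policies, clones_options=(1, 100, 10_000)):
    """Worst-case years for each passcode policy and number of copies."""
    return {
        (name, clones): worst_case_seconds(size, clones) / SECONDS_PER_YEAR
        for name, size in policies.items()
        for clones in clones_options
    }


if __name__ == "__main__":
    policies = {                                # constructed sample policies
        "4-digit PIN": 10**4,
        "6-digit PIN": 10**6,
        "8 chars, letters+digits": 62**8,
    }
    for (name, clones), years in compare(policies).items():
        print(f"{name:26} copies={clones:<6} worst case ~ {years:,.2f} years")
```

Under this assumed schedule, the short PINs drop from years to days once the guesses are spread over enough copies, while the 8-character password stays out of reach, which is the case for choosing a long password rather than relying on the timeout alone.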
- Text Security
Texting is both secure and insecure, depending on what your needs are. The nice thing about texting (normal, from your mobile phone company) is that it’s secure from private actors almost always. The text goes from your phone to the phone company (encrypted from phone to tower, but then not encrypted again until it goes from tower to phone), then to the receiver’s phone company, then to their phone. There’s no simple mechanism for a private party to snoop on that text. But…government certainly can, and the phone company knows what you’ve said, as the encryption is only between the phone and the tower, where it prevents eavesdroppers. There are controversial devices that mimic authorized cell towers and are in trucks or small planes and are used primarily by law enforcement and intelligence agencies – they act as a “man in the middle” and pass on your text to the real phone company, but only after reading and recording your text. In many countries and jurisdictions, there are laws mandating that phone companies keep all texts for months or years.
iMessage and other encrypted texting apps, such as Signal, offer a slight tweak to the texting formula. They encrypt the text from sender to recipient, so no government, private party, service provider, or phone company can eavesdrop on the message. They can still tell who sent a message to whom, and when, but that’s pretty much it. (Unless you’ve stored your unencrypted backup of your phone in the cloud and in doing so, stored copies of your sent and received what-should-be-but-aren’t-encrypted messages).
- Two Factor Identification
This is a great thing that more and more apps, service providers, phone companies, and phone makers are offering and even requiring. It is premised on the concept that you need two complementary pieces of identification – a password and proof of something you, and only you, have. This is often linked to your phone. For example, to access your online banking, you login with username and password, then are texted a code to your registered mobile phone number, and must enter this code within a time limit to complete the login process. When given the option to enable two factor identification, do so – it will make bad folks’ jobs tougher!
- Giving information away
It is amazing what you can get people to tell you; this is the core of why social engineering is so often successful. People want to help, to share, to communicate and bond with people. So be careful – most sites, apps, stores, and people don’t need to know much of what they ask. They ask because they know that a significant percentage of people will offer that information, for free, sparing the company the expense of buying it from household list providers and other data brokers.
- Written passwords
Many folks keep a slip of paper in their wallet or purse. This is great – for a bad guy! A collection of passwords is worth a lot, so you’ve really made their day. Secure any written list of passwords as you would a platinum watch or gold bar. Also, keeping one on your desk isn’t the best plan either – unattended desks with Post-Its are an easy target for a cleaning crew, visitor, or coworker, and paper is easy to damage, from liquids, ink/other chemicals, or naughty girl kitties who really should know better than to eat the password list and, even more startlingly, cat food coupons!
- Information that doesn’t need to be with you all the time
Don’t carry information you don’t need with you when you won’t need it!
- Keys to things you don’t need daily access to
Similarly, don’t carry keys or other such security access items with you if you don’t need them. One – you might lose them and then feel stupid. Two – since you don’t need it everyday, you may not notice a missing key or pass, allowing an associate, coworker, or relative the time to access and pilfer from whatever is locked.
- Any key beyond your house, car, office key that has an address/license plate
Some folks keep keyrings for other vehicles or properties and have them conveniently labeled…
- RFID blocker not really useful with newer cards/post 2015
Until 2015, the earlier generation of chip-enabled credit/debit cards had some major security issues. And so a temporary market was created – wallets and purses with RFID-blockers in them. Since 2015, the cards in the USA are much more secure, joining much of the rest of the world. And this new, more secure “Chip and Pin” technology cannot be exploited by RFID readers hidden by strangers in their coats or bags. Don’t waste the money on RFID-proof wallets and purses; it’s really not a real threat worth the premium.
- Credit Card
Always use Chip reader over the traditional swipe if you have a choice as it is much more secure.
- New chip
As of 2015, the standard for credit card chips in the US changed to EMV. The old chip used RFID technology whereas the new ones do not. They require a slot, a pin, and a unique cryptographic signature in that chip.
- Chip and Pin
When using the chip readers where you slide your card into the machine and let it sit, make sure that you’re using the correct slot and that the equipment doesn’t look “patched together”. Bad guys will install fake equipment or add a fake slot underneath the real equipment, etc.
- Card out of sight = possible it’s been read.
When a card is out of your sight, it may have been cloned. Check your next bill or two to ensure this hasn’t happened. This often happens at hotels, restaurants, and bars which business people use when traveling, especially near conferences. Keep your eye on whoever took the card and the other eye on your watch; a delay can mean that some skullduggery has occurred.
Many folks dislike PayPal, but many security-minded folks love it. The love is very simple to me – instead of giving my credit card number, expiration date, and three digit security code, billing name and address, and then trusting all websites to secure that information and store it encrypted, I trust one company – PayPal. If my PayPal info is used fraudulently, I have a recourse, like with a credit or debit card, but no one gets the chance to lose my credit card number and associated data because all they know is my PayPal account name which is the same as my email address, and so not a secret I try to keep!
- Fingerprint/other biometrics
At first blush, fingerprints and other biometrics appear to be the Holy Grail of access control and ID. But this information isn’t as unique as we’d like to think, and innovative low- and hi-tech approaches can turn an embedded security system into a paperweight overnight. There are now documented cases of people making fake fingerprints from people’s HD pictures they’ve posted online, so much so that the Japanese Government has issued an advisory that people not show their palms up or let their hands be photographed if it might end up on social media. As sensors get better and picture analysis software more effective, I expect that other biometrics such as facial analysis and retina scanning will be made obsolete. Biometrics combined with a password seems like a great combination, a slightly-different implementation of Two Factor Authorization.
- Personal access – everyone you let near you is, technically, a threat. If you invite someone you just met to your place and go to the bathroom, you’ve left a stranger in your room with access to anything that you might have around, like passwords written on a Post-It above your computer or the answers to the secret questions for your online banking or investment account. That and a quick glance at your computer can provide all someone needs to access your email, bank, home computer, etc. Remember, not all information security is technical; some of it is physical common sense!
Well that’s the end of Part One; there’s at least a Part Two, likely a Part Three. I hope that this has helped open your eyes, helped you to identify areas where your privacy and security practices could improve, and hopefully you aren’t too scared to leave the house or use your phone, apps, etc. The point of this isn’t to scare you, but to inform you and help you to understand some of the risks about you in this digital age.
Should you have questions, tips, corrections, etc., please use the comments. I hope that our Commentariat share some best practices so that we all learn from each other. I know that many of you might consider something I’ve written to be inaccurate, incomplete, or just bonkers. I welcome the conversation as I most certainly do not know it all!
That said, if you would like me to review your practices, consult, clean up an issue, etc. just use the Contact a Frontpager form from the QuickLinks/Mobile Site Menu. I am happy to sign a Non Disclosure Agreement to protect your confidentiality, should that be a concern.