Things and stuff
Tuesday, September 24, 2019
Making things
I enjoy making things. Here are some of the things.
Monday, August 5, 2019
Some ideas on personal electronic security
Personal Digital Security
Establish a "root of trust"
If you believe that you are "under attack", consider establishing a secure position and starting from there. This secure position will require a new credit card, a new phone and new email account.
If your partner has knowledge of your personal information, they are in a better position than many hackers in that they can answer "knowledge based authentication" (KBA) questions. So the goal is to move away from any shared knowledge. This includes credit card accounts, phone and passwords.
Ensure you have a credit card in your name only. Credit cards are often a "factor" in authentication, i.e. proving you are who you say you are. Having the account only in your name begins to mitigate someone on a joint account having access. Set up online access to the account with a new password that you've never used before, and enable 2FA/MFA (below).
Consider getting a new phone and number, or at the very least a free Google Voice number. Google Voice numbers support text (SMS) messages. If getting a new phone, use a different provider/carrier. If using the same carrier, establish a different account if you had a shared account.
Set up a new, free email account using a provider of your choice. Do not do this from a shared computer.
The new email address will be used to receive notifications and alerts on account activity. The phone number will also be used for notifications and alerts, but also to serve as a second factor in authentication.
Remember that authentication is proving you are who you say you are. This often involves just a password, something you know, but that is rather insecure, particularly if one re-uses passwords across multiple accounts or if the password is based on shared knowledge. More secure authentication adds a second "factor", like something you have - your phone with its phone number. These multi-factor authentication (MFA) or two factor authentication (2FA) setups are the minimum you would like to have for all your new accounts. For a phone, this typically means receiving a text (SMS) message with a one-time code when you try to log into an account. Even more secure is a second factor that is "something you are", like a fingerprint.
With your new phone account, also set up online access to the carrier/provider with a new password you've never used before.
Passwords and challenge questions
On passwords, the best practice is to use a different password for EACH and EVERY account. Now you ask, how do I remember these? The answer is: you don't. On your new, secure phone, install a password manager application.
See https://www.wired.com/story/best-password-managers/ for options.
I recommend https://1password.com/
Now that you have a password manager, use the feature of the manager to generate a RANDOM password for each of your accounts and change them.
Now, to foil the knowledge based authentication attempts of a partner or anyone else, one has to change the nature of the game. Whenever an online account asks you to set up challenge questions, go ahead, but don't give them the true answers. Pick any three random "questions" and then use the password manager to generate random strings which become the "answer" to the questions. For example:
Name of elementary school: 3CJLGag3UX
Name of best friend: xn7TKjdWew
First pet: rD7LuxMidQ
Now copy/paste those three lines into the Notes area in your password manager for the account and you'll have a record of which questions you chose and the correct responses. Again, pick random questions and use random answers. Don't re-use these across multiple accounts.
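As an added illustration (not from the original post), the following Python generates random challenge answers with the operating system's secure random source and assembles the notes record in the "Question: answer" form shown above. The question list, the 10-character length and the alphanumeric alphabet are assumptions; many sites reject punctuation in challenge answers.

```python
import secrets
import string

# Alphanumeric only: assumed, since many sites reject punctuation or spaces in challenge answers.
ANSWER_ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 10) -> str:
    """Return a random alphanumeric string drawn from the OS CSPRNG (secrets, never random)."""
    if length < 8:
        raise ValueError("challenge answers should be at least 8 characters")
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def challenge_record(questions, length: int = 10) -> dict:
    """Map each chosen challenge question to a fresh random answer.

    Call this once per account so that no answer is ever shared across sites.
    """
    return {q: random_answer(length) for q in questions}


def format_notes(record: dict) -> str:
    """Render the record as 'Question: answer' lines for the password manager's Notes field."""
    return "\n".join(f"{q}: {a}" for q, a in record.items())


def answers_are_distinct(*records: dict) -> bool:
    """True if no answer string appears in more than one account's record."""
    seen = set()
    for rec in records:
        for answer in rec.values():
            if answer in seen:
                return False
            seen.add(answer)
    return True


if __name__ == "__main__":
    # Constructed example questions, matching the ones in the post.
    questions = ["Name of elementary school", "Name of best friend", "First pet"]
    bank = challenge_record(questions)
    email = challenge_record(questions)
    print(format_notes(bank))
    print("distinct across accounts:", answers_are_distinct(bank, email))
```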
Physical Security
- When setting up a password manager, some password managers will enable printing of an "emergency kit" to allow access to your password vault. Print this out and store it in a safe deposit box where only you have access to it. Consider first putting it in a tamper evident envelope.
- Turn off any location services, e.g. Find my phone, Find Friends, that are on shared accounts. Also consider parking payment and mapping/navigation apps that help you remember where you parked.
- On iPhones, ensure most apps that require access to location services are set to only allow access to location services while the app is in use. Consider turning off permission to location services for applications that really do not need it.
- Migrate any Tile or other Bluetooth locator type devices that you may have had on a shared account to a new account.
- If you have a new secured phone and account, as set up above, then I would leave Find My Phone on there.
Notifications
For all your online accounts (phone company, credit card, bank, email, etc.), enable all the notifications that are allowed. This would include events like new logins and changes to address or other personal information.
Current Activity
Monitor what each service shows as your most recent activity and force disconnection of any active sessions/logins on other devices.
- Pay attention to the "last logged in" or "last account activity" (bottom right corner of gmail on the web) whenever you access any online account. Ensure those match your recollection and are not indicative of someone else accessing your account.
- See if each service (email, social media, streaming, etc.) has the capability to show a list of active sessions, for example in Facebook, under Settings/Security & Login/Where You're Logged In. Force a logout of all active sessions and log in fresh only from your secured device(s).
- Check all shared devices (phones, tablets, smart TVs, Kindles, kids devices, etc.) and log out of your accounts.
Phone Security
- Keep physical possession of your phone at all times.
- Consider limiting what information apps will show in a "preview" notification when the phone is on the locked screen. For example, messaging apps will default to showing both the message and who it is from. Consider changing this to show just that a message has arrived. The phone would then need to be unlocked to see who the message is from or the message content.
- On iPhones, turn off AirDrop from Everyone (General/AirDrop)
- Set the phone to require a PIN/fingerprint immediately upon locking (Touch ID & Passcode/Require Passcode)
- Restrict which applications are available when the phone is locked (Touch ID & Passcode/Allow Access When Locked)
Existing accounts
Now that you have a "root of trust" and a password manager, update all your existing accounts, e.g. bank accounts, phone, social media, computers:
- Change the password on each account to a unique, random value
- Change the challenge questions
- Set up 2FA/MFA
- Set up notifications
Online Access
Establish online access accounts for all of your other physical world accounts, e.g. social security, bank accounts, credit cards, insurance policies, etc. Ensure you use strong, random passwords, different for each account, set up random challenge questions/answers, and enable account notifications.
If you haven't set up secure online access to these physical world accounts, someone else could impersonate you and set up online access, particularly if that person had enough knowledge to pass KBA. By establishing online access, even if you do not intend to use it regularly, you're preventing someone else from accessing your accounts.
Thursday, June 8, 2017
Rule #2: Be careful whose network you're on
Public WiFi
First and foremost, don't use open/public WiFi/network access points. If there's no password, then all your communications/traffic can be monitored by anyone else who connects to the same open network.
Also, there are folks that will sit in a public place, turn their device into an access point and give it a name that makes you think you're connecting to a legitimate, open access point. Instead, they're monitoring your traffic.
Better choices are to use your phone's cellular data connection or, if you want to connect a tablet/laptop, to turn your phone into a personal hotspot. In this case, your tablet/laptop connects via WiFi to your phone and then uses cellular data out from there.
Another option is to subscribe to a Virtual Private Network (VPN) service. Once the VPN client software is installed/configured on your device, you'll be making an encrypted connection between your device and the VPN service. This will mitigate the risks of using an open/public WiFi/network connection.
Work/Job/Client Networks
Then there's the topic of what to do when at work or on a client's site. Short answer: Don't. Again, use your phone for the connection. Why? Because most any business network connection is not only subject to monitoring, but probably is being monitored. Here's a nice article:
https://www.washingtonpost.com/news/the-switch/wp/2017/06/07/the-latest-nsa-leak-is-a-reminder-that-your-bosses-can-see-your-every-move/
Sunday, January 17, 2016
Rule #1: There is no privacy on the internet/intertubes. Get.Over.It.
Public Service Announcement - If you want some attempt at anonymity (BTW: good luck with that!) check out the following.
Do NOT use a photo on a dating/social network site that you have published elsewhere on the internet, e.g. LinkedIn or your company's head shot, conference photo, etc. Examine the photo(s) you're about to post. Do they contain any of the following?
- Your work badge, particularly if you're in uniform.
- A conference name tag
- Your house number, e.g. shot on your porch.
- Your car license plate number.
- Your child's school's name, e.g. first day of school pictures, jerseys or sweatshirts
- Your work/organization's name, e.g. publicity photos with backgrounds containing corporate logos.
- A run/marathon/event "bib" number.
- Use Google Chrome as your browser.
- Right click one of their photos and click "Search Google for this image".
- If they haven't followed the previous advice, Google's Image Search will pull up their public profile(s) and/or online articles/journals they've appeared in.
For general home safety tips, see:
http://www.securingthehuman.org/media/resources/STH-Poster-CyberSecureHome-Print.pdf
or the NSA's Best Practices for Keeping Your Home Network Secure (none of which would stop them if you were really in their sights ;-):
https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_BestPracticesForKeepingYourHomeNetworkSecure.pdf
For end-to-end encrypted talk or text from your smartphone, check out:
https://signal.org/
Last, just don't say anything online (text, voice mail, email, chat, snapchat, blog, instant message, etc.) that you wouldn't feel comfortable saying out loud in a public place where it might be recorded by one of a million people with their smartphone.
Or just realize that in the digital age we're no longer anonymous and some institution you thought you trusted has already been hacked and "leaked" all your personal data. :-)