Getting a Grip on Privacy and Security

23 Jun 2019 by Ray Heffer

Privacy and security are not one and the same. Without security, your privacy will be compromised. This is easy enough to understand if you think about your home. The place you sleep safe at night. The doors, windows, curtains, and shutters provide you with both privacy and security. Some people might even have locks on their doors and windows!

When it comes down to our digital privacy and security, people don’t always think of it in the same way. Unlike the physical world we live in, the digital world is abundant with malware, tracking cookies, identity theft, data collection, and an exploding number of data breaches. If you fail to take any measures to protect your personal data, then that next data breach could cost you dearly.

One way to illustrate my point is to try a little experiment. Head over to HaveIBeenPwned or DeHashed, and see if your email address is found in any of the data breaches. If not then congratulations. But give it time, and check back again someday.

Another example is at-home DNA testing kits, which are becoming very popular these days. They are cheap and easy to use. However, how would you feel if you were turned down for health insurance, or had to pay a hefty premium, based on your DNA? The video below, by Verge Science, shows how you could be identified via your DNA even if you’ve never taken a DNA test yourself. You may be thinking “I’m not a serial killer, so I don’t care”, but what would happen if these private DNA databases get shared with your insurance company? Worse still, what if your DNA profile gets leaked in a data breach?

Nothing to Hide

People that say they have nothing to hide are really saying that they are happy to trade their personal data for the convenience technology provides. Whether that be social media, fitness trackers, or smart devices in the home.

Ignorance is bliss. The alternative is inconvenient.

Last week I had family visiting us from the United Kingdom. I noticed during their stay that they had connected their smartphone to the rental car so they could use Bluetooth, handsfree calls, and make use of Android Auto and Apple CarPlay. Data privacy is far from the mind of most of my family members, but what they didn’t realize is that when they connected their phone to the rental car, it synchronized all of the contacts from the phone. This meant my phone number, home address, email address and full name are there for the taking of whoever rents the car next time.

Their phone also has WhatsApp and Facebook Messenger installed. Now that same contact information, personal details that I want to remain private, is connected with their Facebook and WhatsApp accounts. It actually gets worse. Facebook scraped call and text message data from Android phones for years.

They might not place the same level of scrutiny on privacy as I do, but this was out of my hands. I couldn’t opt out. In this case I erased the synchronized data from the car before they returned it, but there isn’t much I can do about WhatsApp or Facebook stealing my data.

Just in the past few days, as I write this blog post, there have been some notable data security and privacy articles in the news:

| Articles in the past week (June 17-21 2019) | Source |
| --- | --- |
| Goodbye, Chrome: Google’s web browser has become spy software | Washington Post |
| Post-Ransomware Attack, Florida City Pays $600K | Threat Post |
| Ethical Hacker Shows Privacy Flaw in Venmo by Scraping Seven Million Users’ Transaction Data | BeInCrypto |
| Researcher leaked a dataset of over 7,000,000 transactions scraped from the Venmo public API | Security Affairs |
| Instagram Loophole Exposes Childrens’ Contact Details | Latest Hacking News |
| Multiple Universities in United States suffer Data Breach | CISO Mag |
| SIM swap horror story: I’ve lost decades of data and Google won’t lift a finger | ZDNet |
| Human error still the cause of many data breaches | HelpNetSecurity |
| American Medical Collection Agency Data Breach Lasted 8 Months and Affects Millions | SECALERTS |

Understanding Your Threat Model

Whether you realize it or not, each and every one of us has a threat model. This is simply the risk of your personal data getting into the wrong hands, criminal or otherwise, in a way that puts you at a disadvantage or in harm’s way.

I say the wrong hands, but this begs the question: who can you trust with your data? You must presume that any organization or online service will suffer a breach sooner rather than later. It’s not a question of if, but when it gets leaked.

If I were to categorize the threat levels, then I’d put the Equifax breach of 2017 at level 1. The breach affected 145.5 million U.S. consumers, and it put everyone at risk of identity theft. The same applies to those using a web browser without ad blocking. Besides the fact that advertisements are plain annoying, browsing without ad blocking can leave you open to malware via malvertising, which is the delivery of malware through otherwise legitimate websites.

Someone that works in law enforcement is going to have an entirely different threat model to someone that works in IT, a college student, or a nurse. What is common among all of us, however, is our threat model can change in an instant.

To determine your current threat model, imagine for a moment that your home address, personal documents, private chat messages and emails have been exposed and are available online. Now let’s explore some what-if scenarios:

  • What if you have kids living at home?
  • What if a stalker takes an unhealthy interest in your spouse, or your son / daughter?
  • What if a neighbor suddenly appears in the public eye, perhaps for wrongdoing, and news reporters are digging the dirt on their friends and family (including you!)?
  • What if your identity is being used by criminals for money laundering?
  • What if your child is getting bullied at school, and the bully uses what they find on the internet against them?
  • What if you work in law enforcement and one of the bad guys wants to pay you a personal visit?
  • What if you just find all that junk mail annoying!?

These are all very real examples, and saying you have nothing to hide is like saying ‘that will never happen to me’. Again, your threat model can change in an instant. You should take precautions now.

Getting a Grip on Privacy

As you can tell, I have a lot to say on the subject. In 2016, I started listening to Michael Bazzell’s Privacy and Security Podcast. I was fascinated. I bought many books on privacy and security, including Michael’s, and I started learning about OSINT (Open-source Intelligence), in addition to taking significant steps to protect my own privacy.

Since learning OSINT techniques, I now see how easy it is to find the home address and personal information of literally anyone. I actually became very good at it, in efforts to learn how much data is really out there, and I encourage you to do the same. Surely if you know how to pick a lock, you have a better chance at securing the door in the first place.

I was talking with my neighbor last week and he said “your home address is public information anyway”. I really don’t accept that. Sure, your property tax bill is subject to public record, but there is no law that states it must be searchable online. Having your home address available to the public is just damn intrusive in my opinion. Fortunately, there are ways to hide it by establishing a revocable living trust. A revocable living trust allows you to determine who will get your property and assets when you pass away, avoiding probate. Privacy is just an added bonus. Once your home and other financial assets are in the living trust, you become a trustee, and public records refer to the legal name of the trust which can be anything you like.

Back in the United Kingdom, privacy has been somewhat protected with the Data Protection Act of 1998, and more recently GDPR (the EU General Data Protection Regulation). More on GDPR at another time, but for over twenty years the Data Protection Act has been in place to protect the personal information of UK citizens. Fortune wrote an article last year, about data privacy laws in the United States, which touches on the idea of something similar coming into force in the United States.

The issues surrounding privacy aren’t just a stateside problem. I believe this affects everyone on the planet that uses the internet, has a smartphone, is a consumer of services, or a purchaser of goods.

What Can You Do?

Back to level 1 threats. There are steps I think we should all take. Securing your web browser, using a password manager, a VPN, and taking control of social media will be a great start.

Use Firefox (or at least stop using Chrome!)

Just use Firefox. This is something I think everyone should do. The Washington Post article already explains about tracking cookies and Google Chrome. If you like the Chromium browsing experience then try Brave, but really there is no reason to use Chrome. Firefox is not 100% private out of the box, but I like the fact that Mozilla is a non-profit organization and seems to be taking steps in the right direction.

Not only that, but Google secretly logs users into Chrome whenever they log into a Google site, as ZDNet have pointed out.

  • Delete cookies and site data when Firefox is closed (You can add exceptions using the Manage Permissions button.)
  • Ask to save logins and passwords for websites - Disabled
  • Autofill addresses - Disabled
  • Location (Settings) - Block new requests asking to access your location
  • Camera (Settings) - Block new requests asking to access your camera
  • Microphone (Settings) - Block new requests asking to access your microphone
  • Allow Firefox to send technical and interaction data to Mozilla - Disabled
  • Allow Firefox to send backlogged crash reports on your behalf - Disabled
  • Search Engine - Startpage.com
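
One way to check a Firefox profile against the settings listed above, as an added example that is not from the original post: it parses the `user_pref(...)` lines of a profile's prefs.js and reports every listed setting that is not pinned to the listed value. The mapping from each bullet to a preference name and the sample input are assumptions of this example, and preference names differ between Firefox versions.

```python
import re
# Constructed mapping from the bullets above to about:config preference names
# (assumed for Firefox releases of the post's era; newer releases moved some).
# The search engine choice is not a simple preference, so it is not checked.
RECOMMENDED = {
    "network.cookie.lifetimePolicy": 2,   # 2 = keep cookies for the session only
    "signon.rememberSignons": False,      # ask to save logins and passwords
    "extensions.formautofill.addresses.enabled": False,
    "permissions.default.geo": 2,         # 2 = block new requests
    "permissions.default.camera": 2,
    "permissions.default.microphone": 2,
    "datareporting.healthreport.uploadEnabled": False,
    "browser.crashReports.unsubmittedCheck.autoSubmit2": False,
}
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        if not (m := PREF_LINE.match(line)):
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')
    return prefs

def audit(text):
    """Return (name, found, wanted) for each setting not pinned as listed."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in RECOMMENDED.items():
        have = prefs.get(name, "unset")  # unset: the Firefox default applies
        # Compare type as well as value so that 0 is not accepted for false.
        if type(have) is not type(want) or have != want:
            findings.append((name, have, want))
    return findings

# Constructed sample in prefs.js syntax, not taken from a real profile.
SAMPLE = """\
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("signon.rememberSignons", true);
user_pref("permissions.default.geo", 2);
user_pref("permissions.default.camera", 0);
user_pref("datareporting.healthreport.uploadEnabled", false);
"""
for finding in audit(SAMPLE):
    print(finding)
```

A setting reported as "unset" is running on whatever default that Firefox version ships, so it needs a manual look rather than being assumed wrong.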

Don’t go crazy with browser add-ons and extensions though. The more you use, the more unique your browser becomes, which makes it easier to fingerprint. I do recommend these at minimum:

Use a Password Manager!

Really, if you don’t use a password manager then you are either being careless or you have an incredible memory. I use KeePassXC as I self-host all of my data with NextCloud, but LastPass or BitWarden are also great options if you prefer a cloud-hosted solution.

Use a VPN

Firstly, if you ever connect to public WiFi at the airport, coffee shops, or while at events and conferences then you really must use a VPN. This is the perfect example of convenience at a cost, and if you keep doing this without a VPN then you will suffer the consequences.

Without a VPN, your network traffic can be monitored and sniffed with packet inspection. Worse still, you could be subject to DNS spoofing or DNS cache poisoning, and the secure site you think you are accessing is actually harvesting your passwords.

I’ve used many VPN services but found NordVPN and ProtonVPN to be excellent options.

Use Multi-Factor Authentication

Where at all possible, especially on your email, use multi-factor authentication (or 2FA). This is where you have an app on your smartphone, or a hardware device such as a YubiKey, that allows you to enter a code in addition to your username and password. If you don’t want your other online accounts hacked, securing your email with multi-factor authentication is a good first step.

Stop using Facebook and WhatsApp

There are many reasons to delete your Facebook account, not just for those concerned about privacy. I don’t want to hear any of your excuses either. If I can live without it, despite moving 3,800 miles overseas, leaving friends and family back in the United Kingdom, then it proves Facebook is not a necessity. If anything I speak with my family and friends more often now, since it means I send them photos directly using Wire or Signal, and make video calls more often.

Final Thoughts

While my own threat model is fairly low, any of those what-if scenarios could happen one day. The steps I’ve taken to protect my own personal information, in the event of these scenarios or a data breach, go way beyond what I’ve discussed here. I’m not wearing a tin-foil hat just yet (some may disagree), and I’m obviously good with sharing my thoughts on this blog and Twitter.

Taking steps to protect your identity isn’t something that can be done overnight. It’s a continuous process and requires a lot of patience and time. It has taken me two years to get back to a point where I feel more comfortable, but I’m never done.

Here are some of the tools I use to stay secure online:

  1. pfSense firewall with separate VLANs (networks) for kids, WiFi, PC, IoT devices, and guests. Routing all traffic through ProtonVPN.
  2. MySudo for daily phone use. I don’t give out my real SIM card number.
  3. ProtonMail for all personal email.
  4. ProtonVPN for mobile devices and home internet.
  5. PiHole blocking malware, telemetry and ad-trackers.
  6. DNSSEC for DNS security.
  7. OpenVPN for access into home network.
  8. KeePassXC password database.
  9. NextCloud with 4TB of storage, self-hosted and accessible only via VPN.
  10. Privacy.com for all bank payments. Every merchant I do business with has a unique card number.
  11. Joplin for encrypted notes hosted on my NextCloud instance.
  12. Apple iPhone as it’s better than Android for privacy.
  13. Wire for secure messaging.
  14. Signal for secure messaging.

Edward Snowden’s response to the nothing to hide argument:

If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.

Keep the conversation going on Twitter!
