I’m giving a talk this weekend at Florida DrupalCamp on some basic personal security tips. The focus isn’t on development security, or on securing Drupal projects, but instead is meant to be applicable to pretty much everybody.
If you spend any time on the internet, this guide can offer some help to you. First:
Why do I need to care about this?
Let’s get one of the common misconceptions out of the way:
I don’t have anything to hide, so I don’t need to worry about privacy.
I honestly can’t think of anyone about whom this statement is true. Everyone has something that they don’t want others to see, for whatever reason. If I were to ask you for access to every digital account that you own (not to mention your home and all other personal belongings), you would probably not give me access to any of them, even with my solemn pinky oath not to touch anything. The fact that I’m asking gives you pause. Now how about those that don’t bother with the pleasantries?
You have something of value to lose online. That’s a fact of life now, and while you may be thinking of embarrassing emails or compromising texts, there are other things like workplace data, financial accounts, health records, and more that are vulnerable if you do not maintain some basic web security. Because accounts are chained together (password resets for nearly everything land in your inbox), one insecure email address can allow all of your accounts to be compromised.
Even if you still think that you don’t personally need to worry about security, what about those around you? There is safety in numbers. When someone is alone in using encrypted communications, they stand out to profilers, even if the content of their communications does not. When everyone around them is using encrypted communications as well, they blend into a much larger volume of encrypted chatter.
Just as inoculations against illness disproportionately protect the members of society with the weakest immune systems, the group protection that comes from supporting secure software helps the most vulnerable people who rely on these tools. Also, your insecure devices can be used to launch attacks that affect everyone, and those insecurities are not going away anytime soon.
So now that we’ve covered that it’s important to care about your online security, where do we start?
What’s Your Profile?
We’re looking to define two profiles to start with: your Attack Surface Profile, and your Adversary Profile. These will help us determine where to put effort in building our security profile.
Attack Surface Profile: The ways that you can conceivably be compromised. This is the cellphone in your pocket, the accounts that you have logged in automatically on your laptop, the fact that your email address is linked to your Amazon credit card. You will miss some of these, but the major ones are where it matters most.
Adversary Profile: Who conceivably cares enough about you that you need to secure yourself against? Are you going through a divorce or custody battle, with lawyers watching your every move? Are you exploring your sexuality or religion in a setting where harm can come from exposure? In addition to these or other specific threats, you have the general drive-by attacks done on accounts related to data breaches to worry about.
Security Profile: Now that you’ve defined your Attack Surface Profile and your Adversary Profile, you can create your Security Profile. You’ve identified that you use your laptop at coffee shops regularly, so you commit to avoiding financial services there. You want to avoid being tracked while going to a sensitive meeting, so you leave your phone at home. You want to learn more about things that may be socially unacceptable, so you use Tor Browser to hide your browsing history.
How Can I Get Started?
There are a wide variety of tools available with varying degrees of complexity and protections afforded. A few suggestions:
- Use a password manager. These tools can themselves be compromised, but they are much better than memorizing (meaning reusing) passwords, which you should stop doing. LastPass is a free web-based tool, and KeePass is an open source password manager that lives on your computer.
- Enable two-factor authentication everywhere that you can. That means email, social media accounts, developer accounts like hosting and GitHub, everywhere. Two-factor authentication is generally delivered via a text message or an app on your phone, and is used as a secondary method to prove you are who you say you are.
- Switch to Signal for messaging. It doesn’t have the pretty colored bubbles of iMessage, but get over it. Signal is the current standard for end-to-end encrypted messaging, which means nobody without access to one of the two devices can read the messages being sent. It is compatible with all major phone brands, and has all of the features that any standard messenger has, plus some bonus goodies like secure VoIP calls.
- Check your privacy settings on Chrome, Firefox, Twitter and Facebook.
- Take advantage of the tools that the EFF makes for privacy. This includes HTTPS Everywhere, which encrypts your browsing to and from websites, and Privacy Badger, an ad and tracker blocker that adapts to the trackers it encounters as you browse.
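To make the "app on your phone" form of two-factor authentication less of a black box, here is an added example (written for this post, not code from the talk or from any of the tools named above) of how time-based one-time passwords work. The app and the service share a secret; every 30 seconds both sides compute an HMAC over the current time step and keep six digits of it, so a code is useless once its time window has passed. The secret below is the public RFC 4226/6238 test key, and the verifier class and its replay check are my own illustration of what a well-behaved service does, not the logic of any particular provider.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the time window each code is valid for
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (usually via a QR code)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that QR payloads often omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Hypothetical server-side check: tolerate one step of clock drift either way,
    and never accept the same time step twice (a code that was sniffed and replayed
    within its window is rejected)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step already used for a successful login

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # this step (or an earlier one) has already been consumed
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the demo secret right now:", totp(DEMO_SECRET, now))
```

Two details are worth noticing: the phone never sends the secret anywhere after enrolment, only the six derived digits, and the verifier's replay check is what turns "someone saw my code" into a non-event once that 30-second step has been used.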
This is too much. Isn’t this impossible anyway?
I agree, there are a lot of things that you have to worry about to maintain your privacy and security. There will always be something that you miss, but that doesn’t mean that you shouldn’t try. If you lock your house or car, you are engaged in a similar decision-making process. Sure, a burglar could smash a window and get in, but they’re more likely to move on in search of an easier target.
Don’t give up on security! It is becoming easier than ever to maintain some of your privacy and information security thanks to the work of countless contributors to open source tools. Support their work, and protect your freedoms!