“I have nothing to hide” was once the standard response to surveillance programs utilizing cameras, border checks, and casual questioning by law enforcement.
Privacy used to be considered a concept generally respected in many countries — at least, in the West — with a few changes to rules and regulations here and there often made only in the name of the common good.
Things have changed, and not for the better.
China’s Great Firewall, the UK’s Snooper’s Charter, the US’ mass surveillance and bulk data collection — compliments of the National Security Agency (NSA) and Edward Snowden’s whistleblowing — Russia’s insidious election meddling, and countless censorship and communication blackout schemes across the Middle East are all contributing to a global surveillance state in which privacy is a luxury of the few and not a right of the many.
As surveillance becomes a common factor of our daily lives, privacy is in danger of no longer being considered an intrinsic right.
Everything from our web browsing to mobile devices and the Internet of Things (IoT) products installed in our homes have the potential to erode our privacy and personal security, and you cannot depend on vendors or ever-changing surveillance rules to keep them intact.
Having “nothing to hide” doesn’t cut it anymore. We must all do whatever we can to safeguard our personal privacy. Taking the steps outlined below can not only give you some sanctuary from spreading surveillance tactics but also help keep you safe from cyberattackers.
Data management is at the heart of privacy
Data is a vague concept and can encompass such a wide range of information that it is worth briefly breaking down different collections before examining how each area is relevant to your privacy and security.
Personally Identifiable Information
Known as PII, this can include your name, physical home address, email address, telephone numbers, date of birth, marital status, Social Security numbers (US)/National Insurance numbers (UK), and other information relating to your medical status, family members, employment, and education.
Why does it matter? All this data, whether lost in different data breaches or stolen piecemeal through phishing campaigns, can provide attackers with enough information to conduct identity theft, take out loans using your name, and potentially compromise online accounts that rely on security questions being answered correctly. In the wrong hands, this information can also prove to be a gold mine for advertisers lacking a moral backbone.
Browsing habits and website visits
Internet activity is monitored by an Internet Service Provider (ISP) and can be hijacked. While there is little consumers can do about attacks at the ISP level, the web pages you visit can also be tracked by cookies, which are small bits of text that are downloaded and stored by your browser. Browser plugins may also track your activity across multiple websites.
Why does it matter? Cookies are used to personalize internet experiences and this can include tailored advertising. However, such tracking can go too far, as shown when the unique identifiers added to a cookie are then used across different services and on various marketing platforms. Such practices are often considered intrusive.
Message and email content
Our email accounts are often the pathway that can provide a link to all our other valuable accounts, as well as a record of our communication with friends, families, and colleagues.
Why does it matter? If an email account acts as a singular hub for other services, a single compromise can snowball into the hijack of many accounts and services.
Online purchases, financial information
When you conduct a transaction online, this information may include credentials for financial services such as PayPal, or credit card information including card numbers, expiry dates, and security codes.
Why does it matter? Cybercriminals who steal financial services credentials through phishing and fraudulent websites, who eavesdrop on your transactions through Man-in-The-Middle (MiTM) attacks, or who utilize card-skimming malware, can steal these details when they are not secured.
Once this information has been obtained, unauthorized transactions can be made, clone cards may be created, or this data may also be sold on to others in the Dark Web.
Medical records and DNA profiles
Another entrant to the mix, hospitals are now transitioning to electronic records and home DNA services store genetic information belonging to their users, submitted in the quest for health-related queries or tracing family histories.
Why does it matter? The loss of medical information, which is deeply personal, can be upsetting and result in disastrous consequences for everyone involved.
When it comes to DNA, however, the choice is ours whether to release this information — outside of law enforcement demands — and it is often the use of ancestry services that release this data in the first place. Privacy concerns relating to DNA searches have been cited for sales downturns with some popular home ancestry kits.
What is being done to protect this information?
Businesses that handle data belonging to their customers are being scrutinized more and more with the arrival of regulatory changes such as the EU’s General Data Protection Regulation, designed to create a level playing field and stipulate adequate security measures to protect consumer privacy and data.
Companies will often encrypt your information as part of the process, which is a way to encode information to make it unreadable by unauthorized parties.
One way this is achieved is by using SSL and TLS certificates that support encryption on website domains. While certificates are usually a paid service, Let’s Encrypt offers free SSL/TLS certificates to webmasters who wish to improve their websites’ security. (Unfortunately, this has also led to the adoption of SSL by fraudsters.)
Apple, Google, and Mozilla have gone against a CA/B Forum ballot and have decided to reduce the lifespan of TLS certificates to 398 days, starting September 1.
End-to-end encryption is also becoming more popular. This form of encryption prevents anyone except those communicating from accessing or reading the content of messages, including vendors themselves.
Following Snowden’s disclosure of the NSA’s mass surveillance activities, end-to-end encryption has been widely adopted by many online communication services. With a recent shift to working from home practices prompted by COVID-19, this has expanded to include video conferencing tools.
Privacy advocates may cheer, but governments and law enforcement agencies have not rejoiced at the trend — and a political battlefield has emerged between tech vendors and governments that are attempting to enforce the inclusion of deliberate backdoors into encrypted systems.
It is up to us to make use of any privacy-enabling technology we have at hand. Below are some guides with simple steps to get you started.
Browser basics and Tor
Searching the web is a daily activity for many of us, and as such, it is also a hotbed for tracking and potential cyberattacks.
The most commonly-used browsers are Google Chrome, Apple Safari, Microsoft Edge, Opera, and Mozilla Firefox. However, you should consider using Tor if you want to truly keep your browsing private.
The Tor Project maintains Tor Browser, an open-source browser that is privacy-focused. The software routes traffic through a series of relays rather than establishing direct connections to websites, which prevents users from being tracked through traffic analysis or IP addresses.
Not to be confused with the Dark Web — although required to access it and .onion domains in general — Tor is legal and is often used by the privacy-conscious, including journalists, activists, civil rights groups, and NGOs.
The Tor browser can be slightly slower than traditional browsers, but it is still the best choice for secure browsing. The non-profit recently launched a membership program to secure funding and boost integration in third-party products.
Secure other browsers
If you are more comfortable using Chrome, Safari, Firefox, Microsoft Edge, or another browser, there are still ways to improve your security without implementing major changes to your surfing habits.
Cookies: Clearing out your cookie caches and browser histories can prevent ad networks from collecting too much information about you. The easiest way to do so is to clear the cache (Firefox, Chrome, Opera, Safari, Edge).
HTTP v. HTTPS: When you visit a website address, you will be met with either Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). The latter option uses a layer of encryption to enable secure communication between a browser and a server.
The most important thing to remember is while HTTPS is best used by default in general browsing, when it comes to online purchases it is crucial to protecting your payment details from eavesdropping and theft.
It is still possible for payment details to be stolen on the vendor’s side, but to reduce the risk of theft as much as possible you should not hand over any important information to websites without HTTPS enabled. (It is estimated that shopping cart conversion rates increase by 13 percent with HTTPS enabled, which should encourage webmasters to use the protocol, too.)
To find out whether HTTPS is enabled, look in the address bar for “https://.” Many browsers also show a closed padlock.
Google’s search engine, alongside other major options such as Yahoo! and Bing, make use of algorithms based on your data to provide “personalized” experiences. However, browsing histories and search queries can be used to create user profiles detailing our histories, clicks, interests, and more, and may become invasive over time.
If you wish to stay with your current browser you can also use software that bolts-on to your browser to enhance the privacy and security of your surfing activities.
HTTPS Everywhere: Available for Firefox, Chrome, and Opera, HTTPS Everywhere is a plugin created by the Tor Project and Electronic Frontier Foundation (EFF) to expand HTTPS encryption to many websites, improving the security of your communication with them.
Disconnect: Another worthy addition to the list, Disconnect provides a visual guide to websites that are tracking your activity. Invisible trackers that monitor you and may also expose you to malicious content can be blocked. Disconnect is available for Chrome, Firefox, Safari, and Opera.
Facebook Container: In a time where Facebook has come under fire for its data collection and sharing practices time after time, Mozilla’s Facebook Container application is a worthwhile plugin to download if you are worried about the social media network tracking your visits to other websites. The plugin isolates your Facebook profile and creates a form of browser-based container to prevent third-party advertisers and Facebook tracking outside of the network. While not bulletproof, this add-on is worth considering if you want to separate Facebook from the rest of your browsing activities.
Blur: Blur, available for Firefox and Chrome, is an all-around plugin to protect your privacy and security. While the add-on can be used for password management and generation, ad blocking, and encryption, the true value is the use of “masked cards” in the premium version of the software. When data breaches occur, financial information is often the target. With this plugin, however, throwaway virtual cards are used with online vendors in place of your credit card data, keeping it safe should a cyberattack occur.
Privacy Badger: Last but certainly not least, the EFF’s Opera, Firefox, and Chrome-supporting plugin Privacy Badger is focused on preventing ad networks from tracking you. The software monitors third parties that attempt to track users through cookies and digital fingerprinting and will automatically block those which use multiple tracking techniques. The plugin also includes color-coded indicators of domain tracking scripts.
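As an added illustration (not code from the article or from any of the plugins above), the following Python applies the cross-site heuristic these tools rely on to a constructed request log: a third-party domain that receives the same identifier-like cookie while you visit several unrelated sites is flagged as a tracker. The log format, the three-site threshold and the two-label approximation of a “site” are assumptions of the example.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample log: one third-party request per line, recorded while
# visiting a first-party page. Columns: <page URL> <request URL> <Cookie header or ->
SAMPLE_LOG = """\
https://news.example/article https://ads.tracker.example/pixel uid=7d3f9a2c41; sess=1
https://shop.example/cart https://ads.tracker.example/pixel uid=7d3f9a2c41
https://blog.example/post https://ads.tracker.example/pixel uid=7d3f9a2c41; sess=2
https://news.example/article https://cdn.static.example/lib.js -
https://shop.example/cart https://cdn.static.example/lib.js -
https://news.example/article https://widgets.social.example/like lang=en
https://shop.example/cart https://widgets.social.example/like lang=en
https://blog.example/post https://widgets.social.example/like lang=en
https://news.example/article https://img.news.example/logo.png uid=7d3f9a2c41
"""

SITES_THRESHOLD = 3   # flag once the same identifier shows up on this many sites (assumed)
MIN_ID_LENGTH = 8     # shorter values (flags, language codes) are not treated as identifiers


def site_of(url: str) -> str:
    """Reduce a URL to its registrable domain.

    Simplification: takes the last two labels of the host. Real tools consult the
    Public Suffix List so that e.g. "co.uk" is not mistaken for a site.
    """
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def looks_like_identifier(value: str) -> bool:
    """Heuristic: long, varied values are likely unique IDs; short ones are not."""
    return len(value) >= MIN_ID_LENGTH and len(set(value)) >= MIN_ID_LENGTH // 2


def find_cross_site_trackers(log_text: str, threshold: int = SITES_THRESHOLD) -> dict:
    """Return {third_party_site: sorted first-party sites} for every third party that
    received the same identifier-like cookie on at least `threshold` distinct sites."""
    seen = defaultdict(set)  # (third_party_site, cookie_name, cookie_value) -> first-party sites
    for line in log_text.splitlines():
        if not line.strip():
            continue
        page_url, req_url, cookie_header = line.split(maxsplit=2)
        first_party, third_party = site_of(page_url), site_of(req_url)
        if first_party == third_party or cookie_header == "-":
            continue  # same-site request, or no cookie sent: nothing to correlate with
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            if looks_like_identifier(morsel.value):
                seen[(third_party, name, morsel.value)].add(first_party)
    flagged = {}
    for (third_party, _name, _value), sites in seen.items():
        if len(sites) >= threshold:
            flagged.setdefault(third_party, set()).update(sites)
    return {tp: sorted(sites) for tp, sites in flagged.items()}


if __name__ == "__main__":
    for tracker, sites in find_cross_site_trackers(SAMPLE_LOG).items():
        print(f"{tracker} carried one identifier across {len(sites)} sites: {', '.join(sites)}")
```

In the sample, only tracker.example is flagged: the CDN sends no cookie, the social widget’s `lang=en` is not an identifier, and the `uid` sent to img.news.example is first-party.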
Public Wi-Fi: A security risk?
There is no denying that public Wi-Fi hotspots are convenient, especially in a time when many of us are working outside of the office. However, you may be placing your privacy and security at risk if you choose to use one while on the move without the right precautions.
The problem with them is simple: As you do not need authentication to access them, neither do cyberattackers — and this gives them the opportunity to perform what is known as Man-in-The-Middle (MiTM) attacks in order to eavesdrop on your activities and potentially steal your information, as well as manipulate traffic in a way to send you to malicious websites.
Hackers may be able to access the information you are sending through the Wi-Fi hotspot, including but not limited to emails, financial information, and account credentials. Hackers may also set up their own rogue honeypot Wi-Fi points that appear legitimate whilst only being interested in stealing the data of those who connect to it.
It is best not to use a public, unsecured Wi-Fi connection at all. An alternative and far more secure method is always to use a mobile 4G/5G/LTE connection through your own mobile device when possible.
If you need an internet connection for a device other than your smartphone, an easy way to accomplish this is to set up your mobile device as a mobile Wi-Fi hotspot itself. You can usually find this option in your main scroller menu, or under Wi-Fi settings.
There are other precautions you can take to make a public Wi-Fi hotspot safer — but it’s never devoid of risk.
When you connect to a new Wi-Fi hotspot on Microsoft Windows machines, make sure that you select “Public” when the option appears, as this will enable the operating system to turn off sharing; turn off the Wi-Fi connection when you do not need it, enable firewalls, and try to only visit websites with HTTPS enabled.
In addition, do not use the Wi-Fi hotspot to access anything valuable, such as an online banking service.
One of the most important layers of security to implement is the use of a virtual private network (VPN) if accessing a public Wi-Fi hotspot — and the use of a trustworthy VPN should be implemented across all your devices, no matter your connection type.
VPNs: Why, when, and where?
A virtual private network is a way to create a secure tunnel between browsers and web servers. Data packets are encrypted before they are sent to a destination server, which also results in IP addresses and your location becoming hidden. Many VPNs will also include a ‘kill switch’ that cuts off your internet access temporarily if a connection drops in order to keep your online activity secure.
VPNs have now entered the mainstream. Many users only adopt these services to access geolocation-blocked content — such as websites and apps banned in select countries — for example, a user in the United States could make themselves appear to be located in the United Kingdom, and vice versa.
However, VPNs have also surged in popularity in response to increased surveillance, making their use a popular option for activists or those in countries ruled by censorship. In addition, some organizations will require their employees to now use a VPN when accessing corporate resources remotely.
(For a more detailed look at how VPNs operate, check out our guide.)
VPNs are not a silver bullet for security; far from it, but they can help mask your online presence. It is worth noting, however, that VPN usage is banned in some countries.
Free vs. premium VPNs
Premium, paid services are often more trustworthy. Free options are often slower and will offer limited bandwidth capacity. VPNs cost money to run and so providers will also require users of free services to agree to alternative means for them to turn a profit — and this may include tracking and selling your data.
Remember, when you are using a free service, whether it’s a VPN or Facebook, you are the product and not the customer.
(If you’re technically able, you could also set up your own private VPN. A handy set of instructions can be found here.)
Which VPN should I use?
The most important element to consider when deciding on a VPN is trust. Using a VPN requires all your traffic to go through a third party. If that third-party VPN is unsecured or uses this information for nefarious reasons, then the whole point of using a VPN for additional privacy is negated.
Conflicts of interest, VPN providers being hosted in countries of which governments can demand their data, and sometimes less-than-transparent business practices can all make finding a trustworthy option a complex and convoluted journey.
Passwords and vaults
This kind of advice is repeated ad nauseam but it is worth saying again: using complex passwords is the first line of defense you have to secure your online accounts.
Thankfully, many vendors now actively prevent you from using simple combinations that are easy to break, such as QWERTY12345 or PASSWORD123, with dictionary-based and brute-force attacks. In July, researchers found that one out of every seven passwords in use is still ‘123456’.
However, it is difficult to remember complicated password credentials when you are using multiple online services, and this is where password vaults come in.
Password managers are specialized pieces of software used to securely record the credentials required to access your online services. Rather than being required to remember each set of credentials, these systems keep everything in one place, accessed through one master password, and they will use security measures such as AES-256 encryption to prevent exposure.
Vaults may also generate strong and complex passwords on your behalf, as well as proactively change old and weak ones.
It is true that password managers and vaults may have vulnerable design elements that can be exploited on already-compromised machines, but when you balance risk, it is still recommended to use such software. Vendors with the best ratings include LastPass, Keeper, and Blur, but for a full range, check out CNET’s password manager directory.
Enable Two-factor authentication (2FA)
Two-factor authentication (2FA) is a widely-implemented method of adding an extra layer of security to your accounts and services after you have submitted a password.
The most common methods are via an SMS message, a biometric marker such as a fingerprint or iris scan, a PIN number, pattern, or physical fob. Using 2FA does create an additional step to access your accounts and data.
2FA is a strong security standard, but if you are unlucky enough to become a victim of SIM hijacking, this layer of security means very little. SIM-swapping occurs when a cybercriminal poses as you to a service provider, such as AT&T, using social engineering techniques and information gathered about you to fool employees into transferring ownership of your mobile number.
Once they have secured your phone number, they have a small window of time to hijack online accounts — such as emails, bank accounts, or cryptocurrency wallets — before you notice your service has ended. In this time, attackers may be able to access 2FA codes.
In July, AT&T became the subject of a lawsuit centered around a customer who allegedly lost $1.9 million in cryptocurrency due to a SIM-swap attack.
This type of fraud is difficult to protect against. However, one way to do so is to connect 2FA telephone numbers to a secondary number that is not publicly known and so could only become subject to a SIM-swap if leaked elsewhere.
Secure your mobile devices
Mobile devices can act as a secondary means of protection for your online accounts via 2FA, but these endpoints can also be the weak link that completely breaks down your privacy and security.
Both Apple iPhones and mobile devices based on Google’s Android operating system sell by the millions. Android has maintained the lion’s share of the global smartphone and tablet market for years, but due to its popularity, the majority of mobile malware samples are geared towards this OS.
The open source nature of Android has also opened the way for hackers to search for vulnerabilities in its code, but to combat this, Google does run a bug bounty program and consistent security patch cycle for vendors.
iOS, in contrast, is a proprietary operating system and iPhones are generally considered more secure — despite the emergence of security flaws on occasion, which are almost laughable.
(Google has previously said that Android security is now as good as iOS, but we are still waiting to see the real-world evidence of this claim.)
Patch, patch, patch
The first and easiest way to keep mobile devices on either platform secure is to accept security updates when they appear over the air. These patches resolve new bugs and flaws, as well as sometimes provide performance fixes, and can keep your device from being exploited by attackers.
To check your device is up to date on iOS, go to Settings > General > Software Update. On Android, go to Settings > Software Update.
Lock it down
It sounds simple, but many of us don’t do it — make sure your mobile device is locked in some way to prevent physical compromise.
You can turn on your iPhone’s Passcode feature to enter a four or six-digit passcode, as well as select the ‘custom’ option to set either a numeric or alphanumeric code. On iPhone X and later, go to Settings > Face ID & Passcode, while on earlier iPhone devices, go to Settings > Touch ID & Passcode. If TouchID is not a feature on your iPhone, the menu option will simply show Passcode.
On Android, you can choose to set a pattern, PIN number, or password with a minimum of four digits. You can choose by tapping Settings > Security & location/Security > Lock Screen.
Face recognition, iris scanning, and fingerprints are biometric authentication options found on modern iPhones and Android devices. These services can be convenient, although it is worth noting that in the US, law enforcement may be able to force you to unlock your devices as biometrics are under question when it comes to the Fifth Amendment.
Find your phone
We want to stop ourselves from being monitored without consent, but some technologies can be beneficial for tracking down our own lost or stolen property.
Find my iPhone is a security feature for iOS devices that you can enable to allow you to track your device through iCloud. The system also includes a remote lock to prevent others from using your iPhone, iPad, or iPod Touch in the case of theft.
In order to enable Find my iPhone, go to Settings > [your name] > iCloud. Scroll to the bottom to tap Find my iPhone, and slide to turn on.
Google’s Find My Device can be used to ring a missing device, remotely secure your smartphone, and also wipe all content on your stolen property. The service is automatically made available by default once a Google account is connected to your device but it does require the device to be turned on, to have an active internet connection, and to have both location and the Find My Device feature enabled.
In order to do so, open Settings > Security & Location/Security > Find My Device.
Other privacy settings
For the iPhone
USB Restricted Mode: A handy security feature introduced in iOS 11.4.1, USB Restricted Mode prevents USB accessories from automatically being able to connect to an iPhone if an hour has elapsed since the last time it was unlocked. In order to enable, go to Settings > Touch ID/Face ID > USB Accessories.
For Android
Disable the option to enable unknown developers/apps: If there have been apps you simply had to install outside of Google Play, make sure the “Unknown Sources” or “Install Unknown Apps” option is not left open afterward. Sideloading isn’t necessarily a problem on occasion but leaving this avenue open could result in malicious .APKs making their way onto your smartphone.
To disable it, select Settings > Security > Unknown Sources. On the later Android models, the option is usually found in Settings > Apps > Top-right corner > Special access.
Encryption: Depending on your smartphone’s model, you may have to enable device encryption, or some will be encrypted by default once a password, PIN, or lock screen option is in place. If you have such a device you can generally encrypt your smartphone through Settings > Security > Encrypt Device.
Other models, such as the Samsung Galaxy S8, do not have this option as encryption is enabled by default but you can choose to encrypt accompanying SD cards by going to Settings > Security > Encrypt SD card.
You can also choose to enable the Secure Folder option in the same settings area to protect individual folders and files.
Rooting your device to allow the installation of software that has not been verified by vendors or made available in official app stores has security ramifications. You may not only invalidate your warranty but also open up your device to malware, malicious apps, and data theft.
An example of this is KeyRaider, a malicious campaign uncovered by Palo Alto Networks in 2015. The malware specifically targeted jailbroken iOS devices, leading to the theft of 225,000 Apple accounts and their passwords.
Encrypt your messages
There was once a time when Pretty Good Privacy (PGP) was one of only a handful of options available to secure and encrypt your online communication. PGP is a program that can be used for cryptographic protection; however, it is complicated to set up and use, and there are other options out there that are more palatable to the average user.
Keybase.io, an open-source app built on PGP for mobile and desktop systems (macOS/iOS, Android, Linux, and Windows), is another option for making use of PGP and end-to-end encryption without the technical difficulties usually involved.
There are a number of encrypted messaging applications:
Signal is widely regarded as the most accessible, secure messaging service in existence today. Available for Android, iOS, macOS, and Windows, the free app — developed by Open Whisper Systems — implements end-to-end encryption and no data is stored by the company’s servers, which means that none of your conversations can be seized or read by law enforcement or hackers.
In order to use the service, you will need to tie a phone number to the app. You can also use Signal to replace traditional SMS messaging, but the same encryption and protections do not apply unless both recipients are using the app.
WhatsApp is an alternative messaging app, which completed a rollout of end-to-end encryption across all compatible devices in 2016.
Available for Android, iOS, Windows Phone, macOS, Windows, and desktop, the messaging app is a simple and secure means to conduct chats between either a single recipient or a group. Having grown even more popular in recent years — perhaps more so as a way for colleagues to communicate while they work from home — and now boasting over one billion users, WhatsApp is certainly worth downloading to replace traditional chat apps. However, to tighten things up, make sure you visit the Chat Backup option in “Chats” and turn it off.
Apple’s iMessage, a communications platform that comes with Mac and iOS products, is another option if you want to secure and protect your digital communications.
Messages are encrypted on your devices via a private key and cannot be accessed without a passcode. However, if you choose to back up your data to iCloud, a copy of the key protecting these conversations is also stored.
In order to keep your messages truly private, turn off the backup option. Apple will then generate an on-device key to protect your messages and this is not stored by the company.
In addition, only conversations taking place between iPhones — rather than an iPhone and Android device, for example — are encrypted. 2FA must be implemented to use end-to-end encryption.
Apple Card transactions — on iOS 12.4 or later — home and health data, the
Cybersecurity 101: Protect your privacy from hackers, spies, and the government (5555 words), posted on www.zdnet.com on September 9, 2020.