Two things happened recently which should raise an alarm for anyone concerned about their online privacy. The first was a major release by WikiLeaks on 7 March 2017 of a trove of hacks and hacking techniques allegedly employed by the CIA to exploit a number of common electronic devices and applications. Although these tactics were intended for use against foreign intelligence targeted by the United States, the collection illustrates the broad weaknesses in our everyday technologies that, if exploited by malicious actors, would result in the undermining of personal privacy in unexpected ways.
Despite advertisers' claims to the contrary, common technologies such as mobile phones, smart TVs, browsers, and secure messaging applications can all be subverted. The message here is that the security of all electronic devices or applications is paramount.
The other alarming event took place at the first Boston Conference on cyber-security hosted at Boston College in the US. On 8 March, US FBI Director James Comey spoke for forty-five minutes on the role and challenges faced by the FBI in the modern cyber-threat landscape. For five minutes he discussed personal privacy from the vantage point of the FBI. In this portion, Comey stated that there is no such thing as “absolute privacy” in America. He said this in context of the legal system's ability to approve surveillance for official investigation purposes, as well as the authority of a court to compel an individual to provide private conversations as evidence or testimony – even conversations with individuals generally considered off-limits for such subpoenas, such as conversations with doctors, clergy or spouses.
Comey also divulged that in the last four months of 2016, the FBI was unable to access 43 percent of the devices that were investigated due to default and/or strong encryption, which speaks to the power of encryption. Wherever you stand politically on the needs and abilities of law enforcement to protect society, you can derive from this that simple steps to protect privacy can be surprisingly effective.
The notion that there is no “absolute privacy” is not a revelation. However, the blunt notice of vulnerabilities in everyday technologies combined with the reality that privacy cannot be guaranteed by governments (including the assumed champion of individual liberty, the US) should cause everyone to assess their environment and online habits.
Privacy, like freedom, isn't free. Any privacy we have must be deliberately and thoughtfully planned. The following are ten measures to improve your online privacy. None will guarantee privacy but all will make improvements to your online footprint and give you a step up on protecting your personal privacy. And, bonus, all of these steps are easy to implement.
By following these steps, you can go a long way in protecting your privacy online. For CISOs and IT teams, this list might be worth posting in common areas where your employees may read it. Remember, the more your employees are considering their personal digital privacy, the more likely they will be to think about protecting their business applications, credentials, and, as a result, your business.
1) Keep software on all devices updated
Out-of-date software is one of the most common ways attackers gain access to your private information. If you own any modern digital device (Wi-Fi router, mobile phone, smart TV, Blu-ray player, home surveillance system, gaming console, PC, etc.) there is generally software or firmware included that needs to be regularly updated. You may have to go to the manufacturer's website to find updates, and in some instances you must install these manually following the manufacturer's instructions.
Some PC applications may offer no notice of an available update, or may have had these unintentionally switched off in the past. Examine your devices and ensure you know how to obtain the latest updates. If possible, enable automatic updates wherever and whenever they're available. If software support is discontinued, it's time to think about upgrading from that device or application to something that is supported.
2) Manage passwords effectively
We often choose weak passwords because we can easily remember them and, once set, we tend not to change them because to do so often is inconvenient. Another problematic reality is that we may use the same memorable password across multiple accounts or devices. This is great news for cyber-criminals.
Always choose strong passwords that are long and use a variety of upper and lower-case alpha-numeric and special characters. Use different passwords across accounts and devices; that way, if a password is ever compromised it then cannot be used to gain access to other sensitive assets. Change your passwords often! An easy way to both generate secure passwords and to save them so you don't have to recall them from memory is to use a password manager. There are many of these secure options available for free or for a small fee for personal use.
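As an added example (not code from the original article or its author) of what "long, varied and unique" means in practice, the following Python script generates passwords that meet the policy described above using the `secrets` module (a cryptographically secure generator, unlike `random`), reports which policy rules a given password fails, estimates the entropy of a generated password, and flags passwords reused across accounts. The account list and the passwords in it are constructed sample data; the policy thresholds (12 characters minimum, four character classes) are assumptions chosen to illustrate the text.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Character classes the policy asks for: upper, lower, digits and specials.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 88 symbols in total


def generate_password(length: int = 20) -> str:
    """Return a random password with at least one character from each class.

    secrets.choice draws from the OS CSPRNG, so the result is unpredictable
    even if an attacker knows this generator is being used.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to include every class")
    # Guarantee one symbol per class, then fill the remainder from the full alphabet.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Shuffle so the guaranteed symbols do not sit in predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """Return the list of policy rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in UPPER for c in password):
        problems.append("no upper-case letter")
    if not any(c in LOWER for c in password):
        problems.append("no lower-case letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts that share a password.

    Keys are SHA-256 digests of the password so the report itself does not
    carry plaintext; values are the accounts sharing that password.  Only
    groups with more than one account are returned.
    """
    by_digest: Dict[str, List[str]] = defaultdict(list)
    for account, password in credentials.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(account)
    return {d: accounts for d, accounts in by_digest.items() if len(accounts) > 1}


# Constructed sample data: a small "vault" with one password reused across two accounts.
SAMPLE_CREDENTIALS = {
    "bank": "Summer2016!",
    "shopping": "Summer2016!",
    "forum": "hunter2",
    "email": "Q7#vLm2pX!9rTzWb",
}


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}  ({entropy_bits(20):.1f} bits of entropy)")
    for account, secret in SAMPLE_CREDENTIALS.items():
        failures = check_policy(secret) or ["ok"]
        print(f"{account:10s} {', '.join(failures)}")
    for accounts in find_reused_passwords(SAMPLE_CREDENTIALS).values():
        print("same password reused by:", ", ".join(accounts))
```

The entropy figure is the honest measure of what "strong" buys you: twenty symbols from an 88-character alphabet give roughly 129 bits, far beyond what an attacker can brute-force, whereas a memorable eight-letter lower-case word is under 38 bits. The reuse check is the part a password manager does for you automatically; here it shows why a single leak of `Summer2016!` would expose both the bank and the shopping account.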
3) Segregate user accounts and devices for family members
Mum or Dad's phone isn't an appropriate toy for a child when it comes to security. If their age permits, provide them with their own device. Choose one that doesn't require Wi-Fi when possible. When children want to play on Mum or Dad's laptop, create their own account for them to minimise any accidental release of sensitive information. Parents must monitor any device or online activity of their children when practising this rule to protect the privacy of the entire family. The same rule applies to teenagers, too!
4) Separate Wi-Fi networks for guests or kids
Deploy an additional Wi-Fi network for kids and guests that is separate from the one you use for financial and other personal transactions, including online shopping, banking, etc – basically, limit access to any network you use for your credit card information. This helps protect your most vulnerable assets should a password for that guest network ever be compromised.
5) Use separate email accounts for non-critical subscriptions or communications
Email addresses are harvested and sold on the black market as a commodity by malware authors with alarming regularity, generally resulting in spam email and email-based phishing or malware attacks. Don't pollute your most valuable email accounts with unnecessary shopping subscriptions or any non-critical accounts. Creating additional email accounts is trivial and these can easily be discarded if ever compromised or if marketers share your email address with other marketers.
6) Use device encryption
Most smart phones as well as PCs and laptops support disk or device encryption. If a phone or computer is lost or stolen, disk or device encryption will dramatically reduce the loss of private data. Typically, you enable encryption on your personal devices. For instance, on your iPhone and on newer versions of Android, encryption is on by default. But on other devices you may have to turn it on in settings. (On a personal note, I have picked up discarded computers from public dumpsters and performed forensics and data recovery on the hard drives. Disk encryption would have thwarted my abilities to recover sensitive data. Public waste disposal is not a good place for any hard drive.)
7) Encrypt documents containing sensitive information
Many of us collect our financial information and other sensitive data in spreadsheets or other such plain-text documents. Many modern documentation applications such as Microsoft Office and LibreOffice support document encryption. If a sensitive document is ever accidentally sent to the wrong address or if the laptop containing it is stolen, encrypting it will reduce the chances of your data being viewed or stolen. This step should be taken even when full-disk encryption is employed.
8) Favour SSL/HTTPS in all online browsing
Many websites offer non-encrypted (HTTP) and encrypted (SSL/HTTPS) access. Any site that you log in to, or use for shopping, financial, or banking transactions, should be encrypted. Most modern browsers will notify you that the site is secured by using a green lock icon or similar in the address (URL) bar. Sites which are not encrypted or have other security issues may be flagged as yellow or red. Know your browser and pay attention to whether a site you are visiting is encrypted. Google now uses SSL by default when you're using their search engine. There are also browser extensions you can install which will provide SSL encryption even for sites which do not officially support it.
9) Use online privacy apps for communications
Thankfully, more and more communications applications are being created which support encryption or offer other security features often unavailable in default applications. When using any application for text messages, email, or other personal communications, examine whether it supports encryption. Many secure applications are becoming quite popular as well, such as WhatsApp, Signal, and Tor (or the Tor Browser).
10) Use an alternate operating system
Many exploits will only successfully subvert one operating system (OS) or applications designed to run on that specific operating system. Malware authors typically are market driven and focus their resources on targeting the most popular OS and applications. If an application is available for multiple operating systems, a vulnerability in that application may not have the same repercussions across all operating systems it runs on.
Therefore, running an OS beyond the most popular (e.g. Windows or Apple iOS) such as OpenBSD, FreeBSD or Linux could reduce risk due to the fact that the bad guys generally target the larger market. This step may require more advanced technical skills, but it's a smart move if you are serious about protecting your privacy.
Encouraging personal security of staff has an obvious spin-off benefit in increasing the security of their employer directly, as well as indirectly by fostering a security-conscious mindset.
Contributed by Patrick Knight, security research architect, Cylance
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.