A Quick Guide to Online Privacy
As governments around the globe roll out COVID-19 contact tracing solutions, there will undoubtedly be growing concerns about how our data is handled during the pandemic and beyond. In Thailand, the government released a check-in app back in May that faced initial backlash over vague Terms & Conditions about how our data could be used and with whom it might be shared. Singapore’s TraceTogether contact tracing app has been cited as a good approach to a privacy-preserving solution. However, concerns were raised again when the government announced its bespoke “TraceTogether Token” wearable last month, after the app was shown to not work well on iOS devices.
Pragmatically speaking, getting the virus under control and a quicker return to a “new normal” will mean less encroachment on civil liberties in the long run. But if the wider public distrusts these technologies and refuses to use them, the overall effectiveness of any approach is greatly reduced.
While privacy-preserving contact tracing is a whole other beast, this issue inspired me to think about how I can improve my online privacy in general. The preliminary research was so eye-opening that I decided to give a workshop on Online Privacy earlier this month. This article is a write-up of that presentation and is worth a read if you:
Use social media
Shop online
Use public wifi
Use social logins to sign up for new products or services
Use one email address to sign up for everything
Reuse passwords
Have an online presence in general…
The recent Twitter hack is the latest reminder that even top companies with the best security teams are not immune to bad actors and data breaches, so why let them handle our sensitive data when we don’t need to?
You don't need to have skeletons in your closet to start caring about online privacy. It isn't about having something to hide; it is about having things that are worth protecting. Information about where you live, your phone number, and your Social Security or ID number are things you probably don't want to give over easily or leave out there for anyone to find.
This guide won’t turn you into Edward Snowden, but it should be enough to help you up your privacy game today with little to no cost. It will help you identify vulnerabilities in your current digital footprint and give you a cautious mindset along with useful tools that will help protect your privacy. We will be going over a general framework for OPerational SECurity (OPSEC). The term originates from the military and refers to strategies used to deny an adversary information that could compromise the secrecy or security of a mission. The framework is:
Identify - Analyze - Deny
First, we get a high-level view of the information about ourselves that we put out there, that others posted, or that leaked in a data breach (IDENTIFY)
Then, we categorize this information and prioritize which items to put security measures on first (ANALYZE)
Lastly, we’ll look at strategies to deter attackers from exploiting our information (DENY)
Without further ado, let’s get started!
1. 🔎 Identify
The first step is to see what information about us might be out there that shouldn't be public. The goal here is to build a picture of our own digital footprint 👣
This discovery process is done using what the cool kids call Open Source INTelligence (OSINT), which refers to collecting data from publicly available sources to be used in an intelligence context. This is data that can be found via search, public social accounts, media appearances, photos tagged by friends... You will be surprised at the amount of information someone can obtain about you just by surfing the internet, without writing a line of code. Take note of everything you find. As we shall see, it isn’t any single piece of information that compromises our privacy, it’s the accumulated data from multiple places. So, start stalking yourself!
Search Engines
It's amazing what you can find with boolean search and operators like inurl:"your name" or filetype:doc intext:"your name" (no space after the colon, and the file extension without a dot). Recruiters often play around with search strings like these to find resumes:
("Machine Learning Engineer" AND "San Francisco") filetype:pdf
Instead of limiting yourself to one search engine, you can use aggregators ("meta-search engines") like All The Internet. When I experimented with this, I found a phone book website that had my full name, age, and my old phone number and old college address. The directory for that address also contained names, phone numbers, and home addresses of people who lived with me at the time and even their immediate relatives. We wonder how telemarketers get our number and how paper ads end up in our mailboxes, and this is one of the ways. A company's server gets breached, our data gets sold to these people-finder sites, who then sell our private information to advertisers.
Images
Use reverse image search services like TinEye or Berify to see if a photo of you is being used for a profile you didn’t create. I reverse searched my LinkedIn photo on Yandex and it turns out my LinkedIn information had been scraped for a site called ConferenceCast. That is relatively harmless compared with what can happen: scammers often use strangers' photos on dating sites…
If you have a large online presence, particularly photos that either you posted yourself or friends/relatives have posted of you, it might be worth having a look at what you might want to take down. A lot of people now think twice about what they post online because potential employers check for embarrassing posts, but the harmless-looking posts might also contain sensitive information that can be used for more sinister purposes. When looking through your photos, check whether what's in the background might be sensitive information:
Does it reveal where you or your relatives live?
Are there keys that could be 3D printed?
Wi-fi password or company logins written somewhere visible?
Timetables that tell everyone where you’ll be, and when?
Employee/Student IDs with your full name and ID # visible?
License plate?
The last two examples are common posts that people make to celebrate a new job or a new car. While it’s fine to share happy news with your friends, there’s no need for them to know your license plate or ID number, so blank these things out before posting! I found the examples below by searching “finally got my ID” on Twitter and #newcar on Instagram.
Data Dumps
See where your information has been exposed in data dumps from third-party services and applications that have been breached. Have I Been Pwned is a good tool for this. You simply put in your email address and it lists the breached websites where some of your data was exposed. Prioritize these when changing your passwords. Note that it can only report breaches that have been loaded into it, so a clean result is not proof that your data has never leaked.
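Have I Been Pwned also lets you check individual passwords against its breach corpus without ever sending the password itself: you send only the first five hex characters of its SHA-1 hash and compare the returned suffixes locally (its "k-anonymity" range API). The following is an added example, not code from the original article or from Have I Been Pwned; the endpoint and the `SUFFIX:COUNT` response format are the real API, but the sample response below is constructed so the check runs offline.

```python
"""Check a password against HIBP's Pwned Passwords range API using
k-anonymity: only the first 5 hex chars of SHA-1(password) are sent.

Added example, not code from the original article. The endpoint
https://api.pwnedpasswords.com/range/<prefix> and its response format
("<35-hex-suffix>:<count>" per line) are the real HIBP API; the sample
response below is constructed so the check runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent to the
    service and the 35-char suffix that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; skip blank/malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:
            continue
        try:
            counts[suffix] = int(count.strip())
        except ValueError:
            continue
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the breach corpus (0 = not found).
    `fetch_range(prefix)` returns the text body of the range endpoint for a
    5-char prefix; the password and its full hash never leave this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real network fetcher; only used if you call it yourself."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "opsec-guide-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response: the real suffix of SHA-1("password123") with a
# made-up count, plus two placeholder suffixes, formatted like the API's reply.
_PREFIX_P123, _SUFFIX_P123 = sha1_prefix_suffix("password123")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",    # placeholder suffix
    f"{_SUFFIX_P123}:126927",                   # constructed count
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",    # placeholder suffix
])


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API that only 'knows' one prefix."""
    return SAMPLE_RESPONSE if prefix == _PREFIX_P123 else ""


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple xyz"):
        print(pw, "->", pwned_count(pw, offline_fetch_range), "breach hits")
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; a count above zero means the password has appeared in a breach and should never be used again, regardless of how strong it looks.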
2. 👁 Analyze
Now that you have a pile of information that anyone with internet surfing abilities can find, you can categorize it by confidentiality so you can start prioritizing what security measures to put in first. The goal is to understand how an attacker might gain access to data they can later use against you, or gain insight into your movements. Conduct a risk assessment by asking questions like:
Should this information be public or private?
How might this information compromise me?
When was this data posted?
How would I know if this information has been used to compromise me?
Why would someone want to compromise me?
Think like an adversary
If you were targeting yourself, how might you use this information and why?
Categorize the information that is sensitive, identifies you, could be used to compromise your accounts, or would allow an adversary to build a profile on you. Prioritize the most important information you want to prevent from being compromised.
3. 🙅🏻♀️ Deny
Now that you have identified the vulnerable spots in your digital footprint and prioritized the most important information, it's time to either 1. do active OPSEC to clean it up or 2. set up preventative measures. The goal for this last stage is to make it harder to obtain information about you or compromise your accounts.
In order to understand the security loopholes that are out there, and thus the importance of preventative measures we can take, let's have a look at some notable attacks and see how they could have been prevented.
Vulnerability: Linked Accounts
In 2012, journalist Mat Honan had his Gmail, iCloud, and Amazon accounts compromised and his iPhone, iPad, and MacBook data erased. The hacker's goal? To grab Mat's three-letter Twitter handle and troll the account because the hacker simply liked the username.
Here's the rundown of how the hacker accomplished this simply using OSINT and some social engineering with customer service reps:
The hacker found his billing address by doing a WHOIS lookup on his personal website, which was listed on his public Twitter profile. He then gave Mat’s real billing address to an Amazon support rep and asked to add a new credit card to the account. Once this succeeded, the hacker hung up and called Amazon support a second time (reaching a different rep), saying he had lost access to the account. The support rep asked for his billing address and credit card information. The hacker provided the card number he had added to the account in the prior call. That was enough for the support rep to let the hacker into Amazon.
After getting into Honan’s Amazon account, the hacker could see the last 4 digits of Honan's real credit card. That was enough to give an Apple customer service rep to gain access to Honan's iCloud account, which happened to be the recovery address for his Gmail. From his Gmail, the hacker was able to get onto Honan's Twitter.
The takeaway is that companies are all over the map when it comes to account recovery procedures. Because of this, attackers can take advantage of where these procedures overlap to gain access to your accounts without writing a single line of code: one piece of data that a company treats as harmless to display (the last 4 digits of a card) is exactly what another company accepts as proof of identity. As we saw above, one form of attack is to play different account password resets off each other. This attack could have been prevented if Honan had used two-factor authentication (2FA) on his Google account, used WHOIS privacy on his domain registration so the billing address wasn't public, or used different bank cards for different purposes.
An effective way to prevent this sort of attack is to compartmentalize your data and break the links between different types of activity, so that if one account gets hacked, the damage is contained. If your only Gmail address is used for social accounts, subscriptions, banking, and online shopping, that Gmail account becomes a single point of failure: an attacker only has to gain access to this one account to get access to everything else.
To get an idea of how much trust you are putting into one company’s security team, count how many of one provider's products and services you use day to day. If your “main email” were compromised, how many other accounts would fall along with it?
Mitigate this risk by having multiple email addresses for different purposes: one for banking and finances, one for socials, one for shopping, one for gaming, and throwaways for one-off services like questionnaires that require an email address to send the results to. For each of these accounts, generate unique, strong passwords using a password manager like 1Password, KeePass or LastPass. This way, the damage is contained should any one of these accounts become compromised.
Vulnerability: using real information for security questions
Another low hanging fruit for attackers is guessing answers to weak security questions. It’s incredible that some companies are still using this method as an account recovery procedure. Given the amount of information that you can piece together by stalking yourself in the OSINT step, it is relatively straightforward nowadays to find things like your mother’s maiden name, city you were born in, name of your first pet etc.
When Paris Hilton’s T-Mobile Sidekick was hacked in the mid-2000s, the hacker only had to check online and the tabloids for her dog’s name to get the answer to the security question on her T-Mobile account (it was Tinkerbell). Sarah Palin’s Yahoo account was targeted and hacked the same way in 2008.
To mitigate this problem, generate and store random strings as the answers to security questions using a password manager. Treat the answer as a second password: it does not need to be true, it needs to be unguessable.
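Any password manager will generate these for you, but it is worth seeing what "random" has to mean here. The following is an added example, not code from the original article or from any password manager; it uses Python's `secrets` module (the `random` module is not suitable for credentials) and a small constructed word list for the passphrase variant, where a real list would have several thousand entries.

```python
"""Generate random passwords, passphrases and security-question answers,
and report their entropy.

Added example, not from the original article or any password manager.
Uses only Python's `secrets` module; the word list is a constructed sample.
"""
import math
import secrets
import string

# Drop characters that are easily mis-read or rejected by some forms.
AMBIGUOUS = set("0O1lI|`'\"\\")
SAFE_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
DEFAULT_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + SAFE_SYMBOLS
    if c not in AMBIGUOUS
)

# Constructed sample word list (16 words); a real one has thousands.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pepper",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password; secrets.choice avoids modulo bias."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two alphabet symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to read out to a support rep than a
    random string, with entropy words * log2(len(wordlist))."""
    if words < 1 or len(wordlist) < 2:
        raise ValueError("need words >= 1 and at least two list entries")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_security_answer(length: int = 16) -> str:
    """Random 'answer' for questions like "mother's maiden name". Lowercase
    letters and digits only, since many forms reject symbols in these fields.
    Store it in the password manager next to the question."""
    return generate_password(length, string.ascii_lowercase + string.digits)


def strength(alphabet_size: int, length: int, guesses_per_second: float = 1e10) -> dict:
    """Entropy in bits and expected years to search half the keyspace at an
    assumed offline guess rate (the rate is a constructed figure for comparison)."""
    bits = entropy_bits(alphabet_size, length)
    seconds = (2 ** bits / 2) / guesses_per_second
    return {"bits": round(bits, 1), "years_to_crack": seconds / (365.25 * 24 * 3600)}


if __name__ == "__main__":
    print("password  :", generate_password(), strength(len(DEFAULT_ALPHABET), 24))
    print("passphrase:", generate_passphrase(), strength(len(SAMPLE_WORDS), 6))
    print("answer    :", generate_security_answer(), strength(36, 16))
```

The entropy figures make the trade-off explicit: six words from a 16-word sample list give only 24 bits, which is why real passphrase lists are thousands of words long, while 16 random alphanumerics already exceed 80 bits, far beyond any "real" answer an attacker could find with OSINT.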
Be wary of OAuth and Social Logins
One-click logins are convenient. But if your social account gets compromised, attackers gain all sorts of data and abilities on linked third-party apps, for example: tracking your Uber trips, getting your passport information from Expedia, or sending and reading your Tinder messages.
Common social logins are Facebook, Google, Twitter, and GitHub. All of these services have a permissions page where you can check which third-party apps have access to your information. Remove permissions for the ones you don’t use anymore.
For Facebook, this is under Settings → Apps and Websites; for Google, under Security → Third-party apps with account access (you need to be logged into these services to reach the pages).
Public Wifi
Attackers often create fake wifi hotspots named like the airport, mall, or cafe free wifi. Instead of guessing which network to connect to, ask an employee for the network name. Bear in mind that an attacker can also clone the legitimate name, so the network name alone is no guarantee that you are talking to the real access point.
Avoid logging into sensitive accounts while on public wifi, and if you really have to, use a VPN like NordVPN or ExpressVPN, and make sure the sites you use are served over HTTPS (the padlock in the address bar) so that the hotspot operator cannot read or alter the traffic.
Third-Party App Permissions
Take the time to customize what information the app gets access to. If an app doesn't have to know your location or gain access to microphone/camera, there's no reason to give it permission to. Permit location sharing only if you are sure and only while you need to share location.
New & Old Devices
When buying a new phone, tablet, laptop etc., store employees tend to quickly accept permissions to get your accounts set up on your new device. It's OK to slow them down to make sure you know and are OK with what the store person is doing.
Do software updates right away if applicable because there might have been security patches from the time your device came out of the factory and when you take it home.
When selling, discarding or trading in an old device, be sure to wipe it completely before parting ways with it. Make sure device encryption was turned on before you do the factory reset; a reset of an unencrypted device can leave recoverable data behind. There are third-party resellers who take advantage of data that remains on trade-in phones, and this could be used to compromise your privacy.
Recap & Other Good Practices
Use a password manager to generate unique, strong passwords and security question answers for each account. Don't reuse passwords and don’t use real information for security questions!
Use a virtual private network (VPN), especially when using public wifi
Turn on two-factor authentication (2FA) wherever possible
Use a webcam cover for your laptop
Use privacy screen protectors for devices and disable lockscreen notifications
Ensure that email addresses for social accounts are hidden
Use burner phones or VoIP numbers instead of giving out your real phone number
Use pseudonyms instead of your real name/full name
Don’t use your real date of birth if you don’t have to, and avoid putting your year of birth as part of your username/email/password
Use privacy-preserving alternatives for common activities such as email, browsing, search, and messaging…
Now that you’ve made it more difficult for an attacker to compromise you, you might want to implement additional countermeasures that feed them bogus information or alert you when something has been breached. This means going one step further and planting decoys (honeytokens) as a sort of flytrap.
Canary tokens are unique, unguessable identifiers (a URL, a DNS name, a credential) embedded in files or applications. If someone snoops around in there and the file is opened, the identifier is fetched from a server you control, an alert is triggered and you are notified. So you can create a fake document named something like “bank_statement.pdf”, send it to yourself in an email or leave it on your computer, and if it gets opened by someone other than you, you’ll know to take care of that account! One caveat: the token only fires if the viewer actually fetches the remote resource, and some document viewers and mail clients block remote content, so a canary that never trips is not proof that nobody looked.
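To make the mechanism concrete, here is a minimal self-hosted canary: a random token is registered against the place the decoy was planted, embedded as a beacon image URL in a decoy document, and a tiny web server maps any fetch of that URL back to the decoy and reports where it came from. This is an added example, not code from the original article or from the Canarytokens service; the hostname `canary.example.invalid`, the `/t/<token>.gif` path and the sample request are all constructed for illustration.

```python
"""Minimal self-hosted canary token: an unguessable beacon URL planted in a
decoy document; fetching it ties the hit back to the decoy and raises an alert.

Added example, not from the original article or the Canarytokens service.
BEACON_HOST, the /t/<token>.gif path scheme and all sample data are assumptions.
"""
import datetime
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

BEACON_HOST = "https://canary.example.invalid"   # assumption: a server you control

REGISTRY: Dict[str, dict] = {}   # token -> where the decoy was planted
ALERTS: List[dict] = []          # hits against registered tokens


def create_token(label: str, planted_in: str) -> str:
    """128-bit random token, so it cannot be guessed or enumerated."""
    token = secrets.token_urlsafe(16)
    REGISTRY[token] = {"label": label, "planted_in": planted_in}
    return token


def beacon_url(token: str) -> str:
    return f"{BEACON_HOST}/t/{token}.gif"


def decoy_html(token: str, title: str = "Bank statement") -> str:
    """Decoy page whose only remote resource is the 1x1 beacon image.
    Viewers that block remote content will not trip it (the main caveat)."""
    return (f"<html><head><title>{title}</title></head><body>"
            f"<h1>{title}</h1><p>Statement period: redacted</p>"
            f'<img src="{beacon_url(token)}" width="1" height="1" alt="">'
            "</body></html>")


def record_hit(path: str, client_ip: str, user_agent: str,
               when: Optional[datetime.datetime] = None) -> Optional[dict]:
    """Map a request path back to its token; return an alert, or None for noise
    (unknown tokens are scanner traffic, not a tripped canary)."""
    if not (path.startswith("/t/") and path.endswith(".gif")):
        return None
    token = path[len("/t/"):-len(".gif")]
    meta = REGISTRY.get(token)
    if meta is None:
        return None
    alert = {
        "token": token, "label": meta["label"], "planted_in": meta["planted_in"],
        "ip": client_ip, "user_agent": user_agent,
        "time": (when or datetime.datetime.now(datetime.timezone.utc)).isoformat(),
    }
    ALERTS.append(alert)
    return alert


class BeaconHandler(BaseHTTPRequestHandler):
    """Server side: always answer with a transparent 1x1 GIF so the viewer sees
    nothing unusual, and log hits that match a registered token."""
    _GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
            b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

    def do_GET(self):
        alert = record_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        if alert:
            print("CANARY TRIPPED:", alert)   # swap for email/push in practice
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(self._GIF)))
        self.end_headers()
        self.wfile.write(self._GIF)


if __name__ == "__main__":
    t = create_token("bank_statement decoy", "Gmail inbox")
    print(decoy_html(t))          # save this as the decoy, then plant it
    HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

Because the token is the only thing that links a hit to a decoy, one token per decoy tells you which account or device was rummaged through; the source IP and User-Agent in the alert are a bonus, not something to rely on, since both are trivially spoofed or proxied.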
Lastly, see if you have ways to delete public information that you've decided should actually be private and act on it. If the information has already made its way into the Internet archive there is unfortunately no straightforward way to remove it, best you can do is be aware that it’s there and manage the risk. For the deletable information: If there are accounts you no longer use, delete them (better than deactivation). You can also manually delete or mask sensitive information or submit an information removal request to the site. If you’re in the EU, you can enact your right to be forgotten under the GDPR.
One surprising piece of advice I found is that if someone does manage to hack and embarrass you or troll your social media somehow, you shouldn’t go dark and cut off your online activity. Continuing to leave a healthy digital footprint actually helps drown out whatever the trolls might be doing. Hopefully you never have to go through this because you have taken the time to take preventative measures from the start.
Parting thoughts
Many of the tools mentioned above would only take an hour or so to set up. As we have seen, security breaches sometimes don't involve sophisticated programming tricks at all. Rather, the attacker exploits loopholes in things like account recovery procedures and social engineering. Even foundational protective measures like the ones mentioned here can save you a lot of pain and money from these types of exploits.
When it comes to black-hat hacking (criminals trying to steal money or information), the reality is that it's an arms race between bad actors and the companies providing you products and services. As companies improve their security measures, criminals come up with yet more creative techniques to get into private servers, and on it goes. OPSEC isn’t something you can start and finish in a weekend; it is a continuous process, a general awareness and a cautious mindset to keep whenever you sign up for products or services.
In deciding which measures to implement and comparing the tools available, you will find that the tradeoff is between security and convenience. It might feel awkward at first not to know any of your passwords because they are random strings stored in your password manager, but eventually generating and storing passwords this way becomes second nature. Taking the time to compartmentalize (one email, one use case), generate throwaway emails, customize app permissions, and be more conservative about what information you share pays off in protecting your private information, finances, real-time location, messaging history and much more. This is only the tip of the iceberg! For steps beyond this, I recommend A Modest Privacy Protection Proposal and How to Be Invisible.
That’s all for now, hope you find this useful! Please leave a comment if you have additional tips or find any errors, and pass it along to friends and relatives who still keep all their passwords unencrypted in a Notes app. Cheers 🥃
BTC: 3JaB3nHHfvWZVsnfHSNRepc8xAKubLSkZR
ETH: nich.eth
Further Reading & Resources
Why OPSEC is for Everyone Part 1 | Part 2 | Part 3 - Stuart Peck
What is OPSEC? (Reddit post)
How to Be Invisible - JJ Luna
How Apple and Amazon Security Flaws Led to My Epic Hacking - Mat Honan
Cover image courtesy Lianhao Qu via Unsplash