As is the case every year, Data Privacy Day rolls around and I come dangerously close to forgetting about it. This year, I was saved by Mauricio Prinzlau over at Cloudwards who reminded me to write something and gave me a useful article he wrote entitled “Data Privacy Day 2015: Top Experts Comment on Privacy Issues (+Infographic)” which I will use in this post and strongly recommend you read. To recap, however, last year I wrote a post about staying secure online and my personal security setup and published a PDF version. This year I intend to write a more general post about current security trends, some new tips to stay safe, and some nice infographics. As usual, I’ll see you after the jump!
Part 1. Introduction
As the Snowden leaks have aged and the NSA has faded from people’s minds (in favor of more trendy topics), data security is less of an issue, right? Of course not. Prominent politicians want to “permanently extend NSA mass surveillance”, links between cyber espionage and malware have been found, and, worst of all, the NSA knows my Angry Birds score! In all seriousness though, with potential reform coming and revelations about foreign spying coming out, the need to guard one’s privacy is even greater.
Before I really begin, however, I want to start this post the same way that I started the previous post, that is by telling about my subject position as well as a few disclaimers.
- The most obvious – I choose to share information about me on the designated page not because I do not know how to be secure, but because I am willing to share this much. I am also willing to stand by my convictions, thus I sign my name. That being said, incognito personas are fun and I maintain a few.
- There is rarely, if ever, total security. Someone wiser than I once said “a false sense of security is worse than being unsure”. The point of this post is to give you the tools to try to be secure.
- These are just the tools I use, if you want to complain, use the comments section or, as will be linked to throughout the post, read some other article.
- Finally, I am no expert in the academic sense of the word, rather, I am an enthusiast who wants to learn and share what he has learned. As such, don’t take my explanations with the same rigor as you would Jacob Appelbaum or Bruce Schneier.
Those being said, I think the best advice is to read this and do your own research.
Part 2. What’s Been Going On?
A lot has occurred over the past year and, to be honest, I haven’t kept a record of everything just because there’s so much. Almost everything from the guide a year ago still applies and is still relevant and works (I’ll reiterate a few things in a moment), but there has been one major change. For those fanboys paying attention, in May of 2014, my beloved TrueCrypt posted a cryptic message on their site out of the blue saying “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” (x) and then recommending users shift over to the notoriously bad Bitlocker. Despite the initial heartbreak associated with this post, I’ve rebounded and back in July, did some research and wrote a post called TrueCrypt Is Still Safe and I still stand by that. As will be reiterated below, industry experts have concluded that due to the auditing of TrueCrypt’s code, there is no reason to fear and something else must be going on.
Apart from the “demise” of TrueCrypt, there have been frantic claims that the NSA is building a super-mega-quantum computer that will crack all encryption forever. Nope. Not yet. If you use PGP or any other proven encryption methods successfully, you’re fine.
Additionally, as we all remember, Heartbleed was a serious issue a few months back that caused crisis amongst various web owners. For the average person, if you haven’t already dealt with the changing of passwords on previously vulnerable sites, LastPass has a useful tool to check which sites are unpatched. At this point, Heartbleed is functionally a non-issue, but if you wish to learn more you can read the post I wrote, Heartbleed Info, back in April explaining it.
UPDATE (after I finished writing this): As of early this morning it was revealed that “Ghost”, an exploit in the seemingly extremely secure OS foundation, Linux, could cause serious issues. While the information is still developing and I have no comments on solutions, there are patches in progress that ought to fix the issue soon.
Overall, while a lot of little changes have occurred, the big principles are still the same. That is, for those in the modern world, the principals of PC BAE still apply. Password managers, email Clients, Browser addons, Anonymity, and Encryption.
Part 3. Why Privacy Matters
I could go on a civil liberties rant and don my tinfoil hat, but I will let others speak more pragmatically. As Mauricio Prinzlau wrote:
The collection and dissemination of data through technology with the public expectation of privacy and the underlying personal, legal, and political implications are referred to as data privacy or data protection.
This concern will exist wherever personal, confidential, or other sensitive information is collected, stored,or shared―in the digitized world or otherwise. Privacy issues can derive from the improper or non-existent disclosure control of information. These data privacy and protection issues can arise due to various kinds of information. Some of these types are recognized below as:
Posting Information Online – With the growth of social networking, more and more people are posting their personal information, images, and videos online, which, if not monitored and protected through strict privacy controls, can be hacked by online goons for their selfish interests.
Various search engines enable users to collect personal data about individuals easily across multiple sources through proper data mining. Nearly everything is accessible online today, so only a controlled amount of information should be presented on portals and sites.According to an Identity Theft Report, approximately 15 million residents in the US are exposed to identity fraud activities each year, incurring financial losses of more than $50 billion. This is a clear example of why you need to be careful while posting your information online.
Medical Records – Three major categories of medical privacy include: informational (the control over personal information), physical (controlling the physical accessibility to others’ information), and psychological (the respect of doctors for patients’ cultural and religious beliefs, values, and feelings). Due to potential damage to their employment or insurance coverage, an individual may not be comfortable revealing their medical records to others. Medical records also will allow others to access a certain degree of patients’ personal information.
Financial Records -This is one of the most sensitive areas of information, which includes an individual’s financial transactions, amount of assets, stocks or funds, debts, and online purchases. Cyber criminals take great interest in these items, and gaining access to such information results in fraudulence and identity theft
Geographical Location – Location-tracking capabilities through mobile devices are increasingly used by this generation and lead to user privacy issues as well. By tracing mobile information, a lot of personal and professional data can be collected about an individual (x)
That’s far from all, though. Your search history taints what results you get when you do a web search, your history affects what ads you see, and insecure communication can lead to theft of passwords and other valuable information as well as, potentially, landing you on a “watchlist”. Or, if you’re like me, I think it’s just panoptic and creepy that an officer like this could see my browsing history or what I say to friends online (and all of this ignores the importance of pseudonymous communication in activism and identity politics ).
Part 4. What Can You Do?
PC BAE! Password managers, email Clients, Browser addons, Anonymity, and Encryption.
With the use of a password manager, you can randomize your passwords which is a good thing because, as we all remember from the post last year, DO NOT USE THE SAME PASSWORD FOR EVERY ACCOUNT. EVER. To bring back the analogy I used previously, using the same password is akin to the following scenario: “You install the same lock on your house, storage unit, car, and safe and you make one copy of the key. Now what happens if an adversary gets ahold of said key? They have access to your house, storage unit, car, and safe. Bam. Just don’t do it.”
The use of more secure web browsers or various addons that fight back against unwanted data collection (part 3) can help significantly. What’s more, you can use software that helps make you anonymous, or at least less noticeable, namely VPNs or TOR (part 6). I would, as I wrote previously, I would still recommend using Private Internet Access because it’s a cheap and very secure VPN that always works. Finally, encrypt everything! Although there are those that say TrueCrypt is gone, I argue that it is not. If you read the post I wrote here, I compile multiple different sources and security experts looking at the code, analyzing what happened, etc. and they all come to the conclusion that TrueCrypt is still safe. (If you don’t want to trust that, there are these alternatives too)
Additionally, there are useful internet tools to check the uniqueness of your browser set up, tools to test and fix browser leaks, and IP testers that you can use to see where your physical location is being reported as. What’s more, staysafeonline.org has plenty of resources to check and fix security issues right here.
If you want to download the old, audited and shown to be safe, TrueCypt files, I am hosting them and you can verify the TrueCrypt 7.1a hashes here.
TrueCrypt v7.1a installation packages:
- TrueCrypt Setup 7.1a.exe (Windows 32/64bit)
- TrueCrypt 7.1a Mac OS X.dmg
- TrueCrypt 7.1a-linux-x64.tar.gz
- TrueCrypt 7.1a-linux-x86.tar.gz
- TrueCrypt 7.1a-linux-console-x64.tar.gz
- TrueCrypt 7.1a-linux-console-x86.tar.gz
Again, considering all the information is functionally the same, I suggest reading my post from last year / reading the PDF version called “Introduction to Security Systems” because it contains over 32 pages of fleshed out, sourced and explained information and how-to guides (!!) on the PC BAEs.
As always, if you have questions, comments, criticism, or hate mail, you can email me at: piotr.heft@gmail.com and you can use my public PGP key:http://pastebin.com/VgmySYNh
At the end of the day, however, remember this: the internet is only as safe as you make it… and happy Data Privacy Day!
Part 5. Infographic
For those less textually inclined, what follows is a very useful infographic that ought to help/explain the above.
Hehe, that picture of the condom was pretty funny.