Security Tips for the Home User (a work in progress)
Intro
This guide will eventually be reworded and serialized to be more easily digestible. Right now, it’s mostly a brain dump…
After the most recent Facebook breach a week and a half ago, it occurred to me that I, as an IT professional, find it difficult to keep up with today’s security challenges; do non-IT professionals even try anymore?
https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
Here’s an article has some great first step if you were affected by the Facebook or any breach.
https://www.consumer.ftc.gov/blog/2018/10/facebook-breach-what-do-next
§
Setting Expectations
This is not meant to be a definitive, security guide. I would question anything that claims to be a definitive, security guide. Best practices can change on a moment to moment basis. Today’s most safe service could become tomorrow’s embarrassment. The important thing is to have reliable information sources to keep up-to-date.
Also, you shouldn’t take me or anyone else on the internet on face value. Vet all sources.
A useful truism to remember is that the more convenient something is, the less secure it is.
Think of it this way: A door with deadbolts, braces, jams, security bars, and a bracket will take longer to open than an unlocked door; however, which one is more secure?
§
Stay Informed
Find reliable sources and periodically check in with them. If your source is a person, reach out to them; do not wait for them to reach out to you.
I read a few news sources and am involved with some communities that share info. If I tried to tell every non-IT person I know about each and every vulnerability I read about, no one would want to talk to me anymore. And, frankly, many of vulnerabilities are resolved within a few days anyway. If you check in with your source, s/he will be able to give you summaries of things that are still issues versus the ones that have been fixed already.
§
Secure Your Devices
I use Symantec because I get a license through work.
https://en.wikipedia.org/wiki/Symantec_Endpoint_Protection
You can take every precaution in the world, but if your device is compromised, everything you do on that device is compromised.
I put anti-virus and anti-malware software on every device I can. We all know Windows computers get viruses, but Macs and Android devices are also vulnerable.
Yes, Macs are vulnerable. I was working in a Mac-shop when MacKeeper hit.
https://en.wikipedia.org/wiki/MacKeeper#Lawsuits
Because nothing had yet been documented, it sent me and my co-workers scrambling and reaching out to all of our contacts for answers. Unfortunately for us, those same contacts had reached back to us asking for help.
Androids are vulnerable too. I was setting up a new Android phone installing apps when my anti-virus software alerted me that I had installed an virus pretending to be an Adobe app.
§
Run Updates But Don’t Run Them Too Aggressively…
Unless you are a masochist, don’t run updates the day they’re released. Unless, there are credible warnings to update ASAP, let everyone else test the update for you.
A faulty update can break critical apps or even introduce security holes.
Tech moves at an unnatural pace. That means sometimes an update that tests perfectly on a software developer’s top-of-the-line computer with nothing but their software installed will take your computer with a cornucopia of apps and transform it into a $2,000 brick.
Give it a couple of days. See if the developer pulls the update from distribution. Do a quick search for anything breaking your critical applications.
(An aside for other IT professionals. it was not my choice for these computers to be unmanaged.)
Here’s an example: I helped a person who did a lot of fundraising. That person had more contact lists than I have contacts. Microsoft released an update for Office for Mac that disabled address lists. Suddenly, there was no way to communicate with any of donors. Had the updated been delayed just a few days, my agency wouldn’t have had to issue an invoice for me downgrading Office and rebuilding the contact lists.
Here’s another example, I worked in a company whose administrators had Windows updates installed without delay. One day, we came into the office to find that any computer who had received that Tuesday night’s updates would not boot. So the support staff had to go to each computer and manually uninstall the damaged update. If the update had been delayed even 12 hours, it would have saved hundreds of hours lost due to downtime.
A final example just so you don’t think I’m blaming Microsoft for everything. Apple’s High Sierra update made some Macs unusable. Now, there’s a chance there was something wrong on the computers to begin with, but the update took those unnoticeable problems and made them critical. In some cases the only way to fix the issues was to backup the data and reformat the computer. One of the users I support installed the update before a fixed update was released.
https://www.macrumors.com/2017/09/18/apple-files-system-no-fusion-drive-support/
§
Don’t Run As Admin
Typically, I use two users. My main user is a standard, non-admin account. I use the admin login as needed. This helps block malware and viruses.
Further, I like to give my usernames generic titles like STANDARD and ADMIN since there are ways to detect or accidentally disclose that info.
An example is when I see a print out someone has left somewhere in the world and the header or footer reads something akin to c:/users/[your name]/downloads… No need to make it easy for others.
If you’re particularly paranoid, there are ways to make it so your admin account doesn’t have network or internet access. I’ll have to circle back to document that properly here.
§
Passwords & Password Managers
Start using a respectable password manager.
https://en.wikipedia.org/wiki/Password_manager
No, a note on your phone is not secure. You may as well put your password on a post-it note and put it on your keyboard.
You should never use a password with more than one site or app. If that site or app becomes compromised, That password is no longer good for you to use anywhere.
My password manager has over 1,000 distinct logins. I cannot hope to ever memorize them all. I use a password manager to remember them for me. Because its memory is so much better than mine, as long as a service allows it, I default to 24 random characters.
A few years ago, my workplace vetted multiple password managers and two came out on top.
https://en.wikipedia.org/wiki/1Password
https://en.wikipedia.org/wiki/LastPass
Word to the wise, not all password managers are safe. Those are the two that I trust and recommend, but you should do your own research too. If you’re balking at the cost, get a family plan and split it with your family and/or friends.
I would be remiss if I didn’t tell you that there are a number of respectable, security experts who denigrate password managers with good reason.
https://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
The alternative is to have a notebook that you physically secure. Of course, having one notebook that you carry with you becomes a different kind of security risk. Having notebooks that you keep in several locations becomes another risk.
§
Secure Your Sensitive Info
You know what the best way to keep your info safe? Don’t give it out.
Years ago a friend asked me the best way to make sure Facebook didn’t give out his work cell phone number. I said, “Don’t enter it.”
When you have to enter info, use fake information: incorrect birthdates, fake answers for security questions, etc. For example, when a site asks, “Where was your first job?” enter, “water bling rocket mocha”.
Very important: Make sure you document that bogus information or else you will be in world of hurt.
The problem with entering in true information is that real information is too easily researched.
https://en.wikipedia.org/wiki/Sarah_Palin_email_hack
I also recommend entering answers you won’t be embarrassed to tell the customer support rep later…
§
Multi-Factor Authentication
Setup multi-factor wherever possible.
https://en.wikipedia.org/wiki/Multi-factor_authentication
I prefer to not use SMS for multi-factor for several reasons.
SMS is not secure.
https://en.wikipedia.org/wiki/SMS_spoofing
Some of my family live and travel abroad and will not necessarily be able to receive US-based SMS.
I’ve been told a first-hand account of a hacker successfully convincing the victim’s carrier to transfer the victim’s cell service to the hacker’s SIM. There are ways to lock the account, but this apparently did not stop the hacker.
Leverage an offline authenticator app that securely synchronizes data in case the device is stolen.
https://www.pcworld.com/article/3107644/security/microsoft-rolls-out-a-new-authenticator-app-for-android-and-ios-makes-2fa-simpler.html
https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/
There are some services that require some sort of SMS multi-factor. I’ll need to do further research on Skype’s encrypted messaging to see if it’s a viable workaround.
https://support.skype.com/en/faq/FA31/does-skype-use-encryption
Admittedly, Skype’s encryption is somewhat moot. If the sender sends data unencrypted, that data is vulnerable until it’s encrypted. If someone is able to get in between the sender and Skype, it’s game over.
§
Cellphone Service
Speaking of carrier vulnerability, at the very least, lock your account with a PIN. I mean, it’s not much, but let’s all try to make it just a little annoying for an attacker.
https://www.macworld.com/article/3082626/security/your-cell-phone-number-could-be-hijacked-unless-you-add-a-pin-to-your-carrier-account.html
§
Biometrics
Turn off biometrics… fingerprint, facial recognition, etc. You cannot reset your fingers or your face after the inevitable breach.
https://www.opm.gov/news/releases/2015/09/cyber-statement-923
§
Email & Messaging
I don’t have a good answer suitable for a normal person yet.
All of the good answers I have make me sound like I’m wearing face paint and dressing like a Fifth Element extra
https://io9.gizmodo.com/how-fashion-can-be-used-to-thwart-facial-recognition-te-1495648863
With very few exceptions, when it comes to privacy and security, your email provider sucks.
I know that’s a pretty big umbrella. So I’ll walk it back a bit. It takes a lot of money to run a large email service.
Basic and overly simplified costs for hosting email:
Hard drive after hard drive in computer after computer to store all your old emails with photos and videos (which I’ll just refer to as our data from now on).
Data center after data center to host redundant computer after computer so you never loose any of our data.
Massive networks through which massive amounts of internet bandwidth will flow so you can quickly access our data.
Amazing software to balance all the requests for photos and videos you and each of its customers make at the same time 24 hours a day 7 days a week for our data.
Amazing server and network operations engineers who maintain all of those servers and networks to make sure all of that runs without interruption 99.999% of the time OR an allowed 5 min 15.6 seconds of downtime per year where we can’t access our data.
The salaries of the army of amazing software engineers who are designing and maintaining the back-end software that manages all of our data and the requests for access to our data.
If the company uses it’s own email application (web-based like Gmail or device based like Outlook), another army of software engineers who build the front-end email applications that we use to request our data.
The salaries of the army of people-orientated, customer-service representatives who we, as consumers, expect to be experts even thought they’ve probably never even gotten to talk to any of the engineers who design and maintain all that stuff so that we can access our data.
The salaries of all the administrative staff who manages and supports those engineers and reps who need to make sure we, the consumers, the end-users are happy and not complaint tweeting while also being beholden to the company’s investors.
[Takes a breath.]
Given all that, how do any of us think that any email is free?
A: It’s not. We just don’t see the price we’re paying.
Those companies scan our data so that it can serve us targeted ads.
https://www.theverge.com/2018/8/28/17792522/yahoo-mail-email-scan-data-advertisers-opt-out
They build profiles of us so they can charge advertisers more because they’ve built demographic profiles of us.
https://adssettings.google.com/authenticated?hl=en
If you’d like to dive into some research, check out this site:
https://thatoneprivacysite.net/email-section/
Also, if you think this surveillance is limited to online-only companies, you are excessively wrong.
https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html
… Oh, I was meant to talk about messaging in this section. :\ I’ll have to return to that.
§
Double-Check Your Accounts For Who & What You’ve Given Access
It can get kind of freaky how many sites retain access…
https://www.paypal.com/cgi-bin/webscr?cmd=_manage-paylist
https://myaccount.google.com/security-checkup/3
https://www.facebook.com/settings?tab=applications
https://twitter.com/settings/sessions
https://www.instagram.com/accounts/manage_access/
https://www.pinterest.com/settings/#socialNetworks
https://www.linkedin.com/psettings/permitted-services
§
How Are Sites Selling Your Data To Sell Advertisers Ads Directed At You?
...because if the service is free, they will need another way to make money off of you...
§
Notifications
Check if each family member’s financial institutions have mobile apps that have notifications. I’ve set all of the financial apps I use to notify me of any and all account changes including all deposits and withdrawals. By financial institutions, I mean checking/savings banks, retirement services, credit card issuers, PayPal, Venmo, LevelUp, Google Pay, Apple Pay, etc.
§
Secondary Accounts
For apps and online services that leverage either Google, Facebook, or Twitter for login credentials, setup secondary Google, Facebook, and/or Twitter accounts.
§
Secure Existing Data
I need to find a consumer analog of Spirion (formerly Identity Finder) to scan my family’s devices…
https://alternativeto.net/software/spirion/
Basically, the idea is to scan your devices to see if you have sensitive information (bank routing numbers, credit card numbers, SSNs, etc.) unencrypted on your computer. Then, delete them.
§
Investigate Which Sites Track You & Share Your Data
Review and stop tracking on various services, for example:
https://myactivity.google.com/myactivity
https://myactivity.google.com/more-activity
Also review data that’s already been shared, such as:
https://www.facebook.com/help/1873665312923476
§
Internet Search Yourself
See what I can find online so I can help remove what needs to be removed.
1Password leverages and integrates the site Have I Been Pwned to help determine if an account is vulnerable. On its home page, you can enter in your email addresses to see if they were part of any previous breaches.
https://haveibeenpwned.com/
Have I Been Pwned will even notify you when your email address shows up in a future breach.
https://haveibeenpwned.com/NotifyMe
§
VPN
This is a short version. I’ll need to take a few hours to write out the detailed version.
Bottom line at the top: For the average home user, I believe you should use a reliable VPN whenever you use an internet service you have not directly purchased. Services I would classify as generally safe are your home internet service that you are renting from a carrier (companies like Comcast, Verizon, Time Warner, etc.) or from a cellular company (AT&T, T-Mobile, Verizon, etc.)
Using a VPN would protect you from any unwanted monitoring by the owner of that public internet access.
[Note: I’m probably going to start adding addenda to each of these posts. Those addenda would cover the important but probably overly detailed info that some people may find interesting but others would find overwhelming. In this case, I want to give a quick overview of Tier 1, 2, and 3 networks and how much of the Internet’s architecture is invisible to us as consumers. With that very brief background, I could start digging into “free” public Wi-Fi and how/why it’s paid for and why they can be so dangersou. I could talk about hotspots and using tethering. I could even maybe touch on services like Biongo. But that is all very ahead of myself.]
So here’s why I have so many thoughts about VPNs. A while back, I sat down and researched VPN services to find which one had all the privacy and security features I would want. [In the past, I’ve relied on workplace VPNs for security because—I believe—I’d rather a job see my Wikipedia history versus some disgruntled cafe employee who setups a Wi-Fi network to log activity.] The only companies that had all of the features I consider crucial are based in countries with adversarial or nonexistent relationships with the US. Those are the people who I absolutely do not want to have my data. So while I do believe a travel VPN is a best practice, I’m left at a bit of a crossroads when it comes to which service to use even when you’re at home.
You may be asking what I mean by “Those are the people who I absolutely do not want to have my data.” Well, when you use a VPN, your internet traffic goes from you to that VPN service and then out into the world. That means, if anyone at that VPN would want to monitor your internet usage, they could. [Yeah, I probably need to make some drawings to explain all that.]
More later, but here’s a good place to start and lose your mind researching VPNs.
https://thatoneprivacysite.net/vpn-section/
§
Current Conclusions…
I know this is a lot. Security and privacy is broken. I attended a talk by a professor who conducts yearly surveys of security and privacy experts. What he’s found is that those who are most knowledgeable are the least hopeful that the situation can be fixed. But I would say that it doesn’t mean that we shouldn’t do whatever we can to secure ourselves to the best of our ability.
I know it can be very frustrating. You could have done everything I’ve suggested and more, but that won’t help you if Facebook (or any other site) makes a mistake.
I suppose you could say, “I’m deleting all my accounts and hiding in a cave.” I guess. But that’s not a 100% guarantee because we all have records in all sorts of systems that are vulnerable. The only way to find out and do something about breaches that affect you is remaining connected to the world.
https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
If you’ve made mistakes, you’re not alone. even the most well-informed can make disastrous mistakes.
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
[Note to self: I’ve got to figure out a more uplifting ending.]