TUS Guest Author: Salah Andalusi

On the Internet, no one knows who you are. Unless of course, you’re required to fill in a Billing Address form to order the new Blu-ray series of Game of Thrones, then a few people know who you are. And maybe you decide that writing all of that personal information down is a big chore, so you click on your browser’s oh-so-handy and benevolent autofill prompt, and now you can order more Blu-rays from some other place, and new jet engines for your Russian free game, and your McDonald’s app, and that funny survey your Facebook friends sent you, and so on and so on.

And before you know it, if anyone wants to know where you live, there might be a few web apps with flimsy security protocols in place that can be exploited. By that same principle, your passwords, bank account number and ID/social security number can be fetched from the Internet. To say nothing of all the times you shared your email across all those platforms, and why bother changing passwords! Good on you too, right? You’re getting such urgent warnings from that tech support guy who, for some reason, needs you to change something in your profile settings before new protocols come into place, and who linked you a place to sign in to! (That was sarcasm, dear reader. A real administrator won’t ever ask you to sign in from a weird link that looks like the website’s but with a dot somewhere in the middle; they will notify you of imminent changes instead, and either already know your credentials or need only jump through a few decryption hoops to get them.)

Whenever you’re about to share an aspect of yourself anywhere online, think for a moment about what you’re doing; does this survey really require my phone number and social security number for that cheap iPhone raffle? Do I really want to add my credit card details to this app full of Russians shrieking about “cyka” and casually ruining sessions by hacking and scripting, just so I can buy a new pixel tank in fake World War 2? Isn’t it a bit creepy that I’m getting ads for replica swords after that search for “Valyrian steel”? How the hell did that phone salesman drilled on plausible scenario construction get my contact from “a database”? Do I want to trust Microsoft or Google or any other big corporation with something used ubiquitously for profiling like my fingerprint, just so I can get over the hassle of typing a password?

The World Wide Web is more connected than it’s ever been, and as security measures increase, so too do attackers grow more sophisticated. If, for example, your country’s government database is compromised, there is little that you can do about your demographic data. However, these high-profile attacks are conducted by a minority of skilled individuals, for better or worse, who are kept in check by one another. The majority of attacks, the daily ones, are rudimentary affairs that depend on lapses of judgment and complacency on the receiving end. And there is quite a bit you can do, even as someone not particularly tech-savvy, to avoid getting caught up in these basic breaches of security.

Layer Zero – The Human Layer

One thing to keep in mind: obtaining sensitive information can be as simple as asking a question or nabbing a discarded receipt from the garbage can. It can be even as simple as looking over your shoulder when you’re logging in to your many accounts in a public space. Privacy begins before you start up that fancy 5-star-review VPN, double-click the Tor Browser icon and rummage through your notebook for the 2FA token key. Alas, Frank, the overly friendly guy with a knack for getting you to open up, came over as he usually does to pat you on the shoulder and ask you for coffee, and you couldn’t bring yourself to shoo him away. Just as you were sitting down and typing in your login credentials! Who knows what he might’ve committed to memory while you were distracted!

Don’t do private tasks in public settings. Don’t let private data escape into the public domain, whether it’s Facebook, Dropbox or the trash can. You don’t need to be a tech expert to wait until you get home to pay for something, to shred receipts that have exhausted their tax-return usefulness, or even to destroy the old laptop/disk that had that .txt file with every single one of your passwords in case you forgot; it’s neither coincidence nor showmanship that your credit card is destroyed in plain view when you go to the bank to close an account. If at all possible or necessary, use a different machine for handling sensitive information. If you can’t afford two computers, consider having a virtual machine for the “real” tasks, and don’t let the two cyber presences (accounts, emails and so on) cross over if you can help it. Definitely do not use things like smartphones or tablets for things involving personally identifiable information (besides your phone number, which you need to make the smartphone more than a lousy tablet); public networks are ever more ubiquitous and your device will be constantly exposed. To say nothing of physical theft and what doors locked behind an SMS can open; you can be easily tracked and your routines can be unveiled by a sufficiently persistent attacker. Especially if it’s our friend Frank, who relayed to you in the most enthusiastic terms how much he relies on that geolocator app that tells his wife whether he’s dining or at the gym, so she can come pick him up if he misses her call.

If you use many platforms, do not fall into the habit of recycling passwords. If something happens and information on one platform gets leaked, your credentials for everything you frequent may as well be considered public domain. You can get a reasonably secure password really quickly with a search on your favorite search engine, and one that will make any attempts at discovery exponentially harder too. To put things in perspective, there are text files on the Internet numbering over a million common password entries that can be downloaded with little fuss. Programs that can run brute-force attacks on online forms are equally common. If you’re in a bad mood when you write down your password and go “ihatelife”, don’t think this can’t be cracked in a matter of seconds (it applies to any password involving liking or hating things, describing things or loosely alluding to things, really). Long, non-verbal “gibberish” passwords with lots of weird characters, which give the brute-force algorithm some trouble (and make all those accounts harder to bust), are your friends. Write them down on a piece of paper and hide it under your mattress if you have trouble remembering, just don’t tell your significant other about it. Also, keep in mind that many connectable devices come with default administrator credentials; your home router, for example. Take some time to review how to access it and change the password, so you don’t have to regret postponing it.
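To put numbers on the wordlist-versus-gibberish point, here is an added example (not from the original post): it checks a candidate against a small constructed stand-in for those million-entry common-password files, then estimates the worst-case brute-force effort from the password’s length and character classes. The six-entry wordlist and the guess rate of ten billion per second are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for the million-entry common-password lists the post mentions.
# A real check would use a full list (or a breached-password service); this is a toy set.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "ihatelife", "letmein"}

# Assumed guess rate: 10 billion guesses/second, a plausible order of magnitude for an
# offline attack against an unsalted fast hash (assumption, not a figure from the post).
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search would need to cover every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Keyspace in bits for exhaustive search: length * log2(alphabet). This is an upper
    bound; a human-chosen phrase is guessed far sooner by a dictionary attack."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str, wordlist=COMMON_PASSWORDS, rate=GUESSES_PER_SECOND) -> dict:
    """Report a wordlist hit, the brute-force bits, and a rough worst-case time in
    seconds to exhaust the relevant search space at the assumed guess rate."""
    if pw.lower() in wordlist:
        # A wordlist hit falls after at most len(wordlist) guesses: effectively instant.
        return {"in_wordlist": True, "bits": 0.0, "seconds": len(wordlist) / rate}
    bits = brute_force_bits(pw)
    return {"in_wordlist": False, "bits": bits, "seconds": 2 ** bits / rate}


if __name__ == "__main__":
    for candidate in ("ihatelife", "Tr0ub4dor&3", "x7#Qp!2mLz^9wR$e"):
        r = assess(candidate)
        print(f"{candidate!r}: wordlist={r['in_wordlist']} bits={r['bits']:.1f} "
              f"worst-case={r['seconds']:.3g} s")
```

Run it as-is to see “ihatelife” flagged instantly while the 16-character gibberish string sits above 100 bits of keyspace.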

Don’t trust people who come up to you online any more than you would a total stranger getting familiar on a first encounter. If you need something from somewhere, that somewhere usually has a FAQ, or a helpdesk that can help you, or a simple mission statement followed by a description of their service and how they do it. Go to them and don’t trust those who come to you; the act of reaching out implies an attempt to obtain something, regardless of whether it is mutually beneficial or one-sidedly malicious. This applies to people on whatever facsimile-human-interaction forums you frequent, to sudden emails threatening doom and gloom if you don’t click this link phishing for your information (presumably stored somewhere in your session history or prompted for upon arrival), and to the classic Nigerian millionaire princess in the throes of terminal cancer kindly giving away her fortune to strangers on the Internet. These may seem obvious and dumb, but send enough emails/friend requests to enough people for enough time and eventually dividends will be returned; your spam folder came from somewhere, but double-check everything it misses. And the social engineers who run them can be crafty in inducing misjudgments; demanding quick action to avoid an imminent consequence is a popular trick.

If for some reason, going about your daily activities, you happen to find a conveniently discarded USB pen drive, do the civically responsible thing and deliver it to whatever local equivalent of a lost & found department exists in the immediate vicinity. It’s polite, considerate and useful against inadvertently spreading malware that can cause serious damage to a device it’s plugged into (unless the person you pawn it off to decides they want a new flash drive!). Consider that you can boot an operating system from a USB drive. This means that it can access your hardware directly. And what that means is that your 500-dollar-a-month anti-virus subscription can’t do much about it. Alternatively, if you never got around to destroying that old laptop, unplugged from both your home LAN and the World Wide Web, you can see first-hand what might happen if you plug in that shiny new 50 GB USB drive you found. Just don’t use it for anything else before a virus scan and formatting.

If you have children, the risk factor of all the above scenarios increases severalfold. The author of this text does not presume to tell you how to raise your kids or what to let into their hands but understand that they are a particularly vulnerable demographic for cybercrime. Trust them with what you can be 100% sure you can trust them with. Not 99%, 100%.

These are just some of the ways social engineering can be used to get your personal information. Scam artists and malicious individuals of all stripes have been coming up with criminal schemes since the times of barter economies. Review your web habits, consider what you can change and how you can change it. The next Layer will take a step further up the technological ladder, and go over some ways that web-based applications can be used both to obtain data and to use your device for parasitical purposes.

Before we cover the next layer...

If nothing else, consider these simple tidbits.

Your antivirus is usually your friend, and it will have your back when you download something you shouldn’t have or browse somewhere you shouldn’t have browsed. Keep it fed with regular updates, and find one that is cheap/free. Or spend money on it, if you want.

Choose a web browser that you can be moderately sure won’t send data back to its maker. Open source browsers are a good starting point, but always do a bit of homework before you settle on any single one for heavy-duty web browsing. If you’re particularly security savvy, Tor Browser comes with many privacy and security features pre-set and easily configurable.