Digital Self-Defense

How to protect yourself in the new digital world

Prepared and presented by
Charles Hill (a.k.a. "chill")

"Data is the new oil"

Businesses collect huge amounts of data from their customers every day. Often the data is collected without a direct business need. And most of these businesses don't have the knowledge, skill, or desire to protect it. But there are some people out there who do have a use for this data - hackers!

On the so-called "dark web", stolen data is packaged and re-packaged, bought and sold, and finally used by hackers to target individuals with phishing scams or theft.

But you don't have to be a passive victim. You can protect yourself.

Be a customer, not a product

Stop sharing your personal data!

The best way to prevent your data from being stolen by hackers is to not share it in the first place. Here are some practical strategies to avoid giving away your information unless absolutely necessary:

Use fake names, emails, and phone numbers

  • Does the service or app need your real name? Probably not.
  • Use a temporary email inbox service like Mailinator
  • Provide a fake phone number
  • If you need to receive SMS, search for "Receive SMS online" to find a free service

Don't give your home address when buying online

  • Pick up products in-person at the store
  • Deliver to your office if you still have one ;)
  • Get your own box at the post office and have items delivered there

Already shared too much?

For how many websites have you created an account? How many apps have you installed? Most people accumulate app and website accounts over the years.

Uninstalling an app doesn't delete your data from that app's database. And most websites do not ever delete old, inactive accounts. It's their data: Why should they delete it? Or so they think.

The right way to delete old accounts

  • Change all personal data, replace with plausibly fake info
  • Wait a couple of weeks so that automated backups are overwritten with the new info
  • Delete the account
  • You might need to contact support via email to request deletion
  • Bonus points for mentioning GDPR's "right to erasure"

Passwords, passwords, passwords.

Hackers don't sit and think about what your password might be. They share huge lists of stolen emails, usernames, and passwords that have already been cracked. The account that you used 10 years ago on that website you have long forgotten about - that password is in a list being shared every day between hackers.

Even if your current account credentials are not in a list right now, hackers can use the known passwords associated with your email addresses or usernames to help them crack your new account passwords.

Have you been pwned?

haveibeenpwned is a free service that checks if your email or phone number has appeared in a data breach. It even has an automated notification service that can send you an email whenever you've been "pwned" by a new breach.

Hundreds of millions of accounts are exposed via data breaches every month.

Password managers

Do you remember your passwords? If yes, then you're doing it wrong. Humans are very bad at creating good, unique passwords. Use a password manager to create and store all of your account passwords.

So what's a good password?

  • One that you didn't make yourself
  • Long - 20 (or more) alphanumeric characters
  • Unique - create a new password for each service
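As an added example (not part of the original talk), the block below shows the two sides of this advice in code: generating a long, unique, machine-made password with the operating system's CSPRNG, and checking whether a password is already in a breach list the way haveibeenpwned's Pwned Passwords range API does, where only the first five hex characters of the SHA-1 hash leave your machine and the matching is done locally. The range response embedded here is constructed sample data with made-up counts (the real API is queried over the network), and the helper names are my own.

```python
import hashlib
import math
import secrets
import string
from typing import Tuple

# 62 alphanumeric characters, matching the talk's "alphanumeric" advice
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20) -> str:
    """Return a random alphanumeric password (a password you did not make yourself).

    secrets.choice draws from the OS CSPRNG, so there is no human pattern to guess.
    """
    if length < 20:
        raise ValueError("use at least 20 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


# --- Pwned Passwords style breach check (k-anonymity) ---
# The real service takes GET /range/<first 5 hex chars of SHA-1> and returns
# every known hash suffix with that prefix plus a breach count. CONSTRUCTED
# sample response for prefix "5BAA6" (the prefix of SHA-1("password"));
# the counts are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:5
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return how many times `password` appears in the range response (0 = not found).

    Only the local suffix is compared against the returned suffixes, so the
    server never learns which password (if any) matched.
    """
    _prefix, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        if not line.strip():
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.strip() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    print("password seen", breach_count("password", SAMPLE_RANGE_RESPONSE), "times")
    print("generated seen", breach_count(pw, SAMPLE_RANGE_RESPONSE), "times")
```

A 20-character alphanumeric password from this generator has about 119 bits of entropy, far beyond what a cracking list or brute force can cover, and because the check only compares hash suffixes locally, running it against a real breach corpus does not disclose the password being tested.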

Recommended password managers

  • KeePassX - Free software, cross-platform, standard database format
  • Keepass2Android - Android app, compatible with KeePassX
  • Strongbox - iOS app, compatible with KeePassX
  • 1Password - Paid service, cross-platform apps provided

Second factor authentication (2FA)

For all of your important accounts, you should enable 2FA. The most critical accounts to secure are your email and financial accounts. Do not use SMS-based 2FA unless it's the only option - banks are the worst about this. Do not enable SMS-based account recovery options.

Recommended 2FA methods

  • Authy or Google Authenticator apps
  • YubiKey or other universal second factor (U2F) device

Again, do not use SMS for 2FA! Your phone number can be hijacked via social engineering.

E.g. "Hello, my name is XXX and I lost my phone. Can you please port my phone number to this new SIM?"

Backups

So you're using a password manager and 2FA - that's great! But do you have backups so that if your computer or phone is stolen, you can still access your accounts?

When you enable 2FA on a new account, you are given what are usually called "backup codes". Save these backup codes in your password manager. You can use one of these backup codes to access your account, in case you lose your phone.

If you're using a password manager that saves a file on your computer, you can safely copy this file to your personal cloud file storage - e.g. Google Drive, iCloud, etc.

Two is one, and one is none.

Secure messaging

Email is not secure. Assume that your email can be read or modified maliciously.

Very few messaging apps have end-to-end encryption. And if they claim to have it, they most likely have a back door which allows the company or government access to metadata and message contents.

Can we please stop using WhatsApp?

Recommendations

  • Signal - The most popular and trusted secure messaging app. Government agencies and military organizations have started to use it to secure their communications.
  • Element - Built on the Matrix secure, private messaging protocol. Cross-platform apps available.

Safer internet browsing

Use Firefox or Chromium (non-Googled version of Chrome) as your primary browser.

Use an adblock extension. I strongly recommend uBlock Origin. It is a trusted adblock extension that doesn't spy on you. The internet is a horrible place without adblock.

Do not install browser extensions other than uBlock Origin. Malicious adtech companies and hackers buy popular, free extensions and then silently change their behavior so that they can spy on their users' browsing habits and even steal their account credentials for banks and other services.

Anti-virus software is a virus

Do not use "anti-virus" software - e.g. McAfee, AVG, Avast, etc. These programs deeply manipulate your operating system's normal functions. And several times the anti-virus programs themselves have been exploited by hackers to infect computers.

How to protect against viruses

  • Enable automated system updates - stop delaying software updates!
  • Avoid installing every piece of random software that you find.
  • Windows users --> Enable Windows Defender and make sure that it is up-to-date.

Summary and priorities

There are many things you can do to improve your privacy and security situation in the new digital world. But everything takes time and energy. So here's a list to help you prioritize.

  1. Use a password manager
  2. Enable 2FA on your primary email and financial accounts
  3. Have backups for 2FA codes and password manager database
  4. Use Firefox or Chromium web browser with uBlock Origin extension
  5. Stop oversharing your personal data

Thanks!

degreesofzero.com/talks/digital-self-defense

Scan the QR code for a link to this presentation