Tuesday, October 10, 2017 7:00AM / James Crace
Privacy is more important than ever. The Internet may be the best thing since sliced bread, but as we come to rely on it more and more in our daily life we risk exposing our data to attackers. Here at Cloudwards.net we figured we would help out our readers with a thorough online privacy guide that will keep you safe while you browse the world wide web.
We’ll look at the steps you can take to ensure your privacy, whether you’re just browsing or downloading torrents. However, we’re not here to help you hide from three-letter agencies that are actively searching for you: if you’re the next Edward Snowden, you’ll have to take extraordinary measures that are well out of the scope of this article.
With that said, let’s first take a look at the threats the average user will face while on the Internet.
Privacy under Attack
According to the Pew Research Center, half the U.S. population do not trust the government or social media to protect their data and 64 percent have experienced a major security breach of some description.
It’s not just hackers and scammers that we have to worry about. Governments around the world seem to want to get their hands on citizens’ data, too. Claiming a desire to thwart future terrorist attacks, some politicians want to require corporations to backdoor their software and purposefully weaken or break encryption so that law enforcement can more easily eavesdrop on users.
For example, the FBI wanted Apple to provide them with a backdoor to access encrypted iPhones, a request which Apple, thankfully, declined. As encryption becomes easier to deploy and use, cases like this will continue to crop up in the news until lawmakers learn that all back doors are simply another vector for criminals to attack innocent users — or for ISPs to sell customer data.
The upshot is that your privacy is at risk, whether from politicians or hackers, and it’s futile to rely on corporations or lawmakers to safeguard your private data. Your privacy is your responsibility and you need to grab this bull by the horns yourself if you want your data to stay yours.
A threat model is used to establish what steps to take to keep something secure. Software developers and security researchers use threat modeling when writing software or designing security systems, deploying servers or other hardware. It’s useful for users as well, since security and privacy can seem like a fuzzy gray area for home users.
You need a threat model because there is no single tool to keep your data safe online or to protect your privacy. To begin, ask yourself two basic questions:
· What do I want to protect?
· Who am I protecting it from?
Security is situational, meaning someone backing up cat pictures faces very different threats than someone backing up sensitive documents for a business. Do you need to protect those cat pictures? Are they a likely target for attackers? Not really, so you wouldn’t want to expend too much effort on the task.
Documents, on the other hand, are definitely a target for attack. Hackers love to go after them as they contain a wealth of information, so sensitive documents are worth the extra effort it might take to make sure they remain private and secure.
By asking those two questions — what am I protecting, and from whom — we establish a threat model. Ask yourself what the consequences are if you fail to protect something and decide if it’s worth the risk. Even if it might seem like extra work, the tools and tips we provide here will make it easier to keep your data safe and help maintain your privacy.
Common Online Threats
Now that we know what a threat model is and how to establish one that meets your needs, let’s take a look at some of the most common threats online.
Ads and Tracking
Many users find ads to be annoying at the very least and PageFair released a report that shows the use of adblock software to be increasing rapidly. Ad blocking is a good thing as you’re not just making browsing more pleasant, you’re also preventing those ads from tracking you.
Some people don’t mind this, since such data is often used to create targeted advertisements for users. If the idea of your Internet activity being tracked doesn’t bother you then you don’t have to include this in your threat model.
For those who don’t want to be tracked, it’s important to understand how it works. A web browser creates a “fingerprint” that can be used to identify a user with great accuracy. Websites can request specific information from your browser, such as screen resolution, language or installed add-ons.
You can get an idea of how unique your browser fingerprint is at Panopticlick and Am I Unique?. Fingerprinting is hard to prevent, since installing more add-ons or tweaking your browser simply results in a more singular setup than you started with.
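The sketch below is an added example, not code from Cloudwards.net or from the fingerprint-testing sites named above. It measures how identifying each attribute is within a small constructed sample of visitors, and shows why a heavily customized browser stands out more than a default one. The sample data and the function names are assumptions.

```javascript
// Constructed sample of browser configurations (not real measurements).
// Each entry holds the attributes the article names: screen resolution,
// language and installed add-ons.
const visitors = [
  { screen: "1920x1080", language: "en-US", addons: [] },
  { screen: "1920x1080", language: "en-US", addons: [] },
  { screen: "1920x1080", language: "en-US", addons: ["adblock"] },
  { screen: "1366x768", language: "en-US", addons: [] },
  { screen: "1366x768", language: "en-US", addons: ["adblock"] },
  { screen: "1920x1080", language: "de-DE", addons: [] },
  { screen: "1920x1080", language: "en-US",
    addons: ["adblock", "noscript", "canvas-blocker"] },
  { screen: "1366x768", language: "en-US", addons: [] },
];

const ATTRS = ["screen", "language", "addons"];

// Canonical string for the chosen attributes of one visitor.
function key(visitor, attrs) {
  return attrs.map((a) => {
    const v = visitor[a];
    return Array.isArray(v) ? [...v].sort().join(",") : String(v);
  }).join("|");
}

// Number of visitors in the sample that share the target's values.
function sharedBy(target, population, attrs) {
  const k = key(target, attrs);
  return population.filter((v) => key(v, attrs) === k).length;
}

// Surprisal in bits: -log2(share of the sample with the same value).
// More bits means fewer people look like you.
function bits(target, population, attrs) {
  return -Math.log2(sharedBy(target, population, attrs) / population.length);
}

// Per-attribute bits, bits for the full configuration, and the size of
// the crowd the target can hide in.
function report(target, population) {
  const out = {};
  for (const a of ATTRS) out[a] = bits(target, population, [a]);
  out.combined = bits(target, population, ATTRS);
  out.anonymitySet = sharedBy(target, population, ATTRS);
  return out;
}

const plain = visitors[0];   // default setup, no add-ons
const tweaked = visitors[6]; // several privacy add-ons installed
console.log("default setup:", report(plain, visitors));
console.log("tweaked setup:", report(tweaked, visitors));
```

In this sample the default setup shares its configuration with one other visitor, while the tweaked setup is unique: its add-on list alone is enough to single it out.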
There is a way to minimize fingerprinting: use at least two separate browsers.
Let’s say you’re logged into Facebook on Chrome. You leave Facebook, and browse the web for a while. Any page that has a Facebook “like” button automatically reports back to Facebook and you’re still logged in so any pages you visit with a “like” button are tied to your account. You’ll see content and advertisements based on all the tracking data Facebook has accumulated.
By using two browsers — one for Facebook, say, and another for everything else — you keep your activities separate. That way, Facebook and Google will have trouble linking your party pics to your WebMD searches. We’ll touch on this more in depth later on in the article, but for now simply decide whether tracking and advertisements are on your threat model.
WiFi is available almost everywhere these days and many people connect their mobile phone or laptop to the first hotspot that pops up, often without a second thought. However, fake hotspots are easy to set up and often hard for users to distinguish from legitimate ones.
We’ve written in-depth about the dangers of public WiFi and it’s worth reading if you want to stay safe when using it. If you work in public spaces or use public wireless often, you should include it in your threat model; a few simple precautions will cut down the danger of hijacked connections considerably.
A virtual private network is your best bet here, so if you’re not sure what that is we’ll help you get up to speed and understand what a VPN is good for. Using a VPN goes a long way toward protecting you on wireless hotspots, but be sure to follow the basic guidelines below and use a plugin like HTTPS Everywhere, which we covered previously in our list of 99 free tools to protect your privacy.
General Privacy and Security Tips
Maintaining your privacy online requires a continuous effort. You can’t click a button and never worry about it again. By learning a few basic concepts and employing them every day, though, you’ll increase your security and privacy online and eventually it’ll become second nature.
Let’s start with what you can do on your own devices: encryption.
One way to put your privacy at risk is when your computer is lost or stolen. Even if you have password protected it, there are ways to access the data on your hard drive. Stolen or lost devices, in fact, are estimated to contribute to 45 percent of healthcare and 25 percent of bank data breaches, and it’s usually due to unencrypted hard drives.
The major operating systems all include support for full-disk encryption, making it easy to encrypt your entire hard drive. This protects your device in the event it goes missing, but since you simply decrypt it when you log in, it makes no real difference in the way you use your device.
Another way of keeping data safe is to not keep it on your hard drive at all, but in the cloud, instead. You can then rely on your cloud provider to handle the encryption of your data and have them keep it safe.
If you go this route, you’re probably best off going with any of our best zero-knowledge cloud services, like Sync.com or pCloud, both of which let you create and maintain control of your own encryption key. Alternatively, you can use a less secure provider and encrypt your files yourself.
In the past, I used TrueCrypt to create encrypted volumes and then stored those encrypted volumes in the cloud. TrueCrypt is no longer supported or considered safe to use, but there are several great TrueCrypt alternatives. I’ve personally moved on to using VeraCrypt.
Using a zero-knowledge service or encrypting your own files is a big responsibility, however, since if you lose your encryption keys or passphrase you’ll have no way to recover the encrypted data. Always keep copies of encryption keys stored someplace safe.
In addition to the files on your computer, consider encrypting text messages stored on your mobile device with user-friendly apps like Signal. Most Android and iOS phones offer system encryption via passcode, which we also recommend taking advantage of.
Anyone with a little spare time and $500 can build a stingray to impersonate a cell tower and intercept text messages. GSM, the protocol used by many mobile phone carriers, is broken and insecure. Given the ease of encrypting text messages and ease of spoofing cell towers, you should strongly consider including your mobile device usage in your privacy threat model.
Finally, we recommend that you consider securing your email. Email is insecure by default, as your messages can pass through many different servers before hitting their destination. Even if those servers use SSL to encrypt the data, there is no guarantee as to the security of each individual server.
Encrypting email is a little more difficult than encrypting text messages, but our email encryption guide provides straightforward instructions and explains essential terminology.
It still might take some time to grasp the basics, but after you send and receive a few encrypted emails, it will become second nature, especially with one of the plugins featured in our guide.
The weakest link in information security is almost always the human element. People make mistakes, and when it comes to security one of the most common mistakes is choosing a terrible password and reusing it often.
The media frequently sensationalizes security breaches, always blaming it on hackers while criticizing large corporations for not protecting users. The truth is, corporations can’t be blamed when someone picks an easily guessed password or falls for a phishing scam.
It’s the easiest avenue for attackers to pursue, preying on unsuspecting users that can’t spot a fake email or use “password123” everywhere they can. We previously covered several high-profile cases involving password fails, which illustrate that very point.
Thankfully, it’s actually not hard to pick a good password. We wrote a guide on choosing a strong password that goes into the logic behind password security and demonstrates how easy it is to pick a nearly unbreakable password.
There are many tools that make strong password creation easier, too, including password managers. Using a password manager requires the user to create and remember a single, lengthy and secure password that unlocks the user’s other passwords. Most password managers have browser plugins and other tools that make using them a seamless experience.
Another tactic you can take to protect yourself against password cracking is two-factor authentication, or 2FA. With 2FA, when logging into an online service from an unfamiliar machine, you’ll be asked to enter another piece of information in addition to your normal credentials.
This piece of information is often a security code sent to your mobile device or a security token. This ensures that only you can access this information and is an essential tactic when keeping your data safe.
Use a VPN
We briefly mentioned VPNs earlier when covering public WiFi, but such tools do more than provide protection against digital eavesdropping: VPNs also protect you from marketers and anybody else who might want to make use of your browsing data.
We already mentioned ISPs’ Congress-sponsored snooping, but also concerning is that service providers like Verizon and AT&T have been inserting perma-cookies to track users and injecting advertisements into web pages, invading the privacy of users and putting them at risk. Ad networks are often abused by malicious parties, and it’s easy to load malware into an advertisement.
By using a VPN, you can prevent ISP traffic logging and shady practices like those employed by Verizon and AT&T. VPN services replace your IP address with one of their own, effectively shielding your device identity and location. The tunnel created by a VPN encrypts traffic coming from your device, too. The net result is that only the VPN provider can see what you’re doing.
That’s why it’s important to find a VPN that doesn’t log traffic. Be especially careful of free VPN providers. Many profit by actually selling your data to the very sorts of people you think you’re protecting yourself from.
We’ve created a VPN comparison chart that will help you pick a no-log VPN. We also wrote a short guide to VPNs that includes a breakdown of the best VPN providers for 2017.
General Privacy Tips
We’ve covered the basic things you can do to maintain your privacy and security online:
· Use separate web browsers to compartmentalize your activity and prevent tracking
· Be wary of public WiFi and use a VPN to stay safe
· Encrypt everything: your devices, your data, emails and texts
· Choose strong passwords and never, ever reuse a password
· Keep a no-log VPN running to prevent traffic monitoring
It might seem like a tall order at first, but you can start by prioritizing and picking just one area to work on. Spend some time thinking about your own privacy needs, what matters to you and what you want to protect. In short, develop your threat model. Then, get to work.
Up next, we’ll look at some common day-to-day online activities (web browsing, chat and torrenting) and offer a few suggestions for how to increase your privacy for each.
We spend a good deal of time browsing every day, whether for work or play. In fact, Pew Research reports that 73 percent of Americans say they’re online every day and 21 percent say they’re online “almost constantly.”
The Internet is a lovely place, but it has its dark corners, too, and some less-than-nice people lurk there. We’ve discussed one privacy threat you might face, tracking, and mentioned both phishing and malware in passing.
Phishing is when malicious attackers impersonate a site or service, such as a bank or email provider, in an attempt to trick users into handing over sensitive information. Attackers have become adept at creating realistic pages that might fool all but the most suspicious of users.
Malware is malicious software designed to corrupt your computer. It’s often spread through pop-ups or advertisements, including fake antivirus warnings and updates. Be careful about clicking any such message: chances are someone is trying to scam you and infect your computer. Only update your operating system through the normal channels, like the control panel or app store, or by the package manager if using Linux.
It’s not difficult to avoid phishing sites or malware. By default, both Firefox and Chrome employ Google’s Safe Browsing Service to automatically identify and warn users when a site is known to contain malware and phishing links.
Always look for the SSL icon in the address bar — typically a little padlock — and read the website address to make sure you’re on the right page. Even that’s not a sure thing, though, as malicious sites may use SSL themselves. Always double-check the address, too. A common trick attackers use is to pick a domain with a typo, like “facebok.com” or something similar, hoping that users won’t notice the difference.
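The address check described above can be automated. The following is an added example, not code from the original article: it compares the host in a URL against a short list of sites the user actually uses and flags near-misses such as “facebok.com”. The allowlist, the distance threshold of 2 and the function names are assumptions.

```javascript
// Sites the user really logs in to (assumed allowlist for this example).
const TRUSTED = ["facebook.com", "google.com", "paypal.com"];

// Edit distance counting insertions, deletions, substitutions and swaps
// of two adjacent characters (optimal string alignment).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) =>
      (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,         // deletion
        d[i][j - 1] + 1,         // insertion
        d[i - 1][j - 1] + cost); // substitution or match
      if (i > 1 && j > 1 &&
          a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Classify a URL's host as trusted, lookalike, unknown or invalid.
// The scheme is deliberately ignored: a padlock does not make a
// misspelled domain the right one.
function checkUrl(url, trusted = TRUSTED) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return { verdict: "invalid" };
  }
  for (const t of trusted) {
    if (host === t || host.endsWith("." + t)) {
      return { verdict: "trusted", host };
    }
  }
  for (const t of trusted) {
    if (editDistance(host, t) <= 2) {
      return { verdict: "lookalike", host, resembles: t };
    }
  }
  return { verdict: "unknown", host };
}

console.log(checkUrl("https://facebok.com/login"));
console.log(checkUrl("https://www.facebook.com/"));
```

An "unknown" verdict only means the host is not close to anything on the list; it says nothing about whether the site is safe.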
There are many clients for online chat, many of them free, and most users don’t stop to think about their privacy when using them. If you’re content with Facebook Messenger and chat privacy doesn’t factor into your personal threat model, keep doing what you’re doing. If you value your privacy and security, here’s what you can do.
First, you should use Off-the-Record Messaging (OTR) wherever you can. OTR provides encryption and authentication for instant messaging.
The best way to utilize OTR is with the XMPP protocol. XMPP is a free, open and decentralized protocol for instant messaging created in 1999 by Jeremie Miller. Jabber was the first IM technology built atop XMPP, and the popular app WhatsApp initially used a custom version of XMPP before switching to a closed, proprietary protocol.
You’ll need a client, which is simply a program that connects to the XMPP service. A few of the most popular clients that support OTR are:
· Pidgin: Windows, Linux and MacOS
· Adium: MacOS only
· Gajim: Windows and Linux
To start using XMPP, you need to sign up for a public XMPP provider; there’s an excellent list provided by CryptoParty. Signing up is easy and there are plenty of free, public XMPP servers. Once you have an account you can chat with any other user across different XMPP servers.
I won’t get into detail on other chat apps, but we previously touched on some of the concerns regarding apps like WhatsApp and Telegram in another article. The short version: most use private/proprietary protocols, or custom codebases that lack the proven security and reliability of a protocol like XMPP, so it’s impossible to vouch for their security or privacy.
To recap: If you want to chat securely and privately, use a client like Pidgin along with a public XMPP server and the OTR plugin. Any other XMPP user can contact you since most servers are federated, and all of your instant messaging is encrypted and authenticated.
The BitTorrent protocol relies on each user sharing the file in question with the “swarm,” a term that refers to everyone downloading a particular torrent. Torrent clients will download and upload to other peers, which makes for an excellent, decentralized protocol for file sharing.
It’s also a privacy nightmare. Your IP is broadcast to the swarm and it’s trivial to get the IP address of all users downloading a torrent. Copyright lawyers monitor the most popular torrent sites and files using automated software, sending out millions of notices to ISPs and users, threatening legal action and hefty fines.
There are plenty of legitimate uses for torrents, such as sharing Linux ISOs, but regardless of your intentions the goal of this guide is to help you maintain your privacy. To hide your IP address while torrenting, there are two easy options: Use a VPN or use one of our best cloud torrent services.
We discussed VPNs earlier, but it’s worth mentioning that not all providers are torrent-friendly. Check out our top VPN reviews to find a good provider that allows torrents before you sign up for a VPN service. Speed tests are a crucial part of our reviews, and you’ll want the best speeds possible when downloading torrents with a VPN. Remember to look for a provider that doesn’t log your data, too.
If you don’t want to use a VPN, there’s always cloud torrenting. These clients download the torrents on your behalf, so your IP is never in the swarm, and they cache popular torrents so oftentimes your files are instantly available. Many support streaming on their paid tiers, making this a convenient choice, but keep in mind these providers typically keep logs and would comply with court orders.
I’m not aware of this ever happening, and services like Put.io have been in business for quite some time without issue. For those who value their privacy, I recommend a torrent-friendly, zero-logging VPN provider for downloading torrents. It may be less convenient, but it’s better for your privacy.
Privacy and security are complex topics and it would take many more pages to cover every aspect. Fortunately, unless you’re on the run from an intelligence agency, users can protect their privacy by following a few basic guidelines and staying aware of trends and threats as technology evolves.
Determine the threats to your privacy: What do you want to protect, and how hard are you willing to work to protect it? Learn about VPNs and pick a reputable provider to keep your traffic secure at home and on public WiFi. Encrypt all of your devices, as well as your texts, emails and other data. Be wary when browsing the web, avoiding common phishing scams and malware.
First appeared on Cloudwards.net