Blog about geeky stuff, computers, physics and life.
Created on Wed, 20 Oct 2021
Last week I wrote about a hypothetical Facebook Messenger and WhatsApp breach which would give the world access to everyone's chats - including yours, your friends', your parents', everyone you know or don't - indexable, searchable by everyone. A truly "privacy is over" type of situation. I argued that this is what people really care about - a personal hit, not bombs and terrorists or some unknown John in a three-letter agency reading your chats. Someone you know - or everyone you know - reading your personal communications with other people.
Scale it down
Alright, maybe leaking all of Facebook's chats would require literal trucks and months of unmonitored leakage due to the sheer amount of data. Text is not that big - the whole of English Wikipedia is merely 20 GB, which fits on a 32 GB ~$10 microSD card with storage to spare. More difficult would be the multimedia - images, audio, clips. If we are talking just about the content of text messages (which would be a non-trivial amount of communication, except maybe for the more and more frequent voice messages on many platforms), then with the right tools and access these can be exfiltrated compressed, similarly to how Ed Snowden did it from the NSA.
But let's scale it down from "worldwide breach" - say it just happens to you. Who could target you? Ex-boyfriends/girlfriends frequently have access to your password or physical phone(s) and computer(s) for some critical time right after the limbo of a separation. Roommates or party invitees, some of whom may not like you. A forgotten phone in a bar. What if all your chats get exported and shared publicly, easily searchable? Do you have anything to hide then?
Parents' tech support
A few paragraphs on the side - I want to explain that this stuff may be technical, but to implement and use it you don't have to be tech savvy. It will be a little inconvenient (a few minutes to an hour) while you set things up, but after that not much will change in your day-to-day life.
Last time I visited my parents I did the usual tech support games. I'm proud that since I left Bulgaria about 10 years ago my parents have been running the Xubuntu flavor of Linux with almost no issues on multiple different laptops that they changed over the years. They never dealt with anti-viruses or viruses, random slow-downs or driver updates. Almost all screw-ups have been my own. One time, after a remote access support session, I managed to screw up an update on the machine, which resulted in the bootloader not being able to find the OS. My parents are not too tech-savvy, but this led to my biggest achievement to date: getting my mom through a grub rescue console over a video chat. So I don't know - maybe they are secret hackers after all :)
So I checked that everything with the OS was all right, updated packages, looked for randomly installed software (although with Linux that would be super difficult - still, just to be sure) and was fairly happy. But while doing that there were tons of annoying notifications from Facebook and news websites that kept popping up on the right. I asked my parents and they said they don't pay attention to them, but I decided to be a good citizen and remove all those XXI-st century toolbars.
But the bulk of the support was on passwords. Chrome has become more and more aggressive about password management - which is good. (It has also become extremely easy to allow all websites to run service workers, so random notifications were popping up; I had to remove all of them and disallow new ones.) It reds out passwords on non-HTTPS websites, but almost none of them are on non-HTTPS anymore - which is also nice, yay Let's Encrypt. It also prompts you to use the password manager. I took the leap - but I wanted to lock it down a lot. So I set them up with pretty much the best practices these days. If my parents can do it, you can do it! What are these?
What can be done?
Enable strong two-step verification: The best thing you can do for protection on a personal level is to enable 2-step verification. Best is to have a special hardware key - there are now open-source versions as well. Next best is an app. Last is SMS - not ideal as it is fairly easily hackable, but still better than nothing. I set my mom up with a strong password and equipped her with Google Authenticator on her phone, wrote down the recovery keys and told her to keep them safe. I took a picture of them and encrypted it in my own password manager for recovery purposes.
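To show what the "app" option actually does under the hood, here is an added example (not code from the post) of the TOTP algorithm that Google Authenticator and similar apps implement: HOTP (RFC 4226) with the counter derived from the current 30-second time step (RFC 6238). The secret is the reference secret from those RFCs, base32-encoded the way an app receives it from a QR code; the function names and the server-side verifier with its replay check are my own, written so the reader can see both the phone side (generate) and the service side (verify).

```python
import base64
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# base32-encoded as an authenticator app would receive it from a QR code.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30


def _decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets from QR codes often come without '=' padding; restore it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """TOTP (RFC 6238): the phone side. Counter = Unix time // 30 seconds."""
    return hotp(_decode_secret(secret_b32), at_time // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int,
                last_used_step: int = -1, window: int = 1, step: int = STEP_SECONDS):
    """The service side. Returns the accepted time step, or None.

    Tolerates +/- `window` steps of clock drift, compares in constant time, and
    refuses any step at or before `last_used_step` so an intercepted code cannot
    be replayed within its validity window (the caller persists the returned step).
    """
    secret = _decode_secret(secret_b32)
    current = at_time // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if candidate_step <= last_used_step:
            continue  # already consumed: a second use of the same code is rejected
        if hmac.compare_digest(hotp(secret, candidate_step), code):
            return candidate_step
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(TEST_SECRET_B32, now))
    print("accepted step:", verify_totp(TEST_SECRET_B32, totp(TEST_SECRET_B32, now), now))
```

The codes this produces for the RFC secret match the published test vectors (for example 287082 at Unix time 59), which is a quick way to confirm an implementation before trusting it. Note that the whole scheme rests on the shared secret: whoever holds the QR code or the recovery keys can generate valid codes, which is why the post has them written down and stored encrypted rather than left in a photo roll.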
Only one password: Have one single password which is hard to guess and easy to remember. Definitely nothing on this list. This one single password is for your (preferably offline and definitely encrypted) password manager (which can also be protected with two-step verification). Then on all other websites - Facebook, Google and so on - you wouldn't know your password. It will be 20-30 or even 60 random characters long, full of small and capital letters, numbers, random symbols like ^%*)~_+_\$#*&^)! - you wouldn't care, because your password manager will store it. If your password manager is offline and encrypted, even if someone steals it they wouldn't know the password; even if they do - they wouldn't have your key or your phone, and if they do - well, then you are kind of sloppy. But you can still get notified about logins. Then you can revoke a login and change your password quickly. It seems like a single point of failure, but in fact research has shown that this is much better than trusting yourself to remember tons of passwords for different websites - people tend to reuse passwords, so a hack on one service means a hack on other services.
If you don't want to manually manage your offline and encrypted password manager, the next best thing is probably to use the Chrome/Firefox password managers. They come with an optional encryption passphrase so that even these companies won't be able to know your passwords, even if somehow they get hacked. I set up my mom with this and changed most of her passwords on her most used websites.
Phishing - this one is the hardest. People are extremely likely to fall for some of the scams, even when they say it won't happen to them. In any case, I went through the common themes with my mom - she said she never uses online payments anyway, which is almost good enough. I reminded her to never ever ever give any hints to any pretend caller or emailer regarding passwords (although she now doesn't even know them), PIN codes, or even names, date of birth, national ID numbers, address or anything. If someone calls or emails pretending to be bank support - hang up, find the official bank number and initiate the call yourself instead.
There are many more ways to stay secure and protect your privacy these days, depending on your use case. There is no absolute security; it's always a tradeoff against usability, but following the above 3-4 things should greatly help you stay safe online these days.
Pobody is nerfect, it can happen to all of us. That's why the best approach these days is so-called defense in depth - even if some part gets breached, there should be other controls that stop it, similar to having multiple physical doors for security. For example, I (almost) got pwned by a friend who used my computer at home, logged into one of my Firefox profiles which I used for some websites, and thus synced some of my and all of her passwords for months before realizing it.
That's a scenario that is too concrete, yet I implemented some more guards for similar situations. You don't have to go that far - using the simple rules above will get you a long way toward not being pwned by someone who doesn't like you. In this increasingly (some may say dystopian) electronic world, a little privacy can go a long way. Do it if you can, it doesn't cost much!