With the passing of the “Access and Assistance” bill here in Australia, communications - innocent or not - are about to become a lot less secure. Depending on your need for security there are some changes you can make to reduce your risk. You will probably never be able to eliminate it totally as either the sheer weight of Govt resources or simple human error could still cause a problem.

Is the site secure?
When you communicate over any network there's the possibility your communications can be intercepted. If you visit a website and the URL starts with HTTP then there is no encryption happening, and anyone can 'sniff' and watch (and possibly modify) your network traffic (your ISP, any server along the way, a kid on the same Wifi as you in the mall). Most modern browsers will ask for the HTTPS version by default which adds some basic end-to-end encryption. At a bare minimum never enter credit card or personal information on a site without https as they obviously don't care about your security!

Tracking:
To ensure you're not leaking random information about what you're browsing it's a good idea to also block tracking mechanisms (including advertising) - again, most browsers will help with this, but something like Brave (a browser based on the Chrome engine but with additional privacy and performance optimizations) does this by default. If not using Brave, uBlock Origin is recommended as a plug-in to help maintain privacy. Similarly if you want your searches to not be tracked, DuckDuckGo is a great, privacy-centric, search engine.

The Network:
While you have no control over how an ISP routes you (and who they allow to see what you're doing) there are a couple of ways you can protect yourself and create anonymity. This is equally applicable to mobile phone networks, public, and home networks. The simplest (and highly recommended whenever you are on a public network) is to use a Virtual Private Network (VPN) - this creates an encrypted 'tunnel' to another server on the internet (which can be in any country) which is much harder to intercept, monitor, or track (good VPN services don't keep any logs so they can't be examined). PrivateInternetAccess have a very good reputation for privacy and anonymity (you can even pay with gift cards!) and good speeds. Proton (see later for email providers) also have a respected solution which you might want to consider, especially if using their email service. This article has some detailed reviews of a number of VPN options. The Onion Router (TOR) is another way to keep your browsing anonymous. While strongly associated with "the dark web" in the press, it was actually created by the US Navy. At a high level it breaks your requests into multiple pieces and routes them via different paths and intermixes your traffic with everyone else's, so it is very hard to identify what sites you are visiting. While good for anonymity it should be noted that TOR can be slower than regular browsing because of the distribution and size of the network (though as more people use/support the network this is improving). TOR have their own browser (based on Firefox), but Brave also includes an option to use TOR for private browsing.

Another risk on the network is other devices snooping on what you're doing. At home you should always enable Guest wifi, and use that for any Smarthome devices or visitors - only allow trusted machines on your personal network.

Email:
One of the most basic communications tools, email was created in an era where open transparency was the norm, which makes it easy to intercept and review. Until recently efforts to encrypt and verify email communications required a lot of technical expertise, but more recently Proton (via TOR) have developed a solution that is as easy to use as Gmail but with the added advantage of strong encryption (backed by Swiss laws) ensuring communications stay private. The strongest level of security is emailing fellow Proton users, as the messages never leave their system (if you email someone outside the system they have to view/respond to the mail via the Proton web interface, but more technically savvy users can also set up PGP encryption for their mail client and keep messages encrypted). Proton has secure clients for the web, iOS, and Android, and can also integrate with existing desktop email clients (though that does require the email to be decrypted locally, so not recommended on a device that may be compromised).

Messaging:
SMS is insecure, don't use it, or any product owned by Facebook (including Whatsapp)! The most secure tool for instant messaging right now is Signal (available for iOS, Android, and on the desktop), which supports both messaging and calling. The criticism of Signal is that it ties you to a phone number and only allows you to use one device at a time. An implementation of the same protocol is Wire, which allows multiple devices and (on some plans) encrypted video as well as voice calls. Telegram is another option, supports multiple devices, voice, and video calling; however the encryption has not been proven to the same level as Signal/Wire, so while the user experience is better it may not be the best choice for some scenarios (though they have a very strong stance of not breaking their encryption for Govt requests).

Passwords:
If you use the same email/password combination for everything... stop now. Sure, it's convenient and no-one will ever guess Passw0rd is your password, but why risk it?! Your best bet is to use a password manager like LastPass, 1Password, or Dashlane and either create unique complex passwords yourself for each site or (better) let it generate and store random ones for you. Most modern browsers also feature a password manager, but that limits you to just that browser.
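The generation step above is the part worth getting right: passwords must come from a cryptographically secure source, not a general-purpose random number generator. The following is an added example (not code from the original post or from any of the password managers named) showing how a manager-style generator does it with Python's `secrets` module, along with the entropy arithmetic that tells you how much a given length and alphabet actually buys. The character classes and the 20-character default are assumptions chosen for the example.

```python
import math
import secrets
import string

# Alphabet for generated passwords (assumption: letters, digits and ASCII punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password: str) -> bool:
    """True when the password contains a lowercase, uppercase, digit and punctuation character."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a random password using the OS CSPRNG (secrets), not random.choice().

    Resamples until every character class is present so the result satisfies the
    usual site rules without weakening the uniform draw in any predictable way.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 6) -> str:
    """Diceware-style passphrase: `count` words picked uniformly from a word list.

    `words` is any sequence of distinct words; the example below uses a constructed list.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    # A human-chosen 8-character password drawn from the same alphabet would be
    # far weaker in practice, but even a uniformly random one is only ~52 bits.
    print(f"8 random chars: ~{entropy_bits(8, len(ALPHABET)):.0f} bits")
```

The entropy figure is an upper bound that only holds when every character is drawn uniformly, which is exactly why `secrets.choice` is used rather than `random.choice`; a pattern like `Passw0rd` is drawn from a tiny dictionary of human habits, not from the 94-symbol alphabet, so its effective entropy is a small fraction of the 52 bits the formula would suggest.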

Authentication:
On their own, passwords are good, but two-factor authentication (2FA) is much better (something you know and something you have). Some services use delivery of a code via SMS as the second factor (theoretically proving you have a device tied to the phone number with you, as well as the password), but there are several well-known compromises of the GSM network that make it possible to fake or intercept these. Much better are services which support either physical tokens (eg YubiKey) or TOTP (Time-based One-Time Password) codes (eg Authy or the password manager 1Password which can be used as an authenticator for many popular services).

Phishing:
One way your identity can be compromised is by accidentally entering your credentials on a site that's impersonating the real one - often after tricking you into visiting via a spam email with a carefully crafted link that fools you. One quick warning solution to this is MetaCert Cryptonite which has an extension for most common browsers that helps detect and alert you before entering credentials and exposing your details.
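Extensions such as the one mentioned above work by inspecting a link before you act on it. The following is an added example (not code from the original post or from MetaCert) of the kind of checks such a tool applies to a single URL: is the scheme HTTPS, does the host's registrable domain match a known-good list, and does the host carry the tell-tale shapes of an impersonation (the brand name buried in a subdomain of another domain, a `user@` prefix that pushes the real host out of view, or a punycode label that can render as look-alike characters). The allowlist `example-bank.com` and the two-label approximation of a registrable domain are assumptions for the example; a real tool uses the public suffix list.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the user actually has accounts with
TRUSTED_DOMAINS = {"example-bank.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for the example; TLDs such as .co.uk need the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href: str, expected_brand: str = "example-bank") -> list:
    """Return a list of warnings for `href`; an empty list means no red flags."""
    warnings = []
    parts = urlparse(href)
    host = parts.hostname or ""            # urlparse lowercases the hostname

    if parts.scheme != "https":
        warnings.append("not https: credentials would travel in the clear")
    if not host:
        warnings.append("no host in link")
        return warnings

    if registrable_domain(host) in TRUSTED_DOMAINS:
        return warnings

    warnings.append(f"host '{host}' is not a trusted domain")
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: may display as look-alike characters")
    if expected_brand in host:
        warnings.append("brand name appears inside an untrusted host")
    return warnings


def safe_to_enter_credentials(href: str) -> bool:
    """Convenience wrapper: only proceed when nothing was flagged."""
    return not assess_link(href)


if __name__ == "__main__":
    # Constructed sample links, including shapes a warning tool should catch
    for link in [
        "https://example-bank.com/login",
        "http://example-bank.com/login",
        "https://example-bank.com.login-verify.example/",
        "https://example-bank.com@another.example/",
        "https://xn--exmple-bank-abc.com/",
    ]:
        print(link, "->", assess_link(link) or "ok")
```

The check is deliberately conservative: a legitimate link to a site not on the list is flagged too, which is the right trade-off for the moment just before credentials are typed.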

Device encryption:
Android, iOS, macOS, and Windows all have some level of device encryption built in - if not enabled by default (neither Windows nor macOS turn it on by default), you should turn it on to make it harder to access the content of your devices. However, if you have to give up your PIN/Password then that information can still be accessed (especially easy with devices that unlock with a fingerprint or iris/face), so if you have sensitive material you should consider options to further secure it. For PC and macOS there is the option of VeraCrypt which allows you to create secondary encrypted drives within your main drive, and even stealthed areas that are hidden behind multiple layers of passwords. Not the easiest to set up and use, but for some data this may be required to ensure confidentiality. Sadly there is not yet a solution this secure for phones/tablets, though there are apps that allow you to keep encrypted text notes available (and some password managers like LastPass also have a notepad function).

In the cloud:
If there is a risk that your device will be lost/compromised you can reduce the exposure by not storing any information on it at all. While not as convenient or fast as having everything local, you can run a Virtual Machine (VM) either in the cloud or on a computer at home and use Remote Desktop software to log into that (over a VPN and using 2FA of course!). You should ensure you follow the same security-minded policies even with those remote machines - encryption of the disks/files, strong passwords and authentication are just as important to reduce the risk of compromise.

Are you already compromised?
Any machine you use, you should regularly check for spyware and viruses. Some operating systems have built in software to do this, but for others something like Sophos or AVG (both have good, free options) are a good choice. You should also check to see if your email (and password) has been leaked from other sites via https://haveibeenpwned.com/ and if you show up there, review your unique passwords and 2FA.
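Checking a password against haveibeenpwned.com does not require handing the password over: the Pwned Passwords service uses a k-anonymity range query, where the client sends only the first five hex characters of the password's SHA-1 and searches the returned list of suffixes locally. The following is an added example (not code from the original post or from Have I Been Pwned) of that client-side logic. The range response embedded in the block is a constructed sample with made-up counts; only the `breach_count_online` helper talks to the real `api.pwnedpasswords.com/range/` endpoint, and it is not exercised by the offline demo.

```python
import hashlib
import urllib.request


def hibp_range_query(password: str):
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Search a range response ('SUFFIX:COUNT' per line) for our suffix; 0 means not found."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count_online(password: str, timeout: float = 5.0) -> int:
    """Live check against the real range API; only the hash prefix leaves the machine.

    The Add-Padding header asks the service to pad responses so their size does not
    reveal which prefix was queried.
    """
    prefix, suffix = hibp_range_query(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-query-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return breach_count(suffix, body)


# Constructed sample response for the prefix of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D:0
"""


def demo(password: str = "password") -> int:
    """Offline walk-through: derive prefix/suffix and look the suffix up in the sample."""
    prefix, suffix = hibp_range_query(password)
    return breach_count(suffix, SAMPLE_RANGE_RESPONSE)


if __name__ == "__main__":
    prefix, suffix = hibp_range_query("password")
    print("sent to service:", prefix)
    print("kept local     :", suffix)
    print("seen in breaches (sample data):", demo("password"))
```

A non-zero count means the password has appeared in a public breach and should be retired everywhere it is used; a zero means only that this particular value is not in the corpus, not that it is strong.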


These notes were scribbled together very quickly today when it looked like the bill was going to pass - please share any corrections or feedback via Twitter (@offbeatmammal), and feel free to check out my bio if you need an ethical geek on your side...

Support me, and browse safely with Brave