403: Forbidden v 1.1.0
By Alex Wieder
I came across a post the other day that illuminated how easily security slip-ups can be exploited to hack nearly any road message sign. The signs should be reasonably secure, but due to operator laziness, ignorance, or carelessness, many tend to have keys left in the lock, with passwords set at the default or even written on the inside of the access panel. Simple changes could easily deter most from tampering with these signs, but due to a string of oversights they’re terribly easy to hack.
In the same way that a mass of individual voices can create a strong movement, a mass of individual measures can create strong protection for your devices, software, accounts, and data. Throughout this installment we’ll start at data itself, and work outwards.
Access control and authentication will be key principles woven throughout this series, as they underpin just about every aspect of cybersecurity in both the digital and physical worlds.
Access control, like it sounds, is the act of controlling access to sensitive materials, and can range greatly in complexity. Police use access control during protests, setting up barricades and directing traffic, attempting to control protestors’ actions through access to thoroughfares. Protestors make use of access control by locking their devices and preventing biometric access, to prevent the police from scavenging, deleting, or otherwise censoring information obtained by the detained (more to come in installment 1.2).
The act of authentication, whether it uses credentials such as a password, PIN, fingerprint, even a simple lock and key, relies on secure verification of identity. Any credential you provide is intended to be something that you and only you would know, that can positively and repeatedly verify your identity thus granting you access.
We’re all at different levels of risk depending on our browsing habits, the value of our personal data, even the access we have to other forms of data through our profession or other relationships. While you’re probably not the prime target of the world’s top hackers, it’s important to provide yourself some reasonable protection from even low-level threats.
***
FILE ENCRYPTION
The first place to address your cybersecurity is your files, which in this case means encrypting them. By design, your files can be read by just about any computer, which can be disastrous if they get into the wrong hands. Encrypting your storage drive(s) will reasonably prevent anybody who has your computer or drive(s) from being able to do anything meaningful with them, since the data will be unreadable without the proper credentials.
Encryption can be enabled via the operating system of your computer, and even on your smartphones and tablets, but this is not always automatically activated from the start. While Apple smartphones and tablets are encrypted via their operating system automatically, Android devices require you to manually enable encryption. Most computers don’t automatically encrypt their drives, whether it’s the startup disk or an external, and require you to turn it on yourself. It is important to note that while encrypting does take a while when you first activate it, usually hours or more, it doesn’t have any detrimental effects on your devices’ speed or abilities to access files in regular use.
PASSWORD PROTECTION
One of the most important and overlooked aspects of data security is password protection. Countless threats to your digital life can be averted with strong password protection - whether it’s the password protecting your email account, your debit card PIN, the passcode on your phone, even the password to log into your computer. While we’re forced to use authentication in so many aspects of our lives, we may resort to using lazy passwords, birthday or street address PINs, and repeating these across all platforms, which can amount to low-hanging fruit for malicious entities.
Despite the inconvenience it’s important to use a password wherever you can to provide a degree of access control to your information. This includes your computer, smartphone, tablet, accounts of all kinds, and to protect your encrypted drives.
A good password generally includes both upper and lower case letters, numbers, and special characters, and ideally has at least 12-14 characters. Many accounts, devices, and websites set predetermined rules for what your password may contain, usually to benefit you as a user. However, with different rules for every instance, it can be incredibly tempting to use just one password for them all. Resist that temptation, as credentials that are stolen are often used to attempt access to other known accounts. This can result in a domino effect through your accounts and possibly your identity.
Passphrases can also be used if a traditional password is too difficult to remember, such as the classic “correct horse battery staple” created by the webcomic XKCD (please don’t reuse that passphrase). The protocol in the comic is a bit dated though, and cracking algorithms have advanced in recent years so it’s advised to have at least 6 words in your passphrase, ideally with the same substitutions of case, symbols, and numbers used in a good password.
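To put numbers on that advice, the following added example (not from the original article) generates a passphrase with a cryptographically secure random source and compares its entropy with that of a random password. The 16-word list is a constructed sample, and the 7,776 figure assumes the reader picks a standard diceware-sized word list.

```python
import math
import secrets
import string

# Constructed 16-word sample so the block runs offline. A real word list
# (for example a 7,776-word diceware list) is what gives each word ~12.9 bits.
SAMPLE_WORDS = ["anchor", "breeze", "cactus", "dynamo", "ember", "fjord",
                "gravel", "harbor", "island", "jigsaw", "kettle", "lantern",
                "mosaic", "nectar", "orbit", "pebble"]

def generate_passphrase(words, n_words=6, sep=" "):
    """Pick n_words uniformly at random with the OS CSPRNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy in bits when each symbol is chosen uniformly and independently."""
    return n_symbols * math.log2(choices_per_symbol)

def compare_strength(list_size=7776):
    """Entropy of word-based passphrases next to fully random passwords."""
    # 52 letters + 10 digits + 32 punctuation marks = 94 printable characters
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    return {
        "4 words": round(entropy_bits(list_size, 4), 1),
        "6 words": round(entropy_bits(list_size, 6), 1),
        "12 random chars": round(entropy_bits(printable, 12), 1),
        "14 random chars": round(entropy_bits(printable, 14), 1),
    }

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare_strength().items():
        print(f"{label:>16}: {bits} bits")
```

These figures only hold when every word or character is chosen at random; a phrase you invent yourself, or a word with predictable substitutions, carries far less entropy than the formula suggests.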
Whether you use a password or a passphrase, remembering them can be a challenge all its own. One of the easiest ways to manage all of your passwords safely and securely is to utilize a password manager. These are software programs that encrypt your passwords and store them for your use, and some can even create difficult-to-crack passwords for you that you wouldn’t remember otherwise. While some operating systems and programs can store passwords for you, I highly recommend using an external program like 1Password, Dashlane, or KeePassX as an extra level of protection. If you choose to use a password manager, don’t forget to clear any saved passwords from your browser after you get it set up, both to prevent confusion and to ensure they don’t end up in the wrong hands.
PHISHING
Passwords aren’t infallible though, as we’ve seen in countless incidents over the years. Hackers can do brute-force attacks, where the password is guessed countless times until it is breached, but this is a pretty time-consuming tactic. More often than not, the password is gleaned through a phishing attack.
Phishing.org defines phishing as “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
The root of a good phishing attack is that it appears to be legitimate; otherwise, why would anybody interact with it? The devil is quite literally in the details here; a subtle change of characters in a URL for bankofamerica.com can easily redirect you to bankofanerica.com, having you log in and offer your banking credentials to the creator of that false webpage. Maybe the email contact looks correct and says “Squarespace”, but the email address behind it is a long string of unintelligible text, created to deceive targets into willingly providing their billing information.
Simple tactics such as turning on your spam filter, hovering before clicking any links to see the link behind the text, and setting your browser to not automatically download attachments can all help prevent a phishing attack. Some email services are better than others when it comes to spam filtering. It’s ideal to use a contemporary, mainstream service like Gmail instead of an outdated legacy service like SBCglobal, which may not have up-to-date filters and protections in place.
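The hover check described above, automated as an added example (not code from the original article): it compares a link's real destination with a short list of trusted domains and flags near-miss spellings such as bankofanerica.com. The trusted list, the edit-distance threshold of 2 and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the reader really does business with.
TRUSTED = {"bankofamerica.com", "squarespace.com"}
MAX_DISTANCE = 2  # assumed threshold for "suspiciously close" spellings

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registered_domain(url: str) -> str:
    """Last two hostname labels (simplification: ignores suffixes like .co.uk)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(display_text: str, href: str) -> str:
    """Classify a link by where it really goes, not by what it says."""
    target = registered_domain(href)
    if target in TRUSTED:
        verdict = "trusted"
    elif any(edit_distance(target, t) <= MAX_DISTANCE for t in TRUSTED):
        verdict = "lookalike"
    else:
        verdict = "unknown"
    # If the visible text is itself a domain, it must match the destination.
    text = display_text.strip()
    shown = registered_domain(text) if " " not in text else ""
    if "." in shown and shown != target:
        verdict += "+text-mismatch"
    return verdict

if __name__ == "__main__":
    for text, href in [("bankofamerica.com", "https://www.bankofanerica.com/login"),
                       ("Log in", "https://www.bankofamerica.com/")]:
        print(f"{text!r} -> {href}: {check_link(text, href)}")
```

A "lookalike" verdict is the case to treat as hostile: the destination is one or two characters away from a domain you trust, which rarely happens by accident.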
Phishing attacks have changed greatly over time and take advantage of changes to high technology and software revisions. I highly recommend checking out phishing.org, which has comprehensive information on what to look for, and how to best defend yourself against these kinds of attacks.
MULTI-FACTOR IDENTIFICATION
An additional layer of defense that can help prevent phishing attacks, and save you if your password has been breached, is to enable multi-factor identification whenever possible. Some may be dismayed by the additional steps, frustrated that every time they want to log in somewhere they have to wait for a text message or email to pop up. In this age of immediacy that’s an understandable frustration, but one that offers serious protection for a few more moments of your time.
Multi-factor identification takes the act of logging in a step further by adding a second credential, commonly sending a PIN to a device only you would have access to, such as your smartphone. Even if a hacker had your password, they (ideally) don’t have your phone in their possession, and the verification codes are usually time-sensitive, which lessens the incentive for further attempts. The key here is to make sure your multi-factor identification is up to date; if you get a new phone number, make sure to update it where applicable, and the same goes for email addresses.
BROWSERS & VPNS
Accessing many of these accounts happens in an internet browser, regardless of your device, and that browser can be a vulnerability in and of itself if you’re not careful. The website you’re visiting can see and track when you visit, and your internet service provider or ISP tracks everything you do on the internet while using their services. That means activity, history, time spent, and frequency, among many other aspects of your internet goings-on can be stored, and even sold by that ISP, as well as handed over to authorities if so requested by law. Incognito mode doesn’t hide anything from your ISP, or the websites you visit, it only creates an environment where your immediate history won’t be saved locally by the browser, and cookies get deleted after you close the window.
Your internet history is no state secret, but there are tools you can use to keep your internet history, activity, and whereabouts from being breached by prying eyes, your ISP, and the websites you visit. While you may not be personally distributing politically subversive, or otherwise sensitive information, your browsing history and internet activity is your data, something you own and that’s personally identifiable to you. Keeping your data hidden offers protection, but also prevents corporations, businesses, and individuals from profiting off of your personal information. For those who are using the internet for political activist purposes, the same articles, tools, and resources currently being distributed to aid protest movements can be policed, censored, and shut down with significant ease with the help of your ISP and your browsing history.
Truly incognito internet browsing can be achieved with a variety of tools, one of which is a special browser called Tor or “The Onion Router”. The Tor browser is fundamentally different from Google Chrome; as they explain, Tor “...routes traffic through multiple servers and encrypts it each step of the way.” Traditional browsers route you through a variety of public-facing servers, eventually ending up at your destination, with a paper trail left along the way. In contrast, Tor bounces from server to server, encrypting your connection along the way. This makes it significantly more difficult to track your activities and whereabouts, as well as making any information gleaned difficult to understand due to encryption. You may see some decrease in your internet speed due to the rerouting, but any speed drop isn’t usually noticeable to most users and it’s well worth the protection it offers.
***
An alternative to the Tor browser is making use of a VPN, or Virtual Private Network, which hides your IP address and creates a tunnel between you and the site you’re trying to visit. Your identity is therefore protected since the IP address associated with your visits and activity will be that of the VPN, and not your device individually.
Your choice of VPN is a critical one. Privacy policies and encryption methods vary greatly depending on the provider, and I HIGHLY recommend avoiding free VPN services. While not all free VPNs are malicious, they may be selling sensitive data to advertisers (hence the free service) and don’t invest as highly in the most secure encryption protocols. Some free VPNs will even use YOUR IP address as the exit node for their services, meaning even if you didn’t visit a site, someone else using the VPN could be using your IP address to access their sites.
Paying for a VPN is a worthwhile investment if you’re regularly sending sensitive data, especially on public networks. One notable example would be ExpressVPN, which has a zero-log policy, meaning users’ activities aren’t logged at any point on their servers, as well as a kill switch feature that prevents data leaking in the event of connection failure. Surfshark is another great option, which sports features like Camouflage Mode, which masks your VPN activity so your ISP isn’t aware of your VPN use, and Multihop, which hops your connection across multiple countries to prevent you leaving a trail behind. Both VPNs offer great compatibility across multiple operating systems and devices, and pricing is reasonably inexpensive at $7-$12 per month.
FIREWALL PROTECTION
A final consideration to be made, though easily overlooked and rarely set by most users, is to turn on your firewall. A firewall can help protect your network by filtering traffic and preventing outsiders from gaining access to your computer’s contents. The first place you should turn on your firewall is at your modem, which connects your home network to the internet at large. If you’re renting your router/modem from your ISP, it should have a firewall built into the unit itself, though if you purchased your own you may want to consider purchasing a standalone firewall. The modem firewall is an excellent way to protect not only your commonly used devices, but also your internet of things devices like your smart thermostat, light switches, etc. which still connect to the internet.
A second place to turn on a firewall (where applicable) is on the device itself. Your smartphone probably doesn’t have a firewall, but your computer most likely does. Firewalling your device is an important layer of protection especially on public networks where a firewall may not be present. These can usually be found in system settings or system preferences, depending on your operating system.
***
While this may have been a lot to digest, these are the underlying elements of good cybersecurity that we’ll build on in the next installments. It’s important to make changes in practical steps; you don’t need to uproot your digital life and go off the grid in fear. Start with a few small changes like turning on multi-factor identification wherever you can, or maybe activating your computer’s firewall, and build from there. The internet has become an integral part of our lives, as well as a crucial component of movements for political change, and your security in the digital space cannot be ignored. Your eventual goal should be creating a cybersecurity ecosystem that you can reasonably maintain.
The next installment of 403: Forbidden will cover security considerations for those protesting on the ground, such as preparing yourself and your devices against compromise, secure methods of transmitting information, public surveillance and what you can do about it, and navigating difficult scenarios with the authorities.