The Art of Invisibility
Kevin Mitnick
Rating: 8.0
“Who better than Mitnick — internationally wanted hacker turned Fortune 500 security consultant — to teach you how to keep your data safe from spear phishing, computer worms, and Fancy Bears?”
–Esquire
Since the September 11, 2001, terrorist attacks, Americans have faced unprecedented levels of surveillance.
As digital connectivity spreads into more areas of life, the threat to your personal privacy increases. Networking now embraces much more than computers and phones. The Internet of Things is integral to myriad machines, such as cars and household appliances. Each new use of networking opens another portal for prying eyes.
“Many of us…now accept to at least some degree the fact that everything we do – all our phone calls, our texts, our emails, our social media – can be seen by others.”
Such intrusions follow a range of legal and illegal paths. Governments and law enforcement have taken surveillance to unprecedented levels since the terrorist attacks on September 11, 2001. They can tap phones, read emails and texts, obtain computer search histories, and trace your movements through a cellphone or smartwatch. Corporations track consumers’ online activity and purchases and use the information to target their ads. Criminals steal personal information, or they lock their victims’ accounts and hold their data for ransom. No defense against surveillance and attacks is perfect. A determined hacker can crack any protections. But you can make the hacker’s job more difficult and time-consuming.
Contents
Use long passwords on all your devices and online accounts.
A strong password is your first line of defense. Unfortunately, too many people take a lackadaisical approach to passwords. When hackers broke into the Ashley Madison site, for example, they found that its users’ most common passwords included “123456” and “password.”
“Many people, even executives at large corporations, are lazy when it comes to passwords.”
A strong password contains at least 25 characters and consists of a random string of letters, numbers and special characters such as “%” or “&.” Use a different password for each online account, and set a separate password for unlocking each device you use.
Long, random passwords are difficult to remember, so consider using a “password manager” – software that generates and stores passwords. An open-source manager, such as Password Safe or KeePass, will generate strong passwords and save them in a locked “vault” on your computer. Be aware of the drawbacks of such tools. An attacker could infect your computer with malware that opens access to the password manager. Another problem: If you forget the vault’s master password, you lose all your passwords and will have to reset them.
“All you are really doing by trying to make yourself anonymous is putting up so many obstacles that an attacker will give up and move on to another target.”
To add a second layer of protection, enable two-factor authentication (2FA) on your accounts. The most familiar use of 2FA is on ATMs, where you must establish your identity with two items, or “factors”: your credit or debit card, plus your PIN. When you enable 2FA on a site such as Gmail, you receive a code via a text message from Google. You must input the code when you change your password. Attackers who want to change anything in your account would need your password and your phone.
Use end-to-end encryption on your emails so the host can’t read them.
If you use Google’s Gmail service, Google will see the contents of your email. The same goes for Yahoo or any web-based email service. These companies scan emails to deliver targeted advertisements and detect malware. To protect your privacy, encrypt your emails so that only the recipients can read them. You can buy products for encrypting your messages from companies such as Symantec, or use the free, open-source OpenPGP standard and its implementation, GNU Privacy Guard (GnuPG). Encryption can be complicated, but PGP plug-ins available for the Chrome and Firefox browsers can simplify it.
“Create multiple email accounts – not to hide but to make yourself less interesting to third parties on the internet.”
Snoopers can deduce people’s location through their mobile devices. If you carry a cellphone, wear a smartwatch or use other devices, such as a Fitbit, you send trackable location signals. This is true even if you turn off geolocation tracking. On newer iPhones, the GPS stays on even in airplane mode. Your cellular carrier and your phone vendor, such as Apple or Google, keep records of your travels. A hacker can learn a great deal about you by combining geographic information with other personal data.
Dedicate one laptop to communicating about your health and finances.
Your computer keeps a record of all the websites you visit, and third parties can delve deeply into your affairs by examining your web browsing history. Work around this by using the private-browsing option, which prevents the browser from storing any history of your online use. Nevertheless, your internet service provider can still intercept any unencrypted information you send or receive. Services like Google can track your online activity any time you log in.
Use an HTTPS plug-in to encrypt your interactions with websites.
Search engines like Google keep records of user search histories. Even after you log out, the search engine can link your search terms with your IP address. One solution is to use the DuckDuckGo search engine, which does not record users’ searches. To obstruct third parties’ view of your traffic, you can also use encryption. The Electronic Frontier Foundation’s plug-in HTTPS Everywhere forces websites to operate in a secure mode whenever possible.
Even with these precautions, an online eavesdropper can still see the URLs of pages that you visit. These URLs often contain clues to the content on the pages. For instance, if you look up “athlete’s foot” on WebMD, you end up at a page whose URL contains the unencrypted words “athlete’s foot.” Most health-related sites share your search activities with third parties, who use the data to target online ads to you. The Firefox plug-in NoScript and Chrome’s ScriptBlock will prevent these third-party referrals. Another plug-in, Ghostery, reveals the traffic-tracking services running on a website and allows you to block them.
“It’s easy for malicious software to activate the webcam and microphone on a traditional PC without the user knowing it.”
For an extra layer of security on your financial or health-related accounts, buy a separate computer, such as a low-cost Chromebook, and dedicate it to financial or health activities only. Bookmark your financial and health sites and activate 2FA for these accounts. If you visit no other sites on your dedicated Chromebook, you are unlikely to pick up compromising malware.
Attackers can easily intercept user traffic on free, public Wi-Fi.
Free Wi-Fi in coffee shops, airports and hotels is convenient but insecure. On public Wi-Fi, your online activities are open to anyone who wants to snoop, including criminals who might sell your address to spammers. Someone can intercept your traffic by setting up a “fake wireless access point.” Your computer might connect automatically to the fake access point rather than to the coffee shop’s wireless network. The attacker can then intercept your data, infect your computer with malware, or steal your user names and passwords.
“If you carry your cellphone with you throughout the day…you are being surveilled – even if you don’t have geolocation tracking enabled on your phone.”
Make sure that your laptop isn’t set to choose and connect to a wireless network automatically. If you have to work on private material in public, don’t use Wi-Fi. Use your mobile device’s cellular connection, buy a “portable hotspot” or use a virtual private network (VPN). A VPN service, which usually costs about $60 per year, won’t make you invisible, but will shield your activities with strong encryption.
Use the Tor browser, which doesn’t reveal your IP address.
Even with encryption, an email’s “metadata” remains readable. This includes the data in the “to” and “from” lines along with IP addresses, which can reveal your location along with the locations of all the servers your mail passed through. Snoopers learn a lot by analyzing metadata, including who you contact and how frequently.
“Now that you know the government and corporations are reading your emails, the least you can do is make it much harder for them to do so.”
You’ll be less visible when you utilize multiple layers of security. In public, for instance, you might use a VPN and a Tor browser with the HTTPS Everywhere extension. A Tor browser masks your IP address. Tor routes web traffic through a series of “nodes” around the world. Any website you visit would not see your IP address, only the address of the last node in the series.
In a digital world, your life can be an open book to governments, businesses and criminals.
Unless you are careful, your social-network posts will reveal more than you want people to know. Avoid posting personal details such as your birthday or the city where you grew up. Be careful about “friending” people you don’t know in real life. Examine the site’s privacy settings to control with whom you share information.
“If someone were to pick up your unlocked cellphone right now, that person could gain access to your email, your Facebook account and perhaps even your Amazon account.”
Digital photos contain EXIF (exchangeable image file format) data – a type of metadata that might include the geographic coordinates of where you took the picture. Snoopers can uncover all sorts of personal information by combining a photograph with other software, such as facial-recognition systems. In one experiment, a Carnegie Mellon University researcher was able to learn the Social Security numbers of students photographed on the street by using facial-recognition software paired with data from Facebook accounts. Once you post a photo on social media, you can do little about it. Under their terms of service, social media sites like Facebook can usually store data from users and do anything they want with it, including share it with third parties.
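Added example (not from the book or this summary): a dependency-free Python walk over JPEG marker segments that reads the latitude and longitude out of an Exif GPS IFD and strips the Exif block before a photo is shared. The JPEG bytes are constructed inline for the demonstration and are not a real image; the parser handles both TIFF byte orders and returns None when no usable GPS data is present.

```python
import struct

def _tiff_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):   # constructed test data, not a real photo
    gps_ifd = 8 + 2 + 12 + 4                                              # after header + IFD0
    data = gps_ifd + 2 + 4 * 12 + 4                                       # after the 4-entry GPS IFD
    t = b"MM\x00\x2a" + struct.pack(">IH", 8, 1)                          # big-endian, IFD0 at 8
    t += struct.pack(">HHII", 0x8825, 4, 1, gps_ifd) + b"\0\0\0\0"        # IFD0: GPSInfoIFD pointer
    t += struct.pack(">H", 4) + struct.pack(">HHI4s", 1, 2, 2, lat_ref)   # GPSLatitudeRef, ASCII
    t += struct.pack(">HHII", 2, 5, 3, data) + struct.pack(">HHI4s", 3, 2, 2, lon_ref)
    t += struct.pack(">HHII", 4, 5, 3, data + 24) + b"\0\0\0\0"           # lat/lon: 3 RATIONALs each
    return t + b"".join(struct.pack(">II", v, 1) for v in lat_dms + lon_dms)
def sample_jpeg():                         # JPEG skeleton: SOI, Exif APP1, a dummy DQT, EOI
    app1 = b"Exif\0\0" + _tiff_with_gps((40, 30, 0), b"N", (73, 45, 0), b"W")   # 40.5 N, 73.75 W
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xdb\x00\x04\x00\x00\xff\xd9")
def _segments(jpeg):                       # yield (marker, start, end) of each segment before SOS/EOI
    pos = 2                                                               # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, end
        pos = end
def _ifd(t, bo, off):                      # {tag: (type, count, raw 4-byte value-or-offset field)}
    n = struct.unpack(bo + "H", t[off:off + 2])[0]
    return {e[0]: e[1:] for e in struct.iter_unpack(bo + "HHI4s", t[off + 2:off + 2 + 12 * n])}
def _dms(t, bo, raw):                      # deg/min/sec RATIONALs at the offset in raw -> decimal
    off = struct.unpack(bo + "I", raw)[0]
    d, m, s = [n / q if q else 0.0 for n, q in struct.iter_unpack(bo + "II", t[off:off + 24])]
    return d + m / 60 + s / 3600
def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if the file has none."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            t = jpeg[start + 10:end]
            bo = ">" if t[:2] == b"MM" else "<"                           # TIFF byte order
            try:
                ifd0 = _ifd(t, bo, struct.unpack(bo + "I", t[4:8])[0])
                gps = _ifd(t, bo, struct.unpack(bo + "I", ifd0[0x8825][2])[0])
                lat = _dms(t, bo, gps[2][2]) * (-1 if gps[1][2].startswith(b"S") else 1)
                lon = _dms(t, bo, gps[4][2]) * (-1 if gps[3][2].startswith(b"W") else 1)
            except (KeyError, struct.error, ValueError):                  # no GPS IFD or truncated
                return None
            return lat, lon
    return None
def strip_exif(jpeg):
    """Copy of the file with every Exif APP1 segment dropped; the image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])
```

Running strip_exif over a photo before posting it removes the location, but note that the platform may still attach its own metadata or infer location from the image content.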
Employers can monitor employee activities through company-issued smartphones and computers. They can use GPS features to monitor employees on the road and track office workers through their use of the company computer network. The American Management Association reports that a substantial percentage of employers track workers’ internet use, keep a record of keystrokes and audit employee email. Lock your computer screen whenever you are away from your desk. Don’t use a company printer or a copy shop to print sensitive personal data such as financial information. The company printer’s hard drive will retain a copy of the document, so the company can monitor employees’ printer use. The document will remain on the hard drive indefinitely, and you can’t control what will happen to the drive when the company takes the printer out of service.
Videoconferencing systems are vulnerable to attacks. They’re set to accept any incoming video calls, so someone could call in and look around your office. One researcher found that once he gained control of the conferencing camera, he could move it to see different angles, and could zoom in close enough to read an email on a computer on the other side of the room.
“If you really have something sensitive to do away from your house, then I recommend using the cellular connection on your mobile device instead of using the wireless network at the airport or coffee shop.”
Businesses increasingly rely on cloud-based file-sharing services to facilitate online collaboration. The most popular services – Apple iCloud, Google Drive, Microsoft OneDrive and Dropbox – offer varying levels of security. Workers who use these systems should habitually encrypt files before they send them. That way, you control the keys that can open them, and Apple or the other services won’t be able to unlock them. This is important because data in the cloud do not enjoy the same Fourth Amendment protection that physical data or data on a desktop computer do. Law enforcement can easily obtain files they want from the cloud service provider. Only one cloud service provider, SpiderOak, promises complete data privacy. The company encrypts all the data it stores and has no knowledge of the passwords that open them.
You can’t stop all attacks, but you can make a break-in sufficiently difficult that attackers will switch to other targets.
Maintaining complete anonymity online is an elaborate process. It means creating a separate online identity distinct from your real life. Maintaining invisibility requires constant vigilance – make one mistake, such as using your personal email address on your dedicated computer, and snoopers will have access.
“There’s a truism in the security business that a persistent attacker will succeed given enough time and resources.”
You probably don’t need complete long-term anonymity. But by applying principles of invisibility – such as being careful about how much data you share and utilizing encryption – you can become a little safer online.