Cybersecurity: Protection

October is National Cybersecurity Awareness Month, and therefore I’m focusing for this month on a mini-series of cybersecurity advice. (Originally I posted on my blog, and parts of this will be discussed on this TwitchCon 2017 panel.)

A key concept is that security is an enabler, not a disabler… security enables you to keep your job, security enables you to move into new markets, security enables you to have confidence in what you’re doing.” — Gene Spafford

Protecting yourself online from malicious attacks, advertisements, malware, and people is a daunting task, with terrifying warnings and complex instructions. This article is a guided attempt, rather than a deep dive, into encouraging a more security and privacy driven mindset, especially for content creators like streamers and their moderators and editors. This advice isn’t complete nor foolproof. Best practices may change. And there’s always plenty more to do. But this is an ideal start to increases your own security to protect your (and others through you) privacy, identity, and data from potentially unauthorized access.

Password Security History: Retired National Institute of Standards and Technology manager Bill Burr admitted to The Wall Street Journal that his 2003 password guidelines were misguided. His advice, while well intentioned, directed users towards lazily predictable practices. These guidelines made passwords difficult for humans to remember, but easy for programs to guess. The newest guides published this summer by the NIST’s current Senior Standards and Technology Advisor Paul Grassi completely re-hauls these previous guidelines in favor of more secure yet friendly suggestions.

Use a password manager. KeePassX, Dashlane, Sticky Password, and LastPass are the top contenders with similar benefits and interfaces. They lock up your passwords in a vault reachable from your browser and phone (subscriptions give more features), use one master password to access (so make it a strong and memorable one!), generate randomized passwords, and auto fill web-forms. They also can send reminders to change passwords (which isn’t an issue, but handy in the event of a compromised service) or if duplicate passwords are being used in multiple places.

Randomize your passwords everywhere. Password managers like those listed above can help generate and store passwords away safely. Don’t feel as though you must default to using alphanumeric gibberish, but don’t fall back to predictable phrases like your favorite movie or pet’s names.

Do not reuse passwords on any other services, currently or in the future. You never know when a service announces a compromise, for how long, and to what extent.

Enable multi-factor authentication (2FA / TFA / MFA) everywhere. MFA makes it harder for intruders to get into your accounts even if they have your password or recovery options. You can find these settings here: Google/YouTube — Facebook — Twitch — Twitter — Instagram — Snapchat — Tumblr — Pinterest — LinkedIn — Amazon.

Be wary of installations. Malware scripts can easily hide behind previously trusted or seemingly innocuous software and extensions. Even if the program was clean before, compromises can still occur, like how Avast’s servers for Ccleaner were targeted as a part of a wide-scale, state-sponsored, cyber-espionage campaign.

Use ad and script blockers. uBlock Origin is an open-source browser extension for filtering out several types of content related to malware, ads, and tracking. NoScript only allows JavaScript, Java, Flash and other plugins marked as trusted. It is a white-list based, pre-emptive script blocking approach, preventing exploitation of security vulnerabilities (known and unknown) with no loss of functionality.

Use anti-virus and anti-malware protection. The built-in Microsoft Security Essentials and Windows Defender work well for Windows based machines. Like condoms, don’t double use anti-virus programs for the sake of protection — they’ll fight against and disable each other. Supplement protection instead with scans via Malwarebytes, available on Windows, Mac, and Android. They also also provide an anti-rootkit beta and have a great cybersecurity blog.

Do not overshare data about yourself not critical to the service rendered — not every place needs to know your full name, address, phone number, or connect to your social media profiles.

Lock down your accounts. If you must use the same usernames across all platforms, such as being a public figure like a streamer, make sure there isn’t overlap between your public and private accounts. For personal, private accounts, do not use the same usernames, phrases, quotes, or photos. Lock down viewability access to unaccepted audiences. Like in the multi-factor section above, privacy settings for the US’s most popular social media services can be found in similar places: Google — Facebook — Twitch — YouTube — Twitter — Instagram — Snapchat — Tumblr — Pinterest — LinkedIn — Amazon.

Shut down old accounts. Use a service like Namechk to find and lockdown forgotten accounts (or imposters and catfishes). Use a service like HaveIBeenPwned to check if a service you’ve used in the past, or currently, has been compromised so you can reset account information and logins.

Don’t use Skype. Messages are un-encrypted and maybe be read, and by extension, calls potentially eavesdropped on. If you must use it, such as for business, select a random Skype username unrelated to your online or personal persona. Turn off direct connections for all but added contacts. Be very selective about added contacts and stay offline/invisible. If you are visiting a random city, log in and go online so that the IP last on record is not near where you live.

Guard your home address. Use a mailing address like a post office box for every interaction you possibly can.

Seal up PayPal. If you are creating a new PayPal account, start it as a basic Business account. If you are converting an existing PayPal account, become a basic Business account here. Change your contact information to a proper business email and replace the home address and contact options with a PO box.

Disclaimer! This advice detailed above is basic, beginner information to get people into the mindset of security and privacy protection, mostly geared towards public figures like streamers and their moderators and editors. There are many additional next steps to consider if you’re concerned about security and privacy: such as disconnecting use from most services, using VPNs, encrypting devices (TrueCrypt, Bitlocker, or FileVault) and emails (PGP), and chatting through Whatsapp, Signal, or Telegram.