Surf Modern Internet by Stealth
The Art of Invisibility — The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
1 Your Password Can Be Cracked
The leak of celebrities’ photos gives us a shudder, as we should be in full charge of the data of our own. Tools available on shady forums and github alone could be used to back up your iPhone, or for attackers to get into your iCloud account. Following a suspicious IP address, the police captured someone who had hacked into more than 300 iCloud accounts, but till now no charge has been pressed. Using a hard to guess password is not going to prevent certain tools to crack this, but this could stall the attacker to the point that he gives up.
The easiest and automatic way is to resort to a password manager. But beware that
- The master password could be breached, if the computer’s keystrokes are recorded.
- If you lose your master password, all passwords would be lost.
- Strong passphrases should be long (25+ characters) and be random!
- Never use the same password for 2 different accounts.
Passwords are stored as a hash. Don’t leave your PC open to public, when you’re having a guest at home or more importantly when you got called away from your desk at the office, because of an impromptu meeting. Protecting passwords of online services only works if you’re keep your physical devices safe as well. Use bluetooth to unlock/lock your desktop/laptop when you approach or go away. For mobile devices, biometric and a password together should be secure enough.
Most security questions are too obvious. Someone can scour your social media and gets the answer of your home town or where you went to high school. Be creative about the correctness of these questions. Write them down, or put them in a password manager. Also beware that providing the real answers to these questions is subject to the resell of your personal information, so people could fill in the blank about your profile.
If your email is hacked, the first thing to do is reset the password, a much stronger one. Second, check sent box or spam to see what emails have been sent. See if some addresses are added to the contact.
Two-factor Authentication encompasses what you have, what you know and what you are. But this still isn’t quite secure. A gmail password reset message is sent to your phone, and the attacker sent immediately a second message warning the possibility that your account is under attack, and asking you to send the secret code to ‘prevent’ this. Instead, use Google Authenticator, which doesn’t require a message to your phone.
For financial matters, I recommend that you use a chromebook (iPads are just too expensive) exclusively for banking. Install no other software on that device, and when you’re done with it, put it away. This sounds like and is indeed a huge hassle, but you’re far less vulnerable to attack this way.
2 Who else is reading your email
Emails, even deleted, are still stored somewhere on a server of that hosting company. Third parties will access these for sinister reasons. Yahoo, for example, scans the emails and uses that as a means of targeting advertisement, which is their main source of income. Google stopped scanning emails in your archive, but started to scan all emails sent and received. Your network may also choose to scan your traffic, for malsoftware and confidentiality purposes. Nevertheless, there’s always a good chance that the emails you sent, be it deleted or not in the future, will live on for quite a long while.
MTAs(mail transfer agents) may still use exposing channels to transfer mails. So use asymmetric encryption to protect your emails from end to end. PGP or GPG can also work well. Always verify the identity of the other side, the recipient might not who you believe to be.
You want public algorithms and private keys, not any proprietary algorithm. When sending any messages, use end to end encryption. For emails, use something like mailvelope to encrypt emails whenever possible. Yet meta data, such as subject, recipient’s IP address, sender’s IP address, date and so on, will persist to be in plain text. Third parties can see these data and figure out some patterns out of them.
Sending a email to an IP address of North Korea is suspicious, even if your subject is merely “Happy Birthday”. A 20-minute phone call at 11pm to some psychatric hotline reveals a lot about this person’s emotional status. To fully hide yourself, you need to remove the IP address, your fingerprint on the Internet. A remailer can hide the sender’s IP address, but type I and type II do not allow replies. Type III does offer full service.
Tor is free and open source, created to stay anonymous online. The nodes between you and the server will change frequently, thus no one can restore that route. Two drawbacks still exist: 1. the node you’re connected to might be controlled by government. 2. Page loading is slow. Use a specilized device for Tor, not your day-to-day device for browsing.
To go completely anonymous, you need a burner. Definitely cut off all connections to the past, including any email services or phone numbers. Via Tor, create a new gmail account, using the burner’s number. When using this invisible account, log in only through Tor and don’t search the Internet, since you could reveal your identity inadvertently. This requires a ton of perpetual diligence, but worth it in order to go incognito.
3 Wiretapping 101
IMSI(International mobile subscriber identity) creates a unique pair between your phone and the cellular towers. Some towers have been established just to intercept your messages. Others are used to monitor traffic status, based on how fast your signal moves from one tower to another.
Your phone when powered up connects to a series of cellular towers. The nearest one handles the actual phone call. But all have continuous signals transferred from your phone, identified by a unique TMSI, whether you make a phone call or not. Law enforcement can and does check the log of these records. Using a burner, if the purchase doesn’t reveal your identity, would be safer.
All cellular technologies are based on signaling system protocol, which could be used for surveillance. Researchers have found that these networks are more or less easy to tamper with. We need end to end encryption, for the network itself never is secure enough.
Whether it’s a physical switch at a phone company or a digital switch, law enforcement does have the ability to eavesdrop on calls. Digital phones are more vulnerable to monitoring than traditional landlines.
VoIP is great for laptops and tablets which might not be able to access cellular towers. Internet is used to transfer audio datagrams, but the security is still at risk. Some vendors still use symmetric encryption, and send the key over to the recipient not though SSL/TSL, which pretty much renders the whole process useless and susceptible. Other services stealthly keep the key at the server side, so that won’t protect you either.
Signal, an app available on iOS and Android, tackles this problem by keeping the key only on your own device, and destroying the key once the session is ended. Moreover, the keys generated are not the same. So even if one key is compromised, your further communication will stay secure and unintelligible to third parties.
4 If you don’t encrypt, you are unequipped
SMS text is proclaimed to be deleted within days by multiple carriers in the US. But traces can still be found and messages have been restored in the past. They are not as secure as you think.
Don’t use the native message service that comes with your carrier. Use a third party app that employs end-to-end encryption. But they are too susceptible to surveillance. No logs are good logs. Refrain from Whatsapp and Telegram, since all have been successfully hacked. What remains is OTR(off the record) and PFS(Perfect Forward Secrecy) messaging. Signal is a good choice. Unlike open source projects, propreitary applications cannot be fully trusted.
5 Now you see me, now you don’t
You can avoid leaving browsing history in the first place. Despite the hidden/incognito mode provided by all major browsers, your credentials still travel through your ISP. HTTPS is much secure than HTTP. Beware of any account you’re logged in, such as microsoft or Google, which can track all your behavior to provide better targeted ads. Don’t use the Safari or the browser that comes with the mobile device. Use private browsing whenever possible.
Enable HTTPS Everywhere. The browser will check the certificate to confirm the identity of websites. The most stringent one being Extended Verification Certificate.
Disable location tracking function. You might also want to fake your location. Use a plugin called Geolocator in Firefox, or in Chrome: open developer tools, click the triple-dot in the upper right corner, more tools, and select sensors to change your location.
Disable the auto synchronization. You might accidentally leave it open to others. Be vigilent when using a public terminal. Be careful when you’re using a shared service like family plan. Data can get synchronized and content from your past will also appear on another device. Set up multiple users if possible, and keep the administrative access to yourself.
Browsing history will remain on the cloud even if deleted on your own device. What you search for today might come back to haunt you tomorrow. Search results from Google, Yahoo and Bing are filtered based on your past history, which is still a form of censorship, whereas DuckDuckGo provides zero tracking policy.
6 Every mouse click you make, I’ll be watching you
HTTPS will encrypt the content only if the website supports it, but never the URL. And websites will send these information to third parties without you knowing, usually for advertising and marketing purposes.
Just like other applications, browsers will expose your meta data,Operating System, resolution and addons alike. One way to defend yourself is by using a virtual machine.
- Pop up windows can display no visible elements, for the only sake of connecting to third parties and tracking. Instruct your browser to disable this function.
- When you click a link on a website, the target website will know where you come from, i.e. your previous history will be recorded. Ads are put at the corner of the page. Go to Google to search for that site to avoid this. NoScript in Firefox can block scripts and flash, leaving your trace at bay, although you can cherry pick some elements to load. For Chrome, use ScriptBlock. Another solution is AdBlock plus, but the company will track your history as well. Ghostery is another useful option to disable trackers on a webpage.
- Create multiple emails to make yourself less interesting to third parties. For shopping, use an email address specially for that, have the boxes sent to your mail drop, and add balance with a gift card. When it comes to social networks, use another public email address, and give each nonprimary address a unique fake name.
Cell phones are not immune from tracking. Cookies are pieces of text stored on your browser, which are not dangerous by themselves. Removing cookies from one-off visits to sites need be done regularly. Cookie with name that does not match the name of the website should be deleted. Super cookies exist on your computer even after the browser is shut down and hence should be eradicated ASAP.
Equally pesty are tool bars. Read all checkboxes before install anything, that could save you a lot of hassles.
Now HTML5 introduces canvas, whose fingerprint can be tapped into to build a online profile. Plugins such as CanvasBlocker for Firefox and CanvasFingerprintBlock for Chrome tackle this issue.
Credit card companies do track us online. You can circumvent this via Bitcoin, with anonymous email address and gift card.
This post will be actively updated, so stay tuned.