Ask any random person on the street about digital security and very few of them have given much thought to protecting their digital information. In fact, most people only know the basics: pick hard-to-guess passwords, make sure your banking information is secure, never share your passwords with other people, maybe something about antivirus protection. But these are also the same people who blithely and routinely post vacation photos for the world to see while they’re still on vacation!
In the Age of Trump, we have to be more vigilant – the term of art used by experts is “increase your security posture.” The Trump administration will have a very powerful surveillance state (federal law enforcement, NSA) at its disposal. Furthermore, many of the extremist groups that oppose our efforts will also have various capabilities. Not to mention, hackers (ranging from lone actors to state-sponsored groups) will still be active, all with their own motivations.
One thing we know for sure: our adversary is playing for keeps. Having watched the aftermath of the 2016 presidential election (particularly the havoc wreaked on Hillary Clinton’s campaign by hackers) and such public imbroglios as Gamergate, we know that they will stoop to any methods to achieve their goals.
Fortunately, just a handful of measures will exponentially increase your digital/information security – thus keeping yourself, your activities and private life, and other members of any groups you’re a part of safe and secure.
Before reading the list below, let’s get a few things out of the way:
- Becoming 100% secure is not remotely achievable. Even the most dedicated and vigilant folks will experience some kind of security issue – be it falling for a phishing email or accidentally executing malware. Think instead about reducing your exposure to risk. What you can do is become such a hard target that malicious actors (be they hackers or members of the surveillance state) just move along.
- There are no silver bullets in security – no single remedy, task, or activity (including the ones listed below) can make you secure. Instead, you need to put in place a series of security measures. Experts call this “defense-in-depth.” Think about how castles are structured: they have moats, drawbridges, walls, and inner keeps to keep invaders out. They also have archers on the walls, patrols inside the walls, and locked doors in sensitive areas. Castles don’t rely on just one measure to stay secure – and neither should you.
- There may be some situations that call for common sense no matter how securely you’re living your life. For example, just because you’ve encrypted sensitive files with the most powerful tools available doesn’t mean you should tell everyone where you’ve stored the file – that basically amounts to a massive dare. Similarly, if you want to keep your activities within a resistance group secret, hinting to a stranger at a bar that you’re part of a group will work against your goal! A little common sense goes a long way in terms of security.
Okay, let’s just get to the list.
1) Create strong passwords and keep them secure. Passwords are the first line of defense and are prime targets of most efforts to get at your information. First step: stop trying to use all those tricks and remedies you’ve picked up along the way to manage passwords in your head. You know what I’m talking about: names of pets combined with favorite Beatles lyrics and then a “123” at the end.
No matter how good you are at this game, you have too many accounts (Facebook! Online banking! Retail stores! Netflix! Amazon!) and you’ll eventually start falling back on all the bad habits that will get you into trouble, i.e., creating weak passwords, recycling/reusing passwords between sites, or using special prefixes or suffixes on formulaic passwords to distinguish them (like “fb” at the start of a password for Facebook, “gm” for Gmail, and so on).
Instead, you need to install a password manager like 1Password or LastPass. These tools allow you to create an encrypted vault protected by one very strong password (the last one you’ll need to remember) which contains usernames and passwords you use all the time. These tools can also generate strong passwords for you, and allow syncing across all your devices so you always have them on hand.
2) Make sure all devices and computers require login. I know it’s a pain in the neck, but this one step can keep a lot of your information safe. And don’t settle for a numeric PIN on iPhone (for example) – use the alphanumeric option to create really strong passcodes that will take forever to guess. While you’re at it, make sure your devices wipe memory and data after a set number of failed attempts.
3) Encrypt your filesystems. Use BitLocker on Windows and FileVault on Mac. Store the recovery key in your password manager. That way, if anyone steals your device (or subpoenas it) and can’t get past your login screen, pulling your hard drive and accessing it directly will only yield further frustration.
4) Keep your devices patched/updated. If you’re on an end-of-life operating system, upgrade! Most hackers don’t use extraordinary measures to break into systems, they use well-known (and public) exploits against out-of-date software. Simple hygiene in this regard can keep a lot of trouble from your doorstep. This attack vector combined with phishing emails and other social engineering attacks (see below) make up a huge percentage of the threat!
5) Keep your antivirus software up to date. Don’t fall for the old “Macs don’t get malware” bit either. Malware comes in various packages: some install keyloggers that capture your usernames/passwords, others destroy or corrupt files/data, others steal it (exfiltration is the term of art), others enslave your computer to do the bidding of another computer (usually involving it in criminal tasks), and still others encrypt data and then demand payment to unlock it (ransomware!).
6) Back up, back up, back up! That way if you do get malware/ransomware that corrupts your filesystem or steals your data, you can get it back. iCloud works here, as do other services like Dropbox (beware though, you should encrypt your backups!).
7) Turn on two-step verification (2SV) or two-factor authentication (2FA) wherever possible. 2SV usually involves getting a code via text message or another device whenever you log in to a service. 2FA involves having not only a password (something you know) but some other factor to complete the authentication process (fingerprint – something you are; USB token – something you have). There are few commercial services that provide 2FA, but 2SV is becoming more available.
Please note: 2SV is not a fail-safe system! Skilled hackers can easily clone your mobile phone number (if they know it) to get those codes texted to them as well. (Do I sound like a paranoid crank yet? Don’t worry, it’s only paranoia if they’re really out to get you…just ask the Hillary Clinton campaign).
8) Go private on social media accounts. If you can, lock them so they’re visible only to friends/followers. Turn off all location services so that photos, tweets, and updates contain no metadata that might fix your location. Furthermore, set privacy levels such that users can’t find you via your phone number and/or email address.
9) Watch what you share and say in public, and that includes social media. Remember those old posters from World War II days: Loose lips sink ships. Even if all your social media accounts are private, posting photos of your participation in a counter-protest may feel good and get you many likes, but it can lead to a number of consequences.
For starters, you’ll garner attention from people who won’t like you. You may think to yourself, “I don’t care” but posting this photo might reveal the identity of another group member who might lose their job or suffer other consequences. We live in an age where our adversaries feel no remorse using such tactics as doxxing (posting work/home phone/address and other personally identifying information on the internet) and swatting (calling the police to say there is an armed gunman at your home address to elicit a SWAT response).
So posting that photo and getting a thousand likes might feel good, but the fallout might ultimately make you less effective to the group (i.e., it’s hard to resist Trump when you’ve lost your job or you’re worried about crazy people posting death threats along with your home address on the Web).
10) Learn how to identify and defeat phishing emails. Hillary Clinton’s presidential campaign was the target of widespread phishing (and spear-phishing) attacks. These emails purport to be from a legitimate service making a routine request – in this case, “we noticed that someone was trying to hack your account, please change your password.” Anyone who clicks the link is of course taken to a hacker’s website that gathers the user’s account username and old password (and of course never updates with a new password!).
All of us remember and laugh at the Nigerian prince emails that make the rounds. Think about this: they’re so prevalent because they work! It only takes a vanishingly small percentage of people to respond to make those efforts lucrative for criminals.
Be advised that most of the phishing emails you’ll see are extremely good! They’ll look exactly like the emails you might get from your bank, a social media app, or favorite retailer.
How to spot a phishing email? Some dead giveaways:
- Spelling/grammar errors in the subject line or message
- You’re not addressed by name (more like “Dear Customer”)
- The URL the link goes to isn’t quite right (e.g. it might go to google.badhacker.com instead of google.com)
- Oh yeah – the fact that most services won’t ask you via email to update your password!
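The third giveaway is the one a program can check mechanically. The Python below is an added example, not code from the original post: it takes every link in an e-mail body and compares the link’s host against the expected domain from the right-hand end, so google.badhacker.com, google.com.badhacker.com and a path that merely contains “google.com” all fail, while accounts.google.com passes. The badhacker.com hostnames and the sample e-mail are constructed for illustration.

```python
# Added example: mechanically apply the "URL isn't quite right" check.
# badhacker.com and the e-mail body below are constructed for illustration.
import re
from urllib.parse import urlparse

def registered_domain_matches(url: str, expected: str) -> bool:
    """True only if the link's host is `expected` or a subdomain of it.

    The host is compared from its right-hand end, which is what defeats
    the look-alike tricks: google.badhacker.com and google.com.badhacker.com
    are subdomains of badhacker.com, not of google.com.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar schemes never qualify
    # .hostname drops any "user@" prefix (so google.com@badhacker.com gives
    # badhacker.com) and lower-cases the result.
    host = (parsed.hostname or "").rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def suspicious_links(html: str, expected: str) -> list:
    """Every href in an HTML e-mail body that does not lead to `expected`.

    The visible link text is deliberately ignored: the sender controls it,
    and it is usually written to look exactly like the real site.
    """
    return [u for u in HREF_RE.findall(html)
            if not registered_domain_matches(u, expected)]

# Constructed sample: the visible text says accounts.google.com, the href does not.
SAMPLE_EMAIL = """
<p>Dear Customer, someone tried to sign in to your account.</p>
<p><a href="https://google.badhacker.com/reset">https://accounts.google.com/reset</a></p>
<p><a href="https://support.google.com/accounts">Help Center</a></p>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "google.com"):
        print("do not click:", link)
```

Hovering over a link in your mail client shows the same href this code reads; the check above is simply what to look for when you do.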
Pro tip: If you’ve installed a password manager and turned on their monitoring services, you’ll find out if/when a system you use has been hacked or breached!
So what do you do if you get one of these phishing emails? Stop what you’re doing, open a web browser and go directly to the site in question to log in. In other words, don’t click the link to go to your bank; enter the URL you know and love directly into your browser. Simple as that. If there really is a problem, your bank/retailer/service will probably display a warning and/or ask you to reset your password right then and there.
Oh one more thing – pop up ads that say things like “we’ve detected malware on your system, please click here to clean it up” are super bad. Do not click. Just close the windows!
11) Certain sites (cough, cough – pornography) can be potential watering holes. A watering hole is any site that attracts traffic and which infects visitors with malware. Hackers love to seed high-traffic sites with malware to infect as many visitors as they can. The best remedy here is to not visit those sites, of course, but you’ll want to keep your antivirus up to date!
12) Learn how to identify and defeat social engineering. Social engineering is related to phishing, but it’s usually done over the phone (and rarely in person). It’s basically tricking you into revealing something important or otherwise behaving in a way that isn’t in your best interests.
An example is someone calling you from “the IRS” or a “Loan Office” to tell you that you owe them money. During the high-pressure call, they’ll want to know your social security number, date of birth, and other information that could be used to defeat password reset systems at your bank (and they’ll know you bank at such-and-such a place because you took a selfie there to celebrate getting your home loan and then told all your Facebook friends about it).
Other social engineering scenarios might actually try to convince you to reset or share your password right there on the phone. A good way to resist this scenario is to take the person’s name and then call the main number to your bank (or whatever) and then get transferred back to that person.
In-person social engineering is more common in commercial environments and usually involves getting physical access through a badge-controlled area (a guy walks up in a UPS uniform holding a heavy box and a helpful employee opens the door), but these situations have been known to happen in everyday life.
Some examples:
- Be suspicious of any person who shows up at your house, without an appointment, who wants to perform a service you have not ordered or requested. If they are a city employee, call the city to confirm they are who they say they are.
- Similarly, people purporting to be door-to-door salesmen, proselytizing ministers, or the like *could be* just that, or they could be gathering intel on who is home at what times.
- When traveling, you might encounter individuals who approach you in social settings and engage you in conversation over drinks (for example). A good rule of thumb for everyone (but men especially) – if painfully attractive people don’t normally hit you up in your home town, it’s probably not going to happen while you’re on the road. Be suspicious.
Are you likely to be targeted out of the blue? No, not likely. Are you likely to become targeted if you become very active in a resistance movement? Could happen! So keep a low profile if you want to reduce your exposure to this risk.
Why spend so much time on social media hygiene, phishing, and social engineering? Because even if you create strong passwords, keep files encrypted, patch and upgrade, and keep antivirus up to date, you’re still vulnerable to low-tech attempts at getting through your defenses.
The weakest link in any security situation is almost always the distracted or fooled human who clicks a phishing link or divulges information to a seemingly innocuous stranger.
Make yourself less vulnerable!
Such a great resource thanks. Is your group thinking of using Signal for texting among members? I’m trying to see if ours (Indivis East Bay) can do so. Also, no real obvious suggestion for encrypted email, is there? Seems very involved to do PGP etc. etc.
Signal for text, Protonmail for email; also look into Semaphor for a Slack-like-thing.