Five Easy Ways to Increase Your Digital Safety & Security TODAY

In a previous blog post, I created a list of a dozen or so things anyone could do to increase their online/digital security.

It’s time to revisit this topic, but this time with a bit more focus. A dozen security tasks seems like a lot, doesn’t it? Well, don’t worry, you can massively increase your own digital security/safety by doing just a few things, so I figured I would just concentrate on five items.

Here are the five that top my list:

  1. Create and use strong passwords for all online accounts and identities. Stop using your birthday, anniversary, dog’s name, and favorite teacher’s last name in your passwords. And stop reusing the same password (or slight variations on the same theme) on all your online accounts (Facebook, online banks, commerce, etc). Instead, use a password manager like 1Password or LastPass – these apps can create and store random, impossible-to-guess passwords. If you want to log in somewhere, just have the software feed the username and password to the site, and you’re in. My goal is to never know another password – except for the one that opens up my password manager. That one I keep memorized!
  2. Enable two-factor authentication (2FA) or two-step verification (2SV) everywhere. When you log in to your bank or other important online accounts, you can opt to receive an alphanumeric code via text message. This simple expedient increases your security a lot – think about it: even if hackers do guess or steal your password, they won’t be able to get in without that second code. Getting a text confirmation is an example of 2SV, which is not the same as 2FA. 2FA is when you use your thumbprint, or a code from a secure token in your physical possession as the “second factor” in your login attempt (the “first factor” is your password). Either way, 2SV and 2FA make it much harder for unauthorized people to get into your most important accounts.
  3. Protect all devices with passcodes, PINs, and passwords. Make sure that all smartphones, laptops, and other computing devices are protected by strong passwords, passcodes, and long PINs (at least 6 digits – and if your devices support alphanumeric PINs then by all means do that too!). That way, if your devices are lost, stolen, or subpoenaed, they won’t automatically be wide open to a stranger’s prying eyes/fingers.
  4. Keep your software and systems up to date. Hollywood movies would have us believe that hackers break into computers using really sophisticated software packages that bypass encryption and defeat firewalls. Not really. The majority of breaches occur because the bad guys detect a completely out-of-date version of an OS or software running on your phone or laptop. The out-of-date version has a well-known security problem, which they use to get into the system – and from there they start to take over that machine or device and then move on to other systems. Keeping your systems updated and patched can be a giant pain, but it’s an essential part of security hygiene.
  5. Be cautious about what you publish on social media. We’ve all gotten pretty used to sharing a lot about our lives: favorite books and movies, photos of family and friends, news about vacations and promotions, photos of social gatherings at favorite haunts. Unfortunately, every post on Facebook, Twitter, Instagram and other services helps to paint a portrait of your interests, routines, and social circle. Any and all of that can be used against you by someone who wants to gain your trust, or exploit your absence (think about all the homes broken into because people post vacation photos while they’re on vacation!). If you can’t lock your accounts or make them private, just be very aware that everything you post on social media is something you are telling the entire world.

How Your Voices Made a Difference Last Week: March 12, 2017

Increase Security Awareness: Honeypots

We live in interesting, complex times – and a lot of it is due to the internet. Its power and reach is immense. We use it to organize, to get our message out, and to build movements.

But there are plenty of bad actors out there who want to use the internet’s power against us. In pop culture, you always see the bad guys using really complex code to break into computer systems and databases. In reality, hackers and other bad guys use more straightforward attempts at trickery:

  • They’ll send phishing emails to trick you into changing your password on a site that looks exactly like your bank or email provider.
  • They’ll set up honeypots (i.e., decoys) to trick you into signing up for services that appear legitimate but are actually anything but.
  • There’s lots more besides – like seeding popular websites with malware (this is called a watering hole attack – think all the animals on the savannah going to a watering hole, not knowing a predator lurks nearby). If you visit popular porn sites, for example, beware! You’re likely getting hit with malware. So update your antivirus protection. And if you need information on this, tune in later.

Let’s take the second case here – honeypots. Far-right groups are now setting up websites and online petitions to trick antifa groups (that’s anti-fascist brigades, BTW) into divulging their personal information. This is part of a deliberate campaign being waged to help identify and unmask these people – mostly because antifa has been extremely effective at countering far-right activities.


At first glance, these fake online petitions and sites look totally legitimate, down to the URL, which might be something like antifascism.org cited above. Everything about the design, web copy, and stated goals is meant to trick antifa members. Once a member of antifa logs in and signs the petition (often by providing their name and email address) they’ve now set themselves up for doxxing by the groups running the petition.

What is doxxing? It’s the repugnant practice of publishing someone’s information on the internet with the stated goal of harassing them. In the past, doxxing victims have had vital information published: names, home/work addresses, phone numbers, and social security numbers.

In this particular case, the far-right / neo-nazi groups want to doxx antifa to make them personally vulnerable and less effective in their actions.

Okay, so what’s the remedy here?

  1. As always, be aware. Use caution and think twice before committing to any online activity. There’s no need to be so paranoid you don’t log into the internet at all, just be aware of what you’re doing and what’s happening around you.
  2. Specifically, use caution when divulging your contact information anywhere on the internet. Do you know the people setting up the service or petition? If not, do you really want to divulge your personal information?
  3. Consider the creation of a secondary identity to fill in these kinds of forms. Never use your work email/identity, and think twice before using your primary personal one.
  4. Consider the use of Tor browser – it anonymizes your traffic and makes it much harder to identify sites you visit and the activities you engage in on the internet.
  5. Coincidentally, we’ve just published an article on the many Meetups that have recently cropped up claiming to be Indivisible. Just so you know, the Central Texas meetups have not been organized by us – so use caution.

Why Slack Isn’t Such a Good Idea

Disclaimer: I can’t tell you what to do. I am not dictating a policy here, nor do I have the means to enforce one. This is a discussion of basic security concepts as they apply to Indivisible teams & data and how Slack measures up. It also includes some mitigations to take if you do decide to use Slack.

Anything I say below can be applied to any/all communication technologies and methods: social media, email, Signal, Slack, face-to-face communication. Please keep our member & leadership data safe in the Era of Trump.

There’s been a lot of talk about using Slack as a communication tool to help keep all of our fast-growing Indivisible teams coordinated and moving forward. Although it has a very shiny interface and is fun and easy to use, it leaves a lot to be desired when it comes to security. In fact, lots of companies are leaping into the space to provide secure chat.

GROAN. YES! I can hear you groaning. “Oh, it’s the security guy, he’s always the party pooper.” Well guess what, I’m here to give you a few tidbits on security.

Focus on Security Essentials

Let’s think about what is most important to our cause:

  • Our member and leadership data. As in, anything that can personally identify them. Think to yourself, what happens if data about your members or leaders (names, emails, phone numbers, addresses) gets leaked or is hacked? Those people get PERSONALLY affected, is what happens. Think about that for a second. How effective will your teams be if they’re all doxxed? Or if just your leaders are doxxed? Or if people get fired because their Trump-loving boss figures out what they’re doing? Or if someone in a bright Red county loses all their business customers overnight because of a data breach? When you think about risk in this way, things come into sharp focus.
  • Our plans. Think how our adversary could mess with us if they knew what we were about to do. What if you’re planning to show up to a congressperson’s office and do all that planning in an open forum, and then the Congressperson decides to avoid you? And it’s because you talked about your plans on an open channel and all your efforts come to naught.
  • Our ability to coordinate and control effectively. Think about people with bad agendas inserting themselves into conversations. Impersonating users because they stole their passwords and assumed their identities, or stole their devices. Issuing commands to go one place across town when we were supposed to be some other place. Or cancelling an event when in fact we were supposed to be there. In an era where Russians have likely hacked our elections, do you think any of this is far fetched? ARE YOU THINKING LIKE A SECURITY PERSON YET?

If you can secure these three aspects of our information security, you can go a long way toward keeping our members and initiatives safe across all of our Indivisible chapters.

The above should form the foundation of how you evaluate security on any platform: texting, email, Signal, Slack, whatever. If you can keep the three aspects of our operations secure, you know you’re on the right track.

So, think this through:

  1. You want your most sensitive data (member information, leadership data, plans) in your most guarded and secret places. That would be Signal for example.
  2. You want action messages and final plans to be on public spaces: blogs, social media, emails, mass texts.
  3. At all times you want to make sure that the person(s) you’re communicating with are actually, for real, the person(s) you intend to communicate with. And not someone who is impersonating them because they stole a password or cloned their phone number.

How Does Slack Rank Security-Wise?

Now that we have some basics down, let’s talk about Slack. It’s so SHINY and PRETTY. But you should know by now that pretty things aren’t necessarily good for you. Let’s see how it stacks up to our three criteria above.

  1. The encryption used on Slack is controlled by Slack. Which means no end-to-end encryption like on Signal. Which means that Slack admins can, according to their privacy rules and their own technical stack, look at your conversations. Even if they aren’t willing to do it, they can be subpoenaed to do so. So this means we can’t keep member/leadership data safe on Slack. Nor can we keep our plans safe on it.
  2. All conversations are kept on their servers. You don’t own those conversations. Slack has the data. In a centralized place. Where hackers can get into it. Which has happened. So, once again, our data is not safe on the platform.
  3. CAN I JUST ALL-CAPS REMIND YOU ALL THIS STUFF ON SLACK CAN BE SUBPOENAED? Okay, let’s see, let me give you an example. Hulk Hogan’s trial against Gawker, paid for by Peter Thiel, WHO IS ON TRUMP’S SIDE. Part of this involved Slack chat messages. Is it safe? Is it secure? NO GANDALF IT IS NOT.

Given all three things above, I’m personally never going to use Slack. There’s no end-to-end encryption, I don’t own the data (which hangs around forever and can be looked at by their admins) and it can all be subpoenaed.

I’m out.

You’re Totally Going to Use Slack, Aren’t You?

Here’s where the real world intrudes. As much as the security guy shouts from the rooftops about something, most people will do their own thing.

It’s okay, security people are used to being ignored until something horrible happens. At which point they can say, “I told you so!” while drinking numerous beers and catching up on favorite episodes of Firefly.

I can’t stop you from using Slack. I also can’t stop you from standing up in the middle of Main Street with a megaphone and telling anyone who cares to listen what our most secret plans are.

So you’re going to use Slack. Great! Here are some things to think about if you so choose to do this thing I’m begging you not to:

  1. Remember that Slack is an open channel. NEVER fully identify a member or leader on there. First names only. NEVER divulge emails or phone numbers. NEVER EVER EVER.
  2. Only use Slack to divulge last-minute coordination efforts, never for planning and discussion. Use Signal and face-to-face meetings for planning. Use Slack, social media, and email to alert the necessary teams of final decisions.
  3. Turn on 2-factor authentication in Slack (this option was made available because they were hacked, but okay, they took a right step).
  4. Force everyone on your team to use 2-factor authentication. This way you’ll have some assurance you’re talking to the right person. Or at least, a real person. Try googling “how to not get catfished” if you want an entertaining evening.

Okay, that’s it. Go forth and do your thing. Remember to keep yourselves and other members of Indivisible safe!

Next Meeting: Saturday January 7 at 10:00 AM

Have you ever watched a movie or read a book and imagined yourself the hero? Perhaps you spent a pleasant few minutes visualizing yourself outwitting the terrorist, solving the Da Vinci Code, firing the shot that takes down the Death Star?

Well, now’s your chance to get in on some real action. Your chance to get involved in a grassroots, local effort to save our country from the dark and dangerous path it has embarked upon. Your chance to take small, meaningful, everyday actions that will make a difference.

It’s a new year and a new age in America. What better time to suit up and become a real life action hero?

Join IndivisibleATX and #resist the Trump regime.

Our next meeting will be:

Saturday, January 7
10 a.m. – 12 p.m.
Fellowship Hall
United Christian Church
3500 West Parmer Lane (just off of MoPac)

The church is on the north side of Parmer Lane (your right as you exit MoPac onto Parmer). It has plenty of parking. You’ll enter through the main doors and will immediately be in the fellowship hall.

You are welcome to bring a sack lunch, but alcohol and tobacco (including vape) are not permitted on church property.

Please download this PDF before the meeting:
IndivisibleATX – Congressional Contacts & Schedules

For more information, please email Ask@IndivisibleATX.com.

Happy New Year 2017

Today is the first day of a shiny new year. 2016, with all of its bad news, is over. Good riddance to bad rubbish!

I hope you all have had some time this holiday season to renew and recharge yourselves, because 2017 is going to be a busy time!

Are you ready to resist? If so, read on!

  1. It’s time for a practical, action-oriented mindset. Ever since the election, I’ve been watching everyone go through their stages of grief. In order to be effective you have to live in the real world and not be stuck in some early stage of grief:
    • Denial – “I can’t believe Trump won the election!”
    • Anger – “What the hell is wrong with everyone – why did voters do this???”
    • Bargaining – “Okay, maybe if we can convince the Electors to change their votes…”
    • Depression – “This is really happening, isn’t it? Okay I’ll drink myself into a stupor / hide under the blankets / ignore the world…”
    • Acceptance – “This is happening, and although I don’t like it, I have to face the reality of a Trump presidency.”
  2. So if you’ve read this far and you’re not at acceptance, please stop what you’re doing and figure out how to get to the place in your head where Trump is sworn in on January 20, 2017. If you still think there’s some wiggle room, some way to avoid that harsh, awful reality, then you’re not going to be effective to our (or any other) group that is resisting Trump.
  3. Okay, so now you’ve got the right mindset. What’s next? PLANNING. Let’s get our personal and collective acts together.
  4. First of all, let’s talk about you. You won’t be able to resist Trump if you’re not taking care of yourself.
    • Are you financially secure? Have a good job, have some money set aside, that kind of thing. Don’t let all the stress of our new political situation destroy your livelihood or finances.
    • Are you physically and mentally in a good place? Take some of the advice I put together here. Start working out, take up a hobby, whatever.
    • How are your relationships? Time to reconnect with loved ones, friends, and close colleagues. If all this political turmoil is causing lots of stress for you and the people you care about, then Trump wins. That’s what he wants – he wants to break us all. Don’t let him.
  5. Now let’s talk about what we need from you at Indivisible Austin.
    • We need people who will commit to a series of daily and weekly tasks, that over the long haul, will help turn the tide. This means calling your Congressperson, showing up at Town Halls, writing blog posts and letters to the editor, and showing up for protests and counter-protests.
    • We need people who will do all these things with conviction and passion.
    • We need people to understand that there is nothing more important to the future of our Republic than stopping Trump every way we can.
    • Finally, we need people who understand that the most effective way to contribute to this national effort is locally – to do what they can where they are right now!
  6. What comes after PLANNING? EXECUTION. Let’s get to work. You’ve taken the first step by coming here – you’re ready to turn all your complaints into real action. Head on over to our Take Action Now! page and get started.
  7. What comes after EXECUTION? IMPROVEMENT and ADAPTATION. If a script you’re using for calling a Congressperson isn’t working out so well – IMPROVE it, and not just for yourself. Tell others what you did! If calling isn’t working out so well, show up at their offices (ADAPT!).
  8. What else can you do? ENLIST HELP. Get as many friends, family, and colleagues involved in the effort. Let’s grow this Austin movement such that all the other Indivisible groups around the country are inspired to do what we’ve done.

Let’s go!

Keeping your Sanity Intact

If the 2016 election cycle is any indication, the next four years are going to be extremely interesting. Folks, we’ve elected a man who tweets and says outrageous things for the whole world to see.

So far, Trump has made fun of a disabled reporter, attacked a Gold Star family, unleashed his followers on reporters he doesn’t like, and caused the stock prices of at least two corporations (Lockheed Martin and Boeing) to plummet with simple disparaging tweets. And that doesn’t even begin to scratch the surface.

Suffice it to say, the next four years are going to be a constant churn of outrageous statements, lies, and childish outbursts from our new POTUS.

You’re gonna need to find balance – yes, you need to pay attention to what’s happening, but you also need to take care of yourself. If you’re constantly outraged by what Trump has to say (which isn’t hard as he’s got an unbelievable supply of crazy statements ready to go!) then you’ll just burn yourself out.

So, how do you take care of yourself?

  1. Cut the media cord. It’s okay to take several days, weeks, or even a month off. You don’t even need to disconnect from everything – years ago I cancelled cable and have been all the better for not having access to CNN, MSNBC, and other pundit platforms. And you should totally include taking a break from Twitter, Facebook, and other online venues too!
  2. Focus on something creative. Do you paint, sing, act, play guitar, write poetry, knit, or even cook? Start spending time every day (or several times a week) expressing yourself creatively. It’s a great way to focus your mind on something you can control and that doesn’t involve the world around you.
  3. Get outside. Go for a run. Take walks in the park. Garden. Go camping or hiking. Nature and the outdoors can be very healing. Even if you don’t consider yourself an outdoorsy type of person, give it a try – there’s bound to be a local park you can take your dog to.
  4. Learn a new skill. This is your chance to add something amazing to your repertoire. Take that cooking class, learn how to SCUBA dive, attain that next belt in your martial arts class! Nothing will give you a sense of control more than being able to focus on a new thing and getting good at it.
  5. Volunteer. There are tons of organizations who could use your talents and skills right now, ranging from those in the midst of the fight against Trump (ACLU, Freedom from Religion Foundation) to those who always welcome a helping hand (homeless shelters, food kitchens, interfaith groups, Habitat for Humanity).
  6. Read! There’s nothing like escaping into a good book. A great book to read right now? Mindfulness for Beginners – it’ll teach you new ways to think about yourself, your mind, your reactions to the world.
  7. Get out with friends. Here’s a thing to try: go out to dinner and drinks with friends, and don’t discuss politics, current events, or how the world seems to be on fire. Laugh, catch up on everyone’s lives, and plan the next outing.

Using Signal to Communicate Securely

You want to contribute to defeating the Trump agenda, but you don’t know where to start. At the same time, you’re a bit nervous about doing anything in public because, well, let’s face it, Trump seems hell-bent on establishing himself as an autocrat. And we all know how autocrats respond to dissent!

So how does one securely communicate with others who wish to dissent? Certainly not by using social media, email, or texting.

The media are replete with stories about folks who thought they were having private discussions on Twitter, Facebook or other platforms that were in fact, totally public – usually because of a silly user error. Likewise, there are plenty of stories out there about folks whose private communications were subpoenaed or hacked. And we all know what happened to Hillary Clinton’s campaign once the hackers penetrated their emails.

So if you can’t use Twitter or Facebook to organize, and if regular phone calls, emails, and texting are similarly insecure, what tool can you use to securely communicate?

Use Signal!

We suggest you use Signal, a free iOS and Android application made by Whisper Systems. With it, you can securely text, group chat, share videos and documents, and call others via the platform.

Everything is done via end-to-end encryption so Whisper Systems has no visibility into what you’re doing — even if they’re subpoenaed, they have no information to give out. Even the amount of metadata they collect (who participated, when they participated, etc) is severely curtailed.

And by curtailed we mean, they know when you sign up for Signal, and the last time you used it, and that’s about it. For more information, check out this story.

Getting Started

Here’s how to get started:

  1. Download the Signal app onto your phone. (On iOS, you’ll find it in the App Store. Android users can find it on Google Play.)
  2. Once the app is on your phone, sign up by registering your mobile phone number.
  3. They’ll send you a six-digit confirmation code via SMS.
  4. Enter that confirmation code into the app and you’re signed up!
  5. The final step is giving Signal access to your contacts – you’ll need that in order to identify other Signal users.

The first time you open Signal and start a chat or call, you’ll see all the folks from your Contacts who have downloaded Signal. If you don’t have their registered Signal phone number, you won’t see them.

A great tip is to ask folks if they’re on Signal – once they download and register, you can start talking securely.

Here’s a great article on how to use Signal. It’s a great write up by the good folks at EFF.

Keeping Your Digital Self Secure in the Era of Trump

Ask any random person on the street about digital security and very few of them have given much thought to protecting their digital information. In fact, most people only know the basics: pick hard-to-guess passwords, make sure your banking information is secure, never share your passwords with other people, maybe something about antivirus protection. But these are also the same people who blithely and routinely post vacation photos for the world to see while they’re still on vacation!

In the Age of Trump, we have to be more vigilant – the term of art used by experts is “increase your security posture.” The Trump administration will have a very powerful surveillance state (federal law enforcement, NSA) at its disposal. Furthermore, many of the extremist groups that oppose our efforts will also have various capabilities. Not to mention, hackers (ranging from lone actors to state-sponsored groups) will still be active, all with their own motivations.

One thing we know for sure: our adversary is playing for keeps. Having watched the aftermath of the 2016 presidential election (particularly the havoc wreaked on Hillary Clinton’s campaign by hackers) and such public imbroglios like Gamergate we know that they will stoop to any methods to achieve their goals.

Fortunately, just a handful of measures will exponentially increase your digital/information security – thus keeping yourself, your activities and private life, and other members of any groups you’re a part of safe and secure.

Before reading the list below, let’s get a few things out of the way:

  1. Becoming 100% secure is not remotely achievable. Even the most dedicated and vigilant folks will experience some kind of security issue – be it falling for a phishing email or accidentally executing malware. Think instead about reducing your exposure to risk.

    What you can do is become such a hard target that malicious actors (be they hackers or members of the surveillance state) just move along.

  2. There are no silver bullets in security – no single remedy, task, or activity (including the ones listed below) can make you secure. Instead, you need to put in place a series of security measures. Experts call this “defense-in-depth.” Think about how castles are structured: they have moats, drawbridges, walls, and inner keeps to keep invaders out. They also have archers on the walls, patrols inside the walls, and locked doors in sensitive areas.

    Castles don’t rely on just one measure to stay secure – and neither should you.
  3. There may be some situations that call for common sense no matter how securely you live your life. For example, just because you’ve encrypted sensitive files with the most powerful tools available doesn’t mean you should tell everyone where you’ve stored the file – that basically amounts to a massive dare. Similarly, if you want to keep your activities within a resistance group secret, hinting to a stranger at a bar that you’re part of a group will work against your goal!

    A little common sense goes a long way in terms of security.

Okay, let’s just get to the list.

1) Create strong passwords and keep them secure. Passwords are the first line of defense and are prime targets of most efforts to get at your information. First step: stop trying to use all those tricks and remedies you’ve picked up along the way to manage passwords in your head. You know what I’m talking about: names of pets combined with favorite Beatles lyrics and then a “123” at the end.

No matter how good you are at this game, you have too many accounts (Facebook! Online banking! Retail stores! Netflix! Amazon!) and you’ll eventually start falling back on all the bad habits that will get you into trouble, i.e., creating weak passwords, recycling/reusing passwords between sites, or using special prefixes or suffixes on formulaic passwords to distinguish them (like “fb” at start of a password for Facebook, “gm” for Gmail and so on).

Instead, you need to install a password manager like 1Password or LastPass. These tools allow you to create an encrypted vault protected by one very strong password (the last one you’ll need to remember) which contains usernames and passwords you use all the time. These tools can also generate strong passwords for you, and allow syncing across all your devices so you always have them on hand.

2) Make sure all devices and computers require login. I know it’s a pain in the neck, but this one step can keep a lot of your information safe. And don’t settle for a numeric PIN on iPhone (for example) – use the alphanumeric option to create really strong PINs that will take forever to guess. While you’re at it, make sure your devices wipe memory and data after so many failed attempts.

3) Encrypt your filesystems. Use BitLocker on Windows and FileVault on Mac. Store the recovery key in your password manager. That way, if anyone steals your device (or subpoenas it) and can’t get past your login screen, pulling your hard drive and accessing it directly will only yield further frustration.

4) Keep your devices patched/updated. If you’re on an end-of-life operating system, upgrade! Most hackers don’t use extraordinary measures to break into systems, they use well-known (and public) exploits against out-of-date software. Simple hygiene in this regard can keep a lot of trouble from your doorstep. This attack vector combined with phishing emails and other social engineering attacks (see below) make up a huge percentage of the threat!

5) Keep your antivirus software up to date. Don’t fall for the old “Macs don’t get malware” bit either. Malware comes in various packages: some install keyloggers that capture your usernames/passwords, others destroy or corrupt files/data, others steal it (exfiltration is the term of art), others enslave your computer to do the bidding of another computer (usually involving it in criminal tasks) and still others encrypt data and then demand payment to unlock (ransomware!).

6) Back up, back up, back up! That way if you do get malware/ransomware that corrupts your filesystem or steals your data, you can get it back. iCloud works here, as do other services like Dropbox (beware though, you should encrypt your backups!).

7) Turn on two-step verification (2SV) or two-factor authentication (2FA) wherever possible. 2SV usually involves getting a code via text message or other device whenever you login to a service. 2FA involves having not only a password (something you know) but some other factor to complete the authentication process (fingerprint – something you are; token USB card – something you have). There are few commercial services that provide 2FA but 2SV is becoming more available.

Please note: 2SV is not a fail-safe system! Skilled hackers can easily clone your mobile phone number (if they know it) to get those codes texted to them as well. (Do I sound like a paranoid crank yet? Don’t worry, it’s only paranoia if they’re really out to get you…just ask the Hillary Clinton campaign).

8) Go private on social media accounts. If you can, lock them so they’re visible only to friends/followers. Turn off location services for your camera and social apps so that photos, tweets, and updates carry no metadata (such as the GPS coordinates a phone camera embeds in each photo) that might fix your location. Furthermore, set privacy levels such that users can’t find you via your phone number and/or email address.
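Turning location services off is the right fix, but photos taken before you did so still carry coordinates, and not every site strips them on upload. As an added example (mine, not from the original post), the following checks a JPEG for a GPS block in its Exif metadata and produces a copy with the Exif segment removed. The sample file it tests itself against is a constructed, image-less JPEG built in code (a real photo would work the same way), and it only handles the Exif APP1 segment; XMP or IPTC blocks can carry location too.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825          # "GPSInfo": pointer from IFD0 to the GPS sub-IFD


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment; stops at SOS, after which
    entropy-coded image data (no further length-prefixed segments) follows."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if marker >> 8 != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length includes itself
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def is_exif_app1(jpeg, start):
    return jpeg[start + 4:start + 10] == EXIF_HEADER


def gps_tags(tiff):
    """Sorted tag IDs found in the GPS IFD of a TIFF/Exif blob, or [] when there is no GPS IFD."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])          # little- or big-endian TIFF
    if bo is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):
        (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
        entries = {}
        for i in range(n):
            base = off + 2 + 12 * i
            tag, typ, count, value = struct.unpack(bo + "HHII", tiff[base:base + 12])
            entries[tag] = (typ, count, value)
        return entries

    ifd0_entries = read_ifd(ifd0)
    if TAG_GPS_IFD not in ifd0_entries:
        return []
    _, _, gps_offset = ifd0_entries[TAG_GPS_IFD]   # type LONG: the value field is the offset
    return sorted(read_ifd(gps_offset))


def find_gps(jpeg):
    """GPS tag IDs embedded in the JPEG's Exif block ([] when it carries no GPS data)."""
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and is_exif_app1(jpeg, start):
            return gps_tags(jpeg[start + 10:end])
    return []


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; the image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and is_exif_app1(jpeg, start):
            continue
        if marker == SOS:
            out += jpeg[start:]      # SOS header plus all scan data and the EOI
            break
        out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed, image-less JPEG: SOI, an Exif APP1 whose IFD0 points at a GPS IFD, a COM, EOI."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4                      # one 12-byte entry plus next-IFD pointer
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"   # GPSVersionID, 4 BYTEs inline
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"       # GPSLatitudeRef, ASCII "N"
    tiff += struct.pack("<I", 0)
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    comment = b"constructed sample, not a real photo"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags before:", find_gps(sample))
    print("GPS tags after: ", find_gps(strip_exif(sample)))
```

On a real photo, read the file as bytes, pass it to find_gps to see whether it carries coordinates, and write the result of strip_exif to a new file before sharing it. Dropping the whole Exif block also removes the camera model and timestamps, which is usually what you want anyway.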

9) Watch what you share and say in public, and that includes social media. Remember those old posters from World War II days: Loose lips sink ships. Even if all your social media accounts are private, posting photos of your participation in a counter-protest may feel good and get you many likes, but it can lead to a number of consequences.

For starters, you’ll garner attention from people who won’t like you. You may think to yourself, “I don’t care,” but posting this photo might reveal the identity of another group member who might lose their job or suffer other consequences. We live in an age where our adversaries feel no remorse about using such tactics as doxxing (posting work/home phone/address and other personally identifying information on the internet) and swatting (calling the police to say there is an armed gunman at your home address to elicit a SWAT response).

So posting that photo and getting a thousand likes might feel good, but the fallout might ultimately make you less effective to the group (i.e., it’s hard to resist Trump when you’ve lost your job or you’re worried about crazy people posting death threats along with your home address on the Web).

10) Learn how to identify and defeat phishing emails. Hillary Clinton’s presidential campaign was the target of widespread phishing (and spear-phishing) attacks. These emails purport to be from a legitimate service making a routine request – in this case, “we noticed that someone was trying to hack your account, please change your password.” Anyone who clicks the link is of course taken to the attacker’s look-alike website, which captures the user’s username and current password (and of course never sets a new one!).

All of us remember and laugh at the Nigerian prince emails that make the rounds. Think about this: they’re so prevalent because they work! It only takes a vanishingly small percentage of people to respond to make those efforts lucrative for criminals.

Be advised that many of the phishing emails you’ll see are extremely good! They’ll look exactly like the emails you might get from your bank, a social media app, or favorite retailer, logos and all.

How to spot a phishing email? Some dead giveaways:

  • Spelling/grammar errors in the subject line or message
  • You’re not addressed by name (more like “Dear Customer”)
  • The URL the link actually goes to isn’t quite right (hover over it before clicking: it might go to google.badhacker.com instead of google.com, and the text of a link can say one thing while its destination is another)
  • A sense of urgency: your account will be closed, suspended, or charged unless you act within 24 hours
  • Oh yeah – the fact that most services won’t ask you via email to update your password!
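The giveaways above can be checked mechanically. The following is an added example of mine (not something from the original post) that runs them over a raw email: it compares the sender’s domain with the one you expect, looks for a generic greeting and “verify your account” language, and for every link compares where it really goes with the domain it claims, including the trick of hiding the real host behind a user@ prefix. The domain examplebank.com and both sample messages are constructed for the example; the second, legitimate-looking message is there to show the checks stay quiet when nothing is wrong.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)
GENERIC_GREETING_RE = re.compile(
    r'\bdear\s+(?:valued\s+)?(?:customer|user|member|client|account\s+holder)\b', re.I)
CREDENTIAL_LURE_RE = re.compile(
    r'\b(?:verify|confirm|update|reset|validate)\s+your\s+(?:password|account|credentials|identity)\b', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def link_host(url):
    """Hostname a link really goes to: lower-cased, user@ prefix and port removed.
    'https://examplebank.com@203.0.113.7/login' goes to 203.0.113.7, not examplebank.com."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host, expected):
    """True only for `expected` itself or a subdomain of it; 'examplebank.com.verify-login.net'
    and 'examplebank-secure.com' both fail even though they contain the expected name."""
    return host == expected or host.endswith("." + expected)


def suspicious_links(html, expected):
    findings = []
    for href, anchor_html in HREF_RE.findall(html):
        host = link_host(href)
        if not belongs_to(host, expected):
            findings.append("link goes to %r, not %s" % (host, expected))
        shown = HOST_IN_TEXT_RE.search(TAG_RE.sub(" ", anchor_html))
        if shown and shown.group(1).lower() != host:
            findings.append("link text shows %r but target is %r" % (shown.group(1).lower(), host))
        if host.startswith("xn--") or ".xn--" in host:
            findings.append("punycode hostname %r: check for look-alike characters" % host)
    return findings


def phishing_indicators(raw_message, expected):
    """Run the giveaways over one raw message; returns the list of reasons found (empty = clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if not belongs_to(sender_domain, expected):
        reasons.append("sender domain %r is not %s" % (sender_domain, expected))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = TAG_RE.sub(" ", html)
    if GENERIC_GREETING_RE.search(text):
        reasons.append("generic greeting instead of your name")
    lure = CREDENTIAL_LURE_RE.search(text)
    if lure:
        reasons.append("asks you to %s" % lure.group(0).lower())
    reasons.extend(suspicious_links(html, expected))
    return reasons


# Constructed sample messages (not real mail); the lure wording is the one quoted above.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
To: you@example.org
Subject: Unusual sign-in activity - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We noticed that someone was trying to hack your account. Please
<a href="https://examplebank.com.verify-login.net/reset">verify your account</a> within 24 hours.</p>
<p>You can also sign in at <a href="https://examplebank.com@203.0.113.7/login">https://examplebank.com/login</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
To: you@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane,</p>
<p>Your statement is ready. Sign in at
<a href="https://secure.examplebank.com/statements">secure.examplebank.com</a> to view it.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw, "examplebank.com") or ["no indicators"])
```

Note that belongs_to is deliberately strict: it only accepts the expected domain or a subdomain of it, so a hostname that merely contains “examplebank.com” somewhere in it is flagged. The sender check is the weakest of the lot, since a From header can be forged outright; the link checks are the ones that catch a real lure.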

Pro tip: If you’ve installed a password manager and turned on its breach-monitoring feature (most check your saved logins against a public database of known breaches), you’ll find out if/when a service you use has been hacked, and which password needs changing!

So what do you do if you get one of these phishing emails? Stop what you’re doing, open a web browser, and go directly to the site in question to log in. In other words, don’t click the link to go to your bank; type the URL you know and love directly into your browser (or use the bookmark or password-manager entry you already have for it). Simple as that. If there really is a problem, your bank/retailer/service will display a warning and/or ask you to reset your password right then and there.

Oh, one more thing – pop-up ads that say things like “we’ve detected malware on your system, please click here to clean it up” are super bad (the industry calls this scareware). Do not click. Just close the window!

11) Certain sites (cough, cough – pornography) can be potential watering holes. A watering hole is a site that its intended victims are known to visit and that has been compromised to serve malware to them, sometimes without any click at all. Hackers love to seed high-traffic sites with malware to infect as many visitors as they can. The best remedy here is to not visit those sites, of course, but you’ll also want to keep your browser patched and your antivirus up to date!

12) Learn how to identify and defeat social engineering. Social engineering is related to phishing, but it’s usually done over the phone (and, more rarely, in person). It’s basically tricking you into revealing something important or otherwise behaving in a way that isn’t in your best interests.

An example is someone calling you from “the IRS” or the “Loan Office” to tell you that you owe them money. During the high-pressure call, they’ll want to know your Social Security number, date of birth, and other information that could be used to defeat password reset systems at your bank (and they’ll know you bank at such-and-such a place because you took a selfie there to celebrate getting your home loan and then told all your Facebook friends about it).

Other social engineering scenarios might actually try to convince you to reset or share your password right there on the phone. A good way to resist this scenario is to take the person’s name, hang up, and call the main number for your bank (or whatever) from its website or the back of your card, then ask to be transferred back to that person. Never call back a number the caller gives you.

In-person social engineering is more common in commercial environments and usually involves getting physical access through a badge-controlled area (a guy walks up in a UPS uniform holding a heavy box and a helpful employee opens the door), but these situations have been known to happen in everyday life.

Some examples:

  • Be suspicious of any person who shows up at your house, without an appointment, who wants to perform a service you have not ordered or requested. If they are a city employee, call the city to confirm they are who they say they are.
  • Similarly, people purporting to be door-to-door salesmen, proselytizing ministers, or the like *could be* just that, or they could be gathering intel on who is home at what times.
  • When traveling, you might encounter individuals who approach you in social settings and engage you in conversation over drinks (for example). A good rule of thumb for everyone (but men especially) – if painfully attractive people don’t normally hit you up in your home town, it’s probably not going to happen while you’re on the road. Be suspicious.

Are you likely to be targeted out of the blue? No, not likely. Are you likely to become targeted if you become very active in a resistance movement? Could happen! So keep a low profile if you want to reduce your exposure to this risk.

Why spend so much time on social media hygiene, phishing, and social engineering? Because if you create strong passwords, keep files encrypted, patch and upgrade, and keep antivirus up to date you’re still vulnerable to low-tech attempts at getting through your defenses.

The weakest link in any security situation is almost always the distracted or fooled human who clicks a phishing link or divulges information to a seemingly innocuous stranger.

Make yourself less vulnerable!