
Anyone want a How-To Cybersecurity guide?

Ok, mobile security.

First, the basics:
1.) Get a new-ish phone. Not a cheap one, either.
2.) Set up a secure pin.
3.) Set up a VPN ( this will be covered in more detail next post).
4.) Set up secure messaging apps, know how to use them.
5.) Don't put anything super secure on there.
6.) Turn it off.


1.) Get a new-ish phone. Not a cheap one, either.


I'm not saying this to make you spend money. I'm talking about vulnerabilities and patching.
As an example, a powerful mobile forensics tool is Cellebrite. In the past year, they discovered a vulnerability that would allow them to break into any iPhone made up to that point. Later iPhones will be patched against this. But those? Wide open.

New vulnerabilities and exploits are found every day. That's why it's not a good idea to use outdated software and hardware. While it was secure when it came out, there's no telling if it is still secure.
Next, the 'not a cheap one,' part. More expensive phones are more likely to get timely security patches than budget phones.
Note, this cuts both ways. iPhones have generally been considered more secure than the average Android phone since, with only a few hardware models (and only one software platform) to support, Apple can spend all their time on securing just that. The other side of the coin is that attackers can narrow down on just breaking into that, hence the Cellebrite exploits.
I'd stick with iPhone, Samsung, and Pixel, my personal choice being Pixel (buy last year's model used off Swappa).

You can get a good-condition Pixel 3a XL for less than $150 on Swappa. Reasonably new, fast, gets regular security updates, and no known hardware vulnerabilities (it's not as popular as Apple or Samsung, so there's less focus on attacking it). No need to buy a brand new $1k phone.

-----------------

2.) Set up a secure pin.

Ok, this will get a bit confusing. Let's say you use a fingerprint or a face to unlock.

You know how when you restart your phone for the first time, it'll say something like, "For security, enter your pin," and you have to enter your pin, not just use your fingerprint?

Think of things as Before the First Unlock(BFU), and After the First Unlock(AFU).

This is an important security tool. All newer phones are encrypted (remember, get a new-ish phone), meaning that they can't just plug your phone in and read everything off of it; it'll be gobbledygook. They need to log into your phone, which will decrypt the data and allow them to read it. All exploits and forensics tools involving your phone itself, and not the apps on it, are attempts to bypass your login and get in.

AFU, there are a lot of tools to get past the biometrics, pins, what have you. There are ways. And, heck, you can be compelled to put in biometrics, but not a code. After you've unlocked once, the login is not very secure against good attackers.

BFU is a whole different story. There aren't, as far as I'm aware, any ways to outright bypass the PIN. The iPhone exploit Cellebrite uses, as I understand it, allows them to just run password cracking against it many times a second without it locking your phone. And that will be patched against soon.

Password strength is partially about complexity, but more about length. A longer PIN is much more secure. Make it long, make it safe. 8+ characters will take a while to crack.

-----------

3.) Set up a VPN (this will be covered in more detail next post)

Ok. Let's think about how you communicate over your phone. It could be through the cellular networks (LTE), or through wifi (wifi calling, wifi texting, emails).

Both of those can be 'sniffed,' where a Man-In-The-Middle between you and the destination of what you're sending can read or intercept that data in transit.

Let's say you go to Starbucks, get on the wifi, and send a few emails or texts using their free data. What if someone else was also in Starbucks, on the wifi? A simple tool, of which there are many (Wireshark is an example), can capture all the data being transmitted. After all, wifi is just radio signals; if you can send it, other people can receive it. What's to stop them from reading it? Or blocking the message, changing it, and sending it on?

Let's say you're using cellular data. The way they work is that your phone is always 'pinging' for the closest, most powerful cellular network, and using that to send its data.
There are tools out there, such as Stingrays ( https://en.wikipedia.org/wiki/Stingray_phone_tracker ) which can pretend to be a cellular network. Being closer to you than a tower, the cellular data will go through them before being sent on to other towers. Not only the good guys use these. Same issue as above: seeing/changing data.

What's the solution? VPNs. Let's say you want to send a text. Your VPN software connects you to a server they run, and then encrypts the connection. Then they connect to where you want to send the data, and do the same. Any traffic you send is then unreadable by anyone sniffing on the network. Very secure. Downside is, this is why we can't have nice things. Because it's such a useful thing, bad guys also use VPNs. Certain websites block VPNs, so you need to know when to turn it off. TANSTAAFL: more security means less usability. But this is a big step in the right direction. I would never use public wifi without a VPN.

-------------

4.) Set up secure messaging apps, know how to use them.
This is similar to VPNs.
Let's say I use Google Messages to send texts. Until about a month ago, all of that would be sent in the clear, without encryption. The newest update encrypts a message I send to one person. But it doesn't encrypt group messages. And what if I send it to someone who doesn't use GM? That app can't know how to decrypt the message, so it can't encrypt messages to non-GM users.

That's the benefit and downside of encrypted messages. It's secure, but only if people are using the same thing.
A good, secure texting app is Signal. It can send texts and make calls, all securely. Note that, while it can send to non-Signal users, by necessity those can be encrypted.
Similarly, Protonmail is a secure, encrypted mail app. But it's only secure sending to another Protonmail user, not to a gmail account, just keep that in mind.
End to end encryption doesn't work, if the other end of the message isn't encrypted.

------------

5.) Don't put anything super secure on there.

I will go into this in more detail in the next post that goes into passwords, and also the file protection, but we already know that the stuff on your phone isn't necessarily secure.
Add to that what we will later learn about password reuse, and we need to consider having one or two very secure passwords to remember.

Don't write those down on your phone. You cannot depend on those being secure. Now, hints? Sure. But don't put anything on your phone you don't expect to be seen.

-----------

6.) Turn it off.
This goes back to the BFU/AFU stuff I mentioned above. It's the number one way to keep your phone from being accessed. Turn it off regularly when not using it, to require a PIN to log in.

----------

Hard to do screenshots for mobile stuff, later ones will have screenshots.

Does this make sense, and is it enough info to be usable without being too technical?

Next post will go into showing you how to determine if your passwords are exposed/insecure, and how to make more secure ones. And how to store them (password manager).
 
Internet – Where I scare you.



1.) Your passwords. They suck.

2.) How to improve your passwords. Random words.

3.) How to improve your passwords 2: Electric Boogaloo. Sentences and quotes.

4.) Password Manager.

5.) Unique passwords. Change your old stuff!

6.) Ad Blocker

7.) VPN

8.) Tor

9.) Throwaway email and phone number




-----------------------------------------
1.) Your passwords suck.

This is not surprising. Passwords were never meant to be as pervasive as they are. When passwords were first implemented on computers in 1961, there were fewer than 5,000 computers in the world. Now, there are billions of computing devices, and probably as many websites, all of which require passwords. They just did not expect the number of places we would go to that need passwords.

And, at the end of the day, humans are lazy. We know that we should make complex, unique passwords for each, but actually remembering all of those is almost impossible. So, we write them down, or store them somewhere, or reuse passwords, all of which, of course, lead to their own security concerns.



First, let’s go into passwords.

I don’t know you, but I’m gonna make a few guesses.

I bet you made one nice password. I bet almost every single password you have is a variation on that, like adding a 1 or ! to the end, capitalizing a letter, or changing letters for numbers. I bet your security questions to recover your password are things like your first car, the street you grew up on, your high school, a place where you lived a few years (and met your wife), your marriage date or location, your pet's name, a child's name. Things that turn up in a basic search of public records for you (Facebook for you and your family members, LinkedIn, and those “who are you” identity searches you can get for a dollar).

I also bet that you’ve been using your password for years. I bet you that your password has been exposed in a hack or a breach over the last couple of years.

I bet that, with that old password, and the open source information I gathered, I could write a script to do various combinations of those things, and either get your current password, or the security questions to reset your password. So, how close to the mark am I?



First, go here:
Try your email, see if it's been exposed in a hacking breach.

https://haveibeenpwned.com/



Next, check here:
Try some of your passwords, see if they have been exposed. Don't worry, they don't send your password anywhere, and I'm hoping you'll be convinced to change it by the end of this post anyway, it should be safe.

https://haveibeenpwned.com/Passwords





Let’s try a random password. Let’s say you made the password,

flower

Test that here:

https://howsecureismypassword.net/

Cracking time: instantly





Ouch.



How about:

flower1!

I added a number and symbol to it, that’s what they make me do, usually. That’s better, right?

Cracking time: 19 minutes





How about:

F10w3r1!

That’s hard to read, and hard to type. It’s gotta be more secure, right?

Cracking time: 8 hours.





There’s gotta be a better way!

https://giphy.com/gifs/nbcsvu-nbc-svu-MGYhqruPnQErEBv56c





There is. I’ll go into it in a bit, but let’s try a different password. How about:

OstrichCeilingFanPregnant

There’s no numbers or symbols in there, so it can’t be secure, right?

Cracking Time: 6 Septillion years.

That’s 6,000,000,000,000,000,000,000,000 years to crack.





Obviously, length is more important than complexity. Granted, adding a 1! to the end changes it to 600 nonillion years, but at that point we’re splitting hairs; I think it’s secure.


-------------------------------
2.) Random words

Go here, and generate 3 words.
https://randomwordgenerator.com/
I got:

Elite, sight, sequence.

Let’s do something simple: let’s use the first number and symbol after the first word, and the last number and symbol between the second and third.

Elite1!Sight0*Sequence

Cracking Time: 600 Sextillion years.

Ok, that’s a pretty secure password. Kinda hard to remember, if you have a ton of them. Any other ways?


-------------------------------------
3.) Quotes or sentences

https://www.gutenberg.org/

I chose a random book from the main page, “The Jay Bird who went Tame.”

Then I chose a chapter (6), a paragraph (3), and a sentence (4).

https://www.gutenberg.org/ebooks/64586

This gives me the password:

The coon and the jay bird are living up at mine.”

Cracking time: 4 tresvigintillion years

That’s secure. And, remember the previous post, when I mentioned to never put your passwords on your phone?

I stand by that. But riddle me this, Batman.

What would happen if I downloaded 5 books onto my phone and computer, and have a note somewhere on my computer saying:

6 3 4

I don’t think anyone could figure out that is the key to figuring out this password. That is a pretty safe hint, imo.



But again, having to do this for every single website is super complicated. There has to be a better way!


------------------------------------
4.) Password Managers

Password managers are the solution to the problem of passwords. You store all of your passwords on a password manager, which is encrypted.

An example of this is BitWarden. It is extremely encrypted. To access it, you must type in your password for BitWarden. BitWarden does not store the password to your account, so they cannot be forced to open it by the government, or have it broken into by hackers. All that it requires is for you to have a secure password.

With this, you can securely store all your passwords. It works in Firefox, Chrome, and Safari browsers. It works on your phone on Android and Apple iOS.

No longer do you need to remember 50 passwords for each site. Instead, you remember 1, and only 1 password, the password to BitWarden.



------------------------------------------------------------

5.) Unique passwords. Change your old stuff!

Ok, you’ve got a unique, strong password for BitWarden. You’ve got it installed on your phone and computer, so you can use it to access the websites you need to. And you’ve moved all your passwords to it, and deleted those Excel spreadsheets that have your passwords on them.

You’re good now, right?

Wrong. You still have that reused-password problem. I bet your email, your bank account, Amazon, PayPal, etc. all use passwords that are similar to other passwords.

Sharing passwords is a big no-no. Especially for things that can mess up your life, like email and financial stuff.

You need to spend a couple hours going to each of those websites, and making a new password, and updating the passwords.

If you click on BitWarden, you’ll notice they can generate passwords for you, so you don’t need to come up with everything from scratch. Pretty easy, right?





While you’re at it, spend the extra time to update a few things on your website accounts. You can add notes to each saved password in BitWarden. Might want to consider either saving your Security Questions in there or, my recommendation, make random answers for your Security Questions, and save those in the notes. Make it hard for the hackers to reset your passwords.

Optionally, you might also want to go into their settings, and see what stuff they are selling to advertisers. You are considered a commodity to them. I see no reason to give advertisers your information, do you?



It will take a while, but it’s one of those buy once, cry once things to give you better security.


With unique passwords, your accounts are safe from hackers using previous breaches to guess your password, and take over your account. Also, if there are future breaches, only one website’s password is insecure, not every password you have, like before.


------------------------
6.) Ad Blocker

Popups are everywhere. They are not just annoying, though. There is a type of attack called ‘malvertising.’ You know when you go to a website, and there are banners of ads on the tops and sides? Websites don’t usually choose their ads; they are paid by an ad company to have a place on their website for ads to be hosted, which rotate in and out over time. If a bad guy buys ad space, he can sneak malware into ad popups. They are caught quickly, but if he infects a few thousand computers before his ad is banned, hey, he’s made money.



Ad blockers not only declutter your browser, but also protect you from that. I recommend uBlock Origin.

Note, sometimes ad blockers mess up websites, so you need to remember that, if something is not working correctly.

-------------------------

7.) VPN

As mentioned in the previous posts, VPNs create secure connections between you and the destination, encrypting your traffic, protecting your privacy.

This is not just for phones; this can also be used on your computers. Two of the most popular VPNs are ExpressVPN and NordVPN. They are also some of the more expensive. What you lose in cost, you gain in speed and support.

Note, yes, VPNs will slow down your connection. Think of your internet connection like a river that anyone can see. A VPN is a small pipe going to a home. The pipe protects the water, holds it together, but the whole river flow can’t get into the small pipe. The better VPNs are fast enough that you’ll likely never notice it, but it’s something to consider. Also, note that the best VPNs do not keep logs, so there is no history of what you are accessing on the internet.



While VPNs are great for privacy, not all companies like them, so sometimes you need to turn it off to access the rare website.

Is a VPN necessary for everyone? No. I’m in security, so it’s definitely necessary. For the average person, probably not. But it’s an option if you value your anonymity, something to consider.

--------------------------

8.) Tor

While modern browsers, like Chrome and Firefox, are great for extensibility and smooth use, they are not built for privacy.

Enter Tor.

Tor is a browser, built off a Firefox base, that is built from the ground up for security and privacy. They do this by routing all your traffic through pseudo-VPNs, called ‘onion nodes,’ to encrypt and anonymize your traffic. There are also a lot of little things. You’ll notice the full window isn’t taken up by the browser. That’s intentional; not to get technical, but the size of the window can be used to ‘fingerprint’ your computer by the unique settings of your browser, so it sets things up to make them all look identical. That’s just a single example.

For the more security conscious, you’ll notice there is a shield near the top-right of the screen. That is for deciding if you want to disable Javascript or not. Again, not to get too technical, but Javascript does all the fancy things on a website, making the webpage look pretty. However, at the end of the day, it is code running in your browser, and could be used by nefarious individuals. So, they give you the option to easily block it (note, again, disabling it can mess with the functionality of websites, do this at your own risk). Lots of little things.

Long and short, Tor is an excellent browser. Do I recommend it for everyone? No, but if you’re privacy conscious, it’s worth a try. Pairing Tor with a VPN will protect your privacy even more.

--------------------------------

9.) Throwaway email and phone number

Sometimes, you want a throwaway email or phone number.

Let’s say you’re going to a car dealership. When you go in, they have you give your phone number and email. From then on, whoever dealt with you first “owns” you (yes, that’s what they call it), and you can expect to receive lots of annoying calls and emails from them. And yes, they will likely sell that information to data agencies, to make 10pm calls that your warranty is almost expired.



I’m sure you can think of times you just want a spam account, to shunt all the stuff you don’t care much about into. Let’s go into how to get throwaway accounts.



You’ll notice that most email account providers, like Yahoo or Gmail, require you to give a phone number to proceed. And, being that this is a spam account (and Yahoo has had multiple breaches), I’m sure you’re hesitant to give them that. So, here’s how to make a Gmail account without giving them your phone number:

https://www.techjunkie.com/use-gmail-without-phone-number/

Long and short is: either make an account and say you’re under 15 (Gmail assumes that those under 15 won’t have a phone), or do it on an Android or iPhone, which allows you to skip adding a number.

Actually not that hard, you just need to know the quirks.



Encrypted email providers like ProtonMail can also be created, and don’t require a phone number.



Next, phone number.

Two ways:

a.) Download Google Voice, and create a phone number through them, linked to your account (note: some websites don’t allow you to sign up for things with a VPN number, but this is rare)

b.) Go old school, buy a calling card at a gas station, with a phone number.



Using a password manager, a VPN, Tor (optionally), and throwaway email and phone numbers, you should very easily be able to be secure, and Gray-Man-ish on the internet.

----------------------------

Next post, we will go into your home network. How to secure your router, how to make it so your ISP can’t see everything you’re doing. New functionality on the newer routers (and why you might want to upgrade). Other funky things you can do on your network (like a DNS sinkhole, or running your router, instead of your computer/phone, through a VPN).
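An added example, not from the post above: the numbers behind "length beats complexity" and the PIN-length advice from the mobile post. It computes the brute-force search space for the four passwords tried on howsecureismypassword.net and for digit-only PINs, turns bits into crack time at two assumed guess rates (the 1e10/s and 100/s values are my assumptions, not figures from the post or from Cellebrite), and adds the caveat that an attacker who knows you picked dictionary words gets a much smaller keyspace than brute force suggests.

```python
import math

# Character-class sizes a brute-force cracker enumerates (33 = printable ASCII symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Smallest union of standard character classes that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits if the attacker must try every string of this length over this charset."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words: int, list_size: int) -> float:
    """Entropy if the attacker knows the passphrase is n_words drawn from a list of list_size."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Passwords from the post, plus digit-only PINs for the BFU/PIN discussion.
    samples = ["flower", "flower1!", "F10w3r1!", "OstrichCeilingFanPregnant", "1234", "12345678"]
    RATE_OFFLINE = 1e10   # assumed: GPU cracking of a leaked unsalted hash
    RATE_ONLINE = 100.0   # assumed: a tool guessing a device PIN "many times a second"
    for pw in samples:
        b = brute_force_bits(pw)
        print(f"{pw:28s} {b:6.1f} bits  offline {years(expected_crack_seconds(b, RATE_OFFLINE)):.3g} yr"
              f"  online {years(expected_crack_seconds(b, RATE_ONLINE)):.3g} yr")
    # Caveat: against a word-list attack a 4-word passphrase from a 7776-word list is ~51.7 bits,
    # far below the ~142 bits brute force suggests, yet still above every 8-character sample.
    print(f"4 words from a 7776-word list: {wordlist_bits(4, 7776):.1f} bits")
```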
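A second added example, not from the post: why the haveibeenpwned Passwords check "doesn't send your password anywhere". The Pwned Passwords range API takes only the first 5 hex characters of the SHA-1 and returns every matching hash suffix with its breach count, so the match happens on your machine. The corpus and counts here are constructed so it runs offline; `fake_range_server` stands in for the real endpoint, and `real_range_fetch` is the only part that would touch the network.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the breached-password corpus (password -> times seen in breaches).
# The real corpus is hundreds of millions of SHA-1 hashes; these counts are made up.
CONSTRUCTED_CORPUS = {
    "flower": 120_000,
    "flower1!": 340,
    "F10w3r1!": 2,
    "password": 9_000_000,
}

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: every corpus hash starting with the 5-hex-char prefix,
    returned as 'SUFFIX:COUNT' lines. The server side only ever learns the prefix."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def real_range_fetch(prefix: str) -> str:
    """Fetch the same range from the live API (not used by the offline demo below)."""
    import urllib.request
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_range_server) -> int:
    """Client side of the k-anonymity check: hash locally, send only the first 5 hex chars,
    then look for the remaining 35 chars in the returned range. Returns the breach count, 0 if absent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["flower", "OstrichCeilingFanPregnant"]:
        print(f"{pw!r}: seen {pwned_count(pw)} times (offline, constructed corpus)")
```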
 
interested.
 
It'll be much shorter than the previous two.

So, any feedback? Do I need to be more/less descriptive? More or less technical?
 