by Sam (my security adviser for The Survivalist Blog.net)
Internet security is about preventing access to your network, computers and data by unwanted people. You don’t want to give hackers, be they government-sponsored or freelancers, access to your system or your personal information. In these cases, you’re dealing with someone who may actively try to access your information without your knowledge and without your permission. One might ask why some government or freelance hacker located on the other side of the world would be interested in their computer. There are two reasons. Your computer could contain a lot of personal information such as credit card, bank account or social security numbers.
If you do your tax returns on your computer, your entire return (with everything one needs to accomplish identity theft) is right there. Getting access to that information is worth money to these people. Another reason is to gain control of your machine. If a hacker can gain control of your machine, they can use it to do things on the internet and make it look as though it’s coming from your location. It doesn’t take much imagination to see why some hacker somewhere in the world would find that to be a really useful thing. This sort of thing happens every day to a lot of people and, in most cases, they don’t even realize that it’s happening.
Internet privacy is about protecting your personal information, your interests and habits from being recorded by people and web sites that you visit or have to interact with. They are not hacking your network or computer to get this info; you’ve laid it right out in front of them with your online actions.
Many will say, “Who cares? I have nothing to hide.” But it’s not quite that simple. Most people, if they were told that every telephone conversation they had would be monitored and recorded by multiple individuals, would not tolerate such an invasion of privacy. So why are internet discussions and habits any different than phone conversations?
However, the most important concept that makes the “I have nothing to hide” logic faulty is that you really don’t know what you have to hide. Things that you think of as being trivial today could become crimes at some future date. Everyone is currently freaking out about how 30-round magazines may soon become illegal even though they are perfectly legal now. Is it so unreasonable to believe that things you discuss with others via email, discussion groups and forums or web sites which you visit today may become illegal in future times? So why would you want anyone to have a permanent record of this to possibly use against you?
And don’t think that there won’t be a record, because there already is one. Search engine companies such as Google and Microsoft / Yahoo are all about capturing and indexing every bit of information they can. This information is worth immense sums of money. Web site owners, and especially social sites like Facebook, are equally adept at gathering and indexing every piece of information they can get about you. Email services all keep records of your emails for years even after you delete the emails from your account. The only person who no longer has access to one of your deleted emails is you. You see, once Pandora’s box opens, you cannot put it all back in. You potentially have a great deal to lose by letting your information out.
So I suppose the better question is what negative could there possibly be in protecting your personal information today so that you never have to worry about it later? That way, someday, when your friends are devastated and thinking “how could this have happened?” you’ll be breathing a sigh of relief that at least you took actions to protect yourself.
Now that we’ve defined the terms, let’s talk about internet security. Common sense is the first line of defense. Going to sites known for seedy activities is just plain not a good idea. Opening up emails that have attachments, from people you don’t know, is also not a good idea. Most of us already know this.
Home wireless connection: When using a wireless connection at your house, be sure to enable WPA2 encryption with a strong key. Strong keys are long and random. The key dfh&hBNfp%2#hjfdow1ZR is an example of a strong key. The key passw0rd is not. Many people like to replace the letter O with the number 0 in words, or make similar substitutions, thinking that this is somehow going to fool a hacker.
Do not use WEP because anyone capable of a Google search can learn how to break it.
All of this is important for two reasons. First, if someone connects from the outside to your wireless network, they are that much closer to your computer. They don’t have to attack from the Internet since they are on your local, trusted network. The second reason is that you don’t want your neighbor or someone parked outside of your house using your wireless and doing something criminal on it. The knock on the door by law enforcement isn’t something you need to hear when they track the crime back to your IP address.
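To make the point about long, random keys concrete, here is an added example (not part of the original article) that generates a WPA2 key with the operating system's random number generator and shows why letter-for-number substitutions do not rescue a dictionary word. The word list, symbol set and function names are assumptions made for illustration.

```python
import math
import secrets
import string

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
# Assumed symbol set: characters most router admin pages accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed mini word list; real guessing dictionaries hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "sunshine"}

# Substitutions that password-guessing tools reverse automatically.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def generate_key(length=21):
    """Return a key drawn uniformly from ALPHABET using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_key_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a key whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def is_dictionary_variant(key):
    """True if the key is a common word once case and substitutions are undone."""
    return key.lower().translate(UNLEET) in COMMON_WORDS


def assess(key):
    """Classify a candidate key as 'weak' or 'ok' (simple heuristic, not a meter)."""
    if not 8 <= len(key) <= 63:
        return "weak"   # outside the WPA2 passphrase length range
    if is_dictionary_variant(key):
        return "weak"   # a word with cosmetic substitutions is still a word
    if len(set(key)) < 6:
        return "weak"   # too few distinct characters to be random
    return "ok"


if __name__ == "__main__":
    for candidate in ("passw0rd", "P@$$w0rd", "dfh&hBNfp%2#hjfdow1ZR", generate_key()):
        print(f"{candidate!r:28} -> {assess(candidate)}")
    print(f"21 random characters: about {random_key_bits(21):.0f} bits")
```

A 21-character key from this 75-symbol set carries roughly 131 bits of entropy, while passw0rd reduces to a single dictionary lookup.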
Public Networks: If you use public networks, it’s important to understand that everyone on that network can see everyone else’s traffic. It doesn’t take a lot of skill to sit back at a coffee shop or hotel lobby and sniff the network for all the data passing through it. Using a VPN to encrypt and tunnel your connection is essential if you value your security and privacy. It will protect your data from being seen and will protect your computer from a direct attack.
Software updates: Always make sure your computer is up to date on its security patches. Bugs, and ways to exploit them, are found every day. An otherwise well protected system can easily be compromised because a new bug was not patched. However, this approach is not without privacy risks. As the operating system manufacturers add more and more features to their software, some of which could track your activities and behavior, the updates will increase security but could decrease privacy.
Hackers: There are a couple of basic ways that a hacker can get to your system and information. The first is by attacking your network directly. Your network, via its IP address, is constantly targeted by people trying to see if there is a way in. With some malware prevention programs, you’ll often see messages saying “such and such IP address has been successfully blocked”. What that’s telling you is that an attack was sensed and was blocked. Oftentimes, these IP addresses originate in China but they happen from all over the world. The people running these scans are looking for weak spots and have racks of computers, running 24/7, scouting for openings.
The first line of defense against this type of attack is your computer’s firewall. All modern operating systems, whether Mac or Windows, have a standard firewall included with their systems. At the very least, this firewall has to be able to prevent outside access to your computer unless the contact has been initiated from within. For example, if you get on your browser and go to a web site, you want that web site to send back the information you requested. However, you don’t want some random web site or computer to be able to send your computer anything if you haven’t initiated the connection.
Firewalls included with your operating system are fairly good these days and, unless you need to do a lot of tweaking to allow various ports and protocols (which is beyond the scope of this article), you don’t really need an aftermarket version, although many antivirus suites include a firewall with the application.
The second way an attacker may try to compromise your system is by placing malware on your computer. There are an unlimited number of viruses, Trojans and bots out there and new ones are written every day. Some are written by freelance hackers, others are written by government-employed hackers. It doesn’t really matter where they originate. Some of this malware is designed to cause havoc on your computer just for the fun of doing so. But most of it has a specific purpose as described earlier.
Antivirus: Everyone knows that antivirus and antimalware software are essential to combat these threats. There is a lot of such software on the market and most of it is decent. Both Avast and Webroot offer really good software, either free or at a very low price. There are others out there that are good as well.
Regardless of what antivirus software you choose, you also need dedicated, anti-malware software. The best here is Malwarebytes. It’s the go-to solution for most severe malware infections and having it running on your computer will go a long way. And it’s well worth the small price of the paid version to have it running 24/7, as opposed to the free version.
For the average person, doing all of the above will protect you from random attacks both over the network and from malware-filled web sites and emails. Obviously, if you are a high-profile individual at very high risk of intrusion, more needs to be done. But that level of firewalling and protection is beyond the scope of this article.
Web habits: There are many ways to enhance your Internet privacy. A lot of it depends on what you do on the Internet. If you are posting your life story and all your family pictures on Facebook, then you simply have no privacy and you are giving Facebook or similar sites unlimited access to all of this material. With the popularity of sites like Facebook, it’s clear that most people don’t care. Some believe that if they keep their profiles private then they are safe. But since Facebook owns everything you post on their site (and will keep it forever) you can bet they will use it to make money.
Perhaps people should think about their children whose photos and stories are being posted there. Does it occur to them that perhaps that child may not want to be an open book when he or she grows up? Ever think that the cute picture of your little boy, dressed in camouflage and holding his favorite toy gun, could be grounds for child abuse charges at some future time? Or perhaps your discussion about how you eat at fast food joints every day or ride your dirt bike on weekends turns into grounds for denial of life insurance coverage? In any case, if one’s Internet activity revolves around social networks such as Facebook, Twitter and Google +1, then no amount of privacy protection procedures can do anything for you.
If you are one of the relative few that care about their privacy, there are a number of ways to enhance it yet still remain online. We hear about OPSEC all the time in article after article related to survival activities. It’s recommended not to let others know how much food you have, what kind of survival plans you have and how many guns and how much ammo you have. The idea is that you don’t want to be targeted when the day comes. When you visit blogs, forums, firearms sites and prepper supply sites from your home internet connection, you are violating this golden rule.
Your ISP knows all the sites you went to. If you used Google to search for them, Google knows all the sites you went to. Even if you didn’t use Google directly but the web site you went to had a Google analytics link embedded in it, they still would know. Both your ISP and Google see this information as a money-making opportunity because they can sell it to someone down the road. I’m sure everyone has heard of the newspaper that published the names of all the CCW holders a few weeks ago. What’s to stop a similar paper or web site from buying a ‘Prepper’ list compiled from all of this data and publishing that?
And let’s not forget — the government knows all the sites you went to. You may ask how the government knows. It’s because they have systems installed at every ISP and monitor all the traffic. I know you may think that the government has neither the time/resources to monitor everything nor the desire to do so. You couldn’t be more wrong. They have more than enough computing power to monitor everything happening anywhere and anytime. To believe otherwise is naive and wishful thinking. They are expanding their spy networks at an unbelievable pace and those networks grow more powerful every day.
In any case, there are a lot of people who could potentially know about your survivalist plans and preparations. Some will argue that an IP address does not reveal one’s identity. While at a simplistic level that is true, it is not true in the world of massive databases which record everything. Coupled with powerful computers, your IP address can easily be data mined and your identity determined pretty easily. And, of course, your ISP knows exactly who you are as does the government who has their systems collocated at the ISP.
Staying Private: So let’s look at a few ways to stay as private and anonymous as possible.
Changing your IP address by using a VPN to hide your traffic from your ISP and your IP from web sites is a very big first step.
Then, you need to secure your browser to prevent it from sending out information. This was discussed a little while back here so I will not repeat it again.
Assuming you have your browser properly configured and are closing it down and deleting all the cookies and history every time, consider installing a cleaning program on your computer — and use it, often. For Windows, CCleaner is great. For Mac, try Mac Cleanse. These programs will delete old information from your machine and clear all the caches when they are run. They can also be run to clear out all the free space on your hard drive to permanently erase all the “deleted” data which is not really gone but just marked as deleted.
I recommend using duckduckgo.com as your go-to search engine and relegate Google and Bing to the bench, to be used only when absolutely needed. This new search engine claims that they do not track you or your searches. I would support them in their effort by using them.
If you log into a web site that requires a log-in, always close out the browser after each use. When signing up for such a web site, use an alias if possible and provide a throw away email address. Obviously, you can’t do this for shopping sites where you must provide a credit card. But there are a lot of sites that require you to sign on in order to access otherwise free content. They don’t need to know who you are or what your real IP address is. You might also consider a throw away email address even for sites you shop with. That way, after a few months when they have sold your email to everyone, you can just change it and move on, reducing spam significantly.
If you buy a lot of goods online, you might want to use an offshore email address that doesn’t save your emails. Although the shopping site knows who you are and what you bought, as well as your credit card company, there is no need for your email provider to know by scanning the email.
If you log into a web site where you have to provide your real contact info, such as a shopping site, be sure to close the browser after the session in order to delete all the history and cookies. This will prevent the next site (or even Google) from following your path across the net.
When using your VPN, it’s also good to change your computer’s clock to match the location of the VPN. While not a really big deal, it won’t raise any questions if you seem to be coming from a different country if your computer’s time also concurs with that same country.
One final note: while not directly related to Internet security, it is still a good idea to secure your computer’s drive by fully encrypting it. A great program for this, which is public domain, is TrueCrypt. It is very easy to use and encrypts your entire hard drive to government, top secret-level encryption standards. If you do your part by picking a long passphrase and making sure to maximize the randomness of the key generation, it will be impossible to break. Within the encrypted hard drive, you might also want to create a small virtual encrypted drive that does not open when you start your system.
In this drive you would place all of your personal information such as credit card numbers, tax returns, bank accounts etc. Since you only open this drive when needed and close it right after use, it might prevent your information being stolen (in a situation where your computer is hacked) because it won’t be accessible to the malware or the hacker. I would not trust encryption software provided with your operating system. There have been rumors that this software includes ‘back doors’ to allow government agency access. Because much of this software is not public and the source code is not available to the public, nobody really knows. While there is no absolute guarantee that software such as TrueCrypt or OpenPGP is not also compromised, the fact that the source code is open for review and compilation makes it unlikely.
To sum up privacy and anonymity online, it boils down to providing as little real information as possible and as much disinformation as possible. Recognize how easy it is for companies with massive databases to take small pieces of info and stitch them together. Then it will become crystal clear why providing the smallest amount of information possible is absolutely critical to maintaining your privacy.