The Art of Privacy – Part 3

This is the best part of the whole series, because here I will tell you what to do to protect yourself from prying eyes, whether those eyes belong to hackers or to oppressive regimes (this is such a relative term 🙂). It’s a good feeling when you realize and appreciate that your thoughts are your own. Imagine if someone could read your mind, siphon off anything you think, mine that data, extract the useful bits of information and then use them. Well, this is what is going on nowadays in the cyber world, as already discussed (briefly) earlier in this series.

So, how do I become invisible to everyone, even to the point of having contingencies in case life turns into iRobot’s plot?

Privacy protection can be divided into two parts:

Physical – In context of cyber

Cyber

Physical protection entails protecting your credit card data and the information on your phone’s screen. Please keep in mind that this is not a tutorial on learning Kungfu to protect your wallet or phone from thieves; it is about what data an attacker can extract without even making contact with you, and how you can secure it so that all such attacks are rendered unsuccessful.

Nowadays, all credit/debit cards are contactless, which means, in layman’s terms, that you can just touch the point-of-sale machine with the card and you are good to go. It is a well-known fact that any threat agent can use cheap hardware to extract information from the credit card from afar. The same goes for bus cards, tram/train tickets, etc. They all use RFID technology now.

The easiest way to protect them from an attack is to use a wallet with RFID protection. You can find many different kinds of these wallets in the supermarket. If you love your own wallet, or your wife gave it to you as a gift and you will be sleeping outside your house if you don’t use it, then, my friends, there is another solution: you can easily buy RFID protection sleeves which hold your cards, and then put them into your wallet. You can buy them anywhere as well. I have been using the sleeves in my wallet too. I got the F-Secure ones; they work pretty well.

Information on phones can be protected by adding a privacy screen protector. They are available for Android devices and iPhone/iPad/iWhatevertheycomeupwithNext.

Cyber-based protection entails everything that is done online or offline but deals with the non-physical: bits and bytes!! In the case of cyber, the threat actors have already been explained in the previous articles of this three-part series.

The first thing one must, and I say MUST, do is install a VPN. VPNs are virtual private networks which, in a nutshell, encrypt all traffic between you and their server. Think of it as an underground tunnel with a special train that makes you invisible, so you can easily pass through any barriers, exit the city you want to exit undetected and then carry on. Usually, when your traffic is going through the network, it looks like this (a lot more is going on, but it is illustrated this simply just to explain my point):

You ==> Your ISP — |Prying eyes| ===> Google/Facebook/Instagram/Blah/Blah and Blah

When you are going through a VPN:

You =|Encrypted tunnel|=> VPN server (ISP? WHO/WHAT?) ===> Google/Facebook/Instagram/Blah/Blah and Blah

So, that was that. A VPN is a must if you want to stay anonymous. Of course, one should never abuse this. Never do anything illegal!

The VPNs which I have personally used are F-Secure Freedome and Private Internet Access, which are quite good with respect to price, log retention and speed.

Secondly, browser addons are your best friends: addons like NoScript, Disable WebRTC, HTTPS Everywhere, uBlock Origin and User-Agent switcher. These are some of the addons for Mozilla Firefox. If you are a Chrome user, find equivalent addons.

Using proxies is usually not a good option for anonymizing your traffic, because WebRTC can be used to get your real IP unless it is disabled on the browser side. Furthermore, JavaScript can be used to extract your real IP. So, in short, don’t use proxies.
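To check from your own side what WebRTC would reveal, you can look at the ICE candidates your browser produces and compare the addresses in them with the IP you expect websites to see. The following is an added example, not part of the original post; the sample candidate lines, the IP addresses (documentation ranges) and the function names are constructed for illustration.

```javascript
// Added example: audit WebRTC ICE candidate lines for addresses that differ
// from the proxy/VPN exit IP. In a browser, these strings arrive in the
// RTCPeerConnection "icecandidate" event; here they are constructed samples.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line.trim());
  if (!m) return null;
  const raddr = / raddr (\S+)/.exec(line);
  return { address: m[1], type: m[2], relatedAddress: raddr ? raddr[1] : null };
}

function addressKind(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // obfuscated hostname, no IP revealed
  if (addr.includes(':')) {                   // IPv6: unique-local or link-local
    return /^(f[cd]|fe[89ab])/i.test(addr) ? 'private' : 'public';
  }
  return PRIVATE_V4.some((re) => re.test(addr)) ? 'private' : 'public';
}

// Returns every address that reveals more than the expected exit IP does.
function auditCandidates(lines, expectedExitIp) {
  const findings = [];
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === '0.0.0.0' || seen.has(addr)) continue;
      seen.add(addr);
      const kind = addressKind(addr);
      if (kind === 'mdns' || addr === expectedExitIp) continue;
      findings.push({ address: addr, type: c.type, leak: kind === 'public' ? 'real-ip' : 'lan-address' });
    }
  }
  return findings;
}

// Constructed sample: the proxy exit is 198.51.100.7, the real address is 203.0.113.45.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 2122260223 3f2a9c1e-7b4d-4e2a-9c1f-5d6e7f8a9b0c.local 54322 typ host',
  'candidate:4 1 udp 1686052607 198.51.100.7 54323 typ srflx raddr 0.0.0.0 rport 0',
];

console.log(auditCandidates(SAMPLE_CANDIDATES, '198.51.100.7'));
```

An empty result means the candidates expose nothing beyond the exit IP; a `real-ip` finding means the browser is revealing an address the proxy was supposed to hide.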

TOR is another good example of how to keep yourself anonymous. Note that TOR works as a proxy, but it is untraceable. The operating system, as well as any other apps that are not proxy-aware and have not been explicitly given the IP of the proxy, will connect to their respective services normally, and not through TOR.

Just remember: if you are using TOR, never use your credentials on websites which do not run on HTTPS.

These are some of the things that privacy health-conscious people use to protect themselves. I would recommend them to all the great readers out there.

Stay Safe.

 

~Peace

The Art of Privacy – Part 2

The biggest threat to privacy is the attitude of “AH, what would someone do with my email address, phone number or social security number”. Thanks to growing security awareness, security terminology becoming a fad and the names of attacks becoming more and more attractive, non-security-savvy people are starting to somewhat understand the tricks malicious attackers use to lure people into giving out their private information.

Unfortunately, this isn’t enough. Privacy threat actors range from a 13-year-old sitting at a computer to state-sponsored hackers to law enforcement to advertising agencies, which technically are working within the bounds of the law and aren’t doing anything illegal.

The problem, which I have been talking about for ages, is that there is so much unprotected personal information available on the internet that you cannot pinpoint and blame a specific person for taking the data and using it. Then we have the problem of data leaks, for example the recent Equifax data leak. Data leaks and public dumps are a recent trend. In the early 2000s there were more breaches because, well, SQL injection was new. Even now SQL injection is the reason for a breach almost 50% of the time; imagine how many databases would have been dumped when it was new, and Google dorking was new, and would have roamed around in the underground without ever making the news or being available for anyone to download.

The dumps of emails and passwords leaked from LinkedIn, Twitter etc. are now on several websites. As an example, please find two such websites below:

https://haveibeenpwned.com

https://hacked-emails.com/

Technically they do not show you the password for anyone else but just tell you if your email is in the hacked databases list, but they have all the raw data so…

I have been using a website called Pastebin for years now, which is quite valuable when it comes to finding your leaked information. Google is also a very well-known platform for finding leaked information using Google dorks.

Well, if we talk about data leaks, one can argue that it is not an individual’s fault that the data got leaked. It was because of an Apache Struts vulnerability (unpatched, though the patch was released ages ago 🙂) that the server got pwned! So yes, that is not the individual’s fault. It is the individual’s fault when he is in the military and publishes every detail of what he is doing and on which technology, so that anyone can track him down. What happens when people do that, you ask? ICWATCH happens!!!! It is also the individual’s fault when he/she makes all his/her pictures public on Facebook, Instagram or any other social networking website. What can someone do with my picture from Facebook, you ask? It is not a social security number or a phone number, you say? I will give an example or two of what they can do, apart from selling your picture to advertisers, or a bad, bad man getting hold of your pictures, extracting the GPS location embedded in them (thank you, smartphones) and getting your home address:

Example: So let’s talk about cryptocurrency, Bitcoin and the whole shebang. Oh, so cryptocurrency is untraceable, right? What do we do? Well, what the high-end exchanges now do is require a picture of you taken with a camera, plus a photo ID, before you can register with the exchange, set up a wallet and so on. After that, whatever transaction you make can be chained back to your account and inevitably to you. Unless you are using Monero!! So, about the attack: let’s call the attacker “Evil Joe”! Evil Joe gets your selfie from Facebook, which he/she conveniently finds online as it is public. He uses that picture for the first round of verification and, in the second round, uses a different picture, photoshops it onto a photo ID, scans it and uploads it. Next, he sets his username and password and boom, he has stolen your face identity. Now whatever transaction he makes comes back to your face, and as most law enforcement agencies have facial recognition, they will contact you and you are in trouble, at least until they are sure that you weren’t involved.

One other scenario that I would like to briefly describe: say you have facial recognition on your Samsung S8. A thief steals your phone or purse (ladies). What can he do with it? He can search for your name on the internet and on Facebook, and if he finds a public picture of you somewhere in which your face is prominent, he can use that to unlock your phone.

There are many other attacks, social engineering being the most effective, but for that I would refer to different books as this has been covered thoroughly by many people.

Recently, I saw a very well-renowned political figure of A country on Twitter. She shared a picture of a document without thinking of removing the name, phone number and social security number of another government official. I think that was because she has no concept of why exposing a social security number is a very bad thing.

In the third part, I will explain how to protect yourself from these threat actors and how to be anonymous and invisible to prying eyes.

~Peace

The Art of Privacy – Part 1

This is a three-part special. The first part covers what privacy means to a normal person, how it impacts that person’s day-to-day life, and the facts about what is going on in the cyber world in terms of privacy.

The second part covers the mistakes that people make and the mindset that people have about internet privacy.

The third and the final part would include how you can protect yourself against attacks, even if you aren’t computer savvy. You will also be introduced to technologies being used nowadays to defend against privacy breaches.

Part 1:

Let’s start with what privacy is, though all of you might already know. Privacy is the right of an individual to keep his/her private stuff private. Technology is a part of our life now and, unfortunately, the threat landscape is quite big in terms of privacy.

You might have heard about IOT (Internet of things) which means, all the devices that are connected to the internet and to each other, for example Cameras, locks, fridges etc. There have been many security concerns about IOT devices, which I will not be covering here.

Technology has become closely intertwined with our daily lives. Take cell phones, for example: instead of having different devices for different tasks, smartphones now have everything in one package, such as GPS, 3G/4G, Bluetooth and NFC, technologies which have many applications in our day-to-day life. The internet is a technology we are so dependent on that a little disruption in it causes us serious discomfort. These technologies can be attacked to invade one’s privacy.

Security and privacy have always had a love/hate relationship. Complete security requires a privacy breach at some level, which becomes a problem in the case of complete privacy. Last year the General Data Protection Regulation (GDPR) was adopted in the EU; it has several detailed points about the protection of privacy for EU citizens and residents. This is a very good thing but, to be honest, it protects our data on services such as Google or other corporate entities. What about hackers, intelligence agencies, cyber armies? How should we protect ourselves against them? How can we keep our personal information personal? I will tell the good readers how to protect one’s privacy online in part 3 of this article.

Now, I would like to briefly talk about the attacks against privacy. Recently, we heard about the NSA snooping into mobile networks and reading SMS etc. Due to the leaks, the world now knows about Hacking Team and Finfisher, companies that blatantly sell command and control implants to governments and even law enforcement agencies, which were initially used to spy on activists, journalists, etc. Nowadays, due to the threat of increasing cybercrime, the implants might be used against normal people if they are persons of interest to law enforcement. For example, the recent surveillance law in Germany empowers the German police to read the WhatsApp messages of people who become persons of interest to the police. Since direct interception is not possible, they would most probably be using some kind of social engineering technique to install the police-controlled implant onto the cell phone of their target. Similar surveillance powers are or will be given to the police in the UK.

To be very clear, if the person has committed a crime and/or, well, is a bad guy, I am completely in favor of this surveillance law. But that is quite hard to know, unless it is Tom Cruise’s Minority Report and there is a pre-crime unit. Knowing which of the suspects is a real bad guy and which is innocent is quite hard, so there would be quite a big range of false positives, who would lose their privacy as collateral.

There have been so many cases of identity theft in different countries due to breaches, leaks, phishing etc. With your identity stolen, you can lose your bank accounts, end up on the police wanted list, come under serious debt, etc. Apart from identity theft, there are GPS spoofing (where you can be sent somewhere else and the information that you hold may be taken by force), cell phone hacking, television hacking and voice snooping, implants to intercept internet traffic at the ISP end, SMS interception and SS7-based attacks, all of which are attacks against normal people and are used to compromise confidentiality and breach the privacy of the intended targets.

At the end of this three-part article, I will mention different books covering privacy and how to be invisible.

Thanks for reading.

Part 2 will be coming out soon!

Peace!