Safer Internet Day 2016

It’s always important to be safe on the internet, and that more than anything means being safe about your information. Too many people leave information out there that can lead to being stalked, attacked, or otherwise compromised, so your privacy is vitally important.

I’ve spent some 20 years online, a lot of it working on privacy issues, and sometimes annoying the wrong sort of people. I’ve also contributed to a bunch of cases focused on ways to track and locate people. So I’ve got a good idea what is and what isn’t ‘safe’.

So right now I’m going to give you a few tips for internet safety.

Identify your risks

One of the most important things is to assess who your threat is likely to be. Protecting yourself from unwanted government attention requires a different approach from dealing with a jilted and bitter ex, and both carry different risks from internet trolls doing it ‘for the lulz’ or from identity thieves (and no, identity thieves don’t care if you’re broke; you still exist and can get credit somewhere, and both of those things can be valuable to people).

Good Passwords

Don’t reuse them if you can help it. Otherwise, if one account can be compromised, they all can. There’s lots of different advice out there: some suggest using some kind of formula to devise unique passwords you can remember, others suggest using a password manager (I use lastpass) to manage them. However, remember your risk factors above; sometimes a sticky-note can work just as well for tracking them if your threats are all online and not physically near.

Be Careful with Social Media

Don’t ‘overshare’ is the key thing. I have seen people actually “check in” on facebook to their home, which means that everyone you’re friends with on facebook (from your aunt, who probably already knows, to that person you added because you play a game with them) knows where you live. Not only that, but because it’s set as a ‘place’ in the facebook system, now anyone nearby will know it’s your house. The same goes for activity tracking apps (Endomondo, RunKeeper, etc.).

Check your privacy settings on social media accounts as well, so that only the people you want to know things will know. Finally, check cameras and camera settings. Many cellphone cameras (especially the iPhone) have a feature called geotagging, which embeds the GPS coordinates of where the photo was taken into the metadata of the photo. It’s great if you’re out hiking and you want to know where you took that amazing vista, or you’re sightseeing in a city and want to keep track of which photos were of what. It’s not as useful if it’s a photo of your kids playing in the backyard: you know where it is, and anyone who has a need to know where your backyard is already knows, so there’s no need to embed it in the photo.
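To make “embedded in the metadata” concrete, here is an added example (not the post’s own code) that reads the GPS entries straight out of a photo’s Exif block, the kind of check a pre-upload tool could run to warn you before a geotagged picture leaves your phone. The Exif blob and the skeleton JPEG it is wrapped in are constructed test input; no real photo is included, and the layout offsets (26 and 80) are just where the constructed IFDs happen to land.

```python
"""Detect a GPS geotag in a photo's Exif metadata (added example, not from the post).

Exif is a TIFF structure: an 8-byte header (byte order, magic 42, offset of IFD0),
then IFDs made of 12-byte entries. IFD0 may carry tag 0x8825 (GPSInfo), which
points to a GPS IFD holding GPSLatitudeRef (1), GPSLatitude (2), GPSLongitudeRef (3)
and GPSLongitude (4). Each coordinate is three RATIONALs: degrees, minutes, seconds.
"""
import struct

TAG_GPS_INFO = 0x8825
TYPE_ASCII, TYPE_SHORT, TYPE_LONG, TYPE_RATIONAL = 2, 3, 4, 5


def exif_from_jpeg(jpeg):
    """Return the TIFF payload of the APP1 'Exif\\0\\0' segment, or None if absent."""
    pos = 2  # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]  # includes its own 2 bytes
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None


def _read_ifd(data, offset, endian):
    """Map tag -> (type, count, 4 value/offset bytes) for the IFD at offset."""
    count = struct.unpack_from(endian + "H", data, offset)[0]
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", data, pos)
        entries[tag] = (typ, n, data[pos + 8:pos + 12])
    return entries


def _rationals(data, entry, endian):
    _typ, n, val = entry
    off = struct.unpack_from(endian + "I", val)[0]  # 8-byte rationals never fit inline
    pairs = struct.unpack_from(endian + "II" * n, data, off)
    return [num / den if den else 0.0 for num, den in zip(pairs[::2], pairs[1::2])]


def _ascii(data, entry, endian):
    _typ, n, val = entry
    if n > 4:  # longer strings live at an offset rather than inline
        off = struct.unpack_from(endian + "I", val)[0]
        val = data[off:off + n]
    return val[:n].rstrip(b"\0").decode("ascii", "replace")


def gps_coordinates(exif):
    """Return (lat, lon) in decimal degrees, or None when the block has no geotag."""
    endian = "<" if exif[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", exif, 2)
    if magic != 42:
        raise ValueError("not a TIFF/Exif header")
    gps_entry = _read_ifd(exif, ifd0_off, endian).get(TAG_GPS_INFO)
    if gps_entry is None:
        return None
    gps = _read_ifd(exif, struct.unpack_from(endian + "I", gps_entry[2])[0], endian)
    if any(tag not in gps for tag in (1, 2, 3, 4)):
        return None

    def decimal(ref_tag, val_tag):
        d, m, s = _rationals(exif, gps[val_tag], endian)
        dec = d + m / 60 + s / 3600
        return -dec if _ascii(exif, gps[ref_tag], endian) in ("S", "W") else dec

    return decimal(1, 2), decimal(3, 4)


# ---- constructed test input, standing in for what a phone camera writes ----
def build_sample_exif(lat, lon):
    """Minimal little-endian Exif blob geotagged with lat/lon (constructed, not a real photo)."""
    def dms(deg):
        deg = abs(deg)
        d = int(deg)
        m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)  # seconds stored as hundredths
        return struct.pack("<IIIIII", d, 1, m, 1, s, 100)
    gps_off, data_off = 26, 80  # IFD0 ends at byte 26, the GPS IFD at byte 80
    ifd0 = struct.pack("<HHHII", 1, TAG_GPS_INFO, TYPE_LONG, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, TYPE_ASCII, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    gps += struct.pack("<HHII", 2, TYPE_RATIONAL, 3, data_off)
    gps += struct.pack("<HHI", 3, TYPE_ASCII, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    gps += struct.pack("<HHII", 4, TYPE_RATIONAL, 3, data_off + 24)
    gps += struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + dms(lat) + dms(lon)


def build_sample_exif_without_gps():
    """Same header, but IFD0 holds only an Orientation tag (0x0112) and no GPS IFD."""
    ifd0 = struct.pack("<HHHIHH", 1, 0x0112, TYPE_SHORT, 1, 1, 0) + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0


def wrap_in_jpeg(exif):
    """Wrap an Exif blob in a skeleton JPEG: SOI, one APP1 segment, EOI."""
    seg = b"Exif\0\0" + exif
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(seg) + 2) + seg + b"\xff\xd9"


if __name__ == "__main__":
    photo = wrap_in_jpeg(build_sample_exif(51.5, -0.125))
    print("geotag:", gps_coordinates(exif_from_jpeg(photo)))
```

The parser only walks IFD0 and the GPS IFD, which is all a geotag check needs; a full Exif reader would also follow the Exif sub-IFD and handle thumbnails. The fix on the user’s side is simpler than any of this: turn off location access for the camera app, or strip metadata before sharing.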

Finally, on facebook it’s generally not the best idea to list family associations. Anyone that needs to know already does; anyone that doesn’t, shouldn’t. And you’d be surprised how often that information might be useful. After all, if your mother is marked as your mother on facebook, she’s the key to one of the most common security questions, “What’s your mother’s maiden name?”. Who knows, she may even have it listed in her profile name, or (if you’re young enough) her mother might be listed.

Social engineering

This is a hard one for people to deal with themselves, as often it’s not targeted at you. Often it’s directed at companies you deal with, and how well they handle it depends on them. Last month Amazon was severely panned for its poor security in dealing with social engineering attacks. By contrast, a day or two later I had to deal with Microsoft over an Xbox Live account. When I spoke to the guy on the phone, all he could ask me for was the email address the account was tied to, and I had to get a code. He typed it in wrong, so I couldn’t get the code, and so he couldn’t help me, not even by typing in a different/new email address, because multiple guesses are one way to engineer. I had to try back an hour later. It was annoying, but it was for my own security, so I had no issues.

It can also target people directly, though. Phishing emails are emails that claim to be from a company or other entity but are actually sent by scammers, warning you of an account problem that you can fix by just logging in at this link, please and thank you. Other tricks range from fake apps (horoscopes, ‘who looked at your profile’ things, ‘who is your X friend’, ‘what does your name mean’, etc.) to images that are incredibly obvious (deliberately so). Others can be more surreptitious, though, wheedling out information you may not want to reveal.

A typical phishing email. Note the account activation link at the bottom goes to gob.ve not apple.com

This kind of app provides a useless result, but can be used to suck down all your personal information

An image like this can be used to get personal information, in this case your month and day of birth.

Extremely obvious, but it might catch some out.

Children

This is a whole massive topic on its own.

First, remember that children are generally prohibited from setting up accounts on most sites until they’re 13 years old. That’s more for their benefit than anything else, as sites aimed at those under 13 generally have to obey stricter laws on data handling and privacy. And yes, that means it doesn’t matter how mature you think they are, your 11yo should not have an account on facebook. You’re not being a ‘cool parent’, you’re actually being a bad one, unless you REALLY know what you’re doing, and most parents do not.

There are two major aspects here though. The first is teaching the kids personal privacy. That means you don’t share information about yourself with random people. It’s basically the stuff above, but drilled into them. It’s not the easiest thing in the world to do, but it’s preferable to the potential fallout if you don’t. That also includes the basics for the park and playground applied to online activities.

Secondly, actually protecting your children from the internet itself. There are a whole bunch of programs you can buy that claim to keep your child in a nice, safe, sanitized area of the internet. They don’t work. The internet is a dynamic place, and no outside program can keep up with it. Sure, they’ll block playboy.com or porn.com, but what about randomnakedpics.co.jp? Or even Google/Bing image searches? Not only is it physically impossible to search and rate the entire internet, but there are people who specialise in trying to circumvent such systems, to open themselves to traffic that would otherwise be missed because of filtering software installed by a university, library or coffee shop, for instance.

Of course, the biggest give-away that these don’t work is that even court-ordered blocks, imposed at the ISP level to prevent a site being viewed by ANYONE in that country, fail. The Pirate Bay is often the number one bittorrent site in the very countries that aren’t supposed to be able to access it. When blocks at a national level, put in place to stop one specific site by people whose job requires them to be knowledgeable about internet systems, can’t even manage that, what hope do you think a $45 piece of software has of blocking an entire genre of material from one specific computer?

For the last two years at Dragon Con, I’ve given talks on this matter with my good friends Dave Maass of the EFF, and Geoff Termorshuizen (a cryptography/security researcher) in both 2014 and 2015 (see below), and much as we tried to focus on the first point, everyone wanted to talk about trying to get the second point to work. Nevertheless, there’s a lot of good info there.


Conclusion

To be safe requires some thought, some effort, and a lot of “being a really suspicious bastard”. If something seems too good to be true, it probably is. If an email from somewhere you have an account turns up unexpectedly in your inbox, don’t use any links it may provide; use one you know is good. If a guy turned up and said he was a police officer checking on something, you wouldn’t take his word for it, nor would you call the number he helpfully provides (555-I-AM-A-COP / 555-426-2267); you’d call a number you know is going to get you to the police. Use the same judgement here.

Don’t overshare on social media, and be aware of social engineering tricks. And if you have kids, all this goes double for them.

And again, these are just basic tips, I’ll give some advanced ones some time in the near future.