Hey guys, I'm going to leave this post up for a couple of days and afterwards I am going to delete it. Take notes. (EDIT: The reason I want to delete this after a few days is to protect my own security habits. At some commenters' request I will leave it up for longer than a couple of days. Perhaps a couple of weeks, then. Do know that this will be deleted eventually. Do not just save this post; copy and paste it into your own notes.)

So a lot of you are losing money by using poor cybersecurity practices. Most of my friends and people online say I'm a bit overkill and paranoid. I think everyone should be overkill and paranoid about their online security. Cybersecurity isn't "for the nerds" anymore. A lot of companies, governments and black hats are after your stuff for one reason or another, and you need to wise up. "But I don't have anything to hide..." <- Zip it! Your computer and your phone hold more info about you than your closest friends do. Believe me, you do have something to hide, and that information can and will be used against you by anyone who can get to it.

I decided to write a quick post giving you a layman's introduction to protecting your stuff and to where you can educate yourself further. Without further ado, here's the paranoia guide to internet privacy and security, volume I:

Passwords:

Passwords are the keys to your stuff. Never reuse passwords. You should only have to remember one password: the master password of your password manager. That's it. Password managers are encrypted databases that hold your usernames and passwords, plus some extra notes if you wish. You use them by copying and pasting the info from the database into your login forms.
They have specific security features for this purpose, so they're the right tool for the job (for instance, they clear your clipboard 15 seconds after you copy a login or password, to prevent clipboard leaks). You tell your manager to generate as complex a password as you want, but I find that 15 characters with numbers and special characters in the mix is the sweet spot: if you ever need to log in from an external computer, you don't want to spend too much time typing a password manually.

There are two types, offline and online. I prefer offline because I'm paranoid. Whatever is not in the cloud or accessible online is safer. If someone manages to hijack your browser or phish you, they may get access to your online manager. If someone manages to hack your account, they may get access to your online manager. Most people who use an online manager are fine; they have good programmers taking care of security. Still...

My recommendations are: for online, Bitwarden. It's open source and endorsed by the best cybersecurity nerds here on reddit. For offline, KeePass. It works on Windows, you can put it on a flash drive, and it also works on Android. Do keep the database on a dedicated flash drive or two, because if your computer breaks, there go all your passwords.

"But wasn't KeePass hacked?" <- No. The machine where they "hacked" KeePass, using a program called KeeFarce, was already compromised. That brings me to:

Machine security:

A lot of you use Windows. Linux is much safer, but it can also be a PITA to use sometimes. If you're going to use Windows (which I also do), make sure to use an antivirus and run regular scans (at least once a month). Which ones? Avast, Kaspersky, Bitdefender and ESET are the most recommended ones. Pair it with Malwarebytes for beefed-up malware defense as well.
CCleaner is great for tuning up your machine, but I also use it to remove startup programs easily, in order to kill bloatware or infection vectors.

However, as my cybersecurity teacher once told me, an antivirus is something that protects you after you've already messed up. It's a cure, not a defense. Someone has to get infected before the programmers can create a defense for it. So your true line of defense is your internet habits. Make sure your machine is updated. Security holes are constantly being patched around the clock and delivered to you via updates. Updating is a slog, but it is important.

Also, a lot of infection vectors come from pirated software and games. DYOR on the best piracy practices here on reddit (I shall say no more, nor link any websites, because I know some mods are touchy about it).

Browser:

A lot of people use Chrome. Some people are into Brave. I personally recommend Firefox. Firefox is the tried and true staple of anonymity and cybersecurity. It might not give you tokens, but hey, it's pretty good at what it does. The default Firefox is pretty good, but extensions make it perfect. Go into the security settings, turn on Do Not Track and the built-in HTTPS-only option, and jack up browser security to strict. Disable autofill, and disable saving passwords and logins (that's what the manager is for). I use the same setup on my Android phone. For your phone you'll have to copy your KeePass database manually over a cable every time you update it. PROTIP: You can save your address and credit card as a login entry for easy form filling. You can also save your card's expiration date and the emergency numbers too, so that if your card gets stolen you can cancel it quickly.

Extensions:

I recommend you install uBlock Origin (I know, I know, support websites. However, ads are a massive malware vector, and you can always unblock your favorite sites), Privacy Badger, Privacy Possum (anti-trackers), Multi-Account Containers and Decentraleyes.
On Android there's no built-in option for HTTPS everywhere, so install the HTTPS Everywhere extension there. Every extension has an explanation page, but if you want to know more, I can give you the quick version. Just ask.

If you're good with computers, NoScript and CleanLinks are good choices. The reason I say "if you're good with computers" is that these two extensions will break everything. Malware runs on scripts and trackers track you through tracking links, but so do normal website operations.

2FA:

Do not use SMS 2FA. Several people have come here and to other cybersecurity subreddits because they were hacked this way. Your SIM card can be cloned and someone else can receive the same SMS as you. In a pinch you can use Google Authenticator, but what you should actually be using is YubiKeys. YubiKeys are 2FA devices that unlock your account via USB or NFC. They're great, unhackable (so far), portable, offline, safe and only cost 50 bucks. Have more than one, because if your single YubiKey breaks, you have another. Yes, you can attach more than one key to your account. They work with most of the popular services (Google, Microsoft, Amazon, Facebook, Instagram, etc.) and, best of all, they work with KeePass.

E-mail:

Have a secret e-mail that no one knows about and use it as a recovery e-mail in case all else fails. I personally use ProtonMail for my secret recovery e-mail. It also receives the alert e-mails in case one of my main e-mails is accessed without authorization.

Likewise, have a crap e-mail that you give to everyone who gatekeeps what you want in exchange for an e-mail address. I check that one once per giveaway, to confirm the link they send me. You can set up filters to forward the stuff you need easily.

Never click on links in your e-mail. Got an e-mail from Netflix?
Manually use your browser to get to Netflix.

Reduce social engineering sources:

I don't know how you feel about social media; however, I hacked my first account at 13 using info I got from a friend's social media. How did I do that? Well, his security question was "what color is my house" and his profile pic was taken in front of his house. I didn't mess (too much) with his account, but it shows how easy it is to gather info from your social media and use it against you. Be careful with what you put on social media.

Another way I can easily steal your info is if you use my computer and I change the save login and password settings to save yours. Check the browser you are using and make sure your info isn't being stolen. Even so, a keylogger could be running in the background, so better yet, do not type your credentials into a computer that you don't manage yourself. Do not open, under any circumstances, your KeePass database on a computer that you don't manage.

Also be aware of running your mouth on social media, particularly on reddit. Your post history is not private. You only need so many crumbs to pull off a social engineering hack. Loose lips sink ships!

Crypto:

Ok, now onto crypto. As you are well aware, the best crypto storage device is a hardware wallet, like a Ledger or a Trezor. Do use a passphrase. As for your seed (recovery phrase), keep it in a steel wallet. They survive fires and floods and are reasonably secure, but they are also super obvious to anyone who's into crypto. If you're a digital nomad and you're roaming around, perhaps writing it somewhere clever, say, in a book, might be better for getting through airport security. If you want to store your mnemonic extra securely, I recommend several steel wallets and Shamir's secret sharing using SLIP-0039. In short, it allows you to spread your seed over, say, 3 cards, so that you need all 3 to restore your hardware wallet.
That means you can entrust those cards to someone (responsible, so they don't lose them) and they can't do anything with them on their own. Or you can have 5 cards and need any 3 out of the 5 to get to your mnemonic. DYOR about SSS using SLIP-0039.

What you should not do is invent your own cryptographic scheme (unless you're some sort of cryptographic genius), because you will create something that's less secure than what's out there, easier to crack and, worse still, you might forget what your scheme was.

VPN:

Tom Scott published a video saying VPNs are less useful than you might think and mocking VPN adverts. I recommend you watch it on YouTube for impartiality's sake. I honestly don't agree with it. I mean, he has many good points: browser security is pretty good nowadays and VPNs can be redundant. However, governments can still see which websites you're visiting and can keep you from accessing certain websites you want to access. Corporations will also have a harder time pinning you down with a VPN. I recommend a VPN. Personally I use WeVPN, because it's super cheap. It costs money, but it removes internet gatekeepers and gives you that extra privacy bump. Do remember to rotate servers to mitigate the risk of landing on a compromised VPN server.

There's so much more that I'd love to tell you, but this is getting pretty long. I didn't cover cloud services and hard drive encryption. Some other time perhaps.

More info: r/privacy, r/europrivacy, r/cybersecurity, r/privacytoolsio

Keep yourself safe and anonymous. I'm open to suggestions and criticisms, so if your method is better than mine, please share it so I can use it too. Feel free to copy and paste this, even if you do not credit me. It's not as if a paranoia guide is going to make me famous.

PS: This is advice for accessing the clear web. It is inadequate advice for accessing the darknet (because that's not relevant for this sub).
Submitted June 29, 2021 at 12:36PM