Posted on 12/23/2024 10:23:41 AM PST by Mean Daddy
With everything going on in the world, I wanted to reach out to see what other Freepers are doing online to protect yourselves, whether it's subscribing to a monitoring service for activity under your name, using a VPN (which one & why), password managers, multi-factor authentication, etc.
What else should a person consider?
Newsflash! I left Proton VPN on inadvertently. It started to make websites such as X-Twitter non-loadable.
I have seen some great VPN deals for Christmas. Range of $25 for one year, $47 for 27 months. I will dig them up if you like.
"I just tested Proton VPN. My speed was 102 Mbps. Turned off Proton, and speed was 115 Mbps."
Merry Christmas to you and your family!
93% of breaches occur due to successful phishing campaigns. 99% of those campaigns are unsuccessful if MFA is enabled. Think about that. Why would you want to leave your online protection to a single factor? With phishing-resistant MFA such as FIDO2 keys (YubiKeys) and authenticator apps, it’s impossible for adversaries to bypass those protections without your knowledge and actual involvement. Your mentality should be that you should be confronting any agency that DOES NOT offer MFA, because they’re putting your safety at risk.
Oh, I’m very glad to have it. My point was just that these days you often don’t choose to use it, it’s just a feature of those accounts.
Absolute #1: Multifactor Authentication (MFA)
If you’re not using MFA everywhere it’s available, you’re at risk. If you’re doing business with agencies that don’t provide MFA, you should demand that they do. Phone calls and text messages ARE NOT SAFE! Do not be lulled into complacency. Phone and SMS factors have been against Federal cyber guidelines since 2015! Implement phishing-resistant MFA everywhere you can.
#2: EVERYTHING you do on your phone can be seen. Everything. I’m not embellishing this. I work in cybersecurity, and what I’ve seen would make the majority of thinking people in this world throw their phones in the trash. Even encrypted peer-to-peer apps such as WhatsApp and Signal have been compromised recently. Do NOT trust your phone for anything important.
#3: Don’t think you’re safe behind a VPN. While many VPNs have been public about not retaining records that could be subpoenaed, there are recent stories about nation state actors, including the CIA & NSA, compromising VPN providers to snoop. A VPN is just a redirect. It masks your source IP, but if they’re able to infiltrate the VPN provider itself, then you’re not anonymous.
#4: Remember this phrase: “Defense in depth.” Utilize a VPN but also use the Tor Browser along with a custom DNS provider (preferably a local Pi-hole, but a public provider from OpenNIC will suffice), and make sure you’re using DNS over HTTPS (DoH). Where you go on the Internet is very easy to discover from DNS queries, since almost everything uses names instead of IP addresses. Normal DNS traffic is unencrypted. All it takes is someone doing a packet capture on a network to which you’re attached to find out where you’re going. That includes websites behind HTTPS/TLS.
Using a VPN with Tor and a custom DNS provider is about as strong as you can get to anonymize yourself, but it’s not bulletproof. If the spooks want to figure out who you are, it’s only a matter of time.
#5: STOP USING SOCIAL MEDIA! It’s a cancer on our society and has almost zero redeeming value. It is also the source of a majority of scams, malware, and phishing.
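To make the DNS point in the post above concrete, here is an added Python example (not from the thread or any poster) that builds a plaintext DNS query, pulls the hostname back out of the raw bytes the way a passive sniffer on port 53 would, and wraps the same bytes in a DNS-over-HTTPS GET request. The captured packet and the resolver endpoint https://dns.example/dns-query are constructed for illustration.

```python
from __future__ import annotations

import base64
import struct

# Constructed sample: the raw UDP payload of a plain DNS query for www.example.com
# (type A, class IN), exactly as a packet capture on the local network shows it.
CAPTURED_QUERY = bytes.fromhex(
    "1234"              # transaction ID
    "0100"              # flags: standard query, recursion desired
    "0001000000000000"  # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    "03777777"          # label "www"
    "076578616d706c65"  # label "example"
    "03636f6d"          # label "com"
    "00"                # end of name
    "00010001"          # QTYPE=A, QCLASS=IN
)

# Hypothetical DoH resolver endpoint, used only to build the request URL.
DOH_RESOLVER = "https://dns.example/dns-query"


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal one-question query with recursion desired (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_questions(packet: bytes) -> list[tuple[str, int]]:
    """Return (hostname, qtype) for every question in a DNS packet.
    This is all a passive observer needs: no key, no decryption."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    pos = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question section")
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question name")
            if pos + length > len(packet):
                raise ValueError("truncated label")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        if pos + 4 > len(packet):
            raise ValueError("truncated question section")
        qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4
        questions.append((".".join(labels), qtype))
    return questions


def observed_hostnames(payloads: list[bytes]) -> list[str]:
    """What a sniffer learns from a pile of UDP/53 payloads: sorted unique names,
    skipping anything that is not a parseable DNS packet."""
    names = set()
    for payload in payloads:
        try:
            names.update(name for name, _ in parse_questions(payload))
        except ValueError:
            continue
    return sorted(names)


def doh_get_url(packet: bytes, resolver: str = DOH_RESOLVER) -> str:
    """The same wire-format query as an RFC 8484 GET request. base64url is only an
    encoding; the privacy comes from the TLS connection to the resolver, which hides
    this URL from anyone on the local network (the resolver itself still sees it)."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def decode_doh_param(url: str) -> bytes:
    """Resolver side: recover the wire-format query from the dns= parameter."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore the padding RFC 8484 strips
    return base64.urlsafe_b64decode(b64)


if __name__ == "__main__":
    print(observed_hostnames([CAPTURED_QUERY, build_query("mail.example.org"), b"not dns"]))
    print(doh_get_url(CAPTURED_QUERY))
```

Run it and the first line shows the two hostnames recovered from nothing but bytes on the wire. One caveat worth knowing when you move to DoH: the TLS handshake to the website itself still carries the server name (SNI) in the clear unless the browser and site support Encrypted Client Hello, so DoH closes the DNS leak, not every hostname leak.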
Actually, these randomized passwords are based on hashes. Many password utilities generate a random hash on your first use and continue to use the same hash for all of your passwords. It’s possible to reverse a hash with enough data. While you, I, and most FReepers aren’t likely to be targets, an advanced adversary could very easily gather enough passwords from phishing to discover a hash. Once that’s figured out, your password vault is useless.
Microsoft is actually recommending a transition to passphrases with no complexity. They’ve put a number of cryptographic algorithms to the test and found that human readable passphrases with just spaces and some capital letters are better for account security than a random password. The catch: they need to be greater than 20 characters.
Why? Because long complex passwords are difficult to remember. Even passwords with substitutions (I l!ke d0gs) are easily guessed by password crackers. On the other hand, passwords with spaces and more than 20 characters create a substantial amount of computational overhead due to the length of the password and the use of things like the space bar. Plus, the password is easier for an employee to retain, thus reducing calls to a helpdesk.
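To put numbers on the length argument in the post above, here is an added Python example (not from the thread or from Microsoft) that scores a few password policies by search-space bits, converts one of them to cracking time at an assumed offline guess rate, and generates a passphrase with the OS CSPRNG. The 1e10 guesses/second figure and the 16-word list are constructed for illustration; the 7776 figure is the size of the standard Diceware and EFF long word lists.

```python
from __future__ import annotations

import math
import secrets

PRINTABLE_ASCII = 95   # upper, lower, digits, punctuation, space
LOWER_PLUS_SPACE = 27  # a-z and the space bar
DICEWARE_LIST = 7776   # size of the Diceware and EFF long word lists

# Constructed miniature word list for the generator; a real list has 7776 words.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pepper",
]


def bits_for_charset(charset_size: int, length: int) -> float:
    """Entropy (bits) of `length` symbols drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def bits_for_wordlist(list_size: int, n_words: int) -> float:
    """Entropy (bits) of `n_words` drawn uniformly from a list of `list_size` words."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the entire space at a given offline guess rate (constructed rate)."""
    return 2.0 ** bits / guesses_per_second


def compare_policies() -> dict[str, float]:
    """Search-space bits for several policies. The last two entries score the same
    22-character passphrase two ways: as random letters and spaces (what a cracker
    that does not know the structure faces) and as four dictionary words (what it
    faces once it does). The honest number is the smaller one."""
    return {
        "8 random printable chars": bits_for_charset(PRINTABLE_ASCII, 8),
        "12 random printable chars": bits_for_charset(PRINTABLE_ASCII, 12),
        "6 Diceware words": bits_for_wordlist(DICEWARE_LIST, 6),
        "22 chars scored as random letters and spaces": bits_for_charset(LOWER_PLUS_SPACE, 22),
        "22 chars scored as 4 Diceware words": bits_for_wordlist(DICEWARE_LIST, 4),
    }


def generate_passphrase(words: list[str], n_words: int) -> tuple[str, float]:
    """Pick words with the OS CSPRNG (never random.choice) and report the entropy of
    the list actually used; with SAMPLE_WORDS that is only 4 bits per word."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), bits_for_wordlist(len(words), n_words)


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        days = seconds_to_exhaust(bits, 1e10) / 86400
        print(f"{policy:48s} {bits:6.1f} bits  ~{days:.3g} days at 1e10/s")
    print(generate_passphrase(SAMPLE_WORDS, 5))
```

The table shows why the length argument holds: six randomly chosen words land within about a bit of a 12-character fully random password, and are far easier to remember. It also shows the one thing to keep straight when you adopt passphrases: pick the words at random from the list, because a phrase you made up yourself is scored by the cracker as a handful of dictionary words, not as 22 random characters.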
Sorry, no. While I am a huge Linux fan and an RHCSA, I do not prescribe Linux for home users. Why?
Linux distros are regularly one of the first three operating systems hacked at Black Hat EVERY YEAR. Macs are also in that list. Unpatched versions of Windows and versions of Windows out of support are also in that list, but you know what's not in that list? Patched versions of most modern OS (including Linux).
The problem is that the update process for Linux systems varies by distribution, and some distros have support issues for some third-party products that are either bootstrapped or put behind some sort of supplicant. If they fall out of support or are relying on a GitHub repo for updates, there have been several very public compromises of repos that infected Linux systems.
Linux also lends itself to a false sense of security. People who don't understand and just think, "Oh, I'm on Linux, I can't possibly be compromised," are often shocked when they get fraud alerts on their credit cards or their agency is hacked where patient zero was a Linux machine. (I've sat on IRs where this happened on two different occasions.)
Linux is not natively secure, and it can be very obscure for someone who's only ever known Windows or MacOS. It's like eating the same meal for 10 years and introducing a new food to your diet: you'll probably tolerate it, but chances are high you'll be very irregular for a while as your body adjusts.
1. Norton 360 w/ VPN
2. Adblock
3. Adblock Plus
4. uBlock Origin
5. IronVest
6. Malwarebytes
7. Multifactor authentication (because many online services will not function without it).
8. Experian, Kroll, and Transamerica monitoring services (free because my personal information was compromised).
Lots of redundancy and overlap, but my PC is clean.
Some of these strategies go to extremes, but if you truly want to take control of your privacy, these are some starting places for the most ardent among you:
IntelTechniques Data Removal Workbook
This is a definitive workbook on how to wrest control of your privacy from every corporation on the planet!
ANA Consumer Preference Service
This is a central authority to remove your information from major advertisers that actually abide by it. The number of corporations is actually pretty significant, and this cut down on the amount of snail mail significantly for me. It also reduces the chances that you'll receive credit card offers which can be used against you if someone is skimming your mail.
Consolidated list of credit reporting agencies
As the name suggests, this is someone's GitHub repo with the names and contact information for a substantial number of data brokers around the world. It took me 2 months to go through this whole list, but it is possible for you to request removal of your personal data from most data brokers using this list. This is by no means exhaustive, as there are hundreds if not thousands of agencies out there collecting data for nefarious or illegal purposes; but any agency with whom you've done legitimate business has likely funneled your personal information into one of these data brokers.
Thanks for the information. Regarding MFA, do you recommend using a generator like Microsoft Authenticator vs. text/phone then? Thank you.
Absolutely. Authenticator apps all work using a hash and salt mechanism that leverages the cryptographic processor in your phone or related device. That processor does the heavy cryptographic lifting to generate complex numbers which are used to generate number patterns unique to your device. When you scan the QR code for the first time, the app is generating a unique hash for your login, and when the challenge portion of the authentication happens, instead of passing a password, you input your numbers which are then compared to the expected output of your key, which is stored with the auth provider, and if they match, you are let in.
If you want to be REALLY secure, opt for FIDO2 tokens. YubiKeys are the most common FIDO2 keys and are relatively cheap to acquire (~$60). These are self-contained cryptographic devices that have a processor and memory on board to generate cryptographically unique strings which can be used instead of passwords (passwordless logons). The best selling point for these: they're phishing resistant. How?
They have a small bioreactive "button" on them that you have to touch for the key to unlock the repository and provide the unique string/password. You have to be physically in control of the device, so unless you've lost the device, it's impossible for a threat actor to use your logon.
Most popular big tech companies such as Microsoft, Google, PayPal, and Amazon support FIDO2 keys, and they make security a breeze. You can store logins for up to 30 different providers on one YubiKey.
Thank you for mentioning the YubiKey. The person who set up my home network 3-4 years ago mentioned it & I had forgotten all about it. I will definitely look into it, especially for my financial accounts. Merry Christmas!!