Personal Cyber Security

Protecting your data in this connected-everything world is something that you should take very seriously. Your personal data is all over the internet, and any breach of security in any one of the hundreds of places you have your data can result in your private information being sold to unscrupulous parties. You need to brush up on personal cyber security to protect yourself. Your personal data is so valuable to companies, that there are many commercial organizations that will offer you free use of their services just so that they can siphon off this data and use it for profit.

Take facebook, for instance. It’s a completely free service that makes all, or most, of it’s money off your personal data. It sells all your information to advertising companies so that they can send you customized ads. They may not sell the raw information itself, buy they sell the promise of sending targeted ads based on the profile that advertisers specify. So if, for example, an advertiser wants to sell a product to all females in the age range from 16-18 who go to medical school and are interested in pet products, facebook can deliver. They have enough data on most users of their service to be able to identify most combination of demographic data that you can think of — and probably several that you can’t think of.

Facebook not only hoovers data that you enter on their site, they also follow you around the internet collecting information about your browsing habits. Ever searched for something on google and then found an ad following you on Facebook advertising that very thing? It’s not a coincidence. Facebook, and many other sites, follow you around the internet building a detailed profile on your likes and dislikes — they know the movies you like to watch, the books you read, the medical conditions you researched, your political position, the religious leaders that you follow and much much more.

If you think that the intelligence services of nation states are intrusive, you will be surprised to learn that some of these services buy data from the private sector. The private sector, together with governmental agencies, can profile you to a degree that is, frankly speaking, scary.

You may have noticed the brouhaha about TikTok in the US, and how their legislature is trying to ban it using the excuse that it, TikTok, in concert with the Chinese government, can spy on US users. But the same can be said about Facebook, or Twitter, or Amazon or Google or any other company that makes its money on the internet. These companies have huge profiles on you, and they may share it, willingly or unwillingly, with the US government, or the government of the country they are registered in, if they are compelled to do so by the legal system they are subject to. The US government is probably so scared about TikTok because it does the same with US companies.

So what do you do to protect yourself? The answer is one word: encryption. Encrypt everything. If you do this, you hide your data from thieves who want to steal things from you, advertisers who want to target you with ads, or even governmental agencies, foreign or domestic, who want to follow you online and know what you are doing all the time.

In the rest of this blog post, I will try to show you some of the things you can encrypt to ensure that your data is as private as it can be. Before going further there is one thing I want to make clear: if you are trying to hide from a government agency, you will most likely fail. If they are really interested in someone, they have the time and resources to get to them — you can only delay the inevitable.

For example, there are companies that make zero click malware that can be sent to targets’ devices without them even knowing about it. They don’t need to interact with anything, or click a link or download software — the malware will silently infect their device and send everything done on that device to the person monitoring it. Fortunately, such malware is very expensive — in the millions of dollars per device range — so you don’t have to be paranoid unless you have been very very bad.

To recap, while you can’t outrun a dedicated governmental agency that has specifically targeted you, you can follow some best practices to protect yourself from causal inspections and criminals who would like to get their hands on your data. Let’s get started.

Protecting your communications

Communicating with people is something we do everyday. We communicate with friends, family, colleagues, customers and many other people. It is normal to expect that these communications are private — after all, there are strict laws almost everywhere that make it illegal to record a conversation without the explicit approval of all parties involved. Expecting the same for our digital communication is normal — unfortunately it is not true.

Your email provider sees the content of your emails. Some even serve you ads based on the content of these emails. Your phone provider has a log of your calls record, and your SMS messages — some are even obliged to keep this record for several years. In short, if a bad actor decides to get your data and hacks your email provider or cell phone provider — and lets be honest, this has happened many many times before — all your data is up for grabs.

Your private messages with your significant other, that emergency message you sent to your doctor when you panicked about a medical condition, the rejection email you received from a college or a job you applied for — all of this data is available to anyone who has an appropriate search warrant, or who breeches the, sometimes woefully inadequate, security of your service providers.

So how do you protect your communications? You may have guessed it, you need encryption. Specifically, you need end-to-end encryption. End-to-end encryption is a type of encryption in which only you and the party you are communicating with has access to the plain text of the messages you are sending — the company providing this service cannot decrypt the messages simply because it does not have access to the encryption key. Let us now see how this works for some of the common services we use.

End-to-end encrypted messaging services

The first secure messaging app we will discuss is, believe it or not, WhatsApp. WhatsApp is a popular messaging app that boasts over 2 billion active users worldwide. It provides end-to-end encryption for all messages — before you send a message, it’s encrypted on your device, and it can only be decrypted by your recipient. This means Facebook, technically Meta but I still keep saying Facebook, the owners of the app, cannot see the messages you send. Neither can anyone else who is eavesdropping.

While the app provides end-to-end encryption for all messages, it has faced criticism in recent years for its privacy policies and data collection practices — this concern was about meta-data, not the actual content of the messages, but how often you use the service, who you communicate with etc. While this is not as serious as exposing the content of the messages themselves, it can still pose privacy issues. For example, WhatsApp shares user data with its parent company, Facebook, which has raised concerns about data privacy.

To address these concerns, WhatsApp has introduced new privacy settings that allow users to customize their app experience. For example, users can enable two-factor authentication, which requires them to enter a password and a unique code sent to their phone to access their account. This adds an extra layer of security and makes it more difficult for hackers to gain access to their account.

In the past, another issue with this app has been it’s backup strategy. It automatically backs up your chats to the cloud — either google cloud for Android device or iCloud for Apple devices — without encrypting them. This meant that employees of these companies, or any government agencies that had the appropriate warrant, could see all of your chat history while it was on the cloud. This, naturally, defeats the whole idea of end-to-end encryption.

But now end-to-end encrypted backups have been activated on both iOS and Android, to take advantage of it, you need to do the following:

Android:

Open WhatsApp and tap on the three dots in the top right corner.
Tap on “Settings” and then “Chats”.
Scroll down and tap on “Chat backup”.
Toggle on the “Include videos” option if you wish to backup your videos as well.
Tap on “Back Up Now” to create a backup of your chats.
After the backup is complete, scroll down to “Google Drive Settings” and select the Google account you want to use for backups.
Tap on “Back Up to Google Drive” and select the frequency at which you want to back up your chats.
Toggle on “Encrypt backup” and select a password.

Apple:

Open WhatsApp and tap on “Settings”.
Tap on “Chats” and then “Chat Backup”.
Toggle on “Auto Backup”.
Select a backup frequency that works for you.
Toggle on “Include Videos” if you want to backup your videos as well.
Toggle on “Encrypt your backup” and create a password.
Tap on “Backup Now” to create a backup of your chats.
It’s important to note that users should keep their backup passwords safe and secure, as they will not be able to restore their backups without the password. It’s also recommended to periodically create backups and store them in a safe location to ensure that their chat history remains protected

It’s important to note that while WhatsApp’s end-to-end encryption provides strong protection for messages in transit, it doesn’t protect against malware or other types of attacks. Therefore, it’s crucial for users to keep their devices and apps updated with the latest security patches and to be cautious of suspicious links or messages

Signal

Signal is a messaging app that is known for its strong focus on privacy and security. The app uses end-to-end encryption for all messages, which means that only the intended recipient can read them. Signal also offers advanced security features, such as screen security and disappearing messages, which can be set to delete messages automatically after a certain amount of time. Here’s how to use Signal for secure communications:

Install Signal on your device: Signal is available for both Android and iOS devices and can be downloaded from the respective app stores.
Register and verify your phone number: When you open Signal for the first time, you will be asked to enter your phone number and verify it via a verification code sent to your phone.
Start a secure chat: To start a secure chat with another Signal user, simply select their name from your contacts list and start typing your message. All messages sent between Signal users are automatically encrypted.
Use secure photo sharing: Signal allows users to take photos within the app and send them securely to other Signal users. When you take a photo in Signal, it is not stored on your camera roll unless you specifically choose to save it.

Signal also offers additional settings that can be used to further enhance security:

Screen security: Signal allows users to set a passcode or biometric authentication (such as Touch ID or Face ID) to lock the app and prevent unauthorized access.
Disappearing messages: Users can set a timer for messages to automatically delete after a certain amount of time, ensuring that sensitive information is not stored on the device.
Safety numbers: Signal uses safety numbers to verify the identity of the person you are communicating with. Users can compare safety numbers to ensure that they are communicating with the intended recipient.
PIN registration lock: Users can set up a PIN for Signal registration. This prevents someone from registering Signal with your phone number if they obtain your SIM card.

Signal is owned and operated by a non-profit organization called the Signal Technology Foundation. The foundation was established in 2018 by Brian Acton, who is also one of the co-founders of WhatsApp. The Signal Technology Foundation is a registered 501(c)(3) nonprofit organization based in the United States, which means that it is tax-exempt and operates exclusively for charitable purposes.

The Signal Technology Foundation is funded by donations from individuals and organizations who support its mission of advancing secure communication technology. The foundation’s stated goal is to develop and promote open-source privacy technology that can be used by anyone, anywhere in the world, without compromising on security or privacy. Signal’s open-source code is publicly available, which means that anyone can inspect the code and contribute to its development.

One of the benefits of Signal being owned by a non-profit organization is that it is not driven by profit motives or beholden to shareholders — unlike WhatsApp. This allows Signal to prioritize its users’ privacy and security needs over business interests. As a result, Signal has been able to develop a reputation as a trustworthy and secure messaging app, and its popularity has grown significantly in recent years as more people have become concerned about online privacy and security.

End-to-end encrypted email

PGP

PGP, or Pretty Good Privacy, is a security protocol used to encrypt and decrypt email messages. It was developed in the 1990s by Phil Zimmermann and has since become a widely used standard for secure email communication. Here’s how PGP works to secure email messages:

Key generation: To use PGP, you first need to generate a public-private key pair. Your public key can be shared with anyone, while your private key is kept secret and is used to decrypt messages sent to you.
Encryption: When you want to send an encrypted email using PGP, you use the recipient’s public key to encrypt the message. This ensures that only the intended recipient, who holds the corresponding private key, can read the message.
Signature: PGP also includes a feature for adding a digital signature to your email messages. This signature verifies that the message was sent by you and has not been tampered with during transmission.
Verification: When you receive an encrypted email, you use your private key to decrypt it. You can also verify the sender’s digital signature using their public key to ensure that the message was sent by them and has not been tampered with.

One of the advantages of using PGP to secure email messages is that it is an open standard, which means that anyone can use it without having to pay for proprietary software. This has helped to make PGP widely adopted by security-conscious users, including journalists, activists, and politicians.

However, PGP can be somewhat complicated to set up and use, and it requires both parties to have generated and exchanged public keys. In recent years, other secure email protocols, such as S/MIME and end-to-end encrypted email services like ProtonMail, have become popular alternatives to PGP. If you want to communicate with me securely using PGP, you can find my public key here.

Proton Mail

ProtonMail is an end-to-end encrypted email service developed by a team of scientists and engineers at CERN in Switzerland. To communicate securely using ProtonMail, start by creating an account – you can sign up for a free or paid account. Two-factor authentication is available as an additional security measure to protect your account from unauthorized access, which can be enabled in your account settings.

ProtonMail uses end-to-end encryption automatically to secure your emails, meaning only you and the recipient can read the contents of your emails. This feature works behind the scenes, so there is no need to do anything special to use it. To ensure complete security, encourage your contacts to use ProtonMail as well by sending them an email with a link to sign up.

ProtonMail also includes other security features such as the ability to set an expiration time for your emails and the option to send password-protected emails. Furthermore, ProtonMail is based in Switzerland, which has strong privacy laws that protect user data. ProtonMail is a secure and user-friendly email service that offers end-to-end encryption to protect your communications from being intercepted. And — more importantly for some — it is much easier to use than PGP.

It does have some downsides however, it only works seamlessly if the person you are communicating with also has proton mail. Although you can set it up to work with non-proton mail recipients who use PGP.

ProtonMail users who need to communicate with non-ProtonMail recipients who use PGP encryption can do so by following a few simple steps. First, they must obtain the recipient’s public key, which is necessary to encrypt messages sent to them. The public key can be obtained from the recipient through an encrypted message or by searching for it on a public key server. Once obtained, the public key should be imported into the ProtonMail account by going to Settings > Keys > Import Key. This prompts users to enter the recipient’s email address and public key.

To compose a new message, the user must follow the same process as they would normally. Before sending the message, however, they must enable encryption by clicking on the padlock icon in the message composition window. Once the padlock icon is enabled, the message will be encrypted using the recipient’s public key when sent. The recipient can then decrypt the message using their private key. It is important to note that PGP encryption only secures the content of the message and not the metadata, such as the subject line or email addresses of the sender and recipient

Protecting your browsing

This section of the blog post is two pronged. The first prong is to protect your browsing history from your Internet Service Provide, ISP, or from the owner of public wifi routers. In the former case, your internet traffic passes through the servers of your ISP. This means that your ISP can record all the sites you visited along with meta data such as when you visited the site, how long you spent on it etc. This may not seem like much, but it can help an adversary build a picture of your behavior. For example, let us assume that you visited a health website dedicated to a particularly bad disease, then you visited a suicide helpline and a religious site. An attacker can assume that you have been diagnosed with a disease that almost had you contemplating suicide, followed by a visit to a religious site to seek solace.

If this adversary is a business, he/she will try to sell you things taking advantage of your condition. If this adversary is a terror organization, or the intelligence service of an enemy country, they can try to recruit you to do things given your medical condition and religious beliefs that they have just ascertained. Of course this is an extreme example, but if you take a moment to think about your browsing history, I am sure you will find things that you do not want anyone to know about.

The good thing about this is that if the sites you visit use https, and most sites do, then you do not need to worry about an adversary, a normal adversary that is, knowing exactly what you did on each site — they will know which sites you visited, but not what you did on them. A state adversary, however, can take over your device and make all the encryption in the world moot since they will have access to your data before it is encrypted on your device.

But even if your adversary only knows where you have been, this meta data can be used against you as mentioned above. I’ve been writing so far with the assumption that the entity collecting data is your ISP, it could, however, just as easily be the owner of the wifi router in a cafe, airport or hotel. So how can you protect your data? You may have guessed it already — encryption. But in this case, instead of encrypting your messages or emails, you will be encrypting your connection to the internet. The next section shows how you can do this.

Virtual Private Networks (VPNs)

VPNs are the perfect solution to the problem mentioned above. They essentially create an encrypted tunnel between you and the VPN server. So before you visit, for example, www.google.com, your computer will send out a connection request to your VPN server. This connection is encrypted so nobody except you and the VPN server can see it; your request for www.google.com goes over this connection.

However, when the request reaches the VPN server, it is decrypted and sent to the servers of google — what this means is that your VPN server knows you are going to www.google.com. Essentially what you are doing is replacing the “trust” you had in your ISP or the owner of that WiFi router with trust in the VPN service provider. This is why you need to choose your VPN service provider very wisely.

If you choose a free service — you are the product. The service needs to make money to run its servers, its not a charity. So what it will do is collect all that meta data we previously mentioned, and sell it to advertisers or data brokers. So if you use a free VPN, you are essentially guaranteeing that what you want to avoid happens.

Paid VPNs are more secure, they don’t need to make money from selling your data since you already pay them. Just to be sure, it is a good idea to join a VPN that has been vetted by third parties to have a “zero log policy”. This means that they do not log anything other than the date you joined the service. There are some good VPNs out there in the market, but I personally prefer ExpressVPN. They over very fast connections, and have been audited by third parties and have a good reputation.

Tor

But VPNs are only part of the picture, VPNs will protect you from your ISP or from the owner of a router in a cafe offering free WiFi. It will not, however, protect you from the end point — the website you are visiting. The website you are visiting will know your identity. It is possible however, to hide your IP under several layers of encryption — three layers is the default.

Since you are hiding under several layers, like the layers of an onion, this type of protection is referred to as TOR — The Onion Router. It is essentially a software you download to your system that takes your message and encrypts it three times. The only node that can decrypt the first layer of the encryption is the next hop on your path to the destination. When this node decrypts the first layer, it will find the IP address of the next hop the message should be sent to — but the message itself will still be encrypted.

The node then forwards your message to the second node, this second node can decrypt the second layer of the onion. And doing so allows it to learn what the third, and typically last, hop is. It sends your message to the final hop where the last layer of encryption is decrypted resulting in the message you initially wanted to send — hopefully you are using a site that requires https, so this message itself is encrypted using https. But that last node, typically referred to as an exit node in tor, knows where the message needs to go. The message is sent to the destination, and the reply follows a similar path in reverse order.

Using this system, your IP address, and your identity, is hidden behind several layers of encryption. I typically use tor over a VPN — because I don’t want my ISP to know that I am using tor. This will provide as complete protection for your browsing as current technology allows. The tor browser is available for all major platforms, including iOS and Android. You can check their website here.

Protecting your data on your devices

It is very important to protect the data that is on your computer or on your phone or tablet. These days we live most of our lives online, and virtually everything we do is stored in our devices. Imagine if someone had access to the files on your computer. Think about it now, if you are a lawyer, you may have confidential information about your clients. The same applies if you are a medical doctor, or if you are an engineer with proprietary information you are developing for your companies.

It doesn’t have to be business data. You may also wish to protect the photographs you took of your family in the privacy of your home or sea side resort. Our devices hold a lot of data, and protecting this data is very important. How can we do this? At this point if you didn’t guess encryption I would be very disappointed. Let us now try to discuss how you can do this on your Windows computers, Mac computers and iOS devices. I will not mention Android because, to be honest, each device has different way to do this and some don’t at all.

Windows 10

Encrypting your hard drive can help protect your sensitive data from prying eyes in case your computer falls into the wrong hands. Windows 10 includes a native tool called BitLocker that can encrypt your hard drive with just a few clicks. In this section, I will walk you through the steps to encrypt your hard drive in Windows 10 using the BitLocker tool.

Before we start, it’s worth noting that BitLocker is only available in the Pro, Enterprise, and Education editions of Windows 10. If you have a Home edition, you won’t be able to use BitLocker, but you can still use third-party encryption tools. To check your Windows edition, right-click on the Start button and select System.

To encrypt your hard drive, open the Start menu and search for “BitLocker.” Click on “Manage BitLocker” to open the BitLocker control panel. If BitLocker is not enabled, click on “Turn on BitLocker” and follow the prompts to create a password or insert a USB drive to use as a startup key.

Next, choose how you want to encrypt your hard drive. If you have a new computer, you can choose the “Encrypt entire drive” option. If you want to encrypt only certain files, choose the “Encrypt used disk space only” option. If you have an older computer, you may need to use the “Compatible mode” option.

Finally, choose how you want to store your recovery key. This key can be used to recover your data if you forget your password or lose your startup key. You can save the recovery key to a file, print it, or store it in your Microsoft account. Once you have made your selection, click on “Start encrypting” to begin the encryption process. This may take some time, depending on the size of your hard drive and the encryption method you chose. Once the process is complete, your hard drive will be encrypted, and you will need to enter your password or startup key every time you start your computer.

Mac OS

MacOS includes a native tool called FileVault that can encrypt your hard drive with just a few clicks. In this section, I will walk you through the steps to encrypt your hard drive in macOS using the FileVault tool.

To encrypt your hard drive, click on the Apple menu and select System Preferences. From there, click on Security & Privacy, and then click on the FileVault tab. If FileVault is not already turned on, click on the padlock icon in the bottom left corner of the window to unlock the settings, and then click on the Turn On FileVault button. You may need to enter your administrator password to continue.

Next, choose how you want to store your recovery key. This key can be used to recover your data if you forget your password. You can choose to store the recovery key in iCloud, or you can choose to create a recovery key and store it on a USB drive. If you choose to store the recovery key in iCloud, you will need to enter your Apple ID credentials.

Once you have chosen your recovery key storage option, click on the Continue button, and then follow the prompts to complete the encryption process. This may take some time, depending on the size of your hard drive and the speed of your computer. Once the process is complete, your hard drive will be encrypted, and you will need to enter your password every time you start your computer.

If you want to check the status of your encryption, you can return to the Security & Privacy settings and click on the FileVault tab. You should see a message indicating that your disk is encrypted and that your data is protected with FileVault. If you ever want to disable FileVault, you can return to this screen and click on the Turn Off FileVault button. However, this will decrypt your hard drive and remove the protection that FileVault provides, so you should only do this if you no longer need the encryption.

iOS and iPadOS device

Encrypting your iPhone or iPad can help protect your sensitive data in case your device is lost or stolen. Fortunately, iOS includes a native encryption tool called Data Protection that automatically encrypts your device’s data using a unique encryption key tied to your device’s passcode. In this section, I will walk you through the steps to encrypt your iPhone or iPad using Data Protection.

To encrypt your device, first make sure that you have a passcode enabled. If you don’t already have a passcode, go to Settings, then Touch ID & Passcode (or Face ID & Passcode), and set a passcode. Make sure it’s a strong passcode that is at least six digits long.

Once you have a passcode set up, your device’s data will automatically be encrypted. You don’t need to do anything else to enable encryption. However, if you want to check that your device is encrypted, you can go to Settings, then Touch ID & Passcode (or Face ID & Passcode), and scroll down to the bottom of the screen. You should see a message that says “Data protection is enabled.”

If you ever want to disable encryption, you can turn off your passcode. However, this will also turn off Data Protection, and your device’s data will no longer be encrypted. If you want to turn off your passcode, go to Settings, then Touch ID & Passcode (or Face ID & Passcode), and select Turn Passcode Off. You’ll need to enter your passcode to confirm the change.

Conclusion

That’s it for now, I won’t give you more information, as it is, I think this post is already one of the longest I’ve written. In subsequent posts I will talk about securing your accounts with two factor authentication, password managers and hardware access keys, but for now I will leave you with the following takeaway — encrypt everything. Encrypt your messages, your emails, your internet connection, everything. Hold encryption parties with your friends and get them to encrypt their devices, because security is a team sport. Governments have fought hard, sometimes very hard, to prevent you from having the right to encrypt your data, this probably means they want access to it — protect yourself and send the right message to everyone, our private lives are just that, private. Nobody has the right to snoop in on us on a whim. Encrypt everything.

4 Comments

Personal Cybersecurity: Secure your online accounts - Neotheone's Thoughts, May 25, 2023 @ 8:31 pm Reply
[…] the first part of this two part series, I explained how to encrypt everything. Your emails, your messages, your […]
A Guide to YubiKeys and Their Uses - Neotheone's Thoughts, June 1, 2023 @ 2:42 pm Reply
[…] a top priority for individuals and businesses alike. Previously on this blog, I explained how to encrypt everything and how to secure your online […]
Best Browser Extensions for Privacy in 2023 - Neotheone's Thoughts, June 23, 2023 @ 1:41 pm Reply
[…] post is part of a series on personal cybersecurity, following my previous posts on encrypting everything and protecting online […]
How to securely delete files from your hard disks - Neotheone's Thoughts, July 2, 2023 @ 12:58 pm Reply
[…] the content of files on your SSDs, is to encrypt the drive from the get go. I wrote an entire blog post singing the praise of encryption. Seriously, I can’t say this often enough — encryption is your […]