Today I want to talk about online privacy concerns. When it comes to online privacy, I tend to take a slightly different road than many of my cybersecurity colleagues. Many in my industry tend to preach that you should never ever under any circumstances share anything personal online. I understand where they are coming from and respect their perspective; however, I do things a little differently.
Just like in real life (IRL), privacy is not one-size-fits-all. Some like to live out in the country with not another soul for miles. Others want to live in large cities where you can’t even turn around without hitting another person. Some like to dress very conservatively and show as little skin as possible, always keep their curtains drawn, etc. Others like to test the boundaries of public decency laws, both in the way they dress and in their choice of curtains and such. I say to each their own.
Similarly, online privacy isn’t one-size-fits-all, so instead of being prescriptive, I like to talk about risks and dangers and then let people make their own decisions.
The most significant danger of oversharing online is that it significantly increases your risk of becoming a victim of identity theft. It also gives scammers material to come across as if they know you when trying to scam you. Additionally, if you share so much about your daily schedule that everyone knows exactly where you are going to be and for how long, that could lead to physical attacks against you.
The extent of these risks depends on your threat model (see other blog posts and my book for more details on this).
One way to mitigate these risks is never to share anything online. This does not work for me as I’m an open person and an over-sharer. I like who I am, and I do not let the world change me. So instead, I take other precautions. For example, I subscribe to an identity monitoring service that alerts me if someone uses my information to impersonate me. I know what information about me is available online, and I am skeptical of anyone trying to use that information to get close to me. I avoid sharing any deeply personal info such as names of friends or family, my SSN, phone number, address, etc. When I’m sharing things about me, I obfuscate location details and the names of other participants. This is both for my own security and to protect other people’s privacy.
One key aspect that I think all cybersecurity professionals agree on is that it is each person’s right to control their privacy, what is disclosed to whom, etc.
Consent is the key here. Never take pictures of people without their consent and never name them in anything without their consent.
One thing that is often overlooked when it comes to security is that there are very few things online that are actually private. Basically, there are two ways to ensure something is private. The first is to never put it online in any form: don’t put it in cloud storage, don’t talk about it in chat applications, and, most of all, don’t put it on social media. The second method to ensure privacy is to encrypt it. In my book, I give a layman’s explanation of what encryption is and how it works. It is worth mentioning that an encrypted connection does not mean the content is encrypted. Again, check out my book for more details on that distinction.
Anything that is in electronic form and not encrypted in a way that ensures you are the only one able to read it can be compromised and made public. Now, as with everything else, there are varying levels of risk, and various levels of “does it really matter.” This again depends on your threat model. For example, anything in Gmail or Google Drive can probably be read by someone with access to those platforms from within Google. The same goes for Outlook Online and OneDrive from Microsoft.
Now, just because they can does not mean they do or that they will. Assuming they can’t does seem rather foolish, though. If your threat model requires absolute assurance that not even the platform owner can read your email, you need to use ProtonMail, a mail provider in Switzerland that fully encrypts all emails so that you need a password only you have in order to decrypt them. Before you sign up with them, please read my book errata blog entry on the issues that caused me to stop using them. They are working on a fully encrypted cloud storage offering scheduled for public release later in 2020.
Most, if not all, social platforms have a feature they call either private messaging (PM) or direct messaging (DM). I feel the term direct messaging is more honest, because that feature allows for direct messaging between two people, but those messages are not private in the strictest sense of the word. Anyone with access to the backend for those platforms can read those DMs.
Just remember that just because something isn’t blatantly public doesn’t mean it is private.
On the topic of social media, I want to remind the reader of the old adage, “there is no such thing as a free lunch.” What I mean by that is that any application or service that you don’t pay for with money, you pay for with your privacy. When you look at companies like Twitter or Facebook that have a large staff and are reasonably profitable, where does that money come from? The answer is that they get paid large sums of money to target advertisements specifically at those who are more likely to purchase. This is done by analyzing what you post, what you share, what you like, and possibly even your DMs, and coming up with a formula describing your likes and dislikes. In other cases, companies are selling all the data they have on you so other companies can aggregate it and create your marketing profile. In summary, there is no such thing as a free app. You either pay with money or with your privacy.
One final thought to leave you with is the idea that anything you post on social media, a blog, etc., never goes away, even if you delete it. You never know who might have saved it before you removed it. If that is difficult to grasp, you should check out the Wayback Machine at https://archive.org/

In this installment, we’re going to look at different ways you could be separated from your money, which you may later regret. Let’s call these all Scams or Fraud, even though some don’t meet the legal or the conventional definition of those terms.

Before I start, I want to mention that to many, these may be obvious, but they aren’t apparent to everyone as many folks fall for these scams.

General Scams

The first type I’m going to dive into is phone scams, particularly impersonation scams. With these, someone will call you claiming to be a government official. They could claim to be law enforcement, IRS, or Social Security Administration (SSA). 

Here are some facts to keep in mind when dealing with these scam artists:

  • Your social security number (SSN) is never canceled, blocked, or frozen. The SSA does not have the ability to do anything of the sort, so even if there were some sort of major issue, they literally couldn’t do any such thing. If there were a major issue with your SSN, they would write you a letter sent through the postal service, not call.
  • Police will never call to demand payment for unpaid fines or anything like that. If some pending payment warranted an arrest, they wouldn’t call to warn you or get you to pay over the phone. They would send a uniformed officer to visit you and escort you to the station or the courthouse, where you might get a chance to square your issue.
  • Anyone calling and demanding payment in gift cards is a criminal.
  • Anyone making an unexpected call claiming to be from Microsoft, Apple, Google, Adobe, etc., informing you of a problem with your computer and offering to fix it, is a criminal.

In all these cases, the course of action is simple: hang up on them. If you wanted to toy with them or unload a few well-chosen, possibly even harsh, words, no one could blame you. I do not recommend that, though; I suggest you simply hang up without saying a word.

Also, be wary of giving out any information at all to anyone unknown that calls you. The person that initiates the call should bear the responsibility to identify themselves. I wouldn’t even give them my name before I have their name and know why they called. If they want to provide you with information, that’s fine, but I don’t tell them anything without absolute certainty that they are who they claim. 

The best approach is to say to them that you’ll call them back through the company’s main number. Then find the main number online or through directory assistance; ignore any number they may give you. 

If a Nigerian prince, wealthy businessman, or long-lost relative contacts you and asks you to stash their billions in your bank account for a few months in exchange for a cut of the fortune, don’t do it. Best case scenario, you’ll be an accomplice to money laundering, which is a severe crime in most countries. More likely, the criminal running the scam uses this ruse to get your bank details so they can clean it out for you. 

If you get a call or email saying that you won the lottery or some sort of sweepstakes, but you have to pay taxes and fees before you can claim your winnings, it is a scam. Any taxes or fees are always taken out of your winnings, never paid upfront. If you have never heard of this lottery or sweepstakes, that should be your first clue. Entering a sweepstakes or buying a lottery ticket is kind of the first and critical requirement for winning. If it is something you believe you did enter or purchased a ticket for, hang up and call the organization that you registered with to validate your winnings and claim your prize.

Romance Scams

These types of scams prey on lonely people desperate for companionship. They start by reaching out via social media, claiming to want to become friends. They often rely heavily on stereotypes when selecting their personas and will use pictures that match those personas. For example, if they target someone they believe is a heterosexual male, they will present themselves as an attractive twenty-something woman. This sometimes backfires, as quite a few men have no interest in women half their age. I suppose this works enough times to make it worth it for them. After they’ve chatted you up for a while, they will confess some financial hardship and ask you to help. They talk big about talking on the phone or meeting in person at some future point, but that time never comes. It is always only in text, and there is always a story as to why they can’t talk to you on the phone until next week or next month. They tend to get very personal very quickly and sometimes ask questions that could be used to steal your identity.

If you are lonely enough to be tempted by these types of scams, reach out to us, and we’ll help you find more constructive and fruitful ways to fix your situation, free of charge and without any financial hardship stories on our end.

Scareware

This type of scam tries to scare or embarrass you into paying a ransom. The general premise is that they’ll claim they hacked your computer and found evidence of something they feel you might be embarrassed about, such as visiting an adult entertainment site. They claim they downloaded all your contacts, and if you don’t pay up, they’ll send said evidence to all your contacts. This is usually conducted over email, and they do their best to sound very technical. I see a lot of these, and every single one is complete nonsense. In my book, I take one example and break it down to debunk each claim they make. I recommend treating this as general spam and deleting it.

Borderline scams

Now let’s dive into situations where it is debatable whether to call them scams. There is often a very fine line between effective marketing and scams/fraud; they use the same tactics. It basically comes down to how truthful the marketing is and whether you believe you got what you paid for. This naturally is very subjective. If you have buyer’s remorse and do not have the option to reverse the transaction, you end up feeling defrauded. If you feel cheated, then from your perspective, the deal was a fraud, which is why I include it here.

Many marketing campaigns, both in sales and in fundraising, employ emotional manipulation. Sales marketers like to use the principle of scarcity to manipulate you into making a purchase. They will try to convince you that something is about to sell out and that you need to jump now to make sure you can get yours. They often rely on something called FOMO, or fear of missing out, also known as “keeping up with the Joneses” or “the rat race.” They try to make you feel inferior if you don’t have the latest whatever: you can’t be seen around town without it, and if you don’t have it, you will be made fun of in your social circles. FOMO can be very self-fulfilling; those that are deep into FOMO will often ostracize those they feel don’t have all the latest whatchamacallit and thus create FOMO in others.

The advice here is simple: ask yourself whether you actually need it, and what will happen if you wait and the item sells out. If it does sell out and never comes back in stock, that is a sign it was not a viable product, and you would likely have been unhappy with it. If it is a product that sells so fast that it goes out of stock, it will be back in stock soon. No product owner will let a viable product be unavailable for very long. In every case, the product owner has far more to lose from having the product go out of stock for even an hour than the consumer ever does. The only reason to mention scarcity in a marketing campaign is to emotionally manipulate people in order to create a demand that isn’t there.

Another form this might take is what I call fake sales. They claim to offer something to you at a steep discount, say 60-80% or even 95% off, when in reality their sale price is the same as or higher than comparable products elsewhere. Typically, those that use this scheme are offering a product of inferior quality. I’ve fallen for this tactic many times and never received a quality product for less than the usual retail price. A spin on this is when they claim they are giving away the product and you just have to pay shipping and handling. Then you come to find out that the shipping and handling cost is more than the regular retail price elsewhere.

I am always extremely wary of product marketers who feel they need to resort to these sorts of tactics.

Yet another spin is what I’d call the congratulatory tactic. This is where you get an email along the lines of “Congratulations, you now qualify (or have been granted access) to buy our product.” I’m always like, “what sort of privileged elitist crap is this where I have to qualify to give you my money?” I suppose this is a spin on FOMO. On principle, I always ignore those emails, as I am actively against elitism and privilege.

In fundraising marketing, they tend to be even sneakier. They try to pretend that there is a personal connection, and that if only you gave x dollars, the issue or campaign would be saved. If you don’t, the cause is lost, and it is all on you. They will try to manipulate your helpfulness and ask you to just do them this one favor. The thing to keep in mind here is that you never owe anyone anything that you haven’t previously promised. This means that you owe some random person or entity on the internet absolutely nothing. If there is a cause you want to donate time, goods, or money to, by all means, do that. However, do not under any circumstances let them manipulate you into over-committing.

If there is one magic silver bullet that will help you maintain your online security, it is critical thinking skills. If you read my previous article on the basics of online security, you may recall that I stated there is no single thing that can automatically keep you safe. You will, therefore, recognize the title here and the opening statement as the hyperbole it is meant to be. In other words, there is no magic silver bullet that maintains your online security automatically. While there is no single thing that can guarantee 100% online safety automatically, having rock-solid critical thinking skills is the next best thing.
There are probably entire college courses devoted to the acquisition of critical thinking skills, so I won’t be able to do that justice with a single blog post. I will endeavor to at least explain what I mean by critical thinking skills and how it helps you stay safe online.
Somewhere I once heard the advice “treat every day as if it were April 1st,” and I love that advice. On April Fools’ Day, people do seem to make it a game, if not a mission, to figure out who is trying to pull a prank online, and they tend not to believe anything online that day. Then every other day, they seem to eat up anything that anyone puts online. If everyone put as much effort into identifying the scams online as they do into recognizing the April Fools’ pranks, there would be much less crime online.
Critical thinking is about being critical of everything you read online. I know that is a bit of a recursive definition, so let me try to explain further.


To maintain online security, you need to be suspicious of everything you read online, whether it is on Facebook, Twitter, some blog, a news site, your email, etc. The idea that “I read it online, so it must be true” could not be further from the truth. Also, just because something is going viral on social media does not make it real. Like the old rumor mill, things don’t become true just because a lot of people are repeating them. Even viral videos don’t prove anything; they are frequently taken entirely out of context, manipulated, or outright fakes. We have fantastic technology these days, and it is often used for evil instead of good. There are a lot of people out there that get their kicks from spinning people up and getting them fighting about nothing. Those people spread half-truths and deepfakes for their own enjoyment. Some even go so far as to set up automation to help them spread their garbage faster and farther, something called a bot farm. The term bot is derived from the term robot, and it is simple automation that carries out a specific task such as posting to Facebook.
Then, there is a whole class of online criminals that are termed “social engineers” in the cybersecurity world. I think “scammers” or “fraudsters” are much better terms. These criminals have been around since the dawn of time, and they use their trade to trick you into doing something you shouldn’t, buying something you regret, or defrauding you in one way or another. The play and movie “The Music Man” depicts a man particularly skilled in this area. Many other movies depict similar tactics, but that is the first one to pop into my head.
One particularly prevalent subsection of social engineering is called phishing. Phishing typically happens over email and is geared towards tricking you into installing malware on your computer or getting you to click on a link. The goal generally is either to take over your computer so it can be used for criminal activity or to steal your identity. I go into a lot more detail about phishing in my book, but I’ll touch on a few pointers here. Please note that while email is the most prevalent method, modified versions of phishing also happen via text message and voice mail.
One of the running themes throughout my book is: don’t click on links in email or open attachments. If you never click on any links in email or open attachments, falling for an email phishing attack becomes practically impossible.
The general theme of a phishing email is pretending to be a safe email from someone or something you know. This is where critical thinking comes in again. Here being distrustful will save the day. How do you know that email is from who it claims it is from?
One of the hallmarks of a phishing email is urgency; you need to click that link right this very second or face immediate financial ruin. Be extra wary of these emails.
Back to the idea of being distrustful: if you want to maintain online security, you cannot trust anything online or take anything at face value. By that, I don’t mean that you can’t trust your buddy online even though you trust them in real life. I mean, don’t assume that it really is your buddy.
Time for an analogy. I hope you are a Mission Impossible fan or at least are familiar with what it is all about. Imagine Ethan, the lead character, is using some government level tech to change how he looks and how he sounds so that he can get past security and complete his mission. There is a scene like that at least once per movie, if not more. I don’t know if this is actually possible in real life or if this is pure Hollywood fiction, but this is trivial to do online.
So let’s say for the sake of demonstration that you are a character in a Mission Impossible movie and you have some high-level access that Ethan needs. So Ethan dresses up like your best buddy and uses his tech to create a mask that makes him look and sound like your buddy. He calls you up and invites you out for a drink. At first, you’re glad to see your buddy, but then you start to get this gut feeling that something is off. You see, Ethan may be able to change his voice and create a mask that looks like your buddy, but copying your buddy’s mannerisms and the way they carry a conversation is much harder. What do you do, do you brush off the gut feeling, or do you throw out a curveball to test this person? If you are smart, you test them to show them for the imposter they are. I’m pretty sure there is a scene like this in at least one of the movies 😀
Now translate this to online behavior: if you get a message claiming to be from your buddy, do you just accept it, or do you analyze it to see if it sounds like your buddy? The smart and safe approach is to be suspicious.
Again, there are a lot more details about this in my book, so if you are looking for more on how to maintain online security, you should check out my book. If you have any questions, feel free to shoot me a note.

Definitions

Before we dive into the world of online security, let’s start with some definitions.

  • Threat Actor: A criminal that is a threat to either a specific person or a group of people. This is a catch-all term for online criminals.
  • Hacker: Someone that attempts to use things for purposes they were not intended for. The media likes to use this term interchangeably with threat actor, which I disagree with. I believe this term is much broader than that. In the original definition of this word, there was no criminal intent involved.
  • Snake Oil Salesman: According to Wikipedia, this refers to deceptive or fraudulent salespeople.
  • Next-Gen and Military Grade: These are meaningless buzzwords used by snake oil salesmen.
  • Fear, Uncertainty, and Doubt (FUD): This is a generic term covering anything or anyone inciting fear. They spread doubt and uncertainty, which only spread more fear.

Online Security basics

The first thing we need to realize when we start talking about online security and safety is that security is hard and an inconvenient pain in the butt. It is not possible to achieve 100% online security, and there are convenience trade-offs that have to be made. I talk about these trade-offs in my book. The trade-offs basically come down to a choice between being inconvenienced or being a victim. There are certain things you do so that you don’t get caught in a broad-net campaign. If you are targeted by a threat actor that is both advanced and persistent, it is only a matter of time before they breach your security. Regardless of how good your security is, an advanced persistent threat actor (APT) will breach it.

Think spear fishing vs. fishing with a net or a fishing pole. If you are a fish swimming in a lake and you are paying attention, you can avoid getting caught in a net or biting that lure on that fishing line. There is, however, very little you can do to prevent a spear from skewering you.

Another analogy for the sports fans out there. If you are playing defense, you have to fend off all offenses. If you are playing offense, only one offensive player needs to get through the defense for the whole team to be successful.

Put another way, an attacker only has to be lucky once, defenders have to be lucky every time.

This is why it is not feasible to have 100% online security. Anyone that tells you otherwise either doesn’t understand security or is a snake oil salesperson (or both). There are several companies out there claiming to sell a comprehensive solution to protect your security, claiming that once you buy their product, you will be safe online. They may throw around buzzwords like “military-grade,” “machine learning,” and “next-generation” in an attempt to impress you. These are meaningless phrases. The salespeople from these companies are merely selling you a bill of goods. The fact is that these solutions are effective anywhere between 5-35% of the time, which, in my opinion, is not very effective.

Now, while no security solution will make you bulletproof, it is still essential to have a good virus and malware blocking solution installed. The good news is that Windows 10 has a great one already built in, so there is nothing else to purchase. Your defense will mostly come from your behavior online, which I will go into in future posts and which is covered in depth in my book. Here is a quick hint: every day is April 1.

Threat Modeling

You may be asking, “but I’m nobody, why should I bother with security?” As I explain in my book, everyone is at risk of becoming a victim of a cybersecurity incident. Everyone has something to lose. You may not care if criminals read your email, but what about them using your email account to engage in criminal activity? Or using your email account to send your contacts malware? Threat modeling is something I cover in my book, where I go deeper into this topic. As you build out your threat model, you gain a better understanding of what you have to lose and what security trade-offs make sense to you. One thing I feel several security professionals miss is that threat modeling is an individual thing. It is not appropriate for everyone to adopt the security posture of an intelligence agent. Anyone that preaches security as one-size-fits-all does not understand threat modeling and therefore probably doesn’t understand security. What is more, not only is a security plan an individual thing, it is perfectly acceptable, maybe even desirable, for one person to have multiple security plans. My book goes into a lot more detail here.

FUD and fear-mongering

Another thing to be aware of is all the FUD that is out there. It is hard to say whether those spreading FUD are well-intentioned but misguided, or whether they have malicious intent. My guess is there is a little of both.

There are a lot of people online with opinions that get spread as if they are facts. It is critical in today’s world to be able to separate facts from opinions. Having a following does not make someone an expert. Before you take anything as a fact, or even as expert advice, analyze the author’s credentials.

I’ve seen a lot of blogs and news about how insecure a particular product is, insinuating that these flaws make the product unusable. When I read their description of what the problem is, it usually comes down to what I might call sub-optimal configuration. What I mean by that is that the user did not leverage all the security features of the product, either intentionally or because they didn’t know better. To me, this is a classic case of FUD. Best case, the article author misconstrued the user’s scenario or use case. Worst case, some user education might be needed. I disagree that a product that defaults to a less than secure configuration is an insecure product, as long as it can be configured to be more secure.

Another case of frequent FUD is hyping up a use case that is outside most users’ threat models. An example here is when someone writes that because a product does not offer a feature they think the product should offer, it is unsuitable for everyone. Just because the product does not meet the author’s requirement doesn’t mean it is unsuitable for practically everyone else.

There were a lot of articles lately about security issues in the Zoom video conferencing solution, which I found to be complete FUD, specifically when it came to the level of encryption they did or did not offer. Yes, there are specific use cases and specific threat models where this was an issue. In my opinion, for more than 90% of Zoom users, whether the level of encryption being discussed was offered or not made absolutely no difference.

BTW, if you want to understand what encryption is and how it works, there is a chapter in my book that breaks that down using everyday language.

Most of the articles piling on Zoom for being insecure were about the default meeting configuration. The default configuration did not prevent people from being jerks and joining random Zoom meetings for the sole purpose of being disruptive. New users did not know this or understand how to turn on the features to prevent it. Zoom opted for convenience over security and paid a considerable PR price for it. So they fixed it by making high security the default configuration.

In closing

That is all for this installment; be on the lookout for future installments on specific online security topics.

INTRO

This post will serve as an ongoing errata page for my book. My plan is to continuously update this post as I discover errors, issues, addenda, or just things I’d like to follow up on.

PUBLIC USB CHARGE STATIONS

First, I want to address potential criticism that, despite my promise to avoid all FUD, there might be a bit of it in the section on public USB charging stations. I can totally see that point, although I think calling it FUD is a bit strong. Yes, the likelihood that a public charge station could infect your phone is pretty slim and would require very specific circumstances for it to work. So more than 99% of you should be just fine. I still stand by my recommendation that carrying a power pack is a wise idea, for multiple reasons.

TRAVELING MAILBOX

In my book, I mentioned that as I was wrapping up my writing, I discovered a new service I thought showed great potential, and I promised to update all my readers on that service. I am happy to report that they have not disappointed, and I plan to do a post dedicated to reviewing my experience with them. So stay tuned for that post.

PROTONMAIL

In my book, I spoke at great length about what a great company Protonmail is and about their zealous privacy advocacy. This is all still true; they offer one of the few, if not the only, fully encrypted email services. This means they have a true zero-knowledge system, where even if they were forced to disclose things about their customers, they simply couldn’t, because everything is encrypted with the customer’s encryption certificate and their password. This means that all they could hand over are encrypted emails, which would take years, if not hundreds of years, to break the encryption on.

What has changed is that I am no longer using Protonmail as my primary email provider. I bet you are asking why I stopped using them if they are so fabulous, and what I am using now. The answer to that goes back to threat modeling as discussed in the book. For my threat model, encryption and secrecy are not my top requirements. I am satisfied with good privacy practices; I do not require great privacy. What caused me to leave Protonmail was that their zero-knowledge encryption model meant a lot of features I appreciate were not possible or have not been implemented yet. Their UI is a little clunky, and it is not possible to search email content; those are a couple of the negative aspects of the Protonmail experience. What really pushed me over the edge, though, was the lack of reliability. There were several cases where either emails I sent or emails sent to me did not arrive. Protonmail support was either unwilling or unable to do anything about this, basically telling me to provide proof in the form of an error message, which I did not have, or go away.

So I took my business to a company in Australia called FastMail. They seem to have a good privacy reputation from what I’ve been able to tell, and their feature set is on par, if not above par, with the leading email providers such as Gmail and Outlook. They do not offer any encryption, so if that is a requirement for your threat model, then stick with Protonmail. Also, Australia is a member of the Five Eyes intelligence consortium. So if nation-states are part of your threat model, you might be better off with Protonmail, as Switzerland is not known for cooperating with other nation-states, and there is nothing that Protonmail could provide other than heavily encrypted files even if they did. I believe that FastMail would not willingly disclose anything about its customers; however, governments could compel them to do so.

Be on the lookout for a post on my experience migrating all my domains and all my emails from Protonmail to Fastmail, as well as a full review on FastMail.

PRIVACY.COM

This is a site I just discovered this week, and if I had known about it while I was writing the book, I would have included it. What they offer is a site that allows you to create virtual prepaid credit cards funded directly from your bank account, either through direct withdrawal or via a link to your debit card. Look for a post with a full review of privacy.com in the near future.