
If there is one magic silver bullet that will help you maintain your online security, it is critical thinking skills. If you read my previous article on the basics of online security, you may recall that I stated there is no single thing that can automatically keep you safe. You will, therefore, recognize the title here and the opening statement as the hyperbole it is meant to be. In other words, there is no magic silver bullet that maintains your online security automatically. While there is no single thing that can guarantee 100% online safety automatically, having rock-solid critical thinking skills is the next best thing.
There are probably entire college courses devoted to the acquisition of critical thinking skills, so I won’t be able to do that justice with a single blog post. I will endeavor to at least explain what I mean by critical thinking skills and how it helps you stay safe online.
Somewhere I once heard the advice “treat every day as if it were April 1st,” and I love that advice. On April Fools' Day, people do seem to make it a game, if not a mission, to figure out who is trying to pull a prank online, and they tend not to believe anything online that day. Then every other day, they seem to eat up anything that anyone puts online. If everyone put as much effort into identifying the scams online as they do into recognizing April Fools' pranks, there would be much less crime online.
Critical thinking is about being critical about everything you read online. I know that is a bit of a recursive definition, so let me try to explain more.
To maintain online security, you need to be suspicious about everything you read online, whether it is on Facebook, Twitter, some blog, a news site, your email, etc. The idea that “I read it online, so it must be true” could not be further from the truth. Also, just because something is going viral on social media does not make it real. Like the old rumor mill, things don’t become true just because a lot of people are repeating them. Even viral videos don’t prove anything; they are frequently taken entirely out of context, manipulated, or outright faked. We have fantastic technology these days, and it is often used for evil instead of good. There are a lot of people out there who get their kicks from spinning people up and getting them fighting about nothing. Those people spread half-truths and deep fakes for their enjoyment. Some even go so far as to set up automation to help them spread their garbage faster and farther, by setting up something called a bot farm. The term bot is derived from the term robot, and it is simple automation that carries out a specific task, such as posting to Facebook.
Then, there is a whole class of online criminals that are termed “Social Engineers” in the cybersecurity world. I think the terms “scammers” or “fraudsters” are much better. These criminals have been around since the dawn of time, and they use their trade to trick you into doing something you shouldn’t, buying something you regret, or defrauding you in one way or another. The play and movie “The Music Man” depicts a man particularly skilled in this area. Many other movies depict similar tactics, but that is the first one to pop into my head.
One particularly prevalent subsection of social engineering is called phishing. Phishing typically happens over email and is geared towards tricking you into installing malware on your computer or getting you to click on a link. The goal generally is either to take over your computer so it can be used for criminal activity or to steal your identity. I go into a lot more detail about phishing in my book, but I’ll touch on a few pointers here. Please note that while email is the most prevalent method, a modified version of phishing also happens via text and voice mail.
One of the running themes throughout my book is: don’t click on links in email or open attachments. If you never click on any links in email or open attachments, falling for an email phishing attack just became practically impossible.
The general theme of a phishing email is pretending to be a safe email from someone or something you know. This is where critical thinking comes in again. Here, being distrustful will save the day. How do you know that email is from whom it claims to be from?
One of the hallmarks of a phishing email is urgency; you need to click that link right this very second or face immediate financial ruin. Be extra wary of these emails.
Back to the idea of being distrustful: if you want to maintain online security, you cannot trust anything online or take anything at face value. By that, I don’t mean that you can’t trust your buddy online even though you trust them in real life. I mean, don’t assume that the message really is from your buddy.
Time for an analogy. I hope you are a Mission Impossible fan or at least are familiar with what it is all about. Imagine Ethan, the lead character, is using some government-level tech to change how he looks and how he sounds so that he can get past security and complete his mission. There is a scene like that at least once per movie, if not more. I don’t know if this is actually possible in real life or if this is pure Hollywood fiction, but this is trivial to do online.
So let’s say, for the sake of demonstration, that you are a character in a Mission Impossible movie and you have some high-level access that Ethan needs. So Ethan dresses up like your best buddy and uses his tech to create a mask that makes him look and sound like your buddy. He calls you up and invites you out for a drink. At first, you’re glad to see your buddy, but then you start to get this gut feeling that something is off. You see, Ethan may be able to change his voice and create a mask that looks like your buddy, but copying your buddy’s mannerisms and the way they carry a conversation is much harder. What do you do: do you brush off the gut feeling, or do you throw out a curveball to test this person? If you are smart, you test them to expose them as the imposter they are. I’m pretty sure there is a scene like this in at least one of the movies 😀
Now translate this to online behavior: if you get a message claiming to be from your buddy, do you just accept it, or do you analyze it to see if it sounds like your buddy? The smart and safe approach is to be suspicious.
Again, there is a lot more detail about this in my book, so if you are looking for more on how to maintain online security, you should check it out. If you have any questions, feel free to shoot me a note.


Definitions

Before we dive into the world of online security, let’s start with some definitions.

  • Threat Actor: A criminal that is a threat to either a specific person or a group of people. This is a catch-all term for online criminals. 
  • Hacker: Someone that attempts to use things for purposes they were not intended for. The media likes to use this term interchangeably with a threat actor, which I disagree with. I believe this term is much broader than that. In the original definition of this word, there was no criminal intent involved. 
  • Snake Oil Salesman: According to Wikipedia, this refers to deceptive or fraudulent salespeople.
  • Next-Gen and Military Grade: These are meaningless buzzwords used by snake oil salesmen.
  • Fear, Uncertainty, and Doubt (FUD): This is a generic term covering anything or anyone inciting fear. FUD spreads doubt and uncertainty that serve only to spread more fear.

Online Security basics

The first thing we need to realize when we start talking about online security and safety is that security is hard and an inconvenient pain in the butt. It is not possible to achieve 100% online security, and there are convenience trade-offs that have to be made. I talk about these trade-offs in my book. The trade-offs basically come down to a choice between being inconvenienced or being a victim. There are certain things you can do so that you don’t get caught in a broad-net campaign. If you are targeted by a threat actor that is both advanced and persistent, it is only a matter of time before they breach your security. Regardless of how good your security is, an advanced persistent threat actor (APT) will breach it.

Think spearfishing vs. fishing with a net or a fishing pole. If you are a fish swimming in a lake and you are paying attention, you can avoid getting caught in a net or biting that lure on that fishing line. There is, however, very little you can do to prevent a spear from skewering you.

Another analogy for the sports fans out there. If you are playing defense, you have to fend off all offenses. If you are playing offense, only one offensive player needs to get through the defense for the whole team to be successful.

Put another way, an attacker only has to be lucky once; defenders have to be lucky every time.

This is why it is not feasible to have 100% online security. Anyone who tells you otherwise either doesn’t understand security or is a snake oil salesperson (or both). There are several companies out there claiming to sell a comprehensive solution to protect your security, claiming that once you buy their product, you will be safe online. They may throw around buzzwords like “military-grade,” “machine learning,” and “next-generation” in an attempt to impress you. These are meaningless phrases. The salespeople from these companies are merely selling you a bill of goods. The fact is that these solutions are effective anywhere between 5 and 35% of the time, which, in my opinion, is not very effective.

Now, while no security solution will make you bulletproof, it is still essential to have a good virus- and malware-blocking solution installed. The good news is that Windows 10 has a great one already built in, so there is nothing else to purchase. Your defense will mostly come from your behavior online, which I will go into in future posts and which is covered in depth in my book. Here is a quick hint: every day is April 1.

Threat Modeling

You may be asking, “but I’m nobody, why should I bother with security?” As I explain in my book, everyone is at risk of becoming a victim of a cybersecurity incident. Everyone has something to lose. You may not care if criminals read your email, but what about them using your email account to engage in criminal activity? Or using your email account to send your contacts malware? Threat modeling is something I cover in my book, which goes deeper into this topic. As you build out your threat model, you gain a better understanding of what you have to lose and which security trade-offs make sense for you. One thing I feel several security professionals miss is that threat modeling is an individual thing. It is not appropriate for everyone to adopt the security posture of an intelligence agent. Anyone who preaches security as one-size-fits-all does not understand threat modeling and therefore probably doesn’t understand security. What is more, not only is a security plan an individual thing, it is perfectly acceptable, maybe even desirable, for one person to have multiple security plans. My book goes into a lot more detail here.

FUD and fear-mongering

Another thing to be aware of is all the FUD that is out there. It is hard to say whether those spreading FUD are well-intentioned but misguided, or whether they have malicious intent. My guess is there is a little of both.

There are a lot of people online with opinions that get spread as if they were facts. It is critical in today’s world to be able to separate facts from opinions. Having a following does not make someone an expert. Before you take anything as a fact, or even as expert advice, analyze the author’s credentials.

I’ve seen a lot of blogs and news about how insecure a particular product is, insinuating that these flaws make the product unusable. When I read their description of what the problem is, it usually comes down to what I might call sub-optimal configuration. What I mean by that is that the user did not leverage all the security features of the product, either intentionally or because they didn’t know better. To me, this is a classic case of FUD. Best case, the article author misconstrued the user’s scenario or use case. Worst case, some user education might be needed. I disagree that a product that defaults to a less-than-secure configuration is an insecure product, as long as it can be configured to be more secure.

Another case of frequent FUD is hyping up a use case that is outside most users’ threat models. An example here is when someone writes that because a product does not offer a feature they think it has to offer, it is unsuitable for everyone. Just because the product does not meet the author’s requirement doesn’t mean it is unsuitable for practically everyone else.

There have been a lot of articles lately about security issues in the Zoom video conferencing solution, which I found to be complete FUD. Specifically, when it came to the level of encryption they did or did not offer. Yes, there are specific use cases and specific threat models where this was an issue. In my opinion, for more than 90% of Zoom users, whether the level of encryption being discussed was offered or not made absolutely no difference.

BTW if you want to understand what encryption is and how it works, there is a chapter in my book that breaks that down using everyday language.

Most of the articles piling on Zoom for being insecure were about the default meeting configuration. The default configuration did not prevent people from joining random Zoom meetings for the sole purpose of being disruptive jerks. New users did not know this or understand how to turn on the features to prevent it. Zoom opted for convenience over security and paid a considerable PR price for it. So they fixed it by making high security the default configuration.

In closing

That is all for this installment. Be on the lookout for future installments on specific online security topics.


INTRO

This post will serve as an ongoing errata page for my book. My plan is to continuously update this post as I discover errors, issues, addenda, or just things I’d like to follow up on.

PUBLIC USB CHARGE STATIONS

First, I want to address the potential criticism that, despite my promise to avoid all FUD, there might be a bit of it in the section on public USB charging stations. I can totally see that point, although I think calling it FUD is a bit strong. Yes, the likelihood that a public charge station could infect your phone is pretty slim and would require very specific circumstances for it to work. So more than 99% of you should be just fine. I still stand by my recommendation that carrying a power pack is a wise idea, for multiple reasons.

TRAVELING MAILBOX

In my book, I mentioned that, as I was wrapping up my writing, I discovered a new service I thought showed great potential, and I promised to update all my readers on that service. I am happy to report that they have not disappointed, and I plan to do a post dedicated to reviewing my experience with them. So stay tuned for that post.

PROTONMAIL

In my book, I spoke at great length about what a great company Protonmail is and about their zealous privacy advocacy. This is all still true; they offer one of the few, if not the only, fully encrypted email services. This means they have a true zero-knowledge system, where even if they were forced to disclose things about their customers, they simply couldn’t, because everything is encrypted by the customer’s encryption certificate and their password. This means that all they could hand over are encrypted emails, which would take years, if not hundreds of years, to break the encryption on.

What has changed is that I am no longer using Protonmail as my primary email provider. I bet you are asking why I stopped using them if they are so fabulous, and what I am using now. The answer to that goes back to threat modeling, as discussed in the book. For my threat model, encryption and secrecy are not my top requirement. I am satisfied with good privacy practices; I do not require great privacy. What caused me to leave Protonmail was that their zero-knowledge encryption model meant a lot of features I appreciated were not possible or had not been implemented yet. A slightly clunky UI and the inability to search email content are a couple of the negative aspects of the Protonmail experience. What really pushed me over the edge, though, was the lack of reliability. There were several cases where either emails I sent or emails sent to me did not arrive. Protonmail support was either unwilling or unable to do anything about this, basically telling me to provide proof in the form of an error message, which I did not have, or go away.

So I took my business to a company in Australia called FastMail. They seem to have a good privacy reputation from what I’ve been able to tell, and their feature set is on par, if not above par, with the leading email providers such as Gmail and Outlook. They do not offer any encryption, so if that is a requirement for your threat model, then stick with Protonmail. Also, Australia is a member of the Five Eyes intelligence consortium. So if nation-states are part of your threat model, you might be better off with Protonmail, as Switzerland is not known for cooperating with other nation-states, and there is nothing that Protonmail could provide other than heavily encrypted files even if they did. I believe that FastMail would not willingly disclose anything about its customers; however, governments could compel them to do so.

Be on the lookout for a post on my experience migrating all my domains and all my emails from Protonmail to FastMail, as well as a full review of FastMail.

PRIVACY.COM

This is a site I just discovered this week, and if I had known about it while I was writing the book, I would have included it. It is a site that allows you to create virtual pre-paid credit cards funded directly from your bank account, either through direct withdrawal or via a link to your debit card. Look for a post with a full review of privacy.com in the near future.