Just how much are you sharing online?
A few words on beefing up your online security
11 May 2018
Latest posts by Cristian
- Just how much are you sharing online? - May 11, 2018
Let’s face it, it’s 2018, the future is now, you’re active on every social network that’s popular right now, you’re connected to the internet via your computer, phone, watch, fridge, and you can even talk to your vacuum cleaning robot.
We’re becoming increasingly comfortable embracing and interacting with new technology; however, few of us are aware of how these technologies can affect our online privacy.
Bear with me as I’m going to show you some cool stuff and maybe give you a few tips on how you can take better control over what exactly you share online.
The “cool stuff” part
People are often unaware of the security implications of the hardware or applications they use. Here’s an example: you buy a new house, move in, get some new furniture and maybe that fancy TV you’ve been eyeballing for a while. You think to yourself, “Hey, I’ve got all this stuff, so I might as well get some surveillance cameras set up.” Smart move! So you hit up Amazon, order, and set up your security cameras all around your house. The issue is that it’s easy to forget to change the default username and password on the security system, or not bother at all, because who’s going to hack me? While it’s unlikely that anyone will target you specifically, plenty of attackers use automated tools to mass-scan for and exploit vulnerable targets (i.e. software with known security holes) and then use the devices they’ve taken over to spread botnets, run DDoS attacks or even mine bitcoin on the victim’s hardware. On top of that, there are web crawlers that index (mostly) unsecured devices running web servers and offer convenient search tools, so whatever type of vulnerable device someone is looking for is easy to find. They turn up everything from security cameras, FTP servers and routers to, more dangerously, vulnerable SCADA systems, and that’s only scratching the surface.
Check this out. This is a screenshot I took from one such web crawler. I ran a simple search for IP cams and got somewhere around a few hundred results, which also conveniently show the IP addresses for all the world to see (and access – don’t be that guy).
But what about other things that people like to throw unsecured web-servers on? Check these out…
Oh and look! A coal mine right in our backyard!
The point I’m trying to make here is that just because you could, doesn’t mean you should. And if you’re going to, it should be secured.
The privacy and security part
Securing your home network
Start by identifying your home router or wi-fi access point and upgrading their firmware. Go to the manufacturer’s website, look up the latest available firmware and a how-to guide for applying it to your hardware and get to it! Manufacturers typically release firmware updates to patch security holes and improve their overall performance so you might even get a performance boost out of that too. If, however, your model is several years old, you might want to consider upgrading it to a newer revision, especially if it is not supported with new firmware versions anymore.
Is your wi-fi access point password protected? If not, you may be exposing yourself to serious risks such as man-in-the-middle (MITM) attacks, people using your internet connection for mischievous activities or, at the very least, someone slowing down your network when you’re trying to get your Netflix on. Even the most basic level of encryption will deter others from using your connection or snooping on the wi-fi packets your devices send. So get on that ASAP! Add a password to your wi-fi connection and select the highest level of encryption available on your hardware (typically WPA2). While you’re at it, make sure you’ve also changed the default password for your router’s management interface. It’s 2018 – admin/admin has no place here anymore.
Securing your devices
Let’s start with your phone. Whether you’re an Android or iOS user, I’m willing to bet there’s something on your phone (contacts, texts, pictures, apps, banking information) that you don’t want to fall into the wrong hands. Given that context, leaving your phone unsecured is basically like leaving your home door unlocked. See what I’m getting at here?
Start by adding a lock screen password to your device. For Apple devices, you can typically find this in Settings > Face ID & Passcode > Turn Passcode On
For Android, you should typically find these settings in Settings > Security & Location > Screen Lock > PIN
Now, some devices even have fingerprint or face recognition. As an added layer of security, you could also enable these features on devices that support them: passcodes can be stolen, but I would venture to guess that it’s much harder to steal your face or fingers.
So now you’ve made it more difficult for others to break into your phone (Ha! Good luck stealing my memes now!). But what about the other potential security hazards that you may face while using your phone in public? Here are a few more steps you could take in the right direction:
- Disable Bluetooth unless you need it, or if you have it on at all times, make sure you don’t accept any connection requests or file transfers from unknown sources (remember Blueborne? Yikes!)
- Some devices ship with NFC enabled by default. Unless you absolutely have to use it, I would also keep this one off
- Be wary of using public wi-fi networks. If you’re using them, you can bet others are too. If you deal with sensitive data such as logging in to your social media, e-mail or bank accounts, it’s good practice to do this at home on a secured network or, at the very least, to use a safe and reputable VPN to encrypt all your traffic when out in public.
Please tell me you’re not reading this article on Internet Explorer. Oh, you are? Well it’s time to switch to a new and better browser. Firefox and Chrome offer a great deal of privacy protection and are also updated way more frequently than Internet Explorer, Edge or Safari. That being said, it’s now a good time to download one of those two browsers. Go ahead, I’ll wait. Done? Good.
Now, if you don’t want websites tracking your browsing habits, it’s a good time to turn on tracking protection:
- For Firefox, open up the menu and go to Preferences -> Privacy and Security. From there, you’ll want to go to Tracking Protection and select Use Tracking Protection to block known trackers to Always and do the same for Do Not Track.
- For Chrome, go to Settings, search for “track” and make sure you turn on Send a “Do Not Track” request with your browsing traffic and Protect you and your device from dangerous sites.
Now it’s time to install a few security add-ons for good measure. They will help add an extra layer of protection against tracking and malicious websites. The following add-ons are available for both Firefox and Chrome, so let’s start:
- HTTPS Everywhere is an extension that encrypts your communications with many major websites, making your browsing more secure. It works by making your browser use HTTPS instead of plain HTTP requests wherever the site supports it: someone on the network can still intercept the traffic you send, but HTTPS encrypts it, so what they capture is unusable.
- uBlock Origin is an extension that blocks ads and pop-ups across websites. However, please keep in mind that a lot of websites are supported by ads so if you trust and want to support any of those websites, you have the option to whitelist it by clicking on the uBlock Origin icon, then clicking the large Disable button. Here are the download links for Firefox and Chrome.
- Ghostery is yet another layer of protection against web tracking and malicious ads. It’s recommended that you also use this extension to protect against those websites that don’t obey when the browser sends the “Do Not Track” requests.
Note: It’s perfectly fine and even recommended that you run all three of these extensions, however, do not use multiple ad blocking extensions as this may cause websites to not load properly or even ruin some of the website’s functionality.
A few more tips on browsing behavior:
- Don’t fall for clickbait titles and be extra careful around all those CLICK HERE TO CLAIM YOUR FREE IPHONE links. Nobody will give you a free iPhone, nor will that Nigerian prince leave you his inheritance cash. These types of links typically redirect you to a website that scams you for your credit card or banking information. Now me, I like my money to be kept safely on my accounts, thank you very much!
- And while we’re on the subject of credit cards, a solid piece of advice is to never save your payment or address information on shopping sites. Even the most trusted and secured websites can be hacked, and giving potential attackers access to your banking info and home address is going to result in a big headache if they get their hands on them.
- Need an account for some website that you’re only going to use temporarily? Maybe you’re just signing up on a random forum so you can ask a question and then never use that account again. For websites where your actual data isn’t relevant, you can create an alternate “for spam use only” e-mail account or, better yet, use a temporary e-mail address service such as 10minutemail or yopmail. Just be aware that these services are sometimes blocked by websites, so your mileage may vary.
- Another good practice is to use different passwords for different websites. Picture this: you’ve created an account on some random website because reasons. Some time later, the website gets hacked and all the user data is leaked. It’s really easy for someone to take your leaked username (or email address, for that matter) and password and try them on other websites such as your email accounts or social networks. Check out haveibeenpwned, a nifty web utility that helps you find out if your account has been compromised in a data breach. It works with both usernames and email addresses, and it’s free!
- So you’ve followed my previous tip and set up different passwords for different websites. That’s awesome! Buuuut, maybe there are too many now and it’s just so hard to keep track of all those passwords. Have no fear! There are many online services called password managers which can safely keep all your passwords in a secure vault. I recommend using services like lastpass (freemium) or remembear (free). There are many to choose from so do your research first! Most of them also offer 2 factor authentication which is a huge security improvement. More on 2 factor authentication in just a second.
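The breach check mentioned above, as an added example that is not part of the original post: besides looking up usernames and e-mail addresses, haveibeenpwned’s Pwned Passwords service exposes a range endpoint (https://api.pwnedpasswords.com/range/<prefix>) that receives only the first five hex characters of a password’s SHA-1, so the full hash never leaves your machine. The sample response and its counts below are constructed so the code runs offline; `fetch_range` is only needed for a live query.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Added example: the k-anonymity lookup behind Have I Been Pwned's Pwned
# Passwords. Only the first 5 hex characters of the SHA-1 leave the machine;
# the match against the returned suffixes happens locally.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns; skip junk."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus; 0 if not found."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (needs network access)."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range(entries: dict[str, int]) -> str:
    """Build a fake range response from plaintext passwords and made-up counts
    so the example runs offline. In a real response every line shares the
    queried prefix and there are hundreds of them."""
    return "\n".join(f"{split_hash(pw)[1]}:{n}" for pw, n in entries.items())


# Constructed sample data: the counts are invented, not real HIBP numbers.
SAMPLE_RANGE = constructed_range({"password": 3730471, "letmein": 22048})

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = breach_count(candidate, SAMPLE_RANGE)
        print(f"{candidate!r}: seen {hits} times" if hits else f"{candidate!r}: not found")
```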
Two Factor Authentication
Oh no! Someone guessed your password! Good thing you have 2 Factor Authentication turned on!
2 Factor Authentication (or 2FA) works by adding an extra layer of security to your login procedures. Besides the usual username and password, websites that have this feature enabled will also ask for further confirmation that the person who’s trying to log in is actually you. Typically, websites will send you a unique confirmation code via SMS or e-mail which you are also required to enter in order to log in. Think of it like having two passwords: one that you have to remember, and a unique password that gets sent to you each time you want to log in to a certain website. Here are a few tutorials on how to set up 2FA on some of the most popular websites:
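The code-by-SMS/e-mail flow described above, seen from the website’s side, as an added example that is not part of the original post: the `send` callback and the `clock` parameter are assumptions for illustration (a real service would hand the code to an SMS or mail gateway), and the code is stored only as a hash, expires, is single-use and is limited to a few guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example: server side of the "we texted/e-mailed you a code" step.
# `send` is a hypothetical callback standing in for an SMS or e-mail gateway;
# `clock` is injectable so expiry can be tested without waiting.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3         # after that the code is discarded and must be reissued


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactor:
    """Issue and verify one-time login codes after the password check passed."""

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user: str) -> None:
        """Generate an unpredictable code, keep only its hash, hand it to delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._hash(code), self._clock() + CODE_TTL_SECONDS)
        self._send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a code once, only before it expires and within the attempt limit."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]
            return False
        if hmac.compare_digest(pending.code_hash, self._hash(submitted)):
            del self._pending[user]           # single use: a replayed code fails
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]           # too many guesses: force a fresh code
        return False
```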
Social network clean up
So you’ve made it this far into reading this article. Congratulations, you’re almost at the end! In this section, we’ll be exploring the various security and privacy options that some of the most frequently used websites have to offer.
Let’s start with Facebook. Click the arrow next to the question mark on the top-right of the website and then go to Settings -> Privacy
- Who can see your future posts? — Here, you’ll be able to select the audience that will be able to view the rest of your Facebook posts from that point onwards. Do you want your posts to be seen by everyone, including people you’re not friends with? Only your friends? What about only sharing them with a few specific friends? The drop-down menu is pretty self-explanatory so select which option works best for you, then click Next.
- Limit the audience for posts you’ve shared with friends of friends or Public? — Now that you’ve set up who can see your future posts, this option will allow you to set all your previous posts to have the same audience. Let’s say you’ve made some public posts that you only intended your friends to see or vice-versa. This option will affect all those past posts.
- Who can send you friend requests? — Are you getting spammed with friend requests from complete strangers? You can set this option to Friends of friends so that not everyone gets to send you a friend request.
- Who can see your friends list? — It’s set to Public by default. If you want to hide your friends list from everyone, it’s good to know that you absolutely have that option.
- Who can look you up using the email address you provided? along with Who can look you up using the phone number you provided? should most definitely be kept to Friends only in order to prevent scammers (or even potential employers) from finding and fishing through your Facebook profile.
- Do you want search engines outside of Facebook to link to your profile? — If someone, say, googles your name, this option lets you hide your profile from search engines other than Facebook.
Let’s move on to Twitter, shall we? After you’ve logged in to Twitter, click your profile image in the top-right corner, go to Settings and Privacy and select Privacy and Safety.
- Tweet privacy — Select this if you only want your tweets to be viewable by people you’ve pre-approved. This will prevent all your future tweets from being public, however, it might not affect your previous tweets
- Tweet location — If you don’t want any location data to be sent with your tweets, you might want to disable this one
- Photo tagging — This is up to you but I’d keep this one off also, to prevent being tagged by spammers
- Discoverability — Same as with Facebook, I would keep both phone number and email address options off, in order not to be identified by those items. If, let’s say, someone searches for your phone number or email address on Twitter and finds your account, they basically already have your username
- Twitter for teams — Unless you’re part of an organization that you represent on Twitter, keep this one off as well
- Direct messages — Nobody wants their DMs spammed by random bots, right? If you keep this option off, you will only receive DMs from people you follow
- Personalization and Data — This one controls how Twitter collects and shares certain user data. Unless you want them tracking you, disable all of them
Instagram is a bit of an easier one. Open up Instagram on your mobile device and tap the icon in the top-right corner.
- Private Account — Toggling this option to ON will set your profile to Private. Your current followers will continue to see your posts (even your past Instagram posts), however, if someone new wants to follow you, you will receive a notification to approve or deny their request.
- Show Activity Status — Toggling this option to ON will hide your online status from Instagram. This pertains to the messaging function. One thing to note is that if you turn this on, you will also not be able to see other people’s online status.
Linkedin is up. Buckle your seatbelt! If you have a LinkedIn profile, we’re going to assume that you want that information out there for potential employers (or employees). Since this one has a lot of options, I will only be highlighting the ones you might want to change, but feel free to explore yourself, since they offer inline explanations for each option.
- Who can see your email address — Unless you want other members (1st / 2nd-degree connections or even everyone who can create a LinkedIn profile) to see your e-mail address, I’d keep this one set to Only You.
- Manage who can discover your profile from your email address / phone number — Since you might want your potential employer to find your LinkedIn profile via email address or phone number (assuming that you haven’t given them the profile link), you can keep these on, however, be wary that someone who has your email address or phone number and finds your profile can stumble upon highly identifiable information.
Now I’m not calling myself a security specialist, I did my fair share of dumb things on the internet (even had to nuke my own laptop after getting ransomware’d) and learned a lot from it, the hard way. The least I can do is help others learn from my mistakes. I’ve also had a lot of fun experimenting with pentesting my own devices and servers, but maybe that’s an article for another time.
I hope this article helped you create some better browsing habits and be more aware of your online presence. If you’ve found it helpful, I encourage you to explore the privacy settings of any other online platform you use, for the web is dark and full of terrors.