Cybersecurity

Smellincoffee

Inspired by recently reading Data and Goliath and Future Crimes: How worried are you about cyber-security on a daily basis? What are some of your practices?

My parents were paranoid about the internet when I first got on it back in the 1990s, so I always approached websites with wariness in regards to personal information. I had to re-install Windows early on after trying to load a photo that turned out to be an executable someone sent me in AOL Instant Messenger, and have developed the habit of running Spybot S&D every other day, and use browsers that block attempts by websites to install things on my PC. ("Disconnect", for instance, which snuffs out social plugins.) I also keep my 'real' computer, the one that I store files on, disconnected from the internet. My online computer is an older one that has almost nothing on it, so if I get a virus... big deal.

The most serious issue I've seen was not on my PC, but on a relative's I was trying to fix -- a bit of ransomware that may have come through Facebook. I managed to remove it, but doing so with either Malwarebytes or Spybot disabled the modem, so I did a system restore for want of a better solution.
 
All software always up to date.

All ads and third-party scripts/iframes blocked with uBlock Origin. (No other browser extensions to block anything.)

No Java or Flash.

7-word unique diceware for any passwords I have to remember, 32-char random stored in KeePass for anything else.

Two-factor authentication for anything where I'm using diceware passwords.

System restore disabled.

Have never had a virus.

I'm far more concerned about malware spread via USB than via web browsers. I won't use any USB storage that's been out of my control, people can upload the data somewhere instead.
 
Aside from the usual stuff Zelig lists, I use VMware sandboxes. My "iron" OS is for a few games and some non-internet-connected stuff. I use a few (Linux) VMs that have no iron HD/clipboard access for internet work, one is for webcomics and other risky browsing but has zero personally identifiable data on it, one for banking only, one for shopping (it's the only one that gets my credit card info) and one for medium-risk general-purpose browsing.

One thing reading Data and Goliath confirmed for me is that ultimately I'm getting swept up in some data-gathering anyway unless I try VERY hard ALL the time to avoid it. So I've relaxed a bit about the NSA/GCHQ and major corporate info-sucking and just focus on avoiding or defending against stuff that will annoy me or cost me money.
 
I only listed cybersecurity best practices I follow in my previous post...

Off the top of my head, various other practices I follow, some for security, some to thwart data-collection:

Only run supported operating systems that are kept up to date with security patches. (So no non-Nexus Android devices allowed unless they run latest non-beta CyanogenMod.)

Full disk encryption for all my devices. (BitLocker for Windows, FileVault 2 for OS X, whatever native solution available for other devices.) I only cross international borders with disposable devices - if I'm asked to unlock anything, I'll refuse, but I don't expect to ever get the hardware back.

Never enter any credentials on PCs that aren't mine.

Browser cookies not allowed except for whitelisted sites.

Independent browser install for Facebook.

Independent browser install for Google products.

DuckDuckGo as default search engine.
 
Full disk encryption for all my devices. (BitLocker for Windows, FileVault 2 for OS X, whatever native solution available for other devices.) I only cross international borders with disposable devices - if I'm asked to unlock anything, I'll refuse, but I don't expect to ever get the hardware back.

If you refuse to unlock you could end up in prison in some places.
 
I'm rather conservative in my surfing. I only have a few dozen sites bookmarked that I regularly visit that I know are safe - like Civfanatics. I don't open emails unless I know the source. I have strong passwords. Only I use my devices, no one else.

Zelig has some reasonable advice above. I would only additionally recommend a good antivirus company - I use Norton Internet Security - but there are others.
 
If you refuse to unlock you could end up in prison in some places.

Pretty doubtful, I'm not aware of any situation where anyone has been compelled to give up passwords upon trying to enter a country (i.e. absent a court order.) Only real power border guards have is to confiscate device, perhaps detain you for an inconvenient amount of time, and refuse entry to the country.

There's a current ongoing court case between the CBSA and a man from Quebec - if the CBSA wins the right to compel passwords to be turned over, I'll simply switch over to securely wiping devices before crossing the border and reloading them afterwards.

My encrypted devices contain confidential client information, making them available to random governments absent a legitimate court order would be a breach of ethics.
 
It's not as utterly secure as full-disk encryption, but TrueCrypt at least supports hidden OSes enabling plausible deniability. It should get someone past a border guard that just wants to see the screen show something computerish and then wave them through. But, if a government is specifically after YOUR data, then the border guard will let you log in, then hand it to someone that is very good with computers to try to take it from there.

And then there's always rubber-hose decryption, in that case:

 
Pretty doubtful, I'm not aware of any situation where anyone has been compelled to give up passwords upon trying to enter a country (i.e. absent a court order.) Only real power border guards have is to confiscate device, perhaps detain you for an inconvenient amount of time, and refuse entry to the country.

There's a current ongoing court case between the CBSA and a man from Quebec - if the CBSA wins the right to compel passwords to be turned over, I'll simply switch over to securely wiping devices before crossing the border and reloading them afterwards.

My encrypted devices contain confidential client information, making them available to random governments absent a legitimate court order would be a breach of ethics.

People have been jailed for refusing to give up their key. If it has not happened at the border yet it will do soon.

https://en.wikipedia.org/wiki/Key_disclosure_law
 
Desktop
+ I run a Kubuntu here, with firewall and antivirus on (yeah, it's necessary).
+ Adblock and noscript in the browser, cookies disabled unless whitelisted.
+ My hardware is gladly so old that it can't run Flash ^^.
+ The passwords of importance are all long (15+) and mixed characters, or I just reset them every time I need them (like Amazon...once per year, no need to have a memorable password, just reset it with gibberish every time).

- I use Truecrypt for some things, but don't have full disk encryption on
- I use google
- I don't have email encryption activated
I know that I shouldn't do all of that


Mobile
+ I have an antivirus
+ long password
+ no google account

- no full disk encryption yet (will activate it)
- outdated Android (not my fault, I didn't buy this phone)
- I use whatsapp

Still think I'm quite okay here.
 
I've heard of cases of them just telling you to turn around at the border, if you try to bring in an electronic device that requires a password or key, and you refusing to give that up. Doubt they would arrest you though, but who knows.

I just don't bring any electronics over the border, aside from my GoPro, camera, travel phone, etc. If they want to snoop around my phone, feel free to take in that uplifting & inspirational goatse background.
 
I'm doubtful antivirus is of any value for users who keep software up to date and don't install anything from untrusted sources, I've only ever had false positives from AV programs.

It's not as utterly secure as full-disk encryption, but TrueCrypt at least supports hidden OSes enabling plausible deniability. It should get someone past a border guard that just wants to see the screen show something computerish and then wave them through. But, if a government is specifically after YOUR data, then the border guard will let you log in, then hand it to someone that is very good with computers to try to take it from there.

TrueCrypt hidden OS doesn't work with any modern UEFI system, or any mobile devices.

The use case of getting border agents to view and accept a fake OS without them asking questions that either make you seem more suspicious, or require you to let slip something potentially incriminating (i.e. anything that isn't completely truthful) isn't worthwhile, IMO.

People have been jailed for refusing to give up their key. If it has not happened at the border yet it will do soon.

https://en.wikipedia.org/wiki/Key_disclosure_law

So like I said, currently nothing that border agents can do. If that changes, I won't bring any data over borders where I can't have it securely encrypted.

Do you mean Javascript, Zelig?

Blocking Javascript on all sites you visit is overkill, most people don't need to turn to such drastic measures.

I don't install Java, as in the JRE.

I don't allow third-party javascript to run on webpages, only those from the domain from which the page is served. I whitelist other domains as required, or just don't bother with sites that are broken without third-party js if they're pulling from sources I don't feel like whitelisting.

e.g. This forum tries to load js from:
civfanatics.com
ajax.googleapis.com
facebook.net
google-analytics.com
google.com
googlesyndication.com
googletagservices.com

civfanatics.com is allowed as first-party, I manually whitelisted ajax.googleapis.com for every domain, none of the others provide any value.

+ Adblock and noscript in the browser, cookies disabled unless whitelisted.

Recommend replacing any non-ublock adblocker with ublock, and noscript with dynamic filtering in ublock. Much better performance than any other solution. Also ublock works on Firefox Mobile on Android, making FF Android the best mobile browser.
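
The first-party-plus-allowlist script policy described in the post above, as an added example that is not part of the original thread: it classifies the script hosts listed there. The URL paths, the `forums.` subdomain, the look-alike host and the function names are constructed, and the page's site is passed in directly rather than derived from the Public Suffix List as a real blocker would do.

```javascript
// Added illustration (not from the thread): decide whether a page may load a script.
// Hosts come from the list in the post; paths and the look-alike host are constructed.
const SAMPLE_SCRIPT_URLS = [
  "https://forums.civfanatics.com/js/forum.js",
  "https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js",
  "https://connect.facebook.net/en_US/sdk.js",
  "https://www.google-analytics.com/analytics.js",
  "https://apis.google.com/js/platform.js",
  "https://pagead2.googlesyndication.com/pagead/show_ads.js",
  "https://www.googletagservices.com/tag/js/gpt.js",
  "https://evilcivfanatics.com/js/forum.js", // look-alike, must NOT count as first-party
];

// True when host is the domain itself or a subdomain of it.
// The "." boundary is what keeps "evilcivfanatics.com" from matching "civfanatics.com".
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// pageSite is the site being visited (assumed already reduced to its registrable domain).
// allowlist holds third-party hosts the user trusts on every site.
function decideScript(pageSite, scriptUrl, allowlist) {
  let url;
  try {
    url = new URL(scriptUrl);
  } catch (e) {
    return { host: null, verdict: "block", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { host: null, verdict: "block", reason: "non-web scheme" };
  }
  const host = url.hostname;
  if (hostMatches(host, pageSite)) return { host, verdict: "allow", reason: "first-party" };
  if (allowlist.some((d) => hostMatches(host, d))) {
    return { host, verdict: "allow", reason: "allowlisted" };
  }
  return { host, verdict: "block", reason: "third-party" };
}

function auditPage(pageSite, scriptUrls, allowlist) {
  return scriptUrls.map((u) => decideScript(pageSite, u, allowlist));
}

const report = auditPage("civfanatics.com", SAMPLE_SCRIPT_URLS, ["ajax.googleapis.com"]);
for (const r of report) console.log(`${r.verdict.padEnd(5)} ${r.host} (${r.reason})`);
```

A plain `endsWith("civfanatics.com")` check without the dot boundary would treat the look-alike host as first-party, which is the mistake the `hostMatches` helper avoids.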
 
I don't install Java, as in the JRE.

I don't allow third-party javascript to run on webpages, only those from the domain from which the page is served. I whitelist other domains as required, or just don't bother with sites that are broken without third-party js if they're pulling from sources I don't feel like whitelisting.

Yeah, that's all sensible then. But depends.. There are legitimate reasons for using javascript from a 3rd party website, even if it isn't google or whatever, but yeah, that doesn't happen often. You're not one to confuse Java with Javascript, but you had me confused at first.

Last time I installed Java I got spyware and/or adware installed as well. So.. yeah, no more.
 
What are you guys worried about honestly? My credit cards constantly have unauthorized purchases on them (by constantly I mean like a few times a year). I just cut them up and get new ones, bank removes the charges, no big deal.

As far as everything else I just monitor it regularly. I don't think you can actually stop a super dedicated hacker, but you can notice stuff on your credit/etc and fix it right away. Other than that kind of info idk what else you'd need to secure. Secret formulas?
 
What are you guys worried about honestly? My credit cards constantly have unauthorized purchases on them (by constantly I mean like a few times a year). I just cut them up and get new ones, bank removes the charges, no big deal.

As far as everything else I just monitor it regularly. I don't think you can actually stop a super dedicated hacker, but you can notice stuff on your credit/etc and fix it right away. Other than that kind of info idk what else you'd need to secure. Secret formulas?

Losing access to your primary email is hugely more of a problem than having a credit card compromised.

If you're self employed, losing client/customer data is pretty problematic (i.e. potentially ruinous) too.

Compromised credit cards aren't generally cybersecurity related anyway, they typically get skimmed at retail locations.

I've never ever had one of my credit cards compromised.. If it's happening to you a couple times a year, maybe you're doing something wrong. That shouldn't be happening!

I've never had it happen since Canada switched to chip and PIN, happened to me pretty regularly before that.

Did just get back from the US last night and my Amex was declined for coffee this morning, was going to call them and see what was up but got caught up with some stuff, and then it worked for me at lunch... will double-check online when I get home to see if there's anything going on.
 
To you guys who are doing The Most here, do you really think these are realistic regimens for the majority of people who use electronics? In the future when these devices are even more inextricably linked to people's daily lives, don't you imagine that casual tinkerers would be able to wreak absolute havoc on ordinary people?
 