DIY Cyber Audit: #1 Account Security
Your launchpad for improving your own digital autonomy.
This guide is a work in progress.
The complete, latest version will be here
It’s good for people to take their own cybersecurity seriously. It’s a huge topic, and it can be difficult to decide what’s worth starting with, or expending a lot of effort on. This guide is intended to walk you through some of the basic “bare-minimum” steps one would want to take in improving their online security. In addition to pure security goals, this piece aims to emphasize how to reduce your dependency on systems that seize control of your information and workflows. It is my opinion that consolidated power inevitably leads to abused power, therefore one should take an active role in reducing their participating in enabling nefarious entities.
But why? you may ask. If the corporate platforms, services, and tools are working fine, why put any effort in changing? It’s easy to fall into the trap of believing our actions are of no consequence, and that compromises made along the way don’t accrue debts. Over the last decade, people have given corporate digital giants (aka “Big Tech”) immense power in society. While it has already been abused in many ways, more concentrated power means more abuse.
It’s largely a matter of personal responsibility on where you want to draw the line. Maybe it suits you to simply focus on preventing unwanted intrusion to your important accounts, or you could be willing to invest time and resources to do everything within your power. Your goals and aspirations are important to consider. Sometimes a small bit of effort can be strategically used to get the maximum benefit, others like to dedicate lots of effort over a significant amount of time. Ultimately the best moves are the ones that get the best impact with the effort and time you’re able to expend.
This overview is intended to be a starting-point for someone interested in reducing what sensitive information is shared about themselves, and keeping their systems safer from unwanted intrusion.
This guide is currently a work-in-progress.
The complete, latest version will be found here
More Great Guides:
It may seem redundant to list other guides with similar information. Every project is going to have it’s own perspective, prioritization, and level of detail. If this guide is not to your liking, I would hope that one or many of these will suit your needs.
The Regular Audit
I’d like to introduce you to the concept of a regular security audit. Instead of trying to reinvent your entire digital life overnight, it can be helpful to set aside some amount of time to make gradual changes, or to spend dedicated time solving a particular problem. This can help you transform a giant task over time, without too much immediate disruption to how you currently do things.
You can commit to whatever time interval works for you. It could be monthly, quarterly, or even yearly is worth considering over never at all. This can help you budget the time you’d like to spend on making changes, as well as help you keep an eye out for things to address later.
One helpful strategy would be to tier specific practices to certain intervals. For example making sure to run updates more regularly, but worry about changing passwords on a less frequent basis.
A hypothetical plan could look like this:
Why? Committing to a regular plan can help correct errors and keep you accountable. It also gets you focused on more proactive actions instead of always playing catchup.
The PEBKAC Vector
The easiest way for someone or something to infiltrate your accounts and systems is your own capacity to make a mistake. Hence the, Problem-Exists-Between-Keyboard-and-Chair vector. (That’s you!) One of the more obvious examples is how much people have been trained to share intimate details of their lives on corporate social media. Beyond just embarrassment, a lack of proper precautions can lead to having your entire system compromised. Consequences of that can range from mild regret to financially devastating.
Phishing Attacks
Phishing is when communications are sent out to trick a person to accidentally load a program, or divulge specific information. Phishing is very effective when combined with other attacks. The more someone (or something) can learn about you, the more effective phishing messages can be tailored to you. It is not out of the question that voice cloning, and other generative AI tools will be used to impersonate trusted contacts.
From A Non-Combattant’s Guide to Cyberwar
There are many different ways [phishing] can be carried out:
E-mail: one kind of attack is an urgent email that requires you to immediately click a certain link. That link will then present a fake log-in form disguised as a legitimate site. This could be used to steal your credentials. If the site itself has a vulnerability, merely clicking the link itself could be enough to compromise your account.Attachments: any file sent your way may be more than meets the eye. There are a variety of methods that allow a file that’s opened to either run as a virus, or send your data elsewhere.
None of this is exclusive to e-mail.
Messaging apps, and online communities can all enable the same problems.
Sometimes, an adversary being able to figure out which accounts are yours is enough to get very useful information, or to break into already compromised accounts. Other times, getting you to run some malware can give up complete control of your system. The best defense is to be aware of phishing, and take precaution before opening links or attachments.
Video: Protect Your Devices From Hackers – Don't Get '0wned' By AJ and the Electronic Frontier Foundation
For each channel, a purpose.
Reflect on how and in what way your trusted contacts will interact with you. Having separate email address(es) for different purposes can help filter specific messages for you, this will help you know if a particular message is genuine or not. Very often services will give you the option to enter a code instead of clicking a link, which is helpful in this situation. If you’re sure you must click a link, it can be worth copying it (with a right-click, or long touch) first, then inspecting it yourself before opening it.
Even something as simple as keeping in mind who tends to give you a phone call and who else prefers to use an end-to-end encrypted messaging app. If someone is reaching out to you in an unusual way, that can be an indication that something isn’t right. This applies to workplaces too, it can be a good idea to avoid mixing your career with your personal life, having an account for each can keep things separated.
Big Tech Services
Another way you may be outright, voluntarily handing out your information is when using cloud-driven and/or non-free software and services. Moving your data to your own devices, or at least to services run without vendor lock-in.
Disentangle Yourself from Cloud Platforms
There is no cloud, just somebody else’s computer!
Many online tools are just a service as a software substitute. This means that while you gain the convenience of sophisticated technologies at scale, you will also be unable to choose the terms of your computing. Simple things like using your own software like LibreOffice or Inkscape to create media allows you to keep your information under your own control. By not relying on external services for creating documents, presentations, or even notes you can go a long way to help reassert your own autonomy.
Choosing how you use social media will also have a significant impact. If you’re willing to put up with some inconvenience, it can be worth using alternate front ends for mainstream services to browse without being directly associated with an account. This can definitely help those who want to break away but don’t want to miss out on important information.
Online Footprint
Take Control of your Social Media
Being deliberate with your social media privacy settings is very important. Understand what features are available, and what it means for who can see what.
Who can see posts you make?
Is your profile searchable by site-members or anyone?
Does someone have to request access to see your information?
It’s important to consider what you’d like to be public, vs what is best left offline.
The best way to protect information is to never record it in the first place!
Find Yourself in Search Engines
You can see how easy it is to get information on you by performing your own searches. Given that search engines will make an attempt to find results relevant to you, it’s worth trying multiple search engines rather than making assumptions off a single search. Including details about yourself may help narrow the results.
Consider Alternate Identities
On other platforms, you may have an identity that isn’t your real name. It’s generally a good idea not to repeat usernames across platforms unless the intention is for them to be publicly associated.
Close Dormant Accounts
If you no longer use a service, you may want to consider closing the account if the option is available. If nothing else, it ties up another loose end.
Privacy Policies
Digital products and platforms will have a published privacy policy that ideally outlines what information is collected and how it’s used. They will vary in content, clarity, and detail.
For online platforms privacy policies can help you understand:
What information the platform collects
If your information is being shared with or sold
Another document is a warrant canary. A warrant canary is a document that explains that the organization hasn’t received any requests for information from governments and/or law enforcement agencies. It’s a useful thing to have, because law enforcement agencies will sometimes gag providers from informing their clients, or even stakeholders.
“Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.”
Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
Legislative Protections
Depending on your jurisdiction, you may be entitled to privacy protections. Notably, EU Citizens are covered by the GDPR which grants outlines regulations for organizations handling data deletion requests from individuals. It is worth being familiar with what privacy protections exist (or don’t exist) in your locale.
Account Security
Using a Password Manager
While a notebook of passwords can be lost or stolen, there are digital means to keep track of accounts and passwords. Conveniently, some managers have integrated browser extensions that can make it easy to log in with stored passwords. These tools can go a long way towards improving your account security a lot easier to maintain.
Two password managers that I’ve used:
KeePass XC (Offline)
Long & Unique Passwords per account
Why? So that one account breach doesn’t spread to others.
Reusing passwords means that if your password is found in a data breach or hack, it can be used to gain access to other accounts.
Using a password manager can help you generate significantly longer passwords that are significantly harder to break, and may be more random than what you can come up with yourself.
Learn to develop good password management practices
Turn on either ToTP or hardware two-factor authentication, where possible
Why? By adding two-factor authentication you significantly raise the difficulty of attacks on your accounts. This can also buy you time to reset your password if it’s stolen. Multi-factor authentication is very important for protecting important accounts.
Unique e-mail addresses per account
Why? To make phishing campaigns much easier to identify.
Some e-mail providers support adding additional words to your email. For example you may be able to use +shopping at the end of your email as: name+shopping@example.com. This is good for filtering mail, but makes your alternate e-mails potentially discoverable.
If you’d like unique e-mails forwarded to your own e-mail address, an e-mail forwarding & aliasing service like firefox relay or addy.io can help. Many people will already have multiple e-mails from different providers, some of them may support aliases or disposable addresses.
Excellent advice, thanks
I’ll be on this tomorrow morning for a read. Thanks man!!