Sunday, December 24, 2017

MI’s Cybersecurity Tips for 2018


The biggest development in cybersecurity in 2017 was not a hack. The Trump Administration has authorized Customs and Border Protection (CBP) to demand access to electronic devices from all incoming arrivals – citizens as well as permanent residents and foreigners. Incredibly, CBP has also been authorized to demand social media log-in information, IDs and passwords, so they can access your social media accounts from inside. If you were concerned about warrantless search and seizure by the NSA as revealed by Edward Snowden then this development should really concern you. As an aside Section 702 of what used to be called the Patriot Act also looks like it will be extended, possibly indefinitely of some have their way.
The CBP Social Media policy is not codified in statute. The 4th Amendment is restricted at the border for routine searches. That allows border control to conduct deeper searches of incoming passengers without having to meet a federal warrant standard involving making a case for probably cause. Neither Congress or the Courts have adjudicated whether this rule applies to logging in to your social media accounts. Does it include Turbo Tax as a social media account? Bank apps? Encrypted chat apps? Etc.
So for now, id you travel internationally and you don’t want the federal government inside your phone and thus inside your personal finances, taxes, private chats with your spouse or kids, either leave your phone at home or get a burner for travel and do not leave anything on it before you cross the border. That’s a lot of hassle but a lot cheaper than being the test case that takes a decade to wend its way to the Supreme Court. Think of the legal fees!
The 702 issue and the Manafort/Flynn revelations show that the NSA remains vigilant when ot comes to communications with foreign targets. Media suggests that 702 applies to as many as 100,000 targets. Under 702 the NSA does not need a warrant to surveil these foreign targets even in cases where that communication is with a US person or travels via communication links on US territory. Section 702 needs periodic review and can fail to be renewed if Congress does not act in time. Evidentially the deadline in Jan 2018 may be covered by some of the language in a related law that sets the 702 cycle in April 2018.
You might think there is no way 702 can touch you. Perhaps, but 100,000 targets is a serious number. They are not all ISIS. They clearly include diplomatic representation to the US, foreign governments, financial and business leaders overseas, and so on. Maybe this does not matter to you, but MI knows many of its readers are national security personnel and higher end business people, this may touch you. For the record, in order to surveil a US person as the target (not the collateral damage in targeting a foreign communication) in their communications across the international border, the government still needs to get a FISA warrant. To surveil you domestically, a court issued warrant based on probable cause is required.
This background is important to know but it also the setting for the suggestions made below. Disclaimer: MI is not a legal advice organization, and these are suggestions that readers are free to ignore based on their judgement. MI has no responsibility for how you conduct your personal communications or travels. These are helpful suggestions not business recommendations. Just don’t sue us, ok?
As the fallout from the San Bernardino terrorist attack shows, it is not easy for federal law enforcement (FLE) to access encrypted devices. They say they got into the terrorist’s iPhone without Apple’s help; that may or may not have happened. Post Snowden Apple and others know that its business model will fail to grow unless it puts people and not FLE first (although its policies in China suggests that if the market is attractive enough Apple’s principles may be a little softer than in a mature market). So has MI become paranoid? Looking at the threat board too hard all year and unnecessarily freaking out? Surely all of these measures are for criminals and spies – they don’t apply to little ole me going about my day? What could possibly go wrong? I don’t break the law, I help enforce it.
Crime is an old canard to prevent you from protecting yourself – ironic really. Good digital security and privacy practices are essential and here’s why:
1.            Common sense. The Five give you their platforms for free, right? You don’t pay for Gmail or YouTube. It’s great! Yet if that’s true, why are The Five the most valuable companies in the world? Where does that money come from? YOU. The Five (and others) see you as a mine of data that they use to position their own services that do cost money and to sell to their advertisers to pinpoint your interest in 18th C Austrian stamps. Marketing on TV is wasteful, especially for specialized items. The cutting edge in marketing is personalized tailored focus on individual interests. Now instead of buying ad time on TV – very costly and basically useless for stamp collectors - highly specialized ads can be sent very cheaply to everyone on earth who is interested in 18th C Austrian stamps.
So you pay for these ‘free services’ of Facebook, Google, Amazon, and so on. The fee? Your privacy. What’s that really worth to you?
2.            Life Happens. You might become incapacitated and you have always been t6he one who does all of the administration for the family. Incapacitation or sudden death vastly complicates managing your affairs, The set up suggested below will enable someone you trust to pick up exactly where you left off and operate your life when you can’t. It should be a central part of any good estate planning. But as argued, can be there for life events or even getting stuck overseas with a lost phone, etc.  The settings below have you backed up and secure so you (or your trusted person) can keep driving and paying bills and not getting behind.
3.            Your obligation to protect the country. Most of MIs readership ace national security professionals. They know that weak security of their home, person or digital footprint can help bad actors gain situational awareness and/or actual data and access with which they can threaten national security directly or indirectly. The USG has broken this professional and social contract with its unacceptable laxness in protecting SF-86 Data that resided with OPM. Nevertheless, we all need to work together and this is a case where protecting yourself and your family will also maintain your sacred obligation to protect America.
4.            “But MI – The Costs of All These Services!” See point one – your digital world is not free. In fact, you have been commodified. This should annoy you. It annoys the crap out of us. Your spouse and your children are commodities to be traded. Ever wondered why little Suzie gets credit card offers at age 6? It’s not because she is a rock star shopper (even if she is, our commiserationsJ) It’s because Suzie’s very existence has been sold to someone who wants to sell to her (they just don’t know she’s a wee tot, as they say in Scotland).
All of the systems and services we suggest below charge fees. If they don’t, then that’s the first hint that they may not be the best solution to your digital fingerprint and footprint privacy. Most cost tens or a few hundred a year. All up, even with the most high end services an individual or family might want, you are looking at around $500 a year. That’s peanuts for what you get for that sum.
Do you really think your name, address and social are safe?
*2013    3 billion yahoo accounts hacked
*2015    ALL OPM SF-86s hacked
*2017    143 Million credit profiles hacked at Equifax
*2017    198 Million US voter records hacked
And you call MI paranoid J Companies like Target and a bunch of others have all been hacked too. It’s not going to end, it’s going to accelerate and deepen. The US election was hacked in the sense that social media was completely manipulated to pervert the course of the election. It goes on and on.
It’s time to get real. It’s time to protect yourself, your family, and your country.
Here are our tips for 2018:
1.      Encrypt everything.  Phones, computers, hard drives, thumb drives. There are now plenty of options to do this. MI recommends picking one option across all hardware platforms. There are easy to use software programs now that can do this. The other option is using the features on the laptop during set up. Apple now offers this. Remember the number of different systems you use will require remembering a lot of log-ins.
2.      Password gatekeeper. This is a MUST. Again, as with hardware encryption options, there are a lot to choose from – the type of program MI has in mind is 1Password and the like. Each has different pros and cons. What they do is simple – they create impossible to hack passwords for all the sites you use to bank, do taxes, communicate with people, social media, etc. anything you log into – they protect. The software conjures up long complex passwords with or without symbols (&%$₵#), numbers, etc. It then stores these with your log-in IDs against the relevant URLs. To access your bank, you don’t have to google and find the bank, you simply press the bank’s icon and the password program automatically logs you in with the long/complex password. It’s easy and incredibly secure. The weakest link – the password you use to access the app.
3.      Log-in IDs and email IDs. The days of using David.Smith@gmail.com are gone. Why make it easy for the bad guys to target you. As above, you can now use password apps to create unique log-in IDs, MI recommends random jumbles of letters, numbers, and symbols, just like a password – so they are unintelligible to whoever may be trying to find ‘David Smith’. MI recommends different IDs for high impact accounts like banks and maybe a common one for low impact stuff like Hulu. Note: Facebook is NOT low impact!
4.      Social Media. OK, this is going to hurt. Are you sitting down? Get off Facebook. Guess what? You can’t get off Facebook! Try it and see. It owns you. To the extent that your data, your most private data is you, it owns you. If you load it onto Facebook, they now own it; whether it’s a picture, your religious, political, sexual, social, or other habits, preferences, views, etc., Facebook owns it. This is not a rhetorical point, it is a legal fact. Remember the long Terms of service in tiny print? Don’t worry, no one else reads it either. It’s in there. As a matter of law, anything you put on Facebook is their property. It’s in there. As a matter of law, anything you put on Facebook is their property.

Why is this important? Because Facebook is the greatest human intelligence gathering platform ever devised. In the old days the following information had to be either interrogated out of you or was the fruit of weeks if not months of resource-heavy surveillance: your full name, date of birth, addresses of home and work, your up-to-the-minute location (from their geo-location settings as well as posting from your favorite café), your network of contacts from all aspects of your life, the books, magazines, websites, blogs, and tweets you read, your opinion on political social, international, gender, sexual orientation issues; digital records both still and video of you, members of your network, locations you visit, places you vacation, your home and vehicles and so on. Facebook owns that catalog of your identity. They sell that information and the patterns it depicts – pretty much anything can be known about you which helps companies market to you, but it also helps people find you and know what you are thinking and who you are associating with. If a foreign intelligence agent asked you 5% of this kind of data you’d be down to the SSO’s office to report a foreign intelligence collection operation in US soil.
Now, you are broadcasting all that highly personal and valuable data to anyone who wants to look. And if you think Facebook privacy settings are going to protect you, then… well, enjoy the ride.

How to delete your Facebook account. As noted above, you actually can’t do this. The best thing you can do is the following:  Go back through all of the sub-headings that list your preferences and delete them one-by-one. This applies to any data or pictures you want removed. It will take a long time and be tedious. But at least at that point you have some control over content. FB keeps the original but this way you minimize what can be discovered if the account is hacked and just maybe FB’s record is minimized. Then, go to “delete this account”, it will explain that the best it can do for you is turn it off the web but it does not delete the files and you can go back and reactivate at any time.

Before you do this, however, send out a note to all your FB connections advising them that you are deleting your account and that you are NOT UNFRIENDING them. Account deletion can appear to friends as unfriending, leading to awkward conversations, or worse, no conversations and the appearance of a major social slight when none was intended. Put that message up once a week for a month so your key friends catch it… then follow the steps above.

5.      Google. Yep, them too, and not just their social media efforts. Let’s just start with Gmail and YouTube. One of the many dorty little secrets of The Five as the companies that run the world are known, is they are surveilling you all the time. Have you ever wondered why the ads you get seem targeted to your interest in skiing? Because they scan your emails looking for key words that can be used to market products to you. Likewise, all your YouTube searches – like all of your Google searches –are logged with the company. In the past the FBI and CIA got into a lot of trouble for warrantless searches of people’s library borrowing habits – check out the Church Commission that followed some major espionage leaks, not of foreign threats but Uncle Sam monitoring citizens. You can delete search histories from your browser, along with cookies, do you honestly think that will do anything other than make you feel secure? They already have the data, you are just deleting your record of it, not theirs! (Still, it’s worth doing, BTW).

The Fix: as with Facebook, manually delete everything, then delete the account. This is possible with Gmail and YouTube. BUT FIRST, there are some steps you need to make. First, you need to move your emails from the Google servers onto your own hard drive(and/or cloud – more about the cloud below). The smartest way is a hard drive first and then the cloud – again, more below. There are a number if apps that will move all your emails in their folders from the Gmail system onto a hard drive of your own, so you have a complete record (assuming you need to keep the receipt from the Apple store where you just bought a new laptop for $2k, for example). Then Gmail has a global delete function – it save you going file to file and page to page. You can delete it all in one step. THEN make sure you empty the trash! Make sure SENT mails are collected and deleted too. Once you are satisfied that the complete record has been erased, then shut down the account.

The Cloud. Yes, both the company offering the cloud and the government can access search, harvest and sell all that data too. Google Drive, Dropbox, etc. There are cases in the courts right now where the government is forcing US cloud companies to divulge data that is not even resident on US cloud servers. All US providers use cloud servers here and overseas, Because the law never imagined needing to access an American safe in Ireland, there is no law covering accessing a US cyber safe in Ireland. MI anticipates the courts will force US cloud service providers to cough up data regardless if where it rests. Certainly US LE and the courts seem to have no regard for the domestic laws of the countries in which those servers reside (unless they are forced to, see below). Thus if you use an American cloud you are wide open.

This issue goes to the heart of the Apple v FBI situation following San Bernardino. Apple feared losing customers id the public saw them roll over to the FBI. So they took a stand (after years if secret collusion – the exposure of which embarrassed The Five – see the Snowden issue). Just to note, this impacts all The Five, not just Apple. MI welcomes the stance they have taken post-Snowden and acknowledges it’s in their economic best interests to protect the masses over the occasional bad actor who might benefit from their services (more about the crime argument below).

The Fix: back up all of your cloud files to a hard drive in your possession. This is good practice anyway. Then encrypt that drive.

Find a foreign end-to-end encrypted cloud service. Preferably this will be in a country that has strong privacy laws (any EU country has much stronger laws than the US, and some have even more stringent requirements than those mandated by the EU, such as Switzerland). Alternatively, a cloud service in a country that is not beholden to US pressure. The key is being in a non-US jurisdiction, one that has strong privacy rules, and the use of end-to-end encryption - which means that the content of the data is invisible except on the sending and receiving computers.

6.      Opening a new email account. Follow the same principles as the cloud – foreign jurisdiction, foreign company providing the service, and end-to-end encryption. Open at least 2 accounts. One for your private conversations with friends and colleagues and one for Administration. MI recommends also opening one for low impact activity like TV online accounts and newspapers and the like. Things that if you lost them would not matter to you.

You’ll be amazed at the sudden death of junk mail and ads and all the rubbish that comes with American ‘service’ providers, which should be more accurately, described as personal data wholesalers. MI hates to appear to be critical of American firms, but in fairness, they have gotten us into this situation. You are truly on your own when it comes to privacy and security. Most national security professionals know this (MIs key demographic) but it’s important to be reminded, especially when long term deep maintenance of one’s electronic fingerprint and indeed footprint takes so much work. We get that. But you owe it to yourself, your kids, and even the country to protect your data. With the politicization of national security staff these days and all the investigations, you don’t have to be a bad actor to get swept up in all if this and for CNN to run your tweets or texts to your girlfriend as headlines, to decide some protection is not a bad idea.

7.      Extended Security Questions and Dual Factor Authentication. When you change locations (either physically or via a VPN) most email companies, banks, etc. will ask for additional security questions to verify the right person is accessing the account. MI suggests using a bank of standard ‘answers’ that are mini passwords– they are not actual answers to ‘who was your childhood friend’ they are Password Gatekeeper generated (and remembered) strings  that you can use in this circumstance. So that when you are asked ‘who was your childhood friend’ the answer is not Fred, it’s ‘*nYss₵43$’.

Dual factor authentication particularly using cell phones can be hacked, it turns out. The bad guys can run off with the phone or cyber into it. Look for work-arounds. Password gatekeepers alone are best, a high end thumb drive is an alternate to consider based on your needs.

8.      Messenger Services. IMing is becoming more popular than emails. The state of the art for privacy right now is Signal. It’s end-to-end encrypted, and can be set to auto-delete chats after a period of time. But look out – one of the Five will try to buy it for billions in order to access the data. That’s why Facebook paid ca 15 billion for Whatsapp – Facebook’s engineers can build an IM platform in their sleep. They wanted the data, the identities, the patterns – the key to the money.

9.      Virtual Private Networks – VPNs. Get one, set it on a high-privacy foreign jurisdiction (see above discussion about the cloud/email) and use it religiously. A VPN hides your IP address. It also places all your digital activity inside the high-privacy jurisdiction of the country you choose. Each time you log-in to a VPN you can pick which country you will appear to be operating out of. MI recommends moving that location to other safe locations periodically. VPNs are available for both fixed and mobile platforms.

10.   Alexa and the other women in your life. Don’t let them into your home! Get off your ass and turn off the light yourself. Sheesh. Alexa and Siri and the girls are always listening and sending back all your requests to the mothership. Alexa has already been taken to court, or the recordings made passively (ie., not following a command to take action) during a murder. If you do not intend to say “Alexa give The Five all the conversations between me and my spouse and between us and our kids and between us and anyone on the phone who calls us etc. etc.etc.” then as delightful and ‘helpful’ as these wonderful ladies are, don’t let them into your abode – your castle. In 1984 the TV on the wall of your house was the interface for Big Brother – now you bring BB into your home on your cell phone, laptop, and increasingly on anything that can transmit… same goes for wherever you go…you Re taking a complete suite of surveillance tools with you, which you then turn against yourself 24/7. Not smart, people.

11.   Crossing Borders. The fix: Get a burner and don’t register it under your name! Or use your own phone and completely wipe it – before crossing any border. If America is forcing you to give up your log-ins, just imagine what China is up to! First, back it up to your new foreign cloud, then wipe it by choosing to reinstall the system software. Some shadow data will survive but a routine border check will not go that far. Then, once on the other side, use a secure connection and VPN to upload the phone from the cloud. It’s best to delete all texts, IMs, and conversations from all apps as well.

12.   Physical Mail Security. Get a UPS store account for all your physical mail. Your mail box at home is a sitting duck, filled with personal information and is completely open for anyone to access. Such access is a federal crime but proving someone stole your credit card statement from your mailbox might be hard. Avoid it by getting a street address based alternate mailbox. Sadly, USPS does not do street addresses, thus conceding the territory to UPS and others (no wonder they can’t compete). UPS can then forward on your mail or you can collect on your way home. Happy in the knowledge that it is secure and monitored by a human being and under considerable lock and key after hours. Remember in hacking, social engineering is often the easiest way in – mailbox jumping is old school and works just fine. Further point on mail. Given the legalities, if you need to send something really secure, consider the post.

13.   Cyber Hygiene Best Practices. Keep system software updated, Use anti-virus [just not Kapersky (Google it and DHS)] – and turn off geo-location on all hardware and software. This will make GPS maps useless – just consider cost/benefit for your situation. Again, a burner smart phone might be a solution.  Small cloth ‘Faraday Cages’ are a super convenient way to stop the phone transmitting your locations. No need to take out the battery and SIMs etc…just turn it off and slip it into the soft cover – if it’s on, it will drain the battery looking for a signal.


MI hopes you and those special to you enjoy this Christmas present from us. Here’s to a safe, secure, private and prosperous 2018.

No comments:

Post a Comment

The Real Coup Plot Is Trump’s

MI has not posted other content before. However, the essay linked below explains what MI refers to as 'American Self-Propagandizing'...