title: ‘Secure Your Identity’ slug: secure_your_identity
We all perform many actions online on a daily basis which increases the amount of data we leave behind that can be used against us. Securing your identity means being aware of the locations your data lives, being aware of the data’s vulnerabilities, and learning how you can begin to implement some very simple changes to ensure your identity remains protected. Here are some great tips, let’s get started.
Good Passphrases are the Best Defense!
A “passphrase” is a long phrase used as a password, which is stronger than a single-word password. The increased length allows for a far greater number of possibilities, and a passphrase made of randomly chosen words can be both easy to remember and hard for someone else to guess, which is what we want.
Computers are now fast enough to quickly guess passwords shorter than ten or so characters, and sometimes quite a few more. That means short passwords of any kind, even totally random ones like nQ\m=8*x, or !s7e&nUY, or gaG5^bG, may be too weak, especially for settings where an attacker is able to quickly try an unlimited number of guesses. This is not necessarily true for an online account, where the speed and quantity of guesses will be limited, but it could be true in other cases (for instance, if someone gets ahold of your device and is trying to crack its encryption password).[1]
To learn how to make a good passphrase we are going to follow the wonderfully easy workflow set up by our friends at the Electronic Frontier Foundation:
Step 1: Roll five dice all at once. Note the faces that come up without looking at the wordlist yet.
(On our dice, the EFF logo is equivalent to rolling a one.)
Step 2: Your results might look like this reading left to right: 4, 3, 4, 6, 3. Write those numbers down.
Step 3: Open EFF's Long Wordlist [.txt] to find the corresponding word next to 43463.
Step 4: You will find the word “panoramic.” This is the first word in your passphrase, so write it down.
Step 5: Repeat steps 1–4 five more times to come up with a total of SIX words.
When you are done, your passphrase may look something like this:
panoramic nectar precut smith banana handclap
Step 6: Come up with your own mnemonic to remember your phrase. It might be a story, scenario, or sentence that you will be able to remember and that can remind you of the particular words you chose, in order. For example:
The panoramic view, as I tasted the nectar of a precut granny smith apple and banana, deserved a handclap.
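The six-step procedure above, implemented as an added example (not code from the original page or from the EFF). The wordlist text embedded here is a constructed three-line stand-in for the EFF long list, which has 7,776 entries, one per five-dice outcome; a real run would parse the EFF file with the same `parse_eff_wordlist` helper. Dice are rolled with Python's `secrets` module, which draws from the operating system's cryptographic random source, and the entropy helpers show why six random words beat the short random passwords mentioned earlier.

```python
import math
import secrets

# Constructed stand-in for the EFF long wordlist (real list: 7,776 lines, 'KEY<tab>word').
# Only three entries are shown; load the real file into parse_eff_wordlist() the same way.
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
43463\tpanoramic
"""

FULL_LIST_SIZE = 7776  # 6**5 possible five-dice outcomes


def parse_eff_wordlist(text):
    """Parse 'KEY<tab>word' lines into {key: word}, skipping anything malformed."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    return table


def roll_dice(count=5):
    """Step 1: roll fair dice with the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def dice_key(rolls):
    """Step 2-3: rolls read left to right, e.g. [4, 3, 4, 6, 3], become the key '43463'."""
    return "".join(str(r) for r in rolls)


def passphrase_entropy_bits(num_words, list_size=FULL_LIST_SIZE):
    """Entropy of num_words words drawn uniformly from list_size choices."""
    return num_words * math.log2(list_size)


def random_password_entropy_bits(length, alphabet_size=94):
    """Entropy of a random string over an alphabet (94 = printable ASCII minus space)."""
    return length * math.log2(alphabet_size)


def make_passphrase(wordlist, num_words=6):
    """Steps 1-5: roll, look up, repeat until num_words words are chosen.

    A key missing from a partial table is simply rerolled; with the full EFF
    list every key exists, so no reroll ever happens there.
    """
    words = []
    while len(words) < num_words:
        word = wordlist.get(dice_key(roll_dice()))
        if word is not None:
            words.append(word)
    return " ".join(words)


if __name__ == "__main__":
    table = parse_eff_wordlist(SAMPLE_WORDLIST_TEXT)
    print(dice_key([4, 3, 4, 6, 3]), "->", table["43463"])
    print("six diceware words:", round(passphrase_entropy_bits(6), 1), "bits")
    print("7 random printable chars:", round(random_password_entropy_bits(7), 1), "bits")
    print(make_passphrase(table))
```

With the real list, six words give about 77.5 bits of entropy, versus roughly 46 bits for a seven-character random string such as gaG5^bG, which is the gap the text describes.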
Once you have made your passphrase please make sure of the following:
KEEP IT SECRET Do not share your passphrase with anyone unless it is absolutely necessary. And, if you must share a passphrase with a friend, family member or colleague, you should change it to a temporary passphrase first, share that one, then change it back when they are done using it. Often, there are alternatives to sharing a passphrase such as creating a separate account for each individual who needs access.
MAKE IT UNIQUE Avoid using the same passphrase for more than one account. That way, if one passphrase is compromised, hackers won’t be able to exploit the rest of your accounts because you used one password for all of your online services. A good way to keep track of many unique and complex passwords is to use a password manager like KeePassX, LastPass or 1Password.
KEEP IT FRESH Change your passphrase on a regular basis, preferably at least once every three to six months based on your risk assessment. Some people get quite attached to a particular passphrase and never change it. This is a bad idea. The longer you keep one password, the more opportunity others have to figure it out. Also, if someone is able to use your stolen password to access your information and services without you knowing about it, they will continue to do so until you change the password.[2]
These days we have accounts with a lot of companies: email, social media, online banking and so on. One of the most important things you can do is not use one password for all accounts but generate a different password for each of your individual accounts.
NOW, YOU MIGHT BE SAYING WHHAA???????
But hear us out. This is actually a good thing. After all, your bank information is likely linked to many of your accounts, as well as your purchase history, media browsing habits, and a slew of other private information that you’d prefer to keep protected. But if you’re the kind of person who constantly forgets and resets passwords and usernames, or worse, recycles the same password you’ve been using for the past seven years, it’s time for a password management tool. If a hacker discovers your password on a leaked list they can then use it to access every tool in your life!
Passphrase managers actually become invaluable once you take the first step: they are an incredibly powerful improvement to your security, while also being very usable.
Passphrase managers store all your passwords, generate strong ones for you, and in general, the only password you have to remember is the one to open your password manager. So, make it a strong one.[3]
LastPass saves your passwords and gives you secure access from every computer and mobile device. You only have to remember one password: your LastPass master password. Save all your usernames and passwords to LastPass, and it will automatically log in to your sites and sync your passwords everywhere you need them.
The benefit of LastPass is that it is super easy to use across all your platforms. The problem is that its ease of use comes with the caveat that LastPass is a corporation and your information is in their cloud. So balance its ease against your vulnerability and make your decision about using it based on that. In general LastPass is better than no password manager, so please consider it.[4]
KeePassX Password Safe is another free, open source, lightweight, and easy-to-use password manager for Windows, Linux, and Mac OS X, with ports for Android, iPhone/iPad and other mobile devices. You can download it for PCs or Macs here.
The benefits of KeePassX are that it is open source and is part of a constellation of applications built by developers to support software independence. The challenges with KeePassX are that the interface is confusing for beginners and there is no easy way to sync KeePassX between your phone and your computer. That said, if you are willing to do a little work, KeePassX can be one of the safest and most important autonomously implemented password management solutions you could use.[5]
Like other password managers, 1Password enables you to sync your passwords across all of your devices using the same password vault. It is available for iOS, macOS, Android, and Windows.
When you first download the app from the App Store, you have to create an account. Same situation: one password unlocks all of your other passwords. It’s all you need to unlock your confidential world on both desktop and mobile. So make it good, and don’t forget it.
That will bring you into a dashboard where all your login information is stored. Here you can view and manage all the current user names and passwords you’ve saved.
The secret to easily managing logins is the browser extension. You can get one for Chrome, Safari, Firefox or Opera.
Every time you’re on a website where you need to input login information, you click this handy extension and tell it to fill in the information for you. The extension knows what site you’re on and automatically fills in the blank fields.
The extension is also a hub for your whole password experience. In the drop down that opens, you can copy and paste passwords, view login information, and make complicated and hard-to-guess new passwords for all the sites you use.
Now there is no need to remember any passwords, just the one that gets you into the 1Password app.
The 1Password app has its own built-in browser that can take advantage of saved passwords, credit card information and more, but with the addition of Extensions in iOS 8, MobileSafari can use this information as well.
Apps also exist for Android that work similarly. We recommend you sync your data across devices only over a secure Wi-Fi network.[6]
Google’s Gmail is one of the most used web email apps in the world. This section explains how to secure Gmail and how to tell whether you are currently vulnerable. First, let’s see whether your account has already been compromised.
Check that your recovery phone number and email address are accurate and up to date. They will be useful if you lose your password and access to your account, or if suspicious activity is detected on your account and Google wants to alert you.
Now, back on your account page, you can also perform a Privacy Checkup.
Google can collect information on you to send you “personalized ads”. This means that you may get ads that relate to your recent emails. For example, if you wrote to your mom about difficulties you were having with your health, Google may start showing you ads for relevant pharmaceuticals. We strongly recommend you turn this service off and protect your daily information.
We recommend you get an IBA Opt Out extension for Google Chrome. This tells Google that you have opted out of being tracked for ads throughout your browsing.
Because passwords can be phished, guessed, cracked, or acquired in other ways (like keyloggers), you may want to consider adding another barrier to your accounts through two-factor authentication.
2FA, as it’s commonly abbreviated, adds an extra step to your basic log-in procedure. On your frequently visited accounts you typically enter your username and password once, and then you’re done. This is a single factor of authentication. When you enable 2FA, the service asks for a second factor in addition to your password. That second factor can be a code or even a physical dongle connected to your device.
A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it. Requiring both elements makes it more difficult for someone to access the user’s bank account, because they would have to have the physical item in their possession and also know the PIN.
Almost all online accounts and platforms now offer two-factor authentication. You can learn more and gradually implement 2FA by going to https://www.turnon2fa.com. You’ll find tutorials for almost every platform you can think of and some you would even be surprised by. In either case you can never go wrong with 2FA, so add it when you can!
Most people have only one thing, their password, protecting their account. With 2-Step Verification, if someone hacks your password, they will still need your phone or Security Key to get in.
If turned on, signing in to your account will work a little differently:
Google will ask for your phone number so it can send you verification codes. Once you enter the phone number, you will receive a text with the secret code.
That’s it! Your 2FA has been set up!
If you set up 2-Step Verification using SMS text message or voice call and also want to be able to generate codes on an Android, iPhone, or Blackberry, you can use the Google Authenticator app to get codes even if you don’t have an Internet connection or mobile service. Go to this link to set it up.
<div class="well none" style="border-radius:0">
<span class="warn-icon"><i class="fa fa-exclamation-triangle" ></i></span> <span class="warn-highlight">WARNING: </span><span class="warn-text" markdown="1">2FA can really protect your account from being hacked or stolen, but bear in mind that setting up 2FA requires that you provide personal information, like your phone number, other email addresses, etc., that will make these accounts increasingly traceable to you. In addition, many users find 2FA cumbersome because every time they log in, it's a 2-step process. All factors considered, it is up to you to make the best decision on 2FA based on your situation and your needs.</span>
</div>
</div>
When an attacker sends an email or link that looks innocent but is actually malicious, it’s called phishing. Phishing attacks are a common way that users get infected with malware (“malicious software”): programs that hide on your computer and can be used to remotely control it, steal information, or spy on you.
The vast majority of malware is criminal, aimed at obtaining banking information or login credentials for email or social media accounts. But malware is also used by state actors. State intelligence agencies use malware, such as Flame and Stuxnet, to carry out covert actions against other states’ computer systems. States and state-supporting actors also use malware to spy on activists, journalists, and dissidents.
Signs that a message may be a phishing attempt:
- The message contains a mismatched URL, or a misleading domain name.[8]
- The message is coming from your friend, but doesn’t sound like your friend.
- The message asks for personal information like banking information.
- You are asked to send money to cover expenses.
The best way to protect yourself from phishing attacks is to never click on any links or open any attachments sent to your email, but this is unrealistic for most people. So here are some ways to deal.
Be alert. If something about a website or message doesn’t feel right to you, it may not be:
- Check with the friend/family member/bank/organization, over the phone or another channel, to see if they actually did send you the files.
- If you frequently have to send and receive files for work, consider sharing them through services like Google Drive or Dropbox rather than as email attachments.
Antivirus software is a program that helps protect your computer against most viruses, malware, worms, Trojan horses, and other unwanted invaders that can make your computer “sick” by performing malicious acts, such as deleting files, accessing personal data, or using your computer to attack other computers. We recommend that you use antivirus software on your computer and on your messages. Note that installed software will not be useful if you do not update it regularly! Updates keep the antivirus on the lookout for the latest types of threats online.
We recommend Malwarebytes Anti-Malware, Kaspersky Lab and Sophos security products, along with Windows Defender. These platforms are popular and widely used, which keeps them effective and more up to date than others.
TIPS: Another useful tool to know about is VirusTotal, a free online service that analyzes files and URLs to identify viruses and other kinds of malicious content detected by antivirus engines and website scanners. Any user can select a file from their PC or email using their browser and send it to VirusTotal. However, it is important to note that VirusTotal is not a substitute for installed antivirus/security software, since it only scans individual files/URLs on demand.
SO AGAIN: NEVER OPEN ATTACHMENTS DIRECTLY. ALWAYS OPEN THEM IN GOOGLE DRIVE, OR DOWNLOAD AND THEN SCAN THEM IN VIRUSTOTAL.
Every day in the news, we hear about big corporations or websites getting hacked and having to deliver the bad news to their users that their personal information has been stolen by hackers. These data breaches can include your name, passwords, government ID number, email address, date of birth, mother’s maiden name, or any other piece of data you hand over to a website. Data from these breaches is posted on the Internet for hackers of all types to see. These data leaks are often the source of bigger political hacks that can compromise movements.
One way to check when and where your data has been compromised is http://haveibeenpwned.com, a service that catalogs data breaches as well as pastes (a type of publishing often used by tech nerds and hackers). Be sure to change your passwords on the affected sites if you come up in a search.
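An added example, not code from the original page or from the Have I Been Pwned project, of how a password can be checked against a breach corpus without sending the password itself. The service's Pwned Passwords range endpoint (assumed here to be `https://api.pwnedpasswords.com/range/<prefix>`, returning `SUFFIX:COUNT` lines) accepts only the first five hex characters of the password's SHA-1, so the server learns nothing that identifies your password; the client does the final match locally. To keep the example runnable offline, `offline_fetch` returns a constructed response whose counts are made up; swap in `fetch_range` to query the real service.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # assumed k-anonymity endpoint


def split_hash(password):
    """SHA-1 the password; the 5-char prefix is all that is sent, the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are ignored."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix):
    """Real network call; only the 5-character prefix ever leaves the machine."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Number of times the password appears in the corpus; 0 means it was not seen."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed offline stand-in for a range response; the counts are invented.
# The first suffix is the real SHA-1 tail of the string "password".
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
01D1BAC4D0A5B1C3C4A6BE4E1F8B60EC4B7:10
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range so this example runs without network access."""
    assert len(prefix) == 5
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    print("sent prefix / kept suffix:", split_hash("password"))
    print("'password' seen", breach_count("password", fetch=offline_fetch), "times (constructed)")
```

A password that comes back with a non-zero count is on attackers' wordlists regardless of how clever it looks, which is the same lesson as the breach search: change it everywhere it was used.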
It is important to know where your personal data is online. By searching for your information on the sites we have collected below, you can find and clear your presence on public data lists.
This can be crucial when trolls, stalkers, and worse try to bully our folks for speaking out. A common strategy they use is doxxing: your personal information, including addresses, phone numbers, work information and family members, is exposed on public platforms, opening you up to physical harassment and intimidation offline.
We want to stop tactics that might open you and your loved ones up to attacks. Limiting data is a crucial harm reduction strategy in a time when we are increasingly being seen as the target.
Please check yourself out and begin your data reduction journey with a visit to these sites:
Spokeo (to remove listing: http://www.spokeo.com/opt_out/new)
Anywho.com (to remove listing: http://www.anywho.com/help/privacy)
INTELIUS (to remove listing: https://www.intelius.com/optout.php)
Whitepages (to remove listing: https://support.whitepages.com/hc/en-us/articles/203263794-Remove-my-listing-from-Whitepages-)
Finally, there is a more comprehensive list at Trollbusters at this link https://yoursosteam.wordpress.com/2015/08/30/remove-your-mailing-address-from-data-broker-sites/
1. https://securityinabox.org/en/guide/passwords & https://www.eff.org/dice
2. https://securityinabox.org/en/lgbti-mena/passwords
3. http://lifehacker.com/5529133/five-best-password-managers
4. https://lastpass.com/how-it-works/
5. https://www.keepassx.org
6. https://1password.com/
7. http://gizmodo.com/its-time-to-enable-two-step-authentication-on-everythin-1646242605 & http://searchsecurity.techtarget.com/definition/two-factor-authentication
8. https://ssd.eff.org/en/module/how-avoid-phishing-attacks & https://www.eff.org/issues/state-sponsored-malware