My Ultra-Private iPod Phone 4

At this point in the process, the iPod has been initially set up, and the settings modified to make it as organically secure as possible.  At this point it is necessary to fund the iTunes account.  Even if you only plan to use free applications, the account must be funded before you can download apps.  The smallest denomination gift card you can purchase is $10 (I was unable to find anything below $15).

My Ultra-Private iPod Phone 3

Yesterday’s post covered the initial device setup for my Private iPod Phone.  Today’s post will go through the settings that impact privacy and security.  The goal of these settings is to make the device as inherently hardened as possible.  These changes are designed to lower the footprint of the iPod by limiting the amount of information it transmits, making it less trackable, and generally less “noisy”.  These are all important factors to me when creating my ultra-private iPod phone.  Many of these settings can also be applied to your iPhone.

My Ultra-Private iPod Phone 2

Welcome back to Part 2 of my attempt to create a private and secure iPod phone!  When I started this series I thought it would consist of three parts: procurement, setup, and use.  Setup took far more time than I expected, however, so I am going to cover this stage of the process somewhat more slowly.  One of the reasons I wanted to do this experiment was to see what roadblocks I might run into.  True to form, I ran into a couple of problems right off the bat.  This post will cover setting up the iPod phone initially, and modifying basic settings for privacy and security.

My Ultra-Private iPod Phone 1

Some time ago I read an amazingly good article on using an iPod Touch as a secure/private phone.  I love the idea, and I have thought about it for quite a while.  An iPod Touch is remarkably similar to an iPhone, but potentially far more private and secure.  Recently I decided to try it for myself and see how easy (or hard) it would be to set up.  I also had unanswered questions about its actual use.  Part 1 of this article will cover device procurement and the lengths I went to for anonymity’s sake.  Parts 2, 3, and 4 will cover setup, and Part 5 will cover actually using my new, ultra-secure and private iPod phone.

How-To: Tor Browser Bundle

My last post covered threat modeling the Tor Network.  While I have a very nuanced opinion of Tor, I do think it is ideal for certain use cases.  Unless contraindicated .  Using Tor is not difficult, but there are some potential pitfalls to be aware of.  This post will cover how to use the Tor Browser Bundle.

Download and Install the Tor Browser

The first step is to download the Tor Browser from https://torproject.org.  Before you install it you should verify the integrity of the file. The Tor Project has an excellent tutorial on how to do this here.  Additionally, I will begin to post checksums for the Tor Browser this month.  After you have verified the file, install it.  If you use a Mac, double-click the .dmg and drag the icon into your Applications folder.  A few more steps are required if you use Windows, but setup is not difficult.  Instructions are available here.
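
The integrity check from this step, as an added example (not code from the original post or from the Tor Project): it parses a `sha256sum`-style checksum list and compares a download's SHA-256 against the listed value. The file names and sample bytes are constructed, and the result is only as trustworthy as the source of the checksum list itself.

```python
import hashlib
import hmac
import os
import re
import tempfile

LINE = re.compile(r"([0-9A-Fa-f]{64}) [ *](.+)")

def parse_checksum_list(text):
    """Parse sha256sum lines ('<64 hex>  <name>' or '<64 hex> *<name>')."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE.fullmatch(line.rstrip())
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch' or 'not-listed' for the file at path."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"  # a missing entry is never a pass
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    good = b"constructed sample installer bytes\n"  # constructed sample data
    published = f"{hashlib.sha256(good).hexdigest()}  sample-browser.dmg\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-browser.dmg")
        with open(path, "wb") as f:
            f.write(good)
        intact = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a corrupted or altered download
        altered = verify_download(path, published)
        unlisted = verify_download(os.path.join(d, "unlisted.dmg"), published)
    return intact, altered, unlisted

print(demo())
```
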

Begin Browsing with Tor

You are now ready to begin browsing.  Double-click the Tor icon.  Tor will ask you to choose between “Connect” and “Configure”.  For the vast majority of use-cases connecting directly is your best option.  The “Configure” option gives you the ability to use a bridge or proxy.  Using a bridge or proxy may be necessary if you are in a country or on a network that blocks Tor traffic.  Configuring a bridge or proxy is fairly intuitive, should you need to do so.

When you connect to the Tor network, your request is first routed to a directory server.  This server will create your custom “circuit”, the network of three nodes through which your traffic will be routed.  When your connection is established, the Tor browser will open automatically.  You are now ready to browse through the Tor network.  The Tor Browser is a modified version of Firefox.  Browsing with Tor is superficially no different than browsing with Firefox with one or two exceptions.

Using Tor-Specific Features

Clicking the Onion button opens some options not available in Firefox.  It also displays your Tor circuit and allows you to change the following options:

  • New Identity:  This closes all open tabs and discards any browsing data, like cookies.  A new, clean instance of the browser is then opened.  I do not recommend this
  • New Tor Circuit for this Site:  This feature builds a new circuit for the tab that is currently open.
  • Privacy and Security Settings:  See below.
  • Tor Network Settings:  Allows you to configure bridges and/or proxies if needed.
  • Check Tor Browser for Updates:  Always keep your browser up-to-date.  I recommend checking each time you open Tor because updates are frequently released.

Privacy and Security Settings:  Click this to open an additional dialogue.  The privacy portion has four radio buttons.  Leave all of these checked.  The security dialogue contains a slider and allows you to choose a desired level of security (low, medium-low, medium-high, high). These settings correlate roughly to threat models.  The higher your threat model, the higher a level of security you should choose.  I believe you should always use “high”.  It is less convenient and requires a working knowledge of NoScript, but if you are going to use Tor you should use it to its full potential.  On the other hand, ease-of-use may convince more people to use it overall.

Potential Problems with Tor

Tor is imperfect for everyday use.  There are reasons it is not incredibly common.  Among them: the Tor Network is slow.  Traffic is routed through multiple servers, usually in multiple countries.  This inevitably slows your traffic.  Additionally, your traffic is slowed at least to the speed of the slowest server in your circuit.  You will also be forced to solve captchas to visit or log in to some websites, and encounter other minor inconveniences. You will also encounter security issues when using the Tor Browser.  I addressed some of these in my last post.  My next post will address one of them specifically: exit node security through HTTPS.

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

Tor Threat Models

The Tor Browser Bundle is a terrific security tool.  Tor is a decentralized anonymization network. To use it you need a specific internet browser, and it allows you to be as close to anonymous as one can be on the internet.  It also strongly encrypts your traffic, and best of all, it is free.  Readers have asked my opinion on Tor, and why I have not written about it.  There are some potential downsides to using Tor.  As a result, I have very mixed, very nuanced feelings about using it.  Before jumping into and using this tool you should take some time to consider these Tor threat models.  Though I typically analyze variations of the tool itself, my Tor threat models are in relation to use cases and user profiles rather than the tool.

Social Engineer Podcast Interview

My co-author, Michael Bazzell, and I were recently interviewed on the Social Engineer podcast. Michael and I discussed topics from our recently released book, The Complete Privacy and Security Desk Reference, and how these techniques could help defeat social engineers. The podcast was a lot of fun, and it was pretty awesome to be invited as a guest.  If you don’t listen to the SE podcast, you should check it out. The podcast deals with human security and covers a broad range of “human” security topics.

You can find our episode at http://www.social-engineer.org/podcast/ep-082-hide-seek-michael-justin/.  If you listen, be sure to let me know what you liked – or didn’t like.

Thanks!

Justin

Usernames as a Security Measure

I was recently a guest alongside my co-author, Michael Bazzell, on the Social-Engineer podcast (the episode will be available tomorrow).  We discussed social engineering for security and privacy reasons.  Since being on the show I have thought more about social engineering than at any time since I attended Chris Hadnagy’s SE course back in 2013. One realization I’ve had is that social engineering attacks commonly begin with a starting point.  An email address to which the attacker can send phishing emails.  A phone number she can use to hack your cell account.  A username she can use to call customer service and request access.  Along this line of thought, it has also occurred to me that it is never a bad time to restress the importance of usernames as a security measure.

Cloud Storage Threat Models

It is likely that readers of this blog know where I stand on cloud storage.  I have been fairly outspoken against the practice of storing personal data in the cloud.  Unfortunately, I realize this may be an untenable solution for many who desire – or even require – the ability to use and access cloud storage.  Even I had a personal experience recently that made me re-think the utility of cloud storage.  Cloud storage does offer the benefit of being a strong hedge against data loss.  Losing data can be crippling for an individual, and even more so to a small business.  With these factors in mind (and at the request of a reader) I have taken a look at some cloud providers and developed some cloud storage threat models.

Identity Theft & Data Breach Response

Data breaches occur with shocking regularity.  The news is full of reports of data being spilled by companies and individuals being targeted for identity theft.  Few of these stories contain much useful information on appropriate data breach response, however.  Once your information has been spilled it is impossible to fully recover it.  However, there are some meaningful data breach response steps you can take if you do fall victim to this type of crime.

  1. Contact your financial institutions immediately. If you think your financial information has been compromised this should be your first step.  Call your bank or credit card issuer and alert them to the problem.  Frequently your bank will contact you if suspicious activity occurs, but if you know something they don’t, don’t wait!  Request to cancel your credit and debit card numbers and be issued new ones.  Use new PINs on these cards, and ask the bank to flag your account for suspicious activity.
  2. Contact the credit reporting bureaus.  If you do not have a credit freeze in place and the breach involves financial information, you should immediately contact Equifax, Experian, and TransUnion. Some online resources advise placing a fraud alert on your account at this point; I recommend a credit freeze (see below).
  3. Change your login information.  If you suspect an online account has been breached you should immediately change its password and, if possible, username.  If the account does not already have two-factor authentication enabled, enable it.  In addition, you should also change the login credentials for any accounts associated with the breach account.
  4. Contact local law enforcement and file a report.  I will be honest – your local law enforcement agency probably isn’t going to open an investigation and bring the perpetrator to justice, so be prepared for that.  What they will do is generate a police report for you.  This serves as proof that you were the victim of identity theft.  This can help you recover your credit later if the need should arise.  It can also assure that you get free credit freezes for life (see below).  It may also be useful if you attempt to opt out of public and non-public databases as Michael and I recommend in The Complete Privacy and Security Desk Reference.

Of course, the best spillage, identity theft, or data breach response is preemptive (the best defense is, after all, a good offense).  There are several steps you can take to make yourself more resilient against identity theft.  The time to act is now – once your information is online you will never completely erase it.  I am a strong advocate for dealing with the problem before it is a problem!

  1. Use strong authentication for online accounts.  Use strong passwords and two-factor authentication on all of your online accounts.  Though this isn’t a guarantee that your accounts are safe, you are unlikely to fall into the “victim of opportunity” category.
  2. Use unique usernames.  Though this could fall under the above category, I am listing it discretely because I think it protects you where strong passwords and two-factor authentication do not: customer service reps.  If an attacker knows your username, he or she can often convince a customer service rep to give out sensitive information.  Using a unique username gives you a great layer of protection against this type of attack.
  3. Have a credit freeze in place.  A credit freeze with each of the credit reporting agencies (Experian, Equifax, and TransUnion) is the strongest measure you can take to ensure new credit is not issued in your name.  Credit freezes also protect your personal information and credit report.  A credit freeze will not protect your current accounts and lines of credit, however.
  4. Use one-time credit card numbers.  Some credit card issuers offer this option organically.  A one-time credit card number is only good for one purchase.  If a hacker recovers it, it will no longer be valid and cannot make a charge to your account.  If your bank does not offer this, an online service that I recommend called Blur does.
  5. Limit personal information that is publicly available.  Large amounts of personal information make you vulnerable to social engineers.  This information can be pieced together to allow someone to impersonate you in order to gain access to your financial or online accounts.  I recommend minimizing the information you place in the public domain on social media, personal blogs, etc.  If a great deal of information is available about you, remove it!  More information is available in The Complete Privacy and Security Desk Reference which will be publicly available soon.