z3r0id@daniel-bryan.com

Reducing Your Personal Attack Surface

Daniel Bryan Security

Reducing Your Personal Attack Surface

Reducing Your Personal Attack Surface


If the recent Marriott hack isn’t example enough, our personal data is in danger every day. Every year it becomes more and more necessary to guard our personal data ever closer. What’s more, our society today is become more desensitized to the casual sharing of close personal information without a second thought. This can be more dangerous than most know.

If you’re like me, you’re concerned about your personal data and you’d like to keep your life private. There are a number of ways to reduce your personal online attack surface, and in some ways make yourself almost invisible to the online world.

I’d like to share some of the methods you can employ every day to keep your personal life private and your data from going into the wrong hands.


1. Leave Social Media Behind

Social media, I believe, is the number one information leakage vulnerability in the vast majority of people’s online lives. To you, it’s a wonderful place to share your life with your friends and family, catch up with old friends, and share moments with people you don’t normally see. This isn’t inherently a bad thing. But to an attacker, this is a feeding ground for semi-sensitive information.

Did you know that your social security number, probably the most guarded set of digits in your life, can be guessed by an attacker? A group of researchers discovered that with fair accuracy and freely available information on the web that you put out on the internet, they can guess your highly guarded SSN. In summary, after 1988 SSNs started being assigned immediately at birth, sequentially. If an attacker can find out your name, date of birth, and place of birth, they can look at the publicly available list of the dead (which includes their SSN), find someone with the same or similar birthday, and count the numbers back or forward.

Check out this article for more.

You didn’t think your birthday was sensitive information? Well, you’re not alone.

This is one of the less obvious problems with sharing information, but other things like sharing a picture of your fresh driver’s license when you were 16, or your first paycheck at 18… both very dangerous things that some people do. Taking a selfie in a network closet, not realizing you just gave away the model of your router too…

It may be hard for some, but in the end if protecting your personal life and information is something of value to you — this is step #1.

2. Always Use A VPN

For many, using a VPN is second nature. Why? Because if you’re trying to cover your tracks on the internet, your IP address is easily tied back to you and can be tracked. If an attacker gets your WAN-side IP address (especially if it’s static) it’s like trying to get away from a stalker who has your home address. Many bad actors use a VPN to cover up suspicious activity, but it was created to be something good. For those living in strict countries such as China, a VPN or proxy is their only way to communicate with the free world.

Personally, I recommend NordVPN. It’s what I use, and it’s highly recommended by many. They have servers you can use all over the world, some even using Tor, and SOCKS5 browser extensions you can use when you can’t use a VPN exactly.

3. 1.1.1.1 For DNSsec

Believe it or not, even when you use a VPN your DNS queries go out unencrypted and can still be sniffed. The attacker won’t be able to grab any of your data in transit necessarily, but they can still see what sites you connect to. Many don’t know this, and until relatively recently there was no way to avoid this.

Cloudflare has implemented a DNSsec solution that queries DNS over HTTPS, encrypting all DNS queries and keeping your browsing even further from prying eyes. It’s as easy as changing your DNS to 1.1.1.1 or “quad one.”

Check it out on their website here.

In many cases (like my own) 1.1.1.1 is actually a lot faster than your ISPs DNS and you’ll notice the difference.

4. Secure Your Browser

Securing your browser is naturally the next step in this process. If you’re trying to limit your fingerprint in the online world, your browser is a big one. Take a quick visit to this website and see what the results are. Panopticlick will fingerprint your browser and see how unique it’s fingerprint is. If it’s unique, then everything you’ve done thus far won’t do much to stop a motivated attacker.

Here are some extensions I use to keep my browser secure and less easily recognized:

  • uBlock Origin — ad and tracker blocker
  • NoScript — blocks Javascript, which can be used by malicious sites to steal cookies and other sensitive information
  • CanvasBlocker — the way your browser renders images is unique and trackable, this eliminates that
  • HTTPS Everywhere — always looks for the secure version of a web page
  • Use Firefox’s built in ad and tracker blocker — this actually speeds up your browsing significantly since your browser isn’t dragged down by the extra ads and trackers most webpages have
  • Use Tor Browser — if you really want to cover your tracks, but using tor all the time can be slow

5. Ditch Google

If you have a gmail account, files stored on Google Drive, and an Android phone — Google has a complete outline of your entire digital life. You may know already that Google saves your search history, your browsing history if you use Chrome, and you may know they use tracking cookies nearly everywhere. But what you probably don’t know is that Google actually reads your gmail inbox as well as all the files in your Google Drive. This is so they can create better ads, so they say, but this generates more information that’s being collected on you and stored somewhere. You wouldn’t have read this far if that wasn’t a concern to you. Check out more info on this here.

If you use the Google accounts that I listed above, you may want to check out the Google My Activity page here. This is a compiled list of everything Google is collecting on you… you may want to take some time to turn all of these settings off.

DuckDuckGo is a search engine that’s becoming more popular lately. It’s an alternative to Google search that doesn’t track and doesn’t store any of your search queries. You can check them out here.

6. Consolidate And Secure Your Email

Many people today have more than one email address. Most people, after changing email addresses, leave the old account still open. This is more dangerous than most people know since your email has in the last two decades become the gateway to resetting any linked account password. Since you no longer use this old email account regularly, you probably won’t notice when an attacker starts attempting to brute force your password.

For the sake of reducing your online footprint, it’s also a very good idea to tie up all unused accounts, not just old emails. I’ll come back to more details on closing unused accounts. But for now, the general idea is to forward all your unused emails to a single email for some time and comb through incoming mail, changing account emails as necessary.

As for your new email, I recommend Protonmail, an end-to-end encrypted email solution housed in Switzerland under 1000 meters of rock. The end-to-end encryption only works between Protonmail accounts, but they also allow for easy PGP usage, self-destructing emails, and password protected emails for communicating with non-Proton emails. The free account allows for up to 500 MB of storage, but the first-tier paid account is only $5/mon. The best part of anything end-to-end encrypted is the knowledge that even if someone did steal your data from the cloud provider, or even if the provider decided to go snooping through your account, the data remains encrypted because it was encrypted from your device and stored that way.

7. No-Knowledge Cloud Storage

Cloud backups or any of the various forms of cloud storage are almost impossible to avoid using in your online life. Cloud storage isn’t necessarily a risk to your security or online identity, as long as you do it right. Since you’re already ditching Google, you’ll need to move to a new solution.

The one I personally use is SpiderOak, an end-to-end encrypted cloud storage solution. The GUI is a little rough around the edges, but in general this product is wonderful for security. As I mentioned already, end-to-end solutions encrypt the data from your device, and send it over the wire and into the cloud fully encrypted until you pull it out again and decrypt it from your device. SpiderOak does this with their client, and it also comes with a Share feature, allowing you to password protect a folder of your choosing and share it with a link.

Another great solution, which I would use if I wasn’t already using SpiderOak, is Boxcryptor. This flexible product gives you the ability to use any cloud solution in a no-knowledge (another word for end-to-end encrypted) context. The client can connect to 30+ different cloud vendors, and allows you to upload anything to the cloud end-to-end encrypted. The only catch is that the free account only allows one device and one cloud provider, but the paid account allows much, much more. You encrypt and upload, download and decrypt. It’s flexible and secure.

8. Close All Old, Unused Accounts

This step might be more easily completed if combined with step 6. Basically, if you really want to wipe away your online footprint, you’ll need to go back and close all unused accounts. Even if you become more conscious about your online information leakage, old accounts might still have relevant information for an attacker, especially old social media accounts.

If you combine this with step 6, it becomes much easier to search for old accounts. Your best tool — your spam folder. You don’t necessarily have to open the emails, just look through them for reminders about accounts you may have opened in the past that have been spewing spam at you for years.

Sometimes closing accounts isn’t easy. Sometimes you have to dig for the option or even contact support and ask them nicely to wipe everything relating to you from their database. If you can’t find the option on their website, best way to get started is to hit the search engine. “How do I close my [something] account?” Usually you’ll find a pretty straightforward answer.

9. Use Third Party Payment Vendors (Or Better Yet, Cash)

Apple Pay, Android Pay, Paypal — all actually provide a level of security you might not think about. These products don’t at all keep you from being tracked, but think about it this way — every time you pay with your credit or debit card, you risk exposing your card number to skimmers or even shoulder surfers. Using a third party payment solution protects your card number by adding another layer between the card and the payment machine. So yes, you’re giving your information to the payment vendor, but would you  rather give it to every shop you make a payment to online or in person? It’s a lesser of two evils kind of scenario.

In reality though, cash is always the best way to go. For in-person transactions, use cash, and for online transactions you could either use prepaid Visa gift cards, Bitcoin or another cryptocurrency, or you can suck it up and use a third party payment vendor. Keep in mind though, the more secure you want to be, the less convenient paying for something gets.

10. Don’t Use Your Real Name (or Email)

For those of you who even care about working your way up to this step, you’re a paranoid SOB, and I admire your schizophrenia.

From now on you’re going to need to worry about your OpSec, or your operational security. You’ve worked so hard to minimize your online exposure, so you really don’t want to move backwards. If you’re using a VPN 100% of the time, but you visit your personal Facebook account — are you really gaining any kind of privacy? The best way to keep activity from being linked back to you online is to avoid using your real name anywhere you can. You could pick a pseudonym that you’d like to stick with everywhere, or you could simply rotate names between every account. It’s your choice, but remember, the more convenient option is almost always less secure.

In addition to your name, your email address is also a giveaway if it’s public. For accounts that don’t need a permanent email beyond activation you can use 10 Minute Mail. A beautifully simple website that will host an email for exactly 10 minutes, while you create and activate a new account. Of course if you ever need to use this email again you’re basically screwed, so make sure that you won’t. Additionally, if this email is required for login (such as in place of a username) make sure you document this in your password manager, assuming you use one — which you should.


In Closing…

It takes quite a lot of work to complete each of these steps in full, and even then you’re not really “off the grid” as some might think. It’s easy today to lose track of how much information about you is really out there, but at the very least these steps will ensure your online identity is more secure and your attack surface is at a minimum.

 

Leave a Reply

Your email address will not be published. Required fields are marked *