What I have learnt about cyber security at Digital Privacy Salon

Yesterday, I read an interesting, funny but alarming blog post about a company that ran a test on the Berlin police to see whether they would believe a fake email and a fake link to a website telling them to enter their user password into a special database. 252 out of 466 opened the email and 35 police officers entered their login credentials. So everybody can become a victim, and that’s why it is important to raise awareness about cyber security.

Last week, I stumbled upon a tweet from BeeSecure that said:

This caught my interest, as I think digital privacy is something that really concerns everybody who browses the internet today. As soon as you’re connected to the World Wide Web, you are also vulnerable and open to cyber threats. And you’re tracked all the time, too. In fact, for the big companies like Google, Facebook etc., well, their business is big data. Do you pay anything to use their services? No. And yet, they have huge infrastructure, facilities with servers etc.

Although cyber security may be very complex nowadays, there are several things you can do as an end user to ensure more privacy and more security on the web. These are not complicated. And that’s what the Digital Privacy Salon Luxembourg is all about. These sessions are free, intended for everyone and no prior technical expertise is assumed.

„Digital Privacy Salons are skill & knowledge sharing sessions which aim to teach people the basic ways of protecting themselves and their data from intrusive surveillance. Generally the salons deal with how to have private conversations over instant messaging, how to encrypt emails, how to browse anonymously amongst other things. It is very important that you leave the Privacy Salon with tools & knowledge you can use on a daily basis, and explain to your friends how to do it too. All the attendees should come with device(s) they want to install tools on.“

So look out for future events on their website. Also, the location where the sessions are held, the Syn2Cat hackerspace in Bonnevoie at Level2 is very cozy and the people there are nice.

In the meantime I want to share with you the tools we have been discussing.

First we got an introduction by Chris (aka cataspanglish) to the basics of how the internet works. Then together with Raphaël Vinot, IT security expert from CIRCL, we looked at what we can do.

We are being watched

I love the TV show „Person of Interest“. Although it is fiction, many of the things they talk about are not really far from reality. In this case, by „being watched“ I mean being followed and tracked on the internet. This happens on nearly every site you browse. For example, if you go to a news website like welt.de, there are 19 companies in total that will get your data. Well, not all your data, but for example your IP address and browsing habits. You can see these connections on the interesting website Trackography:

www.trackography.org

„Most websites include embedded images and code which come from the domains and servers of third party companies. These companies are able to track us through the use of cookies and other technologies which collect different pieces of information about us. Such data can include our IP address, type of computer or mobile phone, operating system and the plugins we have installed, as well as data about our online behaviour, such as the websites we visit, where and for how long our mouse lingers on a page and what we search for. Data about our device and online behaviour enables companies to link our likes and interests directly to us and to create profiles about us, which are then subsequently sold to advertisers.

Why are we being tracked? Online tracking is part of a larger industry which makes a profit out of our data. The data industry makes billions of dollars from collecting data about who we are and what we are interested in by tracking the websites we access every day.“

So what to do about that? There are tools that can help us to avoid or minimize this.

System and browser

To access the internet, you need some tools. Most people use Windows computers nowadays, so this is of course the most vulnerable system. It’s susceptible to viruses, malware, trojans etc. Then there are Mac systems and Linux systems, which fewer people use, so there are also fewer threats. As for smartphones, the Android system is very widespread, vulnerable and open. It is very difficult to secure. The iPhone OS is more closed, as it is also proprietary. Good browsers to use are still Firefox and Google’s Chrome. In any case, ermm forget about Internet Explorer ;-)

Secure connection

One simple thing to check on every website is whether the connection is secure, above all when you enter login data. It is important to check the URL address. It should say https:// instead of just http://. The „s“ means: secure. It means that your communication is encrypted by SSL.

The first interesting plugin we looked at is called:

HTTPS Everywhere from EFF (Electronic Frontier Foundation)

You can install this plugin in your browser. Chrome, Firefox and Opera are supported. This plugin makes sure the secure version of a website is used whenever possible.

Block ads and tracking

Above I presented Trackography which shows that we are tracked by various sites by embedded code in websites. One tool we can use to prevent most of this is:

www.ublock.org

It is simple to install and works quietly in the background.

Deactivate scripts

Evil scripts that run in the background may harm your computer. So it would be a great idea to deactivate scripts in your browser. The problem, however, is that without scripts a lot of websites are no fun and no longer interactive, as too much content may be blocked. Still, here is the link to NoScript, only for Firefox though.

No Flash

For several years, experts have been saying that Adobe’s Flash technology will die. In fact, Flash often had security problems in the past, and since Apple said it would rather go with technologies like HTML5, Flash development has decreased. Today, Adobe even released the new Creative Cloud Apps, and astonishingly, Flash has disappeared, been rewritten and now been integrated into Adobe Animate CC. So whenever you can avoid Flash and there is an alternative, use the alternative. For YouTube, for example, you can simply go to:

www.youtube.com/html5

and check the option „the HTML5 Player is currently used whenever possible“.

Is this link secure to click?

Before clicking a link, you often don’t know if it leads to a website which can be trusted. So here is the next interesting plugin:

www.mywot.com Web of Trust puts a little icon next to your links. If it is green, it is safe to click. When it’s red: be careful.

Secure chat

Nowadays there are tons of applications to connect to your friends, to chat, to share data, like Facebook Chat, Messenger, WhatsApp, Viber. All these are not secure. If you want to be on the safe side you can use

crypto.cat: „Cryptocat is a fun, accessible app for having encrypted chat with your friends, right in your browser and mobile phone. Everything is encrypted before it leaves your computer. Even the Cryptocat network itself can’t read your messages.“

A good Skype alternative would be: Jitsi Meet.

Secure data transfer

I like to use services like Dropbox or Google Drive to store documents and to be able to access them from every machine. This is really handy. However, Dropbox has been a victim of password stealing in the past. If you have critical data, it would be better to use other services. If you have to transfer data like Edward Snowden, you had better use:

www.spideroak.com
They say: „Our baseline premise is the user alone holds the key to decrypt their data. Data shall never be transmitted or stored in a non-encrypted state and we never store the encrypted data along with its keys except on the user’s computer.“

Mobile communication

Our mobile phones are mini computers. So they’re as vulnerable as their big brothers. To ensure secure communication (phone calls, SMS) with end-to-end encryption on your mobile, there are these great tools from:

whispersystems.org

Passwords

Passwords have to be used all the time in our modern world. For every service you need a password, mostly online. Most critical, of course, are those services that have to do with your money: your online banking or services like PayPal etc. Two days ago, I read an article saying that 1 in 10 internet users uses the same password on every site they use. That’s really the thing you really should neverrrr everrrr do. Most people find passwords very annoying, and nobody can remember all their passwords if they have to use a different one for every site. However, there is a solution: a password manager.

www.KeePass.info. KeePass is a password manager that lets you save all your passwords encrypted with a master password. It can also help you create secure passwords that are not like 12345 ;-)

I personally like to use Pastor on my Mac, which has basically the same functionality.

Secure E-Mail

Unfortunately, this topic is complicated, because when you want to use encrypted e-mail, the one receiving the e-mail also has to use that service, otherwise it makes no sense. So we skipped that topic. However, if you really want to encrypt, then GPG is interesting to look at. Or Enigmail. There are other systems out there, for example ProtonMail and even Google extensions for Gmail.

Go even more anonymous

There is a project that is very interesting if you want to go even more anonymous on the web. The issue with this is that more security also means less fun.

www.torproject.org
„Tor is free software that protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.“

Search engine alternatives

Everybody uses search engines, every day. Google knows everything :-) However, these search engines also track what you are looking for, and they save your search history and evaluate it. When you check out the Tor project, you can discover that it uses a different search engine:

disconnect.me

Or here is yet another one you can use that won’t track or hack you: www.ixquick.com

Resources

At the end of this Digital Privacy Salon, we looked at these resources to stay up-to-date:

https://tacticaltech.org/

https://myshadow.org/

Report Web Abuse

www.circl.lu/urlabuse
„URL Abuse is a public CIRCL service to review the security of an URL (internet link). Users regularly encounter links while browsing the Internet or receiving emails. When there are some doubts regarding an URL (e.g. potential phishing attacks or malicious links), users can submit an URL for review via URL abuse.“

Finally: Thank you BeeSecure for the Pizzas and Red Wine :-) And thank you Hackerspace / Level2 / Digital Privacy Salon for the insights!
