As my final blog post of 2020, I’d like to share a brief checklist to help users and researchers stay safe online. Many attackers use broad, sweeping methods, and those who overlook the basics are often the first to be compromised. This guide aims to support those who are beginning their journey into Operational Security (OPSEC):
Social Media:
- Set social media accounts (e.g. Twitter, Facebook, Instagram, Tiktok) to private.
- Avoid using your real name when creating accounts.
- Avoid using identifiable personal pictures for profile pictures and cover pictures.
- Leave bio details blank and avoid sharing identifiable information.
- Do not check-in to locations or share your location for social media posts.
- Have a vetted list of friends/contacts that you permit to view your social media content.
- Finally, personnel who work in cleared positions may often ask family members not to share pictures of you and prevent tagging.
Personal Security (PERSEC):
- Use more than one email account – ideally one for critical services like finances, online shopping etc, and one for social media and other non-essential platforms.
- Setup Multi-factor Authentication (OTP SMS text or Auth App). [1]
- Check the enabled permissions of mobile apps so that you do not unwittingly share your contact details, SMS log, notifications, and other sensitive information with marketing companies, adware, and malware.
- Only download applications from official sources, such as the Google Play Store for Android.
- Check if a URL is malicious using these three services: Browserling, URLscan and VirusTotal. [2, 3, 4]
- Have I been Pwned – VERY useful service to check if your email address has appeared in any breaches and where you may need to update your passwords, as well as notifying you if your email address is present in a new breach when it is uploaded to the platform. [5]
- Password managers – one of the most useful programmes to organise accounts in an encrypted database that can only be accessed locally with one master password. [6]
- Alway backup data for a plethora of reasons, potentially in multiple ways such as removable media, and cloud services that will do it for free such as Google Drive, OneDrive, or iCloud.
The goal of these tips are to become harder to track down and targeted by threat actors. The more time it takes them to attack you, the more likely it is they will give up and move on.
Along with the above, those who are public facing personalities may not get the luxury to conceal their real names from the world. For this group of people they are forced to up their OPSEC game due to the increased threat level and the higher number of attacks. These are also recommended for any type of user that takes security seriously:
- Firstly, if you require a proper security review, it will be worth it to ask a professional to check your OPSEC using OSINT and other other types of audits.
- Credit monitoring to check for fraudulent transactions.
- Setting up alert emails to check if you are mentioned on Twitter or in news articles can be done via Google Alerts or Warble Alerts. [7, 8]
- Secure email services such as ProtonMail can be used to send encrypted email addresses to others with similar ‘@protonmail.com’ accounts. [9]
- Any applications, software or services should be reviewed before use with their privacy policies reviewed.
- Before you interact with someone online whether you know them or not, they should be vetted via a quick background research.
- Virtual Private Network (VPN) appliances are recommended for when surfing the web and in public WiFi to encrypt your traffic on networks you do not own and from websites. [10]
- It may also be worth investigating the use of a Virtual Machine (VM) to run a Linux or Windows operating system (OS) inside your primary OS. [11]
- End-to-end encrypted (E2EE) chatting applications for mobile and desktop are recommended such as Keybase, Telegram, or Signal for secure communications and file sharing. [12, 13, 14]
- A final interesting tool that many security engineers use are known as CanaryTokens – these are laid like traps that set off an alert if an intruder triggers them. [15]
Links:
1. https://www.microsoft.com/en-us/account/authenticator
2. https://www.browserling.com/
4. https://www.virustotal.com/
5. https://haveibeenpwned.com/
7. https://www.google.co.uk/alerts
11. https://www.virtualbox.org/
15. http://canarytokens.org/generate