Swamp Geek
Reviews, comparisons, and opinions about the latest technology products, services, trends and anything of interest to the thick glasses crowd!

Swamp Geek: Cybersecurity Awareness Month





Cybersecurity Awareness Tip 20: Avoid social media quizzes, surveys and public groups

TMI

Hackers and other surveillance organizations (governments, companies) use social media, too. Surveys, quizzes, games, pages and groups can all be used to collect personal information that can then be used in indirect phishing or direct cybersecurity attacks.

Be Less Social

In its 10 Ways to Protect Your Personal Data poster, Cybersecurity education company InfoSec recommends:

"Be Less Social.
What to do: Minimize the amount of personal data you have on social media platforms.
Why: Information like your pet’s name or mother’s maiden name is sometimes used to recover account logins. Don’t give hackers an easy way into your online accounts!"

This is a good reminder to avoid surveys that ask personal questions or request other information that can be used to reset account passwords.

Your activity on Facebook groups is visible, too. Views and likes on public groups are available to, well, the public.


Cybersecurity Awareness Tip 19: Check your privacy settings on social media

Who Are You and How Can I Use Your Profile Against You?

Check the authentication options and enable 2-factor or multi-factor authentication if possible. Also check what personal information is collected (SwampGeek recommends providing as little as possible), what is visible, and who can see your posts.

For Example

The privacy and security options supported by social media companies vary from basic (Minds) to complex (Facebook).

Facebook's security and privacy settings seem almost intentionally complex, but also highlight the vast amount of data the company surveils.

  • Facebook
    • Privacy Checkup (yes)
    • Settings require a Master's degree
    • Posts require a Bachelor's degree
    • Supports two-factor authentication via OTP (One-Time Passwords), Facial and Biometric authentication on mobile devices
    • Can limit logins to certain devices and can use application-specific passwords
  • Instagram
    • Privacy:
      • Private account (yes)
      • Hide comments (not sure who identifies offensive comments or how, but hiding them in general is good)
      • Posts: hide like and view counts (yes)
      • Allow tags and @mentions from people you follow
      • Show Activity Status:  No
      • Who can add you to groups? Only people you follow
    • Security
      • Save Login Info: No
      • Two-factor Authentication: OTP (e.g. Authy, LastPass Authenticator) and SMS / Text message
    • Apps and Websites: review and remove as appropriate
    • Issue: you can view - but not remove - access data (i.e. advertising tracking data)
  • LinkedIn
    • Partners & Services: check who has access to your valuable LinkedIn information / contacts
    • Visibility: Who can see / download your email address?
    • Third-party Data: 
    • Two-step verification via SMS or OTP (e.g. andOTP, Microsoft Authenticator)
  • MeWe
    • Allow Chat Requests (from other members of a group): maybe not, since it's difficult to verify the person is real
    • Limited to single-factor (password) authentication
  • Minds
    • Two-factor authentication via OTP (e.g. Duo Mobile and Google Authenticator) or email code
  • Twitter
    • Data Sharing and Off-Twitter Activity
    • Two-factor authentication via SMS, OTP (e.g. FreeOTP and Aegis Authenticator), U2F (e.g. Yubikey and others)
  • Venmo
    • Privacy: Yes, Venmo shares your payment description with the world by default.  What could possibly go wrong? (Change the default privacy option to Private)
      • You can also change Privacy For Past Transactions to Private
    • Friends & social: will you REALLY benefit from giving Venmo access to your Facebook friends list?  'Cause Venmo sure will!
    • Supports single-factor authentication via PIN or biometric (thumbprint)

Resources

Social Pilot Guide to Social Media Privacy Settings


Cybersecurity Awareness Tip 18: Don't open suspicious attachments

Dangerous Attachments (It's Not a Lifetime Movie)

No matter what the king of a tiny foreign country promises in the attached instructions, what "Amazon" says you ordered in the attached shipping document, or what FedEx says it charged you for shipping in the attached invoice, just don't open that attachment.

CISO Magazine explained how to detect suspicious email attachments during the COVID-19 pandemic.

Any Way You Want It, Just the Way You Don't Need It

Attachments may look like they were sent by someone at Amaz0n.com or another legitimate-looking website. They might be described as containing some salacious or otherwise must-know-right-now information. Definitely don't open something compressed (.zip, .7z, .arc, .rar, etc.) or an executable (.exe, .com, .iso, .dmg).

If it looks legitimate (i.e. it comes from a possibly valid source and has a common extension such as .pdf, .docx, .pptx or .xlsx, but not .docm, .pptm or .xlsm), download the file on a home computer (not a mobile device) instead of opening it from the email. Your system's antivirus or other anti-malware tool may identify issues, but to be safe, upload it to an online virus scanner like VirusTotal, which scans the file with almost every available anti-malware engine for quick and fairly complete detection. Keep in mind that files uploaded to VirusTotal are shared with its partner security vendors, so don't upload a document whose contents are themselves confidential.

Petya is a family of encrypting malware first discovered in 2016 which propagated via infected email attachments.
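The triage the tip describes, written here as an added example (not code from the Swamp Geek page): block the compressed, executable and macro-enabled types listed above, catch double extensions, and check that a "safe-looking" extension matches the file's real header before anything is opened. The sample filenames and header bytes are constructed for the demo.

```python
import os

# Extension lists taken from the tip text above.
ARCHIVE_EXT = {".zip", ".7z", ".arc", ".rar"}
EXECUTABLE_EXT = {".exe", ".com", ".iso", ".dmg"}
MACRO_EXT = {".docm", ".pptm", ".xlsm"}
COMMON_EXT = {".pdf", ".docx", ".pptx", ".xlsx"}

# Leading bytes a genuine file of each "common" type starts with
# (well-known signatures: a PDF header, and the ZIP container OOXML uses).
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}
EXE_MAGIC = b"MZ"  # Windows PE / DOS executable header


def triage_attachment(filename: str, head: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block' or 'scan-first'.

    `head` is the first few bytes of the downloaded file, read before opening it.
    """
    name = filename.lower()
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)   # catches "invoice.pdf.exe"
    if ext in ARCHIVE_EXT:
        return "block", f"compressed container ({ext})"
    if ext in EXECUTABLE_EXT:
        if inner_ext in COMMON_EXT:
            return "block", f"executable disguised with double extension ({inner_ext}{ext})"
        return "block", f"executable ({ext})"
    if ext in MACRO_EXT:
        return "block", f"macro-enabled Office document ({ext})"
    if head[:2] == EXE_MAGIC:
        return "block", f"file header is an executable despite extension {ext!r}"
    if ext in COMMON_EXT:
        if not any(head.startswith(m) for m in EXPECTED_MAGIC[ext]):
            return "block", f"content does not match a real {ext} header"
        # The tip's advice: download on a desktop and scan before opening.
        return "scan-first", f"common document type ({ext}); scan before opening"
    return "scan-first", f"unrecognised extension {ext!r}; scan before opening"


# Constructed samples: name -> first bytes of the file.
SAMPLES = {
    "order-123.zip": b"PK\x03\x04",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "shipping-label.pdf": b"MZ\x90\x00",   # an executable renamed to .pdf
    "quote.xlsm": b"PK\x03\x04",
    "contract.docx": b"PK\x03\x04",
    "memo.pdf": b"%PDF-1.7",
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_all().items():
        print(f"{verdict:10} {name:22} {reason}")
```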


Cybersecurity Awareness Tip 17: Don't Take the Click Bait

All the Time, On Every Channel

Spammers, phishers, hackers and surveillance organizations (governments and companies) don't care how they reach you, only that you take the clickbait. They'll put clickbait in email, text, social media, comments on online posts or news stories, instant messengers, chat rooms, TV, or on paper in snail mail, newspaper or magazine ads. Some even look like stories from the site you're visiting, mixed in with the site's real stories.

Stop It Before It Starts

You can stop many malicious communication attempts before they start by using:

Think Before You Click

Even the best malicious communication blockers won't catch everything, and they can't stop you from visiting sites that might have malicious links in comments or articles. And there aren't any good tools for blocking malicious text or instant messenger communications. So think before you click. Think, and check:

  • Check the URL, especially if it doesn't match the website you think you're going to visit: use a link checker to see the final destination and a website reputation checker to determine if it's safe
  • Use a URL expander to see the final destination of shortened URLs (e.g. goo.gl, bit.ly, etc.)
  • Remove tracking parameters from links. The ability to remove tracking parameters is built into Brave, and you can add browser plugins that do the same in other browsers. Some email clients (e.g. FairEmail) can also prompt you to remove tracking parameters.
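Two of those checks in code, as an added example that is not part of the original post: compare the site a link's visible text names with the site its target actually goes to, and strip tracking parameters before following it. The parameter names are an assumed short list; ClearURLs-style extensions keep much longer per-site rules.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed tracker names for the demo; real tools maintain far larger lists.
TRACKING_PREFIXES = ("utm_",)
TRACKING_EXACT = {"fbclid", "gclid", "dclid", "mc_eid", "mc_cid", "igshid", "yclid"}


def strip_tracking_params(url: str) -> str:
    """Drop tracking query parameters but keep the ones the page needs (e.g. id=42)."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not (k.lower() in TRACKING_EXACT or k.lower().startswith(TRACKING_PREFIXES))
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def registered_host(host: str) -> str:
    """Crude 'which site is this' name: the last two labels (mybank.example).
    Enough for the demo; real checkers use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_looks_deceptive(display_text: str, href: str) -> tuple:
    """Flag a link whose visible text names a different site than its target,
    or whose target hides the real host behind user@ syntax."""
    target = urlsplit(href)
    if target.scheme not in ("http", "https"):
        return True, f"non-web scheme {target.scheme!r}"
    # Only text that itself looks like a host or URL can be compared.
    shown_host = None
    if "." in display_text:
        shown_host = urlsplit(
            display_text if "://" in display_text else "//" + display_text
        ).hostname
    if shown_host and registered_host(shown_host) != registered_host(target.hostname or ""):
        return True, f"text shows {shown_host} but link goes to {target.hostname}"
    if target.username is not None:
        return True, f"'@' in authority: real host is {target.hostname}"
    return False, "ok"


if __name__ == "__main__":
    print(strip_tracking_params("https://example.com/article?id=42&utm_source=news&fbclid=abc"))
    print(link_looks_deceptive("https://www.mybank.example/login",
                               "https://mybank.example.lookalike.test/login"))
```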

Resources

Link Checkers

Website Reputation Checkers

Link Expanders

Tracker Removers

  • ClearURLs (Firefox, Edge, Chrome and other Chromium-based browsers, including Brave)

Cybersecurity Awareness Tip 16: Security <> Privacy (and you need both)

Not the Same

Privacy-focused search engine DuckDuckGo explains the difference between security and privacy, concluding:

"Security without privacy is like having a house made of bullet-proof glass. Sure, no one is getting inside, but your personal life is still on display."

Can't Have One Without the Other

Privacy-focused email provider ProtonMail argues that security depends on privacy (specifically, encryption). SwampGeek suggests that privacy contributes to security by reducing the knowledge hackers use to social-engineer attacks against you. Use a secure DNS server, a VPN (especially when connecting to public WiFi) and private email, and check your cybersecurity preparedness annually, including your social accounts. Just say "No" to Facebook quizzes.

Image by Slane for The State of Queensland, Australia (Office of the Information Commissioner)


Cybersecurity Awareness Tip 15: Check Your Cybersecurity Preparedness Annually

Auld Lang Syne

The end of the year is a good time to reflect on the past, and look forward to the future. It's also a good time to check your cybersecurity.  New threats emerge constantly. Google recently announced it's tracking 270 state-sponsored hacker groups from over 50 countries. But there is some good news: Ransomware Hackers Who Attacked Over 100 Companies Arrested in Ukraine.

New threats target all platforms. All. Platforms. HowToGeek suggests you don't need antivirus protection on your iPhone because malware on iOS is rare by design. Antivirus vendor BitDefender reminds us that iOS isn't safe either.

South Florida Seasons: Summer and Hurricane

In South Florida, many use a checklist to prepare for hurricane season each year (our other season is summer). Even though the threat of cybersecurity attacks is constant, schedule a reminder to check your cybersecurity preparedness at least annually. Put it on a calendar that you're sure to see, and remember to take action.

SwampGeek Recommends...

SwampGeek recommends (without affiliate or any other compensation):

  1. Is your personal info on the dark web?
  2. Review and reset passwords, and implement multi-factor authentication where possible
  3. Make sure your software and browser plugins are updated automatically and often
  4. Review mobile app permissions and remove unused apps
  5. Check your anti-malware strategy
  6. Check your backup strategy
    • Make sure backups are running correctly on all devices
    • Use an online backup (or several) to prevent loss from theft or natural disaster; it can also help protect against ransomware
    • Encrypt confidential files on device before backing up
    • SwampGeek recommends (without affiliate or any other compensation):
      • pCloud (also good for file sharing, can automatically backup photos from your smart phone)
      • IDrive (supports local backups and sync with other systems on the same network, can automatically backup photos from your smart phone)
      • Look for significant discounts the week of US Thanksgiving holiday
  7. Review your social media, instant messenger, text and email privacy and security settings
    • Personal information available to the public can be used in phishing attacks - make sure your posts aren't public (this includes Venmo!)
  8. Review your financial account security, privacy and notification settings

Resources

Free Online Security Check Ups and Tools

 


Cybersecurity Awareness Tip 14: Use private email to limit snooping to governments

Nothing to Hide

40% of emails are spam and 70% contain email trackers; hackers, spammers and surveillance organizations (companies, governments) use this to target individuals. What about the email providers who may have direct access to your email communications?

Glenn Greenwald, author of No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, explains why email privacy matters when people tell him they have nothing to hide:

"Here's my email address. ...Email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide."

Greenwald doesn't mention being able to reset the passwords for all your financial accounts, find your phone and much more, just by being able to access your email.

Google insists it no longer reads your email and neither do 3rd-party app makers. Preveil and Guardian disagree. And even if Google, Yahoo, Microsoft and other providers of "free" email services don't scan your messages, they can (and do!) still use the metadata (who sent and received the email, when, and what the subject was) for marketing or other purposes.

Snooping Governments Will Still Snoop

Even privacy-focused email providers must respond to the force of courts and other government agencies, including top providers ProtonMail and Tutanota. After a recent event, ProtonMail explained why it scrubbed its website of "no IP logging" content, how it transparently reports incidents of government force, and how you can use its free ProtonVPN service to mitigate the impact of government force.

Keeping Your Email Yours

There are better options for private email without the surveillance incentives of the major free email providers.  Some of them have free versions with limitations. These offer end-to-end encryption, but beware:

  • Many encrypted email providers use standard PGP encryption, which only applies to the message content, not the metadata (from, to, date and subject). But privacy focused email providers 
  • You can also send unencrypted email, and the contents are then visible in the recipient's potentially surveilled inbox.
  • You must use secure email clients on all devices. Most secure email providers offer clients on major platforms, but beware of using other clients, especially without encryption, via POP or IMAP.

SwampGeek Recommends...

SwampGeek recommends (without affiliate or any other compensation):

  • ProtonMail - Switzerland-based, with a good free service that has most features and a low-cost, fully-featured commercial service
  • Tutanota - Germany-based, with a good free service that has most features and a low-cost, fully-featured commercial service

You can also use email forwarding to further protect your inbox.

Resources

Privacy Tools - provides services, tools and knowledge to protect your privacy

Least Secure Email Providers

Google Privacy Checker - see how much of your info is collected by the company whose motto is "Do No Evil" 

Restore Privacy's List of Secure and Private Email Services

Privacy Tools List of Private Email Providers

ProPrivacy's List of Free and Commercial Secure Email Providers

Cybersecurity Awareness Tip 13: Use Email Forwarding to Protect Your Email Address

Using a password manager with unique passwords is one of the most common cybersecurity recommendations (and SwampGeek agrees). But, when creating new accounts, why not use a unique email address, too? 

Use a Unique Email Address

There are many reasons for using unique email addresses when creating accounts:

  • Limit the reach of image trackers used in 70% of emails
  • Limit the impact of hacked accounts that contain your email address (billions have been included in data dumps - check yours at Have I Been Pwned? )
  • Limit the impact of surveillance companies, governments and organizations that collect and sell your email address and associated personal data

 

To Be, or Not to Be? Which Alias is the Question

There are multiple ways to use unique email addresses, including:

  • Free email accounts with or without email aliases 
  • Email forwarding using disposable email addresses (random or user named)
  • Temporary disposable email, which generates a random address, but email is available temporarily to anyone who knows the address

Choosing Options

Generating multiple free email accounts (e.g. Gmail, Outlook, Yahoo Mail, etc.) can get tedious and requires connecting multiple accounts to an email client or checking multiple websites for mail. Using aliases in these accounts can also be tedious and is often limited to a small number. However, Google allows tags (e.g. user+tag@gmail.com) and variations of the user name (e.g. u.s.e.r@gmail.com and us.er@gmail.com are all delivered to the same inbox as user@gmail.com). Free email providers with good privacy protection and reasonable commercial options include:

Forwarding disposable email addresses are best for creating online accounts, especially since your email address can be sold, shared or stolen. They can be deactivated at any time, blocking the inevitable spam that comes with linking your email address to any other marketable personal information. Better free options include:

Temporary disposable email is only useful when combined with a VPN and other privacy protection for when you don't want to be tracked. And since the mailbox is publicly readable, it shouldn't be used for anything you wish to keep private. Options include:

SwampGeek Recommends

SwampGeek recommends:

  • Free / paid email accounts
  • Email forwarding
    • ManyMe - lets you manage (change, block, etc.) unique addresses offline using a qualifier that doesn't need to be created in advance, e.g. sabrina.walmart@manyme.com or sabrina.mewe@manyme.com
    • DuckDuckGo Email Protection (@duck.com) - strips tracking information before forwarding and generates random addresses that forward to your primary address via a browser extension

Specifically:

  1. Register for accounts using ManyMe (yourmanyme.account@manyme.com)
  2. Forward your ManyMe email to DuckDuckGo (yourduckuser@duck.com)
  3. Forward your DuckDuckGo email to your regular email account (youruser@tuta.io)
  4. Block or delete spammers and hackers in ManyMe
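The payoff of per-site aliases is that the address spam arrives on tells you which service leaked or sold it; this added example (not the page's or any provider's code) pulls that label out of Gmail +tags and ManyMe qualifiers, and normalises Gmail dot/+ variants back to the real inbox. The rule that a ManyMe address is `account.qualifier@manyme.com` is an assumption based on the page's own examples.

```python
from typing import Optional

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
MANYME_DOMAIN = "manyme.com"   # assumed layout: account.qualifier@manyme.com


def split_address(addr: str) -> tuple:
    """Return (local_part, domain), lower-cased; raise on anything that isn't user@host."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def canonical_inbox(addr: str) -> str:
    """u.s.e.r+shop@gmail.com -> user@gmail.com.

    Gmail ignores dots and everything after '+'; other providers only get the
    '+tag' stripped here, since dots are significant for them.
    """
    local, domain = split_address(addr)
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def alias_label(addr: str) -> Optional[str]:
    """The per-site label embedded in an alias, or None if the address has none."""
    local, domain = split_address(addr)
    if "+" in local:                                   # user+walmart@gmail.com
        return local.split("+", 1)[1] or None
    if domain == MANYME_DOMAIN and "." in local:       # sabrina.walmart@manyme.com
        return local.split(".", 1)[1]
    return None


def who_leaked(to_header: str, known_labels: dict) -> str:
    """Map the label on an incoming To: address back to the service it was given to.

    known_labels is your own record, e.g. {"walmart": "Walmart account"};
    an unknown label means the alias was guessed or passed on.
    """
    label = alias_label(to_header)
    if label is None:
        return "primary address (no alias in use)"
    return known_labels.get(label, f"unknown label {label!r}: was it guessed or shared?")


if __name__ == "__main__":
    # Constructed To: headers from three spam messages.
    record = {"walmart": "Walmart account", "mewe": "MeWe signup"}
    for to in ("sabrina.walmart@manyme.com", "sabrina+forum@gmail.com", "sabrina@tuta.io"):
        print(f"{to:30} -> {who_leaked(to, record)}")
```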

Resources

Can You Trust HaveIBeenPwned.com?

The Best Temporary Disposable Email Services, with descriptions of when and how to use different types of disposable email services, recommendations, and pros and cons

Cybersecurity Awareness Tip 12: Disable automatic image display in email

According to Spam Laws, 14 billion spam emails are sent daily, accounting for 45% of all email. 40% of emails contain tracking pixels (aka tracker images, web beacons, web bugs, tracking bugs, web tags, page tags, pixel tags, 1 x 1 GIFs, and clear GIFs). A journalist who used a tracking tool to research email tracking believes Apple CEO Tim Cook read his email using a Windows computer.

Reading or Previewing an Email Can Harm You

Just opening - or previewing - an email can display tracking images that can be used to collect all kinds of information about recipients, including:

  • when, where, with which email client, using which email provider and on what device the email was opened
  • how long the message was opened
  • how many times the message was reopened
  • whether or not you clicked any links within the message
  • what type of device you used to open the email
  • how many times and to whom the message was forwarded

Hackers, spammers, scammers can use this information to target you for phishing or other harmful activities.

A Simple Solution: Don't auto-display images

The simple solution is to disable the display of remote images or remote content. Even better, some providers can block all remote content. A few offer the ability to block embedded images, which can be used to transmit malware when displayed.

Privacy focused email providers like ProtonMail and Tutanota block external images by default. Tutanota won't display external images at all unless you ask, but it lets you mark trusted senders so their future emails display images without prompting.

Superhuman offers a service for tracking the emails you send, and it doesn't allow its customers to block images on the email they receive.
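What "don't auto-display remote images" does inside a mail client, as an added example that is not part of the original post: find every remote image in an HTML message, note which ones look like tracking pixels (1x1, hidden, or carrying a per-recipient query string), and return a copy with the remote fetches neutralised so no beacon fires. The sample message is constructed here.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: an embedded (cid:) logo, a hidden 1x1 tracking pixel
# with a per-recipient query string, and an ordinary banner image.
SAMPLE_HTML = """<html><body>
<p>Your order has shipped!</p>
<img src="cid:logo@local" alt="logo">
<img src="https://track.example.net/o.gif?u=4f3a&amp;m=991" width="1" height="1" style="display:none">
<img src="https://cdn.example.com/banner.jpg" width="600" height="120" alt="banner">
</body></html>"""


class RemoteImageBlocker(HTMLParser):
    """Rebuild the HTML, emptying every remote <img src> and recording
    what was blocked and why it looked like a tracker."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocked = []   # (src, reason or None)
        self.out = []

    @staticmethod
    def _is_remote(src):
        return src.lower().startswith(("http://", "https://", "//"))

    @staticmethod
    def _tracker_reason(attrs):
        w = (attrs.get("width") or "").strip()
        h = (attrs.get("height") or "").strip()
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if w in ("0", "1") and h in ("0", "1"):
            return "1x1 image"
        if "display:none" in style or "visibility:hidden" in style:
            return "hidden image"
        if "?" in (attrs.get("src") or ""):
            return "per-recipient query string"
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and self._is_remote(attrs.get("src") or ""):
            src = attrs["src"]
            self.blocked.append((src, self._tracker_reason(attrs)))
            attrs["src"] = ""                  # no fetch, so nothing leaves the machine
            attrs["data-blocked-src"] = src    # kept so the user can opt in later
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs.items()
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)       # treat <img ... /> like <img ...>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def block_remote_images(html: str) -> tuple:
    """Return (sanitised_html, blocked) where blocked is a list of (src, reason)."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


if __name__ == "__main__":
    safe_html, found = block_remote_images(SAMPLE_HTML)
    for src, reason in found:
        print(f"blocked {src}  ({reason or 'no tracker signs'})")
```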

 

More Help is On the Way

Privacy and security focused providers are developing new ways to eliminate tracking pixels, or to eliminate their benefit. Apple is deploying a proxy server to disguise the recipient. Privacy-focused search engine provider DuckDuckGo is testing a proxy email service that removes trackers before forwarding messages to recipients.

For now, the most effective way to protect yourself is to simply not display images in email.  And watch out for similar techniques in texts and instant messages, too.

Resources

How to Stop Images from Automatically Downloading in Emails


Cybersecurity Awareness Tip 11: Consider a passphrase instead of a password

Even if you use more than one factor to identify yourself, chances are one of those factors is something you know, typically called a password. But you can often use a passphrase instead of a cryptic, hard-to-remember password. You should still use a password manager with unique passwords (or passphrases) to help remember them. In fact, Lastpass recommends using a passphrase for your Lastpass Master Password.

How is a Passphrase Different From a Password?

The main difference between a passphrase and a password is that passwords do not have spaces. Passphrases are usually longer than a random string of letters and have spaces, but passphrases can also contain symbols. Although it might make it easier to remember, a passphrase does not have to be a proper sentence or be grammatically correct.

Image: XKCD.com/936/

Passphrases Are Better Than Passwords

Password Dragon offers 5 reasons why passphrases are better than passwords:

  1. Passphrases are easier to remember than a random string of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.

  2. Passwords are relatively easy to guess or crack by both humans and robots. The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.

  3. Satisfies complex rules easily. The use of punctuation, upper and lower cases in Passphrases also meets the complexity requirements for passwords.

  4. Major OSes and applications support passphrases. All major OSes including Windows, Linux and Mac allow pass-phrases of up to 127 characters long. Hence, you can opt for longer passphrases for maximum security.

  5. Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

The FBI agrees.

But privacy-focused email provider ProtonMail argues passphrases are only sometimes more secure than passwords. ProtonMail recommends you keep the following in mind when using passphrases:

  • Four words should be sufficient. Five words is better.
  • Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
  • Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.

Even though Lastpass recommends using a passphrase for your Lastpass Master Password, the otherwise fully-featured password manager can't generate passphrases yet. You can use an online passphrase generator, but be careful to use one that doesn't log the generated passwords.

SwampGeek recommends

SwampGeek.com recommends using the Diceware passphrase generator with the EFF wordlist, combined with multi-factor authentication. And, if you can't switch from a bank or other online account that allows password resets with correct (and easily guessable) answers to security questions, try answering with lies.
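A Diceware-style generator and the entropy arithmetic behind "four words should be sufficient, five is better", written here as an added example (not the page's code and not the Diceware tool itself). It assumes a 7776-entry list like the EFF long wordlist, keyed by five d6 rolls (11111 to 66666); the WORDLIST below is a constructed stand-in so the file runs offline.

```python
import math
import secrets

EFF_LONG_LIST_SIZE = 6 ** 5   # 7776 words, one per roll of five dice
PRINTABLE_ASCII = 95          # pool size for a random-character password

# Constructed stand-in for the EFF long wordlist; the real list maps the
# same 7776 dice keys to memorable English words.
WORDLIST = [f"word{i:04d}" for i in range(EFF_LONG_LIST_SIZE)]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def dice_to_index(rolls: str) -> int:
    """Diceware key to list position: '11111' -> 0 ... '66666' -> 7775."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("a Diceware key is exactly five digits from 1 to 6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(n: int = 5) -> str:
    # secrets, not random: passphrase material must come from a CSPRNG.
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware(wordlist, words: int = 5, separator: str = " ") -> str:
    """Pick `words` uniformly random entries; the page's guidance is four, better five.
    Random picks are the point: a quotation or song lyric is a dictionary entry, not a roll."""
    if len(wordlist) != EFF_LONG_LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 entries")
    if words < 4:
        raise ValueError("use at least four words")
    return separator.join(wordlist[dice_to_index(roll_dice())] for _ in range(words))


def compare(words: int) -> dict:
    """Entropy of a `words`-word Diceware phrase next to random-character passwords."""
    return {
        "diceware_words": round(entropy_bits(EFF_LONG_LIST_SIZE, words), 1),
        "random_8_printable": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "random_12_printable": round(entropy_bits(PRINTABLE_ASCII, 12), 1),
    }


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(n, "words:", compare(n))
    print(diceware(WORDLIST, 5))
```

Four random words from the 7776-word list carry about 51.7 bits, roughly the same as 8 random printable characters, and five words carry about 64.6 bits while staying far easier to remember.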

Resources

How Secure is your password? (password checking tool)

Diceware passphrase generator with EFF wordlist

 


