Using a password manager with unique passwords is one of the most common cybersecurity recommendations (and SwampGeek agrees). But, when creating new accounts, why not use a unique email address, too?
Use a Unique Email Address
There are many reasons for using unique email addresses when creating accounts:
Limit the reach of image trackers used in 70% of emails
Limit the impact of hacked accounts that contain your email address (billions have been included in data dumps - check yours at Have I Been Pwned?)
Limit the impact of surveillance companies, governments and organizations that collect and sell your email address and associated personal data
To Be, or Not to Be? Which Alias is the Question
There are multiple ways to use unique email addresses, including:
Free email accounts with or without email aliases
Email forwarding using disposable email addresses (random or user named)
Temporary disposable email, which generates a random address whose inbox is public: for a short time, anyone who knows the address can read the mail sent to it
Hackers, spammers and scammers who find such an address can read that mail (including any password reset links sent to it) and use it to target you for phishing or other harmful activities.
Choosing Options
Generating multiple free email accounts (e.g. Gmail, Outlook, Yahoo Mail, etc.) can get tedious and requires connecting multiple accounts to an email client or checking multiple websites for mail. Using aliases in these accounts can also be tedious and is often limited to a small number. However, Google allows plus tags (e.g. user+tag@gmail.com) and ignores dots in the user part (e.g. u.s.e.r@gmail.com and us.er@gmail.com are all delivered to the same inbox as user@gmail.com). Keep in mind that both tricks are well known: anyone who buys or steals a mailing list can strip the tag and the dots to recover your real address, so they help you sort mail and trace which service leaked it, but they don't hide who you are. Free email providers with good privacy protection and reasonable commercial options include:
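To make that last point concrete, here is an added Python example (not from the original post) that does exactly what a list broker or spammer would do: reduce a Gmail plus-tagged or dotted address back to the inbox it reaches. The same function also pulls out the tag, which is the useful side of the trick: if mail to user+walmart@gmail.com starts arriving from strangers, you know which account was sold or breached. The address samples are constructed; the dot and plus rules are Gmail's documented behaviour, and googlemail.com is treated as the same inbox as gmail.com.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> Tuple[str, Optional[str]]:
    """Reduce a Gmail address to the inbox it really reaches.

    Returns (canonical address, plus-tag or None). Addresses at other domains
    are only lower-cased, because other providers have their own alias rules.
    """
    local, sep, domain = address.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    tag: Optional[str] = None
    if domain in GMAIL_DOMAINS:
        if "+" in local:
            local, tag = local.split("+", 1)  # everything after the first '+' is the tag
        local = local.replace(".", "")        # Gmail ignores dots in the local part
        domain = "gmail.com"                  # googlemail.com delivers to the same inbox
    return f"{local.lower()}@{domain}", tag


def group_by_inbox(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group addresses that reach the same inbox.

    Only groups with two or more members are returned: those are the "unique"
    addresses a data broker would merge into one profile.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for addr in addresses:
        canonical, _ = canonical_gmail(addr)
        groups[canonical].append(addr)
    return {inbox: members for inbox, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample: three spellings of one Gmail inbox plus an unrelated address.
    sample = ["user@gmail.com", "u.s.e.r+shop@gmail.com", "other@example.com", "US.ER@googlemail.com"]
    print(canonical_gmail("U.S.E.R+walmart@googlemail.com"))
    print(group_by_inbox(sample))
```

Run it against an export of the addresses you have registered with and the grouped output shows which of your "unique" addresses are really one address with a different tag.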
Forwarding disposable email addresses are best for creating online accounts, especially given the possibility that your email address can be sold, shared or stolen. They can be deactivated at any time, blocking the inevitable spam that comes with linking your email address to any other marketable personal information. Better free options include:
DuckDuckGo Email Protection (removes tracking info before forwarding and lets you generate random address via a browser extension)
ManyMe (lets you generate email addresses offline and blocks spam)
Temporary disposable email is only useful when combined with a VPN and other privacy protection for when you don't want to be tracked. And since the inbox is publicly readable, it shouldn't be used for anything you wish to keep private. Options include:
ManyMe - with ability to manage (change, block, etc.) unique emails offline using a qualifier that doesn't need to be created in advance, e.g. sabrina.walmart@manyme.com or sabrina.mewe@manyme.com
DuckDuckGo Email Protection (@duck.com) - strips tracking information before forwarding and generates random addresses that forward to your primary address via a browser extension
Specifically:
Register for accounts using ManyMe (yourmanyme.account@manyme.com),
Forward your ManyMe email to DuckDuckGo (yourduckuser@duck.com)
Forward your DuckDuckGo email to your regular email account (youruser@tuta.io)
Just opening - or previewing - an email can display tracking images that can be used to collect all kinds of information about recipients, including:
when, where, with which email client, using which email provider and on what device the email was opened
how long the message was opened
how many times the message was reopened
whether or not you clicked any links within the message
what type of device you used to open the email
how many times and to whom the message was forwarded
Hackers, spammers, scammers can use this information to target you for phishing or other harmful activities.
A Simple Solution: Don't auto-display images
The simple solution is to disable the display of remote images or remote content in your email client. Even better, some providers can block all remote content on the server, so nothing is fetched even if one of your clients is misconfigured. A few also offer the ability to block embedded images, which can be used to transmit malware when displayed.
Privacy-focused email providers like ProtonMail and Tutanota block external images by default. Tutanota also lets you mark trusted senders so their future emails display images without prompting.
For now, the most effective way to protect yourself is to simply not display images in email. And watch out for similar techniques in texts and instant messages, too.
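What a tracking pixel actually looks like, and what "don't display remote images" does about it, is easier to see in code. The following is an added Python example, not code from the original post or from any of the providers named above. It parses a constructed HTML email with the standard library, lists every image that would trigger a fetch from a remote server, flags the tell-tale signs of a beacon (1x1 or hidden image, long opaque identifier in the query string), and shows the client-side fix: removing the remote image so no request is ever made. The heuristics are this example's own and will miss a pixel that avoids all three signs, which is why blocking all remote images is the safer default.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample of an HTML marketing email: a real logo, an inline (cid:)
# attachment that needs no network fetch, and a tracking pixel.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Shop">
<img src="cid:part1.abc@example.com" width="300">
<p>Your order has shipped.</p>
<img src="https://track.example.net/open.gif?u=a1b2c3d4e5f6a7b8c9d0&amp;c=42"
     width="1" height="1" style="display:none">
</body></html>
"""

# Matches an <img> tag whose src is fetched over http(s); used to cut the fetch out entirely.
REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]https?://[^'\"]*['\"][^>]*>", re.IGNORECASE)


class RemoteImageAuditor(HTMLParser):
    """Collect remote <img> tags and note the signs that mark a tracking pixel."""

    def __init__(self) -> None:
        super().__init__()
        self.remote_images: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        src = attr.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are already inside the message; no fetch, no beacon
        reasons: List[str] = []
        if attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1"):
            reasons.append("1x1 or zero-size image")
        style = attr.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by inline style")
        # A long opaque query value is usually a per-recipient identifier.
        if any(len(v) >= 16 for values in parse_qs(url.query).values() for v in values):
            reasons.append("opaque per-recipient token in query string")
        self.remote_images.append((src, reasons))


def audit_email_html(html: str) -> List[Tuple[str, List[str]]]:
    """Return every remote image with the list of tracking signs it shows (empty list = looks benign)."""
    parser = RemoteImageAuditor()
    parser.feed(html)
    parser.close()
    return parser.remote_images


def tracking_pixels(html: str) -> List[str]:
    """Just the URLs that show at least one tracking sign."""
    return [src for src, reasons in audit_email_html(html) if reasons]


def strip_remote_images(html: str) -> str:
    """The client-side fix: drop the remote <img> so the sender's server never sees a request."""
    return REMOTE_IMG.sub("[remote image blocked]", html)


if __name__ == "__main__":
    for src, reasons in audit_email_html(SAMPLE_EMAIL_HTML):
        print(src, "->", reasons or "no tracking signs")
    print(strip_remote_images(SAMPLE_EMAIL_HTML))
```

Note that the audit also reports the logo: the sender's CDN learns your IP address and client from that fetch too, even though it carries no per-recipient token, which is why the strip function removes every remote image rather than only the suspicious ones.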
The main difference between a passphrase and a password is that a passphrase is a sequence of words, usually separated by spaces, while a password is a shorter string of characters. Passphrases are usually longer than a random string of letters, and they can also contain symbols and digits. Although it might make it easier to remember, a passphrase does not have to be a proper sentence or be grammatically correct.
Password Dragon offers 5 reasons why passphrases are better than passwords:
Passphrases are easier to remember than a random mix of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
Passwords are relatively easy to guess or crack by both humans and robots. Online criminals have also leveled up and developed state-of-the-art hacking tools that are designed to crack even the most complicated password.
Satisfies complex rules easily. The use of punctuation and upper and lower case in passphrases also meets the complexity requirements for passwords.
Major OSes and applications support passphrases. All major OSes, including Windows, Linux and Mac, allow passphrases of up to 127 characters. Hence, you can opt for longer passphrases for maximum security.
Passphrases are next to impossible to crack because most of the highly efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won't be able to guess, brute-force or pre-compute these passphrases.
Four words should be sufficient. Five words is better.
Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
Even though LastPass recommends using a passphrase for your LastPass master password, the otherwise fully-featured password manager can't generate passphrases yet. You can use an online passphrase generator, but be careful to use one that doesn't log the generated passwords; a generator that runs on your own machine avoids the question entirely.
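Here is such a generator, as an added Python example (not from LastPass or the original post). It picks words with the operating system's cryptographic random source rather than the ordinary random module, and it also puts numbers on the "four words, five is better" advice above: five words from a 7,776-word diceware list carry about 64.6 bits, roughly the same as ten fully random printable characters, which is the comparison the passphrase-versus-password debate turns on. The 32-word list embedded below is a constructed stand-in so the block runs offline; for real use load the EFF large wordlist (7,776 words) instead, since a 32-word list gives only 5 bits per word.

```python
import math
import secrets
from typing import Sequence

# Constructed stand-in wordlist for this example: 32 distinct words = exactly 5 bits per word.
SAMPLE_WORDS: Sequence[str] = (
    "anchor", "basil", "cactus", "delta", "ember", "falcon", "garnet", "harbor",
    "iris", "jungle", "kayak", "lantern", "marble", "nebula", "oasis", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cobalt", "drift", "echo", "fossil",
)

EFF_LARGE_WORDLIST_SIZE = 7776  # the EFF large wordlist, the usual diceware choice
PRINTABLE_ASCII = 95            # characters a "complex" random password draws from


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniformly random picks from `choices` options."""
    return count * math.log2(choices)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of this size that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: Sequence[str], count: int = 5, separator: str = " ") -> str:
    """Pick `count` words with secrets.choice (the OS CSPRNG). Words may repeat; that is fine
    for the entropy estimate, which assumes independent picks."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) != len(words):
        raise ValueError("wordlist contains duplicates; the entropy estimate would be wrong")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(f"5 diceware words: {entropy_bits(EFF_LARGE_WORDLIST_SIZE, 5):.1f} bits")
    print(f"10 random printable chars: {entropy_bits(PRINTABLE_ASCII, 10):.1f} bits")
    print(f"words needed for 64 bits from the sample list: {words_needed(len(SAMPLE_WORDS), 64)}")
    print(generate_passphrase(SAMPLE_WORDS, 5))
```

Two things the numbers make obvious: the strength comes from how the words are chosen, not from how many letters they contain, so a quotation or song lyric (drawn from a tiny space of phrases people actually use) gets none of this entropy; and a shorter wordlist must be compensated with more words, thirteen from the sample list for what five give from the EFF list.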
The best way to safely use your mobile service is to use a VPN on your mobile devices. All the time. If you can't use a VPN, at least change the default DNS server.
Posted by: kguske on Sunday, October 10, 2021 @ 08:00:00 CDT
Disable Wi-Fi Auto-Connect to Avoid Evil Twin Wi-Fi Phishing
What Is An Evil Twin Attack?
An Evil Twin attack is a form of phishing in which an attacker sets up a Wi-Fi access point that appears to be a legitimate Wi-Fi network. When users connect to this "evil twin" access point, the data they share with the network passes through equipment controlled by the attacker.
Evil Twin attacks are more common on public Wi-Fi networks, which are unsafe and leave your personal data vulnerable.
Since the evil twin uses the same network name (SSID) as a legitimate network, your device has no reliable way to tell the two apart before connecting, and a careful attacker can copy the hardware address and security settings as well. But you can prevent an evil twin from spoiling your day. US Cybersecurity Magazine recommends:
Do not connect to open WiFi access points without verifying it as legitimate.
Disable the auto-connect feature and promiscuous mode on all wireless devices.
Report, block and / or delete phishing and spam communications.
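Disabling auto-connect is the real defence; the following added Python example (not from the magazine or the original post) covers the "verify it as legitimate" step for the sloppy evil twins that are the common case. It reads a Wi-Fi scan in the terse output format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` (an assumption of this example: nmcli escapes the colons inside the BSSID as `\:` and leaves SECURITY empty for an open network) and raises an alert when a network name is broadcast both open and secured, or from a hardware address you never recorded. The scan text and the allowlist are constructed. A careful attacker can clone the BSSID and security type too, so treat a clean result as "nothing obvious", not as proof.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample scan in the assumed terse nmcli format (SSID:BSSID:SECURITY:SIGNAL).
# The second CoffeeShop row is an open AP with an unknown address: a textbook evil twin.
SAMPLE_SCAN = r"""
CoffeeShop:A4\:11\:22\:33\:44\:55:WPA2:80
CoffeeShop:DE\:AD\:BE\:EF\:00\:01::85
HomeNet:10\:20\:30\:40\:50\:60:WPA2:70
HomeNet:10\:20\:30\:40\:50\:60:WPA2:70
Airport_Free:00\:11\:22\:33\:44\:55::60
"""

# Hypothetical allowlist: the BSSIDs you recorded the first time you connected
# (from the same nmcli command, or from the label on the router).
KNOWN_GOOD: Dict[str, Set[str]] = {
    "CoffeeShop": {"A4:11:22:33:44:55"},
    "HomeNet": {"10:20:30:40:50:60"},
}


def parse_scan(text: str) -> List[dict]:
    """Parse terse nmcli lines, splitting only on unescaped colons and
    de-duplicating repeated (SSID, BSSID) rows (the same AP can be listed twice)."""
    seen: Set[Tuple[str, str]] = set()
    entries: List[dict] = []
    for raw in text.strip().splitlines():
        if not raw.strip():
            continue
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", raw)]
        if len(fields) != 4:
            continue  # unexpected row shape; skip rather than guess
        ssid, bssid, security, signal = fields
        key = (ssid, bssid.upper())
        if key in seen:
            continue
        seen.add(key)
        entries.append({"ssid": ssid, "bssid": bssid.upper(),
                        "security": security, "signal": int(signal or 0)})
    return entries


def find_suspicious(entries: List[dict], known_good: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (ssid, bssid, reason) for every AP that looks like a twin."""
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for entry in entries:
        by_ssid[entry["ssid"]].append(entry)
    alerts: List[Tuple[str, str, str]] = []
    for ssid, aps in by_ssid.items():
        secured = [ap for ap in aps if ap["security"]]
        open_aps = [ap for ap in aps if not ap["security"]]
        if secured and open_aps:
            for ap in open_aps:
                alerts.append((ssid, ap["bssid"], "open AP next to a secured network with the same name"))
        if ssid in known_good:
            for ap in aps:
                if ap["bssid"] not in known_good[ssid]:
                    alerts.append((ssid, ap["bssid"], "BSSID not in the recorded allowlist"))
    return alerts


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspicious(parse_scan(SAMPLE_SCAN), KNOWN_GOOD):
        print(f"WARNING {ssid} ({bssid}): {reason}")
```

Airport_Free produces no alert even though it is open: with nothing secured beside it and no recorded address, the script has nothing to compare against, which is exactly the situation the magazine's first recommendation (verify before connecting) is about.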
First, what is phishing? According to Phishing.org:
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Many Ways to Scam You
But, let's be clear: hackers, phishers, scammers and spammers don't care how you receive the message. And they'll use any method they think will work on you:
phone (aka vishing - voice phishing): Please to call IRS immediately to pay your back taxes or we put warrant for out for you are arrested
email (from: William J Clinton <im.hacker@mail.ru>: I'm the president of a mythical African nation and need help getting gold out of the country - would you like some?
SMS / text (aka smishing): Your Amazon package insured for $5000 is on the way, click http://h@ck.me/AcXyj3 for details
instant messages: (via FB Messenger or Whatsapp, from Sally's real-life friend Krysten, who lives in Peoria and never travels): Hi, Sally. It's your friend Krysten, and I'm stuck in a mythical country. Can you send money via Western Union so I can get home?
Social media (social phishing) - on Facebook, with a picture of a starving puppy: Your gift of $50 can help save puppies from cruel humans! Click to donate: http://weh8u.too
Regular mail: (formal letter that looks like it's from your insurance company) Dear Mr. Gullible, Your policy # 654321 has been cancelled due to non-payment. Please call 800-SCAMYOU to make payment and reinstate.
Spear phishing is an especially nefarious approach that targets a specific individual or group of individuals. According to cybersecurity tool provider CrowdStrike, "One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack." Another group used AI to mimic a CEO's voice.
A Foolish Clicker and His Money Are Soon Parted
Don't fall for it. Just delete it. And, if possible, report and block the sender.
Use a browser with built-in security on all devices to block ads & malware, force https and minimize your browser fingerprint
The ability to securely surf the Internet has improved significantly in recent years. It's easier to block ads and malware using powerful services. Websites offer encrypted access (HTTPS) on a much wider scale than just a few years ago. VPN services are faster, cheaper and more widely available than ever before. Private browsing and tracker blocking capabilities continue to improve. But hackers, surveillance businesses and governments continue to find new ways to harm us. Although great tools to protect us are available as plug-ins, using a browser with built-in security - on all devices - can help.
Cybersecurity Awareness Tip 6: Use multi-factor authentication when available and require it for email, phone, and financial accounts, but beware of security questions.
Authentication happens when you provide evidence to identify yourself. This happens when you board a plane, pay your taxes, open a locked door, withdraw money from a bank, or vote (at least in some states). Evidence can come in several forms, or factors, including:
Something you know, or a knowledge factor (e.g. a password, PIN, birthdate, mother's maiden name, answers to security questions)
Something you have, or a possession factor, (e.g. a passport, driver's license, SSN card, ATM card, key, one-time password generator device, Universal 2nd Factor / U2F device)
Something you are, or a physical inherence factor (e.g. finger/eye/face/voice print, DNA)
Somewhere you are, or a location factor (e.g. in a building / room that requires secure access, in a specific geographical location)
For many years, a single piece of evidence (a single factor) was sufficient for identification. But criminals found ways to provide false identification. As technology advanced and online activity grew, cybercriminals found ways to circumvent the online single factor: passwords. Some debated whether passphrases of 4 or more random words (e.g. "correct horse battery staple") are more secure than passwords because they are harder to guess and easier to remember. Others suggested resisting password reset questions - or answering them with made-up answers stored in your password manager, since the true answers are often public record or easy to guess. Since passwords and other knowledge factors will never go away, use a password manager and unique passwords.
Two Factors are Better Than One
Requiring more than one factor made false identification significantly more difficult because it requires the criminal to have access to all required factors. For example, having an ATM card (first factor) without knowing the PIN (2nd factor) makes the ATM card a worthless piece of plastic.
Can You Take That to the Bank?
Many banks and online accounts use a combination of a password and a temporary PIN delivered by text message, phone call or email. Although this is more secure than a password alone, criminals can intercept the temporary PIN (for example by hijacking your phone number through a SIM swap, or simply by phoning you and asking for the code), which turns it from something you have (the phone that received the text message) into something else you know (the intercepted PIN). Different types of evidence are more secure than multiple pieces of the same type of evidence.
Disconnected Possession
Using a One-Time Password (OTP) app such as Authy on your mobile device enhances security because it requires physical access to your phone, protected by yet another phone password or PIN or by a biometric factor (e.g. fingerprint or facial recognition). The OTP app generates a code from a secret shared with the site at enrollment and the current time, so the app and the site compute the same code independently and nothing has to be sent to your phone.
Hey, Let's Get Mikey to Try U2F!
Since the OTP app is software, it could still be hacked. Hardware-based authentication, such as a Universal 2nd Factor (U2F) security key, enables even more secure authentication by being physically connected (e.g. via USB) or by being in very close proximity (e.g. via NFC / Near Field Communication). A U2F key also signs the website's address into its response, so a response it produces for a lookalike phishing site is useless on the real one; an OTP code, which you can be tricked into typing anywhere, has no such protection. USB and NFC are widely available on smart phones, tablets, laptops, desktops and more.
What's In Your Online Wallet?
So check out the multi-factor authentication options for your email, phone, and financial accounts, and protect your online wallet today.
Posted by: kguske on Tuesday, October 05, 2021 @ 23:27:52 CDT
Cybersecurity Awareness Tip 5: Use a password manager with unique passwords for all accounts
Although additional methods of authentication, including biometric, One-Time Password (OTP) and multifactor, are becoming more common, passwords are and will continue to be critical to securing your online accounts for personal finance (banking, credit cards, cryptocurrencies, investing), social media, shopping and many more. Everyone should know the importance of using complex passwords (or passphrases) that are unique to each account, so that a password guessed or leaked from one site can't be replayed against the others. Since most people have more than a few online accounts, a secure password manager is necessary.
Different Approaches
Password managers take one of these approaches, based on where the passwords are stored and whether or not they can be accessed on multiple devices:
Modern browsers offer the ability to store and use passwords, and most can synchronize them across devices and suggest generated passwords; some also warn when a saved password appears in a known breach, though these checks are less thorough than those of a dedicated manager. Because they are built into the browser, no browser extensions are required. However, for the same reason, browser-specific password managers won't fill passwords into other applications on your devices.
Offline password managers store your passwords on your device rather than online. Some let you back up or synchronize across devices, but you have to set up sync yourself or sync manually, which is easy to forget; and if you lose the device without a backup, or forget the master password, the vault is gone for good. On the other hand, offline password managers work with browsers and other apps.
Cloud-based password managers offer the most functionality, and most have strong security, too. Many offer secure password sharing. Some offer 2 factor or multifactor authentication for added security and convenience. Some offer tools for checking to see if your passwords have been shared on the dark web, if you're using the same password on multiple sites, and if you haven't changed your passwords in a while. Most have browser extensions and can also be used with other applications. The trade-off is that your encrypted vault lives on someone else's servers, so the strength of your master password (and your second factor) is what protects it if that service is ever breached.
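The "has this password been shared on the dark web" check is worth seeing in detail, because the naive version (sending your password to a web service) would be a disaster. Have I Been Pwned's Pwned Passwords range API uses k-anonymity instead: you send only the first five hex characters of the SHA-1 hash, get back every hash suffix in that range with its breach count, and do the matching locally, so neither the password nor its full hash ever leaves your machine. The code below is an added Python example (not from HIBP, LastPass or the original post). The range response is a constructed stand-in so the block runs offline; `fetch_range_online` shows the real request (the `Add-Padding` header asks the API to pad responses so their size doesn't hint at the range) and can be passed in its place.

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str):
    """First 5 hex chars go over the wire; the remaining 35 stay local."""
    return digest_hex[:5], digest_hex[5:]


def count_matches(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 means not found.
    Padding lines carry a count of 0 and never match a real suffix."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches, via a k-anonymity range lookup."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return count_matches(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """The real lookup: only the 5-character prefix is sent."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


# Constructed stand-in for the response to /range/5BAA6 (the real one has several hundred lines
# and a far larger count for "password"); the middle line is the suffix of SHA-1("password").
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
])

if __name__ == "__main__":
    print(pwned_count("password", lambda prefix: CONSTRUCTED_RANGE_5BAA6))
    # For a live check swap in the network function:
    # print(pwned_count("password", fetch_range_online))
```

A password manager's breach check does the same thing for every entry in your vault; if you write your own, make sure it never logs the plaintext or the full hash, since either one is as good as the password.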
SwampGeek Recommends...
SwampGeek recommends (without affiliate or any other compensation):
LastPass (Cloud-based) https://lastpass.com - offers powerful functionality for free, and even more for a small fee.
Posted by: kguske on Tuesday, October 05, 2021 @ 19:24:38 CDT
The bottom line for all of these reasons is that hackers, ISPs and governments can see unencrypted traffic. Banks, retailers and others who collect or provide sensitive personal information use secure HTTP (aka HTTPS) to protect the data you enter or view on those sites, but the fact that you are using those sites is still visible to the network: the addresses you connect to, your DNS lookups and, in most cases, the site name in the TLS handshake, along with information about your location, your device and your browser. And unless you've changed the default DNS server (and you should, even if you use a VPN), you're using an unknown DNS server on public Wi-Fi.
Encrypt your Internet traffic with a Virtual Private Network (VPN)
Encrypt your Internet traffic on all devices with a Virtual Private Network (VPN) - especially on hotel, retail, restaurant and other public networks. And treat every network as a public network.
How VPNs work
VPNs protect you by encrypting your Internet traffic between your device and the VPN server, and by replacing your IP address with the IP address of the VPN server to which you are connected. Encrypting the traffic hides your web activity from anyone on the local network, from your ISP and from anyone else watching that path. Keep in mind what it doesn't do: the VPN provider can now see everything your ISP could see before, so its logging policy and jurisdiction matter as much as its encryption. Changing your IP address limits (but doesn't prevent) hackers, ISPs, governments and advertisers like Google, Facebook and Amazon from tracking your activities, since logins, cookies and browser fingerprints still identify you. But using a VPN adds another hop to your Internet connection, and this can impact performance, especially if the VPN server you're using is overloaded.
Some VPNs offer the ability to route through multiple VPN servers for additional privacy. This capability is called "double-hop" or "multi-hop", depending on how many servers are involved (the most is 4). Note that reviewers found performance with some double-hop services to be similar to single-hop services.
Which VPN? Beware of free and freely recommended...
There are many available VPNs, including both free and paid services, so it can be difficult to choose. Most VPNs use the same level of encryption (AES 256-bit), so the cipher itself rarely sets them apart; what does is the logging policy, whether DNS and IPv6 requests stay inside the tunnel (a "DNS leak" exposes the sites you visit despite the VPN), whether a kill switch blocks traffic if the tunnel drops, and performance. If you're concerned about privacy and performance, paid services are generally better. Some offer unlimited devices, while others limit the number of simultaneous connections. You can easily find VPN comparisons and VPN recommendations, but be aware of sponsored reviews. Many VPN services offer huge discounts during the week of the US holiday Thanksgiving and on Black Friday.
SwampGeek recommends (without affiliate or any other compensation):
ProtonVPN (https://protonvpn.com) - offers a free VPN with decent performance and minimal constraints, but paid plans are expensive (look for deals on ProtonMail and ProtonVPN combinations)
ExpressVPN (https://expressvpn.com) - good combination of price, performance and features
Mullvad VPN (https://mullvad.net) - another good combination of price, performance and features
NordVPN (https://nordvpn.com) - one more good combination of price, performance and features
Perfect Privacy (https://perfect-privacy.com) - expensive, but has excellent privacy options
SurfShark (https://surfshark.com/) - inexpensive without sacrificing performance or features
Posted by: kguske on Monday, October 04, 2021 @ 14:01:50 CDT