This is the first section of key takeaway notes from The Art of Invisibility by Kevin Mitnik, a compelling source of information for a one wanting to understand the risks of not considering privacy online. Not just reserved for the Snowden’s of the world, it is a great read to help understand how your online accounts or identity can be used or stolen.
These are essentially pen-notes for myself, rather than narrative on the topics covered.
During 2014 what is now dubbed “theFappenings” happened, Celebrity photos were stolen and published online. Ultimately over 100 iPhone users accounts breached. This wasn’t a attack at the infrastructure (iCloud), but the determining of credentials, using phone migration tools (used when getting a new phone) and a combination of iBrute and Elcomsoft Phone Password Breaker (EPPB) to download a full backup of data. Accounts had been hacked, rather than the initial thought that iCloud or another part of the Apple ecosystem/infrastructure had an exploited vulnerabiity.
The Art of Invisibility gets into our personal OPSec to help us share what we want to share and keep private what we want to keep private.
Passwords
We are currently reliant on passwords to protect the majority of our online information. The basics of password creation, don’t rely on the smarts (or not) of the software or site that holds the password to protect you from brute force attacks. Additionally be aware that if a site is hacked the hashed passwords can be attacked offline.
Password managers are great, but be aware of keyloggers that make capture your master password! Use a long passphrase when not using a Password Manager created password. Passphrases overcome many of the usability issues of complex passwords. It’s much easier to remember ‘RabbitDogGrassRace1-0’ than ‘E4%ggdfg!@dsf’
Protect Physical Devices
Create users accounts with good passwords, lock you screen (especially in the workplace). Mobile phones are the crown jewels and the easiest to lose or have stolen. Protect with pins (and don’t settle for the default length of 4 numerics), FaceId etc.
Biometrics are good and convenient, but still emerging and not infallible.
Password resets are an often easier target for hackers than trying to crack your actual credentials, social engineering to trick the software vendor or site by having just enough information to (wrongly) convince their Servicedesk that they are speaking to the target is easily done with snippets of your public information.
Security questions often still used “Where were you born?”, “What was your first car?” are both insecure ways of identifying you. A quick search of your Facebook or other social media posts can quickly provide enough information to answer these questions. They also have the troublesome issue of you also sharing more personal information to a website, which they have to store somewhere, which means it can be hacked.
If a website (sadly all too often Banks) insists on this method, then try to use the less obvious questions from the list. Better to choose an obscure option which you have to write into a notebook than one that is easily determined. You can of course answer with made up answers to the security questions (so long as you know the answers you use). For example if you were born in London, you could use ‘Glasgow Hospital’ instead!
2Fa or MfA
2Fa uses a two step method to authenticate you. Something you know and something you have. A password would be something you know (and may be compromised). A text message to your cell phone would leverage the ‘something you have’. There is a great side-affect of this approach, if someone else is trying to access your account, you are going to be alerted via the 2fa texts or prompts!
When setting up 2Fa the text to phone (SMS) option is potentially the least secure option as your cellular service can be hijacked allowing an attacker access to the 2Fa information. SMS is also an unencrypted system. The message is in cleartext. Authenticator apps are much more secure than the SMS option.
Email is more likened to a Postcard than a letter. If you’re not familiar with a PostCard, imagine writing the content of your letter on the back of the envelope rather than on a piece of paper that sits inside it! Email passes through many hands (servers) to get delivered, and can be read or copied by a person (or software) anywhere along the way.
Many free email providers use advertising as their income source and are increasingly using algorithms to read and assess the incoming and outgoing email to target Ads at you. There are also historical examples of services scanning email for their own purpose, such as Microsoft scanning the Hotmail emails of someone they suspected of having pirated versions of their software.
This second issue may be resolved by using a paid for email service, the first issue is a little more challenging.
It should go without saying, don’t use work email for personal stuff. Work email is largely ‘owned’ by the Company you work for. At best they will have a policy for managers to access your mailbox, at worst they can access your mailbox or archives whenever they want.
Email Encyption
Most email encryption uses asymmetric encryption. I create two keys mathematically linked; a public key that I share and a private key I keep secret.
Bob wants to send Alice a private email
- Bob obtains Alice’s public key
- Bob encrypts his email using Alice’s public key
- Alice receives the email and decrypts it using her private key
This allows bob to send Alice an encrypted (private) email, but doesn’t allow Alice to know it actually came from Bob. Sometimes the metadata (the information needed to make email delivery possible) and timing of emails is enough to know emails were sent between two people.
Exchanging keys in a way that both parties know they are interacting with whom they trust often relies on a third party.
Email metadata includes:
- Subject line
- To
- From
- IP addresses of servers used to deliver the email
- Timestamp of email being sent
For private email, much more is needed than just encryption!