This week we learned:
1. The Equifax breach was indeed the result of an unmitigated known security vulnerability in the Apache Struts 2 web application service discovered in March 2017 Apache Struts CVE-2017-5638.
2. Security researchers exposed an additional database in Argentina protected with the credentials of admin/admin. Equifax claims that this database had not been used since 2013 which leads one to question what other databases were left exposed to the internet with easily guessable passwords.
3. Two executives have “retired” and the CEO will be facing a congressional inquiry on October 3rd.
In last week’s article we focused on tackling the immediate steps to take charge of your own credit. If you haven’t had a chance to freeze and review your credit and change your logins and passwords please consider doing so. Keep track of all of your receipts and expenses related to the breach, as there will be opportunities to participate in a variety of lawsuits, especially if your identity was stolen as a result of Equifax’s negligence. There’s also the opportunity to take a short position through put options or a straight short sale, if that interests you. The stock has moved 50 points down in the last 2 weeks and some speculate that it still has further to go.
This week the focus will expand to include ways to protect your overall identity and take back control over what information companies have about you. Recent legislation allows ISP’s (Internet Service provider) to get into the data mining business and collect information about your browsing history, geo location, and online activity.
Three things you can do to protect your browsing.
1. Use a VPN (virtual private network) service that doesn’t log your data. For a few dollars a month you can set up a VPN service, creating a virtual encrypted network tunnel between your computer and the VPN service provider. Since all Internet traffic will be coming from the network you connect to at the end of the tunnel, your ISP will be blind to your surfing activities. VPNs are a must have for people who connect to public wifi connections in coffee shops, libraries, etc.
2. Use a tor browser: Tor obfuscates your traffic by sending it through a free relay network which helps to conceal location and browsing information from anyone conducting network surveillance, including your ISP. https://www.torproject.org/
3. Make sure the sites you browse leverage HTTPS instead of HTTP. HTTPS traffic is encrypted, and while your ISP can see the site that you visit (unless using a VPN or tor browser) it won’t be able to see and record as much of what you are doing on the site.
4. Use a web browser that has built in tracking prevention and/or install 3rd party extensions such as Ghostery, Ad Block, uBlock Origin or Privacy Badger. Reminder: Some sites rely on ad revenue to survive. Consider white listing the sites you frequent, and those sites that promise an ad-light experience.
Write up on new Safari tracking prevention:
Secure Email – Setup time 10 minutes. Cost: free or a small monthly fee.
All of the free email providers (Yahoo! (Verizon), Gmail, Hotmail (Microsoft)) and many of the paid providers (Comcast, other ISPs, etc.) scrub your email for content and sell metadata about you. All of the major social media providers (Facebook, Twitter, Instagram, Snapchat) also collect and store information about you, not only is this information available for sale in metadata form, it’s also available to the federal government.
The PRISIM program allows for the collection of Internet communications from at least nine Internet companies. The data collected includes E-mail, Chat (video & voice), Videos, Photos, Stored data, VoIP, File Transfers, Video Conferencing, login data, Social networking details (Geo locations, etc).
If you wish to exclude yourself and your data from this type of collection then a place to start is by making sure your personal email is encrypted in transit and at rest by using a secure email provider.
Proton mail is a provider that offers encrypted email with data stored on servers in Switzerland, a country known for its privacy laws. Proton mail is unable to provide access to your data to any country or entity because 1. Swiss laws do not allow it. 2. Proton mail does not have cryptographic access to your data.
It seems you can’t sign up for a service without the service requesting an email address. Think twice before giving away access to your personal email address. There is really no reason why your ISP, grocery store, streaming video provider, car dealer, etc. needs your private email address to conduct business.
Most ISP’s provide an email address as part of their service offering. While this account is good for junkmail, it’s never a good idea to use an ISP’s email account as your primary account as you will loose this account if you change providers.
A way to keep spam and ransomware out of your inbox is to use a junkemail address. There are quite a few anonymous and/or disposable email address providers. Here’s a recent review in PC Mag:
Backups: Setup time 10 minutes. Cost: free to a few dollars/month
Backups are critical to protecting your data. There is an adage that stipulates in order to be sure your data is protected, three copies are needed. One on your computer, one in an offline backup, and one offsite. Backblaze has a good write up the differences between Cloud Sync, Cloud Storage, and Cloud Backup.
The primary players in the Cloud backup space are CrashPlan (though they are getting out of the consumer business), Carbonite, Backblaze, and Mozy. As of this writing CrashPlan, Backblaze, and Carbonite offer unlimited options – though there are caveats in the fine print.
Most of these solutions offer data encryption. With a little bit of research, you can find one that has the features/benefits and price that works for you.
This concludes the two part post on ways to protect your privacy and identity while online. Next week I’ll resume providing information on the top five security incidents of the previous week. Feedback is always appreciated!