How to Avoid Common Security Pitfalls
LAS VEGAS — "Don’t f*** it up!" That was the advice security expert Dr. Andrew "Zoz" Brooks had for attendees of the annual DEF CON hacker conference here this past weekend.
"A computer is just a tool to help you [mess] things up a billion times faster than you could do by yourself," Brooks explained.
Speaking to a packed crowd at the Penn and Teller theater in the Rio All-Suite Hotel & Casino, Brooks, who prefers to be called by his online moniker Zoz, ran through the most common mistakes people make while trying to be private or secure on the Internet.
His talk ran the gamut, from email to virtual private networks (VPNs) to burner phones to the Tor privacy network.
How to use a virtual private network properly
Zoz started with VPNs, networking protocols that put all inbound and outbound Internet traffic from a computer through an encrypted tunnel, adding another layer of security and privacy to the information. VPNs are an essential part of any privacy-minded person's arsenal, but they are not a panacea.
VPNs don’t provide end-to-end encryption, for example, so a snoop could target those brief points in a connection where the data is unencrypted. VPNs also can't stop traffic-correlation attacks, where snoops look at endpoint data and try to put together a picture of who was doing what and when.
Zoz reminded his audience that if they're paying for VPN service, they leave a financial trail that could be used to deanonymize their traffic. If VPN provider keeps logs of its users' traffic and encryption keys, a law enforcement agency could force that company to disclose that information.
"Just because [companies] don't log [your activity] now doesn't mean they won't in the future if you become interesting," said Zoz.
If you're using a VPN while traveling, it may sometimes take the VPN time to connect with its secure servers. Your data may be vulnerable during these gaps, particularly if you've left browser tabs open, because these Web pages might be refreshing and trying to reconnect as well.
Ironically, a VPN may call more attention to its user, as a government agency monitoring Web traffic may notice the added encryption.
"I use a VPN when I travel, so I'm definitely on some sort of list," Zoz said, adding that despite the risk of increased attention, VPNs do keep data more secure.
Finally, Zoz suggested using more than one VPN.
"One thing you can do if you're truly paranoid is hop VPNs every few minutes," he said. "Now you're generating really interesting traffic for the NSA!"
How to use Tor properly
The most common mistake when using the Tor Web-privacy service is assuming that it encrypts traffic by default, Zoz said. It doesn't.
Internet traffic is transmitted in chunks called packets, and each packet contains the contents of the traffic (comparable to the contents of a letter) as well as addressing information for that content (comparable to the address written on the envelope holding that letter).
Tor encrypts the addressing information, not the contents. In other words, it makes your data anonymous, not private.
"[Tor is how] dissidents get out of oppressive regimes, researchers look up suspicious information without themselves being targeted. It's how ordinary people can communicate without being tracked and monitored. And it's how all of you can do a search after DEF CON for 'catastrophic liver damage' without raising your insurance premiums," Zoz said to laughter from the audience.
"So it [ticks] me off when people say Tor is only for illegal acts. Don't [mess] up Tor by only using it when you're doing sketchy [stuff]," he said.
"Pump a whole bunch of your normal traffic through it. Even if you're completely squeaky clean, still use Tor, because that helps out everyone else," Zoz said. "Don't provide the correlation of Tor usage with doing bad things."
If anyone in the audience was comfortable sharing his or her reasons for using Tor, Zoz encouraged tweeting about it with the hashtag #TorforGood.
Zoz advised Tor users to make sure all Internet traffic, including Domain Name System (DNS) traffic, was going through Tor's network. To check, go to ip-check.info. You might even use a firewall, or a separate computer that only uses the Tor service.
Despite recent security issues, or speculation that Tor might be a government "honey pot" designed to lure dissidents and criminals, Zoz says he still trusts and uses Tor.
Like VPNs, using Tor may draw more attention to your network traffic, because an observer will be able to tell that your traffic is Tor-based.
"Tor is designed to make Tor users look alike, not like non-Tor users," he said, adding that Tor will also conversely keep your actual information more private and anonymous.
How to use 'burner' phones
Mobile phones can leak call metadata, contact lists, recent Wi-Fi networks, browser cookies, IMEIs, UDIDs, search contents. And what phones don't leak, carriers or manufacturers might simply hand over to a law-enforcement agency that requests it. Older mobile devices often have weak cryptography.
"What can that little Benedict Arnold in your pocket do to give you away?" Zoz joked.
Some phones auto-connect to Wi-Fi networks they recognize — or think that they recognize. Phones also have limited memory, so they constantly reload tabs when you move to a different network, re-exposing your data. That's not to mention any data that apps may collect, leak or sell.
"It all adds up to a unique identifier for you, and a pattern for your life," Zoz warned. "If you're carrying a personal tracking device, a.k.a. a cellphone, you've probably already f***ed it up."
Given the sheer volume of data that phones leak, Zoz's list of things to remember when using a "burner" phone, or prepaid and difficult-to-track mobile phone, is nearly as long.
First, buy a feature phone, not a smartphone. Buy the burner phone far in advance of when you want to use it, and in a different geographic location from where you want to use it. Provide false information if you have to register the phone. Remove the battery when you're not using it.
Fill its address book with fake contacts. Switch phones when you switch locations, and leave the phone at the previous location when you leave it. Intentionally call unrelated cell numbers to camouflage recognizable patterns in your call data. Finally, destroy the phone when you're finished.
If you can be placed at a certain location, don't turn the burner on there. Use your regular phone someplace else than where you using the burner. If you call a non-burner number from a burner number, call it with multiple burner numbers. Don't tie your burner to any online information, such as Gmail accounts.
"If you can't go to this much trouble to not [mess] it up, evaluate whether the risks you're taking are worth it," Zoz said.
Email and instant messaging
Everything sent via email is being saved somewhere, Zoz reminded the audience.
Even if you don't use Gmail, Google has the messages you sent to someone who does. If you encrypt your email, the NSA has probably collected it, since its rules let it collect any and all encrypted messages, whether from U.S. residents or not.
"Commercial webmail is basically all f***ed," said Zoz. "I advise people to run their own mail server. At least when the feds are interested, you'll know about it."
As for instant messaging, Skype appears to be completely compromised, Zoz said. So what can you use instead? He recommended Cryptocat and Bitmessage, but said the security community needs to do more auditing of encryption and privacy software in order to test how secure they really are.
Zoz concluded with one last piece of advice for the hacker community: "Lose the ego."
"'Cred' is your enemy," he said. "Don't talk about the [stuff] that you're doing."
- Best Antivirus Software 2014
- Pwnie Awards Celebrate Security Wins and Epic Fails
- 9 Tips to Stay Safe on Public Wi-Fi
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.