Indivisible members, this resource is being shared anonymously for our mutual information and protection. It is written by one of our members who invites us to share freely with other groups and individuals as needed.
In what follows, I differentiate between “casual” attacks and “directed” attacks. A casual attack is when you and a million other people receive malware via email, or are swept into a data theft from someone’s mailing list. A directed attack is when someone is attempting to gain access to your information, personally, either because of who you are or because of an organization you’re affiliated with.
There is some overlap, and so some of the same precautions apply to both.
Three Basic Steps
First, there are three basic steps that every internet user should take, regardless of who you are or how you use the internet. These will protect you from the majority of “casual” attacks, and from many of the common “directed” attacks as well.
- Use strong, unique passwords.
If they’re strong enough, they’ll be hard to remember. There are several good password managers out there. (LastPass and 1Password are two of the largest.) Information about what a strong password is can be found here: https://ssd.eff.org/en/module/creating-strong-passwords
- Use two-factor authentication for every site that supports it.
If it’s a critical service, like email, that will see a lot of your data, consider switching to a provider that supports two-factor authentication. (Gmail does.) More information here: https://www.theverge.com/2017/6/17/15772142/how-to-set-up-two-factor-authentication
- Learn how to recognize common identity attacks, such as phishing.
If in doubt about a particular email, contact the source via another method. (Call your bank instead of filling out the “account reset” form in your email, for instance.) More information here: https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/
And then there are directed attacks.
As I said, the above precautions are still the first line of defense. John Podesta’s emails were hacked because (1) neither he nor the DNC technical support team recognized a phishing attack, and (2) he didn’t have two-factor authentication, so getting his password gave away all the goodies.
But, if you are or suspect you might be personally targeted, particularly by a government, there are many more levels of security you can consider. Lawyers, journalists, and others who might handle sensitive information about other people should be especially cautious, as should anyone considering civil disobedience of any kind. Remember that sharing information creates two vulnerabilities: the person receiving the information may provide a link back to you, and the person receiving the information may be personally targeted because they have it. Be mindful about what you share, with whom, and by what mechanism.
The best resource I’ve found is the Committee to Protect Journalists’ security guide, particularly the section on Technology Security: https://cpj.org/reports/2012/04/technology-security.php
It was written for journalists working under repressive regimes, and simply reading the discussions of possible attacks will have you looking over your shoulder. A little paranoia is healthy: there are certain sites where I would never consider using an email address that could be traced back to me, and that I would never visit without an anonymizing browser.
But for most of us, operating at that level of security requires lifestyle changes that we’re not willing to make, and isn’t really necessary anyway.
The Electronic Frontier Foundation has a good discussion of threat modeling and discusses some specific situations where you might want to be especially cautious: https://ssd.eff.org/
Both the Committee to Protect Journalists and the Electronic Frontier Foundation are highly respected organizations doing important work. If you find their tools useful, you might consider kicking some funds in their direction.