Human Security

These security help pages include a lot of fancy talk about encryption. Ultimately, however, all this whizbang crypto-alchemy will be totally useless if your behavior is insecure. A few simple practices will go a long way toward increasing your security.

Save the world with better passwords

Because passwords are almost always the weakest link in any security system where they are used, the first step to better security is better password practice.

Things to avoid:

  • Don’t pick a dictionary word or a proper noun! Passwords are often easy to crack because most people pick a password that is a variation on a word in the dictionary. There are simply not that many words in human languages: it is trivial for a computer to try them all! This includes words where you have replaced some letters with numbers. For example, “L0V3” is just as easy to crack as “LOVE”.
  • Don’t use the same password for all your accounts. Also, it can be better to write down your passwords in a secure place rather than use the same one everywhere.
  • Don’t forget to change your password. You should change your password at least once a year.
  • Never tell anyone your password, especially if they ask for it.

How do you create a password that is strong and yet easy to remember? This can be really tough. There are three generally approved methods:

1. Use a password storage locker

Don’t try to remember passwords. Instead, generate random passwords for all the different services and websites you use, and store them in a secure password locker.

2. Passwords

  1. Start with multiple words you can easily remember.
  2. Convert these words to non-words (for example, by taking the first letter of each word).
  3. Add a few random uppercase letters, numbers, or symbols, and you are done.

For example:

You could turn “The Revolution Will Not Be Televised” into “trwNbt” and then add a few random characters for “trwNbt!42”.

3. Passphrases

  1. Pick a few random words you can easily remember. Mixing in words from different languages and non-dictionary words is a good idea.
  2. String these together into a long passphrase. This will be longer, but easier to type.
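An added example in Python (not part of this help page) that puts numbers behind the three methods: a check in the style of a password-policy filter that undoes the “L0V3” trick and catches dictionary words with a trailing run of digits, a generator for the random passwords a locker would hold, a random-word passphrase generator, and a comparison of how much guessing work each style forces on an attacker. The word list is a constructed stand-in for a real dictionary or Diceware list; the dictionary-size and leet-variant figures in `compare_strengths` are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a real dictionary or Diceware list (assumption:
# a real list has thousands of words; the entropy figures below assume that).
WORDS = ["love", "revolution", "televised", "password", "sunshine",
         "cactus", "kettle", "orbit", "velvet", "ember"]

# Digit/symbol substitutions that password-cracking rule sets routinely undo.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def normalize_leet(password: str) -> str:
    """Undo simple substitutions and lowercase, so 'L0V3' becomes 'love'."""
    return password.translate(LEET_MAP).lower()


def is_dictionary_based(password: str, words=WORDS) -> bool:
    """True if the password is a listed word, possibly disguised with letter
    substitutions and/or a trailing run of digits and symbols ('password123')."""
    stripped = password.rstrip(string.digits + string.punctuation)
    forms = {password.lower(), stripped.lower(),
             normalize_leet(password), normalize_leet(stripped)}
    return any(form in words for form in forms)


def entropy_bits(pool_size: int, length: int) -> float:
    """Guessing entropy of `length` symbols, each drawn uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Method 1: a locker-style password, uniformly random and never memorised."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Method 3: string together randomly chosen words (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_strengths(dictionary_size: int = 100_000, leet_variants: int = 16) -> dict:
    """Bits of work an attacker faces against each password style (assumed sizes)."""
    return {
        "dictionary word + leet": entropy_bits(dictionary_size * leet_variants, 1),
        "5 words from 7776-word Diceware list": entropy_bits(7776, 5),
        "20 random printable characters": entropy_bits(len(PRINTABLE), 20),
    }


if __name__ == "__main__":
    for pw in ("LOVE", "L0V3", "password123", "trwNbt!42"):
        print(f"{pw:12} dictionary-based: {is_dictionary_based(pw)}")
    for style, bits in compare_strengths().items():
        print(f"{bits:6.1f} bits  {style}")
    print("random password :", random_password())
    print("passphrase      :", make_passphrase())
```

The point the numbers make: a dictionary word with digit substitutions is worth only about 20 bits even against a six-figure dictionary, because the cracker applies the same substitution rules you did; five random words from a real Diceware list are about 65 bits and still typeable, and a 20-character locker password is about 131 bits.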

For example:

Common internet scams

Keep your software up to date

To be written.

Be cautious on shared computers

Log out: make sure that you always log out when using web-mail. This is very important, and very easy to do. It is particularly important when using a public computer. Don’t leave your computer unlocked and unattended.

Avoid public computers: this can be difficult. If you do use a public computer, consider changing your password often or using the virtual keyboard link (if you use for your web-mail).

If you share a computer with friends, create multiple logins that keep user settings separate. Enable this feature, and log out or “lock” the computer when not in use.

Avoid personal information leaking

Personal information leaking caused by social engineering is a very broad topic, since the same techniques are used for good and for not so good reasons. We will not try to explain what social engineering is, or list the reasons someone would use it; instead, we give some basic tips for recognising and avoiding such an approach when needed. After all, it is about building your own human firewall against “things” that seek your information for any nefarious purpose.

The tips are:

  • Learn to identify a social engineering approach. Learn through real cases, reports, documentaries, etc. about the different methods social engineers use today, including those applied in identity theft. There are a lot of books and articles out there.
  • Create an awareness program for personal safety. Create and attend events (like CryptoParty, or any underground neighborhood meetup), activities or a culture (like what we do here) that will engage people, causing a deep interaction with the theme and creating awareness about preventive measures.
  • Be aware of the value of the information social engineers seek. How important to you is your name, your phone number, your e-mail password or simply your favorite color? Develop an inquisitive habit about providing information: question the requester to determine exactly who needs the information, exactly what information, and for what purpose; ask where the requester comes from and where he or she wants to send the information.
  • Develop scripts that bypass the social engineer’s steps. Practice direct answers that probe the requester’s own information, something that encourages the requester to reveal more of his or her identity and purpose. Always ask why the requester wants the information. Remember that you don’t need to correct anyone who doesn’t need to have accurate information; don’t be afraid to say “no” or to ask for time to think about the subject if it seems important. Eliminate your own doubts as much as possible. For example, if someone asks to enter a restricted office, check the requester’s credentials before even stating whether such an office exists or providing any other information, even corrections about where to go.
  • Don’t consume information you didn’t request. Be aware of people using disasters to make an emotional appeal.

See also the book “Social Engineering: The Art of Human Hacking” by Christopher Hadnagy which is available online.

Feel the love of free and open source software

Why should you use GNU/Linux over Windows or Mac OS? There are a number of reasons. One of the biggest is that the large quantities of viruses, trojans, back-door programs, security bugs, targeted government hacking, and other exploits over the years make them very difficult to trust, especially because you are not given the opportunity to look under the hood to see whether what is going on is ok. The software is proprietary and closed source, which means you are trusting your private information to a corporation whose sole focus is profit, not the security of your personal information, and whose methods you are unable to audit for yourself.

OS X suffers from issues similar to those of Windows. While it is based on Unix (of which Linux is a “clone”), a large portion of the operating system is not open source and thus not available for third-party review. Its increasing popularity has resulted in increasing numbers of viruses and exploits (though still far fewer than Windows), and its corporate culture of authoritarianism is reflected in the structure of the operating system. OS X also includes the built-in “feature” to remotely activate the webcam which, as a feature regardless of the OS it’s on, has been shown to be used for other purposes.

GNU/Linux, however, is composed primarily (and can be made exclusively) of software whose source can be obtained and audited by essentially anyone; it has been built by a community of people for years. Its history contains few viruses and user-level exploits. Linux is also an easy-to-use operating system that supports a wealth of older hardware, which makes this level of security accessible to the average individual.