A REPORT FROM SOVEREIGNMAN.COM

SECURE YOUR DIGITAL LIFE

2017 EDITION

A BLACK PAPER

PROTECT YOURSELF FROM UNAUTHORIZED ACCESS TO YOUR DIGITAL ASSETS


Secure Your Digital Life © January 2017 SovereignMan.com


CONTENTS

Introduction ..... 4
1.0 Passwords ..... 6
1.1 How Hackers Get Your Password ..... 6
1.2 What Secure Passwords Look Like ..... 9
1.3 Techniques for Creating Strong, Yet Memorable Passwords ..... 10
1.4 Use a Password Manager ..... 13
1.5 Password Summary ..... 15
2.0 Phishing Prevention ..... 17
2.1 What is Phishing? ..... 17
2.2 How to Detect & Prevent Phishing ..... 17
3.0 Two-Factor Authentication ..... 19
4.0 Backups ..... 21
4.1 Local Backups ..... 22
4.1.1 Macs ..... 22
4.1.2 Windows ..... 23
4.2 Cloud Backups ..... 23
5.0 Data Encryption ..... 25
5.1 Computer Full Disk Encryption ..... 26
5.1.1 Full Disk Encryption on Macs ..... 27
5.1.2 Full Disk Encryption on Windows PCs ..... 28
5.2 External HDD Encryption ..... 28
5.2.1 Software Solutions ..... 28
5.2.2 Hardware Solutions ..... 29
5.3 Encrypted Cloud Storage ..... 30
5.3.1 Consideration With US Based Providers ..... 30
5.3.2 Do You Need Encrypted Cloud Storage? ..... 31
5.3.3 Encrypted Cloud Storage ..... 31
Tresorit ..... 31
Other Options - Ones we do NOT recommend ..... 32
5.3.4 Unencrypted Cloud Storage ..... 32
Cryptomator - Encrypt files in your normal cloud storage ..... 32
6.0 Internet Encryption ..... 32
6.1 Why Additional Internet Encryption is Important ..... 33
6.2 Use HTTPS whenever possible ..... 35
6.3 How to Encrypt ALL Internet Traffic With a VPN ..... 36
6.3.1 How to Pick a VPN Provider ..... 37
6.3.2 Recommended Service ..... 39
VyprVPN ..... 39
6.4 Using TOR & Accessing the Darknet ..... 40
6.4.1 The Darknet ..... 40
6.4.2 Should you use Tor? ..... 41
7.0 Securing your Communication ..... 42
7.1 Email ..... 42
7.1.1 Email Encryption ..... 43
7.1.2 How to increase your email privacy ..... 44
7.1.3 Recommended Email Provider ..... 47
7.2 Instant Messaging & Calls ..... 48
7.2.1 Signal ..... 48
7.2.2 Whatsapp ..... 52
8.0 Secure Your Social Media Habits ..... 55
9.0 Securing Your Smartphone ..... 56
9.1 The Passcode ..... 57
9.2 Smartphone Encryption ..... 58
9.2.1 iPhone and iPad Encryption ..... 58
Enabling Encryption & Passcode ..... 59
Making sure all user data is encrypted ..... 59
9.2.2 Android Encryption ..... 60
9.2.2.1 Limitations of Android Encryption ..... 60
Off-Box attacks are possible ..... 60
Only the internal memory is encrypted on some devices ..... 61
Performance impact ..... 62
9.2.2.2 Enabling Android Encryption ..... 62
9.2.2.3 Use the Most Recent Android Version ..... 62
9.2.3 When Is My Data Encrypted and Decrypted? ..... 63
9.3 Picking a Secure Passcode ..... 65
9.4 Fingerprint Sensors ..... 66
9.5 Additional Settings You Should Check ..... 69
9.5.1 Apple iOS ..... 69
9.5.2 Android Devices ..... 72
10.0 Choice of Devices and Systems ..... 74
10.1 Windows vs Macs ..... 74
10.2 Android vs iOS ..... 75
Conclusion ..... 76


INTRODUCTION

Every day, you make yourself vulnerable.

Your phone knows every detail of your communications, your comings and goings, and your restaurant habits. Your wrist monitor knows your heart rate and other vitals. Amazon knows what you like to read and what brands of paper towels you buy on a regular basis. Netflix knows your taste in films, and Google knows your political leanings and whether or not your kid might have the croup.

We live in a world where more than 50 billion ‘things’ are connected, where our refrigerators take photos of their contents and ping them to our phones, where our health records live in the digisphere, and where most of our banking, communicating, planning, driving and working prowess depends on the functionality of these electronics and their services.

The rewards can be great. But with all of this good, great real-time data shuffling and Big Data collection and analysis comes a price: The more we rely on technology, the more information we reveal about ourselves… rendering us vulnerable to attack.

Vulnerability makes us less free. That’s why the best balance between convenience and security, in our view, always favors the protection of the user.

In this comprehensive report we’ll help you craft that balance. We’ll share the latest developments in data security and data hacking, as well as the biggest risks that users of Macs, iPhones, Windows and Android devices must guard against.

And, of course, we’ll recommend the best techniques, programs and apps we know of -- strategies we ourselves use here at Sovereign Man -- that will help you avoid becoming a target of mass surveillance, a hacker, or even a disgruntled ex-spouse.

Technology changes at a blistering pace; some of these tools we’ve recommended in the past either no longer exist or have been usurped by better ones. That’s why we’re committed to updating this vital report as often as necessary. (Make sure to study the sections on building strong passwords and on creating back-ups. Those are key.)

By following our simple steps, you can make yourself much less attractive to criminals. You can mitigate the loss of a misplaced or stolen device, and you can make it more challenging for government agencies to invade your privacy without due process.

We can’t promise total invulnerability, of course. If your attacker has the necessary resources, he will find a way to access your data. And if you are the target of government agencies such as the NSA or CIA, the advice we’ll share will indeed make their job harder, but not impossible.

Our aim instead is to thwart hackers who end up with your data as part of a breach of a company or service you trust; it’s also to teach you Internet street-smarts that will keep you from becoming a target for criminals.

Think of how you protect your car. An alarm system, anti-theft steering wheel locks and GPS tracking may not stop the most determined thief out there, but the combination may indeed deter someone seeking an easy target.

The same idea applies to protecting your digital self.

We certainly hope you will find the information contained in this Black Paper valuable. If you have any suggestions or comments, please reach out to [email protected].


1.0 PASSWORDS

Your digital security starts and ends with passwords.

Period.

It doesn’t matter how careful you are – that you encrypt all your data, or only use the most privacy-conscious anti-NSA web services – if your passwords are weak, none of this will help you one bit.

Many people think their passwords are great. After all, when they picked it, the website showed a long green bar and said “Password Strength: Strong” and made them jump through many hoops like adding numbers, lowercase, uppercase and special characters. But as you will see, this song-and-dance ritual doesn’t necessarily mean your password is actually safe.

Even if you do know how to pick a truly secure password, chances are you don’t actually use one, because it’s impossible for you to remember it.

No longer. By the end of this section, you will know exactly how to create truly secure, random passwords that are unique to every service you use… and you’ll know how to remember them.

1.1 How Hackers Get Your Password

In order to create a secure password, you need to first understand who and what you are up against, how they operate and what their limitations are. Once you understand these things, it’s easy to reduce your risk and minimize the impact a hacker can have on you... even if he manages to get his hands on one of your passwords.

Hackers can obtain passwords in myriad ways, such as:

• They trick you into entering a password on a fake website that looks like a trusted one (such as your bank’s site). This is called phishing.

• They infect computers with malware that records everything typed into the keyboard.

• They hack into websites and nab passwords off of member databases.

• They even use automated programs that try out various combinations of usernames and passwords hundreds or thousands of times per second. This is brute-force cracking.

Unless you are being targeted directly, one of the most common scenarios is that your password is stolen from the database of a hacked website.

Here are some of the largest password leaks that we know about:

• In 2008, MySpace was hacked; eight years later, after messing with people’s data, hackers put up for sale data for over 350 million accounts;

• In 2012, LinkedIn was hacked; a hacker stole 6.5 million encrypted passwords, but that was just the beginning. In 2016, criminals put up for sale the usernames/passwords for 160 million accounts;

• In 2013, Adobe was hacked and over 150 million accounts were leaked; and,

• In 2012, around 68 million Dropbox accounts were hacked (data released in 2016).

As you can see, it can take years for the hacked passwords to be proffered around for sale. In the meantime, the original hackers start using them right away. And don’t scoff at the MySpace example; you might not use it anymore, but criminals bet that the kinds of passwords you used back then still apply. (And they’re often right.)

Some companies are more responsible than others and notify their users and customers as soon as they notice a hack, that is, if they notice it at all. Others, however, don’t want to attract bad publicity and may choose not to announce a breach.

In other words, you might not have any idea about the breach of your data.

The cases noted above are the largest, publicly known ones. Think about the number of smaller websites that get hacked. You likely won’t hear about those incidents.

You can visit https://haveibeenpwned.com/ and enter your email address to see if there have been any known account hacks that involve you. Make sure to try older email addresses as well, as some leaks just coming to the surface date from 5-10 years ago.

Once a hacker acquires a password for an account, he will try to log in to web services such as Facebook, iCloud or email to steal more private data. If he gains access to your email, he can then break into your other accounts by resetting passwords and intercepting confirmation emails that other sites send.

Often, however, you may not even be the real target of an attack; instead, hackers might use you to access the prize: They’ll gain access to your email account and send specialised malware to a target who knows and trusts you. People know not to open links from strangers, but doesn’t everyone open links from friends and family?

This is why, by practicing weak password hygiene, you are not just endangering yourself. You are also endangering your family, friends, employer, business partner, and your own business.

Example of password cracking

A good website doesn’t store your password in plain text. Instead they use a one-way hashing algorithm to convert a password like “ImSoSecure” into a hash like “15eb12a1dfbc4723b50f2bb1b7e6f835” and store it in a database.

“One-way hashing algorithm” means that it’s very easy to generate this hash, but almost impossible to revert it back into the original, plain-text password.

When you sign in to your account, the website converts the entered plain-text password into the hash and then compares it to the hash stored in the database. If they match, you are granted access.

Once hackers steal user information from a database, the hashed passwords are useless to them unless they can convert them back to the original plain-text password.

One way to do that is to run a brute-force cracking program that converts thousands of potential passwords into their hashed versions and checks if any of those hashes are in the stolen database. If they find a match, they know the plain-text version of the password and can use it to log into your account or try it on other websites.

These programs use lists containing millions of possible word combinations, ranging from “1234,” or “god” or “love” to complex words with upper and lower case letters, numbers, and special characters. Sound familiar? Over time, a hacker’s word list becomes more efficient, quickly identifying password length, case, or other parameters that dramatically reduce the number of words they need to try.

If your password is a word or a combination of words that can be found in a dictionary like “FreeDog”, your password will be cracked within minutes... or even seconds. No exaggeration.

If your password is a slightly modified version like “Ch1cken!C0w”, which most websites will accept as sufficiently secure, it can still quickly be cracked.

Creating a random password forces hackers to randomly generate combinations of characters to guess your password. If your password is long and complicated enough, this process could take years or decades instead of minutes or hours.

This is not only true for website passwords but also for when you want to encrypt data.
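The hashing and wordlist process described above, as an added example that is not part of the report: a site stores a one-way hash, checks a login by re-hashing, and a wordlist attack on a copy of that database hashes each guess once and looks it up. The three sample users, their passwords and the tiny wordlist are constructed for this example (nothing comes from a real breach), and the second half shows the defence the text implies but does not spell out: a per-user salt plus a deliberately slow hash (PBKDF2 here), so that one guess no longer tests every account at once and each guess costs far more.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- How a site stores and checks a password (unsalted fast hash, as in the text) ---

def fast_hash(password: str) -> str:
    """One-way hash of a password: easy to compute, infeasible to invert."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_fast(password: str, stored_hash: str) -> bool:
    """Login check: hash what the user typed and compare with the stored hash."""
    return hmac.compare_digest(fast_hash(password), stored_hash)


# Constructed sample "member database": hashes produced by fast_hash() above.
SAMPLE_USERS = {
    "alice": "FreeDog",          # two dictionary words
    "bob": "Ch1cken!C0w",        # dictionary words with leetspeak and a symbol
    "carol": "Mm10hwttp0tms!",   # one of the report's "good password" examples
}
STOLEN_DB = {user: fast_hash(pw) for user, pw in SAMPLE_USERS.items()}

# A tiny wordlist standing in for the multi-million-entry lists the text describes.
WORDLIST_BASE = ["1234", "god", "love", "free", "dog", "chicken", "cow"]
LEET = str.maketrans({"i": "1", "o": "0"})  # a typical substitution rule


def candidates(base_words):
    """Yield guesses the way a wordlist attack does: single words, then pairs of
    capitalized words joined by a separator, each also in a leetspeak variant."""
    words = [w.capitalize() for w in base_words]
    for w in words:
        yield w.lower()
        yield w
        yield w.translate(LEET)
    for a in words:
        for b in words:
            for sep in ("", "!", "_"):
                joined = a + sep + b
                yield joined
                yield joined.translate(LEET)


def crack(stolen_db, guesses):
    """Hash every guess once and look it up against ALL stolen hashes at the same
    time (possible only because they are unsalted). Returns {user: password}."""
    by_hash = {h: user for user, h in stolen_db.items()}
    found = {}
    for guess in guesses:
        h = fast_hash(guess)
        if h in by_hash:
            found[by_hash[h]] = guess
    return found


# --- What a well-run site should do instead: salted, slow hash ---

PBKDF2_ROUNDS = 100_000


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random salt makes the same password hash
    differently for every user, and the round count makes each guess ~100,000
    times more expensive than a single SHA-256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_slow(password: str, record: str) -> bool:
    _, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from unsalted DB:", crack(STOLEN_DB, candidates(WORDLIST_BASE)))
```

Running it recovers alice's and bob's passwords from a few hundred guesses, while carol's random password never appears in the list; with `slow_hash` the same wordlist would have to be re-hashed per user, at 100,000 rounds each.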

1.2 What Secure Passwords Look Like

The best way to prevent this kind of attack is to use a long and completely random password.

The job of your password is to force the attacker to generate a huge list of potential random passwords.

The longer your password is, and the more varied the types of characters you include, the more potential combinations are possible, and therefore the longer it will take the attacker to crack it.

PASSWORD CRITERIA | POSSIBLE COMBINATIONS

6 lowercase characters (English alphabet) | 26^6 = 308,915,776

14 lowercase characters (English alphabet) | 26^14 = 64,509,974,703,297,150,000

14 lowercase, uppercase, special characters | 78^14 = 3.09 * 10^26

As you can see, the more complicated a password is, the more combinations are possible. Most attackers know nothing about your password habits and have to try passwords ranging from two characters to 14 containing lowercase, uppercase and even special characters.

The time and effort required to convert all of these combinations into a hash and compare it to the hacked database increases significantly.
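The table's arithmetic carried through in code, as an added example that is not part of the report: the keyspace for a fixed length, the total when the attacker does not know the length either (the "two characters to 14" case), the same numbers in bits, and the worst-case time to exhaust them. The guessing rate of one billion hashes per second is an assumed figure for illustration, not a value from the report.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters
    drawn from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, min_length: int, max_length: int) -> int:
    """Total guesses when the length is unknown too: every length from
    min_length to max_length has to be tried."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity on a log scale; each extra bit doubles the work."""
    return length * math.log2(charset_size)


def years_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at a given guessing rate."""
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def password_table(guesses_per_second: float = 1e9):
    """Recompute the report's three rows and add bits and time columns.
    The 78-symbol alphabet is the report's own figure for lower+upper+special."""
    rows = [
        ("6 lowercase", 26, 6),
        ("14 lowercase", 26, 14),
        ("14 lowercase, uppercase, special (78 symbols)", 78, 14),
    ]
    return [
        (label, keyspace(c, n), entropy_bits(c, n),
         years_to_exhaust(keyspace(c, n), guesses_per_second))
        for label, c, n in rows
    ]


if __name__ == "__main__":
    for label, combos, bits, years in password_table():
        print(f"{label:48s} {combos:.3e} combos  {bits:5.1f} bits  {years:.2e} years")
    print("unknown length 2..14, lowercase only:", f"{keyspace_up_to(26, 2, 14):.3e}")
```

At the assumed rate, six lowercase letters fall in well under a second while the 78-symbol, 14-character row needs billions of years; the bits column shows why each added character matters more than any single substitution.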


The 4 Golden Rules for your Passwords:
1. Unique for every website or account
2. Long (At least 10 characters, preferably 14 or more)
3. Random combination of characters (No real words)
4. Special characters, uppercase, lowercase and numbers

Examples of bad passwords:
• Sc4rface55
• Aa556245622 (Your phone number, birthday, ... for example)
• My4wesomeSecure

Most of these would pass the standards of most website password checkers, and yet they are insecure.

Here are examples of good passwords:
• Mm10hwttp0tms!
• 14ss,b1jhtmu4gpapFvw
• T47wh5raylitf.

You may think it impossible to memorize these kinds of passwords, but as you will see in the following section, it can be easy to do so.

1.3 Techniques for Creating Strong, Yet Memorable Passwords

Step 1: Come up with a random sentence related to the purpose of the password

All you have to do is come up with a sentence that makes sense to you and is at least 14 words long. Make sure to include some words that start with uppercase letters.

A random sentence would be best, but you could also use parts of a song lyric, a poem, a quote, or a book passage.

Our Example:

I am glad that I am an SMC subscriber and know how to protect my Facebook well!


Step 2: Write down the first character of every word

Now you simply reduce the sentence into a short and completely random password by taking the first character of each word.

Our Example:

I am glad that I am an SMC subscriber and know how to protect my Facebook well!
IagtIaaSsakhtpmFw!

Step 3: Convert some characters into numbers and special characters

Come up with a system where you can easily convert some characters into numbers and special characters.

You can, for example, turn some characters that look like numbers into numbers. You could come up with creative and unique ways to do this.

Replace the relevant characters of your password.

Our Example:

t = 7
i = !
a = 4

!4g7!44Ss4khtpmFw!

Now you have a very long password (18 characters) with uppercase, lowercase and special characters.

Step 4: Memorize the password

To memorize this password, all you have to do is memorize your sentence and which characters you are replacing.

When you want to use the password, simply say the sentence slowly in your mind and type each of the first letters while remembering to replace some of them with numbers and special characters.
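Steps 1 to 3 carried out by code, as an added example that is not part of the report: it takes the report's own sentence and substitution rules, extracts the initials (keeping the final "!"), applies the substitutions, and then checks the result against the length and character-mix rules from the four golden rules. One difference to note: the report's printed result leaves the second "t" unreplaced (step 3 says "some" characters), whereas this code replaces every occurrence, so its output differs from the report's in that one position.

```python
# The report's worked example: sentence and step-3 substitution rules.
SENTENCE = "I am glad that I am an SMC subscriber and know how to protect my Facebook well!"
SUBSTITUTIONS = {"t": "7", "i": "!", "a": "4"}

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # what counts as a "special character" here


def initials(sentence: str) -> str:
    """Step 2: first character of every word. Punctuation that ends a word
    (the final '!') is kept, as the report does in its example."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        if not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


def substitute(text: str, rules: dict) -> str:
    """Step 3: swap characters for digits/symbols. Rules apply regardless of
    case, so both 'I' and 'i' become '!'. Every occurrence is replaced."""
    return "".join(rules.get(ch.lower(), ch) for ch in text)


def derive_password(sentence: str = SENTENCE, rules: dict = SUBSTITUTIONS) -> str:
    """Steps 2 and 3 together."""
    return substitute(initials(sentence), rules)


def golden_rule_failures(password: str, min_length: int = 14) -> list:
    """Check golden rules 2 and 4 (length and character mix). Rules 1 and 3,
    uniqueness and 'no real words', cannot be judged from the string alone."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no special character")
    return failures


if __name__ == "__main__":
    pw = derive_password()
    print(initials(SENTENCE), "->", pw)
    print("problems:", golden_rule_failures(pw) or "none")
    print("Sc4rface55 problems:", golden_rule_failures("Sc4rface55"))
```

Swapping in your own sentence and rules is the whole point: `derive_password("your sentence", {"o": "0"})` produces the password you would otherwise type from memory, so you can confirm it meets the length and character-class rules before committing it to muscle memory.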


PRO TIP

At first it won’t be easy to remember and type the password correctly. Over time, however, the password will come to mind easily, and soon your fingers will type the password without your having to think about it.

Simon has used this technique with great success with his passwords, as has the rest of our team. The mnemonic works, and our passwords are all much less vulnerable for it.

Mnemonics For Random Sentence

To make it easier to memorize a random sentence, imagine something that represents or summarizes it. See it clearly in your mind and make sure it’s large, 3D, detailed and colorful.

Then simply repeat the sentence (aloud or in your mind) ten times while you are imagining it.

This will create a connection between the image and the sound of the sentence in your mind. Once this connection is created, whenever you bring up the image, the sentence will automatically follow.

Repeat this for five consecutive days at least three times:
• while brushing your teeth in the morning
• when taking your first bite of your lunch
• while brushing your teeth in the evening

When you practice, do your best to come up with your sentence using your mind alone. Only peek at a cheatsheet after trying hard not to use it.

A connection is only created and strengthened if you recall it without cheating. Reading something and repeating it over and over, without associating it with something else, will not create a connection in your brain, and memorization will be much slower and less reliable.


1.4 Use a Password Manager

If you recall, one of the golden rules of passwords is that each of them has to be unique. This way, if hackers manage to nab one of your passwords, they won’t be able to penetrate your other web assets and identities.

You might have dozens, if not hundreds, of different accounts at different websites; using the previous password technique for each of them would be onerous or impossible. This is where a password manager such as 1Password comes in. It allows you to save all of your logins, passwords, credit cards, bank accounts and other sensitive information in a database protected by very strong encryption.

The database can only be opened by someone who knows the master password, which means that even if an attacker gains access to the database file, he would be unable to access your passwords unless he also somehow accesses your master password.

There are several password managers, but we use and recommend 1Password, because it allows you to store your database on your own computer instead of in their cloud.

The app is available for Macs, Windows, iOS and Android.

Recently they have started offering a subscription service, which syncs the database through their cloud.

Don’t use it. All that will do is make you vulnerable to hackers wanting access to the passwords of thousands of other customers.

Instead we recommend you purchase a standalone license from their website and set it up to sync between your desktop and your smartphone using Dropbox.

Although your 1Password database (also called “vault”) will be stored in Dropbox, nobody (including Dropbox employees or government authorities) will be able to access your passwords, as they are protected by your master password.

1Password


When you set up 1Password, make sure to create a secure yet memorable password with at least 14 characters, numbers, symbols, lowercase and uppercase characters. Use the technique we described in the previous section.

1Password has a feature that allows you to generate unique, random and very secure passwords for every single website and account you have.

Use that feature to create a random password for every single one of your logins and make sure to set it up to use at least 14 characters, several digits and several symbols.
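What a generator meeting those settings has to do, as an added example that is not 1Password's code or the report's: draw every character from the operating system's cryptographic random source (Python's `secrets`, never the `random` module, whose output is predictable), guarantee the minimum number of digits and symbols, and shuffle with the same source so the guaranteed characters do not sit at fixed positions. The symbol set and the defaults of 20 characters with three digits and three symbols are this example's own choices.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # example symbol set; trim it if a site rejects some
POOL = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20, min_digits: int = 3, min_symbols: int = 3) -> str:
    """Random password of `length` characters with at least `min_digits` digits,
    `min_symbols` symbols, one lowercase and one uppercase letter."""
    if length < 14:
        raise ValueError("use at least 14 characters")
    if min_digits + min_symbols + 2 > length:
        raise ValueError("minimum counts do not fit in the requested length")

    # Guarantee the required classes first ...
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(min_symbols)]
    chars += [secrets.choice(LOWER), secrets.choice(UPPER)]
    # ... then fill the rest uniformly from the whole pool.
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]

    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # end up at unpredictable positions rather than always at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, length: int = 14, min_digits: int = 3, min_symbols: int = 3) -> bool:
    """Verify a password (generated or not) against the same settings."""
    return (len(password) >= length
            and sum(c in DIGITS for c in password) >= min_digits
            and sum(c in SYMBOLS for c in password) >= min_symbols
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password))


if __name__ == "__main__":
    for _ in range(3):
        pw = generate_password()
        print(pw, meets_policy(pw))
```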

Many websites also require you to set up security questions such as, “What is your mother’s maiden name?” in case you need to reset your password.

Don’t use the real answer. An attacker could easily figure that out. Instead, use a randomly generated password as the answer and save it in 1Password.

Whenever you want to log into a website, 1Password can autofill the password into the login form instead of you having to type it yourself.


If your computer gets hacked, the attacker could install a keylogger, a program that records your physical keystrokes. That could give him access to your master password, and thus the rest of your passwords. Therefore, it is vital to install all the latest security updates and use good antivirus software - or even run a system that is targeted less frequently, such as one on a Mac or Linux-based PC.

1.5 Password Summary

Password security is crucial and the foundation of your overall digital security. If you take nothing else away from this Black Paper, at least install 1Password and change all of your passwords to something unique and random. Then create and memorize at least one secure password that you use only for 1Password’s master password.

To take it a step further, create a separate, secure and memorable password for each of your important websites and computer logins. To make this task easier, you can make your secure password “variable”. We used this sentence and password in our example:
I am glad that I am an SMC subscriber and know how to protect my Facebook well!
!4g7!44Ss4khtpmFw!


You can replace the “F” for Facebook with “G” for “Gmail”, “B” for “Banking” and create multiple unique passwords:

• !4g7!44Ss4khtpmFw!
• !4g7!44Ss4khtpmGw!
• !4g7!44Ss4khtpmBw!

Since each password is technically unique, the attacker would not be able to use it to log into another service.

Here are the unique passwords we recommend you create:
• One master password for your password manager
• One password for your computer login
• One password for each of your critical websites (such as email)

Stay vigilant! The more passwords you create, the harder they will be to remember.

Use our system to help, but don’t reuse the same password in more than one place. If you find yourself tempted to do this, reduce the number of passwords you’re trying to remember and change them to random passwords stored in your password manager. This will always be a better choice than using the same password in multiple locations.

One more thing to note: The more the attacker knows about you personally, the more he can reduce potential combinations.

Think about the amount - and type - of personal information readily available online or available to purchase: birthdays, family members and their birthdays, addresses where we’ve lived in the past, the names of our pets, phone numbers, and more. These tidbits are easy for an attacker to try, so never use them in your passwords or security questions.

PRO TIP


It’s up to you to decide how much effort you put into this process and how much you modify it. The more creative you get, and the more random and longer the sentences you use, the higher your security will be.

2.0 PHISHING PREVENTION

2.1 What is Phishing?

The next technique hackers use to access data is phishing. It’s far simpler than hacking a website, so it’s something you must guard against.

Phishing is a type of spam which is designed to trick you into giving your password or other personal information to an attacker.

Typically, you receive an email that appears to be from a legitimate sender such as Google, eBay or Paypal. The email informs you that you received a payment, an order or another important message and that you need to sign in and confirm it.

Once you click the link or button, you are taken to a fake website that was created by the attacker. Often the site can look legitimate. When you enter your password, the website saves it for the attacker and then redirects you to the real website.

These scams are often easy to spot, but sometimes the hacker goes through extraordinary effort to make it look real and hard to detect.

2.2 How to Detect & Prevent Phishing

1. Inspect the email

When you receive an email urging you to log in, first check if there is anything suspicious about the email itself.


Is the “from” email correct?

Most spammers create a fake from address like “[email protected]” instead of “[email protected]”. Keep in mind that the reverse does not hold: the “from” address is just a header the sender fills in, so an email can show the real company’s address and still be a forgery. A wrong address is a red flag; a correct one is not proof.

To get a better feel for the kinds of addresses phishers use, have a look at your SPAM folder and see where spam emails are coming from. Phishers (and spammers) have to change their emails often, so legitimate addresses are in short supply.

Is the email personalized?

Most legitimate websites greet you by name and include a username and/or at least part of an account number. A generic “Dear customer” is a warning sign, but personalization alone is not reassurance: a targeted (spear-phishing) email can include your name and details lifted from a data breach or social media.

Does the design look like other emails from the legitimate sender?

Often the email formatting, logos and design just look ‘off’.

Is it using a pushy call to action?

If the call to action is unusually pushy, contains red text and/or other things urging you to visit the website immediately, proceed with caution.

Important: Always hit the “This Is Spam” button in your email client if you detect spam or phishing. Depending on your email provider, this normally sends them a red flag notification. If enough people do this, the sender’s email will automatically end up in other people’s spam folders.

2. Inspect the website

Check the URL address of the website before you click the link: hover over the link (or press and hold it on a phone) to see the real destination, because the visible text of a link can say anything.

Check if the domain in the URL matches with the company’s domain.

It may look real, thanks to today’s sophisticated attacks. But you might spot a common spelling mistake, an extra character like “paypal1.com” or a different domain ending. Read the address from the right: what counts is the registered domain just before the first slash, so an address such as paypal.com.example.net (a made-up example) belongs to example.net, not PayPal, no matter how much of the brand name appears in front of it. If you’re at all unsure, don’t click the link in the email. Manually type the company’s address into your browser and then log into their site from there. For some types of attacks it is enough to visit a fake website to have malware installed on your computer. Don’t click any link you’re not absolutely sure of.

Is the website encrypted?

Make sure the website is using encryption by checking whether the URL starts with “https://” rather than “http://” and that your browser displays a lock symbol next to the URL.

It’s important to make sure the lock symbol is displayed by the browser and not inside the website. Anyone can paste images of locks on a site to say it is secure and encrypted, but that doesn’t make it so. Clicking on the lock will give you more information about the site and allow you to view its TLS certificate (still commonly called an SSL certificate). If you’re unable to view information about the security of the site, or if the certificate is reported as invalid, the site may not be real. The reverse is not true, though: a valid certificate only proves that you are talking to whoever controls that domain name, and phishing sites routinely obtain valid certificates of their own. The padlock tells you the connection is encrypted; only the domain name tells you who you are connected to.
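The checks above (is it HTTPS, does the registered domain match, is the brand name just tucked inside someone else’s domain, is it a one-character typosquat, is there an “@” trick or a look-alike international domain) can be written down as code. The following is an added example, not code from this Black Paper; PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List, and the URLs in the usage section are constructed.

```python
"""Does a link really lead to the brand it claims? Added example, not code from
this Black Paper. PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List;
real code should load the full list."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: a handful of public suffixes. The real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """The part someone had to register: 'paypal.com' for 'www.paypal.com',
    'example.net' for 'paypal.com.example.net', 'paypal.co.uk' for 'login.paypal.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch typosquats such as paypa1 / paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). ok only when the link is HTTPS and its registrable
    domain is exactly the brand's own domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme!r})"
    if parts.username is not None:
        # https://paypal.com@example.net/ : the browser ignores everything before '@'
        return False, f"userinfo trick: the browser will connect to {host!r}"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised hostname {host!r}: check for look-alike characters"
    actual, expected = registrable_domain(host), expected_domain.lower()
    if actual == expected:
        return True, f"ok: {host} belongs to {actual}"
    brand = expected.split(".")[0]
    if levenshtein(actual.split(".")[0], brand) <= 2:
        return False, f"look-alike domain: {actual} resembles {expected}"
    if brand in host:
        return False, f"brand name inside someone else's domain: {host} is really {actual}"
    return False, f"different domain: {actual}"


if __name__ == "__main__":
    # Constructed links, none of them real phishing sites.
    for link in ["https://www.paypal.com/signin", "http://www.paypal.com/signin",
                 "https://paypal1.com/login", "https://paypal.com.example.net/login",
                 "https://paypal.com@example.net/", "https://xn--pypal-4ve.com/"]:
        print(link, "->", check_link(link, "paypal.com"))
```

Note what the code deliberately does not do: it never says “safe” because the page is HTTPS, and it treats a hostname that merely contains the brand name as a reason for suspicion rather than comfort.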

3.0 TWO-FACTOR AUTHENTICATION

Two-Factor Authentication protects your accounts even if someone finds a way to obtain your password through phishing or a password breach.

You may already be familiar with this from online banking. Instead of relying only on your password, your bank may have issued you a security device that generates additional one-time passwords you must enter to log in or perform critical actions.


This kind of security is becoming more popular with everyday web services. And no, you don’t have to carry around dozens of security dongles.

Instead of relying on security devices, use your smartphone to generate additional one-time passwords.

This way, if an attacker gets your password, they cannot use it without also having access to your smartphone.

Two apps that are supported by many websites for Two-Factor Authentication are Google Authenticator (available for iOS and Android) and Authy.

If you followed our advice and purchased 1Password, you can add all your one-time-password generators to your logins and have everything in one place, all protected by your Master Password. This is great for convenience, but by combining both factors into one application, it makes your password manager a single point of failure: whoever gets into it gets both your passwords and your codes. If you choose to use this feature, protect your password manager with a very strong master password.

Some of the services that support Two-Factor Authentication are:

• Google (including Gmail)
• Apple iCloud & App Store
• Fastmail
• Namecheap (domain hosting)
• Dropbox
• Facebook
• And many more...

The setup process differs from service to service, but generally you have to scan a QR code with your Two-Factor Authentication app, which adds the service to your app. That QR code contains a secret key shared between the service and your phone; the app combines it with the current time to produce the codes (the TOTP standard), so anyone who gets a copy of that QR code or key can generate your codes too. After that you simply open the app to see the current one-time password; codes typically change every 30 seconds.

When you need to sign into a website, you have to enter the current one-time code in addition to your password.

Many websites allow you to mark a device as ‘trusted’ so that you don’t have to enter the code every single time you sign in. This gives you the ease of use on your own device, while still protecting you when you are using other computers.

Additionally, most websites and services allow you to enter a backup phone number where you can receive a one-time password as a text in case the app doesn’t work. Others allow you to store extra, single-use backup codes in case you lose your smartphone or need to reset an account and no longer have the physical device that generates the passwords. These can also be stored as a secure note in your password manager. Of the two, the text-message fallback is the weaker: an attacker who takes over your phone number (for example by persuading your carrier to move it to a new SIM) receives those texts, so prefer backup codes where the service offers them.

For a complete and up-to-date list, please refer to https://twofactorauth.org/, which has links to instructions on setting this up for most services that offer Two-Factor Authentication.

We strongly recommend you enable this at least for your email, because this is the most critical web account you have. If someone gains access to it, they can potentially reset your other passwords and gain access to even more accounts.

4.0 BACKUPS

A critical part of your digital security is to back up your data. A backup protects you and allows you to quickly recover from the loss or theft of your laptop, data corruption, or hardware failure.

If your laptop’s hard drive has ever started clicking and given out, you know how stressful and costly it can be to get back up and running.

This is especially important if you want to protect your data through encryption. If your unencrypted hard drive starts failing, it’s sometimes possible to save most of the data, but if your data was encrypted... it can be impossible to recover without a backup.

To create a tight backup strategy, we recommend regular local backups to an external hard drive, as well as additional off-site backups to a cloud-based service.

Your backup strategy should also be completely automated and not require any effort on a regular basis from you. If your backup strategy is to copy files manually to the cloud or an external hard drive, it is much harder to guarantee that it will happen on time, every time. Things come up, backups get missed, and before long you might find yourself with a dead laptop and no backup more recent than last year...

4.1 Local Backups

This is the foundation of your backup strategy, because it’s quick to set up and helps you rapidly recover in the event of a hard drive failure.

You want to set up a system where all your data is regularly copied to an external hard drive. If your computer is a laptop, make sure the hard drive is connected to your network and does not require you to plug directly into your computer to perform a backup.

An important consideration is whether you can encrypt your backup. If you’re storing it on a small external hard drive, one that could easily be lost or stolen, you want to prevent others from accessing your files.

An option that works well is to use an external hard drive with hardware encryption and PIN input. We will talk about this later in this Black Paper.

4.1.1 Macs

If you’re using a Mac, Apple makes this very easy for you. Their AirPort Extreme wireless router is a home router and WiFi access point into which you can plug a USB hard drive. They also make the Time Capsule, which is the same wireless router but has a hard drive for backups built into it.

Apple’s macOS operating system includes a backup suite called Time Machine that is very easy to use. If you have an external USB drive or one of the WiFi-connected options above, your computer will detect it and will ask if you want to use it as a backup destination. If you confirm, your computer will start backing up to it every hour whenever you are connected to your wireless network.

At this time, Apple doesn’t provide the means to encrypt your Time Machine backup when backing up through WiFi. Therefore, we recommend purchasing the Airport Extreme instead of Time Capsule and using a hardware encrypted external hard drive with it.


Synology is another external solution worth exploring. It can serve as a destination for non-encrypted Time Machine backups. We will cover Synology in more detail in Windows section below.

4.1.2 Windows

Windows includes backup functionality via Backup and Restore under Control Panel / System and Security. This will allow you to configure a local or network drive as a backup destination and then choose files and folders to be backed up. You can tell Windows to create a system image, from which you can restore a complete computer, or you can choose what files and folders to back up.

Another option is to purchase a standalone network drive such as the DiskStation DS214se from Synology. This two-drive device can act as a backup destination for Windows and Mac in addition to providing other cloud-like services for your home or office.

The two hard drives can be configured as one large drive, or as a mirrored pair (RAID 1), where every file is written to both disks so that the backup survives the failure of either one. Synology provides Synology Data Replicator, a Windows program that backs up your computer to the Synology storage device.

Many software products exist to perform backups of Windows machines, but these options are simple and effective.

To additionally secure your backup and make it more convenient, purchase a hardware encrypted external hard drive and connect it to your router to allow wireless backups. You can find more information about how to do this in section 5.2 of this Black Paper.

4.2 Cloud Backups

An offsite cloud backup is like health insurance. You hope you’ll never need it, but if you do, you’ll be glad to have it.

The disadvantage of cloud backup is that the initial procedure can take a long time if you have a lot of data, because everything has to be uploaded first. It also takes longer to restore your computer to its previous state after a data loss.

Once you have it set up, however, the system can run on its own. You can rest assured knowing your data is always backed up, even if you are away from home.

Offsite backups also protect you from catastrophes such as fire and flooding. That’s why it’s called an “offsite backup”: No matter what happens to your laptop or your home, your data remains safe.

Several providers specialize in cloud backups and offer solutions for a monthly or yearly fee. We recommend Arq Backup.

Backup to any cloud storage with Arq

Arq is software available for Macs and Windows PCs that lets you make client-side encrypted backups to a wide selection of cloud storage providers.

This makes for an incredibly cost-effective solution: Instead of paying $5-10/month for every computer you want to back up, you pay once for the software and can then back up data from each of your computers to your preferred cloud provider.

For example, if you are already paying for Dropbox Pro, you can store your backups there, too.

If you don’t yet use any cloud storage providers, we recommend Amazon Cloud Drive Unlimited. It’s currently available for only $59.99/year.

Combined with Arq, the setup is very secure: Arq encrypts all your data before it ever leaves your computer, and you are the only one who holds the encryption password, so Amazon only ever stores ciphertext. An additional benefit: Amazon’s upload speeds are much faster than the industry average.

The service also places no limits on how much data you can backup, and it allows you to keep backups of external drives indefinitely.

Cloud Backup Providers

If Arq does not seem like the right solution to you, you can also consider a traditional cloud backup service.


We’ve tried CrashPlan and had a positive experience with their upload speeds and customer support. CrashPlan is available for both Windows and Macs.

In its standard configuration, CrashPlan encrypts your backup, but then stores the encryption key on its own servers. We don’t like this, as it means they have the ability to access your data and/or share it with a third party or government agency.

Instead, set an additional “Archive Key Password” accessible in the app settings. This way your encryption key itself also becomes encrypted - with a separate password, one which is never shared with CrashPlan.

To enable “Archive Key Password”, open CrashPlan, navigate to “Settings” and select the “Security” tab. In the “Archive Encryption” section, select “Archive Key Password” and make sure not to set any archive questions which would allow you and CrashPlan to restore your key if you forget your password. Instead, use the password techniques as described earlier in this Black Paper.

After you do this, even CrashPlan itself will not be able to access your data.

5.0 DATA ENCRYPTION

Most people think that the data on their computers is secure and inaccessible to others. After all, every time you turn your computer on, you have to enter a password, and only then can you view your files.

Unfortunately, without encryption, your computer password does not actually prevent anyone from accessing your machine’s contents. All someone has to do is boot your computer from a USB stick; then he can read and change any file on your disk without having to know or enter your password. On a Mac, they can start the computer in Target Disk Mode, which turns it into a big external hard drive; they can then plug this “hard drive” into another computer and browse all of its files. A firmware password can block booting from external media on the machine itself, but it does nothing once the drive is pulled out of the laptop; only encryption protects the data.

Your operating system is hiding data from people who don’t have the password… but that becomes moot once you start a different operating system.

In order to make your data completely inaccessible, you have to use encryption.


When you encrypt your information, you’re encoding it in a way that can only be reversed with the right key.

There’s been a recent uptick in surveillance and confiscation, especially at airports and other border crossings. That’s why encryption is so important.

But if your laptop or external hard drive is properly encrypted, then it doesn’t matter much if it is lost, stolen or confiscated: Nobody can read what’s on it unless they have the secret key… a key only you know.

5.1 Computer Full Disk Encryption

Not too long ago, encrypting your data required a good deal of time, as well as the use of complicated and unintuitive software that would compromise the performance of your system. But that all changed a few years ago when laptops started moving towards very fast solid-state disks instead of mechanical hard drives, and when Intel added AES-NI, hardware instructions for the AES cipher, to its processors.

These days, you can encrypt your entire hard drive and likely won’t notice any performance reduction (if you have a newer computer, that is).

Doing this stores your data in an encrypted fashion on your hard drive. Every time you turn on your computer, you enter the password to decrypt and use the data. But if someone sends you malware and you install it accidentally, that malware will be able to access your data while your computer is turned on.

For maximum security, you should always completely shut down your computer when you are in higher risk situations, such as crossing borders or any time your device will be outside of your physical control. Sleep is not enough: while the machine is asleep the decryption key stays in memory and the disk is effectively unlocked.

Important: If you decide to encrypt your hard drive and suffer a hard drive failure, it’s likely you won’t be able to recover your data. That’s why it’s imperative to first implement a sound backup strategy. At the very least, use a cloud backup service... and only then encrypt your hard drive.


5.1.1 Full Disk Encryption on Macs

Apple has created a very safe (and easy to use) way of encrypting your entire hard drive. It is called FileVault.

To enable it, all you need to do is go to System Preferences > Security & Privacy > FileVault tab, where you can turn it on.

For more information and more detailed instructions, please refer to Apple’s support document about FileVault.

If there is more than one user on your Mac, you, the administrator, will be asked whether you want to allow other users to unlock the disk. Be very mindful of which users you allow to do this, as they will be able to unlock the entire disk and not just their own data.

If one of the other users uses a weak password, that negligence could compromise the entire system.

Keep in mind that any users added on after the encryption has been set up automatically gain the right to unlock the disk. To revoke that right:

• Search for “Terminal” in the Spotlight search (magnifying glass icon in the menubar)
• Open the Terminal application
• Enter “sudo fdesetup remove -user Simon” (replace “Simon” with the username you want to remove)
• Enter your computer admin password
• To verify that it has worked, enter “sudo fdesetup list”. It prints one “username,UUID” line per user who can unlock the disk, and the list should no longer include the user you just removed.

Important: Make sure NOT to save your recovery key with Apple itself (the option to store it in your iCloud account), as this would allow them to hand over the decryption keys if forced to do so.

Instead, memorize your recovery key, or save it in a safe location. If you created a strong master password, your 1Password database would be a good place to store this.


If you have a Mac with a Solid State Drive (SSD), one that was released in 2012 or later, then we strongly suggest you turn on FileVault. SSDs are much faster than traditional hard drives. Obviously, owners of traditional hard drives can (and probably should) also enable FileVault, but they may notice slower performance.

5.1.2 Full Disk Encryption on Windows PCs

TrueCrypt used to be the de facto standard for full-disk-encryption software for Windows. But in 2014, the development team abruptly shut down the project and left behind only a skeletal version capable of decrypting files but not encrypting them.

An independent audit has concluded that no significant flaws or backdoors were present as of March 13, 2015. But although TrueCrypt is probably still safe, the auditors did find a few minor problems that won’t be addressed, as the software has been discontinued.

We say don’t use it.

Fortunately TrueCrypt is open-source, and several projects have developed to bolster, support and improve the software. VeraCrypt looks like the most promising successor at the moment, and is the best option to use today. Windows Pro and Enterprise editions also ship with Microsoft’s BitLocker, mentioned in the next section for external drives; it can encrypt the system drive as well, the trade-off being that it is closed-source and you are trusting Microsoft’s implementation.

5.2 External HDD Encryption

We store a lot of important data on external hard drives (HDDs)—if nothing else, our backups are there. It’s especially important to protect HDDs because of how easy it is to lose or steal a small external hard drive.

You have two main options for encrypting your external HDD: Software or Hardware.

5.2.1 Software Solutions

When you use the software option, either the software or your operating system encrypts files on your hard drive and allows you to decrypt them.


The problem with software encryption is that you need to use the software on every computer from which you want to access the files, and sometimes the software is not compatible between Windows and Macs.

Additionally, it’s not possible to software-encrypt a network-based Time Machine backup, nor to attach a software-encrypted drive to a network storage system.

Mac Solutions:

• Encrypt entire external hard drives with Apple’s FileVault
• Encrypt only certain files and folders with Apple’s encrypted sparse disk images (created in Disk Utility)
• Use AgileBits Knox for a more user-friendly solution for encrypting only certain files and folders

Windows:

• Microsoft BitLocker to encrypt entire external hard drives
• Gpg4win to encrypt certain files and folders

5.2.2 Hardware Solutions

An alternative is to purchase a hard drive that has encryption functions built right into its hardware. When you connect such a hard drive, your computer doesn’t even detect or recognize the HDD until you type the password on a keypad attached to the drive.

The advantage is that it’s completely cross-compatible. It doesn’t matter whether you connect it to a Mac, Windows, an Airport Extreme, or some other network storage system. Once you type in the password, they see it as a normal hard drive.

At the same time, you have to be careful to purchase a quality product. Some solutions do not actually encrypt the data and can be circumvented by simply taking the hard drive out of the enclosure and connecting it directly to a computer.

Here are two highly regarded solutions we like that actually encrypt data:

• StarTech.com 2.5-Inch Encrypted Hard Drive Enclosure
• Apricorn Encrypted Hard Drives & USB Sticks

We strongly recommend using one of these as your local backup hard drive.


5.3 Encrypted Cloud Storage

Everyone knows how convenient cloud storage like Dropbox is. But you’re trading convenience for vulnerability, as what’s there is not stored securely.

Dropbox assures users that their data is encrypted while being uploaded, downloaded and when stored on Dropbox servers. While this is technically true, it’s important to understand that Dropbox holds the encryption keys to the files.

This means Dropbox employees can decrypt your files to read them and, if forced to, share them with government agencies.

Even Edward Snowden specifically warned against using Dropbox and called it “hostile to privacy.”

Fortunately there are security-and-privacy-focused cloud storage providers who have designed their services so that they cannot read your files themselves, and can only hand over encrypted, unreadable content to government agencies.

These services use client-side-encryption and are “Zero Knowledge Providers”. This means that the data is encrypted on your device BEFORE it’s uploaded and you are the only one who holds the necessary encryption keys.

Even if a court forces the provider to share whatever data they have on you, such a move will prove fruitless… as you are the only one holding the encryption keys.

5.3.1 Consideration With US Based Providers

It’s important to understand that if you are using a provider who is a US business or who stores your data on US soil, the FBI or NSA can force the company to install backdoors on their network and their software to capture the encryption keys in clear text. Even if the provider stores the data outside of the US but is a US-registered company (such as Amazon Web Services), the data is not safe. This is exactly what happened to Lavabit, a company that used to provide encrypted and privacy-focused email solutions to customers, including Edward Snowden. Ladar Levison, the founder, was ordered by a US court to install a backdoor onto his network that would allow the government to capture customers’ plain-text passwords.


He fought the broad scope of the search, and when his efforts to have the search limited to a specific target failed, he chose to shut down his 10-year-old company in order to protect his 410,000 customers.

You should therefore try to use a service provider based in a privacy-focused country such as Switzerland, or at least in a country outside the jurisdiction of your home government.

5.3.2 Do You Need Encrypted Cloud Storage?

Before you go and move all your files away from Dropbox, you should consider whether you actually need encrypted cloud storage in the first place. If all you store on Dropbox are pictures of your cat, you really don’t need to do this.

On the other hand, if you store or plan on storing your entire documents folder, which may contain sensitive information, such as bank statements or legal documents, you may want to consider encrypting them.

5.3.3 Encrypted Cloud Storage

Over the past few years, quite a few secure options have surfaced, but today we can only recommend one of them: Tresorit (https://tresorit.com).

Tresorit is secure. It’s hosted in Switzerland. And it’s user-friendly, with great apps on many platforms. They even started a hacking contest, offering US$50,000 to anyone who can break their system.

Nobody has been able to do it.

In our opinion, Tresorit is the only secure cloud storage provider out there that comes close to Dropbox.

They have a free entry-level option, as well as much more advanced, paid ones.


Other Options - Ones we do NOT recommend

SpiderOak is another option, one which Edward Snowden has recommended in the past. But we cannot recommend it anymore, as their focus has changed from cloud storage to backups.

Another popular option used to be Mega, but due to controversies surrounding their founder and shareholders, we do not recommend you use Mega for sensitive data.

5.3.4 Unencrypted Cloud Storage

If you are already using a cloud storage option such as Dropbox and only want to encrypt a limited amount of files, you may want to consider Cryptomator.

Cryptomator - Encrypt files in your normal cloud storage (https://cryptomator.org)

Unlike the other options, Cryptomator is an open-source software that allows you to encrypt files and store them inside of your traditional cloud storage such as Dropbox.

It works well if you only want to encrypt a small amount of data, but it is not as convenient as Tresorit, especially for encrypting large amounts of data.

You should also consider that this is a very young solution that has not been independently audited and may contain cryptographic flaws. In other words, it’s not necessarily a high-security solution and may not protect you against resourceful attackers.

6.0 INTERNET ENCRYPTION

Most of the technology behind what we know as “the Internet” came out of a US Department of Defense network called ARPANET. It was designed to allow university researchers to communicate with each other and share information, and its potential likely was underrated.

ARPANET was never intended to transmit confidential and secure data. All of the technology that allows our modern Internet to do so has been stacked on top of the ARPANET foundations. Some of it works well, but all of it relies on a complicated web of interdependent components. If one of these components fails, the whole system fails.

The majority of data transferred through the Internet is unencrypted, and that’s okay. If you’re out in a restaurant, you can hear the conversations of those around you, and no one cares. People know not to talk about private information in public. For that we have encrypted communication. But even encrypted traffic is vulnerable to certain attacks that allow hackers and governments to spy on you.

6.1 Why Additional Internet Encryption is Important

Many of the websites you visit use an encrypted connection (HTTPS), which is signified by a little lock icon in your browser. Bigger sites pay more for Extended Validation certificates, which make the browser show the company’s name next to the Internet address, telling you that you really are visiting their site. Some of them encrypt your entire visit, while others only encrypt key parts such as logging in or purchasing.

We at Sovereign Man are encrypting your entire visit to increase your privacy.

While the number of encrypted websites keeps growing, you would be surprised by the amount of websites that do not encrypt even the most sensitive information. This is especially important because most people do not pay attention to whether a website is using a secure connection, and some apps, especially on smartphones and tablets, don’t even display this information.

Every time you visit a website, read your email, or download a file, the traffic connects through many different points between you and the destination. If the connection is not encrypted, anyone along that route can capture the traffic and read it.

It starts with your local WiFi, where a person armed with a little bit of knowledge can capture which unencrypted websites you are visiting, what pages you are viewing, what data you are transmitting to them (including passwords & credit card details). Even your email program may be using an unencrypted connection without your knowing it, exposing your password and email content to anyone who is on the same WiFi network and knows how to listen in.


But it doesn’t stop there. Once you load a website, the request leaves your computer and travels through a long chain of routers and servers before arriving at the site you’re visiting. Any admin, government, or hacker who has access to any one of these devices can potentially intercept the data.

For example, in 2015, the US telecommunications company AT&T introduced a fiber broadband plan where customers had to pay an additional $29 for the privilege of not being spied on. Those who chose not to pay agreed to allow AT&T to collect and share information with their advertising partners, information such as “the webpages you visit, the time you spend on each page, the links or ads you see and follow, and the search terms you enter.” As of this writing (January 2017) data collection and targeted ads are shut off, as confirmed by AT&T.

Edward Snowden’s NSA leaks have even revealed that the NSA and British GCHQ tap undersea cables to mass-collect information and later sift through it. Information attained by the NSA is stored in their massive data center in Utah, where they mine it retroactively for information about people of interest. They even store all encrypted data there with the hope that today’s strong encryption will be easy to break in future years.

Knowing that people can and will collect and search through, your unencrypted data, it’s of utmost importance to additionally secure your Internet connection AT THE VERY LEAST when you are using public WiFi networks. Ideally, you would want to secure it ANY time you connect online and prevent your computer from accessing the Internet without additional encryption.

Here is a summary of reasons why we secure Internet traffic whenever possible, and why we encourage others to do the same:

● Privacy is a basic right;
● We don’t want criminals to steal the data;
● My activities are no one else’s business.


6.2 Use HTTPS whenever possible

Governments, criminals and companies all vie for your data, and they’re not going to stop devising ways to access it. Although no deflection strategy is 100% effective, your first line of defense is to make sure to use HTTPS whenever you transmit sensitive information such as passwords or credit card details over the Internet.

Browsers indicate whether the current page is encrypted through a little lock icon in the URL bar:

Although the look of the icon can vary among browsers, it should be easy to find.

If you don’t see the icon, your connection is not encrypted and your traffic can be easily intercepted.

If you ever visit a page that is using HTTPS, but you still receive a warning box saying there is a problem with the site’s certificate, then do not continue. It could be a sign that somebody is trying to intercept the connection and eavesdrop on you, even if you’re using an encrypted connection.

A useful (and free) plugin that we recommend you install is HTTPS Everywhere by the Electronic Frontier Foundation (EFF). This plugin forces a secure HTTPS connection with many major websites and thus encrypts your communications.


You always want to use HTTPS if it’s available. Remember, however, that doing so still might not guarantee the safety of your traffic.

The entire HTTPS system relies on the integrity of the top-level certificate authorities, which issue the encryption certificates.

In theory, any government could coerce a certificate authority in its jurisdiction to issue an authoritative root certificate to an ISP. Such a certificate would allow the ISP to intercept, decrypt, and re-encrypt the traffic.

An authoritative root certificate like this could, for example, allow AT&T to intercept all your encrypted HTTPS traffic and make it available to the NSA.

To protect yourself from this, make sure to connect to the Internet through a VPN server in a foreign country that is unlikely to be in bed with the NSA.

Also keep in mind that there are companies out there that purport, as Cloudflare does, to “[speed] up and [protect] millions of websites, APIs, SaaS services, and other properties connected to the Internet.”

It sounds good, but the corollary to making these sites faster is that Cloudflare gains the ability to intercept all their traffic… making them vulnerable.

If you as a user visit some of these sites -- even if they have HTTPS -- you likely won’t be able to detect or protect yourself from that kind of third-party interception.

So is HTTPS more secure than HTTP? To some degree, yes.

But is it totally secure?

No.

6.3 How to Encrypt ALL Internet Traffic With a VPN

When you connect to the Internet, your ISP gives you an IP address. The ISP keeps track of what IPs were assigned to which customers at any given moment. This makes the ISP the first point at which your data can be monitored or tampered with.

A VPN creates a secure, encrypted tunnel from your device to the VPN provider’s server: Instead of connecting to your ISP and then to the Internet, a VPN allows you to connect, via an encrypted tunnel, through your ISP to the VPN provider.


No one in between you and the VPN provider can see what’s happening inside the tunnel, so if someone is listening in on your local WiFi, or if the government is gobbling up all traffic going through your ISP, you’re protected. For someone to know what you’re doing, he would have to control the remote end of the connection as well. This is much harder to do.

For example, if you are in the US and use a VPN in Hong Kong, the websites you visit will think you are a visitor from Hong Kong. Your IP address will literally be the address of the VPN provider in Hong Kong. This is because you are establishing a connection to the Hong Kong VPN server and from there connecting to the final website.

If someone is snooping in between the Hong Kong VPN and the website, they will have no way of knowing it was you who accessed the website by looking at the visitor IP addresses. The reason for this is simple: The VPN has potentially thousands of users and it could have been any one of them who visited the website.

This is also how people can circumvent various geolocation restrictions that service providers have, by using a VPN server located in a different country. Since this may violate Terms of Service for many of them, we are not formally endorsing the use of VPNs for such purpose.

Please note that a VPN encrypts only the part of the connection between you and the VPN. As soon as the data leaves the VPN, it is not protected by the encryption anymore.

This means that even if you use a VPN, you should continue paying attention to whether a website is using HTTPS when you transmit sensitive information.

6.3.1 How to Pick a VPN Provider

When you are picking a VPN provider you need to consider the following things:

1. Your home country
2. The country where the VPN company is registered
3. The country where the actual VPN servers are
4. Anonymity claims - beware


VPN Provider Country

Generally you should pick a VPN outside the jurisdiction where you are a citizen or resident. This way, interested parties would have to go through at least two different jurisdictions, which is more difficult and expensive.

You also want to make sure the country you pick has no mandatory data retention laws, which are, for example, very common in Europe. Hong Kong, however, has no mandatory data retention laws.

For more information on the current status of mandatory data retention laws you can consult the Electronic Frontier Foundation.

You can also pick a country with strong legal support for privacy, such as Iceland or Sweden. These are countries where your digital rights are protected by courts requiring evidence of criminal activity before allowing data to be handed off to others.

VPN Server Country

Most VPN providers allow you to pick from a range of VPN servers in different countries, masking your real location on the Internet.

Just as with a VPN company, you want to pick a location that’s different from your country of citizenship and residency. At the same time you want to pick a VPN server that’s as close as possible to where you currently are. Generally, the further away the server is from you, the slower your connection will be.

If you are in Germany, for example, picking the Netherlands would be a great choice.

Beware of anonymity claims

Most VPN providers claim they are completely anonymous and don’t log any information that could identify you, but you should take these claims with a grain of salt as you have no way of telling whether they are actually true.

We recommend assuming they are just empty marketing claims and carefully studying their privacy policy.


6.3.2 Recommended Service

VyprVPN (https://www.goldenfrog.com/vyprvpn) - United States

The biggest strength of VyprVPN is its ease of setup and use. They provide easy-to-use apps for Mac, Windows, iOS and Android, which make the often inconvenient setup more straightforward.

They log a small amount of data about your usage for abuse prevention, but are very open and clear about it – as well as how they respond to investigations – in their privacy policy.

Because they are US-based, this is not the most private VPN service out there if you are concerned about the heavy hand of the US government. For all other intents and purposes, such as securing your Internet connection and data while on public WiFi networks, VyprVPN is a good and easy-to-use option.

Several members of the Sovereign Man team - including Simon - use their service and are satisfied.

That said, no one here puts anything highly private or sensitive online, either.

Other Providers

There are, of course, many more providers, but we only want to recommend those our team members have personally used and liked.

A good start for researching providers is the following link: https://www.bestvpn.com/.

As always, be careful with review websites as a lot of them are actually affiliates of providers and may not be entirely truthful or objective. Do your own due diligence, especially if you require a high amount of anonymity.

If all you want to do is protect yourself while on public WiFi, and from tracking by your Internet provider, then most any VPN service will be sufficient.


6.4 Using TOR & Accessing the Darknet

Tor, aka “The Onion Router”, is free software designed to increase your privacy and anonymity on the Internet.

It works similarly to a VPN in that it encrypts your traffic, but it also routes all the traffic through several “nodes.” Nodes are computers all over the world (run by volunteers) through which your traffic is bounced. This makes it nearly impossible to retrace who visited a page.

When you use Tor, each node only knows the previous and next connection point, but not the entire path through which your traffic flowed.

When you use a VPN, an attacker could gain access to your VPN server and track which VPN user is visiting which pages, but on Tor he would have to compromise each node you are connecting through. Since Tor has A LOT of nodes and your traffic is always zipping through different ones, this is nearly impossible.

Because of the high degree of anonymity Tor provides, it is often used by people under restrictive governments to circumvent censorship, or by activists and whistleblowers to protect their identity. It is also, however, exploited by shady people who buy and sell things on the online black markets.

6.4.1 The Darknet

One of the more infamous uses of Tor is access to the so-called “Darknet”.

While many sites that you can access through Tor are legit, the “dark” portion that is accessible through Tor offers users access to online black markets that sell all kinds of questionable products and services... including drugs, weapons, fake passports, and more.

We urge you to stay away from these kinds of sites, and not just because of the obvious moral issues. Not only do they expose you to legal jeopardy, but they expose you to data theft, as they are riddled with scams and malware.

Educate yourself further about the perils of the Darknet with this video about how the founder of the largest online black market, Silk Road, was apprehended a couple of years ago. It explains how an enormous illegal venue could operate for so long, and how it eventually was shut down.

6.4.2 Should you use Tor?

Although Tor can significantly increase a person’s anonymity and privacy online, it should be used very carefully.

Tor is often portrayed in a “download and run this free tool and you’re magically safe” way, which gives people a false sense of security.

Being completely anonymous on the Internet with Tor is very difficult, and if you make a tiny mistake, your anonymity can be compromised and your identity connected back to you.

As you can see in the video above, even the founder of the largest online black market was not disciplined enough to stay completely anonymous... and eventually was caught.

Unlike a VPN which encrypts all your Internet traffic, Tor usually only encrypts traffic from software that is configured to use it. This means you could easily expose yourself by making an innocuous error... such as downloading a PDF and then opening it with an application not designed to use Tor.

This is just one example of the limitations Tor has, and of the many tiny mistakes you could make.

It is also easy for your Internet service provider to detect that you are using Tor (even if they can’t tell what exactly you are using it for), which could potentially make you look suspicious.

A VPN provides many plausible usage benefits, such as accessing geolocation-restricted online services and protecting your privacy on public WiFi networks.

Tor, on the other hand, is today often used with the express purpose of evading authorities.


Sometimes it’s to evade oppressive regimes when journalists or whistleblowers need to report information of human rights abuses or other actions. But, let’s face it, there’s a viable reason why Tor’s reputation today is not exactly pristine.

Our take: Generally speaking, using Tor is simply not worth it. To protect yourself, we recommend using a VPN instead. It provides sufficient privacy, and it offers reasonable protection from mass surveillance and hackers on public networks.

7.0 SECURING YOUR COMMUNICATION

7.1 Email

When email first started gaining steam 20 or so years ago, it was thought of in the general public as the electronic equivalent of a physical letter, one which travels securely over the Internet and which can only be read by the intended recipient.

That idea could not be further from the truth. In reality, an email is actually closer to a postcard, one which can be read by anyone who intercepts it.

Unauthorised parties such as hackers, governments and nosy system administrators can gain access to your email in myriad different ways.

After you hit the “send” button, your email travels through several servers, routers and ISPs, seldom guaranteed to be encrypted in transit. This means that anyone who has access to these transit points can potentially eavesdrop on your emails and read them.

Edward Snowden’s NSA revelations show that governments actively capture internet traffic in order to store and read emails that are travelling this way in real time.

Unless you specifically encrypt your email, it will be stored on your email provider’s and your recipient’s email provider’s email server in a way that the providers can read, access or surrender to government agencies.

You should always assume that the content of your email can be read by third parties.


As a rule of thumb, never put anything in an email that you wouldn’t want to see read out loud to a jury if you were put on trial.

It sounds extreme, but if you ever get sued, your email is 100% up for grabs in the discovery process.

And never forget that in modern “justice” systems, opposing counsel’s primary objective will be to make you look like a bad person. With enough time and access to your email, they’ll find something. Do yourself a favor and leave sensitive issues out of your email. Period.

7.1.1 Email Encryption

The technology we use to send emails was first created in 1982 and gradually improved upon, but this does not change the fact that it was never designed to be used the way we are using it today.

Although it is possible to encrypt emails, the process is inconvenient. And even if you go through the hassle of setting it up, you will most likely find you won’t have any communication partners who are willing to do the same.

Encrypted emails require special encryption software to be “readable”, and such emails are also not “searchable”. The reason for this is that the email protocol has never been designed with encryption in mind and it is simply tacked on top of the outdated, inherently insecure design.

Additionally, you can only protect the body of the email with email encryption, which leaves the metadata - such as the subject line, whom you communicated with and when - unprotected. It can be enough to know that someone communicated with a certain person at a certain time to compromise their privacy.

Because of these reasons, we encourage you not to bother with email encryption and instead avoid discussing any sensitive information via emails.


For more sensitive info, you should consider using modern secure communication channels, such as encrypted messengers discussed in the next sub-section.

However, if you still want or need to use email encryption, the two most common standards are PGP and S/MIME. If you search for these online, you will find many guides on how to set up and use them.

7.1.2 How to increase your email privacy

Despite email being inherently insecure and email encryption not worth the hassle, there are still several things you can do to increase your email privacy and reduce the chance of becoming a victim of mass surveillance.

Don’t use free email services

“If you are not paying for it, you’re not the customer; you’re the product being sold.”

Email providers do not provide their service for free out of the goodness of their heart.

They do it because they make money from you using their service. In most cases, they make money by showing you advertisements, and get paid every time you view or click on one.

In order to increase the effectiveness of the ads, they store, read and analyze every email and build a detailed profile of you to provide more relevant advertising and thus make more money.

The legality of what they’re doing is iffy. Their privacy policies are often worded vaguely and leave a lot of room for interpretation.

Many people suspect that Google retains deleted emails even after you “empty the trash”. Deleted emails might not show up in your account when you search for them, but there is a possibility that Google employees and the government could still access them if needed.

They even scan every image you send and receive and cross-reference them against a database of child pornography. Yes, reducing child pornography is a noble goal, but keep in mind that this kind of automatic surveillance could easily be extended to much less noble causes.


The solution is simple: Don’t use free email services, as they store much more information than necessary about you and are known to hand over your data as soon as a government agency knocks on their door.

That being said, keep in mind that if you communicate with people who continue using free email providers, your email will still be analysed by them.

Therefore keep our previous advice in mind and leave sensitive content out of emails entirely.

Move your Email offshore

To make it even more difficult for authorities to get their hands on your data, you may want to use an email provider that is outside of the country you are living in.

This does not guarantee that your email will not be seized, but it creates an additional legal hurdle for anyone wanting to gain access to your email.

Definitely avoid the US and UK, even if you are not living in these countries, and consider a more privacy-focused country such as Switzerland or the Netherlands.

Consider using your own domain

Consider buying your own domain and using it for email instead of the default email provider’s domain.

When you use your own domain for your email, you can easily move to another provider without having to notify your contacts or change your logins.

Doing so gives you control and flexibility, which is important, because the paid email provider market is always changing, and there might be another company that could offer you a better service or price in the future.

When you pick your domain, consider using a foreign TLD (the final part of the domain, such as .com or .org) to further increase your digital resilience.

The US government can seize pretty much any .com, .org, .net and many other domains, even if you use a foreign company for the registration.


To protect yourself from that, use a foreign registrar and avoid registering domains that are handled by VeriSign or Afilias, including .com, .org, .net and .name.

You can for example use Sweden’s .se or Iceland’s .is.

By default, anyone can look up who owns any given domain, so always enable your domain’s WHOIS privacy (“whoisguard”) feature and avoid picking a TLD that does not support this feature (such as .ch).

Beware of encrypted email services

There are some email services which focus specifically on privacy, security and encryption.

Some of them even allow you to additionally encrypt your mailbox with a password that only you know, which theoretically makes it impossible for them to access your email.

We say “theoretically” because in reality they can’t access your email… until they choose to backdoor the service.

Earlier we talked about Lavabit, the famous secure email provider that offered similar functionality. You’ll recall that Edward Snowden used it.

The US government ordered the company to backdoor the service to gain access to Snowden’s personal emails, but instead of giving in, the founder chose to shut down the company.

Since email is an inherently insecure communication protocol, and since all of these “secure” providers build on top of that protocol, it is impossible for them to create a completely unbreakable solution.

Some of them try to mitigate this risk by setting up in a jurisdiction that theoretically would not permit such back doors, but even then you shouldn’t lull yourself into a false sense of security.


7.1.3 Recommended Email Provider

We want to stress once more that emails are inherently insecure and should be treated as if they are postcards or flyers that anyone can read.

Even if you pick one of the privacy-focused providers with encryption features, don’t let yourself be lulled into a false sense of security.

Also don’t forget that as a rule of thumb, you should never put anything in an email that you wouldn’t want to see read out loud to a jury if you were put on trial.

FastMail (https://www.fastmail.com/)

This is a great, fast, reliable email provider that has been in business since 1999 and is a big improvement over a free mail provider that “reads and analyzes” every single one of your emails.

Several members of the Sovereign Man team have been using it for a long time and are satisfied with it.

Fastmail is an Australian company, so it ticks the “foreign provider” box for most of us. However, their servers are based in the US, and Australia belongs to the Five Eyes Alliance. In other words, their ability to fend off US government requests is in doubt.

Bottom line: it is not the most private email provider out there, but if you are mostly concerned with each and every email of yours being analysed for ad purposes, and do not want to compromise the reliability of your email provider, then this is a good service for you.

Other Options

There are, of course, other options, many of which we have no experience with, but which could be suitable for you.

The only option we would discourage you from choosing is Neomailbox: a few of our members had negative experiences with its reliability and customer service.


7.2 Instant Messaging & Calls

As you have learned, email is an insecure protocol by design and should not be used for transmitting sensitive information.

If you want to have real privacy, you need to use a communication system that employs end-to-end encryption, meaning that when you send a message, it is encrypted on your device and can only be decrypted on the device of the recipient.

This means that even the operators of the app do not have the ability to read your messages.

7.2.1 Signal https://whispersystems.org/

This is a free, open source app that is supported by donations and is recommended by Edward Snowden and many prominent cryptographers.

It is widely accepted as the best and most secure encrypted messenger and was audited by a team of security experts in October 2016, which found it to be safe.

It is available for both iOS and Android and supports both text messaging and audio calls.

How to ensure your communication is not intercepted

Although an attacker would not be able to decrypt your communication, he can try to intercept it by mounting a “man-in-the-middle” attack.


The graphic shows an example where Bob and Alice are communicating, but Eve intercepts the messages.

This means Eve impersonates Alice, forcing Bob to send messages to Eve instead of Alice using an encryption key Eve knows.

To avoid detection, she forwards that message to Alice and intercepts her messages to Bob in the same way.

Signal allows you to detect this kind of interception through some cryptographic and mathematical tricks.

If you are interested in learning more about how it works, you can watch this video.

How to verify your text messaging

Every conversation inside Signal has a “Safety Number” that you can use to verify whether the person you are communicating with is really the person whom they say they are.

When you are inside of a conversation with someone, tap on their contact name at the top to show the conversation settings and select the “Verify Safety Number” option.

You will see a screen with a QR code and three rows of numbers below it.

[Figure: original communication between Bob and Alice, compared with man-in-the-middle communication where Eve sits between them]

You need to make sure the numbers you see are exactly the same as the numbers your conversation partner sees in his or her app.

It is important to compare ALL of the numbers, and not just the first few, as one half of the numbers identifies you while the other half identifies your communication partner.

You can long-press on the numbers to copy and share them with your communication partner, or just compare them on screens when you meet in person.

If all of the numbers match, then you can be sure you are communicating with the right person, and that your connection is safe.

If the numbers don’t match, it is possible that your communication has been intercepted, but before panicking, make sure both of you have the most recent version of Signal and that you have exchanged at least one message with each other.

You can read further instructions on Signal’s support page here.
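The safety-number check described above, as an added Python model that is not part of the original report or of Signal’s own code: each party’s identity key yields one 30-digit fingerprint, the two fingerprints are sorted and joined so that both screens show the same 60 digits, and when Eve sits in the middle each screen still contains Eve’s fingerprint, so comparing only one half misses the interception. The fingerprint derivation (iterated SHA-512 reduced to 30 decimal digits), the iteration count and the sample keys are constructed assumptions for illustration, not Signal’s actual algorithm.

```python
from __future__ import annotations

import hashlib
import hmac

FINGERPRINT_DIGITS = 30   # one half of the 60-digit safety number, as the text describes
HASH_ITERATIONS = 5200    # assumption for this toy model; slows down brute-forcing a fingerprint


def fingerprint(identity_key: bytes) -> str:
    """Derive a 30-digit fingerprint from one party's public identity key.

    Constructed model: iterated SHA-512 over the key, with the digest then read as an
    integer and reduced to 30 decimal digits. Only the structure matters here:
    one fingerprint per party, fully determined by that party's key.
    """
    digest = identity_key
    for _ in range(HASH_ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    value = int.from_bytes(digest[:16], "big")
    return f"{value % 10 ** FINGERPRINT_DIGITS:0{FINGERPRINT_DIGITS}d}"


def safety_number(my_key: bytes, peer_key: bytes) -> str:
    """Join both fingerprints in sorted order so both parties display the same digits."""
    return "".join(sorted((fingerprint(my_key), fingerprint(peer_key))))


def halves(number: str) -> tuple[str, str]:
    """Split a safety number into its two 30-digit fingerprints."""
    return number[:FINGERPRINT_DIGITS], number[FINGERPRINT_DIGITS:]


def full_match(mine: str, theirs: str) -> bool:
    """The correct check: every digit of both halves must agree."""
    return hmac.compare_digest(mine, theirs)


def lazy_match(mine: str, theirs: str) -> bool:
    """A careless check ('some of the digits match, good enough'):
    true if either half of my number appears anywhere in the partner's number."""
    return any(half in halves(theirs) for half in halves(mine))


def views_direct(alice_key: bytes, bob_key: bytes) -> tuple[str, str]:
    """What Alice's and Bob's screens show when each learned the other's real key."""
    return safety_number(alice_key, bob_key), safety_number(bob_key, alice_key)


def views_mitm(alice_key: bytes, bob_key: bytes, eve_key: bytes) -> tuple[str, str]:
    """What the screens show with Eve in the middle: Alice was handed Eve's key as if
    it were Bob's, and Bob was handed Eve's key as if it were Alice's."""
    return safety_number(alice_key, eve_key), safety_number(bob_key, eve_key)


# Constructed sample identity keys (32 bytes each, the size of a Curve25519 public key).
ALICE_KEY = bytes.fromhex("a1" * 32)
BOB_KEY = bytes.fromhex("b0" * 32)
EVE_KEY = bytes.fromhex("ee" * 32)


if __name__ == "__main__":
    alice_view, bob_view = views_direct(ALICE_KEY, BOB_KEY)
    print("direct connection, full match:", full_match(alice_view, bob_view))   # True
    alice_view, bob_view = views_mitm(ALICE_KEY, BOB_KEY, EVE_KEY)
    print("man-in-the-middle, full match:", full_match(alice_view, bob_view))   # False: detected
    print("man-in-the-middle, lazy match:", lazy_match(alice_view, bob_view))   # True: Eve's half is on both screens
```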


You only have to do this verification once, unless you see a message such as this:

Most likely that means that your conversation partner got a new phone or reinstalled the Signal app.

But if he didn’t, it can also mean that someone is trying to intercept your communication and that you should therefore repeat the verification process before continuing to communicate.

How to verify audio calls

Signal makes verifying calls much easier than verifying text messages.

When you make a call, the screen displays 2 random words, as shown in the picture below:


To verify that the call is not intercepted, you simply need to make sure the words match on both your and your conversation partner’s screen.

Signal suggests the following sequence for verification:

● You read the first word
● Your contact reads the second word
● Confirm these words match on each other’s screens

7.2.2 WhatsApp (https://www.whatsapp.com/)

Signal is the best and safest solution you can use, but you have to convince all your other contacts to use it first, which could be impractical.

We think that WhatsApp is a reasonable alternative. It is used by billions of people around the world and starting in 2016, it has been using the same encryption protocol as Signal.

WhatsApp is not perfect and has its privacy limitations, but if you can’t move the majority of your communication to Signal, then WhatsApp is a big improvement over other unsecured message services and SMS.

Snowden’s leaks have shown that the NSA grabs over 200 million SMS messages every day in blanket (not targeted) surveillance. That being said, you should understand the privacy and security limitations that WhatsApp has, then pick which communications are suitable for WhatsApp and which are better handled through Signal.

WhatsApp Backups

WhatsApp has an option to back up your messages to the cloud. Keep in mind that these backed-up messages will not be encrypted.

You should make sure to disable this option, and be aware that if your communication partner has it enabled, authorities could still get a copy of your communications through that person.


To disable backups open WhatsApp and navigate to Settings > Chats > Chat Backup and make sure it is off.

Key change notifications

Signal by default notifies you if the encryption keys of a conversation change. Such a change is usually harmless, but it also could be a sign of a man-in-the-middle attack.

WhatsApp, however, does not display similar notifications in its default configuration, which could allow such an attack to happen unnoticed.

To mitigate this risk, go to Settings > Account > Security and enable the “Show Security Notifications” warning.

Additionally, make sure to verify the “security code” of WhatsApp conversations in the same way as described earlier in the Signal section.


If you see a warning that a security code changed, do a quick verification with your communication partner to ensure it is not an attempt to intercept the conversation.

In the conversation, click on your partner’s name and then on “Encryption”. Compare whether the security code is the same for both of you.

For more information on how to verify the security code, please refer to this WhatsApp documentation.

In January 2017, the Guardian incorrectly reported that a backdoor in WhatsApp could allow a limited number of messages to be intercepted without the user’s knowledge.

It has been confirmed by WhatsApp and by the developers of the Signal communication protocol that this is not a backdoor, but rather a tradeoff between security and usability.

You can limit the impact of this by following the above instructions to enable security code change notifications, and to make sure you verify them with the other party whenever you see them.

Understand WhatsApp’s Facebook data sharing

WhatsApp updated their privacy policy in August of 2016, allowing it to share phone numbers and usage data with Facebook to serve you more relevant friend recommendations and ads.

The language of the update is vague. It’s also not exactly clear what is being shared now, in which countries, and what will be shared in the future.

If you are a new user of WhatsApp, or have already accepted changes to this privacy policy update, there is unfortunately nothing you can do to opt out anymore.

WhatsApp audio and video call encryption

Although WhatsApp encrypts your calls, it does not offer a method to verify calls the way that Signal provides in their app.

If you need a completely private way to make calls, stick with Signal.

8.0 SECURE YOUR SOCIAL MEDIA HABITS

Most of this report is about communicating privately, but as we are living in the age of social media, there’s another aspect of privacy that you need to consider: the data you want to share with the world can be as dangerous and revealing as the data you want to keep for yourself.

Don’t share your whole life on Facebook.

This may apply more to the young people in the audience, but think about it; if you’re an average visitor to social media websites and apps such as Facebook, Twitter, Instagram, etc., chances are you share some of the following information:

• Your name
• Your birth date
• What you look like
• Past and present locations where you’ve lived, worked, gone to school, etc.
• Your future travel plans
• What your lifestyle looks like
• Your interests
• Your political and religious views
• Who your friends are
• Details of family members
• And last but not least, your location every time you log in

What more could a government agency ask for?

So when it comes to social media, just think one extra time before you post something online. It can save you trouble years down the road.

9.0 SECURING YOUR SMARTPHONE

Our phones are a true gold mine of information about us: messages, emails, contacts, photos, location data and much more. What is worrying about this is how easy it is to lose it or have it stolen.

It’s of utmost importance to protect this information and make sure it doesn’t fall into the wrong hands.

Ever since Apple significantly improved the encryption of the iPhone in September 2014, intelligence agencies in the US have been calling for a legislated ban of strong encryption.

In February 2016, the FBI launched a full-on assault on such technology by trying to persuade a judge to order Apple to create a backdoor that would weaken the encryption and make it possible for the FBI to crack the work phone of the San Bernardino shooter.

They tried to use the “All Writs Act of 1789”, a law that is over 200 years old, to justify their expansion of power.

Although the FBI tried to frame the case as an attempt to find information about other suspects on the phone, it was nothing more than a publicity maneuver.

It was an attempt to take advantage of a tragic case that many people were still very emotional about and gain public support for severely compromising data privacy issues. They wanted to seize the moment and create a precedent that would allow them to backdoor any technology that they might want to gain access to in the future.

The iPhone was a work phone that the shooter did not bother to destroy. They had access to the data on it thanks to a backup that was made six weeks prior to the shooting. Even FBI Director James Comey acknowledged the possibility that there was nothing useful on the phone.

Additionally, the FBI chose to battle this out in public, blogging about it and issuing press releases discussing the details. If there were really any leads on additional suspects, this would have severely diminished their ability to act on any intelligence recovered from the phone.

Fortunately, they did not garner the public support they expected, and dropped the case when they found a way to hack into the phone without Apple’s help.

This was the first big attempt to kill encryption since the 1980s, and we assure you, it will not be the last. But with the help of the next section, you will learn how to secure your phone in a way that would thwart such a backdoor.

9.1 The Passcode

Your passcode is your very first line of defense and is akin to the lock on your front door - it keeps unwanted people out.

How much protection your passcode actually provides fully depends on whether it’s actually used to encrypt the data on your phone, and on the strength of your passcode.

In most cases, your passcode does nothing more than prevent people from walking through the front door of your phone.

Just because your data can’t be accessed by simply unlocking your phone doesn’t mean the data can’t be accessed in other ways... like being copied directly from the device to a computer.

It will keep the curious teenager who finds your phone on the street out, but it does not guarantee it will protect you from a sophisticated attacker.

Does this mean the passcode is unimportant, and that you shouldn’t bother with bolstering it?

No. Your passcode is actually the foundation of your phone’s security; instead of dismissing it, you have to be aware of its limitations and simply know how you can make it more secure.

9.2 Smartphone Encryption

Both Apple’s iOS and Android allow you to encrypt all user data on your phone. Although both platforms offer a similar approach to user data encryption, there are significant differences you should be aware of.

9.2.1 iPhone and iPad Encryption

If you are an iPhone or iPad user, all you have to do is set a passcode to enable user data encryption.

Apple has been encrypting some of your data, such as email, automatically since 2009. In iOS 8, which was released in September 2014, it significantly expanded the amount of data that’s encrypted by default:

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, Notes, and Reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

This protection is also enabled by default for third party apps, although app developers can disable it for certain files.

In addition to using strong encryption, Apple has added measures to ensure the data can only be decrypted using the same iPhone or iPad. This means an attacker cannot create a copy of the encrypted data and brute force it on a powerful machine.

This gives you the convenience of being able to use a much simpler passcode without compromising the security of the encryption.

All encryption features are implemented through hardware and will not slow down your device. You will not notice any difference in performance with or without a passcode.

Enabling Encryption & Passcode

To enable a passcode and the full-disk-encryption, which comes with it, simply enable it in the settings:

• On devices with Touch ID: Launch the Settings App → Touch ID & Passcode
• On devices without Touch ID: Launch the Settings App → Passcode

To further increase your protection, use a more complicated passcode instead of the default four-digit option. You can do this by disabling the option “Simple Passcode” and entering a longer numeric or alphanumeric passcode.

You may also want to enable the “Erase Data” option, which wipes your iPhone after 10 failed passcode attempts. This option is a great protection against random people guessing your passcode, but you should be aware that it has flaws and a very sophisticated attacker can circumvent it.

Therefore you should not rely on it alone, but pick a very secure passcode. More details on what constitutes a secure passcode are in the next section.

Making sure all user data is encrypted

Important: Make sure you are using the latest version of iOS.

If you are using iOS before version 8.0, not all of your data is encrypted. To ensure you have full protection, your devices should be updated to iOS 8.0 or higher.

To check your iOS version:
• Launch the Settings App → General → About → Version

To update your device:
• Launch the Settings App → General → Software Update

All devices released in 2011 or later can be updated to iOS 8 and take advantage of this functionality.

The only devices that cannot be updated are:
• The iPhone 4 and older
• The original, first generation iPad
• The iPod Touch fourth generation and older

9.2.2 Android Encryption

Google has been offering full-disk encryption in Android since 2011, but not by default; you have to turn it on yourself.

They significantly improved their encryption technology in October 2014 with the Android 5.0 “Lollipop” update and improved it even further in the Android 7.0 “Nougat” version.

Although Android has supported encryption for a very long time, and that support has continuously improved, there are still not many phones that ship with encryption enabled by default.

The reason is that unlike the iPhone, very few Android phones support hardware-accelerated encryption. We will discuss this issue below.

9.2.2.1 Limitations of Android Encryption

Off-Box attacks are possible

The most important issue present in versions of Android before 5.0 is that encryption was not tied to the device. This means an attacker could copy the encrypted contents of your phone and brute-force the password on a much more powerful computer.

If you enable encryption on a pre-5.0 Android device, you should use a VERY complicated passcode, otherwise the encryption can be cracked within minutes.

Screenshot of a password cracking tool in action.

The screenshot shows a tool that cracked the password of an Android full-disk-encryption in 59 seconds. The password was 8 characters long and included lowercase letters and numbers: “p4ssw0rd”.

On iOS devices and Android devices with the new 5.0 update the same password would take approximately 7,000 years to break. This is because the attacker would not be able to use a powerful computer to do the attack, but instead would have to use the limited processing power of the phone itself.

Only the internal memory is encrypted on some devices

Many Android devices come with limited internal memory and allow you to add more via additional SD cards. Unfortunately, not all devices support encrypting this additional storage. In that case you need to be careful about what data you store on the SD card.

Performance impact

Unlike Apple devices, most Android devices do not support hardware acceleration of encryption, which degrades the performance and battery life of your device.

Hopefully in the future, more Android phones will implement hardware features to accelerate encryption, but at the moment you have to be aware that your device will likely become notably slower.

Google recently released the new Google Pixel and Pixel XL phones, which are our top recommendation if you are an Android person and if you value encryption and security on your phone. It supports hardware-accelerated encryption and is the quickest to receive security updates.

9.2.2.2 Enabling Android Encryption

Depending on which device you have, and which version of Android it’s running, the encryption can take an hour or more. Make sure you have enough time to finish the process, and make sure to plug your phone into an outlet.

1. Set a PIN or password: Open Settings → Security → Screen Lock → PIN or Password

2. Encrypt the phone: Open Settings → Security → Encryption

For further information, please read Google’s support document.

9.2.2.3 Use the Most Recent Android Version

Significant improvements in encryption technology have been made in versions 4.4 and 5.0 of Android; if possible, you should take advantage of them by updating.

Check which version of Android your device is running: Open Settings → About Phone → Android Version

Update your Android

Unfortunately, many Android devices do not receive many updates, or have to wait a very long time to receive a new version.

Enable encryption even if you cannot update

If you cannot update to Android 5.5 or higher, off-box attacks are possible, albeit probably not for unsophisticated attackers.

The encryption may not protect you from the NSA, or even from a low-level law enforcement agency, but at least it will stop strangers and thieves from gaining access to your private data.

Make sure to use a strong password.

9.2.3 When Is My Data Encrypted and Decrypted?

If you have encryption enabled on your Android or iOS device, user data is encrypted the moment it’s written to persistent storage and decrypted when it is read.

One important caveat is that not all data remains in an encrypted state at all times. When the device is turned on, it needs to be able to access data like your address book to function properly, thus requiring some decryption.

Not encrypted

If you don’t set a passcode on your iPhone or do not enable encryption on an Android device, your system files and other files required to start the device will not be encrypted at all.

Encrypted until first passcode entry

Most user data is fully encrypted until the device is unlocked for the first time after being turned on. Once you type in your passcode for the first time after turning on the device, the data is decrypted and stays decrypted until you restart your device again.

Your contacts are a great example, which you can see for yourself:

Restart your iPhone without unlocking it and call yourself from another phone. You will only see the number and no contact information from your address book.

Once you unlock your phone for the first time and lock it again, you will still see the contact information of the incoming call.

Encrypted while the phone is locked (iOS only)

Sensitive information like Safari passwords is only decrypted while your iPhone is unlocked. As soon as you press the lock button, the data is encrypted again and is no longer accessible.

This functionality is only available in iOS—Android does not support this.

What does all of this mean for me?

The important takeaway from this is that your data is only fully protected before you enter your passcode for the very first time.

Once you enter your passcode, an attacker has several points of entry to access your decrypted data. If you, for example, visit a website on your phone, which exploits a security vulnerability and installs malware on your phone, the malware could send the decrypted information to the hacker.

A more practical example is the case of confiscation:

Law-enforcement agencies have several tools that allow them to copy unencrypted and decrypted files from your device, but you can make it impossible for them by simply turning your device off before handing it to them.

It will be impossible to access the data without your passcode and even Apple, Google or Samsung will not be able to recover it without your passcode. They will have to try to crack your passcode, which can take a very, very long time if you picked a good one.

Recently the police in the UK have found a way to circumvent this: They conduct street robbery and steal a suspect’s phone while he is making a call... and then continuously use it until their forensic team can analyze it.

IMPORTANT: Our recommendation is to always turn off or restart your devices when you are in situations where confiscation is a possibility. This includes police checks, border crossings and so on.

9.3 Picking a Secure Passcode

The complexity of your passcode defines how well your data is protected. If your iOS device is using iOS 8 or higher and your Android device version 5.0 or higher, the complexity of your passcode can be significantly lower as any cracking attempt must be done on the device itself and cannot be done on a very fast computer.

This means you can use a passcode that is easier and more convenient to type while still being sure your data is secure.

If you are using a pre-5.0 version of Android, you should use a long and complex password as described in the password section of this Black Paper for the highest security. Unfortunately, it becomes impractical to enter a difficult password like that every time.

In that case we recommend using the most complex passcode you are comfortable typing in and enabling encryption. It may not protect you from a sophisticated attacker, but it still gives you additional security.

The calculations below are based on the information Apple provided in their iOS Security Guide and should apply to Android 5.0 devices as well.

Look at the table and the time necessary to break the password and then decide what level of security you need.

COMPLEXITY                                                  EXAMPLE      TIME TO CRACK
4 characters with numbers only                              4681         13 seconds
6 characters with numbers only                              254781       22 minutes
8 characters with numbers only                              81262493     92 days
10 characters with numbers only                             3572479317   25 years
4 characters with lowercase letters and numbers             4fa7         1.5 days
6 characters with lowercase letters and numbers             ga5b8j       5.5 years
4 characters with lower and upper case letters and numbers  hF3a44       13 days
6 characters with lower and upper case letters and numbers  hoP532g      52.5 years

Important Note: These calculations are based on Apple’s passcode implementation, which requires an attacker to crack the passcode on the mobile device itself and prevents them from using a much more powerful computer. They do not apply to your usual passwords.

These numbers are also a worst case scenario, where all additional security features, such as delays between wrong attempts, have been disabled. Disabling those delays is exactly what the FBI wanted Apple to implement in the San Bernardino shooter’s case.

This underscores the importance of using a strong password once again - with it your data will be safe even if you don’t have the “delays between wrong attempts” feature enabled!
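The arithmetic behind the table above, as an added example (this is not code from the report): the on-device figure takes the roughly 80 ms per passcode attempt that Apple’s iOS Security Guide gives for key derivation on the phone, which is the assumption used here, and multiplies it by the number of candidates an attacker would have to try given the character classes in the passcode. Under that figure the 6-character lowercase-and-digits row works out to about 5.5 years and the “p4ssw0rd” example from the Android section to roughly 7,000 years, matching the text. The off-box guess rate is a labelled placeholder standing in for the pre-5.0 Android case, where the encrypted image can be attacked on a fast computer; it is not a number from the report.

```python
import string

# Per-attempt cost of one passcode guess when the key derivation has to run on
# the phone's own hardware. Apple's iOS Security Guide gives roughly 80 ms per
# attempt; the report's table is based on that guide, so 80 ms is the
# assumption used in this example.
ON_DEVICE_MS_PER_ATTEMPT = 80

# Assumed guess rate for an off-box attack (pre-5.0 Android: the attacker
# copies the encrypted image and runs the key derivation on a fast machine).
# Placeholder order of magnitude for illustration only, not a measured figure.
OFF_BOX_GUESSES_PER_SECOND = 10_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(passcode: str) -> int:
    """Size of the character set an attacker must search, from the classes present."""
    size = 0
    if any(c.isdigit() for c in passcode):
        size += 10
    if any(c.islower() for c in passcode):
        size += 26
    if any(c.isupper() for c in passcode):
        size += 26
    if any(c in string.punctuation or c == " " for c in passcode):
        size += len(string.punctuation) + 1  # symbols plus space
    if size == 0:
        raise ValueError("passcode contains no digits, letters or symbols")
    return size


def keyspace(passcode: str) -> int:
    """Number of candidates of this length drawn from the same character classes."""
    return alphabet_size(passcode) ** len(passcode)


def on_device_seconds(passcode: str, ms_per_attempt: int = ON_DEVICE_MS_PER_ATTEMPT) -> float:
    """Worst case: every candidate tried serially on the device, retry delays disabled."""
    return keyspace(passcode) * ms_per_attempt / 1000


def off_box_seconds(passcode: str, guesses_per_second: float = OFF_BOX_GUESSES_PER_SECOND) -> float:
    """Worst case when the encrypted image is not tied to the device and can be attacked elsewhere."""
    return keyspace(passcode) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration using the largest unit that fits, to one decimal place."""
    for name, unit in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_estimate(passcode: str) -> dict:
    """Summarise both attack models for one passcode."""
    return {
        "passcode": passcode,
        "alphabet": alphabet_size(passcode),
        "keyspace": keyspace(passcode),
        "on_device": human_duration(on_device_seconds(passcode)),
        "off_box": human_duration(off_box_seconds(passcode)),
    }


if __name__ == "__main__":
    # Example passcodes taken from the report's table and text.
    for pc in ("4681", "254781", "4fa7", "ga5b8j", "hF3a44", "p4ssw0rd", "ac4x7bau"):
        e = crack_estimate(pc)
        print(f"{pc:<10} alphabet={e['alphabet']:<3} keyspace={e['keyspace']:<16,} "
              f"on-device={e['on_device']:<14} off-box={e['off_box']}")
```

The alphabet is inferred from the classes actually present, which is the attacker’s best-case assumption: a passcode made only of digits is searched as a 10-symbol alphabet no matter how long it is, so length and class mix together decide the keyspace. The contrast between the two columns is the whole point of tying the key to the device, as the report describes for iOS 8 and Android 5.0: the same passcode moves from hours on a fast machine to years on the phone.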

9.4 Fingerprint Sensors

When Apple released iPhone 5S in 2013, the biggest new feature was the ability to unlock the phone with your fingerprint. Since then the implementation has become even more accurate and some Android phones have added fingerprint sensors too.

The added convenience is unquestionable—especially if you are following our advice of using a complex passcode. The question is: Is it safe?

There are two major reasons that speak against using fingerprints to unlock your phone:

1. It can be circumvented with a fake fingerprint

In fact, Touch ID was hacked less than 48 hours after the iPhone 5S was released, and it may be possible to create a fake fingerprint from a photo of the finger.

The same hacker also demonstrated that Iris scanners and facial detection can be spoofed in a similar way.

2. Police can force you to unlock your device with your fingerprint

In the US the Fifth Amendment states that “no person shall be compelled in any criminal case to be a witness against himself.”

In 2010, a US District Court in Michigan decided that a person cannot be compelled to provide a passcode because it would require the defendant to “communicate knowledge, unlike the production of a handwriting sample or a voice exemplar”.

A fingerprint on the other hand is more like a key in that it “does not require the witness to divulge anything through his mental process”.

This means that a court cannot force you to be a witness against yourself by providing the passcode of your phone, but they can force you to use your fingerprint to unlock your phone.

3. Not all fingerprint implementations are safe

Apple got it right from the very beginning, since the fingerprint data is stored as a mathematical representation of the fingerprint, which is encrypted and stored in a separate chip called the “Secure Enclave”.

Google has added fingerprint support and security specifications for manufacturers of all devices shipping with Android 6.0 and later. And fingerprints are now also stored in a separate chip, similar to how iPhones store them.

Unfortunately, any fingerprint implementations prior to that should be considered highly insecure, as each manufacturer had their own implementation, and many of them were vulnerable to extremely easy extraction of fingerprint data. We highly recommend you leave that feature off on these older phones.

How to reduce the risk

Even though Touch ID and fingerprint authentication have these major risks, you can significantly reduce your risk by taking advantage of the additional security features on your phone.

On iOS devices the passcode is still required under the following circumstances:

• The device has just been turned on or restarted
• The device has not been unlocked for more than 48 hours
• The device has received a remote lock command
• The fingerprint authentication has failed five times in a row

In 2014 the Supreme Court decided that smartphones are protected by the Fourth Amendment and cannot be searched without a warrant, which means your phone would not be searched immediately. If more than 48 hours go by after seizing your phone, they would not be able to compel you to unlock it anymore, since that would require your passcode.

Again, a better approach to this is turning your device off or restarting it anytime you find yourself in a situation where this may be a possibility. This is also necessary to make sure all the data is in an encrypted state and cannot be copied off the device.

Unfortunately Google did not impose similar requirements on their manufacturers. We were unable to find any documentation on how different phones handle these cases.

What this means for you

The safest approach would be, of course, to use a device that doesn’t allow off-box attacks, such as the iPhone with a six- or eight-character alphanumeric passcode and without fingerprint authentication.

But would you be bothered to actually enter a password like “ac4x7bau” every time you want to check your messages?

The worst thing you can do is use no passcode or a simple four digit passcode. This is what most people use and it offers very little protection against sophisticated attackers.

Using an 8-digit or 6-character alphanumeric (characters and numbers) passcode with Touch ID is a sensible option for some.

Additionally, by not entering the passcode often, you lower the chance of surveillance cameras recording your typing of it.

Be aware that your fingerprints can be copied, and that you can be forced to use them to unlock your phone. If in doubt, quickly turn off your device.

In the end, you are the only one who can decide what level of security you need and what kind of inconvenience you’re willing to go through to protect your privacy and security.

9.5 Additional Settings You Should Check

All your effort of using a strong passcode and enabling encryption on your phone could be wasted if you allow your device to copy all your data to the cloud, for example.

If you store sensitive data online, you should always make sure you are the only one with access to the encryption key and that the data is encrypted on your local device BEFORE it’s uploaded.

9.5.1 Apple iOS

Generally, your iOS device is secure at this point, but you should consider the following iCloud settings.

Apple offers a range of convenient services to store your data online under the name of “iCloud”. These services make it very easy and convenient to sync data across multiple Macs, iPhones and iPads, as well as to keep your data safe in case you lose your device.

These conveniences come at a price, however, and are regularly requested by law enforcement.

Even though Apple stores data encrypted in the cloud, they still have the encryption key. This means they could be compelled to decrypt your data by a court.

Disable iCloud backup

Disabling iCloud backups is the most important step to take. Yes, such backups allow you to restore your device if you break or lose it, and you never have to worry about more secure backups.

Unfortunately, this would also make all your efforts of encrypting your phone useless: Government agencies could simply force Apple to hand the same data over from their cloud.

To disable iCloud backups, follow these steps:

1. Disable the backup by launching the Settings app → iCloud → Backup → set “iCloud Backup” to off
2. Delete previous iCloud backups by following these steps.

Enable encrypted iTunes backups

Instead of relying on automatic backups to the cloud, you should enable backups stored on your computer and protect them with a password. This way every time you plug your device into your computer, or sync it with your computer through the same WiFi connection, it will automatically be backed up by iTunes where it can only be accessed by you.

Follow these instructions to enable iTunes backups.

Follow these instructions to encrypt your iTunes backups with a password.

Disable iCloud drive

iCloud Drive is Apple’s cloud storage, similar to Dropbox. It allows applications to store new documents in the cloud and makes them accessible from all your devices through their apps.

You can browse the contents of your iCloud drive by logging in with your Apple ID here.

How to disable iCloud Drive: Launch the Settings app → iCloud → iCloud Drive → set “iCloud Drive” to off

Disable Photo Stream & iCloud photo library

Storing your pictures online is convenient, but you have to be aware that your photos not only capture your life, they also capture your location. Every time you take a picture on your device, your current location is added to the photo to allow you to see where it was taken.

This data can be used to create a profile of where you go and what you do.

Also think about the kinds of photos being captured. In an age of facial recognition, do you want your children’s irises stored in the cloud? What about compromising photos of you taken by an ex? In 2014 several celebrities learned the hard way that online storage of photos can have embarrassing consequences when their nude pictures were leaked online.

How to disable Photo Stream & iCloud Photo Library: Launch the Settings app → iCloud → Photos → set all options to off

Disable Keychain syncing

With iOS 7, Apple introduced “iCloud Keychain Sync”, which allows you to seamlessly sync your passwords among all your Apple devices. They have gone to great lengths to secure the data and make it impossible even for them to access it.

They documented this in their iOS Security Whitepaper; you can read a good summary of it here.

Nonetheless, there is still a chance a court could compel them to backdoor this service and circumvent these protections.

How to disable iCloud Keychain: Launch the Settings app → iCloud → Keychain → set “iCloud Keychain” to off

Contacts, calendars and reminders

Your contacts, calendars and reminders are also synced through iCloud. Whether you want to disable this function is of course up to you and your privacy needs.

How to disable contacts, calendar and reminder sync: Launch the Settings app → iCloud → set the services you don’t want to sync to off

9.5.2 Android Devices

It’s much more difficult to give concrete advice for Android devices, since every device manufacturer adds their own twist, customizations and additional apps.

You should consult your device’s settings and feature list to find out what kind of services may be sharing or uploading your data.

At the very least, consider the strategies below.

Disable photo backup

Google has a convenient service to back up all your photos to Google+, but for privacy reasons you may want to disable it.

Your kids, for example, might want to claim as much digital privacy as possible when they’re adults. But if you’re uploading thousands of photos of them to Google, they’ll never have that chance. Once privacy is gone, it’s gone.

How to disable photo backup:

Launch “Google Photo” app → Settings → set “Auto Backup” to off

Additionally, you may have to: Launch Google Settings → Google+ → set “Auto Backup” to off

Disable unknown app sources

It’s very important to be careful about what kind of apps you are installing. To be on the safe side, only install apps from the Google Play store and make sure to always check what kind of permissions the app requires. You should also read the reviews to see if the app is doing anything suspicious.

Additionally, you should disable app installations from unknown sources to avoid being tricked into installing malware.

How to disable unknown app sources: Go to Settings → Security → uncheck “Unknown Sources” and check “Verify Apps”

Understand Android permissions

When you download an app to your Android device, the Google Play store gives you a list of permissions the app is going to use. You can use this to decide whether you want to download and install the app. If you feel it’s requesting too much data that it doesn’t need, you can choose not to install the app.

Some apps may ask for unnecessary permissions, such as the ability to grab your GPS position for advertising purposes... even though they don’t need it for the core functionality of the app. Good examples are the numerous flashlight apps.

With Android Marshmallow, Google finally introduced the ability to selectively revoke permissions for applications.

As not all apps properly request permissions, make sure to manually review the permissions for each new app you install.

• On your device, open the main Settings app.
• Tap Apps or Application Manager (depending on your device, this may look different).
• Tap the app you want to update.
• Tap Permissions.
• Next to a permission you want to turn on, move the switch to the right until it turns green. If you want to turn a permission off, move the switch to the left until it turns gray.

With older Android versions it is unfortunately an “all or nothing” approach. And when installing apps, consider what the app is supposed to do and what kind of permissions it would need to function correctly. Don’t install it if you’re at all suspicious of its intentions.

You should be particularly careful when an app wants permissions to your accounts, SMS, microphone or location.
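A way to audit this from a computer rather than by tapping through each app, as an added example that is not from the report and is not Google’s tooling: on a phone with USB debugging enabled, `adb shell dumpsys package <package>` lists the permissions an app requested and, for each one the system tracks, whether it is currently granted. The excerpt below is constructed in that shape for a hypothetical flashlight app; the package name, grant states and flags are invented for the example. The script flags exactly the groups the report singles out (accounts, SMS, microphone, location) and separates permissions that are merely requested from those actually granted, which is the distinction the per-app switches described above control.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the shape of `adb shell dumpsys package <package>`
# output for a hypothetical flashlight app. Package name, permissions and
# grant states are invented for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c4):
    userId=10123
    versionName=2.1.0
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# Permission groups the report says to be particularly careful about.
SENSITIVE: Dict[str, str] = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# One permission line, optionally followed by a "granted=true/false" marker.
PERM_LINE = re.compile(r"^\s*([\w.]+\.permission\.\w+)(?::\s*granted=(true|false))?")


@dataclass
class Finding:
    permission: str
    category: str
    granted: Optional[bool]  # None means requested, but no grant state was listed


def parse_dumpsys(text: str) -> Dict[str, Optional[bool]]:
    """Map each permission to True/False (granted state) or None if only requested."""
    perms: Dict[str, Optional[bool]] = {}
    in_section = False
    for line in text.splitlines():
        if line.strip().endswith("permissions:"):
            in_section = True  # "requested", "install" or "runtime permissions:"
            continue
        m = PERM_LINE.match(line)
        if not m or not in_section:
            continue
        name, granted = m.group(1), m.group(2)
        if granted is None:
            perms.setdefault(name, None)  # do not overwrite a grant state seen earlier
        else:
            perms[name] = granted == "true"
    return perms


def flag_sensitive(perms: Dict[str, Optional[bool]]) -> List[Finding]:
    """Return the sensitive permissions the app asked for, in a stable order."""
    return [Finding(p, SENSITIVE[p], g) for p, g in sorted(perms.items()) if p in SENSITIVE]


def report(text: str) -> List[str]:
    """Human-readable audit lines: state, category, permission name."""
    lines = []
    for f in flag_sensitive(parse_dumpsys(text)):
        state = {True: "GRANTED", False: "denied", None: "requested"}[f.granted]
        lines.append(f"{state:<9} {f.category:<10} {f.permission}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMPSYS)))
```

In the constructed sample the camera permission is not flagged: a flashlight app needs it to drive the LED, which is the kind of judgement the report asks you to make about what an app would plausibly need. Location and microphone, by contrast, have no business in a flashlight and show up as granted, which is the signal to revoke them or uninstall the app.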

10.0 CHOICE OF DEVICES AND SYSTEMS

We did our best composing this guide to help you secure your digital life, regardless of which devices you use, but in this section we want to give you our personal recommendations.

Some devices make it easier - and others make it harder - to keep yourself and your data safe.

However, if you have a motivated, sophisticated attacker with enough resources, you can be almost certain that they will find a way into your device—no matter whether you use a Mac, Windows, Android or iOS.

10.1 Windows vs Macs

Both Windows and Macs have serious security problems from time to time; a debate over which one is more secure is not meaningful.

Neither of them will ever be 100% secure.

On the other hand, if you are concerned about general malware, viruses and so on, Macs have a significant edge over Windows.

This is not because they are in some way inherently less prone to malware, but simply because Macs have fewer users and are therefore less frequently targeted. Writing malware is a difficult task that requires time and resources, and since most of it is being written with profit in mind, hackers usually target the platform where they get the highest return.

This advantage may not last forever, but at least for now it gives you additional peace of mind.

On top of that, every edition of macOS includes full disk encryption (FileVault) without special software, whereas Windows ships BitLocker only in its Pro, Enterprise and Ultimate editions.


Software you download for your Mac is also less likely to come bundled with spyware or adware than its Windows counterpart, although Mac adware does exist, so the same caution about download sources applies.

10.2 Android vs iOS

When it comes to Android and iOS, the differences in security are more apparent than between Macs and PCs.

Apple continues to differentiate itself from its competitors by putting a strong focus on privacy, designing features to share as little data as possible and pushing strong encryption on all of their devices.

Apple has put a lot of effort into locking down iOS, and although many people don’t like this because they are limited to apps which Apple allows in their App Store, it has created a much safer platform.

Malware on iPhones that have not been jailbroken is rare, for example, but the most important reason why iOS is a safer choice for most people is Apple’s update policy.

Updates are great and often add new features beyond what you initially paid for. Still, that’s not the main reason why you should always keep all your devices current: Software updates fix security vulnerabilities and bugs, which is critical to keeping you safe.

Apple generally tries to provide updates for their devices for at least 3 years after their release, and all updates are available immediately to all of their devices at the same time.

A good example is the iPhone 4S, which was released in 2011 and has continued to receive updates for 5 years, through August 2016.

Android users receive far fewer updates, and when one does arrive it can take up to six months. The reason for this is Google’s process: Google creates a new version of Android, device manufacturers modify it by adding their own software, and then mobile carriers add their own branding and software on top of that.

When an important security vulnerability is discovered, Google is usually quick to create an update, but then the device manufacturers have to add their customizations to it and test it before handing it over to the mobile carriers, who then have to do the same.

For you as a user this means that you will have a phone with a critical software vulnerability that you cannot close for up to six months or longer, and that is only if your manufacturer and carrier bother to go through the entire process and provide you with an update at all. On Android 6.0 and later you can see how far behind you are under Settings → About phone → “Android security patch level”, which shows the date of the last patch set your device received.

For example, in July 2015 a critical vulnerability (the “Stagefright” bug in Android’s media-playback library) was found that allowed a device to be compromised without any user interaction, through a specially crafted MMS message.

It was estimated that between 1.4 and 2 billion devices were affected... and 9 months later, more than 40% of them were still vulnerable.

Although this was regarded as the most severe Android vulnerability found up to that point, it was not the only one. Multiple critical vulnerabilities were discovered throughout 2016, and many devices will remain exposed to them for a long time.

CONCLUSION

As you can see, in general Macs and iPhones tend to be more secure than Windows and Android machines and phones. Does this mean that you must throw away your Windows PC immediately and rush to the next Apple store to buy a new Mac?

Probably not, especially if you are generally happy with Windows, and if the reasonable level of security that it can provide is enough for you. (That likely constitutes a lot of people).

By following the advice we’ve presented in this Black Paper, you may achieve healthy levels of security, even with Windows and Android.


However, if obtaining the highest possible levels of security is your main goal, then for now at least you should strongly consider switching to Apple products.

If you prefer Android-based phones to iPhones, Google’s own devices are the safest option. They receive security updates sooner and are the first to get new security features such as hardware-accelerated encryption. If you insist on a device from a manufacturer other than Google, at least try to buy it “unlocked” rather than as part of a mobile carrier plan, since carrier-branded firmware adds one more stage to the update process.

Whichever path you take, be sure to follow all of our critical recommendations outlined in this Black Paper.

They’re the ones we use. They’re the ones Simon uses. And they’re the ones that, after painstaking research, we believe will keep your digital life as private, robust and secure as humanly (or inhumanly) possible.

You need to make a decision that is best for you while understanding the risks. The objective of this Black Paper is to give you the scope of those risks.

And to remind you to never… ever… ever use your pet’s name for a password again.