Getting Hacked and Getting Hard



Clearance sale! Vans shoes cheap! I was as surprised as anyone to hear that I’d pivoted from blogging to hawking knock-off footwear on Facebook. After pulling down the scam posts and changing my password, I checked my activity log. At least three interlopers had somehow managed to access my account, one of them several years ago. Creepy, but unimaginative: they didn’t lock me out, or steal my identity, or use my password to access other sites. As far as I know, my nudes are still between me and Zuckerberg.

Then there was the second incident: I changed my Google password, immediately forgot it, and couldn’t get back into my account. This was bad, because at that point, I lived inside the Google ecosystem. I had a Chromebook and an Android phone, used Chrome for all my browsing and bookmarks, kept all my files, photos, and storage in Drive, did all my work in Docs and Sheets, and had all my contacts and other accounts connected to Gmail. None of it was backed up anywhere else, and now it was all gone.

I filled in the account recovery forms over and over, and sat there silently panicking as each robotic form rejection destroyed a tiny piece of my soul. There was no way to get in touch with a human being. With one moment of carelessness, I had lost all my work, years of treasured memories, and my entire digital life.

Then I remembered that I knew some people at Google, so I sent them a grovelling message and they eventually got me unlocked, even though it had nothing to do with their department. Phew.

On both occasions I got lucky: it could have been much, much worse. Screwing up for a third time was probably tempting fate, so I decided it was time to actually sit down and do a personal security audit of my digital life.

That’s how I got hacked. This is how I got hard.



Bottomless Pits of Doom

Hardening your online security is a big fat juicy asymmetry. Looking at it through the optionality framework, the downside risk is essentially unbounded: if there’s even a small chance of losing your money, your files, your livelihood, your accounts, your identity, that has to be mitigated at all costs. It’s a Bottomless Pit of Doom.

At the same time, there are simple precautions that reduce this downside risk by ~95 per cent. These insurance-style options are not only cheap to take out, but free. The only real ‘cost’ is the time spent figuring out best practice, and then actually taking the required steps.

So why do so many otherwise smart people take the ‘do literally nothing and hope for the best’ approach? I think it’s because the threat isn’t visceral. No-one is comfortable walking alone through a strange city at 3am, because we’re wired up to be scared of muggers and rabid dogs. But it’s much harder to develop the required respect for cybersecurity until something bad happens, by which point it’s already too late.

[Image: a ‘hacker’ stock photo]
‘hacker’ stock images are really not making it any easier to take this stuff seriously

There’s also the sheer inertia: even if you vaguely know this is important, you still have to waste a weekend researching what to do and doing an audit of all your accounts.

Having already wasted said weekend, I thought I might as well share my notes, and hopefully make it a bit easier for anyone else who wants to follow suit. Obviously I’m not a security expert. Don’t take my word for anything! But maybe it’s useful to read a security guide for dummies, written by a dummy.

(Also, I’m obscuring the details of my own setup slightly because I’m not that dumb. Come at me, discount shoes scammers.)


General Principles of Online Security

The personal security audit has six pillars:

  • Set strong passwords
  • Use two-factor authentication (2FA)
  • Contingency planning
  • Secure your devices
  • Backup everything
  • Avoid prying eyes

Before we get into the specifics, a few general principles:

Paranoia is totally rational

You’d have to be the unluckiest schmuck on the planet to have your data stolen the first time you connect to a public WiFi network without protection. Probably nothing will happen the first hundred times, or even the first 1000 times.

The thing about taking a small ‘one-off’ risk is that if you keep doing it over and over, you will eventually blow up with 100 per cent certainty. As Nassim Taleb puts it, repetition makes paranoia about low-probability events perfectly rational.

Redundancy, redundancy, redundancy

You will forget your password. Your phone will get lost, and with it all your two-factor authentication codes. A company which has your details on file will be compromised.

When this happens, you need a system with built-in redundancy. You can’t rely on any one factor to save you. You need a Plan B to fall back on as a bare minimum, and preferably a Plan C too.

Perfect is the enemy of good

This guide will get you hard. But it won’t get you, like, titanium hard. I’m only covering the most obvious steps, which are but a tiny drop in a huge and ever-changing ocean of cyberwarfare.

Unless you’re some kind of criminal or high-value target, I think an 80/20 approach is fine. It might even be optimal, considering how many breaches are caused by security that’s too complicated or onerous for anyone to actually stick to.


1. Set Strong Passwords

OK, I admit it. I had basically one password, and then used variations of it on almost every website. My brilliant code looked something like this:

!spankyFacebook69

!spankyTwitter69

!spankyBank69

…etc

If someone got access to any one of my passwords, they would essentially have them all. And the hackers wouldn’t even have to guess my stupid password: they could just steal it from some company’s database, and then apply it to all my other accounts.

This is probably a good time to check whether any of your accounts have already been pwned.

[Image: Have I Been Pwned result for my email address]
🙁

My personal email address turns up four related breaches going back to 2013, one of which happened pretty recently. So my hacked Facebook page is no longer looking like such a great mystery.

In my defense, it can’t be humanly possible to remember unique passwords for 100+ different accounts, each of which requires some highly specific combination of characters, and must be changed under a waxing moon or whatever. This is the kind of bad design that leads people to do dumb shit like keeping their passwords on a post-it taped to the monitor, or uh, using slight variations of the same code for everything.

The good news is that password managers exist. All you need is one master password to unlock your central vault, and you can write down all your passwords in one place. This is basically the same as the ‘taped post-it note’ strategy, except it’s actually secure. Neat!

The killer feature is that you can also replace all the useless !spankyFacebook69 passwords with randomly generated ones like this, and load them from your vault with one click:

[Image: LastPass password generator output]
now THAT’s a password

Some browsers offer password managers, although it’s better to use dedicated services like LastPass, BitWarden, 1Password and Dashlane. They’re all free or cheap: here’s the Wirecutter review.

Nowadays, the only thing I have to remember is my master password, which gives me access to 98 per cent of my stuff, along with a couple of other unique passwords for ultra-secure accounts which only exist in my head (see principle one: paranoia).

The master password is the weakest point in the system, which means it has to be rock-solid. One approach is to use passphrases made out of random words strung together, like spankchickenchairfriend. The concern is that these can be deciphered by ‘dictionary attacks’ based on common words, whereas incomprehensible strings of gibberish are harder to brute-force.

There was a big debate in the security community about this a while back, which led to this definitive post. As AviD pointed out, there are two components to a password: not only how difficult it is to guess, but how difficult it is to remember. Failing to account for human frailties leads to bad outcomes, which is why we must follow AviD’s Rule of Usability:

Security at the expense of usability comes at the expense of security.

(principle no. three: perfect is the enemy of good.)

Personally, I want to have the best of both worlds. With some simple mnemonic tricks, you can get a high-entropy password which is still easy to remember.

Take the first letter of each word in a quote or song lyric that you can easily remember. Let’s assume for the sake of this exercise that my favourite song is Taylor Swift’s Bad Blood:

‘Cause baby now we got bad blood / You know it used to be mad love

This gives us cbnwgbbykiutbml, which is already a decent start. We can make it harder by adding an extra riff: either changing some of the letters into 1337-speak, or varying the cases, or inserting a number. I’m going to Spongebobise the text, add half of my old cellphone number at the start by holding the shift key down while typing the numbers, and add the other half at the end just for good measure:

)@[email protected])$CbNwGbByKiUtBmL$(&(

That looks suitably gibberish-like. Now let’s test it:

[Image: password strength checker result]
once you get into the realm of numbers that were clearly made-up by a five year old you’re probably good

This is overkill. I probably wouldn’t bother changing the cases, because it’s too annoying to type, and might use a shorter number, or only append it to one end. The point is that a password like this is ridiculously hard to brute-force, while simultaneously being ridiculously easy to remember. It’s literally the first line of my favourite song and my first ever phone number, and yet it would take seven squillion years to crack.
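As an added example (not the author’s code), here is the mnemonic recipe above carried out in Python, with a rough brute-force estimate for the result and for a random-word passphrase. The shift-key digit mapping assumes a US keyboard layout, and the phone number and the 1e10 guesses-per-second cracking rate are constructed assumptions.

```python
import math
import string

# Constructed inputs: the lyric from the post and a made-up phone number.
LYRIC = "‘Cause baby now we got bad blood / You know it used to be mad love"
PHONE = "02044979"

# Digit row with shift held down, assuming a US keyboard layout.
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))


def acronym(phrase: str) -> str:
    """First letter of each word, lower-cased; separators like '/' are dropped."""
    firsts = [word.lstrip("‘'\"(")[:1] for word in phrase.split()]
    return "".join(c.lower() for c in firsts if c.isalpha())


def spongebob(text: str) -> str:
    """Alternate upper/lower case starting with upper: cbnw -> CbNw."""
    return "".join(c.upper() if i % 2 == 0 else c.lower()
                   for i, c in enumerate(text))


def shifted(digits: str) -> str:
    """Type digits with shift held down: '0204' -> ')@)$'."""
    return "".join(SHIFTED_DIGITS[d] for d in digits)


def build_master_password(phrase: str, number: str) -> str:
    """Half the number (shifted) in front, the Spongebobised acronym, other half behind."""
    half = len(number) // 2
    return shifted(number[:half]) + spongebob(acronym(phrase)) + shifted(number[half:])


def charset_size(password: str) -> int:
    """Size of the character classes an attacker would have to include."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits if the attacker knows only the character classes."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Random-word passphrase drawn from a diceware-style list of 7776 words:
    what a dictionary attack on 'spankchickenchairfriend' is actually up against."""
    return words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time at an assumed offline cracking rate (1e10/s is a constructed
    figure for a fast, unsalted hash); halved because the attacker finds the
    password on average halfway through the space."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    pw = build_master_password(LYRIC, PHONE)
    bits = brute_force_bits(pw)
    print(pw, f"{bits:.1f} bits", f"{years_to_crack(bits):.3g} years")
    # Caveat: crackers can generate acronyms from lyric databases, so treat the
    # charset estimate as an upper bound; the private digits and the shift
    # trick are the parts no song-lyric wordlist can supply.
```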


2. Use Two-Factor Authentication (2FA)

Once you’ve got a strong password, there’s almost no chance it will be cracked before the sun implodes, but we’re not out of the woods yet.

Scenario 1: Someone steals your computer, or otherwise gains remote access to it. Assuming your password manager is unlocked, they can now log into pretty much all of your accounts without needing the master key.

Scenario 2: One of the many companies with whom you have an account gets hacked. They have not demonstrated big brain behaviour in storing your details on the backend, and the hackers can just take your password as plain text.

In either case, I’m not worried at all, because I have 2FA set up on any account that matters a damn. If someone tries to log in from a new location, IP address, or device, they’ll be prompted to enter a code sent to my phone. Unless they have also stolen my phone, and my phone’s access code, they’re not going to get anywhere: I can easily reject the unauthorised login attempt and update my password.

Of all the different types of 2FA, one unusually bad option is to get SMS messages sent to your phone. These are vulnerable to ‘SIM spoofing’ attacks (more commonly called SIM swapping), in which hackers get your mobile provider to switch your number to their own device. Plus it’s a pain in the ass to update all the accounts if you change your phone number.

A better option is to use something like the Google Authenticator app, which keeps all your secret 2FA codes easily accessible in one place, and regenerates them every 30 seconds.

[Image: Google Authenticator code list]
looks like this

If you have a hard password and proper 2FA you’re basically golden. At this point, your own worst enemy is likely to be yourself.


3. Contingency Planning

A friend and I were exploring a huge bazaar in Colombia called El Hueco (‘the hole’). We got separated for a split second, and immediately lost each other in the crowds. She didn’t have my address memorised, she didn’t speak Spanish, and it was not a good place to be after dark. None of this would have mattered, except for the fact that her phone was in my pocket and we had no way of contacting each other (why does women’s clothing never have functional pockets?). She eventually managed to find a computer in a hotel lobby, and logged into Facebook to message me, but all of her accounts were blocked by 2FA.

This was a stressful experience.

When something frustrating happens, it’s tempting to call off the whole enterprise and go back to having crappy security. Especially if you ever make it so rigid that you accidentally lock yourself out of some account forever, like I almost did with Google. No redundancy, no backups, no mercy.

In either case, the answer is to come up with contingency plans. Let’s say I’m having a really bad, no-good day: someone steals my phone on the train, and I forget my master password. I’m locked out of my password manager, and therefore almost all of my accounts. I try to send a hint to my Gmail address, but it asks me for a 2FA code to log in… generated by the phone I don’t have.

No fear. Having learned my lesson, I now have multiple 2FA methods set up with Google, including single-use backup codes on a piece of paper in a secure location. If I need to recover my account entirely, I’ve registered two recovery phone numbers, as well as a sister account which, crucially, is not tied to my password manager (principle no. 2: redundancy, redundancy, redundancy.)

I highly recommend not dismissing those annoying prompts that companies send asking you to verify your phone number or provide extra information to recover your account. I also recommend signing up for the emergency 2FA codes which most accounts offer, then printing them off and giving them to a trusted friend or family member, or locking them in a safe.
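To show what sits behind the authenticator codes from section 2 and the single-use backup codes described here, this added example (my own, not the author’s or Google’s code) implements RFC 6238 TOTP, the scheme Google Authenticator uses, plus a small store of one-time recovery codes. The secret is the published RFC 6238 test key; the backup-code length and the `demo` walkthrough are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Test secret from RFC 6238 (ASCII "12345678901234567890" in base32); a real
# authenticator app secret is the random base32 string behind the QR code.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code window


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code depends only on the shared secret
    and the 30-second window, so phone and server agree without any network."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side to tolerate
    clock drift; a code from further back is rejected."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * STEP), code)
               for d in range(-skew, skew + 1))


class BackupCodes:
    """Single-use recovery codes: the plaintext list is printed once, the
    server keeps only hashes, and each code works exactly one time."""

    def __init__(self, count: int = 8):
        # 40 random bits per code, shown as 10 hex characters (constructed choice).
        self._plain = [secrets.token_hex(5) for _ in range(count)]
        self._unused = {self._digest(c) for c in self._plain}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self) -> list:
        """Hand out the printable codes once and forget the plaintext."""
        codes, self._plain = self._plain, []
        return codes

    def redeem(self, code: str) -> bool:
        digest = self._digest(code.strip().lower())
        if digest in self._unused:
            self._unused.remove(digest)  # burn it so a replay fails
            return True
        return False


def demo(at: int = 1234567890) -> dict:
    """Normal login with the app's code, then the lost-phone path with a paper code."""
    codes = BackupCodes()
    paper = codes.issue()  # this list is what goes in the safe or to a trusted friend
    return {
        "app_code_ok": verify_totp(RFC_SECRET, totp(RFC_SECRET, at), at),
        "stale_code_ok": verify_totp(RFC_SECRET, totp(RFC_SECRET, at - 4 * STEP), at),
        "paper_first_use": codes.redeem(paper[0]),
        "paper_replay": codes.redeem(paper[0]),
        "paper_unknown": codes.redeem("0000000000"),
    }
```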

So now we have strong passwords, 2FA, and contingency plans. But none of this matters if someone can access your physical device.


4. Secure Your Devices

Last summer I worked out of an unassuming library in San Francisco, which just so happened to be the site where the Dread Pirate Roberts was finally arrested. The way they got him in the end was very low-tech: two FBI agents pretended to be quarreling lovers, then a third snatched his open laptop away while he was distracted, before he could close it or encrypt its contents.

[Image: laptop being snatched]
YOINK. oldest trick in the book

I don’t run an illegal darknet marketplace from my computer, or even have anything particularly embarrassing on it. But I do stay logged in to some of my accounts for convenience, which means anyone who gets into my device can effectively read all my emails in the cloud, access all my documents, look at all my photos, etc.

Some obvious precautions: use a strong, unique password for your devices, set the screen so it locks if left unattended, and make sure you’re signed up to remotely track/disable/wipe your devices with Find My Device or similar.

A determined thief could still bypass your device password by other means, so you should also consider encrypting your data with FileVault (Mac) or BitLocker (Windows). There might be a small performance hit, especially on older machines, but it’s almost certainly worthwhile.

Reduce your surface area to attack by deleting any unused apps, make sure software is set to update automatically, and review all the current permissions: you should only give access to apps you trust.

As far as virus protection goes, Chrome OS is the closest thing to completely virus-proof, and Mac OS has historically been relatively secure because it’s a closed system (this is still true, although less so). I don’t know what Windows users should do, sorry.


5. Backup Everything

It’s nice having pretty much my entire life neatly filed away in the cloud. Paper is for cavemen. As far as I know, highly reputable storage services like Drive have never lost data outside of user error, but a) paranoia is totally rational, and b) they can arbitrarily ban your account any time they want.

For any type of cloud-based service, the obvious redundancy is to sync a folder with all your data to the hard disk on your computer: if something screwy happens online, you have another copy.

Scheduling automatic backups is always better than relying on such feeble things as memory and willpower. For example: this entire website is automatically backed up by my host, Siteground. If I break something or the site gets hacked, I can go back and restore from my pick of different versions.

You might also save a copy of your data to a rugged indestructible external hard-drive, and then store it in a different location to your main computer. This is not ideal for work-in-progress, but it works fine for data you don’t access or update often. Plus, you know, redundancy and all. Better to lose six months of recent files than to lose the whole lot.


6. Avoid Prying Eyes


It’s best to go ahead and assume that everything you put in cloud storage can always be accessed by the government and various other spooks: all your photos, all your emails, your pirated media, your secret diary entries, etc. If you’re important enough to be worth spying on, I guess you need to think about encryption. This is beyond me, so all I will do is flag the issue: almost every company will certainly hand over your dossier when law enforcement comes knocking.

The second main vulnerability is your web browser and search engine. Google hoovers up vast swathes of your data, and Incognito Mode is a bad joke: website operators and advertisers still have all sorts of creepy ways to triangulate who you are. Firefox has much higher privacy standards, especially when used with an anonymous search engine like DuckDuckGo.

I deleted my data and blocked Google from tracking me in certain ways, but I’m too wedded to the ecosystem to escape it all together. I still use Chrome as my main browser, and the Firefox + DDG combo if I want to search for something I’d rather not add to my file.

The third main vulnerability is your Internet Service Provider (ISP). This time, it makes no difference what browser or search engine you use: your ISP is watching every move you make. On websites that don’t use HTTPS (the padlock icon) it can see your passwords, address, credit card details, and exactly what you’re buying—especially horrifying in countries where ISPs are allowed to sell your info to advertisers and other third parties.

Installing the HTTPS Everywhere extension is a good start, but your ISP can still see the general flow of your traffic, and make all sorts of inferences. The only way to avoid its prying eyes altogether is to use a Virtual Private Network (VPN) to ‘tunnel’ through the Internet and pop up from a different IP address.

The problem with using a VPN constantly is that it drags on speed, and often creates issues with logging into accounts (the strange IP address triggers a security review). Personally, I leave it off except when I want to unblock content which is geo-restricted, or I’m using a public or non-secure WiFi connection.

Some VPNs log more or less data, with the general consensus being that those based in Five/Nine/Fourteen Eyes countries are probably more likely to dob you in to the feds. There are other trade-offs here between price, performance, location, and protocols. After looking over this spreadsheet, I ultimately settled on Mullvad. They take their obligations ridiculously seriously: they never know who you are; you can send them literal cash in an envelope, pay with crypto, and they log next to nothing. I also liked that they don’t have affiliates, or do any other shady marketing.

Of all the items on this list, this is the only service I’m paying for: none of the free VPNs seemed good enough to me, and I didn’t want to pinch pennies on something this important. Mullvad has one flat monthly rate of €5, which is hardly going to break the bank.


Personal Security Audit Checklist

There are always going to be trade-offs between usability and privacy/security, but for me, this gives the maximum of results with the minimum of effort.

Here’s a checklist:

  • Get a password manager
  • Create a strong master password you won’t forget
  • Generate strong, unique passwords for all of your existing accounts
  • Set up 2FA for all your important accounts
  • Set up physical 2FA backup codes and store them securely
  • Run through contingency plans to make sure there’s no chance of being permanently locked out of an account
  • Delete unused apps and set others to update automatically
  • Set strong passwords on your physical devices
  • Consider encrypting your hard disk
  • Schedule automatic backups for your computer and cloud accounts
  • Install the HTTPS Everywhere browser extension
  • Consider using Firefox + DuckDuckGo instead of Chrome + Google
  • Sign up for a VPN and use it whenever you’re on a public or untrusted WiFi network

That’s it. Again, I’m no expert, but I thought I might as well share my notes and give you a decent starting point. If you have any further suggestions or corrections, add them in the comments. And if you want to buy some discount Vans shoes, I can totally hook you up.

16 Comments
Gina Stevens
4 days ago

Hey Rich, new reader here, LOVING what I’ve read so far…. just in case you were truly interested in the history of pockets https://99percentinvisible.org/episode/pockets-articles-of-interest-3/

Monica
7 days ago

That’s a great article. Earlier this year my KiwiSaver provider got hacked. They got my name, date of birth, email address, phone number, driver’s license and IRD number. I had to spend 3 days changing all my passwords, putting credit freezes in place (the worst process ever) and getting a new driver’s license, new email address etc. It was extremely stressful and at the end of the day my data is still out there in the hands of God knows who.

Monica
5 days ago

Yes when I went to AA to get my license they knew exactly what had happened. They got something like 20,000 people, maybe more. It’s worrying that companies keep data in the same place so hackers can get all of it. There should be some way of storing photo ID and IRD numbers separately

Jonathan Sterling
7 days ago

> do all the above
> go to https://www.google.com/maps/timeline
> weep

Claire
7 days ago

Haven’t read yet but thank you because I fell for a phishing attempt a year ago and despite having changed most of my passwords there were some I missed because they weren’t in my password manager, and it’s all terrible. Bleh.

Simon
7 days ago

Hi Rich, I responded in your email – but forgot to add one thing. Firefox are introducing to limited countries for now a VPN. It is a bit pricey but .. one thing it has which no other does is other than the usual goodness apparently performance.

One of the major issues for VPN is that it can slow down your connections but the new VPN from Firefox is supposedly much faster.

Alex
7 days ago

If you have a hard password and proper 2FA you’re basically golden. At this point, your own worst enemy is likely to be yourself.

Unless hackers pay a low-level admin at Twitter to switch your account recovery email address to an address they control – allowing them to control your account and send bitcoin tweet spam…

Also, I’ve switched from Chrome to Brave for my primary browser – it’s basically Chrome under the covers, but without all the Google-tracking stuff.

Alex
7 days ago

So far I haven’t found a Chrome extension that doesn’t work in Brave – of the dozen or so (out of thousands) that I use.

Gardie
3 days ago
Reply to Alex

+1 for Brave, been using it for almost a year, the numerous extensions I’ve loaded for specific things have worked fine but I only tend to use a couple regularly. It uses DDG as the search engine by default though occasionally you may want to search outside of that as you still can’t beat the ‘Google bubble’ to find that certain thing you’re looking for.
Try private browsing with TOR to anonymise your IP and watch the VPN ads tell you you’re in *some country you’re not in* and you should use a VPN to hide your IP, smugness abounds.
Though your ISP may be blocking TOR, mine worked for a while now it just times out 🙁

BTW – Congrats on your great blog, I’ve been a long time lurker but finally *joined in* as your range of topics resonate well with me.