The Iron Jacket and Cyber Security Evolution – Summer 2017

The Iron Jacket and Cyber Security Evolution Summer – 2017

Deadly new Cyber Security threats are coming to a business near you… very soon. Cyber mayhem is on the horizon. To bring better continuity to the collective underlying thoughts, this series of blog scripts’ has been re-set to perform more like a short book. Cyber Security is constantly evolving and growing. Can we do less and survive? As we have been plowing new ground, we have encountered moldy old artifacts.

What we have learned in recent months has brought our standard business plan to a screeching halt.

We have the world’s best cyber security products, but selling them under a standard business plan, without benefit of the following observations would have been a colossal failure… one that I personally do not wish to be a part of. This treatise will explain why. It will also reveal insightful information that every business person needs to read. Be sure to read Post # 5 – “Spin the Bottle” as Cyber Security is about to become deadlier than ever.

 

POST # 1   Cupcakes full of surprises

By J.R. Hildebrand, CEO, RADIAN Global, Inc.

May 2016 / edited and re-posted Summer 2017

In the summer of 2015, we at Raidian Global discovered a serious potential security breach within the general assembly of essential Internet access hardware. Units were being shipped from various factories to retail markets with built-in firmware flaws that could make every user vulnerable to multiple forms of hacking.

Because of the potential, large volume impact on a global basis, the only way to quickly deal with this issue was to make the manufacturers of these products aware of the issue and challenged them to immediately fix it. We labeled the exploit group “Cupcakes” and proceeded to privately contact the manufacturers. Our mission was to thwart a potential worldwide catastrophe without expectation of monetary gain. Getting through to them without demonstrably shaking their very cores was a larger, more time and resource consuming effort than we ever imagined. Just dealing with the initial denial of probability was disheartening at best.

An ounce of prevention.

We faced a conundrum of gigantic proportions. Handling our discoveries on a highly responsible basis was priority one. Going public with this information would have panicked the end users while also alerting hackers. This was a tough issue. Hackers who perhaps had not yet discovered the exploits would have a bonanza of opportunity to play with for the months that it would take to shut down the exploit portals. Looking at the big picture, we elected not to go public and surmised that widespread damage was diverted because of the silence. We gambled on manufacturers to do the right thing, but only under threat of negative public exposure, did they respond. The IT personnel we contacted eventually, but reluctantly, reacted in a positive manner. However, to save face and embarrassment, they quietly went about correcting the issues in a some-what covert fashion.

We tried to be a helpful partner, demonstrating to these folks our sincerity and capability in Cyber Security. We elected to take the high road to assist with no financial expectations for our help. We merely wanted the exposure for who we are and what we do and perhaps find a new collaborative partner. In this regard, we failed miserably. Yes, these folks all know who we are now. However, because of the culture of pride, we were summarily dismissed and ignored in order for management teams to save face with their bosses… who had no idea that a huge, potential crisis for them had in reality been diverted by a relatively unknown third party from an unlikely haven in Colorado.

We must explain here that we learned a valuable lesson about an underlying issue that lurks deep and has greater long-term consequences than you might initially think. Fact; many of these folks are of certain ethnicity where their ancestral cultures run deep. Within these ancient cultures, publicly admitting that one has made a mistake and following up with efforts to correct it is not readily accepted behavior. Therefore, when Raidian Global recognized “Cupcakes” for what it was and corrections initiated by those whom we alerted, there were no big announcements. Corrections were launched with sudden and yet subtle, visually laid-back action. End users were softly encouraged to change passwords, update firmware and practice other security protocol with their equipment. This result presented a very sharp, double-edged sword. On one side, a potential catastrophic event was quietly foiled without causing panic and without giving hackers any play. However, on the other side, the stealth approach has unavoidably enabled a cultural lack of transparency and accountability.

Friends, you must realize and understand that this formulary of veiled ‘discovery and fix’ happens more often than not. Unfortunately, it seems the silent treatment is frequently applied, un-ethically; more to save face for developers than to ethically protect consumers from hackers. Demographics of culture, age, ethics and biases are huge issues. It would seem that the more things change, the more some do not.

The next blog post will address these issues and how the stage is being set for more mayhem.

 

POST #2         Pride and Ego worse than hackers.

By J.R. Hildebrand, CEO, RADIAN Global, Inc.

August 2016 / edited and re-posted Summer 2017

Our previously reported experience with “Cupcakes” helped confirm emerging suspicions regarding how basic ego and pride affect IT and Cyber Security. The first two quarters of 2016 have provided us with greater understanding of the emerging dynamics that are forming modern business adjustments. However, some of these adjustments are taking a disturbing turn. Worse, in many cases there have been no adjustments and this failure to act has been buttressed with steadfast determination to do business as usual.

For instance; Part 1 of a very concerning trend is for IT engineers to imply to their employers that the IT team is a one-stop, fix-all, know-everything department, not necessarily needing any outside assistance for anything, including the rapid development of the exclusive arena of Cyber Security.

Part 2 is the boss that readily accepts the nonsense in part one as you just read. This happens because he or she does not understand anything beyond how to login on his/her desktop. This worked as a ‘get by’ measure a few years ago. Today it is a wretched crutch made with wet straw. No forward thinking company administrator should be too proud to admit they need to learn new stuff. If a company leadership is not willing to learn the basics and increase awareness, are they not inevitably setting themselves up for crippling cyber failure or worse, sabotage from within?

With their usually burdensome daily responsibilities, it is somewhat understandable that the bosses just want things to work. A good manager hires the best people available to handle a department, follow the company plan and deliver the expected results. SOP. It has worked well for businesses large and small for years.

Times and things have changed.

Remember, as we stated earlier, “The more things change, the more they stay the same?”

Technology has brought us Neurosurgeons’, Podiatrists and a host of specialty medical practitioners in between. They all go to medical school and have the same basic training, but would you trust a Podiatrist to treat a brain tumor? Of course not. So why would you continue to expect your general IT person to understand and handle Cyber Security without having additional help, training and funding? Sadly, this is exactly what is happening- AND this is what hackers count on. The old IT attitude of “We do it all” has now become dangerously self-defeating.

Hackers are correctly expecting a “just-enough-to-get-by” indifference, fueled by ignorance and arrogance. These negative attributes serve as catalysts for successful hacks. One day soon we will see a Fortune 500 company on the verge of collapse… simply because of internal strife created by these very issues.

The technology driven changes we have experienced in our collective cultures during just the past decade are astounding, if not overwhelming. However, the manner in which these dazzling blessings may come to be used and/or abused is ultimately regulated by individual integrity and underlying primal, cultural instincts.

Businesses seem to all follow the same time-proven pattern; they build on an idea, then thrive on it, become complacent with success and eventually wither away. It is the nature of the technology beast and it feeds an ever-growing list. If we need to provide proof then you are beyond help. If you recognize this pattern which has played out in spades in recent years then you will be quick to understand that if we are not all growing by meeting the daily challenges, then we are coasting, and coasting is akin to dying! Becoming adaptable to change and making it work for you rather than against you has always been key to a successful future. Solve the problem by identifying it. This is currently playing out in our own business efforts and discussed in a separate post labeled, “181 Degree Adjustment.”

Like an addict who requires a family intervention to bring him into the severity of his problem, if you find yourself offended or scoffing at what you are reading here – then you are indeed the person that needs it most.

Particularly in these modern times, the conveniences we enjoy make it easy to delegate and get a job done without getting dirty. I have observed that the last thing most modern business leaders are willing to do is get in the trenches with their most basic employees. The TV show “Under Cover Boss” (CBS) has changed the lives of many bosses and the people who they employ when the boss goes “undercover” and gets into the trenches. But when you consider the masses of small to medium businesses, let alone the “Fortune 500,” functioning today, the ideas behind the show are only reaching a small fraction. The concept of the show proves the point that it is more difficult to delegate with definitive probable cause; in other words, definitive probable cause only comes from getting in the trenches to find the real issues behind what works and what does not. Just looking at the bottom line financially does not give you a realistic view of the over-all health of your company.

Now, in addition to the normal past issues related to time, space, finances, personnel and product management; Internet management MUST make way for state-of-the-art Cyber Security. Not only has cyber security entered the mix, but, most business managers have been blind-sided by the sheer magnitude and speed of changes wrought by its presence.

Unfortunately, many folks have not fully and positively responded to the changes. Perhaps unwilling to accept the requirements needed to meet new developments, the foot-dragger with a “Get By” mentality has unwittingly been the fuel that the hacking community thrives on. It is a historically recorded fact that arrogance, false-confidence and misdirected responsibility, are common covers for incompetence and ignorance. Take a look around. The signs may be subtle, but they are there and if you take a few moments to reflect upon what you have just been reading, you will begin to see and understand if you have not already grasped the message.

As of today, almost every business has already been hacked on some level. Most are just blissfully unaware. However, some know it but are not ready to admit so because of fear of retaliation and ramifications. FTC vs. Wyndham Hotels anyone? http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

 

POST #3   Seven Steps

By J.R. Hildebrand, CEO, RADIAN Global, Inc.

FALL 2016 / edited and re-posted Summer 2017

Same theme… It would seem that the more things change, the more they stay the same.

Demographics of culture, age, ethics and biases are immeasurable influential issues as we move through the depths of rapid and ever changing digital trends. Conversations with business leaders of all variety’s and dispositions reveal a common universal and archaic fear of the unknown. Many are unwilling to talk about Cyber Security because they do not understand even the basics. Regardless of the modern informational avenues available, many of these folks seem to have one or more of the following rather unenlightened attitudes:

  • Cyber Security is someone else’s problem or…
  • We are not important enough for anyone to want to mess with us.
  • This is a passing fad, the government will arrest a few people and the problem will go away.
  • That is a “Dot Com” thing and we do not do “Dot Com” stuff. (I am not kidding – this was a very real observation from the CEO of a well-known company.)

And this is the most prolific problem…

  • We have a good IT person and he/she has things covered.

Can you hear me screaming?

Would you consider anyone expressing these attitudes as a competent business manager?

No? Then why are there so many of them out there?

SEVEN STEPS TO EVENTUAL OBLIVION…*

that hackers are counting on!

  1. “We are not ready for that.”
  1. “We have never done it that way before.”
  1. “We are doing alright the way things are.”
  1. “We tried that once before.”
  1. “It costs too much.”
  1. “That is not our responsibility.”
  1. “It just will not work.”

* Seven Steps to Stagnation by Erwin M. Soukup

Add to the list; “I do not understand computers and/or the Internet – I leave that to the professionals.”     (This is another sad example of culture interfering with progress.)

Conclusive Observation for leadership and managers:

Ignore current tech trends and you might as well save yourself the drawn-out grief and close your doors today. Without embracing change, without personally being schooled in the basics of IT and Cyber Security functionality… your business will not survive long term.

However, if your heart is now pounding, your palms are sweaty and your mind seems about to explode, then you have a chance to recover.

The best insurance is:

HIRE more IT & Cyber Security folks. Pay them very well and consider making Cyber Security a solidly established part of your company identity… supported with a healthy budget.

The consultation you have received here is worth tens of thousands of dollars and has only cost you the investment of your time. We hope you will use this gift wisely.

 

POST # 4                  181 Degree Adjustment.”

By J.R. Hildebrand, CEO, RADIAN Global, Inc.

SPRING 2017 / edited and re-posted, SUMMER 2017

Problem 2010: Find a way to make a secure data management system that performs better than anything on the planet.

Solution 2010-2017: I recruited an amazing team, laid everything on the line and went for it.

Having found the haystack, RAIDIAN Global set about finding the needle and we did just that. When we first realized what amazing and unique technology we had, we were understandably giddy with the possibilities. After all, we had the entire global community as potential customers.

However, as we lined up and got ready to sell our products to the masses, something did not feel right. Inner whisperings were heeded and we personally toned down the pace. What you see in the current Iron Jacket Website is just a small portion of the work involved in actually being able to deliver and support the product sales. As we worked with multiple “Live” test case scenarios, we became very concerned about the precarious paths that we could travel without even more preparation.

The problem we have with owning the most un-hackable web security available is not just its potential for good, but how it might be misused for evil and nefarious purposes. We had already addressed that issue with deep vetting via an application and contractual process.

But then the “Cupcakes” issue surfaced.

That peculiar set of affairs was followed by one revelation after another. We were facing far deeper concerns regarding potential abuse by possibly and inadvertently permitting cart-blanc security to unspecified users. In the face of emerging cultural and business contradictions our control base was woefully weak. There were dangerous roads ahead and it was time to slow down, take a deep breath and rethink our business plan.

We are not making donuts or selling T-shirts. We made the mistake of comparing our business product with conventional business models. We had begun selling up, small to large like any other business endeavor. We thought we could sell our way to financial success. But as we look back, to do so in a conventional way would have been irresponsible. Our ability to effectively and securely manage large numbers of small sales was bass-akwards. We needed either a massive infusion of capital with a big partner, a large sale or both. That said, the mistake was caught in time and has actually laid a foundation for future large volume, small business activity. All of the efforts in the past few years have taught us that because we are already outside the conventional box, we must stay there. Because of the nature of our product and many of the variables you have read about in the previous three segments we have taken painstaking and costly time to re-adjust and fully understand the re-direction we are now undertaking.

Our Websites will soon be redesigned to more appropriately reflect the changes. The Orange Connection, enterprise edition, is being re-branded “Private Digital Courier” (PDC) and will be the primary focus. PDC and The Iron Jacket are currently only available to a few large, deeply vetted partners. Expansion to serve others will proceed carefully from the top downward as finances and staffing allow. We are dedicated to responsible control of these unique and highly sophisticated products. Taking this top down approach will provide us with the resources to distribute our products accordingly.

We remain debt free and unencumbered in any way. Our integrity and ethics for good business has deep roots. The question is, do you have what it takes to join us?

 

POST # 5   Spin The Bottle

By J.R. Hildebrand, CEO, RADIAN Global, Inc.

LATE   SPRING 2017   edited and re-posted, SUMMER 2017

For many years the city in the United States listed for having the highest number of killings is East St. Louis, Illinois. The murders are so plentiful; they go fairly much unreported in the media. Commonality has bred a disturbingly high level of tolerance and indifference.

Similarly, high volumes of vicious hacks of corporations and businesses also go unreported. While there has been no bloodshed (that we are aware of) thousands of lives have been turned inside–out. We are woeful at the disturbing trend of indifference and complacency. Unfortunately, these twins will be a catalyst to even bigger, more profound and destructive hacks. One of our daily e-mail reads is the Recorded Future Report. Just from this daily hack activity report alone, one has no choice but to realize the quality and quantities of malicious attacks is out of control. The current diet of hacks may not be front-page news every day, but it is there and growing. Global corporate technological ignorance and carelessness has set the table with fine linens, gleaming silverware and crystal goblets. Invitations have been sent and the main course is about to be served… All that remains is to spin the bottle. Are you on the menu?

Current cyber threats.

The malware sweeping Europe in the early summer of 2017 has a single underlying theme… hackers are exploiting the corporate frailties that we have reported here. Hackers do not care about the few large entities that have things somewhat buttoned up, rather they are relying on the masses of technologically dependent but dysfunctional businesses to be caught off guard.

The late spring and early summer surges are like the opera singer clearing her throat. Worse, malware as we currently recognize it is undergoing a transgender type change. Within the next few months (mid to late summer or early fall of 2017) malware that has already been placed “Cupcake”-style, will be triggered into action by the very measures originally designed to eliminate them. Picture a trim diver jumping back out of the water onto a springboard… only when he re-connects with the springboard, the diver is actually a nearly invisible elephant. Confused?

CLOAKED WITHIN THE DEEP WEB, EVERYTHING YOU THOUGHT YOU KNEW ABOUT CYBER TECH HAS ALREADY CHANGED!

The larva is about to emerge from the cocoon as an elephant- with teeth- like a great white shark. By the time financial and health care providers of all sizes understand that the elephant is in the room, the diver will have jumped. The only part that stays nearly the same is the ransom demands and the associated liability for failure of due diligence.

At this juncture, pleading ignorance is in itself a scathing indictment.

Businesses and individuals of all types will be hit, with the most crippling occurrences affecting financial and health care services. FINRA and HIPAA regulations will be compromised and abused in new and very disturbing ways. Mayhem and chaos will be the new business partners for many. Also, and unfortunately, from our observations, this palatial hack-fest is already underway. To re-emphasize; most have already been hacked but are just unaware. It is only a matter of time before one of our larger, most stoic monoliths of enterprise is brought to its knees by hackers.

Note that we have deliberately failed to mention names of some of the highly suspected (promoted?) malware programs, that is something for your own Cyber Security professional to identify. What we intend to do here is generate broad awareness and preparedness. If we were to single out one or two of our most concerning malevolent sequencers, too many folks would focus on them while allowing a back-door attack via yet another camouflaged exploit. Never let the enemy know that you know where they are hiding.

BOTTOM LINE –

THE MOST VALUABLE, BEST ADVICE THAT COSTS YOU NOTHING MORE THAN THE TIME IT TOOK YOU TO READ THIS…

  1. Re-read this series of posts and change what needs changing in your attitude and everything else that is currently a potentially negative drag on your business.
  2. Hire additional IT people and develop a division for Cyber Security personnel.
  3. Treat them well and pay them well.
  4. Provide them with the equipment and resources they need.
  5. Develop and follow a new company and employee operational plan that includes Cyber Security.
  6. Immerse yourself in learning everything you can about the technology used in your business, Cyber Security issues and your new technological ethics responsibilities.
  7. Apply for our Consulting*, Cyber Security and Secure Data Management Services. Please use the “Contact Us” page on this Website or https://raidian.com

* Consultations are discrete and conducted on base levels designed to educate and train business executives in terms they are familiar with and understand.

 

THE NEED FOR GREAT WEB AND INTERNET SECURITY JUST ESCALATED.

It seems that every day brings new challenges to the world of e-commerce security, but now with the popular idea of becoming a “hacker” with so many misaligned folks, those daily challenges are jumping right into your living rooms. Nothing is sacred and has not been for quite some time.

In early September 2015, during the course of ethical investigation regarding additional utilization of our security technologies, we happened to discover a truly bothersome situation that required a step back and several weeks of further verification. We have notified directly affected manufacturing and sales entities. When we have fulfilled our responsibility to them, we will then fulfill our additional responsibility to inform everyone.

We had no sooner completed our research and issued the first courtesy notifications on Monday the 19th of October 2015, than on the very same day,  MICHAEL CASEY of FOX NEWS released a CYBERCRIME article titled  “Companies need to start making security part of their brands, experts say.” This is an absolute “MUST READ” for everyone that owns and uses a computer – period.

There is a disturbing connection between the content of Mr. Casey’s article and our recent discoveries-  which confirm his pronouncements. Once we have fulfilled our obligation to affected businesses, we will publish that information in generic form at the appropriate time.

Additional information is forthcoming.  Meanwhile, please locate and follow the manufacturers instructions for resetting the password on your modem and your WiFi router.

© 2015-2017 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.

Why all Websites, ESPECIALLY small businesses, need The Iron Jacket™.

You may be thinking; “My Website only gets 30 or so users per month, who would hack ME?”

This is a fatal flaw in today’s modern security environment. The risks of being hacked go well beyond a dedicated attack.

Hackers these days scan huge numbers of Websites. They scan them by the millions, looking for even one with a known exploit. When a vulnerable website is found, no matter how small, they automatically exploit the Website for a number of nefarious purposes. If you are lucky, all they will do is send out spam or scams which can be used to attack other Websites.  However, they can also use your Website to host attacks to directly steal money and implicate you in a criminal act.

But what does it matter to me?” you say.

Consider that if your Website is used to send spam, all of your legitimate email may eventually be marked as spam or even a scam. Law enforcement may get involved if your Website is un-secure and has become a portal for sending out millions of Nigerian type scams. In this case you’ll have to answer some tough questions. See the information regarding FTC vs Wyndham below.

If you have a shopping cart, the situation is even worse.

Consider the case of a client we had recently; the client refused to let us diagnose and secure her Website.  Inevitably, her site was soon hacked and dozens of customers had their identities and money stolen.

Thousands of dollars – VAPORIZED, gone forever because her Website wasn’t secured. The problems didn’t end there. Her credit card processor stopped doing business with her and put her name on a “Black” list. Her online store had to be shut down because she could no longer process credit card payments. Without asking questions, no one would do business with her. Many years of work circled the drain and then vanished.

All this happened because of a hack by a person who had no knowledge of who she was or what her Website represented. The hackers don’t know or care who they hurt in their quest to enrich themselves.

These days, a hacker may never even visit your website to exploit it.

The hack is done remotely and automatically. Anyone can download the software to do this off the internet. Anybody can simply “Google” these things and have free access to them. They don’t even have to be a real hacker because this software is so easy to use. Hundreds of thousands of small, low traffic Websites are compromised this way, sending scams and spam, attacking other websites and stealing personal information. An un-secure Website is an open portal to your network and everything else sacred.

Worse, these scoundrels will even install malware on your Website to distribute to YOUR customers as they unsuspectingly visit you. When that happens, you can say “Goodbye” to your position on Google and other search engines. They will outright remove you from their indexes because your Website is compromised.

The problem is compounded by the fact that now you can’t even pay for legitimate advertising and your “bread and butter” Website is effectively ruined.

No one is safe because of their size or what kind of information is on their Website. If there is a vulnerable crack, hackers will find it and screw you over maliciously and without remorse.

STILL NOT CONVINCED

Consider the fact that recent announcements of law suits related to Web Security emphasize the necessity of using “Best Practices” and “Due Diligence” to protect your customers from the harmful aftermath of a hack on your Website. For confirmation of this statement, look at the following link and read page 8.

FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION  –  Third Circuit Court of Appeals Ruling Rejecting  Wyndam’s Appeal – dated August 24, 2015.  READ Page 8.  http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

(if you see only code on this PDF – refresh the page)

Every layer of protection you can add makes it harder for hackers and reduces the potential for malevolent and unrecoverable penetration.

Undeniable fact: Adding The Iron Jacket™ to your Website helps comply with the expectation of “Due Diligence” security and protection efforts the FTC and your customers are already  demanding!

Click here to read about our “Web Security Audits” and learn how we can help you get on track to a more secure future.

© 2015-2016 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.

Good Web Security Begins With YOU!

Good Web Security begins with YOU!

Are you an employee? If so, do you leave your house unlocked, or even the doors and windows open when you head for the office? Of course not! Being the smart person that you are, your home is  locked up tight and perhaps even protected by a security service. So why then do you jeopardize your workplace and expose your employer to all kinds of costly mayhem with sloppy Internet surfing habits on your office desktop? If the company IT department has not choked down your browsing privileges, do you not owe it to the company, and yourself, to practice some integrity and refrain from leaving “doors and windows” open to potential thieves? Losses due to interrupted productivity and compromised information can substantially affect the company revenue position, to the point its managers do not have the money for raises, or even for keeping you employed. Smart employees selfishly protect their workplace as well as they do their own homes. Lest a disgruntled employee feels that leaving the company network exposed would be a good way to even a bad score with an employer, think again. Cyber forensic teams can track you down, document all of your keystrokes and provide the employer with enough information to pursue both criminal and civil charges. If you are unhappy, do your self-esteem a favor and find another job.

Are you an employer? If so, do you set the example and apply the same standards you expect your employees to follow? Using a personal laptop in your office for non-business Internet use and communication is the most ethical and secure way to set that example. Further, consider making your example attainable by your employees. Every office has used equipment. If not, it is easily attainable. Have your IT department set up a separate wired Internet access on a few old desktop units in a quiet room your employees can use during breaks. A separate Wi-Fi for employees and guests who have their own devices should also be a standard service. With these tools in place, there is no excuse for employees to use their company desktops for anything other than non-compromising work. The best office set-ups that we have observed also have locking desk drawers or lockers where employees are required to store their personal smartphones, tablets and laptops during assigned shift hours.

The bottom line; an adaptive, high integrity workplace is a happy, productive and secure workplace.

© 2015-2016 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.

The Demise of IE

There was a great, collective sigh of relief in our office when we received word that Microsoft was retiring Internet Explorer. This announcement came six weeks after we had decided that doing anything to make our Orange Connection software compatible for use with IE was a waste of time and resources. As we posted earlier, the best choices for general Internet Browser services are Firefox and Safari. Safari has made a rather decent step up with their private viewing and regular security updates. After putting Safari Private Viewing to the test, the performance is impressive. Both browsers work on all platforms.

Used with careful practices along with DuckDuckGo or ixquick™ and a VPN, your Internet use with either Firefox or Safari should be  safe.

© 2015-2016 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.

Security And Privacy Online Guide

Privacy and Security Online Guide

Version 1.9

This is a live document, updated as required.

– January 2016 –

Why Privacy?

Every single action you do online is tracked and logged for a number of reasons: Marketing, advertising delivery, security, warrantless NSA tracking, usage statistics, demographic studies, and so many more.  

The end result is dozens of private companies, your ISP, our government (and likely foreign governments) all have detailed files about you. Your browsing habits, what bank you use, your financial situation, your interests, your contacts, your friends, your employer and job, your medical history, games you play, political affiliations, just about every single detail of your life is logged and recorded. Most of this is used for government criminal investigations and marketing purposes, but it’s anyone’s guess what else the data is being used for.

Not to mention the fact that the data is routinely sold between companies further completing detailed records of every single Internet user.

Furthermore, the majority of major web services (Google, Yahoo, Twitter, Facebook, etc.) have been known to be compromised by the NSA and God knows who else.

Privacy is important in this day in age, not only to defend yourself against warrantless searches, but against simple corporate manipulation.

How bad is the problem, really?

Short answer: Terrifyingly bad.

Take this simple example of an average day of Internet use:

First, you check your email on Gmail. Then you check your Facebook, add a friend, make a post, and like a few others. After that you check the news on the CNN and Fox News websites. You look up a recipe for bratwurst for dinner and Google the symptoms of a cold your roommate has. Look up some funny cat pictures, check your bank balance, and buy a book and a new coat on Amazon (looking good!). Then you install a flashlight app on your phone and look up directions to your friend’s house.

Over the course of this normal day of web browsing you have been tracked and your activities logged by no less than 30 private organizations, who now know:

  • Your name
  • Your location.
  • Your friend’s location.
  • Your friends on Facebook.
  • Your taste in books.
  • Your fashion tastes.
  • That you shop on Amazon.
  • Your sense of humor.
  • Your food preferences.
  • What banks you use.
  • A general idea of your financial situation.
  • What search engine you use.
  • All the websites you visited that day.
  • In some cases, your precise location in real time.
  • Other web and social media accounts you possess,
            and all the data associated with them.
  • The type of computer and web browser you use
  • Your model of phone and carrier.
  • What ISP you use.
  • Your travel plans and when you are going to be away from home.
  • Most Names of family members and the name of your pet.
  • Most likely a whole host of other information.

You have also been exposed to no less than 75 advertisements, many of which are automatically tailored to you (using the information gathered as described above) to increase sales rates.

Needless to say, if this happens after ONE DAY of normal use, imagine how much is known about you after years of unprotected use.

How does this tracking work?

There are a number of different ways to track you and they are mostly extremely technical. Typically tracking is done through purposeful logging by the website you’re using. Also, the advertisements loaded onto the page track your every move. Beyond that, tracking cookies and even more insidious LFO cookies that are hard to remove are used. Then, non-advertising analytics software is installed on web pages to even more easily track you.

This all happens without the unsuspecting visitor even signing up for an account or logging in to anything. Once you sign up for an account anywhere and log in, even MORE data is logged.

How do I stop this nonsense?

Unfortunately, due to the extremely sophisticated nature and range of tracking methods, this is no simple task. It will require the installation of new software, configuration of add-ons, and preparation of white lists. You will also have to change some of your browsing habits and change some of the services you use online. You will also have to learn the concepts and application of common encryption technology (like PGP), which can be difficult for the novice to grasp. Also, ideally, it will require the purchase of a VPN (Virtual Private Network) to the tune of approximately $40 per year. The rest of the techniques are completely free.

Still, for all the inconvenience in set up, its certainly a worthwhile venture to not only maintain your privacy and security, but to make a statement that you don’t consent to activity that should be illegal and in some cases is outright criminal.

Configuring your web browser

Step 1:  Switch to Firefox.

Internet Explorer and Google Chrome track your browsing habits. Ditch them. Safari tracks if you don’t use the private browsing feature. If you are going to use Safari, make sure you have Private Browsing turned on and no history will be recorded. Also, Under the Privacy tab, select “Tell Sites I Don’t Want To Be Tracked.” Best plan is to switch to Firefox, which has all the useful add-ons that you will need.

Download Firefox from http:///www.getfirefox.com –

it’s totally free.

Step 2:  Make Firefox Amnesic

The next step is to make configure Firefox to forget everything every time you close it.

Click on the three horizontal lines in the top right corner and then click on Options.

Under the Privacy tab, select “Tell Sites I Don’t Want To Be Tracked” under Tracking and select “Never Remember History” under History.

You will have to log in to each account every time you start your browser because it will clear cookies each time.

Use bookmarks as shortcuts to your favorite sites instead of relying on browser history- it’s much more secure.

Step 3: Block Advertisements and trackers

Click on the three horizontal lines again and click “Add-ons.”  Search for and install “ublock.” This will block an impressive number of advertisements and trackers.

Step 5:  Force SSL Encryption Wherever Possible

Now install the ad-on HTTPS-Everywhere. It will automatically request sites to encrypt the connection wherever possible. Download it here https://www.eff.org/https-everywhere

Step 6: Block Tracking Cookies

Install the ad-on “BetterPrivacy.” This will block the majority of tracking cookies and the harder to eliminate LFO objects.

Step 7: (Semi Optional) Block Scripts and Embedded Plugins

NoScript” is an extension that blocks JavaScript, Java, and Flash automatically by default, allowing you to manually choose what scripts and plugins are run on each page. This is best used by technically proficient users who understand, at least in some basic way, how these things work. You will need some time fiddling with allowing useful scripts before your Web browsing goes smoothly again, so it can be a bit of a pain. Still, there is no better privacy add-on available.

To do this, install the NoScript add-on.

Step 8: (Optional, Very Technical) Block Externally Loaded Objects by Default

RequestPolicy” is a powerful security tool that will block all externally loaded objects (images, scripts, style sheets, fonts, etc.) by default. It can be tricky to use and is certain to disrupt your browsing experience frequently, forcing you to whitelist a number of externally loaded objects on Web pages. But, it is a powerful tool that will ensure no third party can steal your information.

Step 9:  Stop Using Google Search

I know that Google is everybody’s favorite search engine, but it is also among the most prolific trackers on the Internet. Change your default search engine to Startpage SSL by clicking on the Google logo in the search box and selecting Startpage SSL.  Startpage SSL doesn’t log anything, doesn’t track you, and keeps you completely anonymous while searching.

Step 10 (Optional):  Get Control of Cookies

The use of the ad-on Advanced Cookie Manager can be useful to understand and take individual control of cookies that websites have left on your computer.

Step 11:  Configure Flash Player

On Windows, go to Control Panel and the Flash Player. Select “Block All Sites From Storing Information On This Computer,” then click “Delete All.” Check both options and click “Delete Data.”

Change Your Browsing Habits

Now that your browser is secure, you still need to change some habits to remain secure.

Step 1:  ALWAYS Log Out When You’re Done Using a Website

This is ESSENTIAL. Not only to prevent that very same Website from tracking you (Google, Facebook, etc.) but also to keep your account secure. CSRF (Cross Site Request Forgery) is one of the most common Web security issues there is, but it only works if you are logged in to your account. Log out! Also, on a daily basis or more often, completely shutdown and re-launch your browser.

Step 2:  Switch Websites You Use (As Much As Possible)

Getting away from major providers like Google, Microsoft and Facebook is often nearly impossible. Whenever possible, find alternative providers for things like email and productivity if possible. This may be a lost cause and even I regularly use quality Google products. Still, when selecting a new service to use in the future, keep their privacy policies in mind.

Step 3: READ AND UNDERSTAND TERMS AND CONDITIONS

This one is a huge pain, but extremely important. Deliberately and carefully read any agreement and understand it. If you see something that bothers you, try to find another service. Please don’t just carelessly click “I AGREE” when you don’t know what you’re agreeing to. Remember, clicking “I AGREE” is legally the same as signing a document in person and IS legally enforceable in the US. Also, it’s usually impossible to escape any tracking or sale of private information after clicking. Click with caution!

Step 4:  Try To Avoid Signing Up For Accounts

The more accounts you sign up for online, the easier it is to track you. Accounts are often a necessary evil, but try to avoid them as much as is practical.

Step 5:  Good Password Policy

This one is a hassle, but very important. First of all, the majority of passwords hacked are done by brute force. Hackers try every possible combination of letters and numbers until they find the right password.

A long, complex password is the best defense against this. To make an easy to remember, long password, try coming up with an easy to remember sentence and mix up capital and lowercase letters, add numbers and symbols, and make it L O N G.  Characters like spaces are usually the strongest when allowed. It is rare for a brute force hacker to include spaces in the search.

Also, using a different password for each account is important. It is often more convenient to use one “base” password and modify it slightly for each site.

Beyond that, you should change passwords regularly. Yes, it is a hassle, but critically important. Try our recently added  “Passgen” password generator in the “Free Tools” section of this Website.

Step 6: Two-Factor Authentication

Several major websites like Google, Amazon Web Services and Digital Ocean offer two-factor authentication. This is where you log in with a password as well as a generated code that is either generated on a phone app or is texted to you. Using two-factor authentication wherever possible makes your account much more difficult to hack into.

Protect Your Computer

The next step is to protect your computer. Malware, hardware theft, and even nosy friends can be a threat to your security and privacy.

Step 1:  Antivirus

This one is pretty obvious, but be sure to install a quality antivirus and keep it updated. Set a schedule to scan regularly. On Windows, the free Microsoft Security Essentials is good and light weight.

Step 2: Password and Screen Lock

Don’t leave your computer without a user password! Be sure to set your password and make the password secure. (See note on passwords above) When leaving your computer unattended, always log out or lock the screen. On Windows, lock the screen with the key command [Win]+L.

On a MAC, set your security to require a password to require signing back in after the MAC has gone to sleep. Log out and shut down when not using your MAC.

Step 3:  Hard Drive Encryption

This will protect your computer in the event of theft or unlawful seizure. There are a number of ways to do this. In Enterprise versions of Windows, BitLocker is available.  If you don’t have that available find a third party application to do it.

Follow the guides on the site and BE SURE TO BACKUP YOUR DATA BEFORE YOU BEGIN!

We will also be using VeraCrypt in the next step to encrypt individual files.

Step 4:  Sensitive File Encryption

Use VeraCrypt from the last step to create an encrypted volume for extra security. We would suggest creating a “Hidden Volume” where one password will open the real volume, and the mock password will open a fake volume. This is in case you are coerced to reveal the password for the volume.

Also, be sure to use keyfiles with it for extra security. We also suggest using cascading encryption like AES-Twofish-Blowfish to make extra, extra sure it can never be cracked. A good strong password is also essential.

Step 5:  Encrypt and Anonymize Your Internet Connection

This is the only step in this guide that costs money, but its well worth it. Sign up for a VPN (Virtual Private Network) and always use it. A VPN will not only hide your IP address from websites but also strongly encrypts the traffic. This will eliminate MiTM attacks, network sniffing, and general tracking. It will allow you to remain truly anonymous online until you log in to an account and identify yourself. We use Private Internet Access for $40 a year and have found the quality to be excellent.  Also NordVPN

Step 6:  Keep Your System and Software Up To Date

Be sure to regularly install updates for you operating system and software. This is especially so for Firefox!

Step 7:  Uninstall Unneeded Programs

Remove unused software from Control Panel->Add/.Remove Programs.

Protect Your Communications With PGP

As email is an old and flawed protocol, email and file transfers are still widely insecure. Gmail and other email providers read and log all email and use it for marketing purposes, and no doubt companies and governments have full access to it. By encrypting sensitive messages you eliminate this problem.

About PGP

PGP stands for Pretty Good Privacy. Its a form of public key encryption that will secure emails, files, and allow you to sign a message or file to confirm that it was in fact you who sent it and that it has not been tampered with en route.

PGP has two key files: the public key, and the private key.

Say you want to send an encrypted message to Sally. You will use her public key to encrypt the message and then only her private key can decrypt the message. Then, when she responds, she will use your private key to encrypt it, and you will use your private key to decrypt it. The private key can also be used to sign a message, even if its not encrypted.  

Using PGP

A good, basic software for PGP is OpenPGP Studio.

PGP has a bit of a learning curve to understand and use fluently. Check the OpenPGP Studio Documentation to learn how to use it.

Protecting Your Phone

Your phone is one of the most insidious ways to track you in terrifying ways.  Some apps will literally use the phones built in GPS and location services to track everywhere you go in real time and use the information for marketing purposes.  It is suspected that the NSA also routinely uses this technology. 

Most of these steps are generalized because of the number of models and makes of cell phones and you may have to look up the documentation for your device to do some of these.

Step 1:  Disable Location Service

While its still possible to track your approximate location, disabling location service will help a lot.

Step 2: Never Use Bluetooth

Bluetooth is probably the most insecure protocol known to mankind. Don’t use it and disable it entirely.

Step 3: Use Screen Lock

However you do it, be sure to use some manner of screen lock. We prefer using phones with a fingerprint scanner for convenience.

Step 4: Encrypt your phone

Encrypting your phone will require a password on boot. This is a great way to foil thieves or anyone else you don’t want snooping through your phone. 

Step 5: Pay Attention to App Permissions

Many apps have horrible tracking and privacy features. If your phone supports app permissions, be sure to read and understand the permissions of all the apps you install. You would be surprised at the number of apps that do amazingly sketchy tracking things. Games, utilities, toys, just about every category of app has some malcontents that will abuse permissions. If the permissions don’t seem necessary for the nature of the app, find another one.

Step 6:  Use VPN on Your Phone

Private Internet Access has apps for Android and iPhone. Be sure to install them to secure the network connection on your phone.

Step 7:  Close Apps When You’re Done With Them

Be sure not to keep unused apps running in the back ground! Not only will it improve performance, but it will also inhibit tracking and reduce security threats.

Step 8:  Use Firefox Mobile if Possible

Android supports Firefox Mobile. Use that instead of the default browser. Configure the browser to be amnesic and install the available add-ons just like on your computer browser.

Remember to exit the browser properly to clear the history and cookies. Tap the three dots in the top right and scroll down to Quit.

Step 9: Link As Few Accounts As Possible

Always assume that every account linked to your phone will be tracked. Link as few as possible.

Top

 

   

© 2015-2016 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.


Our servers are protected by THE IRON JACKET™