
A REPORT FROM SOVEREIGNMAN.COM

SECURE YOUR DIGITAL LIFE
PROTECT YOURSELF FROM UNAUTHORIZED ACCESS TO YOUR DIGITAL ASSETS

A BLACK PAPER


CONTENTS
Introduction: Why this is important and how to use this Black Paper
1.0 Passwords
1.1 How Hackers Get Your Password
1.2 What Secure Passwords Look Like
1.3 Technique to Create Strong, yet Memorable Passwords
1.4 Password Managers
1.5 Password Summary
2.0 Phishing Prevention
2.1 What is Phishing
2.2 How to Detect & Prevent Phishing
3.0 Two-Factor Authentication
4.0 Backups
4.1 Local Backups
4.1.1 Macs
4.1.2 Windows
4.2 Cloud Backups
5.0 Data Encryption
5.1 Computer Full Disk Encryption
5.1.1 Full Disk Encryption on Macs
5.1.2 Full Disk Encryption on Windows PCs
5.2 External HDD Encryption
5.2.1 Software Solutions
5.2.2 Hardware Solutions
5.3 Encrypted Cloud Storage
5.3.1 Consideration With US Based Providers
5.3.2 Do You Need Encrypted Cloud Storage?
5.3.3 Encrypted Cloud Storage Options
Tresorit
SpiderOak
Mega
2
Secure Your Digital Life Report 1.0 July 2015 SovereignMan.com

6.0 Internet Encryption
6.1 Why Additional Internet Encryption is Important
6.2 How to Encrypt ALL Internet Traffic With a VPN
6.2.1 How to Pick a VPN Provider
6.2.2 Recommended Services
VyprVPN
Hide Me
Other Providers
7.0 Securing Your Smartphone
7.1 The Passcode
7.2 Smartphone Encryption
7.2.1 iPhone and iPad Encryption
Enabling Encryption & Passcode
Making Sure All User Data is Encrypted
7.2.2 Android Encryption
7.2.2.1 Limitations of Android Encryption
Off-Box Attacks Are Possible
Performance Impact
On Some Devices Only Internal Memory is Encrypted
7.2.2.2 Enabling Android Encryption
7.2.2.3 Use the Most Recent Android Version
7.2.3 When is My Data Encrypted and Decrypted?
7.3 Picking a Secure Passcode
7.4 Fingerprint Sensors
7.5 Additional Settings You Should Check
7.5.1 Apple iOS
7.5.2 Android Devices
8.0 Choice of Devices and Systems
8.1 Windows vs Macs
8.2 Android vs iOS

INTRODUCTION:
Why this is important and how to use this Black Paper
In the last 20 years computers have penetrated every aspect of our lives, to the
point where we wear little computers on our wrists and carry more processing
power in our pockets than anyone could have imagined only a few generations ago.
The convenience, functions, and access to information computers provide are
invaluable, but the more we depend on electronics and their services, the more
information we reveal about ourselves. This information can make us vulnerable
to attack.
The purpose of this Black Paper is to give you information that you can use to
protect yourself. With these simple steps you can make yourself a more difficult
target for hackers, you can mitigate the consequences of losing a device or having
it stolen, and you can make it more challenging for government agencies to
invade your privacy without due process.
You cannot make yourself invincible, but you can raise the bar significantly. If
your attacker has the necessary resources, they will find a way to access your data.
If you are the target of government agencies like the NSA or CIA, the advice I
share with you will make it much harder for them, but they will eventually get
what they're after.
What this advice will do is keep out hackers who end up with your data as part of
a breach of a company or service you trust, and teach you Internet street smarts
that will keep you from becoming a target for criminals.
This Black Paper is a comprehensive guide for making your digital life more secure
and more private.
It's not meant as a complete blueprint that you should religiously follow. You have
to determine your risk tolerance and profile and decide to what lengths you'll go
to protect your privacy and security.

We merely provide a large number of options that are available to help you do so.

Since this is an extensive guide, the table of contents will help you navigate to the
solutions that you are interested in.
We certainly hope you will find the information contained in this Black Paper
valuable. If you have any suggestions or comments, please reach out to
clients@sovereignman.com.

1.0 PASSWORDS
Your digital security starts and ends with passwords. It doesn't matter how
carefully you encrypt your data or how privacy-conscious the web services you
choose are: if your passwords are weak, none of it will help you one bit.
Many people think their passwords are great. After all, when they picked it, the
website showed a long green bar and said Password Strength: strong and made
them jump through hoops like adding numbers, lowercase, uppercase and special
characters. But as you will see, this doesn't necessarily mean your password is
actually safe.
Even if you do know how to pick a truly secure password, chances are you don't
use one, because it's impossible for you to remember it.
Don't despair: by the end of this section you will know exactly how to create
truly secure, random passwords that are unique for every service you use, without
being a genius or a memory world champion.

1.1 How Hackers Get Your Password


In order to create a secure password you need to first understand who you are up
against, how they operate and what their limitations are. Once you understand

these things, it's very easy to reduce your risk and minimize the impact a hacker
can have on you even if he manages to get his hands on one of your passwords.
There are many ways hackers get passwords. They trick people into entering
their password on a fake website that looks like a trusted one such as a bank
(phishing). They infect computers with malware that records everything typed
on the keyboard. They hack into websites and take the passwords from the member
database. They can even point an automated program at a login page that tries
username and password combinations hundreds or thousands of times a second
(online brute-force guessing), or run the same kind of guessing far faster offline
against a stolen password database.

Unless you are being targeted directly, one of the most common scenarios is that a
website gets hacked and the passwords from their database are stolen.
Two of the largest password leaks were when LinkedIn got hacked in 2012 and
over 6.5 million passwords were leaked, and when Adobe got hacked in 2013 and
over 150 million passwords were leaked.
These are the big, publicly known cases. How many small websites get hacked
every day and nobody ever knows about it?
Once a hacker gets a password for an account, he will try to log in to other web
services like Facebook, iCloud or email to steal more private data. If they gain
access to your email, they can get access to your other accounts by resetting the
passwords and intercepting the confirmation emails that other sites send.
Oftentimes, you may not even be the real target of an attack. Hackers frequently
gain access to email accounts of trusted, easier targets in order to send specialised
malware from a known and trusted email address to the real target. People know
not to open links from strangers, but doesn't everyone open links from friends
and family?
This is why, by practicing weak password hygiene, you are not just endangering
yourself. You are also endangering your family, friends, employer, business
partner, or your own businesses.

Example of password cracking
A good website doesn't store your password in plain text. Instead it uses a one-way
hashing algorithm to convert a password like ImSoSecure into a hash like
15eb12a1dfbc4723b50f2bb1b7e6f835 and stores that in the database.
One-way means that it is very easy to compute the hash from the password, but
infeasible to turn the hash back into the original plain-text password.

When you log in, the website hashes the password you entered and compares the
result to the hash stored in the database. If they match, you are granted access.
Once hackers steal user information from a database, the hashed passwords are
useless to them unless they can recover the original plain-text passwords.
The way to do that is not to reverse the hash but to guess: a cracking program
hashes candidate passwords, millions or even billions per second on commodity
graphics cards if the site used a fast, unsalted algorithm like MD5, and checks
whether any of those hashes appear in the stolen database. Every match reveals a
plain-text password that can be used to log into that account or tried on other
websites. (Sites that use a per-user salt and a deliberately slow hash such as
bcrypt, scrypt or PBKDF2 make each guess far more expensive; the advice below
assumes the worst case, because you cannot tell from the outside how a site stores
your password.)
These programs use lists containing millions of possible words and word
combinations, ranging from 1234, god or love to complex words with upper and
lower case letters, numbers, and special characters, plus mangling rules that
automatically append digits, swap letters for look-alike symbols and capitalize
the first letter. Sound familiar? Over time a hacker's word list grows in
efficiency, and they are able to quickly identify password length, case, or other
patterns that dramatically reduce the number of candidates they need to try.
If your password is a word or a combination of words that can be found in a
dictionary, like FreeDog, it will be cracked within minutes or even seconds.
If your password is a slightly modified version like Ch1cken!C0w, which most
websites will accept as sufficiently secure, it can still be cracked quickly using
hardware that is readily available.

Creating a random password forces hackers to randomly generate combinations
of characters to guess your password. If your password is long and complicated
enough, this process could take years or decades instead of minutes or hours.

This is not only true for website passwords but also for when you want to encrypt data.
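To make the cracking process concrete, here is an added example (not code from the original Black Paper) of the dictionary-plus-rules attack described above, run against a constructed "stolen database" of unsalted MD5 hashes. The wordlist, the mangling rules and the three user records are constructed for the example; real wordlists and rule sets are vastly larger, and real cracking tools hash far faster than this Python loop.

```python
import hashlib
import itertools


def md5_hex(password: str) -> str:
    """Unsalted MD5, the kind of fast hash a careless site stores."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "stolen member database": username -> password hash.
# The passwords mirror the paper's examples; carol uses one of its "good" ones.
STOLEN_DB = {
    "alice": md5_hex("FreeDog"),
    "bob": md5_hex("Ch1cken!C0w"),
    "carol": md5_hex("T47wh5raylitf."),
}

# Constructed toy wordlist. Real cracking lists hold hundreds of millions of entries.
WORDLIST = ["free", "dog", "chicken", "cow", "love", "god", "1234", "password"]

# Mangling rules of the kind cracking tools apply to every wordlist entry.
LEET = {"i": "1", "o": "0"}          # look-alike digit substitutions
SUFFIXES = ["", "!", "1", "123"]     # common "complexity" appendages


def mangle(word: str):
    """Yield the word plus its capitalized, leet-spoken and suffixed variants."""
    bases = {word.lower(), word.capitalize()}
    leeted = {"".join(LEET.get(c, c) for c in b) for b in bases}
    for variant in sorted(bases | leeted):
        for suffix in SUFFIXES:
            yield variant + suffix


def candidates(wordlist):
    """Single mangled words, then every ordered pair joined with common separators."""
    for word in wordlist:
        yield from mangle(word)
    for first, second in itertools.permutations(wordlist, 2):
        for a in mangle(first):
            for b in mangle(second):
                for sep in ("", "!", "-"):
                    yield a + sep + b


def crack(stolen_db, wordlist):
    """Hash each candidate and look it up among the stolen hashes.

    Returns (recovered, guesses): recovered maps username -> plain-text password
    for every hash that matched; guesses is how many candidates were hashed.
    """
    by_hash = {}
    for user, digest in stolen_db.items():
        by_hash.setdefault(digest, []).append(user)   # identical passwords share a hash
    recovered = {}
    guesses = 0
    for candidate in candidates(wordlist):
        guesses += 1
        users = by_hash.get(md5_hex(candidate))
        if users:
            for user in users:
                recovered[user] = candidate
            if len(recovered) == len(stolen_db):
                break
    return recovered, guesses


if __name__ == "__main__":
    found, tried = crack(STOLEN_DB, WORDLIST)
    for user in STOLEN_DB:
        print(f"{user:6s} {found.get(user, '<not cracked>')}")
    print(f"{tried} guesses")
```

Both dictionary-derived passwords fall out of a few tens of thousands of guesses, while the random one is never produced by the wordlist and rules at all; that is the whole argument for random passwords in one run.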

1.2 What Secure Passwords Look Like


The best way to prevent this kind of attack is to use a long and completely random
password.
The job of your password is to force the attacker to generate a huge list of potential
random passwords.
The longer your password is and the more different kinds of characters you
include, the more potential combinations are possible, and therefore the longer it
will take the attacker to crack it.
PASSWORD CRITERIA                                      POSSIBLE COMBINATIONS
6 lowercase characters (English alphabet)              26^6  = 308,915,776
14 lowercase characters (English alphabet)             26^14 = 64,509,974,703,297,150,976 (about 6.45 * 10^19)
14 characters from a 78-symbol alphabet                78^14 = about 3.09 * 10^26
(lowercase, uppercase, digits and special characters)

As you can see, the longer and more varied a password is, the more combinations are
possible. Most attackers know nothing about your password habits and have to try
every length from 1 character up to 14 or more, with lowercase, uppercase, digits
and special characters, so the keyspace they face is the sum of all of those lengths.
The time and effort required to hash all of these combinations and compare them
to the stolen database grows accordingly.
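The arithmetic behind that table, as an added example (not from the original paper): the functions below compute the keyspace for a policy, the larger keyspace an attacker faces when the length is unknown, the same figure in bits, and how long exhausting it would take at a given guess rate. The two guess rates are assumptions for illustration only: on the order of ten billion per second for a fast unsalted hash on a single graphics card, and on the order of ten thousand per second for a deliberately slow hash such as bcrypt.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Alphabet sizes used in the paper's table.
LOWERCASE = 26
FULL = 78   # lowercase + uppercase + digits + the special characters the paper counts

# Assumed guess rates (illustrative, not measurements): a fast unsalted hash on one
# consumer GPU versus a slow, salted password hash such as bcrypt.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_HASH_GUESSES_PER_SEC = 1e4


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """An attacker who doesn't know the length must cover every length 1..max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(combinations: int) -> float:
    """Size of the keyspace expressed in bits."""
    return math.log2(combinations)


def years_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every combination has to be tried."""
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float) -> dict:
    """{policy: (combinations, bits, years)} for the paper's rows plus an unknown-length case."""
    policies = {
        "6 lowercase": keyspace(LOWERCASE, 6),
        "14 lowercase": keyspace(LOWERCASE, 14),
        "14 mixed (78 symbols)": keyspace(FULL, 14),
        "unknown length 1..14, 78 symbols": keyspace_up_to(FULL, 14),
    }
    return {
        name: (combos, round(entropy_bits(combos), 1), years_to_exhaust(combos, guesses_per_second))
        for name, combos in policies.items()
    }


if __name__ == "__main__":
    for rate in (FAST_HASH_GUESSES_PER_SEC, SLOW_HASH_GUESSES_PER_SEC):
        print(f"at {rate:.0e} guesses/second:")
        for name, (combos, bits, years) in compare_policies(rate).items():
            print(f"  {name:36s} {combos:>30,d}  {bits:5.1f} bits  {years:.3g} years")
```

The six-lowercase row is exhausted in a fraction of a second at the fast rate, while the 14-character mixed row takes on the order of a billion years; the slow-hash rate adds six more orders of magnitude on top of that, which is why how the site stores your password matters almost as much as the password itself.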
The 4 Golden Rules for your Passwords:
1. Unique for every website or account
2. Long (At least 10 characters, preferably 14 or more)
3. Random combination of characters (No real words)
4. Use special characters, uppercase, lowercase and numbers

Examples of bad passwords:
Sc4rface55
Aa556245622 (Your phone number, birthday, ... for example)
My4wesomeSecure

Most of these would pass the standards of most website password checkers and yet
they are insecure.
Here are examples of good passwords:
Mm10hwttp0tms!
14ss,b1jhtmu4gpapFvw
T47wh5raylitf.
I know, it seems impossible to memorize these, but as you will see in the following
section it's actually very easy.

1.3 Technique to Create Strong, Yet Memorable Passwords


Step 1: Come up with a random sentence related to the purpose of the
password
All you have to do is come up with a sentence that makes sense to you and is at
least 14 words long. Make sure to include some words that start with uppercase
letters.
A random sentence would be the best, but you could also use part of a song lyrics,
a poem, a quote, or a book passage.
Our Example:
I am glad that I am an SMC subscriber and know how to protect my Facebook
well!
Step 2: Write down the first character of every word
Now you simply reduce the sentence into a short and completely random password
by taking the first character of each word.

Our Example:
I am glad that I am an SMC subscriber and know how to protect my Facebook
well!
IagtIaaSsakhtpmFw!
Step 3: Convert some characters into numbers and special characters
Come up with a system where you can easily convert some characters into
numbers and special characters.
You can, for example, turn characters that look like numbers into numbers.
You could come up with creative and unique ways for this.
Replace the relevant characters of your password. Whatever rule you pick, apply
it the same way every time you type the password; a rule you apply inconsistently
is a rule you will eventually misremember.
Our Example:
t=7
i=!
a=4
!4g7!44Ss4khtpmFw!
(In this example the uppercase I is treated like i, and the substitution is applied
to the t of "that" but not to the t of "to".)

Now you have a very long password (18 characters) with uppercase, lowercase and
special characters.
Step 4: Memorize the password
To memorize this password, all you have to do is memorize your sentence and
which characters you are replacing.
When you want to use the password, simply say the sentence slowly in your mind
and type each of the first letters while remembering to replace some of them with
numbers and special characters.

At first it wont be easy to remember and type the password, but after a few days
the password will come to mind easily, and after a short while your fingers will
type the password without you even thinking about it.

PRO TIP: Mnemonics for the Random Sentence
To make it easier to memorize the random sentence, imagine something
that represents or summarizes it. See it clearly in your mind and make
sure it's large, 3D, detailed and colorful.
Then simply repeat the sentence (aloud or in your mind) from memory ten
times while you are imagining it.
This will create a connection between the image and the sound of the
sentence in your mind. Once this connection is created, whenever you
bring up the image, the sentence will automatically follow.
Repeat this for five consecutive days at least three times a day:
while you brush your teeth in the morning
when taking the first bite of your lunch
while you brush your teeth in the evening
When you try to remember it, do your best to come up with it using
your mind alone. Only peek at a cheat sheet if you have tried hard and
couldn't remember it.
A connection is only created and strengthened if you recall it without
cheating. Reading something and repeating it over and over, without
associating it with something else, will not create a connection in your
brain, and memorization will be much slower and less reliable.

1.4 Password Managers
If you recall, I said one of the golden rules of passwords is that all of them have
to be unique. This way, if hackers manage to get one of your passwords, all your
other web assets and identities remain protected and inaccessible to them.
You might have dozens if not hundreds of different accounts at different websites,
and using the previous password technique for all of them is simply impossible.
This is where password managers like 1Password and LastPass come in. They allow
you to save all your logins, passwords and other sensitive information in a
database that is encrypted with one master password.
You can easily generate and save unique, random and very secure passwords for
every single website and account you have. When you want to log in to one of
these accounts, the password manager fills in the login form without you having
to type or even copy and paste a complicated password.
On top of that, they work across different devices like Macs, PCs, iOS and Android.
This means you only have to memorize a few unique passwords. At the very least
you will need a strong password for your password manager. If you want to go one
step further, you can add a memorable password for each important login, such as
your primary email account or your bank. Keeping these additional passwords
memorable using a mnemonic system ensures that you can access those accounts
even if you lose access to your password manager.
These password managers also allow you to create and save random answers to
the security questions that websites sometimes ask you for. This prevents anyone
who is able to Google your first pet's name from taking over one of your accounts.
There are many solutions in this area, but the two biggest and most well known
are 1Password and LastPass.
LastPass is a cloud service that stores all your login information in its online
database, but all data is encrypted and decrypted on your device only.
1Password stores everything locally by default and allows you to sync through
iCloud, Dropbox or local WiFi.
I recommend 1Password, simply because it gives you more control over your data.
Everything is encrypted locally and only then stored in the cloud, if you wish to do
so. You also have the option for your passwords to never touch the cloud at all and
instead sync your logins to your smartphone or tablet through your local WiFi.

LastPass is a perfectly acceptable choice for a password manager, but even they
are not outside the reach of criminals. In mid-2015 LastPass was hacked and their
database of customer email addresses, password reminders, and authentication
hashes was compromised. LastPass assured its customers that actual passwords
and other sensitive data stored in encrypted user vaults weren't at risk. The vaults
are encrypted with each user's master password, so users who chose a strong
master password are probably still safe. I bring this up because it demonstrates
that you might do everything correctly and yet your data can still end up in the
hands of criminals. If you build your security profile in a way that protects your
data even after this happens, you've done it right.

1.5 Password Summary


Password security is crucial and the foundation of your overall digital security.
If you take nothing else away from this Black Paper, at least install a password
manager and change all your passwords to something unique and random. Then
create and memorize at least one secure password for your password manager.
To take it a step further, create a separate secure and memorizable password for
each of your important websites and computer logins.
To make this task easier, you can make your secure password variable.

We used this sentence and password in our example:
I am glad that I am an SMC subscriber and know how to protect my Facebook
well!
!4g7!44Ss4khtpmFw!
You can replace the F for Facebook with G for Gmail or B for Banking
and create multiple unique passwords:
!4g7!44Ss4khtpmFw!
!4g7!44Ss4khtpmGw!
!4g7!44Ss4khtpmBw!

Since each password is unique, an attacker who replays a leaked password against
other services (an automated credential-stuffing attack) will fail. Be aware, though,
that the variants differ in only one character: a human attacker who sees one of
them in plain text can guess the pattern and try the obvious substitutions. That is
why this variable password is only for your important but not critical accounts,
and why anything critical gets its own unrelated password or a random one from
your password manager.
Here are the unique passwords I recommend you create:
One master password for your password manager
One password for your computer login
One password for each of your critical websites (such as email)
One variable password for your important but not critical websites
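The derivation from section 1.3, the per-service variation above, and the one-character difference between variants, as an added example (not code from the original paper). The substitution rule t=7, i=! and a=4 is applied case-insensitively to every occurrence, which makes it deterministic and easy to reproduce; note that this replaces both t's, so the result is !4g7!44Ss4kh7pmFw! rather than the paper's !4g7!44Ss4khtpmFw!, which left the t of "to" unchanged. The sentence template with a {service} placeholder is an assumption of this example.

```python
import string

# The paper's substitution rule, applied case-insensitively to every occurrence.
SUBSTITUTIONS = {"t": "7", "i": "!", "a": "4"}

# Constructed template: the paper's sentence with the service name as a placeholder.
TEMPLATE = "I am glad that I am an SMC subscriber and know how to protect my {service} well!"


def initials(sentence: str) -> str:
    """Step 2: first character of every word; the sentence's closing punctuation is kept."""
    words = sentence.split()
    if not words:
        return ""
    result = "".join(word[0] for word in words)
    last = words[-1]
    if len(last) > 1 and last[-1] in string.punctuation:
        result += last[-1]
    return result


def substitute(text: str, rules=SUBSTITUTIONS) -> str:
    """Step 3: swap mapped letters for digits/symbols; unmapped characters keep their case."""
    return "".join(rules.get(ch.lower(), ch) for ch in text)


def derive(sentence: str, rules=SUBSTITUTIONS) -> str:
    """Steps 2 and 3 together: sentence -> password."""
    return substitute(initials(sentence), rules)


def per_service(template: str, services, rules=SUBSTITUTIONS) -> dict:
    """Section 1.5's variable password: one password per service from one sentence."""
    return {svc: derive(template.format(service=svc), rules) for svc in services}


def positions_differing(a: str, b: str) -> int:
    """How many character positions differ; the per-service variants differ in exactly one."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    facebook = TEMPLATE.format(service="Facebook")
    print(initials(facebook))      # IagtIaaSsakhtpmFw!
    print(derive(facebook))        # !4g7!44Ss4kh7pmFw!
    variants = per_service(TEMPLATE, ["Facebook", "Gmail", "Banking"])
    for svc, pw in variants.items():
        print(f"{svc:9s} {pw}")
    print(positions_differing(variants["Facebook"], variants["Gmail"]))  # 1
```

positions_differing makes the caveat above measurable: the Facebook and Gmail passwords are 18 characters long and differ in a single position, which is exactly what a human attacker holding one of them would exploit.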

PRO TIP: Stay vigilant! The more passwords you create, the harder they will be
to remember.
Use our system to help, but don't re-use the same password in more
than one place. If you find yourself tempted to do this, reduce the
number of passwords you're trying to remember and change them to
random passwords stored in your password manager. This will always
be a better choice than using the same password in multiple locations.
One more thing to note: the more the attacker knows about you personally,
the more they can reduce the potential combinations.
A lot of our information is online or available to purchase: birthdays,
family members and their birthdays, the names of our pets, addresses
where we've lived in the past, phone numbers, and more. These tidbits
are easy for an attacker to try, so never use them in your passwords or
security questions.

Its up to you to decide how much effort you put into this process and how
much you modify it. The more creative you get and the more random and longer
sentences you use, the higher your security will be.

2.0 PHISHING PREVENTION

2.1 What is Phishing
Besides hacking a website to get a password database, the second most used
technique is much simpler.
Phishing is a fraudulent message, usually an email, designed to trick you into
giving your password or other personal information to an attacker.
Typically you receive an email that appears to be from a legitimate sender like
Google, eBay or PayPal. It informs you that you received a payment, an order or
another important message and that you need to log in to confirm it.
Once you click the link or button, you are taken to a fake website that was
created by the attacker and looks like the legitimate one. When you enter your
password, the website saves it for the attacker and then redirects you to the real
website, so you may never notice that anything went wrong.
These scams are often easy to spot, but sometimes the attacker goes to
extraordinary lengths to make it look real and hard to detect.

2.2 How to Detect & Prevent Phishing


1. Inspect the email
When you receive an email urging you to log in, first check if there is anything
suspicious about the email itself.

Is the from address correct?
Most spammers create a look-alike from address like notifications@ppalsupport.com
instead of notifications@paypal.com. Check the actual address, not just the display
name, because the name shown next to it can be anything the sender chooses. Keep
in mind that the from address itself can also be forged, so a correct-looking
address is a good sign but not proof.
Is the email personalized?
Most legitimate websites greet you by name and include a username or account number.
Does the design look like other emails from the same sender?
Often the email formatting, logos and design simply do not look real.
Is it using a pushy call to action?
If the call to action is unusually pushy, contains red text and other things urging
you to visit the website immediately, be very careful.
These are simply signs that something may be wrong, and a sophisticated attacker
may avoid all of these. Train yourself to look for these things to detect phishing
attempts more easily and quickly.
Important:
Always hit the This Is Spam button in your email client if you detect spam or
phishing. Depending on your email provider, this will often send a notification
to them about the message. If enough people do this, the sender's emails will
automatically end up in other people's spam folders.

2. Inspect the website

Check the URL of the link before you click it
Hover over the link (or long-press it on a phone) to see where it actually leads,
and check whether the domain in the URL matches the company's domain.
It may look real, and nowadays there are very sophisticated attacks. Usually there
is a common spelling mistake, an extra character like paypal1.com, a different
domain ending, or the real company name used as a subdomain of an unrelated
domain. If you're at all unsure, don't click the link in the email. Manually type the


company's address into your browser and then log in to their site from there. For some
types of attacks it is enough to visit a fake website to have malware installed on your
computer. Don't click any link you're not absolutely sure of.
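An added example (not part of the original paper) of the domain check described above, written the way you would automate it for a mail filter or a browser extension. The links it is run against are constructed, and the registrable-domain logic is a deliberate simplification that knows only a couple of two-part suffixes; production code should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed: a couple of multi-label suffixes so that "bank.co.uk" counts as one domain.
# Real code should load the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'; 'mail.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def check_link(url: str, expected_domain: str):
    """Return ('ok' | 'suspicious', reason) for a link that claims to lead to expected_domain."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "suspicious", "no host name in URL"
    if parts.username is not None:
        # http://paypal.com@evil.example/ : the browser ignores everything before '@'
        return "suspicious", f"text before '@' disguises the real host {host}"
    if host.replace(".", "").isdigit():
        return "suspicious", "bare IP address instead of a domain name"
    if "xn--" in host or not host.isascii():
        return "suspicious", "internationalized host name; letters may be look-alikes"
    if host.startswith(expected_domain + "."):
        return "suspicious", f"{expected_domain} used as a subdomain of {registrable_domain(host)}"
    actual = registrable_domain(host)
    if actual == expected_domain:
        if parts.scheme != "https":
            return "suspicious", "correct domain but the page is not encrypted (http)"
        return "ok", f"domain matches {expected_domain}"
    expected_label = expected_domain.split(".")[0]
    actual_label = actual.split(".")[0]
    if expected_label in actual_label or edit_distance(expected_label, actual_label) <= 2:
        return "suspicious", f"look-alike of {expected_domain}: {actual}"
    return "suspicious", f"unrelated domain {actual}"


if __name__ == "__main__":
    # Constructed links of the kinds the text describes.
    for link in [
        "https://www.paypal.com/signin",
        "https://paypal1.com/signin",
        "https://paypa1.com/signin",
        "https://paypal.co/signin",
        "https://paypal.com.account-verify.example/signin",
        "http://paypal.com@203.0.113.5/signin",
        "http://www.paypal.com/signin",
    ]:
        verdict, reason = check_link(link, "paypal.com")
        print(f"{verdict:10s} {link}  ({reason})")
```

Only the first link passes; each of the others trips one of the checks the text lists (extra character, swapped look-alike character, different ending, real name as a subdomain, user-info trick, missing encryption). The same function is what you would call on every link extracted from an incoming message.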
Is the website encrypted?
Make sure the website is using encryption by checking whether the URL starts
with https:// instead of http:// and that your browser displays a lock symbol
next to the URL.
It's important to make sure the lock symbol is displayed by the browser and not
inside the website. Anyone can put images of locks on a page and say that it is
secure and encrypted, but that doesn't make it true. Clicking on the lock will give
you more information about the site and allow you to view its certificate. If you're
unable to view information about the security of the site, or if the certificate is
reported as invalid, the site may not be real.
Keep in mind what the lock does and doesn't prove: it means your connection to
the domain shown in the address bar is encrypted and that a certificate authority
vouched for that domain. Phishers can obtain valid certificates for their own
look-alike domains, so a lock next to paypal1.com proves nothing about PayPal.
The domain name is what you have to check; the lock only matters once the
domain is right.

3.0 TWO-FACTOR AUTHENTICATION


Two-Factor Authentication protects your accounts even if someone finds a way to
obtain your password through phishing, a password breach or any other way.
You may already be familiar with this from your online banking. Instead of
relying only on your password, your bank may have issued you a security device,
which requires you to generate additional one-time-passwords in order to log in
or perform critical actions.
This kind of security is not only available for online banking, but it is also
becoming more popular with everyday web services. Don't worry, though. You
won't have to carry around dozens of security dongles with you.
Instead of relying on security devices, you can often use your smartphone to
generate additional one-time passwords.

This way, if an attacker gets your password, they cannot use it without also having
access to your smartphone.
Two apps that are supported by many websites for Two-Factor Authentication are
Google Authenticator and Authy.
If you followed my advice and purchased 1Password, you can even add all
your one-time-password generators to your logins and have everything in one
place protected by your Master Password. This is great for convenience, but by
combining both parts of the authentication scheme into one application, it makes
your password manager the weakest link. If you choose to use this feature, protect
your password manager with a very strong master password.
You can find an extensive list of websites that support this kind of authentication
by visiting https://twofactorauth.org/.
Some of the services that support Two-Factor Authentication are:
Google (Including Gmail)
Apple iCloud & App Store
Fastmail
Namecheap (domain hosting)
Dropbox
And many more...
The setup process differs from service to service, but generally you scan a
QR code with your Two-Factor Authentication app, which adds the service to
your app: the QR code contains a secret key that the service and your phone now
share. After that you simply open the app and it will continuously generate
one-time passwords, each valid for a short period (typically 30 seconds), after
which the next code is shown.
When you need to log in to a website, you have to enter the current one-time
code in addition to your password.
Many websites allow you to mark a device as trusted so that you don't have to
enter the code every single time you log in. This gives you ease of use on your
own device, while still protecting you when you are using other computers.
Additionally, most websites and services allow you to enter a backup phone
number where you can receive a one-time password as a text message in case the
app doesn't work. Treat this as a fallback rather than your primary method: text
messages can be intercepted or redirected by an attacker who convinces your
carrier to move your number to their SIM, so a code from the app is the stronger
option. Others allow you to store extra single-use backup codes in case you lose
your smartphone or need to reset an account and no longer have the physical
device that generates the codes. These can be stored as a secure note in your
password manager.

For a complete and up to date list, please refer to the website
https://twofactorauth.org/, which has links to instructions for how to set this up
for most services that offer Two-Factor Authentication.
I strongly recommend you enable this at least for your email, because this is
the most critical web account you have. If someone gains access to it they can
potentially reset your other passwords and gain access to even more accounts.

4.0 BACKUPS
An absolutely critical part of your digital security is to back up your data. A
backup protects you and allows you to return to work quickly after a situation
where data was lost, such as the loss or theft of your laptop, data corruption, or
hardware failure.
If you have ever been in a situation where your laptop's hard drive started clicking
and then suddenly gave out, you know how stressful and costly it can be to get
back up and running.
This is especially important if you want to protect your data through encryption. If
your unencrypted hard drive starts failing, its sometimes possible to save most of the
data, but if your data was encrypted it can be impossible to recover without a backup.
To create a tight backup strategy I recommend regular local backups to an
external hard drive and additionally off-site backups to a cloud-based service.

Your backup strategy should also be completely automated and not require
any effort on a regular basis from you. If your backup strategy is to copy files
manually to the cloud or an external hard drive, it is much harder to guarantee
that it will happen on time, every time. Things come up, backups get missed,
and before long you might find yourself with a dead laptop and no backup more
recent than last year...

4.1 Local Backups


This is the foundation of your backup strategy, because its quick to set up and
very quick to recover from in the event of a hard drive failure.
You want to set up a system where all your data is copied to an external hard drive
regularly. If your computer is a laptop, make sure the hard drive is connected to
your network and does not require you to plug it directly into your computer in
order to perform a backup.
An important consideration is whether you can encrypt your backup. If you're storing
it on a small external hard drive, it's very easy to lose it or for it to be stolen. If that
happens, you don't want anyone to be able to get access to all your files.
An option that works very well for this is to use an external hard drive with hardware
encryption and PIN input. We will talk about this later in this Black Paper.

4.1.1 Macs
If you're using a Mac, Apple makes this very easy for you. Their AirPort Extreme
wireless router is a home router and WiFi access point into which you can plug
a USB hard drive. They also make the Time Capsule, which is the same wireless
router but has a hard drive for backups built into it.
Recent versions of Apple's OS X operating system include a backup suite called Time
Machine that is very easy to use. If you use an external USB drive or one of the
WiFi-connected options above, your computer will detect it and ask if you want to use
it as a backup destination. If you confirm, your computer will start backing up to it
every hour whenever you are connected to your wireless network.
At this time Apple doesn't provide the means to encrypt your Time Machine


backup when backing up through WiFi. Therefore, I recommend purchasing the
AirPort Extreme instead of Time Capsule and using a hardware-encrypted external
hard drive with it.

4.1.2 Windows
Windows includes backup functionality via Backup and Restore under Control Panel
/ System and Security. This will allow you to configure a local or network drive as a
backup destination and then choose files and folders to be backed up. You can have
Windows create a system image, from which you can restore a complete computer, or
you can choose what files and folders to back up.
Another option is to purchase a standalone network drive such as the DiskStation
DS214se from Synology. This two-drive device can act as a backup destination for
Windows and Mac in addition to providing other cloud-like services for your home or
office.
The two hard drives can be configured as one large drive or as one redundant
drive, providing additional protection from hardware failure. Synology provides
the Synology Replicator, allowing you to back up your Windows computer to the
Synology storage device.
Many software products exist to perform backups of Windows machines, but these
options are simple and effective.
To additionally secure your backup and make it more convenient, purchase a hardware
encrypted external hard drive and connect it to your router to allow wireless backups. You
can find more information about how to do this in section 5.2 of this Black Paper.

4.2 Cloud Backups


An offsite cloud backup is like your health insurance. You hope you will never need
it, but if you ever do, you'll be glad you have it.
The disadvantage of a cloud backup is that the initial backup can take a lot of
time if you have a lot of data, because everything has to be uploaded first. It also
takes longer to restore your computer to its previous state after a data loss.

These disadvantages are offset by the fact that once you have it set up, it just runs,
and you can be sure that your data is always backed up even if you are traveling
and not home.
Offsite backups also protect you from catastrophes like fire and flooding. That's
why it's called an offsite backup: no matter what happens to your laptop or
your home, your data will always be safe.
There are multiple cloud backup providers, but I highly recommend CrashPlan.
I have had nothing but good experience with them, their upload speeds are
sufficient and support is responsive.
They are also available for both Windows and Macs.
You can set it up with client-side encryption, which means your data is encrypted
with a private key locally on your computer and then uploaded. If you ever need
to access your data, it's downloaded and then decrypted once again on your local
computer.
To increase your security, you can (and should) set an additional Archive Key
Password in your app settings. This means that your encryption key itself is also
encrypted with a separate password, and this password is never shared with CrashPlan.
CrashPlan then never has access to your encryption key and cannot access your
data or share information with any third parties or government agencies even if a
court compelled them to.
To enable Archive Key Password, open CrashPlan, navigate to Settings and
select the Security tab. In the Archive Encryption section, select Archive Key
Password and make sure not to set any archive questions, which would allow you
and CrashPlan to restore your key if you forget your password. Instead, use the
password techniques described previously in this Black Paper.
Some other cloud backup providers and potential alternatives are:
BackBlaze
Carbonite
Mozy

5.0 DATA ENCRYPTION


Most people think that the data on their computers is secure and inaccessible to
others. After all, every time you turn it on, you have to enter a password and only
then can you view your files.
Unfortunately, without encryption, your computer password does not actually
prevent anyone from accessing your data. All it takes for someone to access it is to
boot your computer from a USB stick, and they will be able to access and change
any file they want on your computer without having to know or enter your
password. On Macs they can put the computer into Target Disk Mode, which turns it
into a big external hard drive. They can then plug this hard drive into another computer
and browse all of its files.
The reason is that your operating system is only hiding data from people who don't
have the password, but once you start a different operating system, the data is
accessible.
In order to make data completely inaccessible, you have to use encryption. When
you encrypt your data, it is encoded in a way that makes it unreadable without
having the key to decrypt it.
This means if your laptop or external hard drive is lost, stolen or confiscated,
nobody can read the data on it unless they have the secret key, and this key is one
which only you know.
Surveillance and incidents of confiscation have been happening more frequently.
Governments act with impunity and your devices can be seized and searched even
without you being accused of doing anything wrong. This is especially true at
airports and other border crossings. That's why encryption is so important.

5.1 Computer Full Disk Encryption


Not too long ago encrypting your data was a lot of hassle, required you to use
complicated and unintuitive software and would slow down your computer as it
decrypted data being read from the hard disk and encrypted data being written to it.
The disadvantages and inconvenience outweighed the benefits for most people.

All of this changed a few years ago when laptops started to move towards very fast
solid-state disks (SSDs) instead of mechanical hard drives, and when Intel added
native support for encryption to their chipsets.
If you have a modern computer, you can encrypt your entire hard drive and will
most likely not even notice any performance reduction or inconvenience.
It's important to understand that your data is stored encrypted on your hard
drive, but every time you turn your computer on you have to enter the password
so that the data can be decrypted for use. If someone sends you malware and
you install it accidentally, that malware will be able to access your data while your
computer is turned on.
For maximum security, you should always completely shut down your computer
when you are in higher risk situations, such as crossing borders or any time your
device will be outside of your physical control.
Important:
If you decide to encrypt your hard drive and you suffer a hard drive failure, your
data will most likely not be recoverable. That's why we covered having a sound
backup strategy first. At the very least, use a cloud backup service and only then
encrypt your hard drive.

5.1.1 Full Disk Encryption on Macs


Apple has created a very easy-to-use and safe way of encrypting your entire hard
drive called FileVault.
All you have to do is go to System Preferences → Security & Privacy →
FileVault tab and enable it.
For more information and more detailed instructions, please refer to Apple's
support document about FileVault.
Important:
Make sure NOT to save your recovery key with Apple, as this would allow them to
hand over the decryption keys if forced to do so.
Instead, memorize it or save it in a safe location. If you created a strong master
password, your 1Password database would be a good place for this.
It's also worth mentioning that every user you add after enabling the encryption
will be able to start and decrypt your Mac. Therefore make sure all users of your
computer are using long, random passwords as described in the password section.
I recommend anyone with a Mac that has a Solid State Drive (SSD) and that was
released in 2012 or later to turn on FileVault.
Everyone else can also enable it, but will notice slower performance.

5.1.2 Full Disk Encryption on Windows PCs


TrueCrypt used to be the de facto standard of full-disk-encryption software on
Windows. In 2014 the development team abruptly shut down the project and left
behind only a version that is capable of decrypting files but not encrypting them.
A public audit of the software is in progress, but this has caused suspicion that
the software may contain backdoor access and that the encryption might be
compromised.
Whenever I'm using a tool to protect my privacy and I encounter something
that raises a doubt about whether it is still the right tool, I prefer to stop using it until
the questions are answered. In the case of TrueCrypt, it's possible to use an older
version, and there may not be any risk in doing so. Without knowing for sure, I
recommend that you avoid using TrueCrypt.
Fortunately there are other alternatives.
Windows BitLocker
BitLocker is the encryption software included in Windows itself, which is very
similar to FileVault on Macs.
Its only available in certain Windows editions, however:
Windows Vista: Ultimate and Enterprise
Windows 7: Ultimate and Enterprise
Windows 8: Pro and Enterprise
For more information on how to enable and set it up, please read Microsoft's
support document.
Symantec Drive Encryption
Symantec Drive Encryption is powered by the same technology as PGP email
encryption.
It's closed source, just like BitLocker, but security and cryptography expert Bruce
Schneier uses it. He is a well-respected member of the digital security community,
so his use of it speaks strongly in its favor.

5.2 External HDD Encryption


We store a lot of important data on external hard drives (HDDs); if nothing
else, our backups are there. It's especially important to protect them because of
how easy it is to lose or steal a small external hard drive.
You have two main options for encrypting your external HDD: software or
hardware.

5.2.1 Software Solutions


When you use a software option, a program or your operating system encrypts all
or some of the files on the hard drive and allows you to decrypt them.
The problem with software encryption is that you need to use the software on
every computer you want to access the files from, and sometimes the software is
not compatible between Windows and Macs.
Additionally, it's not possible to software-encrypt a network-based Time Machine
backup or attach a software-encrypted drive to a network storage system.
Mac Solutions:
Encrypt entire external hard drives with Apple's FileVault
Encrypt only certain files and folders with Apple's Sparse Disk Images
Use Agilebits' Knox for a more user-friendly solution to encrypting only
certain files and folders
Windows Solutions:
Microsoft BitLocker to encrypt entire external hard drives
GPG4Win to encrypt certain files and folders

5.2.2 Hardware Solutions


The alternative is to purchase a hard drive that has encryption functions built
right into its hardware. When you connect such a hard drive, it's not even
detected or recognized by your computer until you type the password on a keypad
attached to the drive.
The advantage is that it's completely cross-compatible. It doesn't matter whether
you connect it to a Mac, Windows, an Airport Extreme, or some other network
storage system. Once you type in the password, it appears like a normal hard
drive to them.
At the same time you have to be careful to purchase a quality product. Some solutions
do not actually encrypt the data and can be circumvented by simply taking the hard
drive out of the enclosure and connecting it directly to a computer.
Here are two solutions that are highly regarded and actually encrypt the data:
StarTech.com 2.5-Inch Encrypted Hard Drive Enclosure
Apricorn Encrypted Hard drives & USB Sticks
I highly recommend using one of these as your local backup hard drive.

5.3 Encrypted Cloud Storage


Everyone knows how convenient cloud storage like Dropbox is, but the data there
is not stored securely.
Dropbox assures users that their data is encrypted while it's being uploaded,
downloaded and when it's stored on the Dropbox servers, and while this is true,
it's important to understand that Dropbox holds the encryption keys to the files.
This means Dropbox employees can decrypt your files to read them and, if forced
to, share them with government agencies.

Even Edward Snowden specifically warned against using Dropbox and called it
hostile to privacy.
Fortunately there are a few security- and privacy-focused cloud storage providers who
have designed their services so that they cannot read your files and can only hand
over encrypted, unreadable content to government agencies.
These services use client-side encryption and are Zero Knowledge Providers.
This means that the data is encrypted on your device BEFORE it's uploaded and
you are the only one who holds the necessary encryption keys.
Even if a court forces the provider to share whatever data they have on you, it will be
useless as it's encrypted and you are the only one who holds the encryption keys.

5.3.1 Consideration With US Based Providers


It's important to understand that if you are using a provider who is a US business
or who stores the data on US soil, the FBI or NSA can force the company to
install backdoors on their network and their software to capture the encryption
keys in clear text. Even if the provider stores the data outside of the US but is a
US-registered company (such as Amazon Web Services), the data is not safe.
This is exactly what happened to Lavabit, a company that used to provide
encrypted and privacy-focused email solutions to customers, including Edward
Snowden. Ladar Levison, the founder, was ordered by a US court to install
a backdoor onto his network that would allow the government to capture
customers' plain-text passwords.
He fought the broad scope of the search, and when his efforts to have the search
limited to a specific target failed, he chose to shut down his 10-year-old company
in order to protect his 410,000 customers.
You should therefore try to use a service provider based in a privacy-focused
country such as Switzerland, or another country that is out of the jurisdiction of
your home government.

5.3.2 Do You Need Encrypted Cloud Storage?
Before you go and move all your files away from Dropbox, you should consider
first whether you actually need encrypted cloud storage. If all you store on
Dropbox are pictures of your cat, you really don't need to do this.
On the other hand, if you store or plan on storing your entire documents folder,
which may contain sensitive information such as bank statements or legal
documents, you may want to consider this.

5.3.3 Encrypted Cloud Storage Options


Over the past few years quite a few secure options surfaced, but in my opinion
most of them haven't been able to create a solution that can really compete with
Dropbox in terms of usability and convenience.
Most of the services listed below differ in terms of features, but all of them
employ zero-knowledge client-side encryption.
The purpose of this section is to give you a start on finding the perfect solution
for yourself. You have to make a decision based on where you are located, what
type and quantity of data you want to protect, as well as how much importance
you put on usability.
Tresorit
https://tresorit.com
Tresorit is not only very secure and hosted in Switzerland, but also user-friendly,
with great apps on many platforms. They started a hacking contest offering
US$50,000 to anyone who can break their system, and nobody has been able to.
In my opinion it's the only secure cloud storage provider that comes close to
Dropbox.
SpiderOak
https://spideroak.com
SpiderOak is famous for being recommended by Edward Snowden and offers
zero-knowledge client-side encryption just like Tresorit.

They offer attractive pricing options, but the big drawback is that their service is
US based and their apps are not as polished as Tresorit.
Mega
https://mega.co.nz/
Mega is the new file hoster by the infamous Kim Dotcom, whose previous file
sharing service Megaupload was shut down by the FBI for copyright violations
and whose villa in New Zealand was raided spectacularly with helicopters and
armed forces.
Dotcom decided to fight back and created a secure zero-knowledge file hoster,
which would make it impossible for him to be responsible for the content hosted
on it. Having been bitten by the US government himself, he made it his mission
to create a private and secure service.
Mega has been trying to establish itself as a secure Dropbox replacement, but the
app, syncing and sharing capabilities are not as convenient. Nonetheless it's still a
great service because of its generous free tier and the ability to store large files.
Megas situation is similar to what I discussed earlier with TrueCrypt. It might be
safe, but Kim Dotcom is under the thumb of law enforcement right now and is
working aggressively to prove his innocence. Until he resolves those problems, I
prefer to keep sensitive information off of Mega.

6.0 INTERNET ENCRYPTION


Most of the technology behind what we know as the Internet came out of a
US Department of Defense network called ARPANET. It was designed to allow
university researchers to communicate with each other and share information,
and they never expected it to become what we have today.
ARPANET was never intended to transmit confidential and secure information.
All of the technology that allows our modern Internet to do so has been stacked
on top of the ARPANET foundations. Some of it works well, but all of it relies
on a complicated web of interdependent components. If one of these components
fails, the whole system fails.
The majority of data is transferred through the Internet unencrypted, and that's
okay. If you're out in a restaurant, you can hear the conversations of those around
you, and no one cares. People know not to talk about private information in
public. For that we have encrypted communication. But even encrypted traffic is
vulnerable to certain attacks that allow hackers and governments to spy on you.

6.1 Why Additional Internet Encryption is Important


Many of the websites you visit use an encrypted connection (HTTPS), which is
signified by a little lock icon in your browser. Bigger sites pay more to have their
identity information shown next to their Internet address, telling you that you
really are visiting their site. Some of them encrypt your entire visit, while others
only encrypt key parts such as logging in or purchasing.
While the number of encrypted websites keeps growing, you would be surprised
by the number of websites that do not encrypt even sensitive information.
This is especially important because most people do not pay attention to whether
a website is using a secure connection, and some apps, especially on smartphones
and tablets, don't even display this information.
Every time you visit a website, read your email, or download a file, the traffic
connects through many different points between you and the destination. If the
connection is not encrypted, anyone along that route can capture the traffic and
read it.
It starts on your local WiFi where a person armed with a small bit of knowledge
can capture which unencrypted websites you are visiting, what pages you are
viewing, what data you are transmitting to them (including passwords & credit
card details). Even your email program may be using an unencrypted connection
without you knowing it and exposing your password and email content to anyone
who is on the same WiFi network and knows how to listen in.
But it doesn't stop there. Once you load a website, the request leaves your
computer and travels through a long chain of routers and servers before arriving
at the site you're visiting. Any admin, government, or hacker who has access to
any one of these devices can potentially intercept the data.

For example, the US telecommunications company AT&T has introduced a fiber
broadband plan where customers have to pay an additional $29 for the privilege of
not being spied on. Those who choose not to pay agree to allow AT&T to collect
and share information with their advertising partners such as "The webpages you
visit, the time you spend on each, the links or ads you see and follow, and the search
terms you enter."
Edward Snowden's NSA leaks have even revealed that the NSA and British
GCHQ tap undersea cables to mass-collect information and later sift through it.
Information collected by the NSA is stored in their massive datacenter in Utah,
where they mine it retroactively for data about people of interest. They even store
all encrypted data there with the hope that today's strong encryption will be easy
to break in future years.
Knowing that people can and will collect and search through your unencrypted
data, it's of utmost importance to additionally secure your Internet connection
AT THE VERY LEAST when you are using public WiFi networks. Ideally,
you would want to secure it ANY time you connect online and prevent your
computer from accessing the Internet without additional encryption.
Here is a summary of reasons why I secure my Internet traffic whenever possible
and why I encourage others to do the same:
Privacy is a basic right
I don't want criminals to steal my data
My activities are no one else's business

6.2 How to Encrypt ALL Internet Traffic With a VPN


When you connect to the Internet, your ISP gives you an IP address, and they
keep track of what IPs were assigned to which customers at any given moment.
This makes the ISP the first point at which your data can be monitored or
tampered with.
Current legislation related to net neutrality is about this part of the journey.
ISPs want to be able to prioritize traffic according to customer type. What this
means is that you already pay them for Internet, but if you want to watch Netflix,
Netflix has to pay them too. This is the slipperiest of slopes and is founded on the
ISP watching and recording everything that every one of their customers is doing
all of the time. To get past this and out into the ocean of space that is the Internet
proper, you can use a Virtual Private Network (VPN).
A VPN creates a secure, encrypted tunnel from your device to the VPN provider's
server, through which all data flows. Instead of connecting to your ISP and then
to the Internet, a VPN creates an encrypted tunnel through your ISP to the VPN
provider.
No one in between you and the VPN provider can see what's happening inside
the tunnel, so if someone is listening in on your local WiFi or the government
elsewhere is gobbling up all traffic going through your ISP, you're protected. In
order for someone to know what you're doing, they would have to control the
remote end of the connection as well. This is much harder for them to do.
For example, if you are in the US and use a VPN in Hong Kong, the websites
you visit will think you are a visitor from Hong Kong. Literally, your IP address
will be the address of the VPN provider in Hong Kong. This is because you
are establishing a connection to the Hong Kong VPN server and from there
connecting to the final website.
If someone is snooping in between the Hong Kong VPN and the website, they
will have no way of knowing it was you who accessed the website by looking at
the visitor IP addresses. The reason for this is simple: The VPN has potentially
thousands of users and it could have been any one of them who visited the
website.
This is also how people can circumvent various geolocation restrictions that
service providers have, by using a VPN server located in a different country.
Since this may violate the Terms of Service of many of them, we do not formally
endorse using VPNs for that purpose.

6.2.1 How to Pick a VPN Provider
When you are picking a VPN provider you need to consider the following things:
1. Your home country
2. The country where the VPN company is registered
3. Whether the service is anonymous or retains your history
4. The country where the actual VPN servers are
VPN Provider Country
Generally you should pick a VPN outside the jurisdiction where you are a citizen
or resident. This way interested parties would have to go through at least two
different jurisdictions, which is more difficult and expensive.

You also want to make sure the country you pick has no mandatory data retention
laws, which are very common in Europe, for example. Hong Kong, on the other hand,
has no mandatory data retention laws.
For more information on the current status of mandatory data retention laws you
can consult the Electronic Frontier Foundation.
You can also pick a country with strong legal support for privacy, such as Iceland
or Sweden. These are countries where your digital rights are protected by courts
who require evidence of criminal activity before allowing data to be handed off to
others.
Whether the company is logging your information
Simply picking a VPN provider in a country which does not require mandatory
data retention does not guarantee that they will not log any information about
you.
Therefore you should additionally do research on what the company's privacy
policy is and what kind of information they retain.
Back in 2011, the UK-based HideMyAss was forced to hand over data logs
belonging to a member of the hacker group LulzSec to the US authorities.

VPN Server Country
Most VPN providers allow you to pick from a range of VPN servers in different
countries, masking your real location on the Internet.
Just like with the VPN company, you want to pick a location that's different from
your country of citizenship and residency. At the same time you want to pick a
VPN server that's as close as possible to where you currently are. Generally, the
further away the server is from you, the slower your connection will be.
If you are in Germany, for example, picking the Netherlands would be a great choice.

6.2.2 Recommended Services


VyprVPN
https://www.goldenfrog.com/vyprvpn
United States
The biggest strength of VyprVPN is its ease of setup and use. They provide
easy-to-use apps for Mac, Windows, iOS and Android, which make the often
inconvenient setup very straightforward.
They log a small amount of data about your usage for abuse prevention, but are
very open and clear about it, as well as about how they respond to investigations,
in their privacy policy.
Because they are US-based, this is not the most private VPN service out there
if you are concerned about the heavy hand of the US government. For all other
intents and purposes, such as securing your Internet connection and data while
on public WiFi networks, VyprVPN is a good and easy-to-use option.
Several members of the Sovereign Man Team are using their service and are satisfied.
Hide Me
https://hide.me/en/network
Malaysia
Hide Me is based in Malaysia, with no mandatory data retention laws, and assures
their customers that they do not log any information.

At the time of publishing, they only had apps for Windows and Android, which
made the setup and usage on Macs and iOS difficult.

If you are concerned about your privacy and anonymity this may be the right
service for you. One of our team members used it before and was overall satisfied,
except for the inconvenient usage and setup on Apple devices.
Other Providers
There are many more providers, but we only want to recommend the ones our
team members have personally used.
A good start to research more providers is the following link: https://www.bestvpn.com/.
As always, be careful with review websites as a lot of them are actually affiliates
of providers and may not be entirely truthful or objective. Do your own due
diligence, especially if you require a high amount of anonymity.
If all you want to do is protect yourself while on public WiFi and from tracking
by your Internet provider, almost all VPN services will be sufficient.

7.0 SECURING YOUR SMARTPHONE


Our phones are a true gold mine of information about us: messages, emails,
contacts, photos, location data and much more. What is worrying about this is
how easy it is to lose this tiny device or have it stolen.
It's of utmost importance to protect this information and make sure it doesn't fall
into the wrong hands.
Fortunately both Apple and Android have improved their mobile phone
encryption drastically to the point where the FBI even proposed to ban strong
encryption by law.

7.1 The Passcode
Your passcode is your very first line of defense and like the lock on your front
door, it helps to keep people out.
How much protection your passcode actually gives you depends on whether it's
actually used to encrypt the data on your phone and on how strong your passcode is.
It's important to be aware of, and in most cases to assume, that your passcode does nothing
more than this: prevent people from walking through the front door of your phone.
Just because your data can't be accessed by simply unlocking your phone, it
doesn't mean the data can't be accessed in other ways, like being copied directly
from the device to a computer.
It will keep the curious teenager who finds your phone on the street out, but it
does not guarantee it will protect you from a sophisticated attacker.
Does this mean the passcode is unimportant and you shouldn't bother at all with it?
Most certainly not. It's actually the foundation of your phone's security, and
instead of dismissing it, you have to be aware of its limitations and simply know
how you can make it more secure.

7.2 Smartphone Encryption


Both Apple's iOS and Android allow you to encrypt all user data on your phone.
Although both platforms offer a similar approach to user data encryption, there
are significant differences you should be aware of.

7.2.1 iPhone and iPad Encryption


If you are an iPhone or iPad user, all you have to do is set a passcode to enable
user data encryption.

Apple has been encrypting some of your data, such as email, automatically since
2009. In iOS 8, which was released in September 2014, it significantly expanded
the amount of data that's encrypted by default:
"On devices running iOS 8, your personal data such as photos, messages
(including attachments), email, contacts, call history, iTunes content, Notes,
and Reminders is placed under the protection of your passcode. Unlike our
competitors, Apple cannot bypass your passcode and therefore cannot access this
data. So it's not technically feasible for us to respond to government warrants for
the extraction of this data from devices in their possession running iOS 8."
This protection is also enabled by default for third party apps, although app
developers can disable it for certain files.
In addition to using strong encryption, Apple has added measures to ensure the
data can only be decrypted using the same iPhone or iPad. This means an attacker
cannot create a copy of the encrypted data and brute-force it on a powerful
machine.
This gives you the convenience of being able to use a much simpler passcode
without compromising the security of the encryption.
All encryption features are implemented through hardware and will not slow
down your device. You will not notice any difference in performance with or
without a passcode.
Enabling Encryption & Passcode
To enable a passcode and the full-disk encryption that comes with it, simply
turn it on in the settings:
iOS 8 on devices with Touch ID: Launch the Settings App > Touch ID & Passcode
iOS 8 on devices without Touch ID: Launch the Settings App > Passcode
iOS 7 on devices with Touch ID: Launch the Settings App > General > Touch ID & Passcode
iOS 7 on devices without Touch ID: Launch the Settings App > General > Passcode

To further increase your protection, use a more complicated passcode instead
of the default 4-digit option. You can do this by disabling the "Simple
Passcode" option and entering a longer numeric or alphanumeric passcode.

You may also want to enable the "Erase Data" option, which wipes your iPhone
after 10 failed passcode attempts. This option is a great protection against random
people guessing your passcode, but you should be aware that it has flaws and a
very sophisticated attacker can circumvent it.
Therefore you should not rely on it alone, but pick a very secure passcode. More
details on what constitutes a secure passcode are in the next section.
Making sure all user data is encrypted
Important: Make sure you use iOS 8
If you are using a version of iOS before 8.0, not all of your data is encrypted. To
ensure you have full protection, make sure your devices have been updated to iOS
8.0 or higher.
To check your iOS version:
Launch the Settings App > General > About > Version
To update your device:
Launch the Settings App > General > Software Update
All devices released in 2011 or later can be updated to iOS 8 and take advantage
of this functionality.
The only devices that cannot be updated are:
The iPhone 4 and older
The original, first-generation iPad
The iPod Touch fourth generation and older

7.2.2 Android Encryption
Google has been offering full-disk encryption in Android since 2011, but it was
never enabled by default; you have to specifically turn it on.
They significantly improved their encryption technology in October 2014 with
the Android 5.0 Lollipop update, and now it's enabled by default on some new
phones such as the Google Nexus 5.

7.2.2.1 Limitations of Android Encryption


Off-Box attacks are possible
The most important issue in versions of Android before 5.0 is that the
encryption was not tied to the device. This means an attacker could copy the
encrypted contents of your phone and brute-force the password on a much more
powerful computer.
If you enable encryption on a pre-5.0 Android device, you should use a VERY
complicated passcode, otherwise the encryption can be cracked within minutes.

Screenshot of a password cracking tool in action.


The screenshot shows a tool that cracked the password of an Android full-disk
encryption in 59 seconds. The password was 8 characters long and included
lowercase letters and numbers: p4ssw0rd.

On iOS devices and Android devices with the new 5.0 update the same password
would take approximately 7,000 years to break. This is because the attacker would
not be able to use a powerful computer to do the attack, but instead would have
to use the limited processing power of the phone itself.
Performance impact
Unlike Apple devices, most Android devices do not support hardware acceleration
of encryption, which degrades the performance of your device. This includes new
Android 5.0 devices such as Google's Nexus 5.
Future Android phones will hopefully implement hardware features to accelerate
encryption, but at the moment you have to be aware that your device will be a
little bit slower and more sluggish.
On some devices only internal memory is encrypted
Many Android devices come with limited internal memory and allow you to
add more through additional SD cards. Unfortunately not all devices support
encrypting this additional storage.
In that case you need to be careful what data is stored on the SD card.

7.2.2.2 Enabling Android Encryption


Depending on which device you have and which version of Android it's running,
the encryption can take an hour or more. Make sure you have enough time to
finish the process and plug your phone into a charger.
1. Set a PIN or password
Open Settings > Security > Screen Lock > PIN or Password

2. Encrypt the phone
Open Settings > Security > Encryption
For further information, please read Google's support document.

7.2.2.3 Use the Most Recent Android Version


Significant improvements in encryption technology have been made in
versions 4.4 and 5.0 of Android, and if possible you should take advantage of them
by updating.
Check which version of Android your device is running:
Open Settings > About Phone > Android Version
Update your Android
You can check whether an update for your device to Android 4.4 is available by
clicking here, and whether an update for Android 5.5 is available by clicking here.
Unfortunately many Android devices do not receive many updates or have to wait
a very long time to receive a new version.
Enable encryption even if you cannot update
If you cannot update to Android 5.5, off-box attacks are possible, albeit probably
not for unsophisticated attackers.
The encryption may not protect you from the NSA, or even a low-level law
enforcement agency, but at least it will stop strangers and thieves from getting
access to your private data.
Make sure to use a strong password.

7.2.3 When Is My Data Encrypted and Decrypted?


If you have encryption enabled in Android or iOS, user data is encrypted the
moment it's written to persistent storage and decrypted when it is read.
One important caveat is that not all data is in an encrypted state at all times.
When the device is turned on, it needs to be able to access data like your address
book to function, and that data is therefore decrypted.
Not encrypted
System files and other files required to start the device are not encrypted at all.
Encrypted until first passcode entry
Most user data is fully encrypted until the device is unlocked for the first time
after being turned on. Once you type in your passcode for the first time after
turning on the device, the data is decrypted and stays decrypted until you restart
your device again.
Your contacts are a good example, which you can see for yourself:
Restart your iPhone without unlocking it and call yourself from another phone. You
will only see the number and no contact information from your address book.
Once you unlock your phone for the first time and lock it again, you will still see the
contact information of the incoming call.
Encrypted while the phone is locked (iOS only)
Sensitive information like Safari passwords is only decrypted while your iPhone
is unlocked. As soon as you press the lock button the data is encrypted again and
is not accessible anymore.
This functionality is only available in iOS; Android does not support it.
What does all of this mean for me?
The important takeaway from this is that your data is only fully protected before
you enter your passcode for the very first time.
Once you enter your passcode, an attacker has several points of entry to access
your decrypted data. If you, for example, visit a website on your phone, which
exploits a security vulnerability and installs malware on your phone, the malware
could send the decrypted information to the hacker.
A more practical example is the case of confiscation:

Law-enforcement agencies have several tools that allow them to copy unencrypted
and decrypted files from your device, but you can make it impossible for them by
simply turning your device off before handing it to them.
It will be impossible to access the data without your passcode and even Apple,
Google or Samsung will not be able to recover it without your passcode. They will
have to try to crack your passcode, which can take a very, very long time if you
picked a good one.
IMPORTANT:
My recommendation is to always turn off or restart your devices when you are in
situations where confiscation is a possibility. This includes police checks, border
crossings and so on.

7.3 Picking a Secure Passcode


The complexity of your passcode defines how well your data is protected. If you
are using an iOS 8 or an Android 5.0 device, the complexity can be significantly
lower. This means you can use a passcode that is easier and more convenient to
type while still being sure your data is secure.
If you are using a pre-5.0 version of Android, you should use a long and complex
password as described in the password section of this Black Paper for the highest
security. Unfortunately it becomes impractical to enter a difficult password like
that.
In that case I recommend using the most complex passcode you are comfortable
typing in and enabling encryption. It may not protect you from a sophisticated
attacker, but it still gives you additional security.
The calculations below are based on the information Apple provided in their iOS
Security Guide and should apply to Android 5.0 devices as well.

Look at the table and the time necessary to break the password and then decide
what level of security you need.

COMPLEXITY                                                    | EXAMPLE       | TIME TO CRACK
4 characters with numbers only                                | 4681          | 13 seconds
6 characters with numbers only                                | 2547 81       | 22 minutes
8 characters with numbers only                                | 8126 2493     | 92 days
10 characters with numbers only                               | 3572 4793 17  | 25 years
4 characters with lowercase letters and numbers               | 4fa7          | 1.5 days
6 characters with lowercase letters and numbers               | ga5b 8j       | 5.5 years
4 characters with lower and upper case letters and numbers    | hF3a 44       | 13 days
6 characters with lower and upper case letters and numbers    | hoP5 32g      | 52.5 years

Important Note:
These calculations are based on Apple's passcode implementation, which requires an
attacker to crack the passcode on the mobile device itself and prevents them from
using a much more powerful computer. They do not apply to your usual passwords.
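The figures in the table rest on one number: Apple's iOS Security Guide states that each passcode attempt run on the device takes about 80 milliseconds, because the key derivation is tied to the device's hardware and cannot be moved to a faster machine. The Python script below is an added example, not code from this Black Paper. It computes worst-case (full keyspace) crack times at that rate for every complexity class in the table and, beside each, an off-box estimate for a device whose encrypted image can be copied, as with pre-5.0 Android in section 7.2.2.1. The off-box rate of one billion guesses per second is an assumption chosen only for illustration, not a measured figure, and the script does not model the "Erase Data" attempt limit.

```python
"""Passcode brute-force time estimates, on-device versus off-box.

Added example; not code from the SovereignMan report. The on-device rate
(80 ms per guess) is the delay Apple documents in its iOS Security Guide for
passcode attempts that must run on the device itself. The off-box rate is an
ASSUMPTION constructed for illustration only.
"""

SECONDS_PER_YEAR = 365.25 * 86400

# Alphabet sizes for the complexity classes used in the report's table.
DIGITS = 10                 # 0-9
LOWER_AND_DIGITS = 26 + 10  # a-z, 0-9
MIXED_AND_DIGITS = 52 + 10  # a-z, A-Z, 0-9

ON_DEVICE_SECONDS_PER_GUESS = 0.08   # Apple iOS Security Guide: 80 ms per attempt
OFF_BOX_GUESSES_PER_SECOND = 1e9     # ASSUMPTION: a constructed cracking-rig rate


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length and alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every passcode; the expected time is half of this."""
    return keyspace(length, alphabet_size) * seconds_per_guess


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(length: int, alphabet_size: int) -> dict:
    """On-device (device-bound key) vs off-box (copied image) worst-case crack times."""
    space = keyspace(length, alphabet_size)
    on_device = seconds_to_exhaust(length, alphabet_size, ON_DEVICE_SECONDS_PER_GUESS)
    off_box = space / OFF_BOX_GUESSES_PER_SECOND
    return {"keyspace": space, "on_device": human(on_device), "off_box": human(off_box)}


def report_table() -> list:
    """The complexity classes from the report's table, recomputed from scratch."""
    rows = [("4 digits", 4, DIGITS), ("6 digits", 6, DIGITS),
            ("8 digits", 8, DIGITS), ("10 digits", 10, DIGITS),
            ("4 lowercase+digits", 4, LOWER_AND_DIGITS),
            ("6 lowercase+digits", 6, LOWER_AND_DIGITS),
            ("4 mixed-case+digits", 4, MIXED_AND_DIGITS),
            ("6 mixed-case+digits", 6, MIXED_AND_DIGITS)]
    return [(label, estimate(n, a)) for label, n, a in rows]


if __name__ == "__main__":
    for label, est in report_table():
        print(f"{label:22} on-device {est['on_device']:>14}   off-box {est['off_box']:>14}")
    # The p4ssw0rd example from section 7.2.2.1: 8 characters from a-z and 0-9.
    print("8 lowercase+digits (p4ssw0rd class):", estimate(8, LOWER_AND_DIGITS))
```

Run it and compare with the table. At 80 ms per guess the 8-character lowercase-and-digits class (the p4ssw0rd example) comes out at roughly 7,150 years on the device, in line with the "approximately 7,000 years" quoted above, while the same keyspace is exhausted in under an hour at the assumed off-box rate; that gap is the whole argument for a device-bound key. Note the units the script reports for the two shortest rows: 13.3 minutes for four digits and 22.2 hours for six digits.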

7.4 Fingerprint Sensors


When Apple released the iPhone 5S in 2013, the biggest new feature was the
ability to unlock the phone with your fingerprint. Since then the implementation
has become even more accurate and some Android phones have added fingerprint
sensors too.
The added convenience is unquestionable, especially if you are following my
advice of using a complex passcode. The question is: Is it safe?
There are two major reasons that speak against using fingerprints to unlock your
phone:
1. It can be circumvented with a fake fingerprint
In fact Touch ID was hacked less than 48 hours after the iPhone 5S was released and it
may be possible to create a fake fingerprint from a photo of the finger.
The same hacker also demonstrated that iris scanners and facial detection can be
spoofed in a similar way.
2. Police can force you to unlock your device with your fingerprint
In the US the Fifth Amendment states that no person shall be compelled in any
criminal case to be a witness against himself.
In 2010, a US District Court in Michigan decided that a person cannot be
compelled to provide a passcode because it would require the defendant to
communicate knowledge, unlike the production of a handwriting sample or a voice
exemplar.
A fingerprint, on the other hand, is more like a key in that it does not require the
witness to divulge anything through his mental process.

This means a court cannot force you to be a witness against yourself by providing
the passcode of your phone, but they can force you to use your fingerprint to
unlock your phone.
How to reduce the risk
Even though Touch ID and fingerprint authentication have these major risks, you
can significantly reduce your risk by taking advantage of the additional security
features your phone has.
On iOS devices the passcode is still required under the following circumstances:
The device has just been turned on or restarted
The device has not been unlocked for more than 48 hours
The device has received a remote lock command
The fingerprint authentication has failed five times in a row

Samsung and other Android manufacturers with fingerprint technology have not
released enough information about their technology, therefore this advice only relates
to Apple devices.

In 2014 the Supreme Court decided that smartphones are protected by the
Fourth Amendment and cannot be searched without a warrant, which means your
phone would not be searched immediately. If more than 48 hours go by after seizing
your phone, they would not be able to compel you to unlock it anymore, since it
would require your passcode.
An even better approach is turning your device off or restarting it anytime
you find yourself in a situation where this may be a possibility. This is also
necessary to make sure all the data is in an encrypted state and cannot be copied
off the device.
What this means for you
The safest approach would of course be to use a device which doesn't allow
off-box attacks, such as an iPhone with a six- or eight-character alphanumeric
passcode and without fingerprint authentication.
But would you be bothered to actually enter a password like ac4x7bau every
time you want to check your messages?
The worst thing you can do is use no passcode or a simple four-digit passcode.
This is what most people use and it offers very little protection against
sophisticated attackers.
Using an 8-digit or 6-character alphanumeric passcode with Touch ID is a
sensible option for a lot of people in my opinion.
Additionally, by not entering the passcode often, you lower the chance of
surveillance cameras recording you typing it in and compromising your phone's
entire security.
Simply be aware that your fingerprints can be copied, and if you are in doubt,
quickly turn off your device.
In the end, you are the only one who can decide what level of security you need
and what kind of inconvenience you have to go through in order to protect your
privacy and security.

7.5 Additional Settings You Should Check
All your effort of using a strong passcode and enabling encryption on your phone
could be wasted if you allow your device to copy all your data to the cloud, for
example.

If you store sensitive data online, you should always make sure you are the only
one with access to the encryption key and that the data is encrypted on your local
device BEFORE it's uploaded.

7.5.1 Apple iOS


Generally your iOS device is very secure at this point, but you should consider
the following iCloud settings.
Apple is offering a range of convenient services to store your data online under
the name of iCloud. These services make it very easy and convenient to sync
data across multiple Macs, iPhones and iPads, as well as keep your data safe in
case you lose your device.
These conveniences come at a price, however, and could be a gold mine for law
enforcement agencies.
Even though Apple is storing the data encrypted in the cloud, they still have the
encryption key. This means they could be compelled by a court to decrypt your data.
Disable iCloud backup
Disabling iCloud backups is the most important step you have to take. It's a very
convenient and automatic service, which stores frequent copies of all your user
data on Apple's servers. This allows you to restore your device if you break or lose
it and never have to worry about backups.
Unfortunately this would also make all your efforts of encrypting your phone
useless if government agencies can simply force Apple to hand the same data over
from their cloud.

To disable iCloud backups, follow these steps:
1. Disable the backup by launching the Settings app > iCloud > Backup and setting
iCloud Backup to off
2. Delete previous iCloud backups by following these steps.
Enable encrypted iTunes backups
Instead of relying on automatic backups to the cloud, you should enable backups
stored on your computer and protect them with a password. This way every time
you plug your device into your computer, or sync it with your computer over
the same Wi-Fi network, it will automatically be backed up by iTunes, where it
can only be accessed by you.
Follow these instructions to enable iTunes backups.
Follow these instructions to encrypt your iTunes backups with a password.
Disable iCloud Drive
iCloud Drive is Apple's cloud storage, similar to Dropbox. It allows applications to store
new documents in the cloud and make them accessible from all devices through their apps.
You can browse the contents of your iCloud Drive by logging in with your Apple
ID here.
How to disable iCloud Drive:
Launch the Settings app > iCloud > iCloud Drive and set iCloud Drive to off
Disable Photo Stream & iCloud Photo Library
Storing your pictures online is convenient, but you have to be aware that your
photos not only capture your life, they also capture your location. Every time you
take a picture on your device, your current location is added to the photo to allow
you to see where it was taken.
This data can be used to create a profile of where you go and what you do.
In 2014 several celebrities learned the hard way that online storage of photos
can have terrible consequences when their nude pictures were leaked online.

How to disable Photo Stream & iCloud Photo Library:
Launch the Settings app > iCloud > Photos and set all options to off
Disable Keychain syncing
In iOS 7 Apple introduced iCloud Keychain Sync, which allows you to
seamlessly sync your passwords between all your Apple devices. They have gone
to great lengths to ensure the data is secure and to make it impossible even
for them to access the data.
They documented it in their iOS Security Whitepaper and you can read a good
summary of it here.
Nonetheless, there is still a chance a court could compel them to backdoor this
service and circumvent these protections.
How to disable iCloud Keychain:
Launch the Settings app > iCloud > Keychain and set iCloud Keychain to off
Contacts, calendars and reminders
Your contacts, calendars and reminders are also synced through iCloud. Whether
you want to disable this function is of course up to you and your privacy needs.
How to disable contacts, calendar and reminder sync:
Launch the Settings app > iCloud and set the services you don't want to sync to off

7.5.2 Android Devices


It's much more difficult to give concrete advice for Android devices, since every
device manufacturer adds their own twist to it with their own customizations and
additional apps.
You should consult your device's settings and feature list to find out what kind of
services may be sharing or uploading your data.
At the very least you should consider the things below.

Disable photo backup
Google has a convenient service to back up all your photos to Google+, but for
privacy reasons you may want to disable this.
How to disable photo backup:
Launch the Google Photos app > Settings and set Auto Back Up to off
Additionally you may have to
Launch Google Settings > Google+ and set Auto Backup to off
Disable unknown app sources
It's very important to be careful about what kind of apps you are installing. To be
on the safe side, only install apps from the Google Play store and make sure to
always check what kind of permissions the app requires. You should also read the
reviews to see if the app is doing anything suspicious.
Additionally, you should disable app installations from unknown sources to avoid
being tricked into installing malware.
How to disable unknown app sources:
Go to Settings > Security, uncheck Unknown Sources and check Verify Apps
Understand Android permissions
When you download an app to your Android device, the Google Play store presents
you with a list of permissions the app is going to use. You can use this to decide whether
you want to download and install the app; if you feel it's requesting too much data
that it doesn't need, you can choose not to install the app.
Some apps may ask for unnecessary permissions like the ability to get your GPS
position for advertising purposes even though they don't need it for the core
functionality of the app. A good example is the numerous flashlight apps.

Unfortunately, unlike with iOS devices, it's currently not possible in Android to
simply revoke access to location data, for example. It's an all-or-nothing approach.

Fortunately the next version of Android called M, which will be released sometime in
2015, will allow more granular control over permissions, just like on iOS.
In the meantime, when installing apps consider what the app is supposed to
do and what kind of permissions it would need to do so. If you see that the
permissions its requesting do not correlate with what functions the app is
supposed to perform, do not install it.
You should be particularly careful when an app wants permissions to your
accounts, SMS, microphone or location.
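A practical way to apply the rule above before installing an app is to read the permissions it declares rather than the Play Store summary alone. The Python script below is an added example, not code from this Black Paper: it parses an AndroidManifest.xml, lists every uses-permission entry and flags the ones that touch the categories named above (accounts, SMS, microphone, location) unless the reviewer has marked them as justified by what the app is supposed to do. The permission names are real Android constants; the sample manifest, its package name and the "flashlight" app are constructed for the example.

```python
"""Review the permissions an Android app requests before installing it.

Added example; not code from the SovereignMan report. It parses an
AndroidManifest.xml (the CONSTRUCTED sample below stands in for a flashlight
app) and flags the permission groups the report singles out: accounts, SMS,
microphone and location.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names that grant access to the categories the report warns about.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# CONSTRUCTED sample manifest: a "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared with a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    # The element tag is unqualified; only the attribute lives in the android namespace.
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def flag_sensitive(permissions, expected=frozenset()) -> dict:
    """Map each sensitive permission not justified by `expected` to its category."""
    return {p: SENSITIVE[p] for p in permissions if p in SENSITIVE and p not in expected}


def review(manifest_xml: str, expected=frozenset()) -> dict:
    """Full review: requested permissions, the flagged ones, and an install verdict."""
    perms = requested_permissions(manifest_xml)
    flagged = flag_sensitive(perms, expected)
    return {"requested": perms, "flagged": flagged, "install": not flagged}


if __name__ == "__main__":
    # A flashlight plausibly needs the camera permission (to drive the LED) and nothing else.
    result = review(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    for perm, category in result["flagged"].items():
        print(f"suspicious: {perm} ({category})")
    print("install?", result["install"])
```

The `expected` set is where the reviewer's judgement goes: it holds the permissions the app's stated purpose accounts for, so the script only complains about sensitive permissions with no explanation. For a real APK the manifest is extracted with the Android SDK's aapt tool before it is fed to `review`.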

8.0 CHOICE OF DEVICES AND SYSTEMS


I did my best to write this guide to help you secure your digital life regardless of which
devices you use, but in this section I want to give you my personal recommendations.
Some devices make it easier and others make it harder to keep yourself and your
data safe. The following recommendations are my personal, biased opinion and
you will find many people who will disagree.
If you have a motivated, sophisticated attacker with enough resources, you can be
almost certain that they will find a way into your device, no matter whether you
use a Mac, Windows, Android or iOS.

8.1 Windows vs Macs


Both Windows and Macs have fatal security problems from time to time and a
debate of which one is more secure is not meaningful.
Neither of them will ever be 100% secure and if you have a motivated,
sophisticated attacker with enough resources, you can be certain that they will
find their way into either one of them.
On the other hand, if you are concerned about general malware, viruses and so
on, Macs have a significant edge over Windows.
This is not because they are in some way inherently less prone to malware, but
simply because Macs are a less valuable target due to their smaller user base.
Writing malware is a difficult task, which requires time and resources, and since
most of it is being written with profit in mind, hackers usually target the platform
where they get the highest return.
This advantage will not last forever, but at least for now it gives you additional
peace of mind.
On top of that you can easily enable full disk encryption without needing special
software or a Professional or Ultimate edition of the operating system.
It's also extremely rare that software you download for your Mac contains spyware
or adware like on Windows, which increases your privacy.
Therefore I highly recommend you consider a Mac as your primary machine.

8.2 Android vs iOS


When it comes to Android and iOS the case is very different.
Apple has put a lot of effort into locking down iOS, and although many people
don't like this because they are limited to apps which Apple allows in their App
Store, it has created a much safer platform.
Viruses and malware are essentially unheard of, for example, but the most important
reason why iOS is a safer choice for most people is Apple's update policy.
Updates are great and oftentimes add new features beyond what you initially paid
for, but that's not the main reason why you should always update all your devices
to the most recent version.
Software updates fix security vulnerabilities and bugs, which is critical to keeping
you safe.
Apple generally tries to provide updates for their devices for at least 3 years after release, and
all updates are available immediately to all of their devices at the same time.

A good example is the iPhone 4S, which was released in 2011, received
the iOS 8 update in 2014 and will receive iOS 9 in 2015. This means it will be
supported at least until the middle of 2016, possibly even longer.
Android devices receive far fewer updates, and if they do, it can often take up to 6
months until an update actually arrives on users' devices.
The reason for this is that Google creates a new version of Android, device
manufacturers modify it by adding additional software, and then mobile carriers
add their own branding and software on top of that.
When an important security vulnerability is discovered, Google is usually
quick to create an update, but then the device manufacturers have to add their
customizations to it and test it before handing it over to the mobile carriers, who
have to do the same.
For you as a user this means that you will have a phone with a critical software
vulnerability which you cannot close for up to 6 months or longer, and that is only if
your manufacturer and carrier bother to go through the whole process at all and
provide you with an update.
For example, in December 2014 Samsung was notified of a critical vulnerability
affecting over 600 million devices, including their flagship smartphone models
such as the Galaxy S4, S5 and S6. The researchers decided to disclose this
vulnerability when it was still not fixed in June 2015.
Samsung stated that they provided patches to their carriers in early 2015, but at
the end of June it was still not clear whether any of the carriers had provided an
update, and no estimates have been given.

This is not an isolated incident: in January 2015 Google announced they would
not provide fixes for multiple critical vulnerabilities in Android which affect 50%
of active Android devices, many of which will never receive an update.

Anyone using Android lower than 4.4 is affected by this vulnerability. While less
than 12% of users are using the newest version of Android, 84% of iOS users are
up to date.

What this means for you


My clear recommendation is to avoid Android and use an iOS device, unless you
are a highly technical person and like tweaking every little aspect of your phone.
If you insist on using Android, I recommend sticking with Google's own devices,
which receive the longest support and the quickest updates.
If you insist on getting a device from another manufacturer, at least try to
purchase it outright, instead of as part of a mobile plan through a carrier to
receive more timely updates.
Be prepared to upgrade to a newer device at least every 1 to 2 years.
