Secure Your Digital Life

Protecting Privacy

A REPORT FROM SOVEREIGNMAN.COM

SECURE YOUR DIGITAL LIFE

A BLACK PAPER

PROTECT YOURSELF FROM UNAUTHORIZED ACCESS TO YOUR DIGITAL ASSETS

Secure Your Digital Life Report 1.0 July 2015 SovereignMan.com

CONTENTS

Introduction: Why this is important and how to use this Black Paper
1.0 Passwords
1.1 How Hackers Get Your Password
1.2 What Secure Passwords Look Like
1.3 Technique to Create Strong, yet Memorable Passwords
1.4 Password Managers
1.5 Password Summary
2.0 Phishing Prevention
2.1 What is Phishing
2.2 How to Detect & Prevent Phishing
3.0 Two-Factor Authentication
4.0 Backups
4.1 Local Backups
4.1.1 Macs
4.1.2 Windows
4.2 Cloud Backups
5.0 Data Encryption
5.1 Computer Full Disk Encryption
5.1.1 Full Disk Encryption on Macs
5.1.2 Full Disk Encryption on Windows PCs
5.2 External HDD Encryption
5.2.1 Software Solutions
5.2.2 Hardware Solutions
5.3 Encrypted Cloud Storage
5.3.1 Consideration With US Based Providers
5.3.2 Do You Need Encrypted Cloud Storage?
5.3.3 Encrypted Cloud Storage Options
Tresorit
SpiderOak
Mega


6.0 Internet Encryption
6.1 Why Additional Internet Encryption is Important
6.2 How to Encrypt ALL Internet Traffic With a VPN
6.2.1 How to Pick a VPN Provider
6.2.2 Recommended Services
VyprVPN
Hide Me
Other Providers
7.0 Securing Your Smartphone
7.1 The Passcode
7.2 Smartphone Encryption
7.2.1 iPhone and iPad Encryption
Enabling Encryption & Passcode
Making Sure All User Data is Encrypted
7.2.2 Android Encryption
7.2.2.1 Limitations of Android Encryption
Off-Box Attacks Are Possible
Performance Impact
On Some Devices Only Internal Memory is Encrypted
7.2.2.2 Enabling Android Encryption
7.2.2.3 Use the Most Recent Android Version
7.2.3 When is My Data Encrypted and Decrypted?
7.3 Picking a Secure Passcode
7.4 Fingerprint Sensors
7.5 Additional Settings You Should Check
7.5.1 Apple iOS
7.5.2 Android Devices
8.0 Choice of Devices and Systems
8.1 Windows vs Macs
8.2 Android vs iOS


    INTRODUCTION:

    Why this is important and how to use this Black Paper

    In the last 20 years computers have penetrated every aspect of our lives to the point where we are wearing little computers on our wrists and carrying more processing power in our pocket than anyone could have imagined only a few generations ago.

    The convenience, functions, and access to information computers provide to us are invaluable, but the more we depend on electronics and their services, the more information we reveal about ourselves. This information can make us vulnerable to attack.

    The purpose of this Black Paper is to give you information that you can use to protect yourself. With these simple steps you can make yourself a more difficult target for hackers, you can mitigate the consequences of losing a device or having it stolen, and you can make it more challenging for government agencies to invade your privacy without due process.

You cannot make yourself invincible, but you can raise the bar significantly. If your attacker has the necessary resources, they will find a way to access your data. If you are the target of government agencies like the NSA or CIA, the advice I share with you will make it much harder for them, but they will eventually get what they're after.

    What this advice will do is keep out hackers who end up with your data as part of a breach of a company or service you trust and teach you Internet street smarts that will keep you from becoming a target for criminals.

    This Black Paper is a comprehensive guide for ensuring your digital life is secure and more private.

It's not meant as a complete blueprint that you should religiously follow. You have to determine your risk tolerance and profile and decide to what lengths you'll go to protect your privacy and security.


    We merely provide a large number of options that are available to help you do so.

    Since this is an extensive guide, the table of contents will help you navigate to the solutions that you are interested in.

    We certainly hope you will find the information contained in this Black Paper valuable. If you have any suggestions or comments, please reach out to [email protected].

    1.0 PASSWORDS

Your digital security starts and ends with passwords. It doesn't matter how careful you are to encrypt all your data or to use only the most privacy-conscious anti-NSA web services: if your passwords are weak, none of this will help you one bit.

Many people think their passwords are great. After all, when they picked it, the website showed a long green bar that said "Password Strength: strong" and made them jump through many hoops like adding numbers, lowercase, uppercase and special characters. But as you will see, this doesn't necessarily mean your password is actually safe.

Even if you do know how to pick a truly secure password, chances are you don't use one, because it's impossible for you to remember it.

Don't despair: by the end of this section you will know exactly how to create truly secure, random passwords that are unique for every service you use, without being a genius or a memory world champion.

    1.1 How Hackers Get Your Password

In order to create a secure password you need to first understand who you are up against, how they operate and what their limitations are. Once you understand these things, it's very easy to reduce your risk and minimize the impact a hacker can have on you even if he manages to get his hands on one of your passwords.

There are many ways hackers may get passwords. They trick people into entering their password on a fake website that looks like a trusted one such as a bank (phishing). They infect computers with malware that records everything typed on the keyboard. They hack into websites and get passwords from the member database. They can even use an automatic program that tries combinations of username and password hundreds or thousands of times a second (brute-force cracking).

    Unless you are being targeted directly, one of the most common scenarios is that a website gets hacked and the passwords from their database are stolen.

    Two of the largest password leaks were when LinkedIn got hacked in 2012 and over 6.5 million passwords were leaked, and when Adobe got hacked in 2013 and over 150 million passwords were leaked.

    These are the big, publicly known cases. How many small websites get hacked every day and nobody ever knows about it?

Once a hacker gets a password for an account, they will try to log in to other web services like Facebook, iCloud or email to steal more private data. If they gain access to your email, they can get access to your other accounts by resetting the passwords and intercepting the confirmation emails that other sites send.

Oftentimes, you may not even be the real target of an attack. Hackers frequently gain access to email accounts of trusted, easier targets in order to send specialised malware from a known and trusted email address to the real target. People know not to open links from strangers, but doesn't everyone open links from friends and family?

    This is why, by practicing weak password hygiene, you are not just endangering yourself. You are also endangering your family, friends, employer, business partner, or your own businesses.


    Example of password cracking

A good website doesn't store your password in plain text. Instead, it uses a one-way hashing algorithm to convert a password like ImSoSecure into a hash like 15eb12a1dfbc4723b50f2bb1b7e6f835 and stores that in the database.

"One-way hashing algorithm" means that it's very easy to generate this hash, but almost impossible to revert it back into the original, plain-text password.

    When you log in, the website converts the entered plain-text password into the hash and then compares it to the hash stored in the database. If they match, you are granted access.

    Once hackers steal user information from a database, the hashed passwords are useless for them unless they can convert them back to the original plain-text password.

    One way to do that is to run a brute-force cracking program that converts thousands of potential passwords into their hashed versions and checks if any of those hashes are in the stolen database. If they find a match, they know the plain-text version of the password and can use it to log into your account or try it on other websites.

These programs use lists containing millions of possible word combinations, ranging from 1234, god or love to complex words with upper and lower case letters, numbers, and special characters. Sound familiar? Over time a hacker's word list grows in efficiency, and they are able to quickly identify password length, case, or other parameters that dramatically reduce the number of words they need to try.

    If your password is a word or a combination of words that can be found in a dictionary like FreeDog, your password will be literally cracked within minutes or even seconds!

    If your password is a slightly modified version like Ch1cken!C0w, which most websites will accept as sufficiently secure, it can still be cracked quickly using hardware that is readily available.
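The cracking process just described, as an added Python example that is not part of the original report: a constructed "member database" of unsalted fast hashes (MD5, which gives the 32-hex-character shape of the hash above) is checked against a tiny constructed word list, and beside it is how a careful site should store passwords instead (a random per-user salt and a deliberately slow key-derivation function, PBKDF2-HMAC-SHA256 from the Python standard library). All users, passwords and the word list are constructed samples.

```python
import hashlib
import hmac
import os


def fast_hash(password: str) -> str:
    """A single unsalted fast hash, the weak storage the report warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample database: username -> stored hash.
LEAKED_DB = {
    "alice": fast_hash("FreeDog"),         # dictionary words, as in the report
    "bob": fast_hash("Ch1cken!C0w"),       # "leet" spelling of dictionary words
    "carol": fast_hash("T47wh5raylitf."),  # random, sentence-derived password
}

# Constructed mini word list standing in for the multi-million-entry lists
# the report mentions; real lists also carry common 1-for-i style variants.
WORDLIST = ["1234", "god", "love", "FreeDog", "Chicken!Cow", "Ch1cken!C0w"]


def crack_unsalted(db: dict, wordlist: list) -> dict:
    """Hash every candidate once, then look each stored hash up in that table.

    Because there is no salt, one hashing pass over the word list covers every
    user at once; only users with passwords absent from the list survive.
    """
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in db.items() if h in lookup}


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: per-user random salt + slow PBKDF2-HMAC-SHA256.

    The salt makes the shared lookup table above useless (every user needs
    their own), and the iteration count makes each guess cost ~200,000 hash
    operations instead of one.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("recovered from unsalted hashes:", crack_unsalted(LEAKED_DB, WORDLIST))
    record = store_password("FreeDog")
    print("verify correct password:", verify_password("FreeDog", record))
    print("verify wrong password:  ", verify_password("freedog", record))
```

Running it shows alice and bob recovered in one pass while carol's random password is not, and that two `store_password` calls for the same password produce different records because of the salt. Even with the hardened storage, a word-list password is still guessable per user, just far more slowly, which is why the report's advice to the user (random, unique passwords) matters independently of what the site does.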


    Creating a random password forces hackers to randomly generate combinations of characters to guess your password. If your password is long and complicated enough, this process could take years or decades instead of minutes or hours.

    This is not only true for website passwords but also for when you want to encrypt data.

    1.2 What Secure Passwords Look Like

    The best way to prevent this kind of attack is to use a long and completely random password.

    The job of your password is to force the attacker to generate a huge list of potential random passwords.

    The longer your password is and the more different kinds of characters you include, the more potential combinations are possible, and therefore the longer it will take the attacker to crack it.

PASSWORD CRITERIA                               POSSIBLE COMBINATIONS
6 lowercase characters (English alphabet)       26^6 = 308,915,776
14 lowercase characters (English alphabet)      26^14 = 64,509,974,703,297,150,000
14 lowercase, uppercase, special characters     78^14 = 3.09 * 10^26

    As you can see, the more complicated a password is, the more combinations are possible. Most attackers know nothing about your password habits and have to try passwords ranging from 2 characters to 14 containing lowercase, uppercase and even special characters.

    The time and effort required to convert all of these combinations into a hash and compare it to the hacked database increases significantly.

The 4 Golden Rules for your Passwords:
1. Unique for every website or account
2. Long (at least 10 characters, preferably 14 or more)
3. Random combination of characters (no real words)
4. Use special characters, uppercase, lowercase and numbers


Examples of bad passwords:
Sc4rface55
Aa556245622 (your phone number, birthday, ... for example)
My4wesomeSecure

    Most of these would pass the standards of most website password checkers and yet they are insecure.

Here are examples of good passwords:
Mm10hwttp0tms!
14ss,b1jhtmu4gpapFvw
T47wh5raylitf.

I know, it seems impossible to memorize these, but as you will see in the following section it's actually very easy.

    1.3 Technique to Create Strong, Yet Memorable Passwords

    Step 1: Come up with a random sentence related to the purpose of the password

    All you have to do is come up with a sentence that makes sense to you and is at least 14 words long. Make sure to include some words that start with uppercase letters.

A random sentence would be best, but you could also use part of a song lyric, a poem, a quote, or a book passage.

    Our Example:

    I am glad that I am an SMC subscriber and know how to protect my Facebook well!

    Step 2: Write down the first character of every word

    Now you simply reduce the sentence into a short and completely random password by taking the first character of each word.


    Our Example:

I am glad that I am an SMC subscriber and know how to protect my Facebook well!

IagtIaaSsakhtpmFw!

    Step 3: Convert some characters into numbers and special characters

    Come up with a system where you can easily convert some characters into numbers and special characters.

    You can for example turn some characters that look like numbers into numbers. You could come up with creative and unique ways for this.

    Replace the relevant characters of your password.

    Our Example:

t = 7
i = !
a = 4

    !4g7!44Ss4khtpmFw!

    Now you have a very long password (18 characters) with uppercase, lowercase and special characters.

    Step 4: Memorize the password

    To memorize this password, all you have to do is memorize your sentence and which characters you are replacing.

    When you want to use the password, simply say the sentence slowly in your mind and type each of the first letters while remembering to replace some of them with numbers and special characters.


At first it won't be easy to remember and type the password, but after a few days the password will come to mind easily, and after a short while your fingers will type the password without you even thinking about it.

PRO TIP

Mnemonics For Random Sentence

To make it easier to memorize the random sentence, imagine something that represents or summarizes it. See it clearly in your mind and make sure it's large, 3D, detailed and colorful.

Then simply repeat the sentence (aloud or in your mind) from the top of your mind ten times while you are imagining it.

This will create a connection between the image and the sound of the sentence in your mind. Once this connection is created, whenever you bring up the image, the sentence will automatically follow.

Repeat this for five consecutive days, at least three times a day:
- while you brush your teeth in the morning
- when taking the first bite of your lunch
- while you brush your teeth in the evening

When you try to remember it, do your best to come up with it using your mind alone. Only peek at a cheat sheet if you have tried hard and couldn't remember it.

A connection is only created and strengthened if you recall it without cheating. Reading something and repeating it over and over, without associating it with something else, will not create a connection in your brain, and memorization will be much slower and less reliable.


    1.4 Password Managers

    If you recall, I said one of the golden rules of passwords is that all of them have to be unique. This way, if hackers manage to get one of your passwords, all your other web assets and identities will be protected and inaccessible to them.

    You might have dozens if not hundreds of different accounts at different websites and using the previous password technique for all of them will be simply impossible. This is where password managers like 1Password and LastPass come in. They allow you to save all your logins, passwords and other sensitive information in a database, which is encrypted by one master password.

You can easily generate and save unique, random and very secure passwords for every single website and account you have. When you want to log in to one of these accounts the password manager will automatically complete the login form without you having to type or even copy/paste a complicated password.

    On top of that, they are compatible across different devices like Macs, PCs, iOS and Android.

This means you only have to memorize a few unique passwords. At the very least you will need a strong password for your password manager. If you want to go one step further, you can add a memorable password for each important login, such as your primary email account or your bank. Keeping these additional passwords memorable using a mnemonic system ensures that you can access those accounts even if you lose access to your password manager.

LastPass is a perfectly acceptable choice for a password manager, but even they are not outside the reach of criminals. In mid-2015 LastPass was hacked and their database of customer email addresses, password reminders, and authentication hashes was compromised. LastPass assured its customers that actual passwords and other sensitive data stored in encrypted user vaults weren't at risk. The passwords are all encrypted by the master password for each user, so users who chose a strong master password are probably still safe. I want to bring this up because it demonstrates that you might do everything correctly and yet your data can still end up in the hands of criminals. If you build your security profile in a way that protects your data even after this happens, you've done it right.

These password managers also allow you to create and save random answers to the security questions that websites sometimes ask you for. This prevents anyone who is able to Google your first pet's name from taking over one of your accounts.

    There are many solutions in this area, but the two biggest and most well known are 1Password and LastPass.

    LastPass is a Cloud App that stores all your login information in their online database, but all data is encrypted and decrypted on your device only.

    1Password stores everything locally by default and allows you to sync through iCloud, Dropbox or local WiFi.

    I recommend 1Password, simply because it gives you more control over your data. Everything is encrypted locally and only then stored in the cloud if you wish to do so. You also have the option for your passwords to never touch the cloud at all and instead sync your logins to your smartphone or tablet through your local WiFi.

    1.5 Password Summary

    Password security is crucial and the foundation of your overall digital security. If you take nothing else away from this Black Paper, at least install a password manager and change all your passwords to something unique and random. Then create and memorize at least one secure password for your password manager.

    To take it a step further, create a separate secure and memorizable password for each of your important websites and computer logins. To make this task easier, you can make your secure password variable.


We used this sentence and password in our example:

I am glad that I am an SMC subscriber and know how to protect my Facebook well!

!4g7!44Ss4khtpmFw!

You can replace the F for Facebook with G for Gmail or B for Banking and create multiple unique passwords:

!4g7!44Ss4khtpmFw!
!4g7!44Ss4khtpmGw!
!4g7!44Ss4khtpmBw!

Since each password is technically unique, the attacker would not be able to use it to log in to another service.
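The sentence-to-password technique from section 1.3 (steps 1 to 3) together with the per-service variation just shown, as an added Python example that is not part of the original report. It uses the report's own sentence with the service name as a slot, takes the first character of every word, applies the report's substitution rule (t to 7, i to !, a to 4), and adds a simple search-space estimate of the kind the table in section 1.2 gives (assumed class sizes: 26 lowercase, 26 uppercase, 10 digits, 32 symbols; this is the example's own rough measure, not the report's 78-character figure). One caveat worth seeing: applying the rule mechanically also converts the "t" of "to", so the result is `!4g7!44Ss4kh7pmFw!` rather than the hand-derived `!4g7!44Ss4khtpmFw!` on the page. Whichever way you apply the rule, apply it the same way every time, or you will lock yourself out. Note too that the per-service variants differ in a single character, which is why the report reserves this scheme for important but not critical sites.

```python
import string

# Constructed template: the report's example sentence with the service name
# as a slot, so one memorized sentence yields one password per service.
TEMPLATE = ("I am glad that I am an SMC subscriber and know how to protect "
            "my {service} well!")

# The report's step-3 substitution rule, applied to both upper and lower case.
SUBSTITUTIONS = {"t": "7", "i": "!", "a": "4"}


def first_letters(sentence: str) -> str:
    """Step 2: first character of every word, keeping the sentence's trailing
    punctuation (the report keeps the '!' of 'well!')."""
    stripped = sentence.rstrip()
    core = "".join(word[0] for word in stripped.split())
    trailing = stripped[len(stripped.rstrip(string.punctuation)):]
    return core + trailing


def substitute(chars: str, table: dict = SUBSTITUTIONS) -> str:
    """Step 3: swap selected letters for digits/symbols, case-insensitively."""
    return "".join(table.get(c.lower(), c) for c in chars)


def make_password(sentence: str) -> str:
    """Steps 2 and 3 combined."""
    return substitute(first_letters(sentence))


def per_service_passwords(services) -> dict:
    """The 1.5 variation: same sentence, different service word, one password each."""
    return {s: make_password(TEMPLATE.format(service=s)) for s in services}


def search_space(password: str) -> int:
    """Combinations an attacker who knows only the length and the character
    classes in use must try (assumed class sizes, see lead-in)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size ** len(password)


if __name__ == "__main__":
    for service, pw in per_service_passwords(["Facebook", "Gmail", "Banking"]).items():
        print(f"{service:9s} {pw}  ({len(pw)} chars, ~{search_space(pw):.2e} combinations)")
    print("FreeDog search space:", search_space("FreeDog"))
```

`search_space("abcdef")` reproduces the first row of the section 1.2 table (26^6 = 308,915,776); the 18-character result lands at 94^18, many orders of magnitude beyond the table's largest entry, which is the whole point of the technique.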

Here are the unique passwords I recommend you create:
- One master password for your password manager
- One password for your computer login
- One password for each of your critical websites (such as email)
- One variable password for your important but not critical websites

    Stay vigilant! The more passwords you create, the harder they will be to remember.

Use our system to help, but don't re-use the same password in more than one place. If you find yourself tempted to do this, reduce the number of passwords you're trying to remember and change them to random passwords stored in your password manager. This will always be a better choice than using the same password in multiple locations.

PRO TIP

One more thing to note about this is that the more the attacker knows about you personally, the more they can reduce the potential combinations. A lot of our information is online or available to purchase: birthdays, family members and their birthdays, the names of our pets, addresses where we've lived in the past, phone numbers, and more. These tidbits are easy for an attacker to try, so never use them in your passwords or security questions.


It's up to you to decide how much effort you put into this process and how much you modify it. The more creative you get and the longer and more random the sentences you use, the higher your security will be.

    2.0 PHISHING PREVENTION

    2.1 What is Phishing

    Besides hacking a website to get a password database, the second most used technique is much simpler.

    Phishing is a type of spam which is designed to trick you into giving your password or other personal information to an attacker.

Typically you receive an email that appears to be from a legitimate sender like Google, eBay or PayPal. It informs you that you received a payment, an order or another important message and that you need to log in to confirm it.

    Once you click the link or button, you are taken to a fake website that was created by the attacker and looks like a legitimate one. When you enter your password, the website saves it for the attacker and then redirects you to the real website.

    These scams are often easy to spot, but sometimes the hacker goes through extraordinary effort to make it look very real and hard to detect.

    2.2 How to Detect & Prevent Phishing

    1. Inspect the email

    When you receive an email urging you to log in, first check if there is anything suspicious about the email itself.


Is the "from" email address correct?

Most spammers create a fake "from" address like [email protected] instead of [email protected].

    Is the email personalized?

    Most legitimate websites greet you by name and include a username or account number.

    Does the design look like other emails from the same sender?

    Often the email formatting, logos and design simply do not look real.

    Is it using a pushy call to action?

    If the call to action is unusually pushy, contains red text and other things urging you to visit the website immediately, be very careful.

    These are simply signs that something may be wrong, and a sophisticated attacker may avoid all of these. Train yourself to look for these things to detect phishing attempts more easily and quickly.

Important: Always hit the "This Is Spam" button in your email client if you detect spam or phishing. Depending on your email provider, this will often send a notification to them about the message. If enough people do this, the sender's email will automatically end up in other people's spam folders.

    2. Inspect the website

Check the URL address of the website before you click the link.

Check if the domain in the URL matches the company's domain.

It may look real, and nowadays there are very sophisticated attacks. Usually there is a common spelling mistake, an extra character like paypal1.com, or a different domain ending. If you're at all unsure, don't click the link in the email. Manually type the company's address into your browser and then log into their site from there. For some types of attacks it is enough to visit a fake website to have malware installed on your computer. Don't click any link you're not absolutely sure of.

    Is the website encrypted?

    Make sure the website is using encryption by checking whether the URL starts with https:// instead of http:// and that your browser displays a lock symbol next to the URL.

It's important to make sure the lock symbol is displayed by the browser and not inside the website. Anyone can put images of locks on a page and say that a website is secure and encrypted, but it doesn't mean it's true. Clicking on the lock will give you more information about the site and allow you to view its SSL certificate. If you're unable to view information about the security of the site or if the certificate is reported as invalid, the site may not be real.
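The two link checks described above (does the domain match the company's own domain, and is the page served over https), as an added Python example that is not part of the original report. It goes slightly beyond the page: besides the extra-character case (paypal1.com) and the different-ending case, it also flags a brand name buried inside an unrelated host and a user@host prefix placed before the real host, two further ways a link can look right at a glance. `registrable_domain` is a simplified helper that keeps the last two host labels and does not handle suffixes such as .co.uk; all sample links are constructed and point at example domains, not real sites.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'. Simplified: keeps the last two labels
    only, so two-label public suffixes like .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, legit_domain: str) -> list:
    """Return a list of warnings for a link you are about to click.

    An empty list means the link passed the report's checks: the domain is
    the company's own and the connection is https.
    """
    parts = urlsplit(url)
    warnings = []

    if parts.scheme != "https":
        warnings.append("not https: the page is not encrypted")

    host = parts.hostname or ""
    domain = registrable_domain(host)
    brand = legit_domain.split(".")[0]
    if domain != legit_domain:
        if brand in host:
            # paypal1.com, paypal.co, paypal.com.evil.example: the brand name
            # is present but the registrable domain is someone else's.
            warnings.append(f"lookalike domain {domain!r} is not {legit_domain!r}")
        else:
            warnings.append(f"domain {domain!r} does not match {legit_domain!r}")

    if parts.username is not None:
        # https://paypal.com@evil.example/ : everything before '@' is a
        # username, the browser actually connects to evil.example.
        warnings.append("text before '@' is a username, not the site you will visit")

    return warnings


# Constructed sample links of the kinds the report describes.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://paypal1.com/login",
    "https://paypal.co/login",
    "https://www.paypal.com.evil.example/login",
    "https://paypal.com@evil.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link, "paypal.com")
        print(f"{link:45s} {'OK' if not result else '; '.join(result)}")
```

Use it as a reading aid, not as a substitute for typing the address yourself: the report's advice to ignore the emailed link and navigate manually still stands, because a check like this only catches the domain tricks it knows about.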

    3.0 TWO-FACTOR AUTHENTICATION

    Two-Factor Authentication protects your accounts even if someone finds a way to obtain your password through phishing, a password breach or any other way.

You may already be familiar with this from your online banking. Instead of relying only on your password, your bank may have issued you a security device, which requires you to generate additional one-time passwords in order to log in or perform critical actions.


This kind of security is not only available for online banking, but it is also becoming more popular with everyday web services. Don't worry, though. You won't have to carry around dozens of security dongles with you.

    Instead of relying on security devices, you can often use your smartphone to generate additional one-time passwords.

    This way, if an attacker gets your password, they cannot use it without also having access to your smartphone.

Two apps that are supported by many websites for Two-Factor Authentication are Google Authenticator (available from the Apple App Store and Google Play) and Authy.

    If you followed my advice and purchased 1Password, you can even add all your one-time-password generators to your logins and have everything in one place protected by your Master Password. This is great for convenience, but by combining both parts of the authentication scheme into one application, it makes your password manager the weakest link. If you choose to use this feature, protect your password manager with a very strong master password.

    You can find an extensive list of websites that support this kind of authentication by visiting https://twofactorauth.org/.

Some of the services that support Two-Factor Authentication are:
- Google (including Gmail)
- Apple iCloud & App Store
- Fastmail
- Namecheap (domain hosting)
- Dropbox
- And many more...

The setup process differs from service to service, but generally you have to scan a QR code with your Two-Factor Authentication app, which adds the service to your app. After that you simply open the app and it will continuously generate one-time passwords that expire every minute.

    When you need to log in to a website, you have to enter the current one-time code in addition to your password.


Many websites allow you to mark a device as trusted so that you don't have to enter the code every single time you log in. This gives you ease of use on your own device, while still protecting you when you are using other computers.

Additionally, most websites and services allow you to enter a backup phone number where you can receive a one-time password as a text in case the app doesn't work. Others allow you to store extra single-use passwords in case you lose your smartphone or need to reset an account and no longer have the physical device that generates the passwords. These can also be stored as a secure note in your password manager.

    For a complete and up to date list, please refer to the website https://twofactorauth.org/, which has links to instructions for how to set this up for most services that offer Two-Factor Authentication.

    I strongly recommend you enable this at least for your email, because this is the most critical web account you have. If someone gains access to it they can potentially reset your other passwords and gain access to even more accounts.

    4.0 BACKUPS

    An absolutely critical part of your digital security is to back up your data. A backup protects you and allows you to return to work quickly after a situation where data was lost, such as the loss or theft of your laptop, data corruption, or hardware failure.

If you have ever been in a situation where your laptop's hard drive started clicking and then suddenly gave out, you know how stressful and costly it can be to get back up and running.

This is especially important if you want to protect your data through encryption. If your unencrypted hard drive starts failing, it's sometimes possible to save most of the data, but if your data was encrypted it can be impossible to recover without a backup.

    To create a tight backup strategy I recommend regular local backups to an external hard drive and additionally off-site backups to a cloud-based service.


    Your backup strategy should also be completely automated and not require any effort on a regular basis from you. If your backup strategy is to copy files manually to the cloud or an external hard drive, it is much harder to guarantee that it will happen on time, every time. Things come up, backups get missed, and before long you might find yourself with a dead laptop and no backup more recent than last year...

    4.1 Local Backups

This is the foundation of your backup strategy, because it's quick to set up and very quick to recover from in the event of a hard drive failure.

    You want to set up a system where all your data is copied to an external hard drive regularly. If your computer is a laptop, make sure the hard drive is connected to your network and does not require you to plug it directly into your computer in order to perform a backup.

An important consideration is whether you can encrypt your backup. If you're storing it on a small external hard drive, it's very easy to lose it or for it to be stolen. If that happens, you don't want anyone to be able to get access to all your files.

    An option that works very well for this is to use an external hard drive with hardware encryption and PIN input. We will talk about this later in this Black Paper.

4.1.1 Macs

If you're using a Mac, Apple makes this very easy for you. Their Airport Extreme wireless router is a home router and WiFi access point into which you can plug a USB hard drive. They also make the Time Capsule, which is the same wireless router but has a hard drive for backups built into it.

    Recent versions of Apples OSX operating system include a backup suite called Time Machine that is very easy to use. If you use an external USB drive or one of the WiFi-connected options above, your computer will detect it and will ask if you want to use it as a backup destination. If you confirm, your computer will start backing up to it every hour whenever you are connected to your wireless network.

At this time Apple doesn't provide the means to encrypt your Time Machine backup when backing up through WiFi. Therefore, I recommend purchasing the Airport Extreme instead of the Time Capsule and using a hardware-encrypted external hard drive with it.

4.1.2 Windows

Windows includes backup functionality via Backup and Restore under Control Panel / System and Security. This allows you to configure a local or network drive as a backup destination and then choose the files and folders to be backed up. You can have Windows create a system image, from which you can restore a complete computer, or you can choose which files and folders to back up.

    Another option is to purchase a standalone network drive such as the DiskStation DS214se from Synology. This two-drive device can act as a backup destination for Windows and Mac in addition to providing other cloud-like services for your home or office.

    The two hard drives can be configured as one large drive or as one redundant drive, providing additional protection from hardware failure. Synology provides the Synology Replicator, allowing you to back up your Windows computer to the Synology storage device.

    Many software products exist to perform backups of Windows machines, but these options are simple and effective.

To additionally secure your backup and make it more convenient, purchase a hardware-encrypted external hard drive and connect it to your router to allow wireless backups. You can find more information about how to do this in section 5.2 of this Black Paper.

    4.2 Cloud Backups

An offsite cloud backup is like health insurance. You hope you will never need it, but if you ever do, you'll be glad you have it.

The disadvantage of a cloud backup is that the initial backup can take a lot of time if you have a lot of data, because everything has to be uploaded first. It also takes longer to restore your computer to its previous state after a data loss.


    These disadvantages are offset by the fact that once you have it set up, it just runs, and you can be sure that your data is always backed up even if you are traveling and not home.

Offsite backups also protect you from catastrophes like fire and flooding. That's why it's called an offsite backup: no matter what happens to your laptop or your home, your data will always be safe.

There are multiple cloud backup providers, but I highly recommend CrashPlan. I have had nothing but good experiences with them: their upload speeds are sufficient and their support is responsive.

    They are also available for both Windows and Macs.

You can set it up with client-side encryption, which means your data is encrypted with a private key locally on your computer and then uploaded. If you ever need to access your data, it's downloaded and then decrypted once again on your local computer.

    To increase your security, you can (and should) set an additional Archive Key Password in your app settings. This means that your encryption key itself is also encrypted with a separate password, and this password is never shared with CrashPlan.

    CrashPlan then never has access to your encryption key and cannot access your data or share information with any third parties or government agencies even if a court compelled them to.

To enable the Archive Key Password, open CrashPlan, navigate to Settings and select the Security tab. In the Archive Encryption section select Archive Key Password, and make sure not to set any archive questions, which would allow you (and CrashPlan) to restore your key if you forget your password. Instead, use the password techniques described previously in this Black Paper.

Some other cloud backup providers and potential alternatives are:

BackBlaze
Carbonite
Mozy


    5.0 DATA ENCRYPTION

Most people think that the data on their computers is secure and inaccessible to others. After all, every time you turn your computer on, you have to enter a password, and only then can you view your files.

Unfortunately, without encryption, your computer password does not actually prevent anyone from accessing your data. All it takes for someone to access it is to boot your computer from a USB stick; they will then be able to read and change any file they want on your computer without having to know or enter your password. On a Mac they can start the computer in Target Disk Mode, which turns it into a big external hard drive. They can then plug that hard drive into another computer and browse all of its files.

The reason is that your operating system is hiding the data from people who don't have the password, but once you start a different operating system, the data is accessible.

    In order to make data completely inaccessible, you have to use encryption. When you encrypt your data, it is encoded in a way that makes it unreadable without having the key to decrypt it.

    This means if your laptop or external hard drive is lost, stolen or confiscated, nobody can read the data on it unless they have the secret key, and this key is one which only you know.

Surveillance and incidents of confiscation have been happening more frequently. Governments act with impunity, and your devices can be seized and searched even without you being accused of doing anything wrong. This is especially true at airports and other border crossings. That's why encryption is so important.

    5.1 Computer Full Disk Encryption

    Not too long ago encrypting your data was a lot of hassle, required you to use complicated and unintuitive software and would slow down your computer as it decrypted data being read from the hard disk and encrypted data being written to it.


    The disadvantages and inconvenience outweighed the benefits for most people.

All of this changed a few years ago when laptops started to move towards very fast solid-state drives (SSDs) instead of mechanical hard drives, and when Intel added native support for encryption to their chipsets.

    If you have a modern computer, you can encrypt your entire hard drive and will most likely not even notice any performance reduction or inconvenience.

It's important to understand that your data is stored encrypted on your hard drive, but every time you turn your computer on you have to enter the password so that the data can be decrypted for use. If someone sends you malware and you install it accidentally, that malware will be able to access your data while your computer is turned on.

    For maximum security, you should always completely shut down your computer when you are in higher risk situations, such as crossing borders or any time your device will be outside of your physical control.

Important: If you decide to encrypt your hard drive and you suffer a hard drive failure, your data will most likely not be recoverable. That's why we covered having a sound backup strategy first. At the very least, use a cloud backup service and only then encrypt your hard drive.

5.1.1 Full Disk Encryption on Macs

Apple has created a very easy to use and safe way of encrypting your entire hard drive called FileVault.

All you have to do is go to System Preferences > Security & Privacy > FileVault tab and enable it.

For more information and more detailed instructions, please refer to Apple's support document about FileVault.

Important: Make sure NOT to save your recovery key with Apple, as this would allow them to hand over the decryption keys if forced to do so.


    Instead, memorize it or save it in a safe location. If you created a strong master password, your 1Password database would be a good place for this.

It's also worth mentioning that every user you add after enabling the encryption will be able to start your Mac and decrypt the disk. Therefore make sure all users of your computer are using long, random passwords as described in the password section.

    I recommend anyone with a Mac that has a Solid State Drive (SSD) and that was released in 2012 or later to turn on FileVault.

    Everyone else can also enable it, but will notice slower performance.

5.1.2 Full Disk Encryption on Windows PCs

TrueCrypt used to be the de facto standard of full-disk encryption software on Windows. In 2014 the development team abruptly shut down the project and left behind only a version that is capable of decrypting files but not encrypting them.

A public audit of the software is in progress, but the abrupt shutdown has raised suspicion that the software may contain a backdoor and that the encryption might be compromised.

Whenever I'm using a tool to protect my privacy and I encounter something that raises doubt about whether it is still the right tool, I prefer to stop using it until the questions are answered. In the case of TrueCrypt, it's possible to use an older version, and there may not be any risk in doing so. Without knowing for sure, I recommend that you avoid using TrueCrypt.

    Fortunately there are other alternatives.

Windows BitLocker

BitLocker is the encryption software included in Windows itself, which is very similar to FileVault on Macs.

It's only available in certain Windows editions, however:

Windows Vista: Ultimate and Enterprise
Windows 7: Ultimate and Enterprise
Windows 8: Pro and Enterprise


For more information on how to enable and set it up, please read Microsoft's support document.

Symantec Drive Encryption

Symantec Drive Encryption is powered by the same technology as PGP email encryption.

It's closed source, just like BitLocker, but security and cryptography expert Bruce Schneier uses it. He is a well-respected member of the digital security community, so his use of it speaks strongly in its favor.

    5.2 External HDD Encryption

We store a lot of important data on external hard drives (HDDs): if nothing else, our backups are there. It's especially important to protect them because of how easy it is to lose or steal a small external hard drive.

    You have two main options for encrypting your external HDD: Software or Hardware.

5.2.1 Software Solutions

When you use a software solution, a program or your operating system encrypts all or some of the files on the hard drive and decrypts them for you when you provide the password.

The problem with software encryption is that you need to use the software on every computer you want to access the files from, and sometimes the software is not compatible between Windows and Mac.

Additionally, it's not possible to software-encrypt a network-based Time Machine backup or to attach a software-encrypted drive to a network storage system.

Mac Solutions:

Encrypt entire external hard drives with Apple's FileVault
Encrypt only certain files and folders with Apple's Sparse Disk Images
Use AgileBits' Knox for a more user-friendly solution to encrypting only certain files and folders

Windows Solutions:

Microsoft BitLocker to encrypt entire external hard drives
GPG4Win to encrypt certain files and folders

5.2.2 Hardware Solutions

The alternative is to purchase a hard drive that has encryption functions built right into its hardware. When you connect such a hard drive, it's not even detected or recognized by your computer until you type the password on a keypad attached to the drive.

The advantage is that it's completely cross-compatible. It doesn't matter whether you connect it to a Mac, a Windows PC, an Airport Extreme, or some other network storage system. Once you type in the password, it appears to them as a normal hard drive.

    At the same time you have to be careful to purchase a quality product. Some solutions do not actually encrypt the data and can be circumvented by simply taking the hard drive out of the enclosure and connecting it directly to a computer.

Here are two solutions that are highly regarded and actually encrypt the data:

StarTech.com 2.5-Inch Encrypted Hard Drive Enclosure
Apricorn Encrypted Hard Drives & USB Sticks

    I highly recommend using one of these as your local backup hard drive.

    5.3 Encrypted Cloud Storage

    Everyone knows how convenient cloud storage like Dropbox is, but the data there is not stored securely.

Dropbox assures users that their data is encrypted while it's being uploaded and downloaded and when it's stored on the Dropbox servers. While this is true, it's important to understand that Dropbox holds the encryption keys to the files.

    This means Dropbox employees can decrypt your files to read them and, if forced to, share them with government agencies.


Even Edward Snowden specifically warned against using Dropbox and called it "hostile to privacy".

Fortunately there are a few security- and privacy-focused cloud storage providers who have designed their services so that they themselves cannot read your files and can only hand over encrypted, unreadable content to government agencies.

These services use client-side encryption and are Zero Knowledge Providers. This means that the data is encrypted on your device BEFORE it's uploaded, and you are the only one who holds the necessary encryption keys.

Even if a court forces the provider to share whatever data they have on you, it will be useless, as it's encrypted and you are the only one who holds the encryption keys.
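The key-wrapping design behind both the Archive Key Password in section 4.2 and the zero-knowledge providers described above, as an added example that is not CrashPlan's, Tresorit's or any provider's actual code: a random data key encrypts the file, that data key is itself encrypted under a key derived from the user's password, and the provider stores only the salt and the two ciphertexts. It assumes Go's standard-library AES-256-GCM with a hand-written PBKDF2 (100000 iterations is an assumed work factor), and the password and file contents are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Archive is everything the provider stores: a public KDF salt, the random data
// key encrypted under the password-derived key, and the file encrypted under
// the data key. None of it is readable without the password.
type Archive struct{ Salt, WrappedKey, Ciphertext []byte }

// pbkdf2SHA256 derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018).
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1 suffices for a 32-byte key
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// randomBytes draws n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds an AES-256-GCM AEAD, which encrypts and authenticates at once.
// Every key in this file is 32 bytes, so a constructor error is a bug, not input.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext under key and prepends the fresh random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aesGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or on any modified byte.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aesGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt runs on the user's device; only the returned Archive is uploaded.
// The password and the unwrapped data key never leave the machine.
func Encrypt(password, plaintext []byte) *Archive {
	dataKey, salt := randomBytes(32), randomBytes(16)
	kek := pbkdf2SHA256(password, salt, 100000) // key-encryption key (assumed work factor)
	return &Archive{Salt: salt, WrappedKey: seal(kek, dataKey), Ciphertext: seal(dataKey, plaintext)}
}

// Decrypt is the restore path: re-derive the key-encryption key, unwrap the
// data key, then decrypt the file. A wrong password fails at the unwrap step.
func Decrypt(password []byte, a *Archive) ([]byte, error) {
	dataKey, err := open(pbkdf2SHA256(password, a.Salt, 100000), a.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("wrong password or damaged archive: %w", err)
	}
	return open(dataKey, a.Ciphertext)
}

func main() {
	pw := []byte("correct horse battery staple") // constructed sample password
	a := Encrypt(pw, []byte("constructed sample: bank statement"))
	_, wrong := Decrypt([]byte("not the password"), a)
	got, _ := Decrypt(pw, a)
	fmt.Printf("wrong password: %v\nright password: %q\n", wrong, got)
}
```

Because the provider only ever holds the salt and the two GCM ciphertexts, a subpoena yields nothing readable, and any byte altered in storage is rejected on restore rather than silently decrypted to garbage.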

5.3.1 Consideration With US Based Providers

It's important to understand that if you are using a provider who is a US business or who stores the data on US soil, the FBI or NSA can force the company to install backdoors on their network and in their software to capture the encryption keys in clear text. Even if the provider stores the data outside of the US but is a US-registered company (such as Amazon Web Services), the data is not safe. This is exactly what happened to Lavabit, a company that used to provide encrypted and privacy-focused email solutions to customers, including Edward Snowden. Ladar Levison, the founder, was ordered by a US court to install a backdoor onto his network that would allow the government to capture customers' plain-text passwords.

He fought the broad scope of the search, and when his efforts to have the search limited to a specific target failed, he chose to shut down his 10-year-old company in order to protect his 410,000 customers.

    You should therefore try to use a service provider based in a privacy-focused country such as Switzerland, or another country that is out of the jurisdiction of your home government.


5.3.2 Do You Need Encrypted Cloud Storage?

Before you go and move all your files away from Dropbox, you should first consider whether you actually need encrypted cloud storage. If all you store on Dropbox are pictures of your cat, you really don't need to do this.

On the other hand, if you store or plan on storing your entire documents folder, which may contain sensitive information such as bank statements or legal documents, you may want to consider it.

5.3.3 Encrypted Cloud Storage Options

Over the past few years quite a few secure options have surfaced, but in my opinion most of them haven't been able to create a solution that can really compete with Dropbox in terms of usability and convenience.

Most of the services listed below differ in terms of features, but all of them employ zero-knowledge client-side encryption.

    The purpose of this section is to give you a start on finding the perfect solution for yourself. You have to make a decision based on where you are located, what type and quantity of data you want to protect, as well as how much importance you put on usability.

Tresorit
https://tresorit.com

    Tresorit is not only very secure and hosted in Switzerland, but also user-friendly, with great apps on many platforms. They started a hacking contest offering US$50,000 to anyone who can break their system and nobody has been able to.

In my opinion it's the only secure cloud storage provider that comes close to Dropbox.

SpiderOak
https://spideroak.com

SpiderOak is famous for being recommended by Edward Snowden and offers zero-knowledge client-side encryption just like Tresorit.


They offer attractive pricing options, but the big drawback is that their service is US-based and their apps are not as polished as Tresorit's.

Mega
https://mega.co.nz/

Mega is the new file host by the infamous Kim Dotcom, whose previous file sharing service Megaupload was shut down by the FBI for copyright violations, and whose villa in New Zealand was raided spectacularly with helicopters and armed forces.

Dotcom decided to fight back and created a secure zero-knowledge file host, which would make it impossible for him to be held responsible for the content hosted on it. Having been bitten by the US government himself, he made it his mission to create a private and secure service.

Mega has been trying to establish itself as a secure Dropbox replacement, but the app, syncing and sharing capabilities are not as convenient. Nonetheless it's still a great service because of its generous free tier and the ability to store large files.

Mega's situation is similar to what I discussed earlier with TrueCrypt. It might be safe, but Kim Dotcom is under the thumb of law enforcement right now and is working aggressively to prove his innocence. Until he resolves those problems, I prefer to keep sensitive information off of Mega.

    6.0 INTERNET ENCRYPTION

Most of the technology behind what we know as the Internet came out of a US Department of Defense network called ARPANET. It was designed to allow university researchers to communicate with each other and share information, and they never expected it to become what we have today.

    ARPANET was never intended to transmit confidential and secure information. All of the technology that allows our modern Internet to do so has been stacked on top of the ARPANET foundations. Some of it works well, but all of it relies on a complicated web of interdependent components. If one of these components fails, the whole system fails.


The majority of data is transferred through the Internet unencrypted, and that's okay. If you're out in a restaurant, you can hear the conversations of those around you, and no one cares. People know not to talk about private information in public. For that we have encrypted communication. But even encrypted traffic is vulnerable to certain attacks that allow hackers and governments to spy on you.

    6.1 Why Additional Internet Encryption is Important

    Many of the websites you visit use an encrypted connection (HTTPS), which is signified by a little lock icon in your browser. Bigger sites pay more to have their identity information shown next to their Internet address, telling you that you really are visiting their site. Some of them encrypt your entire visit, while others only encrypt key parts such as logging in or purchasing.

While the number of encrypted websites keeps growing, you would be surprised by the number of websites that do not encrypt even sensitive information. This is especially important because most people do not pay attention to whether a website is using a secure connection, and some apps, especially on smartphones and tablets, don't even display this information.

    Every time you visit a website, read your email, or download a file, the traffic connects through many different points between you and the destination. If the connection is not encrypted, anyone along that route can capture the traffic and read it.

It starts on your local WiFi, where a person armed with a small bit of knowledge can capture which unencrypted websites you are visiting, what pages you are viewing, and what data you are transmitting to them (including passwords and credit card details). Even your email program may be using an unencrypted connection without you knowing it, exposing your password and email content to anyone who is on the same WiFi network and knows how to listen in.

But it doesn't stop there. Once you load a website, the request leaves your computer and travels through a long chain of routers and servers before arriving at the site you're visiting. Any admin, government, or hacker who has access to any one of these devices can potentially intercept the data.


For example, the US telecommunications company AT&T has introduced a fiber broadband plan where customers have to pay an additional $29 for the privilege of not being spied on. Those who choose not to pay agree to allow AT&T to collect and share information with their advertising partners, such as "the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter."

Edward Snowden's NSA leaks have even revealed that the NSA and British GCHQ tap undersea cables to mass-collect information and later sift through it. Information collected by the NSA is stored in their massive datacenter in Utah, where they mine it retroactively for data about people of interest. They even store all encrypted data there in the hope that today's strong encryption will be easy to break in future years.

Knowing that people can and will collect and search through your unencrypted data, it's of utmost importance to additionally secure your Internet connection AT THE VERY LEAST when you are using public WiFi networks. Ideally, you would secure it ANY time you connect online and prevent your computer from accessing the Internet without additional encryption.

Here is a summary of reasons why I secure my Internet traffic whenever possible and why I encourage others to do the same:

Privacy is a basic right
I don't want criminals to steal my data
My activities are no one else's business

    6.2 How to Encrypt ALL Internet Traffic With a VPN

    When you connect to the Internet, your ISP gives you an IP address, and they keep track of what IPs were assigned to which customers at any given moment. This makes the ISP the first point at which your data can be monitored or tampered with.

Current legislation related to net neutrality is about this part of the journey. ISPs want to be able to prioritize traffic according to customer type. What this means is that you already pay them for Internet access, but if you want to watch Netflix, Netflix has to pay them too. This is the slipperiest of slopes and is founded on the ISP watching and recording everything that every one of their customers is doing all of the time. To get past this and out into the ocean of space that is the Internet proper, you can use a Virtual Private Network (VPN).

A VPN creates a secure, encrypted tunnel from your device to the VPN provider's server, through which all data flows. Instead of connecting to your ISP and then to the Internet, a VPN creates an encrypted tunnel through your ISP to the VPN provider.

No one between you and the VPN provider can see what's happening inside the tunnel, so if someone is listening in on your local WiFi or the government elsewhere is gobbling up all traffic going through your ISP, you're protected. In order for someone to know what you're doing, they would have to control the remote end of the connection as well. This is much harder for them to do.

    For example, if you are in the US and use a VPN in Hong Kong, the websites you visit will think you are a visitor from Hong Kong. Literally, your IP address will be the address of the VPN provider in Hong Kong. This is because you are establishing a connection to the Hong Kong VPN server and from there connecting to the final website.

    If someone is snooping in between the Hong Kong VPN and the website, they will have no way of knowing it was you who accessed the website by looking at the visitor IP addresses. The reason for this is simple: The VPN has potentially thousands of users and it could have been any one of them who visited the website.

This is also how people circumvent the geolocation restrictions that various service providers have, by using a VPN server located in a different country. Since this may violate the Terms of Service of many of them, we do not formally endorse using VPNs for that purpose.


6.2.1 How to Pick a VPN Provider

When you are picking a VPN provider you need to consider the following things:

1. Your home country
2. The country where the VPN company is registered
3. Whether the service is anonymous or retains your history
4. The country where the actual VPN servers are

    VPN Provider Country

    Generally you should pick a VPN outside the jurisdiction where you are a citizen or resident. This way interested parties would have to go through at least two different jurisdictions, which is more difficult and expensive.

You also want to make sure the country you pick has no mandatory data retention laws, which are very common in Europe, for example. Hong Kong, on the other hand, has no mandatory data retention laws.

    For more information on the current status of mandatory data retention laws you can consult the Electronic Frontier Foundation.

    You can also pick a country with strong legal support for privacy, such as Iceland or Sweden. These are countries where your digital rights are protected by courts who require evidence of criminal activity before allowing data to be handed off to others.

    Whether the company is logging your information

    Simply picking a VPN provider in a country which does not require mandatory data retention does not guarantee that they will not log any information about you.

    Therefore you should additionally do research on what the companys privacy policy is and what kind of information they retain.

Back in 2011, the UK-based HideMyAss was forced to hand over data logs belonging to a member of the hacker group LulzSec to the US authorities.


    VPN Server Country

    Most VPN providers allow you to pick from a range of VPN servers in different countries, masking your real location on the Internet.

Just like with the VPN company, you want to pick a location that's different from your country of citizenship and residency. At the same time you want to pick a VPN server that's as close as possible to where you currently are. Generally, the further away the server is from you, the slower your connection will be.

If you are in Germany, for example, picking the Netherlands would be a great choice.

    6.2.2 Recommended Services

VyprVPN
https://www.goldenfrog.com/vyprvpn
United States

The biggest strength of VyprVPN is its ease of setup and use. They provide easy-to-use apps for Mac, Windows, iOS and Android, which make the often inconvenient setup very straightforward.

    They log a small amount of data about your usage for abuse prevention, but are very open and clear about it as well as how they respond to investigations in their privacy policy.

    Because they are US-based this is not the most private VPN service out there, if you are concerned about the heavy hand of the US government. For all other intents and purposes, such as securing your Internet connection and data while on public WiFi networks, VyprVPN is a good and easy to use option.

    Several members of the Sovereign Man Team are using their service and are satisfied.

Hide Me
https://hide.me/en/network
Malaysia

    Hide Me is based in Malaysia, with no mandatory data retention laws, and assures their customers that they do not log any information.


    At the time of publishing, they only had apps for Windows and Android, which made the setup and usage on Macs and iOS difficult.

    If you are concerned about your privacy and anonymity this may be the right service for you. One of our team members used it before and was overall satisfied, except for the inconvenient usage and setup on Apple devices.

Other Providers

There are many more providers, but we only want to recommend the ones our team members have personally used.

    A good start to research more providers is the following link: https://www.bestvpn.com/.

    As always, be careful with review websites as a lot of them are actually affiliates of providers and may not be entirely truthful or objective. Do your own due diligence, especially if you require a high amount of anonymity.

    If all you want to do is protect yourself while on public WiFi and from tracking by your Internet provider, almost all VPN services will be sufficient.

    7.0 SECURING YOUR SMARTPHONE

    Our phones are a true gold mine of information about us: messages, emails, contacts, photos, location data and much more. What is worrying about this is how easy it is to lose this tiny device or have it stolen.

It's of utmost importance to protect this information and make sure it doesn't fall into the wrong hands.

    Fortunately both Apple and Android have improved their mobile phone encryption drastically to the point where the FBI even proposed to ban strong encryption by law.


    7.1 The Passcode

    Your passcode is your very first line of defense and like the lock on your front door, it helps to keep people out.

How much protection your passcode actually gives you depends on whether it's actually used to encrypt the data on your phone and on how strong your passcode is.

It's important to be aware, and in most cases to assume, that your passcode is doing nothing more than this: preventing people from walking through the front door of your phone.

Just because your data can't be accessed by simply unlocking your phone, it doesn't mean the data can't be accessed in other ways, such as being copied directly from the device to a computer.

It will keep out the curious teenager who finds your phone on the street, but it does not guarantee protection from a sophisticated attacker.

Does this mean the passcode is unimportant and you shouldn't bother with it at all?

Most certainly not. It's actually the foundation of your phone's security, and instead of dismissing it, you have to be aware of its limitations and know how you can make it more secure.

    7.2 Smartphone Encryption

    Both Apple's iOS and Android allow you to encrypt all user data on your phone. Although both platforms offer a similar approach to user data encryption, there are significant differences you should be aware of.

    7.2.1 iPhone and iPad Encryption

    If you are an iPhone or iPad user, all you have to do is set a passcode to enable user data encryption.

    Apple has been encrypting some of your data, such as email, automatically since 2009. In iOS 8, which was released in September 2014, it significantly expanded the amount of data that's encrypted by default:

    "On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, Notes, and Reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

    This protection is also enabled by default for third party apps, although app developers can disable it for certain files.

    In addition to using strong encryption, Apple has added measures to ensure the data can only be decrypted on the same iPhone or iPad. This means an attacker cannot create a copy of the encrypted data and brute-force it on a powerful machine.

    This gives you the convenience of being able to use a much simpler passcode without compromising the security of the encryption.

    All encryption features are implemented through hardware and will not slow down your device. You will not notice any difference in performance with or without a passcode.

    Enabling Encryption & Passcode

    To enable a passcode, and with it the full-disk encryption that comes along, simply turn it on in the settings:

    - iOS 8 on devices with Touch ID: Launch the Settings App → Touch ID & Passcode
    - iOS 8 on devices without Touch ID: Launch the Settings App → Passcode
    - iOS 7 on devices with Touch ID: Launch the Settings App → General → Touch ID & Passcode
    - iOS 7 on devices without Touch ID: Launch the Settings App → General → Passcode

    To further increase your protection, use a more complicated passcode instead of the default 4-digit option. You can do this by disabling the Simple Passcode option and entering a longer numeric or alphanumeric passcode.

    You may also want to enable the Erase Data option, which wipes your iPhone after 10 failed passcode attempts. This option is a great protection against random people guessing your passcode, but you should be aware that it has flaws and a very sophisticated attacker can circumvent it.

    Therefore you should not rely on it alone, but pick a very secure passcode. More details on what constitutes a secure passcode are in the next section.

    Making sure all user data is encrypted

    Important: Make sure you use iOS 8

    If you are using iOS before version 8.0, not all of your data is encrypted. To ensure you have full protection, make sure your devices have been updated to iOS 8.0 or higher.

    To check your iOS version: Launch the Settings App → General → About → Version

    To update your device: Launch the Settings App → General → Software Update

    All devices released in 2011 or later can be updated to iOS 8 and take advantage of this functionality.

    The only devices that cannot be updated are:

    - The iPhone 4 and older
    - The original, first generation iPad
    - The iPod Touch fourth generation and older

    7.2.2 Android Encryption

    Google has been offering full-disk encryption in Android since 2011, but it was never enabled by default and you have to specifically turn it on.

    They significantly improved their encryption technology in October 2014 with the Android 5.0 Lollipop update, and now it's enabled by default on some new phones such as the Google Nexus 5.

    7.2.2.1 Limitations of Android Encryption

    Off-Box attacks are possible

    The most important issue present in versions of Android before 5.0 is that encryption was not tied to the device. This means an attacker could copy the encrypted contents of your phone and brute-force the password on a much more powerful computer.

    If you enable encryption on a pre-5.0 Android device, you should use a VERY complicated passcode, otherwise the encryption can be cracked within minutes.

    Screenshot of a password cracking tool in action.

    The screenshot shows a tool that cracked the password of an Android full-disk encryption in 59 seconds. The password was 8 characters long and included lowercase letters and numbers: p4ssw0rd.

    On iOS devices and Android devices with the new 5.0 update the same password would take approximately 7,000 years to break. This is because the attacker would not be able to use a powerful computer to do the attack, but instead would have to use the limited processing power of the phone itself.

    Performance impact

    Unlike Apple devices, most Android devices do not support hardware acceleration of encryption, which degrades the performance of your device. This includes new Android 5.0 devices such as Google's Nexus 5.

    Future Android phones will hopefully implement hardware features to accelerate encryption, but at the moment you have to be aware that your device will be a little bit slower and more sluggish.

    On some devices only internal memory is encrypted

    Many Android devices come with limited internal memory and allow you to add more through additional SD cards. Unfortunately not all devices support encrypting this additional storage. In that case you need to be careful what data is stored on the SD card.

    7.2.2.2 Enabling Android Encryption

    Depending on which device you have and which version of Android it's running, the encryption can take an hour or more. Make sure you have enough time to finish the process and plug your phone into a charger.

    1. Set a PIN or password: Open Settings → Security → Screen Lock → PIN or Password

    2. Encrypt the phone: Open Settings → Security → Encryption

    For further information, please read Google's support document.
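Once the process above has finished, it is worth confirming from a computer that the device really reports its storage as encrypted rather than trusting the Settings screen alone. The following Python script is an added example written for this report, not code from Google or from the original document. It assumes the Android platform tools (adb) are installed and USB debugging is enabled; it reads the system properties Android exposes for this purpose (ro.crypto.state, and on newer builds ro.crypto.type), and falls back to a constructed sample of getprop output when no device is attached so the parsing logic can be run offline.

```python
# Added example (not from the original report): check whether an Android
# device reports its user data as encrypted, using `adb shell getprop`.
# Assumptions: adb is on PATH and USB debugging is enabled on the device.
# Properties read (Android system properties, values may vary by OEM build):
#   ro.crypto.state  -> "encrypted", "unencrypted" or "unsupported"
#   ro.crypto.type   -> "block" (full-disk) or "file" (file-based), when set
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of `getprop` output so the script can be exercised offline.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [5.1.1]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]
[ro.product.model]: [Nexus 5]
"""


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `getprop` lines of the form `[name]: [value]` into a dict."""
    props: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # skip anything that is not a property line
        name, value = line[1:-1].split("]: [", 1)
        props[name] = value
    return props


def assess(props: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message) describing the device's encryption state."""
    state = props.get("ro.crypto.state", "")
    ctype = props.get("ro.crypto.type", "")
    release = props.get("ro.build.version.release", "unknown")
    if state == "encrypted":
        kind = {"block": "full-disk", "file": "file-based"}.get(ctype, "unspecified type")
        return True, f"Android {release}: user data encrypted ({kind})"
    if state == "unencrypted":
        return False, (f"Android {release}: user data is NOT encrypted; "
                       "enable it under Settings > Security > Encryption")
    if state == "unsupported":
        return False, f"Android {release}: this build reports encryption as unsupported"
    return False, f"Android {release}: encryption state not reported (property missing)"


def read_device_props(serial: Optional[str] = None) -> Dict[str, str]:
    """Run `adb shell getprop` against the attached (or named) device."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


def check_device(serial: Optional[str] = None) -> Tuple[bool, str]:
    """Assess the attached device; use the constructed sample if adb is unavailable."""
    try:
        props = read_device_props(serial)
    except (FileNotFoundError, subprocess.CalledProcessError):
        props = parse_getprop(SAMPLE_GETPROP)  # offline fallback, constructed data
    return assess(props)


if __name__ == "__main__":
    ok, msg = check_device()
    print(("OK   " if ok else "WARN ") + msg)
```

A device that answers "unencrypted" here has not actually completed the procedure above, whatever the Settings screen suggests; repeat the steps with the phone on a charger.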

    7.2.2.3 Use the Most Recent Android Version

    Significant improvements in encryption technology have been made in versions 4.4 and 5.0 of Android, and if possible you should take advantage of them by updating.

    Check which version of Android your device is running: Open Settings → About Phone → Android Version

    Update your Android

    You can check whether an update for your device to Android 4.4 is available by clicking here, and whether an update for Android 5.5 is available by clicking here.

    Unfortunately many Android devices do not receive many updates or have to wait a very long time to receive a new version.

    Enable encryption even if you cannot update

    If you cannot update to Android 5.5, off-box attacks are possible, albeit probably not for unsophisticated attackers.

    The encryption may not protect you from the NSA, or even a low level law enforcement agency, but at least it will stop strangers and thieves from getting access to your private data.

    Make sure to use a strong password.

    7.2.3 When Is My Data Encrypted and Decrypted?

    If you have encryption enabled in Android or iOS, user data is encrypted the moment it's written to the persistent memory and decrypted when read.

    One important caveat is that not all data is in an encrypted state at all times. When the device is turned on, it needs to be able to access data like your address book to function and the data is therefore decrypted.

    Not encrypted

    System files and other files required to start the device are not encrypted at all.

    Encrypted until first passcode entry

    Most user data is fully encrypted until the device is unlocked for the first time after being turned on. Once you type in your passcode for the first time after turning on the device, the data is decrypted and stays decrypted until you restart your device again.

    Your contacts are a great example, which you can see for yourself:

    Restart your iPhone without unlocking it and call yourself from another phone. You will only see the number and no contact information from your address book.

    Once you unlock your phone for the first time and lock it again, you will still see the contact information of the incoming call.

    Encrypted while the phone is locked (iOS only)

    Sensitive information like Safari passwords is only decrypted while your iPhone is unlocked. As soon as you press the lock button the data is encrypted again and not accessible anymore.

    This functionality is only available in iOS; Android does not support this.

    What does all of this mean for me?

    The important takeaway from this is that your data is only fully protected before you enter your passcode for the very first time.

    Once you enter your passcode, an attacker has several points of entry to access your decrypted data. If you, for example, visit a website on your phone, which exploits a security vulnerability and installs malware on your phone, the malware could send the decrypted information to the hacker.

    A more practical example is the case of confiscation:

    Law-enforcement agencies have several tools that allow them to copy unencrypted and decrypted files from your device, but you can make it impossible for them by simply turning your device off before handing it to them.

    It will be impossible to access the data without your passcode and even Apple, Google or Samsung will not be able to recover it without your passcode. They will have to try to crack your passcode, which can take a very, very long time if you picked a good one.

    IMPORTANT: My recommendation is to always turn off or restart your devices when you are in situations where confiscation is a possibility. This includes police checks, border crossings and so on.

    7.3 Picking a Secure Passcode

    The complexity of your passcode defines how well your data is protected. If you are using an iOS 8 or an Android 5.0 device, the complexity can be significantly lower. This means you can use a passcode that is easier and more convenient to type while still being sure your data is secure.

    If you are using a pre-5.0 version of Android, you should use a long and complex password as described in the password section of this Black Paper for the highest security. Unfortunately it becomes impractical to enter a difficult password like that every time.

    In that case I recommend using the most complex passcode you are comfortable typing in and enabling encryption. It may not protect you from a sophisticated attacker, but it still gives you additional security.

    The calculations below are based on the information Apple provided in their iOS Security Guide and should apply to Android 5.0 devices as well.

    Look at the table and the time necessary to break the password, then decide what level of security you need.

    COMPLEXITY                                             | EXAMPLE      | TIME TO CRACK
    4 characters with numbers only                         | 4681         | 13 seconds
    6 characters with numbers only                         | 2547 81      | 22 minutes
    8 characters with numbers only                         | 8126 2493    | 92 days
    10 characters with numbers only                        | 3572 4793 17 | 25 years
    4 characters with lowercase letters and numbers        | 4fa7         | 1.5 days
    6 characters with lowercase letters and numbers        | ga5b 8j      | 5.5 years
    4 characters with lower and upper case letters and numbers | hF3a 44  | 13 days
    6 characters with lower and upper case letters and numbers | hoP5 32g | 52.5 years

    Important Note: These calculations are based on Apple's passcode implementation, which requires an attacker to crack the passcode on the mobile device itself and prevents them from using a much more powerful computer. They do not apply to your usual passwords.
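The difference between the on-device model behind this table and the off-box attack described in 7.2.2.1 comes down to one number: how many guesses per second the attacker gets. The Python script below is an added example written for this report, not a calculation from Apple or from the original document. It computes the worst-case time to try every passcode of a given alphabet and length under both models: on-device guessing at the roughly 80 ms per attempt that Apple's iOS Security Guide states its key derivation is tuned to, and off-box guessing at a constructed, illustrative rate of one million guesses per second (a real cracking rig's speed depends on its hardware, which is exactly why off-box attacks are dangerous). The alphabet sizes and lengths cover the rows of the table above as well as the p4ssw0rd case (36 characters, length 8) from 7.2.2.1.

```python
# Added example (not from the original report): worst-case time to exhaust a
# passcode keyspace under on-device and off-box guessing.
# ON_DEVICE_SECONDS_PER_GUESS is the ~80 ms per attempt Apple states in its
# iOS Security Guide; OFFLINE_GUESSES_PER_SECOND is a constructed illustrative
# figure, not a measurement of any particular cracking tool.
from typing import Tuple

ON_DEVICE_SECONDS_PER_GUESS = 0.080      # Apple: key derivation tuned to ~80 ms
OFFLINE_GUESSES_PER_SECOND = 1_000_000   # constructed placeholder rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALPHABETS = {
    "digits": 10,
    "lowercase+digits": 36,
    "lower+upper+digits": 62,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       seconds_per_guess: float = ON_DEVICE_SECONDS_PER_GUESS) -> float:
    """Worst case: every passcode is tried once at the given per-guess cost."""
    return keyspace(alphabet_size, length) * seconds_per_guess


def compare(alphabet_size: int, length: int) -> Tuple[float, float]:
    """Return (on-device seconds, off-box seconds) for one passcode class."""
    on_device = seconds_to_exhaust(alphabet_size, length)
    offline = keyspace(alphabet_size, length) / OFFLINE_GUESSES_PER_SECOND
    return on_device, offline


def human_readable(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    header = f"{'passcode class':<28}{'on-device (80 ms/guess)':>26}{'off-box (1M guess/s)':>24}"
    print(header)
    for name, size in ALPHABETS.items():
        for length in (4, 6, 8, 10):
            on_device, offline = compare(size, length)
            label = f"{length:>2} x {name}"
            print(f"{label:<28}{human_readable(on_device):>26}{human_readable(offline):>24}")
```

The figures are worst-case (the attacker has to try the entire keyspace); on average a guess succeeds about halfway through. The on-device column is the one that the table above is built on, and the off-box column shows why the same 8-character passcode that takes thousands of years on the phone is a matter of days or less once the encrypted image can be copied to other hardware.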

    7.4 Fingerprint Sensors

    When Apple released the iPhone 5S in 2013 the biggest new feature was the ability to unlock the phone with your fingerprint. Since then the implementation has become even more accurate and some Android phones have added fingerprint sensors too.

    The added convenience is unquestionable, especially if you are following my advice of using a complex passcode. The question is: Is it safe?

    There are two major reasons that speak against using fingerprints to unlock your phone:

    1. It can be circumvented with a fake fingerprint

    In fact Touch ID was hacked less than 48 hours after the iPhone 5S was released, and it may be possible to create a fake fingerprint from a photo of the finger.

    The same hacker also demonstrated that iris scanners and facial detection can be spoofed in a similar way.

    2. Police can force you to unlock your device with your fingerprint

    In the US the Fifth Amendment states that no person shall be compelled in any criminal case to be a witness against himself.

    In 2010, a US District Court in Michigan decided that a person cannot be compelled to provide a passcode because it would require the defendant to communicate knowledge, unlike the production of a handwriting sample or a voice exemplar.

    A fingerprint on the other hand is more like a key in that it does not require the witness to divulge anything through his mental process.

    This means a court cannot force you to be a witness against yourself by providing the passcode of your phone, but it can force you to use your fingerprint to unlock your phone.

    How to reduce the risk

    Even though Touch ID and fingerprint authentication have these major risks, you can significantly reduce your risk by taking advantage of the additional security features your phone has.

    On iOS devices the passcode is still required under the following circumstances:

    - The device has just been turned on or restarted
    - The device has not been unlocked for more than 48 hours
    - The device has received a remote lock command
    - The fingerprint authentication has failed five times in a row

    Samsung and other Android manufacturers with fingerprint technology have not released enough information about their technology, therefore this advice only relates to Apple devices.

    In 2014 the Supreme Court decided that smartphones are protected by the Fourth Amendment and cannot be searched without a warrant, which means your phone would not be searched immediately. If more than 48 hours go by after your phone is seized, they would not be able to compel you to unlock it anymore, since it would require your passcode.

    An even better approach to this is turning your device off or restarting it anytime you find yourself in a situation where this may be a possibility. This is also necessary to make sure all the data is in an encrypted state and cannot be copied off the device.

    What this means for you

    The safest approach would of course be to use a device that doesn't allow off-box attacks, such as the iPhone, with a six or eight character alphanumeric passcode and without fingerprint authentication.

    But would you be bothered to actually enter a password like ac4x7bau every time you want to check your messages?

    The worst thing you can do is use no passcode or a simple four-digit passcode. This is what most people use and it offers very little protection against sophisticated attackers.

    Using an 8-digit or 6-character alphanumeric passcode with Touch ID is a sensible option for a lot of people in my opinion.

    Additionally, by not entering the passcode often, you lower the chance of surveillance cameras recording you typing it in and compromising your phone's entire security.

    Simply be aware that your fingerprints can be copied and if you are in doubt, quickly turn off your device.

    In the end, you are the only one who can decide what level of security you need and what kind of inconvenience you have to go through in order to protect your privacy and security.

    7.5 Additional Settings You Should Check

    All your effort of using a strong passcode and enabling encryption on your phone could be wasted if you allow your device to copy all your data to the cloud, for example.

    If you store sensitive data online, you should always make sure you are the only one with access to the encryption key and that the data is encrypted on your local device BEFORE it's uploaded.

    7.5.1 Apple iOS

    Generally your iOS device is very secure at this point, but you should consider the following iCloud settings.

    Apple is offering a range of convenient services to store your data online under the name of iCloud. These services make it very easy and convenient to sync data across multiple Macs, iPhones and iPads, as well as keep your data safe in case you lose your device.

    These conveniences come at a price, however, and could be a gold mine for law enforcement agencies.

    Even though Apple is storing the data encrypted in the cloud, they still have the encryption key. This means they could be compelled to decrypt your data by a court.

    Disable iCloud backup

    Disabling iCloud backups is the most important step you have to take. It's a very convenient and automatic service, which stores frequent copies of all your user data on Apple's servers. This allows you to restore your device if you break or lose it and never have to worry about backups.

    Unfortunately this would also make all your efforts of encrypting your phone useless if government agencies can simply force Apple to hand the same data over from their cloud.

    To disable iCloud backups, follow these steps:

    1. Disable the backup by launching the Settings app → iCloud → Backup → set iCloud Backup to off

    2. Delete previous iCloud backups by following these steps.

    Enable encrypted iTunes backups

    Instead of relying on automatic backups to the cloud, you should enable backups stored on your computer and protect them with a password. This way every time you plug your device into your computer, or sync it with your computer through the same WiFi connection, it will automatically be backed up by iTunes where it can only be accessed by you.

    Follow these instructions to enable iTunes backups.

    Follow these instructions to encrypt your iTunes backups with a password.

    Disable iCloud drive

    iCloud Drive is Apple's cloud storage, similar to Dropbox. It allows applications to store new documents in the cloud and makes them accessible from all devices through their apps.

    You can browse the contents of your iCloud drive by logging in with your Apple ID here.

    How to disable iCloud Drive: Launch the Settings app → iCloud → iCloud Drive → set iCloud Drive to off

    Disable Photo Stream & iCloud photo library

    Storing your pictures online is convenient, but you have to be aware that your photos not only capture your life, they also capture your location. Every time you take a picture on your device, your current location is added to the photo to allow you to see where it was taken.

    This data can be used to create a profile of where you go and what you do.

    In 2014 several celebrities have learned the hard way that online storage of photos can have terrible consequences when their nude pictures were leaked online.

    How to disable Photo Stream & iCloud Photo Library: Launch the Settings app → iCloud → Photos → set all options to off

    Disable Keychain syncing

    In iOS 7 Apple introduced iCloud Keychain Sync, which allows you to seamlessly sync your passwords between all your Apple devices. They have gone to great lengths to ensure the data is secure and to make it impossible even for them to access the data.

    They documented it in their iOS Security Whitepaper and you can read a good summary of it here.

    Nonetheless, there is still a chance a court could compel them to backdoor this service and circumvent these protections.

    How to disable iCloud Keychain: Launch the Settings app → iCloud → Keychain → set iCloud Keychain to off

    Contacts, calendars and reminders

    Your contacts, calendars and reminders are also synced through iCloud. Whether you want to disable this function is of course up to you and your privacy needs.

    How to disable contacts, calendar and reminder sync: Launch the Settings app → iCloud → set the services you don't want to sync to off

    7.5.2 Android Devices

    It's much more difficult to give concrete advice for Android devices, since every device manufacturer adds their own twist to it, with their own customizations and additional apps.

    You should consult your device's settings and feature list to find out what kind of services may be sharing or uploading your data.

    At the very least you should consider the things below.

    Disable photo backup

    Google has a convenient service to backup all your photos to Google+, but for privacy reasons you may want to disable this.

    How to disable photo backup: Launch the Google Photos app → Settings → set Auto Back Up to off

    Additionally you may have to: Launch Google Settings → Google+ → set Auto Backup to off

    Disable unknown app sources

    Its very important to be careful about what kind of apps you are installing. To be on the safe side, only install apps from the Google Play store and make sure to always check what kind of permissions the app requires. You should also read the reviews to see if the app is doing anything suspicious.

    Additionally, you should disable app installations from unknown sources to avoid being tricked into installing malware.

    How to disable unknown app sources: Go to Settings → Security → uncheck Unknown Sources and check Verify Apps

    Understand Android permissions

    When you download an app to your Android device, the Google Play store presents you with a list of permissions the app is going to use. You can use this to decide whether you want to download and install the app, or, if you feel it's requesting too much data that it doesn't need, you can choose n