Protecting Privacy on the Internet

Bhutan is undergoing a major shift in its technological infrastructure. With the advent of mobile technology and, subsequently, 3G services, the number of online users has skyrocketed in recent times. However, the general public is largely unaware of the basic steps needed to ensure privacy online. In 2015 the Global Cyber Security Capacity Centre at the University of Oxford partnered with the World Bank to assess the existing level of cyber-security capacity in the country. The assessment reveals that cyber-security capacity within Bhutan, especially in the area of online privacy, is still at the start-up stage: at this stage either no capacity exists with respect to some factor, or it is only initially being considered [1]. Considering this, the BtCIRT has made an attempt to provide recommendations and measures so that Bhutanese internet users can have a safe browsing experience.

Here are a few measures an internet user can adopt to protect his/her private information:

Account Management:
It is advisable to have separate email addresses for public forums, social networking sites and sites that require personal information such as bank account details. This is because search engines can index and extract information from the posts and other material we put online, and a single address ties all of it back to you.

Numerous sites now offer the option to link accounts; Google, for example, allows you to link all your different Gmail accounts in one browser. To protect your information, it is better to unlink your accounts. Nowadays we also have the option to use our Google or Facebook accounts to sign in to other sites directly without registering for each one. This is risky because if that one account is compromised, every account linked to it automatically becomes vulnerable to attack. [2]

Password Management:

  • Avoid easy-to-guess passwords:

Protect your account with passwords that cannot easily be guessed. If your password is compromised, someone else may be able to access your account and pretend to be you.
US-CERT (the United States Computer Emergency Readiness Team) recommends the following tactics when choosing a password:

  1. Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  2. Don’t use words that can be found in any dictionary of any language.
  3. Develop a mnemonic for remembering complex passwords.
  4. Use both lowercase and capital letters.
  5. Use a combination of letters, numbers, and special characters.
  6. Use passphrases when you can.
  7. Use different passwords on different systems. [3]

  • Don’t use the same password for sites holding your sensitive information and for other random sites.

It is advisable to use a different password for each internet account. In reality, it can be impossible to remember a different one for the dozens of online services you use. The problem with using the same password in more than one place is that if someone obtains it, they can reuse it to break into the other sites where you used it. In an attempt to remember passwords, most of the time we allow a website to remember them for us. US-CERT states that if your password is stored, your profile and any account information you have provided on that site are readily available if an attacker gains access to your computer. Phil Harris, a Sr. Cyber Security Principal for the Cyber Readiness and Response practice at Symantec [4], suggests using a free password manager such as Norton Identity Safe to eliminate the hassle of remembering multiple passwords while keeping your personal information secure. LastPass and KeePass are free password managers favored by many [5]. Mac operating systems come with a pre-installed password manager, Keychain Access, which manages your personal passwords.

Blocking Cookies
When you browse the Internet, information about your computer may be collected and stored. The information collected can include your computer’s IP address, the domain name you are connected to (such as gov.bt, .com, .edu.bt, .org.bt) and the kind of browser you use, such as Chrome, Firefox or Safari. Cookies can also store our browsing habits, such as when we last visited a particular site and our preferences on it.

To improve your security, US-CERT suggests adjusting your browser’s privacy and security settings to block or limit cookies. To make sure that other sites are not collecting personal information about you without your knowledge, they recommend allowing cookies only for the web site you are visiting and blocking or limiting cookies from third parties. In Firefox this can be done by clicking Tools > Options and exploring the Content, Privacy and Security tabs for the basic security options. Different browsers have different security options and configurations, so we need to familiarize ourselves with the menu options and check the help feature. Another important thing to note is that if we are using a public computer, we should make sure that cookies are disabled to prevent other people from accessing or using our personal information. [6]
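The "first-party only" cookie policy recommended above comes down to one question: does the cookie belong to the same site as the page you are visiting? The following example (written for this article, not a browser's real code) classifies Set-Cookie headers that way; the suffix list, the hosts and the cookies are all constructed, and the list is a tiny stand-in for the Public Suffix List that real browsers use to tell gov.bt-style shared suffixes from registrable sites.

```python
# Constructed, deliberately small stand-in for the Public Suffix List that
# browsers consult to decide where one "site" ends and another begins.
PUBLIC_SUFFIXES = {"com", "org", "net", "edu", "bt", "gov.bt", "edu.bt", "org.bt"}

def registrable_domain(host: str):
    """Site-level part of a host (www.moh.gov.bt -> moh.gov.bt), or None if
    the host is itself a public suffix such as 'com' or 'gov.bt'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):                  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])                  # unknown TLD: assume one label

def cookie_domain(setting_host: str, set_cookie: str) -> str:
    """Domain the cookie applies to: its Domain attribute (leading dot ignored,
    as RFC 6265 specifies), else the host that sent the Set-Cookie header."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value:
            return value.strip().lower().lstrip(".")
    return setting_host.lower()

def decide(page_host: str, setting_host: str, set_cookie: str) -> str:
    """'allow' a first-party cookie, 'block' a third-party one, 'reject' an
    invalid Domain attribute (RFC 6265: not a public suffix, must cover host)."""
    dom = cookie_domain(setting_host, set_cookie)
    host = setting_host.lower()
    if registrable_domain(dom) is None or not (host == dom or host.endswith("." + dom)):
        return "reject"
    return "allow" if registrable_domain(dom) == registrable_domain(page_host) else "block"

PAGE = "news.example.bt"   # constructed: the page the user is visiting
RESPONSES = [              # constructed (host that set the cookie, Set-Cookie header)
    ("news.example.bt", "session=a1b2; Path=/; Secure; HttpOnly"),
    ("static.example.bt", "prefs=dark; Domain=.example.bt; Path=/"),
    ("tracker.adnet-example.com", "uid=9f8e; Domain=.adnet-example.com"),
    ("widget.example.org", "seen=1; Domain=.org"),
    ("cdn.example.com", "x=1; Domain=other.example.com"),
]

def apply_policy(page_host: str = PAGE, responses=RESPONSES) -> dict:
    """Map each cookie name to the verdict of the 'first-party only' policy."""
    return {sc.split(";")[0].partition("=")[0].strip(): decide(page_host, h, sc)
            for h, sc in responses}

if __name__ == "__main__":
    for name, verdict in apply_policy().items():
        print(f"{name:8} {verdict}")
```

The tracker's cookie is blocked even though it is syntactically valid, while the two cookies with a Domain that is a public suffix or that does not cover the setting host are rejected outright, which is what keeps a single cookie from following you across every site under .org.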

Privacy policy
Before you provide personal information through a website, for example an online shopping site, it is always advisable to check the site’s privacy policy to see what information it gathers about you. Companies sometimes share information with partner vendors who offer related products, or may offer options to subscribe to particular mailing lists. Some companies share email addresses by default, so checking the privacy policy is a must. Generally, the privacy policy of a website can be found at the bottom of a page.

The Microsoft Safety & Security Center states that privacy policies should clearly explain what data the website gathers about you, how it is used, shared and secured, and how you can edit or delete it. If there is no privacy statement, we should take our business elsewhere. They also recommend the following:

  • Do not post anything online that you would not want made public.
  • Minimize details that identify you or your whereabouts.
  • Keep your account numbers, user names, and passwords secret.
  • Only share your primary email address or Instant Message (IM) name with people who you know or with reputable organizations. Avoid listing your address or name on Internet directories and job-posting sites.
  • Enter only required information—often marked with an asterisk (*)—on registration and other forms. [7]

Privacy Settings
It is important to update our privacy settings on websites, especially on social media such as Facebook, Google and Pinterest, to protect our privacy. This can usually be done under a “Settings” menu option. Since most sites default to sharing information publicly, changing the settings will ensure personal information is seen by fewer people. Preferably, one should choose to share information only with people one knows.

Two step Verification:
2-Step Verification helps protect your account from unauthorized access due to a compromised password. Even if your password is cracked, guessed or otherwise stolen, an attacker cannot sign in without a verification code (similar to a PIN), which only you can obtain via your own mobile phone. The Royal Government of Bhutan (RGoB) has already migrated to Google Apps accounts and, as part of its security policy, it is mandatory for all RGoB Google users to set up 2-Step Verification. Government employees can email the RGoB Google Apps support team at support@gov.bt for any enquiries regarding the verification steps.

It is advisable to enable two-step verification/authentication wherever the feature is available, such as on Google, Facebook, Yahoo, Apple ID and Twitter. The Electronic Frontier Foundation site [8] has a great overview of how to enable two-factor authentication.
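To show why a stolen password alone is not enough, here is an added example (not code from the article or from Google) of the authenticator-app form of these codes, time-based one-time passwords as standardized in RFC 6238: the phone and the service share a secret, and each 30-second code is derived from that secret, so an attacker holding only the password cannot produce it. The user record, password and login function are constructed for the demo; the secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user. SHA-256 of the password is a stand-in (real services use
# a slow hash such as bcrypt); the TOTP secret is what the phone's app shares.
USERS = {
    "dorji": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, int(at // step))

def verify_code(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current step and its +-window neighbours to absorb clock
    drift; compare in constant time so timing does not leak matching digits."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

def login(user: str, password: str, code: str, at: float = None) -> str:
    """Both factors must pass: a stolen password alone ends in 'bad-code'."""
    at = time.time() if at is None else at
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"]):
        return "bad-password"
    if not verify_code(rec["totp_secret"], code, at):
        return "bad-code"
    return "ok"

if __name__ == "__main__":
    t = 59.0                                        # RFC 6238 test-vector instant
    print("code on phone:", totp(USERS["dorji"]["totp_secret"], t))       # 287082
    print(login("dorji", "correct horse battery staple", "287082", t))    # ok
    print(login("dorji", "correct horse battery staple", "000000", t))    # bad-code
```

SMS-delivered codes work the same way from the user's side but are generated and sent by the service, which is why the EFF guide linked above walks through enabling an app where a site offers one.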

Stay Updated:
It is recommended to always keep your operating system, antivirus, firewall and other software up to date. Design flaws or bugs may exist that expose confidential information and potentially reveal a user’s identity. Spyware can watch a user, so it is important that antivirus or anti-spyware software is updated with the newest definitions. US-CERT recommends the use of some type of firewall product, such as a network appliance or a personal firewall software package, because intruders are constantly scanning home user systems for known vulnerabilities. [9]

Social networking
A social networking site contains a lot of up-to-date personal information, such as user profiles and even current location. While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because of the accessibility and amount of personal information available. The more information malicious people have about you, the easier it is for them to take advantage of you. For example, using the information you provide about your location, hobbies, interests and friends, a predator could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

US-CERT recommends the following when using social networks:

  • Be wary of third-party applications – Third-party applications may provide entertainment or functionality; avoid applications that seem suspicious, and modify your settings to limit the amount of information the applications can access.
  • Limit the amount of personal information you post– Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing.
  • Be wary of strangers – The Internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or about agreeing to meet them in person. [10]

Other Recommendations:
The CERT Division of the Software Engineering Institute (SEI), Carnegie Mellon University, recommends the following:

  • Don’t open unknown email attachments: Before opening any email attachment, be sure you know its source. It is not enough that the mail originated from an address you know, such as a friend’s or family member’s. Their addresses can be compromised and used to send malicious attachments.
  • Don’t run programs of unknown origin: Never run a program unless you know it to be authored by a person or company that you trust. Also, don’t send programs of unknown origin to your friends or coworkers simply because they are amusing — they might contain a Trojan horse program.[11]
  • In addition, the Microsoft Safety & Security Center suggests we should protect ourselves from fraud by using sites that use encryption, a security measure that scrambles data as it crosses the Internet. Good indicators that a site is encrypted include a web address beginning with https (the “s” stands for secure) and a closed padlock beside it. (The lock might also be in the lower-right corner of the window.) [12]

Hopefully you have found something useful in this article. The BtCIRT will endeavor to update this article with any new information on online privacy. If you have any comments or queries, we will be happy to answer them. You can write to us at info@btcirt.bt.

Additionally, if you have knowledge of any computer incident, report it at cirt@btcirt.bt.


References:

[1] Global Cyber Security Capacity Centre, University of Oxford (2015). Building Cyber-security Capacity in the Kingdom of Bhutan.
[2] Slain, M. (2016). 7 ways to protect your privacy on the internet. Retrieved from https://thenextweb.com/insider/2015/08/18/7-ways-to-protect-your-privacy-on-the-internet/#gref
[3] McDowell, M., S. H., & Rafail, J. (2013). Choosing and Protecting Passwords. Retrieved from US-CERT website: https://www.us-cert.gov/ncas/tips/ST04-002
[4] Harris, P. (2012). The Power of Passwords. Retrieved from Symantec Official Blog website: https://www.symantec.com/connect/blogs/power-passwords
[5] Parker, J. (2014). Take control of password chaos with these six password managers. Retrieved from CNET website: https://www.cnet.com/news/best-password-managers/
[6] McDowell, M. (2013). Browsing Safely: Understanding Active Content and Cookies. Retrieved from US-CERT website: https://www.us-cert.gov/ncas/tips/ST04-012
[7] Protect your privacy on the Internet. Retrieved from Microsoft Safety & Security Center website: https://www.microsoft.com/en-us/safety/online-privacy/prevent.aspx
[8] Higgins, P. (2013). How to Enable Two-Factor Authentication on Twitter (And Everywhere Else). Retrieved from Electronic Frontier Foundation website: https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web
[9], [10] US-CERT Publications (2015). Staying Safe on Social Networking Sites. Retrieved from US-CERT website: https://www.us-cert.gov/ncas/tips/ST06-003
[11] Home Network Security. (2001). Retrieved from Software Engineering Institute (SEI), Carnegie Mellon University website: https://www.cert.org/information-for/home_networks.cfm#
[12] Protect your privacy on the Internet. Retrieved from Microsoft Safety & Security Center website: https://www.microsoft.com/en-us/safety/online-privacy/prevent.aspx