How to Defend Yourself Against Scammers, Corporations, and Government: Hacker’s Perspective
This piece has been written by Jesse McGraw, an activist, writer, former hacker and the first person in recent U.S. history convicted for corrupting industrial control systems.
Nothing online is really secure by default. Every website you visit and every link you click can be logged and reviewed by your Internet Service Provider (ISP). Even though individual internet users are rarely watched in real-time without justification, it is still unnerving. I can vouch for this because I used to work as a network security analyst for a small private ISP in Dallas, Texas. There was nothing our clients did on their computers and network devices that I could not observe, log, and analyze.
Many ISPs store users’ internet history, i.e., metadata, and sell it to data mining and marketing companies. Additionally, this same information can be obtained by law enforcement agencies with a warrant, as your ISP is obligated by law to cooperate with them.
But what about the agencies who are capable of obtaining user information without a warrant? It has been known and documented that police have been using IMSI (International Mobile Subscriber Identity) catchers at protests without a warrant. The device performs a Man-In-The-Middle attack: it simulates a cellular tower and tricks users’ mobiles into connecting to the catcher, so its operators can track users’ movements and intercept phone calls, text messages, and other user data to unmask their identities. When you compound all these factors, it feels like the internet is preying on users.
Scams have risen exponentially due to the onset of the COVID-19 epidemic. According to the Federal Trade Commission, “[…] from January 1 until today, the FTC has gotten 18,235 reports related to COVID-19, and people reported losing $13.44 million dollars to fraud.”
When it comes to avoiding scams, it’s usually enough to exercise healthy suspicion whenever you receive unsolicited links in your email, messenger, and other online accounts. Exercise caution when clicking. You can hover over a suspicious link to see its origin before you click as a means to verify its authenticity. Most scamming links will redirect you to a malicious website, preventing you from exiting the page, while it installs malware on your device. If you’ve won a prize, it’s usually too good to be true.
Similarly, avoid downloading software from untrusted third-party sites, and don’t forward chain messages, especially if the message claims to come from somebody you know and says that their Facebook account was hacked. Just leave it alone. Trust me. I used to be the attacker.
Steal. Sell. Prosecute.
Scammers aren’t the only adversaries who oppose our interest in controlling our own data. Digital ad metadata corporations and invasive government agencies are also an opposing force that threatens our ability to maintain secure web browsing, protection from data theft, and the opportunity to choose whether or not we want to be tracked, logged, or flagged.
The adage of “if you’ve got nothing to hide, you’ve got nothing to fear” is a common statement I hear from people who welcome government-sponsored surveillance programs. That’s because most internet users only have a passive understanding of the scope of these surveillance programs.
Here in the West, people may complain about being spied on, but do not really put into practice any counter-measures to frustrate or combat government spying.
Even though most of us may not be engaged in criminal activity, the opinions we have may be subject to censorship or criminalization. We are already living in this world.
For instance, in some areas of China’s Xinjiang region, immigration agency officers have been forcing travelers to install Android-based spyware, allowing the authorities to collect text messages, photos, calendar events, call logs, user accounts, and more. Border agents also have a machine that allows them to interface with iPhones to perform similar invasive functions.
In the United States, I learned about an extensive profiling identity records database used by law enforcement from the assistant U.S. attorney prosecuting my criminal hacking case.
I was handed several printouts from this database which included Uniform Commercial Code-1 (UCC-1) filings, possible properties owned, possible relatives, corporate affiliations, possible coworkers associated, possible names or aliases fraudulently used under your social security number, criminal record, driving record, driver’s license, accident reports, registered motor vehicles, concealed weapons permits, professional licenses, Federal Aviation Administration (FAA) certifications, aircrafts owned, watercrafts owned, hunting/fishing permits, bankruptcies, liens and judgments, and more.
It’s kind of a people mapping/profiling system that attempts to connect the dots. Not all the data in the database is accurate, but it’s efficient.
The good news is that we do not have to accept these conditions of censorship, surveillance, or scams, as if they are simply unavoidable machinations of our reality. As a former hacker, it is my firm belief that every system designed by man is prone to be broken, whether it is tangible or virtual, and the vices of big corporations and governments are far from perfect. They are neither omniscient nor omnipotent. They are only people.
Tactics Against Censorship and Surveillance
The weapons of anonymity are really quite simple and effective when you use them correctly. Here is a comprehensive list of tools I encourage you to use. As with anything you install on your phone, tablet, or personal computer, it is important that you do a little research on the app before committing to it.
Signal. It’s a cross-platform instant messenger that uses end-to-end encryption, which obstructs potential eavesdroppers such as telecom providers, law enforcement, most hackers, and the service itself from even having the ability to access your correspondence. They would need the cryptographic keys to decrypt messages, and they just don’t.
Unlike conventional messenger services, messages aren’t stored on internet servers. Therefore, there is no user data to share with law enforcement, even if they were forced to try. This is a safe alternative to WhatsApp, the end-to-end encrypted messenger which is owned by Facebook.
WhatsApp is vulnerable to hacking exploits and creates backups of user messages in an unencrypted format, as well as other features that defeat the purpose of the end-to-end encryption. Signal also has a screen lock feature, as well as an option to enable users to set a timeframe from five seconds to one week that cues Signal to automatically delete messages after they are read.
Tor/Tor Browser. Tor stands for The Onion Router and is cross-platform, so you can install it anywhere. You’ll need Tor if you want to descend below the surface of the common internet and access the dark web. According to the website, Tor traffic is relayed and encrypted three times as it passes over the Tor network.
Web services will be able to determine if you are using Tor, and some will even block inbound connections from Tor. Nevertheless, your information will be encrypted and secure. Whenever I am testing network penetration tools from my mobile, I pipe all my internet traffic that is generated from the apps I use through Tor. This is perfect for free speech, defeating censorship, and helping to protect your online data from metadata thieves and criminal hackers.
However, it is not absolutely secure. According to leaked classified National Security Agency (NSA) documents, the NSA has the capability to attack a user’s Tor connection, and to exploit certain versions of Firefox to de-anonymize encrypted Tor traffic, though this doesn’t grant them continuous access to spy on Tor users.
Additionally, merely using online privacy and IP anonymizing tools without a way to accurately test them to ensure they are working properly isn’t sufficient to know you are protected. Tor has a critical bug known as TorMoil that can cause your operating system to connect to the remote host, bypassing Tor entirely. IP leaks can also occur when using a Virtual Private Network (VPN). To ensure that your phone, tablet, or PC isn’t leaking your IP address while utilizing an IP anonymizer, be sure to run an IP Leak Test. Many websites offer this testing service free of charge.
NordVPN. This is a subscription-based Virtual Private Network (VPN) service that was referred to me by a fellow hacker who works in the information security industry. Using a VPN does not create anonymity. It merely moves trust from wherever you access the internet to the servers of the VPN service you are using.
This is practical if you access the internet from a particular location or ISP (home, work, school, etc.) but want to move your web traffic away. Remember, it will merely end up on the servers of your VPN service provider.
Firefox. It is a cross-platform web browser capable of protecting users from ads and tracking scripts, blocking cookies that enable ads, managing passwords, browsing privately, and notifying users of new security threats. It’s customizable and user-friendly.
Adblock will stop ads and trackers from infiltrating your web browser. I do not recommend installing many plug-ins, as this makes your browser less secure. If you create a Firefox account, you can then access your bookmarks, search history, etc. from any browser. You can also create a portable version of Firefox and install it on a USB flash drive or SD card.
Protonmail. This is a free email service that uses end-to-end encryption. It was founded in 2013 in Geneva, Switzerland by scientists who met at the European Organization for Nuclear Research (CERN) research facility. Proton Technologies cannot decrypt user messages. However, under Swiss law, they are required to cooperate with law enforcement on criminal investigations. Still, it is safer than using Gmail, or any other mainstream email service provider.
Sandboxie. I’ve been using this for years. This is an open-source sandboxing program designed for use with Microsoft Windows. It creates a virtual quarantine environment that can be run from the executable or installed without creating any changes to the local operating system. This allows users to browse insecure, risky, or untrusted websites without the risk of getting infected by malware, and to test or open suspicious programs without infecting your computer.
Tails. Now we’re getting into the darker side of things. Tails stands for The Amnesic Incognito Live System. This is a security-based Debian Linux distribution designed to protect your online privacy and anonymity. All web traffic is forced to run through Tor at startup. You can run it from a DVD or USB thumb drive from just about any computer system while leaving no digital fingerprints behind. It is government censorship’s worst nightmare. It comes equipped with all the necessary components needed to maintain online anonymity. Every activist should have a copy of Tails.
Duckduckgo. Duckduckgo is a private search engine alternative to Google. Since Google is designed to gather intelligence on its users, we want to steer away from these kinds of invasive relationships. Duckduckgo doesn’t track or profile its users, which means it is not going to generate custom search results based on a user’s search history. Duckduckgo does support ads, but this feature can be disabled by the user.
Startpage. This is a private proxy server-based search engine alternative from the Netherlands. Startpage anonymously requests search results from Google and then shares them with you privately. As long as you use Startpage, your web surfing will be protected. A supplementary secure browsing insulation called Anonymous View is also available. It’s free to use. Basically, it is a reliable proxy feature that gives users an extra layer of protection to bypass tracking.
There are many tools to protect yourself from scammers, corporations, and government snoops alike. Therefore, it is up to you to put them to use and to defend your personal data.
If you don’t fight to defend what is yours, it will be taken away, sold, logged, and flagged. Maintaining online anonymity must be thought of as a nurturing relationship between a user and his or her data. Anonymity must be nurtured with care in order for it to work because it is becoming harder and harder to maintain. Use the tools. Make sure they are functioning correctly. In the same way that a person receives training to operate an automobile, you also have to train yourself to practice anonymity.
This is the world we live in. Data is sold to the highest bidder, and it is done so without your consent. But you can take back what’s rightfully yours.
Written by Jesse McGraw
Edited by Ana Alexandre and Jenny Aysgarth
Added several clarifications to the opening section of the article at the author’s request