JBM’s Basic Guide To Online Subterfuge: Phase 4

Hey, welcome back! If you haven’t already, you should probably go back and read Phases 0, 1, 2 and 3 first. This probably won’t make a lick’a sense if you don’t. So mosey on over to those and get you some book learnin’.

Phase 4.0: Cleaning It Up

Ok, so now we’ve got ourselves a reasonably secure environment to do everyday battle on the Internet. Now we need to go back and clean up the mess you’ve already created. I’m not going to lie to you right now, this is going to suck. Cleaning up your messes always sucks though, but it’s the only way to not drown in your own filth… so put on your hazmat suit!

Phase 4.0.1: Logging It Out

Alright, since you’ve probably been tromping all over the Internet putting your sensitive data everywhere, we need to go back and shore that up. We need a clean slate to start with. First and foremost, we’re going to go ahead and make sure all the online accounts we have don’t have old session keys sitting out there. Session keys bypass logins, passwords and even two factor authentication schemes.

Malware designed specifically to steal session keys to gain access to online accounts has been on the rise. To start clean, we need to log out all devices on all of our accounts, then log them back in one by one. This is by no means an exhaustive list, but it’s a good place to start. Think of all the apps you use on your phone, or in a browser that automatically log you in as soon as you visit the website or open the app. Figure out how to do it for all of them.

  1. Google, including Gmail/Drive/Phone Accounts. You can see devices logged in here.
  2. Microsoft accounts, including Hotmail, Xbox and OneDrive.
  3. Cloud accounts that store your login info via an app, like Dropbox, OneDrive or any other.
  4. Facebook/Instagram/Messenger. Help documentation here.
  5. Apple ID/iCloud. If you’ve ever swapped your phone or laptop out, there’s a good chance your old device is still authorized on your iCloud account. Now the key is likely lost if you reset the device, however it’s best to just remove it. Help documentation here.
  6. Discord/Signal/Matrix or any messengers / social media apps.

As a best practice you should log out of accounts when you’re done using them. Don’t just close the tab, find out how to log out on the site you are using. This closes the session and makes the session key stored on your computer useless. Always log out when you’re finished using an account! As another best practice, don’t check the box to “keep you logged in for 30 days”, don’t “remember me” and if asked always choose “this is a public computer” so the site won’t create or store any session keys or cookies.
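Why a session key gets past the password and 2FA, and why logging out everywhere kills it, shown as an added example (not code from the original guide). The `SessionStore` class, the `otp_ok` flag standing in for a real second-factor check, and the user and device names are all made up for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session table (constructed for this example)."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # sha256(token) -> (username, device label)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked session table does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._pw_hash(password, salt))

    def login(self, username, password, otp_ok, device):
        """The password and second factor are checked here and nowhere else."""
        salt, stored = self._users[username]
        if not (otp_ok and hmac.compare_digest(stored, self._pw_hash(password, salt))):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (username, device)
        return token

    def whoami(self, token):
        """Every later request presents only the token."""
        entry = self._sessions.get(self._key(token))
        return entry[0] if entry else None

    def devices(self, username):
        return sorted(d for u, d in self._sessions.values() if u == username)

    def logout_all(self, username):
        """'Log out all devices': drop every session row for this user."""
        self._sessions = {k: v for k, v in self._sessions.items() if v[0] != username}


def demo():
    store = SessionStore()
    creds = ("alice", "correct horse battery staple")
    store.register(*creds)
    store.login(*creds, otp_ok=True, device="laptop")
    old_phone = store.login(*creds, otp_ok=True, device="old phone")
    before = store.whoami(old_phone)   # the token alone is accepted
    store.logout_all("alice")
    after = store.whoami(old_phone)    # the same token is now useless
    store.login(*creds, otp_ok=True, device="laptop")  # log back in on one device
    return before, after, store.devices("alice")
```

`demo()` returns who the old phone's token was accepted as before the purge, who it is accepted as afterwards, and the device list once a single device has logged back in.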

Security Warning: Logging into phone apps every time you want to use them sucks ass, I know. So you’re going to have to choose convenience or security here. Phones are a great target just due to the amount of personal account data that is stored on them. When is the last time you had to enter your username and password for the Facebook or Insta apps on your phone? Been a minute huh? An attacker could heist those session keys from your phone to access all those accounts. Always use caution when accessing the Internet using your phone.

Phase 4.1: Securing It Up

Ok, now that you’ve logged everything out, and logged back in on a single device, it’s time to secure your accounts. The easiest way to secure any account is with Two-Factor Authentication or Multi-Factor Authentication, 2FA/MFA for short. While these two things have subtle differences, for the most part they’re interchangeable and represent the same idea. When you enable 2FA on an account, you will be required to provide a second code, in addition to your password in order to log in.

This code is called a One Time Password (OTP) and it changes every 30 seconds to prevent someone from reusing it. Think of it like a rolling code on a remote garage door opener. The code changes after every use so someone recording the signal can’t copy it to open your garage door. In this case it’s not after every use, but every 30 seconds, forever! This is the best thing you can do to secure your online accounts against password theft.

Tip: If you don’t use an account any longer, find out how to close it. Don’t keep accounts open if you are no longer using them.

Phase 4.1.1: You Have Your Phone

Good account security practice at the most basic level should be a combination of “Something you know” like a password, and “Something you have” like an OTP generator. There are a few ways to take advantage of 2FA, but I will cover the easiest and cheapest way. The easiest way to get an OTP generator is by using an app on your smartphone. There are a lot of choices for apps out there but I will list a few of the more popular ones here for convenience.

  1. FreeOTP – Opensource, Android, iOS
  2. andOTP – Opensource, Android
  3. Google Authenticator – iOS, Android
  4. Microsoft Authenticator – iOS, Android
  5. Authy – iOS, Android

Exploit Warning: Some password managers including Bitwarden, 1Password and KeePassXC have the ability to generate OTP passwords and fill them automatically. I DO NOT recommend using the same password manager to store your passwords and generate OTP codes. If an attacker manages to breach your password vault, having your 2FA codes on another device may prevent them from accessing your accounts. Use your phone or a second device. Layers.

Now … a lot of sites will use your phone number to call or text two factor authentication codes. Banks are notorious for this. I will say this once: USING SMS FOR TWO FACTOR AUTHENTICATION WILL GET YOU HACKED. DO NOT USE IT IF YOU HAVE ANY OTHER OPTION. At a minimum, use an OTP generator app on a second device, like your phone.

Ensure that device is also pass-coded and up to date. If SMS/Voice Call is the only option for 2FA on your account, it’s better than nothing and you should use it. If you followed my guide for setting up secure email, I believe an email 2FA may even be more secure than SMS if that is an option.

Phase 4.2: Obfuscating It Up

Ok, nice… your security be lookin’ good homie! So you got all those accounts locked down, you have a good 2FA app on your phone and you have that enabled on all your online accounts that provide it, even your ProtonMail accounts. All those usernames and passwords are stored safe and secure in your password manager, right?

Of course, so next we need to start obfuscating the data you give to websites. Now some accounts like your bank, or your credit card accounts, mortgage, etc… that are regulated under the freedom robbing laws known as the “Know Your Customer” laws or KYC laws … well you can’t change those, can you?

No, of course not John! That would make you a criminal! Only criminals and terrorists need to hide! It keeps you safe from bad guys you idiot!

Oh man… I don’t want that, bad guys are scary! Unfortunately, all of those systems get hacked all the time just like any internet connected system, and now all your personal data is out there in the world just waiting for someone to find it and use it against you… and you can’t legally change it, and you legally had to provide truthful information to open that account under the penalty of imprisonment… because you’re a criminal if you don’t trust anyone but yourself to properly secure that unchangeable information. You must be up to no good if you want some privacy and security in a world where everyone, including the Government and the Bank are trying to rob you every day. Animals!

Phase 4.2.1: The First Link

Sigh… but I digress. So we’re going to do the best we can to not make it easy to link those leaked account details with all the other leaked account details. So if you remember, in Phase 4 you purchased a Proton Unlimited account. Well… you’re about to be really happy again because it’s the gift that keeps on giving! It’s not well advertised, but your Proton account also includes a free subscription to SimpleLogin.

SimpleLogin generates random unique email addresses for each one of your online accounts and forwards those to your real email address. There is even a browser extension to make it quick and easy! So once you’ve logged into SimpleLogin using the “Login with Proton” button on their page, and installed the browser extension from their website, and logged in there again, you’re ready to go.

So now we’re going to go back to all those online accounts again and we’re going to change our email address to a totally random, unique generated one using the SimpleLogin browser plugin. I’m not going to lie to you here … this is going to take you a long time to do all your accounts since most send a verification email to the new email address, but it’s worth the time. If you’re allowed to change your username, I suggest doing that as well. Especially if you use the same username across many different sites. If it’s not a KYC account, change your Name, Address and Phone number to an alias like we set up in Phase 0 of this guide.

SimpleLogin is also great for when you want to sign up for something to try it out, but don’t want to give them your real email address. With SimpleLogin you can just switch off any email address alias you’ve created with a click. Great for creating fast throwaway email addresses where you know you’ll probably get spammed.

Hack detection: It’s also great for knowing when a company’s database has been hacked or stolen. If you suddenly start getting spam or phishing email attempts at the random unique email address you gave to Wells Fargo, then you know they’ve probably been compromised. This may even alert you before the business themselves are aware they’ve been exploited. With this information, you can take the appropriate action, like freezing your credit, before it’s too late.
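The per-site alias check described above, as an added example (not from the original guide and not SimpleLogin’s own code). The alias addresses, the `.example` domains and the three sample messages are constructed, and the script assumes you have the raw messages with the original `From` header intact.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping: each alias was handed to exactly one company.
ALIASES = {
    "bank.k3x9@alias.example": {"bank.example"},
    "shop.p7q2@alias.example": {"shop.example"},
}

# Constructed sample inbox (raw RFC 5322 messages).
INBOX = [
    "From: Your Bank <statements@mail.bank.example>\n"
    "To: bank.k3x9@alias.example\nSubject: Statement ready\n\nbody",
    "From: Prize Team <winner@unknown-sender.example>\n"
    "To: bank.k3x9@alias.example\nSubject: You won\n\nbody",
    "From: Shop <orders@shop.example>\n"
    "To: shop.p7q2@alias.example\nSubject: Order shipped\n\nbody",
]


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if missing)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def is_expected(domain, expected):
    """True for an expected domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in expected)


def leaked_aliases(raw_messages, aliases):
    """Return {alias: {unexpected sender domains}} for aliases that got
    mail from someone other than the company the alias was given to."""
    hits = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = parseaddr(msg.get("To", ""))[1].lower()
        if alias not in aliases:
            continue
        domain = sender_domain(msg)
        # From is chosen by the sender, so mail that spoofs the company's own
        # domain is not flagged here; this only catches unrelated senders.
        if not is_expected(domain, aliases[alias]):
            hits.setdefault(alias, set()).add(domain)
    return hits


if __name__ == "__main__":
    for alias, domains in leaked_aliases(INBOX, ALIASES).items():
        print(alias, "is receiving mail from", sorted(domains))
```

An alias that shows up in the result was known only to one company, so that company (or someone it shared the address with) is where the address got out.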

Phase 4.3: Smarting You Up

At the end of the day, you are the weakest link in this whole thing. It doesn’t matter how secure we make it if you don’t pay attention to what’s going on and you slip up and invite some malware through because you clicked a link or something. So these are basic best practices, but these alone will not protect you from a motivated hacker, so stay alert.

Phase 4.3.1: Secure Your Essentials

Don’t give your driver’s license, social security number, bank account numbers to ANYONE online or over the phone, unless absolutely necessary, like credit applications or government websites. Do your absolute BEST to keep this information out of as many databases as you can. As we covered earlier, that’s not always possible with KYC laws, but when possible always refuse to provide that information to anyone. Yes, even the Police, even people from the government. If they’re a government official and they don’t already have that information, then they don’t need it.

Phase 4.3.2: Easy on the clicker finger homie!

Don’t click any links in emails, ever. I know people have probably told you this a million times. Well, listen damnit! If you get an email saying a bill is past due, or there’s a problem with your account with a nice button to click to take care of it … DON’T CLICK IT. Go to your web browser, open the container tab for your banking, log into the website with your password manager and your 2FA code from your phone, and see for yourself. If you’re not near a computer, call the number on the back of the card, never the one provided in the email.

Don’t click links in DMs, ever. Well, at least from people you don’t know or trust. It is possible to be compromised just by visiting a website loaded with a 0-day exploit. You might get lucky and get saved by NoScript if you had that installed, but I don’t bet on it. NoScript is a safety net, not a firewall. Beware of links! Harbingers of doom they are!

Phase 4.3.3: Learn To Lie

Look, lying is not good unless you’re doing it to protect YOURSELF from an attacker. Then it feels ok for some weird reason. At any rate, when signing up for free things, online accounts, etc … they will always ask you for a bunch of personal information like name, address, phone number, etc… You don’t have to give them anything. Just make up a name like Bob Loblaw at 420 Walbol St. in Penisdusky, Wisconsin. Just because someone asks for information doesn’t mean you have to provide it, and it also doesn’t mean you have to be truthful about the information provided.

If a website gets a little too invasive with the questions, provide lies. It’s really none of their business who you are, even if you are a paying customer. You pay them for a service, that’s all that should matter to them…unless the service is a ruse and they’re just data mining you for another reason. If they require verification of the information you provided, like sending a text message to your phone, provide your burner phone information along with your fake information. Most however only do email verification, so use SimpleLogin to create a random one.

Phase 4.3.4: Social Media, a Con Man’s Dream

Check your privacy settings on your Facebook/Insta/Socials. If you’re not a public figure like Paris Hilton 👊🏻 then lock your accounts down. Go through the privacy settings on all of them, and limit past posts, photos, birthdays, cities, workplace, schools and all those little details to friends only. Better yet, don’t give Facebook that information anyway.

They will hound you to provide your city or phone number, but you don’t have to. If an attacker needs your birthdate and high school mascot to gain access to an account, all they have to do is visit your Facebook page for all the deets! Hide it! Also, review and purge your friends list periodically… and you know… don’t friend every asshole that requests you.

Hey … look … I know we’re all out here looking for affirmation that we’re good enough, smart enough, pretty enough, nerdy enough … whatever enough. Social media is all about showing off, letting everyone know how badass you are and laughing at the hoople heads that air all their dirty laundry online. Believe me, I know. But you don’t have to post everything, and people don’t have to know every little personal thing about you. Be careful what you share.

Things like locations, check ins, etc… are fun but they can work against you as well. If you are being targeted, that will let the attacker know when you aren’t home and when it’s a good time to go rummage through your things or steal your computer. Especially if you announce your plans way ahead of time, so they have time to plan. Now I’m not tryna say don’t share your life, go ahead and show off … just do it after the fact. In past tense, not present tense if you know what I’m sayin’.

👀 Pppsstt …your attacker could even be someone you call a friend.

Phase 4.3.5: Be Different

Always use different usernames across different websites. If your email address isn’t your username on a website, and they allow you to choose a username, don’t use the same one on a bunch of different sites. Each site you sign up for should have a totally different username, email address and password. It would be very easy to link all your accounts across all the leaked databases if you always use “StarfireUnicorn” as your username and vittyfanclub21@gmail.con as your email address. It would also make it easier to attack other accounts they don’t already have access to since they already have your username, email, birthday, favorite band, favorite color and high school mascot thanks to your very public Facebook account.

Tip: Some password managers have the ability to generate random usernames, if yours has this, use this feature. If it doesn’t, bookmark this random username generator website and use it. Remember, save all these details in your password manager so you only have to remember one password.

Phase 4.3.6: Pay For Your Stuff

Look … I’m no stranger to torrenting a game because you’re too poor to afford it. I understand the pain of wanting to try a game before you commit to starving for a week so you can save your lunch money to buy it. I know the agony of doing that and having the game suck too. You know what’s worse? Having all your crypto stolen, your bank accounts drained and your credit ruined because you just had to play the newest Leisure Suit Larry title but didn’t wanna pay the $5.

Pay for your software. Buy it from trusted sources. If possible, buy it directly from the developer’s website. Better yet, if you can, use opensource software. Most of the time it’s completely free and will do 85% of the things paid software will do. If you’re the person that needs the other 15% then I’m not talking to you. For us amateurs there is more than likely a free opensource piece of software that will let you do what you want. Be very careful what software you install!

Phase 4.4: You Can’t Trust Anybody Man!

Hey look at me rn… I know on the Internet and in crypto dreams do come true sometimes. There is a certain feeling of magic around it all. Well that’s a bunch of bullshit! This is a battlefield soldier! If something seems too good to be true, be suspicious! Even when everything appears normal, you need to be paying attention to the small details. Things like fonts and font sizing that are different on websites you visit regularly, subtle spelling errors or typos, missing links on text that is normally linked.

If something looks out of place, irregular, or just feels wrong … back out immediately. Attackers and blackhat hackers make mistakes all the time. They’re usually really sloppy and lazy. They also typically lack attention to detail, have really shitty work ethics, smell bad and nobody likes them … not even their own mother. As a result, they’re hoping you won’t notice the difference. You need to notice. Pay attention to the details.

Slow down and pay attention to what you’re clicking, what exactly the software is asking from you. Computers usually only ask for input when they’re unsure, they ran into a problem, or they need your authorization to proceed. Figure out what the computer is asking you before commanding it. If it needs authorization, stop! Analyze why it needs that permission and decide whether to allow it to proceed. Be alert and suspicious. If you see somethin’ say somethin’ and ask a friend. Cool? Aight, cool.

Phase 4.5: Go Forth And Prosper

Well … you made it. I’m impressed. If I’m being honest, I barely made it this far. So kudos to you friend. I hope you take this information and build a personal security protocol of your own. I hope this prevents you from being the “low hanging fruit” for an attacker and helps keep you safe online so you can safely prosper in this world without too much inconvenience. I also hope it helped you understand why regular people sometimes need to hide their identity even if they aren’t up to no good. Thanks for reading homie!
