Legion hacker group: Protect your privacy with the same tools that hackers use to protect theirs

In a world where knowledge is power, it’s best to avoid giving out information willy-nilly. If you’re part of a hacker group like Legion or Anonymous, there’s an even greater need for protecting your data . But it’s not just hackers who need such security. You could be an average citizen worried about a stalker, a journalist looking for a secure means of communication, a businessman worried about industrial espionage, you could even harbour a persecution complex of some note, either way, you need to know that your data is secure.

Legion has made tall claims of hacking into government and hospital databases, siphoning of terabytes of private data from servers, including private email, login details, banking information and much more.

None of this would have happened if we’d taken some very simple, rudimentary steps to protecting our digital lives. Your first step to securing your digital life starts with an understanding of how you can be compromised.

Understanding the problem

When you send an email or browse the web or log into Facebook or upload a photo or perform any other action in the digital world, your data is being transmitted over the internet. The internet is essentially a bunch of interconnected computers and routers (which route your data).

The problem is that with the right tools, anyone can intercept that data and figure out what’s being sent.

Think of the telephone exchanges of yore. To place a call you ask an operator to connect you to someone, the operator would then mess around with cables and hook you up. However, that operator could, at any time, listen in on your conversations and you’d be none the wiser.

You can prevent this by either talking in code that the operator won’t understand or by using a system that bypasses the operator entirely.

This, in a nutshell, is what information security is about.

The goals are as follows:

• Keeping the snoops out: Nobody should be able to listen in on your conversations (data), and even if they do, that conversation (data) should be meaningless to them.
• Ensuring data integrity: There needs to be a way to verify that the information that’s sent is the same as the information that’s received.

Given the complexity of the internet, it’s almost impossible to keep your data from being intercepted. You can, however, obfuscate the information so much that those who intercept it will be able to make no sense of it. This is done via encryption.

Encryption essentially takes the data you want to secure and distorts it in such a way that it seems meaningless. It’s only with the right decryption tools that someone can read encrypted data.

Pretty Good Privacy a.k.a. PGP Encryption

Currently, this is the most popular method of encrypting your data. This system uses so called public and private keys to secure your data. Its working is best explained by an analogy.

Think of PGP as a special lock that anyone can make. The lock is special because it requires two keys to use. You need one key to lock it and both keys to unlock it. Once locked, the lock can’t be opened with just one key alone.

These keys are your public and private keys.

As is evident from the name, the key used to lock the box is your public key and you can give it to anyone you desire. The private key you keep to yourself and never give to anyone, except those you trust absolutely.

Suppose someone wants to send you something, they pick a strong box, put the data in it and then lock it with the special lock and the public key. Assuming that the box is impregnable (in the digital world, it usually is), nobody will now be able to open that box without both keys.

The post office can handle that box, or anyone else for that matter, and no matter what happens, the data will be safely locked.

When you receive the box, you can examine it to see if it’s been tampered with. Once you’re satisfied, you can use your public and private keys in combination to unlock the box and examine the data.

In the digital world, the box is a file, the key is a complex alphanumeric value (hundreds, even thousands of characters long) and the lock is an algorithm that distorts (encrypts) the data in some complex manner.

With enough time and computational power, any encrypted data can be decrypted, in theory. In practice, the computational power and time required makes this task impossible.

Since the public key is, well, public, the cornerstone of your data security is your private key, and this must be kept safe at all costs.

What’s a PGP fingerprint?

Most of the time, your public key is going to be a few hundred characters long and so complex that you can’t share it easily. In such a situation, people tend to share what’s known as a PGP fingerprint.

Standard practice is to upload your public key to a website or other relatively secure location and let people download it from there. The problem is that it’s possible for someone to hack that website or location and tamper with the key.

This is where the PGP fingerprint comes in. It’s a unique identifier, like a fingerprint to a human being, for your public key. Anyone can use the PGP fingerprint to verify that the public key you’ve downloaded is the correct one.

All secure forms of communication, be it voice, radio data or anything else rely on a variation of PGP.

When the likes of WhatsApp and Telegram claim to be “end-to-end encrypted” and secure, they’re essentially saying that they’re using some form of PGP and that your private keys remain on your device.

The tools of the trade

Obviously, the first thing you need is a PGP key. To be absolutely safe, we’d recommend that you generate a PGP key using a program on a safe PC rather than via some online tool.

You can use an open-source PGP tool like Portable PGP to do the same. You can use this tool to securely create a unique public and private key for yourself, as well as to encrypt and decrypt messages using your keys. Portable PGP can also verify public keys for you, as well as generate PGP fingerprints.

An online tool can be found at sites like iGolder , but we wouldn’t recommend it because there’s no guarantee that your keys are safe.

Once generated, Portable PGP will store your keys in its installation folder, which you can further protect by, say, dumping the files into a password-protected zip file using a tool like 7-zip .

The message you generate via Portable PGP or any other such tool, along with your public key, can safely be transmitted over the open internet.

Next, we’d recommend that you use Tor browser for your secure browsing needs. It uses an encrypted, obfuscated communication protocol called onion routing and you can read all about it here . Suffice to say, the browser and the data transferred on it is as secure as it’s possible for a browser to get at this time.

For messaging, we’ll refer to Snowden and recommend his favourite messaging app, Signal . This app uses a protocol called Signal Protocol to ensure that all your communication is safe. The Signal Protocol can be considered to be a variation of PGP.

The system is so secure, in fact, that Facebook now uses the same protocol in Facebook Messenger, but only for its “Secret Conversations” feature.

If you really want to go all in on security, the final tool that you’ll need is Tails. It’s an operating system (think Windows, Mac and Linux) that is designed with nothing but security in mind. You can install it on your system or run it off a pen drive. Better yet, for the truly paranoid, you can run it off a DVD, thus ensuring that no data is written to the operating system (OS) and thus, it’s not tampered with.

There’s a lot more to securing your data than just the tools above. You might also want to read up on how to secure your online accounts here .

Remember that there is no method of communication out there that is absolutely secure. The tools and practices we’ve listed here will, however, keep your data as secure as it’s possible to get in the current scenario.