On Personal Cybersecurity

I think the recent US government Signal chat leak creates a good opportunity to talk about personal cybersecurity and offer a few high-level tips.

Signal is a private messaging application. It prevents specific types of adversaries from accessing the contents of your calls and messages, and their metadata. But if you, the human, choose to use it for adversaries it was never designed to defend against, that’s a problem the technology can’t fix. The biggest vulnerability in cybersecurity is not the tools, the protocols, nor the cryptography. It’s the human.

Often, it’s the human not understanding the limitations of the tools they’re using. If you think that using Signal is all you need to do to secure your messages, you are so wrong. Consider that Signal is not designed to protect you against any of the following threats:

• A weak phone password
• Phishing attacks
• Shoulder surfing
• Inserting a malicious USB device masquerading as a charging cable into your phone
• Your virtual keyboard app collecting your keystrokes
• Vendor spyware installed on your phone’s stock operating system
• Hardware backdoors installed by governments or corporations acting on their behalf
• Someone stealing your phone while it’s unlocked and impersonating you
• Someone installing a rootkit on your phone while you’re away, sleeping, or distracted
• Someone screenshotting your disappearing messages
• Someone replacing your phone with a lookalike that sends them your password
• Being drugged and hit with a five dollar wrench until you give up your messages
• Being overheard while on a phone call
• Adding the wrong person with the same name to a private group chat

What happened with the Signal leak was government officials used Signal for a purpose it wasn’t designed for — sharing military attack plans. There’s a proper tool for doing that. It’s called a SCIF. It would’ve prevented the mistake that caused the leak. The fact that they used a mobile chat app instead of a SCIF is a monumental OPSEC failure, and somebody should be held accountable for it.

Unfortunately, instead of owning up to their error, they made excuses and blamed Signal for being “insecure”. This leads me to another point which is important to understand for personal cybersecurity:

Calling an application “secure” or “insecure” is an oversimplification. No one has ever managed to build a foolproof communications system. We only have systems that are secure against certain types of attacks carried out by certain adversaries. As you can see with Signal, I just listed a dozen ways its security could be bypassed right off the top of my head.

Another thing to keep in mind for your personal cybersecurity is that it’s easy to get tunnel vision, focusing only on the technicals while overlooking more basic threats that are far more likely. Your messages aren’t going to get compromised by a vulnerability in the Double Ratchet algorithm or Post-Quantum Extended Diffie-Hellman that Signal uses. But have you ever sent a message to the wrong person because you were distracted or intoxicated? Exactly. You are the biggest vulnerability to your personal cybersecurity, not the technology.

Also, you need a cohesive strategy. Merely using Signal, or merely having a password manager, is not enough for good cybersecurity. Good tools are necessary for good cybersecurity, but cybersecurity is more than a set of tools. It’s a mindset. It requires you to think like the adversaries you’re likely to face, anticipate their attacks, create strategies to impede them, and update those strategies when circumstances change.

Although “cyber” is in the name, sometimes the most effective measures you can take to improve your cybersecurity are non-technical. They have more to do with social awareness. Do you have any enemies? A jealous ex? A roommate who can’t stand you? A dirty cop whose ego you bruised? What information do they have on you? What information can they find out? What are their available resources? How might they carry out an attack? How dedicated are they? To create a sensible personal cybersecurity plan, you must know thine enemy.

Just one more thing I want to mention before signing off. Personal cybersecurity is an endless rabbit hole one can go down. You’re free to go down that rabbit hole to your heart’s content. Just be sure to prioritize the threats to your security posture. Address the most likely attack vectors first, and the least likely ones last. And finally, don’t rely on any single technology to protect you one hundred percent.