NOTE: Updated links on 4/10/22
Encrypt
Encryption is "the process of encoding a message or information in such a way that only authorized parties can access it." The very first thing to do with a new computer, phone, or external hard drive is turn on full-disk encryption, so that reading the data requires a key. This can take a while depending on the size of the drive, and longer still if you have already installed apps and saved data. We'll get to end-to-end encryption for messages later on, but for now your disk contents should be protected from anyone who could theoretically remove your hard drive, plug it into another computer, and read or copy the data. Two caveats: full-disk encryption only protects data at rest, so a machine that is powered on and unlocked (or asleep with the key still in memory) gets no protection from it, and the recovery key has to be stored somewhere other than the encrypted drive itself, or a forgotten password means the data is gone for good. Even so, drill holes in your hard drives when you dispose of them, just in case.
Windows BitLocker
macOS FileVault
Android
iOS
Download
I feel like I shouldn't have to say this, but don't download from sources you don't trust. Email links and attachments are the big offenders here, as are websites advertising the latest and greatest proprietary software for free, and apps with long lists of permissions (why does a flashlight app need access to the Internet and my contacts?). To keep your browser from saving files without your knowledge, go to Settings > Downloads and enable "Ask where to save each file before downloading" (that's the wording in Chrome, anyway). And if you do accidentally download malware, just be sure you're not logged into...
Admin
...an administrator account. That would give the malware free rein to implant itself on your computer. That's why it's important to create a separate "standard user" account for your day-to-day activities, and enter an admin password only when necessary to install trusted software or change system settings. It's damage control if the worst happens: a standard account limits what malware can change system-wide, but it can still read, encrypt, or upload everything your own account can access, so this is a backstop, not a substitute for the rest of this list. The best time to set this up is when you reformat (I start fresh with all devices once a year) or get a new desktop or laptop (it's much harder to pull off on mobile), preferably right after you encrypt your drive. ~_^ Then log in as the standard user and use the machine as normal.
Windows
macOS
Update Frequently
Updates that "brick" your device aside, the best thing you can do to make sure your device has the latest bug fixes and security patches is to turn on automatic updates. This goes for your OS, your browser, and your trusted apps.
Windows
macOS
Android apps
iOS apps
Browser
The only 100% safe computer is the one that's off and buried under 10 feet of dirt... and even then, well, it's questionable. As soon as you turn on mobile data or WiFi, or plug into the Ethernet port, your exposure to attack goes up sharply. Your web browser is a window to the outside world, but it's also a window back to you and your device. The Tor Browser (The Onion Router, whose onion-routing design originated at the U.S. Naval Research Laboratory) "is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored." While it isn't perfect, it offers an all-in-one package for anonymity, and you can search all day with DuckDuckGo (sorry, Google) without worrying about tracking. Keep in mind what it does and doesn't hide: sites you visit can't see your real IP address and your ISP can't see which sites you visit, but the exit relay can read any traffic that isn't HTTPS, and logging into an account tied to your real name identifies you regardless.
Windows and macOS
Android (Tor Browser for Android has since replaced the earlier Orfox + Orbot combination)
iOS (Unofficial)
Although Tor is the go-to for anonymity and the dark web, there are three kinds of extension I recommend for browsing more securely in the browsers we already know and love (think Chrome and Firefox). Their protection can be combined with a VPN (see below).
- Ad blocker - you may already be using one, but besides blocking annoying ads, some security experts recommend them as a way of avoiding ads that carry malware (malvertising), which has turned up even on major websites.
AdBlock Plus (Chrome, Firefox)
- HTTPS - it's becoming common knowledge that a website address starting with HTTP is not as safe as one with HTTPS and a padlock when you're entering personal information online. The S means the site is using a secure communications protocol (HTTP with an encryption layer, SSL/TLS) that "ensures reasonable protection from eavesdroppers and man-in-the-middle attacks." The HTTPS Everywhere extension (for Chrome, Firefox, and Opera), developed by the EFF together with The Tor Project, rewrites requests for unencrypted HTTP sites to HTTPS. Two things to know: the padlock only tells you the connection is encrypted, not that the site itself is trustworthy, and Firefox (HTTPS-Only Mode) and Chrome (Always use secure connections) now have a built-in setting that does the same job without an extension.
HTTPS Everywhere
- Script blocker - even if you block ads and restrict downloads, untrusted active content (JavaScript, Java, and others) can run in the background on websites and expose you to cross-site scripting (XSS) and clickjacking attacks. With NoScript and equivalent extensions, not only is active content blocked from running, but the Do Not Track opt-out header is enabled by default. NOTE: From my experience, this is more appropriate for an advanced user, since it requires manual adjustment whenever a trusted page doesn't load or loads improperly.
Firefox: NoScript
Chrome equivalent: ScriptSafe or uMatrix (uMatrix is no longer maintained)
VPN
A Virtual Private Network (VPN) "creates a secure, encrypted connection, which can be thought of as a tunnel, between your computer and a server operated by the VPN service." Unlike Tor, which is focused on anonymous browsing and is much slower, a VPN can also spoof your location and covers every app on the device, not just the browser. It doesn't make your traffic disappear, though: it moves trust from whoever runs the network you're on to the VPN provider, which can see everything your ISP could have seen. Think of it like a condom. You go out to a strange airport, mall, or Starbucks, you don't know where that WiFi connection has been or how many people are involved, so you put it on and go about your business. At home you should be safe, right? After all, you should know where your own WiFi connection has been. Except if ISPs are going to start saving and selling your
Do you have to pay for a VPN? Technically no. But chances are your speed or monthly data allocation will be greatly reduced, and always be wary of the business model behind a free service: you and your personal information could very well be the product being sold to third parties. Choosing a VPN can be a headache, though; you can read articles by Lifehacker, Tom's Guide, and PC Advisor and still be confused about which ones are best and how they compare.
All of these VPNs are cheap, fast, strong, private, and offer multiple device usage. However, only one let me purchase using an Amazon gift card... bought with a VISA gift card... paid for in cash: Private Internet Access (PIA). A $25 Amazon gift card = 100 days of service (about $7.50/month). Registration was extremely easy, and all I had to give them was a valid email address (see below). After successfully downloading on Windows, macOS, Android, iOS, Kindle Fire (sideloaded Android apk), and even on Chrome as an extension, I configured the highest possible encryption (AES-256, SHA256, RSA-4096), which admittedly does slow speeds. Here are some of my impressions of PIA over the last few months:
- The connection will start quickly upon opening the app, though you can select the location of the server manually if you like (the closest to you tends to be fastest).
- Some services such as Netflix and Google Home do not work while connected, but the Android version does let you whitelist apps.
- You can lose connection when going from mobile data to WiFi and vice versa; just open the PIA app and disconnect/reconnect to fix.
- I compared speeds on Speedtest with different devices in different locations by looking at the speed percentage of VPN on versus the default speed of VPN off (I acknowledge a multitude of extraneous variables in these tests, including time of day and number of people connected):
- Desktop at home: 85% down / 87% up
- Desktop outside: 100% down / 95% up
- Mobile at home: 70% down / 87% up
- Mobile outside: 121% down / 80% up
As mentioned above, the VPN I signed up for required a valid email address. When creating an ultra-secure account, I advise using a dedicated email address that doesn't include any personally identifiable information and that protects your privacy when sending email. This is where end-to-end encryption comes in, so that "only the communicating users can read the messages" and "potential eavesdroppers" are kept out. Here are a few solid email providers that offer this protection: Mailfence, Tutanota, and Protonmail (read more here). All are paid services with limited free tiers. One caveat: the end-to-end part only applies between users of the same service (or correspondents who have set up PGP); a message sent to an ordinary Gmail or Outlook address is encrypted in transit at best, and the metadata (who you wrote to, and when) is visible to the provider regardless.
While we're on the subject of email, here's a clever way of signing up for an account if you have a Gmail address (maybe it works with other providers too, not sure). Let's say your email is myemail@gmail.com and you want to register for an Amazon account. You can use the alias myemail+amazon@gmail.com (which is delivered to your normal inbox) and instantly give yourself a way not only to filter all email sent to that address, but also to see which other companies get hold of it. Some websites don't accept the +, but if they do, give it a shot. Treat this as a tracking and filtering trick rather than a security measure: anyone who gets the address can strip the +tag and reach the base address, and a breach at that site still exposes the address and whatever password you used there.
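The leak-detection idea above (each site gets its own +tag, so mail arriving at a tag from a sender you never gave it to means the address was shared or breached) is easy to automate. The following is an added example written for this page, not the author's code or anything a provider ships; it models only the rule the page describes (everything after the first + in the local part is the tag and mail is delivered to the base address), and the inbox, the registered-site map and the sender domains are constructed sample data.

```python
import re
from collections import defaultdict

# Assumption: the first-"+" rule described above; other providers may differ.
ADDRESS_RE = re.compile(r"^(?P<local>[^@]+)@(?P<domain>[^@]+)$")


def split_plus_alias(address):
    """Return (base_address, tag). tag is None when the address has no '+'."""
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = m.group("local"), m.group("domain").lower()
    base, plus, tag = local.partition("+")   # keeps "amazon+promo" whole
    return f"{base}@{domain}", (tag or None) if plus else None


def make_alias(address, site):
    """Build the alias to hand to a site, e.g. myemail+amazon@gmail.com."""
    base, _ = split_plus_alias(address)       # strip any tag already present
    local, domain = base.split("@")
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{local}+{tag}@{domain}"


def find_leaked_tags(messages, registered):
    """messages: iterable of (recipient, sender) pairs pulled from your inbox.
    registered: {tag: sender_domain} recording which company got each alias.
    Returns {tag: sorted list of sender domains that should not have it}."""
    leaks = defaultdict(set)
    for recipient, sender in messages:
        _, tag = split_plus_alias(recipient)
        if tag is None:                       # untagged mail tells us nothing
            continue
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain != registered.get(tag):
            leaks[tag].add(sender_domain)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample inbox: (To address, From address).
INBOX = [
    ("myemail+amazon@gmail.com", "order-update@amazon.com"),
    ("myemail+forum@gmail.com", "admin@cheatcodeforum.example"),
    ("myemail+forum@gmail.com", "deals@bulk-mailer.example"),  # alias was passed on
    ("myemail@gmail.com", "friend@example.org"),               # no tag, ignored
]
REGISTERED = {"amazon": "amazon.com", "forum": "cheatcodeforum.example"}


def demo():
    return find_leaked_tags(INBOX, REGISTERED)


if __name__ == "__main__":
    for tag, senders in demo().items():
        print(f"alias +{tag} is being used by unexpected senders: {senders}")
```

Run against your real inbox by exporting To/From pairs; the forum tag above is flagged because a bulk mailer you never registered with is writing to it, which is exactly the signal the +tag gives you.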
If you're looking for a messaging/calling mobile app with end-to-end encryption, you can't go wrong with Signal. It's the app journalists use when communicating with leakers and human rights workers, and it's endorsed by Edward Snowden himself.
Passwords
It goes without saying that passwords have gotten pretty overwhelming. In this post alone, I'm assuming you'll remember passwords for your computer (standard user AND administrator), your phone, your VPN, your email, and much, much more. And yes, they should all be complex and different from each other. How are you supposed to keep track of it all? With a password manager! I was extremely cautious of these for years because it seemed like the perfect app for a hacker to develop and gain access to your entire digital life. That concentration of risk is real, which is why the manager's master password should be the strongest one you own and the vault itself should be protected with multi-factor authentication. Marc Goodman, former FBI futurist and author of Future Crimes, stands behind these 4 managers:
1Password (premium), LastPass (freemium), KeePass (free, open source), Dashlane (freemium).
Once you have a password manager, you can start coming up with decent passwords. For ultra-secure accounts, password managers typically include a generator that produces a completely random password; then you really will need the manager to log in. For accounts that hold none of your personal information and are used purely for entertainment, feel free to use a weaker password, as long as it's at least 8 characters and not reused anywhere. For everything in between, here are some suggested rules:
- The longer the better, period. Length is what makes brute-force attacks impractical: every extra character multiplies the number of guesses an attacker has to make.
- Aim for around 20 characters (lowercase letters, uppercase letters, 3+ numbers, symbols, spaces).
- No full names, birthdays, usernames, phone numbers, or full words in any language, so that social engineering and dictionary attacks get nowhere.
- Try shorthand, acronyms, or 1337 to make them easier to remember.
- Have a method that keeps passwords unique for each website (reuse is what turns one site's breach into a takeover of your other accounts).
- Change every 3-6 months, and immediately if a site you use reports a breach. (Current NIST guidance, SP 800-63B, actually advises against forced periodic changes unless there is evidence of compromise, because they push people toward predictable patterns; the breach-triggered change is the one that matters.)
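To make the rules above concrete, here is an added example (written for this page, not code from the author or from any of the password managers named) that generates a password meeting them with a cryptographic random source, checks a candidate against the same rules, and puts a number on "the longer the better" by computing the entropy of a random password. The symbol set, the tiny common-word list and the 10^10 guesses-per-second rate used for the time-to-crack figure are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed symbol set; sites differ on which symbols they accept.
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS + " "
# Constructed, deliberately tiny stand-in for a real dictionary-attack wordlist.
COMMON_WORDS = ("password", "summer", "welcome", "dragon", "admin", "letmein")


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time for an offline attacker at an assumed GPU-class rate."""
    return (2 ** bits) / guesses_per_second


def generate_password(length=20, min_digits=3):
    """Random password with at least min_digits digits, one lower, one upper,
    one symbol, drawn with the OS CSPRNG (never random.random for this)."""
    if length < min_digits + 3:
        raise ValueError("length too short to satisfy the required classes")
    required = [secrets.choice(string.digits) for _ in range(min_digits)]
    required += [secrets.choice(string.ascii_lowercase),
                 secrets.choice(string.ascii_uppercase),
                 secrets.choice(SYMBOLS)]
    chars = required + [secrets.choice(ALPHABET) for _ in range(length - len(required))]
    secrets.SystemRandom().shuffle(chars)   # so the required classes land anywhere
    pw = "".join(chars)
    if pw[0] == " " or pw[-1] == " ":       # many sites trim edge spaces; retry
        return generate_password(length, min_digits)
    return pw


def meets_policy(pw, min_length=20, min_digits=3):
    """The page's rules for the 'in between' accounts, as a check."""
    return (len(pw) >= min_length
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and sum(c.isdigit() for c in pw) >= min_digits
            and any(c in SYMBOLS for c in pw))


def contains_dictionary_word(pw, words=COMMON_WORDS, min_len=4):
    """Case-insensitive substring check against a wordlist (rule: no full words)."""
    low = pw.lower()
    return any(len(w) >= min_len and w in low for w in words)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, meets_policy(pw), f"{bits:.1f} bits",
          f"{seconds_to_exhaust(bits) / 31_557_600:.3g} years to exhaust")
```

Compare 8 random lowercase letters (about 38 bits, seconds to minutes on one GPU at the assumed rate) with 20 characters from the full set here (about 125 bits, effectively forever); that gap, not the symbol count, is what the first rule is about.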
I know it seems intimidating at first, but once your passwords are in a password manager it's all maintenance. And wherever possible, enable multi-factor authentication so that logging in from an unrecognized device or location also requires a temporary code. An authenticator app or a hardware security key is a stronger second factor than codes sent by SMS or email, since phone numbers can be hijacked by SIM swapping and the email account is itself protected only by a password. By the way, if you're entering passwords on a public computer that you think might have a keystroke logger, try typing them with an on-screen keyboard (Windows, macOS); that defeats a hardware key logger but not screen-capturing malware, so treat any password typed on a public machine as burned and change it afterwards.
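The temporary codes an authenticator app shows are not sent to you at all; the app and the server both compute them from a shared secret and the current time. The following added example (written for this page, not code from the author or from any authenticator product) implements HOTP (RFC 4226) and TOTP (RFC 6238) in Python and a verifier that tolerates a little clock drift. The secret used in the demo is the test-vector secret from those RFCs, encoded in base32 the way authenticator apps exchange it; the one-step verification window is an assumed policy choice.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side (clock drift).
    Every candidate is compared in constant time and none is skipped early,
    so timing does not reveal which step matched."""
    at = time.time() if at is None else at
    counter = int(at) // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        ok |= hmac.compare_digest(hotp(secret, counter + drift, digits), code)
    return ok


def secret_from_base32(b32):
    """Authenticator apps carry the shared secret as base32 in the otpauth:// URI."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)               # restore padding that apps usually drop
    return base64.b32decode(s)


# RFC 4226/6238 test secret "12345678901234567890", base32-encoded (constructed demo value).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    code = totp(secret)
    print("code for this 30-second step:", code, "valid:", verify_totp(secret, code))
```

The window is the trade-off to notice: each extra step of tolerance makes a stolen code usable for 30 seconds longer, so real servers keep it at one step and record the last counter accepted so a code cannot be replayed within its window.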
Registered Sites
When you tallied up your passwords, you probably realized you're registered on a lot of websites. In just a few clicks and by selecting your birthday, bam, you're the proud owner of an account on some forum where you can post cheat codes to your favorite games (do they still have those?). Unfortunately, the more of your personal information is out there, the easier you've made it for your identity to be compromised. ';--have i been pwned? will check your email address against lists of accounts exposed in recorded data breaches; if it turns up, change your password on those sites and on any other site where you used the same email and password combination (trying leaked combinations on other sites, known as credential stuffing, is exactly how one breach becomes many). Better yet, delete the accounts altogether. I came across justdelete.me as an easy way to get instructions for removing accounts from many common websites. Finally, I took it a step further and went through a Registered Sites folder in my email that dates back to 2006, and methodically erased myself from the web, or at least minimized my personal information and logged the site in my password manager. You don't need to do this, but I wanted to keep my current email locked down. While you're on these sites, check the privacy settings and consider what you're willingly sharing with the world (and how that could be used against you).
For accounts that are difficult or next to impossible to remove, here's another suggestion from the justdelete.me site: Fake Identity Generator. Choose an identity you'd like to assume and keep notes on the following details so you can overwrite the real ones in any account that can't be deleted:
- Name
- Junk email
- Address (business or middle-of-nowhere)
- Date of birth
- Throwaway password (still unique per site)
- Phone (business)
People Finders
If you've been to sites like Spokeo, WhitePages, and Intelius and tried searching for yourself, you understand the true meaning of "creepy." For the longest time I figured that this was a cat and mouse game: opt out of one site and another two will pop up. It's still like that to a certain extent, but we have options thanks to Reddit: HOW TO: Remove yourself from ALL background check websites. Thanks to LawyerCT. This guide will walk you through removing yourself from 18 major websites, which should trickle down to the smaller players. Once you've confirmed that you are indeed in their results, you can take steps to opt out. I was able to remove myself from all of them with some patience, a digital copy of my ID with everything blacked out except my name and address and DOB (which they had anyway), and a fax machine (for two of them). MyLife told me that they couldn't remove my information unless I had a premium account, so I sent them back a copy of their own privacy policy where it said otherwise and they processed my opt-out request. It was pretty rad.
Turn Off
Finally, if you're not using something, turn it off. Shut down your computer, cover your camera, turn off WiFi, disable Bluetooth and NFC, and so on. Every radio and service left running is one more way in.
--
Phew, we've come to the end of the guide. I know it's a lot to digest, but if you take it one point at a time you can, by Marc Goodman's estimate, avoid over 85% of the most common digital threats. To remember a few of these points, we return to Goodman, author of Future Crimes, and his UPDATE protocol:
Update Frequently
Passwords
Download
Admin
Turn Off
Encrypt