Since childhood we have known that when we come in from the street we must wash our hands. Yet we hardly ever think about what to do after being online.
Everyone has to decide for themselves what level of security is acceptable. Ask what the information you are protecting would cost you if you lost it. If you hold important information, are afraid of losing it, and the mere thought of it reaching your enemies scares you, then you should think about information security.
Those who read me or know me personally understand that I care a great deal about personal security, and I want to share how I deal with it. What's private should remain private.
None of the links to applications and resources are advertising; I use them myself. If you want to thank me, click the coffee button at the end of the article.
Phishing and social engineering
A large share of data leaks and account takeovers happen through social engineering: the criminal does not break into the password server or try every possible password; people hand over their passwords themselves. There are many ways to be scammed. Someone calls from an unknown number, introduces themselves as a bank representative, and says your card will be blocked unless you give them your password. A website asks you to fill in a form to collect a "guaranteed" prize. A caller tells you there is a problem with your phone, laptop, or internet connection. A friend or partner you have only met online asks you for money. Or you are pushed toward an unusual way of paying for something.
On the Internet the most popular form of this fraud is phishing: e-mails sent in the name of well-known companies with links to fake sites that look like the originals, such as faceb0ok.com. The fake site asks you to enter your personal data (whatever the criminal happens to want). After you submit it, you get an error or are redirected to another site. That's it: the data is gone.
Keep your personal data safe and think carefully before you enter it online or share it with anyone. Protect the information that could be used to access your accounts or to create a fake online identity in your name. Weigh the odds of actually winning a prize against the value of your data.
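The faceb0ok.com trick is mechanical enough to check for. The following is an added example, written for this edit and not part of the original article, of how a mail filter or browser extension would classify a link: it folds characters that look alike, decodes internationalized hostnames, and compares the result against a short allowlist of sites the user actually uses. The allowlist, the confusable table and the sample URLs are constructed for the example; a real tool would take the allowlist from the password manager and use the Public Suffix List to find the registrable domain.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the sites this user really has accounts with. In practice
# this would come from the user's bookmarks or password-manager entries (assumption).
TRUSTED_HOSTS = {"facebook.com", "google.com", "paypal.com"}

# Single characters attackers swap in because they look alike in most fonts:
# digits for letters, plus a few Cyrillic letters that render identically to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a, e, o, p
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                  # Cyrillic c, y, x
})
# Character pairs that read as one letter at a glance.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(host: str) -> str:
    """Fold a hostname into the Latin string a victim *sees*."""
    try:
        # Internationalized hosts arrive as punycode (xn--...); decode to the real glyphs.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, or invalid punycode: fold what we have
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))  # drop accents
    host = host.translate(CONFUSABLES)
    for pair, replacement in MULTI_CONFUSABLES:
        host = host.replace(pair, replacement)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-typo look-alikes (facebok.com)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a link."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Last two labels only; real tooling uses the Public Suffix List for co.uk and friends.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_HOSTS:
        return "trusted"                                   # facebook.com, www.facebook.com
    folded_host, folded_domain = normalize(host), normalize(domain)
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        if brand in folded_host:                           # faceb0ok.com, facebook.com.evil.example
            return "lookalike"
        if edit_distance(folded_domain, trusted) <= 1:     # facebok.com, gooogle.com
            return "lookalike"
    return "unknown"
```

Matching the brand name as a substring is deliberately aggressive: it flags facebook.com.evil.example and faceb0ok-login.net, but would also flag a legitimate host such as googleusercontent.com, which is why the exact allowlist check comes first and why the verdict should be shown to the user rather than silently blocking.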
Let's start with the trivial: you need to have passwords. I am surprised by people who still do not protect their personal devices with a password.
Do not tell anybody your password, not even support staff. If anyone ever asks for your password, rest assured it is a hundred percent fraud. Every service is designed so that only you know your password; no employee of the company has the right to ask you for it. Period.
Do not store passwords in plaintext. Likewise, do not listen to people who advise writing your passwords on a piece of paper, and do not keep them in a notes app.
Use a password manager, and preferably not a free one. This may be the most basic security tool for anyone who uses the Internet, because no one can generate and memorize a gazillion random passwords, so the best way is to use a password manager. I started with LastPass, then 1Password, and have now settled on Bitwarden. I like Bitwarden because it is open source and you can install it on your own hardware. But I know people who also use and like Roboform.
Use strong passwords. Long, random passwords defeat brute-force and rainbow-table attacks. See the statistics and analysis of more than a billion leaked logins and passwords here. Some interesting numbers:
- The average password length is only 9.5 characters
- The most frequent password is 123456. It is used by 0.722% of accounts!
- The first thousand passwords cover 6.607% of accounts
- If you go through the first 10 million passwords, you have a better than 50% chance of guessing right
- Only 12.04% of passwords contain special characters
- About a third of passwords consist of letters only
- More than a quarter consist of letters in one case only
- 13% of passwords consist of numbers only
Stop reusing passwords. The golden rule of Internet security is a different password for every site. Many services have lost their user database or had it leaked at some point. A different password for each account prevents one leak from compromising all of your accounts at once; attackers routinely try leaked username/password pairs on every other popular site, a technique known as credential stuffing.
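As an added illustration, not from the original article, here is what a password manager's generator and audit do under the hood. The leaked-password list and the sample vault are constructed for the example, and the entropy figures show why the numbers above look the way they do: a six-digit numeric password such as 123456 carries under 20 bits, so 10 million guesses (about 2^23) cover every one of them, while a 20-character generated password carries about 131 bits.

```python
import math
import secrets
import string

# Alphabet a password manager typically generates from (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the leaked-password list behind the statistics above.
# A real check would use the full list or Have I Been Pwned's k-anonymity range API (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via `secrets`; the `random` module is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Guesses an attacker needs on average when every candidate is equally likely."""
    return 2 ** bits / 2


def audit(vault: dict) -> dict:
    """Password-manager style report over {site: password}: common, short and reused entries.
    Reuse is the dangerous one: a single leaked site gives the attacker every site in the group."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {
        "common": sorted(site for site, pw in vault.items() if pw in COMMON_PASSWORDS),
        "short": sorted(site for site, pw in vault.items() if len(pw) < 12),
        "reused": sorted(group for group in sites_by_password.values() if len(group) > 1),
    }


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(20, len(ALPHABET))), "bits")
    print(audit({"bank": "123456", "mail": "correct-horse-battery",
                 "shop": "correct-horse-battery", "forum": "short1"}))
```

The audit is the part worth copying: Bitwarden and 1Password run exactly this kind of report over your vault, and the "reused" group is the list of accounts that fall together the day any one of those sites leaks.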
Use secure connections
Prefer sites that use HTTPS. HTTPS protects the connection between your browser and the server from being intercepted or tampered with, providing confidentiality, integrity, and server authentication for the vast majority of modern Internet traffic. Keep in mind that the padlock only tells you the connection is encrypted and that you are talking to the domain in the address bar; a phishing site can have a perfectly valid certificate, so HTTPS says nothing about whether the site itself is honest.
Very often the browser does not show you the full URL of the site at all. That makes it harder to tell which site you are on and whether it is the one you expect. Usually you can change this behavior in the settings, and it is worth doing.
Avoid free Wi-Fi networks.
Note that most devices connect to known networks automatically. For example, you come to a cafe and use the local access point, getting the password from a waiter. The next time you are in that cafe with Wi-Fi enabled, your smartphone or laptop will join the network on its own.
Attackers can set up an evil twin: a network with the same name (SSID) and password. If your device joins the twin, the data it sends can end up in the hands of a third party. Your accounts and bank cards are at risk, and so is the data on your disk, because a hostile network is a convenient place from which to push malware onto your computer.
In addition, your device's MAC address and other fingerprinting techniques make it easy to identify you and build up a picture of your interests and movements: where you live, where you work, and, from the timing of your movements, your social status (student, worker, mother with children, and so on). Recent iOS and Android versions randomize the Wi-Fi MAC address per network by default, which helps, but other identifiers remain.
Consider using a virtual private network (VPN) for privacy when you do use public Wi-Fi. A VPN encrypts everything between your device and the VPN server, so neither the other users of the hotspot nor its operator can read your traffic. It does not hide the traffic from the VPN provider itself, so pick one you trust.
Cover your webcam
I am always surprised when I see people who do not cover their webcams at all. It is the right thing to do. Cover the camera on laptops and smartphones, and remove it physically if possible.
Simply cover the camera with a piece of sticky tape to keep prying eyes out. When you need the webcam, peel the tape off and stick it back on afterwards. There are also covers with a slide switch, which are easier to use.
Keeping your computer up to date is another step toward Internet security. Start by updating your operating system and enable automatic updates if you have not already. Windows, macOS, and Linux all support this.
In my opinion, the most secure operating systems are open-source ones. There are quite a few. You can start with the easiest to install and use: Ubuntu.
For those who are very concerned about their security, there is the Tails operating system. Tails stands for The Amnesic Incognito Live System. It is a security-oriented Linux distribution based on Debian whose main objective is complete anonymity on the Internet: all traffic is routed through Tor, and nothing is written to the computer's disk unless you explicitly enable persistent storage. It ships with several Internet applications, including a web browser, IRC client, mail client, and messenger, all pre-configured with security in mind.
Limit permissions to applications
Look at the permissions on your mobile device. No flashlight application needs to track your location or calendar. Seriously, do it, it will take less than five minutes. Look through your permission settings and disable the application permissions to reduce the amount of data that applications collect. Good device privacy tips can be found on the DuckDuckGo website.
Turn off Wi-Fi and Bluetooth until you need them; this improves your privacy and saves battery at the same time.
Secure your accounts
Take a moment to review your most important accounts and check the privacy settings on your social networks and other accounts. These settings are usually under Privacy and security. You may have stored a lot more information than you planned.
Review your privacy settings to determine who can see what you write, the photos you post, your phone usage, your e-mail, and your credit cards. It is all individual. But avoid linking your social network accounts to third-party services where you can. Your social platform does not need to know what music you listen to, so do not link your music account to your social network account.
It is scary to think that everything you have ever searched for could be stored somewhere. I feel that most of the time we are more honest with the search engine than with our closest friends. Do you trust companies like Google to keep this personal information confidential?
Google sells advertising not only on its own search platform but also on more than 2.2 million other websites and more than 1 million apps. Each time you visit one of these sites or apps, Google records it and uses it to target advertising at you.
This is what it stores, and what you can delete: your activity on its services, your location history, your advertising profile, and your YouTube history.
I must say that Google is really good at searching. There are very few free alternatives that respect your privacy. In fact, there is only DuckDuckGo, and it does not search perfectly, especially when you are looking for solutions to technical problems. Meh.
Use two-factor authentication wherever you can. 2FA means two factors for authentication (not to be confused with authorization): something you know (a password) and something you have (a security token or your phone). With 2FA, someone who has only your username and password cannot log in as you, which matters because companies are constantly losing their users' password databases. It is a very effective additional layer of security that costs you essentially nothing. Check whether the services you use support 2FA here.
SMS authentication. I don't like this method at all, although some services offer nothing else, and it is certainly better than nothing. The problem is that there are many ways to take over your phone number (SIM swapping, for example).
Time-based one-time passwords (TOTP). In my opinion, one of the most common, secure, and successful options for two-factor authentication. When you enable it, the service shows you a QR code (or the same secret as a text string); your authenticator app stores that secret and from then on displays a six-digit code that changes every 30 seconds. Moving to a new device is a bit awkward, since the secret has to be transferred, but in general it is very good.
The hardware security key, in my opinion, is also quite a good option, but a couple of things concern me. For example, it is not clear what to do if the key breaks or simply stops working. Nor do I understand what to do if I just lose it, which will happen within the next 24 hours.
Encrypt your data
Full-disk encryption makes it much harder for anyone else to read your files and adds another layer of protection for your information. Do you know what happens if your laptop ends up in the wrong hands? Without encryption, whoever has it can boot from any bootable USB stick and read all of your data; the login password on its own stops nothing. It is like owning a safe but leaving it unlocked. So encrypt the whole disk (BitLocker on Windows, FileVault on macOS, LUKS on Linux), so that if you lose the device, the finder cannot get at what is on it.
Backup your data
It is just as important not to lose your data as it is to encrypt it, so make backups. Back up your data, photos, videos, and documents to an external hard drive, to the cloud, or both, and make sure the backups are encrypted too. This protects you from hardware failure, accidental deletion, and even ransomware and other malware.
Boost the privacy on your browser
Your browser stores a lot of personal information about you. Your browsing history and the cookies that record your activity are just two examples of what it keeps by default. It is done to speed up websites, but that information can be read by the sites that set the cookies, by extensions, and by anyone with access to your browser profile. So choose your browser wisely.
Choosing a browser is a very personal decision and you may want to weigh the arguments. I think it is better to use open-source browsers: Firefox, Chromium, Brave, IceCat. In terms of usability and features, they are as good as Chrome itself.
After choosing the browser be sure to change the default privacy settings. To change this on...
- Chrome: go to Settings, advanced, content settings, cookies, and then turn on "block third-party cookies".
- Edge: go to Settings, view advanced settings, cookies, and then use the drop-down to select "block only third-party cookies".
- Firefox: go to Preferences, Privacy & Security, then under the History section, switch "accept third-party cookies" to "never".
- Safari: Apple actually activates this setting by default. To check that it’s enabled, go to Preferences, then Privacy, and look for "prevent cross-site tracking".
Besides choosing a browser, a quick and easy way to limit tracking of your online activity is private mode. The browser does not keep cookies or history beyond the session, but remember that this gives only limited protection: websites, your browser vendor, and your ISP can still see your IP address. Closing the private window at the end of each session ensures that what was stored cannot be correlated with other sessions and used to build a profile.
Enhance email security
Think about whether to reply to an e-mail at all. Anyone who has access to the message can see what you wrote and with whom you communicate. You may keep your own mailbox under control, but you do not know what the other parties will do with their copy.
Ideally, use a zero-knowledge mail provider, meaning one whose servers never see the unencrypted content of your mail. Or, better still, run your own mail server. It is not as difficult as it seems.
Another way to improve e-mail security is to use providers that offer one-time or masked e-mail addresses. If a website or service later discovers that its database has been compromised, only that alias is exposed, and you can simply discard it.
If you are really worried about your e-mail being intercepted, think about encrypting it. PGP is the best-known form of e-mail encryption, and the Mailvelope extension for Chrome and Firefox makes it much simpler to use. Keep in mind that PGP encrypts the body and attachments but not the subject line or the sender and recipient addresses.
A virtual card is a card designed only for online purchases and payments. Such cards cannot be used at ATMs. The card may have no physical form at all and is issued electronically, sometimes for a single purchase or transaction. It works without a PIN; a payment uses only the card number, its expiry date, and the three-digit security code.
Using such cards for online payments raises the security of the transaction, because the virtual card lets you keep the details of your main card to yourself.
When you create a virtual card, you set its spending limit yourself. For example, you want to subscribe to Netflix but do not want to enter your bank card details, for fear of fraud or of being overcharged. Just create a virtual card with a limit and pay with it. Nobody else can use that card later, because the limit has been spent. Then you can freeze the card or delete it altogether.
Privacy.com lets you create virtual cards for free. They have no plans to charge for the service, since their business model is earning from transaction fees. This is not advertising; I use the service myself. There is also Blur, but their UI is shitty.
Loss of privacy is a relatively new problem whose scale we have not yet grasped. But the scandals and high-profile cases around it make us think about the consequences of a "transparent society". The obvious threat is not only political manipulation and the new kinds of crime made possible by access to confidential data. Just as big a threat is big data combined with machine-learning methods, which have only just begun to gain popularity.
Let us take measures to better protect our privacy online. We may not clean our rooms or dust our furniture, fold our clothes or get up at the first alarm, but we would prefer our information not to show the world how lazy we can be.
The Art of Deception by Kevin Mitnick and William L. Simon
Highly recommend the EFF tutorial: https://ssd.eff.org/en/playlist/want-security-starter-pack