Good practices

What follows is a list of things you can consider doing in order to better address the privacy and security of your data.

 

Index

1. Software updates
2. PIN
3. Device encryption
4. Find my device
5. Password manager
6. Multi-Factor Authentication
7. Secure communication
8. HTTPS
9. Browser extensions
10. Data breaches
11. Data minimization
12. Social engineering attacks
13. Anti-malware software
14. Webcam security
15. Backup
16. Personal security assessment
17. Wrapping things up

 

1. Software updates

You can keep your software (apps and operating systems) always up-to-date and make sure it is recent enough to still be supported by its developer (it being an indie developer, or a big company like Facebook, Apple, Microsoft, or Google).
This is one of the best ways in which you can protect your data, because in doing so you’ll not only make sure that you have access to the latest features and fixes of a product, but that you’ll also be running the most secure version of any given software, at any given time.

In the words of EFF’s Gennie Gebhart (which I edited for clarity): “All code is sketchy, some code is just less sketchy than other.
Running on your devices there’s a lot of code and it has problems in it. It is written by humans and humans make mistakes at some point. You have (ideally) teams of engineers constantly working behind these OSes and apps to find the mistakes and fix them.
All they need you to do is click “Update” and maybe restart. If you don’t do that, that means that there is a way out there to exploit your device or your software and the world kind of knows about it.
Until you click “Update” you are easier and cheaper to hack.”

⬆ Index

 

2. PIN

You can use a PIN (sometime referred to as a passcode) or biometric authentication on your devices (preferably making every PIN unique) to make sure you’re the only person able to access your personal data even if you loose the device, or if the device is stolen.

The shorter the time window between when you lock your device and when a PIN or biometric factor is required to unlock it, the better.

While complex and long PIN’s can help, consider changing them on a regular basis to further improve the security of your data. Think of PIN’s that you frequently use in front of other people, or in public venues.

⬆ Index

 

3. Device encryption

You can turn on device encryption both on your devices’ internal storage and on any external storage drives you use (such as SD cards, HDDs, SSDs, and USB flash drives) to make it harder for anyone to extract data from those devices.

Data stored in devices like the iPhone can easily be encrypted by setting up a passcode.
Android devices may require a little bit of research to find out if such a feature is available and how to activate it (depending on the handset, the device manufacturer and the version of the Android OS the device is running).
Windows devices (other than Windows 10 Mobile devices, which have the option to turn on such a feature via the Settings app once a PIN is activated) can be encrypted using BitLocker, available to consumers as part of Windows Pro.

⬆ Index

 

4. Find my device

You can turn on features such as Find My Phone, Find My iPhone, or Find My Device to have remote access to at least some of the following actions and information (the availability of which may vary based on the type of device in question):
• Position of the device on a map and other information
• The ability to remotely make the device ring (even if set to silent)
• The ability to remotely lock people out of the device and display a custom message on the screen
• The ability to remotely erase all the data stored on the device

⬆ Index

 

5. Password manager

You can use a password manager (which is an encrypted vault) to improve the security of your accounts and make the whole process of managing such sensitive information easier.
Once you start using a password manager (popular ones are 1Password and Enpass) you can start using strong, randomly generated, unique passwords without worrying about having to remember them.
Picture a string of 30+ characters (or as many characters as you want, really) made up of randomly generate letters, numbers, and symbols. That’s a password.
“123456”, dictionary words, movie titles, etc. are not passwords.
In most cases you’ll be able to copy/paste passwords and in some cases autofill functionalities will also be available.
Having an organized and encrypted list of all your accounts (and any other kind of sensitive information you might want to store there) in a single place is a big plus both for security and convenience.

Just like PIN’s you can consider changing passwords on a regular basis as well. Think of very important passwords, the ones you use to access your main Internet accounts.

PS: You should probably never share your passwords with other people.

⬆ Index

 

6. Multi-Factor Authentication

You can enable Multi-Factor Authentication (Two-factor authentication, Two-step verification, etc.. are all forms of MFA) to improve over sign-in processes that only require you to provide username and password.

You’ve probably already used some form of MFA before. If you own a credit card when you go to an ATM you put in your card, and then you provide a PIN: that’s MFA.
These factors are generally something you know (like a password or a PIN), something you have (like a phone or a credit card), and/or something you are (like your thumbprint, your face scan, or your retina scan).

The availability of MFA unfortunately varies from service to service (if they support MFA at all), and you might not have a lot of choice when it comes to picking the MFA method that best fits your needs.

In the case of the online companies and services that do offer MFA (such as Facebook, Twitter, Google, Microsoft, etc.) the second factor is usually a one-time verification code delivered to your phone (something you have) via SMS, or generated by a software token (a code generator app) installed on your phone (again, something you have). Popular software tokens are Microsoft Authenticator, Google Authenticator, FreeOTP, and Authy.
In some cases you will also be able to use an hardware token like a YubuKey. In such a scenario you will have to physically insert the key in the device in order to log in. This is currently the most secure option of the bunch.
Keep in mind that SMS is not a secure channel and even thought MFA via SMS is usually better than no MFA at all, you might want to go with software token, or hardware token MFA if those options are available.

The fact that you’ll have to demonstrate not only that you know your log-in credentials, but that you also have access to the device you’ve set up MFA with, significantly improves the security of your data against all sorts of attacks.

Here are a few resources that can help you choose the method that’s best for you:
Decoding two-factor authentication: which solution is right for you? (Access Now)
A Guide to Common Types of Two-Factor Authentication on the Web (EFF)
Two passwords are always better than one (Jessy Irwin)

PS: Apps like WhatsApp (https://faq.whatsapp.com/en/general/26000021) and Telegram (https://telegram.org/blog/sessions-and-2-step-verification) offer similar MFA features as well. Consider enabling them.

⬆ Index

 

7. Secure communication

You can try to prioritize the use of communication services with built-in end-to-end encryption like WhatsApp, Signal, Wire, or Wickr over less secure options such as Email, Facebook Messenger*, Telegram*, Skype*, WeChat or SMS. This can help you make sure only you and the people you communicate with have access to the information you share.

When using WhatsApp you can use the Security Code feature to make sure a given chat is secure. You can also enable security notifications to get alerts when your contacts’ Security Code changes.
Keep in mind that WhatsApp backups to the cloud are not encrypted, so you may want to turn them off and delete previous ones (if present).

If you want/need more security than what WhatsApp currently offers, consider using Signal.
The organization behind the app (Open Whisper Systems) develops the same end-to-end encryption technology WhatsApp uses (the Signal Protocol), the main difference being that WhatsApp logs quite a lot of metadata, while Signal does not (https://github.com/WhisperSystems/Signal-iOS/wiki/FAQ#what-about-metadata).

⬆ Index

 

8. HTTPS

HTTPS is HTTP (Hypertext Transfer Protocol), but secure.

When browsing the web, you can keep an eye out for the address bar: if your connection to a website is secure the URL will start with HTTPS and a lock icon will be displayed. This means that the exchange of information between you and the service you’re visiting is protected, that the data flowing back and forth is not tempered with, and that the service you’re using is really who it says it is.

HTTPS improves upon HTTP in all sorts of ways…
HTTP webpages can and are used by malicious actors, governments, and ISPs around the world to:
• Gain access to the unencrypted data flowing between users and the webpage their’re visiting.
Think again before typing sensitive information such as login credentials or credit card information into an unsecure HTTP page.
• Do targeted censorship
In the case of HTTPS pages everything after the “/” (forward slash) is encrypted. This means that if you visit any Wikipedia page all a potentially malicious actor can see is: “https://www.wikipedia.org“. This also means that a repressive government (or an unregulated ISP) has to choose between blocking Wikipedia entirely, or not blocking Wikipedia at all.
In the case of HTTP pages though, a malicious party could potentially censor single pages in a selective manner, and even alter the content of such pages.
• All sorts of other nasty things
Like injecting ads or malicious links directly into the HTTP webpages people are visiting.

Keep in mind that in some circumstances the act of visiting a given web page could be in itself considered very personal information and that just because you deleted your info from a search box, an online form, or any other type of input field before submitting it doesn’t necessarily mean the website in question has not logged what you entered anyway.

PS: The fact that a page is secure doesn’t necessarily meant it is also safe.

⬆ Index

 

9. Browser extensions

You can consider using browser extensions (sometimes referred to as add-ons) such as uBlock Origin, HTTPS Everywhere, DuckDuckGo Privacy EssentialsPrivacy Badger, and Ghostery to improve your browsing experience as well as your security and privacy.

Interesting side effects to using blocker extensions like uBlock Origin are that your browsing speed will likely go up (since your web browser doesn’t have to load all those ads and tracking components anymore) and your bandwidth usage, as well as your battery life could be positively impacted as well.

Keep in mind that the vast majority of websites is ad-supported, so you might want to consider white listing the ones you want to support and/or the ones you trust to help them continue doing what they’re doing.

⬆ Index

 

10. Data breaches

Data breaches have become very frequent in recent years, and every breach adds to an ever growing pool of personal data about us that is publicly available (compromised).
Think about the Equifax disaster that exposed personal data such as Social Security Numbers and dates of birth of over 140 million US citizens, or the Yahoo! data breach that exposed personal info of all Yahoo’s 3 billion registered accounts.
All of this compromised data will never go back under the control of the people who lost it, and in cases such as SSNs and dates of birth there’s not much one can do. Those are things that just cannot be changed.

In a world where such basic personal information is frequently compromised in data breaches or voluntarily disclosed on social media, and yet still used to identify and authenticate people (think about what “only-you-could-know” info your phone company asked you the last time you called customer support to have information or change something about your contract, or to block your SIM and request a replacement) malicious parties can do real damage.

A very useful tool (both when it comes to security awareness and knowledge about data breaches) is Troy Hunt‘s https://haveibeenpwned.com project that lets anyone check if their data was ever part of a known data breach via a publicly searchable database.

You can also subscribe to the service (it’s all free) with the email addresses you want to keep monitored and (after having verified you’re actually the owner of those inboxes) receive email notifications of both publicly searchable, as well as sensitive data breach information.

⬆ Index

 

11. Data minimization

Try to be aware about which data you share about yourself (including personal info such as your full name, date of birth, home address, etc.), with whom you share it, and how/where you share it. Keep in mind that you’re not probably dealing exclusively with your personal data, but with the personal data other people shared and are sharing with you as well.

Personal info such as full name and date of birth, which are still used in many cases as only info required to authenticate people (looking at you telecommunication companies…), could be used to impersonate you and gain unauthorized access to all sorts of services you use. Moreover once such data becomes public there might be no way for you to do much of anything about it. You may be able to change your passwords, but changing things such as your date of birth, your full name, or your home address is much more difficult, if not impossible.

Consider deleting data you don’t need/use anymore. This could mean deleting old files, Internet accounts, as well as wiping unused devices (like old phones, or old HDD’s still full of personal data).
Take into consideration the notion that the best option to wipe devices like old HDDs is usually that of physically destroying them.

Two products that can help you minimize the data about yourself you wittingly or unwittingly share with third parties are DuckDuckGo (a search engine that doesn’t track users), and the Tor Browser (a tool that lets you browse the web anonymously).

⬆ Index

 

12. Social engineering attacks

Even though popular email services like Gmail and Outlook.com already do a pretty decent job at filtering out most junk mail from your inbox and popular web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have the capability of warning you when you’re about to visit potentially malicious webpages, keep in mind that such safeguards will not protect you against everything.

Contemporary hacking involves very frequently the user’s unwitting participation. This is because it is way easier for hackers to send a malicious link or attachment and have the victim do the work for them, instead of having to actually make their way through technical safeguards themselves. That would be possible too, it would just be generally more expensive.

Think twice before opening suspicious email attachments or clicking fishy links. They could end up tricking you into unknowingly giving away personal information (phishing), into installing malicious software such as ransomware, or some other nasty thing.

Here’s a few thing you can look out for to protect yourself against these attacks:
Something that’s too good to be true
Such communications may involve free giveaways, large sums of money, or something along those lines…
A messages that conveys a sense of urgency and ask you to act promptly
Such messages may involve communications about your accounts being compromised, and may ask you to put your info into a page that looks just like the original one but in fact is not.
Shortened links
Shortened links (like bit.ly’s) can be used to hide links to malicious webpages.
Email addresses that don’t look quire right
This may involve very long, apparently random email addresses as well as addresses similar to ones you trust but different in some little, less apparent way.
Messages from and about services you don’t use
Such as an email about an bank account from a bank you don’t bank with, or from a service you never signed up for, or about a package you never ordered.

⬆ Index

 

13. Anti-malware software

When using anti-malware software (like anti-virus software) take into account the fact that for it to work it has to have deep access to a system. Vulnerabilities in such software would therefore greatly increase the surface for potential attacks.
This is not to say that you should downright avoid it, instead that you should be aware of the fact that poorly developed anti-malware software could (in some cases) add serious vulnerabilities to a system, instead of helping securing it.

In cases like Microsoft’s Windows 10 the OS comes with what I understand to be a good solution straight out of the box: Windows Defender Security Center. Consider sticking with it.

Here are some more information on the topic:
Disrupt the revolution of cyber-threats with Windows 10 (Microsoft)
Disable Your Antivirus Software Except Microsoft’s (Robert O’Callahan)
A Followup About AV Test Reports (Robert O’Callahan)
Anti-virus software products compatibility issues on Windows 10 (Steve Gibson)

Whatever you choose to do, try also to be careful and mindful about what you’re doing with your devices and in which context you’re doing it. Anti-malware software can help you, but it can’t do much to protect you if you just ignore common sense security practices.

PS: Remember that there’s malware for everybody. Looking at you macOS users…

⬆ Index

 

14. Webcam security

Webcams are a piece of hardware that is generally easy and very cheap to hack. Consider putting some tape (or a very cool sticker) over it.

This will not make you hack-proof, there’s probably plenty of other cameras around you at all times over which you have less or no control over, not to mention microphones (which are much more difficult to cover or disable)… But hey! At least you’re doing something, and while you’re hopefully feeling good about it, you’re also subtly telling other people that you do care about security and privacy (which is important, and cool).

⬆ Index

 

15. Backup

A good way of preventing losing your data to ransomware, or to an HDD or SDD failure (which will happen at some point) is backups. You can back your files up to another drive or you can back them up to a cloud storage service.

When choosing between the two options take into account the sensitivity of the data in question, and the trust you’re willing to place in the cloud storage provider.

⬆ Index

 

16. Personal security assessment

A good way to go about implementing the chapters of this list is defining your threat model.
• What are you trying to protect?
What is it you consider personal/sensitive enough that you’re willing to take extra steps in order to avoid it falling into the wrong hands, or going public?
• From whom are you trying to protect it from?
Are you worried about police surveillance, corporate surveillance, surveillance from your parents, threats from people with physical access to your devices and systems such as spouses, roommates, and employers, or what you’re interested about is adopting general security measures to avoid losing your information to hackers?
If that person or entity were to come after what you’re trying to protect, how would they do it?
Would they just need to grab your device? Would they need to guess a PIN? Would they need to gain remote access to your devices using malware? Would they need to guess the password you keep reusing? Would they be willing to force you into unlocking your data for them?
• If they were to succede, how bad would the consequences be?
What could be the worst case scenario? How would you handle such a situation, if you were confronted with it?
• How likely is it that someone will come after what you’re trying to protect?
How valuable do you think your information is for the person or entity in question?
• What resources such as time (and maybe money) are you willing to invest to secure what you’re trying to protect?

While going through this keep in mind that figuring out who and what you trust, as well as realizing the fact that if there is someone targeting you their capabilities will likely grow over time can be very important.

Here’s a good resource from the Electronic Frontier Foundation that dives a little deeper into the topic: Assessing Your Risks (EFF).

⬆ Index

 

17. Wrapping things up

All of these things are a good way of protecting your data and the data other people share with you.

Digital security is only as strong as its weakest link though, so you can now ask yourself: Do the people I share private/personal/sensitive information with protect their data (and the data I share with them) as well?
Would it make sense for me to suggest, ask, or demand they follow good practices similar to they ones I follow?

Here are some questions you could ask to make sure you communicate with them securely:
Would you mind communicating over an end-to-end encrypted service like WhatsApp and (in the case of WhatsApp) verify each other’s Security Code first?
• Are the operating system and the apps on your phone and on your other devices supported and up to date?
• Is your phone protected with a strong PIN (both a phone PIN and a SIM PIN) that you change from time to time and that (in the case of the phone PIN) you need to type-in every time you access the device?
• Do you have a device encryption feature (one that also covers your SD card, if you have one and store sensitive information on it) turned on?
• Do you have any feature similar to Find my iPhone turned on that lets you try and locate your phone if you lose it, and lets you send a request to erase all the data stored on it in case you can’t find it?
• If any of the data that we will exchange here will be accessible from other devices you own, are those devices protected too?
• Thanks.

⬆ Index

 

*

Facebook Messenger’s Secret Conversations, Telegram’s Secret Chats and Skype’s upcoming Private Conversations features all allow users to have end-to-end encrypted conversations as a plus, something that’s not core to the products they’re built in.
This means that they do not represent a layer of security that’s on by default and users have to be aware of them and enable them for specific conversations on a specific device to benefit from actual private conversations.

 

Page last updated: 17 February 2018

Advertisements