Security is the ever evolving process of using the best tools at your disposal to protect your information. Privacy is about having control over how that information is stored, used, or shared.
What follows is a list of measures you can consider adopting in order to better address these important aspects of your digital life.
Index
1. Software updates
2. PIN
3. Device encryption
4. Find my device
5. Password manager
6. Multi-Factor Authentication
7. Secure communication
8. HTTPS
9. Privacy settings
10. Online tracking and advertising
11. Cloud services
12. Data breaches
13. Data minimization
14. Social engineering
15. Anti-malware software
16. Webcam security
17. Backup
18. Personal security assessment
19. Wrapping things up
1. Software updates
Software is complex, flawed, and ever evolving.
One of the most important things you can do to protect your information is to keep your software (like your apps and operating systems) always up-to-date, making sure at the same time they are recent enough to still be supported by their developer (it being an indie developer, or a big company like Facebook, Apple, Microsoft, Google, TP-Link, or Samsung).
By doing so you’ll not only make sure that you have access to the latest features and fixes, but that you’ll also be running the most secure version of any given software product, at any given time.
Keep in mind that it’s not only your phone, laptop, and desktop computers that rely on software updates and firmware updates to function securely, improve over time, and introduce new features. Routers (which are at the heart of any local area network like your home network) and IoT devices such as smart speakers, lights, fridges, doorbells, TVs, TV remotes, etc. also rely on regular updates for the very same reasons.
In the words of EFF‘s Gennie Gebhart (which I edited for clarity): “All code is sketchy, some code is just less sketchy than other. Running on your devices there’s a lot of code and it has problems in it. It is written by humans and humans make mistakes at some point. You have (ideally) teams of engineers constantly working behind these OSes and apps to find the mistakes and fix them. All they need you to do is click “Update” and maybe restart. If you don’t do that, that means that there is a way out there to exploit your device or your software that the world kind of knows about. Until you click “Update” you are easier and cheaper to hack.”
2. PIN
You can set up a unique PIN (sometime referred to as a passcode) for each of your devices to make sure (to a reasonable degree) that you’ll be the only person able to access your personal data (and the personal data other people might be sharing with you) even if you lose them, or if they are stolen.
Once you’re using a PIN, it might be possible (based on the device you’re using) to set up some form of biometric authentication. In this case you’ll also be able to unlock your devices by way of scanning parts of your body such as your fingerprints, your face, or your iris.
The longer and complex the PIN, and the shorter the time window between when you lock your devices and when a PIN or biometric factor is required to unlock them, the better.
Setting up a biometric factor can be a good way of keeping your PINs secret even when unlocking your devices in front of other people (such as in public venues), or in places that might be employing video surveillance.
If for any reason biometric authentication is not an option for you, consider changing your PINs either regularly, or upon indication or suspicion of compromise.
3. Device encryption
You can turn on device encryption on both your devices’ internal storage and on any other external drives you may be using (such as SD cards, Hard Disk Drives, Solid State Drives, and USB flash drives) to make it harder for anyone to extract data from them.
Data stored in iOS devices like iPhone and iPad can be easily encrypted by setting up a passcode.
Android devices may require a little bit of research to find out if such a feature is available and how to activate it (depending on the handset, the device manufacturer, and the version of Android the device is running).
Windows devices can be encrypted using the built-in BitLocker feature (available to consumers as part of Windows 10 Pro, but not available to Windows 10 Home users), and macOS devices can be encrypted using FileVault, a feature that is part of the OS and available via System Preferences.
Keep in mind that encrypted devices might need to be powered down for the data they contain to be fully encrypted.
Here are a few resources, if you need a little help:
• How To Encrypt Your Devices / DuckDuckGo
• How to Encrypt Your iPhone / EFF
4. Find my device
You can turn on features such as Find My Device (available on Windows and Android devices) and Find My iPhone/Mac (available on iOS and macOS devices) to have remote access to at least some of the following actions and information (the availability of which may vary based on the type of device in question):
• Position of the device on a map and related information.
• The ability to remotely make the device ring (even if set to silent).
• The ability to remotely lock people out of the device and display a custom message on the screen.
• The ability to remotely erase all the data stored on the device.
Note that by enabling this you will be regularly sending your location information to a company such as Microsoft, Google, or Apple (depending on the device in question).
You should therefore balance the benefit of locating your devices and remotely erasing the data stored on them, with your willingness to disclose such personal information to a third-party.
Keep in mind that this is not the only way your devices may be broadcasting your location. Mobile phones transmit this kind of information to mobile network operators as a matter of course, for instance.
5. Password manager
You can use a password manager (which is an encrypted vault) to drastically improve the security of your accounts and make the whole process of managing such sensitive information easier.
Well-regarded options when it comes to choosing one are:
• 1Password – Downloads page, Beginner’s guide
• LastPass – Download page, Beginner’s guide
• KeePassXC – Download page, Beginner’s guide
Start using a password manager means you can start randomly generating long, complex, unique passwords and not have to worry about remembering them.
Picture a string of 30+ characters (or as many characters as you want, really) made up of randomly generated letters, numbers, and symbols: That’s a password! 123456, dictionary words, movie titles, dates, etc. are not passwords…
You can approximate the strength of your passwords here: PasswordSecurity.info
Password managers usually come with the ability to copy/paste things like usernames and passwords and in some cases to auto-fill them where needed as well.
One thing that could make the overall experience even more convenient on your tablet, laptop, or desktop computer is a password manager browser extension, which password managers also usually provide. Look for it in their various download pages, or in your web browser’s extension store.
Creating and maintaining an encrypted and possibly well organized list of all your accounts’ information (and any other kind of sensitive information you might want to store there) is a big plus for both security and convenience.
Even when using a password manager you’ll probably need to create a few strong and memorable passwords for things like your password manager’s master password and your various PINs and passcodes. A good way to go about solving this issue is using passphrases created with the help of the Diceware method.
To do this you’ll need five dice (just one will also do), a Diceware word list like this one from the EFF or these ones from Arnold Reinhold, and one of the following guides on how to proceed:
• How to Make a Super-Secure Password Using Dice / EFF
• EFF Dice-Generated Passphrases / EFF
• Passphrases That You Can Memorize — But That Even The NSA Can’t Guess / The Intercept
Even though a password manager is the best solution for most people, there will be cases in which (for whatever reason) a software solution is just not viable.
If this is you, keep in mind that managing your credentials with a physical password book that you keep someplace safe might still be better than not managing them at all.
Once you’ve set up strong and unique passwords (or passphrases) for your accounts, you’re pretty much done with them. Companies and services that follow modern security practices should only require a password change upon indication or suspicion of compromise.
A note: You should not (in most cases) share your personal passwords and passphrases with other people.
6. Multi-Factor Authentication
You can enable Multi-Factor Authentication (Two-Factor Authentication, 2-Step Verification, etc. are all forms of MFA) to improve over sign-in processes that only require you to provide username and password.
You’ve probably already used some form of MFA before. If you own a credit card when you go to an ATM you put in your card, and then you provide a PIN: that’s MFA!
These factors are generally something you know (like a password or a PIN), something you have (like a phone or a credit card), and/or something you are (via a fingerprint, face, or iris scan).
The flavors of MFA available (as well as how such features are referred to) usually varies from service to service (if they support MFA at all, that is).
This means that even though any kind of MFA (even SMS, an easy to social engineer, spoof, frequently non-verifiable, insecure channel) is usually better than no MFA at all, you might not have much of a choice when it comes to picking the method that best fits your needs. It also means that in your quest to MFA All The Things very similar things will have pretty different names.
Here’s some help: Turn On 2FA
In the case of the online companies and services that do offer MFA (such as Facebook, Twitter, Google, Microsoft, etc.) the second factor is usually a one-time verification code delivered to your phone (something you have) via SMS, or generated by a software token (a code generator app) installed on your phone (again, something you have).
Less frequently you’ll also be able to use a hardware token like a YubiKey that you’ll need to physically plug into the device to log in. This is currently (as far as I know) the most secure option available.
Popular software tokens are Microsoft Authenticator, Google Authenticator, FreeOTP, and Authy.
The fact that you’ll have to demonstrate not only that you know your log-in credentials, but that you also have access to the device you’ve set up MFA with, significantly increases the security of your data against all sorts of attacks.
Here are a few resources that can help you choose the MFA method that’s best for you:
• Decoding two-factor authentication: which solution is right for you? / Access Now
• A Guide to Common Types of Two-Factor Authentication on the Web / EFF
• Two passwords are always better than one / Jessy Irwin
PS: Apps like WhatsApp (More info here) and Telegram (More info here) offer MFA features as well. Consider enabling them!
Keep in mind that no matter how layered your security approach is, your accounts’ security are only as strong as your “I forgot my password” settings are. That is to say that you might want to check those out as well…
7. Secure communication
You can try to prioritize the use of end-to-end encrypted communication services like Signal (Beginner’s guide), Wire (Beginner’s guide), WhatsApp (Beginner’s guide), or Wickr over less secure options such as regular email, Facebook Messenger*, Telegram*, Skype*, WeChat, SMS, or regular phone calls.
This will help you make sure (to a reasonable degree) that only you and the people you communicate with have access to the information you share. No third-parties like Facebook, Google, Microsoft, governments, or malicious actors will be able to access your conversations.
End-to-end encrypted communication services usually rely on a technology called public-key cryptography, which assigns a public key and a private key to every user.
When you send a message to someone (or an voice message, or an attachment, or a voice/video call) that data is encrypted locally using your contact’s public key and then sent over the Internet. Once it reaches your contact’s device it is decrypted locally using their private key (which is never shared).
Public keys can also be used to make sure any given conversation is end-to-end encrypted and to verify that the person on the other end is really who they say they are.
Various services refer to this feature in different ways: Signal calls it Safety Number, Wire calls it Key Fingerprint, WhatsApp refers to it as Security Code, and Wickr as Key Verification.
In the case of WhatsApp you should consider enabling security notifications to make sure you’re notified if you contacts Security Code changes, not enabling cloud backups (which are not encrypted), and understand if you’re comfortable with the amount of metadata WhatsApp is able to collect (things like who you are, who you communicate with, and how frequently you do so) as opposed to Signal’s much stricter metadata policy.
Here are two additional resources you might want to check out:
• Secure Messaging Apps Comparison / Mark Williams
• Secure Messaging? More Like A Secure Mess. / EFF
If you’re interested in improving your security and privacy on the email front, you might want to take a look at ProtonMail.
* Facebook Messenger’s Secret Conversations, Telegram’s Secret Chats and Skype’s upcoming Private Conversations features allow users to have end-to-end encrypted conversations while at the same time not representing a layer of security that’s by default turned on and available to everybody. This means that people have to be aware of them and enable them for specific conversations on a specific device to benefit from actual private conversations.
8. HTTPS
HTTPS is HTTP (Hypertext Transfer Protocol), but secure.
When browsing the web, you can keep an eye out for the address bar: if your connection to a website is secure the URL will start with HTTPS and a padlock will be displayed. This means that the exchange of information between you and the service you’re visiting is protected, that the data flowing back and forth is not tempered with, and that the service you’re using is really who it says it is.
HTTPS improves upon HTTP in all sorts of ways…
HTTP webpages can and are used by malicious actors, governments, and ISPs around the world to:
• Gain access to the unencrypted data flowing between users and the webpages their’re visiting.
Think again before typing login credentials, credit card information, or any other kind of sensitive information into an HTTP page.
Also keep in mind that any HTTP page you visit represents valuable information for ISPs able to use or sell personal information for advertising purposes, or for governments engaged in mass surveillance.
• Do targeted censorship.
In the case of HTTPS pages everything after the “/” (forward slash) is encrypted. This means that if you visit any Wikipedia page all a potentially malicious actor can see is: https://www.wikipedia.org. This also means that a repressive government (or an unregulated ISP) has to choose between blocking Wikipedia entirely, or not blocking Wikipedia at all.
In the case of HTTP pages though, a malicious party could potentially censor single pages in a selective manner, and even change the content of such pages.
• Alter the content of webpages in all sorts of ways and for all sorts of purposes.
Ranging from injecting ads, malicious links, whole sets of UI controls, or completely replacing the content of a page (essentially blocking it), to altering the content of a page to redirect traffic, install malware, or spread phishing attacks.
Some websites may be available both via insecure HTTP and HTTPS. Browser extensions such as EFF’s HTTPS Everywhere (which requires sites to use HTTPS whenever possible) can help here.
Keep in mind that in some circumstances the act of visiting a webpage could be in itself considered very personal information and that just because you deleted your info from a search box, an online form, or any other type of input field before submitting it doesn’t necessarily mean the website in question has not logged what you entered anyway.
Also: The fact that a page is secure doesn’t necessarily mean it is also safe.
Here are a few additional resources you might want to check out:
• Here’s Why Your Static Website Needs HTTPS / Troy Hunt
• Does my site need HTTPS? / Matt Holt
• HTTPS Is Easy! / Troy Hunt
9. Privacy settings
The apps and services you use come with a set number of default settings. Those can include permissions that grant the apps you use access to things like your camera, microphone, or geographic location; as well as settings that let companies like Facebook and Google access your personal data to target you with ads.
Since in many cases security and privacy do not come as the default, consider exploring such settings while at the same time asking yourself: What data about myself should the apps and services I use be able to access, store, and use?
Making sure you’re comfortable with any of these settings could mean:
• Checking your apps permissions
How many of your apps really need access to your location, microphone, camera, or contact list in order to work?
• Checking other apps’ settings
Maybe you want to protect your WhatsApp app with a PIN? Maybe you’re not OK with iOS automatically backing up your messages to the cloud?
• Checking all the privacy settings of the services you use
Have you ever done a Privacy Checkup, or visited the Privacy, Apps and Websites, and Your ad preferences pages on Facebook? Or the Google Privacy Checkup and My Activity pages if you have a Google account? Or the Privacy and safety and Your Twitter data pages if you use Twitter?
• Quitting a service deleting your account
If you make this decision but want to keep you data remember that most services allow you to download a copy of your data.
Don’t forget that when you sign up for a service you’re most likely also agreeing to privacy policies, terms of service, and other similar documents that govern your relationship with that service as well as what you and the company behind it can and cannot do. Consider reading them.
10. Online tracking and advertising
Big tracking networks like the ones put in place by Google, Facebook, and Amazon are always trying to follow you around the web with the goal of collecting as much data about you and your behavior as possible, data they are then able to use to do things like targeted advertising.
Ads can be invasive, sometimes exploited for malicious purposes (like prompting you to install malware, or giving up personal information) and can negatively impact your browsing experience, your bandwidth usage, and your battery life.
Sites can even be hijacked to mine cryptocurrency without your consent. Which can be a very lucrative business for malicious actors.
To minimize this kind of behavior, you can try out browser extensions such as uBlock Origin, DuckDuckGo Privacy Essentials, Privacy Badger, and Ghostery.
Keep in mind that the vast majority of websites is ad-supported, so you might want to consider white listing the ones you want to support and/or the ones you trust to help them continue doing what they’re doing.
11. Cloud services
Cloud services can be amazing tools. But they can also bring some important security and privacy trade-offs with them.
Mainstream and very useful products such as Google Drive, OneDrive, Dropbox, OneNote, Evernote and so on cannot guarantee that the user is the only party with access to their personal data simply because (for various reasons) they have access to users’ data as well.
Although this can be fine in some scenarios, there are times when (even at the cost of losing out in terms of functionality) you might want to have more control over your data.
This is where services like Sync for cloud storage and Standard Notes for note-taking could come in handy. They both encrypt and decrypt your data locally, so as to provide a service in which you can be sure (to a reasonable degree) to be the only person able to access your data.
These kind of offerings are sometime called zero-knowledge.
12. Data breaches
Data breaches have become very frequent in recent years, and every breach adds to an ever growing pool of personal data about us that is publicly available (compromised).
Think about the Equifax disaster that exposed personal data such as Social Security Numbers and dates of birth of over 140 million US citizens, or the Yahoo! data breach that exposed personal info of all of Yahoo’s 3 billion registered accounts.
All of this compromised data will never go back under the control of the people who lost it, and in cases such as SSNs and dates of birth there’s not much one can do. Those are things that just cannot be changed.
In a world that’s increasingly reliant on digital means to store, share and collect all sorts of data (including personal data and sensitive personal data), in which personal information is frequently compromised in data breaches and/or voluntarily disclosed on social media and yet still widely used to identify and authenticate people (think about what “only-you-could-know” info your phone company asked you the last time you called their customer support to get info about something, change something about your contract, or block your SIM card and request a replacement) malicious parties can do real damage.
A very useful tool (both when it comes to security awareness and knowledge about data breaches) is Troy Hunt‘s Have I Been Pwned? project.
The easy to use website lets people check if their data was ever part of a known data breach via a publicly searchable database.
You can also subscribe to the service (it’s all free) with the email addresses you want to keep monitored and (after having verified you’re actually the owner of those inboxes) receive email notifications of both publicly searchable, as well as sensitive data breach information.
A number of companies are now starting to incorporate the useful Have I Been Pwned? tools directly into their products and services. This includes password managers such as 1Password, but also browser extensions such as PassProtect, which can help you avoid using passwords previously exposed in known data breaches by prompting you to change them in real-time.
1Password and PassProtect use k-anonymity, which means that your passwords are never sent to anyone.
13. Data minimization
Try to be aware and mindful about which data you digitize and where you store it, as well as which data you share about yourself (including personal info such as your name and surname, date of birth, home address, etc.), with whom you share it, and how/where you share it.
Keep in mind that you’re not probably dealing exclusively with your personal data, but with the personal data other people have shared and are sharing with you as well.
Personal info such as name and surname and date of birth, which are still used in many cases as only info required to authenticate people (looking at you telecommunication companies…), could be used to impersonate you and gain unauthorized access to all sorts of services you use. Moreover once such data becomes public there might not be a way for you to do much of anything about it.
You may be able to change your passwords, but changing things such as your date of birth, your name and surname, or your home address is much more difficult…
Consider deleting data you don’t need/use anymore.
This could mean deleting old files, Internet accounts, as well as wiping unused devices (like old phones or old Hard Disk Drives still full of personal data).
Keep in mind that aside from employing a trusted disk wiping tool, the best option to wipe devices like old Hard Disk Drives is usually that of physically destroying them.
Two products that can help you minimize the data about yourself you wittingly or unwittingly share with third parties are DuckDuckGo‘s search engine (a search engine that doesn’t track users) and the Tor Browser (a tool that lets you browse the web anonymously).
In case you were wondering: Private Browsing is not an anonymity tool.
14. Social engineering
Even though popular email services like Gmail and Outlook.com already do a pretty decent job at filtering out most junk mail from your inbox and popular web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have the capability of warning you when you’re about to visit potentially malicious webpages, keep in mind that such safeguards will not protect you against everything. And will not protect you against yourself.
Contemporary hacking usually involves the user’s unwitting participation. This is because it is way easier (and cheaper) for someone to send a malicious link or attachment and have the victim do the work for them, instead of having to make their way through technical safeguards themselves (which could be possible too, just generally more expensive).
Think twice before opening suspicious email attachments or clicking fishy links. They could end up tricking you into unknowingly giving away personal information (phishing), into installing malicious software such as ransomware, or some other nasty thing.
Here are a few things you can look out for to protect yourself against these types of attack:
• Things that are too good to be true.
Such communications may involve free giveaways, large sums of money, or something along those lines…
• Messages that convey a sense of urgency and ask you to act promptly.
Such messages may involve communications about your accounts being compromised, and may ask you to put your info into a page that looks just like the original one but in fact is not.
• Shortened links.
Shortened links (like bit.ly’s) can be used to hide links to malicious webpages.
• Email addresses that don’t look quite right.
This may involve very long, apparently random email addresses as well as addresses similar to ones you trust but different in some little, less apparent way.
• Messages from and about services you don’t use.
Such as an email about a bank account from a bank you don’t bank with, or from a service you never signed up for, or about a package you never ordered.
15. Anti-malware software
When using anti-malware software (like anti-virus software) take into account the fact that for it to work it has to have deep access to a system. Vulnerabilities in such software would therefore greatly increase the surface for potential attacks.
This is not to say that you should downright avoid it, instead that you should be aware of the fact that poorly developed anti-malware software (particularly if provided by a third party, which usually needs to hack its way into a system in order to work) could add serious vulnerabilities to a system, instead of helping securing it.
Microsoft’s Windows 10 comes with Windows Defender Security Center as part of the operating system. Consider sticking with it.
Here are some more information on the topic:
• Protect my device with Windows Defender Security Center / Microsoft
• Should users disable Windows Defender on Windows 10? / Security Now
• Steve Gibson’s position on anti-virus software / Security Now
• Disable Your Antivirus Software Except Microsoft’s / Robert O’Callahan
• A Followup About AV Test Reports / Robert O’Callahan
• Steve Gibson and Leo Laporte talk about AV software / Security Now
• Next-gen security with Windows Defender Antivirus / Microsoft
• Disrupt the revolution of cyber-threats with Windows 10 / Microsoft
Whatever you choose to do, try also to be careful and mindful about what you’re doing with your devices and in which context you’re doing it. Anti-malware software can indeed help you, but it can’t do much to protect you if you ignore common sense security practices.
Also, in case you were wondering: Yes, everybody has software vulnerabilities and (yes) there is malware for everybody. No system is immune and there is no such thing as a hack-proof system. That is where regular an timely updates come into play.
16. Webcam security
Webcams are a piece of hardware that is generally easy and very cheap to hack. Consider putting some tape (or a very cool sticker) over it.
This will not make you surveillance-proof, and there’s probably plenty of other cameras around you at all times over which you have less or no control over, not to mention microphones (which are much more difficult to cover or disable)… But hey! At least you’re doing something, and while you’re hopefully feeling good about it, you’re also subtly telling other people that you do care about security and privacy (which is important, and cool).
17. Backup
A good step you can take to try to prevent losing your data to ransomware, or to an Hard Disk Drive or Solid State Drive failure (which will happen at some point) is backups.
You can back your files up to another drive (using tools such as SyncBackFree) or you can back them up to a cloud storage service (such as OneDrive, Google Drive, Dropbox, or Sync if you prefer a zero-knowledge offering). Or you can do both.
While choosing the option (or combination of options) that best fits your needs take into account the sensitivity of the data in question, and the trust you’re willing to place in the cloud storage provider.
18. Personal security assessment
A good way to go about implementing the chapters of this list is defining your threat model.
• What are you trying to protect?
What is it you consider personal/sensitive enough that you’re willing to take extra steps in order to avoid it falling into the wrong hands, or going public?
• From whom are you trying to protect it from?
Are you worried about police surveillance, corporate surveillance, surveillance from your parents, threats from people with physical access to your devices and systems such as spouses, roommates, and employers, or what you’re interested about is adopting general security measures to avoid losing your information to hackers?
• If that person or entity were to come after what you’re trying to protect, how would they do it?
Would they just need to grab your device? Would they need to guess a PIN? Would they need to gain remote access to your devices using malware? Would they need to guess the password you keep reusing? Would they be willing to force you into unlocking your data for them?
• If they were to succede, how bad would the consequences be?
What could be the worst case scenario? How would you handle such a situation, if you were confronted with it?
• How likely is it that someone will come after what you’re trying to protect?
How valuable do you think your information is for the person or entity in question?
• What resources such as time (and maybe money) are you willing to invest to secure what you’re trying to protect?
While going through this keep in mind that figuring out who and what you trust, as well as realizing the fact that if there is someone targeting you their capabilities will likely grow over time can be very important.
Here’s a good resource from the Electronic Frontier Foundation that dives a little deeper into the topic: Assessing Your Risks (EFF).
19. Wrapping things up
All of these things are a good way of protecting your data and the data other people share with you.
But digital security is only as strong as its weakest link, and should therefore be approached as a team sport.
So you can now ask yourself: Do the people I share private, personal, or sensitive information with protect their data (and the data I share with them) as well?
Would it make sense for me to suggest, ask, or demand they follow good practices similar to they ones I’m now starting to follow?
Here are some questions you could ask to make sure you communicate with them securely:
• Would you mind communicating over an end-to-end encrypted service and verify each other’s Safety Number, Key Fingerprint, Security Code, or Key Verification first?
• Are the operating system and the apps on the devices from which this conversation will be accessible supported and up to date?
• Are each of those devices protected with a strong device PIN that you need to type-in every time you unlock them?
• If one or more SIMs are involved, are those protected with a strong SIM PIN as well?
• Do you have device encryption features (ones that also cover any external drives such as SD cards and Hard Disk Drives you might be using) active on your devices?
• Do you have features similar to Find my iPhone turned on that lets you try and locate your devices if you lose them, and lets you send a request to erase all the data stored on them in case you can’t find them?
• Thanks.
Page last updated: 26 July 2018
•
Download page as PDF
