Hacked accounts in the news, endless robocalls, online ads that eerily seem to read your mind. Do I hear Alexa and Siri gossiping about your secrets? It almost feels like paranoia is a totally appropriate reaction.
Last month we posted the first 5 tips that will help make you more secure. Here, we will post items 6 through 11. Let us know if you have any questions about how to keep yourself and your data safe. We are always here to help! Read on…
6. Stock Browsers are Bad Browsers
At least if you’re very serious about privacy. Safari sends data to Apple and you better believe Chrome sends info to Google. If this is part of your threat model, ditch them both and go with Firefox, which is the most secure of the mainstream browsers.
For super-duper security and privacy, here are some recommended extensions:
- HTTPS Everywhere: This is a must for everyone. Forces sites to encrypt your connection whenever possible.
- uBlock Origin: Great, customizable ad-blocker. Do not install if you love ads.
- Cookie AutoDelete: Prevents tracking. Not for everyone. Very secure, not-so-convenient.
- Multi-Account Containers: This makes each tab operate as if it were a separate browser, preventing those eerie recommendations that seem to read your mind. Not for everyone.
- TrackMeNot: It runs random Google searches in the background to bury your real searches in a haystack of noise. Only needed if you’re very privacy conscious and have a puckish sense of humor.
For your smartphone, it’s Firefox again, unless you want super-security and don’t mind a convenience hit; then go with Firefox Focus.
And at the super-extreme outer edge we have the “Deluxe Snowden Package.” You’ll need Qubes and Tor (Pro tip: be careful with those exit nodes.) And you cannot afford to be tracked by your phone. Get a Faraday bag — or put it in a martini shaker. Yes, seriously.
Browser secured. But that’s not going to help much when the data leaves your computer and heads out there into the big bad internet. How do you keep your online activities secure and private when they’re out of your hands?
7. Dig a Tunnel
Your ISP can see every site you visit when you’re online at home. And so can the marketers they sell that info to. If a connection isn’t secure, hackers can intercept your traffic and mess with you. And using public WiFi is like making your poor little phone have unprotected sex with very unattractive strangers. How the heck do we stay safe from all these prying eyes and barbarians at the digital gate?
It’s called a VPN and I’ll go so far as to say everyone should have one. Basically, it creates an encrypted “tunnel” between you and your VPN provider, protecting your internet activities from visibility and attacks. Your ISP now only knows you’re connected to the VPN, and nothing more. Hackers can’t break through the encryption to monkey with your data. And public WiFi gets a much-needed condom.
Note that some sites don’t play well with VPNs, because many bad guys use them. VPNs are pretty cheap (roughly $5 a month) and they’re simple to set up on both computers and smartphones. PIA and NordVPN are recommended providers.
So far we’ve discussed a lot of attack scenarios you’re probably familiar with. But here’s one most people aren’t. And if you’re not protected, it could lead to someone emptying your bank account…
8. The Phone Number is the New Social Security Number
What do you do whenever you get a new phone? Call your cellular provider and have them move your number to the new device. Easy peasy. But what if I called your cellular carrier and pretended to be you? They move your phone service to my phone. And when I log in to Bank of America with your password, guess who gets the text with that 2FA code? Yup, moi. Shopping spree time. (Hacking the password was easy; it was “123456”, right?)
This is called “SIM swapping.” These days people are signing up for 2FA more often, so SIM swapping is happening more often. If you’re doing 2FA with an app like Authy or a hardware token, you’re covered. But some sites (*cough*, *cough*, Bank of America) only offer 2FA by SMS. Ugh. What to do?
Many of the phone companies are now offering to secure your account with a password, so go to their site or call them to get one. People won’t be able to port your number without the code.
And what’s the ultimate-privacy-Jason-Bourne-level-security-tinfoil-hat-conspiracy-theory solution? That’s easy: make sure nobody knows your phone number — not even you. This will prevent both SIM swapping attacks and shady dudes from selling your GPS location. But how the heck do you do it?
Move your current phone number to Google Voice. (You can do that here for $10. Instructions here.) Sign up for a pre-paid mobile plan. (Mint Mobile is dirt cheap and reliable. Join here.) They’ll give you a new SIM card with a new number. You now get all your calls, texts and voicemail through the Google Voice app. And you never give the new SIM card number out to anyone. Yes, this works. You can’t be SIM swapped, you can’t be tracked… and anyone you tell about it will probably assume you’re a fugitive, a drug dealer or utterly insane.
While we’re driving down paranoia lane, SMS text messaging is fundamentally insecure. Switch to an encrypted free app like Signal. But the people you’re contacting need to have it as well. So now you’re an insane fugitive drug dealer who is also having an affair. Remember what I said about security vs convenience..?
We’ve covered a lot of technical stuff, but one of the most important things to do when dealing with online security threats is to change your attitude…
9. Be More Skeptical
Phishing attacks don’t always come in the obvious form of emails from Nigerian royalty. Increasingly, these attacks appear to come from close friends, leading you to click links without hesitation. Using a site like this I can send you an email that appears to be from, well, anyone. And this site lets me do the equivalent with my phone, spoofing my caller ID. Yes, it’s that easy.
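A forged "From" line is exactly what the receiving mail server's SPF/DKIM/DMARC verdicts are meant to expose. The check below is an added example, not part of the original article: it reads those verdicts from the `Authentication-Results` header and flags the usual spoofing tells. The host name `mx.mymail.example`, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "mx.mymail.example"  # assumption: the authserv-id your own provider stamps

def auth_results(msg, trusted=TRUSTED):
    """SPF/DKIM/DMARC verdicts, read only from the header our own server added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted:
            continue  # a header stamped by any other host may be forged
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts.setdefault(method, verdict)
    return verdicts

def spoof_warnings(raw, trusted=TRUSTED):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdicts, warnings = auth_results(msg, trusted), []
    if verdicts.get("dmarc") != "pass":
        warnings.append(f"DMARC for {domain}: {verdicts.get('dmarc', 'no result')}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != domain:
        warnings.append(f"Reply-To points at another domain: {reply}")
    if "@" in display and display.strip().lower() != addr.lower():
        warnings.append(f"display name {display!r} hides real sender {addr}")
    return warnings

# Constructed sample messages (not real mail).
GENUINE = """\
Authentication-Results: mx.mymail.example; dkim=pass header.d=friend.example; dmarc=pass header.from=friend.example
From: Alice <alice@friend.example>

See you at noon.
"""
SPOOFED = """\
Authentication-Results: mx.unknown.example; dmarc=pass header.from=friend.example
Authentication-Results: mx.mymail.example; spf=softfail smtp.mailfrom=bulk.example; dmarc=fail header.from=friend.example
From: Alice <alice@friend.example>
Reply-To: alice.friend@webmail.example

Please open the attached link.
"""

if __name__ == "__main__":
    print(spoof_warnings(SPOOFED))
```

Only the verdict stamped by your own provider counts; the extra "pass" header in the spoofed sample is ignored because anyone can add one before the message arrives.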
Don’t log in to anything important using a public computer or public WiFi without a VPN. Turn WiFi off on your phone to avoid being tracked in retail stores. And sign up for notifications here to find out if any of your personal information has popped up in data breaches.
If giving out personal info is an overwhelming concern for you (everybody say it with me now: threat model) you might want to check out MySudo. Ever wanted a secret identity? MySudo offers you multiple “aliases” — each with their own working phone number and email address. For when you have to give the hotel a number but don’t want marketing calls, when you’re not sure about that person on Tinder, when buying things online, or if you just want to pretend you’re Stringer Bell from “The Wire” carrying a burner phone.
10. Be Wary Of The Cloud And Social Media
Most of us see free iCloud backup as an awesome service. And it is… but also look at it through your security lens: any time you back up in the cloud you are putting all of your data on a computer you do not control.
The cloud is great for convenience and data loss protection but anything you put on someone else’s computer is subject to data breaches or nosy employees. For most people, the cloud is probably fine. But if you plan on becoming a political dissident or an international celebrity (no, I’m not going to link to the hacked nudes of Jennifer Lawrence but I can’t stop you from Googling them) keep your data on your devices. There’s also a middle path: encrypt files before uploading them.
11. Convinced “They” Are Watching You? Set Traps.
If you’ve got a stalker, an abusive spouse, or live in a country where having unpopular political opinions tends to make people vanish, you’ve got a legit extreme threat model. And I’m here to help.
Whether it’s a despotic government, your boss, or the henchmen of the Illuminati, how do you know if someone already has access to your computer? What if you had a “canary in the coal mine” to warn you?
Canary Tokens allows you to create, for free, files that send you an email when they’ve been opened, along with the IP address of the intruder. Throw one on your desktop with a too-good-not-to-click-on name like “passwords”, “finances” or my personal favorite, “stuff to discuss with therapist” and then never touch them. If you get an email from Canary Tokens, somebody’s looking at your stuff — and it ain’t you.
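How a tripwire like this can work in principle: the decoy carries a unique, unguessable URL, and any request for that URL raises an alert with the caller's IP address. This is an added sketch, not the Canary Tokens service's own code; the host `tripwire.example`, the function names and the in-memory alert list (standing in for the email) are assumptions.

```python
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}   # token id -> memo saying which decoy the token was planted in
ALERTS = []   # stands in for the email a real service would send

def mint(memo, base="http://tripwire.example"):   # hypothetical host
    token = secrets.token_urlsafe(16)             # unguessable, one per decoy
    TOKENS[token] = memo
    return f"{base}/{token}/logo.gif"

def handle_hit(path, client_ip, user_agent=""):
    token = path.strip("/").split("/")[0]
    memo = TOKENS.get(token)
    if memo is None:
        return None   # scanners and typos hit unknown paths: no alert
    alert = {"memo": memo, "ip": client_ip, "agent": user_agent,
             "time": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    ALERTS.append(alert)
    return alert

class Tripwire(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = handle_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        if alert:
            print("ALERT:", alert)
        self.send_response(204)   # same empty reply whether or not the token exists
        self.end_headers()

if __name__ == "__main__":
    print("embed this URL in the decoy:", mint("Desktop/passwords.docx"))
    HTTPServer(("127.0.0.1", 8080), Tripwire).serve_forever()
```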
Barker, Eric. “11 Secrets That Will Make You More Secure on the Internet.” Barking up the Wrong Tree (blog), March 2019.