A friend of mine recently lost their smart phone. They did most of the right things – sent the wipe signal to it, and changed their passwords. Unfortunately, they missed telling the cellular carrier, and it turns out that someone had simply moved the SIM card into another phone and used it to make hundreds of dollars in overseas calls (much like we used to see with calling card and conference call numbers). It also meant that any inbound calls and SMS messages would have rung on that stolen phone – something to think about in the age of SMS-two factor authentication.
He asked me for an updated list of suggestions on how to get secure and stay safe online, and rather than doing a one-off, I thought I’d share here – feel free to add suggestions in the comments, and I’ll keep this current. The first is the most important, and the rest are in no particular order. Many of these are involved topics that deserve posts in their own right – this is just a quick summary.
[Updates at the end]
#1 – Keep Current
Make sure you’re on a current and supported operating system, and keep up with patches. For Windows that means 7 or higher, for Mac El Capitan or higher, and for iOS it means 9 or higher. For both Windows and Mac, that’ll change soon – Windows 10 and Sierra are better options. Android is much harder unless you get updates directly from Google. If you don’t, you’re behind – that’s one of the reasons I don’t recommend non-google Android devices.
This also means keeping your applications up to date. If you still have Office 2003 because it’s all you need, unfortunately, you’ll have to pay the Microsoft tax and get a current version to get patches. Ditto on the Adobe products, and pretty much everything else.
For both OS and apps, apply patches and updates on a regular basis. For Windows machines, makes sure you watch for ‘Patch Tuesday’ and apply patches right away – often the bad guys release new malware shortly afterwards that attacks unpatched machines. We all find it hard to keep up with patches (Window takes far more care than Mac), so when possible, turn on automatic updates. Which brings us to the importance of the next item:
Backups
Things will go wrong. Consumer cloud has no guarantee of backup or restoration of data, so don’t trust Google, Apple, Microsoft, DropBox, or any other service as the sole place your information lives: any critical information (i.e. family photos) should live in at least two physical places, one of which should be in your personal controls. For example, one of the first things I disabled in Sierra was the ‘automatic migration of data to iCloud’. Aside from not controlling what’s uploaded, the last thing I’d trust a consumer-grade service to do is delete anything off my machine automatically.
Backups should be encrypted (see below), and at least one stored offsite – either a cloud-based backup like CrashPlan, or a drive in a safety deposit box or at a friend’s house. If you use cloud backup, remember that they don’t work for things like virtual machines, and can blow out your data charges.
So I backup my iOS devices to my local computer (not iCloud), then backup the Mac using Time Machine (for the oops I deleted it situations), and Carbon Copy Cloner (www.bombich.com) for my disaster backups. CCC has saved my bacon more times than I can count, and I highly recommend it for Mac users.
I also strongly recommend that at least one of your backups be physically disconnected from your computer when not actively backing up. That’s the single best defense against ransomware.
Securing the browser
Absolutely run a current browser version. I recommend using uBlock Origin and Privacy Badger to cut down on the worst of the tracking and funky sites. Don’t use shady extensions like video downloaders. To be extra safe, use two browsers – one for general browsing, and one for sensitive sites. Be careful of typo-squatting sites. That’s one reason I like 1Password – it validates the URL before pasting in credentials. Stick with one of the big three – Edge, Firefox, or Chrome. Retire Internet Explorer.
Trust the cloud – sort of
There are three kinds of cloud services: free/consumer, and enterprise. Free services monetize you in some fashion (more below), usually by selling your data to advertising – and I recommend avoiding them. This includes services like Gmail, Facebook, Twitter, and such – if you’re not paying for it, you’re the product, not the customer.
iCloud is paid for as part of buying Apple products, and while Apple uses the data for marketing and product development, they don’t sell it to third parties, so it’s somewhat better. One thing that all consumer services have in common is that they disavow any responsibility for data loss or disclosure.
So, for backups and email, I recommend paying for the service. You’ll get much better responsiveness and much less privacy compromise. And make darn sure the data is encrypted before uploading.
Passwords & Password Managers
That’s especially true of Password Managers. I’m not a fan of cloud-storage for my password vault – it’s too inviting a target. That’s one of the reasons I use 1Password from www.agilebits.com – they offer a local sync option. But using one with the cloud is far better than not using one, and I have a number of family and friends using the 1Password cloud options. I’ve written recently about 1Passwords migration to the cloud, and while I have concerns, it’s still the best option out there.
Your password manager password needs to be a good one – a passphrase is best. The new advice is to pick four or five words: cheetah shark Saturn smiley mayonnaise. You’ll remember it much easier than a random set of characters, and most good cracking tools now easily bypass backwards words, replacing letters with numbers, and all the other tricks.
All this implies, yes, use a password manager that generates unique random passwords for each site. That way you only need to remember one single password (hence 1Password) that’s really good and strong, then it does the rest for you.
Note: Do not use the web-version of a password manager. Use the application on a device that you control.
Lie
That brings me to one of the toughest ones – lying to sites by intent. This falls into two categories – lying for protection, and lying because it’s none of their business. For the former, when a site asks you to create a secret question and answer, lie – use a random word, and then store that in your password manager.
More importantly, when a site asks you for information it doesn’t need – your birthday for a shopping site for example, make something up that’s completely random. I started getting retirement spam after using a 1940’s date…interesting.
This is also true for sites or companies that ask for ‘mother’s maiden name’. Go change all those and record the new random answers in your password manager. For companies that continue to insist on the single worst authentication mechanism (last 4 of SSN), pester them to see if you can get it changed. If not, then we should all shame them on social media.
Use two-factor
When offered, use two-factor authentication. It’s not perfect, but it’s better than just a password. Do not use just device-based authentication though, always use both factors.
Disk/device encryption – backup and machines
Turn on whole disk encryption on your system. For mac: https://support.apple.com/en-us/HT204837 and for Windows: https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption
Set mobile devices to lock and wipe
If you have options to disable biometrics, and force a passcode after a handful of attempts turn it on, and then turn on the options to wipe the device after 10 failed attempts.
And use something stronger than a 4 digit PIN – at least 6. Alpha numeric is better. Pick one that’s not your, your spouse, your kids or any other date, address, phone number, or anything else that’s easy to guess or on social media.
While you’re at it, set airdrop to ‘contacts only’. Better to stay off the grid.
Biometrics
Biometrics are a mixed bag. Right now there’s tons of snake oil out there. The only one that I trust for regular use is the fingerprint reader on the iPhone – and that’s because of the lock/wipe options. I do not use it on a computer – type the passphrase instead. Facial recognition, swipe patterns, and such can be spoofed trivially, and many consumer grade fingerprint readers can be as well.
Stay off public (and other) computers.
Using a public computer is like licking the seat in an outhouse. Just don’t. Ever. Your friend’s computer isn’t quite as bad, but unless you know that they have good hygiene, it’s best to only use your own devices.
Uninstall Flash and Java
It’s time to get rid of these two applications from your personal machines. Corporate machines should too, but that’s a whole more involved story.
Flash:
Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html
Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
Java:
Mac: https://www.java.com/en/download/help/mac_uninstall_java.xml
Windows: https://www.java.com/en/download/help/uninstall_java.xml
If you have to use Flash, use Chrome (but disable all the tracking first).
Get accounts before the bad guys do
As Brian Krebs recommends, get accounts on https://www.ssa.gov/ and IRS.gov https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/ before someone does it first.
Credit Freeze
And again a shout-out to Brian, for his information on getting credit freezes from all four agencies. Credit monitoring is useful for telling you it’s been compromised – a freeze protects it up front. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
If your homeowners insurance offers identity theft protection as a rider, that’s not a bad investment for the price.
Note: If you have kids, freeze their credit too.
eMail security
Email is not private. If you have a standalone email application, using SSL only keeps it secure between your machine and the server. If you do it in the browser, same situation – and you’re also exposed if the browser is compromised. Never email any sensitive information like bank account numbers, social security number, credit card numbers, and so on. If you’re emailed a new password after a reset, immediately go change it on the site itself.
Note: Yes, there are ways to technically encrypt email end-to-end. It’s not clean or easy, and pretty fiddly. If you absolutely positively must email something sensitive, my recommendation is to encrypt the document itself then attach that to a regular email. That’s beyond the scope of this post.
Because password resets are done via email, this is the most important account you have. It must be used with a robust random password, and you should never login from any device that you don’t own and control. If the bad guys get your email, they get all your other accounts.
Have a throwaway email
So that means having more than one might make sense. Ever have a site that you might want to get information from, but don’t want them to have your details? Get and use a throwaway email account – or a junk mail account to use for all of them.
Never click links
And never, ever, click on any link in anything on that junk account. That’s good practice for all email and all links. Go manually to their site, and login by hand. Related – stop sending emails with links in them (internal corporate communications I’m looking at you).
Stay off the seedy side of the internet
It goes without saying, stay off the seedy side of the internet. Get legal software and content, avoid torrents, and naughty sites.
VPN/Public Hotspots/Cellular Data
I avoid using any public hotspots – it’s far too easy for someone to sniff what you’re doing, Use your cellular hotspot when you can. For better protection, use a personal VPN like www.getcloak.com to prevent traffic monitoring and cellular carrier supercookies. This includes hotel internet.
Never respond to inbound phone calls
If you get a call allegedly from your credit card company, bank, insurance company, or similar company, don’t give any information or acknowledge that you even have an account. Politely thank them, and call the number on your credit card or statement (not the one they give you over the phone). Hiring a fake call center is trivial.
Firewalls & Antivirus
Turn on the Firewall on a Mac https://support.apple.com/en-us/HT201642 and Windows https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off
As a minimum, turn on Xprotect on the Mac https://support.apple.com/en-us/HT201940 and Windows Defender on Windows: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer
On both Mac and Windows use www.malwarebytes.com to scan and remove malware, including adware.
On Windows, seriously consider paying for antimalware software. At this point I’d probably recommend Symantec over the alternatives – the free solutions aren’t worth it. If your bank offers Trusteer Rapport, download and install it.
Oh, and disable file sharing if you haven’t already.
Don’t tweak the bad guys
I know folks who will keep the ‘tech support’ spoofers on the line, or text with the thieves who stole a phone, or respond to phishing emails with ‘nice try’. Don’t. These folks are very good at what they do, and most of the time you’re just a drive by as they conduct a massive campaign. But if you get them mad and they target you, it’s a whole different ball game. Respect their skills.
In the end
Be skeptical, be wary, and be prepared to be hacked. I had a bank ask me to send mortgage paperwork via email. I said no. I’ve had calls to my phone that spoof my own callerID. I hung up. I’ve also had really clever phishing emails that I almost clicked. I did – to delete. We’ve had our credit card stolen several times – caught it by watching my bills weekly.
As one of the characters in Harry Potter was fond of proclaiming, ‘Constant Vigilance’.
[Update]
Shred it
Shred anything and everything that has your information on it. That includes envelopes from bills (they identify targets for the bad guys to hit), junk mail, receipts, boarding passes, hotel room cards, credit cards (unless metal – cut those with tin snips), conference badges (I punch out the RFID chip as soon as I get one), old business cards, and so on. Bar codes are the most insidious as they can hide a lot of personal information, as Brian Krebs points out in the link about boarding passes.
