Want to protect your security and privacy? Here are some places to start.
With Thanksgiving behind us, the holiday season in the US is officially underway. If you’re reading Ars, that can only mean one thing: you’ll be answering technical questions that your relatives have been saving since the last time you visited home.
This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.
This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised. And while security often comes at some cost to usability, we’ve also done our best not to impact the fundamental utility and convenience of your devices.
These recommendations simply don’t represent the absolute best in security and privacy—the Electronic Frontier Foundation (EFF) has excellent, more in-depth guides on security for activists and protesters that you can read if you want to get even further out into the weeds. But these are all good, basic best practices you can use if, like so many of us, you want to protect yourself against security breaches and trolls. Feel free to share it directly with those in your life who insist on doing the computer work themselves.
Protecting your devices
Install updates, especially for your operating system and your browser
This ought to be self-evident, but: install updates for your phones, tablets, and computers as soon as you can when they’re made available. The most important kinds of software updates are those for the operating system itself and for your browser, since Chrome, Firefox, Safari, Edge, and the rest are common points of entry for attackers. Updates for password managers and other apps on your system are also important, though, so don’t ignore those update prompts when you see them.
Waiting a day or two to make sure these updates don’t break anything major is fine, but don’t ignore update prompts for days or weeks at a time. By the time an update exists for a security flaw, it is often already being used in attacks, which is why it’s important to install updates as quickly as possible.
On this note, also be careful about using Android phones, which often run out-of-date software without current security patches. Google’s Nexus and Pixel phones, which get software updates promptly and directly from Google, are the best way to make sure you’re up to date; while Samsung’s newer smartphones are also patched relatively promptly, everything else in the Android ecosystem is hit or miss.
Use strong passwords and passcodes
Having your accounts hacked is what you should be the most worried about—more on this later—but it’s also important to secure the devices you’re using to access those accounts.
It goes without saying that you should use a good, strong password to protect every single user account on any PCs or Macs. On smartphones, you should use as strong a PIN or password as you reasonably can. If your phone uses a fingerprint reader, take advantage of that added convenience by locking your phone with a strong alphanumeric password. Target a 12- to 14-character minimum, since shorter passwords are more susceptible to brute force attacks.
Encrypt your phones and computers
If you need an oversimplified but easily understood way to explain “encryption” to someone, think of it as a massively complex decoder ring; when data is encrypted, it can only be accessed and read by a person or device that has the “key” needed to translate it back into its original form. It’s important to encrypt your communications, and it’s also important to encrypt the devices you use to access any sensitive data since that data can be stored on them locally whether you realize it or not.
The basic encryption guide we ran last year is still current; I’ll cover basic guidelines here, but refer to that for fuller details.
- iPhones and iPads are encrypted by default. Use a strong passcode and you’ll generally be fine.
- Macs are not encrypted by default, but FileVault disk encryption is fairly easy to enable in the Security section of the System Preferences.
- Some newer Android phones are encrypted by default, but go to the Settings and check under Security to confirm (this may differ depending on the phone you use). If the phone isn’t encrypted, it’s fairly easy to turn it on in the Security settings; protect the phone with a strong passcode afterward. Older phones and tablets may suffer a performance hit, but anything made in the last two or so years should have no major problems.
- Windows PCs tend not to be encrypted by default, and it’s only easy to enable encryption on newer PCs with the more expensive “Pro” versions of Windows. Windows can be encrypted by default, but only by supporting an esoteric list of requirements that few PCs meet.
Protecting your accounts
The most significant thing you can do to protect your e-mail, bank, Apple, Facebook, Twitter, Google, Amazon, Dropbox, and other accounts is still to enable two-factor authentication (sometimes called two-step authentication or 2FA). This means using a combination of multiple credentials to get into your account, usually a password and a six-digit code sent to your phone or generated by an authenticator app.
There are three primary types of authentication: something you know (i.e. a password), something you have (i.e. your phone or a secure key), or something you are (i.e. your fingerprint or face). To be considered “true” two-factor authentication, each factor needs to be from a different one of those three categories. So, for instance, something that requires a password plus your phone is two-factor authentication. Something that just asks you for two passwords is not, since they’re both something you know.
SMS texts sent to your phone are relatively easy to hijack for determined attackers, so you should definitely use an authenticator app whenever possible. I prefer Authy, but Google Authenticator is also widely used. When you enable two-factor authentication on an account, the first time you log in to an account on a new phone or computer, you’ll generally be asked to enter a special code after you enter your password. Anyone who has your password but doesn’t have the code can’t get into your accounts. You may also need to sign back in on all of your other devices before you can use them with your account again.
Here are instructions for setting up two-factor authentication for a variety of services; if you can’t find yours on this list, Google is your friend; twofactorauth.org is also a helpful resource.
Using a password manager (and good password practices)
Two-factor authentication is great, but it’s only extra protection on top of good, strong passwords and password practices. Security researcher Brian Krebs has a good primer on password security here, but the most important things to remember are:
- Don’t use the same password for multiple sites/services, especially if you use those sites/services to store personal data.
- Change your password regularly, and change it immediately if you suspect that the service has been hacked or that someone else has tried to use your account.
- Use the strongest passwords you can. Using various characters (capital and lowercase letters, numbers, punctuation) is important, but password length is also important. Consider a 12-to-14-character password to be a useful minimum, depending on the site’s password policies.
Remembering passwords is annoying, especially if you’re changing them all the time. One solution to this problem is to use a password manager. These are apps that generate long, random, complex passwords and store them for you in encrypted form either on your device or in the cloud. You have to set and remember one strong master password (we recommend perhaps writing this down and putting it in a safe and secure place), but the app does the rest.
There are lots of password managers available, but 1Password is probably the best known and best supported. It costs $2.99 a month for one person and $4.99 a month for a family of up to five people, and there’s a 30-day free trial available as well. LastPass is also an OK free alternative, though this sort of protection is worth the cost. It’s also generally a good idea to support companies that do security- and privacy-related work going forward.
Protecting your communications and Internet use
Using Signal for SMS and voice calls
Protecting your communications from being intercepted and read is one of the most important things you can do, but it’s also more difficult than other security measures we’ve discussed so far.
Using an encrypted messaging service is the best way to protect your texts from prying eyes. If you’re using Apple’s iMessage service (i.e. blue bubbles), you’re already using an encrypted service, but the downside is that it only works between two Apple devices and that Apple may still be able to hand out your data if asked.
For communications between an iPhone and an Android phone or between two Android phones, your best option is Signal, a secure SMS app by Open Whisper Systems that provides encryption for both texting and voice calls. Both you and your recipient will need to have Signal installed for it to work, but the app makes it easy to send out download links to your recipients and it’s easy to set up and use. The EFF has detailed installation instructions for iOS and for Android.
Another encrypted messaging service you may have heard of is WhatsApp, but the company’s acquisition by Facebook in early 2014 has given rise to some concerns among security and privacy advocates. Still, depending on what the people you know already use, it could be better than just plain SMS or other chat services.
Using VPNs, especially on public Wi-Fi
You know those unsecured public networks that you log into when you’re at the cafe or coffee shop? Not only can anyone also get on that network and potentially exploit it, but attackers with relatively simple, inexpensive tools can see all of the data that travels between your phone or laptop and the wireless router. Even networks with passwords (like those you’d use at work or in a hotel, for instance) can expose your data to other people who have the network password.
The answer here is to use a Virtual Private Network, or VPN. If you think of the streams of data going between a router and everything connected to it as an actual stream, then a VPN is a sort of straw or tube that keeps your stream separate from everyone else’s. VPN services can also hide your browsing data from your Internet service provider, and they can give you some degree of protection from trackers used by websites and ad networks. (Again, like most measures, this is not a guaranteed way to achieve perfect security.)
Subscribing to a VPN does cost money, but there are many options that will run $10 or less per month. Private Internet Access offers support for Windows, macOS, iOS, Android, and Linux; will let you use the service on up to five devices simultaneously; and costs a relatively inexpensive $6.95 a month or $39.95 a year (which breaks down to $3.33 a month). If you use public wireless networks with any frequency at all, a VPN is a must-have and well worth the cost.
VPNs aren’t cure-alls, since some public networks are set up to keep them from working—sometimes on purpose so they can show you ads, sometimes by accident because they want to keep the networks from being used for anything other than basic Internet. Using a Mi-Fi hotspot or your phone’s tethering features when you’re in public can be expensive, but it can also provide some peace of mind when you’re having trouble getting your VPN to work on a public network.
E-mail security (is hard to do)
E-mail security is difficult, and both of our security experts on staff have described it to me as a “lost cause” and “fundamentally broken.” The primary problem is that even if you take precautions to protect your end of the conversation, you can do little to secure the servers and clients in between and on the receiving end. Some services like Gmail offer enabled-by-default encryption between your computer and their servers, but sending a message from one server to another is still often unencrypted. Paid services like ProtonMail are promising—it promises enhanced security and privacy and they won’t read your messages or scrape data from them so they can sell ads to you—but it hasn’t been thoroughly audited, and it only really works as intended when sending mail between ProtonMail accounts. And longstanding e-mail encryption tools like PGP (“Pretty Good Privacy“) are notoriously difficult to set up and use.
You should definitely do what you can to secure your e-mail from casual snooping, and you should protect your account with the tools we’ve already mentioned—using an account from a major provider like Google, Microsoft, or Yahoo with a strong password and two-factor authentication enabled is a good way to start. But for truly sensitive communications that you want to keep private, using Signal or WhatsApp or even Facebook Messenger’s “Secret Conversations” feature is a better way to do it.
Deleting old e-mails
Another mitigating factor for the e-mail problem is message retention—someone with ten years’ worth of data to dig through is naturally going to reveal more about themselves than someone who only has six months of messages. Even free e-mail providers often give you so much storage space that it can be tempting to be a digital packrat and just keep everything, both for nostalgic reasons and just in case you ever need it for something. But the more communications you store, the more information that companies, law enforcement, and hackers have to track your wheelings and dealings.
Consider how important or sensitive your communications are, and consider how often you actually need old e-mails. Consider deleting e-mails at regular intervals—deleting things after one year or even six months can be a good way to start if this is something you’re worried about, and think about deleting unimportant messages even more frequently.
If you’ve done all of these things and you’re looking to do more, the EFF’s Surveillance Self-Defense page is a good resource. It has more in-depth technical explanations for many of the concepts discussed here, as well as further recommendations. The EFF also offers Chrome and Firefox plugins like Privacy Badger and HTTPS Everywhere, which (respectively) attempt to keep ads from tracking you across multiple sties and load content over an encrypted HTTPS connection rather than a standard HTTP connection whenever HTTPS is available. You could also look into things like the Tor project, which goes to greater lengths to obstruct surveillance and ensure privacy.
Via: Ars Technica