Before we commence with the festivities, I wanted to thank everyone for helping my first book become a Wall Street Journal bestseller. To check it out, click here.
Hacked accounts in the news. Endless robocalls. Online ads that eerily seem to read your mind. Do I hear Alexa and Siri gossiping about your secrets? It almost feels like paranoia is a totally appropriate reaction.
In 2018 alone, data breaches exposed 4.5 billion records to hackers. Three months into 2019, another 2.7 billion are already illegally available for sale. But hackers aren’t the only problem…
We’ve all read about the 50 million Facebook accounts involved in the Cambridge Analytica scandal. And another 30 million were exposed in October of 2018. Oh, and in September another 7 million had private photos revealed. Of course, Google knows every search you’ve made (yes, even in incognito mode) and tons of other stuff about you. And in 2014, hackers released a lot of not-so-clothed pictures stolen from celebrities’ Apple iCloud accounts.
Oh, and don’t forget that your internet service provider has a list of every website you’ve ever visited at home. Yes, even “those” websites that we don’t discuss at family dinner. And they sell that info to marketers. Some retail stores now track how often you visit and which aisles you spend the most time in. Three-hundred bucks to the right shady individual can buy me your exact location at any time. And nobody wants their credit info leaking. But it already has. Multiple times.
Feeling a bit “1984” over there, Winston Smith? Okay, let’s take a breath. Don’t start folding your tinfoil hat just yet.
There is one ironclad rule on our side: Nobody can abuse information about you that they don’t have. Which is why we need to take security and privacy more seriously. Because it’s on us. And so I present you with what could be titled: “Internet Security and Privacy: The-More-Than-You-Care-To-Know Edition.”
I’d like to single out Michael Bazzell for his fine work that I drew a fair portion of this info from. He spent years at the FBI’s cyber crime division and was a consultant on the first season of Mr. Robot. His incredibly thorough books are The Complete Privacy & Security Desk Reference and Hiding from the Internet: Eliminating Personal Online Information.
We’re gonna cover everything from fundamentals like good passwords all the way to the paranoid level of aliases and burner phones. If you just want to be safer online or if you want that tinfoil hat to be nicely tailored, this should have you covered.
So what’s the first step?
Security and privacy are different. Security is about keeping other people out of your online accounts and devices. Privacy is about who gets to hold personal details about you. (So putting your entire digital life into Google products is excellent for security — but often terrible for privacy.) You can be more concerned about one and less about the other.
And then there’s the “security/privacy” vs. “convenience” trade-off. It’s pretty much axiomatic that more secure means less convenient. You can be concerned about privacy… but not concerned about it enough that you want to live in a Faraday cage. So how can we be responsible without being paranoid?
The answer is to think about your “threat model.” Ask yourself (non-rhetorically): “What am I afraid of? And how much am I willing to do to prevent it?” Are you more concerned about security or privacy? More worried about hackers or stalkers? Are you someone who just wants to be on fewer marketing lists or are you a whistleblower who may have the resources of a global corporation turned against him or her?
Know what you want to defend against and you’ll know what measures will be vital — and what is paranoid overkill.
Alright, we know how to evaluate what’s necessary for each of us. But this first one is non-negotiable, whatever your threat model may be…
No, not the Disney movie. You need to get a credit freeze. It’s the best defense against identity theft. The best time to get one is yesterday. Or sooner.
Many of you are saying: “Yawn. I did that a long time ago with all three credit agencies.” To which I would reply, “Actually, there are 6 credit agencies.” Oooooops.
And if you have young children get a credit freeze for them too. Kids are a big target because their credit is not only “clean” but also their reports are unlikely to get checked for, oh, about a decade or so. It would be awful for little Jimmy to be $300,000 in debt by age nine. More info on credit freezes for kids here.
Okay, let’s talk about that computer of yours. It’s feeling vulnerable and needs a little more than a hug…
This trio is critical for your computer. Full disk encryption keeps your data safer if the machine is lost or stolen, and a firewall protects you from some online attacks. (Here’s how to set up FDE and a firewall on Mac, and here’s FDE and firewall on Windows.)
Backing up means if anything happens to your computer you won’t lose your data. Think of it like homeowner’s insurance for your digital life. You have to do this regularly, but it’s often easy to automate. If you’re very concerned about your data, you want to have multiple encrypted backups, with one of them maintained offsite. The latter means putting an encrypted copy of your info on a USB drive that you keep at a friend’s place (recommended) or in the cloud (not recommended). This way if a meteor hits your house or the jackbooted minions of the great global conspiracy seize the rebellion’s plans, you’re covered. Good options are Time Machine and Carbon Copy Cloner. And I highly recommend this little guy.
The most important part of smartphone privacy is limiting app permissions like location data, contacts, etc. And don’t download sketchy apps.
Okay, you should be in good shape. But there’s something that comes up again and again that we tend to put off. But it’s vital. In fact, many experts say it’s the single most important thing you can do to increase security…
Most hackers aren’t geniuses. Often they’re using the same tricks from 5 years ago. But if you haven’t updated your software in 5 years… uhhh yeah, that’s a problem.
Those updates you’re putting off? Most of them are security-related. Apply updates ASAP. It often feels like it’s doing nothing but you’re forgetting that when it comes to security, “nothing” is a wonderful thing and “something” is very very bad.
And routinely update all your devices. Desktop, laptop, smartphone, firmware on routers, etc. Enable automatic updates on any device that offers it.
After any update, check your settings. When new features are added they often default to the least secure options. And sometimes updates even turn on options you turned off. Sadly, the price of digital liberty is often eternal vigilance.
Okay, you’re updating often. But there’s a way to increase security and make updates less cumbersome at the same time…
If you don’t use something regularly, delete it. Smartphone apps, computer software, browser extensions, etc. This reduces “attack surface.” The more software you have, the more points of failure you have. More things that can have vulnerabilities. More potential rogue software doing things it shouldn’t do.
Alright, time for an intervention. We need to have a serious talk about a very serious subject. I’m very disappointed in your behavior…
The most common passwords are embarrassing: “The top two slots have been left unchanged for the fifth year in a row. They are, maddeningly, ‘123456’ and ‘password’.”
A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.
By the way, that article is seven years old. You think computers have gotten faster or slower since then? Exactly. You need unique, strong passwords for every account and on every device. 12 characters or more, a mix of letters, numbers and special characters. And unique matters as much as strong: a reused password only has to leak once. No excuses.
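To put the 350-billion-guesses-per-second figure next to the 12-character rule, here is a small added example (my own, not the article’s or Michael Bazzell’s) that checks a password against that rule and estimates how long an exhaustive brute-force search would take at that guess rate. The guess rate and the character-class sizes are assumptions for illustration; real cracking rigs vary. Note what the estimate does not capture: “123456” falls on the first few guesses of any leaked-password list, so the brute-force ceiling is only meaningful for passwords that are not already in a dictionary.

```python
import string

# Character classes an exhaustive search has to cover once it knows the
# password uses them. Pool sizes are the plain printable-ASCII sets.
_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# Assumed guess rate, taken from the article's quoted cracking cluster.
GUESSES_PER_SECOND = 350e9


def pool_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover for this password."""
    return sum(size for chars, size in _CLASSES.values()
               if any(c in chars for c in password))


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the given guess rate.

    This is a ceiling for pure brute force only. A wordlist or breach dump
    finds common passwords instantly regardless of this number.
    """
    return pool_size(password) ** len(password) / rate


def is_strong(password: str, min_length: int = 12) -> bool:
    """The article's rule: 12+ characters mixing letters, digits and symbols."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= min_length and has_letter and has_digit and has_symbol


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.6f} seconds"


if __name__ == "__main__":
    # Sample passwords, constructed for the demo (the long one is the article's own).
    for pw in ("123456", "password", "Tr0ub4dor&3", "eY]QAsUt>7Vc4RFftNUBpZn5[rbi"):
        print(f"{pw!r:34} strong={is_strong(pw)!s:5} "
              f"brute-force ceiling: {human_time(brute_force_seconds(pw))}")
```

Run it and the gap between a six-digit PIN (a few microseconds) and a 12-character mixed password (tens of thousands of years at that rate) is the whole argument for a password manager.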
Some people are thinking, “Are you crazy? I can’t remember all those.” But you don’t need to. Get a good password manager like Lastpass. It will generate super-strong passwords for you and remember them all.
Willing to forgo convenience for super-duper security? Then forget Lastpass. You don’t want a password manager that uses the cloud — that means your passwords are out there on someone else’s computer. Yes, they’re almost certainly safe and cloud-based systems are very convenient — but if you’re a die-hard about security the only place the keys to your digital kingdom should be is on your devices. Go with KeePassXC and MiniKeePass for your iPhone.
Beyond that password, guard your primary email account with your life. If I can get into that, I can go to most every site you frequent and request a password reset. Boom — hacking one account gets me all of them. And I’m not speculating here. This is exactly what happened to Wired reporter Mat Honan.
You also need two-factor authentication (“2FA”). You know when you log into your bank and they text you a code? Yeah, that. And if you’re getting all your 2FA codes via SMS you are doing it wrong. Use an app-based system instead, like Google Authenticator (iPhone, Android) or Authy. Some sites only offer SMS-based 2FA and, inexplicably, many are companies you would expect the most security from. (I’m looking at you, Bank of America.) If SMS is your only choice, it’s definitely better than nothing. A helpful list of all major sites offering 2FA is here.
And finally, what if you want ultimate security (but not necessarily privacy) for that precious primary email account? Try Google Advanced Protection. Then nobody can get into your account without a password and a physical USB key. And it works. Google instituted it for all employees. How many phishing-based hacks have they had since then? Zero.
“123456” is now “eY]QAsUt>7Vc4RFftNUBpZn5[rbi”. Perfect. But what are you using to log into those accounts anyway? And is it as private as you’d like?
At least if you’re very serious about privacy. Safari sends data to Apple and you better believe Chrome sends info to Google. If this is part of your threat model, ditch them both and go with Firefox, which is the most secure of the mainstream browsers.
For super-duper security and privacy, here are some recommended extensions:
And at the super-extreme outer edge we have the “Deluxe Snowden Package.” You’ll need Qubes and Tor (Pro tip: be careful with those exit nodes.) And you cannot afford to be tracked by your phone. Get a Faraday bag — or put it in a martini shaker. Yes, seriously.
Browser secured. But that’s not going to help much when the data leaves your computer and heads out there into the big bad internet. How do you keep your online activities secure and private when they’re out of your hands?
Your ISP can see every site you visit when you’re online at home. And so can the marketers they sell that info to. If a connection isn’t secure, hackers can intercept your traffic and mess with you. And using public WiFi is like making your poor little phone have unprotected sex with very unattractive strangers. How the heck do we stay safe from all these prying eyes and barbarians at the digital gate?
It’s called a VPN and I’ll go so far as to say everyone should have one. Basically, it creates an encrypted “tunnel” between you and your VPN provider, protecting your internet activities from visibility and attacks. Your ISP now only knows you’re connected to the VPN, and nothing more. Hackers on the local network can’t break through the encryption to monkey with your data. And public WiFi gets a much-needed condom. The trade-off is that the VPN provider now sees what your ISP used to see, so pick one you actually trust.
Note that some sites don’t play well with VPNs, because many bad guys use them. VPNs are pretty cheap (roughly $5 a month) and they’re simple to set up on both computers and smartphones. PIA and NordVPN are recommended providers.
So far we’ve discussed a lot of attack scenarios you’re probably familiar with. But here’s one most people aren’t. And if you’re not protected, it could lead to someone emptying your bank account…
What do you do whenever you get a new phone? Call your cellular provider and have them move your number to the new device. Easy peasy. But what if I called your cellular carrier and pretended I’m you? They move your phone service to my phone. And when I log in to Bank of America with your password, guess who gets the text with that 2FA code? Yup, moi. Shopping spree time. (Hacking the password was easy; it was “123456”, right?)
This is called “SIM swapping.” These days people are signing up for 2FA more often, so SIM swapping is happening more often. If you’re doing 2FA with an app like Authy or a hardware token, you’re covered. But some sites (*cough*, *cough*, Bank of America) only offer 2FA by SMS. Ugh. What to do?
Many of the phone companies are now offering to secure your account with a password, so go to their site or call them to get one. People won’t be able to port your number without the code.
And what’s the ultimate-privacy-Jason-Bourne-level-security-tinfoil-hat-conspiracy-theory solution? That’s easy: make sure nobody knows your phone number — not even you. This will prevent both SIM swapping attacks and shady dudes from selling your GPS location. But how the heck do you do it?
Move your current phone number to Google Voice. (You can do that here for $10. Instructions here.) Sign up for a pre-paid mobile plan. (Mint Mobile is dirt cheap and reliable. Join here.) They’ll give you a new SIM card with a new number. You now get all your calls, texts and voicemail through the Google Voice app. And you never give the new SIM card number out to anyone. Yes, this works. You can’t be SIM swapped, you can’t be tracked… and anyone you tell about it will probably assume you’re a fugitive, a drug dealer or utterly insane.
While we’re driving down paranoia lane, SMS text messaging is fundamentally insecure. Switch to an encrypted free app like Signal. But the people you’re contacting need to have it as well. So now you’re an insane fugitive drug dealer who is also having an affair. Remember what I said about security vs convenience?
We’ve covered a lot of technical stuff, but one of the most important things to do when dealing with online security threats is to change your attitude…
Phishing attacks don’t always come in the obvious form of emails from Nigerian royalty. Increasingly, these attacks appear to come from close friends, leading you to click links without hesitation. Using a site like this I can send you an email that appears to be from, well, anyone. And this site lets me do the equivalent with my phone, spoofing my caller ID. Yes, it’s that easy. The “From” line is just text the sender typed; treat it as a claim, not as proof.
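Mail servers do leave evidence when the “From” line is a lie: the receiving server records SPF, DKIM and DMARC verdicts in an `Authentication-Results` header, and the envelope sender (`Return-Path`) often belongs to a different domain than the displayed `From`. The added example below (my own illustration, not anything from the article or from a real mail provider) reads those headers and lists the red flags. Both messages are constructed samples using reserved example domains; nothing here is a real address.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: claims to be from a friend, but arrived via an unrelated
# relay, failed SPF, carries no DKIM signature and failed DMARC.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=friend.example.org
From: "Alex" <alex@friend.example.org>
To: you@example.com
Subject: check this out

https://example.invalid/login
"""

# Constructed sample: the same friend, sent through their own provider.
LEGIT_MESSAGE = """\
Return-Path: <alex@friend.example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=friend.example.org; dkim=pass header.d=friend.example.org; dmarc=pass header.from=friend.example.org
From: "Alex" <alex@friend.example.org>
To: you@example.com
Subject: lunch?

Tuesday?
"""


def domain_of(address_header: str) -> str:
    """Bare domain of an address like '"Alex" <alex@friend.example.org>'."""
    _, address = parseaddr(address_header or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for match in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[match.group(1).lower()] = match.group(2).lower()
    return results


def assess(raw_message: str) -> list:
    """Return a list of human-readable warnings; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} "
                        f"differs from From domain {from_domain}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "absent")
        if verdict != "pass":
            findings.append(f"{method} did not pass ({verdict})")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "->", assess(raw) or ["no warnings"])
```

One caveat a practitioner would add: only trust an `Authentication-Results` header written by your own receiving server (most providers strip any such header arriving from outside, per RFC 8601), and remember that a clean verdict only proves the mail came from the domain it claims, not that the account behind it hasn’t itself been compromised.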
Don’t log in to anything important using a public computer or public WiFi without a VPN. Turn WiFi off on your phone to avoid being tracked in retail stores. And sign up for notifications here to find out if any of your personal information has popped up in data breaches.
If giving out personal info is an overwhelming concern for you (everybody say it with me now: threat model) you might want to check out MySudo. Ever wanted a secret identity? MySudo offers you multiple “aliases” — each with their own working phone number and email address. For when you have to give the hotel a number but don’t want marketing calls, when you’re not sure about that person on Tinder, when buying things online, or if you just want to pretend you’re Stringer Bell from “The Wire” carrying a burner phone.
Okay, you’ve got the skepticism part down. But we’re already using some services that may not pass that new threshold. Time to reevaluate…
Most of us see free iCloud backup as an awesome service. And it is… but also look at it through your security lens: any time you backup in the cloud you are putting all of your data on a computer you do not control.
The cloud is great for convenience and data loss protection but anything you put on someone else’s computer is subject to data breaches or nosy employees. For most people, the cloud is probably fine. But if you plan on becoming a political dissident or an international celebrity (no, I’m not going to link to the hacked nudes of Jennifer Lawrence but I can’t stop you from Googling them) keep your data on your devices. There’s also a middle path: encrypt files before uploading them. (Free software for that here.)
So what about social media? Here’s how to get what Facebook knows about you, how to delete it, or to change your privacy settings. Here’s Google. This is Apple’s data on you, how to delete it, and how to limit ad tracking.
Me? I’ll be sharing this post all over social media. But you can’t see my nudes. I know my threat model.
I’ve tried to give a balance of reasonable options along with more extreme measures. At this point, the reasonable folks are more than covered. But there are going to be some who say I’m not being paranoid enough. Oooooookay, let’s go to the total edge case…
If you’ve got a stalker, an abusive spouse, or live in a country where having unpopular political opinions tends to make people vanish, you’ve got a legit extreme threat model. And I’m here to help.
Whether it’s a despotic government, your boss, or the henchmen of the Illuminati, how do you know if someone already has access to your computer? What if you had a “canary in the coal mine” to warn you?
Canary Tokens allows you to create, for free, files that send you an email when they’ve been opened, along with the IP address of the intruder. Throw one on your desktop with a too-good-not-to-click-on name like “passwords”, “finances” or my personal favorite, “stuff to discuss with therapist” and then never touch them. If you get an email from Canary Tokens, somebody’s looking at your stuff — and it ain’t you.
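The trick behind a canary token is simple: the decoy contains a reference to a unique, unguessable URL, and the only way that URL ever gets requested is if someone opens the decoy. The added example below (mine, not Canary Tokens’ own code or service) shows the mechanism end to end: mint a token for a labelled decoy, write an HTML decoy that beacons to it, and run a tiny local server that turns any hit on that URL into an alert carrying the requester’s IP address and browser string. The host name, port and decoy labels are made up for the demo.

```python
import datetime
import secrets
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass
class Alert:
    label: str        # which decoy was opened
    remote_ip: str    # who fetched the beacon
    user_agent: str   # what they opened it with
    seen_at: str      # UTC timestamp


class CanaryRegistry:
    """Maps unguessable tokens to the decoy each one was planted in."""

    def __init__(self):
        self._tokens = {}
        self.alerts = []

    def create(self, label: str) -> str:
        token = secrets.token_urlsafe(16)   # 128 bits: not guessable, not enumerable
        self._tokens[token] = label
        return token

    def decoy_url(self, token: str, base: str = "http://127.0.0.1:8080") -> str:
        return f"{base}/t/{token}"

    def record_hit(self, path: str, remote_ip: str, user_agent: str = ""):
        """Return an Alert if the requested path carries a known token, else None."""
        token = path.rpartition("/t/")[2].split("?")[0]
        label = self._tokens.get(token)
        if label is None:
            return None
        alert = Alert(label, remote_ip, user_agent,
                      datetime.datetime.now(datetime.timezone.utc).isoformat())
        self.alerts.append(alert)
        return alert


def write_decoy_html(path: str, url: str) -> None:
    """A decoy page whose only job is to fetch the beacon when opened in a browser."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"<html><body><p>Loading...</p><img src=\"{url}\" alt=\"\"></body></html>\n")


REGISTRY = CanaryRegistry()


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = REGISTRY.record_hit(self.path, self.client_address[0],
                                    self.headers.get("User-Agent", ""))
        if alert:
            print(f"ALERT {alert.seen_at}: decoy '{alert.label}' opened "
                  f"from {alert.remote_ip} ({alert.user_agent})")
        # Always answer with a tiny image so the beacon looks like an ordinary asset.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(b"GIF89a")

    def log_message(self, *args):   # keep the console to alerts only
        pass


if __name__ == "__main__":
    token = REGISTRY.create("stuff to discuss with therapist")
    write_decoy_html("stuff to discuss with therapist.html", REGISTRY.decoy_url(token))
    print("decoy written; waiting for someone to open it...")
    HTTPServer(("127.0.0.1", 8080), CanaryHandler).serve_forever()
```

The real service does the same thing with DNS lookups and document-embedded references so it works from Word files, PDFs and folders, not just HTML, and it does the listening for you on the public internet; the point of the local version is to make visible why a hit is such a strong signal: nobody has a reason to fetch that URL except someone who opened your decoy.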
Yeah, agreed, this is all super-paranoid… That is, unless the canary sings.
We have covered a positively gargantuan amount of information. I should give you a diploma at this point. Let’s round it all up and I’ll tell you how to get everything you need to get your info off all those sketchy online data broker sites that flood your inboxes with spam and robocall you to death…
Here’s how to be more secure on the internet:
Yeah, it’s a lot. Consider your threat model and do a little bit at a time. (No, you can’t email me with your IT problems. Only my dad gets to do that.)
If you want to get your info off those data broker sites, two excellent places to start the process are here and here. Also, in my next weekly email I’ll be sending out a PDF with an exhaustive list that will really help improve your online privacy, get you off marketing lists, and reduce the amount of info out there that hackers can use against you. To make sure you get it, join here.
And if you want to get more involved in the security and privacy cause, check out the EFF.
I hope this will keep you, your loved ones and your beloved data that much safer.
I mean, after all, They are watching our every move, you know…
A canary told me.