Cybersecurity for non-nerds
- Clean your digital profile to reduce exposure
- Develop a simple, effective routine to stay safe
Most of us get hacked all the time, although we don’t know it. Long gone are the archaic viruses that would cause glitches on the monitor, noticeably slow down your computer, or trigger a prank. Today’s infections are typically more discreet, and more dangerous, but a few precautionary measures will go a long way to thwarting these invisible threats.
Nowadays, attackers use malware to surreptitiously track your digital behavior, whether for surveillance purposes or identity theft. They may monitor what you do, steal your usernames and passwords, or even carry out tasks on your computer, all without your noticing. They often sell the access and information they have acquired on a thriving underground market. This stolen data may be used for politically motivated leaks or individual extortion and blackmail. But the bulk of the problem is invisible: our phone or computer may have been compromised ten times in less sensational ways and we are none the wiser.
Our reliance on digital devices puts us in an uncomfortable position. The technology is both hugely convenient and frustratingly opaque, exposing us to hazards we rarely grasp. Although we may feel vulnerable, the risks seem too remote for most of us to take appropriate countermeasures. Instead, we usually rely on improvisation and hearsay. How sure are we that a piece of tape covering our laptop camera will prevent spying? What, exactly, does an antivirus protect against? Do virtual private networks (VPNs) truly conceal our identity? Are so-called “end-to-end” encryption services, like WhatsApp, really un-hackable? As a rule, we tend to default to one-off, partial solutions that provide us with the comfort of at least doing something. More often than not, this is far from enough.
Bad habits and weak links
Taking the right precautions requires an upfront investment: a small budget and two to three hours of our time dedicated to the task. The first step is to ascertain which of our habits pose a problem and why. The following rules of thumb capture the most common weaknesses.
When it’s free, it comes at a price. Pirated software often contains malware. Even when it doesn’t, it leaves you exposed: whereas legitimately installed programs receive security patches and updates as new flaws are discovered, pirated copies usually cannot be updated and remain vulnerable indefinitely. Many free apps and games are likewise unsafe; some are deliberately designed to lure users into downloading malicious code. Similarly, open access Wi-Fi networks, like those available in many cafés and airports, present a far easier target for eavesdropping and tampering than password protected ones. Free VPNs have their own problem: the business model behind such software often rests on collecting user data and selling it to advertisers; in other words, your data could be leaked or sold to the wrong buyers.
Nothing digital ever dies. Deleted files on your computer ordinarily remain on the disk until they are overwritten, and experts can use these remnants to recover the original content. You may remove apps or delete messages from your phone, but the device usually keeps a telltale downloads history as well as automated backups from messenger apps like WhatsApp. Any information uploaded to the web, such as emails and their attachments, social media posts, and documents and pictures saved to the cloud, will typically exist as multiple copies on the provider’s servers and backups, even after you delete your own version of them. The same is true of all the “activity logs” that track your clicks on every website or app you ever signed in to. Acknowledging the size of our digital footprint is essential to start reshaping it.
You’re never truly off the grid. The only way of being invisible on the web is to disconnect entirely. “Private” or “incognito” functions only protect you from your parents’ or partner’s snooping on the same computer; websites, your internet provider, and your employer’s network still see your traffic. VPNs do a better job at veiling your identity, but only go so far: your computer continues to transmit identifying details, such as screen specifications, installed fonts, and browser version, which together form a “fingerprint” that can still be traced back to you. Encrypted services are not a complete answer, either: sophisticated attackers, intelligence services for example, rarely need to break WhatsApp’s encryption, because they can instead compromise the phone itself and read messages after they have been decrypted on the device. Group chats on Telegram are not end-to-end encrypted at all; the company’s servers can read them.
Everything is set to ‘unsafe’ by default. Many laptops and desktops ship without disk encryption turned on, and smartphones do not come with security software beyond what the operating system provides. Today’s devices are also programmed to broadcast as much of our behavior as possible, leaving users to manually switch off all the tracers and trackers. Password management systems on popular web browsers like Chrome often store saved passwords in ways accessible to anyone who is logged into your computer. As such, cybersecurity will always depend more on steps you take consciously than on built-in measures.
Weak links come in a tangled chain. Most of us juggle dozens of accounts, usernames, and passwords that are more closely interconnected than we tend to think. Your Gmail account, for example, will likely contain information related to virtually every other facet of your digital identity—and the means to retrieve those passwords by claiming to have lost them. This intricacy is a gift to hackers, presenting weak links that can serve as entry points. Rationalizing your ecosystem, by closing down accounts, removing unnecessary connections, and shoring up your key passwords, will inevitably play a central role.
Hackers need our help. Contrary to popular culture, hackers are rarely reclusive geniuses wielding arcane technology. On the contrary, their craft hinges on understanding people. They look for human mistakes such as predictable passwords or sloppy code in an otherwise secure app. And, most importantly, they bait us with all kinds of tricks. They simultaneously spam thousands of accounts in search of the odd user naïve enough to click a malicious link. They create fake accounts—or hack real ones—to pose as our friends or relatives. They do background research to mount elaborate scams: say, a sequence of emails and calls claiming to be from our bank or internet provider, driving us gently toward the clone of a familiar website, where we all too willingly enter our credentials. If an email address or website domain doesn’t feel quite right, pause before you click or sign in.
Protecting ourselves requires a simple yet clearly defined set of practices that together form an effective defense system. There is no need for an advanced understanding of the technologies involved, nor for an in-house expert to guide the way. Cybersecurity is more akin to personal hygiene: just as we get into the habit of brushing our teeth, a small number of essential routines will help maintain our digital health. Some simple precautionary strategies follow, which can be checked off upon completion, leaving you with peace of mind.
Setting up a strong base
Lock all your devices, including your laptop or desktop, with a password, fingerprint sign-in, or face recognition. Typically, fingerprint and face recognition data is stored on a separate secure chip in your phone that apps and the operating system cannot read directly, so it is not uploaded anywhere or shared.
Install a commercial antivirus software on all your devices, including your smartphone.
Turn on two-factor authentication wherever feasible, especially on key accounts such as Gmail. An authenticator app such as Google Authenticator generates the one-time codes for services that support this method; it cannot add two-factor authentication to a website that does not offer it, so check each service’s security settings for the option.
Go through your smartphone privacy settings and turn off information sharing wherever possible, leaving only what you really need. Search for “privacy settings” for advice and tutorials. Also visit a service like “Google my activity” to get a sense of how much is being logged by default.
Settle on a browser that meets your requirements without raising unnecessary risks. Internet Explorer, for example, is particularly vulnerable. Chrome poses privacy issues. Firefox, meanwhile, is currently a good all-rounder. Search for “safe and private browser” for comparators reviewing all available options.
Review your browser settings to switch off any unnecessary sharing of data. Search for “browser security settings” for advice and tutorials.
Check email and website addresses whenever their content seems unusual or wrong. Never click links unless you have ascertained their genuine character. That includes downloads shared across messaging apps.
Opt out of your web browser’s built-in password management function.
Create your own system to generate strong, long, evolving, and memorable passwords, by following the advice in the paragraph below.
Write out by hand the hints you need to remember your system and the passwords it generates. Keep these hints in two or three safe but separate places.
Set reminders to change your most sensitive passwords, such as those for Gmail or online banking, roughly every three to six months, and change them immediately if you learn that a service you use has been breached or suspect that an account has been accessed.
Delete all accounts you don’t use and implement your password management system across all others. Search for “delete accounts” for advice and look up a service like Just Delete Me for help with finding accounts you may have forgotten about.
If you use a password manager, prefer a paid service and diligently implement the steps above concerning your master password. Search for “password manager” for comparators.
Increment your passwords or change your master password at least twice a year.
Typically, a strong password will contain a memorable string of uncommon words; symbols and numbers used creatively, avoiding the most predictable substitutions (such as “@” for “a” or “0” for “o”); a variable portion that changes per the service you are accessing, as in fcbK for Facebook; and some form of incrementation, through letters, numbers or symbols, to introduce regular modifications without having to redesign the whole password. Bear in mind that if one of these passwords leaks, an attacker who sees the pattern can guess the variant for your other accounts, so make the service-specific portion something only you would derive, and never reuse the exact same password across services. Search for “strong password” for tips and sources of inspiration.
Routine digital hygiene
Enable auto-download of updates to your operating system and all other software, and accept updates whenever prompted. These include fixes for bugs and other vulnerabilities.
Run a complete scan using your antivirus on a regular basis—ideally once a week. You can program this to run automatically without disturbing your work.
Restart your smartphone once a week. This clears its memory and removes malware that runs only in memory and has not installed itself permanently; a persistent infection will survive a restart, which is why the antivirus scan above still matters.
In addition to observing these regular good habits, be sure to avoid the following:
- Pirated software and illegally downloaded media of any kind. Run a complete virus scan whenever you do, for whatever reason, use or download free software or services.
- Entering any credentials into non-secure websites, whose URL starts with http rather than https. Without https, anyone on the same network can read what you type.
- Logging into sensitive accounts, notably your email, on computers other than your own—such as those in internet cafés or hotel lobbies.
- Plugging into your computer any flash disk or external memory of any kind that is not your own. Run a complete scan whenever you do.
- Unnecessary linkages across apps—such as using your Facebook account to log into a dating app. These ensure that compromising one account means compromising the other.
- Downloading inessential or arcane apps, sticking instead to those you really need. Virtually any app will access large amounts of personal data, such as your contacts, pictures, and location.
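The advice above to check addresses before you sign in, and to avoid entering credentials on http pages, can be turned into a mechanical check. The following small Python script is an added illustration, not code from the original article: it takes a link and flags the common tricks described earlier, such as a familiar brand name placed in a subdomain of an unrelated site, a “user@host” address, a bare IP address, a non-https link, and look-alike characters in the host name. The brand list and the tiny stand-in for the public suffix list are constructed for the example; a real tool should use the `tldextract` or `publicsuffix2` packages for the latter.

```python
"""Added example (not from the original article): flag suspicious links.

Assumptions, labelled inline: KNOWN_DOMAINS and MULTI_PART_SUFFIXES are
constructed for this illustration and are far from complete.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: brands we expect to see only on their real registrable domain.
KNOWN_DOMAINS = {
    "paypal": "paypal.com",
    "google": "google.com",
    "facebook": "facebook.com",
}

# Constructed stand-in for the Public Suffix List; real code should use
# the tldextract or publicsuffix2 package instead of this short set.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually registered,
    e.g. 'login-secure.example' for 'www.paypal.com.login-secure.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Return a list of human-readable warnings; an empty list means
    none of the known tricks were spotted (which is not proof of safety)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    netloc = parts.netloc.lower()

    if parts.scheme != "https":
        findings.append("not https: credentials would travel in the clear")

    # 'https://paypal.com@evil.example/' -> the browser goes to evil.example.
    if parts.username is not None:
        findings.append("user@host trick: real host is %r" % host)

    if host.replace(".", "").isdigit():
        findings.append("bare IP address instead of a name")

    # Internationalised names are encoded as 'xn--' labels; these can be
    # homograph look-alikes of well-known brands.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: could be a look-alike (homograph) name")

    # Non-ASCII letters such as Cyrillic 'а' look identical to Latin 'a'.
    ascii_host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    if ascii_host != host:
        findings.append("non-ASCII characters in host")

    # A brand name anywhere in the address, but the registered domain is
    # something else: 'www.paypal.com.login-secure.example'.
    reg = registrable_domain(host)
    for brand, real in KNOWN_DOMAINS.items():
        if brand in netloc and reg != real:
            findings.append("mentions %s but real domain is %s" % (brand, reg))
    return findings


if __name__ == "__main__":
    # Constructed sample links for demonstration.
    for sample in [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.paypal.com.login-secure.example/",
        "https://paypal.com@evil.example/",
        "https://www.p\u0430ypal.com/",
    ]:
        print(sample, "->", check_url(sample) or "no known tricks found")
```

An empty result only means the address shows none of these patterns; a freshly registered domain with no brand name in it passes every check above, so the final judgement is still whether you expected this link from this sender.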
If you are using encrypted communication services, bear in mind that all such apps are flawed one way or another. Besides, the more secure they are, the more niche they tend to be, which can make your digital behavior look suspicious—and thus draw attention from the very people you are trying to avoid.
Moreover, the person you are communicating with may have inadequate cybersecurity practices, leaving you exposed. Highly sensitive information is best exchanged 1) with someone whose cybersecurity measures are on par with your own, 2) after verifying the identity of your interlocutor on one app through a parallel conversation held simultaneously via another app, and 3) through calls or even voice messages rather than text. Also check whether your messaging apps are backing up your chats to a cloud service such as iCloud or Google Drive; those backups are often not protected by the app’s end-to-end encryption, so turn them off for sensitive conversations.
The following extra steps can be taken to ensure an even higher level of security. That said, those working in particularly sensitive fields or environments should first sit with a cybersecurity professional to identify specific risks and develop a more tailored checklist of countermeasures.
Encrypt your computer disk and your smartphone memory, and set a PIN on your SIM card so that it cannot simply be moved into another phone.
If you work in a setting prone to surveillance or censorship, purchase a commercial VPN that does not log your data. Comparator websites like That One Privacy Site will help narrow down the options. However, never assume that your identity is completely clouded by a VPN, especially against the scrutiny of sophisticated intelligence agencies.
If you face any plausible threat of detention, confidentially share your most sensitive login information with a trusted person who could—in an emergency—remotely change your passwords, locate your phone, and so on.
If you face the risk of surveillance by intelligence services, consider maintaining two separate smartphones and laptops: one for inconspicuous purposes and another for sensitive work and correspondence. Leave the latter in a secure location whenever possible.
To erase sensitive files from your computer, use software specifically designed to do so comprehensively. Emptying your trash bin is not enough. Search for “file eraser” for guidance.
Because digital threats are constantly evolving, none of us will ever achieve failproof digital security. But the steps above will nonetheless keep you as safe as possible: If hackers mostly exploit your weaknesses, you’ll at least give them a very good run for their money.
6 December 2019
Illustration credit: Nicanor Parra Pixel art on Wikipedia / CC Attribution ShareAlike 4.0 International.