Online security 101: Tips for protecting your privacy from hackers and spies

What’s next for ransomware?

Got nothing to hide? Think again.

Privacy is what sets us apart from the animals. It’s also what sets many countries and citizens apart from dictatorships and despots. People often don’t think about their rights until they need them — whether it’s when they’re arrested at a protest or pulled over for a routine traffic stop.

Surveillance is also a part of life, and it’s getting progressively more invasive. Government eavesdropping is increasing, carried out in wider secrecy, and it’s becoming far more localized. In fact, the last three presidents have pushed for greater surveillance: Clinton introduced mandated wiretapping laws, Bush expanded mass domestic surveillance, and Obama expanded the intelligence service’s reach — just in time for Trump.

Now, with a new president in the Oval Office, many are concerned about the future of their fundamental freedoms and constitutional rights.

There is no such thing as perfect security. But no matter who you are or where you are in the world, there are a lot of things you can do — many of which are simple — to protect yourself in this turbulent time.

THE SIMPLE STUFF

Your privacy, at its core, relies on your data being secure.

There are some professions — such as government workers, journalists, and activists — who face far more and complex threats than the average citizen, who should usually only worry about tech companies tracking them to serve up the best kinds of ads, or government bulk data collection of their personal records. But everyone can take the basic advice and modify it on varying degrees.

While most apps and services nowadays secure your data with encryption on their servers to prevent data from being readable if hacked or served with a government subpoena, many more now are providing it “end-to-end.” In other words, nobody else can see what’s sent, stored, or received, other than you and the person you’re talking to — not even the companies themselves.

Usually, the only way to break that “end-to-end” model is to attack an endpoint, such as the device you’re using, the internet pipe that the data’s traveling along, or the company’s servers.

If you secure each of those points, you’re well on the way in keeping your data private.

SECURE YOUR DEVICES

Your phone is your ultimate endpoint. You carry it everywhere and it usually holds your most personal secrets and sensitive information.

iPhones are widely seen as the most secure mainstream device today. Modern and newer Android devices usually come with strong security features, but there isn’t a universal implementation of encryption yet. Your iPhone encrypts as soon as you lock your screen (even the feds can’t access it), but Android devices have to be shut down entirely.

Here’s a guide on how to secure your iPhone, and here’s another guide for most Android devices.

TURN OFF FINGERPRINT PHONE UNLOCK

Your Touch ID or fingerprint sensor is meant to keep your data more secure. But in some cases federal agents can force you to unlock your phone with your fingerprint, because the courts have determined that it’s not a violation of the Fifth Amendment, which protects against self-incrimination. The feds however can’t force you to turn over your passcode.

Turn off Touch ID by going to Settings > Touch ID & Passcode > turn off iPhone Unlock. (Android users can go to Settings > Security > Lock Screen or Nexus Imprint.)

BE MINDFUL OF EVERY APP YOU INSTALL

Each time you install an app, it will ask you for permissions to your phone’s features or data, like your contacts, photos, camera, or even the phone dialer itself. Be mindful of apps that you install, as a single rogue app can punch a hole in your privacy protections.

Take Meitu, the anime photo app that whipped up a privacy storm. For such a simple app, it required almost unlimited and unfettered access to your phone. Remember: if an app is free, you’re paying for it in some other way — and usually it’s with your data.

SET A STRONG PASSCODE

Chances are you’re already using a six-digit passcode, if you’re using a modern version of iOS. But you can make the code as long as you like. We have a simple and handy guide here. Choosing the “custom numeric code” will still give you the number keypad on the lock screen, making the passcode entry easier to type in.

USE A COMPUTER? TAKE THIS ADVICE

Keeping your devices and apps up to date will significantly reduce attacks. Every app or service you install will increase your vulnerability risks because no software is perfect. If you have preinstalled apps or “bloatware,” you should remove those — and that includes web plugins like Adobe’s Flash, Oracle’s Java, and Apple’s QuickTime. Using ad-blockers can prevent ads from installing tracking cookies and even malware (which happens surprisingly often).

You should also consider encrypting your computer, which is easy if you use either Windows or a Mac. Just make sure you don’t upload your encryption keys to the cloud, otherwise Microsoft or Apple could be forced to turn them over.

Yes, Windows 10 is more secure than Windows 7, but it’s understandable that many think it’s a privacy nightmare. We have a separate Windows 10 privacy guide that shows you the right options for you.

REDUCE YOUR ONLINE FOOTPRINT

There are dozens of websites called data brokers that crawl the web for your personal information, and then post it online for the world to see. If you Google your name along with the city you live in, these data broker sites are always the top search results. Websites like MyLife, Whitepages and Spokeo make millions by selling access to this information. You can use this helpful guide from DeleteMe to remove yourself from each of these data broker websites, but this process can be tedious and time consuming.

DeleteMe offers a hands-free service that removes your personal information from the leading data broker websites online, starting at $129 per year – they also offer discounts on multi-person or family plans. DeleteMe does all the hard work for you by going directly to the source and removing your personal information like names, addresses, age, phone numbers, email addresses, and even photos of your home. Removing personal information from data broker websites reduces your online footprint and keeps you, and your family safe.

SECURE YOUR MESSAGING

Now that your device is secure, you should think about your data in-transit — that is, as it traverses the waves of the wireless spectrum and the pipes of the internet.

SMS messages and phone calls can be intercepted and wiretapped at any time — it’s the law. Police can also use cell-site simulators (known as “stingrays”) to force-downgrade your cell connection from LTE to non-encrypted channels to make it easier to snoop on your phone.

It’s not just the messages you send that you need to worry about; you also have to think about the data that’s generated as a result — so-called metadata, such as who you’re talking to, when, and sometimes where. That information alone can tell a lot about your life, which is why it’s so important to intelligence services. Metadata is a core pillar of government surveillance.

Countering metadata collection isn’t easy, but its collection can be limited. The trick? Use the right app.

Let’s get one myth out of the way: There is no secure email solution — at least not yet. While there are systems like PGP encryption, which remains the favorite for scrambling the contents of email messages, it’s not as strong as it used to be and better instant communications exist.

In ranked order, best first:

USE SIGNAL FOR ENCRYPTED MESSAGING

Signal is by far the simplest and the most secure app when it’s used properly. Available for iOS and Android, the end-to-end encrypted messenger was almost universally accepted as the gold standard among security experts and professionals after its debut audit.

The messaging app and its desktop counterpart are also open-source, meaning anyone can look at and inspect the code to ensure there are no backdoors. And, Signal almost entirely removes itself from the surveillance loop by collecting almost no metadata. Even if a user chooses to upload their contacts list to Signal, each record is scrambled and can’t be used by the intelligence services.

signal-pic.png

Using a secure messaging app alone won’t keep you secure. Ensuring that you properly verify the keys of those you’re talking to will ensure that you’re not talking to someone else. (Image: ZDNet)

The Intercept has a simple guide on how to verify your contacts in the unlikely event that your communications are being intercepted. You usually only do this only once (unless you or someone you’re talking to changes device).

You can download Signal here.

IGNORE THE FEARMONGERS. WHATSAPP IS BASICALLY FINE

If you heard recently that WhatsApp has a “backdoor,” that’s wrong. So wrong, in fact, that some of the world’s foremost security experts and cryptographers have called for the story to be retracted. The Guardian, which published the story, later said “flawed reporting” led the newspaper to “overstate the potential impact on the security of users’ messaging.

The end-to-end encrypted messenger, owned by Facebook, works on a range of devices, including desktop. At its core, it uses the same protocols as Signal — so it’s secure and neither Facebook, WhatsApp, or anyone else can read your messages.

WhatsApp is fine as long as it’s being used properly by verifying your keys with the other party. Make sure that you enable security notifications so you can monitor for any key changes.

Do this by going to WhatsApp then Chats > Chat Backup > then set Auto Backup to Off.

You should also turn off online backups — both on the app and iCloud and Android’s settings — as backups can be cherry-picked out of the cloud by law enforcement with a search warrant.

The app does collect and store more metadata than Signal. That means the government, if it demands data from Facebook, could see who you’re talking to and when. A recent report by Forbes confirms that the company could be forced to turn over data it collects, such as IP addresses, phone identifiers, and even location data in some cases.

iMESSAGE IS OK, BUT BE MINDFUL

Apple’s iMessage is also encrypted end-to-end, but you can’t verify your keys with the people you’re messaging. That’s a problem, because you can’t ever be sure that your messages aren’t being intercepted. Recent developments have shown that the system is vulnerable to man-in-the-middle attacks, so don’t rely on the system for critical communications. And again, don’t back up your messages to iCloud, because Apple can be forced to turn that data over to law enforcement. End-to-end encryption refers to your message securely traversing the internet and not when it’s in storage.

That said, you should regularly carry out an encrypted local backup your iPhone or iPad on occasion. It’s very simple to do, and can restore your data if you break your device.

AS FOR ENCRYPTED EMAIL…

Again, encrypted email is a fallacy, so you should get the idea out of your head. Consider services that don’t require you to handle private keys, such as ProtonMail, which now comes with support for the Tor browser (more on that shortly).

Or, there’s still PGP, which remains clunky and difficult to use for even many advanced users. Even the creator of PGP admits he doesn’t use it anymore. If you really want to use PGP, get started with these Windows or Mac guides from the Electronic Frontier Foundation.

Or, if you can get an invite to Keybase.io (you can find some here or by searching Twitter), you can choose to import your PGP private key and use the web-based encrypt and decrypt tools. This has raised some eyebrows, but it’s entirely optional, as it makes scrambling and unscrambling PGP messages and files significantly easier.

SECURE YOUR BROWSING

Browsing is usually at the heart of what most people do. But just as you’re looking out at the world, you also have a lot trying to look in. Ad networks will track you from site to site, your internet provider will log which pages you visit, and hackers will try to target you.

Without getting too into the weeds, no browser is perfect, but some are better than others.

When it comes to the gold standard of privacy, consider using Tor. It’s like a regular browser with privacy benefits, and it’s often used by the privacy conscious, such as reporters and activists.

tor-screenshot.png

tor-screenshot.png

Tor Browser is a great tool for secure and private browsing. But remember, be careful with plugins and browser extensions as these will significantly weaken the browser’s security. (Image: ZDNet)

The Tor browser lets its users browse the internet anonymously by bouncing traffic through multiple relays. Not only does it hide a user’s internet history, it’s also used to circumvent state-sanctioned network blocks. The service also allows users to browse parts of the dark web, which aren’t accessible through traditional browsers and networks, as well as websites and services that are blocked in your region.

You can use Tor for anything — but streaming video can be slow, and some web plugins (like Flash) are generally disabled as these can be used to de-anonymize you, defeating the point altogether.

With other browsers, to enhance your security, you can install the HTTPS Everywhere plugin (available for most popular browsers), which forces websites that support website encryption to turn it on by default.

Secure sites are your friend, because it means an attacker can’t modify the pages and that internet providers (and the government) can’t see which individual web pages you visit on a domain.

You can also use mobile versions of the Tor browser called Orbot for Android and Onion Browser for iOS, both of which are also open source.

Both of these apps are widely used and trusted by leading security researchers.

DO I NEED A VPN?

A common question is: will a VPN protect my privacy? The simple answer is that you can’t know for sure.

VPNs, or virtual private networks, redirect a user’s internet traffic through a server, often encrypted, in order to make it difficult for others to eavesdrop on their browsing habits or pinpoint a person’s real-world location.

It’s no surprise that VPNs are therefore popular among activists or dissidents in parts of the world where internet access is restricted because of censorship, or heavily monitored by the state.

But using a VPN means funneling all of your internet traffic through a third-party. All of it. And while it may be encrypted and unreadable, a lot of information about you — such as your location and which unencrypted sites you visit — is still readable.

Security researcher Troy Hunt said in a blog post that because VPN providers control your traffic, “they can inspect it, modify it, log it, and have a very good idea of what it is you’re up to.”

In short: using a VPN means having to trust it to not abuse your trust and to resist demands for your data by the government in which the provider is located.

If you want to use a VPN to avoid geo-blocks or to evade censorship, plenty of decent services exist. The paid-for services are better for privacy than free services, which often monetize your traffic by serving you trackable ads.

If you need anonymity and privacy, your best bet is to instead use Tor — which is free.

PUBLIC WI-FI NETWORKS ARE A BIG ‘NO’

Remember: If you ever use a public network, like a Wi-Fi hotspot in a coffee shop or anywhere else, be extremely careful. Treat this network as though every page you visit will be monitored — which may expose your personal information, including your usernames and passwords.

USE YOUR PHONE’S DATA FOR BETTER SECURITY

If you need a secure network, you should use your phone’s data — such as 4G or LTE — or use your phone as a hotspot for your computer. It’s far better to use your phone’s data plan for anything important than using insecure public Wi-Fi.

You can usually find your hotspot option in iPhone’s settings or Android’s notification tray.

BE AWARE OF STINGRAY ‘DOWNGRADE’ ATTACKS

On that note, be mindful of your connection if you’re at public or high-profile events, including protests or demonstrations. We mentioned earlier that police can use “stingrays” to intercept your phone calls and texts, and possibly your browsing data.

There’s a lot of secrecy surrounding stingrays, such as who has them and what they do, but some news outlets have discovered other tech with similar aims. Most modern phones use high-speed LTE, which comes with encryption, making interception almost impossible. By blocking or jamming LTE and 3G, the stingray can force a phone into connecting to 2G, which can be easily intercepted by the stingray.

If you’re at a protest or other high-security event and you suddenly lose LTE connectivity and are pushed to 2G, that could be a sign your communications are being monitored. (Image: CNET/CBS Interactive)

Android users can select a “preferred network type” such as LTE only by accessing a hidden Android menu. Here’s a helpful guide which explains how to do it.

For iPhones, you have the option to select LTE as a preference, but no way to disable 2G. Go to Settings > Cellular > Cellular Data Options > Enable LTE > and select Voice & Data.

Then, use your smarts: If you’re in a busy area, such as a city, and you suddenly lose LTE connectivity in the middle of a protest, your phone may have been tricked into connecting to a stingray.

SECURE YOUR SERVERS AND CLOUDS

You’ve secured your phone, your computer, and you can communicate and browse with relative safety. But you still store a wealth of data in the cloud — in other words, other people’s servers.

US citizens and residents have Fourth Amendment protections against unreasonable searches and seizures. In other words, police must get a warrant before anything’s searched or taken. But those protections are less clear when it comes to the cloud, according to a guide cross-posted by the Freedom of the Press Foundation. In most cases, authorities still need a warrant to access your data, but they can still serve subpoenas, which don’t require a judge to sign off on, to access limited metadata.

It’s not only wise to be careful with what you store in the cloud wherever possible, but also to ensure that your various clouds are secure. Some services even allow their staff to read and access your content.

USE STRONG, UNIQUE PASSWORDS

You must use a strong, unique alphanumeric password that is at least in the double-digits of characters for each account you have. Use a password manager like LastPass, 1Password, or Dashlane to generate strong passwords for you.

Once you set strong and unique passwords for each account, it’s not necessary to change them often. Many — even government agencies themselves — say it’s bad advice to change your password often.

NOW, SET UP TWO FACTOR AUTHENTICATION ON EVERYTHING

Two-factor authentication adds an extra layer of protection to your accounts. Once you enter your password, you’ll get a code sent to your phone to make sure it’s you.

This helps prevent account takeovers from hackers. CNET has a great explainer on two-factor, and why it’s so important.

If you are a reporter or a government worker, it’s wise wherever possible to have your two-factor token sent to you by an authenticator app, which delivers a code via an encrypted channel. This is because in some cases, SMS messages can be intercepted in a number of ways, such as exploiting flaws in the cell network. But, for most people, receiving two-factor tokens over SMS is generally fine.

You may use many different services, and each process is different. But one website, the aptly-named Turn It On has you covered. It explains how to set up two-factor authentication on dozens of major websites, including Facebook, Google, Twitter, and more.

Just make sure you keep your phone number safe. You might want to set up a strong and secure passcode for your phone account by calling your cell provider.

If you do decide to use an encrypted two-factor app, Google Authenticator is highly recommended, as well as Duo Mobile.

CONSIDER DELETING ACCOUNTS YOU NO LONGER USE

If you know you have an account that you never use, delete it. Holding onto these old accounts may expose you to greater hacks or intrusions down the line, even if you long forgot about them.

Log in and shut down the account. You can find out the best way to do this for each site by going to JustDeleteMe.

There is, however, an important caveat: some sites and services recycle accounts after a certain period of inactivity or after an account is deleted. You should be especially mindful of email providers that recycle email addresses or accounts after a period of time.

Microsoft and Yahoo are good examples. If you delete your account, anyone can register for your email address after a grace period. If that account is still linked to other sites and services — like your social networking account or two-factor authentication — an attacker could log into those accounts by resetting your passwords sent to your old email address.

DON’T STORE YOUR ENCRYPTION KEYS IN THE CLOUD

You should encrypt as much of your data wherever possible. To make life easier, some providers allow you to upload your encryption keys in case you get locked out of your account. Helpful, yes, but a huge risk to your privacy if leaked.

Windows lets you upload your BitLocker encryption key to the Microsoft cloud. To check to see you have already, go to your Microsoft account, log in, and check. Back up the key onto your computer and delete it from the webpage. You can then re-encrypt your device by following this guide.

Macs also offer the same option. Once you begin encrypting your Mac hard drive, you are given the option to upload your key to your iCloud. If you choose not to, you’ll be given a recovery key which can you can keep safe, and your encryption key won’t be uploaded to Apple’s servers.

BEWARE THE HARD PART

There’s a lot you can do to ensure your personal security and data privacy, but all too often it takes two to tango — in that you should ask your friends, colleagues, and others you communicate with to also jump in.

When it comes to messaging and communication, you put your privacy in their hands as they do yours. It’s a collective effort that everyone can — and should — support.

A FINAL NOTE

Today’s security might not be what is tomorrow’s, so this guide will be kept as up to date as it can be. While this guide has been poured over to make sure it’s fair and accurate, do take the time to read more (from the various links).

ZDNET INVESTIGATIONS

READ MORE HERE