Growing up in Silicon Valley, I developed an interest in computing and cybersecurity from a fairly young age.(1) I’ve noticed that this is a fairly uncommon interest among colleagues and students. I’ve listed here a few simple steps toward a more secure computing existence (these are also important considerations for mobile devices, like tablets and phones).
- Install updates regularly! This is particularly important for your operating system, browser(s), PDF software, and office suite. If you use Flash or Java, include those on this list, after considering whether you really need them (Adobe has announced the end of Flash support at the end of 2020, so the honest answer is usually no). Enable automatic update checks, and when you are notified of available updates, save your open work and install them.
- Require a sign-in password (or a biometric unlock such as a fingerprint) to unlock your computer. If you use a laptop, set it to lock automatically after a short period of inactivity.
- To protect the personal data on your machine, use your operating system’s disk encryption (BitLocker on Windows, FileVault on macOS), in conjunction with a sign-on password: without it, anyone who picks up a lost or stolen laptop can read the disk by booting from another drive. Store the recovery key in your password manager. (Other solutions like VeraCrypt may be better, but involve more technical know-how.)
- Use a security suite. This will typically consist of antivirus/anti-malware, a firewall, and some utilities. PC Magazine maintains a list of their top choices (standalone antivirus); other publications have comparable results. Malwarebytes and AdGuard provide additional protection for more specialized use cases (malware prevention in the former; ad and tracker blocking for privacy in the latter). Comparable products exist for macOS.
- Follow Brian Krebs’s three basic rules for online safety:
  - If you didn’t go looking for it, don’t install it.
  - If you installed it, update it.
  - If you no longer need it, remove it.
- Don’t reuse passwords across multiple applications or websites.
- Don’t use simple passwords like ‘password1’ or ‘12345678’. If any of your passwords ever pops up on an annual ‘most common passwords’ list, you’re doing things very, very wrong.
  - There’s a running gag on Archer involving sensitive information, from personal medical records to nuclear launch codes, being protected by the password ‘guest’. Both hilarious and bad.
- Get a password manager. You can typically install these across your devices (laptop/tablet/phone/etc.). Rather than using one password across all websites (a horrible idea: once one site is breached, attackers try the leaked email/password pair against every other popular site, so you would have to change it everywhere, fast), you need to remember only one unique, complex password for your password manager, which does the heavy lifting for you. 1Password and LastPass are top choices, but a wide range of options exist. KeePass is a good free, open-source alternative, although much less user-friendly than the others.
  - Secure your password manager with a long, complex passphrase (see below).
  - Don’t use a browser-based password manager: historically these have been more susceptible to attack, and in general they are less likely to work across different web browsers, applications, and devices.
- Use a long, unique password (or passphrase) for every website. Your password manager should be able to generate long and complex passwords for you; go for the longest string allowed by the website.(2) The XKCD method (several words chosen at random from a large list and strung together) is also quite popular, but you may need to add special characters and/or numbers to satisfy websites’ own complexity rules, and the words must really be random, not a phrase you would say. Even if you go the XKCD route, use a password manager to avoid repeating or forgetting passwords.
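The generator and the entropy comparison behind the advice above, as an added example (not the post’s own code). It assumes only the Python standard library; the word list is a small constructed sample, and the 7,776-word figure is the size of the EFF long word list that real diceware-style generators draw from. It goes a little beyond the text by computing entropy for each style, which is what makes the 30-character figure in footnote (2) concrete.

```python
"""Added example (not from the original post): how a password manager's generator
works, and how to compare the strength of a random string with an XKCD-style
passphrase. Standard library only; `secrets` uses the OS CSPRNG, which `random`
does not. The word list is a small constructed sample, so the entropy helper takes
the real list size as a parameter."""
import math
import secrets
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",    # constructed sample
                "cactus", "harbor", "pixel", "meadow", "saddle", "lantern"]
EFF_LONG_LIST_SIZE = 7776  # size of the EFF / diceware word list real generators use


def random_password(length: int = 30, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password: each position is an independent pick from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def xkcd_passphrase(n_words: int = 5, words=SAMPLE_WORDS, sep: str = "-",
                    add_complexity: bool = False) -> str:
    """n_words drawn uniformly, with replacement, from `words`. With add_complexity a
    random digit and symbol are appended for sites that insist on them."""
    phrase = sep.join(secrets.choice(words) for _ in range(n_words))
    if add_complexity:
        phrase += secrets.choice(string.digits) + secrets.choice("!@#$%^&*")
    return phrase


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Entropy of n_symbols independent uniform picks from choices_per_symbol options."""
    return n_symbols * math.log2(choices_per_symbol)


def meets_complexity_rules(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Typical site policy: a minimum length plus at least min_classes of
    lower/upper/digit/symbol. Note this says nothing about randomness."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    return len(password) >= min_length and sum(classes) >= min_classes


def strength_report() -> dict:
    """Entropy, in bits, of the styles discussed in the post (rounded to one decimal)."""
    return {
        "30 random chars, 94-symbol alphabet": round(entropy_bits(94, 30), 1),         # 196.6
        "16 random alphanumerics": round(entropy_bits(62, 16), 1),                     # 95.3
        "4 words from 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1),  # 51.7
        "5 words from 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 5), 1),  # 64.6
    }


if __name__ == "__main__":
    print(random_password())
    print(xkcd_passphrase(add_complexity=True))
    for style, bits in strength_report().items():
        print(f"{bits:6.1f} bits  {style}")
```

The report is the point: four random words from a 7,776-word list carry about 52 bits, which is respectable for something you can type from memory (the manager’s master passphrase), while a 30-character random string from the manager’s generator carries nearly four times that and costs you nothing to remember. Appending a digit and a symbol satisfies composition rules but adds only a few bits; length and randomness are what count.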
Back Up Your Data
Back up your data. This can be to an external drive or network attached storage (NAS) or to a cloud service. The choice is up to you. UCL’s extenuating-circumstances guidelines expect students to maintain backups; as such, no extensions are offered where equipment loss or failure also results in significant data loss. Backing up data to a physical on-site device (external drive, NAS) has the benefit of being intuitively simple and allows you to maintain control over access to your data in a very tangible manner. There are some shortcomings to this approach: failure, loss or theft of the backup device could mean the same for the data, and a drive that stays permanently connected can be encrypted by the same ransomware that hits the computer, so disconnect it between backups. If you do use a local external device for backups, make sure you encrypt your data (prepackaged external drives often include backup software that can do this for you) and store the password/passphrase in your password manager.
Cloud storage solutions typically offer good alternatives to offline solutions (or you can supplement an offline local solution with the cloud, or use one for sensitive data and the other as a general backup solution). Dropbox is a very popular cloud solution, although free accounts provide severely limited space, and because Dropbox encrypts your files with keys that it holds, Dropbox employees and any government that compels the company can read your data while it rests on Dropbox’s servers. Box provides a similar service, although it targets corporate customers; you can usually get around 50GB with a free account, but with similar caveats to Dropbox when it comes to who holds the encryption keys. Boxcryptor encrypts files on your device before they are uploaded to either service, at a price.
Some alternative services provide both transfer encryption (which is standard with Dropbox and Box) and client-side storage encryption, where files are encrypted with a key derived from your passphrase before they leave your machine, so the provider never holds anything it could read or hand over. Well-regarded options here include Backblaze (with its optional private encryption key), SpiderOak, and Sync.com. They’re not particularly cheap, but a good secure backup system is worth the investment (and Dropbox’s plans are expensive by comparison).
The one caveat to a secure backup system with client-side encryption is that if you lose your passphrase, nobody, the provider included, can recover your data. Save your credentials in a password manager.
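A check the section above implies but does not spell out: a backup is only a backup if it restores intact, and a failing drive or an interrupted copy can leave you with files that exist but are wrong. The following is an added example, not code from the original post: it records a SHA-256 manifest when you back up and compares a restored tree against it. Standard library only; the directory layout in demo() is constructed for the example.

```python
"""Added example, not code from the original post: write a SHA-256 manifest at backup
time and verify a restore (or the backup drive itself, periodically) against it.
Standard library only; the file tree in demo() is constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path, relative to `root`, to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "corrupted": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a small tree is backed up, then the restore goes wrong
    in the three ways a hash manifest catches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "thesis").mkdir(parents=True)
        (src / "thesis" / "chapter1.txt").write_text("Chapter 1 draft\n")
        (src / "notes.txt").write_text("lab notes\n")
        manifest = build_manifest(src)          # keep this alongside the backup

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "thesis" / "chapter1.txt").write_bytes(b"Chapter 1 dr\x00ft\n")  # bad sector / bit rot
        (restored / "notes.txt").unlink()                                        # never made it to the backup
        (restored / "stray.tmp").write_text("leftover")                          # not part of the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Store the manifest with the backup (and, for an encrypted backup, with the passphrase in your password manager, since you need both to get anything back). Running verify_restore against the backup drive every few months catches silent corruption long before the day you actually need the data.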
Harden Your Browser
Browser choice and settings
Although Google’s Chrome has become the de facto web-browsing standard, and Apple and Microsoft do their best to push Safari and Edge respectively, a lot of choice exists when it comes to browsers. For example, Vivaldi is built on the open-source Chromium engine that powers Chrome, but offers a wide range of additional features without Google monitoring your every online move. Likewise, the engine powering Firefox can be found in browsers like Pale Moon and Waterfox, though small forks can lag behind upstream security patches, so check how quickly they ship fixes. Regardless of your browser choice, take a bit of time to go through the settings: you’ll want to either enable automatic updating or check for updates on a regular schedule, and lock down cookie preferences. Firefox has the added benefit of building some fairly robust anti-tracking privacy measures (Enhanced Tracking Protection) directly into the browser. It’s worth reading into these tools and modifying your settings.
As I mentioned above, disable the browser’s option for saving passwords and form data, especially if you ever let anyone else use your computer. A dedicated password manager offers a much more secure alternative.
Extend your browser for security and privacy
I also like CanvasBlocker, which protects against canvas fingerprinting, a different range of user-tracking techniques that identify your browser by how it renders graphics rather than by cookies.
- Compartmentalize your email life. Create aliases (easily done in Gmail, where anything after a ‘+’ in the address, e.g. yourname+bank@gmail.com, still reaches your inbox, and with a number of other providers) or separate accounts (that you can forward to your main account) to deal with different parts of life. For example, use your main account for personal conversations, use your UCL/school account for school/career-related interactions, and create separate aliases for banking, shopping, utilities/service providers, and any other interests you have.
  - This serves two purposes: by limiting the spread of your banking (or other sensitive uses) email address(es), you’re less likely to receive spam or phishing attempts at that specific address; and when spam or a phishing attempt arrives at a different address, the mismatch makes it very easy to spot. Depending on how you set things up (such as a unique alias for each online retailer, financial institution and mailing list), it can be fairly easy to see where your information was leaked.
  - Most login systems rely on an email address and password. While a unique, complex password for each site protects you against most common attacks, keeping your log-in email address private adds a simple extra layer: credential-stuffing and password-guessing attacks need a username to aim at, and an address only your bank knows is not in the leaked lists those attacks run from.
- Use two-factor authentication (2FA). 2FA via SMS/text message is weak (codes can be intercepted, or redirected to an attacker by a SIM-swap attack), so prefer application-based solutions: Authy, Duo Mobile, Google Authenticator, and a variety of mobile banking apps (increasingly common in the UK); hardware security keys (FIDO U2F/WebAuthn) are stronger still where a site supports them. These forms of authentication do rely on a fairly secure phone, so keep an eye on it and keep it updated (and with a trustworthy security solution).
- Use a screen-locking solution (fingerprint, pattern, password, PIN, etc.) on your mobile device. Not doing so is akin to leaving the front door to your home wide open whenever you leave.
- If you’re technologically adept, consider setting a DNS provider that isn’t your ISP, as this can significantly enhance both your online security and privacy; Synology has a good blog post on the topic, focusing on DoH (DNS over HTTPS, one of several encrypted DNS implementations).(4) Cloudflare, Google, OpenDNS and Quad9 are good general options and provide simple tutorials for changing DNS settings across a range of operating systems, while Simple DNSCrypt wraps DNSCrypt and DoH in an easy-to-use application for your device. Remember that this moves trust from your ISP to the resolver operator, so pick one whose logging policy you have actually read.
- Use a virtual private network (VPN) on public networks. Bear in mind that a VPN moves trust from the café’s network to the VPN operator, who can see all of your traffic; it does not make you anonymous. NordVPN (despite a recent security breach) is a popular option. ProtonVPN (tied into the security-conscious ProtonMail) has worked well for me.
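The alias compartmentalization described in the first three bullets above, worked through as an added example (not code from the original post). The mailbox, alias tags, partner domains and messages are all constructed; the Gmail rules it relies on (dots in the local part are ignored, as is anything after ‘+’) are real.

```python
"""Added example, not code from the original post: sort incoming mail by the alias it
arrived at. Mailbox, aliases, partner domains and messages are all constructed for
this example. Gmail ignores dots in the local part and everything after '+', which is
what makes per-service aliases free."""
from email.utils import parseaddr

MAILBOX = "jane.doe@gmail.com"            # hypothetical mailbox
ALIASES = {                                # tag -> the only domain that alias was ever given to
    "bank": "example-bank.com",
    "shop": "example-shop.com",
    "utility": "example-power.com",
}


def canonical_gmail(address: str) -> str:
    """Collapse Gmail's dot and plus variants to the underlying mailbox address."""
    local, _, domain = address.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def alias_tag(address: str):
    """The part after '+' in the local part, or None for the bare address."""
    local = address.strip().lower().partition("@")[0]
    return local.split("+", 1)[1] if "+" in local else None


def domain_matches(sender_domain: str, expected: str) -> bool:
    """Exact match or a real subdomain; 'example-bank.com.evil.example' must not pass."""
    return sender_domain == expected or sender_domain.endswith("." + expected)


def triage(headers: dict) -> str:
    """Verdict for one message from its From and To headers."""
    _, sender = parseaddr(headers.get("From", ""))
    _, recipient = parseaddr(headers.get("To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if canonical_gmail(recipient) != canonical_gmail(MAILBOX):
        return "not-mine"
    tag = alias_tag(recipient)
    if tag is None:
        return "personal"
    expected = ALIASES.get(tag)
    if expected is None:
        return f"unknown-alias:{tag}"
    if domain_matches(sender_domain, expected):
        return "expected"
    return f"suspicious: +{tag} was only given to {expected}, but this came from {sender_domain}"


# Constructed messages: only the two headers the triage needs.
SAMPLE_MESSAGES = [
    {"From": "Example Bank <alerts@mail.example-bank.com>", "To": "jane.doe+bank@gmail.com"},
    {"From": "Example Bank Security <security@example-bank.com.evil.example>", "To": "jane.doe+shop@gmail.com"},
    {"From": "deals@bulk-mailer.example", "To": "JaneDoe+utility@gmail.com"},
    {"From": "A Friend <friend@example.org>", "To": "Jane <j.a.n.e.d.o.e@gmail.com>"},
    {"From": "noreply@example-shop.com", "To": "jane.doe+newsletter@gmail.com"},
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{message['To']:32s} {verdict}")
```

The reliable signal here is the To header, not From: a From address is trivially forged (that is what SPF, DKIM and DMARC exist to check), but an attacker cannot forge which of your aliases they were able to obtain. The second message is the classic case: a lookalike domain posing as the bank, arriving at the alias you only ever gave the shop. The third tells you exactly which company leaked or sold your address.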
(1) This interest only heightened when other people began to mistake one of my Gmail accounts for their own email addresses. I’ve been sent a ton of sensitive information (from both personal and business perspectives) as the (un)intended recipient.
(2) Length is key. I clearly recall a mid-flight conversation with someone who worked in cybersecurity over password length early on in grad school. He thought I was crazy for maintaining a minimum length of 30 characters wherever possible. My response was that, assuming breaches were more common than those publicly disclosed, the length and uniqueness of my passwords meant I had fewer worries than other users. At the time breach disclosure wasn’t mandated by law; even where it is, disclosure still depends on detection. Better to be safe than sorry, even if you consider the account to disclose minimal personal information.
(3) Both Adblock Plus and Ghostery take approaches to advertising networks that have been somewhat controversial. Adblock Plus in its default configuration whitelists ‘acceptable’ ads, for a fee paid by the whitelisted advertising network. Ghostery sells aggregated user data.
(4) DNS queries to ISPs’ DNS servers are sent unencrypted, so anyone on the path can read which sites you look up, and a malicious or compromised resolver can answer with the wrong address (DNS hijacking). ISPs additionally have a tendency to log and retain extensive amounts of information about users’ browsing activities. In the US it is common practice for ISPs to then sell this valuable information on to unaffiliated third parties like retailers and advertising networks without users’ explicit and informed consent.
Version: December 2019