Growing up in Silicon Valley, I developed an interest in computing and cybersecurity from a fairly young age.(1) I’ve noticed that this is a fairly uncommon interest among colleagues and students. I’ve listed here a few simple steps toward a more secure (and private) computing existence (these are also important considerations for mobile devices, like tablets and phones).
This is currently a work in progress; I’m shifting smaller and more technical points to an additional page to simplify presentation.
- Brian Krebs’s three basic rules for online safety provide an excellent starting point:
  - If you didn’t go looking for it, don’t install it.
  - If you installed it, update it.
  - If you no longer need it, remove it.
- Enabling update checking where it’s available is very helpful for ensuring that all your software is up to date. This is especially important for anything you use that interacts with online resources: your operating system, word processor, PDF reader/editor, and web browser are key here.
- To prevent random people from accessing your personal data, set up a sign-in password or biometric solution (such as a fingerprint) for your devices. Setting your devices to lock themselves after a short period of inactivity is also a good idea.
- A dedicated security suite will protect you from additional online threats, usually through antivirus/anti-malware capabilities and a firewall. PC Magazine maintains a list of their top choices (as well as standalone antivirus). UCL provides free subscriptions for students and staff for both F-Secure Premium and Sophos Home through ISD’s software database, both of which are fairly good options for both Windows and Mac. Windows Defender is a remarkably poor performer in comparison; I wouldn’t rely on it.
- The easiest way to deal with lots of unique and complicated passwords is to use a password manager, which will securely remember them for you. This way, the only password you really need to remember is the one you set for your password manager. It can also generate complex passwords for all your online accounts. 1Password and LastPass are top choices, but a wide range of options exist, which should work on all of your devices. KeePass is a good free open-source alternative, although much less user-friendly than the others.
- I’d avoid allowing the browser to save passwords (or other sensitive form information). Browsers are popular targets for attack by malicious actors and have had a somewhat mixed record on their ability to appropriately secure private information.
- Reused passwords and simple passwords are the bane of the internet. Simple passwords are things that are easy to guess or brute-force, often things like individual words or strings of numbers like ‘12345678’. Password reuse means that if a website you use is breached, your accounts elsewhere are likely to be breached as well. Have I Been Pwned provides a useful service for checking if your passwords have been compromised somewhere.
- There’s a running gag on Archer involving sensitive information, from personal medical records to nuclear launch codes, being protected by the password guest. Both hilarious and awful.
- If you need to generate a password/passphrase for an account that you may need to access without your password manager, go for long and complex.(2) This doesn’t necessarily mean ‘impossible to remember’. The XKCD method for generating strong passwords is quite popular, but you may need to add special characters and/or numbers to fulfill password complexity rules. For example, something like Brave+BUNNY+h0pp3r is long, complex, uses special characters, and is fairly easy to remember.(3)
- Even if you go the XKCD route, you should use a password manager to avoid repeating or forgetting passwords.
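As an added illustration (not code from the original page), here is how a Have I Been Pwned style password check can be done without ever sending the password: only the first five hex characters of its SHA-1 hash leave the machine, and the match against the returned suffixes happens locally. The response body is constructed inline from a few sample strings so the code runs offline; the breach counts are made up.

```python
import hashlib

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

# Constructed sample data: a few "breached" passwords with made-up counts.
# A real range response lists every hash sharing the queried prefix, one per
# line, formatted "<35-hex-char suffix>:<count>".
_SAMPLE_BREACHED = {"password": 1234567, "12345678": 234567, "guest": 3456}

def constructed_range_response(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    lines = []
    for pw, count in _SAMPLE_BREACHED.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    # Decoy line (constructed) so the parser sees more than one candidate.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)

def parse_range(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result

def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """Number of times the password appeared in known breaches (0 = not found).

    fetch_range(prefix) should return the response body for that prefix; swap in
    an HTTP client (e.g. urllib) hitting the real endpoint for a live check.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Only the prefix is ever passed to `fetch_range`, so the password (and its full hash) never leaves the local process.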
Backing Up Your Data
Back up your data. This can be to an external drive or network attached storage (NAS) or to a cloud service. The choice is up to you. UCL’s extenuating-circumstances guidelines expect students to maintain backups; as such, no extensions are offered where equipment loss or failure also results in significant data loss. Backing up data to a physical on-site device (external drive, NAS) has the benefit of being intuitively simple and allows you to maintain control over access to your data in a very tangible manner. There are some shortcomings to this approach: failure/loss/theft of the back-up device could mean the same for the data. If you do use a local external device for backups, make sure you encrypt your data (prepackaged external drives often include back-up software that can do this for you) and store the password/passphrase in your password manager.
Cloud storage solutions typically offer good alternatives to offline solutions (or you can supplement an offline local solution with the cloud, or use one for sensitive data and the other as a general back-up solution). Dropbox is a very popular cloud solution, although free accounts provide severely limited space, and a lack of storage encryption means that Dropbox employees and governments can access your data while it rests on Dropbox’s servers. Box provides a similar service, although it targets corporate customers; you can usually get around 50GB with a free account, but with similar caveats to Dropbox when it comes to storage encryption. Boxcryptor provides encryption while files are at rest for both solutions, at a price.
Some alternative services provide both transfer encryption (which is standard with Dropbox and Box) and storage encryption. Well-regarded options here include Backblaze, SpiderOak, and Sync. They’re not particularly cheap, but a good secure back-up system is worth the investment (and Dropbox’s plans are expensive by comparison).
The one caveat to a secure backup system with storage encryption is that if you lose your login credentials, you lose your data. Save your credentials in a password manager.
(1) This interest only heightened when other people began to mistake one of my Gmail accounts for their own email addresses. I’ve been sent a ton of sensitive information (from both personal and business perspectives) as the (un)intended recipient.
(2) Length is key. I clearly recall a mid-flight conversation with someone who worked in cybersecurity over password length early on in grad school. He thought I was crazy for maintaining a minimum length of 30 characters wherever possible. My response was that, assuming breaches were more common than those publicly disclosed, the length and uniqueness of my passwords meant I had fewer worries than other users. At the time breach disclosure wasn’t mandated by law; even where it is, disclosure still depends on detection. Better to be safe than sorry, even if you consider the account to disclose minimal personal information.
(3) Unfortunately, this specific example is no longer secure, as it’s been published online. However, you can use it as an example to form your own long, complex, secure passphrase.
(3) Both Adblock and Ghostery take approaches to advertising networks that have been somewhat controversial. Adblock Plus in its default configuration will whitelist ‘acceptable’ ads, for a cost to the whitelisted advertising network. Ghostery sells aggregated user data.
(4) DNS queries through ISPs’ DNS servers are unencrypted, allowing for the possibility of DNS hijacking. ISPs additionally have a tendency to log and retain extensive amounts of information about users’ browsing activities. In the US it is common practice for ISPs to then sell this valuable information on to unaffiliated third parties like retailers and advertising networks without users’ explicit and informed consent.
Version: December 2019