As a companion to my brief overview, this post focuses on browser and networking considerations.
Hardening Your Browser
Because everyone uses a browser, this software presents a significant security risk if it isn’t kept updated. Even when it is, tracking of your browsing activity, as Google Chrome does, is a threat to privacy (and potentially to security).
Chrome may be the most popular browser out there, but other options provide superior privacy, keeping Google from watching your every online move. For example, Opera and Vivaldi are two (of several) options that rely on the open-source Chromium engine that powers Chrome, but without those built-in Google trackers. Firefox has been positioned as another privacy-focused alternative to Google Chrome, but runs on a different engine. All three have built-in options to disable tracking components and advertising networks, although in most cases you’ll need to enable these capabilities yourself.
Whichever browser (or browsers) you choose to use, take some time to go through the privacy and security settings. Enable automatic updating, disable password and form-data saving, and minimize stored browsing history and third-party cookies. A little online searching can lead you to useful guidance for setting these options.
Extending your browser for more security and privacy
Firefox and Chrome-based browsers have large libraries of extensions, or small programs that enhance the browser’s built-in functionality. Probably the most important of these is an ad blocker, which will usually provide more power and functionality than the versions built into some browsers. An ad blocker will block website scripts associated with advertising networks (or anything else you tell it to block). You can always enable advertising on specific websites if you want to support them. uBlock Origin (Firefox, Chromium, Edge) is the best all-around option. Adblock Plus and Ghostery are also pretty good options: both are a bit easier to use, but engage with advertisers in different ways.(1)
Driver and UEFI/BIOS updates
Device drivers and the UEFI/BIOS provide essential functionality to your device. In general, the BIOS/UEFI should be kept updated, as updates are often issued in response to potentially highly damaging security threats; these updates can usually be found on the device manufacturer’s website. It’s also a good idea to watch for updates to the chipset driver and related software, for the same reasons. The usual advice for other drivers is to leave them as they are unless something stops working. I tend to check the change logs of new updates for security and bug fixes; often, updates will just add new devices to the list of supported configurations.
Mobile devices, like phones and tablets, tend to handle these updates (or lack thereof) in the same way that they handle OS updates.
Protection beyond the antivirus/security suite
Browser-based ad-blocking software only protects you from advertising networks within your browser. Better Blocker (for macOS) and AdGuard (multi-OS) are system-level solutions that protect your entire device.
For protection against malware that may not trigger your antivirus software, Malwarebytes is invaluable. That said, with good computing hygiene you may be able to avoid needing it at all. Running regular scans can be good for peace of mind.
Out in public
The most basic network-safety concern is the use of public and unsecured WiFi networks. The best security practice is to avoid these altogether; for those of us for whom this isn’t practical, using a virtual private network (VPN) is a good alternative means of avoiding accidentally transmitting sensitive or personal data in the open. NordVPN (despite a recent security breach) is a popular option. ProtonVPN (tied into the security-conscious ProtonMail) has worked well for me. There are a lot of other VPN providers around, but be careful when choosing one: there are plenty of stories of sketchy providers, and you pretty much always get what you (don’t) pay for. You’ll want to do some comparison shopping, look at reviews, and choose a widely trusted provider.
Networking at home
I think my most frequent recommendation for securing home internet access is to ditch the ISP/broadband provider’s modem-router and get your own.(2) This is for two reasons: ISP-provided equipment is often not patched to fix security holes, and most users don’t change the password for the administrative account on the device. The result is something that can be trivial to breach and misuse.
Going with your own device can require a bit of knowhow. I’m usually happy to geek out a bit about this stuff, and good online resources abound.
Domain Name System (DNS) settings
If you don’t want your ISP/broadband provider to know everything you do online (and, if you’re in the United States, to sell your activity to everyone under the sun), change your DNS settings, either on your devices (so the settings travel with you) or on your modem-router; this hides your online activity from your ISP/broadband provider. Changing your DNS settings to a secure DNS server also increases security: unsecured DNS connections (like those used by ISPs/broadband providers) can be exploited.
Synology has a good blog post on the topic, focusing on DoH (DNS over HTTPS, one of several secure DNS implementations). Cloudflare, Google, OpenDNS and Quad9 are good general options and provide simple tutorials for changing DNS settings across a range of operating systems. Changing settings on your modem-router will require logging into the administrative account (be sure to change the default password to something complex that’s saved in your password manager) and setting the DNS server options in the firmware.
Simple DNSCrypt provides a user-friendly, device-based interface for selecting from a range of often privately run DNS servers.
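To make the difference between plain DNS and DoH concrete, here is an added example (not code from the original post or from any of the providers named above). It builds a DNS query in wire format, shows how RFC 8484 wraps those same bytes in an HTTPS GET request, and parses a constructed reply. The Cloudflare endpoint URL is assumed, the reply and the 192.0.2.1 address are constructed, and nothing here touches the network.

```python
import base64
import struct

# Added example: a minimal DNS wire-format query (RFC 1035) and the RFC 8484
# DoH transport around it. The resolver URL is an assumption; the reply and
# the address it carries are constructed. Nothing here touches the network.

DOH_RESOLVER = "https://cloudflare-dns.com/dns-query"  # assumed public DoH endpoint


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query for `name` (qtype 1 = A record, class IN).

    RFC 8484 recommends transaction id 0 over DoH so that identical queries
    produce identical bytes and HTTP caches can serve them.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query travels in ?dns=<base64url, no padding>.

    Over plain UDP port 53 these same bytes are readable by anyone on the
    path (your ISP included); inside the HTTPS request they are not.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:  # refuse to follow a pointer loop in a hostile reply
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, and collect the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def sample_response() -> bytes:
    """Constructed reply for example.com: QR/RD/RA flags set, one A record.
    192.0.2.1 is a documentation address, not a real resolution."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("wire query:", q.hex())
    print("DoH GET   :", doh_get_url(DOH_RESOLVER, q))
    print("parsed    :", parse_response(sample_response()))
```

The point to take from the output is that the query bytes are identical in both cases; what DoH changes is only the envelope they travel in. A real client would send the URL with an `Accept: application/dns-message` header and hand the response body to `parse_response`.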
Social engineering is the practice of exploiting human weaknesses in security, rather than targeting technological weaknesses. We’ve all seen this to an extent in phishing emails, which frequently rely on the target’s entry of sensitive data into a form operated by the attacker, but these efforts can be much more sophisticated. Brian Krebs recently highlighted one example involving bank fraud.
Here I discuss two largely behavioral modifications that reduce the risk of falling for the simpler threats; they complement the use of a password manager and the other technical measures discussed in the previous post.
Most people use one or two email addresses for everything, which can make it difficult to distinguish legitimate communications from fakes. As an example, I’ve had fairly realistic Amazon order confirmation emails sent to my work email address; these are easy to disregard because I don’t use my work email for non-work things.(3) I’ve also received the odd fraud alert email to that address from a bank (usually not one I do business with), but again, because none of my banking is done through my work email, it’s easy to disregard these messages without a second thought.
Compartmentalize the different kinds of email correspondence you receive, along with the email addresses you use to create accounts for online services. For example, set up a unique email address for each of the banking services you use and do not use these addresses for anything else. Based on where an email is received, this lets you quickly verify whether a message that appears to come from your bank is the real thing. Treat other sensitive service providers in the same manner. You may want to do this for all online accounts, but that can become a bit difficult; segmenting email addresses for less sensitive accounts (like online shopping, newsletters, etc.) may be easier. This does take some effort to adapt to, and is much easier done with the assistance of a password manager than without. You don’t necessarily need to create new email accounts for each address: most providers offer email aliases (Gmail is especially good at this, Outlook has more limited options, and paid providers tend to offer aliases as well), which you can customize for each purpose without having to leave your main email account.
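The compartmentalization rule above can be written down and checked mechanically. Here is an added example (not code from the original post) that records which sender domains are expected at each alias, normalizes Gmail-style `+tag` aliases back to the policy entry, and triages a handful of constructed messages: a genuine bank alert, a “fraud alert” from a lookalike domain, and a shop order confirmation sent to the work address. Every address, domain and message is constructed for the example.

```python
import email
from email.utils import parseaddr

# Added example (not from the original post): a small policy recording which
# sender domains are expected at each compartmentalized address, and a check
# that runs incoming mail against it. All addresses, domains and messages here
# are constructed.

# One alias per sensitive relationship; the value is the set of sender domains
# legitimately associated with that alias.
POLICY = {
    "mename+bank@gmail.com": {"bank.example"},
    "mename+shopping@gmail.com": {"shop.example"},
    "work@corp.example": {"corp.example"},
}


def canonical(address: str) -> str:
    """Normalize an address so that aliases map back to the policy key.

    Gmail ignores dots in the local part and treats +tag as an alias of the
    base mailbox, so the tag is kept (it is the compartment) and dots dropped.
    """
    local, _, domain = address.strip().lower().partition("@")
    base, _, tag = local.partition("+")
    if domain in ("gmail.com", "googlemail.com"):
        base, domain = base.replace(".", ""), "gmail.com"
    return f"{base}+{tag}@{domain}" if tag else f"{base}@{domain}"


def classify(raw_message: str):
    """Return (verdict, reason) for one RFC 5322 message.

    The display name in From is ignored on purpose: it is text the sender
    controls, whereas the alias a message arrives at is something only you
    and the real service know.
    """
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, recipient = parseaddr(msg.get("To", ""))
    alias = canonical(recipient)

    allowed = POLICY.get(alias)
    if allowed is None:
        return "suspicious", f"mail arrived at unknown alias {alias}"
    if sender_domain in allowed:
        return "expected", f"{sender_domain} is expected at {alias}"
    for other_alias, domains in POLICY.items():
        if sender_domain in domains:
            return "suspicious", f"{sender_domain} only ever writes to {other_alias}, not {alias}"
    return "suspicious", f"{sender_domain} has no business writing to {alias}"


# Constructed sample messages: a genuine bank alert, a lookalike-domain
# "fraud alert", and a shop "order confirmation" sent to the work address.
SAMPLE_MESSAGES = [
    "From: My Bank <alerts@bank.example>\nTo: Me <Me.Name+bank@gmail.com>\n"
    "Subject: Your statement is ready\n\nLog in to view it.\n",
    "From: My Bank Fraud Team <security@bank-alerts.example>\n"
    "To: Me <Me.Name+bank@gmail.com>\n"
    "Subject: Urgent: confirm your identity\n\nClick here now.\n",
    "From: Shop Orders <no-reply@shop.example>\nTo: <work@corp.example>\n"
    "Subject: Your order has shipped\n\nThanks for shopping with us.\n",
]


def triage(messages=SAMPLE_MESSAGES):
    """Run the check over a batch and return the verdicts in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for (verdict, reason), raw in zip(triage(), SAMPLE_MESSAGES):
        subject = email.message_from_string(raw)["Subject"]
        print(f"{verdict:10s} {subject!r}: {reason}")
```

The second and third messages are flagged for different reasons: one comes from a domain that no compartment expects, the other from a real shop domain that only ever writes to the shopping alias. Neither check needs to inspect the body or the links, which is the practical benefit of the scheme.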
Two-factor authentication (2FA)
Consider enabling two-factor authentication for your important accounts (like email). British banks all have some sort of government-mandated two-factor option in place, and for everything else there are a number of good app-based authenticators available: Authy, Duo Mobile, and Google Authenticator seem to be the most widely supported.
Two-factor authentication typically requires two different ways of proving your identity: something you know (your account name and passphrase) and something you have (a mobile device with an authenticator app). This does mean you can’t afford to lose your device, or let its battery run down, when you need to access a 2FA-enabled account.
Try to avoid using SMS (text message)-based authentication, as there are known (and exploited) security vulnerabilities in the underlying infrastructure.
1. Adblock Plus has an option to enable ‘acceptable ads’, which is checked by default; this has been a bit controversial among both users and advertisers, the latter of whom view it as akin to extortion. Ghostery shares aggregated user data with advertising networks.
2. For everyone outside the United States, ISP stands for ‘internet service provider’, which is equivalent to ‘broadband provider’ in UK lingo. Except line-rental fees are a purely British form of stupidity. Also, my assumption here is that most people are using an integrated modem-router and not two separate devices, because the former is simpler to set up.
3. The details in the email header were also a dead giveaway, but that’s not something that most people would check first if they think their Amazon account has been breached. I think the attacker’s aim was to get the target to click through one of the links in the email to ‘Amazon’ to check their account. The link would then either capture the account login details, deposit a malware payload, or both.