
Protect Yourself Online: Tips And Resources

Why You Should Protect Yourself

For those who don’t understand the importance of being equipped and able to protect yourself online, I’d like to point you to an article I read recently on TechWalla.com. The article, aptly titled Why Is Internet Security Important?, outlines 5 different reasons as to why it is imperative that you protect yourself when you’re surfing around the web, and it really got me thinking about making a post of my own on this highly important subject.

The article does a good job of making their reasons simple and easy to understand, but I’d really like to take a little bit of a deeper dive into the subject and provide some resources and information you can use to protect yourself, as well as your family. I’d also like to give a general overview of the current cyber security landscape.

On a personal note, I’m aware of (at the very least) multiple instances of companies getting their websites hacked while they were in possession of my personal information. Yahoo had a ton of data stolen a number of years back while I had an account with them. More recently, Equifax experienced a breach that affected hundreds of millions of people, including me. Equifax is in possession of my social security number, amongst other information. PayPal recently had vulnerabilities exploited, and I have both a personal and a business account with them. Google’s been hacked before. Sony’s been hacked. Canva too. The list goes on and on.

I don’t say these things to scare you, per se. I say them because awareness is critical to minimizing the risk posed to you online. Also, by familiarizing yourself with the risks, I believe you’ll be more vigilant in taking precautions. However, I do want to point out the unfortunate reality that having information and data compromised is something that can happen to anyone, regardless of the precautions you might take. There’s no such thing as 100% protection, and there’s no such thing as 0% risk. BUT, if you can decrease the likelihood of a theft or breach at all, it’s worth taking action and making yourself aware.

Considering that every connection to the web opens us up to new vulnerabilities, and that more and more devices are being connected every single day, this subject becomes more and more important all the time. Laptops, smartphones, tablets, smart TVs, robot vacuums, doorbells, appliances, gaming systems, media players, security cameras, vehicles, and light bulbs are, astonishingly, just a few of the things that we’re hooking up to the internet these days.

All that said, it does us no good to become paranoid of the dangers that reside online. With clear, practical thinking coupled with awareness and the power of information, we can save ourselves a lot of worrying and feel more at ease with our relationship with the web. I think that as you read your way through this post, you’ll find that you feel better and better about your ability to protect yourself, your information, and your privacy from hackers and vulnerable websites and devices. Let’s get going.

Increase Your Awareness

Some of the good news is that there are a number of really great online resources that provide free information regarding data breaches, attacks, and mitigating the risks associated with online activity. I’m happy to share and give links to some of my favorite websites that do exactly that. I’d recommend bookmarking at least one or two of them and checking in every week (at a minimum) or so to improve your knowledge of the dangers posed to you and your family and to see if you need to act quickly to protect yourself and your data. Sometimes, time is of the essence.

I’ve already linked to TechWalla, but I’ll mention them once more. Occasionally, they’ll have some good cyber security related articles, but to me, TechWalla typically falls more into the category of “general tech news” or “pop tech news” than it does “cyber security news”. It is a great website though if you have a general interest in technology, and I’d argue that even just knowing more about the technology landscape can help you reduce the possibility of falling prey to a hacker.

ZDNet.com is firmly one of my top choices when it comes to getting the latest cyber security news. It’s another website that has a lot of general tech articles, but it’s less pop news and more fact driven than TechWalla. If you’re looking for information to protect yourself with, it’s a great resource. This is one of the sites I’d recommend putting a star next to, so you can easily navigate back to it. It’s certainly my most visited website for cyber security news and related information.

Every day, without fail, a slew of articles from the website pop up on my Google news feed, because I’ve clicked on so many of them. It’s how I first learned about the recent multitude of security issues that have plagued Microsoft Windows, and I credit them with prompting me to update my computer with the latest security patches. Who knows what would have happened had I not found out about them as quickly as I did and had I waited for a more “convenient” time to proceed with the updates. Not that I keep much important information sitting on my hard drive, but still. The results could have been rather unpleasant.

Just taking a quick look at ZDNet’s homepage, I already see one article on dangerous mobile applications and another one on smart vacuum vulnerabilities. It’s easy to see why the site is such a valuable tool, and it’s one that you can easily add to your security toolbox at zero cost to you. Let’s add a couple more.

Another security site I frequent when I’m on the hunt for news about security as it relates to technology and the web, and another one that frequently pops up on my news feed, is The Hacker News. It, along with the next site I’m going to list, is 100% dedicated to providing news from the cyber security realm. It includes, on its website, news on everything from attacks that have already occurred to potential vulnerabilities in both devices we use on a daily basis and technologies that major companies use frequently. Consider adding this one to your bookmarks as well and maybe even joining its more than 2 million followers on Facebook.

Latest Hacker News is similar to The Hacker News, not just in name, but also in its complete dedication to cyber security news and the fact that, it too, has over 2 million followers on Facebook. Latest Hacker News has also found a home inside my Cyber Security bookmark folder.

Another one you can check out is CNET’s security page which has even more news about the world of the web. CNET is an enormous resource for all kinds of news, so I don’t just partake of their security offerings, but also their tech articles and their reviews on different products. Kind of like Consumer Reports, except they’re free. I digress.

Last but certainly not least, CISA.gov is a reliable and trustworthy source (though you’re free to make your own determination) for security news and suggestions. CISA is the official website for the U.S. Department of Homeland Security. CISA, itself, stands for Cybersecurity and Infrastructure Security Agency. As its name implies, you can find a handy cyber security section on its homepage. It’s actually the very first link in the main menu.

Within their cyber security section, there are a lot of great resources, tips, suggestions, etc. you can use to protect yourself from cyber criminals including some really sweet vulnerability summaries. These summaries list all of the vulnerabilities that have been recorded for a particular week by the National Institute of Standards and Technology and placed in its National Vulnerability Database. CISA.gov is the authority in the U.S. for official information regarding security.

Suffice to say, there are tons of great resources out there you can use to protect yourself. All you have to do is a little searching around. This section doesn’t even begin to scratch the surface.

Understand Browser Security And Privacy

Different web browsers have (slightly) different security features. Currently, I have 3 different browsers on my laptop and, surprisingly, I find myself using all three. Crazy, I know. Mostly, this is due to the fact that at any one time I could have 50, or sometimes many more, different tabs open, and I don’t want to crash a browser and have to go fishing around my history for my lost tabs. But something, at least initially, drew me to each one of them.

My most used browser, as is the case with most internet frequenters, is Google Chrome. It’s quickly become the default choice for the vast majority. I’m pretty trusting when it comes to Chrome and Google, but I’m far from absolutely sure that this trust isn’t misplaced.

The issue is that Google harvests as much data from its users as possible, and it certainly hasn’t been immune from security issues. However, Chrome is by far the most used browser, and therefore, is probably going to be targeted disproportionately compared to other browsers.

Within the Chrome browser, I use a couple of browser extensions for security and privacy that are available for download in the Chrome Store for free. Currently, I’m using HTTPS Everywhere and DuckDuckGo. According to HTTPS Everywhere, it “encrypts your communications with many major websites, making your browser more secure”. I can attest to the fact that it does, in fact, ensure that HTTPS (Hypertext Transfer Protocol Secure) is used. HTTPS uses TLS (Transport Layer Security) encryption to secure the sites you visit.

To put it simply, HTTPS makes life a little more difficult for hackers that want to access your information that might be sent out during an online session or information you might receive during a session. HTTPS Everywhere’s FAQ explains it like this:

On supported parts of supported sites, HTTPS Everywhere enables the sites’ HTTPS protection which can protect you
against eavesdropping and tampering with the contents of the site or with the information you send to the site.
Ideally, this provides some protection against an attacker learning the content of the information flowing in
each direction for instance, the text of e-mail messages you send or receive through a webmail site, the products
you browse or purchase on an e-commerce site, or the particular articles you read on a reference site.

DuckDuckGo is my default search engine. This is due to their claim that it never tracks you or stores your personal information. While the websites you visit can still obviously track you, it’s a comfort to me that my search engine does not. It’s kind of refreshing in this day and age. While DuckDuckGo doesn’t have a desktop browser, just a search engine, they do have a mobile browser. It currently serves as the default browser for my phone. Also, I have to say that, for a search engine that doesn’t track you, its web results are still very good, in my opinion. It reminds me of the Google search results of the 2000s.

On the other end of the spectrum is Google. Google tracks your every search and your every move. It builds a profile on you so that advertisers can more accurately target you with their advertisements, and it sells your search data to whoever pays the most.

Internet service providers can also sell your browsing data, and thanks to our current government, it’s officially legal to do so, without requiring your consent or alerting you to what information they’re peddling.

The other two browsers I use are Firefox Developer Edition and Brave. Firefox drew me in for four separate reasons:

  1. Mozilla, its creator, is one of the premier authorities on the internet and everything having to do with it
  2. Mozilla’s self-professed dedication to security and privacy (Their newsletter is worth signing up for. Not just web development news.)
  3. Browser speed
  4. Some seriously badass developer and browser tools

Brave, my other browser, is a newer one that came out, essentially, in late 2019. It was founded by the creator of JavaScript (probably part of the reason I like it) and the former CEO of Mozilla, Brendan Eich. It features website tracker and ad blockers and lightning fast page speed. As you might have guessed, I love the fact that it blocks website trackers, but its page speed is what really does it for me.

I do have to admit though, that I’m not a huge fan of the fact that, by default, it blocks ads. Companies selling user search data to improve target accuracy without user consent and without user compensation is a problem, but most free-content websites recoup their operating costs and make their money by displaying ads (like yours truly).

My advice to you, as far as which browser to go with, is to choose the one with features that you value the most and to not use Internet Explorer or Edge. Internet Explorer is a disaster, and Edge’s first iteration was such a failure that it was given up on by its own creator, Microsoft.

Internet Explorer’s security issues have been really bad, in the past. How bad? So bad that they even triggered a national security alert back in 2014. You probably remember it. Wikipedia has this to say regarding IE’s vulnerabilities:

Internet Explorer has been subjected to many security vulnerabilities and concerns: much of the spyware, adware,
and computer viruses across the Internet are made possible by exploitable bugs and flaws in the security
architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page in order
to install themselves.

Microsoft Edge has recently been rebuilt, and a new version came out just last month (January 15th, 2020). It features significant performance improvements, but I would hold off a while before downloading and using, just in case.

We’ve talked a lot about privacy in this section, but if you’d like to go beyond what most browsers provide, and browse “anonymously”, then Tor is really your only bet. Opera provides users with a free VPN that helps hide your online activity and mask your I.P. address, but for anonymity, you’d have to go with Tor.

I don’t use Tor, but I do use Opera more and more, especially if I’m having to access a public wifi network. The VPN comes in handy in those situations.

Know What You’re Downloading And Clicking On

Knowing what it is you’re downloading to your computer, phone, or device, and knowing what you’re clicking on, is pretty much security 101, but it’s an important thing to visit/revisit.

As a developer and as someone who just generally enjoys trying new technology, it’s a daunting task to try and research everything that I’m downloading and trying out. That being said, it’s important to do, and it’s become more and more a focus for me. You’d be amazed at the number of bad actors out there promoting apps and software that exist only to infect your device.

CISA’s vulnerability summaries that I mentioned earlier are a great resource as far as knowing which websites and apps currently have known vulnerabilities. CISA also expresses trepidation with China, Russia, and North Korea. I’d be especially wary of downloading anything that comes out of these three countries. This has little to nothing to do with any of their citizens and business owners. They don’t deserve judgement, and I hate that this wariness can affect their profits. It has everything to do with the fact that their economies are state run, meaning their governments can exercise full control over the businesses. It can become a major security concern.

It can be difficult to know where certain apps and websites are coming from or whether they have known vulnerabilities. Before I download something, I will look for the company name, as this is often times different than the name of the software. In the app stores, it will usually be listed on the download/install page. I’ll then go to my search engine and search for, “Where is this business out of”, “Where is this business located”, or “Where is this business based”. Some variation of one of those, and of course, I’ll replace “this business” with the actual business name.

I have a pretty good success rate at finding the location that way. You can also search Wikipedia to see if the business has a page. If it does, it will more than likely have the location listed on there. Sometimes the Wikipedia page will also have a section that lists vulnerabilities it’s had in the past. Your search engine will also have a news option. You can search the business name and security concerns, and then look to see if there’s been any recent news about security issues it’s had.

If I can’t find any information about the company from a reputable source, that’s a red flag for me, and I just don’t download it, regardless of how cool or helpful it may sound or look. It’s way better to be safe than sorry. It’s important to note that just because a company has a great looking website and looks legitimate definitely doesn’t mean that it is. I also look for frequent misspellings and bad grammar. This doesn’t mean that it’s a bad actor, but most professional businesses don’t overlook these things. If their spelling and grammar are poor, one could assume that their code is too, or that the site and its software could have been hastily put together.

If you have antivirus software, it should alert you to questionable websites and downloads. If you have questions about software that you’ve previously downloaded or software that just ended up on your device, you can visit Should I Remove It? and do a search for the program.

Most of the time when you’re installing a download to your device, it will provide you with an installation wizard that walks you through the steps. Be careful as you go through these steps, because a lot of them will ask if you want to install additional third party software. Often, these will be checked by default. If you don’t want these extras, make sure the checkboxes or radio buttons are empty or you may get some unwanted surprises.

Then, as far as links and emails are concerned, if you’re unsure about them, it’s best to just not go there. Links are often misrepresented as something that they’re not. It may say it’s a link to one website, but when it’s clicked, it will take you somewhere else. To make sure it’s going where you want to go, hover over it and look in the bottom left corner of your browser. It will list the destination. You can try it with one of the links on this page.

Like I said, don’t click on any emails that you’re unsure of. Emails will misrepresent themselves too. This goes for links inside of emails as well. Don’t click on any downloads or emails that you don’t remember requesting. Also, be aware that people will clone company emails and try to pass them off as legitimate services. For example, you could get an email from “PayPal” that looks almost 100% like a PayPal email, but it’s actually something else.

There have even been instances where emails appear to be coming from someone you know. If someone has access to your email, they’ll look for people to imitate. Look for any inconsistencies, and if you find any, don’t click on any of its links. Contact any company that you think might be being impersonated and ask if they sent the email. If it’s not a legitimate email, they’ll be happy to know. Security is enhanced when everyone is working together and using good practices. Malware and other vulnerabilities are like viruses.

Again, be knowledgeable of the threats and don’t click on anything that you’re unsure of. Do a little homework on the companies, apps, and software. It’s unfortunate that we have to be so careful and proactive, but considering all that the internet has given us, it’s certainly worth it.

Password Managers And Strong Passwords

When I first heard about password managers, I was pretty apprehensive, but after learning a little bit about them, I’ve changed my tune quite a bit. I just started using LastPass, as it came with my antivirus software. Make sure that you’re using a reputable manager, because, like it or not, you’re allowing someone else access to these passwords, and you better believe people are gunning to hack those services.

PC Mag’s article about the best managers and CNet’s similar article have some recommendations. Be alert to the fact that some sites with “best” lists are promoting certain products because they’re being compensated by those companies. In addition, some sites can put too much emphasis on features and not enough on the actual protection. People like shiny things, sometimes to the detriment of the recommendations.

When creating a new password, I’d recommend making them at least 16 characters long, if not longer. The longer the better. Password managers and browsers can help keep track of these long passwords. I write them all down with pencil and paper too, just in case. You could also store them in a plain text file (I just use Notepad) and then encrypt that file with 7-Zip. This is easy to do. If you’re interested, check out this article explaining how by Northeastern University.

Use a combination of uppercase and lowercase letters, numbers, and characters. Don’t be afraid to use brackets, semicolons, periods, etc. Mix it up, and never use the same password twice. There are websites, such as Passwords Generator where you can easily create a strong password and control every aspect of it. While it’s a good service, I personally prefer to just come up with my own. Passwords Generator also has a number of good safety recommendations featured below the generator.
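The rules in this section (at least 16 characters, all four character types, no reuse) can be written down as a check and a generator. This is an added example, not code from the original post or from Passwords Generator; the function names and the symbol set are assumptions.

```python
import math
import secrets
import string

MIN_LENGTH = 16                      # minimum length recommended in this post
SYMBOLS = "[]{}();:.,!?@#$%^&*-_=+"  # assumed symbol set; some sites accept fewer
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
ALPHABET = "".join(CLASSES.values())


def audit_password(password, others_in_use=()):
    """Return the list of rules from this section that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    # Constant-time comparison against passwords already used elsewhere.
    if any(secrets.compare_digest(password.encode(), other.encode())
           for other in others_in_use):
        problems.append("already used for another account")
    return problems


def generate_password(length=20, others_in_use=()):
    """Draw from the OS random source until a candidate passes the audit."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_password(candidate, others_in_use):
            return candidate


def entropy_bits(length):
    """Upper bound on the entropy of a random password over ALPHABET.

    Rejecting candidates that miss a character type lowers this slightly.
    """
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(generate_password())
    print(audit_password("Summer2020!"))
    print(round(entropy_bits(MIN_LENGTH), 1), "bits at the minimum length")
```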

If you do hear about a vulnerability or hack on a site that you have a password with, change that password immediately. Some password managers will change your password constantly, so you don’t have to worry about that. Even if you don’t learn of a vulnerability or hack, change your passwords every few months to ensure you’re doing everything you can to protect yourself.

VPN

VPN stands for Virtual Private Network. They mask your IP address and location by allowing you to use a variety of networks, usually from around the world. So, let’s say you live in the Dallas area, as I do, and someone attempts to get your IP address and the location of that IP address. Instead of giving your actual IP address and location, it might list your location as being in the Netherlands and give an IP address in that location. The encryption layer it uses also hides your online activity. It enhances your privacy and security.

If you’re interested in using a VPN to enhance privacy and security when using public networks, use care similar to what I described in the downloads section. I would recommend using a paid service as opposed to a free one. Though not necessarily the case, the idea behind choosing a paid service is that they’re less likely to abuse your data or sell your data, such as browsing and search data, to a third party.

By using a VPN, you’re allowing VPN providers to potentially access that data. Also, VPNs have been known to be hacked as well. I know, it’s frustrating, but everything is vulnerable. Nothing is immune. That isn’t to say you shouldn’t use one, I think it’s a good idea, but, nonetheless, it’s good to bear in mind.

You’ll find tons of articles on why you should be using a VPN if you give it a quick search, and you’ll also find plenty on why you shouldn’t be using a free VPN. Here’s a snippet from an article by How To Geek on this subject:

A recent investigation by Metric Labs spotted by The Register drew attention to this problem, discovering the
majority of free VPN apps have links to China and 86% of them had unsatisfactory privacy policies. Some explicitly
stated they transfer user data to China. Most of them had customer support emails pointing to generic personal
email accounts on services like Gmail or Hotmail. These don’t sound like services worthy of your trust.

It can be assumed though, that anything a free VPN might be doing, paid VPNs could be doing as well. Do research and choose one that you trust if you do decide on using one. Try to use one that has access to many different networks in many different locations. The more locations, the better it can help you protect yourself and your identity.

Never assume that all of your data and activity are completely hidden. A common motto, of sorts, within the cybersecurity community is “Don’t trust anything or anyone”. Never assume anything, because you can only control so much. You can lessen the risks on your end, but you can’t do anything to control whether the companies you keep your passwords and banking information with get hacked.

Another option is to set up your own. You’ll have to purchase hosting, and it takes some technical know-how, but it is possible.

Unless you’re frequently using public networks (I try my best not to use any if I can help it, though many people have to due to the work they do), or you’re living under an oppressive government, you probably don’t need to bother with a VPN.

Antivirus

What you do need to concern yourself with, regardless of use cases, is good antivirus software. The good news is, every device I’m aware of comes with some level of antivirus software and works out of the box. I use Windows, and so Windows Defender is automatically turned on and operating. However, Windows has had a whole host of issues, especially recently, so to further mitigate the risks, I use additional software.

Again, when choosing antivirus protection, do your research and select carefully based on your needs. Similar to the lists I wrote about in the VPN section, PCWorld and PCMag have a couple of great articles on the best antivirus products. They go as far as to test each and every one of them. If you want to find out more about each individual company, they have entire articles on them and the tests they performed on their security.

I don’t want to endorse any one product, because I think there are a number of good ones out there, but if anyone’s curious, I use WebRoot. So far, I’ve been completely satisfied with its performance. I’ve also used Norton, McAfee, and Kaspersky.

All three of those seemed to work just fine, but McAfee was almost too secure. I joke a little, but its firewall blocked lots of safe websites that I visited on a regular basis, and I got tired of whitelisting web addresses, but at the same time, I didn’t want to completely turn it off. This was part of the appeal of WebRoot. Instead of just blocking websites, any sites it might be unsure about it will watch and then determine whether it’s a liability. If it does determine it’s a liability, it will reverse the damage done. WebRoot hasn’t disrupted my online activity at all, so far.

Kaspersky is another story. It’s been written about extensively already, but it’s worth mentioning that it’s been alleged that they have collaborated with the Russian government in the past. This doesn’t necessarily make it an untrustworthy company, but I just prefer not to use it for this reason. As far as antivirus goes, though, by all accounts it’s one of the better security companies out there. If you’re interested in knowing more about the allegations, you can check out this Wikipedia entry.

In fact, in PCMag’s article, Kaspersky, along with BitDefender, a Romanian company, and WebRoot, now owned by a Canadian company, got the top scores of all antivirus software tested.

A New Internet

Fuck, is it really coming to this? Maybe. It may be a scary proposition to those who have gotten used to our current model or those whose jobs rely on the current internet, but considering that, according to Webroot, there are 6,000 new phishing attacks, 25,000 new dangerous websites, and 101,000 new malicious files every single day, I think it’s been necessary.

Needing a new internet has actually been written about for a while now. I’m not bringing up anything new. Personally, I don’t feel like the current model is sustainable. There are only so many band-aids you can use to patch things up before the whole thing falls apart and everyone’s data is in the hands of bad actors. I think a better idea is to build one from the very beginning that prioritizes security and privacy.

I don’t think it’s impossible either. There are still a number of kinks to work out, but one such internet has been in development for over a decade now, and progress is being made. Unfortunately, it could still be a number of years before a production build is ready.

It’s called the SAFE Network, and it’s decentralized, so no one “owns” it, and it’s encrypted by default. As soon as data is uploaded through its browser, that data is encrypted and then fragmented into tons of different pieces and distributed at random throughout its network. That data is also completely redundant, meaning there’s no fear of losing it. This data can then be accessed only by the user who submitted it, unless otherwise specified by that user.

They’re not the only ones actively working on a better way to do things in the digital world, but I like the concept so far. Only time will tell whether it’s the answer, and there are a lot of entities who would probably like to see this project fail, so it’ll be an interesting thing to follow.

The point is though, the world deserves a more secure and private internet experience. Perhaps the current internet and the new concepts will one day live side by side to give more control and peace of mind to consumers. I, for one, hope that people continue the innovating, so we can experience an internet the way it should be.


Main image courtesy of Nahel Abdul Hadi