35 votes

What are the essential dos and don'ts of digital security for the average person?

Thanks to all of you who gave me guidance in the thread about password managers. It got me thinking I should expand the question to overall best practices regarding security, just in case I have any other important blind spots.

What are the essential do's and don'ts of digital security for the average person?

44 comments

  1. [15]
    Comment deleted by author
    1. [5]
      meghan
      Absolutely agree with everything except the VPN. For a detailed explanation, read this https://gist.github.com/ohhdemgirls/734321ae735e488db198298cb7e421af

      3 votes
      1. [4]
        balooga
        (edited )
        I don't think it's fair to say either "all people should always use VPNs" or "no one should ever use VPNs." It's true that by using one you are presenting a large volume of data to your VPN provider on a silver platter. We need to recognize that as an act of trust in a third party, as your link explains.

        However, even if you don't use a VPN, you're still placing trust in third parties, just different ones. You have to weigh these groups against each other, and determine who you believe to be most trustworthy according to your values, internet usage, and threat model.

        Without a VPN, you are placing your trust in...

        • ...your ISP. Depending on the current state of net neutrality in your region, this could result in content-based throttling, traffic shaping, or site blacklisting. ISPs are also notorious for being the enforcement arm of the MPAA and RIAA, et al., in cooperating with DMCA claimants. And ISPs are known to voluntarily hand over whatever browser history they have to law enforcement, often without a warrant, as well as outright sell that data to unknown others.
        • ...any governmental bodies observing network traffic between you and the sites you connect to. This includes NSA, GCHQ, ASD, and any of the other arms of the 5/9/14 Eyes surveillance dragnet.
        • ...bad actors on your local network. This could include unauthorized connections to a wifi endpoint or malware running on a compromised computer or IoT device. This category could also be expanded to include firewalls, like those used by many corporations, schools, libraries, etc.

        Using a well-configured VPN will effectively mask your data from all of the above, but expose you to the VPN provider.

        Some of those concerns can also be mitigated by using Tor, and making sure you aren't using your ISP-provided DNS resolution. Of course, there are trade-offs with both of those as well. Always do your research into technologies like these before using them, so you are aware of the limitations and caveats.

        Not all VPN providers are equally trustworthy. We have no idea of how many of them are not, we can only speculate. Lots of people have put a lot of time into this problem, so I'm not going to rehash any of that now. I will say that using a free VPN is an especially bad idea in just about every situation. And I also wouldn't give any consideration to ones that don't espouse privacy as a core tenet, particularly with regards to log keeping. Sure, they could still be merely paying it lip service, but it's better than nothing.

        My personal recommendation would be Private Internet Access. I'm not aware of any past situations that would call their trustworthiness or privacy claims into question. To me, their biggest selling point is that their Head of Privacy is Rick Falkvinge, the founder of the Swedish Pirate Party. He has a great track record of outspoken activism. Putting a well-known ideologue in that position speaks volumes to me about the company's true motives. He wouldn't stick around if there was a conflict of interest.

        Edit: Grammar

        12 votes
        1. [3]
          cfabbro
          (edited )
          I agree with pretty much everything you say... except for your recommendation at the end. PIA are headquartered in the US and that is enough for them to be written off entirely as a recommendation, IMO.

          p.s. I personally use blackVPN and also ExpressVPN (since I got a really good deal on 2 year signup).

          5 votes
          1. [2]
            teaearlgraycold
            PIA has repeatedly proven in court that they don't have logging for their users. It's still good to be suspicious, but I don't think there are too many VPN providers with that kind of track record.

            2 votes
            1. Soptik
              Couldn't a government agency force them to give them a key to the server, or otherwise allow them to spy on the network?

              2 votes
    2. [4]
      unknown user
      Do all 2FA require a separate device? Google asked for an app that provides timed codes. Apple does ask for it, too. I can foresee a situation where I may want to access a 2FA-locked account and not have my smartphone on me.

      1 vote
      1. [2]
        Comment deleted by author
        1. unknown user
          Ideally though, you always keep your phone (or whatever 2FA device) with you.

          Man... I have so much to say about this – but I'll spare you the rant.

          I'll say this, though: to me, U2F is a much-better idea than app-based 2FA, because it's a physical item that I can carry anywhere (and I will: I don't forget these things ever since I forgot keys to the house back in 8th grade) and that doesn't rely on overhead technology that I may or may not wish to use.

          Basically, the way I see it, if it requires thought to use, it shouldn't be relied upon for security. U2F is what I came to call a "natural design": one that utilizes simplest mechanism for maximum effect.

          3 votes
      2. [2]
        TheJorro
        I switched to using Authy specifically because of the situations when I may not have my smartphone on me. Authy can work as an app on the same device (phone or computer) you're trying to log into—I treat it as a second factor because I have a unique password on it that I know I have not used anywhere else, and never will. It's the same setup as my password manager, and I figure if it's good enough for my password manager, it's good enough for my 2FA. I'm far more worried about someone breaking into my password manager than my 2FA codes.

        An unintended result of using a 2FA method like this is that it's become mindless for me. It's a matter of muscle memory to bring up Authy, get my code, and paste it into the relevant field. I can do it as fast as it takes someone to even open up a 2FA app now.

        The risk I'm now exposed to is keylogging but it's easy enough to minimize that risk through other methods (primarily access). If my risk profile in general increases, I'll probably go more secure and get a YubiKey or the like.

        2 votes
    3. [5]
      babypuncher
      A VPN hardly seems necessary for the average person, unless you are using public WiFi or doing something illegal.

      1. [2]
        zigzagzig
        VPNs help me because I travel in Asia for work and frequently run into websites being blocked. Medium, reddit, twitter, etc. I would go to a meeting at a cafe and the only website we could access was Facebook. Open to other suggestions to get around bans like this aside from VPNs. I use PIA normally and ExpressVPN when in China.

        1 vote
        1. babypuncher
          Travel is definitely right up there as one of the best use-cases for a VPN.

          1 vote
      2. StellarTabi
        But your ISP might have an alternative opinion about what's illegal or what's their right to do to my traffic.

        1 vote
      3. Octofox
        Not really a security reason but the best part about a vpn for me is I can instantly get around geo blocks.

  2. [23]
    Heichou
    (edited )
    1. Never click links sent to you by strangers. That's a world of trouble. Only click links you are looking for specifically, and make double sure that it is what you're looking for.

    2. When you download something, take note of the size and file type. Let's say you're downloading a song. Songs come in many formats. MP3, MP4, WAV, OGG, and WMA are a few, and really the most common. Most songs also are never any bigger than a few MB. A random example would be Ten Speed (Of God's Blood and Burial) by Coheed and Cambria. This song's length is 3:45 in an MP3 format, with a filesize of 4.2 MB. Let's say you went to download this song specifically from a first page google result, and the file you are downloading is an .exe instead of a .mp3. BIG no-no. Music does not come in .exe filetypes. That means somebody has disguised that malicious program as a song to fool less tech savvy people, and once downloaded and run, it will wreak havoc. This goes for all files as well, but it's most common with music I've found. A significantly smaller file can be just as harmful as a significantly larger file.

    3. TNSTAAFL. Any link/page telling you that you've won something is full of shit and can safely be ignored. They want your information, and you will not be getting a free iPad in return.

    4. Always have an anti-virus handy, but know your options. There are many invasive programs (ahem, Avast) that keep things on a tight leash. This means that in their holy crusade against malware, they'll likely disrupt many programs and features of said programs that you want to run. Avast in particular has been known to prevent many games from working, as well as preventing online play in many games. Antivirus programs are kind of like training wheels. If you don't know your way around using the internet, it'd be smart to keep them on. However, if you already know your do's and don'ts, then it likely isn't necessary. Maybe run an antimalware program every few months or so to make sure everything's working fine.

    5. Google may know what your bathroom looks like, but it's much harder for them to mail you boxes of anthrax. Never disclose any personal information (such as address, full name, schools you went to, or even fringe info like businesses near you) online. Especially if you're a girl. There are a lot of people out there who are very capable of triangulating your exact location through small bits of info you give. It likely won't happen though, depending on the sites you frequent, but always think before you give any kind of info. 4chan has found ISIS (There's probably some common 4chan vocabulary in this so read at your own peril) and triangulated Shia LaBeouf's flag position using fucking flight contrails, so just know that people can be tenacious.

    6. If something's too good to be true, it is. Don't go looking for free downloads of video games/movies online (unless you're a seasoned sailor). You'll only find malware.

    And probably much more that I can't think of right this moment

    Edit: I'd like to add that this may be a tad more basic than maybe the OP had intended. Nonetheless, I believe it is still good to know. @Bauke mentioned a lot of great extensions for people at a more intermediate level in their post

    14 votes
    1. [2]
      asoftbird
      In regards to point 2: If you're a Windows user, enable file extension display in folder options. Shows what files are made of, helps in not accidentally executing coolsong.mp3.exe.

      8 votes
      1. Venko
        You can and should enable file extension display if you're a macOS user too.

        To do so open the Finder app, go to Preferences and check "Show all filename extensions"

        3 votes
    2. [8]
      masochist
      Always have an anti-virus handy, but know your options.

      If you don't do stupid stuff, you don't need an antivirus. Keep your machine up to date (always, but especially if you have to use Windows), use an adblocker, don't go to shady sites, don't ever use Flash or Java, and don't do anything with email from folks you don't know, and you'll be fine. You made my "more trouble than they're worth" argument for me, so I won't repeat it.

      3 votes
      1. [4]
        Comment deleted by author
        1. [2]
          masochist
          You've got a valid point there. I know what I'm doing, I work in security. As I've mentioned elsethread, I have this tendency of assuming other people know the things I do. Thank you for pointing that out to me. :) That said, you can mostly mitigate the need for an antivirus if you're careful on the web and with your email.

          And in the cases when I was using Windows, I could vet the opsec of anyone that connected to the same network because there wasn't anyone connecting to the same network. :)

          1 vote
          1. [2]
            Comment deleted by author
            1. masochist
              That's not the kind of use case I had in mind when I was suggesting you don't need an antivirus, though. :) If you're actively playing with malware, yes, absolutely take proper precautions!

              1 vote
        2. unknown user
          I think Windows 8 and later is not as susceptible to malware as Windows used to be in the past. I have not really used it myself since Windows 7 though.

          1 vote
      2. [2]
        Heichou
        Oh yeah this stuff's pretty obvious to people who are well acquainted with the tricks of the trade, but the OP said tips for the average person, so I figured I'd add the antivirus in accordingly. I'll definitely edit my initial post to better reflect the necessity of AV software, though

        2 votes
        1. masochist
          Sure, but that's the point of my comment, so OP realizes what they can do to avoid the hassle caused by an AV. They're also largely marketed via scaremongering to people who are ignorant and gullible. Thank you for editing, much appreciated. :)

          3 votes
      3. [2]
        Octofox
        The thing is that using Windows by design involves doing stupid stuff. On Linux you don't need an anti virus because all software can be found in the repos which are maintained by trusted people, but on Windows the proper way to install something is to visit some website and grab an EXE. Or use the Windows store, which isn't monitored even close to how Linux distro repos are.

        1. masochist
          which are maintained by trusted people

          Unless you're Debian and you think you know better than the OpenSSL devs. And there are other instances like that, too.

          I'm not even going to get into systemd.

          but on Windows the proper way to install something is to visit some website and grab an EXE

          These days there are package managers you can use just like on Unix (there's more to not-Windows than your 64 bit x86 running Linux, you know).

    3. gtwillwin
      4chan finding that ISIS camp is still one of the coolest things I've ever seen happen on the Internet. Internet detectives doing some good for once.

      3 votes
    4. [6]
      0d_billie
      Re: number 5. Holy crap, I never knew about either of those. The Shia LaBeouf one is kind of funny, the idea of someone just driving around honking their car horn until it gets picked up on a livestream and all. But the one where they find ISIS and get it bombed... That's quite alarming.

      2 votes
      1. [5]
        unknown user
        Have you heard about the Reddit witchhunts? Search for reddit boston bomber.

        Reddit's supposed to be the more-civilized one there.

        1 vote
        1. [4]
          Octofox
          Reddit's supposed to be the more-civilized one there.

          Hah, reddit and 4chan are almost the same place. Much of reddit is absolutely horrid like /pol/ and parts of 4chan are reasonably decent like /n/

          1. [3]
            unknown user
            Must admit: that does seem like a stretch.

            Then again, I've never been to 4chan.

            1. [2]
              Octofox
              Then again, I've never been to 4chan.

              The public only knows about a few boards on 4chan (/b/ /pol/ and /v/). There are a bunch of boards on 4chan that have a totally different culture. /n/ is a board focused mainly on trains, planes and bikes. There is a little bit of a leakage of people from /pol/ visiting other boards and they are usually flooded with replies telling them to go back to /pol/.

              It's a bit like a person who has never used reddit but has only seen /r/the_donald in the news.

              1 vote
              1. unknown user
                Doesn't make me more excited about visiting, but – thanks for disabusing me of my ignorance about that place.

    5. [2]
      Akir
      Number 5 should be number 1. And I would expand it to include giving that information to companies. Even if they're just asking for your name, the first question in your mind should be why.

      We are living in an era filled with bad actors, and those bad actors can just as easily be corporations. It's a world where Facebook is a trusted household name in spite of being involved in real-life conspiracies. And this is a company who will straight out lock you out of their addiction factories until you provide them with a government-sanctioned form of identification.

      1 vote
      1. Heichou
        These were in no particular order of importance, but that is a very real concern and it's a great thing to be aware of

        1 vote
    6. Octofox
      Most songs also are never any bigger than a few MB

      Most of my songs are about 40MB each. Even an MP3 encoded to an adequate quality comes out at 20MB.

      If something's too good to be true, it is. Don't go looking for free downloads of video games/movies online (unless you're a seasoned sailor). You'll only find malware.

      This is fairly accurate. The public internet and google only show malware. If you know where to look you can find unlimited trustworthy content, but it's not what you will find by searching "x free download".

    7. [3]
      Comment removed by site admin
      1. Heichou
        "the ultimate motivating force that drives innovation on the internet is being told "that's impossible" and then wanting to publicly humiliate that person by proving them wrong."

        This is the best answer lmao. 4chan runs off of spite and a dash of antisemitism. Also thanks for the not news website link. Didn't know if there'd be any reddit links around

      2. Pilgrim
        What are you using now? I've been using ClamShell

      3. Removed by admin: 6 comments by 1 users
  3. masochist
    This guide by the EFF is probably a really good starting point. The most important things are use a password manager and keep your devices--and all of your applications--up to date. Yes, even if the update breaks something for you. Chances are it'll be fixed soon (and if it's not, your software vendor sucks). Being secure is ultimately more important than your app working, because if your machine is compromised, it may be ransomed to you via a cryptocurrency scam. And that's just the first thing to come to mind.

    10 votes
  4. [4]
    hereticalgorithm
    Often missed: Backups, so that if you get hit by ransomware or are otherwise compromised and have to reformat, you can afford to do so.

    As to how, this depends on who you trust, and what your resources are. I'd personally upload to the cloud, but in an encrypted form.

    10 votes
    1. [3]
      masochist
      Better than having one backup is having multiple, local and cloud. A USB hard drive that you can use for backing up your computer is likely going to be a few hundred USD. "But that's a lot!" you say. And it absolutely is! But what's the value of the things you could lose if you don't have a good local backup? Probably a lot more or "no amount of money could replace that data". Cloud backups are good for some things, local backups are good for others. I have a local backup for my main personal machine that I can use to go from an empty drive to a machine in exactly the state it was at the time of the backup, and all I have to do is enter the encryption key. That's called Time Machine for Mac users, by the way, and there are equivalents in the Windows and Unix worlds (I'm particularly a fan of dump(8) on Unix, but I'm an oldschool grumpy sysadmin).

      OH! I almost forgot (... and this is precisely the point, as you'll see in a moment)! You need your backup to be automatic so you don't have to think about it. The backup you have to think about and do manually is the backup you put off until later when you're not busy. The backup you have to think about and do manually is the one you wish you'd done when you lose your data. Schedule your backup so it happens automatically. You want your backup to be configured so that when you forget about it, it doesn't forget about you.

      3 votes
      1. [2]
        Octofox
        I have really been meaning to set up a good backup solution. One of my fears is that if it's fairly automatic, then any issue that wipes out all my computer drives might also wipe out the backup drive if it's always connected. My ideal system is probably a hdd + raspberry pi which allows my desktop to only upload new backups but not delete. The old backups are then automatically deleted after an amount of time.

        1. masochist
          This is why I suggested having a local and an offsite backup. I like Backblaze. I actually had to think for a moment to remember their name because I just do not need to think about it and that's how your backup should be. If you're wanting something more open source friendly, tarsnap is really, really good. Developed by the previous FreeBSD security officer. Stick it in cron (or anacron for a laptop) and forget about it.

          I cannot emphasize enough how important it is that you do not think about your backups. If you need to think about it, you will eventually screw it up.
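
Added example (not from masochist or Octofox): the retention half of the design Octofox describes, in Python, plus the staleness alarm that masochist's "doesn't forget about you" requirement needs. The archive naming scheme `desktop-YYYY-MM-DD` and the keep counts are assumptions of this example; the push-only upload side (what stops the desktop from deleting) is a separate access-control problem and is not covered here.

```python
from __future__ import annotations

from datetime import date, datetime, timedelta

ARCHIVE_PREFIX = "desktop-"  # constructed naming scheme: desktop-YYYY-MM-DD, one archive per day


def parse_archive_date(name: str) -> date | None:
    """Date encoded in an archive name, or None for names this scheme does not own."""
    if not name.startswith(ARCHIVE_PREFIX):
        return None
    try:
        return datetime.strptime(name[len(ARCHIVE_PREFIX):], "%Y-%m-%d").date()
    except ValueError:
        return None


def select_keep(archives: list[str], keep_daily: int = 7, keep_weekly: int = 4,
                keep_monthly: int = 6) -> set[str]:
    """Grandfather-father-son retention relative to the NEWEST archive: keep the
    newest archive of each of the last `keep_daily` days, of each of the last
    `keep_weekly` ISO weeks and of each of the last `keep_monthly` months.
    Counting from the newest archive rather than from today means a job that
    silently stopped can never prune its own history down to nothing."""
    dated = []
    for name in archives:
        d = parse_archive_date(name)
        if d is not None:
            dated.append((d, name))
    dated.sort(reverse=True)  # newest first, so the first hit in each bucket wins
    keep: set[str] = set()
    days: set[date] = set()
    weeks: set[tuple[int, int]] = set()
    months: set[tuple[int, int]] = set()
    for d, name in dated:
        week = (d.isocalendar()[0], d.isocalendar()[1])
        month = (d.year, d.month)
        if len(days) < keep_daily and d not in days:
            days.add(d)
            keep.add(name)
        if len(weeks) < keep_weekly and week not in weeks:
            weeks.add(week)
            keep.add(name)
        if len(months) < keep_monthly and month not in months:
            months.add(month)
            keep.add(name)
    return keep


def select_prune(archives: list[str], **policy: int) -> list[str]:
    """Archives the server side may delete; names outside the scheme are never touched."""
    keep = select_keep(archives, **policy)
    return sorted(n for n in archives if parse_archive_date(n) is not None and n not in keep)


def is_stale(archives: list[str], today: date, max_age_days: int = 2) -> bool:
    """The alarm: True when the newest archive is older than `max_age_days`,
    i.e. the job you stopped thinking about has stopped running."""
    dates = [d for d in map(parse_archive_date, archives) if d is not None]
    return not dates or (today - max(dates)).days > max_age_days


def sample_archives(start: date, count: int) -> list[str]:
    """Constructed listing: one archive per day for `count` days starting at `start`."""
    return [ARCHIVE_PREFIX + (start + timedelta(days=i)).isoformat() for i in range(count)]


if __name__ == "__main__":
    listing = sample_archives(date(2024, 1, 1), 40)  # 2024-01-01 .. 2024-02-09
    print("keep  :", sorted(select_keep(listing)))
    print("prune :", len(select_prune(listing)), "archives")
    print("stale on 2024-02-20?", is_stale(listing, date(2024, 2, 20)))
```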

  5. Emerald_Knight
    #1: Mindful browsing habits.

    About to click on a link? Hover over it first. Where does it go? Do you recognize where it's heading? If not, do a bit of quick research about the website. Some antivirus companies do some basic profiling of websites to determine whether or not they seem trustworthy, so you might look into that as an option. Make sure to double-check the domain, too, because it's not uncommon for a malicious actor to use an identical looking domain name, e.g. ti1des.net vs. tildes.net. When in doubt, just stay away.

    About to download a file? Make sure the file extension matches what you're expecting and that the file size makes sense. You definitely don't want to find yourself downloading and opening le_funny_meme.jpg.exe because then you're just asking to have a virus ruin your desktop.

    Run an ad blocker. Seriously. Ads are ridiculously insecure attack vectors. Whitelist for the websites you want to support and trust enough to have ads running on, but block everything else. I can't tell you how many times I've had normally trustworthy websites get hijacked by an ad that redirects me to a page that tries to scare me into downloading an "antivirus" by claiming that it found a virus on my machine.

    Use HTTPS Everywhere. It'll help prevent man-in-the-middle attacks where someone can intercept your internet traffic, dump a malicious script or link or something into the page, and ruin your day as a result. Hell, they could probably just change the response headers to redirect you to a malicious website.

    Through all of this, search engines like Google, Bing, and DuckDuckGo are your friends. Make friends with your search engine of choice. Get used to using it.

    Those are enough for 99%+ of your safe browsing needs.


    #2: Account security.

    You've already touched on this one with password managers, so I'll keep this brief. Use a password manager with a reasonably strong master password. Start using unique, randomly-generated passwords for all of your accounts and update the passwords for your existing accounts if they're not already using randomly-generated passwords. Make those passwords decently long (personally I like using 32-character passwords, but that's a bit overkill). Secure your password manager with 2FA.

    Preferably you would secure your other accounts with 2FA as well. For accounts that require setting security questions, avoid using any answers that can be googled or which a normal person would reasonably know about you. Some services have really terrible password length limits, and these are usually really high-value targets built on legacy systems (especially banks, holy shit), so make sure that you use the longest passwords possible for them, be particularly careful about your answers to security questions, and definitely use 2FA if available.


    #3: Device security.

    Encrypt. Your. Devices. It takes just a bit longer to boot when they're encrypted, mostly because you have to enter some kind of password to decrypt your data, but it's worth it. Otherwise, a thief doesn't necessarily need your device password--they may just be able to disconnect your drive and access your unencrypted filesystem via their own device, using your drive as external storage. Hell, there doesn't even need to be a thief involved if you ever sell or donate your old device and some file recovery software manages to find your "deleted" data.

    If your device doesn't support full drive encryption, then don't sweat it--usually there's software available to encrypt certain folders or to create encrypted partitions on your drive without requiring a bunch of in-depth knowledge, so just make sure that you keep your sensitive files (tax information, credit report copies, whatever) locked safely away in an encrypted location.

    Alternatively, just avoid ever having any sensitive data stored on your device ever. But let's face it, odds are you're going to slip up at some point or another, so do yourself a favor and encrypt that shit.


    You don't really need much more than that, honestly. There are plenty of other things you could do for privacy, but that's beyond the scope of your question and I'm not about to make this comment any longer than it already is :)

    4 votes
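
Added example (not part of any comment above): a Python checker for two of the habits in #1, hovering over a link to learn the real host (the ti1des.net vs. tildes.net case, including links that hide the real host behind a `user@` prefix) and refusing double-extension downloads such as le_funny_meme.jpg.exe or Heichou's song-that-is-really-an-.exe. The allow-list, the confusable-character table and the executable-extension set are constructed for this example and are not exhaustive.

```python
from __future__ import annotations

import os.path
from urllib.parse import urlsplit

# Character swaps commonly used to build lookalike domains. Constructed list for
# this example: not exhaustive, and Unicode homoglyphs are out of scope here.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]

# Extensions a double-click will execute on Windows. Constructed, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".msp",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".jar", ".hta", ".lnk"}


def skeleton(label: str) -> str:
    """Collapse visually similar spellings: skeleton('ti1des') == skeleton('tildes')."""
    s = label.lower()
    for lookalike, real in CONFUSABLES:  # two-character swaps are listed first on purpose
        s = s.replace(lookalike, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: real code needs the Public Suffix List so
    that e.g. example.co.uk is not reduced to co.uk."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_url(url: str, trusted: set[str]) -> tuple[str, str]:
    """Return (verdict, host): 'trusted', 'lookalike', 'unknown' or 'invalid'.

    urlsplit().hostname drops any 'user@' prefix, so the host reported for
    https://tildes.net@ti1des.net/ is ti1des.net, the host the browser would
    actually connect to, which is what hovering over the link should reveal."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid", ""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", host
    for good in trusted:
        if skeleton(domain) == skeleton(good) or levenshtein(domain, good) <= 2:
            return "lookalike", host
    return "unknown", host


def classify_filename(name: str, expected_ext: str) -> tuple[bool, list[str]]:
    """Return (safe, reasons). Catches coolsong.mp3.exe style disguises regardless
    of what the name claims to be, plus a plain extension mismatch."""
    reasons: list[str] = []
    stem, final_ext = os.path.splitext(name)
    final_ext = final_ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"{final_ext} is an executable type")
        if inner_ext:
            reasons.append(f"double extension: shown as {inner_ext}, runs as {final_ext}")
    if final_ext != expected_ext.lower():
        reasons.append(f"expected {expected_ext}, got {final_ext or 'no extension'}")
    return (not reasons, reasons)


if __name__ == "__main__":
    trusted = {"tildes.net", "example.com"}  # constructed allow-list
    for url in ("https://tildes.net/", "https://ti1des.net/login",
                "https://tildes.net@ti1des.net/", "https://docs.python.org/3/"):
        print(f"{url:36} -> {classify_url(url, trusted)}")
    for name, ext in (("Ten Speed.mp3", ".mp3"), ("coolsong.mp3.exe", ".mp3"),
                      ("le_funny_meme.jpg.exe", ".jpg")):
        print(f"{name:24} -> {classify_filename(name, ext)}")
```

A verdict of "unknown" is not "safe"; it only means the domain is not on the allow-list and does not resemble one that is, so the author's "do a bit of quick research" step still applies.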
  6. ianw
    Someone already said a password manager, but I think it warrants being repeated. A good one can go on all of your devices, and randomize all of your passwords for you. At this point I only have to remember one password, and the password manager fills in all of the super strong random passwords it made up for me. It's probably one of the best things you can do to protect yourself online. I personally use (and like) BitWarden, but I have no affiliation with them.

    1 vote