Staying Safe Online: A Guide For Everyone

Perhaps you’re worried about being doxxed, perhaps you’ve received some specific threats, maybe you just want to increase your security. No matter the reason, this article is for you! Below I will list a collection of good practices to keep you and your accounts safe online. I fully expect to update this post as things change in the future.

I have tried to put things in a logical order, with some later steps depending on earlier steps, and some things that may be considered “controversial” towards the end.

This post was last updated on Oct 27, 2022.


Passwords

Let’s start with passwords. I shouldn’t have to say this, but I will do so anyway: do not reuse passwords. Reusing passwords means that if a single account provider is breached and your plaintext password is recovered, you now have additional accounts at risk of compromise. This has happened before.

Anyone in a hoodie is NOT to be trusted.

I recommend using a password manager such as 1Password to keep track of your passwords. While having your passwords stored in an app that uploads them somewhere increases your risk slightly, I feel that risk is outweighed by the benefit of using a different password for each service. For the passwords themselves, you can use random characters or a system such as Diceware to create long passwords that are easier to remember. While the latter is slightly less secure, a password that can be remembered is one less password to store in a password manager.
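To make the Diceware idea concrete, here is a small Python implementation added for this post (it is not the author's code and not the Diceware app mentioned later). It rolls dice with a cryptographically secure generator, maps each roll to a word the same way a printed Diceware list does, and works out how many bits of entropy a passphrase has. The 36-word list is a constructed toy list for two dice; a real Diceware list has 7776 words, one for each roll of five dice, and the functions handle that size too.

```python
import math
import secrets

# Constructed toy word list for two dice (6 * 6 = 36 entries). A real Diceware
# list is indexed by five dice (11111..66666) and has 6**5 = 7776 words; the
# mechanism below is identical, the list is just shorter so it fits here.
TOY_WORDLIST = [
    "acid", "alarm", "apple", "arrow", "badge", "bench",
    "birch", "blink", "bloom", "brass", "cabin", "candy",
    "cedar", "chalk", "cloud", "comet", "crane", "daisy",
    "delta", "dusk", "eagle", "ember", "fable", "fence",
    "flint", "frost", "gable", "giant", "glove", "grape",
    "harp", "hazel", "hedge", "honey", "igloo", "ivory",
]


def roll_dice(n: int) -> str:
    """Roll n fair dice using the OS CSPRNG; returns the faces as a string such as '3614'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def roll_to_index(roll: str) -> int:
    """Map a dice-roll string to a list index: the roll is a base-6 number whose digits are 1..6."""
    index = 0
    for face in roll:
        if face not in "123456":
            raise ValueError(f"not a die face: {face!r}")
        index = index * 6 + (int(face) - 1)
    return index


def passphrase(num_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Pick num_words words by independent dice rolls. The list length must be a power of 6."""
    dice = round(math.log(len(wordlist), 6))
    if 6 ** dice != len(wordlist):
        raise ValueError("word list length must be a power of 6")
    return sep.join(wordlist[roll_to_index(roll_dice(dice))] for _ in range(num_words))


def entropy_bits(num_words: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase: each word drawn uniformly contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


def words_for_target(target_bits: float, list_size: int = 7776) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(6))
    print(f"6 words from a 7776-word list: {entropy_bits(6):.1f} bits")
    print(f"words needed for 80 bits: {words_for_target(80)}")
```

The entropy figures are the point: a six-word passphrase from the full list is about 77.5 bits, and you need seven words to pass 80 bits, which is why Diceware advice is counted in words rather than characters.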

Change Default Passwords

This one is mainly for devices. Many devices ship with default passwords, which can be easily found via an online search. If an intruder is able to access your home network via malware, they could try getting into any devices you have connected to the network in order to exfiltrate data. Please change the default passwords to a different password on devices such as the following:

  • Cable modems
  • Routers
  • Wireless access points
  • Disk arrays
  • Security cameras
  • Doorbells
  • Appliances
  • …and anything else I didn’t mention here. If it ships with a password, change that password!

Password Protect Your Phone

Starting with the iPhone 5S, Apple began including a chip in their phones called “The Secure Enclave”. This is a chip which Apple designed from the ground up and patented; it handles all encryption and decryption of user data on the iPhone, along with storing and validating the phone passcode and performing Touch ID and Face ID verification.

In short, an iPhone with a password set has its data encrypted and protected against all but perhaps nation-state level attackers. You should absolutely positively set a password on your iPhone, and share it with no one.

Android users, I’m sorry but I don’t have any experience with your platform. I do recommend setting a password on your phones, however.

Turn on Two-Factor Auth (2FA)

Two-factor authentication in its current incarnation is where you use your phone or a hardware device to generate a 6- or 8-digit number to use when logging into your accounts. That number is derived from a shared secret and the current time, so it is good for only 30–60 seconds and then changes to something else. The advantage of this is that even if an attacker gets your password, they will need to get your phone as well. And if you password protected your phone, that’s another hurdle for them…

Here is how to turn on 2FA for your Gmail account.

You should NOT use SMS as the second factor, for reasons I will go into later in this article; instead, consider a software app and/or a hardware key for that purpose. Here are some suggestions:

Anything that supports the TOTP spec will work just fine. And don’t stop with just Gmail — do you use Twitter and Facebook? Turn on 2FA there, too!

Remove Cellphone Numbers From Your Accounts

There is a type of attack called a “SIM swapping attack” wherein the attacker ports your cellphone number to a new SIM in a phone that they own. You’ll have no warning that this is about to happen; you will only learn of it when your phone suddenly loses cell service. From there, the attacker can use SMS-based password resets to take over your online accounts.

Such an attack sounds rather complicated, but in reality the going rate for SIM Swapping is about $100 per number. Seriously, if you have a cellphone number on an account that you control, remove it ASAP.

If you have an account where a cellphone number is required, my recommendation would be to get a Google Voice number, install the Google Voice app on your phone, and turn off SMS forwarding of messages. When a text comes in to the Google Voice number, you will get an alert on your phone with the contents of the text. (You did enable 2FA for your Google Account, right?)

A benefit of this approach is that it also protects against your cellphone being stolen and the SIM put into a new phone to receive 2FA texts.

Put a PIN on Your Cellphone Account

Cellphone companies will allow you to set a PIN on your account, so that anyone attempting to change anything on your account has to supply the PIN in addition to the password. It varies by carrier, and it’s not perfect, but it’s one more layer of defense which can help against a persistent attacker.

Turn Off Sharing On Your Computer

“Oh dear god”

Go into the “Sharing” control panel on your computer and turn off anything you’re not using. Even if you are using it, carefully consider whether it’s something you really need, and if you really really need it to be turned on 100% of the time. If it is something used infrequently, consider turning it on only as-needed and turning it off afterwards.

Set a Password in Telegram

Telegram is a popular messaging platform with 700 million users worldwide. Telegram uses your phone number to log in by texting you a code, but recall what I said above about SIM Swapping attacks? Telegram will let you set up 2-step verification by adding a password. Do it.

Cover Your Laptop Cameras

One way to spy on a user would be to infect their laptop with malware and then make use of the laptop camera to watch them. While camera covers are a thing, I don’t recommend them because they sometimes cause damage to the underlying trackpad when the laptop is closed. Instead, just use a piece of tape. A bonus to that approach is being able to see through the tape if the camera is turned on.

Yes, I had a number of calls where I thought there was something wrong, and realized I had the camera covered — switching to tape reduced the number of those incidents to zero. 🙂

Keep Your Software and Devices Up To Date

Computers, cellphones, appliances, and routers. If it runs software it needs to be kept up to date.

Run software updates regularly. 0-day attacks are a thing, and applying updates sooner rather than later limits your chances of getting hit with one.

Defense in Depth

If you’ve made it this far, you’re probably wondering why I suggested disassociating your cellphone number from your accounts, but also adding a PIN to your cellphone account.

The reason for that is Defense in Depth. That is an approach where you have multiple layers of security, so if one element of security is breached, an attacker still cannot get into your computer or your accounts. For example, Google says that successful phishing attacks against their employees dropped to zero after switching to hardware keys for 2FA.

Avoiding Phishing Attacks

Phishing attacks can be tricky, because the blackhats behind them tend to do a really good job of making their emails look both convincing and urgent. One way to defend against them is the following:

If you click a link and suddenly get a login screen, stop and close that tab. Then create a new tab and type the site into the address bar or use a pre-existing bookmark to log in.

If you’re using a YubiKey, there is an extra layer of defense called Origin Binding. That binds a user login to a specific site, which means that only the legitimate site can authenticate with that key. While you may be fooled, the YubiKey will not be. 🙂
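The “stop, close the tab, type the address yourself” rule works because it takes the decision away from how the email looks and puts it on where the link actually goes. Here is that decision written down as a small Python check, added as an example for this post (not the author's code); the email links it inspects are constructed. It is also a crude, by-eye version of what origin binding does for you automatically: with a FIDO key, the browser reports the real site origin as part of the signed login, so a key registered with the genuine site cannot complete a login on a look-alike, no matter what the page looks like.

```python
from urllib.parse import urlparse


def link_is_trusted(url: str, expected_domain: str) -> bool:
    """True only if url is https and its host is expected_domain or a subdomain of it.

    The test is on the *end* of the host name, after a dot, which is what rejects
    'accounts.google.com.security-check.example'. Anything before an '@' is userinfo,
    not the host, so 'https://accounts.google.com@login.example/' is rejected as well.
    Non-ASCII hosts are refused outright instead of trying to judge look-alike letters.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower().lstrip(".")
    if parts.scheme != "https" or not host or not host.isascii():
        return False
    return host == expected or host.endswith("." + expected)


def suspicious_links(links, expected_domain: str):
    """Given (visible text, href) pairs taken from an email, return the ones whose href is not trusted."""
    return [(text, href) for text, href in links if not link_is_trusted(href, expected_domain)]


# Constructed sample: link text and real destination as they might appear in a
# "verify your account" email. Only the first and last point at the genuine site.
SAMPLE_EMAIL_LINKS = [
    ("Sign in to your account", "https://accounts.google.com/signin"),
    ("Review recent activity", "https://accounts.google.com.security-check.example/login"),
    ("Confirm your identity", "https://accounts.google.com@login.example/"),
    ("Update your password", "http://accounts.google.com/password"),
    ("Help center", "https://support.google.com/"),
]

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL_LINKS, "google.com"):
        print(f"do not follow: {text!r} -> {href}")
```

The plain-http link is flagged too: a real sign-in page will never be served without TLS, and a link that downgrades you is a sign that someone else is in the middle.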

Freeze Your Credit Reports

This is more for identity theft than overall security, but it’s still a very prudent move, especially in the wake of the Equifax data breach. In the US, there are 3 credit bureaus, and there is a different procedure for freezing your credit report on each of them:

The only time you will need to unfreeze your credit is for anything that requires a credit check, such as applying for a loan or getting a credit card. These events are so rare that the extra effort to (briefly) unfreeze your credit is worth the extra protection against identity theft that it provides.

Buy Google One, DropBox Plus, etc.

If you’re a Gmail user, I would recommend buying Google One, which is their paid offering. It starts at $1.99/mo for 100 GB of storage in Gmail and Google Drive. But the real benefit here is that if something goes wrong with your Google account (possibly in response to an attempted hacking), you will now have an official support channel that you can use to recover your account.

Same thing goes for your files in DropBox — their paid plans start at $9.99/mo which means that if something goes wrong, you are more likely to get a speedier resolution to your issue.

In a perfect world, neither of the above should be necessary. Sadly, we live in an imperfect world where leopards are confused with cheetahs daily.

Someone called him a cheetah and THEN hacked his Gmail account.

Tor and VPNs

This section probably doesn’t apply to you unless you need to stay anonymous online because:

  • A government is interested in what you may be doing, or
  • You are visiting a website that tracks visitors, or
  • Someone is trying to trick you into revealing your IP address and/or location (which isn’t that difficult to set up)

In addition to getting your IP address, an adversary might attempt browser fingerprinting, which would let them track you even if you are using different IP addresses. There are two ways to deal with this.

The first approach would be to download the Tor Browser. This browser makes use of the Tor network, so that your original IP is hidden, and the browser itself is built so that all users look the same, making browser fingerprinting much less effective. This option is free.

The second approach would be to use a VPN for your connection and then use a hardened version of Firefox for your browsing sessions. This option will cost money, because you absolutely positively should not use a “free” VPN. It will also be faster than Tor, but requires a little more setup and therefore is slightly more error prone.

Again, unless you have a specific reason to believe that someone is trying to track you, Tor or a VPN is probably overkill. I’d rather see you do everything else in this blog post, and leave Tor/VPN usage for the very last thing.

Increase Your Social Media Presence

This last one is a little controversial — I have friends who would rather not be on social media for a variety of reasons, and I understand that.

Say what you will about social media, sites like LinkedIn and YouTube, photo sharing sites like Flickr, etc. but one thing that those sites all have in common is this: they have a very high PageRank in Google. This means that if you create accounts on those sites, and use them semi-regularly, those are the websites that will show up when people Google for your real name. This is a good thing, because it means if someone tries using a link farm to spread lies or misinformation about you, they will have to work that much harder in order to bump you down from the top 5 results on Google for your real name.

The above approach is actually a simple form of reputation management, as low-key as it may be.

But I understand that social media is not for everyone.

Additional Reading

Would you like to read more about computer and software security? Great! Here is a list of resources to check out:

About the author

I am a software engineer living in Philadelphia, PA. While not a security expert, my 20 years of experience has helped me understand much of the computer and Internet ecosystem, and where the weak points are. Feel free to check out my GitHub at https://github.com/dmuth or hit me up on Twitter.

And a disclosure: the Diceware app mentioned above was written by me, but the Diceware approach has been around since 1995.

Final Thoughts

This is hardly meant to be an exhaustive guide to security — but since the topic of security and the fear of doxxing has come up among people I follow on Twitter recently, I felt it was a good time to take some of the things that I have learned over the years and put them into a guide that others may find useful.

If you have any thoughts on the topic of security, feel free to reach out or leave a comment!

(Mirror on Medium)