Here are 10 things you can do to improve the security of your personal PC, phone or tablet. Implementing them will make it harder to steal your private data, whether from your device's drive or from one of the websites where you have an account.
These tips are addressed to an average 'Joe Bloggs', but some of them require a little familiarity with computers. If you are uncertain about any of them, please ask in the comments or ask someone more familiar with IT.
Encrypt the *whole* hard drive
Full disk encryption protects your data from unauthorised access, for example when your device is stolen. It will also protect you from the so-called 'Evil Maid' attack, where someone gets hands-on access to your unattended device.
- TrueCrypt for Windows
- FileVault2 for MacOS
- BitLocker for Windows (built-in)
It is worth keeping regular (also encrypted) backups: on an encrypted drive, corruption of even a single bit can leave all of your data inaccessible.
Some hard drives support encryption at the hardware level, in which case no additional software needs to be installed.
Keep your software up to date
This protects you from most mass attacks, such as:
- Opening a specially prepared PDF file
- Visiting a malware-infected website
All software has bugs. They are found and fixed constantly, so to make sure you are not vulnerable you need to apply software updates on a regular basis.
Turn on automatic updates for all of the programs you use. This is especially important for web browsers.
If you have to download an update manually, do it from the manufacturer's website over HTTPS (otherwise someone on your connection path could tamper with the downloaded data).
- Personal Security Inspector (PSI) for Windows
- Linux (Debian/Ubuntu): sudo apt-get update && sudo apt-get upgrade
It is also worth reviewing the permissions you have granted to third-party applications on your accounts:
- Facebook: https://www.facebook.com/settings?tab=applications
- Google: https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en
Use unique passwords for every service and turn on two-factor authentication
This tip protects your online accounts from unauthorised access. In most cases an attacker gets into your account at service X because they managed to break into service Y, where you had registered with the same e-mail/login and the same password.
It is also quite common to bypass the login form altogether via the password reset form. For that reason, do not choose a security question whose answer is very easy to guess (Q: 'Favourite colour?' A: 'Black').
Two-factor authentication protects your account even when your password has been compromised: to get in, the attacker would also need your mobile phone.
Attackers can check over 5 million passwords per second. Therefore, to slow down a brute-force attack, a password should be:
- not a dictionary word (passwords like qwerty, qazwsx or john123 are no good, as they appear in brute-force dictionaries);
- not based on a template: do not use a pattern across your passwords (ThisIsMySecretFacebookPassword), because if one password is captured the attacker will easily guess the passwords for your other accounts;
- long and complex.
The same rules apply to the answers to password recovery security questions.
Generate and store your passwords in a password manager such as KeePass (available for Windows, Linux, Mac, iOS and Android). That way you only have to remember one password: the one for the manager itself.
Two-factor authentication can be enabled in:
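A worked illustration of the "5 million passwords per second" figure above, added here as example code (it is not part of the original post): it estimates the worst-case brute-force time under a constructed character-class model and a constructed mini-dictionary, and shows why a dictionary word falls instantly while a long, mixed password does not.

```python
import string

# Guess rate quoted in the article (~5 million passwords per second).
GUESSES_PER_SECOND = 5_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed miniature brute-force dictionary for illustration only;
# real attacker wordlists contain many millions of entries.
DICTIONARY = {"qwerty", "qazwsx", "john123", "password", "123456", "letmein"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover for this password, under a
    constructed model where they search by character class: lower-case,
    upper-case, digits and punctuation."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def worst_case_seconds(password: str) -> float:
    """Seconds needed to exhaust the whole keyspace at GUESSES_PER_SECOND.
    A dictionary word falls after at most one pass over the wordlist,
    regardless of its length or character mix."""
    if password.lower() in DICTIONARY:
        return len(DICTIONARY) / GUESSES_PER_SECOND
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def describe(password: str) -> str:
    """Human-readable worst-case cracking time."""
    secs = worst_case_seconds(password)
    if secs < 1:
        return "instant (dictionary or trivial)"
    if secs < SECONDS_PER_YEAR:
        return f"{secs / 3600:.1f} hours"
    return f"{secs / SECONDS_PER_YEAR:.1e} years"


if __name__ == "__main__":
    for pw in ("qwerty", "John123", "abcdefgh", "Tr0ub4dor&3xyzAB"):
        print(f"{pw:20s} -> {describe(pw)}")
```

The eight-letter lower-case password is exhausted in under half a day at that rate; every extra character class and every extra character multiplies the work.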
- Google Gmail
Increase the security of your web browser
This step helps prevent your Internet traffic from being hijacked and your identity from being stolen. Your web browser is most likely the application you spend most of your time in.
Google Chrome has the advantage of sandboxing, but it sends some usage statistics to Google; this can be limited in the application's settings.
Turn off the Java plugin, as well as any others that you do not need.
Turn on the 'click-to-play' function for your plugins. This prevents any Flash applet from starting without your consent; to play a video on YouTube you will have to click on it first. In Chrome:
- Settings -> Show Advanced Settings -> Content
- Settings -> Plugins -> Click to play
Set your cookie policy to block third-party cookies; this protects your privacy from marketing trackers.
Install useful extensions:
- HTTPS Everywhere (enforces encrypted connection where possible)
Use a VPN when you connect through a network you do not control
Using a VPN protects you from session hijacking and man-in-the-middle (MITM) attacks. On free hotspots and on WiFi networks with WEP encryption, every other user of the network can see all of your Internet traffic, and if you do not use encrypted protocols (HTTPS) your passwords are easy to steal.
An attacker can also set up a fake, open network with the same name (SSID) as one you have previously connected to. Your device will join it automatically, which puts the attacker in a position to intercept your traffic.
Any certificate error that comes up when you connect to a secure website, and any message warning that a server's fingerprint has changed, should be treated as a MITM attack: do not accept such a connection.
Always use a VPN when connecting to untrusted WiFi networks. You can buy a VPN service or set one up yourself. If you have an SSH account on a server, log in to it with the following:
ssh login@server -D 9090
Once that is running, configure your browser to use a SOCKS proxy on localhost port 9090. Note that traffic from applications other than your browser is still exposed to hijacking; to cover it you would have to force a system-wide SOCKS connection. It is also important to understand that the traffic is only encrypted as far as your SSH server: anyone who can listen on the server's side will see your unencrypted connections as they exit.
Another alternative to a VPN is the Tor network.
Use a firewall
This helps protect you from being overly exposed to the Internet. Without a firewall, every service running on your computer is reachable by any Internet user.
Block all incoming connections to your computer; this makes no difference to your normal Internet usage as long as you are not running a web server or some other service you want to share. If you do need to, you can open the appropriate ports to other Internet users with a simple firewall rule.
Consider also installing software that controls your outgoing traffic, such as Little Snitch for Mac OS or ZoneAlarm for Windows.
Use an antivirus and a non-admin account
A good antivirus protects you from well-known malware, and working from an unprivileged user account will not allow malware to gain total control over your system.
You do not have to buy antivirus software: many companies offer free editions that are as effective as the paid ones.
Do not use an administrator account for your daily work.
Consider what you put online
This helps you avoid an online faux pas or a leak of confidential data. Everything you put online or send by e-mail, even to a single chosen recipient, should be treated as publicly visible to everyone.
Your trusted recipient's mailbox might be exposed by an attack; a private gallery on Facebook can become visible to everyone because of a temporary bug on the site. Both have already happened.
Everything you put online has a good chance of staying there forever, whether you want it to or not.
Password-protect your BIOS
This helps if your device gets stolen: the thief may be unable to boot your PC from a live CD/USB and so will not get at your hard drive that way.
Remember, though, that the hard drive can always be physically removed, and if you did not encrypt it (see point 1) nothing stops unauthorised people from reading or stealing your data.
There is no BIOS on Mac computers, but you can set a 'startup password'.
Unfortunately, in most cases a BIOS password can be reset by anyone with physical access to the computer's motherboard.
If you did not encrypt your whole hard drive…
Well, in that case nothing protects you if your device is stolen:
- your private data is no longer private
- your identity can be stolen
- your very private pictures might get posted to your Facebook
You can, however, attempt to locate the thief if you have installed a 'friendly trojan' (anti-theft tracking software) on your computer or mobile phone: