Hackers steal hundreds of millions of passwords in one swoop and occasionally cause large-scale blackouts. The future is probably not going to get better, with real-life disasters caused by internet-connected knick-knacks, smart home robots that could kill you, flying hacker laptops, and the dangers of hackers getting your genetic data. Meanwhile, an ever-growing and increasingly passive surveillance apparatus that has trickled down to state and local police is an ever-present threat to our digital privacy.
That doesn’t mean it’s hopeless out there. There are lots of things you can do to make it much more difficult for hackers or would-be surveillers to access your devices and accounts, and the aim of this guide is to give you clear, easy-to-follow steps to improve your digital security. There are, broadly speaking, two types of hacks: Those that are unpreventable by users, and those you can generally prevent. We want to help you mitigate the damage of the first and prevent the second from happening.
You, as an individual user, can’t do anything to prevent your email provider, or the company that holds your financial details, from getting hacked. But you can avoid phishing attacks that will let a hacker get into your individual email account, and you can also prevent a password obtained in a larger hack from being reused on another, separate account you have.
This guide isn’t comprehensive and it’s not personalized; there is no such thing as “perfect security” and there are no one-size-fits all solutions. Instead, we hope this will be a jumping-off point for people looking to batten down the hatches on their digital lives.
That’s why we’ve tried to keep this guide as accessible as possible, but if you run into any lingo you don’t know, there’s a glossary at the end of this guide to help out.
This guide is the work of many people on Motherboard staff both past and present, and has been vetted by several of our sources, who we owe a great debt to. Large sections of it were written by Lorenzo Franceschi-Bicchierai, Joseph Cox, Sarah Jeong, and Jason Koebler, but the tips within it have grown out of years of writing and research on digital security by dozens of reporters and infosec professionals. Consider it a forever-ongoing work-in-progress that will receive at least one big annual refresh, as well as smaller updates when major new vulnerabilities are exposed. Special thanks to Matt Mitchell of Crypto Harlem, and Eva Galperin, of the Electronic Frontier Foundation for reviewing parts of this guide.
Anyways, enough. This is our Guide to Not Getting Hacked.
Everything in this guide starts with “threat modeling,” which is hacker lingo for assessing how likely it is you are going to get hacked or surveilled. When thinking about how to protect your digital communications, it is imperative that you first think about what you’re protecting and who you’re protecting it from. “Depends on your threat model” is a thing infosec pros say when asked questions about whether, say, Signal is the best messaging app or Tor is the most secure browser. The answer to any question about the “best” security is, essentially: “it depends.”
No one security plan is identical to any other. What sort of protections you take all depend on who may try to get into your accounts, or to read your messages. The bad news is that there are no silver bullets (sorry!), but the good news is that most people have threat models in which they probably don’t have to live like a paranoid recluse to be reasonably safe online.
So before doing anything else, you should consider your threat model. Basically, what are you trying to protect, and who are you trying to protect it from?
The Electronic Frontier Foundation recommends asking yourself these five questions when threat modeling:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
Is your threat an ex who might want to go through your Facebook account? Then making sure they don’t know your password is a good place to start. (Don’t share critical passwords with people, no matter who they are; if we’re talking Netflix, make sure you never reuse that password elsewhere.) Are you trying to keep opportunistic doxers from pulling together your personal information—such as your birthday—which in turn can be used to find other details? Well, keeping an eye on what sort of stuff you publish on social media would be a good idea. And two-factor authentication (more on that below) would go a long way to thwarting more serious criminals. If you are an activist, a journalist, or otherwise have reason to fear government, state, or law enforcement actors want to hack or surveil you, the steps you must take to protect yourself are significantly different than if you’re trying to keep plans for a surprise party secret from your best friend.
Overestimating your threat can be a problem too: if you start using obscure custom operating systems, virtual machines, or anything else technical when it’s really not necessary (or you don’t know how to use it), you’re probably wasting your time and might be putting yourself at risk. At best, even the most simple tasks might take a while longer; in a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don’t need, while overlooking what actually matters to you and the actual threats you might be facing.
In certain places, this guide will offer specific steps to take if you have a threat model that includes sophisticated actors. But, in general, it’s designed for people who want to know the basics of how to strengthen their digital security. If your threat model includes NSA hackers or other state-sponsored groups like Fancy Bear, we recommend that you speak to a trained professional about your specific situation.
KEEP YOUR APPS UP TO DATE
Probably the most important and basic thing you can do to protect yourself is to update the software you use to its newest version. That means using an updated version of whatever operating system you’re using, and updating all your apps and software. It also means updating the firmware on your router, connected devices, and any other gadgets you use that can connect to the internet.
Bear in mind that, on your computer, you don’t necessarily have to use the latest iteration of an operating system. In some cases, even slightly older versions of operating systems get security updates. (Unfortunately, this is no longer the case with Windows XP—stop using it!) What’s most important is that your OS is still receiving security updates, and that you’re applying them.
So if you come away with one lesson from this guide, it’s this: update, update, update, or patch, patch, patch.
Many common cyberattacks take advantage of flaws in outdated software such as old web browsers, PDF readers, or spreadsheet and word-processing tools. By keeping everything up to date, you have a way lower chance of becoming a victim of malware, because responsible manufacturers and software developers quickly patch their products after new hacks are seen in the wild.
Hacking is often a path of least resistance: you go after the easy, soft targets first. For example, the hackers behind the destructive ransomware outbreak known as WannaCry hit victims who had not applied a security update that had been available for weeks. In other words, they knew they were going to get in because the victims had not changed the lock on their door even though their keys had already been made available to everyone.
We all have too many passwords to remember, which is why some people just reuse the same ones over and over. Reusing passwords is bad because if, for example, a hacker gets control of your Netflix or Spotify password, they can then use it to get into your ridesharing or bank account to drain your credit card. Even though our brains aren’t actually that bad at remembering passwords, it’s almost impossible to remember dozens of unique, strong passwords.
The good news is that the solution to these problems is already out there: password managers. These are apps or browser extensions that keep track of passwords for you, automatically help you create good passwords, and simplify your online life. If you use a manager, all you have to remember is one password, the one that unlocks the vault of your other passwords.
That one password better be good though. Forget about capital letters, symbols, and numbers. The easiest way to make a secure master password is to make a passphrase: several random but pronounceable—and thus easier to memorize—words. For example: floodlit siesta kirk barrel amputee dice (don’t use this one though, we just burned it.)
Once you have that you can use unique passwords made of a lot of characters for everything else, as long as you create them with a password manager and never reuse them. The master password is better as a passphrase because it’s easier to memorize, and the other passwords don’t need to be memorized because the manager will remember them.
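The passphrase approach above is easy to do by hand with dice and a wordlist, but the example below (added here, not part of the original guide) shows what makes it strong: each word is drawn uniformly at random, so a passphrase from a 7776-word Diceware-style list gains about 12.9 bits per word. The short wordlist inside the block is a constructed stand-in for a real list.

```python
import math
import secrets
from typing import Sequence

# Constructed stand-in for a real Diceware-style list (real lists have 7776 entries).
SAMPLE_WORDS = [
    "floodlit", "siesta", "barrel", "amputee", "dice", "kirk", "harbor", "pencil",
    "velvet", "cactus", "lantern", "meadow", "quartz", "ribbon", "saddle", "tundra",
]


def generate_passphrase(n_words: int, wordlist: Sequence[str]) -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets), not random.choice."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word and a wordlist with at least two entries")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Each uniformly chosen word contributes log2(wordlist_size) bits of entropy."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = generate_passphrase(6, SAMPLE_WORDS)
    print(phrase)
    # With the tiny sample list this is only 24 bits; a 7776-word list gives ~77.5 bits.
    print(f"{entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits from the sample list")
    print(f"{entropy_bits(6, 7776):.1f} bits from a 7776-word list")
```

The entropy figure depends only on how many words you draw and how long the list is, not on which words happen to come out, which is why the guide's sample phrase is unusable once it has been published.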
Intuitively, you might think it’s unwise to store your passwords on your computer or with a third-party password manager. What if a hacker gets in? Surely it’s better that I’m keeping them all in my head? Well, not really: The risk of a crook reusing a shared password that has been stolen from somewhere else is far greater than some sophisticated hacker independently targeting your database of passwords. For example, if you used the same password across different websites, and that password was stolen in the massive Yahoo! hacks (which included 3 billion people), it could easily be reused on your Gmail, Uber, Facebook, and other websites. Some password managers store your passwords encrypted in the cloud, so even if the company gets hacked, your passwords will be safe. For example, the password manager LastPass has been hacked at least twice, but no actual passwords were stolen because the company stored them securely. LastPass remains a recommended password manager despite those incidents. Again, it’s all about understanding your own threat model.
So, please, use one of the many password managers out there, such as 1Password, LastPass, or KeePass. There’s no reason not to do it. It will make you—and the rest of us!—safer, and it’ll even make your life easier.
And if your employer asks you to change passwords periodically in the name of security, please tell them that’s a terrible idea. If you use a password manager, two-factor authentication (see below), and have unique strong passwords for every account there’s no need to change them all the time—unless there’s a breach on the backend or your password is stolen somehow.
Having unique, strong passwords is a great first step, but even those can be stolen. So for your most important accounts (think your email, your Facebook, Twitter accounts, your banking or financial accounts) you should add an extra layer of protection known as two-factor (or two-step or 2FA) authentication. A lot of services these days offer two-factor, so it doesn’t hurt to turn it on in as many places as you can. See all the services that offer 2FA at twofactorauth.org.
By enabling two-factor you’ll need something more than just your password to log into those accounts. Usually, it’s a numerical code sent to your cellphone via text messages, or it can be a code created by a specialized app (which is great if your cellphone doesn’t have coverage at the time you’re logging in), or a small, physical token like a USB key (sometimes called a U2F security key or YubiKey, named after the most popular brand).
There’s been a lot of discussion in the last year about whether text messages can be considered a safe “second factor.” Activist Deray McKesson’s phone number was hijacked, meaning hackers could then have the extra security codes protecting accounts sent straight to them. And the National Institute of Standards and Technology (NIST), a part of the US government that writes guidelines on rules and measurements, including security, recently discouraged the use of SMS-based 2FA.
The attack on Deray was made possible by “social engineering.” In this case, a customer service rep was tricked by a criminal into making Deray vulnerable. The attack involved getting his phone company to issue a new SIM card to the attackers, allowing them to take over his phone number. That means when they used his first factor (the password) to log in to his account, the second factor code was sent directly to them. This is an increasingly common hack.
It’s hard to defend against an attack like that, and it’s a sad truth that there is no form of perfect security. But there are steps you can take to make these attacks harder, and we detail them below, in the mobile security section.
SMS-based two-factor can be gamed, and it’s also possible to leverage vulnerabilities in the telecommunications infrastructure that carries our conversations or to use what’s known as an IMSI-catcher, otherwise known as a Stingray, to sweep up your cellphone communications, including your verification texts. We don’t write this to scare you, it’s just worth noting that while all forms of two-factor authentication are better than nothing, you should use an authentication app or better yet a physical key if at all possible.
You should, if the website allows it, use another 2FA option that isn’t SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator, DUO Mobile, or Authy), or a physical token. If that option is available to you, it’s a great idea to use it.
Nov 15 2017, 3:00pm