A noob’s guide to (online) security
Hello everybody, welcome to my first post in the Community Tutorials section of the forum! In this post, I will be talking about security, which is a very interesting topic that I haven’t seen much talk about on the forum. I have been researching this on my own, and I find the available content to be pretty much a mess when it comes to becoming secure (online), from the basic steps all the way to becoming “completely” secure. Even if you follow everything listed in this post (and other tutorials), it doesn’t mean you’re safe from every threat, because, in reality, “Everything is vulnerable in some way” - Nick Espinosa
So, before I get started on this long topic, I can tell you that I am in no way a security expert, nor do I have any formal education regarding this topic. This guide is partially based on third-party sources which I will list at the corresponding topics below.
This post is split into different sections of security concerns and safety so that you can pick the “safe zone” you prefer to be in. Please also remember that security comes at the cost of convenience. If you want to be more secure, you’re going to have to sacrifice some of the convenience in your (digital) life.
Also, note that I might sound paranoid in this post, maybe I am? :o
Also, note that this guide is not final. If you see that I’m mistaken somewhere, if I forgot to add something, or if you have something else you think I should add, send me a DM! This post is meant to serve as guidance on what you can do to keep yourself secure in these modern days!
Before we begin, please select a number from 1-10 on how secure you think you are, before reading this article!
Table of contents
Intro / discussion
Protect yourself online
A “must” for everyone (Paranoid 1/4)
General security (Paranoid 2/4)
Over-the-average security (Paranoid 3/4)
For the more demanding ones (Paranoid 4/4)
For those who want to protect themselves in the real world
Intro / discussion
What is security?
Security is all about how you can defend yourself from dangers & threats, and this applies both to the real world and your online life. When you’re online, you want to secure yourself not just from hackers, but also from viruses, your friends and more. Threats can come in any shape or form, and there are almost always dangers when you’re on the internet. It’s up to you what you want to do about it, and that’s why I created this topic!
I want more people to be focused on security because it’s a fact that there are hackers in this world, and they’re not going to stop any time soon. We live in modern society, and most of us use the internet for important things that matter to us, and that’s why we need to become more aware of this important topic.
What many people tend to think, however, is that they’re not going to be attacked since they are not popular. They also think they have a good password while they don’t. They also think that it doesn’t matter if somebody accesses their account. Maybe it’s true, or, maybe not. Ask yourself, are you on the internet? What do you do on the internet? Would you like somebody else to gain access to your accounts and pretend to be you, or steal your private information? Or sell it?
Some of us don’t think about it, and that’s exactly how people get access to your accounts. Most of us don’t realize either that you as an individual are not the target; you’re just some random account. Unless you’re internationally famous or have made enemies, you’re just some random dude on the internet, and they just want to access your information for money or fame.
Here are some key principles of security:
Your security is only as good as your weakest link
Multi-factor authentication consists of:
- Something you know (a password)
- Something you have (a phone, a hardware token generator)
- Something you are (biometric unlocking, fingerprint, iris scanner, etc.)
Can you always be secure?
This is a good question, and to say it in short: no, you can never be completely secure against every threat. There is always a way into something; it’s just that the way in is not yet known, or not commonly known. There is always a possibility of failure, but that doesn’t mean you shouldn’t protect yourself.
By protecting yourself from most threats, you drastically reduce the chance of getting attacked (not eliminating the threats, but minimizing them). This results in a smaller attack surface. Let me show you an example. Let’s say you have 3 applications on your computer. You use one of them most of the time, the second one sometimes, and you don’t use the third one at all. I will explain in more detail later why you should remove unused applications, but just so it’s said: every application poses a security risk, since each of the three is a separate piece of software that receives its own updates and can have its own vulnerabilities. The probability of you being exposed to a threat is higher with 3 applications than with only one.
Humans’ nature of trust, and human errors
If you have witnessed any data/security breaches, the chances of the cause being a human error are pretty high. Several independent studies have concluded that human error is the most common reason for these breaches. Do you know why? Because we humans trust by default. By trust, I don’t necessarily mean that you trust someone enough to share your entire life, but humans tend to share information about their lives with others. It’s normal.
If you go to a store and meet someone and they say “Hey, how are you?”, you respond with “good” or “bad” (or “fine”). You’ve already shared some of your private information, about how your day is going. Now, this is simply social interaction, and it’s normal. Is it safe? Sure, as long as the one you share the information with doesn’t have any bad intentions. Do you know if the other person has evil intentions? Don’t ask me.
Now, I know you’re thinking “why should I not respond?”, or you probably think I’m weird. But it’s true. We often choose to share basic information about ourselves with others, and that’s perfectly ok, we humans need social interaction at some point. Whether it be with your friends or strangers. You’re also probably communicating with others through Discord or Roblox while playing. Just be careful not to reveal any kind of identifiable information about yourself, unless you know what you’re doing.
I’ve often seen in Discord servers people who reveal their birthdays, age, where they come from, their first name, etc. It’s not that dangerous, just be cautious about how much information about yourself is publicly known. It might be innocent at the time, but if someone uses the search function they can easily collect information about you and can turn it into a profile on you. Be careful about who you’re sharing your information with, unless, as I stated above, you know what you’re doing and you have control.
You might also wonder what people can do with your birthday, name and country. Easy. Have you ever heard of “restoring your account”, or “forgot password”? I bet you have. Now, if you’ve revealed too much information about yourself, cybercriminals can use that information to look further into you, find out what you like, and then answer the security questions asked. I know I’m talking like a paranoid here, but I’m only trying to explain to you how people can use your information to your disadvantage.
You can read more in the articles below:
Security and privacy
Security and privacy are two different concepts. Privacy is about keeping what you’re doing and who you are (personal information) to yourself. For example, when Google is logging information about you, your privacy is being decreased. The more information people know about you, or that is easily accessible by “anyone”, the less privacy you have.
GDPR was introduced by the EU to enhance end users’ privacy, and is an abbreviation for “General Data Protection Regulation”. The reason for its introduction was to let end-users know what data is collected, why it is collected, what it’s used for, when it “expires” and with whom it is shared. Anyone making anything for any EU resident has to comply with GDPR, or they will risk severe punishments/fines.
Security is about controlling who has access to your accounts/items and more. Think of it as a safe. You put things in there to make them secure, but not (necessarily) to protect your privacy. You don’t want everyone to have access to your items now, do you?
Now, the interesting thing here is that even though these two are different, they are both involved with each other. Now let’s imagine this safe where we keep our items again. You have a password to access it, to prevent unauthorized entrance. More often than not, we humans do what’s the easiest for us because it’s easy.
For example, many are choosing passwords related to their lives/relatives. It’s easy, right? Why remember “fgJdo284$3!&69bh” when you can remember your brother’s name and birth date. For example “John1991”. Right? No.
As I have stated previously, security comes at the cost of convenience.
Privacy is important to keep. People can fetch information about you and then use it to impersonate you against the services you might use. Many applications today ask you for “where did your parents meet?”. Don’t answer it correctly, ever. They can easily find that information by just knowing your name + age + location.
A “must” for everyone
Now that you’ve learned a bit about what security is, and why it matters, it’s time to get down to what you can do about it.
Use a password manager
You’ve probably heard this a lot of times, and it’s important to use one. There are some cons related to using password managers, and if you’re interested, give it a read here. If you don’t use a password manager, you’re going to have to solve these issues on your own:
Memorizing/writing down all of your passwords for all of your websites
If your memory fails, or you forgot where you wrote your passwords, you can’t access your accounts
Authorizing yourself to get access to the passwords; when you have written down your passwords, you don’t have a log of who accessed them. You can keep them in a safe, but it’s easier to break into a physical safe than it is to crack your encrypted passwords, which are protected by an algorithm security experts have created and a key only you know.
It takes time to write down your new passwords, and type them into forms instead of just selecting the field & pasting.
A password manager makes your life much easier while keeping you just as secure. A good password manager creates strong, random, unique passwords that you can easily use to create accounts or change passwords on your existing accounts. While it’s important to use one, it’s even more important to use a secure one (search online for security reviews) and to find one you like to use.
I have tried 6 password managers, which are True Key, Dashlane, LastPass, KeePass, BitWarden and 1Password. My recommendation is 1Password. It’s very easy to use, it’s easy to get started, it’s secure, and it has the best UX of all the others, its features are also a bonus. (Creating local vaults encrypted with a key, adding OTPs to accounts, notifying that 2FA is available for a website and so much more).
Just find a secure one and one that you like, and always use it. You can search online to find a password manager.
Use 2FA everywhere
To be honest, 2FA is just as important as a good, strong password, or even more! Its purpose is to serve as “something you have”, which is an additional authentication step. 2FA comes in many different shapes and forms, and it’s important to choose one that’s safe. Note that using any form of 2FA is better than not using it at all.
When you log in to a website, you’re usually providing a username/email and password. A password is a single factor authentication. You’re simply claiming to be that user by just providing one thing, which is “something you know”. In the past, this has usually been good enough, but now as there are more frequent data breaches (take for example Disney+, that had a huge data breach within the first day of launch) passwords are no longer good enough. They’re barely any good, and that’s where 2FA / MFA comes in. Instead of only providing something you know (password), you provide something you have or something you are.
Also, don’t get me wrong, passwords are still recommended to use!
There are three ways to utilize 2FA: through SMS, using an app, and using a hardware U2F token. If you have the money for it, and if you want to be as safe as possible, I strongly recommend you get a hardware U2F token like a YubiKey. It’s currently the safest option if you’re going to use 2FA.
Next is 2FA using an app, although this is secure, it’s not as secure as hardware tokens, but still, it’s pretty safe to use. There are many free apps you can use which are reliable. I recommend Authy, I haven’t tested others but Authy seems like a good one. P.S, if you’re using 1Password or another Password manager you can add an OTP token to the account, it’s just as good as Authy!
Lastly, we have 2FA through SMS. Although this is better than no 2FA at all, I recommend you avoid it if at all possible. If you can use an app or hardware token instead, use those! The reason why SMS is not safe is explained in detail later in this post, but I will describe it shortly here. People can call your provider and pretend to be you (it’s very easy to do), and request them to redirect any SMS to their phone instead. People can also record your phone, or hack radio towers and access your SMSes.
Simply put, if you don’t use 2FA today, you are risking your account. Instead of making intruders go through two steps of verification (to be identified as you, the account holder), they only have to get your password. This problem becomes even worse without a strong password (with symbols, upper/lower case letters, spaces, etc.), or if you re-use passwords. 2FA is put in place to prevent people from getting into your account, and it’s very easy to use; it cuts off a small piece of the convenience, but it’s ultimately worth it in the end.
If you ever feel like it, you can check howsecureismypassword.net, and you can even see if your accounts have been compromised on haveibeenpwned.com. If you see that none of your emails/passwords have been found in breaches, then you’re safe for now, but you could be safer with 2FA enabled. If somebody somehow gains access to your passwords, you still don’t have to worry if you have 2FA enabled. Assuming the websites have taken proper security measures and follow a strict protocol, you’re the only one who can access the account because of your extra verification method. You should still change your password afterward.
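The breach check above can be done without sending your password anywhere. As an added example (not from the original post), this is how the Have I Been Pwned “Pwned Passwords” range lookup works: the password is SHA-1 hashed locally, only the first 5 hex characters go to the API, and the returned list of suffixes is matched on your machine. The endpoint URL is the real HIBP range API; the sample response embedded below is constructed for the offline demo and is not real API output.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # k-anonymity endpoint


def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix sent to the API, 35-char suffix kept local)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 = not found).
    `fetch_range(prefix)` returns the response body; injected so tests run offline."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup: only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample body for prefix 5BAA6 (SHA-1("password") starts with 5BAA6).
# The other two suffixes are invented filler; the counts are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "00D4F6E6FA4F6B2D2D95A86A2E4F9F1E1C2:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
    "FFA1B2C3D4E5F60718293A4B5C6D7E8F901:1",
    "not a valid line",
])


def demo_offline(password: str) -> int:
    """Run the check against the constructed sample instead of the network."""
    return breach_count(password, lambda _prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {demo_offline(pw)} times in the sample data")
```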
…about the Disney+ incident:
Keep software updated
Believe it or not, it’s important to keep software and your OS updated so that you can get the newest security updates. (Note that it’s a good idea to opt-in for automatic security updates, but not regular updates). If you, however, know that whatever app/OS you’re using has a reputation of breaking things with their new updates, you can wait it out to see if users are reporting issues.
The sooner you install a new security update, the better. They’re released for a reason! Whenever somebody finds a security loophole, exploit or anything like that they are going to use it! Vulnerabilities will be exploited when found!
There is a slight catch about updates, though. Have you ever been told, “don’t be one of the first to update”? Sometimes updates bring disaster with them, like deleting files and more. Although this rarely happens, it’s worth keeping an eye out, and if you’re skeptical about an update, search for it online and ask others if there are issues with it. Better safe than sorry!
Use anti-virus programs
This should speak for itself, but I’m stating it here again because it’s important. You can have the best password manager or security programs on your device. But, if you get a virus that records your keystrokes or gains access to your passwords you’re back to where you started, almost. Use trusted programs. I use Malwarebytes, so feel free to check it out.
There are also other programs such as McAfee,
Always search online for trusted reviews to make sure whatever you use is worth it. Most anti-virus programs come with a price. Also, note that Windows Defender or whatever default program that comes with your device should be sufficient.
Encrypt your files
When I was younger, I always thought that nobody could access my data if they didn’t know the password to my OS. Turns out I was wrong. This is probably something many people fail to realize. The OS only protects from getting unauthorized access to your system and nothing more. Don’t get me wrong, it’s still important to have an OS-password, but your files are not safe, and isn’t that a huge concern? If you haven’t encrypted your files, anybody can just remove your storage device and gain access to all of your data. It’s that easy!
The process of gaining access to your unencrypted files is extremely difficult, and I will explain it right now:
- Unmount the disk and plug it into another computer
- You’re done
The solution to this is to simply encrypt your files. If you have Windows 10 Pro, you can use BitLocker. There are also other programs you can use if you don’t have the Pro version, but use BitLocker if you can. It’s easy to set up and it’s very secure. Just the way we want it. I’m not sure what programs you can use if you don’t have Windows, but a quick search online should give you plenty of information.
When you encrypt your files, they are gibberish that nobody can read without having the secret it was originally encrypted with (in theory, using a proper encryption algorithm). This is a huge security bonus because it prevents intruders from gaining access to important/confidential files that you don’t want to share. People who scan your disk tend to find important content, and use it for personal gains or just sell it to those who care. Either way, you’re risking files you own to fall in the wrong hands. And in all movies you’ve seen, that’s not something anyone wants.
Use an iPhone
Yep, you read it correctly. iPhones are generally more secure and harder to infiltrate than, for example, Android devices. However, this only applies to stock versions of the phone. Unless you’re using a custom, secure OS on your Android device, iPhone is the safer way to go. I will be describing what you can do if you want to keep your Android device, or if you simply don’t like iPhones.
Use a VPN
Why / what
You have probably heard this so many times, and it’s very important, even though the ads from NordVPN are annoying. A VPN encrypts your traffic so that nobody but you and the server you’re connecting to can see the content. For example, without a VPN your ISP (Internet Service Provider) can see what website you’re connecting to and all your requests (but not their content if you’re connecting using TLS/SSL). With a VPN, all the ISP sees is the one VPN server you’re connecting to.
Let’s say you visit roblox.com with a VPN because you’re worried about your ISP tracking your activity. If you are connected to a VPN server, all the traffic goes to that single server. If the server’s IP is 184.108.40.206, you’re always only sending your traffic to 184.108.40.206, but without a VPN, you’d be sending all the traffic to the website’s servers and the ISP can see what you’re doing. And this applies to all websites as well.
This is also even more important when using public networks (you really shouldn’t), those who are hosting the network may have evil intentions and can sniff out the data from your requests. Or, those who are connected to the network may have evil intentions. In these cases, you definitely should use a VPN to secure the information exchanged.
You have also probably heard there are better alternatives than a VPN to secure your traffic, and yes, that is right, but that requires more technical skills, takes longer, and is generally slow, so I found it to be better not to include it yet, but we’ll see what people are saying after this article has been published.
There are many providers out there claiming to be the best; don’t trust their websites. Find legitimate websites, or trusted review websites, that can confirm that a VPN provider is serious about what they’re doing and has been given certificates. For example, NordVPN claims that they do not log your traffic at all. Independent research has verified their claim.
Some of the VPN providers I know of are NordVPN, ExpressVPN, CyberGhost VPN. There are of course others, but you’re going to have to find one that’s good for your needs. Your VPN provider should have a kill-switch, that prevents any traffic from going through if you’re not connected to a VPN/the connection suddenly drops. This ensures your information is still safe.
Restrict usage of social media
Cybercriminals who’re doing social engineering often like to stalk your social profiles for information that can connect to your passwords, identity, etc. For example, if you love dogs and post on Facebook your dog’s name, age and that you love your dog, there is a high probability that you have some account information tied to your dog. They can then reach out to you and say “Your dog is so cute, what’s its name?”, or “Omg your dog is so awesome, how old is it?”.
If you don’t want something like this to happen, you have to be aware and remove any connections between what you post on social media and your accounts, to prevent people from gaining unauthorized access to them. Also, beware that the social media platforms themselves are the stalkers. They log everything you do for analytics and more, so by having an account on Facebook or Twitter you need to know that it’s not safe. Of course, this doesn’t apply to business accounts for game updates, but more to your personal ones.
Use browser extensions
Even though most browsers are safe today, there are always some vulnerabilities, and that’s why you should use some browser extensions to stay safer while you’re browsing. It can also be the website developers’ fault for not forcing, for example, HTTPS connections when logging in. These extensions are made specifically for letting you be safer on the internet.
Note that some browser extensions are malicious, so be sure to always check online that it’s safe to use before you use it. We’re talking about your security here!
The browser extensions you should use are the following:
This extension ensures that every website you go to starts with https://, which is the recommended security protocol. It automatically warns you and prevents you from visiting the website you’re connecting to if it doesn’t support https. It’s great if you want to be sure any credentials you input are safely taken care of.
This extension removes most ads and prevents tracking & unnecessary web requests for content that’s not related to the website you’re visiting. It improves page speed and is incredibly useful.
This extension prevents any malicious content in PDF files to be executed on your device. It’s also much better than Chrome’s native PDF viewer.
Remove apps you don’t use
(and the accounts belonging to them)
As I have previously stated, the more applications you have, the greater the chances are that at least one of them will have a vulnerability that gets exploited. As stated in this article, “Apps Are Not Pokemon. Stop Collecting Them.”.
The more software you have on your device, the greater your attack surface: there are more things that can go wrong and more potential for a piece of software to go rogue. Removing unused apps also frees up disk space on your device so you can spend it on more useful stuff, and it can improve overall disk performance. So there are benefits to doing this too!
Post continues below…