A Noob's Guide to (Online) Security


(This article has been peer reviewed by @railworks2)

Hello everybody, welcome to my first post in the Community Tutorials section of the forum! In this post, I will be talking about security, which is a very interesting topic that I haven’t seen much talk about on the forum. I have on my own been researching content online, and I find it to be pretty much a mess on how to become secure (online), all from the basic steps, all the way to becoming “completely” secure. Even if you follow everything listed in this post (and other tutorials), it doesn’t mean you’re safe from any threat. Because, in reality, “Everything is vulnerable in some way” - Nick Espinosa

So, before I get started on this long topic, I can tell you that I am in no way a security expert, nor do I have any formal education regarding this topic. This guide is partially based on third-party sources which I will list at the corresponding topics below.

This post is split into different sections of security concerns and safety so that you can pick the “safe zone” you prefer to be in. Please also remember that security comes at the cost of convenience. If you want to be more secure, you’re going to have to sacrifice some of the convenience in your (digital) life.

Also, note that I might sound paranoid in this post, maybe I am? :o

Also, note that this guide is not final, if you see that I’m mistaken somewhere, if I forgot to add something, or you have something else you think I should add, send me a DM! This post is meant to serve as guidance to what you can do to keep yourself secure in these modern days!

Before we begin, please select a number from 1-10 on how secure you think you are, before reading this article!



Table of contents

  • Intro / discussion
  • Protect yourself online
    • A “must” for everyone (Paranoid 1/4)
    • General security (Paranoid 2/4)
    • Over-the-average security (Paranoid 3/4)
    • For the more demanding ones (Paranoid 4/4)
  • Physical protection
    • For those who want to protect themselves in the real world


Intro / discussion


What is security?

Security is all about how you can defend yourself from dangers and threats, and this applies both to the real world and to your online life. When you’re online, you want to secure yourself not just from hackers, but also from viruses, your friends and more. Threats can come in any shape or form, and there are almost always dangers when you’re on the internet. It’s up to you what you want to do about it, and that’s why I created this topic!

I want more people to be focused on security because it’s a fact that there are hackers in this world, and they’re not going to stop any time soon. We live in modern society, and most of us use the internet for important things that matter to us, and that’s why we need to become more aware of this important topic.

What many people tend to think, however, is that they’re not going to be attacked since they are not popular. They also think they have a good password while they don’t. They also think that it doesn’t matter if somebody accesses their account. Maybe it’s true, or, maybe not. Ask yourself, are you on the internet? What do you do on the internet? Would you like somebody else to gain access to your accounts and pretend to be you, or steal your private information? Or sell it?

Some of us don’t think about it, and that’s exactly how people get access to your accounts. Most of us also don’t realize that you as an individual are not the goal; you’re just some random account. Unless you’re internationally famous or have made enemies, you’re just some random dude on the internet, and they just want access to your information for money or fame.

Here are some key principles of security:

  • Your security is only as good as your weakest link

  • Multi-factor authentication consists of:

    1. Something you know (a password)
    2. Something you have (a phone, a hardware token generator)
    3. Something you are (biometric unlocking, fingerprint, iris scanner, etc.)


Can you always be secure?

This is a good question, and the short answer is no: you can never be completely secure against every threat. There is always a way into something; either it isn’t known yet, or it isn’t commonly known. There is always a possibility of failure, but that doesn’t mean you shouldn’t protect yourself.

By protecting yourself from most threats, you drastically reduce the chance of being attacked (not eliminating the threats, but minimizing them). This leaves you with a smaller attack surface. Here is an example. Say you have 3 applications on your computer: you use one of them most of the time, the second one sometimes, and the third one never. I will explain in more detail later why you should remove unused applications, but in short, every application adds risk: they are three separate programs that each receive updates and can each have vulnerabilities. The probability of being exposed to a threat is higher with 3 applications than with only one.


Humans’ nature of trust, and human errors

If you have followed any data/security breaches, the chances are high that a human error was involved. Several independent studies have concluded that human error is the most common cause of these breaches. Do you know why? Because we humans trust by default. By trust, I don’t necessarily mean trusting someone enough to share your entire life, but humans tend to share information about their lives with others. It’s normal.

If you go to a store and meet someone and they say “Hey, how are you?”, you respond with “good” or “bad” (or “fine”). You’ve already shared some of your private information: how your day is going. Now, this is simply social interaction, and it’s normal. Is it safe? Sure, as long as the person you share the information with doesn’t have bad intentions. Do you know whether the other person has bad intentions? Don’t ask me.

Now, I know you’re thinking “why should I not respond?”, or you probably think I’m weird. But it’s true. We often choose to share basic information about ourselves with others, and that’s perfectly ok; we humans need social interaction at some point, whether it be with friends or strangers. You’re also probably communicating with others through Discord or Roblox while playing. Just be careful not to reveal any kind of identifiable information about yourself, unless you know what you’re doing.

I’ve often seen people in Discord servers reveal their birthdays, age, where they come from, their first name, etc. It’s not that dangerous on its own, just be cautious about how much information about yourself is publicly known. It might be innocent at the time, but if someone uses the search function they can easily collect those pieces and turn them into a profile of you. Be careful about who you’re sharing your information with, unless, as I stated above, you know what you’re doing and you have control.

You might also wonder what people can do with your birthday, name and country. Easy. Have you ever heard of “restore your account”, or “forgot password”? I bet you have. Now, if you’ve revealed too much information about yourself, cybercriminals can use that information to look further into you, find out what you like, and then answer the security questions. I know I’m talking like a paranoid here, but I’m only trying to explain to you how people can use your information to your disadvantage.


Security and privacy

Security and privacy are two different concepts. Privacy is about keeping what you’re doing and who you are (personal information) to yourself. For example, when Google logs information about you, your privacy decreases. The more information people know about you, or that is easily accessible by “anyone”, the less privacy you have.

GDPR was introduced by the EU to enhance end users’ privacy, and is an abbreviation for “General Data Protection Regulation”. The reason for its introduction was to let end users know what data is collected, why it is collected, what it’s used for, when it “expires” and whom it’s shared with. Anyone offering anything to EU residents has to comply with GDPR, or they risk severe punishments/fines.

Security is about controlling who has access to your accounts/items and more. Think of it as a safe. You put things in there to keep them secure, but not (necessarily) to protect your privacy. You don’t want everyone to have access to your items now, do you?

Now, the interesting thing here is that even though these two are different, they affect each other. Let’s imagine the safe where we keep our items again. You have a password to access it, to prevent unauthorized entry. More often than not, we humans do whatever is easiest for us, simply because it’s easy.

For example, many choose passwords related to their lives or relatives. It’s easy, right? Why remember “fgJdo284$3!&69bh” when you can remember your brother’s name and birth date, for example “John1991”? Right? No.
As I have stated previously, security comes at the cost of convenience.

Privacy is important to keep. People can fetch information about you and then use it to impersonate you against the services you use. Many applications today ask you “where did your parents meet?” as a security question. Don’t answer it correctly, ever. They can easily find that information by just knowing your name + age + location.



A “must” for everyone

Now that you’ve learned a bit about what security is, and why it matters, it’s time to get down to what you can do about it.


Use a password manager

Why

You’ve probably heard this a lot of times, and it’s important to use one. There are some cons related to using password managers, and if you’re interested, give it a read here. If you don’t use a password manager, you’re going to have to solve these issues on your own:

  • Memorizing/writing down all of your passwords for all of your websites

  • If your memory fails, or you forgot where you wrote your passwords, you can’t access your accounts

  • Authorizing yourself to get access to the passwords; when you have written down your passwords, you don’t have a log of who accessed them. You can keep them in a safe, but it’s easier to break into a physical safe than to break encryption designed by security experts and protected by a key only you know.

  • It takes time to write down your new passwords, and type them into forms instead of just selecting the field & pasting.

A password manager makes your life much easier while keeping you just as secure. A good password manager creates strong, random, unique passwords that you can easily use to create accounts or change the passwords on your existing accounts. While it’s important to use one, it’s even more important to use a secure one (search online for security reviews) and to find one you like to use.
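To make the difference between “John1991” and a generated password concrete, here is an added example (my own illustration, not code from the original post or from any password manager). It generates a password the way a manager does, from a CSPRNG, and compares two entropy estimates: the character-class estimate that online strength checkers use, and a pattern-based estimate for the “first name + birth year” shape that humans actually pick. The pool of 10,000 common names, the 150 candidate years and the 1e10 guesses-per-second rate are constructed assumptions.

```python
import math
import re
import secrets
import string

# Character classes used both to build passwords and to size the search space.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Draw every character independently from a CSPRNG, as a password
    manager does. secrets.choice is uniform and unpredictable, unlike
    random.choice, which is seeded from a small state."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def charclass_entropy_bits(password: str) -> float:
    """The estimate most 'how secure is my password' checkers make:
    log2(pool ** length), where pool is the combined size of the character
    classes present. Only correct if each character really was chosen
    uniformly, which is true for machine-generated passwords only."""
    pool = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


# Constructed assumptions: an attacker trying "common first name + four-digit
# year" needs roughly COMMON_NAMES * YEARS candidates, not 62 ** 8.
COMMON_NAMES = 10_000
YEARS = 150
NAME_YEAR = re.compile(r"^[A-Z][a-z]{1,15}\d{4}$")


def pattern_entropy_bits(password: str) -> float:
    """Entropy when the attacker guesses the pattern the human used.
    Falls back to the character-class estimate for random-looking input."""
    if NAME_YEAR.match(password):
        return math.log2(COMMON_NAMES * YEARS)
    return charclass_entropy_bits(password)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the space. 1e10 guesses/s is a
    constructed figure for an offline attack on a fast, unsalted hash."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare(password: str) -> dict:
    """Side-by-side: what a naive checker reports vs. a realistic estimate."""
    naive = charclass_entropy_bits(password)
    realistic = pattern_entropy_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "realistic_bits": round(realistic, 1),
        "years_naive": years_to_crack(naive),
        "years_realistic": years_to_crack(realistic),
    }


if __name__ == "__main__":
    for pw in ("John1991", "fgJdo284$3!&69bh", generate_password()):
        print(pw, compare(pw))
```

The point the numbers make: a character-class calculator rates “John1991” at about 48 bits, which sounds respectable, but an attacker who tries names and years needs only about 20 bits’ worth of guesses, so it falls in a fraction of a second. The generated 20-character password sits above 120 bits under either model, because there is no pattern to exploit.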

How

I have tried 6 password managers: True Key, Dashlane, LastPass, KeePass, BitWarden and 1Password. My recommendation is 1Password. It’s very easy to use, it’s easy to get started with, it’s secure, and it has the best UX of the six; its features are also a bonus (creating local vaults encrypted with a key, adding OTPs to accounts, notifying you when 2FA is available for a website, and much more).

Just find a secure one and one that you like, and always use it. You can search online to find a password manager.


Use 2FA everywhere

What

To be honest, 2FA is just as important as a good, strong password, or even more so! Its purpose is to serve as “something you have”, which is an additional authentication step. 2FA comes in many different shapes and forms, and it’s important to choose one that’s safe. Note that using any form of 2FA is better than not using it at all.

When you log in to a website, you usually provide a username/email and a password. A password alone is single-factor authentication. You’re simply claiming to be that user by providing one thing, which is “something you know”. In the past, this has usually been good enough, but now that data breaches are more frequent (take for example Disney+, which had a huge data breach within the first day of launch), passwords are no longer good enough. They’re barely any good, and that’s where 2FA / MFA comes in. Instead of only providing something you know (a password), you also provide something you have or something you are.

Also, don’t get me wrong, passwords are still recommended to use!

How

There are three ways to use 2FA: through SMS, using an app, and using a hardware U2F token. If you have the money for it, and if you want to be as safe as possible, I strongly recommend you get a hardware U2F token like a Yubikey. It’s currently the safest option if you’re going to use 2FA.

Next is 2FA using an app. Although this is secure, it’s not as secure as hardware tokens, but it’s still pretty safe to use. There are many free, reliable apps you can use. I recommend Authy; I haven’t tested others, but Authy seems like a good one. P.S.: if you’re using 1Password or another password manager, you can add an OTP token to the account there, and it’s just as good as Authy!

Lastly, we have 2FA through SMS. Although this is better than no 2FA at all, I recommend you avoid it if at all possible. If you can use an app or hardware token instead, use those! The reason SMS is not safe is explained in detail later in this post, but in short: people can call your provider and pretend to be you (it’s very easy to do), and ask them to redirect your SMS messages to their phone instead. People can also intercept your phone’s signal, or hack radio towers, and read your SMS messages.

Why

Simply put, if you don’t use 2FA today, you are risking your account. Instead of making intruders go through two steps of verification (to be identified as you, the account holder), they only have to get your password. This problem becomes even worse if you don’t have a strong password with symbols, upper/lower case letters, spaces, etc., or if you re-use passwords. 2FA is put in place to keep people out of your account, and it’s very easy to use; it cuts off a small piece of convenience, but it’s ultimately worth it.

If you ever feel like it, you can check howsecureismypassword.net, and you can even see if your accounts have been compromised on haveibeenpwned.com. If none of your emails/passwords have been found in breaches, then you’re safe for now, but you could be safer with 2FA enabled. If somebody somehow gains access to your password, you still don’t have to worry much if you have 2FA enabled. Assuming the website has taken proper security measures and follows a strict protocol, you’re the only one who can access the account because of your extra verification method. You should still change your password afterward.
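Have I Been Pwned’s Pwned Passwords service lets you check a password against breach dumps without ever sending the password: the client sends only the first five hex characters of its SHA-1 hash and compares the returned list of suffixes locally, so the service never learns which password you asked about (k-anonymity). As an added example (not from the original post or from HIBP itself), here is that client-side logic run against a constructed stand-in for the range response; the hash of “password” is its real SHA-1, but the counts and the other suffixes are made up.

```python
import hashlib


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the API and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a Pwned Passwords range response ("SUFFIX:COUNT" per line) and
    return how many times this password appeared in known breaches (0 = none)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body of GET /range/5BAA6 (the real response
# has hundreds of lines). The first suffix completes SHA-1("password");
# the count and the other two entries are invented for the demo.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0F2A4D5E6B7C8D9E0F1A2B3C4D5E6F7A8B9:2
ABCDEF0123456789ABCDEF0123456789ABC:15
"""


def offline_fetch(prefix: str) -> str:
    """Offline substitute for the HTTPS call: only the 5BAA6 range is 'known'."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range=offline_fetch) -> int:
    """Full client flow: hash locally, send the prefix, match the suffix locally.
    Pass a real fetcher (an HTTPS GET of api.pwnedpasswords.com/range/<prefix>)
    to check against the live data set."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "fgJdo284$3!&69bh"):
        print(repr(pw), "seen in breaches:", breach_count(pw))
```

Password managers that offer a “check for breached passwords” feature do exactly this behind the scenes; the design is worth knowing because it is the safe way to consult any third-party breach list: never send the secret, send a short hash prefix and do the matching on your own machine.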


Keep software updated

Why

Believe it or not, it’s important to keep your software and your OS updated so that you get the newest security updates. (Note that it’s a good idea to opt in to automatic security updates, but not to regular feature updates.) If, however, you know that the app/OS you’re using has a reputation for breaking things with new updates, you can wait it out to see if users are reporting issues.

The sooner you install a new security update, the better. They’re released for a reason! Whenever somebody finds a security loophole, exploit or anything like that they are going to use it! Vulnerabilities will be exploited when found!

But wait

There is a slight catch about updates, though. Have you ever been told, “don’t be one of the first to update”? Sometimes updates bring disaster with them, like deleting files and more. Although this rarely happens, it’s worth keeping an eye out, and if you’re skeptical about an update, search online and ask others whether there are issues with it. Better safe than sorry!


Use anti-virus programs

Why

This should speak for itself, but I’m stating it here again because it’s important. You can have the best password manager or security programs on your device. But, if you get a virus that records your keystrokes or gains access to your passwords you’re back to where you started, almost. Use trusted programs. I use Malwarebytes, so feel free to check it out.

There are also other programs such as McAfee,

How

Always search online for trusted reviews to make sure whatever you use is worth it. Most anti-virus programs come with a price. Also, note that Windows Defender or whatever default program that comes with your device should be sufficient.



General security


Encrypt your files

Why

When I was younger, I always thought that nobody could access my data if they didn’t know the password to my OS. Turns out I was wrong, and this is probably something many people fail to realize. The OS password only prevents unauthorized access to your running system and nothing more. Don’t get me wrong, it’s still important to have an OS password, but your files are not safe, and isn’t that a huge concern? If you haven’t encrypted your files, anybody can just remove your storage device and gain access to all of your data. It’s that easy!

The process of gaining access to your unencrypted files is extremely difficult, and I will explain it right now:

  • Unmount the disk and plug it into another computer
  • You’re done

How

The solution to this is to simply encrypt your files. If you have Windows 10 Pro, you can use BitLocker. There are also other programs you can use if you don’t have the pro version, but use BitLocker if you can. It’s easy to set up and it’s very secure. Just the way we want it :wink: I’m not sure what programs you can use if you don’t have Windows, but a quick search online should give you plenty of information.

What

When you encrypt your files, they are gibberish that nobody can read without having the secret it was originally encrypted with (in theory, using a proper encryption algorithm). This is a huge security bonus because it prevents intruders from gaining access to important/confidential files that you don’t want to share. People who scan your disk tend to find important content, and use it for personal gains or just sell it to those who care. Either way, you’re risking files you own to fall in the wrong hands. And in all movies you’ve seen, that’s not something anyone wants.


Use an iPhone

Why

Yep, you read that correctly. iPhones are generally more secure and harder to infiltrate than, for example, Android devices. However, this only applies to stock versions of the phone. Unless you’re using a custom, secure OS on your Android device, the iPhone is the safer way to go. I will describe later what you can do if you want to keep your Android device, or if you simply don’t like iPhones.


Use a VPN

Why / what

You have probably heard this so many times, and it’s very important, even though the ads from NordVPN are annoying. A VPN encrypts your traffic so that nobody but you and the VPN server you’re connecting to can see the content. For example, without a VPN your ISP (Internet Service Provider) can see which websites you’re connecting to and all your requests (though not the content, if you’re connecting using TLS/SSL). With a VPN, all the ISP sees is the one VPN server you’re connecting to.

Let’s say you visit roblox.com with a VPN because you’re worried about your ISP tracking your activity. If you are connected to a VPN server, all the traffic goes to that single server. If the server’s IP is 1.2.3.4, you’re always only sending your traffic to 1.2.3.4, but without a VPN, you’d be sending all the traffic to the website’s servers and the ISP can see what you’re doing. And this applies to all websites as well.

This is also even more important when using public networks (you really shouldn’t), those who are hosting the network may have evil intentions and can sniff out the data from your requests. Or, those who are connected to the network may have evil intentions. In these cases, you definitely should use a VPN to secure the information exchanged.

You have also probably heard there are better alternatives than a VPN to secure your traffic, and yes, that is right, but that requires more technical skills, takes longer, and is generally slow, so I found it to be better not to include it yet, but we’ll see what people are saying after this article has been published.

How

There are many providers out there claiming to be the best; don’t trust their websites. Find legitimate, trusted review websites that can confirm that a VPN provider is serious about what they’re doing and has been audited. For example, NordVPN claims that they do not log your traffic at all, and independent audits have verified their claim.

Some of the VPN providers I know of are NordVPN, ExpressVPN, CyberGhost VPN. There are of course others, but you’re going to have to find one that’s good for your needs. Your VPN provider should have a kill-switch, that prevents any traffic from going through if you’re not connected to a VPN/the connection suddenly drops. This ensures your information is still safe.


Restrict usage of social media

Why

Cybercriminals who do social engineering like to stalk your social profiles for information that can connect to your passwords, identity, etc. For example, if you love dogs and post on Facebook your dog’s name, age and that you love your dog, there is a high probability that you have some account information tied to your dog. They can then reach out to you and say “Your dog is so cute, what’s its name?”, or “Omg your dog is so awesome, how old is it?”.

If you don’t want this to happen to you, you have to be aware of it and remove any connection between what you post on social media and your accounts, to prevent people from gaining unauthorized access to them. Also, beware that the social media platforms themselves are stalkers. They log everything you do for analytics and more, so by having an account on Facebook or Twitter you need to know that it’s not safe. Of course, this doesn’t apply so much to business accounts used for game updates, but rather to your personal ones.


Browser extensions

Why

Even though most browsers are safe today, there are always some vulnerabilities, and that’s why you should use some browser extensions to stay safer while you’re browsing. It can also be the website developers’ fault, for example for not forcing HTTPS connections when logging in. These extensions are made specifically to let you be safer on the internet.

Note that some browser extensions are malicious, so be sure to always check online that it’s safe to use before you use it. We’re talking about your security here!

Which

The browser extensions you should use are the following:

HTTPS Everywhere

This extension ensures that every website you go to starts with https://, which is the recommended security protocol. It automatically warns you and prevents you from visiting the website you’re connecting to if it doesn’t support HTTPS. It’s great if you want to be sure any credentials you enter are transmitted safely.


uBlock Origin

This extension removes most ads and prevents tracking & unnecessary web requests for content that’s not related to the website you’re visiting. It improves page speed and is incredibly useful.


PDF Viewer

This extension prevents any malicious content in PDF files from being executed on your device. It’s also much better than Chrome’s native PDF viewer.


Remove apps you don’t use

(and the accounts belonging to them)

Why

As I have previously stated, the more applications you have, the greater the chances are that at least one of them will have a vulnerability that gets exploited. As stated in this article, “Apps Are Not Pokemon. Stop Collecting Them.”.

The more software you have on your device, the greater your attack surface: more things can go wrong, and there is more potential for software to go rogue. Removing apps also frees up disk space that you can spend on more useful stuff, and it can improve overall disk speed. So there are other benefits to doing this too!




Over-the-average security

This section is for those who care more about being secure than the general people online. In this section, you may also face things that contradict what I’ve stated earlier in this post.


Regular 2FA is bad, use hardware tokens

Why

Previously in this post, I’ve stated that 2FA is important to use, and it truly is. Now, if you want to be even more secure, the time has come to use the secure methods. Get yourself a Yubikey right now and become as secure as you can be!

Google also last year forced every single employee to use a U2F security key for all of their accounts, and as you know, Google is a huge company with almost 100,000 employees. After this mandatory change, the results were 0 reported cases of account loss / successful phishing attempts. This alone just shows how much more secure you can become by having U2F token hardware.

If you’re still not convinced on why you should bother to make the change, you should check out the following websites:


SMS is not secure

Why

As I explained previously, SMS isn’t safe, and if you want to be over-the-average secure online, you’re going to have to ditch any OTP messages sent over SMS and start transitioning to the proper 2FA methods I talked about above. There are so many ways of intercepting these messages that it’s unbelievable people still use it. It is not secure!

Alternatives

There are so many great, free apps you can use to communicate with instead; some are even open-source (I will explain later why that can be a good thing). Signal is a great, free, open-source application that uses end-to-end (E2E) encryption so that, in theory, nobody else can know what you’re talking about. It’s extremely intuitive, it also lets you make encrypted calls, and on Android devices you can use it as the default app for SMS / voice.

Check Signal out here!


Social engineering

Excuse me, what?

I am confident you have heard about this before. It’s a cruel, but extremely effective way to gain access to information by playing on people’s feelings, identity and more. As I talked about before, if someone you talk to online has evil intentions, and you say you have a bad day, they can use the information to urge you to do something. For example, they can send you an email about “Do you have a lot of bad days? Here’s how to get rid of them”. They look into every single piece of information they can find about you and use it against you. It’s evil, yes, but it works. Humans trust even when they shouldn’t.

Are you chatting on Discord? Are you posting on social media about yourself? Then you’re a potential target. The more information you post about yourself, the more likely they’re able to get to you.

Measures to prevent this

Remove any information about yourself from any social media connected to any of your accounts. Security is only as good as the weakest link. You can remove information from 99% of the websites, but if there’s still some left on the last 1%, you haven’t come that far. Always be suspicious when you receive any message that arrives uninvited. Just like the bad day example: how would you expect to receive an email like that if you never asked for it?

Also, slow down. For most of the social engineering attacks to work, they need you to react impulsively, they want you not to think about what you’re doing, why you’re doing it nor how you’re doing it. They play dirty, with your emotions, but it’s your responsibility to fight back by always making sure everything seems legitimate. For example, if you’re a popular developer, and then “Roblox” sends you “Developer Exchange unsuccessful” you’re probably going to click it right away and you’re wondering what in the world.

Or, what about the Nigerian prince who wants your help to transfer 20 million dollars worth of gold into your country?

Think about it: why do you have to hurry up and click it? Have I asked for this? Can I trust the source? Ask yourself questions about what you’re going to do before you do it! Reacting impulsively is “shoot first, ask questions later”. You react on mixed emotions; stop them. Stop, relax, breathe and think before doing something important to you.

There are many videos, articles, and guides online that can help you fight social engineering attacks, and I strongly recommend you to watch and learn from them. There are also videos where you can see people demonstrating social engineering in-real-life. If you know in what shape they come, you’re better prepared!


Delete files securely

What / why

When you delete files normally on your OS today, the files aren’t gone. Only the references to them are “gone”. The data simply no longer shows up in the file system’s index, and the space it previously used is now just marked as free for the OS to reuse. This is nice and all, but it’s not safe. You can easily use a recovery tool to regain access to the “hidden data”. It’s very simple.

How

This step is also easy, use a trusted file cleaning tool. I’ve seen some people using CCleaner, but you can also use for example McAfee Shredder Tool to delete these files you want permanently gone. Simply search online for tools, check their reviews and more.
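As an added example of what a file-shredding tool does (my own illustration, not code from CCleaner or McAfee), here is an overwrite-then-unlink routine in Python, exercised on a constructed secret written to a temporary file. The caveat in the comments matters in practice: on SSDs and on copy-on-write or journaling file systems the old blocks can survive an in-place overwrite, which is one more reason full-disk encryption is the more reliable protection.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # overwrite 64 KiB at a time so large files don't sit in memory


def overwrite(path: str, passes: int = 1) -> int:
    """Replace every byte of the file with CSPRNG output and force it to disk.
    Returns the number of bytes overwritten per pass.
    Caveat: wear-levelling SSDs, snapshots, journaling/copy-on-write file
    systems and cloud-synced folders may keep the old blocks elsewhere."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Shred: overwrite the contents, then remove the directory entry."""
    size = overwrite(path, passes)
    os.remove(path)
    return size


def demo(secret_text: bytes = b"recovery codes: 1111-2222-3333") -> dict:
    """Constructed scenario: write a secret, overwrite it, and confirm the
    original bytes are no longer in the file before the name is removed."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret_text)
    overwritten = overwrite(path)
    with open(path, "rb") as f:      # independent handle, reads what is on disk now
        leftover = f.read()
    os.remove(path)

    # Second file: the one-call version.
    fd2, path2 = tempfile.mkstemp()
    with os.fdopen(fd2, "wb") as f:
        f.write(secret_text)
    shredded = secure_delete(path2, passes=2)

    return {
        "bytes_overwritten": overwritten,
        "size_unchanged": len(leftover) == len(secret_text),
        "secret_still_present": secret_text in leftover,
        "file_exists_after": os.path.exists(path),
        "shredded_bytes": shredded,
        "second_file_exists_after": os.path.exists(path2),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with a plain delete is the whole point: `os.remove` alone only drops the directory entry, so a recovery tool can still read the blocks; overwriting first means that what a recovery tool gets back is random bytes.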


Use an Android phone with a custom OS

Why

Remember when I said iPhones were generally more secure than Android phones? For this section, this no longer applies. It only applies when you’re using the OS that comes as default on your phone. If you want a secure phone nowadays, you’re going to have to install a secure, custom OS.

How

There are several operating systems created from Android’s OS, that are more focused on security & privacy for the end-consumer. A good one is CopperheadOS, sadly it’s locked behind a payment wall. However, don’t fret! There are others out there that are free, for example, LineageOS. If you don’t like it, find something else!


Separate your bank accounts

Why

Have you ever wondered why all of your money is on one card, or why you’re afraid of losing your debit/credit card? It’s because you’re afraid of losing your money if someone gets hold of it. (Or you just don’t want to lose your card so you can pay for things IRL.)

When someone gets ahold of your card, they can spend your money, and you don’t want someone else to take all of your money just because they have your card, right?

Solution

Instead of placing all of your eggs into one basket, separate your money. At least create an additional account, where you can put money “temporarily” that you don’t need at the moment. Then, should you ever lose your card, you don’t have to worry about someone taking all of your money.

The downside to this, is that each time you want to buy something, you might have to refill your spending account, but hey, you’re doing yourself a favor by reducing stress, is it not worth it?


Pay with virtual cards

Why

By following this step, you make sure people don’t know your actual card information, and you drastically reduce the chances of someone abusing it too! Whenever you use your normal card and enter its details into a website, you’re trusting that website a lot. Why sacrifice a good night’s sleep when you can use a service to prevent this from happening?

Solution

For example, privacy.com. It's an amazing service, but sadly only available to U.S. residents. Even if you can't use it, there may be an alternative for you; search for "online virtual card" or "virtual card" to find another provider.

With Privacy.com, for example, you can create as many virtual cards as you'd like and set a spending limit on each one, so no service can drain your money without you being able to do something about it. This protects your personal information, and it's recommended for everyone who cares about this!



For the more demanding ones

Welcome to the paranoid zone. In here, you will finally get rid of most of the convenience in your (mostly digital) life. It's time to raise the standards of your security, and this section is here to help you with just that.


Secure any access point

It's time to go through all of your access points and secure them with a password to increase the difficulty of an attack. For example, after this step, booting your PC means entering a BIOS password and then the OS password. So set an administrator password in your BIOS too, so nobody can even start your computer without dealing with a password first.

If there ever is an option to secure an application with a password, now is the time to use it.


Get rid of the cloud or secure it

Solution 1, get rid of The Cloud™

The cloud is not as safe as you want to believe at first. You're uploading files for someone else to host, and people you don't know can access those files. Unless you want to encrypt all of your files in the cloud, you're going to have to get rid of it. Download all of your files, transfer them to an external, physical drive and encrypt them (e.g. with BitLocker). Make sure to have multiple copies should you ever lose one.

Solution 2, encrypt your files in The Cloud™

This might be better for some, and this step makes your files in The Cloud™ more secure. There are tools for this, for example Boxcryptor, a freemium service that works like a charm. You simply select the files to encrypt, and it encrypts them for you. It stores the encrypted files in The Cloud™ protected by your password, so the security of this application depends on the strength of your password.


Set traps for bad people

If you ever want to know when someone is finally in your account, you're going to have to set traps for them. Your email, for example, is a popular target once someone gains access to your accounts. Send yourself an email that alerts you whenever it's opened. Keep it unread but mark it as important, so it will be the first thing an intruder sees. And what's more tempting than "Important: Your funds are on hold, please choose an account to transfer them to" sitting in your inbox?
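One way to build such a trap, as an added example that is not part of the original post: a "canary" email whose HTML body contains an invisible image fetched from a unique, unguessable URL. When a mail client loads that image, a tiny web server you control records who fetched it and when. The domain `canary.example`, the port 8080 and the in-memory registry are assumptions for the demonstration; the sample address and IP are constructed.

```python
"""Canary e-mail: a tripwire message whose hidden image tag fetches a unique
URL, so opening it in a client that loads remote images reveals the intrusion.
Constructed example; canary.example is a placeholder for a host you control."""
import secrets
import time
from dataclasses import dataclass, field
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

BEACON_HOST = "https://canary.example"   # assumption: your own beacon host

# 1x1 transparent GIF (43 bytes), so nothing visible is rendered
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c00000000010001000002024401003b"
)


@dataclass
class Hit:
    token: str
    remote_addr: str
    user_agent: str
    when: float


@dataclass
class CanaryRegistry:
    """Maps issued tokens to a label and records every fetch of a token URL."""
    tokens: dict = field(default_factory=dict)   # token -> label
    hits: list = field(default_factory=list)

    def issue(self, label: str) -> str:
        token = secrets.token_urlsafe(16)        # unguessable, one per message
        self.tokens[token] = label
        return token

    def beacon_url(self, token: str) -> str:
        return f"{BEACON_HOST}/c/{token}.gif"

    def record_hit(self, path: str, remote_addr: str, user_agent: str,
                   now: Optional[float] = None) -> Optional[Hit]:
        """Return a Hit when `path` carries a known token, otherwise None."""
        if not (path.startswith("/c/") and path.endswith(".gif")):
            return None
        token = path[len("/c/"):-len(".gif")]
        if token not in self.tokens:
            return None                           # scanners guessing URLs are ignored
        hit = Hit(token, remote_addr, user_agent, time.time() if now is None else now)
        self.hits.append(hit)
        return hit


def build_canary_email(registry: CanaryRegistry, address: str,
                       label: str = "inbox-tripwire") -> Tuple[str, EmailMessage]:
    """Build the bait message (sent from and to yourself) with the hidden beacon."""
    token = registry.issue(label)
    msg = EmailMessage()
    msg["From"] = address
    msg["To"] = address
    msg["Subject"] = "Important: Your funds are on hold, please choose an account"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(
        "<html><body><p>Please select the account below to release the funds.</p>"
        f'<img src="{registry.beacon_url(token)}" width="1" height="1" alt="">'
        "</body></html>",
        subtype="html",
    )
    return token, msg


class BeaconHandler(BaseHTTPRequestHandler):
    """Serves the pixel and raises an alert for every known-token fetch."""
    registry = CanaryRegistry()

    def do_GET(self):
        hit = self.registry.record_hit(self.path, self.client_address[0],
                                       self.headers.get("User-Agent", ""))
        if hit is not None:
            print(f"ALERT: canary '{self.registry.tokens[hit.token]}' opened "
                  f"from {hit.remote_addr} ({hit.user_agent})")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, fmt, *args):
        pass                                       # keep stdout for alerts only


if __name__ == "__main__":
    _, bait = build_canary_email(BeaconHandler.registry, "me@example.com")
    print(bait.as_string())                        # hand this to smtplib or your mail provider
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

One caveat a practitioner should know: many mail clients block remote images, and webmail providers commonly fetch them through their own proxy, so the hit may never arrive or may come from the provider's address rather than the intruder's. Treat the alert as "the message was opened", not as a location.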



Physical protection

You might feel safe online, but do you feel safe in the real world?


Kensington lock cable

You might have heard about this before, or you might not. A Kensington cable (or K-lock for short) is a cable used to protect your computer from theft. Its goals are to 1) physically prevent your laptop from being taken, and 2) deter thieves from even trying.

When thieves see someone caring about their stuff and protecting it, they're less likely to attempt to steal it, because the chance of failure is higher. They want easy targets. Have you ever left your PC on a table at school and gone to the bathroom? Well, with one thief and 2 seconds, it's gone. If you have a Kensington cable, they will usually go target someone else. Why? Because thieves and criminals are simple that way. They want maximum $$$ for minimum work (usually).

Ripping the K-lock off also leaves a significant mark on your computer, and when they want to sell it to someone else they're going to struggle to explain it and get less for it. Alternatively, they have to bring specialized tools to cut it off.


Use a better backpack

You probably haven't thought about this until now. Regular backpacks are pretty convenient, but they put the items inside at risk, since anybody can pickpocket them these days. Whether it be your phone, wallet, card or whatever else.

Go with an "opposite backpack", such as a Riut bag, where the zips face your back. It's not cheap, but it's not expensive either. It looks cool, it protects your items, and the materials used to produce it are of higher quality. There are many sizes and different types, so you can choose one that suits you.


Protect your devices from wireless signals

When you're not using your devices, someone can still reach them over the air. Whether it be a cybercriminal or someone else, a Faraday bag is here to help. Faraday bags are made to block any wireless signals going in or out of your devices, so while they are inside you can't be tracked and the devices can't be reached wirelessly.


Protect your devices from Bad USBs

Have you ever installed an application, and then the application asked for administrator privileges? Well, you most certainly have, and you're probably used to this prompt (Windows' User Account Control dialog):

Do you see a problem there? Well, I do. With a single left-click, or a Shift+Tab and Enter, you are granting administrator privileges. And although convenient, it's not secure!

A Bad USB is used to exploit exactly this. It (usually) pretends to be a keyboard, and since computers trust mice and keyboards by default, it can type anything: it can open an admin prompt and DELETE SYSTEM32!!! Or install keyloggers, viruses, and so on, all with admin privileges. And the second it's pulled out again, you have no clue what happened or why.

Step 1
There are multiple ways to combat this issue. The first one is to make sure Windows asks you for a password every time this prompt pops up, so the device can't simply click through it!

Follow for example this guide: https://www.tenforums.com/tutorials/112634-change-uac-prompt-behavior-standard-users-windows.html

Step 2
Install software that automatically stops a possible malicious keyboard from entering commands quickly. Bad USBs have to be fast; the attacker can't stand next to you for 5 minutes while the device types in bad commands. Install software that stops these kinds of attacks!

Optional Step 3
Use USB port blockers on your computer, which need a special tool to be pulled out again.
Search for "USB port lock" online, and you will find plenty of locks that prevent physical access.

An example of what it looks like https://encrypted-tbn0.gstatic.com/shopping?q=tbn:ANd9GcRdN8gA2rvxR3RPTy68QrgHxyQ72GJcRCYLFtYh7mmHXv1K6JX-p50ynh9mdBJkBsOb9kfiHAJ8Gif_yxg0ySI2Xo6WZ-vO_TpoXCpAtWuKa570wNqUkWOh&usqp=CAE
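To show what the software in Step 2 actually checks, here is an added example that is not part of the original post or of any particular product: a typing-speed guard that watches keystroke timestamps and raises an alarm when a burst arrives faster than any human can type. The window size of 8 keys and the 25 keys/s threshold are assumptions chosen for the demonstration, the keystroke logs are constructed, and the only response is a return value (a real tool would lock the session or detach the device).

```python
"""Typing-speed guard for keystroke-injection devices.

A "Bad USB" enumerates as a keyboard and types its payload at machine speed,
so a burst of keystrokes packed into a tiny window is the signal to look for.
Constructed example: sample timestamps are made up; thresholds are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Verdict:
    suspicious: bool
    peak_rate: float   # keystrokes per second in the fastest window seen
    reason: str


class TypingSpeedGuard:
    """Streaming detector: feed keystroke timestamps (seconds), get an alarm."""

    def __init__(self, window: int = 8, max_human_rate: float = 25.0):
        # `window` consecutive keys arriving faster than `max_human_rate` keys/s
        # is treated as inhuman; 25 keys/s is well above sustained expert typing.
        self.window = window
        self.max_human_rate = max_human_rate
        self._recent = deque(maxlen=window)
        self.peak_rate = 0.0

    def observe(self, ts: float) -> bool:
        """Record one keystroke; True when the last `window` keys were too fast."""
        self._recent.append(ts)
        if len(self._recent) < self.window:
            return False
        span = self._recent[-1] - self._recent[0]
        rate = float("inf") if span <= 0 else (self.window - 1) / span
        self.peak_rate = max(self.peak_rate, rate)
        return rate > self.max_human_rate


def classify(timestamps: Iterable[float], window: int = 8,
             max_human_rate: float = 25.0) -> Verdict:
    """Offline helper: run the guard over a whole keystroke log."""
    guard = TypingSpeedGuard(window, max_human_rate)
    for index, ts in enumerate(timestamps, start=1):
        if guard.observe(ts):
            return Verdict(True, guard.peak_rate,
                           f"{window} keys at {guard.peak_rate:.0f} keys/s ending at key #{index}")
    return Verdict(False, guard.peak_rate, "within human typing speed")


def human_sample() -> List[float]:
    """Constructed: 40 keys at roughly 9 keys/s with natural jitter."""
    gaps = [0.11, 0.09, 0.14, 0.08, 0.12, 0.10, 0.16, 0.09, 0.13, 0.07]
    t, out = 0.0, []
    for i in range(40):
        t += gaps[i % len(gaps)]
        out.append(round(t, 3))
    return out


def injected_sample() -> List[float]:
    """Constructed: ten human keys, a pause, then 30 keys injected 3 ms apart."""
    return human_sample()[:10] + [round(2.0 + 0.003 * i, 3) for i in range(30)]


if __name__ == "__main__":
    for name, log in (("human", human_sample()), ("injected", injected_sample())):
        print(name, classify(log))
```

Speed alone only catches the common case: a device programmed to type slowly slips under the threshold, which is why this step is paired with the password prompt from Step 1 and the port locks from Step 3.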


Privacy filter

A privacy filter is simply a filter you put on your monitor or laptop screen to prevent anyone but you from reading what's displayed. When dealing with confidential or personal files, you don't want someone else to see what you're doing or what's on the screen, and that is exactly what this filter is for.

In Norway, at least, these cost about $70-80, so they are a bit costly, but depending on what you do for work, they might be worth it!



Conclusion

So, to those of you who read some or all of this, awesome! I hope you learned something new or gained more information about security and how to become more secure (because after all, that's the goal of this post). I also apologize if you feel like I'm a bit paranoid, but I'm simply stating what I know here.

Again, if you feel I have written something poorly / incorrectly, or would like to add more to the table, be sure to reply or send me a PM and I will be happy to update the post! Also, if you want, please let me know what you think of this post, and if you found it useful!

Post Usefulness

  • Did you find this article useful?
  • Did you not like this article? (Please send a reply or a PM)
  • Did you learn something new after reading this article?
  • Do you think others will benefit from this article?



On a scale from 1-10, how much did you find this article to be helpful, contributive, or in other ways a good article on this forum?

  • 0
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10


Now, after reading this article, how safe do you think you are?

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10


47 Likes


Well that depends massively. I personally have a modified router with custom firmware. I then use OpenVPN to route all my traffic through a custom (open source) VPN hosted on one of my servers.

3 Likes

That’s hardly the only use of a VPN. A VPN will encrypt you traffic which protects you from your ISP tracking you as well as network administrators tracking you. They can still see the sites you visit but not the content of them.

It can also be used to bypass network blocks like a school, etc. That’s not to mention just hiding your IP from websites who might save it.

2 Likes

Good job with this post! It gives security levels for all types of people, which is cool! I'll make sure to share it with friends!

1 Like

Regarding account security itself, I just generate 4 passwords every week and use 2FA only on my phone with mobile data. Most of this goes into levels of extreme paranoia, but still a good thing to know.

Getting rid of cloud is generally a worse idea regarding security. Data-loss is just as big of an issue as theft. Unless you have a reliable RAID 6 setup with each disk powered by its own grid and an anti-surge protection, it is almost impossible to be 100% protected against data-loss. I lost 3 disks in my RAID 5 during a thunderstorm (stupid me forgot to unplug) and the 4th was half-fried. It is much better to buy a premium subscription for enterprise level cloud.

1 Like

One could say this post was slightly overkill :stuck_out_tongue:

Complete legend for this line! ^

Definitely found it interesting that you recommended a password manager, as one of my primary concerns is if my Mac was stolen, knowing my OS password would give you access to my entire keychain.

1 Like

Yep! This post is probably an overkill for most people, but I just want it out there to the public, so that it gets known at least :wink:

The entire purpose of this post is for people to see how secure you can become, and why it’s so important (and mainly what you can do). Using a password manager is a huge step for most people as they probably have been using one password for multiple accounts, which isn’t a recommended security practice. Any steps you take to increase your security matter!

And I also definitely recommend that you get started with a password manager, as it simplifies pretty much everything. There are some cons to using it (i.e. all passwords in one place), but one can argue that the benefits outweigh them.

5 Likes

Pro Tip: If you don’t have the money for a Faraday bag, you could also turn off your phone when you aren’t using it. This makes your phone impossible to hack during the duration that it is turned off (that is until Apple’s hardware backdoor is activated by a malicious actor/government or they send someone to steal your phone/your body).

If you want to increase laptop physical security (ie; usb blocker, kensington lock, privacy filter) you could also use a deadman’s switch. Essentially, you have some type of USB plugged into your laptop that is attached to your wrist/neck with a chain. That way, if someone tries to steal your laptop, a program on your laptop would automatically turn off the computer and wipe the entire drive. Furthermore, if security is required at the highest degree, you could perform full disk erasure via physical methods (thermite, explosives, etc) though I would not recommend this unless you have been authorized by an appropriate government body. They could also circumvent this by spraying your laptop with liquid nitrogen and extracting the RAM from the computer before the MOSFET capacitors fully discharge.

8 Likes

Depending on your intended use, you may be subject to government intervention with the self-hosting of a Virtual Private Network (VPN). Commonly practiced in the United States of America (USA) a “pen trap” is used to monitor telephone or network-related traffic, this practice is similar to a subpoena. If you are not in the USA, a similar policy may be practiced by your government, even if your intention is not felonious. Though your private information is encrypted, tracking (locating) you is still possible.

2 Likes

I mean I understand that security is a big feature but again you shouldn't be worried if you are not browsing through suspicious websites or just clicking random links that you have found or someone has sent to you. If you have 2FA active then you should not be worried as long as you haven't used your Roblox credentials at random computers or suspicious websites. The use of a VPN is great for privacy and encryption but I guarantee you it's not the best use, especially using public free VPNs.

In general, keeping your credentials away from false websites should keep your account safe. if you use a password manager then you should be protected but if you haven’t it’s a great solution to protect you from overused credentials from similar accounts.

iPhones are not a solution to keep a system protected, that is completely false information. If you think using SMS keeps your account protected then you are completely wrong! Besides, social media has nothing to do with hacking accounts, social media is great to collect information from communities and etc.

-BTW GREAT ARTICLE! :upside_down_face:

1 Like

This is awesome! I’m super paranoid all the time so it’s good to know there are others out there like me. and now some hacker is going to take this information and use it to exploit me :joy:

2 Likes

Password managers are a godsend. 20-64 character long unique passwords and I don’t have to remember a thing. They’re not particularly expensive either for a subscription, and in any case they will save you days of your life in the long run (plus give you much improved security).

Plus, 1Password lets me know when my data or password has been leaked due to some crappy company's negligence (thanks Facebook)

2 Likes

This is not at all what I expected from an article titled “security” on a Roblox forum, but I enjoyed it. I like how you even went into physical security with locks and backpacks. Thanks for the resource!

2 Likes

Overall, nice thread and a great introduction to online security!

This is not as necessary as you think nowadays. Sure, wind back time a few years ago when most websites weren't secured and you would, but virtually all websites nowadays encrypt your information so that your connections are secure. VPNs do have legitimate uses; circumventing geoblocking, obfuscating traffic, bypassing content filtering, etc. These are great, and sometimes essential, for people living in countries where governments suppress and punish certain beliefs… the majority of us in the western world though? These aren't essential. You might as well save that £10/month and donate it to a charity, it will have a much better use.

Tom Scott sums it up wonderfully in one of his latest videos:

https://www.reddit.com/r/videos/comments/doawcl/this_video_is_sponsored_by_vpn_tom_scott_on/

For debit cards, you can add 'daily caps' (£50 limit a day for example), so even if your card is stolen or goes missing, you can cancel it right away without the worry of your entire account disappearing. Online transfers have also become a lot more secure recently; you can set caps on spending which require 2FA to process large amounts.

3 Likes

The amount of random stuff I download…

1 Like

:clap: Nice article :clap:

I would like to contribute two things to your guide… Browsers & Search Engines. As similarly stated above, some of these browsers and search engines will expose your data to big companies while surfing, just like Facebook and Google.

Browsers

Choosing the right browser will benefit you on one of these things: privacy, security, or stability. Some of the browsers that I am (or you are) familiar with are:

  • Chrome
  • Firefox
  • Safari
  • Opera
  • IE
  • Edge
  • Tor

Chrome is too much of a privacy/stability hog. Firefox only blocks trackers by default. Tor is outrageously slow, only for anonymity. I did like Opera once because of their “free VPN” however it is broken, then I got too bored to use Opera afterward. I don’t like Edge & Safari. Internet Explorer… does anybody use that anymore?

There is one browser that I did not include in my list: Brave. In my opinion, Brave is more secure than any other browser. Brave is built from the Chromium source. You can watch what Brave is here

Why Brave is different (and better) than Firefox and Chrome

  1. Brave blocks ads, trackers, third-party cookies, and upgrades to HTTPS by default

  2. Brave lets you get rewarded by watching privacy-respecting ads. You can opt-in/opt-out at any time. You can also be part of a Brave creator too! These rewards allow you to tip any verified Brave creator, like me.

  3. Brave lets you download Chrome extensions (obviously). Here are some of my favorites (all of them are open source):
    Privacy Redirect (Invidious, a Youtube private front end, is the icing on the cake!)
    Stylus (NOT TO BE CONFUSED WITH STYLISH AS THAT STEALS YOUR BROWSING HISTORY DATA)
    SponsorBlock (works with any Invidious instance too, not just Youtube!)
    Buster (works only on reCAPTCHA, just one click, that’s it)

  4. Brave is on a “mission to fix the internet”

  5. Brave tries to rip out as much Google as possible.

  6. Brave has built-in Tor browsing. It doesn't have as many features as the original.

  7. Brave is fully compatible with YubiKeys.

  8. Although Brave is technically built from Chromium, Chromium is not the same as Chrome though.

  9. InterPlanetary File System (IPFS) is integrated into Brave, this is great for bypassing censorship in your country!

  10. Want to know what’s happening today around the world? Brave Today has got you covered.

Don’t believe me that Brave is faster than Firefox? Brave has run a test performance on GC, Brave themselves, and Firefox. Watch it here

Fun fact about Brave: The person who made the browser, Brendan Eich, also co-founded Mozilla and made THE JavaScript language.

Honorable Mentions:

  1. Vivaldi: Created by the co-creator of Opera. Open source, SUPER customizable UI, not as fast at blocking ads and trackers as Brave

  2. Ungoogled Chromium: An incredibly locked-down tight version of Chromium, a 100% de-googled browser, it’s not easy to install extensions and not so easy to update like the other Chromium-based browsers

Search Engines

There are search engines that invade privacy, such as Google (mostly Google), Bing, and Yahoo. And some search engines are safer to use. Three of the safest search engines I know are DuckDuckGo, Qwant, and StartPage. I like DuckDuckGo more than Qwant and StartPage.

Why choose DuckDuckGo over Google?

  1. DDG can save time. You can use this feature called !bangs. !Bangs are a shortcut for searches, like “!robloxg big paintball”. You can learn more about !bangs by simply searching “!bangs” by setting DDG as your default search engine.

  2. When Google got caught changing up searches, most primarily on politics, more people switched to DDG. For the first time ever, DDG had reached over 100 MILLION searches in a SINGLE DAY! BIG NOTE: I will NEVER be into politics.

  3. As you may know by searching already, DDG has a search filter. There is an all safe version here if you don’t feel comfortable with the search filter in the original DDG engine.

  4. They have a Tor circuit of DDG.

  5. It’s highly customizable. You can give DDG a super dark theme. You can sync themes across other devices too by bookmarking the link that’s given to you.

  6. DDG doesn’t care what you search up. Google, on the other hand, does.

  7. DDG has more features that Google doesn’t have, like a “youtube cheat sheet” or “qr a qr code generator exists on DDG”.

Conclusion

In conclusion, if you want faster, safer, more secure browsing, use Brave + DDG or Qwant. Qwant is more for users that live in Europe.

If you thought that I would say use Firefox, it ain’t safe anymore due to backdoor telemetry. Yes, that’s a thing. I would also give this article a good read on why Mozilla can’t be trusted, written by Mozilla themselves (AS I SAID: I will NEVER be into politics).

Edit 1/27/2021: Browser Honorable Mentions, more reasons why I like Brave and changed a reason, new reason why Mozilla is a traitor in conclusion, changed all Youtube links to an Invidious instance

8 Likes

First and foremost, fantastic post.

While this post definitely helps to show how the reader can be more aware, it forgets one rather important thing. Software, like all code, can always be compromised. It's a matter of when or how an attacker can gain access to your system, your files or your code. While better security techniques can help stop an attacker, it's more so postponing or mitigating the eventual intended outcome. Just something to think about.

1 Like

Another fact about Brave is that it is open source. Here is the Github Page. I never knew Brave existed until now. I got to try it out right now.

2 Likes