Between the recent Cambridge Analytica news and the growth of ransomware attacks, it seems obvious that both privacy and security matter. But what should you actually do to protect yourself online?

This list might seem paranoid: it is. And you should be, too.

Do backups. Lots of backups.

Theft, ransomware or simply failed hardware: it is really easy to lose some or all of your data. You almost certainly know someone who has lost data, if it has not happened to you already.

Your backups must be secured too, otherwise you gain security but lose privacy.

You can use RAID, in which your data is mirrored across several hard drives: if one dies, you replace it and lose nothing. The downside is that RAID is redundancy, not a backup: it does nothing against theft, ransomware or accidental deletion, because every copy changes at the same time.

A NAS is another good option: not cloud based (better for privacy), but still on a separate device. However, depending on how your computer connects to the NAS, it can be hit by ransomware too: if the NAS is mounted as a writable network share, anything that encrypts your files can encrypt the share as well. Versioned or snapshot-based backups on the NAS mitigate this.

Finally, there are end-to-end encrypted cloud solutions, also known as “zero knowledge”, such as sync.com: the provider stores only ciphertext and never holds your key.

Install all updates

You should install updates. All of them. Even if you know you will have to reboot afterwards, install them right away. You might think you do not need the new features and that the current version suits your needs, but updates very often carry security fixes as well.

Even with an antivirus, a firewall and an anti-malware tool, if your software is outdated you are an easy target.

Do not use an antivirus

WHAT?!

No, do not leave this list yet.

To be more precise: on Linux or macOS, you do not need one. On Windows, Windows Defender comes pre-installed: just keep it.

Third-party antivirus products are often just useless: they fail to block attacks and simply sit there consuming memory. Sometimes they even block legitimate user actions. But the really bad point is that antivirus software often spies on you. What do the vendors do with that data? Just improving their product with anonymized telemetry? Maybe. But maybe not. You should not take that risk since, as I said, they are often useless anyway.

Windows Defender is the exception and you should keep it: it uses little memory, and it cannot spy on you any more than the Windows OS already does.

Use a firewall

Once again, on Windows you already have one: stick with it. macOS also has one, keep it too. On Linux, you have several good options, iptables (and its successor nftables) being the best known.

Trust no one

It might be someone you know, someone you are playing a game with, someone pretending to be staff of some online service, or maybe one of your employees. This person may ask you for your password or for personal information. If you hand it over, you have been fooled by social engineering.

This is in fact one of the worst security flaws: the human.

Encrypt everything

It is the best way to protect your data in case of theft. Use BitLocker on Windows, FileVault on macOS and LUKS on Linux. You can also use VeraCrypt to encrypt only some files (inside an encrypted container) or USB devices.

Also, in French, please do not say “crypter” (the word is “chiffrer”).

Do not think it only happens to others

Attackers will probably not target you specifically. They target everyone, hoping that someone falls into their traps.

You might also think you have nothing of interest to an attacker, nothing to hide. But you have money, you have an identity, and you have a computer with spare CPU and memory: that is all an attacker wants. Sometimes they will simply take over your webcam and blackmail you, even without knowing you, even from another country.

Use strong authentication

You can authenticate in three ways:

  • What you know (e.g. a password)
  • What you have (e.g. your smartphone with a specific app on it)
  • What you are (e.g. your fingerprint)

Strong authentication combines at least two of those three factors. Many services let you use an app like FreeOTP that generates time-based one-time codes, usually under the name “two-factor authentication”. Some services also accept a hardware token (such as a YubiKey) as the second factor.

Use a password manager

If you use the same password everywhere (or variants of the same password), you are doing it wrong.

You can also use passphrases, which are easier to remember than old-style passwords and are recommended by NIST. Unfortunately, some websites are so badly built that they refuse passwords longer than X characters. A password manager lets you generate a strong random password that still fits those sites' limits.

I advise you to use KeePass or KeePassXC with Syncthing to share your database across your devices, or 1Password if you want to avoid the hassle of syncing yourself.

Do not give real answers to secret questions

The answers are often easy to guess (or to find on social media) and you will tend to reuse them everywhere. Treat each answer as a password: use a random character string and store it in your password manager.
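The two previous points, passphrases versus length-capped passwords and random answers to secret questions, come down to the same thing: how many bits of randomness the secret carries. The following added example (not code from the original post) generates both kinds of secret with Python's `secrets` module, which is a CSPRNG, and computes their entropy. The word list is a constructed 32-word sample; a real diceware list such as the EFF large list has 7776 words, and the entropy figures below show why the list size matters.

```python
import math
import secrets
import string

# Added example (not from the original post). Everything here uses `secrets`,
# never `random`, because `random` is predictable and unfit for passwords.

# Constructed sample word list (32 words = 5 bits per word). A real diceware
# list has 7776 words (about 12.9 bits per word); this one is for demonstration.
WORDS = [
    "apple", "banana", "cactus", "dagger", "eagle", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lemon", "marble", "needle", "orbit", "pepper",
    "quartz", "river", "saddle", "tunnel", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zebra", "anchor", "bridge", "candle", "dragon", "ember", "forest",
]

ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def passphrase(n_words: int = 6, words=WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word is drawn uniformly and independently."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n uniformly chosen words from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_answer(length: int = 24, alphabet: str = ANSWER_ALPHABET) -> str:
    """Replacement for a 'secret question' answer: a random string you store in
    your password manager instead of your mother's real maiden name."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy of `length` uniformly chosen symbols from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def chars_needed_for(bits: float, alphabet_size: int = len(ANSWER_ALPHABET)) -> int:
    """How long a random password must be to reach `bits` of entropy; useful when a
    site caps password length and you want to know whether the cap is survivable."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("6 words from 7776-word list: %.1f bits" % passphrase_entropy_bits(6, 7776))
    print("6 words from this 32-word list: %.1f bits" % passphrase_entropy_bits(6, 32))
    print("secret-question answer:", random_answer())
    print("12 random alphanumerics: %.1f bits" % answer_entropy_bits(12))
    print("chars needed to match 6 diceware words:", chars_needed_for(passphrase_entropy_bits(6, 7776)))
```

Six words from a real 7776-word list give about 77.5 bits, which a site's 12-character limit cannot match with letters and digits (about 71.4 bits); the `chars_needed_for` helper tells you whether a given cap can still reach the entropy you want, which is exactly the case where a password manager's generator earns its keep.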

Do not trust blindly 3DSecure and HTTPS

Any merchant can set up 3DSecure (the system that sends you an SMS to confirm a payment) and anyone can obtain an HTTPS certificate. Both are free.

3DSecure is not meant to protect you, it is meant to protect the seller from people paying with stolen cards.

With HTTPS, the problem is this: if you go to https://www.google.com, the connection is encrypted and tied to that exact name, which is what you want. But you still have to check that the URL is correct, because https://www.gooogle.com is also served over HTTPS, with a perfectly valid padlock, yet it is a different website that might try to steal your Google credentials. HTTPS proves you are talking to whoever owns the name in the address bar, not that the name is the one you meant.
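The check the padlock does not do for you is “is this hostname the site I expect?”. The following added example (not code from the original post) does that check the way a careful reader does it by eye: it requires https, extracts the hostname properly so tricks like `user@host` or a port cannot fool it, and only accepts the expected registered domain or one of its subdomains. The expected domain `google.com` and the sample URLs are assumptions for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added example (not from the original post): verifies that a URL points at the
# site you expect. HTTPS alone only proves the server controls the name shown;
# it says nothing about whether that name is the one you meant.


def https_hostname(url: str) -> Optional[str]:
    """Return the normalised hostname of an https URL, or None if the URL is
    not https. `.hostname` strips any user:pass@ prefix and port and lowercases,
    so 'https://google.com@evil.example/' correctly yields 'evil.example'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # drop a trailing dot (FQDN form)


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL is https and its host is expected_domain or a
    subdomain of it. Plain substring or prefix matching would accept
    'google.com.evil.example' or 'gooogle.com'; this does not."""
    host = https_hostname(url)
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def explain(url: str, expected_domain: str) -> str:
    """Human-readable verdict, the kind of hint a browser extension might show."""
    host = https_hostname(url)
    if host is None:
        return "REJECT: not https (or no hostname)"
    if host.startswith("xn--") or any(label.startswith("xn--") for label in host.split(".")):
        # Punycode label: possible homograph (look-alike Unicode) domain.
        return "REJECT: internationalised hostname %r, check it carefully" % host
    if is_expected_site(url, expected_domain):
        return "OK: %s belongs to %s" % (host, expected_domain)
    return "REJECT: %s is not %s" % (host, expected_domain)


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in [
        "https://www.google.com/search?q=x",
        "https://www.gooogle.com/",
        "https://google.com.evil.example/login",
        "https://google.com@evil.example/",
        "http://www.google.com/",
        "https://xn--ggle-0nda.com/",
    ]:
        print(link, "->", explain(link, "google.com"))
```

Note that `urlsplit` is doing real work here: a naive `"google.com" in url` test would pass every one of the rejected links above. The same logic is what you should apply mentally before typing credentials, and it is also why a password manager that only fills credentials on the exact saved domain is a useful phishing defence.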

Misc rules

  • Do not plug in an unknown USB key
  • Do not plug your own USB keys or phone into a stranger's USB port
  • On Windows, show file extensions
  • Check the sender of every e-mail
  • Do not blindly click every link or attachment in an e-mail
  • If you use public Wi-Fi, use a VPN
  • Put thick tape over your webcam when you are not using it
  • Do not use the password manager shipped with your browser

Conclusion

Just be careful and everything should be fine, but remember that zero risk does not exist.