We are often asked “How can I be safer online?” Over the years we’ve accumulated 25 total recommendations, which we’ve divided into four categories:
- Easy: An action that you only have to take one-time! Occasional effort and minimal inconvenience. See our 15 “easy” recommendations for you below.
- Medium: Five somewhat more difficult, and non-free, recommendations below.
- Hard: These three recommendations are the difficult changes in behavior but you gain the greatest safety.
- Not worth it: Two pieces of advice from others you might consider skipping.
1. Set a customer service password on your mobile account
A common attack is for someone to call your phone company pretending to be you. You can assume the attacker will have access to all basic information about you, including date of birth, identification numbers, previous addresses, what bank you use, etc. (This information is readily available to attackers based on the many previous data breaches, which include major banks, telephony, insurance, retail, and health care providers.)
The attacker may be able to convince your phone company to forward calls and texts to a new number, or provision an entirely new sim card and line. This would often allow an attacker to complete multi factor authentication, voice authorization for bank wires, etc.
Solving this is as simple as a one time phone call to customer service. Ask for a voice password to be required for any future customer service interaction on the account.
2. Use Multi Factor Authentication for all cloud services
Note that to be most effective, you should complete the previous step as well.
Start with your email, because your email is typically the “reset the password” method for all other cloud accounts. Add a single phone number, most likely your mobile phone. This safeguard makes all your online accounts harder to attack.
Organizations should also require two factor authentication for their staff before allowing access to internal resources.
3. Use the least vulnerable web browser
One of the main risks you face is “drive by infection” of malware and viruses from general web browsing activity. Therefore it’s very important to use the most secure web browser available.
We would really love to be able to recommend Mozilla’s Firefox browser for because we feel very aligned with their goals and mission. Unfortunately, in recent years, Firefox has fallen far behind in the security game.
Google’s Chrome browser is the only browser we recommend based on the overall hardening, anti exploitation, sandboxing, and bug bounty attention it has received.
We are aware of course of Google’s various implications for individual privacy. For example, SpiderOak publicly ditched Google Analytics. Some of them, such as Project Zero and Golang, are great, but others give us pause. Google has a world class security team to protect you from other companies, but obviously Google itself presents different threats to your privacy.
4. Set browser plugins to let you choose when to run
Browser plugins are things like Flash and other multimedia components that offer additional viewing capabilities not supplied by the browser natively. Historically, before HTML5 video these were much more useful than they are today, but they are kept around for backward compatibility and to add extra features to some sites (such as screen sharing during a video conference or alternative video codes for streaming media).
It’s unnecessary to allow every website you visit, and every 3rd party advertisement served by those websites, to run browser plugins on your computer whenever it wants to.
Generally a plugin should only run when you chose (such as when you want to use a screen sharing application or interact with an animation) or on sites that you’ve specifically whitelisted to use that plugin.
Chrome gives you easy control over plugins.
Settings -> Advanced Settings -> Content Settings (under “Privacy”) -> Plugins Select “Let me Choose when to run plugin content”.
There’s a “Manage Exceptions” option if you want to whitelist some specifically chosen trusted sites to allow their plugins to run automatically if you need to.
5. Disable browser plugins you don’t need
In the same settings dialog as above, there’s an option “Manage Individual Plugins.” There you can enable and disable specific plugins. I disable all plugins except the Chrome PDF Viewer (see the discussion of Acrobat below.)
6. Develop the habit of site login via bookmark
Whenever you need to login to some site (e.g. enter your email address and password to complete the checkout on Amazon, access your bank, get your latest proof of insurance card for you car) cultivate the habit of first using a previously stored bookmark to navigate to the login page for that service.
Do not type in the URL manually, search for it on google, or especially do not follow a link from a text message or an email. A consistent habit of always using your previously stored bookmark to the login page will save you from many forms of phishing abuse.
Some people explain this one as just “don’t click on links in emails,” but it’s very hard to remember to not doing something. Instead make a solid habit of how to do things the right way. Bookmarks take just a moment to setup and save you time thereafter.
7. Uninstall Adobe Acrobat
Adobe Acrobat was designed in a different age, before the Internet. Acrobat has had vulnerabilities that allowed specially crafted PDFs to load malware onto your system for the last two decades. Undoubtedly more vulnerabilities remain.
The best way I know of to open PDFs for reading is inside Chrome’s PDF viewer. Even still, the PDFs are a difficult format to parse and more vulnerabilities are likely to be found.
Acrobat is OK if necessary for authoring your own PDFs, but not for opening PDFs you receive from other people.
8. Use email software built by companies with a strong security team
Basically this means: Use macOS Mail, Microsoft Outlook on Windows, or Gmail’s web interface, and nothing else. While there are a variety of other mail clients out there with nice user interface niceties, security reviewers are precious resources and only a few companies have well staffed security teams proactively flushing vulnerabilities from the software they publish. All of the aforementioned programs have had a variety of hardening over the years.
Plug: These days many organizations are using email mostly for communication outside of the organization. Internal communication is done with modern tools designed for efficiency and security, such as SpiderOak’s Semaphor.
9. Disable automatic loading of remote content in emails
Sometimes advertisers send emails which make reference to remote images, fonts, etc. If these remote resources are loaded automatically, they indicate to the sender that this specific email was received by you.
In macOS X Mail, this setting is under Preferences -> Viewing -> uncheck “Load remote content in messages”
10. Use the most recent version of your OS
Among Windows users there are many differing opinions on which version of the Windows GUI is the best. Among security experts, however, there’s general consensus that the most recent version of the operating system is the most secure. This is because with each new version, additional anti exploitation technology is added to the base system as part of Microsoft’s ongoing efforts to make the platform harder to attack. For example, there are vulnerabilities against Windows applications that are exploitable when the application is running on an older version of Windows, but are non-exploitable, or much harder, with newer versions.
Whatever version of your operating system you use, you’ll probably spend most of your time in your applications doing work anyway, so it’s best to just get used to the current OS offering.
11. Use a recent, well-updated version of your chosen mobile platform
Always running the most recent version of your operating system is even more important on mobile. Always apply patches and OS upgrades when they are available, as soon as you can. OS patches often fix one or more known vulnerabilities. Overall Apple does a much better job of keeping a large portion of the population of iOS users on a recent version.
In the Android ecosystem, sometimes it’s hard to upgrade older handsets, or updates are not provided by the vendor or carrier. If possible, the best Android phones seem to be those offered by Google directly (e.g. Nexus.)
12. Use full disk encryption
Have you ever accidentally left your laptop in the taxi? One day most of us are likely to suffer a burglary in which a computer is stolen from your car, home, or work.
The resolution to this nightmare scenario is pretty painless with a tiny amount of forethought. Enable full disk encryption on your computer, and when a device is lost, buy a new one, restore from backup (below), and file an insurance claim. Whoever has your lost computer is likely reduced to selling it for the value of the hardware, and none of your information will be compromised.
Full Disk Encryption is easy to turn on and for modern computers there’s no performance cost associated with it (i.e. it won’t make your computer behave any slower after the initial encryption pass is complete.)
In macOS, full disk encryption is called “FileVault” and turning it on takes about 30 seconds. Go to the Apple icon in the upper left, chose System Preferences, then “Security and Privacy.” From there chose the “FileVault” tab at the top. Push the buttons to turn FileVault on. (You can store the recovery key with Apple if you wish, write it down somewhere safe, or skip that step if you’re confident you can remember the login password for your account on this computer.)
Lastly, go to the “General” tab and make sure the “Require Password” option is selected with a reasonable timeout (15 minutes is probably safe.)
If you’re following the previous recommendations, your phone is probably already doing full disk encryption for you automatically. Set a strong passcode and use touch ID.
Note: full disk encryption has some weaknesses. For example, it’s not designed to stand up to continuous monitoring (e.g. where an attacker has the opportunity to take an image of your hard drive on multiple occasions over a period of time.) It will take care of the “lost machine” scenario just fine.
13. Manage passwords easily and effectively
If you reuse the same password on multiple sites, whenever one site is compromised, the credentials from that site can be used to login to your other accounts across the web. You should assume that all sites will be or already have been compromised, so if the password for a single site is compromised, any other sites with the same credentials are immediately compromised too.
But remembering many passwords is a fool’s errand. Remembering one strong and unique password is hard enough, but that’s all you need to do.
Instead of trying to remember passwords, use a password manager to generate and remember strong unique passwords for every site. This way, you only have to remember one password to unlock your password manager, and a single breach means only one site is compromised.
There are many different options for a password manager. These are the ones I recommend:
- Keychain Access on macOS. This is not really a password manager but it supports user added passwords and secure notes. You can find “Keychain Access” in the “Utilities” folder under Applications on macOS. It has an assistant to help you generate new passwords. If you let Chrome remember your passwords, Chrome is actually storing your passwords in the macOS keychain. I think this approach is most secure but it doesn’t work very well if you also need to access managed passwords from mobile.
- Encryptr by SpiderOak. This is a minimalist 100% free and open source option. It’s cloud based and syncs between all the devices you use it on (but all content is encrypted locally, and not stored as plaintext in the cloud.) As a security feature, it does not integrate with your web browser. (In the past, when various password managers that otherwise had good design have had vulnerabilities, it’s almost always been through their browser integration code.)
- 1Password by AgileBits. If you need a more sophisticated password manager with browser integration and paid upgrades like sharing passwords among a team, this is a strong choice.
14. Attach only known and trusted external hardware (USB, Firewire, etc.)
Over the years there have been a variety of vulnerabilities in each major operating system relating to connecting untrusted hardware. In some cases the hardware talks to the host computer in a way the host computer does not expect, exploiting a vulnerability and directly infecting the host.
A common penetration technique is for attackers to leave USB drives with malicious content scattered haphazardly through a parking lot, knowing that some people are likely to be curious what they might contain. As soon as they plug in the USB, their systems are compromised.
Events like these are common enough that some companies fill all USB ports on company computers with hot glue so it’s impossible to connect untrusted, unofficial hardware.
This also includes friends who might want to borrow a USB port on your computer to charge their phone. Direct them instead to a USB port on a power strip — not your computer.
15. Charge only from trusted devices
Similar to above: Never charge your phone via USB from an unknown/untrusted device. There’s a chance that whatever is on the other end of the USB cable can infect your phone. We recommend that you travel with the power adapter in addition to the USB cable.
There are devices called “USB condoms” which claim to pass the power along but block all data signals. However, in a world where 90% of Apple charging gear sold on Amazon turned out to be inferior counterfeit products, I’m reluctant to trust unofficial hardware accessories.
1. Use a Virtual Private Network (VPN), while understanding its limitations
A VPN or “Virtual Private Network” is a paid service that tunnels your internet traffic from your device to a VPN service somewhere in the cloud. Consequently, your network origin (including geography and IP address) is concealed. Many details of your network activity are also concealed from your ISP.
This arrangement protects you from your ISP and others building a large database of your web browsing activity. More importantly, it gives you some defense from network level attackers that would inject bad things into your network connection. For example, some ISPs inject their own advertisements into the web pages viewed by their customers. Rogue wifi hotspots may inject malware, or attempt man-in-the-middle traffic interception and alteration attacks.
Note that while a VPN gives you a measure of privacy while browsing, you should not expect your VPN to provide strong anonymity.
2. Use only white listed applications
Don’t use or allow others in your team to use random software from the Internet.
Instead, select software applications carefully. Provide a list of approved software which members of your team are allowed to use, and require approval before using other software. (If you adopt this arrangement, it’s necessary to give priority attention to reviewing new requests.)
For software that you use to work with strangers on the Internet, ideally it would be created by companies large enough to have a strong security team. Security folks are expensive.
3. Keep backups of your data
A good backup system protects you from all of these:
- Hardware failure
- Equipment loss
- Accidental deletions (retains deleted items)
- Accidental overwrites (retains old versions)
- Ransomeware infections (restore to a previous point in time)
There are many options for this today. You could even use SpiderOakONE or SpiderOak Groups for your team if you wanted. An important point of consideration is the confidentiality of those backups (e.g. are they meaningfully encrypted), and how long are deleted files and old versions retained before being purged by the backup system.
4. Whenever an email asks you to take a sensitive action, call the person to verify
We’ve heard stories from so many people that received emails asking them to wire money, send financial reports or other sensitive information, or open suspicious attachments.
Often those emails come from a source that looks like someone you know, but actually isn’t. The email will closely mimic the writing style and other attributes of the forged sender. (The design of email makes it very hard for humans to be sure that any given email is really from who you think it is.)
5. Secure your communications with end-to-end encryption
End-to-end encryption of communication means that only you and the other people you’re communicating with have the opportunity to observe the content of that communication. So as an attacker, if I wanted access to a conversation that was end-to-end encrypted, I would have to compromise one of the specific devices of the people involved in that conversation.
We recommend a few products for end to end encryption of communication:
- Apple’s iMessage and Facetime Audio and Video each do end-to-end encryption. The key exchange is arranged non-transparently by Apple and the source code is not available, so there is not an opportunity to be sure the key exchange and encryption is happening correctly. However, from conversations with engineers at Apple who have knowledge of these products, I have confidence in them, at least in the case that you haven’t been specifically targeted for wiretapping.
- OpenWhisperSystems provides an app called Signal on both iOS and Android. It has excellent security properties for individual or small group conversations. Use from a desktop is difficult however, so it’s only really practical for conversations where you don’t mind keying in all your content on the phone.
- Semaphor is SpiderOak’s own end-to-end encrypted collaboration app. It allows teams of people to work together securely, and it includes private messages, search, and file transfer. Within a team, each “channel” is individually encrypted, meaning only the members of a specific channel can read its contents. Semaphor works on desktop and mobile, supports enterprise features, integrations and bots.
1. Use semi anonymous devices for general browsing
Instead of using your main computer, allocate a separate device for things like reading the news and general browsing. This computer shouldn’t have any of your accounts (e.g. Amazon, Google) on it. Ideally, this computer shouldn’t even know your real name. Segregating this activity limits the risk to your working computer. If your separate device is compromised and tracking you with malware, the damage is minimal since it has no access to your real accounts.
2. Use isolated devices for sensitive tasks
Like above, but in the opposite direction. Let’s suppose you have one or two very sensitive activities, such as banking and investment accounts, that you want to protect very carefully.
One approach is to allocate a separate computer for those activities, and be sure those are the only activities this computer ever does. That device doesn’t receive your personal email, do web browsing, review documents from colleagues, etc. It only does these secure activities, and nothing else.
3. Use project specific encrypted volumes
If you work on sensitive projects in a sequential way (i.e. you don’t need access to all the data all the time, but only a few ongoing concerns at once), another way to limit scope of damage is to create new encrypted volumes for each project. Using Disk Utility on macOS, it’s easy to create a read/write encrypted volume. Under the hood, that volume is really just stored in a file that can be copied and backed up like normal. You can mount the volume and work with it as needed, and keep it unmounted the rest of the time.
MAYBE NOT WORTH IT?
1. Anti-Virus Software:
Many anti virus products have a history of introducing bad vulnerabilities themselves, and several of them seriously degrade the performance of your computer. However, one I’ve been watching lately is Cylance, which seems to take more of an “application whitelisting” approach, where the white list is created through machine learning across a wide population of software users. (Instead of trying to identify bad software, it identifies good software, and considers all other things bad software.)
Most people don’t use Tor, so although using Tor is supposed to make you anonymous, in some ways it makes you stand out. True anonymity is very hard to achieve (and the goals of security and anonymity are different things.)