Update 11/14/2017: This guide is now out of date. Please see our new, comprehensive guide.
The internet can sometimes be a scary place, where hackers steal hundreds of millions of passwords in one swoop, or cause large-scale blackouts. The future is probably not going to get better, with real-life disasters caused by internet-connected stuff, smart house robots that could kill you, flying hacker laptops, and the dangers of hackers getting your genetic data.
But here's the good news. There's actually no need to be scared. Hacking and data breaches are real, growing dangers, but there are basic steps that can keep you generally safe on the internet, and we're going to tell you what they are.
There are a few things you need to know before we get into the details of this guide. First, there's no perfect security. If someone is really out to hack you, and they have the resources to do so, they will. Second, the most important thing to think about when thinking about staying secure online is something you probably haven't thought about before, and that is what data you're trying to protect and from whom. In hacking lingo that's called "threat modeling."
No one security plan is identical to any other. What sort of protections you take all depend on who may try to get into your accounts, or to read your messages.
Is your threat an ex who might want to go through your Facebook account? Then making sure they don't know your password is a start. (Don't share critical passwords with people, no matter who they are; if we're talking Netflix, make sure you never reuse that password elsewhere.) Are you trying to keep opportunistic doxers from pulling together all different types of personal information on you, such as your birthday, which in turn can be used to find other details? Well, keeping an eye on what sort of stuff you publish publicly on social media would be a good idea. And two-factor authentication (more on that below) would go a long way to thwarting more serious criminals.
But, overestimating your threat can go the other way: if you start using custom operating systems, virtual machines or anything else technical when it's really not necessary (or you don't know how to use it), you too can suffer. At best, even the most simple tasks might take a while longer; in a worse scenario, you might be lulling yourself into a false sense of security with all sorts of gadgets and gizmos, while overlooking what actually matters to you and your particular threat.
With that in mind, here's a few basic things you can do to prevent the most common threats online.
KEEP YOUR APPS UP TO DATE
Probably the most important and basic thing you can do to protect yourself is using up-to-date software. That means using an updated version of whatever operating system you're using, and updating your apps and software. Bear in mind that you don't necessarily have to use the latest iteration of an operating system, such as, say, Windows 10. (In some cases, even slightly older versions of operating systems still get patched. Sorry, that's not the case with Windows XP; stop using it!) What's most important is that your OS is still receiving security updates, and that you're applying them.
So if you come away with one lesson from this guide, it's this: update, update, update, or patch, patch, patch.
Many common cyberattacks take advantage of flaws in outdated software such as old browsers or PDF readers. By keeping everything up to date, you have a way lower chance of becoming a victim of ransomware, for example.
We all have too many passwords to remember, which is why people just reuse the same ones over and over. And even though our brains aren't actually that bad at remembering passwords, it's almost impossible to remember twenty or more unique and strong passwords.
The good news is that the solution to this problem is already out there: password managers. These are apps that keep track of passwords for you, automatically help you create good passwords, and simplify your online life. If you use a manager, all you have to remember is one password, the one that unlocks the vault of your passwords.
Intuitively, you might think it's unwise to store your passwords on your computer. What if a hacker gets in? Surely it's better that I'm keeping them all in my head? Well, not really: for most people's threat models, the risk of a crook taking advantage of a shared password on a website is far greater than some sophisticated hacker dropping a load of super-fancy malware onto your device. Again, it's all about understanding your own threat model.
And if your employer asks you to change passwords periodically in the name of security, please tell them that's a terrible idea. If you use a password manager, two-factor authentication (see below), and have unique strong passwords for every account there's no need to change them all the time—unless the website gets breached or your password is stolen somehow.
Having unique, strong passwords is a great first step, but even those can be stolen. So for your most important accounts (think your main email, your Facebook and Twitter accounts) you might want to add an extra layer of protection known as two-factor (or two-step or 2FA) authentication.
By enabling two-factor you'll need something more than just your password to log into those accounts. Usually, it's a numerical code sent to your cellphone, or it can be a code created by an ad-hoc app (which is great if your cellphone doesn't have coverage at the time you're logging in).
There's been a lot of attention recently around how mobile phones may not be suitable as 2FA devices. Activist Deray McKesson's phone number was hijacked, meaning hackers could then have the extra security codes protecting accounts sent straight to them. And the National Institute of Standards and Technology (NIST), a part of the US government that writes guidelines on rules and measurements, including security, recently discouraged the use of SMS-based 2FA.
The attack on Deray was low tech: It essentially involved getting his phone company to issue a new SIM card to the attackers. It's hard to defend against that, and there are other ways to get those codes sent via SMS, as text messages can, in theory, be intercepted by someone leveraging vulnerabilities in the backbone that carries our conversations. There is also the possibility of using an IMSI-catcher, otherwise known as a Stingray, to sweep up your communications, and verification texts too.
But apart from the trick of getting a new SIM card, these attacks are not trivial to pull off, not just because they might require specific hardware like Stingrays, but also because they are relatively expensive. Realistically, then, for the vast majority of people, SMS 2FA is still a robust security measure that does what it's designed to do: add an extra layer on top of a password that might get phished or otherwise stolen.
You could, if the website allows it, use another 2FA option that isn't SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator), or a physical token like a Yubikey. If that option is available to you, it's a great idea to use it. But it would be foolish to disregard SMS 2FA altogether, especially if you're not under targeted attack.
2FA is a great way to make it nearly impossible for average cybercriminals to break into your most important accounts. You can check out all the services that offer it and how to turn it on here.
DOs & DON'Ts
Don't use Flash: Flash is historically one of the most insecure pieces of software that's ever been on your computer. Hackers love Flash because it's had more holes than Swiss cheese. The good news is that a lot of the web has moved away from Flash so you don't really need it anymore to still enjoy a fully-featured and rich browsing experience. So consider purging it from your computer, or at least change the settings on your browser so you have to click to run Flash each time.
Do use antivirus: Yes, you've heard this before. But it's still (generally) true. Antiviruses are actually, and ironically, full of security holes, but if you're not a person who's at risk of getting targeted by nation-state hackers or pretty advanced criminals, having antivirus is still a good idea. Still, it's far from a panacea, and in 2016 you need more than that to be secure.
Do use some simple security plugins: Sometimes, all a hacker needs to pwn you is to get you to the right website—one laden with malware. That's why it's worth using some simple, install-and-forget-about-it plugins such as adblockers, which protect you from malvertising threats presented by the shadier sites you may wander across on the web. (We'd naturally prefer if you whitelisted Motherboard since web ads help keep our lights on.)
Another useful plugin is HTTPS Everywhere, which forces your connection to be encrypted (when the site supports it). This won't save you if the website you're going to has malware on it, but in some cases, it helps prevent hackers from redirecting you to fake versions of that site (if there's an encrypted one available), and will generally protect against attackers trying to tamper with your connection to the legitimate one.
Do use VPNs: If you're using the internet in a public space, be it a Starbucks, an airport, or even an Airbnb apartment, you are sharing it with people you don't know. And if some hacker is on your same network, they can mess with your connection and potentially your computer.
Don't overexpose yourself for no reason: People love to share pretty much everything about their lives on social media. But please, we beg you, don't tweet a picture of your credit card, for example. More generally, it's a good mindset to realise that a post on social media is often a post to anyone on the internet who can be bothered to check your profile, even if it's guessing your home address through your running routes on a site like Strava, a social network for runners and cyclists.
Personal information such as your home address or high school (and mascot, which is a Google away) can then be used to find more information via social engineering schemes. The more personal information an attacker has, the more likely they are to gain access to one of your accounts. With that in mind, maybe consider increasing the privacy settings on some of your accounts too.
Don't open attachments without precautions: For decades, cybercriminals have hidden malware inside attachments such as Word docs or PDFs. Antiviruses sometimes stop those threats, but it's better to just use common sense: don't open attachments (or click on links) from people you don't know, or that you weren't expecting. And if you really want to do that, use precautions, like opening the attachments within Chrome (without downloading the files). Even better, save the file to Google Drive, and then open it within Drive, which is even safer because then the file is being opened by Google and not your computer.
Do back up files: We're not breaking any news here, but if you're worried about hackers destroying or locking your files (such as with ransomware), then you need to back them up. Ideally, do it to an external hard drive while you're disconnected from the network, so that even if you get ransomware, the backup won't get infected.
GO OUT THERE AND BE SAFE
That is all for now. Again, this is just meant to be a basic guide for average computer users. So if you're a human rights activist working in a dangerous country or a war zone, or an organization building IT infrastructure on the fly, this is certainly not enough, and you'll need more precautions.
But these are common sense essential tips that everyone should know about.
Of course, some readers will leap at the chance to point out everything that may be missing from this guide, and we'd like to hear your feedback. Security is a constantly changing world, and what's good advice today might not be good advice tomorrow. Our goal is to keep this guide updated somewhat regularly, so please do reach out if you think we've got something wrong or are missing something.
And remember, always be vigilant!
Last updated on Nov. 25, 2016.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.