How To Stay Safe Online
The Internet can be a dangerous place. Criminal gangs steal and sell credit card numbers, and "crypto-locker" attacks take away all your personal data and demand payment to restore it. Email and Facebook accounts are hijacked, and on and on.
This page aims to be a "just enough" starting point. Basic, easy, important steps to improve security that everyone should use.
Yes, there are sophisticated and complex defenses, but start with these basics. I do consulting work and I write and teach training courses for U.S. government agencies and their contractors, but this page isn't for them.
Everyone needs to take the steps below. I have tried to put these in order with the most important first. The further you go through these suggestions, the better, but let's start with the most important and practical defenses.
Stay Up To Date
The most important thing for most people is staying up to date. So many hacks and data thefts wouldn't have happened if people had only kept their systems up to date.
Yes, it feels tedious to do routine maintenance like updating your system. Here's a cybersecurity insight:
Security and convenience are inversely proportional.
That is, to make one go up you usually have to make the other go down. The goal of security is to make things impossible (or at least really difficult) for the bad guys. However, there is often some "collateral damage". Security improvements can inconvenience the good guys.
Good news: you can automate your updates!
On Windows, go to:
Start > Control Panel > System and Security
In the Windows Update section, select "Turn automatic updating on or off" and turn it on. Problem solved: now your operating system will update itself automatically!
You can also check for updates and apply them manually. Below, we see a system where 5 updates are available for the Windows operating system itself, plus 5 more for the Office 2010 software suite.
Now we can apply the selected updates.
The Microsoft Windows update tool will update the Windows operating system and applications, but that's it. You will have to manually update added packages like the Chrome browser, Adobe Reader, Java, and so on.
I showed Windows updates first, but of course other operating systems have tools for manual and automated updates. Here is the Update Manager running on a Linux Mint desktop. It is going to update operating system components, user programs, and the third-party Chromium browser as soon as I click on the Install Updates button.
You can even use the Update Manager to upgrade your system to newer versions of the distribution. Just click the Edit menu and see if an upgrade is available.
This will eventually mean moving to a newer operating system, which may require you to buy new hardware. (See how insecure IE 6 on Windows XP would be.)
This is an annoyance, but it's necessary. Older systems simply don't have what we now realize are required security features. It's like how cars didn't have seatbelts even as an optional add-on until the late 1940s into the mid 1950s.
Don't try to be safe on the Internet using outdated systems.
Maintain Good Passwords
So now your software is all up to date. Now we have to deal with passwords.
As I said, I work in cybersecurity. If you really want to know how passwords are stored and analyzed, or even how to crack passwords, I have plenty of details on other pages.
But our goal here is "just enough" for the typical user to be safer on the Internet. What do you really need to know? It's time for another cybersecurity insight:
If one human can think up and remember a password, another human can guess it. This is especially so when the attacker uses ever-growing dictionaries along with a password-cracking program incorporating techniques that have been tuned and improved since the late 1980s.
So, the solution is to use highly random passwords that no person could possibly remember. Use a different password for every account. This is easy: Use a password manager. Have it generate arbitrarily long and random password strings. Copy and paste those crazy strings into graphical and command-line password interfaces.
You don't have to type the long and complex passwords. In fact, you don't even see what they contain unless you go out of your way to ask the password manager to show them to you.
KeePassX, the one I use, works on Linux, MacOS, Windows, BSD, Android, and Apple iOS, and you can copy its encrypted database from one platform to another to keep all your devices in sync. And, it's completely free. Other options:
- Free: LastPass, Encryptr, Mitto, Pasaffe, Password Safe
- "Freemium" (free for limited functionality, pay for all features): Dashlane, Enpass, Intuitive Password, Keeper
- Proprietary (you must pay): 1Password, mSecure, SafeWallet
- Built into the graphical desktop: Keychain (macOS), KWallet (Linux, BSD), Seahorse (Linux, BSD), Revelation (Linux, BSD)
These tools store everything in an encrypted database, and so you have to enter a master password to decrypt and access the database (more on this below). That way, if you lose or someone steals your smart phone or tablet or laptop, no one has access to your password and PIN database.
Here's what KeePassX looks like on a computer. There's a much simpler view on a smart phone.
I can create new categories and sub-categories. Then I can move one of the entries to another location with simple drag and drop.
In the example below I went into the Financial area and created a new entry. I asked it to generate a random password. I can make that longer or shorter, and I can select the character classes it uses. Normally the password contents are hidden; here I have clicked on the "eye" buttons to show what it has done.
You can also make an entry that exists just for the "Notes" area. I have one named "Credit Cards" that has the number, expiration date, CVV number, PIN, and the 24-hour customer service telephone number for each of my cards. The "Username" and "Password" fields are empty; the data is all down in the "Notes" field.
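To show what the "generate a random password" button in a manager is actually doing (draw every character from the operating system's cryptographic random source, honour the character classes you selected, and give you a length you could never memorize), here is an added example. It is my own illustration, not KeePassX's code; the symbol set and the cracking rate used for the time estimate are assumptions.

```python
import math
import secrets
import string

# Character classes a manager lets you switch on and off. The symbol list is an
# assumption of this example; KeePassX's own default set may differ.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 24, classes=ALL_CLASSES) -> str:
    """Draw each character from the OS CSPRNG (`secrets`, never `random`), and
    retry until every selected class appears at least once, like a manager's
    "require every class" option."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CHARACTER_CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARACTER_CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Entropy of a uniformly random string of `length` over the chosen alphabet.
    This is what a human-chosen sentence lacks: its words are not uniform."""
    alphabet_size = sum(len(CHARACTER_CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every string with that much entropy. The default
    rate is a constructed round figure for a fast hash; tune it to your threat."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"{entropy_bits(24):.0f} bits", f"{years_to_exhaust(entropy_bits(24)):.2e} years")
    print("digits-only PIN:", generate_password(6, ("digits",)),
          f"{entropy_bits(6, ('digits',)):.1f} bits")
```

Run it a few times: the 24-character password changes every run, while a 6-digit PIN stays under 20 bits, which is why the PIN must be paired with a lockout on the phone or card.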
As for website passwords, both Chrome and Firefox include password managers. You can ask your web browser to remember your passwords for sites. If you do that, set a master password. Unless, of course, it's on a computer you never take out of your house, and you trust everyone in the house.
Nothing is perfect
A password manager doesn't eliminate the security risk, it changes it.
Now there is one master password which you must enter to access the collection of stored passwords. That master password must be adequately strong.
What does "adequately strong" mean? Well, that depends!
In order to try to guess your master password for either a password manager like KeePassX or your browser, the attacker must have physical access to your computer, or be able to run hostile programs on it.
If you're careful about "malware" or malicious software, as I'll explain below, all we need to worry about is the physical access, and so...
Especially if you are trying to protect your privacy and/or personal identity from a potentially jealous or suspicious spouse or lover, or from dangerously curious children or siblings or parents or roommates, or any other threat with access to your devices, realize that the master password for your password manager or browser is truly the master key to everything.
My advice for do-it-yourself password design
Let's say you share a home with nosy people. You need a strong master password, one that you can remember but someone else can't guess even with high-speed password cracking software.
Think of a sentence. You have to remember this sentence, but no one else should be able to guess it. So do not use your personal slogan or a quote from your favorite movie or TV show or music or literature or scripture or anything that someone who knows you or knows about you would ever guess. Good luck with that.
Convert each word of the sentence to a character (or a few). Make some of them digits, or punctuation marks, or just drop the vowels. You can easily generate and remember a very complicated password. Something like this:
Sentence: I like to explain things to people.
Beware: password-cracking software tries combinations of two or three words with the vowels dropped, so don't rely entirely on that. Replace some words with "sound-alike" characters: "2" instead of "to" or "two" or "too", "@" instead of "at", and so on. Replace some letters with "look-alike" characters: "3" instead of "E", "5" instead of "s", "!" instead of "i", and so on. Maybe something like this:
Sentence: Superman, not Clark Kent, says "Up, up, and away!"
Don't lock yourself out!
If you forget your password or delete your only copy of the database, you lose access to everything.
Keep a backup copy of the password database. I keep copies of my KeePassX file on my main desktop computer at home, and on my laptop, and on my smart phone. That way I don't have to go find the other device or wait until I get home to access sensitive data. And, if one device is damaged or lost or stolen, I still have all my passwords.
Record your master password somewhere. Or, if you're thinking up individual passwords yourself, record all of them somewhere (but why not use a password manager?). Depending on your situation, it might make sense to record your personal master password at your workplace. Or, on a slip of paper you keep with your cash.
A student in a class I once taught worked at the CIA. They were instructed to keep one-time password lists with their cash. Nothing is perfect, but you tend to be most careful with your personal cash, so your wallet or purse is probably the least dangerous place to keep something.
Separate your identities
Now that you have a tool that can generate and maintain highly complex passwords, take advantage of it. Use a different password on every site.
Or at least for the sites that matter.
Sure, if the local newspaper requires that you "register an account" with your email address and a password just to see the local weather forecast, use " as your silly password on that silly site.
But if a site has any security or identity issues or sensitivity, use your password manager to generate and remember a complex password for it.
Be especially careful with your primary email identity. We have, perhaps unintentionally, drifted into this situation where your primary email address is the key to all your identities — the "recovery address" for various websites, for your utility payments, your health insurance, your bank accounts, and so on.
Should I change my passwords every 90 days? 60? 30?
Don't bother changing your passwords every so often.
I have much more detail here and here. The short version: In the early 1970s, some U.S. Department of Defense contractors estimated, based on some back-of-the-envelope calculations and guesses about Soviet computing technology of the era, that monthly changes would be helpful. Their wild guess became fossilized as U.S. government policies.
Policy is slowly becoming more reasonable.
The Chief Technologist for the U.S. Federal Trade Commission recently wrote about how mandatory password changes are harmful. I have links to more evidence here. Studies have shown that policies that enforce password change lead to weaker passwords.
Meanwhile, the author of the U.S. government policy dictating password complexity requirements has now admitted that he really wrote that guidance without knowing much about information security or how passwords work. See the articles in the Wall Street Journal and Gizmodo.
- Use a password manager.
- Use it to generate your passwords, each one a long jumble of all character types.
- Have a unique password, a different complex jumble, for every account.
- Copy-and-paste them into place, they will be hard to type accurately.
- Generate and remember a strong master password with my sentence trick above.
- Change one when you have to.
Never Sign In On Shared Computers
Never sign in to any account on a computer you do not own, especially those in hotel lobbies or other public settings.
Seriously. Just don't.
Using the above advice about password managers, you should have your many accounts compartmentalized, each with its own unique and complex password. But...
Shared computers are frequently infected with key-logging software that collects all account identities (typically email addresses) and passwords and sends them to criminal gangs. You don't want to give away bits and pieces of your collection of accounts, even the "less important" ones.
Sure, use the hotel's computer. Check the weather forecast. Print out Google maps or Wikipedia explanations of what you're going to see in your day's explorations from the hotel. Just don't ever sign in to any account from a shared PC in the hotel lobby.
See the "Road Warrior" section below for how to safely sign in when you're away from home.
Email and Browse Safely
So your software is up to date, your passwords are impractical for anyone to guess, and you have unique passwords for every account that you easily access with a password manager. Now you're ready to get on the Internet!
This isn't nearly as important as other items on this list, but it sure seems to me that a standalone mail program has multiple security advantages over web mail, which is to say viewing your mail in a web browser.
Personally, I prefer Thunderbird for reasons of both security and ease of use. Alternatives include SeaMonkey and Mailbird.
Yes, there is Microsoft Outlook, but its history of security and interoperability problems makes me very leery. I suppose standalone email with Outlook is a little better than web mail with Explorer, but you can do better than either.
It is safer to view email in plain text mode. There are exploits that only work when you view email as HTML.
The problem, however, is that many organizations simply do not send messages that you can make any sense of without HTML viewing turned on. This is especially so for corporations communicating with their customers.
Depending on how you use email, plaintext message viewing may be impractical.
Of course, keep your browser up to date! As I mentioned above, your browser updates may be separate from the operating system itself. So, set up automatic updates on your browser.
- Updating Google Chrome
- Updating Mozilla Firefox
Learn how to "read" and understand your browser window. Learn how to make sense of the URL, what's in the box near the top of the browser window, the address of the page you're looking at. Also pay attention to the URLs you see at the bottom when you hover over a link.
Be careful about clicking on links on pages you don't have reason to trust, and especially in email from people you don't know.
Completely clean up after banking
When you finish your session of on-line banking (or any similarly sensitive activity), click the "Logout" button and also terminate all your browser tabs and windows. Don't just minimize the window, click the "X" in the upper right corner and end that browser session.
This is one of those inconveniences we unfortunately need in order to be safe online.
Learn to be safely skeptical
If it's "Too good to be true", then it isn't true.
Take this "Phishing IQ Test". They show you a series of email messages and ask you to select "Legitimate" or "Phishing" (that is, a scam) for each.
Then the best part is that they show your score, and they explain the tell-tale warning signs for every example.
Also see the overview from PayPal and the additional quiz from the Washington Post.
- SonicWALL Phishing IQ Test
- PayPal: Recognize fraudulent emails and websites
- Washington Post phishing quiz
Many people seem to use Facebook and other social media for nothing but forwarding hoaxes. Use the Snopes.com site to find the truth.
Don't install Flash
Adobe, the company that makes it, has given up on Flash.
It seemed important in the early 2000s, but starting about 2007 video for the web started moving away from it.
Much of what you now see about "You must install Flash to view this content" is actually an attempt to trick you into installing malware instead.
Be Careful On Social Media
Everything you post on social media sites is now out of your control and it belongs to the social media companies.
Oh, you might be able to delete it or change it some of the time. But generally speaking, all of your postings belong to the social media company, who is free to sell it or repost it or do whatever they want with your data.
It gets worse.
The more you post on Facebook and other social media sites, the easier you make it for criminal gangs to steal your identity. Most Facebook users share information that makes it easy to answer the "security questions" used on many websites. Criminal gangs automatically download and analyze Facebook content to figure out who knows who and what interests they share. They then use that to generate convincing scam emails.
When you give Facebook access to your contact list, they sell it to marketing companies. Then the "People you may know" suggestions expose sensitive information:
- Medical and psychiatric history
- Family secrets
- Other sensitive information
Avoid Viruses and Other Malware
Make sure that any anti-virus software is enabled, and that it is constantly updated.
The Windows operating system itself now includes Windows Defender, which you should definitely have turned on.
Good free anti-virus / anti-malware software includes the following:
- Avira
- AVG
- Avast!
- ZoneAlarm
- ClamAV
- ClamXav
ZoneAlarm incorporates spyware detection and
As for non-free products, I have been very impressed with Kaspersky products. I would use Kaspersky anti-malware software on my personal machines if they ran Windows. I use Linux almost exclusively, rendering this moot for myself.
The Kaspersky Rescue Disk lets you safely boot and clean infected Windows systems that can't be cleaned with the normal tools.
Protect Your Files
There have been a lot of "crypto-locker" attacks, some of which take the form of "scareware" or "extortionware". Generally speaking, the exploit goes like this:
The user wanders into a bad corner of the Internet using an unpatched browser. Remember how I told you to update everything earlier? (See my investigation of a "Police Scareware" or "Extortionware" attack.)
They were enticed to look at the page through some clickbait about a funny video, or something amazing, or, most often, promises of porn. The page may have actually contained a funny video, or a cute animal, or an embarrassed cheerleader, or naked people, but it also included some malware that took over their unpatched browser or video player.
The malware then encrypts or deletes all their data.
There goes every picture and every video and every file they have. Every priceless picture and video and message from loved ones. All of their work.
All they have left is a message in somewhat broken English claiming that if they pay a few hundred to a few thousand dollars to some account in far eastern Europe, they may be able to get their pictures and videos and messages and work back again.
If they simply had made backups, this would only be a minor annoyance.
The critical detail here is to keep your backups off-line, not connected to your PC that gets infected by the malware and then immediately encrypts or deletes everything that it can find.
Copy your valuable data onto an external disk, and store that disk in a fireproof box.
How often should you do this? Do it once a year if you figure you can stand to lose the past year's data. More often to further limit loss. I keep duplicate copies of important data (pictures, work documents) on my desktop and laptop, and then I copy everything to the external disk every 6 or 12 months.
It's pretty easy and cheap to use an external disk and a fireproof box.
There are a lot of cloud storage services for backup. These are more complicated, really beyond the scope of this page.
Don't rely on free cloud storage offered by your Internet service provider. That might work out just fine, but there have been a lot of examples of companies that offered free or extremely cheap online storage, only to take it away with very little notice.
Also notice that Windows has an easy interface for backing up data.
Don't Fall for Scams
Popup messages warning you about malware are scams.
Do not click to "download antispyware", do not click to "update Windows antivirus", do not call the phone number.
These are just as bogus as the phone calls claiming to be from Microsoft or your ISP. They want you to install spyware or give them your credit card number.
Hang up and ignore these.
Be a Cautious "Road Warrior"
First, as mentioned above, never sign in to any account on a shared computer in a hotel lobby.
Second, realize that hotel networks, wireless or wired, are entirely insecure. Yes, there is an illusion of security as you have to enter a password or PIN for the router to forward your packets.
But this is just a "captive portal" system. All it accomplishes is to make the hotel's liability lawyers happy, and optionally, to increase revenue if you have to pay for the access. There is absolutely no security for the user in a hotel network. Anyone else in the hotel could be capturing all your data, including passwords and data content.
Only use a hotel network for entirely non-critical traffic (browsing random websites) or for communication that you are encrypting end-to-end through a corporate VPN (that is, a Virtual Private Network), or SSH, or a carefully configured TLS connection.
Travel provides more opportunities for losing your electronic devices. See below for how to protect data stored on phones, tablets, and laptops.
Advanced topic: see how a $25 per night hostel has far better network security than a business hotel costing at least ten times as much.
Even more advanced topic: you could carry an entire virtualized computer on a USB stick.
Protect Your Smart Phone or Tablet
Set up a strong PIN for identifying yourself when you talk to your provider. There is a class of attack where the criminals transfer your phone to a different provider. That's the first step in taking over your number, so they convince your bank that they are you.
Set up as long a PIN as you can, making it a random number that has nothing to do with your bank PIN or other authenticators. Again, use a password manager to generate and remember this for you.
Set up a screen lock. A PIN is best. Look in the Settings menu on either Android or iPhone.
The pattern you draw with your finger? Unless you are meticulous about cleaning your screen and replacing the screen protector frequently, anyone can see how to unlock the phone from the finger smudges just by holding it up to the light.
Face recognition sounds fantastic, but so far it's only so-so in performance. It has significant false reject (locking you out of your own phone) and false accept (letting someone in because they're "close enough") error rates.
Make sure that you have to enter the PIN to get into the phone immediately after turning it on. You don't want someone to bypass the lock by just turning it off and then back on again.
A second line of defense to consider would be to encrypt its storage. I don't, because I don't use my phone for email and I don't store any sensitive data on it. Yes, I use the KeePassX password manager, but remember that it stores its database in encrypted form.
But if you store any sensitive data on your phone, and this might include pictures (and please don't tell me the details of your pictures you don't want anyone to see), you should encrypt the phone's storage.
Be careful about installing apps. This is especially so on Android, where there is less checking, but malicious apps have sneaked onto the iPhone at times as well.
And, of course, install all updates for your phone's operating system and your apps.
Maybe Encrypt Your Laptop
Finally, consider your threat environment. What do you store on your laptop? (Don't forget about email messages.) And how likely is it that someone will steal your laptop, or otherwise try to access data stored on it?
You might want to encrypt your laptop's disk. However, this makes periodic backup much more important.
Microsoft has BitLocker, MacOS has FileVault, and Linux supports a variety of disk encryption systems.
Maybe Go Further
You can set up Two-Factor Authentication. That means that it requires something you know (a password) and something you have (your phone). Several web sites now allow you to set up two-factor authentication (or 2FA) so that when you try to log in, they ask for your password and a code they send to your phone as a text message.
There are also 2FA apps for smart phones.
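An added example of what those 2FA apps do, written by me for this page and not taken from any app: the phone holds a shared secret (the QR code you scan) and computes a time-based one-time code from it (HOTP, RFC 4226, driven by the current 30-second window, RFC 6238), which the site recomputes to check. The secret below is the RFC test key written in the base32 form apps use, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example: the RFC 4226 / RFC 6238 test key "12345678901234567890",
# shown the way an authenticator app receives it (base32). A real secret comes
# from the site's QR code and must be kept as secret as a password.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32_secret: str) -> bytes:
    """Turn the base32 string from the QR code into raw key bytes (re-pads it)."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    "dynamic truncation" picks 4 bytes from an offset given by the last nibble."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second windows
    since the Unix epoch. The phone and the site only need the same clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, digits: int = 6,
                step: int = 30, drift: int = 1) -> bool:
    """What the site does with the code you type. Accept `drift` windows either
    side to tolerate clock skew, and compare in constant time. A real server
    must also remember the last accepted counter so a code cannot be replayed."""
    base = unix_time // step
    for counter in range(base - drift, base + drift + 1):
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True
    return False


def current_code(b32_secret: str = EXAMPLE_SECRET_B32) -> str:
    """The six digits the app would show right now for this secret."""
    return totp(decode_secret(b32_secret), int(time.time()))


if __name__ == "__main__":
    print("code right now:", current_code())
```

Scanning the same base32 string into a phone app would display the same digits as `current_code()` at the same moment, which is the whole mechanism: no code is sent over the network, so a text-message interception or SIM transfer (the attack described above) does not help an attacker.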
Ask your bank what two-factor authentication they support for on-line banking.
To go deeper into hardening Windows, see "Windows Security From The Ground Up".