I would like to give some tips on getting cyber protected. Over time, I accumulated some knowledge, and I think it’s worth sharing because it’s very important, and ignoring it may cost you a lot. What do you think holds more sensitive information about you: your house or your digital cyberspace (your computer or phone)?
This is intended for an average person looking to upgrade their everyday techniques to the next level without compromising their comfort and ease of logging in.

1) Analyze Your Most Vulnerable Websites.
Create a list of the most important services on which your life depends: for example, your private email account, cloud storage, banking, and social media with private messages. Make sure you upgrade the security of those services.
2) Use a Password Manager
Use a password manager to generate and store your passwords. An example of a generated password is "%t&87&pQHrR@38sjXXFC&ghEnRqM8*3AZoVojkuWvWMk7aTE^Ub&rCV8Vf". This is not something you can or want to remember or type in manually; you leave it to the password manager.
For the highly important passwords such as your personal email, you may choose to store this long password in the vault, and then you append a secret identifier when you log in. That way nobody knows the full password if the password manager is compromised in any way because of a leaked master password. For example:
- Stored in the password manager vault: Mk7aTE^Ub&rCV8Vf
- Your secret identifier stored in your mind: 12345
- What is needed to log in: Mk7aTE^Ub&rCV8Vf12345
Two highlighted password managers for personal use:
- 1Password: Most reputable on the market, with a subscription fee.
- Bitwarden: Popular on the market, with freemium and premium plans. It’s open-source, which is amazing. I currently use this password manager.
These password managers are well integrated with your phone and your browser through extensions. Use them with 2FA.
3) Use 2FA (2-Factor-Authentication) where possible.
If someone gets ahold of your password, you are screwed. 2FA is the easiest way to protect against hackers because it is much less likely that they will have both your password and your unlocked mobile device.
- If you are using Google Authenticator (the most popular on the market), make sure you back up all the tokens. The app now allows you to export them. Save and store them in a safe place.
- Avoid using SMS text messages as your 2FA if you have other alternatives. SMS messages are the easiest to intercept in some corrupt countries. An attacker will have to clone a SIM card with your phone number. Also, free third-party anti-spam plugins on your phone that access your SMS compromise your 2FA because you cannot trust them. And if you are travelling and your number is changing, then SMS 2FA is not practical at all.
- There are a lot of 2FA apps emerging on the market.
- Remember any type of 2FA is better than none.
It still makes no sense to me how some major banks in Canada still in 2021 do not use 2FA for clients to log in! HUH?!!!
4) Do not use Public Wi-Fi without a VPN
Do not use public Wi-Fi without a VPN because your connection can be intercepted with a Wi-Fi packet sniffer. HTTPS does encrypt your connection, but the fact that you are using public Wi-Fi creates a security concern.
5) VPNs do not Guarantee Anonymity
VPN providers do log information about your session and your device. There is no such thing as the "no-log policy" that VPN providers falsely advertise. It’s a marketing sham, and they lie when they say "no-log policy" because in the user agreement they actually say exactly how they are using your session information to enforce the rules. If you want to stay truly anonymous, you cannot rely on a VPN alone.
6) Check for Email being Part of Known Data breaches
Check whether your email has been part of known data breaches. The website Have I Been Pwned will show you such data breaches: https://haveibeenpwned.com/
7) Checking Rainbow Table (for tech-savvy players having a good Friday night time :D).
Check whether any of your obvious passwords are part of the rainbow table. A password manager does that for you automatically.
For example, the password 12345 generates the SHA-256 hash 5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5, and you would need to check that hash in the public rainbow table. In this particular example, the hash exists in the rainbow table, and it is reversed back to the original “12345”. Do not generate a hash of your passwords through online websites because they may/will be automatically added to the rainbow table :D. If you want to check if hashes of your standard passwords are floating on the internet, you need to generate the hash locally on your device and then check the hash on the rainbow table.
Here is an open-source local program that can generate hashes on your device if you want to play around. QuickHash: https://www.quickhash-gui.org
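The local-hashing step from tip 7 can also be scripted. This is an added example, not part of the original post or of QuickHash: it hashes candidate passwords on your own machine and compares them with a list of digests you have already saved locally. The function names and the sample list are constructed for illustration.

```python
import hashlib
import string

def sha256_hex(password: str) -> str:
    """Hash locally; the plaintext never leaves this process."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_hash_list(lines):
    """Parse a locally saved list of SHA-256 digests, one per line.

    Blank lines, '#' comments and anything that is not exactly 64 hex
    characters are skipped; digests are lower-cased before comparison.
    """
    known = set()
    for raw in lines:
        token = raw.split("#", 1)[0].strip().lower()
        if len(token) == 64 and all(c in string.hexdigits for c in token):
            known.add(token)
    return known

def exposed(passwords, known):
    """Return the passwords whose digest appears in the local list."""
    return [pw for pw in passwords if sha256_hex(pw) in known]

# Constructed sample list (not a real dump). The first digest is the
# SHA-256 of "12345" quoted in the text, written in upper case to show
# that case differences do not hide a match.
SAMPLE_LIST = """\
# constructed sample
5994471ABB01112AFCC18159F6CC74B4F511B99806DA59B3CAF5A9C173CACFC5
0000000000000000000000000000000000000000000000000000000000000000  # placeholder
not-a-hash
""".splitlines()

if __name__ == "__main__":
    known = load_hash_list(SAMPLE_LIST)
    candidates = ["12345", "Mk7aTE^Ub&rCV8Vf"]
    hits = exposed(candidates, known)
    for pw in candidates:
        status = "FOUND in list" if pw in hits else "not in list"
        # Print only a digest prefix, never the password itself.
        print(f"{sha256_hex(pw)[:12]}...  {status}")
```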
For Laptop Owners
8) Encrypt Your Laptop Drive
Make sure your disk storage is encrypted. If you lose your laptop or it gets stolen, a bad person can access all your confidential files without knowing the password to your operating system account. They just need to take the drive out of your laptop and connect it to a Linux system, and your whole life is in the hands of the bad guys. Encrypt your disk partition. macOS and Windows allow and encourage having encrypted drives.
9) Truly Erase your Drive before Selling your Computer (Deleting to Zero)
Do not ever sell your laptop or storage disk on Craigslist unless you are willing to clean it up properly. When you “delete” something on your hard drive, it doesn't actually get deleted; it can be recovered with data recovery utilities. What you need is to format your drive to zero, and that takes more than 10 seconds. Truly formatting the drive may take a few hours, depending on the capacity and write speed of the drive, because essentially you are writing an array of zeros (or ones) to the drive. Yes, this removes your operating system, and you may need to reinstall the system from scratch before selling the computer. For macOS, you need to go into recovery mode and perform this action from Disk Utility. For Windows, you have to do it from a bootable USB if there is no recovery menu available on your computer. If your drive was encrypted to begin with, that helps the case.
10) Do not share your System Password with Repair Shop
Do not disclose your system password when you give your laptop for repair in some locations. Whatever reason they give for handing over your password, just don’t. They don’t need it to fix hardware on the computer. If they really need to access the system account, just create a Guest user on the spot. On Windows, with the system password, they can go into your browser and see all your Google Chrome passwords. On macOS, with the password, they can go into the keychain and see all your iCloud passwords and Google Chrome passwords. Crazy!
For Phone Users
11) Avoid Typing Your Phone Password in Public Places.
All it takes is one HD CCTV video camera to capture the phone password that unlocks everything. For iPhone users, the phone password unlocks the iCloud keychain for Safari in Settings, so anyone who holds your iPhone and knows your password can see all your saved Safari passwords. Try to use Face ID or Touch ID as much as possible in public places.
Browser Stuff
12) Time to Switch to Brave


If you are fed up with Google Chrome’s tracking policies, it’s time to go for an open-source browser. My choice is Brave browser. It is user-friendly, and it is based on the open-source fork of Google Chrome, which allows you to install the exact same extensions that you use on Google Chrome. Brave inherently blocks all ads, and it removes the trackers that follow you on the web.
Brave has the ability to integrate a crypto wallet natively for payments, and Brave can earn you rewards for viewing ads if you choose to.
Brave also natively supports Web3.0 for decentralized domains.
13) Avoid Google Chrome Saved Passwords
Do not store your passwords in the Google Chrome native password manager. Very bad bad practice. I was guilty of storing my own passwords there before. The problem is that all your passwords are linked to your Google Account. If your Google Account is compromised, your entire life is compromised. Also, when you log in with your Google Account in Google Chrome at work, your Google Account keychain will be stored on the computer. It all comes down to this: whoever has access to your Windows corporate account also has access to your Google Chrome passwords if you logged in.
14) Here is what will happen if your email is compromised:
- All your confidential emails are now exposed (obviously). Remember that day when you sent your SIN to HR, or the day when you sent your immigration documents, tax documents, bank documents, or other confidential stuff through email? All that is compromised.
- The hacker will go through a bunch of other critical services and will reset your passwords everywhere on social media. But how do they know my security questions? Well, having an open lifestyle comes with expenses. All the hacker needs is to collect enough information about you from public sources to impersonate you.
- If your Gmail is compromised, then your other passwords from Google Chrome are also compromised. A hacker will be on you nonstop to retrieve/download all information about you before you realize something happened.
15) Here is what will happen if your iCloud is compromised:
All your contacts, notes, browser stuff are compromised. Do you remember the day when you wrote down something confidential into your Notes app? It’s all compromised. Your photos are potentially compromised.
Once the hacker breaks through one of the most important gates, it becomes easier to break through the second gate because they know more about you.
For Extremely Confidential Passwords
16) Diversifying the Storage
If you are storing an extremely confidential password or seed phrase, do not keep it on the computer or in any of the password managers.
What you need is to break down the password into 3 pieces: A-B-C.
You need to find three people you trust and give them the following pieces: A-B to the first person, B-C to the second person, and C-A to the third person. That way you need any 2 of the 3 people to reconstruct your original password.
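The A-B / B-C / C-A scheme from tip 16, as an added example that is not part of the original post; the function names and the sample secret are constructed. It rebuilds the secret from any two shares, rejects a pair whose overlapping piece does not match, and reports how many characters each single holder is still missing.

```python
from itertools import combinations

LABELS = ("A", "B", "C")

def split_secret(secret: str):
    """Cut the secret into pieces A, B, C and return the shares A-B, B-C, C-A."""
    n = len(secret)
    if n < 3:
        raise ValueError("secret too short to cut into three pieces")
    i, j = n // 3, 2 * n // 3
    piece = dict(zip(LABELS, (secret[:i], secret[i:j], secret[j:])))
    pairs = (("A", "B"), ("B", "C"), ("C", "A"))
    return [{x: piece[x], y: piece[y]} for x, y in pairs]

def reconstruct(share1: dict, share2: dict) -> str:
    """Rebuild the secret from two shares; reject inconsistent or insufficient input."""
    merged = dict(share1)
    for label, value in share2.items():
        # The piece both holders have must be identical, otherwise one
        # share was mistyped or altered.
        if label in merged and merged[label] != value:
            raise ValueError(f"piece {label} differs between the two shares")
        merged[label] = value
    missing = set(LABELS) - set(merged)
    if missing:
        raise ValueError(f"missing piece(s): {sorted(missing)}")
    return "".join(merged[label] for label in LABELS)

def chars_unknown_to(share: dict, total_length: int) -> int:
    """How many characters of the secret a single holder does not have."""
    return total_length - sum(len(v) for v in share.values())

SECRET = "alpha-bravo-charlie-delta"  # constructed sample, not a real secret

if __name__ == "__main__":
    shares = split_secret(SECRET)
    for s1, s2 in combinations(shares, 2):
        assert reconstruct(s1, s2) == SECRET
    for holder, share in enumerate(shares, start=1):
        print(f"holder {holder} has pieces {sorted(share)}, lacks "
              f"{chars_unknown_to(share, len(SECRET))} of {len(SECRET)} characters")
```

Each holder already has two of the three pieces, so the longer the full secret, the more characters a single holder is missing.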
Summary:
- Use 2FA where possible,
- Use a password manager for hot passwords,
- Improve security for critical websites.
I hope you had a fun time reading it, and hopefully, you decided to act on those tips.