Staying Secure in 2021
David E. Weekly
Head of The Lab @ Capital One | Redwood City K-8 Trustee | Product Executive | Commercial Pilot | Board Director
How can you make it less likely you’ll be hacked? Only a fool would describe any setup as “hacker proof”, but every meaningful effort to adopt best practices closes off holes that would otherwise make you an easy target.
Secure your personal and business profiles alike and it’s much less likely that you’ll suffer identity theft, have to deal with annoying ransomware, or find your bank account unexpectedly empty.
I’ll walk you through some specific and actionable things you can do to help keep your private information private and the hackers at bay.
1) Use trusted hardware. As far as I can tell, only Apple, Google (with Pixel & Pixelbook), and Samsung (with Knox) do a reasonable job at a “hardware root of trust” on their devices. This means a chain of trust: code fixed into the chip at manufacture verifies the firmware before running it, the firmware verifies the operating system, and the operating system only loads the applications you want. If you’re using a random-brand Windows laptop or Android phone, you’re starting off from a less secure stance.
2) Use trusted software. This is probably most important for your browser. Google Chrome is a good choice. Safari and Firefox are also probably decent choices.
3) Stay up-to-date. Any time there is a new production (not beta) release of the browser or operating system, update right away. If it can be configured to auto-update, make it so.
4) Pick good passwords. Use unique, machine-generated passwords for every account. Any time you create a new account that needs a password, have a password manager generate it for you; 1Password, LastPass, Chrome’s built-in password manager, and Apple’s built-in iCloud Keychain are all reasonable answers. Even better, use “Log In With Google” (or Apple) style sign-in when it’s available. I have very seriously locked down my personal Google account, so logging in with it gives me ease of use while making it pretty hard for a hacker who hasn’t gotten into my Google account (which is hard) to log in as me on a service. The flip side is that this one account becomes the key to everything else, which is why items 5 and 7 below matter so much.
5) Use a second factor to authenticate. Ideally, use a security key. Buy a pair of security keys (either YubiKey or Google Titan). Enroll both, put one in a home safe or in the care of a loved one, and keep the other with you. This makes it MUCH harder to phish you: the key signs a login challenge that is bound to the website’s real address, so a lookalike site can’t get a response the real site will accept, and a stolen username and password alone aren’t enough. If your favorite service doesn’t support security keys, use an authenticator app such as Google Authenticator; its codes can still be phished by a site that relays them in real time, but they can’t be intercepted at the phone company. Only if neither is available should you use SMS as your second factor; it’s shockingly easy to take over someone’s phone number and use it with your password to get into your account (see item 8). Given that it’s 2021, you should treat with distrust any service that doesn’t let you add a second factor of authentication.
6) Be cautious of the plugins and system software you install. Over time, bloat can build up. That scanner you used once three years ago for which you had to install a proprietary driver to get running? Probably should remove that. Every other year, consider carefully backing up your data and doing a factory reset to reinstall the universe from scratch. It’s quite effective at extending your computer’s lifetime — and your storage space! Make sure that important documents are stored on a secure cloud service you trust like Dropbox, iCloud, or Google Drive. That way if your device eats it, you still have a way to access your files. This lets you be much more cavalier about reinstalling everything.
Conversely, DO install a small, carefully-reviewed handful of defensive plugins and software; uBlock Origin will make your browsing faster and more secure and Bitdefender Shield will help keep an eye on apps running on your system.
7) If you use Google services at all, consider enabling Advanced Protection Program. It’s amazing that this is free. See https://landing.google.com/advancedprotection/ — you’ll have to enroll two security keys and you will lose the ability to get into your account in other ways.
8) Lock down your phone number to make SIM-swap (port-out) attacks more difficult. Contact your carrier and disable SIM porting (if you’re on Verizon, open the My Verizon app and enable Number Lock). Add a dedicated account PIN with the carrier too, one you don’t use anywhere else.
9) Use end-to-end encrypted messaging. Signal works well for this. You can even use Facebook Messenger’s Secret Conversations mode. Turn on disappearing messages by default; if it’s for the permanent record it should be in email, anyhow. SMS messages are effectively plaintext to your carrier and to anyone who can intercept them: never send a password over SMS! Regular phone calls are likewise not end-to-end encrypted. Do calls on end-to-end encrypted platforms like FaceTime or Signal when possible. They’ll also generally sound better since you’ll get wideband audio.
10) Don’t assume anything about an inbound caller based on the number they are calling from. It’s still easy to spoof caller ID. Never click a link sent to you over SMS unless you were expecting it as part of an exchange you started. Any entity calling you with an automated robocaller is fake; that’s not the IRS. The IRS will send you a letter when they are grumpy at you.
11) Keep your other devices’ firmware up to date! Know how to check the random things in your house for updates: your modem, your router, your printer, your TV. These are common weak spots where OLD, long-since-fixed vulnerabilities linger and get exploited. Set everything to auto-update if you can.
12) Hardwire everything. If you can plug it in to an Ethernet hardline, you probably should. A wired link can’t be sniffed or jammed from outside your walls, and you also get lower latency and jitter, higher speed, AND more free airtime for the devices that don’t have an RJ45 port. Get a USB-C/Thunderbolt to gigabit Ethernet adapter for your laptop.
Thanks for posting!
Innovation at Ringover
3 years ago: Excellent. "Nothing is hacker proof" but it is also up to us to be proactive in securing our accounts.