Are you worried your ex might have invaded your Facebook account? That your
computer is being held hostage by ransomware? Or that hackers are pillaging your
bank account?


This manual explains how to protect yourself from hackers, in layman’s terms.
Six professional hackers 👨‍💻 helped create this guide.

Watch Your Hack doesn’t guarantee complete and total safety. Such a thing
doesn’t exist on the internet. You can, however, make life as difficult as
possible for hackers and viruses by using these tips.

Now, before we start: don’t go cowering behind your computer. The chances of a
hacker targeting you in particular are very slim. Most dangers stem from the
fact that many people lack general knowledge about the internet and computers,
which can be exploited. So let’s get you up to speed with the most important
information. 👍


WHAT ARE HACKERS



Hackers generally exploit vulnerabilities on the internet or in the devices we
own. There are roughly two kinds of hackers: white hat and black hat. White hat
hackers 🤠 seek out (and sometimes publish) vulnerabilities to get companies to
fix them, making the internet a little bit safer, one discovery at a time.

When the media covers hackers, it’s usually black hat hackers 😈. The kind
without good intentions, who might be looking for ways to steal money or gain
access to devices to spy on people. They could also be interested in sensitive
files, such as nude pictures or a copy of your passport.

There are also hackers who try to gain access to other people’s devices for,
well, fun. These (mostly young) people think of hacking as mere mischief. They
should still be taken seriously though, despite their seemingly innocent
motives.

Finally, some hackers work on behalf of governments. Hackers employed by secret
services 🕵️ or the police 👮 are the most dangerous kind, but pose no threat to
most people. They usually hack terrorists, criminals and hostile regimes.


HOW DO HACKERS USUALLY GET INTO YOUR DEVICES, COMPUTERS AND ONLINE ACCOUNTS?

Hackers often start by stealing your password. Sometimes there just isn’t much
you can do about this. If a website where you have a profile or account gets
hacked, for instance, hackers could use your password and attempt to log into
your other accounts, such as your Gmail.

You might have also given out your password by accident. This happens via
phishing, which is a type of internet fraud that criminals use to try and get
their hands on specific login information. You’ve likely received a phishing
email before. This might have been a fake message about your bank account being
blocked or a reminder about a non-existent bill you haven’t paid.

Hackers also use email attachments. When you open an attachment that contains a
virus, your computer gets infected. This method is often used for spreading
ransomware: a type of virus that renders your device inoperable by locking all
of your files. The hackers will then demand money in exchange for handing over
control of your files back to you.

Viruses - also referred to as malware - also spread through downloads such as
torrents or installation files for a piece of software you want to use. You
might think that you’re downloading a movie or some software that helps keep
your computer fast and tidy, but in reality, you’re endangering yourself by
reeling in a virus.

A virus could also just end up on your computer through online ads and websites
that have been hacked. Even trusted websites can, unknowingly, spread viruses.
If you don’t update your software and your computer, you’re at risk of being
infected by these kinds of viruses.

Hackers can also infect your computer by using a flash drive. This method is
less prevalent, but still poses a substantial risk. It could be a flash drive
that you just ‘found’ on the street or that was given to you by someone. Anyone
with harmful intent can just pop one into your computer if you’ve gone off for a
quick toilet break.



THE BASICS



Now that you know what hackers are and how they usually try to gain access, you
can start applying some tips 💡. These are the basics: a simple list of measures
everyone should take.


UPDATING

Lots of people consider updating to be time-consuming. In some cases that’s
true, but it’s also the most important form of protection ❗ to employ against
hackers. Many hacks are successful because they exploit out-of-date software,
which contains many vulnerabilities that get fixed through security updates.

> The older the software, the easier it is for hackers to gain access.

Software runs on all kinds of devices: Windows or MacOS on your computer or
laptop, and Android or iOS on your mobile devices. Even your router and other
smart devices in your home run software. Make sure to check those regularly -
once a week - in case there are updates available for your devices, and install
them as soon as possible ⏰. In some cases updates can be installed
automatically. Windows, MacOS and the Google Chrome internet browser support
this feature.

It’s also important to update your apps and the software installed on your
computer, such as your internet browser, PDF reader and Microsoft Office. You
will often receive a notification if a new version is available.


PASSWORDS

Nowadays you need an account for practically every website or app, and all of
them require passwords. As human beings we have trouble remembering lots of
different passwords, so we often resort to using the same one for several
accounts.

While that does make things a lot easier to remember, it’s also very very
dangerous ⚠️. If a hacker gets a hold of your Spotify password, you wouldn’t
want that hacker to be able to gain access to your bank account as well. And if
you share your Netflix password with a friend, that person shouldn’t be able to
use it to log into your Gmail or Facebook.

That’s why it’s very important to use a different password for each website, app
and service. Simply changing one digit 1️⃣ or letter 🅰️ won’t do. Those kinds
of variations are easy to guess. Thankfully there’s a handy solution for this
problem: password managers.


PASSWORD MANAGERS

A password manager stores all of your passwords in a digital vault 🔑 and
secures them with one single master password. That way, you only have to
remember one password to access all of your accounts. These apps can easily
generate very complicated passwords, like 6ur7qvsZpb0ZkcuSW1u!V8ng!L^lb. A
password like that can’t be guessed or cracked.

Password managers can also fill out your login information when you’re visiting
a website for which you have a password stored. This alone protects you from a
lot of attacks. If a website address is incorrect, such as
wellsfargo.mybanklogin.com, the password manager won’t fill out your Wells Fargo
login information. You can also use a password manager to save notes 📓, such as
login codes, secret keys and answers to secret questions.

Good password managers are Bitwarden, 1Password and KeePass. If you’ve never
used a password manager before, trying the free version of Bitwarden is a great
way to get started.


BITWARDEN (FREE)

Bitwarden has become very popular over the past few years, and for good reason.
It’s open source, there’s an app for practically every platform and, last but
not least, you can use it for free. For 1 USD per month you’ll get access to
some more advanced options and 1 gigabyte of storage for your files. If you’re
willing to pay 3 USD per month, you can share passwords with family members. As
long as you understand how it works, you can even opt to manage your own
Bitwarden cloud.


1PASSWORD (3 USD PER MONTH)

1Password is known for its sleek design and good apps that work on a variety of
devices. The app has got a handy internet browser extension that generates
passwords and fills them out for you when visiting websites you can log into. A
1Password subscription works with a special type of security (a secret key),
requiring you to fill out dozens of numbers and letters to gain access to your
account.


KEEPASS (FREE)

KeePass is viewed as the safest password manager, because many security experts
use the app and draw on their expertise to make it even safer. The downside is
that the app looks quite old-fashioned, like some ancient Windows XP software.
Fortunately the KeePass community is full of passionate developers who make
great looking apps for KeePass, such as MacPass for MacOS. A good alternative is
KeePassXC, in many ways a better and more complete version of KeePass, which is
also being updated by a group of enthusiastic developers.

You might think: is a digital safe, well, safe? That’s a good question, and an
understandable concern: password managers are sometimes hacked. Therefore, it is
very important to use a good and strong password to keep your digital safe as
secure as possible.

In general, a password manager is always better than using the same or similar
password for every website.


A STRONG PASSWORD

Websites and apps often ask you to use a password with digits and numbers. But
what’s a strong password? Many people consider P@ssword007 to be one, but in
reality it’s quite easy to crack 🔨 for hackers. That’s why you might want to
consider thinking in passphrases instead of passwords.

Phrases are long but easy to remember, which are two prerequisites for a good
password. A passphrase like I eat 2 whole pizzas every week is easy to remember
and quite difficult to crack. Don’t hesitate to use spaces in your passwords; an
option that often gets overlooked.

It’s also possible to create a password by putting seemingly random words
together. Use Diceware if you choose to do so. Diceware is currently the safest
way to create a password you can actually remember.


THE BEST WAY TO SAVE PASSWORDS: A SUMMARY

 * Use a password manager, preferably one of the above.
 * Use a passphrase or Diceware for your password.
 * Write down ✍️ your password manager-password and keep it in a safe place, to
   ensure you never lose access to your password manager.
 * Use your password manager to generate passwords 20 characters or more and let
   the password manager store these passwords for you.


OTHER WAYS TO SAVE YOUR PASSWORDS


ICLOUD KEYCHAIN

The iCloud Keychain is a handy way to save passwords if you want to stick to
using Apple products 🍏 . Keychain can generate passwords and automatically fill
them out when you need them. The options are somewhat limited when compared to
other password managers, but Keychain is a safe choice, if - and that’s a big if
- you secure your iCloud account with a strong password and two-factor
authentication.


IN YOUR BROWSER

Browsers like Chrome and Firefox offer the option to save passwords. It’s a
pretty easy way to log into websites you use often, but the downside is that
browsers usually generate weak passwords. A password manager is a better choice.


A PASSWORD BOOK

Pen and paper 📝 can also be used as a password manager. Make sure to use unique
passwords and store them with care. And create a copy that you store in a
physical vault, should you need a backup. When you’re expecting company - like
friends, family, a mechanic or plumber - take extra care not to leave your list
of passwords out in the open.

A useful tip is to have all of your passwords start with the same word, which
you don’t write down in your password book. Simply remember it. If someone gets
a hold of your password booklet, they still won’t be able to use any of the
passwords you’ve written down, because they’re missing one essential component
that’s safely stored in your brain.


KEEP TRACK OF STOLEN PASSWORDS

No matter how strong your password is, it could still get stolen. That’s why
it’s important to check whether your passwords have been stolen by hackers. The
website Have I Been Pwned keeps track of hacked websites and warns you when your
information pops up. With the single click of a button, you can see if any one
of your accounts has been compromised. It’s recommended to do this every now and
then, just to be safe.

If you sign up for Have I Been Pwned, you even get a notification 🔔 when the
system detects your email address in stolen files. That way, you’ll know exactly
which of your passwords has been stolen, based on the service or website it was
taken from. If the site finds your email address amongst stolen files, you
should immediately change the corresponding password. If you do that, the
biggest threat - a hacker logging in using your password - has already been
averted.


TWO-FACTOR AUTHENTICATION

To limit the consequences of a stolen password, you can use two-factor
authentication (2FA), which is a relatively new security method.

You can activate two-factor authentication via the services you use, if they
support it. After logging in with your username and password, from now on you’ll
have to complete a second step. Usually, the service will ask you to enter a
code that’s been sent to your smartphone (using text messages or so-called
authentication apps).



Why go through all this trouble? If a hacker manages to get your login
information, that person will also need the code that is sent to your phone as
soon as they try to log in. It’s highly unlikely that they can access your phone
as well ⛔. Two-factor also alerts you to malicious login attempts, for instance
when you receive a code out of the blue. That way, you’ll know someone else has
tried to gain access. You can check which services, apps and sites support
two-factor authentication on this website. Google, Apple, Facebook, Instagram,
WhatsApp and Dropbox are just a few of the services offering two-factor
authentication features.


LOGIN CODES VIA TEXT MESSAGES

Receiving login codes via text messages is easy: you link your phone number to
an online service and enter the code that is sent to you to log onto the
corresponding website or app. Hackers can get access to these login codes by
intercepting your text messages 💬, but for most people this form of security is
sufficient.


CODES VIA AUTHENTICATOR APPS

A safer way of two-factor authentication is to use an authenticator app. These
apps let you scan a QR-code, which is like a barcode for your smartphone’s
camera. The QR-codes are provided by the service that you want to secure. After
you scan the QR-code, a security code appears on screen for 30 seconds, after
which a new code will be generated. These random codes allow you to authenticate
your login attempt, letting the online service know that it is really you who is
trying to access your account.

The apps of 1Password, Authy, Google and Microsoft can read these QR-codes to
generate login codes. Microsoft’s app lets you log into Outlook automatically.

Take caution when using Google Authenticator, however. If you lose the phone on
which you’ve installed the app, or if it gets reset, you will lose all of your
login codes. You have to make a backup yourself through the settings of Google
Authenticator. The other authenticator apps mentioned above can synchronise
codes across all devices on which you’re using them.


CHECK THE LOCK SYMBOL (BUT DON’T TRUST IT BLINDLY)

The lock 🔒 in the address bar of your internet browser shows that you’re using
an encrypted connection. This means that the information that you’re entering on
the website, like your password or credit card information, is being sent
securely and can’t easily be intercepted by a hacker. Make sure you only enter
sensitive information on websites that show this lock in the address bar. If the
website address starts with https://, that also means the connection is encrypted.



Also be aware that the lock icon doesn’t mean you can actually trust the website
you’re visiting 🚫. Many phishing websites designed to steal your login
information use the lock to try and gain your trust. Pay extra close attention
to the website address, and check whether it’s correct or not.

 * Correct: https://www.facebook.com (facebook.com is the main domain)
 * Wrong: https://www.facebook.tech (.tech is not the correct domain extension)
 * Wrong: https://facebook.login.net (login.net is the main domain)
 * Wrong: https://www.faceb00k.com (the two o’s have been replaced with two
   zeros)


RUN BACKUPS

A backup lets you access your files if something goes wrong. What if your
computer breaks all of a sudden? What photos 📷, videos 📹 and documents 📃 do
you really want to save, and which files do you need for your administration?
Those are the files you should back up.

A backup safeguards your important files, even if your computer breaks down,
your phone gets stolen or ransomware makes your computer inaccessible. A backup
will get the show on the road again in no-time.

It’s recommended that you keep both online and offline backups. You can create
online backups with a cloud-service ☁️ like Dropbox, and offline backups using
an external hard drive. Make sure you check whether all saved files are still
there and working properly every now and then.


RECOGNISE PHISHING

Phishing attacks are usually easy to recognise. Take a fake email which was
seemingly sent by Bank of America, for example. The email claims that your debit
card has been blocked, even though you don’t have an account with Bank of
America 🏦. Logical thinking goes a very long way when it comes to protecting
yourself.

But phishing emails can also look very realistic. Therefore, it’s always a good
thing to check the sender’s email address. If the sender uses
@bankofamerica.bankmailservice.com, you will know that the email wasn’t actually
sent by Bank of America. If it was genuine, it should say @bankofamerica.com.
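The same "main domain" check applies to the website addresses listed under the lock symbol and to the sender addresses above; this added example (not part of the original guide) runs it over the guide's own addresses. The short suffix set stands in for the full Public Suffix List, the look-alike table is a small constructed sample, and the parts before the @ in the email addresses are constructed.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, which is what
# browsers and password managers use to find the main domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

# Constructed sample of digit-for-letter swaps used in look-alike names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(address):
    """Return the host part of a web address or an email address."""
    if "://" in address:
        return (urlsplit(address).hostname or "").lower()
    return address.rsplit("@", 1)[-1].lower()


def main_domain(host):
    """The last two labels (three for suffixes such as co.uk)."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check(address, expected):
    """Compare an address with the main domain you expected to see."""
    found = main_domain(host_of(address))
    if found == expected:
        return "ok"
    name = found.partition(".")[0]
    expected_name = expected.partition(".")[0]
    if name == expected_name:
        return "wrong extension"
    if name.translate(LOOKALIKES) == expected_name.translate(LOOKALIKES):
        return "look-alike"
    return "different main domain"


# Addresses taken from the guide; email local parts are constructed.
SAMPLES = [
    ("https://www.facebook.com", "facebook.com"),
    ("https://www.facebook.tech", "facebook.com"),
    ("https://facebook.login.net", "facebook.com"),
    ("https://www.faceb00k.com", "facebook.com"),
    ("https://wellsfargo.mybanklogin.com", "wellsfargo.com"),
    ("service@bankofamerica.com", "bankofamerica.com"),
    ("alerts@bankofamerica.bankmailservice.com", "bankofamerica.com"),
]

if __name__ == "__main__":
    for address, expected in SAMPLES:
        print(f"{check(address, expected):22} {address}")
```

A trusted name appearing somewhere in the address proves nothing; only the main domain at the end of the host name counts.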

Pay attention to strange or incorrect use of language. Many phishing emails
contain grammatical and spelling errors and they might address you with Dear
sir/madam. Most organisations know who you are and address you with your first
name.

Oftentimes phishing emails try to scare you 😨 by claiming that your bank
account has been blocked or that you have outstanding debt that needs to be
paid. They might even claim that you’ve won something 🤑. If you’re unsure about
the nature of an email, call the organisation that allegedly sent the email.
Don’t use the phone number listed in the email though! Look it up on the
official website.

Before clicking a link in an email, always check its authenticity. You can do
this by hovering your mouse 🖱️ over a link without clicking on it. The web page
where the link wants to take you will appear on your screen. You should be able
to see whether it is a valid link or a phishing attempt. On a mobile device, you
can press and hold the link to copy it. Create a new email and paste the link
into the body of the email to read the complete web address.

If you don’t trust an email or the links in it, use your internet browser to go
to the website of the organisation the email claims to be from, and log in
there. Usually, you’ll find all recent invoices and messages there. You can
always call 📞 the organisation to ask whether an email you received is actually
sent by them.

An important rule to live by:

> If it seems too good to be true, it probably is.

If you have a Google account, Password Alert - an internet browser plugin - can
be a big help. Password Alert sends you a warning when your Google password gets
entered on a fake login page. Installing this official Google plugin can be a
lifesaver, given how important Google and Gmail are to a lot of people.


DON’T JUST CLICK ON ANY LINK

It almost goes without saying that you shouldn’t just click on any link, even if
it’s sent by a friend or colleague. This is good advice for whatever situation
you’re in; whether you’ve received a link via email, through social media or in
a text message. A smartphone can be hacked by pressing the wrong link.

This doesn’t happen often, so don’t get scared of every link you receive. But if
you don’t trust it, inspect the link 👓 first using the methods described above.


BE CAREFUL WHEN OPENING EMAIL ATTACHMENTS AND DOCUMENTS

Email attachments require caution, just like links on the internet or in text
messages. Attachments are a common way for viruses to spread, which may give
hackers access to your device in the process. These viruses are usually hidden
in a seemingly innocent attachment, like a Word document. Hackers can also hide
their viruses in other places, like in Excel, PDF, ZIP or EXE files.

Generally speaking, you can open Word and Excel documents safely. But beware of
a large yellow bar at the top of your screen. If you see one pop up in the
document you just opened, do not click on the button inside of the bar ⚠️.
Especially not when you’re being prompted to click on it. The yellow bar could
indicate that the document is infected with malware. If you don’t trust the
source of the document or the document itself, make sure to open it in Google
Docs. That way your computer won’t get infected if the document does in fact
contain a virus.



The best way to open PDF files is via your browser, by dragging the file to a
(new) tab. Or you can right click on the file and choose Open with > your
browser of choice.

There’s another way to safely view documents. The free application DANGERZONE
for Windows and MacOS converts potentially dangerous photos, PDF and Office
files in such a way that they are safe to open 👍.

Take extra caution before opening EXE files. There are very few instances where
that’s necessary. The exception is to install an application. Clicking on an EXE
file is never required to view a document 📄, for example. When it comes to ZIP
files, you can safely extract them. Do follow the precautions mentioned above
before opening the files inside.

If you don’t trust a file, you can download it ⬇️ to your computer, but don’t
open it! After downloading the file, upload it to VirusTotal. VirusTotal is a
website that analyses files and tells you if they contain viruses. Do take note
that Google and VirusTotal will have access to your file after uploading it.

It’s also recommended to turn off the hide file extensions option for Windows
and MacOS. This allows you to immediately see the actual extension of a file,
such as .docx or .pdf.


BE WARY OF PUBLIC WIFI

Public WiFi networks, such as Starbucks WiFi, are not safe. Hackers can track
your browsing habits and try to steal your login information. Use your 4G
connection instead, or create a password protected hotspot on your phone. A
hotspot (Android, iPhone) lets your laptop connect to the internet via your
smartphone’s 4G connection.

If you insist on using public WiFi networks, make sure you only log in to
websites that display a lock. Websites with a lock encrypt the information you
enter, which prevents easy access by hackers. This advice also holds up for WiFi
networks of restaurants 🍟 and hotels 🛏️. These might be password-protected,
but are still being used by a lot of people.

Pay attention to welcome screens when connecting to public wifi networks. These
pages may ask you to install an app, certificate or a piece of software.
Connecting to the internet doesn’t require you to do this, so it might be a sign
of hackers trying to gain access to your smartphone or laptop. If you have
doubts, ask the network provider if the request is legitimate.

Finally, it’s important to realise that a password-protected wifi network isn’t
necessarily safe. These wifi networks can also be under a hacker’s control.


USE A VPN

It’s also strongly recommended that you use a virtual private network - VPN for
short - as soon as you connect to a public WiFi network. A VPN builds a digital
tunnel for your data traffic. That way, others won’t be able to see what you do
on the internet, protecting you against hackers.

Most people have heard of VPNs because of Netflix. A VPN allows you to trick the
internet into thinking you’re in a different country 🌎. By connecting to
American servers, users would also get access to the American version of
Netflix, for instance.

A VPN also comes in handy if you don’t want your internet provider to know what
you do online. You can keep a VPN connection running indefinitely. The one
downside is that it can slightly lower your internet speed 🐢.

The best and easiest paid VPN services are Freedome, iVPN and NordVPN, costing
three, five and seven USD per month respectively. AirVPN and Mullvad are aimed
at more experienced users.

Never use a free VPN service. These services are known to sell your private
information, like the websites you visit. If you’re short on cash, you can
always create a free account at ProtonVPN. This free service is more than enough
for those few occasions when you absolutely have to log onto a public wifi
network.


DON’T LEAVE YOUR THINGS UNGUARDED

This advice might seem somewhat obvious, but a lot of people leave their laptop
open while they’re off using the toilet 🚽. Aside from the risk of your property
being stolen, someone could also use your computer with criminal intent while
you’re not around, especially when your laptop isn’t closed and locked.

Always set your laptop’s automatic lock to a very short period (one minute).
Your device will then lock itself if you have to leave it unattended. This isn’t
a perfect safety measure, however. Always try to take your laptop with you if
you need to leave your seat or spot. Even if it’s just for a moment.



COMPUTERS



Now let’s have a look at the device that’s easiest to hack: your computer 💻.


ANTIVIRUS IS STILL USEFUL

Most virus infections happen on Windows computers. These devices come equipped
with antivirus software called Defender. Defender is good, but Kaspersky
Anti-virus and BitDefender (respectively 30 and 34 USD per year) easily rival
Defender.

Defender has a feature that protects your most important folders against
ransomware or other harmful software that messes with your files. This feature
can be activated by going to Virus & threat protection -> Ransomware protection
-> Controlled Folder Access. You can also add extra folders there, such as a
folder with important business documents or pictures of your family 👨‍👨‍👧.

The use of 0Patch (free) and Hitman Pro.Alert (35 USD per year) is also
recommended. You can run both programs alongside antivirus software. This will
protect you against malware that uses vulnerabilities in your computer to, for
instance, track all the keystrokes made on your keyboard ⌨️.

If you own a Mac computer, you don’t necessarily need an antivirus. The Mac’s
operating system makes it harder for malware to infect your computer. That’s why
there aren’t a lot of viruses in circulation on Apple’s operating systems. If
you still want an antivirus, then Kaspersky Anti-virus (60 USD per year),
BitDefender (39 USD per year) or ESET Security (30 USD per year) are solid
choices.

Objective-See’s free security software for MacOS is also recommended: BlockBlock
blocks malware, OverSight blocks webcam spying and ReiKey blocks malware that
logs your keystrokes.

Paying for antivirus pays off. Paid versions of antivirus software are often
better and more expansive. If you’re not in a position to pay for an antivirus,
your best bet is to download and install the free version of Malwarebytes.


TURN ON AUTOMATIC UPDATES

As you might have guessed already: it’s important to update your devices. That’s
why we recommend installing updates automatically. Windows and MacOS support
this feature, but recently software like Google Chrome has introduced similar
options.

If software that doesn’t support automatic updates notifies you of a newly
available update, check the legitimacy ✅ of the notification first. Viruses are
often spread using fake notifications, like an update for Adobe Flash Player.
These usually appear as pop-ups on a website. If you want to make sure the
notification is legitimate, then open the software in question and manually
check to see if there’s an update available.


USE GOOGLE CHROME, ALONG WITH THESE TWO EXTENSIONS

Currently, Google Chrome is the safest and most user-friendly internet browser.
Firefox, Safari and Edge are also solid choices, as long as you avoid using
Internet Explorer. Also make sure to install the following two extensions:


UBLOCK ORIGIN

Adblocker uBlock Origin is a free extension that blocks ads and trackers on the
internet. It protects you from so-called malvertising: viruses that spread
through online ads. It also locks out organisations and companies that spy on
your browsing habits. Contrary to Adblock and Adblock Plus, uBlock Origin
doesn’t have a questionable business model. Do note that by using an adblocker,
you’re depriving websites of their much-needed revenue. By whitelisting your
favourite websites, you’re still allowing a company or person to profit from
your visit.


HTTPS EVERYWHERE

HTTPS Everywhere forces a secure connection when possible. If a hacker attempts
to intercept your connection to try and send you to a website with an unsecure
connection, HTTPS Everywhere will block the attempt. This extension can be
downloaded for free.

Pay attention to which extensions you install and don’t install too many.
Browser extensions can have quite far-reaching permissions and, in some cases,
even see what you type while using your internet browser. Thankfully, you can
view which permissions each extension has.


TURN OFF JAVASCRIPT AND MACROS, AND TURN ON YOUR FIREWALL

Hackers often use specific features in popular software to infect your computer
with malware. By turning these features off, you make their life harder. This
specifically concerns Javascript in Adobe Reader and the macros in Microsoft
Office. Turn both of them off.

A firewall, on the other hand, should be turned on. It’ll protect you from
external attacks. Do this on MacOS and preferably also on your router. Windows’
firewall is turned on by default. If you want some extra protection, take a look
at LuLu (free) or Little Snitch for MacOS and GlassWire for Windows. These apps
keep an eye 🔎 on what software connects to the internet.


REMOVE FLASH

Flash used to be an important technology for watching videos and playing games
in your browser 🎮. The software hasn’t been updated in a long while and is
becoming increasingly outdated, making it a security risk. The best option is to
simply remove Flash from your computer. Many browsers already have it turned off
by default and recent websites no longer use this technology, so you won’t
lose any functionality.

Adobe offers programs to remove Flash from your Windows or MacOS computer.


SECURE YOUR ROUTER

Many people have trouble configuring their router, the device that lets you
access the internet. That’s understandable: routers are tricky to operate 😕.
Every router works differently, so you’ll have to search online to find the
corresponding manual. Those manuals can help you implement the following tips.

 * Secure your WiFi network using the WPA2-AES protection option, use a long
   password or passphrase and turn off WiFi Protected Setup (WPS).
 * Turn off UPNP. This technology is unsafe and allows for easier access to your
   network and connected devices.
 * Update your router software.
 * Create a guest network with a password for your guests and miscellaneous
   smart devices, such as security cameras.
 * Make sure that the name of your network isn’t easily connected to you or your
   home. Don’t call it The Johnsons, for instance.
 * Be careful with port forwarding: only forward ports that are absolutely
   necessary.


FLASH DRIVES AND SMART DEVICES

A well-known hacker trick is to let a victim insert an infected flash drive into
their computer, after which the device is breached. Always be careful with flash
drives, whether you find a stick on the street or someone hands it to you as a
gift 🎁. If you don’t trust a flash drive, have a professional look at it or
throw it out.

You might also want to think about how much you really need all those smart
devices. Do you really need a rice cooker 🍚 that can connect to your WiFi
network? Is it really that important that your child’s action figure has a
camera that connects to the internet? All of these smart devices are potential
access points which hackers can use to breach your network. They can even take
over these devices entirely. Only buy smart devices you really need and
preferably use well-known brands.


SECURE ONLINE BANKING

Some people are scared to do their banking online. No need: online banking has
become very safe in recent years. You can use your bank’s website or mobile app
to transfer payments 💵. In most cases, the app is the safest option. It’s hard
for hackers and criminals to hijack these apps on recent versions of Android and
iOS.


CHECK SHORT LINKS

Short links are a staple of the internet. They are used to make long links,
well, short. Well-known services to shorten links are Bit.ly and TinyURL. Short
links are, unfortunately, often used to mask dangerous websites. That’s why it’s
never a bad idea to check where a short link is taking you before clicking on
it. You can use Urlscan.io to check whether a link leads to a potentially
dangerous website.


COVER YOUR WEBCAM AND CHECK YOUR SURROUNDINGS

Criminal hackers can watch you using your webcam. A hacker might blackmail you
using intimate pictures and videos of you. For instance, you could be secretly
filmed while undressing, masturbating or having sex 🍆🍑. By simply covering
your webcam with a piece of tape, you render your webcam useless to any
intruder. There are also more elegant options, like Soomz (12 USD for three
covers). You can also find many cheap webcam covers on the Chinese web shop
AliExpress.

Also take note of your surroundings if you’re using your laptop on a train or in
a coffee shop ☕. Can anyone see what you’re typing? Are you sure no one can see
personal information on your screen, like a password, home address or phone
number? Be aware of the situation you’re in when you’re using your devices in a
public space.


CHOOSE A CHROMEBOOK

If you’re not tech-savvy and just want to be able to browse the web, send emails
and watch videos, then a Chromebook might be the way to go. This laptop is cheap
and very secure, because it only runs Google’s Chrome internet browser. This
makes it hard for hackers to infect your computer with viruses. This laptop lets
you do everything you normally do in a browser. If you have a higher budget, an
iPad with a keyboard is a good way to go too.


REINSTALL YOUR COMPUTER FROM TIME TO TIME

Try reinstalling your computer once every three years. That means backing up
your files 📂, completely deleting your hard drive and reinstalling the
operating system (Windows, MacOS). It makes your computer faster and removes any
redundant and potentially harmful software.


--------------------------------------------------------------------------------


PHONES AND TABLETS



The smartphone 📱 is the most important device in many people’s lives, which is
why it’s incredibly important to make sure it’s properly secured, whether you
own an Android or iPhone.


GET AN IPHONE

Okay, that might sound a little blunt, but iPhones are generally more secure
than Android phones. That’s why people who might be at risk of being hacked,
like lawyers 👨‍💼 and politicians 👴, usually have an iPhone. iPhones are also
guaranteed to receive updates for five years after they have been released.

The safest Android phones are Pixel phones (formerly known as Nexus), made by
Google.


UPDATE AS SOON AS YOU CAN

This recurring tip is still high on the list: always update your mobile devices
as soon as you can ⏰. Updates fix security vulnerabilities that allow hackers to
infiltrate your smartphone or tablet. Also regularly update your apps. These can
contain security vulnerabilities too, giving hackers access to your private
information.


TURN ON ENCRYPTION

Encryption ensures that your data, such as your messages and pictures, are saved
in a digital vault 🔑. All iPhones and most Android phones have encryption
turned on by default, but some Android phones require you to manually turn on
encryption. The option to turn on encryption can be found by going to Settings >
Security.

What if, for instance, someone happens to find your phone and connects it to a
computer? Encryption ensures this person won’t be able to see all your chat logs
and pictures. These can only be viewed if the correct passcode is entered, which
is the key to your own digital vault. That’s why using a passcode to lock your
mobile devices when you’re not using them is very important.


USE A SIX-DIGIT PASSCODE AND THE FINGERPRINT SCANNER

By using a passcode, you prevent others from accessing your phone or tablet.
Choose a six-digit passcode that only you know and don’t pick a standard code
like 0-0-0-0-0-0, 1-2-3-4-5-6 or 1-1-2-2-3-3. It’s also not recommended to use
your birth date 🎂, just like any other combination based on personal
information. iPhones and some Android phones also allow you to turn on an option
that completely erases all contents from the phone if the wrong code is entered
more than ten times. This can function as an extra security method, but it can
also be quite risky if you don’t have a backup of your device.

In many cases, using the fingerprint scanner is easier. It works faster and is
safer because someone can’t just copy your fingerprint to unlock your phone. If
you want to temporarily turn off your fingerprint scanner, turn your device off
and on again. It’ll prompt you to enter your passcode to access your device. If
you don’t have a fingerprint scanner on your Android phone, you can also create
a pattern to unlock it.

Your SIM card also has a passcode. You can edit this code and change it to a
six-digit code in your smartphone’s settings, instead of using the standard
0-0-0-0. It’s a good idea to move all your contacts to your phone and remove
them from your SIM card. If you happen to lose your phone, your contacts’
personal information can’t be extracted from the SIM card.


ONLY INSTALL APPS FROM THE APP STORE OR GOOGLE PLAY

Most phones that contain malware are infected through apps that were not
installed using the official app stores. This usually happens when people want
to install a paid app or game for free. That ‘free’ app may have malware hidden
inside, used for stealing credit card 💳 information. This goes for both Android
and iOS phones.

Android poses another risk: there are lots of apps in the Google Play Store that
might seem legitimate, but contain malware anyway. Make sure you do your
research before downloading any app. Google the name of the app, read reviews
and check to see how many times the app has been installed so far. In short:
don’t just install any app on your Android phone or tablet.

It’s also important to check an app’s permissions. A flashlight app 🔦, for
instance, shouldn’t require access to your contacts. You can check and edit the
permissions of apps on both iOS and Android. For Android, go to Settings > Apps,
and for iOS go to Settings > Privacy.


ANTIVIRUS FOR YOUR MOBILE DEVICE

Android users may want to install an antivirus on their smartphone or tablet.
ESET (15 USD per year), BitDefender (15 USD per year) and Kaspersky (15 USD per
year) are all excellent choices. You can download free versions of the latter
two, but those offer less functionality.

Installing an antivirus on your iOS device is pointless. Apple’s operating
system doesn’t grant these apps the necessary permissions to scan your phone or
tablet for viruses. You may want to install the app iVerify (2,99 USD) instead,
which checks your operating system for abnormalities indicating your device may
have been compromised. iVerify also offers a bunch of useful instructions to up
your iPhone’s or iPad’s security.

On top of scanning for viruses, there’s a way to monitor which apps on your
Android device connect to the internet. You can find out what data is being sent
by your phone or tablet. GlassWire, the firewall for Windows, also has an
Android app (5 USD per year) to block invasive or malicious apps from accessing
the internet.


REBOOT YOUR DEVICE

Restarting your phone or tablet is a good way to protect your device against
hackers. In many cases, rebooting gets rid of any malware that was previously
installed. Hackers will have a difficult time keeping access to your device
after you’ve restarted it. Restarting your phone or tablet on a regular basis
(once a week) has an added benefit too: the operating system will continue to
run smoothly 👍.


TURN OFF WIFI AND BLUETOOTH IF YOU DON’T NEED THEM

Third parties can follow you using WiFi and Bluetooth. They could track the
route you take to the bus stop, for instance. If you don’t need WiFi or
Bluetooth when you’re on the go, it’s a good idea to temporarily switch them off
using your device settings. You’ll also protect yourself from attacks via WiFi
and Bluetooth.

If you’ve connected to a WiFi network in the past, your mobile device will
automatically connect to that network when you’re nearby. This poses some risk.
Hackers often create fake WiFi networks with names that are the same as networks
you might’ve been connected to before, like Starbucks WiFi or McDonald's Free
WiFi. Because your mobile device recognises these networks, it’ll attempt to
automatically connect with them. It’s just another way for criminals to try and
monitor what you do on the internet while attempting to intercept passwords and
other personal information.

It’s wise to clean up your list of trusted WiFi networks from time to time. If
you connect to a hotel’s WiFi network 🏨, for instance, remove the network from
your device’s memory afterwards. Do this by opening your device’s settings and
pressing forget after selecting the WiFi network in question. You can also set
your Android and iOS device to not automatically connect to individual WiFi
networks in the WiFi settings.


DON’T SHOW NOTIFICATION PREVIEWS IN LOCK SCREENS

Notifications can contain sensitive information 🙈, like a password a friend
sent you using WhatsApp, or login codes sent via text messages. By hiding
notifications in the lock screen (Android, iOS) no one will be able to see the
contents. Only after unlocking your phone will you be able to see what the
notifications say.


BACK UP YOUR DEVICES

Backups are incredibly important. Should your phone get stolen, you can always
restore the backup on another phone. Google and Apple offer features that
completely back up your phone. For many users, pictures are the most important
thing on their phone. Back these up with services such as iCloud, Google Photos
and Dropbox. Don’t forget to turn on two-factor authentication for these
services.


--------------------------------------------------------------------------------


SOCIAL MEDIA



We share a large part of our lives on social media 🤳. Sometimes a little too
much. That may sound like an open invitation for hackers. This method of data
collection is also referred to as Open Source Intelligence (OSINT), which can be
used in a cyber attack.


BE CAREFUL ABOUT THE INFORMATION YOU SHARE

People often post pictures of their passport, driver’s licence and concert
tickets on social media. You might think gosh, that’s pretty dumb, and you’d be
right. It still happens a lot, though 🤦. The barcode on your concert ticket can
be used by anyone, and with a picture of your passport or driver’s license,
someone could open a loan in your name.

So be cautious of what you do and post on social media. Do you have an annoying
ex who’s keeping tabs on you? Don’t post on social media about where you are at
any given time. Waiting for something you ordered online 📦? A hacker could call
you, acting as an employee of the web shop in question, to ‘check your
information’. It’s mostly a matter of realising what the risks are to you.


MIND YOUR PRIVATE INFORMATION

Many companies only require a name, date of birth and address to verify that you
are who you say you are. This information is easily found online. People
celebrate their birthdays 🎈 on social media and indirectly say where they live,
by posting an Instagram picture of their new home 🏠, for example.

Using this method, one hacker has already managed to fool a telecom provider
into registering someone else’s phone number to his name. This also granted him
access to the victim’s WhatsApp messages. This method of hacking is also known
as social engineering, a form of cyber attack that requires manipulation.

The answers to your secret questions can often be found online too. It might be
the name of your first pet 🐱 or your mother’s birthplace. Be aware of this
fact.


GOOGLE YOURSELF

What does a hacker do when they want to collect information about a target?
That’s right: google the target’s name. Google yourself regularly to know what
personal information is available for anyone to see. You could, for instance,
set up a notification that emails you every time your name comes up in Google.
In some cases, it’s even possible to have information removed from the search
engine.


SET YOUR POSTS TO PRIVATE, AND LOG OUT

We post a lot on social media. That’s why it may be wise to set your profiles to
private. Do you share a lot of your private life on Facebook and Instagram? Then
set your Facebook profile to private (click here to see what that would look
like to anyone who isn’t your friend) and lock your Instagram account 🔒,
requiring users to ask for your permission if they want to follow you. The same
goes for Snapchat.

Twitter is a different story altogether. A lot of users use Twitter to reach as
many people as they can. If you have a public Twitter profile, pay extra
attention to what you post, from your location to your private information. And
log out of Twitter when necessary — especially when you’re using a public
computer or a friend’s laptop.


STAY ALERT WITH GOOGLE ALERTS

Google Alerts lets you monitor 👀 online content. Enter your own name as a
keyword and you’ll know exactly when your name gets mentioned on any website.
You can also monitor more sensitive information, like your home address, email
address or phone number. If a website publishes this information for whatever
reason, you’ll know right away and can subsequently choose to take action.


MAKE SAFE DIGITAL COPIES OF YOUR ID

It’s definitely possible to create a safe digital copy of your passport,
driver’s licence 🚗 or any other form of identification. The Dutch government
even released an app to help you do just that. It’s called KopieID (CopyID). The
app allows you to redact sensitive information, like your Citizen Service Number
or Social Security Number. You can add a watermark, describing the purpose of
the copy, such as ‘copy for stay at hotel name on date such and such’. Don’t
worry: the important parts of the app are in English.


CHECK WHICH DEVICES ARE LOGGED IN

Are you aware of all the devices you have used to access your accounts? And did
you remember to log out when you stopped using certain devices, like a friend’s
tablet or a public computer? To be sure, check the overview of active sessions
which Google, Apple, Microsoft, Facebook, Instagram, Twitter, Dropbox and
WhatsApp - among others - provide, and deactivate the ones you don’t recognise.


RUN SECURITY CHECKUPS

Many companies offer the option to go over your security settings, like Google,
Facebook and Dropbox. You can see on which devices you are logged in, and which
other services have access to your information. If you check your security
settings regularly, you’ll usually come across a device or service that doesn’t
require access 🛑 to your account anymore.


CHECK YOUR CONNECTED APPS

Linking apps with other apps or online services can be very convenient, or just
plain fun. Like scheduling sports sessions 🏋️ with friends via Google Calendar,
or working on a document together. In order to make use of these features, you
may have to give an app full access to your account. The full extent of the
access you’re giving is often hidden away in the fine print, so it can happen
without your explicit permission. Giving access to your accounts exposes them to
more security risks. If the app you’ve linked to an account gets hacked, your
account will also be affected. It is therefore recommended to regularly check
which of your apps are linked with and give access to what online services, such
as Google, Microsoft, Facebook, Twitter, Instagram and Linkedin.


--------------------------------------------------------------------------------


CHATTING AND PHONE CALLS



We send lots of messages 💬 and still call ☎️ from time to time. Let’s try to do
that as safely as we can. This chapter is about how you can communicate without
anyone listening in or reading your messages.


END-TO-END ENCRYPTION

Communication has become a lot safer since April 2016, which is when WhatsApp
introduced end-to-end encryption. This ensures that only the sender and receiver
can read the messages sent between them. If someone were to intercept end-to-end
encrypted messages, all they would see is gibberish.

You can compare it to sending a postcard. You write something on the back and
put a stamp on it. With normal encryption, the postman (in WhatsApp’s case) can
read what you wrote on the postcard. With messages sent through end-to-end
encryption, you’re basically putting the postcard in a sealed envelope ✉️. That
way, only the recipient can read what’s on the postcard.

End-to-end encryption doesn’t just work with sending messages. It also works
with sending and receiving pictures, videos, documents and location information.
You can also secure phone calls and video calls with end-to-end encryption.


WHATSAPP AND FACEBOOK

WhatsApp is owned by Facebook, a company that makes its money by collecting as
much information about its users as it can. Because of end-to-end encryption,
Facebook doesn’t know what kind of messages or pictures you’re sending. Facebook
can, however, monitor who you’re communicating with. This type of information is
known as metadata.


ALTERNATIVES TO WHATSAPP

What chat app you use is a very personal choice. Some people value ease of use,
while others prefer apps that focus more on protecting their privacy. These are
five alternatives to WhatsApp.


SIGNAL

Signal is the safest and most privacy-friendly chat app. Just like with
WhatsApp, the app can be used on a computer and it’s possible to have it
automatically remove messages after a specified period of time (from a few
seconds after being sent to a week). Signal also hardly saves any information
about its users. The app doesn’t look that polished, however, and has fewer
features than its competitors.


TELEGRAM

Telegram is not the safest choice, because it saves messages in the cloud. Some
people like this, because if you switch phones you can start chatting exactly
where you left off. Saving all your messages, pictures and videos in the cloud
is very risky, however. Please be aware of this if you use Telegram. People
choose Telegram because it’s one of the most user-friendly chat apps out
there.


IMESSAGE

Apple’s chat app only works with iPhones and iPads. Messages are encrypted with
end-to-end encryption and you can also use your MacBook or iMac to send and
receive messages. iMessage also supports a lot of other apps, letting you easily
order an Uber or share a navigational route, for instance. Note that Apple does
save metadata for up to a month.


THREEMA

The Swiss Threema is a favourite among journalists, because you only share a
username to communicate with each other. Journalists don’t have to give out
their phone number to use Threema. The app has a fancy design and lots of
features. There’s one downside: Threema costs 3 USD. As a result, it doesn’t
have as many users as the free apps.


WIRE

Wire garnered a lot of fans in a short period of time, which isn’t strange given
its features and design. The app bases its encryption method on Signal and
combines a sleek design with Telegram’s flexibility. That means you can chat
from your smartphone, computer and via your internet browser. Video calls, file
sharing and sending gifs are all protected by end-to-end encryption.


AUTOMATICALLY REMOVE MESSAGES

Hackers can’t steal what you don’t have. That goes for chat messages too. If
you’re having sensitive conversations, make sure those messages are
automatically removed 🗑️. WhatsApp, Signal, Telegram, Wickr Me and Wire support
this feature, amongst others.


VOICE AND VIDEO CALLS

You can use WhatsApp, Signal and FaceTime, amongst others, to make end-to-end
encrypted calls. This means that the service you use to make the call can’t see
or hear you. These apps are recommended when you make a call to discuss
sensitive topics. If you want to Skype with your cousin from Australia every now
and then, its lack of end-to-end encryption won’t matter much.

A regular old phone call is a safe communication method for most people. A
hacker can’t easily hack your phone call 📶. That would require a targeted
attack, carried out by an intelligence agency, for instance. We’ll talk more
about that later.


EMAIL

Unlike many chat apps, email 📨 isn’t safe. Email in 2018 consists of
several different technologies cobbled together to make it all work. That
doesn’t make it safe or reliable. We use email in business situations and
because it’s commonly accepted, but send as little sensitive information through
email as you can.


--------------------------------------------------------------------------------


ADVANCED



Hats off to you for making it this far 👏! Your knowledge of cyber security has
already increased exponentially. In this chapter, you’ll find numerous advanced
tips to ward off online surveillance and persistent hackers.


CONSIDER YOUR PERSONAL RISK LEVEL

It’s important to consider which risks apply to you. Are you a woman 👩 using
the internet? Odds are you’ve had to protect yourself against harassment by men.
Are you a journalist? Then it’s possible that the government is trying to keep
tabs on you. Do you own a computer and a bank account? You get the picture:
anyone can be a target, but certain targets face bigger risks.

Take appropriate measures that correspond to your personal risk level. This
guide offers a lot of advice that everyone should follow, because many dangers
apply to, well, everyone. But for an active feminist 💪 with a Twitter account,
it’s even more important to keep your home address and phone number hidden from
most people.

Every situation is different and thus requires a different approach. If you
suspect your violent spouse is reading your emails and WhatsApp messages, you
can use the chat function of a video game, such as Words With Friends, to inform
a friend of your situation. It’s unlikely your spouse is keeping track of those
conversations as well.


RECOGNISE SPEAR PHISHING

We’ll start with the hardest piece of advice, because spear phishing is
notoriously difficult to recognise. Spear phishing is a form of phishing where
the person trying to trick you will send you a message that is made to fool you
specifically. A hacker could, for instance, gather information from your social
media profiles to provide the spear phishing message with credible information.

Let’s say your flight with Delta Airlines ✈️ has been delayed by an hour and you
post about it on Facebook. A hacker could use that information to send you an
email, detailing a ‘compensation offer’ from Delta. All you need to do is log in
(which gives the hacker your password) and fill out a form. All the while said
hacker is keeping track of what you’re typing.

Thankfully most people won’t ever have to deal with spear phishing. Spear
phishing usually happens to those who have a high risk of being targeted, such
as politicians, lawyers and journalists. It still pays to keep your guard up. If
you don’t trust something, find the company or organisation that supposedly sent
you the message by googling them, and call them to ask whether the message you
received is legitimate or not.


ENCRYPT YOUR HARD DRIVES AND BACKUPS

You can encrypt MacBooks and iMacs with the click of a button by turning on
FileVault. It’s incredibly simple and ensures that whoever finds or steals your
laptop doesn’t have access to your private files. Don’t wait: turn this feature
on right now.

Windows is a completely different story. Microsoft has kept its encryption
service Bitlocker exclusive to the Pro versions of Windows. That just happens to
be the version that consumers hardly ever use 🤷.

Thankfully there are some good alternatives to consider. Veracrypt is the safest
and most reliable option. Make sure to back up your files before encrypting your
hard drive. The encryption process can take hours and could go wrong in some
cases. With a backup, you’ll ensure the safety of your files.

While we’re on the subject: you can encrypt backups too. Consider encrypting
your external hard drive or flash drive with Veracrypt, for instance. Another
good app is Cryptomator, which immediately encrypts your files and uploads them
to the cloud. Take extra care of your password, however. Lose your password, and
you lose access to your files.


CREATE A VERY STRONG PASSWORD USING THE DICEWARE METHOD

The Diceware method is used by experts to create extremely strong passwords.
Diceware uses a random dice throw 🎲 and a long list of words to generate
passwords. Here’s a list (txt) of English words you could use.

You start by rolling dice. Do this five times in a row and note the value of
each throw. You’ll end up with a five-digit series of numbers that correspond
with a word from the list. For instance, if you throw 3-6-4-5-5, the word it
corresponds with is law.

Repeat this process seven times to make sure it’s absolutely safe. You’ll get a
series of seven completely random English words, such as limbo karma cosy ember
pool swipe wow. The Diceware method is currently the best way to create a strong
password that you can remember.
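The same procedure in Python, as an added example that is not part of the original guide: it validates a Diceware word list, maps five dice throws to a word, builds a seven-word passphrase and computes how many bits of randomness that gives. The word list here is a constructed placeholder (`word11111` … `word66666`), so the output words are not real English words; the function names and the `DDDDD word` line format are assumptions of this example.

```python
"""Diceware passphrase generation (added example, constructed word list)."""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5      # five throws select one word, as in the guide
WORDS_PER_PHRASE = 7   # the guide's recommended passphrase length
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible five-throw results

# Constructed placeholder list: one "DDDDD<TAB>word" line per dice result.
# In real use, read a published Diceware list from a file instead.
CONSTRUCTED_WORDLIST = "\n".join(
    f"{''.join(k)}\tword{''.join(k)}" for k in product("123456", repeat=DICE_PER_WORD)
)


def parse_wordlist(text):
    """Parse 'DDDDD word' lines into {key: word} and reject damaged lists.

    A list with missing keys or repeated words silently weakens every
    passphrase built from it, so both are treated as errors.
    """
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key word'")
        key, word = parts
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("repeated words in list reduce passphrase strength")
    return table


def lookup(table, throws):
    """Map physical dice throws ('3-6-4-5-5' or [3, 6, 4, 5, 5]) to a word."""
    if isinstance(throws, str):
        key = throws.replace("-", "").replace(" ", "")
    else:
        key = "".join(str(t) for t in throws)
    if key not in table:
        raise KeyError(f"not a valid five-dice result: {throws!r}")
    return table[key]


def roll_dice(n=DICE_PER_WORD):
    """Simulate n fair dice using the operating system's secure RNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(table, words=WORDS_PER_PHRASE):
    """Pick each word independently; never re-roll because a word looks odd."""
    return " ".join(lookup(table, roll_dice()) for _ in range(words))


def entropy_bits(words=WORDS_PER_PHRASE, list_size=LIST_SIZE):
    """Bits of randomness: each word contributes log2(list_size) bits."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(CONSTRUCTED_WORDLIST)
    print("throws 3-6-4-5-5 ->", lookup(table, "3-6-4-5-5"))
    print("passphrase:", generate_passphrase(table))
    print(f"strength: {entropy_bits():.1f} bits for {WORDS_PER_PHRASE} words")
```

The strength comes entirely from the random throws, which is why the script uses `secrets` rather than `random` and why picking words by hand from the list defeats the method.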


TWO-FACTOR AUTHENTICATION WITH A SECURITY KEY

Experts recommend using a physical usb key - also known as a security key - for
two-factor authentication. Connect your security key to services such as Google,
Facebook, Twitter and Dropbox and the next time you want to log in, you’ll be
prompted to use your usb key.

Insert the usb key into your computer and connect it to your smartphone to
authenticate your login attempt. The online service will check 👮 if the usb key
is linked to your account, and the usb key detects whether you’re logging onto
the correct app or website ✅. This protects you against phishing attempts and
fake websites, because the login attempt can only be successful if both your key
and the online service are valid.

It’s recommended that you purchase two security keys: one to keep on your person
at all times and another to put away safely as a backup. Link both usb keys to
the services for which you want to enable two-factor authentication. And don’t
forget to turn off the other forms of two-factor authentication you may have
enabled for these services, such as login codes via a text message.

Swedish manufacturer Yubico offers good encryption keys. The best choice would
be to go for the blue security key, which works with all major online services.
You can buy two of them for 49 USD. Yubikey 5 with nfc (45 USD) works with
Android phones, but functionality on iPhones is limited. There is also a version
that uses usb-c ports, which costs 55 USD.


TURN OFF AUTOMATIC COMPLETION AND TURN ON THE AUTOMATIC LOCK

Some password managers offer the option to automatically fill in your passwords
on websites. This is not secure. A hacker could fool your password manager with
a fake page. That’s why you should turn off this option.

It’s also smart to have your password manager lock itself automatically if you
haven’t used it for a certain period of time. That will keep your digital vault,
filled with your passwords, from being exposed any longer than necessary.


THE SMARTPHONE AS ESPIONAGE DEVICE

Smartphones are ideal devices for spying. Intelligence agencies 🕵️ can tap your
phone and request its location, or hackers can break in and turn on your
microphone and camera. Be aware of this.

Android and iOS keep track of where you’ve been 🔍 by default, and this
sensitive information could be shared with third parties. Both Android and iOS
allow you to turn off this feature, after which your phone won’t constantly keep
track of your location. This doesn’t prevent a hacker or intelligence agency
from tracking your location using your smartphone, however.

One extreme measure is turning your phone off and keeping it in a Faraday-cover
(which you can make yourself) or putting it in a microwave (which you should
never turn on if your phone is in there). That’s the only way to be absolutely
sure that no one can track your location.


FURTHER ENHANCE THE SECURITY OF YOUR SMARTPHONE

There are highly secure versions of Android that you can install on your phone,
such as CopperheadOS and GrapheneOS. These Android versions have extra security
measures built in and try to minimize the vulnerabilities in the system.

If you want to make your own Android phone even more secure, follow this manual.
It provides a number of useful tips, including the necessary steps to disable
Javascript via Chrome > Settings > Site settings > Javascript. A lot of websites
will stop working after that, but it makes your device a lot safer.

For iPhones it is recommended to disable iMessage and FaceTime via Settings >
Messages / FaceTime. These two services were shown to contain vulnerabilities in
the past. You can also disable AirDrop via Settings > General > Disable Airdrop,
and Javascript via Settings > Safari > Advanced. The iVerify app offers a few
more tips.

One last general rule: use your browser instead of apps, as much as possible.
Other apps may contain vulnerabilities, while the browser is usually one of the
most secure apps on your smartphone 👍.


FURTHER ENHANCE THE SECURITY OF YOUR WINDOWS COMPUTER

Hardentools is an application designed by a group of hackers and cyber security
experts. It disables vulnerable parts of Windows, making it harder for hackers
to take over your computer. Take note that the application may also disable
things you’re actually using, like certain functions in Office or Adobe Reader.
If some part suddenly stops working, you can always switch it back on ⏪ via
Hardentools. At your own risk, of course.

There is no such tool for MacOS, but you can follow this long manual or
step-by-step plan. Be warned though. If you’re not sure what you are doing, you
run the risk of rendering your computer unusable.


BE WARY OF BACKING UP CHATS IN THE CLOUD

Many chat apps offer the option to save your chats in the cloud ☁️, via Google
Drive or iCloud. Be cautious of this. All messages are encrypted with end-to-end
encryption as soon as they’re sent, but they lose their encryption as soon as
the messages reach your phone, otherwise you wouldn’t be able to read them. If
you choose to back up your messages, they’ll be uploaded to the cloud without
encryption. An intelligence agency could request your chat history. Also note
that your messages can be backed up unencrypted by the people you’re chatting
with.


SAFE SECRET QUESTIONS

Answers to secret questions are often (mostly unintentionally) available online,
like the name of your first pet 🐱 or your mother’s birth place. If a hacker
correctly answers your secret questions, they can reset your password and get
access to your online accounts, and lock you out in the process. You’re much
better off answering secret questions with random answers, and saving those
answers using a password manager.

Do note that, in some cases, your answers may need to be spoken out loud. When
you’re calling customer service, for instance. Instead of a complicated sequence
of numbers and letters, you can also pick four random words, like
fox-sandwich-bike-wedding, as your answer.


DIGITAL WEAK SPOT: YOUR PHONE NUMBER

Your mobile phone number 📱 might seem safe, but in reality it’s often the
weakest link in your online security. The number can give access to a password
reset, and as a result, the loss of one of your accounts. Hackers are aware of
this. They might try to hijack your phone number by calling your mobile carrier,
pretending to be you. These attacks are referred to as sim-swapping. If a hacker
gains control over your mobile phone number, they also gain access to the online
accounts linked to that number.

This is why you should ask your mobile carrier to set a password before helping
you (or someone pretending to be you) with any customer requests. That way, the
next time you call 📞 them, you’ll have to tell them your password in order for
them to help you. If you really want to avoid becoming a victim of sim-swapping,
you’ll have to remove your phone number from all of your online accounts. It’s
safer to use both a security key and an authenticator app.


MIND LOCATION DATA IN PICTURES

When you use your smartphone to take a picture 🖼️, it stores all sorts of extra
information, such as the date, time and the exact location 🏘️ of where the
picture was taken. This information is also referred to as EXIF-data. When you
share these pictures on Facebook, Twitter, Instagram or WhatsApp, the EXIF-data
is removed automatically. However, when you upload a picture to your website, or
email it, the information can still be accessed by others. If you want to make
sure that the EXIF-data is removed, then use the website ImgClean.io before
uploading or emailing your pictures. ImgClean strips images of this extra
information and lets you download a clean version that is safe to distribute.


SECURE CALLS

If you want to call someone without the risk of having your call tapped 👂 and
your conversation being listened in on, it’s recommended that you use Signal.
Signal encrypts calls with end-to-end encryption. For many people this measure
might be excessive, but for people at risk like journalists and lawyers, it
might be necessary from time to time.

Calling via Signal (and WhatsApp) also protects you from IMSI-catchers. These
devices imitate telephone masts to tap your phone calls and messages.
IMSI-catchers are mostly used by intelligence agencies, but can also be made by
hackers.


ENCRYPTED EMAILING USING PROTONMAIL

ProtonMail is one of the most user-friendly services when it comes to sending
and receiving encrypted emails. The end-to-end encryption only works when both
the sender and receiver are using ProtonMail, however. With other email
addresses, such as Gmail or Outlook, ProtonMail asks you if you want to
password-protect the emails you send to them. The recipient then needs the
password to open the email. ProtonMail does this to add an extra layer of
security. An account with 500MB is free, but if you want more storage capacity
and added features, you have to pay from 5 to 20 USD a month.


BROWSE THE INTERNET USING TOR

The Tor internet browser sends your internet traffic through numerous computers.
This protects your privacy, because websites can’t find out where you’re from
and your provider won’t be able to see what you’re doing on the internet. That
might be handy for some people, but it can be an actual lifesaver for others in
countries like Iran and Russia. Tor also lets you visit blocked websites, which
is especially useful in a country like Turkey.

Tor also offers access to the dark web, which is the part of the internet that
you can’t visit with a normal internet browser. On the dark web you’ll mostly
find marketplaces for drugs and weapons, websites that share child pornography
and nazi communities.

> The downside of Tor’s anonymity is that it can also be used with nefarious
> intent.

Make sure you really need the Tor internet browser. Are you leaking confidential
information to the media? Then use Tor in a public coffee shop with WiFi to
maximise your anonymity. The internet is a lot slower using Tor, however, so
don’t use it to stream Netflix 📺. Websites can also see that you’re using Tor
to browse the web, which sometimes prompts them to prevent your login attempts.
Therefore, it’s not recommended to use Tor to conduct online banking, for
instance.


USE PGP (BUT ONLY IF YOU REALLY HAVE TO)

PGP, which stands for Pretty Good Privacy, is used to encrypt the contents and
attachments of emails with end-to-end encryption. It’s been one of the best ways
to encrypt your emails for years, but it’s also very complicated to use. Think
about whether you really need PGP 🤔. It’s easier to use Signal.

If you need PGP but don’t know how to set it up yourself, then check out Keybase
first. Keybase is a social network that allows you to encrypt messages with PGP
quite easily. Do you need more PGP features, such as file encryption? Reach out
to an expert for assistance.


OPENWRT ON YOUR ROUTER

A lot of manufacturers stop updating their routers after a certain time.
Therefore, it’s advised to install OpenWrt. The software is available for all
sorts of routers and is regularly updated to fix security vulnerabilities 🐛,
but is also difficult to install.

OpenWrt doesn’t work with WiFi modems that are provided and managed by your
internet provider. You can, however, buy your own router and connect that to
your internet provider’s modem. Set your WiFi modem to Bridge/DMZ mode, so the
device only forwards the internet connection.


CHAT USING OTR

Off The Record (OTR) is a safe way to chat with people, just like Signal. OTR is
used with an email address and an app on your desktop (Adium for MacOS and
Pidgin for Windows and Linux) or smartphone (Conversations for Android and
ChatSecure for iOS). These apps let you chat with other OTR users, but most
people would still prefer Signal.


RUN YOUR OWN VPN

If you’re technically savvy, you can take matters into your own hands and run
your own VPN. The easiest option is Algo, which you install on your - preferably
new - server. You’ll manage your own secure internet connection and can connect
all your devices to it. Because Algo is easy to configure, you can also use it
to set up a temporary VPN.


BE WARY OF CERTIFICATES

Hackers sometimes try to install their own certificates on your computer,
smartphone or tablet, which allows them to keep track of what you’re doing, even
when you’re using https-secured websites. Usually, a victim is lured into
installing a certificate on their device to gain access to a public WiFi
network. In general, people shouldn’t ever have to install a certificate, so be
extra cautious when you’re being asked to do so. If necessary, ask whoever it
may concern whether the requested installation is legitimate.


USE A PRIVACY SCREEN

A privacy screen is a screen-film you place on your smartphone, laptop or tablet
screen. These screens block viewing angles, except for when you’re looking
straight at your screen, making sure that no one can see what you’re doing 👀 on
your devices. If your phone is lying face-up on a table, you’ll have to pick it
up and look straight at it to be able to read or see anything. Fellowes sells
good privacy screens, from 30 to 70 USD.


USE A ‘USB CONDOM’

Yup, ‘USB condom’ sounds pretty gross, but a USB Data Blocker like one from
PortaPow does exactly what that implies: it doesn’t transfer any data, only
electricity, when you’re charging a device via the USB port on your computer.
This prevents any malware from getting installed on your smartphone or tablet.
If you want to charge your device using an unfamiliar computer, a USB Data
Blocker prevents all malware attacks.


TAILS AND QUBES

These two operating systems are for experts only, because they’re difficult to
operate. Tails runs from a flash drive that you connect to your computer,
and Qubes has such an option too. Disconnect the flash drive from the computer
and your PC will have no recollection of what you’ve done on it in the meantime.
Tails protects your privacy and offers all sorts of apps to do so, like Tor,
Thunderbird and PGP. Qubes offers the best protection and is used by people who
are targeted by (state-sponsored) hackers.

But remember: if you lack technical knowledge, using one of these operating
systems can reduce your online security. Sometimes it’s better to stick to
devices and services that you’re comfortable with. Don’t use them just because
you think it’s safer. And with that important piece of advice, this expansive
manual comes to a close.


--------------------------------------------------------------------------------


CLOSING NOTES

This expansive manual was created with the help of six professional hackers:
Maarten van Dantzig, Rik van Duijn, Melvin Lammerts, Loran Kloeze, Sanne
Maasakkers and Sijmen Ruwhof. The wonderful illustrations are made by Laura
Kölker. Copy editor Marcel Vroegrijk made sure that everything reads well. The
original Dutch version of Watch Your Hack was lovingly translated into English
by Kevin Shuttleworth and, once again, edited by Marcel Vroegrijk.

Do you know anyone that could use some security tips and tricks? Send them a
link to this website. You could, for instance, use email, Twitter, Facebook and
WhatsApp to share the link. Do you have any comments or suggestions? Let me know
via Twitter (@danielverlaan) or send me an email.

You can also donate 💰 to support Watch Your Hack. Wire an amount of your
choosing via PayPal, so I can buy myself a craft beer 🍺. Cryptocurrencies are
also accepted:

bitcoin: 1Psq1MmgPSKy8npnAvZASdtPD18EV61U3k
ethereum: 0x264510031A8F0b55432232F65337a67cA3Eb23bB
litecoin: Lg8sxK3bk4zvdmpHHLsV76gsw9v8wbAk2S

Watch Your Hack V7.3 (changelog)
Thanks to iA Writer for their Duospace-font
❤️ Lovingly built using Jekyll
© Daniël Verlaan, 2021