Make sure that image loading is turned off when you check your email on your laptop and phone. There are services that will notify the sender of an email when you open a message and sometimes even from where.
These services work by sending an invisible pixel that loads just like an image would. You may want to test some of these services (such as ToutApp or Yesware) to see what kinds of information they make available about people.
To turn off images in Gmail, click on the Gear icon, and then go to Settings->General->External Content. There’ll be a button that says “ask before displaying external content.” You can choose to allow or block images from specific senders.
It’s not just image loading that can give away your location, though. Checking into places on social media or registering publicly for events can do that as well. Eventbrite, Meetup, and other places may publish their guest lists publicly or make that information available to other members. Both Facebook and Twitter allow you to post your location as well, so double-check your settings. (Facebook’s Privacy Checkup can give you all sorts of information about what you’ve shared and are sharing.) You may feel comfortable publicizing this information. Just make sure you’re doing it deliberately and not signaling that your home is empty to thieves.
Malicious links or attachments can be harmful to your computer or other devices. Obviously, it’s a bad idea to click on spammy links, or to open attachments from strangers (especially .exe ones). That doesn’t mean you necessarily need to stop clicking on links or opening attachments altogether, though.
There are several options to keep you more secure:
If you use Gmail, you can open an attachment within Google Drive for some added protection.
For links, try hovering over them to make sure the text on the page matches the actual URL. You can Google the URL or an article title instead of clicking on a link directly.
If someone’s sent you a shortened URL and you would like to expand it before deciding whether or not to click on it, LongURL allows you to do so.
You can scan suspicious links using a tool like VirusTotal. It is a free service that lets you scan suspicious links and attachments to see if they contain viruses, worms, trojans, and other types of malware. VirusTotal isn’t foolproof, but can reduce your risk of opening a malicious file. You’ll be sharing that file with the security companies so they can improve the scanning products.
Whether you’re on your phone, your laptop, your tablet, or a desktop computer, there’s never a convenient time to install patches and updates. It’s easy to continue blowing this off.
While you may not want to set everything up to update automatically, try not to put it off forever, either. Making sure you’ve got the newest software updates and bug fixes is an effective way to mitigate security risks and ideally patch up vulnerabilities before anyone can exploit them on your devices.
Check all of your electronic devices to make sure your apps and software are up-to-date. (If you’re curious, you can often check to see what’s new in the apps you’re updating, though sometimes serious security risks are downplayed as ‘minor fixes.’)
In addition to protecting your online data, you’ll want to protect your physical devices too. Some of this is common sense, like making sure not to leave your laptop and phone unattended. It’s also a good idea to be careful when plugging USB devices into your computer, since they may contain malware that could damage your system or expose your personal information. Only plug a USB device into your personal computer if you trust the person who gave it to you.
You’ll also want to make sure your computer has full disk encryption. That way, if someone steals your laptop and copies the files, they’ll just see a jumbled mess. If you’re on a Mac, go to System Preferences -> Security and Privacy and turn FileVault on. You’ll want to keep the backup key in a safe location. If you’re a Windows user, follow the instructions to turn on BitLocker here: https://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.
Make sure to back up the data on your computer to an external hard drive kept in a separate, secure location so that you’ll have an extra copy of your data available in case of theft. You can set a calendar reminder to back up your data at regular intervals.
You’ll want to encrypt your phone as well. Ars Technica’s encryption guide has step-by-step instructions for how to do that on an iPhone (which is encrypted by default, but the encryption isn’t automatically tied to a password only you know), as well as Android and Windows phones.
Adobe Flash has a long history of security vulnerabilities, but uninstalling it completely can make many sites unusable. A good middle ground is to enable click-to-play, which will allow you to selectively use Flash. You can whitelist specific websites, choose to allow all plugins on a page during a specific site visit, or just click on grey boxes with Flash content when you want to play a specific video.
You’ll want to avoid using Flash Player on sketchy sites you’ve never heard of (especially those without https), but be aware that even sites you trust can be vulnerable, since many serve content from third-party ad network partners. If a popular site is infected with malicious advertising, you’re still somewhat vulnerable, but limiting Flash usage to sites you select will lower your risk. Additionally, enabling click-to-play will improve your browsing experience by making things faster to load, improving your battery life, and by decreasing ads and pop-ups.
When someone tries to reset a password, they’re often able to do so by answering security questions. Unfortunately, many of these questions are asking for information that’s either publicly available or very easy to find: Your date of birth, the name of your first pet, or your mother’s maiden name, for example. If an account doesn’t have two-step verification and you’re concerned about the possibility of someone trying to reset your account, consider giving the wrong answers for these questions.
You can make up a false location, date, or name, or answer a different question than the one asked: giving a place of birth when asked about a maiden name, for example. The only drawback with this approach is that it can, of course, be difficult to remember what your security answers are, so make sure to store them in a safe place.
The best way to keep your online account secure is by using strong, unique passwords. That means that your password has to be complex enough that it’s hard to crack. You should also use a different password for each account in case one gets compromised. An easy way to memorize complex passphrases (which could be combinations of symbols and numbers and random letters) is to let a password manager do it for you.
Download a password manager such as 1Password (around $50) or LastPass (which includes a free option or a $12/year one). Start generating new, unique passwords for your credit cards, bank accounts, social media accounts, email, domain registrar, hosting provider, cell phone company, etc. Accounts that are linked to your bank account, such as ones you buy books or food from, should also be changed. Changing passwords on all of your accounts can be time-consuming, but if you install a password manager, you can just change them as you use them. Make sure to save the new passwords to your password manager.
In addition to changing your password for each site you use, you may want to change your recovery email address for them as well. Consider creating a separate email account for password recovery requests, so that if you are somehow hacked, you can see all of the password reset requests in this email account and have a checklist for what needs to be reset. Keep this account secret. (Remember that keeping the password for your recovery email account secure is paramount, since all other accounts use password reset emails as a verification mechanism.)
A third-party application is a product that’s not part of the main service that you’re using, but that has access to your main account or its credentials. For apps that you aren’t using regularly, consider revoking access to third-party application permissions from Twitter, Facebook and your phone.
For example, Hootsuite is a third-party application that works with Twitter. When you link up a third-party app with your Twitter account, you will see a screen asking for permission for the app to use your account. The third-party service will detail what the application will and won’t be able to do. Typically, apps can see your email address, read your Tweets, see who you follow, follow new people, update your profile, and even post Tweets. Most of these apps don’t actually do all of these things, but some third-party applications don’t have security standards as high as the ones the ‘mother’ service uses.
Check out Twitter’s explanation of which apps you may want to give your username and password to and which ones you might not want to trust with that information. Then revoke access for any unnecessary apps in the Applications tab of your settings page. Facebook has that information as well. (Be aware that revoking third-party app permissions may mean you’ll need to manually log into certain apps if you want to use them on your phone.)
One of the best ways to keep your communications safer is to use end-to-end encryption, which encodes your messages in a way that only an authorized recipient can read them. Many options exist, but they’re not always easy to set up or use. Open Whisper Systems’ free and open source apps are an exception, and they allow iPhone and Android users to make encrypted phone calls and send secure text messages, pictures, and videos to one another for free. (Texts sent via iMessage are encrypted between iPhone users, but not between iPhone and Android.) Calls and text messages use data, so you won’t have to pay SMS or MMS fees.
After registering and verifying your phone number, you’ll see which of your contacts are already using the app. When making an encrypted call, you’ll see a random pair of words that you can exchange with the person you’re speaking with. This pair of words should be identical on both phones.
Consider installing browser extensions or plugins to help minimize your online footprint. These tools primarily protect you from advertising, or from companies tracking you across multiple sites through cookies and other methods that track your browsing habits. However, this type of blocking also helps minimize the personal information websites can find out about you, which helps prevent them from being compiled or winding up online.
Ad blockers, such as Adblock Plus or Ghostery, will block out many ads and also protect you from ad-based malware being served through sites you trust. AdBlock relies on an external filtering list created by its users. Ghostery lets you see some of the trackers placed on web pages and lets you learn more about the companies working behind the scenes, so you can block scripts, images, etc. from companies you don’t trust. Sometimes these extensions make it difficult to use sites that you’re on, in which case you can selectively turn the block off for those URLs.
Privacy Badger doesn’t block all ads, but it will protect you from third parties trying to track you through spying ads or invisible trackers. It works with most antivirus software and trackers; however, it is not compatible with the Avast antivirus extension. The cool thing about Privacy Badger is that if it renders a site unusable, you can look at a list of potential culprits and adjust the slider setting to improve functionality.