Watch Your Hack

Are you worried your ex might have invaded your Facebook account? That your computer is being held hostage by ransomware? Or that hackers are pillaging your bank account?


contents: what are hackers . the basics . computers . phones & tablets . social media . chatting & phone calls . advanced . closing notes

change: font . bigger . smaller . Dutch 🇳🇱


This manual explains how to protect yourself from hackers, in layman’s terms. Six professional hackers 👨‍💻 helped create this guide.

Watch Your Hack doesn’t guarantee complete and total safety. Such a thing doesn’t exist on the internet. You can, however, make life as difficult as possible for hackers and viruses by using these tips.

Now, before we start: don’t go cowering behind your computer. The chances of a hacker targeting you in particular are very slim. Most dangers stem from the fact that many people lack general knowledge about the internet and computers, which can be exploited. So let’s get you up to speed with the most important information. 👍

What are hackers

Hackers

Hackers generally exploit vulnerabilities on the internet or in the devices we own. There are roughly two kinds of hackers: white hat and black hat. White hat hackers 🤠 seek out (and sometimes publish) vulnerabilities to get companies to fix them, making the internet a little bit safer, one discovery at a time.

When the media covers hackers, it’s usually black hat hackers 😈. The kind without good intentions, who might be looking for ways to steal money or gain access to devices to spy on people. They could also be interested in sensitive files, such as nude pictures or a copy of your passport.

There are also hackers who try to gain access to other people’s devices for, well, fun. These (mostly young) people think of hacking as mere mischief. They should still be taken seriously though, despite their seemingly innocent motives.

Finally, some hackers work on behalf of governments. Hackers employed by secret services 🕵️ or the police 👮 are the most dangerous kind, but pose no threat to most people. They usually hack terrorists, criminals and hostile regimes.

How do hackers usually get into your devices, computers and online accounts?

Hackers often start by stealing your password. Sometimes there just isn’t much you can do about this. If a website where you have a profile or account gets hacked, for instance, hackers could use your password and attempt to log into your other accounts, such as your Gmail.

You might have also given out your password by accident. This happens via phishing, which is a type of internet fraud that criminals use to try and get their hands on specific login information. You’ve likely received a phishing email before. This might have been a fake message about your bank account being blocked or a reminder about a non-existent bill you haven’t paid.

Hackers also use email attachments. When you open an attachment that contains a virus, your computer gets infected. This method is often used for spreading ransomware: a type of virus that renders your device inoperable by locking all of your files. The hackers will then demand money in exchange for handing over control of your files back to you.

Viruses - also referred to as malware - also spread through downloads such as torrents or installation files for a piece of software you want to use. You might think that you’re downloading a movie or some software that helps keep your computer fast and tidy, but in reality, you’re endangering yourself by reeling in a virus.

A virus could also just end up on your computer through online ads and websites that have been hacked. Even trusted websites can, unknowingly, spread viruses. If you don’t update your software and your computer, you’re at risk of being infected by these kinds of viruses.

Hackers can also infect your computer by using a flash drive. This method is less prevalent, but still poses a substantial risk. It could be a flash drive that you just ‘found’ on the street or that was given to you by someone. Anyone with harmful intent can just pop one into your computer if you’ve gone off for a quick toilet break.

Back to top ↑


The basics

The basics

Now that you know what hackers are and how they usually try to gain access, you can start applying some tips 💡. These are the basics: a simple list of measures everyone should take.

Updating

Lots of people consider updating to be time-consuming. In some cases that’s true, but it’s also the most important form of protection ❗ to employ against hackers. Many hacks are successful because they exploit out-of-date software. Those contain many vulnerabilities that get fixed through security updates.

The older the software, the easier it is for hackers to gain access.

Software runs on all kinds of devices: Windows or MacOS on your computer or laptop, and Android or iOS on your mobile devices. Even your router and other smart devices in your home run software. Make sure to check those regularly - once a week - in case there are updates available for your devices, and install them as soon as possible ⏰. In some cases updates can be installed automatically. Windows, MacOS and the Google Chrome internet browser support this feature.

It’s also important to update your apps and the software installed on your computer, such as your internet browser, PDF reader and Microsoft Office. You will often receive a notification if a new version is available.

Passwords

Nowadays you need an account for practically every website or app, and all of them require passwords. As human beings we have trouble remembering lots of different passwords, so we often resort to using the same one for several accounts.

While that does make things a lot easier to remember, it’s also very very dangerous ⚠️. If a hacker gets a hold of your Spotify password, you wouldn’t want that hacker to be able to gain access to your bank account as well. And if you share your Netflix password with a friend, that person shouldn’t be able to use it to log into your Gmail or Facebook.

That’s why it’s very important to use a different password for each website, app and service. Simply changing one digit 1️⃣ or letter 🅰️ won’t do. Those kinds of variations are easy to guess. Thankfully there’s a handy solution for this problem: password managers.

Password managers

A password manager stores all of your passwords in a digital vault 🔑 and secures them with one single master password. That way, you only have to remember one password to access all of your accounts. These apps can easily generate very complicated passwords, like 6ur7qvsZpb0ZkcuSW1u!V8ng!L^lb. A password like that can’t be guessed or cracked.

Password managers can also fill out your login information when you’re visiting a website for which you have a password stored. This alone protects you from a lot of attacks. If a website address is incorrect, such as wellsfargo.mybanklogin.com, the password manager won’t fill out your Wells Fargo login information. You can also use a password manager to save notes 📓, such as login codes, secret keys and answers to secret questions.

Good password managers are Bitwarden, 1Password and KeePass. If you’ve never used a password manager before, trying the free version of Bitwarden is a great way to get started.

Bitwarden (free)

Bitwarden iconBitwarden has become very popular over the past few years, and for good reason. It’s open source, there’s an app for practically every platform and, last but not least, you can use it for free. For 1 USD per month you’ll get access to some more advanced options and 1 gigabyte of storage for your files. If you’re willing to pay 3 USD per month, you can share passwords with family members. As long as you understand how it works, you can even opt to manage your own Bitwarden cloud.

1Password (3 USD per month)

1Password icon1Password is known for its sleek design and good apps that work on a variety of devices. The app has got a handy internet browser extension that generates passwords and fills them out for you when visiting websites you can log into. A 1Password subscription works with a special type of security (a secret key), requiring you to fill out dozens of numbers and letters to gain access to your account.

KeePass (free)

KeePass iconKeePass is viewed as the safest password manager, because many security experts use the app and draw on their expertise to make it even safer. The downside is that the app looks quite old-fashioned, like some ancient Windows XP software. Fortunately the KeePass community is full of passionate developers who make great looking apps for KeePass, such as MacPass for MacOS. A good alternative is KeePassXC, in many ways a better and more complete version of KeePass, which is also being updated by a group of enthusiastic developers.

You might think: is a digital safe, well, safe? That’s a good question, and an understandable concern: password managers are sometimes hacked. Therefore, it is very important to use a good and strong password to keep your digital safe as secure as possible.

In general, a password manager is always better than using the same or similar password for every website.

A strong password

Websites and apps often ask you to use a password with digits and numbers. But what’s a strong password? Many people consider P@ssword007 to be one, but in reality it’s quite easy to crack 🔨 for hackers. That’s why you might want to consider thinking in passphrases instead of passwords.

Phrases are long but easy to remember, which are two prerequisites for a good password. A passphrase like I eat 2 whole pizzas every week is easy to remember and quite difficult to crack. Don’t hesitate to use spaces in your passwords; an option that often gets overlooked.

It’s also possible to create a password by putting seemingly random words together. Use Diceware if you choose to do so. Diceware is currently the safest way to create a password you can actually remember.

The best way to save passwords: a summary

Other ways to save your passwords

iCloud Keychain

Keychain iconThe iCloud Keychain is a handy way to save passwords if you want to stick to using Apple products 🍏 . Keychain can generate passwords and automatically fill them out when you need them. The options are somewhat limited when compared to other password managers, but Keychain is a safe choice, if - and that’s a big if - you secure your iCloud account with a strong password and two-factor authentication.

In your browser

Chrome iconBrowsers like Chrome and Firefox offer the option to save passwords. It’s a pretty easy way to log into websites you use often, but the downside is that browsers usually generate weak passwords. A password manager is a better choice.

A password book

Book iconPen and paper 📝 can also be used as a password manager. Make sure to use unique passwords and store them with care. And create a copy that you store in a physical vault, should you need a backup. When you’re expecting company - like friends, family, a mechanic or plumber - take extra care not to leave your list of passwords out in the open.

A useful tip is to have all of your passwords start with the same word, which you don’t write down in your password book. Simply remember it. If someone gets a hold of your password booklet, they still won’t be able to use any of the passwords you’ve written down, because they’re missing one essential component that’s safely stored in your brain.

Keep track of stolen passwords

No matter how strong your password is, it could still get stolen. That’s why it’s important to check whether your passwords have been stolen by hackers. The website Have I Been Pwned keeps track of hacked websites and warns you when your information pops up. With the single click of a button, you can see if any one of your accounts has been compromised. It’s recommended to do this every now and then, just to be safe.

If you sign up for Have I Been Pwned, you even get a notification 🔔 when the system detects your email address in stolen files. That way, you’ll know exactly which of your passwords has been stolen, based on the service or website it was taken from. If the site finds your email address amongst stolen files, you should immediately change the corresponding password. If you do that, the biggest threat - a hacker logging in using your password - has already been averted.

Two-Factor Authentication

To limit the consequences of a stolen password, you can use two-factor authentication (2fa), which is a relatively new security method.

You can activate two-factor authentication via the services you use, if they support it. After logging in with your username and password, from now on you’ll have to complete a second step. Usually, the service will ask you to enter a code that’s been sent to your smartphone (using text messages or so-called authentication apps).

Please, just use two-factor authentication

Why go through all this trouble? If a hacker manages to get your login information, that person will also need the code that is sent to your phone as soon as they try to log in. It’s highly unlikely that they can access your phone as well ⛔. Two-factor also alerts you to malicious login attempts, for instance when you receive a code out of the blue. That way, you’ll know someone else has tried to gain access. You can check which services, apps and sites support two-factor authentication on this website. Google, Apple, Facebook, Instagram, WhatsApp and Dropbox are just a few of the services offering two-factor authentication features.

Login codes via text messages

Receiving login codes via text messages is easy: you link your phone number to an online service and enter the code that is sent to you to log onto the corresponding website or app. Hackers can get access to these login codes by intercepting your text messages 💬, but for most people this form of security is sufficient.

Codes via authenticator apps

A safer way of two-factor authentication is to use an authenticator app. These apps let you scan a QR-code, which is like a barcode for your smartphone’s camera. The QR-codes are provided by the service that you want to secure. After you scan the QR-code, a security code appears on screen for 30 seconds, after which a new code will be generated. These random codes allow you to authenticate your login attempt, letting the online service know that it is really you who is trying to access your account.

Authy screenshotThe apps of 1Password, Authy, Google and Microsoft can read these QR-codes to generate login codes. Microsoft’s app lets you log into Outlook automatically.

Take caution when using Google Authenticator, however. If you lose the phone on which you’ve installed the app, or if it gets reset, you will lose all of your login codes. You have to backup yourself through the settings of Google Authenticator. The other authenticator apps mentioned above can synchronise codes across all devices on which you’re using them.

Check the lock symbol (but don’t trust it blindly)

The lock 🔒 in the address bar of your internet browser shows that you’re using an encrypted connection. This means that the information that you’re entering on the website, like your password or credit card information, is being sent securely and can’t easily be intercepted by a hacker. Make sure you only enter sensitive information on websites that show this lock in the address bar. If the website address starts with https://, that also means it’s secure.

The green lock

Also be aware that the lock icon doesn’t mean you can actually trust the website you’re visiting 🚫. Many phishing websites designed to steal your login information use the lock to try and gain your trust. Pay extra close attention to the website address, and check whether it’s correct or not.

Run backups

A backup lets you access your files if something goes wrong. What if your computer breaks all of a sudden? What photos 📷, videos 📹 and documents 📃 do you really want to save, and which files do you need for your administration? Those are the files you should back up.

A backup safeguards your important files, even if your computer breaks down, your phone gets stolen or ransomware makes your computer inaccessible. A backup will get the show on the road again in no-time.

It’s recommended that you keep both online and offline backups. You can create online backups with a cloud-service ☁️ like Dropbox, and offline backups using an external hard drive. Make sure you check whether all saved files are still there and working properly every now and then.

Recognise phishing

Phishing attacks are usually easy to recognise. Take a fake email which was seemingly sent by Bank of America, for example. The email claims that your debit card has been blocked, even though you don’t have an account with Bank of America 🏦. Logical thinking goes a very long way when it comes to protecting yourself.

But phishing emails can also look very realistic. Therefore, it’s always a good thing to check the sender’s email address. If the sender uses @bankofamerica.bankmailservice.com, you will know that the email wasn’t actually sent by Bank of America. If it was genuine, it should say @bankofamerica.com.

Pay attention to strange or incorrect use of language. Many phishing emails contain grammatical and spelling errors and they might address you with Dear sir/madam. Most organisations know who you are and address you with your first name.

Often times phishing emails try to scare you 😨 by claiming that your bank account has been blocked or that you have outstanding debt that needs to be paid. They might even claim that you’ve won something 🤑. If you’re unsure about the nature of an email, call the organisation that allegedly sent the email. Don’t use the phone number listed in the email though! Look it up on the official website.

Before clicking a link in an email, always check its authenticity. You can do this by hovering your mouse 🖱️ over a link without clicking on it. The web page where the link wants to take you will appear on your screen. You should be able to see whether it is a valid link or a phishing attempt. On a mobile device, you can press and hold the link to copy it. Create a new email and paste the link into the body of the email to read the complete web address.

If you don’t trust an email or the links in it, use your internet browser to go to the website of the organisation the email claims to be from, and log in there. Usually, you’ll find all recent invoices and messages there. You can always call 📞 the organisation to ask whether an email you received is actually sent by them.

An important rule to live by:

If it seems too good to be true, it probably is.

If you have a Google account, Password Alert - an internet browser plugin - can be a big help. Password Alert sends you a warning when your Google password gets entered on a fake login page. Installing this official Google plugin can be a lifesaver, given how important Google and Gmail are to a lot of people.

It almost goes without saying that you shouldn’t just click on any link, even if it’s sent by a friend or colleague. This is good advice for whatever situation you’re in; whether you’ve received a link via email, through social media or in a text message. A smartphone can be hacked by pressing the wrong link.

This doesn’t happen often, so don’t get scared of every link you receive. But if you don’t trust it, inspect the link 👓 first using the methods described above.

Be careful when opening email attachments and documents

Email attachments require caution, just like links on the internet or in text messages. Attachments are a common way for viruses to spread, which may give hackers access to your device in the process. These viruses are usually hidden in a seemingly innocent attachment, like a Word document. Hackers can also hide their viruses in other places, like in Excel, PDF, ZIP or EXE files.

Word and Excel documents you can open safely, generally speaking. But beware of a large yellow bar at the top of your screen. If you see one pop up in the document you just opened, do not click on the button inside of the bar ⚠️. Especially not when you’re being prompted to click on it. The yellow bar could indicate that the document is infected with malware. If you don’t trust the source of the document or the document itself, make sure to open it in Google Docs. That way your computer won’t get infected if the document does in fact contain a virus.

Kijk uit voor de gele balk

The best way to open PDF files is via your browser, by dragging the file to a (new) tab. Or you can right click on the file and choose Open with > your browser of choice.

There’s another way to safely view documents. The free application DANGERZONE for Windows and MacOS converts potentially dangerous photos, PDF and Office files in such a way that they are safe to open 👍.

Take extra caution before opening EXE files. There are very few instances where that’s necessary. The exception is to install an application. Clicking on an EXE file is never required to view a document 📄, for example. When it comes to ZIP files, you can safely extract them. Do follow the precautions mentioned above before opening the files inside.

If you don’t trust a file, you can download it ⬇️ to your computer, but don’t open it! After downloading the file, upload it to VirusTotal. VirusTotal is a website that analyses files and tells you if they contains viruses. Do take note that Google and VirusTotal will have access to your file after uploading it.

It’s also recommended to turn off the hide file extensions option for Windows and MacOS. This allows you to immediately see the actual extension of a file, such as .docx or .pdf.

Be wary of public WiFi

Public WiFi networks, such as Starbucks WiFi, are not safe. Hackers can track your browsing habits and try to steal your login information. Use your 4G connection instead, or create a password protected hotspot on your phone. A hotspot (Android, iPhone) lets your laptop connect to the internet via your smartphone’s 4G connection.

If you insist on using public WiFi networks, make sure you only log in to websites that display a lock. Websites with a lock encrypt the information you enter, which prevents easy access by hackers. This advice also holds up for WiFi networks of restaurants 🍟 and hotels 🛏️. These might be password-protected, but are still being used by a lot of people.

Pay attention to welcome screens when connecting to public wifi networks. These pages may ask you to install an app, certificate or a piece of software. Connecting to the internet doesn’t require you to do this, so it might be sign of hackers trying to gain access to your smartphone or laptop. If you have doubts, ask the network provider if the request is legitimate.

Finally, it’s important to realise that a password-protected wifi network isn’t necessarily safe. These wifi networks can also be under a hacker’s control.

Use a VPN

It’s also strongly recommended that you use a virtual private network - VPN for short - as soon as you connect to a public WiFi network. A VPN builds a digital tunnel for your data traffic. That way, others won’t be able to see what you do on the internet, protecting you against hackers.

Most people have heard of VPNs because of Netflix. A VPN allows you to trick the internet into thinking you’re in a different country 🌎. By connecting to American servers, users would also get access to the American version of Netflix, for instance.

A VPN also comes in handy if you don’t want your internet provider to know what you do online. You can keep a VPN connection running indefinitely. The one downside is that it can slightly lower your internet speed 🐢.

The best and easiest paid VPN services are Freedome, iVPN and NordVPN, costing three, five and seven USD per month respectively. AirVPN and Mullvad are aimed at more experienced users.

ProtonVPN iconNever use a free VPN service. These services are known to sell your private information, like the websites you visit. If you’re short on cash, you can always create a free account at ProtonVPN. This free service is more than enough for those few occasions when you absolutely have to log onto a public wifi network.

Don’t leave your things unguarded

This advice might seem somewhat obvious, but a lot of people leave their laptop open while they’re off using the toilet 🚽. Aside from the risk of your property being stolen, someone could also use your computer with criminal intent while you’re not around, especially when your laptop isn’t closed and locked.

Always set your laptop’s automatic lock to a very short period (one minute). Your device will then lock itself if you have to leave it unattended. This isn’t a perfect safety measure, however. Always try to take your laptop with you if you need to leave your seat or spot. Even if it’s just for a moment.

Back to top ↑


Computers

Computer

Now let’s have a look at the device that’s easiest to hack: your computer 💻.

Antivirus is still useful

Most virus infections happen on Windows computers. These devices come equipped with antivirus software called Defender. Defender is good, but Kaspersky Anti-virus and BitDefender (respectively 30 and 34 USD per year) easily rival Defender.

Defender has a feature that protects your most important folders against ransomware or other harmful software that messes with your files. This feature can be activated by going to Virus & threat protection -> Ransomware protection -> Controlled Folder Access. You can also add extra folders there, such as a folder with important business documents or pictures of your family 👨‍👨‍👧.

The use of 0Patch (free) and Hitman Pro.Alert (35 USD per year) is also recommended. You can run both programs alongside antivirus software. This will protect you against malware that uses vulnerabilities in your computer to, for instance, track all the keystrokes made on your keyboard ⌨️.

If you own a Mac computer, you don’t necessarily need an antivirus. The Mac’s operating system makes it harder for malware to infect your computer. That’s why there aren’t a lot of viruses in circulation on Apple’s operating systems. If you still want an antivirus, then Kaspersky Anti-virus (60 USD per year), BitDefender (39 USD per year) or ESET Security (30 USD per year) are solid choices.

Objective-See’s free security software for MacOS is also recommended: BlockBlock blocks malware, OverSight blocks webcam spying and ReiKey blocks malware that logs your keystrokes.

Paying for antivirus pays off. Paid versions of antivirus software are often better and more expansive. If you’re not in a position to pay for an antivirus, your best bet is to download and install the free version of Malwarebytes.

Turn on automatic updates

As you might have guessed already: it’s important to update your devices. That’s why we recommend installing updates automatically. Windows and MacOS support this feature, but recently software like Google Chrome have introduced similar options.

If software that doesn’t support automatic updates notifies you of a newly available update, check the legitimacy ✅ of the notification first. Viruses are often spread using fake notifications, like an update for Adobe Flash Player. These usually appear as pop-ups on a website. If you want to make sure the notification is legitimate, then open the software in question and manually check to see if there’s an update available.

Use Google Chrome, along with these two extensions

Currently, Google Chrome is the safest and most user-friendly internet browser. Firefox, Safari and Edge or also solid choices, as long as you avoid using Internet Explorer. Also make sure to install the following two extensions:

uBlock Origin

uBlock iconAdblocker uBlock Origin is a free extension that blocks ads and trackers on the internet. It protects you from so-called malvertising: viruses that spread through online ads. It also locks out organisations and companies that spy on your browsing habits. Contrary to Adblock and Adblock Plus, uBlock Origin doesn’t have a questionable business model. Do note that by using an adblocker, you’re depriving websites of their much-needed revenue. By whitelisting your favourite websites, you’re still allowing a company or person to profit from your visit.

HTTPS Everywhere

HTTPS Everywhere iconHTTPS Everywhere forces a secure connection when possible. If a hacker attempts to intercept your connection to try and send you to a website with an unsecure connection, HTTPS Everywhere will block the attempt. This extension can be downloaded for free.

Pay attention to which extensions you install and don’t install too many. Browser extensions can have quite far-reaching permissions and, in some cases, even see what you type while using your internet browser. Thankfully, you can view which permissions each extension has.

Turn off Javascript and macros, and turn on your firewall

Hackers often use specific features in popular software to infect your computer with malware. By turning these features off, you make their life harder. This specifically concerns Javascript in Adobe Reader and the macros in Microsoft Office. Turn both of them off.

A firewall, on the other hand, should be turned on. It’ll protect you from external attacks. Do this on MacOS and preferably also on your router. Windows’ firewall is turned on by default. If you want some extra protection, take a look at LuLu (free) or Little Snitch for MacOS and GlassWire for Windows. These apps keep an eye 🔎 on what software connects to the internet.

Remove Flash

Flash used to be an important technology for watching videos and playing games in your browser 🎮. The software hasn’t been updated in a long while and is becoming increasingly outdated, making it a security risk. The best option is to simply remove Flash from your computer. Many browsers already have it turned off by default and the recent websites no longer use this technology, so you won’t lose any functionality.

Adobe offers programs to remove Flash from your Windows or MacOS computer.

Secure your router

Many people have trouble configuring their router, the device that lets you access to the internet. That’s understandable: routers are tricky to operate 😕. Every router works differently, so you’ll have to search online to find the corresponding manual. Those manuals can help you implement the following tips.

Flash drives and smart devices

USB stick iconA well-known hacker trick is to let a victim insert an infected flash drive into their computer, after which the device is breached. Always be careful with flash drives, whether you find a stick on the street or someone hands it to you as a gift 🎁. If you don’t trust a flash drive, have a professional look at it or throw it out.

You might also want to think about how much you really need all those smart devices. Do you really need a rice cooker 🍚 that can connect to your WiFi network? Is it really that important that your child’s action figure has a camera that connects to the internet? All of these smart devices are potential access points which hackers can use to breach your network. They can even take over these devices entirely. Only buy smart devices you really need and preferably use well-known brands.

Secure online banking

Some people are scared to do their banking online. No need: online banking has become very safe in recent years. You can use your bank’s website or mobile app to transfer payments 💵. In most cases, the app is the safest option. It’s hard for hackers and criminals to hijack these apps on recent versions of Android and iOS.

Short links are a staple of the internet. They are used to make long links, well, short. Well-known services to shorten links are Bit.ly and TinyURL. Short links are, unfortunately, often used to mask dangerous websites. That’s why it’s never a bad idea to check where a short like is taking you before clicking on it. You can use Urlscan.io to check whether a link leads to a potentially dangerous website.

Cover your webcam and check your surroundings

Criminal hackers can watch you using your webcam. A hacker might blackmail you using intimate pictures and videos of you. For instance, you could be secretly filmed while undressing, masturbating or having sex 🍆🍑. By simply covering your webcam with a piece of tape, you render your webcam useless to any intruder. There are also more elegant options, like Soomz (12 USD for three covers). You can also find many cheap webcam covers on the Chinese web shop AliExpress.

Also take note of your surroundings if you’re using your laptop on a train or in a coffee shop ☕. Can anyone see what you’re typing? Are you sure no one can see personal information on your screen, like a password, home address or phone number? Be aware of the situation you’re in when you’re using your devices in a public space.

Choose a Chromebook

Chromebook iconIf you’re not tech-savvy and just want to be able to browse the web, send emails and watch videos, then a Chromebook might be the way to go. This laptop is cheap and very secure, because it only runs Google’s Chrome internet browser. This makes it hard for hackers to infect your computer with viruses. This laptop lets you do everything you normally do in a browser. If you have a higher budget, an iPad with a keyboard is a good way to go too.

Reinstall your computer from time to time

Try reinstalling your computer once every three years. That means backing up your files 📂, completely deleting your hard drive and reinstalling the operating system (Windows, MacOS). It makes your computer faster and removes any redundant and potentially harmful software.

Back to top ↑


Phones and tablets

Phones and tablets

The smartphone 📱 is the most important device in many people’s lives, which is why it’s incredibly important to make sure it’s properly secured, whether you own an Android or iPhone.

Get an iPhone

Okay, that might sound a little blunt, but iPhones are generally more secure than Android phones. That’s why people who might be at risk of being hacked, like lawyers 👨‍💼 and politicians 👴 usually have an iPhone. iPhones are also guaranteed to receive updates for five years after they have been released.

The safest Android phones are Pixel phones (formerly known as Nexus), made by Google.

Update as soon as you can

This recurring tip is still high on the list: always update your mobile devices as soon as you can ⏰. Updates fix security vulnerabilities that allow hackers to infiltrate your smartphone or tablet. Also regularly update your apps. These can contain security vulnerabilities too, giving hackers access to your private information.

Turn on encryption

Encryption ensures that your data, such as your messages and pictures, are saved in a digital vault 🔑. All iPhones and most Android phones have encryption turned on by default, but some Android phones require you to manually turn on encryption. The option to turn on encryption can be found by going to Settings > Security.

What if, for instance, someone happens to find your phone and connects it to a computer? Encryption ensures this person won’t be able to see all your chat logs and pictures. These can only be viewed if the correct passcode is entered, which is the key to your own digital vault. That’s why using a passcode to lock your mobile devices when you’re not using them is very important.

Use a six-digit passcode and the fingerprint scanner

By using a passcode, you prevent others from accessing your phone or tablet. Choose a six-digit passcode that only you know and don’t pick a standard code like 0-0-0-0-0-0, 1-2-3-4-5-6 or 1-1-2-2-3-3. It’s also not recommended to use your birth date 🎂, just like any other combination based on personal information. iPhones and some Android phones also allow you to turn on an option that completely erases all contents from the phone if the wrong code is entered more than ten times. This can function as an extra security method, but it can also be quite risky if you don’t have a backup of your device.

Fingerprint iconIn many cases, using the fingerprint scanner is easier. It works faster and is safer because someone can’t just copy your fingerprint to unlock your phone. If you want to temporarily turn off your fingerprint scanner, turn your device off and on again. It’ll prompt you to enter your passcode to access your device. If you don’t have a fingerprint scanner on your Android phone, you can also create a pattern to unlock it.

Your SIM card also has a passcode. You can edit this code and change it to a six-digit code in your smartphone’s settings, instead of using the standard 0-0-0-0. It’s a good idea to move all your contacts to your phone and remove them from your SIM card. If you happen to lose your phone, your contacts’ personal information can’t be extracted from the SIM card.

Only install apps from the App Store or Google Play

Most phones that contain malware are infected through apps that were not installed using the official app stores. This usually happens when people want to install a paid app or game for free. That ‘free’ app may have malware hidden inside, used for stealing credit card 💳 information. This goes for both Android and iOS phones.

Android poses another risk: there are lots of apps in the Google Play Store that might seem legitimate, but contain malware anyway. Make sure you do your research before downloading any app. Google the name of the app, read reviews and check to see how many times the app has been installed so far. In short: don’t just install any app on your Android phone or tablet.

It’s also important to check an app’s permissions. A flashlight app 🔦, for instance, shouldn’t require access to your contacts. You can check and edit the permissions of apps on both iOS and Android. For Android, go to Settings > Apps, and for iOS go to Settings > Privacy.

Antivirus for your mobile device

Android users may want to install an antivirus on their smartphone or tablet. ESET (15 USD per year), BitDefender (15 USD per year) and Kaspersky (15 USD per year) are all excellent choices. You can download free versions of the latter two, but those offer less functionality.

iVerify iconInstalling an antivirus on your iOS device is pointless. Apple’s operating system doesn’t grant these apps the necessary permissions to scan your phone or tablet for viruses. You may want to install the app iVerify (2,99 USD) instead, which checks your operating system for abnormalities indicating your device may have been compromised. iVerify also offers a bunch of useful instructions to up your iPhone’s or iPad’s security.

On top of scanning for viruses, there’s a way to monitor which apps on your Android device connect to the internet. You can find out what data is being sent by your phone or tablet. Glasswire, the firewall for Windows, also has an Android app (5USD per year) to block invasive or malicious apps from accessing the internet.

Reboot your device

Restarting your phone or tablet is a good way to protect your device against hackers. In many cases, rebooting gets rid of any malware that was previously installed. Hackers will have a difficult time keeping access to your device after you’ve restarted it. Restarting your phone or tablet on a regular basis (once a week) has an added benefit too: the operating system will continue to run smoothly 👍.

Turn off WiFi and Bluetooth if you don’t need them

Third parties can follow you using WiFi and Bluetooth. They could track the route you take to the bus stop, for instance. If you don’t need WiFi or Bluetooth when you’re on the go, it’s a good idea to temporarily switch them off using your device settings. You’ll also protect yourself from attacks via WiFi and Bluetooth.

If you’ve connected to a WiFi network in the past, your mobile device will automatically connect to that network when you’re nearby. This poses some risk. Hackers often create fake WiFi networks with names that are the same as networks you might’ve been connected to before, like Starbucks WiFi or McDonald's Free WiFi. Because your mobile device recognises these networks, it’ll attempt to automatically connect with them. It’s just another way for criminals to try and monitor what you do on the internet while attempting to intercept passwords and other personal information.

It’s wise to clean up your list of trusted WiFi networks from time to time. If you connect to a hotel’s WiFi network 🏨, for instance, remove the network from your device’s memory afterwards. Do this by opening your device’s settings and pressing forget after selecting the WiFi network in question. You can also set your Android and iOS device to not automatically connect to individual WiFi networks in the WiFi settings.

Don’t show notification previews in lock screens

Notifications can contain sensitive information 🙈, like a password a friend sent you using WhatsApp, or login codes sent via text messages. By hiding notifications in the lock screen (Android, iOS) no one will be able to see the contents. Only after unlocking your phone will you be able to see what the notifications say.

Back up your devices

Backups are incredibly important. Should your phone get stolen, you can always restore the backup on another phone. Google and Apple offer features that completely back up your phone. For many users, pictures are the most important thing on their phone. Back these up with services such as iCloud, Google Photos and Dropbox. Don’t forget to turn on two-factor authentication for these services.

Back to top ↑


Social media

Social media

We share a large part of our lives on social media 🤳. Sometimes a little too much. That may sound like an open invitation for hackers. This method of data collection is also referred to as Open Source Intelligence (OSINT), which can be used in a cyber attack.

Be careful about the information you share

People often post pictures of their passport, driver’s licence and concert tickets on social media. You might think gosh, that’s pretty dumb, and you’d be right. It still happens a lot, though 🤦. The barcode on your concert ticket can be used by anyone, and with a picture of your passport or driver’s license, someone could open a loan in your name.

So be cautious of what you do and post on social media. Do you have an annoying ex who’s keeping tabs on you? Don’t post on social media about where you are at any given time. Waiting for something you ordered online 📦? A hacker could call you, acting as an employee of the web shop in question, to ‘check your information’. It’s mostly a matter of realising what the risks are to you.

Mind your private information

Many companies only require a name, date of birth and address to verify that you are who you say you are. This information is easily found online. People celebrate their birthdays 🎈 on social media and indirectly say where they live, by posting an Instagram picture of their new home 🏠, for example.

Using this method, one hacker has already managed to fool a telecom provider into registering someone else’s phone number to his name. This also granted him access to the victim’s WhatsApp messages. This method of hacking is also known as social engineering; a form of cyber attack that requires manipulation.

The answers to your secret questions can often be found online too. It might be the name of your first pet 🐱 or your mother’s birthplace. Be aware of this fact.

Google yourself

Google iconWhat does a hacker do when they want to collect information about a target? That’s right: google the target’s name. Google yourself regularly to know what personal information is available for anyone to see. You could, for instance, set up a notification that emails you every time your name comes up in Google. In some cases, it’s even possible to have information removed from the search engine.

Set your posts to private, and log out

We post a lot on social media. That’s why it may be wise to set your profiles to private. Do you share a lot of your private life on Facebook and Instagram? Then set your Facebook profile to private (click here to see what that would look like to anyone who isn’t your friend) and lock your Instagram account 🔒, requiring users to ask for your permission if they want to follow you. The same goes for Snapchat.

Twitter is a different story altogether. A lot of users use Twitter to reach as many people as they can. If you have a public Twitter profile, pay extra attention to what you post, from your location to your private information. And log out of Twitter when necessary — especially when you’re using a public computer or a friend’s laptop.

Stay alert with Google Alerts

Google Alerts lets you monitor 👀 online content. Enter your own name as a keyword and you’ll know exactly when your name gets mentioned on any website. You can also monitor more sensitive information, like your home address, email address or phone number. If a website publishes this information for whatever reason, you’ll know right away and can subsequently choose to take action.

Make safe digital copies of your ID

It’s definitely possible to create a safe digital copy of your passport, driver’s licence 🚗 or any other form of identification. The Dutch government even released an app to help you do just that. It’s called KopieID(CopyID). The app allows you to redact sensitive information, like your Citizen Service Number or Social Security Number. You can add a watermark, describing the purpose of the copy, such as copy for stay at hotel name on date such and such. Don’t worry: the important parts of the app are in English.

Check which devices are logged in

Are you aware of all the devices you have used to access your accounts? And did you remember to log out when you stopped using certain devices, like a friend’s tablet or a public computer? To be sure, check the overview of active sessions which Google, Apple, Microsoft, Facebook, Instagram, Twitter, Dropbox and WhatsApp - among others - provide, and deactivate the ones you don’t recognise.

Run Security Checkups

Many companies offer the option to go over your security settings, like Google, Facebook and Dropbox. You can see on which devices you are logged in, and which other services have access to your information. If you check your security settings regularly, you’ll usually come across a device or service that doesn’t require access 🛑 to your account anymore.

Check your connected apps

Linking apps with other apps or online services can be very convenient, or just plain fun. Like scheduling sports sessions 🏋️ with friends via Google Calendar, or working on a document together. In order to make use of these features, you may have to give an app full access to your account. The full extent of the access you’re giving is often hidden away in the fine print, so it can happen without your explicit permission. Giving access to your accounts exposes them to more security risks. If the app you’ve linked to an account gets hacked, your account will also be affected. It is therefore recommended to regularly check which of your apps are linked with and give access to what online services, such as Google, Microsoft, Facebook, Twitter, Instagram and Linkedin.

Back to top ↑


Chatting and phone calls

Chatting and phone calls

We send lots of messages 💬 and still call ☎️ from time to time. Let’s try to do that as safely as we can. This chapter is about how you can communicate without anyone listening in or reading your messages.

End-to-end encryption

Communication has become a lot safer since April 2016, which is when WhatsApp introduced end-to-end encryption. This ensures that only the sender and receiver can read the messages sent between them. If someone were to intercept end-to-end encrypted messages, all they would see is gibberish.

You can compare it to sending a postcard. You write something on the back and put a stamp on it. With normal encryption, the postman (in WhatsApp’s case) can read what you wrote on the postcard. With messages sent through end-to-end encryption, you’re basically putting the postcard in a sealed envelope ✉️. That way, only the recipient can read what’s on the postcard.

End-to-end encryption doesn’t just work with sending messages. It also works with sending and receiving pictures, videos, documents and location information. You can also secure phone calls and video calls with end-to-end encryption.

WhatsApp and Facebook

WhatsApp is owned by Facebook; a company that makes its money by collecting as much information about its users as it can. Because of end-to-end encryption, Facebook doesn’t know what kind of messages or pictures you’re sending. Facebook can monitor who you’re communicating with. This type of information is known as metadata.

Alternatives to WhatsApp

What chat app you use is a very personal choice. Some people value ease of use, while others prefer apps that focus more on protecting their privacy. These are five alternatives to WhatsApp.

Signal

Signal iconSignal is the safest and most privacy-friendly chat app. Just like with WhatsApp, the app can be used on a computer and it’s possible to have it automatically remove messages after a specified period of time (from a few seconds after being sent to a week). Signal also hardly saves any information about its users. The app doesn’t look that polished, however, and has fewer features than its competitors.

Telegram

Telegram iconTelegram is not the safest choice, because it saves messages in the cloud. Some people like this, because if you switch phones you can start chatting exactly where you left off. Saving all your messages, pictures and videos in the cloud is very risky, however. Please be aware of this if you use Telegram. The reason why people choose to use Telegram is because it’s one of the most user-friendly chat apps out there.

iMessage

iMessage iconApple’s chat app only works with iPhones and iPads. Messages are encrypted with end-to-end encryption and you can also use your MacBook or iMac to send and receive messages. iMessage also supports a lot of other apps, letting you easily order an Uber or share a navigational route, for instance. Note that Apple does save metadata for up to a month.

Threema

Threema iconThe Swiss Threema is a favourite among journalists, because you only share a username to communicate with each other. Journalists don’t have to give out their phone number to use Threema. The app has a fancy design and lots of features. There’s one downside: Threema costs 3 USD. As a result, it doesn’t have as many users as the free apps.

Wire

Wire iconWire garnered a lot of fans in a short period of time, which isn’t strange given its features and design. The app bases its encryption method on Signal and combines a sleek design with Telegram’s flexibility. That means you can chat from your smartphone, computer and via your internet browser. Video calls, file sharing and sending gifs are all protected by end-to-end encryption.

Automatically remove messages

Hackers can’t steal what you don’t have. That goes for chat messages too. If you’re having sensitive conversations, make sure those messages are automatically removed 🗑️. WhatsApp, Signal, Telegram, Wickr Me and Wire support this feature, amongst others.

Voice and video calls

You can use WhatsApp, Signal and FaceTime, amongst others, to make end-to-end encrypted calls. This means that the service you use to make the call can’t see or hear you. These apps are recommended when you make a call to discuss sensitive topics. If you want to Skype with your cousin from Australia every now and then, its lack of end-to-end encryption won’t matter much.

A regular old phone call is a safe communication method for most people. A hacker can’t easily hack your phone call 📶. That would require a targeted attack, carried out by an intelligence agency, for instance. We’ll talk more about that later.

Email

Email 📨 isn’t safe, contrary to many chat apps. Email in 2018 consists of several different technologies cobbled together to make it all work. That doesn’t make it safe or reliable. We use email in business situations and because it’s commonly accepted, but send as little sensitive information through email as you can.

Back to top ↑


Advanced

Advanced

Hats off to you for making it this far 👏! Your knowledge of cyber security has already increased exponentially. In this chapter, you’ll find numerous advanced tips to ward off online surveillance and persistent hackers.

Consider your personal risk level

It’s important to consider which risks apply to you. Are you a woman 👩 using the internet? Odds are you’ve had to protect yourself against harassment by men. Are you a journalist? Then it’s possible that the government is trying to keep tabs on you. Do you own a computer and a bank account? You get the picture: anyone can be a target, but certain targets face bigger risks.

Take appropriate measures that correspond to your personal risk level. This guide offers a lot of advice that everyone should follow, because many dangers apply to, well, everyone. But for an active feminist 💪 with a Twitter account, it’s even more important to keep your home address and phone number hidden from most people.

Every situation is different and thus requires a different approach. If you suspect your violent spouse is reading your emails and Whatsapp messages, you can use the chat function of a video game, such as Words With Friends, to inform a friend of your situation. It’s unlikely your spouse is keeping track of those conversations as well.

Recognise spear phishing

We’ll start with the hardest piece of advice, because spear phishing is notoriously difficult to recognise. Spear phishing is a form of phishing where the person trying to trick you will send you a message that is made to fool you specifically. A hacker could, for instance, gather information from your social media profiles to provide the spear phishing message with credible information.

Let’s say your flight with Delta Airlines ✈️ has been delayed by an hour and you post about it on Facebook. A hacker could use that information to send you an email, detailing a ‘compensation offer’ from Delta. All you need to do is log in (which gives the hacker your password) and fill out a form. All the while said hacker is keeping track of what you’re typing.

Thankfully most people won’t ever have to deal with spear phishing. Spear phishing usually happens to those who have a high risk of being targeted, such as politicians, lawyers and journalists. It still pays to keep your guard up. If you don’t trust something, find the company or organisation that supposedly sent you the message by googling them, and call them to ask whether the message you received is legitimate or not.

Encrypt your hard drives and backups

You can encrypt MacBooks and iMacs with the click of a button by turning on FileVault. It’s incredibly simple and ensures that whoever finds or steals your laptop doesn’t have access to your private files. Don’t wait: turn this feature on right now.

Windows is a completely different story. Microsoft has kept its encryption service Bitlocker exclusive to the Pro versions of Windows. That just happens to be the version that consumers hardly ever use 🤷.

Thankfully there are some good alternatives to consider. Veracrypt is the safest and most reliable option. Make sure to back up your files before encrypting your hard drive. The encryption process can take hours and could go wrong in some cases. With a backup, you’ll ensure the safety of your files.

Cryptomator iconWhile we’re on the subject: you can encrypt backups too. Consider encrypting your external hard drive or flash drive with Veracrypt, for instance. Another good app is Cryptomator, which immediately encrypts your files and uploads them to the cloud. Take extra care of your password, however. Lose your password, and you lose access to your files.

Create a very strong password using the Diceware method

The Diceware method is used by experts to create extremely strong passwords. Diceware uses a random dice throw 🎲 and a long list of words to generate passwords. Here’s a list (txt) of English words you could use.

You start by rolling dice. Do this five times in a row and note the value of each throw. You’ll end up with a five-digit series of numbers that correspond with a word from the list. For instance, if you throw 3-6-4-5-5, the word it corresponds with is law.

Repeat this process seven times to make sure it’s absolutely safe. You’ll get a series of seven completely random English words, such as limbo karma cosy ember pool swipe wow. The Diceware method is currently the best way to create a strong password that you can remember.

Two-factor authentication with a security key

Experts recommend using a physical usb key - also known as a security key - for two-factor authentication. Connect your security key to services such as Google, Facebook, Twitter and Dropbox and the next time you want to log in, you’ll be prompted to use your usb key.

Yubikey iconInsert the usb key into your computer and connect it to your smartphone to authenticate your login attempt. The online service will check 👮 if the usb key is linked to your account, and the usb key detects whether you’re logging onto the correct app or website ✅. This protects you against phishing attempts and fake websites, because the login attempt can only be successful if both your key and the online service are valid.

It’s recommended that you purchase two security keys: one to keep on your person at all times and another to put away safely as a backup. Link both usb keys to the services for which you want to enable two-factor authentication. And don’t forget to turn off the other forms of two-factor authentication you may have enabled for these services, such as login codes via a text message.

Swedish manufacturer Yubico offers good encryption keys. The best choice would be to go for the blue security key, which works with all major online services. You can buy two of them for 49 USD. Yubikey 5 with nfc (45 USD) works with Android phones, but functionality on iPhones is limited. There is also a version that uses usb-c ports, which costs 55 USD.

Turn off automatic completion and turn on the automatic lock

Some password managers offer the option to automatically fill in your passwords on websites. This is not secure. A hacker could fool your password manager with a fake page. That’s why you should turn off this option.

It’s also smart to have your password manager lock itself automatically if you haven’t used it for a certain period of time. That will keep your digital vault, filled with your passwords, from being exposed any longer than necessary.

The smartphone as espionage device

Smartphones are ideal devices for spying. Intelligence agencies 🕵️ can tap your phone and request its location, or hackers can break in and turn on your microphone and camera. Be aware of this.

Android and iOS keep track of where you’ve been 🔍 by default, and this sensitive information could be shared with third parties. Both Android and iOS allow you to turn off this feature, after which your phone won’t constantly keep track of your location. This doesn’t prevent a hacker or intelligence agency from tracking your location using your smartphone, however.

One extreme measure is turning your phone off and keeping it in a Faraday-cover (which you can make yourself) or putting it in a microwave (which you should never turn on if your phone is in there). That’s the only way to be absolutely sure that no one can track your location.

Further enhance the security of your smartphone

There are highly secure versions of Android that you can install on your phone, such as CopperheadOS and GrapheneOS. These Android versions have extra security measures built in and try to minimize the vulnerabilities in the system.

If you want to make your own Android phone even more secure, follow this manual. It provides a number of useful tips, including the necessary steps to disable Javascript via Chrome > Settings > Site settings > Javascript. A lot of websites will stop working after that, but it makes your device a lot safer.

For iPhones it is recommended to disable iMessage and FaceTime via Settings > Messages / FaceTime. These two services were shown to contain vulnerabilities in the past. You can also disable AirDrop via Settings > General > Disable Airdrop, and Javascript via Settings > Safari > Advanced. The iVerify app offers a few more tips.

One last general rule: use your browser in favor of apps, as much as possible. Other apps may contain vulnerabilities, while the browser is usually one of the most secure apps on your smartphone 👍.

Further enhance the security of your Windows computer

Hardentools iconHardentools is an application designed by a group of hackers and cyber security experts. It disables vulnerable parts of Windows, making it harder for hackers to take over your computer. Take note that the application may also disable things you’re actually using, like certain functions in Office or Adobe Reader. If some part suddenly stops working, you can always switch it back on ⏪ via Hardentools. At your own risk, of course.

There is no such tool for MacOS, but you can follow this long manual or step-by-step plan. Be warned though. If you ‘re not sure what you are doing, you run the risk of rendering your computer unusable.

Be wary of backing up chats in the cloud

Many chat apps offer the option to save your chats in the cloud ☁️, via Google Drive or iCloud. Be cautious of this. All messages are encrypted with end-to-end encryption as soon as they’re sent, but they lose their encryption as soon as the messages reach your phone, otherwise you wouldn’t be able to read them. If you choose to back up your messages, they’ll be uploaded to the cloud without encryption. An intelligence agency could request your chat history. Also note that your messages can be backed up unencrypted by the people you’re chatting with.

Safe secret questions

Answers to secret questions are often (mostly unintentional) available online, like the name of your first pet 🐱 or your mother’s birth place. If a hacker correctly answers your secret questions, they can reset your password and get access to your online accounts, and lock you out in the #process. You’re much better off answering secret questions with random answers, and saving those answers using a password manager.

Do note that, in some cases, your answers may need to be spoken out loud. When you’re calling customer service, for instance. Instead of a complicated sequence of numbers and letters, you can also pick four random words fox-sandwich-bike-wedding as your answer.

Digital weak spot: your phone number

Your mobile phone number 📱 might seem safe, but in reality it’s often the weakest link in your online security. The number can give access to a password reset, and as a result, the loss of one of your accounts. Hackers are aware of this. They might try to hijack your phone number by calling your mobile carrier, pretending to be you. These attacks are referred to as sim-swapping. If a hacker gains control over your mobile phone number, they also gain access to the online accounts linked to that number.

This is why you should ask your mobile carrier to set a password before helping you (or someone pretending to be you) with any customer requests. That way, the next time you call 📞 them, you’ll have tell them your password in order for them to help you. If you really want to avoid becoming a victim of sim-swapping, you’ll have to remove your phone number from all of your online accounts. It’s safer to use both a security key and an authenticator app.

Mind location data in pictures

When you use your smartphone to take a picture 🖼️, it stores all sorts of extra information, such as the date, time and the exact location 🏘️ of where the picture was taken. This information is also referred to as EXIF-data. When you share these pictures on Facebook, Twitter, Instagram or WhatsApp, the EXIF-data is removed automatically. However, when you upload a picture to your website, or email it, the information can still be accessed by others. If you want to make sure that the EXIF-data is removed, then use the website ImgClean.io before uploading or emailing your pictures. ImgClean strips images of this extra information and lets you download a clean version that is safe to distribute.

Secure calls

If you want to call someone without the risk of having your call tapped 👂 and your conversation being listened in on, it’s recommended that you use Signal. Signal encrypts calls with end-to-end encryption. For many people this measure might be excessive, but for people at risk like journalists and lawyers, it might be necessary from time to time.

Calling via Signal (and WhatsApp) also protects you from IMSI-catchers. These devices imitate telephone masts to tap your phone calls and messages. IMSI-catchers are mostly used by intelligence agencies, but can also be made by hackers.

Encrypted emailing using ProtonMail

ProtonMail is one of the most user-friendly services when it comes to sending and receiving encrypted emails. The end-to-end encryption only works when both the sender and receiver are using ProtonMail, however. With other email addresses, such as Gmail or Outlook, ProtonMail asks you if you want to password-protect the emails you send to them. The recipient then needs the password to open the email. ProtonMail does this to add an extra layer of security. An account with 500MB is free, but if you want more storage capacity and added features, you have to pay from 5 to 20 USD a month.

Browse the internet using Tor

Tor iconThe Tor internet browser sends your internet traffic through numerous computers. This protects your privacy, because websites can’t find out where you’re from and your provider won’t be able to see what you’re doing on the internet. That might be handy for some people, but it can be an actual lifesaver for others in countries like Iran and Russia. Tor also lets you visit blocked websites, which is especially useful in a country like Turkey.

Tor also offers access to the dark web, which is the part of the internet that you can’t visit with a normal internet browser. On the dark web you’ll mostly find marketplaces for drugs and weapons, websites that share child pornography and nazi communities.

The downside of Tor’s anonymity is that it can also be used with nefarious intent.

Make sure you really need the Tor internet browser. Are you leaking confidential information to the media? Then use Tor in a public coffee shop with WiFi to maximise your anonymity. The internet is a lot slower using Tor, however, so don’t use it to stream Netflix 📺. Websites can also see that you’re using Tor to browse the web, which sometimes prompts them to prevent your login attempts. Therefore, it’s not recommended to use Tor to conduct online banking, for instance.

Use PGP (but only if you really have to)

PGP, which stands for Pretty Good Privacy, is used to encrypt the contents and attachments of emails with end-to-end encryption. It’s been one of the best ways to encrypt your emails for years, but it’s also very complicated to use. Think about whether you really need PGP 🤔. It’s easier to use Signal.

If you need PGP but don’t know how to set it up yourself, then check out Keybase first. Keybase is a social network that allows you to encrypt messages with PGP quite easily. Do you need more PGP features, such as file encryption? Reach out to an expert for assistance.

OpenWrt on your router

A lot of manufacturers stop updating their routers after a certain time. Therefore, it’s advised to install OpenWrt. The software is available for all sorts of routers and is regularly updated to fix security vulnerabilities 🐛, but is also difficult to install.

OpenWrt doesn’t work with WiFi modems that are provided and managed by your internet provider. You can, however, buy your own router and connect that to your internet provider’s modem. Set your wifi modem to Bridge/DMZ mode, so the device only forwards the internet connection.

Chat using OTR

Adium iconOff The Record (OTR) is a safe way to chat with people, just like Signal. OTR is used with an email address and an app on your desktop (Adium for MacOS and Pidgin for Windows and Linux) or smartphone (Conversations for Android and ChatSecure for iOS). These apps let you chat with other OTR users, but most people would still prefer Signal.

Run your own VPN

If you’re technically savvy, you can take matters into your own hands and run your own VPN. The easiest option is Algo, which you install on your - preferably new - server. You’ll manage your own secure internet connection and can connect all your devices to it. Because Algo is easy to configure, you can also use it to set up a temporary VPN.

Be wary of certificates

Hackers sometimes try to install their own certificates on your computer, smartphone or tablet, which allows them to keep track of what you’re doing, even when you’re using https-secured websites. Usually, a victim is lured into installing a certificate on their device to gain access to a public WiFi network. In general, people shouldn’t ever have to install a certificate, so be extra cautious when you’re being asked to do so. If necessary, ask whoever it may concern whether the requested installation is legitimate.

Use a privacy screen

A privacy screen is a screen-film you place on your smartphone, laptop or tablet screen. These screens block viewing angles, except for when you’re looking straight at your screen, making sure that no one can see what you’re doing 👀 on your devices. If your phone is lying face-up on a table, you’ll have to pick it up and look straight at it to be able to read or see anything. Fellowes sells good privacy screens, from 30 to 70 USD.

Use a ‘USB condom’

Yup, ‘USB condom’ sounds pretty gross, but an USB Data Blocker like one from PortaPow does exactly what that implies: it doesn’t transfer any data, only electricity, when you’re charging a device via the USB port on your computer. This prevents any malware from getting installed on your smartphone or tablet. If you want to charge your device using an unfamiliar computer, an USB Data Blocker prevents all malware attacks.

Tails and Qubes

Qubes iconThese two operating systems are for experts only, because they’re difficult to operate. Tails runs from from a flash drive that you connect to your computer, and Qubes has such an option too. Disconnect the flash drive from the computer and your PC will have no recollection of what you’ve done on it in the meantime. Tails protects your privacy and offers all sorts of apps to do so, like Tor, Thunderbird and PGP. Qubes offers the best protection and is used by people who are targeted by (state-sponsored) hackers.

But remember: if you lack technical knowledge, using one of these operating systems can reduce your online security. Sometimes it’s better to stick to devices and services that you’re comfortable with. Don’t use them just because you think it’s safer. And with that important piece of advice, this expansive manual comes to a close.

Back to top ↑


Closing notes

This expansive manual was created with the help of six professional hackers: Maarten van Dantzig, Rik van Duijn, Melvin Lammerts, Loran Kloeze, Sanne Maasakkers and Sijmen Ruwhof. The wonderful illustrations are made by Laura Kölker. Copy editor Marcel Vroegrijk made sure that everything reads well. The original Dutch version of Watch Your Hack was lovingly translated into English by Kevin Shuttleworth and, once again, edited by Marcel Vroegrijk.

Do you know anyone that could use some security tips and tricks? Send them a link to this website. You could, for instance, use email, Twitter, Facebook and WhatsApp to share the link. Do you have any comments or suggestions? Let me know via Twitter (@danielverlaan) or send me an email.

You can also donate 💰 to support Watch Your Hack. Wire an amount of your choosing via PayPal, so I can buy myself a craft beer 🍺. Cryptocurrencies are also accepted:

bitcoin: 1Psq1MmgPSKy8npnAvZASdtPD18EV61U3k
ethereum: 0x264510031A8F0b55432232F65337a67cA3Eb23bB
litecoin: Lg8sxK3bk4zvdmpHHLsV76gsw9v8wbAk2S

Watch Your Hack V7.3 (changelog)
Thanks to iA Writer for their Duospace-font
❤️ Lovingly built using Jekyll
© Daniël Verlaan, 2021