Don't Panic! A Web-surfer's Guide to Online Security
Our updated guide on what you can do to keep yourself safe and secure online.
Until fairly recently, most people didn’t spend a lot of time worrying about their online security. That’s changed over the last few years, as identity theft, fraudulent charges, and ransomware attacks have disrupted the lives of millions.
In a world where personal information increasingly lives online and new security breaches are reported every day, it’s more important than ever to know how to keep safe and secure online, but it can often feel overwhelming.
The good news is that there are some fairly simple and straightforward things that a person can do to dramatically reduce the risk of being hacked and exposing themselves or their employers.
Here are a few of the best practices we follow at Palantir to help us and our clients improve their security online:
Manage Your Passwords
If you’ve ever had an account with LinkedIn, Adobe, Yahoo, Dropbox, Tumblr, MySpace, or any one of the dozens of high-profile sites that have had security breaches over the last few years, your email address, username and password for those sites are probably for sale on the dark web. If you want to find out if you’ve been potentially compromised in one of these breaches, you can enter your email address or username at haveibeenpwned.com.
Once they obtain a leaked username and password, attackers run automated scripts that try the same credentials on hundreds of other sites, a technique known as credential stuffing. In other words, if you’ve ever used the same password on multiple sites and one of those sites is compromised, it’s highly likely that attackers will be able to log in as you on the others as well. The fix is to use a different password on every site, and the easiest way to do that in practice is with a password manager.
- Password management programs like Bitwarden, 1Password, and Dashlane securely store all of your login credentials and integrate with your browser so that you only need to remember one password to log into any site.
- When migrating your accounts into the password manager, change each password to a unique, randomly generated one so that no two sites share credentials. Prioritize email and social media first (an attacker who controls your email can reset almost everything else) before moving on to banking and other accounts, and delete any accounts you’re no longer using.
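The two mechanisms above, checking a password against a breach corpus and generating a random replacement, can be seen in a few lines of code. The following Python is an added example and not code from the original guide or from haveibeenpwned.com; it uses the format of the Pwned Passwords "range" API (the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally, so the password itself never leaves the machine), but the range response embedded here is constructed for offline use and its breach counts are made up.

```python
import hashlib
import secrets
import string

# Constructed range response for SHA-1 prefix "5BAA6". The real service
# (GET https://api.pwnedpasswords.com/range/5BAA6) returns one "SUFFIX:COUNT"
# line per breached hash in that range. All lines and counts here are made up
# except that 1E4C9B93F3F0682250B6CF8331B7EE68FD8 really is the SHA-1 suffix
# of the string "password".
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3B7C88DE7E5A8A5ABE0CD4EE0F4CEF3BFFF:1
"""

# Alphabet a password manager might draw from: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL a client would fetch; note it reveals only 20 bits of the hash."""
    prefix, _ = sha1_prefix_suffix(password)
    return "https://api.pwnedpasswords.com/range/" + prefix


def breach_count(password, range_response):
    """Return how many times the password appears in the breach corpus
    (0 if absent). range_response must be the response for this password's
    prefix; only the local suffix is compared against each line."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def generate_password(length=20):
    """Generate a password from the OS CSPRNG (the secrets module), as a
    password manager does, requiring each character class to appear."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    weak = "password"
    print(f"{weak!r}: would query {range_url(weak)}")
    print(f"  seen {breach_count(weak, SAMPLE_RANGE_RESPONSE)} times in the sample corpus")
    fresh = generate_password(24)
    print(f"replacement {fresh!r}: would query {range_url(fresh)}")
```

The prefix query is the whole point: a breach-check service that required the full password (or its full hash) would itself be a place your password could leak.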
Use Two-Factor Authentication
Some of the most highly publicized data breaches of the last few years were caused by people simply clicking on malicious links or attachments that showed up in their email inboxes.
Phishing attacks can also allow attackers to gain access to the accounts of everyday users on sites like PayPal, Amazon, and Uber, where they can make fraudulent charges that might go unnoticed for days or weeks, especially if they also have access to the victim’s email account and can cover their tracks. Even when discovered, it’s usually impossible to catch the perpetrators.
The simplest way to avoid a phishing attack is to never log in to a website from a link in an email, and never open unexpected attachments, even if the email purports to be “from” someone you know; go to the site by typing its address or using a bookmark instead. With the increasing sophistication of these attacks, however, judging whether an email is legitimate can be difficult even for experienced users.
That’s where two-factor authentication comes in. The idea is that there are multiple ways to authenticate yourself online: via something you know (a password), something you have (a phone, security key, or other device), or something you are (biometric data like a fingerprint or eye scan). Being able to authenticate someone against two or more of those factors is much more secure than using just a password. Many of the most widely used sites on the web support two-factor authentication, which may also be referred to as two-step verification, login verification, or 2FA.
- At the very least, two-factor authentication should be enabled for sites and services that are common attack vectors such as email, social media, and file hosting. Enabling two-factor authentication varies from site-to-site, so you may need to go digging around your account settings.
- Where possible, set up two-factor authentication using an authenticator app that generates time-based one-time passwords (TOTP) rather than codes sent by text message. SMS codes can be intercepted by someone who convinces your carrier to move your phone number to their SIM (a “SIM swap”); an app-generated code never crosses the phone network. Popular authenticator apps include Authy, Duo, and Google Authenticator, and many password managers can generate these codes too.
- For additional security, consider getting a security key, a small device that fits on your keychain and confirms your login on supported sites with a tap. Because the key only answers challenges for the exact site it was registered with, a look-alike phishing site cannot reuse it, which makes keys the strongest of these options against phishing. Security keys like the YubiKey are inexpensive and easy to use, and are supported by an increasing number of sites and online services.
Secure Your Hardware
If your computer, smartphone, or device is lost or stolen, you don’t want someone else to be able to access the information on it. In addition to making sure your device is locked with a secure password or passcode that’s at least six characters, you also need to have encryption enabled in order to ensure data security. Disk encryption does not change the way you use your computer or device; it simply makes it incredibly difficult for someone who doesn’t have your password to retrieve data from it.
- To enable disk encryption on recent versions of Windows, turn on BitLocker (Home editions offer a simpler “Device encryption” setting instead), and on macOS set up FileVault. Either way, save the recovery key somewhere other than the device itself, since without it a forgotten password means the data is gone. If you have an Apple iPhone or iPad running a recent version of iOS or iPadOS, encryption is enabled by default, as it is on most recent Android devices.
- It’s also important to keep your software up to date and install operating system security updates as soon as they become available; turn on automatic updates where the option exists. Ransomware and other malware frequently exploit vulnerabilities for which a patch has already been released, so unpatched systems are the easiest targets. Some hardware vulnerabilities can only be mitigated through operating system and firmware updates.
Secure your Network
Any time you’re on someone else’s wifi network, whether that’s at your workplace or the neighborhood coffeeshop, it’s possible for others to monitor and intercept your web traffic. A network password doesn’t change this: everyone who knows the shared password is on the same side of the encryption as you, and even with HTTPS protecting the contents of each connection, which sites you visit is still visible.
- The easiest way to protect your privacy while on someone else’s network is to use a Virtual Private Network (VPN), which wraps all of your internet traffic in an encrypted tunnel to the provider’s server, so the local network sees only encrypted traffic to one address. Keep in mind that this moves trust from the coffeeshop to the VPN provider, who can see everything the coffeeshop otherwise would. There are a ton of VPN providers out there, some better than others; we recommend checking recently updated reviews on sites like CNET and Wirecutter when making your choice.
Even within your own home, it’s important to keep your wifi network secured so that others can’t use it, since your internet service provider may hold you responsible for whatever is done over your connection.
- Secure your in-home wifi network by changing the router’s default admin password, keeping its firmware updated, and making sure the network uses WPA3 (or WPA2 with AES if the router doesn’t support WPA3, and never WEP) with a strong passphrase.
- If your wifi router is more than a couple years old and/or you’re using one that was provided by your internet provider, then you probably either want to buy a new one or upgrade to a mesh networking system. In addition to improving your security, you’ll probably also improve your network’s speed and performance as well!
Browse Safely and Privately
Even if you’re using a secure password and two-factor authentication, it’s still possible for attackers to intercept your login credentials on insecure websites. As a rule of thumb, you should never enter any information on a website that doesn’t use HTTPS (HTTP over TLS) to encrypt the connection between your browser and the site. Sites that don’t use HTTPS transmit data “in the clear”, so anyone on the path between you and the site can read it.
- Browsers usually indicate that a site is using HTTPS by showing a small lock icon somewhere in the address bar. The lock means the connection is encrypted and the site proved ownership of the domain shown; it does not mean the site is trustworthy, and phishing sites use HTTPS too, so still check that the domain is the one you expect.
- The HTTPS Everywhere browser plugin, which forced an encrypted connection wherever a site offered one, has been retired because current versions of Firefox, Chrome, Edge, and Safari now build in an “HTTPS-only” mode that does the same thing; turn that on in your browser’s security settings.
Over the last few years, online ad networks have increasingly become a vector for distributing malicious software (“malvertising”) that can be used to scrape personal information, including passwords, from users’ systems. Because of the way that today’s ad networks work, publishers often have no control over what ads appear on their site or whether they contain malicious scripts.
Even when used legitimately, ad networks gather a tremendous amount of information about people’s browsing habits and history, often without their knowledge or permission. While we at Palantir believe that data privacy is a human right, the United States has yet to address this issue on a national scale.
In the meantime, many users have installed ad blocking software, which is controversial because it undermines the business model of many websites that provide free content to users. However, it is also the best way to mitigate against advertising malware and third-party tracking software.
- Privacy Badger provides a greater level of control and security than running your browser in “incognito” or “private” mode, which only stops history and cookies from being saved on your own machine and does nothing to block trackers.
- Firefox, Safari, and other privacy-focused browsers also have built-in tools that enable you to block trackers and make sure that sensitive data like passwords, cookies, and your browsing history isn’t stored on your computer or device.
- Google is a great search engine, but it also keeps a full record of your search history by default and tracks you across the web in order to serve you targeted advertising. If this is something that concerns you, consider a privacy-oriented alternative, like DuckDuckGo.
While there’s no way to completely protect yourself from all possible threats online, following the recommendations in this article will greatly reduce the risk of having your information or identity compromised.
While they may seem intimidating at first, password managers, two-factor authenticators, and other online security tools are getting easier to use all the time, and once you’ve started using them, they quickly become second nature. What added inconvenience they do cause is more than offset by the time and expense of dealing with even a single incident of identity theft or fraud caused by someone compromising one of your accounts.
While we’ve focused here primarily on the issues that most people in the United States are likely to encounter while using the internet for everyday tasks, it is important to keep in mind that activists, journalists, and others more likely to be targets of online abuse may need to take additional steps to protect themselves online. The key is being conscious of what information you’re putting online and who has access to it.
Cybersecurity is a rapidly changing field, and it’s often hard to keep track of current best practices. We’ll review and update this article periodically to reflect new threats and mitigation tactics as they emerge. If you have any questions in the meantime, just drop us a line or reach out to us on Twitter @palantir.