Cybersec 101: How to Protect Yourself Online
This post was co-authored by Bojan Perkov and Andrej Petrovski.
Databases, servers, algorithms – these things not only make up so many things in our world and make them work, but also have more and more direct influence on our lives.
Who gets a job and who gets fired, who gets state aid or which child goes to which school are just some of the questions we are increasingly relying on technology, in its various forms, to answer.
With the emergence of the COVID-19 pandemic, millions of 9-to-5 office employees around the world suddenly became remote workers, on endless video-calls from their living rooms.
If there was a time when our “offline” and “online” selves finally became one, it was no doubt during the pandemic. Ever-extending lockdowns, travel restrictions and social distancing made us turn to glowing-screen devices and online services as our safest chance to experience the world and things we hold dear.
If there was a time when our “offline” and “online” selves finally became one, it was no doubt during the pandemic.
In these circumstances we need to protect our digital identities and assets even more, especially with the increase of cybercrime due to the pandemic.
Using vulnerable home devices with outdated operating systems, software and firmware, and working on public WiFi networks without a VPN are great risk factors exposing people to various technical attacks.
Ransomware, phishing and smishing may seem like things that happen to other people, but one mistake can prove very costly. If the adversary is a skilled malicious hacker group, a nation state or some other actor with advanced capabilities, the damage for organisations and individuals in terms of stolen or destroyed data can be beyond repair.
Ransomware, phishing and smishing may seem like things that happen to other people, but one mistake can prove very costly
Journalists, human rights defenders (HRD) and other public interest watchdogs should particularly be wary of technical attacks on their digital infrastructure and assets, as they keep very sensitive information regarding the identity of sources or victims of abuse.
In a world of global organised crime, high-level corruption schemes and abuses of power, journalists and HRD rely more and more on information given to them by whistleblowers, people who could suffer serious damage in life if their identity is leaked. Therefore, public interest watchdogs must be able to protect the identity of their sources, especially in the digital realm. One of the ways this can be achieved is by anonymous document submission through platforms such as SecureDrop.
…public interest watchdogs must be able to protect the identity of their sources, especially in the digital realm
An organisation is as safe as its most vulnerable members, at every step of the digital process (occurring now in a domestic environment).
So, let’s examine some of these steps, starting from the beginning: access, or login credentials. A good and strong password is essential, or so goes the mantra that everybody has heard countless times, and yet bad passwords are still one of the most commonly used points of entry by malicious actors.
There’s no way we can memorise dozens of long, meaningless sets of characters – that we should also change from time to time – but the worst solution is to let the browser memorise them for us. We have password managers for that like KeePass, KeePassXC or Bitwarden, that also enable users to automatically generate unique, long and random passwords that are very hard to crack by guessing, dictionary attacks or brute force.
There’s no way we can memorise dozens of long, meaningless sets of characters, but the worst solution is to let the browser memorise them for us
Another strongly recommended move would be to turn on 2-step verification on every account we use. Also, an increasing segment of online traffic has already switched to virtual private networks, so why not start using a reliable VPN?
End-to-end encryption (E2EE) should be used on as many services as possible: email, chat, collaborative documents.
Switching to email providers which offer built-in E2EE, like ProtonMail or Tutanota, may seem too complicated and even expensive, but it offers much more protection compared to “free” services such as Gmail.
As for messaging apps, Signal received a lot of attention at the start of 2021, after the changes to WhatsApp’s data sharing practices were announced and users started ditching the Facebook-owned app for alternatives. Although it requires a valid phone number for registration, Signal provides E2EE chats by default, as well as group audio and video calls for up to 8 members.
When it comes to teamwork, Cryptpad offers an encrypted and open source online collaboration suite (storage drive, documents, spreadsheets, polls, presentations, etc.) which can also be self-hosted to accommodate the specific needs of a collective.
When we need files stored on hard drives encrypted, VeraCrypt is an excellent choice that supports various platforms. When drives are well encrypted, even if devices get stolen or tampered with, it is virtually impossible to access the files stored on them without the decryption password.
A cybersecurity toolkit
SHARE Foundation has been providing free tech and legal support, as well as digital security training, to online media and civil society organisations since 2014, the same year we started monitoring cases of digital rights violations in Serbia.
During this time, we encountered numerous cases of technical attacks against journalists and activists, ranging from DDoS to malicious code injection attacks.
In 2020, SHARE partnered with Balkan Investigative Reporting Network (BIRN) to expand the monitoring process to 5 additional countries in Southeast Europe – Bosnia and Herzegovina, Croatia, Hungary, North Macedonia and Romania. Currently there are more than 1,500 cases in the umbrella database encompassing all six monitored countries.
Given that the problems with digital security are becoming more common among civil society and media organisations, SHARE Foundation developed an open platform called Cybersecurity Toolkit.
In times of scarcity and uncertainty, growing pressures and complexities of our daily lives, there are reliable technical solutions that can help us reduce digital risks
It provides one-stop instructions and possible solutions to problems with websites, applications or devices, but also offers guidance and knowledge of good practices in protecting information systems and all our digital goods. A feature that makes this Toolkit particularly important is that it’s focused on legal and practical counselling for victims of technology-based violence or harassment.
In times of scarcity and uncertainty, growing pressures and complexities of our daily lives, there are reliable technical solutions that can help us reduce digital risks and focus instead on what’s really important, whatever that may be for each of us. Stay safe.
Bojan Perkov is a Policy Researcher at the SHARE Foundation. Andrej Petrovski is Director of Tech.