Hats off to you for making it this far 👏! Your knowledge of cyber security has already increased exponentially. In this chapter, you’ll find numerous advanced tips to ward off online surveillance and persistent hackers.

Consider your personal risk level

It’s important to consider which risks apply to you. Are you a woman 👩 using the internet? Odds are you’ve had to protect yourself against harassment by men. Are you a journalist? Then it’s possible that the government is trying to keep tabs on you. Do you own a computer and a bank account? You get the picture: anyone can be a target, but certain targets face bigger risks.

Take appropriate measures that correspond to your personal risk level. This guide offers a lot of advice that everyone should follow, because many dangers apply to, well, everyone. But for an active feminist 💪 with a Twitter account, it’s even more important to keep your home address and phone number hidden from most people.

Every situation is different and thus requires a different approach. If you suspect your violent spouse is reading your e-mails and Whatsapp messages, you can use the chat function of a video game, such as Words With Friends, to inform a friend of your situation. It’s unlikely your spouse is keeping track of those conversations as well.

Recognise spear phishing

We’ll start with the hardest piece of advice, because spear phishing is notoriously difficult to recognise. Spear phishing is a form of phishing where the person trying to trick you will send you a message that is made to fool you specifically. A hacker could, for instance, gather information from your social media profiles to provide the spear phishing message with credible information.

Let’s say your flight with Delta Airlines ✈️ has been delayed by an hour and you post about it on Facebook. A hacker could use that information to send you an email, detailing a ‘compensation offer’ from Delta. All you need to do is log in (which gives the hacker your password) and fill out a form. All the while said hacker is keeping track of what you’re typing.

Thankfully most people won’t ever have to deal with spear phishing. Spear phishing usually happens to those who have a high risk of being targeted, such as politicians, lawyers and journalists. It still pays to keep your guard up. If you don’t trust something, find the company or organisation that supposedly sent you the message by googling them, and call them to ask whether the message you received is legitimate or not.

Encrypt your hard drives and backups

You can encrypt MacBooks and iMacs with the click of a button by turning on FileVault. It’s incredibly simple and ensures that whoever finds or steals your laptop doesn’t have access to your private files. Don’t wait: turn this feature on right now.

Windows is a completely different story. Microsoft has kept its encryption service Bitlocker exclusive to the Pro versions of Windows. That just happens to be the version that consumers hardly ever use 🤷.

Thankfully there are some good alternatives to consider. Veracrypt is the safest and most reliable option. Make sure to back up your files before encrypting your hard drive. The encryption process can take hours and could go wrong in some cases. With a backup, you’ll ensure the safety of your files.

While we’re on the subject: you can encrypt backups too. Consider encrypting your external hard drive with Veracrypt, for instance. Another good app is Cryptomator, which immediately encrypts your files and uploads them to the cloud. Take extra care of your password, however. Lose your password, and you lose access to your files.

Create a very strong password using the Diceware method

The Diceware method is used by experts to create extremely strong passwords. Diceware uses a random dice throw 🎲 and a long list of words to generate passwords. Here’s a list (pdf) of English words you could use.

You start by rolling dice. Do this five times in a row and note the value of each throw. You’ll end up with a five-digit series of numbers that correspond with a word from the list. For instance, if you throw 3-6-4-5-5, the word it corresponds with is limbo.

Repeat this process seven times to make sure it’s absolutely safe. You’ll get a series of seven completely random English words, such as limbo krebs hoyt ember cometh swipe zaire. The Diceware method is currently the best way to create a strong password that you can remember.

Two-factor authentication with a security key

Experts recommend using a physical usb key - also known as a security key - for two-factor authentication. Connect your security key to services such as Google, Facebook, Twitter and Dropbox and the next time you want to log in, you’ll be prompted to use your usb key.

Insert the usb key into your computer and connect it to your smartphone to authenticate your login attempt. The online service will check 👮 if the usb key is linked to your account, and the usb key detects whether you’re logging onto the correct app or website ✅. This protects you against phishing attempts and fake websites, because the login attempt can only be successful if both your key and the online service are valid.

It’s recommended that you purchase two security keys: one to keep on your person at all times and another to put away safely as a backup. Link both usb keys to the services for which you want to enable two-factor authentication. And don’t forget to turn off the other forms of two-factor authentication you may have enabled for these services, such as login codes via a text message.

Swedish manufacturer Yubico offers good encryption keys. The best choice would be to go for the blue security key, which works with all major online services. You can buy two of them for 36 USD. Yubikey 5 with nfc (45 USD) works with Android phones, but functionality on iPhones is very limited. There is also a version that uses usb-c ports, which costs 50 USD.

Turn off automatic completion and turn on the automatic lock

Some password managers offer the option to automatically fill in your passwords on websites. This is not secure. A hacker could fool your password manager with a fake page. That’s why you should turn off this option, for instance in LastPass.

It’s also smart to have your password manager lock itself automatically if you haven’t used it for a certain period of time. That will keep your digital vault, filled with your passwords, from being exposed any longer than necessary.

The smartphone as espionage device

Smartphones are ideal devices for spying. Intelligence agencies 🕵️ can tap your phone and request its location, or hackers can break in and turn on your microphone and camera. Be aware of this.

Android and iOS keep track of where you’ve been 🔍 by default, and this sensitive information could be shared with third parties. Both Android and iOS allow you to turn off this feature, after which your phone won’t constantly keep track of your location. This doesn’t prevent a hacker or intelligence agency from tracking your location using your smartphone, however.

One extreme measure is turning your phone off and keeping it in a Faraday-cover (which you can make yourself) or putting it in a microwave (which you should never turn on if your phone is in there). That’s the only way to be absolutely sure that no one can track your location.

Be wary of backing up chats in the cloud

Many chat apps offer the option to save your chats in the cloud ☁️, via Google Drive or iCloud. Be cautious of this. All messages are encrypted with end-to-end encryption as soon as they’re sent, but they lose their encryption as soon as the messages reach your phone, otherwise you wouldn’t be able to read them. If you choose to back up your messages, they’ll be uploaded to the cloud without encryption. An intelligence agency could request your chat history. Also note that your messages can be backed up unencrypted by the people you’re chatting with.

Safe secret questions

Answers to secret questions are often (mostly unintentional) available online, like the name of your first pet 🐱 or your mother’s birth place. If a hacker correctly answers your secret questions, they can reset your password and get access to your online accounts, and lock you out in the #process. You’re much better off answering secret questions with random answers, and saving those answers using a password manager.

Do note that, in some cases, your answers may need to be spoken out loud. When you’re calling customer service, for instance. Instead of a complicated sequence of numbers and letters, you can also pick four random words fox-sandwich-bike-wedding as your answer.

Digital weak spot: your phone number

Your mobile phone number 📱 might seem safe, but in reality it’s often the weakest link in your online security. The number can give access to a password reset, and as a result, the loss of one of your accounts. Hackers are aware of this. They might try to hijack your phone number by calling your mobile carrier, pretending to be you. These attacks are referred to as sim-swapping. If a hacker gains control over your mobile phone number, they also gain access to the online accounts linked to that number.

This is why you should ask your mobile carrier to set a password before helping you (or someone pretending to be you) with any customer requests. That way, the next time you call 📞 them, you’ll have tell them your password in order for them to help you. If you really want to avoid becoming a victim of sim-swapping, you’ll have to remove your phone number from all of your online accounts. It’s safer to use both a security keyand an authenticator app.

Mind location data in pictures

When you use your smartphone to take a picture 🖼️, it stores all sorts of extra information, such as the date, time and the exact location 🏘️ of where the picture was taken. This information is also referred to as EXIF-data. When you share these pictures on Facebook, Twitter, Instagram or WhatsApp, the EXIF-data is removed automatically. However, when you upload a picture to your website, or email it, the information can still be accessed by others. If you want to make sure that the EXIF-data is removed, then use the website ImgClean.io before uploading or emailing your pictures. ImgClean strips images of this extra information and lets you download a clean version that is safe to distribute.

Secure calls

If you want to call someone without the risk of having your call tapped 👂 and your conversation being listened in on, it’s recommended that you use Signal. Signal encrypts calls with end-to-end encryption. For many people this measure might be excessive, but for people at risk like journalists and lawyers, it might be necessary from time to time.

Calling via Signal (and WhatsApp) also protects you from IMSI-catchers. These devices imitate telephone masts to tap your phone calls and messages. IMSI-catchers are mostly used by intelligence agencies, but can also be made by hackers.

Encrypted emailing using ProtonMail

ProtonMail is one of the most user-friendly services when it comes to sending and receiving encrypted emails. The end-to-end encryption only works when both the sender and receiver are using ProtonMail, however. With other email addresses, such as Gmail or Outlook, ProtonMail asks you if you want to password-protect the emails you send to them. The recipient then needs the password to open the email. ProtonMail does this to add an extra layer of security. An account with 500MB is free, but if you want more storage capacity and added features, you have to pay from 5 to 20 USD a month.

Browse the internet using Tor

The Tor internet browser sends your internet traffic through numerous computers. This protects your privacy, because websites can’t find out where you’re from and your provider won’t be able to see what you’re doing on the internet. That might be handy for some people, but it can be an actual lifesaver for others in countries like Iran and Russia. Tor also lets you visit blocked websites, which is especially useful in a country like Turkey.

Tor also offers access to the dark web, which is the part of the internet that you can’t visit with a normal internet browser. On the dark web you’ll mostly find marketplaces for drugs and weapons, websites that share child pornography and nazi communities.

The downside of Tor’s anonymity is that it can also be used with nefarious intent.

Make sure you really need the Tor internet browser. Are you leaking confidential information to the media? Then use Tor in a public coffee shop with WiFi to maximise your anonymity. The internet is a lot slower using Tor, however, so don’t use it to stream Netflix 📺. Websites can also see that you’re using Tor to browse the web, which sometimes prompts them to prevent your login attempts. Therefore, it’s not recommended to use Tor to conduct online banking, for instance.

Use PGP (but only if you really have to)

PGP, which stands for Pretty Good Privacy, is used to encrypt the contents and attachments of emails with end-to-end encryption. It’s been one of the best ways to encrypt your emails for years, but it’s also very complicated to use. Think about whether you really need PGP 🤔. It’s easier to use Signal.

If you need PGP but don’t know how to set it up yourself, then check out Keybase first. Keybase is a social network that allows you to encrypt messages with PGP quite easily. Do you need more PGP features, such as file encryption? Reach out to an expert for assistance.

OpenWrt on your router

A lot of manufacturers stop updating their routers after a certain time. Therefore, it’s advised to install OpenWrt. The software is available for all sorts of routers and is regularly updated to fix security vulnerabilities 🐛.

OpenWrt doesn’t work with WiFi modems that are provided and managed by your internet provider. You can, however, buy your own router and connect that to your internet provider’s modem. Set your wifi modem to Bridge/DMZ mode, so the device only forwards the internet connection.

Chat using OTR

Off The Record (OTR) is a safe way to chat with people, just like Signal. OTR is used with an email address and an app on your desktop (Adium for MacOS and Pidgin for Windows and Linux) or smartphone (Conversations for Android and ChatSecure for iOS). These apps let you chat with other OTR users, but most people would still prefer Signal.

Run your own VPN

If you’re technically savvy, you can take matters into your own hands and run your own VPN. The easiest option is Algo, which you install on your - preferably new - server. You’ll manage your own secure internet connection and can connect all your devices to it. Because Algo is easy to configure, you can also use it to set up a temporary VPN.

Create your own security camera

NSA whistleblower Edward Snowden worked on Haven, which is a free Android app that turns your old smartphone into a smart security camera. This won’t be useful unless you think a hacker is trying to physically access your devices to obtain your information, by connecting a malware-infected flash drive to your laptop, for instance.

Haven uses the cameras, microphones, light sensors and accelerometer of a phone to monitor movement and sound. Put the old smartphone in your hotel room, and you’ll be alerted as soon as someone enters the room. Haven also makes pictures and records videos of the intruder. Snowden also refers to Haven as a portable digital watchdog 🐶.

iPod Touch with Signal

Smartphones are constantly connecting to cell towers to receive phone calls, texts and data. That leaves one heck of a trail of (meta)data, which intelligence agencies can abuse. People at risk, such as journalists, lawyers and politicians, need to be aware of this. An iPod Touch with Signal is a safe way to communicate in such situations. Apple’s music player uses the latest version of iOS, has access to the App Store and allows wifi-calling and messaging via Signal. To create a Signal account, you need a (temporary) phone number. Buy a prepaid SIM card or register a VoIP number. This tip applies to iPads (without LTE functionality) too, although those won’t fit your pocket so easily.

Be wary of certificates

Hackers sometimes try to install their own certificates on your computer, smartphone or tablet, which allows them to keep track of what you’re doing, even when you’re using https-secured websites. Usually, a victim is lured into installing a certificate on their device to gain access to a public WiFi network. In general, people shouldn’t ever have to install a certificate, so be extra cautious when you’re being asked to do so. If necessary, ask whoever it may concern whether the requested installation is legitimate.

Use a privacy screen

A privacy screen is a screen-film you place on your smartphone, laptop or tablet screen. These screens block viewing angles, except for when you’re looking straight at your screen, making sure that no one can see what you’re doing 👀 on your devices. If your phone is lying face-up on a table, you’ll have to pick it up and look straight at it to be able to read or see anything. Fellowes sells good privacy screens, from 30 to 70 USD.

Use a ‘USB condom’

Yup, ‘USB condom’ sounds pretty gross, but the SyncStop does exactly what that implies: it doesn’t transfer any data, only electricity, when you’re charging a device via the USB port on your computer. This prevents any malware from getting installed on your smartphone or tablet. If you want to charge your device using an unfamiliar computer, the SyncStop prevents all malware attacks.

Tails and Qubes

These two operating systems are for experts only, because they’re difficult to operate. Both Tailsand Qubes run from a flash drive that you connect to your computer. Disconnect the flash drive from the computer and your PC will have no recollection of what you’ve done on it in the meantime. Tails protects your privacy and offers all sorts of apps to do so, like Tor, Thunderbird and PGP. Qubes offers the best protection and is used by people who are targeted by (state-sponsored) hackers.

But remember: if you lack technical knowledge, using one of these operating systems can reduce your online security. Sometimes it’s better to stick to devices and services that you’re comfortable with. Don’t use them just because you think it’s safer. And with that important piece of advice, this expansive manual comes to a close.

Did this answer your question?