ABOUT
What Is This Page?

A cyber security and privacy cheatsheet for the individual, with a list of things you should think about doing for yourself (and how soon you should consider doing them).

Security on the internet can be an overwhelming thing to research - I spend a lot of time doing it, so I'd like to help save you the headaches. What follows are things that are important to your cyber security, as well as preserving your human rights.

You don't need to be tech-savvy to get a lot out of this page. The aim of this page is to help seal off any leaky areas in your online habits and security setup that you may have missed or been unaware of. Most recommendations are intended to be as accessible as possible too, usually meaning a simple suggestion followed by basic justification. If things are confusing, and/or you'd just like to understand them better, my email is below.

Feedback for this page is always welcome. Be sure to keep checking back for updates. Thank you to everyone who has already helped shape it into something readable to humans!

What Do The Colours Mean?

Urgency, i.e.:

  • RED: you should probably consider doing something about this yesterday.
  • ORANGE: urgent, but less of an imminent danger.
  • YELLOW: still important, but likely a lower-risk issue or something that can be relegated to a time after RED/ORANGE items are addressed.
  • GREY: mostly informational, and often just important to be aware of more than anything else.


SECURITY
Multi-Factor Authentication (MFA)

MFA - or Multi Factor Authentication - just means having multiple security checks when logging in to something. Usually this means a password AND a one-time code, or a fingerprint, face scan, or many other methods of authentication to prove it's really you logging in.

TODO: Make absolutely certain you have MFA set up for ALL essential services such as finance and government, as well as anywhere that stores a lot of your personal data, like your email provider, Facebook, Instagram and LinkedIn.

Organisations and government services are increasingly mandating MFA. Anywhere you don't have MFA, you are one step away from having your money or identity stolen. It's like locking the front door but leaving the back door wide open. All a criminal needs is your password, and given how many times passwords get leaked by tech companies, it's likely you're already vulnerable. MFA protects you even if your password has been leaked. You will be surprised at how little protection and support exists if you are a victim of ID theft - often you can't get your money back. And just because you haven't been caught up in a public breach that's in the news (like Optus), you can't assume your password is safe. IBM released a report that said most companies take 277 days to discover and report a breach. That means any major company could already have been breached without you knowing about it for almost a year, which is plenty of time for a hacker to make off with your money or data.

HOW TO SET UP MFA: If you opt for using a one-time passcode (OTP) authenticator app, I recommend Aegis or Raivo. For privacy reasons, I would avoid Google Authenticator, but if you're already using it that's still much better than not having a second factor, so don't panic.

Please also do not use your phone number as the second factor if you can help it. While it's not highly likely, phone numbers and messages can be tampered with, intercepted, and stolen; it's not a system that was designed as a mechanism for authentication. It’s also slower and less reliable than OTP authenticators, so save yourself the frustration and install one. Read more here and here in case you needed more convincing on why relying on your phone number as authentication is not a secure solution.

Some more info here on where and how to set up MFA.

Password Manager

Keep it secret, keep it safe.

A password manager is a tool and/or service that can securely generate and store unique passwords and secret notes for you on an account-by-account basis. The take-away here is: when using a password manager you only need to remember one master password rather than a number of different ones.

TODO: You should be using one by now. If you are not already doing so, you're running an unnecessarily high risk to your identity and finances. (Unless you're using one-time pads, or writing down complex, unique passphrases in a physical notebook you keep on you or locked away at all times. Then carry on, I respect the hustle.)

This is an increasingly serious and urgent thing that you should be very concerned with doing something about. And, while password managers are ultimately a band-aid solution to a problem that is intrinsically insecure, passwords are unlikely to go away any time soon, so we need to make do as best we can. You will soon have the option to use passkeys for a lot of services instead, which is an improvement. But passkeys also come with their own issues, and are unlikely to be adopted ubiquitously in a short time. Most password managers will also provide passkey support, however, so it's worth getting set up with one regardless.

All of that being said, if you don't already have a password manager service, I recommend BitWarden (if you're lazy like me), 1Password (similarly accessible, great UI), or KeePass (if you want more configurability and isolation, and don't mind the extra effort in managing it).

Integrating a password manager into your life might be annoying at first, but once you're up and running, it's one of the very few security solutions that benefits both security and convenience at the same time. Most managers have browser extensions and mobile apps, which make things nice and easy.

I will also add that if you're using LastPass, you should strongly consider moving to another service because they’ve been hacked multiple times.

What should I do if I've been pwned?! If you know your password or login/personal details have been leaked, you should play it safe and change that password ASAP. You can check here to see if and where your email and phone number have been leaked or stolen.

More great info on using passwords/phrases here.
And more info here on password managers.

Keep Your Devices and Browsers Updated

This is self-explanatory - make sure you have auto-update enabled and ensure that you connect to WiFi often enough if you've disabled updating through mobile data.

It's likely none of you need to do anything here, but it's important to call this out anyway. Updating takes almost no time, and keeps you safe.

Don't ignore auto-updates on your browser or personal computer (even if they can be frustrating to wait on). Find time to make sure they're done ASAP.

Android Setup

iPhone/Apple Setup

Keep Your Devices and Browsers Neat

If you don't need an app or browser extension, remove it. Or just don't install it to begin with.

The more apps or services you have with access to your device in some way, the wider the attack surface of your device. Your phone's operating system (or desktop internet browser) might be relatively secure, but installing a vulnerable app or extension can create a backdoor that bypasses all that great security completely. Here's just one of the many examples of why this can be a huge problem.

Importantly, don't download extensions or apps that aren't verified or endorsed. Reviews are easy to fake, so if you're unsure, do a bit of research to see if it's legit.

Spend a little time reviewing the permissions the app/extension/plugin asks for when you do install something. Even if it seems trustworthy. Many apps will try to gain access to much more than their purpose calls for. While this is not always done with malicious intent, it will create that much larger an attack surface for your device.

UPDATE: Be especially critical of AI-powered extensions. They are the greatest security nightmare - kind of like leaving matches or a lighter with a toddler near your very dry barn.

Be Mindful of Device Manufacturer and OS Support Lifespans

It sucks, but device versions (e.g. Apple iPhone 12, Google Pixel 4 etc) as well as operating system versions (e.g. Android 11, iOS 17 etc) have an end-of-life date beyond which the manufacturer or developer no longer supports that version with security updates.

When buying a new phone (or laptop, or anything that requires regular updates) it is important to consider the support life. All vendors and developers should provide a timeframe for how long a particular device or operating system will be supported. This is important because it means getting timely security updates that patch vulnerabilities that might get exploited by malicious actors, leading to a compromise or leak of your sensitive accounts and data. It's worth adding this to the list of considerations when you're looking at buying a new phone - or updating an operating system - to know how long it will receive those important security updates.

Many device and system lifecycles are tracked here. If yours is not in there, a quick Google should help you find more information, ideally from the manufacturer/developer themselves.

Scams

I wish there was a silver bullet for this, but unfortunately it all comes down to educating yourself, and being vigilant (especially with untrusted channels).

Scams are getting more sophisticated every day, and with AI tools picking up a lot of the slack in places that made scams easier to spot, it's more important than ever that you are critical of any communication you receive that isn't obviously authentic and trusted.

Some useful rules of thumb in protecting yourself against scams:

  • Never send money anywhere unless it's through legitimate channels, and to legitimate destinations. If someone says they want to send YOU money, be even more critical of this.
  • Never give out your secret information - no legitimate service or entity should ever ask for your password or one-time passcode.
  • Try to avoid ever sharing any personal information. Occasionally organisations and institutions like banks need to confirm your identity over the phone, in which case they should only need a DOB, or address, at most. Never tell anyone information if they were the one to call you. You’re better off asking them if you can call back, and then calling back on a secure number you found on an official website.
  • Never share access to your devices.
  • Never let emotional triggers drive how you react to a communication that's come out of the blue - scammers leverage empathy and panic to get you to make a rash decision. If you’re given a very short timeframe to react, or the message is related to criminal offences or unexpected debt, chances are good it’s fake.

What to do if I've been scammed, or know someone who has?
[Taken from ABC News]
Here's what an ACCC spokesperson says to do after you have been scammed:

  • Contact your bank or financial institution as soon as possible if you have lost money
  • Contact the platform on which you were scammed and provide details about your experience
  • Tell your friends and family about your experience for support and to help protect them from scams
  • The ACCC also encourages you to make a report on the Scamwatch website, subscribe to their Scamwatch radar alerts and stay updated via Twitter.
  • You can report fake websites as well as websites suspected of hosting or distributing malware to Google for review.

ID Support NSW makes it easier for people to access help if their NSW Government proof of identity credentials are stolen or fraudulently used.
This guide has a lot more useful information that's useful to read up on.
This one goes into financial protections more specifically.

Ransomware (but usually, just scamware)

More on this soon, but in the meantime read up on one case of scam/ransomware masquerading as legitimate software over here.

Be Wary of Websites and URLs

Especially online shopping sites. These can seem legitimate, with top Google search results and sophisticated-looking designs and URLs. See this story about ways to watch out for online shop scams.

Try to never open an http link (not https) unless you really trust where it comes from. HTTP links leave you open to an attacker watching your browsing activity, along with any data you input to that site. Browsers generally warn about this these days, but it's good to be aware of it.

Example:
'http://legitlookingsite.com' = bad
'https://whatever.com' = better

Google Transparency Report can be useful to identify a dodgy looking site.

Be careful with links you follow in general - you can usually see where something is going to take you by hovering your pointer over it and looking in the bottom left corner of your browser (or holding down on it on mobile).

More info here.
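The hover check described above works because the text of a link and the place it actually goes are two different things. As an added example (not part of the original page), the following script does that check mechanically for a link you have copied out of an email or message: it reports plain http, a username before an `@` that disguises the real host, punycode (look-alike) domains, bare IP addresses, and link text that names one site while the address goes to another. All the domain names in the sample calls are constructed placeholders.

```python
"""Flag suspicious links from (display text, actual address) pairs.
Added example, not code from the original page."""
import ipaddress
import re
from urllib.parse import urlsplit

# Something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def _bare(host: str) -> str:
    """Normalise a host for comparison: lowercase, drop a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def real_host(href: str) -> str:
    """The host the browser will actually connect to (what hovering shows you)."""
    return (urlsplit(href.strip()).hostname or "").lower()


def link_warnings(display_text: str, href: str) -> list:
    """Return human-readable warnings; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme == "http":
        warnings.append("plain http: anything you type on this site can be read or altered in transit")
    elif parts.scheme != "https":
        warnings.append(f"unusual link type '{parts.scheme}'")

    if parts.username is not None:
        # https://mybank.example@other.example/ connects to other.example, not mybank.example
        warnings.append(f"address contains text before an '@'; the real destination is {host}")

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("domain uses internationalised (punycode) characters that can imitate a familiar name")

    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address rather than a named site")
    except ValueError:
        pass  # a normal host name; not an IP literal

    match = _DOMAIN_IN_TEXT.search(display_text)
    if match and _bare(match.group(1)) != _bare(host):
        warnings.append(f"link text shows {match.group(1)} but the address goes to {host}")

    return warnings


if __name__ == "__main__":
    # Constructed samples mirroring the page's own http/https example.
    samples = [
        ("Click here", "http://legitlookingsite.com"),
        ("https://whatever.com", "https://whatever.com"),
        ("www.mybank.example", "https://www.mybank.example@login-alerts.example/"),
    ]
    for text, href in samples:
        print(text, "->", real_host(href), link_warnings(text, href) or "looks fine")
```

The point of `real_host` is the same as the hover tip: whatever the link says, only the hostname the browser resolves matters, and for a disguised address that is the part after the `@`.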

Public WiFi and Power

Don't use public charging ports. Use your own cable.

Never use public WiFi if you can help it. Even in places that seem trustworthy, like airports. If you have to, at least try to ascertain that the access point name is the correct one - it's very easy to spoof an access point name and capture traffic going through it.

General Advice

  • Don't use a login pattern to access your phone. PINs and fingerprints are better, primarily because they're harder to observe/steal.
  • Try not to leave your bluetooth on when you're not using it. There are many ways it can be used to mess with your device, as well as track you without your consent.
  • If you're anxious about online shopping and exposing your credit/debit card details to do so, you can look into temporary, virtual cards to compartmentalise your funds. These offer a lot of the same protections as your existing cards, but reduce the harm potential for your card details getting leaked. Check with your bank if they offer such a service/account - most large banks do these days. Otherwise, look into services like Revolut for this - I've used this service before myself and it was very convenient and fast, especially as a travel card.
  • Implicit trust is part of human nature, but can be a dangerous thing.

More Resources


PRIVACY
Why is Privacy Important?

If you're of the mindset that your privacy is not sacred, and/or that you're not fussed because you have nothing to hide or aren't committing any crimes, then please have a read through the below. I'm not looking to change your mind, just to help you make as educated a choice as possible.

The Value of Privacy

Keep a Low Profile

Most places do NOT need your real personal details. Unless it's a financial or government service, consider using an alias. You do not owe anyone this information, and they do not need it. If you're worried about mail collection, post offices usually just need to see the address on your ID. Alternatively, you can tell them the alias is a business name. Your date of birth is often used as a security check, so never give it out to companies that don’t need it. Use a fake birthday instead, like 1/1/2000.

The same is also important in sharing your phone number and email - these constitute part of your identity, and you should generally consider them as private/secret as your own address or even credit card details in some cases (on this note, consider using email aliases such as Firefox Relay or Anonaddy).

There are some more useful tips on keeping a low profile online here. Ask me about equivalent services in Australia.

Keep Your Devices and Browsers Neat

If you don't need an app, program, or browser extension, remove it.

The more apps or services you have with access to your device in some way, the more of your personal data is being mined - and usually without your consent or awareness. Most apps and extensions gather much more data than they actually need to provide the service you downloaded them for originally. Keep this in mind when you install a new app or extension, or when you have a bunch of mobile games etc just sitting there cluttering up your phone's interface (and stealing your data all the while!).

Use the browser where possible instead.

Be Mindful Using "Smart", Convenient Tech

This holds more often than not: every service that provides great convenience generally also sells/mines lots of your personal data and builds your entire personal profile from that data. This data is most often sold on to third parties or government, or stolen by cybercriminals in a breach/leak. Unfortunately, what is often also true is that many services are clunky, do not provide much convenience at all, and still steal an enormous amount of your data.

There are plenty of great services that do not steal swathes of your data, of course. But more often than not, services/products (e.g. Alexa, your car, home surveillance devices, phones in general) provide marginal utility compared to how much they observe and mine from your profile. That is their entire point. The company behind the service does not care if you're able to easily spin up your favourite gardening playlist or reliably keep an eye on the exterior of your home. They just want to listen to every conversation and interaction you have in your private space because that information allows them to shape society to their profit-centric benefit. This is not a conspiracy/edgy opinion, it is simply the core nature of late-stage capitalism and/or the even more grotesque monster it turned into.

Be Aware of Dark Patterns

These are duplicitous designs added to apps and sites that try to trick you into doing something you didn't mean to, like Facebook making it difficult to delete your account, clicking the "Accept All Cookies" button because it looked like you had to, or Amazon tricking you into signing up for Prime. The links below cover this in detail, so I won't say much more other than that you should be aware of these things, especially in contexts requiring you to update a subscription, or on sign up to/deactivating a service.

An excellent source on deceptive online tactics used by corps/business/orgs.

More reading here.

Using VPNs

If you use a VPN, make sure you agree with their values and policies.

VPNs do not provide you with anonymity, so be critical of which providers you do go with. Many capture, store, and happily sell or handover all of your internet activity.

I can't recommend most services currently available. If you decide to start using one, or to switch to a new one, however, Mullvad, Proton VPN, and IVPN have generally good practices and operational records, and are easy to use.

General Advice

  • Don't use Chrome or Edge browsers, including on your phone.
  • Don't use facial recognition to login to your devices.
  • Be mindful that all of your browsing data (unless you're on VPN/use Tor) is logged by your ISP.
  • Don't use services like PayPal or Google Pay if you can help it - just pay straight through your card. PayPal and Google Pay track everything you buy and - would you believe it - sell that data on too. And they don't necessarily provide the buyer protections you think you might get from them. As well as that, they're not banks at the end of the day, and do not have the level of security and government support that banks do when it comes to protecting your money.
  • Move to Signal/Element/ChatSecure messenger instead of Facebook. Even WhatsApp is better, though not by much.
  • Don't use social login (i.e. when a service offers logging in with your Google/Facebook/etc account).
  • Clear your browser data every week or two (if not history, at least cookies and other site data).
  • Don't post pictures on social media or anywhere public of any sensitive or personal information, e.g. your travel boarding pass.

More Resources


GENERAL
Spread Awareness

Protecting yourself is important, but you should also try to educate those less savvy in your life about the items and concepts outlined here. It's never been a more critical time to be cognisant of our online presence and vulnerability.

TODO: Talk to friends and family about how to be safe online.

More reading here.

Backup Your Data

Either in the cloud somewhere, or on a local USB/storage drive. If you can, do this in more than one place. And do it regularly. I don't recommend using Dropbox as they have also been hacked multiple times and have yet to show they can be trusted with your files - use Google Drive if you don't care about privacy, or Mega.io/Sync.com if you do.

This should include not just your photo albums, media, and documents, but things relating to your identity and ability to access services. E.g. consider setting up a recovery email address with a different service, and exporting and backing up your MFA authenticator codes regularly and safely (or making sure they're accessible on another device).

Our phones are essential, and losing/breaking them beyond use can be a nightmare scenario. Try to keep the last working phone you had around in case you need to move your SIM over to make calls/access other critical services etc. You should also perform an Android or iPhone cloud backup regularly. This is generally automated, but here are guides on ensuring you're set up for backups anyway: Android, Apple

In the event you do lose your phone, consider using Google's Find My Android or Apple's Find My to try and track it down again. And try to act quickly after your device is lost.

More Great References and Sources

If you're like me and absorb information better visually, Naomi Brockwell discusses most of the above in really easy-to-understand ways. Check her channel out!
NBTV Youtube

Contact: [email protected]
Updated: 29 Jun 2024

Changelog

Feb 19th - Updated contact email

Nov 19th - Added device security update end-of-life advice and bluetooth awareness points under Security - General section

Oct 20th - Added Privacy Value intro section, changelog

Mar 23rd - Added NBTV reference and some minor syntax updates.

Jun 29th - Added wifi jacking article and minor spelling fixes.