How to Stay Safe Online: Tips for Personal Security

env #security

How I learned to "start worrying" and love the illusion of feeling safe.

Digital security and privacy have become more important than ever. With cyber threats constantly evolving, it is crucial to stay up-to-date with best practices and take proactive measures to protect your online presence. This comprehensive guide covers a wide range of security and privacy recommendations for various platforms and scenarios, aiming to help you fortify your digital life.

General

• Use a password manager: 1Password or Bitwarden.
  • Never reuse passwords.
• Don't store real passwords of critical accounts in password managers.
  • Instead, store the password altered by a secret rule that only you know.
  • Apply to accounts related to your real-world identity or money.
• Avoid using your password manager to generate one-time password.
  • Instead, use a separate authenticator app.
  • Otherwise, it would become a single point of failure if compromised.
• Use different emails and different passwords when registering services.
  • Use a secure email provider if possible: Proton Mail.
• Always enable 2FA, but avoid SMS-based 2FA when possible.
  • Be aware of SIM swap attack.
  • Use Yubikey.
• Install any security updates as soon as possible.
• Don't blindly click on any website you see in your Google search results; they could be scams!
  • Instead, add your frequently visited websites to your bookmarks.
• Do things that can ease your paranoia.
• Read Personal Security Checklist.

Privacy

• Read Awesome Privacy.
• Read The Hitchhiker's Guide to Online Anonymity.

macOS

• Use an application firewall and network monitor: Little Snitch.
• Create separate browser profiles for different usages.
  • One for daily activities.
  • One for financing activities, and don't install any extensions other than the password manager for this profile.
  • Use Incognito mode.
  • Even better: use separate computers.
• The fewer browser extensions installed, the better.
  • Be aware of developers might sell their extension to someone else.
• Disable all browser extensions when updating passwords.
• Don't use any apps that can read your clipboard or what you type.
• Don't use third-party input tools.
• Automatically lock your screen when idle.
  • System Settings > Lock Screen > Require password after screen saver begins or display is turned off
• Set one of Hot Corners to "Lock Screen" and always trigger it when you're away from keyboard.
  • System Settings > Desktop & Dock > Hot Corners
• Disable AirDrop and Handoff.
  • System Settings > General > Airdrop & Handoff > Off
• Exclude sensitive folders from Spotlight.
  • System Settings > Siri & Spotlight > Spotlight Privacy
• Turn on FileVault which provides full disk encryption.
• Power off your computer when not in use, in order for the disk to be encrypted.
• Use Dangerzone if you are working with PDFs.
• Use an ad blocker: uBlock Origin.
• Read macOS Security and Privacy Guide.

iOS

• Change the default PIN of your SIM card.
  • Settings > Cellular > SIM PIN > Change PIN
• Disable Predictive Text.
  • Settings > General > Keyboards > Predictive
  • Settings > General > Transfer or Reset iPhone > Reset > Reset Keyboard Dictionary
• Don't use third-party keyboard apps.
• Turn off AirDrop.

Crypto

• For large amounts of assets, always store them in hardware wallets or multisig wallets.
• Use multiple hardware wallets from different vendors; don't put all your eggs in one basket.
  • Some should only hold assets and never interact with DeFi apps.
  • Some are used for trading or DeFi stuff.
  • Or use an old phone to create wallets, and NEVER connect it to the Internet.
• Write your seed phrases on paper or metal, and store them in a (physical) safe.
  • Modify the seed phrase with a secret rule that only you know.
  • Keep at least 2 copies in different locations.
  • Never store a hardware wallet's seed phrase digitally, NEVER.
• Verify backups of your seed phrases every 6 months.
• Use multisig wallets, such as Gnosis Safe.
• Only store a small amount of assets in hot wallets.
  • If you follow this rule, it might be acceptable to store the seed phrase in a password manager.
  • Furthermore, encrypt the seed phrase before storing it.
• Rotate your hot wallets regularly.
• When transferring tokens to a new address, always send a small amount first, and make sure you can transfer out.
  • It may waste gas, but it's better than losing funds.
• Add addresses to contacts or whitelists.
• Always approve tokens with the exact amount, never use type(uint256).max.
  • It may waste gas, but it's better than losing funds.
• Always check the slippage setting before swapping.
• Review your token approvals regularly: Revoke.cash.
• Signing could be dangerous.
  • If it's a clear, human-readable message, it's probably safe to sign.
  • If it contains a large amount of data, read carefully before signing.
  • Especially, there are "permit" signatures.
• Use browser extensions or wallets that can simulate transactions.
  • Wallet Guard
  • Stelo
  • Scam Sniffer
• Learn to decode a transaction.
  • Search the first 10 characters on Ethereum Signature Database
  • Simulate the transaction raw data on Tenderly.
• Use Etherscan's Watch List to monitor your account activities.
• Website (domain or frontend code) can be hacked, even if smart contracts are secure.
• Read Blockchain Dark Forest Selfguard Handbook.
• Read officercia.eth's articles.

Developer

• Always create API keys with minimum permissions.
• Create distinct API keys for different purposes, services, or machines.
• Sign your Git commits.
• If you're unsure, run the program or script inside a non-root container.
• The fewer IDE/editor plugins installed, the better.
• Enable GitHub Copilot only for specific languages or files.
  • Especially, disable it for .env files or any file types that may contain sensitive data.

Wi-Fi

• Always change the default password of your router or IoT devices.
• Keep your router firmware up-to-date.
• Only use WPA3-Personal.
• Avoid using public Wi-Fi.

Physical

• Cover your laptop's camera with a sticky note.
• Be cautious when plugging USB devices into your computer.
• Be vigilant for keyloggers.
  • Bring your own keyboard and USB hub when necessary.
• Shred or redact sensitive documents.
  • Instead of simply disposing of them in the trash.
• Don't reveal information during "inbound" calls.
  • Only share sensitive data during outbound calls or communications that you initiate.
• Use a certified and well-protected extension cord.
• Get fire and earthquake insurance for your house.