Surfing the internet is no joke when security is concerned. It's no secret that companies are regularly getting breached whilst at the same time trying to convince us that they take the privacy and security of our data very seriously 🙄🧐. It can be seen as a worrying time to be alive right now, especially as more and more of our everyday activities are shifted to "digital" tools, thereby increasing the opportunity for our private personal data to be stolen. With seemingly no choice but to embrace "digital", we definitely need to take more responsibility for our online security to limit any such damage that may or may not come our way.

Another Day, Another Breach, FFS!

I was inspired to write this because recently, a popular Virtual Private Network (VPN) provider was breached, and the secret key used to set up encrypted connections spilled online for the internet to see 😔. If you aren't aware, VPNs are used by many people in a bid to hide their identities online. Instead of using the unique IP address provided by your Internet Service Provider (ISP), you hop onto someone else's network and use their assigned IP address to access online resources. This has enabled people to circumvent restrictions imposed by their ISP, get around region-locked content for services like Netflix (a user in Australia watching movies not available to them but available to US Netflix users) and "perhaps" hide their identities online (more on this later). These VPN services are seemingly big business at the moment, and many of the providers have VERY aggressive marketing campaigns going on at the time of writing.

So NordVPN, along with TorGuard (no relation to the onion-routing browser) and VikingVPN, became the latest companies caught with their pants around their ankles, and unfortunately the real victims are any users whose traffic was potentially compromised.
This makes for very sobering reading even after a few rounds of triple vodka-cokes.

NordVPN Confirms it was Hacked

NordVPN Breach FAQ – What Happened and What's At Stake?

This isn't a piece about whether or not you should use VPN services. They have their place, and are useful for certain use cases. From a technical standpoint, I do wonder about who controls the traffic on the VPN network, and an attacker gaining privileged access on that network is a concern. However, if you do your research and understand what you are paying for, then have at it! For further information, check out the link below, which, whilst having a negative title, gives some great insights into what to expect and what not to expect.

Don't Use VPN Services.

My Inspiration

Because of the publicised breaches of VPN providers, people I know were understandably worried. With something so "techy", it can be hard to understand what it all means, and what you ultimately need to do in response. Currently, due to the sheer frequency of breaches and the awfully generic, cookie-cutter responses spewed out by breached companies, we run the risk of people almost becoming desensitised and accepting this as a part of life, which CANNOT be allowed to happen!

Woman who's seen one too many breaches and is thoroughly bored of it all!

Fortunately, in light of the curtain being pulled back on the claims made by VPN companies, a security-conscious colleague of mine actually reached out and asked me what my top five recommendations were for being safe online. I had to really think about this as I'm not the supreme overlord of security, nor am I an authority on such matters. My advice was well received and appreciated, so I thought I'd share it more widely.

Strong Password Hygiene

Strong password hygiene is integral to keeping yourself safe online. This includes setting strong passwords/passphrases that are unique for every service that you use.
Enlist the help of a password manager, as there is no way you'll be able to remember lots and lots of super secure passwords. You can check password strength using the fantastic zxcvbn tool made by the developers of Dropbox (try going for the maximum score of 4 each time) as well as the How Secure is My Password tool.

Interactive Zxcvbn

How Secure is My Password

You should also check to see if any of your accounts have been compromised in known breaches, which is possible using the excellent Have I Been Pwned. Make sure you change your password for any accounts that have been affected.

Have I Been Pwned

Use Two-Factor Authentication

Turn on two-factor authentication where available. Use hardware tokens first, like the YubiKey, as these are the most secure, and software tokens second, like Authy, Google Authenticator, Microsoft Authenticator etc. The extra security provided is an immense step up! Try to avoid SMS-based two-factor, due to security concerns as well as newer privacy concerns.

Standards Body Warned SMS 2FA is Insecure and Nobody Listened

Facebook's Two-Factor Authentication Puts Security and Privacy at Odds

Never Trust a Platform to Put Privacy Ahead of Profit

Encrypted Browsing with HTTPS is Your Ally

Prioritise sites that use secure HTTPS connections, as your data will be sent in a manner that can likely only be read by you and that site. This means that middlemen such as the network you are on (and others on that network), your internet service provider and any other snoopers and hackers will have an EXTREMELY hard time observing your traffic.
It also prevents your traffic from being modified in transit by people who control the network, as well as by attackers.

Comcast Injects Copyright Warnings into Browsers, Raising Privacy Concerns

Currently, you can tell that a connection is secure by the presence of a lock icon (often green). Soon, however, this will disappear, as the default state will be secure and any sites that don't use encrypted connections will be flagged as insecure.

Chrome will Mark All HTTP Sites as 'Not Secure' Starting in July

Scrutinise the Resources that You Use

Be very mindful of the applications you install on your devices and the websites that you visit, as this is a potential minefield that can open you up to a world of pain. Apps require permissions, and the more permissions that you give away, the larger the attack surface that you create for yourself. Only install applications which are strictly necessary, and when you don't use them anymore, bin them! Only install applications from reputable developers, vet them and DO YOUR RESEARCH. Malicious apps exist, and unused apps can still use previously obtained permissions to capture information about you, like location, contacts, messages etc.

Android PDF App with Just 100m Downloads Caught Sneaking Malware into Mobes

The Sound of Silence is Actually the Sound Of a Malicious Smart Speaker App Listening in on You

Apple is Adding New Privacy Features in iOS 13 That'll Hurt Facebook

There have also been cases where simply visiting sites has compromised devices.

Mysterious iOS Attack Changes Everything We Know About iPhone Hacking

Value Your Privacy

Do everything you can to stop your data from ending up in the hands of those who spy on us as we surf the internet in peace.
In many cases, they have shown that our privacy (obviously) and security aren't high up on their list of priorities.

Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records

2 Billion Unencrypted Records Leaked In Marketing Data Breach - What To Do Next

Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach

I personally use the Privacy Badger tracker blocker to stop web page trackers from phoning home with my behavioural data, and Ghostery is another option.

EFF's Privacy Badger

Ghostery

Earlier I mentioned that using a VPN "perhaps" hides your identity online by obfuscating your IP address. In reality, this method has been superseded by far cleverer techniques, including the art of fingerprinting. Whenever you surf the internet, a lot of supplementary data is also sent with each of your requests, including your browser, your operating system, the features permitted, the languages you want the page to be written in etc., and tools exist to statistically predict your identity based on this extra data. You can check how trackable you are online using the Am I Unique service, as well as Panopticlick by the Electronic Frontier Foundation (EFF), who fight for our rights in the digital world. When your results come in, be sure to try and follow the advice provided to make it very difficult to spy on your behaviour.

Am I Unique

EFF's Panopticlick

Finally, when you visit sites which like to bother you with annoying pop-ups and purposefully convoluted options menus, read those annoying cookie/tracking notices and ACTUALLY TAKE THE TIME to turn that stuff off if it displeases you. In many cases, the site designers have taken the time to make selecting your advert preferences as difficult and confusing as possible (using actual Dark Patterns), but this doesn't mean you should just accept the gobbling up of your data.
For me, if someone has gone out of their way to confuse me like this, I will go out of my way as a means of protest. How dare you?!

Dark Patterns

Dark Patterns Twitter

Asshole Design Reddit

For me, it is such a shame that the Do Not Track protocol didn't take off (advertisers of course hated it and ignored it), as for the price of a single extra piece of data sent with every request, "DNT:1", a website would know to turn that tracking stuff off! Instead, fingerprinting tools now use it as an extra metric to more accurately identify you on the web 😂🤣🙉🙈! How ironic!

'Do Not Track,' the Privacy Tool Used by Millions of People, Doesn't Do Anything

Apple is Withdrawing Safari's Do Not Track Feature

Staying Safe Online

Accounts which have been thoroughly locked down!

Unfortunately, whilst our lives are becoming more and more reliant on the internet and digital tools, it seems that we have a long journey ahead before we can rely on others to take our privacy and security seriously. Breaches are common, and we have to take responsibility for our information even when it is being managed by someone else. By securing our accounts, prioritising secure connections, limiting the tools we use to ones we vet and properly manage, and actually valuing our own privacy, we can make great strides. No solution is a magic bullet (no matter what VPN providers and other companies proclaim), and it is up to us to look after ourselves, and each other.

Take care and all the best. Si.
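As an added worked illustration of the fingerprinting and Do Not Track points made above (an editor's example, not code from the original post), the script below measures how much a tracker learns from a few request headers over a small constructed population of browser profiles, treating the DNT header as just another attribute. The population counts are made up for illustration; the point they show is that a rarely sent header like "DNT:1" shrinks the crowd you blend into.

```python
import math
from collections import Counter

# Constructed population of 1,000 browser profiles (made-up counts, not measurements):
# (user_agent, os, accept_language, dnt_header_value, number_of_users)
POPULATION = [
    ("Chrome",  "Windows", "en-US", None, 600),
    ("Chrome",  "Windows", "en-US", "1",  40),
    ("Safari",  "macOS",   "en-US", None, 200),
    ("Safari",  "macOS",   "en-US", "1",  10),
    ("Firefox", "Linux",   "de-DE", None, 100),
    ("Firefox", "Linux",   "de-DE", "1",  50),
]
FIELDS = ("user_agent", "os", "accept_language", "dnt")
TOTAL = sum(row[-1] for row in POPULATION)

def _counts(fields):
    """Count how many users share each combination of the chosen fields."""
    idx = [FIELDS.index(f) for f in fields]
    counts = Counter()
    for row in POPULATION:
        counts[tuple(row[i] for i in idx)] += row[-1]
    return counts

def matching_users(profile, fields):
    """Number of people who look identical to `profile` when a tracker
    only inspects `fields` (the 'how many share your fingerprint' figure)."""
    idx = [FIELDS.index(f) for f in fields]
    return _counts(fields)[tuple(profile[i] for i in idx)]

def surprisal_bits(profile, fields):
    """Identifying bits a tracker gains from this profile: -log2(share of the
    population that matches). More bits means easier to single out."""
    return -math.log2(matching_users(profile, fields) / TOTAL)

def entropy_bits(fields):
    """Shannon entropy of the chosen headers over the whole population,
    i.e. their average identifying power."""
    return -sum((c / TOTAL) * math.log2(c / TOTAL)
                for c in _counts(fields).values())

if __name__ == "__main__":
    base = ("user_agent", "os", "accept_language")
    with_dnt = base + ("dnt",)
    me = ("Chrome", "Windows", "en-US", "1")  # privacy-conscious user who sends DNT:1
    for name, fields in (("without DNT", base), ("with DNT", with_dnt)):
        print(f"{name:>11}: {matching_users(me, fields):4d} users match me, "
              f"{surprisal_bits(me, fields):.2f} identifying bits")
    print(f"population entropy: {entropy_bits(base):.2f} -> {entropy_bits(with_dnt):.2f} bits")
```

Run as-is, the DNT:1 user goes from blending in with 640 profiles to standing out among 40, which is the irony the post describes in numbers.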