In my day-to-day work as an ethical hacker (I prefer the term penetration tester, but whatever floats your boat) I encounter a bunch of common security mistakes that let me gain unauthorized access to your computer systems. It makes my work day a lot easier when someone's left a password written down on their desk—but I'm not the only one who's lazy and likes an easy win.
Economically driven black-hat hackers are usually looking for the lowest-hanging fruit, and with a few easy changes, you can make it far harder for someone to casually breach your security and invade your privacy. To that end, I've compiled a list of the top five habits you should change while using the internet—from a hacker's perspective. You may already know a couple, but the others could be the difference between you getting hacked, and keeping yourself safe.
1. Use a VPN
Encryption is important, and in an ideal world, every website would be using TLS with HTTP Strict Transport Security as a minimum. Unfortunately, this is not a perfect world, so for everything else, we have virtual private networks (VPNs). They create an encrypted tunnel that routes your internet traffic between your device and a provider's VPN servers, which is essential if you’re traveling and connecting to open Wi-Fi points a lot. Seriously. Go out one day with a copy of Wireshark installed on your laptop one day and see what sort of information you’re blasting out over Free Airport Wi-Fi through your phone. It's not pretty.
Admittedly, there's some debate among security experts over whether you should use a VPN. Valid arguments exist against using VPNs, primarily centered around entrusting the routing of your data to a potentially untrusted third party. My argument is this: You already trust your ISP, who cannot operate without the government's consent. Your government is also probably spying on you. Why not make it just a little bit harder? While I wouldn't advocate for using any VPN provider you come across, opting for an audited, no-log VPN can provide a degree of protection against government surveillance you wouldn’t have otherwise.
More importantly, a high-quality VPN offers two key benefits: firstly, it obscures your IP address, significantly complicating attempts to trace your actual location; secondly, it filters out common malware distributors and compromised advertisers through DNS blocks. Blocking ads already reduces a huge malware vector, so I’d recommend one for this alone.
2. Utilize a JavaScript blocker or whitelist
The architecture of the internet means that much of the content you encounter in your browser is delivered via JavaScript. While JavaScript can make websites look and feel better, it also serves as a vector for an enormous array of attacks, including clickjacking, denial of service, cross-site scripting and request forgery, and even arbitrary code execution in some cases.
By employing a JavaScript blocker or whitelist, you can selectively allow scripts from trusted sources while mitigating the risks associated with malicious or intrusive scripts. This mitigates attacks that spawn from malicious adverts and drastically reduces the chances of having your session credentials stolen in a drive-by attack. NoScript is still the gold standard for Javascript blocking suites. I use that and uBlock Origin to cover most of my bases online.
3. Stalk yourself
Very few people have any idea how much information about their personal life is out on the internet, just waiting for someone to connect the dots. I often use LinkedIn to scrape information about a company’s employees, technologies, and physical locations, but dealing with targeted hackers requires a slightly different approach.
Take a piece of information that is publically available, such as your email address or a username you use. By using basic open-source intelligence techniques and some dedicated googling, you'll be astounded by how much personal data is readily accessible, including your real name, address, and more.
If you can see it, so can someone else. Tackle your online presence and trim out anything you don't want a stranger to see. Don't underestimate the power of social engineering when it comes to hacking your devices.
Once you have an idea of the steps someone would have to take to link your online and real identities, removing or deleting this information from your online accounts can sever the link. This makes it far more challenging for malicious actors to exploit your personal information (in turn, making it far less likely you’ll be the victim of a deranged Call of Duty player with too much time on their hands).
This is particularly important for platforms like Facebook and Twitter. You'd be surprised how many answers to security questions you can find from a quick scroll through someone's Facebook wall or Twitter feed. While you're at it, make sure you explore the privacy settings offered by social media sites to ensure that only people you know can access your personal information. Becoming a master of open-source intelligence (OSINT) doesn't happen overnight, but even a little effort is better than nothing.
4. Update your apps
Yes, it's boring advice. Unfortunately, it's the basic precautions that often make the critical difference between success and failure in cybersecurity. Outdated software versions cause headaches for security professionals everywhere, so please, regularly update your OS and your software (especially if it connects to the internet). Merely glancing at the Common Vulnerabilities and Exposures list will give you an idea of the sheer abundance of software exploits out there.
A zero-day exploit is when a vulnerability has been disclosed but not patched yet, so cybercriminals jump on it. Those security updates on your computer are usually what fix these issues, so don't underestimate them.
This is even more important for mobile devices, which are often repositories of highly sensitive information—a hacker's paradise. You’ve probably heard about the Pegasus spyware at some point, which leveraged several complex exploits inside the iOS and Android operating systems to hack prominent media figures' phones completely remotely via text messages.
Phones aren't the only place where these attacks happen, however. Old browsers, in particular, are easy targets for zero-click malware attacks which leave your computer compromised with just a visit to a suspicious link.
If you must maintain an old operating system for legacy purposes, such as running deprecated software versions, consider isolating them as virtual machines or air-gapped systems that lack internet connectivity.
5. Stop re-using your passwords
I'm sure you've been told this a thousand times, but there's a reason for it. There are countless insecure sites and apps out there that you entrust your passwords to. Some of them still save their passwords in plaintext or unsalted MD5 (essentially, worthless encryption that's not protecting you).
If you reuse them, it's a ticking time bomb if one of those platforms gets hacked, and your password begins floating around the dark web. Once that happens, it's just a matter of time before someone tries your email-password combination against popular websites and gets a hit.
Even if your credentials haven't been leaked, using common passwords makes you vulnerable to attacks. Brute force attacks often use compiled password lists from data breaches, massively cutting down on the time it takes to actually find login credentials that work.
When I'm trying to break into a system, I don't look at one user and try every password I know. I try the most common three passwords against every user on the system. It's depressing how often this works. Change your password!
That said, it can be hard to remember a password for every site you're ever going to log into. You should consider using a password manager (or, at the absolute very least, enabling two-factor authentication). You can also check if any of your accounts have been compromised or if you're using a commonly exploited password through tools like haveibeenpwned.
Trust nothing
There are numerous other measures you can take online to safeguard your personal information, but the five steps above are paramount. In my experience, hackers often succeed not due to extraordinary technical prowess or sophisticated engineering feats, but rather by exploiting human laziness and oversight. If someone has left the back door open, why bother trying to pick the lock? By making a few changes to your habits, you can significantly reduce the likelihood of falling victim to a hack attack (and make my job a lot harder).
Here's a bonus tip: if you ever get a weird email from someone you trust asking you to check out a file, go call them and make sure they sent it. Trust me on this one. spear phishing works far more often than it should.
Andreas is a digital privacy advocate and researcher. He's previously uncovered the data economy of the UK charity sector, and believes online privacy is a right, not a luxury.
