Don’t be the Reason Your Employer Got Hacked While Working From Home!

I created this list of tools a while ago for friends exploring privacy and security related software and I decided to expand it into this article after having a few other people asking me about tools and tips for how to stay safe and protect your privacy.

I’m not a security professional, I’m just a regular person who started paying more attention to this stuff after having some of my accounts compromised and now I help the organizations I work with and people in my life to stay safe online.

I wrote this to be relevant for anyone but is also worth some extra thought for anyone working from home for a company that could be the target of hackers (almost everyone with a job they can do remotely). 

As the world has adjusted to “social distancing” as a lot more private information is being shared online in any number new ways. Ransomware, data breaches and new kinds of attacks are happening more and more in our increasingly online world and you don’t have to be a celebrity or a politician to be at risk.

This is a guide for how you can avoid being the reason your company is vulnerable to this kind of attack and also help you keep your personal information and private pictures and other files safe from the automated hacks that so many people have become victims of in recent years.

Know Your Threat Model 

Figuring out how to stay secure and private online depends on your “threat model”. For most of us the bottom line of privacy and security is that we would like our private information like our banking pin codes and medical records to be safe. Generally we would all prefer that our private photos and messages remained private. But increasingly everyone doesn’t want to be the reason their company was hacked and lost money or worse the personal information of their customers.  Even if you aren’t worried about keeping your own passwords and secrets private I’m pretty sure the place you work does care about their information being secure.

Most of us are more at risk from hackers that send phishing emails or other forms of generic direct messages to thousands of people as opposed to more targeted attacks but that doesn’t mean we shouldn’t be worried about more targeted attacks too if our passwords aren’t secure.

For some people like activists, journalists, cryptocurrency investors or celebrities there may be an additional layer of concerns that lead to the need for even more caution and some specific tools not listed below. That being said the tools listed below are all useful to a wide range of people regardless of your threat model. 

Security and privacy and different but connected. Being good a security will increase your privacy in terms of who has access to your files and personal information. But not everything that is good for security is also good for privacy.

Starting with Your Devices

If security is the main goal then Apple and Google products do a good job especially if you do the most important thing which is using a different strong password with each account and two factor Authentication (also know as 2FA… see below for more details) but both companies harvest your data and use it to build a profile of you for marketing and the personalization of your experience on the devices among other things. Google sells your data but Apple keeps it all for themselves. Both are good at security. 

Apple claims to not share your information whereas Google sells your data as part of their business model. Apple also has more of a “walled garden” and does a fair amount to control what apps are on the platform and what information they have access to which is good in terms of security.

That being said if you are on an iPhone and using Facebook tools like Messenger, WhatsApp or Instagram)  or any of the Google tools like Gmail, Google Maps, Google search, Google Calendar etc you are still giving permission for a lot of your data to be tracked and sold just like if you were on an Android phone. Apple has limited tracking between apps recently which is good but still within those apps you are giving away a lot of data.

 If privacy is your priority that will lead you to reducing your use of some of the services I just mentioned regardless of what kind of device you use. Personally I use all of those apps but I like to at least have privacy focused apps as secondary options that don’t share your data for all the basic services. This gives me options to use for personal conversations or a place to talk strategy at work as well as better options for online shopping and keeping my personal information private. 

Desktops and Laptops

Windows is inherently less secure than MAC OS and the most secure is Linux or Chrome OS operating systems just given the number of viruses and malware written specifically for Windows. All operating systems can be hacked and most of us aren’t going to change devices unless we have to. Windows is also more widely used because its generally less expensive.

The important thing is being aware of the risks associated with the operating systems we use and finding the right tools to protect those system. Generally its the apps we use and the sites we visit or the messages we receive via email, SMS or other messaging service that create problems.  Its important to be very careful about what you click on. It’s also smart to have your important files stored in encrypted storage either online or offline on a hard drive.

A good starting point for increased privacy is using DuckDuckGo as the search engine you use in your browser or even switching to Firefox from Google Chrome entirely so you know you won’t be re-targeted by ads immediately everywhere you go online.  Using the built in privacy settings in your browser is a good idea no matter which browser you use. This applies to phones and desktops or laptops.

Perhaps the most important thing you can do in terms of security is to take a look at if your existing accounts that may have been part of any hacks or “data breaches”. If you put your email into this tool from Mozilla it will compare it against a large database of all known data breaches and show you if any of your accounts associated with your email has been compromised. This is a free service from Firefox. You will find out if you need to go change your password anywhere right away or if any other information about you has been leaked. Its scary to see how many data breaches take place. Its a big reason the tools and tips in this article are important.

Its very important to not use the same user name and password on multiple different services. The most common way to get hacked is for people to use lists of emails and passwords from one breach to try to access user accounts on other services. This can be done with bots and often you won’t even know you have lost access to your accounts until its too late. If nothing else use better passwords for work and banking and medical stuff.  Passwords managers are a god send in terms of better password management. If you only do one thing from this site switching to using a password manager should be it.  

Password Manager There are a ton of different options in this category. Just using the password manager built into your browser is better than nothing but ideally you would use a tool like BitWarden or LastPass. I prefer BitWarden because its open source and the pricing is better than LastPass for more advanced features.

 Convenient browser extensions exist for both these tools that work on Firefox or Chrome and Safari too. That makes it a really convenient way to manage all your passwords in apps and on your browser. You can also manage secure notes and credit card information for filling form fields when paying for things. The real hardcores generally opt for KeyPass which doesn’t connect to the internet but that involves a bit more work to get it set up and to transfer stuff from one place to another. I’m guessing if you are reading this you probably aren’t one of those hardcore privacy focused people you are just a regular person who wants to be a bit more secure, in that case I would suggest BitWarden and their browser extension. The free version is good enough for most people and it works great on desktop and on the phone.

Two Factor Authentication (2FA) tokens – Using a second way to identify you when you log into a site after you enter your password or “Two factor authentication” (2FA) might be a bit annoying when you are trying to log into something but it really is essential for anything important. Unfortunately not many banks or credit card companies have it set up on their websites which I find bizarre. But you probably can use it for many important things like your works email system and your own email (which is probably used for back up codes for anything you lose access to and can be exploited by hackers to get access to anything where its used that way).  Its way better to use an app that creates authentication tokens as opposed to using SMS text messages for 2FA. Unfortunately sharing your phone number can be a vulnerability. “Sim jacking” is what hackers call it when they pretend to be you and get services transferred away from your phone to their phone and then they have the ability to get around your 2FA. More on that below.

So for 2FA I love Authy. Again works on all platforms and easy to set up and secure and easy to restore from backup (unlike Google Authenticator). Good User experience compared to other options. Some say it is more secure to use something that doesn’t connect to the internet but unless you are particularly at risk of being targeted by hackers its still way better than not using 2FA and its convenient and easy to set up.

Phone numbers (+ sms text)

Its generally best to not use your own cell number for online shopping or sharing it in other ways online.  Sim jacking happens because hackers find your phone number associated with your name during data breaches. Your phone number can also be a way to track you remotely because your cellphone sends “pings” regularly to cell towers and this is actually reasonably easy information to get your hands on sadly.  Even if you aren’t concerned about that to some people the most important reason not to use your own phone number for online shoping is because it will dramatically reduce the amount of spam calls you get on your phone.

This tool is also useful for getting secondary phone numbers in different area codes, separate work/ personal numbers and it’s great for online shopping or online dating. As mentioned before this is especially important as increasingly hackers use SIM hacking to take over peoples cell phones. Avoid using SMS text messages for 2 factor authentication. 

Sudo is a great app for both iPhone and Android and has a desktop version for Mac (hopefully soon on Windows as well). They give you a free phone number you can use for online shopping, dating etc. It can also be useful if you want to use a separate number for work and personal use. The paid plans are reasonable if you want to make this your primary phone. Experts suggest never giving anyone your actual phone number and just using the forwarding numbers created by a service like Sudo. There are other options but I think this one is the best and easiest to set up. Services like Twillio can do even more and are customizable but it takes some knowledge and time to set up. 

Instant Messaging and Video Calls (end to end encrypted) Instead of using WhatsApp or Facebook Messenger a lot of people are switching to Signal or other end to end encrypted apps for messaging and video calls internationally. In fairness Whatsapp also has this kind of encryption but given its owned by Facebook and still sells your metadata many have decided to go with other options. Of course you can only talk to people if they are also using these platforms. The recent rush towards Signal has made that a lot easier. Signal has been one of my favourite apps for years and its just gotten better 

Signal is a non-profit project. Its an open source messaging alternative started by one of the former founders of WhatsApp. Its very popular and dependable. Until recently it didn’t have video messaging on mobile but now it works well on all platforms (although you need to use linux to add it to a chromebook if you have one). That being said it is probably the most trusted and broadly used end to end encrypted messaging tool ever made. Even Edward Snowden recommends it. 

Secure email that doesn’t sell your data 

Protonmail is serious about privacy and security. They host their servers in an abandoned nuclear fall out shelter in Switzerland. Emails between Protonmail accounts is end to end encrypted meaning nobody can read them besides you and the other person you are talking to (if you both use ProtonMail or another end to end encrypted email service). That being said emails sent to any traditional email client are no more safe than anything else in the sense that your emails are still being scanned and stored on their servers and accessible by staff or others potentially. 

From a security point of view Gmail and other large providers are actually very secure. The bigger concern is privacy. They scan all emails for marketing and re-targeting purposes and staff at Gmail ultimately have full access to your messages. I personally have used Gmail since it launched and will continue to for some things but I have moved all my banking, health and personal email to Protonmail.

I also use Fastmail for all my online shopping. They also don’t scan your emails and I wanted to keep my email addresses separate so that if any of those services I use are hacked they don’t have information about my more personal accounts. This might be a step too far for many people. It could be good enough to switch to either Fastmail or Protonmail or even to just ensure your gmail is secured properly. Again its just a matter of your priorities. If you care about your privacy than these two apps are better options than gmail.

Secure note taking that isnt harvesting your data.  This is a great simple free note taking tool that isn’t scanning everything you write for their marketing purposes. The paid version has more advanced editors for html and other code languages as well as mark down and to do lists etc. The free version is just plain text but still useful. Syncs easily with Google drive and drop box if you want to do that too. 

The gold standard for secure 2 Factor Authentication … Yubikey. The hardest security to bypass. Still not enough sites and apps use it but Bitwarden and LastPass do (with the paid versions) as well as all Google suite products, DropBox, Facebook and some other important things. Can also be used to log into your computers account via Hello Windows on PCs. Its a good idea to have at least two of these keys that you keep seperate in case you lose one and never to leave them plugged into your computer . Its like leaving a key in your front door.

File sharing for bigger files done directly peer to peer and encrypted (no company server in the middle where others can read things).  I would have said FireFox Send but that doesn’t seem to be available any more. Here is another decent option if you don’t want to use DropBox or Google Docs.

You could also use for large file sharing and storage and they use good encryption and security features. Its a data storage tool like google Drive wheres as Tresorit is just a way to send a large file. It creates a link you can share via email or direct message or whatever.  Often I will just use Signal to share files unless they are huge. For the real hardcores you can use Onion Share on the TOR network but that is beyond the needs of most people. If you are primarily worried about security then using Google Docs or Air Drop in the Apple ecosystem are secure as long as your passwords are secure.

VPNs and DNS – At home and on public wifi

There are way too many Virtual Private Network (VPN) options. If you watch youtube videos you likely have seen a ton of ads for them. Although they all might be better than using a public wifi network in a coffee shop or airport without them the problem is many VPNs actually track all of your web traffic for marketing and re-targeting purposes. I like Proton VPN, if you use ProtonMail you have access to it automatically. They also do not track your web traffic and they have a free version that works pretty well. You can pay a bit more and its really fast and private.

Finally what about the information your web service provider or your mobile phone data provider has? Your DNS records are a history of every website you ever visited that they have total access to.

According to Wikipedia the Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

Long story short your DNS also contains a history of all your web traffic. The simplest way to avoid this is to use a tool like Cloudflares

They have desktop and mobile versions. They also help speed up your internet because all the tracking etc that many website are loading behind the scenes are blocked. Cloudflare is a very popular website security tool that helps block hacking attacks like denial of service attacks if you have a website. They claim to not track any of your individual or company data. Personally I trust them more than my internet or phone company. There are other ways to do private DNS routing but this is by far the easiest. You just install the app and flip a switch to turn it on. It also works as a VPN so its like two things in one and its free.

Open Source? 

Wherever possible I tried to prioritize open source apps. Open source projects are generally better for security because experts can review the code and provide reassurance that the networks are secure. Also they often have a community of people looking for bugs and fixing them. 

This is far from an exhaustive lists, its just tools that have worked well for me.  I have some mixed feelings about a bunch of the tools that are out there. Nothing is perfect but that doesn’t mean something isn’t better than nothing. For those that want to completely do-google their lives I would suggest searching for videos (ironically on youtube which is owned by google) and you will find a lot of videos as well links to articles on website that walk you through how to set up custom ROMs on some specific Android phone. You can also find places to buy a phone that someone else has set up with privacy and security in mind. But again that is well beyond what most people will feel the need to do in their own lives. Just taking a few steps outlined above can make save you from some serious headaches at work and in your personal life. It can actually make things more convenient and less stressful if you put a little time into setting things up.

Feel free to get in touch if you have any questions or suggestions for other tools or tips. Good luck out there.