At this point in the book, I’ve covered most of the technical topics that require background and longer explanations. However, there are a handful of other topics that I want to touch on because I feel they’re important. In this chapter, each section will have its own checklist with just a brief introduction. It’ll be sort of like a lightning round!
When Bad Things Happen
Up until this point, the entire book has pretty much been about preventing bad things from happening. Sometimes despite our best efforts, we still get bitten by misfortune. In this section, I will try to walk you through the recovery process for some common cyber-calamities, or at least point you to websites that can help you.
Tip 12-1. Email Account Is Hacked
Immediately change your password and use LastPass to create a strong, unique one. Until you change your password, the bad guys can continue to use your account for their nefarious purposes, all the while pretending to be you.
If you used this same password anywhere else, you need to change the passwords on those sites, as well. Again, let LastPass create strong, unique passwords for those sites.
You might want to change your security questions. Consider choosing answers that are not true, or add some strange prefix or suffix to your answers like “not” or whatever—making it basically impossible to guess the correct answers. And then make a note of whatever you used in LastPass for that site (use the notes section at the bottom of the website’s vault card).
Look in your inbox for any emails about password changes or password reset requests that you did not initiate—like for your bank account, a social media account, or whatever. As I discussed earlier in the book, most password recovery procedures involve sending you an email to reset your password. If you find evidence of a successful password change, you should assume those accounts are compromised. Inspect them closely for bad transactions and change the passwords on those accounts, as well.
Look at your Sent folder to see whether any spam or scam emails were sent on your behalf. You may also want to contact any recipients of those emails to let them know they did not come from you and may be malicious.
Check your email settings to see whether anything looks amiss. For example, make sure someone didn’t add or change your email signature (an optional bit of text that is automatically included at the bottom of every email you send). Check your auto-forwarding and vacation/away settings, as well.
You should probably inform your email provider that your account was hacked but that you have changed your password. They may be able to take some action against the attackers.
Finally, this would be a good time to enable two-factor authentication, if it’s available. If you had had this in the first place, your account probably would never have been hacked.
Tip 12-2. Website Password Breach
If you get a notice from a website where you have an account saying that there has been a “security breach,” they will usually tell you that you should change your password. That’s precisely what you should do, right away. As a further precaution, don’t use any links in the email (just in case it’s a fraud). Log in to your account by manually entering the web address or using a browser bookmark or favorite.
What the email may not tell you is that if you use this same password on any other websites, then you better change your password on those sites, too (and make it unique this time). If the website breach email says that credit card numbers were also lost, you should keep a close eye on your credit card account, looking for purchases that you didn’t make.
That’s “have I been pwned.” The term pwn (rhymes with “own”) is hacker lingo for dominating or defeating someone. If you’ve been pwned, you’ve been successfully hacked. This site maintains an up-to-date catalog of all the known server breaches, indexed by email address. You enter your email address and the site will tell you whether that address was part of a known breach.
Tip 12-3. You Suspect You Have a Virus
If your files are held hostage for money, see the next tip.
Your computer is suddenly more sluggish or less responsive.
Your computer appears to be working hard even when you’re not using it. For example, the fans are blowing full tilt or the hard drive light is flashing constantly.
Unwanted windows or applications are popping up all the time.
Computer or web browser settings change without you doing it.
You’re getting windows popping up out of nowhere, including ads or warnings of computer problems.
1. If you haven’t already installed antivirus software, do that immediately (see Chapter 5) and run a full scan.
2. You can download and install special, on-demand virus checkers.
Malwarebytes “for home” version (Mac or Windows): https://www.malwarebytes.com/mwb-download
If you have a Windows machine, you can also try downloading and running Microsoft Safety Scanner: https://www.microsoft.com/en-us/wdsi/products/scanner
3. If you can’t seem to shake the virus, you might have to completely delete this user account. (If the account was your admin account, you might even need to completely wipe the entire computer and start over.) If you are pretty sure you know when things started going haywire, you can try using your backup software to bring your entire computer back to a point in time prior to the suspected infection date.
Tip 12-4. You’ve Got Ransomware!
If you get a pop-up message or big scary screen telling you that all of your files have been encrypted and you must pay money to fix it, you’re the victim of ransomware. If you have a full backup of your system (see Chapter 3), you can simply restore your system to a point in time prior to the ransomware infection and you’re done. That’s why the backup is so crucial.
If your backup is only for your files (and not your entire system), then you’ll need to delete the infected user account and then restore the files from backup.
If all else fails and you really need those files back, then you can always pay the ransom. In most cases, you will get your files back. If you didn’t, word would get around, and no one would pay. It’s in their best interests to bend over backward helping you. Some of these guys actually have tech support that you can call… I’m not kidding. You will probably be asked to pay with Bitcoin or some other anonymous payment method. Again, they should provide you with all the help you need to do this.
In some cases today, particularly for business ransomware attacks, the bad guys have added a new twist: if you don’t pay, they will release your files to the public. This is something that having a backup can’t fix. If this happens to you, you’ll have to decide if the ransom is worth paying. Of course, that doesn’t guarantee that they won’t come back again later for more money, if they feel you’re really concerned about the files being put on public display.
Tip 12-5. Restoring a Lost or Messed-Up File
Mac OS Time Machine: https://support.apple.com/en-us/HT203981
Windows 10 File History: https://support.microsoft.com/en-us/help/17143/windows-10-back-up-your-files
Backblaze: https://www.backblaze.com/restore.html
And When I Die…
So, what happens to all your various online accounts when you die? That’s a question most people probably never ask themselves until it’s literally too late. While most people are aware that they should have a will and healthcare directives, only about 40 percent of Americans actually have any estate docs. But how many people take the time to handle their digital estates? What should happen to all your emails, photos, music, forum posts, dating site info, social media accounts, and so on? In this section, I’ll give you some tips on how to manage your digital affairs.
Tip 12-6. Get a Will
I can’t stress this enough. If you have a spouse or children, you really need to have a will in place. Every state has different rules about what happens to your stuff if you die without a will, but these processes can take a long time, and the default rules may not suit your needs at all.
When you go to get your will, talk to your lawyer about handling your digital assets, as well. They should at least be able to tell you what your state law says about this subject. Be aware, however, that this area of law is very new and evolving quickly.
Tip 12-7. Add a Backup to Your Safety Deposit Box
Again, this is not really a digital thing, but it’s important. Many banks will not honor a will or power of attorney to allow access to a safety deposit box. I have no idea why this one thing is treated specially, but it is. So, make sure that your spouse and perhaps one of your children have been approved to access your safety deposit box.
One weird caveat to this. At least at my bank, in order to remove someone from this access list, all parties on the list must be present. So don’t go too crazy.
Tip 12-8. Save Your Passwords Somewhere Safe
Your successors may need immediate access to things like bank accounts, investments, insurance, computer accounts, and so forth. You should therefore print off a list of your most important passwords and keep them in a safe place. Better yet, print off some one-time passwords for LastPass, which will work even if you change your master password. You might put these printouts in your safety deposit box or in a fireproof safe. LastPass also has a Family Plan that can allow access after a period of time—sort of a dead man’s switch. If you don’t respond within a time period, your chosen successor will be given access to your password vault. Just make sure that whoever needs these passwords knows where they are and knows how to get to them.
Tip 12-9. Ensure Access to Two-Factor Device
If you’ve followed my advice on setting up two-factor authentication where you can, that means your successors will also need access to your two-factor authentication device. This will most likely be your cell phone. So, make sure that your cell phone account can remain active (so your phone can receive SMS messages) and that your authenticator app is accessible. If your cell phone is locked (and it should be), you should write down your PIN or passcode somewhere. You can also usually add a second biometric signature to unlock your device, but sometimes these fail. You want the PIN or passcode.
If by some misfortune your loved one dies without doing this, your best bet will be to try to access their accounts from known devices and in known locations. This might prevent the two-factor code from being needed, at least for a period of time.
You might want to add your cell phone as the two-factor authentication device. If the deceased used Authy or a similar authenticator app that allows for transfer to a new device, you should try to transfer it to your phone.
Tip 12-10. Appoint a “Digital Executor”
While you might want to simply hand over all your passwords to your beneficiaries when you die, you might actually have some parts of your digital life that you want to die with you. The only way to accomplish this is to appoint some third party who you trust to take care of this for you after your death. Your lawyer might be a good choice. You will need to carefully document what you want done with each account. You will only want these passwords and instructions to be opened after your death, which is something your lawyer should be able to arrange for you.
If you do a little Googling, you can find that people are starting to write articles about what to do with your digital life when you die. Search for digital estate planning. These services are in a massive state of flux. I had links to two of them in the first edition of my book, and they’re already either out of business or merged with some other company.
Speaking of Google, social media accounts can be particularly finicky. Their policies can be weird and they’ve been changing as this issue has become more prevalent.
Frank Moraes, “Why You Should Prepare for Your Digital Afterlife [2020 Edition],” Who’s Hosting This?, March 13, 2020, https://www.whoishostingthis.com/blog/2020/03/13/digital-afterlife.
Leigh Anderson, “You Need to Deal With Your Digital Legacy Right Now,” Life Hacker, November 15, 2017, https://lifehacker.com/you-need-to-deal-with-your-digital-legacy-right-now-1820407514.
Mariella Moon, “What You Need to Know About Your Digital Life After Death,” Engadget, December 10, 2014, https://www.engadget.com/2014/12/10/online-life-after-death-explainer.
Catey Hill, “5 Steps to Creating Your Digital Estate Plan,” Next Avenue, May 6, 2012, https://www.nextavenue.org/5-steps-creating-your-digital-estate-plan.
Tip 12-11. Stop ID Theft After Death
Send a copy of the death certificate to the IRS.
Send a copy of the death certificate to the Social Security Administration.
Cancel their driver’s license (and any other professional license they may hold).
Notify the three credit bureaus: Equifax, Experian, and TransUnion.
Notify their banks and financial institutions.
Notify their health insurance provider(s).
Gold Stars and Tinfoil Hats
We’ve covered well over 150 different tips on mostly simple and mostly free things you can do to improve your computer safety. While some of these tips involved some effort and some of them may have impinged on your convenience, they were quite tame compared to the items in this section! Just for fun, I’m going to lay out some truly “pro” tips for taking things to the next level. These are for the tinfoil hat and black helicopter crowd.1 I am by no means recommending that you need to do any of these things. For that reason, I’m not going to painstakingly lay out the steps required to do them. However, I thought it would be fun to show you the lengths that some people go to in order to be super secure. These are roughly in order of effort and cost or just plain paranoia level.
Tip 12-12. Install NoScript
Tip 12-13. Install Haven on an Old Android Phone
Tip 12-14. Add a Dedicated Guest Wi-Fi Router
While most modern routers provide a “guest network” option, you still have to trust that the router software maker implemented that security feature properly. If you have some Internet-enabled devices in your home that you don’t fully trust (like Internet of Things devices) or if you have a lot of strangers in your house who want to use your Wi-Fi, you might want to consider beefing up your security and having a dedicated Wi-Fi router for your guests and IoT devices. Having a dedicated router for this untrusted traffic is the safest way to make sure that guests and rogue devices cannot access your private home network.
Tip 12-15. Install Little Snitch (Mac OS Only)
Tip 12-16. Use Top-Shelf Security and Privacy Tools
More than any other website I’ve found on privacy, this one always goes the extra mile and doesn’t screw around with half measures. Many of the tools I’ve recommended are listed here, but there are many more. For this book, I’ve tried to find the right compromise between security and convenience. Not these guys. If you really want to take things to the next level, this is the website for you.
Tip 12-17. Install Custom Wi-Fi Router Software
DD-WRT: https://dd-wrt.com
OpenWRT: https://openwrt.org
Tip 12-18. Install and Use PGP
Tip 12-19. Use Tor to Protect Your Identity
Tip 12-20. Need to Blow the Whistle? Use SecureDrop
Tip 12-21. Set Up a Virtual Machine
One way to contain some secret activities is to have a whole separate computer specifically for this purpose (see the next tip). However, this will obviously incur some significant costs. You can get many of the same benefits by having a virtual computer running on your regular computer. This is called creating a virtual machine (VM). A VM runs its own operating system that is separate from the OS running on the host computer. So, all the web surfing, file downloads, emails, and so on will exist in a sort of container. VMs have the interesting capability of creating snapshots. You can basically take a picture of the virtual computer in some state and return to that state at any time. So, you can do your dirty deeds and then revert to the snapshot… it’s like it never happened! While you can pay money for VM software, there’s a perfectly good free alternative called VirtualBox. This software runs on both Mac OS and Windows.
Installing VirtualBox: https://www.virtualbox.org
Installing Ubuntu: https://www.wikihow.com/Install-Ubuntu-on-VirtualBox
Tip 12-22. Use a Dedicated Secure Computer
While a VM is cheap and easy, you can never really be certain that there won’t be some sort of information leakage between your VM and your host operating system. If you want to go full tilt, you really need a dedicated machine that is completely separate from anything you would normally use. You can save money by buying a used machine, but of course you can’t be 100 percent sure that the person you bought it from hasn’t somehow compromised it, so you’d better just get a new one from a big-box store.
If you want to really go the cheap route, you can buy a Raspberry Pi minicomputer. For just $35, you can have a fully functional Linux computer that’s about the size of a deck of cards! Of course, you’ll need to buy a case and a power supply for it, plus an SD card for the “hard drive,” but you can get all of that for about $60. All you need is a monitor, keyboard, and mouse, and you’re set!
Tip 12-23. Sandbox Your Windows Apps
In security terms, "sandboxing" means to run software in a sort of virtual container. The application running inside this container is not allowed to access any files, settings, or devices outside the container—at least not without explicit permissions. Web browsers will sometimes put a media player in a sandbox because these web apps are often targets for hackers.
The Pro and Enterprise versions of Windows 10 have a built-in security feature called Windows Sandbox. But assuming you have the Home version (like most people), that doesn't help you.
If you're really determined, you can use a free, open source tool called Sandboxie. This tool was originally created by Sophos but was released as open source in 2020. You may still be able to find regular Sandboxie installers, but to get the latest features and fixes, you may have to actually compile the software yourself. If you're interested, check it out here:
Tip 12-24. Shut Your Pi Hole
Here’s another fun use for a Raspberry Pi minicomputer: create a custom DNS server that will block all ads for your entire household. There’s an open source software project called Pi Hole that acts as a custom DNS server. The beauty of this solution is that it can block access to known tracking and advertising websites. And when you set this up as the DNS server for your home network, all the devices in your home will automatically get the benefits.
These computers have lots of other fun uses, as well, like creating a little VPN server or a Minecraft server or a media server. The possibilities are nearly endless. Check this site for more fun ideas:
Tip 12-25. Use Open Source Hardware
I’ve told you about open source software—software code that is available for anyone (including security experts) to review and vet. But what about the hardware? What if China is slipping in little hacking chips into the motherboard3? This is called a supply chain attack: compromise a part of a computer before it’s even assembled.
There’s at least one company I’ve found that strives to address this niche market: Purism. I’m not claiming that these devices are impervious to supply chain attacks, or that the software they put on this hardware is perfectly secure. But I can tell you that these guys are trying really hard to do these things. They make desktop and laptop computers, and even a mobile phone.
Purism: https://puri.sm
Tip 12-26. Go Silent
Tip 12-27. Completely and Securely Erase a Hard Drive
Tip 12-28. Roll the Dice for Security
For thousands of years, humans have loved a good game of chance. And the go-to method for generating random outcomes was a set of (unloaded) dice. You can use this same time-honored technology to generate some seriously strong passwords. The most common method is using regular six-sided dice—but you don’t use the numbers, you use those numbers to select random words from a special list. The result is a passphrase—like a password, but made of words you can remember. Now you may recall from Chapter 4 that passwords should never contain actual words. But passphrases make up for this by being much longer than a regular password and by being truly random.
The wonderful folks at the Electronic Frontier Foundation (EFF), working with crypto guru Bruce Schneier, developed a system for generating passphrases. See the link below for a full explanation—not only of how to use it, but why it’s truly secure. (Maybe buy some EFF dice and support their work, too.)
Bruce consulted on this next-gen dice generator tool, called DiceKeys, that even kicks this up a notch.
One of my favorite humorists is Randall Munroe, mostly because he’s geeky like me. He’s written some great books like “What If...”. But he also pens a great comic called XKCD, and this one comic has immortalized the whole passphrase concept.
But Randall also addresses the reality of real-life security weaknesses (i.e., you and me).
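The dice-to-words lookup described in Tip 12-28, as an added example that is not from the book or from the EFF. The 36-word list is constructed for the demo (two dice per word), and the "dice digits, tab, word" file layout and all function names are assumptions of this sketch.

```python
import math
import secrets

# Constructed 36-word demo list (two dice per word), not a published list.
DEMO_WORDS = ("acorn bagel cedar daisy eagle fable gecko hazel igloo joker "
              "kayak lemon mango noble olive pecan quilt raven salsa tulip "
              "umbra vivid walnut xenon yacht zebra amber birch coral delta "
              "ember flint grape heron ivory jelly").split()
# Assumed file layout: one "dice digits<TAB>word" entry per line.
DEMO_LIST = "\n".join(f"{i // 6 + 1}{i % 6 + 1}\t{w}"
                      for i, w in enumerate(DEMO_WORDS))


def load_wordlist(text):
    """Parse a dice word list; reject one that is malformed or incomplete."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()          # ValueError if not exactly 2 fields
        if set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key: {key!r}")
        table[key] = word
    if not table:
        raise ValueError("empty word list")
    dice = len(next(iter(table)))
    # Every combination of `dice` rolls must map to exactly one distinct word,
    # otherwise some rolls fail or some words are more likely than others.
    if any(len(k) != dice for k in table) or len(table) != 6 ** dice:
        raise ValueError("list does not cover every dice combination")
    if len(set(table.values())) != len(table):
        raise ValueError("repeated words lower the real entropy")
    return table, dice


def roll(dice):
    """Simulate `dice` fair six-sided dice using the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def passphrase(table, dice, words=6, rolls=None):
    """Build a passphrase; pass `rolls` to use results from physical dice."""
    if rolls is None:
        rolls = [roll(dice) for _ in range(words)]
    if len(rolls) != words:
        raise ValueError("need one group of rolls per word")
    return " ".join(table[r] for r in rolls)  # KeyError on an invalid roll


def entropy_bits(list_size, words):
    """Bits of entropy when each word is picked uniformly and independently."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    table, dice = load_wordlist(DEMO_LIST)
    print(passphrase(table, dice))
    print(f"36-word demo list, 6 words: {entropy_bits(36, 6):.1f} bits")
    print(f"five-dice list (6**5 words), 6 words: {entropy_bits(6 ** 5, 6):.1f} bits")
```

The entropy figures show why list size matters: six words from the 36-word demo list give about 31 bits, while six words from a five-dice list of 7,776 words give about 77.5 bits.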