Quick Wins — Do These This Week
These five steps address the vast majority of threats facing an average person. Start here before anything else.
🔑 Use Unique Passwords Everywhere
Password reuse is the single biggest vulnerability for most people. One leaked database can unlock dozens of your accounts.
- Install a reputable password manager (Bitwarden, 1Password, or KeePassXC for local-only storage)
- Generate a unique, random password for every site and service
- Prioritize email accounts first — they're the master key to everything else
- Check haveibeenpwned.com to see if your email has appeared in known breaches
📱 Enable Two-Factor Authentication (2FA)
Even if your password is stolen, 2FA prevents account takeover in most cases.
- Use an authenticator app (Aegis on Android, Raivo on iOS) rather than SMS codes when possible
- SMS-based 2FA is much better than nothing, but can be bypassed via SIM swapping
- Enable 2FA on: email, banking, social media, password manager, domain registrars
- Store backup codes somewhere physically secure offline
🔄 Keep Everything Updated
The majority of successful attacks exploit known vulnerabilities that were already patched — on systems that hadn't been updated.
- Enable automatic updates for your operating system
- Update apps regularly, especially browsers and email clients
- Update router and IoT device firmware (check manufacturer websites)
- Replace devices that no longer receive security updates
🎣 Recognize Phishing
Phishing — fake messages designed to steal credentials or install malware — accounts for a huge percentage of successful attacks.
- Be skeptical of any unsolicited communication asking you to click a link or provide information
- Check sender email addresses carefully — look for subtle misspellings in domain names
- When in doubt, navigate directly to the website rather than clicking any link
- Urgency is a red flag — "your account will be suspended in 24 hours" is a classic manipulation tactic
- No legitimate organization will ask for your password via email
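The sender-domain check from the list above, as an added Python example (not part of the original guide): it compares a sender's domain with the domains you actually use and flags near-misses. The TRUSTED list, the SWAPS table and all function names are assumptions for illustration, and the sample addresses are constructed. It compares trailing labels only and does not consult the Public Suffix List.

```python
# Constructed allowlist (assumption): domains this user really deals with.
TRUSTED = ("paypal.com", "google.com", "microsoft.com")

# Character swaps often used in look-alike names (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(name):
    """Collapse visually confusable sequences so look-alikes compare equal."""
    return name.replace("rn", "m").replace("vv", "w").translate(SWAPS)


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain of 'Name <user@domain>' or 'user@domain', lowercased."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].lower().rstrip(".")


def classify(address, trusted=TRUSTED):
    """Return (verdict, trusted domain the verdict relates to, or None)."""
    domain = sender_domain(address)
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    if not domain.isascii() or "xn--" in domain:
        return ("internationalized", None)  # may hide look-alike letters
    labels = domain.split(".")
    for good in trusted:
        if domain.startswith(good + ".") or ("." + good + ".") in domain:
            return ("embedded", good)  # real name used as a subdomain of another site
        tail = ".".join(labels[-good.count(".") - 1:])
        if skeleton(tail) == skeleton(good) or edit_distance(tail, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("Support <service@paypal.com>", "service@paypa1.com",
                   "billing@paypal.com.account-verify.example"):
        print(sample, "->", classify(sample))
```

An "unknown" verdict only means the domain is not close to anything on the list; it is not a sign that the message is safe.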
💾 Back Up Your Data
Ransomware and hardware failure are both real. A good backup strategy makes them recoverable problems instead of disasters.
- Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 off-site
- Keep one backup that is physically disconnected from your computer (an external drive you unplug after backing up)
- Cloud backup provides the off-site copy — use an encrypted service
- Test your backups periodically by actually restoring a file
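One way to run the restore test from the last item, as an added Python example (not part of the original guide): record SHA-256 hashes when you back up, then compare a test restore against them. The function names and the demo file names are assumptions; the demo files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def verify_restore(saved_manifest, restored_dir):
    """Compare a restored tree with the manifest saved at backup time."""
    got = manifest(restored_dir)
    both = saved_manifest.keys() & got.keys()
    return {
        "ok": sorted(k for k in both if saved_manifest[k] == got[k]),
        "corrupt": sorted(k for k in both if saved_manifest[k] != got[k]),
        "missing": sorted(saved_manifest.keys() - got.keys()),
    }


if __name__ == "__main__":
    # Constructed demo: one file restores intact, one is damaged, one is absent.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "tax.txt").write_bytes(b"2023 return")
        (src / "photo.jpg").write_bytes(b"original image bytes")
        (src / "notes.md").write_bytes(b"hello")
        saved = manifest(src)  # store this alongside the backup
        (dst / "tax.txt").write_bytes(b"2023 return")
        (dst / "photo.jpg").write_bytes(b"truncated")
        print(verify_restore(saved, dst))
```

Keep the saved manifest with the disconnected copy, so the hashes you compare against cannot be altered along with the files.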
Router & Home Network Hardening
Your router is the gateway between everything in your home and the internet. It's also frequently the least-secured device on your network.
🔧 Essential Router Settings
- Change the default admin username and password immediately — these are published online for most routers
- Disable remote administration (WAN-side access to the admin panel) unless you specifically need it
- Disable UPnP (Universal Plug and Play) — it allows devices on your network to automatically open ports, which malware exploits
- Disable WPS (Wi-Fi Protected Setup) — the PIN method has known vulnerabilities
- Enable the router firewall if it has one and isn't on by default
- Check for and install firmware updates from the manufacturer
📶 Wi-Fi Security
- Use WPA3 encryption if your router supports it; WPA2 with AES (not TKIP) is the acceptable minimum
- Use a strong, random Wi-Fi password — at least 16 characters
- Don't broadcast an SSID that identifies you personally or your location
- Create a separate guest network for visitors and IoT devices — this isolates them from your main network
- Consider disabling SSID broadcast for your main network (obscurity is not security, but it reduces casual scanning)
🔁 Consider Custom Firmware
For advanced users, open-source router firmware like OpenWrt or DD-WRT can provide significantly better security than manufacturer firmware, including more frequent updates and greater transparency about what the software actually does.
- Research compatibility before purchasing — not all routers are supported
- Community-supported firmware often patches vulnerabilities faster than manufacturers
- Gives you full visibility and control over traffic routing rules
- Allows running a local DNS resolver to block tracking domains across your whole network
🌐 Use Encrypted DNS
By default, your DNS queries (every website you look up) are sent unencrypted to your ISP, who logs and may sell this data. Encrypted DNS hides your browsing activity from your ISP.
- Configure DNS over HTTPS (DoH) or DNS over TLS (DoT) in your browser or operating system
- Reputable providers include Cloudflare (1.1.1.1), NextDNS, and Quad9
- Consider setting this at the router level so all devices on your network benefit
- Pi-hole with DNS over HTTPS provides both ad blocking and encrypted queries
Device Isolation & IoT Security
Smart home devices, TVs, and appliances are notoriously insecure. Isolating them limits the damage if they're compromised.
🏠 Create an IoT Network Segment
Keep your smart home devices on a separate network from computers and phones containing sensitive data.
- Use your router's guest network or VLAN capability to create a separate segment for smart TVs, thermostats, cameras, etc.
- Configure the network to prevent devices on this segment from communicating with your main devices
- A compromised smart fridge on an isolated network cannot access your banking passwords
- Some routers have built-in IoT protection modes that monitor for unusual behavior from these devices
⚠️ The Real Risk of "Smart" Devices
IoT devices often have very long operational lives with minimal manufacturer support. Security concerns to be aware of:
- Most IoT devices receive security updates for only 2-3 years, but remain in use for 10+
- Smart speakers and cameras with microphones/cameras represent persistent surveillance potential if compromised
- Many smart TVs send detailed viewing data back to manufacturers by default — review privacy settings
- Check a device's update policy before purchase — not all manufacturers are equal
- Consider whether each "smart" feature is worth the added attack surface
📸 Camera & Microphone Hygiene
- Use physical webcam covers when your camera isn't in use — software-only indicators can be bypassed
- Review which apps have permission to access your camera and microphone on smartphones
- Be aware that smart speakers are always listening for wake words — this data is processed in the cloud
- Disable microphone access for apps that don't need it for their core function
- External USB microphones and webcams can be unplugged when not in use
📱 Mobile Device Security
- Enable full-disk encryption (default on modern iOS and Android)
- Use a strong PIN or passphrase: 6 digits minimum; alphanumeric is much stronger
- Enable Find My Device and remote wipe capabilities
- Only install apps from official stores; review permissions before installing
- Be cautious about charging at public USB ports — use a data blocker or carry your own charger
- Enable automatic screen lock with a short timeout
Private Communications
Most everyday communications tools are not private. Here's how to communicate without leaving a permanent record accessible to third parties.
💬 Use End-to-End Encrypted Messaging
End-to-end encryption means only you and your recipient can read messages — not the app company, not your carrier, not governments making data requests.
- Signal is widely considered the gold standard — open source, independently audited, minimal metadata retention
- WhatsApp uses Signal's protocol but retains more metadata about who you talk to and when
- Standard SMS and most chat apps are not end-to-end encrypted for all messages
- Enable disappearing messages for sensitive conversations
- Note: even with E2E encryption, the person you're talking to can screenshot or forward messages
🔒 Email Privacy
Standard email is essentially a postcard — readable by every server it passes through. Encrypted email is significantly more private.
- ProtonMail and Tutanota offer end-to-end encrypted email with a good privacy track record
- For existing email, use PGP/GPG encryption for sensitive messages (requires both parties to set it up)
- Avoid opening email attachments from unknown senders
- Use email aliases for services you don't fully trust — SimpleLogin and AnonAddy are good options
- Remember: email metadata (who you email, when) is harder to protect than email content
🌐 VPN Use — The Reality
A VPN shifts trust from your ISP to your VPN provider — it doesn't make you anonymous. Understand what it actually does and doesn't do.
- A VPN hides your traffic from your ISP and makes your IP address less identifiable to websites
- Your VPN provider can still see your traffic if it's not otherwise encrypted
- Look for providers whose no-logs policies have been audited and tested via legal cases: Mullvad and ProtonVPN have strong track records
- Free VPNs often monetize by selling your data — they may be worse than no VPN
- A VPN does not protect against tracking via browser fingerprint, cookies, or logged-in accounts
🧅 Tor Browser for High-Sensitivity Browsing
Tor routes traffic through multiple relays, making it very difficult to trace back to you. It's much slower than regular browsing and has some limitations.
- Use Tor Browser (not just any browser configured to use Tor) — it has critical anti-fingerprinting measures built in
- Don't log into personal accounts via Tor — you defeat the anonymity purpose
- Don't resize the browser window — window size can be used for fingerprinting
- Appropriate for: researching sensitive topics, anonymous reporting, accessing sites blocked in your country
- Not appropriate for: general everyday browsing where speed matters
Advanced & Physical Security Measures
For those who want to go deeper. Some of these are for high-risk individuals; others are practical for anyone.
📡 RF & Signal Hygiene (Dummy Antennas & Faraday)
Your devices broadcast radio signals continuously — Wi-Fi, Bluetooth, cellular, and NFC can all reveal your location and enable attacks. Physical RF isolation provides protection that no software can.
- A Faraday bag or cage blocks all radio signals — use for devices you want to be completely isolated
- Faraday bags are practical for storing phones during sensitive meetings or while traveling in high-risk areas
- Turn off Bluetooth and Wi-Fi when not actively using them — doing so reduces your radio footprint
- "Dummy" or passive antennas replace active antennas on some hardware to eliminate radio transmission capability while keeping physical appearance unchanged
- Airplane mode disables most, but not necessarily all, radio hardware, depending on the device
- Purpose-built security phones (e.g., some Purism devices) allow physical hardware kill switches for cameras, microphones, and radios
🖥 Operating System Choices
Your choice of operating system significantly affects your security and privacy baseline.
- Windows requires more active effort to secure — disable unnecessary telemetry, use a standard (non-admin) account for daily use
- macOS has generally good security defaults but sends more data to Apple than many users realize
- Linux distributions (especially Ubuntu, Fedora, or Tails for portable use) offer more transparency and control
- Tails OS boots from a USB drive, leaves no trace on the computer, and routes all traffic through Tor
- For high-sensitivity work, consider a dedicated separate device that never touches personal accounts
- Qubes OS provides strong compartmentalization by running different activities in isolated virtual machines
🔐 Full Disk Encryption
If your device is stolen or seized, full disk encryption ensures your data is inaccessible without the decryption key.
- iOS and modern Android encrypt by default when a passcode is set
- Windows: enable BitLocker (Pro/Enterprise) or VeraCrypt for Home editions
- macOS: enable FileVault in System Preferences
- Linux: LUKS encryption is available at install time on most distributions
- External drives and USB sticks: encrypt these too — VeraCrypt is cross-platform and free
- Use a strong passphrase, not a short PIN, for encryption — it's only entered on boot
⚠️ Physical Security
Digital security is only as strong as your physical security. Many compromises begin with physical access.
- Never leave devices unattended in public, especially unlocked
- Use privacy screens to prevent shoulder surfing in cafés or on public transit
- Be aware of cameras when entering sensitive credentials
- Consider who has physical access to your home and office — insider threats are real
- Check laptops for hardware keyloggers if leaving them unattended in shared spaces
- BIOS/UEFI passwords and boot device restrictions prevent some forms of physical attack
🧠 Social Engineering Defense
The most sophisticated technical defenses in the world can be bypassed by tricking someone into voluntarily handing over access.
- Verify the identity of anyone claiming to be IT support or security personnel before granting access
- Organizations should have clear procedures for verifying identity — know yours
- Be suspicious of any request that bypasses normal procedures, even if the person seems authoritative
- Slow down and think during high-pressure situations — urgency and authority are the two primary levers of social engineering
- It's always acceptable to hang up and call back on a known-good number to verify identity
🏘 Community & Mutual Resilience
Individual security measures are important, but community resilience provides protection that individuals cannot achieve alone.
- Share threat information with neighbors and community members — awareness is collective
- Know how your community would communicate if internet and cellular service were unavailable
- Amateur (ham) radio provides resilient communication that doesn't depend on any central infrastructure
- Community mesh networks can maintain local communication even if backbone internet is disrupted
- Document and store important information physically as well as digitally — don't assume continuous access to cloud services
- Build relationships with technically knowledgeable people in your community who can help in a crisis
💡 Power & Infrastructure Independence
Grid-dependent infrastructure is vulnerable to both cyberattacks and physical disruptions. Some level of independence dramatically improves resilience.
- A UPS (uninterruptible power supply) protects electronics from power fluctuations and provides short-term power during outages
- Solar with battery storage provides meaningful energy independence for lights and device charging
- Keep a hand-crank or solar-powered weather radio for emergency communications
- Have a plan for food and water that doesn't depend on continuously operating refrigeration or tap water
- Know where your home's utility shutoffs are and how to use them
- A power bank for phones can extend communication capability significantly after a disruption
🚨 If You Suspect You've Been Compromised
Signs of compromise:
- Unusual account activity, logins from unknown locations, or password reset emails you didn't initiate
- Device running unusually hot, battery draining fast, or high data usage with no clear cause
Steps to take:
- Immediately change passwords for critical accounts (email, banking) from a separate, known-clean device
- Enable 2FA on accounts if not already active
- For financial fraud, contact your bank immediately — time matters
- Consider a credit freeze with all three credit bureaus to prevent new account fraud
- If your device may be compromised, consider a factory reset or full OS reinstall before using it again for sensitive activity
- Report significant cybercrime to IC3.gov (US), Action Fraud (UK), or your national cybercrime reporting center
Trusted Resources
📚 Security Foundation Sites
- EFF's Surveillance Self-Defense (ssd.eff.org) — excellent threat-model-based guides
- PrivacyGuides.org — well-maintained, community-reviewed tool recommendations
- Security in a Box (securityinabox.org) — focused on at-risk communities
- CISA (cisa.gov) — US government cybersecurity guidance
🔍 Check Your Exposure
- HaveIBeenPwned.com — check if your email appeared in known data breaches
- Shodan.io — see what your internet-facing devices look like to the outside world
- Qualys SSL Labs — test your website's SSL/TLS configuration
- BrowserLeaks.com — see what your browser reveals about you to websites