How-To Guides: Beginner

Digital Security in the Crypto Age

By The Bot Guy | November 8, 2021

This is a blueprint for the steps that any crypto investor should take to make sure that they are protected from potential threats that could result in the loss of their cryptocurrency. Here I outline the potential threats as well as options to mitigate their risk.

 

Digital Security

It’s kind of an oxymoron to use a super secure system efficiently.  Security and usability often butt heads but I’m here to tell you that it doesn’t have to be the case.  If you are smart with your methods, you can retain the proper level of security without giving up too much usability when it comes to crypto.  You just need to understand and plan accordingly.

I have the benefit of witnessing firsthand what improper security looks like in the traditional IT world. In my past life I dealt with security education, firewall deployment, and remediation of post-hacked traditional IT systems.  I watched as the threat landscape turned from funny to deadly serious.  Nation-state actors are now focussing their deep pockets on hacking and general IT malfeasance.

When hacking began, it was seen as a sport – a way for folks to stress test each other’s technology.  But now hacking and hacking prevention have spurred several multi-billion dollar industries making it clear that anyone going up against an entire country of resources will lose.

Thankfully, in crypto, you don’t need to worry that a whole country is after you. However, you may need to worry that a lot of people worldwide would prefer your crypto to be in their wallets and not yours.  With this new highly technical and unforgiving crypto environment, it’s important to learn from the past and pull forward proper security regimens to keep yourself and your crypto safe.

One thing I will refer to a LOT below is having proper digital hygiene.  This is SO important but difficult to define.  The best way I can describe a person with proper digital hygiene is a person who doesn’t leave a trace online.  A person who operates in the shadows; whose interactions are quick and sparse.  They can hop in and out and do so by touching minimal hack points…

If you read, understand, and do most of what’s listed below, you can consider yourself one of the few who have proper digital hygiene. You can relax as your infrastructure is better than Equifax or any other large companies tasked with protection of our personally identifiable information (PII) that have failed us.

Types of Risk in a Crypto-Focused World

Before we dig into the methods used for protection, you must understand that a traditional banking environment is no different than a crypto banking environment.  In fact, my bank account logins follow the same routine that my crypto logins follow.  There is no difference from a crypto holder’s perspective. But from the provider’s perspective, there are far more things that need securing in the crypto world.

This relates to us (crypto users) in that it provides several new kinds of risk that must be managed and properly accounted for within our daily usage of these fiscal networks.

Things like Platform risk, Asset risk, and Technology risk are unique to the crypto ecosystem. These concepts are just as important for us to understand as protection from hackers and human error avoidance.

Never Give Your Keys to Anyone

If you take anything from this article, it’s this:  never give out the keys to your crypto.  As you’d imagine, these keys unlock your crypto and allow the user to spend it just like the keys to your car will let a thief drive it away from you.

Think of crypto being held somewhere similar to cash being held in a bank.  You have a username and password to log into your bank online. In the crypto world, logging in is somewhat easier as there’s really only one thing you need: your private key or mnemonic phrase, also known as a “seed phrase”.  They are related but different and both unlock your crypto for you to use.

ALL crypto is stored on the blockchain.  It’s NOT in your wallet, it’s NOT on your hardware wallet, it’s NOT in your investment account. It’s ALL on the blockchain, and the only way to know who owns what is who holds the keys.

“Not your keys, not your crypto…”  ← this is an important crypto mantra which means hold your keys close at all times.  If you lose the keys then you are no longer able to use that crypto.

NO ONE WILL EVER CALL, EMAIL, OR WRITE YOU TO ASK FOR YOUR SEED PHRASE OR ANY PASSWORDS.  Do not ever give those out.

Platform Risks

The easiest crypto-specific risk to understand is platform risk.  I define a platform as a unique holder of your crypto.  BlockFi, Binance, Nexo, Celsius, SushiSwap, Trader Joe, Harvest Finance, YakYield, Kucoin, etc… all of these are platforms.  Each of these platforms is run by a company (or a DAO) and each platform has users that need support and liquidity.

Anytime you put money into a platform, your first question should be, can I take this money out later?  That’s the first test you must perform.  Deposit a little crypto and withdraw a little, just to make sure you can do a round trip.  Check if there are any withdrawal limits and make sure your crypto on that platform doesn’t exceed that withdrawal limit so if needed you can pull it all at once.

I like to think of platform risk being mitigated by spreading yourself out wide – but not too wide that your usability suffers.  Let me pose an example.  Say you wanted to trade crypto. You’ll need an exchange account and as you see on this site, there are quite a few exchanges.  Actually about 500 in total at the time of this writing.  

Side note, please understand that this site ONLY posts reviews on reliable exchanges and we encourage you to seek those out as a way to accomplish your goals.

To handle the platform risk easily, acquire 2 exchange accounts and split your investment between both. You can apply the same thinking to auto-compounding platforms like BlockFi, NEXO, and Celsius. In fact, I have an account on each and, you guessed it, I have my “investment” funds split between the three plus a few more.

As you get involved and learn more and more, it may become apparent that one platform works better for you, so don’t be afraid to put more on that platform. But please read up on their methods of security.  Again, you can be certain we wouldn’t post a review of a non-secure platform, exchange or tool, but at some point you will be presented with something that Crypto Exchange Reviews hasn’t had a chance to review.  In this case, you must rely on properly vetted third parties that will review these platforms for you.  Such companies include coingecko.com, coinmarketcap.com, cointelegraph.com, cryptopanic.com, and coinmarketcal.com.

Once your assets are split properly between a few platforms, keep the split alive even if you choose to abandon a platform.  The more segmented you are, the more protected you are by default.  If one of the platforms gets hacked, or is investigated and has its assets frozen, it would certainly suck. But at least it won’t affect the other platforms housing your remaining crypto.

Asset risks

This is the easiest risk vector to understand.  DON’T BUY IT UNLESS YOU KNOW IT….  There are a lot of garbage assets in crypto. It’s my belief that at least 70% of what’s out there will not be around in 2 or so years.  This moment in history  is similar to when Google, Yahoo, Amazon, Facebook and other juggernauts arose from the flames of the dot com bubble.

I’m not indicating that crypto is a bubble, I’m just saying that I believe this bull cycle will spell the end of many cryptos that just don’t have what it takes to make it beyond the hype phase of this new asset class.  Some will crash and burn like SQUID, others will fizzle out, and others will be abandoned only to get spun back up later on.  It’s tough to know what is safe to buy and hold.

I can’t come out and tell you what to buy and what not to buy, but the mantra in crypto is “do your own research.”  In other words, don’t go out and buy something just because a friend told you to.  Look it up, see if it solves a problem and, most importantly, will that problem continue to exist if the crypto market prices are depressed in a bear market?

The best way to research an asset (or coin, they mean the same thing) is to start at coingecko.com.  Search for the asset, click on it and view the details.  Here below is SOL (as it’s recently gotten a lot of attention.)

https://www.coingecko.com/en/coins/solana

Everything you need to know is usually in the header as seen here:

[Image: Solana header on CoinGecko]

Price is listed for both USD and BTC as well as their relative movement in red or green.

To be clear, I am not encouraging you to buy SOL or even saying this is a good buy at this price (this is an old example and in fact it would have been a strong buy as it’s over $200 at the time I’m writing this but I never give financial advice).  I’m only using SOL as an example and, as seen above, the price at the time of this article was $121.46 (scroll down on CoinGecko to see the SOL price chart).  It shows the price relative to Bitcoin and the percentage gain / drop. In this case SOL lost .19% against Bitcoin but gained 3.3% against the US dollar over the past day.

On the right, the dashboard gives you the accurate links to click through and view the project. This is a trick I use as some projects have fake clones and it’s important to always visit the real sites.  Clicking on the right gives you access to the proper site for the proper coin / asset.  If you click on any of them and get an error, move on….  In other words, if a coin doesn’t have a working, SECURE, website it’s a hard pass for me.

Lastly, you can see the details about the market cap, trading volume and circulation.  These details are just as important as the price information in my opinion.  Some crypto assets do not have a limit, similar to the likes of DOGE.  In other words, there is no cap on how many DOGE can exist in the world but, in this case, the absolute maximum number of SOL that can exist is 488,630,611. I couldn’t tell you why that’s not a round number, but in my book this is a strong indicator of a scarcity factor and this is good.  If there isn’t a way to create more SOL, there’s no way to dilute the SOL supply.

If you take a look at the circulating supply, it’s only 290,716,340 which is the total number of SOL that have been released to the public.  This is about half of all the SOL that will ever be released.  Multiplying the circulation supply by price will give you the market cap. Multiplying the max supply by price will give you the fully diluted market cap.  Each coin has its own tokenomics indicating the rules baked in to mint more tokens and who within the ecosystem is awarded the newly minted crypto.

Be sure to weigh your decisions wisely based on the information available. Consider other questions like: who backs a project?  Who is involved in the project?  Have they had success with other crypto endeavors?  These are all great data points to add to your thesis for purchasing and holding a crypto.

Another detail to note is that each asset has its own list of platforms that it’s usable on.  You can click on the “Markets” tab and see what platform(s) list the token.  In general, as an asset enters the market, it will only be available in a few places at first. Over time, if the asset is proven to be of value, more platforms will integrate the asset and you will have more opportunity to buy and sell.  Look for good named listings before considering a project to invest in as this means that the review process was completed for that asset on those platforms.

I recommend noobs pick a few platforms and stick within the top 100 coins when starting out.  This isn’t a guarantee of safety, but it gives beginners better chances for success.  Usually people start with BTC, ETH, and LTC: the oldest and most reliable cryptos.

Technology Risk

As with anything else, technology is wonderful when it works, but really makes for bad days when it doesn’t.  I have to be honest: I’ve made mistakes in the past. Mistakes like sending crypto to the wrong address or doing a transaction where the transaction cost was greater than the reward.

Each platform has a different technology stack.  This is what we refer to as the series of layered technologies and systems that are used to build a platform like lego blocks.  Let’s take a website as an example.  The technology stack would need to include a server, the firmware for that server (BIOS), the server operating system (OS), the program that runs on the OS and serves the page to the internet, perhaps a database program that delivers the data to the program that serves the page to the internet, networking components that physically connect the server to the internet, routers, firewalls, and DNS servers / settings, etc…

Crypto takes this concept up a notch because some of this SAME technical infrastructure is carried over into crypto and built upon with the crypto-native technologies.  How these pieces work together can define the success of a project before any work begins.  Properly thought out and meticulously planned infrastructures tend to do far better in crypto than things built in a day.

We all can’t be super scientists here and it’s not reasonable to imagine even I could break down each of the 10000+ crypto assets from a technical perspective.  One thing that is certain is that the technology that exists now is very diverse and somewhat obtuse.  Keeping with the theme of spreading out your crypto on multiple platforms, it’s then important to keep a certain balance between technologies.  Take for example hard and soft wallets.

There are 2 ways to store crypto – a hardware wallet and a software wallet.  It’s important not to store all your crypto in one or the other.  Split it up as the technology behind each is different.  You don’t need to split evenly, just make sure if you were to forget your password for any one wallet and one thing were to vanish overnight you won’t be destroyed financially.  The likelihood of this happening isn’t great, but you plan for the worst and hope for the best.

Let’s pretend I had 100 BTC (I wish). I wouldn’t keep all of them in the same hardware wallet – that would be suicide if I lost the key or something stupid happened.  I’d split that asset among many – maybe even 10 or so software / hardware wallets – just as you’d want multiple banks to hold large funds.

Hacking Risk

OK, when thinking about crypto risk, be honest, hacking is probably the first thing that comes to your mind.

I have several friends that have fallen victim to hackers in a big way and I must admit that I too have fallen prey to many crypto scams.  The key is to never ever keep everything in one place.  That’s the only reason I still stand and live to fight another day; diversification of technology and platforms.  Oh and I protect myself by having good digital hygiene. Just like I brush my teeth and take a shower, I make sure my digital environment is properly clean.

My working environment must be free from viruses and running quickly to keep me on top of what I need to do to grow my portfolio.  This also allows me to free my time and mental energy to focus.

Password Protection

Digital hygiene is a loaded concept that goes beyond just regular virus scans, however, and in order to ensure you have a proper setup you must focus first on passwords.  They stink but are needed to live in a digital world.

Password management is all about balancing security and usability.  Passwords must be secure but you must also be able to hop in and out of many platforms in any given day, so your system must be usable.  No more is it ok to have the same password for everything, sorry… 

For passwords to be secure and still usable it gets tricky…

Passwords are the single most attacked thing

First off, know that the weakest part of any system is its password.  Actually folks in the SaaS sector say that the “user” is the weakest part of any system, but it’s really that users tend to use insecure passwords like “password123” or their username.  Things go south quickly in those cases so do NOT use easily guessable passwords.

It’s important to know that passwords are easy to hack.  There are many hacking programs written just to figure out passwords.  Some programs use brute-force strategies to try a million passwords in a short amount of time.  Other programs attempt to use dictionary words to guess complex passwords.

To be safe, your password for ANYTHING must be more than 8 characters, unique, contain at least 1 uppercase, 1 lowercase letter, numbers, no repeating numbers or letters in a row, no dictionary words, no special dates, and a symbol.  This is what’s called a “secure password.”  But how can you securely log into all your sites all the time with these crazy passwords?  As it turns out, to be completely secure is to fight with the usability of your systems.

This is where a password manager program comes in.  I have used one for a few years and I started the process of making my password management fully secure.  I find that it’s easier to log into places because I have my password manager as an extension on my browser. I simply search within that extension for the website I want to log into and click a button.  The website pops open and the username and crazy password are entered securely by the password manager.  I click login and select the stairs or wonder what block the computer thinks is a traffic light… and once I get through all the people traps I’m in.

I find it takes much less time to log into anywhere once I made the jump to password management. I also have the added benefit of seeing my passwords as a whole and start to understand just how “secure” I am.  Lastpass.com or ZOHO Vault are the two I recommend the most.

It’s important to note that hacking starts with information gathering.  If a hacker knows nothing about you, they can’t hack you – so the more you put out there, the more they can know about you and the more of a target you can become.  In that vein, there is no need to announce what tools you use to secure yourself; hide in plain sight is what I always say.

NO PASSWORDS IN BROWSERS

I know it’s really easy to use the browser to store your passwords and you probably have done this already.  I’m here to tell you that this is deadly. 

Your browser is by far the easiest thing for a hacker to attack if they were to hack your computer.  The browser database is the first thing they will go for.  That database is NOT encrypted and there are easy tools to pull out the passwords.  Get an app that specializes in password storage like LastPass or Zoho Vault – there are a bunch out there.  Do your own research or check our site out, we recommend a few.

Wallet credentials

No matter what you call it, the information you use to log into your crypto wallet opens the vault and allows you to spend your crypto.  This information must never get into the wrong hands because folks can spend your crypto without needing your permission.

Seed phrases, also called Mnemonic phrases, are typically used to secure a wallet.  This is a series of words and must be remembered in order and typed in to restore a wallet to a new device.  This is NOT what you use to log in each day as that would be onerous.

Each wallet gives the ability to load with or without credentials as that’s a function of the wallet developer.  The important takeaway is that these words should be guarded with your life as they are the keys to your life.

It’s certainly ok if you wish to store these in your password manager, but note that all password managers are built and maintained by companies and you MUST implicitly trust the company in order to rest easily.  Companies like Equifax, TJ Maxx, and even McAfee have had breaches, so picking a place to put your secure information isn’t just about finding the largest name in the book or picking the best looking browser plugin.

Now what if you lose all your computers, phones, or have a fire / flood?  What then do you do?  Look to paper, write these down, store them in a safe or safety deposit box.  Have some NON digital backup no matter what – you may just thank yourself later on.

Attack surfaces

A “hack” is an exploit of an existing system or process to render a non-desirable outcome.  Not all hacks are malicious and not all hackers use a hack to gain access to your funds.

When security specialists think of securing an environment we think of the attack surfaces that need securing.  Think of a house – there are many ways to get into a house.  Sure you can go through the walls, ceiling, doors, windows, cellar, etc. Compare this concept to any technology system, component, or environment – there are many ways to get in and with each entry point there needs to be a proper solution to keep hackers out.  Like making walls out of hard materials or locking doors…

Below I dissect each attack surface and attempt to provide guidance on how you can protect yourself in general.  The following is NOT crypto specific but my recommendations can help you protect yourself against attacks aimed at draining your checking account or even attacks on general computer use. 

Cell phones

Cell phones open up new avenues for hackers to leverage.  There are a few things to consider when using a cell phone.  Your stored data at rest is the first attack surface.  Hackers may attempt to hack your phone and steal your data / crypto directly from it.  Prevention for this is as easy as throwing away your Android and getting an iPhone or installing proper antivirus onto your Android.

This isn’t to say that iPhones are perfect. In fact there are many known viruses that can attack an iPhone. But in general, I find it’s far easier to hide in the middle of the room with what everyone else has.  Who is a hacker going to go after?  Someone with a super crazy setup with an ultra secure extremely expensive phone with custom software on it and brags about it on social media, or some schmoe like you and me with an iPhone who keeps quiet with their successes?  Become the noise, not the signal that the hacker is looking for.

Data in transit is another story though – this is when you go to a website, load an app, or send / receive text messages / phone calls, etc.  No matter the device, once data leaves your phone it’s on the internet.  You have control over the stream that contains that information and why not give that stream the MOST protection it can have by using a VPN?

VPNs

VPNs (Virtual Private Networks) keep your traffic hidden from your ISP.  They also wrap your sessions in a security layer which pretty much prevents hackers from spying on your traffic.  Imagine that with every transaction you send out to the internet, there is a security wrapper around it guarding against seeing inside.  This is a VPN.  It wraps around your usage and encrypts it end to end.

VPNs are easy to install and can be used on all computers, most iPhones and Android devices.  I recommend PureVPN or NordVPN.

Using a VPN goes for ANY device, not just phones.  The VPN I use is set up on all my machines and can be turned on and off within my Brave browser easily.

That’s another tangent – Brave is the most secure browser and has ALL Web 3.0 components built in so crypto works better on Brave.  Ironically most all other sites load much quicker in Brave because the browser ignores a lot of the analytics code on most sites.

SMS general usage

Got a weird text message?  OK, DON’T CLICK IT if you don’t know what it is…seriously.  And don’t click if it’s on a phone that you use for crypto.  Whatever you do, just don’t click it…unless you knew it was coming.

Not to freak you out, but Pegasus (spyware) gives complete control over an iPhone without the user doing anything.  It’s installed on a phone when a hacker sends a link to an unsuspecting mark.  When they click the link, their phone has been had.  Pegasus is an actual company that built this and sells to nation states.  It’s quite honestly the scariest thing that I have heard of in my whole career because no matter the iOS device you have or how secure or how new or how up to date it is, it can be compromised with one click on one link.  It was found on Jamal Khashoggi’s wife’s phone and the FBI believes this is how he was tracked.

Pegasus copies the phone data and streams in real time the user actions as well as their location to servers run by the hackers.  It can be used to make an exact copy of a phone and technically could be used to steal crypto.

There is some good news in that Apple has apparently released an iOS upgrade that fixes this issue, but not all of us have that upgrade and, if your phone is already infected, there’s no knowing whether the upgrade will close the hole and kick out the hackers.

Realistically this is not something you should worry about. But if you get a link from a friend that seems out of character, think twice before clicking. Ask yourself: was I expecting a link from this person? Can the link be verified through other means like calling them and asking if they actually sent it?

SIM Swapping

This is a relatively new fear for the digitally connected.  SIM swapping occurs when a bad person moves your cell phone service to another phone without your consent.  This has happened to many people I know and in general it’s one of the reasons I don’t recommend bragging about your crypto wins on social media.  Humbleness will go far in staying out of a crypto hacker’s sights.

Your phone number is yours and you can move it from one cell carrier to another.  Some cell carriers allow you to put a PIN on your phone to block it from being ported and some allow you to have a password on file that needs to be said before a phone can be ported.  This sounds great, no worries, right?

OK, here’s the saddest part of this article.  All of us are susceptible to being taken advantage of via social engineering.  I have fallen for things, just as I’m sure you have in the past.  Social engineering is when a potential mark is manipulated by the perpetrator in a predictable way.

For example, someone calls you from the “IRS” and says you need to pay or else you will go to jail.   We all know that the IRS doesn’t work like this and it’s easy to see that this is not real. Unfortunately, some elderly folks who don’t have their proper wits about them may just pay because it’s easier than understanding what’s going on.  Once you pay, you’ll never get out of the system as you will be seen as an “easy mark.”

It almost doesn’t matter what the cell carrier says they provide for protection because social engineering works at all levels.  Get a properly trained SIM swap hacker on the phone with someone deep within customer support of a large cell carrier and there’s no knowing what procedures the support rep can be sweet-talked into skipping.

Ironically most of the SIM swaps I know of happened internally. Sometimes folks working for the carriers are bribed to perform SIM swaps.  Some employees earn more money switching phone numbers to crooks’ phones than they earn selling new phone lines.

Thankfully we found a 100% solution to this. It’s a company called efani.  I use efani for my cell service and I recommend everyone else does as well.  At efani you get a 5 million dollar insurance policy against SIM swapping and an 11-step verification process to port a number out of their system. There’s also the added bonus that I know and trust all of them.  That’s enough for me and my use cases, but why do crooks want your phone number anyhow?  2FA….

2-Factor Authentication (2FA)

Most web providers now realize a username and password isn’t enough to warrant proper security and protection for their clients.  They needed something else… so they came up with 2FA, or 2-factor authentication.

2FA is all about you requesting, receiving, and entering a short code into the website you are logging into.  It’s usually met with a time constraint so oftentimes you feel rushed, but really it’s a long time when you take your time and hey if you miss the time horizon, just do it again – it’s no big deal.

2FA is the pain-in-the-butt extra process that uses our phone, email or a physical device along with the correct username and password to authenticate a user.

There are many types of 2FA and not all are built the same.

SMS / Text messaging 2FA

The first and easiest to understand is the “code” that is sent to your phone via text.  This code is plugged into the website you are logging into, verifying that you are, indeed, the owner of the account.

This is why hackers want to SIM swap people: if they are able to gain the access credentials to a crypto exchange, they then need the code sent by text message in order to complete the login process, or they use the 2FA process to reset the password and gain access to the system.

A hacker can’t get this code unless they have a phone nearby that rings with that text, and hence they SIM swap your number onto a random phone so they can retrieve that text as well.

My cell service is with efani and they protect me from being SIM swapped, so this form of 2FA is safe for me, but others without SIM protection should be aware of the risks this poses.  Your cell phone number is universally known and yet such a key bit of information to authenticate you into your money apps.

Call up your cell phone carrier and ask them what they do to protect you – each carrier is different, but it’s super important to do.

If you are safe from SIM swaps I believe this is the second safest and easiest to use option to pick, second only to application-based 2FA.

Application-based 2FA

I believe this is actually the best method to perform a 2FA authentication, but it comes with a price that I don’t like to pay.  There are apps like Google Authenticator that display random numbers all the time. So, if you want to log into something you can look up that app and copy the code to gain access.

This number is then verified by the provider you are logging into and if what you enter is what the number should be you are allowed in.

Many believe this is the best 2FA out there because the app can be backed up and the key (similar to crypto private keys) can be recorded in a safe place (in case you lose your phone with the app installed).  You can even have the app and your codes on multiple devices.

I don’t like this because I don’t like letting Google know what I log into and when – color me overly paranoid, it’s ok.  This is your safest bet though if you don’t care about filling the Google profile on yourself.

Physical Device 2FA

This is supposed to be the best way to do 2FA – it’s a physical device that plugs into the USB of your computer and does something similar to the app, but performs the process via hardware.  I used to use an RSA card in my first job out of college as they invented this technology.  I think it used a small bit of decaying matter decaying at a known rate to suggest the next number sets inside a credit card sized device.  I’m not certain how today’s physical keys work, but I know many people who swear by them.  Yubikey is a good example of this.

Personally I don’t see myself having a hardware key because I can’t quite guarantee I’ll be able to have it around all the time when I need it, so for that reason alone I don’t use this for 2FA.

Email 2FA

This is another method used to retrieve the “code” to log into your site.  It’s the least safe, but it is still protection.  In general most folks have their email on their phones anyhow.  A SIM swap won’t move the email over to the hacker’s phone, but it will allow the hacker to attempt to reset the mark’s email password via the 2FA and get into their email.  Once a hacker is into a mark’s email, they have everything they need since most everything allows you to reset passwords via email. 🙁

Email is also inherently not secure by nature.  Most email programs send the actual email through the internet in plain text, readable by any number of intermediate stops between your sending email server and the receiving one.  While I don’t think folks are sitting in between reading all the emails, I do think our emails exist on server logs in the bowels of many large interchange companies responsible for the internet backbone.

I encourage you to get a proton email account and use their web interface to send the emails.   In this case they claim to send the email more securely, but in general the Proton email service is private enough – just don’t add it to any of your devices or Outlook / Mac Mail or anything as sending and receiving emails in an email client is the main challenge to our security.

eMail

BY FAR the least secure attack surface is eMail.  Electronic Mail (email or eMail) was one of the first things created on the internet and it hasn’t changed much since then.  In former speaking engagements, I refer to the fact that email is text-based–which begs the question of how attachments are sent.  Rather than building a way to securely attach files to an email, the eMail engineers decided to encode all attachments into text and decode this information on the receiving end.

This approach was a result of there being so many email clients, servers, and companies in the mix: it was easier to augment the text-based email protocol than it was to build a fully secure, non-text based version of email.  This means that, to this day, you can read every non-encrypted message sent through a router in clear text.  So, yes, the email you send can be spied on by any number of engineers or hackers in-between your email server and the email server you sent the message to.

Of course the chances of your emails being read are slim, but know that Google’s terms and conditions allow their indexing engines to read your emails and build a profile on you.  They use the information about the content of your email along with your search history to target the ads they show you in hopes that you’ll buy more.

There is also no verification on the other end that your email was the one that was delivered. So, it is feasible that your message could change mid-stream, though unlikely still.  This leads to the single most critical concept to understand when learning how better to improve personal security: Phishing.

Phishing

A phishing email is one you didn’t ask for that pretends it’s from a person or authority you know and asks you for something.  They usually land in your inbox posing as a bank or a company that you have an account with and are usually after your credentials.

These messages are usually linked to a website that is set up to look like one you are familiar with.  IF you click through and enter your credentials, the hacker at the other end will collect them and try them out. This means that if they get into a bank or crypto account, they will drain the money / crypto.

These emails are bad news and let me be the first to tell you that you didn’t win a million dollars and, if you had, you’d probably remember entering the contest and already provided the necessary details.

I believe phishing emails exist because of the poor authentication protocols in the email technology.  IMAP, POP3, SMTP – these have all been around forever (and certainly ActiveSync is going to take over) but it’s all susceptible to misuse as email itself isn’t force-verified.

If it was required to personally sign each email being sent we would not have phishing, spam, or general misuse of email.

Say with EACH email you needed to verify yourself.  If this was the case, there would be no more spam and no more phishing emails at all because who would want to sign an email that is attempting to steal other people’s stuff or waste their time?

But alas, this didn’t happen. The world grew up with a very ugly glue that holds us together.  Put simply, email sucks, but what would suck more is if we didn’t have it.  I know many businesses that run on email. Forget spreadsheets, email is the true workforce of the digital era.

Let’s separate the spam from the ham (yes that’s the term… “ham” refers to valid email). Those emails you get saying you won – all crap, junk, and a special kind of evil called phishing.  There is an entire industry that has been born out of spoofing people based on the insecurities of email.  A long time ago I put up a web form that would send you an email from Bill Gates.  Certainly this wasn’t an actual email from the real Bill Gates, but if you opened it, you’d believe it was.  

This lapse in common sense has opened up a messy labyrinth of deception called Phishing.

How to detect Phishing

The point is, if you see something that’s alarming, go to the website ON YOUR OWN – do NOT click the email.  For example, I got an email just the other day saying that Home Depot credited me $135 and I should click to see my balance.

Putting my common sense to work I stopped and thought, I do have a Home Depot credit card though I hadn’t returned anything lately.  So I went to the website to log into that account via my password manager (NOT by clicking the email) and I noticed the bank mentioned on the email was wrong.  The email said “Capital One” but the Home Depot card was with CitiBank.  I logged in anyhow and there was a $0 balance because I haven’t used that card in a while.

That was a phishing email and they were preying on me to click and log in via their fake website that was probably set up to look like the real Home Depot website, though I didn’t click it so I don’t know for certain.

In short, if you receive a fishy email, just go to the site your normal way and check it out – do not click it!

What to do when you see it

OK, so you found a phishing email – what should you do?

Delete it, empty your trash and remember the way it looks… because you’ll undoubtedly get a few hundred more in your lifetime that look and feel just like that message.  These things come in waves, really annoying waves that initially thwart the email filters and find their way to your inbox. But once the spam filters find this piece of spam, they’ll block it – until the hacker updates it to look a little different, then it starts the cycle over again.

It’s really annoying and those of us who have more than one email address spend more time sifting through crap than using email on any given day.

Keep safe from phishing

Aside from having a proper email spam filter in place and perhaps enrolling in a phishing prevention program like mimecast or ironscales, the biggest and most important thing you can do is to turn off outside images in your email client. This is annoying because your known-good emails also will look strange, but the known-bad emails won’t tip off the sender that you are a real person.  To explain this I need to let you in on a secret: your email reading is tracked…

Most emails have an invisible little hidden pixel that reports back to a tracking server when you open the email.  This is why I send TEXT ONLY emails, so my emails can’t be tracked. But in general any marketing email coming from a company has a tracking pixel on it. This pixel allows the sender to tell if you read the email, when, how frequently, and how long it took you to read it.  Bizarre huh…

It’s one thing for a marketing email to relay if you are really interested enough to read something.  That’s creepy but not deadly.  It’s another thing altogether to have a phishing email register that you are a real person.  Even clicking on the email to look at it registers that you read it and by reading a phishing email your email address is marked as a “live email.”  This means that the frequency you receive crap emails will increase.

A “Live email” – that’s what they refer to you as if you show them you are a real person.  You are a “live email” and your email address has just become more valuable on the dark web.

All of this magical ability can be shut off with one process.  It’s different depending on the device and email client you use to read your emails.  This may cause you a ton of clicking during the day but should lower your likelihood of getting future phishing / spam emails.

Shut off your email client’s remote image loading no matter what – on all your devices that read email.  This is the secret to reading emails without tipping off the bad people.  You can always (on a per-email basis) load the images on known-good emails that you want to see the images on.  You can feel safe as you look over a piece of crap phishing email because those hackers are NOT being made aware that you are looking at the message.  From their vantage point they sent an email that was never opened, so your email address goes to the bottom of their list.
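What “remote image loading off” amounts to, as an added example (not from the original article, and not any particular mail client's code): the HTML body is rewritten so nothing is fetched from the sender's servers when the message is opened. The sample message, its `.example` hosts and the `data-blocked-src` attribute name are constructed for illustration, and only `<img>` tags are handled here.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: a visible logo, a 1x1 tracking pixel, an attached image.
SAMPLE_HTML = """<html><body>
<p>Your account was credited $135. <a href="https://shop.example/balance">View balance</a></p>
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example/open.gif?rcpt=abc123" width="1" height="1" alt="">
<img src="cid:inline-logo" alt="attached">
</body></html>"""


def is_remote(url):
    """True when opening the message would cause a network fetch for this URL."""
    u = url.strip()
    return u.startswith("//") or urlsplit(u).scheme.lower() in ("http", "https")


def looks_like_pixel(attrs):
    """Heuristic: a 0/1-pixel or hidden image exists to be fetched, not to be seen."""
    a = {k: (v or "").strip().lower() for k, v in attrs}
    tiny = (a.get("width", "").replace("px", "") in ("0", "1")
            and a.get("height", "").replace("px", "") in ("0", "1"))
    style = a.get("style", "").replace(" ", "")
    return tiny or "display:none" in style or "visibility:hidden" in style


class RemoteImageBlocker(HTMLParser):
    """Re-emits the HTML unchanged except that remote <img> sources are disarmed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []
        self.blocked = []

    def _start(self, tag, attrs):
        if tag != "img":
            self.parts.append(self.get_starttag_text())  # keep other tags verbatim
            return
        kept = []
        for name, value in attrs:
            if name in ("src", "srcset") and value and is_remote(value):
                self.blocked.append({"url": value, "pixel": looks_like_pixel(attrs)})
                kept.append(("data-blocked-" + name, value))  # inert; user can load it later
            else:
                kept.append((name, value))  # cid: and data: images travel with the message
        rendered = "".join(
            f" {n}" if v is None else f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.parts.append(f"<img{rendered}>")

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs)

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        self.parts.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.parts.append(f"<!{decl}>")


def block_remote_images(html_body):
    """Return (safe_html, blocked) where blocked lists every fetch that was prevented."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.parts), parser.blocked


if __name__ == "__main__":
    safe, blocked = block_remote_images(SAMPLE_HTML)
    for item in blocked:
        print("blocked", "(probable tracking pixel)" if item["pixel"] else "(image)", item["url"])
```

The unique `rcpt=` value in the pixel URL is what ties an open to one address; with the fetch blocked, the sender's server never sees it.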

And hey, “If it looks fishy, let it sit.”  Meaning, don’t click but confirm first via backchannels.  If it’s from your bank and it says something horrible, call your bank and verify.  DON’T call the phone number the email says is your bank, call the number on the back of your debit card.  If the email is from a friend asking you to send them a gift card, call your friend and ask if they sent the email to you.  Remember, just because it’s an email doesn’t mean you need to resolve it in seconds.  It’s prudent to verify before you take action in whatever other means you have at your disposal.  Usually just typing the website in a web browser and / or logging in on your own with your password manager is the best way to verify (like my Home Depot email above).  Again, I never even allowed the images to load so the hacker doesn’t know I opened and read the email and certainly doesn’t know I logged into the site and proved the email was trash.

OLD emails, old email servers…

OK, I think we all have “an old email that we used forever” and I’m here to tell you that it is most likely more susceptible to hacking than newer emails with newer technology.  Microsoft and Google have come far with their products Office365 and GSuite.  Although I dislike Google personally, both of those technologies have been tried and tested and I approve of email served through them for business.

I ran email servers for many companies over these past 2 decades.  I have seen the good, the bad, and the ugly and when older email servers get ugly, they get really ugly really quickly.  One thing I have learned with crypto is that a solid email provider is needed and, to be honest, I don’t trust any large or small company with my email. Instead, I turn to a completely private email service like protonmail.

I use them and haven’t yet had an issue, so too does most everyone I have met in the crypto world.  They have a free product that I use and a paid product I’m sure I will upgrade to over time.

The reason I don’t trust Microsoft or Google is that my email account is wide open for them to read.  They can release portions of my messages to anyone and have in the past opened their networks for governments even without a warrant.  And most other email servers out there that IT people like me can buy, install and run to deliver email have flaws or missed security patches.

The kicker is that most older email hosting applications give the administrator the ability to impersonate any one of the users on their email servers and then have complete access to all of their email.  The admin can send and receive email directly from any email box on the system anytime.  Great for IT admins troubleshooting, but really bad for security and privacy.

Also, most email servers have the ability to do global searches that can be run on all email accounts as well.  All kinds of security holes and potential for misuse exist within email hosting software – it’s important to realize this risk when using the services.  If you have a non-name brand email service, call their support and ask if these issues exist in their back end.

It may not matter if all you do is use an email to connect with people from college, but put that email address onto a 2FA for a crypto account and that ups the need for your email address to be secured.  Just be safe and try not to use older emails that have been around forever.  If for no other reason than these email addresses have likely been on the dark web for longer and at some point I’m sure you’ve tipped them off that they are “live emails.”

Computers

Everyone needs a computer to do anything online, remember that a smartphone is a specialized computer that may or may not also work to accomplish your needs.

Each computer has several components in common: RAM, CPU, something to store data, inputs and outputs as well as some physical mechanism to go online.  You can think of this as the “hardware stack.”  For example, the hardware stack I use in my office is an iMac with 16GBs of RAM, a 3GHz processor, a 1TB hard drive, trackpad, keyboard and two extra monitors.  No matter how well these components are tested they can be taken advantage of. But only if the proper maintenance isn’t performed.

It’s like driving a car without an oil change in 3 years.  

Here are the attack surfaces contained within each computer, no matter the make / model or when it was manufactured.

Operating System (OS)

The OS / operating system interfaces with everything on the computer no matter if it’s hardware or software.  The OS translates computer program actions and allows for you to do what you need to do.  If you print something, the OS facilitates the process to send the print job to the printer, it connects and bam you have a printed piece of paper.

There are three kinds of OSes in the world today: Windows; Mac; and Linux.  Each of these main flavors has many children such as iOS and iPadOS for Mac and 400+ Linux distros plus all the sub-versions of Windows (95, 98, Vista, 10, 11, etc) over the years.

I’m going to make many people frustrated by saying this, but if you have crypto I believe the best OS for you to have is MacOS.

MANY of my colleagues would be quick to point out that there are viruses for MacOS and there are MANY secure Linux OS distros built specifically for these crypto needs. And still more will say that they’ve only ever used Windows and can’t / won’t learn a new OS.

At the end of the day, your digital hygiene is the most important and so long as you have proper digital hygiene it shouldn’t be a problem what OS you use but using Windows requires more thought, time, energy, and cost to maintain properly than a Mac.

You can get an antivirus program for a mac just the same as you can for Windows and you don’t need to re-learn everything to use a mac.  Linux is another story.  Although there are really cool things going on in Linux, it’s probably never going to make it mainstream as there are major compatibility issues.  Furthermore, running Linux is still sadly a specialized setup that non-technical folks will have a hard time getting support on. 

The usability of a Mac is different yet the same as Windows.  Everything is doable in a different but similar way and once you learn those ways you may realize it’s better or you may hate it.  This isn’t why I say Apple is better.  It’s the same for usability and security – but where it does excel is under the hood.

You see, under the hood of Windows is DOS and / or an NT Kernel.  Those things are so full of holes it’s crazy. But under the hood of a mac is linux… or well, a specialized version of linux.  This gives users of macs the ability to have their cake and eat it too.  They can enjoy a relatively easy to use computer and mobile device ecosystem while knowing that the base-level of all their devices are permission based.

What do I mean about being “permission based?”  Basically NOTHING can happen on a clean Mac or a clean ios device without you providing permission for that to happen.  This is important because under the hood of a windows machine there are so many services running without your permission.  Each of these windows services can be appended at any time without you knowing.  Sure it’s hard to do this, but hackers have all the time in the world to come up with their next attacks.  The access to the underlying Windows OS is (IMHO) wide open as compared to a Mac and access for hackers to the underlying Linux system is further limited.

Windows has gotten better and honestly for anything else it’s fine. But I only trust my crypto on Mac and have what I believe to be a solid footing to run the applications that crypto needs.

AntiVirus (AV) / Malware Protection

NO MATTER WHAT you need programs to monitor and scan your computer to keep it protected from viruses and malware.  Two types of AV programs exist and I believe it is important to have both on your computer: traditional “signature based” AV and “behaviour based” AV.

Signature based AV was the first type of protection created.  Most of the known names in the industry are (or started as) a signature based protection program.  This technology uses massive databases called “virus definitions” that are sync’d down to every computer running their software.  There are known public virus definition services as well that AV companies subscribe to and integrate into their applications.

The database contains a list of file hashes that are known to be bad and the AV program hashes a file and compares.  If it’s on the list, it’s bad – if it isn’t on the list, it’s unknown at this point.  This hash is different from the crypto hash, but basically every file can be hashed and a series of seemingly random characters produced.

The process to hash a file isn’t important but these characters are ALWAYS the same if the file is hashed on any computer and even if the file name or location is different.  So the signature based AV programs keep an ever growing list of “bad file hashes” and they routinely hash the files on your computer to compare. If one file hash on your computer matches a hash in the database then that file is sent to the quarantine.

This is important because it can find files sitting idle that perhaps were downloaded as an email attachment or left over from something you did a long time ago.  These files will get cleared eventually by such an AV program like AVG as that’s signature based.

Lately there have been large advances in the manufacturing of computer viruses. In fact, a single virus can be presented with many hashes on many computers. As a result the industry can no longer rely solely on the hashing mechanism since the “bad file” list can’t be updated quickly enough.  What newer AV programs do is they watch the user behaviour and flag things that aren’t common.  These are called Behaviour based AV programs.
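The signature lookup described above, and the reason a changed copy slips past it, as an added example (not from the original article or any AV product). The “bad” file is a harmless constructed byte string, SHA-256 is an assumed choice of hash, and the folder names and the `scan` function are made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash file contents only; the name and location never enter the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, bad_hashes, quarantine):
    """Hash every file under root and move any match on the list to quarantine.

    Returns [(path relative to root, digest), ...] for the files that were moved.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        if digest in bad_hashes:
            rel = path.relative_to(root).as_posix()
            path.rename(quarantine / f"{len(hits):04d}_{path.name}")
            hits.append((rel, digest))
    return hits


def demo():
    # Constructed, harmless stand-in for a file whose hash is on the "bad" list.
    known_bad = b"CONSTRUCTED-SAMPLE: stands in for a known-bad file\n"
    definitions = {hashlib.sha256(known_bad).hexdigest()}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "home"
        (root / "Downloads").mkdir(parents=True)
        (root / "old" / "attachments").mkdir(parents=True)
        # Same bytes under two different names and folders: both must be caught.
        (root / "Downloads" / "invoice.pdf").write_bytes(known_bad)
        (root / "old" / "attachments" / "renamed_copy.dat").write_bytes(known_bad)
        # An unrelated file: not on the list, so it is "unknown", not "clean".
        (root / "Downloads" / "notes.txt").write_bytes(b"grocery list\n")
        # One extra byte gives a completely different hash, so the list misses it.
        (root / "Downloads" / "variant.bin").write_bytes(known_bad + b"\x00")

        hits = scan(root, definitions, Path(tmp) / "quarantine")
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
    return hits, remaining


if __name__ == "__main__":
    hits, remaining = demo()
    for rel, digest in hits:
        print("quarantined", rel, digest[:16])
    print("left in place:", remaining)
```

`variant.bin` staying in place is the gap that behaviour based products are meant to cover.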

Imagine Excel is running and using 1GB of RAM.  Suddenly it tries to look at RAM outside of the 1GB it’s using. Clearly this shouldn’t be allowed and a behaviour based AV will stop this activity, flagging it for the computer user to approve or not.  Even better AV programs will just kill the process.

The benefit of behaviour based protection is that no matter what program is infected the bad things it can do are quelled almost immediately without performing its “hacking” action.  Also, these companies build a behaviour profile that is usually analyzed by the developers to better harden their programs.  This is more in line with what is going on now in the security world as it’s a bit like the wild west as computer viruses are programmed to change over time.

I can’t really recommend the best AV because it doesn’t exist. However here are a few that make the top of the list: avg.com ; webroot.com ; crowdstrike.com ; sentinelone.com ; malwarebytes.com. These are all great choices and ones I have used in the past.

Applications

Applications are needed to do just about anything on a computer.  Even smartphones need “apps” to do stuff.  To do DEFI one needs to use dAPPS as well.  The OS doesn’t ship with much and certainly nothing capable of holding crypto.  Each application installed on your computer contains a tiny bit of risk.  It’s all about mitigating risk and doing so without compromising on form and function.

Take a normal business Windows desktop in your office at work.  Add to that Netflix, Spotify, Microsoft Office, Outlook, and an email account and you will see that the computer runs much slower than when it was application-less.  This is because all apps put on a windows computer take a little portion of that computer as its own.  The permission is given when you install and the installation puts in many sub-components that fire up, sometimes even when you aren’t using the application.

On a Mac, you need to give permission for those applications to use resources when they are not running.  The Mac will ask you for your password and give you the permissions that the app wants. If that application strays away from those permissions and tries to do something else, you get asked again.  In Windows, you give a blanket permission at the beginning when you install an application to do whatever it wants.

OK, so great, why does this matter?

It matters because in the crypto world, applications process your wealth, and you always want to know what an application is doing with your wealth.  Say for example you install a software wallet – wouldn’t you like to know if that is running in the background?  On a Mac, I don’t know of a way to run an application in the background without alerting the user at least once to register the service. However on windows, I know of several ways an application can be spawned and not tip off the user that it’s being run.

Perhaps it’s only a matter of time before these exploits come to the Mac world. But for me, Mac appears the safest now and I recommend ONLY LOADING THE APPLICATIONS YOU NEED.  No email, no chat, no MS office – nothing on your crypto computer except your crypto and a few antivirus / cleaning / protective utilities.  If you can, dedicate an entire computer (perhaps a laptop) to your crypto.  Don’t store all of your crypto on there, but use that computer to do all your transactions.

Some folks go the extra mile and store the computer in a safe when not transacting crypto.  My portfolio isn’t large enough to do this and my crypto is constantly in motion, so settling down into a groove can’t happen for me until this bull market is done.

Internet

To connect, or not to – that’s the question. Truly, what’s the point of having a computer and NOT connecting it to the internet.  It’s a funny question because most folks don’t understand the difference between a connected and not-connected computer.

Cellular Service

First off, all smartphones are always connected, even if they do NOT have cell service, aren’t activated, or are brand new in the package.  It’s just the way the world works.  A cell phone has a few two-way radio antennas in it and those antennas are programmed to check the network every so often.  Sure they don’t check as frequently when they aren’t configured, but they do check even if the network checks go unanswered.  This is why your phone dies if you just leave it somewhere for a while without anything running on it.  The cellphone needs to reach out to the network and say “are you there” and the network says “sure am” then your cell phone says “is there a phone call or text for me” and the network answers.

OK, that’s a massive oversimplification – but what isn’t is the fact that in the USA we have gone through several cell technologies in rapid succession.  There was 1g, 2g, 3g, 4g, LTE, and now 5g. Each of these layers of technology on the internet needs a unique chip and processing ability in the phones that run on those networks.  Those chips and bi-directional antennas that service each network are unique, so if you buy a phone now it may have up to 5 different chips and be communicating on 5 different networks simultaneously.

As of this article the 3G network is being sunsetted – good riddance, I found cell service to be spotty and data speeds unreliable on 3G – I won’t miss it.

Having these networks accessible without a call drop is great if you go into a bad cell area: when the LTE isn’t available, the phone can fall back on 4g or even 3g.  But if you are looking for a secure phone, one that doesn’t have exposure to many networks all at once, it doesn’t yet exist, though 5G promises to provide the consolidation landscape to remove the lesser used networks.

This is one reason why I consider general cell phone usage insecure. That is until I found efani. Their Black Seal product truly puts the security back into phones.

General Internet Guidelines

First off, no matter the device you are logging into and no matter if it’s crypto or not, you should always log out / disconnect when you are done with a web session.  It’s just good practice.  In the crypto world being connected survives a computer reboot, so it’s always good to disconnect. It’s just a pet peeve for me to have folks stay logged into sites forever.

Holding that aside, the paid version of AVG and Webroot have decent software firewalls.  These will block your computer from connecting to known malicious sites.  It does this by adding a little filter that checks as you browse the internet. If it sees a known bad website it will just display an error rather than allow you to visit that website.

Also use brave.com as a web browser – it’s literally the best browser out there and you get paid crypto for using it.  BAT to be specific.  I switched to Brave about a year ago and I haven’t looked back.  Brave is built on top of chromium just like Chrome is, so it offers the exact same convenience and speed as Chrome but without Google watching over you.  Brave is completely private and has a built-in VPN that allows you to easily mask your location and encrypt all of your internet traffic.

Using brave with a privacy focussed search engine like presearch.org or duckduckgo.com gives the best protection possible.  Brave does some really cool things too: it limits or eliminates ads on sites and blocks many malicious scripts that might be doing stuff like tracking what sites you go to and reporting back to a master database.  Brave gives the cleanest internet experience I have ever seen and has all the Web 3.0 tools baked in.

Web 3.0

Many of you may have heard that Web 3.0 is here!  Woo hoo!  Most of you will ask what happened to Web 1.0 and 2.0?  The answer is that all three exist at once now.  Let’s follow the trajectory.

When I first saw the internet it was text only and I used the tab and space buttons on the keyboard to navigate.  No mouse, no videos, no noise, no images, nothing but words and links.  I’d tab over to a link and hit the spacebar to follow that link.  This was Web 1.0 and I experienced this for the first time around 1992 in my high school library on a projector on the wall.  My first thought was, damn, that’s 15 minutes of my life I won’t get back…

Fast forward a little, Netscape came about and allowed for images to be used. Then things like social media and streaming apps entered the scene and bam — Web 2.0 was born.  This is the internet that you all know and love but it was missing something: native internet-based money.

Sure, it was eventually possible to spend FIAT on the internet with e-commerce but trust me when I say it was difficult to accomplish this feat.  I worked in the e-Commerce industry since its inception and let me tell you it was a bit of a mess.  I was involved in the development, support, hosting, securing, and merchant services aspects of e-Commerce environments.  There is so much complexity and when all of the required service costs were added together it drove the prices to facilitate a transaction up to nearly 10% of a transaction.  Of course larger companies paid smaller percentages and technically oriented companies could self-host or develop the site in house and reduce costs, but in general a web budget of 10% web-revenue (including fees) was sought after.  There was no real “internet money”; money that can be used online easily, efficiently, effectively, via the browser, and non-cost prohibitive.

Enter Crypto to close this loop and the past 2 years solid have been focussed on building out the Web 3.0 that we see coming to fruition before our eyes.  Web 3.0 is still in its infancy, but crypto has been brought into the main fold, allowing for secure payments and storage of assets.  Most importantly, crypto has very few gatekeepers and middle men (or middle women.)  So, fees to transact with crypto are far lower.

For example, I can send hundreds of thousands of dollars worth of digital assets across the world securely within minutes for a total fee comparable to 1 dollar.  This just isn’t possible within the traditional financial ecosystem.  Be it e-commerce or traditional money management fiat-based ecosystems they tend to cost much more and be overly complex to navigate.

Crypto Cronies

Crypto adds one more element to look out for – fakes. Just like Gucci has fakes, so too do some projects in the crypto sphere, and these fakes eat your crypto.  Just like the phishing threats, these fake sites pose as a real site and aim to take advantage of the non-discerning eye.

First thing I noticed in crypto is that it is a losing battle to keep track of all the proper crypto project websites as I have used a thousand or so over the last few years.  Throughout this time the one thing that hasn’t changed are sites like this one and/or coingecko.com; known resource sites that will always point you in the right direction.  If I have a question on a url for a tool, I usually just go to coingecko, look up the token, make sure it’s the right project, and go to the project website directly from the link on coingecko.  This, I find, is the safest way to get into lesser known crypto projects properly.

As for tools, they have the posers as well – don’t go searching the google play store because you will find several versions of each project and you do NOT want to pick the wrong wallet because what goes in does not necessarily come out.  Case in point, Metamask (a major component of Web 3.0) had a fake wallet in the google play store – anyone who transferred crypto to it got their crypto stolen.  It has since been removed, but that got me thinking that if they can do that on one project, they will do it again on others.

Again, go to the proper website and click their link to download their software.  Don’t trust, verify.

BIOS / Firmware

The lowest level software on every digital device is the BIOS or Firmware.  BIOS (Basic Input and Output System) and Firmware (usually on mobile and IOT devices) both do the same job.  They expose the underlying hardware to the OS and other software packages that need access.  They are the hardware gatekeepers.  So, my 16GBs of RAM is used by my OS THROUGH the BIOS.  My camera on my iPhone is used by iOS THROUGH the Firmware.  The BIOS / Firmware gives the OS permission and sets the rules that dictate hardware usage.

Did you know that the ATM you get money from has loaded firmware that needs updating also?

One thing people don’t know is that BIOS updates are rather important.  There are very few viruses for BIOS but when an exploit is noticed it tends to blow up worldwide. This is because people don’t know or understand that BIOS needs to be upgraded so the same BIOS can sit on a machine for decades without a change – thus a single BIOS virus can have massive impact even after a patch or fix is created.

It’s always recommended to apply all hardware and OS updates and security patches to all of your computing devices.  At least once a month you should go through this process.  If you have a Windows computer, once a year or so you should check the website of your motherboard manufacturer to make sure your BIOS version is up to date.

All windows computers come with an update utility baked into the OS so it should be simple to keep up to date with the OS updates.  Also, with large computer factory companies like Lenovo, Dell, HP, and others they have utilized inline updates and can deliver all updates easily via a process needing to be run once a month.  With non-name-brand windows computers the updating process is difficult because there is no standard way to propagate updates.

Linux has a built-in package management system, and depending on which version of Linux you have it will look different and/or be a different command to run (if you are geeky like me).  Running this gives all OS, application, and driver updates as well as security patches, but won’t give firmware or BIOS updates.
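Because the package manager will not report on the BIOS, it helps to at least know what is installed.  The Python sketch below is an added example, not part of the original article: it reads the BIOS vendor, version and release date that Linux exposes under /sys/class/dmi/id and flags firmware older than a review interval.  The 365-day threshold and the function names are assumptions.

```python
"""Report the installed BIOS version and its age on Linux (added example)."""
from datetime import date, datetime
from pathlib import Path

DMI_DIR = Path("/sys/class/dmi/id")  # Linux sysfs directory holding DMI/SMBIOS data
REVIEW_AFTER_DAYS = 365              # assumption: the "once a year or so" check


def read_bios_info(dmi_dir=DMI_DIR):
    """Return vendor, version and release date strings; None where unreadable."""
    info = {}
    for field in ("bios_vendor", "bios_version", "bios_date"):
        try:
            info[field] = (Path(dmi_dir) / field).read_text().strip()
        except OSError:
            info[field] = None  # e.g. a container or a board without DMI data
    return info


def bios_age_days(bios_date, today=None):
    """Days since the firmware release date, or None if it cannot be parsed."""
    if not bios_date:
        return None
    try:
        released = datetime.strptime(bios_date, "%m/%d/%Y").date()
    except ValueError:
        return None
    return ((today or date.today()) - released).days


def review_needed(info, today=None):
    """True when the firmware is past the review interval or its age is unknown."""
    age = bios_age_days(info.get("bios_date"), today)
    return age is None or age > REVIEW_AFTER_DAYS


if __name__ == "__main__":
    info = read_bios_info()
    print(info)
    if review_needed(info):
        print("Compare this version with the latest on the manufacturer's support page.")
```

An old release date only means it is time to look at the manufacturer’s site; it does not prove that a newer BIOS exists.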

Apple Hardware

Mac, iOS, iPad, etc. have a single push update / upgrade for any firmware, OS, security patches and anything else needed, all with an easy push of one button.  You can even schedule it to happen overnight on your mobile devices so you don’t lose productive time.

This is yet another reason why I like Macs, they just work…

General Network maintenance

Nothing is safe if your network is compromised.  The network you have holds together all your computing devices and allows them to access each other and the internet.  Certainly we all have a mesh of wires in our houses that perhaps we know (or don’t know) where they go and what they do…but this is where problems can hide.

Put a gap between your network and the provider’s network

Your ISP (internet service provider) has their network running up to the hand-off to you.  This hand-off point is called the demarc.  The install agent hangs a bunch of boxes on the wall and they point you to a piece of tech that you plug your network into and voilà, you have internet.  This box connects your house to their network.  Some ISPs give a harmless modem without any bells and whistles while others give out a complete modem, firewall, and wifi network creator.  No matter what you are given, the most important thing to do is to put a gap between your network and the provider’s network.

Basically you want whatever happens in your network to not touch the ISP router unless it needs the internet.  This prevents your ISP from seeing your activity within your network.  So basically you DO NOT want to USE the cable router/modem for anything but a glorified connection to the outside world.  DO NOT use the wifi from it, in fact, ask the tech to deactivate the wifi, and don’t plug anything into it except your internal network router.

Something else to note: if you have Comcast / xFinity, they put up a public hotspot.  Yes, that’s right, your internet connection could be used by any other Comcast / xFinity customer at any time.  I feel this is dishonest, but who am I to say anything – just get it turned off and you should be fine.

You’ll need to buy a decent firewall / router / wifi device – Linksys is a good (and easy to use) brand.  It SHOULD cost you in the $100 – $300 range.  You can get routers cheaply, but a cheap router will cause more problems than it will prevent.  That’s the only real way to be secure on wifi: make the wireless network yourself and put a really secure SSID and password in.

WEP and WEP2 are two of the earlier wireless authorization technologies. Unfortunately there are tools hackers can use to mass-guess those passwords, so keep them long and annoying EVEN if you upgrade to WEP3.  Sure they can guess it, but it’s not very practical to sit outside someone’s house and hack – so if they can’t get in easily, they’ll move on.  I have my wifi network separated from my wired network and the third (business) network is completely isolated.  I use eero as my wifi and it kinda sucks, but it’s easy to use.  I’ll probably replace that over the next year or so.

Separate your IOT devices from your main wifi

Just about everything is internet connected at this point.  Fridges, crock pots, air conditioners, heaters, thermostats.  You name it and someone figured out how to internetify it.  These are called IOT (Internet Of Things) devices and by the nature of what they are, they are extremely insecure and present a ton of security risk.

The best thing to do with these devices is to separate them from your normal wifi used for your laptops and phones.  Put the IOT devices on their own wifi and don’t use that network for anything else.  This will isolate their internet requests and keep the IOT off your real networks.  You can (if you want) use your guest network, that’s at least a little better than having everything all together.

That’s another thing – have a guest network.  If people come over to your house, the last thing you want to do is put their dirty, non-secure devices onto your wireless network with your crypto computers.  Take the extra few minutes to set up a few wireless networks and separate out your devices from the others.  Don’t give up your private wifi and change your private wifi password frequently.
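Once the trusted, IOT and guest networks exist, it is worth checking that every device actually landed on the one you intended.  The Python sketch below is an added example, not part of the original article: it compares a device inventory against an addressing plan and lists anything sitting in the wrong segment.  The subnets, device names and addresses are constructed values, and the one-subnet-per-network layout is an assumption.

```python
"""Check a device inventory against a home network segmentation plan (added example)."""
import ipaddress

# Assumed addressing plan: one subnet per network described above (constructed).
PLAN = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # laptops and phones
    "iot": ipaddress.ip_network("192.168.20.0/24"),      # fridges, thermostats
    "guest": ipaddress.ip_network("192.168.30.0/24"),    # visitors' devices
}

# Constructed inventory, e.g. copied by hand from the router's client list.
DEVICES = [
    {"name": "work-laptop", "role": "trusted", "ip": "192.168.10.21"},
    {"name": "thermostat", "role": "iot", "ip": "192.168.20.5"},
    {"name": "smart-fridge", "role": "iot", "ip": "192.168.10.77"},  # wrong segment
    {"name": "friend-phone", "role": "guest", "ip": "192.168.30.14"},
    {"name": "unknown-cam", "role": "iot", "ip": "10.0.0.9"},        # outside the plan
]


def segment_of(ip, plan=PLAN):
    """Name of the planned segment containing this address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


def overlapping_segments(plan=PLAN):
    """Pairs of segments whose address ranges overlap; should be empty."""
    names = list(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


def misplaced(devices=DEVICES, plan=PLAN):
    """(name, intended segment, actual segment) for each device in the wrong place."""
    findings = []
    for dev in devices:
        actual = segment_of(dev["ip"], plan)
        if actual != dev["role"]:
            findings.append((dev["name"], dev["role"], actual))
    return findings


if __name__ == "__main__":
    print("Overlaps:", overlapping_segments())
    for name, wanted, actual in misplaced():
        print(f"{name}: should be on {wanted}, found on {actual or 'no planned segment'}")
```

Separate subnets only isolate devices if the router also blocks traffic between them, so confirm that setting on the router itself.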

What to do after you have been hacked

I can’t stress enough that, once you have been hacked, you HAVE to assume they know EVERYTHING.  The black market for PI data is tiered and incredibly interconnected.  The fresh (virgin) data just hacked is worth the most.  Hackers will separate out these records and merge together existing dark web data to sell the fresh hacks that have full profiles at a premium.  Also, famous people go with the first batch.  Hackers will sell this data to the highest bidder.

Once a little time elapses, the hackers will resell the list to a new set of hackers, and those hackers try to hack the already hacked…  It’s a vicious cycle, and if you have been hacked once they will come back.  That’s when the real horror starts, and you can avoid being the victim several times if you go on a massive password changing binge, securing yourself one site at a time.

If you have been hacked, change EVERYTHING!  NO MATTER HOW LONG IT TAKES.

Re-do ALL of your passwords with secure passwords as this does two things.  It confirms you still have access to those sites and blocks out the hacker from using the “old” security details to get in.  I’d even say to change all passwords before you look at the damage – start with the accounts that have the most money in them, and if you have the ability to freeze the account do it as you log into it to change your password.

How to best move into password management

It’s REALLLLY annoying to change passwords (I know) but it’s a must if you want to stay safe.  There are a few ways to onboard your passwords into a password management system.  First you need to pick the product and second install it on your browser.  The easiest way I have found to on-board a password manager is to log into all your sites (perhaps as you change the passwords to make them more secure) and allow the new password manager to “notice” as you log into your sites normally.  It should prompt you to save the passwords and, over time, you’ll eventually get the majority inputted.  Delete the passwords from your old storage mechanism as you move them so you can keep track of what is left to move in.  This is if you haven’t yet been hacked.

If you have been hacked, going through and resetting everything should give you the opportunity to store the new passwords in your new password manager.

MAKE SURE YOU BACK UP your passwords. And by this I don’t mean write them all down, I mean, make sure your password manager has a proper backup / restore routine.  In fact, try it out and make sure you can back up and restore.

The best advice for high net worth individuals is to leave a trail with your lawyer just in case you aren’t here anymore – hopefully it won’t matter for many decades, but proper planning prevents lost crypto.  Perhaps there is a single password for your password manager and that password may need to be stored with a will or something like that.

Don’t be too scared

Certainly my objective here is to scare you enough to take these things seriously, but if you do even half of the above suggestions you’ll be less likely to ever need to be worried.  The most important thing to do is to stop and think through things logically.  If you have been hacked, take note as to what was affected and what was not.  Take stock of the differences and learn from that horrible situation.  Perhaps there is an old email you should stop using, or perhaps you used the same credentials on 16 crypto sites and those 16 were the only ones affected by the hack.  Think through the scenario: is that same username / password on non-crypto sites?  If yes, change it.
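Thinking through that scenario is easier with a list in front of you.  The Python sketch below is an added example, not part of the original article: given a password manager export and the sites you know were hacked, it finds every other site using the same username / password pair and orders the whole set with the accounts holding the most money first, as suggested earlier.  The export layout, the “funds” column and all the sample rows are constructed assumptions.

```python
"""Find sites that share credentials with a hacked site (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are an assumption; every password
# manager has its own export layout. "funds" is a tag you would add yourself.
EXPORT = """site,username,password,funds
exchange-a.example,alice@mail.example,Tr0ub4dor&3,high
exchange-b.example,alice@mail.example,Tr0ub4dor&3,low
forum.example,alice@mail.example,Tr0ub4dor&3,none
bank.example,alice,x9!Lq2#vPz7wRk,high
shop.example,alice@mail.example,summer2021,none
news.example,alice@mail.example,summer2021,none
"""
FUNDS_RANK = {"high": 0, "low": 1, "none": 2}


def load(export_text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(export_text)))


def reuse_groups(rows):
    """Map each username/password pair used on more than one site to its sites."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["username"], row["password"])].append(row["site"])
    return {cred: sites for cred, sites in groups.items() if len(sites) > 1}


def rotation_order(rows, hacked_sites):
    """Every site sharing a credential pair with a hacked site, most funds first."""
    exposed = {(r["username"], r["password"]) for r in rows if r["site"] in hacked_sites}
    todo = [r for r in rows if (r["username"], r["password"]) in exposed]
    todo.sort(key=lambda r: (FUNDS_RANK[r["funds"]], r["site"]))
    return [r["site"] for r in todo]


if __name__ == "__main__":
    rows = load(EXPORT)
    print("Change first:", rotation_order(rows, {"exchange-b.example"}))
    for (user, _password), sites in reuse_groups(rows).items():
        print(f"Reused credentials for {user}: {', '.join(sites)}")
```

A real export holds every password in cleartext, so delete the file as soon as the review is done.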

At the end of the day, you still need to use your computer, phone and connect to the internet, so being super paranoid only gets you so far.  Remember that you must still be able to perform normal things, and perhaps writing down all your passwords in a book by your computer isn’t the best when you use secure passwords.  It will take forever to log in anywhere that way.

Bite your security upgrade off in smaller chunks, use your downtime when the market is sideways to move forwards a bit on your security initiatives.  Set aside an hour a week to reset passwords and on-board them into your new password manager.  You’ll be done much quicker if you stick to a regimented routine.

Spend time thinking and researching before you dive into a new project or coin / asset with your hard-earned money.  Read up on something that is complex from many sources before you try it, and if you do want to do complex things like liquidity mining you should really understand what you are doing and try smaller amounts of crypto at first.  Measure your success in percentages and expand if, and only if, it makes sense.

The bottom line is that there will always be crooked people out there looking for a quick buck.  It’s our job to make sure they don’t get this easy money from us.  As I once learned, Proper Preparation Prevents Poor Performance.  Are you properly prepared for your future?