The Best Free Tools for Online Security

How To Save Money AND Your Digital Life

Ah, the feeling of freedom

I took some flack from a few readers about an earlier piece I wrote. That how-to guide — primarily written for Whistleblowers, Journalists, and other Privacy Snobs — focused on how to set up a very, very secure iPhone. Some of what I recommended in that piece requires a financial investment.

I get that this bothers some of you. Heck, it bothers me: I hate that the world we live in requires money to help ensure that we receive more privacy. That seems wrong. Not everyone has the extra funds to buy and keep a second smartphone or a bug sniffer.

Therefore, in this installment, I’m re-balancing the scales a bit. Today, I’ll focus exclusively on powerful, highly-regarded and 100% free tools which anyone can use to help beef up their computer, smartphone, and tablet security. Let’s jump right in.


Operating System (OS)

Last I checked, Windows 10 Home Version is $139. costs to buy these days. The Professional and Workstation versions are $190 and $309 respectively. Maybe it’s just me, but that’s freaking stupid.

The macOS is free. That’s great. But it can only be run on Apple hardware (or, after some hacking, on a virtual machine) which means a fairly expensive computer compared to the competition. Maybe it’s just me, but that’s also freaking stupid.

You know what’s not freaking stupid?! Having access to a free OS and also getting to install it on the computer of your choice, Mac or PC. The good news, you can do that now with Linux.

Linux is an open-source, highly-vetted, and very safe OS. Open-source simply means the source code is freely available (or open) for anyone and everyone to inspect, audit, improve and copy it. Not surprisingly, because anyone can copy it, there are several variations of Linux that have been copied and then altered from the original that is now quite popular with loyal and ever-growing fan-bases. Ubuntu, Fedora, and Debian Linux are three of the most popular.

I’ve used Ubuntu and its graphical user interface (called a “GUI” for short) is pleasing, intuitive even for beginners, and very easy to learn. I recommend starting there. Also worth noting is the “LTS” version of their downloads. From the Ubuntu download page: “LTS stands for long-term support — which means five years, until April 2023, of free security and maintenance updates, guaranteed.”

A free OS with free security and updates? Uh, yes, please.

Important to note: if you’ve never installed a Linux operating system on your computer before, I highly recommend reading Ubuntu’s well-written overview for how to do so.

Also important to note: I’d recommend that you NOT install Ubuntu on your day-to-day computer until you’re sure of how to proceed. If you have a second computer, use that instead. If you only have one computer, create a second partition on your hard drive and then perform your Ubuntu installation onto that partition.


Messaging Apps

ProtonMail & Signal are awesome, easy-to-use and FREE.

In my last article for “Better Humans”, I mentioned two of the most powerful messaging apps you can use on a secure iPhone. That’s good news, right there. The even better news: BOTH of those products are 100% free and you should grab them and sign up to use them now.

Signal is the app of choice by most security professionals for sending/receiving secure messages, pictures, audio, and video. Think of Signal as you’d think of sending and receiving text messages: it fulfills the same function but all of your data — all of it! — is encrypted from end to end, from the moment it leaves your phone until the moment your receiving party gets the transmission. This is known as E2EE or end-to-end encryption. If you and your other parties all have Signal installed (which is what’s recommended), everything you communicate will be encrypted and unable to be seen by the makers of Signal or anyone else for that matter.

Proton Mail is what Signal might be if it were designed for email, not text messages. It’s a very secure email platform that leverages a humorously-named technology known as “Pretty Good Privacy” (or PGP) that encrypts your emails, making it impossible for ProtonMail or anyone else to read them. Just remember, ProtonMail can only encrypt the body of your message. Email is an inherently open and, therefore, unsafe medium for communicating. No email provider can also hide your subject line, IP address, and other revealing information, but ProtonMail is the easiest to use. Like Signal, ProtonMail is safest only when all parties are on the platform.


Browsers

The Internet, like email, was designed to open, free and easily accessible. That’s great for sharing info, but terrible for those seeking privacy or security. Most web browsers, by default, allow you to be tracked online using various snippets of code that observe you as you go from, say, Amazon.com to Facebook.com. That code isn’t intended to be malicious, of course. It simply makes it easy for Facebook to see that you’ve been looking for a specific kind of thermos on Amazon and then, magically!, show you ads on Facebook for that exact same product.

But malicious or not: it’s creepy. You’re been digitally tracked and observed. Some of us, myself included, would prefer to not have that occur. Enter two, security-minded web-browsers.

Brave, is the web browser that, by default, blocks trackers, scripts, and other creepy digital snooping code that lurks on most websites. The CEO of the company is the inventor of JavaScript and co-founder of the Mozilla Project, the creators of the Firefox browser. Interesting guy, actually. Read about him here.

Brave is available for Macs, PCs, iOS, Android and Amazon smart devices and can be downloaded here for free.

Snowhaze, by comparison, is only available for iOS (sorry Androiders!) but is a beloved browser in security circles because of how strong it is, even when compared to Brave. It blocks tracking, malicious code, and, with an optional VPN plan, forms a combined effort to keep you more secure and private online. One nice feature that Snowhaze offers which I just love: password protection. If I’m on my iPhone and using both Safari and Mail, I can easily switch back and forth between apps. That’s convenient! But what if someone (a friend, a child, a co-worker, a stranger) picks up my phone? A few button clicks and they can see the sites where I’ve been surfing.

But on Snowhaze, you can navigate in the application to Settings-> Passcode and choose a password to protect your device. This is something I recommend doing. Once set up, anytime you open Snowhaze or switch back to it, you’ll be met with this prompt, which will confound any casual hackers:


Password Managers

If you’re serious about online safety, then you’ll need to ensure that every one of your passwords for every one of your accounts is complex, unique, strong, and random. That means if you have accounts on 150 websites, you need to have 150 different passwords. That’s not optional, by the way: it’s what’s actually required for best security. The problem with that approach, obviously, is that no human I’ve ever met can remember that many long and random passwords. We humans, therefore, need a password manager.

LastPass is one of the best solutions when it comes to managing your passwords. It works on all browsers and platforms and does what it does very well. Although the premium account is worth it for $3/month, the free account is, 100% free and provides most of what you’ll need to get your password party started on macOS, Windows, iOS, Android, and pretty much every browser in existence. The main problem with LastPass, according to some folks in the security world, is that their code isn’t open-source. That means there’s no way for outsiders to audit the software and confirm that there’s no bad code or malware. I get that and I agree that open-source software is, generally, better. However, LastPass provides an iOS and Android app to make using their product nearly seamless on a mobile device which is very convenient.

KeePass for Windows and & MacPass for macOS fills the open-source software hole. Their software is open-source which may make some of you feel more comfy. I don’t blame you. However, KeePass and MacPass don’t have mobile apps available, a big inconvenience to using them, for me. However, there are — for the adventurous — iOS and Android versions (also called “ports”) of the software available on the KeePass download page. Scroll down to the bottom and you’ll see ’em there listed. I’ve not tried any of them so I can’t vouch for them.

Caveat Emptor. (That means, “Make me a sandwich” in Romanian, by the way…)


AntiVirus & AntiMalware Scanners

Whether you’re on a Mac or a PC, it’s important to have basic antivirus & anti-malware software scanners installed on your computer. Fancy paid services offer tons of useful and additional features like including an additional VPN or a service that covers smartphones or tablets. And while some of those additional services are worth paying a yearly fee to have, you can have basic services now for free with two of the more well-known providers.

AVG is a well-established company that makes antivirus software for the Mac, Windows, and the AndroidOS. I use the Mac version on my laptop and have for years. It’s basic, useful, and easy-to-use:

AVG’s home screen interface

Malwarebytes is the company with the funny name that does some very serious work behind the scenes on your Mac, PC as well as on your Android or iOS device. Their software, like AVG, scans for viruses, malware, but also blocks known malicious websites and services from attacking your device in the first place. Nice touch. While the paid-for services are top notch, the free services are really powerful. In fact, the free service even includes a 14-day trial to check out the premium version: so if you’re already suffering from an infected computer, you’ll have 14 days to download and use the full suite of their software:

Malwarebytes main app screen

Browser Plug-ins

When we surf the web, we are tracked by an army of code that follows us wherever we go. This code helps advertisers and marketers better sell to us and it helps the owners of the websites learn about the habits of their readers and customers. While I don’t think that’s necessarily malicious in intent, I do think it’s creepy. Earlier, I spoke of using the free Brave web browser. I still recommend that. But if you MUST use Chrome, Firefox or other browsers, then using both of these browser extensions below will (a) help eliminate some of the worst offenders on the web from tracking you and (b) help you to avoid insecure websites.

Both extensions are created by the truly remarkable Electronic Frontier Foundation. From their website:

“Founded in 1990, the EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.”

Privacy Badger is a browser extension that allows you to see who is tracking you on every website you visit. Even better, it gives you the ability to change which trackers can load, using a simple gren, yellow & red sliding bar. You’ll instantly see how much faster websites load. You’ll also instantly see just how many trackers each website uses to follow you, because Privacy Badger makes that number clearly available. Below are a few examples from websites that some of you might visit. I’ve opened the Privacy Badger interface (by clicking on its icon) and you can too, to reveal who is tracking you. I’ve also circled the icon because here is where Privacy Badger counts how many trackers appear on each website. Facebook is following me on Netflix?!?!

Yup:

HTTPS Everywhere is another great extension that redirects you to secure websites. If you’re asking what that even means, here’s a quick breakdown: not every website is secure. I know, I know: how can that even be true?!?! But alas, some owners of some websites — I’M LOOKING AT YOU, ESPN!!! — refuse to force their websites to load securely, thus leaving their website and every user who visits it, open for malicious hacking. The proof is right there in the website address, too. On your web browser, just type espn.com. When the website loads, you’ll notice that it’s NOT secure:

Really?!? Yes, really. Disney, owners of ESPN, do not enforce their website loading in the known-to-be-more-secure https protocol and, instead, continue to use the known-to-be-unsafe http protocol. The HTTPS Everywhere extension can help by either forcing websites to load their more secure version (automagically, and in the background) or it can prevent those websites from loading on your computer, essentially protecting you from the possibility of opening yourself to a dangerous website.

Click on the HTTPS Everywhere extension, shown below in a red circle. Ensure both tabs are activated as shown in the rex box.

Now, when you try surfing to an insecure HTTP website — in this case, espn.com — the extension will prevent that website from loading and, by doing so, prevent you from being left open to malicious hacking. Now when I try to load ESPN, I see this:

Protected!

For those of who are industrious and have spare time (uh, not me with a 6-month-old baby at home), the EFF even allows you to contribute to its global repository to help write the rules which the browser extension then uses to auto-redirect users to secure websites. Neat!

Two Factor Authentication or “2FA”

I’ve written extensively about enabling and using 2FA in a previous article, but, for now, let me explain the concept simply. There are only three methods for humans to prove who they are. You can ask humans to provide:

  1. something they know, like a password or a social security number
  2. something they are, such as a fingerprint, facial scan, or some DNA
  3. something they have, like a passport, a cellphone, or a secure USB key

Here’s a real-world example. To access most email services, we’re normally challenged to prove our identities by entering a user name and a password. Now that might seem like we’re being asked for two things, but really, that’s not true. If you check the list above, you’ll see that knowing something only counts for one method of proving ourselves.

In the world of tech, we call each of these three methods a “factor” and we call the act of proving our identity “authentication”. Therefore, the challenge and response of logging into our email inbox are said to require “One-factor authentication”. Got it?

Good!

Now get this: having only one-factor authentication in place to access your email makes it really easy for an experienced, malicious hacker because getting someone’s email address and password is notoriously easy.

However, if we could add a second factor to the email login process — say, a text message sent to your cell phone with an always-changing 6-digit password — then a malicious hacker would need to have physical access to that device to be able to grab that second code and log into your email. That’s very, very hard to pull off, right? And that’s why adding a second factor of authentication can protect access to your digital holy of holies nearly or totally impossible for the casual hacker.

Now, as I mentioned, I won’t be explaining in here how to set up two-factor authentication (or 2FA). But know this: 2FA is 100% free and only takes a few minutes to set up. Here are two, great resources to use:

  • Two-Factor-Auth is a fabulous website that lets you know which websites do or don’t provide 2FA. Believe it or not, not every website offers this service. That fact, to me, is completely inexcusable, especially for banking, medical, and financial websites.
  • Authy is the tool that you’ll use to manage all of your 2FA logins. It’s an easy-to-use, 100% free app that you download to your iOS/Android device. These guys even give you entire guides on how to set up 2FA on various websites! Talk about doing so much of the legwork! Here’s their page for how to set up 2FA on Gmail. Just an amazing resource.

Tools For Suspicious Links or Websites

Last but not least, there are a variety of free tools available to help make your email practices far safer. One of the most common malware attacks — and, therefore, the easiest to prevent — is to send an email to unsuspecting users that looks like it’s official… but really isn’t. That practice is known as “phishing”. It’s a funny name but suffering from a phishing attack isn’t funny. At all. Phishing is a very easy and very successful tool that malicious hackers use because most of us are willing to click on any link in any email we receive. So a quick note about that:

STOP DOING THAT!!

For Christ’s sake, man: you can’t just trust every email you get. Just stop doing that. Stop it. Stop it now. If you’re really curious about where a link will take you, instead of clicking on it: RIGHT CLICK ON IT and then copy the web address it’s wanting to you to visit. Now, paste that address into the two, awesome tools I’ve listed. Each will unscramble, declassify, or examine the website in question, so you’ll know in advance if the website is actually safe for you to click.

WhereGoes: a fabulous service that unscrambles any odd or funny-looking website addresses. It’s very common to take long website addresses and use a tool called a “shortener” to provide a more reasonable website address. Here’s an example: http://bit.ly/2WxYOpP. Now you could click on that link right now BUT YOU SHOULDN’T! There is no reason, on Earth, would you should EVER click on that link because it’s not clear at all where that link points to. So, instead, copy the link and then head over to WhereGoes and paste it into the simple interface. Click the “Trace URL” button and this nifty tool will actually unscramble the address (also called a “URL” by the way) and show you where it really leads:

Low and behold, this link points to an article of mine right here on Medium, so go ahead and click away, now that you know. If you don’t know, DON’T CLICK. It’s that easy.

Virus Total is another great, free tool that helps you confirm — again: before you click on a link! — that the website you wish to visit is malware free. Let’s use the URL example from earlier that I gave you: http://bit.ly/2WxYOpP. We already know that my shortened URL leads to an article of mine here on Medium. But is Medium itself a safe website?!? Let’s use VirusTotal to confirm that Medium is, you know, “clean”.

I enter my URL, click the blue, magnifying glass icon, and voila! VirusTotal scans information about the destination website and checks against about 100 different services that track every website on the planet for safety. As you can see, Medium.com gets a lot of green checkmarks, signifying it’s a website you can trust.

Virus Total’s easy interface. Just enter a URL and press enter.

Hottip: to scan a questionable webpage you might want to visit INCLUDING all of the links on the page, check out the awesome tool at the awesomely-named Unmask Parasites. Just be aware, those scans take a bit longer because it’s scanning potentially scores of URLS.


So that’s it for this installment folks. If you think I missed I particularly good free tool that everyone should know about, let me know in the comments section. If you’d like to join my newsletter, just click the image below to learn more. I’d love to keep bumping into you like this.

Click this logo to learn more about my newsletter

Until next time…

…surf safe.