Many times, perhaps most of the time, the first step in a company getting hacked is an email message. That's why this is the first topic.
You never know who sent an email message, so think carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message. Techies can look at the hidden email headers to get an idea who really sent a given message, but this is not a skill taught in nerd school. If you can figure out how to display the header of an email message, you can copy/paste it into www.iplocation.net/trace-email which will parse the header and tell you the sending/source IP address, country, ISP and organization. A similar tool is Email Header Analyzer by MxToolbox. DNS Checker also offers an Email Header Analyzer. And more. The Message Header Analyzer produces a very detailed report but the person(s) behind it are unknown. The Google Admin Toolbox analyzer shows the status of SPF, DKIM and DMARC in a very clearly labelled way.
Might help.
In light of the above, victims might trust that an email was legit, if it knew something about us. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018, may not be from Starwood. Bad guys know you stayed there too.
It is easy to assume that when you reply to an email message, the reply goes to the person that sent the message. Sure, this is the case almost all the time - but not all the time. Internet email has a rarely used ReplyTo feature that lets the sender specify an email address to receive replies. An email message from DonaldDuck@gmail.com might have a ReplyTo address of DonaldDuck@hotmail.com or DonaldDuck@aol.com or DonaldDuck@anyfreeservice.com. The ReplyTo address can be anything, but copying the sender's name while changing the domain makes it more likely the scam will not be noticed. If the ReplyTo is used in conjunction with a spoofed sender email address, then a victim can be fooled into an ongoing conversation with bad guys.
Maybe your email software will display the ReplyTo field, maybe it won't. Gmail hides the ReplyTo address until you actually reply.
Links: Links in email and web pages are complicated. Unless you are a techie it can be almost impossible to know where you will end up after clicking on a link. If an email message has a link to login to a service, DO NOT click it. Go to the website of the service on your own and login there.
The more urgent the plea for you to take action, the more likely the message is a scam. Bad guys don't want you to have a chance to think
about the issue or check with others.
An email password is more important than many people think. In that light, make sure it is at least 12 characters long and that you do not use the password for anything else. If you use password manager software, do not keep the email password in the password manager. Keep it on paper instead.
When bad guys learn your email password, they are likely to send scam messages to everyone in your address book. So that you see these messages as soon as possible, consider having both your own email address and a secondary one that also belongs to you, in your email address book.
Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phishing" is a scam specifically targeted at you. In a spear phish, the bad guys will have researched you and they use the information about you as the part of the lure in their scam. For example, they might learn who does the money transfers in a company, then pretend to be the boss and order a fake money transfer.
Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.
Secure Email: The only two companies offering this, that I know of, are ProtonMail and Tutanota. Neither company can read your email while it is stored on their servers. Messages sent between their customers are also safe from prying eyes. Email from either company to any other email provider can either be secure or not, but it is a very different type of security. In October 2021, I wrote about this: Using ProtonMail encrypted messages with a normal email account. Both companies offer free limited accounts. Both can be used with software on your computer but webmail lets the browser prove that encryption is being used in transit. Webmail can also be used on a Chromebook running in Guest mode to insure that no trace of your actions is left behind. Episode 149 of the Privacy, Security, & OSINT podcast was on Secure Email with a comparison of ProtonMail and Tutanota. Interesting point in the podcast: you may want to configure each service not to automatically save every email address you correspond with in the your Contacts list.
If you use webmail, you should have a local (on your computer) backup of your contacts/address book. For Gmail, go to contacts.google.com and look for "Export" in the left side vertical column. Google offers three possible formats for the backup file, it can not hurt to make three backups, one in each format. Make a note to do this backup every few months.
An email with a password protected attachment, that has the password in the body of the email message, is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus.
An email that asks you to logon to read an encrypted message is a scam.
REPORTING: Emails that pretend to be from a trusted organization for the purpose of stealing passwords or other personal information can be reported to Cisco PhishTank, SpamCop and the Anti-Phishing Working Group. Registration is required. You can also report any and all SPAM to SpamCop.
Links from Daniel Aleksandersen. Sophos is also willing to accept SPAM and malicious emails on their
Submit a Sample page.
If the scam came from Hotmail or Outlook, report it to abuse@outlook.com. If the scam came from Gmail, then report it to abuse@gmail.com.
If you have an email account with a recovery email address (Gmail does this) you should check every now and then (yearly?) that the recovery email address is still valid. It is used for things like resetting the password.
Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.
There are two big issues with passwords: how to create the dozens that we all need and how to retrieve them after they are created.
It is tempting to avoid both problems by re-using a password. NEVER re-use passwords. This is the most important thing about passwords for two reasons. First, companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites. This is made worse by the fact that so many different websites/companies use an email address as a userid. So, if a re-used password leaks it can open up access to multiple accounts. This article, Credential stuffing explained: How to prevent, detect and defend against it (Lucian Constantin Oct 2019) explains that the automated use of stolen usernames and passwords to access accounts is low risk, high reward for cybercriminals.
There are millions of articles on the best way to deal with passwords. Almost every one of them is wrong. Typically, the author offers the best solution for them, not for you. There is no single approach to the two basic problems (creating and retrieving) that is appropriate for everyone.
Computer techies always recommend a software solution. This is stupid on many levels. There is nothing wrong with storing passwords on paper. Even someone who uses a password
management program, should still store a small number of their passwords on paper.
Another piece of bad advice that is frequently repeated is that random passwords are good. They are not, because they ignore the human factor - they are impossible to remember and hard to type. Specifically, passwords such as "kdnH54#sadweD" and "mkJy$sCFqw" should be avoided in favor of something akin to "99HeavyRedbaseballs" or
"reallyoldLemon$$trees". String together a few words (no mis-spellings needed) and add a number or a special character and use mixed case. Good enough. Typically, the length
of a password is far more important than its randomness.
Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and over valuing
the need for randomness in passwords. They also underestimate the hassle of new software for non techies.
"I was never able to find a way to set people up on a password manager in the time available. Let me be very clear: I would like all people to use a password manager ... But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet."
John Opdenakker is a rare techie willing to admit that password managers are not the best solution for everyone. He writes: "Knowing that many online services give password manager users a hard time, it's not very likely that non tech savvy people will be able to use them ... for a lot of users, like my mum or dad ... I recommended them to use different passwords for their accounts and write them down in a password book."
Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can chose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. And, while I would not use this particular password, it can illustrate a simple formula: start and end every password with the same number, then put a word in the middle surrounded by spaces.
You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked and a formula (above) should produce globally unique passwords fairly easily.
Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper can not be hacked; just be sure to xerox the list every now and then in case you lose it.
Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager for a small number of passwords and its useless on a Chromebook running in Guest mode which is where I do my sensitive transactions.
Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.
If you visit a web page, everyone knows that HTTPS encrypts the content of the page. But that's not the whole story. As this blog by DuckDuckGo points out, parts of the URL are not encrypted. For example, if you visit https:// cancer.mayoclinic.org /isitcontagious.html
the fact that you visited the Mayo Clinic website and were interested in cancer will be visible to anyone watching network data transmissions. However, that you wondered whether cancer was contagious is not visible. In techie terms, everything after the domain name (isitcontagious.html) is encrypted in transit, however the domain name (mayoclinic.org) and sub-domains (cancer) are not encrypted.
The concept of secure websites, indicated by HTTPS or a lock icon, is, in many ways, a scam. The security that people tout refers to a small piece of a large pie. Specifically, it refers to in-flight data; data being transmitted back and forth between your computer and a website. If, while traveling over the Internet, the data/web page is encrypted, then the entire site is said to be secure. Fact is, dozens of things can still leak your sensitive data. Take the just-discussed EV/DV validation of websites. Without real identity verification (EV), you could "securely" send passwords to bad guys. Another scam is that encryption is a binary thing, that it is either on or off. In reality, it is quite complicated. So much so, that there are security rating websites (next topic). Perfect Forward Secrecy (PFS) is another factor, one that is hardly every discussed. Without PFS spy agencies can very likely (no one knows for sure) decrypt the encrypted data traveling over the Internet. Another factor is keeping private encryption keys private. If they leak (its just a string of bits), encrypted data can, again, be decrypted. No one knows how well any website protects its private keys. Then too, many websites continue to support older security/encryption protocols with known flaws (TLS 1.0 and 1.1). And, websites have different sections, each section has its own security profile; one section may be more secure than another. For example, in 2016, I blogged about how www.ssa.gov was secure while secure.ssa.gov was not (since fixed). And, nothing about encryption in transit tells you anything about the strength of the security on the back end (think Facebook storing passwords in plain text) or
whether software running on the back end is being updated with bug fixes (think Equifax), how good their defenses are against attacks, who they share your data with or whether the data is left publicly available to anyone who knows where to look, no attacking needed (this happens a lot). I could go on. Anyone who tells you to trust a website because it is secure, is either un-informed or lying on purpose because it serves their needs.
A great website for evaluating the encryption used by a website is the Qualys SSL Server Test. Ironically, it does not have extended identity protection. Still, it offers both a ton of technical information about encryption and a simple letter grade at the top. I suggest testing your most important sites: banking, email and any website holding your sensitive information. Every site should get either and A or A+. Anything else is a failure. The orange horizontal stripes under the letter grade are security failures. To be thorough, you need to check each section of a website. For example, at the US Social Security Administration, you would check both www.ssa.gov and secure.ssa.gov. To put this in perspective, again, encryption is a small piece of a large pie. Nothing about the strength of the encryption used to send/receive data tells you anything about whether passwords are stored in plain text, or whether bug fixes are applied to the software running the website, or any other aspect of security.
Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully. You don't want
the answer to be anything that someone could either guess or learn about you. In fact, don't even give reasonable answers. If it asks for the name of a person, use the name of a place instead. You never know if the answers are case sensitive or not, so it is safer to only use lower case. In my opinion, it is also safer to avoid spaces and special characters too. Just like passwords, these questions and answers need to be saved somewhere that you can find them later. Nothing wrong with paper and pencil.
Any website that you can access with just a userid/password is not really secure. Stepping up the security requires a second factor/thingie. See the topic on Two Factor Authentication for more.
When someone calls you, you NEVER know who they are. Callerid can be spoofed just like the FROM address in email. With so many companies being hacked and leaking data, the caller may know things that, at first, it seems only a legitimate caller would know. As with email: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.
If anyone calls you, and their story ends with you paying them with a gift card or by wiring money, it is a scam.
When someone calls you, you NEVER know who they are
The more urgent the need to send money, the more likely the call is a scam. Bad guys don't want to give you a chance to think about their made-up situation.
When someone calls you, you NEVER know who they are
18 tips on how not to get scammed when your phone rings by
Ben Rothke in Medium (July 2022). An impressive list. Some highlights: ask a lot of questions, ask to call them back and, if the caller asks you to install software, it is a scam.
In the US, calls claiming to be from the Social Security Administration are a popular scam. That said, the SSA does sometimes call people. In their article, What should I do if I get a call claiming there's a problem with my Social Security number or account?, they say
"If there is a problem, we will mail you a letter. Generally, we will only contact you if you have requested a call or have ongoing business with us. .... We may call you in some situations, but will never threaten you, suspend your SSN or demand immediate payment from you" Social Security numbers do not get suspended. This January 2020 advisory from SSA, explains how they work. Report Social Security impersonation scams to 800-269-0271 or secure.ssa.gov/ipff/home. More: Beware of Calls Saying Your Social Security Number is Suspended (Bleeping Computer April 2019).
In the US, Medicare never calls you.
When someone calls you, you NEVER know who they are
Apple does not call their customers out of the blue. Neither does Microsoft or Windows. Some scammers pretending to be Apple make calls that display an Apple logo, address and their real phone number. More here and here. Contact Apple at
support.apple.com/contact
See the iOS topic, specifically, the sub-section for iOS 13, for two ways to block callers that are not in the address book
One problem with blocking unwanted calls, is that the definition of "unwanted" changes over time. If a loved one is having medical issues, you certainly want anyone involved in their care
to be able to reach you at any time. Other times too, you may want to disable any call blocking you have in place.
Unwanted calls can be reported to the US Government. Probably a waste of time.
In the news: Voice Phishers Targeting Corporate VPNs by Brian Krebs (Aug. 2020). The headline is wrong it is not voice phishing, just normal scams targeting employees of large corporations. In large part these scams depend on fake corporate websites, so understanding the rules for domain names (above) is a critical defense.
Router: I have a whole website devoted to Router Security. At the least, try to make the eight router configuration changes in the short list on the home page.
When it comes to making router changes, the first step, logging into the router, is likely to be the hardest. To make this easier, I suggest writing down the necessary info (router IP address or vendor-supplied name, router userid, router password) on a piece of paper and taping it to the router face down. Maybe include Wi-Fi passwords on the paper too.
Networking equipment (router or combination modem/router) provided by Internet Service Providers is typically insecure and low quality. Anything you buy at retail is likely to be more secure. It may also be cheaper in the long run and makes you a lesser target (a million people are not using the same router model).
Ethernet is more secure than Wi-Fi, so whenever possible connect via Ethernet for sensitive work. It's also faster. USB to Ethernet adapters cost about $15.
Use a Guest Wi-Fi network both for visiting humans and for IoT devices. Better yet, if your router supports it, use VLANs to further segregate devices (requires a techie). More here.
At this point, it is common knowledge that Wi-Fi encryption should use WPA2 rather than the ancient WPA or WEP. If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer. More here.
All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since
all three companies send some recordings to contractors, to help improve the system, strangers may hear your embarrassing conversations. Tony Soprano would not have allowed Siri in his home.
Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of
Alexa recordings. Initially, Apple lost at this privacy game, they did not have any way to opt out. In early Aug 2019 they took their first step and did more in iOS 13.2.
Disaster: Alexa and Google Home abused to eavesdrop and phish passwords by Dan Goodin October 2019. Everyone's worst fear came true. Malicious apps were developed that listened all the time. Wake word? We don't need no [expletive] wake word. Germany's Security Research Labs developed the apps and they passed the Amazon and Google security-vetting process. Some of the apps logged all conversations within earshot of the device and sent a copy to the app developer. Others mimicked the voice used by Alexa and Google Home to falsely claim a device update was available and prompted the victim user for a password to enable the update. Yikes. More: Malicious Apps on Alexa or Google Home Can Spy or Steal Passwords by Ionut Ilascu Oct. 2019.
Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.
Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.
Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.
Researchers examined 90,000 Alexa Skills. Only a fraction have a privacy policy. When you ask Alexa a question, you have no idea where the answer comes from. Want to research a skill? It is easy for an attacker to impersonate any well-known manufacturer or service provider. Yes, Amazon certifies skills before they get published, but, the skill can change how it behaves at any time. From Why would you ever trust Amazon's Alexa after this? by Chris Matyszczyk for ZDNet (Feb 2021).
Amazon has policies for skills published in the Alexa Skills Store. But, they are not enforced. In an academic study that lasted a full year, researchers created 234 skills that all violated a policy.
They all got approved. From Academics smuggle 234 policy-violating skills on the Alexa
Skills Store by Catalin Cimpanu for ZDNet (July 2020). They also identified 52 problematic skills already available on the Alexa store, all targeted at children.
Alex initial configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured, there is no need for this, skip it.
Alexa Defenses in the Settings of the Alexa app:
Amazon Sidewalk started rolling out in Nov. 2020. It is on by default. To turn if off from the Alexa app: -> More tab (at the bottom) -> Settings -> Account Settings -> Amazon Sidewalk. Toggle off the Enabled button
Turn off voice purchasing: Menu -> Settings -> Alexa Account -> Voice Purchasing. If you want to use Voice Purchasing then perhaps disable one-click payments. Or, set a spoken pin to stop anyone else from shopping using your account.
Settings -> Alexa Privacy -> "Manage How Your Data Improves Alexa". This may have changed to "Manage Your Alexa Data". There are two options to prevent humans from
listening to your recordings.
Settings -> Alexa Privacy -> Review Voice History. Enable the deletion by voice option. Then delete saved recordings. After enabling this option, you can say "Alexa, delete everything I said today" or "Delete what I just said"
Settings -> Alexa Privacy -> Manage Skill Permissions. Control which, if any, skills should have access to your name, your location, your street address, etc.
Notifications -> Amazon shopping. Turn off "Receive personalized recommendations and deals based on your shopping activity." if you don't want Alexa to nag you to buy stuff. Maybe also disable "requests to rate products you’ve purchased" and "Order Updates (Inc. Subscribe & Save)"
APPLE (Siri, Apple Watch and HomePod smart speakers)
If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".
Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings. To disable Siri: Settings > Siri & Search -> Turn off both the Listen and Press Button options. To disable dictations: Settings -> General -> Keyboard -> turn off Enable Dictation.
This process will change.
Defense added in iOS 13.2: When upgrading to 13.2, which was released at the end of Oct. 2019, users see a pop-up message offering the ability to opt-out of having their voice commands stored and saved. It is called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements" where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History" and an option to stop sharing voice recording with Apple. Also in Settings -> Siri, you can tell Apple to delete all the Siri voice recordings that it has stored.
GOOGLE ASSISTANT
Again from Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com /activitycontrols/audio. Look to Pause recordings. This How-ToGeek article adds instructions for deleting the previously saved recordings.
The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)
Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.
To delete Google Assistant voice recordings, start at myaccount.google.com /intro/activitycontrols. Scroll to "Voice & Audio Activity" where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "Delete what I said on [date]" or "Delete my last conversation". This only works for the last 7 days.
You can use the Voice Match function to insure your personal results are only available to you. See how.
MICROSOFT: SKYPE, CORTANA and XBOX
In Aug. 2019, Joseph Cox of Motherboard revealed that"Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.
General Defense: I own a smart speaker and it is powered off 99% of the time. When I want to use it, I plug it in and wait 30 seconds for it to start up.
Future: At some point, the US Government may force one of these companies to let it listen in on a target 24x7. If that happens, would you be surprised?
It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.
Android Defense: Turn off Ad Personalization and periodically reset the Android advertising ID. On Android 7, 8, 9, 10, and 12 both options are at: Settings -> Google -> Ads. On Android 12 you can go further and delete the Advertising ID at: Settings -> Privacy -> Ads -> Delete advertising ID.
Android Defense: At Settings -> Google. Google Account is the master list of everything Google. In Networking, maybe disable the Wi-Fi assistant. Check Nearby to see if any apps are sharing data. In Search, Assistant & Voice: Under General, look at Recent pages, Discover and Personal results. Under Voice, consider not allowing Bluetooth requests with the device locked (may be called Bluetooth headset). Also review Google Assistant.
Things are bad: Android, iOS beam telemetry to Google, Apple even when you tell them not to – study by
Thomas Claburn for The Register (April 2021). According to an academic study, Android and iOS phones transmit telemetry back to Google and Apple, even when users have chosen not to send analytics data. iPhones even rat out your LAN buddies when using Wi-Fi. They phone home the MAC addresses of other devices on a LAN. Yikes. Apple said nothing when pressed for comment. The defense is to use VLANs.
Things are bad: iPhone Privacy Is Broken…and Apps Are to Blame by Joanna Stern in the Wall Street Journal (May 2019). Most apps are tracking you in ways you cannot avoid. Privacy controls are a scam. Interesting tidbit: paid apps spied the same as their free siblings. Defense: Privacy Pro SmartVPN from Disconnect.
Things are bad: In a tweet thread Robert G. Reeve explains how, after spending a week with his mother, he is seeing ads for her brand of toothpaste. (May 2021)
iOS Defense: The above two articles both suggested partial defenses: Disable "Background App Refresh" (Settings -> General) and Enable "Limit Ad Tracking" (Settings -> Privacy -> Advertising). While there, I would also suggest clicking on Reset Advertising Identifier.
iOS Defenses: From 7 iPhone privacy settings you should enable now (Jack Morse June 2019). Review apps that have Camera (Settings -> Privacy -> Camera) and Microphone (Settings -> Privacy -> Microphone) access. Maybe turn Live Photos off. Turn off lock screen message previews (Settings -> Notifications -> Messages -> Show Previews). Reset your Advertising Identifier (Settings -> Privacy -> Advertising). Use a long (up to 9 digits) voicemail password (Settings -> Phone -> Change Voicemail Password).
Stop Apple from spying on you. Details are in the iOS topic. As of iOS14: Settings -> Privacy -> Analytics & Improvements. While there, take a look at the Analytics Data.
Things are bad: Perhaps the most damning article: I spy: How Android phones keep tabs on our every move (March 2019) is about the security hole that are the pre-installed Android apps. Based on an academic study that analyzed 1,742 phones from 214 manufacturers. 91% of the pre-installed apps are not in the Google Play store. No defense offered.
Defense: Some VPNs can block tracking and/or ads. For more, see the VPN topic.
iOS Defense: What should be a great defense against apps and web pages that track iOS users is the Guardian Mobile Firewall from Sudo Security. I say "should" because the app is new, it was released Aug. 1, 2019. Terminology, however, is being abused. It is not a firewall. It is a VPN that does tracker blocking. The VPN part is free, tracker blocking is $100/year or $10/month. It does not block ads and it does not offer a whitelist or blacklist that you can manually update. Everything points to the people behind the app being trustworthy. Read more from Glenn Fleishman (March 2019) Lily Hay Newman (July 2019) and Sudo Security (June 2019) and me (August 2019).
Things are bad on Android: Thousands of Android Apps Break Google's Privacy Rules by Paul Wagenseil Feb. 2019. Researchers examined 24,000 Android apps and found that 70 percent were breaking the rules by sending out permanent IDs that ad networks can use to track you. The researchers notified Google of the policy violations and got no response.
More bad on Android: TikTok Tracked User Data Using Tactic Banned by Google from The Wall Street Journal (Aug 2020). The article is about TikTok but that one app is not important. What is important, is that the app was able to learn the MAC address of an Android device even though Google had tried to prevent apps from doing so. Google's first attempt at blocking access to the MAC address was not foolproof and when told about this, Google did nothing to improve their blocking.
My Defense: Use a phone and a tablet. Let most of the spying happen on the tablet, keeping the phone relatively clean. Each should use a different account be it an Apple or Google Apple account. The tablet account should use a throw-away email address. The phone should, as much as possible, be limited to apps needed while traveling. The tablet can have everything. For example, I will not install the MLB (baseball) app on my phone as it wants way too many permissions.
Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.
IOS CONTROL CENTER SCAM
iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.
In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.
Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".
ULTRA WIDE BAND (UWB)
Intro: While Wi-Fi and Bluetooth were designed to transfer data, UWB lets devices locate themselves in three dimensions. UWB radios are in newer (as of Jan. 2022) Android phones from Google, Samsung and others. On the Apple, side, it was introduced with the iPhone 11 (2019) and Apple watch Series 6 (2020). Perhaps the biggest use of UWB so far, is in Apple AirTags and AirDrop.
Pixel 6 Pro: The Pixel 6 Pro now lets you disable a wireless tech you hardly need by Jay Bonggolto (Jan 2022). Starting Dec. 2021, you can turn UWB on and off if you have a Pixel 6 Pro. Other phones? It does not say. UWB is used by Nearby Share and a digital car key feature. The article does not say if this applies to Android 11 or 12 or both. Settings -> Connected Devices -> Connection preferences. And how nice of Google to add a feature that could not be turned off.
iPhone 11: From What Is Ultra Wideband, and Why Is It In the iPhone 11? by Chris Hoffman Sept. 2019. iOS 13.1 on the iPhone 11 has a new Ultra Wideband radio. It is the first smartphone to offer UWB which only works over a short distance, shorter than Bluetooth. UWB allows an iPhone to precisely detect where objects are in physical space. AirDrop will suggest sharing with other iPhones that you point at. Longer term, it could be used to locate lost objects. Can you turn it off? Don't know.
ANDROID SCAN EVEN WITH BLUETOOTH OFF
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.
Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.
ANDROID SCAN EVEN WITH WIFI OFF
Android 12: Search settings for "Wifi scanning". Text says "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services". See a screen shot of the setting and a warning about it from Android itself. Warning: turning off this option does not stick. That is, when you do something (I don't know what) it turns itself back on and Android is again scanning WiFi networks when Wi-Fi seems to be off, but is not.
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.
Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".
ANDROID WIFI AND OPEN NETWORKS
Google wants you on-line even if it means using an insecure Open Wi-Fi network. To that end, Android might automatically connect to an open network, or, notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon -> are two relevant optons: Network Notification and Use open Wi-Fi automatically. Disable each.
ANDROID WIFI AUTO-CONNECT
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"
NFC (Near Field Communication) is yet another wireless option for sharing data, but only between devices that are two inches apart.
On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC. Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The bug was fixed in October 2019 but so few Android devices will get the fix. If NFC is needed, you can leave it enabled, just be sure to disable NFC file beaming as explained in the article.
On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.
Wi-Fi Direct allows two Wi-Fi devices to directly communicate without a router in the middle.
It is popular on HP printers and some smart TVs as I always see some of each, when scanning from an Android device. HP printers create SSIDs like "DIRECT-xx-HP OfficeJet 4650" Sony TVs create SSIDs like "Direct-xx-BRAVIA". Wi-Fi Direct is also enabled on Roku Express devices. Background: What is Wi-Fi Direct? (June 2019).
Android: I have checked a few Android devices and they all enable Wi-Fi direct without a way to disable it. It seems, however, that Wi-Fi direct scanning does not happen until you ask for it.
Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Advanced -> Wi-Fi Direct
Android 8.1: Settings -> Connections -> Wi-Fi -> Wi-Fi Direct
Android 8.1: Settings -> Network and Internet -> WLAN -> WLAN Preferences -> Advanced -> WLAN Direct
Android 7.0: Settings -> Wi-Fi -> Advanced -> Wi-Fi Direct
October 24, 2019: Wi-Fi Direct just became a very big
deal. A bug in the Wi-Fi Direct driver from Realtek (RTLWIFI) lets bad guys crash or hack a Linux/Android device that has Wi-Fi enabled; even if the device is not connected to any Wi-Fi network. The bug is specific to Wi-Fi Direct but since Android users can not disable Wi-Fi Direct, Android devices are vulnerable whenever Wi-Fi is enabled. Many Android devices will never be patched.
iOS: iOS has supported Wi-Fi Direct since version 7. It is part of AirDrop, Airplay and AirPrint.
iOS 12: There are no settings for Wi-Fi Direct. When I scanned for nearby Wi-Fi networks, none of the Wi-Fi Direct networks that I could see from Android showed up. When I tried to print a web page, Safari found no AirPrint enabled printers. Perhaps because of the way my iOS device was configured? Don't know.
AirDrop on iOS is used for easily sharing files between iOS devices. It is configured at: Settings -> General -> AirDrop. The safest option is to disable it ("Receiving Off"). The most dangerous option is enable anyone in the world to send you files ("Everyone"). The third option only lets people in your Contacts send you files via AirDrop ("Contacts Only"). I suggest leaving it off and only enabling it when needed. In July 2021 an airplane was delayed for hours when a teenager used AirDrop to send passengers a picture of a gun.
AirDrop uses both Bluetooth and Wi-Fi. Bluetooth is used to find sharing partners and Wi-Fi, because it's faster, is used to transfer large files. The Wi-Fi is a form of Wi-Fi Direct, thus the two Apple devices do not have to be on the same Wi-Fi network to exchange data. In fact, they don't have to be connected to any Wi-Fi network or to the Internet. See a
How To. WARNING: With Wi-Fi and Bluetooth off, if you enable AirDrop, it turns on both of them without notification. See The feature Apple needs to change in AirDrop (April 2019) and When Grown-Ups Get Caught in Teens' AirDrop Crossfire (June 2019).
Bluetooth on iOS: It was previously known that Bluetooth allowed anyone nearby to learn the current status of the device, device name, Wi-Fi status, iOS version and more. In July 2019 it was revealed that Bluetooth can leak the phone number when using AirDrop or sharing Wi-Fi passwords. The leaking of phone numbers has been observed in iOS 10, 11, 12 and the beta of 13. You can disable AirDrop but have to remember not to share Wi-Fi passwords. More here and here and here.
One of the Privacy Settings in iOS v12 is Bluetooth Sharing. Apps that are enabled for Bluetooth Sharing can share data even when you are not using them.
Android Direct Share: Description: "Share content with specific people directly from the sharing panel in any app. The Direct Share icons will appear at the top of the sharing panel if an app supports this function." Find it on Android 8.1 with: Settings -> Advanced Features. Not sure if this uses Bluetooth, Wi-Fi or what.
iOS 13: has a new "Find My" feature. When an Apple device is offline and sleeping, it sends out a secure (says Apple) Bluetooth beacon that can be detected by any nearby Apple device. These nearby devices (even those that are not yours) phone home to Apple to help you find a lost device. I have read that the Bluetooth beacons are even sent in Airplane mode. Not sure yet how to defend against this (turn off Bluetooth?) or if we even need to defend against it. Too new as of June 8, 2019.
There have been many bugs and data leaks involving Bluetooth, so its best to turn on it when needed, then turn it off when done. Be aware though, as I describe here in the
Mobile Scanning and Sharing section, that both iOS and Android may not turn off Bluetooth when you think its off. Another reason to have it off:
If you leave a laptop, tablet or phone in a car, bad guys can scan for cars with Bluetooth devices in them as per: Thieves Are Using Bluetooth to Target Vehicle Break-Ins by Wes Siler (Dec 2019).
Bluetooth devices have names and the names may identify the device which is not a good thing to do in public. Give your Bluetooth devices names that do not identify them or you to people nearby. how you do this will be different on different devices.
Android 12 on a Pixel phone: Settings -> Connected Devices -> Connection preferences -> Bluetooth -> Device name. Bluetooth must be on to do this.
Android 10 on Pixel phone: same as above
iOS 15.6 on iPad: Settings -> General -> About -> Name
Below are some articles about the many bugs in Bluetooth.
Sept 2020: Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw by
Catalin Cimpanu for ZDNet. The BLESA (Bluetooth Low Energy Spoofing Attack) vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. It turns out that the official BLE specification did not contain strong-enough language to describe the reconnection process. When previously connected devices, re-connect, they are supposed to re-authenticate but the re-authentication was optional, not mandatory. Many devices, such as Android and IoT will never be patched. iOS and Windows devices are not vulnerable.
Sept 2020: Bluetooth Unveils Its Latest Security Issue, With No Security Solution by Shoshana Wodinsky in Gizmodo. The bug is called BLURtooth and there is no patch. When a mobile device links to a Bluetooth-powered device, such as speakers, the connection can be hijacked to give an attacker access to any bluetooth-powered app or service on the phone.
The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).
Do not use Windows. Windows is a cesspool of hacking, ransomware, bugs and vulnerabilities. Has been for decades. With Windows 8 Microsoft lost all credibility. With Windows 10 Microsoft spies on you and has taken control over the installation of bug fixes. And, the quality of the bug fixes to Windows 10 is disgraceful, sometimes causing more problems than they solve. There is no Windows topic here because the best defense is avoiding it.
Leo Laporte, aka, the Tech Guy is a bona fide techie. For years, he used all three desktop OSs (Windows, macOS, Linux) and now, he also uses Chromebooks. He has always fairly judged the pros and cons of each operating system. But, as of March 2020, he has given up on Windows. Too many bugs, flaws and problems. In discussing a Windows bug on the March 24, 2020 episode of the Security Now podcast he said "I swear to god, I don't run Windows on any machines anymore. It's just ridiculous."
Windows 10 makes it clear that the corporate mind set at Microsoft has changed - they view Windows 10 as their computer, not yours. It is crammed full of junky software that very few people care about, much of which can not be removed. And, even the removal is a scam, as the crapware comes back if you logon with a different userid. Likewise, the spying (aka telemetry, customization) can only be partially disabled. Home edition users are forced to beta test bug fixes and even Professional edition users have limited options for delaying or preventing the installation of bug fixes. Microsoft know whats best for you and its bug fixes all the time. Only the largest of corporations can fully opt out of the spying, junky software and forced "updates" in Windows 10. How? Microsoft has a clean version of Windows 10 called LTSC (or LTSB) that the public can not get. See a screen shot of the difference.
Then too, there is incompetence. Examples abound. Consider the monthly bug fixes for Windows that were released in April 2019. As documented by Woody Leonhard,
nine different Windows patches conflicted with four different antivirus products, leading to multiple problems. Quoting Woody: "...whoever made the decision to release the six (now nine) problematic Windows patches either: Didn't know they'd wreak havoc on millions of computers, or Didn't care. You can choose which one's worse."
If you do use Windows, use portable software when available. A great source is PortableApps.com. Portable software is harder for malware to find and corrupt and, most importantly, can be easily backed up. Normal Windows apps can not be backed up because they, and their dependencies, are scattered all over.
I agree with the commonly held belief that an Apple Mac computer (macOS) is safer than Windows. However, it is slightly safer, not drastically safer. Both are ancient and the world has changed dramatically since they were designed. On the hardware side, Apple fans have been critical of the hardware in their laptops for many years, especially the keyboards. For more, see the macOS topic.
Start using a Chromebook. Chromebooks are laptop computers that are drastically safer than Windows and macOS. Their operating system, ChromeOS, is the newest available system and thus the most advanced. It was designed, by Google, with security in mind. There are no viruses on a Chromebook. In addition to security, Chromebooks are extremely reliable. In what is virtually a revolution in computing, Chromebooks require no care and feeding on your part. They self-update quickly and quietly. They don't ask you or even tell you about bug fixes. The just do it. Thus, end users (you) can not screw them up. Chromebooks are not for everyone and not for every purpose. They are perfect for kids, seniors and non techies. Chromebooks are the home office of Defensive Computing. You normally use a Google account to logon to a Chromebook, but there is also a Guest mode that anyone can use without logging on.
---------ADDITIONAL CHROMEBOOK INFO-----------
Guest mode starts and ends with a totally clean version of ChromeOS. That is, when Guest mode starts, there is no visible history of anything. Factory fresh if you will. When Guest mode ends, all activity is removed. Downloaded files, for example, are deleted. It's as if it never happened. Guest mode uses the Chrome browser, but without extensions. You can't even install an extension in Guest mode. It is the most secure environment available to non techies. It is perfect for online banking, opening suspicious email attachments and avoiding any and all website tracking.
Originally, Chromebooks just ran the Chrome web browser (simplifying a bit). Later, Google added the ability to run Android apps, and, just recently, added Linux apps too. With an Android based emulator app, some Windows programs can also run on a Chromebook (requires an Intel CPU). Guest mode does not run Android, Linux or Windows apps, just the Chrome browser native to ChromeOS.
Every computer company that makes Windows laptops, also makes Chromebooks. Most, but not all models have a touch screen. I suggest going for a touch screen. Models touted as 2-in-1 have a screen that can rotate fully around, letting them function as tablets too. Low end models start around $200. Mainstream models top out around $500 but there are some models that go up to $1,000.
Chromebooks are your best defense against malicious USB flash drives. See the Extra Credit section for more on this.
Google is up-front about how long a Chromebook will get software updates. Details for individual Chromebook models are in their Auto Update policy document. The latest models can get support for six years. For example, in June 2019, it showed the Acer Chromebook Spin 311 (R721T) would get updates until June 2025.
Chromebooks have a full range of remote control options where they are the controller. This might be used to give a Chromebook access to software that runs on another operating system. However, options are limited for the Chromebook being controlled remotely. The only option for full remote control that I know of is the Chrome Remote Desktop extension from Google. To me, it is a pain to setup and use. There is a Team Viewer Quick Start app for Android that, once its installed, is very simple to use. It gives view-only access to the entire Chromebook (not just to the Android side) to a remote person.
Linux: Linux on a desktop/laptop computer is relatively safe. Whether it is inherently more secure than Windows or MacOS is debatable. OS expert Daniel Micay
tweeted "The Linux kernel uses a fundamentally insecure architecture, insecure tools, and has a development culture treating correctness and especially security as an afterthought. It ultimately needs to replaced..." (Oct 2019). Either way, it is a lesser target which makes it more secure. In addition, Windows and macOS want to spy on your activity in ways that Linux does not. Typically, however, it is not a realistic option. Few computers ship with Linux pre-installed and installing it is too difficult for non-techies. Also, where does a non techie go with their inevitable Linux questions and problems? And, the many distributions (flavors of Linux) and package managers makes it even harder to get help. That said, for help picking a distro see Why I Switched From Ubuntu to Manjaro Linux by Dave McKay (Aug 2019).
As for hardware, ZaReason and System76 offer both laptops and desktops with Linux pre-installed.
At System76 the desktops and laptops both start at $1,000, but they also offer a micro sized computer with their Pop!_OS Linux starting at $520.
Purism, Star Labs and
Think Penguin make just laptops. In June 2022, HP released their DEV ONE laptop with Pop!_OS pre-installed for $1,100 (more). LAC Portland offered current Lenovo Thinkpads for those of us addicted to their keyboards. I say "offered" because as of June 2022 everything was out of stock. As for pricing, Linux laptops are often on the high side. For example, the Librem 13 laptop starts at $1,400. One exception is Pine64 which started taking orders for their $200 PineBook Pro laptop in July 2019. See reviews here and here and here. Since then, it has often been out of stock. As of early June 2022, Pine64 was planning on offering the Pinebook Pro at the end of June for $220. The Ministry of Freedom in England offers cheap, but older Lenovo laptops.
On both Windows and macOS, it is safer to logon to the computer as a restricted (a.k.a. limited, standard) user rather than an unrestricted (i.e. administrator, admin or root) user. In each system, restricted users are limited in the changes they can make to the system without approval from an unrestricted user. This limits the damage that malicious software, that makes its way onto your computer can do. Any computer with a single userid is just asking for trouble. On a new Windows or macOS computer, consider creating two users based on your first name: MichaelAdmin and MichaelRestricted, for example. On an existing computer, create a new admin user, logon to it and then modify the existing userid to be restricted. This does not apply on a Chromebook.
FYI: We can see the progression of Operating Systems in how they handle software updates. On ChromeOS all software is updated automatically. It is king of the hill in this regard. On Android and iOS, the apps can update automatically, but not the OS itself. On Windows, macOS and Linux, it's chaos.
ENCRYPTION
For encrypting files on a computer running Windows, Mac OSX or Linux, I suggest using VeraCrypt. The software is free and open source. It offers an advanced mode that encrypts entire hard drive partitions, but most people should use the simple mode which creates a single large password-protected file. You then store your sensitive files inside this file. On Windows, you get access to this big file by "mounting" it, which is nerd lingo for assigning it to a drive letter. I have not used it on Linux or Mac OSX. VeraCrypt is a version of the discontinued TrueCrypt software. See Wikipedia for more.
Top of the line encryption, is end-to-end. It is offered by some messaging apps and by some cloud file storage services. Pretty much everyone and everything offers encryption in transit. File storage systems like Microsoft OneDrive, Apple iCloud, Dropbox and Google Drive offer encryption in transit and encryption at rest. However, these companies can still read your files. They do not offer end-to-end encryption. Some companies that always use end-to-encryption for file storage are Spider Oak, Tresorit, sync.com and Proton Drive. Backblaze offers it as an option.
One way to evaluate a file storage/backup service is to ask what happens if you lose/forget the password/key? If the answer is that they can not help you, that you have lost access to your data, then the vendor is using end-to-end encryption. For background, see iCloud: Who holds the key? by Matthew Green.
Texting suffers from the same spam, scam and phishing as email. And, just like email, you can not trust the displayed identity of the sender. Caller ID spoofing is easy.
Several mobile service providers allow you to block the sender by forwarding unwanted texts to 7726 (or "SPAM"). More here.
August 2022: Spam Texts Are Surging. Here’s How to Avoid Being Swindled. from the Wall Street Journal. The article mentions two third party apps for blocking malicious text messages: TextKiller (from Robokiller) and Nomorobo. Both require a yearly fee. One uploads your address book, one does not.
In March 2021, we learned of another way for bad guys to get your text messages. In this scheme, voice calls and 4G/LTE data still work. Only text messages are sent to the bad guy. The only way you know this has happened, is when, eventually, you don't get a text message that you were expecting. Bad guys simply fill out a Letter of Authorization form with fake information. From: A Hacker Got All My Texts for $16 by Joseph Cox for Vice and It's time to stop using SMS for anything by Lucky225.
Consider using Libre Office instead of Microsoft Office. It can read/write files in the Office file formats. Libre Office is free, safer and simpler. It runs on Windows, macOS and Linux.
Look at this research and you will never use Word or Excel for anything sensitive. Microsoft Office phones home to sixty different servers. Yes, 60. MS Office & Teams: Network Connection Target Hosts by Helge Klein (March 2021).
When first installing Office 365 decline the option to send Microsoft "optional diagnostic and usage data" as shown here.
If you have sensitive information, be very wary of using Office 365 as described here Newsrooms, let's talk about Office 365 by Martin Shelton (Jan. 2020)
Another installation-time warning from Microsoft says "Office includes experiences that connect to online services ... When you use these experiences, Office collects service diagnostic data. In addition, some of these services analyze your content to deliver suggestions and recommendations. To adjust these privacy settings, go to File > Account > Account Privacy"
Connected Experiences in Office by Microsoft, applies to Office 365 and says Microsoft will " ... use your Office content to provide design recommendations, editing suggestions, data insights, and similar features ... If you'd like to turn these experiences off, go to any Office 365 application ... and go to File > Account > Manage Settings (In Outlook it's under Office Account). There you can disable or enable, either category (or both)".
Office 2016: In Word 2016, I did File -> Account and there was no option at all for Account Privacy. Instead, there was an option to "Sign in to Office". So, what level of spying is employed in this case? I don't know.
Oregon FBI Tech Tuesday: Securing Smart TVs
(Nov 2019). A smart TV is a computer that bad guys might be able to hack into. Many Smart TVs have microphones so that you can shout at them to change the channel. Yet another thing that can be hacked. A number of smart TVs also have built-in cameras. If you can find the camera, but tape over it. Some TVs use the camera for facial recognition so the TV knows who is watching and can suggest programming appropriately. Ugh. Suggested defense: know exactly what features your TV has and how to control those features. Do a net search on the TV model using words like "microphone," "camera" and "privacy."
Also, review security settings.
Smart TVs getting hacked: Watch a Drone Take Over a Nearby Smart TV by Andy Greenberg in Wired (Aug 2019). About hacking into smart TVs that use the internet-connected HbbTV standard. Weaknesses in HbbTV could be combined with vulnerabilities in Samsung smart TVs to gain full remote access to the television sets. This remote access persists even after the TV is turned off.
Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds (Feb 2018). Much ado about nothing. They found flaws in sets from TCL using the Roku TV platform and in Samsung, which uses their own Tizen operating system. Other brands that use the Roku TV platform, are also vulnerable, as are Roku boxes. However, the Roku attack has to come from your home and I have the defense in the
TV watches you topic (first item). The article does not walk you through the defensive configuration. The Samsung attack can only be exploited "if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious web page using that device."
SURGE PROTECTORS
(topic created Nov. 28, 2019) top
When there is too much electricity a surge protector is designed to absorb the overload and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference.
As a rule, you get what you pay for with surge protectors. If you need to protect something very important or very expensive, than spend more for the surge protector.
It is very likely that any surge protector will eventually fail. What then? Some will continue providing un-protected power after they have failed. Others will cut off the power rather than leave you unprotected.
Be sure to look for a surge protector that has a visible indicator of whether it is providing protection or not. Also, a Ground indicator is good to have.
Surge protectors are sold based on Joules which is not the most important criteria. PenLight, a power company in the US, says"Joule ratings can be misleading ... Joule ratings are an unreliable measurement for determining a products surge capacity because there is no test standard. The Joule rating listed on a surge protector’s package is determined using an unknown method by the manufacturer."
What is a surge? There is no one answer, different devices kick in at different levels. The amount of extra electricity that is allowed is referred to as both the let-through voltage and the clamping voltage. The lower the let-through voltage, the better the protection. The lowest (best) UL 1449 rating is 330 volts. You may see devices rated for 400 or 500 volts.
Clamping response time is how quickly the device responds to a surge. Faster is better. Nanoseconds (billionths of a second) are good. Picoseconds (trillionths of a second) are the best.
If you can't get the above specs for any particular surge protector, it might be that the vendor does not want you to know them because they are poor.
If Internet access is important, then, at the least, protect the modem and router with a surge protector. If Internet access is very important, then protect them with a UPS.
Surges are not limited to electrical lines, they can also be carried by telephone lines and cable TV coaxial cables. Some surge protectors also offer protection for cable and telephone lines.
Anyone concerned with being tracked on-line needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on your computer into a unique identifier. Fingerprinting stems from looking at many, seemingly trivial, aspects of your computer and browser and combining that information into a profile/identifier. Most of the time, these profiles turn out to be unique, which lets websites track your behavior without cookies. Some attributes that are examined are: the computer operating system, what time zone are you in, what language your computer is using, how much RAM memory the computer has, the screen height and width in pixels, what web browser you are using, what version of the browser, what fonts are installed, what plug-ins are installed, what audio and video formats are supported by the browser, and much more.
April 3, 2023: Even when using a VPN, there are many ways that a web browser can still spy on you. One way to counter this is to use the Tor browser. However, Tor is brutally slow, so Mullvad just released a new web browser, the Mullvad Browser. Basically, this is the Tor browser but without Tor. The Mullvad Browser can be used with any OS level VPN or even without a VPN at all. Both the Tor and Mullvad browsers have many customizations that avoid fingerprinting, that is, they try to make all users of the software appear to be the same. The Mullvad browser is free and available for Windows, macOS and Linux. There is no Mobile version. It uses the Mullvad DoH DNS service that is available to everyone, not just Mullvad customers. They offer two free DNS services, the default one does not block ads, but this can be changed.
Testing: one website for testing the fingerprinting of a web browser is amiunique.org. As of Nov. 15, 2019 they had collected 1,408,000 fingerprints. By March 12, 2020 it was up to 1,713,000.
Testing: the EFF has offered an online test similar to amiunique.org since 2010. It used to be called Panopticlick but now
it is called Cover Your Tracks. In August 2021, I tried this on Windows. Brave with OpenDNS and no plug-ins did well: "your browser has a randomized fingerprint". Firefox using NextDNS and with uBlock Origin and Privacy Badger installed, failed, it had a unique fingerprint.
Testing: fingerprintjs.com/demo is a demo of how good fingerprinting can be from a company offering it as a service.
ChromeOS Defense: An excellent defense against fingerprinting is a Chromebook in Guest Mode. All Chromebooks of the same model running the same version of ChromeOS should share a fingerprint. Interesting fact: only 0.23% of the devices tested by amiunique.org were Chromebooks.
Tor Browser Defense: The Tor browser has a number of anti-fingerprinting features enabled by default. It runs on Windows, macOS, Android and Linux. Note however that websites will be very slow to load.
Firefox Defense: As of version 72, released in Jan. 2020, fingerprint defense is on by default. The browser blocks third-party requests from companies known to engage in fingerprinting. To verify this, look in Options -> Privacy & Security. To see if it blocked anything on the currently display web page click on the shield to the left of the address bar. See a screen shot from Computerworld and one from
metageek.com (desktop Firefox v73 March 2020).
Brave defense: Brave has two generations of defense. In March 2020 Brave announced their second defensive approach - randomizing fingerprintable values in ways that are imperceptible to humans, but which confuse fingerprints. Quoting: "This approach is fundamentally different from existing fingerprinting defense approaches ... [that] attempt to make all browsers look identical to websites (an impossible goal). Brave's new approach aims to make every browser look completely unique, both between websites and between browsing sessions." They claim this provides the strongest fingerprinting protections of any popular browser. Not sure when it will be released.
Their older defense is the Device Recognition option in the Settings. I found that it worked, see it reporting that it blocked two fingerprint attempts by Ars Technica. I tried both fingerprinting test websites (above) and, on each one, their first generation blocker blocked a fingerprinting attempt.
Defense: Disconnect offers a free browser extension that blocks trackers. Maybe it also blocks fingerprinting. They partnered with Mozilla in providing the Firefox defense.
Unrealistic Defense: Turn off JavaScript in your web browser. Easier said than done. Without JavaScript most websites will break. The only way to even attempt this defense is to use more than one web browser. Disable JavaScript in the one where you need privacy and use another browser when you don't mind being tracked.
No defense: Private browsing mode does not prevent fingerprinting. Neither does a VPN or the Tor network. Blocking cookies also does nothing.
No defense: Chrome, of course, offers no defense. Tracking people is what Google does.
FYI: The deviceinfo.me website shows many of the computer attributes used in fingerprinting.
OS Defense: The Tails operating system might be a defense. It is a version of Linux that runs off a boot CD/DVD/USB flash drive and always uses the Tor network and the Tor browser. Everyone using the same version of Tails will have much in common. However, attributes of the screen will differ. Also, it is a big pain to setup. And, again, the Tor network alone, is no defense.
PROTECTING CHILDREN FROM BAD ADULTS
(topic added Dec 10, 2019) top
This is not a subject I am at all familiar with. Thus, nothing but links and not many at that. Feel free to help me add to this topic.
Just like web pages migrated from insecure HTTP to encrypted HTTPS, so too, DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.
The Test Your DNS Servers page on my RouterSecurity.org website lists many ways to determine what service is providing DNS to both your web browser and your operating system. It also offers an explanation of both old DNS and the new secure DNS.
The DNS Providers page on my RouterSecurity.org website lists some trustworthy DNS providers and the various services they offer.
Android leads the way among operating systems. Version 9, 10, 11 and 12 have a Private DNS feature that uses DoT system-wide. This setting even over-rides DNS from an active VPN. See the Android topic for more. Android versions 4 through 8 can use the Intra app from the Jigsaw division of Google. It installs as a VPN but only to get control of DNS. More. The Quad9 Connect app enables encrypted DNS from Quad9.
As of July 2020, Windows does not support encrypted DNS. Windows 10 will in the future.
Encrypted DNS was added to macOS in version 11 released around October 2020.
iOS 13 does not offer system-wide encrypted DNS The Cloudflare 1.1.1.1 app offers it on iOS 13 but only with their own DNS service which does no blocking. The NextDNS and Adguard apps both offer blocking and encrypted DNS on iOS 13.
iOS 14, released around October 2020, includes system-wide encrypted DNS (DoH) but it is complicated (on Android 9, 10 and 11 it is simple). I suggest reading the instructions for iOS 14 from your preferred DNS provider. There are at least three places within iOS where DNS can be specified. Which ones take precedence? One source is individual apps. Does encrypted DNS specified by an app over-ride competing specifications elsewhere in the system? Which apps do this? I don't know how you can tell. On a system level, DNS can be specified at Settings -> VPN & Network -> DNS. Then too, like any OS, DNS can come from a VPN. iOS also has profiles. NextDNS lets you generate an Apple Configuration Profile. This requires you to have a NextDNS account and it must be downloaded using Safari on the iOS device, which they don't say. With a VPN active, I found that the NextDNS profile was ignored and DNS from the VPN was being used instead. As explained by OpenDNS (DNS Resolver Selection in iOS 14 and macOS 11) its complicated.
Without OS-wide support, you can still configure a browser to use encrypted DNS, at least on desktop OSs.
How to configure web browsers on Windows to use Encrypted DNS (as of March 3, 2021)
Chrome version 87: Settings -> Privacy and security -> Security section -> Use secure DNS
Firefox version 86: Options -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS
Brave version 1.20.108: Settings -> Additional Settings -> Privacy and security -> Security section -> Use secure DNS
Opera version 74.0.3911.160 Settings -> Basic -> System -> Use DNS-over-HTTPS instead of the system’s DNS settings
Edge version 88.0.705.81 was miserable in my tests. To find the setting:
Settings -> Privacy, search, and services -> Security section -> Use secure DNS to specify how to lookup the network address for websites
On Windows 10 Home service pack 2004 with bug fixes as of Feb. 2021, I could not turn this on. The error was "This setting is turned off for managed browsers".
There was nothing managed about the browser. On Windows 10 Pro service pack 2004 with bug fixes as of Nov. 2020, I was able to turn the setting on but when I selected Quad9 as the
DNS provider, it warned "Please verify that this is a valid provider". It also did not support NextDNS. Typical Microsoft.
Vivaldi version 3.6.2165.36 does not support encrypted DNS
I read (but have not verified) that forcing encrypted DNS in a browser can break captive portals
DNS over HTTPS at Github has a list of publicly available DoH servers
Note that encrypted DNS is nice but not great security. Network observers can still see the IP addresses you communicate with and the domain names of secure web sites you visit. Not the full URL, just the domain name. And, it does nothing for HTTP web pages. Both a VPN and Tor hide everything, but, each is end-to-middle encryption,
not end-to-end.
As with VPNs and Tor, you can not hide the fact that you are using encrypted DNS. A network observer can see the initial old style DNS lookup for the encrypted DNS server name.
In the video settings, turn on both the touch-up feature and "Always show video preview dialog when joining a meeting". Note that on a Chromebook, the Zoom PWA does not offer the touch-up feature.
In the early days of Zoom (2020) it changed too quickly for me to keep up with it, so in August 2020, I removed my suggestions. To see the suggestions as they existed on May 5, 2020 click this button:
All the ways Slack (and your boss) tracks you and how to stop it by Matt Burgess for Wired (October 2020). By default, Slack never deletes your messages or files. The biggest risk for many people is bad passwords and the lack of two-factor authentication. Private channels and DMs could be revealed during a legal case or other type of investigation. When adding a new person to a Slack channel they are able to see past messages and files, including any gossip about them.
7 Slack privacy settings you should enable now by Jack Morse in Mashable (July 2019). In the paid version of Slack, the article explains how to tell if your boss can read your direct messages. How to tweak the retention settings on your direct messages. The Chrome browser extension Shhlack, can encrypt messages. Use Signal instead for real privacy. Some Slack accounts track edits and maintain records of the messages before they were edited.
What if All Your Slack Chats Were Leaked? by Gennie Gebhart in NY Times (July 2019). No defense, just things to be aware of. "Slack stores everything you do on its platform by default - your username and password, every message you've sent, every lunch you’ve planned ... That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers ... can break in and steal it." On the free Slack service, all messages are kept forever.
How to Use Ring's New Control Center for Better Privacy and Security by Daniel Wroclawski of Consumer Reports (Jan 2020). To get to the new dashboard in the app, tap the menu button at the top-left, then Control Center. It includes some new privacy controls and needs to reviewed periodically.
We Tested Ring's Security. It's Awful by Joseph Cox for Vice (Dec 2019). Great article about many things Ring could do to improve security. Read this before making a decision on trusting Ring. Some take-aways: change the password (even if its unique), add two factor authentication (everyone suggests this) and at initial setup give it a phony address and phone number (my idea, not tested).
We're not rescinding our recommendation of Ring’s cameras. Here's why by Mike Prospero for Toms Guide (Dec 2019). Suggested defense: Don’t share video or incident reports with the Neighbors app because it might let others learn where you live. And be aware that sharing video with a law enforcement agency will tell them your name and address and the video might be shared with other agencies.
Ring Neighbors Is the Best and Worst Neighborhood Watch App by the Wirecutter (Sept 2019). From the article: There are no federal privacy regulations regarding home security cameras. Ring's privacy policy states that the company may supply video footage without notice based on "requests by government agencies" and "reasonable government request." A review of the privacy policies for Ring and Neighbors found a number of clauses that felt dicey such as the right to collect contact information, details about your Wi-Fi network, connections to third-party services and more.
How to Avoid Being Scammed by Fake Job Ads by Cezary Podkul for Pro Publica (Oct 2021).
Phony job advertisements are proliferating, often as part of identity-theft schemes. The article has 10 tips. Tip 3: Be wary of job ads touting the need to verify your identity at the outset. Tip 4: Take the text of the job ad and put it in Google.
Know that job boards do not validate that the person posting a job is actually affiliated with the company.
An excellent scam/noscam indicator is whether you deal with someone who gives you a Gmail account or someone using the actual company domain. That said, this requires an understanding of the rules for Domain Names (topic number 2 above) so you don't get tricked into thinking michael@exxonjobs.com is the same as michael@exxon.com.
Keeping a laptop battery fully charged at all times shortens its lifespan. Batteries last the longest when operating between 30 and 80 percent charged. A laptop that is plugged in all the time, should be set to never charge over 80 percent. In the best case, the battery should normally be charged somewhere in the 30-80 percent range and, when you expect to need it, then charge it up to 100%.
September 22, 2023: How to turn on 80% charging limit on the iPhone 15 to save battery health by June Wan for ZDNet. Finally finally finally, some iPhones get a feature that laptops (Lenovo at least) have had for years and years. To extend the life span of the battery, you can limit it to an 80% charge. This is only available on an iPhone 15. Settings -> Battery tab -> Battery Health & Charging -> Charging Optimization. The option is "80% Limit".
What to do with a swollen battery by Sam Goldheart and others for iFixit. Undated. Very long article. Removal and disposal of a swollen battery can be dangerous, but leaving a swollen battery inside a device can also cause serious harm. Read all warnings carefully and proceed at your own risk. All batteries are hazardous waste and must be disposed of properly.
Laptop batteries can swell in size. A swollen battery should be replaced and kept cool. I would contact the hardware manufacture for specific instructions. See the Dell Swollen Battery Information and Guidance.
Scammers love to trick people into sending them money on a gift card.
An excellent article from the FTC: Gift Card Scams. May 2021. It says to report the scam at
ReportFraud.ftc.gov. Report it even if you did not pay. There is also a link to report to your state attorney general. If you lost money to a gift card scam, they suggest reporting it to local law enforcement. Alternate link
A drug store put up a warning side right in front of their gift cards. A picture of this was tweeted by @dotornot2 May 17, 2022.
No tech company will call you about a problem, any problem
If you get a phone call and callerid says it is from a tech company, the callerid has been faked
The warning on your computer about a virus or malware is almost definitely a scam
If the warning has a phone number to call, it is definitely a scam
Any situation that requires you to install software is a scam
Every attempt to access your computer is malicious
The safest computer for non technical people is a Chromebook. Right off the bat, it offers immunity from scammers calling and claiming to be from Microsoft, Windows or Apple. Most likely the bad guys do not have scripts, yet, that target Chrome OS users. Then too, a Chromebook requires no ongoing care and feeding making it a perfect fit for non technical people.
Web3 is Going Just Great website by Molly White where she documents cases of crypto malfeasance.
More from Molly: The Blockchain collection articles about blockchains. Started Jan. 2022. These
articles require an understanding of concepts such as the blockchain, cryptocurrencies, and NFTs. For that, she suggests her Glossary
Protecting Yourself from Identity Theft by Bruce Schneier May 2019. No good news here. Quoting: "there's nothing we can do to protect our data from being stolen by cybercriminals and others." True, but nonetheless, an easy out for anyone too lazy to do the things suggested here.
How to Securely Get Rid of Your Devices by Lucian Constantin for Vice. Nov 2018. Covers phones, laptops, hard drives, SSDs. In some cases, data can not be securely wiped.
Speaking of reading, be aware that much, if not most, of the security and privacy advice offered in the main stream media is wrong. They hire reporters, not nerds. The New York Times, in particular offers sub-optimal computing advice.
All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.
Website Average Daily Page Views: August 2023: 558
See the
website change log
2023: Jan 724 | Feb 853 | March 782 | April 694 | May 618 | June 617 | July 497 2022: Jan 368 | Feb 315 | March 320 | April 328 | May 367 | June 379 | July 685 | Aug 1,568 | Sept 671 | Oct 664 | Nov 901 | Dec 1,222 2021: Jan 337 | Feb 377 | March 332 | April 246 | May 282 | June 227 | July 214 | Aug 275 | Sept 290 | Oct 315
| Nov 411 | Dec 293 2020: Jan 212 | Feb 377 | March 303 | April 296 | May 317 | June 267 | July 258 | Aug 282 | Sept 279 | Oct 333 |
Nov 318 | Dec 332 2019: . . . . . . . . . . . . .
. . . . . . .
. . . . . . Aug 176 | Sept 178 |
Oct 194 | Nov 180 | Dec 200
