A Defensive Computing Checklist by Michael HorowitzLast Updated: July 8, 2020
This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete as that list would never end. I tried to limit this to the most important issues, still its long (25,000 words).
There is a bit of "Ball Four" here. Back in the 1970s, Jim Bouton's book told the inside story about what it was like to be a major league baseball player
and about the players themselves. He offered a new perspective on baseball. People need a new perspective on computing. Much of the advice offered by
techies is flatly wrong. They mean well but are either mis-informed or merely parroting back an accepted principal.
Some of the advice is right for other techies, but wrong for the general public. Perhaps the most famous advice that turned out to be wrong, was
the suggestion to periodically change your passwords. Ugh. Then too, we had "Use Tor, Use Signal." Ouch.
The other source of advice, the main stream media, is also frequently wrong both by commission and by omission. Far too many articles are written by Art History majors covering tech this year, after covering some other beat previously and before they move on to yet another area. Very few main stream media stories (I'm looking at you WaPo and NY Times) are written by actual nerds. They don't even seem to be reviewed by qualified nerds. Case in point from July 2019: A report came out about web browser extensions that spy on you. This triggered long articles in the Washington Post and Ars Technica. Neither article suggested using a Chromebook, where Guest mode does not allow any extensions.
Why trust me? I am a long time independent techie (About Me) with nothing to sell.
This site will never be popular. The state of things in 2019 is that screaming THINGS ARE BAD! THINGS ARE BAD! gets attention. Offering people dull
boring errands to protect themselves gets no attention.
If you find any of this too advanced or too mired in buzzwords, please let me know (see bottom of page).
Some parts of this page are not displayed until you click a button. To see everything (for printing or searching), CLICK HERE.
You are seeing the entire page.
Many times, perhaps most of the time, the first step in a company getting hacked is an email message. That's why this is the first topic.
You never know who sent an email message, so think carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Techies can look at the hidden email headers to get an idea who really sent a given message, but this is not a skill taught in nerd school. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message.
In light of the above, we might be tempted to trust that an email was legit, if it knew something about us. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018, may not be from Starwood. Bad guys know you stayed there too.
Links: Links in email and web pages are complicated. Unless you are a techie it can be almost impossible to know where you will end up after clicking on a link. If an email message has a link to login to a service, DO NOT click it. Go to the website of the service on your own and login there.
The more urgent the plea for you to take action, the more likely the message is a scam. Bad guys don't want you to have a chance to think
about the issue or check with others.
Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phishing" is a scam specifically targeted at you. In a spear phish, the bad guys will have researched you and they use the information about you as the part of the lure in their scam. For example, they might learn who does the money transfers in a company, then pretend to be the boss and order a fake money transfer.
Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.
Secure Email: The only two companies offering this, that I know of, are ProtonMail and Tutanota. Neither company can read your email while stored on their servers. Messages sent between their customers are also safe from prying eyes. Email from either company to any other email provider is not secure. Both offer free limited accounts. Both can be used with software on your computer but webmail lets the browser prove that encryption is being used in transit. Webmail can also be used on a Chromebook running in Guest mode to insure that no trace of your actions is left behind. Episode 149 of the Privacy, Security, & OSINT podcast was on Secure Email with a comparison of ProtonMail and Tutanota. Interesting point in the podcast: you may want to configure each service not to automatically save every email address you correspond with in the your Contacts list.
An email with a password protected attachment, that has the password in the body of the email message, is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus.
An email that asks you to logon to read an encrypted message is a scam.
Use multiple email addresses. This both avoids putting too many eggs in one basket and increases your privacy by hiding your real email address. Far too many systems use an email address as their unique identifier, so when one system gets hacked, bad guys are halfway to hacking into your other accounts. At the least, have a second email address for things you really don't care about. A step up from that is to use an email forwarding service. The ultimate Defensive Computing goal is to use a different email address with every service that requires one. Of course, no one wants to check multiple inboxes, and you do not have to.
MULTIPLE EMAIL ADDRESSES (Last Update: May 18, 2020)
You can get dozens of alternate email addresses with a forwarding service such as 33mail.com, anonaddy.com or simplelogin.io. These are best for receiving email. Responding with your alternate address may cost money or not be an option at all.
SimpleLogin is an email forwarding service. They offer 15 forwarded email addresses for free, for $30/year the service is unlimited. They use the term alias incorrectly. Their service forwards emails, it is not a second name for a single inbox.
AnonAddy also offers email forwarding. You get a username with them and your email address is something like
Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.
My method is to register my own domain, such as michaelhorowitz.com. Many companies register domains, they are called Registrars. Many registrars offer free email forwarding. There is often no limit on the number of forwarded email addresses. One upside is that you can change email providers without anyone knowing or caring. There are two ways to do this. One is to manually create forwarding rules for each service such as: firstname.lastname@example.org and email@example.com. The other is to setup "catchall" forwarding such that any and every email to your domain gets forwarded.
Gmail offers email forwarding as a free service. If you are, for example, firstname.lastname@example.org and you coach a soccer team but don't want the soccer moms to have your real email address, you could create email@example.com and forward it firstname.lastname@example.org. This does not scale well, however.
Gmail also lets you add a plus sign at the end of your Gmail userid to make unique email addresses. You could, for example, be email@example.com and firstname.lastname@example.org. Basically, this is an alias. Sounds great, but, some (too many, in my experience) websites consider an email address with a plus sign to be invalid.
Still another approach is to use aliases. An alias offers multiple names for one single email address/inbox. The advantage is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and, in how many they offer. With iCloud Mail, you can have up to three active email aliases. At Fastmail, cheaper accounts offer a few aliases, more expensive accounts offer more.
As of April 2020, the Firefox Private Relay is in beta testing and not yet open to the public. It will be another
email forwarding service.
As a side benefit, multiple email addresses helps to confirm the legitimacy of an email message. If you get a message from your power company warning that the power will be cut off if you don't pay immediately, and it did not come from the email address you use only with them, then its clearly fake.
Another side benefit is that it helps you detect who shared your email address with their "business partners" (spammers).
Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com
If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool. This also lets you download every breach involving your domain as this screen shot demonstrates.
Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.
UNDERSTANDING DOMAIN NAMES
(Last update: March 5, 2020) top
Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams targeted at people that don't know the rules.
Never re-use passwords. We all need dozens or hundreds of passwords, yet we can remember just a few. Nonetheless, this is a very important rule. Companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites.
This article, Credential stuffing explained: How to prevent, detect and defend against it (Lucian Constantin Oct 2019) notes that the automated use of stolen usernames and passwords to access accounts is low risk, high reward for cybercriminals.
Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and over valuing
the need for randomness in passwords. They also underestimate the hassle of new software for non techies.
"I was never able to find a way to set people up on a password manager in the time available. Let me be very clear: I would like all people to use a password manager ... But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet."
John Opdenakker is a rare techie willing to admit that password managers are not the best solution for everyone. He writes: "Knowing that many online services give password manager users a hard time, it's not very likely that non tech savvy people will be able to use them ... for a lot of users, like my mum or dad ... I recommended them to use different passwords for their accounts and write them down in a password book."
Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can chose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. It's also easy to remember. There's a formula: start and end every password with "1234". I expanded on the use of formulas in my Aug. 2019 blog The world's BEST password advice.
You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked and a formula (above) should produce globally unique passwords fairly easily.
Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper can not be hacked; just be sure to xerox the list every now and then in case you lose it.
Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager and its useless on a Chromebook running in Guest mode which is where I do my sensitive transactions.
All that said, no single approach is appropriate for everyone.
Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.
Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.
In another type of attack, a web browser may display the correct something.citi.com, and yet, the website could still be a fake. To prevent this, companies that take this stuff seriously pay extra to have their identities verified. You can see this extra identity validation at, for example, citi.com which says "Citigroup Inc. (US)" just to left of online.citi.com in the address bar (see example). Bank of America does the same thing as you would expect any financial company to do. In contrast, my dinky websites, such as this one and my personal site (michaelhorowitz.com) do not have identity verification (see contrast). If the website of your financial institution has this extra identity protection, get in the habit of looking for it. If this information is not provided, take that as a bad sign about the company and its website. In techie terms, my websites are Domain Validated (DV), the Citigroup and Bank of America websites have Extended Validation (EV). The home office of incompetence, Equifax, does not offer identity verification. Not a surprise. What is surprising is that neither does Amazon.com (shown in the screen shots).
Web browsers have always been inconsistent in how they indicate that a site has had its identity verified. Worse still, each browser constantly fiddled with their padlock display. As an illustration, this image, from Twitter user Cryptoki, shows eight different browsers indicating this in eight different ways. Internet Explorer was, by far, the best. It turned the entire address bar green, a visual clue that no one could miss. Most browsers displayed the verified company name in green, somewhere on the address bar.
An inconsistent User Interface is the good old days. As of September 2019 (give or take) there will be no user interface, at least, not one that is visible by default.
The two major web browsers, Chrome and Firefox have decided to hide this. Already, many web browsers fail to indicate a verified identity in any way. Why have Google and Mozilla decided to remove the indicators of a verified identity? Because you are stupid. They won't say that directly, but that is clearly what they are thinking. They point out that non-techies do not understand what it means for a website to have a verified identity. Never mind that, in no small part, this is their own fault for not having a standard indicator. Given this lack of understanding, rather than try to educate the public, they are taking their ball home so we can't play the game. Nerds at their worst.
As with email messages, the content of a fake website can look exactly like the real thing. Anyone can copy images and text and fonts from the real site and use them to make a fake site.
If you visit a web page, everyone knows that HTTPS encrypts the content of the page. But that's not the whole story. As this blog by DuckDuckGo points out, parts of the URL are not encrypted. For example, if you visit https://cancer.mayoclinic.org/isitcontagious.html
the fact that you visited the Mayo Clinic website and were interested in cancer will be visible to anyone watching network data transmissions. However, that you wondered whether cancer was contagious is not visible. In techie terms, everything after the domain name (isitcontagious.html) is encrypted in transit, however the domain name (mayoclinic.org) and sub-domains (cancer) are not encrypted.
The concept of secure websites, indicated by HTTPS or a lock icon, is, in many ways, a scam. The security that people tout refers to a small piece of a large pie. Specifically, it refers to in-flight data; data being transmitted back and forth between your computer and a website. If, while traveling over the Internet, the data/web page is encrypted, then the entire site is said to be secure. Fact is, dozens of things can still leak your sensitive data. Take the just-discussed EV/DV validation of websites. Without real identity verification (EV), you could "securely" send passwords to bad guys. Another scam is that encryption is a binary thing, that it is either on or off. In reality, it is quite complicated. So much so, that there are security rating websites (next topic). Perfect Forward Secrecy (PFS) is another factor, one that is hardly every discussed. Without PFS spy agencies can very likely (no one knows for sure) decrypt the encrypted data traveling over the Internet. Another factor is keeping private encryption keys private. If they leak (its just a string of bits), encrypted data can, again, be decrypted. No one knows how well any website protects its private keys. Then too, many websites continue to support older security/encryption protocols with known flaws (TLS 1.0 and 1.1). And, websites have different sections, each section has its own security profile; one section may be more secure than another. For example, in 2016, I blogged about how www.ssa.gov was secure while secure.ssa.gov was not (since fixed). And, nothing about encryption in transit tells you anything about the strength of the security on the back end (think Facebook storing passwords in plain text) or
whether software running on the back end is being updated with bug fixes (think Equifax), how good their defenses are against attacks, who they share your data with or whether the data is left publicly available to anyone who knows where to look, no attacking needed (this happens a lot). I could go on. Anyone who tells you to trust a website because it is secure, is either un-informed or lying on purpose because it serves their needs.
A great website for evaluating the encryption used by a website is the Qualys SSL Server Test. Ironically, it does not have extended identity protection. Still, it offers both a ton of technical information about encryption and a simple letter grade at the top. I suggest testing your most important sites: banking, email and any website holding your sensitive information. Every site should get either and A or A+. Anything else is a failure. The orange horizontal stripes under the letter grade are security failures. To be thorough, you need to check each section of a website. For example, at the US Social Security Administration, you would check both www.ssa.gov and secure.ssa.gov. To put this in perspective, again, encryption is a small piece of a large pie. Nothing about the strength of the encryption used to send/receive data tells you anything about whether passwords are stored in plain text, or whether bug fixes are applied to the software running the website, or any other aspect of security.
Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully. You don't want
the answer to be anything that someone could either guess or learn about you. In fact, don't even give reasonable answers. If it asks for the name of a person, use the name of a place instead. You never know if the answers are case sensitive or not, so it is safer to only use lower case. In my opinion, it is also safer to avoid spaces and special characters too. Just like passwords, these questions and answers need to be saved somewhere that you can find them later. Nothing wrong with paper and pencil.
Any website that you can access with just a userid/password is not really secure. Stepping up the security requires a second factor/thingie. See the topic on Two Factor Authentication for more.
To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing "two factors" refers to needing a password and something else to gain access to a system. Thus, a stolen password becomes useless as its only half the story. The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable by using 2FA. First they had their cellphone number stolen, but that was done to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes. And, everything breaks, so you need to be up to speed on the fallback system for when 2FA breaks. There are different types of 2FA and no one right answer for everyone.
Perhaps the least secure type of 2FA, is a temporary code sent in a text message to a cellphone. It is very popular. Less popular, is the use of email for the exact same purpose. In the US, the Social Security Administration does this. Still another option is a phone call where a temporary code is spoken aloud. Or, a phone call where all you need to do is touch a button on the phone.
A more secure type of 2FA involves a Time Based Onetime Password (TOTP) generated by an app running on a mobile device. Two such apps are Authy and Google Authenticator.
A problem with both of these types of 2FA is a scam website. If you enter both your password and the temporary code into a scam website, the bad guys have it. See the topic on Understanding Domain Names for more.
The most secure option involves a physical thingy you connect to a computer/tablet/phone that verifies your identity. No thingy no access. Some downsides: the thingies cost money, different computing devices require different thingies, not many systems support this type of 2FA and the software on the thingies might be buggy.
You never know who calls you on the phone. Callerid can be spoofed just like the FROM address in email, so the same advice holds: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.
If anyone calls you, and their story ends with you paying them with a gift card or by wiring money, it is a scam.
The more urgent the need to send money, the more likely the call is a scam. Bad guys don't want to give you a chance to think about their made-up situation.
In the US, calls claiming to be from the Social Security Administration are a popular scam. Social Security numbers do not get suspended. The real Social Security Administration will never call to threaten your benefits. Beware of Calls Saying Your Social Security Number is Suspended (Bleeping Computer April 2019). This January 2020 advisory from SSA, explains how they work. Report Social Security impersonation scams to 800-269-0271 or oig.ssa.gov/report
Apple does not call their customers out of the blue. Neither does Microsoft or Windows. Some scammers pretending to be Apple make calls that display an Apple logo, address and their real phone number. More here and here. Contact Apple at
Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do to in preparation.
Bad guys might try to open a credit card in your name. To prevent this, you can get a credit freeze with
Bad guys might use your credit card to buy themselves stuff. You can be alerted to this by having your credit card company notify you, in real time, about charges on your account.
Americans should open an account with the IRS (irs.gov) to prevent bad guys from opening
an account in your name and getting your tax refund. Even if you never use this account, it is safer to have it. Brian Krebs: has more (January 2018).
Americans should also open an account with the Social Security Administration (ssa.gov) regardless of their age. This prevents bad guys with your stolen information from opening an account as you, and, for many people, is the only way to verify that their earnings are correctly reported.
When you logon to the My Social Security website, it reports the last time you logged on. If you can track this yourself, then you can be sure no one has stolen
your identity and logged on as you.
According to this article, the Social Security Administration has greatly curtailed the number of paper statements it mails. It now mails statements only to people over 60 who are not yet getting benefits and who have not set up digital accounts.
After an account is opened, you can block all electronic access to it. Of course, this blocking is only as good as the defenses against bad guys unblocking it and I don't know what those defenses are.
The phone number of the Social Security Administration is 800-772-1213
The Social Security Administration does not threaten to arrest people. Social Security numbers can not be suspended. These are common scams.
Neither the IRS nor Social Security does a good enough job of identifying people. They both know where you live, they could send a code via postal mail to verify who you are ... but, no. The Social Security Administration uses Equifax data to verify your identity and we all know that Equifax was hacked in 2017 and lost their crown jewels (our personal information). If you have a credit freeze with Equifax, then you can not open a Social Security account. You can't make this stuff up.
A free annual credit report, available at annualcreditreport.com can't hurt. However, two things about the site are a sham. For one, it says that
you can order reports online. When I last tried this in December 2018, it was not true, reports had to be ordered via postal mail, and, I was not told this until
after I entered all my personal information. Also, the site has not opted for extra identity validation for itself (see topic on VERIFIED WEBSITE IDENTITY).
Requests on paper are the way to go.
A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Other terms for this are SIM Hijacking and a port-out scam.
Defense: A phone number from TextNow is a safer way to use a phone number for 2FA. For more see the Phone Number Hiding topic.
This is my idea, I have not seen anyone else suggest it.
Defense: Have the customer service number(s) for your cell company saved on your phone. Also save other information that could prove your identity to the cell company such as the credit card used to pay the bill, the date the account was opened, etc. And, save everything you need to logon to their website.
Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams).
Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode.
How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to setup the extra PIN code for each cellphone company.
Verizon Defense: Call *611 and ask for a Port Freeze on your account (from here. Their website offers Two Factor Authentication which they also call Enhanced authentication. But it is only SMS. And even when its off, it is on (personal experience). I tried to turn it on (Jan 2020) and it broke the Verizon wireless website.
Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file.
He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6 -15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the signon page for cellphone companies to steal these pin codes.
(Secureworks Aug. 2019)
Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 were learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINS exposed to the world.
Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai (July 2018) is a Google Voice phone number.
Immediately Afterwards: check that you still have access to your most important accounts. Email, bank, credit cards, etc.
Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.
Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authorization with text messages, they only support the stronger options: Time Based Onetime Passwords (TOTP) and physical keys like Yubikey. In the Email section, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked. Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.
Lawsuits: AT&T Faces New $1.8 Million Lawsuit Over Sim Hijacking Attack by Karl Bode (Oct 2019). This is just the latest in a series of lawsuits attempting to hold cellphone carriers accountable. A subscriber had both his identity and life savings stolen via SIM swap. A different subscriber sued AT&T last year for $220 million. T-Mobile was also sued last year.
Things are bad: Lawmakers Prod FCC to Act on SIM Swapping (Brian Krebs Jan 2020). The Republican FCC protects the cell companies, not consumers. Some Democrats in Congress are mad. Other countries protect consumers.
Things are bad: A study by researchers at Princeton University: An Empirical Study of Wireless Carrier Authentication for SIM Swaps (Jan 2020). Quoting: "We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers." See also a Twitter thread by Arvind Narayanan.
Another guys story: How Twitter CEO Jack Dorsey's Account Was Hacked (Wired Aug. 2019) A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.
Big picture. As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.
What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard, you need to keep track of a userid (for which there are two definitions) a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name is the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps chose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.
Choosing: Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer, now it's Google's Chrome browser. Don't use either one. Or Edge. On a desktop Operating System (Windows, macOS, Linux) I suggest using either Firefox or the Brave browser. Brave has ad blocking and tracker blocking built in, it is based on Chrome, supports all Chrome extensions and also runs on Android and iOS. See some supporting articles:
It's Time to Switch to a Privacy Browser by David Nield in Wired (June 2019). Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.
Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.
Track me not: If the websites you visit are determined to track you it is all but impossible to prevent it. Still, you can fight back. The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook, which insures that all traces of your activity are erased when you exit Guest Mode. One step down, is private/incognito mode in your web browser. You are still tracked, but only until you close the browser. For background, see What Does Private Browsing Mode Do? by Martin Shelton July 2018. Another option is to manually delete cookies and other tracking data in your browser. In Chrome and Brave, enter
chrome://settings/siteData in the address bar, then click the Remove All button. In Firefox, enter about:preferences#privacy and click on the Clear Data button. Perhaps bookmark these URLs. Firefox can automatically delete cookies when the browser shuts down. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed".
Web browser extensions are a double-edged sword. If you let them, they can read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused too. When installing extensions pay close attention to the permissions it requests. I have seen non-techies be tricked into installing malicious extensions. It is a good idea to periodically review the extensions installed in your browser and remove any you really don't need. To display the installed extensions, use these address bar URLs (perhaps bookmark them): In chrome
chrome://extensions, in Brave
brave://extensions, in Firefox
about:addons. I blogged about potentially dangerous extensions here and here and here. A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019. Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and
Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode which does not allow extensions. Best to avoid extensions from Avast and AVG. Brian Krebs covered this in Feb 2020:
The Case for Limiting Your Browser Extensions.
Install an ad blocker extension in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been
abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. The down sides are that some sites won't display without their ads and that it prevents sites from earning needed revenue. But, the ad blocker can be disabled on sites you wish to support. No website can be trusted to only show non-malicious ads because the website itself does not choose the ads. Except Krebs on Security.
In desktop Firefox, review the Content Blocking (about:preferences#privacy) settings which offers defense against trackers and more. As of version 67, it should default to Standard, maybe raise it to Strict or Customize it. See the documentation on this. Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the
web. Firefox users should also take a look at about:telemetry. It's intimidating, but look to see that "upload is disabled".
From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.
Public Wi-Fi is always dangerous, whether a password is required or not.
If possible, keep your main/regular computing devices away from public networks. A Chromebook is a great substitute.
Even with all the protection in the world, like that described below, there are some things best avoided on any public network.
Wi-Fi networks are like children, the people who create it can give it any name at all. Bad guys can create wireless networks with the same
name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non techies can not distinguish an Evil Twin from the legit network it is
pretending to be. Neither can a computer/phone/tablet, which will happily connect to the evil twin network. Techies might look at the MAC address of a
wireless network, but even that can be spoofed if the bad guy knows how.
Typically, we focus on the fact that public Wi-Fi networks provide Internet access. This, however, ignores the other thing they provide, DNS. DNS is the system
that translates a website name (cnn.com) into an IP address. Malicious DNS can send you to scam copies of websites or all sorts of malicious websites. The fake
CNN site says you need to download software and bingo, your computer is hacked. Eating food found in the street is as safe as using DNS from strangers. More on
DNS and links to check the DNS servers currently in effect, see my RouterSecurity.org site.
In the old days, the fear with public Wi-Fi was limited to people intercepting plain text HTTP. Most websites now use HTTPS which encrypts data in transit.
However, HTTPS is both flawed and complicated and should not be your sole defense. The Qualys SSL Server Test
is an excellent site for illustrating both the complexity of HTTPS and that many websites do it poorly. Also, you can not tell if a mobile app is using HTTPS or not.
The solution to Evil Twin, DNS and HTTPS problems is to use either a VPN or Tor. Both hide your Internet activity from the router creating the public network and the ISP providing it Internet access. For more on VPNs, see the VPN topic here. To insure they are working, check your Public IP address before and after connecting. Also, check your DNS
servers before and after. A VPN should provide its own DNS servers, check with your VPN company to learn what their policy is. Many provide DNS on the VPN server itself which is especially easy to validate.
If a VPN or Tor is too much for you, then on mobile devices, use the Cloudflare 184.108.40.206 app available on Android
and iOS. Originally, it only provided DNS, now it can also, optionally, provide
Another danger with public Wi-Fi networks comes on the LAN side. That is, your computing device can be attacked by other users of the same network. Some VPN software offers an excellent defense against this. Look for an option in the software that will cut you off from other devices on the same network. Bad guys can not attack a computer they can't see. For more on this, see the VPN topic.
Disable Wi-Fi when you are not using it. It is not sufficient to simply disconnect from a public network.
One way to avoid public Wi-Fi is to use the 4G/LTE data connection on a smartphone. With the hotspot feature, this data connection can be shared with a laptop. To do this, the phone creates a Wi-Fi network that the laptop connects to. One, or both, of the devices should be connected to a VPN.
A public Wi-Fi network will always learn the MAC address of the Wi-Fi adapter in your computing device, even when using a VPN. To prevent this being tracked, you need to modify the MAC address (see Networking topic) before enabling Wi-Fi. To be really anonymous, use a computing device that was purchased with cash.
If you often use a public network, then consider a privacy screen protector. This limits the field of view for the screen to hopefully block someone sitting nearby from seeing what you are doing. 3M sells privacy screens for laptops, tablets and phones. Both Dell and Lenovo sell them for their laptops. See Laptop Privacy Filters: What to Look For and Why You Need One b Brett Nuckles (June 2018)
Router: I have a whole website devoted to Router Security. At the least, try to make the eight router configuration changes in the short list on the home page.
When it comes to making router changes, the first step, logging into the router, is likely to be the hardest. To make this easier, I suggest writing down the necessary info (router IP address or vendor-supplied name, router userid, router password) on a piece of paper and taping it to the router face down. Maybe include Wi-Fi passwords on the paper too.
Networking equipment (router or combination modem/router) provided by Internet Service Providers is typically insecure and low quality. Anything you buy at retail is likely to be more secure. It may also be cheaper in the long run and makes you a lesser target (a million people are not using the same router model).
Ethernet is more secure than Wi-Fi, so whenever possible connect via Ethernet for sensitive work. It's also faster. USB to Ethernet adapters cost about $15.
Use a Guest Wi-Fi network both for visiting humans and for IoT devices. Better yet, if your router supports it, use VLANs to further segregate devices (requires a techie). More here.
At this point, it is common knowledge that Wi-Fi encryption should use WPA2 rather than the ancient WPA or WEP. If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer. More here.
A VPN prevents spying on your online activity by anyone you an see (anyone on the same local network). For this reason, it should always be used on public Wi-Fi networks. A VPN also prevents spying by the ISP connecting you to the Internet. In the US, ISPs are allowed to spy on their customers and sell that data. A "secure" website prevents others on your LAN and your ISP from reading the content of web pages. However, they can still tell which websites you visited. In some cases, just the website name gives away too much information. VPNs hide everything.
In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location. It also should change the DNS servers used to translate computer names to IP address. For an introduction to DNS see my RouterSecurity.org site.
Before VPN: Before connecting to a VPN, check both your public IP address and DNS servers. Many sites show your IP address, one is ipchicken.com. To see your DNS servers, use one or more of the DNS testers listed on my RouterSecurity.org site.
After VPN: Verify that both the public IP address and DNS servers have changed. Most VPN companies provide their own DNS servers. You should verify with your VPN provider what DNS servers they use. It is very dangerous to use unknown DNS servers.
After VPN: You also should check for WebRTC leaks. Many, not all, web browsers support WebRTC which can expose your public IP address despite the VPN. On iOS, both Safari and Chrome do not support it. There are links to assorted tester pages on my RouterSecurity.org site.
See also How to disable WebRTC in Firefox? from PrivacyTools.io.
After VPN: One last test, for IP version 6 connectivity at test-ipv6.com. To me, IPV6 is a potential avenue for data to leak out of your computer without going through the VPN. In the past, some VPN providers had this problem. I prefer no IPV6 at all, so the good results on this test are "No IPv6 address detected" and "You appear to be able to browse the IPv4 Internet only. You will not be able to reach IPv6-only sites." This site is also reachable by its IP address at 220.127.116.11. The Mullvad VPN client for Windows has a configuration option to disable IPv6. Other VPN clients may also offer this.
Avoid free VPNs. More specifically, avoid VPNs that are always free. Some commercial VPN providers offer limited accounts for free. If you can't pay, use the free service from ProtonVPN, Tunnelbear or Windscribe. On iOS, there is also a free version of the Guardian Firewall + VPN app.
Choosing: If using a VPN on a public network, look for an option in the VPN client software that will cut you off from other devices on the same network. There is no standard name, but it may be called something like "Local File Sharing". Mullvad on Windows calls it "Local Network Sharing". Windscribe on Android calls it "Allow LAN traffic". This feature makes your device invisible to other devices on the same network. Bad guys can not attack a computer they can't see. Test that this feature really works with a LAN scanning app such as Fing. Test it in each direction, on your mobile device and on a another LAN-resident device. Not all VPN software offers this feature. No review of any VPN ever considers this feature, so you are on your own. In the old days, the advice used to be to disable File and Printer sharing, but this is a much better solution. Note that iOS does not seem to support this. I tested OpenVPN, Windscribe, ProtonVPN, Lockdown Apps and the Guardian firewall, and none blocked LAN side access to an open port (behind a router). I have not tested macOS or Android.
Choosing: As a rule, a VPN does not block ads or tracking, that job falls to your web browser. But there are exceptions. This may be a great reason to pick a particular VPN provider. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router.
On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN but all it did was modify the DNS servers. Currently (Feb.2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real, VPN called Blokada Tunnel which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
Android 9 and 10: There is an interesting conflict between a VPN and the Private DNS feature. Each wants to be in charge of the system-wide DNS. In my test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak, the DNS requests went through the VPN tunnel and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in my test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.
Choosing: One downside of a VPN, compared to Tor, is that the VPN company normally knows who you are. To prevent that, look for a VPN provider that takes cash, Bitcoin or gift cards. Many do.
Choosing: One consideration in choosing a VPN provider is their client software. I suggest looking for a VPN provider whose client software is Open Source, which means that anyone can review it. Both ProtonVPN and Mullvad created software and made it open source. Many VPN companies will let you use Open Source OpenVPN software on your computing devices.
Choosing: Sometimes using a VPN you may want as much privacy as possible. Other times, you may care more about speed. If so, look for VPN client software that shows you how busy a VPN server is before you connect to it. If you want privacy, pick a busy server where its easier to get lost in the crowd. The ProtonVPN client software does this, Mullvad does not. Freedome is designed to be as simple as possible, it hides all server information. Perfect Privacy provides this information on a web page.
Choosing: Many VPN companies rent their servers. It is more secure if the VPN provider owns their servers. Many VPN companies use a VPS (Virtual Private Server). It is more secure to not use virtualization (called a bare-metal server or a dedicated server). It is also more secure if a VPN server runs totally in RAM and never writes to the hard disk (called RAM-disk mode). Most VPN companies are mum on these points. A good survey on these two points is at Restore Privacy. It says: ProtonVPN and VPN.ac use dedicated bare-metal servers, all ExpressVPN servers use RAM-disk mode, Perfect Privacy uses bare-metal servers running in RAM-disk mode, OVPN uses dedicated bare-metal servers running in RAM disk mode, that they own. Mullvad owns some of their servers but most are rented.
Choosing: Some criteria that are irrelevant in picking a VPN provider: whether they log or not (everyone claims not to) and speed (it will always vary). When it comes to the number of servers, everyone is wrong on this. More is not better. Companies that own their own servers will have fewer than those that just rent a VPS.
Choosing: As noted in the Android topic, Exodus reports on trackers and permissions of Android apps. VPNs with no trackers: ProtonVPN, Freedome, Tunnelbear and IVPN. Windscribe and ExpressVPN have 2 trackers. NordVPN has 5.
All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since all three companies send some recordings to contractors, to help improve the system, strangers may hear your embarrassing conversations. Tony Soprano would not have allowed Siri in his home. Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of Alexa recordings. Initially, Apple lost at this privacy game, they did not have any way to opt out. In early Aug 2019 they took their first step and did more in iOS 13.2.
Disaster: Alexa and Google Home abused to eavesdrop and phish passwords by Dan Goodin October 2019. Everyone's worst fear came true. Malicious apps were developed that listened all the time. Wake word? We don't need no [expletive] wake word. Germany's Security Research Labs developed the apps and they passed the Amazon and Google security-vetting process. Some of the apps logged all conversations within earshot of the device and sent a copy to the app developer. Others mimicked the voice used by Alexa and Google Home to falsely claim a device update was available and prompted the victim user for a password to enable the update. Yikes. More: Malicious Apps on Alexa or Google Home Can Spy or Steal Passwords by Ionut Ilascu Oct. 2019.
Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.
Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.
Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.
Alexa Defense: Turn off voice purchasing in the app: Menu -> Settings -> Alexa Account -> Voice Purchasing. If you want to use Voice Purchasing then perhaps disable one-click payments. Or, set a spoken pin to stop anyone else from shopping using your account.
Alex initial configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured, there is no need for this, skip it.
Alexa Defenses in the Alexa app:
Settings -> Alexa Privacy -> Manage How Your Data Improves Alexa. There are two options to prevent humans from listening to your recordings
Settings -> Alexa Privacy -> Review Voice History. Enable the deletion by voice option. Then delete saved recordings. After enabling this option, you can say "Alexa, delete everything I said today" or "Delete what I just said"
APPLE (Siri, Apple Watch and HomePod smart speakers)
If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".
Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings. To disable Siri: Settings > Siri & Search -> Turn off both the Listen and Press Button options. To disable dictations: Settings -> General -> Keyboard -> turn off Enable Dictation.
This process will change.
Defense added in iOS 13.2: When upgrading to 13.2, which was released at the end of Oct. 2019, users see a pop-up message offering the ability to opt-out of having their voice commands stored and saved. It is called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements" where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History" and an option to stop sharing voice recording with Apple. Also in Settings -> Siri, you can tell Apple to delete all the Siri voice recordings that it has stored.
Again from Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-ToGeek article adds instructions for deleting the previously saved recordings.
The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)
Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.
To delete Google Assistant voice recordings, start at myaccount.google.com/intro/activitycontrols. Scroll to "Voice & Audio Activity" where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "Delete what I said on [date]" or "Delete my last conversation". This only works for the last 7 days.
You can use the Voice Match function to insure your personal results are only available to you. See how.
MICROSOFT: SKYPE, CORTANA and XBOX
In Aug. 2019, Joseph Cox of Motherboard revealed that"Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.
General Defense: I own a smart speaker and it is powered off 99% of the time. When I want to use it, I plug it in and wait 30 seconds for it to start up.
New permission in Android 10: only let an app know your location when the app is open. Also new, periodic reminders about apps that are accessing your location in the background. Configure: Settings -> Apps and Notifications -> pick an app -> Permissions and Location. Or, Settings -> Privacy -> Permission manager -> Location ->
click an app. If upgrade from v9 to v10, all existing apps need to be checked.
iOS13: Settings -> Privacy -> Location Services and then choose, for each app, when it can access your location. While there, also configure "Share My Location" as you prefer. And, still more: configure each of the 13 System Services and the 4 Product Improvement services - whether they can access your location.
iOS 13 added a new Location permission: share your location with an app just once. The next time the app wants it, it has to ask. iOS 12 only allowed sharing always, never or when the app was in use. iOS 13 also added periodic pop-ups when apps use your location in the background. A sort of FYI.
iOS 13 Location: iOS 12 let you grant an app permission to track your location all the time when the app was installed. iOS 13 limits install-time location permissions to while the app is in use. To let an app track your location at all times, you have to go into the System Settings. iOS 13 treats this as a bad thing a periodically warns you about how often your location was used and lets you disable it. Sound good? But Apple does not warn customers about their own location tracking. By default, iOS users agree to 18 separate location-tracking system services during setup, including Apple's own location-based advertisements. Apple can add new features that utilize location tracking without asking for permission. From here: Apple says recent changes to operating system improve user privacy, but some lawmakers see them as an effort to edge out its rivals by Reed Albergotti in WaPo (Nov 2019).
For iOS version 12, do Settings -> Privacy -> Location Services to see a list of apps. Each app is assigned one of three rules: never see your location, always see your location or only see it while using the app. Also here is a link to System Services and their location usage.
Does a weather app really need your current location? Maybe just give it a couple zip codes where you often are instead, and only give it access to your current location when traveling.
A second approach, is to still let the phone know where you are now, but tell Google not keep a history of where you have been.
Disable Location History: This April 2019 article says to go to myactivity.google.com, select "Activity Controls" and turn off both "Web & App Activity" and "Location History" This May 2019 article by David Nield in Wired covers all the bases both for a Google account and on a mobile device. This article offers a different path to the same features: turn off "Location History" at myaccount.google.com/privacycheckup and turn off "Web & App Activity" at myaccount.google.com/activitycontrols.
Keep a Location History but Automatically Delete it after a while: Start at myactivity.google.com, click on Activity controls, scroll to Location history, click Manage Activity, look for an icon shaped like a nut and then click Automatically delete location history. Whew.
First find the Location section of system Settings (see the 3rd approach below). Then click on Google Location History to pause it (it can not be disabled, only paused). On Android 10, Location History is buried under "Advanced"). Note: this is done for a Google account, not for a device, thus you must be on-line to make changes. You may also want to click on Show All Activity Controls to see the Web and App Activity and pause that too. From Google: Manage your Android device's location settings. The article states that, with Location disabled, you can still get local search results and ads based on your public IP address. You can test this with a VPN.
Yet another click-path: Android 8: Settings -> Users and Accounts. Android 9: Settings -> Accounts. Select an account, then click on Google Account. Find the Data and Personalization section, then the Activity controls section. Again, look for Location History and Web and App Activity. Lots more here too, such as Ad personalization.
A third approach is to disable Location Services entirely. On Android, the "Use Location" option is the master on/off switch for Location services. Here are some paths to find it.
Android 7 and 10: Settings -> Location
Android 9: Settings -> Biometrics and security -> Location
Android 8 and 9: Settings -> Security and Location -> Location
On iOS13 there is only one path: Settings -> Privacy -> Location Services -> Turn Location Services OFF
My advice, the fourth approach, is to prevent iOS and Android from knowing your location in the first place. To do this:
Turn off 4G/LTE Internet
Turn off Wi-Fi
Turn off Bluetooth
Turn off GPS by disabling "Location" (Android) or "Location Services" (iOS)
With these four things disabled, a phone can still make/receive calls and text messages. A dedicated GPS app can be used to confirm the status of GPS. Note that your location can still be tracked by the cell tower the phone is talking to, but, this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode, and the step after that, is to turn the phone off.
For months, I thought I was the only person suggesting this. However, in Dec. 2019, Proton (the company behind ProtonMail and ProtonVPN) said that a basic principle of using any smartphone is "...turn off all the connectivity you do not need. This goes for whatever smartphone, and whichever operating system, you have." In the June 26, 2020 episode of The Privacy, Security, & OSINT Show the show host, Michael Bazzell, suggested the same thing.
Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.
Taking a step back, consider who is the enemy here? That is, who is it we don't want tracking us. Some people/articles focus on apps. But, it also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being being sued for selling location data. Another reason for my approach to defense.
Cameras: On many computing devices the camera may embed the current location of the device in a photograph. I am no expert on disabling this in every operating system, so ... when you are away from home and posting photos on social media, people can tell you are away from home. If you are far, it is an invitation to rob your home. If you post photos taken at home, people can learn where you live. Spend the time to learn how to stop the camera from doing this.
On iOS 13, I am pretty sure this can not be disabled but if you use the OS to share a photo there is an option to remove the location information. If you copy the photo on iOS 13 the location information is included. IrfanView on Windows reveals all the hidden information in pictures.
It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.
Android Defense: Turn off Ad Personalization and periodically reset the Android advertising ID. On Android 7, 8, 9 and 10, both options are at: Settings -> Google -> Ads.
Android Defense: At Settings -> Google. Google Account is the master list of everything Google. In Networking, maybe disable the Wi-Fi assistant. Check Nearby to see if any apps are sharing data. In Search, Assistant & Voice: Under General, look at Recent pages, Discover and Personal results. Under Voice, consider not allowing Bluetooth requests with the device locked (may be called Bluetooth headset). Also review Google Assistant.
Things are bad: iPhone Privacy Is Broken…and Apps Are to Blame by Joanna Stern in the Wall Street Journal (May 2019). Most apps are tracking you in ways you cannot avoid. Privacy controls are a scam. Interesting tidbit: paid apps spied the same as their free siblings. Defense: Privacy Pro SmartVPN from Disconnect.
iOS Defense: The above two articles both suggested partial defenses: Disable "Background App Refresh" (Settings -> General) and Enable "Limit Ad Tracking" (Settings -> Privacy -> Advertising). While there, I would also suggest clicking on Reset Advertising Identifier.
iOS Defenses: From 7 iPhone privacy settings you should enable now (Jack Morse June 2019). Review apps that have Camera (Settings -> Privacy -> Camera) and Microphone (Settings -> Privacy -> Microphone) access. Maybe turn Live Photos off. Turn off lock screen message previews (Settings -> Notifications -> Messages -> Show Previews). Reset your Advertising Identifier (Settings -> Privacy -> Advertising). Use a long (up to 9 digits) voicemail password (Settings -> Phone -> Change Voicemail Password).
Stop Apple from spying on you (iOS 12): Settings -> Privacy -> Analytics. Turn off Share iPad Analytics and also turn off Share iCloud Analytics. While there, take a look at the Analytics Data. And also: Settings -> Privacy -> Location Services (if its Off, turn it on for a minute) -> System Services -> turn off the four checkboxes in the Product Improvement section.
Things are bad: Perhaps the most damning article: I spy: How Android phones keep tabs on our every move (March 2019) is about the security hole that are the pre-installed Android apps. Based on an academic study that analyzed 1,742 phones from 214 manufacturers. 91% of the pre-installed apps are not in the Google Play store. No defense offered.
Defense: Some VPNs can block tracking and/or ads. For more, see the VPN topic.
iOS Defense: What should be a great defense against apps and web pages that track iOS users is the Guardian Mobile Firewall from Sudo Security. I say "should" because the app is new, it was released Aug. 1, 2019. Terminology, however, is being abused. It is not a firewall. It is a VPN that does tracker blocking. The VPN part is free, tracker blocking is $100/year or $10/month. It does not block ads and it does not offer a whitelist or blacklist that you can manually update. Everything points to the people behind the app being trustworthy. Read more from Glenn Fleishman (March 2019) Lily Hay Newman (July 2019) and Sudo Security (June 2019) and me (August 2019).
Things are bad on Android: Thousands of Android Apps Break Google's Privacy Rules by Paul Wagenseil Feb. 2019. Researchers examined 24,000 Android apps and found that 70 percent were breaking the rules by sending out permanent IDs that ad networks can use to track you. The researchers notified Google of the policy violations and got no response.
My Defense: Use a phone and a tablet. Let most of the spying happen on the tablet, keeping the phone relatively clean. Each should use a different account be it an Apple or Google Apple account. The tablet account should use a throw-away email address. The phone should, as much as possible, be limited to apps needed while traveling. The tablet can have everything. For example, I will not install the MLB (baseball) app on my phone as it wants way too many permissions.
Future: I know of three companies working on releasing a phone running Linux. The Librem 5 from Purism will be $700. It has been delayed a number of times and, as of Jan 2020, is still not finished. It will run PureOS, have a user-replaceable battery and three hardware kill switches (WiFi & Bluetooth, Cellular baseband, Cameras & mic). The PinePhone from Pine64 will be able to run multiple Linux distros. It started shipping in January 2020.
Necuno Solutions is working on a phone that will be manufactured in Finland.
Replacing Android: In Dec. 2019, Ludovic Rembert wrote that LineageOS was the most developed (and stable) alternative version of Android but he warned that installing it requires technical knowledge. Max Eddy wrote about installing LineageOS on an old Android phone (May 2019).
Extra secure Android: As of Sept. 2019, it is still early for GrapheneOS a version of Android focused on privacy and security. It is built from a bare minimal version of Android (AOSP) without Google apps and services. Being Android, it preserves all the standard software and hardware security features. Currently it is only supported on the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL.
Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.
IOS CONTROL CENTER SCAM
iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.
In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.
Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".
ANDROID SCAN EVEN WITH BLUETOOTH OFF
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.
Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.
ANDROID SCAN EVEN WITH WIFI OFF
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.
Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".
ANDROID WIFI AND OPEN NETWORKS
Google wants you on-line even if it means using an insecure Open Wi-Fi network. To that end, Android might automatically connect to an open network, or, notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon -> are two relevant optons: Network Notification and Use open Wi-Fi automatically. Disable each.
ANDROID WIFI AUTO-CONNECT
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"
NFC (Near Field Communication) is yet another wireless option for sharing data, but only between devices that are two inches apart.
On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC. Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The bug was fixed in October 2019 but so few Android devices will get the fix. If NFC is needed, you can leave it enabled, just be sure to disable NFC file beaming as explained in the article.
On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.
Wi-Fi Direct allows two Wi-Fi devices to directly communicate without a router in the middle.
It is popular on HP printers and some smart TVs as I always see some of each, when scanning from an Android device. HP printers create SSIDs like "DIRECT-xx-HP OfficeJet 4650" Sony TVs create SSIDs like "Direct-xx-BRAVIA". Wi-Fi Direct is also enabled on Roku Express devices. Background: What is Wi-Fi Direct? (June 2019).
Android: I have checked a few Android devices and they all enable Wi-Fi direct without a way to disable it. It seems, however, that Wi-Fi direct scanning does not happen until you ask for it.
Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Advanced -> Wi-Fi Direct
Android 8.1: Settings -> Connections -> Wi-Fi -> Wi-Fi Direct
Android 8.1: Settings -> Network and Internet -> WLAN -> WLAN Preferences -> Advanced -> WLAN Direct
Android 7.0: Settings -> Wi-Fi -> Advanced -> Wi-Fi Direct
October 24, 2019: Wi-Fi Direct just became a very big
deal. A bug in the Wi-Fi Direct driver from Realtek (RTLWIFI) lets bad guys crash or hack a Linux/Android device that has Wi-Fi enabled; even if the device is not connected to any Wi-Fi network. The bug is specific to Wi-Fi Direct but since Android users can not disable Wi-Fi Direct, Android devices are vulnerable whenever Wi-Fi is enabled. Many Android devices will never be patched.
iOS: iOS has supported Wi-Fi Direct since version 7. It is part of AirDrop, Airplay and AirPrint.
iOS 12: There are no settings for Wi-Fi Direct. When I scanned for nearby Wi-Fi networks, none of the Wi-Fi Direct networks that I could see from Android showed up. When I tried to print a web page, Safari found no AirPrint enabled printers. Perhaps because of the way my iOS device was configured? Don't know.
Google Nearby, aka Nearby Device Scanning
is designed to seamlessly let two Android devices talk to each other.
I found this enabled by default on an Android 8.1 Samsung tablet. The description said "Scan for and connect to nearby devices easily ... Nearby devices scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device.". The path to the setting was: Settings -> Connections -> More connection settings. I have read that this also uses Wi-Fi and audio to find nearby Android devices. Creepy. More here, here and here.
Google AirDrop: According to this Jan. 2020 article Google is working on an AirDrop competitor. Originally called Fast Share, then called Nearby Sharing or Nearby Share. As of June 2020, it is in beta testing. It will work with Android devices running version 6 and later and with Chromebooks. It transfers photos, videos, links and tweets. The recipient has to have the feature enabled and has to approve any transfer before it happens. It uses Bluetooth for device discovery and Wi-Fi Direct for file transfer. It will only work when devices are very close together, perhaps just one foot. Beats me what this means for the older Google Nearby feature (above).
AirDrop on iOS is best disabled by default and enabled when needed. It uses both Bluetooth and Wi-Fi. Bluetooth is used to find partners and Wi-Fi, because it's faster, is used to transfer large files. The Wi-Fi is a form of Wi-Fi Direct, thus the two Apple devices do not have to be on the same Wi-Fi network to exchange data. In fact, they don't have to be connected to any Wi-Fi network or to the Internet. See a How To. An important thing to be aware of is whether an iOS device can receive data from anyone or only from people in the Contacts. Configured at Settings -> General -> AirDrop. WARNING: With Wi-Fi and Bluetooth off, if you enable AirDrop, it turns on both without notification. See The feature Apple needs to change in AirDrop (April 2019) and When Grown-Ups Get Caught in Teens' AirDrop Crossfire (June 2019).
Bluetooth on iOS: It was previously known that Bluetooth allowed anyone nearby to learn the current status of the device, device name, Wi-Fi status, iOS version and more. In July 2019 it was revealed that Bluetooth can leak the phone number when using AirDrop or sharing Wi-Fi passwords. The leaking of phone numbers has been observed in iOS 10, 11, 12 and the beta of 13. You can disable AirDrop but have to remember not to share Wi-Fi passwords. More here and here and here.
One of the Privacy Settings in iOS v12 is Bluetooth Sharing. Apps that are enabled for Bluetooth Sharing can share data even when you are not using them.
Android Direct Share: Description: "Share content with specific people directly from the sharing panel in any app. The Direct Share icons will appear at the top of the sharing panel if an app supports this function." Find it on Android 8.1 with: Settings -> Advanced Features. Not sure if this uses Bluetooth, Wi-Fi or what.
iOS 13: has a new "Find My" feature. When an Apple device is offline and sleeping, it sends out a secure (says Apple) Bluetooth beacon that can be detected by any nearby Apple device. These nearby devices (even those that are not yours) phone home to Apple to help you find a lost device. I have read that the Bluetooth beacons are even sent in Airplane mode. Not sure yet how to defend against this (turn off Bluetooth?) or if we even need to defend against it. Too new as of June 8, 2019.
iPhone 11 and UWB: From What Is Ultra Wideband, and Why Is It In the iPhone 11? by Chris Hoffman Sept. 2019. iOS 13.1 on the iPhone 11 has a new Ultra Wideband radio. It is the first smartphone to offer UWB which only works over a short distance, shorter than Bluetooth. UWB allows an iPhone to precisely detect where objects are in physical space. AirDrop will suggest sharing with other iPhones that you point at. Longer term, it could be used to locate lost objects. Can you turn it off? Don't know.
The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).
Do not use Windows. Windows is a cesspool of hacking, ransomware, bugs and vulnerabilities. Has been for decades. With Windows 8 Microsoft lost all credibility. With Windows 10 Microsoft spies on you and has taken control over the installation of bug fixes. And, the quality of the bug fixes to Windows 10 is disgraceful, sometimes causing more problems than they solve. There is no Windows topic here because the best defense is avoiding it.
Leo Laporte, aka, the Tech Guy is a bona fide techie. For years, he used all three desktop OSs (Windows, macOS, Linux) and now, he also uses Chromebooks. He has always fairly judged the pros and cons of each operating system. But, as of March 2020, he has given up on Windows. Too many bugs, flaws and problems. In discussing a Windows bug on the March 24, 2020 episode of the Security Now podcast he said "I swear to god, I don't run Windows on any machines anymore. It's just ridiculous."
Windows 10 makes it clear that the corporate mind set at Microsoft has changed - they view Windows 10 as their computer, not yours. It is crammed full of junky software that very few people care about, much of which can not be removed. And, even the removal is a scam, as the crapware comes back if you logon with a different userid. Likewise, the spying (aka telemetry, customization) can only be partially disabled. Home edition users are forced to beta test bug fixes and even Professional edition users have limited options for delaying or preventing the installation of bug fixes. Microsoft know whats best for you and its bug fixes all the time. Only the largest of corporations can fully opt out of the spying, junky software and forced "updates" in Windows 10. How? Microsoft has a clean version of Windows 10 called LTSC (or LTSB) that the public can not get. See a screen shot of the difference.
Then too, there is incompetence. Examples abound. Consider the monthly bug fixes for Windows that were released in April 2019. As documented by Woody Leonhard,
nine different Windows patches conflicted with four different antivirus products, leading to multiple problems. Quoting Woody: "...whoever made the decision to release the six (now nine) problematic Windows patches either: Didn't know they'd wreak havoc on millions of computers, or Didn't care. You can choose which one's worse."
If you do use Windows, use portable software when available. A great source is PortableApps.com. Portable software is harder for malware to find and corrupt and, most importantly, can be easily backed up. Normal Windows apps can not be backed up because they, and their dependencies, are scattered all over.
I agree with the commonly held belief that an Apple Mac computer (macOS) is safer than Windows. However, it is slightly safer, not drastically safer. Both are ancient and the world has changed dramatically since they were designed. On the hardware side, Apple fans have been critical of the hardware in their laptops for many years, especially the keyboards. For more, see the macOS topic.
Start using a Chromebook. Chromebooks are laptop computers that are drastically safer than Windows and macOS. Their operating system, ChromeOS, is the newest available system and thus the most advanced. It was designed, by Google, with security in mind. There are no viruses on a Chromebook. In addition to security, Chromebooks are extremely reliable. In what is virtually a revolution in computing, Chromebooks require no care and feeding on your part. They self-update quickly and quietly. They don't ask you or even tell you about bug fixes. The just do it. Thus, end users (you) can not screw them up. Chromebooks are not for everyone and not for every purpose. They are perfect for kids, seniors and non techies. Chromebooks are the home office of Defensive Computing. You normally use a Google account to logon to a Chromebook, but there is also a Guest mode that anyone can use without logging on.
---------ADDITIONAL CHROMEBOOK INFO-----------
Guest mode starts and ends with a totally clean version of ChromeOS. That is, when Guest mode starts, there is no visible history of anything. Factory fresh if you will. When Guest mode ends, all activity is removed. Downloaded files, for example, are deleted. It's as if it never happened. Guest mode uses the Chrome browser, but without extensions. You can't even install an extension in Guest mode. It is the most secure environment available to non techies. It is perfect for online banking, opening suspicious email attachments and avoiding any and all website tracking.
Originally, Chromebooks just ran the Chrome web browser (simplifying a bit). Later, Google added the ability to run Android apps, and, just recently, added Linux apps too. With an Android based emulator app, some Windows programs can also run on a Chromebook (requires an Intel CPU). Guest mode does not run Android, Linux or Windows apps, just the Chrome browser native to ChromeOS.
Every computer company that makes Windows laptops, also makes Chromebooks. Most, but not all models have a touch screen. I suggest going for a touch screen. Models touted as 2-in-1 have a screen that can rotate fully around, letting them function as tablets too. Low end models start around $200. Mainstream models top out around $500 but there are some models that go up to $1,000.
Chromebooks are your best defense against malicious USB flash drives. See the Extra Credit section for more on this.
Google is up-front about how long a Chromebook will get software updates. Details for individual Chromebook models are in their Auto Update policy document. The latest models can get support for six years. For example, in June 2019, it showed the Acer Chromebook Spin 311 (R721T) would get updates until June 2025.
Chromebooks have a full range of remote control options where they are the controller. This might be used to give a Chromebook access to software that runs on another operating system. However, options are limited for the Chromebook being controlled remotely. The only option for full remote control that I know of is the Chrome Remote Desktop extension from Google. To me, it is a pain to setup and use. There is a Team Viewer Quick Start app for Android that, once its installed, is very simple to use. It gives view-only access to the entire Chromebook (not just to the Android side) to a remote person.
Linux: Linux on a desktop/laptop computer is relatively safe. Whether it is inherently more secure than Windows or MacOS is debatable. OS expert Daniel Micay
tweeted "The Linux kernel uses a fundamentally insecure architecture, insecure tools, and has a development culture treating correctness and especially security as an afterthought. It ultimately needs to replaced..." (Oct 2019). Either way, it is a lesser target which makes it more secure. Typically, however, it is not a realistic option. Few computers ship with Linux pre-installed and installing it is too difficult for non-techies. Also, where does a non techie go with their inevitable Linux questions and problems? And, the many distributions (flavors of Linux) and package managers makes it even harder to get help. That said, for help picking a distro see Why I Switched From Ubuntu to Manjaro Linux by Dave McKay (Aug 2019).
On both Windows and macOS, it is safer to logon to the computer as a restricted (a.k.a. limited, standard) user rather than an unrestricted (i.e. administrator, admin or root) user. In each system, restricted users are limited in the changes they can make to the system without approval from an unrestricted user. This limits the damage that malicious software, that makes its way onto your computer can do. Any computer with a single userid is just asking for trouble. On a new Windows or macOS computer, consider creating two users based on your first name: MichaelAdmin and MichaelRestricted, for example. On an existing computer, create a new admin user, logon to it and then modify the existing userid to be restricted. This does not apply on a Chromebook.
FYI: We can see the progression of Operating Systems in how they handle software updates. On ChromeOS all software is updated automatically. It is king of the hill in this regard. On Android and iOS, the apps can update automatically, but not the OS itself. On Windows, macOS and Linux, it's chaos.
A very common scam on Macs is a pop-up window saying that you need to install a new version of Flash. Don't.
Firewalls: Firewalls control the flow of data on a network, each direction.
For blocking unsolicited incoming connections, macOS includes a firewall but it is off by default. This is a miserable default. Turn it on.
Flor controlling outbound network activity, the Little Snitch firewall is a great product according to everyone. It offers total control over outgoing network traffic. It is not free and the initial setup takes time/effort as you have to decide what to allow and what to block. Does it also control incoming data? This is not clear from their website.
A free outbound firewall is LuLu. It does not offer quite as much control as Little Snitch but is still a big improvemnt over nothing.
Turn off the Universal Clipboard (aka Handoff) feature because it shares the clipboard with your iPhone. Instructions and background from Quincy Larson.
The free KnockKnock program from Objective-See looks for software installed on the system and can run it through VirusTotal.com to check if the software is malicious. It is not an always-on anti-virus program, you run manually.
Software: Leo Laporte, aka The Tech Guy, recommends Disk Inventory X, a disk usage utility for Mac OS X. It shows the sizes of files and folders so you can easily see which folders are consuming the most disk space. The software is free and open source.
Software: Leo Laporte, aka The Tech Guy, recommends OnyX a free multi-function utility. It can clean up temp files, verify the structure of the system files, remove problematic folders and files, rebuild various databases and indexes and run other assorted maintenance tasks.
If you have an AppleID, then Apple is tracking you. According to Michael Bazzell (Oct 2019) macOS Catalina and Mojave can both be clean installed and used without an Apple ID.
macOS is not a priority for Apple as this story illustrates: On Feb. 22, 2019 a researcher reported a flaw in macOS to Apple. They acknowledged the flaw then stopped responding to his emails. After three months he disclosed the bug. After four months Apple still has not fixed the problem.
ChromeOS is the operating system on Chromebook laptops and Chromeboxes (tiny desktop computers). These are some configuration suggestions.
Bluetooth is enabled by default. If you don't need it, turn it off.
When a Chromebook wakes up from sleeping, it can either be ready to use immediately, or, require either a PIN or the Google account password to unlock it. There is no one right choice, just be aware that you can opt for security or convenience. The option is in Settings, look for Screen Lock. It is called "Show lock screen when waking from sleep".
When you first setup a new Gmail account on a Chromebook, there is an option to send telemetry to Google. Look for this and uncheck it. I don't know if this can be changed after the fact.
Chromebooks are Wi-Fi creatures, but you can also plug an Ethernet adapter into a USB port and make them more secure by using Ethernet for the Internet connection. It automatically uses Ethernet when available, still, you are safer if you disable the Wi-Fi.
Own a Chromebook? Starting around Feb. 2020 (Chrome OS v80) the expiration date of the Operating System will be displayed in Settings, in the About Chrome OS section. Look for the "Update Schedule".
Kids: How to securely set up your own Chromebook for your kid’s remote school learning by Kevin C. Tofel (April 2020). Process starts at Settings -> People -> Parental Controls -> "Set up" button while logged on as the child. Family Link is the name of this feature and it lets adults allow access to only specified websites, limit screen time and approve/block Android apps. Adult gets prompted to install the Family Link mobile app on their phone - it is optional.
iOS users should hold off installing new versions of the operating system for a few weeks. Thereafter, do not wait to install the bug fixes that follow. iOS version 13, in particular, has been a disaster with a flood of bugs fixes in the weeks just after it was released. That said, this advice pre-dates iOS 13.
This App Will Tell You if Your iPhone Gets Hacked by Lorenzo Franceschi-Bicchierai for Vice (Nov 2019). About the iVerify app from security firm Trail of Bits. It costs $3. The app also includes how-to guides for improving privacy and reducing the chances of getting hacked.
Medical Emergency: First responders are trained to look at phones for emergency contacts and medical information. To configure: Health app -> your profile photo -> Medical ID -> Edit. Fill in anything an emergency responder should know. Make sure "Show when locked" is turned on, then Done. To see it, from the lock screen, tap on Emergency Call and then Medical Info. More here: Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
All apps can read the clipboard, even when they are not running. This flew under the radar until June 2020 when beta versions of iOS 14 started reporting on it. Many apps were doing it. The camera app embeds your location in every photo. Copy a picture and apps can learn your location without having location access. There is no defense (that I know of) in iOS 13. In iOS 14 there is a warning, not yet (July 4, 2020) sure if there will be a defense.
iOS Defense: Do not use the Safari web browser. I say this both because it is a prime target for hackers and because there have been a number of vulnerabilities with it, such as this one in Jan. 2020.
iOS 13: Silence unknown callers is a great feature. If someone who is not in your Address Book calls, the phone will not ring, the call will go to voicemail. The call does show up in Recent Calls list. Enable it: Settings -> Phone -> Silence Unknown Callers.
iOS 13: Be sure to review everything in Settings -> Privacy
iOS 13: You can set an iOS device to erase all data after too many failed attempts to enter the PIN/passcode. In Settings, go to "Touch ID & Passcode" or "Face ID & Passcode". Then, Erase Data. Seems like the only choice is 10 bad passcodes.
iOS 13.3.1: For the iPhone 11 only. Settings -> Privacy -> Location Services -> System Services -> Networking and Wireless has a new Location
toggle for the ultra-wideband service. This was a bug fix because the U1 chip was broadcasting your location even with the normal location settings turned off.
The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Amazon, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings, deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. More. Geoffrey Fowler, of the Washington Post, who focuses on Privacy, said it was his favorite app of 2019: "In clear language and colorful illustrations, it explains the real choices we have and makes recommendations like you'd get from a really clued-in friend."
One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. I don't know if this is possible on an iPhone.
iOS 13 Parental Controls: Guided Access can limit iOS to a single app. Enable it with: Settings -> Accessibility -> Guided Access
iOS 13 Parental Controls: Screen Time can set all sorts of limits. Enable it with: Settings -> Screen Time. Prevent kids from using certain apps, installing new apps, disable in-app purchases, block access to certain websites and control who kids are are able to contact. It also does assorted usage auditing. More from Apple (Dec 2019) and Macrumors (Dec 2019).
To require a password before using an app, see How to Lock Apps on iPhone and iPad by Rosa Reyes (Nov. 2019). Covers five different techniques that work with iOS 13, iOS 12, iOS 11 and earlier: Screen Time, Restrictions (aka Parental Controls),
Guided Access, Touch ID / Face ID and, on jailbroken phones, third-party apps.
Backup: Back up iPhone by Apple for both iOS 13 and 12. No date. From their iPhone User Guide.
Anything copied to the iOS clipboard/pasteboard can be read by any app. If a picture is copied, then GPS location information, which is embedded in the image, is easily available to apps. Tested with iOS 13.3. Apple was told about this in Jan. 2020 and they will not change anything. The defense should be to deny the camera app access to location information, but iOS can not do that. From: Security demo reminds iOS users that any app (or widget) can read the clipboard silently by Benjamin Mayo (Feb 2020)
Three system-wide ad and tracker blockers:
The Guardian Firewall +VPN app from Sudo Security blocks trackers, phishing, malware and page hijackers. It does not claim to block block ads. The app is free to install and see what it will block if you pay for the app. You can pay by the day, month ($10), quarter or year ($100). The paid app is a real VPN. Blocking is done at the VPN server, not on the iOS device. From a trustworthy source. See About the Guardian iOS Firewall App by me (Aug 2019). Website: guardianapp.com
The Lockdown app blocks both ads and trackers. It is open source and blocking is free.
Blocking is done on the iOS device, nonetheless, it installs as a VPN and can not run alongside a real VPN. When it is active, you do not see a VPN indicator. In my testing I found that the app said it was on even when it was off. It has a blacklist but no white list. There is a paid upgrade to a VPN but the website (lockdownhq.com) says nothing about who created the app and for that reason I can not recommend the paid VPN.
As of Feb. 2020, the list of blocked domains had not been updated for 7 months.
Both apps log what they block, and you can see the log on the iOS device, but neither pinpoints the app being blocked. Neither logs what they they did not block. Both claim to be a firewall, but they are not, at least, not in the traditional sense. They are domain blockers. iOS does not have a firewall.
The nextdns.io app competes more with Lockdown than Guardian. I prefer it over Lockdown because it is more functional and more customizable. To begin with, it logs all DNS activity, not just blocked domains, which helps you create your own black list. It also does white listing. It can apply to one device, multiple devices or an entire LAN. Logging is both customizable and optional. The app itself can be password protected. NextDNS also does encrypted DNS with DoT and DoH. Like Lockdown, it installs as a VPN but you do see an active VPN indicator on the status bar when it is running. One drawback is that the logs are not visible in the app, you have to use the nextdns.io website to see them.
To lock an iOS device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
Update June 18, 2020: On iOS 13.5.1 (tested on an iPad) it seems that that it is no longer possible to block the camera from storing location information.
Block the camera from having access to location information: Settings -> Privacy tab -> Location Services -> Camera -> select Never. To check if a photo includes location info: swipe up while viewing the picture in the photos app. If it does have location info there will be a map. To share the photo without location info, click the share button, click Options near the top of the screen, then switch off the toggle for Location.
Apple can read your iCould backups. To backup an iPhone securely, back it up to a Mac or Windows PC and password protect it. More.
iOS 13: As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When the site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
You can tell when a web browser is using a secure encrypted connection. Not so with mobile apps. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, it's a scam and there is no defense.
FYI: iOS network security seems poor and nothing can be done about it. For one thing, TCP/IP ports are closed rather than stealth (see nmap scan).
iOS 13, and many earlier versions, seem to have a backdoor. TCP port 62078 is open and can not be closed - there is no firewall in iOS. The port is not listed in TCP and UDP ports used by Apple software products. This open port has been known about at least since 2013
(here and here and here). I tested multiple VPNs (OpenVPN, Windscribe, ProtonVPN, Lockdown firewall and the Guardian firewall) and none blocked access to the port.
FYI: Apple is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Just like Android, iOS lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.
It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android. No expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.
Pre-installed crap: A Nov. 2019 report from Kryptowire looked at pre-installed threats (bugs and vulnerabilities) on phones sold by US carriers. They looked at a range of Android devices, from low-end to flagship. See also their Mobile Vulnerability Analysis) (PDF).
The safest Android phones are the Pixel line from Google which is updated at the start of every month with bug fixes. Pixel phones are also less likely to come with pre-installed bugs, malware and/or spyware. My guess is that Pixel phones purchased from Google will be safer than those from a cell company. That said, phones running the "Android One" version of the operating system should also be safe, and cheaper. Android One is said to get OS updates for 2 years and bug fixes for 3 years. I have not seen confirmation of this. The updates come from Google.
Medical Emergency: First responders are trained to look at our phones for emergency contacts and medical information. In general, search Settings for "Emergency information" On Samsung: Phone app -> Contacts tab -> My Profile -> bottom of the page. On Pixel with Android 10: Settings -> About phone -> Emergency information. There is one section for Medical information and another for Emergency contacts. To see the emergency information: When prompted to enter the passcode to unlock a phone, tap on the word Emergency, then you are on your own as each Android phone is different. On a Pixel with Android 10 there is an Emergency Information button at the top of the screen. More here: Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
Set a lock screen message in the hope that a lost device is found by an honest person. Something like: If found please call 111-222-3333 or email email@example.com. I use an email address that is auto-forwarded to more than one email address. A baby mailing list, if you will.
Android 8: Settings -> Security and Location -> Lock screen preferences -> Lock screen message
Android 9: Settings -> Lock screen -> Contact information
Android 10: Settings -> Display -> Advanced -> Lock screen display -> Lock screen message
A big reason for Android's security problems are the lack of bug fixes. Most Android devices are shamefully vulnerable both because fixes are late in being issued (if they are ever issued) and then late in being installed. Here's an idea: before buying an Android phone try to find out when bug fixes for it will be released. Lotsa luck. The correct answer is once a month. Better still, try to find out when the last bug fixes for the phone will be issued, that is, when the software will be abandoned. You will not get an answer to either question.
Android Defense: Only install apps from the Play store (miserable name for the app store). Do not use side loading (aka sideloading) to install apps from outside the Play store. Side loading is OFF by default. Also, do not install apps that come to you via Telegram or WhatsApp messages. If you must sideload, APK Mirror is a trustworthy source. Android 8 and 9: Settings -> Apps & Notifications -> Advanced -> Special App Access -> Install Unknown Apps. For each app capable of sideloading, it will say "Not allowed" by default. Again, this is the safe setting.
Android 10 (aka Q): When an app asks for access to location data, there is a new option to only allow this while the app is in use. Also, there is a new Privacy section in system Settings.
You may be able to set an Android device to erase all data after too many failed attempts to enter the PIN/passcode. On one Android 10 device: Settings -> Lock screen -> Secure lock settings -> Auto factory reset (after 15 bad passcodes). However, two other Android 10 devices and an Android 8 device had no option for this at all. I have read that it might be at Settings -> Security & Location -> Screen lock.
The first time you power on an Android 10 device: Turn off Allow Scanning. This allows apps and services to scan for WiFi networks and nearby devices at any time, even when Wi-Fi or Bluetooth is off. Also, turn off the option to send usage and diagnostic data.
One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. Android 10 reports Wi-Fi usage separately from 4G/LTE usage. Both are in the Network and Internet section. Then Wi-Fi -> Wi-Fi data usage -> see example. And, Mobile network -> App data usage -> see example.
Gboard is the Google Keyboard app. If it is installed, go to Settings and search for Gboard. Turn off the "Share usage statistics" option. This sends keyboard usage statistics to Google. Maybe also disable the "Improve Gboard" option.
Ads: Android 10: Settings -> Privacy -> Advanced > Ads. Turn on "Opt out of Ads Personalization". Or, it might be at: Settings -> Google -> Ads. While there, also click on "Reset advertising ID". The Ads Personalization option may not exist on Android 8 or 9, so try searching in Settings for "ads". A January 2020 report from the Norwegian Consumer Council points out that there is no OS enforcement of your opting out of personalized ads, it is up to each app to honor this request. So, a scam.
Usage & diagnostics: In Android 10: Settings -> Privacy -> Advanced -> and disable Usage & diagnostics.
The Android Play Store allows many apps to share the same name. Before installing an app, check who created it, to insure it is really the app you think it is.
The Jumbo Privacy + Security app increases your privacy on Facebook, Twitter, Amazon, Google and Alexa. It adjusts Facebook privacy settings, deletes old tweets, erases Google Search history, deletes voice recordings stored by Alexa and more. As of Jan 2, 2020 it was rated 687 times in the app store with an average rating of 4.8 (very high). More here and here.
To learn about the trackers and permissions in Android apps (both how many, and which ones) see Exodus, the privacy audit platform for Android applications. The MLB app (baseball) is a cesspool of spying.
appcensus.io evaluated Android apps and reports on the data they phone home with. I looked at the site in Feb. 2020 and it seemed to have been abandoned.
System wide ad and/or tracker blocking:
Private DNS on Android 10 is a single OS setting that changes the DNS server system-wide, for all Wi-Fi and 4G/LTE networks. It uses DoT for encrypted DNS. You can combine this with DNS based ad and tracker blocking to get blocking without having to install an app or define a VPN. The really amazing aspect of this is that it works even in combination with a VPN (I tested four VPNs). My preferred DNS blocker is
nextdns.io (more below). You can also use AdGuard by specifying dns.adguard.com or dns-family.adguard.com.
Private DNS on Android 9 differs from Android 10 when it comes to VPNs. By default, an active VPN on Android 9 will impose its DNS servers and the Private DNS will be ignored. The one exception I found is Mullvad, which does not have their own Android app, but relies instead on the OpenVPN app. There is an option in the OpenVPN app to specify your own DNS servers. Mullvad generally ignores this, except when you connect to them on a specific port.
Private DNS does not exist on Android 8 or earlier. These older versions require changing DNS settings for each Wi-Fi network and again for 4G/LTE. You will need to install an app that, no doubt, will create a phony VPN just to get control over DNS.
For DNS based blocking, I suggest nextdns.io. It is a fairly new player in the field and is in beta as of Feb. 2020. Documentation is miserable and the number of features is extensive, so it expect it to take some time. Sign up for a free account. Tweaking of the block rules can be done at any time. Make a note of the DNS over TLS hostname, it will be something like abc123.dns.nextdns.io. Turn on Private DNS and set the DNS over TLS hostname as the "Private DNS provider hostname". Extra credit: identify the device in the (optional) logs by using a name like harveyphone-abc123.dns.nextdns.io as the hostname.
The Blokada ad blocker is free, open source and not allowed in the Play Store. Google profits off ads, so they do no like ad blockers in the Play Store. Thus, you have to side load the app. It installs a VPN, but only to enable the intercepting of all DNS requests. It is not a real VPN and it can not run alongside a real VPN. It may also block some trackers. Great feature: customized white and black lists. Blokada also offers a paid VPN in the Play Store, see the VPN topic for details. More: How Blokada works and Blokada Help.
The Lumen Privacy Monitor spies on the apps that spy on you. It seems to have been abandoned, but I found it functional on Android 9 and10. It was/is from the International Computer Science Institute at UC Berkeley. It is not a VPN, but it installs as a VPN and thus can not run alongside a real VPN. It shows all the domains an app calls out to and lets you block them just for the one app or system-wide. It also shows how often an app uses HTTPS vs. HTTP. Although it identifies ad/tracker domains, it does not block anything by default. It reports on data leaks, showing both the type of data that was leaked and which app leaked it. It intercepts TLS, a feature that requires you to install their certificate. There is no one list of blocked domains, so when a blocked domain stops an app from working, ugh. It does not replace or encrypt DNS. It phones home as part of the research project. Website haystack.mobi.
To lock an Android device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
Block the camera from having access to location information. Android 10: Settings -> Privacy -> Permissions manager -> Location -> Camera app -> choose Deny. On some Android devices, camera apps have their own GPS setting. To see if a photo has location info, view it in the Google Photos app and swipe up. The Google Photos app can strip location info from a photo before you share it: Open the Google Photos app, click the hamburger menu in top left -> Settings -> turn on Remove geo location. This only works in the Google Photos app. Also see the Location Tracking topic.
Also see the Mobile OS Spying section which has some privacy focused Android alternatives.
The simple question, does an Android device have the latest available bug fixes, is far too hard to answer. iOS does this much better.
Finding the right place in the Settings to check for OS updates has always been like navigating a rat maze
For years the initial screen has lied to us and said that the device is up to date on patches/bug fixes. Many times, it said it last checked hours ago, yet when I clicked on the CheckForUpdates button, it found a missing update (last verified Feb. 2020 with a Pixel 3A running Android 10).
Android is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Like iOS, Android lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.
For messaging apps, End-to-End encryption is the top of the line. It means that data/files are encrypted before leaving your device and stay encrypted until they arrive at the destination device. End to end encryption is offered by Signal, Wickr, Wire, WhatsApp and others. Be aware however that end to end encryption does not protect messages stored on the device that sent them or the device that received them. If either device is seized, the messages probably can be read (there may be an app configuration setting for this). On mobile devices, messages can also leak if: the sender's device was hacked, the recipient's device was hacked or the recipient is simply not trustworthy and leaks messages, either on purpose or by accident. Even with messages that self-destruct, the recipient can take a picture of their screen showing a message. On Android, someone could be tricked into installing a hacked app from outside the Play store. Even within the Play store, there may be multiple apps with the exact same name. A scam copy of an app can look exactly like the real thing, do what the real app does, but, also leak messages.
Mobile is probably not the best place for secure communication. On mobile devices, you can not see the end to end encryption, so you have to take it on faith that data is really encrypted. In contrast, with secure websites, the browser indicates when encryption is used and assorted websites can test and verify the encryption. Also, when looking at a website, you can tell what computer you are communicating with. In contrast, this is hidden when using mobile apps. As for erasing messages after you send them, a Chromebook in Guest mode does not have this problem as everything is erased when you log off. Absolutely Everything.
There are at least a dozen or more software programs that claim to offer secure communication. Amongst techies, Signal is well regarded. It's security is very good, but not perfect. It is worshiped like a religion despite using phone numbers, which obviously identify you, as userids. Techies seemed focused on encryption while ignoring anonymity. This is a mistake, it can be critically important to hide who you communicate with. The exact same thing happened with PGP, which encrypted the body of email messages while leaving the sender and recipient visible. Competing with Signal is Wickr which does text messaging, audio calls, video calls, file transfer and more.
On the Feb. 21, 2020 episode of his Privacy, Security, & OSINT podcast, Michael Bazzell recommended Wickr over Wire and Signal. For Signal, he suggested using it with a Google Voice number that is only used with Signal.
My suggestion for secure communication is to use plain old simple boring webmail, but, only between two users of the same secure email provider. Two good choices would be ProtonMail and Tutanota. Neither company can read messages sent between their customers. Both offer free limited accounts. Using webmail means that the browser can prove that encryption is being used. Webmail can also be used on a Chromebook running in Guest mode. Guest mode offers a virgin OS, with no information about you at all, and it is guaranteed to leave no trace of your actions. I am out of step here with every techie in the world.
Most off-site file services can read your files. They may say that your files are encrypted in transit, but that matters not at all. They may say that your files are stored encrypted, but that too does not matter. What does matter is who can decrypt the stored files. Use Windows? Use the OneDrive feature? Then Microsoft can read the
files you store there. Likewise, Apple can read anything stored in iCloud. And Google can read files stored on Google Drive (used by Android and ChromeOS), Dropbox can read your files too, and Amazon can read files stored on their Drive offering. And, if they can read your files, think what the US Government can compel them to do. To evaluate any file storage/backup service ask what happens if you lose/forget the password/key? If the answer is that they can't help you, and you have lost access to your data, then the vendor can not read your files. Me? I encrypt my files before sending them off-site.
No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do. This section may be a bit haphazard because not being a Facebook user, I can't verify things.
Facebook's surveillance is hard to avoid. They partner with websites, apps and stores to track you when you are not using Facebook. Geoffrey Fowler of WaPo wrote about this in Jan. 2020: Facebook will now show you exactly how it stalks you - even when you’re not using Facebook. The article is focused on a new "Off-Facebook Activity" tool. To be spied on, you don't have to be logged in to the Facebook app or website. Companies can report other identifying information to Facebook, enough to match you to your Facebook account. Fowler found that Home Depot told Facebook when he visited its online store, viewed an item or added an item to a shopping cart. Other spies he found were The Atlantic, Amazon's Ring app, the Peet’s Coffee app, Pete Buttigieg's website and the website for an HIV drug.
To see information Facebook knows about your activity in other apps and on other websites, see Off-Facebook Activity. From Facebook, you can get to the same data with Settings -> Your Facebook Information -> Off-Facebook Activity. This was introduced in Jan. 2020. Fowler (above) suggests clicking on "Clear History" to remove that data. To have Facebook stop using your off-Facebook activity,
look for "Manage Future Activity" and then make sure "Future Off-Facebook Activity" is turned off. Note the word "using" - they will still collect the data.
In Timeline settings turn on the option to review posts you are tagged in before the post
appears on your timeline. Settings -> Timeline and Tagging -> Review section -> enable both options.
In the Facial Recognition settings, set "Do you want Facebook to be able to recognize you in photos and videos?" to No.
In the Ad Preferences settings: Under Your information, turn off
ads based on your relationship status, employer, job title and education. Under Ad settings, set "Ads based on data from partners" and "Ads
based on your activity on Facebook Company Products that you see elsewhere" to Not allowed. Also, set "Ads that include your social actions" to No One.
Change "Who can see your friends list" from Public to Friends or Only me.
Consider only letting friends see your posts rather than making them public.
Consider changing who can send you friend requests. It defaults to Everyone. Another option is "Friends of Friends."
Consider restrictions for "How people can find and contact you."
Turn off Location and Face recognition.
Set the default privacy setting for future posts to "Friends".
Restrict the visibility of your past posts to Only Friends with "Limit The Audience for Old Posts on Your Timeline" -> Limit Last Posts. Anything that was shared publicly or with friends of friends will be changed.
Clearview AI does facial recognition and was profiled in the New York Times (Jan. 2020). They copy pictures from many sources including Facebook. To block them, change a privacy setting, so that search engines can not link to your profile.
Configure: This ZDNet article has some tweaks for Facebook settings.
Configure: For help configuring Facebook for maximum privacy, consider the Jumbo mobile app. There are links to it in both the iOS and Android topics.
Don't share: your birthday, your current location or that you will be away from home for a while.
Goes without saying: use a long password for Facebook, and one that you do not use anywhere else.
From John Opdenakker (Oct. 2019). If you get a friend request from someone you don't know it's better not to accept it. This might be a scam and your online security and privacy might be in danger. Facebook friends can see all your profile information and even information about your friends. They can abuse this information to scam you and your friends.
In August 2019 we learned that Facebook Paid Contractors to Transcribe Users' Audio Chats (Bloomberg) just like all the providers of Voice Assistants. Contractors (it's always contractors, never employees) transcribed audio from people who opted in to having their Messenger app voice chats transcribed.
Facebook inflated the average time users viewed video on the platform. Facebook to Pay $40M Under Proposed Settlement in Video Metrics Suit October 2019. Professor Scott Galloway summed this up: The viewership metrics were inflated by 150 to 900%. Whole companies shifted their strategy to video. Companies going bankrupt, people losing jobs, FB gets away with 0.18% of annual income ($40M / $22B), a slap on the wrist.
Quite a quote about Facebook: "morally bankrupt pathological liars who enable genocide (Myanmar)" (ZDNet April 2019)
Facebook does not remove bad guys until they are publicly shamed in a high profile way (Brian Krebs, April 2019)
Fake reviews, fake products, fake sales and toxic products. Even Amazon's Choice is purposely misleading.
Amazon sells hand sanitizers that people buy as a defense against the COVID-19 coronavirus. To do that job, a sanitizer needs to be 60% alcohol. Many sanitizers have no alcohol and depend on benzalkonium chloride instead. Will Amazon do anything to protect us? No. Not only are ineffective products not flagged as such, then too, there is the price gouging on said products. When queried, Amazon said nothing. From: You Might Be Buying a Hand Sanitizer That Won’t Work for Coronavirus (March 2020) by Marshall Allen and Lisa Song of ProPublica.
Fake "choice": Amazon's Choice is a label awarded by an algorithm based on customer reviews, price, and, of course, whether the product is in stock. After all, selling is what Amazon does. Two outlets have exposed it as a scam. First: 'Amazon's Choice' Does Not Necessarily Mean A Product Is Good by Nicole Nguyen of Buzzfeed (June 2019). The article documents many bad products marked as an 'Amazon Choice'. Amazon declined to answer questions about exactly how items are selected. The article also discusses fake products on Amazon. Then: Amazon’s Choice Isn't the Endorsement It Appears by the Wall Street Journal (Dec 2019). They examined 27,100 Amazon’s Choice items. Nearly 1,600 appeared to have been manipulated to get the Choice label. Worse, many Choice products were dangerous. Some products products have safety concerns, some make false claims and some violate Amazon's own policies. Amazon chose the word "Choice" rather than "Recommends" because they knew it was a scam.
Fake Reviews: Manipulating Amazon reviews: Inside Amazon’s Fake Review Economy by Nicole Nguyen of BuzzFeed (May 2018). There is a vast web of review fraud. Merchants pay for positive reviews. Sellers trying to play by the rules are struggling to stay afloat amid a sea of fraudulent reviews and Amazon is all but powerless to stop it. This article: Her Amazon Purchases Are Real. The Reviews Are Fake. by Nicole Nguyen (Nov. 2019), profiles a woman who gives 5 star reviews in exchange for keeping the items for free. One take-away is that this activity could be detected by Amazon, if they cared.
Fake Reviews: One type of fraud is re-using reviews. Sellers take an existing product page, then update the photo and description to show an entirely different product. The goal is to retain the existing reviews so the product looks more legitimate. Few people buy a product with few reviews. Here's Another Kind Of Review Fraud Happening On Amazon by
Nicole Nguyen of BuzzFeed (May 2018). Hijacked Reviews on Amazon Can Trick Shoppers (Consumer Reports Aug 2019) Suggested defense: read the god and bad reviews and some old reviews. Just relying on the star rating and the number of reviews leaves you vulnerable to this scam.
Fake Reviews: Another reason not to trust Amazon reviews, from one of the above articles, was the story of a one-star review that was removed by Amazon after
the buyer got a refund. The buyer could not get Amazon to restore the bad review.
Fake Helpful Reviews: Also from the above article - some sellers hire people to hit the 'Helpful' button on a particular review so that it appears first.
Fake sales: A warning about fake sales on Prime Day from Ars Technica. Quoting: "... most of this year's Prime Day deals aren't really deals at all. Amazon will promote thousands of 'discounts' over the next two days, but with that much volume, the majority of those offers will naturally have less-than-special prices or apply to less-than-desirable products. Many 'deal prices' are relative to MSRPs that products have not sold at for months..." (July 2019)
Batteries: Test them immediately. This is a lesson I learned the hard way. In January 2020 I bought a package of AA Duracell batteries. In April 2020, I opened the package only to discover that they were all dead. The package claimed that the batteries last 10 years in storage. The batteries were dated March 2028 and they were sold by Amazon.
Defense: Before buying from an unknown seller, be aware that you probably have no recourse for defective products. More here (Kate Cox July 2019)
and here (Louise Matsakis July 2019).
Sometimes, as seen here, it costs only 4 cents more to buy from Amazon.
Defense: From Nicole Nguyen: Do a search to see if the company selling the product has a legitimate website. Also check if the item has been reviewed by a publication or site dedicated to consumer products. And, Here's One Way To Tell If An Amazon Product Is Counterfeit by Nicole Nguyen of BuzzFeed (March 2018).
Does Amazon know your Wi-Fi password? They want to save it to make setting up new Alexa devices easier. To check, login to Amazon, click Accounts & Lists at the top of the page, then Your apps and devices, then go to the Preferences tab, look for the Saved Wi-Fi Passwords section.
Privacy: Amazon tracks everything you do. It is best to do your virtual window shopping in Private Browsing Mode while not logged in. Then, from another browser, login and go directly to the items you want to buy.
Data: You can request the data Amazon has stored about you. Episode 165 (April 10, 2020) of The Privacy, Security, & OSINT podcast discussed this and offered this link: How Do I Request My Data? The show warned that Amazon requires a phone number, they send a text with a PIN code to the phone and they store the phone number as part of the account information.
A security hole: A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months by Shaun Nichols Oct. 2019. Smart TVs and Roku devices do not appear in the list of devices associated with your Amazon account. Yet, each can be used to buy stuff. This story is about a Smart TV that was making purchases billed to someone who did not own the TV. How it happened is a mystery. Changing the Amazon password and 2FA did not stop the TV. There is no real defense. The response from Amazon was quite poor.
FYI: You Might Be Buying Trash on Amazon - Literally by Wall Street Journal (Dec 2019). After becoming aware of dumpster divers selling discarded garbage on Amazon, the reporters did just that. It was easy. Amazon did not ask about the origins of the stuff they sold or, for food, the sell-by date. Warehouse workers are supposed to identify problematic products but often there is too much stuff and too few workers, so things get missed, both accidentally and on-purpose.
Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.
Google Account: See what Google knows about your travels using their Maps Timeline. Sometime in Oct or Nov 2019, Google will introduce a new Incognito mode in the Google Maps app. To turn it on: tap on the account icon in the upper-right corner, then click Turn on Incognito mode.
Automatic Deleting: start at myaccount.google.com /activitycontrols. Note that if something is in a Paused status, it is still keeping a history. To set it to auto-delete, you will have to enable it first. Several Google products, including YouTube, can be set to auto-delete here. As of Oct. 2019 the only choices are auto-delete after 3 or 18 months. To auto-delete search history, use Web & App Activity. Then again, see Google's auto-delete tools are practically worthless for
privacy by Jared Newman October 2019
Searching: Minimize Google tracking by not being signed in to Google when making queries. You can tell if you are signed in by checking the upper right corner of the screen (see screen shots). A single letter in a circle means you are signed in, a blue "Sign in" button means you are not. Or, use a search engine that does not record your search history such as DuckDuckGo. See Top 5 Private Search Engines by Security Trails (Dec. 2019).
Google Maps: is full of fake business listings. Big June 2019 story in the Wall Street Journal. More here and here. Hundreds of thousands of fake listings are created each month. Total scam businesses estimated at 11 million. In 2018, Google removed more than 3 million fake businesses. Google's PR response included this: "it's important that we make it easy for legitimate businesses to get their business profiles on Google". Translation: nothing will change. Here is how to report one fake and how to report multiple fakes.
Browsing: Here is another reason not to be logged on to Google all the time - the latest version of their reCaptcha might be logging every web page you visit.
If you have Nest Cam or Nest thermostat be aware that according to this April 2019 article in the Washington post, Nest security is sub-optimal. The article suggests using a unique password (always a good idea) and two factor authentication with the device.
Taking a step back ... Google? Really? In a camera in your home? Really?
Speaking of Nest: the Nest camera, Nest Hello doorbell and Dropcam cameras no longer (as of Aug 2019) let owners disable the status light that indicates the camera is on. Google did this for privacy reasons but some people don't like advertising the camera's existence to intruders in a dark room. Just cover the light with tape. And, be sure to apply bug fixes to the Nest Cam IQ (Aug 2019).
Google Calendar: A new type of SPAM. Bad guys can email invites to scam events and Google will add them to your calendar without your confirmation. To stop this, go to calendar.google.com, login, click the gear icon, go to Settings, then Event settings, then "Automatically add invitations" and select "No, only show invitations to which I have responded". Maybe also disable automatically adding events from Gmail to your calendar.
Artificial Intelligence allows bad guys to learn someone's voice and vocal patterns and then manipulate it to scam people. Not sure if there is an official term for
this yet, perhaps voice fraud, voice phishing, vishing, deep voice, voice cloning, voice swapping or deepfake audio.
Background: Deepfake Audio Used to Impersonate Senior Executives (CPO Magazine July 2019). The attacks seen so far have used background noise to mask imperfections, for example simulating someone calling from a spotty cellular phone connection or being in a busy area with a lot of traffic.
Defense: How To Spot Deepfake Audio Fraud (Aug. 2019). The quality of the fake voice can be excellent for non-conversational audio, such as a statement. However, it suffers when engaged in a conversation. When in doubt, call the person back.
Another installation-time warning from Microsoft says "Office includes experiences that connect to online services ... When you use these experiences, Office collects service diagnostic data. In addition, some of these services analyze your content to deliver suggestions and recommendations. To adjust these privacy settings, go to File > Account > Account Privacy"
Connected Experiences in Office by Microsoft, applies to Office 365 and says Microsoft will " ... use your Office content to provide design recommendations, editing suggestions, data insights, and similar features ... If you'd like to turn these experiences off, go to any Office 365 application ... and go to File > Account > Manage Settings (In Outlook it's under Office Account). There you can disable or enable, either category (or both)".
Office 2016: In Word 2016, I did File -> Account and there was no option at all for Account Privacy. Instead, there was an option to "Sign in to Office". So, what level of spying is employed in this case? I don't know.
To improve the security and privacy of Twiiter, logon to twitter.com in a browser, then do: More -> Settings and Privacy -> Privacy and Safety and
Turn off Location information
Turn off Photo tagging
Turn off Personalization and data
Review options to "Recieve messages from anyone" and "Discoverability and contacts"
You can configure an account to accept Direct Messages (DMs) from just people following you or from anyone in the world.
Don't share: your birthday, your current location or that you will be away from home for a while.
Two Factor Authentication: As of Nov. 22, 2019, Twitter lets you get started with 2FA using an Authenticator app. In the old days you had to start with SMS first which meant giving them your phone number. From twitter.com do: Settings & Privacy -> Account -> Security -> Two-Factor Authentication.
TweetDelete is a service that can mass delete Twitter posts based on their age or specific text they contain.
Twitter account security and privacy 101 by John
Opdenakker (June 2019). NOTE: As of Nov 22, 2019 the section on 2FA is obsolete. Also, Privacy settings. Fallback if 2FA fails is a one-time use password.
If you care about privacy, you are probably better off using Twitter in a web browser, rather than the Twitter app.
NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.
Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or, make the password for it very long and very random.
Don't allow direct access to the NAS from the Internet. On Synology, that means avoiding QuickConnect. Also, disable UPnP in the router to prevent the NAS from opening ports for itself. My Test your Router page links to many websites that offer tests of the firewall in a router.
If open ports are necessary, do not use the default ports.
Synology offers a Security Advisor app that runs on the NAS. QNAP offers both a Malware Remover and a Security Counselor app in their App Center.
Both companies offer protection from brute force password guessing. For Synology it is Auto Block (Control Panel -> Security -> Auto Block tab in DSM 5 and Control Panel -> Security -> Account tab in DSM 6). For QNAP it is Network Access Protection.
If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
As always, disable features not being used; perhaps SSH and Telnet access.
Roku and FireTV: Leave them powered off when not in use. Less spying and you save on electricity.
Roku: Check these settings:
System -> Advanced System Settings -> Control by Mobile Apps -> disable "Network Access" (verified on Roku OS 9.1.0)
Privacy -> Advertising -> turn the Limiting of ad tracking on and reset the Advertising ID
Privacy -> Microphone -> Channel microphone access -> Never allow
System -> Screen Mirroring -> set Screen Mirroring Mode to either Prompt or Never Allow
Fire TV: Go to Settings -> Preferences -> Advertising ID and Disable Interest based ads
Roku TV: From How to Disable Interactive Pop-Up Ads on Your Roku TV by Chris Hoffman October 2019. As of Roku OS 9.2, the TVs display pop-up advertisements over commercials on live TV. If an advertiser has partnered with Roku, that advertiser can display an interactive pop-up ad over the normal commercial. This only applies to Roku TVs, not the external sticks or boxes. To disable it: Settings -> Privacy -> Smart TV Experience -> disable "Use info from TV inputs".
Things are bad: You watch TV. Your TV watches back by Geoffrey Fowler for the Washington Post September 2019. No defense offered. Discusses ACR (automatic content recognition) on Smart TVs. Quote: "some TVs record and send out everything that crosses the pixels on your screen. It doesn’t matter whether the source is cable, an app, your DVD player or streaming box." They watched the data a TV transmits using IoT Inspector software from Princeton University.
Defense: The article above notes that a profile is formed based on the public IP address of your home. One defense is to connect the TV to a router running VPN client software. This hides your public IP address.
Defense: a router that supports outbound firewall rules, such as the Pepwave Surf SOHO, can block the TV from phoning home. First, watch where it sends data, then block these transmissions one a time (in case some of them are necessary). Using a Raspberry Pi running Pi-Hole for DNS should also be able to block a TV from phoning home. Or, a free account at OpenDNS lets you audit the DNS on your home network and block some domains.
Defense: one type of attack comes from the LAN. Roku, and perhaps competing devices, can accept commands using HTTP from the LAN. To prevent this, isolate the streaming box. If using Wi-Fi, connect it to a Guest network. Some, not all, routers will isolate Guest network users from each other, blocking this type of attack. More advanced users can put the streaming box in a VLAN. The first suggested Roku setting above, should also block this, but it only applies to Roku and may change in the future.
There are many articles about blocking Roku monitoring by blocking access to assorted domains and sub-domains. For a long time now I have blocked all access from my LAN to scribe.logs.roku.com and cooper.logs.roku.com. My Roku box works just fine without these. I chose them because they were the most popular logs my Roku box was accessing.
Roku networking: I have seen a Roku 2XS running firmware 9.1.0 make outbound requests to the Google DNS server at 18.104.22.168, port 53, using TCP. This is suspicious for multiple reasons, one being that the router assigns other DNS servers. Thus, the use of 22.214.171.124 is hard coded into either the Roku system or one of the channels. One reason to do this is to avoid DNS based restrictions in the router. Also, UDP is the norm for DNS, not TCP. I have not captured the actual packets.
More Roku networking: I always see the same Roku 2XS box making outbound connections to IP address 172.29.243.255. This should never occur as this is a private IP address, one that can never exist on the Internet. These connections use UDP and both the source and destination port are always 1975. This seems to be part of the OS, I see it even when just powering on and not using any channels. I contacted Roku about this and they would not explain why this happens.
SMART TVS GETTING HACKED
(topic created Dec. 4, 2019) top
Oregon FBI Tech Tuesday: Securing Smart TVs
(Nov 2019). A smart TV is a computer that bad guys might be able to hack into. Many Smart TVs have microphones so that you can shout at them to change the channel. Yet another thing that can be hacked. A number of smart TVs also have built-in cameras. If you can find the camera, but tape over it. Some TVs use the camera for facial recognition so the TV knows who is watching and can suggest programming appropriately. Ugh. Suggested defense: know exactly what features your TV has and how to control those features. Do a net search on the TV model using words like "microphone," "camera" and "privacy."
Also, review security settings.
Smart TVs getting hacked: Watch a Drone Take Over a Nearby Smart TV by Andy Greenberg in Wired (Aug 2019). About hacking into smart TVs that use the internet-connected HbbTV standard. Weaknesses in HbbTV could be combined with vulnerabilities in Samsung smart TVs to gain full remote access to the television sets. This remote access persists even after the TV is turned off.
Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds (Feb 2018). Much ado about nothing. They found flaws in sets from TCL using the Roku TV platform and in Samsung, which uses their own Tizen operating system. Other brands that use the Roku TV platform, are also vulnerable, as are Roku boxes. However, the Roku attack has to come from your home and I have the defense in the
TV watches you topic (first item). The article does not walk you through the defensive configuration. The Samsung attack can only be exploited "if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious web page using that device."
(topic created Nov. 28, 2019) top
When there is too much electricity a surge protector is designed to absorb the overload and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference.
As a rule, you get what you pay for with surge protectors. If you need to protect something very important or very expensive, than spend more for the surge protector.
It is very likely that any surge protector will eventually fail. What then? Some will continue providing un-protected power after they have failed. Others will cut off the power rather than leave you unprotected.
Be sure to look for a surge protector that has a visible indicator of whether it is providing protection or not. Also, a Ground indicator is good to have.
Surge protectors are sold based on Joules which is not the most important criteria. PenLight, a power company in the US, says"Joule ratings can be misleading ... Joule ratings are an unreliable measurement for determining a products surge capacity because there is no test standard. The Joule rating listed on a surge protector’s package is determined using an unknown method by the manufacturer."
What is a surge? There is no one answer, different devices kick in at different levels. The amount of extra electricity that is allowed is referred to as both the let-through voltage and the clamping voltage. The lower the let-through voltage, the better the protection. The lowest (best) UL 1449 rating is 330 volts. You may see devices rated for 400 or 500 volts.
Clamping response time is how quickly the device responds to a surge. Faster is better. Nanoseconds (billionths of a second) are good. Picoseconds (trillionths of a second) are the best.
If you can't get the above specs for any particular surge protector, it might be that the vendor does not want you to know them because they are poor.
If Internet access is important, then, at the least, protect the modem and router with a surge protector. If Internet access is very important, then protect them with a UPS.
Surges are not limited to electrical lines, they can also be carried by telephone lines and cable TV coaxial cables. Some surge protectors also offer protection for cable and telephone lines.
Unplug computers, modems, routers and expensive electronics. Th power may come back on with a damaging surge.
Unplug all wires that feed into these devices. A power surge can also be transmitted over the coaxial cable used by cable TV or the phone line used by DSL
If you have a UPS, consider plugging a lamp into it, preferably, one with an LED bulb.
(last updated May 5, 2020) top
Anyone concerned with being tracked on-line needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on your computer into a unique identifier. Fingerprinting stems from looking at many, seemingly trivial, aspects of your computer and browser and combining that information into a profile/identifier. Most of the time, these profiles turn out to be unique, which lets websites track your behavior without cookies. Some attributes that are examined are: the computer operating system, what time zone are you in, what language your computer is using, how much RAM memory the computer has, the screen height and width in pixels, what web browser you are using, what version of the browser, what fonts are installed, what plug-ins are installed, what audio and video formats are supported by the browser, and much more.
Testing: one website for testing the fingerprinting of a web browser is amiunique.org. As of Nov. 15, 2019 they had collected 1,408,000 fingerprints. By March 12, 2020 it was up to 1,713,000.
Testing: the Panopticlick website from the EFF is similar to amiunique.org and dates all the way back to 2010. Fingerprinting has been an issue for a long time.
Testing: fingerprintjs.com/demo is a demo of how good fingerprinting can be from a company offering it as a service.
ChromeOS Defense: An excellent defense against fingerprinting is a Chromebook in Guest Mode. All Chromebooks of the same model running the same version of ChromeOS should share a fingerprint. Interesting fact: only 0.23% of the devices tested by amiunique.org were Chromebooks.
Tor Browser Defense: The Tor browser has a number of anti-fingerprinting features enabled by default. It runs on Windows, macOS, Android and Linux. Note however that websites will be very slow to load.
Firefox Defense: As of version 72, released in Jan. 2020, fingerprint defense is on by default. The browser blocks third-party requests from companies known to engage in fingerprinting. To verify this, look in Options -> Privacy & Security. To see if it blocked anything on the currently display web page click on the shield to the left of the address bar. See a screen shot from Computerworld and one from
metageek.com (desktop Firefox v73 March 2020).
Brave defense: Brave has two generations of defense. In March 2020 Brave announced their second defensive approach - randomizing fingerprintable values in ways that are imperceptible to humans, but which confuse fingerprints. Quoting: "This approach is fundamentally different from existing fingerprinting defense approaches ... [that] attempt to make all browsers look identical to websites (an impossible goal). Brave's new approach aims to make every browser look completely unique, both between websites and between browsing sessions." They claim this provides the strongest fingerprinting protections of any popular browser. Not sure when it will be released.
Their older defense is the Device Recognition option in the Settings. I found that it worked, see it reporting that it blocked two fingerprint attempts by Ars Technica. I tried both fingerprinting test websites (above) and, on each one, their first generation blocker blocked a fingerprinting attempt.
Defense: Disconnect offers a free browser extension that blocks trackers. Maybe it also blocks fingerprinting. They partnered with Mozilla in providing the Firefox defense.
No defense: Private browsing mode does not prevent fingerprinting. Neither does a VPN or the Tor network. Blocking cookies also does nothing.
No defense: Chrome, of course, offers no defense. Tracking people is what Google does.
FYI: The deviceinfo.me website shows many of the computer attributes used in fingerprinting.
OS Defense: The Tails operating system might be a defense. It is a version of Linux that runs off a boot CD/DVD/USB flash drive and always uses the Tor network and the Tor browser. Everyone using the same version of Tails will have much in common. However, attributes of the screen will differ. Also, it is a big pain to setup. And, again, the Tor network alone, is no defense.
PROTECTING CHILDREN FROM BAD ADULTS
(topic added Dec 10, 2019) top
This is not a subject I am at all familiar with. Thus, nothing but links and not many at that. Feel free to help me add to this topic.
You are safer when WhatsApp does not automatically download stuff (pictures, audio, video, documents) because you never know if the file is malicious. To prevent automatic downloads:
iPhone: Configuring auto-download from WhatsApp. By default, it automatically downloads images over a cellular connection. Audio and video will automatically download on Wi-Fi. To change this: WhatsApp -> Settings -> Data and Storage Usage. Tap on photos, audio, videos and documents and choose Never, Wi-Fi, or Wi-Fi and Cellular.
Android: Configuring auto-download from WhatsApp. By default, it automatically downloads images over your cellular connection. Other types of files? Doesn't say. To configure: WhatsApp -> More options -> Settings -> Data and storage usage -> Media auto-download. There is no Never option, instead you have uncheck a bunch of checkboxes as per the video.
From one of the articles below: Scammers all over the world have figured how best to game the Airbnb platform: by engaging in bait and switches;
charging guests for fake damages; persuading people to pay outside the Airbnb app; and, when all else fails, engaging in clumsy or threatening demands for
five-star reviews to hide the evidence of what they have done.
I Accidentally Uncovered a Nationwide Scam on Airbnb by
Allie Conti for Vice (Oct 2019). While searching for the person who grifted them in Chicago, the author discovered how easy it is for users of the short-term rental platform to get exploited. Much of the blame falls on Airbnb's loosely written rules and even looser enforcement.
In April 2019, Brian Krebs wrote about a service called Land Lords that creates Airbnb scams. A key piece of these scams are domains that look like airbnb.com, but, are not. The scam domain in the article was airbnb.longterm-airbnb.co.uk.
It looked exactly like the real Airbnb website and requested victims to sign. The fake site forwarded the legit Airbnb credentials to the real Airbnb, but only after recording them. Other domains used to scam Airbnb were: airbnb.longterm-airbnb.co.uk,
airbnb.request-online.com and airbnb-invoice.com. For another defense against this scam see the topic below on verified website identities.
TAX FILING IN US
(topic expanded Jan. 2, 2020) top
Many developed countries allow most citizens to file their taxes for free. In the US, this was the stated intent, but the scheme was corrupted. According to Pro Publica, TurboTax tricked customers into paying for tax preparation they could have gotten for free. TurboTax even has a service with the word "free" in it - that is/was not free. US taxpayers owe a debt to Pro Publica for their reporting on this.
PHONE NUMBER HIDING
(Topic added Feb 20, 2020) top
Hide your phone number by having more than one and giving out an alternate phone number when appropriate. I once checked my coat at a museum and rather than give me a ticket, they wanted my phone number. Ugh.
TextNow offers Wi-Fi only phone numbers (my term) that do voice and texting. Its a VOIP phone number and also works over 4G/LTE. The service is free with ads or $3/month without ads. No phone needed, its an app, so it can be installed on a tablet. Or multiple tablets. Or, an old Wi-Fi only cellphone. When a call comes in, and no device with the app installed is on-line, they take a message and email you that you missed a call. They also send a text transcript of any message left by the caller. I have used it for a while without ads and without complaint. If nothing else, its a great defense against SIM Swaps as no cellphone companies are involved.
In January 2020, TextNow started offering cellphone numbers on the Sprint network. If you have a phone that works on Sprint, they charge $10 for a SIM card. The service is free with ads or $10/month without ads.
Ting.com can be used for a permanent secondary, rarely used, cellphone number. To me, it makes the most sense to use it on an old cellphone. They do CDMA on Sprint or GSM on T-Mobile. It costs $6/month for the number and then you pay monthly for what you use: $3 for up to 100 minutes of talking, $3 for up to 100 texts and $3 for up to 100MB of data.
I have heard good things about textverified.com. They give you short-term use of a non-VOIP phone number that can be used for SMS and Text Verification on their website. They get the text and display it on their site. The explanation of their services for new users is miserable however, I could make little sense of it.
Google Voice is free but I would rather not have Google know more about me than they already do. Plus, it requires a cellphone number when you sign up, not the best way to hide said number.
In episode 141 (Oct 2019) of his Security, Privacy and OSIN podcast, Michael Bazzell told of how he gets a phone number for a week for $2.50. He buys two pre-paid Mint Mobile SIM cards for $5 on Amazon. Each comes with a one week free, limited trial. He uses them to setup assorted social media accounts. Once setup, converting the accounts to 2FA means never needing the phone number again.
On the June 26, 2020 episode of The Privacy, Security, & OSINT Show the show host, Michael Bazzell, went into detail on using a Mint Mobile pre-paid SIM card as part of a private cellphone number. He suggested buying the SIM cards at Best Buy and paying cash. Amazon also sells them.
There are many other companies offering similar services.
Just like web pages migrated from insecure HTTP to encrypted HTTPS, so too, DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.
Android leads the way among operating systems. Version 9 and 10 have a Private DNS feature that uses DoT system-wide. See the Android topic for more. Android versions 4 through 8 can use the Intra app from the Jigsaw division of Google. It installs as a VPN but only to get control of DNS. More. The Quad9 Connect app enables encrypted DNS from Quad9.
As of July 2020, macOS and Windows do not support encrypted DNS. Windows 10 will in the future. macOS will in version 11 due around October 2020.
I don't know the status on either Linux or ChromeOS.
iOS 13 does not offer system-wide encrypted DNS. It will be supported in iOS 14 due around October 2020. The Cloudflare 126.96.36.199 app offers it on iOS 13 but only with their own DNS service which does no blocking. The NextDNS and Adguard apps both offer blocking and encrypted DNS on iOS 13.
Without OS-wide support, you can still configure a browser to use encrypted DNS.
Firefox is the best at handling encrypted DNS. Firefox DNS-over-HTTPS from Mozilla shows how to configure encrypted DNS for use with Cloudflare. As of March 2020, NextDNS and Cloudflare are the only two encrypted DNS providers trusted by Mozilla. NextDNS users with a NextDNS account should specify https://dns.nextdns.io/xxxxxx/MikeyFirefox where xxxxx is the NextDNS configuration ID and "MikeyFirefox" is an optional identifier for one specific instance of Firefox. To prevent fallback to plain text DNS see either the setup instructions from NextDNS or Trusted Recursive Resolver from Mozilla. Firefox also allows you specify domains that should not use Encrypted DNS. This is done with about:config and the network.trr.excluded-domains parameter. See the first link for details.
Safari does not support encrypted DNS
Chrome has two separate mechanisms (as of May 2020) for enabling encrypted DNS and is planning on adding a third mechanism. One available method involves turning on a flag and probably changing the operating system DNS servers. This strikes me as silly. The other uses run-time parameters passed to the browser when its invoked. The advantage of the second method is that it works the same with and without a VPN. From here I verified (Chrome 80 on Windows Feb. 2020) that these parameters force Cloudflare:
From here (Jan 2020) I verified that the parameters below force the use of OpenDNS for encrypted DNS:
And, to use NextDNS here is a sample for Windows that includes invoking the browser.
Where 999999 is your NextDNS configuration ID and Chrome3 is an identifier for this instance of Chrome in the optional NextDNS logs.
Note: the line breaks above are for readability only.
When encrypted DNS gets added to the browser settings it will be called Secure DNS and it will be in the Security section. This May 20, 2020 article by Martin Brinkmann has a screen shot of what it will look like.
Note that encrypted DNS is nice but not great security. Network observers can still see the IP addresses you communicate with and the domain names of secure web sites you visit. Not the full URL, just the domain name. And, it does nothing for HTTP web pages. Both a VPN and Tor hide everything, but, each is end-to-middle encryption, not end-to-end.
As with VPNs and Tor, you can not hide the fact that you are using encrypted DNS. A network observer can see the initial old style DNS lookup for the encrypted DNS server name.
Despite a history of poor security practices, Zoom has become the most popular video conferencing system. Zoom conferences are called meetings and someone has to be the leader. The leader (a.k.a host) starts the meeting and invites others to join. Each meeting has a unique number, 9 to 11 digits long. Zoom is available both Free and Paid. Free accounts are called Basic. A Basic user can host a meeting with up to 100 participants. If there are 3 or more participants in a free meeting, it is limited to 40 minutes. Lingo: PMI is Personal Meeting ID which is, in effect, the Zoom userid.
FOR MEETING OWNERS/HOSTS
Do not share your Zoom meeting ID publicly. Or, if you must, then frequently change the meeting ID.
Each Zoom user has a Personal Meeting ID. When creating a meeting can use the PMI or generate a new random one. Random IDs are safer.
Passwords: One of the two best ways to keep bad guys out of a meeting is for the meeting to be password protected. Without a password, bad guys can guess Zoom meeting IDs. By default Zoom includes the password in emailed invitations, so meetings can still be entered with a single click on a link. To prevent passwords in invitations, turn off the "Embed password in meeting link for one-click join" setting.
The other great way to keep bad guys out of a meeting is to enable the virtual waiting room. With it, each potential participant who connects to the meeting is initially put in a queue and the host has to approve them before they actually get into the meeting. Not sure who someone is? The meeting host can ask the participant to turn on their camera before being let in.
Maybe disable the "Join Before Host" option.
Disable video for everyone but the host. This is a biggie and, initially, this was not the default. This can be configured either in the pre-meeting Settings or during the meeting (Share Screen -> Advanced Sharing Settings). Look for "The host does not need to grant screen share access for another participant to share their screen"
During a meeting: green Share Screen button -> Click the arrow next to it to see video options -> Advanced Sharing Options -> make sure that "Who Can Share" is set to "Only Host".
During a meeting, disable audio from participants. Click on Manage Participants -> More button -> turn on "Mute Participants On Entry" and turn off
"Allow Participants To Unmute Themselves". Participants request their audio be turned on via Chat.
Configure the meeting so that everyone is muted by default and only gets un-muted when they are invited to talk by the meeting host.
Maybe disable the annotation feature. It allows participants to draw offensive words or shapes over the host's presentation. Annotation can happen even when screen sharing is limited.
Maybe disable private chats
Maybe disable public chatting. Even with it off, participants can communicate with the meeting host (or co-host if there is one)
If the meeting is large, enabling a "co-host" lets someone else share in the moderating.
People can join Zoom meetings using either computer audio or a regular telephone. Outsiders may be able to bypass the meeting password if they join a meeting using audio on a telephone. This is because there is a separate option for requiring telephone users to enter a password. Not sure if this changed on April 5, 2020 when passwords became mandatory.
FOR MEETING PARTICIPANTS
Zoom meetings can be joined in a web browser, without installing software, but Zoom pulls tricks to make you install their software. You have to click to join a meeting, ignore the large instruction to "download & run Zoom" and look, instead, for a tiny text link to join in the browser. A meeting host can make the "join from your browser" display automatically but the process is convoluted. For details see PSA: Yes you can join a Zoom meeting in the browser by
Natasha Lomas (March 2020).
Consider anything typed into a meeting, with the Chat feature, to be visible to the entire world.
May 5, 2020: I looked at the Zoom software on Windows and it stinks. To begin with, the software runs out of a non-standard directory, one meant for data C:\Users\userid\AppData\Roaming\Zoom\bin\Zoom.exe
The software can not be updated until you sign in to Zoom. Even after signing in, there is no message that tells you there is a new version, instead you have to
know the secret handshake - to click on your initials. Even then, you have to click on the check for updates link and you are shown a progress bar. Progress of
what? None of your business.
There is nothing private about Zoom meetings. Zoom can see all the video and hear all the audio. From: Zoom meetings aren't end-to-end encrypted, despite misleading marketing by Micah Lee and Yael Grauer for The Intercept (March 2020). FaceTime is end-to-end encrypted, but it only works on Apple devices. WhatsApp is also end-to-end encrypted but it is limited to four video callers at a time.
Company personality: Google, Facebook, Microsoft and others publish transparency reports that describe how many government requests for user data they receive and how many of those they comply with. Zoom does not publish a transparency report. From the article above.
History: In July 2019 we learned of two security flaws in Zoom for Mac users. One flaw was so bad that Apple updated macOS to fix it. Even worse, Zoom was told of these flaws and given time to fix them. They chose to do nothing until they were publicly shamed. See Zoom Vulnerability Lets Hackers Hijack Your Webcam by Joseph Cox (June 2019). A bug allows websites to turn on a Mac users' webcam without their consent or perhaps knowledge. Even if a user has uninstalled the app, Zoom still leaves a web server up and running on the users' computer, allowing Zoom to still download software onto the machine. This isn't an oversight, it was a deliberate decision by Zoom so that can re-install their software if a user visits a Zoom conference link. More here: Zoom Vulnerability from Bruce Schneier.
We Tested Ring's Security. It's Awful by Joseph Cox for Vice (Dec 2019). Great article about many things Ring could do to improve security. Read this before making a decision on trusting Ring. Some take-aways: change the password (even if its unique), add two factor authentication (everyone suggests this) and at initial setup give it a phony address and phone number (my idea, not tested).
We're not rescinding our recommendation of Ring’s cameras. Here's why by Mike Prospero for Toms Guide (Dec 2019). Suggested defense: Don’t share video or incident reports with the Neighbors app because it might let others learn where you live. And be aware that sharing video with a law enforcement agency will tell them your name and address and the video might be shared with other agencies.
Slack:7 Slack privacy settings you should enable now by Jack Morse July 2019.
This article (July 2019) offers no defenses, just things to be aware of. "Slack stores everything you do on its platform by default - your username and password, every message you've sent, every lunch you’ve planned ... That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers ... can break in and steal it." On the free Slack service, all messages are kept forever.
Venmo: Make it private: Settings -> Privacy -> Default posting settings. Also, retroactively privatize Venmo posts: Past Payments -> Change all to private. From How to Venmo Without Being a Monster by Angela Lashbrook (Jan. 2020). See also the Venmo Security page.
Traveling on an airplane? The QR code on your phone or paper boarding pass contains lots of personal information. Keep it hidden and destroy paper boarding passes after the flight.
MetroPCS customers can take one of two defensive steps against a sim swap attack made far too easy by poor security at MetroPCS. April 2019
Verizon Wireless customers can review their marketing settings at vzw.com/myprivacy or by calling 800-333-9956. I suspect that most people will not want
their CPNI shared with Verizon "affiliates and agents".
Many reporters that cover technology are Art History majors that do not understand the stuff they write about. Thus, they often make bad Defensive Computing suggestions. For example, have you ever seen an article suggest using a Chromebook in Guest Mode when accessing sensitive/financial websites? I have not. Don't take computing advice from the mainstream media.
Be very wary of files sent to you that you did not ask for. This applies on both desktop and mobile Operating Systems. Sometimes, just downloading them is enough to get infected with malware. Open these files on a Chromeook running in Guest Mode.
URL shorteners (aka link shorteners), such as bit.ly, Twitter's t.co and Flipboard's flip.it, hide the ultimate destination of a link. You can check where a shortened link actually goes at Link Expander or unshort.link or URLEX or checkshorturl.com. Going a step further are urlscan.io and VirusTotal which offer opinions on whether the ultimate destination URL is malicious or not. In January 2020, Simon Frey (of unshort.link) introduced an extension for Firefox and Chrome that checks short links against a blacklist and prevents them from tracking you.
The more you know about DNS the better. My Router Security website has both a short and long explanation along with a list of websites that show your currently used DNS servers. Get in the habit of checking the active DNS servers, especially when traveling.
Before you use a new USB flash drive, plug it into a Chromebook running in Guest mode and format it from there. In the same vein, If you don't know where a flash drive came from, the only computer you should plug it into is a Chromebook running in Guest mode. Malicious USB flash drives are a common tactic for infecting the computers of people who have not read this website. Running Linux off a bootable CD/DVD disc is also a safe environment. However, a USB flash drive can also destroy a computer. The usbkill.com drive overloads the circuits, converting a computer into a paper weight. So, a low end Chromebook is probably best.
Speaking of USB, the cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be hacked. Companies, such as Adafruit, PortaPow and SyncStop sell USB cables/adapters that only do power. They may be called Power-Only, Charge-Only, Data Block or a USB condom. The attack is called Juice Jacking (maybe Juice-Jacking). Without a power-only cable, you can still be protected by plugging into an electric outlet rather than a USB port. Or, use your portable charger, or, get a charge in a car. Also, don't use someone else's cable or charger. More here
There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.
Whenever you are offered the choice to Login With Google or Login With Facebook, don't do it. iOS 13 will introduce a new competing system: Login with Apple. As of July 2019, it is too soon to form an opinion on it, but it will let Apple read your email, something they could not do without it.
A very sneaky trick that some websites pull is making third party cookies look like first party cookies. Everyone allows first party cookies so this lets you be tracked. The website trackingthetrackers.com tests for this and reports on it. Great service.
The Princeton IoT Inspector software only runs on macOS High Sierra and Mojave (not Catalina as of Feb 2020). It lets you spy on the IoT devices that normally spy on you.
At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.
I read an article that said victims of Identity Theft should go to ftccomplaintassistant.gov and I wondered if that site was legitimate. That is, is it really from the Federal Trade Commission, a division of the US Government? We have already seen that just having "FTC" in the name means nothing. The FTC has their own website at ftc.gov, so why the need for another domain name? Instead of a new domain, they could (read should) have used complaintassistant.ftc.gov or ftc.gov/complaintassistant. Both leave no doubt that they are from the FTC.
On thing pointing to its being a scam is that the home page of ftc.gov has a link to identitytheft.gov for reporting identity theft. There is no link on the FTC home page to ftccomplaintassistant.gov. And, identitytheft.gov has its own assistant (identitytheft.gov/Assistant) which does not link to ftccomplaintassistant.gov.
Looking at the ftccomplaintassistant.gov site, the first thing to notice is that it does not have the extra identity assurance. If it is legit, that would be pretty ironic, eh? In techie terms the site is Domain Validated (DV) rather than having Extended Validation (EV).
All domains have to be registered and whoever pays for the registration can chose to make their identity public, or not. Looking up this information is called a Whois search and every company that registers domains offers a Whois search. However, this turned out to be a dead end. I could find no Whois information for any .gov websites.
A couple things point to the site being legit. There is a page on ftc.gov with consumer information about Identity Theft and it has a link to "File a Consumer Complaint" that goes to ftccomplaintassistant.gov. And, while the home page of identitytheft.gov has no links to ftccomplaintassistant.gov, an examination of the underlying html (i.e. page source) showed that pulls in a script from chat.ftccomplaintassistant.gov.
So, is it legit? I would have to call the FTC on the phone and ask them.
On a related note, ftccomplaintassistant.com is definitely bad news. That was an easy call.
Protecting Yourself from Identity Theft by Bruce Schneier May 2019. No good news here. Quoting: "there's nothing we can do to protect our data from being stolen by cybercriminals and others." True, but nonetheless, an easy out for anyone too lazy to do the things suggested here.
Fake job scams: How a remote tech writing gig proved to be an old-school scam (Ars Technica June 2019). Also: List of Fake Job Scam Examples. A June 2019 tweet from Ian Sigalow shows another side of the scam. Defense: be aware that job boards do not validate that the person posting a job is actually affiliated with the company. One way to do so, is to look for an email address at the company's public domain name. For example, don't believe a job offer from Chevron is legit, until you correspond with someone who has a chevron.com email address. Also, watch out for a job interview via text chat and questions about electronic deposits.
The Operational Security website by Justin Carroll covers Digital Security, Privacy and Physical Security. Seems pretty good.
Speaking of reading, be aware that much, if not most, of the security and privacy advice offered in the main stream media is wrong. They hire reporters, not nerds. The New York Times, in particular offers sub-optimal computing advice.
securityplanner.org from Citizen Lab is a mixed bag. For example, they recommend the Chrome browser. And, their trust in HTTPS is dangerously mis-placed. Last updated June 2019.
Watch Your Hack created by six professional hackers. Last updated Jan. 2019
PrivacyTools.io is a bit more oriented to a techie audience than this site.
Digital Safety Kit for journalists from the Committee to Protect Journalists. Last Updated July 2019. This is much more a checklist than this site. In my opinion, the lack of context or background info makes these recommendations barely useful. The topic on encrypted email is really bad.
GetSafeOnline claims to be "the UK's leading source of unbiased, factual and easy-to-understand information on online safety." I heard a segment on BBC radio 4 about two people in England who were scammed out of money in their bank accounts. Both were interesting and useful stories. This was followed by advice from GetSafeOnline and the advice was, in my opinion, bad. I would look elsewhere for advice. Compare their advice for being safe on Public Wi-Fi networks to mine.
All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.
If you see any ads, something (computer, browser or router) has been hacked.
Average Daily Page Views: June 2020: 267
May 2020: 317
April 2020: 296
March 2020: 303
February 2020: 377 January 2020: 212 December 2019: 200 November 2019: 180 October 2019: 194
September 2019: 178 August 2019: 176