This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete as that list would never end. I tried to limit this to the most important issues, still its long (25,000 words).
Some parts of this page are not displayed until you click a button. To see everything (for printing or searching), CLICK HERE.
Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams targeted at people that don't know the rules.
Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.
To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing "two factors" refers to needing a password and something else to gain access to a system. Thus, a stolen password becomes useless as its only half the story. The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable by using 2FA. First they had their cellphone number stolen, but that was done to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes. And, everything breaks, so you need to be up to speed on the fallback system for when 2FA breaks. There are different types of 2FA and no one right answer for everyone.
You never know who calls you on the phone. Callerid can be spoofed just like the FROM address in email, so the same advice holds: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.
Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do to in preparation.
A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Other terms for this are SIM Hijacking and a port-out scam.
Public Wi-Fi is always dangerous, whether a password is required or not.
A VPN prevents spying on your online activity by anyone you an see (anyone on the same local network). For this reason, it should always be used on public Wi-Fi networks. A VPN also prevents spying by the ISP connecting you to the Internet. In the US, ISPs are allowed to spy on their customers and sell that data. A "secure" website prevents others on your LAN and your ISP from reading the content of web pages. However, they can still tell which websites you visited. In some cases, just the website name gives away too much information. VPNs hide everything.
In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location. It also should change the DNS servers used to translate computer names to IP address. For an introduction to DNS see my RouterSecurity.org site.
All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since all three companies send some recordings to contractors, to help improve the system, strangers may hear your embarrassing conversations. Tony Soprano would not have allowed Siri in his home. Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of Alexa recordings. Initially, Apple lost at this privacy game, they did not have any way to opt out. In early Aug 2019 they took their first step and did more in iOS 13.2.
Bloomberg reported in April 2019 that Amazon Workers Are Listening to What You Tell Alexa. There are options in the app to disable this (Settings -> Alexa Account -> Alexa Privacy -> Manage How Your Data Improves Alexa) but they may not be honored.
Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.
Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.
Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.
Alexa Defense: Turn off voice purchasing in the app: Menu -> Settings -> Alexa Account -> Voice Purchasing. If you want to use Voice Purchasing then perhaps disable one-click payments. Or, set a spoken pin to stop anyone else from shopping using your account.
Alex initial configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured, there is no need for this, skip it.
Alexa Defenses in the Alexa app:
Settings -> Alexa Privacy -> Manage How Your Data Improves Alexa. There are two options to prevent humans from listening to your recordings
Settings -> Alexa Privacy -> Review Voice History. Enable the deletion by voice option. Then delete saved recordings. After enabling this option, you can say "Alexa, delete everything I said today" or "Delete what I just said"
Apple contractors 'regularly hear confidential details' on Siri recordings by Alex Hern in The Guardian (July 2019). Accidental activations pick up extremely sensitive personal information, fairly often. The story came from a whistleblower; not a good look for Apple.
If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".
Apple Suspends Listening to Siri Queries Amid Privacy Outcry by Mark Gurman of Bloomberg (Aug 2019).
Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings. To disable Siri: Settings > Siri & Search -> Turn off both the Listen and Press Button options. To disable dictations: Settings -> General -> Keyboard -> turn off Enable Dictation. This process will change.
Defense added in iOS 13.2: When upgrading to 13.2, which was released at the end of Oct. 2019, users see a pop-up message offering the ability to opt-out of having their voice commands stored and saved. It is called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements" where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History" and an option to stop sharing voice recording with Apple. Also in Settings -> Siri, you can tell Apple to delete all the Siri voice recordings that it has stored.
Again from Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-ToGeek article adds instructions for deleting the previously saved recordings.
The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)
Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.
To delete Google Assistant voice recordings, start at myaccount.google.com/intro/activitycontrols. Scroll to "Voice & Audio Activity" where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "Delete what I said on [date]" or "Delete my last conversation". This only works for the last 7 days.
You can use the Voice Match function to insure your personal results are only available to you. See how.
In Aug. 2019, Joseph Cox of Motherboard revealed that "Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.
There are four approaches here, and I am the very rare person suggesting the fourth one.
With these four things disabled, a phone can still make/receive calls and text messages. A dedicated GPS app can be used to confirm the status of GPS. Note that your location can still be tracked by the cell tower the phone is talking to, but, this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode, and the step after that, is to turn the phone off.
For months, I thought I was the only person suggesting this. However, in Dec. 2019, Proton (the company behind ProtonMail and ProtonVPN) said that a basic principle of using any smartphone is "...turn off all the connectivity you do not need. This goes for whatever smartphone, and whichever operating system, you have."
Bonus benefit 1: better battery life.
Bonus benefit 2: Billboards will not track you. See Digital Billboards Are Tracking You. And They Really, Really Want You to See Their Ads by Thomas Germain of Consumer Reports. Nov. 2019
Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.
Taking a step back, consider who is the enemy here? That is, who is it we don't want tracking us. Some people/articles focus on apps. But, it also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being being sued for selling location data. Another reason for my approach to defense.
It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.
Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.
iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.
In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.
Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.
Android 6: Settings -> WLAN -> advanced -> scanning settings -> Bluetooth scanning
Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.
Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 6: Settings -> WLAN -> advanced -> scanning settings -> WLAN scanning
Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".
Google wants you on-line even if it means using an insecure Open Wi-Fi network. To that end, Android might automatically connect to an open network, or, notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon -> are two relevant optons: Network Notification and Use open Wi-Fi automatically. Disable each.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"
On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC. Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The bug was fixed in October 2019 but so few Android devices will get the fix. If NFC is needed, you can leave it enabled, just be sure to disable NFC file beaming as explained in the article.
On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.
The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).
I am not a Mac user, so all I have to offer are links.
ChromeOS is the operating system on Chromebook laptops and Chromeboxes (tiny desktop computers). These are some configuration suggestions.
It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android. No expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.
No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do. This section may be a bit haphazard because not being a Facebook user, I can't verify things.
And, as a reminder, Facebook bad.
Not a big user of Instagram personally, so the recommendations below are all from others.
Fake reviews, fake products, fake sales and toxic products. Even Amazon's Choice is purposely misleading.
Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.
Texting suffers from the same spam, scam and phishing as email. And, just like email, you can not trust the displayed identity of the sender.
Artificial Intelligence allows bad guys to learn someone's voice and vocal patterns and then manipulate it to scam people. Not sure if there is an official term for this yet, perhaps voice fraud, voice phishing, vishing, deep voice, voice cloning, voice swapping or deepfake audio.
NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.
Note: This is separate and distinct from smart TVs spying on you which requires no hacking.
When there is too much electricity a surge protector is designed to absorb the overload and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference.
When all the power goes out, do this.
Anyone concerned with being tracked on-line needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on your computer into a unique identifier. Fingerprinting stems from looking at many, seemingly trivial, aspects of your computer and browser and combining that information into a profile/identifier. Most of the time, these profiles turn out to be unique, which lets websites track your behavior without cookies. Some attributes that are examined are: the computer operating system, what time zone are you in, what language your computer is using, how much RAM memory the computer has, the screen height and width in pixels, what web browser you are using, what version of the browser, what fonts are installed, what plug-ins are installed, what audio and video formats are supported by the browser, and much more.
This is not a subject I am at all familiar with. Thus, nothing but links and not many at that. Feel free to help me add to this topic.
I don't use WhatsApp, so all I can offer are these links.
From one of the articles below: Scammers all over the world have figured how best to game the Airbnb platform: by engaging in bait and switches; charging guests for fake damages; persuading people to pay outside the Airbnb app; and, when all else fails, engaging in clumsy or threatening demands for five-star reviews to hide the evidence of what they have done.
Many developed countries allow most citizens to file their taxes for free. In the US, this was the stated intent, but the scheme was corrupted. According to Pro Publica, TurboTax tricked customers into paying for tax preparation they could have gotten for free. TurboTax even has a service with the word "free" in it - that is/was not free. US taxpayers owe a debt to Pro Publica for their reporting on this.
Hide your phone number by having more than one and giving out an alternate phone number when appropriate. I once checked my coat at a museum and rather than give me a ticket, they wanted my phone number. Ugh.
Just like web pages migrated from insecure HTTP to encrypted HTTPS, so too, DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.
When encrypted DNS gets added to the browser settings it will be called Secure DNS and it will be in the Security section. This May 20, 2020 article by Martin Brinkmann has a screen shot of what it will look like.
Despite a history of poor security practices, Zoom has become the most popular video conferencing system. Zoom conferences are called meetings and someone has to be the leader. The leader (a.k.a host) starts the meeting and invites others to join. Each meeting has a unique number, 9 to 11 digits long. Zoom is available both Free and Paid. Free accounts are called Basic. A Basic user can host a meeting with up to 100 participants. If there are 3 or more participants in a free meeting, it is limited to 40 minutes. Lingo: PMI is Personal Meeting ID which is, in effect, the Zoom userid.
FOR MEETING OWNERS/HOSTS
FOR MEETING PARTICIPANTS
FROM ZOOM
OTHER ZOOM INFO
I have never used a Ring doorbell. Thus, nothing but links.
The items below are defensive measures that apply to just one website or just one system.
Lots of other people and places offer Defensive Computing advice, though they don't call it that.
Whew! Seems like a lot, it is a lot.
All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.
This site does not use cookies. None of the links here are affiliate links, I do not profit from this site in any way. Thus, there are no ads here either. If you see any ads, something (computer, browser or router) has been hacked.
| Last Updated May 23, 2020 | Total Page Views 97,353 | Page Views Today 48 | Previous Page View 8.9 minutes ago |
Website by Michael Horowitz |
top |
