This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete as that list would never end. I tried to limit this to the most important issues, still its long (10,000 words). Techies will find some of this obvious but they are likely to learn something nonetheless. Non techies may find some of it too advanced; if so, please let me know (see bottom of page).

Some parts of this page are not displayed until you click a button. To see everything (perhaps for printing?), click this button:

You are seeing the entire page.

1. EMAIL
   
   Many times, perhaps most of the time, the first step in a company getting hacked is an email message. That's why this is the first topic.
   
   
   • You never know who sent an email message, so think carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Techies can look at the hidden email headers to get an idea who really sent a given message, but this is not a skill taught in nerd school. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message.
   • In light of the above, we might be tempted to trust that an email was legit, if it knew something about us. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018, may not be from Starwood. Bad guys know you stayed there too.
   • The use of official logos and images in an email message also does not indicate legitimacy. See How to spot suspicious emails and Dealing with Fake 'Ask Leo' which examines a scam email message for telltale signs.
   • The more urgent the plea for you to take action, the more likely it is to be a scam. Bad guys don't want you to have a chance to think about the issue or check with others.
   • Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phising" is a scam specifically targeted at you. The bad guys will have researched you and then use that information as the part of lure in their scam.
   • Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.
   • An email with a password protected attachment, that has the password in the body of the email message, is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus.
   • An email that asks you to logon to read an encrypted message is a scam.
   • Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.
2. UNDERSTANDING DOMAIN NAMES   top

   Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams.

   • A domain name usually consists of two parts separated by a period. Sometimes a domain with a country code, such as UK for the United Kingdom, consists of three parts. An example is the British newspaper the Daily Mirror at mirror.co.uk.
   • Domain names are not case sensitive. GOOGLE.com and Google.com and google.com are the same thing.
   • The full web page identifier (URL to techies) consists of sub-domains on the left, a domain name in the middle, a slash, and finally, the unique name of the web page on the website. For example, if you visit the IRS website and want to work for them, you end up at

      www.jobs.irs.gov/application-process/application-process/how-apply  where

     www.jobs  is the subdomain
     irs.gov  is the domain name, and
     application-process/application-process/how-apply is the specific web page at the IRS website.

     Some web browsers, such as the desktop version of Firefox, help you identify the domain name by highlighting it in the address bar.

   • Sub-domains help a big organization logically chop themselves into smaller pieces. Technically speaking, the classic three Ws to the left of the domain name is a sub-domain. Any string of letters, dashes and numbers can be at the left of the domain name. No matter what's there, it is all part of the same domain. Sub-domains are optional. Three examples:
     1. The math department at Columbia University might be math.columbia.edu or www.math.columbia.edu or nerds.math.columbia.edu. They are all part of the Columbia.edu domain, so they all belong to Columbia University.
     2. This website is DefensiveComputingChecklist.com. The name Defensive.ComputingChecklist.com (with a period between Defensive and Computing) is not me. It is the "Defensive" sub-domain of the ComputingChecklist.com domain. Likewise, Defensive.Computing.Checklist.com (periods between each word) is the "Defensive.Computing" sub-domain of the Checklist.com domain.
     3. The domain citi.com belongs to Citibank. Simple rule: anything that ends with ".citi.com" (note the leading period) is also Citibank. For example: secure.citi.com, jobs.citi.com, online.citi.com, a.b.c.d.e.citi.com, some-thing-else.citi.com, any.thing.at.all.citi.com.
   • The flip side of the last example is that just having "citi" in a domain name means nothing. For example, these domain names have no relationship to Citibank: citionlinebanking.com, citi-online-banking.com, citi.onlinebanking.com, citi-thebank.com, citibank-online.com, citibankingonline.com, secureciti.com and TrustUsWeAreCitibank.com. When I go to citi.com, I end up at online.citi.com. Perhaps the best fraudulent domain is onlineciti.com. If you ignore the one missing period, it looks legit. Sadly, this domain is available today (April 3, 2019) for bad guys to buy. Oh, and citibankonline.com is really Citibank.
   • Another way people are fooled is by using a legitimate domain name as a sub-domain. For example: citi.com.badguy.com is part of the badguy.com domain, and citi.com.securebanking.com is part of the securebanking.com domain. In spatial terms, "citi.com" on the far left is a scam, "citi.com" on the far right (just before the first slash), is Citibank. In May 2019, Eset reported that update.asuswebstorage.com.ssmailer.com was pretending to be part of the Asus Web Storage system. Repeating myself, the domain name ends at the first slash.
   • And, of course, dot com is not the only thing that website/domain names end with. Sure, apple.com is the company that makes iPhones, what about apple.net, apple.org, apple.gov, apple.me, apple.us, apple.cn, apple.jobs, apple.app, apple.site, apple.edu, apple.biz, apple.name, apple.io, apple.theater, apple.talk, apple.tv and apple.movie? Assume nothing. They may belong to the iPhone vendor, they may not. Some of these do, some do not. Citibank customers, accustomed to online banking at citi.com, should not assume that citi.somethingelse also belongs to their bank. That's not he way the system works.
   • Still another trick involves a scam site on a legit domain. For example, the Microsoft Azure system lets customers create websites addressable as a subdomain of their legitimate windows.net domain. Bad guys abusing this have used names like capitalexchangowa.z29.web.core.windows.net and office43l2v3rgq5y3xpy.z13.web.core.windows.net. Read more and see an example.
   • In a different scam, you start out at a legitimate domain and then get automatically re-directed to the bad guys. The legitimate domain is not run by bad guys, just by nerds that are technically incompetent. This is simply bad programming. The home office of incompetence is, of course, the US Government and many government websites were found to have this problem. Examples:
     www.weather.gov/cgi-bin/nwsexit.pl?url=http://badguys.com
     outreach.senate.gov/iqextranet/iqClickTrk.aspx?redirect=https://badguys.com
     healthfinder.gov/api/outlink/search/http/badguys.com
     www.nyc.gov/html/exit-page.html?url=https://badguys.com
     Background info: A Year Later, U.S. Government Websites Are Still Redirecting to Hardcore Porn (Dell Cameron June 2019) and Phishing campaign spoofs local-government websites to rip off small businesses (Benjamin Freed June 2019)
   • Some real life domain name scams:

     In April 2019, Brian Krebs wrote about a service called Land Lords that creates Airbnb scams. A key piece of these scams are domains that look like airbnb.com, but, are not. The scam domain in the article was
     airbnb.longterm-airbnb.co.uk
     It looked exactly like the real Airbnb website and requested victims to sign. The fake site forwarded the legit Airbnb credentials to the real Airbnb, but only after recording them. Other domains used to scam Airbnb were:
     airbnb.longterm-airbnb.co.uk
     airbnb.pt-anuncio.com
     airbnb.request-online.com
     airbnb-invoice.com
     A reader of the article claimed to have also seen airbnb.com.longterm-listing.com. For another defense against this scam see the topic below on verified website identities. The real www.airbnb.co.uk has this extra verification.

     When, also in April 2019, Krebs wrote about Wipro being hacked by phishing/scam email messages, the phony domain name he cited was
     securemail.wipro.com.internal-message.app
     Who even knew that a legitimate domain name can end in dot app? The bad guys loved using their internal-message.app domain so much they also may have used
     securemail.capgemini.com.internal-message.app to scam employees of CapGemini and
     secure.rackspace.com.internal-message.app to phish people at Rackspace.

     In May 2019 Eset found www.google.com.dns-report.com being used by bad guys.

     Arguably the biggest domain name screw-up ever, was by Equifax in 2017. I say this not because they were hacked, but because of their reaction. The Equifax domain is equifax.com. To post their response to the hacking incident, they created a new website: equifaxsecurity2017.com. They should have named their response website something like security2017.equifax.com or equifax.com/security2017. A techie exposed Equifax for the fools they are by registering a scam website securityequifax2017.com. In the ultimate irony, the official Equifax twitter account, sent people to the scam site. You can't make this stuff up. And, now that you have read this far, you know more about domain names than the techies at Equifax.

     Spectrum is my ISP. Recently an email arrived from myaccount@spectrumemails.com warning of something. Is this really from Spectrum? I knew it was, because I created an email address that only they have. More on this tactic in the Extra Credit section at the bottom of this page.

   • Finally, some good news about domain names. You may be able to see who owns a domain. Companies that register domains are called "Registrars" and they are required to make information about domains public. This database is referred to as "Whois" and, in the Whois system, the domain owner is referred to as the "Registrant." Some Registrars offering a Whois lookup are: Namecheap, Gandi, pair Domains, eNom and Tucows Domains. DomainTools also offers a Whois lookup. Other useful information provided by Whois, is a technical contact, an administrative contact, the name of the Registrar and, for techies, the authoritative DNS servers. That said, a domain owner may not want their contact information public. If you look up this domain (DefensiveComputingChecklist.com) for example, you will not find my home address. While people may want to hide, legitimate companies have no reason to do so. Needless to say, a bad guys hide their identity. However, law enforcement can always knock on the door of a registrar to see who paid for a domain.
3. VERIFIED WEBSITE IDENTITY   top

   Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.

   • In another type of attack, a web browser may display the correct something.citi.com, and yet, the website could still be a fake. To prevent this, companies that take this stuff seriously pay extra to have their identities verified. You can see this extra identity validation at, for example, citi.com which says "Citigroup Inc. (US)" just to left of online.citi.com in the address bar (see example). Bank of America does the same thing as you would expect any financial company to do. In contrast, my dinky websites, such as this one and my personal site (michaelhorowitz.com) do not have identity verification (see contrast). If the website of your financial institution has this extra identity protection, get in the habit of looking for it. If this information is not provided, take that as a bad sign about the company and its website. In techie terms, my websites are Domain Validated (DV), the Citigroup and Bank of America websites have Extended Validation (EV). The home office of incompetence, Equifax, does not offer identity verification. Not a surprise. What is surprising is that neither does Amazon.com (shown in the screen shots). Sadly, there is a trend in web browsers to suppress the visual indication of sites offering identity verification. If your browser does not show the difference, use a different browser.
   • As with email messages, the content of a fake website can look exactly like the real thing. Anyone can copy images and text and fonts from the real site and use them to make a fake site.
4. SECURE WEBSITES   top
   
   
   • The concept of secure websites, indicated by HTTPS or a lock icon, is, in many ways, a scam. The security that people tout refers to a small piece of a large pie. Specifically, it refers to in-flight data; data being transmitted back and forth between your computer and a website. If, while traveling over the Internet, the data/web page is encrypted, then the entire site is said to be secure. Fact is, dozens of things can still leak your sensitive data. Take the just-discussed EV/DV validation of websites. Without real identity verification (EV), you could "securely" send passwords to bad guys. Another scam is that encryption is a binary thing, that it is either on or off. In reality, it is quite complicated. So much so, that there are security rating websites (next topic). Perfect Forward Secrecy (PFS) is another factor, one that is hardly every discussed. Without PFS spy agencies can very likely (no one knows for sure) decrypt the encrypted data traveling over the Internet. Another factor is keeping private encryption keys private. If they leak (its just a string of bits), encrypted data can, again, be decrypted. No one knows how well any website protects its private keys. Then too, many websites continue to support older security/encryption protocols with know flaws (TLS 1.0 and 1.1). And, websites have different sections, each section has its own security profile; one section may be more secure than another. For example, in 2016, I blogged about how www.ssa.gov was secure while secure.ssa.gov was not (since fixed). And, nothing about encryption in transit tells you anything about the strength of the security on the back end (think Facebook storing passwords in plain text) or whether software running on the back end is being updated with bug fixes (think Equifax), how good their defenses are against attacks, who they share your data with or whether the data is left publicly available to anyone who knows where to look, no attacking needed (this happens a lot). I could go on. Anyone who tells you to trust a website because it is secure, is either un-informed or lying on purpose because it serves their needs.
   • A great website for evaluating the encryption used by a website is the Qualys SSL Server Test. Ironically, it does not have extended identity protection. Still, it offers both a ton of technical information about encryption and a simple letter grade at the top. I suggest testing your most important sites: banking, email and any website holding your sensitive information. Every site should get either and A or A+. Anything else is a failure. The orange horizontal stripes under the letter grade are security failures. To be thorough, you need to check each section of a website. For example, at the US Social Security Administration, you would check both www.ssa.gov and secure.ssa.gov. To put this in perspective, again, encryption is a small piece of a large pie. Nothing about the strength of the encryption used to send/receive data tells you anything about whether passwords are stored in plain text, or whether bug fixes are applied to the software running the website, or any other aspect of security.
   • Any website that you can access with just a userid/password is not really secure. There are many ways companies can increase the security of websites by making it harder to logon. The official term for this is two factor authentication (2FA). One approach is that the company sends customers an email message with a temporary code that the customer has to enter, after, they already entered a userid/password. Another common technique is to send a temporary code as a text to a phone. Or, a normal phone call with some type of response that proves a human answered the call. Or a normal phone call where a computer tells you the temporary code. There are also mobile apps (such as Authy and Google Authenticator) that can generate temporary secondary codes. The most secure option involves a physical thingy you connect to a computer/tablet/phone that verifies your identity. Most systems, however, do not support this. Two factor authentication is overkill for many websites, but it is something you really want to have on any banking or financial sites you use. Perhaps for email too. To see if the companies you deal with offer this, go to twofactorauth.org. This is also known as MFA, Multi-Factor Authentication. More: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016).
   • Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully. You don't want the answer to be anything that someone could either guess or learn about you. In fact, don't even give reasonable answers. If it asks for the name of a person, make the answer the name of a place instead. You never know if the answers are case sensitive or not, so it is safer to only use lower case. In my opinion, it is also safer to avoid spaces and special characters too. Just like passwords, these questions and answers need to saved somewhere that you can find them later. Nothing wrong with paper and pencil.
5. PASSWORDS   top
   
   
   • Never re-use passwords. We all need dozens or hundreds of passwords, yet we can remember just a few. Nonetheless, this is a very important rule. Companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites.
   • Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and over valuing the need for randomness in passwords. They also underestimate the hassle of new software for non techies.

     In May 2019, Maciej Cegłowski wrote What I Learned Trying To Secure Congressional Campaigns. Among things that went badly were his attempt at getting non-techies to use a password manager. Quoting:

     "I was never able to find a way to set people up on a password manager in the time available. Let me be very clear: I would like all people to use a password manager ... But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet."

   • Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can chose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. It's also easy to remember. There's a formula: start and end every password with "1234". Love your dog? Start your passwords with "rover-" or "fido/"
   • You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked and a formula (above) should produce globally unique passwords fairly easily.
   • Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper can not be hacked; just be sure to xerox the list every now and then in case you lose it.
   • Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager and its useless on a Chromebook running in Guest mode which is where I do my sensitive transactions.
   • All that said, no single approach is appropriate for everyone.
   • Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.
6. PHONE CALLS   top

   You never know who calls you on the phone. Callerid can be spoofed just like the FROM address in email, so the same advice holds: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.

   • iOS 13 can send callers not in your contacts straight to voicemail.
   • Those (not really) IRS calls from FTC. Report IRS impersonation scams here.
   • Imposter scams from FTC
   • Beware of Calls Saying Your Social Security Number is Suspended (Bleeping Computer April 2019). Report Social Security impersonation scams to 800-269-0271 or oig.ssa.gov/report
   • Apple does not call their customers out of the blue. Some scammers pretending to be Apple make calls that display an Apple logo, address and their real phone number. More here and here. Contact Apple at support.apple.com/contact
   • Unwanted calls can be reported to the US Government. Probably a waste of time.
7. IDENTITY THEFT   top

   Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do to in preparation.

   • Bad guys might try to open a credit card in your name. To prevent this, you can get a credit freeze with TransUnion and Experian and Equifax.
   • Bad guys might use your credit card to buy themselves stuff. You can be alerted to this by having your credit card company notify you, in real time, about charges on your account.
   • Americans should open an account with the IRS (irs.gov) to prevent bad guys from opening an account in your name and getting your tax refund. Even if you never use this account, it is safer to have it. Brian Krebs: has more (January 2018).
   • Americans should also open an account with the Social Security Administration (ssa.gov) regardless of their age. This prevents bad guys with your stolen information from opening an account as you, and, for many people, is the only way to verify that their earnings are correctly reported.

     When you logon to the My Social Security website, it reports the last time you logged on. If you can track this yourself, then you can be sure no one has stolen your identity and logged on as you.

     According to this article, the Social Security Administration has greatly curtailed the number of paper statements it mails. It now mails statements only to people over 60 who are not yet getting benefits and who have not set up digital accounts.

     After an account is opened, you can block all electronic access to it. Of course, this blocking is only as good as the defenses against bad guys unblocking it and I don't know what those defenses are.

     The phone number of the Social Security Administration is 800-772-1213

     For more see Crooks Hijack Retirement Funds Via SSA Portal by Brian Krebs.

     The Social Security Administration does not threaten to arrest people. Social Security numbers can not be suspended. These are common scams.

     Neither the IRS nor Social Security does a good enough job of identifying people. They both know where you live, they could send a code via postal mail to verify who you are ... but, no. The Social Security Administration uses Equifax data to verify your identity and we all know that Equifax was hacked in 2017 and lost their crown jewels (our personal information). If you have a credit freeze with Equifax, then you can not open a Social Security account. You can't make this stuff up.

   • Bad guys may try to impersonate you to get your cellphone number assigned to their telephone, a process known as a SIM swap. They do this because a phone number is often used to prove identity, with things like forgotten passwords. To defend against this, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile calls it an Account PIN. Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode. The defense, however, is far from perfect. Brian Krebs wrote in Nov. 2018 that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Much of the world has fixed this problem, but the US remains vulnerable. More: Why Phone Numbers Stink As Identity Proof by Brian Krebs March 2019 and The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto June 2019.
   • A free annual credit report, available at annualcreditreport.com can't hurt. However, two things about the site are a sham. For one, it says that you can order reports online. When I last tried this in December 2018, it was not true, reports had to be ordered via postal mail, and, I was not told this until after I entered all my personal information. Also, the site has not opted for extra identity validation for itself (see topic on VERIFIED WEBSITE IDENTITY). Requests on paper are the way to go.
   • Background: Identity Theft info from the FTC. 11 Ways to Tell If Your Identity Has Been Stolen by Paul Wagenseil April 2019. The Identity Theft Resource Center (idtheftcenter.org) offers free assistance for ID theft. They may be well-meaning, but their computer advice, is shamefully ancient and lame.
8. WEB BROWSERS   top
   
   
   • Choosing: Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer, now it's Google's Chrome browser. Don't use either one. Or Edge. I am not a big Apple user, so I don't have an opinion on Safari. I suggest using either Firefox or the Brave browser. Brave has ad blocking and tracker blocking built in. It is based on Chrome, supports all Chrome extensions and runs on Windows, macOS, Linux, Android and iOS. See I protected my privacy by ditching Chrome for Brave–and so should you (Michael Grothaus March 2019) and How I'm locking down my cyber-life (Larry Sanger Jan. 2019). The HTML pingback feature is but one of hundreds of features in a web browser. But, we can use it to judge which browsers care about our privacy (Firefox, Brave) and which do not (all the rest). See this article by Lawrence Abrams for details.
   • Track me not: If the websites you visit are determined to track you it is all but impossible to prevent it. Still, you can fight back. One approach is to use private/incognito mode in your web browser. For background, see What Does Private Browsing Mode Do? by Martin Shelton July 2018. Another option is to manually delete cookies and other tracking data in your browser. In Chrome and Brave, enter chrome://settings/siteData in the address bar, then click the Remove All button. In Firefox, enter about:preferences#privacy and click on the Clear Data button. Perhaps bookmark these URLs. Firefox can automatically delete cookies when the browser shuts down, something Chrome and Brave do not support. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed". The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook.
   • Install an ad blocker in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. I realize that this prevents sites from earning revenue to which I can only say that the ad blocker can be disabled on sites you wish to support. However, no website can be trusted to only show non-malicious ads because the website itself does not choose the ads. It's a mess.
   • Install a tracker blocker such as Privacy Badger from the EFF or Disconnect.
   • In desktop Firefox, review the Content Blocking (about:preferences#privacy) settings which offers defense against trackers and more. As of version 67, it should default to Standard, maybe raise it to Strict or Customize it. See the documentation on this. Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.
   • Web browser extensions can, if you let them, read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused to, so when installing extensions pay close attention to the permissions it requests. It is a good idea to periodically review the extensions installed in your browser and remove any you really don't need. I have seen non-techies be tricked into installing malicious extensions. To display the installed extensions, use these address bar URLs (perhaps bookmark them): In chrome chrome://extensions, in Brave brave://extensions, in Firefox about:addons. I blogged about potentially dangerous extensions here and here and here. A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019.
9. PUBLIC WIFI   top

   Public Wi-Fi is always dangerous, whether a password is required or not. It is best to keep your main/regular computing devices away from public networks. If possible, use a Chromebook on public networks. Regardless of the computing device:

   1. Anyone can name a Wi-Fi network anything. As a result, bad guys can create wireless networks with the same name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non techies can not distinguish an Evil Twin from the legit network it is pretending to be. Neither can a computer/phone/tablet which will happily connect to the evil network. Techies can look at the MAC address of a wireless network, but even that can be spoofed if the bad guy knows how.
   2. Use either a VPN (not a free one) or Tor on a public network. Both hide your activity from the router creating the public network which is a good thing whether the network is an Evil Twin or not. More in the Networking topic below. If this is too much, then on mobile devices, use the Cloudflare 1.1.1.1 app available on Android and iOS.
   3. After connecting to the network, and starting the VPN or Tor or Cloudflare, check the DNS servers actually in effect. If using a VPN, the DNS servers should be from the VPN provider. It is very dangerous to use unknown DNS servers.
   4. Even with all the protection in the world, there are some things best avoided on any public network. You never know who is watching over your shoulder.
   5. Disable Wi-Fi when not using it. It is not sufficient to simply disconnect from the public network.

   If you must use your regular devices on a public network, then have a techie check them for open TCP/IP ports. This probably will be done with the nmap utility. Check for all 65,500 TCP ports, looking especially for file sharing ports. If file sharing is enabled, then learn how to disable it and verify that its ports get closed when its disabled.

   One way to avoid public Wi-Fi with a laptop, is to use the 4G/LTE connection on a phone for Internet access. That is, make the phone into a hotspot and connect the laptop to the phone's Wi-Fi network. One, or both, of the devices should be connected to a VPN.

10. SMART SPEAKERS   top
    • AMAZON ALEXA

      Bloomberg reported in April 2019 that Amazon Workers Are Listening to What You Tell Alexa. There are options in the app to disable this (Settings -> Alexa Account -> Alexa Privacy -> Manage How Your Data Improves Alexa) but they may not be honored.

      Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.

      Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.

      Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.

    • SIRI: Apple records Siri queries and you can not delete them (also from Fowler article). However, Apple says they are not linked to you when saved.
    • GOOGLE ASSISTANT

      Again from Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-ToGeek article adds instructions for deleting the previously saved recordings.

      The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)

11. LOCATION TRACKING   top

    There are three approaches here, and I am the only person (as far as I know) to suggest the third one.

    1. The first approach is to play whack-a-mole; to configure access to location data on an app-by-app basis. This strikes me as ridiculous.
       • For Android 9, from Google: Choose which apps use your Android device's location.
       • For iOS version 12, do Settings -> Privacy -> Location Services to see a list of apps. Each app is assigned one of three rules: never see your location, always see your location or only see it while using the app. Also here is a link to System Services and their location usage.
       • iOS 13 lets you share your location to an app just once. The next time the app wants it, it has to ask.
       • Does a weather app really need your current location? Maybe just give it a couple zip codes where you often are instead, and only give it access to your current location when traveling.
    2. The second approach, on Android, is to still let the phone know where you are now, but tell Google not keep a history of where you have been. This requires disabling two different location history features.
       • This article says to turn off "Location History" at myaccount.google.com/privacycheckup and turn off "Web & App Activity" at myaccount.google.com/activitycontrols. This article says to go to myactivity.google.com, select "Activity Controls" and turn off "Web & App Activity" and "Location History" This May 2019 article by David Nield in Wired covers all the bases both for a Google account and on a mobile device.
       • Android 8 and 9: Settings -> Security and Location -> Location -> Use Location is the master on/off switch for Location services. On Android 7, do Settings -> Location. From here, on all three versions, you can click on Google Location History to pause it. Note: this is done for a Google account, not for the device. From there, click on Show All Activity Controls to see the Web and App Activity and pause that too. From Google: Manage your Android device's location settings. The article states that, with Location disabled, you can still get local search results and ads based on your public IP address. You can test this with a VPN.
       • Yet another click-path: Android 8: Settings -> Users and Accounts. Android 9: Settings -> Accounts. Select an account, then click on Google Account. Find the Data and Personalization section, then the Activity controls section. Again, look for Location History and Web and App Activity. Lots more here too, such as Ad personalization.
    3. My advice is prevent iOS and Android from knowing your location in the first place. To do this:
       • Turn off 4G/LTE Internet
       • Turn off Wi-Fi
       • Turn off Bluetooth
       • Turn off GPS by disabling "Location" (Android) or "Location Services" (iOS)

       With these four things disabled, a phone can still make/receive calls and text messages. However, your location can be still tracked by the cell tower the phone is talking to, but, this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode and the step after that is to turn the phone off. A dedicated GPS app can be used to confirm the status of GPS. A side benefit of having this stuff disabled is better battery life.

       Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.

       Taking a step back, consider who is the enemy here? That is, who is it we don't want tracking us. Some people/articles focus on apps. But, it also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being being sued for selling location data. Another reason for my approach to defense.

    4. Background: This December 2018 article in the NY Times, documents the tracking, but not defense. Same for this article. Google has a history with location tracking. See also London Underground to begin tracking passengers through Wi-Fi hotspots (May 2019). The only defense is to disable Wi-Fi. See the Mobile Scanning topic to learn how to insure that Wi-Fi is really off and stays off. In Stores, Secret Surveillance Tracks Your Every Move (June 2019) about Location Tracking with Bluetooth.
12. NETWORKING   top
    
    
    • Networking equipment (router or combination modem/router) provided by Internet Service Providers is typically insecure and low quality. Anything you buy at retail is likely to be more secure. It may also be cheaper in the long run and makes you a lesser target (a million people are not using the same router model). I have a whole website devoted to Router Security. At the least, try to make the router configuration changes in the short list on the home page. Comcast customers see this.
    • Ethernet is more secure than Wi-Fi, so whenever possible connect via Ethernet for sensitive work. It's also faster. USB to Ethernet adapters cost about $15.
    • Speaking of Ethernet, Google knows nearly every Wi-Fi password in the world. And if Google knows them, what are the odds that Apple (via iOS) does not?
    • Use a Guest Wi-Fi network both for visiting humans and for IoT devices. Better yet, if your router supports it, use VLANs to further segregate devices (requires a techie). More here.
    • At this point, it is common knowledge that Wi-Fi encryption should use WPA2 rather than the ancient WPA or WEP. If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer. More here.
    • When it comes to making router changes, the first step, logging into the router, is likely to be the hardest. To make this easier, I suggest writing down the necessary info (IP address, userid, password) on a piece of paper and taping it to the router face down. Maybe include Wi-Fi passwords too.
    • A VPN prevents spying on your online activity by anyone you an see (anyone on the same local network) and by the ISP connecting you to the Internet. In the US, ISPs are allowed to spy on their customers and sell that data. A "secure" website prevents others on your LAN and your ISP from reading the content of web pages. However, they can still tell which websites you visited. In some cases, just the website name gives away too much information. VPNs hide everything. Picking a VPN provider is mind bogglingly difficult. Even agreeing on the criteria to judge them with is impossible. See one attempt and another and another. I have my opinions on good/trustworthy VPN providers, email me for my suggestions.
    • One of the Privacy Settings in iOS v12 is Bluetooth Sharing. Apps that are enabled for Bluetooth Sharing can share data even when you are not using them.
13. MOBILE SCANNING AND SHARING   top

    Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.

    • IOS CONTROL CENTER SCAM

      iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.

      In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.

      Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".

    • ANDROID SCAN EVEN WITH BLUETOOTH OFF

      Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".

      Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."

      Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."

      Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.

      Android 6: Settings -> WLAN -> advanced -> scanning settings -> Bluetooth scanning

      Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.

    • ANDROID SCAN EVEN WITH WIFI OFF

      Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."

      Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."

      Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.

      Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."

      Android 6: Settings -> WLAN -> advanced -> scanning settings -> WLAN scanning

    • ANDROID TURN WIFI BACK ON

      Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.

      Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".

    • ANDROID WIFI AUTO-CONNECT

      Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.

      Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"

    • Google Nearby, aka Nearby Device Scanning is designed to seamlessly let two Android devices talk to each other. I found this enabled by default on an Android 8.1 Samsung tablet. The description said "Scan for and connect to nearby devices easily ... Nearby devices scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device.". The path to the setting was: Settings -> Connections -> More connection settings. I have read that this also uses Wi-Fi and audio to find nearby Android devices. Creepy. More here, here and here.
    • NFC (Near Field Communication) is yet another wireless option for sharing data, but only between devices that are two inches apart.

      On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam, yet another sharing protocol. Not every Android phone supports NFC.

      On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.

    • Wi-Fi Direct allows two Wi-Fi devices to directly communicate without a router in the middle. I have checked a few Android devices and they all enable Wi-Fi direct without a way to disable it. It seems, however, that Wi-Fi direct scanning does not happen until you ask for it, so no big deal. Its popular on HP printers and some smart TVs as I always see some of each, when scanning from an Android device. HP printers create SSIDs like "DIRECT-xx-HP OfficeJet 4650"
      Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Advanced -> Wi-Fi Direct
      Android 8.1: Settings -> Connections -> Wi-Fi -> Wi-Fi Direct
      Android 8.1: Settings -> Network and Internet -> WLAN -> WLAN Preferences -> Advanced -> WLAN Direct
      Android 7.0: Settings -> Wi-Fi -> Advanced -> Wi-Fi Direct
    • AirDrop on iOS uses both Bluetooth and Wi-Fi. Bluetooth is used to find partners and Wi-Fi, because it's faster, is used to transfer large files. The Wi-Fi is a form of Wi-Fi Direct, thus the two Apple devices do not have to be on the same Wi-Fi network to exchange data. In fact, they don't have to be connected to any Wi-Fi network or to the Internet. See a How To. The important thing to be aware of is whether an iOS device can receive data from anyone or only from people in the Contacts. Configured at Settings -> General -> AirDrop. WARNING: With Wi-Fi and Bluetooth off, if you enable AirDrop, it turns on both Wi-Fi and Bluetooth without notification. See The feature Apple needs to change in AirDrop (April 2019) and When Grown-Ups Get Caught in Teens' AirDrop Crossfire (June 2019).
    • Android Direct Share: Description: "Share content with specific people directly from the sharing panel in any app. The Direct Share icons will appear at the top of the sharing panel if an app supports this function." Find it on Android 8.1 with: Settings -> Advanced Features. Not sure if this uses Bluetooth, Wi-Fi or what.
    • Warnings about Bluetooth security from Lily Hay Newman in Wired: Hey, Turn Bluetooth Off When You're Not Using It (Sept 2017), Bluetooth's Complexity Has Become a Security Risk (May 2019).
    • iOS 13: has a new "Find My" feature. When an Apple device is offline and sleeping, it sends out a secure (says Apple) Bluetooth beacon that can be detected by any nearby Apple device. These nearby devices (even those that are not yours) phone home to Apple to help you find a lost device. I have read that the Bluetooth beacons are even sent in Airplane mode. Not sure yet how to defend against this (turn off Bluetooth?) or if we even need to defend against it. Too new as of June 8, 2019.
    • Apple AirPlay: coming ....
14. DESKTOP OPERATING SYSTEM   top

    The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).

    • Do not use Windows. Windows is a cesspool of hacking, ransomware, bugs and vulnerabilities. Has been for decades. With Windows 8 Microsoft lost all credibility. With Windows 10 Microsoft spies on you and has taken control over the installation of bug fixes.

      Windows 10 makes it clear that the corporate mind set at Microsoft has changed - they view Windows 10 as their computer, not yours. It is crammed full of junky software that very few people care about, much of which can not be removed. And, even the removal is a scam, as the crapware comes back if you logon with a different userid. Likewise, the spying (aka telemetry, customization) can only be partially disabled. Home edition users are forced to beta test bug fixes and even Professional edition users have limited options for delaying or preventing the installation of bug fixes. Microsoft know whats best for you and its bug fixes all the time. Only the largest of corporations can fully opt out of the spying, junky software and forced "updates" in Windows 10. How? Microsoft has a clean version of Windows 10 called LTSC (or LTSB) that the public can not get. See a screen shot of the difference.

      Then too, there is incompetence. Examples abound. Consider the monthly bug fixes for Windows that were released in April 2019. As documented by Woody Leonhard, nine different Windows patches conflicted with four different antivirus products, leading to multiple problems. Quoting Woody: "...whoever made the decision to release the six (now nine) problematic Windows patches either: Didn't know they'd wreak havoc on millions of computers, or Didn't care. You can choose which one's worse."

      And, Windows is fractured, in that there are many interfaces to the underlying system. For example: .NET, ActiveX and Silverlight. Windows 8 introduced Tile World apps (aka store apps, Metro apps, Universal Windows Platform apps, and a dozen more names). Few Windows developers bothered with Tile World and now (May 2019), it appears to be on the way out. See Woody Leonhard and Paul Thurrott for more. Tile World apps are just another example of incompetence. Microsoft does not know what their developers or their customers want.

    • Everyone knows that an Apple Mac computer (macOS) is safer than Windows. This is true, but not drastically so. Both are ancient and the world has changed dramatically since they were designed.
    • On both Windows and macOS, it is safer to logon to the computer as a restricted (a.k.a. limited, standard) user rather than an unrestricted (i.e. administrator, admin or root) user. In each system, restricted users are limited in the changes they can make to the system without approval from an unrestricted user. This limits the damage that malicious software, that makes its way onto your computer can do. Any computer with a single userid is just asking for trouble. On a new Windows or macOS computer, consider creating two users based on your first name: MichaelAdmin and MichaelRestricted, for example. On an existing computer, create a new admin user, logon to it and then modify the existing userid to be restricted. This does not apply on a Chromebook.
    • Before buying an Apple laptop, read about their ongoing keyboard problems here (March 2019) and here: Apple lied to me about the MacBook Air and now we have a problem (May 2019).
    • Start using a Chromebook. Chromebook laptop computer are drastically safer than Windows and macOS. Their operating system, ChromeOS, is the newest available system and the most advanced. It was designed, by Google, with security in mind. They are a revolution in computing in that they don't need any care and feeding. No viruses. End users (you) can not screw them up. Chromebooks are not for everyone and not for every purpose. They are perfect for kids, seniors and non techies. More people should be using them, they are the home office of Defensive Computing. You normally use a Google account to logon to a Chromebook, but there is also a Guest mode that anyone can use without logging on.
      ---------ADDITIONAL CHROMEBOOK INFO-----------

      Guest mode starts and ends with a totally clean version of ChromeOS. That is, when Guest mode starts, there is no visible history of anything. Factory fresh if you will. When Guest mode ends, all activity is removed. Downloaded files, for example, are deleted. It's as if it never happened. Guest mode uses the Chrome browser, but without extensions. You can't even install an extension in Guest mode. It is the most secure environment available to non techies. It is perfect for online banking, opening suspicious email attachments and avoiding any and all website tracking.

      Originally, Chromebooks just ran the Chrome web browser (simplifying a bit). Later, Google added the ability to run Android apps, and, just recently, added Linux apps too. With an Android based emulator app, some Windows programs can also run on a Chromebook (requires an Intel CPU). Guest mode does not run Android, Linux or Windows apps, just the Chrome browser native to ChromeOS.

      Every computer company that makes Windows laptops, also makes Chromebooks. Most, but not all models have a touch screen. I suggest going for a touch screen. Models touted as 2-in-1 have a screen that can rotate fully around, letting them function as tablets too. Low end models start around $200. Mainstream models top out around $500 but there are some models that go up to $1,000.

      Google is up-front about how long a Chromebook will get software updates. Details for individual Chromebook models are in their Auto Update policy document. The latest models can get support for six years. For example, in June 2019, it showed the Acer Chromebook Spin 311 (R721T) would get updates until June 2025.

      Chromebooks have a full range of remote control options where they are the controller. This might be used to give a Chromebook access to software that runs on another operating system. However, options are limited for the Chromebook being controlled remotely. The only option for full remote control that I know of is the Chrome Remote Desktop extension from Google. To me, it is a pain to setup and use. There is a Team Viewer Quick Start app for Android that, once its installed, is very simple to use. It gives view-only access to the entire Chromebook (not just to the Android side) to a remote person.

      For more about Chromebooks see:

      -- Everything you knew about Chromebooks is wrong by Mike Elgan May 2018
      -- The Handiest Chromebooks For Hardworking Students by Christopher Null March 2019
      -- Wake up and smell the Chrome by me Aug. 2012
      -- Defensive Computing for online finances: Go with Chrome OS by me July 2012
      
    • Linux: Linux on a desktop/laptop computer is pretty safe, but, nonetheless, not a realistic option. For one, getting it installed is too difficult for non-techies. And, the few laptops that ship with Linux pre-installed are fairly expensive. Also, where does a non techie go with their inevitable questions and problems? And, the many distros and package managers make almost every Linux install unique, which makes it even harder to get help when needed.
    • FYI: We can see the progression of Operating Systems in how they handle software updates. On ChromeOS all software is updated automatically. It is king of the hill in this regard. On Android and iOS, the apps can update automatically, but not the OS itself. On Windows, macOS and Linux, it's chaos.
15. ENCRYPTION   top
    
    
    • Use Windows? Use the OneDrive feature? Then Microsoft can read the files you store there. Likewise, Apple can read anything stored in iCloud. And Google can read files stored on Google Drive (used by Android and ChromeOS), Dropbox can read your files too, and Amazon can read files stored on their Drive offering. And, if they can read your files, think what the US Government can compel them to do. To evaluate any file storage/backup service ask what happens if you lose/forget the password/key? If the answer is that they can't help you, and you have lost access to your data, then the vendor can not read your files. Me? I encrypt my files before sending them off-site.
    • There are at least a dozen or more software programs that claim to offer secure communication. Amongst techies, Signal is worshiped like a religion despite its using phone numbers, which obviously identify you, as userids. Nerds seemed focused on encryption while ignoring anonymity. My suggestion for secure communication is to use email from one ProtonMail user to another. ProtonMail can not read your messages. They offer free limited accounts. And, for the Proton Mail webmail system (which is where anyone should start) you can use your web browser to verify the encrypted connection between your computer and protonmail.com. Their website is usable on a Chromebook running in Guest mode - you are much safer if the operating system can not leak any information about you because it does not have any information about you. I am out of step here with every techie in the world, yet, they are wrong.
16. IOS AND ANDROID   top
    
    
    • It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find unremovable backdoors (ZDNet June 2019) built into the firmware of iPhones.
    • iOS users should hold off installing new versions of iOS for a few weeks. Thereafter, do not wait to install the bug fixes that follow.
    • The safest Android phones are the Pixel line from Google. They are the only Android phones anyone should consider buying.
    • A big reason for Android's security problems are the lack of bug fixes. Most Android devices are shamefully vulnerable both because fixes are late in being issued (if they are ever issued) and then late in being installed. Here's an idea: before buying an Android phone try to find out when bug fixes for it will be released. Lotsa luck. The correct answer is once a month. Better still, try to find out when the last bug fixes for the phone will be issued, that is, when the software will be abandoned. You will not get an answer to either question.
    • You can tell when a web browser is using a secure encrypted connection. Not so with mobile apps. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, it's a scam and there is no defense.
    • iOS 13: As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
    • Android Q: (version 10) As of June 6, 2019 it is early on this. When an app asks for access to location data, there is a new option to only allow this while the app is in use. Also, there is a new Privacy section in system Settings.
17. MOBILE OS SPYING   top

    It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.

    • Things are bad: It's the middle of the night. Do you know who your iPhone is talking to? by Geoffrey Fowler in the Washington Post (May 2019). He found 5,400 app trackers spying on him.
    • Things are bad: iPhone Privacy Is Broken…and Apps Are to Blame by Joanna Stern in the Wall Street Journal (May 2019). Most apps are tracking you in ways you cannot avoid. Privacy controls are a scam. Interesting tidbit: paid apps spied the same as their free siblings. Defense: Privacy Pro SmartVPN from Disconnect.
    • iOS Defense: The above two articles both suggested partial defenses: Disable "Background App Refresh" (Settings -> General) and Enable "Limit Ad Tracking" (Settings -> Privacy -> Advertising).
    • iOS Defenses: From 7 iPhone privacy settings you should enable now (Jack Morse June 2019). Review apps that have Camera (Settings -> Privacy -> Camera) and Microphone (Settings -> Privacy -> Microphone) access. Maybe turn Live Photos off. Turn off lock screen message previews (Settings -> Notifications -> Messages -> Show Previews). Reset your Advertising Identifier (Settings -> Privacy -> Advertising). Use a long (up to 9 digits) voicemail password (Settings -> Phone -> Change Voicemail Password).
    • Android Defense: Turn off Ad Personalization and periodically reset the Android advertising ID. On Android 7, 8 and 9, both options are at: Settings -> Google -> Ads.
    • Android Defense: At Settings -> Google. Google Account is the master list of everything Google. In Networking, maybe disable the Wi-Fi assistant. Check Nearby to see if any apps are sharing data. In Search, Assistant & Voice: Under General, look at Recent pages, Discover and Personal results. Under Voice, consider not allowing Bluetooth requests with the device locked (may be called Bluetooth headset). Also review Google Assistant.
    • Things are bad: Perhaps the most damning article: I spy: How Android phones keep tabs on our every move (March 2019) is about the security hole that are the pre-installed Android apps. Based on an academic study that analyzed 1,742 phones from 214 manufacturers. 91% of the pre-installed apps are not in the Google Play store. No defense offered.
    • Defense: the Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS. The Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. And, you can customize it. They call the feature R.O.B.E.R.T.
    • Defense: This ingenious new iPhone app is a powerful way to foil data snoops (by Glenn Fleishman March 2019) about the upcoming Guardian Mobile Firewall which combines a VPN and tracking protection. It is expected to be released June 14, 2019.
    • Things are bad on Android: Thousands of Android Apps Break Google's Privacy Rules by Paul Wagenseil Feb. 2019. Researchers examined 24,000 Android apps and found that 70 percent were breaking the rules by sending out permanent IDs that ad networks can use to track you. The researchers notified Google of the policy violations and got no response.
18. FACEBOOK   top

    No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do, so all I can offer are these links.

    • This ZDNet article has some tweaks for Facebook settings
    • Mozilla created a Facebook container extension for Firefox. They claim it prevents Facebook from tracking you around the web.
    • Hands off my data! 15 default privacy settings you should change right now by Geoffrey Fowler in Washington Post June 2018.

    And, as a reminder, Facebook bad.

    Quite a quote about Facebook: "morally bankrupt pathological liars who enable genocide (Myanmar)" (ZDNet April 2019)

    Facebook does not remove bad guys until they are publicly shamed in a high profile way (Brian Krebs, April 2019)

    Mark Zuckerberg leveraged Facebook user data to fight rivals and help friends, leaked documents show NBC News April 2019

19. GOOGLE   top

    Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.

    • This May 2019 article in Wired: All the Ways Google Tracks You - And How to Stop It, touches most of the bases, configuring: a Google account, Android, iOS and searching. A must read.
    • Google Account: Most tracking is configured at myaccount.google.com/activitycontrols
    • Google Account: Do a Google Privacy Checkup
    • Google Account: See what Google knows about your travels using their Maps Timeline.
    • GMAIL: Google uses Gmail to track a history of things you buy - and it's hard to delete (CNBC May 2019). And, it can't be stopped. See your purchase history. Read Google's doc on this: See your purchases, reservations and subscriptions. The day before flying, Uber offered me a discount for getting to the airport. Pretty sure it was Gmail that told Uber about my trip.
    • GMAIL avoidance: Here is a list of Privacy-Conscious Email Providers. In addition to privacy, it may be worth paying for email from a company, such as Fastmail or Mailbox.org, if for no other reason than to get technical support.
    • Searching: Minimize Google tracking by not being signed in to Google when making queries. You can tell if you are signed in by checking the upper right corner of the screen (see screen shots). A single letter in a circle means you are signed in, a blue "Sign in" button means you are not. Or, use a search engine that do not record your search history such as DuckDuckGo and Startpage
    • The Smart Speakers section has a sub-section with Google Assistant defenses
    • The Location Tracking topic has a lot of defenses for Android and Google users
    • If you have Nest Cam or Nest thermostat be aware that according to this April 2019 article in the Washington post, Nest security is sub-optimal. The article suggests using a unique password (always a good idea) and two factor authentication with the device. Taking a step back ... Google? Really? In a camera in your home? Really?
20. EXTRA CREDIT   top
    
    
    • Use multiple email addresses. Far too many systems use an email address as their unique identifier, so when one system gets hacked, bad guys are halfway to hacking into your other accounts. Having multiple email addresses avoids putting too many eggs in one basket. At the least, use one email address for business and one for personal messages. The next step would be to create a sacrificial email address for things you don't really care about.

      The ultimate goal is to use a different email address with every service that requires one. Of course, no one wants to check multiple inboxes, and you do not have to. Email forwarding allows multiple email addresses to end up in one inbox. Gmail offers email forwarding as a free service. Gmail also lets you add a plus sign at the end of your Gmail userid to make unique email addresses, but some (too many, in my experience) websites consider an email address with a plus sign to be invalid.

      Having dozens of email addresses, yet just one or two inboxes, is an achievable goal, but it requires a nerd to set up. It can be done in two ways: you can own a domain that allows email forwarding or you can use an email provider that offers aliases.

      As a side benefit, using many email addresses helps you detect who shared your email address with their "business partners" (spammers).

      Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com

      If you opt for using your own personal domain as the mechanism for having multiple email addresses (great choice) then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool.

      In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

    • Fake reviews: Spotting fake reviews is a skill we all need to learn. Which? magazine has a short video (April 2019). The website fakespot.com analyzes reviews at Amazon, Best Buy, Sephora, Steam, Walmart, TripAdvisor and Yelp.
    • There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.
    • If you are working on sensitive documents, then consider not using Word. See my blog: Is Word 2016 spying on users?
    • At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.
    • Can you tell if a website is legit?

      IS FTCCOMPLAINTASSISTANT.GOV LEGIT?

      I read an article that said victims of Identity Theft should go to ftccomplaintassistant.gov and I wondered if that site was legitimate. That is, is it really from the Federal Trade Commission, a division of the US Government? We have already seen that just having "FTC" in the name means nothing. The FTC has their own website at ftc.gov, so why the need for another domain name? Instead of a new domain, they could (read should) have used complaintassistant.ftc.gov or ftc.gov/complaintassistant. Both leave no doubt that they are from the FTC.
      
      On thing pointing to its being a scam is that the home page of ftc.gov has a link to identitytheft.gov for reporting identity theft. There is no link on the FTC home page to ftccomplaintassistant.gov. And, identitytheft.gov has its own assistant (identitytheft.gov/Assistant) which does not link to ftccomplaintassistant.gov.

      Looking at the ftccomplaintassistant.gov site, the first thing to notice is that it does not have the extra identity assurance. If it is legit, that would be pretty ironic, eh? In techie terms the site is Domain Validated (DV) rather than having Extended Validation (EV).

      All domains have to be registered and whoever pays for the registration can chose to make their identity public, or not. Looking up this information is called a Whois search and every company that registers domains offers a Whois search. However, this turned out to be a dead end. I could find no Whois information for any .gov websites.

      A couple things point to the site being legit. There is a page on ftc.gov with consumer information about Identity Theft and it has a link to "File a Consumer Complaint" that goes to ftccomplaintassistant.gov. And, while the home page of identitytheft.gov has no links to ftccomplaintassistant.gov, an examination of the underlying html (i.e. page source) showed that pulls in a script from chat.ftccomplaintassistant.gov.

      So, is it legit? I would have to call the FTC on the phone and ask them.

      On a related note, ftccomplaintassistant.com is definitely bad news. That was an easy call.

21. ONE OFFS   top

    The items below are defensive measures that apply to just one website or just one system.

    • Quoting ProPublica: "TurboTax uses deceptive design and misleading advertising to trick lower-income Americans into paying to file their taxes, even though they are eligible to do it for free." More here. (April 2019) The free tax filing site is turbotax.intuit.com/taxfreedom
    • Twitter: Twitter URLs Can Be Manipulated to Spread Fake News and Scams by Ionut Ilascu June 2019. Not sure what the defense here is, other to be aware of this.
    • WhatsApp: How to minimise targeted ads on social media: WhatsApp undated from Privacy International. Upgrading WhatsApp Security by Martin Shelton Feb. 2017.
    • MetroPCS customers can take one of two defensive steps against a sim swap attack made far too easy by poor security at MetroPCS. April 2019
    • The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings to give you the most private version possible. It deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. Future plans are for an Android app and to deal with Instagram and Tinder. More.
    • This May 2019 article by Sergiu Gatlan for Bleeping Computer has defensive steps for Office 365.
22. READING LIST   top
    
    
    • Leo Notenboom on The One Thing Every Non-technical Person Needs to Know. Hard to pick just one thing, but he offers good advice.
    • Protecting Yourself from Identity Theft by Bruce Schneier May 2019. No good news here. Quoting: "there's nothing we can do to protect our data from being stolen by cybercriminals and others." True, but nonetheless, an easy out for anyone too lazy to do the things suggested here.
    • Cars spy on us: Your Car Knows When You Gain Weight by Bill Hanvey, CEO of the Auto Care Association. May 20, 2019. Not much in the way of defense.
    • Hands off my data! 15 default privacy settings you should change right now by Geoffrey Fowler in Washington Post June 2018. Advice for Facebook, Google, Amazon, Windows 10 and Apple
    • Give up your password or go to jail: Police push legal boundaries to get into cellphones (NBC News June 2019). "... police need a warrant to search a cellphone, the question of whether police can force someone to share a passcode is far from settled, with no laws on the books and a confusing patchwork of differing judicial decisions."
    • Here's how to view, download, and delete your personal information online by Stan Horaczek June 2019. Covers Instagram, Myspace, Apple, Google, Microsoft, Amazon, Snapchat, Twitter and data brokers.
    • Fake job scams: How a remote tech writing gig proved to be an old-school scam (Ars Technica June 2019). Also: List of Fake Job Scam Examples. A June 2019 tweet from Ian Sigalow shows another side of the scam. Defense: be aware that job boards do not validate that the person posting a job is actually affiliated with the company. One way to do is to insist they have an email address at the company's public domain name. Also, watch out for a job interview via text chat and questions about electronic deposits.
    • IoT devices are infamous for poor security. These articles offer advice before you buy: How to buy IoT gadgets sensibly (Tony Gee May 2019) and How to buy smart - and secure - gadgets (Dan Seitz March 2019).
    • My competition: The Motherboard Guide to Not Getting Hacked (November 2018). 21,300 words. Cyber security 101: Protect your privacy from hackers, spies, and the government by Charlie Osborne and Zack Whittaker (May 2019). Very long. And, Security Guide by Maciej Cegłowski.

Whew! Seems like a lot, it is a lot.

Welcome to an exclusive club. There is not yet one single web page that links to this website, not even to trash it. Keeps the riff-raff out :-)

All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important let me know at defensivecomputing -at- michaelhorowitz dot com.

This site does not use cookies. And, there are no ads here either. If you see any ads, something (computer, browser or router) has been hacked.