A Defensive Computing Checklist     by Michael Horowitz

This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete as that list would never end. I tried to limit this to the most important issues, still its long (10,000 words).

Some parts of this page are not displayed until you click a button. To see everything (perhaps for searching or printing), click this button:

SECTIONS: Email, Understanding Domain Names, Passwords, Verified Website Identity, Secure Websites, Two Factor Authentication, Phone calls, Identity Theft, SIM Swaps, Web Browsers, Public Wi-Fi, Networking, Voice Assistants (a.k.a. Smart Speakers), Location Tracking, Mobile OS Spying, Mobile Scanning and Sharing, Desktop Operating System, iOS and Android, Chrome OS, Encryption, Facebook, Amazon, Google, SPAM Texts, Scam Voices, Twitter, NAS, TV Watches You, One Offs, Extra Credit, Reading List, The Competition
  1. EMAIL

    Many times, perhaps most of the time, the first step in a company getting hacked is an email message. That's why this is the first topic.

    • You never know who sent an email message, so think carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Techies can look at the hidden email headers to get an idea who really sent a given message, but this is not a skill taught in nerd school. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message.
    • In light of the above, we might be tempted to trust that an email was legit, if it knew something about us. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018, may not be from Starwood. Bad guys know you stayed there too.
    • The use of official logos and images in an email message also does not indicate legitimacy. See How to spot suspicious emails and Dealing with Fake 'Ask Leo' which examines a scam email message for telltale signs.
    • The more urgent the plea for you to take action, the more likely it is to be a scam. Bad guys don't want you to have a chance to think about the issue or check with others.
    • Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phishing" is a scam specifically targeted at you. In a spear phish, the bad guys will have researched you and they use the information about you as the part of the lure in their scam. For example, they might learn who does the money transfers in a company, then pretend to be the boss and order a fake money transfer.
    • Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.
    • An email with a password protected attachment, that has the password in the body of the email message, is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus.
    • An email that asks you to logon to read an encrypted message is a scam.
    • Emails that pretend to be from a trusted organization for the purpose of stealing passwords or other personal information can be reported to Cisco PhishTank, SpamCop and the Anti-Phishing Working Group. Registration is required. You can also report any and all SPAM to SpamCop. Links from Daniel Aleksandersen. Sophos is also willing to accept spam and malicious emails on their Submit a Sample page.
    • Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.

    Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams targeted at people that don't know the rules.

  3. PASSWORDS   top

    • Never re-use passwords. We all need dozens or hundreds of passwords, yet we can remember just a few. Nonetheless, this is a very important rule. Companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites.
    • Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and over valuing the need for randomness in passwords. They also underestimate the hassle of new software for non techies.
    • Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can chose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. It's also easy to remember. There's a formula: start and end every password with "1234". I expanded on the use of formulas in my Aug. 2019 blog The world's BEST password advice.
    • You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked and a formula (above) should produce globally unique passwords fairly easily.
    • Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper can not be hacked; just be sure to xerox the list every now and then in case you lose it.
    • Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager and its useless on a Chromebook running in Guest mode which is where I do my sensitive transactions.
    • All that said, no single approach is appropriate for everyone.
    • Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.

    Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.

    • In another type of attack, a web browser may display the correct something.citi.com, and yet, the website could still be a fake. To prevent this, companies that take this stuff seriously pay extra to have their identities verified. You can see this extra identity validation at, for example, citi.com which says "Citigroup Inc. (US)" just to left of online.citi.com in the address bar (see example). Bank of America does the same thing as you would expect any financial company to do. In contrast, my dinky websites, such as this one and my personal site (michaelhorowitz.com) do not have identity verification (see contrast). If the website of your financial institution has this extra identity protection, get in the habit of looking for it. If this information is not provided, take that as a bad sign about the company and its website. In techie terms, my websites are Domain Validated (DV), the Citigroup and Bank of America websites have Extended Validation (EV). The home office of incompetence, Equifax, does not offer identity verification. Not a surprise. What is surprising is that neither does Amazon.com (shown in the screen shots).
    • Web browsers have always been inconsistent in how they indicate that a site has had its identity verified. Worse still, each browser constantly fiddled with their padlock display. As an illustration, this image, from Twitter user Cryptoki, shows eight different browsers indicating this in eight different ways. Internet Explorer was, by far, the best. It turned the entire address bar green, a visual clue that no one could miss. Most browsers displayed the verified company name in green, somewhere on the address bar.
    • An inconsistent User Interface is the good old days. As of September 2019 (give or take) there will be no user interface, at least, not one that is visible by default. The two major web browsers, Chrome and Firefox have decided to hide this. Already, many web browsers fail to indicate a verified identity in any way. Why have Google and Mozilla decided to remove the indicators of a verified identity? Because you are stupid. They won't say that directly, but that is clearly what they are thinking. They point out that non-techies do not understand what it means for a website to have a verified identity. Never mind that, in no small part, this is their own fault for not having a standard indicator. Given this lack of understanding, rather than try to educate the public, they are taking their ball home so we can't play the game. Nerds at their worst.
    • As with email messages, the content of a fake website can look exactly like the real thing. Anyone can copy images and text and fonts from the real site and use them to make a fake site.

    • If you visit a web page, everyone knows that HTTPS encrypts the content of the page. But that's not the whole story. As this blog by DuckDuckGo points out, parts of the URL are not encrypted. For example, if you visit
      the fact that you visited the Mayo Clinic website and were interested in cancer will be visible to anyone watching network data transmissions. However, that you wondered whether cancer was contagious is not visible. In techie terms, everything after the domain name (isitcontagious.html) is encrypted in transit, however the domain name (mayoclinic.org) and sub-domains (cancer) are not encrypted.
    • The concept of secure websites, indicated by HTTPS or a lock icon, is, in many ways, a scam. The security that people tout refers to a small piece of a large pie. Specifically, it refers to in-flight data; data being transmitted back and forth between your computer and a website. If, while traveling over the Internet, the data/web page is encrypted, then the entire site is said to be secure. Fact is, dozens of things can still leak your sensitive data. Take the just-discussed EV/DV validation of websites. Without real identity verification (EV), you could "securely" send passwords to bad guys. Another scam is that encryption is a binary thing, that it is either on or off. In reality, it is quite complicated. So much so, that there are security rating websites (next topic). Perfect Forward Secrecy (PFS) is another factor, one that is hardly every discussed. Without PFS spy agencies can very likely (no one knows for sure) decrypt the encrypted data traveling over the Internet. Another factor is keeping private encryption keys private. If they leak (its just a string of bits), encrypted data can, again, be decrypted. No one knows how well any website protects its private keys. Then too, many websites continue to support older security/encryption protocols with known flaws (TLS 1.0 and 1.1). And, websites have different sections, each section has its own security profile; one section may be more secure than another. For example, in 2016, I blogged about how www.ssa.gov was secure while secure.ssa.gov was not (since fixed). And, nothing about encryption in transit tells you anything about the strength of the security on the back end (think Facebook storing passwords in plain text) or whether software running on the back end is being updated with bug fixes (think Equifax), how good their defenses are against attacks, who they share your data with or whether the data is left publicly available to anyone who knows where to look, no attacking needed (this happens a lot). I could go on. Anyone who tells you to trust a website because it is secure, is either un-informed or lying on purpose because it serves their needs.
    • A great website for evaluating the encryption used by a website is the Qualys SSL Server Test. Ironically, it does not have extended identity protection. Still, it offers both a ton of technical information about encryption and a simple letter grade at the top. I suggest testing your most important sites: banking, email and any website holding your sensitive information. Every site should get either and A or A+. Anything else is a failure. The orange horizontal stripes under the letter grade are security failures. To be thorough, you need to check each section of a website. For example, at the US Social Security Administration, you would check both www.ssa.gov and secure.ssa.gov. To put this in perspective, again, encryption is a small piece of a large pie. Nothing about the strength of the encryption used to send/receive data tells you anything about whether passwords are stored in plain text, or whether bug fixes are applied to the software running the website, or any other aspect of security.
    • Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully. You don't want the answer to be anything that someone could either guess or learn about you. In fact, don't even give reasonable answers. If it asks for the name of a person, use the name of a place instead. You never know if the answers are case sensitive or not, so it is safer to only use lower case. In my opinion, it is also safer to avoid spaces and special characters too. Just like passwords, these questions and answers need to be saved somewhere that you can find them later. Nothing wrong with paper and pencil.
    • Any website that you can access with just a userid/password is not really secure. Stepping up the security requires a second factor/thingie. See the topic on Two Factor Authentication for more.

    To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing "two factors" refers to needing a password and something else to gain access to a system. Thus, a stolen password becomes useless as its only half the story. The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable by using 2FA. First they had their cellphone number stolen, but that was done to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes. And, everything breaks, so you need to be up to speed on the fallback system for when 2FA breaks. There are different types of 2FA and no one right answer for everyone.

    • Perhaps the least secure type of 2FA, is a temporary code sent in a text message to a cellphone. It is very popular. Less popular, is the use of email for the exact same purpose. In the US, the Social Security Administration does this. Still another option is a phone call where a temporary code is spoken aloud. Or, a phone call where all you need to do is touch a button on the phone.
    • A more secure type of 2FA involves a Time Based Onetime Password (TOTP) generated by an app running on a mobile device. Two such apps are Authy and Google Authenticator.
    • A problem with both of these types of 2FA is a scam website. If you enter both your password and the temporary code into a scam website, the bad guys have it. See the topic on Understanding Domain Names for more.
    • The most secure option involves a physical thingy you connect to a computer/tablet/phone that verifies your identity. No thingy no access. Some downsides: the thingies cost money, different computing devices require different thingies, not many systems support this type of 2FA and the software on the thingies might be buggy.
    • To check if the companies you deal with offer 2FA, see twofactorauth.org.
    • Google 2FA supports multiple one-time use backup codes, a great feature. How to retrieve your Google 2FA backup codes by Jack Wallen (Aug 2018)
    • Background: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016). Two-Factor Authentication: Who Has It and How to Set It Up by Eric Griffith (March 2019).
  7. PHONE CALLS   top

    You never know who calls you on the phone. Callerid can be spoofed just like the FROM address in email, so the same advice holds: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.


    Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do to in preparation.

    • Bad guys might try to open a credit card in your name. To prevent this, you can get a credit freeze with TransUnion and Experian and Equifax.
    • Bad guys might use your credit card to buy themselves stuff. You can be alerted to this by having your credit card company notify you, in real time, about charges on your account.
    • Americans should open an account with the IRS (irs.gov) to prevent bad guys from opening an account in your name and getting your tax refund. Even if you never use this account, it is safer to have it. Brian Krebs: has more (January 2018).
    • Americans should also open an account with the Social Security Administration (ssa.gov) regardless of their age. This prevents bad guys with your stolen information from opening an account as you, and, for many people, is the only way to verify that their earnings are correctly reported.
    • A free annual credit report, available at annualcreditreport.com can't hurt. However, two things about the site are a sham. For one, it says that you can order reports online. When I last tried this in December 2018, it was not true, reports had to be ordered via postal mail, and, I was not told this until after I entered all my personal information. Also, the site has not opted for extra identity validation for itself (see topic on VERIFIED WEBSITE IDENTITY). Requests on paper are the way to go.
    • Background: Identity Theft info from the FTC. 11 Ways to Tell If Your Identity Has Been Stolen by Paul Wagenseil April 2019. The Identity Theft Resource Center (idtheftcenter.org) offers free assistance for ID theft. They may be well-meaning, but their computer advice, is shamefully ancient and lame.
  9. SIM SWAP   top

    A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Another term for it is a port-out scam.

    • One guys story: SIM swap horror story: I've lost decades of data and Google won't lift a finger By Matthew Miller of ZDNet (June 2019). This should convince people to take defensive steps. After getting control of his T-Mobile phone number, bad guys used it change the password on his Google and Twitter accounts and used his bank account to buy $25,000 of Bitcoin. Article has some suggested defenses too.
    • How Twitter CEO Jack Dorsey's Account Was Hacked (Wired Aug. 2019) A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.
    • Danger: A few people have noted that the first sign of trouble was no cell reception on their phone. For one person, the first hint of trouble was a text message from T-Mobile about a call to them that he did not make.
    • Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams). Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode. How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to setup the extra PIN code for each cellphone company.
    • Defense: How to Stop Your Mobile Number from Being Hijacked by Paul Wagenseil (March 2018). Most victims seem to use T-Mobile. AT&T has two defenses: both a passcode and Extra Security to enforce the use of the passcode.
    • T-Mobile Defense: T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About by Lorenzo Franceschi-Bicchierai for Vice (Sept 2019). A feature called NOPORT requires customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. This is separate and distinct from their Port Validation.
    • Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file. He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6 -15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the signon page for cellphone companies to steal these pin codes. (Secureworks Aug. 2019)
    • Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 were learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINS exposed to the world.
    • Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai is a Google Voice phone number.
    • Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.
    • Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authorization with text messages, they only support the stronger options: Time Based Onetime Passwords (TOTP) and physical keys like Yubikey. In the Extra Credit section below, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked. Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.
    • Background: Much of the world has fixed this problem, but the US remains vulnerable. Why Phone Numbers Stink As Identity Proof by Brian Krebs (March 2019). Wave of SIM swapping attacks hit US cryptocurrency users by Catalin Cimpanu for ZDNet (June 2019).
    • Big picture. As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.
    • What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard, you need to keep track of a userid (for which there are two definitions) a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name is the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps chose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
    • What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.
    • Defense: The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto (June 2019). Overwhelming article.
  10. WEB BROWSERS   top

    • Choosing: Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer, now it's Google's Chrome browser. Don't use either one. Or Edge. On a desktop Operating System (Windows, macOS, Linux) I suggest using either Firefox or the Brave browser. Brave has ad blocking and tracker blocking built in, it is based on Chrome, supports all Chrome extensions and also runs on Android and iOS. Another good Android choice might be the DuckDuckGo browser. See some supporting articles:
    • Track me not: If the websites you visit are determined to track you it is all but impossible to prevent it. Still, you can fight back. The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook, which insures that all traces of your activity are erased when you exit Guest Mode. One step down, is private/incognito mode in your web browser. You are still tracked, but only until you close the browser. For background, see What Does Private Browsing Mode Do? by Martin Shelton July 2018. Another option is to manually delete cookies and other tracking data in your browser. In Chrome and Brave, enter chrome://settings/siteData in the address bar, then click the Remove All button. In Firefox, enter about:preferences#privacy and click on the Clear Data button. Perhaps bookmark these URLs. Firefox can automatically delete cookies when the browser shuts down. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed".
    • Get ad blocking and tracker blocking from a VPN. Some VPN providers offer both as a service. Rather than deal with just one browser or just one computer, this can help any device connected to the VPN. It can also help with mobile apps. If you connect to a VPN from a router, it can block ads/tracking on any device. Some VPN providers that offer this are Freedome from F-Secure, Perfect Privacy, Privacy Pro SmartVPN from Disconnect, the Guardian Mobile Firewall and Windscribe.
    • Web browser extensions are a double-edged sword. If you let them, they can read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused too. When installing extensions pay close attention to the permissions it requests. I have seen non-techies be tricked into installing malicious extensions. It is a good idea to periodically review the extensions installed in your browser and remove any you really don't need. To display the installed extensions, use these address bar URLs (perhaps bookmark them): In chrome chrome://extensions, in Brave brave://extensions, in Firefox about:addons. I blogged about potentially dangerous extensions here and here and here. A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019. Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode which does not allow extensions.
    • Install an ad blocker extension in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. The down sides are that some sites won't display without their ads and that it prevents sites from earning needed revenue. But, the ad blocker can be disabled on sites you wish to support. No website can be trusted to only show non-malicious ads because the website itself does not choose the ads. Except Krebs on Security.
    • Install a tracker blocker extension such as Privacy Badger from the EFF or Disconnect.
    • In desktop Firefox, review the Content Blocking (about:preferences#privacy) settings which offers defense against trackers and more. As of version 67, it should default to Standard, maybe raise it to Strict or Customize it. See the documentation on this. Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.
    • Test your web browser: This is only for techies. deviceinfo.me, SSL Client Test from Qualys SSL Labs and How's My SSL?
  11. PUBLIC WIFI   top

    Public Wi-Fi is always dangerous, whether a password is required or not. It is best to keep your main/regular computing devices away from public networks. If possible, use a Chromebook on public networks. Regardless of the computing device:

    1. Anyone can name a Wi-Fi network anything. As a result, bad guys can create wireless networks with the same name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non techies can not distinguish an Evil Twin from the legit network it is pretending to be. Neither can a computer/phone/tablet which will happily connect to the evil network. Techies can look at the MAC address of a wireless network, but even that can be spoofed if the bad guy knows how.
    2. Use either a VPN (not a free one) or Tor on a public network. Both hide your activity from the router creating the public network which is a good thing whether the network is an Evil Twin or not. More in the Networking topic below. If this is too much, then on mobile devices, use the Cloudflare app available on Android and iOS.
    3. After connecting to the network, and starting the VPN or Tor or Cloudflare, check the DNS servers actually in effect. If using a VPN, the DNS servers should be from the VPN provider. It is very dangerous to use unknown DNS servers.
    4. Even with all the protection in the world, there are some things best avoided on any public network. You never know who is watching over your shoulder.
    5. Disable Wi-Fi when not using it. It is not sufficient to simply disconnect from the public network.

    If you must use your regular devices on a public network, then have a techie check them for open TCP/IP ports. This probably will be done with the nmap utility. Check for all 65,500 TCP ports, looking especially for file sharing ports. If file sharing is enabled, then learn how to disable it and verify that its ports get closed when its disabled.

    One way to avoid public Wi-Fi with a laptop, is to use the 4G/LTE connection on a phone for Internet access. That is, make the phone into a hotspot and connect the laptop to the phone's Wi-Fi network. One, or both, of the devices should be connected to a VPN.

  12. NETWORKING   top

    • Networking equipment (router or combination modem/router) provided by Internet Service Providers is typically insecure and low quality. Anything you buy at retail is likely to be more secure. It may also be cheaper in the long run and makes you a lesser target (a million people are not using the same router model). I have a whole website devoted to Router Security. At the least, try to make the router configuration changes in the short list on the home page. Comcast customers see this.
    • Ethernet is more secure than Wi-Fi, so whenever possible connect via Ethernet for sensitive work. It's also faster. USB to Ethernet adapters cost about $15.
    • Speaking of Ethernet, Google knows nearly every Wi-Fi password in the world. And if Google knows them, what are the odds that Apple (via iOS) does not?
    • Use a Guest Wi-Fi network both for visiting humans and for IoT devices. Better yet, if your router supports it, use VLANs to further segregate devices (requires a techie). More here.
    • At this point, it is common knowledge that Wi-Fi encryption should use WPA2 rather than the ancient WPA or WEP. If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer. More here.
    • When it comes to making router changes, the first step, logging into the router, is likely to be the hardest. To make this easier, I suggest writing down the necessary info (IP address, userid, password) on a piece of paper and taping it to the router face down. Maybe include Wi-Fi passwords too.
    • A VPN prevents spying on your online activity by anyone you an see (anyone on the same local network) and by the ISP connecting you to the Internet. In the US, ISPs are allowed to spy on their customers and sell that data. A "secure" website prevents others on your LAN and your ISP from reading the content of web pages. However, they can still tell which websites you visited. In some cases, just the website name gives away too much information. VPNs hide everything. Picking a VPN provider is mind bogglingly difficult. Even agreeing on the criteria to judge them with is impossible. See one attempt and another and another. I have my opinions on good/trustworthy VPN providers, email me for my suggestions.
    • One of the Privacy Settings in iOS v12 is Bluetooth Sharing. Apps that are enabled for Bluetooth Sharing can share data even when you are not using them.

    All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since all three companies send some recordings to contractors, to help improve the system, strangers may hear your embarrassing conversations. Tony Soprano would not have allowed Siri in his home. Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of Alexa recordings. Initially, Apple lost at this privacy game, they did not have any way to opt out. In early Aug 2019 they took their first step and did more in iOS 13.2.


      Bloomberg reported in April 2019 that Amazon Workers Are Listening to What You Tell Alexa. There are options in the app to disable this (Settings -> Alexa Account -> Alexa Privacy -> Manage How Your Data Improves Alexa) but they may not be honored.

      Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.

      Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.

      Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.

      Alexa Defense: Turn off voice purchasing in the app: Menu -> Settings -> Alexa Account -> Voice Purchasing. First configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured, there is no need for this, skip it.

      Alexa Defenses in the Alexa app:
      Settings -> Alexa Privacy -> Manage How Your Data Improves Alexa. There are two options to prevent humans from listening to your recordings
      Settings -> Alexa Privacy -> Review Voice History. Enable the deletion by voice option. Then delete saved recordings. After enabling this option, you can say "Alexa, delete everything I said today" Coming in Oct or Nov 2019, is a new Alexa command: "delete what I just said"

    • APPLE (Siri, Apple Watch and HomePod smart speakers)

      Apple contractors 'regularly hear confidential details' on Siri recordings by Alex Hern in The Guardian (July 2019). Accidental activations pick up extremely sensitive personal information, fairly often. The story came from a whistleblower; not a good look for Apple.

      If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".

      Apple Suspends Listening to Siri Queries Amid Privacy Outcry by Mark Gurman of Bloomberg (Aug 2019).

      Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings. To disable Siri: Settings > Siri & Search -> Turn off both the Listen and Press Button options. To disable dictations: Settings -> General -> Keyboard -> turn off Enable Dictation. This process will change.

      Defense added in iOS 13.2: When upgrading to this release, users will see a pop-up message offering the ability to opt-out called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements" where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History".


      Again from Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-ToGeek article adds instructions for deleting the previously saved recordings.

      The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)

      Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.

      To delete Google Assistant voice recordings, start at myaccount.google.com/intro/activitycontrols. Scroll to "Voice & Audio Activity" where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "delete what I said on [date]" This only works for the last 7 days.


      In Aug. 2019, Joseph Cox of Motherboard revealed that "Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.

    • General Defense: I own a smart speaker and it is powered off 99% of the time. When I want to use it, I plug it in and wait 30 seconds for it to start up.
    • How to Delete Voice Recordings From Alexa, Google Assistant, Facebook Portal, and Siri by Brendan Hesse Aug. 2019
    • Future: At some point, the US Government may force one of these companies to let it listen in on a target 24x7. If that happens, would you be surprised?

    There are three approaches here, and I am the only person (as far as I know) to suggest the third one.

    1. The first approach is to play whack-a-mole; to configure access to location data on an app-by-app basis. This strikes me as ridiculous.
      • For Android 9, from Google: Choose which apps use your Android device's location.
      • New permission in Android 10: only let an app know your location when the app is open. Also new, periodic reminders about apps that are accessing your location in the background. Configure: Settings -> Apps and Notifications -> pick an app -> Permissions and Location. Or, Settings -> Privacy -> Permission manager -> Location -> click an app. If upgrade from v9 to v10, all existing apps need to be checked.
      • For iOS version 12, do Settings -> Privacy -> Location Services to see a list of apps. Each app is assigned one of three rules: never see your location, always see your location or only see it while using the app. Also here is a link to System Services and their location usage.
      • iOS 13 will add a new Location permission: share your location with an app just once. The next time the app wants it, it has to ask. iOS 12 allowed sharing always, never or when the app was in use. In addition, iOS 13 will add periodic pop-ups when apps use your location in the background. A sort of FYI.
      • Does a weather app really need your current location? Maybe just give it a couple zip codes where you often are instead, and only give it access to your current location when traveling.
    2. The second approach, is to still let the phone know where you are now, but tell Google not keep a history of where you have been.
      • Disable Location History: This April 2019 article says to go to myactivity.google.com, select "Activity Controls" and turn off both "Web & App Activity" and "Location History" This May 2019 article by David Nield in Wired covers all the bases both for a Google account and on a mobile device. This article offers a different path to the same features: turn off "Location History" at myaccount.google.com/privacycheckup and turn off "Web & App Activity" at myaccount.google.com/activitycontrols.
      • Keep a Location History but Automatically Delete it after a while: Start at myactivity.google.com, click on Activity controls, scroll to Location history, click Manage Activity, look for an icon shaped like a nut and then click Automatically delete location history. Whew.
      • Android 8 and 9: Settings -> Security and Location -> Location -> Use Location is the master on/off switch for Location services. On Android 7, do Settings -> Location. From here, on all three versions, you can click on Google Location History to pause it. Note: this is done for a Google account, not for the device. From there, click on Show All Activity Controls to see the Web and App Activity and pause that too. From Google: Manage your Android device's location settings. The article states that, with Location disabled, you can still get local search results and ads based on your public IP address. You can test this with a VPN.
      • Yet another click-path: Android 8: Settings -> Users and Accounts. Android 9: Settings -> Accounts. Select an account, then click on Google Account. Find the Data and Personalization section, then the Activity controls section. Again, look for Location History and Web and App Activity. Lots more here too, such as Ad personalization.
    3. My advice is prevent iOS and Android from knowing your location in the first place. To do this:

      • Turn off 4G/LTE Internet
      • Turn off Wi-Fi
      • Turn off Bluetooth
      • Turn off GPS by disabling "Location" (Android) or "Location Services" (iOS)

      With these four things disabled, a phone can still make/receive calls and text messages. However, your location can be still tracked by the cell tower the phone is talking to, but, this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode and the step after that is to turn the phone off. A dedicated GPS app can be used to confirm the status of GPS. A side benefit of having this stuff disabled is better battery life.

      Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.

      Taking a step back, consider who is the enemy here? That is, who is it we don't want tracking us. Some people/articles focus on apps. But, it also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being being sued for selling location data. Another reason for my approach to defense.

    4. Background: This December 2018 article in the NY Times, documents the tracking, but not defense. Same for this article. Google has a history with location tracking. See also London Underground to begin tracking passengers through Wi-Fi hotspots (May 2019). The only defense is to disable Wi-Fi. See the Mobile Scanning topic to learn how to insure that Wi-Fi is really off and stays off. In Stores, Secret Surveillance Tracks Your Every Move (June 2019) about Location Tracking with Bluetooth.
  15. MOBILE OS SPYING   top

    It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.

    • Things are bad: It's the middle of the night. Do you know who your iPhone is talking to? by Geoffrey Fowler in the Washington Post (May 2019). He found 5,400 app trackers spying on him.
    • Things are bad: iPhone Privacy Is Broken…and Apps Are to Blame by Joanna Stern in the Wall Street Journal (May 2019). Most apps are tracking you in ways you cannot avoid. Privacy controls are a scam. Interesting tidbit: paid apps spied the same as their free siblings. Defense: Privacy Pro SmartVPN from Disconnect.
    • iOS Defense: The above two articles both suggested partial defenses: Disable "Background App Refresh" (Settings -> General) and Enable "Limit Ad Tracking" (Settings -> Privacy -> Advertising).
    • iOS Defenses: From 7 iPhone privacy settings you should enable now (Jack Morse June 2019). Review apps that have Camera (Settings -> Privacy -> Camera) and Microphone (Settings -> Privacy -> Microphone) access. Maybe turn Live Photos off. Turn off lock screen message previews (Settings -> Notifications -> Messages -> Show Previews). Reset your Advertising Identifier (Settings -> Privacy -> Advertising). Use a long (up to 9 digits) voicemail password (Settings -> Phone -> Change Voicemail Password).
    • iOS Defense: How to Check and Tighten All Your iPhone’s Privacy Settings by Tim Brookes July 2019
    • Stop Apple from spying on you (iOS 12): Settings -> Privacy -> Analytics. Turn off Share iPad Analytics and also turn off Share iCloud Analytics. While there, take a look at the Analytics Data. And also: Settings -> Privacy -> Location Services (if its Off, turn it on for a minute) -> System Services -> turn off the four checkboxes in the Product Improvement section.
    • Android Defense: Turn off Ad Personalization and periodically reset the Android advertising ID. On Android 7, 8 and 9, both options are at: Settings -> Google -> Ads.
    • Android Defense: At Settings -> Google. Google Account is the master list of everything Google. In Networking, maybe disable the Wi-Fi assistant. Check Nearby to see if any apps are sharing data. In Search, Assistant & Voice: Under General, look at Recent pages, Discover and Personal results. Under Voice, consider not allowing Bluetooth requests with the device locked (may be called Bluetooth headset). Also review Google Assistant.
    • Things are bad: Perhaps the most damning article: I spy: How Android phones keep tabs on our every move (March 2019) is about the security hole that are the pre-installed Android apps. Based on an academic study that analyzed 1,742 phones from 214 manufacturers. 91% of the pre-installed apps are not in the Google Play store. No defense offered.
    • Defense: the Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS. The Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. And, you can customize it. They call the feature R.O.B.E.R.T.
    • iOS Defense: What should be a great defense against apps and web pages that track iOS users is the Guardian Mobile Firewall from Sudo Security. I say "should" because the app is new, it was released Aug. 1, 2019. Terminology, however, is being abused. It is not a firewall. It is a VPN that does tracker blocking. The VPN part is free, tracker blocking is $100/year or $10/month. It does not block ads and it does not offer a whitelist or blacklist that you can manually update. Everything points to the people behind the app being trustworthy. Read more from Glenn Fleishman (March 2019) Lily Hay Newman (July 2019) and Sudo Security (June 2019) and me (August 2019).
    • Things are bad on Android: Thousands of Android Apps Break Google's Privacy Rules by Paul Wagenseil Feb. 2019. Researchers examined 24,000 Android apps and found that 70 percent were breaking the rules by sending out permanent IDs that ad networks can use to track you. The researchers notified Google of the policy violations and got no response.
    • My Defense: Use a phone and a tablet. Let most of the spying happen on the tablet, keeping the phone relatively clean. Each should use a different account be it an Apple or Google Apple account. The tablet account should use a throw-away email address. The phone should, as much as possible, be limited to apps needed while traveling. The tablet can have everything. For example, I will not install the MLB (baseball) app on my phone as it wants way too many permissions.
    • Future: I know of three companies working on releasing a phone running Linux. The Librem 5 from Purism will be $700 when it is released in the 3rd quarter of 2019. It will run PureOS, have a user-replaceable battery and three hardware kill switches (WiFi & Bluetooth, Cellular baseband, Cameras & mic). See specs. The PinePhone from Pine64 will be able to run multiple Linux distros. It's not yet available. Necuno Solutions is working on a phone that will be manufactured in Finland.
    • Replacing Android: Max Eddy writes about installing LineageOS on an old Android phone. May 2019.
    • Extra secure Android: As of Sept. 2019, it is still early for GrapheneOS a version of Android focused on privacy and security. It is built from a bare minimal version of Android (AOSP) without Google apps and services. Being Android, it preserves all the standard software and hardware security features. Currently it is only supported on the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL.

    Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.


      iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.

      In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.

      Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".


      Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".

      Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."

      Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."

      Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.

      Android 6: Settings -> WLAN -> advanced -> scanning settings -> Bluetooth scanning

      Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.


      Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."

      Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."

      Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.

      Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."

      Android 6: Settings -> WLAN -> advanced -> scanning settings -> WLAN scanning


      Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.

      Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".


      Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.

      Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"

    • Google Nearby, aka Nearby Device Scanning is designed to seamlessly let two Android devices talk to each other. I found this enabled by default on an Android 8.1 Samsung tablet. The description said "Scan for and connect to nearby devices easily ... Nearby devices scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device.". The path to the setting was: Settings -> Connections -> More connection settings. I have read that this also uses Wi-Fi and audio to find nearby Android devices. Creepy. More here, here and here.
    • NFC (Near Field Communication) is yet another wireless option for sharing data, but only between devices that are two inches apart.

      On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam, yet another sharing protocol. Not every Android phone supports NFC.

      On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.

    • Wi-Fi Direct allows two Wi-Fi devices to directly communicate without a router in the middle. I have checked a few Android devices and they all enable Wi-Fi direct without a way to disable it. It seems, however, that Wi-Fi direct scanning does not happen until you ask for it, so no big deal. Its popular on HP printers and some smart TVs as I always see some of each, when scanning from an Android device. HP printers create SSIDs like "DIRECT-xx-HP OfficeJet 4650"
      Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Advanced -> Wi-Fi Direct
      Android 8.1: Settings -> Connections -> Wi-Fi -> Wi-Fi Direct
      Android 8.1: Settings -> Network and Internet -> WLAN -> WLAN Preferences -> Advanced -> WLAN Direct
      Android 7.0: Settings -> Wi-Fi -> Advanced -> Wi-Fi Direct
    • AirDrop on iOS is best disabled by default and enabled when needed. It uses both Bluetooth and Wi-Fi. Bluetooth is used to find partners and Wi-Fi, because it's faster, is used to transfer large files. The Wi-Fi is a form of Wi-Fi Direct, thus the two Apple devices do not have to be on the same Wi-Fi network to exchange data. In fact, they don't have to be connected to any Wi-Fi network or to the Internet. See a How To. An important thing to be aware of is whether an iOS device can receive data from anyone or only from people in the Contacts. Configured at Settings -> General -> AirDrop. WARNING: With Wi-Fi and Bluetooth off, if you enable AirDrop, it turns on both without notification. See The feature Apple needs to change in AirDrop (April 2019) and When Grown-Ups Get Caught in Teens' AirDrop Crossfire (June 2019).
    • Bluetooth on iOS: It was previously known that Bluetooth allowed anyone nearby to learn the current status of the device, device name, Wi-Fi status, iOS version and more. In July 2019 it was revealed that Bluetooth can leak the phone number when using AirDrop or sharing Wi-Fi passwords. The leaking of phone numbers has been observed in iOS 10, 11, 12 and the beta of 13. You can disable AirDrop but have to remember not to share Wi-Fi passwords. More here and here and here.
    • Android Direct Share: Description: "Share content with specific people directly from the sharing panel in any app. The Direct Share icons will appear at the top of the sharing panel if an app supports this function." Find it on Android 8.1 with: Settings -> Advanced Features. Not sure if this uses Bluetooth, Wi-Fi or what.
    • Warnings about Bluetooth security from Lily Hay Newman in Wired: Hey, Turn Bluetooth Off When You're Not Using It (Sept 2017), Bluetooth's Complexity Has Become a Security Risk (May 2019).
    • iOS 13: has a new "Find My" feature. When an Apple device is offline and sleeping, it sends out a secure (says Apple) Bluetooth beacon that can be detected by any nearby Apple device. These nearby devices (even those that are not yours) phone home to Apple to help you find a lost device. I have read that the Bluetooth beacons are even sent in Airplane mode. Not sure yet how to defend against this (turn off Bluetooth?) or if we even need to defend against it. Too new as of June 8, 2019.
    • iPhone 11 and UWB: From What Is Ultra Wideband, and Why Is It In the iPhone 11? by Chris Hoffman Sept. 2019. iOS 13.1 on the iPhone 11 has a new Ultra Wideband radio. It is the first smartphone to offer UWB which only works over a short distance, shorter than Bluetooth. UWB allows an iPhone to precisely detect where objects are in physical space. AirDrop will suggest sharing with other iPhones that you point at. Longer term, it could be used to locate lost objects. Can you turn it off? Don't know.
    • Apple AirPlay: coming ....

    The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).

    • Do not use Windows. Windows is a cesspool of hacking, ransomware, bugs and vulnerabilities. Has been for decades. With Windows 8 Microsoft lost all credibility. With Windows 10 Microsoft spies on you and has taken control over the installation of bug fixes. And, the quality of the bug fixes to Windows 10 is disgraceful, sometimes causing more problems than they solve.
    • Everyone knows that an Apple Mac computer (macOS) is safer than Windows. This is true, but not drastically so. Both are ancient and the world has changed dramatically since they were designed. Then too, consider this story: On Feb. 22, 2019 a researcher reported a flaw in macOS to Apple. They acknowledged the flaw then stopped responding to his emails. After three months he disclosed the bug. After four months Apple still has not fixed the problem.
      --It is probably best to hold off before installing the Catalina version of macOS that was released in early Oct. 2019. See: How bad is Catalina? It's almost Apple Maps bad: MacOS 10.15 pushes Cupertino's low bar for code quality lower still by Thomas Claburn of The Register Oct 11, 2019
      --Ongoing laptop keyboard problems: Apple apologizes to people having problems with the MacBook's controversial keyboard CNBC March 2019
      --More keyboard problems: Apple lied to me about the MacBook Air and now we have a problem by By Chris Matyszczyk May 2019
      --Buying a used Mac laptop: How to avoid scams and find the best deals by David Gewirtz August 2019
      --Setting up a Mac for young children by Mark Stockley of Sophos Oct. 2018
    • Start using a Chromebook. Chromebooks are laptop computers that are drastically safer than Windows and macOS. Their operating system, ChromeOS, is the newest available system and thus the most advanced. It was designed, by Google, with security in mind. There are no viruses on a Chromebook. In addition to security, Chromebooks are extremely reliable. In what is virtually a revolution in computing, Chromebooks require no care and feeding on your part. They self-update quickly and quietly. They don't ask you or even tell you about bug fixes. The just do it. Thus, end users (you) can not screw them up. Chromebooks are not for everyone and not for every purpose. They are perfect for kids, seniors and non techies. Chromebooks are the home office of Defensive Computing. You normally use a Google account to logon to a Chromebook, but there is also a Guest mode that anyone can use without logging on.
    • Linux: Linux on a desktop/laptop computer is relatively safe. Whether it is inherently more secure than Windows or MacOS is debatable. OS expert Daniel Micay tweeted "The Linux kernel uses a fundamentally insecure architecture, insecure tools, and has a development culture treating correctness and especially security as an afterthought. It ultimately needs to replaced..." (Oct 2019). Either way, it is a lesser target which makes it more secure. Typically, however, it is not a realistic option. Few computers ship with Linux pre-installed and installing it is too difficult for non-techies. Also, where does a non techie go with their inevitable Linux questions and problems? And, the many distributions (flavors of Linux) and package managers makes it even harder to get help. That said, for help picking a distro see Why I Switched From Ubuntu to Manjaro Linux by Dave McKay (Aug 2019). As for hardware, Think Penguin, System76 and ZaReason offer both laptops and desktops with Linux pre-installed. Purism and Star Labs make just laptops. LAC Portland offers current Lenovo Thinkpads for those of us addicted to their keyboards. As for pricing, Linux laptops are often on the high side. One exception is Pine64 which will start taking orders for their $200 PineBook Pro laptop in July 2019. The Ministry of Freedom in England offers cheap, but older Lenovo laptops.
    • On both Windows and macOS, it is safer to logon to the computer as a restricted (a.k.a. limited, standard) user rather than an unrestricted (i.e. administrator, admin or root) user. In each system, restricted users are limited in the changes they can make to the system without approval from an unrestricted user. This limits the damage that malicious software, that makes its way onto your computer can do. Any computer with a single userid is just asking for trouble. On a new Windows or macOS computer, consider creating two users based on your first name: MichaelAdmin and MichaelRestricted, for example. On an existing computer, create a new admin user, logon to it and then modify the existing userid to be restricted. This does not apply on a Chromebook.
    • FYI: We can see the progression of Operating Systems in how they handle software updates. On ChromeOS all software is updated automatically. It is king of the hill in this regard. On Android and iOS, the apps can update automatically, but not the OS itself. On Windows, macOS and Linux, it's chaos.
  18. CHROME OS   top

    ChromeOS is the operating system on Chromebook laptops and Chromeboxes (tiny desktop computers). These are some configuration suggestions.

    • Bluetooth is enabled by default. If you don't need it, turn it off.
    • When a Chromebook wakes up from sleeping, it can either be ready to use immediately, or, require either a PIN or the Google account password to unlock it. There is no one right choice, just be aware that you can opt for security or convenience. The option is in Settings, look for Screen Lock. It is called "Show lock screen when waking from sleep".
    • When you first setup a new Gmail account on a Chromebook, there is an option to send telemetry to Google. Look for this and uncheck it. I don't know if this can be changed after the fact.
    • Chromebooks are Wi-Fi creatures, but you can also plug an Ethernet adapter into a USB port and make them more secure by using Ethernet for the Internet connection. It automatically uses Ethernet when available, still, you are safer if you disable the Wi-Fi.
    • Buying a Chromebook? Check how long it will get bug fixes from Google here. In June 2019, the Chromebook with the longest expiration date expired in June 2025. Have a Chromebook? See How To: Check How Long Until Your Chromebook Stops Getting Updates.
  19. IOS AND ANDROID   top

    • It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find unremovable backdoors (ZDNet June 2019) built into the firmware of iPhones.
    • iOS users should hold off installing new versions of iOS for a few weeks. Thereafter, do not wait to install the bug fixes that follow.
      Update Oct. 1, 2019: Sure enough, iOS 13 was updated three times in its first 11 days. It was not not to predict.
    • The safest Android phones are the Pixel line from Google. That said, phones running the "Android One" version of the operating system should also be safe, and cheaper. Android One is said to get OS updates for 2 years and bug fixes for 3 years. I have not seen confirmation of this. Also, like the Pixel line, updates come from Google.
    • Neither operating system is honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Both systems lie and tell you the software is up to date. This October 2019 tweet by Will Dormann has four such examples.
    • A big reason for Android's security problems are the lack of bug fixes. Most Android devices are shamefully vulnerable both because fixes are late in being issued (if they are ever issued) and then late in being installed. Here's an idea: before buying an Android phone try to find out when bug fixes for it will be released. Lotsa luck. The correct answer is once a month. Better still, try to find out when the last bug fixes for the phone will be issued, that is, when the software will be abandoned. You will not get an answer to either question.
    • Android Defense: Do not install apps that come to you via Telegram or WhatsApp messages. Only install apps from the Play store (miserable name for the app store).
    • iOS Defense: Dealing with a stolen iPhone Sept. 2019 by Marc Rogers
    • You can tell when a web browser is using a secure encrypted connection. Not so with mobile apps. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But, it's a scam and there is no defense.
    • iOS 13: As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.
    • Android Q: (version 10) As of June 6, 2019 it is early on this. When an app asks for access to location data, there is a new option to only allow this while the app is in use. Also, there is a new Privacy section in system Settings.
  20. ENCRYPTION   top

    • For messaging apps, End-to-End encryption is the top of the line. It means that data/files are encrypted before leaving your device and stay encrypted until they arrive at the destination device. End to end encryption is offered by Signal and WhatsApp and others. On mobile devices, you can not see the end to end encryption, so you have to take it on faith that data is really encrypted. In contrast, with secure websites, the browser indicates when encryption is used. Still, end to end encryption does not protect messages stored on the device that sent them or the device that received them. If either device is seized, game over. A Chromebook in Guest mode does not have this problem as everything is erased. EVERYTHING. On mobile devices messages can still leak if: the sender's device was hacked, the recipient's device was hacked or the recipient is simply not trustworthy and leaks messages either on purpose or by accident. Even with messages that self-destruct, the recipient can take a picture of their screen showing a message. Also, on Android, someone could be tricked into installing a hacked app from outside the Play store. Even within the Play store,there may be multiple apps with the exact same name. A scam copy of an app can look exactly like the real thing, do what the real app does, but, also leak messages.
    • There are at least a dozen or more software programs that claim to offer secure communication. Amongst techies, Signal is well regarded. It's security is very good, but not perfect. It is worshiped like a religion despite using phone numbers, which obviously identify you, as userids. Nerds seemed focused on encryption while ignoring anonymity. The exact same thing happened with PGP, which encrypted the body of email messages while leaving the sender and recipient visible. My suggestion for secure communication is to use plain old simple boring webmail, but, only between two users of the same secure email provider. Two good choices would be ProtonMail and Tutanota. Neither company can read messages sent between their customers. Both offer free limited accounts. Using webmail means that the browser can prove that encryption is being used, something no mobile app can do. Webmail can also be used on a Chromebook running in Guest mode, which is much more secure than any iOS or Android device could ever hope to be. Guest mode offers a virgin OS, with no information about you at all, and it is guaranteed to leave no trace of your actions. I am out of step here with every techie in the world, yet, they are wrong and I am right.
    • Most off-site file services can read your files. They may say that your files are encrypted in transit, but that matters not at all. They may say that your files are stored encrypted, but that too does not matter. What does matter is who can decrypt the stored files. Use Windows? Use the OneDrive feature? Then Microsoft can read the files you store there. Likewise, Apple can read anything stored in iCloud. And Google can read files stored on Google Drive (used by Android and ChromeOS), Dropbox can read your files too, and Amazon can read files stored on their Drive offering. And, if they can read your files, think what the US Government can compel them to do. To evaluate any file storage/backup service ask what happens if you lose/forget the password/key? If the answer is that they can't help you, and you have lost access to your data, then the vendor can not read your files. Me? I encrypt my files before sending them off-site.
  21. FACEBOOK   top

    No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do, so all I can offer are these links.

    And, as a reminder, Facebook bad.

  22. AMAZON   top

    Fake reviews, fake products, fake sales and toxic products. Even Amazon's Choice is misleading.

    • Fake books: What Happens After Amazon’s Domination Is Complete? Its Bookstore Offers Clues by David Streitfeld in the New York Times (June 2019). One book publisher bought 34 copies of their book on Amazon, as a test, and 30 were counterfeit. Amazon's business model is to have the same laid-back approach to bad guys as Facebook and YouTube. Follow-up by Streitfeld (Aug. 2019) about counterfeit George Orwell books: Paging Big Brother: In Amazon’s Bookstore, Orwell Gets a Rewrite. Eleven fake books were sold by Amazon as new. The author tried to find a way to report the counterfeit books, but failed.
    • Toxic products: Huge expose from the Wall Street Journal Amazon Has Ceded Control of Its Site. The Result: Thousands of Banned, Unsafe or Mislabeled Products. Subhead: Amazon is unable or unwilling to effectively police third-party sellers on its site (August 2019). The Journal found 4,152 items for sale that have been declared unsafe by U.S. government agencies, are deceptively labeled or are banned by federal regulators. Big-box retailers would not sell this stuff. Along with the expose, the Journal published a Defensive Shopping article: Amazon Shoppers: This Is How to Safety-Proof Your Order. A month earlier, Vice had this story: Amazon Won't Stop Selling Toxic Products In the U.S. Amazon knows that some creams and cosmetics are dangerous, yet they allows them to be sold nonetheless, and without warnings.
    • Defense: Before buying from an unknown seller, be aware that you probably have no recourse for defective products. More here (Kate Cox July 2019) and here (Louise Matsakis July 2019). Sometimes, as seen here, it costs only 4 cents more to buy from Amazon.
    • Fake "choice": 'Amazon’s Choice' Does Not Necessarily Mean A Product Is Good by Nicole Nguyen of Buzzfeed (June 2019). 'Amazon’s Choice' is a label awarded by an algorithm based on customer reviews, price, and, of course, whether the product is in stock. After all, selling is what Amazon does. The article documents many bad products marked as an 'Amazon Choice'. Amazon declined to answer questions about exactly how items are selected. The article also discusses fake products on Amazon.
    • Fake Reviews: Manipulating Amazon reviews: Inside Amazon’s Fake Review Economy by Nicole Nguyen of BuzzFeed (May 2018). There is a vast web of review fraud. Merchants pay young men (mostly) for positive reviews. Sellers trying to play by the rules are struggling to stay afloat amid a sea of fraudulent reviews and Amazon is all but powerless to stop it.
    • Fake Reviews: Even the FTC is involved. FTC Brings First Case Challenging Fake Paid Reviews on an Independent Retail Website (Feb 2019)
    • Fake Reviews: One type of fraud is re-using reviews. Sellers take an existing product page, then update the photo and description to show an entirely different product. The goal is to retain the existing reviews so the product looks more legitimate. Few people buy a product with few reviews. Here's Another Kind Of Review Fraud Happening On Amazon by Nicole Nguyen of BuzzFeed (May 2018). Hijacked Reviews on Amazon Can Trick Shoppers (Consumer Reports Aug 2019) Suggested defense: read the god and bad reviews and some old reviews. Just relying on the star rating and the number of reviews leaves you vulnerable to this scam.
    • Fake Reviews: Another reason not to trust Amazon reviews, from one of the above articles, was the story of a one-star review that was removed by Amazon after the buyer got a refund. The buyer could not get Amazon to restore the bad review.
    • Fake Helpful Reviews: Also from the above article - some sellers hire people to hit the 'Helpful' button on a particular review so that it appears first.
    • Defensive advice from Nicole Nguyen: Do a search to see if the company selling the product has a legitimate website. Also check if the item has been reviewed by a publication or site dedicated to consumer products. And, Here's One Way To Tell If An Amazon Product Is Counterfeit by Nicole Nguyen of BuzzFeed (March 2018).
    • Defense: Spotting fake reviews is a skill we all need to learn. Which? magazine has a short video (April 2019). The website fakespot.com analyzes reviews at Amazon, Best Buy, Sephora, Steam, Walmart, TripAdvisor and Yelp. ReviewMeta analyzes Amazon product reviews and filters out reviews that look unnatural. It also recommends similar products with trusted reviews. More suggestions: How to Spot Fake User Reviews: Amazon, Best Buy and More by Louis Ramirez (Feb. 2018) and Is It Really Five Stars? How to Spot Fake Amazon Reviews by Joanna Stern (WSJ Dec. 2018).
    • A warning about fake sales on Prime Day from Ars Technica. Quoting: "... most of this year's Prime Day deals aren't really deals at all. Amazon will promote thousands of 'discounts' over the next two days, but with that much volume, the majority of those offers will naturally have less-than-special prices or apply to less-than-desirable products. Many 'deal prices' are relative to MSRPs that products have not sold at for months..." (July 2019)
    • Defense: In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.
    • Amazon Alexa is in the Voice Assistant section
  23. GOOGLE   top

    Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.

    • This May 2019 article in Wired: All the Ways Google Tracks You - And How to Stop It, touches most of the bases, configuring: a Google account, Android, iOS and searching. A must read. Similar: Are you ready? Here is all the data Facebook and Google have on you by Dylan Curran for The Register (March 2018)
    • Google Account: Most tracking is configured at myaccount.google.com/activitycontrols
    • Google Account: Do a Google Privacy Checkup
    • Google Account: See what Google knows about your travels using their Maps Timeline. Sometime in Oct or Nov 2019, Google will introduce a new Incognito mode in the Google Maps app. To turn it on: tap on the account icon in the upper-right corner, then click Turn on Incognito mode.
    • Automatic Deleting: start at myaccount.google.com/activitycontrols. Note that if something is in a Paused status, it is still keeping a history. To set it to auto-delete, you will have to enable it first. Several Google products, including YouTube, can be set to auto-delete here. As of Oct. 2019 the only choices are auto-delete after 3 or 18 months. To auto-delete search history, use Web & App Activity. Then again, see Google's auto-delete tools are practically worthless for privacy by Jared Newman October 2019
    • GMAIL: Google uses Gmail to track a history of things you buy (Todd Haselton, Megan Graham CNBC May 2019). The story said you needed to delete the Gmail message to remove a purchase. However, later research found that there is no way to delete your purchase history. And Google also tracks your Reservations, Subscriptions and Payment Methods. See it all here. From Google: See your purchases, reservations and subscriptions. The day before flying recently, Uber offered me a discount for getting to the airport. Gmail told Uber about my trip, I found it in the reservations and confirmations page.
    • GMAIL avoidance: Privacy-Conscious Email Providers from PrivacyTools.io, These 4 Gmail alternatives put your privacy first (Fastcompany Aug 2019), and a comparison of many email providers from thatoneprivacysite.net. In addition to privacy, it may be worth paying for email to get technical support.
    • Searching: Minimize Google tracking by not being signed in to Google when making queries. You can tell if you are signed in by checking the upper right corner of the screen (see screen shots). A single letter in a circle means you are signed in, a blue "Sign in" button means you are not. Or, use a search engine that do not record your search history such as DuckDuckGo and Startpage
    • Google Maps: is full of fake business listings. Big June 2019 story in the Wall Street Journal. More here and here. Hundreds of thousands of fake listings are created each month. Total scam businesses estimated at 11 million. In 2018, Google removed more than 3 million fake businesses. Google's PR response included this: "it's important that we make it easy for legitimate businesses to get their business profiles on Google". Translation: nothing will change. Here is how to report one fake and how to report multiple fakes.
    • Browsing: Here is another reason not to be logged on to Google all the time - the latest version of their reCaptcha might be logging every web page you visit.
    • The Voice Assistants section has a sub-section with Google Assistant defenses
    • The Location Tracking topic has a lot of defenses for Android and Google users
    • If you have Nest Cam or Nest thermostat be aware that according to this April 2019 article in the Washington post, Nest security is sub-optimal. The article suggests using a unique password (always a good idea) and two factor authentication with the device. Taking a step back ... Google? Really? In a camera in your home? Really?
    • Speaking of Nest: the Nest camera, Nest Hello doorbell and Dropcam cameras no longer (as of Aug 2019) let owners disable the status light that indicates the camera is on. Google did this for privacy reasons but some people don't like advertising the camera's existence to intruders in a dark room. Just cover the light with tape. And, be sure to apply bug fixes to the Nest Cam IQ (Aug 2019).
    • Google Calendar: A new type of SPAM. Bad guys can email invites to scam events and Google will add them to your calendar without your confirmation. To stop this, go to calendar.google.com, login, click the gear icon, go to Settings, then Event settings, then "Automatically add invitations" and select "No, only show invitations to which I have responded". Maybe also disable automatically adding events from Gmail to your calendar.
    • The complete list of alternatives to all Google products by Sven Taylor of Restore Privacy June 2019
    • Tip: If bad guys have taken control of your Google account, start here: Tips to complete account recovery steps
    • You can ask Google to remove sensitive personal information from its search results.
  24. SPAM TEXTS   top
    • Several mobile service providers allow you to block the sender by forwarding unwanted texts to 7726 (or "SPAM")
    • The FTC on Text Message Spam. Complain to them about it at ftccomplaintassistant.gov under "Robocalls, Unwanted Telemarketing, Text, or SPAM".
    • From the FCC: Stop Unwanted Robocalls and Texts. The FCC is running their own scam. They say to file a complaint with them at their Consumer Complaint Center but there is no option there to gripe about SPAM texts.
    • Both iOS and Android let you block the spammer from ever texting you again.
  25. SCAM VOICES   top

    Artificial Intelligence allows bad guys to learn someone's voice and vocal patterns and then manipulate it to scam people. Not sure if there is an official term for this yet, perhaps voice fraud, voice phishing, vishing, deep voice, voice cloning, voice swapping or deepfake audio.

  26. TWITTER   top
    • Twitter account security and privacy 101 by John Opdenakker June 2019. Give Twitter your phone number, setup 2FA using text messaging, expand 2FA to use an authentication app or a security key, then get rid of text messages. Also Privacy settings. Fallback if 2FA fails is a one-time use password.
    • TweetDelete is a service that can mass delete Twitter posts based on their age or specific text they contain.
    • Twitter URLs Can Be Manipulated to Spread Fake News and Scams by Ionut Ilascu June 2019. Not sure what the defense here is, other than just being aware of this.
  27. NAS   top

    NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.

    • Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or, make the password for it very long and very random.
    • Don't allow direct access to the NAS from the Internet. On Synology, that means avoiding QuickConnect. Also, disable UPnP in the router to prevent the NAS from opening ports for itself. My Test your Router page links to many websites that offer tests of the firewall in a router.
    • If open ports are necessary, do not use the default ports.
    • Synology offers a Security Advisor app that runs on the NAS. QNAP offers both a Malware Remover and a Security Counselor app in their App Center.
    • Both companies offer protection from brute force password guessing. For Synology it is Auto Block in the Control Panel. For QNAP it is Network Access Protection.
    • If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
    • As always, disable features not being used; perhaps SSH and Telnet access.
    • More from Synology about security is here and from QNAP here.
  28. TV WATCHES YOU   top
    • Roku box: Leave it powered off when not in use. I have done some investigating of its network traffic and do not like what I have seen. Plus, you will save on electricity. And check these settings:
      System -> Advanced System Settings -> Control by Mobile Apps -> disable Network Access
      Privacy -> Advertising -> turn the Limiting of ad tracking on and reset the Advertising ID
      System -> Screen Mirroring -> set Screen Mirroring Mode to either Prompt or Never Allow
    • Roku TV: From How to Disable Interactive Pop-Up Ads on Your Roku TV by Chris Hoffman October 2019. As of Roku OS 9.2, the TVs display pop-up advertisements over commercials on live TV. If an advertiser has partnered with Roku, that advertiser can display an interactive pop-up ad over the normal commercial. This only applies to Roku TVs, not the external sticks or boxes. To disable it: Settings -> Privacy -> Smart TV Experience -> disable "Use info from TV inputs".
    • How to Turn Off Smart TV Snooping Features by Consumer Reports. Last updated: September 2019. Smart TVs collect data about what you watch with a technology called ACR. Only covers TVs, nothing on Roku, Apple TV or Chromecast.
    • You watch TV. Your TV watches back by Geoffrey Fowler for the Washington Post September 2019. Things are bad. No defense offered. Discusses ACR (automatic content recognition) on Smart TVs. Quote: "some TVs record and send out everything that crosses the pixels on your screen. It doesn’t matter whether the source is cable, an app, your DVD player or streaming box." They watched the data a TV transmits using IoT Inspector software from Princeton University.
    • Defense: The article above notes that a profile is formed based on the public IP address of your home. One defense is to connect the TV to a router running VPN client software. This hides your public IP address.
    • Defense: a router that supports outbound firewall rules, such as the Pepwave Surf SOHO, can block the TV from phoning home. First, watch where it sends data, then block these transmissions one a time (in case some of them are necessary). Using a Raspberry Pi running Pi-Hole for DNS should also be able to block a TV from phoning home. Or, a free account at OpenDNS lets you audit the DNS on your home network and block some domains.
    • There are many articles about blocking Roku monitoring by blocking access to assorted domains and sub-domains. For a long time now I have blocked all access from my LAN to scribe.logs.roku.com and cooper.logs.roku.com. My Roku box works just fine without these. I chose them because they were the most popular logs my Roku box was accessing.
    • Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (PDF) by Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal and Arvind Narayanan. A very detailed look at the spying and advertising on an Amazon Fire TV and Roku. Early 2019.
    • Goes without saying: don't connect a TV to the Internet (other than maybe to update the firmware).
  29. ONE OFFS   top

    The items below are defensive measures that apply to just one website or just one system.

  30. EXTRA CREDIT   top

    • Use multiple email addresses. Far too many systems use an email address as their unique identifier, so when one system gets hacked, bad guys are halfway to hacking into your other accounts. Having multiple email addresses avoids putting too many eggs in one basket. At the least, use one email address for business and one for personal messages. The next step would be to create a sacrificial email address for things you don't really care about.
    • Bluetooth is bad and you should stop using it (Mashable Aug 2019). There have been many bugs and data leaks involving Bluetooth, so its best to turn on it when needed, then turn it off when done. But, as I describe here in the Mobile Scanning and Sharing section, both iOS and Android may not turn off Bluetooth when you think its off.
    • The more you know about DNS the better. My Router Security website has both a short and long explanation along with a list of websites that show your currently used DNS servers. Get in the habit of checking the active DNS servers, especially when traveling.
    • Before you use a new USB flash drive, plug it into a Chromebook running in Guest mode and format it from there. In the same vein, If you don't know where a flash drive came from, the only computer you should plug it into is a Chromebook running in Guest mode. Malicious USB flash drives are a common tactic for infecting the computers of people who have not read this website.
    • Speaking of USB, the cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be hacked. Companies, such as Adafruit, sell cables that only do power. They may be called Power-Only, Charge-Only, Data Block or a USB condom. Without a power-only cable you can still be protected by using your cable and plugging into an electric outlet rather than a USB port. Also, don't use someone else's cable or charger. Finally, charge from your portable battery. More here
    • There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.
    • Speaking of laptop computers, they have microphones that are typically impossible to mute. This article: Why your laptop's always-listening microphone should be as easy to block as your webcam (June 2019) mentions some models that can disable the microphone. My T series Thinkpad can. The $200 PineBook Pro Linux laptop can also mute the mic. On macOS, you can install OverSight to be warned both when the mic is activated and when something accesses the webcam.
    • Defensive search engine: This article describes a search engine trick pulled off by special interest groups. They scam people by abusing the data void for newly invented keywords. See The far right is dominating the information wars through keyword signaling by Corey Doctorow October 2019
    • Whenever you are offered the choice to Login With Google or Login With Facebook, don't do it. iOS 13 will introduce a new competing system: Login with Apple. As of July 2019, it is too soon to form an opinion on it, but it will let Apple read your email, something they could not do without it.
    • If you are working on sensitive documents, then consider not using Word. Me: Is Word 2016 spying on users? (May 2019) and The Verge: German schools ban Microsoft Office 365 amid privacy concerns (July 2019) and Ars Technica: Office 365 declared illegal in German schools due to privacy risks (July 2019).
    • At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.
    • Why You Need to Make a 'When I Die' File - Before It's Too Late (August 2019). The article is about much more than computers, but serves as a reminder to plan, somehow, for the right people to obtain all your passwords when you are no longer around.
    • Can you tell if a website is legit?
  31. READING LIST   top


    Lots of other people and places offer Defensive Computing advice, though they don't call it that.

Whew! Seems like a lot, it is a lot.

All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.

This site does not use cookies. None of the links here are affiliate links, I do not profit from this site in any way. Thus, there are no ads here either. If you see any ads, something (computer, browser or router) has been hacked.

Last Updated
October 20, 2019
Page Views

Page Views

Page View

24.8 minutes ago
Change Log Website by  
Michael Horowitz