This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete as that list would never end. I tried to limit this to the most important issues, still it's long (25,000 words).
Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules, and lots of scams targeted at people who don't know them.
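As an added illustration (not part of the original page), here is a small Python routine that applies the rule the paragraph describes: only the rightmost registered part of a host name identifies the site, and everything to the left of it is chosen by whoever registered it. The three-entry public-suffix table inside it is a constructed stand-in for the real publicsuffix.org list, and the URLs in the usage section are constructed examples, not sites from the page.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (publicsuffix.org), which
# has thousands of entries. Three are enough to show the multi-label case.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname(url):
    """Extract the lower-cased host from a URL, tolerating a missing scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url):
    """The part of the host that someone had to register with a registry.
    accounts.google.com -> google.com, news.bbc.co.uk -> bbc.co.uk.
    Everything left of it is picked freely by the registrant, which is what
    look-alike scam host names exploit."""
    labels = hostname(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_site(url, expected_domain):
    """Classify a URL against the registrable domain you meant to visit:
    'genuine'   - the registered part matches exactly
    'lookalike' - the brand word appears, but only in labels the registrant controls
    'unrelated' - nothing in common"""
    expected = expected_domain.lower()
    if registrable_domain(url) == expected:
        return "genuine"
    brand = expected.split(".")[0]
    # Treat hyphens as label separators so "irs.gov-refund.example" is caught too.
    parts = hostname(url).replace("-", ".").split(".")
    return "lookalike" if brand in parts else "unrelated"


if __name__ == "__main__":
    # Constructed URLs for demonstration; the .example names are not real sites.
    samples = [
        ("https://www.google.com/search?q=x", "google.com"),
        ("https://google.com.login-verify.example/account", "google.com"),
        ("http://irs.gov-refund.example/", "irs.gov"),
        ("https://www.bbc.co.uk/news", "bbc.co.uk"),
        ("https://example.org/", "irs.gov"),
    ]
    for url, expected in samples:
        print(f"{url:48} registered as {registrable_domain(url):24} -> {check_site(url, expected)}")
```

The brand check is deliberately crude: it raises a flag whenever the brand word shows up anywhere except the registered part, which is the cheap, high-recall test a person can also do by eye. The authoritative list of which suffixes count as "registry level" is the public suffix list; a real tool should load that instead of the three-entry table.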
Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.
To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing "two factors" refers to needing a password and something else to gain access to a system. Thus, a stolen password becomes useless as it's only half the story. The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable by using 2FA. First they had their cellphone number stolen, but that was done to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes. And, everything breaks, so you need to be up to speed on the fallback system for when 2FA breaks. There are different types of 2FA and no one right answer for everyone.
You never know who calls you on the phone. Caller ID can be spoofed just like the FROM address in email, so the same advice holds: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.
Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do in preparation.
A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Other terms for this are SIM Hijacking and a port-out scam.
Public Wi-Fi is always dangerous, whether a password is required or not.
A VPN prevents spying on your online activity by anyone you can see (anyone on the same local network). For this reason, it should always be used on public Wi-Fi networks. A VPN also prevents spying by the ISP connecting you to the Internet. In the US, ISPs are allowed to spy on their customers and sell that data. A "secure" website prevents others on your LAN and your ISP from reading the content of web pages. However, they can still tell which websites you visited. In some cases, just the website name gives away too much information. VPNs hide everything.
In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location. It also should change the DNS servers used to translate computer names to IP addresses. For an introduction to DNS see my RouterSecurity.org site.
All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since all three companies send some recordings to contractors, to help improve the system, strangers may hear your embarrassing conversations. Tony Soprano would not have allowed Siri in his home. Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of Alexa recordings. Initially, Apple lost at this privacy game: there was no way to opt out. In early Aug 2019 they took their first step and did more in iOS 13.2.
Bloomberg reported in April 2019 that Amazon Workers Are Listening to What You Tell Alexa. There are options in the app to disable this (Settings -> Alexa Account -> Alexa Privacy -> Manage How Your Data Improves Alexa) but they may not be honored.
Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.
Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler May 2019. Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app. Hear your archive at www.amazon.com/alexaprivacy.
Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you can not look at this data or stop Amazon from continuing to collect it.
Researchers examined 90,000 Alexa Skills. Only a fraction have a privacy policy. When you ask Alexa a question, you have no idea where the answer comes from. Want to research a skill? It is easy for an attacker to impersonate any well-known manufacturer or service provider. Yes, Amazon certifies skills before they get published, but, the skill can change how it behaves at any time. From Why would you ever trust Amazon's Alexa after this? by Chris Matyszczyk for ZDNet (Feb 2021).
Amazon has policies for skills published in the Alexa Skills Store. But, they are not enforced. In an academic study that lasted a full year, researchers created 234 skills that all violated a policy. They all got approved. From Academics smuggle 234 policy-violating skills on the Alexa Skills Store by Catalin Cimpanu for ZDNet (July 2020). They also identified 52 problematic skills already available on the Alexa store, all targeted at children.
Alexa initial configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured; there is no need for this, skip it.
Alexa Defenses in the Settings of the Alexa app:
Apple contractors 'regularly hear confidential details' on Siri recordings by Alex Hern in The Guardian (July 2019). Accidental activations pick up extremely sensitive personal information, fairly often. The story came from a whistleblower; not a good look for Apple.
If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".
On the June 26, 2020 episode of The Privacy, Security, & OSINT Show the show host, Michael Bazzell, suggested disabling Siri completely.
Apple Suspends Listening to Siri Queries Amid Privacy Outcry by Mark Gurman of Bloomberg (Aug 2019).
Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings. To disable Siri: Settings -> Siri & Search -> turn off both the Listen and Press Button options. To disable dictation: Settings -> General -> Keyboard -> turn off Enable Dictation. This process will change.
Defense added in iOS 13.2: When upgrading to 13.2, which was released at the end of Oct. 2019, users see a pop-up message offering the ability to opt-out of having their voice commands stored and saved. It is called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements" where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History" and an option to stop sharing voice recording with Apple. Also in Settings -> Siri, you can tell Apple to delete all the Siri voice recordings that it has stored.
Again from the Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018, they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-To Geek article adds instructions for deleting the previously saved recordings.
The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)
Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.
To delete Google Assistant voice recordings, start at myaccount.google.com/intro/activitycontrols. Scroll to "Voice & Audio Activity" where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "Delete what I said on [date]" or "Delete my last conversation". This only works for the last 7 days.
You can use the Voice Match function to ensure your personal results are only available to you. See how.
In Aug. 2019, Joseph Cox of Motherboard revealed that "Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.
There are four approaches here, and I am the very rare person suggesting the fourth one.
With these four things disabled, a phone can still make/receive calls and text messages. A dedicated GPS app can be used to confirm the status of GPS. Note that your location can still be tracked by the cell tower the phone is talking to, but, this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode, and the step after that, is to turn the phone off.
For ages, I was the only person suggesting this. Then, some allies showed up:
Bonus benefit 1: better battery life.
Bonus benefit 2: Billboards will not track you. See Digital Billboards Are Tracking You. And They Really, Really Want You to See Their Ads by Thomas Germain of Consumer Reports. Nov. 2019
Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.
Taking a step back, consider who the enemy is here. That is, who is it we don't want tracking us? Some people/articles focus on apps. But it is also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being sued for selling location data. Another reason for my approach to defense.
It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.
Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.
iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.
In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn't Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (it's 5 AM local time). And, "nearby"? There is no such thing as near and far Wi-Fi.
Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.
Android 6: Settings -> WLAN -> advanced -> scanning settings -> Bluetooth scanning
Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.
Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 6: Settings -> WLAN -> advanced -> scanning settings -> WLAN scanning
Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn on Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".
Google wants you on-line even if it means using an insecure Open Wi-Fi network. To that end, Android might automatically connect to an open network, or, notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon there are two relevant options: Network Notification and Use open Wi-Fi automatically. Disable each.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"
On Android, search the Settings for "NFC". On Android 9, it's at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC. Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The bug was fixed in October 2019 but few Android devices will get the fix. If NFC is needed, you can leave it enabled, just be sure to disable NFC file beaming as explained in the article.
On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.
There have been many bugs and data leaks involving Bluetooth, so it's best to turn it on when needed, then turn it off when done. Be aware though, as I describe here in the Mobile Scanning and Sharing section, that both iOS and Android may not turn off Bluetooth when you think it's off. Another reason to have it off: If you leave a laptop, tablet or phone in a car, bad guys can scan for cars with Bluetooth devices in them as per: Thieves Are Using Bluetooth to Target Vehicle Break-Ins by Wes Siler (Dec 2019).
Below are some articles about the many bugs in Bluetooth.
The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).
I am not a Mac user, so all I have to offer are links.
ChromeOS is the operating system on Chromebook laptops and Chromeboxes (tiny desktop computers).
It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android. No expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.
No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do. This section may be a bit haphazard because not being a Facebook user, I can't verify things.
And, as a reminder, Facebook bad.
Not a big user of Instagram personally, so the recommendations below are all from others.
Fake reviews, fake products, fake sales and toxic products. Even Amazon's Choice is purposely misleading.
Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.
Texting suffers from the same spam, scam and phishing as email. And, just like email, you can not trust the displayed identity of the sender.
Artificial Intelligence allows bad guys to learn someone's voice and vocal patterns and then manipulate it to scam people. Not sure if there is an official term for this yet, perhaps voice fraud, voice phishing, vishing, deep voice, voice cloning, voice swapping or deepfake audio.
NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.
Note: This is separate and distinct from smart TVs spying on you which requires no hacking.
When there is too much electricity a surge protector is designed to absorb the overload and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference.
When all the power goes out, do this.
Anyone concerned with being tracked on-line needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on your computer into a unique identifier. Fingerprinting stems from looking at many, seemingly trivial, aspects of your computer and browser and combining that information into a profile/identifier. Most of the time, these profiles turn out to be unique, which lets websites track your behavior without cookies. Some attributes that are examined are: the computer operating system, what time zone you are in, what language your computer is using, how much RAM memory the computer has, the screen height and width in pixels, what web browser you are using, what version of the browser, what fonts are installed, what plug-ins are installed, what audio and video formats are supported by the browser, and much more.
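To make the "seemingly trivial attributes combine into a unique identifier" point concrete, here is an added Python example (mine, not from the page). It takes a constructed table of eight visitor profiles using the attributes the paragraph lists, hashes each profile into one identifier, and measures in bits how much each attribute alone reveals versus how much the combination reveals. The visitor data is made up for the demonstration.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed visitor profiles. Every single column repeats values, yet the
# combined rows are almost all unique, which is the whole point of fingerprinting.
# Visitors 0 and 6 are deliberately identical to show that collisions happen.
VISITORS = [
    {"os": "Windows", "timezone": "America/New_York", "language": "en-US", "ram_gb": 8,
     "screen": "1920x1080", "browser": "Chrome", "version": "88", "fonts": "Arial,Calibri,Segoe UI"},
    {"os": "Windows", "timezone": "America/New_York", "language": "en-US", "ram_gb": 16,
     "screen": "1920x1080", "browser": "Chrome", "version": "88", "fonts": "Arial,Calibri,Segoe UI"},
    {"os": "macOS", "timezone": "America/New_York", "language": "en-US", "ram_gb": 8,
     "screen": "2560x1600", "browser": "Safari", "version": "14", "fonts": "Helvetica,SF Pro"},
    {"os": "Windows", "timezone": "Europe/Berlin", "language": "de-DE", "ram_gb": 8,
     "screen": "1920x1080", "browser": "Firefox", "version": "85", "fonts": "Arial,Calibri,Segoe UI"},
    {"os": "Linux", "timezone": "Europe/Berlin", "language": "en-US", "ram_gb": 16,
     "screen": "1920x1080", "browser": "Firefox", "version": "85", "fonts": "DejaVu Sans,Liberation"},
    {"os": "macOS", "timezone": "Asia/Tokyo", "language": "ja-JP", "ram_gb": 16,
     "screen": "2560x1600", "browser": "Safari", "version": "14", "fonts": "Helvetica,SF Pro"},
    {"os": "Windows", "timezone": "America/New_York", "language": "en-US", "ram_gb": 8,
     "screen": "1920x1080", "browser": "Chrome", "version": "88", "fonts": "Arial,Calibri,Segoe UI"},
    {"os": "Windows", "timezone": "Europe/Berlin", "language": "de-DE", "ram_gb": 8,
     "screen": "1366x768", "browser": "Firefox", "version": "85", "fonts": "Arial,Calibri,Segoe UI"},
]


def fingerprint(profile):
    """Serialize the attributes in a fixed order and hash them into one identifier.
    The same machine yields the same hash on every visit, with no cookie involved."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def entropy_bits(values):
    """Shannon entropy of a column: how many bits of identification it carries."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def attribute_entropy(visitors):
    """Bits revealed by each attribute on its own."""
    return {attr: entropy_bits([v[attr] for v in visitors]) for attr in visitors[0]}


def combined_entropy(visitors):
    """Bits revealed by the full fingerprint, i.e. all attributes together."""
    return entropy_bits([fingerprint(v) for v in visitors])


def distinct_fingerprints(visitors):
    return len({fingerprint(v) for v in visitors})


if __name__ == "__main__":
    for attr, bits in attribute_entropy(VISITORS).items():
        print(f"{attr:10} {bits:.2f} bits")
    print(f"combined   {combined_entropy(VISITORS):.2f} bits")
    print(f"{distinct_fingerprints(VISITORS)} distinct fingerprints among {len(VISITORS)} visitors")
```

No single column here gets past about 1.6 bits, while the combination reaches 2.75 bits, enough to separate seven of the eight constructed visitors. Real fingerprinting sites measure dozens of attributes over millions of visitors, which is how the profiles end up unique "most of the time" as the paragraph says. The defensive consequence is that blocking cookies alone does nothing against it; the countermeasures are browsers that deliberately report uniform or randomized values for these attributes.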
This is not a subject I am at all familiar with. Thus, nothing but links and not many at that. Feel free to help me add to this topic.
I don't use WhatsApp, so all I can offer are these links.
From one of the articles below: Scammers all over the world have figured how best to game the Airbnb platform: by engaging in bait and switches; charging guests for fake damages; persuading people to pay outside the Airbnb app; and, when all else fails, engaging in clumsy or threatening demands for five-star reviews to hide the evidence of what they have done.
Many developed countries allow most citizens to file their taxes for free. In the US, this was the stated intent, but the scheme was corrupted. According to Pro Publica, TurboTax tricked customers into paying for tax preparation they could have gotten for free. TurboTax even has a service with the word "free" in it - that is/was not free. US taxpayers owe a debt to Pro Publica for their reporting on this.
Hide your phone number by having more than one and giving out an alternate phone number when appropriate. I once checked my coat at a museum and rather than give me a ticket, they wanted my phone number. Ugh.
Just like web pages migrated from insecure HTTP to encrypted HTTPS, so too, DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.
Zoom is changing too quickly for me to keep up with it all, so in August 2020, I removed this topic. The topic was last updated May 5, 2020. To see the topic as it existed then:
All the ways Slack (and your boss) tracks you and how to stop it by Matt Burgess for Wired (October 2020). By default, Slack never deletes your messages or files. The biggest risk for many people is bad passwords and the lack of two-factor authentication. Private channels and DMs could be revealed during a legal case or other type of investigation. When adding a new person to a Slack channel they are able to see past messages and files, including any gossip about them.
7 Slack privacy settings you should enable now by Jack Morse in Mashable (July 2019). In the paid version of Slack, the article explains how to tell if your boss can read your direct messages. How to tweak the retention settings on your direct messages. The Chrome browser extension Shhlack, can encrypt messages. Use Signal instead for real privacy. Some Slack accounts track edits and maintain records of the messages before they were edited.
What if All Your Slack Chats Were Leaked? by Gennie Gebhart in NY Times (July 2019). No defense, just things to be aware of. "Slack stores everything you do on its platform by default - your username and password, every message you've sent, every lunch you’ve planned ... That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers ... can break in and steal it." On the free Slack service, all messages are kept forever.
See the Slack Privacy Policy.
I have never used a Ring doorbell. Thus, nothing but links.
This section is about payment apps (aka pay apps) such as PayPal, Venmo, Cash App, AppleCash, Google Pay and Zelle.
The items below are defensive measures that apply to just one website or just one system.
Lots of other people and places offer Defensive Computing advice, though they don't call it that.
Whew! Seems like a lot, it is a lot.
All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.
This site is as clean as clean gets. There are no ads. There are no trackers. It does not set any cookies. None of the links here are affiliate links, I do not profit from this site in any way. No need to believe me. You can test for setting cookies at cookieserve.com. Here is a screen shot of the clean bill of health. You can also test at Blacklight a website privacy inspector from The Markup. You can click here to run a live test of this site. For reference, here is a screen shot of a Blacklight scan from Sept. 23, 2020. If you see any ads here, something (your computer, browser or router) has been hacked.
Last Updated March 7, 2021
Website by Michael Horowitz