A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

EXTRA CREDIT

• Be very wary of files sent to you that you did not ask for. This applies on both desktop and mobile Operating Systems. Sometimes, just downloading them is enough to get infected with malware. Open these files on a Chromebook running in Guest Mode.
• Kaspersky has an Online Privacy Checker that is not that. It is a static list of configuration suggestions for Instagram, Facebook, WhatsApp, TikTok, Twitter, Youtube, Google, Skype, LinkedIn, VK, Windows, macOS, iOS, Android, Edge, Firefox and Chrome. Each product has three levels of privacy options. The site is very slow and amateurish. There are no last update dates and it does not say which version(s) of the software it is targeting. Also, the navigation is confusing. The site copyright is 2021, so it may have already been abandoned. Not that it can't be useful. Here are some examples:
  1. Firefox on Windows Medium Privacy
  2. Facebook on Android High Privacy
  3. Android High Privacy
• The website JustGetMyData is a directory of links for you to obtain your data from assorted services. It rates each company as to whether the process is easy,medium or hard. Easy: Google, Facebook, Apple, Tinder. Hard: Zoom, Microsoft, Adobe, Craigslist. A companion website, JustDeleteMe offers links to delete your account from assorted services. More: This Simple Tool Will Help You See What Websites Know About You by Matthew Gault of Vice (Jan. 2021). Michael Bazzell has a Data Removal Guide for removing your personal information from data broker and credit reporting services (Last updated April 2022).
• Don't take computing advice from the mainstream media. Many reporters that cover technology are Art History majors that do not understand the stuff they write about. Thus, they often make bad Defensive Computing suggestions. For example, have you ever seen an article suggest using a Chromebook in Guest Mode when accessing sensitive/financial websites? I have not.
• Mobile Device Best Practices from the National Security Agency. October 2020. A two page PDF. Some of it is just a round-up the usual suspects. But also: disable Location, Bluetooth and Wi-Fi when not using them. Power cycle the phone weekly.
• Thinking about selling your Echo Dot - or any IoT device? Read this first by Dan Goodin of Ars Technica (July 2021). Wiping your data from any IoT device before getting rid of it can be hard.
• The more you know about DNS the better. My Router Security website has both a short and long explanation along with a list of websites that show your currently used DNS servers. Get in the habit of checking the active DNS servers, especially when traveling.
• Before you use a new USB flash drive, plug it into a Chromebook running in Guest mode and format it from there. In the same vein, If you don't know where a flash drive came from, the only computer you should plug it into is a Chromebook running in Guest mode. Malicious USB flash drives are a common tactic for infecting the computers of people who have not read this website. Running Linux off a bootable CD/DVD disc is also a safe environment. However, a USB flash drive can also destroy a computer. The usbkill.com drive overloads the circuits, converting a computer into a paper weight. So, a low end Chromebook is probably best. More on the USB Flash Drive page.
• There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.
• Speaking of laptop computers, they have microphones that are typically impossible to mute. This article: Why your laptop's always-listening microphone should be as easy to block as your webcam (June 2019) mentions some models that can disable the microphone. My T series Thinkpad can. Laptops from Framework have hardware off-switches for both the microphone and webcam. They are also extremely repairable (Sept 2021). The $200 PineBook Pro Linux laptop can also mute the mic. On macOS, you can install OverSight to be warned both when the mic is activated and when something accesses the webcam. Or, you can buy the Mic-Lock microphone blocker for $7 (as of Feb 2020). It plugs into the 3.5mm microphone/headphone port on a laptop, phone, or tablet and tricks the device into thinking that a microphone is connected. For more on this, see the Dec 13, 2019 episode of the Privacy, Security and OSINT podcast, Camera & Microphone Blocking. In Windows 10, turn off the mic at: Settings -> Privacy -> Microphone. In macOS turn it off at: System Preferences -> Security & Privacy -> Privacy -> Microphone.
• Scam Alerts from the FTC
• Defensive search engine: This article describes a search engine trick pulled off by special interest groups. They scam people by abusing the data void for newly invented keywords. See The far right is dominating the information wars through keyword signaling by Corey Doctorow October 2019
• Whenever you are offered the choice to Login With Google or Login With Facebook, don't do it. iOS 13 will introduce a new competing system: Login with Apple. As of July 2019, it is too soon to form an opinion on it, but it will let Apple read your email, something they could not do without it.
• A very sneaky trick that some websites pull is making third party cookies look like first party cookies. Everyone allows first party cookies so this lets you be tracked. The website trackingthetrackers.com tests for this and reports on it. Great service.
• The Princeton IoT Inspector software only runs on macOS High Sierra and Mojave (not Catalina as of Feb 2020). It lets you spy on the IoT devices that normally spy on you.
• At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.
• Why You Need to Make a 'When I Die' File - Before It's Too Late (August 2019). The article is about much more than computers, but serves as a reminder to plan, somehow, for the right people to obtain all your passwords when you are no longer around.
• Can you tell if a website is legit?

  IS FTCCOMPLAINTASSISTANT.GOV LEGIT?

  I read an article that said victims of Identity Theft should go to ftccomplaintassistant.gov and I wondered if that site was legitimate. That is, is it really from the Federal Trade Commission, a division of the US Government? We have already seen that just having "FTC" in the name means nothing. The FTC has their own website at ftc.gov, so why the need for another domain name? Instead of a new domain, they could (read should) have used complaintassistant.ftc.gov or ftc.gov/complaintassistant. Both leave no doubt that they are from the FTC.
  
  On thing pointing to its being a scam is that the home page of ftc.gov has a link to identitytheft.gov for reporting identity theft. There is no link on the FTC home page to ftccomplaintassistant.gov. And, identitytheft.gov has its own assistant (identitytheft.gov/Assistant) which does not link to ftccomplaintassistant.gov.

  Looking at the ftccomplaintassistant.gov site, the first thing to notice is that it does not have the extra identity assurance. If it is legit, that would be pretty ironic, eh? In techie terms the site is Domain Validated (DV) rather than having Extended Validation (EV).

  All domains have to be registered and whoever pays for the registration can chose to make their identity public, or not. Looking up this information is called a Whois search and every company that registers domains offers a Whois search. However, this turned out to be a dead end. I could find no Whois information for any .gov websites.

  A couple things point to the site being legit. There is a page on ftc.gov with consumer information about Identity Theft and it has a link to "File a Consumer Complaint" that goes to ftccomplaintassistant.gov. And, while the home page of identitytheft.gov has no links to ftccomplaintassistant.gov, an examination of the underlying html (i.e. page source) showed that pulls in a script from chat.ftccomplaintassistant.gov.

  So, is it legit? I would have to call the FTC on the phone and ask them.

  On a related note, ftccomplaintassistant.com is definitely bad news. That was an easy call.

JUICE JACKING

USB cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be attacked. The attack is called Juice Jacking (maybe Juice-Jacking) and the potential danger was first raised back in 2011. There are multiple defenses (see below) but the most commonly suggested defense is a USB cable that only does power. These cables go by multiple names: Power-Only cables, Charge-Only cables, USB Data Blockers or a USB condom.

1. This excellent article USB Data Blocker Teardown (Aug 2020) explains three different types of USB data blockers.
2. For an intro see How to Protect Yourself From Public USB Charging Ports by Chris Hoffman for How To Geek. August 2018.
3. Protect your data with a USB condom by Adrian Kingsley-Hughes for ZDNet. April 11, 2023. With two different popular types of USB ports, you may need multiple USB condoms: There are: USB-A-to-USB-A, USB-A-to-USB-C, and USB-C-to-USB-C.
4. Adafruit makes the PortaPow USB condom
5. SyncStop also sells USB cables/adapters that only do power.

There are a number of other defenses too:

1. Obvious: Rather using a public USB cable, plug into an electric outlet with your own cable and adapter
2. Obvious: Use your own portable charger/battery
3. Get a charge in your car, if possible
4. If you are desperate, Brian Krebs suggests that a phone is much safer if its powered off. This from his April 14, 2023 article: Why is 'Juice Jacking' Suddenly Back in the News?

The Krebs article was one a number of articles in April 2023 that asked just how likely such an attack is. It was probably the best. Another was: Actually, Charging Your Phone in a Public USB Port Is Fine by Heather Tal Murphy for Slate. April 13, 2023. Despite the click bait headline, the article does recommend using a USB condom. It is mostly a takedown of how the tech press works. It says there are no known instances of a phone being hacked due to plugging into a public USB port. Still, this assumes that installing malware on a phone is the only danger and ignores the issue of files that might be visible over the data connection - files that can be copied and thus leave no trace on the phone. The article also says that new Android and iPhones ask whether you want to share data or charge only when they plug into a USB port that is set up to capture data. Of course, a victim can answer the question wrong. And, the articles does not not define "new" so its not clear when this feature was added.

 

Copyright 2019 - 2023