There are two big issues with passwords: how to create the dozens that we all need and how to retrieve them after they are created.
When someone calls you, you NEVER know who they are. Callerid can be spoofed just like the FROM address in email. With so many companies being hacked and leaking data, the caller may know things that, at first, it seems only a legitimate caller would know. As with email: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information.
It's bad. Real bad. The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.
Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data, that you might want to disable, at least as a starting point, to reduce your attack surface.
iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.
In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (its 5 AM local time). And, "nearby"? There is no such thing a near and far Wi-Fi.
Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".
Intro: While Wi-Fi and Bluetooth were designed to transfer data, UWB lets devices locate themselves in three dimensions. UWB radios are in newer (as of Jan. 2022) Android phones from Google, Samsung and others. On the Apple, side, it was introduced with the iPhone 11 (2019) and Apple watch Series 6 (2020). Perhaps the biggest use of UWB so far, is in Apple AirTags and AirDrop.
Pixel 6 Pro: The Pixel 6 Pro now lets you disable a wireless tech you hardly need by Jay Bonggolto (Jan 2022). Starting Dec. 2021, you can turn UWB on and off if you have a Pixel 6 Pro. Other phones? It does not say. UWB is used by Nearby Share and a digital car key feature. The article does not say if this applies to Android 11 or 12 or both. Settings -> Connected Devices -> Connection preferences. And how nice of Google to add a feature that could not be turned off.
iPhone 11: From What Is Ultra Wideband, and Why Is It In the iPhone 11? by Chris Hoffman Sept. 2019. iOS 13.1 on the iPhone 11 has a new Ultra Wideband radio. It is the first smartphone to offer UWB which only works over a short distance, shorter than Bluetooth. UWB allows an iPhone to precisely detect where objects are in physical space. AirDrop will suggest sharing with other iPhones that you point at. Longer term, it could be used to locate lost objects. Can you turn it off? Don't know.
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services.".
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much same description.
Android 6: Settings -> WLAN -> advanced -> scanning settings -> Bluetooth scanning
Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.
Android 12: Search settings for "Wifi scanning". Text says "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services". See a screen shot of the setting and a warning about it from Android itself. Warning: turning off this option does not stick. That is, when you do something (I don't know what) it turns itself back on and Android is again scanning WiFi networks when Wi-Fi seems to be off, but is not.
Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much same description.
Android 6 in the Advanced WLAN section, look for Scanning Always available. Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 6: Settings -> WLAN -> advanced -> scanning settings -> WLAN scanning
Android 9: Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn of Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".
Google wants you on-line even if it means using an insecure Open Wi-Fi network. To that end, Android might automatically connect to an open network, or, notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon -> are two relevant optons: Network Notification and Use open Wi-Fi automatically. Disable each.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"
On Android, search the Settings for "NFC". On Android 9, its at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC. Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The bug was fixed in October 2019 but so few Android devices will get the fix. If NFC is needed, you can leave it enabled, just be sure to disable NFC file beaming as explained in the article.
On iOS, NFC is used for Apple Pay and reading NFC tags. iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.
There have been many bugs and data leaks involving Bluetooth, so its best to turn on it when needed, then turn it off when done. Be aware though, as I describe here in the Mobile Scanning and Sharing section, that both iOS and Android may not turn off Bluetooth when you think its off. Another reason to have it off: If you leave a laptop, tablet or phone in a car, bad guys can scan for cars with Bluetooth devices in them as per: Thieves Are Using Bluetooth to Target Vehicle Break-Ins by Wes Siler (Dec 2019).
Bluetooth devices have names and the names may identify the device which is not a good thing to do in public. Give your Bluetooth devices names that do not identify them or you to people nearby. how you do this will be different on different devices.
Below are some articles about the many bugs in Bluetooth.
The most secure Operating Systems in widespread use are iOS and ChromeOS (the system on Chromebooks).
For encrypting files on a computer running Windows, Mac OSX or Linux, I suggest using VeraCrypt. The software is free and open source. It offers an advanced mode that encrypts entire hard drive partitions, but most people should use the simple mode which creates a single large password-protected file. You then store your sensitive files inside this file. On Windows, you get access to this big file by "mounting" it, which is nerd lingo for assigning it to a drive letter. I have not used it on Linux or Mac OSX. VeraCrypt is a version of the discontinued TrueCrypt software. See Wikipedia for more.
Top of the line encryption, is end-to-end. It is offered by some messaging apps and by some cloud file storage services. Pretty much everyone and everything offers encryption in transit. File storage systems like Microsoft OneDrive, Apple iCloud, Dropbox and Google Drive offer encryption in transit and encryption at rest. However, these companies can still read your files. They do not offer end-to-end encryption. Some companies that always use end-to-encryption for file storage are Spider Oak, Tresorit, sync.com and Proton Drive. Backblaze offers it as an option.
One way to evaluate a file storage/backup service is to ask what happens if you lose/forget the password/key? If the answer is that they can not help you, that you have lost access to your data, then the vendor is using end-to-end encryption. For background, see iCloud: Who holds the key? by Matthew Green.
Texting suffers from the same spam, scam and phishing as email. And, just like email, you can not trust the displayed identity of the sender. Caller ID spoofing is easy.
Consider using Libre Office instead of Microsoft Office. It can read/write files in the Office file formats. Libre Office is free, safer and simpler. It runs on Windows, macOS and Linux.
The Chromebook topic has information on running Office on ChromeOS.
Note: This is separate and distinct from smart TVs spying on you which requires no hacking.
When there is too much electricity a surge protector is designed to absorb the overload and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference.
Just like web pages migrated from insecure HTTP to encrypted HTTPS, so too, DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.
All the ways Slack (and your boss) tracks you and how to stop it by Matt Burgess for Wired (October 2020). By default, Slack never deletes your messages or files. The biggest risk for many people is bad passwords and the lack of two-factor authentication. Private channels and DMs could be revealed during a legal case or other type of investigation. When adding a new person to a Slack channel they are able to see past messages and files, including any gossip about them.
7 Slack privacy settings you should enable now by Jack Morse in Mashable (July 2019). In the paid version of Slack, the article explains how to tell if your boss can read your direct messages. How to tweak the retention settings on your direct messages. The Chrome browser extension Shhlack, can encrypt messages. Use Signal instead for real privacy. Some Slack accounts track edits and maintain records of the messages before they were edited.
What if All Your Slack Chats Were Leaked? by Gennie Gebhart in NY Times (July 2019). No defense, just things to be aware of. "Slack stores everything you do on its platform by default - your username and password, every message you've sent, every lunch you’ve planned ... That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers ... can break in and steal it." On the free Slack service, all messages are kept forever.
See the Slack Privacy Policy.
I have never used a Ring doorbell. Thus, nothing but links.
Scammers love to trick people into sending them money on a gift card.
Some simple rules to know for defense:
The safest computer for non technical people is a Chromebook. Right off the bat, it offers immunity from scammers calling and claiming to be from Microsoft, Windows or Apple. Most likely the bad guys do not have scripts, yet, that target Chrome OS users. Then too, a Chromebook requires no ongoing care and feeding making it a perfect fit for non technical people.
Background info:
Whew! Seems like a lot, it is a lot.
All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.
| This Page Last Updated May 6, 2025 | Site Page Views TOTAL 1,191,016 | Site Page Views TODAY 508 |
Website by Michael Horowitz |
top |
