Overview
[If you're planning to make big changes to your situation, do the big changes first. Such as: changing to Linux, changing to Firefox, starting to use a password manager, changing email provider. Then do the smaller tweaks and additions.]
Password security
Use the password and security features of your device and software; many people don't even bother to set a password !
It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once a while ago, you must be the account owner, no account password needed.
Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable.
Do NOT use Facebook login (or Google, or Apple, or Microsoft) as your login to lots of other web sites. Not only does it let your activity get shared to Facebook (or etc), but if Facebook (or etc) ever deactivates your account for some reason, you've lost access to those other sites too. Similarly, don't use a Microsoft login to your Windows PC, use a local login.
Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager.
See my Authentication page.
Managers of Other Information
Don't let web sites or browsers save your important data if you can avoid it. Store it in specialized encrypted, private "manager" applications on your machine.
Some types of "managers":
- Password Manager: see
Password Manager section of my Authentication page.
I use KeePassXC.
- Financial / Budget Manager: ???
- Bookmark Manager: store your bookmarks separate from your browser(s), use same set in multiple
browsers, sync across devices, better UI and searching etc.
But most of them store your info in their cloud server.
Srikanth AN article
Top Best Alternatives article
LinkAce
Or: use your password manager to store bookmarks. - Address Book / Contact Manager: best if integrated with email.
- Calendar: best if integrated with email.
- To-Do List: best if integrated with calendar/email.
- Notes: maybe Standard Notes
Most of the PIMs I see are more complex than I want, and don't say anything about encrypting their database. Probably best to pick a simple PIM and put its database inside an encrypted container.
Osmo (Linux only, database not encrypted, files under ~/.config/osmo and ~/.local/share/osmo by default)
If you don't use a specialized application, you could use a text file inside an encrypted container. But you'd lose the ability to sort by various fields, alert on calendar events, view the calendar in standard calendar format, have a tree-view for to-do items, etc.
Password on phone-company account
Mobile-service providers often let you set a PIN to control changes to account settings. So if you (or a scammer) calls them and says "move this phone number to a different SIM", the provider won't do it unless the proper PIN (AKA "number-porting PIN") or password is given. This can stop "SIM Swapping" (AKA "SIM Hijacking" or "Port Out Fraud", but really it's "phone-number hijacking" or "number-porting").
Or maybe you can tell them you've been a victim before, you want extra flags or security questions on your account.
Days after you set a PIN on your account, call your provider again and try to make a change, and see if they actually do ask for the PIN.
If someone steals your phone number (AKA "SIM-swap"), it's much easier to recover if there is a second phone on the same account/plan. You can ask the provider to send codes to that second phone number to verify your identity.
Emily Price's "Add a PIN to Your Smartphone Account"
Zack Whittaker's "Cybersecurity 101: How to protect your cell phone number and why you should care"
Brendan Hesse's "How to Prevent and Respond to a SIM Swap Scam"
CipherBlade's "The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You"
If you're going to abandon a phone number, first remove it from any accounts that may have it, and inform your contacts. Assume that the number will be re-issued to some new customer within a year. What will happen if they start getting calls or messages intended for you ?
Give 'them' as little data as possible
Don't let web sites save your credit-card data.
If possible, give them a fake phone number and address.
Don't fill in profile fields that are optional.
Use fake data as answers to security questions
If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to save those questions and answers yourself (in your password manager).
Note: If your bank or other company confirms your identity by asking for last 4 digits of your SSN, this is bad security. Your SSN can leak in many ways, and it's very hard to change it.
Same for some credit-reporting agencies which confirm your identity by asking things such as "which of these 4 types of car did you own ?". The answers can be leaked easily, and you can't change them. Bad security.
Installing software
This is a tough area. Software is complicated, mysterious, powerful.
"Software" includes desktop applications, phone apps, browser extensions, browser bookmarklets, system extensions, editor extensions, more.
Mostly you have to:
- Trust the developer who created the software.
- Trust the place you're downloading the software from.
- Trust that the file you download is valid.
There are partial solutions:
- Check the reputation of the software and the developer.
- Download from a reputable place, which also may audit the software.
- Verify that the file you download comes from the developer.
- Run the software in a "sandbox" to limit what it can do.
- Monitor file and network accesses done by the software.
- Use software that is more limited by design (web pages instead of installed applications).
- Use less software in general.
Linux downloading:
Verify downloaded file's hash or signature if possible. Merlijn Sebrechts' "How to verify the source of a Snap package" How to do for Flatpaks ? Many deb's are unsigned. All rpm's are signed ?
Verifying a hash confirms that the file received by your machine matches the file on the source site. If someone has compromised that site, or if that site is not the original source of the software, verifying the hash doesn't protect you.
Verifying a signature confirms that the file received by your machine was signed by someone who possesses the private key that matches the public key on the source site. An attacker would have to get the private key as well as compromise that site, so the signature is a higher level of protection (assuming that the public key is known-good some other way).
Xiao Guoan's "How to Verify PGP Signature of Downloaded Software on Linux"
Alexandru Andrei's "How to Verify Authenticity of Linux Software with Digital Signatures"
Linux sandboxing: see my "Linux Network and Security Controls" page and my (Linux) "VMs and Containers/Bundles" page.
Windows downloading:
Computer Hope's "How to verify the checksum of an installer file"
Martin Brinkmann's "How to verify Digital Signatures of programs in Windows"
Windows GUI installer: always choose the Custom / Advanced option, which may give you more visibility of and control over what is installed.
Windows 10 Home sandboxing:
For various files and folders, set which applications are allowed to access them.
Brendan Hesse's "Why You Should Use Windows Defender's Ransomware Prevention"
Vamsi Krishna's "7 of the Best Sandbox Applications for Windows 10"
Karanpreet Singh's "10 of the Best Sandbox Applications for Windows 10"
TheWindowsClub's "SandBoxie lets you run Programs in a secured environment on Windows 10"
What software is running in the system ?
Launched at system startup:
Martin Brinkmann's "Manage Windows Startup Programs with Startup Sentinel" (Windows)
Run Task Manager or equivalent, and look at what apps are running. Do you recognize all of them and know what they do ?
Software updating
Run the newest stable version of your operating system, and turn on auto-updating. Same for browsers, anti-virus, VPN.
(And this from openSUSE Tumbleweed:)
But this is a major problem for Android smartphones: on older phones, you can't update the OS to a newer version, unless you install a "custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates. At some point, it might be best to buy a new phone (or flash a custom ROM), just to get onto newer software.
See Android Custom ROMs section of my Android page.
For less-important software, I might turn off auto-updating from inside the app. I don't want a lot of little check-for-update background processes running all the time, and I don't have confidence that the maker of some genealogy application or something has invested a lot of effort into making their update process secure.
Keep an eye out for news about the software you use.
A corollary of "do updates" is "don't use software that has been end-of-lifed or abandoned". If you're using something where the vendor no longer provides updates, you're vulnerable.
The more I think about it, updating is a major security issue for all OS's. What controls guarantee that an installer or updater will update only the application or component it is associated with ? Is the communication channel encrypted ?
If something is updated through Windows Update or Linux's manager (Update Manager, on Mint) or an app store, maybe you can have some confidence that the process is efficient and secure. But if an individual app is reaching out of your system to its update server every day in some unknown way, that is questionable. If you have 20 such apps doing so every day, an attacker has lots of surface to attack, and there is lots of traffic for you to monitor or analyze for threats. Not to mention lots of little look-for-update processes running in the background all the time, maybe.
What is the long-term solution for this ? Lobby Microsoft to let third-party apps use the Windows Update mechanism ? On Linux, only install apps via the main software manager on the system ? Add some kind of OS controls so an installer/updater can touch only the associated component's folder and registry tree ? I assume Windows Update and Linux's managers and app stores use TLS on their connection back to the server; true ?
In response, someone pointed out: evilgrade
Browser
General recommendation: use Firefox or Brave.
In general, you don't want a browser too far derived from its base mainstream browser, or with too small a development team. You want to get security updates quickly.
On Linux, consider running the browser either in a container (snap or flatpak) or in a security context (Firejail or AppArmor).
Idea: After you install a browser, disconnect from the internet, launch the browser for the first time, turn off telemetry and other features you don't want, quit, connect to internet again, launch the browser again.
Don't log in to a cloud service associated with your browser, such as Google Chrome login or Firefox login. That's a recipe for having unknown ties between browser and service, including automatic backups or sharing, telemetry, etc.
Set your browser to update automatically; browsers contain security features that should be kept up to date.
Set your browser to ask you each time a page wants to do certain things: download a file, use camera or microphone, etc.
Don't keep a lot of tabs open and logged-in to sensitive sites (financial) if you don't have to.
Things you may want to turn off:
- Any "suggestion" or "prediction" feature (probably sends your keystrokes to a server).
- Any "usage-reporting" or "telemetry" or "let vendor run studies" features.
- Any "crash-reporting" feature (I leave this one enabled).
- Any "syncing" feature.
- Any cryptocurrency-wallet feature.
- Any "password-remembering", "payment methods", "address-remembering" features.
- Any "security-screening" or "safe-browsing" feature (debatable; maybe your VPN or ad-blocker does this; apparently now browsers use Update API which avoids sending your URLs out to a server).
These days, users probably spend 90% of their time in a browser. So, take the time to go through ALL of your browser's settings/options. Generally turn off things that send data to a cloud service. Turn off features you don't need.
From someone on reddit 11/2018:
"Chrome has a whole host of services that send data to/from Google (auto-complete, prediction services, spell check, translation, safe browsing, etc...). ... if you don't want Google to know anything about you, you can't use Google products." [Also password syncing, and "login to Google automatically logs you in to Chrome". And check options carefully to see what is turned on.]
So: ungoogled-chromium (have to uninstall Chromium first, if it's installed)
Daniel Gray's "Firefox Privacy: 2021 update"
Brian King's "Towards a Quieter Firefox"
Martin Brinkmann's "Each Firefox download has a unique identifier"
yokoffing / Better-Fox
Douglas J. Leith's "Web Browser Privacy: What Do Browsers Say When They Phone Home?"
Unix Sheikh's "Choose your browser carefully"
Brave's "Comparing the Network Behavior of Popular Browsers on First-Run"
Use as few browser extensions/plug-ins/add-ons as possible; each additional extension installed means a greater chance of getting a malicious extension or a security hole or a performance hit.
Chris Hoffman's "Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them"
Matt Frisbie's "Let's build a Chrome extension that steals everything"
If you can, avoid using browser extensions associated with other applications on your machine, such as anti-virus or VPN or password manager. The combination of application and extension gives enormous access to all of your data, inside and outside your browser, and an easy connection to the internet.
To see what's running/open in your browser and how much RAM each is taking:
In Firefox, type "about:processes" and "about:memory" ("about:performance" is an older, less accurate alternative) in the address bar, or click Hamburger / More / Task Manager.
In Chrome, type Shift-Esc, or click "..." / More tools / Task manager.
Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
I use uBlock Origin:
uBlock Origin
Get from uBlock - installation ?
Add filter https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt
Add and activate "Fanboy's Social Blocking list".
Let's Block It!'s "Available filter templates"
Add filter rules:
*$websocket
||accounts.google.com/gsi/iframe/select$subdocument
*$font,third-party,domain=~openbank.es|~reddit.com
Adblock Plus's "How to write filters"uBlock's "Static filter syntax"
uBlock's "Dynamic filtering: quick guide"
uBlock's "Blocking mode"
Important: use it to turn off JavaScript on sites that can tolerate that.
Maybe: enable setting "block remote fonts" or add filter "$font,third-party" (article1, article2), but it will break icons on a lot of sites.
Maybe do: Blocking mode: hard mode
uBlock Origin
Remove tracking parameters from URLs:
ClearURLs by Kevin R.
[Firefox 102 implements "Query Parameter Stripping".]
[uBlock Origin with filter https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt does same.
Test via Firefox Query Stripping test
An add-on that tries to protect you from look-alike domain names (e.g. "amaz0n.com"): Donkey Defender (but not updated in 3+ years)
If you hover your mouse over this link, do you see "apple.com" in the browser's status bar ? If so, your browser has a vulnerability. The link address actually is "https://www.xn--80ak6aa92e.com/". In Firefox, in about:config, change "IDN_show_punycode" to true.
Show what your browser reveals to a web site: BrowserSpy.dk (click tests on left side of page)
Some sites (eBay, banks ?) use WebSockets to do a port-scan of your system (to localhost, from the web page, from the inside !), to see if you look like an IoT device that is part of a botnet (article1, article2). If you want to stop this scanning, in uBlock Origin go to the Dashboard and then My Filters and add a rule "*$websocket". (I'm told Adblock Plus uses same filter syntax.) (New uBlock Origin: go to Settings - Filter lists - Privacy and enable "Block access to LAN".) An add-on that tries to protect you from this scanning (and other things): Behave! by Minded Security. Test before and after with WebSockets test. The block in uBlock Origin may break some sites (but it didn't break any of my bank logins, but broke eBay login).
Is there any add-on that monitors what certificates and extensions are installed/enabled in your browser, and values of all of the settings, and warns you if anything has changed between quit/relaunch of the browser ?
Chrome browser has a "Safety Check" feature that is useful. article
Test your browser:
HTML5test (different score when using HTTP: HTML5test ?)
badssl (click on various links)
badssl dashboard
How's My SSL ?
Cloudflare's "Browsing Experience Security Check" (ESNI/ECH)
Kephyr's "Pop-up killer test"
Martin Brinkmann's "The ultimate Online Privacy Test Resource List"
PrivacyTests.org
XSinator.com
Browsers are far too bloated and complicated, we should re-design them:
Drew DeVault's "The reckless, infinite scope of web browsers"
Open Hub's analysis of Firefox (30M lines including comments and blanks, in 48 programming languages)
Move many functions out to add-ons or external apps or OS stacks or OS features:
- Bookmarking, link-sharing.
- Password management (and auto-fill).
- History.
- Media-handling (audio, video, etc).
- Reader mode, and text-to-speech.
- Networking (DNS, proxy, socks, DNS over HTTPS, VPN should be in OS network stack).
- Caching (should be in OS network stack).
- Certificates (use OS store or keyring, or secret server).
- Search engines, suggestions, predictive typing in address bar.
- Ad-blocking.
- Header-setting (do not track, GPC, user-agent).
- Security policy (HTTPS Everywhere, padlock icon, tracking protection, malware-blocking, site whitelist/blacklist).
- Cookie and site local storage and management.
- Language and appearance settings (get from system settings).
- Language translation (Firefox).
- PDF edit (Firefox).
- Image-edit, calculator, speed test, unit conversion (Edge).
- Download manager.
- File and application handling (save or open, where to open, ask each time, etc).
- Browser update (use the OS mechanism, not a custom mechanism built into browser).
- Add-on update (use a separate app, or the OS update mechanism).
- Sync (use apps such as rsync, Syncthing, etc).
- Screenshot.
The browser proper should just do:
- Page rendering.
- DOM.
- Page operation (scrolling, buttons, etc).
- Scripting with DOM and hooks to storage etc.
- Page/DOM dev tools.
- Application framework (tabs, menus, windows, connecting everything together).
Maybe I just want a minimal browser. On Linux: I've tried about 8-10 of them, and so far they all have fatal flaws, except GNOME Web (Epiphany). But that browser isn't very minimal, and is working to add more features.
Maybe I could start with Firefox, delete the code-modules I don't want, and build a custom version.
Java OSGi article
Also: We need better control of browser add-ons:
Apparently, today, when you do a web request or get a response, all installed add-ons get a chance to process/modify it, in parallel or in unspecified order. Then their modifications (including discarding it) get merged somehow.
Instead, the user should be able to specify:
- Rules for order of execution of add-ons.
- Domain whitelist/blacklist for each add-on.
- Information accessible by each add-on.
- Types of operation (request/response, HTTP/HTTPS, GET/POST, etc) that can be processed by each add-on.
- Changes allowed by each add-on.
Manufacturer's software
Your machine may come with manufacturer's apps (for launching, printing, help, support, updating, diagnostics, recovery) pre-installed and doing stuff in the background. How secure is that software ?
Bill Demirkapi's "Remote Code Execution on most Dell computers" (offered more as an example of how much is going on in the background, rather than a realistic threat)
Peleg Hadar's "OEM Software Puts Multiple Laptops At Risk"
Dan Timpson's "Lenovo's Superfish Adware and the Perils of Self-Signed Certificates"
Wang Wei's "Pre-Installed Keylogger Found On Over 460 HP Laptop Models"
OS Settings
Don't log in to a cloud service associated with your OS, such as Microsoft login or AppleID. That's a recipe for having unknown ties between OS and service, including automatic backups or sharing, telemetry, etc.
For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.
Run as few operating-system services as possible; turn off the ones you don't need.
Look for privacy and security settings in the OS settings / control panel.
All for Windows only:
Mayank Parmar's "Windows 10 Privacy Guide: Settings Everyone Should Use"
Martin Brinkmann's "Comparison of Windows 10 Privacy tools"
Windows 10 Ameliorated
Chris Titus' "Windows 10 Optimization Guide"
4sysops' "Windows 10 privacy settings"
Privatezilla
Dedoimedo's "Windows 10 annoyances"
Set file-explorer to show file extensions, so you can see file type.
Enable file-previews.
Set view to "details".
Don't open downloaded files in browser, first look at them in explorer.
Computer firmware
There might be firmware in: management engine, motherboard, Linux microcode on top of the MB/BIOS firmware, HDD, SSD, GPU, keyboard, mouse, printer, router, TV, more. Motherboard firmware can be BIOS or UEFI.
Usually you have to manually check for updates to the firmware, on the manufacturer's web site. But in Linux maybe do "sudo fwupdmgr get-devices" (see Linux Firmware section).
Record firmware version number from your ISP's router every now and then, to make sure they're updating it.
Brendan Hesse's "How to Check Your USB Devices for Unsafe Firmware" (but see the comments)
Jessie Frazelle's "Why open source firmware is important for security"
Catalin Cimpanu article about infected firmware in smartphones
Dan Goodin's "Google confirms that advanced backdoor came preinstalled on Android devices"
Gwern's "How Many Computers Are In Your Computer?"
Dan Luu's "CPU backdoors"
See my "Security Engines" page
Separate computers for separate functions
It may be tempting to run a web server and database and routing software and network-storage disk and your personal stuff (browser, password manager, files, etc) all on the same box. It can be done, under Windows or Linux etc. But that greatly increases the chance of some bug or exploit, some incoming attacker being able to access your personal files. It's better to run all the server (incoming) stuff on one box, and all the personal (outgoing) stuff on another box. And set the firewall rules on each box to allow only what is needed on that box.
Even better, run server-stuff on some commercial hosting service. Let them worry about 24/365 availability, bandwidth, disk space, updating, etc. But you'll have to pay for it.
Turn off the computer
When not using the computer, turn it off, so attacks can't get in. Maybe turn off your entire LAN (by turning off the router) when going on vacation ? But then updates won't happen.
Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data. Separate drives for personal, work, school, family data ?
Connection security (protecting 'data in motion')
Encrypt network
Use encryption on your connection: encrypted Wi-Fi, maybe VPN (see VPN section of my "Connection Security and Privacy" page).
On your home network, make connections using Ethernet cables instead of Wi-Fi where possible (client device is close to router/modem). Wired connection is faster and more secure than wireless (and old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved). Similar when transferring data between phone and PC: using a USB cable is more secure than emailing the data or using some other across-the-internet method. Similar with printer: use a USB cable.
Consider having separate home networks for your critical (computers, file server, phones) and untrusted (TV, refrigerator, security camera, baby monitor, game consoles, guest, etc) devices. This may mean having to use two routers.
When choosing a name for your home Wi-Fi network, choose something unusual but bland such as "network2793". Don't include your name or address or brand of router in the network name; that information would help an attacker. And the network name may be included in bug reports and such. article Add "_optout_nomap" at the end of the name to opt out of Microsoft and Google location services.
wikiHow's "How to Secure Your Wireless Home Network"
Eric Griffith's "13 Tips for Public Wi-Fi Hotspot Security"
Decent Security's "Router configuration - easy security and improvements"
David Murphy's "How to Make Your Wi-Fi Router as Secure as Possible"
Easy Linux tips project's "Wireless security: four popular myths and 12 tips"
Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your Wi-Fi Network From Hackers"
Chris Hoffman's "How to See Who's Connected to Your Wi-Fi Network"
Michael Horowitz's "Hiding on a Wi-Fi network"
But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public"
From discussion on reddit, and elsewhere:
Securing home Wi-Fi:
- Use the WPA2 protocol. It has now been broken but the chances anyone will use it against you are slim. [Use AES, not TKIP. Use WPA3 if available.]
- Use a strong passphrase. Longer is better than more complex.
- If you have a guest network, isolate it so it can access your internet but not your local network.
- If you have a guest network, see if it hides devices from each other (sometimes called "Layer 2 Isolation").
- Where possible, use 5 Ghz. It doesn't have good penetration so it's less likely to broadcast your network to your neighbors. Otherwise some routers will let you adjust the power of your broadcast.
- Don't bother with MAC address filtering. It's just a headache and it's easy to bypass.
- Apply any patches that are available, to clients and router.
- Turn off WPS and uPnP and access to web interface/console from Wi-Fi.
- Probably turn off telnet, SNMP, TFTP and SMI; they're usually unencrypted and/or insecure.
You could look in your router admin to check what devices are connected. Supposedly there are TWO lists: a list of devices which obtained an address via DHCP (which may not include all devices), and also a MAC address list of all connected devices.
Test your router configuration (turn off VPN first):
See the Port scanning or router testing section of my Testing Your Security and Privacy page.
Turn off any VPN, use IPChicken to get your network's current public IP address, then paste that into your browser's address bar, and see how your router responds when someone from outside tries to access your router on port 80. Also try the address with ":443" appended to it.
Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
VPN Comparison by That One Privacy Guy
Encrypt your traffic: use HTTPS web sites
Definitely use HTTPS to all of your sensitive sites: email, financial.
ilGur's "Smart HTTPS" browser extension
Firefox 83 has added a similar capability natively in the browser.
If you're using a mail application (such as Thunderbird) or an FTP application, make sure they're using encryption on their connection to the server.
But not every HTTPS site implements security to the same level; you can test a site using:
CDN77's "TLS Checker"
Qualys SSL Labs' "SSL Server Test"
testssl.sh
See my "Connection Security and Privacy" page about proxy and VPN.
Application-level encryption
See my "Secure Communication" page.
Data encryption (protecting 'data at rest')
See "Data Encryption" section of my "Computer Theft Recovery" page
Specific problems
Known bad software:
Do not use these:
- Adobe Flash (AKA Adobe Shockwave Player AKA Shockwave Flash).
To uninstall, close browser, then uninstall Flash from your PC: in Windows 10, right click the Start button > Apps and Features > Adobe Flash Player NPAPI > uninstall.
Maybe use VLC instead, and Open in VLC media player add-on in Firefox. - Apple QuickTime for Windows.
Neil Schloth's "QuickTime for Windows: A Cautionary Tale" - Java plugin in browser.
Joel Hruska's "Oracle is finally killing the Java browser plug-in" - Microsoft Silverlight plugin in browser ? Deprecated but not bad ?
In Windows 10, uninstall through Settings > Apps. But uninstall failed on my system. So I did "Fix it for me" in How to clean a corrupted Silverlight installation and then reinstall Silverlight, and that got rid of it. - Avast anti-virus
Known to sell your browser history. - Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
- Thorin Klosowski's "Web of Trust Sells Your Browsing History, Uninstall It Now"
Remote-access software:
Be very careful if you have remote-access software installed on your computer for some reason. If someone hacks it or it's misconfigured, the attacker can do anything you can do sitting at the computer, and it will look just like you doing it.
Jason Fitzpatrick's "How to Lock Down TeamViewer for More Secure Remote Access"
Rick Rouse's "Protect your Windows PC from hackers by disabling Quick Assist / Remote Assistance"
Aggregation services:
- Don't use online financial/budget aggregation services that will connect to all of your bank accounts and
credit-card accounts and Amazon etc to consolidate the data and summarize what's happening.
They just have too much access to your data, and can sell it. Instead, maybe find a local
desktop application, download CSV files from your banks etc, and import the CSV files into
the local application.
Jason Baker's "5 open source personal finance tools for Linux" - Online income-tax-filing services ? You're giving a LOT of info to them, from many sources.
But they're very convenient, and you need something that is updated every year. You could use
paper forms instead, if your affairs are fairly simple.
OpenTaxSolver (OTS) - Don't use online mailbox-client services that will connect to all of your email accounts and
show everything in one web page.
They just have too much access to your data, and can sell it. Instead, use a local
application such as Thunderbird or K-9 Mail.
Things that are full of telemetry (but hard to stop using):
- Windows 10.
- Chrome browser (maybe use Chromium or ungoogled-chromium).
Turn off macroes in Microsoft Office.
Remove bloatware installed by computer's manufacturer: those system-tray applications that offer manufacturer's Help Center or Support or Driver Updater, for example. They're poor quality, constantly-running, and probably offer a huge attack surface.
A bit suspicious, and a general way to stop specific applications from running in Windows:
Martin Brinkmann's "How to block the Chrome Software Reporter Tool"
Wireless devices are less secure than wired devices, and often wireless has greater range than you'd expect. Old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved.
Turn off features you don't use
Either turn them off permanently, or enable them only when you want to use them.
Don't use Bluetooth, mobile Hotspot, mobile tethering, NFC, Z-Wave, Zigbee, infrared, Cortana, Siri, location/GPS services, voice controls ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services.
Rick Rouse's "How to turn off 'File and Printer Sharing' in Microsoft Windows"
Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even just if it has a battery in it. And various map and taxi apps will be unhappy that they can't read your location.
Turn off services you're not going to use for a while. Turn off any remote-access service when you're at home.
Turn off the whole device if you're not going to use it for a while. Does your internet-connected computer need to be running 24/7 ?
Put tape over the webcam on your laptop.
Or software:
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
Turn off the microphone on your laptop or smartphone.
Maybe put a dummy plug into the external microphone jack.
Tape over the built-in microphone opening doesn't really work.
Or software:
Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
The highest-confidence solution: physically unplug the built-in microphone inside the case, and always use an external microphone (plugged in only when you need it).
Note: iPhones have 1 to 4 microphones, depending on model. Most Android phones have 1, some have 2.
Note: Video-call apps may continue to use the microphone even when you are on "mute" in the app. Likely this is because turning microphone off/on can be a slow operation in the OS, or can affect the way network traffic is handled. For example, "on iOS you can't just start and stop input stream separately from output, but you have to stop the entire audio session and restart it in output-only category." Bluetooth headset might add a complication too. Some apps have a feature to warn you when you're muted but actually talking: "hey, do you know you're on mute ?". So audio input may continue to flow to the app, and maybe even to the server, while you are "muted".
Know the features of your devices
- Does your TV have a microphone, a camera, Wi-Fi, a wired internet connection ?
Nicole Nguyen's "If you have a smart TV, take a closer look at your privacy settings"
Chris Hoffman's "How to Stop Your Smart TV From Spying on You"
Carey Parker's "Your TV is Watching You"
BBC's "Samsung TVs should be regularly virus-checked, the company says"
Smart TV may speak a number of protocols; maybe turn off "direct" if you're not using that. - What connectivity does your car have ? Does it suck data out
of the smartphone you connect to it ? Does it take video of you ?
Modern cars essentially are smartphones with wheels, with all the vulnerabilities of smartphones.
Maybe don't put your exact home address in the navigation system; if someone stole your car they'd have your keys and your home address (but your registration papers have your home address too). Does the car have updatable software, and passwords ? Is it wirelessly connected to your garage-door opener or home Wi-Fi ?
If you're the second owner, does the first owner still have access ? If you sell it, how can you wipe your info out of it ?
Rental car: don't connect your smartphone to the car. All of your contacts may get sucked out, and made available to the rental car company, or to the next person who rents that car.
Anything with a Wi-Fi chip (car, smartphone, laptop, TV, etc): "forget" as many saved networks as you can. Otherwise the device constantly is broadcasting attempts to connect to those networks (may apply only to "hidden" networks ?).
Matt Burgess's "How Your New Car Tracks You"
Jon Keegan and Alfred Ng's "Who Is Collecting Data from Your Car?"
The Zebra's "What Data Does Your Car Collect on You?"
Rachel Murray's "Connected cars: How syncing your phone to vehicles could put your data at risk"
"Privacy4Cars" app (article)
- Do some of your devices have their own cell-network connection ? What data flows over that ?
Can you control that ?
Carey Parker's "The Rise of Cellular IoT"
- Does your phone enable spending money, via Apple account or in-app purchases ?
Very dangerous if your children get access to your phone.
- Is your phone sharing photos to your Google or Apple account ?
- Is your phone analyzing your photos to see if you're doing anything bad ?
Jeffrey Paul's "Apple Has Begun Scanning Your Local Image Files Without Consent" - Does your phone (fixed-line or mobile) have voice-mail ? Can you disable that ? Have
you set a good password on it ? Some password-reset or account-recovery procedures may
send a code via voice call, and if that ends up in voice mail and an attacker can guess
your voice-mail password, they can get the code.
- Does your home alarm system have an "installer" account that lets the company
see the status and cameras etc ?
Unredacted Magazine issue 1 page 9
- Apparently some devices (such as Roku) come with "privacy" policies that allow them to
report to the manufacturer about other devices on your LAN.
- If you must have a "smart home assistant" with a microphone in it, consider
using something open-source instead of Alexa or Siri or whatever:
Mycroft. Or look for products to block
Alexa when you're not using it, or just put a bowl over top of it.
- Be aware that a "smart home assistant" can be triggered by words similar to
the expected "wake word", and send your sentence to be analyzed and saved in the cloud.
article
- If you attach a hard drive or flash drive to your router to share it, does
your router automatically allow FTP access to it from the whole world ? Some routers do.
- What EXIF data is in the photos your phone creates ?
How to remove the data:
Joel Lee's "3 Ways To Remove EXIF MetaData From Photos (And Why You Might Want To)"
EXIF Purge
ExifTool ("exiftool -overwrite_original -all= FILENAMES")
A lot of other kinds of documents can contain meta-data too; for example see right-hand column of Metadata2Go
Nikita Mazurov's "Don't Trust Cropping Tools" - What buyer-data is recorded in the MP3's or other media you buy through iTunes, Amazon, etc ?
How to remove the data (maybe):
Alan Henry's "Desiccate Scrubs Personal Data from iTunes and Amazon-Bought Tunes" - Is your Kindle or other e-reader reporting what books you read and how you read them, page by page ?
If it has a camera, in the future will it be able to read your expressions as you read a book ?
Null Sweep's "Kindle Collects a Surprisingly Large Amount of Data"
Martin Kaste's "Is Your E-Book Reading Up On You?" - Can your device be remote-wiped or have files deleted by the manufacturer ?
WD My Book Live disaster - Is your device or router providing access to others who have bought the same
device or service ? See Amazon Sidewalk, Comcast Xfinity Wi-Fi Hotspot, FON, Jazztel, more.
- Does your printer do Wi-Fi ? I set mine up to do so. Very convenient, but see if it
has an administration page.
My printer actively looks onto to the internet for firmware updates, which I would like to block. In printer admin page, disable updates ? In router, block printer's IP address (if it's a fixed address) or MAC address ? - Color laser printers often put coded tracking info on the printed page:
EFF's "List of Printers Which Do or Do Not Display Tracking Dots"
DEDA - tracking Dots Extraction, Decoding and Anonymisation toolkit
Apparently no one makes a FOSS laser-printer. - Printers store pages in internal memory:
Hackworth's "Could Your Printer Be A Security Risk Because It Saves A Copy Of Your Data?".
- Physical access: If your computer has a connector that exposes a memory bus (PCIe, ExpressCard, Thunderbolt),
a sophisticated attacker could attach a spy device to that connector and read internal traffic.
If your computer/phone has USB or NFC or FireWire, maybe an attacker could attach a device that pretended
to be a keyboard.
Mozilla's "*privacy not included"
David Murphy's "How to Keep Your Internet-Connected Device From Spying on You"
Using router/modem supplied by your ISP:
See Router And Modem section of my Connection Security page
From someone on reddit:
If your ISP can access your modem (and if you're using an ISP-supplied modem, it'd be foolish to assume they can't),
they can see anything your modem can potentially log (think SSIDs, MACs) via a little-known protocol known as CWMP.
And this is to not even begin the implications that they could not simply be retrieving logs, but actively tampering
with data. So yes, do not use ISP-given devices, get your own. This is critical.
At the least, your ISP-supplied router could be reporting names and MAC addresses of all devices on your LAN. Names may be easy to change to something uninformative such as "laptop1". But MAC addresses could be more revealing, and used for tracking. Harrison Sand's "Your ISP is Probably Spying On You"
From someone on reddit:
> Do ISPs update router firmware and watch for malware ?
Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available as they were discontinued support long ago.
So it sounds like if you can't find firmware updates for your router, and it's more
than a couple of years old, maybe best to just replace it. If it's ISP-owned, maybe
ask if they have a newer model available, and if you can upgrade for low or no fee.
If you own it, replace it or install
DD-WRT
or
OpenWrt
on it.
Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available as they were discontinued support long ago.
Ways to avoid the ISP-supplied router/modem:
[Note: things get more complicated if the router is providing cable-TV service
in addition to internet.]
- Ask ISP if you can replace it with a router/modem you own yourself.
From someone on reddit:
"Google for modem compatibility lists. You can generally find a site that sorts by state and ISP and lists which current model modems would or should work."
If you replace the modem, you'll have to register/configure the new modem with your ISP.
If you want to run custom software in the router you own, see Router And Modem section of my Connection Security page. - Check router's admin page, or ask ISP, if their router/modem can be set into "bridge mode", so you
can add your own router behind it.
This amounts to turning off the router and Wi-Fi in the ISP-supplied router/modem box, using router and Wi-Fi in your own new router box, and connecting the two boxes via an Ethernet cable. Connect all home devices (except telephone ?) to your box, not the ISP's box. Now the ISP-supplied box doesn't have access to your LAN, it just sees what comes out of the bridge-Ethernet port of your new router box. See Router And Modem section of my Connection Security page.
Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"
"Complexity is the enemy of security."
Keep it simple. If you have your smartphone controlling your door-locks and security-cameras and automatically uploading photos to Instagram and accessing your LAN and the internet and the cell network, you really don't know everything that is happening and everything that can go wrong. Better to have some compartmentalization, some things that happen only on one device or happen only manually.
Know the vulnerabilities of your devices
"The 'S' in 'IoT' stands for 'Security'."
-- from Grumpy Old Geeks Podcast
Are there any known security flaws in your internet-connected devices, especially devices you can't update ? For example, security cameras: article1, article2. And home Wi-Fi routers: article3.
For each of your devices, read the manual, and do some internet searches for "exploit/vulnerability/hack/problem MANUFACTURERNAME model NNN".
Are your devices getting updates from the manufacturer ? Are any of your devices past their end-of-life and now totally unsupported ?
Compromised devices can be threats in several ways:
- Can send your personal data out to somewhere on internet.
- Can attack other devices on your LAN.
- Can attack other devices on the internet (be part of a botnet).
Some of the simpler-looking devices (tablets) may be the most vulnerable, because you probably don't install anti-virus on them, and they may not get security updates. Yet they're in your trusted local network, and could attack other devices.
Rhett Jones's "A New Reason to Not Buy These Cheap Android Devices: Complimentary Malware"
Especially dangerous are all-in-one devices with multiple connections. A fax-modem-copier-printer-scanner may connect to both a phone line and to your LAN; a flaw could let an attack come in the phone line and onto the LAN. A simpler attack could exhaust your expensive toner cartridges. Is the firmware updatable ? Is the manufacturer known and providing updates ? Don't leave the device powered on 24/365 unless absolutely necessary. Or unplug it from phone line and/or LAN except when needed.
A smartphone probably is connected to both the cell data network and to your LAN; that's a potential vulnerability.
Game consoles seem to be fairly secure, from what I read. Since they're going to be sold for years and in hundreds of millions of units, and used to handle DRM and in-game purchases, I guess the manufacturers work hard to make them secure. Usually they communicate mostly to the manufacturer's central game servers, which are walled gardens. The biggest issue may be that they also provide communication services: what could other players say or send to your child as they're playing the game ?
Heard on a podcast: Nintendo is notorious for resetting your privacy options each time the software is updated; check the settings often.
Proton VPN's "The complete guide to online gaming privacy"
Interesting items from "Hackable?" podcasts:
Host invited hackers to attack his home LAN and devices. Some of the hackers were local (just outside his house), others were far away across the internet.
- Local hackers were able to set up a fake router with same Wi-Fi network name,
force all the LAN devices to reconnect, and they connected to the fake router.
Since many of those devices store the Wi-Fi password, that password was revealed
to the fake router.
- The admin credentials of the home router appeared in an old data breach,
and hadn't been changed since then.
- IoT devices on the LAN had various default or hard-coded admin credentials.
- Once onto the LAN, hackers were able to intercept traffic from security webcams that
were set to LAN-only and thus thought safe.
- Once onto the LAN, hackers were able to provide a MITM DNS, and redirect traffic
to send the user to a fake Facebook login page, and capture the login credentials.
- A fax/printer connected to a phone line was vulnerable to
some malicious document faxed to it. Then it was used to access documents
across the LAN and fax/send them out to the hackers.
YourThings Scorecard (evaluations of a number of common devices)
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"
Amyra Sheldon's "12 Ways To Enforce IoT Security In Your Smart House"
OWASP's "Internet of Things (IoT) Top 10 2018" (PDF)
Brian Krebs' "Some Basic Rules for Securing Your IoT Stuff"
Router Security's "Test Your Router" (also cameras, printers, etc)
Testing webcam / security camera from inside (LAN side):
Assuming camera's LAN IP address is 192.168.0.100:
192.168.0.100 /err.htm
192.168.0.100:10554
192.168.0.100:81
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
If test from LAN side gives suspicious results, investigate from WAN side.
Testing networked printer from inside (LAN side):
Assuming printer's LAN IP address is 192.168.0.100:
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But they shouldn't be exposed on the WAN side.
If test from LAN side gives suspicious results, investigate from WAN side.
Mobile devices are vectors for infection
Suppose you routinely carry your phone / tablet / laptop / USB stick from home to work and back, connecting to Wi-Fi or plugging in at each place. And your partner does the same with their devices and their work. And the kids carry devices from home to school and back, and to friend's houses, connecting to Wi-Fi in each place. Maybe some of you use Wi-Fi in fast-food places or hotels or something.
Any of these systems could carry malware from one network to another, if not properly protected and isolated.
A sophisticated attacker could try to take advantage of this situation. Suppose they want to get data from the corporation you work for. So they sit outside your house probing the Wi-Fi, and find your kid's phone is vulnerable. They use that to attack your laptop, get some malware onto the laptop, and the next day you take that laptop to work.
Segment, isolate, compartmentalize, protect, test. Don't assume that "inside the router" means "safe".
Similar connections occur if you access personal email or cloud storage from your work computer, or the kids access school email or group homework-project docs or their sports-team docs on a home computer. Malware can be copied from one place to the other.
Similar connections occur if you "sync" multiple machines, including your work and personal devices. Malware can be copied from one place to the other. Data (contacts, documents) that should stay on one side or the other could be copied across.
Public computers in print shops or internet cafes are the worst. Assume they are full of malware. Probably 3/4 of the times I've plugged a USB stick into a print shop computer to print an airline ticket, the stick has come back infected.
Would you know if your device was compromised ?
Set honeytraps on your devices:
- Alert if your files have been accessed by an intruder:
For example, create an attractive dummy file "ALL_MY_PASSWORDS.txt" in your root directory and then have a program alert you if anything accesses that file.
Raymond.cc's "10 Tools to Monitor Files and Folders for Changes in Real Time"
- Alert if someone uses Windows Explorer to look into a folder on your disk (if machine has internet access):
Use Canarytokens and select "Windows Folder" option. Also see "desktop.ini share + zip-files" in Canarytokens.org - Quick, Free, Detection for the Masses. But it works in any folder, not just ZIP-compressed folders. - For Linux, see
Honeypots section of my Using Linux page.
Have log-files:
- How can you turn on logging ?
- Is there anything useful in the logs ? Do they record logins, commands run, etc ?
Do you know how to read them and understand them ?
- Are the logs copied to somewhere else for storage ? (Called "log shipping".)
Otherwise an intruder could erase them.
Send with rsyslog, analyze with
LOGalyze or
LogAnalyzer ?
Or use a cloud service (Papertrail) ?
- How long are the logs kept ? How long a time-period do they cover ?
Routinely use a non-Administrator account
This issue is a bit overblown, for a desktop single-user machine. In such a situation, all the interesting files are owned by the non-admin user. The only added risks from compromise of the admin account would be that the attacker might be able to do privileged operations such as spying on all LAN traffic.
I think this issue is a bit overblown in Win10, also. If you install Win10 and only log in as "administrator", really what you're doing is running in an "administrator-capable" account. If you try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to click "yes" to achieve administrator privileges. If you're running in a "normal" user account and try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to type an administrator password to achieve administrator privileges.
Rick Rouse's "Why you should use a 'Standard' user account in Windows"
From someone on reddit, about Windows:
> If I already have my account as admin, is there a way to demote it?
Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.
All of this is done through the 'User accounts' control panel applet.
Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.
All of this is done through the 'User accounts' control panel applet.
Similar in Linux: use a normal user account, and "sudo" when you need to do something as root.
But see: xkcd's "Authorization"
Keep account security info up-to-date
If your bank or credit card company sends you a security alert, but they send it to your old dead email address or old postal address, it doesn't do any good.
If you have a login problem somewhere, and the web site says "no problem, verify by clicking link in your email", but they send it to your old dead email address, you're in trouble.
If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide.
Monitor your accounts for evidence of problems
At this point, there have been so many and such huge breaches (e.g. at OPM, Equifax, Anthem, more) that you should assume your Social Security number and DOB and credit-card info and email address have been stolen.
In some industries (e.g insurance), companies tend to share data with each other, or feed their data into a central brokerage. So a breach at one company you don't even use could expose your data that you gave to another company.
Alerts:
- Set Firefox Monitor
to monitor your email addresses.
- Set up Google Alerts about your email addresses.
Maybe also an alert on your home postal address ?
- Some services (such as Privacy.com, Transferwise) can be set to
send you an email every time a transaction occurs.
- Some of the credit-agencies may send you an email if a credit card is created or closed under your name.
- Maybe use an identity-theft warning service.
- The property registry in your town or county may support sending
an alert to you if anything is changed about your property (new mortgage, sale, title change).
See Check your accounts section of my Testing Your Security and Privacy page.
Report freezing:
Maybe freeze your credit (a "credit freeze" or "security freeze"; usually free to apply and maybe $5 to remove) or institute a fraud alert (free, but not as good). You don't want a "credit lock", which is a blanket term invented to cover a number of products.
US credit agencies: Equifax, Experian, TransUnion, Innovis, NCTUE, SageStream.
Jason Lloyd's "Why You Should Freeze Your Credit Report"
FTC's "What To Know About Credit Freezes and Fraud Alerts"
William Charles' "Two Credit Bureaus You Should Freeze Before You Apply For A U.S. Bank Credit Card"
AJ Dellinger's "Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online"
IntelTechniques' "Data Request Guide"
From Brian Krebs' "The Lowdown on Freezing Your Kid's Credit":
Some fans of my series explaining why I recommend that all adults place a freeze on their credit files
have commented that one reason they like the freeze is that they believe it stops the credit bureaus
from making tons of money tracking their financial histories and selling that data to other companies.
Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing,
dicing and selling your financial history to third parties; it just stops new credit accounts
from being opened in your name.
Also, a credit freeze does not prevent a background check (by govt or corporation etc) from getting your data.
Even if you have a credit freeze enabled, still check your credit reports every year or two, to make sure nothing incorrect or fraudulent appears on them. OTOH, if you intend to never take out a loan or otherwise need those accounts, maybe DON'T correct bad info, leave it to confuse the databases.
I think third-party credit-monitoring or fraud-alerting services may not be a good idea. If you consider using one, check their privacy policy to see if they will have the right to sell your data.
Freeze to avoid a thief opening a bank account in your name: ChexSystems
Probably best for you to open online access to each of your bank accounts, and secure the access properly, instead of leaving an opportunity for a thief to call the bank and enable online access.
Maybe freeze your salary/employment history report.
Salary/employment history agencies: Equifax Workforce Solutions (AKA The Work Number, AKA TALX), AccuSource, InVerify.
[I requested my TALX report. It only had the very last year of my work history (I retired almost 20 years ago), but it did have my employer, job title, and salary for that year.]
Alicia Adamczyk's "How to Review (and Dispute) the Salary Data Equifax Collects on You"
KrebsOnSecurity's "How to Opt Out of Equifax Revealing Your Salary History"
Get a report, but probably best not to try to freeze this: Early Warning (bank fraud organization; article). [Specify an email address that they already have on file. Apparently can't create an account from Europe or through VPN; may have to paper-mail form to them.]
European credit-reporting agencies:
Spain: Asnef-Equifax
Spain: RAI (Registro de Aceptaciones Impagadas)
Spain: Experian España
Spain: CIRBE
Germany: Schufa
UK: TransUnion / Callcredit
many more ...
Haven Mortgages' "Credit Bureaus Around the World" (PDF)
USA insurance-claims (CLUE) report:
Julia Kagan's "CLUE Report"
"Access Your LexisNexis Consumer Disclosure Report"
Bruce Schneier's "Protecting Yourself from Identity Theft"
Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"
Beth Skwarecki's "What Happens to Your Stolen Medical Data"
You can set a PIN on your IRS filings. But ID verification is tough, and you have to get a new PIN each year.
IRS's "Get An Identity Protection PIN (IP PIN)"
I think anyone can create an online account with the IRS, and better that you do it before some scammer does it for you:
IRS's "View Your Account Information"
New program ID.me ? Can use foreign phone number, but have to use US address that matches driver's license.
Apparently the US Post Office has a notification service where they send email to you when something is about to be delivered. You want to register for this before some bad actor does so in your name.
Creating an account before some bad actor does so in your name is called "planting your flag". Maybe do this with the credit-reporting agencies, IRS, USPS, SSA, your state's unemployment agency, your ISP, etc.
Brian Krebs' "Why & Where You Should Plant Your Flag"
FWDSD's "Why You Need to Plant Your Flag"
Sign up for your online US Social Security account (may require a trip to a SS office).
Carissa Ratanaphanyarat's "Your Social Security Number Was Stolen! Now What?"
Brian Krebs' "Crooks Hijack Retirement Funds Via SSA Portal"
When someone uses your public reputation to get jobs:
Relja Damnjanovic's "Freelancer Identity Theft: It Happened to Me - Here's What You Should Know"
The Markup's "What To Do if Denied Housing or Apartment Due to Inaccurate Background Report"
You can opt-out of some tracking:
Opting out of everything probably is impossible, and a game of Whack-A-Mole. But at least hit some of the top places.
If you're using a PO Box or PMB to hide your real address, probably don't opt-out in places where they have only your PO Box or PMB address. You want to have your data associated with that address, not your real location. All Things Secured article
Don't copy a standard opt-out request letter or email from some workbook, and send that to services. They're aware of standard formats, and ignore them. Instead, compose a request in your own words. Don't say you're doing it "for privacy", instead say your family has been getting strange phone calls giving personal information and threats, and is feeling endangered and stalked. Emphasize that you need your data removed from both their search results and their deeper listings.
Often the first response to a "remove my data" request is an automated response. Respond to it and repeat your request, maybe changing it a little.
Some opt-out services (on data-brokers, and on such services as Yahoo Mail) work by putting a cookie on your computer, telling their advertising code not to track you. But this conflicts with my desire to delete all cookies every time I close the browser.
A couple of US states have registries of data-brokers ( Vermont and California), so maybe you can use those to find opt-out addresses.
LexisNexis' "Individual Requests for Information Suppression Policy"
SageStream Opt Out
Acxiom Opt Out
Palantir privacy statement
World Privacy Forum's "Top Ten Opt Outs" (2015)
World Privacy Forum's "Data Brokers Opt Out List" (2013)
Yael Grauer's "Here's a Long List of Data Broker Sites and How to Opt-Out of Them"
yaelwrites / Big-Ass-Data-Broker-Opt-Out-List
Steven Melendez and Alex Pasternack's "Here are the data brokers quietly buying and selling your personal information"
Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
StopDataMining.me's "Opt Out List"
ParanoidsBible's "The Master Opt-Out List"
Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
Elizabeth Harper's "How to Remove Yourself From People Search Directories"
NotMyPlate.com - Stop parking apps from exposing your location
Alicia Adamczyk's "Run a Comprehensive Background Check on Yourself"
There are some mass-opt-out services, but they just store preferences in cookies in your browser, so if you delete cookies, your preferences are deleted:
EU: Your Online Choices
USA: WebChoices
Idea:
Instead of opt-out lists/sites, I'd like:
- A big comma-separated list of email addresses, so I can paste the whole list into the BCC field in my email client
and send one "please delete my info from your site" email to all of them in one operation.
[A version of this, but results are small: PrivacyBot. Requires a GMail address, and you're supposed to be a California resident. Sends email to N brokers requesting deletion. You could scrape the email addresses and send your own bulk message from a non-GMail account. But most results will be: "go to our opt-out web page", or "give proof of residency", or "we don't have info about you".] - A browser add-on or app that will let me push one button, and the add-on/app
will go to N opt-out web pages and fill in the forms to
tell each of them "please delete my info from your site".
From interesting audio podcast interview of a guy who runs people-search sites, The Complete Privacy & Security Podcast episode 071:
There are maybe 6 big players in the people-search industry ( Pipl's "Removal from Search Results", BeenVerified, Spokeo, TruthFinder, Radaris, MyLife, Intelius ), and a hundred subsidiaries/affiliates of them, and a hundred smaller competitors. And maybe 3000 web sites, owned by those companies. But they may create dozens of new web sites every week or month, trying to get into the top-ten results on Google Search.
Some of the companies make money through ads, but mostly they make money when someone views their free report and decides to subscribe to get their full report.
These companies are scraping data from everywhere: from each other, from govt, from companies such as real-estate agencies, from any account you create that allows sharing your data with third parties, etc. Some governments will sell driver's license data or car registration data. Utility companies (gas, water, electric, sewage, ISP) will sell your data (Unredacted Magazine issue 1 page 8).
Getting a company to "delete your record" is not best, because your info probably will flow back in from somewhere else a week or a month later, and they'll treat it as a new record because they no longer have a record of you. It's better to have them "block your info", so they keep a record but don't give it out (if they're ethical).
Disinformation can work, but it won't hide any real information, and you have to be consistent, using the same false info again and again, as many places as possible.
Name, address, phone are the key items used to correlate data from various places, but I'm sure SSN, DOB, credit-card number are used when available.
Some big services used by private investigators and law-enforcement: Tracers, TLO, IRBsearch.
Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
Kristen V Brown's "Deleting Your Online DNA Data Is Brutally Difficult"
Michael Bazzell's "Hiding from the Internet"
Wolfie Christl's "Corporate Surveillance in Everyday Life"
Michael Bazzell's "Credential Exposure Removal Guide" (remove/hide your info from data breach sites)
Remove phone and email from Facebook
Reece Rogers' "How to Remove Your Personal Info From Google's Search Results"
Removal services:
Abine DeleteMe ($130/year; review)
Removaly ($120/year)
Kanary ($90/year)
Incogni ($85/year)
IDX Privacy - Forget Me ($156/year; only does automated removals)
EasyOptOuts ($20/year; removes 3 times per year)
Comparison chart
Comparison article
Permisson Slip phone app
My experience with EasyOptOuts since 7/2022:
I first obtained a free report from Optery, to see what info about me was out there. Then used that info while signing up for EasyOptOuts.
EasyOptOuts says limited to current or recent US residents, and age 18+.
You don't set a username/password for your account, they just want your primary email address, I guess any authentication later will be done through that.
IIRC, at sign-up you can give:
- Nicknames, married name, and other alternatives to your official name.
- Up to 5 email addresses.
- Up to 5 phone numbers.
- Current postal address plus up to 3 more postal addresses.
- Names of up to 10 relatives.
They ask for year of birth but not day and month of birth.
They don't ask for SSN or driver's license or passport number.
They don't ask for web site address or social media account names.
I actually live in Spain now, but didn't give any of my Spain info, because it didn't show up in Optery, and also I think EasyOptOuts doesn't support international postal addresses.
I paid with a Privacy.com virtual card. PayPal or real credit card also supported. Without me specifying, this got set up as an automatic payment happening once/year.
Welcome email says first opting-out could take up to 2 weeks.
Got email the next day, saying they requested opt-outs for me, but some sites take up to 2 weeks to do it. Says:
- Found my data and requested opt-out: 119 sites.
- Didn't find my data and so did not request opt-out: 4 sites.
- Not searchable, so requested opt-out blindly: 7 sites.
[Note: in following, I am NOT using the EasyOptOuts list of sites. But so far, every site in Optery list also is in EasyOptOuts list.]
A day later, checked some of the sites listed in the Optery report (although I may not be searching exactly the way Optery was searching):
- FastPeopleSearch/Golookup: my info is gone !
- Intelius: info still there.
- ZabaSearch: info still there.
8 days after signing up, checked some of the sites listed in the Optery report:
- FastPeopleSearch/Golookup: my info is gone !
- Intelius: my info is gone !
- ZabaSearch: info still there.
- PeopleFinders: my info is gone !
- Advanced-People-Search: info still there.
- ClustrMaps: my info is gone !
- InstantCheckmate (don't do Save Report, it's for-pay): info still there.
- PrivateEye: info still there.
15 days after signing up, more from Optery report, didn't check sites previously clean:
- ZabaSearch: info still there.
- Advanced-People-Search: info still there.
- InstantCheckmate: info still there.
- PrivateEye: info still there.
- PublicRecordsNow: info still there.
- SearchPeopleFree: my info is gone !
- NewEnglandFacts: my info is gone !
- OnlineSearches: my info is gone !
4/26/2023 checked:
- FastPeopleSearch/Golookup: gone
- Intelius: gone
- PeopleFinders: gone
- ZabaSearch: gone
- Advanced-People-Search: gone
- PrivateEye: gone
- PublicRecordsNow: gone
- NewEnglandFacts: gone
- VeriPages: gone
- SearchQuarry: gone
- Dataveria: gone
If you're a victim of Identity Theft:
- Immediately report it to your banks and other financial companies. Cancel cards and get new ones.
- Immediately report it as "fraud alert" to one or more of the credit-reporting agencies.
- If you know or suspect how it was done, change password and/or make report to that source.
- Review past transactions going back a year or more; this may have been going on for a while.
Dispute any fraudulent charges, correct any wrong info on credit reports.
- Make a report to local police, even if they will do absolutely nothing about it and even if
the problem is entirely online, not local. You will be
putting a sworn statement on the record, and that will be useful to give to your banks, use in court, etc.
- File identity-theft report with FTC: IdentityTheft.gov
- Do items in the Report freezing section above, if you haven't done them already.
- Change important passwords, even if they may seem unrelated to this problem.
- Check social media postings to see if they could have revealed info used to create this problem.
- Get copies of your credit reports every couple of months for the foreseeable future.
Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"
Damon Kennedy's "What To Do If Your Identity Is Stolen"
OSINT Framework
Simplify your life
Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, Flickr, YouTube, 20 different online stores, etc ? Really need 5 credit cards and accounts at 5 banks ? Each one is a possible security or privacy problem.
Reduce, simplify. But you do need a backup email account, and a second bank account and debit card, IMO.
Be smart
Be aware of security threats, and don't fall for them. Know how to recognize spam, scams (composite scam), phishing attempts. False alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.
One way to think of it: be wary of any "incoming" stuff. Email you receive, SMS or WhatsApp texts you receive, Facebook posts or comments you receive, a USB drive you find on the ground, a USB drive given/mailed to you, a phone call you receive, software you download, a recommendation that you do or install something. "Incoming" == "potential threat".
Be wary of threats in search results. Lots of sites have been set up to provide "GMail Support phone number" or similar in search-engine results. But these big vendors with free services (Google, Facebook, WhatsApp, etc) deliberately do not HAVE a phone support number you can call. They have hundreds of millions or billions of free users; the LAST thing they want is for users to be able to call humans at their company. Any search result that gives you such a phone number is trying to connect you to a scammer. At best, they'll try to sell you something. At worst, they'll try to install ransomware, hijack your accounts, steal your money, and sell your information.
Be especially wary of downloading and running semi-legal stuff: game mods, overclocking software, cracked or cracking software, pirated stuff. These are more likely than usual to contain malware.
Check to see if a web site is suspect:
Scambunkers
Lenny Zeltser's "Tools for Looking up Potentially Malicious Websites"
When you see scams or spam or abuse, report them if you can. You may save someone else from getting scammed or abused.
PhishTank
StopBadware
Google's "Safe Browsing" (report links at bottom-right)
If something strange starts happening with your phone (service turned off, or lots of SMS messages, or requests to confirm transactions you didn't initiate), or similar in your email (requests to confirm transactions you didn't initiate), react immediately, don't let it slide. You may be under attack. Check your key accounts and devices. Call your bank and phone service provider. Run anti-virus scans. Don't panic, but check on things.
If you receive a 2FA code on your phone when you didn't try to login, someone may have your username and password for that account, or may have just your email address and requested a password-reset for that account. Check your account and probably you should change your password.
If you get a flood of messages, don't just click "accept" or something to make the flood stop. You may be confirming a password reset on your account. Read the messages carefully.
Sometimes a scammer will say they just sent a code to your phone, and you have to read it back to them to confirm your phone number. Don't do it ! They may have requested a password-reset for one of your accounts, and the code is coming from Google or Facebook or wherever the account is. If you give the code to the scammer, they'll take over your account.
Often a scammer in a controlled environment (dating site, or AirBNB, or EBay) will say "let's move to Discord" or some other site. They're trying to get you away from the rules and financial controls of the original site, to scam you.
If you're selling something, a scammer may send a fake payment confirmation to you. article
Apparently PayPal lets anyone send an invoice to you through PayPal, and it will look official. Gavin Anderegg's "A Novel PayPal Scam"
Common elements of a scam: gift cards, Western Union, time-pressure, reward too good to be true, keep it secret.
Phishing:
Phishing is when someone sends you something to trick you into giving away important information (such as your username and password, or credit card details).
Phishing attempts usually come through email, but also they could be done through Instant Messaging, chat, SMS, a Facebook post, a web page you find through searching, even paper mail.
People rightly are told to be suspicious of links and domain names. Be doubly suspicious of QR codes, which really just resolve to a link (URL). Don't just blindly scan a QR code and assume it sent you to a legit page.
My quiz about phishing emails to home users: Go to Phishing Test page 1 of 6
Google's "Phishing Quiz"
[I got only 6/8. I think that quiz proves that users need a LOT more help from browsers and email clients. Maybe email pages should have:
- A same-origin policy to require all email addresses and links to be in the same domain.
- An icon next to every URL so you can click and see the owner of the domain.
- Text of every link forced to match exactly the URL of the link.
SonicWall's "How is your Phishing IQ?"
PhishingBox's "Phishing Test"
OpenDNS's "Phishing Quiz"
WeLiveSecurity's phishing quiz (video)
ProProfs' "5kazen Quiz - Phishing Scams"
Tyler Omoth's "10 quick tips to identifying phishing emails"
Michael Horowitz's "Evaluating a phishing email"
Ask Leo's "7 Signs of Phishing to Watch For"
Wikipedia's "Phishing"
Send any suspect links or files to VirusTotal for checking. (Maybe also URLVoid or urlscan.io or Zscaler's Zulu or Trend Micro's "Site Safety Center" or Talos Intelligence or Hybrid Analysis or Joe Sandbox)
Report any suspicious emails to the company they're pretending to come from (e.g. phishing at paypal.com), or to your email provider, or to FTC Report Fraud.
Report any phishing or look-alike web sites to Google Safe Browsing or Microsoft SmartScreen or Netcraft Anti-Phishing or PhishTank.
Don't click on a link in the email to report it or say "no, I didn't request a password reset"; that link could be malicious.
A browser add-on that tries to protect you from look-alike domain names (e.g. "amaz0n.com"): Donkey Defender
Be especially careful in a big-money rushed situation such as closing a real-estate transaction (buying a house). A scammer may jump into the middle of the process and send you an email saying "okay, send the deposit money to bank account NNNNNNN, ASAP !". Always find out up front how and where the money will be transferred, and get it in writing. If there is any change, get the new info in person and in writing (or at least initiate a phone call to verify such things).
Don't copy/paste scripts or commands straight from an untrusted web page onto the shell/commandline. Instead copy/paste them into a text editor and see if they look the same. Then copy from there to shell if you wish. [Or in Firefox set dom.event.clipboardevents.enabled = false.] See Brian Tracy's "Don't Copy Paste Into A Shell" and example.
IP Logging:
Generally, clicking on a link is not enough to hurt you. Your browser will load a web page. There is a small chance that code on that page could find some vulnerability in your browser, if you haven't kept your software updated. But it's unlikely.
A bigger risk is that the page could fool you into doing something bad, such as giving your login credentials.
A valid risk is that the page could collect as much information as possible about you and your browser and machine, and send that information somewhere. At a minimum, it could record your IP address ("IP logging"). It could record what browser you're using, what OS you're using, etc. All the stuff listed in the Browser fingerprinting section.
If you're using a VPN, and have turned on privacy and anti-tracking settings in your browser, maybe there will not be much info. But suppose the link looks like something you really want to see ("we tried to deliver a package to you"), and the page says "blocked because you're using a VPN; turn off your VPN" ? You might do it. Then the attacker could find out more information.
Watch out for fleeceware apps or sites: subscriptions that say $10/year in big print and then $10/week next to the button where you're paying.
Watch out for ridiculously-priced items on web sites such as eBay or Craigslist. Some people buy things on Amazon for $20 and then put them for sale on eBay for $40 to see if anyone will bite.
Watch out for deceptive items for sale. It may look like they're selling a phone, when in fact they're selling a case for a phone or a model of a phone.
Max Eddy's "How To Protect Yourself From Social Engineering"
Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
Decent Security's "How Computers Get Infected"
Deceptive Design's "What is deceptive design?""
Watch out for accounts with open-ended financial commitments.
Jessica Wachtel's "It Happened to Me: How I Suddenly Owed AWS $13,000 ..."
"I got a strange email from you, your account must be hacked !":
This does not necessarily mean someone has been "hacked".
Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address
in A's Facebook profile. Then a scammer sends an email to A, with a few cosmetic changes to make it look like it
came from B, and saying "hey, this is B, check out this [dodgy] site" or something.
A says to B "I got a strange email from you, your account must be hacked !".
One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".
One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".
If you start getting a flood of junk emails from many sites, it could be that someone is harassing you, or it could be something more serious: If someone manages to break into your Amazon account, for example, and place an order, they might flood your InBox with junk so you overlook the real order confirmation email from Amazon.
Some scams work by trying to claim a special bond. We're members of the same religion or political party, for example.
And of course scams are not just online, they also can come via phone or snail-mail or in person.
Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"
FTC's "Phone Scams"
ACCC's "Scamwatch - Types of scams"
Jessica Truong's "5 Most Common Phone Scams"
If you get scammed, report it to local police. Sometimes scammers are fairly local, not in some faraway country. Sometimes police will be able to combine your info with that of other victims to see a pattern that you don't see.
Miscellaneous
Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
Consumer Reports' "Keep Your Data Secure With a Personalized Plan"
Proton VPN's "12 mistakes that can get your data hacked - and how to avoid them"
Decent Security's "Windows Security From The Ground Up"
Wired's "Guide to Digital Security"
Linux workstation security checklist
PRISM Break
Security-in-a-Box
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Jesse Smith's "Does physical access mean root access?"
Justin Carroll's "Thirty-Day Security Challenge"
Open Reference Architecture for Security and Privacy
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
Proton's "The Proton Mail guide to taking control of your online privacy"
Fried's "The Ultimate Guide to Online Privacy"
Michael Horowitz's "A Defensive Computing Checklist"
Lissy93 / personal-security-checklist
CISA's "Tips"
kaiiyer / rajappan's "Privacy Guides"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"
Physical security and preparation
- Is your computer on a stable surface with no exposed cables,
so it won't fall on the floor ? Does your phone have a case to protect it when (not if) you drop it ?
A screen-cover is a good idea too.
- Is your laptop's AC adapter secure,
so it won't fall on the floor, maybe damaging the power connector on the laptop ?
- Is your computer protected from power surges ? A
UPS
is better than a cheap extension-cord surge protector.
- Is your AC electricity properly grounded ?
- Is your computer protected from overheating ? This is very
important. Buy a fan-tray to put underneath it.
Don't ever set it on a bed or sofa or carpet to use it; you'll block the ventilation.
- Is your computer protected from liquids ? Both from someone spilling a coffee or soda on it,
and from rain coming in through an open window ? How about a pet going wild while you're sleeping ?
- Are your devices protected from the fingers of your toddler or the paws of your cat ? Maybe
tape cardboard flaps over power switches so one errant poke doesn't cause you grief. Maybe
knot/tie cables around something so a yank on the cable doesn't pull it out of the computer or damage the connector.
- How good are the locks on your house or apartment or car ?
What is the weakest point of entry ? Alarm system ?
Justin Carroll's "Basic Alarm System Best Practices" - Buy a cable-lock (about $15) for your laptop. Useful any time you need to leave the laptop
in your car, or in an AirBnB room or hotel room or dorm room, or briefly unattended in a cafe or library or at school.
Check the manual to see what kind of lock-slot your laptop has; there are several kinds
(Avram Piltch's "Laptop Lock Buying Guide: 5 Things You Need to Know").
- A fireproof "money and document bag" ($35 or so) or
small fireproof box or safe ($50 to $200) to store your backup drives ?
See "Fire Protection" section of my "Disaster Preparation" page. - Paper-shredder for documents you throw away.
- Deterrence: motion-activated lights, security-service sticker, alarm system, security cameras,
dog (or fake evidence of a dog).
Be careful with security cameras. There are laws about what they can record and how you have to notify about them. Always consider how they could be breached and used to spy on you. Keep them mainly on the exterior or entrances of your home, not on sensitive interior rooms. Do you want "alerting/monitoring" (able to see what is happening now, from work or something), or "evidence" (go back a day and see what happened) ? Maybe have two systems, one of each type, covering different areas. - Be aware that people can make a copy of your house-key if they can get a good photo of it.
For example: KeyMe.
- Disaster preparation. A huge field in its own right. Just a few tidbits:
- If the power goes out, how will you power your devices ?
- If the power goes out, will anything critical such as door-locks stop working ?
- If you never power down your various devices (phone, computer), test what happens if you do power them down: turn them off and back on. Do you know the passwords ?
- If your power hasn't failed in a long time, test what happens if it does go out: turn off all the power in your whole house and turn it back on.
- If you get evacuated, or cut off from your home, can you access electronic copies of your ID and medical documents ?
Almost Secure's "South Korea's online security dead end"