mirror of
https://github.com/Lissy93/personal-security-checklist.git
synced 2024-10-01 01:35:37 -04:00
1931 lines
92 KiB
YAML
1931 lines
92 KiB
YAML
- title: Authentication
|
||
slug: authentication
|
||
description: Securing your online account login credentials
|
||
icon: password
|
||
color: yellow
|
||
intro: >-
|
||
Most reported data breaches are caused by the use of weak, default or stolen passwords
|
||
(according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)).
|
||
Use long, strong and unique passwords, manage them in a secure password manager, enable
|
||
2-factor authentication, keep on top of breaches and take care while logging into your accounts.
|
||
checklist:
|
||
- point: Use a Strong Password
|
||
priority: Recommended
|
||
details: >-
|
||
If your password is too short, or contains dictionary words, places or names- then it can be easily
|
||
cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by
|
||
making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively,
|
||
use a password generator to create a long, strong random password. Have a play with
|
||
[HowSecureIsMyPassword.net](https://howsecureismypassword.net), to get an idea of how quickly common
|
||
passwords can be cracked. Read more about creating strong passwords:
|
||
[securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
|
||
|
||
- point: Don't reuse Passwords
|
||
priority: Recommended
|
||
details: >-
|
||
If someone was to reuse a password, and one site they had an account with suffered a leak, then a
|
||
criminal could easily gain unauthorized access to their other accounts. This is usually done through
|
||
large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all
|
||
too common, but it's simple to protect against- use a different password for each of your online accounts
|
||
|
||
- point: Use a Secure Password Manager
|
||
priority: Recommended
|
||
details: >-
|
||
For most people it is going to be near-impossible to remember hundreds of strong and unique passwords.
|
||
A password manager is an application that generates, stores and auto-fills your login credentials for you.
|
||
All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be
|
||
very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on,
|
||
your passwords can be auto-filled. A good all-rounder is [BitWarden](https://bitwarden.com), or see
|
||
[Recommended Password Managers](https://github.com/Lissy93/awesome-privacy#password-managers)
|
||
|
||
- point: Avoid sharing passwords
|
||
priority: Recommended
|
||
details: >-
|
||
While there may be times that you need to share access to an account with another person, you should
|
||
generally avoid doing this because it makes it easier for the account to become compromised. If you
|
||
absolutely do need to share a password for example when working on a team with a shared account this
|
||
should be done via features built into a password manager.
|
||
|
||
- point: Enable 2-Factor Authentication
|
||
priority: Recommended
|
||
details: >-
|
||
2FA is where you must provide both something you know (a password) and something you have (such as a
|
||
code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing,
|
||
malware or a data breach), they will not be able to log into your account. It's easy to get started,
|
||
download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication)
|
||
onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next
|
||
time you log in on a new device, you will be prompted for the code that displays in the app on your phone
|
||
(it works without internet, and the code usually changes every 30-seconds)
|
||
|
||
- point: Keep Backup Codes Safe
|
||
priority: Recommended
|
||
details: >-
|
||
When you enable multi-factor authentication, you will usually be given several codes that you can use if
|
||
your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or
|
||
unauthorized access. You should store these on paper or in a safe place on disk (e.g. in offline storage
|
||
or in an encrypted file/drive). Don't store these in your Password Manager as 2FA sources and passwords
|
||
and should be kept separately.
|
||
|
||
- point: Sign up for Breach Alerts
|
||
priority: Optional
|
||
details: >-
|
||
After a website suffers a significant data breach, the leaked data often ends up on the internet. There
|
||
are several websites that collect these leaked records, and allow you to search your email address to check
|
||
if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have I been pwned](https://haveibeenpwned.com)
|
||
and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your
|
||
email address appears in any new data sets. It is useful to know as soon as possible when this happens, so
|
||
that you can change your passwords for the affected accounts. Have I been pwned also has domain-wide
|
||
notification, where you can receive alerts if any email addresses under your entire domain appear (useful if
|
||
you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding))
|
||
|
||
- point: Shield your Password/ PIN
|
||
priority: Optional
|
||
details: >-
|
||
When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and
|
||
that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not
|
||
reveal any plain text passwords on screen
|
||
|
||
- point: Update Critical Passwords Periodically
|
||
priority: Optional
|
||
details: >-
|
||
Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere
|
||
online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing
|
||
that all your passwords are long, strong and unique, there is no need to do this too often- annually should be
|
||
sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes),
|
||
as it encourages colleagues to select weaker passwords
|
||
|
||
- point: Don’t save your password in browsers
|
||
priority: Optional
|
||
details: >-
|
||
Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are
|
||
not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated
|
||
password manager to store (and auto-fill) your passwords
|
||
|
||
- point: Avoid logging in on someone else’s device
|
||
priority: Optional
|
||
details: >-
|
||
Avoid logging on other people's computer, since you can't be sure their system is clean. Be especially cautious
|
||
of public machines, as malware and tracking is more common here. Using someone else's device is especially
|
||
dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a
|
||
private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request browser to not save your credentials,
|
||
cookies and browsing history.
|
||
|
||
- point: Avoid password hints
|
||
priority: Optional
|
||
details: >-
|
||
Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints
|
||
are mandatory use random answers and record them in password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`)
|
||
|
||
- point: Never answer online security questions truthfully
|
||
priority: Optional
|
||
details: >-
|
||
If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide
|
||
real answers. It is a trivial task for hackers to find out this information online or through social engineering.
|
||
Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than
|
||
random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
|
||
|
||
- point: Don’t use a 4-digit PIN
|
||
priority: Optional
|
||
details: >-
|
||
Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin.
|
||
Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
|
||
4-character alpha-numeric code)
|
||
|
||
- point: Avoid using SMS for 2FA
|
||
priority: Optional
|
||
details: >-
|
||
When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is
|
||
susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
|
||
and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone
|
||
number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when
|
||
you have signal, and can be slow. If a website or service requires the usage of a SMS number for recovery consider
|
||
purchasing a second pre-paid phone number only used for account recovery for these instances.
|
||
|
||
- point: Avoid using your PM to Generate OTPs
|
||
priority: Advanced
|
||
details: >-
|
||
Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager
|
||
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a
|
||
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop
|
||
|
||
- point: Avoid Face Unlock
|
||
priority: Advanced
|
||
details: >-
|
||
Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot
|
||
of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/)
|
||
and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password-
|
||
there are likely photos of your face on the internet, and videos recorded by surveillance cameras
|
||
|
||
- point: Watch out for Keyloggers
|
||
priority: Advanced
|
||
details: >-
|
||
A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between
|
||
your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server.
|
||
It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by
|
||
checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted
|
||
inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your
|
||
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password
|
||
manager can not be intercepted by a hardware keylogger.
|
||
|
||
- point: Consider a Hardware Token
|
||
priority: Advanced
|
||
details: >-
|
||
A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to
|
||
verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
|
||
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits,
|
||
since the browser communicates directly with the device and cannot be fooled as to which host is requesting
|
||
authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
|
||
a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key
|
||
somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
|
||
|
||
- point: Consider Offline Password Manager
|
||
priority: Advanced
|
||
details: >-
|
||
For increased security, an encrypted offline password manager will give you full control over your data.
|
||
[KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and
|
||
community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org)
|
||
(desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731)
|
||
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up,
|
||
and store it securely
|
||
|
||
- point: Consider Unique Usernames
|
||
priority: Advanced
|
||
details: >-
|
||
Having different passwords for each account is a good first step, but if you also use a unique username, email or
|
||
phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest
|
||
method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where
|
||
[anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see
|
||
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)). Usernames are easier,
|
||
since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated
|
||
through your VOIP provider
|
||
softwareLinks:
|
||
- title: Password Managers
|
||
url: https://github.com/Lissy93/awesome-privacy#password-managers
|
||
- title: 2-Factor Authentication
|
||
url: https://github.com/Lissy93/awesome-privacy#2-factor-authentication
|
||
|
||
- title: Web Browsing
|
||
slug: web-browsing
|
||
description: Avoiding tracking, censorship, and data collection online
|
||
icon: browser
|
||
intro: >-
|
||
Most websites on the internet will use some form of tracking, often to gain
|
||
insight into their users behaviour and preferences. This data can be incredibly
|
||
detailed, and so is extremely valuable to corporations, governments and intellectual
|
||
property thieves. Data breaches and leaks are common, and deanonymizing users web
|
||
activity is often a trivial task.
|
||
|
||
|
||
There are two primary methods of tracking; stateful (cookie-based), and stateless
|
||
(fingerprint-based). Cookies are small pieces of information, stored in your browser
|
||
with a unique ID that is used to identify you. Browser fingerprinting is a highly
|
||
accurate way to identify and track users wherever they go online. The information
|
||
collected is quite comprehensive, and often includes browser details, OS, screen
|
||
resolution, supported fonts, plugins, time zone, language and font preferences,
|
||
and even hardware configurations.
|
||
|
||
|
||
This section outlines the steps you can take, to be better protected from threats,
|
||
minimise online tracking and improve privacy.
|
||
checklist:
|
||
- point: Block Ads
|
||
priority: Recommended
|
||
details: >-
|
||
Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement.
|
||
[uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon,
|
||
developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to
|
||
track you, gathering personal information about you and your habits, which can then be sold, or used
|
||
to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages
|
||
load faster, uses less data and provides a less cluttered experience.
|
||
|
||
- point: Ensure Website is Legitimate
|
||
priority: Basic
|
||
details: >-
|
||
It may sound obvious, but when you logging into any online accounts, double check the URL is correct.
|
||
Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When
|
||
visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects,
|
||
on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url),
|
||
[IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search)
|
||
if you are unsure.
|
||
|
||
- point: Watch out for Browser Malware
|
||
priority: Basic
|
||
details: >-
|
||
Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects,
|
||
adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking,
|
||
don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware
|
||
include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons,
|
||
significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal
|
||
explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware),
|
||
[how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides)
|
||
and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal).
|
||
|
||
- point: Use a Privacy-Respecting Browser
|
||
priority: Recommended
|
||
details: >-
|
||
[Firefox](https://www.mozilla.org/en-US/firefox/new) (with a few tweaks) and [Brave](https://brave.com)
|
||
are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all
|
||
major operating systems. Your browser has access to everything that you do online, so if possible, avoid
|
||
Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data,
|
||
call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security,
|
||
for example - [arkenfox](https://github.com/arkenfox/user.js/wiki) or [12byte](https://12bytes.org/firefox-configuration-guide-for-privacy-freaks-and-performance-buffs/)'s
|
||
user.js configs. See more: [Privacy Browsers](https://github.com/Lissy93/awesome-privacy#browsers).
|
||
|
||
- point: Use a Private Search Engine
|
||
priority: Recommended
|
||
details: >-
|
||
Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not
|
||
logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com),
|
||
or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea)
|
||
tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10).
|
||
Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect
|
||
their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install)
|
||
to a privacy-respecting search engine.
|
||
|
||
- point: Remove Unnecessary Browser Addons
|
||
priority: Recommended
|
||
details: >-
|
||
Extensions are able to see, log or modify anything you do in the browser, and some innocent looking
|
||
browser apps, have malicious intentions. Websites can see which extensions you have installed, and may
|
||
use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome
|
||
web stores allow you to check what permissions/access rights an extension requires before you install it.
|
||
Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while.
|
||
|
||
- point: Keep Browser Up-to-date
|
||
priority: Recommended
|
||
details: >-
|
||
Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser)
|
||
and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can [see which browser
|
||
version you're using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/)
|
||
for instructions on how to update. Some browsers will auto-update to the latest stable version.
|
||
|
||
- point: Check for HTTPS
|
||
priority: Recommended
|
||
details: >-
|
||
If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore
|
||
be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let
|
||
the green padlock give you a false sense of security, just because a website has SSL certificate, does
|
||
not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere)
|
||
(developed by the [EFF](https://www.eff.org/)) used to be a browser extension/addon that automatically
|
||
enabled HTTPS on websites, but as of 2022 is now deprecated. In their [accouncement article](https://www.eff.org/)
|
||
the EFF explains that most browsers now integrate such protections. Additionally, it provides instructions
|
||
for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections.
|
||
|
||
- point: Use DNS-over-HTTPS
|
||
priority: Recommended
|
||
details: >-
|
||
Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and
|
||
manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS
|
||
resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted.
|
||
A popular option is Cloudflare's 1.1.1.1, or compare providers- it is simple to enable in-browser.
|
||
Note that DoH comes with its own issues, mostly preventing web filtering.
|
||
|
||
- point: Multi-Session Containers
|
||
priority: Recommended
|
||
details: >-
|
||
Compartmentalisation is really important to keep different aspects of your browsing separate. For
|
||
example, using different profiles for work, general browsing, social media, online shopping etc
|
||
will reduce the number associations that data brokers can link back to you. One option is to make
|
||
use of Firefox Containers which is designed exactly for this purpose. Alternatively, you could
|
||
use different browsers for different tasks (Brave, Firefox, Tor etc).
|
||
|
||
- point: Use Incognito
|
||
priority: Recommended
|
||
details: >-
|
||
When using someone else's machine, ensure that you're in a private/ incognito session. This will
|
||
prevent browser history, cookies and some data being saved, but is not fool-proof- you can still
|
||
be tracked.
|
||
|
||
- point: Understand Your Browser Fingerprint
|
||
priority: Recommended
|
||
details: >-
|
||
Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you
|
||
based on your device information. You can view your fingerprint at amiunique.org- The aim is to be
|
||
as un-unique as possible.
|
||
|
||
- point: Manage Cookies
|
||
priority: Recommended
|
||
details: >-
|
||
Clearing cookies regularly is one step you can take to help reduce websites from tracking you.
|
||
Cookies may also store your session token, which if captured, would allow someone to access your
|
||
accounts without credentials. To mitigate this you should clear cookies often.
|
||
|
||
- point: Block Third-Party Cookies
|
||
priority: Recommended
|
||
details: >-
|
||
Third-party cookies placed on your device by a website other than the one you’re visiting. This
|
||
poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains
|
||
how you can disable 3rd-party cookies, and you can check here ensure this worked.
|
||
|
||
- point: Block Third-Party Trackers
|
||
priority: Recommended
|
||
details: >-
|
||
Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in
|
||
the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced)
|
||
are all very effective, open source tracker-blockers available for all major browsers.
|
||
|
||
- point: Beware of Redirects
|
||
priority: Optional
|
||
details: >-
|
||
While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks,
|
||
it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check
|
||
where it forwards to with a tool like RedirectDetective.
|
||
|
||
- point: Do Not Sign Into Your Browser
|
||
priority: Optional
|
||
details: >-
|
||
Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across
|
||
devices. However this not only allows for further data collection, but also increases attack surface
|
||
through providing another avenue for a malicious actor to get hold of personal information.
|
||
|
||
- point: Disallow Prediction Services
|
||
priority: Optional
|
||
details: >-
|
||
Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill.
|
||
If this is enabled then data is sent to Google (or your default search engine) with every keypress,
|
||
rather than when you hit enter.
|
||
|
||
- point: Avoid G Translate for Webpages
|
||
priority: Optional
|
||
details: >-
|
||
When you visit a web page written in a foreign language, you may be prompted to install the Google Translate
|
||
extension. Be aware that Google collects all data (including input fields), along with details of the current
|
||
user. Instead use a translation service that is not linked to your browser.
|
||
|
||
- point: Disable Web Notifications
|
||
priority: Optional
|
||
details: >-
|
||
Browser push notifications are a common method for criminals to encourage you to click their link, since
|
||
it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications,
|
||
see this article.
|
||
|
||
- point: Disable Automatic Downloads
|
||
priority: Optional
|
||
details: >-
|
||
Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated
|
||
by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly.
|
||
|
||
- point: Disallow Access to Sensors
|
||
priority: Optional
|
||
details: >-
|
||
Mobile websites can tap into your device sensors without asking. If you grant these permissions to your
|
||
browser once, then all websites are able to use these capabilities, without permission or notification.
|
||
|
||
- point: Disallow Location
|
||
priority: Optional
|
||
details: >-
|
||
Location Services lets sites ask for your physical location to improve your experience. This should be
|
||
disabled in settings. Note that there are still other methods of determining your approximate location.
|
||
|
||
- point: Disallow Camera/ Microphone access
|
||
priority: Optional
|
||
details: >-
|
||
Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also
|
||
be beneficial to use physical protection such as a webcam cover and microphone blocker.
|
||
|
||
- point: Disable Browser Password Saves
|
||
priority: Optional
|
||
details: >-
|
||
Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed.
|
||
Instead use a password manager.
|
||
|
||
- point: Disable Browser Autofill
|
||
priority: Optional
|
||
details: >-
|
||
Turn off autofill for any confidential or personal details. This feature can be harmful if your browser
|
||
is compromised in any way. Instead, consider using your password manager's Notes feature.
|
||
|
||
- point: Protect from Exfil Attack
|
||
priority: Optional
|
||
details: >-
|
||
The CSS Exfiltrate attack is a method where credentials and other sensitive details can be snagged with
|
||
just pure CSS. You can stay protected, with the CSS Exfil Protection plugin.
|
||
|
||
- point: Deactivate ActiveX
|
||
priority: Optional
|
||
details: >-
|
||
ActiveX is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly
|
||
used anymore, but since it gives plugins intimate access rights, and can be dangerous, therefore you should
|
||
disable it.
|
||
|
||
- point: Disable WebRTC
|
||
priority: Optional
|
||
details: >-
|
||
WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the
|
||
browser. However it can pose as a privacy leak. To learn more, check out this guide.
|
||
|
||
- point: Spoof HTML5 Canvas Sig
|
||
priority: Optional
|
||
details: >-
|
||
Canvas Fingerprinting allows websites to identify and track users very accurately. You can use the
|
||
Canvas-Fingerprint-Blocker extension to spoof your fingerprint or use Tor.
|
||
|
||
- point: Spoof User Agent
|
||
priority: Optional
|
||
details: >-
|
||
The user agent tells the website what device, browser and version you are using. Switching user agent
|
||
periodically is one small step you can take to become less unique.
|
||
|
||
- point: Disregard DNT
|
||
priority: Optional
|
||
details: >-
|
||
Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since
|
||
it is rarely used, it may also add to your signature, making you more unique.
|
||
|
||
- point: Prevent HSTS Tracking
|
||
priority: Optional
|
||
details: >-
|
||
HSTS was designed to help secure websites, but privacy concerns have been raised as it allowed site
|
||
operators to plant super-cookies. It can be disabled by visiting chrome://net-internals/#hsts in
|
||
Chromium-based browsers.
|
||
|
||
- point: Prevent Automatic Browser Connections
|
||
priority: Optional
|
||
details: >-
|
||
Even when you are not using your browser, it may call home to report on usage activity, analytics and
|
||
diagnostics. You may wish to disable some of this, which can be done through the settings.
|
||
|
||
- point: Enable 1st-Party Isolation
|
||
priority: Optional
|
||
details: >-
|
||
First party isolation means that all identifier sources and browser state are scoped using the URL bar
|
||
domain, this can greatly reduce tracking.
|
||
|
||
- point: Strip Tracking Params from URLs
|
||
priority: Advanced
|
||
details: >-
|
||
Websites often append additional GET parameters to URLs that you click, to identify information like
|
||
source/referrer. You can sanitize manually, or use an extension like ClearUrls to strip tracking data
|
||
from URLs automatically.
|
||
|
||
- point: First Launch Security
|
||
priority: Advanced
|
||
details: >-
|
||
After installing a web browser, the first time you launch it (prior to configuring its privacy settings),
|
||
most browsers will call home. Therefore, after installing a browser, you should first disable your internet
|
||
connection, then configure privacy options before reenabling your internet connectivity.
|
||
|
||
- point: Use The Tor Browser
|
||
priority: Advanced
|
||
details: >-
|
||
The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping
|
||
users safe from interception and tracking. The main drawbacks are speed and user experience.
|
||
|
||
- point: Disable JavaScript
|
||
priority: Advanced
|
||
details: >-
|
||
Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience.
|
||
But if you really want to go all out, then it will really reduce your attack surface.
|
||
softwareLinks:
|
||
- title: Privacy Browsers
|
||
url: https://github.com/Lissy93/awesome-privacy#browsers
|
||
- title: Search Engines
|
||
utl: https://github.com/Lissy93/awesome-privacy#search-engines
|
||
- title: Browser Extensions
|
||
url: https://github.com/Lissy93/awesome-privacy#browser-extensions
|
||
- title: Browser & Bookmark Sync
|
||
url: https://github.com/Lissy93/awesome-privacy#browser-sync
|
||
color: emerald
|
||
|
||
- title: Email
|
||
slug: email
|
||
description: Protecting the gateway to your online accounts
|
||
icon: email
|
||
intro: >-
|
||
Nearly 50 years since the first email was sent, it's still very much a big part
|
||
of our day-to-day life, and will continue to be for the near future. So considering
|
||
how much trust we put in them, it's surprising how fundamentally insecure this
|
||
infrastructure is. Email-related fraud
|
||
[is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html),
|
||
and without taking basic measures you could be at risk.
|
||
|
||
|
||
If a hacker gets access to your emails, it provides a gateway for your other
|
||
accounts to be compromised (through password resets), therefore email security
|
||
is paramount for your digital safety.
|
||
|
||
|
||
The big companies providing "free" email service, don't have a good reputation
|
||
for respecting users privacy: Gmail was caught giving
|
||
[third parties full access](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442)
|
||
to user emails and also [tracking all of your purchases](https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html).
|
||
Yahoo was also caught scanning emails in real-time [for US surveillance agencies](http://news.trust.org/item/20161004170601-99f8c)
|
||
Advertisers [were granted access](https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers)
|
||
to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
|
||
|
||
checklist:
|
||
- point: Have more than one email address
|
||
priority: Recommended
|
||
details: >-
|
||
Consider using a different email address for security-critical communications from trivial mail such
|
||
as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach,
|
||
and also make it easier to recover a compromised account.
|
||
|
||
- point: Keep Email Address Private
|
||
priority: Recommended
|
||
details: >-
|
||
Do not share your primary email publicly, as mail addresses are often the starting point for most
|
||
phishing attacks.
|
||
|
||
- point: Keep your Account Secure
|
||
priority: Recommended
|
||
details: >-
|
||
Use a long and unique password, enable 2FA and be careful while logging in. Your email account
|
||
provides an easy entry point to all your other online accounts for an attacker.
|
||
|
||
- point: Disable Automatic Loading of Remote Content
|
||
priority: Recommended
|
||
details: >-
|
||
Email messages can contain remote content such as images or stylesheets, often automatically loaded
|
||
from the server. You should disable this, as it exposes your IP address and device information, and
|
||
is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download).
|
||
|
||
- point: Use Plaintext
|
||
priority: Optional
|
||
details: >-
|
||
There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred
|
||
for privacy & security as HTML messages often include identifiers in links and inline images, which can
|
||
collect usage and personal data. There's also numerous risks of remote code execution targeting the HTML
|
||
parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well
|
||
as setup instructions for your mail provider, see [UsePlaintext.email](https://useplaintext.email/).
|
||
|
||
- point: Don’t connect third-party apps to your email account
|
||
priority: Optional
|
||
details: >-
|
||
If you give a third-party app or plug-in full access to your inbox, they effectively have full unhindered
|
||
access to all your emails and their contents, which poses significant security and privacy risks.
|
||
|
||
- point: Don't Share Sensitive Data via Email
|
||
priority: Optional
|
||
details: >-
|
||
Emails are very easily intercepted. Furthermore, you can’t be sure of how secure your recipient's
|
||
environment is. Therefore, emails cannot be considered safe for exchanging confidential information,
|
||
unless it is encrypted.
|
||
|
||
- point: Consider Switching to a Secure Mail Provider
|
||
priority: Optional
|
||
details: >-
|
||
Secure and reputable email providers such as Forward Email, ProtonMail, and Tutanota allow for end-to-end
|
||
encryption, full privacy as well as more security-focused features. Unlike typical email providers, your
|
||
mailbox cannot be read by anyone but you, since all messages are encrypted.
|
||
|
||
- point: Use Smart Key
|
||
priority: Advanced
|
||
details: >-
|
||
OpenPGP does not support Forward secrecy, which means if either your or the recipient's private key is
|
||
ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great
|
||
care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt
|
||
messages, allowing you to do so without your private key leaving the USB device.
|
||
|
||
- point: Use Aliasing / Anonymous Forwarding
|
||
priority: Advanced
|
||
details: >-
|
||
Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox.
|
||
Effectively allowing you to use a different, unique email address for each service you sign up for. This means
|
||
if you start receiving spam, you can block that alias and determine which company leaked your email address.
|
||
|
||
- point: Subaddressing
|
||
priority: Optional
|
||
details: >-
|
||
An alternative to aliasing is subaddressing, where anything after the `+` symbol is omitted during mail delivery.
|
||
This enables you to keep track of who shared/ leaked your email address, but unlike aliasing, it will not protect
|
||
against your real address being revealed.
|
||
|
||
- point: Use a Custom Domain
|
||
priority: Advanced
|
||
details: >-
|
||
Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can
|
||
easily switch providers in the future and do not need to worry about a service being discontinued.
|
||
|
||
- point: Sync with a client for backup
|
||
priority: Advanced
|
||
details: >-
|
||
To avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or
|
||
account lock), Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your
|
||
primary device.
|
||
|
||
- point: Be Careful with Mail Signatures
|
||
priority: Advanced
|
||
details: >-
|
||
You do not know how secure of an email environment the recipient of your message may have. There are several
|
||
extensions that automatically crawl messages, and create a detailed database of contact information based upon
|
||
email signatures.
|
||
|
||
- point: Be Careful with Auto-Replies
|
||
priority: Advanced
|
||
details: >-
|
||
Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all
|
||
too often people reveal too much information- which can be used in social engineering and targeted attacks.
|
||
|
||
- point: Choose the Right Mail Protocol
|
||
priority: Advanced
|
||
details: >-
|
||
Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
|
||
|
||
- point: Self-Hosting
|
||
priority: Advanced
|
||
details: >-
|
||
Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is
|
||
critical yet requires strong networking knowledge.
|
||
|
||
- point: Always use TLS Ports
|
||
priority: Advanced
|
||
details: >-
|
||
There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely
|
||
supported so should always be used instead of plaintext email ports.
|
||
|
||
- point: DNS Availability
|
||
priority: Advanced
|
||
details: >-
|
||
For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with
|
||
secondary and tertiary MX records for redundancy when the primary MX record fails.
|
||
|
||
- point: Prevent DDoS and Brute Force Attacks
|
||
priority: Advanced
|
||
details: >-
|
||
For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum
|
||
connection rate to reduce the impact of attempted bot attacks.
|
||
|
||
- point: Maintain IP Blacklist
|
||
priority: Advanced
|
||
details: >-
|
||
For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date
|
||
local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks.
|
||
color: teal
|
||
softwareLinks:
|
||
- title: Secure Email Providers
|
||
url: https://github.com/Lissy93/awesome-privacy#encrypted-email
|
||
- title: Mail Forwarding
|
||
url: https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding
|
||
- title: Pre-Configured Mail Servers
|
||
url: https://github.com/Lissy93/awesome-privacy#pre-configured-mail-servers
|
||
- title: Email Clients
|
||
url: https://github.com/Lissy93/awesome-privacy#email-clients
|
||
|
||
- title: Messaging
|
||
slug: messaging
|
||
description: Keeping your communications private and secure
|
||
icon: messaging
|
||
intro: ''
|
||
checklist:
|
||
- point: Only Use Fully End-to-End Encrypted Messengers
|
||
priority: Recommended
|
||
details: >-
|
||
End-to-end encryption is a system of communication where messages are encrypted on your device and
|
||
not decrypted until they reach the intended recipient. This ensures that any actor who intercepts
|
||
traffic cannot read the message contents, nor can anybody with access to the central servers where
|
||
data is stored.
|
||
|
||
- point: Use only Open Source Messaging Platforms
|
||
priority: Recommended
|
||
details: >-
|
||
If code is open source then it can be independently examined and audited by anyone qualified to do
|
||
so, to ensure that there are no backdoors, vulnerabilities, or other security issues.
|
||
|
||
- point: Use a "Trustworthy" Messaging Platform
|
||
priority: Recommended
|
||
details: >-
|
||
When selecting an encrypted messaging app, ensure it's fully open source, stable, actively maintained,
|
||
and ideally backed by reputable developers.
|
||
|
||
- point: Check Security Settings
|
||
priority: Recommended
|
||
details: >-
|
||
Enable security settings, including contact verification, security notifications, and encryption.
|
||
Disable optional non-security features such as read receipt, last online, and typing notification.
|
||
|
||
- point: Ensure your Recipients Environment is Secure
|
||
priority: Recommended
|
||
details: >-
|
||
Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a
|
||
communications channel is to target the individual or node with the least protection.
|
||
|
||
- point: Disable Cloud Services
|
||
priority: Recommended
|
||
details: >-
|
||
Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface but
|
||
it has been linked to several critical security issues, and should therefore be avoided, if possible.
|
||
|
||
- point: Secure Group Chats
|
||
priority: Recommended
|
||
details: >-
|
||
The risk of compromise rises exponentially, the more participants are in a group, as the attack surface
|
||
increases. Periodically check that all participants are legitimate.
|
||
|
||
- point: Create a Safe Environment for Communication
|
||
priority: Recommended
|
||
details: >-
|
||
There are several stages where your digital communications could be monitored or intercepted. This includes:
|
||
your or your participants' device, your ISP, national gateway or government logging, the messaging provider,
|
||
the servers.
|
||
|
||
- point: Agree on a Communication Plan
|
||
priority: Optional
|
||
details: >-
|
||
In certain situations, it may be worth making a communication plan. This should include primary and backup
|
||
methods of securely getting in hold with each other.
|
||
|
||
- point: Strip Meta-Data from Media
|
||
priority: Optional
|
||
details: >-
|
||
Metadata is "Data about Data" or additional information attached to a file or transaction. When you send a
|
||
photo, audio recording, video, or document you may be revealing more than you intended to.
|
||
|
||
- point: Defang URLs
|
||
priority: Optional
|
||
details: >-
|
||
Sending links via various services can unintentionally expose your personal information. This is because,
|
||
when a thumbnail or preview is generated- it happens on the client-side.
|
||
|
||
- point: Verify your Recipient
|
||
priority: Optional
|
||
details: >-
|
||
Always ensure you are talking to the intended recipient, and that they have not been compromised. One method
|
||
for doing so is to use an app which supports contact verification.
|
||
|
||
- point: Enable Ephemeral Messages
|
||
priority: Optional
|
||
details: >-
|
||
Self-destructing messages is a feature that causes your messages to automatically delete after a set amount
|
||
of time. This means that if your device is lost, stolen, or seized, an adversary will only have access to the
|
||
most recent communications.
|
||
|
||
- point: Avoid SMS
|
||
priority: Optional
|
||
details: >-
|
||
SMS may be convenient, but it's not secure. It is susceptible to threats such as interception, sim swapping,
|
||
manipulation, and malware.
|
||
|
||
- point: Watch out for Trackers
|
||
priority: Optional
|
||
details: >-
|
||
Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very
|
||
invasive, and can sometimes reveal your identity as well as personal information that you would otherwise not
|
||
intend to share.
|
||
|
||
- point: Consider Jurisdiction
|
||
priority: Advanced
|
||
details: >-
|
||
The jurisdictions where the organisation is based, and data is hosted should also be taken into account.
|
||
|
||
- point: Use an Anonymous Platform
|
||
priority: Advanced
|
||
details: >-
|
||
If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require
|
||
a phone number, or any other personally identifiable information to sign up or use.
|
||
|
||
- point: Ensure Forward Secrecy is Supported
|
||
priority: Advanced
|
||
details: >-
|
||
Opt for a platform that implements forward secrecy. This is where your app generates a new encryption key
|
||
for every message.
|
||
|
||
- point: Consider a Decentralized Platform
|
||
priority: Advanced
|
||
details: >-
|
||
If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot
|
||
verify that the system running is authentic without back doors.
|
||
softwareLinks:
|
||
- title: Secure Messaging Apps
|
||
url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging
|
||
- title: P2P Messaging Platforms
|
||
url: https://github.com/Lissy93/awesome-privacy#p2p-messaging
|
||
color: cyan
|
||
|
||
|
||
- title: Social Media
|
||
slug: social-media
|
||
description: Minimizing the risks associated with using online communities
|
||
icon: social
|
||
intro: >
|
||
Online communities have existed since the invention of the internet, and give
|
||
people around the world the opportunity to connect, communicate and share.
|
||
Although these networks are a great way to promote social interaction and
|
||
bring people together, that have a dark side - there are some serious
|
||
[Privacy Concerns with Social Networking Services](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services),
|
||
and these social networking sites are owned by private corporations,
|
||
and that they make their money by collecting data about individuals and
|
||
selling that data on, often to third party advertisers.
|
||
|
||
Secure your account, lock down your privacy settings, but know that even
|
||
after doing so, all data intentionally and non-intentionally uploaded is
|
||
effectively public. If possible, avoid using conventional social media networks.
|
||
checklist:
|
||
- point: Secure your Account
|
||
priority: Recommended
|
||
details: >-
|
||
Social media profiles get stolen or taken over all too often. To protect your account: use a unique
|
||
and strong password, and enable 2-factor authentication.
|
||
|
||
- point: Check Privacy Settings
|
||
priority: Recommended
|
||
details: >-
|
||
Most social networks allow you to control your privacy settings. Ensure that you are comfortable with
|
||
what data you are currently exposing and to whom.
|
||
|
||
- point: Think of All Interactions as Public
|
||
priority: Recommended
|
||
details: >-
|
||
There are still numerous methods of viewing a users 'private' content across many social networks.
|
||
Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
|
||
|
||
- point: Think of All Interactions as Permanent
|
||
priority: Recommended
|
||
details: >-
|
||
Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party
|
||
services, who archive this data and make it indexable and publicly available almost forever.
|
||
|
||
- point: Don't Reveal too Much
|
||
priority: Recommended
|
||
details: >-
|
||
Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize
|
||
phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc).
|
||
|
||
- point: Be Careful what you Upload
|
||
priority: Recommended
|
||
details: >-
|
||
Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended
|
||
them to. This is especially relevant to photos and videos, which may show things in the background.
|
||
|
||
- point: Don't Share Email or Phone Number
|
||
priority: Recommended
|
||
details: >-
|
||
Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to
|
||
use against you, and can also allow separate aliases, profiles or data points to be connected.
|
||
|
||
- point: Don't Grant Unnecessary Permissions
|
||
priority: Recommended
|
||
details: >-
|
||
By default many of the popular social networking apps will ask for permission to access your contacts,
|
||
call log, location, messaging history etc. If they don’t need this access, don’t grant it.
|
||
|
||
- point: Be Careful of 3rd-Party Integrations
|
||
priority: Recommended
|
||
details: >-
|
||
Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer
|
||
use.
|
||
|
||
- point: Avoid Publishing Geo Data while still Onsite
|
||
priority: Recommended
|
||
details: >-
|
||
If you plan to share any content that reveals a location, then wait until you have left that place.
|
||
This is particularly important when you are taking a trip, at a restaurant, campus, hotel/resort, public
|
||
building or airport.
|
||
|
||
- point: Remove metadata before uploading media
|
||
priority: Optional
|
||
details: >-
|
||
Most smartphones and some cameras automatically attach a comprehensive set of additional data (called
|
||
EXIF data) to each photograph. Remove this data before uploading.
|
||
|
||
- point: Implement Image Cloaking
|
||
priority: Advanced
|
||
details: >-
|
||
Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a
|
||
way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize
|
||
a given face.
|
||
|
||
- point: Consider Spoofing GPS in home vicinity
|
||
priority: Advanced
|
||
details: >-
|
||
Even if you yourself never use social media, there is always going to be others who are not as careful,
|
||
and could reveal your location.
|
||
|
||
- point: Consider False Information
|
||
priority: Advanced
|
||
details: >-
|
||
If you just want to read, and do not intend on posting too much- consider using an alias name, and false
|
||
contact details.
|
||
|
||
- point: Don’t have any social media accounts
|
||
priority: Advanced
|
||
details: >-
|
||
Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any
|
||
mainstream social networks.
|
||
|
||
softwareLinks:
|
||
- title: Alternative Social Media
|
||
url: https://github.com/Lissy93/awesome-privacy#social-networks
|
||
- title: Alternative Video Platforms
|
||
url: https://github.com/Lissy93/awesome-privacy#video-platforms
|
||
- title: Alternative Blogging Platforms
|
||
url: https://github.com/Lissy93/awesome-privacy#blogging-platforms
|
||
- title: News Readers and Aggregation
|
||
url: https://github.com/Lissy93/awesome-privacy#news-readers-and-aggregation
|
||
color: blue
|
||
|
||
|
||
- title: Networks
|
||
slug: networks
|
||
description: Safeguarding your network traffic
|
||
icon: network
|
||
intro: >
|
||
This section covers how you connect your devices to the internet securely,
|
||
including configuring your router and setting up a VPN.
|
||
checklist:
|
||
- point: Use a VPN
|
||
priority: Recommended
|
||
details: >-
|
||
Use a reputable, paid-for VPN. This can help protect sites you visit from logging your real IP, reduce
|
||
the amount of data your ISP can collect, and increase protection on public WiFi.
|
||
|
||
- point: Change your Router Password
|
||
priority: Recommended
|
||
details: >-
|
||
After getting a new router, change the password. Default router passwords are publicly available,
|
||
meaning anyone within proximity would be able to connect.
|
||
|
||
- point: Use WPA2, and a strong password
|
||
priority: Recommended
|
||
details: >-
|
||
There are different authentication protocols for connecting to WiFi. Currently, the most secure options
|
||
are WPA2 and WPA3 (on newer routers).
|
||
|
||
- point: Keep router firmware up-to-date
|
||
priority: Recommended
|
||
details: >-
|
||
Manufacturers release firmware updates that fix security vulnerabilities, implement new standards, and
|
||
sometimes add features or improve the performance of your router.
|
||
|
||
- point: Implement a Network-Wide VPN
|
||
priority: Optional
|
||
details: >-
|
||
If you configure your VPN on your router, firewall, or home server, then traffic from all devices will
|
||
be encrypted and routed through it, without needing individual VPN apps.
|
||
|
||
- point: Protect against DNS leaks
|
||
priority: Optional
|
||
details: >-
|
||
When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or
|
||
secure service.
|
||
|
||
- point: Use a secure VPN Protocol
|
||
priority: Optional
|
||
details: >-
|
||
OpenVPN and WireGuard are open source, lightweight, and secure tunneling protocols. Avoid using PPTP
|
||
or SSTP.
|
||
|
||
- point: Secure DNS
|
||
priority: Optional
|
||
details: >-
|
||
Use DNS-over-HTTPS which performs DNS resolution via the HTTPS protocol, encrypting data between you
|
||
and your DNS resolver.
|
||
|
||
- point: Avoid the free router from your ISP
|
||
priority: Optional
|
||
details: >-
|
||
Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't
|
||
receive regular security updates.
|
||
|
||
- point: Whitelist MAC Addresses
|
||
priority: Optional
|
||
details: >-
|
||
You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately
|
||
connect to your network, even if they know your credentials.
|
||
|
||
- point: Change the Router’s Local IP Address
|
||
priority: Optional
|
||
details: >-
|
||
It is possible for a malicious script in your web browser to exploit a cross-site scripting vulnerability,
|
||
accessing known-vulnerable routers at their local IP address and tampering with them.
|
||
|
||
- point: Don't Reveal Personal Info in SSID
|
||
priority: Optional
|
||
details: >-
|
||
You should update your network name, choosing an SSID that does not identify you, include your flat
|
||
number/address, and does not specify the device brand/model.
|
||
|
||
- point: Opt-Out Router Listings
|
||
priority: Optional
|
||
details: >-
|
||
WiFi SSIDs are scanned, logged, and then published on various websites, which is a serious privacy
|
||
concern for some.
|
||
|
||
- point: Hide your SSID
|
||
priority: Optional
|
||
details: >-
|
||
Your router's Service Set Identifier is simply the network name. If it is not visible, it may receive
|
||
less abuse.
|
||
|
||
- point: Disable WPS
|
||
priority: Optional
|
||
details: >-
|
||
Wi-Fi Protected Setup provides an easier method to connect, without entering a long WiFi password, but
|
||
WPS introduces a series of major security issues.
|
||
|
||
- point: Disable UPnP
|
||
priority: Optional
|
||
details: >-
|
||
Universal Plug and Play allows applications to automatically forward a port on your router, but it has
|
||
a long history of serious security issues.
|
||
|
||
- point: Use a Guest Network for Guests
|
||
priority: Optional
|
||
details: >-
|
||
Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other
|
||
devices on the network.
|
||
|
||
- point: Change your Router's Default IP
|
||
priority: Optional
|
||
details: >-
|
||
Modifying your router admin panel's default IP address will make it more difficult for malicious scripts
|
||
targeting local IP addresses.
|
||
|
||
- point: Kill unused processes and services on your router
|
||
priority: Optional
|
||
details: >-
|
||
Services like Telnet and SSH that provide command-line access to devices should never be exposed to the
|
||
internet and should also be disabled on the local network unless they're actually needed.
|
||
|
||
- point: Don't have Open Ports
|
||
priority: Optional
|
||
details: >-
|
||
Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers.
|
||
|
||
- point: Disable Unused Remote Access Protocols
|
||
priority: Optional
|
||
details: >-
|
||
When protocols such as PING, Telnet, SSH, UPnP, and HNAP etc are enabled, they allow your router to be
|
||
probed from anywhere in the world.
|
||
|
||
- point: Disable Cloud-Based Management
|
||
priority: Optional
|
||
details: >-
|
||
You should treat your router's admin panel with the utmost care, as considerable damage can be caused
|
||
if an attacker is able to gain access.
|
||
|
||
- point: Manage Range Correctly
|
||
priority: Optional
|
||
details: >-
|
||
It's common to want to pump your router's range to the max, but if you reside in a smaller flat, your
|
||
attack surface is increased when your WiFi network can be picked up across the street.
|
||
|
||
- point: Route all traffic through Tor
|
||
priority: Advanced
|
||
details: >-
|
||
VPNs have their weaknesses. For increased security, route all your internet traffic through the Tor
|
||
network.
|
||
|
||
- point: Disable WiFi on all Devices
|
||
priority: Advanced
|
||
details: >-
|
||
Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and
|
||
connect each device via Ethernet.
|
||
color: violet
|
||
softwareLinks:
|
||
- title: Virtual Private Networks
|
||
url: https://github.com/Lissy93/awesome-privacy#virtual-private-networks
|
||
- title: Mix Networks
|
||
url: https://github.com/Lissy93/awesome-privacy#mix-networks
|
||
- title: Router Firmware
|
||
url: https://github.com/Lissy93/awesome-privacy#router-firmware
|
||
- title: Open Source Proxies
|
||
url: https://github.com/Lissy93/awesome-privacy#proxies
|
||
- title: DNS Providers
|
||
url: https://github.com/Lissy93/awesome-privacy#dns
|
||
- title: Firewalls
|
||
url: https://github.com/Lissy93/awesome-privacy#firewalls
|
||
- title: Network Analysis Tools
|
||
url: https://github.com/Lissy93/awesome-privacy#network-analysis
|
||
- title: Self-Hosted Network Security Tools
|
||
url: https://github.com/Lissy93/awesome-privacy#self-hosted-network-security
|
||
|
||
|
||
- title: Mobile Devices
|
||
slug: mobile-devices
|
||
description: Reduce invasive tracking for cells, smartphones and tablets
|
||
icon: mobile
|
||
intro: >
|
||
Smart phones have revolutionized so many aspects of life and brought the world
|
||
to our fingertips. For many of us, smart phones are our primary means of communication,
|
||
entertainment and access to knowledge. But while they've brought convenience
|
||
to whole new level, there's some ugly things going on behind the screen.
|
||
|
||
Geo-tracking is used to trace our every move, and we have little control over
|
||
who has this data- your phone is even able to
|
||
[track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371).
|
||
Over the years numerous reports that surfaced, outlining ways in which your
|
||
phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html),
|
||
and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent.
|
||
And then there's the malicious apps, lack of security patches and potential/ likely backdoors.
|
||
|
||
Using a smart phone generates a lot of data about you- from information you
|
||
intentionally share, to data silently generated from your actions.
|
||
It can be scary to see what Google, Microsoft, Apple and Facebook know about
|
||
us- sometimes they know more than our closest family. It's hard to comprehend
|
||
what your data will reveal, especially in conjunction with other data.
|
||
|
||
This data is used for
|
||
[far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) -
|
||
more often it's used to rate people for finance, insurance and employment.
|
||
Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu))
|
||
|
||
More of us are concerned about how
|
||
[governments use collect and use our smart phone data](https://www.statista.com/statistics/373916/global-opinion-online-monitoring-government/),
|
||
and rightly so, federal agencies often
|
||
[request our data from Google](https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/),
|
||
[Facebook](https://www.statista.com/statistics/287845/global-data-requests-from-facebook-by-federal-agencies-and-governments/),
|
||
Apple, Microsoft, Amazon, and other tech companies. Sometimes requests are
|
||
made in bulk, returning detailed information on everybody within a certain geo-fence,
|
||
[often for innocent people](https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html).
|
||
And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to.
|
||
checklist:
|
||
- point: Encrypt your Device
|
||
priority: Recommended
|
||
details: >-
|
||
In order to keep your data safe from physical access, use file encryption. This will mean if your
|
||
device is lost or stolen, no one will have access to your data.
|
||
|
||
- point: Turn off connectivity features that aren’t being used
|
||
priority: Recommended
|
||
details: >-
|
||
When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats
|
||
that utilise these features.
|
||
|
||
- point: Keep app count to a minimum
|
||
priority: Recommended
|
||
details: >-
|
||
Uninstall apps that you don’t need or use regularly. As apps often run in the background, slowing your
|
||
device down, but also collecting data.
|
||
|
||
- point: App Permissions
|
||
priority: Recommended
|
||
details: >-
|
||
Don’t grant apps permissions that they don’t need. For Android, Bouncer is an app that allows you to grant
|
||
temporary/ 1-off permissions.
|
||
|
||
- point: Only install Apps from official source
|
||
priority: Recommended
|
||
details: >-
|
||
Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them
|
||
less likely to be malicious.
|
||
|
||
- point: Be Careful of Phone Charging Threats
|
||
priority: Optional
|
||
details: >-
|
||
Juice Jacking is when hackers use public charging stations to install malware on your smartphone or tablet
|
||
through a compromised USB port.
|
||
|
||
- point: Set up a mobile carrier PIN
|
||
priority: Recommended
|
||
details: >-
|
||
SIM hijacking is when a hacker is able to get your mobile number transferred to their sim. The easiest way
|
||
to protect against this is to set up a PIN through your mobile provider.
|
||
|
||
- point: Opt-out of Caller ID Listings
|
||
priority: Optional
|
||
details: >-
|
||
To keep your details private, you can unlist your number from caller ID apps like TrueCaller, CallApp, SyncMe,
|
||
and Hiya.
|
||
|
||
- point: Use Offline Maps
|
||
priority: Optional
|
||
details: >-
|
||
Consider using an offline maps app, such as OsmAnd or Organic Maps, to reduce data leaks from map apps.
|
||
|
||
- point: Opt-out of personalized ads
|
||
priority: Optional
|
||
details: >-
|
||
You can slightly reduce the amount of data collected by opting-out of seeing personalized ads.
|
||
|
||
- point: Erase after too many login attempts
|
||
priority: Optional
|
||
details: >-
|
||
To protect against an attacker brute forcing your pin, set your device to erase after too many failed
|
||
login attempts.
|
||
|
||
- point: Monitor Trackers
|
||
priority: Optional
|
||
details: >-
|
||
εxodus is a great service which lets you search for any app and see which trackers are embedded in it.
|
||
|
||
- point: Use a Mobile Firewall
|
||
priority: Optional
|
||
details: >-
|
||
To prevent applications from leaking privacy-sensitive data, you can install a firewall app.
|
||
|
||
- point: Reduce Background Activity
|
||
priority: Optional
|
||
details: >-
|
||
For Android, SuperFreeze makes it possible to entirely freeze all background activities on a per-app basis.
|
||
|
||
- point: Sandbox Mobile Apps
|
||
priority: Optional
|
||
details: >-
|
||
Prevent permission-hungry apps from accessing your private data with Island, a sandbox environment.
|
||
|
||
- point: Tor Traffic
|
||
priority: Advanced
|
||
details: >-
|
||
Orbot provides a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats.
|
||
|
||
- point: Avoid Custom Virtual Keyboards
|
||
priority: Optional
|
||
details: >-
|
||
It is recommended to stick with your device's stock keyboard. If you choose to use a third-party keyboard app,
|
||
ensure it is reputable.
|
||
|
||
- point: Restart Device Regularly
|
||
priority: Optional
|
||
details: >-
|
||
Restarting your phone at least once a week will clear the app state cached in memory and may run more smoothly
|
||
after a restart.
|
||
|
||
- point: Avoid SMS
|
||
priority: Optional
|
||
details: >-
|
||
SMS should not be used to receive 2FA codes or for communication, instead use an encrypted messaging app,
|
||
such as Signal.
|
||
|
||
- point: Keep your Number Private
|
||
priority: Optional
|
||
details: >-
|
||
MySudo allows you to create and use virtual phone numbers for different people or groups. This is great for
|
||
compartmentalisation.
|
||
|
||
- point: Watch out for Stalkerware
|
||
priority: Optional
|
||
details: >-
|
||
Stalkerware is malware that is installed directly onto your device by someone you know. The best way to get
|
||
rid of it is through a factory reset.
|
||
|
||
- point: Favor the Browser, over Dedicated App
|
||
priority: Optional
|
||
details: >-
|
||
Where possible, consider using a secure browser to access sites, rather than installing dedicated applications.
|
||
|
||
- point: Consider running a custom ROM (Android)
|
||
priority: Advanced
|
||
details: >-
|
||
If you're concerned about your device manufacturer collecting too much personal information, consider a
|
||
privacy-focused custom ROM.
|
||
color: fuchsia
|
||
softwareLinks:
|
||
- title: Mobile Apps, for Security + Privacy
|
||
url: https://github.com/Lissy93/awesome-privacy#mobile-apps
|
||
- title: Encrypted Messaging
|
||
url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging
|
||
- title: Mobile Operation Systems
|
||
url: https://github.com/Lissy93/awesome-privacy#mobile-operating-systems
|
||
|
||
|
||
- title: Personal Computers
|
||
slug: personal-computers
|
||
description: Securing your PC's operating system, data & activity
|
||
icon: computer
|
||
intro: >
|
||
Although Windows and OS X are easy to use and convenient, they both are far from secure.
|
||
Your OS provides the interface between hardware and your applications, so if
|
||
compromised can have detrimental effects.
|
||
checklist:
|
||
- point: Keep your System up-to-date
|
||
priority: Recommended
|
||
details: >-
|
||
System updates contain fixes/patches for security issues, improve performance, and sometimes add new
|
||
features. Install new updates when prompted.
|
||
|
||
- point: Encrypt your Device
|
||
priority: Recommended
|
||
details: >-
|
||
Use BitLocker for Windows, FileVault on MacOS, or LUKS on Linux, to enable full disk encryption. This
|
||
prevents unauthorized access if your computer is lost or stolen.
|
||
|
||
- point: Backup Important Data
|
||
priority: Recommended
|
||
details: >-
|
||
Maintaining encrypted backups prevents loss due to ransomware, theft, or damage. Consider using
|
||
Cryptomator for cloud files or VeraCrypt for USB drives.
|
||
|
||
- point: Be Careful Plugging USB Devices into your Computer
|
||
priority: Recommended
|
||
details: >-
|
||
USB devices can pose serious threats. Consider making a USB sanitizer with CIRCLean to safely check USB
|
||
devices.
|
||
|
||
- point: Activate Screen-Lock when Idle
|
||
priority: Recommended
|
||
details: >-
|
||
Lock your computer when away and set it to require a password on resume from screensaver or sleep to
|
||
prevent unauthorized access.
|
||
|
||
- point: Disable Cortana or Siri
|
||
priority: Recommended
|
||
details: >-
|
||
Voice-controlled assistants can have privacy implications due to data sent back for processing. Disable
|
||
or limit their listening capabilities.
|
||
|
||
- point: Review your Installed Apps
|
||
priority: Recommended
|
||
details: >-
|
||
Keep installed applications to a minimum to reduce exposure to vulnerabilities and regularly clear
|
||
application caches.
|
||
|
||
- point: Manage Permissions
|
||
priority: Recommended
|
||
details: >-
|
||
Control which apps have access to your location, camera, microphone, contacts, and other sensitive
|
||
information.
|
||
|
||
- point: Disallow Usage Data from being sent to the Cloud
|
||
priority: Recommended
|
||
details: >-
|
||
Limit the amount of usage information or feedback sent to the cloud to protect your privacy.
|
||
|
||
- point: Avoid Quick Unlock
|
||
priority: Recommended
|
||
details: >-
|
||
Use a strong password instead of biometrics or short PINs for unlocking your computer to enhance
|
||
security.
|
||
|
||
- point: Power Off Computer, instead of Standby
|
||
priority: Recommended
|
||
details: >-
|
||
Shut down your device when not in use, especially if your disk is encrypted, to keep data secure.
|
||
|
||
- point: Don't link your PC with your Microsoft or Apple Account
|
||
priority: Optional
|
||
details: >-
|
||
Use a local account only to prevent data syncing and exposure. Avoid using sync services that compromise
|
||
privacy.
|
||
|
||
- point: Check which Sharing Services are Enabled
|
||
priority: Optional
|
||
details: >-
|
||
Disable network sharing features you are not using to close gateways to common threats.
|
||
|
||
- point: Don't use Root/Admin Account for Non-Admin Tasks
|
||
priority: Optional
|
||
details: >-
|
||
Use an unprivileged user account for daily tasks and only elevate permissions for administrative changes
|
||
to mitigate vulnerabilities.
|
||
|
||
- point: Block Webcam + Microphone
|
||
priority: Optional
|
||
details: >-
|
||
Cover your webcam when not in use and consider blocking unauthorized audio recording to protect privacy.
|
||
|
||
- point: Use a Privacy Filter
|
||
priority: Optional
|
||
details: >-
|
||
Use a screen privacy filter in public spaces to prevent shoulder surfing and protect sensitive
|
||
information.
|
||
|
||
- point: Physically Secure Device
|
||
priority: Optional
|
||
details: >-
|
||
Use a Kensington Lock to secure your laptop in public spaces and consider port locks to prevent
|
||
unauthorized physical access.
|
||
|
||
- point: Don't Charge Devices from your PC
|
||
priority: Optional
|
||
details: >-
|
||
Use a power bank or AC wall charger instead of your PC to avoid security risks associated with USB
|
||
connections.
|
||
|
||
- point: Randomize your hardware address on Wi-Fi
|
||
priority: Optional
|
||
details: >-
|
||
Modify or randomize your MAC address to protect against tracking across different WiFi networks.
|
||
|
||
- point: Use a Firewall
|
||
priority: Optional
|
||
details: >-
|
||
Install a firewall app to monitor and block unwanted internet access by certain applications, protecting
|
||
against remote access attacks and privacy breaches.
|
||
|
||
- point: Protect Against Software Keyloggers
|
||
priority: Optional
|
||
details: >-
|
||
Use key stroke encryption tools to protect against software keyloggers recording your keystrokes.
|
||
|
||
- point: Check Keyboard Connection
|
||
priority: Optional
|
||
details: >-
|
||
Be vigilant for hardware keyloggers when using public or unfamiliar computers by checking keyboard
|
||
connections.
|
||
|
||
- point: Prevent Keystroke Injection Attacks
|
||
priority: Optional
|
||
details: >-
|
||
Lock your PC when away and consider using USBGuard or similar tools to protect against keystroke
|
||
injection attacks.
|
||
|
||
- point: Don't use commercial "Free" Anti-Virus
|
||
priority: Optional
|
||
details: >-
|
||
Rely on built-in security tools and avoid free anti-virus applications due to their potential for
|
||
privacy invasion and data collection.
|
||
|
||
- point: Periodically check for Rootkits
|
||
priority: Advanced
|
||
details: >-
|
||
Regularly check for rootkits to detect and mitigate full system control threats using tools like
|
||
chkrootkit.
|
||
|
||
- point: BIOS Boot Password
|
||
priority: Advanced
|
||
details: >-
|
||
Enable a BIOS or UEFI password to add an additional security layer during boot-up, though be aware of
|
||
its limitations.
|
||
|
||
- point: Use a Security-Focused Operating System
|
||
priority: Advanced
|
||
details: >-
|
||
Consider switching to Linux or a security-focused distro like QubeOS or Tails for enhanced privacy and
|
||
security.
|
||
|
||
- point: Make Use of VMs
|
||
priority: Advanced
|
||
details: >-
|
||
Use virtual machines for risky activities or testing suspicious software to isolate potential threats
|
||
from your primary system.
|
||
|
||
- point: Compartmentalize
|
||
priority: Advanced
|
||
details: >-
|
||
Isolate different programs and data sources from one another as much as possible to limit the extent of
|
||
potential breaches.
|
||
|
||
- point: Disable Undesired Features (Windows)
|
||
priority: Advanced
|
||
details: >-
|
||
Disable unnecessary Windows "features" and services that run in the background to reduce data collection
|
||
and resource use.
|
||
|
||
- point: Secure Boot
|
||
priority: Advanced
|
||
details: >-
|
||
Ensure that Secure Boot is enabled to prevent malware from replacing your boot loader and other critical
|
||
software.
|
||
|
||
- point: Secure SSH Access
|
||
priority: Advanced
|
||
details: >-
|
||
Take steps to protect SSH access from attacks by changing the default port, using SSH keys, and
|
||
configuring firewalls.
|
||
|
||
- point: Close Un-used Open Ports
|
||
priority: Advanced
|
||
details: >-
|
||
Turn off services listening on external ports that are not needed to protect against remote exploits and
|
||
improve security.
|
||
|
||
- point: Implement Mandatory Access Control
|
||
priority: Advanced
|
||
details: >-
|
||
Restrict privileged access to limit the damage that can be done if a system is compromised.
|
||
|
||
- point: Use Canary Tokens
|
||
priority: Advanced
|
||
details: >-
|
||
Deploy canary tokens to detect unauthorized access to your files or emails faster and gather
|
||
information about the intruder.
|
||
color: pink
|
||
softwareLinks:
|
||
- title: Secure Operating Systems
|
||
url: https://github.com/Lissy93/awesome-privacy#desktop-operating-systems
|
||
- title: Linux Defenses
|
||
url: https://github.com/Lissy93/awesome-privacy#linux-defences
|
||
- title: Windows Defenses
|
||
url: https://github.com/Lissy93/awesome-privacy#windows-defences
|
||
- title: Mac OS Defenses
|
||
url: https://github.com/Lissy93/awesome-privacy#mac-os-defences
|
||
- title: Anti-Malware
|
||
url: https://github.com/Lissy93/awesome-privacy#anti-malware
|
||
- title: Firewalls
|
||
url: https://github.com/Lissy93/awesome-privacy#firewalls-1
|
||
- title: File Encryption
|
||
url: https://github.com/Lissy93/awesome-privacy#file-encryption
|
||
|
||
|
||
|
||
- title: Smart Home
|
||
slug: smart-home
|
||
description: Using IoT devices without compromising your privacy
|
||
icon: home
|
||
intro: >-
|
||
Home assistants (such as Google Home, Alexa and Siri) and other internet connected
|
||
devices collect large amounts of personal data (including voice samples, location data,
|
||
home details and logs of all interactions). Since you have limited control on what is
|
||
being collected, how it's stored, and what it will be used for, this makes it hard to
|
||
recommend any consumer smart-home products to anyone who cares about privacy and security.
|
||
|
||
Security vs Privacy: There are many smart devices on the market that claim to increase
|
||
the security of your home while being easy and convenient to use (Such as Smart Burglar
|
||
Alarms, Internet Security Cameras, Smart Locks and Remote access Doorbells to name a few).
|
||
These devices may appear to make security easier, but there is a trade-off in terms of
|
||
privacy: as they collect large amounts of personal data, and leave you without control
|
||
over how this is stored or used. The security of these devices is also questionable,
|
||
since many of them can be (and are being) hacked, allowing an intruder to bypass
|
||
detection with minimum effort.
|
||
|
||
The most privacy-respecting option, would be to not use "smart" internet-connected
|
||
devices in your home, and not to rely on a security device that requires an internet
|
||
connection. But if you do, it is important to fully understand the risks of any given
|
||
product, before buying it. Then adjust settings to increase privacy and security.
|
||
The following checklist will help mitigate the risks associated with
|
||
internet-connected home devices.
|
||
checklist:
|
||
- point: Rename devices to not specify brand/model
|
||
priority: Recommended
|
||
details: >-
|
||
Change default device names to something generic to prevent targeted attacks by obscuring brand or model information.
|
||
|
||
- point: Disable microphone and camera when not in use
|
||
priority: Recommended
|
||
details: >-
|
||
Use hardware switches to turn off microphones and cameras on smart devices to protect against accidental recordings or targeted access.
|
||
|
||
- point: Understand what data is collected, stored and transmitted
|
||
priority: Recommended
|
||
details: >-
|
||
Research and ensure comfort with the data handling practices of smart home devices before purchase, avoiding devices that share data with third parties.
|
||
|
||
- point: Set privacy settings, and opt out of sharing data with third parties
|
||
priority: Recommended
|
||
details: >-
|
||
Adjust app settings for strictest privacy controls and opt-out of data sharing with third parties wherever possible.
|
||
|
||
- point: Don't link your smart home devices to your real identity
|
||
priority: Recommended
|
||
details: >-
|
||
Use anonymous usernames and passwords, avoiding sign-up/log-in via social media or other third-party services to maintain privacy.
|
||
|
||
- point: Keep firmware up-to-date
|
||
priority: Recommended
|
||
details: >-
|
||
Regularly update smart device firmware to apply security patches and enhancements.
|
||
|
||
- point: Protect your Network
|
||
priority: Recommended
|
||
details: >-
|
||
Secure your home WiFi and network to prevent unauthorized access to smart devices.
|
||
|
||
- point: Be wary of wearables
|
||
priority: Optional
|
||
details: >-
|
||
Consider the extensive data collection capabilities of wearable devices and their implications for privacy.
|
||
|
||
- point: Don't connect your home's critical infrastructure to the Internet
|
||
priority: Optional
|
||
details: >-
|
||
Evaluate the risks of internet-connected thermostats, alarms, and detectors due to potential remote access by hackers.
|
||
|
||
- point: Mitigate Alexa/ Google Home Risks
|
||
priority: Optional
|
||
details: >-
|
||
Consider privacy-focused alternatives like Mycroft or use Project Alias to prevent idle listening by voice-activated assistants.
|
||
|
||
- point: Monitor your home network closely
|
||
priority: Optional
|
||
details: >-
|
||
Use tools like FingBox or router features to monitor for unusual network activity.
|
||
|
||
- point: Deny Internet access where possible
|
||
priority: Advanced
|
||
details: >-
|
||
Use firewalls to block internet access for devices that don't need it, limiting operation to local network use.
|
||
|
||
- point: Assess risks
|
||
priority: Advanced
|
||
details: >-
|
||
Consider the privacy implications for all household members and adjust device settings for security and privacy, such as disabling devices at certain times.
|
||
color: red
|
||
softwareLinks:
|
||
- title: Home Automation
|
||
url: https://github.com/Lissy93/awesome-privacy#home-automation
|
||
- title: AI Voice Assistants
|
||
url: https://github.com/Lissy93/awesome-privacy#ai-voice-assistants
|
||
|
||
|
||
- title: Personal Finance
|
||
slug: personal-finance
|
||
description: Protecting your funds, financial accounts and transactions
|
||
icon: finance
|
||
intro: >-
|
||
Credit card fraud is the most common form of identity theft (with [133,015 reports in the
|
||
US in 2017 alone](https://www.experian.com/blogs/ask-experian/identity-theft-statistics/)),
|
||
and a total loss of $905 million, which was a 26% increase from the previous year.
|
||
The with a median amount lost per person was $429 in 2017.
|
||
It's more important than ever to take basic steps to protect yourself from falling victim
|
||
|
||
Note about credit cards: Credit cards have technological methods in place to
|
||
detect and stop some fraudulent transactions. Major payment processors implement
|
||
this, by mining huge amounts of data from their card holders, in order to know
|
||
a great deal about each persons spending habits. This data is used to identify
|
||
fraud, but is also sold onto other data brokers. Credit cards are therefore good
|
||
for security, but terrible for data privacy.
|
||
checklist:
|
||
- point: Sign up for Fraud Alerts and Credit Monitoring
|
||
priority: Recommended
|
||
details: >-
|
||
Enable fraud alerts and credit monitoring through Experian, TransUnion, or Equifax to be alerted of suspicious activity.
|
||
|
||
- point: Apply a Credit Freeze
|
||
priority: Recommended
|
||
details: >-
|
||
Prevent unauthorized credit inquiries by freezing your credit through Experian, TransUnion, and Equifax.
|
||
|
||
- point: Use Virtual Cards
|
||
priority: Optional
|
||
details: >-
|
||
Utilize virtual card numbers for online transactions to protect your real banking details. Services like Privacy.com and MySudo offer such features.
|
||
|
||
- point: Use Cash for Local Transactions
|
||
priority: Optional
|
||
details: >-
|
||
Pay with cash for local and everyday purchases to avoid financial profiling by institutions.
|
||
|
||
- point: Use Cryptocurrency for Online Transactions
|
||
priority: Optional
|
||
details: >-
|
||
Opt for privacy-focused cryptocurrencies like Monero for online transactions to maintain anonymity. Use cryptocurrencies wisely to ensure privacy.
|
||
|
||
- point: Store Crypto Securely
|
||
priority: Advanced
|
||
details: >-
|
||
Securely store cryptocurrencies using offline wallet generation, hardware wallets like Trezor or ColdCard, or consider long-term storage solutions like CryptoSteel.
|
||
|
||
- point: Buy Crypto Anonymously
|
||
priority: Advanced
|
||
details: >-
|
||
Purchase cryptocurrencies without linking to your identity through services like LocalBitcoins, Bisq, or Bitcoin ATMs.
|
||
|
||
- point: Tumble/ Mix Coins
|
||
priority: Advanced
|
||
details: >-
|
||
Use a bitcoin mixer or CoinJoin before converting Bitcoin to currency to obscure transaction trails.
|
||
|
||
- point: Use an Alias Details for Online Shopping
|
||
priority: Advanced
|
||
details: >-
|
||
For online purchases, consider using alias details, forwarding email addresses, VOIP numbers, and secure delivery methods to protect your identity.
|
||
|
||
- point: Use alternate delivery address
|
||
priority: Advanced
|
||
details: >-
|
||
Opt for deliveries to non-personal addresses such as PO Boxes, forwarding addresses, or local pickup locations to avoid linking purchases directly to you.
|
||
color: purple
|
||
softwareLinks:
|
||
- title: Virtual Credit Cards
|
||
url: https://github.com/Lissy93/awesome-privacy#virtual-credit-cards
|
||
- title: Cryptocurrencies
|
||
url: https://github.com/Lissy93/awesome-privacy#cryptocurrencies
|
||
- title: Crypto Wallets
|
||
url: https://github.com/Lissy93/awesome-privacy#crypto-wallets
|
||
- title: Crypto Exchanges
|
||
url: https://github.com/Lissy93/awesome-privacy#crypto-exchanges
|
||
- title: Other Payment Methods
|
||
url: https://github.com/Lissy93/awesome-privacy#other-payment-methods
|
||
- title: Budgeting Tools
|
||
url: https://github.com/Lissy93/awesome-privacy#budgeting-tools
|
||
|
||
- title: Human Aspect
|
||
slug: human-aspect
|
||
description: Avoiding social engineering security risks
|
||
icon: human
|
||
intro: >-
|
||
Many data breaches, hacks and attacks are caused by human error.
|
||
The following list contains steps you should take, to reduce the risk of this
|
||
happening to you. Many of them are common sense, but it's worth takin note of.
|
||
|
||
checklist:
|
||
- point: Verify Recipients
|
||
priority: Recommended
|
||
details: >-
|
||
Emails can be easily spoofed. Verify the sender's authenticity, especially for sensitive actions, and prefer entering URLs manually rather than clicking links in emails.
|
||
|
||
- point: Don't Trust Your Popup Notifications
|
||
priority: Recommended
|
||
details: >-
|
||
Fake pop-ups can be deployed by malicious actors. Always check the URL before entering any information on a popup.
|
||
|
||
- point: Never Leave Device Unattended
|
||
priority: Recommended
|
||
details: >-
|
||
Unattended devices can be compromised even with strong passwords. Use encryption and remote erase features like Find My Phone for lost devices.
|
||
|
||
- point: Prevent Camfecting
|
||
priority: Recommended
|
||
details: >-
|
||
Protect against camfecting by using webcam covers and microphone blockers. Mute home assistants when not in use or discussing sensitive matters.
|
||
|
||
- point: Stay protected from shoulder surfers
|
||
priority: Recommended
|
||
details: >-
|
||
Use privacy screens on laptops and mobiles to prevent others from reading your screen in public spaces.
|
||
|
||
- point: Educate yourself about phishing attacks
|
||
priority: Recommended
|
||
details: >-
|
||
Be cautious of phishing attempts. Verify URLs, context of received messages, and employ good security practices like using 2FA and not reusing passwords.
|
||
|
||
- point: Watch out for Stalkerware
|
||
priority: Recommended
|
||
details: >-
|
||
Be aware of stalkerware installed by acquaintances for spying. Look out for signs like unusual battery usage and perform factory resets if suspected.
|
||
|
||
- point: Install Reputable Software from Trusted Sources
|
||
priority: Recommended
|
||
details: >-
|
||
Only download software from legitimate sources and check files with tools like Virus Total before installation.
|
||
|
||
- point: Store personal data securely
|
||
priority: Recommended
|
||
details: >-
|
||
Ensure all personal data on devices or in the cloud is encrypted to protect against unauthorized access.
|
||
|
||
- point: Obscure Personal Details from Documents
|
||
priority: Recommended
|
||
details: >-
|
||
When sharing documents, obscure personal details with opaque rectangles to prevent information leakage.
|
||
|
||
- point: Do not assume a site is secure, just because it is `HTTPS`
|
||
priority: Recommended
|
||
details: >-
|
||
HTTPS does not guarantee a website's legitimacy. Verify URLs and exercise caution with personal data.
|
||
|
||
- point: Use Virtual Cards when paying online
|
||
priority: Optional
|
||
details: >-
|
||
Use virtual cards for online payments to protect your banking details and limit transaction risks.
|
||
|
||
- point: Review application permissions
|
||
priority: Optional
|
||
details: >-
|
||
Regularly review and manage app permissions to ensure no unnecessary access to sensitive device features.
|
||
|
||
- point: Opt-out of public lists
|
||
priority: Optional
|
||
details: >-
|
||
Remove yourself from public databases and marketing lists to reduce unwanted contacts and potential risks.
|
||
|
||
- point: Never Provide Additional PII When Opting-Out
|
||
priority: Optional
|
||
details: >-
|
||
Do not provide additional personal information when opting out of data services to avoid further data collection.
|
||
|
||
- point: Opt-out of data sharing
|
||
priority: Optional
|
||
details: >-
|
||
Many apps and services default to data sharing settings. Opt out to protect your data from being shared with third parties.
|
||
|
||
- point: Review and update social media privacy
|
||
priority: Optional
|
||
details: >-
|
||
Regularly check and update your social media settings due to frequent terms updates that may affect your privacy settings.
|
||
|
||
- point: Compartmentalize
|
||
priority: Advanced
|
||
details: >-
|
||
Keep different areas of digital activity separate to limit data exposure in case of a breach.
|
||
|
||
- point: WhoIs Privacy Guard
|
||
priority: Advanced
|
||
details: >-
|
||
Use WhoIs Privacy Guard for domain registrations to protect your personal information from public searches.
|
||
|
||
- point: Use a forwarding address
|
||
priority: Advanced
|
||
details: >-
|
||
Use a PO Box or forwarding address for mail to prevent companies from knowing your real address, adding a layer of privacy protection.
|
||
|
||
- point: Use anonymous payment methods
|
||
priority: Advanced
|
||
details: >-
|
||
Opt for anonymous payment methods like cryptocurrencies to avoid entering identifiable information online.
|
||
|
||
color: indigo
|
||
- title: Physical Security
|
||
slug: physical-security
|
||
description: Taking measures to prevent IRL security incidents
|
||
icon: physical
|
||
intro: >-
|
||
Public records often include sensitive personal data (full name, date of birth,
|
||
phone number, email, address, ethnicity etc), and are gathered from a range of
|
||
sources (census records, birth/ death/ marriage certificates, voter registrants,
|
||
marketing information, customer databases, motor vehicle records, professional/
|
||
business licenses and all court files in full detail). This sensitive personal
|
||
information is
|
||
[easy and legal to access](https://www.consumerreports.org/consumerist/its-creepy-but-not-illegal-for-this-website-to-provide-all-your-public-info-to-anyone/),
|
||
which raises some [serious privacy concerns](https://privacyrights.org/resources/public-records-internet-privacy-dilemma)
|
||
(identity theft, personal safety risks/ stalkers, destruction of reputations, dossier society)
|
||
|
||
|
||
CCTV is one of the major ways that the corporations, individuals and the government
|
||
tracks your movements. In London, UK the average person is caught on camera about
|
||
500 times per day. This network is continuing to grow, and in many cities around
|
||
the world, facial recognition is being rolled out, meaning the state can know
|
||
the identity of residents on the footage in real-time.
|
||
|
||
Strong authentication, encrypted devices, patched software and anonymous web
|
||
browsing may be of little use if someone is able to physically compromise you,
|
||
your devices and your data. This section outlines some basic methods for physical security
|
||
|
||
checklist:
|
||
- point: Destroy Sensitive Documents
|
||
priority: Recommended
|
||
details: Shred or redact sensitive documents before disposal to protect against identity theft and maintain confidentiality.
|
||
|
||
- point: Opt-Out of Public Records
|
||
priority: Recommended
|
||
details: Contact people search websites to opt-out from listings that show personal information, using guides like Michael Bazzell's Personal Data Removal Workbook.
|
||
|
||
- point: Watermark Documents
|
||
priority: Recommended
|
||
details: Add a watermark with the recipient's name and date to digital copies of personal documents to trace the source of a breach.
|
||
|
||
- point: Don't Reveal Info on Inbound Calls
|
||
priority: Recommended
|
||
details: Only share personal data on calls you initiate and verify the recipient's phone number.
|
||
|
||
- point: Stay Alert
|
||
priority: Recommended
|
||
details: Be aware of your surroundings and assess potential risks in new environments.
|
||
|
||
- point: Secure Perimeter
|
||
priority: Recommended
|
||
details: Ensure physical security of locations storing personal info devices, minimizing external access and using intrusion detection systems.
|
||
|
||
- point: Physically Secure Devices
|
||
priority: Recommended
|
||
details: Use physical security measures like Kensington locks, webcam covers, and privacy screens for devices.
|
||
|
||
- point: Keep Devices Out of Direct Sight
|
||
priority: Recommended
|
||
details: Prevent devices from being visible from outside to mitigate risks from lasers and theft.
|
||
|
||
- point: Protect your PIN
|
||
priority: Recommended
|
||
details: Shield your PIN entry from onlookers and cameras, and clean touchscreens after use.
|
||
|
||
- point: Check for Skimmers
|
||
priority: Recommended
|
||
details: Inspect ATMs and public devices for skimming devices and tampering signs before use.
|
||
|
||
- point: Protect your Home Address
|
||
priority: Optional
|
||
details: Use alternative locations, forwarding addresses, and anonymous payment methods to protect your home address.
|
||
|
||
- point: Use a PIN, Not Biometrics
|
||
priority: Advanced
|
||
details: Prefer PINs over biometrics for device security in situations where legal coercion to unlock devices may occur.
|
||
|
||
- point: Reduce exposure to CCTV
|
||
priority: Advanced
|
||
details: Wear disguises and choose routes with fewer cameras to avoid surveillance.
|
||
|
||
- point: Anti-Facial Recognition Clothing
|
||
priority: Advanced
|
||
details: Wear clothing with patterns that trick facial-recognition technology.
|
||
|
||
- point: Reduce Night Vision Exposure
|
||
priority: Advanced
|
||
details: Use IR light sources or reflective glasses to obstruct night vision cameras.
|
||
|
||
- point: Protect your DNA
|
||
priority: Advanced
|
||
details: Avoid sharing DNA with heritage websites and be cautious about leaving DNA traces.
|
||
|
||
color: lime
|