From e5a6332b2bfd90d265c611325d8b6c66ed11e486 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Thu, 9 Apr 2020 23:41:15 +0100 Subject: [PATCH 01/15] Adds JustDeleteMe and Local CERT links --- 4_Privacy_And_Security_Links.md | 77 +++++++++++++++++++++++++++++---- 1 file changed, 68 insertions(+), 9 deletions(-) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index 7ae0aaf..d903a3d 100644 --- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md @@ -7,7 +7,7 @@ - **Information and Guides** - [Getting Started Guides](#getting-started-guides) - - [How-To Guides](#how-to-guides) + - [Specific How-To Guides](#how-to-guides) - [Notable Articles](#notable-articles) - [Blogs](#blogs) - **Media** @@ -39,10 +39,10 @@ - [PrismBreak](https://prism-break.org/en/all) - Secure app alternatives - [The VERGE guide to privacy](https://bit.ly/2ptl4Wm) - Guides for securing mobile, web and home tech - [Email Self-Defense](https://emailselfdefense.fsf.org) - Complete guide to secure email -- [TwoFactorAuth.org](https://twofactorauth.org) - Check which websites support 2FA - [Security Planner](https://securityplanner.org) - Great advise for beginners - [My Shaddow](https://myshadow.org) - Resources and guides, to help you take controll of your data - +- [TwoFactorAuth.org](https://twofactorauth.org) - A direcory of websites, apps and services supporting 2FA +- [Just Delete Me](https://justdeleteme.xyz) - A directory of direct links to delete your account from web services ## How-To Guides 
@@ -175,13 +175,72 @@ This section has moved to [here](https://github.com/Lissy93/personal-security-ch ## Government Organisations -- [UK National Cyber Security Center](https://www.ncsc.gov.uk) -- [US Cybersecurity - NIST](https://www.nist.gov/topics/cybersecurity) - -## Cybercrime -- [Consumer Fraud Reporting](http://consumerfraudreporting.org) - US's Catalogue of online scams currently circulating, and a means to report cases -- [Action Fraud](https://www.actionfraud.police.uk) - UK’s national reporting centre for fraud and cyber crime +- **Citizen/ Small business Advice and Infrormation** + - [UK National Cyber Security Center](https://www.ncsc.gov.uk) + - [US Cybersecurity - NIST](https://www.nist.gov/topics/cybersecurity) + - [Stay Safe Online](https://staysafeonline.org) - US government-backed project, aimed to inform and educate individuals and small businesses about basic digital security +- **Cybercrime** + - [Consumer Fraud Reporting](http://consumerfraudreporting.org) - US's Catalogue of online scams currently circulating, and a means to report cases + - [Action Fraud](https://www.actionfraud.police.uk) - UK’s national reporting centre for fraud and cyber crime +- **CERT** - Your local jurisdiction will likely have a Computer emergency response team (historically known as CERT). Who is in charge of handline handles domestic and international computer security incidents. 
+ - Australia - [auscert.org.au](https://www.auscert.org.au) + - Austria - [cert.at](https://www.cert.at) + - Bangladesh - [cirt.gov.bd](https://www.cirt.gov.bd) + - Bolivia - [cgii.gob.bo](https://cgii.gob.bo) + - Brazil - [cert.br](https://www.cert.br) + - Canada - [cyber.gc.ca](https://cyber.gc.ca/en/about-cyber-centre) + - China - [cert.org.cn](https://www.cert.org.cn) + - Columbia - [colcert.gov.co](http://www.colcert.gov.co) + - Croatia - [carnet.hr](https://www.carnet.hr) + - Czech Republic - [csirt.cz](https://csirt.cz) + - Denmark - [cert.dk](https://www.cert.dk) + - Ecuador - [ecucert.gob.ec](https://www.ecucert.gob.ec) + - Egypt - [egcert.eg](https://www.egcert.eg) + - Estonia - [ria.ee / CERT-EE](https://ria.ee/en/cyber-security/cert-ee.html) + - Finland - [kyberturvallisuuskeskus.fi](https://www.kyberturvallisuuskeskus.fi/en/homepage) + - France - [cert.ssi.gouv.fr](https://www.cert.ssi.gouv.fr) + - Germany - [cert-bund.de](https://www.cert-bund.de) + - Ghana - [nca-cert.org.gh](https://nca-cert.org.gh) + - Hong Kong - [hkcert.org](https://www.hkcert.org) + - Iceland - [cert.is](https://www.cert.is) + - India - [CERT-IN](https://www.cert-in.org.in) + - Indonesia - [idsirtii.or.id](https://idsirtii.or.id) + - Iran - [cert.ir](https://cert.ir) + - Italy - [cert-pa.it](https://www.cert-pa.it) + - Japan - [JPCERT](https://www.jpcert.or.jp) + - Kyrgyzstan - [cert.gov.kg](http://cert.gov.kg) + - Luxembourg - [circl.lu](https://circl.lu) + - Macau - [mocert.org](www.mocert.org) + - Malaysia - [mycert.org.my](http://www.mycert.org.my) + - Morocco - [educert.ma](http://www.educert.ma) + - Netherlands - [ncsc.nl](https://www.ncsc.nl) + - New Zealand - [cert.govt.nz](https://www.cert.govt.nz) + - Nigeria - [cert.gov.ng](https://cert.gov.ng) + - Norway - [norcert](https://www.nsm.stat.no/norcert) + - Pakistan - [pakcert.org](http://www.pakcert.org) + - Papua New Guinea - [pngcert.org.pg](https://www.pngcert.org.pg) + - Philippines - 
[cspcert.ph](https://cspcert.ph) + - Poland - [cert.pl](https://www.cert.pl) + - Portugal - [cncs.gov.pt/certpt](https://www.cncs.gov.pt/certpt) + - Qatar - [qcert.org](https://qcert.org) + - Rep of Ireland - [ncsc.gov.ie](https://www.ncsc.gov.ie) + - Romania - [cert.ro](https://www.cert.ro) + - Russia - [gov-cert.ru](http://www.gov-cert.ru) / [cert.ru](https://www.cert.ru) + - Singapore - [csa.gov.sg/singcert](https://www.csa.gov.sg/singcert) + - Slovenia - [sk-cert.sk](https://www.sk-cert.sk) + - South Korea - [krcert.or.kr](https://www.krcert.or.kr) + - Spain - [incibe.es](https://www.incibe.es) + - Sri Lanka - [cert.gov.lk](https://www.cert.gov.lk) + - Sweden - [cert.se](https://www.cert.se) + - Switzerland - [govcert.ch](https://www.govcert.ch) + - Taiwan - [twcert.org.tw](https://www.twcert.org.tw) + - Thailand - [thaicert.or.th](https://www.thaicert.or.th) + - Tonga [cert.to](https://www.cert.to) + - Ukraine - [cert.gov.ua](https://cert.gov.ua) + - UAE - [tra.gov.ae/aecert](https://www.tra.gov.ae/aecert) + - United Kingdom - [ncsc.gov.uk](https://www.ncsc.gov.uk) + - United States - [us-cert.gov](https://www.us-cert.gov) ## Data and API's From f0977f5b9c607fa9c76833afacf8a7ac837b4bb9 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Sat, 11 Apr 2020 17:53:11 +0100 Subject: [PATCH 02/15] Adds Pi Stuff --- 5_Privacy_Respecting_Software.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index 7a0f703..065eca0 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md 
@@ -915,6 +915,27 @@ This list is intended to aid you in auditing the security of your own systems, a - [Wireshark] - Popular, powerful feature-rich network protocol analyser. Lets you analyse everything that is going on in your network in great detail - [Zeek] - Powerful intrusion detection system and network security monitoring, that (rather than focusing on signatures) decodes protocols and looks for anomalies within the traffic +## Bonus #7 - Raspberry Pi/ IoT Security Software + +- [OnionPi](https://github.com/breadtk/onion_pi) - Create an Anonymizing Tor Proxy using a Raspberry Pi +- [CIRCLean](https://www.circl.lu/projects/CIRCLean) - A Pi-based USB Sanitizer, plug an untrusted USB in, and get clean files out +- [Pi Hole](https://pi-hole.net) - A network-wide ad-block, that improves network performance as well as privacy +- [Project Alias](https://github.com/bjoernkarmann/project_alias) - Gives you full-control, and better privacy of your Google Home or Alexa +- [Raspiblitz](https://github.com/rootzoll/raspiblitz) - Build your own Bitcoin & Lightning Node on a Pi, see also [Trezor](https://github.com/trezor/trezor-firmware) wallet +- [PiVPN](https://www.pivpn.io) - Simple low-cost yet secure VPN, for the Raspberry Pi (or set up manually, as outlined in [this guide](https://pimylifeup.com/raspberry-pi-vpn-server/)) +- [DeauthDetector](https://github.com/spacehuhn/DeauthDetector) - Detect deauthentication frames using an ESP8266, useful to be aware of ongoing wireless attacks +- [IPFire](https://www.ipfire.org) - Hardened open source firewall to prevent common attacks on your network. 
Capable of running on a Pi +- [SquidGuard](http://www.squidguard.org) - Fast and free URL redirector, which can work well as a home caching server +- [E2guardian](http://e2guardian.org) - Comprehensive content filtering, with powerful configuration options + + +USB-based projects include: +- [DBAN](https://dban.org) - Bootable hard drive erasers for destroying data +- [Syncthing](https://syncthing.net) - Create automated backups to an external medium +- [KeePass Portable](https://keepass.info/download.html) - Portable password manager. For hardware-encrypted password manager, see [HardPass 2.0](https://hackaday.io/project/21227-hardpass02-hardware-passwd-manager-w-smart-card) +- [VeraCrypt](https://www.veracrypt.fr) - Full drive encryption for USB devices + +See more [hardware-based security solutions](/6_Privacy_and-Security_Gadgets.md) [Amass]: https://github.com/OWASP/Amass [CloudFail]: https://github.com/m0rtem/CloudFail From 4f94510da71420b8805c2b4f810b0748b27fb93b Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Wed, 15 Apr 2020 17:54:40 +0100 Subject: [PATCH 03/15] Adds header analyse --- 5_Privacy_Respecting_Software.md | 1 + 1 file changed, 1 insertion(+) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index 065eca0..087fa3b 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md 
@@ -298,6 +298,7 @@ A selection of free online tools and utilities, to check, test and protect **[Is Legit?](https://www.islegitsite.com/)** | Checks if a website or business is a scam, before buying something from it **[Deseat Me](https://www.deseat.me)** | Tool to help you clean up your online presence- Instantly get a list of all your accounts, delete the ones you are not using **[10 Minute Mail](https://10minemail.com/)** | Generates temporary disposable email address, to avoid giving your real details +**[MXToolBox Mail Headers](https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx)** | Tool for analyzing email headers, useful for checking the authenticity of messages, as well as knowing what info you are revealing in your outbound messages **[33Mail](http://33mail.com/Dg0gkEA)** | Automatically generates new email aliases, the first time you use them, to avoid revealing your real email address. Unlike 10 Minute Mail, these email addresses are permanent, and get forwarded to your real email inbox #### Word of Warning From 5fbf7ead0f5b5a0ea9a4d5eb9a7f8a08def14e30 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Thu, 16 Apr 2020 22:01:36 +0100 Subject: [PATCH 04/15] Adds TED Talk by Denelle Dixon --- 4_Privacy_And_Security_Links.md | 1 + 1 file changed, 1 insertion(+) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index d903a3d..2138e82 100644 --- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md 
@@ -107,6 +107,7 @@ - [The 1s and 0s behind cyber warfare](https://www.ted.com/talks/chris_domas_the_1s_and_0s_behind_cyber_warfare), by Chris Domas - [State Sanctioned Hacking - The Elephant in the Room](https://youtu.be/z-A2MxHmnU4) - Historic, economic and demographic overview of the growing threat to the U.S. from Chinese cyber invasions, by Frank Heidt - [How the IoT is Making Cybercrime Investigation Easier](https://youtu.be/9CemONO6vrY) - How our data is changing the nature of "evidence" in digital forensics, by Jonathan Rajewski + - [Online Privacy Doesn't Exist](https://youtu.be/LgWrD3EJ1Do) - The unexpected dangers our digital breadcrumbs can lead to, by Denelle Dixon - **Conferences** - [DEF CON 27](https://www.youtube.com/playlist?list=PL9fPq3eQfaaA4qJEQQyXDYtTIfxCNA0wB) - Collection of talks from DEF CON 2019, Vegas - [RSA Conference](https://www.youtube.com/user/RSAConference) - Collection of security talks from the RSA conferences From 5caa709fdba04e2042c06d98863582c2997ca436 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Fri, 17 Apr 2020 16:59:29 +0100 Subject: [PATCH 05/15] Organizes How-To Guides in a more logical layout --- 4_Privacy_And_Security_Links.md | 37 +++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index 2138e82..cecbb57 100644 --- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md 
@@ -47,22 +47,32 @@ ## How-To Guides -- Complete guide to configureing Firefox for Privacy + Speed: via [12bytes](https://12bytes.org/7750) -- Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email) -- ISP and DNS privacy tips: via [bluz71](https://bluz71.github.io/2018/06/20/digital-privacy-tips.html) -- Layers of Personal Tech Security: via [The Wire Cutter](https://thewirecutter.com/blog/internet-security-layers) -- Improving security on iPhone: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831) -- Protect against SIM-swap scam: via [wired](https://www.wired.com/story/sim-swap-attack-defend-phone) -- Is your Anti-Virus spying on you: via [Restore Privacy](https://restoreprivacy.com/antivirus-privacy) -- How to use Vera Crypt: via [howtogeek](https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt) -- How to enable DNS over HTTPS: via [geekwire](https://geekwire.co.uk/privacy-and-security-focused-dns-resolver) -- How to resolve DNS leak issue: via [DNSLeakTest](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) -- Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html) -- How to spot a phishing attack: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks) +- **Threat Protection** + - Protect against SIM-swap scam: via [wired](https://www.wired.com/story/sim-swap-attack-defend-phone) + - How to spot a phishing attack: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks) + - Protection from Identity Theft: via [Restore Privacy](https://restoreprivacy.com/identity-theft-fraud) +- **Netowkring** + - How to enable DNS over HTTPS: via [geekwire](https://geekwire.co.uk/privacy-and-security-focused-dns-resolver) + - How to resolve DNS leak issue: via [DNSLeakTest](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) + - Protect 
against WebRTC Leaks: via [Restore Privacy](https://restoreprivacy.com/webrtc-leaks) + - ISP and DNS privacy tips: via [bluz71](https://bluz71.github.io/2018/06/20/digital-privacy-tips.html) + - Complete guide to configureing Firefox for Privacy + Speed: via [12bytes](https://12bytes.org/7750) + - Beginners guide on getting started with Tor: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/ultimate-tor-browser-guide) + - How to Use a VPN and Tor together: via [ProPrivacy](https://proprivacy.com/vpn/guides/using-vpn-tor-together) +- **Communication** + - Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email) +- **Devices** + - Layers of Personal Tech Security: via [The Wire Cutter](https://thewirecutter.com/blog/internet-security-layers) + - Improving security on iPhone: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831) +- **Software** + - How to use Vera Crypt: via [howtogeek](https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt) ## Notable Articles -- Turns Out Police Stingray Spy Tools Can Indeed Record Calls: Article on [Wired](https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm) +- Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html) +- Is your Anti-Virus spying on you: via [Restore Privacy](https://restoreprivacy.com/antivirus-privacy) +- Turns Out Police Stingray Spy Tools Can Indeed Record Calls: via [Wired](https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm) +- UK Police Accessing Private Phone Data Without Warrant: via [Restore Privacy](https://restoreprivacy.com/uk-police-accessing-phone-data) ## Blogs - [Spread Privacy](https://spreadprivacy.com) - Raising the standard of trust online, by DuckDuckGo 
@@ -76,6 +86,7 @@ - [OONI](https://ooni.org/post), Internet freedom and analysis on blocked sites - [Pixel Privacy](https://pixelprivacy.com/resources) - Online privacy guides - [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT +- [The Tin Hat](https://thetinhat.com) - Tutorials and Articles for Online Privacy From f48ac7b1937d3535a971404a0aaeaf71b36fd7ad Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Fri, 17 Apr 2020 17:25:05 +0100 Subject: [PATCH 06/15] Adds True Random Number Generator --- 6_Privacy_and-Security_Gadgets.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/6_Privacy_and-Security_Gadgets.md b/6_Privacy_and-Security_Gadgets.md index 6348ff1..07efa27 100644 --- a/6_Privacy_and-Security_Gadgets.md +++ b/6_Privacy_and-Security_Gadgets.md 
@@ -76,6 +76,7 @@ If you are confident with electronics, then you could also make: - **USB Data Blocker** - By simple removing the data wires from a USB adapter, you can create a protector to keep you safe while charing your device in public spaces. See [this guide](https://www.instructables.com/id/Making-a-USB-Condom) for more info (note: fast charge will not work) - **Hardware Encrypted Password Manager** - Even better than a software-encrypted password manager, is the [hardpass0.2](https://bit.ly/3bg4Xi4) which is a very simple hardware-encrypted USB store, using [GnuPG Smart card](https://www.g10code.com/p-card.html), [GNU Password Standard](https://www.passwordstore.org/) and this [source code](https://github.com/girst/hardpass-passwordmanager) all running on a [Pi Zero](https://amzn.to/2Sz0vU4). See also the [Zamek Project](https://bit.ly/36ZJrec), using this [source code](https://github.com/jareklupinski/zamek) to achive a similar functioning hardware-password manager - **U2F USB Token** - Similar to the FIDO2 2-factor authentication USB keys, [U2f-Zero](https://github.com/conorpp/u2f-zero) by Conor Patrick, lets you turn a Pi Zero into a second-factor auth method. Note: project no longer activley maintained, see [NitroKey](https://github.com/nitrokey) instead +- **True Random Number Generator- Standalone** - The [FST-01](https://www.gniibe.org/FST-01/fst-01.html) is an open source hardware RNG with good documentation, and see the [neug source code](https://salsa.debian.org/gnuk-team/gnuk/neug) - **PC auto-lock Flash Drive** - Turn a flash drive into a lock/ unlock key for your PC, allowing you to quickly lock your device when needed [deprecated] - **Headless Pi Zero SSH server** - Create an small test server, that you can SSH into for development, in order to not have to run risky or potentially dangerous code or software directly on your PC, see [this artticle](https://openpunk.com/post/5) for getting started 
@@ -85,6 +86,7 @@ If you are confident with electronics, then you could also make: We can go even further, these products are far from essential and are maybe a little over-the-top. But fun to play around with, if you really want to avoid being tracked! - **Self-Destroying PC** - The ORWL PC will wipe all data if it is compromised, and has many other safeguards to ensure no one other than you can access anything from your drive. Comes with QubeOS, Windows or Linux, and requires both a password and fob to log in. See more: [orwl.org](https://orwl.org) +- **True Random Number Generator** - FST-01SZ is a tiny stand alone USB 32-bit computer based on a free hardware design. (NeuG is an implementation of a TRNG for GD32F103 MCU). See More: [Free Software Foundation: Shop](https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator) - **Card Skimmer Detector** - Ensure an ATM or card reader does not have an integrated skimming device. See more at [Lab401](https://lab401.com/products/hunter-cat-card-skimmer-detector) - **Voice Changer** - Useful to disguise voice, while chatting online. See more: [UK](https://amzn.to/3bXqpsn) | [US](https://amzn.to/2PqUEyz) - **Ultra-Sonic Microphone Jammer** - Blocks phones, dictaphones, voice assistants and other recording devices. Uses built-in transducers to generate ultrasonic signals that can not be heard by humans, but cause indistinct noise, on redording devices, making it impossible to distinguish any details of the conversations. See more [UK](https://amzn.to/2Hnk63s) | [US](https://amzn.to/2v2fwVG) From 05d1fd94a14ef368da95669fc3a7c5bce08bb161 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Fri, 17 Apr 2020 17:41:35 +0100 Subject: [PATCH 07/15] Adds TED talk, and removes obsolete links --- 4_Privacy_And_Security_Links.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index cecbb57..581c03e 100644 
--- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md @@ -22,7 +22,6 @@ - **Organisations** - [Foundations](#foundations) - [Government Organisations](#government-organisations) - - [Cybercrime](#cybercrime) - **Research** - [Data and API's](#data-and-apis) - [Academic Journals](#academic-journals) @@ -58,8 +57,10 @@ - ISP and DNS privacy tips: via [bluz71](https://bluz71.github.io/2018/06/20/digital-privacy-tips.html) - Complete guide to configureing Firefox for Privacy + Speed: via [12bytes](https://12bytes.org/7750) - Beginners guide on getting started with Tor: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/ultimate-tor-browser-guide) + - Beginners guide to I2P: via [The Tin Hat](https://thetinhat.com/tutorials/darknets/i2p.html) - How to Use a VPN and Tor together: via [ProPrivacy](https://proprivacy.com/vpn/guides/using-vpn-tor-together) - **Communication** + - Configure your email client securly, from scratch - via [FSF](https://emailselfdefense.fsf.org) - Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email) - **Devices** - Layers of Personal Tech Security: via [The Wire Cutter](https://thewirecutter.com/blog/internet-security-layers) @@ -87,6 +88,7 @@ - [Pixel Privacy](https://pixelprivacy.com/resources) - Online privacy guides - [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT - [The Tin Hat](https://thetinhat.com) - Tutorials and Articles for Online Privacy +- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks 
@@ -112,6 +114,7 @@ - [The Power of Privacy](https://youtu.be/KGX-c5BJNFk) by The Guardian - [Why Privacy matters, even if you have nothing to hide](https://youtu.be/Hjspu7QV7O0) by The Hated One - **TED Talks** + - [How Online Trackers Track You, and What To Do About It](https://youtu.be/jVeqAemtC6w) by Luke Crouch - [Why you should switch off your home WiFi](https://youtu.be/2GpNhYy2l08) by Bram Bonné - [Why Privacy Matters](https://www.ted.com/talks/glenn_greenwald_why_privacy_matters), by Glenn Greenwald - [Fighting viruses, defending the net](https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net), by Mikko Hypponen @@ -119,6 +122,7 @@ - [State Sanctioned Hacking - The Elephant in the Room](https://youtu.be/z-A2MxHmnU4) - Historic, economic and demographic overview of the growing threat to the U.S. from Chinese cyber invasions, by Frank Heidt - [How the IoT is Making Cybercrime Investigation Easier](https://youtu.be/9CemONO6vrY) - How our data is changing the nature of "evidence" in digital forensics, by Jonathan Rajewski - [Online Privacy Doesn't Exist](https://youtu.be/LgWrD3EJ1Do) - The unexpected dangers our digital breadcrumbs can lead to, by Denelle Dixon + - [Data is the new gold, who are the new thieves?](https://youtu.be/XNF-rGiGb50) - Introduction and demonstration of the power of data, by Tijmen Schep - **Conferences** - [DEF CON 27](https://www.youtube.com/playlist?list=PL9fPq3eQfaaA4qJEQQyXDYtTIfxCNA0wB) - Collection of talks from DEF CON 2019, Vegas - [RSA Conference](https://www.youtube.com/user/RSAConference) - Collection of security talks from the RSA conferences 
@@ -262,7 +266,7 @@ This section has moved to [here](https://github.com/Lissy93/personal-security-ch - [URLScan](https://urlscan.io) - Service scanning for malisious domains - [Dehashed](https://www.dehashed.com/breach) - Data Breaches and Credentials - [VirusTotal](https://developers.virustotal.com/v3.0/reference) - Detailed virus scans of software -- Hosts to block: https://someonewhocares.org/hosts/ and https://github.com/StevenBlack/hosts +- Hosts to block: [someonewhocares/ hosts](https://someonewhocares.org/hosts) and [StevenBlack/ hosts](https://github.com/StevenBlack/hosts) ## Academic Journals From d1eb06a395e605f45fb729c468371ca6efc004f5 Mon Sep 17 00:00:00 2001 From: Jess Date: Fri, 17 Apr 2020 09:44:34 -0700 Subject: [PATCH 08/15] Added financial contributors to the README --- README.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b151f9e..1c15798 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ [![Awesome](https://awesome.re/badge-flat2.svg)](https://github.com/zbetcheckin/Security_list) -[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) +[![Financial Contributors on Open Collective](https://opencollective.com/personal-security-checklist/all/badge.svg?label=financial+contributors)](https://opencollective.com/personal-security-checklist) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![License](https://img.shields.io/badge/LICENSE-CC_BY_4.0-00a2ff?&style=flat-square)](https://creativecommons.org/licenses/by/4.0/) [![Contributors](https://img.shields.io/github/contributors/lissy93/personal-security-checklist?color=%23ffa900&style=flat-square)](https://github.com/Lissy93/personal-security-checklist/graphs/contributors) 
@@ -334,3 +334,33 @@ http://www.linkedin.com/shareArticle?mini=true&url=https://github.com/Lissy93/pe [![Share on Facebook](https://img.shields.io/badge/Share-Facebook-4267b2?style=for-the-badge&logo=Facebook)](https://www.linkedin.com/shareArticle?mini=true&url=https%3A//github.com/Lissy93/personal-security-checklist&title=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&summary=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020&source=) [![Share on Mastodon](https://img.shields.io/badge/Share-Mastodon-56a7e1?style=for-the-badge&logo=Mastodon)](https://mastodon.social/web/statuses/new?text=Check%20out%20the%20Ultimate%20Personal%20Cyber%20Security%20Checklist%20by%20%40Lissy93%20on%20%23GitHub%20%20%F0%9F%94%90%20%E2%9C%A8) + +## Contributors + +### Code Contributors + +This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. + + +### Financial Contributors + +Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/personal-security-checklist/contribute)] + +#### Individuals + + + +#### Organizations + +Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/personal-security-checklist/contribute)] + + + + + + + + + + + From b3f34e2b39516800854e9a47df893f32f2088d5a Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Fri, 17 Apr 2020 18:54:33 +0100 Subject: [PATCH 09/15] Revert "Activating Open Collective" --- README.md | 32 +------------------------------- 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/README.md b/README.md index 1c15798..b151f9e 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ [![Awesome](https://awesome.re/badge-flat2.svg)](https://github.com/zbetcheckin/Security_list) -[![Financial Contributors on Open Collective](https://opencollective.com/personal-security-checklist/all/badge.svg?label=financial+contributors)](https://opencollective.com/personal-security-checklist) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) +[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![License](https://img.shields.io/badge/LICENSE-CC_BY_4.0-00a2ff?&style=flat-square)](https://creativecommons.org/licenses/by/4.0/) [![Contributors](https://img.shields.io/github/contributors/lissy93/personal-security-checklist?color=%23ffa900&style=flat-square)](https://github.com/Lissy93/personal-security-checklist/graphs/contributors) 
@@ -334,33 +334,3 @@ http://www.linkedin.com/shareArticle?mini=true&url=https://github.com/Lissy93/pe [![Share on Facebook](https://img.shields.io/badge/Share-Facebook-4267b2?style=for-the-badge&logo=Facebook)](https://www.linkedin.com/shareArticle?mini=true&url=https%3A//github.com/Lissy93/personal-security-checklist&title=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&summary=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020&source=) [![Share on Mastodon](https://img.shields.io/badge/Share-Mastodon-56a7e1?style=for-the-badge&logo=Mastodon)](https://mastodon.social/web/statuses/new?text=Check%20out%20the%20Ultimate%20Personal%20Cyber%20Security%20Checklist%20by%20%40Lissy93%20on%20%23GitHub%20%20%F0%9F%94%90%20%E2%9C%A8) - -## Contributors - -### Code Contributors - -This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. - - -### Financial Contributors - -Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/personal-security-checklist/contribute)] - -#### Individuals - - - -#### Organizations - -Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/personal-security-checklist/contribute)] - - - - - - - - - - - From cac79c559ca9e24c166f865685b93994d630b4d0 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Tue, 21 Apr 2020 21:53:34 +0100 Subject: [PATCH 10/15] Updates 2FA apps, and adds Session --- 5_Privacy_Respecting_Software.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index 087fa3b..cd7fcc4 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md 
@@ -109,7 +109,11 @@ If you are using a deprecated PM, you should migrate to something actively maint *Check which websites support multi-factor authentication: [twofactorauth.org](https://twofactorauth.org)* -**Note:** Don't use your password manager to also store your 2-FA tokens- use a separate application. +#### Notable Mentions + +[WinAuth](https://winauth.github.io/winauth) *(Windows)*, [mattrubin - authenticator](https://mattrubin.me/authenticator) *(iOS)*, [Authenticator by World](https://gitlab.gnome.org/World/Authenticator) *(GNOME, Linux)*, [OTPClient](https://github.com/paolostivanin/OTPClient) *(Linux)*, [gauth](https://github.com/gbraad/gauth) *(Self-Hosted, Web-based)* + +For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a plugin for managing TOTP's- offline and compatible with Windows, Mac and Linux. **See also** [2FA Security Checklist](/README.md#2-factor-authentication) 
@@ -131,8 +135,9 @@ Without using a secure app for instant messaging, all your conversations, meta d | Provider | Description | | --- | --- | **[Signal](https://signal.org/)** | Probably one of the most popular, secure private messaging apps that combines strong encryption (see [Signal Protocol](https://en.wikipedia.org/wiki/Signal_Protocol)) with a simple UI and plenty of features. It's widely used across the world, and easy-to-use, functioning similar to WhatsApp - with instant messaging, read-receipts, support for media attachments and allows for high-quality voice and video calls. It's cross-platform, open-source and totally free. Signal is [recommended](https://twitter.com/Snowden/status/661313394906161152) by Edward Snowden, and is a perfect solution for most users -**[KeyBase](keybase.io/inv/6d7deedbc1)** | KeyBase allows encrypted real-time chat, group chats, and public and private file sharing. It also lets you cryptographically sign messages, and prove your ownership to other social identities (Twitter, Reddit, GitHub, etc), and send or receive Stella or BitCoin to other users. It's slightly more complex to use than Signal, but has some great cryptography features, and is good for group chats +**[Session](https://getsession.org)** | Session is a fork of Signal, however unlike Signal it does not require a mobile number (or any other personal data) to register, instead each user is identified by a public key. It is also decentralized, with servers being run by the community though [Loki Net](https://loki.network), messages are encrypted and routed through several of these nodes. All communications are E2E encrypted, and there is no meta data. **[Silence](https://silence.im/)** | If you're restricted to only sending SMS/MMS, then Silence makes it easy to encrypt messages between 2 devices. This is important since traditional text messaging is inherently insecure. 
It's easy-to-use, reliable and secure- but has fallen in popularity, now that internet-based messaging is often faster and more flexible +**[KeyBase](keybase.io/inv/6d7deedbc1)** | KeyBase allows encrypted real-time chat, group chats, and public and private file sharing. It also lets you cryptographically sign messages, and prove your ownership to other social identities (Twitter, Reddit, GitHub, etc), and send or receive Stella or BitCoin to other users. It's slightly more complex to use than Signal, but it's features extend much further than just a messaging app. Keybase core is built upon some great cryptography features, and it is an excellant choice for managing public keys, signing messages and for group chats. **[OpenPGP](https://www.openpgp.org/)** | Provides cryptographic privacy and authentication, PGP is used to encrypt messages sent over existing chat networks (such as email or message boards). Slightly harder to use (than IM apps), slower, but still widely used. Using [GnuPG](https://gnupg.org/download/index.html), encrypts messages following the OpenPGP standard, defined by the IETF, proposed in [RFC 4880](https://tools.ietf.org/html/rfc4880) (originally derived from the PGP software, created by Phil Zimmermann, now owned by [Symantec](https://www.symantec.com/products/encryption)). **Note** there have been vulnerabilities found in the OpenPGP and S/MIME, defined in [EFAIL](https://efail.de/), so although it still considered secure for general purpose use, it may be better to use an encrypted messaging or email app instead- especially for sensitive communications. #### Other Notable Mentions 
@@ -147,9 +152,9 @@ With [Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer) networks, there | Provider | Description | | --- | --- | +**[Matrix](https://matrix.org)** + **[Riot](https://about.riot.im)** client | Matrix is a decentralized open network for secure communications, with E2E encryption with Olm and Megolm. Along with the Riot client, it supports VOIP + video calling and IM + group chats. Since Matrix has an open specification and Simple pragmatic RESTful HTTP/JSON API it makes it easy to integrates with existing 3rd party IDs to authenticate and discover users, as well as to build apps on top of it. **[Session](https://getsession.org)** + **[LokiNet](https://loki.network)** client | Loki is an open source set of tools that allow users to transact and communicate anonymously and privately, through a decentralised, encrypted, onion-based network. Session is a desktop and mobile app that uses these private routing protocols to secure messages, media and metadata. **[Briar](https://briarproject.org)** | Tor-based Android app for P2P encrypted messaging and forums. Where content is stored securely on your device (not in the cloud). It also allows you to connect directly with nearby contacts, without internet access (using Bluetooth or WiFi). -**[Matrix](https://matrix.org)** + **[Riot](https://about.riot.im)** client | Matrix is a decentralized open network for secure communications, with E2E encryption with Olm and Megolm. Along with the Riot client, it supports VOIP + video calling and IM + group chats. Since Matrix has an open specification and Simple pragmatic RESTful HTTP/JSON API it makes it easy to integrates with existing 3rd party IDs to authenticate and discover users, as well as to build apps on top of it. **[Riochet](https://ricochet.im)** | Desktop instant messenger, that uses the Tor network to rendezvous with your contacts without revealing your identity, location/ IP or meta data. 
There are no servers to monitor, censor, or hack so Ricochet is secure, automatic and easy to use. **[Jami](https://jami.net)** | P2P encrypted chat network with cross-platform GNU client apps. Jami supports audio and video calls, screen sharing, conference hosting and instant messaging. **[Tox](https://tox.chat)** + **[qTox](https://qtox.github.io)** client | Open source, encrypted, distributed chat network, with clients for desktop and mobile- see [supported clients](https://tox.chat/clients.html). Clearly documented code and multiple language bindings make it easy for developers to integrate with Tox. @@ -160,9 +165,9 @@ With [Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer) networks, there ## Encrypted Email -Email, is not secure- your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties. Through the [Prism Program](https://en.wikipedia.org/wiki/PRISM_(surveillance_program)), the government also has full access to your emails not end-to-end encrypted. This applies to Gmail, Outlook Mail, Yahoo Mail, GMX, ZoHo, iCloud, AOL and more. +Email is not secure- your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties. Through the [Prism Program](https://en.wikipedia.org/wiki/PRISM_(surveillance_program)), the government also has full access to your emails (if not end-to-end encrypted) - this applies to Gmail, Outlook Mail, Yahoo Mail, GMX, ZoHo, iCloud, AOL and more. -The below email providers are private, end-to-end encrypted (E2EE) and safe. +The below email providers are private, end-to-end encrypted (E2EE) and reasonably secure. This should be used in conjunction with [good email practices](/README.md#emails) | Provider | Description | | --- | --- | 
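Review bot: In the `@@ -109,7 +109,11 @@` hunk, the removed line was the only guidance here telling readers to keep 2FA tokens out of their password manager, and the added KeePass paragraph recommends a TOTP plugin inside the password manager, so the section now points the opposite way without saying why. Either keep the **Note** or state the trade-off beside the KeePass line (an unlocked or stolen database then yields both factors). The link text `TrayTop` also disagrees with its own anchor `#traytotp` and should read `TrayTOTP`, and "TOTP's" should be "TOTPs".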
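Review bot: In the `@@ -131,8 +135,9 @@` hunk, the re-added KeyBase row still links to `keybase.io/inv/6d7deedbc1` with no scheme, which Markdown resolves as a path relative to this file rather than as an external site. Since the line is being rewritten anyway, give it a full `https://` URL, and consider pointing at the home page rather than the `/inv/` path. The new Session row states "there is no meta data" as an absolute with no reference, which is stronger than anything else in the table; soften it or cite a source. Typos on the added lines: "though" for "through", "it's features", "excellant".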
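Review bot: After the `@@ -147,9 +152,9 @@` hunk, Session is described twice with different wording: once in the row this patch adds to the encrypted messaging table, and again in the `Session + LokiNet` row kept here as context. Keep one full description and cross-reference it from the other table so the two cannot drift apart. The moved Matrix row also carries over "makes it easy to integrates" unchanged; fix it while the line is being touched.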
From b793f7c65e5c4ac2c01cbbef32c1a42ab703a96f Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Wed, 22 Apr 2020 00:14:34 +0100 Subject: [PATCH 11/15] Adds additional podcasts Adds links to: - The Privacy, Security, & OSINT Show - Smashing Security --- 4_Privacy_And_Security_Links.md | 34 +++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index 581c03e..0a4428c 100644 --- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md 
@@ -93,20 +93,46 @@ ## Books -- [Permanent Record](https://amzn.to/30wxxXi) (by Edward Snowden) -- [Sandworm](https://amzn.to/2FVByeJ) (by Andy Greenberg) +- [Permanent Record](https://amzn.to/30wxxXi) by Edward Snowden +- [Sandworm](https://amzn.to/2FVByeJ) by Andy Greenberg ## Podcasts -- [Darknet Diaries] (by Jack Rhysider): Stories from the dark sides of the internet. Listen on [Stitcher][da-stitch] -- [CYBER] (by Motherboard, Vice): News and analysis about the latest cyber threats. Listen on [Stitcher][cy-stitch] +- [Darknet Diaries] by Jack Rhysider: Stories from the dark sides of the internet. Listen on [Stitcher][da-stitch] + - Listen on [Stitcher][da-stitch], [iTunes][da-itunes], [Spotify][da-spotify], [PocketCasts][cy-pocketcasts] +- [CYBER] by Motherboard: News and analysis about the latest cyber threats + - Listen on [Stitcher][cy-stitch], [SoundCloud][cy-soundcloud], [iTunes][cy-itunes], [Spotify][cy-spotify], [PocketCasts][cy-pocketcasts] +- [The Privacy, Security, & OSINT Show] by Michael Bazzell: Comprehensive guides on Privacy and OSINT + - Listen on [Stitcher][tp-stitcher], [SoundCloud][tp-soundcloud], [iTunes][tp-itunes], [Spotify][tp-spofify], [PocketCasts][tp-pocketcasts] +- [Smashing Security] by Graham Cluley and Carole Theriault: Casual, opinionated and humerous chat about current cybersecurity news + - Listen on [Stitcher][sm-stitcher], [iTunes][sm-itunes], [Spotify][sm-spofify], [PocketCasts][sm-pocketcasts] + [Darknet Diaries]: https://darknetdiaries.com [da-stitch]: https://www.stitcher.com/podcast/darknet-diaries +[da-itunes]: https://podcasts.apple.com/us/podcast/darknet-diaries/id1296350485 +[da-spotify]: https://open.spotify.com/show/4XPl3uEEL9hvqMkoZrzbx5 +[da-pocketcasts]: https://pca.st/darknetdiaries [CYBER]: https://www.vice.com/en_us/article/59vpnx/introducing-cyber-a-hacking-podcast-by-motherboard [cy-stitch]: https://www.stitcher.com/podcast/vice-2/cyber +[cy-soundcloud]: https://soundcloud.com/motherboard +[cy-itunes]: 
https://podcasts.apple.com/us/podcast/cyber/id1441708044 +[cy-spotify]: https://open.spotify.com/show/3smcGJaAF6F7sioqFDQjzn +[cy-pocketcasts]: https://pca.st/z7m3 +[The Privacy, Security, & OSINT Show]: https://inteltechniques.com/podcast.html +[tp-stitcher]: https://www.stitcher.com/podcast/michael-bazzell/the-complete-privacy-security-podcast +[tp-soundcloud]: https://soundcloud.com/user-98066669 +[tp-itunes]: https://podcasts.apple.com/us/podcast/complete-privacy-security/id1165843330 +[tp-spofify]: https://open.spotify.com/show/6QPWpZJ6bRTdbkI7GgLHBM +[tp-pocketcasts]: https://pca.st/zdIq + +[Smashing Security]: https://www.smashingsecurity.com +[sm-stitcher]: https://www.stitcher.com/podcast/smashing-security +[sm-itunes]: https://podcasts.apple.com/gb/podcast/smashing-security/id1195001633 +[sm-spofify]: https://open.spotify.com/show/3J7pBxEu43nCnRTSXaan8S +[sm-pocketcasts]: https://pca.st/47UH ## Videos - **General** From bc0888880ab996e7cfcf09e3e9912c8a72893eed Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Wed, 22 Apr 2020 00:42:33 +0100 Subject: [PATCH 12/15] Adds items: Travel firewall, shredder, device timer --- 6_Privacy_and-Security_Gadgets.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/6_Privacy_and-Security_Gadgets.md b/6_Privacy_and-Security_Gadgets.md index 07efa27..89a8647 100644 --- a/6_Privacy_and-Security_Gadgets.md +++ b/6_Privacy_and-Security_Gadgets.md @@ -47,6 +47,7 @@ A curated list of (DIY and pre-built) devices, to help preserve privacy and impr **Anonabox**
[![__](https://i.ibb.co/L177XDJ/24.jpg)](https://amzn.to/2UWtP8E) | Plug-and-play Tor router, that can be used with public WiFi while travelling, or at home. Anonabox provides easy access to the deep web and lets you bypass censorship, protect your location, deter data collection and more. It can also be used with a VPN, or for online hosting. Of course you could build a similar product your self using a Raspberry Pi and a WiFi range extender **Deauth Detector**
[![__](https://i.ibb.co/BqNGRCW/19.jpg)](https://amzn.to/2HtUy4B) | Most WiFi hacks begin by sending deauth packets, so that connected clients will briefly be disconnected to the network. This [ESP8266](https://en.wikipedia.org/wiki/ESP8266) comes pre-flashed with [@SpaceHuhn's](https://github.com/spacehuhn) deauth detector (which you can view [here, on GitHub](https://github.com/spacehuhn/DeauthDetector)). Once it detects [deauthentication or disassociation frames](https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames), it will activate a speaker to notify you **Librem 5**
[![__](https://i.ibb.co/3TNh5Vt/l5-v1-front-100x100.png)](https://shop.puri.sm/shop/librem-5/) | Security and Privacy focused smart phone by Purism. With hardware kill switches and specially designed software, this device runs Linux, and does not track you. It Separates CPU from Cellular Baseband, uses IP-Native Communication First and Decentralized Communication by Default. The source code is user-controlled, and has layered security protection. Purism also have [other security-focused products](https://puri.sm/products) +**Slate Travel Router**
[![__](https://i.ibb.co/Nt7hmfW/ar750s-ext-1000x1000.jpg)](https://www.gl-inet.com/products/gl-ar750s/) | The GL-AR750S-Ext can serve as a Wi-Fi access point, a pfSense firewall or a portable router with always-on VPN connectivity. It's great for controlling your network (firewall, VPN, ad-block, web filtering, data limits and more) when traveling or away from home 
@@ -99,6 +100,9 @@ We can go even further, these products are far from essential and are maybe a li - **Faraday Cases** - A Faraday cage or Faraday shield is an enclosure used to block electromagnetic fields. This can be really useful for electronics, since many devices are constantly transmitting and recieving, which is the worst when you are trying to avoid being tracked. Their have been numerous reportings that governments can apparently track phones, even when they are [powered off](https://slate.com/technology/2013/07/nsa-can-reportedly-track-cellphones-even-when-they-re-turned-off.html), and since smart phones often do not have removable batteries, the only option is often to shield them from any em waves. See [SilentPocket.com](https://silent-pocket.com/collections/all-products) | [Faraday Box](https://amzn.to/3cj9z7r) | [Faraday Phone Pouch](https://amzn.to/38faum5) - **Forensic bridge kit** - Allows for write blocking to prevent unauthorized writing to a device, and for crating images with out modifying data. See more: [Amazon](https://www.amazon.com/dp/B00Q76XG5W) - **Stand-alone Drive Eraser** - Allows you to erase drives, without connecting them to your PC. Availible in different modesls for different needs. See More: [Amazon](https://www.amazon.com/StarTech-com-Hard-Drive-Eraser-Standalone/dp/B073X3YZNL) +- **Shredder** - It is important to safely dispose of any documents that contain personal information. This is a very affordable shredder - it cuts pieces into security level P-4 sizes (5/32" by 15/32"). It also shreds credit cards into the same size. [Amazon](https://www.amazon.com/AmazonBasics-6-Sheet-High-Security-Micro-Cut-Shredder/dp/B00Q3KFX8U) +- **Device Timer** - This non-smart device can be used to turn various devices (such as lights or radio) on or off at certain times. It's useful to deter people when you are away. [Amazon](https://www.amazon.com/Century-Digital-Programmable-Packaging-Security/dp/B00MVF16JG) + ## Network Security 
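Review bot: In PATCH 11/15, `@@ -93,20 +93,46 @@` hunk, the new Darknet Diaries sub-bullet links PocketCasts through `[cy-pocketcasts]`, which is the CYBER reference, so it opens the wrong show, while the `[da-pocketcasts]` definition added further down is never used. Change it to `[PocketCasts][da-pocketcasts]`. The parent Darknet Diaries bullet also keeps its trailing "Listen on [Stitcher][da-stitch]", which the sub-bullet now duplicates; drop it as was done for the CYBER bullet. Smaller points: the labels `tp-spofify` and `sm-spofify` resolve but are misspelled, and "humerous" should be "humorous".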
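Review bot: In PATCH 12/15, `@@ -47,6 +47,7 @@` hunk, the Slate Travel Router row says the GL-AR750S-Ext can serve as "a pfSense firewall", and nothing in the row backs that up. Check the claim against the vendor page the row links to and correct or drop it, since a reader may buy the device for exactly that capability.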
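Review bot: In PATCH 12/15, `@@ -99,6 +100,9 @@` hunk, the Shredder entry is headed as a category but its text describes one product ("This is a very affordable shredder") that is identified only by the Amazon link. Name the model in the text, or make the description generic (what P-4 means and why it matters) and leave the link as one example. Both new entries also omit the "See more:" prefix the two entries above them use, and the hunk adds a second blank line before `## Network Security`.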
From d89046c16ec727b23a8f717078575b072441b966 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Wed, 22 Apr 2020 22:40:08 +0100 Subject: [PATCH 13/15] Adds many useful, awesome privacy browser add-ons Adds: Decentraleyes, Self-Destructing Cookies, AmIUnique, Track Me Not, and Lightbeam --- 5_Privacy_Respecting_Software.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index cd7fcc4..f3ba6d1 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md 
@@ -244,10 +244,15 @@ The following browser add-ons give you better control over what content is able **[uBlock Origin](https://github.com/gorhill/uBlock)** | Block ads, trackers and malware sites. **Download**: [Chrome][ublock-chrome] \ [Firefox][ublock-firefox] **[ScriptSafe](https://github.com/andryou/scriptsafe)** | Allows you yo block the execution of certain scripts. **Download**: [Chrome][script-safe-chrome] \ [Firefox][script-safe-firefox] **[WebRTC-Leak-Prevent](https://github.com/aghorler/WebRTC-Leak-Prevent)** | Provides user control over WebRTC privacy settings in Chromium, in order to prevent WebRTC leaks. **Download**: [Chrome][web-rtc-chrome]. For Firefox users, you can do this through [browser settings](https://www.privacytools.io/browsers/#webrtc). Test for WebRTC leaks, with [browserleaks.com/webrtc](https://browserleaks.com/webrtc) +**[Decentraleyes](https://decentraleyes.org)** | Prevents requests for common scripts hosted on 3rd-party CDNs, by serving local versions instead. Protects privacy by evading tracking imposed by large delivery networks, and will also improve page load times. Works out-of-the-box and plays nicely with regular content blockers. **Download**: [Chrome][decentraleyes-chrome] \ [Firefox][decentraleyes-firefox] \ [Opera][decentraleyes-opera] \ [Pale Moon][decentraleyes-pale-moon] \ [Source][decentraleyes-source] **[Vanilla Cookie Manager](https://github.com/laktak/vanilla-chrome)** | A Whitelist Manager that helps protect your privacy, through automatically removing unwanted cookies. **Download**: [Chrome][vanilla-cookie-chrome] **[Privacy Essentials](https://duckduckgo.com/app)** | Simple extension by DuckDuckGo, which grades the security of each site. 
**Download**: [Chrome][privacy-essentials-chrome] \ [Firefox][privacy-essentials-firefox] **[Firefox Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)** | Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously. **Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/) **[Temporary Containers](https://github.com/stoically/temporary-containers)** | This Extension, combined with Firefox Multi-Account Containers, let's you isolate cookies and other private data for each web site. **Download**: [Firefox](https://github.com/stoically/temporary-containers) +**[Self-Destructing Cookies](https://add0n.com/self-destructing-cookies.html)** | Prevents websites from tracking you by storing unique cookies (note Fingerprinting is often also used for tracking). It removes all related cookies whenever you end a session. **Download**: [Chrome][self-destructing-cookies-chrome] \ [Firefox][self-destructing-cookies-firefox] \ [Opera][self-destructing-cookies-opera] \ [Source][self-destructing-cookies-source] +**[Lightbeam](https://github.com/mozilla/lightbeam-we)** | Visualize in detail the servers you are contacting when you are surfing on the Internet. Created by Gary Kovacs (former CEO of Mozilla), presented in his [TED Talk](https://www.ted.com/talks/gary_kovacs_tracking_our_online_trackers). **Download**: [Firefox][lightbeam-firefox] \ [Source][lightbeam-source] +**[Track Me Not](http://trackmenot.io)** | Helps protect web searchers from surveillance and data-profiling, through creating meaningless noise and obfuscation, outlined in their [whitepaper][tmn-whitepaper]. 
**Download**: [Chrome][tmn-chrome] \ [Firefox][tmn-firefox] \ [Source][tmn-source] +**[AmIUnique Timeline](https://amiunique.org/timeline)** | Enables you to better understand the evolution of browser fingerprints (which is what websites use to uniquely identify and track you). **Download**: [Chrome][amiunique-chrome] \ [Firefox][amiunique-firefox] #### Word of Warning *Be careful when installing unfamiliar browser add-ons, since some can compromise your security and privacy. The above list however are all open source, verified and safe extensions* @@ -293,6 +298,7 @@ A selection of free online tools and utilities, to check, test and protect | --- | --- | **[';--have i been pwned?](https://haveibeenpwned.com)** | Checks if your credentials (Email address or Password) have been compromised in a data breach **[εxodus](https://reports.exodus-privacy.eu.org)** | Checks how many, and which trackers any Android app has. Useful to understand how data is being collected before you install a certain APK, it also shows which permissions the app asks for +**[Am I Unique?](https://amiunique.org)** | Show how identifiable you are on the Internet by generating a fingerprint based on device information. This is how many websites track you (even without cookies enabled), so the aim is to not be unique **[Panopticlick](https://panopticlick.eff.org/)** | Check if your browser safe against tracking. Analyzes how well your browser and add-ons protect you against online tracking techniques, and if your system is uniquely configured—and thus identifiable **[Browser Leak Test](https://browserleaks.com)** | Shows which of personal identity data is being leaked through your browser, so you can better protect yourself against fingerprinting **[IP Leak Test](https://ipleak.net)** | Shows your IP address, and other associated details (location, ISP, WebRTC check, DNS, and lots more) 
@@ -1073,9 +1079,26 @@ http://www.linkedin.com/shareArticle?mini=true&url=https://git.io/Jv66u&title=Th [script-safe-chrome]: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en-GB [script-safe-firefox]: https://addons.mozilla.org/en-GB/firefox/addon/script-safe/ [web-rtc-chrome]: https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?hl=en-GB +[decentraleyes-chrome]: https://chrome.google.com/webstore/detail/decentraleyes/ldpochfccmkkmhdbclfhpagapcfdljkj +[decentraleyes-firefox]: https://addons.mozilla.org/en-US/firefox/addon/decentraleyes +[decentraleyes-pale-moon]: https://addons.palemoon.org/addon/decentraleyes +[decentraleyes-opera]: https://addons.opera.com/en/extensions/details/decentraleyes +[decentraleyes-source]: https://git.synz.io/Synzvato/decentraleyes [vanilla-cookie-chrome]: https://chrome.google.com/webstore/detail/vanilla-cookie-manager/gieohaicffldbmiilohhggbidhephnjj?hl=en-GB [privacy-essentials-chrome]: https://chrome.google.com/webstore/detail/duckduckgo-privacy-essent/bkdgflcldnnnapblkhphbgpggdiikppg?hl=en-GB [privacy-essentials-firefox]: https://addons.mozilla.org/en-GB/firefox/addon/duckduckgo-for-firefox/ +[self-destructing-cookies-chrome]: https://chrome.google.com/webstore/detail/self-destructing-cookies/igdpjhaninpfanncfifdoogibpdidddf +[self-destructing-cookies-firefox]: https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies-webex/ +[self-destructing-cookies-opera]: https://addons.opera.com/en/extensions/details/self-destructing-cookies/ +[self-destructing-cookies-source]: https://github.com/joue-quroi/self-destructing-cookies +[lightbeam-firefox]: https://addons.mozilla.org/en-US/firefox/addon/lightbeam-3-0/ +[lightbeam-source]: https://github.com/mozilla/lightbeam-we +[tmn-chrome]: https://chrome.google.com/webstore/detail/trackmenot/cgllkjmdafllcidaehjejjhpfkmanmka +[tmn-firefox]: https://addons.mozilla.org/en-US/firefox/addon/trackmenot/ 
+[tmn-whitepaper]: http://trackmenot.io/resources/trackmenot2009.pdf +[tmn-source]: https://github.com/vtoubiana/TrackMeNot +[amiunique-chrome]: https://chrome.google.com/webstore/detail/amiunique/pigjfndpomdldkmoaiiigpbncemhjeca +[amiunique-firefox]: https://addons.mozilla.org/en-US/firefox/addon/amiunique [//]: # (ANDROID APP LINKS) [Island]: https://play.google.com/store/apps/details?id=com.oasisfeng.island From 8e7c4b86fc2a266f23f56c3d4b544c2e00542756 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Thu, 23 Apr 2020 20:50:41 +0100 Subject: [PATCH 14/15] Adds articles on Phone Tracking and Car Data --- 4_Privacy_And_Security_Links.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/4_Privacy_And_Security_Links.md b/4_Privacy_And_Security_Links.md index 0a4428c..e499fc9 100644 --- a/4_Privacy_And_Security_Links.md +++ b/4_Privacy_And_Security_Links.md @@ -70,8 +70,10 @@ ## Notable Articles +- Twelve Million Phones, One Dataset, Zero Privacy: via [NY Times](https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html) - Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html) - Is your Anti-Virus spying on you: via [Restore Privacy](https://restoreprivacy.com/antivirus-privacy) +- What does your car know about you?: via [Washington Post](https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out) - Turns Out Police Stingray Spy Tools Can Indeed Record Calls: via [Wired](https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm) - UK Police Accessing Private Phone Data Without Warrant: via [Restore Privacy](https://restoreprivacy.com/uk-police-accessing-phone-data) 
@@ -169,7 +171,7 @@ See also: [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @ - [VirusTotal](https://www.virustotal.com) - Analyse a suspicious web resource for malware - [ScamAdviser](https://www.scamadviser.com) - Check if a website is a scam, before buying from it - [Deseat Me](https://www.deseat.me) - Clean up your online presence -- [33Mail](http://33mail.com/Dg0gkEA) or [Anonaddy](https://anonaddy.com) Avoid revealing your real email address, by auto-generating aliases for each accound +- [33Mail](http://33mail.com/Dg0gkEA) or [Anonaddy](https://anonaddy.com) or [SimpleLogin](https://simplelogin.io?slref=bridsqrgvrnavso) Protect your email address, by auto-generating unique permant aliases for each account, so all emails land in your primary inbox - [Panopticlick](https://panopticlick.eff.org) - Check if, and how your browser is tracking you - [Disroot](https://disroot.org) - A suit of online tools, with online freedom in mind - [Blocked by ORG](https://www.blocked.org.uk) - Check if your website is blocked by certain ISPs From 7ad45ccd26bbc7e76b04e92b5dc224ff721aab1b Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Thu, 23 Apr 2020 21:12:39 +0100 Subject: [PATCH 15/15] Adds more email aliasing and catch-all forwarders Adds: SimpleLogin and ForwardEmail --- 5_Privacy_Respecting_Software.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index f3ba6d1..5462f0d 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md @@ -42,7 +42,7 @@ Be aware that no software is perfect- there will always be bugs and vulnerabilit - [Proxies](#proxies) - [DNS Providers](#dns) - [Firewalls](#firewalls) - - [Firewall Analysis](#firewall-analysis) + - [Network Analysis](#network-analysis) - [Cloud Hosting](#cloud-hosting) - [Domain Registrars](#domain-registrars) - **Productivity** 
@@ -181,20 +181,22 @@ See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) f #### Other Notable Mentions [HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business), [StartMail](https://www.startmail.com), [Kolab Now](https://kolabnow.com), [Posteo](https://posteo.de), and [Disroot](https://disroot.org/en) -#### Alias Services +### Alias Services Revealing your real email address online can put you at risk. Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. This protects your real email address from being revealed. Aliases are generated automatically, the first time they are used. This approach lets you identify which provider leaked your email address, and block an alias with 1-click. - **[Anonaddy](https://anonaddy.com)** - An open source anonymous email forwarding service, allowing you to create unlimited email aliases. Has a free plan. - **[33Mail](http://33mail.com/Dg0gkEA)** - A long-standing aliasing service. As well as receiving, 33Mail also lets you reply to forwarded addresses anonymously. Free plan, as well as Premium plan ($1/ month) if you'd like to use a custom domain -- **[ProtonMail](https://protonmail.com/pricing) Visionary** - If you already have ProtonMail's Visionary package, then an implementation of this feature is available. However not the most price-effective, and does not include dashboard +- **[SimpleLogin](https://simplelogin.io?slref=bridsqrgvrnavso)** - Fully open source (view on [GitHub](https://github.com/simple-login)) allias service with many additional features. Can be self-hosted, or the managed version has a free plan, as well as hosted premium option ($2.99/ month) for using custom domains +- **[ProtonMail](https://protonmail.com/pricing) Visionary** - If you already have ProtonMail's Visionary package, then an implementation of this feature is available. 
Very secure, however not the most price-effective (€30/month), and does not include dashboard +- **[ForwardEmail](https://forwardemail.net)** - Simple open source catch-all email forwarding service. Easy to self-host (see on [GitHub](https://github.com/forwardemail/free-email-forwarding)), or the hosted version has a free plan as well as a ($3/month) premium plan -Alternatively you could host your own service +Alternatively you could host your own catch-all email service. [Mailu](https://github.com/Mailu/Mailu) can be configured to accept wildcards, or for Microsoft Exchange see [exchange-catchall](https://github.com/Pro/exchange-catchall) -#### Self-Hosted Email +### Self-Hosted Email If you do not want to trust an email provider with your messages, you can host your own mail server. Without experience, this can be notoriously hard to correctly configure, especially when it comes to security. You may also find that cost, performance and features make it a less attractive option. If you do decide to go down this route, [Mail-in-a-box](https://mailinabox.email/), is an easy to deploy, open source mail server. It aims to promote decentralization, innovation, and privacy on the web, as well as have automated, auditable, and idempotent system configuration. Other ready-to-go self-hosted mail options include [Mailu](https://mailu.io/1.7/) and [Mail Cow](https://mailcow.email/), both of which are docker containers. -#### Mail Clients +### Mail Clients Email clients are the programs used to interact with the mail server. For hosted email, then the web and mobile clients provided by your email service are usually adequate, and may be the most secure option. For self-hosted email, you will need to install and configure mail clients for web, desktop or mobile. - **Desktop** - [Mozilla Thunderbird](https://www.thunderbird.net) is an open source, highly customizable, secure and private desktop email client, for Windows, macOS, and Linux. 
If you are using ProtonMail, then you can use the [ProtonMail Bridge](https://protonmail.com/bridge/thunderbird), to sync your emails to either Thunderbird or Microsoft Outlook. In terms of security, the disadvantage, is that most desktop clients do not support 2FA, so it is important to keep your computer secured, however they are not vulnerable to the common browser attacks, that a web client would be.
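Review bot: In PATCH 13/15, `@@ -244,10 +244,15 @@` hunk, the five new rows land directly above the unchanged "Word of Warning" line, which asserts that everything listed is "open source, verified and safe", yet the AmIUnique Timeline row gives no Source link while the other four do. Add its source link, or reword the warning so it does not vouch for entries the patch has not shown to be audited. The Track Me Not row also uses plain `http://` for both the site and `[tmn-whitepaper]`; prefer `https://` if the site serves it.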
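Review bot: In PATCH 14/15, `@@ -169,7 +171,7 @@` hunk, the added SimpleLogin URL carries a `?slref=bridsqrgvrnavso` query parameter, which looks like a referral tag. In a privacy resource list a tagged link should either be disclosed next to the entry or replaced by the plain `https://simplelogin.io`. The same line lacks the ` - ` separator its neighbours put between link and description, and "permant" should be "permanent".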
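Review bot: In PATCH 15/15, `@@ -42,7 +42,7 @@` hunk, the contents entry becomes `[Network Analysis](#network-analysis)`, but no hunk in this patch renames the matching heading, so unless that happened in another commit the link will not resolve. The change is also unrelated to the commit subject (email aliasing and catch-all forwarders); move it to its own commit together with the heading rename.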
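Review bot: In PATCH 15/15, `@@ -181,20 +181,22 @@` hunk, the ProtonMail line gains "Very secure" with nothing on the line to support it, while the hunk from the first patch in this series deliberately softened "safe" to "reasonably secure" for the same provider list; use the same measured wording here. The new SimpleLogin entry repeats the `?slref=bridsqrgvrnavso` tagged URL and misspells "alias" as "allias". The promotion of Alias Services, Self-Hosted Email and Mail Clients from `####` to `###` is not mentioned in the commit message and leaves `#### Other Notable Mentions` one level deeper than the sections that follow it; confirm that outline is intended.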