gf4
/
personal-security-checklist
mirror of https://git.hackliberty.org/Awesome-Mirrors/personal-security-checklist
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix typo (Quant > Qwant)

pull/121/head
fireneat 2022-04-07 16:05:57 +02:00
parent 2df21f514a
commit ca257997dd
No known key found for this signature in database
GPG Key ID: 9421D16756F3A9A1
1 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -79,7 +79,7 @@ This section outlines the steps you can take, to be better protected from threat
**Ensure Website is Legitimate** | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) if you are unsure
**Watch out for Browser Malware** | Basic | Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common sighs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal)
**Use a Privacy-Respecting Browser** | Recommended | [Firefox](https://www.mozilla.org/en-US/firefox/new) and [Brave](https://brave.com) are secure, private-by-default browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Microsoft IE and Apple Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. See more: [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Quant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
@ -101,7 +101,7 @@ This section outlines the steps you can take, to be better protected from threat
**Disallow Camera/ Microphone access** | Optional | Check browser settings to ensure that no websites are granted access to [webcam](https://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/) or microphone. It may also be beneficial to use [physical protection](/6_Privacy_and-Security_Gadgets.md) such as a webcam cover and microphone blocker
**Disable Browser Password Saves** | Optional | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as [Offline NT Password and Registry Editor](https://www.lifewire.com/offline-nt-password-and-registry-editor-review-2626147). Instead use a password manager
**Disable Browser Autofill** | Optional | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
**Protect from Exfil Attack** | Optional | The CSS Exfiltrate attack is a where credentials and other sensitive details can be snagged with just pure CSS, meaning even blocking JavaScript cannot prevent it, read more [this article](https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense) by Mike Gualtieri. You can stay protected, with the CSS Exfil Protection plugin (for [Chrome](https://chrome.google.com/webstore/detail/css-exfil-protection/ibeemfhcbbikonfajhamlkdgedmekifo) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/)) which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the [CSS Exfil Vulnerability Tester](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) to see if you could be susceptible.
**Protect from Exfil Attack** | Optional | The CSS Exfiltrate attack is a where credentials and other sensitive details can be snagged with just pure CSS, meaning even blocking JavaScript cannot prevent it, read more [this article](https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense) by Mike Gualtieri. You can stay protected, with the CSS Exfil Protection plugin (for [Chrome](https://chrome.google.com/webstore/detail/css-exfil-protection/ibeemfhcbbikonfajhamlkdgedmekifo) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/)) which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the [CSS Exfil Vulnerability Tester](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) to see if you could be susceptible.
**Deactivate ActiveX** | Optional | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it ([see how](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/))
**Disable WebRTC** | Optional | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/)
**Spoof HTML5 Canvas Sig** | Optional | [Canvas Fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) allows websites to identify and track users very accurately though exploiting the rendering capabilities of the [Canvas Element](https://en.wikipedia.org/wiki/Canvas_element). You can use the [Canvas-Fingerprint-Blocker](https://add0n.com/canvas-fingerprint-blocker.html) extension to spoof your fingerprint or use [Tor](https://www.torproject.org) - Check if you are susceptible [here](https://webbrowsertools.com/canvas-fingerprint/)
@ -125,7 +125,7 @@ This section outlines the steps you can take, to be better protected from threat
## Emails
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
@ -151,7 +151,7 @@ The big companies providing "free" email service, don't have a good reputation f
**Be Careful with Auto-Replies** | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks
**Choose the Right Mail Protocol** | Advanced | Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
**Self-Hosting** | Advanced | Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - [read more](https://www.reddit.com/r/selfhosted/comments/6h88qf/on_selfhosted_mail_servers/). That being said, if you run your own mail server, you will have full control over your emails. [Mail-in-a-box](https://github.com/mail-in-a-box/mailinabox) and [docker-mailserver](https://github.com/tomav/docker-mailserver) are ready-to-deploy correctly-configured mail servers that provide a good starting point
**Always use TLS Ports** | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465
**Always use TLS Ports** | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465
**DNS Availability** | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
**Prevent DDoS and Brute Force Attacks** | Advanced | For self-hosted mail servers (specifically STMP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks
**Maintain IP Blacklist** | Advanced | For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate a [reverse DNS lookup](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) system
@ -180,10 +180,10 @@ The big companies providing "free" email service, don't have a good reputation f
**Enable Ephemeral Messages** | Optional | You cannot always rely on the physical security of your device. Self-destructing messages is a really neat feature the causes your messages to automatically delete after a set amount of time. This means that if your device is lost, stolen or seized, an adversary will only have access to the most recent communications. Unlike remote erase, disappearing messages does not require your device to be remotely accessible or have signal. You are able to vary this time frame from weeks all the way down to just a few seconds, depending on your threat model. Without disappearing messages enabled, you should periodically delete conversation history, in case your device is breached
**Avoid SMS** | Optional | SMS may be convenient, but it's [not secure](https://en.wikipedia.org/wiki/SMS#Vulnerabilities). It is susceptible to threats, such as [interception](https://en.wikipedia.org/wiki/IMSI-catcher), [sim swapping](https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html), manipulation and [malware](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms). If you must use SMS, then you should encrypt messages before sending. One option is to use [Silence](https://silence.im/), an Android app that provides end-to-end encryption for SMS
**Watch out for Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very evasive, and can sometimes reveal your identity as well as personal information that you would otherwise not intend to share. You can check how many, and which trackers a given app uses, by searching it in [Exodus Privacy](https://reports.exodus-privacy.eu.org/en/)
**Consider Jurisdiction** | Advanced | The jurisdictions where the organisation is based, and data is hosted should also be taken into account. As in some territories, organisations are forced to comply with local government regulations, which can require them to keep logs of all users interactions and metadata, or hand over encryption keys. Where possible, avoid [Five Eyes](https://en.wikipedia.org/wiki/Five_Eyes) and other [International Cooperatives](https://en.wikipedia.org/wiki/Five_Eyes#Other_international_cooperatives), and countries with poor respect for user privacy such as China, Russia, Singapore and Malaysia.
**Consider Jurisdiction** | Advanced | The jurisdictions where the organisation is based, and data is hosted should also be taken into account. As in some territories, organisations are forced to comply with local government regulations, which can require them to keep logs of all users interactions and metadata, or hand over encryption keys. Where possible, avoid [Five Eyes](https://en.wikipedia.org/wiki/Five_Eyes) and other [International Cooperatives](https://en.wikipedia.org/wiki/Five_Eyes#Other_international_cooperatives), and countries with poor respect for user privacy such as China, Russia, Singapore and Malaysia.
**Use an Anonymous Platform** | Advanced | If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require a phone number, or any other personally identifiable information to sign up or use. Even using false or temporary information (such as a burner sim, VOIP number, temporary or forwarding email address, made-up details etc) cannot be grantee anonymity, and may put you at risk. As well as this you should download the app over Tor, outside of Google Play / Apple App Store, create an anonymous identity, only run the app while connected through Tor and ideally sandbox it to prevent data leaks (using a separate profile, virtual machine or even a secondary device)
**Ensure Forward Secrecy is Supported** | Advanced | Opt for a platform that implements [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). This is where your app generates a new encryption key for every message. It means that if your adversary has obtained the private encryption key from one party, they will not be able to use it to decrypt any previously captured messages
**Consider a Decentralized Platform** | Advanced | If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot verify that the system running is authentic without back doors, and they may be subject to local laws, court orders or censorship, and if that provider ceases to operate, the entire network will be unavailable for that duration. Whereas with a decentralized system, there are no central servers to compromise, and no single point of failure. It cannot be raided, shut down, or forced to turn over data. Some decentralized platforms also route traffic through the Tor network, which provides an additional layer of anonymity and security.
**Consider a Decentralized Platform** | Advanced | If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot verify that the system running is authentic without back doors, and they may be subject to local laws, court orders or censorship, and if that provider ceases to operate, the entire network will be unavailable for that duration. Whereas with a decentralized system, there are no central servers to compromise, and no single point of failure. It cannot be raided, shut down, or forced to turn over data. Some decentralized platforms also route traffic through the Tor network, which provides an additional layer of anonymity and security.
**Recommended Software**
- [Secure Messaging Apps](/5_Privacy_Respecting_Software.md#encrypted-messaging)
@ -199,7 +199,7 @@ Secure your account, lock down your privacy settings, but know that even after d
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Secure your Account** | Recommended | Profiles media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. See the [Authentication](#authentication) section for more tips
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/)
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/)
**Think of All Interactions as Public** | Recommended | There are still numerous methods of viewing a users 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
**Think of All Interactions as Permanent** | Recommended | Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party services, who archive this data and make it indexable and publicly available almost [forever](https://www.inc.com/meredith-fineman/what-we-post-online-is-forever-and-we-need-a-reminder.html). Sites like Ceddit, and [/r/undelete](https://www.reddit.com/r/undelete/), [Politwoops](https://projects.propublica.org/politwoops/), The [Way Back Machine](https://archive.org/web/) allow anyone to search through deleted posts, websites and media. Therefore it's important to not unintentially reveal too much information, and to consider what the implications would be if it were to go 'viral'
**Don't Reveal too Much** | Recommended | Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc)
@ -253,7 +253,7 @@ This section covers how you connect your devices to the internet securely, inclu
**Route all traffic through Tor** | Advanced | VPNs have their weaknesses - you are simply moving your trust from your ISP/ mobile carrier to a VPN provider - Tor is much more anonymous. For increased security, route all your internet traffic through the Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) or [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow this instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/), for Kali see [TorGhost](https://github.com/SusmithKrishnan/torghost). Alternatively, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805). Though see also [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19).
**Disable WiFi on all Devices** | Advanced | Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and connect each device via Ethernet, and turning off WiFi on your phone and using a USB-C/ Lightening to Ethernet cable will protect against WiFi exploits, as Edward Snowden [says here](https://twitter.com/snowden/status/1175431946958233600?lang=en).
**Recommended Software**
**Recommended Software**
- [Virtual Private Networks](/5_Privacy_Respecting_Software.md#virtual-private-networks)
- [Mix Networks](/5_Privacy_Respecting_Software.md#mix-networks)
- [Router Firmware](/5_Privacy_Respecting_Software.md#router-firmware)
@ -343,7 +343,7 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Make Use of VMs** | Advanced | If your job, or any of your activity could endanger your system, or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software, and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and have multiple VMs running simultaneously. Taking this a step further, VMs can be use for compartmentalization, with a host system performing the single task of spawning VMs (systems like [ProxMox](https://www.proxmox.com/en/), is designed for exactly this). Be aware that virtual machines do not guarantee security, and vulnerabilities, named [VM-Escapes](https://en.wikipedia.org/wiki/Virtual_machine_escape), may allow for data in memory to leak into the host system
**Compartmentalize** | Advanced | Security by [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is a strategy, where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the users privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or [multi-account containers](https://support.mozilla.org/en-US/kb/containers) for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternativley, consider [Qubes OS](https://www.qubes-os.org), which is designed for exactly this, and sandboxes each app in it's own Xen Hypervisor VM, while still providing great user experience
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
**Secure Boot** | Advanced | For Windows users, ensure that [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is enabled. This security standard, ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with secure boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case, secure boot will need to be disabled)
**Secure Boot** | Advanced | For Windows users, ensure that [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is enabled. This security standard, ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with secure boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case, secure boot will need to be disabled)
**Secure SSH Access** | Advanced | If you access your system remotely, via SSH you should take steps to protect it from automated and targeted attacks. Change the port away from 22, use SSH keys to authenticate, disallow root login with a password and consider using a firewall, and only allow certain IPs to gain SSH access, consider using a Virtual Private Cloud as a gateway. Carry out regular service audits, to discover the services running on your system. For more info, see [this guide, on OpenSSH security tweeks](https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html)
**Close Un-used Open Ports** | Advanced | Some daemons listen on external ports, if they are not needed, then they are [exposed to exploits](https://www.acunetix.com/blog/articles/danger-open-ports-trojan-trojan/). Turning off these listening services will protect against some remote exploits, and may also improve boot time. To check for listening services, just run `netstat -lt`
**Implement Mandatory Access Control** | Advanced | Restricting privileged access enables users to define rules, that limit how applications can run, or affect other processes and files. This means, that if a vulnerability is exploited, or your system is compromised, the damage will be limited. There are many options available, such as [Rule Set Based Access Control](https://www.rsbac.org/), [AppArmor](https://gitlab.com/apparmor) or [SELinux](https://github.com/SELinuxProject)
@ -379,8 +379,8 @@ The most privacy-respecting option, would be to not use "smart" internet-connect
**Be wary of wearables** | Optional | Wearable smart devices allow companies to log even more data than ever before; they can track your every move to know exactly where you are and what you are doing at any given time. Again, you as the consumer have no control over what is done with that data.
**Don't connect your home's critical infrastructure to the Internet** | Optional | While a smart thermostat, burglar alarm, smoke detector and other appliances may seem convenient, they by design can be accessed remotely, meaning a hacker can gain control of your entire home, without even needing to be nearby. And by breaching multiple devices, the effects can be very serious.
**Mitigate Alexa/ Google Home Risks** | Optional | It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a mirage of security issues. Consider switching to [Mycroft](https://mycroft.ai/) which is an open source alternative, with much better privacy. Alternativley, if you wish to continue using your current voice assistant, check out [Project Alias](https://github.com/bjoernkarmann/project_alias), which prevents idle listening
**Monitor your home network closely** | Optional | Check your local network for suspicious activity. One of the easier methods to do this is with [FingBox](https://amzn.to/38mdw8F), but you can also do it directly [through some routers](https://www.howtogeek.com/222740/how-to-the-monitor-the-bandwidth-and-data-usage-of-individual-devices-on-your-network/).
**Deny Internet access where possible** | Advanced | If possible deny the device/ app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending or receiving from the internet.
**Monitor your home network closely** | Optional | Check your local network for suspicious activity. One of the easier methods to do this is with [FingBox](https://amzn.to/38mdw8F), but you can also do it directly [through some routers](https://www.howtogeek.com/222740/how-to-the-monitor-the-bandwidth-and-data-usage-of-individual-devices-on-your-network/).
**Deny Internet access where possible** | Advanced | If possible deny the device/ app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending or receiving from the internet.
**Assess risks** | Advanced | Assess risks with your audience and data in mind: Be mindful of whose data is being collected, e.g. kids. Manage which devices can operate when (such as turning cameras off when you are at home, or disabling the internet for certain devices at specific times of day)
**Recommended Software**
@ -398,7 +398,7 @@ Note about credit cards: Credit cards have technological methods in place to det
**Sign up for Fraud Alerts and Credit Monitoring** | Recommended | A Fraud Alert is a note on your credit report, that asks any business seeking your credit report to contact you to confirm your identity before granting credit in your name. Credit Monitoring tracks your credit history, and will alert you to any suspicious activity. You can enable fraud alerts and credit monitoring through credit the bureau's websites: [Experian](https://www.experian.com/fraud/center.html), [TransUnion](https://www.transunion.com/fraud-alerts) or [Equifax](https://www.freeze.equifax.com/)
**Apply a Credit Freeze** | Recommended | A credit freeze will prevent anyone from requesting your credit report, hence stop someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through credit the bureau's website: [Experian](https://www.experian.com/freeze/center.html), [TransUnion](https://www.transunion.com/credit-freeze) and [Equifax](https://www.freeze.equifax.com/)
**Use Virtual Cards** | Optional | Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach. [Privacy.com](https://privacy.com/join/VW7WC), [MySudo](https://mysudo.com/) and [others](/5_Privacy_Respecting_Software.md#virtual-credit-cards) offer this service
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
**Use Cryptocurrency for Online Transactions** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction matadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash). If you are using a widley- supported currency (such as [Tether](https://tether.to/), [BitCoin](https://bitcoin.org/), [LiteCoin](https://litecoin.com/), [Ripple](https://ripple.com/xrp/), [Etherium](https://ethereum.org/en/) etc), take steps to [distance yourself from the transaction details](https://coinsutra.com/anonymous-bitcoin-transactions/). See more [privacy-respecting crypto currencies](/5_Privacy_Respecting_Software.md#cryptocurrencies).
**Store Crypto Securely** | Advanced | Generate wallet address offline, never let your private key touch the internet and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as [Wasabi](https://www.wasabiwallet.io/), or a hardware wallet, like [Trezor](https://trezor.io/) or [ColdCard](https://coldcardwallet.com/). For long-term storage consider a paper wallet, or a more robust alternative, such as [CryptoSteel](https://cryptosteel.com/how-it-works)
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), purchasing it from an exchange with your debit/ credit card, will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Avoid any exchange that implements [KYC](https://en.wikipedia.org/wiki/Know_your_customer)
@ -450,7 +450,7 @@ Many data breaches, hacks and attacks are caused by human error. The following l
Public records often include sensitive personal data (full name, date of birth, phone number, email, address, ethnicity etc), and are gathered from a range of sources (census records, birth/ death/ marriage certificates, voter registrants, marketing information, customer databases, motor vehicle records, professional/ business licenses and all court files in full detail). This sensitive personal information is [easy and legal to access](https://www.consumerreports.org/consumerist/its-creepy-but-not-illegal-for-this-website-to-provide-all-your-public-info-to-anyone/), which raises some [serious privacy concerns](https://privacyrights.org/resources/public-records-internet-privacy-dilemma) (identity theft, personal safety risks/ stalkers, destruction of reputations, dossier society)
CCTV is one of the major ways that the corporations, individuals and the government tracks your movements. In London, UK the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world, facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real-time.
CCTV is one of the major ways that the corporations, individuals and the government tracks your movements. In London, UK the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world, facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real-time.
Strong authentication, encrypted devices, patched software and anonymous web browsing may be of little use if someone is able to physically compromise you, your devices and your data. This section outlines some basic methods for physical security
@ -464,7 +464,7 @@ Strong authentication, encrypted devices, patched software and anonymous web bro
**Secure Perimeter** | Recommended | Maintain physical and structural integrity to all locations where devices with personal info are stored, and ensure steps have been put in place to stop any unauthorized access. Minimize external access: doors, windows, vents. Maintain locking devices responsibly: Keep keys safe, don't use guessable combinations, have multiple locks, change locks after a breach or potential risk. Consider intrusion detection systems, such as alarms and closed circuit monitoring. Make sure walls are structurally sound, and if there is a drop ceiling, ensure walls continue up into the ceiling. When inside - don't trust door chain lock and cover door peep hole
**Physically Secure Devices** | Recommended | Use a Kensington lock to secure your device. Never leave devices unattended. Cover your web cam, consider a microphone block or disable it when not in use, use a USB data blocker when charging devices, use a privacy screen when working in public spaces
**Keep Devices Out of Direct Sight** | Recommended | It is possible for an adversary to [communicate with voice assistants with lasers](https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/) at a certain frequency. This can be mitigated by keeping devices out direct line of sight from windows. Any electronics visible from outside, may also pose a risk from theft, and hence should be stored somewhere safe
**Protect your PIN** | Recommended | When entering a code or password (such as unlocking device, withdrawing money from an ATM, or inputting a building access code), ensure that no one is watching over your shoulder, and they you are not in direct line of sight of a camera. Cover the keypad while entering the code to shield your PIN. After entering your PIN on a touch screen device, wipe over the screen to ensure your PIN can not be determined from smudge marks left by skin.
**Protect your PIN** | Recommended | When entering a code or password (such as unlocking device, withdrawing money from an ATM, or inputting a building access code), ensure that no one is watching over your shoulder, and they you are not in direct line of sight of a camera. Cover the keypad while entering the code to shield your PIN. After entering your PIN on a touch screen device, wipe over the screen to ensure your PIN can not be determined from smudge marks left by skin.
**Check for Skimmers** | Recommended | Before entering your card into an ATM, check for any signs that it may have been tampered with. You could use a card [skimmer detector](https://lab401.com/products/hunter-cat-card-skimmer-detector), or try to pull the card intake device to ensure it's firmly fitted. Watch out for other signs of compromise, such as small cameras, keypad covers or blockage on the cash out slot. This also applies to any public device that requires biometric or personal data to complete an action.
**Protect your Home Address** | Optional | Don't set your home address in your phones settings, instead consider selecting a location in a similar region to where you live. Consider storing devices in faraday cage when at your home address. For deliveries, consider using an alias names, and if possible a forwarding or pickup address for receiving online deliveries. You could also combine this with anonymous payment (such as virtual card numbers/ privacy.com, cryptocurrency or cash), and a forwarding email address or VOIP number
**Use a PIN, Not Biometrics** | Advanced | For situations where law enforcement may be involved (such as a protest, or journalism), if your device is seized, authorities can not force you to hand over your device pin code, however they can ask for your fingerprint or face scan to unlock a device. Therefore in these situations disable biometric unlock.