gf4
/
personal-security-checklist
mirror of https://git.hackliberty.org/Awesome-Mirrors/personal-security-checklist
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Creates Network section: for VPN and Router config

pull/4/head
Alicia Sykes 2020-01-08 11:59:35 +00:00 committed by GitHub
parent 8e6f3d8e94
commit d9ecf0284f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
README.md
View File

@ -7,11 +7,10 @@
[![-](/_assets/1_passwords.jpg) Passwords](#passwords)<br>
[![-](/_assets/2_2fa.jpg) 2 Factor Authentication](#2-factor-authentication)<br>
[![-](/_assets/3_web.jpg) Browsing the Web](#browser-and-search)<br>
[![-](/_assets/4_vpn.jpg) VPN](#vpn)<br>
[![-](/_assets/5_email.jpg) Email](#emails)<br>
[![-](/_assets/6_social.jpg) Social Media](#social-media)<br>
[![-](/_assets/4_vpn.jpg) Networking](#networking)<br>
[![-](/_assets/7_devices.jpg) Mobile Phones](#mobile-devices)<br>
[![-](/_assets/9_router.jpg) Routers](#your-router)<br>
[![-](/_assets/10_os.jpg) Personal Computer](#personal-computers)<br>
## Passwords
@ -69,17 +68,6 @@ For more browser security pointers, check out: [Heres How To Get Solid Browse
**Disable JavaScript** | Advanced | Many modern web apps are JavaScript based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will reduce your attack surface. Read more about the growing [risk of JavaScript malware](https://heimdalsecurity.com/blog/javascript-malware-explained/).
**Route all desktop traffic via Tor** | Advanced | [Whonix](https://www.whonix.org/) allows for fail-safe, automatic, and desktop-wide use of the Tor network. It's based on Debian, and runs in in a virtual machine. Straigt-forward to install on Windows, OSX or Linux.
## VPN
A Virtual Private Network (VPN) protects your IP, and allows you to more securely connect to the internet. Use it when connecting to public WiFi or to restrict your ISP from seeing all sites you've visited. Note, VPNs are not a perfect solution, and it is important to select a reputable provider, to entrust your data with. Tor provides greater anonimity.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. Choose one which does not keep and logs and preferably is not based under a [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction. See [That One Privacy Site](https://thatoneprivacysite.net/) for a detailed comparison. As of 2020, [NordVPN](https://nordvpn.com/) and [SurfShark](https://surfshark.com/) are both good all-rounders (for speed, simplicity and security), and [Mullvad](https://mullvad.net/) and [DoubleHop](https://www.doublehop.me/) are excelland for security.
**Configure your router to use VPN** | Optional | If you set your VPN up on your router, then data from all devices on your home network is encrypted as it leaves the LAN. Again, it's important to select a secure VPN provider, as they will see what your ISP previously had been logging. Follow a guide from your router manufacturer or VPN provider, or see [this article](https://www.howtogeek.com/221889/connect-your-home-router-to-a-vpn-to-bypass-censorship-filtering-and-more/) to get started. Note that depending on your internet connection, and VPN provider, this could slow down your internet.
**Stay protected from DNS Leaks** | Optional | A DNS leak is the act of monitoring, storing and filtering your DNS traffic at ISP level. To prevent this you can either use a DNS server provided by your VPN, or use [CloudFlares DNS](https://1.1.1.1/) (set nameservers to `1.1.1.1`), or maintain your own DNS server. You can check your protection, by running a [DNS Leak Test](https://www.dnsleaktest.com/), or run `nslookup whoami.akamai.net` in your terminal. Read more about [preventing DNA Leaks](https://securitytrails.com/blog/what-is-dns-leak-how-can-i-prevent-it).
**Use a secure Protocol** | Optional | [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) is widley used, and currently considered a secure [tunneling protocol](https://en.wikipedia.org/wiki/Tunneling_protocol), it's also open source, lightweight and effiecient. [L2TP](https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol) can be good, but only when configured correctly, whereas it's much harder to go wrong with OpenVPN. Don't use [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol), which is now legacy, and not considered secure, and avoid [SSTP](https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol) (proprietary, owned by Microsoft and due to lack of transparency, could be vulnrable to exploits). [IKEv2](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and [WireGuard](https://www.wireguard.com/) *(experimental)* are also good options.
**Use the Tor Network** | Advanced | VPNs have their weaknesses, since the provider knows your real details, whereas Tor is anonymous. For optimum security, route all your internet traffic through tthe Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) and [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/). Finally, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
## Emails
@ -109,6 +97,28 @@ These links are also useful for additional simple measures that you can take to
**Remove metadata before uploading media** | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data to each photograph., This usually includes things like time, date, location, camera model, user etc. Remove this data before uploading. See [this guide](https://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/) for more info.
**Dont have any social media accounts** | Advanced | It may seem a bit extreme, but if your serious about data privacy and security, stay away from entering information on any social media platform.
## Networking
This section covers how you connect your devices to the internet, including configuring your router and setting up a VPN.
A Virtual Private Network (VPN) protects your IP, and allows you to more securely connect to the internet. Use it when connecting to public WiFi or to restrict your ISP from seeing all sites you've visited. Note, VPNs are not a perfect solution, and it is important to select a reputable provider, to entrust your data with. Tor provides greater anonimity.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. Choose one which does not keep and logs and preferably is not based under a [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction. See [That One Privacy Site](https://thatoneprivacysite.net/) for a detailed comparison. As of 2020, [NordVPN](https://nordvpn.com/) and [SurfShark](https://surfshark.com/) are both good all-rounders (for speed, simplicity and security), and [Mullvad](https://mullvad.net/) and [DoubleHop](https://www.doublehop.me/) are excelland for security.
**Dont use a default router password** | Recommended | Change your router password- [here is a guide as to how](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652).
**Use WPA2** | Recommended | WPA and WEP make it very easy for a hacker to gain access to your router. Use a [WPA2](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) password instead. Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words.
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. You can usually update your router by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1) in your browser, entering the credentials on the sticker on the back of you of your router (not your WiFi password!), and following the on-screen instructions. Or follow a guide from your routers manufacturer: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Newer Linksys and Netgear routers update automatically, as does Google's router.
**Configure your router to use VPN** | Optional | If you set your VPN up on your router, then data from all devices on your home network is encrypted as it leaves the LAN. Again, it's important to select a secure VPN provider, as they will see what your ISP previously had been logging. Follow a guide from your router manufacturer or VPN provider, or see [this article](https://www.howtogeek.com/221889/connect-your-home-router-to-a-vpn-to-bypass-censorship-filtering-and-more/) to get started. Note that depending on your internet connection, and VPN provider, this could slow down your internet.
**Stay protected from DNS Leaks** | Optional | A DNS leak is the act of monitoring, storing and filtering your DNS traffic at ISP level. To prevent this you can either use a DNS server provided by your VPN, or use [CloudFlares DNS](https://1.1.1.1/) (set nameservers to `1.1.1.1`), or maintain your own DNS server. You can check your protection, by running a [DNS Leak Test](https://www.dnsleaktest.com/), or run `nslookup whoami.akamai.net` in your terminal. Read more about [preventing DNA Leaks](https://securitytrails.com/blog/what-is-dns-leak-how-can-i-prevent-it).
**Use a secure VPN Protocol** | Optional | [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) is widley used, and currently considered a secure [tunneling protocol](https://en.wikipedia.org/wiki/Tunneling_protocol), it's also open source, lightweight and effiecient. [L2TP](https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol) can be good, but only when configured correctly, whereas it's much harder to go wrong with OpenVPN. Don't use [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol), which is now legacy, and not considered secure, and avoid [SSTP](https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol) (proprietary, owned by Microsoft and due to lack of transparency, could be vulnrable to exploits). [IKEv2](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and [WireGuard](https://www.wireguard.com/) *(experimental)* are also good options.
**Ideally hide your SSID** | Optional | An SSID (or Service Set Identifier) is simply your network name. If it is not visible, it is much less likely to be targeted. You can usually hide it after logging into your router admin panel, [see here for more details](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655).
**Avoid the free router from your ISP** | Optional | Typically theyre manufactured cheaply in bulk in China, and firmware updates which fix crucial security flaws arent released regularly. Consider an open source based router, such as [Turris MOX](https://www.turris.cz/en/mox/overview/)
**Use the Tor Network** | Advanced | VPNs have their weaknesses, since the provider knows your real details, whereas Tor is anonymous. For optimum security, route all your internet traffic through tthe Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) and [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/). Finally, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
**Kill unused process and services on your router** | Advanced | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service thats not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface.
## Mobile Devices
Most smart phone apps will run in the background, collecting and logging data, making network requests and ultimately creating a clear picture of you you are, just from your data. This is a big problem from both a security and privacy perspective.
@ -129,17 +139,6 @@ SMS texting and traditional phone calls are not secure, so it's imprortant to av
**Consider running a custom ROM if you have an Android device** | Advanced | Your default OS tracks information about your usage, and app data, constantly. Consider a security-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/).
## Your Router
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Dont use a default password** | Recommended | Change your router password- [here is a guide as to how](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652).
**Use WPA2** | Recommended | WPA and WEP make it very easy for a hacker to gain access to your router. Use a [WPA2](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) password instead. Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words.
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. You can usually update your router by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1) in your browser, entering the credentials on the sticker on the back of you of your router (not your WiFi password!), and following the on-screen instructions. Or follow a guide from your routers manufacturer: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Newer Linksys and Netgear routers update automatically, as does Google's router.
**Ideally hide your SSID** | Optional | An SSID (or Service Set Identifier) is simply your network name. If it is not visible, it is much less likely to be targeted. You can usually hide it after logging into your router admin panel, [see here for more details](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655).
**Avoid the free router from your ISP** | Optional | Typically theyre manufactured cheaply in bulk in China, and firmware updates which fix crucial security flaws arent released regularly. Consider an open source based router, such as [Turris MOX](https://www.turris.cz/en/mox/overview/)
**Kill unused process and services** | Advanced | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service thats not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface.
## Personal Computers
Although Windows and OS X are easy to use and convenient, they both are far from secure. Your OS provides the interface between hardware and your applications, so if compromised can have detrimental effects.