Understanding the Internet
A great introduction by the EFF.
It's important to understand that several easy-to-use, readily available tools allow the interception of your data, for example Wireshark, Kismet, Firesheep, Ethereal, and Cain & Abel.
For this reason it's important to always use SSL (for example, only accept HTTPS instead of HTTP).
Another important precaution is to set up a VPN. Check this guide out.
Protection from DNS Leak
Even with a VPN, you can still leak information through your DNS (see https://www.dnsleaktest.com).
- If you use Firefox, configure at about:config:
  network.proxy.socks_remote_dns: True
  browser.safebrowsing.enabled: False
  browser.safebrowsing.malware.enabled: False
- Do not depend on your ISP for DNS lookup. Instead, edit your /etc/resolv.conf to add the name server from your VPN. For example, if you are using PIA:
  nameserver 22.214.171.124
  nameserver 126.96.36.199
I also recommend OpenDNS.
If you are a Linux user, you can use tcpdump to see real-time DNS traffic.
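One way to check the resolver configuration described above, as an added example that is not part of the original page: the function lists every nameserver in a resolv.conf file that is not on your VPN's resolver list. The function name and the sample addresses (documentation-range placeholders) are assumptions.

```shell
#!/bin/sh
# check_resolvers RESOLV_CONF ALLOWED_IP...
# Prints every nameserver in RESOLV_CONF that is not in the allowed list.
# Returns 0 if all are allowed, 1 if any is unexpected, 2 if none can be read.
check_resolvers() {
    conf=$1; shift
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comment text, then take the address from each "nameserver" line.
    servers=$(sed -e 's/[#;].*//' "$conf" |
        awk '$1 == "nameserver" && NF >= 2 { print $2 }')
    [ -n "$servers" ] || { echo "no nameserver lines in $conf" >&2; return 2; }
    bad=0
    for s in $servers; do
        ok=no
        for a in "$@"; do
            if [ "$s" = "$a" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then
            echo "unexpected resolver: $s"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: one VPN resolver plus a leftover ISP resolver.
# Both addresses are documentation-range placeholders, not real servers.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# written by the VPN client (constructed sample)
nameserver 192.0.2.53
nameserver 198.51.100.1
EOF
check_resolvers "$sample" 192.0.2.53 || echo "DNS may leak outside the VPN"
rm -f "$sample"
```

On systems running systemd-resolved, /etc/resolv.conf lists only the 127.0.0.53 stub, so the upstream servers have to be read from `resolvectl status` instead. To watch live queries with tcpdump, `sudo tcpdump -n -i any port 53` prints each DNS packet with its destination address.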
Securing your Browser
For privacy-preserving search engines, change your defaults to Faroo, YaCy, or DuckDuckGo.
To protect yourself from some threats, use the following add-ons for Firefox and Chrome:
- Adblock Plus: offers a few filters in its dropdown menu, and you may wish to learn about the strengths of each. A good filter to start protecting your privacy is EasyList. A guide on how to create your own Adblock Plus filters can be found at http://adblockplus.org/en/filters.
- Ghostery: reveals all the surveillance technology which might be (and often is) embedded in a web page.
Every time you load a web page, the server software on the web site generates a record of the page viewed in a log file. This is not always a bad thing. When you log in to a website, there is a need for a way to establish your identity and keep track of who you are in order to save your preferences, or present you with customized information. It does this by passing a small file to your browser and storing a corresponding reference on the web server.
A more convenient option, supported by current browsers, is private browsing or incognito mode. This opens a temporary browser window that does not save the history of pages viewed, passwords, downloaded files or cookies. Upon closing the private browsing window, all of this information is deleted.
Your ISP knows everything you search and do. For privacy activities, the best option is to browse with Tor or I2P. However, no solution is 100% safe!
The Tor bundle (close-to-anonymous browsing) works great for simple web browsing.
However, if you want to operate a hidden service, you need to download and install the actual Tor client:
$ apt-get install tor
$ service tor start
$ proxychains iceweasel
This proxies iceweasel through Tor. The default port is 9050.
You can also set up a web server on Tor's network. The best option is thttpd (instead of mainstream servers such as Apache).
$ java -jar i2pinstall_0.9.13.jar
$ cd ~/i2p/
$ ./i2prouter start
I2P works on networks behind a firewall, but it can work better if you add rules for port 20000:
$ sudo iptables -I INPUT 1 -i wlan0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 20000 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -I INPUT 1 -i wlan0 -p udp --dport 20000 -m conntrack --ctstate NEW -j ACCEPT
The previous command opens the page http://127.0.0.1:7657/configadvanced.
Wait for the connection and you are ready to browse anonymously.
The last thing needed is to set up a proxy to I2P either by your network configuration or through your browser.
If desired, you can also manually set up other tunnels at http://127.0.0.1:7657/i2ptunnel/list
The common messaging platforms are open to the world. To protect yourself you should encrypt your messages. Some solutions are:
Or use temporary email services: http://www.ghacks.net/2007/05/28/list-of-20-temporary-email-services, https://www.guerrillamail.com, http://www.mintemail.com.
When using IRC or USENET, it's important to set up an SSL tunnel (stunnel, for example).
Encrypt your Data
If you want to use a web service and be sure that your provider cannot read your messages, then you’ll need to use something like GPG with which you can encrypt the email.
The header of the email however will still contain the IP (Internet address) that the email was sent from alongside other compromising details.
Learn about PGP. Here is my guide.
Encrypt your email
You can use a plugin such as Mailvelope or set up Thunderbird with OpenPGP, disabling the option of keeping messages on the server.
Encrypt your Home Directory
On Linux distributions you can encrypt the home directory and entire drive during installation.
Note: Encryption does not protect you if and when your machine is already compromised and your keystrokes and/or activity is being logged.
All operating systems (Linux, Windows, Mac) support virtual memory. You can encrypt the pagefile or swap space to prevent unauthorized people from reading your virtual memory:
- Cryptsetup (*nix)
- GnuPG (Windows, Linux)
Encrypt your hardware
TrueCrypt was discontinued in 2014. You can still find its source code at TCNext, however this code is currently not being maintained.
Mobile phones are unsafe by definition. First, you should root your phone. Second, I recommend setting up a VPN, using Tor, and encrypting everything.
Android developers should not enable USB debugging on their phones by default. This allows an attacker using the Android adb shell on a computer to access your phone’s hard disk without unlocking the phone.
Apps for Security
Securing your Wireless Connection
Find your router
This is done by locating the address of your default gateway. Typing the following in the terminal prints the routing table; the gateway listed there is the address we want, and you can open it in your browser:
$ route -n
If the gateway doesn't work for you, the 3 other most common router IPs are 192.168.1.1, 192.168.0.1, and 192.168.100.1.
WEP (Wired Equivalent Protection) 64-bit and 128-bit: WEP is an old, outdated wireless encryption standard. Never use WEP encryption, which can be hacked within seconds. Never ever. In fact you should make fun of your friends that do.
WPA (Wi-Fi Protected Access): WPA is also referred to as WPA-Personal. This is a new version of the wireless encryption standard and more secure than WEP.
WPA2: This is the latest wireless encryption standard that provides the best encryption. Always use WPA2 if both your wireless router and laptop wireless adapter support it.
Change the Name of Your SSID
Use MAC Address filters
The MAC addressing is a layer two (datalink) function. Find the HWaddr by typing:
For every device you want to be able to access your Wi-Fi. This is just one layer of security, because you can change a MAC address on Linux simply by typing:
$ ifconfig eth0 down
$ ifconfig eth0 hw ether [new MAC address]
$ ifconfig eth0 up
Use the Router Firewall
Another good feature to look for here is the firewall logs, and you should make it a habit to check these often.
Disable Remote Admin Access.
Change the Default Admin Password.
Verify UdP vulnerabilities:
Stop using Crappy Passwords
If you use weak passwords, they can be guessed by brute-force attacks.
Use a password holder, for example KeePass.
Verify if your email is compromised at https://shouldichangemypassword.com.
Always checksum documents you download
$ sha1sum file
$ md5sum file
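One way to carry out this check, as an added example that is not part of the original page: the function compares a download against a published checksum manifest. It uses sha256sum instead of the sha1sum and md5sum shown above, because SHA-1 and MD5 collisions are practical; the function name, file names and manifest layout are assumptions.

```shell
#!/bin/sh
# verify_download FILE MANIFEST
# MANIFEST uses the "<hex digest>  <file name>" layout that sha256sum prints
# (file names without spaces). Returns 0 on match, 1 on mismatch,
# 2 if the file is missing, unlisted, or the listed digest is malformed.
verify_download() {
    file=$1; manifest=$2
    if [ ! -f "$file" ] || [ ! -f "$manifest" ]; then
        echo "missing file or manifest" >&2; return 2
    fi
    name=$(basename "$file")
    # Digest published for this name; a leading "*" marks binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit } }' "$manifest")
    case $expected in
        "")          echo "$name: not listed in manifest" >&2; return 2 ;;
        *[!0-9a-f]*) echo "$name: malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "$name: not a SHA-256 digest" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"; return 0
    fi
    echo "$name: MISMATCH" >&2
    return 1
}

# Constructed sample: publish a manifest, then alter the file afterwards.
dir=$(mktemp -d)
printf 'constructed sample document\n' > "$dir/report.pdf"
(cd "$dir" && sha256sum report.pdf > SHA256SUMS)
verify_download "$dir/report.pdf" "$dir/SHA256SUMS"
printf 'appended bytes\n' >> "$dir/report.pdf"
verify_download "$dir/report.pdf" "$dir/SHA256SUMS" || echo "do not open this file"
rm -rf "$dir"
```

The check is only as good as the manifest: fetch it over HTTPS from the publisher, or verify its GPG signature where one is offered.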
Documents (e.g. pictures) can hold information about your location, equipment, and more. Before posting online, always remove metadata from documents.
Never post pictures directly from your phone. Remove metadata before posting pictures online.
Be careful with PDFs!
Be wary of opening PDF files using Adobe Reader or other proprietary PDF readers.
Closed-source PDF readers have been known to be used to execute malicious code embedded in the PDF body.
You can use PDF readers which have been tested for known vulnerabilities:
- Linux: Evince, Sumatra PDF
- OS X: Preview
- Windows: Evince