Last Updated: January 22, 2020 · bt3gl

Simple Online Security Guide

Understanding the Internet


A great introduction by the EFF.

It's important to understand that several easy-to-use, readily available tools allow the interception of your data. For example: Wireshark, Kismet, Firesheep, Ethereal, Cain & Abel, etc.

For this reason it's important to always use SSL (for example, only accept HTTPS instead of HTTP).

Another important security measure is to set up a VPN. Check this guide out.

Protection from DNS Leak

Even with a VPN, you can still leak information through your DNS lookups (see https://www.dnsleaktest.com).

  • If you use Firefox, configure at about:config:
network.proxy.socks_remote_dns: True 
browser.safebrowsing.enabled: False
browser.safebrowsing.malware.enabled: False
  • Do not depend on your ISP for DNS lookup. Instead, edit your /etc/resolv.conf to add the name server from your VPN. For example, if you are using PIA:
nameserver 209.222.18.222
nameserver 209.222.18.218
  • I also recommend OpenDNS.

  • If you are a Linux user, you can use tcpdump to see real time DNS traffic.
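
A check for the /etc/resolv.conf step above, as an added example that is not part of the original guide: it lists every active nameserver entry that is not on an allowlist of VPN resolvers. The function names and the sample file are constructed for illustration; the two allowlisted addresses are the PIA resolvers quoted above.

```shell
#!/bin/sh
# Added example: flag resolvers in a resolv.conf-style file that are not
# on an allowlist of VPN resolvers. Function names are hypothetical.

# unexpected_nameservers FILE ALLOWED_IP...
# Prints, one per line, each active "nameserver" address in FILE that is
# not among ALLOWED_IP. Commented-out lines are ignored.
unexpected_nameservers() {
    conf=$1; shift
    allowed=" $* "
    awk '$1 == "nameserver" { print $2 }' "$conf" | while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                  # resolver is on the allowlist
            *) printf '%s\n' "$ns" ;;      # anything else may leak lookups
        esac
    done
}

# resolvers_ok FILE ALLOWED_IP...
# Succeeds only when every active resolver in FILE is on the allowlist.
resolvers_ok() {
    [ -z "$(unexpected_nameservers "$@")" ]
}

# Constructed sample (not a real capture): the two VPN resolvers plus a
# home-router address that a DHCP client added back.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.1.1
#nameserver 8.8.8.8
EOF

if resolvers_ok "$sample" 209.222.18.222 209.222.18.218; then
    echo "all resolvers belong to the VPN"
else
    echo "resolvers outside the VPN allowlist:"
    unexpected_nameservers "$sample" 209.222.18.222 209.222.18.218
fi
```

Run it against /etc/resolv.conf once the VPN is up, because DHCP clients and NetworkManager commonly rewrite that file. A loopback stub such as 127.0.0.53 is reported too, since the real upstream resolver is then configured elsewhere.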

Securing your Browser

For privacy-preserving search engines, change your defaults to Faroo, YaCy, or DuckDuckGo.

To protect yourself from some threats, use the following addons to Firefox and Chrome:

  • Adblock Plus: offers a few filter lists in its dropdown menu, and you may wish to learn about the strengths of each. A good filter to start protecting your privacy is EasyList.

A guide on how to create your own Adblock Plus filters can be found at http://adblockplus.org/en/filters.

  • DoNotTrackMe.

  • Ghostery: reveals all the surveillance technology which might be (and often is) embedded in a web page.

  • User-Agent Switcher

  • FlagFox

  • WorldIP

  • RefControl

  • TACO

  • Element Hider

  • BetterPrivacy

  • Google Sharing Add-on

Cookies

Every time you load a web page, the server software on the web site generates a record of the page viewed in a log file. This is not always a bad thing. When you log in to a website, there is a need for a way to establish your identity and keep track of who you are in order to save your preferences, or present you with customized information. It does this by passing a small file to your browser and storing a corresponding reference on the web server.

Make a habit of clearing the cookies in your browser. Because of cookies, it’s also important to think before you click on links to sites while logged into your accounts. One technique is to use an entirely separate browser that is not logged into your accounts to test the safety of a link.

A more convenient option, supported by current browsers, is private browsing or incognito mode. This opens a temporary browser window that does not save the history of pages viewed, passwords, downloaded files or cookies. Upon closing the private browsing window, all of this information is deleted.

Anonymizing Browsing

Your ISP knows everything you search and do. For privacy-sensitive activities, the best option is to browse with Tor or I2P. However, no solution is 100% safe!

Tor

The Tor bundle (close-to-anonymous browsing) works great for simple web browsing.

However, if you want to operate a hidden service, you need to download and install the actual Tor client:

$ apt-get install tor
$ service tor start
$ proxychains iceweasel 

This runs iceweasel through proxychains, so its traffic is proxied through Tor. The default port is 9050.

You can also set up a webserver on the Tor network. The best option is ThttpD (instead of mainstream servers such as Apache).

I2P

I2P can be downloaded at https://geti2p.net/en/download. To install:

$ java -jar i2pinstall_0.9.13.jar 

To start:

$ cd ~/i2p/
$ ./i2prouter start

or

$ ./runplain.sh 

I2P works on networks behind a firewall, but it can work better if you add rules to open port 20000:

$ sudo iptables -I INPUT 1 -i wlan0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 20000 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -I INPUT 1 -i wlan0 -p udp --dport 20000 -m conntrack --ctstate NEW -j ACCEPT

The previous command opens the page http://127.0.0.1:7657/configadvanced.
Wait for the connection and you are ready to browse anonymously.

The last thing needed is to set up a proxy to I2P either by your network configuration or through your browser.

If desired, you can also manually set up other tunnels at http://127.0.0.1:7657/i2ptunnel/list.

Messaging

The common messaging platforms are open to the world. To protect yourself you should encrypt your messages. Some solutions are:

When using IRC or USENET, it's important to set up an SSL tunnel (stunnel, for example).

Encrypt your Data

If you want to use a web service and be sure that your provider cannot read your messages, then you’ll need to use something like GPG with which you can encrypt the email.

The header of the email however will still contain the IP (Internet address) that the email was sent from alongside other compromising details.

Learn about PGP. Here is my guide.

Encrypt your email

You can use a plugin such as Mailvelope or set up Thunderbird with OpenPGP, disabling the option of keeping messages on the server.

Encrypt your Home Directory

On Linux distributions you can encrypt the home directory and entire drive during installation.

Note: Encryption does not protect you if and when your machine is already compromised and your keystrokes and/or activity are being logged.

All operating systems (Linux, Windows, Mac) support virtual memory. You can encrypt the pagefile or swap space to prevent unauthorized people from reading your virtual memory:

Encrypt your hardware

TrueCrypt was discontinued in 2014. You can still find its source code at TCNext; however, this code is currently not being maintained.

Mobile

Mobile phones are unsafe by definition. First, you should root your phone. Second, I recommend setting up a VPN, using Tor, and encrypting everything.

Android developers should not enable USB debugging on their phones by default. This allows an attacker using the Android adb shell on a computer to access your phone’s hard disk without unlocking the phone.

Apps for Security

Securing your Wireless Connection

Find your router

This is done by locating the address of your default gateway. Typing the following in the terminal gives a list in which the gateway is the address we want; you can open that address in your browser:

$ route -n

If the gateway doesn't work for you, the 3 other most common router IPs are 192.168.1.1, 192.168.0.1, and 192.168.100.1.

Use encryption:

  • WEP (Wired Equivalent Privacy) 64-bit and 128-bit: WEP is an old, outdated wireless encryption standard. Never use WEP encryption, which can be hacked within seconds. Never ever. In fact you should make fun of your friends that do.

  • WPA (Wi-Fi Protected Access): WPA is also referred to as WPA-Personal. This is a new version of the wireless encryption standard and more secure than WEP.

  • WPA2: This is the latest wireless encryption standard that provides the best encryption. Always use WPA2, if both your wireless router and laptop wireless adapter support it.

Change the Name of Your SSID

Use MAC Address filters

MAC addressing is a layer-two (data link) function. Find the HWaddr by typing:

$ ifconfig

Do this for every device you want to be able to access your Wi-Fi. This is just one layer of security, because you can change a MAC address on Linux simply by typing:

$ ifconfig eth0 down
$ ifconfig eth0 hw ether [new MAC address]
$ ifconfig eth0 up

Use the Router Firewall

Another good feature to look for here is the firewall logs, and you should make it a habit to check these often.

Disable Remote Admin Access.

Change the Default Admin Password.

Verify UdP vulnerabilities:

At https://www.grc.com/x/ne.dll?rh1dkyd2.

Others

Stop using Crappy Passwords

If you use weak passwords, they can be guessed by brute-force attacks.

Use a password manager, for example KeePass.

Verify if your email is compromised at https://shouldichangemypassword.com.

Always checksum documents you download

$ sha1sum file
$ md5sum file
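
Computing a checksum only helps when it is compared with the value the publisher lists. The comparison, as an added example that is not part of the original guide: it assumes the publisher lists a SHA-256 digest and uses sha256sum instead of the sha1sum and md5sum commands above, because practical collision attacks exist against MD5 and SHA-1. The function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a download against the digest its publisher lists.
# verify_sha256 is a hypothetical helper name.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on a match, 1 on a mismatch or unreadable file, and 2 when
# EXPECTED_HEX is not a well-formed SHA-256 digest.
verify_sha256() {
    file=$1
    # Publishers print digests in either case; compare in lowercase.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters. Reject anything else
    # so a truncated copy-paste is reported as bad input, not as a mismatch.
    case "$expected" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum -- "$file" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: a "download" containing the single line "hello",
# and the SHA-256 digest of exactly that content.
dl=$(mktemp)
trap 'rm -f "$dl"' EXIT
printf 'hello\n' > "$dl"
published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

if verify_sha256 "$dl" "$published"; then
    echo "digest matches the published value"
fi

# Simulate a file modified in transit: one appended line changes the digest.
printf 'tampered\n' >> "$dl"
if ! verify_sha256 "$dl" "$published"; then
    echo "digest mismatch: do not open the file"
fi
```

The published digest is only as trustworthy as the channel it came from, so take it from the project's HTTPS page or a signed checksum file rather than from the same mirror as the download.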

Metadata

Documents (e.g. pictures) can hold information about your location, equipment, and more. Before posting online, always remove metadata from documents.

Never post pictures directly from your phone. Remove metadata before posting pictures online.

Be careful with PDFs!

Be wary of opening PDF files using Adobe Reader or other proprietary PDF readers. Closed-source PDF readers have been known to be used to execute malicious code embedded in the PDF body.

Do not allow the reader to execute JavaScript embedded in a PDF.

You can use PDF readers which have been tested for known vulnerabilities:

  • Linux: Evince, Sumatra PDF
  • OS X: Preview
  • Windows: Evince

6 Responses

What are the nameservers 209.222.18.222 and 209.222.18.218? You suggest I share all my internet activity with servers I am hearing about for the first time?

No thanks ;)

over 1 year ago ·

Sorry, these were my personal notes. These are the nameservers from PIA, a really good VPN that has a great policy on logging, etc. You do whatever you want with your machines.

over 1 year ago ·

PIA being Private Internet Access (https://www.privateinternetaccess.com/)

over 1 year ago ·

Correct, thanks! :)

over 1 year ago ·

Your first link is broken. Could it be this? https://ssd.eff.org/

over 1 year ago ·

Thanks, this was the guide.

over 1 year ago ·