Information and opinion:
Updated 5/1/2022 News and press-releases: Chrome hacked.
We still recommend the Firefox browser (free) for security, privacy, and function, or the Tor browser (also free) for anonymity.
We still suggest KeePass or KeePassXC for password management.
Updated 7/30/2021 Some links and information from the Federal Trade Commission
Updated 8/29/2020: Checklist for Small Office/Home Office (SOHO) basic security
Updated 6/10/2019: DIY directions to remove your personal information from data aggregator clearinghouse sites.
HARDEN.IT
We make things work for people. (TM)
HARDEN IT IS NOT CURRENTLY ACCEPTING NEW CLIENTS
Lifelock and an antivirus are not enough. iPhone use does not ensure privacy nor security. Learn to protect yourself.
https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
Here are some resources for you as well as some topics for research and discussion which are currently under active review by HardenIT. We accept no fees, commissions, or other payments from any of the entities associated with these topics, technologies, or links.
Security test tools
DNS spoofability test
https://www.grc.com/dns/dns.htm
DNSSEC
HTML5 VPN/ISP speed test
https://speedof.me/
IP/DNS/WebRTC Leaktest with platform, browser details
https://ipleak.net/
https://ipleak.org
Windows login/data leak by Perfect Privacy
https://msleak.perfect-privacy.com/
E-mail spoofability check
https://www.ipvoid.com/email-spoof-check/
yahoo addresses are spoofable
protonmail addresses are not spoofable
Port scanner
simple, advanced, clear: https://www.ipfingerprints.com/portscan.php
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
single: http://www.speedguide.net/portscan.php?port=999&tcp=1&udp=1
McAfee hackerwatch hitme port scan firewall probe
https://www.hackerwatch.org/probe/
Audit my PC digital footprint:
https://www.auditmypc.com/digital-footprint.a
Password or login already compromised
haveibeenpwned.com
Password Strength Checker (the same two test passwords, password12345 and E-mail@79, run through three checkers)
https://ae7.st/g/test.html: password12345 reported as 13 entropy, 13 length; E-mail@79 reported as 29 entropy, 9 length
rumkin: password12345 reported as 47.2 bits entropy, length 13, "reasonable"; E-mail@79 reported as 40.4 bits entropy, length 9, "reasonable", charset 94
my1login: password12345 "very weak"; E-mail@79 "strong"
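The disagreement between the checkers above comes from how entropy is estimated: a naive charset count rewards length, while a pattern-aware estimate charges a dictionary word or a digit run only a few bits. The following added example (not from the original page or any of the checkers) computes both estimates for the same two test passwords; the wordlist, its assumed size, and the verdict thresholds are constructed for the demonstration.

```python
import math
import re

# Constructed mini wordlist for the demonstration; real checkers use lists of
# millions of leaked passwords (the assumed list size below stands in for that).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "dragon"}
ASSUMED_WORDLIST_SIZE = 100_000   # assumption: attacker tries a 100k-word list

# Character classes and their sizes, as the naive "charset" checkers count them.
CHARSETS = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),   # printable ASCII punctuation/space
)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover."""
    return sum(size for rx, size in CHARSETS if rx.search(pw))


def naive_entropy_bits(pw: str) -> float:
    """Charset-based estimate: every position is an independent uniform pick."""
    return len(pw) * math.log2(charset_size(pw))


def tokenize(pw: str) -> list:
    """Split a password into dictionary words, sequential runs and single chars."""
    tokens, i, lower = [], 0, pw.lower()
    while i < len(pw):
        word = max((w for w in COMMON_WORDS if lower.startswith(w, i)),
                   key=len, default=None)
        if word:
            tokens.append(("word", pw[i:i + len(word)]))
            i += len(word)
            continue
        j = i + 1
        if j < len(pw) and pw[i].isalnum():
            step = ord(pw[j]) - ord(pw[i])
            if step in (1, -1):          # ascending or descending run (abc, 321)
                while (j < len(pw) and pw[j].isalnum()
                       and ord(pw[j]) - ord(pw[j - 1]) == step):
                    j += 1
        if j - i >= 3:
            tokens.append(("seq", pw[i:j]))
            i = j
            continue
        tokens.append(("char", pw[i]))
        i += 1
    return tokens


def pattern_entropy_bits(pw: str) -> float:
    """Pattern-aware estimate: a word or a run costs a few bits, not a char each."""
    per_char = math.log2(charset_size(pw))
    bits = 0.0
    for kind, text in tokenize(pw):
        if kind == "word":
            # one guess out of the wordlist, plus one bit for a capitalised variant
            bits += math.log2(ASSUMED_WORDLIST_SIZE) + (1 if text != text.lower() else 0)
        elif kind == "seq":
            # the attacker only has to pick the start symbol and the run length
            bits += math.log2(10 if text.isdigit() else 26) + math.log2(len(text))
        else:
            bits += per_char
    return bits


def verdict(bits: float) -> str:
    """Constructed thresholds, roughly like the labels the checkers above use."""
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    return "strong"


def compare(pw: str) -> dict:
    naive, pattern = naive_entropy_bits(pw), pattern_entropy_bits(pw)
    return {"password": pw, "naive_bits": round(naive, 1),
            "pattern_bits": round(pattern, 1), "verdict": verdict(pattern)}


if __name__ == "__main__":
    for pw in ("password12345", "E-mail@79"):
        print(compare(pw))
```

The naive estimate ranks password12345 above E-mail@79 (67.2 vs 59.1 bits) while the pattern-aware one reverses the order (22.3 vs 59.1 bits), which is the same flip the checkers above show.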
Password Training:
https://xkcd.com/936/
Surface scan for several types of attacks
http://securitypreview.zscaler.com/
https://www.shodan.io/host/YOURIP (replace YOURIP with your own IP address)
SSL Verification: https://www.ssllabs.com/ssltest/analyze.html?d=hardenit.net&hideResults=on&latest
Browser security checker
https://browsercheck.qualys.com/?scan_type=js
Speed test recommended:
http://securespeedtest.com/ is secure in that it does not create a database of your IP, ISP, location, etc., beyond its normal server logs. It does not operate over https, and it does contain some web bugs or tracking code, including Oracle and Google Analytics for ad service.
Ookla, AT&T, Xfinity, and others offer speed tests, but they collect IP addresses, device info, location, and any PII they can, and share it broadly with providers and internet services in order to sell, upgrade, and improve service.
Communications
Secure Video JITSI
meet.jit.si
works over VPN
New standard prototype for secure communication
2 party end-to-end secure with TLS
3 party unidirectional security. Meeting host could record, other participants cannot.
optional TLS secured tunnels to firewalled Jitsi video server
128-bit AES
optional 256-bit AES, double-encrypted SRTP
DTLS-SRTP (SIP, SDP, TCP/TLS, RTP over UDP and TCP, persistent sessions with ICE, MIKEY-SAKKE keys, and rekeying) https://tools.ietf.org/html/rfc5763
play youtube video or
record to youtube
not regionally sensitive
password protect meetings
compatible with classic voice phones
Slack, Android, iOS
Soon end-to-end encrypted with multiple streams using HIPS with Chrome WebRTC API
Perfect Forward Secrecy
paid: Cisco WebEx
interoperability with GDrive, Microsoft Teams, Canvas
2 party end-to-end secure with TLS
TLS secured tunnels to firewalled Cisco Video Server
Optional recordings stored at 256-bit AES
https://www.techradar.com/news/cisco-webex-phishing-attack-wants-to-steal-your-logins
secure messaging MATRIX framework
open source
open federation
Riot / RIOTX
end-to-end encrypted
web, desktop, Android, iOS
https://matrix.org/faq
FREE
Email is not a highly secure method of information exchange.
It has no built-in sender authentication: anyone with access to a mail server can send a message from that server which appears to originate from any user.
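Whether a domain's mail can be forged in practice is largely decided by the SPF and DMARC records it publishes, which is what the spoofability checker above tests. The added example below (written for this page, not taken from any checker or vendor) parses both records and reports a verdict; the domains and TXT records are constructed, and a live check would substitute real DNS TXT queries for the lookup function.

```python
# Constructed TXT records standing in for live DNS answers (not real domains).
# A live check would query "<domain>" and "_dmarc.<domain>" for TXT records.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:spf.protection.weak.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; pct=100"],
    "open.example": ["v=spf1 +all"],
    "_dmarc.open.example": ["v=DMARC1; p=reject"],
    "nothing.example": [],
}


def parse_spf(records):
    """Return the 'all' qualifier (+, -, ~, ?) of the v=spf1 record, or None."""
    for rec in records:
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            if mech.lower() == "all":
                return qualifier
        return "?"              # v=spf1 with no 'all' term is treated as neutral
    return None


def parse_dmarc(records):
    """Return the tag=value pairs of the v=DMARC1 record as a dict, or None."""
    for rec in records:
        if rec.lower().replace(" ", "").startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess(domain, lookup_txt):
    """Judge how easily mail can be forged with this domain in the From: header.

    lookup_txt(name) must return the list of TXT strings published for that name.
    """
    spf_all = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain))
    policy = (dmarc or {}).get("p", "none").lower()
    pct = int((dmarc or {}).get("pct", "100"))
    reasons = []
    if spf_all is None:
        reasons.append("no SPF record")
    elif spf_all == "+":
        reasons.append("SPF +all lets any host send as this domain")
    if dmarc is None:
        reasons.append("no DMARC record: receivers are not told to reject forgeries")
    elif policy == "none":
        reasons.append("DMARC p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        reasons.append("DMARC p=quarantine: forgeries land in spam, not rejected")
    if dmarc and pct < 100:
        reasons.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    # SPF alone never protects the visible From: header; DMARC is what ties
    # SPF/DKIM results to it, so the verdict hinges on the DMARC policy.
    if spf_all == "+" or dmarc is None or policy == "none":
        verdict = "spoofable"
    elif policy == "quarantine" or pct < 100:
        verdict = "partially protected"
    else:
        verdict = "protected"
    return {"domain": domain, "spf_all": spf_all, "dmarc_policy": policy,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for d in ("weak.example", "strict.example", "open.example", "nothing.example"):
        print(assess(d, lambda name: SAMPLE_TXT.get(name, [])))
```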
protonmail
open source
256-Bit AES
free / paid
Outlook SMIME, GPG, PGP
https://support.office.com/en-us/article/encrypt-email-messages-373339cb-bf1a-4509-b296-802a39d801dc
Anti-Malware
2019 Summary Chart
Bitdefender: Top 3 by AV-Comparatives in the Enhanced Real-World Protection, Real-World Protection, and Malware Protection tests.
https://www.av-comparatives.org/wp-content/uploads/2020/02/sum-2019-award-table-600x237.png
Since December of 2010, BitDefender has scored near perfect for protection in each monthly test by AV-Test. https://www.av-test.org/en/antivirus/home-windows/manufacturer/bitdefender/
AV-Comparatives found Bitdefender products for MacOS, Windows, and enterprise-level end-point protection all to be highly effective.
They are in the German trust zone, with an EU privacy policy.
https://www.av-comparatives.org/tests/malware-protection-test-march-2020/
https://www.av-test.org/en/antivirus/home-windows/
Mobile Consistent top-performer, trusted brand, U.S.-based
iOS
Android
HouseCall for Home Networks.
https://www.trendmicro.com/en_us/forHome/products/free-tools.html
@+Avast - Former Soviet development, Prague, Czech Republic. AVG detection engine, spyware. https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation (Vice magazine also collects copious amounts of user data.)
@AVG - Russian - owned by Avast
@*Avira - 24p, spammy https://www.av-test.org/en/antivirus/home-windows/manufacturer/avira/ German company, office in China. 3 major past critical flaws.
avc @+5Bitdefender - 7 AV-Comparatives Product of the Year 2019 for Advanced+ level in all 7 tests
*Bullguard
+Checkpoint
avc 2ESET 2
+*F-secure 24fp
avc +*3G Data 3
@Intego
*K7 False positives
avc @+*8Kaspersky - Russian link - compromised 2017: Israeli spies found Russians using Kaspersky Labs to target networks. Not only Moscow-based, so subject to ????? LAWS.
McAfee 25fp
*7Microsoft 9
@*NortonLifeLock 25fp
Panda False Positives
+Seqrite
+symantec
Total AV False Positives
TrendMicro https://www.av-test.org/en/antivirus/home-windows/manufacturer/trend-micro/
avc 4Total Defense 6
@+*1Trend Micro 1
avc *6VIPRE 8
Webroot - PCMag Editor's Choice 21 times. Light footprint, but AV labs have found its protection to be insufficient many times.
Also worth mentioning: 360 Total Security - free, 4 detection engines
passwords
rules
entropy
managers
web browser
firefox (best browser, requires security tuning, fastest, most compatible, best supported, less spying)
Tor (bootable disk, or private browser)
Brave - Chromium (from Google Chrome browser)
Privacy
built-in Adblocking
tor built in
edge
EXTENSIONS
adblockers (privacy and tracking/ reality bend, confirmation bias research)
noscript (website spoofing and intercept attacks)
eff.org
https-everywhere
privacy badger
duckduckgo
tor
firewall
TESTS: https://www.howsmyssl.com
vpn
Tests: My IP
DNS Leak
WebRTC leak
Tech Standards:
https://techwiser.com/vpn-protocol-explained/
DVPN/VPN0
https://brave.com/vpn0-a-privacy-preserving-distributed-virtual-private-network/
WireGuard
https://www.wireguard.com/
benchmarks: https://www.wireguard.com/performance/
IPsec/IKEv2 (L2TP)
OpenVPN
https://openvpn.net/community/
vendor help:
https://help.ui.com/hc/en-us/articles/115005445768-UniFi-USG-UDM-Configuring-L2TP-Remote-Access-VPN
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows
VPN Comparison Chart: By thebestvpn.com https://docs.google.com/spreadsheets/d/e/2PACX-1vRh1eSvC9A9hvNE9m1ZgfZQu5GtREEXtKQ25BmCLveYduOl4kVc5gDO7Mj28oOboAv-VTIMtY7JdKpP/pubhtml#
Services:
NordVPN: Panama, OpenVPN, NordLynx (WireGuard + double NAT), OnionVPN, IKEv2/IPsec, double VPN, custom DNS: AES-256. Paid.
Android, Windows XP - 10, iOS, Mac, Linux, Routers (Tomato/EdgeRouter/MikroTik/Endian/OpenWRT/AsusWRT/pfSense), Blackberry, Raspberry Pi
ProtonVPN: Swiss, open source, CERN/MIT dev, OpenVPN, IKEv2: AES-256; RSA-2048 key exchange; HMAC with SHA-256 authentication; no logs; bomb-sheltered data server; QuoVadis Trustlink Schweiz AG Certificate Authority
Free for 1 end-point, low cost for commercial IMAP/SMTP bridge for Outlook, Mozilla, etc., responsive support, GDPR
Android, Windows, iOS, Mac, Linux, Routers (AsusWRT/Tomato/DD-WRT/Vilfo)
Mullvad: Sweden, OpenVPN, WireGuard: AES-256, RSA-4096 certificates, SHA-512 server authentication, no logs, no dedicated IP, accepts bitcoin/crypto anonymous payment
WindScribe
Surfshark: British Virgin Islands, OpenVPN, IKEv2: AES-256-GCM, no logs, telemetry, Google Analytics, camouflage mode
Android, Windows, Linux, Consoles (Xbox, Playstation), iOS, Mac, Routers (RP4, DD-WRT, AsusWRT)
tunnelbear Canada, Owned by McAfee,
Android, Windows, macOS, iOS, Linux
firewall - less common on end-points. Handle mostly through the router and IPS/IDS
IP tables
Stateful Packet Inspection (SPI)/Dynamic Packet Inspection - Firewall method that keeps track of connections, as used on routers and smart switches, to block traffic which intrudes upon active sessions.
Deep Packet Inspection (DPI) - a method of examining the data inside packets before passing them on, to classify and filter by type and content.
IDS and IPS - An Intrusion Detection System notices and reports suspicious traffic or patterns of behavior caused by errors or possible attackers; an Intrusion Prevention System is an attached piece of hardware or software which monitors and controls network traffic to interfere with attacks or correct imbalances.
Windows defender firewall - Built-in end-point web filtering for Windows 10.
Tinywall - Lightweight end-point protection for 64-bit Windows. Malware Protection, hosts file protection. Free for single, private use. Denies by default. No ads or telemetry.
https://tinywall.pados.hu/reviews.php
Shorewall- Debian/GNU gateway config/firewall tool GPL, SPI. Highly configurable. Controls multiple firewalls over multiple platforms. Meta config deployment tool.
https://shorewall.org/
pfSense - IPS/IDS, BSD-based, x86 only, DDNS, OpenVPN, Microsoft Azure and AWS support, runs in VMware, low hardware requirements, scales up very high very easily, can be installed on $500-$700 hardware
http://www.pfsense.org/
lacks UTM by default, requires Squid and Snort config, supports HAProxy for routing, much less expensive than over AWS
Hardware compatibility: https://www.pfsense.org/hardware/
Config help: https://www.marcoach.nl/pfsense-utm-firewall/
uses: http://www.fail2ban.org/
OPNsense - pfSense fork, BSD-based, DPI, open source, simple setup, supports OpenVPN, routes
https://opnsense.org/
OpenWRT - network-level firewall without end-point protections
https://openwrt.org/
Smoothwall - Open source, Debian, i586 only, 64-bit and 32-bit. Not useful as a router. Limited zones. Snort IDS, free, scalable.
http://www.smoothwall.org/
Symantec - suitable for small businesses: cost $30/user annually
IPCop - Not useful as a router. Limited zones. Discontinued.
IPFire - Linux, Easy setup, free, SPI and filtering, zone-based protections
http://www.ipfire.org/
simplewall - UTM, filtering, feature rich, scales easily, free version for home. Paid support only.
https://www.simplewallsoftware.com/free/
ClearOS by HP, scalable, simple install, command-line functional, will route. Free "Community" edition and pricing for small business and enterprise
Check Point Linux UTM- Firewall, IDS, IPS, AV, scales up, supports AWS, difficult install and advanced config
Fortinet - UTM, suitable for network-level deployment, scalable, feature rich, difficult management, fine-grained traffic control
Cisco ASA / FTD - https://www.techradar.com/news/these-critical-cisco-bugs-need-patching-immediately
Palo Alto - UTM, Firewall, IDS, IPS, AV, network, mobile security, app IDs, fine-grained app control.
Juniper
https://tinywall.pados.hu/features.php
hardware
Protectli Vault - OS agnostic, open-source software (pfSense, Untangle, etc.), fast quiet hardware, 4G LTE failover available, 2, 4 or 6 ports, UPS available, starts around $200
https://protectli.com/
SonicWALL (Dell) TZ-215 IPS/IDS: comparable in pricing to pfSense builds, does include UTM, lacks other features, easy to configure; offers UTM features like anti-virus, etc. for additional fees which add up.
ubiquiti: good performing routers only, not a complete solution
Sophos XG Firewall, IPS, VPN, anti-malware, AI
intel x86, dual network interface and 4-core cpu, 6GB RAM, replaces OS
Sophos UTM, Firewall, VPN, IPS, anti-malware, AI
intel x86, dual network interface and 4-core cpu, 6GB RAM, replaces OS
Cisco ASA 5500-x
Hardware:
https://techwiser.com/vpn-protocol-explained/
IPS
cisco ASA
FILE ANALYSIS
McAfee FileInSight
mcafee.com/enterprise/en-us/downloads/free-tools/fileInsight.html (32-bit & MS Windows)
DNS sec
openDNS (Cisco) free family adult content blocker
https://www.opendns.com/setupguide/#familyshield
208.67.222.123 antiphishing, antiporn
208.67.220.123 antiphishing, antiporn
Cloudflare Encrypted DNS (DNS over TLS)
1.1.1.1 fast
1.0.0.1 fast
1.1.1.2 Antimalware
1.1.1.3 Antimalware and antiporn
comodo DNS filtered
8.26.56.26 antiphishing
8.20.247.20 antiphishing
safeDNS
Quad9
9.9.9.9 antiphishing
149.112.112.112 antiphishing
Verisign Secure DNS
64.6.64.6
64.6.65.6
CleanBrowsing Encrypted DNSSEC (DNS over TLS/HTTPS, DNSCrypt/SimpleDNSCrypt)
https://cleanbrowsing.org/filters
185.228.168.9 Antimalware, Antiphishing
185.228.169.9 Antimalware, Antiphishing
2a0d:2a00:1::2 Antimalware, Antiphishing
2a0d:2a00:2::2 Antimalware, Antiphishing
185.228.168.10 Antiporn, Antiphishing, Antimalware
185.228.169.11 Antiporn, Antiphishing, Antimalware
2a0d:2a00:1::1 Antiporn, Antiphishing, Antimalware
2a0d:2a00:2::2 Antiporn, Antiphishing, Antimalware
185.228.168.168 Youtube to safe mode, AntiVPN, AntiProxy, Antiporn, Antiphishing, Antimalware
185.228.169.168 Youtube to safe mode, AntiVPN, AntiProxy, Antiporn, Antiphishing, Antimalware
2a0d:2a00:1:: Youtube to safe mode, AntiVPN, AntiProxy, Antiporn, Antiphishing, Antimalware
2a0d:2a00:2:: Youtube to safe mode, AntiVPN, AntiProxy, Antiporn, Antiphishing, Antimalware
ADblocking
Browser extensions
DNS filtering
Pi-hole (Raspbian, Ubuntu, Debian, Fedora, CentOS)
a UTM
phone service
set pin
device set sim PIN
device lock
don't run root
encrypt device
don't run developer mode
iPhones
encryption
location
double edged
cloud storage
secure
MEGA.nz: free 15 GB (50 GB teaser). Very secure. Works with VPN, end-to-end encrypted, at least AES-256
Tresorit - double the price, maximally secure, AES-256
UPS
APC - High reliability of core function compared to other consumer and commercial systems, well-sourced, replaceable batteries, durable components.
Windows PC Config
disable DCOM
type "component services" in search
click on Atom/Ion icon
Expand "Component services" under "Console Root" folder
Expand "Computers"
Right-click on the computer desired ("My Computer")
click "Properties"
click on the "Default properties" tab.
uncheck the Enable Distributed COM on this computer box
click Apply
anti-spam link: Anti Spam https://www.auditmypc.com/freescan/antispam.html
Security: Some is better than none-- enough is best.
Security: More than enough is good-- enough is best.
Privacy: some is better than none-- more is more comfortable.
Safety: Lifesavers save, learning to swim prevents.
Liberty: The ability to have my choices respected-- the power to have them honored.
Freedom: Liberty, in motion.
Owned resources: practices.
Secure. Patch/security/critical/optional, Antimalware/blacklist/heuristic, VPN IPsec, firewall, adblocking/blacklist/behavior, no remember logins
Private. VPN/IPsec, no sharing WiFi, no broadcast SSID, no device discovery.
Obscure. Obfuscation, anonymization, disable telemetry, disable tracking, disable idents/frequently renew, roll IPs, Tor
Leased resources: practices. Privacy policies, advanced settings, know your rights, enforce rights, minimal, multi-factor, limit information sharing, no remember logins.
Borrowed/public resources: recommendations. Variety of VPN over WiFi. Layer a proxy. Private browsing modes on borrowed browsers. Logout of all accounts. Break sessions, renew IP addresses. Reboot systems. Use caution. HTTPS/Encrypted email. Low trust. As necessary, check software. Update defs, if ok. Guest mode on phones. Boot into safe mode with networking for some things.
There are several significant threats to personal information security online. 1. Google platform / Amazon Alexa --Online Personal Assistants.
https://myactivity.google.com/myactivity
https://www.google.com/maps/timeline
use ad blockers / tracking blockers
firefox - good privacy policy / practices
- Turn off telemetry
- regular updates
- active community with massive testing and user hours
- founded to promote privacy
- compatibility unlikely to be blocked if detected
duckduckgo
great privacy policy - sponsors privacy legislation
https
tracking blockers
privacy badger
behavior-based for unknown threats
privacy policy EFF supports privacy
tor browser
best privacy
unknown vendors / motives / exploits
/ VPN without leaks over Tor if desired.
use an offline personal assistant
2. Social media breaches
a. Personal info set to Public (own worst enemy / oversharing)
- full name on Facebook
- birthdate on Facebook, Instagram, LinkedIn
- maiden name (Facebook, classmates.com)
- family connections (Facebook, familytree)
- check-ins / location (facebook, google)
- bragging about trips (all social media, blogs)
- personal sharing in public (all social media, blogs)
- club/schedule/ work schedule online (all social media, blogs)
- Employer (Facebook, non-reputable resume sites)
- phone number (all social media, craigslist, ubereats, UPS, etc.)
- email address (all social media, resume sites, craigslist, jambajuice, ubereats, etc.)
- phishing games "how much do you know about me..., have you ever..., birthdate name games..." (All social media, Youtube, craigslist)
- Bad data policies and practices by Facebook, others
Facebook has pledged, and has been required since 2011, to respect your privacy and responsibly handle your information. It is facing the largest FTC fine in history for violating these terms. Experts predict they will not change their behavior.
https://www.consumerreports.org/privacy/a-record-ftc-fine-wont-fix-facebook-privacy-experts-say/?EXTKEY=AMSNLF01
UK citizens have a right to be forgotten https://ruben.verborgh.org/facebook/?
b. Facebook app platform
facebook is presently suing 1 app platform for misuse of data
the largest facebook data breach was by an app
- breaches others
- steals pictures, facts
- posts your pictures outside of your sharing settings
c. non-reputable resume sites
d. E-mail chain letters
3. advertiser /robocall/ public records aggregators
- 192.com/people
- 411.com
- www.addressess.com
- anywho.com/whitepages
- arrestfacts.com
- beenverified.com
- checkpeople.com
- dobsearch.com / peoplefinder dob search
- dmv.com
- golookup.com : @ https://golookup.com/support/optout
- findpeoplesearch.com/classic.php
- instantcheckmate.com
- intelius.com
- lexis-nexis
- peekyou.com
- peoplefinders.com
- peoplesearching.com
- peoplesmart.com/find
- people.yellowpages.com/whitepages
- persopo.com
- pipl.com
- publicrecordsnow.com
- radaris.com
- searchbug.com/peoplefinder
- skipease.com
- spokeo
- thatsthem.com
- truepeoplesearch.com
- truthfinder.com
- usapeoplesearch.com
- ussearch.com
- whitepages.com
- verispy.com
- zabasearch.com
- reversecelllookup enle.info?4onD
- netdetective.com
- intuit
- hrblock
- @ lifewire.com/google-people-search
Remedies / removal instructions
ref: onlinesafety.feministfrequency.com/en/#preventing-doxxing
rsaconference.com/writable/presentations/file_upload/hum-t19_hum-t19.pdf
deleteme by abine
TCPA
major advert org opt-outs
robocall defender appliances/services
donotcall.gov stops "legitimate" unsolicited sales calls.
4. public freemail accounts
/ content ownership
/ spam
/ phishing
growing sophistication: closeness in appearance to authentic
solution domain IPs, encryption, throwaway emails, two-factor authentication
5. Android/Microsoft phone settings: games and apps with poor privacy policies
/tracking location
tools: block your number
howto T-mobile, https://www.t-mobile.com/resources/how-to-block-your-number
1 call AT&T: *67 [other number] #
all calls ON: https://www.att.com/olam/passthroughAction.myworld?actionType=ManageVoipFeaturesRedirect&customerType=U
all call blocking OFF: https://www.att.com/olam/passthroughAction.myworld?actionType=ManageVoipFeaturesRedirect&customerType=U
1 call Verizon *67
all calls verizon https://myaccount.verizonwireless.com/clp/login?redirect=/vzw/accountholder/uc/UCServiceBlocks.action
or the My Verizon app (per https://www.verizonwireless.com/support/caller-id-block-faqs/):
Tap the menu in the top left to open it.
Tap Devices.
Find the device you want to add Caller ID Blocking to and tap Manage.
Tap Controls.
Tap Adjust Service blocks.
Find Caller ID Blocking and tap the switch so it's green.
install Bestee offline Personal Assistant to replace Google.
6. Browser settings / PC leaks.
iPhone/iPad/iPod https://support.mozilla.org/en-US/kb/install-firefox-your-ipad-iphone-or-ipod
check privacy settings:
Firefox: On Windows PC, Ctrl-Shift-P for new window in private mode.
Options > Privacy & Security
Essential settings
Be sure that DuckDuckGo, Privacy Badger, etc. are allowed in private windows.
Uncheck allow firefox to send data
Home > uncheck Recommended by Pocket
or Sponsored Stories
Search > select the DuckDuckGo from the drop-down list, if not already set.
Privacy and Security > Custom > check Trackers
> check cookies & Select 3rd party cookies from the drop-down list
> Check cryptominers
> check Fingerprinters
> Send do not track > Select the Always bullet
> delete cookies and site data when Firefox is closed.
> Logins and passwords
uncheck Ask to Save logins and passwords (unless using Firefox as your password manager)
check Use a master password. Set a strong password.
*scroll down >Firefox Data Collection
uncheck Allow Firefox to send technical data
uncheck Allow Firefox to send backlogged crash reports
>Security
make sure Blocks and Warn are all checked.
> Certificates > Select Ask Every Time.
Do query OCSP responder servers to validate.
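The settings in the Firefox checklist above end up as `user_pref` lines in the profile's prefs.js, which makes them auditable after the fact. The following added script (not from Mozilla or the original page) compares a prefs.js against the checklist; the mapping from each Options switch to its about:config name is an assumption based on Firefox releases of the time, and the prefs.js excerpt is constructed.

```python
import re

# about:config keys behind the Options > Privacy & Security switches in the
# checklist above (assumption: pref names as used by Firefox 70-era releases).
# The master password lives in the profile's key database, not in prefs.js,
# so it cannot be audited from this file.
EXPECTED = {
    "toolkit.telemetry.enabled": False,                   # technical data
    "datareporting.healthreport.uploadEnabled": False,    # technical data
    "browser.crashReports.unsubmittedCheck.autoSubmit2": False,  # crash reports
    "privacy.trackingprotection.enabled": True,           # Custom > Trackers
    "privacy.trackingprotection.cryptomining.enabled": True,
    "privacy.trackingprotection.fingerprinting.enabled": True,
    "network.cookie.cookieBehavior": 1,                   # block 3rd-party cookies
    "privacy.donottrackheader.enabled": True,             # Do Not Track: Always
    "privacy.sanitize.sanitizeOnShutdown": True,          # delete data on close
    "signon.rememberSignons": False,                      # don't ask to save logins
    "browser.safebrowsing.malware.enabled": True,         # Security: Block ...
    "browser.safebrowsing.phishing.enabled": True,
    "security.OCSP.enabled": 1,                           # query OCSP responders
    "security.default_personal_cert": "Ask Every Time",   # Certificates
    "browser.newtabpage.activity-stream.feeds.section.topstories": False,
    "browser.newtabpage.activity-stream.showSponsored": False,
}

# Constructed prefs.js excerpt: a profile that applied only part of the checklist.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("signon.rememberSignons", false);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("privacy.donottrackheader.enabled", true);
user_pref("browser.startup.homepage", "https://duckduckgo.com/");
"""

PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def _parse_value(raw):
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs_js(text):
    """Parse user_pref("name", value); lines into a dict (comments are skipped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(prefs_js_text):
    """Compare a prefs.js against EXPECTED.

    prefs.js holds only prefs changed from their defaults, so an absent key
    means the built-in default applies; it is reported as 'unset' for a manual
    check in about:config rather than counted as wrong.
    """
    prefs = parse_prefs_js(prefs_js_text)
    wrong, unset = [], []
    for name, want in EXPECTED.items():
        if name not in prefs:
            unset.append(name)
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            wrong.append((name, want, prefs[name]))   # bool/int kept distinct
    return {"wrong": wrong, "unset": unset}


if __name__ == "__main__":
    report = audit(SAMPLE_PREFS_JS)
    for name, want, got in report["wrong"]:
        print(f"WRONG  {name}: expected {want!r}, found {got!r}")
    for name in report["unset"]:
        print(f"UNSET  {name}: not in prefs.js, verify in about:config")
```

Run it against the real file (close Firefox first, then read `prefs.js` from the profile directory) to confirm the checklist actually took effect.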
Focus: Options > Privacy & Security
Chrome: chrome://settings/
or [3 dot vertical stack below "x" in upper right-hand corner of window] then Settings > Advanced > Privacy and security
chrome://flags/
chrome://pages/
Chromium
PEOPLE
Normal: Pause/Turn off Google sync.
Normal: Autocomplete: on
enhanced: off
Normal: show suggestions when not found: on
enhanced: off
All: Safe Browsing: on
All: Help improve Safe Browsing: off
All: Help improve Chrome features: off
All: Make Searches and browsing better: off
All: Enhanced spell check: off
AUTOFILL
PASSWORDS
All: Offer to save: off
Auto sign-in: off
PAYMENT METHODS
All: Save and fill: off
Normal: Addresses and more: on/optional
enhanced: addresses and more: off
SEARCH ENGINE
All: search engine used in address bar > select DuckDuckGo
ADVANCED
(last, resets browser) Normal: Allow Chrome sign-in: off
All: Send a do-not-track request.
All: Allow sites to check if you have a payment method saved: OFF
Normal: Preload: on
enhanced: preload: OFF
all: manage certificates: use a certificate
>PRIVACY AND SECURITY
>SITE SETTINGS
>COOKIES
normal: allow: on
enhanced: off
all: keep local: on
all: Block third: on
>LOCATION
all: ask first
>CAMERA
all: ask first
>Microphone
all : ask first
>notifications
all: ask first
>javascript
normal: allow
enhanced: disable
>flash normal: ask first
enhanced: disable
>popups, redirects: off
> background sync: off
OR install Brave for Windows 64-bit (x64)
Windows 32-bit (w32)
macOS (OSX)
Linux
Android (Google play)
/ Amazon Store
iPad, iPhone, iPod (Apple store)
Review settings above.
Edge: Settings > Advanced settings
Safari: Preferences > Security and Preferences > Privacy
Opera:
Internet Explorer: discontinue use.
7. Malware
It seems Kaspersky Labs leaked to Russia / Russian intelligence
Solutions
Antivirus, judged on the basis of: Protection. How effective is it in real life?
Privacy. Does the company collect user data, plant advertising trackers, or otherwise exploit the relationship such as by exporting to foreign intelligence agencies?
Cost. free for personal use is nice.
Performance. How much does it slow down the computer?
Respect. Are there popup annoyances or sneaky upsells, time-wasters and riders?
Ease of use. Can a novice use it as necessary?
Dependencies. Is an active connection to the internet required if things have already gotten weird? Will it work without a vulnerable technology like Flash installed?
There are many very effective antivirus applications out there. Avira, a past favorite, lost points due to new popup ads which steal focus from other windows, whether movies or games, plus sneaky add-ons which must be opted out of during the install process. The popups can be disabled through some registry hacks, but some software, including Malwarebytes Anti-Malware, will read these policy modifications as a malware threat, and you may receive a popup window on startup saying that a certain thing could not load, creating a new set of annoyances.

Norton is effective and a good choice, but not free. As with other multifaceted security packages, we have noticed bloat and decreased system performance. Vipre Free used to lead for speed, silence, and effectiveness, but Vipre has discontinued its free version and offers only a 30-day trial. Avast offers tons of features including a VPN, but slows down computers and may breach personal data. Bitdefender is free but does require an email address and free (painless) registration. It does collect some data.

Kaspersky has likely leaked or sold information to Russian intelligence (https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence, 2017) and was banned from U.S. government systems (https://gizmodo.com/trump-signs-ban-on-kaspersky-software-1821235669). AdvIntel claims the Russian group Fxmsp hacked TrendMicro, Symantec, and McAfee. TrendMicro admits it, Symantec denies it, and McAfee refuses to comment other than to have a spokesperson say they're investigating the possibility (https://www.cbronline.com/news/trend-micro-symantec-fxmsp). Because the extent to which they have been compromised is unknown, we do not recommend any product from Kaspersky, Symantec, or McAfee, and recommend caution with TrendMicro. ZoneAlarm uses an engine licensed by Kaspersky. Avast is heavy and is suspect regarding privacy. AVG uses the Avast engine. Avira is obnoxious.

F-Prot, Vipre, Norton, and BullGuard all offer excellent protection, with limited-time free trial options only. Windows Defender fell short on zero-day tests in the past and consistently has higher-than-industry-average false positives, meaning more disruptions without better protection. Bitdefender missed zero threats on AV-Comparatives.org tests in 2015, 2016, 2017, 2018, and so far in 2019, with extremely low false positives and very fast scans. It performed better than Windows Defender for zero-day (previously uncatalogued) threats. It is offered for free. Bitdefender is available for Android and Mac, and both versions have been consistently approved by https://www.av-comparatives.org/test-results/ whereas Webroot, Avira, and others have failed.
- refs https://www.av-test.org/en/antivirus/home-windows/ GmbH (german company)
- https://www.av-comparatives.org/comparison/
Tom's hardware guide (https://www.tomsguide.com/us/best-free-antivirus,review-6003.html) selected Kaspersky as the top free antivirus, overlooking the Russian Intelligence connection we consider a dealbreaker. Next on the list was BitDefender. Paul Wagenseil said "It's best for users who want a set-it-and-forget-it security solution..."
other site benchmarks
Run an online scan instantly for free using F-secure
or Panda
Anti-ransomware: Malwarebytes Anti-Ransomware Beta. This was hard to locate directly from the vendor. Malwarebytes' flagship product, Anti-Malware, has been a highly recommended complement to antivirus software by most in the industry for years. For reasons of increased overhead, the substantial limits of the free version, and the high potential for false positives in the free version, we did not recommend Malwarebytes Anti-Malware, but instead Malwarebytes Anti-Ransomware Beta 9, which offers realtime protection against ransomware, since this is a major threat AVs have failed to intercept or have caught too late. Anti-Malware was the most effective against a real-world threat in tests. Anti-Ransomware cannot be run alongside Malwarebytes Anti-Malware, as they utilize some of the same code, which causes conflicts.
antiphish
Phishing is an attempt to trick you into giving up your information. Email phishing is the most common form. Website phishing is next. Adverts may spoof legitimate sites, displaying logos or trademarks that don't belong to them in order to make you think they are legitimate.
Phishing is considered the greatest threat to corporate security presently. Phishing has gone from "An African prince will pay you $50,000 to hold his inheritance for just a few days" to messages apparently from your boss's email address demanding that all employees log into the corporate intranet website and update some specific records to maintain database currency, functionality, or legal compliance. They may include links whose text reads as a legitimate link but which actually direct somewhere else, and may include work order #s and the corporate letterhead or signature.
If a site seems suspicious, try checking it out with https://www.phishtank.com/
Phishtank provides much of the information relied upon by ClamAV and other popular software for phishing detection and protection.
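One defender-side check for the mismatched links described above, as an added example that is not part of the original page: it parses an HTML mail body, compares each link's visible text against its real destination, and flags destination hosts that merely contain a trusted brand name. The trusted domain and the sample mail are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the organisation's trusted domain and an HTML mail body
# in the "update your records" style described above.
TRUSTED_DOMAINS = {"example-corp.com"}

SAMPLE_HTML = """\
<p>All employees must update their records by Friday to maintain compliance.</p>
<p>Open <a href="https://intranet.example-corp.com/hr">https://intranet.example-corp.com/hr</a>
and review your profile.</p>
<p>Then confirm at
<a href="http://intranet.example-corp.com.records-update.test/login">https://intranet.example-corp.com/confirm</a>
(work order #4471).</p>
<p><a href="https://example-corp-payroll.test/">Payroll portal</a></p>
"""

# Visible link text that itself looks like a URL or hostname.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare hostname, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(href, text):
    """Return a list of reasons this link looks deceptive (empty if none)."""
    reasons = []
    target = host_of(href)
    # 1. The text shows one host, the href goes to another.
    if URLISH.match(text) and host_of(text) != target:
        reasons.append(f"text shows {host_of(text)} but href goes to {target}")
    # 2. The host is not ours but carries our brand as a label or prefix,
    #    e.g. intranet.example-corp.com.records-update.test
    if not is_trusted(target):
        for d in TRUSTED_DOMAINS:
            if d.split(".")[0] in target:
                reasons.append(f"untrusted host {target} imitates {d}")
    return reasons


def scan_html(html):
    """Return [(href, text, reasons)] for every suspicious link in the mail body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```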
8. Network Hackers
Internet: foreign states, foreign hacktivists and crime syndicates, cybergangs, lone criminals, competing businesses, political rivals, and known persons with anger or a vendetta may threaten the security of anyone with a network-connected device without ever coming near the person or machine.
(cyberscoop.com/chinese-hacking-dhs-cisa-webinar; nationalinterest.org/commentary/five-ways-china-spies-10008)
(China: pervasive access to 80% of telecoms)
(study finds half of VPN apps tied to China: ft.com/content/e5567d8a-ee65-11e8-89c8-d36339d835c0; top10vpn.com/free-vpn-app-investigation/)
Firewall for home routers Cisco OpenDNS home.
for home PC ZoneAlarm is a viable option for replacing Windows Firewall. ZoneAlarm is double-edged. On the one hand, it offers full stealth mode which hides unused ports from hackers rather than advertising them as closed. It also comes with a reasonably effective Antivirus
wifi
War-drivers are people who use wireless antennae and portable computers to identify and penetrate private WiFi networks. Sniffing, scraping, spoofing, and decrypting are some of their activities. Sometimes the motive is curiosity, other times greed, occasionally mayhem. Wireless technology means people can use short-range attacks on your computer without ever touching it.
wifi tools - Instantly learn if your router DNS has been hijacked using the free router check tool from F-Secure.
- NetSpot. Free for Android, Windows (with .NET 4.5+ required), or Mac (OSX 10.6.8 - 10.12 Sierra)
- Wireshark for Windows 64-bit (x64), Windows 32-bit (w32), PortableApps (32-bit) (for the PortableApps Platform), MacOS 10.12 and up (x64), or most any Linux/Unix distro
SOHO routers [how to access: type cmd at the Start menu in Windows, or load your macOS or Linux terminal; default username/password list; phone scan app and port list]
cell-phone device hackers
IMSI catchers: the Harris-brand StingRay II can simulate up to 4 towers (4G or 3G) at a time.
When tested, fake-cell systems beat anti-fake-cell apps such as Darshak for Android and Fake Cell-Tower Catcher for Android: https://www.wired.com/story/stingray-detector-apps/
Fake cell-tower manufacturers claim their products can create bubbles where services are denied without the cell user ever knowing, and can intercept, redirect, and create fake calls and text messages: https://info.publicintelligence.net/Gamma-GSM.pdf
Straight Talk: block your own number for 1 call with *67.
modems
High-speed modems should be secured both physically and by changing their default admin username and password.
default usernames and passwords
Wireless repeaters should generally be avoided since they typically do not have firmware patches for any vulnerabilities which may be discovered. They decrease the ability to detect rogue access points. They may extend the attack surface of the wireless signal to eavesdroppers. Directional antennae are recommended to achieve the strongest local signal with the least vulnerable range. Directional antenna use may also reduce environmental flooding and channel saturation, which makes directed attacks less likely.
passwords
firewalls
ZoneAlarm still receives top marks, but we cannot recommend our time-tested favorite stealth-mode firewall today for 4 reasons:
1. It has integrated Kaspersky antivirus.
2. It noticeably slows down a computer.
3. It requires registration, which has some privacy concerns.
4. It has no lab test results.
We recommend Windows Firewall augmented with TinyWall, an IPsec VPN tunnel, and OpenDNS. Better than none.
anti-malware / antivirus / antiphishing: Windows Defender, Bitdefender, Windows Firewall, Malwarebytes Anti-Ransomware beta
drive encryption: VeraCrypt. Simple, open, free with donations accepted. AES, full-disk.
man-in-the-middle / TLS
=====Solutions
VPN
====many VPNs tied to China / Chinese intelligence, especially free VPNs
Our trusted list, free: ProtonVPN, CyberGhost, OperaVPN
Our trusted list, paid: NordVPN, ExpressVPN
Our recommendation for free: ProtonVPN
Our recommendation for paid: NordVPN
IPsec
IPsec is an internet security stack of interlocking protocols and methods. SSL@128 with TLS 1.3 @ AES-256 is recommended for VPNs and is supported by our recommended paid VPN for *ix, Android, iOS, and Windows.
SSL-interception is a normal network management tool deployed by some administrators which uses a wildcard certificate, breaking TLS. It is not recommended to install wildcard certificates on any personal device, nor on any device which transmits personal information. We recommend users consider all networks running SSL-interception to be untrusted with the necessary exception of certain VPNs and anonymizers.
strong passwords/ password manager
(KeePassXC or KeePass 2.42)
multi-factor authentication
Multi-factor authentication (multifactor verification) means a combination of metrics.
Metrics means things that can be measured. Good multifactor authentication typically draws verification from multiple classes of metrics.
A few common classes of metrics include:
- Something you know (password, mother's maiden name, account number)
- Something you have (cell phone, key card, etc.)
- Something you are (fingerprint, retina, voice)
- Somewhere you are (IP address associated with local network / GPS / source domain)
Various metrics have various vulnerabilities and fault tolerances. For example, a voice reader might have a 30% chance of a false positive (accepting any similar-sounding voice) before the false-negative threshold is below 50% (it doesn't work on the first try about half the time). Something you know is vulnerable whenever what is known is also known by others, especially data aggregators. Where you grew up, your birthdate, your mother's maiden name, which high school you graduated from, and which hospital you were born in can all often be found in public records and deep web searches.
Most accounts are set up for something-you-know plus something-you-have multifactor, but CAPTCHA is an example of something-you-know multifactor.
proper use of Airplane mode / network discovery
tethering / hotspot creation
9. Advertisers and scams
donotcall.gov stops legitimate telemarketers
FTC.gov/abuse / fraud: report illegitimate telemarketing scams
1-877-FTC-HELP, ftc.gov/robocalls
FCC
"prescreened" loan and insurance offers
To opt out for five years: call toll-free 1-888-5-OPT-OUT (1-888-567-8688), or visit www.optoutprescreen.com and return the signed Permanent Opt-Out Election form above, or write to each of:
- Experian, Opt Out, P.O. Box 919, Allen, TX 75013
- TransUnion, Name Removal Option, P.O. Box 505, Woodlyn, PA 19094
- Equifax, Inc., Options, P.O. Box 740123, Atlanta, GA 30374
- Innovis Consumer Assistance, P.O. Box 495, Pittsburgh, PA 15230
Include full name, telephone number, Social Security number, and birthdate.
10. Product registrations / bad business / grift
BBB.org
Attorney General's office
credit card company fraud
Credit freeze / identity theft insurance / identity theft protection
talk about mail / phone / email / websites
Monitor your credit regularly with CreditKarma.com and annually with annualcreditreport.com. Both are free. Have receipts text-messaged to you instantly from your credit card companies.
Do-it-yourself is equally effective: https://www.consumerreports.org/cro/magazine/2013/01/don-t-get-taken-guarding-your-id/index.htm
If you are the victim of credit card theft, home invasion, pick-pocketing, etc., get a police report. It qualifies you for a free credit freeze from the 3 bureaus: Experian, Equifax, and TransUnion.
update: Lifelock https://www.consumerreports.org/money/No-longer-trust-LifeLock/ "...the only thing it says it will do is “notify you,” “We do not interfere with law enforcement’s enforcement of laws by disrupting criminal operations.”"
Identity theft predictions for 2019 https://www.idtheftcenter.org/2019-trends-and-predictions-for-identity-theft-data-privacy-and-cybersecurity/
https://www.idtheftcenter.org/marriott-data-breach-what-you-need-to-know-and-steps-to-take/
credit cards: limits of liability
debit cards: limits of liability virtually none. Effectively a "cash card," pre-paid gift cards included.
prepaid cards: great for online purchases.
PayPal: a layer of insulation, third-party verification of sites, free, simple, online e-wallet.
Visa pay / etc.
e-wallets: only PayPal or Visa. They have the capital to cover loss in a breach event. They have track records of success.
read about data de-anonymization
https://spreadprivacy.com/data-anonymization/
read about secure internet connections
https://spreadprivacy.com/secure-web-connection/
==================
TOP PRIORITY:
affects all Android users, chrome users, gmail users, etc.
"OK Google, delete all those recordings you made of me without my permission."
myactivity.google.com login>activity>[three bars menu] delete activity by>delete by date>"All time">delete>delete
Activity controls > web and app> manage> pause (slider)
> location > manage > pause
> Youtube watch
> Youtube search
>Ads > ad personalization > off
Security>Google apps with account access>remove most
>data and personalization > web and app activity > manage > choose to delete automatically > 3 months
=================
Data storage, security, recovery
recuva by piriform to recover files - forensic software for system restoration
encrypt SDCards and storage on Android phones
encrypt drives in Windows
bitlocker built-in
safer alternative ?
encrypted cloud storage most secure
mega
network security, privacy
password guidelines: not generators, yes managers; 128-bit, 256-bit AES; haveibeenpwned; strength-checker
antivirus - labs/results
antimalware - pc / tablet: Malwarebytes Anti-Ransomware
browser security privacy reviews firefox, eff browser extensions, duck-duck-go, avira
VPN tls, onion-over-ip, obfuscation
privacy disposable email, encrypted freemail, disposable phone numbers
people search databases/data aggregation doxing
data breaches
Doxing & swatting
removal services - removal process
DeleteMe by Abine is recommended by other security researchers. We do not endorse them, as we offer similar services for a fee alongside our directions for DIYers. We do consider Abine DeleteMe a viable alternative to our services based upon reputation, method, and the quality of their other products. Most other paid services known to us offer "deletion" by hacky automatic scripts. We use manual requests and proprietary non-automatic tactics as parts of a strategy to produce a persistent and progressive privacy improvement.
government websites
TCPA
Information sharing and preferences / Rights management
advertising opt-outs
do-not-call.gov
http://www.aboutads.info/choices/
disable voice-operated PIMs (how-to: https://venturebeat.com/2019/04/16/how-to-prevent-alexa-cortana-siri-google-assistant-and-bixby-from-recording-you/ by Kyle Wiggers, April 16, 2019)
android phone Wiser, 2014-present. Privacy policy is of concern. Free
"Grand Launcher" simplifies system, voice mode for blind. Made by Mariusz Bednarczyk (free 1 week/$1.99)
enabling/using digital personal assistants
Hey Bestee https://heybestee.com/ Offline, private, works with limited permissions.
- Android
Data bot app
Hound / SoundHound
lyra
Robin
Siri Apple (iOS/Mac built-in)
"OK Google" Google Assistant (Google Android Built-in)
smart voice assistant
"Hey, Cortana" Cortana - Windows (Windows built-in)
Alexa - Amazon
Bixby - Samsung
Voice controls/tools
Soundhound - discover music by singing or humming a sample
Read Aloud Browser addon for Chrome. Reads web-pages reasonably well, adjustable accent, tone, speed. Free, works well.
Dictation (speech to text)
communication enhancement
video calls/ videochat
Skype
Apple Facetime
Google Duo
Facebook video chat
Social media platforms: NEVER share when you're out of town, disable FB apps, no GPS check-ins
Instagram (https://www.makeuseof.com/tag/how-to-schedule-posts-on-instagram/)
Facebook
Snapchat
Tumblr
Twitter
TikTok
Pinterest
LinkedIn
Harden IT offers solutions to meet your present and future needs.
"We make things work for people." TM
3 Antivirus companies hacked by Russians
https://www.cbronline.com/news/trend-micro-symantec-fxmsp
1 in 9 People just had their data breached 8-March-2019
https://nordvpn.com/blog/verifications-io-breach-800-million/
Earlier Breaches, Check your email for breached passwords
https://haveibeenpwned.com/
Firefox is the only full-function browser with decent user privacy defaults. (Disable telemetry in settings.)
Chrome steals data, tracks across devices.
Opera steals data, tracks even when tracking is "off".
Edge constantly sends telemetry.
Internet Explorer: an MS exec says "not to be used."
HTTPS everywhere plugin
https://www.eff.org/https-everywhere at minimum
Privacy Badger plugin
https://www.eff.org/privacybadger
DuckDuckGo plugin
https://www.duckduckgo.com
KeePassXC
https://www.keepassxc.org
KeePass
https://keepass.info
add the Have I Been Pwned (HIBP) plugin.
https://github.com/andrew-schofield/keepass2-haveibeenpwned
Credit Karma free credit monitoring (use only over VPN/encrypted connections)
http://www.creditkarma.com
AdGuard (scroll to the bottom for betas)
https://adguard.com/en/welcome.html
Physical Security
FIND YOUR PHONE
https://ievaphone.com/call-my-phone Good privacy policy
CLOUD STORAGE
overall: Sync; end-to-end, Canadian privacy laws, 256 AES, TLS
free: Mega has more features, ease of use; 128-bit AES
messaging
secure browser
max secure: tresorit is most secure 256 AES
compatibility: pcloud has decent security, high compatibility, low price: sync any folder, P:drive 256 AES and TLS
strongSwan app for Android: IPsec with IKEv2, 128-bit AES, over NordVPN
NordVPN runs a vast, fast, and highly secure network. NordVPN allows connection of up to 6 devices with unlimited bandwidth, has a low price and high trust rating. It is one of few not tied to Chinese hackers and operates in a virtually warrantless jurisdiction. It offers touch-button optional Onion over IP (tor network tunnel), obfuscation (de-regionalization), double-encryption, high-encryption, and free certificate (TLS) for strongSwan to set up IKEv2 128-bit AES with TLS IPSec. It is lowest in price amongst paid VPNs and is either the second-fastest or fastest of all depending upon market and who you're asking. 3-year special rate is under $4/ month.
Russian hacking, North Korean hacking, and Chinese hacking have compromised many resources from time to time and presently.
We recommend thoroughly investigating any free VPN apps and checking against a reputable list of Chinese-owned or Chinese-connected VPN companies. A survey found 90% [cite] of the most popular VPN apps had such connections. Kaspersky antivirus has apparently been supplying Russian intelligence. Facebook was slow to respond to Russian bot-posts and targeted ads intended to disrupt the free and democratic election process of these sovereign United States of America.
Protonmail is based in Switzerland which makes digital privacy rights the legal default. Protonmail doesn't require personally identifiable information to create a free account with end-to-end encrypted email. The Android app is clean, small, and light.
Proton also offers a free VPN connection with limited access to their servers (i.e. 1/1,000) and a strict limit on monthly data (throughput limit).
==================
SOCIAL MEDIA
facebook privacy checkup https://www.facebook.com/help/443357099140264/
8 steps to secure your facebook privacy https://www.abine.com/blog/2019/8-steps-to-secure-your-facebook-privacy-settings/
- F-Droid: open-source Android apps
routers and switches prebuilt security configs.
windows policy tools
iPhone myths
=============================================================================================
Privacy policy: This is a hosted page. Ionos may track or print you if you do not take precautions. Harden IT does not control Ionos. According to Ionos, Ionos cookies do not contain personal information. Ionos claims their log file data does not link to personally identifiable information. Ionos uses Google Analytics. This poses some privacy concerns. https://www.ionos.com/terms-gtc/terms-privacy/#c810
Harden IT does NOT use this website to collect ANY information about you EVER.
Harden IT does NOT sell personal information. Period.
Harden IT will NOT share your information without your express permission or without service of a legal warrant (and we are unlikely to have anything much to share in such a case). We may generate a client list, interest list, accounts receivable and accounts payable, class list, or group list for ordinary and customary business as we present it. We do NOT participate in data mining, NOR trade in personal information.
Cookie policy: Harden IT may generate cookies to allow you to set your preference for presentation of information. We do not use them for any other purpose.
Financial disclosures:
Harden IT does not participate in click-based advertising schemes or any affiliate programs-- all recommendations made are our best efforts to provide a more useful, safe, and private world, with special attention and focus on the user experience of the World Wide Web.
session-creation vulnerabilities and interventions: client detection and prevention of evil twins, Wireshark, StingRay, etc.
See topics, information, resources, and thoughts below
For owned resources: practices and advice. Secure. Patch/security/critical/optional, Antimalware/blacklist/heuristic, VPN IPsec, firewall, adblocking/blacklist/behavior, no remember logins, secure offsite backups
Private. VPN/Ipsec, no sharing WiFi, no broadcast SSID, no device discovery,
Obscure. Obfuscation, anonymization, disable telemetry, disable tracking, disable idents/frequently renew, roll IPs, Tor
Leased resources: practices. Privacy policies, advanced settings, know your rights, enforce rights, minimal, multi-factor, limit information sharing, no remember logins.
For borrowed/public resources:
recommendations.
Variety of VPN over WiFi. Layer a proxy. Private browsing modes on borrowed browsers. Logout of all accounts. Break sessions, renew IP addresses. Reboot systems. Use caution. HTTPS/Encrypted email. Low trust. As necessary, check software. Update defs, if ok. Guest mode on phones. Boot into safe mode with networking for some things.
Someone recently asked the difference between public/private key pairs and certificates. There are a few decent explanations here:
https://www.experts-exchange.com/questions/28309725/What-is-the-difference-between-a-certificate-and-a-Private-Public-key-pair.html
In short, RSA keys are the basis for many asymmetric key exchange technologies, where there is a public key and a private key for each party in an exchange, but RSA is not the only crypto method for forward-secret asymmetric crypto. AES is used for symmetric encryption, meaning that both parties in a communication must have the same secret key. Certificates are online IDs, which can be hosted by a third party, used for verification purposes. They contain originator IDs or names, domains, public keys (sometimes), and the encryption method used. Public keys are used to encrypt a message being sent to the public key owner; private keys, held by the owner, can decrypt messages encrypted using the public key.
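To make the key-pair-versus-certificate distinction concrete, here is an added example (not from the page or the linked answer): textbook RSA on tiny constructed primes, plus a "certificate" that is nothing more than a CA's signature over (subject name, public key). Bob encrypts only after the certificate verifies under the CA key he trusts, and a certificate with an altered subject fails. The names alice@example.com and "Example CA" are constructed; real systems use 2048-bit keys, OAEP/PSS padding and X.509, none of which appears here.

```python
"""Toy RSA key pair vs. certificate (insecure, constructed parameters for illustration only)."""
import hashlib
import json


def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q. Textbook RSA, no padding: a teaching toy."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, pub):
    """Anyone holding the public key can encrypt an integer message m < n."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(c, priv):
    """Only the private key holder can recover m."""
    n, d = priv
    return pow(c, d, n)


def _digest(data, n):
    # Hash reduced mod n so it fits the toy modulus; a real scheme pads instead of reducing.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_pub, issuer, ca_priv):
    """A certificate: the issuer's signature binding a subject name to a public key."""
    body = {"subject": subject, "public_key": list(subject_pub), "issuer": issuer}
    return {**body, "signature": sign(_canonical(body), ca_priv)}


def verify_certificate(cert, ca_pub):
    body = {k: v for k, v in cert.items() if k != "signature"}
    return verify(_canonical(body), cert["signature"], ca_pub)


# Constructed parties. 61/53/17 is the classic textbook example (n = 3233, d = 2753).
ALICE_PUB, ALICE_PRIV = keygen(61, 53, e=17)
CA_PUB, CA_PRIV = keygen(1009, 1013)          # n = 1022117, a little more room for the digest
ALICE_CERT = issue_certificate("alice@example.com", ALICE_PUB, "Example CA", CA_PRIV)


def bob_sends(message_int, cert, ca_pub):
    """Bob trusts the CA, not Alice: check the certificate first, then encrypt to the key in it."""
    if not verify_certificate(cert, ca_pub):
        raise ValueError("certificate does not verify under the trusted CA key")
    return encrypt(message_int, tuple(cert["public_key"]))


if __name__ == "__main__":
    c = bob_sends(65, ALICE_CERT, CA_PUB)
    print("ciphertext", c, "decrypts to", decrypt(c, ALICE_PRIV))
    forged = dict(ALICE_CERT, subject="mallory@example.com")
    print("forged certificate verifies?", verify_certificate(forged, CA_PUB))
```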
There are several significant threats to personal information security online.
Here are some notes, topics, and related links:
Section 1.
Google platform / Amazon Alexa --Online Personal Assistants. The ONLY personal assistant we can presently recommend is Bestee for Android. It is rough around the edges, but it doesn't invade your privacy. All other (known) personal assistants are double agents. They are designed to help the machine work the way you want and to spy on you as much as you will allow, plus a little more.
https://myactivity.google.com/myactivity
https://www.google.com/maps/timeline
use ad blockers / tracking blockers
firefox - good privacy policy / practices
- Turn off telemetry
- regular updates
- active community with massive testing and user hours
- founded to promote privacy
- compatibility unlikely to be blocked if detected
duckduckgo
great privacy policy - sponsors privacy legislation
https
tracking blockers
privacy badger
behavior-based for unknown threats
privacy policy EFF supports privacy
tor browser
best privacy
unknown vendors / motives / exploits
/ VPN without leaks over Tor if desired.
use an offline personal assistant
Section 2.
Social media breaches
a. Personal info set to Public (own worst enemy / oversharing)
- full name on Facebook
- birthdate on Facebook, Instagram, LinkedIn
- maiden name (Facebook, classmates.com)
- family connections (Facebook, familytree)
- check-ins / location (facebook, google)
- bragging about trips (all social media, blogs)
- personal sharing in public (all social media, blogs)
- club/schedule/ work schedule online (all social media, blogs)
- Employer (Facebook, non-reputable resume sites)
- phone number (all social media, craigslist, ubereats, UPS, etc.)
- email address (all social media, resume sites, craigslist, jambajuice, ubereats, etc.)
- phishing games "how much do you know about me..., have you ever..., birthdate name games..." (All social media, Youtube, craigslist)
- Bad data policies and practices by Facebook, others
Facebook has pledged and is required since 2011 to respect your privacy and responsibly handle your information. It is facing the largest FTC fine in history for violating these terms. Experts predict they will not change their behavior.
https://www.consumerreports.org/privacy/a-record-ftc-fine-wont-fix-facebook-privacy-experts-say/?EXTKEY=AMSNLF01
UK citizens have a right to be forgotten https://ruben.verborgh.org/facebook/?
b. Facebook app platform
facebook is presently suing 1 app platform for misuse of data
the largest facebook data breach was by an app
- breaches others
- steals pictures, facts
- posts your pictures outside of your sharing settings
c. non-reputable resume sites
d. E-mail chain letters
Section 3. public records aggregators, please see the Personal Information Opt-Out Do-It-Yourself (PI Opt-Out DIY)
page here for directions. See below for some suggested reads and a few more topics to ask us about.
advice on onlinesafety.feministfrequency.com/en/#preventing-doxxing
rsaconference.com/writable/presentations/file_upload/hum-t19_hum-t19.pdf
deleteme by abine
FCRA
TCPA
HIPAA
FERPA
major advert org opt-outs
robocall defender appliances/services
donotcall.gov stops "legitimate" unsolicited sales calls.
Section 4.
public freemail accounts / content ownership
/ spam
/ phishing
growing sophistication: closeness in appearance to authentic communications.
==solution== user education, private domain IPs, encryption, throwaway emails, two-factor authentication
Section 5.
Android/Microsoft phone settings: games and apps with poor privacy policies
/tracking location
block your number: Here is how to block your number when making calls from your cell phone. This typically works only when making calls to non-commercial phone systems, so personal phone to personal phone only.
howto T-mobile, https://www.t-mobile.com/resources/how-to-block-your-number
1 call AT&T: *67 [other number] #. All calls ON or OFF: https://www.att.com/olam/passthroughAction.myworld?actionType=ManageVoipFeaturesRedirect&customerType=U
1 call Verizon *67
all calls verizon https://myaccount.verizonwireless.com/clp/login?redirect=/vzw/accountholder/uc/UCServiceBlocks.action
or the My Verizon app:
- Tap the menu in the top left to open it.
- Tap Devices.
- Find the device you want to add Caller ID Blocking to and tap Manage.
- Tap Controls.
- Tap Adjust Service blocks.
- Find Caller ID Blocking and tap the switch so it's green.
(per https://www.verizonwireless.com/support/caller-id-block-faqs/)
install Bestee offline Personal Assistant to replace Google.
Section 6.
Browser settings / PC leaks.
iPhone/iPad/iPod: https://support.mozilla.org/en-US/kb/install-firefox-your-ipad-iphone-or-ipod Then....
check privacy settings:
Firefox: On Windows PC, Ctrl-Shift-P for new window in private mode.
Options > Privacy & Security
Essential settings
Be sure that duckduckgo and privacy badger, etc are allowed in private windows.
Uncheck allow firefox to send data
Home > uncheck Recommended by Pocket or Sponsored Stories
Search > select the DuckDuckGo from the drop-down list, if not already set.
Privacy and Security > Custom > check Trackers
> check cookies & Select 3rd party cookies from the drop-down list
> Check cryptominers
> check Fingerprinters
> Send do not track > Select the Always bullet
> delete cookies and site data when Firefox is closed.
> Logins and passwords
uncheck Ask to Save logins and passwords (unless using Firefox as your password manager)
check Use a master password. Set a strong password.
*scroll down >Firefox Data Collection
uncheck Allow Firefox to send technical data
uncheck Allow Firefox to send backlogged crash reports
>Security
make sure Blocks and Warn are all checked.
> Certificates > Select Ask Every Time.
Check "Query OCSP responder servers to confirm the current validity of certificates."
Focus: Options > Privacy & Security
Chrome: chrome://settings/
or [3 dot vertical stack below "x" in upper right-hand corner of window] then Settings > Advanced > Privacy and security
chrome://flags/
chrome://pages/
Chromium
PEOPLE
Normal: Pause/Turn off Google sync.
Normal: Autocomplete: on
enhanced: off
Normal: show suggestions when not found: on
enhanced: off
All: Safe Browsing: on
All: Help improve Safe Browsing: off
All: Help improve Chrome features: off
All: Make Searches and browsing better: off
All: Enhanced spell check: off
AUTOFILL
PASSWORDS
All: Offer to save: off
Auto sign-in: off
PAYMENT METHODS
All: Save and fill: off
Normal: Addresses and more: on/optional
enhanced: addresses and more: off
SEARCH ENGINE
All: search engine used in address bar > select DuckDuckGo
ADVANCED
(last, resets browser) Normal: Allow Chrome sign-in: off
All: Send a do-not-track request.
All: Allow sites to check if you have a payment method saved: OFF
Normal: Preload: on
enhanced: preload: OFF
all: manage certificates: use a certificate
>PRIVACY AND SECURITY
>SITE SETTINGS
>COOKIES
normal: allow: on
enhanced: off
all: keep local: on
all: Block third: on
>LOCATION
all: ask first
>CAMERA
all: ask first
>Microphone
all : ask first
>notifications
all: ask first
>javascript
normal: allow
enhanced: disable
>flash normal: ask first
enhanced: disable
>popups, redirects: off
> background sync: off
OR install Brave:
- Windows 64-bit (x64): https://laptop-updates.brave.com/latest/winx64
- Windows 32-bit (w32): https://laptop-updates.brave.com/latest/winia32
- macOS (OSX): https://laptop-updates.brave.com/latest/osx
- Linux: https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux
- Android (Google Play): https://play.google.com/store/apps/details?id=com.brave.browser&hl=en / Amazon Store: https://www.amazon.com/Brave-Software-Browser-Fast-AdBlock/dp/B01M27C0RQ/ref=sr_1_2?s=mobile-apps&ie=UTF8&qid=1477686541&sr=1-2
- iPad, iPhone, iPod (Apple store): https://geo.itunes.apple.com/us/app/brave-web-browser/id1052879175?mt=8
Review settings above.
Edge: Settings > Advanced settings
Safari: Preferences > Security and Preferences > Privacy
Opera:
Internet Explorer: discontinue use.
Section 7.
Malware
It seems Kaspersky Labs leaked to Russia / Russian intelligence and several other major AV engine developers have been hacked recently.
======= solutions
For those in need of immediate free protection, install Windows Defender for PCs. Beyond this, we evaluate antivirus software using several factors.
Protection. How effective is it in real life?
Privacy. Does the company collect user data, plant advertising trackers, or otherwise exploit the relationship such as by exporting to foreign intelligence agencies?
Cost. free for personal use is nice.
Performance. How much does it slow down the computer?
Respect. Are there popup annoyances or sneaky upsells, time-wasters and riders?
Ease of use. Can a novice use it as necessary?
Dependencies. Is an active connection to the internet required if things have already gotten weird? Will it work without a vulnerable technology like Flash installed?
Avira, a past favorite, lost points due to new popup ads which steal focus from other windows, whether movies or games, plus sneaky add-ons which must be opted out of during the install process. The popups can be disabled through some registry hacks, but some software, including Malwarebytes Anti-Malware, will read these policy modifications as a malware threat, and you may receive a popup window on startup saying that a certain thing could not load for reasons, creating a new set of annoyances. Norton is effective and a good choice, but not free. As with other multifaceted security packages, we have noticed bloat and decreased system performance. Vipre Free used to lead for speed, silence, and effectiveness, but has been discontinued; only a 30-day trial is offered. Avast offers tons of features including a VPN, but slows down computers and may breach personal data. Bitdefender is free but does require an email address and free (painless) registration. It does collect some data. Kaspersky has likely leaked or sold information to Russian intelligence (https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence, 2017) and was banned from U.S. government systems (https://gizmodo.com/trump-signs-ban-on-kaspersky-software-1821235669). AdvIntel claims the Russian group Fxmsp hacked Trend Micro, Symantec, and McAfee. Trend Micro admits it, Symantec denies it, and McAfee refuses to comment other than to have a spokesperson say they're investigating the possibility (https://www.cbronline.com/news/trend-micro-symantec-fxmsp). Because the extent to which they have been compromised is unknown, we do not recommend any product from Kaspersky, Symantec, or McAfee, and recommend caution with Trend Micro. ZoneAlarm uses an engine licensed from Kaspersky. Avast is heavy and is suspect regarding privacy. AVG uses the Avast engine. Avira is obnoxious.
F-Prot, Vipre, Norton, and BullGuard all offer excellent protection, with limited-time free trial options only. Windows Defender fell short on zero-day tests in the past and consistently has higher-than-industry-average false positives, meaning more disruptions without better protection. Bitdefender missed zero threats on AV-Comparatives.org tests in 2015, 2016, 2017, 2018, and so far in 2019, with extremely low false positives and very fast scans. It performed better than Windows Defender for zero-day (previously uncatalogued) threats. It is offered for free. Bitdefender is available for Android and Mac, and both versions have been consistently approved by https://www.av-comparatives.org/test-results/ whereas Webroot, Avira, and others have failed.
- refs: https://www.av-test.org/en/antivirus/home-windows/ (AV-TEST GmbH, a German company)
- https://www.av-comparatives.org/comparison/
Tom's Hardware Guide (https://www.tomsguide.com/us/best-free-antivirus,review-6003.html) selected Kaspersky as the top free antivirus, overlooking the Russian intelligence connection we consider a dealbreaker. Next on the list was Bitdefender. Paul Wagenseil said "It's best for users who want a set-it-and-forget-it security solution..." Unfortunately, Bitdefender is presently somehow broken. Forums are full of users complaining that it is blocking legitimate sites such as banks and Yahoo. These malformed behaviors were confirmed as of 6/5/2019. Bitdefender was removed from systems here.
Update 6/10/2019: Bitdefender seems to be working again. These online scanners have been top tier in lab tests for years. While OFFLINE solutions are strongly recommended, periodic checks using these services may augment a system with an installed AV scanner. Run an online scan "instantly" (after you install some software) for free using F-Secure (https://download.sp.f-secure.com/tools/F-SecureOnlineScanner.exe) or Panda (http://acs.pandasoftware.com/pandacloudcleaner/installers/activescan/PandaCloudCleaner.exe).
There are many very effective antivirus applications out there and most will agree that bigger is better for the reasons that they have more resources for talent, big data analysis, user base, independent security audits, patch frequency, and virus definition list update frequency. Marketwatch listed the biggest global providers recently. https://www.marketwatch.com/press-release/mobile-antivirus-market-2019-industry-size-by-global-major-companies-profile-competitive-landscape-and-key-regions-2025-research-reports-world-2019-06-05?mod=mw_quote_news All of the solutions discussed above are represented on the list including 3 that were likely hacked, 1 that likely colluded with Russia, and 2 online types. We don't see Norton.
antiransomware: Malwarebytes Anti-Ransomware beta. This was hard to locate directly from the vendor. Malwarebytes' flagship product, Anti-Malware, has been a highly recommended complement to antivirus software by most in the industry for years. For reasons of increased overhead, the substantial limits to the free version, and the high potential for false positives in the free version, we did not recommend Malwarebytes Anti-Malware, but instead Malwarebytes Anti-Ransomware Beta 9 (https://malwarebytes.box.com/s/6vqfgzs9ci86fbga4nt95yq5uytppg1b), which offers real-time protection against ransomware, since this is a major threat AVs have failed to intercept or have caught too late. Anti-Malware was the most effective against a real-world threat in tests. It cannot be run alongside Malwarebytes Anti-Malware as they utilize some of the same code, which causes conflicts.
antiphish
Phishing is an attempt to trick you into handing over your information. Email phishing is the most common form; website phishing is next. Adverts may spoof legitimate sites, displaying logos or trademarks that don't belong to them in order to make you think they are legitimate.
Phishing is presently considered the greatest threat to corporate security. It has gone from "An African prince will pay you $50,000 to hold his inheritance for just a few days" to messages apparently from your boss's email address demanding that all employees log into the corporate intranet website and update some specific records to maintain database currency, functionality, or legal compliance. They may include links whose text reads as a legitimate link but which actually direct somewhere else, and may include work order numbers and the corporate letterhead or signature.
If a site seems suspicious, try checking it out with <a href="https://www.phishtank.com/">https://www.phishtank.com/</a> Phishtank provides much of the information relied upon by ClamAV and other popular software for phishing detection and protection.
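An added example, not code from the HardenIT page: a small Python check for the trick described above, a link whose visible text names one domain while its href points somewhere else. The HTML snippet and all domain names in it are constructed for the demonstration, and the registered-domain helper is a deliberate approximation (a real tool would consult a public suffix list).

```python
"""Flag HTML links whose visible text claims a domain that differs from the
domain the href actually points to (a common phishing pattern)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message body; the domains are placeholders.
SAMPLE_HTML = """
<p>Please update your records at
<a href="http://intranet-update.example.net/login">https://intranet.example.com/records</a>
before Friday. Questions? See <a href="https://intranet.example.com/help">our help page</a>
or <a href="https://example.com.attacker-site.example/x">example.com</a>.</p>
"""

# Matches a domain-looking token inside link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Approximation: the last two labels of the host (example.com).
    Good enough here; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (href, text) pairs whose text names a domain other than the
    registered domain of the href. Text without a domain (e.g. 'our help
    page') makes no claim and is never flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue
        claimed = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if claimed != actual:
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_HTML):
        print(f"text says {text!r} but link goes to {href}")
```

On the constructed sample this flags the first and third links (text claims example.com, href resolves to example.net and to a subdomain of attacker-site.example) and leaves the plain-text "our help page" link alone.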
8. Network Hackers
Internet: Foreign states, foreign hacktivists and crime syndicates, cybergangs, lone criminals, competing businesses, political rivals, and known persons with anger or a vendetta may threaten the security of anyone with a network-connected device without ever coming near the person or machine. Believe it or not, they probably will.
(cyberscoop.com/chinese-hacking-dhs-cisa-webinar
nationalinterest.org/commentary/five-ways-china-spies-10008)
(china pervasive access to 80% of telecoms)
(study finds half of VPN apps tied to China ft.com/content/e5567d8a-ee65-11e8-89c8-d36339d835c0 top10vpn.com/free-vpn-app-investigation/)
wifi
Keep router and switch OSs up-to-date.
Log in to your router using the methods explained later here.
Be sure your DNS is not hijacked. https://www.f-secure.com/en_US/web/home_us/router-checker
Always use a strong password, certificate, or other authentication method with AES 128 or stronger.
Use AAA. Authentication, Authorization, Accounting
<ul><h3>wifi tools</h3>
<li><a href="https://www.netspotapp.com/features.html">NetSpot</a> Free for <a href="https://play.google.com/store/apps/details?id=com.etwok.netspotapp&referrer=utm_source%3Dnetspotapp%26utm_medium%3Dbanner">Android</a>, <a href="https://cdn.netspotapp.com/download/Win/NetSpot.exe">Windows</a> (with <a href="https://www.deploymaster.com/dotnetfx.html">.NET 4.5+</a> required), or <a href="https://cdn.netspotapp.com/download/NetSpot.dmg">Mac (OSX 10.6.8 - 10.12 Sierra)</a></li>
<li><a href="">Wireshark</a> for <a href="https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.0.1.exe">Windows 64-bit (x64)</a>, <a href="https://2.na.dl.wireshark.org/win32/Wireshark-win32-3.0.1.exe">Windows 32-bit (w32)</a>, <a href="https://2.na.dl.wireshark.org/win32/WiresharkPortable_3.0.1.paf.exe">PortableApps (32-bit)</a> (for the <a href="https://portableapps.com/download">PortableApps Platform</a>), or <a href="https://2.na.dl.wireshark.org/osx/Wireshark%203.0.1%20Intel%2064.dmg">MacOS 10.12 and up (x64)</a> or <a href="https://www.wireshark.org/download.html#thirdparty">most any Linux/Unix third-party distro</a></li>
</ul>
soho routers [type cmd at the start menu in Windows or load your MacOS terminal or Linux terminal how to access/default user pass list/phone scan app and port list]
modems
routers
service use AAA / show cdp neighbors detail
Via David Dalton's Cisco I class at YVC.
! Placeholders follow the page's convention: @name is a value you choose, # is a number you choose.
service password-encryption
security passwords min-length #
login block-for #seconds attempts # within #seconds
hostname @hostname
ip domain-name @anyname.any
! hostname and ip domain-name must be set before the RSA key can be generated
crypto key generate rsa modulus #keysize
! added here: restrict SSH to version 2
ip ssh version 2
! either form; the privilege-level form grants that level at login
username @username secret @password
username @username privilege #privlevel secret @password
! "login local" authenticates against the username/secret above; the line password is then unused
line con 0
 password @password
 exec-timeout #minutes #seconds
 login local
line vty 0 15
 password @password
 exec-timeout #minutes #seconds
 login local
 transport input ssh
 exit
line aux 0
 password @password
 exec-timeout #minutes #seconds
 login local
Change username lines on backup configs.
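An added example, not from David Dalton's class nor the HardenIT page: a Python script that audits a saved IOS configuration (the text of `show running-config`) for the hardening items in the checklist above, so a backup config can be checked without touching the device. The two sample configurations are constructed placeholders, and the patterns assume standard IOS formatting (global commands unindented, line sub-commands indented by one space).

```python
"""Audit a Cisco IOS configuration text for the hardening checklist:
password encryption, minimum password length, login throttling, domain name
for SSH, local users with 'secret', and per-line exec-timeout / login local /
SSH-only transport on vty lines."""
import re

# Constructed sample: a partly hardened config (placeholder device name and hash).
SAMPLE_CONFIG = """\
hostname edge-router
ip domain-name corp.example
service password-encryption
username admin privilege 15 secret 5 $1$placeholder
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 exec-timeout 10 0
 login local
"""

# Constructed sample: the same device with every checklist item applied.
HARDENED_CONFIG = """\
hostname edge-router
ip domain-name corp.example
service password-encryption
security passwords min-length 12
login block-for 120 attempts 3 within 60
username admin privilege 15 secret 5 $1$placeholder
line con 0
 exec-timeout 5 0
 login local
line vty 0 15
 exec-timeout 5 0
 transport input ssh
 login local
"""

# Global commands that must appear somewhere in the config (regex, multiline).
GLOBAL_CHECKS = {
    "service password-encryption": r"^service password-encryption$",
    "security passwords min-length": r"^security passwords min-length \d+$",
    "login block-for (brute-force throttling)": r"^login block-for \d+ attempts \d+ within \d+$",
    "ip domain-name (required for RSA key / SSH)": r"^ip domain-name \S+$",
    "local user defined with 'secret' (not 'password')": r"^username \S+( privilege \d+)? secret ",
}


def line_sections(config):
    """Yield (line name, [sub-commands]) for each 'line con/vty/aux' block."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line "):
            if name:
                yield name, body
            name, body = raw.strip(), []
        elif name and raw.startswith(" "):
            body.append(raw.strip())
        elif name:                      # an unindented command ends the block
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit_config(config):
    """Return a list of findings (strings); an empty list means all checks passed."""
    findings = []
    for label, pattern in GLOBAL_CHECKS.items():
        if not re.search(pattern, config, re.M):
            findings.append(f"missing: {label}")
    for name, body in line_sections(config):
        if "login local" not in body:
            findings.append(f"{name}: no 'login local'")
        if not any(cmd.startswith("exec-timeout") for cmd in body):
            findings.append(f"{name}: no exec-timeout")
        if name.startswith("line vty"):
            transports = [cmd for cmd in body if cmd.startswith("transport input")]
            if not transports:
                findings.append(f"{name}: transport input not set")
            elif any("telnet" in cmd or "all" in cmd.split() for cmd in transports):
                findings.append(f"{name}: telnet permitted in '{transports[0]}'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    print("hardened sample:", audit_config(HARDENED_CONFIG) or "clean")
```

Run against a real backup with `audit_config(open("backup.cfg").read())`; every finding maps to one line of the checklist above, and the hardened sample returns no findings.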
passwords
firewalls
anti-malware / antivirus / antiphishing
drive encryption
man-in-the-middle / use TLS (v1.3 recommended)
=====Solutions
VPN
====many VPNs tied to China / Chinese intelligence, especially End-devices
free VPNs
IPsec: IPsec is a collection of tools which create a suite for complete internet security at the application layer.
firewalls URLs
level4 packet filter (IPs & ports), level7 content
Stateful monitors ack #s
firewalls can be on end-points, switches, routers
strong passwords/ password manager KeePassXC
multi-factor authentication password plus confirmation code
proper use of Airplane mode / network discovery
tethering / hotspot creation
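An added example, not code from the HardenIT page: a Python toy contrasting the stateless layer-4 filter (decisions on IPs and ports alone) with a stateful one that remembers connections a LAN host opened and checks the ACK numbers of inbound packets, as the firewall notes above describe. Addresses, ports, and sequence numbers are constructed; no real sockets are used.

```python
"""Stateless vs stateful layer-4 filtering on constructed TCP packets."""

LAN_PREFIX = "192.168.1."          # constructed private network


def is_internal(ip):
    return ip.startswith(LAN_PREFIX)


def stateless_allow(pkt):
    """Stateless rules: any outbound packet passes; an inbound packet passes
    only if it comes from TCP source port 443. That admits legitimate HTTPS
    replies, but also any unsolicited packet whose sender simply chose
    source port 443."""
    if is_internal(pkt["src"]):
        return True
    return pkt["proto"] == "tcp" and pkt["sport"] == 443


class StatefulFilter:
    """Remembers connections a LAN host opened (outbound SYN) and admits an
    inbound packet only if it belongs to one of them AND its ACK number
    acknowledges the sequence number the LAN host actually sent."""

    def __init__(self):
        self.expected_ack = {}    # (src, sport, dst, dport) -> ACK value we expect back

    def allow(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if is_internal(pkt["src"]):
            if "SYN" in pkt["flags"] and key not in self.expected_ack:
                self.expected_ack[key] = pkt["seq"] + 1     # a SYN consumes one sequence number
                return True
            return key in self.expected_ack                 # data on a flow we already know
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        want = self.expected_ack.get(reverse)
        if want is None:
            return False                                     # nobody inside asked for this
        return "ACK" in pkt["flags"] and pkt["ack"] == want


def make_tcp(src, sport, dst, dport, flags, seq=0, ack=0):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "seq": seq, "ack": ack}


# Constructed traffic: a LAN browser opens HTTPS to 203.0.113.5 and gets a
# SYN-ACK; an outsider then probes RDP (3389) from source port 443; finally
# a forged "reply" on the real connection carries a guessed ACK number.
CLIENT_SYN = make_tcp("192.168.1.10", 51000, "203.0.113.5", 443, ("SYN",), seq=1000)
SERVER_SYNACK = make_tcp("203.0.113.5", 443, "192.168.1.10", 51000, ("SYN", "ACK"), seq=7000, ack=1001)
UNSOLICITED = make_tcp("198.51.100.7", 443, "192.168.1.10", 3389, ("SYN",), seq=1)
FORGED_REPLY = make_tcp("203.0.113.5", 443, "192.168.1.10", 51000, ("SYN", "ACK"), seq=1, ack=424242)


def run_demo():
    """Return both filters' verdicts for the four packets, in order."""
    sf = StatefulFilter()
    packets = [CLIENT_SYN, SERVER_SYNACK, UNSOLICITED, FORGED_REPLY]
    return {"stateless": [stateless_allow(p) for p in packets],
            "stateful": [sf.allow(p) for p in packets]}


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The stateless filter passes all four packets, including the port-443 probe and the forged reply; the stateful one passes only the SYN and the genuine SYN-ACK. Real stateful firewalls accept ACKs within a window rather than one exact value and also track FIN/RST teardown, which this toy omits.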
9. Advertisers and scams
General: http://optout.aboutads.info/?c=2&lang=EN AdChoices Digital Advertising Alliance opt-out
Opt out of all targeted marketing members. Load this and run it through several times for best results. Many sites will report as temporarily unavailable; some will push through on subsequent attempts. Once these cookies are set, enable the "block all third-party cookies" policy in your browser and browser extensions.
About the Verizon Ad/Tracking network
<a href="https://policies.oath.com/us/en/oath/privacy/index.html">Oath</a> is AOL and Yahoo owned by Verizon and called Verizon Media.
It shares with:
Adxpose (comScore product)
Audience Science
comScore/ScorecardResearch - to opt-out of having your information shared with comScore/ScorecardResearch, click here.
DoubleVerify
Google Analytics
Integral Ads
KN Dimestore
Nielsen*
and
these widgets
1und1
Accuen
Acuity
Acxiom
Ad Supply
Ad-x
ad4mat
Adara Media
Adblade
AdClear
Adconion
Add2
Addroid
AddThis
Adelphic
AdForm
AdGear
Adimo
AdInterax
Adition
AdJuggler Inc
Adjust
Adledge
Adloox
ADMAN
Admotion
Adnanny
adNET
Adnologies
Adobe
Adometry
Adrime
AdRiver
Adroll
Adscale
AdSpirit
AdUnity
Advanse
Adventori
Advertising.com
AdvertServe
Adzerk
Affiliate Window
Affilinet
Aggregate Knowledge
Alenty
Amazon
AppNexus
AppsFlyer
Arrivalist
Atlas
Audience Science
Augur
Aunica
Authenticated Digital
BannerFlow
Barometric
Batch Media
BidSwitch
Bidtellect
Big Mobile
Blue Kai
BlueCava
Brainient
Brand.net
Bridge Track
Brightroll
C3 Metrics
Caraytech
Cardlytics
Casale Media
Catho Online Ltda
Celtra
Chango
Clickdistrict
Clinch Labs
Clipcentric
Cog Research
Cognitive Match
Collective Media
ComScore
Comune
Connexity
Connextra
Conversant
Conversion Logic
Coremetrics, Inc.
Create.js
Crisp Media
Criteo
Datalogix
DataXu
Datran
DBA Gamut
Dianomi
Digilant
Digital Control
Digital Flow
Direct Response Media
DotAndMedia
Dotomi
DoubleClick
DoubleVerify
Drawbridge
Dstillery
DynAd
Econda
Effective Measure
eGentic
Emediate
Emma Solutions
Engage BDR
Epom
ESV Digital
Eulerian
Eurozest
Everstring
Evidon
Exactag
Experian
Explido
Exponential
Extreme Reach
Eyereturn
EyeView Digital
Facebook
Facilitate
Factor TG/Symphony AM
Federated Sample
Flashtalking
Flite
FreeWheel
Fuisz Media
Gemius
GFK
GMI
Goldspot Media
GroupM Server
GumGum
GWIQ Audience Analytics
Hasoffer
Henrex
Herolens
HipCricket
Hiro Media
Hitpath (WebApps)
HotTraffic
Hurra
I Behavior KBMG
Iforex
Impact Radius
Improve Digital
Innity
Innovid
InsightExpress
Integral Ad Science
intelliAd
Interactive Sports (C.I) Ltd
Interpolls Network
Interrogare
Invite Media
iPromote
Jenjo
Jivox
JustPremium
Kantar Worldpanel
Knorex
Kochava
Kpsule
Krux
Kuaizi
Legolas Media
Lifestreet
Liquidus
LiveRail
LiveRamp
Lotame
Magnetic
Marchex Sales
Markit On Demand
Mashero
Massmotionmedia
Maxpoint Interactive
Media Armor
media.ventive
Mediaglu
Medialets
MediaMath
Meetrics
Metaapes
Metrixlab
Miaozhen
Millward Brown Digital
Mixpo Inc
Moat
Mobile 5
Mov.Ad
MP Newmedia
myThings
nakedToast
Navegg USA
Neodata
Neowauk
Netseer
Next Audience
Next Performance
NexTag, Inc.
NextPerformance
Nielsen DTVR
Nielsen OCR
Ninth Decimal
Nugg.Ad
O2 Telefonica
Okra Media
On Device Research
OneByAOL
Ooyala
OpenX
Optimise
OsAdsPro
OwnerIQ
P-Click
PaperG, Inc.
Parship Greatviews
PayPal
Phluant
Pictela
Pixalate
Piximedia
PK4 Media Video - XPS Video
Placed
Platform 161
Plexop
Plista GmbH
PointRoll
Predicta
Procter & Gamble
Project Sunblock
Quantcast
Quarter Media
Quisma
R-Advertising
Radium One
Rakuten Attribution
RealVu
Redintelligence
Relona
Republic Project
Research Now
Rich Relevance
RichMedia Studio
Rocket Fuel
Roi Media Part e Propaganda Ltda
Rubicon Project
Sam4Mobile
Scenestealer
Scoota
Sekindo
Servemotion
Session M
Shopzilla
Signal
SimpleReach
Simplytics
SiteScout
Sizmek
Skenzo (Media.net)
SMART AdServer
Soho Media
Spark Flow
Sparklit
Spartoo
Specific Media
Speedshift Media
Spongecell
SpotXchange
Stickyads.tv
Streamwize
Struq
Taboola
TagCommander
TagMan
Tail
TapAd
TapIt Media Group
TapSense
Target Performance
Telemetry
The ADEX
The Cobalt Group
The Trade Desk
Tradedoubler
Trend Research
TruEffect
TRUSTe
TubeMogul
Turbo
Turn Inc.
Turner
twiago
Underdog Media
Undertone
Unicast (Viewpoint)
ValueAd
Varick Media Management
Velti
VideoGenie
Videology
Vindico Group
Visible Measures
Visual IQ
VIVALU
Vizu
Vizury Brasil
Walmart
Wayfair
WDA
Weborama
White Ops
Wishabi
X+1
Xaxis
xplosion
Yabuka
Yieldr
ZANOX
Zedo
Zentrick
and
these content providers
ABC
Astrology.com/iVillage
Cars.com
Healthline
Match.com
Monster Inc.
Nokia Maps
Orbitz
PriceGrabber
Shopzilla
Spotify
Team Fan Shop (Pro Football Weekly)
Tenor
TripAdvisor
TrueCar
Turner
Vast (Autos)
Zillow
and these video content providers
ABC News
Blastro.com
Blip.tv
CNBC
CNN
CollegeHumor.com
Dailymotion
Ebaumsworld.com
Ehow.com
Fox News
Gametrailers.com
Good Morning America
Guardian News
Hulu
Metacafe
Metatube.com
Myspace.com
NBC
NFL
PBS
Ustream
Vevo
Videobash.com
Vimeo
Washington Post
Worldstarhiphop.com
YouTube
and
these game developers
Masque Publishing
Big Fish
and
these search partners
Chitika
Google
Media.net
Microsoft
NetSeer
Yandex
and
Apple as a Biometric Tech Provider
Other networks operating in similar ways include:
Amazon
Which collects recordings of your voice and sounds around your device through Alexa apps.
Apple Siri
which collects recordings of your voice and the sounds around your device.
Google
which collects recordings of your voice through the voice keyboard and sounds around your device
through Google Assistant.
and website content providers:
Abaca Technology Corporation
Authentication Metrics
Aviary
Bankrate
Bloomreach (Commerce SEO)
Branch.io
Detroit Trading Company
Dropbox
Google
HelloWorld, Inc.
HortonWorks
Lashback
Luminate
Manilla
Outbrain
Paypal
Project Slice
SigFig
Symantec
Trend Micro
Truedomain
Urban Airship
Katch (Yahoo Real Estate)
<a href="http://optout.networkadvertising.org/?c=1#!%2F">appnexus (to opt-out, for each browser you use, allow cookies from adnxs.com and disable add-ons and adblockers. Be sure not to be in privacy mode and not to have any social media sites open. Click this link for the Network Advertising Initiative, wait for the scan to run, then click the "opt-out of all" button. Several will likely fail. NAI advises to request each site individually, but this is also likely to fail. Some ISPs will block them automatically, some routers, proxies, antimalware apps, and plugins screen these. )</a> by Xandr are used by Microsoft. Each site and their affiliates and third parties they do business with have their own privacy and usage policies, but there does not seem to be a clear way of removing information or opting out of all Verizon, partner, provider, and affiliate offers or their tracking.
Opting out
Mobile: Android: http://www.tomsguide.com/faq/id-2330002/android-smartphone-opt-google-info-likeness-ads.html
https://support.apple.com/en-us/HT202074
http://choice.microsoft.com/en-in/opt-out#optout-windows-instruction
donotcall.gov stops legitimate telemarketers
FTC.gov/abuse / fraud --- report illegitimate telemarketing scams
1-877-FTC-HELP ftc.gov/robocalls
FCC
"prescreened" loan and insurance offers
To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688)
or
visit www.optoutprescreen.com
and
return the signed Permanent Opt-Out Election form above.
or
Experian
Opt Out
P.O. Box 919
Allen, TX 75013
and
TransUnion
Name Removal Option
P.O. Box 505
Woodlyn, PA 19094
and
Equifax, Inc.
Options
P.O. Box 740123
Atlanta, GA 30374
and
Innovis Consumer Assistance
P.O. Box 495
Pittsburgh, PA 15230
Include Full Name, telephone number, social security number, birthdate.
10. Product registrations / bad business / grift
BBB.org
Attorney Generals office
credit card company fraud
superpages.com optout of Yellow Pages Delivery
Credit freeze / identity theft insurance / identity theft protection
consumer reports about lifelock found it useless.
You can freeze your own credit for free and lifelock only reports
many cards offer credit monitoring for free with free annual memberships
citibank is one.
creditkarma.com offers free credit score checking plus reasonably good estimates of what is affecting your score with two credit bureaus, and offers a free tool to see how different events might affect it. So, you can create an account for free and then log in and it will say you have an Experian score of 670 and an Equifax score of 690, for example. The thing to watch out for with this site is that it is a commercial website and it expects to make money providing these services for free. It displays ads for credit card and insurance companies and makes suggestions to help you find products that they expect will benefit you, but will surely benefit them by way of a commission.
They offer an app for Android and iOS (both iPad and iPhone)
talk about mail / phone / email / websites
freemail is almost always retained on foreign servers which are mined for information about you. Yahoo or Hotmail may own every message that they are holding even if it has your name on the email address. They probably own the address, too. It's like your seat on a plane: it is assigned to you, but that only gives you the right to use it. They place ads in front of you hoping to sell more, and they may track you, catalog your interests, note your memberships and accounts, and learn your associations and contacts. They may be among the larger deep-web violators of privacy. Even leased or privately owned email service is generally not secure and cannot be authenticated any more than a letter dropped in the mail can be. Letters and email are alike in that each message is taken to be from whoever the sender claims in the envelope's address field, not because the postman states where it was picked up. The Internet's Simple Mail Transfer Protocol (SMTP) is sessionless. Nobody logs in to anything. It is insecure. All messages are sent unencrypted as plain, readable text. Today, most traffic is placed into tunnels while it is transported to prevent interception between handlers, but any handler can read any mail that it handles, with rare exception. There are several secure message technologies, some of which use standard SMTP.
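An added example, not code from the HardenIT page: a Python check for the sender-claim problem described above. The `From:` header is whatever the sender typed, so the script compares it with the envelope sender (`Return-Path`) and with the receiving server's own SPF/DKIM verdicts in `Authentication-Results`. Both raw messages are constructed, with placeholder domains; the check assumes your own mail server writes an `Authentication-Results` header, as most do.

```python
"""Compare the claimed From: domain with the envelope sender and with the
receiving server's SPF/DKIM verdicts on a raw RFC 5322 message."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed message: From: claims the company domain, envelope sender and
# the server's verdicts say otherwise.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.attacker-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.attacker-example.net; dkim=none
From: "CEO" <ceo@example.com>
To: staff@example.com
Subject: Update the intranet records today

Please log in and update your records.
"""

# Constructed message that passes every check.
LEGIT_MESSAGE = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "CEO" <ceo@example.com>
To: staff@example.com
Subject: Quarterly update

Slides attached.
"""


def addr_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_verdicts(header_value):
    """Extract method=result pairs (spf=pass, dkim=fail, ...) from
    Authentication-Results; keys and values returned lower-cased."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def assess_message(raw):
    """Return a list of findings; empty means the claimed sender is corroborated."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    envelope_dom = addr_domain(msg["Return-Path"])
    verdicts = auth_verdicts(msg["Authentication-Results"])
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender {envelope_dom}")
    if verdicts.get("spf") != "pass":
        findings.append(f"SPF did not pass ({verdicts.get('spf', 'absent')})")
    if verdicts.get("dkim") != "pass":
        findings.append(f"DKIM did not pass ({verdicts.get('dkim', 'absent')})")
    return findings


if __name__ == "__main__":
    print("suspicious:", assess_message(RAW_MESSAGE))
    print("legit:", assess_message(LEGIT_MESSAGE) or "no findings")
```

Only the receiving server's own `Authentication-Results` line is trustworthy; a sender can write one too, so production filters strip any such header that arrives from outside before adding their own.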
Phones are now both more AND less secure than they used to be. Originally, wired phones were the only phones. A signal was generated at one end and transmitted through a route of wires to the other end. This meant there were basically only two ways to listen to a conversation: 1. be the operator and jack in with a monitor, or 2. tap the wire somewhere along that chain. Both required physical access to the equipment. Of course, physical access and some minimal technical knowledge was all it took. Conversations were unencrypted and vulnerable to eavesdropping. Cordless phones extended the range of the wire by jumping to a two-way radio, which soon included encryption so that not just anybody within range with a radio tuner could eavesdrop. That same radio concept has been applied to the larger segments of transmission, so a phone call made on a land line might travel for a few thousand feet over copper to a phone service provider and then be transmitted by broadcast antenna to a tower on the hill, then routed the rest of the way across the country that way, or maybe even bounced off a satellite. Now, cell phones use stronger encryption between the handset itself and the first cell tower, but the first cell tower can be a fake. It could also be a tower that communicates on an older, less secure technology. One way in which phones are less secure is that there are now many more potential fault points in the secure communication and many more opportunities for many more actors to eavesdrop on or record conversations. Tools and information about how to conduct attacks are widely available, and similar technology is used by most carriers. There are two dominant protocols today, CDMA and GSM. GSM is used globally, is the protocol used by AT&T, T-Mobile, and Virgin in the United States, and is the only technology used in most of the rest of the world. It uses SIM cards as IDs.
Anything with a replaceable SIM card, whether it's an alert bracelet, WiMi router, phablet, iPhone, or flip phone, is using GSM at 2G, 3G, 4G, or 4G LTE. Verizon and Sprint use CDMA, which uses the ID of the phone or device itself. CDMA and GSM refer to how mobile devices communicate with cell towers. There are a few other, older technologies, but they are no longer supported by the towers of any major network. All carriers, and even WiFi internet, will likely migrate to the 5G protocol in coming years because it is faster and more secure than CDMA, GSM, and 802.11g technologies. 5G is not to be confused with the 5G-sounding offerings by AT&T called 5GLTE, 5Gx, 5Gt, or any other name. AT&T's "5G"-ish thing is actually 4G LTE with a twist, not anything related to the new, ultrafast 5G standard. AT&T is now in court for allegedly misleading consumers who may think it offers 5G now; it does not.
credit cards limits of liability
Credit cards have a legal limit of liability of $50; however, the terms of most cards include "zero fraud liability," which means the credit card company will not require you to pay any portion of debt that is not yours if your card is used without permission. An interesting twist of the law that many people may not know is that when a credit card is used fraudulently, while you may file a police report and collect any losses incurred, the credit card company is actually the victim of the criminal charge of fraud or theft. Normally, they own the card that you are using and it is their money that is stolen.
debit card limits of liability
Debit cards and Visa/Mastercard/store gift cards are generally regarded as cash. Debit cards are linked directly to a bank account you own, just as your own checks are. If someone uses a debit card with your PIN without your permission, you are the one who has lost the money and you are the victim of a crime. Unless your contract with your bank amends it, the law leaves the liability with you.
Prepaid cards.
Laws regarding gift cards and gift certificates have been modified and clarified. Presently, they are to be treated by both the bearers and vendors as cash in that they are presumed to belong to whomever presents them, and they can never expire. Commonly, Visa, Mastercard and other credit card-style gift cards are linked to individual accounts of cash which may be refilled or depleted and which have additional terms attached to them such as usage fees, non-usage service fees and annual fees.
paypal
Paypal is a service which acts as a secure proxy between buyers and sellers.
visapay / etc.
e-wallets
11. Physical security.
Physical security. If a child can toddle over and accidentally destroy your data with a cup of juice, you don't have any useful security, no matter how expensive or high-tech.
Backup, Backup, and lockup your backups.
Tips about securing your home: https://www.safehome.org/resources/guide-securing-home/
We recommend dogs as an early alert system; sufficient lighting and visible cameras with conspicuous legal signage as psychological deterrents, high fences, shrubs and walls as well as alarms as physical deterrents. Good weatherproof night-day vision 4-8 camera systems may be obtained for under $500 and implemented using motion-detection. Broadband streaming of video to cloud storage or websites for viewing by smartphone, or laptop while away is generally integrated into the firmware for modern video systems. Cloud storage varies in price by provider and program. Email alerts can usually be configured on an address that can send notifications to a personal phone, which can then view video streams from the cloud or private web server.
"Green zones" such as a turf yard should both remove cover for people to sneak through and reduce the risk of loss by fire. Rocks or bushes are good for preventing vehicles with unconscious operators from harming structures and the people inside. Hard-to-"bump" deadbolts with secure keysets are preferred to door-knob-integrated locks. Uninterruptible power supply (UPS) battery backups which can run a modem and camera system for an hour to 24 hours are common in the marketplace and reasonably affordable. Small to large fire safes which can be effectively hidden should contain documents, backup storage, spare keys, serial numbers and receipts for valuables, photographs or digital video of the home's interior including valuables, and a master list of passwords. Making the insurance company's job easy in the event of loss helps to enable quick restoration of materials and systems from cloud and/or safe-kept backups.
Data storage, security, recovery
recuva by piriform to recover files - forensic software for system restoration
encrypt SDCards and storage on Android phones
encrypt drives in Windows
bitlocker built-in
safer alternative ?
encrypted cloud storage most secure
MEGA Privacy
mega.nz 15GB Free
network security, privacy
password guidelines not generators, yes managers,128-bit, 256-bit AES, haveibeenpwned, strength-checker
antivirus - labs/results
antimalware - pc / tablet malwarebytes antiransomware
browser security privacy reviews firefox, eff browser extensions, duck-duck-go, avira
VPN tls, onion-over-ip, obfuscation
privacy disposable email, encrypted freemail, disposable phone numbers
people search databases/data aggregation doxing
data breaches
Doxing & swatting
removal services - removal process
DeleteMe by Abine is recommended by other security researchers. We do not endorse them, as we offer similar services for a fee alongside our directions for DIYers. We do consider Abine DeleteMe a viable alternative to our services based upon reputation, method, and the quality of their other products. Most other paid services known to us offer "deletion" by hacky automatic scripts. We use manual requests and proprietary non-automatic tactics as parts of a strategy to produce a persistent and progressive privacy improvement.
government websites
TCPA
Information sharing and preferences / Rights management
advertising opt-outs
do-not-call.gov
http://www.aboutads.info/choices/
disable voice operated PIMs (how to: https://venturebeat.com/2019/04/16/how-to-prevent-alexa-cortana-siri-google-assistant-and-bixby-from-recording-you/ Kyle Wiggers, VentureBeat, April 16, 2019)
android phone Wiser, 2014-present. Privacy policy is of concern. Free
"Grand Launcher" simplifies system, voice mode for blind. Made by Mariusz Bednarczyk (free 1 week/$1.99)
enabling/using digital personal assistants
@@ Hey, Bestee https://heybestee.com/ Offline:Private works w limited permissions
- android
Data bot app
Hound / SoundHound
lyra
Robin
Siri Apple (iOS/Mac built-in)
"OK Google" Google Assistant (Google Android Built-in)
smart voice assistant
"Hey, Cortana" Cortana - Windows (Windows built-in)
Alexa - Amazon
Bixby - Samsung
Voice controls/tools
Soundhound - discover music by singing or humming a sample
Read Aloud Browser addon for Chrome. Reads web-pages reasonably well, adjustable accent, tone, speed. Free, works well.
Dictation (speech to text)
communication enhancement
video calls/ videochat
Skype
Apple Facetime
Google Duo
Facebook video chat
Social media platforms: NEVER share when you're out-of-town, dis FB apps, no check-ins GPS
Instagram (https://www.makeuseof.com/tag/how-to-schedule-posts-on-instagram/)
Facebook
Snapchat
Tumblr
Twitter
TikTok
Pinterest
LinkedIn
Harden IT offers solutions to meet your present and future needs.
"We make things work for people." TM
Firefox is the only full-function browser with decent user privacy defaults. (Disable telemetry in settings.)
chrome steals data, tracks across devices
opera steals data, tracks even when tracking is "off"
Edge constantly sends telemetry
Internet Explorer, MS exec says "not to be used."
HTTPS everywhere plugin
https://www.eff.org/https-everywhere
If you must use a Chrome-based browser, we recommend Brave because it is a privacy- and security-focused developer with the largest community, so it may have reasonable security patch update intervals. If you have any questions about Brave browser, contact their Chief Security Officer https://www.reddit.com/r/BATProject/comments/9p04su/im_yan_zhu_braves_chief_information_security/
KeePass
https://keepass.info
add HaveIBeenPwnd (HIBP) plugin.
https://github.com/andrew-schofield/keepass2-haveibeenpwned
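An added example, not code from the HardenIT page nor from the KeePass plugin linked above: the k-anonymity scheme the Have I Been Pwned password range API uses, which is why a password manager can check a password against the breach corpus without ever sending the password or its full hash. Only the first five hex characters of the SHA-1 hash leave the machine; the client matches the remaining 35 locally against the returned range. The range response below is constructed (a real one has several hundred lines and different counts), and the network fetch is left to a caller-supplied function so the logic runs offline.

```python
"""Have I Been Pwned range-query (k-anonymity) check, network-free."""
import hashlib


def hibp_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password, fetch_range):
    """fetch_range(prefix) -> response text for that 5-char prefix.
    Returns how many times the password appeared in breaches (0 = not found)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed stand-in for the service's answer for prefix 5BAA6: the first
# suffix is the real SHA-1 tail of "password"; the count and the second line
# are made up for the demonstration.
FAKE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00A2A9D6B4C2E7ABC3E7F4A5B6C7D8E9F01:2
"""


def offline_fetch(prefix):
    """Stand-in for an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, offline_fetch), "breach hits")
```

To use it for real, replace `offline_fetch` with a function that requests `https://api.pwnedpasswords.com/range/` followed by the prefix over HTTPS; the service sees only that prefix, which is shared by hundreds of unrelated hashes.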
crackstation.net
ophcrack
rainbow tables
hash suite free
input type change - browser developer tools
refog monitor keylogger
protonVPN FREE is now without a data cap or bandwidth limit. It is fast and secure, it works without leaks. Runs UDP and TCP, kill switch. The only requirements are an email address for free trial account with expiration and a single device per account.
CLOUD STORAGE
overall sync. end-to-end, Canadian privacy laws, 256 AES TLS
free: Mega has more features, ease of use 128-bit AES
messaging
secure browser
max secure: tresorit is most secure 256 AES
compatibility: pcloud has decent security, high compatibility, low price: sync any folder, P:drive 256 AES and TLS
strongSwan app for Android: IPsec with IKEv2, 128-bit AES-SHA1 over NordVPN, ProtonVPN, ExpressVPN
OpenVPN is an open-source, highly compatible VPN security suite which runs on UDP. It has passed rigorous independent security auditing and has been available to the security community and internet users at large for a long time without discovery of any critical vulnerabilities. It is considered secure.
IPSec w/ IKEv2 x TLS
IPSec is a joint venture by Cisco and Microsoft to create the most highly secure internet protocol ever. The Edward Snowden whistleblower report to Wikileaks documented NSA attempts to inject vulnerabilities during development. Because the source code is proprietary, inspection for NSA, Microsoft, or Cisco backdoors has been impossible. IKEv2 is a process for handling certificates and for two-way authentication which works against spoofed websites and servers. IKEv2 has been integrated into Windows since version 7, as well as modern *ix, iOS, and Android. IPsec resolves faster than OpenVPN and uses TCP for session resilience. Because it is native, fault-tolerant, and faster, while potentially equally secure, it is recommended for portable devices. With the proper encryption set, IPSec tunnels with IKEv2 authentication through TLS are suitable for HIPAA compliance and government devices which require secure data transport. It is considered more secure than HTTPS, which is HTTP inside an SSL tunnel.
IKEv2 is the second generation of Internet Key Exchange technology. It supports Extensible Authentication Protocol (EAP) authentication and Mobile Internet Key Exchange (MOBIKE), which allows it to hop networks dynamically as phones do when moving within range of different towers and out of range of others; it has tunnel awareness to re-establish lost connections; it is not broken by SNAT or DNAT (but is broken by both); and it supports AES, 3DES, Camellia, and ChaCha20 ciphers, SHA-1 hashing, and 256-bit encryption. IKEv2 offers advantages over L2TP and PPTP. It has one significant weakness: it can be hacked if the pre-shared key (PSK) is cracked, so it is important to use a key with enough entropy to prevent compromise.
TLS is an essential element of a truly secure connection because it creates "end-to-end" encryption, eliminates man-in-the-middle attacks EXCEPT where &&&&&
HTTPS interception warning: Some networks, usually guest WiFi networks, use HTTPS interception, which requires you to install a generic certificate to authenticate with the guest network. The network then decrypts your web requests and re-encrypts them, hijacking the SSL session and authenticating itself with the host website. While this does provide one layer of obfuscation for the user between itself and the web host, it creates additional security issues. One issue is that the generic key is publicly available and can be used by malicious network systems outside of the network that had you install it. Because the generic certificate does not uniquely authenticate using a third-party CA validator, the authenticity and identity of the session-managing agent cannot be confirmed. The second serious issue we have with this is that HTTPS interception is technically a man-in-the-middle attack pattern. A properly configured browser or security software setup that is protecting your device will trigger and warn about this. This gives hackers an easy way to defeat the end-point protection of BYOD users and guests inside the range of these networks. Anyone could easily create an evil twin WiFi hotspot and catch logins. It is easy for a hacker to gain your permission to intercept and see unencrypted versions of all of your normally encrypted network traffic, since you installed a certificate they can mimic. Your device cannot make the distinction between an evil twin within the range of the safe network and an appliance on the safe network itself. Good browsers or antimalware will continue to warn the user that they might be getting "man-in-the-middled" (as they actually are), hence the name of the certificate used by Smoothwall, "MITM Certificate Authority (CA)." The natural consequence is that a. the person changes configurations to suppress these warnings to avoid being annoyed, or b. the person remains annoyed by good security software warnings and automatically disregards more and more legitimate warnings.
NordVPN runs a vast, fast, and highly secure network. NordVPN allows connection of up to 6 devices with unlimited bandwidth, has a low price and high trust rating. It offers one of few mobile apps not associated with Chinese hackers and operates in a virtually warrantless jurisdiction. It offers touch-button optional Onion over IP (tor network tunnel), obfuscation (de-regionalization), double-encryption, high-encryption, and free certificate (TLS) for strongSwan to set up IKEv2 128-bit AES with TLS IPSec. It is lowest in price amongst paid VPNs and is either the second-fastest or fastest of all depending upon market and who you're asking. 3-year special rate is under $4/ month.
Russian hacking, North Korean hacking, and Chinese hacking have compromised many resources from time to time and presently.
We recommend thoroughly investigating any free VPN apps and checking against a reputable list of Chinese-owned/connected VPN companies. A survey found 90% [cite] of the most popular VPN apps had such connections. Kaspersky antivirus has apparently been supplying Russian intelligence. Facebook was slow to respond to Russian bot posts and targeted ads intended to disrupt the free and democratic election process of these sovereign United States of America.
Protonmail is based in Switzerland which makes digital privacy rights the legal default. Protonmail doesn't require personally identifiable information to create a free account with end-to-end encrypted email. The Android app is clean, small, and light.
Proton company also offers a free VPN connection with limited access to their servers (i.e. 1/1,000), and a strict limit on monthly data (throughput limit).
Secure messaging
WhatsApp has been recommended by many IT pros because most people already run the Facebook platform and the level of encryption is considered acceptable; however, the worst type of vulnerability, known as "Remote Code Execution," was successfully exploited. Here is the (very tiny) report by Facebook about the breaches. https://www.facebook.com/security/advisories/cve-2019-3568
In short, remote code execution was possible on devices running iOS, Windows, and Android, using both WhatsApp and WhatsApp for Business. Remote code execution means that a hacker is able to run their own commands or programs on your machine without ever touching it. We do not recommend WhatsApp nor any Facebook platform, based upon the popularity of the target, the history of weak code, the history of poor privacy policies, the history of poor privacy policy enforcement, and the number of successful attacks against users ranging from data theft to account hijacking to remote code execution.
Presently, for secure messaging as part of a suite, Mega is recommended, as a standalone (recommended) we recommend Signal. which is available for Android, iOS, though for a robust engine which supports chat rooms with an IRC feel, Matrix is making a very strong showing in it's early stages.
===========
Yarovaya law (http://www.icnl.org/research/library/files/Russia/Yarovaya.pdf): Russian companies MUST store your data. For this reason we cannot recommend any Russian-based products or services as privacy enhancement tools.
AdGuard is NOT recommended because of this. It routes traffic through Russian servers and it is non-authoritative, so it doesn't even do its own DNS resolving.
DNS resolver comparison. Columns considered for each resolver: Name, No Logs (Private), DNSSEC, DNSCrypt, DNS over HTTPS (DoH), DNS over TLS (DoT), Safety Filtered.
Google (No Logs: No?)
8.8.8.8
8.8.4.4
Cloudflare
1.0.0.1
1.1.1.1
Cloudflare has been breached: https://github.com/pirate/sites-using-cloudflare
nslookup -type=any hardenit.net
As per Matteo at the Cloudflare community forum, only Cloudflare rejects "ANY" requests, so a failed query is confirmation that you are using Cloudflare.
Open 1.1.1.1/help in a browser to test whether you are using 1.1.1.1.
199.85.126.20 Nord DNS
8.8.8.8 Google
8.26.56.26 Comodo DNS
8.20.247.20 Comodo DNS Blocks malicious sites, does log.
9.9.9.9 CleanerDNS IBM, PCH, GCA (rumored law-enforcement), logs https://www.quad9.net/policy/ Some privacy concerns, though they claim "no PII collected," no IP logging, no info sales.
Good protection for any IoT devices! Blocks access to malicious sites. Us
CleanBrowsing
https://cleanbrowsing.org/ip-address All standard DNS, DNSSEC, DNS over HTTPS, DNS over TLS, DNSCrypt; No Logs; no web bugs or trackers found on the website.
Security filter for phishing and malware
185.228.168.9
185.228.169.9
2a0d:2a00:1::2
2a0d:2a00:2::2
Adult filter and Security filter. Adult domains blocked, search engines to safe mode
185.228.168.10
185.228.169.11
2a0d:2a00:1::1
2a0d:2a00:2::1
Family filter, Adult filter, Security filter. Proxies, VPNs & Mixed Adult Content blocked; Youtube to safe mode
185.228.168.168
185.228.169.168
2a0d:2a00:1::
2a0d:2a00:2::
OpenDNS Use Cloudflare DNS-over-HTTP/2 (as per jedisct1@cloudflare community) and https://www.opendns.com/setupguide/
208.67.222.222
208.67.220.220
https://welcome.opendns.com/ to verify
Reminder, Cloudflare HAS BEEN BREACHED. Instructions for Xbox, WiiU gaming platforms here. https://support.opendns.com/hc/en-us/articles/115003048283-Changing-DNS-on-Popular-Gaming-Systems-PS4-XBox1-WiiU-
HTTPS encrypts everything after the domain name, e.g. https://www.eff.org/p$p876o%u$%^we@as08dE. ESNI (Encrypted SNI) is an experimental standard that encrypts the domain name as well, e.g. https://s%98^hn$w*&93b-g09(83kmp%0mso$dbhj5w4^5
If you're not using the Tor browser, here's the quick way to secure Firefox with ESNI:
In the browser address bar, type "about:config"
ACCEPT the warning and continue.
Scroll down the alphabetical list to network.security.esni.enabled and double-click to change it to "True."
Scroll to network.trr.mode and set its value to "2," if it isn't already.
Go to https://www.cloudflare.com/ssl/encrypted-sni/# and click "Check my Browser" to see your current maximum security settings. Mind that websites must support the protocols in order for your browser to use these enhancements.
DNS.watch
German privacy laws, "No bullshit" policy.
https://dns.watch/how-to directions for a few OSs
For most routers, plug into the network and use 192.168.0.1
All No logging, DNSSEC enabled:
84.200.69.80 resolver1.dns.watch
2001:1608:10:25::1c04:b12f resolver1.dns.watch or Explicit v6 FQDN: resolver2v6.dns.watch
84.200.70.40 resolver2.dns.watch
2001:1608:10:25::9249:d69b resolver2.dns.watch or Explicit FQDN resolver1v6.dns.watch
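As an added example (not from the HardenIT page), here is a way to check the "DNSSEC" column above for yourself: the script sends a query with the EDNS0 "DNSSEC OK" bit to a resolver and reports whether the reply carries the AD (Authenticated Data) flag, which only a validating resolver sets. The resolver addresses in the main block come from the list above; the test name "dns.watch" is an assumption.

```python
import os
import socket
import struct

def build_query(name, qtype=1):
    """Return (transaction id, wire-format query) for name/qtype with the DO bit set."""
    txid = int.from_bytes(os.urandom(2), "big")      # unpredictable ID (CSPRNG)
    # flags 0x0100 = standard query, recursion desired; 1 question, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR (RFC 6891): root name, type 41, UDP size 4096,
    # extended rcode 0, version 0, flags 0x8000 = DNSSEC OK, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, header + question + opt

def parse_reply(reply, expected_txid):
    """Decode the 12-byte header; refuse a reply whose ID is not the one we sent."""
    if len(reply) < 12:
        raise ValueError("truncated reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    return {
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated DNSSEC
        "answers": an,
    }

def check_resolver(resolver_ip, name, timeout=3.0):
    """Send the query over UDP port 53 and return the parsed header fields."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_reply(reply, txid)

if __name__ == "__main__":
    # Resolvers from the page's list; "dns.watch" is an assumed signed test name.
    for ip in ("9.9.9.9", "1.1.1.1", "84.200.69.80", "8.8.8.8"):
        try:
            print(ip, check_resolver(ip, "dns.watch"))
        except OSError as exc:
            print(ip, "no reply:", exc)
```

A reply with "ad": True means the resolver validated the signatures; "ad": False with rcode 0 means it answered without validating, and a SERVFAIL (rcode 2) for a known-good signed name usually means validation failed.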
We recommend selecting a variety of Domain Name Servers based on the device type and usage. Generally, on a home network, you'll want to set the DNS at your router for simplicity. For most home users, your router will be at http://192.168.1.1 or http://192.168.1.2. If that doesn't work, check the chart for the administration interface for your device. It should require a login. Try the following combinations of defaults first unless you know a password has already been set.
admin (password blank)
admin admin
admin password
admin root
root root
root (password blank)
admin (your wifi password)
If none of these work for you, check the chart for defaults for your model.
Then, immediately locate "Maintenance" (toward the top on Linksys and D-Link) or "System Settings" on a Belkin.
Netgear Advanced > Setup > Internet Setup > Domain name Server (DNS) address
Zyxel Maintenance > Administration > Administrator https://www.zyxel.com/support/Zyxel-password-changing-procedure-20161213-v2.pdf
We recommend changing your administrator account name to "Pedro" or something and using a unique password, but using your wifi password is easy to remember and slightly better than nothing.
After you have secured your router with a password, locate the DNS settings. Depending on your router, it may be in "Basic Settings," "WAN settings," "advanced," or even "WiFi settings"
https://forum.xda-developers.com/general/xda-university/guide-how-to-change-dns-android-device-t3273769 Here is a list of different ways to (re)configure DNS mostly on rooted Android devices. There are some directions for those on non-rooted devices. Generally, DNS is protected on newer versions of Android, so many apps will not work.
Comodo has directions here for most computer operating systems and a generic step-by-step for routers.
wireshark
https://www.paessler.com/prtg
OpenDNS
=======
SOCIAL MEDIA
facebook privacy checkup https://www.facebook.com/help/443357099140264/
8 steps to secure your facebook privacy https://www.abine.com/blog/2019/8-steps-to-secure-your-facebook-privacy-settings/
--f-droid open source android apps
https://www.sans.org/security-resources/policies
HIPAA https://www.sans.org/security-resources/policies/server-security/pdf/workstation-security-for-hipaa-policy
For EHRs, the HIPAA Rule requires "physical, administrative, and technical safeguards" including access controls, encryption, and auditing. Safety must be ensured while data is created, accessed, stored in a "dormant state," and while in transit, specifically while transmitting. (https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/privacy-security-electronic-health-records)
routers and switches prebuilt security configs
windows policy tools
iPhone myths
OWASP.org top 10 web security vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
The United Kingdom's National Cyber Security Center offers some free security guidance for a variety of specific platforms (iOS 12, Ubuntu 18.04 LTS, Windows 10 1809) here:
https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance
Cryptify Call 3 https://www.cryptify.com/security/
Claims to offer end-to-end secure voice communication using MIKEY-SAKKE for key exchange and AES for media encryption. It has received certification for government use for secure communications up to NATO "Restricted" and UK "Official" levels. MIKEY-SAKKE is not forward secure, meaning a key compromised at one point in time allows everything prior to be decrypted. Goodin of Ars Technica describes Steven J. Murdoch's analysis: https://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitates-undetectable-mass-surveillance/
The MIKEY-SAKKE method is not recommended; however, if your goal is secrecy from eavesdropping by other-than-government actors, this free app can offer some improvement over traditional cellular.
IKEv2 can be used with PFS which is perfect forward secrecy. Keys are stored in RAM, so once a system is rebooted, old keys are lost and nothing is floating around waiting to be hacked. It uses unique (non-duplicated) keys and expirations so that even if your device isn't powered off, a new key will be generated to virtually reset the timer on any sorts of hacks in progress.
Randomness: here's a list of CSPRNG modules for assorted langs from crackstation.net
PHP mcrypt_create_iv, openssl_random_pseudo_bytes
Java java.security.SecureRandom
Dot NET (C#, VB) System.Security.Cryptography.RNGCryptoServiceProvider
Ruby SecureRandom
Python os.urandom
Perl Math::Random::Secure
C/C++ (Windows API) CryptGenRandom
Any language on GNU/Linux or Unix Read from /dev/random or /dev/urandom
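As an added example (not from crackstation or this page), a password generator built on os.urandom, the Python entry in the list above. It uses rejection sampling so that no symbol is favoured; the alphabet and the minimum length are my own choices.

```python
import math
import os
import string

# Assumed alphabet: letters, digits and a few symbols most sites accept.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

def secure_index(n):
    """Uniform integer in [0, n) drawn from os.urandom, without modulo bias.

    Taking urandom_int % n directly favours the low indices whenever 256**k
    is not a multiple of n, so values at or above the largest multiple of n
    are thrown away and redrawn."""
    if n <= 0:
        raise ValueError("n must be positive")
    nbytes = (n.bit_length() + 7) // 8
    limit = (256 ** nbytes // n) * n          # largest multiple of n that fits
    while True:
        r = int.from_bytes(os.urandom(nbytes), "big")
        if r < limit:
            return r % n

def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Password of LENGTH symbols, each chosen independently and uniformly.

    random.choice() must not be used here: the Mersenne Twister state can be
    recovered from its output. (secrets.choice(), since Python 3.6, wraps the
    same os.urandom source as this function.)"""
    if length < 12:
        raise ValueError("use at least 12 symbols")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols")
    return "".join(alphabet[secure_index(len(alphabet))] for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Guessing work in bits for a uniformly generated password."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, "%.1f bits" % entropy_bits(len(pw), len(DEFAULT_ALPHABET)))
```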
cryptool.org
Pi-hole (https://docs.pi-hole.net/main/prerequesites/#supported-operating-systems) is a great local ad-blocking DNS filter for an entire network when deployed on an ARM or CentOS Linux distro.