Privacy

Discussion in 'General Chat' started by bluecigar, Oct 6, 2018.

  1. bluecigar

    bluecigar
    Active Member

    Joined:
    Jul 11, 2009
    Messages:
    220
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    18
    Ratings:
    +8
    Hi,

    Firstly, apologies if this has already been discussed in detail. I've had a quick look at the forums and didn't find a thread, however if there is one please feel free to link me to it.

    I work in the IT industry so would consider myself reasonably tech-savvy, however I haven't kept as up to date as I believe that I should have with regards to security / privacy over the past few years.

    I find myself becoming increasingly aware that my (our) privacy is becoming more and more threatened. I use the following services:

    • iCloud - Sync of media, backup of iOS configuration etc
    • Outlook (free) - personal mail
    • Sky broadband
    • Social media (Facebook, Twitter, Instagram) - fairly static on these to be honest, but registered and use the mobile apps every day
    I'm sure that there are more, but I suppose that the above are the main ones.

    I use LastPass for password management, with mostly unique passwords for accounts, and will be using 2FA where possible.

    I'm interested in what everyone does with regards to increasing their privacy (if at all), taking into consideration the above, but also privacy when web browsing, hardware (servers / firewalls) for home etc.

    I'm not going to go extreme, but I'm considering private mail hosting services (such as Proton Mail), private media hosting on my own hardware (or encrypted Virtual Machine within a cloud service such as Azure), hardware for at home etc. They probably won't be too difficult to implement, but it would be good to see what everyone else is doing.

    Thanks,
    Craig
     
  2. rousetafarian

    Perhaps a forum username change may be a small step, if not to improve security necessarily but enhance forum anonymity.
     
  3. rousetafarian

    rousetafarian
    Moderator

    Joined:
    Aug 17, 2007
    Messages:
    22,418
    Products Owned:
    1
    Products Wanted:
    2
    Trophy Points:
    166
    Location:
    NW
    Ratings:
    +14,413
    I once hosted a meeting at Sophos HQ in Oxfordshire with the keynote speaker being an authority/subject matter expert, called Dr James Lyne.

    The premise for the day was to discuss the implementation of client security, encryption, 2FA etc amongst other things and my gob was literally smacked listening to him and watching the guys go about their day.

    Employing hackers wearing Crocs seemed the norm, and this must have been 10 years ago when two factor authentication etc was only theoretical. My point is they always have a way through, brute force or otherwise.
     
  4. bluecigar

    Hi,

    Many thanks for your response.

    Use unique or anonymous usernames. That's a good idea - common sense to be honest!! To be honest it's something that I should do - probably more to me being lazy than anything else.
     
  5. rousetafarian

    We have some very knowledgeable security guys on here (Financial Services IIRC) so this could turn into a great thread, thanks for starting it up.
     
  6. rousetafarian

    Do you object to me moving this to a possibly better forum?
     
  7. bluecigar

    Thanks - I was hoping that it could drive a discussion about privacy. I'm really interested to hear opinions on this, and what people are doing about it.

    Not at all, I was unsure of where to post this anyway. Please feel free to move this to a more appropriate forum.
     
  8. Tempest

    Tempest
    Distinguished Member

    Joined:
    Jan 11, 2002
    Messages:
    7,706
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    166
    Location:
    Horley, Surrey
    Ratings:
    +2,943
    On this topic.
    Whilst I'm very aware it's not regarded as a secure storage app for placing very important details such as passwords and banking details.

    OneNote, that's linked to your Microsoft account.
    Would you consider things saved in your OneNote to be totally and utterly insecure, or quite secure as it's only accessible via your Windows Account name and Password?

    I've started using OneNote quite a bit now, as it's a nice handy place to keep information, bit like an on-line diary etc.
    I'm not placing things like Passwords or account details in it of course, but at the same time I am writing some things, that whilst not exactly secrets, I'd still rather was pretty safe from others.
     
  9. Trollslayer

    Trollslayer
    Distinguished Member

    Joined:
    Feb 11, 2007
    Messages:
    22,908
    Products Owned:
    0
    Products Wanted:
    1
    Trophy Points:
    166
    Location:
    Poole
    Ratings:
    +8,597
    For non critical logins I have a few simple personal patterns for logins and passwords.
    For vital (banking and my broker) I have ones that are keyed to small personal things that no one knows these days. They also don't show up in google searches, and I have a standard response if someone asks "That would be telling".
     
  10. bluecigar

    I use LastPass Secure Notes for some information that I may need to remember. Not critical information though. It's only accessible in the website using your credentials.
     
  11. Tempest

    Call me a Silly Old Hector, but I just don't fancy the idea of storing my more secure passwords etc online in anything and the auto fill stuff for any banking or similar use.

    I use a similar program, all encrypted being a l-o-n-g password, and it's synced between 2 computers, my phone and my tablet, all locally, so the only place my encrypted data file exists is on my physical devices.
     
  12. Trollslayer

    It was a great kids' series.
     
  13. pinnocchio

    pinnocchio
    Well-known Member

    Joined:
    Dec 5, 2005
    Messages:
    2,414
    Products Owned:
    1
    Products Wanted:
    0
    Trophy Points:
    116
    Location:
    London
    Ratings:
    +532
    Few simple rules......

    1. Have more than one email account:-

    A REAL one that you ONLY use for people you know and who know you - You never use this for commercial contacts or public usage.

    A 'disposable' one that you use for private ongoing commercial contacts - make sure it uses a 'blind' name (i.e. not your actual name in the email address).

    A 'disposable' one you use ONLY for public use such as forums, social media, one off commercial contacts - again make sure it's not your actual name.

    2. Speaking personally I would never use a password 'saver' app, while they are convenient they also become a single point of failure to all your data, if, heaven forbid it gets compromised and you don't realise, everything you use potentially becomes compromised. Instead try to come up with a methodology that's only known to you.

    For example, you might find it easier to remember a sentence like “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Now maybe include something like the 2nd and 4th characters of the forum/website name you are using it on somewhere in the same position every time you need to create a new password.

    So for example, using the above, for AVForums it would be 'TfhIeli V w613FS.R o w$4pm' the single V and o being the second and fourth letters of AVForums, obviously in real usage you wouldn't have the spaces.

    Whereas using the same password system on Facebook would be 'TfhIeli a w613FS.R e w$4pm'

    Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it’s not bad at all. If you want to get cute you can offset the second and fourth letters, so instead of using V and o for AVForums instead use t and P (subtract two letters from the V and invert the case and add one letter to the o and invert the case), you get the gist, this allows you to create memorable yet unique passwords that are quite difficult for an attacker to crack and even if they crack one it would be very difficult for them to work out your personalised system for password generation.

    Best of all, it’s memorable. You just need to remember your phrase to be able to work out what password you may have used to logon to a website even a while ago.

    Lastly, understand that brute force technology means that any password now based on a simple phrase is surprisingly easily crackable using the parallel computing power of graphics cards and password lists. You are far better trying to come up with a personalised system known only to you but based upon a memorable model and methodology.

    Password cracking - Wikipedia
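
    The scheme in the post above, worked through in code. This is an added example, not the poster's own code: the reduction rule (initials of each word, numbers kept whole, leading symbols and sentence punctuation kept, final full stop dropped) is this example's reading of the post, and it keeps `$400` whole where the post writes `$4` by hand. The insertion offsets `(7, 15)` reproduce where the post places the two site letters; the "offset" variant (shift V back two letters and flip case, shift o forward one and flip case) is the post's `t` / `P` example. `shared_fraction` is an addition: it measures how much of one site's password is revealed by another site's, which is the property a practitioner would want to know before relying on the scheme.

```python
"""Per-site password derivation of the kind described in the post above.
Added example: the rules below are this example's reading of the scheme, not the poster's code."""
import re
import string

# Phrase from the post; the final full stop is dropped before reduction.
PHRASE = "The first house I ever lived in was 613 Fake Street. Rent was $400 per month."

# leading symbols ($), then either a whole number or the first letter, then trailing punctuation (.)
TOKEN = re.compile(r"^([^\w]*)(\d+|[A-Za-z])\w*([^\w]*)$")


def phrase_to_stem(phrase):
    """Reduce each word to its initial, keeping numbers whole and punctuation attached.
    (Assumption: the post shortens 400 to 4 by hand; this rule keeps numbers intact.)"""
    out = []
    for word in phrase.rstrip(".!?").split():
        m = TOKEN.match(word)
        if m:
            lead, core, trail = m.groups()
            out.append(lead + core + trail)
    return "".join(out)


def site_tag(site, positions=(1, 3)):
    """Second and fourth characters of the site name (0-based positions 1 and 3)."""
    return "".join(site[p] for p in positions if p < len(site))


def transform(ch, shift=0, invert_case=False):
    """Optional 'offset' step: move a letter along the alphabet (wrapping), then flip its case."""
    if ch.isalpha() and shift:
        base = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
        ch = base[(base.index(ch) + shift) % 26]
    return ch.swapcase() if invert_case else ch


def derive(phrase, site, insert_at=(7, 15), shifts=(0, 0), invert=False):
    """Splice the (optionally transformed) site tag characters into the stem at fixed offsets."""
    stem = phrase_to_stem(phrase)
    pieces, prev = [], 0
    for pos, tag, shift in zip(insert_at, site_tag(site), shifts):
        pieces.append(stem[prev:pos])
        pieces.append(transform(tag, shift, invert))
        prev = pos
    pieces.append(stem[prev:])
    return "".join(pieces)


def shared_fraction(a, b):
    """Fraction of positions at which two derived passwords are identical:
    how much of one site's password an attacker learns from another site's."""
    same = sum(x == y for x, y in zip(a, b))
    return same / max(len(a), len(b))


if __name__ == "__main__":
    for site in ("AVForums", "Facebook"):
        print(site, derive(PHRASE, site))
    print("offset variant", derive(PHRASE, "AVForums", shifts=(-2, 1), invert=True))
    print("shared", shared_fraction(derive(PHRASE, "AVForums"), derive(PHRASE, "Facebook")))
```

    Running it gives `TfhIeliVw613FS.Row$400pm` for AVForums and `TfhIeliaw613FS.Rew$400pm` for Facebook; the two differ in exactly two of 24 characters, so a single leaked password hands an attacker the whole shared stem and leaves only the site rule to guess.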
     
  14. Trollslayer

    Yes but are you worth that much effort?
    If you are worth targeting then ask yourself why.
     
  15. Tempest

    I will admit, I use Gmail for most of my emails.
    I'm kinda a little concerned that I know my email is open to others, so if some hacker wanted to know I have a doctors appointment, or my bank statement is now available, or I have just paid a bill with my credit card ending in 3654 or my council tax number has been updated.

    But it's very handy if I'm honest, that Google itself will kinda work with you, as it can alert you to things it scans in the emails.

    I suppose I don't feel I'm THAT important in reality,
    And there are never any actual financial passwords or such, but there are receipts from purchases and such like.
     
  16. Trollslayer

    I have my own domain - £2.30 per month for email and £24 per year for the domain itself.
     
  17. Tempest

    I used to do that and got bored after a few years. ;)
     
  18. pinnocchio

    Seriously?

    You think all of the people who decide to target you are rational and logical?

    nightmare neighbour internet abuse - Google Search

    Your mindset should be "I need to protect myself because I have no idea why someone might decide to latch onto me", that's your starting point.
     
  19. imightbewrong

    imightbewrong
    Distinguished Member

    Joined:
    Dec 6, 2005
    Messages:
    52,108
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    167
    Location:
    Romford-ish
    Ratings:
    +32,321
    Rather than doing that, if you really believe that 256 bit encryption can be broken, why not use a password app to store your passwords (most of mine are > 100 characters where permitted, so individually nice and strong) but keep a bit of the password in your head. E.g. random password + something per site, or just a one off thing, or know that you added n junk characters to remove. Combine that with needing 2FA on sites for new ip addresses etc.

    One of the nice things about the password apps is how easy it is to change your password - for example with many popular sites you can click a button and you have a new complex password for somewhere like Amazon - and you don't even know what it is, which is good in a torture scenario. Very hard/tedious to rotate your passwords when using a system like the above.

    The simpler you can make something secure, the more likely it is to be secure.
     
  20. pinnocchio

    I don't believe that 256 bit encryption will be broken anytime soon, although if someone can make a low cost quantum computing breakthrough who knows.

    But my concern regarding an app based on a phone or elsewhere isn't about 256 bit encryption....it would be a different attack vector.

    Let's say....disenfranchised staff member at the app writer, who has been shut out of the company float/purchase/merger etc.... That staff member takes it upon themselves to slightly modify the code on the app so that when the app is run the password(s) for that user account are forwarded onto a third party site. The app doesn't even need the code to be directly embedded, it could be pulled in real time from a third party malware site without the user or the app publisher necessarily knowing so that when they decide to 'switch off' the hack there may not even be an audit trail of the code.

    This is just one quick example I can think of.

    I wouldn't claim my suggestion for passwords is either perfect or the only methodology. But as you're keeping ALL the information in your head you are never relying on an external single point of failure/weakness.
     
  21. Trollslayer

    Risk = severity of event times the probability of event.
    By ignoring the probability you risk missing lower severity risks that are much higher probability and require different management.
     
  22. xar

    xar
    Well-known Member

    Joined:
    Jan 31, 2013
    Messages:
    1,623
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    116
    Location:
    Edinburgh
    Ratings:
    +964
    In terms of the broader area of privacy, try the website doileak.com from any browser. I use nordvpn on several of my devices but recently discovered most browsers have a feature called webrtc where your device/browser and the website communicate directly thus bypassing the VPN. I had no idea.

    Have subsequently disabled webrtc and a few other features on all browsers.

    Must admit I do need to improve passwords, but do tend to use the text/phone verification method these days .
     
  23. Retro Oswald

    Retro Oswald
    Distinguished Member

    Joined:
    Oct 20, 2005
    Messages:
    21,219
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    166
    Location:
    Ashford, Kent
    Ratings:
    +2,411
    I've tried to delete as much online presence as possible.

    1. Got Apple to delete the Apple ID of 3 other accounts I've had over the years
    2. Deleted my gmail account
    3. Deleted my LinkedIn, Facebook and twitter. Only have instagram left
    4. Spent days removing myself from online email databases.

    I doubt anyone was really Interested in me anyway but I'm glad to have reduced my online presence.

    Forums is one where I wish I could still go and get wiped from history but I've learnt to just not join new forums in future
     
  24. imightbewrong

    Password alone is no good with two-factor - there's really quite a lot to do to crack it. As I say, if you 'encode' your information it's no good anyway.

    Having every single password being completely different is a big win.
     
  25. Trollslayer

    Thanks, just disabled WebRTC in Chrome.
     
  26. bluecigar

    Doileak.com seems very informative. I didn't know about WebRTC. Looks like one to disable, unless it removes some features that I'm not aware of?

    The reason that I use LastPass is that I can have totally random passwords for more or less every site. I suppose the challenge is that these passwords are protected by one master password, however this can be protected by 2FA.

    I don't want to completely remove my online presence, but where possible I'd like to protect my identity. This, for me, will start with the home network, which is protected by my Sky Router only (not taking into account device security such as Windows Firewall). I might be being totally paranoid, but a device that Sky could possibly access and monitor my internal network doesn't sit right with me, regardless of what I'm doing.
     
  27. Bl4ckGryph0n

    Bl4ckGryph0n
    Distinguished Member

    Joined:
    Sep 11, 2003
    Messages:
    39,070
    Products Owned:
    10
    Products Wanted:
    13
    Trophy Points:
    166
    Location:
    ::1/128
    Ratings:
    +12,831
    As it is regarding privacy, and I've been an ethical hacker from the moment I was born, I won't go into details about what it is that I do to secure my privacy. The reason being, these days we are the biggest leak and the easiest hack in our security setup.

    But yes some of the things I do;
    - Use a password manager, and even I fell into a trap of convenience and reusing a password when I was in the recent BA attack. I've sorted my own mess and it is now a unique one for each site, there really isn't an excuse especially with superb iOS integration in both sites and apps as well now.
    - Do not use the Google Suite of applications and operating systems for stuff I want to keep private.
    - Never ever install software from questionable places including operating systems. Anyone remember the Chinese origin phones that came out of the distributor with a compromised ROM on Android?
    - Enable an outbound firewall, the amount of applications that send 'analytic' data home is just beyond belief. First element to go on a device and then I carefully allow each connection and request.
    - Encrypt email content where it matters, you may have SSL between you and your postbox but you have little control over what happens next.
    - When researching a topic like for a potential patent, do not use the google browser or search engine. You can't hide your tracks fully but patent trolls and other teams are reviewing for ideas.
    - Don't keep Alexa or Google home listening to your conversations.
    - Don't use anything free unless you are happy that you've become the product.
    - Happy to unfriend people who keep spamming me, be it via facebook or other compromised channels. It is interesting to see how many still don't get that them holding your contact details and being compromised compromises you.

    Check Have I Been Pwned: Check if your email has been compromised in a data breach and I have been several times :) Most of it is harmless and annoying, but if you are the kind that falls for phishing, smishing, vishing, or pharming, and no shame there as today they've become very very good at what they do, then it is definitely worthwhile to note.
     
    Last edited: Oct 7, 2018
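
    The Have I Been Pwned check mentioned above has a companion service, Pwned Passwords, whose `range` endpoint lets you test a password without sending it anywhere: you SHA-1 the password locally, send only the first five hex characters of the hash, and compare the returned suffix list on your own machine (k-anonymity). Below is an added example of that lookup, not code from the thread or from HIBP. The `SAMPLE_RANGE_5BAA6` text is a constructed stand-in for the API response so the example runs offline; the real suffix of SHA-1("password") is in it, the counts are made up. `fetch_range` does the live call and is the only part that touches the network. The email-address lookup linked in the post needs an API key and is not shown.

```python
"""Pwned Passwords lookup with k-anonymity (added example, not from the thread or HIBP)."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password locally; only the first 5 hex chars are ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Response body is 'SUFFIX:COUNT' per line for every known hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of times the password appears in breaches, 0 if absent from the range."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network); the full hash and the password never leave the machine."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the /range/5BAA6 response so the example runs offline.
# The middle line is the real suffix of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
"""


def check_offline(password):
    """Same logic as a live check, run against the constructed response."""
    return breach_count(password, SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "constructed-unlisted-9x!"):
        print(f"{pw!r} -> {check_offline(pw)} breach occurrences")
```

    For a live check replace `SAMPLE_RANGE_5BAA6` with `fetch_range(prefix)` where `prefix` is the first element of `split_hash(password)`; the comparison still happens locally.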
  28. Bl4ckGryph0n

    That is the easiest one to fix, just get your own router and make your network off that one. It is also easy when changing provider as you only have to swap out the boundary device and don't have to change any internal network settings :)
     
    Last edited: Oct 7, 2018
  29. Bl4ckGryph0n

    Oh and before everyone runs off and disables WebRTC please do review again what it is actually leaking :) No VPN software will be able to block that, it's a browser feature :) Safari won't do it at all, Chrome does, as does Firefox, but neither actually provide your real IP address.....However when using Brave it does support that protocol as well, and that one actually does provide your real internal network IP address.

    But before people panic, remember this is your internal network IP address, not the public IP address of your router and ISP. So in combination with several proxy chains and non-logging VPN connections it doesn't really mean much.

    Well, I say that however... Web Real Time Communications could be used to enable your camera and take those dodgy photos :p If you send me 1/3 of a bitcoin then I'll promise not to forward them to your friends and family :D:rotfl:
     
    Last edited: Oct 7, 2018
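
    To check for yourself what the previous two posts are arguing about, look at the actual ICE candidates a browser produces (chrome://webrtc-internals, or a page that logs `onicecandidate`) rather than trusting a one-line verdict from a leak-test site. The script below is an added example, not code from the thread or from doileak: it parses candidate lines in the RFC 5245 `candidate:` syntax and sorts the addresses into LAN-only (RFC 1918, link-local, loopback), mDNS-obfuscated (`.local` names, which newer browsers use in place of host addresses) and routable. A routable address that is not the VPN exit address is the real-IP leak. The sample candidates and the `VPN_EGRESS` value are constructed; RFC 5737 documentation ranges stand in for public addresses, which is why the code checks private ranges explicitly instead of using `ip_address(...).is_private`, which treats those documentation ranges as private too.

```python
"""Classify ICE candidates to see what WebRTC exposes (added example, not from the thread)."""
import ipaddress
import re

# Addresses that are only meaningful inside the LAN (RFC 1918, link-local, loopback, ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

# RFC 5245 candidate attribute:
#   foundation component transport priority addr port typ type [raddr a rport p] ...
CANDIDATE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) (?P<priority>\d+) "
    r"(?P<addr>\S+) (?P<port>\d+) typ (?P<typ>\S+)(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?")


def parse_candidate(line):
    """Return the candidate fields as a dict, or None if the line is not a candidate."""
    m = CANDIDATE.search(line)
    return m.groupdict() if m else None


def is_internal(addr):
    """True for LAN-only addresses, False for routable ones, None for mDNS names (xxx.local)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL)


def audit(candidate_lines, vpn_egress_ip):
    """Summarise what the candidates reveal. A routable address other than the VPN
    exit address is the 'real public IP' leak that leak-test pages warn about."""
    findings = {"internal_ips": set(), "public_ips": set(), "mdns_names": set(), "real_ip_leak": False}
    for line in candidate_lines:
        cand = parse_candidate(line)
        if not cand:
            continue
        for addr in (cand["addr"], cand["raddr"]):   # raddr is None when absent
            if not addr:
                continue
            internal = is_internal(addr)
            if internal is None:
                findings["mdns_names"].add(addr)
            elif internal:
                findings["internal_ips"].add(addr)
            else:
                findings["public_ips"].add(addr)
                if addr != vpn_egress_ip:
                    findings["real_ip_leak"] = True
    return findings


# Constructed candidates (RFC 5737 documentation ranges stand in for public addresses):
# a plain host candidate, an mDNS-obfuscated host candidate, and a server-reflexive one.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0 ufrag abcd",
    "candidate:2 1 udp 2122194687 9f2c7a1e-4b3d-4f0e-8c2a-1d5e6f7a8b9c.local 54322 typ host generation 0 ufrag abcd",
    "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0 ufrag abcd",
]
VPN_EGRESS = "198.51.100.9"  # assumption: the exit address your VPN provider shows you

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CANDIDATES, VPN_EGRESS).items():
        print(f"{key}: {value}")
```

    With the constructed input the server-reflexive candidate carries 203.0.113.7, which is not the VPN exit address, so `real_ip_leak` is true; the host candidate only gives away the internal 192.168.1.23, which is the lesser exposure the post above describes. If the VPN routes the STUN traffic as well, the reflexive address equals the VPN exit and the flag clears.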
  30. bluecigar

    It absolutely is. I played around with pfSense yesterday. Thinking that I'm going to install it on an old laptop for the time being to see how it works. Going to drop it in between the Sky router and my access point and have it handle the routing and firewalling. Probably going to install snort too, as it seems to be the recommended package to install.

    I've never thought about the outbound rules. I was aware that the outbound firewall was open, but I just left it. How did you identify which traffic to allow / deny?
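
    One way to answer the question in the post above, added here as an example and not anything posted in the thread: start with a default outbound block that logs, collect what gets blocked for a while, aggregate the flows per source/destination/port, and turn the ones you recognise into explicit pass rules while everything else stays blocked and goes on a review list. The flow log below is constructed in a format of this example's own (it is not pfSense's filterlog format); the generated lines use pf rule syntax, but on pfSense you would enter the equivalent through the Firewall > Rules page rather than paste them. `KNOWN_PORTS` is an assumption about what counts as expected traffic.

```python
"""Build an outbound allowlist from observed flows (added example, not from the thread)."""
import csv
import io
from collections import Counter

# Constructed flow log, as you might collect while "block out log all" is in place.
# Documentation ranges (RFC 5737) stand in for real destinations. Format is this example's own.
FLOW_LOG = """\
ts,src,dst,dport,proto
2018-10-07T09:00:01,192.168.1.23,203.0.113.5,443,tcp
2018-10-07T09:00:02,192.168.1.23,203.0.113.5,443,tcp
2018-10-07T09:00:05,192.168.1.23,192.0.2.53,53,udp
2018-10-07T09:01:10,192.168.1.23,198.51.100.77,443,tcp
2018-10-07T09:02:30,192.168.1.40,198.51.100.77,443,tcp
2018-10-07T09:03:00,192.168.1.23,203.0.113.99,8443,tcp
"""

# Assumption: only DNS and web ports are treated as expected without a second look.
KNOWN_PORTS = {53, 80, 443}


def summarise(log_text):
    """Count how often each (src, dst, dport, proto) tuple was seen."""
    flows = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        flows[(row["src"], row["dst"], int(row["dport"]), row["proto"])] += 1
    return flows


def suggest_rules(flows):
    """Turn flows on known ports into 'pass out quick' rules (first match wins in pf
    when 'quick' is set) and keep a default logging block last. Everything on an
    unexpected port is left blocked and listed for review instead of being allowed."""
    passes, review = [], []
    for (src, dst, dport, proto), hits in sorted(flows.items()):
        if dport in KNOWN_PORTS:
            passes.append(f"pass out quick proto {proto} from {src} to {dst} port {dport}")
        else:
            review.append(f"# {hits}x {src} -> {dst}:{dport}/{proto}  (unexpected port, identify the app)")
    return passes + ["block out log all"], review


if __name__ == "__main__":
    rules, review = suggest_rules(summarise(FLOW_LOG))
    print("\n".join(rules))
    print("\n".join(review))
```

    The review list is where the 'analytics' traffic mentioned earlier in the thread tends to surface: a single host talking to one destination on an odd port. Leave those blocked until you have matched them to an application you actually want phoning home.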
     
