In the spirit of crime prevention, by making spying on computer users harder for criminals or governments, computer security should be high enough that computer crime can only happen with the help of inside people. The modern computer information age can, in my view, be reduced to point-and-click, wholesale, set-it-and-forget-it automated spying on users, with the ability to pinpoint individuals much like multi-gigapixel orbiting spy satellites focusing in on (tracking) dime-sized objects and relaying real-time information to authorized parties. Similarly, in the present information age, intelligence organizations likely subscribe to massive amounts of private/public data with the ability to know the present, predict the future, and relate singled-out users to other users or groups worldwide, all accomplished with sleight-of-hand, behind-the-scenes magic brought to life with millions of lines of programming code tying together vast databases of information automatically collected/correlated/related about users, all done behind an innocent false front of market/business/consumer research to better serve consumers. In the spirit of freedom from such virtual digital intrusion into end users' privacy, I use and recommend:
1. A CPU that protects against data-execution buffer (over/under)run attacks.
2. A properly configured, robust, modern operating system with file-level permissions (WinNT 4 through 7 will do). I am intimidated by "C:\windows\winsxs", which just keeps on growing and getting bigger all the time ... there is also the issue of all those .dll files hanging around just waiting to be linked on the fly into anything ...
3. IPsec turned on (request security, or at least MD5 integrity checking); if you can VPN back to the office network and then out to the internet, that is more secure. Also, since IP protocol numbers run 0-255 (for example ICMP=1, TCP=6, UDP=17), the rest may pose a security risk, so block them unless specifically needed...
4. Tor (onion routing) and Privoxy network add-ons. Configured right, this means to me that your firewall refuses to let programs connect to the WAN except through Privoxy, and Privoxy goes only through Tor to get to the WAN (block "UDP-53 and TCP-80 in/out"; DNS also goes through Tor), and within your torified tunnel use SSL for your connections. Your firewall can catch programs attempting connections outside your rules, so check the logs. Also remember that Tor just minimizes interception by the "listening" man in the middle (by encrypting your network packets and randomizing where they pop out of the Tor network) but does nothing for the security of email/data stored on public servers once it reaches them safely; for that you want PGP-type encrypted/signed mail/data, and it is likely a good idea to encrypt mail/data on your everyday computing device as well in case of theft/loss. Plus, it would be great if you can get your friends and relatives to follow you, because without them you're the only one "not-leaking/clean/secure" and ... you can also check/tune up your "leaky computing system" via these websites:
surveillance self-defense,
privacy.net,
Breadcrumbs,
panopticlick.eff.org,
flash-security,
FlashCookies,
Flash-Cookies-Lawsuit,
I used Flash for a long time and have now uninstalled it; so far I am not missing anything important by removing Flash. One can also use 'KFC.exe' to remove Flash cookies,
SSL-Fortify-Check,
show-ip.net,
cloakfish.com,
phaster.com,
computer-security-problems-described,
stillistener.com,
Tomato + OpenVPN,
Cryptome.org
...
You can install Privoxy multiple times in different directories, running on different ports with different browser ID personalities, used with a variety of browsers all installed at the same time: Safari, Firefox, Firebird, IE, Netscape, Opera, Mozilla. By doing this you add another layer of security against exploits targeting "specific" browsers: by pretending to be the "specific" exploitable browser, an attack for that browser does not affect the actual browser you are using. Store your unwanted cookies in Privoxy's cookie "jar.log" and delete them... Block "facebook.com" and "analytics.google.com" or "google-analytics.com" tracking sites, with their code snippets plugging into everything that may work (spy on you) in conjunction with Flash cookies...
Also the new government gimmick, the "opt-in" NOT-BE-TRACKED list, is for children who believe in Santa, Jesus, Buddha or Mohammed... once you opt in they have to keep track of you, by definition, in order to NOT track you ... duhh ... more
5. Until you can trust a platform/computing device, run it in a proxy network configuration just to see what it does: enable logging of every step it takes over the network, sort of stepping it through a debugger, and do the same every time you or it updates itself, to see if it made any changes that make it untrustworthy... You have to set up different proxy ports for each networked device you own so that they log all of their network connections/actions separately for later analysis... not nearly as complicated as stepping executable files through debuggers and very much worth doing in my opinion... Also TCP/UDP port-scan all of your devices looking for open ports, block any found at the network/device firewall level, and find and remove the software causing open listening ports that you do not specifically want...
6. Check for rootkits and remove them if you can!!!
One way is to back up your files, reformat your partitions or disks and restore everything from the backup, then hunt down and delete the .dll, .exe files or registry settings that install the rootkit, and employ a granular firewall that authorizes network connections per individual .dll, .exe or .sys file... but let's face it, it is nearly impossible to remove good rootkits; some really good rootkits don't even store a file on your computer to run from. Instead these load through a "hole" (assembly [PC->JSR] = JumpToSubRoutine) in the operating system (???) while your computer is running, and after they are finished doing whatever they do they simply "poof" out of existence without a trace. (Block all protocols you don't use/need: raw...)
...
So pay attention to ports opening and closing (stealthily) by looking at your firewall logs after you clean up and lock down your computer. I have noticed, for instance, it to be a "good idea" for "me" to block (in/out) [idea-1, idea-2] some of these found "listening" on my Win-7
(25, 135-139, 143, 445, 631, 903, 1025, 2223, 2745, 3127, 3140, 5000, 5535, 6129, 6969, 7734, 7735, 17300, 17500, 21636, 27347, ...), but I also like to block
"svchost.exe port 80" (in/out) to "anywhere special" like "65.55.119.90" & "65.54.95.28" & "96.17.8.154" & "65.55.13.86" & "65.54.95.200" & "198.87.182.144" & "128.241.220.104" on and on and on and on ... After I started blocking my "svchost.exe" on "port 80" to
everywhere, it resulted in very positive "less and less" spawning of second copies of "explorer.exe" (sessions) that were "caught" constantly probing input/output from the keyboard (possible ?= keylogger =? .dll loaded)
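To act on the advice above to read the firewall logs after locking down, here is an added example (my code, not from this page) that audits a Windows Firewall log in its W3C pfirewall.log layout against the page's own policy: direct TCP/80 and UDP/53 must never be ALLOWed outbound, nothing should reach 65.54.0.0-65.55.254.254 unless deliberately unblocked, and DROPs are tallied per direction, remote address and port so repeated probing stands out. The log records are constructed; the field order follows the #Fields header Windows writes.

```python
"""Audit a Windows Firewall log (pfirewall.log, W3C layout) against the
Privoxy/Tor-only policy from the page.  Sample records are constructed."""
import ipaddress
from collections import Counter

# Policy from the page: direct web and DNS are blocked (they must go via
# Privoxy -> Tor), plus the 65.54.x-65.55.x range the author blocks by default.
BLOCKED_OUTBOUND = {("TCP", 80), ("UDP", 53)}
BLOCKED_RANGE = (ipaddress.IPv4Address("65.54.0.0"),
                 ipaddress.IPv4Address("65.55.254.254"))

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-02-20 10:01:02 ALLOW TCP 127.0.0.1 127.0.0.1 49152 8118 0 - 0 0 0 - - - SEND
2011-02-20 10:01:03 ALLOW TCP 192.168.1.5 203.0.113.9 49153 9001 0 - 0 0 0 - - - SEND
2011-02-20 10:01:04 ALLOW UDP 192.168.1.5 192.168.1.1 51000 53 0 - 0 0 0 - - - SEND
2011-02-20 10:01:05 DROP TCP 192.168.1.5 65.55.119.90 49160 80 52 S 1 0 8192 - - - SEND
2011-02-20 10:01:06 DROP TCP 192.168.1.5 65.55.119.90 49161 80 52 S 2 0 8192 - - - SEND
2011-02-20 10:01:07 ALLOW TCP 192.168.1.5 65.54.95.28 49162 443 0 - 0 0 0 - - - SEND
2011-02-20 10:01:08 DROP TCP 198.51.100.7 192.168.1.5 4444 445 48 S 3 0 8192 - - - RECEIVE
""".splitlines()

def in_blocked_range(ip):
    """True if ip (IPv4) falls inside the range the page says to block."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False          # IPv6 or malformed: not in an IPv4 range
    return BLOCKED_RANGE[0] <= addr <= BLOCKED_RANGE[1]

def parse_line(line):
    """Return a dict for one record, or None for comments/blank/short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    port = int(f[7]) if f[7].isdigit() else None   # '-' for ICMP records
    return {"action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": port, "path": f[16]}

def audit(lines):
    """Return (leaks, drops): ALLOWed outbound records that violate the
    policy, and a Counter of dropped (direction, remote, port) tuples."""
    leaks, drops = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "SEND" and rec["action"] == "ALLOW":
            if ((rec["proto"], rec["dport"]) in BLOCKED_OUTBOUND
                    or in_blocked_range(rec["dst"])):
                leaks.append((rec["proto"], rec["dst"], rec["dport"]))
        elif rec["action"] == "DROP":
            remote = rec["dst"] if rec["path"] == "SEND" else rec["src"]
            drops[(rec["path"], remote, rec["dport"])] += 1
    return leaks, drops

if __name__ == "__main__":
    leaks, drops = audit(SAMPLE_LOG)
    print("leaks past policy:", leaks)
    print("drops by (direction, remote, port):", drops.most_common())
```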
...
After you block TCP port 80 and UDP port 53 and [65.54.0.0-65.55.254.254 (unblock these if/when using Hotmail/SkyDrive/Windows Update)] and are using Tor for all outbound connections, you may
still want to pay attention to some recurring Tor servers which could give you tainted Tor network description files; by simply blocking the IPs of suspicious Tor servers you further improve your
resistance to man-in-the-middle interception/decryption/DNS poisoning of your computer communications. Unhappy "man in the middle" monitors may try to discourage use of Tor by resetting/cutting encrypted
network connections; these could be attempts to route your Tor traffic through Tor servers that "man in the middle" attackers have keys to, or it could just be intentionally delaying your Tor secure
network traffic... (Tor will greatly interfere with private/corporate/.gov spying-on-you operations that insert, under the cover of "legitimate business advertising user tracking", real-time custom-tailored
"pictures/advertisements/cookies" into your "webpage/html-email" user experience at the "last mile", "up close and personal" or "custom tailored" to you, that only you would look at; things like
"pictures/advertisements/cookies" the "man in the middle" at the "last mile" can replace/insert "on the fly" into your internet experience, which ONLY YOU are EXPOSED TO, compulsorily, down the "wire" ...)
Essentially the attackers are using an in-between caching/forwarding proxy, keeping logs of sites visited and cached copies of the pictures, sounds and videos sites deliver, and may "grab & hold" or "replace" media in the cache; as
long as internet communications are "unencrypted", like voice telephones, then anyone in between can do this (like communist dictatorship post offices). If internet traffic is encrypted then the whole encryption infrastructure
would likely be required to have back doors built in for governments and their authorized agents to continue as if there was no encryption at all... so use SSL over the Tor network for a start...
Also I anticipate (with almost certain inability to do anything about it) technologies first being used clandestinely and later becoming public (802.11a-b-? => now public WiFi); one example may be hardware-level short-range GHz wireless rootkits built directly into actual CPUs, to which your only defense
may be to compute in an RF-shielded building/room... All these modern technologies have made information security a nightmare; typewriter-produced and filing-cabinet-stored information on paper, in the simpler times of the 1970s, made spying harder and defending easier... ((As of Feb 2011 I am 99%
positive (via ruling out other leaks) that there exists a built-in RF rootkit implemented on the silicon of the AMD TK53 CPU (and likely all new CPUs have this), responsible for deleting/modifying/adding files left on a running Win-7 environment via short-range wireless control [or a sensitive overhead satellite]...))
Some day someone will take pity on me and tell me why I have a rash of people seeking me out with iPhones scanning
RF frequencies near my laptop, which may be emitting some sort of 802.11(?)/Bluetooth rootkit-like signals from my Win7 Acer laptop...
7. Install only those programs/software that you need and trust. You could create a clean pre-rootkit (pre-spyware-infection) image of your operating system, stored separately from your data, and revert to this clean image whenever you suspect you're infected; this saves time compared to a fresh install and reconfiguration of your operating system...
8. ** Go slow on updates; most older software still works without as many scammers, spyware, back doors, adware or CRAP (aka DRM) enforced by public law (DMCA)...
Some exceptions do apply; for instance, proven security holes germane to your instance or installation with available patches are always a good idea to patch...
9. Pocket computers/phones (Linux/Android) are probably better off rooted, with a working firewall running Tor and with Privoxy locally filtering tracking websites and cookies; only then may you have a reasonable expectation of data security (files NOT read/listed/modified/added) (more, How-To install Tor on Android)...
Also I have a huge security problem letting Android spy on me for "convenience's sake", so I change my Google password and I don't update my Android devices with the new password. I do this after I download and install all the apps I might be needing from Market, but after that I refuse to let Android know my new Google password. Why? Because I believe, for
"convenience's sake", versions of Android "back up to Google servers" your website/wifi passwords that everyone thought were ONLY going to be stored locally. I would rather be inconvenienced than allow the law-enforcement/intelligence-agency proxy data collection warehouse "Google/Apple" to collect my passwords and distribute them through
to authorized contract hackers/employees, updating them with my latest passwords for wifi networks and websites. Instead I would much rather prefer everyone spying on users to be inconvenienced by going through the trouble of cracking my secure wifi networks (not bypassing them) and individually presenting their arguments in court, obtaining court orders or National Security Letters
directing cooperation from each and every different website for which I have a strong and different password. But that could just be me; you might be OK with everyone deemed authorized to use/view your accounts protected by passwords stored on Android devices (recently found out to be) backed up by Google servers, easily accessed all from one location by authorized personnel...
((I think it is time for "honest" single-Google-account holders to create a different Google account for each Android device they own (generic device-names@google.com, not used for email but only for Market, and purposefully cut off from the main Google email for security) for separation of data spillage/leakage, and to tie/add these devices (Google IDs) into their one main Google account (if they want to)...))
9b. Cable television boxes (property of TV companies) are best relocated to a metal-shielded, ventilated, white-noise-equipped enclosure, just in case nearby would-be spies attempt to interact with "cable company property" covertly in RF range, or are likely listening (in-band cable RF signals) to microphone audio range covering the entire house (think OnStar)...
9c. Android/Apple devices create an account to download applications from "Market", and then and later at any time (with the same account/password) they likely can all be remotely managed via "pushed updates" and "applications pulled off" your devices, which are NOT even allowed to be "rooted" by the end user. So, because every device creates an account or uses an existing account to interact with
"Market" at root level, you have no privacy/control, because every single application you download from "Market" is tracked and can later be deleted or modified on your Android/Apple devices; each person can potentially be tracked and individually targeted with a weaker version of software deliberately pushed on to select customers (can be just for a weekend conference). Also,
if back-end servers like "Market" have a complete control/picture of the software/data loaded/created on your devices, then you should know "this" and not think of/treat Android/Apple devices as "safe" as if they were laptop/desktop computers that you more or less have full control over; these Android/Apple devices the "companies/governments" have full control over (!!!). You have to
delete/remove the Google account (from each Android device) used in Market (add it back whenever using the device on "Market") and root/firewall your Android to resist/fight "root" control over your devices... ((I suspect Windows 8 will be an app/market "non-rooted end user" computing model for spying/control reasons))
10. Sometimes features of the Win-7 OS can help "others" play tricks with your sense of temporal anchoring via (a) policies and (b) file versioning. For me, I noticed my files were dancing around in temporal flux when I allowed System Restore to run, like a rootkit was doing things to my files that I am NOT accustomed to having done to my files: files reverting back
to older versions (newer versions stolen???), having to put my ideas into writing more than once, ... I think this was due to rootkit operators, and I now recommend turning this feature ON ... in case of infection detection one can quickly "step back" to an earlier clean system state ...
11. Using public/company computers for personal communication is risky because keyloggers can intercept everything you type, owners/managers may snapshot into jpg files the things displayed on screen, or capture, hold, analyze and replay the network packets generated by your activity,
so keep personal computing personal by NOT using public/company computing platforms. If you must use a suspected insecure/monitored computer system, then just prior, on a trusted platform, change your regular strong password to something easy/common, and when done using the insecure/monitored computer system, quickly change your password back to regular strength, also on a secure trusted computer...
12. Rights and responsibilities assigned to workers should be restricted with the principle of least privilege in mind, to carry out their job; remaining guarded against outside social-engineering hackers targeting your workers could go a long way in terms of computer security... (see: Ghost in the Wires by Kevin Mitnick)
(**) Going slow means to me that just because some published obscure attack on software finds a weakness and an update is released, I do not
necessarily jump on the update, because the obscure attack is not relevant to my use of the affected software and I am secure; moreover I am more
suspicious of deliberate holes in patches, which you do not expose yourself to by using older software that may be more secure... It's always
a balancing act between many things like convenience-->security-->peace of mind-->healthy paranoia... but if you are one of those people invested heavily in "convenience" and the belief that others will do for you what you must do for yourself, then... at least try to think of Murphy's Law from time to time (anything that can go wrong will eventually go wrong). I believe this is the law of the universe, and all things that depend on "other" people to succeed will fail; you have only yourself to depend on...
Questions or comments call me on Skype!
Of course there are NO guarantees in life, nor should anyone expect any guarantees with this advice; however, I will say that I am only writing about things that I experienced personally, and I strongly believe that these settings will help make a person's computing secure from the prying eyes of man-in-the-middle attacks even if you are computing from the same location through the same network provider (I am NO Julian Assange, yet I routinely use two simultaneous Tor connections, multiplexing my Privoxy outputs into Tors running as servers that generate their own fingerprints/keys, which I often change by renaming them). However, computing from a mobile platform
(no home network to be wiretapped) with random internet locations will greatly increase your already more secure computer communications (you could go for the extra easy step of deleting the computername entry in the TCPIP/Parameters registry setting (now you look like lots of pocket computers/iPods/Androids) and randomly changing your wifi MAC hardware address, computer time zone, adding/deleting a few seconds from the computer clock, varying screen resolution, varying versions of browser plugins). *** [For experts: using a stock machine and allowing it to be infected with the latest 64-bit Win7 rootkit, one can compare the infected OS with the original configuration, helping to deduce/study/extract/expose
the rootkit used... looking at differences in .dll, .exe, .sys files, and capturing the network traffic installing the rootkit, is of great value and a primary objective!] *** ... I also think that after completing all these steps you will have control over your computer communications comparable to having at-will secret access to physical time travel to any time you want, and a secondary cloaking device to become anyone you want, to effect world change...
If you are not competent to configure everything at once (nor was I when I started; I was naive and not at all suspicious), try incrementally configuring one thing at a time, wait and see how your change changes things, then a short time later try implementing more security ideas; going slow this way you don't overload yourself and you can back out of anything you inadvertently get into. (1) Add Privoxy to your computer and configure browsers to use it, plus keep tuning Privoxy to prevent connections to tracking domains/websites; install Privoxy on a stable server to act as an HTML proxy on behalf of all computers at your home/office/business... (2) Add Tor and configure Privoxy and browsers to use Tor... (3) Restrict DNS to go through Tor only, install Privoxy in multiple directories and run them simultaneously
on different ports, configure browsers for the newly installed Privoxys, try to use DNS through Tor only, and lock down the firewall as well...
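Steps (1)-(3) above, and item 4 earlier, hinge on Privoxy handing every request to Tor with remote name resolution so DNS never leaks. As an added example (my code, not Privoxy's or this page's), the script below lints a Privoxy `config` file for the three ways that chain is commonly broken: a listen-address exposed beyond loopback, a `forward` or `forward-socks4` rule (the former bypasses Tor, the latter makes Privoxy resolve names itself), and the absence of the catch-all `forward-socks5t / 127.0.0.1:9050 .` rule. The two configs are constructed, and Tor's SOCKS port 9050 is assumed to be the stock setting.

```python
"""Lint a Privoxy 'config' file for the Privoxy -> Tor chain described on
the page.  Directive names are Privoxy's; the sample configs are constructed."""

TOR_SOCKS = "127.0.0.1:9050"          # assumption: Tor's default SocksPort
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# forward-socks4 resolves host names inside Privoxy (DNS leak); plain
# 'forward' talks cleartext HTTP to a parent or, with '.', goes direct.
LEAKY = {"forward", "forward-socks4"}
# socks4a/socks5/socks5t leave name resolution to the SOCKS server (Tor).
SAFE = {"forward-socks4a", "forward-socks5", "forward-socks5t"}

def parse_config(text):
    """Yield (directive, args) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def check_privoxy(text):
    """Return a list of findings; an empty list means the chain is intact."""
    findings, catch_all = [], False
    for directive, args in parse_config(text):
        if directive == "listen-address" and args:
            host = args[0].rsplit(":", 1)[0]
            if host not in LOOPBACK:
                findings.append("listen-address %s is reachable from the LAN" % args[0])
        elif directive in LEAKY:
            findings.append("%s %s: resolves DNS locally or bypasses Tor"
                            % (directive, " ".join(args)))
        elif directive in SAFE and len(args) >= 2:
            pattern, parent = args[0], args[1]
            if pattern == "/" and parent == TOR_SOCKS and args[2:] == ["."]:
                catch_all = True          # everything -> Tor, no HTTP parent
            elif parent != TOR_SOCKS:
                findings.append("%s %s goes to %s, not Tor" % (directive, pattern, parent))
    if not catch_all:
        findings.append("no catch-all 'forward-socks5t / %s .' rule" % TOR_SOCKS)
    return findings

GOOD_CONFIG = """\
listen-address 127.0.0.1:8118
toggle 1
forward-socks5t / 127.0.0.1:9050 .
"""

LEAKY_CONFIG = """\
listen-address 0.0.0.0:8118         # any host on the LAN can use the proxy
forward-socks4 / 127.0.0.1:9050 .   # Privoxy resolves names itself
forward .intranet.example .         # direct connection, skipping Tor
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(name, check_privoxy(cfg) or ["OK"])
```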
Too many chiefs, not enough Indians! <- The US Cyber Security Command tells Congress: the command staff is in place, but we are having trouble filling many of the remaining positions
"This is going to take time for us to generate the force," General Alexander
Yah, maybe they can outsource this!!! (Well on the way to Luke Wilson's movie "IDIOCRACY", set in the year 2505 ... ) ... are we there yet?? ... are we there yet?? ... are we there yet???