If you’re here you probably know that your privacy is more jeopardized than ever before! By reviewing a vast amount of online privacy and security best practices, here we’ve come up with an ultimate privacy guide for you. All you need to know about protecting your privacy online is right here in this guide!
As we’ve put a notable amount of effort into this in an attempt to make it the only guide to internet privacy, security, and anonymity that readers would need, it turned out to be lengthy. So, it’s not a must for you to read it all at once – you can simply click on the index links below and read what interests you. With that said, here’s your information on Internet privacy, anonymous browsing, Tor, VPNs, Dark web, encryption, Bitcoin and more!
Introduction
There is no such thing as being 100% secure without disconnecting access to the internet. However, managing and mitigating the risks are positive steps in ensuring you remain safe and secure, and a key factor is being ‘disciplined’.
The bottom line is that we all wish to have privacy, whether in our private emails or when we’re browsing the internet. Article 8 of the Human Rights Act clearly states that we’re all entitled to privacy. However, in some countries privacy is not an option, thus it is our view that having privacy must be respected.
Privacy must extend, preserve, and overlap with respect to each individual. Equally, data security and its privacy should be key objectives for the individual as they take ownership.
Compiling this, I foresee readers will find the following categories relevant:
- Everyday users,
- Best practices,
- Techie bits, and
- Other snippets.
Areas are ‘book marked’, this way a reader can quickly look for an area that appeals to them.
- VM ware
- WhoNix
- Flash player
- Changing DNS servers
- GNU privacy
- Encrypted Web Mail
- Securing mobile browser
- Cookies
- Bit Torrent
- Government services
- Encryption key length
- Cypher
- NIST
- End-to-End Encryption
- Metadata
- VPN
- Tor & Onion Routing
- The Deep Web and Dark Web
- Bitcoin
An Operating System (OS) is a primary programme for all computers, and this article focuses on Windows 10. Windows 10 comes with Windows Defender to protect users from malware and other potentially unwanted software. Furthermore, it also comes with Windows Firewall to protect users from hackers and malicious software.
Antivirus solutions bring on potential benefits and I’ve opted to review 4 products, but there will be more available should you wish to search on your own:
| Service | Cost | Remarks |
|---|---|---|
| Symantec | £40 | Safeguards identity, transactions, and more. |
| McAfee | £40 | Shreds sensitive documents, encrypts and locks files, and securely stores your login details. |
| Kaspersky | £49.99 | A well rounded security tool. |
| TrendMicro | £42 | A tiered product lineup with a wide range of coverage. |
Some free alternatives are AVG and Avast Antivirus; these can be upgraded for a fee if users desire further protection than what the free offering provides. But when used with the built-in Windows 10 tools, they provide the user with adequate baseline security.
Symantec service also offers Norton Utilities, costing £40 annually, ensuring integrity to the user.
Given the current state of the internet, we constantly see people following bad practices, such as using passwords like ‘12345’, ‘user’ or even ‘password’ – how ridiculous! But there are tools on the internet to help create secure passwords; in fact, Norton offers a free tool for those who don’t use their product. Alternatively, you can use KeePass to assist you in using a strong, secure password. You may even find a password vault in your AV product that allows you to store passwords, which would only require you to remember the password to the vault. It is recommended that you search the internet for suitable alternatives; the choice is yours, as is the risk.
Users can use a flash drive or Removable Hard Drive (RHD) for external storage, the option is up to the users. However, one aspect of computer usage you may wish to consider is to use the computer as a tool, but keep any data or files you wish to retain on the USB key or RHD.
One further requirement would be to have the device as a hardened, encrypted device, one of which I would highly recommend is the IronKey series of products. These are not exactly cheap, but you may wish to consider the value of your personal data, family photos, financial data, other sensitive information, and what you consider as important to you.
Another option the user has is to use the ‘Cloud’. Most cloud solutions require ongoing payments, however you would find that the cloud is an alternative that is offered by Microsoft, Apple, Google, and more reputable companies. These solutions are easy to use, with accessibility from anywhere with an internet connection, but this convenience comes as a trade-off against security.
Something all users of the internet must do is to set their browser to clear all data from their session after exiting, or conversely you can do it manually. However, I highly recommend that this should be an automated process – it saves time and ensures that it won’t be overlooked at the end of the day. As we all know, ‘Next time never comes around’!
When encrypting files/folders, the following could be beneficial
Encrypting files and folders is the users’ choice, and most opt not to because it can be expensive if they’re using a commercial product. However, with a quick internet search, you’ll find that there are free and reputable products available. It is common sense to protect your data, but it does take time and you will have to be patient, so do document your exact needs and work out the process that you want to have in place. Some tools for this include:
The easiest way to do this is to pick a ‘free’ day, find the software that works best for your needs and circumstances, and do what you need to do all in one shot. It is far more manageable than spanning it out over several days.
Cloud Encryption Service
Automatically encrypting files before they are uploaded brings benefits for privacy, and the process should be transparent. SpiderOak comes at a price, and can be synced across all your devices. Mind you, I’m taken with SpiderOak’s principles, being:
- Blindly trusting vendors,
- Privacy is everything,
- Control is yours,
- Encryption overcomes usability.
It can be used with iOS and Android applications as well, so diversity sells the product. As for cost, well you get 2GB free, but £7 per month is levied for 100GB if users so choose.
SpiderOak offers a combination of RSA and AES encryption.
Ultimately, the ‘risk’ is yours, just as the final decision is yours. As always, it’s worth noting that doing comprehensive research is key, so defining your requirements and reviewing them regularly is paramount.
BIOS passwords – this may sound like a technical thing, and if you’re not sure, you can always ask for assistance. However, it makes good sense to password protect the BIOS settings on your computer, as this makes things harder for the criminal if it is stolen. Within the BIOS script you are given the option to password protect. Likewise, users can also password protect their hard drive during the initial boot process.
Though I’ve mentioned passwords already, they do get referred to again and again since the password is a basic yet fundamental requirement when using a computer. So I would like to review the low technical aspect of setting passwords.
You need to use a combination of letters, numbers, and characters – some of which need to be memorable and others don’t. Use the spectrum of the keyboard, a-z, 1-9, and all the other symbols. Consider using spaces within the password if they’re allowed, or even using an acronym that means something to you, such as ‘Cornflakes for breakfast’, or the key letters or words from a favourite phrase or poem.
On the high technical aspect end, you could use a password manager, like KeePass. There are a plethora of systems available on the internet, but you must be comfortable using the one you choose. After all, they’re your passwords!
This is a highly charged subject, but ultimately the decision to use ‘Social networking’ is yours – once you’ve posted something online, you can’t undo the action, so don’t moan about it afterwards. For me it’s a useful tool; I use Twitter to post articles, though I more regularly use Facebook.
I don’t mind sharing information with my friends and followers since I can control what I share with them in the first place. The same applies with non-friends – in the basic script on Facebook about yourself, you should only provide minimal amounts of data. Configuring your privacy settings will also help you keep your posts, tweets, photos, and more data private from the general public.
Instant messaging has been making a resurgence, with many users opting for IM services over data rather than text messaging. Twitter Direct Messages, Facebook Messenger, Line, Kik, Wickr, and even Tinder have been seeing increased usage and popularity.
Should you be using VoIP, chat or IM services on a PC rather than a mobile device, encryption is a requisite. Many services, such as Jitsi, are free for users. That said, some free offerings are:
- Pidgin + OTR for Windows is a free, open-source IM client. It allows chat on AIM, Google Talk, Yahoo, and MSN. Off-the-Record (OTR) provides strong encryption. This, along with GnuPG, is a product that has stood the test of time.
- Adium (OSX) is worthy of consideration specifically for Mac users, noting the differences in inherent OS security.
- Developed by the Guardian Project, the ChatSecure application for Windows, OSX, iOS, Linux and Android is worth trying, though it may not always be the most reliable.
Techie Bits
Not being a CISSP or Cisco technophobe, I consider this area could be useful for the technicians in the internet arena. However, up and coming computer users may find the subject areas useful as stepping stones to explore the more technical aspects of privacy and security.
For those who are Virtual Machine users, VMware brings an additional level of security for sandboxing new software, configurations, or processes. For the less technically-inclined, a VM essentially creates a virtual hard drive within a hard drive. The added benefit here is that the VM can be completely encrypted and the host cannot be infected by the majority of malware or viruses even when caught by the VM host.
The big drawbacks are speed and, unfortunately, price. The upside is that you will have enterprise-level software, but it will cost you a few hundred USD. Mind you, the entry level brings the free VirtualBox and VMware Player (not much into games myself!!).
However, running 2 operating systems is costly in terms of speed and processing resources. What are your true requirements and what can you truly afford to function as?
Moving forward in the virtual world and working in VirtualBox, the virtual machine goes further by ensuring that DNS leaks don’t occur. Even more so, the true IP address stays protected even against malware with root privileges. The simple principle is:
Surreptitiously, it separates two factors. The first is the Whonix Gateway, which connects via Tor, whilst the second, the Whonix Workstation, is isolated and routes all of its connections via the Tor gateway. Isolating the workstation from any internet connection makes this a crafty solution.
Though Flash Player does have many benefits, and is virtually required for modern internet usage, it also has many problems and you as the owner must decide on what to allow. Check the ‘Flash Player Settings Manager’, and pay particular attention to Camera and Microphone Settings. As you approve sites, this should be a process that you go through – it is recommended to handle each site on a case-by-case basis from a security-oriented perspective.
Flash is disabled by default on browser settings, so as the new owner, you must review settings. Now whether you wish to allow Flash on ‘Trusted’ web sites is your choice.
Flash Cookies must be managed as well. The threat remains high, the use remains insidious, and this should remain paramount to the user. If you want to have the likes of YouTube, this requires Flash, so equally you need to have Flash Cookies approved for the site – this should go without saying. As for a cleaner, I recommend CCleaner, but check out the internet to see if something else may suit you better.
We’re used to the conventional way of typing things into the address bar. But when it comes to referring to Domain Name System (DNS), this is done by IP number. In fact, should you wish to venture into the Deep Web or Dark Web, it’s all done by IP number.
However, if it’s additional security you’re looking for, OpenDNS Home will bring:
- Faster, more reliable home Internet
- Built-in fraud and phishing protection
- Parental controls that protect every device in your home, instantly
- Customizable filtering and security
A further option you have is to use a VPN to enhance your security.
Ensuring your email preserves its integrity, the diagram below depicts how PGP is enacted. The privacy guard was driven by the German government who has released GnuPG, or GPG which it’s also known as.
But the internet has a myriad of tools that can be used like Windows Gpg4win, EnigMail, Mozilla Thunderbird, or SeaMonkey which gives a lot more.
And there’s always PGP for mobile. We can’t exclude mobile devices, as the way of the world is driving our daily lives to be more mobile by necessity.
What’s provided are some third-party services to secure your communications.
The products:
This is a highly charged subject from all corners of the globe. However, I’ve tried to select 4 products that bring to you, the user, integrity as an alternative option for securing your email. These are the options we’ve come across that we’ve found to be worthwhile, so review at your convenience!
A positive is the functionality as they will work on Gmail, Hotmail, Yahoo! and GMX using Firefox or Chrome, so it’s not a bad option when you consider the status quo of the internet.
The risks I consider are:
- The internet itself
- JavaScript and cross-site scripting (XSS)
- Adobe Flash.
All three are risks, and yes they are part of modern life, but you must mitigate all three.
Cookies, Flash cookies, and ‘zombie’ cookies must be managed and you can’t get away from it. But there are things that you can do, like disabling cookies in your browser.
Consider using IBM Trusteer Rapport. Albeit not a direct cookie tool, it provides a weekly report on your activity on the internet. You may also consider using the Trend Home Call, as this will provide you with a concise report of vulnerabilities.
But there are good cookies, like those that you need for your everyday activities.
If you need a cleaner in the cloud that gives greater functionality, try using CCleaner – it’s good for Windows and OSX, and actually does what it says it will in its advertisement.
The good news is that Flash Cookies are in decline, but don’t be seduced – you must maintain the discipline.
If you have large files or folders to move around, try BitTorrent.
An excellent précis for Bit Torrent can be reviewed here. It’s a method of moving big data around, but in an encrypted manner – a bit similar to Dropbox. Functionality caters to Windows, OSX and Linux, however there is not a cloud service at present.
We’ve all read about the likes of the Edward Snowden debacle, whether conservative, labour, democratic, republican, or whatever your governments’ gambit may be. We all have to call upon our respective governments for one reason or another.
With the NSA or GCHQ, they have a function to perform and yes, there are the inter-government agreements that will always abound. We can’t get away from it, and you’d be oblivious to think it doesn’t happen.
Is it to provide structured processes in the cyber criminal world, or for the protection of children? Each perspective has its value and depends on which side of the fence you prefer to sit. For my sins, I take the pragmatic perspective, for there will always be good and bad.
This article is not to define the right or wrong, but to let the reader decide.
Encryption key length, a quick overview:
No. of years to crack AES with a 128-bit key = (3.4 x 10^38) / [(10.51 x 10^12) x 31536000]
= (0.323 x 10^26) / 31536000
= 1.02 x 10^18
= 1 billion billion years
Time to crack Cryptographic Key versus Key size
So is it your banking details, family photos or something more sensitive?
Now notwithstanding the recent reports of China’s fastest computer in the world, the fastest computer in 2011 is the Fujitsu K computer, which has a peak speed of 10.51 petaflops. So what’s the size of the key? Could you remember it?
As users we should be trying to implement something you can remember, and it all comes down to risk. You could utilise a more automated system, but then there would be a cost. Maybe biometrics is the answer, after all we all have unique fingerprints and an iris!
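The calculation above, carried over to other AES key sizes and to the passwords people actually have to remember, as an added example that is not part of the original article. It assumes the same 10.51 x 10^12 guesses per second and 31,536,000-second year used above, passwords whose symbols are chosen uniformly at random, and no key stretching; the 95-symbol keyboard alphabet and the 7,776-word list size are assumptions chosen for illustration.

```python
import math

GUESSES_PER_SECOND = 10.51e12   # rate used in the article's AES-128 calculation
SECONDS_PER_YEAR = 31_536_000   # 365-day year, as in the article


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every value of a secret holding `bits` bits."""
    return (2.0 ** bits) / rate


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(bits: float, alphabet_size: int) -> int:
    """Shortest random password over the alphabet that is as strong as the key."""
    return math.ceil(bits / math.log2(alphabet_size))


def humanise(seconds: float) -> str:
    if seconds < 1:
        return "under a second"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:.3g} years"


# Constructed comparison cases: keys versus secrets a person might memorise.
CASES = [
    ("AES 128-bit key", 128.0),
    ("AES 192-bit key", 192.0),
    ("AES 256-bit key", 256.0),
    ("8 random lowercase letters", password_bits(8, 26)),
    ("12 random keyboard symbols (95 choices)", password_bits(12, 95)),
    ("6 random words from a 7,776-word list", password_bits(6, 7776)),
]


def report():
    """Return (label, bits, time to exhaust) for every case."""
    return [(label, round(bits, 1), humanise(seconds_to_exhaust(bits)))
            for label, bits in CASES]


if __name__ == "__main__":
    for label, bits, time_needed in report():
        print(f"{label:42} {bits:6.1f} bits  {time_needed}")
    print("Random keyboard symbols needed to match a 128-bit key:",
          length_for_bits(128, 95))
```

The key itself is never the weak point in this comparison: a file protected by a 128-bit key is only as hard to open as the password that unlocks that key.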
On the risk perspective, I store all my data offline, working towards the goal of total offline working and only transferring data and accessing the internet when I need to! I could ramble on further about speeds or petaflops, but realistically would this have a great impact?
Encryption key length is the headline number in the mathematics of encryption. Believe it or not, it’s weakness in the algorithm, rather than the actual key length, that leads to the breaking of the encryption.
Be advised that OpenVPN using the OpenSSL library is subject to the Heartbleed bug.
The most common cyphers are Blowfish and AES in the OpenVPN arena. However, RSA is used for the whole process, with SHA-1 and SHA-2 used to authenticate the data. AES is currently the preferred cypher for encryption, though given time this will change.
Let’s look at the NIST function …..
A quick précis of NIST can be viewed here.
Some may find this too complex or not appropriate, however having been involved in information security all my working life, I find they are an excellent repository. It’s all about being ‘fit for the purpose’ and it’s the reader’s choice, but it’s great for privacy – all the more so in the commercial world.
So, the NSA and GCHQ have cracked the 1028-bit encryption as used by RSA; this has inevitably led to some VPN offerings being ranked up to 2048 or 4096 bits, though I do wonder where it will stop!
As Edward Snowden revealed, the new program is titled ‘Cheesy Name’. The battle has ensued with GCHQ purporting to have cracked it with their super computers. The integrity is questionable; however, the word gets out that it’s cracked, and this is the motivator to up the ante – where is the evidence and audit proof!
This brings into question SSL, TLS and HTTPS, but the positive news is that there are counter-arguments and so much more for the poor old ‘user’.
What is End-to-end encryption? Well, it essentially means that all data is encrypted at your end and decrypted at the receiving end – it inherently prevents ‘middle man’ attacks from occurring. Effectively, the middle man must be regarded as suspect, therefore end-to-end-encryption is a must for security.
An interesting subject of contention is Microsoft; whilst they encrypt all emails and those on Sky Drive, they have the keys for emails and files of over 250 million worldwide users. As a US company, they are subject to US laws and authorities (i.e. the NSA and FBI). Use at your own risk.
A good insight into Metadata by Wikipedia can be viewed here, though be advised that it’s lengthy.
Encryption won’t stop the collection of metadata. For example, using a securely encrypted end-to-end voice service, your ISP could identify who you’re calling, the location of the sender, the duration of the call and maybe more data. Hypothetically it could derive the nature of your call if they have enough data and other intelligence.
Technologies such as Tor and VPN make it hard to collect metadata, and this could be seen as a benefit to the individual, though it depends on the circumstances. If you configure it properly, all that could be seen is that you’re connecting via VPN.
VPN, TOR, Deep Net and Dark Net
Virtual Private Networks, like Tor, anonymise your activity and protect your data. They hide your true IP address and encrypt your internet connection in an attempt to ensure users’ privacy.
The VPN server is placed between your ISP and the internet, with the VPN tunnel enclosing the data, but there is a cost involved for most true services and this should be kept in mind. The encryption hides the data and your ISP can’t view it, so the trust factor comes into play. To find the best VPN for your needs and desires, we recommend using Top VPN Software as your industry guide.
Tor (originally The Onion Router) is free software, but you must have the confidence to configure it. Tor is based on ‘The onion routing project’, which was developed in the mid-1990s at the US Naval Research Lab, with further refining by DARPA in 1998. A question I have here: can we now thank the US Navy for the problems we have today and that of the cyber criminal? As they say, a picture tells a thousand words. Onion routing is:
In this example, Router A sends it to Router B, which decrypts another layer to learn its next destination. Router B sends it to Router C, which removes the final layer of encryption and transmits the original message to its destination.
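The layering through Routers A, B and C described above, as an added example that is not part of the original article and is not Tor’s real message format. It assumes one pre-shared key per router (real Tor negotiates a key with each hop when the circuit is built) and uses a toy SHA-256 keystream with an HMAC tag as a stand-in for a real cipher; the router names, keys, destination and message are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in for a real cipher such as AES."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer, then authenticate it (nonce + body + tag)."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not encrypted for this router, or was altered")
    return _xor(body, _keystream(_subkey(key, b"enc"), nonce, len(body)))


def build_onion(path, keys, destination, message):
    """Client side: wrap the message once per router, innermost layer first."""
    next_hops = path[1:] + [destination]
    blob = message
    for router, next_hop in reversed(list(zip(path, next_hops))):
        header = bytes([len(next_hop)]) + next_hop.encode()
        blob = seal(keys[router], header + blob)
    return blob


def peel(key: bytes, blob: bytes):
    """Router side: remove one layer, learning only the next hop."""
    layer = unseal(key, blob)
    n = layer[0]
    return layer[1:1 + n].decode(), layer[1 + n:]


def relay(path, keys, onion):
    """Pass the onion along the path, recording what each router learns."""
    learned, blob = [], onion
    for router in path:
        next_hop, blob = peel(keys[router], blob)
        learned.append((router, next_hop))
    return learned, blob


# Constructed sample data for the three-router path in the text.
PATH = ["A", "B", "C"]
KEYS = {name: os.urandom(32) for name in PATH}
DESTINATION = "example.org"
MESSAGE = b"hello from the client"

if __name__ == "__main__":
    learned, delivered = relay(PATH, KEYS, build_onion(PATH, KEYS, DESTINATION, MESSAGE))
    for router, next_hop in learned:
        print(f"Router {router} learns only its next hop: {next_hop}")
    print("Delivered by the last router:", delivered)
```

Only Router C ever holds the destination and the original message, and only Router A sees who sent the onion, which is why no single router can link the two.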
Benefits:
- Secure,
- Anonymous,
- Good for public WiFi and firewalls,
- Free
Drawbacks:
- Slow speed,
- Poor for P2P,
- Problems with streaming,
- Copyright violations persist on exit nodes.
The Dark Web is that part of the World Wide Web that exists on darknets. These are overlay networks that utilise the public Internet, but require special configurations and authorization to access.
Deep Web – A good analogy of the deep web is depicted in the following:
Source: http://www.sickchirpse.com/deep-web
Just like an iceberg, much is below the surface. Its size is 400 to 500 times larger than the surface web, consisting of 7.5 petabytes. Much of the deep web’s information is buried deep down, and as such traditional search engines are unable to index it.
In 2004, research estimated that the worldwide web had more than 300,000 websites, and in 2006 there were 14,000 in Russia alone.
When it comes to the dark web, the websites are publicly visible although the IP addresses of the servers that run them aren’t. Their identity is hidden by using Tor encryption, so it’s not black magic.
The principle is that both ends of a connection need to be running Tor, as IP addresses are bounced through layers of encryption as equal to the location. Secrecy is layered, so its magnitude is multiplied. It’s having the knowledge to use Tor that could be perceived as the lynch-pin. Some users don’t use Tor but employ I2P or other specialized browsers, but the principle is the same.
An important thing to note is that there are legitimate reasons for using the dark web. It could be for journalistic purposes, or if a person is living in a totalitarian regime. It’s not all comprised of the morally questionable activities that many make it out to be.
So in principle, the deep web refers to all web pages that can’t be found, including registration forms, databases, pages behind paywall, unique account pages, etc. The key thing is not knowing how to gain access to the data, and of course, there’s always the question of encryption.
The dark web does exist, be it for scientific purposes or tabloid rationale. There is available advice for using Tor or learning about the dark web, be it the deep web or the dark web. I reserve the right to refrain from this, but if you wish to go forward, it’s your freedom and risk to do so.
What is Bitcoin? Bitcoin is a decentralized, open-source virtual currency that operates using peer-to-peer technology. It is a revolutionary concept that requires no middle man to function. Whether this is a good investment or not is debatable.
As a cryptocurrency, Bitcoins can be bought, traded, invested, and used to buy goods and services just like any other form of money. Although nowhere near as widely accepted as ‘regular’ currency, this is changing fast with many countries and consumers recognizing it especially in the realm of digital services such as VPN that aim to improve users’ anonymity.
One important thing to understand is that Bitcoin is not inherently anonymous. The exciting thing is that with care it can be made so, just like traditional money laundering.
For maximum anonymity:
- Create a disposable email address,
- Create a Bitcoin wallet,
- Always use anonymous details, that won’t reveal the real you,
- Tumble your Bitcoin
- Do research on the use of Bitcoin, be aware of charges though!
Cash options:
- Bitcoin,
- Prepaid cards,
- Purchase online,
- Conventional cash and cheques.
Finally, I’d like to think that the Internet is a vast repository that we can all benefit from. Attempting to configure a catch all for digital privacy or any other technical solution is nearly impossible, but that said, we hope that this has served as a valuable resource!
Top/Featured Image: By g4ll4is / Flickr