Skip to main content

Privacy considerations for home users

In light of the recent new stories regarding the recently signed legislation allowing ISP's to be able to sell your data
http://www.vox.com/new-money/2017/3/29/15107110/republican-isp-data-privacy

Here are a couple ideas and tips about privacy in general.


  • Don't panic - a lot of the info was already being gathered, this isn't that large of a change regarding scope, it's more of a change to who can profit or sell it (which is a shift for sure).

  • Remember a lot of the services you use today already gather your browser, activity, and search info (google, bing, yahoo, facebook, etc.).

  • ISP's haven't implemented this yet, expect to see new terms of service in an upcoming bill, or an email sent to you, etc.
If you would like to take some steps to try to preserve your privacy, here are some ideas and examples:

  • VPN (Virtual Private Network) - this in essence creates an encrypted tunnel between two points on the Internet. One point being your system or home network, and the other being the VPN endpoint device or system. Not all VPN's are created equal, you have little to no visibility to what your VPN provider will do with your data and how they will manage it (yes they can potentially also sell/mine/store/transmit/receive a search warrant). In some cases this may be even "worse" than your ISP.

  • Use a browser plug in to obscure your activity. Depending on the type of browser plug in, it can encrypt your traffic, obscure it, or generate a lot of meaningless traffic with the intent of obscuring your actual traffic.   

  • Use file level encryption (such as PGP) for encrypting stand alone files that you transmit across the Internet. Be sure to manage your keys appropriately (never share your private key, and store it safely).



 I don't see much of a specific risk at this point, I will continue to encrypt sensitive documents (mostly using PGP) and anything I send across the internet that I don't want casual eyes looking at. Browser history I think is probably already exposed thanks to Google, etc. so I don't think this changes much, except who is/can sell your info. I will use VPNs for work activity (already have) but that's probably it.



Additional links and tool options

VPN references:


  • http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs
  • https://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/
VPN providers:

https://www.privateinternetaccess.com/pages/network/



Browser plug-ins:

https://cs.nyu.edu/trackmenot/

Comments

Post a Comment

Popular posts from this blog

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS. Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc. While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required. When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part tha
Post a Comment
Read more

Busting the myth of the malicious insider

The Myth of the Insider Threat Too often after the announcement of a new breach, the first reaction from the victim company and the media is "another malicious insider attack".  Case in point, I was catching up on news from various sources and came across the following: http://www.idgconnect.com/abstract/19647/lessons-sage-leak " “We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the Newcastle, England-headquartered firm said in a statement." Of course an internal login was used to access the data, as part of the attack lifecycle, during your reconnaissance phase you identify accounts to target for possible compromise, based on the access/role of the individual.   Phishing attacks or other simply attacks are often successful in gathering login credentials for individual users, which can then of
Post a Comment
Read more
Weekly recap and why you should be concerned about "attackers" even if you have "nothing to hide" Why you should be aware of, defend against, and prevent attackers... even at home: I often hear from future victims "well I don't have anything to hide/anything of value/why would they target me!?" It's really not about you, usually the attackers aren't looking for your data (if they get it, or have easy access to it, they may try to profit from it, but the people doing the compromising aren't usually the same folks that monetize). What the attackers want are compromised systems they can use to do what they want at scale. So if they can compromise 50 systems, they can send 50X the amount of SPAM... 100 systems, 100X, etc. Some operations get paid based on the number of emails they can send per day. Of course the email will likely not just be SPAM, but may also be malicious (ransomware, etc.). http://thehackernews.com/2017/09/linux-ma
Post a Comment
Read more