Tuesday, 30 July 2013

Added Security 4

Please note that many of my security-related posts are more a collection of links and pointers to nifty resources than supplementary information on the subject of online security. Much of this I am writing down as a "note to self". I might not have tested the tools myself, so do some research before you start using them.

It has been a while since my previous security-related post, and since then we've had PRISM. Unless you've lived under a rock you will have heard plenty about it. To understand PRISM in more detail I recommend the following resources:

Security Now #408: Security expert Steve Gibson talks about PRISM, and how it most likely is done.
Security Now #413: How much tinfoil is needed to stay secret?
TWIG #202: Laporte, Jarvis and Trapani talk about PRISM in a not too technical way.

The remedy
You might ask yourself what the remedy is. I guess you would have to stay off the Internet completely to keep the NSA and other agencies from putting you under surveillance (if they want to, that is). There are tools that make it much harder for anyone to get anything readable out of the data you generate and send across the Internet. But then again, if you are flagged as a person of interest within the right agency, they might just get direct access to your devices, like your laptop and mobile phone. And if you take extreme precautions to encrypt all your data, that by itself might be enough to put a red flag next to your name, because then the government might start thinking "What is this guy hiding from us?". That aside, some handy tools are listed below.

Pink Floyd Debris Rainbow. Prism break. (src: www.upphotos.net)

Check out prism-break.org for an overview of tools for staying more private on the Internet. Other relevant tools to "break the PRISM" are listed below.

A tool that is not mentioned on the page above is Cryptocat, which lets you chat with privacy. For more info go to crypto.cat.

Threema is a mobile messaging app that puts security first. With true end-to-end encryption, you can rest assured that only you and the intended recipient can read your messages. Unlike other popular messaging apps (including those claiming to use encryption), even we as the server operator have absolutely no way to read your messages.

When a Silent Circle subscriber makes a phone call, sends a text or video chats with another Silent Circle member, that transmission is secured and encrypted end-to-end from their iPhone, Android device, iPad or Windows computer on our crystal-clear secure network.

WhisperSystems: Security, simplified. Open source security for mobile devices.

Browser Improvements

There are different browser plugins for stopping tracking. I've earlier written about Privacy Fix, which I'm using. There is also disconnect.me, and an alternative to these plugins is Ghostery. An independent plugin for stopping tracking is Abine's DoNotTrackMe (Privacy Fix and Ghostery are presumably now owned by advertising companies, ouch).

Luckily BankID, the hacker's best friend, has decided to implement a non-Java version of its crappy login solution. Until that is launched, many in Norway are still stuck with having to use Java to access their bank online. I know, it is insane.

I have solved this by running the 64-bit version of the Java Runtime Environment (JRE). Since Chrome is 32-bit, Java doesn't work in my main browser. So to run Java I have installed a portable 64-bit build of Firefox, namely Waterfox.

Test which version of Java you are using at javatester.org. To be safe, that page should not find any Java version in your browser at all.

Still in doubt that Java is unsafe? In the US, the Department of Homeland Security has warned people against running Java in their browsers. And below is what Kaspersky Lab writes:
"In 2012 cybercriminals switched their primary focus to Java. While Adobe Reader was attacked in 28% of security incidents involving vulnerability exploits, Java security holes were responsible for 50% of attacks. Windows components and Internet Explorer were exploited in only 3% of incidents."

And on top of that, the Java installer tries to push unwanted software on you: the Ask toolbar is bundled and pre-selected, so it gets installed unless you untick it.

Check out java-0day.com, which shows the number of days since the last known Java 0-day exploit.

Interesting reads
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.
Skype with care – Microsoft is reading everything you write.
OpenVPN on home router.
To prevent hacking, disable Universal Plug and Play now.
Tools for a Safer PC.
Keep it secret, keep it safe: A beginner’s guide to Web safety.

Other handy tools and resources

hashcat, advanced password recovery, a.k.a. a password cracking tool.
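To show what hashcat (and the cracking described in the "Anatomy of a hack" article above) actually does, here is an added example that is not part of the original post and not hashcat's own code: a miniature dictionary-plus-rules attack against unsalted MD5 hashes, the equivalent of hashcat mode 0 with a small rule file. The wordlist, the rules and the "leaked dump" are constructed for the demo; the plaintexts appear in the code only so the target hashes can be built offline. Only a subset of the hashcat rule language is implemented (the ops listed in the docstring).

```python
import hashlib

# Constructed sample "dump" of unsalted MD5 hashes, the kind hashcat mode 0
# (-m 0) eats. The plaintexts appear here only so the demo can build the
# hashes offline; a real dump would contain nothing but the hex digests.
_SAMPLE_PLAINTEXTS = ["Password123", "drowssap", "summer2013",
                      "qwertyqwerty", "LETMEIN", "Tr0ub4dor&3"]
TARGET_HASHES = [hashlib.md5(p.encode()).hexdigest() for p in _SAMPLE_PLAINTEXTS]

# A tiny constructed wordlist and a handful of hashcat-style rules.
WORDLIST = ["password", "summer", "qwerty", "letmein"]
RULES = [":", "l", "u", "c", "t", "r", "d", "$1", "c $1 $2 $3", "$2 $0 $1 $3"]


def apply_rule(word: str, rule: str) -> str:
    """Apply a subset of the hashcat rule language to one candidate word.

    Supported ops: ':' (no-op), 'l' lowercase, 'u' uppercase, 'c' capitalize,
    't' toggle case, 'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X.
    Spaces between ops are ignored, so a literal space cannot be appended here.
    """
    ops = iter(rule.replace(" ", ""))
    for op in ops:
        if op == ":":
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "$":
            word = word + next(ops)
        elif op == "^":
            word = next(ops) + word
        else:
            raise ValueError(f"unsupported rule op {op!r}")
    return word


def crack(targets, wordlist, rules, algo="md5"):
    """Dictionary + rules attack: returns {hash: (plaintext, base_word, rule)}.

    For every word and rule, hash the mangled candidate and look it up in the
    set of still-uncracked targets. With unsalted fast hashes each candidate
    costs one hash and one set lookup, which is why a GPU cracker gets through
    billions of candidates per second and why "Password123" is not a password.
    """
    remaining = set(targets)
    found = {}
    for word in wordlist:
        for rule in rules:
            if not remaining:
                return found
            candidate = apply_rule(word, rule)
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            if digest in remaining:
                found[digest] = (candidate, word, rule)
                remaining.discard(digest)
    return found


if __name__ == "__main__":
    hits = crack(TARGET_HASHES, WORDLIST, RULES)
    for h in TARGET_HASHES:
        if h in hits:
            plain, base, rule = hits[h]
            print(f"{h}  {plain!r:16}  <- {base!r} + rule {rule!r}")
        else:
            print(f"{h}  (not cracked)")
```

Five of the six hashes fall to four base words and ten rules; the one that survives is the only one that is not a dictionary word with predictable mangling. The same idea scaled up (rockyou-sized wordlists, thousands of rules, keyboard-walk and mask attacks) is what makes strings like "qeadzcwrsfxv1331" crackable.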

DeadDrop is a server application intended to let news organizations and others set up an online drop box for sources. It's open source software written by Aaron Swartz in consultation with a volunteer team of security experts. In addition to Aaron's code, the project includes installation scripts and set-up instructions both for the software, and for a hardened Ubuntu environment on which to run it.

I've got a ProXPN account, which I use when I don't want my ISP to see my traffic, on public networks and so on.

Mailinator is a free disposable email address service created in 2003 by Paul Tyma. The idea is to let a user invent a new email address on the fly, whenever needed, for instance while filling a form on a website. (wikipedia)

Tor Mail is a Tor Hidden Service that allows anyone to send and receive email anonymously.
This product is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

Adobe PDF Reader is known for bad security flaws, and is unnecessarily heavy. Try out Sumatra PDF instead. It is the reader I have used for the last few years. I don't have any Adobe software on my PC anymore.

Unmask Parasites is a simple online web site security service that helps reveal hidden illicit content (parasites) that hackers insert into benign web pages using various security holes.

GRC's Fingerprints: Secure browser connections can be intercepted and decrypted by an authority that presents a spoofed certificate for the site. But the fingerprint (the hash of the certificate) of the authentic site's certificate cannot be duplicated by a forged one, so comparing the fingerprint your browser shows with the one GRC sees from its own vantage point reveals such interception.
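The check GRC's page relies on, as an added example that is neither the original post's nor GRC's code: a certificate fingerprint is just a hash over the DER-encoded certificate, so a forged certificate with the same subject name but a different key hashes to a different value. The two "certificates" below are constructed byte blobs standing in for real DER (only the bytes matter to the hash); `fetch_server_der` and `check_host` use the standard library to fetch the real leaf certificate of a live host and compare it against a fingerprint obtained out of band, and need network access.

```python
import hashlib
import hmac
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Fingerprint as browsers and GRC display it: the hash of the DER-encoded
    certificate, upper-case hex, one colon between each byte."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Compare the observed fingerprint with a pinned one (constant time,
    case- and whitespace-insensitive so a value pasted from a web page works)."""
    observed = fingerprint(der_cert, algo)
    return hmac.compare_digest(observed, pinned.strip().upper())


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the server presents to *this* client.
    Needs network access. ssl.get_server_certificate returns PEM, which is
    converted to DER because fingerprints are computed over the DER bytes."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_host(host: str, pinned: str, algo: str = "sha1") -> bool:
    """True if the certificate seen from here matches the fingerprint obtained
    from an independent vantage point (e.g. GRC's page). A mismatch means
    someone between you and the site is presenting a different certificate."""
    return pin_matches(fetch_server_der(host), pinned, algo)


# Constructed stand-ins for two DER-encoded certificates (not real X.509).
# Both claim the same subject; only the key differs, as a forged certificate
# issued by an interception box would.
GENUINE_CERT = b"\x30\x82\x01\x00 constructed cert, subject CN=www.example.com, key A"
SPOOFED_CERT = b"\x30\x82\x01\x00 constructed cert, subject CN=www.example.com, key B"

# The fingerprint a trusted out-of-band source reports for the genuine site.
PINNED = fingerprint(GENUINE_CERT)

if __name__ == "__main__":
    print("pinned  :", PINNED)
    print("genuine :", fingerprint(GENUINE_CERT), pin_matches(GENUINE_CERT, PINNED))
    print("spoofed :", fingerprint(SPOOFED_CERT), pin_matches(SPOOFED_CERT, PINNED))
```

The caveat is the channel: the pinned fingerprint has to come from somewhere the interceptor cannot also rewrite, which is why GRC shows you the value its own servers see rather than what your browser reports.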

Gpg4win enables users to securely transport emails and files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading it. Digital signatures make sure that it was not modified and comes from a specific sender.

Make sure your memories don’t turn into just memories. With Jungle Disk, your important documents, treasured photos, home movies, and more are always within reach. You can even select where to store your files—Jungle Disk works seamlessly with both Rackspace® Cloud Files and Amazon S3.

SSL Server Test (Qualys SSL Labs): This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you the service. We don't use the domain names or the test results, and we never will.

Testing Landkredittbank.
