Updated 1 October 2024
ONLINE SECURITY GUIDE
MOBILE DEVICES
Before securing your mobile devices, it is worth reconsidering your approach to Contact Management, which makes the subsequent steps easier. Although this step is optional, it’s highly recommended. The majority of mobile devices run versions of either the Apple iOS or Google Android operating systems. Start by updating your contacts. If they are linked / synchronised with an email address (eg. Gmail), log in to your email account (on a PC) and update your contacts from there. All changes will then propagate to your linked devices, assuming you’ve selected Google in your Contact’s Display Preferences settings.
To update your contacts, change all telephone numbers to the proper international (E.164/ENUM) format. For example, to convert the British phone number 07123 456789, do the following:
- Drop all leading zeros
- Remove all non-numeric characters
- Prepend the relevant country code
The British phone number 07123 456789 will become +447123456789. This is the preferred format, so update the telephone numbers for as many of your contacts as you can and get into the habit of storing numbers in this format. Make a note of your own number in this format; you’ll need it later.
Always apply all software or operating system updates as soon as they become available. These include much-needed security fixes. If you’re confident and technically proficient, you may replace the device’s operating system with a custom one like:
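The three steps above as a small converter, added here as an example and not part of the original guide. It goes slightly beyond the steps by leaving numbers that already carry a country code (`+44 …`, `0044 …`, `+44 (0)…`) intact, since blindly dropping zeros and prepending the code would corrupt them. The function names, the UK defaults and the sample contacts are assumptions made for the example.

```python
import re

E164_MAX_DIGITS = 15  # E.164 caps a number at 15 digits, country code included


def to_e164(raw, country_code="44", intl_prefix="00"):
    """Return raw as +<digits>, or raise ValueError if it cannot be one.

    country_code and intl_prefix are assumed defaults for a UK contact list.
    """
    text = raw.strip().replace("(0)", "")      # "+44 (0)7123 ..." trunk zero
    international = text.startswith("+")       # already carries a country code
    digits = re.sub(r"\D", "", text)           # remove all non-numeric characters
    if not international and digits.startswith(intl_prefix):
        digits = digits[len(intl_prefix):]     # "0044 ..." dial-out prefix
        international = True
    if not international:
        digits = digits.lstrip("0")            # drop all leading zeros
        if digits:
            digits = country_code + digits     # prepend the country code
    if not digits or digits[0] == "0" or len(digits) > E164_MAX_DIGITS:
        raise ValueError(f"cannot convert {raw!r} to E.164")
    return "+" + digits


def normalise_contacts(contacts, **kwargs):
    """Split (name, number) pairs into converted entries and ones to fix by hand."""
    converted, rejected = [], []
    for name, number in contacts:
        try:
            converted.append((name, to_e164(number, **kwargs)))
        except ValueError:
            rejected.append((name, number))
    return converted, rejected


# Constructed sample contact list (not real numbers).
SAMPLE_CONTACTS = [
    ("Alice", "07123 456789"),
    ("Bob", "+44 (0)7123 456789"),
    ("Carol", "0044 7123-456789"),
    ("Dave", "unknown"),
]

if __name__ == "__main__":
    ok, bad = normalise_contacts(SAMPLE_CONTACTS)
    for name, number in ok:
        print(f"{name}: {number}")
    print("check by hand:", bad)
```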
- E FOUNDATION – preferred
- GRAPHENEOS
- CALYXOS
- COPPERHEADOS
- LINEAGE OS
If you’re feeling particularly adventurous, you may consider investing in a cleaner hardware and software stack solution such as MURENA.
Signal
On mobile devices, secure communication is of the utmost importance. Follow the link to install the SIGNAL PRIVATE MESSENGER application. This is a free, open-source application that makes use of your smartphone’s mobile data connection or wifi calling features. You will need to complete a short activation process using your own mobile number (in the above international format), then you’ll be good to go. Remember to activate the LTE / WiFi-Calling feature on your smartphone, as well as various WiFi-Calling and Privacy settings (including the App Security, Always Relay and Sealed Sender switches) in SIGNAL too. For more information and a better description of how to switch to this application, see this article: SWITCH TO SIGNAL. There is also a Signal application available for desktop computers. Phone encryption and periodic clearance of search and location histories are advised. Consider locking individual apps or folders, setting a strong passphrase and enabling the remote lock, locate and erase feature.
The Android app TRACKERCONTROL allows users to monitor and control the widespread, ongoing, hidden collection of data about user behaviour (‘tracking’) in mobile apps. It uses Android’s VPN functionality to run a local VPN server, so that apps’ network communications are analysed locally on the Android device. Another application to note for your mobile device is ORBOT, which lets you route your internet browsing over the TOR network. There are desktop versions of some of the encrypted instant messaging applications below.
Modify each of your wifi network connections (or better still, the relevant settings in your router, see below) to ensure that you use the IP addresses displayed in the DNS Resolvers table (below) as your DNS, unless you decide to use a Private DNS, in which case you’ll need to specify a suitable hostname instead; see the page: Publicly Available DNS Servers.
On your iOS mobile device, follow these instructions to configure it to use a suitable hostname: Setting up Private DNS on an iOS device.
On your Android mobile device, follow these instructions to configure it to use a suitable hostname: Setting up Private DNS on an Android device.
Reset your Advertising ID within your Google settings on a regular basis. Disable the wifi and location features if you’re in a public place and they’re not needed; this can easily be done by temporarily enabling the airplane or flight mode feature. Ensure that you encrypt your mobile device. This may take some time, so keep your device charging during this crucial step and do not interrupt it. Afterwards, enable PIN / Passcodes and even SIM PIN and Voicemail PIN to further secure your smartphone.
Before you sell or dispose of your mobile device:
- Backup / export all your personal or important information (files, images, contacts, etc) to your encrypted cloud or any other external storage.
- Delink your device from your Apple / Gmail accounts, etc.
- Delete all images or other personal files from your device.
- Clear all messaging and call history, including any notifications and search or browsing history.
- Clear all contacts and password keys from your mobile device, inc. SIM.
- Uninstall as many applications as you can, inc. clearing SD storage.
- Forget all networks or wireless access points.
- Ensure that you then encrypt your mobile device again.
- Perform a hard reset of your mobile device.
- You may then remove the SIM card and battery (if possible), then physically destroy the mobile device if you wish to dispose of it.
For additional security, consider enabling two-factor authentication (2FA) for various online services using a suitably secure authenticator application (avoid 2FA via SMS). Online guides to securing your iPhone or MacBook are also available here:
NETWORKS
If you have access to the router and can update its settings, log in to it using your computer’s web browser then note the existing DNS IP addresses in case you need to undo this step. These would be the addresses for your Internet Service Provider’s DNS. Consider changing the existing DNS IP addresses to ones provided by one of the following services:
Service | FQDN | Preferred IPv4 Server | Alternative IPv4 Server | Preferred IPv6 Server | Alternative IPv6 Server |
---|---|---|---|---|---|
DNS EU | dns0.eu | 193.110.81.0 | 185.253.5.0 | 2a0f:fc80:: | 2a0f:fc81:: |
CloudFlare | one.one.one.one | 1.1.1.1 | 1.0.0.1 | 2606:4700:4700::1111 | 2606:4700:4700::1001 |
Quad9 | dns.quad9.net | 9.9.9.9 | 149.112.112.112 | 2620:fe::fe | 2620:fe::9 |
OpenDNS | n/a | 208.67.222.222 | 208.67.220.220 | 2620:0:ccc::2 | 2620:0:ccd::2 |
DNS.sb | dns.sb | 185.222.222.222 | 45.11.45.11 | 2a09:: | 2a11:: |
Publicly Available DNS Servers
Save your updated configuration then restart your router. When WPA3-certified routers and compatible devices become more readily available, do consider upgrading your hardware to make use of this new wireless standard for improved security. It is also recommended that you have separate MODEM and ROUTER hardware where possible.
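To confirm that a Linux or BSD machine actually picked up the new resolvers, the check below compares the `nameserver` lines of a resolv.conf-style file against the table above. It is an added example, not part of the original guide; the function name and the sample file contents are constructed for illustration, and only the resolver addresses come from the table.

```python
import ipaddress

# Resolver addresses copied from the table on this page.
RESOLVERS = {
    "DNS EU": ("193.110.81.0", "185.253.5.0", "2a0f:fc80::", "2a0f:fc81::"),
    "CloudFlare": ("1.1.1.1", "1.0.0.1",
                   "2606:4700:4700::1111", "2606:4700:4700::1001"),
    "Quad9": ("9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"),
    "OpenDNS": ("208.67.222.222", "208.67.220.220",
                "2620:0:ccc::2", "2620:0:ccd::2"),
    "DNS.sb": ("185.222.222.222", "45.11.45.11", "2a09::", "2a11::"),
}
# Parsed addresses compare by value, so any IPv6 spelling matches.
INDEX = {ipaddress.ip_address(a): name
         for name, addrs in RESOLVERS.items() for a in addrs}


def audit_nameservers(resolv_conf_text):
    """Classify each nameserver line of a resolv.conf-style file."""
    findings = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue                        # comments, search, options, blanks
        try:
            ip = ipaddress.ip_address(fields[1].split("%")[0])  # drop zone id
        except ValueError:
            continue                        # not an IP address
        if ip in INDEX:
            verdict = INDEX[ip]
        elif ip.is_loopback or ip.is_private or ip.is_link_local:
            verdict = "local forwarder"     # router or stub: check its upstream
        else:
            verdict = "unlisted"            # e.g. the ISP's resolver
        findings.append((str(ip), verdict))
    return findings


# Constructed sample file contents.
SAMPLE = """\
# generated by NetworkManager
nameserver 9.9.9.9
nameserver 2606:4700:4700:0:0:0:0:1001
nameserver 192.168.1.1
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    print("\n".join(f"{a:24} {v}" for a, v in audit_nameservers(SAMPLE)))
```

A "local forwarder" result means the device is asking the router or a local stub resolver, so the upstream setting to verify is the one on that router or stub.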
COMPUTERS
If you’re truly concerned that your privacy may have been compromised, don’t use your own computer. Go to an internet cafe or other public service such as a library and use the computer there if you can. Otherwise you should be reasonably safe by using your own computer with the following suggestions. Avoid using versions of MS Windows; these are a relatively non-secure set of Operating Systems. Try to use Linux distributions such as:
Take great care when copying a distribution to a USB drive (or optical media such as CDs, DVDs, etc) and then running it on a suitable computer. Many of these Linux (and BSD) distributions can be run directly from optical media or USB, so you can use them before installing anything on your computer. Take the time to learn about open-source operating systems; start by bookmarking the DISTROWATCH site.
Several other tools for various purposes are as follows:
- VERACRYPT – Drive / Partition Encryption
- GOCRYPTFS – File-Level Encryption
- DNS Public IP – DNS Public IP
- WHAT IS A DNS LEAK? – DNS Query Leak Test Explanation
Take great care to configure any anonymisation networks as a Relay, not as an Exit Node. Many well-known social media and other hidden services, including illicit services, are accessible via various anonymisation networks which provide improved end-to-end security.
Other useful applications are:
- FAWKES – Defeat Facial Recognition
- BATCHPURIFIER – Modify / remove metadata
- OPENSTEGO – Image File Steganography
- DEEPSOUND – Audio File Steganography
- KEEPASS PASSWORD SAFE – Password Manager
Email is a very important service for many reasons. Presently there are many email service providers that offer varying levels of security. JMAP is an official open API standard for modern email clients, with efforts underway to completely redesign modern email with intrinsic security by incorporating this standard.
But what if you’re unable to use the new JMAP email services? There is a simple process that you can use to communicate using any email service. Here’s how it works:
- Person A registers with a new email account and notes the login credentials (ie. username and password).
- Person A logs in and drafts a message, but does not send it. The message is saved in the drafts folder.
- Person A logs out.
- Person A gives the login credentials to their trusted contact Person B, in person.
- Person B then logs in to the same email account.
- Person B can then read the saved message from Person A in the drafts folder, then deletes it.
- Person B replies by creating a new message and saves that into the drafts folder.
- Person B logs out.
- Person A can then log back in and read the saved message from Person B before composing a reply as above.
This communication can take place without a single message being emailed through any server or domain, which makes surveillance very difficult. This requires participants to access the same email account and some degree of coordination between them. Also, remember to change your email settings to disallow tracking and other features. There are many helpful tips available online, specifically how to improve your email’s SPA.
A number of free, online, disposable email providers are also available:
Your browsers are important too:
If your Operating System is a 64-bit OS, use 64-bit versions of these browsers. Be sure to keep them updated and configured properly at all times. Do remember to disable any tracking or DNS prefetching before use. To test whether your browser is protected against online tracking techniques:
Set your home page in your browsers to one of:
- HTTPForever – recommended for mobile devices
- MOJEEK
- STRACT
- BRAVE SEARCH
To share files:
- WORMHOLE
- RETROSHARE
- SNAPDROP – to share between devices within your LAN
In each browser you should search for and install the following extensions / add-ons / plugins:
There are also free applications that can be downloaded and installed for secure instant messaging:
PORTMASTER FIREWALL
An open-source application firewall such as SAFING PORTMASTER has a feature that can help you conceal your browsing from surveillance efforts.
The OTR site lets you send secure, anonymous messages to your contacts. A facility for self-destructing one-way messages is also available. This is purely browser-based, no installation of any software is necessary. You should also consider using services or extensions that function as secure VPNs or dVPNs such as:
If you’d prefer to set up your own VPN Server, then you may use this resource as a starting point:
These let you route your browsing activities through virtual private networks or remote proxies located in different jurisdictions. Don’t access your email, financial or other personal sites through them unless they have sufficient security in place, nor should you use any untrusted proxy when handling your personal business (ie. sites that require login credentials or financial information). Ensure that whichever browser you use, you’re familiar with its Incognito or Private Browsing Mode and that it’s configured to clear its cache automatically when it’s closed.
Further information and reviews are contained in these excellent resources:
- STREET LEVEL SURVEILLANCE
- A NINJA’S HANDBOOK
- PIXEL PRIVACY
- PRIVACY.NET
- BEENCRYPTED
- TECHLORE
- THE ULTIMATE PRIVACY GUIDE
- POPULAR SCIENCE
- CNET
- ONLINE BROWSING SECURITY ADVICE
- RECOIL OFFGRID – INTRODUCTION TO STEGANOGRAPHY
- SECUSO – PRIVACY FRIENDLY APPS
- THE WIRED GUIDE TO DIGITAL SECURITY
- SAFETY DETECTIVES
- SCOTT HELME
- PRIVACY GUIDES
- RESTORE PRIVACY
- HOW’S MY SSL?
- IS BGP SAFE YET?
Cipher
After emptying your computer’s Recycle Bin, you may use some useful MS Windows commands, eg. CIPHER, which ensures that no deleted files in a directory can be recovered.
Other useful software:
- SPACEBARCHAT – Alternative to Discord.
- JAMI – Alternative to Skype and Zoom.
- MASTODON – Alternative to X.
- MINDS – Alternative to Facebook.
- VENTOY – Bootable USB solution.
- NOTESNOOK – Alternative to Evernote.
- LIBREOFFICE – Alternative to Microsoft Office.
- OPENDESK – Alternative Office Suite.
- USBIMAGER – Writes compressed disk images to USB drives and creates backups.
- BALENAETCHER – Burn images to SD Cards and USB drives.
Firmware
There is a great deal of further information regarding counter surveillance that couldn’t be included because it’s outside the scope of this article.
SUMMARY
On computers, many tools can be installed and most websites can be accessed by any modern browser. Check your browser’s privacy and security settings and schedule it to clear your entire cache and history (especially when your browser is closed) periodically. Consider limiting your cached web content to 0MB and enable tracking protection. Ensure you sign up to a JMAP-compliant email service. Updating your DNS / Router settings is highly recommended. Harden your social media privacy settings (SECURE FACEBOOK) by placing your associates in distinct groups and setting their permissions accordingly, or better yet, try to keep your presence on social media to a minimum.
Remember to SIGN OUT or LOG OUT of every site that you have used, when you’re done.
Do install and use the secure SIGNAL application to communicate with others.
Be aware that an increasing quantity of your personal information, contacts, views, habits and locations can be scraped from your online presence and sold to third parties. If this point is of particular concern, consider using MINDS and MASTODON. Keep in mind that most popular communication, productivity and social media apps are not as secure as the ones detailed in this article.
There are several new or upcoming protocols and technologies that will greatly improve your SPA including:
Hopefully the information provided here will guide you in securing your online presence more effectively and assure your personal safety.