Web security

Sooo…
This might be a very broad question but here goes.
I hear a lot about layered security lately, so I was wondering what kind of security measures people on the forum take to stay safe/hidden/keep their privacy.

There are some obvious ones like a VPN or firewall but what other kind of stuff do people do, like Qubes OS, Tor or Quad9 DNS?
I would love to hear about people’s security strategies.

I don’t really do much privacy-wise.

On the security side of things,
Network:

  • PFSense
  • Pi-hole
  • OpenVPN server for my Android phone so I can make use of the Pi-hole on the go.

Local Machines… network monitor like Glasswire and a decent anti-virus (I use ESET NOD32).

3 Likes

A couple of simple things to check is make sure that you don’t have any ports forwarded that are not needed.

Second, make sure you turn off your router setting that controls response to anonymous pings from the WAN. Some folks with bad intention ping random addresses to look for a response. If they get one, they know they have found a router. Next they will begin to look for open ports to exploit.

Also, turn off your SSID broadcast. This can make easily accessing your WiFi a pain in the ass, and will not stop someone that is determined to try and hack your router’s WiFi. It will stop less informed folks.

These may be simpler solutions than what you were looking for, but they are sound advice. These settings are available on almost all routers.

EDIT: mobile keyboards suck.

3 Likes

In the process of beefing up my own stuff. Here’s what I’m either doing already, recently started implementing or what I’m working on:

  • pfSense
  • Linux whenever possible (work forces me to use Windows)
  • VPN
  • Protonmail
  • Browser plugins to block ads and trackers
  • anonymous prepaid credit card
  • Have as few accounts as possible
  • Never use your actual name or address.
    1) For accounts that require an address I’m now using an existing street in a nearby city with a house number slightly higher than the actual highest one in that street.
    2) For online purchases I’m looking into getting a PO box and slightly misspelling my name.

1 Like

One shouldn’t forget browser addons like uBlock Origin and NoScript. These are useful as well. Besides, in order to increase the general security of my system(s) I have a couple of VMs, which I’m using for various tasks. For example, I can only recommend a browser VM in order to further isolate your system from the web.

@Novasty: Your Pi-Hole made me curious. Any idea if it works properly, if I’m using OpenVPN? As far as I know, DNS requests will be tunneled through this VPN, thus the Pi-Hole wouldn’t be used on systems running a VPN…

Linux is not inherently secure. I wish this rumor would drown in a fire. Even the Kali people said the distro does nothing to provide anonymity out of the box. You still have a lot of work besides just “uze lynox”. There are websites dedicated to pwning Linux with thousands of VMs to learn to tear it to shreds. Adding a GUI made out of fucking JavaScript and more open protocols is going to fist you even harder.

The primary reason Linux is “secure” is because no one uses it. Work “forces” you to use Windows? When’s the last time they were breached, and was it attributed directly to a flaw in Windows? Most people get rekt because of ignorance, arrogance, or being just plain stupid. It’s incredibly hard to actually attack Windows. Most guides will tell you to not update the OS and leave the firewall off, which no one does, unless they’re anti telemetry zealots.

The OP didn’t even say what they’re hiding from. Just regular web browsing Ghostery, a VPN, ublock origin, and the modern noScript is enough.

If they’re trying to hide from Google, Facebook, whatever, then using Linux does dick to fight that. Your unique footprint is still a big fucking footprint in their space. You would be better served building a live USB or spinning up a different VM every time you want to browse the web. How fucking tedious.

Everyone always forgets the big fat elephant in the room, YOUR ISP. They’re still collecting metadata, encrypted or not, and know what anime you’re watching, what foot cream you’re buying, or what you’re getting off to. Even to use a VPN you still have to connect to your provider.

Have compartmental VMs and workstations. Use one VM just for IntelliJ, one VM just for Amazon, one VM just for Netflix, use Windows just for Steam, use Ubuntu Studio just for music. I can’t imagine living that way but that will segregate your tasks and “muh privacy” will be intact.

Use pfSense as a WAN and LAN. Create vLANs for each of your VMs and workstations. Put mobile and consoles on a separate subnet. Put anything Alexa, Google, and public on a separate subnet, or if you can afford it, get an entirely separate ISP connection. I have AT&T and FiOS at my home, AT&T is for InfoSec stuff and FiOS is for everything else.

How far are you willing to go? I only ask because, unless you do this for a living, it’s a second job and a half keeping up with this. If Linux is private enough for you then go for it. But let me tell you, someone can snap a picture of you on your webcam on Linux as easy as they can using Mac or Windows. They just have to alter their malware. Chances are if they’re good enough to write that for Windows they’re good enough to write it for Linux, too.

If you want to hide from a nation state or the U.S. government there is a foolproof way to do that.

  1. Go to your router.
  2. See that big looking phone cable?
  3. Rip it out
  4. Done

Getting offline is the only way to stay secure from the big dogs.

If you want to go balls deep and don’t look back, then learn Go, Python, and PowerShell. Master the Unix stack, TCP/IP stack, and shell code. Create some images with software and drivers preloaded, and fire off a new install into a segregated VM when you want to browse the web or chat on a forum. Learn C and write your own kernel and software, unique that you can’t send upstream but unless it’s a specific 0 day targeted at you you won’t be affected.

Then, get a job at the NSA making $400,000 a year and enjoy your fucking life.

5 Likes

Yea it works over the VPN

1 Like

Thx good to know, now I’ve to figure out how my router’s DNS settings can be changed…while there are settings like “primary dns server”, I can’t enter anything the router accepts. (Furthermore, it doesn’t even accept its very own default settings when I click on apply).

OS-> QubesOS + whonix gateway
VPN -> ProtonVPN
Email-> Protonmail | Riseup
Browser-> Firefox
Addons-> HTTPS | Privacy Badger | Ghostery | Multi-Account Containers | Cookies AutoDelete

My main concerns are account security and malware from criminal use if compromised. (this should in theory be everyone’s main priority).

To that goal, I use password managers and keep my systems up to date, and use a bit of common sense on the web.

My main email account uses multi factor authentication in case that password is ever compromised.

These are the primary things you really need to cover to ensure good security, more so than AV. AV is next on the list but passwords, and OS and application updates are the top two.


Most of the replies here seem to be more around privacy from something, not web security. It would be interesting to see what people’s goals are in this regard?

Privacy from who and why? And what tools you use to mitigate those.

I have some privacy-related tools like adblocker etc. but in reality this is less because of privacy and more because of annoying ads.

Seeing from this perspective, everything starts with the good use of the system. The fact of downloading a PDF or other document can compromise the machine. The use of sandbox (or) is a good alternative to open or test material that could compromise the operating system.

I wish the idea that GNU/Linux is completely secure would die down too. Unfortunately you will always have people that say if you go against the norm then it is the best thing out there and will keep you safe.

It’s the same with the mentality of set it and forget it. Like a program should automatically know what a person wants without interaction and should keep them safe from harm. Because this sort of technology is new, it’ll take a long time to be refined.

Yes, absolutely true!
*I believe that there will be systems to be developed and easy to use for the average user, because security and privacy is a right for everyone and not only for users with more knowledge, this in a general concept…

Hi,

Nice list we’re getting here 🙂
It’s not like I’m trying to or will ever be capable of hiding from a government as @anon79053375 said.
I’m just interested in technology and security and was wondering what kinds of things I never thought about security-wise.

I think we can all agree that there’s no one solution fits all kind of thing and that security is a constant struggle not a reachable goal.
You can look at this post like an attempt at identifying what sort of layers to consider and what options/programs correspond to those.
[Totally agree with @Cobra92fs and @Eden about how important it is to keep stuff up to date, check ports, multi factor etc. but I consider those as general ‘good practices’ so didn’t specifically include it here]

-Mail [Protonmail | Riseup]
-Browser Add-on [uBlock Origin | NoScript | HTTPS | Privacy Badger | Ghostery | Multi-Account Containers | Cookies AutoDelete]
-Browser [Tor]
-Antivirus […]
-OS [Qubes OS | Whonix | Multiple VM’s for different tasks]
-DNS [PI-HOLE]
-Firewall [PFSense | Glasswire]
-VPN [PIA | ProtonVPN]

1 Like

I think you missed the point when it comes to technology and security.

1 Like

What point is that?

Think about the basic lock and its evolution. Technology and security go hand in hand, but at the same time compete with each other.
The majority of key locks out there are easy (relatively speaking and nothing illegal) to open because of the way they are designed. It’s no different when it comes to computers with either hardware or software.

There’s no one solution, but it’s not a constant struggle.

One of the main things that isn’t really thought of day to day by people who “want to be secure” is the question “From what?”

A lot of people here are really bad for not considering that question and the end result can end up being just making your life unnecessarily hard.

You need a clear goal of what it is you perceive as a security problem for you, what the risks are that you feel you need to protect yourself from, how likely those risks are to happen, and then put in some controls appropriate to those answers so you have enough security for your needs.

Your list [just for example] seems to be trying to cover at least three different threat areas, but only actually covers one of them somewhat sufficiently and it’s not a security issue but more of an ad privacy issue. That’s why it’s important to identify what the problem you’re trying to solve is, because it ends up that people just think they’re solving it when they really aren’t.

It’s not even good practices, those will be at the top of almost every scenario you can come up with when it comes to your security in a digital world. The worst thing is some people don’t even do it.

1 Like

There are various types of web security and the OP didn’t specify which, so I wasn’t really referring to one kind or another.
A lot of what I do is privacy-related, not on a government or a Google level, but to stop at least online sellers etc from getting my actual data and selling it to spammers etc. Another bunch of stuff is malware-related or general data security.

I’ll try to address your post paragraph by paragraph, although I probably won’t cover all of it.

I’m not worried about targeted attacks. If a slightly competent hacker or a government agency wants to pwn you, you’re going to get pwned no matter what OS you’re using.
I’ve had to disinfect so many people’s machines that I’ve become very wary of malware, so that’s my main concern. Luckily I never had to deal with it on my own machines, never want to do so either.
99% of malware is written for Windows. By using Linux you drastically lower the odds of encountering anything that could actually infect your machine.
Okay, uBlock Origin, Ghostery etc will already filter out the malicious ads, but still that’s nowhere near as effective as using an OS that just isn’t targeted anywhere near as much.

Indeed. I work mostly from home and need to use a Windows-specific scanner (or at least Linux support for it is a complete disaster and makes everything a lot more complicated than it needs be) and custom windows-only software.
Sure, I could put Windows in a VM, pass through the USB ports etc, but at that point you might as well just dual boot.
Oh, and of course I can look for another job etc. But that would be a bit ridiculous.

Using Linux would actually make it easier for them to identify you, so for that purpose you’re better off with a very basic Windows setup indeed. That being said …
Completely blocking Facebook is easy enough on either OS. The full list of their domains is publicly available so you can block their cookies, put them in your hosts file etc. Blocking them will break all images that are hosted on FB, but IIRC that’s about all of it. No big deal IMO.
Similar story with Twitter and Linkedin etc for those who want to take it that far.
Blocking Google is a lot more difficult. Putting google.com in your hosts file will basically break any site that uses captcha etc. Still, blocking cookies and social buttons etc will reduce the amount of data they get somewhat.

As soon as you connect to the VPN provider the ISP has no way of knowing what data is being transferred. So I’m not sure where you get the idea that they’re able to get metadata from your encrypted traffic. Once the tunnel is established between your PC and your VPN, your ISP will only see random gibberish and to their knowledge all of it is going to the same address.
Sure, if you don’t use a VPN all bets are off, especially in the US. Over here it’s not that critical because European privacy laws are very strict even pre-GDPR. ISPs mostly know better than to abuse or sell customer data. They’re also smaller so the potential gains are small, meaning that the fines will more than compensate for whatever profit they make from that data.

1 Like
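The hosts-file blocking mentioned in the post above, as an added example that is not part of the original thread: it builds sink entries from a domain list and shows that hosts lookups match exact names only, so every subdomain has to be listed. The domain names are constructed placeholders, and the `0.0.0.0` sink address is an assumption.

```python
import re

# Constructed sample input; a real list would come from a published blocklist.
SAMPLE_DOMAINS = ["Social.Example", "cdn.social.example", "social.example",
                  "bad domain", "tracker.example."]

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case and strip the trailing dot; return None for invalid names."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(_LABEL.match(label) for label in labels) else None


def build_hosts_block(domains, sink="0.0.0.0"):
    """Return de-duplicated hosts-file lines pointing each domain at the sink."""
    seen = []
    for domain in domains:
        clean = normalize(domain)
        if clean and clean not in seen:
            seen.append(clean)
    return [f"{sink} {name}" for name in seen]


def parse_hosts(lines):
    """Parse hosts-file lines into {hostname: address}; first entry wins."""
    table = {}
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table


def is_blocked(table, host, sink="0.0.0.0"):
    """Hosts files have no wildcards: only an exact name match is blocked."""
    return table.get(host.lower().rstrip(".")) == sink


if __name__ == "__main__":
    block = build_hosts_block(SAMPLE_DOMAINS)
    print("\n".join(block))
    table = parse_hosts(block)
    for host in ("social.example", "img.social.example"):
        print(host, "blocked" if is_blocked(table, host) else "NOT blocked")
```

A DNS-level filter such as the Pi-hole mentioned earlier in the thread avoids the per-machine maintenance this approach needs.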

This.

My reply was certainly based more on keeping your network safe from bad actors on the Internet. This was how I understood the OP’s question. I can see how others read it and went in a different direction. This isn’t a bad thing, as a lot of good information has been posted.

As far as staying safe on the web, I think good browsing habits are the number one solution. It will not prevent all issues, no amount of careful browsing will, but it will limit exposure. I think this is key.