License: The Unlicense

Family Security and Privacy Review

Every six months I walk my family, roommates, and friends through a security and privacy review. It also serves as a conversation about why this matters and a chance to share news, rumours, and new concerns. Here is what is on my checklist:

Privacy

  • Change all device names to something that does not identify the owner or the model (e.g. not "Jane's iPhone")
  • Set up connecting devices to use a randomized MAC address when joining Wi-Fi
  • Check which third-party apps have access to your Google account, specifically making sure they cannot access Gmail or Google Drive
  • Make sure no unexpected app tokens have been generated on Dropbox/Box/MEGA/OneDrive accounts
  • Make sure no unexpected app tokens have been generated on any Reddit/Twitter/Facebook/GitHub accounts
  • With a fresh device, on a never used wifi, do a google search for each other's names and handles, share findings
  • Ensure phones have disk encryption enabled
  • Ensure computing devices have disk encryption enabled
  • Perform Cloudflare's Browsing Experience Security Check
  • Consider using Encrypted SNI (ESNI; its successor is Encrypted Client Hello, ECH), so the hostname you connect to is not sent in the clear during the TLS handshake
  • Review the cost/benefit of disabling WhatsApp backups
  • Google for any leaks of your biometric information
  • Use a browser that is not Chrome or Edge. Suggestions include Brave, Waterfox, and Firefox
  • If using Firefox, use Firefox Monitor
  • If using Firefox, use the Facebook Container extension by Mozilla (the makers of Firefox)
  • Turn off personalized ads on Google Products
  • Turn off personalized ads on Windows 10
  • Consider using an end-to-end encrypted messaging app such as Signal. Avoid using Telegram or WhatsApp
  • Opt-out of interest-based advertising by companies participating in the Digital Advertising Alliance (“DAA”) at the DAA’s Choice Page, located at http://www.aboutads.info/choices
  • Perform a privacy & security check of Windows 10 using the open source PrivateZilla

Security

  • Make sure 2FA is enabled for all your accounts, especially any financial, social, and mission-critical sites
  • Make sure 2FA does not rely on text messages (SMS); SMS codes can be intercepted or redirected. DuckDuckGo "ss7 protocol hack"
  • Consider using a YubiKey
  • Make a list of all financial/401(k)/HSA/retirement/investment/loan accounts
  • Walk through your account list and change your passwords
  • Make sure financial accounts have correct mailing address
  • Make sure USPS mail forwarding is renewed on any previous residences
  • Review emergency contacts on phones
  • Review emergency medical information on phones
  • Review blocked numbers and contacts on phones
  • Review blocked numbers and contacts on social media sites
  • Create/review code words for each other
  • Create/review code phrases for each other, so you can verify it is really the other person on a call or in a message
  • Create/review a cognitive key
  • Review YubiKey usage
  • Ensure all devices are still getting updates, without any issues. Note any devices or software that are no longer supported
  • Review any Cryptocurrency wallets and balances
  • Review your encrypted messaging app for recent zero-days or bad press coverage
  • Consider using Keybase
  • Review computers for vulnerabilities and backdoors introduced by installed software (bundled adware, unmaintained utilities). Remember: "Freeware is killware"
  • Check https://haveibeenpwned.com/
  • Review your choice of mesh network apps to make sure they can still be trusted. A mesh network chat app can keep working after your government has cut off internet access
  • Make sure your home router/modem has up-to-date firmware. Consider buying your own instead of leasing one from your ISP
  • Change your Wi-Fi network name (SSID) and password
  • Unlink your end-to-end encrypted chat apps from other devices, then relink only where appropriate, e.g. web.whatsapp.com, the Signal desktop app, Telegram, keybase.io, etc.

Practices

  • Keep a list of all the apps/software/sites you and your family use or have accounts with
  • In this list, flag which are closed-source
  • In this list, flag which are developed in countries you do not trust
  • Make it a habit to check the settings or preferences of any app you install or use
  • After creating an account on a service or website check the settings. Look for privacy or security settings
  • Consider being more intentional and strategic with how you choose your passwords. Consider the pros/cons of my password system

Contingency

  • Make sure all of your devices are backed up and secured
  • Download a copy of your facebook @ facebook.com/download
  • Download a copy of all data from your gmail account
  • Pick a random site or service that you use. Imagine if you woke up one day with it all deleted. Prepare your next steps
  • Plan for a SIM swap attack against you or your family. Have a checklist prepared
  • Plan for your house burning down. Would you still have all your passwords? Would you lose access to any cryptocurrencies?
  • Consider putting your passwords and accounts in an encrypted file. Place this file inside a password-protected archive. Give this archive to two trusted friends, but give each of them only one of the two passwords, so that neither can open it alone and both are needed to recover it. This can serve as a backup or dead man's switch.
  • Consider expanding a mesh network of your choice by running the software or hardware. Like goTenna Mesh
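The two-friends arrangement above is a threshold scheme built by hand: each friend holds one of two passwords and both are needed. Its weak point is that losing contact with either friend loses the backup. Shamir's secret sharing keeps the "no single friend can open it" property but lets you choose the recovery threshold, for example three shares of which any two recover the archive passphrase. The Python below is an added example of that generalization (my own code, not from the checklist's author); it works byte by byte in GF(2^8) using the AES polynomial, the secret is whatever passphrase protects the archive, and the sample passphrase is constructed for the demo.

```python
"""Shamir secret sharing over GF(2^8): split a passphrase into n shares, any k recover it."""
import secrets
from typing import List, Tuple


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat's little theorem in a field of order 256)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, threshold: int, count: int) -> List[Tuple[int, bytes]]:
    """Return `count` shares (x, y_bytes); any `threshold` of them rebuild `secret`.

    For every secret byte a random polynomial of degree threshold-1 is drawn whose
    constant term is that byte; share i holds each polynomial evaluated at x = i.
    """
    if not 1 < threshold <= count <= 255:
        raise ValueError("need 1 < threshold <= count <= 255")
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    shares = []
    for x in range(1, count + 1):
        y = bytearray()
        for poly in polys:
            acc = 0
            for coeff in reversed(poly):  # Horner's rule: acc = acc*x + coeff
                acc = _gf_mul(acc, x) ^ coeff
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def combine_shares(shares: List[Tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte position at x = 0 to recover the secret.

    Fewer than `threshold` shares still produce bytes, but they are uniformly
    random rather than the secret: that is the information-theoretic guarantee.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    length = len(shares[0][1])
    if any(len(y) != length for _, y in shares):
        raise ValueError("shares have different lengths")
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = _gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    passphrase = b"constructed demo passphrase: owl-marble-7-lantern"  # constructed sample
    s1, s2, s3 = split_secret(passphrase, threshold=2, count=3)
    assert combine_shares([s1, s3]) == passphrase
    print("share for friend A:", s1[0], s1[1].hex())
    print("any two of the three shares recover the passphrase; one alone reveals nothing")
```

Hand each friend one (x, hex) pair on paper, keep the third share yourself in a separate place, and keep the encrypted archive wherever it is convenient; the archive without two shares is useless, and one unreachable friend no longer locks you out.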

Education

  • View how an ad agency profiles you, using outbrain's interest viewer tool
  • Read EFF's Surveillance Self-Defense guide
  • Government-run troll farms will use compromised social media accounts to like or comment on posts without the owner's knowledge. Use 2FA!
  • Learn that SMS-based 2FA cannot be trusted and is easily bypassed. DuckDuckGo "ss7 protocol hack"
  • Understand the importance of paying for a VPN
  • Understand what a Five Eyes (FVEY) country is and how that list has been expanded to include others (Nine Eyes, Fourteen Eyes).
  • Understand that your location can be tracked from the sky, and from space, from the moment you leave your house: https://www.youtube.com/watch?v=13BahrdkMU8
  • Understand that the Slaughterbots dramatization is a warning about what is coming: https://www.youtube.com/watch?v=HipTO_7mUOw
  • Understand the OSI 7 layer stack and how privacy can be compromised in any of the layers
  • Read and follow ways to secure your home network and modem/router @ RouterSecurity.org
  • Read other Security Review lists i.e. A Defensive Computing Checklist by Michael Horowitz
  • Learn that WhatsApp chat backups uploaded to Google Drive are not protected by WhatsApp's end-to-end encryption, and that WhatsApp and Google have an agreement to store them free of charge.

We need to talk about security and privacy in order to share tips and tricks and discuss how effective they are. I hope this list helps. Please open an issue ticket with updates or suggestions.

Always check the settings