Basic Security FAQ: Essential Questions and Answers

1. Where is the best place to store information?

It’s best to store all your information in cloud services that support client-side encryption (such as Mega, pCloud, and others). You can read more about these in a separate article. If you’re already using something like Google Drive, you can integrate encryption programs like TrueCrypt or Rohos Disk with your cloud storage.

2. How can I communicate most securely?

We’ve already covered this topic in detail here.

3. How are users identified?

Let’s look at a couple of ways users are tracked that many people forget about. Most users just change their IP and feel safe. More advanced users also delete cookies and think they’re protected. However, every browser and system has a nearly unique fingerprint. This method collects information about your browser, plugins, operating system, installation times (where available), and more. This data is unique enough to identify a user with 70-75% accuracy, which is significant at the initial stage.

Browser and OS fingerprinting systems are now used by all social networks. For example, if you visit a site where your fingerprint is recorded, then later visit another site (like a social network) without a VPN, you can be identified. Since 2012, matching data by fingerprint has been a second stage of user tracking, and authorities have access to this data. IP addresses (even behind a VPN) and timing analysis are also used. In all data centers across Europe, Russia, etc., equipment is installed to record all traffic (SORM, Solera, E-Detective, etc.). This equipment logs all incoming and outgoing traffic, and packet timing and size are analyzed to identify users, even those behind VPNs. Real client IPs can be obtained without requesting data from VPN providers.
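The fingerprinting point above, as an added example that is not part of the original FAQ: the fingerprint is computed only from browser and OS attributes, so a new IP and deleted cookies leave it unchanged, and attributes that each reveal little combine into a unique value. All attribute values, addresses, cookie names and function names are constructed for illustration.

```python
import hashlib
import itertools
import json
import math

# Attribute kinds named in the text; all values below are constructed.
FP_KEYS = ("browser", "plugins", "os", "timezone")

def fingerprint(visit):
    """Hash only browser/OS attributes; IP and cookies are not inputs."""
    material = json.dumps([visit[k] for k in FP_KEYS])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def identifying_bits(visit, population, keys=FP_KEYS):
    """Surprisal (in bits) of a visitor's values for `keys` in the population."""
    same = sum(all(p[k] == visit[k] for k in keys) for p in population)
    return math.log2(len(population) / same)

# Constructed population: every combination of two values per attribute.
POPULATION = [
    dict(zip(FP_KEYS, combo), ip=f"198.51.100.{i}", cookie=f"sid-{i}")
    for i, combo in enumerate(itertools.product(
        ("Firefox", "Chrome"), ("pdf", "pdf,flash"),
        ("Windows", "Linux"), ("UTC+1", "UTC+3")))
]

def same_user_after_cleanup():
    """One visitor, then the same browser behind a new IP with cookies wiped."""
    first = POPULATION[5]
    second = dict(first, ip="203.0.113.77", cookie=None)
    return fingerprint(first) == fingerprint(second)

if __name__ == "__main__":
    me = POPULATION[5]
    print("re-identified after IP/cookie change:", same_user_after_cleanup())
    print("bits from OS alone:", identifying_bits(me, POPULATION, ("os",)))
    print("bits from all attributes:", identifying_bits(me, POPULATION))
```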

4. Is using a virtual machine enough to hide (change) your fingerprint?

A virtual machine will hide your fingerprint and transmit its own. You need to reset its parameters and periodically reinstall the system in the VM, changing its settings. Don’t use a VM on remote hosting unless it’s specially configured (gateway, mixing, VPN, migration, etc.), especially if you’re the only client on that VM.

5. Do providers store user data?

The Russian Federal Security Service (FSB) aims to have full control over user data on the Internet. According to a Ministry of Communications order, since July 1, 2014, all providers must install equipment to record and store at least 12 hours of Internet traffic data. Full access to this data must be provided to security services. Data collected includes phone numbers, IP addresses, user account names, email addresses (mail.ru, yandex.ru, rambler.ru, gmail.com, yahoo.com, etc.), ICQ chat IDs, IMEI numbers, VoIP identifiers, and more. The order also requires providing FSB with the location of user devices for VoIP services (Google Talk, Skype, etc.).

Many experts consider this order unconstitutional, as it allows data collection and storage without a court order. This equipment is part of SORM but is now targeted more specifically at subscriber surveillance. The minimum security measure is to stop using IM clients and switch to Jabber with mandatory OTR encryption, and to avoid all IP telephony except for services with encrypted calls and IP masking (using SIP proxying on the server side).

6. How can I check routes and protect myself from the service itself?

To check anonymity, do the following:

  1. Log into the server and check the incoming IP. Enable server logs, log in again, and check the security audit for the IP used to connect (if there’s no protection, your home IP will show).
  2. Check the outgoing IP and make sure it doesn’t match the incoming one.
  3. Check if traffic is going through the JAP service by setting the JAP server address in your proxy settings and testing if it works (see instructions).

This is the simplest way to check routes. However, anonymity isn’t real if the service can monitor you. To protect yourself, use traffic encryption. Each machine should have a VPN client from a third-party company (paid for by the service), encrypting traffic through their gateways so they can’t monitor it. However, there’s still a risk of access to your hard drive data. For this, each machine has an additional encrypted hard drive, but you should also use the installed data encryption program on your desktop for extra protection.

7. Is it useful to use a crypto phone? Does it make sense if only I have one, or do both parties need one?

Both parties need to have a crypto phone; otherwise, it’s pointless. In fact, the ones sold and certified in Russia are doubly pointless.

8. Who transmits secrets via the Internet or cellular networks? Why should an average user encrypt Skype conversations?

People discuss all sorts of things online. It’s not always pleasant to have someone watching, and remember that all Skype messages go through Microsoft’s servers, which means your conversations could be used against you later. Even sharing confidential data is common, so encryption is important.

9. Are ports logged when browsing the Internet on your servers?

Currently, there are 8 incoming IPs, each serving its own group of clients. There are over 1,000 outgoing IPs. It’s impossible to identify a user by port, as ports aren’t linked to specific machines or Internet access. For every 10 client connections, there are about 100 “parasitic” ones, making it nearly impossible to filter addresses. True anonymity is achieved only by using a large number of dynamically changing incoming and outgoing routes with traffic mixing for all clients.

10. What should I do if my VPN disconnects?

Many users get exposed when their VPN disconnects, as services like Skype, ICQ, and WebMoney can quickly log your real IP before you reconnect. To prevent this, you should change your routing so that the Internet disconnects if the VPN drops. This can be done by deleting the gateway in your network settings after connecting to the VPN. Many VPN services now offer programs to do this, but it’s safer to use a simple batch script. Routing determines how your Internet traffic flows—directly, through a VPN, or even through multiple VPNs for extra paranoia.
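A check for the routing change described above, as an added example that is not part of the original FAQ: it parses Windows `route print -4` output and lists any route that would still carry traffic outside the tunnel if the VPN dropped. The sample tables, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `route print -4` excerpts (addresses are made up for this example).
HEADER = "Network Destination        Netmask          Gateway       Interface  Metric\n"
BEFORE = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2      3
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2      3
     203.0.113.10  255.255.255.255      192.168.1.1     192.168.1.50     25
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
"""
# Same table after the physical default gateway has been deleted.
AFTER = HEADER + "\n".join(BEFORE.splitlines()[2:]) + "\n"

def parse_routes(text):
    """Yield (network, gateway, interface) for each IPv4 row of the table."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, separator or other section
        dest, mask, gateway, iface, _metric = cols
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)
        except ValueError:
            continue  # not an IPv4 route row
        yield net, gateway, iface

def fallback_routes(text, vpn_iface, vpn_server):
    """Routes that would carry traffic past the tunnel if the VPN dropped."""
    server = ipaddress.IPv4Network(f"{vpn_server}/32")
    leaks = []
    for net, gateway, iface in parse_routes(text):
        if iface == vpn_iface or gateway == "On-link":
            continue  # tunnel route, or local subnet/loopback only
        if net == server:
            continue  # host route the VPN client needs to reach its server
        leaks.append(str(net))
    return leaks

if __name__ == "__main__":
    print("before:", fallback_routes(BEFORE, "10.8.0.2", "203.0.113.10"))
    print("after: ", fallback_routes(AFTER, "10.8.0.2", "203.0.113.10"))
```

An empty result means that when the tunnel interface goes away, no gateway route is left for other traffic to fall back on.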

11. Is it effective to set a BIOS password on modern motherboards?

Setting a BIOS password on any motherboard is pointless for security. Instead, use a combined password on an encrypted partition with a key, or better yet, a dual system with TrueCrypt. Storing sensitive data on a machine that could be physically accessed is not secure, even if encrypted. For hobbyists, use encryption and hidden containers plus a dual system. “Everything should be like a magician’s trick: in plain sight and open, so no one suspects anything is hidden. With local encryption, it’s obvious you’re hiding something, and if someone wants, they’ll make you give up your passwords.” On older BIOS versions, removing the battery resets the password; on newer ones, the password is stored in ROM and can only be reset with soldering. If your PC is seized, it’s easy to reset the password.

12. If I have a 3G modem and can change SIM cards daily, is this service still relevant? Does the modem have an ID, or does changing SIMs and modems help? Do computers have unique IDs?

A 3G modem has both a network address and an IMEI, which can be used to track you even if you change SIM cards. The computer itself doesn’t directly relate to the modem, but it does reveal hardware and system IDs. If you don’t use protection systems (besides VPN), at least use a virtual machine on your local computer.

13. Are there basic recommendations for beginners to protect their PC from hackers and malware? (Not about anonymity.)

If you’re on Windows and in a LAN, here are some simple tips:

  • Install a firewall and antivirus (recommendation: Agnitum).
  • Disable all shares on your PC, even administrative ones like C$ (these are being targeted again).
  • Avoid accepting files from people you don’t know well.
  • It’s not required, but it’s a good idea to enable two-factor authentication and encrypt all valuable data (or keep it on a flash drive or in the cloud).

14. Do operators store information about SIM cards that have been used in a modem?

Yes, this data is stored by the operator.

15. Which virtual machine do you recommend for home use?

The simplest option is to install VirtualBox.

Chipillino Onion Club
