Help PLEASE

Let me begin by saying I stumbled on this site while trying in futility to understand what I need to do to maintain my security online. I am a recovering techno-phobe and probably a complete and total techno-tard for life. Still, I find myself in a situation where I need to protect my privacy online and need a solution(s) that I can somehow "get", apply, and count on.

My specific needs have to do with:

1. Keeping government agencies from infringing on my rights by tracking my private browsing history or other IP activity
2. Keeping the websites I access off my computer
3. Protecting my personal information (sign in and passwords) from hackers

I am NOT concerned about accessing sites that are somehow blocked, posting private websites, etc. I'd just like to be able to hide my IP address to the best degree possible.

Oh yeah, and if I did not make it clear in the first paragraph, this "something" I use needs to be pretty user-friendly without a complicated set up. And I'd prefer to keep my speed as fast as possible, but would take a bit of a hit there for a big bump in security.

Some have recommended TOR to me, along with portable firefox. In the course of trying to do a search through the Tor toolbar they installed on my USB drive, my virus software gave me a warning and through trying to bypass that I learned that "tor-proxy.net" is now Anonymox.com.

Thus, I began research on the details of what those two services actually do (about 4% of which I think I actually comprehend) and then stumbled on another site called xerobank. I have spent two days reading and researching these options when I came upon this site. I read some threads on this site (extremely helpful) through which I learned about another service, called Perfect Privacy. That put me over the official edge... I am now so overwhelmed that I cannot see straight.

So, my question is simply this. Considering my goals and needs, is there someone here who can help me divide an conquer. Since I don't know a VPN from a SSH from a Blue Moon, it would help to know which of these is really important to my goals. I sense that there is so much out there and my needs might be simpler than all the stuff I am reading.

At the end of the day I would like to have the tools on my USB so I can bounce across my various computers.

Any help would be greatly appreciated. Thanks so much in advance.

 

You'll get a ton of advice on this, as you're in the right place

My advice, on a pretty easy to do level for a beginner, would be:

Use TrueCrypt to create a container that will hold your browsing/email programs. Since you want to have really good passphrases for a bunch of things, I would get familiar with KeePass Portable. This will be the one passphrase that you will have to remember. Inside KeePass you can then have it generate impossibly long, hard (impossible?) to guess passwords for the TrueCrypt Volume and other programs like LastPass.

Inside the container, put Firefox Portable, Thunderbird Portable, and the Tor Browser Bundle. Install LastPass Free in FireFox. While KeePass can be configured to fill in web data, it is not as simple as LastPass. I stick with LastPass for web site log ins and use KeePass for everything else.

Tor is great, especially to check Tormail.net accounts, but it is really slow. Use it if you REALLY need to be stealthy somewhere, but for everyday browsing, with plug-ins, etc... it really isn't going to be fun.

For that every day browsing, purchase VPN access. This will keep you away from ISP eyes. There is a thread on here discussing the merits of most of the providers. It doesn't sound like making a direct payment to a VPN provider will bother you too much, which will help...paying anonymously is a little complicated. The provider I use will accept cash in the mail if you like though (Mullvad in Sweden). Or just pop $7 on your credit card and try them out for a month. Speed is good, 1080p YouTube videos don't buffer at all.

That's a good basic starting point...you can get crazy from there. Run Linux if you can. If Windows, check the other sections for HIPS protection recommendations (Defense Wall, Comodo, Online Armor, etc...) Oh! and Sandboxie for your browser.

PD

Edit: Oh, all that above (except the VPN client unless they make an OpenVPN Portable) can be run off of a flash drive. Put KeePass and TrueCrypt Portable 'in the open' and have your container on there for everything else.

 

Good advice from above - would never go near Xerobank as a VPN provider, though.

 

PaulyDefran gave some great advice. I will second his recommendation of Keepass as well and the creation of a truecrypt container with portable Firefox in it. I would also recommend using a VPN as well. For some help in choosing a VPN I recommend taking some time to read through this thread: https://www.wilderssecurity.com/showthread.php?t=285780
to get some ideas. I personally like BolehVPN but that is just me. Two things to look for in a VPN:

1. NO LOGS! Meaning no logging of your IP that you use when connected to their service and no logging of your activity.

2. Make sure they use OpenVPN. If they dont FORGET about it. PPTP or anything else is not nearly as secure.

There are many more things to look for but this gives you a basic start.

 

Start with a high-quality 30GB USB drive. Unless you really need high security, do not encrypt the entire drive, because mistakes can happen. You can add a Truecrypt file volume later, if you need it. Make sure that it's formatted as FAT, which Windows, Mac and Lixux can all read.

It sounds like you want a portable computer. There are two options: a bootable USB drive, and virtual machine (VM). I recommend a VM. There's always some risk booting a machine with a "foreign" OS, and sometimes it just won't work, because of hardware limitations or whatever. On the other hand, the risk of leaving traces behind on the host machine is greater with a VM. Using a bootable USB drive, you don't even need to mount the host drive(s). But start with a VM, I think.

To run your VM, I recommend VirtualBox. It's free, easy to use, and reliable. You can have it on all of your machines, and your friends would love playing with it too. Use the 64-bit version if possible.

As the VM, I recommend Ubuntu 10.10 Desktop. Or you can use the latest release, if you like Unity. There is no personal information attached to a Linux system. Also, a full installation needs less than 5GB (but use a 10GB-20GB dynamic disk to leave space for downloads). Installing Ubuntu in VirtualBox is easy. Just google for instructions. Just select your USB drive as the VM location. If you want the added security, use the alternate install ISO, and select encrypted LVM at the disk partitioning step of the wizard. With that, everything in the VM will be encrypted, except for the boot partition.

It sounds like -BolehVPN.net would be a good choice for you. It's fairly popular among torrent freaks, so using it won't attract too much attention. There are instructions for installing on Linux. If you need more security, you could use a multihop VPN, such as iVPN.

One other thing. Never mix identities on a particular machine. If you need multiple identities, use multiple VMs, using a different exit IP address (and a different VPN account, if it really matters) for each.

 

I stand in awe and gratitude. Thank you so much to all for the detailed advice.

This morning I signed back on to this site and was astounded that there were several pages of new posts since I posted this. I don't have any idea who you people are, but I find you amazing. Your brains are, well, pretty darn full and wired for performance.

Now, on to my request for help and attempt to make use of this wonderful information. I had a physical a few weeks ago and my doc suggested that I do some crossword puzzles to keep my brain active. HA - he obviously did not know about this site. EVERYTHING I read takes such concentration. I am looking up definitions and reading Wiki articles until my brain wants to explode. Still, I barely understand 15% of what I am taking in. Its taken me three years to venture this deep into the water and even after all that was provided, I still need a LOT of clarification. I am new here and really don't know how to respond, but I surely don't want to impose or be out of line.

I took several hours to work through the feedback and suggestions I have been given and summarized them in a form that makes sense to my techno-resistant mind. But that page is very long and I would be uncomfortable just posting it because its so much work to just read, much less respond to.

Are there folks on this site who offer services (for hire) to help a person like me... a single person working in a highly discreet world who needs a LOT of consulting to get her security up and running? I have tried to find someone locally, but I get frightened off by the notion that they might put some kind of code or something on my computer that will compromise me.

Not sure what my next step should be... I still have a dozen or so questions after reading what's been posted by these very generous posters. And I know I am a TPITA ~ Snipped ~ because I am so ignorant about this stuff.

Suggestions?

Thanks again so much!

 

This tutorial is a bit dated, but I believe it's still good.

 

I'm sure that there are many security professionals on Wilders. But would you trust them any more than those you found locally? If I needed a consultant, -Rayservers.com and -Cryptohippie.net would be on my short list.

Please don't worry about it. There are no dumb questions, as they say. In asking, you may be helping others.

 

Thanks, SF, VERY helpful.

 

Thanks, I have no idea how to go about hiring someone. ALL this is totally new and foreign to me and I fear my naivete. I appreciate the referrals to some resources for reliable, qualified and secure professionals. The folks I spoke with locally were those who advertised through local sources for internet stuff, but none seemed to have credentials I felt good enough about. Again, I wouldn't know a falsified credential from chopped liver and I have a bunch to lose if I make a mistake.

Appreciate everyone's help.

 

I can help you over PM if you want and give you help setting everything up. I know I can't show any Credentials but I won't charge you anything. Some tips I can give over the forums:

TOR is all about privacy and if used right no one can track you. However TOR is NOT for security. Do NOT use it with personal details as rouge nodes are out their and can view them!

VPN's are much better for security but not so much Privacy as the VPN knows who you are and where you are browsing.

I recommend using Full Disk Encryption as this will protect EVERYTHING on your drives. Containers can leak back into the unencrypted space.

Linux is a good idea. It is Open Source and less likely to be backdoored/leaking data.

 

She wants something portable, on a USB drive. Full disk encryption of the USB drive won't help, because information will still leak back to the boot disk. I don't recommend a fully encrypted bootable USB as her first project. An Ubuntu VM with encrypted LVM (full disk encryption) is much easier, but not as secure. TAILS on USB is another way to go, but Tor is slow and there's no history (because it's a read only LiveCD).

 

TOR provides pseudo anonymity (in other words partial anonymity), NOT total anonymity. And it provides little or no privacy. If you have a good firewall, it will reveal some incoming port connections - which are obviously hacker attempts.

In terms of VPN, try to get a couple of VPN accounts without purchasing records - preferably those that offers free promo with normal features.

Then, the most imperative part of anonymity and privacy is having a fully encrypted hard disk. You can try Truecrypt, Diskcryptor or Bestcrypt. This is your lifeline.

Base connection (eg. public Wifi) Encrypted HDD w VPN1 -> VM OS w VPN2 + TOR.

 

As the saying goes, there's more than one way to skin a cat and something you really need to consider, is that going down the road of security and privacy is something you really need to seriously invest time and effort into, because any quickie shortcuts you're looking for is not going to help you in the long run as things change, or you run into problems.

@x942 if you need to help someone, please help in the forum so others can read and learn too...

About encryption, people seem to be under the misconception about running things in an encrypted container like this is somehow going to protect you, it's not. When you use something that's encrypted, it has to be decrypted in order to work. Encryption is when you lock and close something, that's your security, not when you're using it. This also goes for having encrypted partitions, it does nothing while you are using them, it just helps when the box is shut off to keep people out.

I don't know why people seem to think encryption has something to do with not leaving traces behind also, well it doesn't, traces can be left behind just as easy...

Many people have their own ideas too about all this, but most of what you see will be pretty much the same, give or take a few things.

So the simple replies and answers;

1. VPN services
2. Tor or Tails
3 Change of OS if running Windows; Linux or OSX
4. Use Firefox and good Addons; (Better Privacy, NoScript, Addblock Plus, Ghostery, RequestPolicy is really great but it makes for more work)
5. If you using Windows get the free Comodo Firewall
6. If you're using Windows get 'Sandboxie'

Also Windows users will tell you 1001 different ways to go about Security, truth is, you don't need all of it, all you need is a good firewall, as I mentioned above, use Sandboxie and then either us Avira or Avast antivirus, for free these can't be beat. Also a few malware scanners helps too, like Malwarebytes, SuperAntiSpyware, etc...

Did anyone here mention, Browser Fingerprinting? ---> NOPE, learn a little about browser fingerprinting, it's not BS, it makes you more traceable...

https://wiki.mozilla.org/Fingerprinting

So what do we do about this fingerprinting, here's one solution I've been working on;

https://www.wilderssecurity.com/showthread.php?t=309748

The point I'm trying to make, just when you think you've got it figured out, guess again, I've been at this cat and mouse game over 10 years and I'm still learning, so don't expect any quick fix rush to get things done like yesterday IF you really care and I stress IF you really care about your security and privacy, you can certainly do some things at this very moment, but the process of learning, really learning it, it's going to take time and effort if you care...

Take it slow, read this forum front and back, ask lots of questions and keep digging and learning all over the internet...


Here's some links for those Windows apps;

http://personalfirewall.comodo.com/free-download.html
http://www.sandboxie.com/


CHEERS

 

One question at the OP, if you will indulge me - what is your motivation for wanting to go such measures to hide your online info etc? It might give us a better idea at which techniques might be more suitable for you.

 

The comments on encryption are valid, of course, but I still believe that that is an essential layer. The ease of use these days makes it almost a no-brainer, so why not? Especially for a 'losable' USB drive. A lot of data breaches have come from stolen laptops, a hot key can dismount within seconds, and setting up laptop shut down on screen close, and hanging on tight for 10 seconds is very doable. Containers keep prying eye's on shared family computers, away from bookmarks, history, and emails in the case of Thunderbird portable. Again, valid points about mounted crypto, but it's still the first thing I do after OS install/Updates and anti-malware.

PD

 

Will do

This is what I do when I need to go incognito (Now this is a little complicated but works very well).

1) I use a laptop with NO OS on it. The Hard Drive is Encrypted with TrueCrypt (or other software).

2) I boot from a Live USB. This is either Ubuntu or TAILS.

3) I log on to public WiFi with a spoofed Mac Address this way in the event it is tracked back to public WiFi no one can match my computer to it.

4) Anything I want saved is saved to the encrypted Hard Drive.

5) A quick unplug of the flash drive and TAILS turns off the computer wiping RAM Preventing any cold boot attacks.


It works great. But great anonymity takes a while to do. It IS complicated to setup. But if you are comfortable with it this setup is next to, if not, impossible to track down. Even if you were tracked through TOR to the open WiFi all they would have (at best) is a fake MAC address so they can never pin it on you.


The less complicated way is to do what was already mentioned in this thread.

 

@x942

That's a cool setup. What's on the hard drive? Software?

 

Software, Pentesting (hacking) tools, Files, logs etc.

I do IT consulting so I normally use this set up to prove just how "hidden" someone can be if they really want to be. Since the tools are linux based I can run them on tails and I encrypted them so there'sno way to prove they're there.

 

Hey guys, we need to cut right to the chase and get at the heart of the matter and clear the air around here, there's way to much incorrect information going on.

1. When you have an encrypted partition or container, as soon as you open it there is no encryption it's been decrypted and anyone getting on the box at the moment can get into anything you are doing.

2. The encryption is only good when it's turned off, like when you haven't unlocked it and you don't want anyone getting in, or the computer was stolen, etc... Many people make it seem like having encrypted partition makes you more private and secure while you are using the encryption, it does not, it only helps when you haven't accessed it and opened it.

3. A lot of people seem to think you just simply need to have encryption to maintain some level of privacy or keep tracks off your computer and this is not true. The thing is, what is your level of security you need to achieve, what is the goal here? Most people seem to think you better have encryption or you're not safe or secure and that isn't true either. The thing is, who are you protecting yourself against is the question? A good clean box, strong login password on like Unix/Linux/OSX with someone who has good experience can be safer than someone with hardly any experience using Windows and not understanding any of this and how to apply it.

4. Traces and tracks left behind, there is big confusion here that people seem to think that unless you are using Tails you are leaving traces and tracks all over the place, this is not true at all. You can use Windows, OSX and Linux just as safely as Tails leaving nothing behind, the question is do you know how to do this and yes it can be done real easy, it's just basic cleaning up after yourself, knowing how to clean a cache and temp areas and files out, etc...

5. Mac Spoofing, I'm not an expert on it, but I had the good fortune of speaking to someone that use to be one of Sonicwalls top engineers and he simply put it, spoofing a mac doesn't do anything for helping to hide or protect you, it's about penetration testing.

If we're going to want privacy and security then people around here need to start understanding the technologies and how to apply them.

What I find out on the internet like most places, is people just all follow what seems to be common knowledge, which is nothing more then common confusion.

For starters I would never recommend to anyone that is very serious about all this to stick to Windows for online activities, it's just not safe enough for the average computer user, or fairly experienced user to keep up with.

All systems have their pros and cons and I certainly like Windows for a lot of things, but if we're going to sit around here talking extreme levels of security and we're still pushing Windows, then forget it, that's a big joke, when you compare the out of the box experience of security to Unix/Linux/OSX...

Heck, even go out and get an Apple, they're popular and a lot safer then Windows...

So I'm the alternative OS guy, never uses encryption, never uses Tails, has great password strength on the system, strong firewall(s) and a hardened system, also kept clean, it's everything anyone would want, but the truth is, you have to be willing to learn.

Security is education bottom line and you can't replace that with a lot of tools, because with all the tools and no education, someone will find away around your tools for your lack of education and I hope that makes a lot of sense. The truth is, this is what it's really all about, not just some quick fix...

Cheers

 

@DasFox I 100% agree with you! Well Put! The only thing is MAC Spoofing does provided privacy:

Let's say you leak your public IP when surfing behind TOR. Now the attacker traces this to the hotspot (let's say Starbucks) if you MAC address is logged on that router AND they have a witness putting you there - well they have you now.

BUT if you used a fake one they have NOTHING. the router logs show the faked one and not the real one, the would analyze your hardware and see it doesn't match. Game over. No proof nothing.

That said you are right. Over the internet it provides nothing. But as a precaution against them tracking it down to that router it does provide an extra layer of privacy. But I digress as this is outside of the scope of this thread.

 

That's true. If it matters, you shut down whenever you're not using the machine. Linux boots and shuts down quickly enough that it's not too inconvenient.

Also, see -http://www.wilderssecurity.com/showthread.php?t=314260 about homomorphic encryption schemes that allow processing of encrypted data, by untrusted machines, without decrypting it in the process. It's unworkable now, but in a few years

 

Your exactly right as far as I am aware if you use Firefox portable in a truecrypt container you should be good to go. All you have to worry about is clearing the DNS cache. I have ran several tests with recuva and diskdigger to confirm this. More on this here as well: https://www.wilderssecurity.com/showthread.php?t=286468

 

Inline, above.

PD

 

Whew, I read every one of these and think my retention went up about 20%. Who'd have thunk in just a few days...

More responses to questions when I return from my weekend trip. Thanks again for everyone's patience and great ideas.