This website was last updated on Saturday, June 13, 2015 5:42 PM CST
Below is a checklist of actions that an ordinary person can take in an effort to better secure their computer, network, and identifying information. Longer than some, shorter than others, implementing this list should make you, your equipment, and your information just a little more safe than you were before.
At the same time, some of these steps have the potential to damage your computer/router. If you decide to try them, you do so at your own risk! Every system is unique in its own way, and what works on one system may not work on yours. If you don't know how to do one of these items, it is your responsibility to either (a) learn how, or (b) skip to the next item. These recommendations were tested on systems using:
  • Windows 7 Ultimate Edition running on computers using custom components
  • Netgear Nighthawk R7000 running DD-WRT v24-sp2 (02/16/2015) kongac - build 26285M
  • Moto-X running Android 4.4 and 5.0
  • Ubuntu 15 (32-bit version) running on an old Dell laptop
Any suggestions preceded by the header "Theoretically..." are yet to be tested or successfully implemented.
Please go to the bottom of the website to submit any recommendations you would like to share to make this list more comprehensive than it already is.
Hardware
Keep computer/monitor/router in locked/secure room
Put your router in a central location, limiting wifi signal to neighbors/passersby
Block the lens of any web camera when not in use
Disconnect any microphones when not in use
Avoid sharing flash drives or other USB devices from other computers
Turn the computer/monitor/router off when not in use
Use CablesOnline 2-Way A/B RJ45 Metal Rotary Manual Switch Box (Amazon) to turn your wired Internet connection on and off, or between different Internet-connected devices, as needed
Put a privacy screen on your monitor
Use a surge protector and uninterruptible power supply
Theoretically, it is possible to...
Use wifi-blocking wallpaper (metapaper) as reported here, once available.
MS Windows OS Computer
Create and use a standard MS Windows account for ongoing, frequent use while reserving an administrative account for special occasions, e.g. installing software
Require long, random-character passwords to log in to each account
Use a screensaver that locks after a brief period of non-use
Set Windows Update to install updates automatically for the operating system, Internet Explorer, and other Microsoft products
Check to make sure the latest installed software updates are applied:
  1. Use File Hippo update checker
  2. Use Secunia's Personal Software Inspector
Use Enhanced Mitigation Experience Toolkit (EMET) from Microsoft on maximum security settings (the maximum profile can break some applications, so test the programs you rely on afterwards)
Use BitLocker to encrypt data on your internal hard drive(s), secured with a 40+ random-character password stored in LastPass (see below)
Use BitLocker to encrypt all data on your portable/disconnecting drives, again with a secure password
Install antivirus and firewall software configured to the highest security settings:
Install an anti-keylogger program:
Consider other forms of anti-malware:
Clean private, potentially hackable items off your computer:
  1. CCleaner (from Piriform) / CCEnhancer (from SingularLabs)
  2. Privacy Eraser
Use Disk Scrubber (Summit) to overwrite free space on hard drives
After disconnecting from the Internet and disabling antivirus software (to prevent false positives), run Detekt.exe (as administrator) to scan Windows for traces of surveillance spyware
Don't install Java, or if already installed, un-install it (using Control Panel and from any Browser plug-ins)
Run untrusted .exe files inside Sandboxie rather than directly on the system
Regularly back up hard drive data to portable drives, not to the cloud
Use Quicken/financial software on your general use computer and store its data on a portable drive that is disconnected when not in use
Theoretically, it is possible to...
Change Microsoft Windows logon to require Yubikey two-factor authentication, OR...
Use Rohos Logon key to logon to MS Windows with Yubikey
Use BitLocker to encrypt your operating system drive
Use Yubikey as two-factor authentication for harddrive decryption
Harden the security on your computer by using Department of Defense Security Technical Implementation Guides (STIGs). STIGs are available for Windows, Linux, Mac OS X, iOS, and other operating systems. STIGs are also available for products ranging from Internet Explorer, Chrome, and Firefox to Microsoft Office, Java, and Symantec Endpoint. The entire list can be found here.
Router / Network
Upgrade from standard router software to the latest DD-WRT / Tomato firmware
Change the default name and password(s) of the router admin area to maximum length and complexity allowed (60 characters)
Change the default internal router IP address (typically 192.168.1.1) to a different address. Malicious web pages that attempt CSRF (cross-site request forgery) attacks against home routers send their forged requests to the well-known default addresses, so an unusual address makes such attacks less likely to succeed; it does not replace a strong admin password. Choose the new address from the three blocks of private address space that the Internet Assigned Numbers Authority (IANA) reserved in RFC 1918 (cited from this article):
  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
Reduce the default DHCP address range to the minimum necessary for users and guests
Enable the SPI (stateful packet inspection) firewall
Disable IPv6 on the router, so that IPv6 traffic cannot bypass the IPv4 firewall rules, or, if IPv6 services are needed, replace the router with an IPv6-certified one. A list of approved devices can be found here
Disable responses to any outside ICMP requests (pings)
Disable Universal Plug-n-Play service on router
Disable remote management of router
Set the router to WiFi broadcast on the 5 GHz band only, limiting access to modern devices
Only turn on 2.4 GHz band when needed by older devices
Reduce the default wifi broadcast power to the minimum coverage necessary
Disable SSID broadcasting (note that this deters casual neighbors only: a hidden SSID is visible to anyone with a wireless sniffer, and your own devices will broadcast the hidden name wherever they go while probing for it)
Disable WPS
Enable WPA2 with AES (CCMP) encryption only; do not allow WEP, WPA, or TKIP
Enable cookie filtering
Enable MAC address filtering (a minor hurdle only, since MAC addresses are transmitted in the clear and are easy to spoof)
Assign each device on the internal network a static IP address (or a DHCP reservation)
Enable OpenVPN on your DD-WRT router with a VPN service (below)
Turn the router off when not in use, e.g. Belkin Remote Switch Power Strip
Forward WAN port 80 to an unused IP address on the internal network, so that external requests for the router's rom-0 configuration file (which affected firmware serves without authentication, exposing the admin password) reach nothing
Consider separate passwords for the 5 GHz and 2.4 GHz bands
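The items above about moving off the default LAN address and shrinking the DHCP range can be worked out with a short script. This is an added example, not code from the checklist or from DD-WRT: it draws a random subnet of the right size from 10.0.0.0/8, rejects the factory-default subnets (the list of defaults is an assumption for the example), and sizes the DHCP pool to the number of devices you actually own.

```python
import ipaddress
import secrets

# Added example (not from the original checklist): choose a LAN subnet inside
# the RFC 1918 private space that is not one of the factory defaults, and size
# the DHCP pool to the number of devices you actually own.

RFC1918_SPACE = ipaddress.ip_network("10.0.0.0/8")   # subnets are drawn from here

# Factory-default LAN subnets that router-targeting CSRF pages try first.
# This list is an assumption for the example, not an exhaustive survey.
COMMON_DEFAULT_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
              "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24")
]


def prefix_for_hosts(num_devices: int) -> int:
    """Smallest CIDR prefix whose usable addresses fit the devices plus the router."""
    if num_devices < 1:
        raise ValueError("need at least one device")
    needed = num_devices + 1           # the router's own LAN address counts too
    size = 4                           # a /30 is the smallest block with 2 usable hosts
    while size - 2 < needed:           # network and broadcast addresses are unusable
        size *= 2
    return 32 - (size.bit_length() - 1)


def is_default_subnet(network: ipaddress.IPv4Network) -> bool:
    """True if the candidate overlaps a well-known factory default."""
    return any(network.overlaps(d) for d in COMMON_DEFAULT_SUBNETS)


def choose_lan_subnet(num_devices: int, rng=secrets.randbelow) -> ipaddress.IPv4Network:
    """Pick a random, correctly sized subnet that is not a factory default."""
    prefix = prefix_for_hosts(num_devices)
    block = 1 << (32 - prefix)                       # addresses per subnet
    slots = 1 << (prefix - RFC1918_SPACE.prefixlen)  # subnets of that size in 10/8
    for _ in range(100):
        addr = int(RFC1918_SPACE.network_address) + rng(slots) * block
        candidate = ipaddress.ip_network((addr, prefix))
        if not is_default_subnet(candidate):
            return candidate
    raise RuntimeError("could not find a non-default subnet")


def dhcp_pool(network: ipaddress.IPv4Network, num_devices: int):
    """Router takes the first usable address; the pool holds exactly num_devices."""
    hosts = list(network.hosts())
    if len(hosts) < num_devices + 1:
        raise ValueError("subnet too small for that many devices")
    pool = hosts[1:1 + num_devices]
    return str(hosts[0]), str(pool[0]), str(pool[-1])


if __name__ == "__main__":
    lan = choose_lan_subnet(5)
    gateway, first, last = dhcp_pool(lan, 5)
    print(f"LAN {lan}: router {gateway}, DHCP {first}-{last}")
```

Enter the printed network, router address and DHCP start/end into the router's Basic Setup page; devices with static addresses should be given reservations outside the pool.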
Virtual Private Network (VPN)
Sign up for a VPN service that:
  1. Keeps no connection or activity logs
  2. Uses AES-256 data encryption (or better)
  3. Uses SHA-256 (or better) HMAC data authentication, so that tampered or injected packets are detected
  4. Uses an RSA-4096 (or better) handshake to authenticate the server and establish session keys
  5. Offers a SOCKS5 proxy
  6. May be used with your phones/tablets
  7. Allows for payment using untrackable currency, e.g. Bitcoin, gift cards
The following websites may be helpful in selecting a VPN service:
  1. BestVPN.com
  2. Greycoder.com
  3. Torrentfreak.com
Avoid PPTP (Point-to-Point Tunneling Protocol); its MS-CHAPv2 authentication has been broken, so prefer OpenVPN
Change the default password for the VPN service to the maximum length and complexity allowed
Theoretically, it is possible to...
Prepare for VPN failure and DNS Leaks:
  1. Install Guavi's VPNCheck Pro to shut down the main network connection or programs - appears to be intended for desktop clients, not easily configured with router firmware
  2. Install VPNetMon software to close programs if the IP of the VPN is no longer detected
  3. Block Internet access with a firewall when the vpn fails
  4. Change TCP/IP routes so that the only default route is through the VPN tunnel interface
Disable port forwarding to other server gateways in the VPN to maintain privacy
Configure your vpn "to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic."
Internet Browsers
Use one browser for financial tasks (e.g. Chrome)
Set aside another browser (Firefox) for daily use in which JavaScript & Flash are disabled
Always use private browsing and never remember history
Disable cookies completely, use a cookie whitelist to save individual ones when necessary
Use DuckDuckGo or Ixquick search engines, rather than Google/Bing/Yahoo, etc
Use Disconnect Search or StartPage if you need Google, Bing, Yahoo results
When accessing financial websites, use pre-established bookmarks only
Avoid Internet Explorer: Quicken integration and many other sites force you to lower its security/privacy settings
Install the following add-ons for Chrome to minimize malware/surveillance:
Adblock
Adblocker for GMail
Click&Clean
Disconnect
DNSSEC Validator
FIDO U2F
Ghostery
Google Analytics Opt-out Add-on
HTTPS Everywhere
IBA Opt-Out (by Google)
KB SSL Enforcer
Keep My Opt-Outs
LastPass Password Manager
Norton Security Toolbar
Pixelblock
Privacy Badger
ScriptBlock
TLSA Validator
Vanilla Cookie Manager
Webmail Adblocker
WebRTC Block
WOT
Install the following add-ons for Firefox to minimize malware/surveillance:
Adblock Plus
Adblock Plus Pop-up Addon
Better Privacy
Click&Clean
Advanced Cookie Manager
Disconnect
DNSSEC/TLSA Validator
DuckDuckGo Plus
Facebook Disconnect
Flashblock
Ghostery
HTTPS-Everywhere
Locationbar2
No Google Analytics
Norton Security Toolbar
NoScript
Privacy Badger
Secure Sanitizer
ShareMeNot
WOT
Prevent home IP-address leakage through WebRTC in the Firefox browser (this also disables WebRTC calling and screen-sharing sites in Firefox):
  • Type "about:config" in the address bar
  • Acknowledge the warning
  • Double-click "media.peerconnection.enabled" to toggle it to "false"
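A WebRTC leak-test page works by gathering the browser's ICE candidates and reading the addresses in them. The script below is an added example, not part of the original checklist or of any leak-test site: it parses candidate lines in the RFC 5245 format, classifies each address, and reports a LAN address exposed by a host candidate or a public address from a STUN-reflexive candidate that is not the VPN's exit address. The sample candidates and the VPN exit addresses are constructed for the example; the `.local` case covers the obfuscated mDNS names that later browsers use, which the 2015 page does not mention.

```python
import ipaddress
import re

# Added example (not from the original checklist): classify the ICE candidates
# a WebRTC leak-test page collects and report which addresses they expose.
# Sample candidate lines below are constructed for this example.

CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+"
    r"(?P<transport>\S+)\s+(?P<priority>\d+)\s+(?P<address>\S+)\s+"
    r"(?P<port>\d+)\s+typ\s+(?P<typ>\S+)(?P<rest>.*)$"
)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_candidate(line: str):
    """Return the fields of one RFC 5245 candidate line, or None if malformed."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    extras = m.group("rest").split()
    attrs = dict(zip(extras[0::2], extras[1::2]))      # raddr / rport / generation ...
    return {"address": m.group("address"), "port": int(m.group("port")),
            "typ": m.group("typ"), "raddr": attrs.get("raddr")}


def address_kind(addr: str) -> str:
    """'mdns' names reveal nothing; otherwise local, private (RFC 1918/ULA) or public."""
    if addr.endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def find_leaks(candidate_lines, vpn_exit_ip: str):
    """List (kind, address) pairs: LAN addresses, or a public address that is not the VPN's."""
    findings = []
    for line in candidate_lines:
        c = parse_candidate(line)
        if c is None:
            continue
        kind = address_kind(c["address"])
        if c["typ"] == "host" and kind == "private":
            findings.append(("lan_address", c["address"]))
        elif c["typ"] == "host" and kind == "public":
            findings.append(("public_address", c["address"]))
        elif c["typ"] == "srflx":                      # STUN-reflexive: what the internet sees
            if kind == "public" and c["address"] != vpn_exit_ip:
                findings.append(("vpn_bypass", c["address"]))
            if c["raddr"] and address_kind(c["raddr"]) == "private":
                findings.append(("lan_address", c["raddr"]))
    unique = []
    for f in findings:                                 # de-duplicate, keep order
        if f not in unique:
            unique.append(f)
    return unique


SAMPLE_CANDIDATES = [   # constructed for this example
    "candidate:1 1 udp 2122260223 192.168.1.23 55432 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.45 55432 typ srflx raddr 192.168.1.23 rport 55432 generation 0",
    "candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.45 rport 55432 generation 0",
    "candidate:4 1 udp 2122260223 5c3f8e2a-91b4-4d7e-9f1a-0c2b7e6d4a11.local 55432 typ host generation 0",
]

if __name__ == "__main__":
    for vpn_exit in ("203.0.113.45", "198.51.100.77"):
        print(vpn_exit, find_leaks(SAMPLE_CANDIDATES, vpn_exit))
```

With `media.peerconnection.enabled` set to false the browser produces no candidates at all, so the list is empty; any `lan_address` or `vpn_bypass` finding means the setting (or the Chrome WebRTC Block add-on) is not doing its job.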
Avoid posting identifying information on social networking sites, if you must use them at all
Use Tor Browser Bundle when VPN is unavailable
E-mail
Disable image display in e-mail
Do not open attachments or links in e-mail
Set up separate e-mail addresses for different tasks:
  1. family/friends
  2. finances/investments
  3. shopping/customer accounts
  4. work, etc
Set up a separate, disposable e-mail address for any sign-up you expect will result in spam
Set up a filter that alerts when any e-mail with an attachment arrives
Switch to a more secure e-mail service/client:
  • Tutanota, an open-source, free, encrypted e-mail provider
  • Fastmail, which does not scan your messages - $15/year/account
  • Blur to mask your personal e-mail address - $45/year
  • MyKolab, an encrypted e-mail provider - $11/month
  • Peerio, for secure messaging and file sharing
  • End-to-End Encrypted e-mail service, once it's made available by Google (currently under development)
 
Theoretically, it is possible to...
Set up e-mail to display in non-html, no-image/text-only format, e.g. Alpine, Popcorn-style e-mail clients
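The attachment alert and the image-blocking items above can be checked against a real message with the Python standard library. This is an added example, not code from the checklist or from any mail provider: it parses a message, lists every attachment (flagging Windows-executable and macro extensions, including "invoice.pdf.exe" style double extensions), and lists the remote images that would phone home if image display were enabled. The sample messages are constructed inline and `tracker.example` is a placeholder host.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Added example (not from the original checklist): triage an incoming message
# the way the "alert on any attachment" filter above would, and list the
# remote images that would phone home if image display were enabled.
# The sample messages are constructed inline; tracker.example is a placeholder.

REMOTE_IMG_RE = re.compile(r'<img[^>]+src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

# Extensions Windows will execute or that carry macros; a heuristic, not a complete list.
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                    ".vbs", ".wsf", ".hta", ".jar", ".ps1", ".docm", ".xlsm", ".pptm")


def is_risky_filename(name: str) -> bool:
    """Flag executable extensions, including 'invoice.pdf.exe' style double extensions."""
    return name.lower().endswith(RISKY_EXTENSIONS)


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and report attachments and remote images."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, remote_images = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                                   # containers carry no content themselves
        filename = part.get_filename()
        if part.is_attachment() or (filename and part.get_content_disposition() == "inline"):
            attachments.append({"filename": filename or "(unnamed)",
                                "content_type": part.get_content_type(),
                                "risky": is_risky_filename(filename or "")})
        elif part.get_content_type() == "text/html":
            remote_images.extend(REMOTE_IMG_RE.findall(part.get_content()))
    return {"subject": msg["Subject"], "attachments": attachments,
            "remote_images": remote_images, "alert": bool(attachments)}


def build_sample_message(with_attachment: bool = True) -> bytes:
    """Constructed test message: text + HTML with a tracking pixel, plus an optional .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "you@example.com", "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please see the <b>attached</b> invoice.</p>'
        '<img src="http://tracker.example/pixel.gif?id=4471" width="1" height="1">',
        subtype="html")
    if with_attachment:
        msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_message(flag)))
```

Feed it the raw message your client or a procmail/Sieve hook hands over; an `alert` of true is the condition the filter item above asks for, and a non-empty `remote_images` list shows what a text-only client such as Alpine would never fetch.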
Passwords
Require passwords to use your computer/tablet/phone
Use a password manager for websites:
Avoid using any character combination that may be found in the dictionary. Instead...
Use maximum-length, random character sequences for both website user IDs & passwords
Use all character types:
  • lower-case letters (a, b, c, d, ...)
  • upper-case letters (A, B, C, D, ...)
  • numbers (1, 2, 3, 4, ...)
  • special characters (!, @, #, $, ...)
Reduce use of "a", "e", "o", "i", "r", "n"; emphasize "f", "j", "q", "v", "w", "y", "z"
Reduce use of "0", "1", "2", "3"
Avoid 1337-speak word/number combinations
Avoid starting passwords with letters in favor of numbers & special characters, to be different than most others
Note that the four tips above only matter for passwords you compose yourself. A password manager's generator that picks every character uniformly at random is already immune to dictionary and frequency-based guessing, and restricting its alphabet only reduces the entropy of the result.
Make every user ID & password unique to its location
Keep a short secret string, memorized and never stored, that you append to every password and security question verifier, so that a compromise of your password manager still does not yield working credentials
Use multi-factor authentication when possible
  1. Yubikey: LastPass, Google
  2. Company-issued security token: Charles Schwab
  3. Texting: Vanguard, Fidelity, T.Rowe Price, some banks
  4. E-mail: Treasury Direct
  5. Google Authenticator: Evernote
  6. VIP Access: Fidelity
Track the maximum character length of permitted passwords
  1. Vanguard - 20 characters
  2. Fidelity - 20 characters
  3. T.Rowe Price - 10 characters
  4. Charles Schwab - 8 characters
  5. Treasury Direct - 16 characters for passwords, 64 characters for security question verifiers
  6. FIA Card Services - 20 characters
  7. PayPal - 20 Characters, 50 characters for security question verifiers
  8. Intuit/Quicken - 32 characters
  9. IPVanish - 16 characters
  10. Private Internet Access - the website allows 60 characters (or more), but the DD-WRT VPN client password field only accepts 32 characters
  11. ebay - 20 characters for security question verifiers
  12. Firefox - 35 characters (or more)
  13. Google - 35 characters (or more)
  14. Tutanota.de - 50 characters (or more)
  15. Wickr - 25 characters (or more)
Change passwords often, checking for increased length capability
Use complex random character combinations for security question verifiers, e.g. in place of your real mother's maiden name
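The per-site length limits above translate directly into how much an attacker has to guess. The script below is an added example, not code from the checklist or from LastPass: it generates a maximum-length uniformly random password for each site, computes the entropy each limit leaves you, and shows what the "reduce vowels and low digits" tips cost when applied to a random password. The symbol set, the site list (copied from the limits above) and the 10^10 guesses-per-second attack rate are assumptions for the example.

```python
import math
import secrets
import string

# Added example (not from the original checklist): generate maximum-length
# random passwords for the per-site limits listed above and compare the
# entropy each limit leaves you. Symbol set and attack rate are assumptions.

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"          # check each site's allowed symbols
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Maximum password lengths quoted in the checklist above (mid-2015).
SITE_LIMITS = {"Charles Schwab": 8, "T.Rowe Price": 10, "Treasury Direct": 16,
               "IPVanish": 16, "Vanguard": 20, "Fidelity": 20, "Intuit/Quicken": 32}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password containing every character class present in alphabet."""
    classes = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if any(ch in alphabet for ch in c)]
    if length < len(classes):
        raise ValueError("too short to hold every character class")
    while True:     # rejection sampling keeps the distribution uniform over acceptable strings
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password at the assumed offline guessing rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def site_report(alphabet: str = FULL_ALPHABET) -> dict:
    """Entropy available at each site's maximum length, rounded to 0.1 bit."""
    return {site: round(entropy_bits(limit, len(alphabet)), 1)
            for site, limit in SITE_LIMITS.items()}


def reduced_alphabet_cost(length: int) -> tuple:
    """Entropy with the full alphabet versus one that drops a,e,i,o,r,n and 0-3 (the tips above)."""
    dropped = set("aeiornAEIORN0123")
    reduced = "".join(ch for ch in FULL_ALPHABET if ch not in dropped)
    return entropy_bits(length, len(FULL_ALPHABET)), entropy_bits(length, len(reduced))


def complete_password(stored: str, memorized_suffix: str) -> str:
    """Password actually submitted: the manager's copy plus a suffix kept only in your head."""
    return stored + memorized_suffix


if __name__ == "__main__":
    for site, bits in site_report().items():
        print(f"{site:16s} {bits:6.1f} bits, ~{years_to_crack(bits):.2e} years at 1e10 guesses/s")
    print(generate_password(SITE_LIMITS["Vanguard"]))
    print(reduced_alphabet_cost(20))
```

An 8-character limit with this 88-symbol alphabet gives about 52 bits, which a well-resourced offline attacker exhausts in days; 20 characters gives about 129 bits, far beyond reach. The last function illustrates the memorized-suffix item above: only the `stored` part ever sits in the password manager.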
LastPass (Password Manager)
Use the maximum password iterations (PBKDF2) your system supports, e.g. 200,000
Set the LastPass website & bookmarklet auto log-off to 30 minutes or less
Only allow logins from your home country or VPN / Anonymous Proxy
Disallow logins from the Tor network
Check setting to kill other sessions on login
Prompt for LastPass master password when
  1. Edit secure notes
  2. Fill or edit form fill data
  3. Edit shares
  4. Switch or edit identities/roles
Use multifactor authentication, e.g. Yubikey, Google's Authenticator, etc.
Print and secure Google Authenticator backup verification codes
Regularly run LastPass's Security Challenge
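The iteration-count item above is about key stretching: every candidate master password an attacker tries against a stolen vault costs the same PBKDF2 work your own login does. The script below is an added example, not LastPass's code or the checklist's: it derives a vault key with PBKDF2-HMAC-SHA256 in the style LastPass describes, using the account e-mail as salt (that detail, the 5,000-iteration default and the wordlist size are assumptions for the example), verifies a master password in constant time, and times one derivation so you can see what raising the count to 200,000 does to a dictionary attack.

```python
import hashlib
import hmac
import time

# Added example (not from the original checklist): how the PBKDF2 iteration
# count slows an attacker who has stolen an encrypted vault. Modelled on the
# PBKDF2-SHA256 derivation LastPass describes, with the account e-mail as salt;
# that detail and the constants below are assumptions for the example, not the
# vendor's code.

DEFAULT_ITERATIONS = 5000        # assumed vendor default at the time of this page
RAISED_ITERATIONS = 200000       # the setting recommended above


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 256-bit output. The per-account salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_email.lower().encode("utf-8"), iterations, 32)


def verify_master_password(candidate: str, account_email: str, iterations: int,
                           expected_key: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(derive_vault_key(candidate, account_email, iterations),
                               expected_key)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best of several timings of one derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("benchmark-only", "bench@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def dictionary_attack_hours(iterations: int, candidate_count: int = 10_000_000) -> float:
    """Time to try a 10-million-entry wordlist single-threaded at the measured rate."""
    return seconds_per_guess(iterations) * candidate_count / 3600


if __name__ == "__main__":
    email_addr = "you@example.com"
    key = derive_vault_key("correct horse battery staple", email_addr, RAISED_ITERATIONS)
    print(verify_master_password("correct horse battery staple", email_addr, RAISED_ITERATIONS, key))
    for it in (DEFAULT_ITERATIONS, RAISED_ITERATIONS):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.1f} ms per guess, "
              f"~{dictionary_attack_hours(it):.1f} h for a 10M wordlist")
```

Raising the count by 40x makes each guess 40x slower for you (one login) and for the attacker (millions of logins); a GPU cracker is faster than this single-threaded timing, so treat the printed hours as a lower bound and pair the high iteration count with a long master password rather than relying on either alone.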
 
Theoretically, it is possible to...
Use a virtual keyboard to prevent recording by keyloggers
Use Auto-Password Change in LastPass (once it is no longer in beta)
Cell Phone
Turn off your cell phone when not in use and store it in an RF-shielded (Faraday) pouch such as:
Set a password to enter/unlock cell phone
Set cell phone to lock after a brief period of inactivity
Enable full-device encryption (Settings > Security > Encrypt phone on Android 4.4/5.0) so that stored data is unreadable while the phone is powered off
Manually turn off Wi-Fi, Bluetooth, NFC (Near Field Communication), and Location when not in use
Set your phone's Wi-Fi to use the 5 GHz band only
Put black electrical tape over the camera when not in use
Put black electrical tape over the microphone when not in frequent use (to at least muffle)
When installing apps, opt for those that are advertising-free, for reduced corporate tracking
Update system and installed apps regularly, e.g. Google Play
Under Google system settings:
  • opt-out of interest-based ads
  • periodically reset your advertising ID
  • allow remote lock and erase
Use Lookout (antivirus/malware detector) and their related apps - $30/year
Enable remote wiping of data
Use Mobiwall (firewall) or Disconnect (advertising/tracker filter) - both use VPN technology
Use Smarter Wifi Manager or WiFi Privacy Police to stop your phone from joining open Wi-Fi networks and from continually broadcasting the names of networks it has previously joined (those probe requests reveal where you have been and let a rogue access point impersonate a known network for a man-in-the-middle attack)
Use LastPass Password Mgr Premium - $12/year, and require two-factor authentication via Yubikey and NFC (Near Field Communication)
Use a text messaging app that provides encryption:
  1. Wickr-Top Secret Messenger by Wickr Inc
  2. TextSecure Private Messenger by Open Whisper Systems
  3. ChatSecure by The Guardian Project
Use a phone call app that provides encryption:
  1. Redphone by Open Whisper Systems
  2. CSipSimple by Regis Montoya
  3. Silent Phone by Silent Circle
  4. Secure Mobile by SiRRAN Communications Ltd
  5. Seecrypt SC3 by Seecrypt
Use Orbot: Proxy with Tor and Orweb: Private Web Browser for browsing or, for a less challenging experience...
Install and use a VPN service app, e.g Private Internet Access, which will necessitate turning off Mobiwall and Disconnect during use
Stop using the stock Android Browser, and apps that embed the built-in WebView, on any phone running an Android version older than 4.4, since Google no longer patches that component on those versions (Chrome itself is updated separately through Google Play)
Set up telephone passwords with financial companies that permit it:
  • Fidelity
  • T.Rowe Price
  • Vanguard
Set up voice recognition with financial companies that permit it: Vanguard
Use Call Control-Call Blocker to limit who is able to reach you by phone
Sign up for the National Do Not Call Registry: 1-888-382-1222
 
Theoretically, it is possible to...
Encrypt specific files and folders in Android using
  1. Droid Crypt
  2. Encryption Manager
  3. File Encrypt+
  4. AnDisk Encryption
Use Uber Device Lock app and Yubikey or NFC (Near Field Communication) tags for two-factor authentication to enter/unlock Android cell phone - Requires Tasker and/or Locale
Use a caller ID app to better identify unknown callers
Replace the Droid 4's stock Android OS with Replicant or CyanogenMod, since security support for Android versions prior to 4.4 has been discontinued
Credit Card
Receive all financial statements electronically rather than by mail
Use a shredder to dispose of any identifying information on paper
Request e-mail/text alerts from financial accounts for transactions
Conduct transactions with mobile e-payment when possible:
Use an RFID shielded wallet to prevent credit card embedded-chip info theft
Carry the minimum cards necessary in your wallet
  • Driver's license or local ID
  • Health insurance card
  • Credit card
Minimize use of ATMs to avoid skimming, use your credit cards for purchases instead
Don't use debit cards, they don't offer the protections that credit cards do
Use a 2-hour fireproof safe to store important documents
  • Birth certificate
  • Social Security card
  • Passport
  • Record of possessions (in case of fire/theft)
  • Infrequently used credit cards
  • Tax returns
  • Financial documents needed to support tax returns
  • Portable back-up drives
Periodically request that your information be removed from online public databases
Theoretically, it is possible to...
Use temporary credit card numbers when shopping online
Use MaskMe by Abine - one time use credit cards
Not use store credit cards in online accounts, instead use LastPass Form Fill to enter payment details
Obtain and use a taxpayer ID instead of your Social Security number
Security Freezes
Credit monitoring services do little more than notify you when your identity has already been stolen. While no method is 100% effective, security freezes are the best form of identity theft protection at this time.
Place freezes on your major consumer credit reports
  1. Equifax: 1-888-298-0045, 1-800-685-1111, 1-866-640-2273
  2. Experian: 1-888-397-3742
  3. TransUnion: 1-888-909-8872
Place freezes on your other consumer specialty reports
  1. Advanced Resolution Services: 1-800-392-8911
  2. Certegy: 1-866-544-0234
  3. ChexSystems: 1-800-513-7125, 1-800-887-7652
  4. Clarity Services Inc.: 1-866-390-3118
  5. CoreLogic (Credco/SafeRent): 1-877-532-8778
  6. Innovis: 1-800-540-2505
  7. LexisNexis Risk Solutions Bureau LLC: 1-866-897-8126
  8. National Consumer Telecom & Utilities Exchange: 1-866-343-2821
  9. RealPage: 1-866-934-1124
  10. SageStream, LLC: 1-888-395-0277
It should be possible to freeze your consumer report with the following agencies, however they have not yet published a method for applying a freeze to their reports
  1. Accurate Background: 1-800-216-8024
  2. American DataBank: 1-800-200-0853
  3. Contemporary Information Corp.: 1-800-288-4757 (Option 5)
  4. DataX, Ltd.: 1-800-295-4790
  5. Early Warning Services, LLC: 1-800-325-7775
  6. EmployeeScreenIQ: 1-800-235-3954 (Option 5)
  7. FactorTrust, Inc.: 1-866-910-8497
  8. First Advantage Corporation: 1-888-215-3727
  9. General Information Services, Inc. (GIS): 1-800-265-4917
  10. HireRight Solutions, Inc: 1-800-381-0645
  11. Info Cubic: 1-877-360-4636
  12. Insurance Information Exchange: 1-866-560-7015
  13. Insurance Services Office, Inc (ISO) (A-PLUS Property Reports): 1-800-709-8842
  14. IntelliCorp: 1-866-202-1436
  15. MIB, Inc.: 1-866-692-6901
  16. Millman IntelliScript: 1-877-211-4816
  17. PRBC/MicroBilt: 1-888-222-7621, 1-877-PRBC-123 (Option 1)
  18. Pre-employ.com: 1-800-300-1821 (extension 199)
  19. Professional Screening & Information, Inc.: 1-877-235-7574
  20. Screening Reports, Inc: 1-866-389-4042
  21. SterlingBackcheck: 1-877-424-2457
  22. TeleCheck Services, Inc.: 1-800-366-2425
  23. Tenant Data Services: 1-800-228-1837 (Option 6)
  24. The Retail Equation: 1-800-652-2331
  25. Trak 1 Technology: 1-918-779-7000
Opt Out of Advertising
Data is being collected about you all the time. Much of it is being used to target you with advertising. Here's how you can opt out:
Get yourself removed from Acxiom's marketing
Eliminate pre-screened offers of credit and insurance www.optoutprescreen.com
In addition...
Theoretically, it is possible to...
Check for DNS leaks at DNSLeakTest.com and fix them here
Use an IP blocker (e.g. PeerBlock) to avoid connecting with known bad websites
Use fakenamegenerator.com to create fake credentials for companies requesting personal information
Use SafeShepherd.com to remove personal information from the Internet and marketing databases
Use AccountKiller.com to delete accounts from popular websites
Use spamgourmet.com to create unlimited disposable e-mail addresses
Use Hushed or Burner to create disposable phone numbers
Visit GRC.com and click on Shields Up to test security
If you must use cloud storage, use a zero-knowledge service (Wuala, Tresorit, SpiderOak) or host your own (Seafile, ownCloud, Tonido), so that no provider ever holds your decryption key
Change Vanguard to allow login from single IP address
EXPENSIVE OPTIONS
Use a privacy protection service like Reputation.com
Use a P.O. Box or mail drop to receive remaining snail mail
Use a safety deposit box at your local bank
Use multiple computers for different functions:
  • One computer for software that is only available for use with Microsoft Windows
  • A second computer for financial websites only. See section below
  • A third computer for all other functions (web-surfing, e-mail, etc), preferably with a non Microsoft Windows operating system
Switch to using BlackPhone from Silent Circle
Recommendations for a Financial Website-Only Computer
Use a fresh install of updated non-MS Windows operating system, such as Linux. Two common flavors are:
  1. Ubuntu
  2. Mint
Some operating systems run from read-only media (a "Live CD" or USB stick) without being installed, so every boot starts from a known-clean state. Two examples include:
  1. Tails, a private operating system
  2. LPS Remote Access
Do not enable or check e-mail on this computer
Use only Firefox and don't store data/cookies in the browser
Use designated bookmarks only, to access financial websites
Use a separate LastPass account for just this machine and these websites
Use parental controls to ensure no other websites are accessed on this machine
Turn your computer off immediately following active use
Adhere to other security recommendations above
Additional Reading
Suggestions
Please use the form below to submit any recommendations you would like to share to make this list more comprehensive
The authors of this website are not being compensated by any of the companies cited above.