Converted from Blogger. Please excuse any layout errors! Many people ask me advice on securing their personal data. They are usually concerned with the operating system and not their connection. They are unaware to the attacks that can happen on a network, like MitM attacks. Securing personal data is very important, whether it be files on a hard drive or data in transit. Depending on the person asking, I usually suggest basic techniques, like using a trusted vpn and some form of file encryption.

I often get asked what do I personally use to ensure that my data is protected. What are the steps that a person studying Information Security goes through to protect their data? Now with reports out of the NSA gathering our data, it is important that privacy stays intact. Not just from hackers, but from prying eyes in general now.

So here goes, My current setup.

Hardware:

Desktop, Dual boot Windows & Arch Linux
(Windows partition is only used for video games.)
  • Bios password
  • Windows Hard drive is truecrypt on boot.
  • Arch Hard drive is Luks + Stacked file encryption (allows duress password,etc) Read more
  • Other hard drives with various media are truecrypted
  • Sensitive data is kept in truecrypt containers hidden with other extensions
  • Screensaver + password lock
  • Truepanic installed for panic mode, which automounts + shutdown when tripped
Laptop, Windows
(Fresh install, sensitive data is only temporary when on the move)
  • Bios password
  • Truecrypt hard drive on boot
  • Truecrypt container for sensitive data.
Netbook, Arch Linux
(Used only on the go. sensitive data is only temporary when on the move)
  • Bios password
  • Luks + stacked file encryption
Android phone
(Stock ROM)
  • sdcard password
  • Sim card password
  • Android lockscreen password
Android Tablet
(Paranoid android)
  • Lock screen password

Data:

VPN + SSH tunnel
  • I own two different virtual private servers for this connection. They are both in different datacenters in different countries.
  • I noticed that my vpn dropped connection when being Man-in-the-middled in Windows. So I use the ssh tunnel (socks proxy) on top of the VPN just in case.
  • My netbook is set by default to not send any connections unless on a vpn. Firefox only works on the ssh tunnel.
Firefox/nightly
  • Despite firefox being arguably insecure and bloated with leftover code, I trust it more than chrome, IE, and opera. Firefox runs much better on Arch than on Windows from what I've seen
  • I use a few addons for it:
    • Adblock Plus
    • Ghostery
    • Less Spam, please
    • QuickProxy (for quick change ssh tunnel)
    • Tamper Data (Testing purposes)
    • Https Everywhere
    • NoScript
Logins
I understand that all my data is encrypted, but what if someone manages to hack the things I login to, or worse?
  • I do not reuse passwords or have the same password for mutiple things.
  • I use 2 factor authentication whenever possible.
  • I use lastpass to store all the random passwords and such.
  • I do not trust lastpass fully though. Although I do have enabled:
  • Only being allowed to login from a certain country
  • 2 factor authentication 

Thoughts on Tor
I do not trust Tor. I understand Tor's goal to be anonymous on the internet, but I would not trust it with logging into accounts. Tor has its uses, like bypassing filters and such. Anyone can be a exit
node on the network and listen to traffic. "As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption such as TLS (Wikipedia)".

Caveats / Problems / Issues

Someone could control cell and grab the 2 factor setup codes, thus gaining access to many accounts. There is no standard way to encrypt cell phones or provide better security for them.

I do not use antivirus. I believe we should be educated enough to not download malware. I do not use Java either. Anything that you are suspicious of being malware can be uploaded to virustotal, and then ran in a virtual machine / sandbox environment. Every once in awhile I'll run malwarebytes just for peace of mind.

Truecrypt seems a bit untrustworthy, I do not like their license. Although their encryption has proven to be sound.I do not like relying on it for all my data though.

Someone could be listening on the end of the vpn. This is unlikely because I own the server which is running the vpn. Somewhere in the facility all traffic could be getting captured though. The ssh tunnel encrypts that data. I also own the server where that tunnel is going. Which someone could sniff the traffic from that as well. It's all relying on ssl from there.

I am looking for an alternative to truecrypt. Full disk encryption with enncrypted file containers with full support on multiple operating systems.