[SOLVED] Best overall system privacy methods? (Win10Home)

Phillipson

Honorable
Hi and good morning all!

I am a newly created IT Tech, and since discovering my ISP has been logging my internet traffic, I've been putting all sorts of defenses on my host computer for fun and experiment. To better my knowledge of security, I want to know the best overall internet privacy for SOHO environments: where should we place our attention? Anti-Malware? VPNs? Host/Router Firewalls? IDS???

I'm curious since most privacy applications all offer similar options and I don't know if having a variety of software is necessary. Here's what I've done so far to build my defenses:

Downloaded:
Glasswire, Bitdefender Total Security, Avast Secure Browser, ProtonVPN, CCleaner, AdGuard (host application)
Actions taken:
Disabled IPv6 completely (registry, NIC, outgoing ports within Defender); Disabled Outgoing ports 50000-52000 (suspected ISP monitoring); Switched DNS to CloudFlare

Does using a VPN service cover all privacy bases? What does a secure browser do differently that a VPN can't, or a customized Firefox? Does having IPv6 enabled affect vulnerability? Is blocking 2,000 outgoing ports unnecessary? I'm new to the Tech industry so I'd love to know what more seasoned people thought. Thanks
 

USAFRet

Titan
Moderator
In that context, yes. Your ISP logs will only show that you connected to a VPN server and nothing more.

The majority of VPNs claim that they don't keep logs.
Except for all the ones that actively sell the data they "don't keep".

https://securitytoday.com/articles/2018/09/26/free-vpns-are-a-privacy-nightmare-heres-why.aspx
 

kanewolf

Titan
Moderator
In that context, yes. Your ISP logs will only show that you connected to a VPN server and nothing more.

The majority of VPNs claim that they don't keep logs.
And of course there is always the problem of services like Netflix that block access from a VPN. Then you have to set up split VPN.
HTTPS encrypts most web content. So the actual "data" is not visible to the ISP. The connection to the URL is visible and the DNS traffic is visible without a VPN.
DNS may be "leaked" even with a VPN, depending on the configuration.
 

Phillipson

Honorable
You do realize that your ISP needs to "know" the To and From of your internet traffic, right?

That is the only way to get the data to you.

How do you know what they are "logging"?
From what I understand, ISPs have agreements to share infrastructures. ISPs are just the door to exit the LAN.

And I ran netstat and went through who had fingers in my network
 

Phillipson

Honorable
And of course there is always the problem of services like Netflix that block access from a VPN. Then you have to set up split VPN.
HTTPS encrypts most web content. So the actual "data" is not visible to the ISP. The connection to the URL is visible and the DNS traffic is visible without a VPN.
DNS may be "leaked" even with a VPN, depending on the configuration.
Yes, sadly lots of sites don't support VPNs.

My DNS configuration should prevent any leakage. I suppose my worries are less where I'm roaming, more who can exploit my LAN network. I want software that monitors inbound/outbound traffic at a router-level. I just think that would be cool and I'd learn more

Thanks for replies!
 

USAFRet

Titan
Moderator
From what I understand, ISPs have agreements to share infrastructures. ISPs are just the door to exit the LAN.

And I ran netstat and went through who had fingers in my network
HTTPS = your data is encrypted between you and whatever you're connected to.
The ISP may know where you're going, but not what the data is.

And they MUST know the URL, to know where to send stuff to, in both directions.
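An added illustration of the point made here and in kanewolf's earlier reply about what the ISP can and cannot see. This is example code written for this edit, not a tool any poster supplied. It builds the two packets a browser emits before any encrypted data flows, a plaintext DNS query and a TLS ClientHello, for a constructed hostname (example.com, used only for the demo), then parses back the two fields a passive on-path observer can read without breaking HTTPS: the DNS question name and the TLS Server Name Indication. The client random and cipher-suite list are constructed placeholders, not a real browser's values.

```python
"""
What a passive on-path observer (such as an ISP) can read from a client's
traffic without breaking HTTPS: the plaintext DNS question and the TLS
Server Name Indication (SNI). Example code for this thread, not any
poster's tool. All packet contents are constructed inline.
"""
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal plain (UDP/53-style) DNS A query for `name`."""
    # Header: ID, flags (recursion desired), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_dns_qname(packet: bytes) -> Optional[str]:
    """Read the question name back out of a DNS packet.
    Queries do not use compression pointers, so plain labels suffice."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return None


def build_client_hello(host: str) -> bytes:
    """Build a minimal ClientHello record carrying an SNI extension.
    Random bytes and cipher suites are constructed placeholders."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!HHH", 4, 0x1301, 0x1302)           # two suites, 4 bytes of list
    body = (
        b"\x03\x03"        # legacy_version TLS 1.2
        + bytes(32)        # client random (zeros here; a real client sends 32 random bytes)
        + b"\x00"          # legacy_session_id length 0
        + cipher_suites
        + b"\x01\x00"      # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, else None."""
    if len(record) < 6 or record[0] != 0x16:
        return None                      # not a TLS handshake record
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None                      # not a ClientHello
    pos = 4 + 2 + 32                     # handshake header, version, random
    try:
        pos += 1 + hs[pos]                                        # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # cipher suites
        pos += 1 + hs[pos]                                        # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                p = pos + 2                                       # skip server_name_list length
                name_type = hs[p]
                name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                if name_type == 0:
                    return hs[p + 3:p + 3 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def observer_view(host: str) -> dict:
    """The two cleartext fields an on-path observer reads before any
    encrypted application data is exchanged."""
    return {
        "dns_qname": extract_dns_qname(build_dns_query(host)),
        "tls_sni": extract_sni(build_client_hello(host)),
    }


if __name__ == "__main__":
    print(observer_view("example.com"))  # constructed hostname for the demo
```

Everything after the handshake is encrypted, which is the envelope in the mail analogy, but both parsed fields travel in clear unless the DNS query itself goes over an encrypted channel to the resolver (DNS over HTTPS or TLS) and the TLS connection is carried inside the VPN tunnel. A DNS leak test is checking exactly whether the first of those packets is still leaving through the ISP's resolver.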
 

Phillipson

Honorable
HTTPS = your data is encrypted between you and whatever you're connected to.
The ISP may know where you're going, but not what the data is.

And they MUST know the URL, to know where to send stuff to, in both directions.
Thank you for the clarification, I'm fresh out of Mike Meyers' A+ course. I'll look into how ISPs work to better understand.

Thanks for the help
 

USAFRet

Titan
Moderator
Thank you for the clarification, I'm fresh out of Mike Meyers' A+ course. I'll look into how ISPs work to better understand.

Thanks for the help
Just like if I mail you a physical letter or package.

I know where to send it to, the post office knows how to route it, your mailman knows the specific street address to deliver it to.
But the only ones that know what is inside the envelope (the data) are you and I. That 'envelope' is akin to the HTTPS encryption.
 

Phillipson

Honorable
Just like if I mail you a physical letter or package.

I know where to send it to, the post office knows how to route it, your mailman knows the specific street address to deliver it to.
But the only ones that know what is inside the envelope (the data) are you and I. That 'envelope' is akin to the HTTPS encryption.
Oh I love that analogy. Thanks for making better sense of it
 

kanewolf

Titan
Moderator
A privacy-focused operating system (OS) will use "open source" or "free" software, which means you can see the source code and make sure no "backdoors" are installed. Ideally, it will also run on hardware without proprietary firmware.
There are VERY few individuals that could study the source code for an entire OS and determine if there are backdoors. The security community can study the source and may find something. But even that scrutiny is no guarantee. Look at how many bugs have been in open source code for years. Any of those bugs could be exploitable.
 
You do realize that your ISP needs to "know" the To and From of your internet traffic, right?

That is the only way to get the data to you.

How do you know what they are "logging"?

Every ISP has to keep on record for at least 1 year every destination you visit. I believe this was a provision of the original Patriot Act. I don't know what rules are there for other countries.

That said, ISPs are making serious coin selling your surfing data to marketing people.

If you demand ultimate privacy, you need to run Linux that is running Linux inside a virtual machine (docker or jailbreak come to mind). Make sure your surfing account has low level privs.

That said, using Cloudflare as your DNS will help. Using Firefox privacy version will help. Using a VPN will help. Using randomized MACs will help

You are as exposed with IPv6 as you are with IPv4. No more or less.

BUT even with a VPN and careful usage you can still easily be tracked through various means including but not limited to traffic analysis, logging, fingerprinting, and user error. ALWAYS stay away from all free services like Facebook, Google, Yahoo, etc... You can still be tracked, not by your ISP per se, but by more powerful state funded entities. The ISP will know you are visiting a VPN, but not the contents of that data. That said there have been orchestrated attacks by large organizations intentionally trying to throttle VPNs to unmask user data.

For a first timer BitDefender Box 2 is designed to protect your entire network from outside attacks. It even has built-in VPN support. However it doesn't easily allow for UPnP port openings, and definitely doesn't allow for port forwarding.

If you are really gung-ho, building your own DHS box using pfSense or similar is the way to go.

Basically don't do anything stupid on the internet. You will get caught and your history will scream.
 
Solution

Old Molases

Prominent
Hi and good morning all!

I am a newly created IT Tech, and since discovering my ISP has been logging my internet traffic, I've been putting all sorts of defenses on my host computer for fun and experiment. To better my knowledge of security, I want to know the best overall internet privacy for SOHO environments: where should we place our attention? Anti-Malware? VPNs? Host/Router Firewalls? IDS???

I'm curious since most privacy applications all offer similar options and I don't know if having a variety of software is necessary. Here's what I've done so far to build my defenses:

Downloaded:
Glasswire, Bitdefender Total Security, Avast Secure Browser, ProtonVPN, CCleaner, AdGuard (host application)
Actions taken:
Disabled IPv6 completely (registry, NIC, outgoing ports within Defender); Disabled Outgoing ports 50000-52000 (suspected ISP monitoring); Switched DNS to CloudFlare

Does using a VPN service cover all privacy bases? What does a secure browser do differently that a VPN can't, or a customized Firefox? Does having IPv6 enabled affect vulnerability? Is blocking 2,000 outgoing ports unnecessary? I'm new to the Tech industry so I'd love to know what more seasoned people thought. Thanks
The best way to stay concealed from your ISP is to use a VPN, and by using a VPN I mean a paid one. Free ones usually have DNS leaks and your ISP will be able to trace you and track your activity. Using a VPN completely hides your real identity as your connection is established through a virtual server from the country you choose. You need to make changes to your browser as your VPN does this for you. Just a couple of things that you need to look for when opting for a VPN: its security protocols (256-bit military encryption is preferred); it has a kill switch so that in case your connection breaks the data transmission stops immediately; it has a zero log policy so that when approached by government they don't have any data to present to them. There are hundreds of options to choose from such as Ivacy, Tunnel Bear, Surfshark, Express or Nord.