Medibank data breach

Finally got the email [1] from Medibank saying that my old membership data with them was stolen by cyber criminals.

Screenshot of an email with the heading ‘An important update from Medibank’.

The email reads: “Dear Ameel, We’re deeply sorry to inform you that some data relating to your former membership has been stolen in the recent cybercrime event. This email details what specific membership data was stolen, outlines actions you can take to safeguard your online identity, and the services available through our Cyber Response Support Program”.

The email then goes on to list what categories of data have and have not been stolen. The data stolen is name, gender, date of birth, email, address, phone number, policy number, and passport number. The data not stolen is credit card and banking details, and health claims data.

I left Medibank in 2009 so, with the exception of my name, gender, and date of birth [2], all the other data they have on me is now outdated and irrelevant.

And while it’s not great that various cybercriminals now have this data, in the broader scheme of things ‘tis but a flesh wound. After all, there’s not much that cybercriminals can do with a single old residential address, an old pre-paid phone number, and an expired Pakistani passport number :)

(Why Medibank kept all my customer data thirteen years after I closed my account with them is a whole other issue, of course. *sigh*)


[1] I got the email from them on 15 November 2022.

[2] You can find all this about me using open-source intelligence gathering anyway — like by looking through my social media feeds and seeing when my friends have wished me ‘happy birthday’, for example.

Firefox extensions for privacy and security

A post called ‘A Few Simple Steps to Vastly Increase Your Privacy Online’ by Keith Axline has been making the rounds of the internet recently. It’s really good; you should read it.

In that post Keith recommends several privacy-related browser extensions. I use most of those, too, so I thought I’d follow up on my ‘Staying safe and private online’ post from a few weeks ago with the list of Firefox extensions I use to increase my online privacy and security.

Block trackers from following you around the web

Privacy Badger by EFF Technologists: blocks trackers from following you around the web and seeing which websites you visit.

Decentraleyes by Thomas Rientjes: blocks creators of shared internet content (which lots of websites use) from tracking you every time you download their content.

CanvasBlocker by kkapsner: stops some trackers from using JavaScript to ‘fingerprint’ your browser.

Facebook Container by Mozilla: stops Facebook from tracking you around the web — essentially, lets you use Facebook and its related sites (like Instagram) in a private browser container that’s separated from the rest of your browser.

uBlock Origin by Raymond Hill: blocks ads and adware (ie malware in ads).

Keep your connections to websites encrypted whenever possible

HTTPS Everywhere by EFF Technologists: tries to upgrade all your website connections to ‘https’, which is an encrypted connection.

Stop potential security leaks when you use a VPN

Disable WebRTC by Chris Antaki: stops your true IP address from being leaked when streaming media through a VPN.

Create and manage excellent passwords

LastPass Password Manager by LastPass: generate long, unique, random passwords and then keep them secure.

Take things up a notch by using a Virtual Private Network (VPN)

This isn’t a Firefox extension but, for completeness’ sake, I thought I’d mention that my VPN of choice is Mullvad by Amagicom AB.

When you connect to the internet with Mullvad, we ensure that the traffic to and from your computer is encrypted to the highest standards even if you are using a public WiFi network at a cafe or hotel.

We keep no activity logs, do not ask for personal information, and even encourage anonymous payments via cash or one of the cryptocurrencies we accept. Your IP address is replaced by one of ours, ensuring that your device's activity and location are not linked to you.

If you want a really comprehensive VPN comparison, by the way, check out That One Privacy Site. One of the reasons I went with Mullvad is because that’s the only VPN listed on this site that has earned its ‘GOOD’ rating for privacy, features, and technology.

Staying safe and private online

I do lots of things to keep myself as secure and private as I can online – so many that I figured I’d make a list.

Securing my devices

  • make sure all my devices are fully encrypted – that includes all phones, tablets, laptops, and external hard drives (plus some USB sticks)

  • make sure all my data is backed up – and where it’s backed up it is encrypted at rest (my cloud backup tool of choice is Arq and I use a local Synology NAS and Google Coldline as my backup locations)

  • make sure I have USB recovery drives for all my Windows installs

  • make sure my computer is kept proactively and reactively secure using anti-virus and anti-malware tools (my AV tool of choice is the pre-installed Windows Defender and my anti-malware tool of choice is Malwarebytes)

Securing my internet connection

  • configure my router to use a secure, private DNS server (Cloudflare’s 1.1.1.1 or Google’s Public DNS 8.8.8.8)

  • configure my Android phone to use a secure, private DNS server when on 4G (on the latest Android phones go to: Settings > Networks & Internet > Advanced > Private DNS)

  • use a VPN whenever I’m on an even slightly insecure network – on both my laptop and smartphone (my VPN provider of choice is Mullvad)

  • turn on my router’s guest network (with network isolation) and connect all my non-computer internet-connected gadgets (TV, Blu-ray player, cable set top box, etc) through that

  • use an advanced router that supports enterprise-level intrusion prevention (in my case I use a Synology router and their Intrusion Prevention app)

Securing my browser

Update: Check out my follow-up post for my list of ‘Firefox extensions for privacy and security’.

Securing my online accounts

  • use a password manager to generate and store long, secure, unique passwords for all my accounts (my password manager of choice is LastPass)

  • use two-factor authentication to keep as many of my accounts as possible secure (check the excellent Two Factor Auth List to see which accounts and services you can set up two-factor authentication for)

  • keep a regular, close eye on the data that various online services and social networks have on me by going through their ‘security check-up’ processes (eg Google’s excellent Privacy Check-up)

  • check all my email addresses on Have I Been Pwned to see which online services that I have an account with have had their user data stolen – also sign up to their ‘Notify me’ service to get an alert every time any of my email addresses is found in a newly stolen user data set

Always be learning

  • keep up with the latest in security via things like the Security Now podcast, several blogs, and a bunch of security-related mailing lists

  • check the EFF’s Surveillance Self-Defense website for the latest guides

  • consider switching to “ethical, easy-to-use and privacy-conscious alternatives” to social media networks, online services, and software using the comprehensive (and growing) list on switching.social