HACKER Q&A
📣 randomanon42

How to protect an abused spouse from a software engineer?


Hi HN,

Long time member here posting with a throwaway for obvious reasons.

A family friend has recently come under attack from their spouse. Daily, brutal beatings in front of small children that make your blood turn cold.

The victim has been going the legal route for months now and has the police actively engaged. But, as we both know, the police are there after the fact and aren't able to really do much until something terrible happens again.

The abuser is a highly skilled software engineer with a decade+ of white/grey hat experience. This person is now using their professional skills to stalk their spouse.

We purchased the victim a new phone under my name with no connection to the old account. We're setting up a new Google account now (Android phone) that's not connected to the old account. Will be changing the email associated with all social/messaging accounts and setting up app-based MFA going forward on everything. Password manager with randomly generated passwords for all accounts.

Thinking of setting up this new Android device with MDM under a new GSuite account. Hoping this will give an added layer of protection against phishing attacks the abuser may send.

I'll be doing some education with the victim on phishing attacks, etc. to make sure they don't click on any random links.

I'm wondering if you all have any additional advice? Have you ever helped someone in a similar situation? Basically looking to crank up this non-technical person's op-sec to exceed what someone who knows "everything" can reasonably crack.

Thank you!


  👤 giantg2 Accepted Answer ✓
This was recently posted and should be helpful.

https://anonymousplanet.github.io/thgtoa/guide.html

"aren't able to really do much until something terrible happens again."

Really hoping this doesn't mean there isn't any physical separation or isn't a restraining order. If this is still occurring, her immediate concern should be physical security and the will to do whatever may be necessary as it escalates.


👤 gjvnq
Some things I can think of:

* Read and consider whatever advice the government gives to people in witness protection.

* For the victim and her parents: don't have any sort of IoT at home with a microphone. Especially digital assistants like Amazon Echo.

* Don't connect anything to your Wi-Fi unless essential. (Yes, that means not giving the password to visitors at the victim's house)

* Get YubiKeys or similar for the victim and the parents. (SMS 2FA is garbage)

* Tell the victim and the parents to never reuse passwords.

* Have a VM to use misleading social media. Post as if the victim were in a different city, etc.

* Use a VPN or Tor. (lower chances of finding the victim's location through their IP or some sort of data leak)

* Use something like the Tor Browser even if you don't use Tor.

* Don't have any cameras inside the victim's house.

* For victim and parents: don't install anything that isn't really necessary.

* Also for victim and parents: get a decent WiFi router with no known vulnerabilities and change the admin password.

* Pay in cash. (Victim only. Avoid data leaks that might record where you shop)

* Don't let others take pictures of the victim or her kids, much less share them.

* Maybe use codenames when talking about location near the place the victim lives.

* Don't use the victim's real address for anything that isn't absolutely necessary. Maybe set up a mailbox in a different city and use this address for most purposes. (Or the victim's parents' address)

* Install a non-https blocker and use only DNSSEC over HTTPS or TLS just in case.

* Use encrypted messaging for pretty much everything, including voice calls.

* If possible, register the car and utilities under other people's names or addresses.

* Again if possible, register utilities in another city under the victim's name.

* Use email servers that use TLS for IMAP and SMTP. (Or just use webmail if through HTTPS)

* Consider hiring a private investigator to stalk the stalker. Hopefully this will make him more cautious and maybe the PI can even catch the stalker committing some crime.


👤 cjcampbell
Auditing privacy settings on social, minimizing ability for anyone but their immediate circle to see activity. I’d encourage them to be cautious about what they do post and make sure they are aware that location data may be attached to images. I’d likely coach them to use a photo app that removes this metadata for any pic they might want to share (no matter who they intend to share with).

👤 brundolf
Is Android itself a good decision? Apps aren't as strongly sandboxed, much more data gets collected (by Google, but that means an account compromise is much worse than it would be otherwise), security overall is worse.

I remember when I had an Android phone and I took a peek at Google's personal-data dashboard at one point. It had a line drawn on the map tracing my every footstep for the past several years. Vacations, commuting, visiting friends. Everything. It was neat at the time, but is a nightmare scenario for this kind of thing. You can disable some of that, I think, but Maps will constantly bug you about turning it back on.

At the very least I'd steer them away from installing any apps that don't come from major global corporations. There's a ton of malware on the Android store, especially games, and it's not hard to imagine some of it collecting data to sell on the black market.


👤 jkartchner
Domestic violence and DR attorney here, formerly DV prosecutor. Depending on the laws of the state, she needs to find a way to authenticate her worries about his cyber-stalking. If she has enough to validate the concern (not just speculation; won’t need much), she should seek a civil protection order precluding him from use of all electronics. The judge probably won’t do that for a number of reasons, but considering the DV cycle and pattern here, there will be a secondary civil protection order issued which will specifically consider the danger imposed by the cyber stalking. At that point if there’s even a whiff of improper use, he’s going back to jail.

Of course this will depend on the state. I can’t give general advice in the US.


👤 gostsamo
What about the children? Does he have any access to them or their e-life? Any friends or relatives of her that might lead him to her? People are always the weakest link.

Physical security. Does he know where she lives and can he follow her, access her wifi, follow the children? Rummage through her trash?


👤 gwittel
I’m so sorry your friend is going through this. Thank you for helping.

FYI - If you file a USPS change of address they mail your old address a confirmation. IIRC the confirmation includes the new address. Maybe someone who has done this recently can confirm.

Are there any shared access online accounts to worry about? Like banking or shopping. Anything where access can be gained to get updated addresses.


👤 ecesena