Simple Security Guidelines

Using an iDevice? (Best option)

  • Use an iPod or an iPad without a SIM card
  • Use an iPhone
  • Do not jailbreak
  • Always upgrade to new iOS versions
  • Use Brave browser

Need Secure chat?

  • Use Signal (iOS + Android)
  • Use Wire (iOS + Android)
  • Avoid desktop versions
    • Optional: use an iPad [Pro] with a smart keyboard
      • register Signal w/ a phone (burner, anonymous SIM, etc)
      • register Wire w/ an email address (ProtonMail is free)
  • Use Conversations w/ OMEMO (Android; unfortunately the only general-purpose OMEMO client right now)
  • Use CoyIM (coy.im) on desktops
  • Do not use: Telegram, LINE, KakaoTalk, WeChat, Viber, Hangouts, etc.
  • WhatsApp and Facebook Messenger (Secret Conversations) are acceptable (high security, high surveillance)

Using Android?

  • Do not root your device
  • Do not enable Developer Mode
  • Use a Nexus or Pixel (gets latest patches w/o carrier/vendor barrier)
    • Run the latest version, always
    • Optional: run CopperheadOS
  • Optional: use a flagship Samsung (or Nokia) purchased direct, not through a telco
    • These devices tend to get timely security updates
  • Don't have a Nexus or Pixel? Install LineageOS (official builds only)
    • Run the latest version, always
  • Use Brave browser

Using a ChromeBook?

  • Do not enable developer mode
  • Use Termux for a console environment

Using Windows?

  • Use 10 or 8.1, nothing earlier.
  • Use EMET

Using Office?

  • Do not enable macros. Ever.
  • Find and disable Flash

Using macOS?

  • Install patches and updates immediately
  • Enable the firewall (System Preferences > Security & Privacy > Firewall > Firewall Options)
    • Disable "Automatically allow signed software to receive incoming connections"
    • Enable "Block all incoming connections"
    • Optional: enable "stealth mode"
  • Install Objective-See tools
    • Do Not Disturb
    • BlockBlock
    • KnockKnock
    • RansomWhere?
    • OverSight

All:

  • Enable full disk encryption (FDE)
    • Use a special encrypted vault for sensitive files
      • VeraCrypt cross platform
      • CryFS (Linux, sorta macOS)
      • Encrypted disk image (macOS)
  • Require a password to unlock
  • Apply patches
  • Use backups. Secure your backups, they contain your secrets.

Use a password manager!

  • Use KeePass, free, cross platform, but clunky UI/UX
  • Use 1Password, not free, iOS/macOS, good UI/UX
  • Never use a cloud based password manager
  • Never enable integration between your browser and password manager

2FA

  • Enable two factor authentication whenever possible
    • OTP Auth (iOS/macOS only)
    • Authy
    • FIDO (YubiKeys)
    • Duo
    • SMS (last resort, but better than nothing)
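
The authenticator apps listed above all compute the same thing: a TOTP code (RFC 6238) derived from a shared secret and the current time. The following is an added example for this page, not code from the gist or from any of the apps named; it uses only the Python standard library, and the secret and timestamps in the demo are the published RFC 6238 appendix B test vectors (a test key, not a real one). The `verify_totp` check shows the server side, including the clock-skew window and a constant-time compare.

```python
"""TOTP as an authenticator app computes it (RFC 4226 HOTP + RFC 6238 TOTP).

Added example for this page; not code from the gist or from any listed app.
Standard library only. The demo secret and timestamps are the RFC 6238
appendix B test vectors (a published test key, not a real secret).
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 appendix B reference secret for the HMAC-SHA1 vectors (test key only).
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current time step and
    +/- `window` neighbouring steps to tolerate clock skew; compares in
    constant time so the response timing does not leak matching digits."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    base = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, base + skew, digits), candidate)
        for skew in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Enrollment QR codes / otpauth:// URIs carry the secret as unpadded
    base32 (often with spaces); restore the padding before decoding."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Expected 8-digit HMAC-SHA1 values from RFC 6238 appendix B.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (20000000000, "65353130")]:
        code = totp(RFC6238_SHA1_SECRET, t, digits=8)
        print(t, code, "ok" if code == expected else "MISMATCH")
    # The same test key as an app would store it after scanning a QR code.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(verify_totp(key, totp(key, 59), 59))
```

With a 30 s step and `window=1` a code is accepted for up to 90 s, which is why the secret, not the code, is what must never leave the device; SMS codes are "last resort" precisely because they travel through the carrier instead of being derived locally like this.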

Web Browser

  • Use Chrome
  • Use Edge
  • Do not use Safari
  • Do not use IE
  • Do not use Firefox, yet (until they enable sandbox by default)

Use an ad blocker

  • Install uBlock Origin
  • Install HTTPS Everywhere
  • Install uBlock Origin Extra
  • Optional: Install Privacy Badger
  • Disable Flash (on Chrome you can still right-click to play)

Use a VPN

  • Algo (self-hosted) - Best
  • ProtonVPN offers a free VPN service - OK
  • CryptoStorm has a privacy-preserving business model - OK
  • WireGuard (self-hosted), still new but very promising - Good
  • Freedome (iOS, Android, macOS), not free, trivial to use - OK

CerebralMischief Aug 22, 2015

One could argue that if knowledgeable enough, rooting the Nexus 6 could result in a more secure device.

grugq Aug 22, 2015

If you are knowledgeable enough you are not taking security advice from a gist on the internet.

sneak Aug 22, 2015

Shouldn't this be "use chromium" instead of Chrome (with all its Google RCE auto-update and flash and such)?

Also: Windows?! Seriously? I expect better from you. :P

sneak Aug 22, 2015

Would change "use an ad blocker" to "use uBlock origin in default-3p-deny mode" (but the docs on the ublock site about how to use this, as well as the UI, are respectively buried and confusing)

sneak Aug 22, 2015

Q: Which password manager works best on a Chromebook and an iOS device and OSX?

wbic16 Aug 22, 2015

It'd be nice to have some more organization, like so:
https://gist.github.com/wbic16/5c7caa3eac5d874f3817

ghost Aug 22, 2015

Assuming this is aimed at people who're not exactly info sec nerds, you might want to use "Full Disk Encryption" instead of FDE to avoid confusions.

Also, people should note that this is a "Security Guidelines" gist, not a "Privacy Guidelines" one.

londonontech Aug 22, 2015

Safari...is this strictly Windows or OS X as well?

ttilley Aug 22, 2015

@grugq - if you have an iOS device, use the configurator to pair-lock it to communicate only with your desktop, thus thwarting the bulk of existing forensics tools: http://www.zdziarski.com/blog/?p=2589

If you are using a development version of iOS, you may also need to use a development version of the apple configurator: https://developer.apple.com/ios/download/

jvasile Aug 22, 2015

It might be useful to specify the audience for this, especially if it helps those people clue in that they should really pay attention to this list.

"Apply patches" is tough in practice for most users. "Favor automatic updates" might be the corollary.

Passphrase might be a better term than password. And you might want to specifically mention enabling the lock screen (so many people don't) and using numeric passes rather than swipe patterns.

jvasile Aug 22, 2015

@sneak, where is the setting for default-3p-deny mode in ublock?

cekage Aug 23, 2015

Android : do not enable developer mode

divVerent Jan 3, 2016

What is so wrong with developer mode? That flag alone does nothing.

The real danger is in "enable apps from unknown sources" but that's reachable without developer mode.

Other things in developer mode that might be problematic:

  • Bootloader unlocking
  • USB debugging

However the latter is no worse than iTunes sync, given it equally requires an explicit authorization for the computer you connect with.

Or where am I wrong?

Note that the attack surface argument stands: don't enable USB debugging if you're not using adb for e.g. file transfer or actual debugging.

Romanzo Jan 8, 2016

A small test of mine to try out https://gist.github.com/Romanzo/2cd7b5cc382f5f419670
It is not written in English.

jhaddix Jan 8, 2016

Can we add, install EMET under Windows?

ecnepsnai Feb 20, 2016

@sneak LastPass works well on all of those platforms.

ecnepsnai Feb 20, 2016

@londonontech Safari on Windows was discontinued a long time ago and has not been receiving security updates, but the advice is for both OS X and Windows as in general it's not a very secure browser.

wmark Aug 17, 2016

After installing and enabling EMET 5.5 go to Trust and Pinning Rules and enable PublicKey Match for MicrosoftAccountCA.

(Allowed Country won't do any good if they use a Symantec CA to spoof certificates for the updater.)

juancarlospaco Aug 18, 2016

  • Do NOT use Chrome. Use Inox or ungoogled-chromium. It's Chromium with everything-Google removed, no spyware.
  • Qupzilla is a good browser too https://www.qupzilla.com 100% Open Source.
  • Do NOT use Google Search. Do NOT use DuckDuckGo. Use SearX, it's 100% Open Source.
  • LibreOffice is a very good replacement for Office.
  • Try NOT to use PDF; use ePub, it's the same but internally it's HTML5/CSS3 and can't run JS. PDF executes arbitrary code, ePub doesn't, by design.
  • Use a Unicode emoji in passwords.
  • Put a sticker on the webcam if you don't use it.
  • Put a sticker on the IR remote receiver if your notebook has one and you don't use it.

ghost Aug 18, 2016

Mac OS X:

Just some general tips for Mac OS X, feedback welcome.

OS:

  • Enable FileVault 2 with a STRONG password
  • Set a STRONG firmware password on your device
  • Be aware of the iCloud password-reset backdoor - see the second link under Read below
  • Disable all of Apple's iCloud Spyware, Backup, Drive, FindMyDevice, Calendar, Weather, etc.
  • Use a strong password on your Apple ID and enable 2FA, DO NOT REUSE THIS PASSWORD!
  • Install BlockBlock and RansomWhere - https://objective-see.com/ (has other nice tools as well btw.)
  • Get a license for Little Snitch and Micro Snitch - https://www.obdev.at/products/
  • Ensure you are on the latest version + patchlevel, disable 'silent upgrades', check periodically by hand
  • Disable all unneeded interfaces and ports such as Firewire, Bluetooth, Ethernet, Wifi, etc.
  • Disable all Cloud-related shit such as iCloud, other sync shit like geod, ical, etc.
  • Some tape for Mic + Cam or better disassemble and remove the hw parts if possible
  • Limit the app execution mode to signed Apps from the App Store only
  • Set a short sleep timeout and enable FV2 key destruction on standby
  • Enable OSX's firewall and block all inbound traffic (advanced block mode)
  • Use custom DNS servers you trust and feel comfortable with such as OpenDNS
  • Personally I believe there is no need for anti-virus on a Mac, otherwise use ClamAV or MalwareBytes
  • Use a secure password manager such as Keepass - (Lastpass is ok too, but probably less secure)
  • Use VeraCrypt for usb drives or very sensitive data
  • Always use VPNs+Proxy if in public wifi
  • Disable IPv6 when not needed

Browser:

  • Firefox or Chromium (not Google Chrome) (always keep it up to date)
  • NoScript, uBlock and HTTPSEverywhere addons (optionally UserAgentSwitcher - nice to mitigate exploits by faking IE6 lol)
  • No flash, silverlight, java, etc. disable all plugins, use click2play or even better UNINSTALL them completely!
  • Disable WebRTC completely, too many holes in that cheese
  • Purge all creepy CAs from your browser (there are plenty of them...)
  • For more Firefox hardening stuff see https://github.com/pyllyukko/user.js/

Mail:

  • Set up your OWN, SECURE mail servers (if possible)
  • NEVER use imap/pop3/smtp without TLS, big fail!
  • Get the GPGTools suite for Apple Mail - https://gpgtools.org/
  • Sign and encrypt your mails and attachments whenever possible

Cron:

  • Regularly audit your system with the LockDown utility from https://objective-see.com/
  • Regularly run TaskExplorer, KnockKnock and DHS from https://objective-see.com/
  • Regularly check ALL system logs for anomalies including LittleSnitch's log
  • Regularly check kextstat + launchagents and launchdaemons and tmpdirs
  • Wipe stuff with diskutil secureErase if required (not recommended with SSDs)

Read:

taoeffect Aug 18, 2016

That's a great list @schallertd! Regarding this:

Regularly audit your system with the LockDown utility from https://objective-see.com/
Regularly run TaskExplorer, KnockKnock and DHS from https://objective-see.com/

See cautions.

dguido Aug 27, 2016

@taoeffect, you're welcome to disassemble the binaries for Objective-See just like everyone else. There are no backdoors. Avoid useful tools at your peril. BlockBlock and TaskExplorer are the best things out there to keep yourself safe, and they come from someone who would know what it takes to do that! Last point to remember: everyone needs security. Patrick is an avid OS X user and wrote the tools as much for himself as for everyone else. There's no good reason to sabotage them.

adminlinzi Apr 15, 2017

Thanks for sharing

cedriczirtacic Oct 26, 2017

Isn't Brave a better option than Chrome/Chromium?