@jeffmaher
Created March 28, 2017 17:50
Security Hygiene

Credit for this document goes to a USDS colleague of mine, Alex Gaynor.

Checklist

Follow this checklist to improve security today. These are roughly prioritized, and details for each are later in this document.

  • Enable 2-factor for every place that offers it, in particular:
    • Google (use the "security key" option if you have a YubiKey 4)
    • Facebook
    • GitHub (use the "security key" option if you have a YubiKey 4)
    • Slack
    • Your bank
  • Optional: Buy a YubiKey 4 as a 2-factor device
  • Install LastPass or 1Password so you can use unique passwords everywhere
  • Buy a USB condom or charge-only USB cable
  • Enable device encryption on your laptops (MacOS, Windows) and phones (Android)
  • Lock your devices (PIN, pattern, fingerprint, any are fine)
    • Mobile phones
    • PCs and laptops, so that they lock after some period of inactivity
  • Install and use Chrome
  • Install Signal (Android, iPhone) or WhatsApp (Android, iPhone)
  • Enable "click to play" in your web browsers
  • Uninstall software you don't use
  • Use Windows Defender for anti-virus

Rules to Live By

  • Use caution when following links in e-mail
  • Keep your software updated, particularly your operating system and web browser
  • Never plug your phone into an untrusted USB port
  • Avoid sharing USB devices between computers
  • Buy a burner phone (and maybe laptop) when traveling to some overseas countries
  • Turn off wireless technologies (e.g. bluetooth, NFC) when you aren't using them
  • Use encrypted text messaging software instead of SMS
  • Consider a Chromebook if you just want to use the web

In Detail

Threats

Common

Phishing. E-mail is not authenticated. Just because it looks like it came from your bank, or your best friend, doesn't mean that it did. "Your account was locked due to suspicious activity. Give us your account number to get it unlocked."

Your Facebook friends. Even if your account is well-protected, how many of your friends use 2-factor? "Hi, I'm stranded in Rome and my credit card is frozen! Can you wire me some cash?"

Identity theft. Few organizations protect data properly, and sufficiently determined attackers can exfiltrate it even when they do. PII and password databases are compromised all the time. Even if you get your account back, the things it contained might be unrecoverably lost (e-mails, documents, money). This can also occur through theft of your own devices.

Password re-use. Without 2-factor, and given all of the password database compromises, using the same password on multiple sites basically guarantees that someone out there knows the username and password to many of your other accounts.

Software vulnerabilities. Sometimes even legitimate, HTTPS-protected web sites are compromised, such as through ad networks. If a new exploit is discovered and your browser has not yet been updated to address it, your computer can be compromised. Any other software that can be reached over the network (including many virus scanners) is at high risk of remote exploitation.

Less Common

Note that some USDS employees have reported being targeted by some of the threats listed below. Don't dismiss these just because they aren't threats that people typically see. Our jobs make us attractive targets.

Spear phishing. Imagine "Hi, so-and-so! Had a great time at the lake last weekend. Remember that site I texted you last week? This one is actually better: ..." except that every part of that message was true because that's how much research they've done. And so of course you click the link. Other variations include messages pretending to be from Google telling you that you should change your password.

Man-in-the-middle. Never trust the network. If a web site doesn't have a green "https" indicator, every network element between you and the web site has the opportunity to intercept or change what you see or send. The green "https" indicator means you can trust your session with that web site, even if you're on a sketchy network.

Wireless. Every method by which you can remotely interact with your devices is a method an attacker can use too: Bluetooth, NFC, WiFi, mobile (baseband).

Wires and connectors. Everything you connect to your computer can potentially infect your device with malware, and vice-versa: USB devices of any type, ethernet, even display connections.

Physical access. It takes just a second for a well-equipped attacker to compromise a device they have physical access to.

Live your best life

Use 2-factor authentication

Enable 2-factor support for all sites that allow it right now, especially Google, Facebook and GitHub. This often involves installing the Google Authenticator app, and using it to scan a secret barcode on the web site to link the two together. You'll then use the OTP supplied by this app to log in to the site in the future. Avoid using SMS as your 2-factor solution wherever possible, but it's better than nothing.

For maximum security, buy a YubiKey 4. Enable the 2-factor "security key" option where it's available (Google, GitHub, Dropbox, and probably others). This renders your account immune to phishing. If you get the NFC-capable YubiKey and have an Android device, you can also use the YubiKey Authenticator app instead of Google Authenticator to keep your 2-factor secrets even secreter (and more portable).
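As an added illustration (not part of the gist), here is what the "scan a secret barcode, then type the code" flow actually does under the hood. The QR code carries an otpauth:// URI containing a base32-encoded shared secret; the authenticator app and the web site each compute the same time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) from that secret and the current time. The secret and URI below are constructed sample values (the secret is the published RFC 6238 test key), and the `verify_totp` drift window is the kind of check a site would implement, not any particular vendor's code. Only the Python standard library is used.

```python
# Added example, not from the gist: TOTP as used by Google Authenticator-style apps.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# RFC 6238's published test secret ("12345678901234567890" as bytes), base32-encoded
# the way an enrolment QR code carries it. Constructed sample value.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# A constructed otpauth:// URI of the kind encoded in the "secret barcode".
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=" + SAMPLE_SECRET_B32 + "&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull the shared secret and parameters out of an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = parse_qs(parts.query)
    return {
        "label": parts.path.lstrip("/"),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [None])[0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating lower case, spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time=None, digits: int = 6, period: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(decode_secret(secret_b32), int(unix_time) // period, digits)


def verify_totp(secret_b32: str, code: str, unix_time=None, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Site-side check: accept the code for the current time step and up to
    `window` neighbouring steps (clock drift), comparing in constant time."""
    if unix_time is None:
        unix_time = time.time()
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    key = decode_secret(secret_b32)
    counter = int(unix_time) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("enrolled secret:", params["secret"])
    print("code right now:", totp(params["secret"], digits=params["digits"],
                                  period=params["period"]))
```

Two things worth noticing. First, the whole scheme rests on the base32 secret in that URI: anyone who gets a copy of the QR code or of the app's backup can generate your codes, which is why the gist likes keeping the secrets on a YubiKey. Second, a TOTP code is just six digits typed into a form, so a look-alike site can relay it to the real one while it is still valid; that is the gap the U2F "security key" option closes, and why the gist calls that option phishing-immune while the authenticator app is not.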

If you're considering a U2F security key, here are the available options:

| Key type | Cost | What it gets you |
| --- | --- | --- |
| FIDO U2F Security Key | $15-18 | U2F-enabled sites, like Google and GitHub. If you aren't sure which to get, get this one. |
| YubiKey 4 | $40-50 | U2F plus "YubiKey"-enabled sites, like LastPass. Also, GPG and SSH keys on your YubiKey. |
| YubiKey Neo | $50 | YubiKey 4 features plus NFC, giving you U2F security key functionality on your Android phone and also the ability to store your "Google Authenticator" OTP secrets on the YubiKey instead of keeping them in your phone. |

Use unique passwords everywhere

Install LastPass or 1Password in your web browser and phone. This gives you unique passwords for each site, and applies reasonable protection of those passwords even though they're ultimately stored in the cloud. LastPass supports YubiKey for 2-factor, but some of us think 1Password has a better security model and UX. Your master password should be very strong (consider a sentence or passphrase).

Use caution following links or opening attachments in e-mails

Every big network intrusion you read about in the news started from a spear phishing attack. These are well-researched messages specifically targeting you, maximizing the chance that you'll think the sender is trustworthy and the content legitimate. They could pose as a friend or a family member, or a trusted company like Google or Apple. The content could be familiar, could reference a recent purchase you made, or could masquerade as a "warning" that your account was just compromised, giving you a helpful link to change your password. (This is how the DNC hack was perpetrated.)

Be extremely cautious and paranoid about following links or opening file attachments sent in e-mail, even if you'd otherwise trust the sender. A quick text message (via Signal!) can confirm the message is legitimate. If it's a message from a business like your bank or Google, skip following the link entirely and navigate to the task yourself.

Never plug your phone into an untrusted USB port

Always use your own wall charger to charge your phone. Never plug your phone into a random USB port, such as those found at airports or taxi cabs. Only charge your phone from your computer's USB port if you're confident it doesn't have malware. (That's a trick. Your computer probably has malware.)

If you must plug your phone into an untrustworthy USB port, buy and use a USB condom, or use a charge-only USB cable. Newer Android devices default to "charge only" USB port behavior, which may or may not have the same effect. Certainly don't change this default if you intend to plug into ports you don't fully trust.

Avoid sharing USB devices between computers

USB devices of any kind can become malware infection vectors. This is especially true for USB thumb drives, but is often true for complex peripherals like printers, and can even be true for devices like keyboards and mice. Remember: you're not just interfacing with the device, you're interfacing with every device that device has ever interfaced with.

If you're going to replace your computer, consider replacing cheap peripherals at the same time.

Secure and encrypt your mobile device

Secure your mobile devices with a lock screen. Whether you use a PIN, password, pattern or fingerprint doesn't really matter much.

Newer phones encrypt their storage by default. Enable full-disk encryption on your laptops, and consider doing it for your PC as well, if you have one.

Both of these measures are chiefly there to protect you and your data against theft. Neither will do anything against a well-funded state adversary, but they will effectively stop almost all routine thieves.

Buy a burner phone (and maybe laptop) when traveling overseas

It's a lot easier for an adversarial nation-state (which could include our allies!) to hack into your phone when you travel to their home turf, where they probably own the mobile infrastructure and know who you are. If you're worried about your phone number changing, use Google Voice.

If you are traveling to one of these countries in particular, don't bring your phone or laptop: China, Russia, Israel, Cuba, Iran, North Korea, Ukraine, Belarus.

Turn off wireless technologies when you aren't using them

Wireless technologies like Bluetooth have been targets for exploitation in the past. Leaving Bluetooth and NFC turned on all of the time increases the chances that someone might discover and exploit such a vulnerability.

Use end-to-end encrypted text messaging instead of SMS

SMS can be snooped on or spoofed by anyone that controls the mobile infrastructure you're connecting to. This includes other nation-states, but it is also possible to trick your phone into connecting to someone's fake mobile tower and you'd never know it. This also implies you can't necessarily rely on the phone number as proof that the other person is who they say they are.

Use end-to-end messaging apps for personal communications where you want some assurance of privacy. Signal is great, but WhatsApp has recently incorporated Signal-like features. Some other messaging apps, such as Google Allo and Facebook Messenger, have end-to-end encryption features, but these features are often confusing and difficult to use reliably. Many people at USDS use Signal for personal messaging.

Usually these apps will have some kind of "safety number" verification step that you shouldn't skip.

Keep your software updated

Prefer software that auto-updates. When an update is released (for instance, monthly OS security releases), take the time to apply the update as quickly as possible. Once word gets out that a vulnerability exists, there is a rush to exploit that vulnerability on systems that are not yet patched. Every time you "remind me tomorrow", you leave yourself open to exploitation for one more day.

Uninstall software that you don't use. Vulnerabilities discovered in software that you don't have installed can't hurt you.

Enable "click to play" in your web browsers

In Chrome, this is in your Settings, under Advanced Settings, Privacy, Content Settings, Plugins. Choose "Detect and run important plugin content" or "Let me choose". This reduces the chance that a compromised site or ad network will invoke an arbitrary plugin with the intention of exploiting a vulnerability in it.

Reconsider that virus scanner

The best protection from malware and viruses on a Microsoft platform is upgrading to Windows 10 and enabling Windows Defender. Avoid commercial anti-virus software. Virus scanners, by their nature, are extremely privileged pieces of software running on your devices, and they have bugs like any other software.
