Notes by @zcaceres, last active May 17, 2017 02:27
Security Tips from NCC

Intro

The Internet is huge: it has processed 1 zettabyte of traffic (an insanely huge amount).

Your data is being siphoned up, but the NSA may not be watching you.

James Mickens, "This World of Ours"

Practice Good OpSec (Operational Security)

  • Privacy Badger
  • Encrypt and anonymize your internet traffic
  • Tor Browser
  • The Amnesic Incognito Live System (Tails)
  • HTTPS Everywhere
  • VPN (theoneprivacysite.net/vpn-section/)

Text messages are sent in clear text, so SMS is bad news.

Authentication

  • Enable multifactor authentication (Google Authenticator, YubiKey)

MFA combines factors from these categories: 'something you know', 'something you have', 'something you are'.

  • Use strong passwords, and a unique one for each account/service
  • Use a password manager

Passwords

Burp is an HTTP intercepting proxy. It can brute-force a weak password very easily.

Check out Bruce Schneier's 'Choosing Secure Passwords'

  1. Minimum 12 characters
  2. Mixture of letters, numbers and symbols, upper and lowercase
  3. No common patterns or personally-identifiable information

Just USE A PASSWORD MANAGER. Remember ONE password. 1Password/LastPass.

  • Sync passwords ONLY OVER A SECURE NETWORK. Not public Wi-Fi.
  • Stay out of the cloud: don't put your password vault in the cloud...
  • Encrypt your backup

Always log out. Don't leave yourself logged in, because a Cross-Site Request Forgery (CSRF) attack abuses the session you left open.

Good Internet Hygiene

  • Don't sign up with real data for stupid sites.
  • Just lie about your personal details.
  • Use throwaway emails: Mailinator, MailDrop
  • haveibeenpwned.com <-- check it to see if you had an account on a site that's been breached

SMS

Text messages aren't secure. If your iMessage bubble is blue, it's encrypted; if it isn't, it's not. Otherwise use Signal or ChatSecure.

Email

It's all about encryption. ProtonMail is secure. Use a PGP plugin (GPG Suite for Mac). Some social media sites support PGP.

Chat – Someone is ALWAYS LISTENING.

  • Use Off-the-Record messaging (OTR)
  • Anonymous chat clients if you're really paranoid: Ricochet. OTR is also available on GChat.

Justin Engler, 'Secure Messaging for Normal People'

Location

  • Disable location services and all diagnostic feedback
  • PleaseRobMe.com used to tell people when their house could be robbed based on social media check-ins. WHAT?!!!!
  • Don't advertise your location.
  • Disable geotagging on photos and media uploads.
  • Use a USB data blocker ("USB condom") when charging from a port you don't control

Me and My Shadow, 'Increase Your Privacy' <--- good how-tos

Traveling Secure

EFF has good travel information.

  • Know your rights
  • Don't take secrets with you
  • Use passwords not fingerprints (your fingerprints are considered public data)
  • Use full disk encryption
  • Create travel profiles/accounts
  • Use burners (laptops/phones)
  • Power down

All Macs have FileVault built in. Use it!

Moral of the story: yes, the NSA is watching you, but they aren't targeting you. Privacy still matters.

Learn Hacking Stuff

  • OWASP