
How to stay safe online

Ukrainian version

Permanent link: https://github.com/sapran/dontclickshit/

Original mind map (updated):

Contents

  1. Don't click shit
  2. Use passphrases instead of passwords
  3. Use multi-factor authentication
  4. Operating system and software
  5. Antivirus
  6. Firewall
  7. Backup your data
  8. Use crypto
  9. Mobile security
  10. Physical security
  11. Stay safe!
  12. Credits

Don't click shit

What do you mean?

Don't open, click or run suspicious files, links, and programs.

Rule of thumb: if you are not expecting it, it is suspicious.

Suspicious files

Don't open suspicious files, email attachments, or archived documents if you do not completely trust the source they come from. Send unwanted emails to the spam folder before reading them: files or links from people you don't know should be treated as malicious by default.

Verify a file's origin by means other than the medium you received it through. For example, if you received a Word document via email, contact the sender by instant messenger or by phone and confirm why they sent it.

❗ The most risky file types are:

  • Any executable files: EXE, COM, CMD, BAT, PS1, SWF, JAR etc.
  • MS Office documents, especially with macros: DOC/DOCX/DOCM, XLS/XLSX/XLSM etc.
  • PDF documents: PDF.
  • Vector graphics with embedded code: SVG.
  • Archives of these files, especially password-protected.

Under time pressure it is sometimes hard to tell malicious files from legitimate ones. Use VirusTotal to check a file by scanning it with more than 50 antivirus engines at once. While this is much more efficient than scanning files offline, ❗consider the fact that you are disclosing the file to a third party.

🔧 VirusTotal: https://virustotal.com

Suspicious links

Don't open suspicious URL links, especially those pointing to web-sites you don't normally visit. Always check the web-site domain name before clicking a link: attackers can mangle a domain name so that it looks familiar: facelook.com, gooogle.com etc. Use HTTPS and verify the web-site's SSL certificate to ensure it is not cloned or spoofed.
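The look-alike check described above, written out as code. This is an added example and not part of the original guide; the trusted-domain list and the sample URLs are constructed, and the "registrable domain" helper deliberately ignores suffixes such as .co.uk (a real tool would consult the Public Suffix List).

```python
"""Flag URLs whose domain is a near-miss of a site you actually use
(added example; the trusted list and URLs below are constructed)."""
from urllib.parse import urlsplit

# Constructed list of sites the user normally visits (an assumption).
TRUSTED_DOMAINS = ["facebook.com", "google.com", "github.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the last two host labels, e.g. 'facelook.com'.

    Simplification: does not handle suffixes like .co.uk, for which the
    Public Suffix List would be needed.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Classify a URL as 'trusted', 'lookalike of <domain>' or 'unknown'.

    A domain within max_dist edits of a trusted one (facelook.com vs
    facebook.com, gooogle.com vs google.com) is reported as a look-alike.
    A trusted name buried in a longer host (facebook.com.evil.net) is NOT
    trusted, because only the registrable part is compared.
    """
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if edit_distance(domain, good) <= max_dist:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.facebook.com/login", "http://facelook.com/login",
              "https://gooogle.com", "https://www.facebook.com.evil.net/"]:
        print(u, "->", check_url(u))
```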

Malicious URLs can be 'masked' by arbitrary text in HTML files, documents and emails. In web-browsers and email programs, hover the mouse cursor over the link (but don't click) and wait a moment for the real URL to pop up. Or right-click the link and copy it into a text editor to see its actual address. Use VirusTotal to scan suspicious links the same way you scan files.

Malicious URLs can be encoded as QR codes or printed out, including in the form of 'shortened' URLs generated by services such as tinyurl.com, bit.ly, ow.ly etc. Don't type those links into your browser or scan QR codes with your smartphone unless you know exactly what you are doing.

🔧 You can 'resolve' shortened URLs before opening them using these services:

🔧 These popular web-browser extensions automatically perform this resolution:

Suspicious pop-ups

Be careful with pop-ups in your browser, applications and operating system. Always read pop-up messages and don't 'accept' anything in a hurry.

Pop-ups can be dangerous in many ways: some result in installing malicious SSL certificates that allow attackers to sniff your network traffic; some could install malicious software on your computer or redirect your browser to malicious web-sites that infect your computer with malware.

Suspicious devices

Do not insert flash drives, CDs/DVDs, external HDDs etc. into your computer unless you explicitly trust their origin. There are techniques for hacking into your computer before you open any file on a flash drive, and well before your antivirus scans it. If you found it outside or inside the office, if you received it by mail or delivery, if a stranger hands it to you asking you to print a document or just plug it into a PC – it is likely to be malicious. Only trust your own devices, and proceed with caution when dealing with devices received from people you work or otherwise collaborate with.

Use passphrases instead of passwords

What is a passphrase?

Use passphrases instead of passwords to avoid the problems of short passwords and dictionary words.

To create a passphrase, choose a phrase you won't easily forget: a line from a poem or a song's lyrics, a proverb, a slogan etc. Then turn it into a single string by removing spaces and replacing letters with similar-looking digits or symbols: A->4, B->8, C->(, E->3, I->1, L->7, S->5, T->7 etc. Adding special characters and capitalizing random words in the phrase also makes it stronger.

How to create a strong passphrase?

Use passphrase recipes to create strong, unique passphrases. A recipe is an algorithm for deriving different passphrases for different systems from a common basis. For example:

  1. Choose a strong basis, say, the passphrase w3llD0nem8'.

  2. Think about a way of linking the passphrase to the system. Simply adding server name in the end is easy:

    w3llD0nem8'google

    Splitting the name in halves and adding in the beginning and at the end of the phrase is even cooler:

    goow3llD0nem8'gle

    glew3llD0nem8'goo

  3. Don't forget to apply a mangling rule too, say, change the last letter of the server name to a digit if applicable, and always add an exclamation mark or another special character.

    goow3llD0nem8'gl3!
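The three-step recipe above, written out as code so the derivation can be checked against the guide's own example. This is an added illustration, not code from the repository; the letter-to-symbol table is the one listed in the guide (both L and T map to 7), and the function names are this example's own.

```python
"""Passphrase recipe from the guide as a function (added example).

Steps: split the service name in halves, put the first half before the
common basis and the second half after it, replace the last letter of the
service name with its look-alike symbol where the table has one, and
append a special character.
"""

# Letter-to-symbol substitutions exactly as listed in the guide.
LEET = {"a": "4", "b": "8", "c": "(", "e": "3", "i": "1", "l": "7",
        "s": "5", "t": "7"}


def mangle_last(name: str) -> str:
    """Replace the last character of name if the table has a substitute."""
    if not name:
        return name
    return name[:-1] + LEET.get(name[-1].lower(), name[-1])


def recipe(basis: str, service: str, suffix: str = "!") -> str:
    """Derive the passphrase for one service from the common basis."""
    half = len(service) // 2
    head, tail = service[:half], service[half:]
    return head + basis + mangle_last(tail) + suffix


if __name__ == "__main__":
    # Reproduces the guide's worked example: goow3llD0nem8'gl3!
    print(recipe("w3llD0nem8'", "google"))
```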

Keep passphrases secret

No one should know your passphrase except you. Don't tell it to anyone including your boss, your sysadmin or helpdesk, your wife, your parents, your kids etc. There is no legitimate reason for anyone to ask for your passphrase. Technically, even the system that you are using it for does not have your passphrase in its original form – instead it 'hashes' it and stores its cryptographically protected copy.
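To show what "hashes it and stores a cryptographically protected copy" looks like in practice, here is an added example (not from the original guide) of how a service can store and check a passphrase without ever keeping the passphrase itself. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the record format and the iteration count are this example's own choices.

```python
"""Store a passphrase as salt + slow hash, never in the clear
(added example; the record format and work factor are assumptions)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt means two users with the same passphrase get
    different records, and precomputed tables are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False          # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, int(iters))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    rec = hash_passphrase("w3llD0nem8'")
    print(rec)                                     # the passphrase appears nowhere
    print(verify_passphrase("w3llD0nem8'", rec))   # True
    print(verify_passphrase("w3llD0nem9'", rec))   # False
```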

Never write down your passphrases on paper or in a clear text (unencrypted) file. Password-protected Excel is not encrypted. Password-protected archive is not properly encrypted. Only use trustworthy password managers if needed.

Updating passphrases

Change passphrases regularly, at least once a year. Corporate passphrases, or passphrases you use more often (e.g. multiple times a day), have to be changed at least every month or two.

💡 The rule of thumb is: the more frequently you use it, the more frequently it has to be changed.

Still want to use passwords?

Strong passwords are long, complex, and unique. This means they should be longer than 12 characters, contain different types of characters (letters, digits, special characters), and be different for every service, web-site or system you use. Passwords should not be based on simple words that can be found in dictionaries. Passwords should not be 'cognitive', that is, they must be based on something other than data about the user or the system. Otherwise, information related to the user or the system could and will help an attacker guess the password.

Password managers

Use a password manager (password safe) and follow these rules:

  1. Generate strong random passwords of configurable length (longer than 20 characters) and complexity.
  2. Make sure your master password is strong.
  3. Use a password manager that encrypts password database before storing it in the cloud or synchronizing it between your devices via the network.
  4. Backup your password database often.

💡 For an additional layer of protection, use a manual password salt: pick a secret string, memorize it, and add it by hand to each password stored in the manager every time you paste it into a login form.

🔧 Examples of good password managers are:

Use multi-factor authentication

Enable multi-factor authentication

Most respected online services allow two-factor authentication. Enable it using a built-in software token (available on Facebook, Twitter, Google etc.) or an SMS one-time verification code.

🔧 URLs to multi-factor authentication settings of popular web-sites:

🔧 Large collection of services that support two-factor authentication: https://twofactorauth.org

Avoid SMS

Prefer using Google Authenticator, physical token, or mobile app verification techniques. Avoid SMS one-time passwords wherever possible.

Operating system and software

Do not run client software with administrator privileges. Always log into the OS interactively as a 'regular' user and, only when you need to install or run legitimate programs, elevate privileges via the Run As... menu. Never run Java and Flash programs, PowerShell and cmd scripts, or any other 'mobile' code, especially with administrator rights.

❗ WARNING: When you run programs with the rights of a local administrator, you enable them to intercept the access credentials and current sessions of other users who are working on your computer or have recently logged on to it. In this way an attacker can intercept the credentials of the corporate domain administrator and completely compromise the Active Directory domain.

Don't use pirated software. Don't run or install software downloaded from untrusted sources. This includes torrents and other peer-to-peer networks. This especially includes keygen and cracking tools that require administrator privileges to run.

Morals or ethics have nothing to do with it: it is just totally insecure. First, trojanizing a distribution and putting it online 'for free' is a well-known way of hacking into systems, and it happens much more often than we'd like. Second, pirated software can rarely be kept up to date with security patches, which just don't arrive on your system. Messing with 'activations' and re-activations isn't worth it, and the risks of not updating software are unacceptable.

Windows

Turn on Auto-Update in your Windows OS. For more details refer to the official FAQ.

Make sure your Windows Update is configured to check for updates for all Microsoft products, including MS Office.

Update third party software regularly or automatically. For that, use Flexera (formerly Secunia) PSI or an equivalent tool that checks your third party applications for updates and allows you to update them automatically.

🔧 Flexera PSI: http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/

macOS

Turn on AppStore auto-updates as recommended by Apple.

Turn on your MS Office Auto-Update in macOS as recommended by Microsoft.

Use Homebrew to keep your third party apps up to date. You can easily find many tools you already use in Homebrew:

brew search vlc
brew search wireshark
brew search gpgtools

To install Homebrew, follow the official guide: https://brew.sh

Alternatively, to keep third-party apps up to date, use MacInformer or an equivalent tool. ❗WARNING: although safer than not using any update mechanism, this kind of software may be invasive and not as secure as Homebrew. So no URL here.

Linux

Modern Linux distributions let you configure automatic updates with OS tools or update the software manually. For example, in Ubuntu Linux the software is updated with the command

apt update && apt -y upgrade

For details about your Linux distribution, refer to the documentation.

Antivirus

macOS & Linux

On Linux or macOS don't use antivirus. Seriously. Security software comes with security vulnerabilities; it is not more secure than any other piece of code. However, in order to be effective, antivirus normally requires elevated privileges in the OS. This introduces new risks that outweigh the danger of getting infected on relatively secure and less popular platforms. If you follow the recommendations in this guide, you can install an AV that does not continuously monitor your OS and scan your system with it once in a while. Malwarebytes has one of those; BitDefender is a more thorough option.

🔧 Malwarebytes https://www.malwarebytes.com

🔧 BitDefender https://www.bitdefender.de

Windows

On Windows, do use antivirus. But don't forget that AV is very ineffective against modern online threats. Think of antivirus efficiency as varying from 15% to 30%; most of the time this is true.

Choosing an antivirus is not easy: 'independent' tests are biased toward the AV vendors who, at the end of the day, pay for these tests. There are, however, more or less objective reviews and testing results.

Firewall

macOS

Enable and configure the built-in macOS firewall in System Preferences -> Security & Privacy -> Firewall. Advanced Firewall Options... allow more detailed configuration, such as blocking all incoming connections, configuring ingress and egress filtering for specific applications, and allowing incoming connections to system and signed applications. Enable stealth mode if you would like to make your Mac invisible to any other network client (e.g. to prevent a recent remote attack over the ICMP protocol).

Install and master advanced network protection using one of the custom firewall solutions such as:

🔧 Little Snitch (commercial) or

🔧 LuLu (free & open source).

Windows

TODO

Linux

TODO

Backup your data

macOS

Use a separate encrypted external hard drive with Time Machine backups configured. Attach it whenever you are doing important work and it will back up everything automatically. Recommended HDD size: at least twice as large as your internal hard drive. Apple guide.

Windows

In Windows 10, backup & restore is easy to configure in Settings -> Update & Security -> Backup. Microsoft guide.

For Windows 8.1 and 7 follow Microsoft recommendations on system and data backups.

Alternatively, select and use third-party backup software.

Linux

Linux users have many backup mechanisms at their disposal: from tar to rsync to a remote file share. Less technically savvy users can choose from more user-friendly tools.

You can backup your data by putting it to a cloud drive such as Dropbox, iCloud Drive, Google Drive etc. Don't forget to encrypt data before uploading it though.

Use crypto

Check web-sites encryption

Always make sure that the web-site to which you are passing sensitive data is protected by HTTPS. That means it has https:// before its address in the address bar and its certificate is validated by your browser, so it does not generate security warnings.

Note that the presence of HTTPS by itself should not increase your trust in a web-site: anyone can obtain a valid certificate for their own web-site. The web-site domain name should be verified, because a domain can be easily spoofed and the web-site cloned if you don't pay attention.

❗ And do not accept untrusted certificates either temporarily or permanently.

Encrypt data

You can use the Full Disk Encryption feature of your OS to protect the data on your laptop or PC against theft or loss. FDE is a free feature on Linux, macOS, and Windows Pro.

macOS

Enable FileVault. That's it, you're done. Apple guide.

Linux

Use LUKS or other means of Full Disk Encryption. Alternatively you can select disk encryption options or encrypt just your home partition during OS installation. This seems to be a reasonable guide for Arch, but every popular distro has a similar how-to.

Windows

Enable BitLocker. It's fast, it's native to Windows, and it's easy to configure and use. Microsoft guide.

In case your edition of Windows comes without BitLocker, use a third party solution such as VeraCrypt, a fork of TrueCrypt, which itself is not recommended.

🔧 VeraCrypt: https://veracrypt.codeplex.com

💡 You can encrypt external drives or individual files too.

Encrypt communications

Use trusted end-to-end encrypted communications for private/confidential data. End-to-end encryption ensures that no one other than you and your recipient can access the conversation. Email can be encrypted end-to-end with PGP or GPG, or with S/MIME. End-to-end encrypted instant messengers include Signal, WhatsApp, iMessage, Viber and Threema. Facebook Messenger, Google Allo, and Telegram have 'secret chats' that may be seen as more secure than their default mode.

🔧 Email encryption

🔧 End-to-end encrypted IMs:

🔧 High anonymity IMs:

EFF secure instant messaging guide and scorecard https://www.eff.org/secure-messaging-scorecard

Encrypt cloud data

Encrypt your sensitive data before uploading it to the cloud. Remember: there is no 'cloud', it's just someone else's computer. Boxcryptor and Cryptomator are tools that let you encrypt data offline before putting it on your cloud drive. Boxcryptor is free for one cloud drive. Cryptomator is free open source software.

🔧 Boxcryptor: https://www.boxcryptor.com

🔧 Cryptomator: https://cryptomator.org

Use VPN

To protect your traffic data and metadata from network sniffing, use Virtual Private Networks. You can choose from many VPN service providers, such as proXPN or PrivateTunnel. You can also install and maintain your own VPN server. Always use the corporate VPN when working with business data remotely.

🔧 Personal VPN services (recommended by Daniel Miessler):

💡 How to set up your own OpenVPN server on Digital Ocean: https://www.digitalocean.com/community/tutorials/openvpn-access-server-centos

💡 Algo is a fully automated Ansible-based approach to deploying a personal IPSec VPN server in any major cloud: https://github.com/trailofbits/algo

Mobile security

A mobile network is as insecure as a public WiFi access point. Use the same crypto tools while on your cellular data network. Don't consider SMS or voice calls private: use end-to-end encrypted voice calls and messages instead.

Use iOS. By all accounts, Apple's mobile platform and its application ecosystem are much more secure than an Android-based one controlled by your carrier or an OEM manufacturer (Samsung, LG, Sony etc.).

If Android, then Google. Only direct support by the OS manufacturer can guarantee timely security updates. Any additional hop in the supply chain (OEM vendor, cellular carrier, enterprise IT etc.) lowers your security level. On some occasions updates simply stop reaching you after a year or two of using the device.

Don't root your phone. Use only authorized application repositories, e.g. Google Play and the Apple App Store. Don't download or install 'emergency security updates' coming from sources other than the software manufacturer.

Physical security

Keep your stuff where you can see or control it. Your computer and gadgets require the same level of physical security you maintain for your credit cards and apartment/car keys. ❗Remember: if an attacker can get close to your PC without you noticing, they will most probably succeed in a complete OS takeover with very little effort. Keeping the user session locked can help, but there are modern attacks it cannot protect you against.

So, don't leave your equipment unattended, especially when it is running. Shut down or hibernate every time you leave it, even for a few minutes. Require a password every time you turn it on.

Do sensitive and non-sensitive operations on different computers. If you allow your kids to play online games on the same PC you use for online banking – you will be hacked. If you shop online from a PC in a computer club or internet cafe – you will be hacked. If you send business emails from the PC in the open area of your hotel – you will be hacked.

Use separate computers for business and financial operations and activities that demand privacy and confidentiality. Use a dedicated virtual or physical machine for the most critical operations.

💡 In some authoritarian countries, you may be asked to provide the password to your encrypted information at the border and at the airport. When crossing the borders of such states, take advantage of this advice: ask a person you trust (preferably a lawyer) to change your password before you leave and give it to you only when you complete the trip. Repeat the procedure on the way back.

Stay safe!

Thank you for taking care of your personal cyber-security. Share these tips with your friends, colleagues and close ones to make the world a bit safer.

These tips are contributed by multiple security professionals who have years of experience in building, assessing, and ethically hacking computer systems, applications and networks.

You can share these tips, use them commercially, and change them as you wish. It's free. Links to the original and credits are welcome.

If you have something to add or have found an error in the text, let me know via email at sapran@protonmail.com or by creating an issue. Pull requests are most welcome.

Credits

This guide wouldn't exist without the help of many security professionals in Ukraine and abroad. Big thanks to everyone who contributed to the contents of this document and proposed the edits and updates along the course of its creation. Compiled and drafted by Vlad Styran, BSG, https://blog.styran.com.

Special thanks go to Boris "@jadedsecurity" Sverdlik for a great deal of inspiration and coining the "Don't click shit" slogan.