Security recommendations

Some pieces of advice to improve your Opsec or digital security.

Author’s notes:

Phishing

Social engineering is perhaps the most effective way of attacking someone, phishing being one of the most common.

Criminals are always getting more creative and coming up with new phishing methods. Some of them are still pretty obvious, but others can be very sneaky.

You can find some examples here:

Recommendations

Passwords

You should avoid reusing passwords whenever possible. Websites get hacked all the time, and a lot of them either store passwords in plain text or with a very weak hashing algorithm that is susceptible to password cracking.

Avoid storing them on paper, or in an Excel/Word/plain-text document. Doing this isn’t very practical anyway compared to the other available options, and the catch with these approaches is that your passwords are not protected by encryption, so anyone with access to them can read all your credentials.

You can use a Password Manager like KeePassXC for desktop PCs or KeePassDX for mobile devices. Any password manager is okay, as long as you make sure that they are following proper security standards.

One of the advantages of KeePass-based password managers is that they are usually free and open-source (you can audit the code yourself and make sure that it follows proper security standards, if you are into that), and that they usually work offline: they don’t require an Internet connection.

The advantage of an offline password manager is that you are reducing the attack surface by not exposing your password database to the Internet or a cloud service. This can be a bit less convenient if you want to sync your passwords across devices, but you can use tools like Syncthing for that.

Bitwarden is another commonly used open source password manager. It supports syncing, and you can optionally self-host it.

If you prefer CLI-based password managers, there’s also the Unix standard password manager, Pass.

1Password is recommended. At the time of writing this article, 1Password hasn’t had any security incident or data breach. It’s worth noting that 1Password is closed-source, if that’s a concern for you.

LastPass isn’t necessarily a bad password manager, but it is worth mentioning that LastPass has a record of security incidents.

Even though your passwords are in theory protected by encryption, you must use a strong master password to mitigate these security incidents: a leaked database is only as safe as the master password that encrypts it. Your password database contains a lot of sensitive information. If this is a concern for you, consider using an offline password manager. As mentioned before, you reduce the attack surface by not exposing your passwords to a cloud or online service that is not under your control.

Important note: The whole purpose of using a password manager is letting it generate secure, random passwords for you (don’t create passwords yourself).

Some websites have very dumb rules on the allowed characters for the password field, so configure your password manager’s generator as needed.

It can take quite a bit of time to replace the passwords of all of your accounts, but it’s worth the time.

How to test how secure your password is:

Multi-factor authentication

Multi Factor Authentication prevents an attacker from accessing an account if the password gets compromised.

A fun fact about MFA that many people don’t know: most of the MFA codes that you receive on your phone (except SMS) are actually Time-Based One-Time Passwords (TOTP), a standard that generates codes from the current time and a shared secret. It doesn’t require any Internet connection, preventing man-in-the-middle attacks.

That being said, in most cases (not always) you don’t need a specific app for your OTPs; the app only needs to support the TOTP standard (RFC 6238), which is the OTP algorithm that most services use.

Recommendation

Don’t use SMS for MFA. Sadly, this is not always possible, as some services still require SMS for MFA. But keep in mind that SMS is a completely broken protocol that shouldn’t be used anymore. Also, your phone number is susceptible to SIM swap attacks. This is how Jack Dorsey (ex Twitter CEO) got hacked.

You can use Aegis for Android or Raivo OTP for iOS. These are open-source alternatives, but you can use the one that you like and trust the most. You may want to avoid using Authy.

Considerations

Keep in mind that multi-factor authentication is not a bulletproof method to prevent an attacker from accessing your accounts. An attacker can still steal your session tokens and bypass the login and multi-factor step altogether.

Security Questions

Don’t be honest answering security questions.

Security questions are basic questions about you (e.g. “What’s your favorite food?”, “Where did you study for the first time?”, etc.) that you can answer in case you forgot your password and don’t have any other way to recover it.

This is extremely susceptible to Social Engineering attacks. If you are honest when answering security questions, an attacker can gather information about you or your relatives and very easily reset your password.

This is a broken system anyway, because you shouldn’t forget your passwords if you are using a password manager.

Always answer these questions with fake data. You can generate random passphrases with your Password Manager for this purpose.

IoT Devices

IoT devices, such as your Smart TV, Smart Fridge, Smart Watch, or even smart lightbulbs, are sometimes built with very poor security standards, and they get hacked all the time.

The more devices you have connected to the Internet, the more you increase the attack surface.

If some of these devices get hacked, it may not affect you directly, but a very common use of hacked IoT devices is enrolling them in a botnet that performs DDoS attacks.

Recommendations

Wireless Devices

Wireless devices can be very convenient to use because cables can be annoying. However, because an attacker no longer needs physical access to hijack the communication between devices, the attack surface is increased: someone nearby may be exploiting a vulnerability in your devices.

Bluetooth has always been insecure, and you may want to avoid using it if you can.

Consider using an Ethernet cable instead of a Wi-Fi connection. Not only is it a bit more secure, you will also have a more stable connection.

Disable any wireless connection when not in use.

Social Media

Social media is inherently susceptible to social engineering attacks. There are many privacy pitfalls when using social media, and it is preferable to just avoid it if you can, or at the very least be careful with what you make public.

Chat Applications

Signal: open-source server and client, but centralized server; requires a phone number
Matrix, XMPP: federated/decentralized (sometimes not E2E encrypted due to federation issues)
GNU Jami, Tox, Session, Briar: serverless
SimpleX: E2E encrypted and P2P, although not 100% serverless
iMessage, WhatsApp: E2E encrypted and proprietary
Telegram: open-source client, proprietary servers, and not E2E encrypted by default
Discord, Slack, Facebook Messenger, etc.: neither E2E encrypted nor open source
SMS: Don’t.

Ransomware

Any operating system can be affected by ransomware.

Some ransomware attacks are so sophisticated that they can even detect backup drives and encrypt them as well.

Always make regular backups of your important files on different drives or clouds. Keep one backup on an external drive that is physically disconnected from any other device. Keep backups from different points in time. For example, let’s say that the ransomware takes one week to encrypt all your files. If you only back up your data daily, there’s a chance that some of the files you are backing up are already encrypted by the ransomware. So, keep a monthly backup plus a separate weekly backup.

Web Browsers

VPNs

VPNs can be useful for privacy in some cases, but they don’t help much for security.

Most websites already protect the data with HTTPS, and web browsers also support an HTTPS-only mode. A VPN can prevent a man-in-the-middle on your local network from sniffing a site’s data if you visit a non-HTTPS site, but once the requests leave the VPN servers the data is no longer encrypted by the VPN protocol, so you should avoid visiting those sites anyway.

Also, many VPNs have lied about their no-log policies. Don’t think that this is only an issue with free VPNs and that it doesn’t happen with paid ones. Just because you gave money to a VPN provider is no guarantee that they are not going to give your data to someone else anyway. There’s no way to know if a VPN is collecting data about you, either intentionally or not.

There are legitimate use cases for VPNs, for example, if an organization has internal services that shouldn’t be accessible to the public, the organization can host an internal VPN to make IP whitelisting much easier. This was actually the intended use of VPNs when they were created.

If you don’t trust your network or your ISP, a VPN can prevent your network provider or your ISP from knowing what websites you are visiting, but keep in mind that you are essentially moving the problem from one place to another: now you have to trust your VPN provider instead.

Home Routers

Update your router’s admin password. Not the Wi-Fi password. The router admin password.

A lot of routers have very basic admin usernames and passwords by default, like “admin / admin”, “admin / admin1”, etc. Some of them have a random string on a sticker on the router itself, but those can still be a bit predictable sometimes. Some ISPs assign similar passwords to a lot of the routers that they distribute, and you can find them online.

For example, you could go to someone else’s house who you know uses a specific ISP, search on the web for common admin passwords for that specific ISP, and log in to the admin panel.

With admin access, you can do anything with the router, such as uploading infected firmware without the owner ever noticing anything.

Recommendations

Smartphones

Modern mobile operating systems often have plenty of security features. However, some smartphone users (especially Android ones) tend to worsen their security with some practices.

Recommendations

Android specific

Perhaps the most secure Android experience that you can have (or in smartphones in general for that matter), is using a Google Pixel with GrapheneOS. GrapheneOS has a lot of features to make Android as secure as possible without sacrificing convenience.

You can check GrapheneOS features to understand why it is so secure compared to other Android ROMs, and also why only Pixel phones are supported.

DivestOS can also be an option if your device doesn’t support GrapheneOS. It supports bootloader re-locking on 26 devices. You can check if your device is supported by DivestOS and if it supports bootloader re-locking here.

Be careful when using custom ROMs. With the exception of GrapheneOS, other custom ROMs such as LineageOS usually require you to keep the bootloader unlocked, which also disables Verified Boot. Verified Boot is essential for Android security.

You can read a more detailed explanation here about common bad security practices on Android.

Desktop Operating Systems

Desktop operating systems were not designed with security in mind, and they are usually more vulnerable than other operating systems.

Disk Encryption

Disk encryption, or data-at-rest encryption, is a preventive measure to protect your data if your device (hard drive, SSD, etc.) is no longer with you. Even if you format your drive before giving it to someone else, the data is still recoverable from an unencrypted drive.

Secure boot

Secure Boot and TPM are technologies that allow you to mitigate Evil Maid Attacks.

Secure Boot and TPM are only effective if you protect the BIOS/UEFI settings with a password. Otherwise, an attacker can just disable them.

If you use a modern Apple desktop device, you can read this article and skip the rest of this section: https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web

Note for Apple users: If you set a firmware password for your Mac device (Macbook, Mac Mini, etc), please remember to remove that password if you are not going to use that device anymore. We already have enough e-waste.

OS Specific recommendations

App Sandboxing

App sandboxing is a security feature that provides an isolated runtime environment, limiting which resources of your system the program can access.

Android and iOS have sandboxing features by default for every app that you install. Desktop operating systems are lacking in this regard.

Pirating software

Whether you consider piracy morally correct or wrong (which is an entirely separate debate), there’s always a risk when you pirate a specific piece of software or media. Not only do you have to trust the authors of that software, you also have to trust the hacker (or hacker group) who tampered with the executable to bypass the DRM.

There are many examples of this, but the most recent and most popular one is the case of TLauncher, a third-party Minecraft launcher that allows you to play Java Minecraft for free. It was discovered that this launcher contains very sneaky malware.

Remember, this can happen with any software downloaded from an untrusted source, but this is more common with pirated software. For example, when you pirate a videogame, a Photoshop license, an Office license, etc.

At first, nothing appears to happen when you “crack” a piece of software, and you may think that nothing wrong is going on with your PC, but it’s probably running malware in the background. Your antivirus may also be unable to detect it: some malware is designed to evade antivirus software, and these “cracks” usually require you to execute them as Administrator. If a piece of malware is running as admin, it is able to do anything to the system, like disabling your antivirus.

If for some reason you want to run pirated software and reduce the risk of doing so, you can do it inside of a virtual machine, although this is obviously less convenient.

Windows specific

Linux (desktop) specific

Some security researchers don’t consider Linux on the desktop to be secure. The technical reasons why are explained here.

There are some things that you can do to improve the security of your Linux installation:

Electron Apps

Electron isn’t inherently insecure. In fact, Electron has sandboxing features.

However, if you run an Electron app instead of the web equivalent, you are running that software with higher privileges on your system. For example, an Electron app is able to read your whole home folder (if not properly sandboxed with another tool), and even use zero-day exploits to escalate privileges, such as Pwnkit (note: Pwnkit has already been patched; the point is to reduce the possibility of privilege escalation).

On the other hand, the web equivalent is sandboxed within the browser’s environment, so it is a bit more secure than the Electron equivalent.

Also, many developers don’t regularly update the Electron version of their apps, so many Electron apps are using an old version of Chromium and Electron that doesn’t have the latest security patches.

For example, at the time of writing this article, Discord uses Chromium version 91, and Electron version 13. Whereas the latest stable Chromium version is 110, and the latest stable Electron release is 23. You can prove this by yourself with the Electron apps that you use with this method:

$ strings Discord | grep '^Chrome/[0-9.]* Electron/[0-9]'
> Chrome/91.0.4472.164 Electron/13.6.6
$ strings slack | grep '^Chrome/[0-9.]* Electron/[0-9]'
> Chrome/106.0.5249.168 Electron/21.2.2

Slack does a better job at keeping the Chromium and Electron engine up to date, but other apps such as Discord still fall behind. Still, if you run these apps in your browser, you don’t have to wait for the developers to update Chromium/Chrome, as you can update the browser yourself, and as mentioned, the web version doesn’t have as many privileges on your system as the Electron equivalent.
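The same check as the strings | grep command above, as an added example (not code from the original article): it scans a binary for the embedded Chrome/Electron banner and reports how many major versions behind the reference releases it is. The reference majors (110 and 23) are the ones quoted in this article and are assumed to be updated before use; the sample "binaries" are constructed inline.

```python
import re

# Added example (not from the original article): scan an Electron app's binary
# for the "Chrome/<ver> Electron/<ver>" banner that `strings | grep` matches,
# and report how many major versions behind the reference releases it is.

ENGINE_RE = re.compile(rb"Chrome/(\d+)\.[0-9.]+ Electron/(\d+)\.[0-9.]+")

# Latest stable majors quoted in this article at the time of writing
# (assumption: update these to the current releases before relying on them).
LATEST = {"chrome": 110, "electron": 23}


def find_engine_versions(data: bytes):
    """Return {'chrome': major, 'electron': major} from the first banner in data, else None."""
    match = ENGINE_RE.search(data)
    if match is None:
        return None
    return {"chrome": int(match.group(1)), "electron": int(match.group(2))}


def majors_behind(found: dict, latest: dict = LATEST) -> dict:
    """Difference in major versions between the bundled engine and the reference."""
    return {name: latest[name] - found[name] for name in latest}


def audit_binary(path: str, chunk_size: int = 1 << 20):
    """Scan a (possibly very large) file in chunks, keeping a short overlap so a
    banner split across a chunk boundary is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None
            found = find_engine_versions(tail + chunk)
            if found is not None:
                return found
            tail = chunk[-64:]


# Constructed stand-ins for app binaries, carrying the banners shown above.
SAMPLE_DISCORD = b"\x7fELF\x00\x01junk\x00Chrome/91.0.4472.164 Electron/13.6.6\x00more\x00"
SAMPLE_SLACK = b"\x7fELF\x00\x01junk\x00Chrome/106.0.5249.168 Electron/21.2.2\x00more\x00"

if __name__ == "__main__":
    for name, blob in (("Discord", SAMPLE_DISCORD), ("slack", SAMPLE_SLACK)):
        found = find_engine_versions(blob)
        print(name, found, "behind by", majors_behind(found))
```

Run audit_binary on the real executable (for example the Discord or slack binary from the session above) to get the same result for an installed app.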

Some examples of Electron apps that can be used within a web browser are Slack, Discord, Figma, Notion, Whatsapp Web, Zoom, and many others.

Cloud Storage

Cloud services are very convenient, but they can be susceptible to security incidents. You have to trust your cloud provider with the security of your files. If you want to upload to the cloud and you don’t want the file to be readable by your cloud provider (or a potential attacker), encrypt your files with a randomly generated password before uploading them. You can use AES-256, ChaCha20, or the encryption method of your preference. On Unix-like systems, you can run this command to encrypt a file with AES-256:

gpg --symmetric --no-symkey-cache --cipher-algo AES256 your-file

Memory Safety

Most of the security flaws come from memory safety issues, not just with Chromium, but with all kinds of other programs as well.

If you can, use programs that were written in memory safe languages, such as Rust.

If you are a software developer yourself, consider using Rust for writing your programs. But if you can’t, or you don’t want to, consider learning about Rust’s memory safety features and try to implement them in your programming language of preference.

Rust has a lot of features that prevent you from introducing bugs related to memory safety or mutability, such as the concept of Ownership and Borrowing, Lifetimes, no garbage collector, etc.

For example, the “null” value doesn’t exist in Rust; an enum (Option) has to be used instead, forcing the developer to always handle the case where there’s no value.

Another example is that Rust has the concept of ownership and borrowing. You have to explicitly specify whether a variable or parameter is mutable, and there are rules on how you are allowed to mutate values. This is usually optional in other programming languages (JavaScript, Python, etc.).

You can use some tools (linters, code smells, etc) with other languages to mitigate some of these issues, but Rust is built with safety in mind from the ground up.

Note: There are all kinds of security flaws that can happen with any programming language, even with Rust. This section is about memory safety specifically.

General recommendations for developers