Secure your devices: Difference between revisions
→Disable features that create vulnerabilities: added link to black top presentation |
|||
(15 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Keep your device or operating system up-to-date with software updates == | |||
When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan. (Source: [https://ssd.eff.org/module/choosing-your-tools Electronic Frontier SSD]) | |||
= | === Free, open source operating systems === | ||
If you cannot afford to purchase a licensed Windows or Mac operating system, you can use a free and open source operating system, such as: | |||
'''[https://www.linuxmint.com/ Linux Mint]''' is an operating system for desktop and laptop computers. It is designed to work 'out of the box' and comes fully equipped with the apps most people need. Linux Mint works on most computers. It can also be run from a live USB stick to make sure everything works fine without having to install anything. | |||
[https://tails.net/ '''Tails'''] is a portable operating system that protects against surveillance and censorship. To use Tails, shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. You can temporarily turn your own computer into a secure machine. You can also '''.''' You can also stay safe while using the computer of somebody else'''.''' Tails is a 1.4 GB download and takes ½ hour to install. Tails can be installed on any USB stick of 8 GB minimum. Tails works on most computers less than 10 years old. You can start again on the other operating system after you s t down Tails. You don't have to worry about the computer having viruses because Tails runs independently from the other operating system and never uses the hard disk. But, Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious hardware, like keyloggers. | |||
== Use antivirus or anti-malware == | == Use antivirus or anti-malware == | ||
=== Advice === | === Advice === | ||
1. Know how to check if your antivirus or anti-malware app is working and updating itself. | 1. Know how to check if your antivirus or anti-malware app is working and updating itself. | ||
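Review bot: The added Tails paragraph contains an empty sentence, "You can also '''.'''", and a broken verb in "after you s t down Tails". Drop the empty fragment, remove the bold markup wrapped around the period after "somebody else", and restore "shut down" so the paragraph reads cleanly once saved.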
Line 14: | Line 17: | ||
3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other. | 3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other. | ||
[https://freedom.press/training/blog/what-about-antivirus/ What about antivirus?] Article by David Huerta (2020) of the Freedom of the Press Foundation Here's a good article | |||
Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?" | |||
=== Antivirus software options === | === Antivirus software options === | ||
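Review bot: The added reference line runs the attribution straight into "Here's a good article" with no punctuation, so the remark reads as part of the publisher's name. Move the remark in front of the link or drop it, and end the attribution with a period so the "Excerpt:" line that follows stands as a separate quotation.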
Line 24: | Line 30: | ||
Software available on multiple operating systems that offer free versions: | Software available on multiple operating systems that offer free versions: | ||
* [https://www.bitdefender.com BitDefender] (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers. | |||
* [https://www.malwarebytes.com/ Malwarebytes] (Android, iOS, Mac, Windows). Malwarebytes full version is free for 2 week, but you can manually scan your device without time limits. | |||
* [https://www.avast.com/ Avast antivirus] (Android, iOS, Mac, Windows) | |||
Not recommended: | |||
* [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows) | * [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows) | ||
* [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows) | * [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows) | ||
From the community: AVG, Avira were found to be running mining operations on consumers PC and they don't offer proper protection. | |||
Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties. | Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties. | ||
== Full disk encryption == | |||
=== For computers === | |||
'''Apple''' provides a built-in, full-disk encryption feature on macOS called [[wikipedia:FileVault|FileVault]]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-iphone iPhone] (available in 10+ languages) | |||
'''Linux''' distributions usually offer full-disk encryption when you first set up your system. | |||
'''Windows Vista or later''' includes a full-disk encryption feature called [https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ BitLocker]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-windows-device Windows device] (available in 10+ languages) | |||
=== For smartphones and tablets === | |||
'''Apple''' devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode. | |||
'''Android''' offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices. | |||
=== Disk encryption vulnerabilities === | |||
There are some risks related to disk encryption that you need to consider before moving forward, and find ways to mitigate these risks: | |||
# Data is exposed as soon as it leaves the protected disk | |||
# Data is exposed in the clear if a user session is hijacked | |||
# Data is exposed if device credentials are compromised | |||
# All data is protected by a single key, which means that if you lose that one key, you lose access to the device | |||
== Disable features that create vulnerabilities (Lockdown Mode) == | |||
'''iPhone and Mac devices offers [https://support.apple.com/en-us/HT212650 Lockdown Mode]''' - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura." | |||
Lockdown Mode covers a lot of different scenarios and reduce attack surface for attacks: remove JIT from browser, disable a lot of webkit features, block calls from unknown contacts in iMessage, remove many file types in messages etc. You can read a [https://blacktop.github.io/presentations/0x41con_2023/HTML/index.html#0 2023 analysis presentation by Blacktop]. | |||
'''Android also offers a version of [https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/ Lockdown Mode]''' - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it." | |||
== Separate your phone number from your device == | |||
[https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ How to use signal without giving out your phone number] (article) - A step-by-step guide to protecting your private phone number while enjoying the security of encrypted texting app Signal. | |||
---- | ---- | ||
''Last updated | ''Last updated June 18, 2024'' | ||
Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' | Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' , [https://ssd.eff.org/ Electronic Frontier SSD], and discussions with human rights security practitioners.'' | ||
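Review bot: The added "From the community" line states that AVG and Avira "were found to be running mining operations" without any citation; add a reference for the claim or word it as unverified community feedback. In the same hunk, the FileVault line under "For computers" points its guide link at "How to encrypt your iPhone", which does not match the macOS feature the sentence describes, and "free for 2 week" needs the plural.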
Latest revision as of 19:43, 14 November 2024
Keep your device or operating system up-to-date with software updates
When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attackers can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 (El Capitan). (Source: Electronic Frontier SSD)
Free, open source operating systems
If you cannot afford to purchase a licensed Windows or Mac operating system, you can use a free and open source operating system, such as:
Linux Mint is an operating system for desktop and laptop computers. It is designed to work 'out of the box' and comes fully equipped with the apps most people need. Linux Mint works on most computers. It can also be run from a live USB stick to make sure everything works fine without having to install anything.
Tails is a portable operating system that protects against surveillance and censorship. To use Tails, shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. You can temporarily turn your own computer into a secure machine. You can also stay safe while using the computer of somebody else. Tails is a 1.4 GB download and takes ½ hour to install. Tails can be installed on any USB stick of 8 GB minimum. Tails works on most computers less than 10 years old. You can start again on the other operating system after you shut down Tails. You don't have to worry about the computer having viruses because Tails runs independently from the other operating system and never uses the hard disk. However, Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious hardware, like keyloggers.
Use antivirus or anti-malware
Advice
1. Know how to check if your antivirus or anti-malware app is working and updating itself.
2. Perform periodic manual scans.
3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.
A good article: What about antivirus? by David Huerta (2020) of the Freedom of the Press Foundation. Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?"
Antivirus software options
Windows: On Windows 10, Security in a Box recommends turning on Windows's own anti-malware protection, Windows Defender.
Linux: On Linux, you can manually scan your device for malware with ClamAV. Be aware that it is only a scanner and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware, and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (e.g. ESET NOD32).
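A manual ClamAV scan of the kind described above, together with a check that the signatures are still updating, as an added example that is not part of the original page. The variable names `SCANNER` and `CLAMAV_DB` belong to this example, and `/var/lib/clamav` is assumed as the signature directory (it varies between distributions).

```shell
#!/bin/sh
# Added example: on-demand ClamAV scan plus a signature-freshness check.
# SCANNER and CLAMAV_DB are names used by this example only; the database
# path below is a common Linux default and is an assumption (it varies).
SCANNER="${SCANNER:-clamscan}"
CLAMAV_DB="${CLAMAV_DB:-/var/lib/clamav}"

# sigs_fresh DIR [MAXDAYS]: succeed if DIR holds a daily signature file
# (daily.cvd or daily.cld) modified within the last MAXDAYS days.
sigs_fresh() {
    maxdays="${2:-7}"
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 1 -name 'daily.c?d' -mtime "-$maxdays" 2>/dev/null)" ]
}

# scan_path TARGET [LOGFILE]
# Returns clamscan's documented exit codes: 0 = nothing found,
# 1 = malware found, 2 = error (also used here for a missing tool or path).
scan_path() {
    target="$1"
    log="${2:-clamscan-$(date +%Y%m%d-%H%M%S).log}"
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "error: $SCANNER not found; install ClamAV first" >&2
        return 2
    fi
    if [ ! -e "$target" ]; then
        echo "error: no such path: $target" >&2
        return 2
    fi
    # Old signatures miss recent malware, so warn before scanning.
    sigs_fresh "$CLAMAV_DB" ||
        echo "warning: signatures in $CLAMAV_DB look stale; run freshclam" >&2
    # -r: recurse, -i: list only infected files, --log: keep a report.
    rc=0
    "$SCANNER" -r -i --log="$log" "$target" || rc=$?
    case "$rc" in
        0) echo "clean: no known malware found in $target" ;;
        1) echo "INFECTED: review $log and quarantine the listed files" ;;
        *) echo "error: scan failed (exit $rc), see $log" >&2; rc=2 ;;
    esac
    return "$rc"
}

# Usage: scan_path "$HOME/Downloads"
```

A result of 0 only means that no known signature matched, so it does not replace the real-time protection the paragraph says ClamAV lacks.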
Software available on multiple operating systems that offer free versions:
- BitDefender (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers.
- Malwarebytes (Android, iOS, Mac, Windows). The full version of Malwarebytes is free for 2 weeks, but you can manually scan your device without time limits.
- Avast antivirus (Android, iOS, Mac, Windows)
Not recommended:
- AVG antivirus (Android, iOS, Mac, Windows)
- Avira antivirus (Android, iOS, Mac, Windows)
From the community: AVG and Avira were found to be running mining operations on consumers' PCs, and they don't offer proper protection.
Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties.
Full disk encryption
For computers
Apple provides a built-in, full-disk encryption feature on macOS called FileVault. Guide: How to encrypt your iPhone (available in 10+ languages)
Linux distributions usually offer full-disk encryption when you first set up your system.
Windows Vista or later includes a full-disk encryption feature called BitLocker. Guide: How to encrypt your Windows device (available in 10+ languages)
For smartphones and tablets
Apple devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.
Android offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.
Disk encryption vulnerabilities
Before moving forward, consider the following risks related to disk encryption and find ways to mitigate them:
- Data is exposed as soon as it leaves the protected disk
- Data is exposed in the clear if a user session is hijacked
- Data is exposed if device credentials are compromised
- All data is protected by a single key, which means that if you lose that one key, you lose access to the device
Disable features that create vulnerabilities (Lockdown Mode)
iPhone and Mac devices offer Lockdown Mode - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura."
Lockdown Mode covers many different scenarios and reduces the attack surface: it removes JIT from the browser, disables many WebKit features, blocks calls from unknown contacts in iMessage, removes many file types in messages, etc. You can read a 2023 analysis presentation by Blacktop.
Android also offers a version of Lockdown Mode - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it."
Separate your phone number from your device
How to use Signal without giving out your phone number (article) - A step-by-step guide to protecting your private phone number while enjoying the security of the encrypted texting app Signal.
Last updated June 18, 2024
Source for this content: Security in a Box, Electronic Frontier SSD, and discussions with human rights security practitioners.