Basic security precautions for non-profits and journalists in the United States, mid-2017.
Don't:
- Don't send any sensitive information by email.
- Don't store sensitive information in cloud services like Evernote or Dropbox.
- Don't use your fingerprint to lock/unlock devices.
- Don't back up mobile messages to the cloud/iCloud/Google Drive.
- Don't use your phone number for password recovery.
- Don't use an Android phone, use an iPhone instead.
- Don't take the devices you work on across the US border.
- Don't plug your device directly into an unknown port (such as an airport charger) without the safeguards outlined below.
Do:
- Use a long passphrase to lock your devices.
- Make sure you apply all software updates. Turn on auto-updates where possible.
- Use an iPhone SE, 6, or 7. Don't use an Android phone.
- Set a passcode for your phone at least six digits long, or use a hard-to-guess passphrase.
- Use Gmail, with a physical security key on your laptop and Google Authenticator on your phone.
- Here are instructions for adding a security key to Gmail.
- Use a password manager and have it generate random passwords for every site you use. A good password manager is 1password.
- Turn on two-factor authentication on Twitter, Facebook, GitHub and anywhere else that supports it. Don't use SMS to your phone number as the second factor.
- Use Signal or WhatsApp on your phone to communicate with other people, rather than SMS or iMessage.
- Follow this guide to secure your WhatsApp settings.
- Follow this guide to secure your Signal settings.
- Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a bluetooth keyboard for easier typing.
- Consider using a Chromebook. Chromebooks are a secure option, especially for opening attachments: open them there rather than on your main laptop.
- If you have a Windows laptop, uninstall any antivirus products except for Windows Defender (from Microsoft).
- Use Chrome as your browser. Avoid installing spurious, unknown or unnecessary extensions.
- Do install HTTPS Everywhere.
- Do install uBlock Origin.
- Turn on full-disk encryption on all devices.
When Traveling:
- Don't take devices across the US border. Have a dedicated laptop and phone for travel abroad, don't keep sensitive information on them, and don't use them anywhere else.
- Never plug your device into an unknown port. Never plug an unknown device into your computer or mobile device. Carry a "USB data blocker" (either a whole charge-only cable or an adapter that sits between your cable and the port) to charge at airport or hotel chargers.
- If you believe your hotel room is monitored, work under the covers on the bed. It is less conspicuous, and prevents video surveillance of what you’re typing and viewing.
- Don’t use hotel phones for calls to sources. Assume that anything you say inside a hotel room may be recorded.
- Don’t leave your phone or laptop unattended; always carry them with you.
Last updated: May 5, 2017