cytr.io

Information Security Configuration Recommendations

For less tech-savvy users, it can be hard to know where to start to get a good security baseline set for your devices. These guides are an attempt to cover the basics for all the major platforms without getting too deep into the weeds of the technical jargon.

Some of the jargon is defined here

These guides are not meant to be complete, but a start to implementing stronger security for your devices. The recommendations will change over time, and without updates, will become stale. Please file PRs as needed. GitHub Link

Why should I trust you?

That’s a good start. You shouldn’t trust these guides alone: do your own research, but make sure it’s from knowledgeable sources. Random internet guides are not always deeply knowledgeable about modern attacks or up to date. The authors of these guides have worked in the infosec community for over a decade in various roles, from defensive security to offensive security, and have tried to distill the highest-value recommendations.

Security Recommendations by Platform

No matter which platform you use, keep your devices backed up in a secure fashion so others can’t access the data, and be aware of how to wipe your device if you are concerned for your safety or the safety of others if the data on the device were to be exposed.

Mobile

iOS Android

Desktop

macOS Windows

Communication Privacy

Privacy includes not just data encryption, but also anonymity: who you are, who you are communicating with, and when. We recommend both Signal and Wickr (comparison below). There may be others that work well, but we haven’t tested or evaluated them. See below for why you should stick to these apps. They both support all the major platforms.

What NOT to use:

Signal vs Wickr Comparison

Signal and Wickr are both designed from the ground up with security in mind, and therefore we can recommend using either of these apps. They both come with caveats for using them more securely; here we will discuss some of these.

Configuration Recommendations and Features to be Aware of

Internet Privacy

We often think of privacy in terms of advertisers knowing too much about us, but the reality is that some governments monitor the internet traffic of their citizens to look for dissident opinions for persecution. This is a much more serious risk model and requires more careful attention to online behavior. This is a highly complex topic, so let’s discuss the basics and, for the moment, ignore the attacks that make even the basics very complex.

What you need to be aware of is the difference between encrypted and unencrypted communications. Modern secure encryption is far too time-consuming to break for low-priority targets like dissidents, so what we need to look out for first is the unencrypted communications.

Google’s transparency report outlines the trend in websites supporting and enforcing secure web browsing, often denoted by the “https” in your browser’s address bar. The summary is that most websites support or enforce secure communications at this point. There are also features in modern browsers to force the remaining traffic to use encryption even if the upstream host does not support it (this has its own security ramifications as well).

Most other web traffic is already secured by Transport Layer Security (TLS). One of the last internet-critical protocols to gain this support is DNS, which now supports DNS over TLS and DNS over HTTPS, referred to as DoT and DoH respectively.

There are a few ways to secure these last few protocols and websites:

Password Management

One of the most common attack methods relies on users reusing their passwords.

Let’s say your BookFace password is “Siegfried1999!” If there is a BookFace breach that leaks your email address and password, attackers will re-use this information on every other web service available. If you have ever reused it on another site, like LankedOn, your account would be compromised.

Password managers create and store unique passwords for every service, so not only are they harder to guess, but they are also never reused.

Even with the length and complexity of the above password, it’s honestly a pretty easy-to-brute-force password, being a word (or proper noun), a year, and a symbol. This is one of the most common password formulas we see, and it is well known by attackers.
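To put rough numbers on that claim, here is an added example (not part of the original guide) that compares how strong “Siegfried1999!” looks to a simple strength meter with how strong it is once the word + year + symbol formula is assumed. The dictionary size, case variants and year window are assumptions chosen for illustration, and the second sample password is constructed.

```python
import math
import re
import string

# Assumed attacker parameters (illustrative values, not from the guide).
WORDLIST_SIZE = 100_000   # words and proper nouns in a cracking dictionary
CASE_VARIANTS = 3         # lower, Capitalised, UPPER
YEARS = 100               # four-digit years in a 100-year window
SYMBOLS = len(string.punctuation)  # 32 ASCII symbols

# letters, then a year starting 19 or 20, then exactly one symbol
FORMULA = re.compile(r"^[A-Za-z]+(19|20)\d{2}[^A-Za-z0-9\s]$")


def naive_bits(password: str) -> float:
    """Strength if every character were picked at random from the
    character classes present (what a simple strength meter assumes)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += SYMBOLS
    return len(password) * math.log2(pool) if pool else 0.0


def formula_bits(password: str):
    """Strength once the word + year + symbol formula is assumed.
    Returns None when the password does not fit the formula."""
    if not FORMULA.match(password):
        return None
    return math.log2(WORDLIST_SIZE * CASE_VARIANTS * YEARS * SYMBOLS)


if __name__ == "__main__":
    # First value is the guide's example; second is a constructed random one.
    for pw in ("Siegfried1999!", "k7#Vq9!xTz2@Lm"):
        fb = formula_bits(pw)
        shown = "does not fit formula" if fb is None else f"{fb:.1f} bits"
        print(f"{pw}: naive {naive_bits(pw):.1f} bits, as formula: {shown}")
```

Under these assumptions the guide's example falls from roughly 92 bits to roughly 30 bits, while a random 14-character password of the kind a password manager generates keeps its full strength because it fits no formula.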

Use a password manager, and protect the data and the datastore as well as the devices you use it on.

Password Managers:

Account Security