
A Strong Foundation: Securing Accounts and Devices

Secure Devices

In addition to accounts, it is essential to keep all devices – computers, phones, USBs, external hard drives, etc. – well protected. Such protection starts with being careful about what type of devices your organization and staff purchase and use. Any vendors or manufacturers that you select should have a demonstrated track record of adhering to global standards for the secure development of hardware devices (like phones and computers). Any devices you procure should be manufactured by trusted companies that do not have an incentive to hand over data and information to a potential adversary. It is important to note that the Chinese government requires Chinese companies to provide data to the central government. So despite the ubiquity and low cost of smartphones from Huawei or ZTE, they should be avoided. Although the cost of cheap hardware can be very attractive to an organization, the potential security risks for political parties should steer you towards other device options, as this access to data has helped facilitate the Chinese government’s and other governments’ targeting of a variety of political actors and institutions.

Your adversaries can compromise the security of your devices - and everything you do from those devices - by gaining either physical access or “remote” access to your device.

Device Security and Political Parties


In addition to facing financially motivated ransomware attacks, political parties are frequent targets of sophisticated malware developed specifically to target their devices. In Uganda, for example, the government collaborated with Huawei technicians to surveil opposition political parties and opponents, including the leading opposition candidate Bobi Wine, in an effort to steal party communications and disrupt campaign efforts. After several unsuccessful attempts, authorities turned to the technicians to help infect opposition party members’ devices with spyware. In just two days they were able to penetrate key WhatsApp chat groups and access sensitive communications. Such access enabled authorities to locate and shut down the opposition party’s planned street rallies and arrest Wine along with dozens of his supporters.

Physical device access through loss or theft

To prevent physical compromise, it is essential to keep your devices physically secure. In short, do not make it easy for an adversary to steal or even temporarily take your device from you. Keep devices locked away if left at home or in an office. Or if you think it is safer, keep them on your person. This of course means that part of device security is the physical security of your work spaces (whether in an office setting or at home). You may need to install strong locks, security cameras, or other monitoring systems - especially if your organization is at high risk. Remind staff to treat devices the same way they would treat a large stack of cash - do not leave them lying around unattended or unprotected.

What if a device is stolen?

To limit the impact if someone does manage to steal a device – or even if they just gain access to it for a short period of time – be sure to mandate the use of strong passwords or passcodes on everyone’s computers and phones. The same password tips from the Passwords section of this Handbook apply to a good password for a computer or laptop. When it comes to locking your phone, use codes that are at least six to eight digits, and avoid using “swipe patterns” to unlock the screen. For additional tips on screen locks, check out Tactical Tech’s Data Detox Kit. Using good device passwords makes it much harder for an adversary to quickly access information on your device in the case of theft or confiscation.

If any devices issued by the organization have a "Find my Device" feature, such as iPhone’s Find My iPhone and Android’s Find My Device, consider requiring staff to activate it. Encourage staff to use these features on personal devices as well. With these features turned on, the device owner (or a trusted contact) can locate the device or remotely wipe its contents should it be stolen, lost, or confiscated. For iPhones, you can also configure the device to auto-wipe after several failed login attempts. Such device management features become critically important for an organization when a device with sensitive information is lost or gets into the wrong hands.

What about device encryption?

It is important to use encryption (scrambling data so that it is unreadable and unusable without the key) on all devices, especially computers and smartphones. You should set up all devices across your organization with something called full-disk encryption if possible. Full-disk encryption means that the entirety of a device’s storage is encrypted, so that an adversary who physically steals it would be unable to extract the device’s contents without knowing the password or key you used to encrypt it.

Many modern smartphones and computers offer full-disk encryption. Apple devices like iPhones and iPads, quite conveniently, turn on full-disk encryption when you set a normal device passcode. Apple computers using macOS provide a feature called FileVault that you can turn on for full-disk encryption.

Windows computers running Pro, Enterprise, or Education licenses offer a feature called BitLocker that you can turn on for full-disk encryption. You can turn on BitLocker by following these instructions from Microsoft; your organization’s administrator may have to enable it first. If staff only have a Home license for their Windows computers, BitLocker is not available. However, they can still turn on full-disk encryption by going to ‘Update & Security’ > ‘Device encryption’ under the Windows OS settings.

Android devices running version 9.0 or later ship with file-based encryption turned on by default. Android’s file-based encryption operates differently from full-disk encryption but still provides strong security. If you are using a relatively new Android phone and have set a passcode, file-based encryption should be enabled. However, it is a good idea to check your settings just to make sure, especially if your phone is more than a couple of years old. To check, go to Settings > Security on your Android device. Within the security settings you should see a subsection for “encryption” or “encryption and credentials”, which will indicate whether your phone is encrypted and, if not, allow you to turn encryption on.

For computers (whether Windows or Mac), it is particularly important to store any encryption keys (referred to as recovery keys) in a safe place. These “recovery keys” are in most cases essentially long passwords or passphrases. In case you forget your normal device password or something unexpected happens (such as device failure), recovery keys are the only way to recover your encrypted data and, if necessary, move it to a new device. So when turning on full-disk encryption, be sure to save these keys or passwords in a safe place, like a secured cloud account or your organization’s password manager.

Remote device access – also known as hacking

In addition to keeping devices physically secure, it is important to keep them free from malware. Tactical Tech’s Security-in-a-Box gives a helpful description of what malware is and why it is important to avoid, which is adapted slightly in the rest of this section.

Understanding and avoiding malware

There are many ways to classify malware (a term meaning malicious software). Viruses, spyware, worms, trojans, rootkits, ransomware and cryptojackers are all types of malware. Some types of malware spread over the internet through email, text messages, malicious web pages, and other means. Some spread through devices like USB memory sticks that are used to exchange and steal data. And, while some malware requires an unsuspecting target to make a mistake, other types can silently infect vulnerable systems without you doing anything wrong at all.

In addition to general malware (which is released widely and aimed at the general public), targeted malware is typically used to interfere with or spy on a particular individual, organization, or network. Regular criminals use these techniques, but so do military and intelligence services, terrorists, online harassers, abusive spouses, and shady political actors.

Whatever they are called, however they are distributed, malware can ruin computers, steal and destroy data, bankrupt organizations, invade privacy, and put users at risk. In short, malware is really dangerous. However, there are some simple steps that your organization can take to protect itself against this common threat.

Will an anti-malware tool protect us?

Anti-malware tools are unfortunately not a complete solution. But it is a very good idea to use some basic, free tools as a baseline. Malware changes so quickly, and new threats appear so often, that no such tool can be your only defense.

If you are using Windows you should have a look at the built-in Windows Defender. Macs and Linux computers do not come with built-in anti-malware software, nor do Android and iOS devices. You can install a reputable, free-to-use tool like Bitdefender or Malwarebytes for those devices (and Windows computers as well). But do not rely on that as your only line of defense, as such tools will certainly miss some of the most targeted, dangerous new attacks.

Also be very careful to only download reputable anti-malware or anti-virus tools from legitimate sources (such as the websites linked above). Unfortunately, many fake or compromised versions of anti-malware tools exist that do much more harm than good.

To the extent that you do use Bitdefender or another anti-malware tool across your organization, be sure not to run two of them at the same time. Many of them will identify the behaviour of another anti-malware program as suspicious and stop it from running, leaving both malfunctioning. Bitdefender and other reputable anti-malware programs can be updated for free, and the built-in Windows Defender receives updates along with your computer. Ensure that your anti-malware software updates itself regularly (some trial versions of commercial software that ship with a computer are disabled after the trial period expires, leaving them more dangerous than helpful). New malware is written and distributed every day, and your computer will quickly become even more vulnerable if you do not keep up with new malware definitions and anti-malware techniques. If possible, you should configure your software to install updates automatically. If your anti-malware tool has an optional "always on" feature, you should enable it, and consider occasionally scanning all of the files on your computer.

Keep devices up-to-date

Updates are essential. Use the latest version of whatever operating system runs on a device (Windows, Mac, Android, iOS, etc.), and keep that operating system up-to-date. Keep other software, your browser, and any browser plugins up-to-date as well. Install updates as soon as they become available, ideally by turning on automatic updates. The more up-to-date a device’s operating system, the fewer vulnerabilities you have. Think of updates kind of like putting a band-aid on an open cut: each one seals up a vulnerability and greatly reduces the chance that you will get infected. Also uninstall software that you no longer use. Outdated software often has security issues, and you may have installed a tool that is no longer being updated by the developer, leaving it more vulnerable to hackers.

Malware in the Real World: Updates are Essential


In 2017, the WannaCry ransomware attacks infected millions of devices around the world, shutting down hospitals, government entities, large and small organizations and businesses in dozens of countries. Why was the attack so effective? Because of out-of-date, “unpatched” Windows operating systems, many of which were initially pirated. Much of the damage – human and financial – could have been avoided with better automated updating practices and the use of legitimate operating systems.

Be careful about USBs

Be cautious when opening files that are sent to you as attachments, through download links, or by any other means. Also think twice before inserting removable media like USB sticks, flash memory cards, DVDs and CDs into your computer, as they can be a vector for malware. USBs that have been shared for a while are very likely to have viruses on them. For alternative options to share files securely across your organization, take a look at the file sharing section of the Handbook.

Be cautious as well about what other devices you connect to through Bluetooth. It is fine to sync up your phone or computer to a known and trusted Bluetooth speaker to play your favorite music, but be careful about linking to or accepting requests from any devices that you do not recognize. Only allow connections to trusted devices and remember to turn off Bluetooth when it is not in use.

Be smart while browsing

Never accept and run applications that come from websites you do not know and trust. Rather than accepting an "update" offered in a pop-up browser window, for example, check for updates on the relevant application's official website. As discussed in the phishing section of the Handbook, it is essential to stay alert when browsing websites. Check the destination of a link (by hovering over it) before you click, and glance at the website address after you follow a link and make sure it looks appropriate before entering sensitive information like your password. Do not click through error messages or warnings, and watch for browser windows that appear automatically and read them carefully instead of just clicking Yes or OK.

What about smartphones?

As with computers, keep your phone’s operating system and applications up to date, and turn on automatic updates. Install apps only from official or trusted sources like Google's Play Store and Apple's App Store (or F-Droid, a free, open-source app store for Android). Apps can have malware inserted into them and still appear to work normally, so you will not always know if one is malicious. Be sure that you are downloading the legitimate version of an app as well. Especially on Android, “fake” versions of popular applications exist. So be sure an app is created by the proper company or developer, has good reviews, and has the expected number of downloads (for example, a fake version of WhatsApp might only have a few thousand downloads, but the real version has over 5 billion). Pay attention to the permissions that your apps request. If they seem excessive (like a calculator requiring access to your camera or Angry Birds asking for access to your location, for example), deny the request or uninstall the app. Uninstalling apps that you no longer use can also help protect your smartphone or tablet. Developers sometimes sell ownership of their apps to other people, and these new owners may try to make money by adding malicious code.

Malware in the Real World: Malicious Mobile Apps


Hackers in multiple countries have been using fake applications in the Google Play store to distribute malware for years. One particular case targeted at users in Vietnam came to light in April 2020. This spying campaign used fake applications, which supposedly helped users find nearby pubs or look up information about local churches. Once installed by unwitting Android users, the malicious applications collected call logs, location data, and information about contacts and text messages. This is just one of many reasons to be careful about what apps you download to your devices.

Save money and increase device security with Tails for your Organization

One very secure option which requires a bit of technical skill to set up is the Tails operating system. This portable operating system is free to use and you can boot it up straight from a USB, bypassing the need to rely on licensed Windows or Mac operating systems. Tails is also a good option for those at extremely high risk, as it incorporates a wide range of privacy-enhancing features. These features include the integration of Tor (discussed below) to secure your web traffic, and the complete erasure of memory every time you shut down the operating system. These features essentially allow you to start with a clean slate each time you restart your computer. Tails also has a “persistence mode”, which allows you to save important files and settings across multiple sessions if desired.

Another option for a free, secure operating system is Qubes OS. While not the simplest option for non-technical users, Qubes is designed to limit the threat of malware and is another option to consider for more advanced and high-risk users in your organization, especially if licensing costs are a challenge.

What if we cannot afford legal software?

It can be expensive to purchase licensed versions of popular software like Microsoft Office (Word, PowerPoint, Excel) for your entire organization, but a limited budget is not an excuse to download pirated versions of software or fail to keep them up-to-date. This is not a matter of morality – it is a matter of security. Pirated software is frequently filled with malware, and often cannot be patched for security holes.

If you cannot afford the software your organization needs, there is a wide range of great free, open source software like LibreOffice (a replacement for the standard Microsoft Office apps) or GIMP (a replacement for Photoshop) that can serve your needs.

Even if you can afford legitimate software and apps, your device is still at risk if the underlying operating system is not legitimate. So if your organization cannot afford Windows licenses, consider cheaper alternatives like Chromebooks, which are a great, easy-to-secure option if your organization works mostly in the cloud. If you are using Google Docs or Microsoft 365, you do not need many desktop applications at all - the free in-browser document and spreadsheet editors are more than enough for almost any use.

Another option, if you have staff with the technical skills, is to install a free Linux-based operating system (an open source alternative to Windows and Mac operating systems) on each computer. One popular, fairly user-friendly Linux option is Ubuntu. Regardless of what operating system you choose, make sure that someone in the organization is responsible for regularly checking in with staff to ensure they have applied the latest updates.

Keeping Devices Secure

  • Train staff on the risks of malware and the best practices to avoid it.
    • Provide policies about connecting external devices, clicking on links, downloading files and apps, and checking software and app permissions.
  • Mandate that devices, software, and applications are kept fully updated.
    • Turn on automatic updates where possible.
  • Ensure all devices are using licensed software.
    • If the cost is prohibitive, switch to a no-cost alternative.
  • Require password protection of all organizational devices, including personal mobile devices which are used for work-related communications.
  • Enable full-disk encryption on devices.
  • Frequently remind staff to keep their devices physically secure - and manage your office security with appropriate locks and ways to secure computers.
  • Do not share files using USBs or plug USBs into your computers.
    • Use alternative secure file sharing options instead.
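A technically capable staff member can verify several of the checklist items above on a Windows computer with the following audit script. It is an added example, not part of the Handbook, and assumes PowerShell 5.1 or later run as administrator; the 7-day signature-age limit is this example's own threshold.

```powershell
# Added audit script (not from the Handbook). Run in an elevated PowerShell session
# on the Windows computer being checked. It verifies: system-drive encryption
# (BitLocker, or Home-edition "Device encryption" via its WMI class), a recovery-key
# protector, Windows Defender being enabled, "always on" and recently updated, and
# automatic updates not being disabled. The 7-day signature-age limit is an assumption.

function Test-DeviceSecurity {
    $results = [ordered]@{}
    $systemDrive = $env:SystemDrive   # normally "C:"

    # 1. Full-disk encryption. Get-BitLockerVolume exists only where the BitLocker
    #    module is installed (Pro/Enterprise/Education). On Home, "Device encryption"
    #    still populates Win32_EncryptableVolume (ProtectionStatus 1 = protected).
    try {
        $vol = Get-BitLockerVolume -MountPoint $systemDrive -ErrorAction Stop
        $encrypted = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
        $hasRecoveryKey = [bool]($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
    } catch {
        $wmi = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                   -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue |
               Where-Object { $_.DriveLetter -eq $systemDrive }
        $encrypted = ($null -ne $wmi) -and ($wmi.ProtectionStatus -eq 1)
        $hasRecoveryKey = $null   # not determined on this fallback path
    }
    $results['SystemDriveEncrypted'] = [bool]$encrypted
    $results['RecoveryKeyProtector'] = $hasRecoveryKey

    # 2. Anti-malware: built-in Defender enabled, real-time protection on, fresh signatures.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results['DefenderEnabled']    = [bool]($mp -and $mp.AntivirusEnabled)
    $results['RealTimeProtection'] = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    $sigAgeDays = if ($mp) { ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays } else { [double]::PositiveInfinity }
    $results['SignaturesUnder7Days'] = ($sigAgeDays -le 7)

    # 3. Updates: the Windows Update service must not be disabled, and no policy
    #    may have switched automatic updates off (NoAutoUpdate = 1).
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $results['UpdateServiceEnabled'] = [bool]($wu -and $wu.StartType -ne 'Disabled')
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $results['AutoUpdatesNotDisabled'] = ($noAuto -ne 1)

    # 4. Which Windows this is (Home editions cannot manage BitLocker themselves).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['OS'] = "$($os.Caption) build $($os.BuildNumber)"

    # Print one PASS/FAIL/INFO line per item, then return the table for further use.
    foreach ($name in $results.Keys) {
        $value = $results[$name]
        $tag = if ($value -is [bool]) { if ($value) { 'PASS' } else { 'FAIL' } } else { 'INFO' }
        Write-Host ("{0,-24} {1,-5} {2}" -f $name, $tag, $value)
    }
    return $results
}

Test-DeviceSecurity | Out-Null
```

A FAIL on SystemDriveEncrypted or RecoveryKeyProtector means the encryption steps in the "What about device encryption?" section have not been completed on that machine, and the recovery key should be saved in the organization's password manager before the device is considered compliant.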