Sharing some process from IF

I saw this Tweet over the weekend, and it struck a chord with me. It’s something I’m very familiar with at IF: someone losing access to a service because they didn’t download their backup codes for 2FA. I don’t blame them — it’s often not clear that you need to download your backup codes. Setting up 2FA can be a technical exercise, and backup codes are the last part of that process, easy to miss.

[Screenshot: Sanjay’s tweets about 2FA]

Over the space of a year, and user testing with 10 people, my colleague Ian and I have gradually built up a set of step-by-step instructions for keeping yourself more secure and private on an Apple Mac or an iPhone (our tools of choice). Sanjay’s tweet made me think that it might be useful to share this list, so that others can use it.

This list was one of the first things I did when I set up IF, because I thought it was important that we practise what we preach. It’s gone through many iterations (we’ve learnt the hard way), and it’s now written into our staff handbook as a list of things we expect each new staff member to action within their first week.

A few caveats:

  • The sequence of these actions is important. Don’t try any of these steps before you’ve got a password storing system that works for you. However good you are at remembering things, it’s just too easy to forget a really important password. Don’t trust your memory!
  • This list is incomplete, and probably always will be. As an operating system gets updated, or your threat model changes, there will be other things you should do to secure yourself.
  • Some people say we shouldn’t be using Google Drive, or password managers, or Slack, or whatever else… This is not about creating the most perfectly secure list of actions for someone with a high threat model, this is about improving the baseline for a digital team.
  • This list is optimised for the threat models of the team at IF, using Apple Macs and iPhones.
  • There are other security to-do lists; check them out.

If you’ve got suggestions for improvements, or have a similar list you use that you’d like to share, please do.

How we set up things for new people at IF

Get a password manager

  1. Before you do anything else, get a password manager. Popular ones in the team are 1Password and LastPass.
  2. When you set your master password for your password manager, it might be helpful to think of it as a phrase so you can make the password longer without forgetting what it is.
  3. It is critical that you remember what this password is, so if you need to you can write it down and put it in a sealed envelope. We’ll lock it away for you so should you forget it, we’ll have your backup. After your probation period, if we’ve still got your backup and you’ve not needed it we may suggest that you dispose of the backup.
  4. You will need to update all your passwords once you have your password manager; that is something you can do gradually as you visit each website.

On your Mac

  1. Use a complicated and memorable passphrase to wake your computer (sometimes it can be useful to use a phrase or a sentence and change some of the characters).
  2. Use System Preferences > Mission Control > Hot Corners (or similar) to put your computer to sleep every time you walk away from your desk.
  3. Change your settings so your computer needs your password immediately after being reawakened. In macOS, go to System Preferences > Security & Privacy > General. Tick “Require password (…) after sleep or screen saver begins”, and choose “immediately” from the drop-down.

Go to System Preferences and…

  • Encrypt your hard drive, so if someone steals your computer they cannot access your files.
    1. Go to Security & Privacy > FileVault and turn FileVault on.
    2. Write your recovery code into your password manager.
  • Turn off Spotlight suggestions, so what you search isn’t sent to Apple.
    1. Go to Spotlight > Search Results and uncheck the boxes next to Spotlight Suggestions and Bing Web Suggestions.
  • Disable location services for any app that doesn’t need them.
    1. Go to Security & Privacy > Privacy and uncheck the relevant apps, e.g. Spotlight Suggestions.
  • Check the permissions for your other apps.
    1. Go to Security & Privacy > Privacy and make sure you’re happy with what each application has access to.
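Once the settings above have been clicked through, it is worth reading them back from the terminal to confirm they actually took effect. The script below is an added example for this post, not a script from IF’s handbook: `fdesetup status` is the standard FileVault status command, while the `com.apple.screensaver` keys `askForPassword` and `askForPasswordDelay` are assumed to be where the “require password after sleep” setting lived on macOS builds of that era (confirm with `defaults read com.apple.screensaver` on your version). The parsing functions are separated from the commands so they can be exercised with constructed output on any machine.

```python
import platform
import subprocess

# Added example, not IF's own tooling. Reads two of the settings from the
# list back from the command line so a new starter can check the GUI steps
# took effect. The defaults keys below are an assumption about where the
# "require password after sleep" setting is stored; verify on your build.


def run(cmd):
    """Return a command's stdout, or None if the tool is missing or fails."""
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() if result.returncode == 0 else None


def filevault_enabled(status_text):
    """Parse `fdesetup status` output: "FileVault is On." or "FileVault is Off."."""
    if not status_text:
        return False
    return status_text.splitlines()[0].strip().startswith("FileVault is On")


def password_required_immediately(ask_for_password, delay_seconds):
    """askForPassword == 1 and askForPasswordDelay == 0 is the "immediately" setting."""
    try:
        return int(ask_for_password) == 1 and int(delay_seconds) == 0
    except (TypeError, ValueError):
        return False  # key missing or unreadable: treat as not configured


def audit():
    """Run the live checks; every result is False on a non-Mac or when a tool is absent."""
    return {
        "FileVault is on": filevault_enabled(run(["fdesetup", "status"])),
        "Password required immediately after sleep": password_required_immediately(
            run(["defaults", "read", "com.apple.screensaver", "askForPassword"]),
            run(["defaults", "read", "com.apple.screensaver", "askForPasswordDelay"]),
        ),
    }


if __name__ == "__main__":
    if platform.system() != "Darwin":
        print("These checks only mean something on macOS.")
    for name, ok in audit().items():
        print(f"[{'OK' if ok else 'FIX'}] {name}")
```

A missing key or an absent tool is deliberately reported as “FIX” rather than skipped: a check that silently passes when it cannot read the setting is worse than none.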

On the internet

  1. Turn on two-factor authentication everywhere. This stops people from getting into your accounts if they know your password.
  2. You can sometimes choose between receiving texts or using an app to generate codes. The preferred method is through an app, because it’s possible to spoof or redirect a SIM card.
  3. Download a copy of the emergency codes in case you’re without your phone, and store these codes in your password manager.
  4. Turn on two-factor authentication for all software where it’s possible to do so.
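To make steps 2 and 3 concrete: an authenticator app holds a shared secret and derives each six-digit code from that secret and the current time (RFC 4226 HOTP and RFC 6238 TOTP), which is why it works with the phone offline and why nothing travels over the phone network to be redirected. Backup codes are separate, one-time random strings that the service stores hashed and crosses off on use, which is why the copy you download is the only copy you will ever get. The code below is an added example written for this post, not code from IF or from any password manager or authenticator vendor; the shared secret, the backup-code format and the SHA-256 storage scheme are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not part of IF's handbook: a minimal RFC 4226/6238 code
# generator plus a one-time backup-code store, to show how app-based codes
# and emergency codes relate. Formats and storage scheme are constructed.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (30 s steps)."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the current step or +/- `window` steps to tolerate clock skew.
    Comparison is constant-time so the check does not leak matching digits."""
    submitted = submitted.strip()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


def secret_for_authenticator_app(key: bytes) -> str:
    """Base32 form of the shared secret: what the enrolment QR code carries."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def _normalise(code: str) -> str:
    # Users retype backup codes from a password manager; tolerate case,
    # spaces and hyphens so a mis-typed separator does not burn a code.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str) -> str:
    # Codes carry 64 bits of randomness, so a plain SHA-256 (no slow KDF)
    # is enough to keep a stolen table from yielding usable codes.
    return hashlib.sha256(_normalise(code).encode("ascii")).hexdigest()


def issue_backup_codes(count: int = 10):
    """Return (plaintext codes shown to the user once, hashes the service keeps)."""
    plain = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    return plain, {_hash_code(c) for c in plain}


def redeem_backup_code(store: set, submitted: str) -> bool:
    """Each backup code works exactly once: its hash is removed on use."""
    digest = _hash_code(submitted)
    if digest in store:
        store.discard(digest)
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(20)
    print("Enrol your app with secret:", secret_for_authenticator_app(key))
    print("Code valid right now:", totp(key, time.time()))
    codes, store = issue_backup_codes()
    print("Backup codes (save these in your password manager):", codes)
```

The `verify_totp` window is the usual one-step tolerance; widening it makes a phished code usable for longer, so services keep it small. Note that the plaintext backup codes exist only in the return value of `issue_backup_codes`: once they are gone from the screen, the hash set cannot give them back, which is exactly the situation in the tweet that prompted this post.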

Go into the settings of your browser and…

  1. Set up do-not-track.
  2. Find the privacy settings and make sure you’re okay with what is selected.
  3. If you’d like to, use an ad-blocker like uBlock.
  4. Beware of HTTP sites; these are not encrypted.

Email

  • Set up PGP encryption. Use GPG tools with Apple Mail (it’s not perfect, but it’s workable).
    1. Install GPGTools and generate a key.
    2. Make sure you use a strong password, and put it immediately into your password manager.
    3. Set an expiry time of up to 3 months initially (this means your key will be removed from the key server after 3 months, which is a good safety net if you forget or lose your password or key for some reason).
    4. Generate a revocation certificate and put this in your password manager.
    5. Make a copy of your private key and put this in your password manager.
    6. Make a second backup of your revocation certificate and your private key, for instance on a private USB stick.
    7. Go to Apple Mail > Preferences > GPG Mail.
    8. Uncheck ‘Encrypt new messages by default’.
    9. Uncheck ‘Sign new messages by default’.
    10. Go to Apple Mail > Preferences > Accounts > Mailbox behaviours.
    11. For each of your accounts, uncheck ‘Store [draft] [sent] messages on the server’; this means that only your computer will have copies of these messages, not the server.

On your iPhone

  1. Use a passcode, and select a 6-digit passcode if possible.
  2. Make sure your phone locks when you turn off the screen.
  3. Check for updates and update your phone regularly, or make updates automatic.
  4. Go to Settings > Privacy > Location Services and make sure every app has appropriate location settings on (usually ‘while using’ or ‘never’).
  5. Go to Settings > Privacy > Location Services > System Services (it’s at the bottom of the list).
  6. Uncheck any services that you do not need location for (e.g. location-based alerts).
  7. Click on Frequent Locations (it’s at the bottom of the first list), you’ll see your iPhone is learning the places you go for ‘location-related information’. If you don’t want this service, then turn the Frequent Locations option off.
  8. If you use your phone for work email or Slack, consider turning off Notifications > Mail > Show Previews and Notifications > Slack > Show Previews so the content of these messages is kept private when your phone is on standby.
  9. Download the app Signal; this is the application the team use to chat outside of work.
  10. Here are some extra tips if you’d like to do more to secure your iPhone.

Working outside the office

  1. Do not connect to Wi-Fi networks that have no passwords.
  2. We are creating a VPN for you to use; it’s a work in progress.
  3. If you’re in doubt, hotspot from your phone rather than using Wi-Fi in a public place.
  4. If you have to work out of the office, avoid working on anything sensitive.
  5. Try to work with your back to a wall so it’s harder for people to shoulder surf what you’re doing.

Pro tips

  1. Remember to encrypt your emails whenever possible.
  2. Never use a password twice.
  3. Don’t share your passwords with anyone.
  4. Try not to keep any passwords written down anywhere, but if you have to — make sure you don’t give away any hints as to what the password is for, and keep the written password well away from the product or service it’s for.
  5. Keep the software on your computer and phone up to date; updates generally include security patches and bug fixes.
  6. Always put your computer to sleep when you are leaving your desk, even if it is to make a cup of tea!