Merge pull request #8 from 0kok0/checklist-updates

Additions and reordering best practices

.gitignore

@@ -0,0 +1,3 @@
+*.idea
+*.out
+*.log

README.md

@@ -1,5 +1,5 @@
 # status-security
-Repository for all Status Network related security information
+Repository for all **public** Status Network related security information
 
 ## Audits
 All of Status' audits and their respective resources can be found in the [audits](./audits) folder

drafts/personal-security-checklist.md

@@ -6,20 +6,44 @@
 - [ ] No-Wifi Printer: Not an allowed expense
 - [ ] Hardware Wallet: Allowed to expense 1 per contributor
 
-
 ## Personal Procedures
+- [ ] Join internal incident channel
+    - [ ] turn on notifications
+
+### PC      
 - [ ] Get rid of clipboard managers
     - Reasoning [here](https://coinjournal.net/pc-malware-steals-funds-modifying-ethereum-addresses/)
 - [ ] Get rid of cloud screenshot auto-upload
 - [ ] Get rid of remote viewer
-- [ ] Get a password manager
+- [ ] Get a password manager (default: bitwarden)
     - [ ] secure with 2FA (YubiKey / Google Auth)
-- [ ] Remove unused browser extensions
-- [ ] Disable infrequently used browser extensions
+- [ ] Disable unused/infrequently used browser extensions
 - [ ] If your computer is old, start fresh
     - [ ] fresh OS install
     - [ ] new computer
+- [ ] Do not tamper with the integrity protection of your OS (OSX SIP, Linux App Armor)
+    - [ ] Bonus: Get a vm and put your browser/mail client in the vm.
 - [ ] Review launch-on-startup software
+
+### Mobile
+- [ ] Get Trail of Bits iVerify.
+    - [ ] Go through the tutorials and change the settings accordingly.
+- [ ] Charge your phone only with a charger that is yours or from someone you trust.
+- [ ] Get a phone that supports yubikey plugable/nfc
+- [ ] Get a vpn for your phone.
+- [ ] Use a trusted messenger app to take synced private notes as messages to yourself if you
+ don't want Apple/Google to read them.
+- [ ] Store critical contacts only on your simcard
+- [ ] Don't download an untrusted apk. Fdroid, Appstore, Playstore, Huawei Store are your
+ friends 
+- [ ] Make at habit of disabling bluetooth if you don't need it
+- [ ] Get a second phone where you install only what's necessary. Candycrush saga waits on the
+ other phone for you. 
+- [ ] If you root your phone, here be dragons. 
+
+### Online
+    Review public information, think about how this can be used to target you or your device
+
 - [ ] Audit cloud software
     - [ ] What is uploading automatically?
         - [ ] 
@@ -28,14 +52,16 @@
     - [ ] Change password if it isn't fresh or from you Password Manager
     - [ ] set up your hardware wallet / yubikey / U2F on it
     - [ ] If this is where you store you backup codes, regenerate them and handwrite / print on no-wifi printer.  Never put them on clouds again.
-- [ ] Audit Chrome Settings
+    - [ ] Audit Social Media accounts (Google, Github, Facebook, Skype, Twitter, etc)
+
+- [ ] Audit Chrome/Brave Settings
     - [ ] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer
     - [ ] Location: ask before accessing
     - [ ] Camera: ask before accessing
     - [ ] Microphone: ask before accessing
     - [ ] Flash: Block sites from running flash
     - [ ] Popups: Blocked
-    - [ ] Clear cache, history, etc
+    - [ ] Set clear cookies, cache, history, etc to on "on exit"
 - [ ] Encrypt all the things
     - [ ] Computer / Laptop
     - [ ] USB Drives
@@ -45,79 +71,85 @@
 - [ ] 2FA all the things
     - [ ] Don't use Authy
     - [ ] turn off _multi-device_
-    - [ ] [Set up Google Authenticator](http://www.androidguys.com/2016/06/02/setting-up-google-authenticator-is-as-easy-as-scanning-a-qr-code/)
-        - [ ] [How to restore access if you lose/destroy device](https://support.mycrypto.com/best-of/restoring-access-to-your-accounts-if-lose-device-with-2fa.html)
     - [ ] Remove phone number as backup option for ANYTHING
-- [ ] Audit Social Media accounts (Google, Github, Facebook, Skype, Twitter, etc)
-    - [ ] authorized apps
-        - [ ] remove the ones you don't use / recognize
-        - [ ] review permissions on ones you do use
-    - [ ] Log out normally
-    - [ ] Remove "application specific passwords" that bypass auth
-    - [ ] **Google:** Remove phone number and email as backup option
-        - [ ] Go to https://myaccount.google.com/security
-        - [ ] Scroll down
-        - [ ] Change your password.
-        - [ ] Click “2 Step Verification”
-        - [ ] Set up: Security key (Yubikey), Authenticator app, Backup codes.
-        - [ ] Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
-        - [ ] Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
-        - [ ] Do not turn on recovery email. If there is a recovery email there, remove it.
-        - [ ] Do not turn on recovery phone. If there is a recovery phone there, remove it.
-        - [ ] Do not turn on “Google Prompt”
-        - [ ] Do not turn on “Voice or Text Message”
-        - [ ] At the very bottom, click “Revoke all” for “Devices you trust”
-        - [ ] Return to https://myaccount.google.com/security
-        - [ ] Under “Recently used devices” remove anything that isn’t your primary phone and computer.
-        - [ ] Return to https://myaccount.google.com/security
-        - [ ] Review “Apps with access to your account”. Remove anything you aren’t actively using.
-    - [ ] **Github:** Audit your auth’d apps, turn on 2FA
-        - [ ] go [here](https://github.com/settings/applications)
-        - [ ] Audit Install Github Apps => Remove anything you aren’t actively using.
-        - [ ] Authorized GitHub Apps => Remove anything you aren’t actively using.
-        - [ ] Authorized OAuth Apps => Remove anything you aren’t actively using.
-        - [ ] 2FA via hardware device
-    - [ ] **Facebook:** Some of these are best-practices and related to privacy and not security.
 
-        - [ ] Must Do! https://www.facebook.com/settings?tab=security
+- [ ] authorized apps
+    - [ ] remove the ones you don't use / recognize
+    - [ ] review permissions on ones you do use
+- [ ] Log out normally
+- [ ] Remove "application specific passwords" that bypass auth
+- [ ] **Google:** Remove phone number and email as backup option
+    - [ ] Go to https://myaccount.google.com/security
+    - [ ] Scroll down
+    - [ ] Change your password.
+    - [ ] Click “2 Step Verification”
+    - [ ] Set up: Security key (Yubikey), Authenticator app, Backup codes.
+    - [ ] Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
+    - [ ] Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
+    - [ ] Do not turn on recovery email. If there is a recovery email there, remove it.
+    - [ ] Do not turn on recovery phone. If there is a recovery phone there, remove it.
+    - [ ] Do not turn on “Google Prompt”
+    - [ ] Do not turn on “Voice or Text Message”
+    - [ ] At the very bottom, click “Revoke all” for “Devices you trust”
+    - [ ] Return to https://myaccount.google.com/security
+    - [ ] Under “Recently used devices” remove anything that isn’t your primary phone and computer.
+    - [ ] Return to https://myaccount.google.com/security
+    - [ ] Review “Apps with access to your account”. Remove anything you aren’t actively using.
+- [ ] **Github:** Audit your auth’d apps, turn on 2FA
+    - [ ] go [here](https://github.com/settings/applications)
+    - [ ] Audit Install Github Apps => Remove anything you aren’t actively using.
+    - [ ] Authorized GitHub Apps => Remove anything you aren’t actively using.
+    - [ ] Authorized OAuth Apps => Remove anything you aren’t actively using.
+    - [ ] 2FA via hardware device
+- [ ] **Facebook:** Some of these are best-practices and related to privacy and not security.
 
-        - [ ] Turn on “Get alerts about unrecognized logins”
-        - [ ] Change your password if you didn’t do it before
-        - [ ] Turn on 2FA via Yubikey or Google Auth if you didn’t do it before
-        - [ ] **Must Do!** https://www.facebook.com/settings?tab=privacy
+    - [ ] Must Do! https://www.facebook.com/settings?tab=security
 
-            - [ ] Future posts: Friends
-            - [ ] Review all posts and things you’re tagged in: On
-            - [ ] Limit past posts: Friends
-            - [ ] Who can see your friends list: Friends
-            - [ ] Who can look you up using email / phone number: Friends
-            - [ ] Do you want search engines…: NO!
-        - [ ] **Must Do!** https://www.facebook.com/settings?tab=applications
-            - [ ] Audit list, remove anything out of date or not actively in use.
-        - [ ] **Must Do!** Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
+    - [ ] Turn on “Get alerts about unrecognized logins”
+    - [ ] Change your password if you didn’t do it before
+    - [ ] Turn on 2FA via Yubikey or Google Auth if you didn’t do it before
+    - [ ] **Must Do!** https://www.facebook.com/settings?tab=privacy
 
-        - [ ] Recommended! Make sure “Trusted Contacts” was set up intentionally
+        - [ ] Future posts: Friends
+        - [ ] Review all posts and things you’re tagged in: On
+        - [ ] Limit past posts: Friends
+        - [ ] Who can see your friends list: Friends
+        - [ ] Who can look you up using email / phone number: Friends
+        - [ ] Do you want search engines…: NO!
+    - [ ] **Must Do!** https://www.facebook.com/settings?tab=applications
+        - [ ] Audit list, remove anything out of date or not actively in use.
+    - [ ] **Must Do!** Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
 
-            - This feature to allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.
-        - [ ] Recommended! Make sure “Legacy Contact” was set up intentionally.
+    - [ ] Recommended! Make sure “Trusted Contacts” was set up intentionally
 
-        - [ ] Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.
-        - [ ] Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
-            - [ ] Go to “Your Information” w/ green icon. Toggle all switches OFF
-            - [ ] Go to “Ad settings” w/ blue icon. Select: No, No, No one
-            - [ ] Click X’s in Your Interests & Advertisers until you get bored
-        - [ ] Recommended! https://www.facebook.com/settings?tab=timeline
-            - [ ] Who can post on your timeline? Friends
-            - [ ] Who can see what others post on your Timeline? Friends
-            - [ ] Who can see posts you’re tagged in on your timeline? Friends
-            - [ ] When you’re tagged in a post, who do you want to add to the audience Friends
-            - [ ] Who sees tag suggestions when photos that look like you are uploaded? No One
-            - [ ] Review posts you’re tagged in before the post appears on your timeline? On
-            - [ ] Review tags people add to your posts before they appear on Facebook? On
-    - [ ] **Dropbox / Cloud Storage**
-        - [ ] Turn on 2FA
-        - [ ] Turn off any out-of-date phones or computers
-        - [ ] Audit your https://www.dropbox.com/account/connected_apps
+        - This feature to allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.
+    - [ ] Recommended! Make sure “Legacy Contact” was set up intentionally.
+
+    - [ ] Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.
+    - [ ] Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
+        - [ ] Go to “Your Information” w/ green icon. Toggle all switches OFF
+        - [ ] Go to “Ad settings” w/ blue icon. Select: No, No, No one
+        - [ ] Click X’s in Your Interests & Advertisers until you get bored
+    - [ ] Recommended! https://www.facebook.com/settings?tab=timeline
+        - [ ] Who can post on your timeline? Friends
+        - [ ] Who can see what others post on your Timeline? Friends
+        - [ ] Who can see posts you’re tagged in on your timeline? Friends
+        - [ ] When you’re tagged in a post, who do you want to add to the audience Friends
+        - [ ] Who sees tag suggestions when photos that look like you are uploaded? No One
+        - [ ] Review posts you’re tagged in before the post appears on your timeline? On
+        - [ ] Review tags people add to your posts before they appear on Facebook? On
+- [ ] **Dropbox / Cloud Storage**
+    - [ ] Turn on 2FA
+    - [ ] Turn off any out-of-date phones or computers
+    - [ ] Audit your https://www.dropbox.com/account/connected_apps
+
+### Miscellaneous
+- [ ] OAUTH > Email signup.
+    - [ ] When in doubt authorize a service or app that you start using with your google or your
+     github account. Don't create an account with your email (especially not with your private
+      email!). Then add 2fa!
+    - [ ] When you use an account storing sensitive information that you want neither
+     Google or Microsoft to know about, contact security so we can set something up for you. 
 - [ ] Call your cell provider
     - [ ] Inform them that you work in an industry that has had a number of phone number hacks in the recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.
     - [ ] Ask them what protections they offer.
@@ -126,34 +158,28 @@
     - [ ] If you have the option, remove yourself as an authorized user (e.g. if you are on your parent’s plan).
     - [ ] If you have the option, insert “DO NOT PORT!” and “DO NOT ACTIVATE NEW DEVICE OVER PHONE!!!” in any fields you have access to (e.g. your “Phone name”, “Company” field, etc.
     - [ ] Don’t use that phone number for any 2FA anyways. Use a brand new Google voice number that no one knows.
-- Miscellaneous
-    - [ ] move crypto funds from internet accessible areas to hardwallet/air-gapped storage.
-        - [ ] Exchanges
-        - [ ] Laptop
-    - [ ] Sign up for Keybase.io
-        - [ ] verify profiles
-        - [ ] share with at least 3 people
-    - [ ] Google yourself
-        - [ ] Remove personal info you find
-        - [ ] Remove Facebook profile indexed by Google in FB settings
-        - [ ] Set up Google search alerts for you name, common usernames, etc [here](https://www.google.com/alerts)
-    - [ ] Look up yourself at haveibeenpwned.com
-        - [ ] If anything compromised, take appropriate action
-            - [ ] change password or anything that is breached
-            - [ ] if bad, consider starting a new email address altogether
-    - [ ] Bookmark commonly accessed financial sites
-        - [ ] mycrypto.com
-        - [ ] exchanges
-        - [ ] bank sites
-- [ ] Join internal security channels
-    - [ ] turn on all notifications
-    - [ ] 
+- [ ] move crypto funds from internet accessible areas to hardwallet/air-gapped storage.
+    - [ ] Exchanges
+    - [ ] Laptop
+- [ ] Sign up for Keybase.io
+    - [ ] verify profiles
+    - [ ] share with at least 3 people
+- [ ] Google yourself
+    - [ ] Remove personal info you find
+    - [ ] Remove Facebook profile indexed by Google in FB settings
+    - [ ] Set up Google search alerts for you name, common usernames, etc [here](https://www.google.com/alerts)
+- [ ] Look up yourself at haveibeenpwned.com
+    - [ ] If anything compromised, take appropriate action
+        - [ ] change password or anything that is breached
+        - [ ] if bad, consider starting a new email address altogether
+- [ ] Bookmark commonly accessed financial sites
+    - [ ] mycrypto.com
+    - [ ] exchanges
+    - [ ] bank sites
 
 ## Company-wide
-- [ ] Internal incident reporting slack channel
+- [ ] Internal incident reporting discord channel
 - [ ] Infrastructure monitoring
 - [ ] Incident response team and procedure
 - [ ] Incident Response phone number 
     - Goes to Corey??
-- [ ] List of linked slack/riot channels
-

post-mortems/template.md

@@ -1,3 +1,5 @@
+## Remark: Post-Mortems are published after the findings were reported and mitigated.
+
 ---
 title: Incident Title
 tags: postmortem, security, transparency

process/github-issues.md

@@ -2,7 +2,12 @@
 This document outlines the process of using Github issues to coordinate security issues of a given project.
 
 ## Should you use Github issues?
- Before submitting any issues, the Discloser should have already engaged in a conversation with the Status Security team about appropriate methods of disclosure for a given project. This should be described in the SECURITY.md file within any given repository. If it is not, then follow the advice of this repository's README.md. If the discloser is still unsure, then please request guidance at security@status.im. 
+ Before submitting any issues, be advised: Internal findings are published as Post-Mortems after
+ they were reported and mitigated. The Discloser should have already engaged in a conversation
+ with the Status Security team about appropriate methods of disclosure for a given project.
+ This should be described in the SECURITY.md file within any given repository.
+ If it is not, then follow the advice of this repository's README.md.
+ If the discloser is still unsure, then please request guidance at security@status.im.
 
 ## Process
 Once the discloser is aware that Github issues are the appropriate methodology of disclosure, the following procedure is **RECOMMENDED****: