Merge pull request #16 from status-im/secchecklist-patch-1

Revamp of the security checklist for CC
This commit is contained in:
OxFred 2022-01-10 09:28:37 +01:00 committed by GitHub
commit 699c3189c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 78 additions and 168 deletions


@ -1,185 +1,95 @@
# Security Checklist
## Personal Devices
- [ ] Yubikey: Allowed to expense 1 per contributor
- [ ] USB Drives: Not an allowed expense
- [ ] No-Wifi Printer: Not an allowed expense
- [ ] Hardware Wallet: Allowed to expense 1 per contributor
People in the crypto industry are particularly targeted by hackers & malware. When joining Status as a Core Contributor, make sure you follow the following recommendations to ensure your safety & the security of the organization as a whole.
## Personal Procedures
- [ ] Join internal incident channel
- [ ] turn on notifications
## General recommendations
### PC
- [ ] Get rid of clipboard managers
- Reasoning [here](https://coinjournal.net/pc-malware-steals-funds-modifying-ethereum-addresses/)
- [ ] Get rid of cloud screenshot auto-upload
- [ ] Get rid of remote viewer
- [ ] Get a password manager (default: bitwarden)
- [ ] secure with 2FA (YubiKey / Google Auth)
- [ ] Disable unused/infrequently used browser extensions
- [ ] If your computer is old, start fresh
- [ ] fresh OS install
- [ ] new computer
- [ ] Do not tamper with the integrity protection of your OS (OSX SIP, Linux App Armor)
- [ ] Bonus: Get a vm and put your browser/mail client in the vm.
- [ ] Review launch-on-startup software
Those recommendations are valid for most Core Contributors who are not particularly exposed.
### Mobile
- [ ] Get Trail of Bits iVerify.
- [ ] Go through the tutorials and change the settings accordingly.
- [ ] Charge your phone only with a charger that is yours or from someone you trust.
- [ ] Get a phone that supports yubikey plugable/nfc
- [ ] Get a vpn for your phone.
- [ ] Use a trusted messenger app to take synced private notes as messages to yourself if you
don't want Apple/Google to read them.
- [ ] Store critical contacts only on your simcard
- [ ] Don't download an untrusted apk. Fdroid, Appstore, Playstore, Huawei Store are your
friends
- [ ] Make at habit of disabling bluetooth if you don't need it
- [ ] Get a second phone where you install only what's necessary. Candycrush saga waits on the
other phone for you.
- [ ] If you root your phone, here be dragons.
### 💻 Hardware
### Online
Review public information, think about how this can be used to target you or your device
#### 🖥️📱 Computers & mobiles devices
- [ ] Be aware of unwanted additions & customizations some manufacturers practice in the PC & Android world https://en.wikipedia.org/wiki/Pre-installed_software,
- [ ] Be aware of the various End-of-life/Guaranteed security update policy for each manufacturer & device, especially in the Android world. For example [Google Pixel](https://support.google.com/pixelphone/answer/4457705?hl=en) & [Nokia](https://www.nokia.com/phones/en_int/security-updates) are known to offer fair update policies. Some manufacturers do not. Once a device do not receive security updates, do not use it anymore,
- [ ] Password protect your BIOS/UEFI.
- [ ] Audit cloud software
- [ ] What is uploading automatically?
- [ ]
- [ ] What is already saved there?
- [ ] 2FA that shit
- [ ] Change password if it isn't fresh or from you Password Manager
- [ ] set up your hardware wallet / yubikey / U2F on it
- [ ] If this is where you store you backup codes, regenerate them and handwrite / print on no-wifi printer. Never put them on clouds again.
- [ ] Audit Social Media accounts (Google, Github, Facebook, Skype, Twitter, etc)
#### 🔑 Hardware authentication devices
- [ ] Audit Chrome/Brave Settings
- [ ] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer
- [ ] Location: ask before accessing
- [ ] Camera: ask before accessing
- [ ] Microphone: ask before accessing
- [ ] Flash: Block sites from running flash
- [ ] Popups: Blocked
- [ ] Set clear cookies, cache, history, etc to on "on exit"
- [ ] Encrypt all the things
- [ ] Computer / Laptop
- [ ] USB Drives
- [ ] Change all the old passwords
- [ ] use Password Manager generator for new ones
- [ ] DO.NOT.REUSE.PASSWORDS
- [ ] 2FA all the things
- [ ] Don't use Authy
- [ ] turn off _multi-device_
- [ ] Remove phone number as backup option for ANYTHING
We recommend the use of hardware authentication devices supporting the FIDO2 protocols such as the [Yubico Yubikey](https://en.wikipedia.org/wiki/YubiKey)
- [ ] authorized apps
- [ ] remove the ones you don't use / recognize
- [ ] review permissions on ones you do use
- [ ] Log out normally
- [ ] Remove "application specific passwords" that bypass auth
- [ ] **Google:** Remove phone number and email as backup option
- [ ] Go to https://myaccount.google.com/security
- [ ] Scroll down
- [ ] Change your password.
- [ ] Click “2 Step Verification”
- [ ] Set up: Security key (Yubikey), Authenticator app, Backup codes.
- [ ] Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
- [ ] Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
- [ ] Do not turn on recovery email. If there is a recovery email there, remove it.
- [ ] Do not turn on recovery phone. If there is a recovery phone there, remove it.
- [ ] Do not turn on “Google Prompt”
- [ ] Do not turn on “Voice or Text Message”
- [ ] At the very bottom, click “Revoke all” for “Devices you trust”
- [ ] Return to https://myaccount.google.com/security
- [ ] Under “Recently used devices” remove anything that isnt your primary phone and computer.
- [ ] Return to https://myaccount.google.com/security
- [ ] Review “Apps with access to your account”. Remove anything you arent actively using.
- [ ] **Github:** Audit your authd apps, turn on 2FA
- [ ] go [here](https://github.com/settings/applications)
- [ ] Audit Install Github Apps => Remove anything you arent actively using.
- [ ] Authorized GitHub Apps => Remove anything you arent actively using.
- [ ] Authorized OAuth Apps => Remove anything you arent actively using.
- [ ] 2FA via hardware device
- [ ] **Facebook:** Some of these are best-practices and related to privacy and not security.
Status allows to expense 1 authentication device per contributor.
- [ ] Must Do! https://www.facebook.com/settings?tab=security
#### 📟 Hardware wallets
- [ ] Turn on “Get alerts about unrecognized logins”
- [ ] Change your password if you didnt do it before
- [ ] Turn on 2FA via Yubikey or Google Auth if you didnt do it before
- [ ] **Must Do!** https://www.facebook.com/settings?tab=privacy
- [ ] For important crypto accounts, we recommend the use of hardware wallets such as the [Ledger](https://www.ledger.com/) or [Trezor](https://trezor.io/),
- [ ] Future posts: Friends
- [ ] Review all posts and things youre tagged in: On
- [ ] Limit past posts: Friends
- [ ] Who can see your friends list: Friends
- [ ] Who can look you up using email / phone number: Friends
- [ ] Do you want search engines…: NO!
- [ ] **Must Do!** https://www.facebook.com/settings?tab=applications
- [ ] Audit list, remove anything out of date or not actively in use.
- [ ] **Must Do!** Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
Status allows to expense 1 hardware wallet per contributor.
- [ ] Recommended! Make sure “Trusted Contacts” was set up intentionally
#### 🖨️ Printers
- This feature to allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.
- [ ] Recommended! Make sure “Legacy Contact” was set up intentionally.
When printing recovery codes & very sensitive information,
it is important to do so on a printer that has no wifi as the history can be hijacked and the printed documents can be recovered and reprinted.
- [ ] Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that youve died). Make sure it is set up carefully.
- [ ] Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
- [ ] Go to “Your Information” w/ green icon. Toggle all switches OFF
- [ ] Go to “Ad settings” w/ blue icon. Select: No, No, No one
- [ ] Click Xs in Your Interests & Advertisers until you get bored
- [ ] Recommended! https://www.facebook.com/settings?tab=timeline
- [ ] Who can post on your timeline? Friends
- [ ] Who can see what others post on your Timeline? Friends
- [ ] Who can see posts youre tagged in on your timeline? Friends
- [ ] When youre tagged in a post, who do you want to add to the audience Friends
- [ ] Who sees tag suggestions when photos that look like you are uploaded? No One
- [ ] Review posts youre tagged in before the post appears on your timeline? On
- [ ] Review tags people add to your posts before they appear on Facebook? On
- [ ] **Dropbox / Cloud Storage**
- [ ] Turn on 2FA
- [ ] Turn off any out-of-date phones or computers
- [ ] Audit your https://www.dropbox.com/account/connected_apps
### Miscellaneous
- [ ] OAUTH > Email signup.
- [ ] When in doubt authorize a service or app that you start using with your google or your
github account. Don't create an account with your email (especially not with your private
email!). Then add 2fa!
- [ ] When you use an account storing sensitive information that you want neither
Google or Microsoft to know about, contact security so we can set something up for you.
- [ ] Call your cell provider
- [ ] Inform them that you work in an industry that has had a number of phone number hacks in the recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.
- [ ] Ask them what protections they offer.
- [ ] Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
- [ ] Ask to put a pin on the account.
- [ ] If you have the option, remove yourself as an authorized user (e.g. if you are on your parents plan).
- [ ] If you have the option, insert “DO NOT PORT!” and “DO NOT ACTIVATE NEW DEVICE OVER PHONE!!!” in any fields you have access to (e.g. your “Phone name”, “Company” field, etc.
- [ ] Dont use that phone number for any 2FA anyways. Use a brand new Google voice number that no one knows.
- [ ] move crypto funds from internet accessible areas to hardwallet/air-gapped storage.
- [ ] Exchanges
- [ ] Laptop
- [ ] Sign up for Keybase.io
- [ ] verify profiles
- [ ] share with at least 3 people
- [ ] Google yourself
- [ ] Remove personal info you find
- [ ] Remove Facebook profile indexed by Google in FB settings
- [ ] Set up Google search alerts for you name, common usernames, etc [here](https://www.google.com/alerts)
- [ ] Look up yourself at haveibeenpwned.com
- [ ] If anything compromised, take appropriate action
- [ ] change password or anything that is breached
- [ ] if bad, consider starting a new email address altogether
- [ ] Bookmark commonly accessed financial sites
- [ ] mycrypto.com
- [ ] exchanges
- [ ] bank sites
If you decide to sell your hardware, make sure all your settings & data have been securely removed from it.
## Company-wide
- [ ] Internal incident reporting discord channel
- [ ] Infrastructure monitoring
- [ ] Incident response team and procedure
- [ ] Incident Response phone number
- Goes to Corey??
### 🐧 Operating System
- [ ] Whether you use Windows, macOS, Linux, iOS or Android, it is always a good idea to start fresh with a clean install.
- [ ] Keep your OS up-to-date,
- [ ] Make sure your OS install is fully encrypted.
### 📦 Software
Favor software installed from an app store with automated update mechanisms.
- [ ] Do not use clipboard managers ([why](https://coinjournal.net/pc-malware-steals-funds-modifying-ethereum-addresses/)),
- [ ] Do not use cloud screenshot auto-upload,
- [ ] Do not use remote viewer,
- [ ] Review launch-on-startup software.
#### 🌐 Web Browsers
- [ ] Remove unused browser extensions,
- [ ] Disable infrequently used browser extensions,
- [ ] Bookmark commonly accessed critical websites such as banks, decentralized finance apps, etc.
### 🗝️ Authentication
- [ ] Use a password manager, such as [Bitwarden](https://bitwarden.com),
- [ ] Do not reuse passwords across applications & services,
- [ ] Enable notifications/alerts for breaches of your email on [have i been pwned?](https://haveibeenpwned.com/) or [Firefox Monitor](https://monitor.firefox.com/)
- [ ] Do not use phone number/SMS authentication as 2FA or backup option,
- [ ] Enable Multi-Factor Authentication (MFA) whenever possible using either:
- [ ] An hardware authentication device such as a Yubikey,
- [ ] A software-based authenticator such as [Google Authenticator](https://en.wikipedia.org/wiki/Google_Authenticator).
### ☁️ Online services & cloud
- [ ] Do not backup directly highly critical data such as seed phrases,
- [ ] Regularly review the Connected/Authorised/Installed/OAuth Apps section on services such as Google, [Github](https://github.com/settings/installations) & cloud storage.
### 💽 Backups
- [ ] Whether you backup on a hardware device or the cloud, make sure they are encrypted.
### 🕵🏻 Privacy
- [ ] Be careful with what you publish on social media,
- [ ] Review carefully social media settings, for eg Facebook [Security](https://www.facebook.com/settings?tab=security), [Privacy](https://www.facebook.com/settings?tab=privacy) [Applications](https://www.facebook.com/settings?tab=applications) & [Timeline](https://www.facebook.com/settings?tab=timeline) settings,
- [ ] Consider making use of [Email aliases](https://www.privacytools.io/#email-alias) for some non-critical accounts,
- [ ] Consider the software & service listed on https://www.privacytools.io/ as alternative to the popular ones.
### 📋 Others & General recommendations
- [ ] If you are unsure about something, just ask the security team on dedicated channels,
- [ ] Subscribe to the `#Emergencies` & `#Security-internal` non public channels to keep yourself up-to-date, make use of those channels if necessary.
## Going further
Those recommendations are intended for Core Contributors whose role & tasks could make them more exposed.
- [ ] Consider the use of separated systems on a virtual machine, partition, or hardware for sensitive data & tasks according to [this guide](https://github.com/status-im/status-security/blob/master/drafts/linux-recommendations.md),
- [ ] Use a [Good](https://www.privacytools.io/#vpn) VPN provider,
- [ ] Regularly reset or reinstall your devices & operating systems to start from a clean slate.
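Review bot: the rendered hunk carries no `+`/`-` markers (and the header has lost its leading `@`), so the 78 additions and 168 deletions are interleaved and cannot be told apart: the new emoji-headed sections such as `### 🐧 Operating System` sit directly beside the older `### PC` / `### Mobile` / `### Miscellaneous` lists, and the `## Personal Devices` and `## Company-wide` headings (with the unresolved `Goes to Corey??` note) appear in the same body as the revamped checklist; please re-post the patch with markers so the revamp can be reviewed as a diff. From the new-style lines that are visible: `An hardware authentication device such as a Yubikey,` should read "A hardware authentication device"; "Once a device do not receive security updates" under Computers & mobile devices should read "does not receive"; and `Do not backup directly highly critical data such as seed phrases,` under Online services & cloud does not say where the backup must not go, so state plainly that seed phrases are never to be stored in cloud services. Finally, the carrier port-out protections (`Ask to put a pin on the account.` and the in-store photo-ID note) exist only in the old-style Miscellaneous list; if they are among the deletions, the new Authentication section's "Do not use phone number/SMS authentication as 2FA or backup option" is left as the only SIM-swap mitigation, so consider carrying the carrier PIN step into the new list.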