cross-posted from: https://lemmy.ml/post/74540

Hello! I think it is a nice time to re-mention some 101 tips of IT security for folks here, that I also practice. Pegasus malware investigation will be big news for a good while, so the more awareness it helps spread, the better.

RULE 1

DO NOT CLICK ON RANDOM SMS AND EMAIL LINKS. Please, do not do this, ever. Just do not do it. Do not do it. Do not do it. Do not do it.

Yes, that is how many times I repeated that line. That is how important this rule is.

Also, do not download random email attachments.

Phishing is such a common tactic that one would think this problem has been solved by now, but it has not.

RULE 2

Keep OFF auto download of photos, videos, documents and so on on WhatsApp, Signal and such apps.

Drive-by downloads being self-executable surprise bombs is not a new thing. Basically, this rule is similar to keeping AutoPlay off for external USB sticks on Windows computers.

RULE 3

Avoid using popular software too much.

I get it, this is a hard rule to work around considering how much we need to use WhatsApp, Signal, Telegram and so on, so it is a lot better to compartmentalise your activities among multiple messengers.

Pegasus and a lot of specialised malware use zero-days to be able to design zero-click deployment tricks, which is what these government surveillance tools are good at reserving. They use their millions of dollars of funding and R&D properly, so you have to be careful.

As an example, try to keep WhatsApp's internet access turned off most of the time via NetGuard, and turn it on only when needed, a good method I have earlier suggested as well in my smartphone hardening guide.

CONCLUSION

Those were some thoughts off the top of my head, before I go to sleep. Stay safe against surveillance! And feel free to ask whatever you want to!

xenith

101 tips and you only mentioned 3!!

:)

@weex

That’s written in base root 2.

@TheAnonymouseJoker
creator

You cheeky little math freak

@TheAnonymouseJoker
creator

T_T sorry

@uthredii

It might be a good idea for journalists and other targeted people to have multiple burner phones for different activities.

That way if your personal device is infected it is less likely to compromise your human rights work.

You would probably want to turn off any phone you are not using as they are able to access the camera and mic.

@TheAnonymouseJoker
creator

Camera and mic access is not hard to prevent as long as the device is not infected. Avoiding infection is not hard either, if the user or activist has a good grasp of the 101 rules.

This is a reason I try to make guides like this, so my stuff can be a good reference for everyone.

@DnuOLp0

It seems to me like your rules might protect me from known threats (or not). But I don’t think it is easy to protect against unknown threats. At least when the advice is not using popular technologies and people like journalists necessarily need to use popular communication technologies. Also they may not be able to explain to every one of their contacts that they can’t open any links or documents.

@TheAnonymouseJoker
creator

Using sandboxed VMs in computers is an excellent way to open links if one is so endangered. VMs can be created infinitely, and you can save snapshots for VMs as well. Moreover, there is always the good old TailsOS USB that runs on RAM, and nothing can infect RAM permanently.

Now if they choose to use phones to open all kinds of links, that is on them. Phones are vulnerable technology, so they should be used as temporary communication tools and not as mini computer portals for now.

@DnuOLp0

I agree but I think you missed my point. You said it’s easy and I disagree with that. It may be a simple concept but it’s definitely more work on an everyday basis and you need to spend a significant amount of time and effort on learning and preparing all of that. These are significant barriers.

@TheAnonymouseJoker
creator

The most you can do against the unknown threat is take a whitelisting approach in life, unless you have a crystal ball that shows the future. And that is how I laid out the rules. Not clicking random links, not downloading random files and not using common software is as far as you can go, and only the last one is considerably hard.

@snek_boi

Seeing this post again made me think, apart from my previous reply, about something else.

I think your “popularity of software” argument is great because it probably holds true, in that an investment in finding an exploit has larger returns if the exploitable software is widely used. But rather than thinking in terms of apps, we could think in terms of operating systems. What if the vector of infection is not an app and rather is an OS? This is perfectly possible and there are massive incentives to find such exploits since this is not app-dependent.

This means that merely using iOS or Android in any capacity (either through Lineage OS or perhaps even Replicant) could be enough for infection. And so far, not knowing what the vectors of infection are for Pegasus, this is perfectly possible.

Perhaps using Linux OS is a good idea, given it’s not as popular.

@TheAnonymouseJoker
creator

Yes, I agree, but Android is sufficiently secure as Google has incentives (now even more with grifter Apple blocking others’ spying to allow just theirs) to make more and more users get trapped in Google’s ecosystem, plus the development is open source, due to which zero-days are much costlier to find on Android than for iOS: https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/. This also shows us the closed-source, security-by-obscurity model failed with Apple, and even with Windows.

Also, Android is a lot easier to be able to exercise control on and lockdown, and use trusted FOSS software on.

Moreover, if you are doing mission critical work like dissent, journalism, whistleblowing and so on, phones should exclusively be used as communication tools and to click photos and so on. I have covered this in my Activist and Protestors Handbook: https://lemmy.ml/post/34220

One should definitely try to use a Linux-based distribution, tweaked for your own security needs, for as much work as possible in such cases.

I am having trouble with creating my Linux Hardening Guide currently, which I definitely want to try completing in its entirety like I did the Smartphone Hardening Guide. This is essential because no such guide for Linux exists that is as easy, digestible and considers a lot of things that all current guides lack. And I definitely would love to intertwine it with a new version of the Activists and Protestors Handbook.

@jelbana

deleted by creator

@tracyspcy

Use a dumbphone instead

@TheAnonymouseJoker
creator

Let’s use a sword to cut a tomato.

Nope.

Also, dumbphones are worse because you have zero control over the OS running on top of them, and proposing that people use a Nokia 1100 in 2021 does not exactly help anyone take you seriously.

@tracyspcy

I’m using a dumbphone normally and it works for me.

@TheAnonymouseJoker
creator

It does not for everyone. Everyone has different needs, and 2G phase out is becoming more common than you think. Even 3G is going out.

@ajz

deleted by creator

xenith

What type of phone do you use as your daily driver? iPhone? Android?

@TheAnonymouseJoker
creator

Android. You can check my smartphone guide pinned at !privatelife@lemmy.ml

@yxzi

Also make sure to power down your devices regularly so as to flush the temporary memory (provided the hard drive is not infected).

@TheAnonymouseJoker
creator

Malware usually does not sit in RAM, but in internal storage. What you are suggesting is likely runtime or unpacking-code style attacks. Those are different, and protection against them is easier as the user has to manually install and run such apps on Android.

xenith

One of the articles about it (I think from The Guardian) said that it can run in RAM which was one thing making it harder to detect. It said that it was present until a reboot.

@TheAnonymouseJoker
creator

It is a common practice that if your phone has been left unattended and is out of your sight and is within reach of suspicious or legal criminal authorities, when you return, restart it. I thought it would be clear to people.

It would be better to rephrase my statement as nothing persisting in RAM if you turn off its power or the device that has RAM.

xenith

If Pegasus required physical access to your device that would be relevant. However, it’s installed through several other means and according to articles I’ve read can live in RAM. So restarting regularly despite never having an unattended device seems prudent.

@TheAnonymouseJoker
creator

Code cannot persist in RAM and survive power loss. The only way that is possible for RAM to have that code persistently is that the code is stored on disk storage, and the code gets copied over to RAM upon each reboot.

xenith
link
1
edit-2
3M

No one is arguing that RAM is persistent after reboots…

@yxzi 's original comment suggested regularly restarting your device, which coincides with the assessment that Pegasus can live in RAM. I see it as nothing but great advice and I can’t figure out why it elicited your response in a post created by you about “staying safe from Pegasus.”

edit: a few letters

@TheAnonymouseJoker
creator

Pegasus does not live in RAM. Pegasus is copied from disk storage to RAM each time, so it cannot be persistent by design of RAM. If Pegasus is getting detected into your RAM, there are bigger problems than a mere restart of your device.

My post is not making me respond because I want to argue needlessly, but because the problem might be more severe. A restart of phone after your phone has been out of sight is a good measure, but if after repeated restarts it is found there, that is what I was pointing out.

Oue

To add:

Everyone should use ad blockers across all their devices (uBlock Origin)

Everyone should try to use DNS sinkhole applications/servers like Pi-Hole or Adguard Home or unbound

@TheAnonymouseJoker
creator

Those are not protecting you against Pegasus or such malware. Those protect you from adware, JS spyware, trackers and other things.
