Digital Security and Hygiene Tipsheet
CDAC Network’s Digital Security and Hygine Tipsheet outlines the key digital security and best practice tips designed specifically for mutual aid groups and local actors working in the humanitarian sector. Download the tipsheet below, or follow the instructions below.
Digital Security and Hygiene Tipsheet
Creating a strong password
Strong passwords are the first defence against device, app, and data theft. A compromised password can lead to major privacy breaches. Aim for a minimum of 12 characters, ideally longer, incorporating a mix of uppercase and lowercase letters, numbers, and symbols. Crucially, avoid personal information, dictionary words, or common phrases. Remember, each online account requires a unique password to prevent widespread access if one is compromised.
Examples:
Weak password example: password123
Strong password example: Tr@il5_Hiking&2024!
Two-factor authentication (2FA)
Two-factor authentication (2FA) is an added layer of security that prevents unauthorised access even if passwords are compromised. 2FA authentication methods can include SMS codes and authenticator apps, such as Google Authenticator app. Go to your application (e.g., social media, email), check the privacy and security settings, and search for 2FA. Activate by scanning the QR code using the Google Authenticator app.
Safe browsing habits
Malicious websites are designed to harm your device or steal personal data. They often appear to be legitimate websites but can install malware, collect sensitive information, or trick users into clicking on harmful links. Tips for safer browsing habits:
Scrutinise URLs: Always examine a website's address before clicking or entering details. Cybercriminals often use subtle changes, like swapping an 'o' for a '0’, to trick you.
Heed browser warnings: Your browser is your friend! Modern browsers, such as Chrome and Firefox, often display warnings if a site is potentially dangerous, so be cautious and pay attention to these alerts.
Beware of pop-ups and suspicious links: Be cautious of unexpected or unsolicited links, especially those asking for personal details or downloads. These are common phishing tactics.
Hover before you click: Start hovering your mouse over a link to see its proper destination. This can reveal if a link is a scam or points to a misleading address.
Verify website authenticity with HTTPS: Look for ‘HTTPS’ at the beginning of a URL. The ’S’ signifies a secure connection, indicating the website is authentic and not a spoofed version designed by hackers.
Block third-party cookies: Consider blocking third-party cookies to reduce online tracking and prevent targeted ads. These cookies track your activity across various websites.
Review permissions: Be cautious about the permissions you grant to websites, such as access to your location, microphone, or camera. You can adjust these settings in your browser's privacy options at any time.
Phishing and social engineering awareness
Phishing is an online scam where attackers pose as legitimate institutions to deceive individuals into providing personal data. Here are some signs to help you identify phishing attempts:
Suspicious emails: Phishing emails often come from addresses that appear legitimate but have slight variations (e.g., ‘support@netflixx.com’ instead of ‘support@netflix.com’). The email may contain urgent messages or threats, such as account closure, to pressure you into taking action.
Generic greetings: Phishing messages often use vague greetings like 'Dear User' instead of addressing you by name. Legitimate companies usually use your personal information in their communications.
Poor grammar and spelling: Phishing emails or messages may contain errors in spelling and grammar. While not all phishing attempts have errors, they are a red flag to watch for.
Unexpected attachments or links: If you receive an email requesting that you download an unexpected attachment or click a suspicious link, it may be a phishing attempt. These links often lead to fake websites designed to steal your information.
Inconsistent URLs: Hover over any link to see the actual URL. If it doesn’t match the claimed destination, it’s likely a phishing attempt.
Social engineering involves manipulating individuals into divulging confidential information through psychological manipulation. Some common tactics include:
Pretexting: The attacker creates a fabricated scenario (pretext) to obtain private information. They may pose as a coworker, IT staff, or bank representative to trick you into sharing sensitive data.
Baiting: This involves offering something enticing, like free software or media, to lure you into clicking a malicious link or downloading malware.
Tailgating/piggybacking: In physical settings, attackers may follow someone into a secure area by pretending to be an employee who has forgotten their ID card.
Impersonation on social media: Attackers can impersonate trusted individuals or organisations to manipulate you into sharing personal information or clicking harmful links.
Device and software updates
Software updates are crucial for maintaining the security of your devices and data. These updates often contain patches that fix vulnerabilities and bugs that attackers could exploit. Enabling automatic updates ensures that your software is always up to date without requiring manual checks.
Guide on setting up automatic updates: Check your device settings, go to the system settings, and activate automatic updates. Similarly, look for ‘Manage Apps and Devices’ in the Google Play Store and update all applications. It is also critical to keep your browser up to date. Check the navigation bar to find the settings and browser updates.
Digital security measures before travelling
If you are in the country or travelling from or to Sudan, assume that your devices will be inspected at any moment. Ensure you have strong passwords and hide social media apps, email apps, Google Authenticator apps, or any other apps that contain sensitive information. Update your device software frequently and install a reputable VPN to protect your online activity.
Hide sensitive applications:
iPhone: Use the ‘Hide Apps’ feature in Screen Time or create folders within folders.
Android: Use ‘Secure Folder’ (Samsung) or ‘App Lock’ features that don't show locked status.
Android: Nova Launcher with hidden app drawer.
Windows PC: Enable BitLocker drive encryption to protect all data in the event the device is stolen or lost.
Use secure documentation tools
Download Tella from the Google Play Store.
Tella is a free and open-source mobile application designed to help you safely capture, store, and manage sensitive information, especially in challenging environments. It's crucial for protecting your data and evidence from unauthorised access, censorship, and destruction.
Key features and actions for safety:
Automatic encryption: All photos, videos, and audio recordings captured directly within Tella are immediately encrypted. Key action: Always capture content inside the Tella app to ensure instant encryption. Avoid capturing sensitive media with your phone's default camera/recorder and then importing, unless necessary. Ensure you delete the original.
Hidden files and app camouflage: Tella files are inaccessible from your phone's regular gallery or file explorer. They can only be viewed within the Tella app itself. You can also change Tella's icon and name to something innocent (e.g., a Ludo game) to hide its true purpose. Key action: Utilise the camouflage feature! Go to Tella's settings > Security > Camouflage to change the app icon and name. This adds a crucial layer of plausible deniability if your device is inspected.
Strong app lock: You'll set a PIN, pattern, or password to lock Tella upon installation. You can also set a 'lock timeout' to automatically re-lock the app after a period of inactivity. Key action: Choose a strong, unique password or a complex pattern that is not easily guessed. Avoid standard PINs like birthdays. Configure a short lock timeout from security settings (e.g., 1 minute) for maximum security, especially if you handle highly sensitive information.
Quick Delete feature: Tella offers a ‘Quick Delete’ option to rapidly erase all sensitive data stored within the app in the event of an emergency. Key actions: Familiarise yourself with the Quick Delete function before you need it. Go to Settings > Security > select Quick Delete. Choose all options below to delete photos, videos, files, and settings. This will ensure that even when you reupload the app, it won’t revert the information stored in it.
Secure export and sharing: Tella allows you to export selected files or create reports to securely back up your data to connected cloud services (like Google Drive, Nextcloud, or Tella Web). Avoid sending sensitive files via unencrypted email or messaging apps. Key action: Remember where you send the data when exporting or sharing. While files are encrypted within Tella, their encryption status after export depends on the destination. For maximum security, send to trusted, encrypted cloud storage platforms. Link your application data to encrypted cloud storage. Go to Settings, and then Connections. You can link your data to an encrypted Tella Web (recommended encrypted cloud storage), Google Drive, or any other secure cloud storage service.
Offline mode capability: Tella functions effectively without internet connectivity, allowing you to document events in remote areas. Data can be saved and submitted later to your cloud storage when a secure internet connection is available. Key action: Plan your documentation strategy for offline scenarios. Capture evidence as needed and only connect to the internet and upload when you are in a safe and private location with a trusted network.
Prepare for internet shutdowns
Harness the power of mesh networks for enhanced digital security, especially when internet access is compromised or unavailable. These innovative systems, such as Bridgefy and Briar, use your device's Bluetooth or Wi-Fi to create a decentralised network, enabling you to communicate and share data directly with nearby devices without relying on traditional internet infrastructure. For quick, localised communication, download Bridgefy for robust short-range messaging (up to 100 meters), perfect for events or crowded areas, or Briar (10-20 meters) for more secure, private conversations nearby. Always ensure your mesh networking apps are updated for the latest security patches and features.
How to use Bridgefy:
It is recommended not to discuss/share sensitive information.
Download and install: Get the Bridgefy app from your device's app store (Google Play Store for Android, Apple App Store for iOS).
Initial setup (internet required): The first time you open Bridgefy, you'll need an active internet connection to activate the app. You'll typically sign in with a Google or Apple account and create a username.
Enable Bluetooth: Crucially, ensure your device's Bluetooth is turned on. Bridgefy relies on Bluetooth to create its mesh network.
Public chat: Once activated and Bluetooth is on, go to the 'Broadcast' or 'Public Chat' tab. Here, you can send messages to all other Bridgefy users within your Bluetooth range (up to 100 meters). Be aware that messages in the public chat are visible to everyone nearby using Bridgefy.
Private chats: Tap on a user's avatar in the Public Chat to initiate a private conversation. This allows you to send encrypted, one-on-one messages.
Location permissions: The app may request location permissions to utilise the Bluetooth technology for mesh networking. Granting these permissions is necessary for the app to function.
How to use Briar:
Download and install: Get the Briar app from the Google Play Store (Android only). Briar is not available for iOS due to Apple's restrictions on background processes that are essential for Briar's functionality.
Create an account: Upon opening, you'll create a nickname and a strong password. This account is stored securely on your device. Remember your password, as there's no recovery option.
Disable battery optimisations: Briar will ask for permission to turn off battery optimisations. This is vital, as Briar needs to run in the background to receive messages directly, without relying on a central server.
Add contacts (crucial difference): Unlike Bridgefy, Briar requires you to add contacts explicitly.
Nearby contacts (recommended for security): The most secure way is to 'Add contact nearby.' This involves scanning each other's QR codes using your device's camera. Briar will also request location permission to connect via Bluetooth (it doesn't store or upload your location).
Contacts at a distance (requires internet): If your contact isn't nearby and you have internet access, you can choose 'Add contact at a distance.' Briar will generate a link to send to your contact (via another app, such as Signal)—both you and your contact need to exchange these links while online.
Send messages: Once contacts are added, tap their name in the contact list to send encrypted messages. A green circle beside their name indicates a connection (via internet, Wi-Fi, or Bluetooth).
Introduce contacts: Briar allows you to introduce contacts to each other, so they don't need to meet in person to add each other.
Essential considerations for Briar:
Security focus: Briar is explicitly designed with a strong emphasis on privacy and censorship resistance, often targeting activists, journalists, and those concerned about surveillance. It uses end-to-end encryption and can route traffic over Tor when the internet is available.
Decentralised nature: Messages are synchronised directly between devices, eliminating the need for central servers, which provides a significant privacy advantage.
Contact management: The need to explicitly add contacts, especially by scanning QR codes for nearby connections, makes it less 'spontaneous' than Bridgefy but significantly enhances security and prevents unwanted connections.
Platform limitation: Briar is currently available only for Android.
Mailbox feature: If you're offline (with internet and Bluetooth off), a sent message can be directed to a separate 'Briar Mailbox' app on another device, if it is set up, and then synced when you're back online. This is for message delivery without a central server, but it's less convenient than instant delivery.