Updated April, 2019

Security Guidelines for Congressional Campaigns

Thank you for attending a training session! We covered a lot of ground, so these notes are meant to serve as a reference and reminder of the advice we gave you.

Remember that as a Congressional campaign, you are at exceptionally high risk. The guidelines below are intended to protect you against the kind of threats we saw in 2016. They are ranked in rough descending order of priority.

The good news is, if you follow these guidelines, you will have a high level of protection against being 'Podesta-ed'. The easiest way to get this protection is to form good security habits before you need them.

Please don't hesitate to contact us with questions. You can reach out via Signal to (+1 415 610 0231), or email to maciej@ceglowski.com. Many security nerds are eager to help you stay safe.

Updates

By far the most important piece of advice we can give is: keep all your software up to date.

Turn on auto-updates on your phone and laptop, and don't wait to apply them.


Anti-Virus

Uninstall all anti-virus software. Having antivirus is like putting a hole in your stomach to monitor for food poisoning; it creates more problems than it solves.

The only exception is Windows Defender. It is safe to use, and turning it on will help you un-install other antivirus programs.


Email

Your personal email account holds the keys to your online life, and will be the primary target for attackers. Use Gmail for your personal email, and Chrome as your web browser.

Don't have sensitive conversations over email. Use Signal (see below).

Don't give any apps permissions to read or write your email inbox.

Make sure your email is protected with a security key. We should have already set this up during the training. If you need to set it up again, or to set it up for someone else, here are detailed instructions for adding a security key to Gmail.

Attachments

Attachments are one of the biggest risks you face. Even attachments coming from a trusted sender are a danger; if someone you know gets their email hacked, the attacker may send you a message that looks just like a typical message (for example, an email from your campaign manager with a Word doc).

Here is the hierarchy of attachment safety, from safest to most risky:

  1. Safest is to open them on an iPhone.
  2. Save them directly to Google Drive from Gmail. If you hover over an attachment in Gmail, you'll see a 'save in Google Drive' icon.
  3. Download them to disk, and upload them to Google Drive in your browser. Make sure you delete the downloaded file, so you don't accidentally double-click it in the future.
  4. The least safe way to open an attachment is to double-click it on your laptop. Never do this.

Sharing Files

Get out of the habit of sending attachments. Instead, send links to a Google document.

Don't use file sharing services like Dropbox or Evernote. Stick to Google Drive.


Phone

You must use an iPhone, model 6 or later. Android phones are not safe to use.

Your iPhone is the most secure device you have. Do whatever work you can on it. It is always better to read email, use Signal, and surf the web on your phone.

Make sure you have at least a six-digit key code or passphrase.

TouchID is safe to use, but Siri is not. Siri can reveal information about your contacts even when the phone is locked.


Passwords

We strongly recommend you install a password manager called 1password.

Don't reuse the same passwords (or similar passwords) across sites. It is better to keep a list of random passwords in a text file or Word document than it is to re-use passwords.

If you can remember your password, it is likely not strong enough.

Any clever scheme you use to remember your passwords can be cracked within minutes by modern techniques. Pick truly random passwords instead, and save them in a password manager like 1password.


Laptop

Remember that your phone is always more secure than your laptop.

If you have a Windows laptop, make sure it's running Windows 10.

We should have turned on full-disk encryption on your laptop during our session. This will protect the data on your laptop if it is lost or stolen. Files on the laptop cannot be recovered without knowing the user's system password.

If possible, consider getting a Chromebook. This is a simplified computer, far more secure than an ordinary laptop, that can only run the Chrome browser.

Never put USB drives (flash drives) in your computer.


Text Messages

Use Signal from Open Whisper Systems for sending text messages, and for group chat.

WhatsApp offers similar protection to Signal, but Facebook will know everything about who you messaged and when. For this reason, we recommend sticking with Signal.

Avoid SMS (regular text messages) or iMessage for private messaging. If you use Facebook Messenger, make sure to turn on private conversations.

Treat Twitter and Slack as a public forum, even if you use their private message features.


Facebook

Turn on two-factor auth in Facebook, and add your security key to your Facebook account. The same security key you used for Gmail will work on Facebook.

Take your phone number off your Facebook account.


Slack and Twitter

Assume that anything you say on Slack or in Twitter direct messages will one day be public.

It's fine to use Slack for coordinating and organizing, but be mindful of the conversations you have there. Move private discussions to Signal.


Browser

Use Google Chrome as your default browser on your laptop. We should have installed this and set it up during the training. Avoid Safari and Firefox. Under no circumstances use the Tor browser (it's okay to use Tor, but do it with Chrome, and seek additional training on how to set it up).

On your iPhone, it's okay to use Safari.

Use the uBlock Origin and HTTPS Everywhere Chrome browser extensions. We should have set these up during your training. Avoid using other extensions.

Make a habit of using incognito mode.

If you are visiting websites that you feel are particularly dodgy, consider using a Chromebook for the purpose, or your phone.


Getting Help

If you need help, or feel out of your depth, or there are mysterious white vans outside your campaign HQ, contact us! We'll do our best to connect you to security experts who can give you additional training.

Our goal is to help keep Congressional campaigns safe without overwhelming them. If you found this training valuable, please spread the word to others. We can send nerds to train anyone, anywhere!