

We Fight Censorship - News safe from censorship


Local news sites blocked

Thursday 13 June 2013 at 18:05

Jordanian government blocks access to 291 news websites.
The memo from Fazey Shawabkeh, the head of the Press and Publications Department, to Mohamed Azzat Ta’ani, the head of the Telecommunication Regulatory Commission, was short and to the point. Access to news websites that had not obtained a government licence must henceforth be blocked.

Shawabkeh at first denied issuing the order but it was confirmed later the same day by the government news agency Petra, which quoted a statement by the Press and Publications Department giving its grounds for blocking the sites:

"The blockage was not meant to restrict freedoms. Is regulation and law enforcement and abidance a restriction? The ultimate goal of this action is to regulate the work of these websites and protect them, and not allow those outside the media profession to claim they are journalists and take the role of journalists, which is highly respected."

Article 49 of the amended version of the 1998 Press and Publications Act requires all online publications to register with the authorities. When the latest amendments were published by royal decree in September 2012, many news sites refused to register as a protest against what they regarded as a threat to their independence and freedom.

When the Press and Publications Department issued its memo on 2 June, the Telecommunication Regulatory Commission immediately complied, instructing Jordan’s Internet Service Providers to block access to the 291 sites that had not yet obtained a licence.

Independent news websites expressing political views have grown in number and popularity in recent years. Sarayanews, one of the blocked sites, has more online readers than the leading pro-government daily newspapers such as Al-Rai and Al-Dustour.

The source of news and views that stray from the official line, these websites have become one of the main bugbears for the government, which has repeatedly tried to control and censor online publications. Hence the latest version of the Press and Publications Act, adopted in September, and the decision to block the 291 sites.

The decision came two weeks after the International Press Institute held its annual world congress in Amman from 19 to 21 May, during which Jordanian Prime Minister Abdullah Ensour praised the role played by the media and claimed that the protection of freedoms, including media freedom, was one of the priorities of his government’s ongoing reforms.

The Electronic Frontier Foundation said the Jordanian authorities seem to have deliberately waited until after the congress to block the websites.

The ISPs are for the time being using domain names to block the sites (DNS blocking). So far, not all of the sites have been blocked and the ISPs may eventually use a more drastic form of blocking, such as IP blocking.
Reporters Without Borders wrote an open letter to King Abdullah on 12 June asking him to lift the blocking on these websites.

Below, we are posting the complete list of websites earmarked for blocking, Fazey Shawabkeh’s memo and the Telecommunication Regulatory Commission’s directive to the ISPs, ordering them to block the 291 listed websites. These documents were first published by 7iber.com, and we thank them for their cooperation.

Please contact us if you would like to help translate any of these documents.

Digital security, the basics

Wednesday 12 June 2013 at 18:22
Online Survival Kit

 Before you even think about making your computer secure or installing software for encrypting communications or data, you should adopt some good habits by following these common sense tips to help you avoid having your email account or computer hacked. You don't need to be an IT specialist to follow these tips.

Between your chair and your keyboard

  • Avoid watchful eyes:
    • Avoid working with your back to a window
    • When you are travelling on a plane or train, attach a privacy filter to your screen. A privacy filter is a clear film which restricts side-on viewing when applied to your screen. Only the person sitting in front of it (you) can see the screen.
  • When travelling, try to keep your equipment with you as much as possible. This prevents anyone from being able to obtain files from your computer or being able to introduce a Trojan horse.
  • All operating systems (Windows, Mac OS and Linux) let you protect your session with a password. Make sure you use this feature.

Don't leave your laptop lying around! (xkcd.com)

Delete your tracks on a public computer

If you work in an Internet café or on a computer which is not your own, make sure that you do not leave any traces once you've finished your work:

  1. If you have checked your email, Facebook or Twitter account, always make sure you log out.
  2. Delete your browsing history. It contains various information, and an expert could also use it to access some of your online accounts.
  3. Never store your passwords in the browser on a public computer. If you do this by accident, delete them from the browser's memory when you've finished your work.
  4. Clear form entry fields.
  5. Delete cookies.

Clearing this data is done differently in different browsers. A good way to avoid mistakes is to use the private browsing mode in Firefox or Chrome.

Control access to your information

Most online services (Twitter, Facebook, WordPress, Tumblr, Skype, etc.) let you recover a lost password by sending a password to your inbox. You must therefore protect your inbox as much as possible. If it is compromised, all your digital information could be too.

Google's mail service, Gmail, offers an additional layer of security: “two-step verification”. This service lets you protect your mail account with:

  1. a username
  2. a password
  3. a code that you receive on your mobile each time you connect to your mailbox.

Therefore, without your mobile, you cannot access your mail.

When you log into your Gmail mailbox, remember to click on the “Details” link at the bottom of the page. This opens a window which displays the recent connections to your inbox. This way, you can detect any suspicious activity.

Twitter and Facebook also offer an equivalent service and allow you to view all the applications and sites which are authorised to access your account.

Use passphrases

Password length is the key factor in creating a strong password which can resist a brute-force crack. Combining numbers, special characters and lower- and upper-case letters often creates weak passwords which are difficult to remember. If you use a “passphrase”, rather than a “password”, you can create a string of characters which is easy to remember and is much longer than your old passwords.

  • Th$jHTo%46: short and difficult to remember
  • I hear the sound of bells on the green pastures: easy to remember and, for an attacker, very difficult to guess

The website xkcd explains why it is best to use passphrases rather than passwords in some cases.

Use a different passphrase for each service

There is no point in having a long passphrase if you use the same phrase to protect all of your online services. If one of your services is compromised, as can sometimes happen, all of your online accounts are compromised. It is therefore crucial to use a different passphrase for each service.

Use a passphrase manager

Using a different passphrase per service can be problematic if you can't remember them all. Don't panic, there are reliable and secure tools available where you can save all your passwords.

LastPass is a password manager. It is available as an extension for Firefox, Chrome and Safari, and allows you to save all your passphrases. Access to your LastPass storage is protected with a unique passphrase. So you only have to remember one phrase for access to all your online services. Like Google's mail service, Gmail, LastPass offers two-step verification. If you use LastPass, it is highly recommended that you choose a long passphrase and set up two-step verification.

Be careful what you click on!

While it is important to install antivirus software on your computer, it is even more important to use common sense when you receive a link or an attachment by email, Twitter, Facebook or Skype. Social networks and communication tools are the main carriers of viruses.

Specialist hackers also develop malware (malicious software) which cannot be detected by antivirus software. The best defence is to act early, before malware infects your computer or smartphone.

  • Don't download files or click on links which you receive from unknown senders.
  • Carefully check the email address or Twitter account of anyone who shares a link with you. If you have any doubt, check the sender's identity with other contacts or by using a search engine.
  • If the file and sender seem suspicious, get expert assistance. Citizen Lab is an organisation which analyses the viruses sent by both dissidents and activists and helps them to protect themselves better.

Monitor your social networking presence

Facebook and Twitter are useful communication tools. However, make sure you control the information that is made public. The following tutorials and online services can help you to manage your online presence better:

Secure your browsing

Monday 10 June 2013 at 18:30
Online Survival Kit

When you access the web on your laptop or computer, you use the http protocol (hyper text transfer protocol). A protocol is a set of rules and requirements that allow two machines to communicate with each other. Https is the secure version of the http protocol.

https?

When you visit a site whose URL begins with https, you can be sure of three things:

  • The site's authenticity. Each https site has a certificate which it presents to your browser when your browser tries to access it. In turn, your browser has a database against which it checks the validity of the certificate presented. The certificate is the site's ID card and is unique for each https site.
  • The confidentiality of data exchanged with the site. There are several intermediaries between you and the sites you visit: the Internet access provider; the server(s); any proxy servers, including malicious parties (particularly when you're connecting over unlocked Wi-Fi hotspots). Once the site's identity has been validated, an encrypted communication channel is established between your browser and the site which guarantees that no intermediaries can intercept the information exchanged, such as requested pages, their content and any passwords sent.
  • The integrity of data. Using the https protocol also guarantees that no one can modify the data which is sent.

Breaking https

There are a few ways of breaking the secure channel which is set up between an https site and your browser.

Blocking https connections

This is by far the easiest way of breaking https. Sites offering an https version can usually also be accessed via http. An attacker seeking to control the network you are connected to (your access provider or the shared Wi-Fi connection at your hotel, for instance) may simply close the https access and force you to use the unsecured http version.

Impersonating an https site

An attacker may position themselves between you and the site you want to access, and redirect you to a copy of the site using a fake certificate. This is known as a 'man-in-the-middle' attack.

If you go to Gmail, an attacker seeking to take control of the network and the DNS servers may reroute your request and redirect you to another site which looks just like the Google mail service. The only clue for avoiding such attacks is the security warning in your browser.

Your browser will indicate that the site's certificate is not valid and that the site is not what it claims to be.

Certificate theft

Within a man-in-the-middle attack, there is a very slight possibility that the attacker has a copy of the targeted site's certificate. This is an extremely sophisticated type of attack as it involves firstly stealing one or more certificates from a certification authority.

In August 2011, certificate authority DigiNotar was compromised and certificates were stolen. These were used mainly in Iran to carry out man-in-the-middle attacks on Google services. This type of attack is extremely effective as your browser is unable to detect the fraud and does not display any security warning.

Some solutions

There are some tips and software which can increase your browsing security.

Choose Firefox or Chrome

Mozilla, publisher of Firefox, and Google, publisher of Chrome, take particular care in terms of security. For example, they were the first to update their browsers' certificate databases following the above-mentioned DigiNotar security breach. Firefox has the additional advantage of being free software whose aim is to ensure the security and privacy of its users. Chrome also focuses on security but is not free and does not offer the same guarantees in terms of privacy.

Deactivate Java

Java is a cross-platform computing language which exists as a plug-in for all browsers. It poses lots of problems in terms of security. According to the publisher of Kaspersky, 50% of attacks reported in 2012 used flaws in the browsers' Java plug-in. If you do not need Java in your browser, deactivate it or, even better, uninstall it.

Boost your browser with some useful extensions

You can add features to Firefox and Chrome using plug-ins.

  • HTTPS Everywhere: checks whether there is an https (encrypted) version for each site you visit and if so redirects you to it. This saves you having to manually add the “s” after http to each web address you visit, as in reality nobody actually manages to do this.
  • NoScript: enables you to control JavaScript scripts which are launched on the sites you visit. JavaScript is a programming language which is widely used on the web. It runs in your browser and can sometimes be used in certain attacks (XSS and XSRF). You can authorise certain sites to run JavaScript and the extension remembers your choice. This is tedious at first, but essential for secure browsing. Chrome's equivalent is ScriptSafe.
  • Web of Trust: works on a crowdsourcing model (where information is collected from a wide circle of sources) and tells you whether a site is safe or not based on the opinions of other Internet users. If you land on a site known to contain malicious scripts, WOT will display a warning before the page loads.
  • Certificate Patrol: checks the certificates when you arrive at an https site and warns you when your browser detects a change in certificates. This is very useful against man-in-the-middle attacks.
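
The kind of check Certificate Patrol performs, sketched as an added example (this is not the extension's code and not part of the original page): remember the fingerprint of the certificate each site presented on the first visit and flag any later change, which is the only signal left when a fraudulent certificate validates correctly, as in the DigiNotar case. `PinStore`, `fetch_der`, the host name and the certificate bytes are assumptions made for illustration.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Remembers the first certificate fingerprint seen for each host.

    Hypothetical helper written for this example.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host, der_bytes):
        """Return 'new', 'unchanged' or 'CHANGED' for the certificate host presented."""
        seen = fingerprint(der_bytes)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = seen  # trust on first use
            self._save()
            return "new"
        # A change is never accepted silently: the old pin stays until accept().
        return "unchanged" if seen == known else "CHANGED"

    def accept(self, host, der_bytes):
        """Replace the pin once the new certificate has been verified out of band."""
        self.pins[host] = fingerprint(der_bytes)
        self._save()


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the certificate a live site presents (needs network access).

    The default context still validates the chain and the host name, so an
    invalid certificate raises ssl.SSLCertVerificationError, the equivalent
    of the browser warning. The pin check covers the case where validation
    passes but the certificate is not the one seen before.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, so the demo runs offline.
    usual_cert = b"constructed certificate A for mail.example"
    other_cert = b"constructed certificate B for mail.example"
    store = PinStore()
    for label, cert in [("first visit", usual_cert),
                        ("second visit", usual_cert),
                        ("third visit", other_cert)]:
        print(label, "->", store.check("mail.example", cert))
```

Sites also replace their certificates for ordinary reasons (expiry, several servers with different certificates), so a `CHANGED` result is a prompt to verify the new fingerprint through another channel, not proof of interception.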

Tips for journalists visiting Iran

Tuesday 4 June 2013 at 16:06
Online Survival Kit

Many foreign journalists will be going to Tehran for the 14 June presidential election. Iran is one of the five countries named in a special Reporters Without Borders report on surveillance. Its Internet is subject to close surveillance when it is not disconnected or slowed down. We are posting a few tips that will help foreign journalists to protect the confidentiality of their data and communications.

Before leaving

  • If possible, travel with a virgin computer. Ideally, you should completely reinstall your operating system (Windows, OS X or Linux).
  • If you need to take files with you on your computer, take only those that will be absolutely necessary while you are there and encrypt them using PGP or TrueCrypt, which is simpler to use.
  • Update your operating system and, while you are there, don’t accept any updates even if Windows asks you to.
  • Turn on your firewall (software that blocks unwanted incoming and outgoing connections, allowing you to ward off some kinds of intrusion).
  • Install antivirus software and make sure it is updated with the latest virus definitions.
  • Protect your computer and mobile phones with passwords. They will help to deny access to your work.
  • Encrypt your hard drive. Protecting your computer and mobile phone with passwords is pointless if you do not also encrypt your entire hard disk. In Windows, use Bitlocker or TrueCrypt. In Apple Mac’s OS X, use FileVault (Preferences > System > Security).
  • Install a VPN, which is an application that allows you to establish an encrypted communication tunnel between your computer and a server located outside the country. Using a VPN will make it extremely difficult to intercept your communications. It will also enable you to circumvent any blocking of websites and online services imposed by the authorities. You should install a VPN before you go because unofficial VPNs, meaning those not controlled by the regime, are banned in Iran and access to sites offering unofficial VPNs is blocked.

Measures to take while in Iran

Good “electronic hygiene” should be practiced to avoid installing any malware on your computer:

  • Don’t click on links sent by a stranger.
  • Don’t download any software if you don’t know where it comes from.
  • Don’t accept contact requests from strangers on social networks.
  • Always identify the sender of an email before opening any attachments.
  • When you connect to the Internet, always use your previously installed VPN.
  • Secure your browsing by using the https protocol. It prevents your website passwords from being visible on the network.
  • Don’t use Skype to send sensitive information. The confidentiality of communication via Skype is not guaranteed and, because of its widespread use, Skype is the target of a great deal of malware.
  • Encrypt your communications. Email is often intercepted in Iran. To guarantee the confidentiality of the messages you exchange with your editors, encrypt your emails with PGP or encrypt your chats with Adium (Mac) or Pidgin and the OTR plugin (Windows, Linux).
  • The sending of an encrypted email is visible on the network. Although the regime may not be able to access the content of an encrypted email, it may know who sent it and to whom it was sent. Take care when you send an encrypted email. Take account of the situation of the person you are emailing.
  • Create one or two email addresses that are not associated with the media that you work for, and use only these addresses. As a result, your emails will be more discreet and will be more likely to pass unnoticed by the authorities.
  • You can also send your emails to a specially-created email address, from which they can be removed by a trusted third party with password access and forwarded to their final destination from another email address. This will protect the identity of the recipients of your emails while you are inside Iran.

In the event of Internet cuts or drastic slowdowns

It is not uncommon for the Internet to get much slower during demonstrations or in the run-up to major events. But Internet slowdowns or cuts do not last long. Keep filming or writing and store your work on an encrypted USB flash drive (encrypted with TrueCrypt, for example). A USB stick is easier to conceal and carry than a computer.

You can use a satellite connection to send your work but be careful, because satellite transmissions are easily spotted. Don’t stay too long in the same place while transmitting files. Change location frequently. If you must send big files, send them in stages. There is software that can break a big file down into smaller parts.

Mobile phones

Your mobile phone contains a lot of important information. Iran’s two main mobile phone service operators, Mobile Communication Company of Iran and Irancell, are controlled by the Revolutionary Guards. As well as data sent or received, your mobile phone or smartphone has a lot of information on the SIM card, its internal memory and any memory card that may be installed.

  • Protect your phone with a password, if it has this feature. All SIM cards have a PIN installed by default. Change it and block access to your SIM card with this SIM code.
  • If your phone uses the Android operating system, you can use the many applications created by the Guardian Project and Whispersys to encrypt your browsing, chats, SMS and voice messages.
  • Turn off GPS in the apps that use it. But make sure that someone is kept abreast of your movements.
  • If possible, don’t keep any browsing history. If you are in a country that monitors mobile phones or if you think you are under close surveillance because of your activities, it is better not to use a mobile phone to communicate. Use face-to-face meetings instead.
  • If you want to keep your phone with you even during sensitive meetings, remove the battery before going. Even without a SIM card, mobile phones send a lot of information (IMEI, IMSI or TMSI numbers and network cell) to nearby relay antennae that allows them to be located. Using IMSI catcher software, the authorities can intercept these signals and locate a previously identified SIM card holder. Unfortunately, a battery cannot be removed from an iPhone.

Syria tightens grip on Internet

Thursday 23 May 2013 at 12:52

Reporters Without Borders is publishing an analysis of the Syrian Internet network that was carried out on 22 May 2013. It shows that the Syrian authorities have installed more than 30 Blue Coat servers on their network. These servers are dedicated to intercepting communications and data circulating on the Internet.

Blue Coat is a US company specializing in interception software and hardware. Their products are based on technology that analyses the content of network packets. Called Deep Packet Inspection, the technology is used by many Internet Service providers to regulate network traffic. But it can also be used to analyse the browsing activities of individual Internet users, including their Twitter, YouTube and Facebook activities, and the content of their emails.

Carried out by the Telecomix hacktivist group, this network analysis has revealed the existence of 34 new Blue Coat servers in Syria. Each server is identified by:

  • an IP address: Nmap scan report for 188.160.1.189
  • the ports on which the servers are connected, in this case port 80, assigned to web traffic (http)
  • the server name, in this case Blue Coat proxy server or Blue Coat PacketShaper 3500 firewall
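
Pulling those three fields out of a report in this layout, as an added example (not Telecomix's code and not part of the original page): the sample input is constructed with documentation-range addresses and an example host name, and `parse_report` and `flag_product` are hypothetical helper names. The version string is nmap's guess from the service's response, so a match is a lead to verify rather than proof.

```python
import re
from collections import Counter

# Constructed sample in the layout described above (documentation-range
# addresses and an example host name, not data from the report).
SAMPLE = """\
Nmap scan report for 192.0.2.52
Host is up (0.16s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Blue Coat proxy server
--
Nmap scan report for gw.example.net (198.51.100.243)
Host is up (0.16s latency).
PORT   STATE SERVICE    VERSION
80/tcp open  http-proxy thttpd (Blue Coat PacketShaper 3500 firewall)
--
Nmap scan report for 192.0.2.60
Host is up (0.15s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx
--
Nmap scan report for 192.0.2.61
Host is up (0.17s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[^)]+)\)|(?P<bare>\S+))$"
)
# "<port>/<proto> <state> <service> [<version banner>]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)


def parse_report(text):
    """Return one record per port line, attached to the host it belongs to."""
    records = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = {"ip": m.group("ip") or m.group("bare"), "name": m.group("name")}
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            records.append({
                **host,
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                # Empty when nmap could not identify the software.
                "version": (m.group("version") or "").strip(),
            })
    return records


def flag_product(records, needle="blue coat"):
    """Keep open ports whose version banner mentions the product name."""
    needle = needle.lower()
    return [r for r in records
            if r["state"] == "open" and needle in r["version"].lower()]


if __name__ == "__main__":
    hits = flag_product(parse_report(SAMPLE))
    for r in hits:
        print(r["ip"], r["port"], r["version"])
    print(Counter(r["version"] for r in hits))
```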

In 2012, Telecomix already revealed the presence of 15 Blue Coat servers on the Syrian Internet network.

Its latest report shows not only that Syria continues to acquire monitoring and interception equipment – the Syrian Internet shutdown on 7 May was probably used to install the new surveillance infrastructure – but also that Western companies continue to provide authoritarian regimes with dual-use technology.

On 12 March 2013, World Day Against Cyber-Censorship, Reporters Without Borders classified Blue Coat as one of the private-sector companies that are “Enemies of the Internet.”
