document set:DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
title:Endpoint Security Checklist
author:Jonah Silas Sheridan, Lisa Jervis for Information Ecology
last modified:9/2/2017
last modified:10/10/2017
version:"2.0DRAFT,NOTPEERREVIEWED"
---
# Endpoint Security Checklist
## Introduction
Securing your devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service or other person's device) are a cornerstone of digital security. In general, security trainers, practitioners, and the documents and manuals they use operate from an assumption that your devices are secure from intrusion and not running any software that you don't expect or intend. This is important because anyone who can control your endpoints can see and control all the same information you can -- and so any protections of that information as it travels across internal networks or the open Internet become irrelevant.
*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact format https://iecology.org/contact/.*
Unfortunately, in practice, it is not a reasonable assumption in the operating reality of many non-profits and activists that our endpoints are not compromised. Especially with the increased use of encryption technologies to secure communications and other sensitive information as it moves over the network, attacks on the hardware in devices themselves and, more commonly the software running on them has become a more attractive strategy for obtaining or altering data than in the past. Coupled with the fact that many devices are shipped with tracking, advertising, or other software that you may not expect or that may expose your device to risks, putting time into securing your devices is a critical task for securing your organization and ensuring further improvements to your security are meaningful.
Securing your devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service or other person's device) is a cornerstone of digital security. In general, security trainers and practitioners -- and the documents and manuals they use -- operate from an assumption that your devices are secure from intrusion and not running any software that you don't expect or intend. This is important because anyone who can control your endpoints can see and control all the same information you can, and so any protections of that information as it travels across internal networks or the open Internet become irrelevant.
This checklist provides a number of practices that can help you protect your devices from being a threat to the confidentiality, availability, or integrity of the information on them or on the networks they connect to. By educating your staff about the importance of endpoint protection, training and supporting staff in implementing these practices, and making them part of your organization's onboarding processes and technology policies, you can increase security for individual staff and the organization as a whole. Furthermore, you can better trust that any other secure systems or services your organization adopts are protecting you as expected. These are meant to be applicable to computers, mobile phones, and tablets except where otherwise indicated.
Unfortunately, in practice, it is not a reasonable assumption in the operating reality of many non-profits and activists that our endpoints are not compromised. Especially with the increased use of encryption technologies to secure communications and other sensitive information as it moves over the network, attacks on hardware in devices themselves and, more commonly, the software running on them has become a more attractive strategy for obtaining or altering data. In addition, many devices are shipped with tracking, advertising, or other software that you may not expect or that may expose your device to risks. These factors combined mean that putting time and effort into securing your devices is a critical task for securing your organization and ensuring that any further steps you take to improve your security are meaningful.
This checklist provides a number of practices that can help you protect your devices from being a threat to the confidentiality, availability, or integrity of the information stored on them or on the networks they connect to. By educating your staff about the importance of endpoint protection, training and supporting staff in implementing these practices, and making them part of your organization's onboarding processes and technology policies, you can increase security for individual staff and the organization as a whole. Furthermore, you can better trust that any other secure systems or services your organization adopts are protecting you as expected.
**These practices do not constitute a complete set of endpoint protection activities and are especially ill-suited for protecting you from targeted attacks by well-resourced and persistent organizations or entities. They will not fully protect you from the consequences of losing physical control of your device, including situations where a technically capable group has physical access to your device such as may happen at an international border, if you are arrested or detained, or if your device is stolen. If your threat model includes these sorts of concerns, contact a digital security professional to help you build systems that will remain resilient in your specific context.**
...
...
@@ -24,57 +26,63 @@ This checklist provides a number of practices that can help you protect your dev
:wrench: Technical skill level required
:fire: Work flow disruption for staff
## General Endpoint Security Tasks
## General Endpoint Security Tasks for Computers, Mobile Phones, and Tablets
:heavy_check_mark: **Keep your devices in your control, always.**
:rocket::wrench::fire::fire::fire:
*The easiest way to attack someone's devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. Note that a hotel room desk drawer or even a hotel safe does not necessarily meet this standard, as both can usually be accessed by hotel staff such as cleaners or management. When working in a public place, don't leave your computer even for a couple of minutes. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your computer without your knowledge.*
*The easiest way to attack someone's devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. Note that a hotel room desk drawer or even a hotel safe does not necessarily meet this standard, as both can usually be accessed by hotel staff such as cleaners or management. When working in a public place, don't leave any device alone even for a couple of minutes. Aways take your phone with you, and d the same for a laptop or ask someone you trust (not the stranger at the next table!) to supervise it for you. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your device without your knowledge. <JSS, one reviewer suggested mentioning that someone could stick a USB into your computer and infect it with something even while sleeping. That is not a change I want to make without you specifically approving. I would say: Note that a USB drive with malicious software on it could compromise your computer even when it is sleeping.>*
:heavy_check_mark: **Run the updating tool for your operating system and applications regularly and/or set updates to run automatically.**
:heavy_check_mark: **Run the updating tool for your operating system and applications whenever updates are available and/or set updates to run automatically.**
:rocket::wrench::fire::fire:
*The operating system is the most basic software a device can run, and every other program or application depends on it. Operating systems are often tied to specific hardware; major examples include Microsoft Windows, Apple's OSX (for computers) and iOS (for iPhones and iPads), Android, ChromeOS (for Chromebooks) and Linux. Any time an operating system manufacturer or application creator provides an update that fixes a security vulnerability, you are at increased risk until you install that update, because the vulnerability has become public and any bad actors have thus learned about it. Setting updates to run automatically will help, but you should still manually start the update process if learn of a specific security issue with any of your software. Note that you may need to restart your device for many updates to take effect, so responding to any alerts that ask you to restart your device is important to these updates being meaningful.
If you have specific software requirements or custom software created especially for your organization, automatic updates can cause work disruption, as some OS updates may be incompatible with existing software. Therefore, operationalizing this recommendation must be coordinated with your IT team or tech support provider.*
*The operating system is the most basic software a device can run, and every other program or application depends on it. Operating systems are often tied to specific hardware; major examples include Microsoft Windows, Apple's OSX (for computers) and iOS (for iPhones and iPads), Android, ChromeOS (for Chromebooks), and Linux. Any time an operating system manufacturer or application creator provides an update that fixes a security vulnerability, you are at increased risk until you install that update, because the vulnerability has become public and any bad actors have thus learned about it. Setting updates to run automatically will help, but you should still manually start the update process if you learn of a specific security issue with any of your software. If you don't want to run updates automatically, you should run your update process prompty when alerted that updates are available. Note that you may need to restart your device for many updates to take effect, so responding to any alerts that ask you to restart your device is important to these updates being meaningful.
If you have specific software requirements or custom software created for your organization, automatic updates can cause work disruption, as some OS updates may be incompatible with existing software. Therefore, operationalizing this recommendation must be coordinated with your IT team or tech support provider.*
:heavy_check_mark: **Use built-in full disk encryption on your devices and shut them down when they are not in use or are at risk of loss.**
:rocket::wrench::fire::fire:
*Full disk encryption means that the contents of a disk, usually the storage inside your device -- which contains the operating system, programs you have installed, and your organizational data -- are scrambled so that they cannot be easily accessed when the disk isn't unlocked. For the storage inside a device, unlocking happens anytime the computer is running and logged in. Without this feature, someone who steals your device, finds your lost device, or otherwise accesses your hardware can easily read your files and possibly impersonate you to your systems.
Although full disk encryption is increasingly enabled by default on mobile devices, this is not true on all platforms and so in many cases must be manually set up. This feature is called Bitlocker on Windows, Filevault on OSX, and LUKS on Linux. On devices running Android 5.0 and later, you can turn on this feature in the Security section of Settings menu. On iOS 7 and earlier, you can turn this on in the Passcode section of the General settings. Chromebooks and devices running iOS 8 or later have full disk encryption enabled by default. For advanced users, an open source encryption tool called VeraCrypt can also provide full disk encryption to Windows, OSX and Linux computers as well as offering other advanced features and can be found at https://www.veracrypt.fr/en/Home.html.* __This recommendation is not effective unless is it coupled with the practices described in the next item, regarding device authentication and locking, to make sure the encryption cannot be easily bypassed when the computer is running.__
Although full disk encryption is enabled by default on some mobile devices, it must be manually set up on all laptop and desktop computers, and many phones and tablets. The full disk encryption feature is called Bitlocker on Windows (setup instructions vary depending on Windows version and hardware details), Filevault on OSX (find this under System Preferences>Security & Privacy), and LUKS on Linux (setup instructions depend on your distribution). On mobile devices running Android 5.0 and later, you can turn on this feature in the Security section of Settings menu. On iOS 7 and earlier, you can turn this on in the Passcode section of the General settings. Chromebooks and devices running iOS 8 or later have full disk encryption enabled by default. For advanced users, an open source encryption tool called VeraCrypt can also provide full disk encryption to Windows, OSX, and Linux computers as well as offering other advanced features and can be found at https://www.veracrypt.fr/en/Home.html.* __This recommendation is not effective unless is it coupled with the practices described in the next item, regarding device authentication and locking, to make sure the encryption cannot be easily bypassed when the computer is running.__
*Full disk encryption is strongest when your computer is turned off or turned on but awaiting a password to start up. Once you have logged in, the computer has the secret key needed for decrypting your data in its memory (so you can work!) and so even with the screen locked and full disk encryption there is some risk to someone obtaining your logged in computer while it is running. However this is a highly technical attack and shouldn't stop you from keeping your computer turned on or logged in when you need to work, but it is also true that a device with full disk encryption in a hostile environment or out of your sight is safest when turned off.*
*It is important to know that full disk encryption requires your device to do complex math, so turning on this feature will use processing power and may even make older devices unreasonably slow to use. Full disk encryption will also increase the risk of you losing access to some of your information, as a lost password or PIN or failure of the part of the disk where the encryption keys are stored will generally mean you (as well as anyone else) cannot recover your data. Ensure you use syncing services and/or have regular backups of your data to minimize the risk of data loss in this case, but recognize that those copies of your data and the servers you sync also need to be secure. Full disk encryption can also be used on an external hard drive or USB sticks you use for backups using the same built in tools mentioned above or by using VeraCrypt.*
:heavy_check_mark: **Use a strong password or long PIN code on your device, set your device to lock itself after a short period, and manually lock the device if walking away from it. Be aware of your surroundings when entering this code or password to ensure no one is watching and your movements aren't being recorded on camera.**
:heavy_check_mark: **Use a strong password or long PIN code on all your devices, set your devices to lock themselves after a short period, and manually lock any device if walking away from it. Be aware of your surroundings when entering your password or PIN to ensure no one is watching and your movements aren't being recorded on camera.**
:rocket::wrench::fire::fire::fire:
*Always set up a long (8 numbers or more) PIN code or complex password to log in to your device to ensure that a lost or stolen device is inaccessible through its screen and the hardware remains encrypted. Use the screen timeout feature of your device and require your password or PIN to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable -- so choose as short a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every operating system has a keyboard shortcut or other quick way to lock a device (look it up in the relevant documentation or ask your technical support provider). Be aware when entering a PIN or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. While biometric unlocking mechanisms (for example, fingerprints or facial recognition), swipe patterns, and other locking mechanisms are becoming more common they can still be bypassed more easily than PINs and passwords so are not yet recommended.*
*Always set up a long (8 numbers or more) PIN code or complex password to log in to any device -- computer, phone, and tablet -- to ensure that a lost or stolen device is inaccessible through its screen and the hardware remains encrypted. Use the screen timeout feature of your device and require your password or PIN to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable -- so choose as short a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every computer operating system has a keyboard shortcut or other quick way to lock a device (look it up in the relevant documentation or ask your technical support provider). Be aware when entering a PIN or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. For mobile devices, biometric unlocking mechanisms (for example, fingerprints or facial recognition), swipe patterns, and other locking mechanisms are becoming more common, and are generally easier to use than complex passwords and long PINs. However, they can be more easily bypassed by, for example, grabbing your wrist and forcing your thumb into the button, holding your phone up to your face, or looking at the pattern of skin oils on your screen to see a swipe pattern. For these reasons they are not recommended. This may change as implementations improve.*
:heavy_check_mark: **Run antivirus, anti-malware, and ad blocking software on your devices.**
:rocket::wrench::wrench::wrench::fire::fire:
*Antivirus and anti-malware software are programs that run on your computer and scan all files coming in or going out for files that are known to infect, steal data from, or otherwise abuse your computer or data without your consent. While these tools work only against software already created, identified, and added to the software's lists of what to scan for, a large proportion of intrusions rely on these well-known threats. However, these types software by their very nature must have access to all the files on your computer and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well-known manufacturer and vetted by your technical support provider. Never trust "free" or "no-cost" software promising to scan for viruses and malware, especially those that appear in pop-up advertisements in your web browser or on your device, as they often carry viruses themselves. TechSoup offers low-cost [Symantec](http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations.
*Antivirus and anti-malware software are programs that scan all files coming in or going out for files that are known to infect, steal data from, or otherwise abuse your device or data without your consent. While these tools work only against software already created, identified, and added to the software's lists of what to scan for, a large proportion of intrusions rely on these well-known threats. However, these types of software by their very nature must have access to all of the files on your computer, and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well-known manufacturer and vetted by your technical support provider. Never trust "free" or "no-cost" software promising to scan for viruses and malware, especially those that appear in pop-up advertisements in your web browser or on your device, as they often carry viruses themselves. TechSoup offers low-cost [Symantec](http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations.
Note that the work of scanning for viruses and malware takes power from your device's processor, often a significant amount, so if it is already slow this may make your device unusable at times.
Adblocking software will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. Furthermore, removing advertisements should also improve your device's performance since it won't use your network connection to load, or use your processor to run, all of that often fancy (and insecure) content. However, ad-blocking software suffers from the same problems as antivirus and there are many actually track you or inject other advertisement. uBlock Origin is a wellrespected open source ad blocker which is available for Chrome, Firefox (including on Android), Safari and Microsoft Edge and can be downloaded from https://github.com/gorhill/uBlock/* ***Note that there is another ad blocker called just uBlock or μBlock that uses the same logo as uBlock origin but is not recommended.***
Ad-blocking software will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. Furthermore, removing advertisements should also improve your device's performance since it won't use your network connection to load, or use your processor to run, all of that often fancy (and insecure) content. However, ad-blocking software suffers from the same problems as antivirus software, and there are many that actually track you or inject other advertisements. uBlock Origin is a well-respected open source ad blocker that is available for Chrome, Firefox (including on Android), Safari, and Microsoft Edge. It can be downloaded from https://github.com/gorhill/uBlock/* ***Note that there is another ad blocker called just uBlock or μBlock that uses a similar logo as uBlock origin but is not recommended.***<JSS,therewasarectogroupallbrowserextensionstogetherwithamentionhere--soaddHTTPSEverywhereandPrivacyBadger.Mysenseisnottobcwewanttostickwiththetopicandthosetwoareaboutdatagoingoutonthewirenotcomingintodoharm.ButIwanttorealitycheckthatandseeifit'strue/ifyouthinkrepetitionwouldbeusefulhere>
:heavy_check_mark: **Paint any exposed screws on your devices with sparkly nail polish or other paint that cannot be easily removed and replaced without notice. Whenever possible, put tamper-evident tape across places where devices open. Before taking your device anywhere it may be at risk of being out of your control, take photographs of how screws and other openings appeared and store them so that they are accessible from someplace other than that device.**
*Although the idea of painting your computer or device with nail polish or covering it with tape may seem silly, this will allow you to ensure that, if you do lose control of your device temporarily, it has not been physically tampered with. (This is listed as difficult because you will need to both remember to document your device's physical state beforehand and check these details after your device has been returned to you.) Note that this strategy will be most useful with a photograph (stored someplace you can get to even without your devices turned on to help you ensure that nothing has changed about the device when it was out of your control.*
:heavy_check_mark: **Be exceptionally careful about what software you install on your devices.**
*The proliferation of mobile apps, browser extensions and other "free" (as in zero-cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (i.e., any company whose tools you are already using internally). Software that appears to have good intentions (like antivirus scanning) or even beneficial features may be masking malicious activities in the background. In most browsers and mobile devices, an application will ask for certain permission -- the information and hardware it can access on your device. These are worth looking at to make sure they at least vaguely reflect what is expected. For example if a flashlight app asks for permissions to your contacts or to make phone calls, you probably don't want to install it.*
*The proliferation of mobile apps, browser extensions and other "free" (as in zero-cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (i.e., any company whose tools you are already using at your organization). Software that appears to have good intentions (like antivirus scanning) or even beneficial features may be masking malicious activities in the background. In most browsers and mobile devices, an application will ask for certain permissions at installation -- the information and hardware it can access on your device. These are worth looking at to make sure they at least vaguely reflect what is expected. For example, if a flashlight app asks for permissions to your contacts or to make phone calls, you probably don't want to install it. Permissions to be especially cautious around granting include camera, microphone, and location services access. <JSSaddmore?>
The way to look at permissions after installation depends on the context. In Chrome, go to chrome://extensions/ and click the permissions link for each one. <JSS,IwanttogivemorebrowserinstructionsbutwhenIlookedinFirefoxtheextensionspagedoesn'tlistpermissionsandclickingonextensionsindividuallydoesnotexposethemeither.THisseemscrazytome!> On iOS devices, under Settings is a list of all permissions; under each permission is the list of apps that use it. On Android devices, go to Settings>Application Manager to view a list of apps; under each app is the list of permissions it uses. <anythingmeaningfulwecansayaboutcomputerapplicationpermissionsreview?>*
## Laptop and Desktop Computer Security Tasks
:heavy_check_mark: **Carefully source your USB and memory card devices, only plugging trusted and personally sourced ones into your computer.**
:rocket::wrench::wrench::fire::fire::fire:
*Don't plug other people's USB devices and memory cards such as flash drives, hard drives and phones into your computer, or any such devices that came to you in anything besides verifiable original packaging. This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run or the other devices they have plugged their USB device into into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.*
*While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into a computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn't have access to your files or systems and then passing the files on it through an additional virus scan before opening or using. Certain cloud services, including Google Drive and Box (but not Dropbox) automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected so you can use that as an additional layer of protection. However, there is still risk associated with USB devices and after using a USB device you don't trust, be on the look out for odd behavior such as error messages, extra network traffic or rapid battery usage and report any of those things immediately.*
:heavy_check_mark: **Add a privacy filter to your computer's screen.**
:rocket::wrench::fire::fire:
*One of the easiest ways to accidentally leak information is for someone in a public place to see it on your screen. Purchasing and installing privacy filters (basically, a piece of plastic that allows what is on your computer to be seen only by the person sitting right in front of it), especially if you work frequently in libraries, cafés, coworking spaces, airports, and/or airplanes, will protect you from this threat. Be aware that if you frequently share information by showing your actual laptop screen to others (as opposed to connecting your laptop to a projector or other display), you will want to ensure that any filter you purchase has an attachment option designed to enable easy temporary removal.*
:heavy_check_mark: **Carefully source your USB and memory card devices, only plugging trusted and personally sourced ones into your computer.**
*Don't plug other people's USB devices and memory cards such as flash drives, hard drives and phones into your computer, or any such devices that came to you in anything besides verifiable original packaging. This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run or the other devices they have plugged their USB device into into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.*
*While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into a computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn't have access to your files or systems and then passing the files on it through an additional virus scan before opening or using. Certain cloud services, including Google Drive and Box (but not Dropbox) automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected so you can use that as an additional layer of protection. However, there is still risk associated with USB devices and after using a USB device you don't trust, be on the look out for odd behavior such as error messages, extra network traffic or rapid battery usage and report any of those things immediately.*
## Mobile Phone and Tablet Security Tasks
:heavy_check_mark: **Don't click links sent to you by SMS or other text message, especially from unknown parties.**
:heavy_check_mark: **Don't click links sent to you by SMS or other text message, or through social media, especially from unknown parties.**
:rocket::wrench::fire::fire:
*There is rarely a reason to send links in this way and yet we continue to see situations where mobile devices are compromised through incoming links sent by text message (which can include not just the common SMS text message that works on all cellular networks even without a data connection but by also messages from any instant messaging application as either one allows anyone who knows your number to send you a message.) The link may display what looks like a legitimate page, or often a shortened link, but may have installed malicious software in the background. If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you. Of course this is broadly true of all links sent to you over other channels that accept messages from anyone, for example email or a comment form on a web page, so you should use caution in clicking those links as well.*
*There is rarely a reason to send links in this way, and yet we continue to see situations where mobile devices are compromised through incoming links sent by text messages or social media messaging. Note this includes not just the common SMS text message that works on all cellular networks even without a data connection, but by also messages from any application that allows someone who knows your phone number of username to send you a message. The link may display what looks like a legitimate page, or often a shortened link, but may have installed malicious software in the background. If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you. (Of course, this is broadly true of all links sent to you on all devices and over any channels that accept messages from anyone, for example email or a comment form on a web page, so you should use caution in clicking those links as well.)*
:heavy_check_mark: **Use either a charge-only cable or a "USB condom" to charge your device from anything other than a wall charger or a computer that you know to be free of infection. Carry a backup battery to ensure you never have to charge your device from an untrusted source.**
:rocket::wrench::wrench::fire::fire::fire:
*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it a friend's laptop, an internet connected device, or a public computer. Unfortunately that computer or device can become a route for a virus or other malicious software to infect your device. For use in these situations, you can purchase a "USB condom" (which prevents a connection between the data pins in the unknown port and the USB cable and allows only the power pins to connect) or charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across. Another option, which has the added advantage of being useful even if you can't find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However if charging from a suspicious charger or one from a stranger,you may wish again to use a USB condom or charge only cable to ensure that any software on the battery cannot affect your device.*
*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it a friend's laptop, an internet connected device, or a public computer. <are airport charging stations and airplane seats equivalent to walls for charging purposes? they often have direct USB ports> Unfortunately that computer or device can become a route for a virus or other malicious software to infect your device. For use in these situations, you can purchase a "USB condom" (which prevents a connection between the data pins in the unknown port and the USB cable and allows only the power pins to connect) or charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across. Another option, which has the added advantage of being useful even if you can't find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However if charging from a suspicious charger or one from a stranger,you may wish again to use a USB condom or charge only cable to ensure that any software on the battery cannot affect your device.*
