Hello DFLers!


We hope you all had a great week! 


As we move into the post-convention home stretch, we wanted to refresh you all on the importance of keeping campaign and personal data safe and secure. Whether you’re a first-time activist or a seasoned campaign professional, it is important to stay up-to-date when it comes to security measures. 


As you all know, there are both foreign and domestic actors who are constantly attempting to gain access to our data. We’ve all seen what can happen when we’re not careful at every level. This is a long update, but please read on to learn more about how you can protect yourself and the campaign in the final months of the cycle. We are only as strong as our weakest link. Do not be the weak link.


There are four main types of security threats:

  • Device Infection - when a hacker successfully uses a virus or malware to do things such as take control of your camera, operate your computer remotely, or lock you out of your device

  • Account Breach - when a hacker gains access to accounts such as social media accounts or VAN

  • Device Loss and Theft

  • Eavesdropping/Physically Spying


Device Infection

The best thing you can do to prevent a virus from infecting your device is to keep it up to date at all times. 


Make sure that all your phones, tablets, and computers are set to update automatically. If you ever get a notification that tells you to restart your device, you should do it right away. This is because the manufacturer is constantly testing its systems and making repairs. If Apple or Microsoft has identified an issue, it is more than likely that less-friendly actors also know about it and will try to exploit it before you get your device updated.


We also recommend that you encrypt your laptop disk. You can find instructions on how to do that here for Windows computers and here for Macs.


Lastly, we recommend you use Chrome for web browsing both on your laptop and phone, with the following extensions installed:

  • HTTPS Everywhere - Encrypts your browser connection even on less-secure sites.

  • uBlock Origin - Blocks a variety of threats

  • Google Password Checkup - Will let you know if one of your passwords has been compromised.

  • Your choice of password manager (see password manager below)


Account Breach

The best thing you can do to prevent an account breach is using long, randomly generated passwords, utilizing two-factor authentication wherever possible, and being alert for phishing emails.


The most common mistake in data security is using weak passwords, or reusing the same password on multiple websites. This is why we recommend a password manager. The DNC specifically recommends LastPass or 1Password. 


With a password manager, you set one master password and then allow the manager to generate long, random passwords for all the websites you visit. The great thing is, in addition to being more secure, it’s super easy because you only have to know the one password! You can find LastPass here and 1Password here.


If you opt not to use a password manager, do not use the same password across multiple sites. This is because, if one site is hacked, hackers will use that password on all your other accounts, betting that you used the same one elsewhere. Outsmart them. Don’t reuse passwords. 


Two-factor authentication means that, in addition to your password, there is a second code that is randomly generated and sent to you. This can be via email, text message, another device or an authentication app. 


Authentication apps are the most secure because they cannot easily be intercepted like a text or an email. The DNC recommends Authy (found here) because if your device is lost or stolen you still have access to your codes. Google Authenticator (instructions here) is also acceptable, but beware that it might be difficult to access your accounts if your device is lost or stolen.


You should set up two-factor authentication on all accounts where it is offered, both for personal and campaign-related accounts. This includes, but is not limited to:

  • VAN

  • Gmail

  • Outlook

  • Slack

  • Twitter

  • Facebook

  • Instagram


Phishing is when an actor who wants to steal your account info poses as another website or someone you know to get you to click a link or hand over passwords. We’ll go over some of the basics on how to spot phishing here. If you ever encounter a phishing email, please forward it to collin@dfl.org.


First of all, no reputable website will ever ask you for your password. If a person claims to need your password to assist you with something, they are definitely not who they say they are, and you should not respond. 


Other phishing attempts are more sophisticated. For example, many phishing emails look like they come from someone you already know. 


For example, here is an email purporting to be from Wells Fargo. 


[Image: Anatomy of a Phishing Email | Vade Secure]


Can you spot the signs of a phishing attempt?

  1. The sending address is long, contains random letters and numbers, and the domain name (after the @) is not Wells Fargo.

  2. The body of the email is vague and contains grammatical errors that are uncharacteristic of a legitimate corporate email. 

  3. There is a link in the email. Anytime you get a link in an email, mouse over it and check whether the URL matches the description of the site. 

  4. The sign-off does not name an actual part of any organization.


When in doubt, email collin@dfl.org!


Device Loss and Theft

The best thing you can do to prevent theft is to keep your device on you at all times and set strong passwords. 


Much like passwords on your accounts, you want your passwords on your laptop and smartphone to be as strong as possible so if your device is stolen, hackers can’t get in. 


Of course the best thing to do is to keep your device with you at all times. With most of us working from home, this should be less of an issue, but if you do go out, keep your device locked and on your person.


Eavesdropping

The best thing you can do to prevent eavesdropping is to encrypt your communications.


The DNC recommends Signal for encrypted communications. All DFL employees should be using Slack for work purposes. 


When joining conference calls, use your laptop, or use the Zoom/Google Meet app on your smartphone. Do not call in with your phone number. 


--


If you have not already, please fill out this form to ensure all your devices are up to date and you have the tools necessary to keep DFL data safe.


--


Thank you for sticking with this critically important topic. As always, we wanted to highlight a few more articles in our knowledge base:


Please submit any additional requests for Articles on our Knowledge Base here.


Have a great weekend!


Thomas & the DFL Data Team