Digital Nomad's Guide to Information Security

By Philip Thomas, Moonlight co-founder

Hello from Barcelona! Last week, somebody stole the Moonlight team’s laptops out of our Airbnb. I have been spending the last few days configuring our new MacBooks. So, I am sharing the steps that we take to keep data secure.

Our small team travels internationally full-time with no permanent home or office. With the rise of digital nomadism, more people are working on laptops while moving between locations around the world. Many nomads freelance, which means that they have to protect others’ intellectual property. This burden requires you to play “IT department” for yourself - by setting up tools and policies to protect your data.

This guide can help any digital freelancer to keep their data secure.

Assumptions I make:

  • You’re working on a personal computer
  • If you’re not using OSX, you can find alternatives to the software I mention for your platform
  • Recoverability is worth some security sacrifices
  • Non-technical users should be able to understand and deploy these changes
  • Leverage commercial tools where they create a better user experience

Threats you face

The primary threat for a digital nomad is that your device gets stolen by an unsophisticated thief, then later ends up in the hands of a sophisticated attacker. Maybe somebody snatches the laptop off of a table at a coffee shop, then resells it to an organized criminal organization who knows how to extract information off of it.

The secondary threat model is that network traffic is being monitored and manipulated all the time, mainly while using wifi in public, coffee shops, hotels, Airbnbs, and airports. If you send secret information that is not encrypted, you have to assume it has been compromised.

A tertiary threat model is that of a nation-state attacker with access to tools such as advanced attacks or compelling you to unlock devices, such as while crossing an international border. I don’t focus on this threat model, but it is one to be aware of as you plan your travels. If your company or clients consider this a compelling threat, you need more different guidance than this article provides.

General strategy

Encrypt data

Use a password manager to store passwords and travel documents Use two-step verification everywhere, and opt for U2F where available Keep as little information on the computer as possible by leveraging cloud Never leave a laptop alone when unlocked, and power it down when unattended

Hardening OS X

This section covers low-difficulty, high-impact actions that you can take to protect your computer. Technical users should review more comprehensive hardening guides. MacBooks already include strong built-in security, but in many cases you still have to turn it on.

This security model relies on disk encryption with FileVault. You are safe from data theft if somebody steals your encrypted computer while it is powered off. Many of the other security steps we take, ranging from physical security to requiring admin passwords more often, minimize what an attacker can do with an unlocked laptop.

  • Memorize a long, unique user password: Four common words together create a secure password.
  • Encrypt storage with FileVault: This is the single most important action that you can take for physical data security. FileVault provides a backup key that you can use in case you forget your password. I prefer to store this key in 1Password and to disable iCloud’s ability to unlock the encryption.
  • Require an administrator password to change settings: If an attacker gains access to your locked computer, then this feature helps to prevent them from disabling your security.
  • Disable the guest user account: By default, anybody can use your Mac as a guest. If an attacker can use the laptop in guest mode, they are more likely to use it and charge it. Ideally, you want a thief to ignore your stolen laptop until it runs out of battery, at which point it will default to a secure, locked state.
  • Block network activity with the Application Firewall: Enable the OS X Application firewall in stealth mode. Disable all incoming connections.
  • Enable a Firmware Password: This stops attackers from being able to access low-level firmware commands on your computer. I mainly do this because it prevents an attacker from being able to wipe and resell a laptop. Note that sophisticated attackers can access this password in plaintext - so do not reuse this pin anywhere.

Securing accounts:

1Password: Using a password manager is the best way to secure your accounts. You should use it to store a unique, secure password for every single website that you visit. Ideally, you should not even have seen your password for most sites. Also, you can store files, two-factor authentication seeds, credit card numbers, and any other information you use. I like 1Password because it is easy to use, integrates easily with Chrome, works great for teams, and syncs across devices.

Two-step verification everywhere: Logging in should require something you know (a password) and something you have (a one-time password). You should be diligent about enabling it for every single account you have. Three main second factor methods exist:

  • Security experts consider U2F the best choice for authenticating login attempts. But, the technology is relatively new, so many sites do not yet support it. Also, it is not consistently easy to use on mobile. (See Yubikeys and SoftU2F below for usage information). A handful of major sites have added U2F support - including Google, Facebook, Stripe, Github, Twitter, and Salesforce.
  • Time-based pins (“Google Authenticator”-style) are the second-best solution because they are reasonably secure, can be stored in 1Password, and do not require internet access (or cell service) to use. Some caution against keeping these one-time codes in 1Password alongside the site passwords because it’s not a true “second” factor. However, as a digital nomad, replacing a phone can take weeks. Storing one-time passwords in 1Password lets you access your accounts from any computer.
  • SMS-based pins can be difficult to receive while traveling. Plus, they are considered generally insecure. Attackers can hijack your phone number and receive your text messages by just calling your telecom. If SMS is the only second form of authentication that you can use - it is better than nothing. However, security-conscious users disable SMS on their accounts if other second factor methods are available.

Yubikeys: If you want to take security very seriously, or if you are managing a distributed organization, then hardware U2F keys are essential. They look like flash drives, but function as digital keys for logging into websites. Google says that using them has neutralized employee phishing, and any large tech company now mandates that employees use them. You should ideally have one small U2F key that you can leave in your laptop USB port, and another on your keychain (or in your luggage) as a backup.

SoftU2F: If you cannot justify a hardware token (or if somebody stole your Yubikey with your laptop), then I recommend this free software from Github. It provides U2F support but stores the tokens in the OSX keychain. When you log into a site, you click “Allow” on a system pop-up instead of typing in a code. It’s incredibly convenient.

Securing network activity

encrypt.me: This software has been my favorite VPN solution for years, and it provides egress points around the world. I use it most often while traveling to access websites that require you to be in the USA. Normally, these are media sites - but many government sites (such as the California jury duty portal) require an IP address in the USA to use them! From a security perspective, encryption should come from the server instead of a VPN. If your ISP or network is censoring content or manipulating content, a VPN can tunnel your traffic to a different country. If you are working with a client who is not diligent about security, then you should use a VPN to tunnel out of local networks to minimize the risk of sniffing.

HTTPS Everywhere: This free browser plug-in is a no-brainer. If a website supports secure HTTPS, this makes sure that your browser uses it.

Keybase: I use this app to securely send messages, API keys, and files to collaborators and clients. Modern internet security is good at safely sending information between people. But, it is awful at confirming the identity of the other person. The risk is that you securely send secret information to the wrong person (or an imposter). Keybase provides a free way to verify identity using websites and social media accounts. It is also way easier to use than vanilla PGP.

TorBrowser: If you visit a secure website - your WiFi network, internet provider, and VPN cannot see the information on the page. But, they can see which site you are accessing. If you need to access websites anonymously, TorBrowser is the best way. It is popular among journalists in hostile countries.

Phone Security

Encrypt: In general, you should lock down your phone with encryption where possible, and require a password immediately on lock.

1Password: Install the password manager and sync it with your other devices.

Use USB Condoms: Before you go plugging your phone into random USB ports, airplane seats, and car chargers - it’s smart to use a small USB condom. I suggest using electrical tape to add them to the ends of your charging cables. A USB condom blocks data and allows power - which means that you can stop malicious USB ports from stealing your information or hijacking your phone. (Do you want your Uber driver to sync all photos off of your phone secretly? It’s not that hard.)

encrypt.me: I generally don’t use a VPN on my phone because it uses drains the battery faster. But, a standard subscription of Encrypt.me includes both laptop and phone support, so it is smart to use in case you are on a censored network.

Physical security

Alfred: I live in AirBNBs full-time, which means that I don’t have control over the locks on our listings. Alfred lets you turn an old smartphone into a Dropcam-style security camera. Plus, it sends push notifications to your phone with clips of movement. After a thief looted our apartment, I started using this app while we are gone. It’s less than $100 to buy an extra Android smartphone on Amazon, and the app is free - so it provides affordable peace of mind.

Google Home: As an additional security experiment, I am using Google Home to play music in our Airbnb while it is unoccupied. Ideally, it acts as a deterrent by making opportunistic thieves think that somebody is home.

Power off: When you are not in physical possession of phone or laptop, shut it down. Not standby - 100% off. If you are entering a high-risk scenario, such as checking a computer into luggage or leaving it with a porter, aim to power down the device a couple of hours ahead of time. Why? When your laptop is on, the computer saves the encryption key for unlocking the disk in memory. Sophisticated attackers, such as governments, can read this encryption key out of memory to compromise your device (sometimes for hours after it is turned off).

Remove sensitive data: If you have concerns about being compelled to unlock your computer - consider removing confidential information, such as company code, from the device. Basecamp requires their employees to do this while going through border control. 1Password even supports a travel mode that temporarily removes data from devices.

Add contact information to the lock screen: I suggest adding your phone number (with country code!) and email address to the lock screen of your laptop. If you lose your laptop, then the person who finds it can contact you.

Leverage the cloud: Where possible, keep data in the cloud instead of on your hard drive. If somebody steals the device, it is easy to revoke access. If you need to use a friend’s laptop, you can get most of your productivity back immediately. From a practical perspective, this means picking things like Figma over Sketch, or paying for 1Password so that you can access your information on their website. Tools like Dropbox and Google Drive can be used to sync your most critical files in real time, too.

Backblaze: I have been paying Backblaze $5/mo for years to back up my data. It keeps a cloud copy of my computer in near-real time. When a thief stole my laptop, I was able to sign in to Backblaze and download my uncommitted code changes. Compared to an external hard drive, a cloud backup cannot get taken with the laptop, and it is less likely to break. The downsides are that Backblaze keeps a copy of your files, not of the “whole computer” (e.g., your applications, configurations, etc.). Also, it can take a long time to download the information you need (mainly for big files on slow connections). It is critical that you set a security key in Backblaze to encrypt your data and store it in 1Password. Otherwise, if somebody compromises your Backblaze account (or their servers), then they have access to a copy of your computer.

Time Machine: If you rely on cloud backups, then it will take you days to download your information onto a new machine. Sometimes this isn’t about security - maybe you get a new laptop, or your hard drive fails. In those cases, you want to be able to get back to working as quickly as possible. OS X includes Time Machine, and it lets you restore your complete computer within a few hours from an external hard drive. I carry an external hard drive in my luggage, and my habit is to back-up my laptop every time I pack luggage. The most important thing is to encrypt your backup drive and store the key in 1Password. If you create a backup drive without securing it, then anybody with the drive can make a copy of your computer.

Preparing for disasters

Forward your 1Password emergency key: If you use 1Password’s website, they provide you with an emergency key to download. You need this key to recover access to your 1Password account if you lose your devices. It is critical that you do not store this in 1Password - because you may need it to access 1Password! I suggest emailing the key to a few trusted friends, and asking them to save the email should you ever need the key. With the key, you can access your full 1Password data through their website.

Store photos of your wallet contents: Save photos of the front and back of your credit cards, debit cards, ID cards, passport, and insurance cards in 1Password. If you lose an item and need to revoke it - it will save you valuable time to have the account number and phone number available already.

Store device serial numbers: Keep copies of the serial numbers for your phone, laptop, and other valuable electronics in 1Password. If it sounds annoying to do now, then it will be a lot more annoying to do when you no longer have the devices and are scouring through email purchase receipts. Where possible, keep the original purchase receipt in 1Password to expedite insurance claims and police reports.

Copy your passport: Where possible, keep your passport in a safe and carry a paper copy of it.

Passport card: If you are a US Citizen, I recommend paying an extra $30 when you renew your passport to get a passport card. The card is pretty useless regarding crossing borders. But, I prefer to carry this daily instead of my passport book (or a paper copy) while outside of the country. It has more clout than state drivers’ licenses abroad.

Fleetsmith: If you are managing laptops for others, check out Fleetsmith. Their free plan tells you whether critical security features like encryption and firewall are enabled, plus it inventories device serial numbers.

Enroll in Find My Mac and iPhone / Google Find Your Phone: These free systems allow you to track and erase stolen devices. In the off chance that somebody gains access to your unlocked MacBook, iCloud will let you remotely lock and wipe it. You may want to add your significant other or family through Family Sharing so that they can sign in and manage lost devices if you lack access to the internet.

Disaster recovery

If you have a device lost or stolen, here are steps that you should take:

iCloud / Google Find Your Phone: If you can actively track your device after losing it, then I suggest passing that information to the police. However, if it is not immediately available, then I think that you should bite the bullet and request a full remote erase.

File a police report: You will need your ID, device serial numbers, and the values of the items.

Prepare for phishing messages: Attackers have sophisticated software designed to steal your Apple ID. Be prepared for text messages linking to fake Apple login pages. I was phished for months after a person took my phone in San Francisco. Be alert, only log into Apple.com and iCloud.com, and block numbers that send you phishing messages!

Revoke lost keys: For any lost Yubikeys or SoftU2F keys - log into all of the accounts and revoke the tokens.

Notes to nomadic app developers

If you are coding a personal project while traveling, here are some suggestions for protecting your user data:

Allow revoking sessions: If you are coding an app, it’s normal to have a “Remember Me” button. After you log in, if you lose access to that browser - you need a way to cancel the session! You do this by storing a revocable identifier on the server. Otherwise, an attacker can gain access to your system - and you can’t stop them!

HTTPS all resources: With tools like LetsEncrypt and Caddy, there should be no excuse not to offer HTTPs security. Companies like Google are ditching the VPN - and you should, too! Standardize login: For self-hosted resources like CI services, ticketing software, BI software, etc. - you need to control login in one place. Even if these systems have built-in auth systems - you do not want the internet to have access to the app until you have validated their identity first. Lockdown internal resources with reverse proxies like Cloudflare Access and Cloud Identify-Aware Proxy to prevent attackers and former collaborators from gaining access to internal systems.

HSTS Everything: If you run a secure site at example.com, users normally find out that it is a secure page by making an insecure request first. So, if they type example.com into their browser - the first request is insecure until your server responds saying “NO! Use the secure HTTPS version!” During this first request, your site is vulnerable - and an attacker could pretty easily pretend to be you. All HSTS cookies say is “Only connect to this site using HTTPS in the future.” You can go further and stop a browser from ever making an insecure request to your site by registering it with the HSTS Preload system. Vulnerable websites like banks and financial institutions tell web browsers to hard-code that their domains require secure connections. You can have web browsers like Google Chrome be pre-programmed to skip insecure requests to your specific site by registering for the HSTS Preload system.

Disable insecure database access: With tools such as Sequel Pro, it’s way too easy for any user to transmit a database password without encryption accidentally. Once that is done, you could easily have a data breach where an attacker reuses the stolen password. So, it is crucial to prevent unencrypted connections to your databases. Where possible, also lock down your firewall rules to prevent login attempts from untrusted sources. We allow read-only database queries through a secured Metabase web app, and we primarily restrict edit access to CI and Google’s cloud terminal. That way, database access never is unencrypted.

Sign your code: If somebody hijacks your Git server, they should not be able to change the code that runs on your servers. On distributed teams, it is important to verify who wrote which code. With Git code signing, each user can validate that they wrote a piece of code. Github and other code repositories can be configured to show, verify, and enforce the signing of commits.

--

If you have any feedback, please let us know, and we are happy to update this guide.