Secure Communication

SECURE COMMUNICATION For activists and privacy conscious users 11-Feb-16 https://www.cudeso.be

Goal • Defend yourself and your friends from surveillance • Use secure technology • Apply best practices • Use common sense

• Based on EFF – Surveillance Self Defense •  https://ssd.eff.org/

11-Feb-16

Secure Communication 2

Threat Modeling •  What do you want to protect?

•  Assets, your data (e-mails, messages, files) •  Who do you want to protect it from?

•  Who is your adversary? Their capabilities. •  How likely is it that you will need to protect it?

•  Likelihood of unauthorized access to your data. The risk •  How bad are the consequences if you fail?

•  What is the possible damage? Financial loss? Reputational loss? •  How much trouble are you willing to go through in order to try to

prevent those?

•  Threat = a bad thing that can happen •  Risk = a likelihood that an incident will occur

11-Feb-16


Don’t get paranoid • Risk analysis based on risk and capabilities is

•  Personal •  Subjective

• Your threat actor might be the only threat actor • You might be one of many subjects

•  High numbers of subjects decrease the likelihood that you become a victim

•  Every threat actor has limited capabilities

• Risk of tunnel vision •  Technology is only the tool. Your brain is the strongest

lock.

11-Feb-16


Best practices • Secure your computer and devices

•  Protect your computer with a password •  Require a password when the computer starts or is locked •  Do not use “auto-login”

•  Protect your mobile phone with a PIN code or ideally a password •  Have your mobile phone set to use encrypted local storage

• You raise the bar for someone else to get easy access to your data. Requires the attacker to have minimal –computer- skills to read your personal information

11-Feb-16


Best practices • Use strong and long passwords, better use passphrases

•  Not only for your computer but for all your accounts

•  Ideally use a password vault with a strong master password •  LastPass, Dashlane

• Different passwords/passphrases for different accounts •  If supported, use 2 factor authentication

•  Extra protection with a code via an SMS •  Demo password strength test https://howsecureismypassword.net/ •  Use more than 10 characters with numbers and not easy to guess

•  Do not use Password, the name of your mother or the town where you live

11-Feb-16


Best practices •  “Password reset questions” on sites

•  Can be tiresome •  Use questions and answers that only you know

•  Even better: use store the questions and answers in a password vault

• Use full disk encryption •  Different levels of protection, depending on your adversary •  Some systems are flawed •  Make sure you have backups of your data

•  Encrypted backups or not?

11-Feb-16


Container encryption - TrueCrypt • Original developers stopped support • Still available for download from other sites

•  If you’re really concerned about the download check the hashes

•  https://truecrypt.ch/downloads/ •  https://www.grc.com/misc/truecrypt/truecrypt.htm

•  TrueCrypt containers are just “files”, they can be moved to other devices •  For example copy the TrueCrypt container to an external drive •  Share the password for unlocking via other secure channels

• Copy files from your “normal” drive to TrueCrypt

11-Feb-16


Container encryption - TrueCrypt •  Tutorial at : http://andryou.com/truecrypt/docs/tutorial.php

11-Feb-16


Container encryption - TrueCrypt • Workflow

•  Select TrueCrypt file •  Select a mount slot •  Click Mount •  Enter password

11-Feb-16


File encryption - GPG • GPG, digital signature and encryption

•  https://www.gnupg.org/

• Requires more technical knowledge •  http://ubuntuforums.org/showthread.php?t=680292

• Made more accessible via Keybase •  https://keybase.io/

•  Ideal for encrypting one file and then sending it over “unsafe” communication channel

• Protect your master-key! •  Store the revocation certificate in a safe place

•  Don’t lock yourself out

11-Feb-16


Best practices • Use different browsers

•  Firefox, Chrome, Safari, Opera, Internet Explorer •  Avoid Internet Explorer if possible

•  Closely tied to the operating system

• One browser only for “personal” things •  1 for online banking, e-mail , •  1 for information gathering •  1 for random browsing

• Use “Private” browsing •  No cookies •  No history •  Forensic research on your computer can still disclose your

browsing history 11-Feb-16


Best practices • Always type in the URL, do not click on a link • When you enter usernames and passwords, make sure

the website is secured - HTTPS

•  Log out of a website (e-mail, Facebook) once you no longer need it •  This prevents tracking

• Use disposable e-mail for subscribtions or one-time-only messages •  https://www.guerrillamail.com/ •  This is not “encryption”

11-Feb-16


Guerillamail

11-Feb-16


Best practices • Use an up-to-date system

•  All the Windows and Apple patches •  Use automatic updates •  Do not use Windows XP, Vista or old versions of Apple OSX

•  Any protection mechanism or encryption is useless when remote intrusion to your computer is childs ’play

•  Avoid Acrobat Reader and Microsoft Office documents •  Lots of vulnerabilities •  Loads external resources

•  Avoid Flash •  Do not use Java on your machine

11-Feb-16


Best practices • Use a system firewall

•  Build in for both Windows and Apple

• Use a virus scanner •  Make sure it is still active and receives the new updates •  Quality of free virus scanners is good, no real quality difference

with commercial –paid- virus scanners

11-Feb-16


Best practices • Enable the option for “remote wipe” of your telephone or

tablet •  Automatically when a wrong PIN is entered more than x times •  From remote when your device is lost

11-Feb-16


Best practices •  Limit the use of location services, enable them only for the

applications that you need it for • Disable share your location by default

11-Feb-16


Common sense • Do not connect to random wireless networks

•  Only connect to trusted networks, networks that you know • Protect your wireless network at home with a password • Do not let anyone else use your computer or telephone

un-attended • Never leave your device unlocked • Shoulder surfing

•  Someone eavesdropping when you enter your password

• Access your online accounts from trusted sources •  Logging in to your e-mail or Facebook from a “friends’computer” is

not always a good idea, depends on the trust you have in that friend

11-Feb-16


Common sense • Be careful with attachments that you did not request

•  Word documents, PDF files, … •  Even if it comes from a “trusted” contact

•  Mails can be easily spoofed (“pretending” to come from someone) •  If it comes from a trusted contact, ask that contact for clarification

•  Do not use the same transport (e-mail) for clarification, use telephone or messaging

• Do not install software from a popup or similar. Always make sure you started the install (and not by clicking on a link)

11-Feb-16


Social media • Social media

•  Do you really need to have your picture there? •  Why would you need tagging? •  Be aware of geo-location

•  No need to include all the location details

• One-on-one does not exist in social media •  It is a broadcast to everyone •  A message (almost) never goes away

•  Your data belongs to the net forever •  “Right to be forgotten” (ref. Google)

•  Other sites copy the content and do not comply with the request for deletion of data

11-Feb-16


Tor network – surf anonymously • Software to browse the Internet anonymously •  “normal” network packet : sender + destination

•  Path to destination is more or less pre-defined and is (almost) fixed

•  “tor” network packet : packet wrapped in multiple layers •  Path to the destination is not pre-defined and changes

11-Feb-16


client router 1 router 2 server

client

server

Tor network • Volunteer driven • Can be slower • Some destinations block connections from Tor •  “Deep” web / “Dark” web • Sites can also be “hosted” on Tor

•  Only reachable via Tor • Criminals also want to surf anonymously

•  Police doesn’t like it •  Silk Road one of the most known Tor sites

•  Drugs, weapons •  Merely using Tor can be a sign for law enforcement to get more

interested

11-Feb-16


Tor network • Use the pre-packaged software •  https://www.torproject.org/download/download-

easy.html.en • Best practices still apply

•  Do not install extra “browser-plugins” •  Always use HTTPS •  Do not submit personal details on websites •  Do not open / download documents when online

•  Some documents (PDF, Word) open “extra” files via Internet •  This happens “outside” Tor -> discloses your normal Internet connection

11-Feb-16


Tails •  “Computer from an USB” •  Focused on privacy and anonymity •  https://tails.boum.org/

11-Feb-16


Signal - Secure phone &messages • Signal Open Whisper Systems • Encrypted • Secure phone conversations • Secure text messages • Requires Internet connection •  https://whispersystems.org/

•  Only install from App Store or Google Play

• As always, best practices apply •  Lock your device •  Protect it with a PIN code •  Do not use it with untrusted partners

11-Feb-16


Signal

11-Feb-16


Secure e-mail • Use IMAPS • Use Authenticated SMTP and do not use POP •  If you are really paranoid you should not use e-mail

•  If your browser or computer has been hacked then “secure” e-mail will not protect you

• Keep a sane Inbox •  Delete mails. Also the “Sent” mails •  Empty the deleted e-mails •  Trust (?) your provider not storing the deleted / purged e-mails

somewhere else

11-Feb-16


ProtonMail • Build by students from MIT and people from CERN

•  In Switserland, strong privacy laws

•  https://protonmail.com/ •  [email protected]

•  Future [email protected]

•  For privacy conscious users •  Free

•  Huge success, “waiting list” : can take up multiple days •  Get immediate access with donations

•  17 (basic) to 73 (Mobile + 1GB) EURO •  500MB storage •  1000 messages per month

11-Feb-16


ProtonMail •  Two passwords

•  One to access your account

•  One to decrypt your mailbox

11-Feb-16


ProtonMail • Send mail to users not using ProtonMail

•  Use a one-time password •  The message will expire after a while

11-Feb-16


Tutanota • Alternative to Protonmail

•  https://tutanota.com/ •  No waitinglist •  Germany based •  1GB storage •  No aliases •  Free for non commercial use •  Use your own domain with

the Premium version

11-Feb-16


Tutanota

11-Feb-16


Tutanota • Send e-mails to users not using Tutanota with a shared

password

11-Feb-16


Take-aways • Do not get paranoid • Use common sense • Use secure websites (HTTPS) for personal data

•  Also for e-mail (IMAPS + Authenticated SMTP) • Do not open documents from untrusted sources • Set strong passwords • Do not use untrusted networks and devices •  Lock devices with passwords and pins

•  Remote wipe and wipe after unsuccessful pins • Keep your systems up to date

•  Operating system and applications • Use firewall and anti-virus

11-Feb-16


Take-aways - tools •  For disposable messages / mail

•  https://www.guerrillamail.com/

• Secure phone and messages •  https://whispersystems.org/

•  Tor surf anonymously •  https://www.torproject.org/download/download-easy.html.en

• Private e-mail with ProtonMail or Tutanota •  https://protonmail.com •  https://tutanota.com/

•  TrueCrypt •  https://truecrypt.ch/downloads/

11-Feb-16


Contact • Use common sense • Be vigilant but don’t get paranoid

• Contact •  https://www.vanimpe.eu •  https://www.cudeso.be

•  @cudeso

11-Feb-16
