Upload
koen-van-impe
View
1.062
Download
0
Embed Size (px)
Citation preview
SECURE COMMUNICATION For activists and privacy conscious users 11-Feb-16 https://www.cudeso.be
Goal • Defend yourself and your friends from surveillance • Use secure technology • Apply best practices • Use common sense
• Based on EFF – Surveillance Self Defense • https://ssd.eff.org/
11-Feb-16
Secure Communication 2
Threat Modeling • What do you want to protect?
• Assets, your data (e-mails, messages, files) • Who do you want to protect it from?
• Who is your adversary? Their capabilities. • How likely is it that you will need to protect it?
• Likelihood of unauthorized access to your data. The risk • How bad are the consequences if you fail?
• What is the possible damage? Financial loss? Reputational loss? • How much trouble are you willing to go through in order to try to
prevent those?
• Threat = a bad thing that can happen • Risk = a likelihood that an incident will occur
11-Feb-16
Secure Communication 3
Don’t get paranoid • Risk analysis based on risk and capabilities is
• Personal • Subjective
• Your threat actor might be the only threat actor • You might be one of many subjects
• High numbers of subjects decrease the likelihood that you become a victim
• Every threat actor has limited capabilities
• Risk of tunnel vision • Technology is only the tool. Your brain is the strongest
lock.
11-Feb-16
Secure Communication 4
Best practices • Secure your computer and devices
• Protect your computer with a password • Require a password when the computer starts or is locked • Do not use “auto-login”
• Protect your mobile phone with a PIN code or ideally a password • Have your mobile phone set to use encrypted local storage
• You raise the bar for someone else to get easy access to your data. Requires the attacker to have minimal –computer- skills to read your personal information
11-Feb-16
Secure Communication 5
Best practices • Use strong and long passwords, better use passphrases
• Not only for your computer but for all your accounts
• Ideally use a password vault with a strong master password • LastPass, Dashlane
• Different passwords/passphrases for different accounts • If supported, use 2 factor authentication
• Extra protection with a code via an SMS • Demo password strength test https://howsecureismypassword.net/ • Use more than 10 characters with numbers and not easy to guess
• Do not use Password, the name of your mother or the town where you live
11-Feb-16
Secure Communication 6
Best practices • “Password reset questions” on sites
• Can be tiresome • Use questions and answers that only you know
• Even better: use store the questions and answers in a password vault
• Use full disk encryption • Different levels of protection, depending on your adversary • Some systems are flawed • Make sure you have backups of your data
• Encrypted backups or not?
11-Feb-16
Secure Communication 7
Container encryption - TrueCrypt • Original developers stopped support • Still available for download from other sites
• If you’re really concerned about the download check the hashes
• https://truecrypt.ch/downloads/ • https://www.grc.com/misc/truecrypt/truecrypt.htm
• TrueCrypt containers are just “files”, they can be moved to other devices • For example copy the TrueCrypt container to an external drive • Share the password for unlocking via other secure channels
• Copy files from your “normal” drive to TrueCrypt
11-Feb-16
Secure Communication 8
Container encryption - TrueCrypt • Tutorial at : http://andryou.com/truecrypt/docs/tutorial.php
11-Feb-16
Secure Communication 9
Container encryption - TrueCrypt • Workflow
• Select TrueCrypt file • Select a mount slot • Click Mount • Enter password
11-Feb-16
Secure Communication 10
File encryption - GPG • GPG, digital signature and encryption
• https://www.gnupg.org/
• Requires more technical knowledge • http://ubuntuforums.org/showthread.php?t=680292
• Made more accessible via Keybase • https://keybase.io/
• Ideal for encrypting one file and then sending it over “unsafe” communication channel
• Protect your master-key! • Store the revocation certificate in a safe place
• Don’t lock yourself out
11-Feb-16
Secure Communication 11
Best practices • Use different browsers
• Firefox, Chrome, Safari, Opera, Internet Explorer • Avoid Internet Explorer if possible
• Closely tied to the operating system
• One browser only for “personal” things • 1 for online banking, e-mail , • 1 for information gathering • 1 for random browsing
• Use “Private” browsing • No cookies • No history • Forensic research on your computer can still disclose your
browsing history 11-Feb-16
Secure Communication 12
Best practices • Always type in the URL, do not click on a link • When you enter usernames and passwords, make sure
the website is secured - HTTPS
• Log out of a website (e-mail, Facebook) once you no longer need it • This prevents tracking
• Use disposable e-mail for subscribtions or one-time-only messages • https://www.guerrillamail.com/ • This is not “encryption”
11-Feb-16
Secure Communication 13
Guerillamail
11-Feb-16
Secure Communication 14
Best practices • Use an up-to-date system
• All the Windows and Apple patches • Use automatic updates • Do not use Windows XP, Vista or old versions of Apple OSX
• Any protection mechanism or encryption is useless when remote intrusion to your computer is childs ’play
• Avoid Acrobat Reader and Microsoft Office documents • Lots of vulnerabilities • Loads external resources
• Avoid Flash • Do not use Java on your machine
11-Feb-16
Secure Communication 15
Best practices • Use a system firewall
• Build in for both Windows and Apple
• Use a virus scanner • Make sure it is still active and receives the new updates • Quality of free virus scanners is good, no real quality difference
with commercial –paid- virus scanners
11-Feb-16
Secure Communication 16
Best practices • Enable the option for “remote wipe” of your telephone or
tablet • Automatically when a wrong PIN is entered more than x times • From remote when your device is lost
11-Feb-16
Secure Communication 17
Best practices • Limit the use of location services, enable them only for the
applications that you need it for • Disable share your location by default
11-Feb-16
Secure Communication 18
Common sense • Do not connect to random wireless networks
• Only connect to trusted networks, networks that you know • Protect your wireless network at home with a password • Do not let anyone else use your computer or telephone
un-attended • Never leave your device unlocked • Shoulder surfing
• Someone eavesdropping when you enter your password
• Access your online accounts from trusted sources • Logging in to your e-mail or Facebook from a “friends’computer” is
not always a good idea, depends on the trust you have in that friend
11-Feb-16
Secure Communication 19
Common sense • Be careful with attachments that you did not request
• Word documents, PDF files, … • Even if it comes from a “trusted” contact
• Mails can be easily spoofed (“pretending” to come from someone) • If it comes from a trusted contact, ask that contact for clarification
• Do not use the same transport (e-mail) for clarification, use telephone or messaging
• Do not install software from a popup or similar. Always make sure you started the install (and not by clicking on a link)
11-Feb-16
Secure Communication 20
Social media • Social media
• Do you really need to have your picture there? • Why would you need tagging? • Be aware of geo-location
• No need to include all the location details
• One-on-one does not exist in social media • It is a broadcast to everyone • A message (almost) never goes away
• Your data belongs to the net forever • “Right to be forgotten” (ref. Google)
• Other sites copy the content and do not comply with the request for deletion of data
11-Feb-16
Secure Communication 21
Tor network – surf anonymously • Software to browse the Internet anonymously • “normal” network packet : sender + destination
• Path to destination is more or less pre-defined and is (almost) fixed
• “tor” network packet : packet wrapped in multiple layers • Path to the destination is not pre-defined and changes
11-Feb-16
Secure Communication 22
client router 1 router 2 server
client
server
Tor network • Volunteer driven • Can be slower • Some destinations block connections from Tor • “Deep” web / “Dark” web • Sites can also be “hosted” on Tor
• Only reachable via Tor • Criminals also want to surf anonymously
• Police doesn’t like it • Silk Road one of the most known Tor sites
• Drugs, weapons • Merely using Tor can be a sign for law enforcement to get more
interested
11-Feb-16
Secure Communication 23
Tor network • Use the pre-packaged software • https://www.torproject.org/download/download-
easy.html.en • Best practices still apply
• Do not install extra “browser-plugins” • Always use HTTPS • Do not submit personal details on websites • Do not open / download documents when online
• Some documents (PDF, Word) open “extra” files via Internet • This happens “outside” Tor -> discloses your normal Internet connection
11-Feb-16
Secure Communication 24
Tails • “Computer from an USB” • Focused on privacy and anonymity • https://tails.boum.org/
11-Feb-16
Secure Communication 25
Signal - Secure phone &messages • Signal Open Whisper Systems • Encrypted • Secure phone conversations • Secure text messages • Requires Internet connection • https://whispersystems.org/
• Only install from App Store or Google Play
• As always, best practices apply • Lock your device • Protect it with a PIN code • Do not use it with untrusted partners
11-Feb-16
Secure Communication 26
Signal
11-Feb-16
Secure Communication 27
Secure e-mail • Use IMAPS • Use Authenticated SMTP and do not use POP • If you are really paranoid you should not use e-mail
• If your browser or computer has been hacked then “secure” e-mail will not protect you
• Keep a sane Inbox • Delete mails. Also the “Sent” mails • Empty the deleted e-mails • Trust (?) your provider not storing the deleted / purged e-mails
somewhere else
11-Feb-16
Secure Communication 28
ProtonMail • Build by students from MIT and people from CERN
• In Switserland, strong privacy laws
• https://protonmail.com/ • [email protected]
• Future [email protected]
• For privacy conscious users • Free
• Huge success, “waiting list” : can take up multiple days • Get immediate access with donations
• 17 (basic) to 73 (Mobile + 1GB) EURO • 500MB storage • 1000 messages per month
11-Feb-16
Secure Communication 29
ProtonMail • Two passwords
• One to access your account
• One to decrypt your mailbox
11-Feb-16
Secure Communication 30
ProtonMail • Send mail to users not using ProtonMail
• Use a one-time password • The message will expire after a while
11-Feb-16
Secure Communication 31
Tutanota • Alternative to Protonmail
• https://tutanota.com/ • No waitinglist • Germany based • 1GB storage • No aliases • Free for non commercial use • Use your own domain with
the Premium version
11-Feb-16
Secure Communication 32
Tutanota
11-Feb-16
Secure Communication 33
Tutanota • Send e-mails to users not using Tutanota with a shared
password
11-Feb-16
Secure Communication 34
Take-aways • Do not get paranoid • Use common sense • Use secure websites (HTTPS) for personal data
• Also for e-mail (IMAPS + Authenticated SMTP) • Do not open documents from untrusted sources • Set strong passwords • Do not use untrusted networks and devices • Lock devices with passwords and pins
• Remote wipe and wipe after unsuccessful pins • Keep your systems up to date
• Operating system and applications • Use firewall and anti-virus
11-Feb-16
Secure Communication 35
Take-aways - tools • For disposable messages / mail
• https://www.guerrillamail.com/
• Secure phone and messages • https://whispersystems.org/
• Tor surf anonymously • https://www.torproject.org/download/download-easy.html.en
• Private e-mail with ProtonMail or Tutanota • https://protonmail.com • https://tutanota.com/
• TrueCrypt • https://truecrypt.ch/downloads/
11-Feb-16
Secure Communication 36
Contact • Use common sense • Be vigilant but don’t get paranoid
• Contact • https://www.vanimpe.eu • https://www.cudeso.be
• @cudeso
11-Feb-16
Secure Communication 37