Personal Security 101 (Work In Progress!)

Illusion
Member
Posts: 365
Joined: Thu Jul 09, 2009 8:05 pm

Personal Security 101 (Work In Progress!)

Post by Illusion » Wed Apr 04, 2012 3:53 pm

I've posted this in here (SG) whilst it's a work in progress; it's far from complete, but there is definitely a need for this at the moment.

I think I've written on Personal Security before, perhaps a bit hypocritical really - considering how lax mine got until now! Considering I've had the unenviable task of fixing about 2 years' worth of idiocy, I feel rather qualified to talk about this.. :P

First of all - Persec is pretty important now, regardless of who you are and what you do. Persec covers things from malware, computer system intrusions, data being compromised on web apps - or snooping, eavesdropping and other interceptions. The days of persec merely being for those with something to hide are long gone.

Civil liberties organisations are causing uproar regarding laws that seek to remove any sense of privacy and security that we used to be afforded. Now is the time to invest a few minutes of your time to make those laws as difficult to implement as possible - if it only means wasting their time whilst you play cat-and-mouse; it sends a clear signal that people will no longer stand to have the liberties violated.

As a side note, I used to possess strong conservative views (which, I believe, are similar to Republican views in America) - with an emphasis on patriotism and defence. I in fact decided to join the army, but due to circumstances some of you know, I was unable to (after having my date for Phase I (Basic for you yanks ;))) - something I still have issues regarding. Why do I say this? I am not some wannabe anarchist, some conspiracy theorist or anything other - I'm simply a young man who believes he has the right to privacy, as does every other citizen of a "free society", at least until there is evidence regarding activities that warrant such an intervention.

This is by no means comprehensive, in fact, I aim to edit it and improve it as time goes on - as at the moment I am in the middle of a major study session and am merely penning my own thoughts.

Before we move on to Personal Security itself, it's perhaps rather important to address electronic security.

Email, Chat and Communications
These are the 3 main issues for any budding eavesdropper; who are you talking to, and what are you saying?

Perhaps the biggest, but often most misunderstood, service of secure email is hushmail. The sign up process here is incredibly fast, being about 4 pages. However, that ease of sign-up comes at a huge price - hushmail offer no help if your data is requested. In the past they have been only too eager to hand data over to authorities. If your intention is just to play cat-and-mouse though; look no further.

You can always roll your own encrypted email though, using a package such as PGP - pretty good privacy. By encrypting the emails, even if your mail server is asked to provide data - you're good to go, as they will just be gaining access to the encrypted records.

If you tie it in with a mail provider that offers POP3/IMAP access, then it's perfectly possible to run a portable version of your mail software - and have it located on a truecrypt volume. (More about truecrypt later)

Often Instant Messaging packages, such as pidgin, have an option for encryption. However, do some research before choosing a package - for most purposes, this is more than enough to play a game of "cat-and-mouse" again.

A notable, but surprisingly often forgotten, issue is that of logs. Whilst some people secure their software adequately, this is pointless if they have plain text logs sitting around. Once again - a live version of the IM software and a truecrypt volume will allow you to keep logs if needed, whilst maintaining a degree of security.

Web Applications
This is very simple - try not to depend on them. Web Apps come and they go, but your data doesn't. When you use a web application you are often putting a lot of faith in them, and trusting them with a lot of data.

Being tied into a web application that is compromised, closes down or otherwise becomes unusable is not a fun experience! So try and use these sparingly.

If you absolutely must use one - think password security. This is old news, but the amount of people who use one password is astounding - this is 2012 guys. An easy way to generate passwords is to have a set string of two or three characters, such as "!@#" and then think of a word - such as "nikki" - and substitute letters for numbers.

So we have "!@#n1kk1@#!", which is surprisingly easy to remember if you keep the same characters - but just change the word. However, these passwords soon add up and it's often useful to have some software to offer a helping hand.

Enter Personal Information Management software - such as EssentialPIM. Now I'd often advise against using software with important data such as this, but combined with its portability and the security that comes with a truecrypt volume - it can be made to be a pretty secure solution that enables a greater amount of freedom with passwords. Furthermore, EssentialPIM has the option to self-encrypt its database files - not that I'd put too much faith in this facility.

Encryption
We've been talking a lot about "Truecrypt Volumes" - so what are they?

Truecrypt is a multi-platform encryption package that has some really neat features, such as full disk encryption as well as the ability to create "volumes"; essentially virtual disks that can be mounted through the truecrypt application.

All encryption is handled on the fly; and all the volumes are treated by your Operating System as a removable device - ala a USB disk.

For added security you can use a password with the addition of a "keyfile" - the keyfile must be present when you access your truecrypt volume. That said, remember that if you lose this password or if you delete the keyfile - you are definitely going to be in hot water. Finding a way to solve this without compromising your security is going to be difficult - and as such, this is probably one area where you can accept having a slight chink in your armour - as it does allow you an extra layer of armour.

Whilst there are other encryption packages around, truecrypt is an open-source one which opens the avenue of people doing independent code reviews to verify its security. Furthermore, it's not platform specific - which if you use multiple Operating Systems like me - can be incredibly useful.

Web Browsing and Anonymity
One of the most important matters when ramping your Persec up a gear is building some form of anonymity, whilst avoiding the natural "slow-downs" that are often associated with anonymity.

Proxies
Web Proxies aren't very flexible and generally only offer to mask your browsing habits using Port 80 - HTTP. As such, whilst they might help with browsing the internet, they don't offer any other features.

Perhaps the only real advantage is the fact you can choose which country your proxy is in. However, finding decent ones can often be a chore.

TOR and Freenet
These are two projects that have some similarities and some key differences.

Freenet is essentially a network of computers, which work slightly similar to a P2P network - where data is taken from other nodes on the network - meaning that speed is dependent on how many nodes are available and sharing with you.

Naturally, connecting to nodes and the data being stored on their system can pose a slight security risk - so you can opt to have your security settings at the highest possible; this allows you to choose which nodes you connect to - and you will connect to only those nodes.

The network itself does have some useful data on, some good text files and other resources. However, there is also a large amount of questionable pornography - however, this is an issue that is also present on TOR.

TOR is a similar package in the sense it gives you access to ".onion sites" - sites with cryptic character URLs that host all sorts of data; from poetry to text files to the usual questionable pornography.

However, TOR isn't a closed network - it offers anonymity for using the internet as a whole. Your traffic will go through nodes such as yourself, before leaving an "exit node" where it will interface with the internet itself. This is where things can get a little interesting though..

Anyone can specify, in a configuration file, to run an exit node. Given the amount of traffic that will be going through your system if you do this, it gives plausible deniability of any traffic that goes through your system - and also increases the signal-to-noise ratio; i.e if someone is monitoring your traffic, they suddenly have a whole lot more traffic to sift through without even being certain of what is yours!

TOR has a few vulnerabilities, such as running an exit node and recording the traffic; however that will give your data away - but not your identity. (Dependent on what you're doing) There is also the "Privoxy" package that acts as a local proxy to help maximise the security of your traffic. Also, rather handily, you can download them together as "Vidalia" and install a firefox add-on that allows you to switch tor on and off.

You can also configure chat applications to run through tor, and in the case of linux, you can run the "torify" command and specify pretty much any application to utilise the anonymity of tor.

It must be stated though, that whilst TOR offers a decent level of anonymity - it can be painfully slow, and Freenet is marginally quicker; but a closed off network.

Virtual Private Networks
The path that is often considered the best, and the fastest, is a VPN. This is usually the most expensive though; what with most VPN services being paid for.

Like email providers, you need to ensure what the provider's policy is regarding Law Enforcement Co-operation. In this document we are largely discussing "cat-and-mouse"; but for P2P usage I got a 3 month subscription to iPredator for 15EUR.

iPredator is linked to ThePirateBay, and is based in Sweden. They also claim that they will not cooperate with LE, unless the offence that is being suspected could warrant more than 2 years imprisonment under the Swedish legal system.

VPNs will also give you immunity from ISP level snooping. Additionally; you can run all the above services through a VPN - as they are treated as a network connection by the Operating System; not a proxy.

Speed wise, there are generally minimal side effects with VPNs - depending on your provider.

General Computer Security
All of these measures are pointless however, if you have an infestation of malware! This is obvious - but actually run your anti-virus software, your anti-spyware software and check your firewall rules.

Most of us probably download a fair bit - this increases our risk of infection tenfold. To think of it in biological terms; we can stand on a needle and get AIDS - or we can go around sleeping with anything that breathes and refusing to wear protection; file-sharing without common sense is doing just that. So check reviews, scan files and pay attention to firewall requests and registry changes.

Just because you don't run Windows doesn't mean you're immune. Yes, windows will take the biggest share of attacks; purely due to the popularity - however as Mac OS X gains popularity, so has the rate of attacks leveled against it. Even Linux has had a few attacks.

There is enough freeware out there to have a good security set-up without having to spend any money. ZoneAlarm or COMODO for a firewall, Avast!, Panda or AVG for Anti-Virus. Spybot for Spy-ware protection.. It's easy to do. (Spybot also rocks for the registry protection)

Furthermore, delete wisely. The amount of space that can be saved just by running CCleaner is pretty surprising. Then using a software package such as "Eraser" (available for both Linux and Windows) is sensible. Eraser allows the secure deletion of data with the overwriting of the space it occupied; furthermore it allows the overwriting of ALL free space on a HD. The command line options of the linux version are pretty powerful.

As our phones become more like small computers, a lot of this information applies to them as well.

Personal Security
So, now we get on to the real subject matter! Unfortunately, and rather ironically, I am running out of time as I get to this bit. So this will be the first bit to be edited and improved upon.

By applying the tips above we can be anonymous, talk in the safety of encryption and be safe in the knowledge that our data is. However, all that is in vain unless you're sensible with what you post on the internet and how you post it.

Social Networking websites are the biggest problems today; viewed as essential for those who are sociable - but present many problems to those who are security aware. Having a sensible approach to security is what matters here:
- Don't feel the need to fill in all the profile data; you can - but don't be too trusting.
- Lock down the privacy options, have random characters in your name etc (Although, Facebook appears to disregard privacy settings a lot of the time)
- Ensure old social networking websites are deleted.

Services such as "pipl" offer a very powerful tool for assessing your own security, in addition for assessing the security of others!
- To defeat this form of service; use different usernames wherever you go - or have a username for each hobby, and never use your real name. Do not be an idiot and use the same one - you WILL regret this.
- Have a cryptic email address, or multiple email addresses

When you post something on any website, consider whether you're comfortable having that information in the public domain. Once it's out there, it's out there.

Have a website? Do a WHOIS check on your domain name - 'nuff said.

Google yourself every now and again, if you can muster the balls, you probably won't like what you're going to find. When you manage to get those results down to something you like.. well, let's just say you've achieved enlightenment!

Discussion is highly encouraged in this thread! However, do not be offended about any discussion of advice you may post, and beware of the possible frankness of it - as when talking about security, "myths" can be dangerous. One member appears to have left after being unable to take healthy discussion of his claims, so 1337 h19h-sk001 h4x0rs with an ego bigger than their knowledge need not apply!
"I'm not worried about this because I am too strong, too good, too intelligent, but I want to say to the others 'don't follow the stupid'."
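As an added illustration of the password scheme in the opening post (this is example code written for this thread, not anything posted by Illusion or another member), the script below estimates how strong "!@#n1kk1@#!" looks if every character were random, versus how strong it is once an attacker models it as "fixed symbols + leet-substituted dictionary word + fixed symbols". The six-word wordlist and the 100,000-entry wordlist size are constructed assumptions.

```python
import math
import string

# Constructed sample wordlist; a cracker's real wordlist is far larger, so the
# size used for the entropy estimate is a separate, assumed figure.
SAMPLE_WORDLIST = {"nikki", "password", "welcome", "secret", "dragon", "monkey"}
ASSUMED_WORDLIST_SIZE = 100_000  # hypothetical size of an attacker's wordlist

# Common digit/symbol-for-letter substitutions ("leet") that mangling rules undo.
LEET_TO_LETTER = str.maketrans({"1": "i", "3": "e", "4": "a", "0": "o",
                                "5": "s", "7": "t", "@": "a", "$": "s"})
SUBSTITUTABLE = "ieaost"                               # letters with a leet form above
SYMBOL_BITS = math.log2(len(string.punctuation))       # ~5 bits per unknown symbol


def split_template(pw):
    """Split 'symbols + core + symbols' into (prefix, core, suffix)."""
    i = 0
    while i < len(pw) and pw[i] in string.punctuation:
        i += 1
    j = len(pw)
    while j > i and pw[j - 1] in string.punctuation:
        j -= 1
    return pw[:i], pw[i:j], pw[j:]


def naive_bits(pw):
    """Entropy if every character were an independent uniform pick from the
    character classes present. This is why '!@#n1kk1@#!' looks strong."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def template_bits(pw, affix_known, wordlist=SAMPLE_WORDLIST,
                  wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Entropy if the attacker models the password as affix + leet(word) + affix.
    Returns None when the core does not de-leet to a wordlist entry."""
    prefix, core, suffix = split_template(pw)
    word = core.translate(LEET_TO_LETTER).lower()
    if word not in wordlist:
        return None
    bits = math.log2(wordlist_size)                       # which word was chosen
    bits += sum(1 for c in word if c in SUBSTITUTABLE)    # leet on/off per letter
    if not affix_known:                                   # an affix reused on every
        bits += (len(prefix) + len(suffix)) * SYMBOL_BITS  # site is learned from one leak
    return bits


def report(pw):
    """Return the three estimates in one dict for side-by-side comparison."""
    return {
        "naive": naive_bits(pw),
        "template_affix_unknown": template_bits(pw, affix_known=False),
        "template_affix_known": template_bits(pw, affix_known=True),
    }


if __name__ == "__main__":
    for pw in ("!@#n1kk1@#!", "!@#s3cr3t@#!", "correcthorsebatterystaple"):
        print(pw, report(pw))
```

The gap between the "naive" and "template_affix_known" figures is the point: once the fixed "!@#" wrapper has appeared in one breached database, each further password in the scheme costs an attacker little more than a wordlist lookup.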

Ghost
Moderator
Posts: 632
Joined: Fri Oct 07, 2005 3:29 pm

Re: Personal Securit 101 (Work In Progress!)

Post by Ghost » Wed Apr 04, 2012 8:30 pm

Well, looks like I have a lot of work to do. Damn you for writing such a good guide.
"A man's greatest treasures are his illusions."

Xanatos
Moderator
Posts: 2675
Joined: Sun Jun 21, 2009 2:51 am
Location: The last place you look.

Re: Personal Securit 101 (Work In Progress!)

Post by Xanatos » Thu Apr 05, 2012 8:00 am

Handy tips, seems I've got a lot of work to do. If you ever get around to elaborating more on personal "securit" you should make a PDF for NOnet Resources.

EDIT: Fixed the title for you. :wink:
We are all books containing thousands of pages and within each lies an irreparable truth.
What is locked, can be opened. What is hidden, can be found. What is yours... can be mine.

Ghost
Moderator
Posts: 632
Joined: Fri Oct 07, 2005 3:29 pm

Re: Personal Security 101 (Work In Progress!)

Post by Ghost » Wed Apr 18, 2012 7:00 pm

Hushmail was never really meant to be a secure answer, it merely makes it that much more of a pain in the ass for your local law enforcement agencies to snoop on you.

I'm going to be perfectly honest here, if a government really wants to read your emails, and snoop on your online activity, there's not a damn thing any individual is going to be able to do to prevent that, save not using email or the internet at all. Hushmail is nice because it helps to discourage law enforcement from looking at your activities "because they can". That extra layer of security means that instead of just snooping on your emails because they feel like it, they'll need a reason, and then they'll need to contact hushmail. Of course, if they took an interest in you for a specific reason, they'd be reading your emails in no time at all. But with an encrypted service like hushmail, at least they won't be reading them for no reason whatsoever, simply because it takes that much extra work. It really is just a means of discouraging local law enforcement agencies from getting nosy without just cause.
"A man's greatest treasures are his illusions."

Illusion
Member
Posts: 365
Joined: Thu Jul 09, 2009 8:05 pm

Re: Personal Security 101 (Work In Progress!)

Post by Illusion » Thu Apr 19, 2012 12:06 am

Pr3dAt0R wrote:If you're accepting contributions to this thread:

Passwords: try to stay with 25 characters or more.
All the security measures in the world are worthless if it's bypassed with "welcome", "password", "secret", and simple things like that.

Operating Systems: Windows and security? Fuck no, not since Win98, when they first built the NSA a backdoor. Something every version afterwards has too.
Linux is basically the only option if you REALLY want to have a secure setup, but you'd need some knowledge of it to set everything up properly...
Yeah, I want to open this up to discussion - especially when it's actually finished. Alas, physiology and biochemistry papers are taking up most of my time at the moment.

The bit about the passwords is good, and even Google are investing in adverts to further that message - it's finally getting through to the average end-user (who appear to believe that they need not care about their security) that passwords are the key to any defence. Google's campaign is very good, and I've seen their adverts on countless trains recently - with tips such as taking a quote ("To be or not to be, that is the question" being their example) and abbreviating it with numbers added in ("2bon2b,tisq", also as their example).

However the part about operating systems is what usually gets my back up. Security is only as good as the user, no matter what is said. I've seen countless examples of Linux users being just as dumb as others; if this wasn't the case then a lot of server intrusions wouldn't happen. You have end-users who set up incorrect permissions for applications, run root as standard - because "it's annoying to be bugged for my password when doing certain tasks", have lots of services turned on (web developers are especially bad at this, as they believe security isn't as important as their services aren't intended to be seen by anyone other than themselves.. but leave services running anyway, with half developed buggy apps)... the list goes on.

Even so called "security enthusiasts", and I hold my hand up high to this. A few years ago I was running an insecure app, perhaps for weeks, whilst I wrote an exploit for it. This, being in the days of buffer overflows being the primary type of exploit, meant that I had to turn off any stack protection. (i.e SELinux). The same goes for those who preach from the "Open Source means the code can be audited by anyone" book - ermmm... and? I can run a closed source app through a fuzzer and/or debugger to determine whether or not there are any security risks. Also, take a browse on sourceforge or wherever - binaries are becoming the norm*, and very rarely do people actually bother to check the source code of applications anyway. Perhaps the furthest most people go is to run a source code auditing tool and check the output (One place I worked at last year, as a coder, a colleague (who was primarily a professional pen tester, educated to MSc level) was conducting a code review and simply ran a tool like "Flawfinder" before deeming it secure...) - hardly the best method when it won't pick up things like inline ASM, or other ways of hiding vulnerabilities. If code truly was reviewed just because it could be, incidents like the UnrealIRCd one (TL/DR: A source code tarball was uploaded to the official page for UnrealIRCd, which had a trojan in the source code. This occurred in November 2009, no one was aware until June 2010.. six months later. Essentially people were actually compiling their own malware.) wouldn't occur - note this was an IRCd, something that you'd expect people with enough knowledge of security to use; not "simple end-users".

*On the topic of linux binaries, there are a few examples of them also being "tampered" with - and even making it on to official distribution repositories; also malicious repositories themselves being set-up. So we've established compiling the binaries yourself isn't secure - unless of course you spend a lot of time auditing the code correctly (which, to be thorough - will also involve testing with the application compiled and running - fuzzing etc), yet using official repositories may also be dangerous - yet using unofficial ones is even more dangerous.

The fact of the matter is, advocating a solution like Linux is far from the answer - because it provides a false sense of security. When I switch from Linux or OS X to Windows - I immediately find myself behaving more aware of the security risks - and as such, I haven't had any issues. Common sense prevails - good security software (read reviews before purchasing - and purchase. Security is non-existent if you can't download updates.) and actually using it wins every time. Same with downloads, setting your torrent software to automatically run your AV software upon completion of a download.. Little steps, such as having software like Spybot that will inform you of any registry changes, having sensible firewall rules.. It all adds up. You can't be lazy on either OS, but both can be made pretty secure with common sense. At least Windows now rubs your nose in Security - user permissions akin to root/su on *nix systems as one example, the security center which bitches if you aren't running adequate security software as another example.

Also, the point about the NSA code in Windows - what about SELinux then? That thing which seems standard with most distributions - for security purposes - that was developed by the NSA? Or the TOR network that was developed by the US Navy...

On the topic of having a false sense of security - it always happens when someone comes out and says "Actually guys, how secure is Windows in comparison to Linux? I think they're similar" - you get the usual "OMG M$ FUD! ITS JUST A M$ TROLL, HE WAS PAID TO WRITE THAT PAPER" etc. Regardless of the actual merit of any research or any view. For a science, Computer Science is in the dark ages. If that happened in the biomedical sciences for instance - people would reproduce it (Computer Science - It is science supposedly), people would critically appraise it, check the methods and so on. However, to quote Prof. on the first lecture of the MIT "Introduction to Computer Science" (6.00 - available on MIT OCW) course - "The problem with Computer Science is.. that it isn't a science.".

So, whilst apologising for the rant - I'd like to say I can't really advocate saying that one OS is better than another for security; most of it is down to the end user. Frankly, I feel that inferring otherwise is just downright dangerous.
Pr3dAt0R wrote:TOR: using it to get on the "clear" web, you still need to get end-to-end security running, stay in the TOR net, and there's no unencrypted data at all.
Clearweb should be encrypted as much as possible, anyway.
In the OP ->
RTFOP wrote:TOR has a few vulnerabilities, such as running an exit node and recording the traffic; however that will give your data away - but not your identity. (Dependant on what you're doing)
The requirement for encryption with TOR was mentioned, or at least the underlying reason was. Perhaps it needed to be spelt out somewhat more overtly however. It's worth mentioning though, that if you go to download TOR - it is very clear to see this is an issue, as it's mentioned multiple times.
Pr3dAt0R wrote:Hushmail: only use that if you want LEA to read your mail.

Unrelated to this thread, this article, http://www.wired.com/threatlevel/2012/0 ... -takedown/ is about a recent drug bust.
There's a PDF of the case linked near the top.
In that PDF, page 13, line 21-25, it says all that's important about Hushmail.
In the OP ->
RTFOP wrote:Perhaps the biggest, but often most misunderstood, service of secure email is hushmail. The sign up process here is incredibly fast, being about 4 pages. However, that ease of sign-up comes at a huge price - hushmail offer no help if your data is requested. In the past they have been only too eager to hand data over to authorities. If your intention is just to play cat-and-mouse though; look no further.
Also, no one with half a brain cell would use hushmail for anything that sensitive - that's just common sense; and also expressed in the post. Hushmail was very quick to hand over details when there was the CardersMarket incident back in 2007(?), thus wasn't trusted after that in most circles. This isn't exactly news..
"I'm not worried about this because I am too strong, too good, too intelligent, but I want to say to the others 'don't follow the stupid'."
