2. Goal
• Defend yourself and your friends from surveillance
• Use secure technology
• Apply best practices
• Use common sense
• Based on EFF – Surveillance Self Defense
• https://ssd.eff.org/
11-Feb-16
Secure Communication 2
3. Threat Modeling
• What do you want to protect?
• Assets, your data (e-mails, messages, files)
• Who do you want to protect it from?
• Who is your adversary? Their capabilities.
• How likely is it that you will need to protect it?
• Likelihood of unauthorized access to your data. The risk
• How bad are the consequences if you fail?
• What is the possible damage? Financial loss? Reputational loss?
• How much trouble are you willing to go through in order to try to
prevent those?
• Threat = a bad thing that can happen
• Risk = a likelihood that an incident will occur
11-Feb-16
Secure Communication 3
4. Don’t get paranoid
• Risk analysis based on risk and capabilities is
• Personal
• Subjective
• Your threat actor might be the only threat actor
• You might be one of many subjects
• High numbers of subjects decrease the likelihood that you become
a victim
• Every threat actor has limited capabilities
• Risk of tunnel vision
• Technology is only the tool. Your brain is the strongest
lock.
11-Feb-16
Secure Communication 4
5. Best practices
• Secure your computer and devices
• Protect your computer with a password
• Require a password when the computer starts or is locked
• Do not use “auto-login”
• Protect your mobile phone with a PIN code or ideally a password
• Have your mobile phone set to use encrypted local storage
• You raise the bar for someone else to get easy access to
your data. Requires the attacker to have minimal –
computer- skills to read your personal information
11-Feb-16
Secure Communication 5
6. Best practices
• Use strong and long passwords, better use passphrases
• Not only for your computer but for all your accounts
• Ideally use a password vault
with a strong master password
• LastPass, Dashlane
• Different passwords/passphrases for different accounts
• If supported, use 2 factor authentication
• Extra protection with a code via an SMS
• Demo password strength test https://howsecureismypassword.net/
• Use more than 10 characters with numbers and not easy to guess
• Do not use Password, the name of your mother or the town where you
live
11-Feb-16
Secure Communication 6
7. Best practices
• “Password reset questions” on sites
• Can be tiresome
• Use questions and answers that only you know
• Even better: use store the questions and answers in a password vault
• Use full disk encryption
• Different levels of protection, depending on your adversary
• Some systems are flawed
• Make sure you have backups of your data
• Encrypted backups or not?
11-Feb-16
Secure Communication 7
8. Container encryption - TrueCrypt
• Original developers stopped support
• Still available for download from other sites
• If you’re really concerned about the download check the hashes
• https://truecrypt.ch/downloads/
• https://www.grc.com/misc/truecrypt/truecrypt.htm
• TrueCrypt containers are just “files”, they can be moved to
other devices
• For example copy the TrueCrypt container to an external drive
• Share the password for unlocking via other secure channels
• Copy files from your “normal” drive to TrueCrypt
11-Feb-16
Secure Communication 8
9. Container encryption - TrueCrypt
• Tutorial at : http://andryou.com/truecrypt/docs/tutorial.php
11-Feb-16
Secure Communication 9
10. Container encryption - TrueCrypt
• Workflow
• Select TrueCrypt file
• Select a mount slot
• Click Mount
• Enter password
11-Feb-16
Secure Communication 10
11. File encryption - GPG
• GPG, digital signature and encryption
• https://www.gnupg.org/
• Requires more technical knowledge
• http://ubuntuforums.org/showthread.php?t=680292
• Made more accessible via Keybase
• https://keybase.io/
• Ideal for encrypting one file and then sending it over
“unsafe” communication channel
• Protect your master-key!
• Store the revocation certificate in a safe place
• Don’t lock yourself out
11-Feb-16
Secure Communication 11
12. Best practices
• Use different browsers
• Firefox, Chrome, Safari, Opera, Internet Explorer
• Avoid Internet Explorer if possible
• Closely tied to the operating system
• One browser only for “personal” things
• 1 for online banking, e-mail ,
• 1 for information gathering
• 1 for random browsing
• Use “Private” browsing
• No cookies
• No history
• Forensic research on your computer can still disclose your
browsing history
11-Feb-16
Secure Communication 12
13. Best practices
• Always type in the URL, do not click on a link
• When you enter usernames and passwords, make sure
the website is secured - HTTPS
• Log out of a website (e-mail, Facebook) once you no
longer need it
• This prevents tracking
• Use disposable e-mail for subscribtions or one-time-only
messages
• https://www.guerrillamail.com/
• This is not “encryption”
11-Feb-16
Secure Communication 13
15. Best practices
• Use an up-to-date system
• All the Windows and Apple patches
• Use automatic updates
• Do not use Windows XP, Vista or old versions of Apple OSX
• Any protection mechanism or encryption is useless when remote
intrusion to your computer is childs ’play
• Avoid Acrobat Reader and Microsoft Office documents
• Lots of vulnerabilities
• Loads external resources
• Avoid Flash
• Do not use Java on your machine
11-Feb-16
Secure Communication 15
16. Best practices
• Use a system firewall
• Build in for both Windows and Apple
• Use a virus scanner
• Make sure it is still active and receives the new updates
• Quality of free virus scanners is good, no real quality difference
with commercial –paid- virus scanners
11-Feb-16
Secure Communication 16
17. Best practices
• Enable the option for “remote wipe” of your telephone or
tablet
• Automatically when a wrong PIN is entered more than x times
• From remote when your device is lost
11-Feb-16
Secure Communication 17
18. Best practices
• Limit the use of location services, enable them only for the
applications that you need it for
• Disable share your location by default
11-Feb-16
Secure Communication 18
19. Common sense
• Do not connect to random wireless networks
• Only connect to trusted networks, networks that you know
• Protect your wireless network at home with a password
• Do not let anyone else use your computer or telephone
un-attended
• Never leave your device unlocked
• Shoulder surfing
• Someone eavesdropping when you enter your password
• Access your online accounts from trusted sources
• Logging in to your e-mail or Facebook from a “friends’computer” is
not always a good idea, depends on the trust you have in that
friend
11-Feb-16
Secure Communication 19
20. Common sense
• Be careful with attachments that you did not request
• Word documents, PDF files, …
• Even if it comes from a “trusted” contact
• Mails can be easily spoofed (“pretending” to come from someone)
• If it comes from a trusted contact, ask that contact for clarification
• Do not use the same transport (e-mail) for clarification, use telephone or
messaging
• Do not install software from a popup or similar. Always
make sure you started the install (and not by clicking on a
link)
11-Feb-16
Secure Communication 20
21. Social media
• Social media
• Do you really need to have your picture there?
• Why would you need tagging?
• Be aware of geo-location
• No need to include all the location details
• One-on-one does not exist in social media
• It is a broadcast to everyone
• A message (almost) never goes away
• Your data belongs to the net forever
• “Right to be forgotten” (ref. Google)
• Other sites copy the content and do not comply with the request for deletion of
data
11-Feb-16
Secure Communication 21
22. Tor network – surf anonymously
• Software to browse the Internet anonymously
• “normal” network packet : sender + destination
• Path to destination is more or less pre-defined and is (almost) fixed
• “tor” network packet : packet wrapped in multiple layers
• Path to the destination is not pre-defined and changes
11-Feb-16
Secure Communication 22
client router 1 router 2 server
client
server
23. Tor network
• Volunteer driven
• Can be slower
• Some destinations block connections from Tor
• “Deep” web / “Dark” web
• Sites can also be “hosted” on Tor
• Only reachable via Tor
• Criminals also want to surf anonymously
• Police doesn’t like it
• Silk Road one of the most known Tor sites
• Drugs, weapons
• Merely using Tor can be a sign for law enforcement to get more
interested
11-Feb-16
Secure Communication 23
24. Tor network
• Use the pre-packaged software
• https://www.torproject.org/download/download-
easy.html.en
• Best practices still apply
• Do not install extra “browser-plugins”
• Always use HTTPS
• Do not submit personal details on websites
• Do not open / download documents when online
• Some documents (PDF, Word) open “extra” files via Internet
• This happens “outside” Tor -> discloses your normal Internet connection
11-Feb-16
Secure Communication 24
25. Tails
• “Computer from an USB”
• Focused on privacy and anonymity
• https://tails.boum.org/
11-Feb-16
Secure Communication 25
26. Signal - Secure phone &messages
• Signal Open Whisper Systems
• Encrypted
• Secure phone conversations
• Secure text messages
• Requires Internet connection
• https://whispersystems.org/
• Only install from App Store or Google Play
• As always, best practices apply
• Lock your device
• Protect it with a PIN code
• Do not use it with untrusted partners
11-Feb-16
Secure Communication 26
28. Secure e-mail
• Use IMAPS
• Use Authenticated SMTP and do not use POP
• If you are really paranoid you should not use e-mail
• If your browser or computer has been hacked then “secure” e-mail
will not protect you
• Keep a sane Inbox
• Delete mails. Also the “Sent” mails
• Empty the deleted e-mails
• Trust (?) your provider not storing the deleted / purged e-mails
somewhere else
11-Feb-16
Secure Communication 28
29. ProtonMail
• Build by students from MIT and people from CERN
• In Switserland, strong privacy laws
• https://protonmail.com/
• myuser@protonmail.com
• Future myuser@yourdomain.com
• For privacy conscious users
• Free
• Huge success, “waiting list” : can take up multiple days
• Get immediate access with donations
• 17 (basic) to 73 (Mobile + 1GB) EURO
• 500MB storage
• 1000 messages per month
11-Feb-16
Secure Communication 29
30. ProtonMail
• Two passwords
• One to access your account
• One to decrypt your mailbox
11-Feb-16
Secure Communication 30
31. ProtonMail
• Send mail to users not using ProtonMail
• Use a one-time password
• The message will expire after a while
11-Feb-16
Secure Communication 31
32. Tutanota
• Alternative to Protonmail
• https://tutanota.com/
• No waitinglist
• Germany based
• 1GB storage
• No aliases
• Free for non commercial use
• Use your own domain with
the Premium version
11-Feb-16
Secure Communication 32
34. Tutanota
• Send e-mails to users not using Tutanota with a shared
password
11-Feb-16
Secure Communication 34
35. Take-aways
• Do not get paranoid
• Use common sense
• Use secure websites (HTTPS) for personal data
• Also for e-mail (IMAPS + Authenticated SMTP)
• Do not open documents from untrusted sources
• Set strong passwords
• Do not use untrusted networks and devices
• Lock devices with passwords and pins
• Remote wipe and wipe after unsuccessful pins
• Keep your systems up to date
• Operating system and applications
• Use firewall and anti-virus
11-Feb-16
Secure Communication 35
36. Take-aways - tools
• For disposable messages / mail
• https://www.guerrillamail.com/
• Secure phone and messages
• https://whispersystems.org/
• Tor surf anonymously
• https://www.torproject.org/download/download-easy.html.en
• Private e-mail with ProtonMail or Tutanota
• https://protonmail.com
• https://tutanota.com/
• TrueCrypt
• https://truecrypt.ch/downloads/
11-Feb-16
Secure Communication 36
37. Contact
• Use common sense
• Be vigilant but don’t get paranoid
• Contact
• https://www.vanimpe.eu
• https://www.cudeso.be
• @cudeso
11-Feb-16
Secure Communication 37