Secure Communication for activists and privacy conscious users
1. SECURE COMMUNICATION
For activists and privacy conscious users
11-Feb-16 https://www.cudeso.be

2. Goal
• Defend yourself and your friends from surveillance
• Use secure technology
• Apply best practices
• Use common sense
• Based on EFF – Surveillance Self Defense: https://ssd.eff.org/

3. Threat Modeling
• What do you want to protect?
  • Assets, your data (e-mails, messages, files)
• Who do you want to protect it from?
  • Who is your adversary? What are their capabilities?
• How likely is it that you will need to protect it?
  • The likelihood of unauthorized access to your data: the risk
• How bad are the consequences if you fail?
  • What is the possible damage? Financial loss? Reputational loss?
• How much trouble are you willing to go through in order to try to prevent those?
• Threat = a bad thing that can happen
• Risk = the likelihood that an incident will occur

4. Don't get paranoid
• Risk analysis based on risk and capabilities is
  • Personal
  • Subjective
• Your threat actor might be the only threat actor, but you might be one of many subjects
  • A high number of subjects decreases the likelihood that you become a victim
• Every threat actor has limited capabilities
• Risk of tunnel vision
• Technology is only the tool. Your brain is the strongest lock.

5. Best practices
• Secure your computer and devices
  • Protect your computer with a password
  • Require a password when the computer starts or is locked
  • Do not use "auto-login"
  • Protect your mobile phone with a PIN code or ideally a password
  • Set your mobile phone to use encrypted local storage
• You raise the bar for someone else to get easy access to your data: the attacker now needs more than minimal computer skills to read your personal information

6. Best practices
• Use strong and long passwords; better, use passphrases
  • Not only for your computer but for all your accounts
• Ideally use a password vault with a strong master password
  • LastPass, Dashlane
• Different passwords/passphrases for different accounts
• If supported, use two-factor authentication
  • Extra protection with a code via SMS
  • Where a site offers an authenticator app, prefer it over SMS: SMS codes can be intercepted or redirected to a replacement SIM
• Demo password strength test: https://howsecureismypassword.net/
  • Never type a password you actually use into an online checker; test one of similar shape instead
• Use more than 10 characters with numbers, and nothing easy to guess
• Do not use "Password", the name of your mother or the town where you live

7. Best practices
• "Password reset questions" on sites
  • Can be tiresome
  • Use questions and answers that only you know
  • Even better: use random answers and store the questions and answers in a password vault
• Use full disk encryption
  • Different levels of protection, depending on your adversary
  • Some systems are flawed
• Make sure you have backups of your data
  • Encrypted backups or not?
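The point of slides 6 and 7 is that length and randomness matter more than "complexity", and that reset answers should be random strings kept in the vault rather than facts about you. The example below is added here and is not part of the original deck; it generates a passphrase and a reset answer with Python's CSPRNG (`secrets`, never `random`) and puts numbers on the comparison. The word list is a constructed stand-in; a real Diceware-style list such as the EFF's has 7776 words, which is the size the comparison assumes.

```python
"""Passphrase generation and strength estimate (added example, not from the slides).

Strength is the number of equally likely strings the generator could have
produced, expressed as log2 (bits). Six words from a 7776-word list beat a
random 10-character mixed-case alphanumeric password, and are far easier to
remember.
"""
import math
import secrets
import string

# Constructed mini word list; a real Diceware-style list has 7776 entries.
WORDS = ["apple", "river", "castle", "orbit", "velvet", "lantern", "pepper", "tundra"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy of `symbols` independent uniform picks from
    `choices_per_symbol` options: log2 of the number of possible strings."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with the CSPRNG in `secrets`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_reset_answer(length: int = 20) -> str:
    """Random answer for a password-reset question. Stored in the vault it is
    as strong as a random password, and it is not a guessable fact about you."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(word_list_size: int = 7776, words: int = 6,
            charset_size: int = 62, chars: int = 10) -> dict:
    """Entropy of a Diceware-style passphrase versus a random character password
    of the length the slide recommends (more than 10 characters)."""
    return {
        "passphrase_bits": entropy_bits(word_list_size, words),   # about 77.5
        "password_bits": entropy_bits(charset_size, chars),       # about 59.5
    }


if __name__ == "__main__":
    print(generate_passphrase(WORDS))
    print(generate_reset_answer())
    print(compare())
```

The estimate only holds for generated secrets: a passphrase you made up from favourite song lyrics has nothing like 77 bits, because the generator was your memory, not a uniform draw.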
8. Container encryption - TrueCrypt
• The original developers stopped support in 2014, so there are no further security fixes
• Still available for download from other sites
• If you're really concerned about the download, check the hashes
  • The published hashes only prove something if they come from a source independent of the site you downloaded from
  • https://truecrypt.ch/downloads/
  • https://www.grc.com/misc/truecrypt/truecrypt.htm
• TrueCrypt containers are just "files"; they can be moved to other devices
  • For example, copy the TrueCrypt container to an external drive
  • Share the password for unlocking via another secure channel
  • Copy files from your "normal" drive to the TrueCrypt container
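"Check the hashes" from slide 8 in working code. This is an added example, not part of the original deck: it hashes a downloaded file in chunks and compares the result in constant time against a digest you obtained from an independent source. The sample file and its digest are constructed for the demo (the bytes `abc` and their well-known SHA-256); for a real download you would paste the value published on the independent site.

```python
"""Verify a downloaded file against a published hash (added example, not from the slides)."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so a large container fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """True only if the file's digest equals the published one.
    Normalises case and whitespace (published digests are often uppercase or
    split into groups) and compares in constant time."""
    expected = "".join(expected_sha256.split()).lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a 64-hex-character SHA-256 digest")
    return hmac.compare_digest(sha256_file(path), expected)


# Constructed sample: the bytes b"abc" and their SHA-256 digest.
SAMPLE_CONTENT = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> tuple:
    """Write the sample, verify it, then append one byte (as a tampered build
    might) and verify again. Returns (verified_clean, verified_tampered)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        good = verify_download(path, SAMPLE_SHA256.upper())
        with open(path, "ab") as f:
            f.write(b"\x00")
        bad = verify_download(path, SAMPLE_SHA256)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching hash tells you the file is the one the publisher of the hash had; it says nothing about whether that file is safe, which for an unmaintained program is the part you still have to judge yourself.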
9. Container encryption - TrueCrypt
• Tutorial at: http://andryou.com/truecrypt/docs/tutorial.php

10. Container encryption - TrueCrypt
• Workflow
  • Select the TrueCrypt file
  • Select a mount slot
  • Click Mount
  • Enter the password

11. File encryption - GPG
• GPG: digital signatures and encryption
  • https://www.gnupg.org/
• Requires more technical knowledge
  • http://ubuntuforums.org/showthread.php?t=680292
• Made more accessible via Keybase
  • https://keybase.io/
• Ideal for encrypting one file and then sending it over an "unsafe" communication channel
• Protect your master key!
  • Store the revocation certificate in a safe place
  • Don't lock yourself out

12. Best practices
• Use different browsers
  • Firefox, Chrome, Safari, Opera, Internet Explorer
  • Avoid Internet Explorer if possible: it is closely tied to the operating system
• One browser only for "personal" things
  • 1 for online banking and e-mail
  • 1 for information gathering
  • 1 for random browsing
• Use "Private" browsing
  • No cookies
  • No history
  • Forensic analysis of your computer can still disclose your browsing history

13. Best practices
• Always type in the URL, do not click on a link
• When you enter usernames and passwords, make sure the website is secured with HTTPS
• Log out of a website (e-mail, Facebook) once you no longer need it
  • This limits tracking
• Use disposable e-mail for subscriptions or one-time-only messages
  • https://www.guerrillamail.com/
  • This is not "encryption"

14. Guerrillamail (screenshot)

15. Best practices
• Use an up-to-date system
  • All the Windows and Apple patches
  • Use automatic updates
  • Do not use Windows XP, Vista or old versions of Apple OS X
  • Any protection mechanism or encryption is useless when remote intrusion into your computer is child's play
• Avoid Acrobat Reader and Microsoft Office documents
  • Lots of vulnerabilities
  • They load external resources
• Avoid Flash
• Do not use Java on your machine

16. Best practices
• Use a system firewall
  • Built in for both Windows and Apple
• Use a virus scanner
  • Make sure it is still active and receives the new updates
  • The quality of free virus scanners is good; no real quality difference with commercial (paid) virus scanners

17. Best practices
• Enable the option for "remote wipe" of your telephone or tablet
  • Automatically when a wrong PIN is entered more than x times
  • Remotely when your device is lost

18. Best practices
• Limit the use of location services; enable them only for the applications that need them
• Disable sharing your location by default

19. Common sense
• Do not connect to random wireless networks
  • Only connect to trusted networks, networks that you know
• Protect your wireless network at home with a password
• Do not let anyone else use your computer or telephone unattended
  • Never leave your device unlocked
• Shoulder surfing
  • Someone watching when you enter your password
• Access your online accounts from trusted sources
  • Logging in to your e-mail or Facebook from a "friend's computer" is not always a good idea; it depends on the trust you have in that friend

20. Common sense
• Be careful with attachments that you did not request
  • Word documents, PDF files, …
  • Even if it comes from a "trusted" contact
  • Mails can easily be spoofed ("pretending" to come from someone)
  • If it comes from a trusted contact, ask that contact for clarification
  • Do not use the same transport (e-mail) for the clarification; use telephone or messaging
• Do not install software from a popup or similar. Always make sure you started the install yourself (and not by clicking on a link)

21. Social media
• Do you really need to have your picture there?
• Why would you need tagging?
• Be aware of geo-location
  • No need to include all the location details
• One-on-one does not exist in social media
  • It is a broadcast to everyone
• A message (almost) never goes away
  • Your data belongs to the net forever
  • "Right to be forgotten" (ref. Google)
  • Other sites copy the content and do not comply with the request for deletion of data

22. Tor network – surf anonymously
• Software to browse the Internet anonymously
• "Normal" network packet: sender + destination
  • The path to the destination is more or less pre-defined and (almost) fixed
• "Tor" network packet: packet wrapped in multiple layers of encryption, one per relay
  • The path to the destination is not pre-defined and changes
[Diagram: client → router 1 → router 2 → server, next to the direct client → server path]

23. Tor network
• Volunteer driven
• Can be slower
• Some destinations block connections from Tor
• "Deep" web / "Dark" web
  • Sites can also be "hosted" on Tor
  • Only reachable via Tor
• Criminals also want to surf anonymously
  • Police doesn't like it
  • Silk Road, one of the best-known Tor sites: drugs, weapons
• Merely using Tor can be a sign for law enforcement to get more interested

24. Tor network
• Use the pre-packaged software
  • https://www.torproject.org/download/download-easy.html.en
• Best practices still apply
  • Do not install extra "browser plugins"
  • Always use HTTPS
  • Do not submit personal details on websites
  • Do not open / download documents while online
    • Some documents (PDF, Word) fetch "extra" files via the Internet
    • This happens "outside" Tor and discloses your normal Internet connection

25. Tails
• "Computer from a USB stick"
• Focused on privacy and anonymity
• https://tails.boum.org/

26. Signal - Secure phone & messages
• Signal, by Open Whisper Systems
• Encrypted
  • Secure phone conversations
  • Secure text messages
• Requires an Internet connection
• https://whispersystems.org/
• Only install from the App Store or Google Play
• As always, best practices apply
  • Lock your device
  • Protect it with a PIN code
  • Do not use it with untrusted partners

27. Signal (screenshot)

28. Secure e-mail
• Use IMAPS
• Use authenticated SMTP over TLS, and do not use plain POP
• If you are really paranoid you should not use e-mail
• If your browser or computer has been hacked then "secure" e-mail will not protect you
• Keep a sane Inbox
  • Delete mails, also the "Sent" mails
  • Empty the deleted e-mails
  • Trust (?) your provider not to store the deleted / purged e-mails somewhere else
29. ProtonMail
• Built by students from MIT and people from CERN
• Based in Switzerland, which has strong privacy laws
• https://protonmail.com/
• myuser@protonmail.com
  • Future: myuser@yourdomain.com
• For privacy conscious users
• Free
  • Huge success, "waiting list": can take multiple days
  • Get immediate access with a donation: 17 (basic) to 73 (Mobile + 1GB) EUR
  • 500MB storage
  • 1000 messages per month

30. ProtonMail
• Two passwords
  • One to access your account
  • One to decrypt your mailbox

31. ProtonMail
• Send mail to users not using ProtonMail
  • Use a one-time password
  • The message will expire after a while

32. Tutanota
• Alternative to ProtonMail
• https://tutanota.com/
• No waiting list
• Germany based
• 1GB storage
• No aliases
• Free for non-commercial use
• Use your own domain with the Premium version

33. Tutanota (screenshot)

34. Tutanota
• Send e-mails to users not using Tutanota with a shared password

35. Take-aways
• Do not get paranoid
• Use common sense
• Use secure websites (HTTPS) for personal data
  • Also for e-mail (IMAPS + authenticated SMTP)
• Do not open documents from untrusted sources
• Set strong passwords
• Do not use untrusted networks and devices
• Lock devices with passwords and PINs
  • Remote wipe, and wipe after unsuccessful PINs
• Keep your systems up to date
  • Operating system and applications
• Use a firewall and anti-virus

36. Take-aways - tools
• For disposable messages / mail
  • https://www.guerrillamail.com/
• Secure phone and messages
  • https://whispersystems.org/
• Tor, surf anonymously
  • https://www.torproject.org/download/download-easy.html.en
• Private e-mail with ProtonMail or Tutanota
  • https://protonmail.com
  • https://tutanota.com/
• TrueCrypt
  • https://truecrypt.ch/downloads/

37. Contact
• Use common sense
• Be vigilant but don't get paranoid
• Contact
  • https://www.vanimpe.eu
  • https://www.cudeso.be
  • @cudeso