
How To Think About Online Security: A Guide for Activists

crane@riseup.net

What's security?
Stopping an adversary from doing something that you don't want them to do.
There's always an adversary involved. Maybe more than one.

Example: an email to a friend criticizing the government
Does the govt. have the ability to intercept your email?
Would they want to?
Can they read it?
If not, can they learn who the sender and recipients are?
Will they follow you more closely now?

Example: storing files on a laptop
Is the laptop kept somewhere safe?
Do you need a password to read the files?
Can the files be accessed remotely?
Are there other copies of the files?
Does anyone know you have interesting files?
What would happen if the files were read?

Bad Security: Palin Email Hack

How did the hacker get in?
Used the "recover password" feature on Yahoo.
It asked him for birthday, zip code, and where Palin met her husband.
Answers to these questions came from Wikipedia, the US Post Office, and an online biography.

How was the hacker caught?
Posted screenshots had URLs starting with ctunnel.com

ctunnel is an anonymous proxy, who was happy to give their logs to the FBI.
The log had the IP address of the computer used for the hack.

Also...
Hacker posted a message on 4chan.org under the name rubico.
This account had the email rubico10@yahoo.com.
This email address connected to a real name via a YouTube profile.

Both Palin and the hacker practiced bad security. The adversary won in both cases.

How To Think About Security
Who is the adversary?
What threats do they present?
How can I protect myself from these threats?
What will it cost me? What will it cost the adversary?

Security is mostly about habits.
It's something you do, not something you set up.

Things that can be threatened
Invisibility: adversary can become suspicious of something you are doing.
Contacts: adversary can learn who you are talking to.
Anonymity: adversary can learn who you are.
Privacy: adversary can learn what you know.
Operations: adversary can stop you from acting, both online and offline.

Securing your computer
If the back door is open, it doesn't matter if the front door is locked.
If your computer isn't secure, your communication security doesn't matter (much).
It needs to be impossible to control it remotely.
Antivirus software
Antispyware software (beware keyloggers!)
Network firewall

Physical security
A firewall doesn't help when someone steals your computer. Or reads your email while you're at lunch.
Put a password on your computer!
If the information really is important, encrypt the disk!
Use the operating system's tools, or PGP Whole Disk Encryption, or TrueCrypt.

Password security
Phishing is by far the most common way to get passwords.
Don't use short passwords, words in the dictionary, or personal data (like your birthday or pet's name).
Use different passwords on different sites.
Never share passwords between people! Get them their own.

Phishing
A fake website that asks for your password.
Most commonly: an email or a message that says you need to log in somewhere, with a link to click on.
Always read the URL before entering a password, or type it yourself.

Phishing Example

https://
Q: Who can read what I send on the internet?
A: Everyone who runs a computer somewhere in the middle of the path that communication takes. ISPs, telcos, governments...
Unless: you send the data encrypted. On the web, encrypted sites start with https.

Don't make it easy.
Never type any sensitive information into a web page that does not start with https.
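The two slides above ("read the URL before entering a password" and "only https pages") boil down to a check that can be written out. This is an added example, not part of the deck: given a link and the site you meant to log in to, it checks the scheme, the user@host trick, and whether the host that really receives the password belongs to the expected domain. The sample links are constructed, and the two-label "registered domain" rule is a simplification (no public-suffix list).

```python
from urllib.parse import urlsplit

def registered_domain(host: str) -> str:
    """Last two labels of a host name, e.g. mail.google.com -> google.com.
    Assumption: good enough for .com/.net/.org; no public-suffix list here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_login_url(url: str, expected_host: str) -> tuple[bool, str]:
    """Return (safe, reason) for a link you are about to type a password into."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the host the browser really connects to
    want = registered_domain(expected_host)
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme!r}); anyone on the path can read it"
    if "@" in parts.netloc:
        # "https://mail.google.com@evil.example/" goes to evil.example, not Google
        return False, f"user@host trick: real host is {host!r}, not what is shown before the @"
    if registered_domain(host) != want:
        # lookalikes such as mail.google.com.something.example end in a different domain
        return False, f"host {host!r} is not part of {want!r}"
    return True, f"https to {host!r}, which is part of {want!r}"

# Constructed sample links, as they might appear in a "please log in" message.
SAMPLE_LINKS = [
    "https://mail.google.com/",
    "http://mail.google.com/",
    "https://mail.google.com.login-update.example/",
    "https://mail.google.com@198.51.100.7/",
]

def triage(links, expected_host="mail.google.com"):
    """Map each link to its verdict; used by the demo below and by tests."""
    return {link: check_login_url(link, expected_host) for link in links}

if __name__ == "__main__":
    for link, (safe, reason) in triage(SAMPLE_LINKS).items():
        print("OK  " if safe else "STOP", link, "-", reason)
```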

Security is About People
Hacking is sexy, but in reality people are the weak point.
Ignorance, scams, social engineering, mistakes, getting lazy: sharing passwords, using insecure channels...

Would you give up your password if...
they threatened to fire you?
they put you in jail?
they kidnapped your mother?

What do they watch?
US, UK, Iranian and Chinese governments are known to have extensive electronic surveillance.
Emails, IM, general internet traffic.
Facebook, Google, Yahoo, etc. all service millions of law enforcement requests per year.
Phones don't need to be tapped. It's all done through the network now.
Basically, you have to assume that all communications are monitored.

What else can they watch?
Credit cards, banking transactions
Security cameras
Student cards, smart cards, any time you use any card...
National governments can ask for any of this data.
Will governments cooperate on international cases? Maybe.

Securing web email
Gmail always uses https now.
So, the communication from your computer to Google's computer is secure.
But then Google sends the email to the recipient's server without encryption!
Think: where does this message go? Where are the computers physically located?

Where the Email goes
(diagram: the path from gmail.com to yahoo.com)

What if we both use Gmail?
Better! Now the email is never sent unencrypted.
But Google can still read it...
When does Google read emails? When the US government tells them to. Millions of requests per year.
Will Google tell other governments? Maybe. Yahoo has.

Keeping email private, really
You need to use something called PGP (pretty good privacy) to encrypt messages.
A bit tricky. For Firefox, a tool called FireGPG makes this easier.
If the email is encrypted properly, no one but the receiver can read it, even if it's intercepted.
Tutorial here:
http://www.irongeek.com/i.php?page=videos/usingGPGPGPFireGPGtoencryptandsignemailfromgmail

The Internet is More than The Web
There are lots of ways to communicate that do not involve the web:
Apps on your phone
Instant messaging programs
Email through Outlook, Thunderbird, etc.
Skype
Twitter clients
etc.

https won't help for these, because it's only for web pages.

Skype
Skype uses strong encryption and is generally considered safe.
The Skype company (EU) knows who you're talking to, but not what you say. Will they tell?
BUT: Do not use Chinese TOM Skype or a clone! Intentionally insecure! It watches for keywords and sends data to the Chinese govt!

Simple secure Communication: Instant Messenger plus OTR
OTR means "off the record". It's a plugin for instant messenger programs.
Easy! Just use your normal IM account, and access it from a program which supports OTR.
All OSs: use Pidgin plus the OTR plugin.
Mac: use Adium.

Mostly secure is not secure (like using condoms)
If you need secure communications, set up IM + OTR right now.
Communications that are sometimes secure are worse than useless.
That one unencrypted message can cause problems in many different ways.
It only takes one leak to ruin invisibility or anonymity.
Don't be lazy.

Important!

Encryption preserves privacy, but not anonymity.

They can't read it, but they know who I'm talking to.
Encrypted communications (like IM + OTR) protect privacy, but not invisibility or anonymity.

Using encryption may be suspicious.
They know who you are and who your friends are, and when you talked to them.

Anonymity
Every computer on the internet has a unique number, called the IP address.
IP means internet protocol. This is how your data knows how to get to you.
Most servers log the IP address of everyone who uses them.
Your ISP sells you the IP address, so it knows who you are.

Hiding your IP Address
Can use an anonymous proxy.

But does the proxy keep logs? Who can read them?

Trusting a proxy
Anyone running a server has to give their logs to law enforcement in their jurisdiction.
E.g. a server in Canada must report to the Canadian government.
Is this a problem? Maybe.
What if the proxy is hacked by the adversary?
What if the proxy is actually run by the adversary?

Onion Routing
Use multiple proxies.
No single proxy knows the IP addresses of both ends of the connection.

TOR: The Onion Router
torproject.org
International project to build an anonymity tool.
The best anonymity you can currently get.
Also jumps over firewalls very reliably!
Slow... the network is not large.
You can help! Run a Tor node!

Things that break anonymity
Don't post your name, city, email, etc.!
Don't log in to your regular email, Facebook, etc. over an anonymous connection!
Timing attack: if you're always using Tor when a new post appears on an anonymous blog, they can tell it's you. Use a time-delayed posting feature to avoid this.
Anonymity is hard! If you need it, study it.

Phones
The location of every phone is continuously logged by the telco, to within a few meters.
Changing SIM cards won't make you anonymous, because the phone has an IMEI number.
Text messages are logged.
Call destination and (sometimes) audio are logged.
Phones are very insecure!

Beware hidden info in documents!
When you save a Word or PDF file, it includes your username and other identifying information.
This is called metadata and will give you away!
Use a plain text editor to avoid this (Notepad, TextEdit).
Or sanitize the document before releasing. See NSA procedures:
http://www.nsa.gov/ia/_files/support/I733028R2008.pdf
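To see what the slide means by metadata, here is an added example (not from the deck or the NSA procedures) that opens a .docx, which is a zip file, reads the author fields Word stores in docProps/core.xml, and writes a copy with those fields removed. The document is constructed in memory with a made-up author name; the tag names are the standard OOXML core-property names.

```python
import io
import re
import zipfile

# Constructed sample of the docProps/core.xml that Word writes into a .docx.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Press release</dc:title>
<dc:creator>jane.doe</dc:creator>
<cp:lastModifiedBy>jane.doe</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2009-03-01T10:00:00Z</dcterms:created>
</cp:coreProperties>"""

# Core properties that identify a person or a machine; the title is left alone.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "cp:revision")

def make_sample_docx() -> bytes:
    """Build a minimal .docx (a zip) containing the sample core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")  # body placeholder
    return buf.getvalue()

def list_metadata(docx: bytes) -> dict:
    """Return {tag: value} for every identifying core property present."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        xml = z.read("docProps/core.xml").decode()
    found = {}
    for tag in IDENTIFYING:
        m = re.search(rf"<{tag}[^>]*>(.*?)</{tag}>", xml, re.S)
        if m:
            found[tag] = m.group(1)
    return found

def strip_metadata(docx: bytes) -> bytes:
    """Copy the zip, dropping the identifying elements from core.xml."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                xml = data.decode()
                for tag in IDENTIFYING:
                    xml = re.sub(rf"<{tag}[^>]*>.*?</{tag}>", "", xml, flags=re.S)
                data = xml.encode()
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Comments, tracked changes and embedded thumbnails live in other parts of the zip, so clearing core.xml alone is not a full sanitization.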

Avoiding Suspicion
Decide carefully which activities are public and which are private. Speak out deliberately, not randomly.
If you only have encrypted communications with certain people, the adversary knows exactly who you are working with!
Use encryption whenever possible for your regular traffic.

Summary

How to think about security
What are you trying to accomplish, who is trying to stop you, and how can they do it?
Design your security to protect against specific threats.
Things that can be threatened: invisibility, contacts, anonymity, privacy, operations.
Security is something you do.
It changes fast! Keep learning!

What To Do
Make a security plan!
Secure your computers: antivirus, antispyware, firewalls.
Secure your computers physically: locks, passwords, disk encryption.
Use strong passwords. Don't share them between people or accounts.
Use secure communications.
Sanitize released documents!
Keep learning!

Private communications
The simplest method I know for privacy:
Use instant messenger plus OTR (always!)
Never IM from your phone!
Communication between two users @gmail is the second best way, but it keeps logs, and depends on Google and the US govt being on your side.

Anonymous communications
If you need anonymity as well as privacy:
Sign up for new IM accounts anonymously; don't give your email or reuse a username.
Set your IM client to route through TOR.
Always use TOR. The one time you don't, the adversary gets your IM handle and knows who you talk to.

Anonymous email addresses
gmail.com now requires a phone number, so not anonymous.
riseup.net is best, but you will need to be invited by someone who already has an account.
hushmail.com is free and very good. It can send encrypted messages to people without encryption software.
Don't ever log in to your anonymous email account without Tor! Otherwise anyone watching your connection will know it's you!

I haven't talked about...
Securing your web server.
Denial of service attacks: how to keep your site up (assuming the government can't just order you to stop).
Smuggling data.
Operational security: who do you trust in the real world? Who knows your plans? Who gets passwords?
There are many different types of security.

Keep learning!
NGO security guide (read it!) Detailed tutorials on every tool mentioned here:
http://security.ngoinabox.org/
Anonymous blogging with Wordpress and TOR:
http://advocacy.globalvoicesonline.org/projects/guide/
How to get around the Great Firewall:
http://www.randomwire.com/howtobypassthegreatfirewallofchina/
