Secure Communication


Secure Communication for activists and privacy conscious users

Published in: Internet

  1. SECURE COMMUNICATION. For activists and privacy conscious users. 11-Feb-16
  2. Goal
     • Defend yourself and your friends from surveillance
     • Use secure technology
     • Apply best practices
     • Use common sense
     • Based on EFF – Surveillance Self Defense
  3. Threat Modeling
     • What do you want to protect?
       • Assets, your data (e-mails, messages, files)
     • Who do you want to protect it from?
       • Who is your adversary? What are their capabilities?
     • How likely is it that you will need to protect it?
       • The likelihood of unauthorized access to your data: the risk
     • How bad are the consequences if you fail?
       • What is the possible damage? Financial loss? Reputational loss?
     • How much trouble are you willing to go through in order to try to prevent those?
     • Threat = a bad thing that can happen
     • Risk = the likelihood that an incident will occur
  4. Don't get paranoid
     • Risk analysis, based on likelihood and on the adversary's capabilities, is
       • Personal
       • Subjective
     • You might have only one threat actor
     • You might be one of that actor's many subjects
       • A high number of subjects lowers the likelihood that you personally become a victim
     • Every threat actor has limited capabilities
     • Risk of tunnel vision
     • Technology is only the tool. Your brain is the strongest lock.
  5. Best practices
     • Secure your computer and devices
       • Protect your computer with a password
       • Require a password when the computer starts or is locked
       • Do not use "auto-login"
       • Protect your mobile phone with a PIN code or, ideally, a password
       • Set your mobile phone to use encrypted local storage
     • This raises the bar for someone else to get easy access to your data: the attacker then needs more than minimal computer skills to read your personal information
  6. Best practices
     • Use strong and long passwords; better still, use passphrases
       • Not only for your computer but for all your accounts
       • Ideally use a password vault with a strong master password (LastPass, Dashlane)
       • Different passwords/passphrases for different accounts
     • If supported, use two-factor authentication
       • Extra protection with a code sent via SMS
       • SMS is the weakest second factor (codes can be intercepted or redirected); prefer an authenticator app or a hardware token where the site offers one
     • Demo: password strength test
       • Use more than 10 characters, include digits, and avoid anything easy to guess
       • Do not use "Password", the name of your mother or the town where you live
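The "strong and long passwords, better use passphrases" advice can be put in numbers. The following is an added example, not code from the slides: it estimates the entropy of a randomly generated password from the character classes it uses, and of a passphrase from the size of the word list, then turns bits into an expected cracking time. The word-list size (7776, the Diceware list), the guess rate (1e10 per second, an offline GPU attack against a fast hash) and the short "common passwords" list are assumptions; the estimate is only valid for secrets chosen at random, so a structured password such as a name with a digit appended is far weaker than its length suggests.

```python
"""Entropy estimate for random passwords and passphrases (added example).

Only meaningful for secrets generated at random. A password built from a
dictionary word or a name has much less entropy than the character-class
formula below reports; the common-password check catches only the obvious.
"""
import math
import string

# Constructed stand-in for a breached-password list; real lists hold millions.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

DICEWARE_WORDS = 7776      # assumed word-list size (6^5, five dice per word)
GUESSES_PER_SECOND = 1e10  # assumed offline attack rate against a fast hash


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def password_bits(password: str) -> float:
    """Bits of entropy for a password drawn uniformly from its classes.
    Anything on the common list scores 0: an attacker tries those first."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy for `words` words each picked at random from a list."""
    return words * math.log2(list_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the space is searched."""
    return (2 ** bits / 2) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # "Tr0ub4dor&3" is structured, so for it the figure is only an upper bound.
    for secret in ("Password", "a1b2c3d4e5", "Tr0ub4dor&3", "xK9#mQ2vL7$p"):
        b = password_bits(secret)
        print(f"{secret!r:16} {b:5.1f} bits  ~{years_to_crack(b):.1e} years")
    b = passphrase_bits(5)
    print(f"5 diceware words  {b:5.1f} bits  ~{years_to_crack(b):.1e} years")
```

Ten random alphanumerics land around 52 bits; five random Diceware words land around 65 bits and are far easier to remember, which is the point of the passphrase advice.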
  7. Best practices
     • "Password reset questions" on sites
       • Can be tiresome
       • Use questions and answers that only you know
       • Even better: store the questions and answers in a password vault
     • Use full disk encryption
       • Different levels of protection, depending on your adversary
       • Some systems are flawed
     • Make sure you have backups of your data
       • Encrypted backups or not?
  8. Container encryption - TrueCrypt
     • The original developers stopped support
       • Still available for download from other sites
       • If you are really concerned about the download, check the hashes; compare against a hash or signature obtained independently of the download site, since a tampered mirror can simply publish a matching hash next to its file
       • VeraCrypt is the maintained fork and can open TrueCrypt containers
     • TrueCrypt containers are just "files", they can be moved to other devices
       • For example copy the TrueCrypt container to an external drive
       • Share the password for unlocking via other secure channels
     • Copy files from your "normal" drive to TrueCrypt
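What "check the hashes" looks like in practice, as an added example rather than code from the deck: parse a checksum list in the `sha256sum` output format, hash each downloaded file and compare. The file names and file contents below are constructed; the two digests are the real SHA-256 values of the string "abc" and of the empty file, so the check is reproducible. The comparison proves only that what you have matches what was published; whether the published value is trustworthy depends on where you got it.

```python
"""Verify downloads against a published SHA256SUMS list (added example)."""
import hashlib
import hmac

# Constructed stand-in for a SHA256SUMS file, in sha256sum's format:
# "<hex digest>  <file name>" per line ("<digest> *<name>" for binary mode).
PUBLISHED_SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  README.txt
"""

# Constructed "downloaded" files: name -> bytes (the real files would be read
# from disk). "abc" and "" are what the digests above were computed over.
DOWNLOADS = {
    "installer.bin": b"abc",
    "README.txt": b"",
}


def parse_sums(text: str) -> dict:
    """Parse sha256sum output into {file name: lower-case hex digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        int(digest, 16)  # raises ValueError if the digest is not hex
        sums[name] = digest
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(name: str, data: bytes, sums: dict) -> bool:
    """True only if the file is listed and its digest matches exactly.
    compare_digest is constant-time; irrelevant here, a cheap habit to keep."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def check_all(downloads: dict, sums_text: str) -> dict:
    """Verify every downloaded file; returns {name: True/False}."""
    sums = parse_sums(sums_text)
    return {name: verify(name, data, sums) for name, data in downloads.items()}


if __name__ == "__main__":
    for name, ok in check_all(DOWNLOADS, PUBLISHED_SUMS).items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
    # A single flipped byte in the installer is enough to fail the check.
    tampered = verify("installer.bin", b"abd", parse_sums(PUBLISHED_SUMS))
    print("tampered installer verifies:", tampered)
```

On a Unix system `sha256sum -c SHA256SUMS` does the same job; the code makes explicit that a missing entry and a mismatching digest are both failures.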
  9. Container encryption - TrueCrypt
     • Tutorial at:
  10. Container encryption - TrueCrypt
     • Workflow
       • Select the TrueCrypt file
       • Select a mount slot
       • Click Mount
       • Enter the password
  11. File encryption - GPG
     • GPG: digital signatures and encryption
     • Requires more technical knowledge
     • Made more accessible via Keybase
     • Ideal for encrypting one file and then sending it over an "unsafe" communication channel
     • Protect your master key!
       • Store the revocation certificate in a safe place
       • Don't lock yourself out
  12. Best practices
     • Use different browsers
       • Firefox, Chrome, Safari, Opera, Internet Explorer
       • Avoid Internet Explorer if possible: it is closely tied to the operating system
     • One browser only for "personal" things
       • 1 for online banking and e-mail
       • 1 for information gathering
       • 1 for random browsing
     • Use "Private" browsing
       • No cookies and no history are kept once the window is closed
       • It hides nothing from the network or from the websites you visit
       • Forensic research on your computer can still disclose your browsing history
  13. Best practices
     • Always type in the URL, do not click on a link
     • When you enter usernames and passwords, make sure the website is secured - HTTPS
     • Log out of a website (e-mail, Facebook) once you no longer need it
       • This limits tracking
     • Use disposable e-mail for subscriptions or one-time-only messages
       • This is not "encryption"
  14. Guerillamail
  15. Best practices
     • Use an up-to-date system
       • All the Windows and Apple patches
       • Use automatic updates
       • Do not use Windows XP, Vista or old versions of Apple OS X
       • Any protection mechanism or encryption is useless when remote intrusion into your computer is child's play
     • Avoid Acrobat Reader and Microsoft Office documents
       • Lots of vulnerabilities
       • They load external resources
     • Avoid Flash
     • Do not use Java on your machine
  16. Best practices
     • Use a system firewall
       • Built in for both Windows and Apple
     • Use a virus scanner
       • Make sure it is still active and receives the new updates
       • The quality of free virus scanners is good; there is no real quality difference with commercial (paid) virus scanners
  17. Best practices
     • Enable the option for "remote wipe" of your telephone or tablet
       • Automatically when a wrong PIN is entered more than x times
       • Remotely when your device is lost
  18. Best practices
     • Limit the use of location services; enable them only for the applications that need them
     • Disable "share your location" by default
  19. Common sense
     • Do not connect to random wireless networks
       • Only connect to trusted networks, networks that you know
       • Protect your wireless network at home with a password
     • Do not let anyone else use your computer or telephone unattended
       • Never leave your device unlocked
     • Shoulder surfing
       • Someone eavesdropping when you enter your password
     • Access your online accounts from trusted sources
       • Logging in to your e-mail or Facebook from a "friend's computer" is not always a good idea; it depends on the trust you have in that friend
  20. Common sense
     • Be careful with attachments that you did not request
       • Word documents, PDF files, ...
       • Even if it comes from a "trusted" contact
       • Mails can easily be spoofed ("pretending" to come from someone)
       • If it comes from a trusted contact, ask that contact for clarification
       • Do not use the same transport (e-mail) for the clarification; use the telephone or messaging
     • Do not install software from a popup or similar. Always make sure you started the install yourself (and not by clicking on a link)
  21. Social media
     • Do you really need to have your picture there?
     • Why would you need tagging?
     • Be aware of geo-location
       • No need to include all the location details
     • One-on-one does not exist in social media
       • It is a broadcast to everyone
     • A message (almost) never goes away
       • Your data belongs to the net forever
       • "Right to be forgotten" (ref. Google)
       • Other sites copy the content and do not comply with the request for deletion of data
  22. Tor network - surf anonymously
     • Software to browse the Internet anonymously
     • "Normal" network packet: sender + destination
       • The path to the destination is more or less pre-defined and is (almost) fixed
     • "Tor" network packet: the packet is wrapped in multiple layers
       • The path to the destination is not pre-defined and changes
     (Diagram: client → router 1 → router 2 → server, versus the direct client → server path)
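The "packet wrapped in multiple layers" idea is easiest to see in code. The following is an added example, not code from the deck or from the Tor project: a client wraps a message in one layer per relay, innermost first, and each relay strips exactly one layer, learning only who handed it the packet and where to send the rest. Assumptions: three relays (guard, middle, exit) with pre-shared keys, and a throw-away XOR stream cipher derived from SHA-256 that exists only to make the layering visible. That cipher is not secure (no integrity protection, reusable keystream); real Tor negotiates a fresh key with each relay through a handshake and uses AES-CTR with integrity checks.

```python
"""Toy onion routing: one layer per relay, each relay peels only its own
(added example; the cipher is for illustration and must not be reused)."""
import hashlib

SEP = b"|"  # separates the next-hop name from the wrapped payload


def toy_keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for an XOR stream cipher."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def build_onion(message: bytes, circuit, destination: bytes = b"server"):
    """Wrap `message` innermost-first. `circuit` is [(relay name, key), ...]
    in travel order. Returns (first hop, outermost packet)."""
    next_hop, packet = destination, message
    for name, key in reversed(circuit):
        packet = toy_xor(key, next_hop + SEP + packet)
        next_hop = name.encode()
    return next_hop, packet


def relay_peel(key: bytes, packet: bytes):
    """What one relay does: strip its own layer and read where to forward."""
    inner = toy_xor(key, packet)
    next_hop, _, payload = inner.partition(SEP)  # relay names never contain "|"
    return next_hop, payload


def run_circuit(message: bytes, circuit, destination: bytes = b"server"):
    """Simulate the whole path. Returns what each relay sees as
    (relay, previous hop, next hop), and the bytes the destination receives."""
    keys = {name.encode(): key for name, key in circuit}
    hop, packet = build_onion(message, circuit, destination)
    prev, seen = b"client", []
    while hop in keys:
        next_hop, packet = relay_peel(keys[hop], packet)
        seen.append((hop.decode(), prev.decode(), next_hop.decode()))
        prev, hop = hop, next_hop
    return seen, packet


# Constructed circuit; pre-shared keys are an assumption of this example only.
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    seen, delivered = run_circuit(b"hello", CIRCUIT)
    for relay, prev, nxt in seen:
        print(f"{relay:6} learns: came from {prev}, forward to {nxt}")
    print("server receives:", delivered)
    # After peeling its layer the guard still holds ciphertext, not the message.
    _, payload = relay_peel(b"key-guard", build_onion(b"hello", CIRCUIT)[1])
    print("guard sees payload:", payload)
```

The guard knows the client and the middle relay, the exit knows the middle relay and the server, and no single relay knows both ends. Note what the simulation also shows: the exit relay does see the plaintext when it is the one talking to the server, which is why the later slide insists on HTTPS inside Tor.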
  23. Tor network
     • Volunteer driven
       • Can be slower
       • Some destinations block connections from Tor
     • "Deep" web / "Dark" web
       • Sites can also be "hosted" on Tor
       • Only reachable via Tor
     • Criminals also want to surf anonymously
       • The police don't like it
       • Silk Road, one of the best-known Tor sites: drugs, weapons
     • Merely using Tor can be a sign for law enforcement to get more interested
  24. Tor network
     • Use the pre-packaged software
       • easy.html.en
     • Best practices still apply
       • Do not install extra "browser plugins"
       • Always use HTTPS
       • Do not submit personal details on websites
       • Do not open / download documents while online
         • Some documents (PDF, Word) open "extra" files via the Internet
         • This happens "outside" Tor and discloses your normal Internet connection
  25. Tails
     • "Computer from a USB stick"
     • Focused on privacy and anonymity
  26. Signal - Secure phone & messages
     • Signal, by Open Whisper Systems
       • Encrypted
       • Secure phone conversations
       • Secure text messages
       • Requires an Internet connection
     • Only install from the App Store or Google Play
     • As always, best practices apply
       • Lock your device
       • Protect it with a PIN code
       • Do not use it with untrusted partners
  27. Signal
  28. Secure e-mail
     • Use IMAPS
     • Use authenticated SMTP and do not use POP
       • IMAPS and SMTP over TLS protect only the connection to your provider; the messages themselves stay readable on the server unless you encrypt them end to end (GPG, ProtonMail, Tutanota)
     • If you are really paranoid you should not use e-mail
       • If your browser or computer has been hacked then "secure" e-mail will not protect you
     • Keep a sane Inbox
       • Delete mails. Also the "Sent" mails
       • Empty the deleted e-mails
       • Trust (?) your provider not to store the deleted / purged e-mails somewhere else
  29. ProtonMail
     • Built by students from MIT and people from CERN
     • In Switzerland, strong privacy laws
     • Future
     • For privacy conscious users
     • Free
       • Huge success, "waiting list": can take multiple days
       • Get immediate access with a donation: 17 (basic) to 73 (Mobile + 1GB) euro
     • 500MB storage
     • 1000 messages per month
  30. ProtonMail
     • Two passwords
       • One to access your account
       • One to decrypt your mailbox
  31. ProtonMail
     • Send mail to users not using ProtonMail
       • Use a one-time password
       • The message will expire after a while
  32. Tutanota
     • Alternative to ProtonMail
     • No waiting list
     • Germany based
     • 1GB storage
     • No aliases
     • Free for non-commercial use
     • Use your own domain with the Premium version
  33. Tutanota
  34. Tutanota
     • Send e-mails to users not using Tutanota with a shared password
  35. Take-aways
     • Do not get paranoid
     • Use common sense
     • Use secure websites (HTTPS) for personal data
       • Also for e-mail (IMAPS + authenticated SMTP)
     • Do not open documents from untrusted sources
     • Set strong passwords
     • Do not use untrusted networks and devices
     • Lock devices with passwords and PINs
       • Remote wipe, and wipe after unsuccessful PINs
     • Keep your systems up to date
       • Operating system and applications
     • Use a firewall and anti-virus
  36. Take-aways - tools
     • For disposable messages / mail
     • Secure phone and messages
     • Tor: surf anonymously
     • Private e-mail with ProtonMail or Tutanota
     • TrueCrypt
  37. Contact
     • Use common sense
     • Be vigilant but don't get paranoid
     • Contact: @cudeso