SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a Junior in College, have competed in and won multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Wednesday, June 26, 2013

Securing Your Digital Life and Right to Privacy - A Forensic and Security Methodology

Hello,
     As you are all aware, for about the last ten years it has been known that the NSA, CIA and other intelligence agencies, both domestic to the USA and foreign, have increased their surveillance of communications and increasingly stepped on the right to privacy of individual citizens. I am writing this as advice on how to eliminate most methods of monitoring, tampering, forensic evidence gathering or liability from an individual's standpoint. I should note that some basic security knowledge, or the willingness to learn the material below, is more or less a requirement.

1) Encrypting Your Data to Prevent Forensic Evidence or Data/Identity Theft. 
      a) If you have a smartphone, which most people do these days, do the following. Open the Settings application on your Android phone or iPhone and scroll down to the security/screen lock section. Under screen lock you will most likely find that you set a PIN or unlock pattern. Change this to a password; current Android releases allow a password far longer than a PIN. Set a password you will remember with at least one uppercase letter, one special character, one to three digits and the rest lowercase letters; an example of that pattern would be SourceAvenger999* . One caveat: that example is a name plus digits plus a symbol, which is exactly the shape that dictionary and hybrid (word plus mangling rule) attacks try first, so what actually buys you resistance to brute-force is length and unpredictability, not the mix of character classes. On Android this matters doubly, because the same lock screen password is what protects the disk encryption key. Now go back to the security section of Settings and select "Data Encryption" (on stock Android, "Encrypt phone"); there you will find options to encrypt the phone's internal storage and its memory card. Encrypt both so that no unencrypted data is left behind.
      b) Encrypt your internal hard drive, external hard drives and flash drives. I recommend TrueCrypt or DiskCryptor for this. Cascading algorithms (for example AES-Twofish or AES-Serpent) adds a margin against a break of any single cipher, but the practical weak point of an encrypted disk is the passphrase, and a cascade does nothing to strengthen that, so choose the passphrase accordingly. Make sure to encrypt the entire drive (system encryption, not just a container) so that no unencrypted data is left behind in the page file, hibernation file or temp directories. (TrueCrypt's developers ended the project in 2014; VeraCrypt continued its code base and can open TrueCrypt volumes.)
      c) Encrypt your phone calls. I recommend applications like RedPhone, which encrypt the call end to end so that anyone monitoring it through the carrier or a mobile tower vehicle gets nothing from its content. Note that the carrier still sees the call metadata (who called whom, when and for how long); encryption protects the content, not the fact of the call.
      d) Encrypt your text messages. I recommend programs like TextSecure that do end-to-end encryption and identity validation. Make sure your application also stores the texts encrypted on the device.
      e) Encrypt your instant messaging conversations. I recommend Pidgin with the OTR (Off-the-Record) plugin, which lets you chat with friends and family over a secure channel and keeps anyone monitoring the connection, including through MITM techniques, from reading the content of your messages. OTR only defeats a man in the middle if you verify your contact's fingerprint out of band (or through OTR's shared-secret question) the first time you talk; an unverified session is encrypted but not authenticated. There is also a Skype plugin for Pidgin that allows encrypted Skype conversations. OTR works with most chat protocols (AIM, MSN, Facebook, Google Talk, etc.).
       f) Encrypt your email. I recommend the Enigmail plugin together with GnuPG, which stores your keys for you. Enigmail integrates into Thunderbird and lets you encrypt and sign messages, or simply verify that a message was not altered in transit and was actually signed by your intended contact. Keep in mind that PGP encrypts the body and attachments only; the subject line, sender and recipients stay in the clear.
       g) Use a VPN for most of your online activity to keep your ISP from seeing what you do online and to defeat MITM attempts by intelligence agencies and others. Use OpenVPN with AES-256 (set the cipher explicitly in the config, since older OpenVPN builds default to 128-bit Blowfish) to prevent monitoring or decryption of your traffic. This also has the added benefit of a layer of anonymity. Keep in mind that a VPN does not remove the observer, it moves the observation point: the VPN provider now sees everything your ISP used to see, so choose one whose logging policy and jurisdiction you trust.

2) Securing Your Passwords Against Most Attack Methods 
      a) Use a service like LastPass or AI RoboForm that will securely encrypt and store your usernames and passwords for websites. For LastPass I recommend a 40+ character passphrase with uppercase, lowercase, numbers, special characters such as * and a space between each word. Set the password iterations to 10,000 to slow down attackers who try to crack your LastPass master password hash if it were ever stolen.
      b) Use the secure password generator included with the service. For whatever site you are registering with, generate the maximum length password it will accept (generally 32 characters) with uppercase, lowercase, digits and special characters. Generate a new one for each site you register with; this ensures that if one site is hacked, the rest are not exposed.
      c) Never share your password with ANYONE. Sending your password to someone should only ever be considered in a dire emergency, because whoever you send it to has full control over the account you gave them access to.

3) Practice Secure Computer Habits 
      a) Don't click random links people send you, especially if they do not look like something from a known safe site such as Facebook or Gmail. Shorteners such as tinyurl and bit.ly hide where a link will land you unless you follow it or use a special extension to "unshorten" it. That is why following online links, even ones sent by friends, can be dangerous.
      b) Have an up-to-date and secure antivirus product on your machine; I recommend Avira, Avast or Kaspersky. To make it even more secure, in the antivirus's "expert" settings set heuristics to the high detection level, scan all file types, scan archives, scan files when written and read, and scan for rootkits and memory threats. All of these need to be enabled to get the most out of the product. Avira also has the option to flag joke programs and "unusual runtime compression" as possible threats, which can save you sometimes.
       c) Use a behaviour-based firewall such as Comodo Internet Security. Set the configuration to Proactive Mode. Under HIPS settings set the monitoring mode to Paranoid Mode and make sure every option under monitoring settings is checked; select "Put popup windows into verbose mode", enable adaptive mode and enable enhanced protection mode. Under firewall settings set the mode to Safe Mode, enable anti-ARP spoofing, enable "Do protocol analysis", filter IPv6 traffic and filter loopback traffic.
      d) Don't download and execute programs that you aren't sure are safe. If you are unsure whether something is safe, run it in a virtual machine, the Comodo sandbox or an online sandboxing service first.
      e) Routinely check for unknown programs or network activity on your machine, as often as you believe necessary. I normally monitor my processes, network connections and so on live while I am using the machine. Compare what you see against what you know should be there: an unfamiliar listening port, an outbound connection from a process you cannot account for, or a process whose name is one letter off from a system binary is what you are looking for.
      f) If all else fails and you get hacked or infected with malware, try to recover the machine with the many tools available online, such as Malwarebytes Anti-Malware, SUPERAntiSpyware, Spybot Search & Destroy, Malwarebytes Anti-Rootkit and so on. If you run all of those and the malware is still active and resists termination, back up your data and wipe the machine. Unless the malware has embedded itself in the motherboard's BIOS, erasing it and starting fresh should leave no trace of it. Back up data files only, not programs, or you risk restoring the infection along with them.
      g) Disable Autorun for flash drives, CDs, DVDs, etc.
      h) Use Avira to lock your hosts file against changes; malware edits it to redirect antivirus update sites and bank logins to hosts it controls.
      i) Use SpywareBlaster to "immunize" your browser against known malware sites and tracking cookies.
      j) Turn off your computer when you leave the house, and if anyone ever knocks on the door be prepared to power down both the machine and your phone. This leaves the minimum of forensic evidence available. A cold boot attack is much harder against a machine that is already off: the attacker has to open the case, chill the RAM modules and move them to another machine before their contents decay, and by the time that happens most if not all of the data in memory is gone. (The same attack is far easier against a running or sleeping machine, because the modules can be chilled before the power is cut.) Turning the phone off likewise ensures the decryption key is no longer sitting in live memory to be plucked out.

Note: By no means is this a complete and perfect guide to securing everything, but I do believe it is a really good start for most people. The ideas and methods I recommend should defeat forensic analysis by thieves, warrantless raids, wiretapping and most other methods of monitoring or intelligence gathering. Implemented correctly, they leave very little forensic evidence or personal information available to be stolen or monitored. They should also get past most throttling by ISPs and governments as well as most censorship methods. Lastly, this should go a long way toward preserving the right to privacy the Bill of Rights is meant to protect, which has so often been trampled on by the NSA, CIA and others.
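As an added example (not code from the original post), here is the kind of routine process/network check and hosts file check described in section 3 above, written in Python: it parses netstat -ano style output and a hosts file and reports whatever an assumed baseline does not explain, including a process name that is a near miss of a system binary. The netstat rows, the PID-to-process map and the hosts file are constructed for the example, and the baseline process set, the expected listening ports and the local network are assumptions a real host would replace.

```python
# Added example, not code from the original post: a small "routine check" that
# parses netstat-style and hosts-file text and reports what a baseline does not
# explain. The netstat/tasklist output and the hosts file below are constructed
# for the example; the baseline sets are assumptions a real host would replace.
import difflib
import ipaddress

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.50:443       ESTABLISHED     2044
  TCP    192.168.1.20:49800     203.0.113.7:6667       ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1420
"""
TASKLIST_SAMPLE = {4: "System", 780: "svchost.exe", 1420: "mDNSResponder.exe",
                   2044: "firefox.exe", 3120: "svchots.exe"}   # PID -> image name

HOSTS_SAMPLE = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # sinkhole entry, what ad blockers add
198.51.100.9    www.paypal.com       # tampered: bank login redirected elsewhere
198.51.100.9    update.avira.com     # tampered: AV updates redirected
"""

# Baseline (assumed): processes allowed to own sockets, ports expected to
# listen, and networks the host normally talks to directly.
BASELINE_PROCESSES = sorted({"System", "svchost.exe", "firefox.exe", "mDNSResponder.exe"})
BASELINE_LISTEN_PORTS = {135, 445, 5353}
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_netstat(text):
    """Parse 'netstat -ano' style lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""      # UDP rows carry no state column
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lport": int(local.rsplit(":", 1)[1]),
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(parts[-1])})
    return rows


def _is_local(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:            # "*" or a hostname: cannot classify offline, not flagged
        return True
    return any(ip in net for net in LOCAL_NETS)


def check_connections(rows, pid_to_name):
    """Return (kind, pid, detail) findings for sockets the baseline does not explain."""
    findings, reported = [], set()
    for r in rows:
        name = pid_to_name.get(r["pid"], "<unknown>")
        known = name in BASELINE_PROCESSES
        if not known and r["pid"] not in reported:
            reported.add(r["pid"])
            # a near miss of a baseline name (svchots.exe vs svchost.exe) is a classic disguise
            near = difflib.get_close_matches(name, BASELINE_PROCESSES, n=1, cutoff=0.85)
            hint = f", looks like {near[0]}" if near else ""
            findings.append(("unknown-process", r["pid"], name + hint))
        if r["state"] == "LISTENING" and r["lport"] not in BASELINE_LISTEN_PORTS:
            findings.append(("unexpected-listener", r["pid"], f"{r['proto']}/{r['lport']} by {name}"))
        if r["state"] == "ESTABLISHED" and not known and not _is_local(r["fhost"]):
            findings.append(("outbound-unknown", r["pid"], f"{name} -> {r['fhost']}:{r['fport']}"))
    return findings


def check_hosts(text):
    """Return (hostname, address) pairs the hosts file redirects somewhere other than a sinkhole."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue              # 127.0.0.1 / ::1 / 0.0.0.0 entries just block a name
        findings.extend((n, addr) for n in names)
    return findings


def routine_check(netstat_text=NETSTAT_SAMPLE, pid_to_name=TASKLIST_SAMPLE, hosts_text=HOSTS_SAMPLE):
    return {"connections": check_connections(parse_netstat(netstat_text), pid_to_name),
            "hosts": check_hosts(hosts_text)}


if __name__ == "__main__":
    for section, items in routine_check().items():
        for item in items:
            print(section, item)
```

On a real machine you would feed it the live output of `netstat -ano` and `tasklist` and your own hosts file; the value is in maintaining the baseline, since every finding is simply "something not on the list".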

P.S. There are other things you can do to further increase security, such as hidden TrueCrypt volumes, encrypted virtual machines, or using I2P or Tor for more degrees of separation. As I said above, this is by no means a complete and perfect set of methods to protect you, but it is a great starting point to go forward from.

From a forensics standpoint, here is what happens if federal agents knock or bust down your door: you power off the machine by holding in the power button and at the same time power down your phone. By the time they get around the room to arrest you or seize your electronics the machines are off and the decryption keys are no longer in RAM, on the phone or the computer. (This assumes whole-disk encryption; if you only use an encrypted container, the page file and hibernation file on the unencrypted system drive can still hold the key or plaintext, and a machine that is asleep rather than powered off keeps its RAM live.) As for decrypting the drives, forensically breaking a 40+ character passphrase that uses all character classes, on top of a cascade of ciphers, is going to be near impossible. A judge cannot prove you remember the decryption password, since who knows how many weeks or months have passed since you last used it, and it can be forgotten; a judge cannot pry into your thoughts to verify your statements, and lie detectors can be fooled. Be aware, though, that whether a court can compel you to produce a password varies by jurisdiction and is still being litigated, so this is not a guarantee. Honestly speaking, then, the forensics lab would have images of your hard drives, flash drives and so on and no way to prove what is on them; the ISP has no logs of your internet activity, and a VPN provider that does not log has nothing to hand over (which is why the provider's logging policy matters). Therefore there is no direct proof you played any part in whatever you are accused of, and not really any circumstantial evidence either. Also, forensically speaking, if your house is raided while you are gone and your machines are off, there is not even a chance of your decryption keys being in RAM, so the hard drive images, flash drive images and so on are useless. And if you come home to fifteen cop cars outside, it is a safe bet to turn your phone off before asking them why they are there, so again no RAM can be read for keys.
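To make the "keys in RAM" point above concrete, here is an added example (not from the original post) of how a forensic tool recovers an AES-128 key from a memory image: for every 16-byte window it computes the AES key schedule and checks whether the next 160 bytes of the image match, which is the idea behind aeskeyfind. The memory image is constructed inline, with the FIPS-197 test key planted at an assumed offset; an image of a powered-off machine (modelled here as all zeros) yields nothing.

```python
# Added example, not code from the original post: scan a memory image for an
# AES-128 key by recognising its expanded key schedule, the idea behind cold-boot
# tools such as aeskeyfind. While a volume is mounted the schedule sits in RAM
# and this finds it; once the machine is off and RAM has decayed it is gone.
# The "memory image" is constructed inline; the key is the FIPS-197 test vector.
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p = p * 3
        q ^= (q << 1) & 0xff                                     # q = q / 3
        q ^= (q << 2) & 0xff
        q ^= (q << 4) & 0xff
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63                                       # p and q are inverses
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    w = list(key)
    rcon = 1
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11b if rcon & 0x80 else 0)
        for j in range(4):
            w.append(w[(i - 4) * 4 + j] ^ t[j])
    return bytes(w)


def find_aes128_keys(image):
    """Return [(offset, key)] for every window of the image that is a valid key schedule."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        # cheap pre-filter: the first word of round key 1 must match before expanding fully
        t = [SBOX[b] for b in key[13:16] + key[12:13]]
        t[0] ^= 1
        w4 = bytes(key[j] ^ t[j] for j in range(4))
        if w4 != image[off + 16:off + 20]:
            continue
        if expand_key(key) == image[off:off + 176]:
            hits.append((off, key))
    return hits


def make_image(key, key_offset=1000, size=4096, seed=7):
    """Constructed RAM image: pseudo-random filler with a key schedule planted at key_offset."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[key_offset:key_offset + 176] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key
    live = make_image(key)
    print(find_aes128_keys(live))      # key found at offset 1000 while it is in memory
    wiped = bytes(len(live))           # RAM after power loss and decay: nothing to find
    print(find_aes128_keys(wiped))
```

The schedule is what makes the key recognisable: the 160 bytes after the key are fully determined by it, so a random window almost never passes. This is also why disk encryption software that keeps the key in RAM (which it must, to decrypt sectors on the fly) is exposed to memory capture of any kind, not only cold boot.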

 From a security standpoint these methods can be beaten by hardware keyloggers, software keyloggers, cameras monitoring computer use and so on, but if you follow all of the good computer practices above you should not need to worry much. Always be aware of how your actions could be perceived by those around you, and never give away information that is not needed. Always be aware of possible threats and vulnerabilities to your right to privacy.
