
  #1  
Old 8 June 2013, 10:55
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,200
Data security and privacy how-to

A lot of people are concerned with email/phone/text privacy in light of the recent news of NSA data mining. I don't blame them. There has been some discussion of security products, but I think some of us forget that not everyone is a techie, and some won't know how to implement solutions.

As such, I'm going to post a few tutorials here. I'll start with basic cell phone voice call and text security for Android, and add more as I have time. Poly, CV, or anyone else, please feel free to add to this.

For Android phones, the apps are almost painfully simple to use...pretty much ready to go "right out of the box."

Disclaimer: these are not the only solutions on the market, and are not the only good/effective solutions. They are simply the ones I use. If anyone else uses a different product, please let us know how well it works, and how to get it set up.

First: RedPhone - an app from Whisper Systems which provides end-to-end encryption for VOIP calls. Keep in mind that RedPhone will not work unless the person you are calling also has it installed. Unfortunately, this is going to be the case with any security product. RedPhone is available in the Android market, and is 100% free. After installing, it will go through a VERY short setup/verification with little or no user input. By default, the app will sense if you are calling someone else who has RedPhone installed and ask if you want to "go secure." The only real downside is that since it's VOIP, it's dependent on your phone's data connection. If you are somewhere with a bad connection, or if you have a limited data plan, it can be a problem. I try to stay on wifi when using RedPhone.

When making a call with RedPhone, you'll see two words at the bottom of the screen. They change with every call. I can't say for certain that they were included for this reason, but I use them as a sort of "challenge and reply," to ensure everything is on the "up and up." In other words, if the words at the bottom of the screen are "helmet laptop," I would challenge with "helmet," and if you reply with anything other than "laptop," I'm just going to hang up. Yes, I just picked two random things sitting on my desk at work to use as an example.


Next: Text security with TextSecure - another product from Whisper Systems, and also free. TextSecure will take the place of the default Android messaging app, and will encrypt all text messages on your device. The inconvenient part: you'll have to put in a password each time you want to decrypt your sms/mms for reading. You can leave it decrypted all day, but then what's the point of securing them? You also need to have a very strong passphrase. The example I've been using to illustrate this point is that
Quote:
OhGodOhGodItIs1984AndOrwellWasRight#!)#!)#!)#!)
is far harder to brute force than
Quote:
P@$$\/\/0rd
Anytime you send sms/mms to someone else using TextSecure, the app will ask you if you want to exchange security keys. Select "yes." This will allow the messages to be encrypted in transit, as well as on the device.

The "cons" of TextSecure: All messages will be encrypted on your device, but will not be encrypted in transit unless the person you're texting also runs TextSecure. As such, friends and family need to be coerced into using the same products.



When I get home from work, I'll try to detail a few of the free VPN services out there. Some of them require you to use their proprietary VPN software, so I can't help with those...I don't run Windows, so those programs aren't available on my computer.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
  #2  
Old 8 June 2013, 14:31
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 132
One big challenge is defeating the metadata mining currently ongoing. You can encrypt the contents, but there is still a list of who talked to whom, when and from where. If I, anachranerd, called you, BOFH, and we both used RedPhone, yes no one could listen in but they would still know we are in contact and when.

I admit I'm not totally sure how to beat that.

CVOIP solution over TOR? Would be able to hide at least one side of the conversation.


Quote:
Next: Text security with TextSecure - another product from Whisper Systems, and also free. TextSecure will take the place of the default Android messaging app, and will encrypt all text messages on your device. The inconvenient part: you'll have to put in a password each time you want to decrypt your sms/mms for reading. You can leave it decrypted all day, but then what's the point of securing them? You also need to have a very strong passphrase. The example I've been using to illustrate this point is that
I work in QA, not security, so forgive my ignorance. But, even a simple strong password instead of a passphrase would still make it difficult to crack encryption, right? To the point of making it not worth it for an eavesdropper to casually try to tune in on most conversations? I.e. if my stuff is encrypted with a simple password like b1gT@nk or something, isn't that already demanding enough to decode?
  #3  
Old 8 June 2013, 15:41
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,200
Quote:
Originally Posted by anachranerd View Post
One big challenge is defeating the metadata mining currently ongoing. You can encrypt the contents, but there is still a list of who talked to whom, when and from where. If I, anachranerd, called you, BOFH, and we both used RedPhone, yes no one could listen in but they would still know we are in contact and when.

I admit I'm not totally sure how to beat that.

CVOIP solution over TOR? Would be able to hide at least one side of the conversation.



I work in QA, not security, so forgive my ignorance. But, even a simple strong password instead of a passphrase would still make it difficult to crack encryption, right? To the point of making it not worth it for an eavesdropper to casually try to tune in on most conversations? I.e. if my stuff is encrypted with a simple password like b1gT@nk or something, isn't that already demanding enough to decode?
Problem is, any dictionary will already have variations on common words like that. Pass phrase is better, and length always beats complexity.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
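The two posts above (BOFH's passphrase-versus-"P@$$\/\/0rd" example and his reply that any dictionary already carries leet-speak variants of words like b1gT@nk) can be made concrete. The following is an added example, not code from the thread or from any of the products discussed: it undoes common character substitutions the way cracking rulesets do, checks the result against a small constructed stand-in for a real wordlist, and contrasts that with the naive brute-force keyspace each password appears to have.

```python
"""Why "length beats complexity": de-leet a candidate password and see
whether it collapses to a dictionary word.  Added example; the dictionary
and substitution tables are constructed for illustration."""
import math

# Constructed mini wordlist; a real cracking list has millions of entries.
DICTIONARY = {"password", "bigtank", "tank", "big", "welcome", "letmein"}

# Single-character substitutions that rule-based crackers routinely undo.
LEET = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
        "3": "e", "7": "t", "+": "t", "|": "l"}
# Multi-character substitutions (ASCII-art letters), applied first.
MULTI = {"\\/\\/": "w", "|-|": "h", "()": "o"}


def normalize(pw):
    """Lower-case, undo leet substitutions, keep only letters."""
    s = pw.lower()
    for pattern, letter in MULTI.items():
        s = s.replace(pattern, letter)
    s = "".join(LEET.get(c, c) for c in s)
    return "".join(c for c in s if c.isalpha())


def dictionary_hit(pw):
    """Return the dictionary word the password reduces to, or None."""
    word = normalize(pw)
    return word if word in DICTIONARY else None


def naive_bits(pw):
    """Keyspace a brute-force attacker who knows nothing would face,
    in bits: length * log2(size of the character classes present)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33          # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Summarise: apparent strength vs. whether a wordlist rule finds it."""
    hit = dictionary_hit(pw)
    return {"naive_bits": round(naive_bits(pw), 1),
            "dictionary_hit": hit,
            # With a hit, the real work is ~ wordlist size x rule count,
            # not the apparent keyspace.
            "effective_bits": round(math.log2(len(DICTIONARY) * len(LEET)), 1)
            if hit else round(naive_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("P@$$\\/\\/0rd", "b1gT@nk",
                      "OhGodOhGodItIs1984AndOrwellWasRight#!)#!)#!)#!)"):
        print(candidate, assess(candidate))
```

The leet password looks like a 72-bit search but reduces to "password", while the long phrase does not reduce to any single dictionary entry; a real cracker would also try multi-word combinations, which is why the phrase should be unusual, not just long.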
  #4  
Old 8 June 2013, 16:20
Macka Macka is offline
Confirmed User
 
Join Date: Sep 2001
Location: SOCNET-Northeast
Posts: 2,264
You could use this site to check your password strength.

It is legit, but I still don't use my own passwords. I just use one that is laid out in a similar manner.

https://howsecureismypassword.net/
__________________
Freedom costs a Buck 0-5
  #5  
Old 8 June 2013, 18:41
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 12,004
Quote:
Originally Posted by anachranerd View Post
One big challenge is defeating the metadata mining currently ongoing. You can encrypt the contents, but there is still a list of who talked to who, when and from where. If I, anachranerd, called you- BOFH, and we both used Redphone, yes no one could listen in but they would still know we are in contact and when.
This is incorrect. RedPhone, being TCP/UDP, uses the phone's data connection. There is no "log" that the provider could gather and send, other than IP addresses, just like any web surfing session. All they could say is "here is a list of IPs that the phone contacted." And that's assuming no VPN use.

The communication to the RedPhone signaling and relay servers is encrypted with TLS. The RP signaling server then sends a push notification to who you're calling, and then connects you through the relay server. All your carrier would see is an encrypted connection to a RP server...there is no way for them to know who you called...or called you.

An attack would require a global adversary, watching every RP server, and every user on the planet. Then they would have to do correlation and timing attacks. This is EXTREMELY Non-Trivial...and it still wouldn't get them the voice packets.

Moxie lives to prevent this crap

https://whispersystems.org/blog/low-latency-switching/

https://github.com/WhisperSystems/RedPhone/wiki

P

Edit: The "words" are an SAS (Short Authentication String) to prevent MitM (Man in the Middle) attacks. I usually have the receiver read them, after acknowledging that the voice is the same that I remembered. Neat that you use a challenge and pass...pretty cool.

Last edited by Polypro; 8 June 2013 at 18:46.
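Polypro's edit explains that the two words BOFH described are a Short Authentication String meant to catch a man-in-the-middle, and BOFH's challenge-and-reply is one way to compare them. The toy model below is an added example, not Whisper Systems code: it derives a two-word SAS from an ephemeral Diffie-Hellman key (with a constructed 16-word list and a deliberately tiny prime), shows that both honest endpoints display the same words, and shows why a relay that substitutes its own keys ends up with different words on each side, which the spoken check then exposes.

```python
"""Toy model of a Short Authentication String (SAS) over Diffie-Hellman.
Added example; the prime, generator and word list are constructed for
illustration only and are far too small for real use."""
import hashlib
import secrets

P = 2**127 - 1     # toy Mersenne prime; real protocols use much larger groups or ECDH
G = 3
# Constructed 16-word list: each hex nibble of the key hash selects one word.
WORDS = ["helmet", "laptop", "anchor", "bishop", "camera", "dragon", "eagle",
         "falcon", "garden", "hammer", "island", "jacket", "kettle", "lantern",
         "magnet", "needle"]


def dh_keypair(priv=None):
    """Return (private, public) for one ephemeral exchange."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(secret, n_words=2):
    """The words shown on screen: hash the session key, map nibbles to words."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()
    return " ".join(WORDS[int(h, 16)] for h in digest[:n_words])


def honest_call(n_words=2):
    """Both parties see each other's real public key: identical SAS."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return (sas(shared_secret(a_priv, b_pub), n_words),
            sas(shared_secret(b_priv, a_pub), n_words))


def mitm_call(n_words=2):
    """A relay that swaps in its own keys holds two separate sessions,
    so the caller's screen and the callee's screen show different words."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    _, m_pub_for_alice = dh_keypair()   # substituted for Bob's key
    _, m_pub_for_bob = dh_keypair()     # substituted for Alice's key
    return (sas(shared_secret(a_priv, m_pub_for_alice), n_words),
            sas(shared_secret(b_priv, m_pub_for_bob), n_words))


def reply_matches(displayed, challenge, reply):
    """BOFH's check: caller speaks word one, callee must answer with word two."""
    first, second = displayed.split()
    return challenge == first and reply == second


if __name__ == "__main__":
    print("honest:", honest_call())
    print("relayed:", mitm_call())
```

With only two words from a 16-word list the SAS carries 8 bits, so a relay that guesses keys until the words happen to agree would succeed about one time in 256; real implementations use larger word lists and bind the SAS to the session so retries are not free.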
  #6  
Old 8 June 2013, 18:52
rhea rhea is offline
As Above So Below
 
Join Date: Oct 2003
Location: Texas
Posts: 769
Thanks!

Quote:
Originally Posted by mikemac64 View Post
You could use this site to check your password strength.

It is legit, but I still don't use my own passwords. I just use one that is laid out in a similar manner.

https://howsecureismypassword.net/
One of my passwords would take 511 years and the best one was 3 thousand years...so I will keep it awhile!
__________________
Built for comfort; not for speed
Knowledge is power
When you cannot see past your own anger and fear; you are nothing. "A Course In Miracles"
''Rise and rise again until lambs become lions'' from the movie Robinhood with Russell Crow
No good deed goes unpunished..look what they did to Robin Longstride
"I'm not afraid of terrorists, I am; however, afraid of the other employees" -me.
  #7  
Old 8 June 2013, 18:58
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 12,004
For now, some simple things:

Change all your email to Countermail. Pay the $60:

https://countermail.com/

All OSes welcome. Uses a Java Applet for the web interface, but can also be used with other IMAP clients. At the very least, they are outside the US, they don't log anything, and all email is encrypted while on their server. You don't even have to use PGP with anyone, and they still provide a ton more privacy than any US provider.

Never surf unless you're on a VPN. Pay the $80 (isn't it fricken awesome that you have to spend your hard earned money to remain private from your own government? God bless America, huh? Uh-oh...is that treason?)

https://airvpn.org/

https://mullvad.net/en/

http://bolehvpn.net/

Maybe buy 1 month from each to test out.

P
  #8  
Old 8 June 2013, 20:16
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 132
Quote:
Originally Posted by Polypro View Post
This is incorrect. RedPhone, being TCP/UDP, uses the phone's data connection. There is no "log" that the provider could gather and send, other than IP addresses, just like any web surfing session. All they could say is "here is a list of IPs that the phone contacted." And that's assuming no VPN use.

The communication to the RedPhone signaling and relay servers is encrypted with TLS. The RP signaling server then sends a push notification to who you're calling, and then connects you through the relay server. All your carrier would see is an encrypted connection to a RP server...there is no way for them to know who you called...or called you.

An attack would require a global adversary, watching every RP server, and every user on the planet. Then they would have to do correlation and timing attacks. This is EXTREMELY Non-Trivial...and it still wouldn't get them the voice packets.

Moxie lives to prevent this crap

https://whispersystems.org/blog/low-latency-switching/

https://github.com/WhisperSystems/RedPhone/wiki

P

Edit: The "words" are an SAS (Short Authentication String) to prevent MitM (Man in the Middle) attacks. I usually have the receiver read them, after acknowledging that the voice is the same that I remembered. Neat that you use a challenge and pass...pretty cool.

I stand corrected. Thank you sir!
  #9  
Old 8 June 2013, 22:34
Papa Smurf Papa Smurf is offline
On the Extract Bird
 
Join Date: Dec 2008
Location: On the extract bird
Posts: 2,167
I'm good to go...
Attached Images
File Type: jpg Capture.jpg (29.0 KB, 638 views)
  #10  
Old 8 June 2013, 22:56
Sharky Sharky is offline
Administrator
 
Join Date: Dec 1999
Location: SOCNET
Posts: 18,199
I use ExpressVPN and it's worked well so far.
__________________
Out of the night that covers me,
Black as the Pit from pole to pole,
I thank whatever gods may be
For my unconquerable soul.
In the fell clutch of circumstance
I have not winced nor cried aloud.
Under the bludgeonings of chance
My head is bloody, but unbowed.
Beyond this place of wrath and tears
Looms but the Horror of the shade
And yet the menace of the years
Finds, and shall find, me unafraid.
It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate
I am the captain of my soul.
-Invictus
  #11  
Old 8 June 2013, 22:59
assertnull assertnull is offline
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,056
How secure is my password?
well, for my disks, it's a 256-character chunk of /dev/urandom
some printable characters, some not

so, reason for posting - are there enough linux users here that my doing a HOWTO video/screencast on full disk crypto with a(n unknown) key on removable media would be something anyone is interested in?

I may do one anyway at some point, but, quite literally *while* I was making my last post in the disk decryption thread a few down from this one, my HDD started dying. Kinda creepy. But, I have a new disk coming in the mail on Monday, and have to do a new install anyway, so if there's any interest I'll do it then. If not, I'll hardly take it personally.

NB: any other linux users looking for a good screen recording app, I use http://recordmydesktop.sourceforge.net/ with the Qt frontend, let it save as Ogg, then 'ffmpeg -i video.ogv video.mp4' - works a treat


ETA: just a thought. Might it be helpful to organize things according to the threat? e.g.

THREAT: capturing voice data
COUNTERMEASURE: RedPhone

Last edited by assertnull; 8 June 2013 at 23:11.
  #12  
Old 8 June 2013, 23:30
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 132
Quote:
Originally Posted by assertnull View Post
How secure is my password?
well, for my disks, it's a 256-character chunk of /dev/urandom
some printable characters, some not

so, reason for posting - are there enough linux users here that my doing a HOWTO video/screencast on full disk crypto with a(n unknown) key on removable media would be something anyone is interested in?

I may do one anyway at some point, but, quite literally *while* I was making my last post in the disk decryption thread a few down from this one, my HDD started dying. Kinda creepy. But, I have a new disk coming in the mail on Monday, and have to do a new install anyway, so if there's any interest I'll do it then. If not, I'll hardly take it personally.

NB: any other linux users looking for a good screen recording app, I use http://recordmydesktop.sourceforge.net/ with the Qt frontend, let it save as Ogg, then 'ffmpeg -i video.ogv video.mp4' - works a treat


ETA: just a thought. Might it be helpful to organize things according to the threat? e.g.

THREAT: capturing voice data
COUNTERMEASURE: RedPhone
Couldn't hurt either way. Post it up man.
  #13  
Old 8 June 2013, 23:54
assertnull assertnull is offline
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,056
Quote:
Originally Posted by anachranerd View Post
Couldn't hurt either way. Post it up man.
will do whenever the disk shows up.

I could actually probably combine that with a "booting from a LiveDVD" segment, too. I currently keep my "swiss army knife" thumb drive, and my drive with key and boot loader, separate. But there's no reason the two can't be combined - grub2 is just as happy to boot from an .iso as it is an actual HDD, so I might throw that in there.

Videos help *me* at least. Do one well enough, you increase the chances that much more someone else will say "hey, it isn't as difficult as I thought! Time for crypto!" - one more PC the .gov overlords can't touch is always a good thing.
  #14  
Old 8 June 2013, 23:58
CV CV is offline
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,327
Great thread. I am making it a sticky. Busy at the moment so I can't add to the convo. Keep it going.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
  #15  
Old 9 June 2013, 00:50
Armitage12 Armitage12 is offline
Confronting the Reckoning
 
Join Date: Jan 2013
Location: Old North West
Posts: 1,110
Counter mail---important detail

Quote:
Originally Posted by Polypro View Post
For now, some simple things:

Change all your email to Countermail. Pay the $60:

https://countermail.com/

All OSes welcome. Uses a Java Applet for the web interface, but can also be used with other IMAP clients. At the very least, they are outside the US, they don't log anything, and all email is encrypted while on their server. You don't even have to use PGP with anyone, and they still provide a ton more privacy than any US provider.

P
So if I understand the most important advantages of Countermail:
(1) encrypted contents of email provided the other party is also using Countermail
(2) superior protection of your unencrypted email by passing it through their hands, compared with either your Internet service provider or free online (google/Microsoft) email, when sending to someone NOT using Countermail, by dint of their good stewardship.

[I spent about five hours last week working through some of this and I am reasonably technically minded, but it is still mentally challenging in some ways to think through all the vulnerabilities and generate possible solutions. This thread is incredibly helpful and I thank everyone for sharing their wisdom]
  #16  
Old 9 June 2013, 00:56
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 132
Quote:
Originally Posted by assertnull View Post
will do whenever the disk shows up.

I could actually probably combine that with a "booting from a LiveDVD" segment, too. I currently keep my "swiss army knife" thumb drive, and my drive with key and boot loader, separate. But there's no reason the two can't be combined - grub2 is just as happy to boot from an .iso as it is an actual HDD, so I might throw that in there.

Videos help *me* at least. Do one well enough, you increase the chances that much more someone else will say "hey, it isn't as difficult as I thought! Time for crypto!" - one more PC the .gov overlords can't touch is always a good thing.
Agreed on everything you just said.

I would be happy to pen a tutorial on booting from a liveCD/DVD for people on here, if there is interest. Start from the basics and work from there.
  #17  
Old 9 June 2013, 01:18
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,200
Quote:
Originally Posted by Polypro View Post
This is incorrect. RedPhone, being TCP/UDP, uses the phone's data connection. There is no "log" that the provider could gather and send, other than IP addresses, just like any web surfing session. All they could say is "here is a list of IPs that the phone contacted." And that's assuming no VPN use.

Thanks for getting that, Poly. I was on my phone when I read the reply, and was too lazy to type all that out. Just got back on the laptop, but clearly you've already got it.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
  #18  
Old 9 June 2013, 01:21
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 132
Quote:
Thanks for getting that, Poly. I was on my phone when I read the reply, and was too lazy to type all that out. Just got back on the laptop, but clearly you've already got it.
Sorry for the stupidity...had I read a little bit more carefully---I wouldn't have said all that. My bad.
  #19  
Old 9 June 2013, 01:23
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,200
Quote:
Originally Posted by anachranerd View Post
Sorry for the stupidity...had I read a little bit more carefully---I wouldn't have said all that. My bad.

Meh. No stupidity...I'm a security professional, and while I don't know what Poly does to earn a paycheck, his knowledge is top notch.

As for the password strength:
Quote:
It would take a desktop PC about 366 duovigintillion years to crack my password!

http://hsim.pw/
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
  #20  
Old 9 June 2013, 02:35
MacDuff MacDuff is offline
Confirmed User
 
Join Date: Feb 2008
Location: Frankfort, KY
Posts: 776
I'm lost when it comes to all this technical stuff but I'm interested in learning. I appreciate you all taking the time to add to the knowledge base, I think this is one of the more interesting discussions to come up lately.

One question though; are there security advantages to running Ubuntu or some other flavor of Linux?
__________________
Drinking from a firehose...