The Everyday Marksman forum

Digital privacy tools
xsquidgator (@xsquidgator), Member, joined 2 months ago, 35 posts
27/06/2019 1:42 pm

Is there any interest here in digital privacy tools, for example PGP email encryption, TOR browser bundle, darkweb, VPN, etc?

I'm just an enthusiast user of these things, not an IT or pro in this field, but I have, I think, picked up some useful tips and tools via osmosis, hanging around others, etc.  It's not shooty or outside survival, but I think it's still useful and fits in with those other skillsets.  Nowadays, I can't imagine going online without using some of these things to stay private.

Caveat- just like other things of interest around here, these are just tools and they don't make you bulletproof or invisible just by having them.  Protecting your digital privacy may include using these kinds of tools, but you still must always exercise information discipline in order for the tools to do you any good.  And, in today's world it might not be safe to use some of these things as doing so can put you "on a list".  For example, I've been told elsewhere that if you use Tor browser, your IP address is almost certainly put into a .gov list somewhere for whatever purpose they have.  Using Tor isn't illegal (for now) but that kind of thing is something to know before you decide.

One useful place to start, if you're interested, is "Info Security for Journalists 101"  (PDF alert)

You don't have to use the tools in the pdf or even the versions of the tools presented in it.  The PDF is written for non-technical people and is a good primer that explains each concept/tool and then has decent step-by-step instructions on how to install and use the tools.

https://tcij.org/sites/default/files/u11/InfoSec%20for%20Journalists%20V1.3.pdf

I'm somewhere in the middle of the bell curve, privacy wise.  I haven't gone totally hardcore like a journalist in China or Iran might do, anticipating a police dissection of his or her computer (there are instructions in the PDF for how to physically disconnect the speaker/mic on your PC so that it couldn't be activated to listen to your conversations).  I put a piece of tape over the webcam, I use a commercial VPN service, I keep Tor installed and occasionally use it, always use DuckDuckGo as a search engine, etc.  If possible I use PGP when emailing friends, of which maybe 1/4 are tech enough to be comfortable using PGP.  For the other friends, I at least try to use something more private than Gmail, such as an offshore-based webmail provider like Protonmail, Unseen, etc.

If it does any good though, I want the bastids to have to work at it a little bit to keep the big eye on me.

Any interests, thoughts?


xsquidgator (@xsquidgator), Member, joined 2 months ago, 35 posts
27/06/2019 3:46 pm

I meant to include (but can't seem to edit the original post)- I suggest that digital privacy is relevant to the "Everyday Marksman", if you visit online forums like this, discuss/research related training topics online, etc.


Matt (@matt), Practitioner, Admin, joined 1 year ago, 203 posts
27/06/2019 8:14 pm

I think it's interesting, but ultimately not something I focus on. I take general precautions about PII, but I fully realize there is a long paper trail on me given my background, security clearances, and having to pay hosting fees on this site.

"Man is still the first weapon of war" - Field Marshal Montgomery


Sunshine Shooter (@sunshine-shooter), Engaged Member, Author, joined 4 months ago, 80 posts
28/06/2019 11:40 am

I think digital privacy tools are far more likely to be useful in today's world than a gun for someone who isn't an LEO or active duty infantry.

I'll definitely be checking out your link.

"Good judgement comes from experience, and experience comes from bad judgement"

progunmillennial.wordpress.com


Nick_ (@nick_), Member, Community Founder, joined 3 months ago, 18 posts
29/06/2019 12:43 pm

Thanks for the information. It is something that I would like to improve on with my computer. I would probably be like you in that I would be somewhere in the middle of the road.

“While people laugh at me because I’m different, I laugh at them because they’re all the same.”


JustinC (@justinc), Member, Subject Matter Expert, joined 2 months ago, 18 posts
30/06/2019 11:43 am

Hi, guys. I'm Justin. I work in the digital security/privacy realm and have written several books on the topic. If there is interest I am happy to delve into some of this. Before getting into specific tools, techniques, and procedures, however, it is helpful to have some framework on which to hang privacy and security problems.

Critical to understanding this framework is disambiguating privacy and security. Though they are often thought of as the same thing, they aren't. Let's use my house as an example.

  1. Privacy. I could put up a 10' privacy fence that would give me the privacy to sunbathe in my backyard, unobserved. I could purchase my home in a land trust or other instrument to keep me private from data brokers. I could blur my house in Google Street View. All of these things increase my privacy, but none makes my home harder to get into. In the case of the privacy fence, it may actually make my home easier to get into by giving a burglar a covered/concealed approach, or a concealed location from which to observe my comings and goings (privacy fences work both ways like that). Hence the need for security.
  2. Security. My home has UL-437 locks with upgraded door jambs, motion lights, an IDS, a camera system, a decent safe, a very well trained German Shepherd Dog, and other physical security measures in place (and of course, me). These all make my home harder to get into and protect my goods, but by themselves don't offer me any privacy.
  3. Privacy & Security. Together privacy and security do complement each other really well. If you are looking to come after me specifically and can't find my home I've created another significant barrier before you even get to my physical security measures.

The bottom line: security prevents access to a location, account, etc. Privacy is the obfuscation or minimization of the information that is publicly findable or viewable about you. Ideally we want both, but we compromise some on both to make life livable. Finding your balance is up to you.

Finding the balance is the product of Threat Modeling. A threat model is a realistic, plausible accounting of potential threat actors and their intersection with your attack surface. This is a topic unto itself, but is critically important. If we overestimate our threats we spend too much time, energy, and money protecting ourselves from implausible threats; if we underestimate our threats we get hurt, hacked, or otherwise pwned. Questions to ask to determine your threat model:

  1. What are you trying to protect? This could be physical access to your home, unauthorized access to your bank/email/social media accounts, etc.
  2. Who are you trying to protect it from? This ranges from everyday criminal threats to sophisticated state actors. That last one sounds implausible...but it's not. More on that in a future post.
  3. What are the consequences if you fail to protect it? Failing to protect your PII could literally result in financial ruin. One in five victims of identity theft never recover. Think about that and its implications for you and your family for a minute.

The Framework

There isn't really a digital security problem that can't be hung on this framework. There are implied tasks (good, strong passwords for instance) under each of these. This is my preferred way to think about digital security.

  1. Malware resilience. It doesn't matter what sexy encryption you're using if I'm just reading your data directly from your keyboard or screen. This is an imperative step and one that every human should undertake.
  2. Protecting data-at-rest. This is just protecting the data that is stored on your various devices.
  3. Protecting data-in-motion. Protecting the data that we elect to cede physical control of through electronic transmittal.
  4. Protecting cloud-stored data, and
  5. Protecting personally identifiable information.

There are tons of tools to help with each of these, but honestly the best security measure in most cases is better human behavior.

I recommend taking some time to think about these principles. I'm happy to expound if there is any interest.

JC

xsquidgator (@xsquidgator), Member, joined 2 months ago, 35 posts
30/06/2019 5:29 pm

Hey Justin- Great, I'm interested!  (Not to derail things if this is too far off-topic for the intent of this forum, though, hopefully this is considered part of the area of interest.)

I would imagine that you have a combination of knowledge and training-skills you'd recommend the average person have in this area?  I'd be curious as to how you'd recommend the average person get some bang for the buck for their efforts and learning to get a reasonable amount of security/privacy with available time, money etc resources.

I'm not even sure if that's possible with the way the internet and all of our "smart" devices work, but I'd like to learn more and do what I can.  All things considered, it seems to me that it'd be a good idea to keep a lot of "training talk" more private if possible.


JustinC (@justinc), Member, Subject Matter Expert, joined 2 months ago, 18 posts
30/06/2019 7:31 pm

I don't think we're derailing; Matt asked me to help out with this topic. I'm glad to offer any input I can. However...

Please bear with me. I will get to the cool privacy/security tools, but there is some important groundwork to lay. Without a way to conceptualize privacy and the art of the possible, you could spend a lot of time spinning your wheels on mitigations that require a ton of effort but at the end of the day aren't worth the squeeze. So without further ado, let's talk about...

Privacy Nihilism vs. Privacy Purism vs. Privacy Harm Reduction, and Personal Responsibility

Privacy Nihilism: This presents as one of two things. The first and most common is, "I have nothing to hide." First of all, that is patently false - every human on earth has thoughts, words, or actions he or she would not want to become public knowledge. If those have been recorded on digital media there is a greater than zero chance they will be exposed. We all have something to hide.

The other way this presents is, "there's so much out there about me already OR the NSA/corporate surveillance apparatus/Russians can get anything they want...so what's the point?" Well, if the NSA is a credible threat actor within your threat model, I can't help you very much. I can help you a little, and I can help you a lot against everything else. Opting out of default collection is (relatively) easy; opting out of a targeted intelligence effort or law enforcement investigation against you is not. I'm happy to elaborate on this if there's a specific question about it (though obviously I can't reveal certain capabilities/TTPs, so please *don't* ask that one).

Privacy Purism: I've been down this road. I've rented apartments, registered cars, and turned on utilities in the names of anonymous LLCs. I've become a resident of a state I've spent exactly one night in, used expensive mail drop services...the list goes on and on. Unless privacy is your job and/or you have no need to earn a living, date/have a social life, leave your house, etc., this is a challenge for most people. I have too many other pursuits and skillsets that need to be developed and maintained to remain the "purist".

It is possible for the purist to be insanely private. However, even he cannot avoid leaving his home. He can't stop shopping. This means he can't stop being recorded on video, in association with his name when using an ATM, withdrawing money at the bank, etc. He can't stop his license plate from being recorded by automated license plate readers (ALPR) (most of which are owned by private corporations). The issue with Privacy Purism is it isn't sustainable unless you're independently wealthy and don't have to leave home and/or have no other responsibilities, and/or it is your only interest area. If it is your only interest area...dude, get out from behind the computer!

Privacy Harm Reduction: This is the strategy I take. Harm reduction means, in a nutshell, "do what you can. Every little bit helps." I liken it to quitting smoking - if you've smoked for 20 years, your lungs probably suck. If you quit today you're not going to be in perfect health tomorrow, but in 10 years you're going to be massively better off. If you tighten up some privacy and security problems now, they aren't going to turn into big problems later on.

The harm reduction strategy is sustainable. It doesn't require you "burn it down" tonight and start life as a new person tomorrow. A lot of people try this and get discouraged, and give up. Harm reduction involves mitigating privacy/security interventions into your life as they are necessary, or you have the time, money, and mental bandwidth. There are a few things I think everyone should do IMMEDIATELY (if not sooner), but most things can wait another month or two.

It's also possible to be very private and very secure in this category. I can go as far as I want, but at the same time accept the things that aren't worth it relative to my threat model and not be kept up at night worrying about them. This is a very sustainable model, and the one you should begin with. If you want to be a purist later and have the time and money - go for it! If you try to go all-in right now, you have a daunting task ahead of you and not many succeed.

Personal Responsibility: I think you do have personal responsibility for your own privacy and security. Believe me, NO ONE ELSE CARES ABOUT YOU. No one is coming to save you. When your accounts get hacked or your data gets spilled, what do you think your local police department is going to do? They're going to give you a report...to prove that you filed a police report. That's it. Good luck with that.

Your responsibility is to yourself and those within your financial care. It's funny - we'll spend hours debating red dots versus LPVOs for something that we will almost certainly never use in extremis, but completely cop out to something that will almost certainly happen to someone reading this. Take responsibility for yourself.

Responsibility also means you have to stop saying, "well, I hate Google having all my data, but what can you do?" There are things you can do. But like most things worth having they will cost you something. Google is - in my opinion - email welfare. I don't want free email; I'll pay for my products and services.

We also have a bigger responsibility to limit the information available to those in power (corporate powers or government powers). You may be a big fan of the current administration and not view your relationship with them as adversarial. But guess what? Yep - a new administration will eventually take this one's place. Do you want them to be able to subpoena Google for a list of devices that have ever been to a gun store or shooting range? I don't. But in light of the erosions against the First and Fourth Amendments in the last decade (yes, those protect all the others, too. Hell, the whole thing is important, and I'm not "pro-2A", I'm "pro-Constitution") we have to take it upon ourselves to limit that information. The national gun registry is here and the organization maintaining it isn't ATF or DHS - it's FAANG: Facebook, Amazon, Apple, Netflix, and Google.

If you'd like to hear more about the risks of government having access to all the data we hand to third parties, check out my interview on the SOFREP Radio podcast, episode 392.


JustinC (@justinc), Member, Subject Matter Expert, joined 2 months ago, 18 posts
01/07/2019 8:44 am

Ok, with some of the background out of the way, let's talk about Part I of the framework: Malware Resilience.

Malware Resilience

Malware is THE single biggest digital threat we face today. Not to insult anyone's intelligence, but "malware" is short for "malicious software," software that takes some action that is not in our best interest. When we go on the internet, regardless of what sites we go to, we are essentially walking around in the sketchy part of town, headphones in, eyes down...and unarmed. The problem is there's no graffiti, it's well-lit, everyone looks friendly, and all the stores are upscale. We're in the bad part of town and we don't even know it. That's the problem with the internet; even "good" or "safe" or "reputable" sites serve malware sometimes. Maybe they sold ad space and didn't vet the code that went into it, or maybe their site got hacked. The old adage to use "good browsing hygiene" is impossible because it's not possible for us to assess whether a site is "good" or "bad".

Malware is the mugger we'll never see coming, and we'll probably never realize our wallet is missing. That's the insidious thing about malware; its main goal is to remain undetected after it has "mugged" you. Getting malware on a modern machine can be difficult. The attacker who uses it has spent either a massive amount of time or money, or both, developing the exploit through which it installs. He wants to get a foothold on your machine and keep it. If you discover it (because it slows your machine down, or it makes a million porn pop-ups appear), you'll fix it, so it does its best to fly under the radar.

Once installed, malware might do any number of things. It may use your machine to mine cryptocurrency, process stolen credit cards, or turn it into a CAPTCHA-solving zombie. It might record your keystrokes and what happens on your screen for use in blackmail. It might encrypt all your stuff and extort you for a couple thousand bucks to get the decryption key. Your computer might be used in distributed denial of service attacks, to send email spam, or maybe just to hack your email/bank/social media accounts. It might even turn your machine into a child pornography server.

Someone reading this - maybe even me - is impacted by malware right now. Securing the system against malware is the critical first step to becoming somewhat secure. Fortunately, the techniques for doing this are pretty easy.

Step 1: Get Off Your Administrator Account

When you purchased your laptop (phones/tablets are a little different, we'll talk about those later) it came with a single account - the administrator. Your computer must have an admin account. The admin account allows the system administrator to make global changes to the computer - things like installing or removing software, making changes to the registry, etc.

Unfortunately, most of us log in to this account and begin using it as our personal account. When we use this account all the time, we're operating in a state (this state is technically called "escalated privilege") where changes like this are possible to anyone who wants to make them. Windows or Mac assumes, "hey, the admin is logged in, so these changes must be legit...so let's let them happen."

The administrator account is designed so that a company's system administrator can create discrete user accounts for the employees of the company so that only he can make global changes. The user accounts can use all the functions of the computer (browsers, word processors, etc.) but they can't make global changes. For personal use, you should think of yourself as your household/family's system administrator WHEN NEEDED...but you should think of yourself as a user most of the time.

This means you need to set up a Standard User Account for yourself and work out of it. This should be the very first step when you purchase a new computer. If you already have a computer and you've been working out of it for a while you might not want to do this because all your files are where you want them, etc. In that case you can make a new administrator account and "demote" your current one to standard user.

It's a bit dated, but I wrote step-by-step instructions for this on my security blog a couple years ago (link removed).

Step 2: Update, update, update!!!!

Updates are important. There are more lines of code in Microsoft Word than were used in the entire first mission to the moon. Naturally, in this much code there are bound to be mistakes which potentially equal vulnerabilities. We want updates the instant they are available, not only because they correct the vulnerability, but also because the existence of an update advertises the problem to malware developers. Though it is slightly inconvenient, GET YOUR UPDATES IMMEDIATELY!!!

  1. Update Your Operating System. This one is actually pretty easy. Unless you've messed with it, your operating system (Windows or Mac) is set to update itself automatically. Let it happen, and when it tells you it needs to shut down to apply updates, DO IT. Don't screw around, forget about it, then spend the next two weeks running out-of-date software.
  2. Update your Applications. This one is harder. Unless all your apps come from your OS developer's app store (be it Apple, Google Play, or Windows) you aren't automatically going to be notified when an update is available. So, there are some sub-steps under this one. These are borrowed (and paraphrased) from Brian Krebs and known as "Krebs' Three Basic Rules of Internet Safety" (link removed).
    1. If you didn't go looking for it, don't install it. This one is kind of self-explanatory.
    2. If you installed it, UPDATE IT. Most of us don't think twice about installing a program on our computer. We should though; we are giving it extraordinary access and placement to our system, and to our personal data. If we install it, we accept responsibility for taking care of it, i.e. managing its permissions and privacy settings, and keeping it updated. The problem with this one is that it's hard to know when an update is available. At best you'll be alerted when you open the app that a new version is available. When you see this message, DON'T DELAY - INSTALL THE UPDATE!
    3. If you no longer need it, GET RID OF IT. This is by far the most important one. All those programs and apps you've installed that you don't use are attack surface. They're out of date. Even if they're up-to-date, they're not perfect and have vulnerabilities. Conduct an audit of your applications and get rid of everything you don't need. If it turns out you needed it, guess what? You can reinstall it. But if you haven't used it in the last 30 days, there's a good chance you won't ever use it again.

Step 3: Antivirus

This is usually what people think of when they think of computer security. For me this is important, but is a last line of defense. My first lines of defense are created by not operating in a state of escalated privilege (an administrator account) and having everything updated. I'm already making an attacker make a decision about me, to wit, "do I risk burning this little-known or zero-day exploit on this guy?"

Still, I would recommend having a reputable, high-quality antivirus. It does work. It works through two mechanisms. First it has a definitions file which is essentially a "naughty list" of code that it will not allow to execute on your machine. The problem there is exploits that are not currently known cannot, by definition, be on this list. The fix is to also monitor activity heuristics. If a weird process that is potentially malicious is observed, your antivirus should put a stop to it. Lastly, a lot of malware will conduct a recce of your system before attempting to install. If it notices no antivirus, it's tantamount to a burglar noticing you don't have an alarm system - you move up his flow chart of possible targets.

None of these techniques are "high speed," but if everyone did these three things we'd live in a massively safer digital environment. Malware would be way harder to deploy on a broad scale and would be far less lucrative. Start with these three steps. I'll be back later with more.


Matt (@matt), Practitioner, Admin, joined 1 year ago, 203 posts
01/07/2019 8:25 pm

@justinc This post got caught up in the moderation queue because of the links (the site doesn't allow users to post links until they reach a certain post threshold, it's an anti-spam measure). You can email or PM them to me and I'll insert them for you.

"Man is still the first weapon of war" - Field Marshal Montgomery


Nick_ (@nick_), Member, Community Founder, joined 3 months ago, 18 posts
01/07/2019 11:46 pm

Thanks Justinc, I am learning a lot! Keep sending the information!

“While people laugh at me because I’m different, I laugh at them because they’re all the same.”


JustinC (@justinc), Member, Subject Matter Expert, joined 2 months ago, 18 posts
02/07/2019 9:25 am

I should have mentioned this earlier, but if there are specific questions about anything I have presented here please don't hesitate to ask. I am more than happy to help to the best of my ability!

In my last post I talked about Step 1 in my Security Framework. The steps there are all designed to minimize the chances of contracting malware. There are other steps, more advanced that can be taken, and maybe I'll cover those in the future. They get much more technically demanding and time-consuming to implement. However, @xsquidgator asked how the average person gets some bang for their buck. The steps listed yesterday are good examples of very high "flash to bang" steps. They take minimal effort to enable, require minimal effort and interaction on a daily basis, but provide a significant upgrade in most people's security. Every human should do those three steps.

Now I'm going to go out of order and talk about Step 4 of the framework: Protecting Cloud Stored Data. My framework is ordered to apply to the operational context of most of my government clients. For our purposes here, protecting cloud-stored data is probably the next most important item. For the average citizen this is a massive concern. Everything is cloud-connected. Our online accounts exist in enemy territory. They can be "touched" by anyone who wants to take a crack at logging into them.

Protecting Cloud Stored Data

In one of his early posts on this thread, @matt mentioned that a lot of information is already "out there" (my quotes and verbiage, not his) because of his security clearances, paying for the site, etc. And that's true - that information does exist online. But that doesn't mean we shouldn't care about it. Because it exists somewhere doesn't mean it is available everywhere and to everyone. We should take personal responsibility and ownership for it and protect it to the fullest extent possible. We're all already doing this to some point whether we realize it or not.

Back to @matt as an example (sorry, Matt). Yes, you've given OPM* your social security number, DOB, and mother's maiden name, but you probably aren't posting that information on your Facebook page. You might've given GoDaddy your credit card number, its expiration and CVV, but that information probably isn't in a meme you posted on Instagram. Subconsciously we recognize that just because information exists about us, it isn't and shouldn't be available to everyone, everywhere.

The purpose of these next few steps is to make that information as difficult as possible to access.

Step One: Limit the Scope of Information 'In the Wild'. Once again we're going to focus on behavior rather than tools. Whether we realize it or not, we have a massive ability to control information that is "out there" about us. There are a few steps we need to take to do that.

  1. Delete unnecessary information in your accounts. Still have that Flickr account that you don't use anymore? You should probably delete those photos (you really should; Flickr is now owned by Verizon). Still have that old Yahoo! email account you used in high school? You REALLY need to delete the information in that account. "But, Justin, why? I haven't used that account in years!" I'm glad you asked. If you're my age (late 30s/early 40s) that Yahoo! account probably contains old Amazon orders. It probably contains appointment information, flight itineraries, information about your vehicles, your bills, etc. It also probably contains emails to and from old boyfriends. Though it doesn't feel like it, that information is really, really important - not to you, but to a bad guy. If I wanted to conduct a social engineering attack against you, all of that information would be incredibly useful. I could craft an email to you as your college girlfriend (I admit, even I would probably fall for that one). I could craft any number of emails that almost anyone would either respond to, or be compelled to click a link in. My advice: CLEAN HOUSE! Delete all those old emails from the accounts you no longer use. That information can now pretty much ONLY be used for a purpose that is not in your best interest. This goes for current accounts, too - don't leave more information in them than you absolutely need to.
  2. Delete Old/Unused Accounts. After your content is deleted, there's no reason not to delete your old/unused accounts. If they don't exist, they can't be hacked. Though they might not represent a huge threat to you, they can be used to trick your friends and family. If you cannot delete the account, delete all the content it contains (or change that content to purposely misleading information) and lock it down to the fullest extent possible by following the remaining steps in this post.
  3. Think Carefully Before Creating New Accounts. Read (OK, at least skim) the privacy policy. Do you need to provide true and accurate information? Is this really a service you even need? Do you need iCloud, or can you get by backing up your phone to your laptop? Again, much of that information may already be with OPM or GoDaddy or Facebook...but that doesn't mean you need to give it to ten other services. If you can avoid it, just don't create/use the account in the first place.

Keeping minimal information online is our best bet at preventing hacking. We still need email, online banking, etc. Since we can't minimize everything down to zero, we need a strategy to protect those accounts that are still out there. Now we get into the fun stuff...

Just kidding. Now we get to talk about everyone's favorite: PASSWORDS (and other authentication measures).

Step One: Use Good, Strong Passwords. Here's the bad news: all of the passwords you currently use suck. If you know them in your head and type them with your fingers, they suck. Period. They are difficult for you to remember and type, but trivially easy for a computer to break. Here are the three criteria to making strong passwords:

  1. Length: This is absolutely the most important factor. Having special characters and numbers is important, but it pales in comparison to having a long password. Here's why: if you follow my other two rules (below) you'll automatically be opted out of the most common ways passwords are broken (simple guessing and dictionary** attacks). This means an attacker looking to get access to your account must resort to a brute force attack (attempting to test every possible combination of characters out to x-length). Every single character you add in length makes the problem of brute force take exponentially longer. My recommendation generally is attempt to make all passwords 30 characters or longer. Yes, I know that is a lot, but I will recommend some tools to help with that.
  2. Complexity: Although less important than length, complexity is still important. This means using at least one character from each of the following groups: uppercase letters, lowercase letters, numbers, and special characters (!@#$%^&*()_+, etc.). You don't have to go nuts here; you just need at least ONE of each. This forces an attacker to add all of those ingredients to his formula when conducting brute force. Again, this has an exponential impact on the time it would take to find YOUR password.
  3. Unpredictability. Humans are predictable. We reuse the same passwords over and over, or modify them only slightly. We make passwords in predictable ways (i.e. adding a number to the end of a simple word, or replacing a letter with a special character as in, "p@ssword"). Predictability drives dictionary attacks (definition in footnotes below). If you are making a password up in your head, even if you have never used it before, it is almost certainly predictable.

There is one other factor when it comes to passwords: you should use a different one on every. Single. Account. Period. No "ifs," "ands," or "buts." I know at this point you're asking, "how am I supposed to remember a different, 30-character password that I didn't make up in my head...for every single account?"

Step One Point One: Use a Password Manager. A password manager is nothing more than a simple application or utility that remembers all your passwords securely. They have a number of benefits: they take up minimal space, use minimal resources, are optimized for ease of use, and they help you do what computers are good at: remembering stuff.

There is an adage that goes something like, "security and convenience are inversely proportional." This is usually true, but not in the case of password managers. They make your life easier. You never have to try and remember which password you used on that site you rarely visit. You never have to make up a password for a new site. Password managers do all this stuff for us. Even my girlfriend (who is not a tech geek, nor terribly interested in security or privacy) LOVES her password manager.

My two specific recommendations are:

  1. KeePassXC. The document posted in the first post in this thread recommends KeePass. I recommend KeePassXC (Google it) as the most secure password manager. It is updated much more frequently and has massively better options than legacy KeePass. Here's how it works: the application creates a database on your computer. You assign a master password to that database (one of the very few passwords I actually know is the one to my KeePassXC database). Next, you create entries for your accounts that contain at a minimum the username, password, and URL, and there are other fields if you want to use them. When you close the database it is encrypted (AES-256, we'll talk about that later) and stored locally on your device. You can create copies of this database to place on other devices or to store as backups. There are benefits and downsides to this system.
    • Benefits: First, KeePassXC is completely free and open-source. It is more secure than the next system I will discuss. Your data doesn't get transmitted to the "cloud". It exists only on the machines you put it on. You have ultimate control, and the best possible security story.
    • Downsides: You have no version control. Let's say you make a database and put it on your laptop and your wife's computer. As long as you both know the password and have the application, both of you can open the database. So far, so good. But let's say your wife logs into your bank account and it tells her it's time to change the password. She changes it in *her* copy of the database. Guess what? Your version of the database doesn't get updated - that's the first problem. The second problem is that these databases only exist locally. If you only have the database on devices stored in your home and your house burns down...yeah, you can see where this is going.
  2. LastPass. LastPass works differently; it is cloud-hosted. You first sign up for a subscription and download their browser add-on (desktop) or app (mobile). Much of the setup is similar in function to what I described for KeePassXC - create entries, add your accounts, etc. Everything gets encrypted locally, on your device, then transmitted to LastPass's servers. This has a ton of benefits:
    • Benefits: You have excellent version control; if anyone on your account (I wouldn't share with too many people, but sharing within your family might be desirable) changes anything, the master database is updated and everyone's instance of LastPass reflects the change. You have insane flexibility of function; you can create specific vaults (for instance, a vault with work passwords that you access from your work computer, or a vault for your kids that contains only items they are allowed to log into). LastPass even has an emergency option that lets you setup a designated recipient of your passwords in the event of your death (you are not required to use this option if you don't want to). LastPass is also very secure and has an excellent reputation.
    • Downsides: though very secure, LastPass isn't quite as secure as KeePassXC. Your data is still transmitted across the internet (albeit in an encrypted state) and your account is accessible through the internet. To get access to premium features and access LastPass from multiple devices you also have to pay for it (~$3/mo).

If there's one big takeaway from this long post, it is: use a password manager, and begin changing your passwords. However, DON'T RUSH IN and try to change everything!!! Get the password manager and put a trial password in it (one you know, in case you screw something up). Get familiar with the functions and cycle of operations. Get really comfortable before you start changing your passwords to long, complex, pseudorandomly generated junk. Take it nice and slow.

I know this one has run long, but I have one more step:

Two-Factor Authentication

Two-Factor Authentication (2FA for short from here on out) is a system that requires two "factors" to log in to a system. The first is a knowledge-based factor: your password. The second should be a different factor, like a one-time code you retrieve from your phone.

2FA makes you massively more secure than a password alone. Let's say you are using amazing passwords from your KeePassXC database. That's great, but the service could still spill their database of passwords somehow - you have no control over that. But even armed with the correct username AND password, an attacker would still need that "other" factor to be able to log in to your account. Another example: you use a public computer/work computer/malicious Wi-Fi network where your information is captured. Well, it's not great that they got your password, but without access to that other factor, it still won't do them any good.

There are several ways 2FA works. I'm only going to talk about the two most common:

  • SMS. All of you are probably familiar with this one. You login, then you get a text message with a six-digit code. Here's the deal: that is way better than nothing, but it's not ideal. There are a million ways that text can be intercepted (in fact, NIST [the National Institute of Standards and Technology] "deprecated" SMS two-factor all the way back in October of 2016). Also, if you ever travel and don't have cell service, you simply aren't going to receive that SMS. However, if you have an account and the ONLY two-factor option available is SMS, IT'S WAY BETTER THAN NOTHING!!! Use it!
  • Software Token. This is a massive security upgrade over SMS, and the technique I use for most things. Software tokens are widely used; off the top of my head Amazon, Dropbox, Evernote, Google, LastPass, SquareSpace, WordPress...and about a million more sites allow software tokens. Using it requires a smartphone and an app. The app I use and recommend is called "Authy". It is available in the App and Google Play stores. Here's how it works (consult the website you are enabling 2FA on for specific instructions): Install the application. Login to your account and find the security settings. Select "enable 2FA" (or similar) and choose verbiage that looks like "authenticator app" or "Google authenticator". You will then open your app and scan a QR code. The QR code transmits a token to your device. In the future when you login to that account you enter your username and password, then consult the app for a six-digit 2FA code (the code changes every 30 seconds).

Hopefully this wasn't too overwhelming!


JustinC
(@justinc)
Member Subject Matter Expert
255 Brass
Rank:
Joined: 2 months ago
Posts: 18
03/07/2019 8:20 am  

I notice that somehow I managed to delete yesterday's footnotes, so here they are:

*OK, so let's talk about the OPM hack. Really this is applicable to any hack or breach or spill, but let's just use OPM as an easy example. Sure, your stuff has been hacked by them, and that sucks. But that doesn't mean your SF86, fingerprint card, etc., etc., is for sale on the open market. That means a state actor has it. Fortunately, they are probably protecting it better than USG is protecting it even now. That data is a massive intelligence haul for whatever entity got it; they aren't going to sell it to low-lives who want to commit employment insurance fraud in your name, and certainly aren't going to give it away. So yes, OPM got hacked, but think about what that actually means before submitting to Privacy Nihilism.

Actually, the fact that OPM got hacked means you probably need more security, not less. A state actor committed that hack for intelligence value. You're now much more likely to be elicited...or further exploited digitally if you are assessed to be of some intelligence value.

**A dictionary attack uses a pre-defined list of words that an attacker will test in an attempt to find your password. There are a number of ways an attacker might choose a dictionary.

  • The least focused way an attacker might get a dictionary is by downloading a really generic one. These have a high probability of success in cases where "any account will do," i.e. the attacker wants to get into any email account to harvest its contact list to serve email spam. With a list of the 1,000,000 most common passwords (compiled from the results of previous password breaches) an attacker will get into someone's account with this method.
  • There are also regional, language, and cultural-specific dictionaries. These are slightly more focused, and probably have a slightly better chance of success against a specific individual.
  • If someone is attempting to gain access to your account specifically, he or she will almost certainly craft a custom dictionary. There are applications (search "Common User Passwords Profiler") that allow you to quickly and easily build a custom dictionary against anyone. You simply open the application and fill in as many fields about the person as you know. Names (their name, the names of their spouse, children, parents, etc.), significant dates, phone numbers, etc. The application will generate a list of millions of possible passwords that are designed around that individual's personal information and heuristics of how humans make passwords. For example, the most common way to obfuscate a password is to add a number (or numbers) to the end of a simple, dictionary word. If I know that, and that your name is "Chris" and that your birthday is in June, I would certainly try combinations like "chris6", "chris06", etc. Though this seems really, really simplistic, it's not when millions of combinations are produced and can be tested. Humans are terribly predictable.

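The arithmetic behind the three password rules in the previous post (length, complexity, unpredictability) and the targeted-dictionary attack in the footnote above, as an added example that is not code from either post. `keyspace` and `brute_force_years` show why one extra character does more than one extra character class; `targeted_wordlist` is a deliberately small stand-in for a profiler like Common User Passwords Profiler (it is not that tool's code) built from the footnote's own "Chris, born in June" hypothetical; `dictionary_attack` runs that list against a constructed SHA-256 hash to show how few guesses a predictable password survives. The 1e11 guesses-per-second rate is an assumed figure for an offline attack on a fast, unsalted hash.

```python
"""Keyspace arithmetic for the three password rules, plus a CUPP-style targeted
wordlist of the kind the footnote describes.

Added example, not code from the post. The 'Chris / June' profile is the
footnote's own hypothetical; the guess rate is an assumption; the profiler is a
minimal stand-in, not the real Common User Passwords Profiler.
"""
import hashlib
import itertools

GUESSES_PER_SECOND = 1e11          # assumed: offline attack, fast unsalted hash, one GPU rig
SECONDS_PER_YEAR = 365 * 24 * 3600

CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALL_CLASSES = ("lower", "upper", "digit", "special")


def keyspace(length: int, classes=("lower",)) -> int:
    """Candidates a brute-force search must cover: alphabet ** length."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def brute_force_years(length: int, classes=("lower",), rate=GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace. Each extra character multiplies
    the work by the alphabet size; each extra class only adds to the alphabet."""
    return keyspace(length, classes) / rate / SECONDS_PER_YEAR


def targeted_wordlist(name: str, birth_month: int = None, birth_year: int = None,
                      years=range(1960, 2025)) -> set:
    """Profile-driven candidates: case variants, leet swaps, appended numbers and
    dates, optional trailing special. Mirrors how people 'complicate' a word."""
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    bases = {name.lower(), name.capitalize(), name.upper()}
    bases |= {b.translate(leet) for b in list(bases)}
    suffixes = [""] + [str(n) for n in range(100)] + [f"{n:02d}" for n in range(1, 10)]
    if birth_month:
        suffixes += [str(birth_month), f"{birth_month:02d}"]
    if birth_year:
        suffixes += [str(birth_year), str(birth_year)[-2:]]
    suffixes += [str(y) for y in years] + [str(y)[-2:] for y in years]
    specials = ["", "!", "#", "."]
    return {f"{b}{s}{sp}" for b, s, sp in itertools.product(bases, suffixes, specials)}


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, candidates):
    """Try each candidate against a leaked hash; return the match or None.
    Real tooling does the same against slow, salted hashes far faster than this loop."""
    for word in candidates:
        if sha256_hex(word) == target_hash:
            return word
    return None


if __name__ == "__main__":
    for n in (8, 12, 16, 30):
        print(f"{n:2d} chars, lowercase only : {brute_force_years(n):.3g} years")
        print(f"{n:2d} chars, all 4 classes  : {brute_force_years(n, ALL_CLASSES):.3g} years")
    wl = targeted_wordlist("Chris", birth_month=6, birth_year=1985)
    print(f"targeted list: {len(wl)} candidates vs {keyspace(8, ALL_CLASSES):.3g} for 8-char brute force")
    leaked = sha256_hex("Chris06!")        # constructed 'leaked' hash for the demo
    print("recovered:", dictionary_attack(leaked, sorted(wl)))
```

Note what the numbers say: twelve lowercase letters already out-cost eight characters drawn from all four classes, which is the post's "length first" rule in figures, while the whole targeted list for one person is a few thousand entries, so a password built from your own life is cracked in well under a second regardless of which symbols you swapped in.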
JustinC
(@justinc)
Member Subject Matter Expert
255 Brass
Rank:
Joined: 2 months ago
Posts: 18
03/07/2019 10:01 am  

Today we're going to talk about protecting data-at-rest. Before we dive into tools, techniques, and procedures, I want to give you a meaningful way to conceptualize this. There are two ways that the community thinks about this that are FLAT OUT WRONG. The first is an over-reliance on encryption. The second is imagining that attacks on data-at-rest are the biggest threat we face. They're not, and I think these next couple of paragraphs will help explain why.

There are essentially two ways an attacker can get the data that is stored on your hard drive (i.e. your tax documents, your selfies, those embarrassing dick pics, and whatever else). First, the attacker can get malware on your system. Malware can access these files and, if necessary, upload them off your machine. At this point we have protected our systems from malware to a reasonable degree by upgrading (actually, downgrading) to a standard user account rather than an Administrator account, by ensuring our system and all apps are updated, and by using antivirus. We haven't done anything sexy, but honestly, we're easily in the top 95th percentile of home users, security-wise. If you haven't completed those steps, you should seriously consider it before moving on to this next portion.

The other way an attacker can access our stuff is by physically accessing our equipment. There he or she can use forensic tools to execute a keyboard (logical) attack on our device. This type of attack uses software to copy your hard drive, then attempts to assemble files from the "1"s and "0"s found on it. So...ask yourself what is more likely. Is it more likely that someone is going to sit down at your computer and attack it directly, or that you are going to contract malware from the internet? The vast majority of us never take our computers outside our homes. This doesn't mean they can't be stolen in a burglary (more on that in a moment), but that risk pales in comparison to the risk of operating in an adversarial digital environment (the Internet) every single day.

Don't get me wrong; I think encrypting your data is important. For most of us, though, it's just not as important as protecting it from malware. Without further ado, let's get back into the Framework with Step 2:

Protecting Data-at-Rest

I mentioned earlier that encryption is the first thing you'll read about on security blogs when it comes to protecting data-at-rest. Screw that - I don't want to rely on software to protect me if I don't have to. Software is vulnerable to other software. For me, encryption of data-at-rest is LAST RESORT SECURITY. For me (and probably for you) the first line of defense should be physical security.

Caveat: If you are a SOF operator or intelligence operative you may spend significant time with your computer transiting to and from and through dangerous places. In this instance encryption becomes extremely important because you are forced to relinquish some physical security.

Physical Security

I'm going to try to rein myself in here - I could talk about physical security all day. My "lock pick kit" weighs about seventy pounds, and is a four-drawer toolbox (and ironically, has fewer actual lock picks than most lock pick sets on the market)(see? I'm already side-tracking!). I co-wrote a full, 300-page book on physical security, so I'll just hit a few high points here:

  1. Get decent locks on your home. You don't need to spend $450 per deadbolt at Security Snobs to have decent locks. Go to your local locksmith and ask for a 6-pin, Grade II lock with a good key bitting (he'll know what it means). It probably won't cost much more than $75 per lock, but it'll be ten times better than that worn out Kwikset (or Kwikset knockoff) that's on your door now. If you actually talk to your locksmith and tell him you're looking for a security upgrade but are on a budget, he might be willing to retrofit those $75 Grade II locks with some used high-security (Abloy, ASSA, Medeco, Mul-T-Lock, etc.) cores for a minimal charge.
  2. Use your locks. You also have to USE THEM. Lock your doors, don't hide your key outside, and don't give keys out to people you don't really trust (unless they are from high-security locks, they are really easily copied). Side note: don't post photos of your keys on the internet. The information available in even a poor photo of a key is usually enough to make a working copy of that key.
  3. Use light to your advantage. Leave your porch lights on. Get some motion lights (the RAB Stealth is expensive, but the absolute best motion light on the market). Get some lamp timers to keep the lights on when you aren't home.
  4. Don't leave your laptop in hotel rooms. There are about a million ways to get into hotel rooms, from $30,000 boxes that decode keys to socially engineering the housekeeping staff, to a $40 under-the-door tool.
  5. Don't take your laptop if traveling to high-risk areas. If you can avoid it, leave your laptop at home where you have good locks, lights, an alarm, etc. Don't take your laptop to other countries.

Encryption

OK, so we've established that physical security can't protect us from everything. If our house is broken into, we get mugged, have an auto accident while our laptop is in the car, get arrested, etc, etc, we may lose physical control of the device. At that point we are left relying on software to protect us.

We want to choose the best software possible. The only encryption algorithm we should consider is called AES (Advanced Encryption Standard). AES was selected by NIST (remember them? I mentioned them in the previous post in the discussion of two-factor authentication), as the result of a contest. That's right - a USG agency ran a contest that was open to anyone on earth to select the encryption algorithm we use to protect classified information. The contest was won by two Belgian cryptographers. That should tell you something about good encryption: even if you intimately understand how it works, you can't take encrypted cipher-text and reverse-engineer it back to plain text. That's the type of encryption we want protecting our stuff. Never settle for anything other than AES. If you're looking at an encryption product and it is touting "proprietary encryption" or "military grade" without those three letters, keep looking.

Encryption Implementation

There are three basic ways we can use encryption. They each have advantages and disadvantages.

Full Disk Encryption (FDE): This is the best option for most people. Full disk encryption protects your entire hard drive. That means your operating system, your files, your applications, and even your unused space. Not only is it the most secure option, it's also usually the easiest to work with. You log in as you normally would; a decryption key is stored in memory as long as the computer is booted up, and your files are cryptographically accessible. In a nutshell: you don't notice anything different at all, but if I try to attack your computer, everything is protected. The tools for this are:

  • FileVault II for macOS: This FDE application (more technically "full volume" encryption for you nerds) is included with every single Mac sold. All you have to do is open your System Preferences, navigate to "Security & Privacy" and turn FileVault on. You will be required to record a long alphanumeric key (write it down or save it on another drive) that you can use to recover your files if you lose or forget your password. After that FileVault will begin encrypting your disk - too easy. Some of you Mac users already have this awesome protection turned on and don't even know it.
  • LUKS for Linux: The Linux Unified Key Setup (LUKS) is included on every single Linux distribution (that I am aware of). Again, built-in encryption that was built by, with, and for the operating system it runs on.
  • Ugh...BitLocker for Windows: Here's the deal: the Privacy Purists hate Bitlocker (and FileVault) because they aren't fully free and open source. I think for most of our threat models, that really doesn't matter all that much. Bitlocker (and FileVault) are both awesome because they provide strong security, and work seamlessly with the operating systems they are designed for. So why the big "Ugh"? Well, Windows doesn't think home users deserve protection, so Bitlocker is only included with top-tiered versions of Windows. That means if you have Windows Home and want Bitlocker, you'll need to spend $99 to upgrade to Windows 10 Pro. I think I've only ever talked two people into making that upgrade: myself, and a SEAL who was one of my really motivated students. I think this is a really classless move by Windows; it would cost them nothing to include Bitlocker in every single copy of Windows...yet they don't.
  • VeraCrypt for Windows: Veracrypt was mentioned in the original article that @xsquidgator provided. VeraCrypt is great software, but using it for FDE on Windows can be challenging. I'm not saying it's impossible. It's not, it just requires a bit more know-how and time. I haven't mentioned this yet because it hasn't been relevant yet, but using a third-party application also elevates your profile. If you are a SOF operator and customs decides to look at your computer it's going to be obvious that you've gone out and found a third-party encryption software and taken the time to implement it. This makes you a little more interesting than the dude who just turned on FileVault. That's probably not a concern for most of us but if it applies...think about it.

Volume Level Encryption

This form of encryption involves making a container that you put specific files into. VeraCrypt is the preferred tool for this task. If you download VeraCrypt (it is available for Windows, Mac, and Linux) and click "Help" you can open the VeraCrypt User's Guide that will walk you through all of the functions of the application. I'm not going to duplicate that effort here, though I will tell you how I use VeraCrypt. And of course, if you have questions please ask.

I have one huge volume (~250 GB) that gets mounted as soon as I boot my computer. This volume contains all my files. Everything goes in there. Why? I view it much like I view my gun safe. My home is secure, but I also want a more secure place. If my home is broken into (or I have guests over, or whatever) I still have a place for those special items.

When you mount (or open) your VeraCrypt container, you only have to provide your password once. You don't have to individually unlock every single file you want to access. This is true as long as the container remains mounted. When you dismount the container, or shut down your computer, everything is once again cryptographically inaccessible and secure. You may want to consider using VeraCrypt as a redundancy for your full disk encryption (as I do) or as your primary encryption if - for some reason - you absolutely cannot use FDE.

File Level Encryption

This is the third major encryption implementation. This is the one I use the least, but it does serve a valuable purpose. File Level Encryption means encrypting individual files. There are tons and tons of applications that do this. Some do it by default, like Microsoft Word/PowerPoint/Excel (using AES-128). If you have a Mac you can export encrypted PDFs using Preview (if you're a Windows user you'll need to spring for Adobe Acrobat Pro to encrypt PDFs). There are also a ton of third-party programs like 7-Zip, Encrypto, etc. that will encrypt single files.

My use-case for these is typically emailing a document to a non- or low-skilled user. My accountant is an excellent example. She is a great accountant, but not a great security person, so I can't get her to setup VeraCrypt. But I can send her an encrypted PDF. When she opens it, it prompts her for a password which I can give to her over the phone.

I hope this post has given you some tools to protect your data. Most importantly, I hope I've helped you think about encryption and physical security. If anyone has any questions, please don't hesitate to ask!


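A check to go with the full disk encryption section of the post above: the post says turning on FileVault or LUKS is "too easy", but the failure mode worth catching is a root filesystem that is not actually on the encrypted layer (an installer option skipped, or a VeraCrypt container mounted while the OS volume itself is plain). This is an added example, not code from JustinC's post or from any of the tools named in it. On Linux it parses the JSON that `lsblk -J -o NAME,FSTYPE,MOUNTPOINT` prints and looks for a `crypto_LUKS` layer anywhere beneath the mount point; on macOS it reads `fdesetup status`. The two `lsblk` samples are constructed to show an encrypted and an unencrypted root; `mount_is_encrypted`, `filevault_on` and `check_this_machine` are helper names chosen here.

```python
"""Is the mounted filesystem really sitting on an encrypted container?

Added example, not code from the original post. Walks `lsblk -J` output for a
crypto_LUKS layer above a mount point (Linux) or reads `fdesetup status` (macOS).
The two lsblk samples below are constructed, not captured from a real machine.
"""
import json
import subprocess
import sys

# Constructed: root on ext4 inside a LUKS container on sda3; /boot left plain (the usual layout).
SAMPLE_LSBLK_ENCRYPTED = json.dumps({"blockdevices": [
    {"name": "sda", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda3", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "luks-root", "fstype": "ext4", "mountpoint": "/"}]}]}]})

# Constructed: root directly on a plain partition, no encryption layer at all.
SAMPLE_LSBLK_PLAIN = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "fstype": "ext4", "mountpoint": "/"}]}]})


def _device_chain(devices, mountpoint, ancestors=()):
    """Depth-first search; returns the chain of devices from the disk down to the mount."""
    for dev in devices:
        chain = ancestors + (dev,)
        # newer lsblk emits a "mountpoints" list, older versions a single "mountpoint"
        mounts = dev.get("mountpoints") or [dev.get("mountpoint")]
        if mountpoint in mounts:
            return chain
        hit = _device_chain(dev.get("children", []), mountpoint, chain)
        if hit:
            return hit
    return None


def mount_is_encrypted(lsblk_json: str, mountpoint: str = "/") -> bool:
    """True if any block layer beneath `mountpoint` is a LUKS container."""
    chain = _device_chain(json.loads(lsblk_json)["blockdevices"], mountpoint)
    if chain is None:
        raise ValueError(f"{mountpoint} not present in lsblk output")
    return any(dev.get("fstype") == "crypto_LUKS" for dev in chain)


def filevault_on(fdesetup_output: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.' as its first line."""
    return fdesetup_output.strip().splitlines()[0].strip() == "FileVault is On."


def check_this_machine() -> bool:
    """Run the platform's own tool and report whether the root filesystem is encrypted."""
    if sys.platform.startswith("linux"):
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,FSTYPE,MOUNTPOINT"],
                             check=True, capture_output=True, text=True).stdout
        return mount_is_encrypted(out, "/")
    if sys.platform == "darwin":
        out = subprocess.run(["fdesetup", "status"],
                             check=True, capture_output=True, text=True).stdout
        return filevault_on(out)
    raise NotImplementedError("on Windows, run `manage-bde -status` in an elevated prompt")


if __name__ == "__main__":
    print("root filesystem encrypted:", check_this_machine())
```

Two caveats a practitioner should keep in mind when reading the result: a plain `/boot` (as in the encrypted sample) is the normal LUKS layout and is not a finding by itself, but it does mean the kernel and initramfs are not covered and an attacker with physical access could tamper with them; and a `True` here only says the layer exists, not that the passphrase protecting it is any good, which is the previous post's password advice all over again.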
xsquidgator
(@xsquidgator)
Member Member
1193 Brass
Challenges:
Rank:
Joined: 2 months ago
Posts: 35
04/07/2019 8:40 am  

@JustinC- thanks very much for writing and posting this!  This is great information and well-explained, as well as being broken into achievable steps.

I am back on the computer after a few days at work but am looking forward today to re-reading this and starting to do some of the things.

It hadn't occurred to me to encrypt everything on my disk but yeah, that's obvious in retrospect.  Use a non-administrator account, ditto. 
Great stuff - I think this is very helpful!


JustinC
(@justinc)
Member Subject Matter Expert
255 Brass
Rank:
Joined: 2 months ago
Posts: 18
04/07/2019 9:25 am  

@xsquidgator

Thanks for letting me know what you think! I hope I didn't hijack this thing - I just really, really enjoy writing about this stuff. Glad you're finding it helpful and again, if I can answer any specific questions, let me know!


xsquidgator
(@xsquidgator)
Member Member
1193 Brass
Challenges:
Rank:
Joined: 2 months ago
Posts: 35
14/07/2019 10:30 pm  

@JustinC, I've still got a lot of digesting to do of what you've put up here, but I've made progress on accomplishing some of your recommendations.  Haven't encrypted my whole hard drive but I have encrypted my own root level folder that had all my stuff in it (200+ GB).  Will keep re-reading what you put up and moving towards some other things.  Thanks again for sharing your expertise!



COPYRIGHT © The Everyday Marksman