Archive for December, 2010
I recently helped a friend of a friend create a new email process for himself. He’s a journalist and wanted a little more protection than is usual. He’s been noticed by governments, corporations and others, and has had some problems with his email being stolen in the past. He’s had a laptop stolen and some of his email appearing in print.
His situation is far from typical, but it was an interesting thought experiment to see how “secure” one could be, if paranoid enough and accepting of enough cost and inconvenience.
We looked at several threats against his email and personal and professional files, and came up with some easy changes that could cut his risk significantly.
One of his suspicions was that at some point his US-based ISP had been forced to turn over some of his email. For that reason, I recommended that he find an “off shore” email provider. I recommended going to a provider in the EU, as they have much better privacy laws, and a history of telling other nations to buzz off. Sadly, the UK isn’t a good option, as between the “special relationship” and the Official Secrets Act, even their own citizens aren’t well protected. Their ongoing debate about their national identity cards shows a certain bias for the government at the expense of their citizens, although this may be settled, at least for now. I think the Netherlands, Germany or Switzerland would be good email homes, as there seem to be numerous options for hosted email in those countries, and the few that I checked into all offer SSL-protected web mail.
Next, we talked about installing Pretty Good Privacy (PGP) to protect his email in transit. PGP has been acquired (and re-acquired) since the days of Phil Karn, but they still have a solid reputation. If you are a geek, then you can get and install the open source GnuPG (GNU Privacy Guard). Commercial PGP offers good email encryption, good file encryption and even hard drive Whole Disk Encryption (WDE).
Another part of his “threat model” is theft of his laptop to get his files. While encrypting hard drives are becoming more available, there may or may not be OS level support. Check out offerings from Seagate and Hitachi as well as some laptops from Dell and IBM which include encrypting hard drives.
If you don’t select a hardware drive encryption solution, you can use PGP or TrueCrypt. If you just want the data encrypted and you don’t care if someone might know that you have encrypted data, then PGP. If you are concerned about someone knowing that you have secrets, then TrueCrypt. Since TrueCrypt can make invisible (or at least hard to detect) partitions, that’s an additional level of assurance.
As an international traveler, your laptop is subject to search at any border, including the US ports of entry. France and China have also been mentioned as countries with some level of laptop threat at their borders. There are a few ways to get your data through the entries, although some may raise red flags.
First, you can just encrypt some files, or even the entire hard disk with PGP. This may raise questions, and in some jurisdictions (UK, maybe US), the authorities may be able to compel you to divulge any passwords to unlock the files or drive. There have been two people jailed in the UK for refusing to divulge their passwords. US law is unclear, as the Circuits have ruled in different ways in different cases, if I recall correctly.
If you want to carry encrypted data without it being apparent, then you can use TrueCrypt to create an encrypted “volume” which will look like a regular file. Just name the file something innocuous, like “refrigerator-ref-manual.pdf.zip”. Even if “they” try to un-zip the file, it will appear to be a damaged ZIP file. Oh darn, too bad.
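The renaming trick has a limit worth knowing about. As an added example (my own code, not from the post and not part of TrueCrypt), here is the kind of file check that would see through it: a genuine ZIP archive starts with the `PK\x03\x04` local-file-header signature and parses as an archive, while an encrypted volume carries no plaintext header and is almost incompressible, with entropy close to 8 bits per byte. The sample archive is built in memory; the “volume” is seeded random bytes standing in for a real container, which is designed to look the same to a check like this.

```python
import io
import math
import random
import zipfile
from collections import Counter

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature every real ZIP archive starts with


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, about 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify(blob: bytes) -> dict:
    """Inspect a blob the way a file-type or DLP check would: signature, parsability, entropy."""
    return {
        "has_zip_signature": blob.startswith(ZIP_LOCAL_HEADER),
        "parses_as_zip": zipfile.is_zipfile(io.BytesIO(blob)),
        "entropy_bits_per_byte": round(shannon_entropy(blob), 3),
    }


def looks_like_encrypted_container(blob: bytes) -> bool:
    """Heuristic: no known signature, does not parse, yet nearly incompressible (entropy above 7.9)."""
    info = classify(blob)
    return (not info["has_zip_signature"]
            and not info["parses_as_zip"]
            and info["entropy_bits_per_byte"] > 7.9)


def make_real_zip() -> bytes:
    """Constructed sample: a genuine ZIP holding one short text file (fixed timestamp, so it is reproducible)."""
    buf = io.BytesIO()
    zinfo = zipfile.ZipInfo("manual.txt", date_time=(2010, 12, 1, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zinfo, b"Refrigerator reference manual\n" * 200,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def make_fake_volume(size: int = 65536, seed: int = 2010) -> bytes:
    """Constructed stand-in for an encrypted volume: uniformly random bytes from a seeded PRNG.
    A real TrueCrypt volume is made by the tool; the point is that it, too, has no plaintext header."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    for name, blob in (("real .zip", make_real_zip()),
                       ("renamed volume", make_fake_volume())):
        print(name, classify(blob), "container?", looks_like_encrypted_container(blob))
```

The name on the file never enters the check; a renamed volume fails the signature test, fails to parse, and sits at maximal entropy, which is exactly the combination the heuristic flags. The same three measurements are what a defender would log for files leaving a network.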
Bruce Schneier offers a novel, if complicated, solution: encrypt with a key that you don’t know.
But best of all is to not actually carry any data at all… Store your data at your non-US ISP, and keep nothing on your laptop except a web browser. You can always get to your data as long as you have a net connection, but you don’t carry it where it can be seized or lost if your laptop is stolen. If you need your data when you aren’t connected, then just put the data at the ISP and clear it off your laptop before you travel, and then download it at your destination and then carry it around. This method has been recommended in the corporate security press for protecting corporate secrets.
One novel idea is to not carry a laptop at all. Carry an iPad and use it to read your email and access your data. Store nothing on the iPad, and clear the browser cache frequently. No one will know how to search it at a border, as there are currently no common tools to image an iPad. Even when those tools arrive, there will be no data to find.
So, how’s your paranoia level?
- Protect Your Laptop, Phone During U.S. Border Searches (howto.wired.com)
- Five Best File Encryption Tools [Hive Five] (lifehacker.com)
I’ve been thinking about security again. Between the “freedom fondle” at my trip to Las Vegas, the recent Gawker “oops”, and work, I’ve been revisiting the idea of the “threat pyramid”. This is a concept that I created for a security evaluation I performed for a job back in the early 90s.
The idea is that there are more people (and tools) capable of being a threat at the lower levels of capability, and fewer at the higher levels of sophistication.
For example, there are potentially millions of “script kiddies” who can use easy to find and easy to use attack tools. I recently dealt with a case where a 16 year old had downloaded “shrink wrapped” Botnet tools (with a convenient Windows GUI) to attack a site. The tool did everything from create a customized malware package, through basic SPAM distribution to managing the botnet command and control.
As you move up in the pyramid, you have fewer people (or groups) capable of being a threat, but they have more capacity to be a threat. They will be creating more sophisticated tools, and will require more capable (hence expensive) defenses.
At the top of the pyramid, you have “government” level threats. These are well-funded, technically sophisticated groups that are likely to target specific high-value targets. Could be a government, or just a well-funded criminal enterprise. This is now sometimes being characterized as the “Advanced Persistent Threat (APT)”, which is actually a pretty good term. While at a prior job, I met the leader of one of these groups, who worked for a government agency. Their goal was to be able to enter a high-value target, get everything they wanted, and get out without detection. Their motto was “one packet, one kill”. They were quite content to map out a specific target over weeks or even months, then get in, get the data and get out in just a few minutes (if not seconds).
So, how does this apply to you, or your organization?
You can split the threat pyramid into at least three regions based on who you think is your adversary, their capabilities and your budget (or determination).
At the very bottom are the threats that are pretty much beneath your notice. The normal “background radiation” of the Internet. Things that will hit your defenses and bounce off. Things that are so common that it isn’t worth people’s time to notice. Consider things like the constant port scans that are going on all the time that are blocked by your perimeter routers and firewalls. They never get past the perimeter, they are constantly going on, and you’re never going to do anything about them, except maybe count them for some management report. Defenses here are well-understood, affordable and considered a requirement for living on the modern Internet. If you get owned by one of these threats, there’s really no excuse.
At the very top are those threats that you’ll just never see. They might own you, but you’ll never know it, at least not until after the attack has come and gone. If a government decides that you’re an interesting target, they’ll get in, and you’ll likely never even know it. There’s literally nothing you can do (or afford to do) to defend against this threat. This is a risk that you’ll just have to accept.
It’s the middle where things get interesting. This is the area where you have to do the thorough analysis, and make tough decisions about which protections you need, which you can afford, and which your organization will tolerate. This is the area on which most security efforts should be focused, and where there is also the most uncertainty. This is where all the tradeoffs have to be made.
So, how does this apply to you? Think about your own threat pyramid. Make sure that you have the lower levels covered. Then decide how high you want to raise the bar. Too low and you get owned by an easily preventable threat. Too high and you may not be able to afford the defenses, or you’ll spend too much time and money worrying about a threat that you really just can’t defeat.
I was one of the million or so people affected by the recent Gawker compromise. At the same time, I’m moving to a new laptop. I decided to take this as a wakeup call to get my password house in order, and to change some of the things about my working environment.
I had originally thought that I was unaffected, but I had created a throwaway Gawker account over a year ago so I could comment on a Jalopnik post. Throwaway email address at a domain that I no longer use, and a password that I shared with all throwaway web accounts. So far, so good.
While I was looking into the stories about the Gawker incident, I found this article at lifehacker about how to be smarter about online passwords. I’ve always kept “important” passwords (banks, credit cards, etc) completely separate from email accounts, web site accounts, etc. I use the built-in password manager in Firefox for most accounts, but with a master password.
But, when I tried the “Lastpass security test”, I discovered that I had entirely too many web accounts (361!), and entirely too much password reuse. So, time to get serious about web passwords.
Since installing Lastpass, I’ve started culling through all that old password cruft, and resetting my most important passwords with generated passwords. Since I have several completely separate online identities, this may take some time. I figure I’ll have to take a fair amount of time over the Holiday break.
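The culling described above is mechanical enough to script. As an added example (my own code, not Lastpass’s and not from the post), this audits a password-manager export for the two problems the security test surfaced, reuse across sites and weak or breached passwords, and generates a distinct replacement for each flagged account from the operating system’s CSPRNG. The export and the breach list are constructed samples; nobody’s real credentials.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample of a password-manager export (CSV: site,username,password).
# The reuse pattern mirrors the post's "one password shared by all throwaway accounts".
SAMPLE_EXPORT = """site,username,password
jalopnik.com,throwaway1,letmein99
forum.example.org,throwaway1,letmein99
news.example.net,throwaway2,letmein99
bank.example.com,alice,Tr0ub4dor&3
mail.example.com,alice,correct-horse-battery
"""

# Constructed stand-in for a list of passwords seen in public breaches.
BREACHED = {"letmein99", "password", "123456", "qwerty"}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def parse_export(text: str) -> list:
    """Read the CSV export into a list of {site, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(entries: list) -> dict:
    """Map each password that appears on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def audit(entries: list, min_length: int = 12) -> dict:
    """Return {site: [issues]} for every account that is reused, too short, or on the breach list."""
    reused = find_reuse(entries)
    findings = {}
    for e in entries:
        pw = e["password"]
        issues = []
        if pw in reused:
            issues.append("reused on %d sites" % len(reused[pw]))
        if len(pw) < min_length:
            issues.append("shorter than %d chars" % min_length)
        if pw in BREACHED:
            issues.append("appears in breach list")
        if issues:
            findings[e["site"]] = issues
    return findings


def generate_password(length: int = 20) -> str:
    """A fresh replacement from the CSPRNG; call once per site so nothing is shared."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for site, issues in audit(rows).items():
        print("%-20s %-40s -> rotate to %s" % (site, "; ".join(issues), generate_password()))
```

The reuse check is the important one: a breach at any one of the three sites sharing `letmein99` exposes all three, which is exactly how a throwaway account on a gossip site ends up mattering. The generated replacements are only useful if they go straight into the manager, since nobody will remember them.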
We have to realize that very few, if any of the web sites we use on a daily basis were actually designed with security in mind. Any security they have in place is to protect themselves, not their visitors. Gawker has admitted this, and seems to be changing course. I wonder if any other sites will take this as a wakeup call?
- How to Audit and Update Your Passwords [Passwords] (lifehacker.com)
- Personal Password Security and the Gawker Hack (prweb.com)