7/28/2019 Online Security for Activists
How To Think About Online Security
A Guide for Activists

What's security?
Stopping an adversary from doing something that you don't want them to do.
There's always an adversary involved. Maybe more than one.

Example: an email to a friend criticizing the government
Does the govt. have the ability to intercept your email?
Would they want to?
Can they read it?
If not, can they learn who the sender and recipients are?
Will they follow you more closely now?

Example: storing files on a laptop
Is the laptop kept somewhere safe?
Do you need a password to read the files?
Can the files be accessed remotely?
Are there other copies of the files?
Does anyone know you have interesting files?
What would happen if the files were read?

Bad Security: Palin Email Hack

How did the hacker get in?
Used "recover password" feature on Yahoo
It asked him for birthday, zip code, and where Palin met her husband
Answers to these questions from Wikipedia, US Post Office, and online biography

How was the hacker caught?
Posted screenshots had URL starting with ctunnel.com
ctunnel is an anonymous proxy, who was happy to give their logs to the FBI.
Log had IP address of computer used for the hack.

Also...
Hacker posted a message on 4chan.org under the name rubico [email protected]
This email address connected to real name via YouTube profile
Both Palin and the hacker practiced bad security. The adversary won in both cases.

How To Think About Security
Who is the adversary?
What threats do they present?
How can I protect myself from these threats?
What will it cost me? What will it cost the adversary?
Security is mostly about habits. It's something you do, not something you set up.

Things that can be threatened
Invisibility: adversary can become suspicious of something you are doing
Contacts: adversary can learn who you are talking to
Anonymity: adversary can learn who you are
Privacy: adversary can learn what you know
Operations: adversary can stop you from acting, both online and offline

Securing your computer
If the back door is open, it doesn't matter if the front door is locked.
If your computer isn't secure, your communication security doesn't matter (much).
Needs to be impossible to control it remotely.
Antivirus software
Antispyware software (beware keyloggers!)
Network firewall

Physical security
A firewall doesn't help when someone steals your computer
Or reads your email while you're at lunch.
Put a password on your computer!
If the information really is important, encrypt the disk!
Use the operating system's tools, or PGP Whole Disk Encryption, or TrueCrypt

Password security
Phishing is by far the most common way to get passwords.
Don't use short passwords, words in the dictionary, or personal data (like your birthday or pet's name.)
Use different passwords on different sites.
Never share passwords between people! Get them their own.

Phishing
A fake website that asks for your password
Most commonly: an email or a message that says you need to log in somewhere, with a link to click on.
Always read the URL before entering a password, or type it yourself.

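
What "reading the URL" means in practice, as an added example that is not part of the original slides: the function lists the reasons a link does not lead to the site you expect. The host names are constructed samples using reserved example domains, and `check_login_url` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

def check_login_url(url, expected_host):
    """Return a list of reasons not to type a password into `url`.

    An empty list means the URL is https and its host is expected_host
    (or a subdomain of it).
    """
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        # Everything before '@' is login info, not the site being contacted.
        problems.append("text before '@' hides the real host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Non-ASCII or punycode labels can imitate familiar letters.
        problems.append("host uses look-alike-capable characters")
    if host != expected_host and not host.endswith("." + expected_host):
        # The site is decided by the END of the host name, not its start.
        problems.append("host is %s, not %s" % (host, expected_host))
    return problems

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    samples = [
        "https://mail.example.com/login",
        "http://mail.example.com@login.example.net/",
        "https://mail.example.com.login.example.net/",
    ]
    for link in samples:
        print(link, "->", check_login_url(link, "mail.example.com") or "ok")
```
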
Phishing Example

https://
Q: Who can read what I send on the internet?
A: Everyone who runs a computer somewhere in the middle of the path that communication takes.
ISPs, Telcos, governments...
Unless: you send the data encrypted. On the web, encrypted sites start with https

Don't make it easy.
Never type any sensitive information into a web page that does not start with https

Security is About People
Hacking is sexy, but in reality people are the weak point.
ignorance, scams, social engineering, mistakes
getting lazy: sharing passwords, using insecure channels...
Would you give up your password if...
they threatened to fire you?
they put you in jail?
they kidnapped your mother?

What do they watch?
US, UK, Iran, Chinese governments known to have extensive electronic surveillance.
Emails, IM, general internet traffic
Facebook, Google, Yahoo, etc. all service millions of law enforcement requests per year.
Phones don't need to be tapped. It's all done through the network now.
Basically, you have to assume that all communications are monitored.

What else can they watch?
Credit cards, banking transactions
Security cameras
Student cards, smart cards, any time you use any card...
National governments can ask for any of this data.
Will governments cooperate on international cases? Maybe.

Securing web email
Gmail always uses https now
So, the communication from your computer to Google's computer is secure.
But then Google sends the email to the recipient's server without encryption!
Think: where does this message go? Where are the computers physically located?

Where the Email goes
[Diagram labels: gmail.com, yahoo.com]

What if we both use Gmail?
Better!
Now the email is never sent unencrypted.
But Google can still read it...
When does Google read emails? When the US government tells them to. Millions of requests per year.
Will Google tell other governments? Maybe. Yahoo has.

Keeping email private, really
You need to use something called PGP ("pretty good privacy") to encrypt messages.
A bit tricky. For Firefox, a tool called FireGPG makes this easier.
If the email is encrypted properly, no one but the receiver can read it, even if it's intercepted.
Tutorial here: http://www.irongeek.com/i.php?page=videos/usingGPGPGPFireGPGtoencryptandsignemailfromgmail

The Internet is More than The Web
There are lots of ways to communicate that do not involve the web:
Apps on your phone
instant messaging programs
Email through Outlook, Thunderbird, etc.
Skype
Twitter clients
etc.
https won't help for these, because it's only for web pages.

Skype
Skype uses strong encryption and is generally considered safe.
Skype company (EU) knows who you're talking to, but not what you say. Will they tell?
BUT
Do not use Chinese TOM-Skype or clone! Intentionally insecure! Watches for keywords and sends data to Chinese govt!

Simple secure Communication: Instant Messenger plus OTR
OTR means "off the record." It's a plugin for instant messenger programs.
Easy!
Just use your normal IM account, and access it from a program which supports OTR
All OSs: use Pidgin plus the OTR plugin
Mac: use Adium

Mostly secure is not secure
(like using condoms)
If you need secure communications, set up IM+OTR right now.
Communications that are sometimes secure are worse than useless.
That one unencrypted message can cause problems in many different ways.
It only takes one leak to ruin invisibility or anonymity.
Don't be lazy.

Important!
Encryption preserves privacy, but not anonymity.

Encrypted communications (like IM+OTR) protect privacy, but not invisibility or anonymity.
Using encryption may be suspicious.
They know who you are and who your friends are, and when you talked to them.
"They can't read it, but they know who I'm talking to."

Anonymity
Every computer on the internet has a unique number, called the IP address
IP means "internet protocol." This is how your data knows how to get to you.
Most servers log the IP address of everyone who uses them.
Your ISP sells you the IP address, so it knows who you are.

Hiding your IP Address
Can use an anonymous proxy
But does the proxy keep logs? Who can read them?

Trusting a proxy
Anyone running a server has to give their logs to law enforcement in their jurisdiction
E.g. a server in Canada must report to the Canadian government.
Is this a problem? Maybe.
What if the proxy is hacked by the adversary?
What if the proxy is actually run by the adversary?

Onion Routing
Use multiple proxies.
No single proxy knows the IP addresses of both ends of the connection

TOR: The Onion Router
torproject.org
International project to build an anonymity tool.
The best anonymity you can currently get.
Also jumps over firewalls very reliably!
Slow... the network is not large.
You can help! Run a Tor node!

Things that break anonymity
Don't post your name, city, email, etc.!
Don't log in to your regular email, Facebook, etc. over an anonymous connection!
Timing attack: if you're always using Tor when a new post appears on an anonymous blog, they can tell it's you.
Use time-delayed posting feature to avoid this.
Anonymity is hard! If you need it, study it.

Phones
The location of every phone is continuously logged by the telco, to within a few meters.
Changing SIM cards won't make you anonymous, because the phone has an IMEI number.
Text messages are logged.
Call destination and (sometimes) audio are logged.
Phones are very insecure!

Beware hidden info in documents!
When you save a Word or PDF file, it includes your user name and other identifying information.
This is called metadata and will give you away!
Use a plain text editor to avoid this (Notepad, TextEdit)
Or sanitize the document before releasing. See NSA procedures: http://www.nsa.gov/ia/_files/support/I73302R200.pdf

Avoiding Suspicion
Decide carefully which activities are public and which are private. Speak out deliberately, not randomly.
If you only have encrypted communications with certain people, the adversary knows exactly who you are working with!
Use encryption whenever possible for your regular traffic.

Summary
What To Do
Make a security plan!
Secure your computers: antivirus, antispyware, firewalls
Secure your computers physically: locks, passwords, disk encryption
Use strong passwords. Don't share them between people or accounts.
Use secure communications.
Sanitize released documents!
Keep learning!

Private communications
The simplest method I know for privacy:
Use instant messenger plus OTR (always!)
Never IM from your phone!
Communication between two users @gmail is second best way but it keeps logs, and depends on Google and US govt being on your side.

Anonymous communications
If you need anonymity as well as privacy:
Sign up for new IM accounts anonymously; don't give your email or reuse a username.
Set your IM client to route through TOR
Always use TOR. The one time you don't, the adversary gets your IM handle and knows who you talk to.

Anonymous email addresses
gmail.com now requires a phone number, so not anonymous.
riseup.net is best, but you will need to be invited by someone who already has an account.
hushmail.com is free and very good. Can send encrypted messages to people without encryption software.
Don't ever log in to your anonymous email account without Tor! Otherwise anyone watching your connection will know it's you!

I haven't talked about...
Securing your web server.
Denial of service attacks: how to keep your site up (assuming the government can't just order you to stop.)
Smuggling data.
Operational security: who do you trust in the real world? Who knows your plans? Who gets passwords?
There are many different types of security.

Keep learning!
NGO security guide (read it!) Detailed tutorials on every tool mentioned here:
http://security.ngoinabox.org/
Anonymous blogging with Wordpress and TOR
http://advocacy.globalvoicesonline.org/projects/guide/
How to get around the Great Firewall:
http://www.randomwire.com/howtobypassthegreatfirewallofchina/