Online Security for Activists

7/28/2019 Online Security for Activists

1/47

HowToThinkAboutOnlineSecurity

AGuideforAc8vists

[email protected]


2/47

Whatssecurity?

Stoppinganadversaryfromdoingsomethingthatyoudontwantthemtodo

Theresalwaysanadversaryinvolved.Maybe

morethanone.


3/47

Example:anemailtoafriend

cri8cizingthegovernment

Doesthegovt.havetheabilitytointerceptyouremail?

Wouldtheywantto? Cantheyreadit? Ifnot,cantheylearnwhothesenderand

recipientsare?

Willtheyfollowyoumorecloselynow?


4/47

Example:storingfilesonalaptop

Isthelaptopkeptsomewheresafe? Doyouneedapasswordtoreadthefiles? Canthefilesbeaccessedremotely? Arethereothercopiesofthefiles? Doesanyoneknowyouhaveinteres8ngfiles?

Whatwouldhappenifthefileswereread?


5/47

BadSecurity:PalinEmailHack


6/47

Howdidthehackergetin?

UsedrecoverpasswordfeatureonYahoo Itaskedhimforbirthday,zipcode,andwhere

Palinmetherhusband

Answerstotheseques8onsfromWikipedia,USPostOffice,andonlinebiography


7/47

Howwasthehackercaught?

PostedscreenshotshadURLstar8ngwithctunnel.com

ctunnelisananonymousproxy,whowashappytogivetheirlogstotheFBI.

LoghadIPaddressofcomputerusedforthehack.


8/47

Also...

Hackerpostedamessageon4chan.orgunderthenamerubico

[email protected] ThisemailaddressconnectedtorealnameviaYouTubeprofile

BothPalinandthehackerprac8cedbadsecurity.Theadversarywoninbothcases.


9/47

HowToThinkAboutSecurity

Whoistheadversary? Whatthreatsdotheypresent? HowcanIprotectmyselffromthesethreats? Whatwillitcostme?Whatwillitcosttheadversary?Securityismostlyabouthabits.

Itssomethingyoudo,notsomethingyousetup.


10/47

Thingsthatcanbethreatened

Invisibility:adversarycanbecomesuspiciousofsomethingyouaredoing

Contacts:adversarycanlearnwhoyouaretalkingto

Anonymity:adversarycanlearnwhoyouare Privacy:adversarycanlearnwhatyouknow Opera;ons:adversarycanstopyoufrom

ac8ng,bothonlineandoffline


11/47

Securingyourcomputer

Ifthebackdoorisopen,itdoesntma]erifthe

frontdoorislocked.

Ifyourcomputerisntsecure,yourcommunica8on

securitydoesntma]er(much).Needstobeimpossibletocontrolitremotely.

An8virussoware An8spywaresoware(bewarekeyloggers!) Networkfirewall


12/47

Physicalsecurity

Afirewalldoesnthelpwhensomeonestealsyourcomputer

Orreadsyouremailwhileyoureatlunch.

Putapasswordonyourcomputer! Iftheinforma8onreallyisimportant,encryptthe

disk!

Usetheopera8ngsystemstools,orPGPWholeDiskEncryp8on,orTrueCrypt


13/47

Passwordsecurity

Phishingisbyfarthemostcommonwaytogetpasswords.

Dontuseshortpasswords,wordsinthedic8onary,orpersonaldata(likeyourbirthdayorpetsname.)

Usedifferentpasswordsondifferentsites. Neversharepasswordsbetweenpeople!Getthemtheirown.


14/47

Phishing

Afakewebsitethatasksforyourpassword Mostcommonly:anemailoramessagethat

saysyouneedtologinsomewhere,withalink

toclickon.

AlwaysreadtheURLbeforeenteringapassword,ortypeityourself.


15/47

PhishingExample


16/47

h]ps://

Q:WhocanreadwhatIsendontheinternet?

A:Everyonewhorunsacomputersomewherein

themiddleofthepaththatcommunica8on

takes.

ISPs,Telcos,governments...

Unless:yousendthedataencrypted.Ontheweb,encryptedsitesstartwithh]ps


17/47

Dontmakeiteasy.

Nevertypeanysensi8veinforma8onintoawebpagethatdoesnotstartwithh]ps


18/47

SecurityisAboutPeople

Hackingissexy,butinrealitypeoplearetheweakpoint.

ignorance,scams,socialengineering,mistakesgenglazy:sharingpasswords,usinginsecure

channels...

Wouldyougiveupyourpasswordif...theythreatenedtofireyou?theyputyouinjail?theykidnappedyourmother?


19/47

Whatdotheywatch?

US,UK,Iran,Chinesegovernmentsknowntohaveextensiveelectronicsurveillance.

Emails,IM,generalinternettraffic Facebook,Google,Yahoo,etc.allservicemillionsoflawenforcementrequestsperyear. Phonesdontneedtobetapped.Itsalldone

throughthenetworknow.

Basically,youhavetoassumethatallcommunica8onsaremonitored.


20/47

Whatelsecantheywatch?

Creditcards,bankingtransac8ons Securitycameras Studentcards,smartcards,any8meyouuse

anycard... Na8onalgovernmentscanaskforanyofthis

data.

Willgovernmentscooperateoninterna8onalcases?Maybe.


21/47

Securingwebemail

Gmailalwaysusesh]psnow So,thecommunica8onfromyourcomputerto

Googlescomputerissecure.

ButthenGooglesendstheemailtotherecipientsserverwithoutencryp8on!

Think:wheredoesthismessagego?Wherearethecomputersphysicallylocated?


22/47

WheretheEmailgoes

gmail.com yahoo.com


23/47

WhatifwebothuseGmail?

Be]er! Nowtheemailisneversentunencrypted. ButGooglecans8llreadit...WhendoesGooglereademails?WhentheUS

governmenttellsthemto.Millionsofrequestsperyear.

WillGoogletellothergovernments?

Maybe.Yahoohas.


24/47

Keepingemailprivate,really

YouneedtousesomethingcalledPGP(pre]ygoodprivacy)toencryptmessages.

Abittricky.ForFirefox,atoolcalledFireGPGmakesthiseasier.

Iftheemailisencryptedproperly,noonebutthereceivercanreadit,evenifitsintercepted.

Tutorialhere:h]p://www.irongeek.com/i.php?page=videos/usingGPGPGPFireGPGtoencryptandsignemailfromgmail


25/47

TheInternetisMorethanTheWeb

Therearelotsofwaystocommunicatethatdonotinvolvetheweb:

Appsonyourphone instantmessagingprograms EmailthroughOutlook,Thunderbird,etc. Skype Twi]erclients etc.h]pswonthelpforthese,becauseitsonlyforwebpages.


26/47

Skype

Skypeusesstrongencryp8onandisgenerallyconsideredsafe.

Skypecompany(EU)knowswhoyouretalkingto,butnotwhatyousay.Willtheytell?

BUT

DonotuseChineseTOMSkypeorclone!Inten8onallyinsecure!Watchesforkeywordsand

sendsdatatoChinesegovt!


27/47

SimplesecureCommunica8on:

IntstantMessengerplusOTR

OTRmeansofftherecord.Itsapluginforinstantmessengerprograms.

Easy! JustuseyournormalIMaccount,andaccessit

fromaprogramwhichsupportsOTR

AllOSs:usePidginplustheOTRpluginMac:useAdium


28/47

Mostlysecureisnotsecure

(likeusingcondoms)

Ifyouneedsecurecommunica8ons,setupIM+OTRrightnow.

Communica8onsthataresome8messecureareworsethanuseless.

Thatoneunencryptedmessagecancauseproblemsinmanydifferentways.

Itonlytakesoneleaktoruininvisibilityoranonymity.

Dontbelazy.


29/47

Important!

Encryp8onpreservesprivacy,butnotanonymity.


30/47

Encryptedcommunica8ons(likeIM+OTR)protectprivacy,butnotinvisibilityoranonymity.

Usingencryp8onmaybesuspicious. Theyknowwhoyouareandwhoyourfriendsare,andwhen

youtalkedtothem.

Theycantreadit,

buttheyknowwhoImtalkingto.


31/47

Anonymity

Everycomputerontheinternethasauniquenumber,calledtheIPaddress

IPmeansinternetprotocol.Thisishowyourdataknowshowtogettoyou.

MostserverslogtheIPaddressofeveryonewhousesthem.

YourISPsellsyoutheIPaddress,soitknowswhoyouare.


32/47

HidingyourIPAddress

Canuseananonymousproxy

Butdoestheproxykeeplogs?Whocanreadthem?


33/47

Anyonerunningaserverhastogivetheirlogstolawenforcementintheirjurisdic8on

E.g.aserverinCanadamustreporttotheCanadiangovernment.

Isthisaproblem?Maybe. Whatiftheproxyishackedbytheadversary? Whatiftheproxyisactuallyrunbytheadversary?

Trus8ngaproxy


34/47

Usemul8pleproxies. NosingleproxyknowsboththeIPaddressof

bothendsoftheconnec8on

OnionRou8ng


35/47

Thebestanonymityyoucancurrentlyget. Alsojumpsoverfirewallsveryreliably! Slow...thenetworkisnotlarge. Youcanhelp!RunaTornode!

TOR:TheOnionRouter

torproject.org Interna8onalprojecttobuild

ananonymitytool.


36/47

Thingsthatbreakanonymity

Dontpostyourname,city,email,etc.! Dontlogintoyourregularemail,Facebook,

etc.overananonymousconnec8on!

Timinga]ack:ifyourealwaysusingTorwhenanewpostappearsonananonymousblog,

theycantellitsyou.

Used8medelayedpos8ngfeaturetoavoidthis.

Anonymityishard!Ifyouneedit,studyit.


37/47

Phones

Theloca8onofeveryphoneiscon8nuouslyloggedbythetelco,towithinafewmeters.

ChangingSIMcardswontmakeyouanonymous,becausethephonehasanIMEInumber.

Textmessagesarelogged.

Calldes8na8onand(some8mes)audioarelogged.

Phonesareveryinsecure!


38/47

Bewarehiddeninfoindocuments!

WhenyousaveaWordorPDFfile,itincludesyourusernameandotheriden8fying

informa8on.

Thisiscalledmetadataandwillgiveyouaway! Useaplaintexteditortoavoidthis(Notepad,

TextEdit)

Orsani8zethedocumentbeforereleasing.SeeNSAprocedures:h]p://www.nsa.gov/ia/_files/support/I73302R200.pdf


39/47

AvoidingSuspicion

Decidecarefullywhichac8vi8esarepublicandwhichareprivate.Speakoutdeliberately,not

randomly.

Ifyouonlyhaveencryptedcommunica8onswithcertainpeople,theadversaryknows

exactlywhoyouareworkingwith!

Useencryp8onwheneverpossibleforyourregulartraffic.


40/47

Summary


41/47


42/47

WhatToDo

Makeasecurityplan! Secureyourcomputers:an8virus,an8spyware,

firewalls

Secureyourcomputersphysically:locks,passwords,diskencryp8on

Usestrongpasswords.Dontsharethembetweenpeopleoraccounts.

Usesecurecommunica8ons. Sani8zereleaseddocuments! Keeplearning!


43/47

Privatecommunica8ons

ThesimplestmethodIknowforprivacy:

UseinstantmessengerplusOTR(always!) NeverIMfromyourphone!Communica8onbetweentwousers@gmailis

secondbestwaybutitkeepslogs,and

dependsonGoogleandUSgovtbeingonyourside.


44/47

Anonymouscommunica8ons

Ifyouneedanonymityaswellasprivacy:

SignupfornewIMaccountsanonymouslydontgiveyouremailorreuseausername.

SetyourIMclienttoroutethroughTOR AlwaysuseTOR.Theone8meyoudont,the

adversarygetsyourIMhandleandknowswhoyoutalkto.


45/47

Anonymousemailaddresses

gmail.comnowrequiresaphonenumber,sonotanonymous.

riseup.netisbest,butyouwillneedtobeinvitedbysomeonewhoalreadyhasanaccount.

hushmail.comisfreeandverygood.Cansendencryptedmessagestopeoplewithoutencryp8onsoware.

DonteverlogintoyouranonymousemailaccountwithoutTor!Otherwiseanyonewatchingyourconnec8onwillknowitsyou!


46/47

Ihaventtalkedabout...

Securingyourwebserver. Denialofservicea]acks:howtokeepyoursite

up(assumingthegovernmentcantjustorderyoutostop.)

Smugglingdata. Opera8onalsecurity:whodoyoutrustinthe

realworld?Whoknowsyourplans?Whogetspasswords?

Therearemanydifferenttypesofsecurity.


47/47

Keeplearning!

NGOsecurityguide(readit!)Detailedtutorialsoneverytoolmen8onedhere:

h]p://security.ngoinabox.org/

AnonymousbloggingwithWordpressandTORh]p://advocacy.globalvoicesonline.org/projects/guide/

HowtogetaroundtheGreatFirewall:

h]p://www.randomwire.com/howtobypassthegreatfirewallofchina/

Documents

Online Security for Activists