Saturday, October 14, 2017

Why You Should Have Protonmail

When you communicate with others via e-mail, the content of your messages may be read or scanned by someone other than your intended recipient (the addressee). It should be no secret by now that many of the major e-mail providers scan the content of your private e-mail to provide targeted advertising to you, the user. E-mail services can be, and often are, hacked. The recent Yahoo e-mail hack is just one example (see "Every single Yahoo account was hacked - 3 billion in all", CNN Money, Oct 3, 2017). And for some there may be the concern of e-mail being accessed through legal discovery or a search warrant.
 
Now while you may not care about some of the content of your e-mail being exposed, you no doubt have personal e-mail content that you don’t want shared with anyone other than the intended recipient. To protect your personal and private communications with close friends and family, it is important to get everyone to communicate through an end-to-end encrypted e-mail service. For this, I recommend that you get everyone to sign up for and use a ProtonMail account.
 
ProtonMail is an end-to-end encrypted email service founded in 2013 at the CERN research facility in Geneva, Switzerland. ProtonMail uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers, in contrast to other common email providers such as Gmail and Hotmail. The service can be accessed through a webmail client or dedicated iOS and Android apps.  
 
When communicating on the ProtonMail network all your communication between ProtonMail accounts is encrypted using PGP. You also have the ability to send encrypted e-mail to users of other services if you have a shared message password; but having all of your close friends and family using the ProtonMail network is a much more secure option.  
 
  • ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.
  • All emails are secured automatically with end-to-end encryption. This means even ProtonMail cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.
  • No personal information is required to create your secure ProtonMail account. By default, ProtonMail does not keep any IP logs which can be linked to your anonymous email account.
 
Friday, October 13, 2017

Free Privacy & E-Security Books

In 1999, I published my first book Privacy for Sale. The following year, I published The Complete Guide to E-Security, and then in 2002, I published The Privacy Handbook. All three of these books were published by Paladin Press in Colorado. Unfortunately, Paladin Press will close its doors at the end of the year (2017) and these three books are no longer in print.
 
I am making a PDF copy of each of these books available for free to readers of my blog, Chesbro On Security. Just follow the links and download a copy from my Google Drive.
Some of the information in these books is outdated, and some of my ideas at the time were, well... pretty bad (although perhaps valid at the time); but much of the information in these books is still valid and applicable to personal privacy and security today. At a minimum, you can read my thoughts on privacy and e-security from 15-20 years ago, and compare them to my thoughts in this blog currently.
 
KeePassXC Password Manager 2.2

KeePassXC (KeePass Cross-Platform Edition) is a community fork of KeePassX, the cross-platform port of KeePass for Windows.
 
The database is encrypted with the industry-standard AES (alias Rijndael) encryption algorithm using a 256-bit key. It is also compatible with KeePass Password Safe.
 
KeePassXC features include:
  • Auto-Type on all three major platforms (Linux, Windows, OS X)
  • Twofish encryption
  • DEP and ASLR hardening
  • Stand-alone password and passphrase generator
  • Password strength meter
  • YubiKey challenge-response support for strengthening your database encryption key
  • A generator for time-based one-time passwords (TOTP)
  • A diceware password generator
  • A command line interface (CLI)
  • CSV database import
  • True portable mode with the config file residing in the same directory as the application
  • Automatic database locking when you lock your desktop session
 
Thursday, October 12, 2017

SnowHaze for iOS

SnowHaze is a powerful private browser developed to fully protect your data on the Internet. You can use SnowHaze on Apple iPhone, iPad and iPod Touch running iOS 9.2 or later. I use SnowHaze and recommend it as a replacement for the Safari browser.
 
Apple devices come with Safari pre-installed, and you generally are not able to completely uninstall Safari from your iOS devices. You can, however, disable the Safari browser by following these steps:
 
1: From your device's home screen, click the Settings app
2: Scroll down and select General
3: Select Restrictions
4: Enter (or create) your restrictions passcode
5: Switch the toggle next to Safari to the OFF position

From the SnowHaze web-site... (https://snowhaze.com/en/)
 
"You are most probably not selling guns to Yemen over the Internet. However, already very basic information about you can be very harmful if it lands in the wrong hands. Your health data could be sold to an insurance company, which could deny selling you insurance. You could see more expensive flight tickets on the internet than your neighbor does because the site that is selling you the tickets already knows where you want to go. There are tons of more examples and the technology to analyze collected data is evolving at an incredible pace! While all popular browsers (Safari, Firefox, Chrome, etc.) offer functions that claim to protect your data ... well, they don't really. They erase your local data, but the much more harmful part on the internet stays there, easily accessible for everybody. This is why it is so important to protect your data. No browser entirely hides your activities on the internet (even TOR and SnowHaze do not), but we do everything to protect your data as well as we can. The technologies that SnowHaze uses are not new. But until now, it was too hard to set up, the interfaces were just ugly and the pages would not even load correctly. This is why we created SnowHaze - The first easy to use browser that really protects your data. Let us know what you think; we would love to hear your opinion!"


Cyber Self-Defense

Cybersecurity Attacks - The Insider Threat

http://www.cdse.edu/shorts/cybersecurity.html
 
A new (August 2017) course from CDSE. This short, 15-minute course gives an overview of cyber attacks by insiders and provides recommendations on how to mitigate those threats.
 
Wednesday, October 11, 2017

Secure E-mail Certificates

 
"A Secure E-mail certificate adds security and authenticity to your e-mail communications. Encryption keeps your e-mail private while digital signing ensures the integrity and authenticity of the message." ~ Comodo
 
One method of encrypting e-mail across multiple systems and with multiple users is through the use of digital certificates. A digital certificate is a data file containing the necessary information for a user to sign, encrypt, and decrypt e-mail. Digital certificates can be used with almost any e-mail client that supports S/MIME (Secure/Multipurpose Internet Mail Extensions), such as Outlook, Netscape, Mac Mail, Thunderbird, and Eudora. The advantage of this is that regardless of what e-mail system a person is using, it is usually possible to exchange encrypted e-mail through the use of digital certificates.
 
To use digital certificates to encrypt e-mail it is first necessary to obtain a personal digital certificate.  Digital certificates are data files issued by certification authorities (CA). 
 
To obtain a personal digital certificate, simply visit one of the certification authorities' web-sites, fill out the certificate application, and then download and install your digital certificate. A digital certificate may be associated with an e-mail address, or may be associated with a specific individual through the submission of identification documents to the certification authority when the digital certificate is requested. Digital certificates associated with an e-mail address may be available for free, while those associated with a specific individual through the submission of identification documents usually carry a small annual fee. For personal e-mail security, having the digital certificate associated with just an e-mail address may be sufficient; however, individuals using digital signatures in a business or professional capacity may want to have their digital certificate associated with their personal identity as well. In either case the encryption is the same, and the digital certificates function in the same way.
 
Comodo offers a free secure e-mail certificate at:  https://www.comodo.com/home/email-security/free-email-certificate.php
 
Improve your digital security.  Get your personal secure e-mail certificate today.
 
Tuesday, October 10, 2017

7-Zip Encrypted Archives

 
7-Zip is a free file compression program that gives users the option of also encrypting compressed archives using the AES256 algorithm. You can download a copy of 7-Zip from http://www.7-zip.org. Once you download and install 7-Zip, you can access it by right-clicking on the files you want to compress and encrypt.
 
To encrypt a file or folder using 7-Zip, right click on it and choose ‘Add to archive…’ from the 7-Zip menu. In the dialog that opens, choose “7z” as your Archive format and select AES256 as the Encryption method. If you don’t want your file and folder names to be visible in your 7-Zip archive, check the “Encrypt file names” box. Enter a strong password and click “OK”. 7-Zip will now compress and encrypt your archive.
 
Anyone with a copy of 7-Zip and knowledge of the password protecting the encrypted archive can access its content, so 7-Zip is an excellent way of sharing files securely. If for some reason the recipient of the archive doesn’t have a copy of 7-Zip, you can always create a self-extracting archive by choosing the “Create SFX archive” option. This creates an executable (.exe) file, so there is no requirement to have 7-Zip installed to open the archive. Self-extracting archives are useful for storing back-ups of files and folders, but less useful for sharing information, as many e-mail programs won’t allow you to send a .exe attachment, or will not allow a .exe attachment to be delivered. Still, if you are making archives available in some manner other than e-mail (such as through OnionShare, Dropbox, or Google Drive), self-extracting archives are still a useful option.
 
With 7-Zip, you also have the option of choosing “Zip” for your archive format. The zip format is compatible with most other file compression programs, and you still have the option of encrypting files and folders using this format. If you choose zip as your archive type, you lose the option of encrypting file names and creating self-extracting archives: the zip format stores every entry name in the clear, even when the entries themselves are encrypted. When using the zip archive format, I recommend that you first create an unencrypted inner archive. Name this inner archive something innocuous and then place it into an encrypted outer archive. In this way you protect the file and folder names from anyone who does not know the password to decrypt your outer archive. In most cases I recommend downloading and using 7-Zip, but in some business environments users may not be able to install programs like 7-Zip on their work computers. The zip archive format, using both an inner and outer archive, allows you to securely share files and folders, while protecting the file names, when the recipient does not have 7-Zip installed on his or her computer.
 
You may note that when using the zip archive type, you have the option of selecting “ZipCrypto” as your encryption method. ZipCrypto is a much weaker encryption scheme than AES256 and is offered only for backwards compatibility with older compression and encryption tools. AES256 is the standard choice today, so generally speaking you should never select the ZipCrypto option when creating a new archive.
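As an added illustration (my own code, not from the original post or from 7-Zip) of the two points above: the Python below parses a zip archive's central directory, lists every entry name in the clear, and reports whether each entry is unencrypted, ZipCrypto, or WinZip-style AES. The sample archive is constructed in the code with header fields only and no file data; the field layout follows the public zip specification.

```python
import struct

# ZIP record signatures, plus the WinZip AE-x marker: compression method 99 and
# an extra field with header ID 0x9901 that carries the real method and key size.
LOC_SIG = 0x04034B50
CEN_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
AES_METHOD = 99
AES_EXTRA_ID = 0x9901


def build_sample_zip(entries):
    """Constructed sample: a minimal archive from (name, flags, method, extra) tuples.

    Only the headers matter for this audit, so every entry has zero bytes of data.
    """
    local, central = b"", b""
    for name, flags, method, extra in entries:
        nb = name.encode()
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", LOC_SIG, 20, flags, method,
                             0, 0, 0, 0, 0, len(nb), len(extra)) + nb + extra
        central += struct.pack("<IHHHHHHIIIHHHHHII", CEN_SIG, 20, 20, flags, method,
                               0, 0, 0, 0, 0, len(nb), len(extra), 0, 0, 0, 0,
                               offset) + nb + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def aes_key_bits(extra):
    """Walk the extra-field list and return the AE-x key size, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack("<HH", extra[pos:pos + 4])
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # body = vendor version(2) + "AE"(2) + strength(1) + real method(2)
            return {1: 128, 2: 192, 3: 256}.get(body[4])
        pos += 4 + size
    return None


def classify(flags, method, extra):
    """Name the encryption scheme of one entry from its header fields."""
    if not flags & 1:                      # general-purpose bit 0 = encrypted
        return "none"
    if method == AES_METHOD:
        bits = aes_key_bits(extra)
        return f"AES-{bits}" if bits else "AES (unknown key size)"
    return "ZipCrypto"                     # legacy PKWARE stream cipher


def audit_zip(data):
    """Return {name, scheme} for every central-directory entry in the archive."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip file")
    n_entries, _cd_size, cd_offset = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])[4:7]
    records, pos = [], cd_offset
    for _ in range(n_entries):
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if fields[0] != CEN_SIG:
            raise ValueError("corrupt central directory")
        flags, method = fields[3], fields[4]
        nlen, xlen, clen = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        records.append({"name": name, "scheme": classify(flags, method, extra)})
        pos += 46 + nlen + xlen + clen
    return records


def weak_entries(data):
    """Names of entries still protected by ZipCrypto, i.e. an archive to re-create."""
    return [r["name"] for r in audit_zip(data) if r["scheme"] == "ZipCrypto"]


AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ENTRIES = [                         # constructed, not from a real archive
    ("notes.txt", 1, 8, b""),              # encrypted with legacy ZipCrypto
    ("report.pdf", 1, AES_METHOD, AES256_EXTRA),  # encrypted with AES-256
    ("readme.txt", 0, 8, b""),             # not encrypted at all
]

if __name__ == "__main__":
    archive = build_sample_zip(SAMPLE_ENTRIES)
    for record in audit_zip(archive):      # names are readable without any password
        print(f"{record['name']:<12} {record['scheme']}")
    print("re-create with AES-256:", weak_entries(archive))
```

Run against a real archive by reading the file into `data` and calling `audit_zip(data)`; any name reported as ZipCrypto should be re-created with AES-256.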
 
On your personal computers, and on your business computers where allowed, I recommend that you download and install a copy of 7-Zip. This will provide you with an excellent file compression program, and will also give you a way of creating AES256 encrypted archives. If you store copies of your personal information in the Cloud, or perhaps burn files to CD/DVD and store them off-site, an AES256 encrypted archive is an excellent method of protecting that stored information. 
 
Monday, October 9, 2017

Anti-Kidnapping Techniques

 
Unless you’re the kind of person who heads to Mexico, Nigeria, Pakistan, India, or similar high-risk countries on business or for a little R&R, it’s unlikely you’ve given much thought to the threat of kidnapping when planning your trips. But kidnapping has boomed over the past decade, thanks to the growing socioeconomic divide around the globe and the spread of radical groups. While kidnappers used to target rich locals, and the abductions were largely confined to a handful of countries, these days foreign business executives and tourists are now just as likely to be the victims, and the abductions can happen virtually anywhere.
 
A form of kidnapping that is becoming more common in some parts of the world is "express kidnapping". Express kidnapping is similar to a mugging, but instead of just demanding your purse or wallet, the kidnappers take victims to ATMs and force them to withdraw money. In some cases, express kidnapping victims are held for a few days and forced to withdraw the maximum limit from ATMs until either their account is empty or the bank blocks further cash withdrawals. Express kidnapping victims may also be taken back to their home, hotel, or business and forced to hand over any available cash, credit cards, or other valuables.
 
To avoid being kidnapped you must not allow yourself to be put into a situation where an adversary can gain physical control of you.  It will always be preferable to avoid giving an adversary the opportunity to kidnap you, than to have to fight off a kidnapping attempt, or escape from a hostage situation.
 
Some kidnapping prevention tips include:
  • Vary your travel routes and times. Don’t set patterns that allow someone to ambush you.
  • Plan your routes before setting out, and always know where you are.
  • Travel with more than one person in your vehicle, or travel in multi-vehicle convoys.
  • Keep vehicle doors locked, and keep windows up anytime you are driving in a city, or stopped at an intersection.
  • Leave enough space between you and the car in front to give yourself an escape route.
  • Be aware of the possibility of surveillance and employ surveillance detection techniques.
  • Pay attention to other vehicles in front and behind you, and be aware of cars waiting in side roads or in off-road parking spaces.
  • Be especially alert when arriving at or departing from known locations, such as your home or work.
  • Maintain appropriate security at your residence to prevent home-invasion robberies and kidnapping. Install top-quality locks. Have an alarm system, and security cameras. In some cases a 'panic room' may be appropriate to allow you to lock yourself away from attackers.
  • Have a working cellular telephone, and know what numbers to call in an emergency. But remember when seconds count, help is just minutes away.
  • Be careful about revealing data on social media - Do not reveal too much about yourself or your family members via social media. No need to flaunt new cars, houses, or condominium units. Never reveal your home address on social media. Don’t post on social media the places you frequent.
  • Always be properly armed to allow you to resist a violent attack, such as a kidnapping attempt.
Whether you should actively resist a kidnapping attempt is situation dependent, and security advice often recommends not resisting your kidnappers. However, once kidnappers have you under their control it becomes that much more difficult to escape, and you are at the mercy of your kidnappers.

The US Department of State has said: "Kidnapping can take place in public areas where someone may quietly force you, by gunpoint, into a vehicle. They can also take place at a hotel or residence, again by using a weapon to force your cooperation in leaving the premises and entering a vehicle. The initial phase of kidnapping is a critical one because it provides one of the best opportunities to escape. If you are going to resist at the point of capture, do so as if your life depends on it; it most probably does."   
 
If you are armed, actively resisting (shooting) your kidnappers will thwart the kidnapping attempt. That being said you must be sufficiently skilled with your weapons to overcome the violence presented by your kidnappers. Which means that if you are going to carry a firearm for personal protection be sure that you know how to use it, and that you practice to develop and maintain your shooting skills.
 
According to U.S. Bureau of Justice Statistics data, having a firearm and being able to use it in a defensive situation is the most effective means of avoiding injury (more so even than offering no resistance) and thwarting completion of violent crime, such as robbery or assault. In general, resisting violent crime is far more likely to help than to hurt, and this is especially true if your attacker attempts to take you hostage. 
 
Escaping Illegal Restraint 
 
Assuming that you have been kidnapped, have you thought about how you would escape from illegal restraint? For some this can be a very important consideration. As with every survival skill you must practice your techniques to perfect them. However, in order to practice a skill, you must first learn it.
 
I found an interesting video on YouTube that demonstrates skills for escaping from restraints:
2:25 - Zip Ties Intro
5:17 - Best Case Scenario Zip Tie Hand Placement
8:51 - Shimming Zip Ties
11:50 - Breaking Out of Single Zip Tie
13:39 - Breaking Out of Double Zip Ties
17:00 - Friction Sawing Zip Ties
22:41 - Breaking Out of Duct Tape
25:24 - Escaping from Handcuffs
34:51 - Cutting through Rope
37:55 - Wrap Up
 
The Tiny Inconspicuous Handcuff Key (TIHK) company http://tihk.refr.cc/66BCH4D sells small handcuff keys and other escape tools that should be of interest to anyone facing the potential need to escape from kidnapping or illegal restraint.
 
An article on Survivopedia: "Restraint Escape Kit: Why You Need the Ability to Escape"  lists several items that one might carry to aid in escaping from illegal restraint.
 
Many of the recommended items can be purchased from Amazon.Com:
If you know how to pick locks, or want to learn, it may be worthwhile adding a small set of lock picks to your escape kit. While lock picks can be purchased from many sources, some of my favorites are: 
The Black Scout Survival YouTube Channel has a lot of related information, and they sell an Escape & Evasion DVD that I recommend.
 
So, the bottom line is this. The chances of you becoming a kidnapping victim are pretty low, unless you are traveling to countries with a high kidnapping risk. But a low risk does not mean no risk. ABC News once reported: "Phoenix, Arizona has become the kidnapping capital of America, with more incidents than any other city in the world outside of Mexico City and over 370 cases last year alone." (ABC News, February 11, 2009)
 
A kidnapping may not start out as such, but arguments can escalate into assaults, and assaults can result in you being held against your will, being illegally restrained, or kidnapped. If you are prepared to deal with the possibility of kidnapping then you reduce your risk of becoming a victim; and if you do become a kidnap victim, you increase your chances of escape by having planned in advance for this possibility.

The US Department of State has published "Personal Security Guidelines For the American Business Traveler Overseas" which provides useful information in avoiding becoming a victim of kidnapping and other crimes while traveling.  Additional security advice is provided in "Security Guidelines For American Families Living Abroad". In the Spring of 2016, the US Department of State published a "Travel Security Form" to aid travelers in planning a safe trip overseas.

Sunday, October 8, 2017

OnionShare

 
OnionShare lets you securely and anonymously share files of any size. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable URL to access and download the files. It doesn't require setting up a server on the internet somewhere or using a third party file-sharing service. You host the file on your own computer and use a Tor onion service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you.
 
You can download OnionShare for Windows and macOS from https://onionshare.org/. It should be available in your package manager for Linux, and it's included by default in Tails.
 
  • Once you have installed OnionShare, open the program from the start menu.
  • Use the 'Add Files' and 'Add Folder' buttons or 'Drag and Drop' the files you want to share.
  • Click the 'Start Sharing' button.
  • This will generate a Tor (.onion) link to the files and folders you are sharing.
  • Provide this .onion link to anyone with whom you want to share the files and folders.
By default OnionShare stops sharing these files and folders after the first download. If you want to share the files and folders with multiple people, open the settings menu (gear icon in the lower right of the OnionShare screen) and uncheck the 'Stop sharing after first download' box.
 
You must have OnionShare open and running on your computer to share files and folders. Once you quit OnionShare, the URL to access your shared files and folders won't exist anymore. If you re-add the same files and folders to a new session of OnionShare, a new URL is generated.
 
These files and folders can only be accessed using Tor (https://www.torproject.org/), so anyone with whom you plan to share files and folders must have Tor installed on his or her computer. That being said, anyone running Tor and knowing the .onion URL to access these files and folders can download them anonymously. As is often the case when using Tor, very large files can take a long time to download.

OnionShare was developed by Micah Lee (https://micahflee.com) and is open source, released under the GPLv3.

OpenPuff Steganography

The word "steganography" comes from the Greek words steganos, meaning hidden or covered, and graphia, meaning to write.  Thus, steganography refers to hidden writing or to methods for concealing messages.  The advantage of steganography is that it allows sensitive information to be hidden in mundane and innocuous carrier files.  Steganography is not new.  It has been used at least since the time of ancient Greece.  Today with modern computers and the rapid exchange of information across the Internet, steganography allows information to be shared with individuals in areas and in situations where their communications are monitored and their freedom of expression and association is repressed.

One of the most popular steganography programs is the OpenPuff Steganography & Watermarking Tool.  OpenPuff is freeware and gives the user the ability to encrypt and hide data in audio (wav), image (bmp, jpg, png), and stream (Mp3, Mp4, Vob) carrier files, as well as in pdf files and a few other file types.  OpenPuff focuses on the security of your hidden information, and is highly recommended for anyone who needs to exchange information securely and covertly.

OpenPuff safeguards hidden information by encrypting the data and protecting it with up to three different passwords.  At least one password of eight characters is required to hide data with OpenPuff.  Additional passwords increase the security of the hidden data.  Hidden data can also be split across multiple carrier files, allowing large amounts of sensitive information to be concealed.  OpenPuff further protects hidden information by adding a large amount of random data (noise) to the information before it is encrypted and hidden.
 
A special feature of OpenPuff is ‘Deniable Steganography’ which allows two separate sets of data to be concealed in a carrier file.  This allows someone to hide both sensitive information and decoy information.  If forced to disclose the passwords protecting the hidden data, a user can give up the decoy passwords, revealing non-incriminating information, while sensitive information still remains hidden and protected by a separate set of secret passwords. 

OpenPuff also allows one to insert a hidden string of up to 32 characters into a carrier file.  This is a type of digital watermark.  This digital watermark can be revealed, without the need for a password, using the CheckMark function in OpenPuff.  This digital watermarking function can be used to identify and track files posted to public forums or shared with selected groups of people.

OpenPuff is fairly easy to use, but there is a little bit of a learning curve for people unfamiliar with the software.  For example, because OpenPuff saves a carrier file (with hidden data) as the same name as the file used to create that carrier file, these files must be saved to separate locations / folders.  Trying to create a carrier file from a photo on your desktop and then save the photo with hidden data back to the desktop generates an error but does not identify what caused the error.  The error message just states: "Couldn’t create target: [Filename]."  Other errors can be generated when a user tries to hide too much data in a small carrier file, or when OpenPuff password strength requirements are not met when hiding data in a carrier file.  In general, however, with several minutes of practice any person with basic computer skills will be able to easily use OpenPuff to conceal sensitive information.

Using Steganography
 
A primary purpose of steganography is to hide sensitive information from censors, abusive regimes, spies, and thieves.  Information that appears to be mundane, innocuous, and perhaps even a little bit boring will attract little attention.  Information that is encrypted, using PGP for example, may not be able to be decrypted and read by an adversary, but the use of encryption may cause an adversary to believe that the message contains sensitive or illicit information, whether it does or not.  In some places the use of strong encryption may be restricted or prohibited.  Steganography allows encrypted information to be hidden from prying eyes.
 
When using steganography to transmit information there should be a plausible reason for sending a file to someone in the first place.  Just sending attached photos or files without any associated comments or context can appear suspicious.  Instead of sending a file to someone directly, an innocuous photo might be posted to a web-page or on-line forum.  Anyone that wanted to do so could copy the photo, but only someone with OpenPuff and knowledge of the correct passwords could recover any hidden information that the photo might contain. 
 
It should be noted that because of the way some social media sites, like Facebook, process posted photos, information hidden using OpenPuff, and other steganography programs, may be corrupted or destroyed in photos uploaded to these sites.  If using a social media site to exchange information using steganography it is important to conduct tests to ensure that data integrity is maintained in uploaded files.  
 
Steganography works well to hide small amounts of sensitive data in otherwise innocuous information.  The greatest limitation of steganography is that carrier files must be significantly larger than the data being hidden.  You can’t hide the text of a large book in a small image file.  Large amounts of data are best hidden in audio (wav) or stream files (Mp4), and OpenPuff does this quite well.  With OpenPuff you can also split large amounts of data over multiple carrier files.
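An added example (my own code, not OpenPuff's algorithm, which is closed source) of the two limitations just described: a simple least-significant-bit scheme hides a payload in a constructed carrier, refuses payloads larger than the carrier can hold, and shows that even a crude lossy re-encoding of the carrier destroys the hidden data, which is why uploads to sites like Facebook must be tested before relying on them. The carrier, marker bytes and message are all constructed for the example.

```python
import random
import struct
import zlib

MAGIC = b"STEG"          # constructed marker so a carrier with no payload is recognised
HEADER_BITS = 12 * 8     # magic(4) + payload length(4) + crc32(4), one bit per sample


def capacity(carrier: bytes) -> int:
    """Payload bytes this carrier can hold at one bit per sample."""
    return max(0, (len(carrier) - HEADER_BITS) // 8)


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each carrier sample."""
    if len(payload) > capacity(carrier):
        raise ValueError(f"carrier holds {capacity(carrier)} bytes, payload is {len(payload)}")
    frame = MAGIC + struct.pack("<II", len(payload), zlib.crc32(payload)) + payload
    out = bytearray(carrier)
    for i in range(len(frame) * 8):
        bit = (frame[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit      # each sample changes by at most 1
    return bytes(out)


def _read(carrier: bytes, start: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs beginning at sample index start."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (carrier[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(carrier: bytes):
    """Return the hidden payload, or None if no intact payload is present."""
    if len(carrier) < HEADER_BITS:
        return None
    header = _read(carrier, 0, 12)
    if header[:4] != MAGIC:
        return None
    length, crc = struct.unpack("<II", header[4:])
    if HEADER_BITS + length * 8 > len(carrier):
        return None
    payload = _read(carrier, HEADER_BITS, length)
    return payload if zlib.crc32(payload) == crc else None


def requantize(carrier: bytes, step: int = 4) -> bytes:
    """Crude stand-in for lossy re-encoding: snap every sample to a multiple of step."""
    return bytes((b // step) * step for b in carrier)


# Constructed carrier: 4096 pseudo-random 8-bit samples standing in for image pixels.
CARRIER = bytes(random.Random(1).getrandbits(8) for _ in range(4096))
PAYLOAD = b"constructed sample message"

if __name__ == "__main__":
    stego = embed(CARRIER, PAYLOAD)
    print("capacity (bytes):", capacity(CARRIER))
    print("recovered from lossless copy:", extract(stego))
    print("recovered after lossy re-encode:", extract(requantize(stego)))
```

The same test, run on a real file round-tripped through the site in question, tells you whether the site preserves the carrier bit-for-bit.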
 
As with all security tools, it is important to practice using OpenPuff to become proficient, and to be able to take full advantage of the capabilities of the software.  OpenPuff is an important tool for security researchers and for anyone who needs to share sensitive information.

OpenPuff is certainly not the only steganography tool available.  There are several other steganography tools available (some of which are quite good), but in the opinion of the author OpenPuff is the best steganography tool currently available.  OpenPuff’s ability to encrypt data, conceal that data in several different types of carrier files, split data over multiple carrier files, and provide for the hiding of decoy data to help guard against coercion (forcing someone to disclose passwords used to protect hidden information) makes OpenPuff must-have security software.
 
OpenPuff Steganography & Watermarking Tool
http://embeddedsw.net/OpenPuff_Steganography_Home.html