Complete Privacy and Security

It is my pleasure to make a few announcements today.  First, The Complete Privacy and Security Desk Reference has been released and is finally available on Amazon!  This is huge – Michael and I had hoped to have this work out by January but things happened that were beyond our control.  Thousands of Wickr messages, hundreds of ProtonMail emails, scores of Signal calls, and four personal meets later (one in a foreign country), here we finally are!  From the description:

This 492-page textbook will explain how to become digitally invisible. You will make all of your communications private, data encrypted, internet connections anonymous, computers hardened, identity guarded, purchases secret, accounts secured, devices locked, and home address hidden. You will remove all personal information from public view and will reclaim your right to privacy. You will no longer give away your intimate details and you will take yourself out of ‘the system’. You will use covert aliases and misinformation to eliminate current and future threats toward your privacy & security. When taken to the extreme, you will be impossible to compromise.
Since Complete Privacy and Security is available on Amazon, I will no longer be taking direct sales here.  However, I will still be taking bulk orders of over 10 copies.  Contact me for price breaks.
Second, today marks the one-year anniversary of this blog.  I am proud of this milestone, and feel it has been a productive year.  I greatly appreciate all of you who have emailed me, commented on the blog, or just lurked in the background.  Thank you!  In the coming year I plan to be much  more active; as you may have noticed since the Thirty-Day Security Challenge ended I’ve tried to post three posts a week, and I hope to continue this through 2016.
Third, now that Volume I of Complete Privacy and Security is finished, I can once again begin focusing on the Your Ultimate Security Guide series.  This series will undergo some changes.  These books will get much smaller and will be intended as companions to CP&S.  While CP&S is more principle-focused, new versions of Your Ultimate Security Guide will dig into the nitty gritty of each OS. However, it will forego a lot of the material that would be duplicated by CP&S.  This should make these volumes much slimmer and cost-effective.  The first planned releases are Windows 10 and Android, which I hope to complete this year.  An iOS re-write will be available in October or November, after the release of the new iOS version.
Thank you all again for a great first year!

Real World Example: Physical Insecurity

I recently ran across this door and lockset in the industrial district of a major US city.  Seeing an old, ramshackle (or abandoned) commercial building with a padlock hasp on the door is not all that uncommon.  However, I was close enough to notice something interesting.  Look at the photo.  This door presents an excellent example of physical insecurity – but why?

In case you have trouble seeing the mortise cylinder, below is a close-up shot.  It’s a Medeco mortise cylinder.  Though the keyway is badly worn, it is a Medeco Original (first generation).  This is a beautiful old lock.  It has probably served this building for twenty-five years or more.

So, what is wrong with this picture, and why is it so interesting to me?  It is interesting to me because the Medeco is a UL 437-Listed high security lock.  Medeco locks are extremely popular and prolific, and are even trusted by the US Government.  There are problems with Medeco’s security, but they are still a huge upgrade over standard door hardware.  In spite of this, this door is protected with a $12 Master padlock.  Master Locks are used by BosnianBill as bad examples for every lock-defeat technique imaginable.  This padlock has four pins.  It is vulnerable to picking, bumping, and padlock shims.  It can be cut and pried, as can the hasp.  And look at the stack of washers holding the hasp on.  It’s not hard to imagine a hacksaw blade slipping into the stack and cutting the bolt.  The Medeco has five rotating pins and a sidebar.  It can still be picked or bumped but this requires much greater skill.

Why is this so?  I imagine the Medeco key has long since been lost, but it is also possible the Medeco is broken.  In this example I have no way of knowing, but it is interesting to think about.  Instead of tracking down a locksmith and having the lock decoded or repaired, the owner decided to implement his own system of access control.  In doing so he or she reduced decent security to gross physical insecurity.

International Travel Security Tips

Over the past few years I’ve been fortunate enough to do a bit of international travel.  I’m also fascinated with personal security.  The following are some minor “best practices” for international travel security.  If you have any suggestions, post them so we can all benefit. Additionally, if I’m being foolish, please call me out.

Primer:  I fly with a US passport, often through countries where I prefer not to advertise my citizenship.  I worry about my general privacy being violated by large scale data-aggregation companies, identity fraud, and international terrorism.  I also worry about my US Passport elevating my profile.

Luggage


I took this in a European airport.  Can you identify the US Service-member?  As a professional, it’s a worthwhile investment to buy normal/bland luggage.  I know plenty of servicemembers who view this as an unprofessional and ridiculous violation of Operational Security (OPSEC).  Obviously some do not.  Use normal luggage.  Blend in.  Don’t be interesting.

Passport Cover:  Inexpensive, professional and aesthetically pleasing, passport cases are a worthy investment.  Many are made with Radio Frequency Identification (RFID) blocking material.  The RFID blocking is a plus, but I think the biggest advantage is simply that it conceals my US passport.  I’m in an airport with thousands of strangers, in debatably hostile countries.  I have no idea who could catch a glance at my passport and immediately seethe with animosity.  To be honest, I don’t blame some of them but I’m damn sure not going to give them a reason to remember me.


RFID Blocking:  Like the passport cover, I’m a fan of protecting my other digital assets from RFID compromise.  I’m interested in protecting all my electronic/RFID-capable devices from identity theft as well as airport security (who really wants to go to additional security screening?).  It is probably not a bad idea to have an RFID-blocking messenger bag or pouches for laptops, tablets, and cell phones†.  Like the passport cover, I would focus on getting something non-alerting.  Stay away from “tactical” nylon!

Block Data While Charging:  USB connections typically allow power AND data to transfer between devices.  Theoretically, malicious software (malware) can easily infect your devices via the numerous airport, airplane, hotel USB charging stations (as well as the USB ports now found in many rental cars). Inexpensive data blockers like the PortaPow I use allow you to block the data transfer while still allowing charging.


Cell Phone Privacy Screen: Reminiscent of computer privacy screens seen at many medical facilities, these screen covers drastically reduce visibility to anyone trying to view your screen from any oblique angle.  Additionally, they protect your screen from scratches.  On my most recent flight, a well-meaning older lady sitting next to me was baffled at my screen while trying to shoulder surf me. She asked, “What’s on your screen? I can’t even see your screen!”.   Instant validation.

Miscellaneous/Well Known Points:  Many of these have been beaten to death in privacy circles, yet I would be remiss not to mention them.  Be wary of emerging and unknown Wi-Fi access points.  I took the following pics at a Starbucks inside the Istanbul Airport a few months ago.


In order to get Wi-Fi access, you had to pair your credit card up with your boarding pass, then input the provided pin to get online.  That’s some exceptional data linkage.  **FYI, if you wait for someone to put their info in and take a photo of the pin…that pin will also work for you.

If you’re using public Wi-Fi, use a Virtual Private Network (VPN).  Don’t leave your computer or phone in your hotel room if you can help it.  Cover the camera on your laptop with tape or one of these.  Again, this is not new knowledge.  However, make sure the tape covers the camera but not the indicator light that shows the camera is active. The difference is, this gives you an early warning when big-data (or the PLA) is watching you.


My biggest advice to anybody is, please watch what you talk about.  I hear way too many sensitive discussions in airports – from business people, military contractors, and servicemembers.  Don’t talk about your business’s proprietary information or classified information.  Also, just be polite.  Terrible people in the airport are the worst.

Gabe (a pseudonym) is a close friend and colleague who has a vast body of experience in international travel and working against an opposing force.  Gabe has a few future posts planned.  Enjoy!

†Because of the cost of some of these bags, I intend to begin reviewing some of these products in coming months.  If there is something specific you’d like to see reviewed, please let me know – Justin

Identity Theft & Data Breach Response

Data breaches occur with shocking regularity.  The news is full of reports of data being spilled by companies and individuals being targeted for identity theft.  Few of these stories contain much useful information on appropriate data breach response, however.  Once your information has been spilled it is impossible to fully recover it.  However, there are some meaningful data breach response steps you can take if you do fall victim to this type of crime.

  1. Contact your financial institutions immediately. If you think your financial information has been compromised this should be your first step.  Call your bank or credit card issuer and alert them to the problem.  Frequently your bank will contact you if suspicious activity occurs, but if you know something they don’t, don’t wait!  Request to cancel your credit and debit card numbers and be issued new ones.  Use new PINs on these cards, and ask the bank to flag your account for suspicious activity.
  2. Contact the credit reporting bureaus.  If you do not have a credit freeze in place and the breach involves financial information, you should immediately contact Equifax, Experian, and Transunion. Some online resources advise placing a fraud alert on your account at this point; I recommend a credit freeze (see below).
  3. Change your login information.  If you suspect an online account has been breached you should immediately change its password and, if possible, username.  If the account does not already have two-factor authentication enabled, enable it.  In addition, you should also change the login credentials for any accounts associated with the breached account.
  4. Contact local law enforcement and file a report.  I will be honest – your local law enforcement agency probably isn’t going to open an investigation and bring the perpetrator to justice, so be prepared for that.  What they will do is generate a police report for you.  This serves as proof that you were the victim of identity theft.  This can help you recover your credit later if the need should arise.  It can also assure that you get free credit freezes for life (see below).  It may also be useful if you attempt to opt-out of public and non-public databases as Michael and I recommend in The Complete Privacy and Security Desk Reference.

Of course, the best spillage, identity theft, or data breach response is preemptive (the best defense is, after all, a good offense).  There are several steps you can take to make yourself more resilient against identity theft.  The time to act is now – once your information is online you will never completely erase it.  I am a strong advocate for dealing with the problem before it is a problem!

  1. Use strong authentication for online accounts.  Use strong passwords and two-factor authentication on all of your online accounts.  Though this isn’t a guarantee that your accounts are safe, you are unlikely to fall into the “victim of opportunity” category.
  2. Use unique usernames.  Though this could fall under the above category, I am listing it discretely because I think it protects you where strong passwords and two-factor authentication do not: customer service reps.  If an attacker knows your username, he or she can often convince a customer service rep to give out sensitive information.  Using a unique username gives you a great layer of protection against this type of attack.
  3. Have a credit freeze in place.  A credit freeze with each of the credit reporting agencies (Experian, Equifax, and TransUnion) is the strongest measure you can take to ensure new credit is not issued in your name.  Credit freezes also protect your personal information and credit report.  A credit freeze will not protect your current accounts and lines of credit, however.
  4. Use one-time credit card numbers.  Some credit card issuers offer this option organically.  A one-time credit card number is only good for one purchase.  If a hacker recovers it, it will no longer be valid and cannot be used to make a charge to your account.  If your bank does not offer this, an online service that I recommend called Blur does.
  5. Limit personal information that is publicly available.  Large amounts of personal information make you vulnerable to social engineers.  This information can be pieced together to allow someone to impersonate you in order to gain access to your financial or online accounts.  I recommend minimizing the information you place in the public domain on social media, personal blogs, etc.  If a great deal of information is available about you, remove it!  More information is available in The Complete Privacy and Security Desk Reference which will be publicly available soon.

Lock Safari Vancouver, BC – Part II

In Part I of my “Lock Safari Vancouver, BC” I covered the common (but very secure) Abloy and ASSA offerings, as well as the Medeco locks I saw.  All three of these brands are owned by the ASSA-Abloy conglomerate, and I will lead off again with another ASSA-Abloy product: the Israeli Mul-T-Lock.  I saw several of these in mortise cylinder form-factor.  I also saw a handful of switch and cam locks, none of which I was able to adequately photograph.  The photos below show, in order: a switch lock, a close-up of a mortise cylinder, and a wider shot of the same.  The mortise cylinder was largely hidden behind a protective plate that I am unfamiliar with – if you know what it is, I’d like to.

(Photos: Lock Safari Vancouver, BC Mul-T-Lock 1, 2 and 3)

This lock was marked “US-1 LOCK” and had a keyway that looks quite similar to a Mul-T-Lock.  Unfortunately I can’t confirm that, and it is possible it is a copy of the Mul-T-Lock.

(Photo: Lock Safari Vancouver, BC Mul-T-Lock 4)

I was very pleased to find a DOM dimple key lock in the wild; these are uncommon in the US.  Unfortunately, I was unable to get a better photograph.

(Photo: Lock Safari Vancouver, BC DOM)

I also witnessed several examples of Schlage Primus in the large-format interchangeable core configuration.

(Photo: Lock Safari Vancouver, BC Schlage)

That covers all of the high-security locks I was able to find on this trip.  However, I did manage to find some other, more interesting stuff.  Some of it is truly unique, and I have seen it nowhere else.  The first is this rim-mounted lock.  The keyway is familiar to me; I ran across a padlock with a strikingly similar keyway that was extracted from Kenya circa 2013.  BosnianBill has done a video on another padlock with the same keyway here.

(Photo: Lock Safari Vancouver, BC Rim Lock with Smiley Keyway)

I found a very nice 7-lever padlock.  This specimen was on a gate over a storefront and has seen some use.  This large 60mm padlock appears to be marked “PLAZA”.

(Photo: Lock Safari Vancouver, BC Lever)

I also saw exactly one disc-detainer lock, in fairly poor condition.  It appears to be an inexpensive Chinese knock-off of Abloy or Abus rotating disc locks.

(Photos: Lock Safari Vancouver, BC Chinese Copies 1 and 2)

Finally, this is perhaps the most interesting security feature I saw on my trip.  This appears to be a hardened steel cover for a cylindrical knobset.  I’m not totally sure what the purpose of this is, save to prevent someone from knocking the knob off the door, but it certainly is interesting.

(Photo: Lock Safari Vancouver, BC Weird Knobset Protector)

I hope you’ve enjoyed Lock Safari Vancouver, BC!  Some new cities are coming soon, so stay tuned!

Lock Safari Vancouver, BC: Part I

I recently had the opportunity to spend an extended weekend in Vancouver, BC.  While there, I indulged my desire to run around the city and its seedier parts to look for interesting locks.  “Lock Safari Vancouver” was a success – I found some very interesting stuff!  This post will be divided into two parts.  This first half will cover the more “pedestrian” Abloy, ASSA, and Medeco products.  Part II will cover the more odd and interesting.

Abloy: I found quite a few Abloy locks, but frustratingly none of them were door hardware.  I found only switch locks and cam locks (on apartment call boxes and mailboxes, respectively) and padlocks.  Most were Protec or Protec2.  The newer Abloy 330 padlocks of varying shackle-length were seen almost everywhere.  I was unable to closely observe the keyway on the large grey padlock in the center photo (below) but believe it to be an older (but still excellent) “Exec” model.

(Photos: Lock Safari Vancouver Abloy 1, 2 and 3)

ASSA:  I was also quite pleased to find the ASSA Twin is fairly popular.  This design is one of my favorite high-security mechanisms (just behind the Abloy).  These were present on both residential and commercial applications.  Locks in the deadbolt or mortise cylinder form-factors were most common.  I did not see any newer models like the V-10.  Rather, most of these locks were in the 6000-series.  Interestingly, all the ones I was able to photograph did exhibit the “sneaky” key profile Han Fey talks about on page 9 of this document.

(Photos: Lock Safari Vancouver ASSA 1, 2, 3 and 4)

Medeco: Unsurprisingly I saw quite a few Medeco locks.  These were installed on both residential and commercial applications and came in several form-factors.  I saw deadbolts (residential), mortise cylinders, and one key-in-knob (KIK) cylinder.  The KIK was marked “GUNNEBO” – if anyone can give me any information on that I’d be interested.  All Medeco locks were of the latest m³ variety.

(Photos: Lock Safari Vancouver Medeco 1, 2 and 3)

Stay tuned next week for Part II of Lock Safari Vancouver!

Threat Modeling: Profile Elevation

A couple of weeks ago I posted my introduction to threat modeling.  Several times in that post I mentioned the concept of profile elevation, and it will certainly be coming up more as I flesh out my thoughts on threat modeling.  It has occurred to me that this topic should be explored more fully. Profile elevation is a fairly intuitive concept.  For our purposes we can describe it as† “the generally-undesirable condition of:

  1. becoming more visible to one’s adversary, and/or
  2. becoming more interesting to one’s adversary.”

Being either or both more visible and/or interesting to your adversary is a bad thing in nearly any adversarial situation (Murphy’s Laws of Combat: Try to look unimportant, the enemy may be low on ammunition).  If you are highly visible to an adversary your movements, whether online or in the real world, are easier to track.  If you are interesting to your adversary, he or she will be willing to invest time and money to pursue you, digitally or physically.  Targeted surveillance costs time and money, and most adversaries will be limited in some capacity on each.  In the digital collection realm this limitation is often one of analytical or language capabilities; paying competent analysts and linguists is expensive.  Fitting their findings into a bigger picture is also difficult unless you have elevated your profile to the point of being interesting.


In the “tactical” community profile elevation avoidance is referred to as being a “grey man”.  If your personal threat model(s) warrant it, you should strive for being digitally grey.  That is, blending with the herd and being generally uninteresting to avoid becoming a target.  Once your adversary has become focused on you and your activities, defeating him or her can become extremely difficult in the short to mid-term, and next-to-impossible in the long term.  As I mentioned in threat modeling, the best way to do this is to select mitigations that are in accordance with your perceived threat model.

The next two articles in my threat modeling suite will cover specifically threat modeling different encrypted email options and virtual private networks.

†This is my made-up definition.  If you think it needs improvement, let me know.

Thirty Day Security Challenge Follow-Up

Two weeks after the conclusion of the Thirty Day Security Challenge, it’s probably a good time to follow up on what we did.  I heard from several of you and would like to share some of the feedback that I got.  To quickly re-cap what we covered:

Week 1 was heavily focused on local system security and covered the following: OS and app updates, creating standard user accounts, reviewing basic privacy settings, and scanning our machines with antivirus and antimalware applications.  On Thursday of this week we broke the routine and requested a ProtonMail account that we used later in the Challenge.

During Week 2 we shifted focus outwardly.  The first two days were about password management and changing passwords.  The three following days were dedicated to installing Firefox and manipulating its basic settings, installing some basic security add-ons, and working with NoScript.  The weekend project for the second week was tightening your Wi-Fi security.

Week 3 began by setting up a virtual private network and our Account Security Tuesday that week was enabling two-factor authentication.  We covered two days of smartphone security and some encrypted voice and messaging applications, and rounded out with an introduction to VeraCrypt.

Week 4 was a bit more privacy focused.  It began with system cleaning, and Account Security Tuesday instructed you to close unused accounts.  We moved on to email masking, credit freezes, and social network account privacy, and the weekend covered full disk encryption.  The final three days talked about backups, using unique usernames, and finally, recruiting others to use encryption.

***YOUR FEEDBACK***

I asked for your feedback, and some of you responded.  Some of you would have liked to have seen some of the techniques demonstrated on video, so this is something I will strongly consider in the near future.  In fact, I may consider re-doing the entire Thirty-Day Challenge in video if there is enough interest.  The second major feedback point I got is that you enjoyed the challenge and would like to be able to use it as a tutorial for your friends.  I do plan to add a page in the near future where quick links to all of the posts in the challenge will be accessible.  For now you can refer your friends to this post, which contains links (above) to all of the posts.

***FUTURE CHALLENGES***

I doubt I will do any more month-long challenges in the near future.  However, if there is interest I may put together some shorter “sprint” challenges that are 5-14 days in length.  The two ideas I have right now are Mobile Device Security and Intermediate Computer Security. Do you have an idea?  Is there something specific you’d like to see covered?  If so, drop me a line and we’ll try to work something out.

Thank you for all your participation, comments, and emails.  It was really gratifying to pull this project off and I couldn’t have done it without your encouragement throughout!

Codebook Password Manager Mobile App

I have written about Codebook Secure Notebook and the STRIP Password Manager, both here and in Your Ultimate Security Guide: iOS.  Due to some major recent changes to these systems they merit a revisit.  Zetetic, the company that publishes both of these applications, has merged them into a single app.  At first this concerned me greatly.  Though I loved STRIP and think it is one of the more secure password managers on the market, acceptable replacements exist.  What really concerned me was the potential loss of Codebook.  Codebook was an encrypted notes application for which I have not yet found a suitable alternative.  Fortunately Zetetic has given us our cake and allowed us to eat it, too.  The new application, Codebook Password Manager and Data Vault, combines the best features of both of these applications.

One of the stated reasons for the change was the name “STRIP”.  Originally STRIP was a light-hearted acronym for Secure Tool for Remembering Important Passwords.  Unfortunately, people searching for the app online often found many other, less savory uses of the word “strip”. The full name of the application is now a much more serious, though somewhat unwieldy, Codebook Password Manager and Data Vault.

The new version of Codebook Password Manager provides the same password management tools as the old version.  My favorite among these is the organic ability to store TOTP/OATH tokens inside the app.  TOTP/OATH is the Time-based One Time Password/Open Authentication protocol that is commonly referred to as “Google Authenticator”.  This capability negates the need for a second authentication app on the device.  The new Codebook also mimics the old version’s ability to record and securely store notes.  I love the ability to jot down notes on my iPhone but hate that they are not securely stored.  I also dislike that the native iOS Notes application can be synced with (insecure) email accounts.  Codebook solves this problem by giving you an encrypted platform for securely storing notes.
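To show what a stored TOTP token actually is, here is an added example (not Zetetic’s code or anything from the original post) that parses the otpauth enrollment URI an authenticator app scans, decodes the base32 secret, and derives the six- or eight-digit code per RFC 4226/6238.  The URI, its label and issuer are constructed for the example; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the text behind an authenticator
    QR code) into label, secret, digits, period and hash algorithm."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator secrets are base32 without '=' padding; restore it."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC the big-endian 8-byte counter, then truncate."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // period, digits, algorithm)


def verify_totp(key: bytes, code: str, unix_time: int, digits: int = 6,
                period: int = 30, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the neighbouring time steps to tolerate
    clock skew, and compare in constant time to avoid leaking digits."""
    for step_offset in range(-window, window + 1):
        candidate = hotp(key, unix_time // period + step_offset, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B test key (ASCII "12345678901234567890"), wrapped in a
# constructed otpauth URI of the kind a password manager would import.
RFC_SECRET = b"12345678901234567890"
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret="
               + base64.b32encode(RFC_SECRET).decode().rstrip("=")
               + "&issuer=Example&digits=8")

if __name__ == "__main__":
    entry = parse_otpauth_uri(EXAMPLE_URI)
    key = decode_base32_secret(entry["secret"])
    # At Unix time 59 the RFC's published 8-digit SHA1 value is 94287082.
    print(entry["label"], totp(key, 59, entry["digits"]))
    print("current code:", totp(key, int(time.time()), entry["digits"]))
```

Whoever holds the decoded secret can generate every future code, which is why the vault protecting that entry matters as much as the password beside it.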

(Screenshots: Codebook Secure Notebook Screens)

Codebook Password Manager is very easy to use.  Enter your password (or create a new one).  Once you are logged in to your database click the “+” icon in the upper-right side of the screen.  This will allow you to create a “New Entry” or “New Note”.  Entries are password management fodder like usernames and passwords.  New notes are free-form entries that allow you to jot down thoughts, lists, etc.

I have only two complaints with the updated version of Codebook.  First, I miss the old Codebook shield icon.  The icon really doesn’t matter, but I really liked the old one.  Also worth noting: I miss some of the old menu options.  The old Codebook was a dedicated note-taking app and allowed me to choose my font and pitch.  The new version does not; alas, the text in my notes looks big and clunky in comparison. As I said, these are minor complaints and really don’t matter to the app’s function.

The new app is  available for Android, iOS, OS X, and Windows.

Threat Modeling: An Introduction

I have previously written about categorizing attackers based on their levels of skill and focus.  I have also written about categorizing security measures to defeat attackers with a given level of skill or focus.  Both of these posts tie in closely with (and were early attempts at) a topic that I want to explore more fully in coming months: threat modeling.  Threat modeling is the examination of two things as they relate to each other: an adversary and a security measure.  The effectiveness of the security measure is weighed against the skill and capabilities, focus, and time available to the attacker.  Threat modeling allows you to understand what you “look like” to your opposition, understand his or her capabilities, and select effective mitigations.