It seems that encrypted messaging systems are all the rage these days. I’m not complaining – this is a very good thing. Even WhatsApp recently announced it would implement strong end-to-end encryption using Signal’s excellent protocol. I think this is great – a billion users will be using end-to-end encryption by default. There is still room, however, for dedicated secure messaging apps. Threema Secure Messenger is one of those apps. While many of the features mirror apps like Signal and Wickr, there is still room on my phone for Threema. Continue reading “Review: Threema Secure Messenger”
In a continuation of my series on threat modeling, this post will discuss lock threat models. There are many high security locks that are intended to address the vulnerabilities of the standard pin-tumbler mechanism. There is also a spectrum between bargain-basement hardware and expensive high-security locksets. I understand that security doesn’t exist in a vacuum: though it would probably be a more secure world if everyone had a high security lock, it would also be a very expensive one. Deciding on the right lock for your needs should be informed by a threat model. Continue reading “Mechanical Lock Threat Models”
I have several photos like the one below. Friends who know me know that I like locks, and sometimes send these photos to me. I occasionally run across a gaggle of locks like this, and perhaps you have, too. There is a reason gates are sometimes locked like this. This is a method of gate access control. This gate protects a facility that must be accessed by multiple parties. These parties may not want to share a key or combination with each other. Parties may also arrive at infrequent periods to gain initial access. The property manager can unlock his lock, introduce the new one into the chain, and grant repeated access. There is a serious security issue with this arrangement, however. Continue reading “Gate Access Control: Doing It Wrong”
In Part I of this series we discussed the principles of rolling your own encrypted email. Part II and Part III covered the installation and setup of the applications needed to make this happen. Today we will begin talking about how to actually use all this “stuff”. Installing the programs is the easiest part of this process, but using them isn’t as daunting as it was just a few years ago. Hopefully you have been using Thunderbird over the past week and have some comfort level with it. To begin using it to send and receive encrypted email, you will need someone to practice with. This is a good reason and a good strategy to encourage others to use encryption!
I haven’t written much about data backups here before, but they are incredibly important. Everyday, run-of-the-mill data loss can range from frustrating to devastating. In the midst of a natural disaster the impact of personal data loss may be compounded as you are trying to deal with much more basic needs. I am proud to be a guest on the In The Rabbit Hole Urban Survival Podcast this week (the episode will air today and can be found here). Aaron and I talked about backing up the documents you may need to have on hand in an emergency, or what I call the “Bugout Backup”. I also mentioned how to store and protect this information with encryption. Our first topic was why having this information is important.
In the last installment we discussed importing mail into the Thunderbird mail client. Now that our email has been taken out of the browser, we can begin adding the cryptographic elements. The first of these is GPG (GNU Privacy Guard). GPG is an open source implementation of the OpenPGP standard, the same format the original PGP program uses. It will provide the actual encryption and signing used for our emails. The next step is to install an add-on to Thunderbird called Enigmail. Enigmail will provide the interface, allowing Thunderbird to use GPG’s encryption. Installing and setting up GPG and Enigmail is the first order of business in this post.
Different operating systems require different packages of GPG. If you are using Windows you will install GPG4Win. If you are using OS X you will install GPG Suite. If you are using Linux, you can probably skip this step because GPG comes standard with most distros. If you do need to download it you can do so here. After you have downloaded the application, begin the setup process. You will be prompted to provide your administrator password and select a language. After you have done so you should see the screens depicted in the following screenshots.
On the third screen you will be asked which components of GPG you wish to install. I generally choose to make my installation as light as possible. I uncheck everything except “GnuPG” and the “Compendium”. The other components provide powerful capabilities, but they are superfluous for our purposes.
The next step is to install Enigmail. Since it is only an extension to Thunderbird this is an easy installation. First, open Thunderbird. Next, click the hamburger icon, and then click “Add-ons”.
CREATING A KEY PAIR WITH GPG AND ENIGMAIL
With GPG and Enigmail installed, you are ready to begin creating your key(s). When Thunderbird restarts the Enigmail Setup Wizard will begin walking you through the process of key generation. This is not an overly complicated process, and Enigmail will automate most of it. With the “Start setup now” radio button checked, click “Next”.
On the next screen select “I prefer an extended configuration”. On the next screen check “I want to create a new key pair for signing and encrypting my email”. The next screen will prompt you to enter a passphrase. Take the time to choose a strong one: it is what protects your private key on disk, and anyone who copies the key file only has to guess the passphrase to use your key. The passphrase can be changed later (from Enigmail’s key management, or on the command line with gpg --edit-key followed by the passwd command), but start strong rather than planning to fix it later. After clicking “Next” the key generation process will begin.
After the keys have been generated you will be prompted to generate a revocation certificate. Publishing a revocation certificate tells your correspondents (and any keyserver) that the key must no longer be used, which is what you want if the private key is lost, compromised, or you simply forget the passphrase. Be clear about what it does not do: revocation cannot protect mail that was already encrypted to the key, and it does not stop someone who holds your private key from reading mail that a correspondent mistakenly sends to it afterwards. Its value is in getting everyone to stop using the key quickly. We will discuss how to revoke a key in a future post on the topic. Store the revocation certificate in a secure location, and separately from the private key: anyone who obtains the certificate can revoke your key, and if you lose the private key (or its passphrase) the certificate is the only way to retire the key cleanly.
Now that we have installed GPG and Enigmail and set up a key pair, we are ready to begin exchanging encrypted emails. We will cover this in the next segment, so stay with me!
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.
I recently had the opportunity to explore another city in my search for rare and interesting locks. Lock Safari Salt Lake City took me through quite a few neighborhoods over a long weekend. Over three days a close friend and I covered the Marmalade, 9th and 9th, Temple Square/Downtown, and Sugar House areas of SLC. I found quite a few interesting locks, but not as many as I expected from a city of this size. But I didn’t come up totally empty-handed, and I visited a major landmark: the Mormon Temple. I always enjoy seeing what locks are used on noteworthy buildings, though they rarely fail to disappoint. Without further ado, here’s what I found on Lock Safari Salt Lake City: Continue reading “Lock Safari Salt Lake City, UT”
This is the second in a multi-part series on setting up your own email encryption. Today we will cover installing and setting up Mozilla Thunderbird. Thunderbird is a desktop mail client that allows you to access your email from a platform other than the browser. This matters because doing PGP inside a webmail page would put your private key and your decrypted messages within reach of that page’s JavaScript and of any browser exploit; a desktop client keeps them in a separate process under your control. Thunderbird is popular (I am far from the first person to post a Thunderbird tutorial) and capable. For our purposes it will be used to move email (and the crypto) out of the browser into a more secure environment. Continue reading “DIY Encrypted Email 2: Thunderbird”
As promised in my post on email threat models, today I am going to begin a series on DIY encrypted email. As I discussed in the email threat modeling post, this is the most secure email encryption available. Before we get into the “how to” portion of this, it is important to first understand asymmetric encryption. Email encryption relies on a different model than the one typically used to protect data-at-rest, where a single password or key both encrypts and decrypts. Encrypting email and web traffic relies on asymmetric encryption (also known as public key cryptography). One of the classic problems with encryption for communications is “key exchange”. It would be simple to encrypt a PDF and email it to someone. However, it would be difficult to exchange the password for that file without sending it unencrypted. Sending it in plaintext leaves the password vulnerable to interception, and with it the confidentiality of everything encrypted under it. But there is a better way. In practice the two models are combined: OpenPGP encrypts the body of each message with a fast symmetric cipher under a random, per-message session key, and uses the recipient’s public key only to protect that session key. The sender needs nothing but the recipient’s public key, which can be published openly, and no secret ever travels in the clear. Continue reading “DIY Encrypted Email 1: The Basics”
Welcome to the 4th and final installment of this series on Gmail Two Step Verification. This part will cover “App passwords”. App passwords are an extremely handy function of the Gmail Two Step system. They allow you to create separate, app-specific passwords for two-factor accounts that can be used with certain apps. This option is only available if you have two-factor authentication enabled. It allows you to log in on apps that do not accept two factor tokens (the unique, six-digit code). A good example of this is the iPhone’s native mail application. It can only accept a username and password. To link your two-factor protected Gmail account you must create an App password. Another good example that will come into play next week is the Thunderbird mail client.
App passwords also have an ancillary convenience benefit. If you have a long password on your Gmail account (up to 99 characters are allowed), it is difficult to input on your mobile device. App passwords are only 16 characters long and are composed only of letters and numbers, so they are easily input on tiny keyboards. Do not mistake that for a throwaway credential, though. Google shows you the app password only once, but the password itself stays valid until you revoke it, and whoever holds it can sign in to that service without your second factor. Treat it as you would your real password: enter it into the one app it was generated for and nowhere else, and revoke it as soon as that app no longer needs it. To get started, log into your Gmail account. Click your avatar, then click the blue “My Account” button. Navigate to Sign in and Security >> App Passwords.
Click the drop-downs and select the service (Mail, Calendar, Contacts, YouTube, or Other) you desire. On the device drop down select the appropriate device (next week we will use “Custom” for Thunderbird). Next, click “Generate”. Your unique, 16-character app password will appear. At this point you should enter it into the password field of the application you are attempting to access. You will NOT be able to view this password again, so if you close the window prematurely you will have to generate a new app password.
You can generate an unlimited number of app passwords. I recommend that you create the bare minimum, one per app, and revoke old ones as soon as they are no longer needed. When you revoke an app password, the app that was logged into your account with it will be logged out. To regain access with that app you must generate a new app password.
To revoke an app password, simply click “REVOKE”. This password can no longer be used. You should revoke any unused app passwords. You should also revoke the relevant app passwords immediately in the event you lose your device.
REVOKING TRUSTED DEVICES
As I have mentioned earlier in this series, it is possible to designate some computers as “trusted”. This means you will not be required to enter your second authentication factor when logging in from these machines. I only recommend doing so on computers that are full disk encrypted OR that never leave your home. There is a safety (NOT security) benefit to having one trusted device: if you lose your phone or security key you will still have access to your account. You can then turn two step verification off until you recover your device. To revoke trusted devices navigate to the Gmail Two Step Verification page. Scroll to the bottom to “Devices you trust”. Click “REVOKE ALL” and confirm.
I hope you have learned something and (maybe even) enjoyed this series. This started as a single post until I realized the sheer immensity of Gmail Two Step Verification can be overwhelming (to reader and writer alike!). As always, if there is something you’d like to see covered, don’t hesitate to let me know!