Operational-Security Official URL Update

This is just a quick announcement to say that the URL for what I have been calling “Operational-Security.com” is officially https://operational-security.com. I am attempting to consolidate my rather confusing set of URLs, and lower my own cost by reducing the number of HTTPS certificates and domains I maintain.

Unfortunately this is going to create a bit of a headache for some of you. If you have linked to blog posts at “blog.yourultimatesecurity.guide…” (or added them as bookmarks or favorites) you will probably find many of these links broken. For that I apologize. All new posts and updates will appear at the new URL. Thank you for your patience!

JC

FileVault Volume Level Encryption

A little known feature of FileVault is the ability to create encrypted volumes. Volumes are essentially encrypted file containers that can store a file or set of files. Volumes can be copied, emailed, burned to a DVD, or just set up as an additional layer of encryption for especially sensitive files. FileVault volume level encryption allows you to do this without needing a third-party application like VeraCrypt – assuming you don’t need to share these volumes with other operating systems.


Gear Review: Anker Powerline Cable

I know gear reviews are a little out of my lane. With the combination of the impending Your Ultimate Security Guide: iOS deadline, writing a couple of articles for Lucky Gunner, and working on the DeleteMe series, I haven’t had a ton of time to focus on in-depth projects. So I thought I would talk about some gear that I use on a daily basis. It’s not necessarily security-related but it’s important to me just the same. Since I use phones to research, write, and teach live courses, charging and syncing is something I do a lot of. OEM cables – especially iPhone cables – are really prone to failure at the connections where they are bent and pulled. I have been on the hunt for a suitable replacement and have finally found one: the Anker Powerline cable series.

Complete Privacy and Security

It is my pleasure to make a few announcements today.  First, The Complete Privacy and Security Desk Reference has been released and is finally available on Amazon!  This is huge – Michael and I had hoped to have this work out by January but things happened that were beyond our control.  Thousands of Wickr messages, hundreds of ProtonMail emails, scores of Signal calls, and four personal meets later (one in a foreign country), here we finally are!  From the description:

This 492-page textbook will explain how to become digitally invisible. You will make all of your communications private, data encrypted, internet connections anonymous, computers hardened, identity guarded, purchases secret, accounts secured, devices locked, and home address hidden. You will remove all personal information from public view and will reclaim your right to privacy. You will no longer give away your intimate details and you will take yourself out of ‘the system’. You will use covert aliases and misinformation to eliminate current and future threats toward your privacy & security. When taken to the extreme, you will be impossible to compromise.
Since Complete Privacy and Security is available on Amazon, I will no longer be taking direct sales here.  However, I will still be taking bulk orders of over 10 copies.  Contact me for price breaks.
Second, today marks the one-year anniversary of this blog.  I am proud of this milestone, and feel it has been a productive year.  I greatly appreciate all of you who have emailed me, commented on the blog, or just lurked in the background.  Thank you!  In the coming year I plan to be much more active; as you may have noticed, since the Thirty-Day Security Challenge ended I’ve tried to post three posts a week, and I hope to continue this through 2016.
Third, now that Volume I of Complete Privacy and Security is finished, I can once again begin focusing on the Your Ultimate Security Guide series.  This series will undergo some changes.  These books will get much smaller and will be intended as companions to CP&S.  While CP&S is more principle-focused, new versions of Your Ultimate Security Guide will dig into the nitty gritty of each OS. However, they will forego a lot of the material that would be duplicated by CP&S.  This should make these volumes much slimmer and more cost-effective.  The first planned releases are Windows 10 and Android, which I hope to complete this year.  An iOS re-write will be available in October or November, after the release of the new iOS version.
Thank you all again for a great first year!

Threat Modeling: An Introduction

I have previously written about categorizing attackers based on their levels of skill and focus.  I have also written about categorizing security measures to defeat attackers with a given level of skill or focus.  Both of these posts tie in closely with (and were early attempts at) a topic that I want to explore more fully in coming months: threat modeling.  Threat modeling is the examination of two things as they relate to each other: an adversary and a security measure.  The effectiveness of the security measure is weighed against the skill and capabilities, focus, and time available to the attacker.  Threat modeling allows you to understand what you “look like” to your opposition, understand his or her capabilities, and select effective mitigations.

How to Verify File Integrity using Checksums

Verifying file integrity is an important step when downloading and installing applications, especially when these applications are relied upon to perform a security function.  An application that is not downloaded completely or correctly may be weakened and fail to provide the necessary security.  Worse, users may be the victims of a watering hole attack where the download site is infected with malware, or some targeted individuals are redirected to look-alike sites.  In this instance the software in question would be modified to suit the attacker’s aims and its security could be bypassed entirely.  The easiest way to have some assurance that your downloaded applications are intact and legitimate is to verify their integrity using checksums and a checksum calculator.

There are also some other reasons that a checksum calculator may be handy.  For example, if you wish to transmit an attachment to another person through email, a cloud storage account, or other digital medium, a checksum could be used to verify the file had not been tampered with in transit.  Checksums can also be used to ensure that two files are identical.  For example, if you back up a large folder to a USB flash drive you can compare the checksums of the two folders to ensure they are the same.

I constantly push this technique in my live classes and never cease to be amazed at the minuscule number of participants who ever take any steps at all to verify the integrity of applications before executing them.  It appears to me that this skill is applied only by the smallest handful of users. The other major problem I run into when teaching this (and when downloading software myself) is the lack of a single, independent checksum repository from which to pull known-good checksums for comparative purposes.  This is perhaps at least part of the problem inherent in verifying file integrity.

As a result I have slowed down on the blog in the past couple of weeks to expand and update the checksums page. Though many do not, some security applications post checksums on their download pages.  Even so I still believe it is important to verify checksums from an alternate source; if you are redirected to a forged download page and download a corrupted file, it would be a simple matter for the forger to post his or her own checksum.  If you acquired both a corrupt file and its corresponding checksum from a forged site, the result would be worse than not verifying the file at all: you would receive a false positive, causing you to misplace trust in the application.

This is the primary motivating factor in my recent expansion of my checksums page.  There seems to be no comprehensive, third-party repository of checksums for security software.  The checksums posted there are SHA-256 and SHA-512. MD5 is insecure and there are credible reports of vulnerabilities in SHA-1 dating back several years.

Methodology: Before calculating checksums I download the application in question.  If a GPG signature is available I will use the signature to verify the integrity of the application, and then use a checksum utility to calculate a hash.  If a signature file is not available for a given application, I will compare it against a checksum found on a third-party site.

Windows:  The CHK Checksum Utility is the simplest and most user-friendly checksum calculator I have found for Windows operating systems.  CHK runs in portable mode so there is no need to install it.  Simply download and open the executable.  Drag the file or files to be verified into the interface.  The checksums will automatically be calculated in SHA-1; to change this, open the Options menu and select the desired algorithm.


Next, right-click on the file to be verified and select Verify…

In the pop-up that appears, paste a known-good checksum and click Verify.


A green checkmark will appear next to the application if the checksums match; if not, a red “X” will appear beside the application name.

Checksums for the CHK Checksum Utility itself are available on my checksums page.

OS X:  Mac users have checksum-verifying ability built into their operating system, though it requires a trip to the Terminal.  Open Launchpad and select Terminal.  Enter the command “shasum” into the terminal.  Next, drag the file itself into the terminal window and press Enter; by default this will calculate a SHA-1 hash.  If you wish to verify the file using a SHA-256 or SHA-512 checksum, use one of the following commands (substituting your own file path for the example path shown):

  • SHA-1:   shasum /user/macbook/desktop/filename.dmg
  • SHA-256: shasum -a 256 /user/macbook/desktop/filename.dmg
  • SHA-512: shasum -a 512 /user/macbook/desktop/filename.dmg

This method merely displays the calculated hash for the selected file.  Verifying it against the published checksum requires a visual check.  This is tedious and can be mistake-prone, but it is not impossible.  I recommend copying both versions of the checksum (the output of the terminal calculation and the checksum collected from the internet) and pasting them into a word processing document, one on top of the other, in the same pitch and font.  This makes differences much easier to identify visually.


There are also several GUI-driven checksum calculators available for OS X but I confess I have not yet tried one.  There are very few that have been either recommended by a reputable source or well-reviewed.

Linux:  Given Linux users’ tendency to favor the terminal over graphical user interfaces (GUIs), it is somewhat surprising that an excellent GUI-driven checksum calculator exists for Linux.  It is called GtkHash, and will not be covered here.

Moving Forward into 2016

Those of you who follow this blog have doubtlessly noticed that I haven’t posted anything here since mid-December.  My absence has been for good cause, however.  As I’m sure you’ve noticed the main site has undergone a serious reboot with the blog to follow suit shortly.  This has consumed a serious amount of my time around the holidays.  There are several other exciting projects that are also underway that are keeping me busy.  Below is a quick rundown of what to expect in the coming year:

Blog

There are three changes coming to the blog.  Most superficially, and as mentioned above, the look of the blog will be changing sometime this month to mirror the look and feel of the main site.  Next, and perhaps most importantly, the blog will also be served over HTTPS by the end of this month (as the main site currently is).  Finally, I intend to post longer-form articles here in the coming year and as a result may post as infrequently as once every two to three weeks.

Complete Privacy and Security Desk Reference: Volume 1 (Digital)

I spent a couple of weeks with Michael Bazzell last month working on our upcoming joint work.  We made excellent progress, but due to legal review and some other unforeseen issues this work will likely not be available until late March.  Rest assured we are working hard to get this book into your hands as quickly as possible.  You may also notice the title has changed since my last post about this work to include “Volume I (Digital)”.  This is because we had such a large raft of content that this work will be broken into at least three volumes.


Your Ultimate Security Guide: Android

Work has officially commenced on Your Ultimate Security Guide: Android.  This work will follow the same format as my previous two works and teach you how to thoroughly secure your Android handset and the communications that occur on it.  Your Ultimate Security Guide: Android will be available in March 2016.

Twitter

I have created a Twitter account: @secguide.  You can follow me there to see when new blog posts are available and checksums are updated.

Welcome!

Welcome to YourUltimateSecurity.Guide!  I am very excited to finally see Your Ultimate Security Guide: Windows 7 Edition in print and on sale on Amazon.com!  Since the security world shifts so rapidly, this blog will support the book with updates, news, checksums, and other useful information. This site is also a means through which to contact me with any questions, comments, corrections, or other feedback.  I am very interested to hear what you think about the book!

This site will also provide links to some of the applications listed in the book and in full disclosure some of these links will be affiliate links.  As I mentioned in the book, however, I will not endorse anything that I do not fully believe in and any product to which I link has my full endorsement.

Stay tuned for the next in the series, Your Ultimate Security Guide: iOS Edition, coming in the Fall of 2015!