Cyber Security Information
Submitted by Echelon on Sun, 10/18/2009 - 01:59
Cyber security is something with which we should all be concerned these days. The Department of Homeland Security continually cites cyber terrorism as a major impending threat. There are all kinds of cyber terrorism, including monitoring, snooping, recording and profiling of our web surfing habits, as well as e-mail and instant messenger conversations. Protection against this, and a few simple means of fulfilling our duty to protect and enforce our web privacy, is what I'll focus on here, within the general realm of surfing the web and communicating by e-mail and instant messenger. I'll try to keep this primer as fitting as possible within that scope. By "fitting" I mean implementation of widely-available and established mechanisms that are relatively easy for the mainstream to acquire, understand and use.
As a side-note on browsers, Internet Explorer is very insecure (I don't care what Micro$oft tells you). Internet Explorer is the biggest target for hackers as it is the single most hackable browser by leaps and bounds. I recommend using Firefox, but ANYTHING other than Microsoft Explorer is advisable!
This information is by no means presented as a be-all/end-all security blanket. Anyone in the know will tell you that there is no such thing as 100% secure. However, within the realm cited above, this information will go a very long way in serving as a deterrent against invasion of your privacy.
-
Secure Socket Layers (SSL)
SSL (HTTPS protocol) has been broken. This was demonstrated at DefCon and the Feds were briefed on the technique. You can believe that with such a thing having been demonstrated to Big Brother, this exploit will be used by the wrong people. The exploit is fairly new, but it will become commonplace in short order, just like most other exploits of this magnitude. Trust it less and less over the next few months. -
Symmetrical Encryption
Everything you send and receive (including e-mail and instant messaging) goes over your ISP's equipment. Thus, they can see everything you do. If what you do is encrypted by a safe algorithm, then your ISP (or any other snoop) will see essentially garbage, scrambled data. Stay abreast of which encryption algorithms are already known to have been broken; if you use a broken/compromised/exploited algorithm then you might as well not use any at all. With respect to e-mail and instant messaging, specifically, I suggest some kind of symmetric key encryption, PGP for example. In symmetric key encryption you will generate a "key pair" - a "public key", which you give out freely, and a "private key", which you should protect and keep to yourself (see next bullet point). What one key encrypts, the other decrypts. You then encrypt anything you wish to transmit using your private key. You give your public key to anyone that you welcome to read your messages. This helps to ensure the least possible chance that your conversation and your private/personal information will be illegally intercepted or otherwise used to your detriment (identity theft, for example). Each party in the communication will need to generate a key pair, protect their private keys and share their public keys with each other.
Linux users will likely already have the necessary framework installed to support generally-appropriate encryption. If not, grab GPG. Windows users (boo!!!) will need WinPT and WinGPG - free support framework and software bundles.
-
For e-mail, you should generate a PGP key pair, protect your private key and give out your public key. You can give your public key to people on a case-by-case basis, or you can register it to enable anyone who knows your e-mail address to find your public key.
As a side note on e-mail, it is advisable to disable scripts and display of images in messages from senders that you do not know and trust absolutely, as these things can serve as a way of obtaining your IP address when you open the messages. How you disable scripts and images on your specific e-mail client depends on which client you use, be it web-based or application. There are many different types of e-mail clients. See your client's help section for disallowing images. If you use Micro$oft Outlook, it is advisable to find an alternative. Mozilla Thunderbird with the Lightning plugin is a great, free alternative.
- For instant messaging, some kind of messenger plugin is required. There are messengers out there with built-in support for secure communication, but (generally) they have their own proprietary chat/message protocol, which means you can't use those messengers to talk to anyone in a secure manner on a mainstream protocol (like Yahoo!, AOL, MSN, et cetera). It is generally best to use a messenger client that supports both mainstream protocols and encryption plugins. This gives some "modularity" - if you don't like the way one encryption plugin or algorithm works you simply find another plugin that suits your needs. Generally, as with e-mail, a PGP key pair will need to be generated. Linux users can use the Kopete client with the OTR (Off The Record) plugin. Windows users (boo!!!) can use the Pidgin client, which also has an OTR plugin. Both clients, which are free, support multiple mainstream protocols (Yahoo!, MSN, ICQ, AOL, IRC and others).
- For Internet conferencing (voice/video/chat conferencing, whiteboard, file transfer and et cetera), something like SILC (Secure Internet Live Conferencing) is a viable option (among many). The SILC client is needed, which is inherent to most Linux distros. Windows users (boo!!!) additionally need Cygwin to support SILC.
-
Protecting Symmetric Private Keys
The following paragraph cannot be stressed enough:
There should only be one person on the entire planet who ever has your private key - you. If your private key, ever, for any reason, under any circumstances, is accessed by anyone but you, then you might as well not be using encryption at all. If your system is compromised via virus, trojan, zombification or other back door mechanisms (or by physical access to your machine) and your private key is obtained by a second party, your encrypted traffic can be easily decrypted by the second party. This means that your encryption is useless at that point from the standpoint of the other party.
Once your private key (which is a file on your hard drive) is generated, make sure to secure it by one of the following ways:
- File permissions - This is the most common and convenient way to secure the private key file. Essentially, you make sure the permissions for that file are such that only you can access it.
- Moving the key to external storage - A more secure (but more complicated and less convenient) option is to copy the private key file to external storage (CD, floppy, thumb drive, etc), but NOT to an online backup service provider or the like. Once you've copied the private key to external storage, remove the file containing the original private key from your hard drive via secure wipe. This way, if your system is ever compromised in a way that would give a remote party access to files on your hard drive, there will be no private key to be found on your hard drive. Most Linux distros will come with Wipe or some variation thereof built-in. Windows users (boo!!!) can get Disk Wipe.
However you choose to secure your private key file (permissions or external storage) DON'T ever e-mail or otherwise transmit your private key over any network - ever. -
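The "file permissions" option above in working form, as an added example (not from the original post): a small audit of how a private-key file is protected on a Unix-like system, followed by the fix. The key file name and the fake key material are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path


def key_file_findings(path):
    """Return a list of problems with how a private-key file is protected.

    Mirrors the advice in the post: only the owner may read the key file, and
    the directory holding it must not be group- or world-accessible either.
    An empty list means the file looks sane.
    """
    path = Path(path)
    findings = []
    if path.is_symlink():
        findings.append("key path is a symlink; the real file may sit somewhere less protected")
    try:
        st = path.stat()
    except FileNotFoundError:
        return ["key file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("key path is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXG:
        findings.append(f"group has access to the key file (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"others have access to the key file (mode {mode:04o})")
    if os.geteuid() != st.st_uid:
        findings.append("key file is owned by a different user")
    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"containing directory is not private (mode {parent_mode:04o})")
    return findings


def lock_down_key_file(path):
    """Restrict the key file to its owner (0600) and its directory to 0700, then re-audit."""
    os.chmod(path, 0o600)
    os.chmod(Path(path).parent, 0o700)
    return key_file_findings(path)


def demo():
    # Constructed scenario: a throw-away directory holding a fake "private key"
    # with the permissions people typically end up with by accident.
    with tempfile.TemporaryDirectory() as d:
        keydir = Path(d) / "keys"
        keydir.mkdir()
        os.chmod(keydir, 0o755)            # deliberately too open
        key = keydir / "secring.gpg"        # constructed file name
        key.write_bytes(b"-- fake private key material (constructed) --")
        os.chmod(key, 0o644)                # world-readable: the common mistake
        before = key_file_findings(key)
        after = lock_down_key_file(key)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```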
IP Masking (General)
In Internet-based end-to-end communication, it is desirable to obfuscate your real IP address to minimize potential undesirable and unintended consequences. While "communication" can apply to a wide range of scenarios, I'll limit the scope of this point to web surfing with a browser. Within that scope, unintended consequences would be things along the lines of unwittingly stumbling across attack sites; having your surfing habits tracked; being profiled based on your interests; having your interest data sold by corporations; mis-clicking a link or being redirected to a web site that you did not mean to visit, thereby (with increasing likelihood) inadvertently ending up on a watch list; and et cetera.
There are many attack sites out there that will detect the (apparent) IP address of new visitors and immediately kick off back-end processes that scan and analyze the computer using the incoming IP address, in search of points of attack (open ports, type of operating system/hardware, back doors and et cetera). Essentially, you will connect to a web (attack) site and the server hosting the site will say, "Oh - a new visitor from IP address x.x.x.x! I'll go ahead and serve up the site to keep the visitor busy while I inspect the computer at that IP." The site might also say, "Ah - IP address x.x.x.x is here. I'll forward that IP address over to a botnet controller for further action." In these scenarios (and many others like them) it is preferable to make your IP address appear to be something else, as far as the party on the other end knows - thereby misdirecting attacks to an IP address that is not yours (to a system built to withstand the attack). Also, it is not uncommon for Big Brother to obtain the IP address of visitors to certain web sites via web server logs, correlate the IP addresses to their corresponding Internet service providers and then contact those providers, saying something along the lines of, "We suspect one of your customers of cyber terrorism. Which of your customers was using IP address x.x.x.x on this date and time?" -
IP Masking by Proxy
There are many ways of masking or spoofing your IP address. Generally, the more complicated and effective the method is, the less legal it is likely to be (with a few exceptions). Use of an anonymous proxy server is the most fitting for the scope I'm discussing here.
Using a proxy server, your browser does not connect directly to web sites around the web; the browser connects always and only to the proxy server, telling the proxy server what URL to pull up. The proxy server will make the connection to the web site that you want to view and relay it to your browser - as sort of a buffer between your browser and the web site you're accessing. The server hosting the web site will see the requesting IP address to be that of the proxy server - not your IP address. As far as the remote web site knows, the end user is the proxy server - not you. Of course this much is only true so long as the proxy server you're using is a true anonymous proxy server; some proxy servers still forward HTTP request/response headers which can reveal you, despite the fact that "anonymous" service is being paid for. MAKE SURE to clarify with whichever provider you choose that their servers are true anonymous proxy servers which forward NO IDENTIFIABLE INFORMATION. Also, it is generally advisable to not submit a user name or password through a proxy unless you're 100% certain that the server is clean and trustworthy. Also be advised that you must go through your ISP's equipment to get to a proxy server, so your ISP can still see unencrypted activity between you and the proxy. There are other caveats to using proxy servers that you need to make yourself aware of. -
Wireless Networking
Don't use it for anything sensitive. Wireless is generally far easier to compromise and "snoop" than traditional hard-wired networking. Most wireless security algorithms are generally regarded as jokes because they're so easy to crack, and there are a great many tools freely available for hacking into wireless networks. Among the more popular and effective of these tools are Wireshark, AirSnort and Kismet (I'm partial to Kismet for testing security, related to my profession).
Also, pay close attention to clients that are connected to your wireless router. How you do this depends on the type of router you have and the interface it provides. It is common for people to drive around with laptops and freely-available tools, looking for wireless networks to compromise. Once attackers find and compromise your wireless network, anything they do over the Internet originates from your IP address. As far as your ISP is concerned, you did it, and investigators will be led straight to your door. Of course, this is a very easy and popular (but illegal) way for people to mask their IP address - by using yours.
If you must use wireless, make sure to change your router password often (after about every 750 megabytes of data transfer IN AND OUT)! -
HTTP Request Headers
When you open a web page in your browser, your browser tells the server hosting the web site a few things about the requester (you). Information about your browser/operating system type and version, among other things, is transmitted, which can be used against you. Where tracking your surfing trail is concerned, the "Referrer" header essentially tells the remote web server, "The link that was clicked to get to the page being requested is [here]." The remote server can then say, "Ah, the link that this user clicked to get here is located at URL [whatever]." For example, if I post a link to a web page in this comment, any third party (such as the NSA's Echelon and Carnivore systems, or other criminal hackers) monitoring traffic to the web page at the link I posted will be led straight to this comment. This also applies if the target web site is a bait site. For these reasons, and many others, it is preferable to disable your browser from saying, "Hey, the link I clicked on to get to you is located [here]."
There are several ways to disable or filter the Referrer header. For easy effectiveness, I recommend using the Firefox browser, with a minor tweak. To do this:
- Open Firefox
- In the address bar, type "about:config" (without the quotes) and hit the [enter] key. Firefox's configuration editor will display.
- Near the top of the configuration editor, you will see a text field labeled Filter. In this field, type "network.http.sendRefererHeader" (without the quotes) and hit the [enter] key. I realize that the "Referrer" part is mis-spelled here, because it is mis-spelled in the configuration (and in the HTTP specifications in general).
- Below the Filter field that you just typed in, you will see a column list with columns for Preference Name, Status, Type and Value. Beneath the Value header you should see a value of 1. If you see a value of 0 then you are done and no further action is required. Otherwise, double-click the 1. A pop-up window will appear, titled Enter integer value. In the text field, type 0 and click OK.
- Close and restart Firefox.
From this point on, Firefox should no longer tattle on you by transmitting the location of any links you click on.
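To make the two header points concrete (what a web server learns from the Referer and browser headers above, and what a non-anonymous proxy adds on your behalf in the IP Masking by Proxy section), here is an added example that is not from the original post: a local "remote web server" that echoes back the headers it received, and a client that sends requests the way a default browser, a browser with the Referer tweak behind a true anonymous proxy, and a browser behind a leaky proxy would. All addresses and header values are constructed.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request headers that reveal where you came from or who you really are.
# Referer is what the about:config tweak suppresses; User-Agent is the
# browser/OS information; the X-Forwarded-For / Forwarded / Via family is
# what a proxy that is not truly anonymous adds to the request.
REVEALING_HEADERS = {
    "referer": "the page you came from (disable sendRefererHeader)",
    "user-agent": "your browser and operating system type/version",
    "x-forwarded-for": "your real IP address, added by a non-anonymous proxy",
    "forwarded": "your real IP address, added by a non-anonymous proxy",
    "x-real-ip": "your real IP address, added by a non-anonymous proxy",
    "via": "the proxy names itself, so the server knows a proxy is in use",
}


class EchoHeaders(BaseHTTPRequestHandler):
    """Plays the remote web server: answers with the headers it received."""

    def do_GET(self):
        body = json.dumps({k.lower(): v for k, v in self.headers.items()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), EchoHeaders)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def headers_seen_by_server(port, extra_headers):
    """Send one GET carrying extra_headers and return the headers the server saw."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/page", headers=extra_headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def privacy_findings(seen):
    """Map each revealing header the server received to what it gives away."""
    return {h: why for h, why in REVEALING_HEADERS.items() if h in seen}


def demo():
    srv = start_server()
    try:
        port = srv.server_address[1]
        # Constructed: default browser that still sends Referer ...
        leaky = headers_seen_by_server(port, {"Referer": "http://example.invalid/comment/42"})
        # ... the tweaked browser behind a true anonymous proxy (nothing added) ...
        clean = headers_seen_by_server(port, {})
        # ... and the same browser behind a proxy that forwards the client address.
        bad_proxy = headers_seen_by_server(
            port, {"X-Forwarded-For": "203.0.113.7", "Via": "1.1 proxy.example.invalid"}
        )
        return privacy_findings(leaky), privacy_findings(clean), privacy_findings(bad_proxy)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, findings in zip(("default browser", "tweaked + clean proxy", "leaky proxy"), demo()):
        print(f"{label}: {findings}")
```

Note that even the "clean" request still reveals the User-Agent, which is why the Referer tweak alone does not make you anonymous.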
-
Cookies
Even if your IP is masked, and referrer reporting is disabled, cookies can still, at times, tell the remote server (and a nosy ISP) where you've been, along with other information about you. Even though cookies are not as critical as everything else presented here, it is still advisable to clear them from time to time (after you've been anywhere that you want to keep private). How to do this depends on the browser and version you use. As there are many types and versions of browsers out there, it is beyond the scope of this basic information to outline step-by-step procedures for all. However, in just about all browsers, it's pretty self-explanatory.
I realize that this might not mean anything to some of you. Others will wonder why it's posted here. Still others will understand how very important it is to protect privacy in the face of certain enemies.
If you guys need help on a specific topic or issue, I'll be glad to help where I can. But please know that I am very busy with other things at present, so be patient with me if I cannot answer immediately.
defend against this
http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-b...
Now, on a lighter note...
Let's see YOU defend against THIS!
The defense is anonymity and plausible deniability
Those mechanisms are used against citizens and citizens are free to fight fire with fire.
In order for systems like you've pointed out to work, they must be able to read the written word and tie it to the flesh-and-blood authors. They must be able to say, “SuperBlogger1776 is, in real life, Johnny Suspect, who lives at 123 Kikkenmaidore Blvd.” Once that tie has been made, of course, it's not an unrealistic thought that such a tie could lead to, “Johnny said, and I quote, 'The government sucks!' and he put 'sucks' in bold font, so let's go get him and give him paper cuts all over his eyes with a copy of the Constitution! Grab the lemon juice, cadet; we'll show you how keeping citizens safe really works. What's that? Hahaha – no, cadet. Johnny, doesn't like us, which obviously makes him a terrorist, so we don't need a warrant. C'mon. It'll be fun.”
Okay, so maybe that's stretching it a bit, but a closer look at all the abusive crap that has come out of the Patriot Act alone should be enough for most people to know that Big Brother's response in my hypothetical scenario above may not really be that far-fetched in the near future. This alone is more than enough reason to protect your privacy as much as possible.
Systems like the one you cited are double-edged swords, where one edge is meant to cut you and the other to cut your enemies. The bigger and more threatening the sword, the more blood each edge can draw. So how do you know if you should love or fear the sword? You take a hard look at who's wielding it. Does history show the wielder to be more partial to the edge that defends you or the one meant to remove your limbs? Or, has the wielder, perhaps, convinced you that he is on your side, and has done some good things for you from time to time, but more and more you find yourself bleeding to death from small cuts all over, given to you by the wielder, which was “accidental” and/or “necessary” to defend you?
Consider the size and scope of the system you cited. Consider all that it entails and all that it can do, good and bad, to be a single unit, albeit a massive, complex one. Now consider that unit as but one module of greater systems, like the one that DAARPA is preparing to build in Utah. Such systems are geared for nothing other than total information awareness. This is a sword big enough to either hack the country to its knees or preempt monstrous enemies from encroaching upon us. There is real wisdom in the old cliché, “Knowledge is power.” That power can work for you or against you. Which edge of the sword do you trust the wielders of these systems to use? If the wielders of such massive swords have bad intent toward you, can you realistically tell them, ”Sorry, buddy. You only use the good side of the sword!” and expect not to get cut? Does history advise you on any of this?
Don't get me wrong. I'm not saying that such systems have to be so sinister. They can do just as much good for the world. But whether they do more harm than good depends solely on the true goals and desires of those who wield them. Look at the wielders and their track records to date and decide whether or not you find any comfort to be taken therein.
I think it's ironic that systems like you've pointed out happen to employ the same means used by hackers with bad intent, identity thieves and other criminals of the like. Whether you preserve your privacy based on matter of principle or otherwise, you absolutely have the right to do so, no matter who you defend against.
With specific respect to us here at DP, the bottom line is that anyone, be it government or those who work against government, with the means, resources and desire to know who we are, in the flesh and blood, likely already knows. But why encourage them to use the unfavorable edge of the sword against us? Why allow them to continue to intrude on our private, personal effects, whether or not those things affect them? I realize that there will always be some who are insistent upon misconstruing and directly equating preservation and enforcement of privacy, based on nothing more than principle, with “something to hide.”
And, before anyone starts in with, “If you have nothing to hide, why do you care if they watch?” Please know that I do not and will not buy into that third grade playground psychology. The matter here is one of principles that are being trampled – not actual content. The fact is, I have nothing to hide, but that doesn't mean I should just discard and ignore principles. A man of no principles is in danger of being a mindless puppet.
I'm not a long-timer of DP, but I've looked at a lot of historical posts and, to date, I've not yet seen one instance where any of us have advocated, directly or indirectly, blowing things up, killing anyone, stealing anything, hijacking anything or anything remotely related to crime or terrorism. While the government may not like some of the things we discuss, everything I've seen here so far is in line with human rights, God-given rights, freedom, liberty and the Constitution. But we all know how the written word can be grossly misconstrued, depending on the demeanor and mindset of a given reader. Obviously blogs are meant to be seen by the public, but why allow your posts to be tied to the fingers that typed them? In the case of your e-mails, instant messenger conversations and surfing habits, they are not meant to be public information, so at least make anyone, no matter who they are, who sets out to intrude on our privacy struggle for success.
I really wish we could trust systems like those you pointed out. I wish that those who wield them would prove trustworthiness – or at least that they had not bent over backwards so many times to prove the opposite. These information systems have so much potential for so much good, in the right hands. But are they in the right hands? Should they be trusted? I'll let you guys come to your own conclusions and form your own opinions on these beast systems. Personally, I cannot in good conscience trust that such systems will never bite me, even when I've done nothing wrong. I prefer to look to history and words of wisdom for advice...
"The means of defense against foreign danger historically have become the instruments of tyranny at home."
- James Madison
"If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy."
- James Madison
"I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it."
- Thomas Jefferson
"Good intentions will always be pleaded for any assumption of power. The Constitution was made to guard the people against the dangers of good intentions. There are men in all ages who mean to govern well, but they mean to govern. They promise to be good masters, but they mean to be masters."
- Thomas Jefferson
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin
Now compare that time-proven wisdom with the modern-day thought of those who would wield certain information systems:
"...this balance between freedom and safety is one that we have to... uh... carefully... balance."
- Nancy Pelosi
"Will you have to give up some of your freedoms to ensure safety from terrorists? Maybe... maybe."
- DHS Spokesman (on C-SPAN about three weeks ago - I'll have to dig the archive for his name)
Hmmm - lots would consider the DHS as a cybersecurity threat.
Janet Napolitano is going to deliver a a special webcast address during what is supposedly National Cybersecurity Month.
The Secretary will discuss the:
- urgent need to counter the threat of cyber attacks
- shared responsibility for staying safe online
- leadership role DHS is playing on cybersecurity
http://www.dhs.gov/index.shtm
*** (What is up with the picture of "Christopher - Special Agent, Secret Service"?)
Obama = O.ne B.ig A.ss M.istake A.merica
Absolutely!
Nice. Thanks for posting.
Also, check out www.truecrypt.org, for very mature and easy to use disk encryption. I would not, with an emphasis on not, store a computer where it can get stolen without the disk being encrypted. Truecrypt also allows you to create strongly encrypted volumes on USB keys, etc. Instructions are on the site.
Tor, at torproject.org, is essentially a dynamically reconfiguring network of anonymous proxies, making it less likely that sites simply block your favorite proxy. It has been used by dissidents and journalists harassed by governments all over the world, as well as, I'm sure, your friendly neighborhood kiddie porn peddler, drug dealer and Hannity appointed "terrorist". Point is, the technology is well proven and fairly secure. At least to the point where, even if the NSA were able to track you down, they won't want to tip their hand by demonstrating this, unless you manage to convince them you really are in the process of placing a bomb in Manhattan. In which case, while no fan of neither government spy agencies nor Manhattan bankers, I'm still rooting for the NSA.
Also, for all those who reckon their own particular communication does not warrant encryption, keep in mind that the more useless trivialities are strongly encrypted, the harder it will be for snoopers to figure out where to focus their decryption and snooping efforts. If the only people in the world encrypting their mail were Chinese dissidents, it wouldn't be too hard for the Chinese government to zero in on those they wanted to suppress. If, on the other hand, every single one of the more than 1 billion people in China did so, well.... the problem suddenly becomes a lot harder.
Over zealous law enforcement recognizes this, and, at least in the case of Tor, is attempting to establish precedent allowing prosecution of the owner of the edge nodes that connect to supposedly "illegal" content, in an effort to keep down the number of people daring to run edge nodes, and hence the potential size and performance of the network as a whole.
From a freedom perspective, ideally everyone should encrypt everything, always, with sufficient strength so that there would be absolutely no way for any authority to distinguish a birthday card to mom from a billion dollar transfer from Pablo Escobar to Osama bin Laden. With the sheer volume of communication flowing across the wires these days, that would render any non specifically targeted dragnet type snooping effort pointless, leaving no option for law enforcement but to only snoop on people they have probable cause to think are criminals, with a strict interpretation of probable.
you're right on.
I think this website should be available over SSL, even though SSL is broken as hell, just because it makes it that much harder on anyone snooping.
afternoon bump!
"I think we are living in a world of lies: lies that don't even know they are lies, because they are the children and grandchildren of lies." ~ Chris Floyd
bump for interest
"First they ignore you, then they laugh at you, then they attack you, then you win!"
GANDHI
Thank you so much
for sharing this information with us. I will have my son look into this when he comes to visit. Bookmarked and bumped.
Prepare & Share the Message of Freedom through Positive-Peaceful-Activism.
Good but
If the NSA reads my email, here is what they get
"How's lunch on Friday?"
I suppose I am naive, but I honestly do not think that the NSA cares a fig about me. I am a rather boring individual, except for my occasional posts here. That's about it.
My email server is Fastmail.fm and they have pretty good encryption. But if the NSA decodes it, then they know my plans for lunch on Friday.
Seriously, this is good info. I will do what I can. Thanks a lot.
Sure
Not all e-mails are interesting, but I guarantee you that there is interest nonetheless in correspondence between members of this site and other liberty-minded sites.
BTW, what ARE you having for lunch today? :-)
Lunch with my Chinese girlfriend
I had sweet & sour pork w/rice. She had duck and bok choy w/rice. I drank iced Oolong tea, she had mango juice. $9.50 at Sunny's Cafe. If you turn up on the island I'll buy you lunch.
More
If you can't understand this, consider yourself totally, utterly, hopelessly vulnerable.
The best I can say to the non-technical is: wipe and reinstall from trusted media as often as you can afford to.
The comment about IE vs. Firefox is not technically true. There is Firefox 0day... trust me. If you do run it I recommend noscript. http://noscript.net/
Avoid plugins you don't absolutely need as they increase attack surface. And updates don't even have any authentication.
Using bulk disk encryption is a good idea. If you're running Windows or OS X it's pointless to bother with anything other than full disk encryption. http://www.truecrypt.org/
If you use any kind of crypto, NEVER use hibernation. By its very nature it copies physical memory to disk which means your keys are going to be recoverable. Ditto for swap. Who needs it anyway, RAM is so cheap.
PCMCIA/Cardbus/Firewire and possibly USB ports can be used to write to physical memory. That means they can be used to instantly disable password protected screensavers. As it's not really practical to fill these ports with glue, you should turn off your machine when it's not in use.
All hypervisors can be broken out of, however it's still not a bad idea to run your apps in vmware. A lot of malware refuses to run under vmware because who in their right mind runs in vmware except for guys who love to reverse engineer malware? :)
Finally, to protect your keys against recovery in the event that jackbooted thugs seize your computer, glue your memory to the board and cover it in glue. Make sure you use a BIOS password for booting. It turns out RAM is pretty persistent, especially at very low temperatures.
Thanks, Canada
This was mainly intended to be written in a manner that the non-tech people could understand... from the standpoint of protecting against a third party sniffing traffic incoming/outgoing over the wire.
The aspects you raised (and similar) are a separate thread (or maybe three or four!). Maybe I'll get around to writing that some day. But yes – you're right on the money with the other aspects you've raised.
I run Gentoo, hardened kernel, no swap and whole-disk encryption using TrueCrypt (except for one of my machines, which is using StegFS). Peripheral ports and loopback devices must be manually mounted and non-O/S-essential RAM is randomized on shutdown. I only run Windows boxes for video games and consider them expendable (i.e.: Windows boxes often become lab rats at my house) so I don't even bother with security on those. :-)
And, yes, you should never hibernate with encrypted disk, but suspend is doable: http://whilos.blogsite.org/?p=13
BIOS password is pretty easy to get around if you have physical access to the machine. :-(
The general rule of thumb is that convenience sacrifices security; the easier and more convenient something is to use, the less secure (with a few exceptions). People complain all the time when borrowing my computers... “Why do I have to put in so freakin' many passwords?! Why don't you just tell it to remember passwords?! Why do I have to put in a BIOS password, a password to mount the drive and a password for the O/S?! Why do I have to put in two passwords to wake the machine up?! Why can't you make all your passwords the same?! Why do your passwords have to be so freakin' long and complicated?! Why don't you make it so that I don't have to do all this B.S. every time I plug something into a USB port?! Why does it take so long to reboot – what's it doing on shutdown?!” ...and et cetera :-)
Your setup sounds a lot like my setup.
Anyway, security is all about anticipating the threat. If the threat is having guys with guns come get you and your computer, a BIOS password is well worth the inconvenience.
The point of the BIOS password is to slow down the forensics team while data in your RAM degrades. If they can get it cooled down by spraying it with coolant the state of DRAM can be preserved for a long time. They need to boot your machine into some software that just dumps physical memory to some kind of persistent storage. Seconds count. It's hard to change your boot options when your BIOS is locked out.
Software mitigation of this is possible, as the CPU runs for many cycles even after power to the motherboard has been disconnected. Sensors can detect power has been lost, the kernel can then overwrite critical memory where keys are stored. OpenBSD is the only OS that implements this as far as I know.
Also, another thought. I wish Peter Schiff would not show his cable modem in his videos. It's possible to reconstruct the entire packets merely from the blinking of the activity lights in some devices. This has been demonstrated to work against a Cisco Catalyst 1900 series at speeds up to 10meg.
Guys like us should be advising high profile people in high risk situations such as independent journalists... Can you think of any way to make that happen?
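An added illustration (not from the original thread, and not OpenBSD's kernel code) of the "overwrite critical memory where keys are stored" idea from the comment above, in user space: a wipe routine that the compiler cannot optimize away, plus a verifier so you can actually check that the bytes are gone. The `key_material` struct, the `on_power_loss` hook name and the sample key bytes are hypothetical; in a real system the hook would be whatever your power-loss sensor or shutdown path calls.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key store. In practice this is whatever structure holds
 * the disk-encryption or session keys that must not survive a cold boot. */
struct key_material {
    unsigned char aes_key[32];
    unsigned char hmac_key[32];
};

/* Zero n bytes through a volatile pointer. A plain memset() on a buffer
 * that is about to go out of scope is "dead" to the optimizer and may be
 * removed entirely; writes through a volatile pointer must be emitted. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical handler run when the power-loss sensor fires (or on orderly
 * shutdown). Seconds count, so do nothing here but the wipe. */
void on_power_loss(struct key_material *km)
{
    secure_zero(km, sizeof *km);
}

/* Returns 1 if every byte in the region is zero, 0 otherwise.
 * OR-accumulating avoids an early exit that would leak position info. */
int region_is_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Fill the key store with constructed sample bytes, wipe it, and verify.
 * Returns 1 if the store was non-zero before and all-zero after. */
int demo_wipe(void)
{
    struct key_material km;
    memset(km.aes_key, 0xA5, sizeof km.aes_key);   /* constructed sample key */
    memset(km.hmac_key, 0x5A, sizeof km.hmac_key); /* constructed sample key */

    int before = region_is_zero(&km, sizeof km);   /* expect 0 */
    on_power_loss(&km);
    int after = region_is_zero(&km, sizeof km);    /* expect 1 */
    return !before && after;
}

int main(void)
{
    printf("key wipe %s\n", demo_wipe() ? "verified" : "FAILED");
    return demo_wipe() ? 0 : 1;
}
```

Caveat: this only clears what the kernel or process knows about. Copies of the key in CPU caches, in swap (hence "no swap" above), in a hibernation image, or in a crypto accelerator's registers are not touched by this loop, which is why the thread's "no swap, no hibernate" advice goes with it.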
Regarding the BIOS password, I use them. Any roadblocks, big or small, are good. But if guys with guns come for your computers, they'll likely be taking your toys to people with considerable resources and money at their disposal, dedicated to violating your personal effects. In such atmospheres, BIOS passwords equate to minor roadblocks. I've seen situations where people take two machines with the same motherboards, configure the BIOS settings the way they want them to be on one machine, extract the CMOS I/C containing the desired configuration and insert the I/C into the “locked” machine. The whole process takes about 10 minutes. RAM can easily be kept cool during the process. It's not unrealistic to think that outfits like the NSA, with all that they have at their disposal, could keep a library stock of known CMOS I/C's on hand, preprogrammed with the desired BIOS configuration and ready to “plug & play” (so to speak). If not, it would be small beans to send a gopher out with Big Brother's credit card to pick up the needed motherboard. If the average idiot breaks into your house and takes your stuff, a BIOS password will go much further than it will against something like the NSA. Of course, BIOS passwords only matter anyway if your system is set to boot off of the hard drive and only from the hard drive (no CD boot, PXE/Network boot, USB boot or et cetera).
Regarding Schiff showing his cable modem on TV, I'm not sure where the Catalyst comes in (it's a switch – not a modem). Are you saying that the information in the packets can be reconstructed by the blinking of the lights (on either the modem or the switch)? To my knowledge the lights blink when a packet is transmitted or received, but the binary info in the packets is not represented by the blinks. I have a couple of 1900s and a 5000 series. I'll have to test this. I'm thinking that I can open the case, tap an oscilloscope onto the leads of one of the LEDs, inject packets of known content through the switches at a steady rate and see if the flashing of the LEDs seems to represent digital data, or if it's simply a light flash per packet. This should allow me to change the packet data and see if the waveform pulsing the LEDs changes accordingly. I'm betting it's a light flash per packet, which would not allow reconstruction of anything except number and timing of packets (but not packet source, destination, type, size, contents or et cetera). I'll let you know in a day or two, when I get time to play with it. :-) Even if it does work, in Schiff's case you'd be watching the pulses through TV – with a 60Hz or maybe 120Hz (on some TVs) refresh rate, which would yield a skewed flash pattern of the LEDs. Trying to watch something that takes place thousands of times per second in chunks that only update 60 or 120 times per second would not be reliable at all. Can you tell me where this LED snooping was demonstrated or who demonstrated it?
Regarding how to get into a position of advising people like Schiff on a technical level, I have no idea, my MexAmeriCanadian neighbor. :-) Maybe be really, really good at what we do, become high-profile ourselves and offer services for free? :-)
In any case, I just wanted to present something to help people protect their privacy within the realm of web browsing and communicating by e-mail and IM, without a lot of confusing technical jargon (although some degree is required). There are so many more aspects of security – too many to list within the intended scope of this thread. And just when we have all the holes plugged, some 10 year old kid will come along with an ice pick and poke more. :-)
Regarding the RAM dump: Seconds count. Anything that increases the complexity of the attack gives the defender an edge.
Yes, the thing in Schiff's videos is not a switch, and yes, information in the packets can be reconstructed by the blinking of the lights. I saw this demonstrated against a Cat 1900. I cannot find the paper anymore. It's not new, at least 5 years old. Maybe closer to 10. The demo did not need an oscilloscope. A crap USB webcam is enough. The problem is that the LEDs were directly driven by the packet forwarding circuitry, therefore they leaked more information than simply the timings of frame forwarding. Looked at in slow motion the LEDs are not flashing on and off the way you'd think they would. At 100meg the LEDs oscillate so quickly no meaningful recovery can take place... at least with a $50 webcam from 5-10 years ago. I'm not saying Schiff's cable modem IS vulnerable, only that it COULD be vulnerable to the same class of bug. If you're going to try to repro it, think about how the data is actually encoded on the wire. I wish I could find the paper, because it's such a cool attack.
I already do this stuff for a living. And guess who buys my services more, libertarians or globalists?
Anyway, good post. I'm glad you brought the topic up to get people to think about it more. I don't think this stuff is all that complex... certainly not harder than understanding the scams the central bankers are pulling on us.
I understand what you're saying about the oscilloscope
But if I inject an isolated packet across the switch and the scope shows a Vcc state change on the LED when transmission of the packet starts, and a Vcc change back to its original state when the packet finishes, with no state changes in between, then it's a situation of packet = single LED blink. If there are several Vcc state changes between beginning and end of packet transmission, then it's possible data could be represented by and extracted from the LED state changes, warranting a closer look into the phenomenon. In that case, with varying data in the injected packets, the state change pattern on the LED Vcc should vary accordingly. My oscilloscope is sensitive to Vcc changes on the microvolt scale (tiny fractions of the voltage drop that would make an LED go from “on” to “off”). It can also see/take snapshots of any state changes (oscillations) at rates many times greater than 100 megaflops. This will be a great, easy, preliminary way for me to observe the behavior within a few minutes. I can test at 10TX, 100TX and 1000TX. It will make a fun project. :-)
Right, you'd be using the oscilloscope to test if it's even worth trying with a camera. And probably to figure out how the state is encoded as well... Makes sense. I don't even have an oscilloscope. You are obviously a much better hardware hacker than I. Let me know if you get any interesting results.
Thanks for the about:config referrer mod
Always wondered how to stop this but never put the effort into finding out.
Thanks again.
If you have an active inspection firewall you can also filter out HTTP request/response headers, cookies and et cetera that way. That's a little beyond the scope of this thread, but I'd be happy to discuss it with you offline should you ever need to do so.
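For anyone who wants to see what "filter out HTTP request headers" actually means, here is an added example (mine, not code from Echelon or from any firewall product) of the core of such a filter: it walks the head of a raw HTTP request and drops any header whose name is on a deny list, case-insensitively, without touching the body. The sample request is constructed for the demo; `strip_headers` and `header_is` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True if line begins with "<name>:" (case-insensitive header name match).
 * Stops at the first mismatch, so it never reads past a short line. */
static int header_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    }
    return line[n] == ':';
}

/* Copy an HTTP request from in to out (outsz bytes), dropping every header
 * in the head whose name appears in deny[]. The request line and the body
 * are copied verbatim; the blank line (CRLF or LF) ends the head.
 * Returns the number of headers dropped, or -1 if out is too small.
 * Limitation: obsolete line folding (continuation lines starting with
 * whitespace) is not handled; a folded continuation of a dropped header
 * would be kept. Normalize or reject folded headers before this step. */
int strip_headers(const char *in, char *out, size_t outsz,
                  const char *const *deny, size_t ndeny)
{
    size_t o = 0;
    int dropped = 0;
    int in_head = 1;
    const char *p = in;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p + 1) : strlen(p);
        int drop = 0;

        if (in_head) {
            if (len <= 2 && (p[0] == '\r' || p[0] == '\n')) {
                in_head = 0;                 /* blank line: head is over */
            } else {
                for (size_t i = 0; i < ndeny; i++) {
                    if (header_is(p, deny[i])) { drop = 1; break; }
                }
            }
        }

        if (drop) {
            dropped++;
        } else {
            if (o + len >= outsz)
                return -1;                   /* no room for line + NUL */
            memcpy(out + o, p, len);
            o += len;
        }
        p += len;
    }
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed sample request: Referer and a lowercase cookie header
     * should go; the body line that happens to start with "Cookie:" stays. */
    const char *req =
        "GET /page HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Referer: http://other.test/search?q=private\r\n"
        "cookie: session=abc123\r\n"
        "Accept: */*\r\n"
        "\r\n"
        "Cookie: keep-me-i-am-body\r\n";
    const char *deny[] = { "Referer", "Cookie" };
    char out[512];

    int n = strip_headers(req, out, sizeof out, deny, 2);
    printf("dropped %d headers\n%s", n, out);
    return n == 2 ? 0 : 1;
}
```

Usage note: the deny-list approach is what an inspection firewall does for a handful of privacy-sensitive headers; the about:config referrer mod mentioned above stops the browser from sending the header at all, which is simpler and covers HTTPS traffic that a wire-level filter cannot see inside.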
I downloaded one
But it doesn't seem to want to work for me anymore.
No need to get into the specifics. I'm pretty savvy, but what firewall do you recommend?
Anything but ZoneAlarm.
Sunbelt
For a software-based firewall on Windows, Sunbelt Personal Firewall (formerly Kerio) is great. There are others, but I'm partial to Kerio. Yes, ZoneAlarm is horrible!!!
Excellent info!
Bump for your expertise, Echelon. Thank you.
Thanks for the info
It may come in handy!
"A great civilization is not conquered from without until it has destroyed itself within" W. Durant
'Always be yourself. Everyone else is taken.' - Oscar Wilde
Echelon~Thank you!
Been waiting for this post! Thank you so much. I will .
"I think we are living in a world of lies: lies that don't even know they are lies, because they are the children and grandchildren of lies." ~ Chris Floyd