The question is: how do I send secure email from a computer where I can’t install any programs?

The answer: PGP on a USB drive!*

The method below will allow you to use all of the GnuPG functions without installing anything on the host computer. In fact, besides file access, there are no any traces that GnuPG was in use.

Ingredients:

- empty, formatted USB drive >128MB – the faster, the better!

- GnuPG 1.4.9 Windows binary – http://www.gnupg.org/download/

- GPGShell 3.73 – http://www.jumaros.de/rsoft/index.html

- Copy2USB 1.05 – http://www.jumaros.de/rsoft/download/Copy2Usb.exe.gpg

- FireFox Portable – http://portableapps.com/apps/internet/firefox_portable

- FireGPG – http://getfiregpg.org/s/home (after FireFox Portable installed)

- SHA1sum – ftp://ftp.gnupg.org/GnuPG/binary/

Directions:

0) Use SHA1sum to check the integrity of the files you downloaded.

1) Install GPGShell on your computer. Install GnuPG in the GPGShell directory. This does not give the cleanest installation but makes everything much easier.

2) Use GnuPG (or some other PGP program) to extract Copy2USB. (Hint: use the decrypt function.)

3) Run Copy2USB. It should be fairly self explanatory. The target directory is a folder on the USB drive.

4) Test the install! Try opening GPGtray and accessing the key manager. If successful go to a command line and check the version “gpg –version” If the home directory is point at C:\Documents and Settings\… then you will need to reset the home folder. This can be done from the gpgconfig program.

Note: Use a fast USB drive. Otherwise, it will seem as if the very paws of Slowcat himself are haplessly fumbling with your instructions.

5) Install FirefoxPortable on the USB drive. Set it up however you like.

6) Install FireGPG as an extension. It may complain about an old library, I haven’t found a way to solve that. However, everything seems to work out fine in the end.

6a) Disable the Gmail integration. At the very least, test it before you rely on it. It doesn’t seem to work properly.

6b) Set the paths. Specify the path to the GPG exectuble. Add a command line option to set the home directory to the proper place on the USB drive. %CD%\..\.. will help here to start the path in your current directory and then go up a couple levels. Not particularly elegant but it works!

7) Test integration with FirefoxPortable. Start GPGTray and create a new keypair. Make the passphrase STRONG! A sentence that is easy for you to remember and difficult for someone to guess is ideal. Throw in some l33t or dirty words. Close the key manager and open the key manager from within FireGPG. If you can see the key, you’ve done things correctly!

Use: Gmail Example

0) Create a new keypair called “Test”. Set the passphrase to something very simple.

1) Open FirefoxPortable. Login to your Gmail account and type a message into the body of the email.

2) Select the entire plaintext message and right click. Choose FireGPG->Encrypt and Sign. In this example. you will encrypt the message with Test’s public key and sign with your private key. You will be asked to enter your passphrase for the private key.

3) Paste the entire PGP message block including headers into the body of the email. You will want to either paste over or delete the plaintext. Send the email to yourself.

4) To decrypt the cyphertext you just sent to yourself, select the cyphertext and right click. Choose FireGPG->Decrypt. You will then be asked to enter the passphrase for the Test private key. If successful, a new window should open up revealing the original message you typed.

Key Points:

1) To Send: Encrypt with the recipient’s public key. Sign with your private key using your passphrase.

2) To Read: Decrypt with your private key using your passphrase.

Of course, you cannot encrypt a message if you don’t know a person’s public key. To find someone’s public key, you can either have them give it to you (via email, paper, telepathy, etc.) or you can search for it on a keyserver like cryptonomicon.mit.edu.

However, just because I’m not very concerned doesn’t mean that others aren’t. Given the popular media’s fear-mongering to which many have succumbed, I would not be surprised to see serious disruptions in otherwise robust systems.

From an IT perspective, I urge people to consider how they will keep their systems running in the event of widespread absenteeism. If you already have a business continuity plan, good for you. If not, now is the time to quickly get one together. Copy from your neighbor if that’s what it takes.

Map out your critical goals for the time period you anticipate experiencing abnormal behavior. Everything on this list takes top priority. For example:
1) Maintain service on all mission-critical systems
2) Continue to monitor and respond to security events
3) Continue regular patch testing and implementation cycle
4) Contain any spread of potential infection internally
5) Identify and maintain contact with chain of command for executive decisions and alternates in chain

Then, identify what activities/resources will be necessary in order to accomplish those goals. For example:
1) Require at least two admins on call with remote access capability at all times. Require at least  one security admin on call
2) Enable remote monitoring on mission-critical systems
3) Confirm hot standbys functional. Consider upgrading warm or cold standbys
4) Bring up out-of-band communications channels (IRC, Jabber, etc.)
5) Produce and circulate copies of critical daily reports on out-of-band channels
6) Enforce policies restricting employees with high fever from the office
7) Agree upon and establish secondary command chains in case primary is unreachable

Finally, educate everyone on the plan and test it! It’s generally accepted that reduce service levels will result from activation of any contingency plan. The idea is that you will be able to set that service level ahead of time.

Ask your vendors about their business continuity plans and share yours with them.

There may or may not be a pandemic but that doesn’t mean there won’t be overreactions. Control variability now while it’s still easy to do so.

1) Use strong passwords/passphrases for every account. (Strong = mix of letters, numbers, cases and special characters.)

2) Use different passwords for every account.

3) Never write down your password. Ever.

4) Never tell anyone your password. Ever.

The results are bad. All of this quickly adds up to dozens of accounts you have no idea how to get back into two weeks later. So how is any mortal man or woman supposed to follow these security best practices without looking like a doofus and constantly popping “Login attempts exceeded” screens?

There is a certain art to creating memorable passwords. I recommend two methods:

Look at the Titlebar Method: Create a password that uses some parts of the website name or function. For example, an eBay password could be {B1dd1ng0n-Junk-} or {L0s1ng@uct10nzzz}. A combination of l33t, poor spelling and your own personal touch can help greatly while staring at the eBay login page. Incidentally, you may want to look up on game theory and especially The Winner’s Curse. If you absolutely must have that priceless doodad, you can just look up at the titlebar and remember why you’re there.

Almost the Same Method: Say you are an auction fiend with accounts on eBay, uBid and auction.com. You’re passwords could be {J0n3s1n’3B@y}, {J0n3s1n’uB1d} and {J0n3s1n’@uct10n.c0m}. Now this does present one problem. If the username and password to one account is compromised, it would not take a great stretch of imagination to figure out the other ones.

When composing password remember your friends: complexity and length. This may seem imposing at first. It is certainly more challenging than {password123}  but the learning curve is not too bad. For example, my facebook password is more than 10 characters long and I can bang it out in about a second and half consistently. I am also notorious for not checking my fb either so it can’t take that much practice. Good luck! (and with strong passwords, you won’t need nearly as much of it!)

At the 2007 InformationWeek conference, the CEO of McAfee announced that the value of cybercrime reached $104B USD annually.  This surpassed the value of global wholesale illicit drug trade.

I have reservations about both of these numbers. However, even if we believe that these numbers are only correct to an order of magnitude, we still see an immense problem.

I can give a variety of statistics and theories and the-sky-is-falling rants but let’s think about a couple particular examples.

1) The Corporate Whistleblower

Alice wants to expose corporate wrongdoing but has a family to support. She can’t affort to lose her job.

Alice finds the data, plugs in a USB drive containing PGP, finds the public key for the Attorney General and encrypts the data using the AG’s key. Anyone searching her computer would only find gibberish. At this point, the original data remains untouched on the company server. The copy is only readable by the AG.

Alice launches Privoxy and Tor to disguise her connection to her gmail account. Corporate spies can see her outbound communication to the first proxy but can’t tell that she’s connecting to her email.

Alice sends the data to the AG, closes her net connections and wipes the file and free space on her hard drive.

Most corporate IT teams will not even register that anything unusual happened. Those that do would have a hard time figuring out exactly what. A few very paranoid and very skilled teams will be able to identify Alice as the source of the leak.

2) The Hungry Sales Agent

Bob is a life insurance agent for a nationwide firm. His client files including a lot of personal and sensitive information reside on his laptop. This makes it easy for Bob and saves him the trouble of logging into the corporate VPN.

Bob is at a corporate client’s site and finishes his morning session with management. He leaves his laptop and briefcase in the conference room. Fifteen minutes later, lunch in hand, Bob returns to find his laptop missing.

The thief, Eve, reboots to a custom operating system from her CD. She quickly downloads the client data and packages it to sell to identity thieves. Eve wipes the computer and sells it for a couple hundred bucks.

Three months later, customers of this firm receive a notice that their personal data may have been compromised and are advised to hire a credit monitoring service. In most cases, the damage will already have been done.

(This actually happened to me. Even large companies show remarkable apathy towards the danger that their clients face. I start getting notices when I’m 30 days late paying a $30 cable bill. A Fortune 500 has no excuse waiting three months when my personal credit and personal reputation are at stake.)

The bottom line is this: The proper implementation of information security allows people live their lives free of interference from those who do wrong. It is as basic as the latch on your window and the lock on your door.

This should be no more than a 15-minute process but as the disembodied voice says, your experience may vary.  It looks long but it’s not really that bad.

Part 1) Install PGP

1) The basic functionality of PGP (encryption/decryption/signing…) is available for free in perpetuity as part of PGP Corporation’s PGP Desktop software license. Go to www.pgp.com and click on the “Evaluation” link towards the bottom of the page.
2) Select “PGP Desktop Trial Software (Desktop Client Only)”.
3) Read the text and the license agreement at the bottom of the page. Check the box to accept the license and click “Accept”.
4) Fill out the required information and submit it. PGP Corp will email you a download link to the software. Open the link and click the white “Download” button on the left side of the page.
5) Unzip the downloaded package. There are two files inside and unzip the larger one. The small file is a signature package to verify that the files are legitimate.
6) Follow the install instructions. Reboot as necessary.

Part 2) Creating Your Keys

1) Open up the PGP Desktop and click on “File -> New PGP Key”
2) Follow the instructions and type in your name and email, etc. This will be one of the ways for people to find you. Don’t use aliases unless people can link you to your alias!
3) Enter your passphrase. You can type anything you want in here. Go ahead and use numbers and spaces and wierd symbols. Make it 1) long enough and varied enough to be secure (look at the little bar at the bottom) and 2) short and easy enough that you can type it all the time.
4) Click, click, click and finish.
5) Congratulations! You made a keypair! That’s right, in that little icon is a private key for you and a public key for the world. Don’t give out your private key. Give your public key to *everybody.*

Part 3) Upload your keys and Download others’ keys

1) Go to “Tools -> Edit Keyservers”
2) Add any servers you’d like. I recommend looking at this page (http://www.rossde.com/PGP/pgp_keyserv.html#pubserv) and adding the servers in bold. Be sure to select whether the server is LDAP or HTTP and enter the correct port number. For example, I would select Type:” PGP Keyserver HTTP”, Address: “cryptonomicon.mit.edu”, port: “11371″ and click “OK”.
3) Click on the “All Keys” tab at the top left of the window, find your key and right click to select “Send to -> cryptonomicon.mit.edu”. This will upload your key to the server so that others can find encrypt messages that only you can read.
4) Then click on “Search for keys” and from the dropdown box at the top of the screen select “Everywhere”. This will search all the servers for the key you want. You can also select particular servers if you know which one you want.
5) In the search box, type “xinophobia” and click search. Right click on the most likely-looking result and add it to “All keys”.
5a) My key is on my Contacts page.

Part 4) Excitement! Sending encrypted email

1) Log into your gmail. (The process is mostly the same for desktop email programs)
2) Write a message to someone (ex. xinophobia)
3) Place the cursor in the main body of the text. Find the PGP lock icon on the system tray (lower right side of the screen) and right click on it. Select “Current window -> Encrypt and Sign”
4) Select the recipient of the message and drag it to the “Recipients” box. Click “Ok” and then enter your passphrase to sign it with your key.
5) The plaintext message is automatically replaced with the a strange looking cyphertext block. If not, try pasting the cyphertext from the clipboard.
6) Send it!

Part 5) What to do when you get encrypted email

1) Place your cursor in the body of the cyphertext.
2) Right click on the PGP icon and select “Current Window -> Decrypt and Verify”
3) Enter your key and a box will pop up with the message. If you like, the message can be copied to the clipboard and pasted somewhere else.
4) Read your friend’s encrypted message about this weekend’s BBQ!

Part 6) Sharing your keys

1) Tell your friends where you uploaded your key.
2) Select your key in PGP desktop and click “email this key”.

—The End—

—Epilogue—
Please don’t forget your passphrase. Don’t write it down anywhere! Just don’t forget it. If you use your key everyday, you’ll be pretty safe. It is rumored that “The Government” (which one???) can crack PGP but it’s unlikely “The Government” will help you if you forget your key.

As case law stands now, you are not required to divulge your passphrase. There is still a great deal of controversy as to whether or not encryption is really protected under the 5th Amendment. Try to stay out of trouble.

Any tool which can be used for good can be used for evil and vice versa. (Generally speaking this is true. I’m struggling to come up with a “good” use for Puppy-kicking Boots. Whoever invented that needs to be shot.) Use PGP for good!

I keep an eye on the police blogs in my area just to get a feel for what kinds of incidents occur. Many of them relate to purses and laptops walking out of unsecured rooms. This kind of breach does not require a ton of commentary. If practical, lock the door to your offices. Lock your computer to a solid object. Encrypt your data and lock down your terminal when you step away. (There is software to do this for you!) Finally, don’t leave stuff unattended for prolonged periods.

As evidenced by the police blogs and personal experience, many restricted-access buildings depend on unauthorized persons voluntarily not attempting to enter. Despite the assertions of facilities administrators, these buildings and by extension the offices within should be considered public.

To end on a lighter note, I offer an excerpt from the daily police blog:

“Public Intoxication / Possession of a Fictitious Document: A Student, who was under the age of 21, was reported as leaping a tall fire hydrant in a single bound and staggering as he attempted to walk along the sidewalk…”

Students! If you are under 21 and drunk, do not leap tall fire hydrants in a single bound! You will attract unwanted attention. Next time, try a doublejump.

(credit: Penny Arcade)

A far simpler solution is to look over their shoulder while they type.* Take care when signing on in public places. The guy standing in line for a coffee may take an interest in your banking password. Admittedly, this kind of attack of opportunity may not happen often. However, this is an easy way to actively hunt prey.

The concern lies in more than just physically proximate attackers. Many public areas will also have security cameras. A good line of sight would reveal a string of credentials: local machine, webmail, banking, etc.

Some thieves are known to target victims at ATMs on the condition that they successfully observe the victim’s PIN. Similarly, a laptop theft is much more severe if the attacker can immediately access the system. This makes possible a number of attacks in which the victim is unaware.

For example, at the library Alice shoulder surfs Bob’s password. Bob locks his computer to the table and goes to the restroom. A couple minutes later, he returns to find his laptop in its original position apparently untouched. However, during that time Alice logged in and installed a backdoor. Bob would probably not find it until the damage had already been done.

As always, watch your back. In terms of information security, it is not unwarranted to assume that everyone, except a trusted few, is your enemy. And what do we know about turning our backs to our enemies?

A quick and easy mitigation is to type very quickly. Otherwise, moving both hands while typing can distract a casual shoulder surfer. As an added distraction, pad the beginning and end of each string i.e. type “in air” without actually depressing keys.

And lest I forget this most valuable piece of advice: CHANGE YOUR PASSWORDS OFTEN. The more sensitive your password, the more often you should change it. If you even suspect it’s been compromised, change it!

*Actually, it’s also possible to listen to the sequence of keystrokes and identify the keys pressed. There’s a paper on this, I’ll link it later.

Internet Storm Center: isc.sans.org

And to those who watch:

Internet Health Report(US only): www.internetpulse.net
CERTStation: www.certstation.com

I would also recommend a basic home computer security suite:

Avast (www.avast.com) – Antivirus
Ad-Aware (www.lavasoft.com) – Antispyware
ZoneAlarm (www.zonealarm.com) – Firewall

These programs are all free for personal, non-commercial use. While it will certainly not stop all threats, it offers decent security with a minimal maintenance burden. Use this as a starting point and select better choices based on user experience level and personal preference. I would recommend declining any paid upgrades.

For more layers of defense:

Encryption:
PGP Desktop (www.pgp.com)
PGP allows you to encrypt files and also send encrypted email. This provides excellent security against casual eavesdroppers. The trial package has limited functionality after 30 days but remains sufficient for home use.

Software proxy and onion router:
Vidalia (www.vidalia-project.net)
Vidalia will allow you to anonymously access websites. It provides some limited ability to access sites that have been blocked locally (i.e. by government or corporate mandate).

Full disk encryption:
TrueCrypt (www.truecrypt.org)
TrueCrypt provides on-the-fly full disk encryption. I will be testing the lastest version in the near future.

Network Security Operating System:
BackTrack (www.remote-exploit.org/backtrack.html)
BackTrack is filled with tools for those interested in testing their own network defenses.

You can quickly test your status using some internet-based scanners:

Symantec: security.symantec.com
Shields Up: https://www.grc.com/x/ne.dll?bh0bkyd2

For maximum effectiveness, remember to update and scan regularly!

I would also be happy to hear about any options/tools that are particularly good!

As of 7/12/08:

Domains not reachable:

- facebook.com (was reachable on 6/29/08)
- icanhascheezburger.com (was previously able to load site without pictures but now totally unreachable)
- uncyclopedia.com
- torproject.org
- dit-inc.us

Domains reachable:

- cnn.com
- bbc.co.uk
- xkcd.com
- wikipedia.org

The combination of Privoxy+Tor is again successful in accessing the blocked sites.
I chose to use this method because of its usability: free, well-integrated into popular browsers, and easy to setup.

However, there are several importants caveats to using tor:

- The network as it exists will not support connections requiring a lot of bandwidth (i.e. bittorrent, massive file transfers, etc.). It will work but it will be extremely slow. I need to stress that such usage will also have a negative impact on other tor users.
- The software is experimental and should not be relied upon for strong anonymity.
- The most reliable source for software and updates (torproject.org) is not reachable without a working copy of Tor.
- Very few entry nodes are reachable. This raises some serious questions about the immediate security and long-term viability of Tor.

In my 80 hours or so logged into a functional circuit, I have seen only three distinct entry nodes. From a security standpoint, it is easy to believe that these entry nodes are planted or otherwise compromised to allow monitoring. Even if the entries are legitimate, it wouldn’t be hard to shutdown the network entirely. I leave this as an exercise to the reader.

There is an interesting paper on timing attacks for any onion router network:
Low-Resource Routing Attacks Against Anonymous Systems by Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, Douglas Sicker
http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1025-07.pdf

There are many alternatives to Tor which I will decline to list here. One that I am investigating is FreeGate: dit-inc.us.

I encourage readers to have a plan of action in case Internet access is restricted in their area. What tools do you have immediately available to facilitate a breakout? If you don’t usually encrypt communications (i.e. pgp or some variant), will you want/need to? How many of your contacts will you be able to reach via other means (secure or not)?

…there is a Great Firewall looming over the webscape. Like any good defensive wall it keeps out invaders. Yet, the oft unnoticed aspect of walls is perhaps just as important. It keeps people in. Whether the wall is cyber or physical, it sends a not-so-subtle message that “We are all you should be interested in. There is nothing out there that a right-thinking person would want to see.”

Let me point out that this is true to some degree everywhere. Some methods are explicit. Others are far more insidious – a subtle manipulation of reality. But this is a topic for another time.

Like the typical wrong-thinking person, I have become accustomed to my free access to the Internet. Being unwilling to give it up, I have prepared for a small scale inspection of this Wall with just a touch of breaching as required.

First would be a survey of what is actually allowed and prohibited. The easy way is to hit the hotspots: wikipedia, major news sites, blog hosting sites, etc.

Next step is to examine what tools remain accessible. Are open proxies still available? How about the Tor network? One can quickly get a feel for if/what kind of crackdown has been made. The availability of some kind of open access, even sporadic, would have a huge impact on the success of breakout attempts. Open access means a chance to download new tools, refresh lists of proxies, exchange information and in short, buy oneself a little more time.

Finally, I will examine what methods are required to reach the blocked content. Personally, I suspect that one method will work for everything but there are inherent risks in being a one-trick pony. The sentries, though lumbering, are always moving. Sitting still is one of the best ways to find yourself locked down. Without outside assistance, it could be very difficult to break free again.

Reports on the above are forthcoming over the next week. Silence on the wire would suggest a much stronger adversary than I had anticipated.

To leave you with a bit of concrete information, I present the following tips on finding power outlets at airports.

1) Endeavor to fly through good airports and on good airlines. The Southwest terminal in Austin-Bergstrom has laptop bars setup with stools and a raised counter with two outlets per person. Good for your cell phone, too! The Continental terminal at Newark International actually has most outlets covered up with metal plates. Which leads me to number two.

2) Look around you for electronic devices. TVs, speakers, lighted signs, etc. all require power. If they’re going to wire those signs, it wouldn’t be too much of a stretch to place an outlet on the floor or wall. Electric cart parking/recharging areas by definition have power. Construction vehicles used indoors are usually electric. Discovering where they charge is akin to finding the lair of a dragon.

3) Wander into an empty part of the terminal and look for others with electronics. These people may have done the work for you.

4) Check near pillars and other structural supports.. An unadorned pillar may have surveillance or NBC detection equipment inside. Water fountains also require beaucoup electricity.

5) If your desperate, check behind the ticket counters at unused gates. Just be aware that security may not be happy to find you back there.

6) Another last-ditch power source can be found in restrooms. Some models of automatic sinks plug into the wall. Of course, this depends on the type of sink and layout of the bathroom. This is option is wet, conspicuous and difficult to explain.

7) Use your imagination! Observe your environment carefully and take nothing for granted. Even if you have to stand in the middle of the floor and strike a pose while you text.