Hex dump of Gibe-F worm.

Confidentiality and Data Integrity Tools

We must be careful with terminology.

This becomes harder because one word can mean opposite things to different people. To a corporation or government, "security" often means the ability to monitor all communications and information stored by its employees or citizens. But to those employees or citizens, "security" means the ability to communicate and store information without being monitored. It means both violating and protecting secrecy, depending on who you ask.

Of the CIA triple of information security — Confidentiality, Integrity, and Availability — most people concentrate on the first one. But before we jump in, we need to make sure we're being careful with the words we use to discuss these concepts. According to many people:

Secrecy is a technical term for the effect of the mechanisms used to limit access to information. These mechanisms are typically a combination of access control and encryption.

Confidentiality involves the obligation to protect the secrets of other people or organizations. For example, the obligation of a physician or lawyer to their patient or client.

Privacy is the ability and/or right of a person to protect or conceal personal information. People can and should have privacy, this can extend to include their families, but it doesn't make sense to talk about the privacy of a corporation.

"Nothing works against the success of a conspiracy so much as the wish to make it wholly secure and certain to succeed. Such an attempt requires many men, much time, and very favorable conditions. And all these in turn heighten the risk of being discovered. You see, therefore, how dangerous conspiracies are."

— Francesco Guicciardini, Ricordi Politici, 1528-1530

"Fawn — next time with fewer people"

— Robert "Bud" McFarlane, note to Fawn Hall, 22 April 1987

An amusing summary is: "It's no secret what I'm doing in the public toilet stall, but for privacy's sake I close the door." I've seen that attributed to Cory Doctorow, but can't easily find a reference.

As for secrecy, we need to consider the actual message content and the external details of the communication or storage. For example, observing that someone is communicating with a specialized medical clinic exposes secrets about their condition. Some people say we need both secrecy of the message contents and anonymity of the communication. Other people use the terms message content secrecy and message source (or destination) secrecy, and the corresponding concepts of confidentiality for your obligations to protect someone else's secrets.

Privacy Tools

Use the excellent Privacy Tools web site.

PGP and Gnu Privacy Guard

Don't
Use PGP

First, realize that PGP and Gnu Privacy Guard provide the illusion of security. Cryptography Matthew Green has explained the problems in 2014, and then the EFail vulnerability in 2018 made things worse for encrypted email.

See my "Just Enough Cryptography" page for an overview of the concepts of encryption (for confidentiality) and digital certificates (for integrity of the message and authentication of the sender).

The best solution for a PGP user tool is the Gnu Privacy Guard. Linux and BSD include it, and it's easily added to other operating systems. It's open-source so it's well-tested and trusted, get it at gnupg.org for Linux, BSD, macOS, and Windows.

If you need a commercial product, Symantec bought PGP the company.

Disk Encryption Tools

TrueCrypt was a free open-source disk encryption system for Windows, macOS, and Linux. In May 2014 the project abruptly shut down, its web site replaced with links to a Sourceforge page warning that the software should not be trusted.

My page on Linux file system encryption explains how to use dm-crypt within the Linux kernel to encrypt file systems, either locally or within the Amazon cloud.

There are some issues with Microsoft's EFS (Encrypting File System) — see the details on my page on os-specific issues.

Key Recovery Tools

Remember that if a system can have its cryptographic keys "recovered", you shouldn't rely on it to keep your information confidential! Beware commercial applications that claim to include methods for encrypting your files! There are tools that quickly break the toy "encryption" included in Microsoft Word, Microsoft Excel, WordPerfect, Quattro Pro, PKZIP, Paradox, Lotus 1-2-3, and many more. For tools to break this toy "encryption" see the Openwall project's great archive of open-source password recovery software.

And of course there are people who will do this for you, for a fee, or sell you software, including Passware, Password Recovery Tools, PWCrack, Elcomsoft, and Lastbit.

World War II S.O.E. spy radio built into a full-sized suitcase.

A "low profile" spy radio used by the S.O.E. in World War II. It weighs 16 kilograms and fills a suitcase. Compare that to modern HF radio designs which can fit far more functionality into an Altoids tin.

Privacy risks of Google and similar search engines

This is absolutely no fault of Google or other search engines, but some silly web site administrators have misconfigured their servers. Instead of the web server being kept within the sandbox of /var/www/html (or wherever) on UNIX, or C:\inetpub on Windows, the server serves out everything on the file system. Or at least far more than it should.

The great SHODAN search engine has a lot of these already done for you. The NSA published a how-to book for its employees, "Untangling the Web: A Guide to Internet Research". But it's pretty simple to specialize your own Google searches.

If you are just interested in looking at other people's webcams, see the Insecam online camera directory. You can find them yourself by searching at Shodan:
netcam linux+upnp+avtech

As for Google searches, try these:

Also see the Google Hacking Diggity Project and the Search Diggity tool.

There are also more specialized FTP and archive indexing engines:
Search-22 Мамонт / www.mmnt.ru FileMare.com FileWatcher FileSearching.com FTP Search Engine NAPALM FTP indexer MetaBear.ru

You might then need Binwalk and BAT or the Binary Analysis Tool to unpack and analyze arbitrary packages and firmware.

Secure E-Mail, Online Storage, and File Sharing (versus government surveillance)

See the page on government surveillance for these topics:

Information Leakage

Lots of information can leak out of a host, giving a would-be attacker hints about what it is and how it might be attacked. Automate the banner grabbing with Nmap, which can also detect the remote OS. Used it follows:
nmap -sS -sV -O target.example.com

Detect the remove version of the BIND DNS server, if the remote machine is willing to honestly answer such a question from your machine:
dig chaos txt version.bind. @target.example.com

Request and display the header of the web server, possibly revealing operating system, web server software, supporting software such as PHP or .NET and its version, and security headers:
curl -I https://www.example.com/

SSH and Secure Replacements for Telnet and FTP

SSH tools can be found at the following, most of them are free:

SSH Clients for UNIX

OpenSSH provides both SSH and SFTP (FTP tunneled through SSH). Plus you can tunnel TCP applications through SSH.

SSH Clients for Windows and DOS

OpenSSH is finally included with Windows, with commands ssh, scp, and sftp. You may need to go into the Control Panel and enable it.

The world no longer relies on PuTTY, one guy's project.

SSH Clients for Macintosh — In addition to the built-in Terminal and installing the OpenSSH port, of course: SecureCRT (commercial) and NiftySSH.

I had forgotten about the issue of TN3270 security, now it supports TLS.

Hardware Encryption

FIPS 140 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. See the standard itself and lists of approved hardware on the NIST site.

Cryptek made the DiamondNIC LAN card, certified at B2 by NSA, plus LAN and WAN hardware solutions.

Fortezza cryptographic cards were made by Mykotronx and Spyrus, but those date back to the PC Card or PCMCIA technology of the 1990s.

Also see the COMSEC page.

Commercial Eavesdropping Equipment

Narus and Verint sell mass surveillance and eavesdropping equipment to a wide range of governments. From their web pages in 2010:

Verint Systems is a leading provider of Actionable Intelligence solutions and services for enterprise workforce optimization and security intelligence.
Narus
Narus is the leader in real-time traffic intelligence for the protection and management of large IP networks

Real-time Traffic Intelligence
is the ability to protect and manage large IP networks by understanding in detail the behavior of the traffic

Product
NarusInsight is the most scalable traffic intelligence system for capturing, analyzing and correlating IP traffic in real time.

In addition to the U.S. government and U.S. telecommunications companies, Verint's customers have included Mexico (the government's nation-wide telecommunications eavesdropping system), Vietnam (equipment used by all ISPs for government mandated monitoring of discussions of democracy), and many others.

Narus has sold their high-end systems to the People's Republic of China's Internet monitoring and enforcement agency, the Information Technology Security Certification Center. According to the U.S. State Department's Country Reports on Human Rights Practices issued March 6, 2007, after this upgrade:

The authorities reportedly began to employ more sophisticated technology enabling the selective blocking of specific content rather than entire Web sites. Such technology was also used to block e-mails containing sensitive content ... New restrictions aimed at increasing government control over the Internet included stricter Web site registration requirements, enhanced official control of online content, and an expanded definition of illegal online content. The country's Internet control system reportedly employed tens of thousands of persons. The government consistently blocked access to sites it deemed controversial, such as sites discussing Taiwan and Tibetan independence, underground religious and spiritual organizations, democracy activists, and the 1989 Tiananmen massacre. The government also at times blocked access to selected sites operated by major foreign news outlets, health organizations, and educational institutions.


Amazon
ASIN: 0307279391

According to James Bamford's The Shadow Factory, Narus has also sold its eavesdropping systems to fun and friendly governments like Pakistan, Egypt, Saudia Arabia, and Libya.

Glimmerglass Networks sold intercept hardware for optical networks, as described by their president and CEO in a story in Aviation Week and Space Technology, July 26, 2010, pp 57-58.

Wireless LAN/WAN Security

Authentication and integrity are at least as important, or even more important, as confidentiality in some applications. See my networking monitoring/sniffing page for this category.

Voice Scramblers

For secure voice links, get real hardware. Expect to pay a lot. Historically, these were something like a STU, CipherTAC, or ASTRO system from Motorola, or a SwiftLink 1400, about US$ 16,600.

Voice encryption units can be built into radio gear. Communications Specialists has offered units in the range of US$ 79-299 each, and E. F. Johnson has produced chips and modules for secure radio transceivers.

Do not trust the "voice-scrambling" units sold via ads in popular magazines! They are trivial for anyone who understands analog circuit design. Here is a circuit to both do that trivial "scrambling" and to break it.

Also see my COMSEC page.

Cryptography and International Law

No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attack.

— Article 12, Universal Declaration of Human Rights, 1948

It's hard to figure out the laws of one country, let alone several. To export from the U.S., January 2000 finally saw some loosening of U.S. laws, but do not assume that anything goes!

Now, where are you exporting it to? France and Russia (well, at least on paper...) require you to register cryptography, and don't allow import of strong cryptography. Israel, Singapore, and Hong Kong all have differing rules of their own. Germany and Malaysia seem to regulate digital authentication. Saudi Arabia simply bans all cryptography. If you have to do anything with multinational applications of cryptography, check out Bert-Jaap Koops' excellent Koop's Crypto Law Survey

The EFF has a generally quite critical look at U.S. laws.

X Privacy and xspy

Be very careful about reckless use of xhost! xspy is a tool for grabbing all keyboard and/or mouse input from an unsecured X display — click here to get a copy. This is very useful for convincing people of the insecurity of mis-used X! Make certain you understand xauthority, and avoid the reckless xhost +!

IPsec — Confidentiality, Integrity, and Authentication Through Secure IP

Click here to see my page with a simple explanation of IPsec.

If you use PPTP, the Point-to-Point Tunneling Protocol, do not use the flawed Microsoft implementation. Use the L2TP protocol with IPsec instead.

Virtual Private Networks

IPsec and TLS are fundamental technologies supporting VPNs or Virtual Private Networks. Your organization can use that technology to set up secure connections across the Internet between distant sites.

However, if you are an individual looking for a way to obscure your Internet activity by securely tunneling to a provider or proxy and then connecting from there, well, there aren't a lot of good choices. Brian Krebs has an excellent overview of how most public VPN solutions are worthless, especially any supposed free VPN providers. He points us to a collection of reviews and side-by-side comparisons of VPN services.

Tracking with mobile devices

Researchers at Technische Universität Braunschweig wrote a paper "Privacy Threats through Ultrasonic Side Channels on Mobile Devices" in which they describe smart phone apps which listen for ultrasonic signals in stores and carried on television commercials in order to track owners' locations and activities plus their web site and television viewing history. The signals are at 18-20 kHz, so they can be received and transmitted by consumer devices but not detected by typical adult humans. The Silverpush technology has received some media attention including this article in The Atlantic. Other tracking technologies include Shopkick, Lisnr, and Signal360.

Researchers at P1 Security wrote "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone", describing how an attacker can use Voice over LTE technology to retrieve information on targeted subscribers including their locations.

Keyloggers

Cryptologia had an article "Non-Cryptanalytic Attacks", discussing various ways of spying on user activity to steal passwords, capture all activity, and so on. (vol. 26, no. 3, 2002, pp 222-234)

The article struck me as rather creepy, describing products and activities from the "Two Wrongs Make a Right" school of thought.

You can buy keyloggers from Amazon. They are marketed as crucial for parents to monitor their children, and for spouses or lovers to monitor their special-but-suspected someone.

STARR — STealth Activity Recorder & Reporter — was a product by iOpus. For a while you could download it from CNet.

D.I.R.T. — Data Interception by Remote Transmission — was described by Codex Data Systems as a tool they would only sell to law enforcement and federal goverment agencies: "Data Interception by Remote Transmission is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center." CA had a page about detecting it as spyware. It appears that D.I.R.T. is a scam and Codex's CEO was a convicted felon on probation for illegal possession of surveillance devices, "widely regarded as a scam artist with a long history of security/surveillance snake-oil sales" according to this article in The Register.

ABCKeylogger is another "tool" widely considered malware.

Ghost Keylogger now called Spytector is another long-lived piece of spyware still being sold.

Magic Lantern is a US FBI software product intended to be deployed as an e-mail attachment that infects the recipient's machine to install spyware. MSNBC has reported on it, but the FBI has refused to tell the public or the Congress anything about it.

Back to the main Security page