Confidentiality and Data Integrity Tools
We must be careful with terminology.
This becomes harder because one word can mean opposite things to different people. To a corporation or government, "security" often means the ability to monitor all communications and information stored by its employees or citizens. But to those employees or citizens, "security" means the ability to communicate and store information without being monitored. It means both violating and protecting secrecy, depending on who you ask.
Of the CIA triple of information security — Confidentiality, Integrity, and Availability — most people concentrate on the first one. But before we jump in, we need to make sure we're being careful with the words we use to discuss these concepts. According to many people:
Secrecy is a technical term for the effect of the mechanisms used to limit access to information. These mechanisms are typically a combination of access control and encryption.
Confidentiality involves the obligation to protect the secrets of other people or organizations. For example, the obligation of a physician or lawyer to their patient or client.
Privacy is the ability and/or right of a person to protect or conceal personal information. People can and should have privacy, this can extend to include their families, but it doesn't make sense to talk about the privacy of a corporation.
"Nothing works against the success of a conspiracy so much as the wish to make it wholly secure and certain to succeed. Such an attempt requires many men, much time, and very favorable conditions. And all these in turn heighten the risk of being discovered. You see, therefore, how dangerous conspiracies are."
— Francesco Guicciardini, Ricordi Politici, 1528-1530
"Fawn — next time with fewer people"
— Robert "Bud" McFarlane, note to Fawn Hall, 22 April 1987
An amusing summary is: "It's no secret what I'm doing in the public toilet stall, but for privacy's sake I close the door." I've seen that attributed to Cory Doctorow, but can't easily find a reference.
As for secrecy, we need to consider the actual message content and the external details of the communication or storage. For example, observing that someone is communicating with a specialized medical clinic exposes secrets about their condition. Some people say we need both secrecy of the message contents and anonymity of the communication. Other people use the terms message content secrecy and message source (or destination) secrecy, and the corresponding concepts of confidentiality for your obligations to protect someone else's secrets.
Privacy Tools
Use the excellent Privacy Tools web site.
PGP and Gnu Privacy Guard
Don'tUse PGP
First, realize that PGP and Gnu Privacy Guard provide the illusion of security, but its early-to-mid-1990s cryptography with a horrible user interface and many further flaws. Cryptography Matthew Green has explained the problems in 2014, and then the EFail vulnerability in 2018 made things worse for encrypted email. The Latacora blog similarly explained how horrible PGP is in 2019 with The PGP Problem.
See my "Just Enough Cryptography" page for an overview of the concepts of encryption (for confidentiality) and digital certificates (for integrity of the message and authentication of the sender).
The best solution for a PGP user tool is the Gnu Privacy Guard. Linux and BSD include it, and it's easily added to other operating systems. It's open-source so it's well-tested and trusted, get it at gnupg.org for Linux, BSD, macOS, and Windows.
If you need a commercial product, Symantec bought PGP the company.
Disk Encryption Tools
TrueCrypt was a free open-source disk encryption system for Windows, macOS, and Linux. In May 2014 the project abruptly shut down, its web site replaced with links to a Sourceforge page warning that the software should not be trusted.
My page on
Linux file system encryption
explains how to use dm-crypt within the
Linux kernel to encrypt file systems, either locally
or within the Amazon cloud.
There are some issues with Microsoft's EFS (Encrypting File System) — see the details on my page on os-specific issues.
Key Recovery Tools
Remember that if a system can have its cryptographic keys "recovered", you shouldn't rely on it to keep your information confidential! Beware commercial applications that claim to include methods for encrypting your files! There are tools that quickly break the toy "encryption" included in Microsoft Word, Microsoft Excel, WordPerfect, Quattro Pro, PKZIP, Paradox, Lotus 1-2-3, and many more. For tools to break this toy "encryption" see the Openwall project's great archive of open-source password recovery software.
And of course there are people who will do this for you, for a fee, or sell you software, including Passware, Password Recovery Tools, PWCrack, Elcomsoft, and Lastbit.
A "low profile" spy radio used by the S.O.E. in World War II. It weighs 16 kilograms and fills a suitcase. Compare that to modern HF radio designs which can fit far more functionality into an Altoids tin.
Privacy risks of Google and similar search engines
This is absolutely no fault of Google or other search engines,
but some silly web site administrators have
misconfigured their servers.
Instead of the web server being kept within the sandbox of
/var/www/html (or wherever) on UNIX,
or C:\inetpub on Windows,
the server serves out everything on the file system.
Or at least far more than it should.
The great SHODAN search engine has a lot of these already done for you. The NSA published a how-to book for its employees, "Untangling the Web: A Guide to Internet Research". But it's pretty simple to specialize your own Google searches.
If you are just interested in looking at other people's
webcams, see the
Insecam online camera directory.
You can find them yourself by searching at Shodan:
netcam
linux+upnp+avtech
As for Google searches, try these:
-
Lists of files from the
My Documentsfolder, including Excel spreadsheets:
intitle:"index of" intitle:"My Documents" xls budget
intitle:"index of" intitle:"My Documents" xls business
intitle:"index of" intitle:"My Documents" xls tax -
The same sort of thing, except let's limit our search to the
.ustop-level domain and look for files or folders named "grades" or "attendance" or "behavior" to try to find sensitive information in school records:
intitle:"index of" intitle:"My Documents" site:us grades OR attendance OR behavior -
School spreadsheets:
intitle:"index of" intitle:"My Documents" site:us xls -
UNIX systems foolishly serving out their
/etcdirectory, some with the fileshadowworld-readable. Pull out the entry forrootout ofshadowand use Crack to reverse-engineer their administrative password.
intitle:"index of" intitle:etc shadow passwd nsswitch -man5 -
Database administrator's passwords!
intitle:"Index of" administrators.pwd -
Filemaker Pro database servers that are way too friendly:
"Select a database to view" intitle:"filemaker pro" -
Sensitive US military and government documents tend to include
"DISTRIBUTION RESTRICTION: Distribution is authorized
to ... only", so let's look for that:
filetype:pdf "DISTRIBUTION RESTRICTION: Distribution is authorized to" site:.mil
filetype:pdf OR filetype:doc OR filetype:ppt OR filetype:xls
"DISTRIBUTION RESTRICTION:" site:.mil -"approved for public release" -
Remotely controllable (by you!) webcams, many not intended for
public access:
Panasonic (usually controllable) WebcamXP Pro AXIS high-resolution camera AXIS PTZ camera (view/view.shtml) AXIS PTZ camera (view/index.shtml) AXIS multi-camera view AXIS network camera or video server AXIS 205/206M/206W/210 network camera Canon webview netcams MOBOTIX M1 cameras SupervisionCam Panasonic network camera Panasonic WJ-NT104 network camera Sony SNC-Z20 network camera Sony SNC-RZ30 network camera Many intentional webcams (beach, harbor, construction, etc) -
Find U.S. Social Security Numbers by searching for Excel spreadsheets
containing the strings "SSN" and "DOB" plus common American
surnames.
Note that "Smith" and "Jones" are too obvious a choice,
you will tend to get examples rather than real data.
See
http://www.lifesmith.com/comnames.html
for the 50 most common American surnames.
Note that Google limits query complexity,
so you will need to try five at a time.
And you will need to weed out the copies of course exercise work,
people doing homework by entering bogus data into spreadsheets:
filetype:xls SSN DOB johnson OR williams OR brown OR davis OR miller
filetype:xls SSN DOB wilson OR moore OR taylor OR anderson OR thomas
filetype:xls SSN DOB jackson OR white OR harris OR martin OR thompson
filetype:xls SSN DOB garcia OR martinez OR robinson OR clark OR rodriguez
filetype:xls SSN DOB lewis OR lee OR walker OR hall OR allen
Also see the Google Hacking Diggity Project and the Search Diggity tool.
There are also more specialized
FTP and archive indexing engines:
Search-22
Мамонт /
www.mmnt.ru
FileMare.com
FileWatcher
FileSearching.com
FTP Search Engine
NAPALM FTP indexer
MetaBear.ru
You might then need Binwalk and BAT or the Binary Analysis Tool to unpack and analyze arbitrary packages and firmware.
Secure E-Mail, Online Storage, and File Sharing (versus government surveillance)
See the page on government surveillance for these topics:
- Secure e-mail providers shut down under U.S. government pressure.
- International outrage over the U.S. US-984XN / PRISM / Boundless Informant surveillance programs even though Germany and other nations do the same thing.
- In 2011-2012 the national governments of the United Arab Emirates, Saudi Arabia, and India obtained back-door access to all Blackberry data traffic in those countries.
- Nokia and Apple also provided full access to the Indian government.
Information Leakage
Lots of information can leak out of a host, giving a would-be
attacker hints about what it is and how it might be attacked.
Automate the banner grabbing with
Nmap,
which can also detect the remote OS.
Used it follows:
nmap -sS -sV -O target.example.com
Detect the remove version of the BIND DNS server,
if the remote machine is willing to honestly answer
such a question from your machine:
dig chaos txt version.bind. @target.example.com
Request and display the header of the web server,
possibly revealing operating system, web server software,
supporting software such as PHP or .NET and its version,
and security headers:
curl -I https://www.example.com/
SSH and Secure Replacements for Telnet and FTP
SSH tools can be found at the following, most of them are free:
SSH Clients for UNIX
OpenSSH provides both SSH and SFTP (FTP tunneled through SSH). Plus you can tunnel TCP applications through SSH.
SSH Clients for Windows and DOS
OpenSSH
is finally included with Windows,
with commands ssh, scp,
and sftp.
You may need to go into the Control Panel and enable it.
The world no longer relies on PuTTY, one guy's project.
SSH Clients for Macintosh — In addition to the built-in Terminal and installing the OpenSSH port, of course: SecureCRT (commercial) and NiftySSH.
I had forgotten about the issue of TN3270 security, now it supports TLS.
Hardware Encryption
FIPS 140 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. See the standard itself and lists of approved hardware on the NIST site.
Cryptek made the DiamondNIC LAN card, certified at B2 by NSA, plus LAN and WAN hardware solutions.
Fortezza cryptographic cards were made by Mykotronx and Spyrus, but those date back to the PC Card or PCMCIA technology of the 1990s.
Also see the COMSEC page.
Commercial Eavesdropping Equipment
Narus and Verint sell mass surveillance and eavesdropping equipment to a wide range of governments. From their web pages in 2010:
Narus is the leader in real-time traffic intelligence for the protection and management of large IP networks
Real-time Traffic Intelligence
is the ability to protect and manage large IP networks by understanding in detail the behavior of the traffic
Product
NarusInsight is the most scalable traffic intelligence system for capturing, analyzing and correlating IP traffic in real time.
In addition to the U.S. government and U.S. telecommunications companies, Verint's customers have included Mexico (the government's nation-wide telecommunications eavesdropping system), Vietnam (equipment used by all ISPs for government mandated monitoring of discussions of democracy), and many others.
Narus has sold their high-end systems to the People's Republic of China's Internet monitoring and enforcement agency, the Information Technology Security Certification Center. According to the U.S. State Department's Country Reports on Human Rights Practices issued March 6, 2007, after this upgrade:
The authorities reportedly began to employ more sophisticated technology enabling the selective blocking of specific content rather than entire Web sites. Such technology was also used to block e-mails containing sensitive content ... New restrictions aimed at increasing government control over the Internet included stricter Web site registration requirements, enhanced official control of online content, and an expanded definition of illegal online content. The country's Internet control system reportedly employed tens of thousands of persons. The government consistently blocked access to sites it deemed controversial, such as sites discussing Taiwan and Tibetan independence, underground religious and spiritual organizations, democracy activists, and the 1989 Tiananmen massacre. The government also at times blocked access to selected sites operated by major foreign news outlets, health organizations, and educational institutions.
Amazon 0307279391
According to James Bamford's The Shadow Factory, Narus has also sold its eavesdropping systems to fun and friendly governments like Pakistan, Egypt, Saudia Arabia, and Libya.
Glimmerglass Networks sold intercept hardware for optical networks, as described by their president and CEO in a story in Aviation Week and Space Technology, July 26, 2010, pp 57-58.
Wireless LAN/WAN Security
Authentication and integrity are at least as important, or even more important, as confidentiality in some applications. See my networking monitoring/sniffing page for this category.
Voice Scramblers
For secure voice links, get real hardware. Expect to pay a lot. Historically, these were something like a STU, CipherTAC, or ASTRO system from Motorola, or a SwiftLink 1400, about US$ 16,600.
Voice encryption units can be built into radio gear. Communications Specialists has offered units in the range of US$ 79-299 each, and E. F. Johnson has produced chips and modules for secure radio transceivers.
Do not trust the "voice-scrambling" units sold via ads in popular magazines! They are trivial for anyone who understands analog circuit design. Here is a circuit to both do that trivial "scrambling" and to break it.
Also see my COMSEC page.
Cryptography and International Law
No one shall be subjected to arbitrary interference with his
privacy, family, home, or correspondence, nor to attacks
upon his honor and reputation.
Everyone has the right to the protection of the law against
such interference or attack.
— Article 12, Universal Declaration of Human Rights, 1948
It's hard to figure out the laws of one country, let alone several. To export from the U.S., January 2000 finally saw some loosening of U.S. laws, but do not assume that anything goes!
Now, where are you exporting it to? France and Russia (well, at least on paper...) require you to register cryptography, and don't allow import of strong cryptography. Israel, Singapore, and Hong Kong all have differing rules of their own. Germany and Malaysia seem to regulate digital authentication. Saudi Arabia simply bans all cryptography. If you have to do anything with multinational applications of cryptography, check out Bert-Jaap Koops' excellent Koop's Crypto Law Survey
The EFF has a generally quite critical look at U.S. laws.
X Privacy and xspy
Be very careful about reckless use of xhost!
xspy is a tool for grabbing all keyboard
and/or mouse input from an unsecured X
display — click here to get a copy.
This is very useful for convincing people of the
insecurity of mis-used X!
Make certain you understand xauthority,
and avoid the reckless xhost +!
IPsec — Confidentiality, Integrity, and Authentication Through Secure IP
Click here to see my page with a simple explanation of IPsec.
If you use PPTP, the Point-to-Point Tunneling Protocol, do not use the flawed Microsoft implementation. Use the L2TP protocol with IPsec instead.
Virtual Private Networks
IPsec and TLS are fundamental technologies supporting VPNs or Virtual Private Networks. Your organization can use that technology to set up secure connections across the Internet between distant sites.
However, if you are an individual looking for a way to obscure your Internet activity by securely tunneling to a provider or proxy and then connecting from there, well, there aren't a lot of good choices. Brian Krebs has an excellent overview of how most public VPN solutions are worthless, especially any supposed free VPN providers. He points us to a collection of reviews and side-by-side comparisons of VPN services.
Tracking with mobile devices
Researchers at Technische Universität Braunschweig wrote a paper "Privacy Threats through Ultrasonic Side Channels on Mobile Devices" in which they describe smart phone apps which listen for ultrasonic signals in stores and carried on television commercials in order to track owners' locations and activities plus their web site and television viewing history. The signals are at 18-20 kHz, so they can be received and transmitted by consumer devices but not detected by typical adult humans. The Silverpush technology has received some media attention including this article in The Atlantic. Other tracking technologies include Shopkick, Lisnr, and Signal360.
Researchers at P1 Security wrote "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone", describing how an attacker can use Voice over LTE technology to retrieve information on targeted subscribers including their locations.
Keyloggers
Cryptologia had an article "Non-Cryptanalytic Attacks", discussing various ways of spying on user activity to steal passwords, capture all activity, and so on. (vol. 26, no. 3, 2002, pp 222-234)
The article struck me as rather creepy, describing products and activities from the "Two Wrongs Make a Right" school of thought.
You can buy keyloggers from Amazon. They are marketed as crucial for parents to monitor their children, and for spouses or lovers to monitor their special-but-suspected someone.
STARR — STealth Activity Recorder & Reporter — was a product by iOpus. For a while you could download it from CNet.
D.I.R.T. — Data Interception by Remote Transmission — was described by Codex Data Systems as a tool they would only sell to law enforcement and federal goverment agencies: "Data Interception by Remote Transmission is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center." CA had a page about detecting it as spyware. It appears that D.I.R.T. is a scam and Codex's CEO was a convicted felon on probation for illegal possession of surveillance devices, "widely regarded as a scam artist with a long history of security/surveillance snake-oil sales" according to this article in The Register.
ABCKeylogger is another "tool" widely considered malware.
Ghost Keylogger now called Spytector is another long-lived piece of spyware still being sold.
Magic Lantern is a US FBI software product intended to be deployed as an e-mail attachment that infects the recipient's machine to install spyware. MSNBC has reported on it, but the FBI has refused to tell the public or the Congress anything about it.