We must be careful with terminology.
This becomes harder because one word can mean opposite things to different people. To a corporation or government, "security" often means the ability to monitor all communications and information stored by its employees or citizens. But to those employees or citizens, "security" means the ability to communicate and store information without being monitored. It means both violating and protecting secrecy, depending on who you ask.
Of the CIA triple of information security — Confidentiality, Integrity, and Availability — most people concentrate on the first one. But before we jump in, we need to make sure we're being careful with the words we use to discuss these concepts. According to many people:
Secrecy is a technical term for the effect of the mechanisms used to limit access to information. These mechanisms are typically a combination of access control and encryption.
Confidentiality involves the obligation to protect the secrets of other people or organizations. For example, the obligation of a physician or lawyer to their patient or client.
Privacy is the ability and/or right of a person to protect or conceal personal information. People can and should have privacy, this can extend to include their families, but it doesn't make sense to talk about the privacy of a corporation.
"Nothing works against the success of a conspiracy so much as the wish to make it wholly secure and certain to succeed. Such an attempt requires many men, much time, and very favorable conditions. And all these in turn heighten the risk of being discovered. You see, therefore, how dangerous conspiracies are."
— Francesco Guicciardini, Ricordi Politici, 1528-1530
"Fawn — next time with fewer people"
— Robert "Bud" McFarlane, note to Fawn Hall, 22 April 1987
An amusing summary is: "It's no secret what I'm doing in the public toilet stall, but for privacy's sake I close the door." I've seen that attributed to Cory Doctorow, but can't easily find a reference.
As for secrecy, we need to consider the actual message content and the external details of the communication or storage. For example, observing that someone is communicating with a specialized medical clinic exposes secrets about their condition. Some people say we need both secrecy of the message contents and anonymity of the communication. Other people use the terms message content secrecy and message source (or destination) secrecy, and the corresponding concepts of confidentiality for your obligations to protect someone else's secrets.
PGP and Gnu Privacy Guard
See my "Just Enough Cryptography" page for an overview of the concepts of encryption (for confidentiality) and digital certificates (for integrity of the message and authentication of the sender).
The best solution for a PGP user tool is the Gnu Privacy Guard. Linux and BSD include it, and it's easily added to other operating systems. It's open-source so it's well-tested and trusted, get it at gnupg.org for Linux, BSD, and Windows. For macOS, get MacGPG from gpgtools.org or the sourceforge page.
If you need a commercial product, Symantec bought PGP the company.
Disk Encryption Tools
TrueCrypt was a free open-source disk encryption system for Windows, macOS, and Linux. In May 2014 the project abruptly shut down, its web site replaced with links to a Sourceforge page warning that the software should not be trusted.
My page on
Linux file system encryption
explains how to use
dm-crypt within the
Linux kernel to encrypt file systems, either locally
or within the Amazon cloud.
There are some issues with Microsoft's EFS (Encrypting File System) — see the details on my page on os-specific issues.
Key Recovery Tools
Remember that if a system can have its cryptographic keys "recovered", you shouldn't rely on it to keep your information confidential! Beware commercial applications that claim to include methods for encrypting your files! There are tools that quickly break the toy "encryption" included in Microsoft Word, Microsoft Excel, WordPerfect, Quattro Pro, PKZIP, Paradox, Lotus 1-2-3, and many more. For tools to break this toy "encryption" see the Openwall project's great archive of open-source password recovery software.
And of course there are people who will do this for you, for a fee, or sell you software, including Passware, Password Recovery Tools, AccessData, PWCrack, Elcomsoft, and Lastbit.
According to a Reuters story on 24 Dec 2002, the U.S. Transportation Security Administration foolishly relied on these toy systems, and anyone could download and decode "restricted" documents from their web server.
Privacy risks of Google and similar search engines
This is absolutely no fault of Google or other search engines,
but some silly web site administrators have
misconfigured their servers.
Instead of the web server being kept within the sandbox of
/var/www/html (or wherever) on UNIX,
C:\inetpub on Windows,
the server serves out everything on the file system.
Or at least far more than it should.
The great SHODAN search engine has a lot of these already done for you. The NSA published a how-to book for its employees, "Untangling the Web: A Guide to Internet Research". But it's pretty simple to specialize your own Google searches.
If you are just interested in looking at other people's
webcams, see the
Insecam online camera directory.
You can find them yourself by searching at Shodan:
As for Google searches, try these:
Lists of files from the
My Documentsfolder, including Excel spreadsheets:
intitle:"index of" intitle:"My Documents" xls budget
intitle:"index of" intitle:"My Documents" xls business
intitle:"index of" intitle:"My Documents" xls tax
The same sort of thing, except let's limit our search to the
.ustop-level domain and look for files or folders named "grades" or "attendance" or "behavior" to try to find sensitive information in school records:
intitle:"index of" intitle:"My Documents" site:us grades OR attendance OR behavior
intitle:"index of" intitle:"My Documents" site:us xls
UNIX systems foolishly serving out their
/etcdirectory, some with the file
shadowworld-readable. Pull out the entry for
shadowand use Crack to reverse-engineer their administrative password.
intitle:"index of" intitle:etc shadow passwd nsswitch -man5
Database administrator's passwords!
intitle:"Index of" administrators.pwd
Filemaker Pro database servers that are way too friendly:
"Select a database to view" intitle:"filemaker pro"
Sensitive US military and government documents tend to include
"DISTRIBUTION RESTRICTION: Distribution is authorized
to ... only", so let's look for that:
filetype:pdf "DISTRIBUTION RESTRICTION: Distribution is authorized to" site:.mil
filetype:pdf OR filetype:doc OR filetype:ppt OR filetype:xls
"DISTRIBUTION RESTRICTION:" site:.mil -"approved for public release"
Remotely controllable (by you!) webcams, many not intended for
Panasonic (usually controllable) WebcamXP Pro AXIS high-resolution camera AXIS PTZ camera (view/view.shtml) AXIS PTZ camera (view/index.shtml) AXIS multi-camera view AXIS network camera or video server AXIS 205/206M/206W/210 network camera Canon webview netcams MOBOTIX M1 cameras SupervisionCam Panasonic network camera Panasonic WJ-NT104 network camera Sony SNC-Z20 network camera Sony SNC-RZ30 network camera Many intentional webcams (beach, harbor, construction, etc)
Find U.S. Social Security Numbers by searching for Excel spreadsheets
containing the strings "SSN" and "DOB" plus common American
Note that "Smith" and "Jones" are too obvious a choice,
you will tend to get examples rather than real data.
for the 50 most common American surnames.
Note that Google limits query complexity,
so you will need to try five at a time.
And you will need to weed out the copies of course exercise work,
people doing homework by entering bogus data into spreadsheets:
filetype:xls SSN DOB johnson OR williams OR brown OR davis OR miller
filetype:xls SSN DOB wilson OR moore OR taylor OR anderson OR thomas
filetype:xls SSN DOB jackson OR white OR harris OR martin OR thompson
filetype:xls SSN DOB garcia OR martinez OR robinson OR clark OR rodriguez
filetype:xls SSN DOB lewis OR lee OR walker OR hall OR allen
Also see the Google Hacking Diggity Project and the Search Diggity tool.
There are also more specialized
FTP and archive indexing engines:
Search-22 Мамонт / www.mmnt.ru FileMare.com FileWatcher FileSearching.com FTP Search Engine NAPALM FTP indexer MetaBear.ru
You might then need Binwalk and BAT or the Binary Analysis Tool to unpack and analyze arbitrary packages and firmware.
Sanitizing Media by Overwriting
There are U.S. federal standards on how to overwrite magnetic media in a way that is considered secure. The short version is:
- Overwrite all locations with some character,
- Then with its logical complement,
- Then with a random character,
- And finally verify the last write
Something like all zeros, then all ones, then pseudo-random bits, and finally verify that you can read the same pseudo-random sequence back out. For more details on just how to do this on various types of media see the nice summary at zdelete.com or, for the full details, see the original DOD documents.
However, while NSA definitely is aware of DOD 5220.22-M and recommends its use, there is no such thing as "the NSA standard" or "the NSA method" above and beyond this. Just 3 overwrites (and then carefully destroy the media for maximum safety). Note that DOD services may have their own nomenclature for "DOD 5220.22-M".
If you really want to pursue this (because you think that your advisary is likely to apply atomic-force microscopy on your media to recover data after you overwrote it), read this 1996 paper. Also be aware that physical disk geometry is automatically (and silently!) remapped by drive electronics during the media service life, meaning that sensitive data may have been written to spare cylinders. It can be difficult to verify that you are writing the patterns to all addressible locations. If you really care, use a hammer.
Secure E-Mail, Online Storage, and File Sharing (versus government surveillance)
See CryptoHeaven for secure e-mail, online storage, and file sharing. Hmmm, shades of Neil Stevenson's cryptographic data haven in Cryptonomicon...
See the page on government surveillance for these topics:
- Secure e-mail providers shut down under U.S. government pressure.
- International outrage over the U.S. US-984XN / PRISM / Boundless Informant surveillance programs even though Germany and other nations do the same thing.
- In 2011-2012 the national governments of the United Arab Emirates, Saudi Arabia, and India obtained back-door access to all Blackberry data traffic in those countries.
- Nokia and Apple also provided full access to the Indian government.
Lots of information can leak out of a host, giving a would-be
attacker hints about what it is and how it might be attacked.
Automate the banner grabbing with
which can also detect the remote OS.
Used it follows:
nmap -sS -sV -O target.example.com
Detect the remove version of the BIND DNS server,
if the remote machine is willing to honestly answer
such a question from your machine:
dig chaos txt version.bind. @target.example.com
SSH and Secure Replacements for Telnet and FTP
SSH tools can be found at the following, most of them are free:
SSH Clients for UNIX
OpenSSH provides both SSH and SFTP (FTP tunneled through SSH). Plus you can tunnel TCP applications through SSH.
SSH Clients for Windows and DOS
PuTTY OpenSSH SSHDOS SecureCRT (commercial)
SSH Clients for Macintosh — In addition to the built-in Terminal of course:
SecureCRT (commercial) NiftySSH
I had forgotten about the issue of TN3270 security.
FIPS 140 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. See the standard itself and lists of approved hardware on the NIST site.
Cryptek makes the DiamondNIC LAN card, certified at B2 by NSA, plus LAN and WAN hardware solutions.
Fortezza (tm) cryptographic cards are made by Mykotronx and Spyrus
VPNet Technologies, +1-408-445-6000, makes encryption boxes that sit between your LAN and your router.
Certicom Corp, +1-905-507-4220, makes the Certifax 3000, a secure FAX machine.
nCipher makes a PCI-bus cryptographic accelerator card.
Atalla network encryption hardware is sold by HP.
Also see the COMSEC page.
Commercial Eavesdropping Equipment
Narus and Verint sell mass surveillance and eavesdropping equipment to a wide range of governments. From their web pages:
Narus is the leader in real-time traffic intelligence for the protection and management of large IP networks
Real-time Traffic Intelligence
is the ability to protect and manage large IP networks by understanding in detail the behavior of the traffic
NarusInsight is the most scalable traffic intelligence system for capturing, analyzing and correlating IP traffic in real time.
In addition to the U.S. government and U.S. telecommunications companies, Verint's customers have included Mexico (the government's nation-wide telecommunications eavesdropping system), Vietnam (equipment used by all ISPs for government mandated monitoring of discussions of democracy), and many others.
Narus has sold their high-end systems to the People's Republic of China's Internet monitoring and enforcement agency, the Information Technology Security Certification Center. According to the U.S. State Department's Country Reports on Human Rights Practices issued March 6, 2007, after this upgrade:
The authorities reportedly began to employ more sophisticated technology enabling the selective blocking of specific content rather than entire Web sites. Such technology was also used to block e-mails containing sensitive content ... New restrictions aimed at increasing government control over the Internet included stricter Web site registration requirements, enhanced official control of online content, and an expanded definition of illegal online content. The country's Internet control system reportedly employed tens of thousands of persons. The government consistently blocked access to sites it deemed controversial, such as sites discussing Taiwan and Tibetan independence, underground religious and spiritual organizations, democracy activists, and the 1989 Tiananmen massacre. The government also at times blocked access to selected sites operated by major foreign news outlets, health organizations, and educational institutions.
According to James Bamford's The Shadow Factory, Narus has also sold its eavesdropping systems to fun and friendly governments like Pakistan, Egypt, Saudia Arabia, and Libya.
Glimmerglass Networks sells intercept hardware for optical networks, as described by their president and CEO in a story in Aviation Week and Space Technology, July 26, 2010, pp 57-58.
Wireless LAN/WAN Security
Authentication and integrity are at least as important, or even more important, as confidentiality in some applications. See my networking monitoring/sniffing page for this category.
For secure voice links, get real hardware. Expect to pay at least US$ 1000 per unit. Historically, these were something like a STU, CipherTAC, or ASTRO system from Motorola, or a SwiftLink 1400 (about US$ 16,600) from Telecommunication Systems, or similar products from AT&T.
Voice encryption units to be built into radio gear. Communications Specialists has offered units in the range of US$ 79-299 each, and E. F. Johnson has produced chips and modules for secure radio transceivers.
See the Secure Products Wiki for more details.
Do not trust the "voice-scrambling" units sold via ads in popular magazines! They are trivial for anyone who understands analog circuit design. Here is a circuit to both do that trivial "scrambling" and to break it.
Also see my COMSEC page.
Cryptography and International Law
No one shall be subjected to arbitrary interference with his
privacy, family, home, or correspondence, nor to attacks
upon his honor and reputation.
Everyone has the right to the protection of the law against
such interference or attack.
— Article 12, Universal Declaration of Human Rights, 1948
It's hard to figure out the laws of one country, let alone several. To export from the U.S., January 2000 finally saw some loosening of U.S. laws, but do not assume that anything goes!
Now, where are you exporting it to? France and Russia (well, at least on paper...) require you to register cryptography, and don't allow import of strong cryptography. Israel, Singapore, and Hong Kong all have differing rules of their own. Germany and Malaysia seem to regulate digital authentication. Saudi Arabia simply bans all cryptography. If you have to do anything with multinational applications of cryptography, check out Bert-Jaap Koops' excellent Koop's Crypto Law Survey
The EFF has a generally quite critical look at U.S. laws.
X Privacy and
Be very careful about reckless use of
xspy is a tool for grabbing all keyboard
and/or mouse input from an unsecured X
display — click here to get a copy.
This is very useful for convincing people of the
insecurity of mis-used X!
Make certain you understand
and avoid the reckless
IPsec — Confidentiality, Integrity, and Authentication Through Secure IP
Click here to see my page with a simple explanation of IPsec.
If you use PPTP, the Point-to-Point Tunneling Protocol, do not use the Microsoft implementation, which is now proven to be broken! See the explanations here and here. Use the L2TP protocol with IPsec instead.
Virtual Private Networks
IPsec and TLS are fundamental technologies supporting VPNs or Virtual Private Networks. Your organization can use that technology to set up secure connections across the Internet between distant sites.
However, if you are an individual looking for a way to obscure your Internet activity by securely tunneling to a provider or proxy and then connecting from there, well, there aren't a lot of good choices. Brian Krebs has an excellent overview of how most public VPN solutions are worthless, especially any supposed free VPN providers. He points us to a collection of reviews and side-by-side comparisons of VPN services.
Tracking with mobile devices
Researchers at Technische Universität Braunschweig wrote a paper "Privacy Threats through Ultrasonic Side Channels on Mobile Devices" in which they describe smart phone apps which listen for ultrasonic signals in stores and carried on television commercials in order to track owners' locations and activities plus their web site and television viewing history. The signals are at 18-20 kHz, so they can be received and transmitted by consumer devices but not detected by typical adult humans. The Silverpush technology has received some media attention including this article in The Atlantic. Other tracking technologies include Shopkick, Lisnr, and Signal360.
Researchers at P1 Security wrote "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone", describing how an attacker can use Voice over LTE technology to retrieve information on targeted subscribers including their locations.
Cryptologia had an article "Non-Cryptanalytic Attacks", discussing various ways of spying on user activity to steal passwords, capture all activity, and so on. (vol. 26, no. 3, 2002, pp 222-234)
The article struck me as rather creepy, describing products and activities from the "Two Wrongs Make a Right" school of thought.
Now, of course, you can buy keyloggers from Amazon. They are marketed as crucial for parents to monitor their children, and for spouses or lovers to monitor their special-but-suspected someone.
STARR — STealth Activity Recorder & Reporter — was a product by iOpus. It seems to no longer be supported, but it appears that you can still download it from CNet.
D.I.R.T. — Data Interception by Remote Transmission — was described by Codex Data Systems as a tool they would only sell to law enforcement and federal goverment agencies: "Data Interception by Remote Transmission is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center." CA has a page about detecting it as spyware. It appears that D.I.R.T. is a scam and Codex's CEO was a convicted felon on probation for illegal possession of surveillance devices, "widely regarded as a scam artist with a long history of security/surveillance snake-oil sales" according to this article in The Register.
ABCKeylogger is another "tool" widely considered malware.
Ghost Keylogger is another long-lived piece of spyware still being sold.
Magic Lantern is a US FBI software product intended to be deployed as an e-mail attachment that infects the recipient's machine to install spyware. MSNBC has reported on it, but the FBI has refused to tell the public or the Congress anything about it.
Spyware: Adware, Stealth Networks, Web Cookies, etc
There's a lot of concern over "spyware". To avoid most (but not all!) spyware, use any browser except for the horribly insecure Explorer. Most people like Mozilla's Firefox. Beware, browsers in general tend to be buggy (due to their complexity), they all have security problems, but because of both poor design and poor software production, Explorer has a much worse track record.
Most organizations find that preventing the use of Explorer solves much of their spyware/adware problems.
Back to the main Security page