Introductory Lessons in Communication Security

This is a guest post by an Anonymous writer introduced on another web site. I particularly liked this article because it references sites you can use now. We have written about this subject in other articles that can be found throughout our site, but this is a different writer’s view to achieve the same goal. It’s kinda long, but stick with it, mate; half the fun of finding the treasure is the journey.


Everyone already understands that it is important to protect your identity online. Operational security encourages practitioners to conceal their actions (i.e., don’t discuss your stockpile, the number or types of your weapons or ammunition, or your evacuation plan); Communication Security similarly focuses on your tactical communication. While not everyone may have a complete understanding of communication systems, there are simple methods to protect yourself and your identity online.

Passwords:

The simplest method of authentication (identifying yourself and being approved for access) to a system is the standard username and password. It is the cheapest form of authentication and the easiest to implement. It is important to understand how many systems handle these passwords.

Generally speaking, most systems do not store your password in plain text. Instead, when you create your password it goes through what is called a hashing algorithm, which changes it to what looks like a random string of text. This protects your password in the event that a password file is compromised.

On older systems (think Windows XP or earlier) this hash code is 16 characters long. When a password is 7 characters or less, the last portion of the hashed password will always be 404EE. This tells potential attackers that you are using a password less than 7 characters long, which will be easier to crack. This is why it is important to understand the need for strong passwords.

Strong password creation follows multiple guidelines.

The password must be long, at least 8 characters
The password must contain special characters: !@#$%^&*()
The password must contain numbers: 1234567890
The password must contain capital and lowercase characters.
The password must not contain easily obtainable information:
  Important dates: anniversaries or birthdays
  Your own, spouse’s, children’s, pets’, or family names
  Favorite activities or sports teams
  Job information: for active duty military, MarineCorps1775 is not a good password.
  Any other easily guessed passwords: password, qwerty, 1234, etc.
Avoid l33t speak: l33t speak is substituting numbers for their letter counterparts, such as “1amAw3s0m3”
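The guidelines above expressed as a checker, as an added example that is not part of the original article. The word list, the l33t substitution table and the `personal` parameter are constructed for illustration; a real check would load a large list of known weak passwords.

```python
import re

# Constructed sample list of easily guessed words and passwords.
WEAK = {"password", "qwerty", "1234", "awesome"}
# Undo the common l33t substitutions the guidelines warn about.
LEET = str.maketrans("013457@$!", "oieastasi")
SPECIALS = set("!@#$%^&*()")


def normalize(text):
    """Lowercase, reverse l33t substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(pw, personal=()):
    """Return the guidelines that pw violates; an empty list means it passes.

    personal holds names, dates and job details the user should not reuse
    (hypothetical parameter for this example).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs capital and lowercase letters")

    plain = normalize(pw)                 # letters after undoing l33t speak
    pw_digits = re.sub(r"\D", "", pw)     # digits in the order they appear
    for item in personal:
        letters = re.sub(r"[^a-z]", "", item.lower())
        digits = re.sub(r"\D", "", item)
        if (len(letters) >= 3 and letters in plain) or \
           (len(digits) >= 4 and digits in pw_digits):
            problems.append("contains personal information: " + item)

    if pw.lower() in WEAK or any(w in plain for w in WEAK if w.isalpha()):
        problems.append("easily guessed or l33t-disguised word")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "1amAw3s0m3", "MarineCorps1775"):
        print(candidate, check_password(candidate, ("Marine Corps", "1775")))
```
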
A good rule for a password is to take a phrase and substitute numbers and characters. For example, choose a phrase that is easily remembered: “To be or not to be”. Exchange every other letter for a memorable number, for instance a birth date: “T1 b9 8r 1o0 t2 b01”. This adds the date 19810201 into the phrase. Then change every other number to a symbol: “T1 b! 8r @o0 t# b0$”. Finally, change every other letter to a capital: “T1 b! 8R @o0 T# b0$”. This is a pretty secure password. While this process can be confusing and the result difficult to remember, there are other options available.

There are many password generation and keeping applications available for different operating systems, including Windows, Mac, Linux, iPhone/iPad, and Android. LastPass is a good paid program, and a free program is KeePass. There are pros and cons to each of these programs, but both support encryption of the passwords. Additionally, you can save this file to the cloud on Dropbox or other platforms so that your passwords are accessible anywhere.

Finally, writing down your password is generally considered a bad idea. However, if this is your preferred method, storing this document in your wallet is a better choice than under the keyboard or even in a desk drawer.

Online Communication:

Everyone knows there are methods to track your actions online. The websites you visit, emails you send, online transactions, and file sharing habits are all easily traced by any number of organizations. Your Internet Service Provider, NSA, FBI, and other organizations can easily obtain your records. There are various ways to protect your identity and habits online.

TOR

TOR, also known as The Onion Router, anonymizes your traffic by bouncing your connection globally through its crowd-sourced user pool. It works like this: anyone connected to the TOR network can act as an entry or exit point. People attempting to trace your connection will find that it bounces all around the globe, essentially making it impossible to trace. This method is a free solution available on Windows, Mac, Linux, and Android. I do not know at the time of this writing if it is supported through iPhone and iPad.

VPN

A VPN is a virtual private network. It routes all of your traffic through encrypted tunnels provided by your VPN provider. There are several good options for VPNs, some of which do not log your IP address and therefore have no method of tracking your online habits. This prevents them from having to report your usage information to government agencies, and protects your information from hackers by using the encrypted tunnels. BolehVPN and Astrill VPN provide these services and are well recommended.

Public Networks:

Public networks are a hacker’s playground. Airports, hotels, coffee shops, and restaurants that provide free public Wi-Fi are dangerous areas to access. Due to the free nature of these networks, anyone can log on for any reason. Any activity conducted on these networks can easily be seen by an attacker. The attacker can view your emails, sniff your passwords, and access your computer.

A user should not log on to any service (be it email, Facebook, or bank accounts) while connected to these networks. If you need to use these types of networks often, there are methods to protect yourself. Using the above-mentioned VPN services will encrypt your traffic end to end, preventing hackers from seeing what you are doing. Additionally, for hotel rooms that provide an Ethernet port, you may consider purchasing a travel router that can act as a firewall as well as a VPN service to protect your connection.

Online Web Purchases

Web purchases should only be conducted through trusted sites. This will ensure that all purchases are protected and the company is following best practices for securing your personal information. Additionally, only sites that are secured should be used to purchase. This can easily be seen by the URL of the website. If during checkout you do not see https:// in the URL, then you should not use this site for online transactions.

Internet Cafés:

Places that provide computers for access are also a cause for concern. Threats similar to those that affect public networks affect these as well. Additionally, threats to the physical machine could compromise your identity and security. If at all possible, a “LiveCD” should be used to access these machines. A LiveCD is an operating system that you can boot into, providing the user with a different operating system that, once shut down, does not retain usage information. Most of these systems are Linux-based.

A popular one is called TAILS, originally developed for DoD personnel accessing government systems from unsecured locations. TAILS comes pre-equipped with TOR and other anonymizing programs built in. These systems can be tricky to understand when first starting out, so you should practice prior to using a public system. Also, it must be booted from either a CD or a USB device, so you may have to change the boot order of the computer in order for it to work. Instructions to do this can be found online.

This may not be an option on the system you are using due to BIOS passwords. If you are unable to load your own operating system, avoid checking email, Facebook or purchasing products. If you must, be sure to clear the Internet history and cache prior to leaving.

Physical Security:

Finally, no discussion is complete without physical security. If an attacker gains physical access to your computer, it is no longer yours. They own it, and can do anything they please with it. They can take an exact image of your hard drive, install software, access your files, basically do whatever they want to it. To prevent this, use strong passwords, implement a BIOS password to prevent them from changing the boot order and loading an alternate operating system, use whole disk encryption, physically lock your device to a sturdy object, and ensure it doesn’t get stolen in transit. There are backpacks made specifically for this, with locking zippers and made of Kevlar to prevent people from cutting them.

Additionally, if you need to sell or otherwise get rid of your computer, ensure your hard drive is clean prior to transfer. When a file is deleted from a computer, it isn’t actually gone. The space on the hard drive is simply re-allocated to be written over. Data can still be recovered weeks, even months after the file has been deleted. To prevent this, there are a couple of options available. Eraser is a program that can securely erase unused space on the drive. This is good to ensure your deleted files are unrecoverable on your computer while you are using it.

If you plan on getting rid of your computer entirely, Darik’s Boot and Nuke will securely erase the entire hard drive, and it offers several options, from the DoD-approved 7-pass method to the Gutmann 35-pass method. (If you choose the 35-pass method, be prepared to wait a LONG time… at least 5 hours for a 250 gigabyte hard drive.)

I hope this sheds some light on communications security and provides you with a starting point on securing your own communications.

Although the writer remains anonymous, here are some credentials offered. The writer has a Master’s of Science in Information Assurance and Security where the curriculum has been certified by the NSA. Additionally, the writer has industry recognized certifications to include Certified Ethical Hacker, Certified Hacking Forensics Investigator, and ISO 27000 security policies certification.
