No 33, February 2008

DIGITAL SECURITY FOR ACTIVISTS

Roots of (in)security: Protecting your computer

Wojtek Bogusz, Digital Security and Information Systems Coordinator, Front Line

Increasingly our work is done through computers and the Internet. We depend on these tools and use them to collect and store information. For civil society activists and human rights defenders, however, if sensitive information ends up in the wrong hands, it can place lives at risk.

The CSW Monthly Bulletin is publishing a series of articles highlighting practical ways you can increase your digital security and privacy [1]. This month, Wojtek Bogusz of Front Line discusses how you can protect your computer from viruses, malware, Internet hackers and physical risks. He also discusses how to create and maintain good passwords.

This article is a part of the updated second version of the Security Edition of NGO in a Box [2], currently under development.

1. Roots of (in)security: Protecting your computer

1.1 A Healthy Computer

Without creating and maintaining a good foundation for security on your computer, it is impossible to guarantee the effectiveness of any other security tools you install. For example, the strength of your password and the quality of your encryption programme provide little security if your computer is infected with a “spyware” programme that logs all your keystrokes and sends this information to someone else.

It is extremely important for each computer to have anti-virus, anti-spyware and firewall software installed. In addition, all this software must be regularly updated, including the operating system, to ensure your computer is immune to the latest threats.

Protecting your computer from viruses and malware

There are many types of “malware” [3], including viruses, worms, macros, trojans, and spyware.
They are transmitted from computer to computer in a multitude of different ways: over emails, downloaded with files or while reading web pages, and shared through CDs/DVDs, USB memory sticks or external drives. Some malware (like viruses) can damage your information and bring your work to a halt. Other malware programmes (like spyware) can record the keystrokes that you type on your keyboard, the movements of your mouse, the pages you visit, or the programmes you run, and send this information to an outsider.

Fortunately there are many programmes to protect you (anti-virus and anti-spyware), but it is essential that you choose a good programme. We recommend that you use the anti-virus programme Avast! [4] and the anti-spyware programme SpyBot [5]. If you already have an anti-virus programme installed on your computer and you do not want to switch, check if it can also protect you from spyware. If you do switch, make sure you uninstall your current anti-virus programme before adding another. Running two anti-virus programmes at the same time can cause your computer to crash.

The most important thing is that you regularly update your anti-malware (both anti-virus and anti-spyware) programmes. Each day, new malware is written and distributed. If you do not update, very soon you will be as unprotected as if you did not have any anti-malware running at all. It is also important to ensure the anti-malware is running regular scans on your computer.

We also recommend that you be extremely cautious when opening email and attachments. It is best not to open attachments from unknown sources. Also, when connecting any media (such as a USB memory stick) to your computer, always check that your anti-virus programme is updated and running. In addition, we advise against running or downloading programmes, applets, or scripts from the Internet if you do not trust their origin. If you are keen on finding out more, you can keep up to date on news related to viruses [6].
Switching to free and open source software can also help to protect your computer from viruses – see below.

Guarding your computer against intruders

Even with the best anti-malware programme, there is a chance that some spyware will sneak through and try to send information outside. This could also happen if one of your installed programmes has a security hole. The faulty programme could then be used as an entry point to gain access to your computer. To prevent this, you need another line of protection - a firewall.

A firewall is like a security guard that monitors all entrances and exits – it is the first programme that receives, inspects and makes decisions about all incoming data before it reaches any other programmes in your computer. It is also the last to inspect all information that is leaving your computer. If the information, its origin, its destination or a specific programme is not granted permission to communicate, it is stopped and the firewall asks you what to do.

We recommend that you install and use Comodo firewall [7], which is much better than the default firewall (if any) available in the Windows operating system. It is also worth checking and improving the settings of your Windows system and other programmes that you use – see tools like Xpy [8], Vispa [9] and Security and Privacy Complete [10] to learn about how to do this.

Simple actions can also help protect your computer. Switch off services that you do not use on your computer [11]. Install only essential programmes on your computer, and uninstall all that you do not need. Disconnect your computer from the Internet when you are not using it and switch it off completely when you are not working on it.

Ensuring your software is updated and reliable

Computer programmes are complex. It is inevitable that they contain some errors – even some that may undermine your security. Software developers continue to correct the errors they find and periodically release updates to fix those errors.
We recommend that you regularly check for updates for all your programmes, including your Windows operating system [12]. Proprietary programmes like Microsoft Windows allow only legal copies of the programmes to download updates. If you use an illegal copy you will not be able to update it, risking that your information could be exposed to unauthorised persons. By not having a valid licence you also risk that the police could confiscate your computer. Prosecuting an organisation for the illegal use of software is a convenient option for authorities seeking to restrict its work for political reasons.

To address those and other issues we strongly recommend that you switch to free and open source software (FOSS). Aside from the fact that it is free, FOSS is also much more secure than such programmes as Internet Explorer, Outlook or Outlook Express and Microsoft Office, which are known for being insecure and prone to viruses. Switch to FOSS equivalents: Firefox [13], Thunderbird [14], OpenOffice [15]. Those programmes look and work in almost the same way and co-operate with Microsoft programmes. But most importantly, they are more secure as they are developed in a transparent, open way, by a large, more diverse and independent group of people. You may also consider completely switching from Microsoft Windows to FOSS operating systems called GNU/Linux. One we would recommend is Ubuntu [16].

1.2 Break-ins and breakdowns

You can put a great deal of effort into building up a digital barrier around your information and computer only to lose all your information because someone steals or destroys your computer, or even because of an intended or accidental electric surge in your power supply.

Many organisations give insufficient consideration to the physical security aspects of their office, equipment and information stored within it. Often there are no complete policies that protect equipment and information from theft, weather conditions, and accidents.
An organisation may have good locks on its doors and strong windows, but may fail to keep track of how many copies of keys exist to open these doors and who owns them. It could also have little or no control over cleaners who work at the office outside normal hours.

It is tough to summarise a one-size-fits-all solution for a physical security plan, as it often depends on the particular circumstances and environment of an organisation. We recommend that you start with assessing your own and your organisation's risks, threats and vulnerabilities. Physical protection of the digital aspect of your work fits within the broader context of your work (see Protection Handbook and Protection Manual for Human Rights Defenders [17]).

The assessment of your vulnerabilities should include evaluation of:

· The communication channels you use (e.g. paper letters, fax, landline phones, mobile phones, emails, Skype, etc.) and how you use them;
· How you store your information (e.g. email or web server, computer disks, external USB disks, CD/DVDs, mobile phones, printed paper, etc.);
· Where the information is located (e.g. internet, office, home, etc.)

You can take it further by evaluating the physical risks to your equipment and to the information that you store and exchange. Review the practical changes that you can make to improve physical security. Put all this in writing and create a security policy. Imagine this document as a guideline for yourself and for any newcomers to the organisation to ensure they know the security standards. It can also serve as a checklist of things-to-do in case of emergencies. Security policies should be reviewed periodically and should reflect any changes.

Below is a list of tips on improving the physical security of your information. Note that this is not a complete list, but just a few general ideas to get you started.

Outside office/home - get to know your neighbours; review how you protect the possible entry points; consider installing a surveillance camera, or motion-sensor alarm; analyse what you dispose of and how, especially printouts, CDs and other carriers of information.

In the office/home - create physical barriers to delay and make access to information difficult: install an intercom, have a reception to welcome people, have a meeting or public room next to reception so visitors do not have to wander through your office.

Cabling and network devices - keep servers, computers, hubs and other communication devices behind a locked door; run all cabling within the office to make it harder to tap; encrypt your wireless network and lock it to prevent unauthorised access.

Desk and computer - place your computer so the screen cannot be seen or reached from an outside window; lock the computer case to prevent tampering; lock your computer to your desk to make theft harder; password protect BIOS and configure it so it does not boot from the floppy drive; password lock your computer whenever you're away from it (press Ctrl+Alt+Delete, then "k" - the shortcut for the Lock button) to make sure that you have to enter a password to log in to your computer; encrypt sensitive information (we will explain how to do this in one of the next articles).

Portable devices - keep your laptop, PDA (devices such as Blackberry), and mobile phone with you at all times, especially if you are travelling and staying in a hotel. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. Don't advertise your laptop or PDA - avoid using them in public areas and consider a non-traditional bag for carrying your laptop.

Safe environments - protect your electronic devices from unstable electricity sources and extreme temperatures, dust, high humidity and mechanical stress; install line filters or UPS on your computer power supply; do not put computers in a passage or near radiators; and do not put computers or electric installations on the floor.

1.3 Passwords and Pitfalls

Everything is protected by some sort of a key: your house and car by a physical key, your credit card by a PIN, your email account or encrypted file on the disk by a password. All these keys/passwords allow the person who knows them access to resources. You can build very advanced systems of protection but if the password (a key, PIN, etc.) is weak, they will be too.

What makes the password strong?

Long and hard to guess: Passwords should be as long as possible (at least 10 characters long). Some people even use a short sentence for a password, called a pass-phrase. A password (pass-phrase) should be hard to guess. It should not be related to you personally. Also do not use words as they appear in the dictionary as they are easier to guess.

Unique: Don't use the same password for more than one service. If someone, let’s say the administrator of one of your accounts, has access to your password, this person would have access to all of the other accounts protected by the same password. Don't re-use passwords and do not rotate them. Passwords should be used once.

Practical: Can you remember your password without having to write it down? Writing it down essentially means it’s no longer secure. Passwords should only be stored using a special programme - see below.

Recent: Change your password on a regular basis (at least every 3 months). The longer you keep one password the more probable it is that someone can breach it.

Personal: Don't reveal your password to anyone. If you do, change your password as soon as you can afterwards.
If you have to share an account, ask your administrator if it is possible to have separate accounts that would allow each person access to the same resources.

There are different methods of increasing the strength of your password, keeping in mind all the points above:

1. Use varying capitalisation, for example: My naME is Not MR. !MarSter
2. Use language in combinations such as: Let Them Eat le gateaU du chocolaT
3. Use punctuation and alternate characters (like: !@#$&*()-=+{}[]\|;:'"<>?/.,), and not just at the end of a phrase.
4. Use mnemonics, composing the password from the first letters of a long sentence or substituting some words/sounds with numbers/letters. So for example:
   "1haD,waMwB=" is a mnemonic for: “I had a dream, where all men were born equal”
   "2Bon2B?TitQ" is a mnemonic for: "To be or not to be? That is the question"
   "Mf,yrU:-)2d?" is a mnemonic for: "My friend, why are you happy today?"

Password programmes: Creating and maintaining passwords

Each of us has many different passwords to remember, making it all the more difficult to make them strong, unique and current. There are programmes, like KeePass [18], designed to store all of your passwords in a secure database. This database is encrypted and locked with a master password – this way you have to remember just one password. KeePass can help you to create very strong passwords. It can run entirely from a USB memory stick or external disk, so you can carry it and your password database around with you.
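
As an added illustration (not part of the original article), the Python example below applies the rules from "What makes the password strong?" to a set of account passwords: at least 10 characters, no dictionary words, varying capitalisation, punctuation that is not only at the end, and no password shared between services. The word list, the account names and the function names are constructed for this example.

```python
from collections import Counter

# Constructed mini word list; a real check would load a full dictionary file.
WORDS = {"password", "welcome", "dragon", "friend", "dream", "question"}
MIN_LENGTH = 10  # the article's minimum length


def failed_rules(pw):
    """Return the names of the article's rules that pw breaks."""
    failed = []
    if len(pw) < MIN_LENGTH:
        failed.append("too short")
    lowered = pw.lower()
    if any(word in lowered for word in WORDS):
        failed.append("dictionary word")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failed.append("no varying capitalisation")
    # Drop trailing symbols, then look for punctuation inside the phrase.
    core = pw
    while core and not core[-1].isalnum():
        core = core[:-1]
    if not any(not c.isalnum() and not c.isspace() for c in core):
        failed.append("no punctuation before the end")
    return failed


def audit(accounts):
    """Map each service to its broken rules, flagging shared passwords."""
    counts = Counter(accounts.values())
    report = {}
    for service, pw in accounts.items():
        problems = failed_rules(pw)
        if counts[pw] > 1:
            problems.append("reused on another service")
        report[service] = problems
    return report


# Constructed sample accounts; the first three use the article's mnemonics.
SAMPLE = {
    "email": "1haD,waMwB=",
    "forum": "2Bon2B?TitQ",
    "bank": "Mf,yrU:-)2d?",
    "blog": "Password2008!",
    "wiki": "Password2008!",
    "chat": "sunshine",
}

if __name__ == "__main__":
    for service, problems in audit(SAMPLE).items():
        print(service, "->", problems or "ok")
```

Passing these checks only means a password avoids the pitfalls listed in the article; the substring match against a word list is a simplification of "words as they appear in the dictionary".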

1.4 References and Further Reading

[1] "Digital Security and Privacy for Activists - Introduction", CIVICUS Bulletin No 32, January 2008: www.civicus.org/csw/SECURITY_INTRO1.htm

[2] "Security Edition of NGO in a Box" (see: security.ngoinabox.org) is a project of Front Line (www.frontlinedefenders) and Tactical Tech (www.tacticaltech.org). It is a toolkit of peer-reviewed free and open-source software, materials and guides to provide digital security and privacy. Its aim is to simplify this complicated area and reduce the overwhelming choices often faced by people when trying to find solutions to their problems. Recommended software is reviewed, explained and accompanied by installation and user guides in multiple languages. Each tool is accompanied by clear explanations and tips written for the non-technical user. The whole toolkit is available online on the Front Line website. The toolkit is also available on a CD. The toolkit is currently available in French, Spanish, Arabic, Russian and English. See also “Digital Security and Privacy for Human Rights Defenders”, a book written by Dmitri Vitaliev for Front Line: www.frontlinedefenders.org/manual/en/esecman

[3] Wikipedia: article about Malware: en.wikipedia.org/wiki/Malware

[4] Avast! is an anti-virus desktop programme: www.avast.com/eng/free_virus_protectio.html.
It is also good to mention a free and open source anti-virus programme called ClamAV as it is developed independently from any commercial company and is not attached to any particular country, society or government: www.clamwin.com

[5] SpyBot is an anti-spyware scanner: www.safer-networking.org

[6] Virus bulletins: Fighting malware and spam: www.virusbtn.com; Full Coverage: Computer Viruses on Yahoo!: news.yahoo.com/fc/tech/computer_viruses

[7] Comodo firewall provides protection from hackers, viruses, spyware and identity theft, and secures against internal and external threats: www.personalfirewall.comodo.com

[8] Xpy is a small tool which disables the default threats of a Windows XP and 2000 installation and improves privacy settings and your system's security: xpy.whyeye.org

[9] Vispa allows you to easily tweak your Windows Vista for better privacy and security, even system performance: vispa.whyeye.org

[10] Security and Privacy Complete disables insecure operating system components and settings for protection against viruses, worms, malicious code, hackers and other vulnerabilities: cmia.backtrace.org

[11] Learn how to turn off unnecessary Windows services: www.marksanborn.net/howto/turn-off-unnecessary-windows-services and how to determine unnecessary services in Windows: security.berkeley.edu/MinStds/Determining-Un-Services-Windows.html

[12] How to download updates and drivers from the Windows Update Catalogue: support.microsoft.com/kb/323166

[13] Firefox web browser, an excellent replacement for Internet Explorer: www.mozilla.com/firefox

[14] Thunderbird email client programme, a replacement for Outlook: www.mozilla.com/thunderbird

[15] OpenOffice is a multi-platform and multilingual office suite and an open-source project. It is compatible with all other major office suites: www.openoffice.org

[16] Ubuntu is a community developed, Linux-based operating system that is perfect for laptops, desktops and servers.
It contains all the applications you need - a web browser, presentation, document and spreadsheet software, instant messaging and much more: www.ubuntu.com

[17] “Protection Manual for Human Rights Defenders”, a manual written by Enrique Eguren of Peace Brigades International and published by Front Line, describing risk analysis, evaluating threats, preventing and reacting to attacks and developing a security plan: www.frontlinedefenders.org/manuals/protection

[18] KeePass, a programme to maintain and keep track of your passwords: www.keepass.info

1.5 About the author

Wojtek Bogusz is a digital security and information systems co-ordinator working with Front Line – the Dublin-based International Foundation for the Protection of Human Rights Defenders. You can contact him by email at wojtek (AT) frontlinedefenders (DOT) org or through the group email of the Security Edition of NGO in a Box project: security (AT) ngoinabox (DOT)