No 34, March 2008

DIGITAL SECURITY FOR ACTIVISTS

Away from prying eyes: Protecting your information from unauthorised access

Wojtek Bogusz, digital security consultant, Front Line & Dimitri Vitaliev, co-author, Security Edition of NGO in a Box

Personal computers help us to store and quickly access information. Some of this information may be private or sensitive. Without sufficient consideration of how you protect this information, others can read or even delete it without your permission. What can you do to effectively protect your information from unauthorised access?  

This is the third article in a CSW Monthly Bulletin series [1] highlighting practical ways you can increase your digital security and privacy. This article is part of the updated second version of the Security Edition of NGO in a Box [2], currently under development.


Introduction 

One of the first steps in keeping out intruders, whether from the Internet or otherwise, is maintaining a properly functioning and healthy computer system. One that is malware free, protected by several security barriers and regularly updated. Please read last month’s digital security article for more information and tips [2].

Common Misconceptions: 

My computer is protected by the Windows login password.

Answer: The Windows password is quite easy to break. You should not rely on it to protect access to your files. The same goes for passwords set by Microsoft Word or Adobe Acrobat. A new attack on the Windows password was published on http://www.storm.net.nz/projects/16 - the attack allows anyone with a laptop and a firewire cable to reset your Windows password within seconds. 

I keep my files in the 'My Documents' folder. Other users cannot access it.

Answer: By default, anyone with an administrator's password can read all files on the computer. Someone with sufficient skills can gain access to any unprotected files on a Windows computer system. 

I keep all my important documents on a USB memory card.

Answer: Unfortunately these are very easy to steal or lose. As you move your USB card from one computer to another, you are also at risk of having it infected with viruses. 

There are two popular and proven methods to secure your files from outsiders’ access. One of these methods involves encrypting your files - in other words making them unreadable to anyone else but you (or who you allow). The other involves hiding the very existence of your private information on a computer. 

Encrypting Your Information [3]

Encryption is the process of coding or scrambling data in such a way that it appears unintelligible to anyone who does not have the specific key needed to decode the message. We recommend that you use TrueCrypt [4], a programme which secures your files by encrypting them and preventing anyone without the correct password from having access. It is like a lockable safe. It locks your files away so that only someone with the correct password can read them. 

Please refer to TrueCrypt Beginner's Tutorial and User Guide [4] for details on using the programme.  

Note: Storing confidential data is a risk – encryption reduces this risk, but does not eliminate it. So the first step is to minimise the sensitive information recorded, and the second is to encrypt what is left.  

Hiding Your Information 

TrueCrypt Hidden Volumes 

If somebody finds out about the existence of your TrueCrypt volume full of encrypted files, they could also try and find your password. This may happen by accident, as a result of threats or somebody spying on you. There are many situations where you cannot refuse to reveal a password for reasons of your own safety, or that of your family and colleagues. 

TrueCrypt helps you deal with these situations by allowing you to create a hidden space (volume) which is stored within your standard encrypted volume. It is almost like having a vault with a false bottom. The hidden volume can only be opened with an alternative password. It is impossible to find or prove the existence of the hidden volume, even when you open the standard volume. So, if you are forced to reveal your password, and the location of the standard TrueCrypt volume, the hidden one remains concealed. This method is useful to people who expect to be under pressure to reveal their standard encryption method and need to create a momentary diversion to leave or escape a dangerous situation. 

Steganography tools 

Hiding the existence of information is called steganography [5]. It is like writing a letter with invisible ink (lemon juice, for example). Whereas encryption conceals your message by making it unreadable to the outsider, the aim of steganography is to hide the existence of the message itself. For example, you can hide text in a photograph, a sound file or an already existing Word document on your computer.  

There are a number of tools in existence that perform different steganographic functions.[6] [7]

The first requirement for choosing the necessary tool is to keep the choice itself a secret - every steganography tool to date can be reverse engineered (meaning that if your adversary knows what programme you used to code your text into a picture, they can easily retrieve it). The trick to using steganography is to create an atmosphere of normality around your operations (regularly storing/sending holiday or baby photos) and after a multitude of similar operations, to code some text into one of those images. 

Other methods of steganography do not require any software, just some good planning and cooperation between the communicating parties. You can use codes, body language, alternate meanings and so on to disguise the real message. These methods are not new and quite often prove just as effective as modern computer based ones.  

References and Further Reading 

[1] See other articles published in "Digital Security and Privacy for Activists" series:

“Introduction", CIVICUS Bulletin No 32, January 2008: www.civicus.org/csw/SECURITY_INTRO1.htm

“Roots of (in)security: Protecting your computer”, CIVICUS Bulletin No 33, February 2008: www.civicus.org/csw/DIGITAL_SECURITY-No33.htm 

[2] "Security Edition of NGO in a Box" (see: security.ngoinabox.org) is a project of Front Line (www.frontlinedefenders) and Tactical Tech (www.tacticaltech.org) It is a toolkit of peer-reviewed free and open-source software, materials and guides to provide digital security and privacy. Its aim is to simplify this complicated area and reduce the overwhelming choices often faced by people when trying to find solutions to their problems. Recommended software is reviewed, explained and accompanied by installation and user guides in multiple languages. Each tool is accompanied with clear explanations and tips written for the non-technical user. The whole toolkit is available online on the Front Line website. The toolkit is also available on a CD. The toolkit is currently available in French, Spanish, Arabic, Russian and English.  

[3] See Digital Security and Privacy for Human Rights Defenders - a book written by Dmitri Vitaliev for Front Line: www.frontlinedefenders.org/manual/en/esecman. We especially recommend the following chapters:

      Chapter 2.4 Cryptology

      Chapter 2.8 Steganography

      Chapter 4.3 Case Study 3 – Securing and Archiving Data 

[4] TrueCrypt (www.truecrypt.org) is free open-source disk and files encryption software for Windows, Mac OS X, and Linux. See:

      Frequently Asked Questions www.TrueCrypt.org/faq.php

      Beginner's tutorial www.truecrypt.org/docs/?s=tutorial

      User Guide www.truecrypt.org/docs 

[5] Steganography article on Wikipedia - en.wikipedia.org/wiki/Steganography 

[6] Steganography Tools List on Johnson & Johnson Technology Consultants, LLC - www.jjtc.com/Security/stegtools.htm 

[7] Steganography Tools List on Cotse.Net - www.cotse.com/tools/stega.htm

 

About the authors: 

Wojtek Bogusz is a digital security and information systems consultant and trainer working with Front Line – Dublin based International Foundation for the Protection of Human Rights Defenders. He is also co-editor and manager of the Secure Edition of NGO in a Box project. 

Dimitri Vitaliev is a consultant on issues of electronic security and privacy for human rights activists around the world. He is the author of the 'Digital Security and Privacy for Human Rights Defenders' manual, co-editor of the NGO in a Box - Security edition project and is often on the road, providing training and advice on security policies and strategy. 

You can contact both of the authors through the group email of Security Edition of NGO in a Box project: security (AT) ngoinabox (DOT) org