Privacy for anyone anywhere
Prerequisites/dependencies
Systems that can boot DVD, USB, or SD media (x86, no PowerPC or ARM), 1GB RAM
Introduction
“We will open the book. Its pages are blank. We are going to put words on them ourselves. The book is called Opportunity and its first chapter is New Year's Day.” -Edith Lovejoy Pierce
First and foremost, Happy New Year!
If you haven’t read or heard about the perpetual stream of rather incredible disclosures continuing to emerge regarding the NSA’s activities as revealed by Edward Snowden, you’ve likely been completely untethered from the Matrix or have indeed been hiding under the proverbial rock. As the ISSA Journal focuses on Cyber Security and Compliance for the January 2014 issue, I thought it a great opportunity to weave a few privacy-related current events into the discussion while operating under the auspicious umbrella of the Cyber Security label. The most recent article that caught my attention was Reuters reporting that “as a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry.”
The report indicates that RSA received $10M from the NSA in exchange for utilizing the agency-backed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) as its preferred random number algorithm, an allegation that RSA denies in part.
In September 2013 the New York Times reported that an NSA memo released by Snowden declared that “cryptanalytic capabilities are now coming online…vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." Ars Technica’s Dan Goodin described Operation Bullrun as “a combination of ‘supercomputers, technical trickery, court orders, and behind-the-scenes persuasion’ to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.”
Finally, consider that, again as reported by Dan Goodin, a senior NSA cryptographer, Kevin Igoe, is also the co-chair of the Internet Engineering Task Force’s (IETF) Crypto Forum Research Group (CFRG). What could possibly go wrong? According to Dan, Igoe's leadership had largely gone unnoticed until the above-mentioned reports surfaced in September 2013 exposing the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers."
I must admit I am conflicted. I believe in protecting the American citizenry above all else. The NSA claims that their surveillance efforts have thwarted attacks against America. Regardless of the debate over the right or wrong of how or if this was achieved, I honor the intent. Yet, while I believe Snowden’s actions are traitorous, as an Internet denizen I can understand his concerns. The problem is that he swore an oath to his country, was well paid to honor it, and then violated it.
Regardless of my take on these events and revelations, my obligation to you is to provide you with tooling options. The Information Systems Security Association (ISSA) is an international organization of information security professionals and practitioners. As such, are there means by which our global readership can better practice Internet privacy and security? While there is no panacea, I propose that the likes of The Amnesiac Incognito Live System, or Tails, might contribute to the cause. Again, per the Tails team themselves: “Even though we're doing our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem.” That said, Tails endeavors to help you preserve your privacy and anonymity. Tails documentation is fabulous; you would do well to start with a full read before using Tails to protect your privacy for the first time.
Tails
Tails, a merger of the Amnesia and Incognito projects, is a Debian 6 (Squeeze) Linux distribution that works optimally as a live instance via DVD, USB, or SD media. Tails seeks to provide online anonymity and censorship circumvention with the Tor anonymity network to protect your privacy online. All software is configured to connect to the Internet through Tor, and if an application tries to connect to the Internet directly, the connection is automatically blocked for security purposes. At this point the well-informed amongst you are likely uttering a “whiskey tango foxtrot, Russ, in October The Guardian revealed that the NSA targeted the Tor network.” Yes, true that, but it doesn’t mean that you can’t safely use Tor in a manner that protects you. This is a great opportunity, however, to direct you to the Tails warning page. Please read this before you do anything else; it’s important. Schneier’s Guardian article also provides nuance. “The fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the to know who the user is, or whether or not the user is in the US.”
Getting under way with Tails is easy. Download it, burn it to your preferred media, load the media into your preferred system, and boot it up. I prefer using Tails on USB media inclusive of a persistence volume; just remember to format the USB media in a manner that leaves room to create the persistent volume.
When you boot Tails, the first thing you’ll see, as noted in Figure 1, is the Tails Greeter, which offers you More Options. Selecting Yes leads you to the option to set an administrative password (recommended) as well as Windows XP Camouflage mode (makes Tails look like Windows XP when you may have shoulder surfers).
FIGURE 1: Tails Greeter
You can also boot Tails inside a virtual machine, but there are some specific drawbacks to this method (the host operating system and the virtualization software can monitor what you are doing in Tails). However, Tails will warn you, as seen in Figure 2.
FIGURE 2: Tails warns regarding a VM and confirms Tor
Tor
You’ll also note in Figure 2 that TorBrowser (built on Iceweasel, a Firefox alternative) is already configured to use Tor, including the Torbutton, as well as the NoScript, Cookie Monster, and Adblock Plus add-ons. There is one Tor enhancement to consider that can be added during the Tails boot menu sequence: interrupt the boot sequence with Tab, hit Space, and then add bridge to enable Tor Bridge Mode.
According to the Tor Project, bridge relays (or bridges for short) are Tor relays that aren't listed in the main Tor directory. As such, even if your ISP is filtering connections to all known Tor relays, they probably won't be able to block all bridges. If you suspect access to the Tor network is being blocked, consider use of the Tor bridge feature, which Tails supports fully when booting in bridge mode. Control Tor with Vidalia, which is available via the onion icon in the notification area found in the upper right area of the Tails UI.
One last note on Tor use, as already described on the Tails Warning page you should have already read: your Tor use is only as good as your exit node. Remember, “Tor is about hiding your location, not about encrypting your communication.” Tor does not, and cannot, encrypt the traffic between an exit node and the destination server. Therefore, any Tor exit node is in a position to capture any traffic passing through it, and you should thus use end-to-end encryption for all communications. Be aware that Tails also offers I2P as an alternative to Tor.
Encryption Options and Features
HTTPS Everywhere is already configured for you in Tor Browser. HTTPS Everywhere uses a ruleset with regular expressions to rewrite URLs to HTTPS. Certain sites offer limited or partial support for encryption over HTTPS but make it difficult to use, for instance where they default to unencrypted HTTP or provide hyperlinks on encrypted pages that point back to the unencrypted site.
You can use Pidgin for instant messaging, which includes OTR (off-the-record) encryption. Each time you start Tails you can count on it to generate a random username for all Pidgin accounts.
If you’re afraid the computer you’ve booted Tails on (a system in an Internet café or library) is not trustworthy due to the likes of a hardware keylogger, you can use the Florence virtual keyboard, also found in the notification area, as seen in Figure 3.
FIGURE 3: The Tails virtual keyboard
If you’re going to create a persistent volume (recommended) when you use Tails from USB media, do so easily with Applications | Tails | Configure persistent volume. Reboot, then be sure to enable persistence with the Tails Greeter. You will need to set up the USB stick to leave unused space for a persistent volume.
You can securely wipe files and clean up available space thereafter with Nautilus Wipe. Just right-click a file or files in the Nautilus file manager and select Wipe to blow it away…forever…in perpetuity.
KeePassX is available to securely manage passwords and store them on your persistent volume. You can also configure all your keyrings (GPG, Gnome, Pidgin) as well as Claws Mail. Remember, the persistent volume is encrypted upon creation.
You can encrypt text with a passphrase, encrypt and sign text with a public key, and decrypt and verify text with the Tails gpgApplet (the clipboard in the notification area).
One last cool Tails feature that doesn’t garner much attention is the Metadata Anonymisation app. This is not unlike Informatica 64’s OOMetaExtractor, from the same folks who bring you FOCA, as described in the March 2011 toolsmith. Metadata Anonymisation is found under Applications, then Accessories. This application will strip all of those interesting file properties left in metadata, such as author names and date of creation or change. I have used my share of metadata to create a target list for social engineering during penetration tests, so it’s definitely a good idea to clean docs if you’re going to publish or share them if you wish to remain anonymous.
Figure 4 shows a before and after collage of PowerPoint metadata for a recent presentation I gave.
FIGURE 4: Metadata cleanup with Tails
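To show what the Metadata Anonymisation step removes from a PowerPoint-style file, here is an added example (not the Tails app's code) that opens an Office Open XML package, drops the creator, last-modified-by, timestamps, revision and company properties, and keeps the title. The package it operates on is a constructed minimal one built in memory, and the property names and namespaces are the standard OOXML ones; the STRIP list is this example's own choice of what counts as identifying.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes when re-serialising

# Properties that name a person, an organisation or a timeline (this example's choice).
STRIP = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
                               "dcterms:modified", "cp:revision"],
         "docProps/app.xml": ["ep:Company", "ep:Manager", "ep:TotalTime"]}

def strip_metadata(pkg: bytes) -> bytes:
    """Return a copy of an OOXML package (pptx/docx/xlsx) with STRIP properties removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in STRIP:
                root = ET.fromstring(data)
                for tag in STRIP[name]:
                    for el in root.findall(tag, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)  # fresh ZipInfo: original entry timestamps go too
    return out.getvalue()

def properties(pkg: bytes, part: str) -> dict:
    """Map local tag name -> text for one property part (before/after inspection)."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        root = ET.fromstring(z.read(part))
    return {el.tag.split("}")[-1]: el.text for el in root}

def build_sample_pptx() -> bytes:
    """Constructed minimal package: only the two property parts matter for this demo."""
    core = f'''<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"
  xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly update</dc:title><dc:creator>J. Presenter</dc:creator>
  <cp:lastModifiedBy>J. Presenter</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-12-01T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-12-20T17:30:00Z</dcterms:modified>
</cp:coreProperties>'''
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>PowerPoint</Application>'
           f'<Company>Example Corp</Company><TotalTime>42</TotalTime></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("ppt/slides/slide1.xml", "<slide/>")
    return buf.getvalue()
```

Running `properties(build_sample_pptx(), "docProps/core.xml")` before and after `strip_metadata` reproduces the before/after view of Figure 4 on the constructed file.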
There are numerous opportunities to protect yourself using The Amnesiac Incognito Live System, and I strongly advocate for you keeping an instance at the ready should you need it. It’s ideal for those of you who travel to hostile computing environments, as well as for those of you non-US readers who may not benefit from the same level of personal freedoms and protection from censorship that we typically enjoy here in the States (tongue somewhat in cheek given current events described herein).
Conclusion
Aside from hoping you’ll give Tails a good look and make use of it, I’d like to leave you with two related resources well worth your attention. The first is a 2007 presentation from Dan Shumow and Niels Ferguson of Microsoft titled On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng. Yep, the same random number generator as described in the introduction to this column. The second resource is from bettercrypto.org and is called Applied Crypto Hardening. Systems administrators should definitely give this one a read.
Enjoy your efforts to shield yourself from watchful eyes and ears, and let me know what you think of Tails. Ping me via Twitter at @holisticinfosec or email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.