Everything Old is New Again

Edward Snowden’s leak that made the public aware of the fact that the National Security Agency (NSA) was spying on everybody ended up being the straw that broke the camel’s back for many. Those people finally realized that the United States isn’t the freest country on Earth and that our government isn’t any better than the communist regimes they were told to fear throughout the entire Cold War. Of course, many of those people also believe that the state’s act of rampant spying is new and that, historically, such things were unthinkable. As it turns out, a snoopy federal government is nothing new in the United States:

In 1862, after President Abraham Lincoln appointed him secretary of war, Edwin M. Stanton penned a letter to the president requesting sweeping powers, which would include total control of the telegraph lines. By rerouting those lines through his office, Stanton would keep tabs on vast amounts of communication, journalistic, governmental and personal. On the back of Stanton’s letter Lincoln scribbled his approval: “The Secretary of War has my authority to exercise his discretion in the matter within mentioned.”

[…]

Having the telegraph lines running through Stanton’s office made his department the nexus of war information; Lincoln visited regularly to get the latest on the war. Stanton collected news from generals, telegraph operators and reporters. He had a journalist’s love of breaking the story and an autocrat’s obsession with information control. He used his power over the telegraphs to influence what journalists did or didn’t publish. In 1862, the House Judiciary Committee took up the question of “telegraphic censorship” and called for restraint on the part of the administration’s censors.

History repeats itself. Today’s states are advantaged by technologies that make snooping easier than ever. But states have always utilized the most advanced technologies of their time to keep tabs on what the people were up to. Fortunately, technology is a double-edged sword. While it enables states to spy on people, it also allows people to fly under the radar of Big Brother. In Lincoln’s time one could prevent Stanton’s office from knowing what was being transmitted over the telegraph by encoding one’s messages. We have the same capability today. Modern cryptography allows us to keep prying eyes from reading our communications, so long as we use the tools available to us correctly (which isn’t always easy).

Since humanity continues to repeat old mistakes it makes sense to get into the habit of expecting those mistakes and developing plans to mitigate the consequences. The states of today, just like the states of yesterday, are allowed to snoop on the people because the people continue to make the mistake of entrusting monopoly powers to handfuls of individuals. That being the case, one should always assume that those holding power are watching. Making such assumptions the default helps get us into the mindset necessary to develop and utilize techniques to slip by the watchmen. If enough people get into such a mindset it could, finally, give rise to a society where the watchmen are rendered mostly harmless.

Security is Hard

In the hopes of staving off would-be state assassins, Edward Snowden announced that he has distributed encrypted copies of data that he obtained while working at the National Security Agency (NSA):

Taking another page out of the WikiLeaks playbook, Edward Snowden has apparently distributed an encrypted copy of at least “thousands” of documents that he pilfered from the National Security Agency to “several people,” according to Glenn Greenwald, the Guardian reporter who first published Snowden’s leaks.

In an interview with the Daily Beast on 25 June, Greenwald said that Snowden “has taken extreme precautions to make sure many different people around the world have these archives to insure the stories will inevitably be published.”

Greenwald added: “If anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives.” The Brazil-based journalist said that he himself has thousands of documents that Snowden leaked from the NSA, which may or may not constitute the totality of what he exfiltrated.

On the surface it looks like a clever method to keep himself alive but, as Bruce Schneier pointed out, he may not have thought his clever plan all the way through:

I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.

Security is hard. People tend to focus on very specific individual threats and design security systems around those threats without taking into consideration other potential threats. Snowden focused so heavily on the threat of a United States assassin taking him out that he forgot to consider the fact that there are many people in the world who really want that NSA data leaked.

Encrypt Everything: Sending OpenPGP Encrypted E-Mails with Thunderbird and Enigmail

Finally, it’s here, the final guide in my OpenPGP series. I’m sorry it took so long to post but free time has been at a premium as of late. This guide will explain how to use Thunderbird and Enigmail, which you should already have installed, to send e-mails that will give the National Security Agency (NSA) a hard time.

Before I get to the guide I want to note a couple of things. First, this guide will not explain how to add your e-mail account to Thunderbird. If you need instructions on that please see Mozilla’s guide for automatic account configuration and manual account configuration. Second, this guide will be applicable to OS X, Windows, and Linux but the screenshots will be taken from OS X as that is the primary operating system I use. With those notes out of the way let’s begin.

The first thing we need to do is enable OpenPGP for your account. This can be found by navigating to the menu button, selecting Preferences, and clicking on Account Settings…:

You should be looking at the Account Settings… page. From here select the OpenPGP Security item under your e-mail account:

By default OpenPGP is disabled for every account. To enable OpenPGP for your account click the Enable OpenPGP support (Enigmail) for this identity check box. This will also allow you to change the options below the check box. By default Enigmail is set up to use your e-mail address to identify the OpenPGP keypair to use for your account. If you entered your e-mail address when you created your OpenPGP keypair this is the option you should select; otherwise you’ll have to manually select a keypair.

You will also notice several check boxes under Message Composition Default Options. The check box labeled Sign non-encrypted messages by default will ensure that Enigmail cryptographically signs e-mails that you’re not encrypting. I usually select this because the cryptographic signature allows recipients of my e-mails to verify that I sent the e-mail and that the contents haven’t been altered. The check box labeled Sign encrypted messages by default does the same thing as the check box above it but for encrypted e-mails. I usually check this by default as well. Selecting Encrypt messages by default will cause Enigmail to encrypt every e-mail you send. I usually leave this option unchecked because most of the people I send e-mails to don’t have OpenPGP and therefore are unable to decrypt messages I send to them.

The last check box, which is labeled Use PGP/MIME by default, is, in my opinion, pretty useful. Normally when you send a cryptographically signed and/or encrypted message the recipient sees a blob of text. PGP/MIME puts OpenPGP signatures and encrypted content into attachments. If the recipient is using OpenPGP, and has the proper decryption key, they will see whether or not the signature is valid and be able to read the encrypted contents. On the other hand, if the recipient isn’t using OpenPGP, they will not see the signature text or the encrypted content. I check this option because the signature text and encrypted content often confuse recipients unfamiliar with OpenPGP. When this option is selected, as far as recipients without OpenPGP are concerned, the e-mail is just a regular old e-mail.

Before leaving the Account Settings… page there is one other thing you may wish to consider doing. Navigate to Composition & Addressing:

By default Thunderbird is set up to use HyperText Markup Language (HTML) formatting for e-mails. I’m not a fan of HTML formatting when it comes to e-mails, and it can raise some Cain with the OpenPGP signature process. I always deselect Compose messages in HTML format. You can either leave it checked or not; it’s up to you.
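The PGP/MIME framing described above, and the reason reformatting in transit breaks a signature, as an added example that is not code from this post or from Enigmail. It uses only the Python standard library; the signature and ciphertext blobs are constructed placeholders rather than real GnuPG output, so it runs offline.

```python
"""PGP/MIME (RFC 3156) framing with the standard library. Added example, not
code from the original post or from Enigmail; the signature and ciphertext
blobs are constructed placeholders, not real GnuPG output, so it runs offline."""
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.policy import SMTP, default

# Constructed placeholders; gpg --detach-sign / --encrypt produce the real ones.
FAKE_SIGNATURE = (b"-----BEGIN PGP SIGNATURE-----\nplaceholder-detached-signature\n"
                  b"-----END PGP SIGNATURE-----\n")
FAKE_CIPHERTEXT = (b"-----BEGIN PGP MESSAGE-----\nplaceholder-encrypted-body\n"
                   b"-----END PGP MESSAGE-----\n")


def _envelope(msg, sender, recipient, subject):
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    return msg


def build_pgp_mime_signed(sender, recipient, subject, body):
    """multipart/signed: part 1 is the readable text, part 2 the detached signature
    (shown as an attachment called signature.asc by clients without OpenPGP)."""
    msg = _envelope(MIMEMultipart("signed", micalg="pgp-sha256",
                                  protocol="application/pgp-signature"),
                    sender, recipient, subject)
    msg.attach(MIMEText(body, "plain"))
    sig = MIMEApplication(FAKE_SIGNATURE, "pgp-signature",
                          _encoder=encoders.encode_7or8bit, name="signature.asc")
    sig.add_header("Content-Disposition", "attachment", filename="signature.asc")
    msg.attach(sig)
    return msg.as_bytes()


def build_pgp_mime_encrypted(sender, recipient, subject):
    """multipart/encrypted: a version marker plus the ciphertext. From, To and
    Subject stay in the clear; only the wrapped body is hidden."""
    msg = _envelope(MIMEMultipart("encrypted", protocol="application/pgp-encrypted"),
                    sender, recipient, subject)
    msg.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                               _encoder=encoders.encode_7or8bit))
    data = MIMEApplication(FAKE_CIPHERTEXT, "octet-stream",
                           _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    data.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    msg.attach(data)
    return msg.as_bytes()


def build_inline_signed(sender, recipient, subject, body):
    """Old-style inline PGP: the armour sits in the text body itself, which is
    the 'blob of text' a recipient without OpenPGP sees."""
    text = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body + "\n"
    return _envelope(MIMEText(text + FAKE_SIGNATURE.decode(), "plain"),
                     sender, recipient, subject).as_bytes()


def classify(raw):
    """How an OpenPGP-aware client such as Enigmail categorises a message."""
    msg = message_from_bytes(raw, policy=default)
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "pgp-mime-signed"
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-mime-encrypted"
    if ctype == "text/plain" and msg.get_content().lstrip().startswith("-----BEGIN PGP "):
        return "inline-pgp"
    return "plain"


def non_pgp_client_view(raw):
    """What a client without OpenPGP renders: text/plain parts as the body, the
    rest as named attachments. It never learns whether a signature is valid."""
    msg = message_from_bytes(raw, policy=default)
    text, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
        else:
            attachments.append(part.get_filename() or part.get_content_type())
    return {"text": "".join(text), "attachments": attachments}


def signed_part_bytes(raw):
    """The exact bytes an RFC 3156 signature covers: the first body part, headers
    included, in CRLF form. A relay or client that reflows that part (HTML
    conversion, re-wrapping, whitespace edits) changes these bytes, so the
    signature no longer verifies."""
    if classify(raw) != "pgp-mime-signed":
        raise ValueError("not a PGP/MIME signed message")
    return message_from_bytes(raw, policy=default).get_payload(0).as_bytes(policy=SMTP)
```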

Once you’ve completed your work in the Account Settings… page click the OK button; it’s time to send an e-mail. Composing an encrypted and signed e-mail with Thunderbird and Enigmail is easy. Start a new e-mail and enter the recipient, subject, and message you want to send. After you’ve done that click the arrow next to the OpenPGP button in the toolbar:

As you can see, encrypting the e-mail, if you didn’t set up Enigmail to do it automatically in the Account Settings… page, is as simple as clicking the Encrypt Message menu item. If you look at the lower right-hand corner of the e-mail composition window you’ll see a key. If the key is gray the e-mail will not be encrypted; if the key is yellow the message will be encrypted.

Now that your e-mail is set up to be encrypted it’s time to click the Send button. If you haven’t imported the recipient’s public key into GNU Privacy Guard or flagged the recipient’s public key as trusted you will see the following dialog:

If you’ve imported the key but never flagged it as trusted just click the check box next to the recipient’s public key. You can also attempt to download the recipient’s public key from a key server if you haven’t imported it by clicking the Download missing keys button. Clicking that button will open the following dialog:

Many keyservers are set up to share public keys with each other. If the recipient has uploaded their public key to a notable server, selecting the default option stands a good chance of finding the public key you need.

Those who previously imported the recipient’s public key and flagged it as trusted won’t have to worry about the above steps. In either case you’re done. Congratulations, you’ve sent your first encrypted e-mail. Now convince your friends and family members to follow these guides so they can send you encrypted e-mails and decrypt your encrypted e-mails.

Feds Asked to Avoid Def Con

In a rather hilarious turn of events Dark Tangent, the organizer of the Def Con security conference, has kindly asked the Feds to avoid the event:

The request was posted to the main Def Con webpage by Jeff Moss, the founder of the hacking conference.

In the past, he said, the convention had been an “open nexus” where government security staffers and law enforcement agents could freely mix and share ideas with the other hackers, researchers and security professionals that attended.

“Our community operates in the spirit of openness, verified trust, and mutual respect,” he said, a state of affairs that had led to an exchange of information that had seemed mutually beneficial.

However, wrote Mr Moss, many people now questioned that free exchange of ideas in the wake of ongoing disclosures about the US National Security Agency’s Prism programme, which, since 2007, has been scooping up huge amounts of data about people’s online activity.

As a result, “it would be best for everyone involved if the feds call a ‘timeout’ and not attend Def Con this year,” he wrote.

I guess this year’s Spot the Fed contest will be far more exciting than in years past. It also stands to reason that any employee of a federal agency will receive extra special attention from any black hat hackers at the event. Hackers, in general, don’t appreciate being spied on and have a tendency to return the favor. Since the federal government has been spying on everybody it wouldn’t surprise me if the attendees at Def Con decided to spy on federal employees or attempt to compromise any electronic devices they bring along (after all, this is the same conference where a team demonstrated how easy it is to intercept Global System for Mobile (GSM) phone calls).

CryptoParty Postmortem

I don’t have anything else for you today because last night’s CryptoParty went longer than I expected. The turnout exceeded my expectations by a notable amount, so I think we managed to get a good number of people set up with OpenPGP. As it turns out, explaining OpenPGP in two hours isn’t feasible, so there is still some fine-tuning required on our part, but I think we did far better than last time. If anybody reading this has previous CryptoParty experience feel free to comment below or send me an e-mail covering what you’ve learned.

Encrypt Everything: Installing Thunderbird and Enigmail

After a longer than expected break I’m returning to the Encrypt Everything series. Previously I discussed OpenPGP and explained how to generate keypairs in OS X, Windows, and Linux. In this installment I will explain how to install the Thunderbird e-mail client and its Enigmail plugin, which enables sending and receiving OpenPGP signed and encrypted e-mails. Be sure you’ve followed the previous guide for your operating system, as installing GNU Privacy Guard and generating a keypair is a prerequisite. This guide will apply to OS X, Windows, and Linux.

Step one is to download a copy of Thunderbird. This can be done by going to Mozilla’s Thunderbird website, which should automatically detect what operating system you’re running and provide you with the appropriate binary. If you, like me, run NoScript then separate links for each operating system will be displayed.

OS X

If you haven’t installed GPGTools yet do so.

After GPGTools has been installed download the latest version of Thunderbird from Mozilla’s website. The file you download will be a .dmg. Double-clicking on the file will mount it and you’ll be greeted with the following window:

To install Thunderbird simply drag the Thunderbird icon over the Applications folder shortcut and release the mouse button. That’s it, Thunderbird is installed.

Windows

If you haven’t installed Gpg4win yet do so.

Once you’ve installed Gpg4win download the latest version of Thunderbird from Mozilla’s website. The downloaded file is a standard Windows installer. Double-click on it to start the installation process:

Once the installer has opened click the Next button twice followed by the Install button. Once Thunderbird is installed click the Finish button and you’re done.

Linux

GNU Privacy Guard is installed by default on many Linux distributions but you still need to generate a keypair. If you haven’t generated your keypair yet do so.

As with my previous Linux guide this guide was created using Xubuntu 13.04, which includes Thunderbird as the default e-mail client. Likewise, according to Ubuntu’s website, Thunderbird has been the default e-mail client since version 11.10. According to this guide Thunderbird is also included by default on Fedora Core.

Therefore, if you’re using any of the distributions this guide is applicable to, you already have Thunderbird installed. Wasn’t that easy?

Installing Enigmail

Now that you have Thunderbird installed you will need to install the Enigmail plugin. Doing so is simple thanks to Thunderbird’s built-in ability to find and install plugins. The following steps apply to OS X, Windows, and Linux. Screenshots will be taken on an OS X virtual machine because it is my default operating system.

First, if you are running OS X or Linux, go to the Tools menu and click Add-ons:

If you are running Windows click the menu button on the right-hand side of Thunderbird (next to the search box) and click Add-ons:

This will open the Add-ons Manager tab:

See the box in the upper right-hand corner of the tab labeled “Search all add-ons”? Enter “enigmail” into it and hit the enter key. You will get a list of available plugins:

The Enigmail plugin will likely be the first result:

Click the Install button to begin the installation process. You will see a progress indicator:

Once Enigmail has been downloaded and installed you will be asked to restart Thunderbird:

That’s it, you’re set up and ready to begin sending OpenPGP signed and encrypted e-mails. As you can guess, sending actual e-mails will be the topic of the next Encrypt Everything installment.

The NSA’s Complete Lack of Oversight

Since Edward Snowden leaked information regarding the National Security Agency’s (NSA) PRISM program the state has been assuring us that a great deal of oversight exists between the NSA’s agents and private communications. As it turns out, that isn’t the case:

Top secret documents submitted to the court that oversees surveillance by US intelligence agencies show the judges have signed off on broad orders which allow the NSA to make use of information “inadvertently” collected from domestic US communications without a warrant.

That is a major point to note. If the NSA “inadvertently” collects data on people living in the United States, the very same people the NSA claims it’s not spying on, it can use that data without so much as a warrant. I ask you, what motivation does the NSA have not to collect domestic communications? If there’s no punishment for doing so then there is no motivation against doing it. What makes this even worse is that this policy comes from the top:

The Guardian is publishing in full two documents submitted to the secret Foreign Intelligence Surveillance Court (known as the Fisa court), signed by Attorney General Eric Holder and stamped 29 July 2009. They detail the procedures the NSA is required to follow to target “non-US persons” under its foreign intelligence powers and what the agency does to minimize data collected on US citizens and residents in the course of that surveillance.

The documents show that even under authorities governing the collection of foreign intelligence from foreign targets, US communications can still be collected, retained and used.

Is anybody surprised that Eric Holder has authorized the NSA to collect data on people living in the United States? After all the skeletons that have been pouring out of his closet I doubt anybody is even slightly shocked by this revelation. Just how far does this authority go? Pretty damned far:

However, alongside those provisions, the Fisa court-approved policies allow the NSA to:

• Keep data that could potentially contain details of US persons for up to five years;

• Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;

• Preserve “foreign intelligence information” contained within attorney-client communications;

• Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

In other words, there is no real oversight or any form of protection against the NSA spying on people residing in the United States. Most of us have suspected this for a long time but until now we’ve been unable to surface proof.

NSA Gets Early Access to Information Regarding Zero-Day Exploits on Microsoft Windows

A lot of information regarding the National Security Agency (NSA) has come to light in the last few weeks, but none of the information we’ve seen so far has been as disturbing as this:

The National Security Agency (NSA) has used sensitive data on network threats and other classified information as a carrot to gain unprecedented access to information from thousands of companies in technology, telecommunications, financial, and manufacturing companies, according to a report by Michael Riley of Bloomberg. And that data includes information on “zero-day” security threats from Microsoft and other software companies, according to anonymous sources familiar with the data-swapping program.

In the security industry this is what we would call bad news. Having early access to otherwise unknown zero-day exploits would give the NSA a window of opportunity to attack systems before the owners knew a problem existed. Effectively, the NSA could do anything from taking down a network controlled by Microsoft systems to installing back doors into networks controlled by Microsoft systems. Beyond receiving information regarding zero-day exploits, the NSA may have even more influence over Microsoft.

This information, combined with the information that Microsoft was the first company to sign onto the PRISM system, makes me wonder how much influence the NSA has over that company. Could the NSA convince Microsoft to hold back patches that fix exploits that the NSA is currently using to attack systems?

I’m also curious how many other companies are giving this type of preferential treatment to the NSA. Is Apple giving the NSA information regarding exploits? Are the lead developers of Linux? Things could become very interesting in the next couple of weeks.

Encrypt Everything: Using GPG on Linux

Now that I’ve explained how to use GNU Privacy Guard on OS X and Windows it’s time to cover Linux. Writing a tutorial on Linux is slightly more difficult because different distributions have different ways of doing things, which means I have to limit this tutorial’s scope. This tutorial is aimed at users running mainstream distributions based on Red Hat and Debian. I wrote this tutorial using Xubuntu 13.04 and looked up Fedora Core specific instructions. This tutorial is known to work on Xubuntu, all but entirely guaranteed to work on Ubuntu, and most likely applicable to Fedora Core. The good news is GNU Privacy Guard is in the standard installation of Debian and Fedora-based distributions meaning you don’t have to install it manually if you’re running Debian, Ubuntu, Xubuntu, Kubuntu, Fedora Core, or Red Hat. I will explain how to install Seahorse, a graphical GNU Privacy Guard front end for Gnome and Xfce.

The first thing you need to do is install Seahorse. On Debian-based systems, such as Ubuntu, you will need to open a terminal and enter the following command:

sudo apt-get install seahorse

On Red Hat-based systems, such as Fedora Core, you will need to open a terminal and enter the following command:

su -c "yum install seahorse"

Seahorse should now be installed. It may or may not be automatically added to your application menu, depending on the distribution you’re running; however, the application can be launched on all systems by entering the following command in a terminal:

seahorse

You will be greeted with Seahorse’s main screen:

Generating a new OpenPGP key pair is easy. First, click on the green plus button. You will be asked what type of key you want to create:

Select PGP Key and click the Continue button. You will now be presented with a dialog where you can enter the key pair information:

Although it’s not necessary, I do recommend clicking the little triangle next to Advanced key options so you can manually enter a key pair length. By default it’s set to 2048 and I recommend you max it out to 4096, but you’re not required to. Whether you want to manually enter a key pair length or not, you should fill in your identifying information. For this example I entered my name into the Full Name field and openpgptest@christopherburg.com into the Email Address field. Once you’ve entered your desired information click the Create button.

You will now be asked to enter a passphrase:

Enter a strong passphrase[1], as it will be used to encrypt your private key, which will prevent it from being used should it fall into unwanted hands. Remember, whoever possesses the private key can use it to sign or encrypt data. If a malicious user were able to obtain and decrypt your private key they could impersonate you. After you’ve entered your passphrase into both fields click the OK button. Now comes the fun part, waiting for your key pair to be generated:

For some reason generating a key pair in Linux took much longer than generating a key pair in either OS X or Windows. It took my system approximately 20 minutes to generate the key pair. During this time Seahorse is waiting to collect enough random data, which will occur faster if you use other applications. After doing some research online I found several methods that are supposed to decrease the amount of time needed to collect enough random data. The most common recommendation I came across was an application called Entropy Gathering Daemon. I didn’t have time to download, install, and test it so I will leave you to experiment with it if you want.

After the key pair has been generated it will appear in your list of keys:

That’s it, you now have an OpenPGP key pair to encrypt and sign e-mails. Now you need to know how to import the public keys used by those you correspond with. Importing a key is easy. First, you need to obtain a copy of the public key you want to import. For this example I will use the public key for blog [at] christopherburg [dot] com. If you obtained a copy of the public key in text format, paste it into a text file with a name that ends in .asc. Now go to the File menu and click Import:

In the Import Key dialog box select the .asc file containing the public key. For this example I named the file blog.christopherburg.com.asc:

A dialog box will present information from the key being imported:

If you want to see all the details click the little triangle next to Details. Once you’re satisfied that the details are correct click the Import button. You will be returned to Seahorse’s main screen, but the key won’t be listed. In order to see imported keys you need to go to the View menu and select Show any:

Now you will see all the keys Seahorse knows about:

As you can see the public key for blog [at] christopherburg [dot] com is listed but isn’t trusted. If you double-click on the key you can open a dialog box that will list the key’s details:

If you click on the Trust tab you can check the box labeled I trust signatures from ‘Christopher Burg ‘ on other keys:

Now the key will show up in your list of trusted keys. If you so desire you can sign the public key with your private key. Signing a public key is a way of alerting other people that you have verified that the person with the corresponding private key is who he says he is.
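The same workflow (generate a key pair, export the public key as an .asc file, import it into another keyring, flag it as trusted) driven through the gpg command line instead of Seahorse, as an added example that is not code from this post. It assumes GnuPG 2.1 or newer is on PATH; the names, addresses and passphrase are constructed, each party gets a throwaway GNUPGHOME, and the key length defaults to 2048 only to keep the demo quick where the post recommends 4096.

```python
"""The Seahorse workflow driven through the gpg command line: generate an RSA
key pair protected by a passphrase, export the public key as an .asc file,
import it into a second keyring, and see why an untrusted key blocks encryption
until its owner trust is set. Added example, not code from the original post;
assumes GnuPG 2.1 or newer on PATH. Names, addresses and the passphrase are
constructed, and each party gets a throwaway GNUPGHOME so real keyrings are
never touched."""
import os
import shutil
import subprocess
import tempfile

PASSPHRASE = "correct horse battery staple"  # constructed for the demo only


def gpg(home, *args, stdin=None, check=True):
    """Run gpg unattended against an isolated keyring. Passing the passphrase on
    the command line is acceptable only for a throwaway demo key like this one."""
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
           "--passphrase", PASSPHRASE, *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=check,
                          env=dict(os.environ, GNUPGHOME=home))


def new_home():
    home = tempfile.mkdtemp(prefix="gpgdemo-")
    with open(os.path.join(home, "gpg-agent.conf"), "w") as f:
        f.write("allow-loopback-pinentry\n")  # only older 2.1 agents need this
    return home


def generate_keypair(home, name, email, length):
    """Unattended counterpart of Seahorse's PGP Key dialog: same name, address
    and key length, with the private key encrypted under the passphrase.
    Returns the primary key fingerprint."""
    params = (f"Key-Type: RSA\nKey-Length: {length}\nSubkey-Type: RSA\n"
              f"Subkey-Length: {length}\nName-Real: {name}\nName-Email: {email}\n"
              f"Expire-Date: 0\nPassphrase: {PASSPHRASE}\n%commit\n")
    gpg(home, "--gen-key", stdin=params.encode())
    listing = gpg(home, "--with-colons", "--fingerprint", "--list-keys", email)
    return next(line.split(":")[9] for line in listing.stdout.decode().splitlines()
                if line.startswith("fpr:"))


def export_public_key(home, email, path):
    """The ASCII-armoured .asc file the post has you hand to Seahorse's Import."""
    with open(path, "wb") as f:
        f.write(gpg(home, "--armor", "--export", email).stdout)


def import_public_key(home, path):
    gpg(home, "--import", path)


def set_owner_trust(home, fingerprint, level=6):
    """Counterpart of the Trust tab. 6 = ultimate; note that 5 (full) alone
    does not make an unsigned key valid for encryption."""
    gpg(home, "--import-ownertrust", stdin=f"{fingerprint}:{level}:\n".encode())
    gpg(home, "--check-trustdb")


def encrypt_to(home, email, plaintext):
    """Armoured ciphertext, or None when gpg refuses because the recipient's key
    is not trusted, the situation behind Enigmail's key-selection dialog."""
    r = gpg(home, "--armor", "--encrypt", "--recipient", email, stdin=plaintext,
            check=False)
    return r.stdout if r.returncode == 0 else None


def decrypt(home, ciphertext):
    return gpg(home, "--decrypt", stdin=ciphertext).stdout


def run_demo(key_length=2048):
    """Alice generates a key; Bob imports it, is blocked, trusts it, encrypts;
    Alice decrypts. Returns None when gpg is not installed. 2048 bits keeps the
    demo quick; the post recommends 4096 for a real key."""
    if shutil.which("gpg") is None:
        return None
    alice, bob = new_home(), new_home()
    try:
        fpr = generate_keypair(alice, "Alice Example", "alice@example.com", key_length)
        asc = os.path.join(bob, "alice.asc")
        export_public_key(alice, "alice@example.com", asc)
        import_public_key(bob, asc)
        blocked = encrypt_to(bob, "alice@example.com", b"probe\n") is None
        set_owner_trust(bob, fpr)
        ct = encrypt_to(bob, "alice@example.com", b"Meet at noon.\n")
        pt = decrypt(alice, ct) if ct else None
        return {"fingerprint": fpr, "blocked_before_trust": blocked,
                "roundtrip_ok": pt == b"Meet at noon.\n"}
    finally:
        for home in (alice, bob):
            subprocess.run(["gpgconf", "--kill", "gpg-agent"], capture_output=True,
                           env=dict(os.environ, GNUPGHOME=home))
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```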

That’s how you set up OpenPGP key pairs in Seahorse. Now that we’ve covered methods to generate OpenPGP keys on OS X, Windows, and Linux we can move on to using Thunderbird and Enigmail to send encrypted and/or signed e-mails and decrypt and/or verify signatures on e-mails, which will be covered in the next tutorial.

That Awkward Moment When You Realized Those Crazy Crypto-Anarchists Were Right

As if spying on our telephone conversations wasn’t bad enough another disturbing fact was revealed about the National Security Agency’s (NSA) vast spying operations. Although we all suspected that the NSA had access to the databases of the largest technology companies in Silicon Valley we now have proof:

A top-secret surveillance program gives the National Security Agency surreptitious access to customer information held by Microsoft, Yahoo, Apple, Google, Facebook, and other Internet companies, according to a pair of new reports.

The program, code-named PRISM, reportedly allows NSA analysts to peruse exabytes of confidential user data held by Silicon Valley firms by typing in search terms. PRISM reports have been used in 1,477 items in President Obama’s daily briefing last year, according to an internal presentation to the NSA’s Signals Intelligence Directorate obtained by the Washington Post and the Guardian newspapers.

This afternoon’s disclosure of PRISM follows another report yesterday that revealed the existence of another top-secret NSA program that vacuums up records of millions of phone calls made inside the United States.

What does this mean? A lot. Effectively the NSA has access to every e-mail sent to or from Microsoft, Yahoo, and Google’s services. It also means that the NSA has access to everything you’ve posted on Facebook, including comments, pictures, and private messages, regardless of your privacy settings. Microsoft, Yahoo, and Google searches are also obtainable by the NSA. In other words, anything you’ve ever sent to or accessed from the servers of the involved technology companies is at the fingertips of the NSA.

Concern about this very thing is what led me to move all of my needed online services to my personal server. My e-mail, calendaring, address book, Virtual Private Network (VPN), and websites are all hosted on a server physically located in my dwelling. Hosting all of your own services can be a pain in the butt at times, but it’s the only way to have any reasonable assurance that your confidential information remains confidential. I recommend everybody buy a domain name and move their online services away from major technology companies and onto their own servers. If you’re not sure how to do that then it’s time to learn, and I will gladly help anybody who asks for it.

If you can’t pull yourself away from third-party services then you need to encrypt everything. I’ve written a few tutorials that explain how to encrypt e-mail using OpenPGP. As of this writing the tutorial for OS X is completed, the first part of the Windows tutorial is completed, the first part of the Linux tutorial will be posted later today, and the tutorial explaining how to use Thunderbird and Enigmail to send and receive encrypted e-mails will be posted in the near future. When the Cyber Intelligence Sharing and Protection Act (CISPA) was being debated in Congress I wrote a short guide that explained a few technologies that could be used to avoid the state’s prying eyes; learn how to use them (I will write detailed guides at some point).

To quote a famous phrase, shit just got real.