Three Steps to Securing Your Online Documents

Google Drive & Docs
Google Drive & Docs

You want your documents and data to be secure, accessible everywhere and easy to access. As the saying goes, You can have any two of those requirements you want, but never all three at once. It is simply impossible to have all three. Unfortunately, most people choose easy over secure, and then complain bitterly when their documents are stolen and made public. Or simply deleted.

The dream of instant access to all of you documents is now a reality with cloud based services such as Google Docs and Drive, Dropbox and a host of other services.

You can sit down at any computer or tablet and access almost all your documents immediately.

But there is a downside to that. Others can also access documents from the cloud if they have your login details. They can access your documents if they can access your computer.

So how do you ensure the security of cloud hosted documents? Let’s look at the ups and downs of adequate security.

1. Choose a Good Password

Number one on the list is the level of security we have on our cloud account. The most obvious question is, how good is your password? If your password is 123456 or monkey, secret, letmein or similar, you have a major problem. Security breaches over the last few years have resulted in millions of passwords being leaked. These passwords have been analysed by both good guys and bad guys, and now everyone knows the million or so most used passwords.

For the curious, I have listed the 12 most common passwords of 2013. If you are using one of these, bow your head is shame, and know that any time a hacker wants your data, he will have it in minutes…

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1
Lastpass Password Manager
Lastpass Password Manager

Clever passwords are not so clever. If you think s3cret is more secure that secret, think again m0nkey and monkey are pretty much the same when someone decides to use a password list of a million common passwords to crack your account. Use a long, random, different password for every site you visit. If you cannot remember passwords, use a password manager app or plugin for your computer or browser. I use Lastpass, and have had no problems with it. I let Lastpass generate passwords for me. Lastpass is highly respected, well designed and a Trust No One (TNO) app. Lastpass cannot give your passwords to anyone, because they do not have them. they are encrypted for everyone but you.

Don’t Save The Password on Your Computer. Do NOT write your passwords down in a file named Passwords and save it on your desktop. Just read about the Sony hack to find the down side of that approach.

Add Two Factor Authentication

Then, for better security add two-factor authentication.

Google Authenticator
Google Authenticator

For Google, Dropbox and Lastpass, and many more online services, an authenticator app like Google Authenticator or Authy work perfectly. I prefer Authy because I can make it require a PIN when it starts up. There is a little effort involved in getting an Authenticator working, but they are well documented. Just be prepared to spend 10 or 15 minutes setting it up on your devices

Authenticator
Authenticator

You need the app running on your phone or tablet, preferably both, and when you log into your cloud service from a new computer, or every few weeks, you must authenticate by providing a six-digit code that changes every 30 seconds. This means you need the password and the mobile phone with the authenticator to log into your cloud account.

Print out a few “Get out of jail” keys so you can log in without your device in an emergency. But secure these printed keys well. See the documentation for your cloud provider.

Secure Your Computer, Phone  and Tablet

Authenticator App
Authenticator App

This makes it very difficult to get into your cloud accounts from another computer. However is someone steals your laptop, phone or tablet while they are unlocked, they will have access.

So make sure you have a password or PIN that is strong enough to keep a thief out. Ensure that a PIN or password is required to access your computer whenever it starts or comes out of standby.

Remember, if someone steals your phone and can access your cloud accounts and your  Authenticator, they can change the password. So keep that phone or tablet secure.

I always close the lid of my laptop or HP Chromebook 11 when I walk away from it is a shared space. In fact I rarely get more than a couple of meters away in public or shared space.

I have made a habit of putting everything into a pocket or bag when I put it down in a public or shared space. Basically I treat a laptop, phone or tablet the way I treat cash. I NEVER leave it lying around unattended.

Here is an example of why…

If you work in an office or have a desktop computer, make sure you lock it when you get up and walk away. Having a screensaver that locks it after a few minutes is probably enough in an office environment. I work largely alone in my home office, so I simply set

Chromebook Lock Button
Chromebook Lock Button

the screensaver to come on after five minutes. If I was is a co-working space or an office with a lot of people, I would (and have) activated the screensaver manually when I walk away. This is easy to do on computers running Linux. I think it also an option on later versions of Windows. On Chromebooks and Chromeboxes, it is in the bottom right corner of the status window.

Remember the simple security rule. If someone can access your unsecured hardware, they can do pretty much anything. A running, logged in PC is the crown jewels for a thief. Don’t assume everyone in your office is trustworthy.

Follow these three steps, and you will be well on the way to having secure and safe access to your cloud based files and documents.

There is a price. It takes a little longer to log into your account, there is a bit more friction. But after a few days it becomes second nature.

Enjoy! – Phil Stephens

Would the SONY Hack Work on a Google Drive Based Business?

Your Information IS your business, Keep It Safe

Google Drive & Docs
Google Drive & Docs

A modern business of ANY size is largely the sum of it’s data and documents. Keeping them safe and private is crucial for the survival of your business. Are you safe if you use Google services?

Security in the Post Sony Hack World

The Sony Pictures hack has shone the spotlight on the security issues posed by Internet connected systems, particularly those using Windows desktops. Sony, it will probably be revealed, got hacked via a spearfishing attack. Spearfishing is aiming a carefully crafted attack at an individual using personal information to make the attack seem like an email or document they expect, know, or want. Once they have allowed it into the network, lax security procedures and poor passwords gave them access to everything. However they got in, poor security procedures will ultimately be revealed to be the main culprit.

Sony Hack
Sony Hack

Passwords were stored in unencrypted files named “passwords”. Thousands of email messages stored in Microsoft Outlook .PST data files were copied. massive numbers of documents were just copied off the Sony servers and out to the web. It is obvious that security was lax, but the reason all this was copied is basically that it was all sitting on Sony servers, and the passwords were weak or available to the hackers.

This was a failure of the classic server-client network on a huge scale.

Security in the Google Cloud World

Google Drive Logo
Google Drive Logo

On the other hand, a business that keeps it’s workers on Chromebooks and stores data in the cloud is going to be in a better position to defend it’s data.

The documents, spreadsheets and mail are all stored on Google’s secure and backed up servers. Access is via individual user passwords. Documents can be private, shared with individuals, shared with domains (everyone in the business) or publicly.

There is one huge security advantage to this. Instead of documents being emailed around the company, they can be shared via email. This means that all that is sent is a link. A document in an email can be forwarded, copied and stolen. The document link will only work for someone logged into Google Drive as the recipient of the document. Anyone else that gets the link will not be able to access the document. This is a huge step up from emailing documents.

An Example of the Dangers of Sending Documents

Some time ago, I worked for a very large organization that used Microsoft Office. Everyone used Outlook for email. People inside the company sent contracts, proposals, memos and other documents as Word documents attached to emails.

In one large department, Instead of saving documents on the corporate servers, they began to go back to Outlook to find the last version of the document and worked on that. Then they sent it or saved it back to Outlook. Corporate data was not being saved on the file servers. Outlook .PST files grew to huge sizes.

Then, one Sunday night, the mail server for that department ran out of disk space. It tried to alert the Sysadmin, but there was no space on the server to process the email. The whole system collapsed at 2:35 AM and no-one knew anything was wrong until they arrived for work on Monday.

The lack of disk space had also prevented backups from running properly. Tape backups had failed weeks before, but no-one had checked the logs. It took two weeks to get the mail system running, and many users had lost hundreds of documents and revisions of documents. Some lost their entire email history, address book and calendar. For weeks, email flew around the organization begging for recent versions of contracts, proposals and other documents to be sent back to the originators. The fallout went on for a year or more.

As the Sysadmin for my department, I began monitoring the size of Outlook data files, and began delivering scathing warnings if they began to grow to large.

It was a lesson I never forgot.

And the Winner Is…

If Sony had been using Google cloud storage, how may this have played out?

E-mail would have been protected by storage in Google’s cloud. Google mail is accessible by web browser. The connection to Gmail is by a secure HTTPS connection. This would have made intercepting e-mail difficult to impossible. Attachments would have been replaced by links, and not accessible to the hackers without the relevant passwords. Email would have remained secure as long as passwords remained secure.

I have mentioned secure passwords a few times. A cloud based solution needs good password security. Sony obviously were using bad passwords and poor password procedures.

For Google Docs (the business version of Drive) User policy is controlled centrally by the Administrator and allows policy like good passwords and two factor authentication to be enforced.

Lastpass
Lastpass

A corporate account with Lastpass would have saved a lot of grief. Lastpass creates and stores secure passwords. Instead of using “Monkey” or “123456” everywhere, Lastpass will generate a real, unique and secure password for every site and then store it for you. Every time you visit that site while logged into lastpass, it will paste the password and username into the browser for you.

And even better, it is really secure, really cheap, and uses two factor authentication.

Singing the Praises of Two Factor Authentication  

Two factor authentication simply means you need something other that the password. The password is easily stolen, but a second form of identification means the password is not enough

The second factor or token can be one of those key-ring devices that shows a number every thirty seconds, a fingerprint, a retinal scan, or a usb dongle that has to be plugged into your computer before you can log in.

Every teller at my bank has to swipe a card and type a password before they can use a terminal. That card is their second factor.

The simplest one for most of us is an app for our phone or tablet. I use Google Authenticator. I have registered my Google Mail account, and when I login, I have 30 seconds to type in the six digit number displayed on my phone or tablet. I also have a sheet of six emergency codes. I keep that paper very safe, and have never had to use it. I always have a phone or tablet in range when I sit down at the computer.

The Cloud IS Secure

00131-drive-iconsAs we can see from this, using a cloud service like Google Docs is no less secure than storing everything on a local server.

Is it absolute security? No. No-one is even sure such a thing exists. It is all relative.

If the FBI, NSA, ASIO or GCHQ want your data, they will get it. But Google is working hard to make this process more difficult for them, and is making great strides.

This is a low friction, low cost option to provide secure storage and sharing of your data with high reliability, and no cost for a big IT team to keep it working.

REALLY Secure Information in the Cloud  

Some things really are secrets, rather that just private. There are ways to put the absolutely most secret things in the cloud to. They just require a little work to get them there.

More on that later – Enjoy!

Beware the “Awesome Screenshot” Extension for Chrome, Firefox, Safari

Awsome Sceenshot Page
Awsome Sceenshot Page

This seemingly innocent plugin that allows the capture and annotatiuon of screenshots has been caught with it’s hand in the till, according to mig5.net. I caught onto this story courtesy of the Chrome Story Blog.

Awsome Screenshot Access
Awsome Screenshot Access

Basically the Awsome Screenshot plugin spies on all the web sites and pages you visit, sends the data back to servers for storage, and at a later date a web-crawler identifying itself as “niki-bot” begins scanning those pages. The purpose is not clear, but the terms of service for “Awesome Screenshot” states:

When users access the software, certain non-personally and personally identifiable information (the “User Information”) may be collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.

Awsome Screenshot Logo
Awsome Screenshot Logo

My advice would be to run, do not walk to your computer and remove the Awsome Screenshot plugin immediately!

Thank you to the sites mentioned above for doing the detective work on this one!

 

TrueCrypt – A Trustworthy File Encryption Tool.

 

Why Encrypt Files?

We keep our secrets in files. It has been said that only people with something to  hide object to surveillance and want privacy. Personally, I don’t have many secrets, There are plenty of things I do, say and write that I do not want shared, photographed or discussed. It is PRIVATE.

Everyone has secrets. Governments have secrets. Every business has customer information that must be kept from prying eyes.

Software and hardware companies work long and hard on new products and projects before they release them to the public. And the details will still be secret in many cases. Kentuck Fried Chicken and Coca Cola have secrets.

For Example NASA

NASA

In 2001 NASA suffered four data losses when laptops with unencrypted data where lost or stolen.

NASA suffers major data breach
NASA suffers major data breach

David Miranda

In August, 2013 David Miranda was detained at Heathrow under anti-terrorism laws. He was not suspected of terrorism, he is the partner of Glenn Greenwald, who has been publishing documents leaked by Edward Snowdon that are embarrassing to the NSA and GCHQ in the Guardian newspaper.

David Miranda detained
David Miranda detained

Miranda was forced to hand over passwords for his laptop, phone and several USB keys he was carrying.

If he did not comply, he could be detained.  He was being held under duress. More on this later…

Encryption Tools

There are a number of encryption tools. some of them “on the fly tools” like TrueCrypt.

What is “On the Fly” Decryption?

TrueCrypt mounts a drive, partition or volume (file) so it can be seen and accessed by the operating system as a drive or folder. Files can be copied, read, run, deleted and be edited in real time.

These are just a few of the tools available. Most are not free:

Comparison of disk encryption software
Comparison of disk encryption software

One of the most popular is Bitlocker, and it  is free… But it only works on Windows, and do you trust Microsoft?

Is Bitlocker Safe?

Microsoft has admitted building a back door into Skype after purchasing it. It works with the NSA because as a public company, it has no choice. And it is suspected that there is a back door into Windows, written into the encryption DLL from Windows 95 OSR2 onwards.. It is closed source. No one can look at the code and see if it is clean.

So Microsoft products may not  be trustworthy.

The NSA have even attempted to have a back door built into Linux.

Linux Back Door?
Linux Back Door?

Fortunately, as an open source project, that is not easy to do, with many eyes looking on.

There are other trustworthy open source projects, but TrueCrypt is well known, cross platform, and here.

TrueCrypt

TrueCrypt is:

  • Open source
  • Free
  • Capable of  running on Linux, Windows, Mac
  • System agnostic, create a volume on one OS, it works on all the others
  • Safe, an independent code audit is underway, thanks to a Kickstarter project

 

TrueCrypt is very flexible. It can encrypt:

  • Whole drives
  • Partitions
  • Containers (Files that can function as encrypted folders or drives)

 

It can open containers on:

  • System drives
  • Network drives
  • USB and SD devices

 

It can open or mount devices upon:

  • Booting the system
  • Connection of the device (inserting a USB for example)
  • On user request ( by using the software to mount a volume)

 

It can disconnect a device upon:

  • Shutdown
  • After a period of inactivity (eg. No read/write for 10 minutes)
  • When suspended
  • When requested (manual / user dismount)

 

Some Features

  • It treats an encrypted partition or file as a folder In linux, or, on Windows, a drive letter
  • TrueCrypt volumes can be stored anywhere, including a USB drive
  • All settings are stored in an XML file, not in the Windows registry
  • It uses on the fly symmetric encryption, the data is never stored unencrypted in the file system.
  • A volume looks like noise. There no header that can be used to identify it. It can be any file extension.
  • One corrupt block (128 bits) does not destroy the volume, the header is duplicated

Encryption Technology

The encryption is based on a huge pool of entropy used by the random number generators. This is drawn from the clock and calendar, MAC and IP information, random data from the network card, and movement of the mouse and keystrokes.

Use a Good Password (NOT One of These)

 

The weakest link is the password. ALWAYS use a good password. Here are the worst 25 passwords from 2013. If you use one of these, congratulations, you are in good company, now CHANGE IT!

The 25 most popular (dumbest) passwords of 2013:

1. password
2, 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1

Some of the more advanced features of TrueCrypt are:

  • Files can be used as part of the password. This will help on a community PC because a keyboard logger cannot read the file data
  • Security tokens (tags, USB devices and smartcards) can be used as security tokens
  • Up to three encryption keys can be chained for maximum security (it IS slower)
  • Header files containing the encryption data can be saved and stored
  • Header files can be used to recover “lost” volumes if passwords are lost

Plausible deniability.

If you are arrested, held prisoner or in a ransom situation failing to give a password can be life threatening. Plausible deniability is being able to demonstrate good faith by giving the demanded information without giving away secrets

In the US and Britain you can be jailed for refusing to give passwords while being questioned as a suspect.

David Miranda, mentioned earlier, supposedly had the password to an encrypted USB drive in his pocket…

Miranda Was Carrying a password
Miranda Was Carrying a password

Note the third bullet point. They decrypted ONE file. If they had found anything incriminating, he would not have been released nine hours later. Perhaps it was a sacrificial file used to protect the presence of a TrueCrypt hidden volume in a duress situation…

Hidden Volumes Provide Plausible Deniability.

A hidden, encrypted volume can be created within a volume. The TrueCrypt application tries to open the outer container with the provided password. If it fails, it searches further. If there is another, hidden container, it opens that.

The result is that in a duress situation the first password will open the outer container and reveal the not so secret, sacrificial files. The second password will open the second truly secret volume.

The size or even existence of the hidden volume is difficult to prove, because TrueCrypt fills every container with random data, So it always looks full.

Until decrypted, a TrueCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of “signature”). Therefore, it should be impossible to prove that a partition or a device is a TrueCrypt volume or that it has been encrypted (provided that the security requirements and precautions listed in the manual are followed).

Safety and features

Partition headers can be backed up. 1k file. if a corporate PC has an encrypted partition, and the employee loses or changes the password, management can come back with the backed up header and recover the data.

Does TrueCrypt use parallelization?

  • Yes. Increase in encryption/decryption speed is directly proportional to the number of cores/processors your computer has.
  • Benchmarks run under Windows XP found that it ran faster on a TrueCrypt volume than it did using native Windows file systems, because the TrueCrypt drivers use multiple cores or processors to increase throughput!!
  • Encrypting a system drive creates an ISO image you must burn. The disk can repair a damaged boot-loader. damaging the boot-loader could cause TrueCrypt to not know the password, the disk can repair it.
  • TrueCrypt is aware of, and manages wear levelling on SSDs

The TrueCrypt installation installs an excellent 150 page Pdf manual.

There are command line options, for details of usage applying to the Linux and Mac OS X versions, please run: truecrypt –h

Download TrueCrypt from the web site today, and give it a try.

Phil Stephens

What is Identity Theft, and Should I Worry?

Identity Theft
Identity Theft -Image by Don Hankins

Identity theft is having someone steal enough personal information from you that they can impersonate you well enough to obtain a credit card, bank account, apply for a loan, register a car, get a drivers licence or apply for a passport or mobile phone account in your name.

The danger is, all of these things can result in you being liable for unpaid debt, crimes or other fallout from someone posing as you behaving badly or illegally.

A lot of identity theft is performed on-line, but in this article, I want to discuss the more personal and local version. Your garbage bin.

Much of this information can be gleaned from papers you throw in the garbage. We all get mail every day with personal information. From bank statements and Centrelink documents to invitations to get new credit cards or increase our credit limit. Most come with much of our personal information pre-printed. These are absolute gold to an identity thief. They raid letter boxes on a daily basis, looking for this kind of information.

When I started my last business, we advertised it locally (and laboriously) by trudging from house to house around much of Launceston area putting flyers in letterboxes. I once received an irate phone call from someone telling me we had stolen a letter from his box when we dropped off the flyer.

When I explained the the fliers were being distributed by me, my wife and my son, and leaving a flyer after robbing the box would not have been the brightest idea for us, he apologised and hung up. He had lost a piece of vital mail that day…

AFP Identity Crime Page
AFP Identity Crime Page

The Australian Federal Police have an excellent on-line resource under the title Identity Crime. It is worth a read. There are many other resources, but for Australians, this is a pretty good one.

I was prompted to visit this subject by an excellent post on Unclutterer.com  about shredders. I am sitting looking at my shredder, a Fellows P-35C purchased from Officeworks.

It replaced a series of cheap shredders that failed when fed too much paper, or just burned out. I have never been one to overload my shredder, but the cheap, low powered models are prone to choking and jamming if paper is fed in off-centre.

The fact is, with care, even the cheapest shredder will do its job, but spending a bit more is well worth the cost. My current shredder will handle five sheets of paper and cuts it into confetti rather that strips. It cost around $70.

Shredders need to be maintained. I spread a little 3 in 1 oil on a sheet of paper and feed it through the shredder occasionally.

We recently had an episode here in Australia where the opposition turned up in parliament with a sensitive document that a government minister had shredded. The document was retrieved from the bin and taped back together and produced in parliament to much laughter and hoots of derision. I decided that my next shredder would be a cross-cut shredder!

For those home based, a bonus of shredding is the ability to turn shredded paper and other junk mail into Paper Log/Briquettes and use them in the fire. There are a number of tools to do this, unfortunately most of the are US based, and freight is expensive.

For those on the road, papers can be used as fire starters or soaked, screwed up into logs, dried and burned. The simple option is to simply burn any papers with personal information. A smoky option, but a simple one.

On the road, we tend to use fires or braziers, and paper to get the fire going is always in short supply, so save those personal documents and feed them to the fire

The key is, DO NOT put anything with personal information in the bin. Grey Nomads have been fined for disposing of waste in public bins based on papers found by council inspectors, and any paper can lead to identity theft. Dispose carefully!

Image courtesy of Don Hankins