Everybody has secrets. Everybody has things worth protecting. It could be your family photos, your saved browser passwords, your bank records, or maybe just that totally legal MP3 collection.
Your laptops, thumb drives and even regular desktop computers all have a treasure trove of data that I’m sure you would not want an unscrupulous person to freely rummage around in.
You’re not alone. The military, rebels, banks and corporations have the same infosec concerns. While your information leaking may not cause a national security crisis, it’s a crisis to you. As a prepper, that means you do something about it now, and not when you come back from the coffee shop bathroom to find your computer gone.
Before we go any further, I wanted to take a second for a reality check. Crypto-geeks and some of us survivalists think our primary threat comes from NSA black helicopters coming to “disappear” us. There is something to the strategy that protecting your data from the government protects it from all other threats; there’s also something to the idea of building a nuclear bomb shelter to protect you from burglars.
First, it’s much easier for state and federal agencies to just request your data stored on third-party systems. All it takes is a signed warrant to force your email, cell phone carrier or social network provider to hand over every private message, IP address (which often leads to physical location), and login history. If you want an interesting read, the Electronic Frontier Foundation obtained a Department of Justice PowerPoint on how law enforcement officers obtain information from social networking sites.
Second, if SWAT does kick your door open and they seize everything in your house with a transistor, I suspect they have the means to access any data they want. If your state forensics analyst does not have the means, the FBI’s cyber crime unit certainly has access to the computing resources to break your keys within a matter of months (if not hours).
Third, some federal agencies maintain portfolios of security vulnerabilities to use in operations. It could be a hardware or software key logger, a browser vulnerability, or unpublished vulnerabilities in your encryption software. If they do not have the tools on-hand, they likely have the resources to buy them from the black market.
The entire process may add months or years to the investigation, but most any encryption system will be compromised by a sufficiently funded and technical attacker. Worst case, someone breaks your kneecaps and you hand over the keys. Fortunately, you and I will probably never deal with that. Our attackers will likely be airport luggage thieves, strangers finding your thumb drives, disgruntled co-workers, and at worst, professional data thieves such as corporate spies and private investigators.
File and System Encryption Overview
We need to use some specialized tools to lock down where the data sit. In today’s article, we’ll be focusing on file and system encryption software and in particular the TrueCrypt application. There are other tools to consider, such as data scrubbers and hardware encryption, but if properly deployed, software encryption can be a near-complete solution for data at rest.
Encryption in general means manipulating information in such a way that it cannot be interpreted unless the reader knows a secret. It is nothing new, and has been practiced for centuries by military leaders and revolutionaries; the Kama Sutra even lists it as an “art” all wives should practice to better arrange secret meetings with lovers. Primitive encryption systems used the encryption method itself as the shared secret; more sophisticated algorithms are publicly known and instead rely on a secret password or key. In the computer age, this means storing the data on your hard drive using an encryption key.
This does not protect you from someone seizing your data while your machine is running, or, in theory, within five to fifteen minutes of it being turned off, while the keys can still linger in RAM. Also, if you are just using file encryption or a file container and not full-disk encryption, your operating system is likely to store your open file temporarily in an unencrypted area that can later be retrieved.
What it does protect you against is someone stealing your device and accessing the data within. Even a simple operating system password, like a Windows login/screensaver password, is relatively trivial to break even for unsophisticated attackers. Only by encrypting the data on the hard disk platter can you protect it.
TrueCrypt is a free, cross-platform encryption system that can handle file, device, and full system encryption. While not open-source, the code is available for the public to review for vulnerabilities and backdoors. This is an important distinction between this system and some proprietary alternatives such as BitLocker, because you have the benefit of thousands of eyeballs looking for flaws, versus an internal quality-assurance team. Also, closed-source security systems have a nasty habit of building backdoors for admins and governments, which become a door for anyone at all.
There are supposedly two authors who remain anonymous; one can speculate about their motivations, but given its track record, I trust it more than black box encryption systems.
The example above uses TrueCrypt’s file containers. You can think of them as encrypted ZIP files or a virtual thumb drive. Once created, they can safely be emailed or burned to a CD. To create one, just click “Create Volume” from the main window and follow the wizard. This isn’t an article on encryption methods, but suffice it to say the AES encryption method is what the Department of Defense recommends for all material classified top secret.
An interesting feature of TrueCrypt is that you can build a secondary password into encrypted containers and devices for decoy data. By selecting “Hidden TrueCrypt Volume” during the creation wizard, you can set two passwords for the same thumb drive or file container. In the event you’re forced to reveal a password (through the use of rubber-hose cryptanalysis, or because you’re re-entering the country), one password reveals your actual data and the second reveals some sensitive but unimportant data (such as old credit card statements). Theoretically, because the encrypted data appears statistically random, it’s impossible to determine whether a secondary encrypted volume is present.
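To make the points above concrete (a publicly known algorithm whose only secret is the password-derived key, a password-protected file container, and encrypted data that looks like random bytes), here is an added Python example. It is not TrueCrypt’s code or its on-disk format: the container layout (salt, nonce, ciphertext, tag), the iteration count and the sample secret are all constructed for the illustration, and HMAC-SHA256 in counter mode stands in for AES because the Python standard library ships no block cipher.

```python
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Optional, Tuple

# Layout constants for this illustrative container format (constructed here;
# this is not TrueCrypt's real on-disk format).
SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
KDF_ITERATIONS = 200_000  # hypothetical work factor: every password guess pays this cost


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a password into an encryption key and a separate MAC key.
    PBKDF2-HMAC-SHA256: the random salt defeats precomputed password tables,
    the iteration count slows down anyone who has a copy of the container."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Stand-in for the AES block cipher TrueCrypt uses; any PRF in counter mode
    gives output that is indistinguishable from random without the key."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(password: str, plaintext: bytes) -> bytes:
    """Build a container: salt || nonce || ciphertext || tag (encrypt-then-MAC).
    Deliberately no magic header: every byte is either random or keyed PRF
    output, so the file carries no plaintext marker of what it is."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_container(password: str, container: bytes) -> Optional[bytes]:
    """Verify the tag first, then decrypt. Returns None for a wrong password
    or a tampered file, without revealing which of the two it was."""
    if len(container) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = container[:SALT_LEN]
    nonce = container[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = container[SALT_LEN + NONCE_LEN:-TAG_LEN]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, container[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, container[-TAG_LEN:]):  # constant-time check
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; 8.0 means uniformly random."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def demo() -> dict:
    """Round-trip a constructed 64 KiB secret and report what an observer sees."""
    secret = (b"family photos index, bank statements, browser passwords\n" * 1200)[:65536]
    container = seal("correct horse battery staple", secret)
    flipped = container[:-1] + bytes([container[-1] ^ 1])  # one bit of the tag changed
    return {
        "roundtrip_ok": open_container("correct horse battery staple", container) == secret,
        "wrong_password": open_container("password1", container),
        "tampered": open_container("correct horse battery staple", flipped),
        "plaintext_entropy": entropy_bits_per_byte(secret),
        "container_entropy": entropy_bits_per_byte(container),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design choices are worth noticing. The tag is checked in constant time before anything is decrypted, so a wrong password and a tampered file are rejected identically and nothing about the plaintext leaks. And because the container has no plaintext header, its byte distribution is as flat as the random data described above, which is the property that lets a hidden volume sit unnoticed inside the free space of an outer one.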
Full Disk Encryption
Most of the other encryption methods are useful for a limited set of cases (transmitting containers, carrying them on thumb drives, etc.), but they do leave breadcrumbs on the machine that can be recovered through forensic means. Also, your browsing history, your downloaded email, and other moderately sensitive data probably shouldn’t be in the hands of data thieves. The only sure way to protect these data is to encrypt the entire hard drive, operating system and all.
TrueCrypt makes this dead simple. With a CD burner and a blank CD handy, choose “System” in TrueCrypt and then “Encrypt System Partition/Drive”. The wizard does a good job of walking you through, but it does force you to burn a rescue CD in case the system becomes corrupted for some reason. The encryption process can take up to a day, but you can use the system normally and even turn it off while it runs. After it has finished encrypting, it prompts you for your password at boot, before Windows comes up. If you try to access the hard drive from a bootable CD or with an external enclosure, it’s mostly impossible without the password. Follow the advice for using strong passwords and most any data thief will be left empty-handed. Even if it means writing the password down and keeping it safe, that is better than using an easily cracked one.
Full disk encryption is not a panacea. It is a tool in your larger information security strategy, like the locks on your door or your carry weapon. Here are some things it does not protect against.
- Data in motion. Data being transmitted over a network or carried on a thumb drive have left your encrypted bastion, and can’t be protected by it.
- While the machine is running. Your data are unencrypted while the machine is running, so if someone gets access via malware or seizure it is not going to do a lick of good.
- If your backups are unencrypted. Your external hard drive and the DVDs that hold your backups need to be encrypted too, otherwise you’ve left your back door open.
- A skilled data thief prepared to capture the contents of RAM if the machine has only recently been turned off.
Infosec, like any other operation, requires considering attacks from all sides, mitigating the risks, and using the right tools. While it’s not taking on the nuclear wasteland with your AR and a case of jerky, as a prepper you understand threats come from all places. If you want to protect yourself against a PI your ex-wife hired or a curious, power-hungry TSA agent, then consider encrypting your devices and system.
Maybe decrypting your thumb drive only on a virtual machine could improve security? I'm talking about keeping somewhere, for example, a VirtualBox image with a fresh OS installed on it and, after decrypting our data, just deleting the copy of the VirtualBox image we used? But after all, I think that accessing encrypted data in any way puts the data in a vulnerable position; there's just no other way to keep decrypted data safe than a physical one, in my opinion.
Additionally, besides a weak/short password to protect data using AES-256 bit encryption (what TrueCrypt uses), there are two physical tricks that will defeat it. One is freezing the memory and another is basically a virus. With the first method, the system needs to be seized while powered on, even if it is at the "ctrl-alt-delete" logon screen, because at this point the decryption password to boot the system has already been put in. So while the system is on, the internals of the system are accessed, then something like a compressed air can held upside down is used to spray the memory sticks with the liquid to "freeze" the memory; then the memory sticks are removed and put in another system that is then booted with a special disk that has software to look for the encryption key. The freezing of the memory sticks causes the data in the memory sticks to stay up to 30-60 seconds without power.
The second way is by using a program like "evil maid" that can be installed on a computer with a USB drive or CD, and its purpose is to do nothing but capture the password used to unlock the TrueCrypt encrypted drive. The process is simply: put a thumb drive with "evil maid" on it in a USB port, power the system up, the "evil maid" installs itself, then turn the power off. Wait for the user to actually power up and enter the password. Later, insert the same USB drive with "evil maid" on it and boot, and recover the password it captured. And the encryption is defeated.
A few important points. Encryption software is only as good as the password you encrypt with. Most people will use passwords that are easily guessed. The problem with Dropbox or other web-based storage is that you have no real control over physical security, and physical security should probably come first. Further, you really don't know how well anything is secured if you aren't managing it yourself.
Thanks, Jon. In a previous article's comments (http://goo.gl/Dwsj) I had talked about using DropBox with my KeePass database to transport and access it. TrueCrypt is a great complement to that strategy, except any changes within file containers means needing to re-transmit the entire container. It's fine on a 50 meg container, but once you start to get past 100 meg, the bandwidth consumption could be a drag.
Could you change the extensions of the music files to something that's approved, like .pdf or .ppt? If opened, they would just appear to be corrupted or "broken" in some way.
Good info, just be aware that on thumb drives the "pricks" will be able to tell something is hidden pretty easily. When you bring up the "my computer" screen, holding the mouse over the drive gives you its total space and space available (same as if you checked its properties). We were having problems at work with listening to music, so a lot of us were bringing in music on flash drives hidden. They started plugging them in to check total space and available space compared to the "work" files that were viewable. If the two gig flash drive only had 128mb open, and the viewable files were only 128mb, they'd make you lock the drive up in a locker.
As for your "data in motion" reference on what TrueCrypt does not do, look into another application called Dropbox. The combination of both actually allows you to take the executable TrueCrypt program - as well as your encrypted file - with you wherever you go and across multiple computers.
Great Article. TrueCrypt is a good piece of software to use to protect yourself and like you said it's FREE.