<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>ITS Tactical &#187; Security</title>
	<atom:link href="http://www.itstactical.com/topics/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itstactical.com</link>
	<description>Imminent Threat Solutions</description>
	<lastBuildDate>Wed, 08 Feb 2012 22:31:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Securing Your Digital Life: Simple Tips for Your Devices in Public</title>
		<link>http://www.itstactical.com/digicom/security/securing-your-digital-life-simple-tips-for-your-devices-in-public/</link>
		<comments>http://www.itstactical.com/digicom/security/securing-your-digital-life-simple-tips-for-your-devices-in-public/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 14:59:21 +0000</pubDate>
		<dc:creator>Rob Henderson</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bluetooth Hack]]></category>
		<category><![CDATA[Cell Phone Security]]></category>
		<category><![CDATA[Digital Security]]></category>
		<category><![CDATA[Location Based Services]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=11039</guid>
		<description><![CDATA[In today’s society, our devices are constantly connecting to one another through multiple formats. These devices contain a multitude of different methods to ensure that we&#8217;re able to connect whenever and wherever we are. Most smart phones contain connection abilities for X, EV and 3G/4G Cellular Networks, WiFi, Bluetooth and GPS. A simple device like [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/securing-your-digital-life-simple-tips-for-your-devices-in-public/" title="Permanent link to Securing Your Digital Life: Simple Tips for Your Devices in Public"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2011/08/SecuringYourDigitalLifeIIMain.jpg" width="300" height="206" alt="Post image for Securing Your Digital Life: Simple Tips for Your Devices in Public" /></a>
</p><p>In today’s society, our devices are constantly connecting to one another through multiple formats. These devices contain a multitude of different methods to ensure that we&#8217;re able to connect whenever and wherever we are.</p>
<p>Most smart phones contain connection abilities for X, EV and 3G/4G Cellular Networks, WiFi, Bluetooth and GPS. A simple device like a cell phone can have the ability to connect using all six of these different methods!</p>
<p>These public connections are great for sharing and receiving information on the go, but unfortunately this means our devices are open to even more threats than ever before. For example, your cell phone may be connecting to different devices and networks in public without your knowledge. It&#8217;s very important to understand how to secure your devices against unwanted intrusion in order to keep your information safe while in public.<span id="more-11039"></span></p>
<h2>Wi-Fi</h2>
<p>Wi-Fi is one of the most popular connections that devices use and public Wi-Fi is becoming more and more popular. Wherever we happen to be, we usually have access to a Wi-Fi network. Identity thieves and malicious users favor public Wi-Fi networks because the security on these networks is usually next to nothing. These users can access files and other information that your computer is sharing without your knowledge.</p>
<p>A good step you can take to secure your device on a public network is to ensure you have an up to date firewall installed that will monitor your connection. Users may want to consider upgrading to a different firewall program other than the default offered by the manufacturer.</p>
<p>Changing your sharing permissions is an important way to keep your information secure. Many computers share information by default in order to allow sharing of files on a home network. We recommend disabling all file and folder sharing when you’re in public to avoid any unwanted access to your device.</p>
<h2>Bluetooth</h2>
<p>Bluetooth devices have the ability to exchange data over short distances from fixed and mobile devices, creating personal area networks (PANs). Bluetooth is great for quickly sharing a file between two devices or printing a document wirelessly; it can also be used to pair accessories to your devices such as earpieces or external speakers.</p>
<p>Having Bluetooth active can become a security risk if your device doesn&#8217;t have the correct settings. Many devices have Bluetooth enabled by default and some are even enabled to allow other devices to connect. Malicious users can access your device through the Bluetooth connection and copy files or gain access to another device attached to your Bluetooth device.</p>
<p>The good news is that most phones have the capability to turn Bluetooth on and off fairly easily. Bluetooth isn’t necessary for any functions other than pairing another device to yours, so you will not be limiting the functions of your device.</p>
<h2>Location Services</h2>
<p>Many smartphones and other devices utilize GPS and radio technology to allow programs and apps to run things like navigation and location check-ins. However, many of these services are running all the time and not just when you’re accessing that program or app.</p>
<p>Most smartphones give you the option to disable location services and many of them can be turned on and off with ease for times when you want to utilize features like navigation. Check out <a href="http://www.itstactical.com/digicom/privacy/data-leaks-location-based-services-and-why-you-should-be-concerned/" target="_blank">Data Leaks: Location Based Services and Why You Should be Concerned</a>, for more about the security risks that location based services can carry with them.</p>
<h2>Staying Secure</h2>
<p>Keeping your devices secure while utilizing public connections is relatively simple as long as you keep track of the connections your device is using. Some companies offer physical devices that will disable the ability to connect if you need to absolutely make sure that your device stays disconnected.</p>
<p>The best method to ensure a device doesn’t connect to anything is obviously to power down that device. However, there are situations when the device may need to be utilized immediately and you may not have time to wait for it to power up. With the right knowledge of how your devices operate and how to manage their connections, you can keep your information safe and private when using them in public.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/securing-your-digital-life-simple-tips-for-your-devices-in-public/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Using Red Team Tactics to Secure Your Virtual and Physical Perimeter</title>
		<link>http://www.itstactical.com/digicom/security/using-red-team-tactics-to-secure-your-virtual-and-physical-perimeter/</link>
		<comments>http://www.itstactical.com/digicom/security/using-red-team-tactics-to-secure-your-virtual-and-physical-perimeter/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 18:12:31 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Carver Matrix]]></category>
		<category><![CDATA[Pen Test]]></category>
		<category><![CDATA[Penetration Test]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Red Teams]]></category>
		<category><![CDATA[SDR]]></category>
		<category><![CDATA[Surveillance Detection Route]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=10808</guid>
		<description><![CDATA[The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. &#8211; Sun Tzu Defined loosely, a Red Team is a [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/using-red-team-tactics-to-secure-your-virtual-and-physical-perimeter/" title="Permanent link to Using Red Team Tactics to Secure Your Virtual and Physical Perimeter"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2011/07/PenTestMain.jpg" width="300" height="438" alt="Post image for Using Red Team Tactics to Secure Your Virtual and Physical Perimeter" /></a>
</p><blockquote><p>The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.<br />
&#8211; Sun Tzu</p></blockquote>
<p>Defined loosely, a Red Team is a group of experts engaged in the practice of viewing a problem from an adversary&#8217;s perspective. This adversary can be an enemy trying to infiltrate the perimeter, a competitor trying to get the latest marketing documents or a robber trying to break into a house.</p>
<p>The goal of most Red Teams is to enhance decision making, either by finding and pointing to the weak links in a security system or by simply acting as a devil’s advocate.<span id="more-10808"></span></p>
<h2>Red Team</h2>
<p>Red Teams are used frequently in the world of computer security. A group of penetration testers will assess the security of an organization, which is often unaware of the existence of the team or their exact assignment. Red teams can test the security of computer systems and networks, as well as the physical security.</p>
<p>The same idea can be applied by you to help identify and protect your network, computer and property.</p>
<p>With a little thinking outside the box you can perform a Red Team assessment on your assets: put yourself in the attacker’s shoes. If you were to penetrate your perimeter, knowing what you know about it (since you put all the defence mechanisms in place), how would you do it? If you can find a hole, so can an attacker.</p>
<h2>Identify Targets with CARVER</h2>
<p>One of the methods you can use to start identifying security issues is the CARVER Matrix.</p>
<p>CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used to assess targets and decide which one needs to be secured first. Let me write down what each component means in terms of computer security:</p>
<dl>
<dt>Criticality</dt>
<dd>The target value. How vital is this to the overall organisation? A target is critical when its compromise or destruction has a highly significant impact on the overall organisation.</dd>
<dt>Accessibility</dt>
<dd>How easily can I reach the target? What are the defences? Do I need an insider? Is the target computer accessible via a network?</dd>
<dt>Recuperability</dt>
<dd>How long will it take for the organisation to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recuperate from the breach?</dd>
<dt>Vulnerability</dt>
<dd>What is the degree of knowledge needed to exploit the target? Can I use known exploits or should I invest in new, possibly zero-day exploits?</dd>
<dt>Effect</dt>
<dd>What’s the impact of the attack on the organisation? Similar to the first point (Criticality) this point should also analyze possible reactions from the organisation.</dd>
<dt>Recognizability</dt>
<dd>Can I identify the target as such? How easy is it to recognise that a specific system, network, or device is the target and not a security countermeasure?</dd>
</dl>
<h3>Using the Matrix</h3>
<p>The CARVER Matrix maps all this into an easy-to-quantify table or grid, where the high-risk targets are easily spotted. How do we use the CARVER Matrix? Write down the targets in a table. The top of the table will have the components of CARVER. Each target will have its own row, with each component being ranked from one to five. Five is the highest priority or, in our case, the highest value.</p>
<table style="text-align: center; margin-bottom: 1.57em;">
<tbody>
<tr>
<th>TARGET</th>
<th>C</th>
<th>A</th>
<th>R</th>
<th>V</th>
<th>E</th>
<th>R</th>
<th>TOTAL</th>
</tr>
<tr>
<td>SQL Server</td>
<td style="width: 50px;">3</td>
<td style="width: 50px;">2</td>
<td style="width: 50px;">4</td>
<td style="width: 50px;">2</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">21</td>
</tr>
<tr>
<td>Mail Server</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">2</td>
<td style="width: 50px;">3</td>
<td style="width: 50px;">3</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">23</td>
</tr>
<tr>
<td>CEO’s workstation</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">1</td>
<td style="width: 50px;">2</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">5</td>
<td style="width: 50px;">1</td>
<td style="width: 50px;">11</td>
</tr>
</tbody>
</table>
<p>This example shows that in our fictitious network the most vulnerable part is the mail server (total score 23). Why? Let&#8217;s look at the components.</p>
<dl>
<dt>Criticality</dt>
<dd>In this organisation the mail server is vital to daily work. It scores a five.</dd>
<dt>Accessibility</dt>
<dd>The mail server is easily accessible from the Internet. There are some defences, but they&#8217;re trivial. It earns a five.</dd>
<dt>Recuperability</dt>
<dd>The organisation&#8217;s IT personnel know that the mail server might be vulnerable. They make a backup every day so that in the event of something going wrong there will be some downtime, and some messages might be lost, but the backup will be up and running soon. The score then is a two.</dd>
<dt>Vulnerability</dt>
<dd>The attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server. However, some degree of knowledge and proficiency is required (a script kiddy could not do this). It gets a three.</dd>
<dt>Effect</dt>
<dd>We know that mail is critical, but what will happen when it is compromised? The organisation will be down for some time and that’s bad. However, since a backup is in place no one will panic. The score is three.</dd>
<dt>Recognizability</dt>
<dd>It is trivial to recognise a mail server as such, so it gets a five.</dd>
</dl>
<p>Beyond the fact that the mail server’s score is 23, the matrix shows that since it’s a critical part of the organisation (C = 5) and the knowledge required to penetrate this server is medium-to-low (V = 3), this resource should be secured first.</p>
<p>Using CARVER can be a bit cumbersome in the beginning, but, once you start using it, the matrix becomes easier and you will begin to see a system&#8217;s weak points almost immediately.</p>
<h2>Conclusion</h2>
<p>In addition to utilizing the CARVER Matrix, there are other points that you need to take into account when trying to defend your virtual (and physical) perimeter.</p>
<h3>Control Your Environment</h3>
<p>Controlling the environment is one of the most important aspects in physical security. It should be the same in cyber-security. Be aware of your surroundings, and make the environment work for you. Where is each computer, and where is the information stored in them? What are the connection channels between the machines? How is external data able to flow? Know the DMZs, firewalls and routers, external networks and failure points, points of connection to the Internet, ISPs and backups (internal and off-site).</p>
<p>By knowing your environment intimately and by performing assessment and penetration testing often, you can react to changes in the environment — however subtle they might be — and spot the potential or actual threats quickly. By knowing your environment and placing protection and defensive measures you make it harder for the attackers to operate in your environment.</p>
<h3>Change Your Habits</h3>
<p>Habits play against you. An attacker can <a href="http://www.itstactical.com/security/psd-concepts-introduction-and-daily-routes/">build and plan an attack based on these habits</a>. If you are using a specific personal firewall or version of software, try changing it with the next install. If your IP addresses follow a pattern that distinguishes servers with Internet connectivity from those kept off the Internet, or are assigned in some other way that could tell an attacker which computers might hold sensitive data, change it. Change the patterns. Change the way you connect servers and other network elements.</p>
<blockquote><p>Remember, no person acts truly at random, and no person has truly infinite resources at their disposal. If you record, track, and group information on your possible adversaries you can develop profiles. With these profiles, you can draw inferences, and with those inferences, you can be more adaptive and effectively secure your perimeter. This is called &#8220;intelligence-driven response.&#8221; (1)</p></blockquote>
<p><em><strong>Editor-in-Chief&#8217;s Note</strong>: Please join us in welcoming U. Fridman as a contributor on ITS Tactical. He&#8217;s currently a <a href="http://ufridman.org/" target="_blank">senior information security consultant</a> that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.</em></p>
<p><em>(1) Source: <a href="http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/" target="_blank">Attacking the Kill Chain</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/using-red-team-tactics-to-secure-your-virtual-and-physical-perimeter/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Send Discreet Emergency Distress Signals from your iPhone or BlackBerry</title>
		<link>http://www.itstactical.com/digicom/security/send-discreet-emergency-distress-signals-from-your-iphone-or-blackberry/</link>
		<comments>http://www.itstactical.com/digicom/security/send-discreet-emergency-distress-signals-from-your-iphone-or-blackberry/#comments</comments>
		<pubDate>Thu, 23 Sep 2010 15:38:20 +0000</pubDate>
		<dc:creator>Bryan Black</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Emergency App]]></category>
		<category><![CDATA[iPhone App]]></category>
		<category><![CDATA[Panic Button App]]></category>
		<category><![CDATA[Silent Blackberry App]]></category>
		<category><![CDATA[Silent Bodyguard]]></category>
		<category><![CDATA[Silent iPhone App]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=7364</guid>
		<description><![CDATA[There&#8217;s a great personal security app for iPhone and BlackBerry called Silent Bodyguard I&#8217;d like to draw your attention to today. Silent Bodyguard acts like a panic button that can be activated in two taps and immediately send a discreet SOS message and GPS Location every 60 seconds to whomever you&#8217;ve set as your emergency [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/send-discreet-emergency-distress-signals-from-your-iphone-or-blackberry/" title="Permanent link to Send Discreet Emergency Distress Signals from your iPhone or BlackBerry"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/09/SilentBodyguard.jpg" width="300" height="206" alt="Post image for Send Discreet Emergency Distress Signals from your iPhone or BlackBerry" /></a>
</p><p>There&#8217;s a great personal security app for iPhone and BlackBerry called <a href="http://www.silentbodyguard.com/Silent_Bodyguard/Main.html" target="_blank">Silent Bodyguard</a> I&#8217;d like to draw your attention to today.</p>
<p>Silent Bodyguard acts like a panic button that can be activated in two taps and immediately send a discreet SOS message and GPS Location every 60 seconds to whomever you&#8217;ve set as your emergency contacts.</p>
<p>I&#8217;ve been testing Silent Bodyguard on my iPhone now for the better part of three months, and am confident you&#8217;ll all work this into one of your go-to items in an emergency situation.<span id="more-7364"></span></p>
<h2>Usage</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.cotrpjdy.320x480-75.jpg"><img class="alignright size-medium wp-image-7368" title="mzl.cotrpjdy.320x480-75" src="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.cotrpjdy.320x480-75-200x300.jpg" alt="" width="200" height="300" /></a>I was turned on to Silent Bodyguard by a friend in the last <a href="http://www.itstactical.com/2010/07/29/learn-how-to-gather-intel-with-scg-international-the-graduate-school-of-tactical-training/">SCG International HUMINT (Human Intelligence) course</a> I attended, as a way to discreetly let each other know if we&#8217;d been detained or picked up in the exercises.</p>
<p>While we never had to use it, it was great knowing that we had that line of discreet communication if we needed it. I&#8217;ve since transitioned to using and testing the app for myself and my family as a way to alert each other if we&#8217;re ever in trouble.</p>
<p>As mentioned earlier, the app sends out SMS and email alerts every 60 seconds when you activate it. In both the email and text message, a link to the user&#8217;s location via Google Maps is shown, which makes it really easy to view a satellite image of the location on your iPhone if necessary. It&#8217;s almost like being fed real-time intel if you&#8217;re on the receiving end.</p>
<h2>Set up</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.dsnyfmmw.320x480-75.jpg"><img class="alignright size-medium wp-image-7369" title="mzl.dsnyfmmw.320x480-75" src="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.dsnyfmmw.320x480-75-200x300.jpg" alt="" width="200" height="300" /></a>The first thing you&#8217;ll see on Silent Bodyguard is a nondescript outdoor photo of a creek, which helps with the inconspicuous nature of the app, and three buttons. From left to right you have the &#8220;whistle&#8221; button which activates the broadcasts, the &#8220;waves&#8221; button that changes from a red dot to green waves when broadcasting and the &#8220;Tools&#8221; button where you enter all your settings.</p>
<p>Through the settings you&#8217;re able to add your personal info (so your contacts will know who the distress signal is coming from), one emergency phone number for SMS and up to three email addresses. There&#8217;s even a way to test your settings to ensure the app is working correctly and sending out your distress signal and GPS location.</p>
<h2>Notes</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.ffwdaexm.320x480-75.jpg"><img class="alignright size-medium wp-image-7370" title="mzl.ffwdaexm.320x480-75" src="http://www.itstactical.com/wp-content/uploads/2010/09/mzl.ffwdaexm.320x480-75-200x300.jpg" alt="" width="200" height="300" /></a>Silent Bodyguard is very simple and straightforward, as it should be. There&#8217;s one way to activate it and a minimum amount of options. It would be nice to send SMS broadcasts to more than one phone number, and even a way to customize the distress verbiage that is sent.</p>
<p>While I understand the need for a distracting photo on the opening screen, there should be a way to change it. I do like how the app icon is a nondescript wrench though.</p>
<p>Every time I&#8217;ve tested this app it&#8217;s performed flawlessly and is definitely worth a dollar in my opinion. An added bonus is that the alerts that are sent out use the Silent Bodyguard servers and don&#8217;t cost you anything!</p>
<p>Give Silent Bodyguard a try by finding links to the App Store and Blackberry App World on <a href="http://www.silentbodyguard.com/Silent_Bodyguard/Main.html" target="_blank">their Website</a>.</p>
<p><span style="color: #800000;">UPDATE</span>: <em>It looks like Silent Bodyguard has a Pro Version as well, but you have to purchase the ability to send SMS Emergency Signals for $1.99 (up to 3 contacts) and $2.99 (up to 7 contacts). There&#8217;s also a Twitter functionality for $0.99 to send the Emergency Signal to all your Twitter followers, and a way for your Facebook friends to receive them as well but I couldn&#8217;t figure out how to get this function activated.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/send-discreet-emergency-distress-signals-from-your-iphone-or-blackberry/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Black Hat USA 2010 and DEF CON 18 Wrap Up</title>
		<link>http://www.itstactical.com/digicom/security/black-hat-usa-2010-and-def-con-18-wrap-up/</link>
		<comments>http://www.itstactical.com/digicom/security/black-hat-usa-2010-and-def-con-18-wrap-up/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 17:38:50 +0000</pubDate>
		<dc:creator>Jason Robert</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Black Hat USA]]></category>
		<category><![CDATA[Black Hat USA 2010]]></category>
		<category><![CDATA[BlackHat]]></category>
		<category><![CDATA[DEF CON]]></category>
		<category><![CDATA[DEF CON 18]]></category>
		<category><![CDATA[DEFCON]]></category>
		<category><![CDATA[OpenBTS]]></category>
		<category><![CDATA[Practical Cellphone Spying]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=6591</guid>
		<description><![CDATA[Black Hat USA 2010 and DEF CON 18 took place last week in Las Vegas. In order to really appreciate the magnitude of each conference proceedings, it is important to understand where each conference focuses its attention. Black Hat is a security conference largely addressing all things computer and communications security. It is where industry [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/black-hat-usa-2010-and-def-con-18-wrap-up/" title="Permanent link to Black Hat USA 2010 and DEF CON 18 Wrap Up"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/08/BlackHatDEFCON.jpg" width="300" height="250" alt="Post image for Black Hat USA 2010 and DEF CON 18 Wrap Up" /></a>
</p><p>Black Hat USA 2010 and DEF CON 18 took place last week in Las Vegas. In order to really appreciate the magnitude of each conference proceedings, it is important to understand where each conference focuses its attention.</p>
<p>Black Hat is a security conference largely addressing all things computer and communications security. It is where industry comes together, describes attack vectors, and openly talks about malware, hackers, and threats to innocent systems and privacy. Black Hat is big business, both expensive to attend and sponsored by big name companies such as IBM and Adobe. If Black Hat were personified as a female actor, it is probably most analogous to an Angelina Jolie. Mostly prim and proper, strong reputation, easily discussed in polite conversation.</p>
<p>In sharp contrast is DEF CON, a conference in its 18<sup>th</sup> year. This year’s theme: <em>18 and barely legal</em>. If that doesn’t set the tone for this conference, consider that DEF CON would be best personified as Lindsay Lohan, often drifting into illegal situations. DEF CON is an all-cash conference, no attendance records by design. It is where electronics and software gurus—hackers in proper parlance—meet for 3 days to discuss—and demonstrate—the unthinkable.<span id="more-6591"></span></p>
<h2>Highlights</h2>
<p>The highlight of the entire week had to come from DEF CON. For approximately 20 minutes, the presenter “legally” became an AT&amp;T cellular tower, hijacking all the cell phones that use the GSM cellular network. Lawyers were on hand, as were the local media, to witness the presentation entitled <em>Practical Cellphone Spying</em>, by Chris Paget.</p>
<p>The synopsis of the hour-long presentation is this: ham radio operators are permitted access to portions of the 900MHz spectrum, so long as they announce their call sign on a regular basis and transmit at less than 100 watts. A portion of this spectrum overlaps with the GSM frequencies used here in the United States. Chris used a 25 milliwatt transmitter and OpenBTS (<a href="http://openbts.sourceforge.net/">http://openbts.sourceforge.net/</a>) to capture AT&amp;T handsets, using a VOIP solution as a backhaul. Members of the audience were encouraged to make phone calls during the session. Randomly by design, some were connected through the VOIP backhaul, calls recorded in the process, while others were met with a devilish recording advising them that their call couldn’t be completed, done in a way one would expect from a DEF CON presentation. Total investment with gear purchased from eBay: no more than $2000.</p>
<p>Most disconcerting to some was that during this presentation 911 services were not available to the GSM phones linked to Chris’ tower. The humorous understatement of the moment: if you burst into flames from the antenna radiation, be sure to find someone with a Verizon (CDMA) phone to dial 911 on your behalf.</p>
<h3><span style="color: #000000;">Digital Security</span></h3>
<p>The range of digital security discussions across both conferences was daunting. From instructions on how to hack millions of routers, the devices that make the Internet a reality, to intricate instructions on how to jackpot ATMs, my mind consistently wandered toward the same question at the end of virtually every session I attended: have the digital technologies that we’ve come to rely on forsaken us?</p>
<p>Black Hat brought in the biggest names, including Deputy Secretary Jane Holl Lute from the US Department of Homeland Security, and Gen (Ret.) Michael Hayden, former director of both the CIA and the NSA. Both speakers delivered more provocative questions than answers, asking the audience to consider how society has become enamored with technologic advances, ignoring the security ramifications that follow widespread adoption.</p>
<h3><span style="color: #000000;">Nothing is Truly Secure</span></h3>
<p>The Black Hat opening day keynote emcee succinctly stated the problem: nothing we have built is truly secure. Think about it this way—email, web browsers, digital hardware, including wireless access points, routers and firewalls, and even today’s mega-smart cell phones—none of them is truly secure. <em>Nothing</em> engineered to date is truly secure. Why?!? Is security that hard to design? Why is encryption so often easily skirted with simple man-in-the-middle attacks? Does the rate at which we innovate preclude us from building secure systems? Are innovators so obsessed with innovation that security is an afterthought, if a thought at all? Or, is security simply beyond the grasp of human engineering? After all, security especially in recent years has been given an elevated status by the media.</p>
<p>What are the ramifications of our inability to build secure systems? The ramifications are disturbing. We often speak about the notion of privacy, but spend 8 consecutive days with hackers at these conferences and one can’t help but reach the conclusion that privacy is already a thing of the past.</p>
<h2>Data Leaks Series Planned</h2>
<p>Over the next several weeks, we’re going to embark on a journey here at ITS that takes a deep, critical look at the data leaks in your life. These are data leaks that you probably didn’t even know existed. We are going to look at how your car tire valve stems (not tread marks) can give away your daily routine, how WiFi as we know it is fundamentally broken and unsafe, how your computer <em>or cell phone </em>can easily be compromised by a determined hacker armed with an openly available rootkit, and how big business wants to force intrusive location based services (LBS) upon you in the name of profit margins.</p>
<p>The conclusion of the series is likely obvious to most—if you want true privacy, move to the backcountry and unplug <em>everything</em> that has a transistor in it. If that’s not an option, and you want to better mitigate the digital risks that technology imposes on your life, stay tuned…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/black-hat-usa-2010-and-def-con-18-wrap-up/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>This Message Will Self-Destruct&#8230;</title>
		<link>http://www.itstactical.com/digicom/security/this-message-will-self-destruct/</link>
		<comments>http://www.itstactical.com/digicom/security/this-message-will-self-destruct/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 19:39:04 +0000</pubDate>
		<dc:creator>The ITS Crew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[bcrypt]]></category>
		<category><![CDATA[Encrypted Email]]></category>
		<category><![CDATA[Encrypted Message]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[This Message Will Self Destruct]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=6582</guid>
		<description><![CDATA[There&#8217;s an interesting Website we stumbled upon the other day that provides a secure, auto-deleted messaging service. So what exactly does that mean? This Message Will Self-Destruct offers the ability to send an encrypted email-like message to another person either with or without a password. As a reassurance that your message is secure, it&#8217;s never [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/this-message-will-self-destruct/" title="Permanent link to This Message Will Self-Destruct&#8230;"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/08/TopSecretITSMain.jpg" width="300" height="221" alt="Post image for This Message Will Self-Destruct&#8230;" /></a>
</p><p>There&#8217;s an interesting Website we stumbled upon the other day that provides a secure, auto-deleted messaging service.</p>
<p>So what exactly does that mean? <a href="http://www.thismessagewillselfdestruct.com/" target="_blank">This Message Will Self-Destruct</a> offers the ability to send an encrypted email-like message to another person either with or without a password. As a reassurance that your message is secure, it&#8217;s never stored with TMWSD, just hashed using a heavy-duty hashing utility called bcrypt. The optional password salts the encryption key for even more security.</p>
<p>In addition, whenever the intended recipient reads your message (with or without the password you may have given them) the encrypted message is deleted forever.</p>
<p><a href="http://www.thismessagewillselfdestruct.com/" target="_blank">Try it out for yourself</a>, but just remember that if you forget the password, not even TMWSD can recover your message!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/this-message-will-self-destruct/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>DEF CON Initial Report: Predicting the Cypocalypse</title>
		<link>http://www.itstactical.com/digicom/security/def-con-initial-report-predicting-the-cypocalypse/</link>
		<comments>http://www.itstactical.com/digicom/security/def-con-initial-report-predicting-the-cypocalypse/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 21:14:24 +0000</pubDate>
		<dc:creator>Jason Robert</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Crackers]]></category>
		<category><![CDATA[Cracking]]></category>
		<category><![CDATA[Cypocalypse]]></category>
		<category><![CDATA[DEF CON]]></category>
		<category><![CDATA[DEF CON 18]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Physical Penetration]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=6445</guid>
		<description><![CDATA[DEF CON 18 is in full swing at the Riviera hotel at the end of the Las Vegas strip. If you haven’t heard of DEF CON before, it’s ok; the conference is focused at the über geeks among us. Attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, crackers, and hackers [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/def-con-initial-report-predicting-the-cypocalypse/" title="Permanent link to DEF CON Initial Report: Predicting the Cypocalypse"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/07/DEFCONMain.jpg" width="300" height="150" alt="Post image for DEF CON Initial Report: Predicting the Cypocalypse" /></a>
</p><p><a href="http://www.defcon.org/" target="_blank">DEF CON 18</a> is in full swing at the Riviera hotel at the end of the Las Vegas strip. If you haven’t heard of DEF CON before, it’s ok; the conference is focused on the über geeks among us.</p>
<p>Attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, crackers, and hackers with a general interest in computer code and computer architecture.</p>
<p>From demonstrations of turning Pringles cans into directional antennas, through interactive discussion on hacking ATMs, physical penetration (e.g. lock picking), Internet routers, and building your own UAV to map WiFi and capture videos of your neighbors skinny dipping in their pool, DEF CON pretty much covers it all in gory technical detail. <span id="more-6445"></span></p>
<h2>Chronology</h2>
<p><a class="flickr-image alignright" title="DEF CON 18 Apple //c" href="http://www.flickr.com/photos/itstactical/4844181121/"><img class="alignright" src="http://farm5.static.flickr.com/4107/4844181121_d311878e06_m.jpg" alt="DEF CON 18 Apple //c" width="240" height="165" /></a>Of course, DEF CON pays homage to the past, too, showing a chronology of computing power dating back well into the 60’s.</p>
<p>I had a sentimental moment when I saw my first computing platform, the venerable <em>Apple //c</em> on display while I was waiting for the conference tracks to kick off this morning.</p>
<h2>Badges</h2>
<p><a class="flickr-image alignright" title="DEF CON 18 Badge" href="http://www.flickr.com/photos/itstactical/4844181059/"><img class="alignright" src="http://farm5.static.flickr.com/4149/4844181059_ef1d4452e3_m.jpg" alt="DEF CON 18 Badge" width="240" height="211" /></a>DEF CON 18 printed up 7000 badges, but those were gone in under 24 hours. Unlike traditional badges, these badges are literally printed circuit boards with a persistent display that remains even when there is no power.</p>
<p>Attendees are given the source code and encouraged to hack the hell out of the badges, including completely reprogramming them to do other, more “evil” things than simply displaying the DEF CON logo.</p>
<p>The late arrivers stick out with their laminated paper that shows a DEF CON-esque graphic, demonstrating the fact that it pays to be on time even in the geek world!</p>
<h2>Crowds</h2>
<p><a class="flickr-image alignright" title="DEF CON 18 Crowd" href="http://www.flickr.com/photos/itstactical/4844798604/"><img class="alignright" src="http://farm5.static.flickr.com/4105/4844798604_4c0b6f59dd_m.jpg" alt="DEF CON 18 Crowd" width="240" height="165" /></a>My unprofessional estimate pegs this year’s DEF CON attendance at around 12,000 people. This picture on the right was from the sole hallway to the conference tracks, filled with people who were <em>denied entry</em> into the existing track conference rooms because they were too full!</p>
<p>At one point I personally felt the crowd <em>snake</em> a couple of feet in one direction; you couldn’t help but move. It will be very interesting to see if it thins out as the conference progresses.</p>
<p>Some of the more compelling tracks will assuredly be difficult to get into, including “Weaponizing Lady Gaga; Psychosonic Attacks,” a talk that has been highly popular in the hallway chatter. The talk introduces an emerging attack vector of psychosonics, showing how any .mp3 can be turned into a weapon, a study aid, etc. by simply injecting an alternate data stream attack made up of psychosonic frequencies. Most intriguing, the presentation brief states that the presenters will “attack the audience” so that everyone can judge for themselves.</p>
<h2>Tactical?</h2>
<p><a class="flickr-image alignright" title="DEF CON 18 Hair" href="http://www.flickr.com/photos/itstactical/4844180827/"><img class="alignright" src="http://farm5.static.flickr.com/4132/4844180827_aa137e8e2b_m.jpg" alt="DEF CON 18 Hair" width="240" height="165" /></a>The word “tactical” doesn’t show up too often at DEF CON, and the conference’s general anti-Fed theme is exemplified with the “Spot the Fed” game that hands out prizes to attendees that successfully find a fed.</p>
<p>Military folks are generally not considered feds, though ultimately it is up to the audience to issue a final verdict. For example, someone in CID is highly likely to be labeled a fed, despite the fact that they are active duty military. Odds are this guy to the right is <span style="text-decoration: underline;">not</span> a fed!</p>
<p><a class="flickr-image alignright" title="DEF CON 18 Cypocalypse" href="http://www.flickr.com/photos/itstactical/4844798434/"><img class="alignright" src="http://farm5.static.flickr.com/4152/4844798434_e4e0a0ea57_m.jpg" alt="DEF CON 18 Cypocalypse" width="240" height="165" /></a>Tactical may be missing, but there is a palpable theme around cyber warfare activities. The former Chief Security Officer (CSO) of Facebook.com gave one of the opening keynote tracks. His presentation lacked…charisma, but the large conference hall had standing room only. Perhaps the scariest moment for the attendees was when he predicted that the upcoming “cypocalypse” would yield no more cold beer!</p>
<h2>Vendors</h2>
<p><a class="flickr-image alignright" title="DEF CON 18" href="http://www.flickr.com/photos/itstactical/4844798398/"><img class="alignright" src="http://farm5.static.flickr.com/4086/4844798398_2306ebe4df_m.jpg" alt="DEF CON 18" width="240" height="165" /></a>The conference runs for 3 full days, but the swag is disappearing fast. The vendor space is just as packed as the hallways—all cash deals, including the conference registration itself. <em>(Me? At DefCon? No, I wasn’t at DEF CON!)</em>. The SerePick booth was too deep to even approach this morning as people sought out high quality physical penetration kit.</p>
<p><a href="http://www.defcon.org/" target="_blank">DEF CON</a> is an exciting conference, and while I was only able to cover this morning&#8217;s events here, stay tuned for another report sometime next week that summarizes my experiences at both the DEF CON and Black Hat security conferences.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/def-con-initial-report-predicting-the-cypocalypse/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Infosec and Encryption to Protect Your Secrets</title>
		<link>http://www.itstactical.com/digicom/security/infosec-and-encryption-to-protect-your-secrets/</link>
		<comments>http://www.itstactical.com/digicom/security/infosec-and-encryption-to-protect-your-secrets/#comments</comments>
		<pubDate>Mon, 10 May 2010 13:38:33 +0000</pubDate>
		<dc:creator>Andrew Stuckey</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Crypto]]></category>
		<category><![CDATA[Cryptology]]></category>
		<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Disk Encryption]]></category>
		<category><![CDATA[Encrypted Partition]]></category>
		<category><![CDATA[Encrypted Thumb Drive]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hardware Encryption]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Infosec]]></category>
		<category><![CDATA[Password Encryption]]></category>
		<category><![CDATA[TrueCrypt]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=4995</guid>
<description><![CDATA[Everybody has secrets. Everybody has things worth protecting. It could be your family photos, your saved browser passwords, your bank records, or maybe just that totally legal MP3 collection. Your laptops, thumb drives and even regular desktop computers all have a treasure trove of data that I&#8217;m sure you would not want an unscrupulous person [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/infosec-and-encryption-to-protect-your-secrets/" title="Permanent link to Infosec and Encryption to Protect Your Secrets"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/05/InfosecEncryptionMain.jpg" width="300" height="216" alt="Post image for Infosec and Encryption to Protect Your Secrets" /></a>
</p><p>Everybody has secrets. Everybody has things worth protecting. It could be your family photos, your saved browser passwords, your bank records, or maybe just that totally legal MP3 collection.</p>
<p>Your laptops, thumb drives and even regular desktop computers all have a treasure trove of data that I&#8217;m sure you would not want an unscrupulous person to freely rummage around in.</p>
<p>You&#8217;re not alone. The <a title="Thumb drives/flash media still prohibited on Air Force network" href="http://www.af.mil/news/story.asp?id=123192400">military</a>, <a title="Linking Venezuela and the FARC" href="http://www.cfr.org/publication/16306/linking_venezuela_and_the_farc.html">rebels</a>, banks and corporations have the same infosec concerns. While your information leaking may not cause a national security crisis, it&#8217;s a crisis to you. As a prepper, that means you do something about it now, and not when you come back from the coffee shop bathroom to find your computer gone.<span id="more-4995"></span></p>
<h2 style="font-size: 14pt;"><span style="font-size: medium;">Threat Assessment</span></h2>
<p>Before we go any further, I wanted to take a second for a reality check. Crypto-geeks and some of us survivalists think our primary threat comes from NSA black helicopters coming to “disappear” us. There is something to the strategy that protecting your data from the government protects it from all other threats; there&#8217;s also something to the idea of building a nuclear bomb shelter to protect you from burglars.</p>
<p>First, it&#8217;s much easier for state and Federal agencies to simply request the data you have stored on third-party systems. All it takes is a signed warrant to force your email provider, cell phone carrier or social network to hand over every private message, IP address (which often <a title="Mafia hitman tracked down through Facebook" href="http://www.nypost.com/p/news/international/hitman_tracked_down_through_facebook_riGY3ieig8eYjom3k2iI1K">leads to physical location</a>), and login history. If you want an interesting read, the Electronic Frontier Foundation obtained a <a id="m.k8" title="Department of Justice PowerPoint" href="http://www.eff.org/files/filenode/social_network/20100303__crim_socialnetworking.pdf">Department of Justice PowerPoint</a> on how LEOs obtain information from social networking sites.</p>
<p>Second, if SWAT does kick your door open and they seize everything in your house with a transistor, I suspect they have the means to access any data they want. If your state forensics analyst does not have the means, the FBI&#8217;s cyber crime unit certainly has access to the computing resources to break your keys within a matter of months (if not hours).</p>
<p>Third, some federal agencies maintain portfolios of security vulnerabilities to use in operations. It could be a <a title="Spy Keylogger" href="http://www.thinkgeek.com/gadgets/security/c49f/">hardware</a> or <a title="Wikipedia - Keystroke logger" href="http://en.wikipedia.org/wiki/Keylogger#Software-based_keyloggers">software</a> key logger, a <a title="FBI used spyware to catch cable-cutting extortionist" href="http://www.computerworld.com/s/article/9131778/FBI_used_spyware_to_catch_cable_cutting_extortionist">browser vulnerability</a>, or unpublished vulnerabilities in your encryption software. If they do not have the tools on-hand, they likely have the resources to buy them from the black market.</p>
<p>The entire process may add months or years to the investigation, but almost any encryption system will be compromised by a sufficiently funded and technically capable attacker. Worst case, someone breaks your kneecaps and you hand over the keys. Fortunately, you and I will probably never deal with that. Our attackers will likely be airport luggage thieves, strangers finding your thumb drives, disgruntled co-workers, and at worst, professional data thieves such as corporate spies and private investigators.</p>
<h2 style="font-size: 14pt;">File and System Encryption Overview</h2>
<p>We need to use some specialized tools to lock down where the data sit. In today&#8217;s article, we&#8217;ll be focusing on file and system encryption software, and in particular the <a title="TrueCrypt.org" href="http://www.truecrypt.org/">TrueCrypt</a> application. There are other tools to consider, such as <a title="Eraser Data Scrubber" href="http://eraser.heidi.ie/">data scrubbers</a> and <a title="IronKey" href="http://www.itstactical.com/2010/03/10/the-ultimate-camouflage-for-the-digital-world/">hardware encryption</a>, but, if properly deployed, software encryption can be a near-complete solution for data at rest.</p>
<p>Encryption in general means manipulating information in such a way that it cannot be interpreted unless the reader knows a secret. It is nothing new, and has been practiced for centuries by <a title="Wikipedia - Caesar Cipher" href="http://en.wikipedia.org/wiki/Caesar_cipher">military leaders</a> and <a title="Intelligence in the American Revolutionary War" href="http://en.wikipedia.org/wiki/Intelligence_in_the_American_Revolutionary_War#Codes_and_ciphers">revolutionaries</a>; the Kama Sutra even lists it as an &#8220;art&#8221; all wives should practice to better arrange secret meetings with lovers. Primitive encryption systems used the encryption method itself as the shared secret, whereas more sophisticated algorithms are publicly known and take a secret password/key. In the computer age, this means storing the data on your hard drive using an encryption key.</p>
<p>This does not protect you from someone seizing your data while your machine is running, or, theoretically, if it has been <a title="Lest We Remember: Cold Boot Attacks on Encryption Keys" href="http://citp.princeton.edu/memory/">recently turned off</a>, within the last five to fifteen minutes. Also, if you are just using file encryption or a file container and not full-disk encryption, your operating system is likely to store your open file temporarily in an unencrypted area that can later be retrieved.</p>
<p>What it does protect you against is someone stealing your device and accessing the data within. Even a simple operating system password, like a Windows login/screensaver password, is <a title="Recover Data Like a Forensics Expert Using an Ubuntu Live CD" href="http://lifehacker.com/5525534/recover-data-like-a-forensics-expert-using-an-ubuntu-live-cd">relatively</a> <a title="Kon-Boot" href="http://www.piotrbania.com/all/kon-boot/">trivial</a> <a title="Offline Password &amp; Registry Editor" href="http://pogostick.net/~pnh/ntpasswd/">to</a> <a title="Mac Single User Mode" href="http://support.apple.com/kb/HT1492">break</a> even for unsophisticated attackers. Only by encrypting the data on the hard disk platter can you protect it.</p>
<h2 style="font-size: 14pt;">TrueCrypt</h2>
<p>TrueCrypt is a free, cross-platform encryption system that can handle file, device, and full system encryption. While not open-source, the code is available for the public to review for vulnerabilities and backdoors. This is an important distinction between this system and some proprietary alternatives such as BitLocker, because you have the benefit of thousands of eyeballs looking for flaws, versus an internal quality-assurance team. Also, closed-source security systems have a nasty habit of building backdoors for admins and governments, which become a door for anyone at all.</p>
<p>There are supposedly two authors who <a title="Wikipedia - Truecrypt" href="http://en.wikipedia.org/wiki/TrueCrypt#Developers.27_identities">remain anonymous</a>; one can speculate about their motivations, but given its track record, I trust it more than black box encryption systems.</p>
<div style="margin-top: 0px; margin-bottom: 0px;"><strong>Virtual Drives and File Containers</strong></div>
<div style="margin-top: 0px; margin-bottom: 0px;">TrueCrypt uses virtual drives to handle encrypted data &#8220;blocks&#8221;. When you access an encrypted file container or encrypted thumb-drive, it looks like another hard-drive inside your computer. In this example, I&#8217;ve loaded the file &#8220;SecretPlans&#8221; as my Z:\ drive; this means anything I add or edit on my Z-drive is actually inside that SecretPlans file on my desktop. This method allows any of your existing software and OS to interact with encrypted data without any modifications. Neat, huh?</div>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/05/FileContainer.jpg"><img class="alignright size-medium wp-image-5354" title="FileContainer" src="http://www.itstactical.com/wp-content/uploads/2010/05/FileContainer-300x165.jpg" alt="FileContainer" width="300" height="165" /></a>The example above uses TrueCrypt&#8217;s file containers. You can think of them as encrypted ZIP files or a virtual thumb drive. Once created, they can safely be emailed or burned to a CD. To create one, just click &#8220;Create Volume&#8221; from the main window and follow the wizard. This isn&#8217;t an article on encryption methods, but suffice it to say the AES encryption method is what the Department of Defense recommends for all material classified top secret.</p>
<p><strong>Hidden Volumes</strong></p>
<p>An interesting feature of TrueCrypt is that you can build a secondary password into encrypted containers and devices for decoy data. By selecting &#8220;Hidden TrueCrypt Volume&#8221; during the creation wizard, you can set two passwords for the same thumb drive or file container. In the event you&#8217;re forced to reveal a password (through the use of <a href="http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis">rubber-hose cryptanalysis</a>, or because you&#8217;re <a href="http://www.wired.com/threatlevel/2008/04/border-agents-c/">re-entering the country</a>), with one password you reveal your actual data; with the second, you reveal some sensitive but unimportant data (such as old credit card statements). Theoretically, because the encrypted data appears statistically random, it&#8217;s <a href="http://www.truecrypt.org/hiddenvolume">impossible</a> to determine if there is a secondary encrypted volume present.</p>
<p><strong>Full Disk Encryption</strong></p>
<p>Most of the other encryption methods are useful for a limited set of cases (transmitting containers, carrying them on the thumb drives, etc.), but do leave bread-crumbs on the machine that can be recovered through forensics means. Also, your browsing history, your downloaded email, and other moderately sensitive data probably shouldn&#8217;t be in the hands of data thieves. The only sure way to protect these data is to encrypt the entire hard-drive, operating system and all.</p>
<p>TrueCrypt makes this dead simple. Once you have a CD burner and a blank CD handy, inside TrueCrypt choose &#8220;System&#8221; and then &#8220;Encrypted System Partition/Drive&#8221;. The wizard does a good job of walking you through, but it does force you to burn a rescue CD in case the encrypted system becomes corrupted for some reason. The encryption process can take up to a day, but you can use the system normally and even turn it off. After it has finished encrypting, it prompts you for your password during the boot process, before Windows comes up. If you try to access the hard drive from a bootable CD or with an external enclosure, it&#8217;s mostly impossible without a password. Follow the advice for using <a href="http://www.itstactical.com/2010/03/30/password-strategy-and-keepass-password-management/">strong passwords</a> and most any data thieves will be left empty-handed. Even if it means writing it down and keeping it safe, it is better than using an easily cracked password.</p>
<p><strong>Limitations</strong></p>
<p>Full disk encryption is not a panacea. It is a tool in your larger information security strategy, like the locks on your door or your carry weapon. Here are some things it does <em>not</em> protect against.</p>
<ul>
<li>Data in motion. Data being transmitted over a network or carried out on a thumb drive are leaving your encrypted bastion, and can&#8217;t be protected.</li>
<li>While the machine is running. Your data are unencrypted while the machine is running, so if someone gets access via malware or seizure, it is not going to do a lick of good.</li>
<li>If your backups are unencrypted. Your external hard drive and the DVDs that hold your backups need to be encrypted too; otherwise you have left your back door open.</li>
<li>If a skilled data thief is prepared to <a href="http://citp.princeton.edu/memory/">capture RAM data</a> from a machine that was recently turned off.</li>
</ul>
<h2>Conclusion</h2>
<p>Infosec, like any other operation, requires considering attacks from all sides, mitigating the risks, and using the right tools. While it&#8217;s not taking on the nuclear wasteland with your AR and a case of jerky, as a prepper you understand threats come from all places. If you want to protect yourself against a PI your ex-wife hired or a curious, power-hungry TSA agent, then consider encrypting your devices and system.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/infosec-and-encryption-to-protect-your-secrets/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Password Strategy and KeePass Password Management</title>
		<link>http://www.itstactical.com/digicom/security/password-strategy-and-keepass-password-management/</link>
		<comments>http://www.itstactical.com/digicom/security/password-strategy-and-keepass-password-management/#comments</comments>
		<pubDate>Tue, 30 Mar 2010 18:12:26 +0000</pubDate>
		<dc:creator>Andrew Stuckey</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Cryptanalysis]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[KeePass Password]]></category>
		<category><![CDATA[KeePass Password Management]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password Cracking]]></category>
		<category><![CDATA[Password Encryption]]></category>
		<category><![CDATA[Password Hash]]></category>
		<category><![CDATA[Password Strategy]]></category>
		<category><![CDATA[Password Strength]]></category>
		<category><![CDATA[Rubber-Hose Cryptanalysis]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=4366</guid>
		<description><![CDATA[If you&#8217;d like a better perspective on how dependent we are on digital services, imagine your bank account being looted, locked out of your email, and your Facebook page vandalized. While we in the preparedness community like to focus on the beans, bullets, and bullion for someday, information security affects the now. An AR and a stockpile [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/password-strategy-and-keepass-password-management/" title="Permanent link to Password Strategy and KeePass Password Management"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2010/03/PasswordManagement.jpg" width="300" height="233" alt="Post image for Password Strategy and KeePass Password Management" /></a>
</p><p>If you&#8217;d like a better perspective on how dependent we are on digital services, imagine your bank account being looted, locked out of your email, and your Facebook page vandalized.</p>
<p>While we in the preparedness community like to focus on the beans, bullets, and bullion for someday, information security affects the now.</p>
<p>An AR and a stockpile of Mountain House may give you peace of mind, but until your online services and personal data are secured with strong passwords, you should feel exposed. It is by no means the only aspect of information security to be aware of, but for most regular people, it is the weakest link.</p>
<p>Fortunately, this is one of the threats that is free and extremely easy to neutralize. First I will explain the &#8220;why&#8221; behind passwords, and then the &#8220;how.&#8221; By the end, you should have an <em>easier</em> time managing passwords and have a way to secure your sensitive documents.<span id="more-4366"></span></p>
<h2>Theory of Password Strength</h2>
<p>So what does password strength actually mean? Simply put, it means minimizing the probability of guessing the password without knowing it. The three factors that play a role in this are character set, length, and entropy.</p>
<p>Character set means the possibilities for each position in the password; a numeric password has 10 possibilities (0-9), a lower-case letter password has 26 possibilities (a-z), and a password consisting of all the <a title="Wikipedia article for ASCII character set" href="http://en.wikipedia.org/wiki/ASCII" target="_blank">ASCII characters</a> has 94 possibilities per spot.</p>
<p>Password length <em>exponentially</em> increases the possible passwords in that space. For example, a single character password would have 94 possibilities (94<sup>1</sup> options). A two character password has 8836 possibilities (94<sup>2</sup>), and an eight character password would have 6,095,689,385,410,820 possibilities (94<sup>8</sup>). Obviously, longer is better, especially if you are using mixed case characters, symbols and numbers.</p>
<p>Lastly, entropy is one of the most important factors. Entropy is just a fancy word for randomness, or how hard it is to predict the next character from the ones before it. For example, if the first five characters were &#8220;11111&#8221;, there&#8217;s a higher probability of the sixth being &#8220;1&#8221; rather than &#8220;Q&#8221;.</p>
<p>This is why password advice is to always have a random password, at least eight characters long, using numbers, letters, and symbols.</p>
<h2>How Passwords Are Broken</h2>
<p>In a realistic threat assessment, you&#8217;re much more likely to have your password stolen as you type it by a piece of malware installed by a funny screensaver you downloaded. Also, the number of guesses per second is severely limited on online services that cap the number of attempts and add computer-stopping CAPTCHAs after a handful of failures.</p>
<p>For now I&#8217;ll focus on how passwords are broken in the worst case. This means the attacker has a copy of the <a title="Wikipedia articles for Cryptographic Hashing" href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" target="_blank">password hash</a> or encrypted data on their own machine and the password never changes; for example, a government agency has a copy of your encrypted &#8220;photos&#8221; and is trying to gain access.</p>
<p>Modern password cracking tools don&#8217;t incrementally go through and try each option. They start with pre-compiled lists of English words, phrases, and commonly used passwords. In addition, there are other kinds of intelligent statistical methods that shorten time-to-crack, but assuming you followed the rules above, the attacker will be forced to resort to brute-force guessing.</p>
<p>The next factor in how long it takes to crack is how much parallel computation power the attacker can muster. While modern CPUs are very fast, it is actually the <a href="http://en.wikipedia.org/wiki/Graphics_processing_unit" target="_blank">Graphics Processing Units</a> traditionally found in video cards that are the real power-houses of password cracking. The short reason is that regular CPUs are very good at serial calculations (where the input of the next depends on the result of the last calculation), while GPUs are good at hundreds of simultaneous, independent calculations. Guessing passwords falls in the latter category.</p>
<p>Off-the-shelf hardware is so effective at this that <a title="US Customs buys PS3's to crack passwords" href="http://www.networkworld.com/news/2009/111909-federal-government-using-ps3-to.html" target="_blank">US Customs have bought 20 PlayStation 3s</a> to replace their existing Dell password-cracking cluster. An off-the-shelf Nvidia GeForce GTX 285 gaming graphics card, which only costs $400, can make an <a href="http://blog.crackpassword.com/2009/05/when-cpu-is-not-enough/" target="_blank">estimated 580 million guesses per second per card</a>. Government and corporate budgets can afford hundreds of these for a cluster.</p>
<p>To estimate your password strength, divide your password&#8217;s possibilities (the size of the character set raised to the power of the password&#8217;s length) by the best guess of how many passwords can be tried per second. Our 8-character password would last 12.1 days against 10 GTX 285s, about 6 days against 20 cards, and so on.</p>
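<p>The estimate above, worked through in code. This is an added example, not code from the original article; it assumes the attacker must try the whole keyspace and uses the 580 million guesses/second/card figure quoted for the GTX 285, and it also answers the reverse question of how long a password must be to outlast a given cluster.</p>

```python
"""Added example (not from the original article): worst-case brute-force
estimate using the article's own figures. Assumptions: the attacker must
exhaust the entire keyspace, and each card sustains the 580 million
guesses/second quoted for a GTX 285."""
import math

GUESSES_PER_SECOND_PER_CARD = 580_000_000  # GTX 285 figure quoted in the article
SECONDS_PER_DAY = 86_400

# Character-set sizes discussed in the article
CHARSETS = {"digits": 10, "lowercase": 26, "full_ascii": 94}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of this length drawn from this set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, cards: int) -> float:
    """Seconds to exhaust the keyspace with `cards` GPUs guessing in parallel."""
    return keyspace(charset_size, length) / (GUESSES_PER_SECOND_PER_CARD * cards)


def worst_case_days(charset_size: int, length: int, cards: int) -> float:
    return worst_case_seconds(charset_size, length, cards) / SECONDS_PER_DAY


def min_length_for_years(charset_size: int, cards: int, years: float) -> int:
    """Shortest length whose full keyspace outlasts `years` on a `cards`-GPU cluster."""
    budget = years * 365 * SECONDS_PER_DAY
    length = 1
    while worst_case_seconds(charset_size, length, cards) < budget:
        length += 1
    return length


if __name__ == "__main__":
    # Reproduces the article's 8-character, 94-symbol example and contrasts it
    # with digits-only and lowercase-only passwords of the same length.
    for name, size in CHARSETS.items():
        print(f"{name:>10} x8: {entropy_bits(size, 8):5.1f} bits, "
              f"{worst_case_days(size, 8, 10):12.4f} days vs 10 cards")
    print("full ASCII x8 vs 20 cards: %.1f days" % worst_case_days(94, 8, 20))
    print("length to outlast 100 cards for 100 years:", min_length_for_years(94, 100, 100))
```

<p>The figure is an upper bound: the word-list and statistical attacks described above finish far sooner on non-random passwords, so it only means something for generated passwords.</p>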
<h2>KeePass Password Management</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/03/MainScreen.png"><img class="alignright size-medium wp-image-4588" title="MainScreen" src="http://www.itstactical.com/wp-content/uploads/2010/03/MainScreen-300x191.png" alt="MainScreen" width="300" height="191" /></a>KeePass is an application used to store passwords in an encrypted file, with versions available for Windows, Linux, Mac, iPhone, Blackberry and the Android platform. The format that these applications store the passwords in (.kdb) is a single file containing a database of all your login credentials.</p>
<p>By protecting all of your passwords with a single master password, you get two advantages. The first is that you can use the built-in password generator to protect all of your accounts with a unique, ridiculously strong password. Most systems (or at least those that handle passwords the way they should) are agnostic about length and character set. This means your password can often be a 64-character, full-ASCII password that you never have to remember. If one password is compromised on an online forum, your bank password is still secure.</p>
<p>The second advantage is that you&#8217;ve reduced the exposure from dozens of systems which all need to be protected to a single point of failure. Now you can focus on remembering one extremely strong password and securing that single file. Your KeePass database can be protected by a password of unlimited length, so I recommend Robert Hensing&#8217;s advice, which is to <a href="http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx" target="_blank">use a pass-phrase</a>.</p>
<p>Use an entire sentence which contains punctuation and numbers but is memorable to you. Avoid well known phrases or song lyrics (as those would likely be checked by password guessers) in favour of something unique like &#8220;My first dog, Fluffy, died when he was 12 years old.&#8221; This is a 52 character password with mixed case letters, numbers, and symbols; while it does not have perfect entropy, it&#8217;d be damn hard to crack by anyone but the most determined and knowledgeable attacker.</p>
<p>Because the database is password protected, you could reasonably email it to yourself or copy it to a thumb-drive and keep it at another location as a backup. It technically exposes you to a higher risk of getting cracked, but hard-drives die, computers are stolen, and houses burn down. I&#8217;d rather take the chance the Black Helicopters decrypt my SSL message to GMail than not back it up and lose access to all my systems.</p>
<p>Besides, a real-world attacker can always use <a title="Wikipedia article for Rubber Hose Cryptanalysis" href="http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis" target="_blank">rubber-hose cryptanalysis</a>.</p>
<h2>Attaching and Encrypting Files</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2010/03/AddEntryScreen.png"><img class="alignright size-medium wp-image-4587" title="AddEntryScreen" src="http://www.itstactical.com/wp-content/uploads/2010/03/AddEntryScreen-271x300.png" alt="AddEntryScreen" width="271" height="300" /></a>The other major (and underrated) feature in KeePass is the ability to include other files &#8220;attached&#8221; inside your database. You can attach any type of file, including a ZIP archive, to an entry, and it will be kept encrypted inside the KDB file.</p>
<p>Without having to install or deal with more complicated file encryption schemes, this is a dead-simple way to keep a limited number of files fairly secure.</p>
<h2>Final Notes</h2>
<p>Attackers come in all forms, and whether you&#8217;re keeping your secret plans safe from the New World Order, or just keeping your savings account safe from thieves, the principles of good information security remain the same. Passwords are not the sexiest of topics, but they are the keys to your online life.</p>
<p>Taking a few minutes to put your logins in order will, at worst, keep you from having to recover your password, and at best, save you from a serious financial or privacy blow.</p>
<p><strong>Editor’s Note</strong><em>: Andrew Stuckey has a degree in Information Systems from the Wisconsin School of Business and is developing <a href="http://www.citizenarmory.com/" target="_blank">CitizenArmory.com</a>, an online marketplace for firearms transactions. Please join us in welcoming him as a guest writer on ITS Tactical.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/password-strategy-and-keepass-password-management/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
	</channel>
</rss>

