Category: Security


Using a private encryption system based on the OpenPGP standard can provide a great improvement to the security of your sensitive data. To maximize the value of that improvement, however, you need to make sure your OpenPGP system itself is secured against the efforts of malicious security crackers.

The following tips assume you are using GnuPG on a free/libre/open source UNIX-like system, such as FreeBSD or Debian GNU/Linux. They also assume you are minimally familiar with the workings of such a system so that an explanation of how the ls command works is unnecessary (for instance).

  1. Protect your private keyring file. This is the file used to store your private encryption keys. By default, this file is located at ~/.gnupg/secring.gpg. At minimum, you should ensure that its file permissions are set to 600 (using the chmod command if necessary). If a malicious security cracker cannot access your private keyring file directly, he or she cannot decrypt or digitally sign as you unless he or she has both access to the system on which the keyring file is located and your passphrase.
  2. Protect your passphrase. You need to ensure that you do not forget this passphrase (especially if you use your GnuPG key to encrypt and protect other passwords), but you also need to make sure it does not fall into the hands of a malicious security cracker. A good, strong passphrase is monumentally difficult to crack — so difficult that, at present levels of technology, it is effectively impossible. Thus, without your passphrase, a malicious security cracker cannot encrypt, decrypt, or digitally sign as you unless he or she has direct access to your private keyring file. Even then, the ability to make use of it is in doubt because GnuPG stores it as encrypted data (thus the need for the passphrase).
  3. Use a strong passphrase. A passphrase that just uses a single English language word is trivial to crack. A passphrase that uses a famous quotation is not much better. A passphrases that uses letter substitutions, such as p4ssw0rd instead of password, is easily cracked as well. Spaces, special (non-alphanumeric) characters, and long character sequences unrecognizable as comprising words in any way, are all important parts of a strong passphrase. The reason people use passphrases instead of 128-bit keys is that they are easier to remember — but the reason people usually try to guess a passphrase rather than trying to guess the 128-bit key it protects is that the passphrase is usually easier to guess. Make it as difficult to guess as possible without ensuring you forget the passphrase.
  4. Limit the number of machines on which you store copies of your private key. Ideally, you should only have the key on one machine that is not connected to a network and copy files that need to be encrypted or decrypted back and forth between that machine and others only via physical media. This improves your ability to protect both the key and your passphrase significantly. On the other hand, it is extremely impractical for many people. For most purposes, simply limiting it to one machine on which you ensure great care is taken to maintain a “secure enough” environment is good enough, but the degree of security you require for your private key is a decision entirely in your own hands. The fewer machines on which you store your key (preferably one), however, the better. In fact, the absolute best you could do would be to store your key on zero computers — instead, keep it on a USB mass storage device, a floppy, or some other removable storage media, and only access it from a computer that is not connected to any network. The impracticality of this approach for most people is significant, however, and it is almost never employed these days.
  5. If you must transfer your private key from one machine to another, doing so via physical media such as a floppy, USB mass storage device, or CD-R, is far preferable to transfering via network. Wireless networks are a particularly bad idea for transfer of a private key, in general. Limit the exposure of even encrypted private keys to any networks because doing so ensures that a malicious security cracker would not only need to compromise your network to copy your private key (or keyring file) but would need to specifically compromise the computer where that key is stored.
  6. You may want to have more than one private key. If you have need of a key in an environment you do not entirely trust — such as on a workstation at your place of employment, where others’ indiscretions may lead to reduced security on the network — you should not trust your most important private data there. This may, for many people, mean maintaining two separate private keys (and their attendant public keys).
  7. When you generate your private keys (your “keypair”), you should also create a revocation certificate. This can be done with a simple command, where name is replaced with the name under which your key was created: gpg --output revoke.asc --gen-revoke 'name'. The revocation certificate should be stored on physical media such as a floppy disk or CD-R, preferably somewhere secure such as a safe or safety deposit box, in case your key is compromised and needs to be revoked.
  8. Set an expiration date for your encryption subkey. Normally, when creating your keypair using GnuPG, you have one each of a DSA master signing key and an ElGamal encryption subkey. The former is used for signing documents. The latter is used to decrypt files that have been encrypted using your public key. It is typically the case that you do not want your master signing key to expire; this key is intended to act as your “fingerprint,” if you will — a verifiable personal identification tool. The latter, however, may be set to expire to improve the security provided by GnuPG. If it changes periodically, your encryption subkey is even more difficult to crack and use, because an old key that is cracked does not allow anyone to access any future documents. It would only allow a malicious security cracker to decrypt and read documents that were encrypted prior to the expiration of the old key.
  9. To make maximum use of the OpenPGP standard as a means of providing privacy and security of communications, you should learn about the concept of a web of trust, and be very careful with how you make use of this concept to improve the convenience of private encrypted communications so that the security of those communications is not compromised. The key (pun not intended) point is to recognize that a relationship should be established and verified between a given public key and the real, physical person it is meant to represent and identify. Depending on how extensively you use an OpenPGP system, it may be impractical to personally identify each individual with whom you may wish to establish private, secure communications, and a “web of trust” is a mechanism for providing the identification you need without having to personally visit every single one of them.
  10. Talk to others about improving privacy and security via GnuPG and other OpenPGP compliant systems. It only helps secure a path of communication if the person on the other end is also using it, after all.
Email is commonly used in business today, yet only a small percentage of users take the time to guarantee their email is sent in a secure and confidential manner. If you’re not part of that elite group, read on to learn how to setup OpenPGP with the Mozilla Thunderbird mail component.

OpenPGP is a patent-free encryption scheme based on the same security architecture as the commercial version of PGP, which has been available since the early 90’s. Thunderbird uses OpenPGP through the GnuPG implementation — developed by the Free Software Foundation — for interpreting and sending digitally signed and encrypted messages.

The first step in setting up Thunderbird with OpenPGP is to have GnuPG installed on your system. The majority of Linux distros include this package in their official release. Query for it on your system be entering the following command: which gpg. If it’s not found, or if you are using a different operating system like Windows or MAC, then you will need to download and install it.

The cornerstone to GnuPG’s security — and hence OpenPGP — are key pairs. Made up of a private and a public key, they are used throughout the security loop by both sender and receiver, as we will observe in the rest of this article.

To create a key pair using GnuPG, enter gpg --gen-key at the command line. You will be prompted with a series of questions, such as the encryption algorithm, key size — which will reflect the encryption strength — your name, email address and a passphrase. Using the default answers is generally sufficient. Just keep in mind that your passphrase will be your means to access the key pair and confirm your identity locally. The actual key pairs you generate will be stored in your user home directory under .gnupg if you are using Linux, or under another specific GnuPG directory if you are using Windows or MAC.

Once you have created your key pair, it’s time to configure Thunderbird to use them. In order to simplify the deployment of OpenPGP within Thunderbird, a special plug-in named Enigmail can be used. Download this plug-in and install it using the Tools–Extensions menu in Thunderbird. Then exit Thunderbird and restart it. You will then be prompted for the initial configuration settings.

The first task is setting the path in which GnuPG is installed. By default this is /usr/bin/pgp on Linux. You will also be able to indicate special flags to be used when invoking GnuPG, and to allow Thunderbird to recall your passphrase for a certain length of time each session. This to avoid re-typing the security credential every time you send an encrypted — or a digitally signed — message. The other tabs provided on this initial windows setup offer more advanced features, which we will not explore now. You can modify them later from the Enigmail–Preferences menu.

We are now ready to send an email using OpenPGP. Compose a message and select the OpenPGP icon atop the composer, a pop-up window will offer you three choices: Sign Message, Encrypt Message & Use PGP/MIME. We will explore the first two in the following paragraphs.

The simplest and most non-intrusive manner of assuring security is signing your messages. This process guarantees that even if some users are ill-equipped to fulfill their part of the security chain — as we will further outline — you can guarantee integrity to others.

Signing a message places a fingerprint onto the body of your message — an actual text fragment — which is generated from your private key. This fingerprint can later be correlated by the recipient of the message, using the public key of your key pair. This is why you make the public key readily available. In the event someone tries to forge a signed message pretending to be you, or tampers with your mail enroute, your recipient need to perform a check against your public key to detect such activity.

Enigmail checks signed messages automatically upon receipt, and informs you if the signature doesn’t match the public key. The reason signing a message is so non-intrusive, is that you don’t force all your recipients to verify the signature. If the recipients wish to do so, they can obtain your public key and verify that the message is authentic. If they don’t wish to do so, the message can still be read.

The actual publication of your public key can be done several ways. The simplest being to send it — the public key — to your contacts. You can also publish your public key information on a centralized database, like Keyserver.net . This allows your contacts to obtain the key themselves, without having to send it to each of them individually. You can use GnuPG or Enigmail to create a text version of your public key. In Enigmail, select the OpenPGP Key Management option for exporting it to a text file. In GnuPG you can use the following command line sequence : gpg --armor --export my@email.com, where my@email.com is the email used for creating the key pair.

Since being able to correlate signed messages with public OpenPGP keys is part of receiving secure messages, Enigmail also offers the possibility to import all the public keys of your contacts. You’ll need to have the public key of anyone you wish to send encrypted messages.

If you opt to encrypt a message with OpenPGP, you will be prompted through a pop-up window to select the public key of your intended recipient. Once it has been encrypted with a public key, only the holder of the complementary private key can read it. Contrary to signing a message, encrypting an email requires that both parties be involved in the security process.

Once you are comfortable using these OpenPGP alternatives with Thunderbird, you can set default behaviours from the Enigmail-Preferences menu. If you administer multiple email accounts, each will require its own key pair, since the email address is a part of the basis for the generation of your keys.

If you use Thunderbird as your email client, hopefully you will now begin using OpenPGP as described here to ensure yourself a more secure email environment.

Security predictions for 2009

Security predictions for 2009

http://tinyurl.com/75l8nx

The Safest Web Browser

Firefox keeps your personal info personal and your online interests away from the bad guys.

More info:     http://tinyurl.com/5c478d

With virus, spyware and phishing scams so common on the web today, what’s an average user to do?  Even if you’re not a computer savvy geek there are still at least 6 simple steps everyone can take to have a more secure computer or browsing experience.

1. Create secure passwords.

Simple security starts with a password. Even if it’s not a super secure password, it’s better to have something than nothing at all. But why not go a step further? Creating secure passwords isn’t that tough to do. Here’s a few tips:

  1. Longer is better (if you can remember it)
  2. Add numbers and symbols($#@?) to mix things up.
  3. Don’t base your password on a dictionary word like “bigdog123”.

If you’d like some more tips, head over to Linux-Tip.net which has a pretty decent guide to follow, or if you want some deeper explanations take a look at Bruce Schneier’s article, “Secure Passwords Keep You Safer“.

2. Keep the passwords secure.

I would hope that this goes without saying, but for those who need it, here it is. DON’T GIVE ANYBODY YOUR PASSWORD! This includes help desk employees or anybody, unless you absolutely have to. 99.99% of the time, tech support personnel do not need your password and shouldn’t be asking for it in the first place. If you do give your password out to someone, please do yourself a favour and change it as soon as you can to protect your information.

Also, be sure to change your passwords regularly. Every couple months is a good rule of thumb.

3. Dot your “i”s and cross your “t”s.

Be careful when typing in a url. Phishers often set up sites on common misspellings of the site they’re attemping to get your information from.  Here’s an example of how it works: you type in “www.ebbay.com”, a site that looks like eBay shows up and asks for your password. Well, the rest is history from there I’m afraid.

Another variation on this form of attack involves the use of e-mail or other electronic communications. This is what happened to Twitter just recently. An e-mail was sent out with a link to a Twitter page. Instead of being taken to the official Twitter site, users were taken to twitter.access-logins.com/login/ where a very offical looking Twitter login screen asked them for their password. The site was not part of Twitter, but was part of a phishing website (hence the access-logins.com part of the address) that stole their twitter accounts and did crazy stuff to it. That’s why you should NEVER follow a link from an e-mail to login to any site.

This sort of thing happens all the time, even with online banking sites sometimes. Watch that address before you enter your username and password.

4. Bring in … the ANTI-VIRUS!

Anti-virus programs are such a simple way to improve computer security, yet some people still don’t use them. If you don’t like spending the extra cash, why not get a free version? AVG offers an excellent free product that is just as effective against viruses as any paid application. In fact, AVG is the only anti-virus program I use now. You can download it here.

5. Man the firewall!

Firewall? I don’t need no stinking firewall! What’s a firewall? A firewall is like putting a lock on your back door to keep burglars from waltzing straight in. A simple firewall will keep out an entire host of viruses and hackers. If you use Windows XP, just check out this guide for help on how to turn on your firewall.

6. Think before you click.

This kind of ties in with those notes in #3 about phishing. A lot of people (you may be one of those) will click on anything that grabs their attention. Yeah, those “shoot the monkey 5 times and win a plasma TV” ads, you know the ones. Sometimes people will login to a phishing site like the Twitter example and accidentally give away usernames and passwords to their online banking site. It is a very dangerous thing to just click on anything in front of you. Think first, use some common sense, and ask yourself, “how could they afford to give away all those plasma TVs if all you have to do is shoot the stupid monkey?”

7. Update, update, update.

Keeping up-to-date is an important part of computing and security. The recent worm attack on Windows is a prime example of this. Most operating systems make this easy with automatic updates so that you don’t have to worry about it.  However, you should make sure that those automatic updates are enabled. Click here for information on how to double check this on a Windows PC.

AntiVirus Software Review

AntiVirus Software Review

You think the winter flu was bad…

Today’s computer viruses are more sophisticated and aggressive than ever. Thankfully, with antivirus software, you can confidently keep your data safe and your computer free of infection.

http://tinyurl.com/dojbp