
How to use and Tools to Evade Corporate Espionage

An ICIT White Paper

Institute for Critical Infrastructure Technology

August 2015

NOTICE: The recommendations contained in this white paper are not intended as standards for federal agencies or the legislative community, nor as replacements for enterprise-wide security strategies, frameworks and technologies. This white paper is written primarily for individuals (e.g., lawyers, CEOs, investment bankers) who are high risk targets of corporate espionage attacks.

The information contained within this briefing is to be used for legal purposes only. ICIT does not condone the application of these strategies for illegal activity. Before using any of these strategies, the reader is advised to consult an encryption professional. ICIT shall not be liable for the outcomes of any of the applications used by the reader that are mentioned in this brief. This document is for information purposes only. It is imperative that the reader hire skilled professionals for their cybersecurity needs.

The Institute is available to provide encryption and privacy training to protect your organization’s sensitive data. To learn more about this offering, contact information can be found on page 41 of this brief.

Not long ago it was speculated that the leading world economic and political powers were engaged in a cyber arms race; that the world was witnessing a cyber resource buildup of Cold War proportions. The implied threat in that assessment is close, but it misses the mark by at least half. The threat is much greater than you can imagine. We have passed the escalation phase and moved directly into full confrontation in the cyberwar. State-sponsored hacking groups are regularly committing targeted and complex attacks against governments, businesses, and individuals. In this new reality there are two possibilities when it comes to your own personal/business data and the data of your clients. The first possibility is that you and your business are already breached in some way and have been for some time now.

Somewhere in your system (at home, the office, your cellphone/tablet, or even your smartwatch) state-sponsored hackers from China, the Eastern Bloc, North Korea, or even Iran have placed software that allows them to quietly watch your every online move and record it all, thereby stealing away information that provides them with a decided advantage in business negotiations, or outright stealing intellectual property to copy it with impunity. Hacker groups like Anonymous, the Syrian Electronic Army, the Chaos Computer Club (Europe), and Tarh Andishan (Iran) may be siphoning off your organization’s most treasured secrets for no other reason than to expose them to the world and embarrass those you protect. Further, compromised systems, potentially including every PC in your organization, are infected and their resources are used to assist in attacks against other organizations, such as distributed denial-of-service (DDoS) attacks. Your organization can be investigated by the FBI or carry liability for attacks made against other organizations from your network. In today’s climate bad actors are not always sitting half a world away. Often it is an employee whose laissez-faire attitude or ignorance about basic cyber security methods brings down even the most sophisticated organization. Given the current state of the Federal cybersecurity landscape, odds are that there will be no white knights on charging steeds coming to your rescue anytime soon. They are going to be busy setting their own houses in order. More likely is that you will get more and more regulations to comply with and stiffer penalties to endure for failing to do so. The second possibility is that your organization is about to be breached and you have the opportunity to proactively prevent that occurrence. There is absolutely no chance that everything is just fine and you have nothing at all about which to be concerned. Unsuspecting targets and those who do not appreciate the threat are the most appealing victims. Everything is up for grabs in the escalating cyberwar. Are you willing to risk everything?

Those perpetrating these attacks are interested in every detail they can collect, and that includes the most mundane pieces of daily life. Some information is useful for decades, and other information, including expired records, can be fed into Big Data algorithms to generate valuable information. In a world of legal holds and incredibly long file retention requirements, legal organizations are a massive treasure hoard capable of sustaining those who breach them for decades. These bad actors are patient, well-funded (especially if they are state-sponsored), and have the strength of numbers on their side. Vandals and criminals pursue quick payoffs and easy returns, but foreign governments value a broader palette of information and they have limitless resources and patience. Once attackers penetrate a system, they may continuously monitor the network in real time until they choose to act. Adversaries may even patch vulnerabilities behind them so that other parties do not also breach the system and set off alerts. Becoming discouraged at the possibility of a full-court press against your existing cybersecurity measures is exactly what these groups count on. Constant vigilance is the first block in a solid foundation for protecting yourself, your business, and your clients. In the following pages you will see that there is a combination of small steps that, when executed in concert, make your organization a much more difficult target to hit and thus less appealing to groups who often begin by looking for the easiest/fastest win they can get. This is by no means a talisman or magic bullet that will prevent all cyber-attacks, but often making yourself a more difficult target than your competitors is enough to mitigate most attacks.

Attackers have breached 96% of organizations across all sectors, including Legal, Financial, Healthcare, Pharmaceutical, and Government, at some point in the past decade.

According to Bloomberg Business, adversaries have breached 80 of the biggest 100 law firms, by revenue, since 2011. Clients are pressuring organizations to adequately protect their data under the threat of migration to another firm. No organization wants to publicly admit that its unprotected systems and cyber-apathy assisted the exfiltration of client intellectual property. Data is no longer solely safe behind the layered security supporting organizations, because sophisticated actors who cannot breach the defenses will alter their strategy and target the employees supporting the organization instead of attacking the system directly. The most prevalent and by far the most successful attack vector against an organization is social engineering, the process where an attacker, bent on soliciting confidential information or minute organizational details, interacts with an employee person-to-person via email, phone, or real life. This process is akin to the big bad wolf knocking on the door and asking for a cup of sugar instead of trying to huff, puff, and blow the brick house down. Social engineering attacks, which range from stealing user login information to mapping the organizational structure, are so successful that if you think of a major breach that has appeared in the media in the past 5 years (Ashley Madison, Darkode, OPM, Target, etc.) it is almost certain that the breach began as a social engineering attack. Simply, if an actor knows who you are, what you do, when you do it, where you browse online, why you interact online, and how you access the internet, then the actor literally knows, or knows how to learn, every scrap of information necessary to steal your data, financial information, or intellectual property. Fortunately, employees can utilize many of the procedures and tools popularized by the nefarious lot to ensure the levels of privacy, anonymity, and security necessary to prevent personally targeted attacks. Every person in an organization should adopt these preventative measures to ensure organizational resiliency. When an attacker fails to gain entry with their initial target, most often they simply adjust their attack laterally or diagonally in an organization and repeat the endeavor until they achieve success. Blocking the ability to gain a foothold by creating an organizational culture of cybersecurity in this way makes yours a much more difficult target to attack.

Data must be protected where it is accessed, where it is stored, and while it is in transit.

An increasingly mobile workforce requires secure access to data on personal computers and smartphones, as well as the ability to navigate online without attracting the attention of malicious actors. Predators can be avoided if they never notice prey. Data stored on servers and personal computers must be protected and encrypted. More importantly, the data known to personnel must be protected by training employees to value security, privacy, and anonymity.

Information can be securely transferred through encrypted email, encrypted telephony and text message solutions, and through end-to-end encryption solutions such as virtual private network (VPN) connections. Data that must be accessed through the use of mobile devices must be accessed through a containerized solution that keeps the data secured and away from the personal data and apps that a user also keeps on their device. This containerized segment may also be remotely wiped clean and remotely removed from a user’s device when a device is lost or stolen, or if the individual’s association with your organization is terminated. Enterprises can no longer consider best-of-breed solutions that are narrow in focus. Best-of-suite tools must be employed that allow data to be protected regardless of the platform and application used to access and interact with it. While this may sound like a daunting and expensive proposition, do not be discouraged. Acclimation is quick and easy if you follow the right steps.

While there is no single solution or silver bullet to security or privacy, the majority of these concerns can be easily and rapidly addressed using free, open source software. The most fundamental solution is the adoption of the Tails operating system and some basic best practices for online interactions. Computer activity leaves footprints in the form of temporary files, IP addresses, browsing cookies, and user metadata. Malicious actors use these indicators to target personnel through social engineering, screen capture, system monitoring, or malware infection. Tails is an amnesiac operating system designed to leave little or no footprint. Tails offers similar web, email, and chat applications as Windows or Mac, and, depending on the user configuration, it can be made to look and feel like Windows 8. Tails downloads with applications preconfigured with security and privacy in mind. Tails also supports state of the art cryptographic tools to encrypt files, email, and instant messages, which, its creators claim, remain unbreakable even to the NSA. Tails uses the Tor (The Onion Router) browser. As a result, internet traffic through Tails is relayed around the internet through the Tor network, a collection of randomized nodes, and afterward the traffic origin is unknown to most monitoring methods. Users download Tails, place it on a spare USB drive, SD card, or CD, and boot the operating system from that device instead of Windows, Linux, or Mac. For simplicity, the guide later in this document will explain how to load Tails onto a USB device.

Personnel who access machines with disk drives, or users who desire a higher degree of security, should use the installer within the USB-booted Tails to create a Tails boot CD and then use that instead. Booting from a CD is safer than booting from rewritable media because the underlying code cannot be changed in any way. The user can be certain that they operate independently of the underlying system and that no evidence of activity remains behind. Tails does not save user data to the machine hard drive, so any work, such as created documents or downloaded programs, must be saved to a separate device. When the system is shut down, the short term memory, or RAM, of the PC is erased and the user activity “never happened”.

Essentially, Tails turns any computer into an Etch A Sketch. Tails can boot on any PC, anywhere, without fear of contamination or surveillance. Because Tails ignores the memory of the machine that it runs from, users are able to navigate anywhere on the internet, use public machines, and use public Wi-Fi without worrying about surveillance or infecting their system with malware.

Tails is not foolproof. Users can be monitored if they reuse accounts, frequent their traditional internet destinations, or fail to adhere to other best practices. Constant vigilance is the order of the day even when you feel most secure. Further, Exodus Intelligence reports that Tails, like any operating system, has vulnerabilities that an adversary can exploit if they know both that the user is running Tails and some indicator of identification, such as where the user is connecting from or an identity that the user recycles. Malware can still infect systems when the user visits or downloads files from untrusted destinations. However, the impact of the risk of surveillance or malware infection is minimized to a single user session.

The Tor network is likewise not perfect. Governments, researchers, and adversaries have attempted to de-anonymize it in the past, and many still try. So far, success has been limited and, barring vast, persistent illegal activity, users should feel confident that Tor can anonymize them. Tor cannot protect you if you are already under sophisticated surveillance. A recent DARPA initiative called Memex was developed to collect and aggregate data from Tor sites to assist Federal agents in operations to shut down human trafficking rings. Memex is a collection of tools that index sites that do not declare their presence. These sites, which never appear in search engines, are normally only accessible by users who know the address. For now, Memex remains in government control; however, no laws prohibit commercial firms or ne’er-do-wells from developing similar engines and tracking identifiable user patterns. Cautious users should therefore take every step to minimize their active footprint and present as small an attack profile as possible. Provided users adhere to Tails best practices, persistent adversaries would have to infiltrate, monitor, and compromise a user system in a single session, or else find an easier target. If the user abandons online identities frequently, connects from different internet access points or at different times of the day, and maintains a low profile, then Tails guarantees security and privacy.

One way that Tails protects the user identity is by spoofing (i.e. lying about) the media access control (MAC) address that acts as the system fingerprint attached to the wireless or Ethernet adapter. Another major protection is the Tails design decision to route all user internet traffic through the Tor network. The Tor network, sometimes referred to as the onion network, connects the familiar internet with the less familiar darknet and deepnet. All user traffic is bounced around amongst thousands of random nodes across the globe like the most chaotic game of pinball imaginable. Complete, or even on-demand, de-anonymization of the Tor network has proved impossible for even the NSA. This is in part due to Tor’s growing popularity combined with its founding characteristic that anonymity increases in direct proportion to the number of users. Tails relies on the Tor browser instead of a mainstream browser such as Chrome. The Tor browser spoofs the user system IP address, the classic fingerprint of a system, and offers the user access to search engines and resources that are not indexed on the traditional internet.

Tor is one of the only services that offers end-to-end anonymity, because user traffic is encapsulated in layers of encryption (hence the onion moniker) before it is jumbled around with the traffic of other users until it reaches its destination. As a result, a secure tunnel is formed between the user and their destination. Most end-to-end solutions, such as virtual private networks (VPNs), which offer end-to-end encryption, can be visualized as a straw (representing the connection) poking through a Styrofoam ball (representing the global internet). Any traffic in the sphere can see the straw, but no one, including the internet service provider, except the user and the destination site can see what flows within the straw. A background process in Tails automatically encrypts communication from the Tor browser, and from email and other clients, with VPN-like HTTPS when possible. The Tor network can be explained in a similar metaphor to VPNs, except that the sphere is pierced by an immense number of identically colored, intricately interwoven fun straws contorted at every angle possible, specifically to confuse anyone attempting to follow any single straw. The Tor network is a powerful tool, but users should refrain from depending upon it. Many “dark” sites host malicious content that can record user activity. As a result, users must resist the urge to navigate to familiar parts of the internet such as the organization site or private (non-disposable) email. With as little information as navigation patterns, a persistent adversary can learn a great deal about a target.

For many, this makes the internet feel claustrophobic, and it is important for users to remain vigilant and accept the trade-off of browsing fewer sites despite the wider selection. This is simply a tool for specific uses and not a wholesale replacement for normal browsing, conspicuous presence, and the like.

Alongside the layered obfuscation methods built into the Tor browser, it and all the other applications available in Tails support strong encryption. An algorithm is a set of step-by-step instructions that detail a process, such as booting a PC or baking cookies. An encryption algorithm is the application of a set of mathematical operations to a data set. Encryption algorithms can be as simple as “add 3 to each number”, or as complex as “take the logarithmic function of the second derivative of the value and process it through an XOR sequence”. For most users, it is sufficient to view encryption processes as a “black box” tool and to employ encryption algorithms whose strength is proportional to the value and lifetime of the asset secured. Encryption does not make data impervious to exfiltration, nor does encryption ensure that an adversary cannot break the algorithm and access the data. An adversary could steal data and spend the next few years decrypting it. Retroactive analysis is extremely lucrative, even if the data are no longer useful, because Big Data engines can use them for predictive analysis. Encryption and decryption algorithms require increasing computational time and resources proportional to the strength of the algorithm and the amount of data. The goal of encryption is not to make data impossible to access or steal; rather, encryption increases the amount of time and resources an adversary must input in order to access data.

“Strong” encryption algorithms ensure that the threshold of adversarial time and resource allocation to break encryption and access data, is significantly greater than the lifetime and value of the data. This is a game of diminishing returns.

Organizations may consider investing in full drive encryption hardware solutions that prevent data exfiltration from lost or stolen devices, provided that the devices were shut down.

Software alternatives such as Microsoft BitLocker, FileVault, or the open source TrueCrypt can encrypt individual files, partitions, external drives, or internal drives. Additionally, applications such as SpiderOak allow users to encrypt files stored in the cloud. File encryption does not usually prevent data exfiltration from a compromised machine, because data decrypted for the user is already decrypted for the attacker; but file encryption solutions do prevent data exfiltration from a lost or stolen device.

Most people forget that mobile phones are just smaller personal computers. Mobile security usually stops at placing a screen lock on the device. Data on stolen devices can usually still be read if the thief connects the phone to a PC. Users should consider encrypting their devices as much as they should consider encrypting their databases, especially if employees access organization resources, such as organization email or databases, from their phones.

Encryption does nothing against the theft of data while the phone is unlocked, such as Bluetooth hacking while the owner is using the device, but it does reduce the amount of time in which an adversary could breach the device. As always, the easiest solution for organizations is to prohibit access to organization resources from mobile devices. Given lower operating budgets and the drive for more mobile employees and increased productivity, this is often a non-starter. As a result, a rigorous BYOD (Bring Your Own Device) policy must be developed and adopted by organizations allowing employees to access company resources with personal devices. Employees should also be trained to avoid storing anything of value, even banking credentials, on mobile devices. Given the societal aversion to that option, encryption solutions exist and should be thoroughly investigated prior to implementation. Encrypting the hard drive of a smartphone will cause some, usually slight, degradation in response time and performance. Furthermore, removing encryption from a device will almost always require a complete factory reset of the unit. Android Gingerbread 2.3.4 and newer devices have the option to automatically encrypt the hard drive of the device in the security settings. The process takes about an hour. Users should avoid encryption applications, free or commercial, on application stores, because many of them are ransomware or malware that grants an actor remote access to data on the device. Other mobile solutions include corporate VPNs, mobile sandbox virtualization environments that partition the device, and commercial solutions. Options that allow for the remote wiping or removal of corporate-owned data should be heavily considered as strong candidates in mobile device management (MDM). Many commercially available containerized/sandbox applications of this variety also allow for the provisioning of corporately managed email, contacts, content repositories, and even a whitelisted app store for approved applications to be used on the mobile device.

A secure instant messenger (IM) called ChatSecure is available on Android systems in conjunction with Orbot (the Android version of Tor). Both applications are available from Google Play. The free applications RedPhone and Signal allow users to communicate securely and anonymously through the voice over internet protocol (VoIP) ZRTP (Z Real-time Transport Protocol) created by Phil Zimmermann. Commercial VoIP and text message solutions are still available online from Silent Circle, a company founded by Zimmermann and Jon Callas.

Users should not use ChatSecure, RedPhone, Signal, or the Silent Circle applications without Orbot. Furthermore, they should consider purchasing a prepaid smartphone to use instead of their private or corporate device. Internet-enabled smartphones such as the Huawei line of phones sold at many national big box retailers can be purchased for less than $40 and feature the same functionality as a Samsung Galaxy. If using these devices in an enterprise setting for corporate communications, they must be vetted with your information security professionals to ensure that they are supported by any mobile device management applications that may need to be provisioned on the device. Alternatively, users could purchase pre-secured mobile devices. Last year, Jon Callas and Phil Zimmermann assisted a Swiss startup called Blackphone that advertises an entire commercial mobile security solution from the operating system outwards. Blackphone is an Android-based, security-focused device that offers secure calling, text messaging, encrypted file transfer, and video chat among other applications.

Users can choose an email client according to their needs and preferences. Tails comes loaded with the Claws Mail email client; users can follow the instructions at the end of this document to download Gpg4win; or users can load the Tor browser and create a Hushmail account (www.hushmail.com). Configuring disposable email accounts and IM accounts takes time and practice. Users must determine and exchange their temporary identities and public keys in a channel outside of the secure zone. This is easy if two people can communicate freely in the physical world, but it is more difficult in cyberspace. In such cases, communication is up to the ingenuity of the user. The safest route is creating both accounts in an exchange, navigating the exchange yourself, and then contacting the other party with the username and password of a disposable email or IM account for your shared communication.

Tails comes with preconfigured instant messaging (IM) and email clients that offer security, authentication, and deniability. The IM client, Pidgin, is also available outside of Tails for Windows and Linux users, in combination with the Tor browser. Pidgin and the OTR plugin for Pidgin should be installed from within the Tor browser. A similar program is available for Mac users in combination with the Tor browser. Prior to creating an account, users must choose an XMPP server, known as a Jabber server (https://list.jabber.at/), and communicate their server choice to the recipient of their communication, unless they create both accounts and then pass on the login credentials and Jabber server information to the recipient. It is worth noting that Jabber server selection should be done from the Tor browser so that the user’s native IP address does not appear in the logs of various Jabber servers. The Jabber server will not know who you are and, if you employ encryption on your communications, the server will not be able to know what you are saying. As a result, you do not have to trust the Jabber server that you choose. The IM chat clients mentioned support the Off-the-Record (OTR) protocol, which uses a combination of the 128-bit AES symmetric-key algorithm, the Diffie–Hellman key exchange with a 1536-bit group size, and the SHA-1 hash function. When possible, users should enable OTR encryption because it remains one of the strongest cryptographic protocols in use, and even the NSA has yet to decrypt OTR IM communications.

By using OTR the user is provided with four aspects of privacy:

- Encryption: nobody other than the sender and intended recipient can read their messages (without extreme efforts)
- Authentication: making sure that the recipient is the person the message was actually intended for
- Deniability: messages do not have digital signatures that are confirmable by a third party; the recipient cannot prove that messages received were sent by you (but they’re still sure about it)
- Perfect forward secrecy: if someone gains access to your private keys, they won’t be able to decrypt any past conversations
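The following Python sketch is an added illustration, not code from the paper or from the OTR project, of the session shape that produces these four properties: a fresh Diffie-Hellman key per round, encrypt-then-MAC, and publication of spent MAC keys. It assumes stand-ins for the real primitives (a toy 127-bit prime instead of the 1536-bit group, a SHA-256 keystream instead of AES-128) so that it runs on the standard library alone.

```python
"""Toy model of the four OTR properties listed above (added example, not the
paper's or the OTR project's code). Stand-ins: a 127-bit Mersenne prime for
OTR's 1536-bit DH group and a SHA-256 counter keystream for AES-128. Shows
the protocol shape only; not for real traffic."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed toy prime, far too small for real use
G = 5


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128-CTR: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Party:
    """One side of an OTR-style session holding a disposable DH key pair."""

    def __init__(self) -> None:
        self.rotate()

    def rotate(self) -> None:
        # Fresh DH key; the old private value is discarded. This is what
        # gives perfect forward secrecy: nothing retained unlocks old traffic.
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def derive(self, their_pub: int) -> tuple:
        """Derive separate encryption and MAC keys from the shared secret."""
        shared = pow(their_pub, self.priv, P).to_bytes(16, "big")
        enc_key = hashlib.sha256(b"enc" + shared).digest()[:16]
        mac_key = hashlib.sha256(b"mac" + shared).digest()
        return enc_key, mac_key


def send(sender: Party, receiver_pub: int, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC; returns (sender_pub, ciphertext, tag, mac_key).
    OTR publishes each MAC key once it is spent; returning it here models
    that publication (see the deniability check in demo())."""
    enc_key, mac_key = sender.derive(receiver_pub)
    ciphertext = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return sender.pub, ciphertext, tag, mac_key


def receive(receiver: Party, sender_pub: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the MAC, then decrypt. Raises ValueError on a bad tag."""
    enc_key, mac_key = receiver.derive(sender_pub)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, ciphertext)


def accepts(receiver: Party, sender_pub: int, ciphertext: bytes, tag: bytes) -> bool:
    # True when the receiver's MAC check passes for this ciphertext/tag pair.
    try:
        receive(receiver, sender_pub, ciphertext, tag)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise the four properties and report each as a boolean."""
    alice, bob = Party(), Party()
    message = b"constructed sample: draft filed under seal"
    alice_pub, ciphertext, tag, revealed_mac_key = send(alice, bob.pub, message)

    # Encryption and authentication: wire bytes differ from the message, Bob
    # recovers it, and a single flipped ciphertext byte is rejected.
    encrypted = ciphertext != message
    decrypted_ok = receive(bob, alice_pub, ciphertext, tag) == message
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    rejects_tamper = not accepts(bob, alice_pub, tampered, tag)

    # Deniability: with the MAC key public, any third party can attach a valid
    # tag to bytes Alice never sent, so a transcript cannot prove authorship.
    forged = b"constructed forgery: text Alice never wrote"
    forged_tag = hmac.new(revealed_mac_key, forged, hashlib.sha256).digest()
    forgery_accepted = accepts(bob, alice_pub, forged, forged_tag)

    # Forward secrecy: Bob rotates away his private key; the earlier message
    # can no longer be authenticated or decrypted with what he still holds.
    bob.rotate()
    old_readable = accepts(bob, alice_pub, ciphertext, tag)

    return {"encrypted": encrypted, "decrypted_ok": decrypted_ok,
            "rejects_tamper": rejects_tamper, "forgery_accepted": forgery_accepted,
            "old_readable_after_rotate": old_readable}
```

Running `demo()` should report the first four properties as True and `old_readable_after_rotate` as False.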

If used without Tails, it is highly recommended that users purchase a cheap, dedicated device, such as a $100 tablet or netbook. Avoid the temptation of purchasing a cheap pre-owned device. There are too many potential risks of pre-loaded malware and keylogging software to make this an attractive option, no matter how cheap the price. Just as it is important not to purchase pre-owned devices, when you are ready to dispose of a device you have purposed for this use it should never be recycled back into the general population. These devices should not be resold or repurposed to friends/family. They should be physically, completely degaussed and destroyed. This dedicated device will have limited functionality, so cost effectiveness outweighs performance capability. An example configuration of Pidgin is available in the guides section.

Before learning how to send anonymous chat or emails, users must unlearn ingrained traditional internet behavior. Anonymous accounts should be created through Tor, and accounts should never be accessed when not connected to Tor. Since Tails routes all internet traffic through Tor, the user can create new IM accounts directly in the chat client. Outside of Tails, it is difficult to ensure that IM traffic passes through the Tor browser, so users should open the Tor browser, navigate to a Jabber server that allows online account creation (such as Chatme, CodeRollers, Darkness XMPP, XMPP.jp, etc.), and create accounts within the Tor browser. Use a new account for each contact, abandon accounts frequently, and try to avoid signing into multiple accounts at the same time. The Tor browser features a small green onion button at the upper left with the option to refresh the browser and generate a new identity. Periodically use this feature between jaunts to various sites, or at intervals during long dialogues, to prevent correlation of activity, browsing habits, and system details with the temporary IP address.

Neither the username nor the password should correspond to identifiable information about the creator or to any past account or password. Do not give any identifiable information to the chat service or to other users. Secure, anonymous chat and email requires preparation that often daunts unaccustomed users. Whether or not users utilize Tails, anonymity relies upon preventing exposure of metadata and properly encrypting the communication. Metadata are the details behind communication, such as who is communicating with whom, how long communications last, the locations of the participants, and profiles of the false identities used for the communication. False personas obscure the identities of the participants; however, users must combat the habits ingrained in them through use of the traditional internet. A username should be seen as a disposable identity rather than an alter ego. To assist in this endeavor, develop a repeatable scheme that allows you to easily remember and create login credentials. One suggestion is to grab the nearest book, open to a random page, and create your own username/password template. For instance, from page 80 of an edition of Frankenstein, the first line “It is the same: for, be it joy or sorrow” can translate into the username Iti2Thes4For and the password Bei2Joyo2Sorrow. Here, my algorithm is a capitalized whole word followed by the first letter and length of the next word, followed by a capitalized whole word, the first letter and length of the next word, and another capitalized whole word. This book cipher allows me to create a considerable number of accounts, even if I only use the first line on a page. Additionally, so long as I can remember the book, I only need to remember or record (on a Post-it or notepad) a page number, devoid of any compromising information.
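The template just described, implemented as an added Python example (not code from the paper); the function and parameter names are this example's own, and it generalizes the rule to any line with at least ten words while reproducing the Frankenstein case above.

```python
"""Credential template from the book-cipher scheme described above.

Added example, not code from the ICIT paper. Implements the stated rule
(capitalized whole word, then first letter plus length of the next word,
alternating) over five words for the username and the next five for the
password. Function names are this example's own.
"""
import re


def _credential(words: list) -> str:
    """Even positions: capitalized whole word. Odd positions: first letter + length."""
    parts = []
    for index, word in enumerate(words):
        if index % 2 == 0:
            parts.append(word.capitalize())
        else:
            parts.append(word[0].lower() + str(len(word)))
    return "".join(parts)


def credentials_from_line(line: str, words_each: int = 5) -> tuple:
    """Split a line into words and build (username, password).

    Punctuation is dropped. Hyphenated or apostrophized words are treated as
    separate words (an assumption of this example, not stated in the paper).
    Raises ValueError when the line is too short for the template.
    """
    words = re.findall(r"[A-Za-z]+", line)
    needed = 2 * words_each
    if len(words) < needed:
        raise ValueError(f"need {needed} words, line has {len(words)}")
    username = _credential(words[:words_each])
    password = _credential(words[words_each:needed])
    return username, password


if __name__ == "__main__":
    # The paper's own line from page 80 of Frankenstein.
    user, pw = credentials_from_line("It is the same: for, be it joy or sorrow")
    print(user, pw)  # Iti2Thes4For Bei2Joyo2Sorrow
```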

During communication, keep language as brief as possible. Unless parties know each other, the first few minutes of each communication should entail validation of the other party’s identity through a prearranged method. If an adversary compromises a friend’s account, then the key pair of that friend could be compromised as well, depending upon the attack vector. Dialogue is extremely characteristic of a person, and users should try their best to mask their mannerisms, writing style, and preferential word choice. In anonymous communications, sanitize text by avoiding idioms, contractions, and common phrases. Only reveal specific or specialized knowledge when necessary, and especially avoid doing so when communicating with unknown contacts. Knowledge is power, after all, and every grain of sand an actor accumulates helps them build a mountain. Occasionally, leave your account logged in for an extended period of time or arrange exchanges at atypical times to reduce periodic snooping in case all other privacy and security measures fail.

Remaining secure and anonymous, while tedious, is not difficult. Many of the processes, such as encrypting hard drives, need to be performed only once. Learning to configure and use Tails, the Tor browser, encrypted email and disposable accounts can put many users outside their comfort zones; however, pushing past that discomfort is worthwhile. In a short time the applications become routine, security is increased significantly through anonymity, and researchers and organizations regain their privacy. As with any other habit, with enough repetition these best practices become second nature and form a culture of security that is both sustainable and repeatable across the enterprise for all users. Hopefully this document has imparted to you, the reader, the importance of using privacy protections, along with a technical walkthrough of the basics of setting yourself up with the various tools.

There is an underlying question that also needs to be addressed here. Why does using these privacy tools and protections help you protect your data and your clients' data? A few references in this document hint at the underlying logic: make yourself a more difficult target with a smaller profile, and make attackers work harder. This cannot be stressed enough. Attackers almost always begin with known attack vectors and pursue low-hanging fruit first. Once a vulnerability in an organization is found, word spreads, and a single successful attack can become an onslaught; the hacking community's built-in information sharing and, for some, braggadocio act as a force multiplier. While these tools do not make you or your organization impervious to attack, they certainly provide some amount of cloaking. Your organization is removed from attackers' first line of sight when its security and privacy controls lift it above the low-hanging fruit of your competitors. "Harder to find, harder to hack" is a good mantra to learn.

While some bad actors may take this as a challenge, by and large there is no need for them to devote time and resources to ferreting you out as a user when there are literally millions of other users who present easier targets simply by not using the free and readily available tools referenced herein. What are your privacy and the confidence of your family and clients worth to you?

Guides:

How to Download GPG4win and Create a Key Pair:

1. Navigate to the GPG4win homepage (http://www.gpg4win.org/) and select the large green download button. Upon redirection, select the large green button for the latest release at the top of the page and save the installer.

2. A hash is a fixed-length digest of a file's contents; any change to the file, however small, changes the hash. To confirm that the downloaded file is the one the project published, compare its SHA-1 hash with the value shown on the GPG4win download page. Install HashCalc (http://www.slavasoft.com/hashcalc/) and open it. Click the "..." icon beside the data box and navigate to the folder where gpg4win-2.11.exe is located. Check the SHA-1 box in HashCalc and click Calculate. Compare the result with the SHA-1 on the GPG4win page, one character at a time. Note that this check only detects a corrupted or substituted download if the reference value itself came from the genuine page over HTTPS, and SHA-1 is no longer recommended for this purpose; where a project also publishes a SHA-256 value or an OpenPGP signature, prefer those.

3. If the SHA-1 hashes match, double-click the executable to run it. Follow the setup wizard and select and install all components except Claws Mail (unless desired). Install the start menu shortcut, if desired.

4. Navigate to the Gpg4win folder and open GPA (GNU Privacy Assistant). GPA generates the public key that you give to other users and the private key that you use to decrypt messages sent to you. Upon initial configuration, a prompt asks whether you want to generate a private key now. Select that option.

5. Enter a name and email address. If the key is for anonymous use, the name associated with it should not be your own; enter a generic or fictitious name. Choose a passphrase that is not linked to your real identity.

6. Back up the key somewhere safe if you intend to reuse the account.

7. Be sure to set an expiration date on the key to prevent extended use and to minimize the impact if an actor compromises the account.

8. Copy and paste your public key into a text file and save it; this is the file you give to contacts.

9. Click the Import button, navigate to a key file, and import it. This is how contacts' public keys (and your own backed-up key, on a new machine) are loaded into GPA.

10. You will need to import the public key of each contact you communicate with in this manner.
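The hash comparison of step 2, as an added shell example that is not part of the ICIT paper: it does the "one character at a time" check by machine, tolerates the case and whitespace differences that creep in when a value is copied from a web page, and refuses a reference value of the wrong length (a sign that the wrong string was copied). It uses sha256sum/sha1sum, or shasum where those are absent; the sample file and the reference digests in the usage note are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the ICIT paper): verifying a download against the
# SHA-1 or SHA-256 value published beside it.

# digest ALGO FILE: print the hex digest of FILE; ALGO is 1 or 256.
digest() {
  algo=$1; file=$2
  if command -v "sha${algo}sum" >/dev/null 2>&1; then
    "sha${algo}sum" "$file" | awk '{print $1}'
  else
    shasum -a "$algo" "$file" | awk '{print $1}'
  fi
}

# check_download ALGO FILE EXPECTED
#   returns 0 when FILE's digest equals EXPECTED (compared case-insensitively,
#           ignoring stray whitespace copied from the page),
#           1 on a mismatch (delete the file and download it again),
#           2 when EXPECTED is not a digest of the right length for ALGO.
check_download() {
  algo=$1; file=$2
  expected=$(printf '%s' "$3" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
  case $algo in
    1)   want=40 ;;
    256) want=64 ;;
    *)   echo "unsupported algorithm: $algo"; return 2 ;;
  esac
  if [ "${#expected}" -ne "$want" ]; then
    echo "reference value has ${#expected} hex digits, SHA-$algo needs $want"
    return 2
  fi
  actual=$(digest "$algo" "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-$algo"
    return 0
  fi
  echo "MISMATCH: delete $file and download it again"
  echo "  published: $expected"
  echo "  computed:  $actual"
  return 1
}

# Usage, with a constructed file in place of gpg4win-2.11.exe:
#   printf 'hello\n' > sample.bin
#   check_download 256 sample.bin \
#     5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
```

The reference value must come from the project's page over HTTPS (or from a signature you have verified); a hash copied from the same untrusted channel as the file proves nothing, because whoever replaced the file could replace the hash as well.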

How to Download and Use Tails:

1. Downloading and configuring the Tails operating system is a simple process that is often overcomplicated by poor explanation on the internet. These one-time instructions aim to minimize the time and technical prerequisites needed to begin using Tails. Navigate to the Tails homepage (https://tails.boum.org/) and click the large green "Download Tails 1.4.1" button.

2. Tails is downloaded as an ISO image, a byte-for-byte copy of a bootable disc, which is then written to a CD, USB drive, or SD card and booted from that device. A bootable CD offers the greatest security because read-only media cannot be altered and malware cannot corrupt the system; however, many new PCs lack optical drives, USB drives and SD cards are easier to create initially, and rewritable media are easier to update to new versions of Tails. Tails contains an installer that can create additional bootable devices once the operating system is running, so users are encouraged to proceed through these steps and then use that installer to create alternative bootable media. Scroll down the webpage to "step 2" and download the latest Tails ISO image and its cryptographic signature by clicking the green buttons on the left of the page, directly under the direct download heading. Save both files to a clearly labeled folder or directly to the desktop for easy access. Because of the size of the ISO image, the download may take about an hour.

3. While these files download, install GPG4win according to the directions above (if you have not already done so) and install Rufus (https://rufus.akeo.ie/). GPG4win is needed to verify the ISO image's signature, which ensures that the copy of Tails obtained is genuine and defeats a man-in-the-middle attack in which an adversary intercepts the download request and serves a different file. Rufus simplifies writing the Tails image to a bootable USB drive or SD card.

4. After GPG4win and Rufus are installed, navigate to the location where the Tails ISO and signature are saved. Right-click the signature file and select "Decrypt and verify" from the menu.

5. Confirm that the input line points to the .iso.sig file and that the "Input file is a detached signature" box is checked.

6. The "Signed data" field should display the path of the ISO image; nevertheless, select the icon to its right, navigate to the ISO file, and reselect the image to be certain that the program verifies the ISO.

7. Click the "Decrypt and verify" button at the bottom of the application. The program runs for a few minutes. A green confirmation means the signature is valid and was made by a key you have marked as trusted. A yellow "not enough information" message means the signature is valid but the signing key is not yet certified in your keyring; in that case, compare the fingerprint of the signing key with the one the Tails project publishes before relying on it. If the program returns any other message, delete the ISO image and signature and re-download them from the Tails homepage (https://tails.boum.org/). Close the application after confirmation.

8. Insert an empty flash drive or SD card with at least 4 GB of capacity. Tails support warns that some brands of PCs and flash drives will not boot Tails. Despite this warning, try to boot Tails even on a system that appears on the support page, because the warning is a generalization rather than a definitive list of unsupported devices. In preparation for this document, Tails was placed on an 8 GB SanDisk Cruzer USB drive, which supposedly does not support Tails, and the device boots perfectly well. All other files on the device will be erased during formatting, so move anything you want to keep off the drive first. If possible, use a new device, for greater confidence that the image will not be corrupted by malware or damaged files hidden on the device. A 4 GB flash drive costs less than $3 at most shopping centers.

9. Run Rufus. Select the name of the USB drive or SD card under the Device drop-down menu. Be sure that the default FAT32 option is selected under the File system heading. Select "ISO Image" from the drop-down beside the "Create a bootable disk using" box, click the icon beside the menu, navigate to the ISO image, and select it. Start Rufus and proceed through the warnings. Writing the image may take a few minutes.

10. In the meantime, open a browser and look up the boot-options key for your PC (https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive).

11. Close all applications and safely shut down the PC. Insert the Tails USB drive or SD card if it was removed. Restart the system and press the boot-options key until a menu appears. Scroll to the Tails device and select it.

a) If the system still will not boot from the device, as is common on systems shipped with Windows 8 (UEFI firmware with Secure Boot), find the key that opens the BIOS/UEFI settings during startup. Restart the PC and press that key until the settings menu appears. Using the arrow keys, navigate to System Configuration, then Boot Options, then Legacy Support, and switch the setting to Enabled. Exit, saving changes, and repeat step 11.

12. Upon startup, the system may ask whether to boot the live system. Select it and proceed. The Tails startup menu offers the option to see more options. That menu provides: the option to set a root (administration) password (choose an unrelated one, such as the name of an object within sight, like a ketchup bottle); the option to camouflage the desktop as Windows 8 for a more familiar feel and less conspicuous public browsing; MAC address spoofing, enabled by default (it is recommended that it remain enabled, so the hardware address of your network card is not recorded by the network you join); and network configuration options (useful when connecting from public Wi-Fi).

13. Tails deploys and, after a minute or two, checks whether the system is connected to the internet. If your connection does not register automatically, locate the network icon in the upper right of the display (either a network cable or a computer icon, depending on the camouflage setting) and select your preferred connection.

14. Finally, wait for the prompt confirming that the connection to the internet is established and open the Tor browser to verify that it opens to the Tails homepage. This minor test adds confidence that the booted system has not been compromised.
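What GPA does in the key-pair guide above (steps 4-9) and what Kleopatra's "Decrypt and verify" does in Tails steps 4-7, as one added shell example using the gpg command-line tool; it is not part of the ICIT paper. A throwaway key generated here stands in for the Tails signing key, a small file stands in for the ISO, and the persona name, e-mail address and paths are constructed. The point of the example is the three verdicts at the end: the same valid signature is reported as trusted in the signer's keyring and as valid-but-uncertified (Kleopatra's yellow message) in a keyring that merely imported the public key, and one appended byte turns it into a bad signature.

```sh
#!/bin/sh
# Added example (not from the ICIT paper): key generation, export/import,
# detached signing and verification with gpg, in throwaway GNUPGHOME dirs.

# make_signer HOME: unattended key pair in HOME (GPA's "generate a private key
# now"), with the one-year expiry that step 7 of the key-pair guide recommends.
make_signer() {
  mkdir -p "$1" && chmod 700 "$1"
  cat >"$1/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Name-Real: Disposable Persona
Name-Email: persona@example.invalid
Expire-Date: 1y
%commit
EOF
  GNUPGHOME=$1 gpg --batch --quiet --gen-key "$1/params" 2>/dev/null
}

# export_pubkey HOME OUT: the public key you hand to contacts (step 8).
export_pubkey() {
  GNUPGHOME=$1 gpg --batch --armor --export persona@example.invalid >"$2"
}

# import_pubkey HOME KEYFILE: step 9, loading someone else's public key.
import_pubkey() {
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME=$1 gpg --batch --quiet --import "$2" 2>/dev/null
}

# sign_detached HOME FILE: writes FILE.sig, the kind of signature Tails
# publishes beside its ISO.
sign_detached() {
  GNUPGHOME=$1 gpg --batch --yes --output "$2.sig" --detach-sign "$2" 2>/dev/null
}

# verify_detached HOME SIG FILE: reads gpg's machine-readable status lines and
# prints one of
#   GOOD_TRUSTED    valid signature, key certified        (Kleopatra: green)
#   GOOD_UNTRUSTED  valid signature, key not certified    (Kleopatra: yellow;
#                   check the key's fingerprint out of band before relying on it)
#   BAD             signature does not match the file     (re-download)
#   ERROR           no usable signature or no such key
verify_detached() {
  status=$(GNUPGHOME=$1 gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null || true)
  case $status in
    *'[GNUPG:] BADSIG'*) echo BAD; return 1 ;;
    *'[GNUPG:] GOODSIG'*)
      case $status in
        *'[GNUPG:] TRUST_ULTIMATE'*|*'[GNUPG:] TRUST_FULLY'*) echo GOOD_TRUSTED ;;
        *) echo GOOD_UNTRUSTED ;;
      esac
      return 0 ;;
    *) echo ERROR; return 2 ;;
  esac
}

# demo: run the whole flow in a temporary directory and print each verdict.
demo() {
  work=$(mktemp -d)
  signer=$work/signer; reader=$work/reader; iso=$work/tails-demo.iso
  make_signer "$signer"
  printf 'constructed stand-in for an ISO image\n' >"$iso"
  sign_detached "$signer" "$iso"
  export_pubkey "$signer" "$work/persona.asc"
  import_pubkey "$reader" "$work/persona.asc"
  echo "signer's own keyring:    $(verify_detached "$signer" "$iso.sig" "$iso")"
  echo "after importing the key: $(verify_detached "$reader" "$iso.sig" "$iso")"
  printf 'x' >>"$iso"    # one appended byte is enough to break the signature
  echo "after tampering:         $(verify_detached "$reader" "$iso.sig" "$iso")"
  rm -rf "$work"
}
```

GOOD_UNTRUSTED is the normal outcome the first time you verify a Tails image: gpg can prove the file was signed by the key you imported, but nothing yet proves that key belongs to the Tails project, which is why the fingerprint comparison against the project's published value is part of the procedure rather than an optional extra.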

How to Configure and Use the Tor Browser:

1. Open the Tor browser and check that it opens to the Tails homepage.

2. Click the NoScript icon (a red "S") at the top left of the browser and select "Forbid Scripts Globally", so that scripts cannot run no matter where you explore on the internet.

3. Click the green Tor Check button on the right of the Tails homepage. The checker reports the IP address that outside parties will see as the origin of your traffic. It should be the address of a Tor exit relay and must not be the public address your ISP assigns to your connection; if it is, the Tails system or the bootable media has been compromised or corrupted. Note that the address Windows shows under the details of a network connection in the Control Panel (http://windows.microsoft.com/en-us/windows/find-computers-ip-address#1TC=windows-7) is usually a private LAN address that outside parties never see, so it is not the right value to compare against; the public address is the one an IP-lookup site reports when you are not using Tor.

4. Click the green onion icon, located between the NoScript icon and the address bar, and select Privacy and Security Settings. Adjust the slider to your desired balance of security and usability; the highest setting is recommended for sensitive browsing.

5. The onion icon also offers New Identity, which closes all tabs, clears the session state and builds new Tor circuits, so subsequent traffic leaves the network through a different exit address. Using it between unrelated tasks keeps those activities from being linked to one another by the sites you visit.

The Tor network offers resources of varying legality. Some of these resources can be reached through the non-traditional search engines built into the browser. The site deepweb.pw lists many Tor hidden services and is a useful starting place for navigation.

How to Communicate with Pidgin:

1. If you are using Tails, proceed to the next step. On Windows, install the Tor browser, then download and install Pidgin and the OTR plugin for Pidgin. On Windows, Pidgin requires the Tor browser to be open, because the Tor browser provides the local SOCKS proxy (port 9150) through which Pidgin's traffic is routed. On a Debian-based Linux system, run the command "sudo apt-get install pidgin pidgin-otr tor" from a terminal.

2. Open Pidgin and click Add. First switch to the Proxy tab. Use global settings on Tails. On Windows or Linux, set the proxy type to "Tor/Privacy (SOCKS5)", the Host to "127.0.0.1", and the Port to "9150" on Windows or "9050" on Linux. This step ensures that Pidgin's traffic is routed only through Tor. Optionally add a disposable proxy username and password, different from your account credentials. Tor treats each distinct SOCKS username/password pair as a separate stream-isolation group, so accounts configured with different pairs leave the network over different circuits, which keeps them from being linked by a shared exit address.

3. Switch to the Basic tab. Select "XMPP" under Protocol and enter your disposable username and password. Enter your Jabber server in the Domain field and "anonymous" in the Resource field. Click Add; the buddy list should appear. If the account does not register, fix the warning according to the prompt. If it still does not connect, create the account on the Jabber server's own website first and then enter the details into Pidgin.

4. Next, generate an OTR key for your account (and a new one for every account created in the future). The key is stored locally, so on Tails it must be regenerated at the start of each session unless it is kept on a flash drive or in Tails' encrypted persistent volume (an obvious security tradeoff: a persisted key is a persisted identity). In the buddy list, open Tools and choose Plugins. Scroll to "Off-the-Record Messaging", check the box, and click Configure Plugin. Select your disposable account from the drop-down, check "Require private messaging", and click Generate. Record the resulting fingerprint. To communicate with someone, you must give them your disposable username, Jabber server, and OTR fingerprint, and they must pass you the reciprocal information. At the start of the first encrypted chat with someone you will see their fingerprint, which you must check, one character at a time, against the fingerprint they gave you through a different communication medium. After that you can mark the contact as trusted and need not compare fingerprints again. If the fingerprints do not match, the communication may be subject to a man-in-the-middle attack, in which someone intercepts each side of the conversation and reads or alters it in transit. Visualize the conversation as two tin cans on a string: in a man-in-the-middle attack, the far end of each party's string is at the ear of a malicious attacker rather than at the other party's. In short, if the fingerprints do not match, do not communicate; restart the entire process.

5. Your contact does not have to use the same Jabber server (XMPP servers federate), but some privacy-oriented servers disable federation, so registering on the same server as your contact avoids that problem. Click Add Buddy in the buddy list and enter the contact's username. They will not appear online until they consent to let you see their status; you will receive a similar request from them.

6. Double-click the contact's name to start chatting. Begin by clicking the "Unverified" indicator at the bottom of the window and choosing "Authenticate buddy". Manually compare fingerprints and, if they match, change the second drop-down from "I have not" to "I have" and click Authenticate. The indicator should change to "Private".

7. This verification is needed only once for each new contact. After that, however, it is up to you to confirm that the person on the other side of the screen is the person with whom you want to communicate: a verified fingerprint proves that you are talking to the holder of that key, not that the key has stayed in friendly hands.
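The fingerprint comparison of steps 4, 6 and 7, as an added shell example that is not part of the ICIT paper. It reads the fingerprints file that libotr keeps beside Pidgin's configuration (on Linux, ~/.purple/otr.fingerprints) and decides whether a fingerprint a buddy presents is one you verified earlier, one you have never checked, or a different one (the man-in-the-middle case). Assumptions: the file is tab-separated with the columns buddy, account, protocol, fingerprint (40 hex digits) and trust, as in libotr's format; the accounts and fingerprints in the sample are constructed and the sample file is written to a path you choose, not to a real Pidgin profile.

```sh
#!/bin/sh
# Added example (not from the ICIT paper): checking a presented OTR
# fingerprint against previously verified ones.

# otr_normalize FP: drop the spaces, colons and case differences that creep in
# when a fingerprint is read aloud or pasted, so two renderings of the same
# 160-bit value compare equal.
otr_normalize() {
  printf '%s' "$1" | tr -d ' \t\r\n:-' | tr 'a-f' 'A-F'
}

# otr_check FILE ACCOUNT BUDDY PRESENTED: what to do with the fingerprint a
# buddy presents at the start of a chat.
#   VERIFIED   matches a fingerprint you verified earlier: proceed
#   UNKNOWN    never verified for this buddy: compare out of band first
#   MISMATCH   differs from the verified one: treat as a man-in-the-middle,
#              do not talk, restart the process
#   MALFORMED  not 40 hex digits: it was read or copied wrong
otr_check() {
  file=$1; account=$2; buddy=$3
  fp=$(otr_normalize "$4")
  case $fp in
    '' | *[!0-9A-F]*) echo MALFORMED; return 2 ;;
  esac
  [ "${#fp}" -eq 40 ] || { echo MALFORMED; return 2; }
  # Only rows marked "verified" count; a fingerprint merely seen before is not
  # evidence of anything.
  known=$(awk -F'\t' -v a="$account" -v b="$buddy" \
    '$1 == b && $2 == a && $5 == "verified" { print toupper($4) }' "$file")
  [ -n "$known" ] || { echo UNKNOWN; return 1; }
  for k in $known; do
    [ "$k" = "$fp" ] && { echo VERIFIED; return 0; }
  done
  echo MISMATCH; return 3
}

# sample_fingerprints OUT: a constructed fingerprints file for the disposable
# account bob: alice was verified out of band, carol was only ever seen.
sample_fingerprints() {
  printf 'alice@example.invalid\tbob@example.invalid\tprpl-jabber\t%s\tverified\n' \
    '0123456789ABCDEF0123456789ABCDEF01234567' >"$1"
  printf 'carol@example.invalid\tbob@example.invalid\tprpl-jabber\t%s\t\n' \
    'FEDCBA9876543210FEDCBA9876543210FEDCBA98' >>"$1"
}

# Usage:
#   sample_fingerprints /tmp/otr.fingerprints
#   otr_check /tmp/otr.fingerprints bob@example.invalid alice@example.invalid \
#     '01234567 89abcdef 01234567 89abcdef 01234567'     -> VERIFIED
#   otr_check /tmp/otr.fingerprints bob@example.invalid alice@example.invalid \
#     '0123456789ABCDEF0123456789ABCDEF01234568'         -> MISMATCH
```

MISMATCH is the case the tin-can analogy describes: the contact's name is the same but the key on the other end of the string is not, and the safe response is to stop and re-establish contact through the out-of-band channel rather than to re-verify in the chat itself.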

*Expert research contributed by the following ICIT Fellows: • James Scott (ICIT Senior Fellow – Institute for Critical Infrastructure Technology) • Drew Spaniel (ICIT Visiting Scholar, Carnegie Mellon University) • Chris Schumacher (ICIT Researcher)

Contact Information

Legislative Branch Inquiries:

• James Scott, Senior Fellow, ICIT ([email protected], 202-774-0848)

Federal Agencies and Executive Branch Inquiries:

• Parham Eftekhari, Senior Fellow, ICIT ([email protected], 773-517-8534)

Fellow Program & Training Inquiries:

• Parham Eftekhari, Senior Fellow, ICIT ([email protected], 773-517-8534)

Links

Website: www.icitech.org

Social Media:

Ars Technica: http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/ http://arstechnica.com/information-technology/2015/07/researchers-claim-theyve-developed-a-better-faster-tor/

Bloomberg Business: http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security

Crafted Flash: https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive

Electronic Frontier Foundation: https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts

Engadget: http://www.engadget.com/2015/07/23/tor-hornet-privacy/

Exodus Intelligence: http://blog.exodusintel.com/2014/07/23/silverbullets_and_fairytails/

I2P: https://geti2p.net/en/

The Freenet Project: https://freenetproject.org/

The Guardian: http://www.theguardian.com/technology/2015/mar/06/tips-tricks-anonymous-privacy

Forbes: http://www.forbes.com/sites/thomasbrewster/2015/04/10/darpa-memex-search-going-open-source-check-it-out/

The Hacker News: http://thehackernews.com/2015/07/high-speed-anonymous-network.html

How-To Geek: http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/

The Intercept: https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched/

International Business Times: http://www.ibtimes.co.uk/death-dark-web-darpas-memex-search-engine-allows-tor-tracking-1488124 http://www.ibtimes.co.uk/hornet-tor-style-dark-web-network-allows-high-speed-anonymous-web-browsing-1512359

Jabber List of Public XMPP Servers: https://list.jabber.at/

Lifehacker: http://lifehacker.com/how-can-i-stay-anonymous-with-tor-1498876762

MakeUseOf: http://www.makeuseof.com/tag/4-top-hacker-groups-want/

PC Magazine: http://www.pcmag.com/article2/0,2817,2363302,00.asp

PC World: http://www.pcworld.com/article/2101000/blackphone-plans-more-secure-devices-bouyed-by-snowden-leaks.html

ProPublica: http://www.propublica.org/article/six-tips-for-protecting-your-communications-from-prying-eyes http://www.propublica.org/article/privacy-tools-the-best-encrypted-messaging-programs http://www.propublica.org/article/privacy-tools-encrypt-what-you-can

Naked Security: https://nakedsecurity.sophos.com/2015/02/16/memex-darpas-search-engine-for-the-dark-web/

Stack Exchange: http://tor.stackexchange.com/questions/97/should-i-run-tor-in-a-vm

Spiegel Online: http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

Tails: The Amnesic Incognito Live System: https://tails.boum.org/ https://tails.boum.org/about/index.en.html https://tails.boum.org/support/known_issues/index.en.html#index1h2

The Tor Project: https://www.torproject.org/projects/projects.html.en https://blog.torproject.org/category/tags/tails

The Verge: http://www.theverge.com/2014/4/29/5664884/this-is-the-most-secure-computer-you-ll-ever-own

Wired: http://www.wired.com/2015/07/online-anonymity-box-puts-mile-away-ip-address/ http://www.wired.com/2014/06/be-anonymous-online/

ZDNet: http://www.zdnet.com/article/hornet-tor-alternative-for-high-speed-anonymous-browsing-revealed/