security in a box : tools and tactics for your digital security
TRANSCRIPT
-
8/9/2019 Security in a Box : Tools and Tactics for Your Digital Security
1/60
Security in-a-box provides the knowledge you need to recognise digital security threats and the tools you need to address them. It offers detailed, step-by-step instructions to help you use those tools effectively, as well as practical, non-technical advice for anyone who relies on digital technology to do sensitive advocacy work.
www.tacticaltech.org
www.frontlinedefenders.org
TOOLS AND TACTICS FOR ADVOCACY
security in-a-box: tools and tactics for your digital security
TABLE OF CONTENTS
Introduction 1
1. How to protect your computer from malware and hackers 9
Viruses
Spyware 12
Firewalls 13
Keeping your software up-to-date 15
2. How to protect your information from physical threats 21
Assessing your risks 21
Protecting your information from physical intruders 23
Maintaining a healthy environment for your computer hardware 26
Creating your physical security policy 27
3. How to create and maintain secure passwords 33
Selecting and maintaining secure passwords 33
Remembering and recording secure passwords 35
4. How to protect the sensitive files on your computer 43
Encrypting your information 44
Hiding your sensitive information 46
Security in-a-box was developed by the Tactical Technology Collective and Front Line in collaboration with:
Coordination, writing & editing: Wojtek Bogusz, Dmitri Vitaliev, Chris Walker
Additional writing: Cormac McGuire, Benji Pereira
English proofreading & copy editing: Caroline Kraabel, Benji Pereira
Lead tester: Rosemary Warner
Design: Lynne Stuart
Curriculum development: Pamela Teitelbaum, Dmitri Vitaliev
Coordination of software localisation: Louise Berthilson, Alberto Escudero Pascual
Spanish team
Translation: Phol Edward Paucar Aguirre
Editing: Katitza Rodríguez Pereda
Webmaster: Angelin Venegas Ramírez
Localisation: Diego Escalante Urrelo
Proofreading: Carlos Wertheman
French team
Editing, translation & localisation: Patrick Cadorette
Translation & localisation: Alexandre Guédon
Proofreading: Miriam Heap-Lalonde
Editing: Fabian Rodriguez
Russian team
Translation: Emin Akhundov, Alexei Bebinov, Alexander Lapidus
Proofreading: Ksenia Shiryaeva
Editing, translation & localisation: Sergei Smirnov
Arabic team
Editing, translation & localisation: Ahmad Gharbeia
Editing: Manal Hassan
Translation & localisation: Khaled Hosny
Translation: Mahammad F Kalfat
Special thanks to The Citizen Lab, Robert Guerra, Internews, RiseUp, The Tor Project & VaultletSoft
Funder
5. How to recover from information loss 53
Identifying and organising your information 54
Defining your backup strategy 56
Creating a digital backup 58
Recovering from accidental file deletion 61
6. How to destroy sensitive information 67
Deleting information 68
Wiping information with secure deletion tools 69
Tips on using secure deletion tools effectively 71
Tips on wiping the entire contents of a storage device 72
7. How to keep your Internet communication private 77
Securing your email 78
Tips on responding to suspected email surveillance 83
Securing other Internet communication tools 84
Advanced email security 85
8. How to remain anonymous and bypass censorship on the Internet 93
Understanding Internet censorship 94
Understanding censorship circumvention 96
Anonymity networks and basic proxy servers 97
Specific circumvention proxies 101
Glossary 107
Introduction

Advocates are increasingly concerned about their digital security, and with good reason. While computers and the Internet can be extremely powerful tools for advocacy, they also expose groups (that may already be quite vulnerable) to new risks. As more advocates have begun to rely on digital technology to achieve their outreach, data-collection, information design, communication and mobilisation objectives, these risks have become greater.

If you are an advocate who focuses on sensitive issues, or you work closely with such people, then you have probably experienced (or heard stories about) digital security and privacy threats. Computers and backup drives that were confiscated, passwords that changed mysteriously, local websites that were hacked or overloaded by malicious Internet traffic, foreign websites that can no longer be accessed and emails that appear to have been forged, blocked, modified or read by someone other than the intended recipient. These are true stories, and many of them are set in an environment that makes matters even worse, one in which computer operating systems are frequently out-of-date, software is often pirated and viruses run rampant.

This toolkit provides explanations of, and solutions for, threats like these. It was created by a diverse team of experts who understand not only the conditions under which advocates work, but also the resource restrictions they face.

While Security in-a-box is designed primarily to address the growing needs of advocates in the global South, particularly human rights defenders, the software and strategies in this toolkit are relevant to digital security in general. It has something to offer anyone who works with sensitive information. This may include vulnerable minorities and independent journalists or whistle-blowers, in addition to advocates working on a range of issues, from environmental justice to anti-corruption campaigns.

HOW TO USE THE SECURITY IN-A-BOX TOOLKIT
This toolkit has three major components:
o the How-to Booklet
o the Hands-on Guides
o a selection of freeware and Open Source software

This How-to Booklet is designed to explain the issues that you must understand in order to safeguard your own digital security. It seeks to identify and describe the risks you face and help you make informed
decisions about how best to reduce those risks. To this end, it answers eight broad questions related to basic security, data protection and communication privacy.

At the beginning of each chapter, you will find a background scenario populated by fictional characters who will reappear in brief conversations throughout the chapter in order to illustrate certain points and answer common questions. You will also find a short list showing what you can learn from this chapter. It is a good idea to scan through this list before you begin reading. As you work through a chapter, you will encounter a number of technical terms that are highlighted in green and defined in the glossary at the end of the booklet. You will also find references to the specific software discussed in the toolkit's Hands-on Guides.

These Hands-on Guides are included, along with an electronic copy of the How-to Booklet, on the accompanying CD (or USB memory stick, if you have a version of the toolkit that contains one). Each guide explains how to use a particular freeware or Open Source software tool. The Hands-on Guides highlight potential difficulties, suggest helpful tips and, most importantly, walk you through the process of configuring and using these tools securely. They include screenshots and step-by-step instructions for you to follow as you go along.

All of this software can be installed directly from the toolkit or downloaded free of charge from the Internet. In most cases, you can install a tool simply by clicking on the appropriate link at the beginning of whichever guide explains that tool, then telling your browser to Open or Run the install program. If a Hands-on Guide provides special installation instructions, you may have to save a file to your Desktop, or some other location, in order to install that tool. The Security in-a-box disc also includes a section called Portable Security, where you will find portable versions of a few Security in-a-box tools. These versions are meant to be installed directly onto a USB memory stick so that you can use them on any computer.

Any single chapter or guide in this toolkit can be read individually, or formatted in your browser for easy printing, or shared electronically. However, you will get more out of Security in-a-box if you can follow the relevant links and references that are scattered throughout both the booklet and the software guides. Ideally, you will have this booklet in front of you while you work through the Hands-on Guides. You should also remember to finish reading the How-to Booklet chapter covering a particular tool before you begin relying on that tool to protect your digital security.

Where possible, you should read the chapters of this booklet in order. Security is a process, and there is often little point in trying to defend yourself against an advanced threat to your communication privacy, for example, if you have not yet ensured that your computer is free of viruses and other malware. In many cases, this would be like locking your door after a burglar is already in your home. This is not to say that any one of these eight topics is more important than any other; it is simply that the later chapters make certain assumptions about what you already know and about the state of the computer on which you are about to install software.

Of course, there are many good reasons why you might want to work through these chapters out of sequence. You might need advice on how to back up your important files before you begin installing the tools described in the first Hands-on Guide. You might find yourself faced with an urgent privacy threat that justifies learning How to protect the sensitive files on your computer, which is covered in Chapter 4, as quickly as possible. Perhaps you are working from an Internet café, on a computer whose security is not your responsibility and from which you do not intend to access any sensitive information. If you want to use this computer to visit a website that is blocked in your country, there is nothing to prevent you from skipping ahead to Chapter 8: How to remain anonymous and bypass censorship on the Internet.

Whatever path you take through the toolkit, we hope it answers some of your questions, helps you understand some of your vulnerabilities and shows you where to look for solutions.

ABOUT THE SECURITY IN-A-BOX PROJECT
Digital security and privacy threats are always unique to the work that an advocate does and the environment in which that person operates. Furthermore, the collection of software that might help address those threats is constantly changing, and the tools themselves are frequently updated. For these reasons, it is extremely difficult to create an off-the-shelf toolkit like Security in-a-box. Nothing stated in this toolkit is absolute, and there is no replacement for a trusted, local expert who understands the environment you work in, is sympathetic to your cause and can help you identify the most up-to-date tools with which to protect yourself.

Nevertheless, we hope that Security in-a-box will give you an idea of the relevant issues and the right solutions for your own particular situation. We have worked with experts from all over the globe to peer-review the tools and tactics that make up this toolkit. This booklet offers the very best advice that we could assemble without being able to look at and respond to your unique circumstances.
The software that we selected was researched, tested and, in many cases, localised into additional languages by a diverse team of security experts, advocates, human rights defenders, translators and software engineers in collaboration with the Tactical Technology Collective and Front Line. These tools featured prominently in a number of security trainings that were held as part of the Security in-a-box project, trainings that served not only to strengthen the security and privacy of advocates throughout the world, but also to confirm the appropriateness of the tools selected and to verify the accuracy of the Hands-on Guides.

As of this booklet's publication, the entire toolkit is available in five languages: English, Arabic, French, Russian and Spanish. It exists both as a printed toolkit, and on the Security in-a-box website, at www.security.ngoinabox.org. Please write to [email protected] if you would like to request additional copies, distribute or translate the toolkit or talk to us about training.

Tactical Tech and Front Line are dedicated to making this toolkit as useful as possible for advocates, and to ensuring that future versions are even better. To do so, we rely heavily on your feedback. Your stories about the toolkit, how you use it, what you find useful and what you don't find useful, will help us get it right. They will also help us raise funds for the further development of this project. Please send us your comments, stories and ideas to [email protected].
1. How to protect your computer from malware and hackers
Regardless of your broader objectives, keeping your computer healthy is a critical first step down the path toward better security. So, before you begin worrying too much about strong passwords, private communication and secure deletion, for example, you need to make sure that your computer is not vulnerable to hackers or plagued by malicious software, often called malware, such as viruses and spyware. Otherwise, it is impossible to guarantee the effectiveness of any other security precautions you might take. After all, there is no point in locking your door if the burglar is already downstairs, and it doesn't do you much good to search downstairs if you leave the door wide open.

Accordingly, this chapter explains how to maintain your software and use tools like Avast, Spybot and Comodo Firewall to protect your computer against the ever-present dangers of malware infection and hacker attacks. Although the tools recommended in this chapter are for Windows, which is the operating system most vulnerable to these threats, GNU/Linux and Apple OS X users are also at risk and should still adopt the tactics presented below.
Background scenario
Assani is a human rights activist in a Francophone African country. His two teenage children, Salima and Muhindo, have offered to help him with some routine computer work he has been asked to do. After seeing the state of his computer, they offer to teach him the basics of how to keep it healthy and functional. Assani also likes the idea of using Free and Open Source Software, but he's not sure whether that would be more or less secure, so he asks for their advice.
What you can learn from this chapter
o More about the nature of a few of the specific threats that malware poses to the privacy and integrity of your information, the stability of your computer and the reliability of other security tools
o How you can use a number of recommended tools to help protect yourself from these threats
o How to keep your computer secure by updating your software frequently
o Why you should use freeware tools, to avoid the dangers associated with expired licenses or pirated software, and popular FOSS tools, where possible, to enhance your security.
VIRUSES
There are many different ways to classify viruses, and each of these methods comes with its own set of colorfully-named categories. Worms, macroviruses, trojans and backdoors are some of the more well-known examples. Many of these viruses spread over the Internet, using email, malicious webpages or other means to infect unprotected computers. Others spread through removable media, particularly devices like USB memory sticks and external hard drives that allow users to write information as well as reading it. Viruses can destroy, damage or infect the information in your computer, including data on external drives. They can also take control of your computer and use it to attack other computers. Fortunately there are many anti-virus tools that you can use to protect yourself and those with whom you exchange digital information.

Anti-virus software
There is an excellent freeware anti-virus program for Windows called Avast, which is easy to use, regularly updated and well-respected by anti-virus experts. It requires that you register once every 14 months, but registration, updates and the program itself are all free-of-charge.

Hands-on: Get started with the Avast Guide

ClamWin is a FOSS alternative to Avast and the various well-known commercial anti-virus programs. Although it lacks certain features that are important for a primary anti-virus program, ClamWin has the advantage that it can be run from a USB memory stick in order to scan a computer on which you are not allowed to install software. This is extremely helpful when you have no choice but to use public computers or Internet cafés for sensitive work.

Tips on using anti-virus software effectively
o Do not run two anti-virus programs at the same time, as this might cause your computer to run extremely slowly or to crash. Uninstall one before installing another.
o Make sure that your anti-virus program allows you to receive updates. Many commercial tools that come pre-installed on new computers must be registered (and paid for) at some point or they will stop receiving updates. All of the software recommended here supports free updating.
o Ensure that your anti-virus software updates itself regularly. New viruses are written and distributed every day, and your computer will quickly become vulnerable if you do not keep up with new virus definitions. Avast will automatically look for updates when you are connected to the Internet.
o Enable your anti-virus software's 'always on' virus-detection feature if it has one. Different tools have different names for it, but most of them offer a feature like this. It may be called 'Realtime Protection', 'Resident Protection', or something similar. Take a look at Section 3.2.1 of the Avast Guide to learn more about that tool's 'Resident Scanner'.
o Scan all of the files on your computer regularly. You don't have to do this every day (especially if your anti-virus software has an 'always on' feature, as described above) but you should do it from time to time. How often may depend on the circumstances. Have you connected your computer to unknown networks recently? With whom have you been sharing USB memory sticks? Do you frequently receive strange attachments by email? Has someone else in your home or office recently had virus problems? For more information on how best to scan files, see the Avast Guide.

Preventing virus infection
o Be extremely cautious when opening email attachments. It is best to avoid opening any attachment received from an unknown source. If you need to do so, you should first save the attachment to a folder on your computer, then open the appropriate application (such as Microsoft Word or Adobe Acrobat) yourself. If you use the program's File menu to open the attachment manually, rather than double-clicking the file or allowing your email program to open it automatically, you are less likely to contract a virus.
o Consider the possible risks before inserting removable media, such as CDs, DVDs and USB memory sticks, into your computer. You should first check that your anti-virus program has the latest updates and that its scanner is running. It is also a good idea to disable your operating system's AutoPlay feature, which can be used by viruses to infect your computer. Under Windows XP, this can be done by going inside My Computer, right-clicking on your CD or DVD drive, selecting Properties and clicking on the AutoPlay tab. For each content type, select the 'Take no action' or 'Prompt me each time to choose an action' options then click OK.
o You can also help prevent some virus infections by switching to free and open source software, which is often more secure, and which virus writers are less likely to target.
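The AutoPlay advice above is given as a sequence of clicks in Windows XP. The following is an added example, not part of the booklet or of any tool it recommends, showing the same hardening applied and verified through the registry values that later Windows versions and Group Policy use for this setting (NoDriveTypeAutoRun, NoAutorun and the per-user DisableAutoplay switch). The function names are my own; the script must be run from an elevated PowerShell prompt, and -WhatIf previews the changes without making them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Security in-a-box booklet): disable AutoRun/AutoPlay
# for all drive types via the documented Windows policy values, then verify them.
#   NoDriveTypeAutoRun = 0xFF -> no AutoRun for any drive type (CD/DVD, USB, network, ...)
#   NoAutorun          = 1    -> ignore autorun.inf files entirely
#   DisableAutoplay    = 1    -> the per-user "Use AutoPlay for all media and devices" switch
$AutoPlaySettings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';          Value = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name = 'DisableAutoplay'; Value = 1 }
)

function Set-AutoPlayHardening {
    # Hypothetical helper name; writes each value, creating the policy key when absent.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $AutoPlaySettings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
            # The Policies\Explorer key does not exist on a fresh install
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        }
    }
}

function Test-AutoPlayHardening {
    # Hypothetical helper name; returns one row per setting so the result can be
    # reviewed on screen or exported, e.g. when auditing every computer in an office.
    foreach ($s in $AutoPlaySettings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting  = $s.Name
            Expected = $s.Value
            Current  = $current          # $null when the value has never been set
            Hardened = ($current -eq $s.Value)
        }
    }
}

Set-AutoPlayHardening
Test-AutoPlayHardening | Format-Table -AutoSize
```

Test-AutoPlayHardening on its own is a read-only check, so it can be run on a computer you are not allowed to change in order to see whether AutoPlay is still enabled before you insert a USB memory stick. The HKCU value only affects the current user account; the two HKLM policy values apply to everyone who logs on.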
Assani: I have a virus cleaner and I run it regularly, so I figure my computer is healthy, right?
Salima: Actually, just having anti-virus software isn't enough. You also need to protect your computer from spyware and hackers, so you'll have to install and run a couple more tools.
SPYWARE
Spyware is a class of malicious software that can track the work you do, both on your computer and on the Internet, and send information about it to someone who shouldn't have access to it. These programs can record the words you type on your keyboard, the movements of your mouse, the pages you visit and the programs you run, among other things. As a result, they can undermine your computer's security and reveal confidential information about you, your activities and your contacts. Computers become infected with spyware in much the same way that they contract viruses, so many of the suggestions above are also helpful when defending against this second class of malware. Because malicious webpages are a major source of spyware infection, you should pay extra attention to the websites you visit and make sure that your browser settings are secure.
Assani: It all sounds like something out of a spy movie to me. Is my computer really infected with spyware?
Muhindo: Believe it or not, it's really common. If those programs you downloaded from the Internet haven't infected you, there's a good chance at least one of the webpages you've visited has. The fact that you use Windows and Internet Explorer makes it even more likely. If you've never scanned your computer for spyware, I bet you'll be surprised by how much is already installed on it.
Anti-spyware software
You can use anti-spyware tools to protect your computer from this type of threat. Spybot is one such program, and it does a very good job of identifying and removing certain types of malware that anti-virus programs simply ignore. Just like with anti-virus software, though, it is extremely important that you update Spybot's malware definitions and run regular scans.

Hands-on: Get started with the Spybot Guide

Preventing spyware infection
o Stay alert when browsing websites. Watch for browser windows that appear automatically, and read them carefully instead of just clicking Yes or OK. When in doubt, you should close 'pop up windows' by clicking the X in the upper right-hand corner, rather than by clicking Cancel. This can help prevent webpages from tricking you into installing malware on your computer.
o Improve the security of your Web browser by preventing it from automatically running the potentially dangerous programs that are sometimes contained within webpages you visit. If you are using Mozilla Firefox, you can install the NoScript add-on, as described in Section 4 of the Firefox Guide.
o Never accept and run this sort of content if it comes from websites that you don't know or trust.
Assani: I've heard that 'Java applets' and 'ActiveX controls' can be dangerous. But I have no idea what they are.
Salima: They're just different examples of the same sort of thing: small programs that your Web browser sometimes downloads along with whatever page you're reading. Web designers use them to create complex sites, but they can also spread viruses and spyware. You don't have to worry too much about how they actually work, as long as you have NoScript installed and running properly.
FIREWALLS
A firewall is the first program on a computer that sees incoming data from the Internet. It is also the last program to handle outgoing information. Like a security guard, posted at the door of a building to decide who can enter and who can leave, a firewall receives, inspects and makes decisions about all incoming and outgoing data. Naturally, it is critical that you defend yourself against untrusted connections from the Internet and from local networks, either of which could give hackers and viruses a clear path to your computer. In fact, though, monitoring outgoing connections originating from your own computer is no less important.

A good firewall allows you to choose access permissions for each program on your computer. When one of these programs tries to contact the outside world, your firewall will block the attempt and give you a warning unless it recognizes the program and verifies that you have given it permission to make that sort of connection. This is largely to prevent existing malware from spreading viruses or inviting hackers
into your computer. In this regard, a firewall provides both a second line of defense and an early-warning system that might help you recognize when your computer's security is being threatened.

Firewall software
Recent versions of Microsoft Windows include a built-in firewall, which is now turned on automatically. Unfortunately, the Windows firewall is limited in many ways. In particular, it does not examine outgoing connections, and it can be somewhat difficult to use. However, there is an excellent freeware program called Comodo Firewall, which does a better job of keeping your computer secure.

Hands-on: Get started with the Comodo Firewall Guide
Assani: So, now you want me to install anti-virus, anti-spyware and firewall software? Can my computer cope with all that?
Muhindo: Absolutely. In fact, these three tools are the bare minimum if you want to stay secure on the Internet these days. They're made to work together, so installing them all shouldn't cause any problems. Remember, though, you don't want to run two anti-virus programs or two firewalls at the same time.
Preventing untrusted network connections
o Only install essential programs on the computer you use for sensitive work, and make sure you get them from a reputable source. Uninstall any software that you do not use.
o Disconnect your computer from the Internet when you are not using it and shut it down completely overnight.
o Do not share your Windows password with anyone.
o If you have enabled any Windows services that you are no longer using, you should disable them. See the Further reading section for more.
o Make sure that all of the computers on your office network have a firewall installed.
o If you do not already have one, you should consider installing an additional firewall to protect the entire local network at your office. Many commercial broadband gateways include an easy-to-use firewall, and turning it on can make your network much more secure. If you are not sure where to start with this, you might want to ask for assistance from whoever helped set up your network.
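The firewall section describes two things the booklet's Windows firewall could not do at the time: ask before a program makes an outgoing connection, and let you grant permission per program. The following is an added example, not from the booklet or from Comodo, showing how the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later give the built-in firewall that per-program, outbound-filtering behaviour, together with a read-only report of which running processes and services are listening for inbound connections (the "disable unused Windows services" item in the list above). The function names are mine, the script must run elevated, and the Firefox path in the final call is a placeholder for whichever program you actually want to allow.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Security in-a-box booklet): per-program outbound
# filtering with the built-in Windows firewall, plus a listening-service report.

function Enable-OutboundFiltering {
    # Hypothetical helper name. Inbound is blocked by default already; switching the
    # outbound default to Block means every program needs an explicit allow rule
    # before it can reach the network, which is the behaviour described above.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Domain, Private and Public profiles', 'block outbound by default and log dropped packets')) {
        Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Block `
            -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    }
}

function Grant-ProgramNetworkAccess {
    # Hypothetical helper name: the "give this program permission" step, as one rule
    # tied to a specific executable rather than a blanket port opening.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ProgramPath,
        [ValidateSet('TCP', 'UDP', 'Any')][string]$Protocol = 'TCP',
        [string]$RemotePort = 'Any'
    )
    # Refuse to create a rule for a path that does not exist: a typo would otherwise
    # leave a dormant allow rule waiting for whatever binary is later placed there.
    if (-not (Test-Path -LiteralPath $ProgramPath)) { throw "Program not found: $ProgramPath" }
    if ($PSCmdlet.ShouldProcess($ProgramPath, "allow outbound $Protocol to remote port $RemotePort")) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Allow `
            -Program $ProgramPath -Protocol $Protocol -RemotePort $RemotePort -Profile Any | Out-Null
    }
}

function Get-ListeningServiceReport {
    # Hypothetical helper name; read-only. Lists every TCP port a process is listening
    # on and, where that process hosts a Windows service, the service name, so that
    # anything unrecognised can be looked up and, if unneeded, disabled with
    # Set-Service -StartupType Disabled.
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Address   = $_.LocalAddress
                Process   = $proc.ProcessName
                Service   = ($svc.Name -join ',')
            }
        }
}

Enable-OutboundFiltering
# Placeholder program path: substitute the browser or mail client you actually use.
Grant-ProgramNetworkAccess -DisplayName 'Allow Firefox (HTTPS)' `
    -ProgramPath 'C:\Program Files\Mozilla Firefox\firefox.exe' -RemotePort 443
Get-ListeningServiceReport | Format-Table -AutoSize
```

Blocking outbound traffic by default does not cut the computer off entirely: Windows keeps its own "Core Networking" rules for DNS and DHCP, so name resolution and address assignment keep working, but every other program will fail to connect until you add a rule for it. Run the script with -WhatIf first, and expect to spend a day or two adding rules for the programs you rely on; the pfirewall.log file tells you which executable was blocked and when.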
KEEPING YOUR SOFTWARE UP-TO-DATE
Computer programs are often large and complex. It is inevitable that some of the software you use on a regular basis contains undiscovered errors, and it is likely that some of these errors could undermine your computer's security. Software developers continue to find these errors, however, and release updates to fix them. It is therefore essential that you frequently update all of the software on your computer, including the operating system. If Windows is not updating itself automatically, you can configure it to do so by clicking the Start menu, selecting All programs and clicking Windows Update. This will open Internet Explorer, and take you to the Microsoft Update page, where you can enable the Automatic Updates feature. See the Further reading section to learn more about this.
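Turning Automatic Updates on once is not the same as knowing that updates are still arriving; a disabled update service, a policy pushed by someone else, or a pirated copy that cannot update (as the next section explains) all leave the machine quietly out of date. The following is an added example, not from the booklet, that reports the state of automatic updating on a Windows 7-or-later computer with Windows PowerShell 5.1: the documented AUOptions and NoAutoUpdate policy values, the Windows Update service (wuauserv), and how many days have passed since the most recent installed update. It is read-only and needs no elevation; the function names and the 45-day threshold are my own assumptions.

```powershell
# Added example (not from the Security in-a-box booklet): report whether this
# computer is still receiving Windows updates, rather than assuming it is.

function Get-AutomaticUpdatePolicy {
    # Hypothetical helper name. AUOptions is the policy value behind "Automatic Updates":
    #   2 = notify before download, 3 = download and notify, 4 = download and install on schedule.
    # NoAutoUpdate = 1 switches automatic updating off entirely. Both are absent when no
    # policy has been set, in which case the Windows Update UI setting applies.
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au  = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
    $svc = Get-Service -Name wuauserv          # the Windows Update service
    [pscustomobject]@{
        PolicyPresent  = ($null -ne $au)
        NoAutoUpdate   = $au.NoAutoUpdate
        AUOptions      = $au.AUOptions
        ServiceStartup = $svc.StartType
        ServiceStatus  = $svc.Status
    }
}

function Get-PatchAge {
    # Hypothetical helper name. Days since the newest installed update; a large number
    # means the machine is running with errors that have already been fixed upstream.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    [pscustomobject]@{
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        DaysAgo      = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }
}

function Test-UpdateHealth {
    # Hypothetical helper name; combines both checks into a single pass/fail with reasons.
    param([int]$MaxPatchAgeDays = 45)     # assumed threshold, adjust to your own policy
    $policy   = Get-AutomaticUpdatePolicy
    $age      = Get-PatchAge
    $problems = @()
    if ($policy.NoAutoUpdate -eq 1)            { $problems += 'Automatic Updates are disabled by policy' }
    if ($policy.ServiceStartup -eq 'Disabled') { $problems += 'Windows Update service (wuauserv) is disabled' }
    if ($null -eq $age)                        { $problems += 'No installed updates were found' }
    elseif ($age.DaysAgo -gt $MaxPatchAgeDays) { $problems += "Last update was installed $($age.DaysAgo) days ago" }
    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
        Policy   = $policy
        PatchAge = $age
    }
}

Test-UpdateHealth | Format-List
```

Get-HotFix only lists updates recorded by the Windows installer, so on a machine that has never been updated it returns nothing and the check reports that rather than a date. Running Test-UpdateHealth on every computer in an office, and keeping the output, is a simple way to notice the one machine whose updates stopped months ago.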
Staying up-to-date with freeware and FOSS tools
Proprietary software often requires proof that it was purchased legally before it will allow you to install updates. If you are using a pirated copy of Microsoft Windows, for example, it may be unable to update itself, which would leave you and your information extremely vulnerable. By not having a valid license, you put yourself and others at risk. Relying on illegal software can present non-technical risks, as well. The authorities in a growing number of countries have begun to verify that organisations possess a valid license for each piece of software that they use. Police have confiscated computers and closed down organizations on the basis of 'software piracy'. This justification can be abused quite easily in countries where the authorities have political reasons to interfere with a given organisation's work. Fortunately, you do not have to purchase expensive software to protect yourself from tactics like this.

We strongly recommend that you try out the freeware or FOSS alternatives to any proprietary software that you currently use, especially those programs that are unlicensed. Freeware and FOSS tools are often written by volunteers and non-profit organisations who release them, and even update them, free of charge. FOSS tools, in particular, are generally considered to be more secure than proprietary ones, because they are developed in a transparent way that allows their source code to be examined by a diverse group of experts, any one of whom can identify problems and contribute solutions.

Many FOSS applications look like, and work almost the same way as, the proprietary software that they were written to replace. At the same time, you can use these programs alongside proprietary software, including the Windows operating system, without any problems. Even if your colleagues continue to use the commercial version of a particular
type of program, you can still exchange files and share information with them quite easily. In particular, you might consider replacing Internet Explorer, Outlook or Outlook Express and Microsoft Office with Firefox, Thunderbird and OpenOffice, respectively.

In fact, you could even move away from the Microsoft Windows operating system entirely, and try using a more secure FOSS alternative called GNU/Linux. The best way to find out if you're ready to make the switch is simply to give it a try. You can download a LiveCD version of Ubuntu GNU/Linux, burn it to a CD or DVD, put it in your computer and restart. When it's done loading, your computer will be running GNU/Linux, and you can decide what you think. Don't worry, none of this is permanent. When you're finished, simply shut down your computer and remove the Ubuntu LiveCD. The next time you start up, you'll be back in Windows, and all of your applications, settings and data will be just as you left them. In addition to the general security advantages of open-source software, Ubuntu has a free, easy-to-use update tool that will keep your operating system and much of your other software from becoming outdated and insecure.

FURTHER READING
o See the chapter on Malicious Software and Spam and the Appendix on Internet Program Settings in the Digital Security and Privacy for Human Rights Defenders [1] book.
o Keep up-to-date with news about viruses on the Virus Bulletin [2] website.
o Learn how to determine which Windows services are unnecessary [3] and disable those you do not need [4].
o Other toolkits from the Tactical Technology Collective (TTC) [5] can help you switch to using FOSS and Freeware tools for all of your software needs.

LINKS
[1] www.frontlinedefenders.org/manual/en/esecman
[2] www.virusbtn.com
[3] https://security.berkeley.edu/MinStds/Determining-Un-Services-Windows.html
[4] www.marksanborn.net/howto/turn-off-unnecessary-windows-services
[5] www.tacticaltech.org
2. How to protect your information from physical threats

No matter how much effort you have put into building a digital barrier around your computer, you could still wake up one morning to find that it, or a copy of the information on it, has been lost, stolen, or damaged by any number of unfortunate accidents or malicious acts. Anything from a power surge to an open window to a spilt cup of coffee might lead to a situation in which all of your data are lost and you are no longer able to use your computer. A careful risk assessment, a consistent effort to maintain a healthy computing environment and a written security policy can help avoid this type of disaster.
Background scenario
Shingai and Rudo are an elderly married couple with many years of experience helping the HIV-infected population of Zimbabwe maintain access to proper medication. They are applying for a grant to purchase new computers and network equipment for their office. Since they live in a region that is quite turbulent, in terms both of politics and of infrastructure, they and their potential funders want to ensure that their new hardware will be safe, not only from hackers and viruses, but also from confiscation, thunderstorms, electrical spikes and other such disasters. They ask Otto, a local computer technician, to help them devise a plan of action to strengthen the physical security of the computers and network hardware they plan to buy if their grant application is successful.
What you can learn from this chapter
o More about a few of the physical threats to your computer and to the information stored on it
o How best to secure computer equipment against some of these threats
o How to create a healthy operating environment for computers and network equipment
o What to consider when creating a security plan for the computers in your office

ASSESSING YOUR RISKS
Many organisations underestimate the importance of keeping their offices and their equipment physically secure. As a result, they often
lack a clear policy describing what measures they should take to protect computers and backup storage devices from theft, severe weather conditions, accidents, and other physical threats. The importance of such policies may seem obvious, but formulating them properly can be more complicated than it sounds. Many organisations, for example, have good quality locks on their office doors, and many even have secure windows; but if they do not pay attention to the number of keys that have been created, and who has copies of those keys, their sensitive information remains vulnerable.
Shingai: We want to put a brief summary of our security policy into this grant application, but we also need to make sure the policy itself is thorough. What should we include in it?
Otto: I'm afraid I can't recommend a one-size-fits-all solution to the challenge of physical security. The specifics of a good policy almost always depend on a particular organisation's individual circumstances. Here's a piece of general advice, though: when you're trying to come up with a plan, you need to observe your work environment very carefully and think creatively about where your weak points might be and what you can do to strengthen them.
When assessing the risks and vulnerabilities that you or your organisation face, you must evaluate several different levels at which your data may be threatened.
- Consider the communication channels you use and how you use them. Examples might include paper letters, faxes, landline phones, mobile phones, emails and Skype messages.
- Consider how you store important information. Computer hard drives, email and web servers, USB memory sticks, external USB hard drives, CDs and DVDs, mobile phones, printed paper and hand-written notes are all likely possibilities.
- Consider where these items are located, physically. They could be in the office, at home, in a trash bin out back or, increasingly, somewhere on the Internet. In this last case, it might be quite challenging to determine the particular piece of information's actual, physical location.
Keep in mind that the same piece of information might be vulnerable on many different levels. Just as you might rely on anti-virus software to protect the contents of a USB memory stick from malware, you must rely on a detailed physical security plan to protect the same information from theft, loss or destruction. While some security practices, such as having a good off-site backup policy, are helpful against both digital and physical threats, others are clearly more specific.
When you decide whether to carry your USB memory stick in your pocket or sealed in a plastic bag at the bottom of your luggage, you are making a decision about physical security, even though the information you are trying to protect is digital. As usual, the correct policy depends greatly on the situation. Are you walking across town or travelling across a border? Will somebody else be carrying your bag? Is it raining? These are the sorts of questions that you should consider when making decisions like this.
PROTECTING YOUR INFORMATION FROM PHYSICAL INTRUDERS
Malicious individuals seeking access to your sensitive information represent one important class of physical threat. It would be a mistake to assume that this is the only such threat to the security of your information, but it would be even more shortsighted to ignore it. There are a number of steps you can take to help reduce the risk of physical intrusion. The categories and suggestions below, many of which may apply to your home as well as your office, represent a foundation upon which you should build in accordance with your own particular physical security situation.
Around the office
- Get to know your neighbours. Depending on the security climate in your country and in your neighbourhood, one of two things may be possible. Either you can turn them into allies who will help you keep an eye on your office, or you can add them to the list of potential threats that your security plan must address.
- Review how you protect all of the doors, windows and other points of entry that lead into your office.
- Consider installing a surveillance camera or a motion-sensor alarm.
- Try to create a reception area, where visitors can be met before they enter the office, and a meeting room that is separate from your normal work space.
In the office
- Protect network cables by running them inside the office.
- Lock network devices such as servers, routers, switches, hubs and modems into secure rooms or cabinets. An intruder with physical access to such equipment can install malware capable of stealing data in transit or attacking other computers on your network even after he leaves.
- If you have a wireless network, it is critical that you secure your access point so that intruders cannot join your network or monitor your traffic. If you are using an insecure wireless network, anyone in your neighbourhood with a laptop becomes a potential intruder. This is an unusual definition of 'physical', but it helps to consider that a malicious individual who can monitor your wireless network has the same access as one who can sneak into your office and connect an ethernet cable. The steps required to secure a wireless network will vary, depending on your access point hardware and software, but they are rarely difficult to follow.
At your work space
- You should position your computer screen carefully, both on your desk and when you are away from the office, in order to prevent others from reading what is displayed there. In the office, this means considering the location of windows, open doors and the guest waiting area, if you have one.
- Most desktop computer cases have a slot where you can attach a padlock that will prevent anyone without a key from getting inside. If you have cases like this in the office, you should lock them so that intruders cannot tamper with their internal hardware. You might also consider this feature when purchasing new computers.
- Use a locking security cable, where possible, to prevent intruders from stealing the computers themselves. This is especially important for laptops and small desktops that could be hidden inside a bag or under a coat.
Software and settings related to physical security
- Make sure that, when you restart your computer, it asks you for a password before allowing you to run software and access files. If it does not, you can enable this feature in Windows by clicking on the Start menu, selecting the Control Panel, and double-clicking on User Accounts. In the User Accounts screen, select your own account and click Create a Password. Choose a secure password, as discussed in Chapter 3: How to create and maintain good passwords, enter your password, confirm it, click Create Password and click Yes, Make Private.
- There are a few settings in your computer's BIOS that are relevant to physical security. First, you should configure your computer so that it will not boot from its floppy, CD-ROM or DVD drives. Second, you should set a password on the BIOS itself, so that an intruder can not simply undo the previous setting. Again, be sure to choose a secure password.
- If you rely on a secure password database, as discussed in Chapter 3, to store your Windows or BIOS passwords for a particular computer, make sure that you do not keep your only copy of the database on that computer.
- Get in the habit of locking your account whenever you step away from your computer. On Windows, you can do this quickly by holding down the Windows logo key and pressing the L key. This will only work if you have created a password for your account, as described above.
- Encrypt sensitive information on computers and storage devices in your office. See Chapter 4: How to protect the sensitive files on your computer for additional details and pointers to the appropriate Hands-on Guides.
Rudo: I'm a bit nervous about messing around in BIOS. Can I break my computer if I do something wrong?
Otto: You sure can, at least for a little while. In fact, the settings that you might want to change are pretty simple, but the BIOS screen itself can be a little intimidating, and it is possible to leave your computer temporarily unable to start if you do something wrong. In general, if you're uncomfortable working in BIOS, you should ask someone with more computer experience to help you out.
Portable devices
- Keep your laptop, your mobile phone and other portable devices that contain sensitive information with you at all times, especially if you are travelling or staying at a hotel. Travelling with a laptop security cable is a good idea, although it is sometimes difficult to find an appropriate object to which you can attach one. Remember that meal times are often exploited by thieves, many of whom have learnt to check hotel rooms for laptops during hours of the day when they are likely to be unattended.
- If you have a laptop, or a hand-held computing device such as a Personal Digital Assistant (PDA), try to avoid putting them on display. There is no need to show thieves that you are carrying such valuable hardware or to show individuals who might want access to your data that your shoulder bag contains a hard drive full of information. Avoid using your portable devices in public areas, and consider carrying your laptop in something that does not look like a laptop bag.
MAINTAINING A HEALTHY ENVIRONMENT FOR YOUR COMPUTER HARDWARE
Like many electronic devices, computers are quite sensitive. They do not adapt well to unstable electricity supplies, extreme temperatures, dust, high humidity or mechanical stress. There are a number of things you can do to protect your computers and network equipment from such threats:
- Electrical problems such as power surges, blackouts and brownouts can cause physical damage to a computer. Irregularities like this can crash your hard drive, damaging the information it contains, or physically harm the electronic components in your computer.
- If you can afford them, you should install Uninterruptible Power Supplies (UPSs) on important computers in your office. A UPS provides temporary power in the event of a blackout.
- Even where UPSs are deemed inappropriate or too costly, you can still provide power filters or surge protectors, either of which will help protect you from power surges.
- Test your electrical network before you connect important equipment to it. Try to use power sockets that have three slots, one of them being a ground line, or 'earth'. And, if possible, take a day or two to see how the electrical system in a new office behaves when powering inexpensive devices, such as lamps and fans, before putting your computers at risk.
- To defend against accidents in general, avoid placing important hardware in passages, reception areas or other easily accessible locations. UPSs, power filters, surge protectors, power strips and extension cables, particularly those attached to servers and networking equipment, should be positioned where they will not be switched off by an accidental misstep.
- If you have access to high-quality computer cables, power strips and extension cables, you should purchase enough to serve your entire office and pick up a few extras. Power strips that fall out of wall sockets, fail to hold plugs securely and spark constantly are more than just annoying. They can be quite damaging to the physical security of any computers attached to them. They can also lead frustrated users to secure their loose computer cables to a sparking power strip with tape, which creates an obvious fire hazard.
- If you keep any of your computers inside cabinets, make sure they have adequate ventilation, or they might overheat.
- Computer equipment should not be housed near radiators, heating vents, air conditioners or other ductwork.
Shingai: Actually, we just solved a few of these problems earlier this year. We spent months trying to find cables that wouldn't fall out of the backs of our computers.
Otto: And power strips that didn't look like they were about to set the carpet on fire?
Shingai: That, too. In the end, Rudo had to bring some back from a trip to Johannesburg. Mind you, the electricity itself is still pretty unstable, but at least the equipment is easier to work with.
CREATING YOUR PHYSICAL SECURITY POLICY
Once you have assessed the threats and vulnerabilities that you or your organisation face, you must consider what steps can be taken to improve your physical security. You should create a detailed security policy by putting these steps in writing. The resulting document will serve as a general guideline for yourself, your colleagues and any newcomers to your organisation. It should also provide a checklist of what actions should be taken in the event of various different physical security emergencies. Everybody involved should take the time to read, implement and keep up with these security standards. They should also be encouraged to ask questions and propose suggestions on how to improve the document.
Your physical security policy may contain various sections, depending on the circumstances:
- An office access policy that addresses the alarm systems, what keys exist and who has them, when guests are allowed in the office, who holds the cleaning contract and other such issues
- A policy on which parts of the office should be restricted to authorized visitors
- An inventory of your equipment, including serial numbers and physical descriptions
- A plan for securely disposing of paper rubbish that contains sensitive information
- Emergency procedures related to:
  - Who should be notified if sensitive information is disclosed or misplaced
  - Who to contact in the event of a fire, flood, or other natural disaster
  - How to perform certain key emergency repairs
  - How to contact the companies or organizations that provide services such as electrical power, water and Internet access
  - How to recover information from your off-site backup system. You
can find more detailed backup advice in Chapter 5: How to recover from information loss.
Your security policy should be reviewed periodically and modified to reflect any policy changes that have been made since its last review. And, of course, don't forget to back up your security policy document along with the rest of your important data. See the Further reading section for more information about creating a security policy.
FURTHER READING
- For additional information on assessing risks, see the Security Awareness and Threat Assessment sections of the Digital Security and Privacy for Human Rights Defenders book [1].
- For a more detailed explanation of how to set a BIOS password, see the Windows Security chapter in the Digital Security and Privacy for Human Rights Defenders book [1].
- For guidelines on creating a security policy, see Case Study 1 in the Digital Security and Privacy for Human Rights Defenders book [1].
- See also the Protection Manual and Protection Handbook for Human Rights Defenders [2].
LINKS
[1] www.frontlinedefenders.org/manual/en/esecman
[2] www.frontlinedefenders.org/manuals
3 Create and maintain secure passwords
3. How to create and maintain secure passwords
Many of the secure services that allow us to feel comfortable using digital technology to conduct important business, from signing in to our computers and sending email to encrypting and hiding sensitive data, require that we remember a password. These secret words, phrases or strings of gibberish often provide the first, and sometimes the only, barrier between your information and anyone who might want to read, copy, modify or destroy it without your permission. There are many ways in which someone could learn your passwords, but you can defend against most of them by applying a few specific tactics and by using a secure password database tool, such as KeePass.
Background scenario
Mansour and Magda are siblings, in an Arabic-speaking country, who maintain a blog on which they anonymously publicise human rights abuses and campaign for political change.
Magda recently tried to log into her personal webmail account and found that her password had been changed. After resetting the password, she was able to log in, but when she opened her inbox she noticed that several new messages were marked as having been read. She suspects that a politically-motivated intruder may have learned or guessed her password, which she uses for several of her website accounts. She is meeting with Mansour, who has less computer experience, to explain the situation and to voice her concerns.
What you can learn from this chapter
- The elements of a secure password
- A few tricks for remembering long, complicated passwords
- How to use the KeePass secure password database to store passwords instead of remembering them
SELECTING AND MAINTAINING SECURE PASSWORDS
In general, when you want to protect something, you lock it up with a key. Houses, cars and bicycle locks all have physical keys; protected files have encryption keys; bank cards have PIN numbers; and email accounts have passwords. All of these keys, physical and electronic, have one thing in common: they open their respective locks just as effectively in the hands of somebody else. You can install advanced firewalls, secure
email accounts, and encrypted disks, but if your password is weak, or if you allow it to fall into the wrong hands, they will not do you much good.
Elements of a strong password
A password should be difficult for a computer program to guess.
- Make it long: The longer a password is, the less likely it is that a computer program would be able to guess it in a reasonable amount of time. You should try to create passwords that include ten or more characters. Some people use passwords that contain more than one word, with or without spaces between them, which are often called passphrases. This is a great idea, as long as the program or service you are using allows you to choose long enough passwords.
- Make it complex: In addition to length, the complexity of a password also helps prevent automatic password cracking software from guessing the right combination of characters. Where possible, you should always include upper case letters, lower case letters, numbers and symbols, such as punctuation marks, in your password.
A password should be difficult for others to figure out.
- Make it practical: If you have to write your password down because you can't remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet, or even the trash bin outside your office. If you are unable to think of a password that is long and complex but still memorable, the Remembering secure passwords section, below, might be of some help. If not, you should still choose something secure, but you may need to record it using a secure password database such as KeePass. Other types of password-protected files, including Microsoft Word documents, should not be trusted for this purpose, as many of them can be broken in seconds using tools that are freely available on the Internet.
- Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, social security number, telephone number, child's name, pet's name, birth date, or anything else that a person could learn by doing a little research about you.
- Keep it secret: Do not share your password with anyone unless it is absolutely necessary. And, if you must share a password with a friend, family member or colleague, you should change it to a temporary password first, share that one, then change it back when they are done using it. Often, there are alternatives to sharing a password, such as creating a separate account for each individual who needs access. Keeping your password secret also means paying attention to who might be reading over your shoulder while you type it or look it up in a secure password database.
A password should be chosen so as to minimise damage if someone does learn it.
- Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to even more of your sensitive information. This is particularly true because some services make it relatively easy to crack a password. If you use the same password for your Windows user account and your Gmail account, for example, someone with physical access to your computer can crack the former and use what they learn to access the latter. For similar reasons, it is a bad idea to rotate passwords by swapping them around between different accounts.
- Keep it fresh: Change your password on a regular basis, preferably at least once every three months. Some people get quite attached to a particular password and never change it. This is a bad idea. The longer you keep one password, the more opportunity others have to figure it out. Also, if someone is able to use your stolen password to access your information and services without you knowing about it, they will continue to do so until you change the password.
Mansour: What if I trust someone? It's OK for me to tell you my password, right?
Magda: Well, first of all, just because you trust somebody with your password doesn't necessarily mean you trust them to take good care of it, right? Even though I wouldn't do anything bad with your password, I might write it down and lose it or something. That could even be how I got into this mess! And besides, it's not all about trust. If you're the only one who knows your password, then you don't have to waste your time worrying about who to blame if the account gets broken into. Right now, for example, I feel pretty confident that somebody actually guessed or cracked my password, because I never wrote it down or shared it with anyone.
REMEMBERING AND RECORDING SECURE PASSWORDS
Looking over the list of suggestions above, you might wonder how anyone without a photographic memory could possibly keep track of passwords that are this long, complex and meaningless without writing
them down. The importance of using a different password for each account makes this even more difficult. There are a few tricks, however, that might help you create passwords that are easy to remember but extremely difficult to guess, even for a clever person using advanced password cracking software.
You also have the option of recording your passwords using a tool like KeePass that was created specifically for this purpose.
Remembering secure passwords
It is important to use different types of characters when choosing a password. This can be done in various ways:
- Varying capitalisation, such as: My naME is NoT MR. MarSter
- Alternating numbers and letters, such as: a11 w0Rk 4nD N0 p14Y
- Incorporating certain symbols, such as: c@(heR1nThery3
- Using multiple languages, such as: Let Them Eat 1e gateaU au ch()colat
Any of these methods can help you increase the complexity of an otherwise simple password, which may allow you to choose one that is secure without having to give up entirely on the idea of memorizing it. Some of the more common substitutions (such as the use of a zero instead of an 'o' or the @ symbol in place of an 'a') were long ago incorporated into password-cracking tools, but they are still a good idea. They increase the amount of time that such tools would require to learn a password and, in the more common situations where tools of this sort cannot be used, they help prevent lucky guesses.
Passwords can also take advantage of more traditional mnemonic devices, such as the use of acronyms. This allows long phrases to be turned into complex, seemingly-random words:
- 'To be or not to be? That is the question' becomes 2Bon2B?TitQ
- 'We hold these truths to be self-evident: that all men are created equal' becomes Whtt2bs-e:taMac=
- 'Are you happy today?' becomes rU:-)2d@y?
These are just a few examples to help you come up with your own method of encoding words and phrases to make them simultaneously complex and memorable.
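As an added example (not part of the Security in-a-box text), the small Python checker below applies the rules from the Elements of a strong password section above (ten or more characters, all four character classes, nothing drawn from a list of personal details, no password shared between accounts) and estimates the brute-force search space in bits, which shows how much length contributes compared with complexity. The sample passwords, including mnemonics of the kind shown in this section, are constructed inputs; the bit estimate assumes an attacker who knows nothing about how the password was built, so, as the text notes, passwords made from dictionary words and common substitutions are weaker than the figure suggests.

```python
import math

MIN_LENGTH = 10  # the chapter's suggestion: ten or more characters

# Rough alphabet sizes for a brute-force estimate (printable ASCII: 95 total)
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}


def character_classes(password):
    """Return the set of character classes that actually occur in password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch != " ":
            classes.add("symbol")  # punctuation and other symbols
    return classes


def search_space_bits(password):
    """log2 of the number of strings a brute-force search must cover.

    The alphabet is the union of the classes present, plus the space when a
    passphrase uses one. This models a guesser with no knowledge of how the
    password was built, so it overestimates the strength of passwords made
    from dictionary words or the common substitutions the chapter mentions.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    if " " in password:
        alphabet += 1
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password, personal_info=()):
    """Apply the chapter's rules; return a list of problems (empty = passes).

    personal_info: strings such as a name, birth year or phone number that
    the password must not contain (the 'don't make it personal' rule).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, want {MIN_LENGTH}+")
    missing = set(CLASS_SIZES) - character_classes(password)
    for cls in sorted(missing):
        problems.append(f"no {cls} characters")
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


def shared_passwords(accounts):
    """Return {password: [accounts]} for each password used by more than one
    account (the 'make it unique' rule). accounts maps account name -> password."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed samples: two mnemonic-style passwords and a weak, personal one
    samples = ["2Bon2B?TitQ", "a11 w0Rk 4nD N0 p14Y", "Shingai1990"]
    for pw in samples:
        verdict = check_password(pw, personal_info=["Shingai", "1990"]) or "OK"
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits, {verdict}")
    # Constructed account list showing the Windows/Gmail reuse the text warns about
    print(shared_passwords({"windows": "Hunter2!abc", "gmail": "Hunter2!abc",
                            "keepass": "Whtt2bs-e:taMac="}))
```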
Recording passwords securely
While a little creativity may allow you to remember all of your passwords, the need to change those passwords periodically means that you might quickly run out of creativity. As an alternative, you can generate random, secure passwords for most of your accounts and simply give up on the idea of remembering them all. Instead, you can record them in a portable, encrypted secure password database, such as KeePass.
Hands-on: Get started with the KeePass Guide
Of course, if you use this method, it becomes especially important that you create and remember a very secure password for KeePass, or whatever tool you choose. Whenever you need to enter a password for a specific account, you can look it up using only your master password, which makes it much easier to follow all of the suggestions above. KeePass is portable, as well, which means that you can put the database on a USB memory stick in case you need to look up a password while you are away from your primary computer.
Although it is probably the best option for anybody who has to maintain a large number of accounts, there are a few drawbacks to this method. First, if you lose or accidentally delete your only copy of a password database, you will no longer have access to any of the accounts for which it contained passwords. This makes it extremely important that you back up your KeePass database. Look over Chapter 5: How to recover from information loss for more information on backup strategies. Fortunately, the fact that your database is encrypted means that you don't have to panic if you lose a USB memory stick or a backup drive containing a copy of it.
The second major drawback could be even more important. If you forget your KeePass master password, there is no way to recover it or the contents of the database. So, be sure to choose a master password that is both secure and memorable!
Mansour: Wait a minute. If KeePass uses a single master password to protect all of your other passwords, how is it more secure than just using that same password for all of your accounts? I mean, if a bad guy learns the master password, he gets access to everything, right?
Magda: It's a good thought, and you're right that protecting your master password is really important, but there are a couple of key differences. First of all, this bad guy would not only need your password, he'd need your KeePass database file, too. If you just share the same password between all of your accounts, then he'd only need the password itself. Plus, we know that KeePass is extremely secure, right? Well, other programs and websites can go either way. Some of them are much less secure than others, and you don't want someone breaking into a weak
website, and then using what he learns to access a more secure account. And there's another thing, too. KeePass makes it really easy to change your master password if you think it's necessary. I should be so lucky! I spent all day today updating my passwords.
FURTHER READING
- To learn more about secure passwords, see the Password Protection chapter and the How long should my password be? Appendix in the Digital Security and Privacy for Human Rights Defenders book [1].
- Wikipedia has informative articles on Passwords [2], Guidelines for password strength [3], and password cracking [4].
LINKS
[1] www.frontlinedefenders.org/manual/en/esecman
[2] www.en.wikipedia.org/wiki/Password
[3] www.en.wikipedia.org/wiki/Password_strength
[4] www.en.wikipedia.org/wiki/Password_cracking
4 Protect the sensitive files on your computer
4. How to protect the sensitive files on your computer
Unauthorised access to the information on your computer or portable storage devices can be carried out remotely, if the intruder is able to read or modify your data over the Internet; or physically, if he manages to get hold of your hardware. You can protect yourself against either type of threat by improving the physical and network security of your data, as discussed in Chapter 1: How to protect your computer from malware and hackers and Chapter 2: How to protect your information from physical threats. It is always best to have several layers of defence, however, which is why you should also protect the files themselves. That way, your sensitive information is likely to remain safe even if your other security efforts prove inadequate.
There are two general approaches to the challenge of securing your data in this way. You can encrypt your files, making them unreadable to anyone but you, or you can hide them in the hope that an intruder will be unable to find your sensitive information. There are tools to help you with either approach, including a FOSS application called TrueCrypt, which can both encrypt and hide your files.
Background scenario
Claudia and Pablo work with a human rights NGO in a South American country. They have spent several months collecting testimonies from witnesses to the human rights violations that have been committed by the military in their region. If the details of who provided these testimonies were to become known, it would endanger both the courageous people who testified and members of the organisation in that region. This information is currently stored in a spreadsheet on the NGO's Windows XP computer, which is connected to the Internet. Being security conscious, Claudia has made sure to store a backup of the data on a CD, which she keeps outside the office.
What you can learn from this chapter
- How to encrypt information on your computer
- What risks you might face by keeping your data encrypted
- How to protect data on USB memory sticks, in case they are lost or stolen
- What steps you can take to hide information from physical or remote intruders
ENCRYPTING YOUR INFORMATION
Pablo: But my computer is already protected by the Windows login password! Isn't that good enough?
Claudia: Actually, Windows login passwords are usually quite easy to break. Plus, anybody who gets his hands on your computer for long enough to restart it with a LiveCD in the drive can copy your data without even having to worry about the password. If they manage to take it away for a while, then you're in even worse trouble. It's not just Windows passwords you need to worry about, either. You shouldn't trust Microsoft Word or Adobe Acrobat passwords either.
Encrypting your information is a bit like keeping it in a locked safe. Only those who have a key or know the lock's combination (an encryption key or password, in this case) can access it. The analogy is particularly appropriate for TrueCrypt and tools like it, which create secure containers called encrypted volumes rather than simply protecting one file at a time. You can put a large number of files into an encrypted volume, but these tools will not protect anything that is stored elsewhere on your computer or USB memory stick.
Hands-on: Get started with the TrueCrypt Guide
While other software can provide encryption that is equally strong, TrueCrypt was designed specifically to make this kind of secure file storage as simple as possible. Furthermore, its support for carrying encrypted volumes on portable storage devices, the fact that it is a FOSS tool, and the deniability features described in the Hiding your sensitive information section below, give TrueCrypt a distinct advantage over many built-in proprietary encryption tools, such as Windows XP's BitLocker.
Pablo: Alright, now you have me worried. What about other users on the same computer? Does this mean they can read files in the My Documents folder?
Claudia: I like the way you're thinking! If your Windows password doesn't protect you from intruders, how can it protect you from other people with accounts on the same computer? In fact, your My Documents folder is normally visible to anybody, so other users wouldn't even have to do anything clever to read your unencrypted files. You're right, though, even if the folder is made private, you're still not safe unless you use some kind of encryption.
Tips on using file encryption safely
Storing confidential data can be a risk for you and for the people you work with. Encryption reduces this risk but does not eliminate it. The first step to protecting sensitive information is to reduce how much of it you keep around. Unless you have a good reason to store a particular file, or a particular category of information within a file, you should simply delete it (see Chapter 6: How to destroy sensitive information for more information about how to do this securely). The second step is to use a good file encryption tool, such as TrueCrypt.
Claudia: Well, maybe we don't actually need to store information that could identify the people who gave us these testimonies. What do you think?
Pablo: Agreed. We should probably write down as little of that as possible. Plus, we should think up a simple code we can use to protect names and locations that we absolutely have to record.
Returning to the analogy of a locked safe, there are a few things you should bear in mind when using TrueCrypt and tools like it. No matter how sturdy your safe is, it won't do you a whole lot of good if you leave the door open. When your TrueCrypt volume is mounted (whenever you can access the contents yourself), your data may be vulnerable, so you should keep it closed except when you are actually reading or modifying the files inside it.
There are a few situations when it is especially important that you remember not to leave your encrypted volumes mounted:
- Disconnect them when you walk away from your computer for any length of time. Even if you typically leave your computer running overnight, you need to ensure that you do not leave your sensitive files accessible to physical or remote intruders while you are gone.
- Disconnect them before putting your computer to sleep. This applies to both suspend and hibernation features, which are typically used with laptops but may be present on desktop computers as well.
- Disconnect them before allowing someone else to handle your computer. When taking a laptop through a security checkpoint or border crossing, it is important that you disconnect all encrypted volumes
and shut your computer down completely.
- Disconnect them before inserting an untrusted USB memory stick or other external storage device, including those belonging to friends and colleagues.
- If you keep an encrypted volume on a USB memory stick, remember that just removing the device may not immediately disconnect the volume. Even if you need to secure your files in a hurry, you have to dismount the volume properly, then disconnect the external drive or memory stick, then remove the device. You might want to practice until you find the quickest way to do all of these things.
If you decide to keep your TrueCrypt volume on a USB memory stick, you can also keep a copy of the TrueCrypt program with it. This will allow you to access your data on other people's computers. The usual rules still apply, however: if you don't trust the machine to be free of malware, you probably shouldn't be typing in your passwords or accessing your sensitive data.
HIDING YOUR SENSITIVE INFORMATION

One issue with keeping a safe in your home or office, to say nothing of carrying one in your pocket, is that it tends to be quite obvious. Many people have reasonable concerns about incriminating themselves by using encryption. Just because the legitimate reasons to encrypt data outnumber the illegitimate ones does not make this threat any less real. Essentially, there are two reasons why you might shy away from using a tool like TrueCrypt: the risk of self-incrimination and the risk of clearly identifying the location of your most sensitive information.

Considering the risk of self-incrimination

Encryption is illegal in some countries, which means that downloading, installing or using software of this sort might be a crime in its own right. And, if the police, military or intelligence services are among those groups from whom you are seeking to protect your information, then violating these laws can provide a pretext under which your activities might be investigated or your organisation might be persecuted. In fact, however, threats like this may have nothing to do with the legality of the tools in question. Any time that merely being associated with encryption software would be enough to expose you to accusations of criminal activity or espionage (regardless of what is actually inside your encrypted volumes), you will have to think carefully about whether or not such tools are appropriate for your situation.

If that is the case, you have a few options:

o You can avoid using data security software entirely, which would require that you store only non-confidential information or invent a system of code words to protect key elements of your sensitive files.
o You can rely on a technique called steganography to hide your sensitive information, rather than encrypting it. There are tools that can help with this, but using them properly requires very careful preparation, and you still risk incriminating yourself in the eyes of anyone who learns what tool you have used.
o You can try to store all of your sensitive information in a secure webmail account, but this demands a reliable network connection and a relatively sophisticated understanding of computers and Internet services. This technique also assumes that network encryption is less incriminating than file encryption and that you can avoid accidentally copying sensitive data onto your hard drive and leaving it there.
o You can keep sensitive information off of your computer by storing it on a USB memory stick or portable hard drive. However, such devices are typically even more vulnerable than computers to loss and confiscation, so carrying around sensitive, unencrypted information on them is usually a very bad idea.

If necessary, you can employ a range of such tactics. However, even in circumstances where you are concerned about self-incrimination, it may be safest to use TrueCrypt anyway, while attempting to disguise your encrypted volume as best you can.

If you want to make your encrypted volume less conspicuous, you can rename it to look like a different type of file. Using the .iso file extension, to disguise it as a CD image, is one option that works well for large volumes of around 700 MB. Other extensions would be more realistic for smaller volumes. This is a bit like hiding your safe behind a painting on the wall of your office. It might not hold up under close inspection, but it will offer some protection. Bear in mind what "close inspection" means here: a real CD image has a recognisable internal structure, whereas a TrueCrypt volume has no header and looks like random data from the first byte to the last, so anyone who opens the file in a hex editor or measures its entropy will see that the extension is lying. You can also rename the TrueCrypt program itself, assuming you have stored it as you would a regular file on your hard drive or USB memory stick, rather than installing it as a program. The TrueCrypt Guide explains how to do this.
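The following is an added example, not code from Security in-a-box or from TrueCrypt, showing why the .iso disguise only fools people who look at the file name. A genuine ISO 9660 image carries the ASCII tag "CD001" at byte offset 0x8001 (the primary volume descriptor in sector 16 of 2048-byte sectors) and consists largely of low-entropy padding and directory structures; an encrypted volume has no such tag and near-maximal entropy. The two sample inputs (a padded image with a descriptor tag, and random bytes standing in for an encrypted container) are constructed for the example.

```python
"""Added example: would a renamed encrypted volume survive a look at its bytes?"""

import math
import os
from collections import Counter

ISO_SIGNATURE = b"CD001"
ISO_SIGNATURE_OFFSET = 0x8001  # sector 16 * 2048 bytes, plus 1 (byte 0 is the descriptor type)


def looks_like_iso9660(data: bytes) -> bool:
    """True if the data carries the ISO 9660 primary volume descriptor tag."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return len(data) >= end and data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input; 8.0 is the maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def inspect_disguised_file(name: str, data: bytes) -> dict:
    """Classify a file the way someone with a hex editor would, ignoring its name."""
    claims_iso = name.lower().endswith(".iso")
    has_signature = looks_like_iso9660(data)
    entropy = shannon_entropy(data)
    if has_signature:
        verdict = "genuine ISO 9660 image"
    elif entropy > 7.9:
        verdict = "high-entropy data with no ISO structure (looks encrypted)"
    else:
        verdict = "not an ISO image"
    return {
        "name": name,
        "claims_iso": claims_iso,
        "has_iso_signature": has_signature,
        "entropy": round(entropy, 3),
        "verdict": verdict,
        # The extension lied: this is what a renamed encrypted volume looks like.
        "disguise_detected": claims_iso and not has_signature,
    }


def make_fake_iso_image(size: int = 70_000) -> bytes:
    """Constructed sample standing in for a CD image: padding plus a volume descriptor tag."""
    buf = bytearray(size)
    buf[ISO_SIGNATURE_OFFSET - 1] = 1  # descriptor type 1 = primary volume descriptor
    buf[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)] = ISO_SIGNATURE
    return bytes(buf)


def make_fake_container(size: int = 70_000) -> bytes:
    """Constructed sample standing in for an encrypted volume: uniformly random bytes."""
    return os.urandom(size)


if __name__ == "__main__":
    for filename, blob in (("linux.iso", make_fake_iso_image()),
                           ("linux.iso", make_fake_container())):
        print(inspect_disguised_file(filename, blob))
```

The same two checks apply to any other extension you might choose: a renamed volume never gains the header of the format it imitates, so the disguise buys time against a casual glance at a file listing, not against anyone who actually examines the file.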
Considering the risk of identifying your sensitive information

Often, you may be less concerned about the consequences of getting caught with encryption software on your computer or USB memory stick and more concerned that your encrypted volume will indicate precisely where you store the information that you most wish to protect. While it may be true that no one else can read it, an intruder will know that it is there, and that you have taken steps to protect it. This exposes you to various non-technical methods through which that intruder might attempt to gain access, such as intimidation, blackmail, interrogation and torture. It is in this context that TrueCrypt's deniability feature, which is discussed in more detail below, comes into play.

TrueCrypt's deniability feature is one of the ways in which it goes beyond what is typically offered by file encryption tools. This feature can be thought of as a peculiar form of steganography that disguises your most sensitive information as other, less sensitive, hidden data. It is analogous to installing a subtle false bottom inside that not-so-subtle office safe. If an intruder steals your key, or intimidates you into giving her the safe's combination, she will find some convincing decoy material, but not the information that you truly care about protecting.

Only you know that your safe contains a hidden compartment in the back. This allows you to deny that you are keeping any secrets beyond what you have already given to the intruder, and might help protect you in situations where you must reveal a password for some reason. Such reasons might include legal or physical threats to your own safety, or that of your colleagues, associates, friends and family members. The purpose of deniability is to give you a chance of escaping from a potentially dangerous situation even if you choose to continue protecting your data. As discussed in the Considering the risk of self-incrimination section, however, this feature is much less useful if merely being caught with a safe in your office is enough to bring about unacceptable consequences.

TrueCrypt's deniability feature works by storing a hidden volume inside your regular encrypted volume. You open this hidden volume by providing an alternate password that is different from the one you would normally use. Even if a technically sophisticated intruder gains access to the standard volume, he will be unable to prove that a hidden one exists.

Of course, he may very well know that TrueCrypt is capable of hiding information in this way, so there is no guarantee that the threat will disappear as soon as you reveal your decoy password. Plenty of people use TrueCrypt without enabling its deniability feature, however, and it is generally considered impossible to determine, through analysis, whether or not a given encrypted volume contains this kind of false bottom. That said, it is your job to make sure that you do not reveal your hidden volume through less technical means, such as leaving it open or allowing other applications to create shortcuts to the files that it contains. Remember too that the outer volume does not know the hidden volume is there: unless you mount the outer volume with TrueCrypt's hidden-volume protection enabled, writing decoy files into it can overwrite and destroy your hidden data. The Further reading section, below, can point you to more information about this.
Claudia: Alright, so let's toss some junk into the standard volume, and then we can move all our testimonies into the hidden one. Do you have some old PDFs or something we can use?

Pablo: Well, I was thinking about that. I mean, the idea is for us to give up the decoy password if we have no other choice, right? But, for that to be convincing, we need to make sure those files look kind of important, don't you think? Otherwise, why would we bother to encrypt them? Maybe we should use some unrelated financial documents or a list of website passwords or something.
FURTHER READING

o For additional information on securing your files, see the Cryptology chapter, the Steganography chapter and Case Study 3 from the Digital Security and Privacy for Human Rights Defenders book [1].
o The TrueCrypt FAQ [2] provides answers to some common questions about TrueCrypt.

LINKS
[1] www.frontlinedefenders.org/manual/en/esecman
[2] www.truecrypt.org/faq.php
5. How to recover from information loss
Each new method of storing or transferring digital information tends to introduce several new ways in which the information in question can be lost, taken or destroyed. Years of work can disappear in an instant, as a result of theft, momentary carelessness, the confiscation of computer hardware, or simply because digital storage technology is inherently fragile. There is a common saying among computer support professionals: "it's not a question of if you will lose your data; it's a question of when." So, when this happens to you, it is extremely important that you already have an up-to-date backup and a well-tested means of restoring it. The day you are reminded about the importance of a backup system is generally the day after you needed to have one in place.

Although it is one of the most basic elements of secure computing, formulating an effective backup policy is not as simple as it sounds. It can be a significant planning hurdle for a number of reasons: the need to store original data and backups in different physical locations, the importance of keeping backups confidential, and the challenge of coordinating among different people who share information with one another using their own portable storage devices. In addition to backup and file-recovery tactics, this chapter addresses two specific tools, Cobian Backup and Undelete Plus.
Background scenario

Elena is an environmentalist in a Russian-speaking country, where she has begun to create a website that will rely on creative presentation of images, videos, maps and stories to highlight the extent of illegal deforestation in the region. She has been collecting documents, media files and geographic information about logging for years, and most of it is stored on an old Windows computer in the office of the NGO where she works. While designing a website around this information, she has come to realise its importance and to worry about preserving it in the event that her computer should be damaged, especially if it should happen before she gets everything copied to the website. Other members of her organisation sometimes use the computer, so she also wants to learn how to restore her files if someone accidentally deletes the folder containing her work. She asks her nephew Nikolai to help her develop a backup strategy.
What you can learn from this chapter

o How to organise and back up your information
o Where you should store your backups
o How you can manage your backups securely
o How to recover files that have been deleted accidentally

IDENTIFYING AND ORGANISING YOUR INFORMATION

While it is clearly important that you take steps to prevent disaster, by making sure that your information is physically safe, free of malware and protected by a good firewall and strong passwords, on their own these steps are not enough. There are simply too many things that can go wrong, including virus attacks, hackers, electrical short circuits, power spikes, water spills, theft, confiscation, demagnetisation, operating system crashes and hardware failure, to name just a few. Preparing for disaster is just as important as defending against it.
Elena: I know backup is important, Nikolai, but doesn't that mean I should have someone else set it up for me? I mean, am I really going to have the time, resources and expertise to do this on my own?

Nikolai: You'll be fine. Coming up with a good backup plan takes a bit of thought, but it doesn't take all that much time or money. And, compared with losing all of your information, you can hardly call it inconvenient, right? Besides, backup is definitely one of those things that you should manage yourself. Unless the people who normally help you out with tech support are extremely reliable and extremely well-informed about where you keep your digital information, you're better off setting things up on your own.
The first step to formulating a backup policy is to picture where your personal and work information is currently located. Your email, for example, may be stored on the provider's mail server, on your own computer, or in both places at once. And, of course, you might have several email accounts. Then, there are important documents on the computers you use, which may be in the office or at home. There are address books, chat histories and personal program settings. It is also possible that some information is stored on removable media as well, including USB memory sticks, portable hard drives, CDs, DVDs, and old floppy disks. Your mobile phone contains a list of contacts and may have important text messages stored in it. If you have a website, it may contain a large collection of articles built up over years of work. And, finally, don't forget your non-digital information, such as paper notebooks, diaries and letters.

Next, you need to define which of these files are master copies, and which are duplicates. The master copy is generally the most up-to-date version of a particular file or collection of files, and corresponds to the copy that you would actually edit if you needed to update the content. Obviously, this distinction does not apply to files of which you have only one copy, but it is extremely important for certain types of information. One common disaster scenario occurs when only duplicates of an important document are backed up, and the master copy itself gets lost or destroyed before those duplicates can be updated. Imagine, for example, that you have been travelling for a week while updating the copy of a particular spreadsheet that you keep on your USB memory stick. At this point, you should begin thinking of that copy as your master copy, because the periodic, automated backups of the outdated version on your office computer are no longer useful.

Try to write down the physical location of all master and duplicate copies of the information identified above. This will help you clarify your needs and begin to define an appropriate backup policy. The table below is a very basic example. Of course, you will probably find that your list is much longer, and contains some storage devices with more than one data type and some data types that are present on multiple devices.

Data type                                          Master/duplicate   Storage device        Location
Electronic documents                               Master             Computer hard drive   Office
A few important electronic documents               Duplicate          USB memory stick      With me
Program databases (photos, address book,           Master             Computer hard drive   Office
  calendar, etc.)
A few electronic documents                         Duplicate          CDs                   Home
Email & email contacts                             Master             Gmail account         Internet
Text messages & phone contacts                     Master             Mobile phone          With me
Printed documents (contracts, invoices, etc.)      Master             Desk drawer           Office
In the table above, you can see that:

o The only documents that will survive if your office computer's hard drive crashes are the duplicates on your USB memory stick and the CD copies at home.
o You have no offline copy of your email messages or your address book, so if you forget your password (or if someone manages to change it maliciously), you will lose access to them.
o You have no copies of any data from your mobile phone.
o You have no duplicate copies, digital or physical, of printed documents such as contracts and invoices.

DEFINING YOUR BACKUP STRATEGY

To back up all of the data types listed above, you will need a combination of software and process solutions. Essentially, you need to make sure that each data type is stored in at least two separate locations.

Electronic documents

Create a full backup of the documents on your computer using a program like Cobian Backup, which is described in more detail below. Store the backup on something portable so that you can take it home or to some other safe location. It may be easier to use CDs or DVDs for this, rather than a portable hard drive or USB memory stick, so that you do not risk losing your old backups while you are transporting a new one. Blank CDs may be cheap enough that you can use a new one every time you make a backup. Because this category of data often contains the most sensitive information, it is particularly important that you protect your electronic document backups using encryption. You can learn how to do this in Chapter 4: How to protect the sensitive files on your computer and in the TrueCrypt Guide.

Program databases

Once you have determined the location of your program databases, you can back them up in the same way as electronic documents.

Email

Rather than accessing your email only through a web browser, install an email client like Thunderbird and configure it to work with your account. Most webmail services will provide instructions on how to use such programs and, often, how to import your email addresses into them. You can learn more about this in the Further Reading section, below. Make sure that you leave a copy of your messages on the mail server, rather than just moving them over to your computer. The Thunderbird Guide explains in detail how to do this.

Mobile phone contents

To back up the phone numbers and text messages on your mobile phone, you can connect it to your computer using the appropriate software, which is generally available from the website of the company that manufactured your phone. You may need to buy a special USB cable to do this, however. As an alternative, you can use the phone to copy your text messages and contact information from your SIM card onto the phone itself, and then copy them onto a backup SIM card. This method can be particularly useful as an emergency backup solution, but remember to keep the extra SIM card safe. The ability to copy contact information and text messages between a mobile phone and its SIM card is a standard feature, but if your phone allows you to store this kind of information on a removable flash memory card instead, then backing it up may be even easier.

Printed documents

Where possible, you should scan all of your important papers, then back them up along with your other electronic documents, as discussed above.

In the end, you should have rearranged your storage devices, data types and backups in a way that makes your information much more resistant to disaster:

Data type                               Master/duplicate   Storage device                   Location
Electronic documents                    Master             Computer hard drive              Office
Electronic documents                    Duplicate          CDs                              Home
A few important electronic documents    Duplicate          USB memory stick                 With me
Program databases                       Master             Computer hard drive              Office
Program databases                       Duplicate          CDs                              Home
Email & email contacts                  Master             Thunderbird on office computer   Office
Email & email contacts                  Duplicate          Gmail account                    Internet
Text messages & mobile phone contacts   Master             Mobile phone                     With me
Text messages & mobile phone contacts   Duplicate          Computer hard drive              Office
Text messages & mobile phone contacts   Duplicate          Backup SIM                       Home
Printed documents                       Master             Desk drawer                      Office
Scanned documents                       Duplicate          CDs                              At home
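Once the inventory is written down, the "at least two separate locations" rule can be checked mechanically rather than by eye. The following is an added example, not a tool from Security in-a-box: it encodes the two inventory tables from this chapter as rows and audits each data type for the rule, for the presence of exactly one master copy, and for encryption of any duplicates of a data type you mark as sensitive. The rows, the field names and the sensitive marking are this example's own constructions.

```python
"""Added example: audit a backup inventory like the chapter's tables."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    data_type: str
    role: str            # "master" or "duplicate"
    device: str
    location: str
    encrypted: bool = False


# Constructed from the "before" table: almost nothing is backed up yet.
BEFORE = [
    Copy("Electronic documents", "master", "Computer hard drive", "Office"),
    Copy("Electronic documents", "duplicate", "USB memory stick", "With me"),
    Copy("Electronic documents", "duplicate", "CDs", "Home"),
    Copy("Program databases", "master", "Computer hard drive", "Office"),
    Copy("Email & email contacts", "master", "Gmail account", "Internet"),
    Copy("Text messages & phone contacts", "master", "Mobile phone", "With me"),
    Copy("Printed documents", "master", "Desk drawer", "Office"),
]

# Constructed from the rearranged "after" table; the document backups on the
# CDs and the USB stick are now kept inside encrypted volumes.
AFTER = [
    Copy("Electronic documents", "master", "Computer hard drive", "Office"),
    Copy("Electronic documents", "duplicate", "CDs", "Home", encrypted=True),
    Copy("Electronic documents", "duplicate", "USB memory stick", "With me", encrypted=True),
    Copy("Program databases", "master", "Computer hard drive", "Office"),
    Copy("Program databases", "duplicate", "CDs", "Home"),
    Copy("Email & email contacts", "master", "Thunderbird on office computer", "Office"),
    Copy("Email & email contacts", "duplicate", "Gmail account", "Internet"),
    Copy("Text messages & phone contacts", "master", "Mobile phone", "With me"),
    Copy("Text messages & phone contacts", "duplicate", "Computer hard drive", "Office"),
    Copy("Text messages & phone contacts", "duplicate", "Backup SIM", "Home"),
    Copy("Printed documents", "master", "Desk drawer", "Office"),
    Copy("Printed documents", "duplicate", "Scans on CDs", "Home"),
]


def audit_inventory(copies, sensitive_types=frozenset()):
    """Return {data_type: [problem, ...]}; an empty list means that type is covered."""
    by_type = defaultdict(list)
    for c in copies:
        by_type[c.data_type].append(c)

    report = {}
    for data_type, rows in by_type.items():
        problems = []
        locations = sorted({r.location for r in rows})
        if len(locations) < 2:
            problems.append(f"only one location ({locations[0]}): a single theft, "
                            "crash or confiscation loses everything")
        masters = [r for r in rows if r.role == "master"]
        if len(masters) != 1:
            problems.append(f"expected exactly one master copy, found {len(masters)}")
        if data_type in sensitive_types:
            for r in rows:
                if r.role == "duplicate" and not r.encrypted:
                    problems.append(f"unencrypted duplicate on {r.device} ({r.location})")
        report[data_type] = problems
    return report


def uncovered_types(copies):
    """Data types that still exist in fewer than two locations."""
    return sorted(t for t, probs in audit_inventory(copies).items()
                  if any(p.startswith("only one location") for p in probs))


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for data_type, problems in audit_inventory(inventory, {"Electronic documents"}).items():
            print(f"  {data_type}: {problems or 'OK'}")
```

Run it against your own inventory whenever you add a device or move a master copy (for instance, when the spreadsheet on your USB stick becomes the master while you travel); the master-count check is what catches that case.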
Elena: I know some people who keep all of their important documents on Gmail, by attaching them to draft messages or emails to themselves. Would that count as a second physical location for my files?

Nikolai: It might help you recover if you lose one or two very important documents, but it's pretty awkward. Honestly, how many documents per week would you be willing to back up like that? Plus, you need to consider whether or not those attachments are safe, especially if you're at all worried about your email being monitored. Unless you're connecting to Gmail securely, this is a bit like handing over your sensitive information on a silver platter. Using an HTTPS connection to Gmail in order to back up small TrueCrypt volumes or KeePass database files would be pretty safe, because they're encrypted, but I really wouldn't recommend this as a general-purpose backup strategy.
CREATING A DIGITAL BACKUP

Of the various data types discussed here, it is the electronic documents that people tend to worry about most when establishing a backup policy. This term is somewhat ambiguous, but generally refers to files that you keep track of yourself and that you open manually, either by double-clicking on them or by using a particular application's File menu. Specifically, it includes text files, word processing documents, presentations, PDFs and spreadsheets, among other examples. Unlike email messages, for example, electronic documents are generally not synchronised with remote copies over the Internet.

When backing up your electronic documents, you should remember to back up your program databases, as well. If you use a calendar application or an electronic address book, for example, you will need to find the folder in which these programs store their data. Hopefully, these databases will be in the same location as your electronic documents, as they are often kept inside your My Documents folder on a Windows computer. If that is not the case, however, you should add the appropriate folders to your regular backup.

Email stored by an application such as Thunderbird is a special example of a program database. If you use an email program, especially if you are unable or unwilling to store a copy of your messages on the server, then you must ensure that this email database is included in your regular backup. You may consider image and video files to be electronic documents or items within a program database, depending on how you interact with them. Applications like Windows Media Player and iTunes, for example, work like databases. If you use programs like this, you might have to search your hard drive to learn where they store the actual media files that they help manage.
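Whatever folders end up in the backup and whatever medium holds it, the chapter's advice to have "a well-tested means of restoring it" needs something concrete to test against. The following is an added example, not code from Cobian Backup or Security in-a-box: it records a SHA-256 digest of every file under a folder at backup time and later compares a restored copy against that manifest, reporting files that are missing, altered or unexpected. The sample folder, the faithful restore and the deliberately damaged restore are all constructed inside a temporary directory for the demonstration.

```python
"""Added example: a hash manifest for proving that a restore actually worked."""

import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "changed": changed, "extra": extra}


def demo() -> tuple:
    """Constructed run: one faithful restore and one with a file lost and another corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "reports", "logging-survey.txt"), "w") as f:
            f.write("constructed sample report\n")
        with open(os.path.join(src, "contacts.csv"), "w") as f:
            f.write("name,phone\n")
        manifest = build_manifest(src)   # keep this with (or apart from) the backup

        good = os.path.join(tmp, "restore-good")
        shutil.copytree(src, good)

        bad = os.path.join(tmp, "restore-bad")
        shutil.copytree(src, bad)
        os.remove(os.path.join(bad, "contacts.csv"))                # lost file
        with open(os.path.join(bad, "reports", "logging-survey.txt"), "a") as f:
            f.write("bit rot\n")                                     # silently altered file

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("faithful restore:", good_result)
    print("damaged restore: ", bad_result)
```

Keep the manifest somewhere other than on the backup disc itself (or alongside a copy you trust), since anyone who can tamper with the disc could otherwise rewrite the manifest to match. A manifest only tells you that what came back equals what went in; it says nothing about whether what went in was the current master copy, which is what the inventory step above is for.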
Storage devices

Before you can back up your electronic documents, you must decide what kind of storage device you will use.

Compact discs (CDs)

CDs store around 700 Megabytes (MB) of data. You will need a CD burner and blank discs in order to create a CD backup. If you want to erase a CD and update the files stored on it, you will need to have a CD-RW burner and rewritable CDs. All major operating systems, including Windows XP, now include built-in software that can write CDs and CD-RWs. Keep in mind that the information written on these discs may begin to deteriorate after five or ten years. If you need to store a backup for longer than that, you will have to recreate the CDs occasionally, buy special long-life discs or use a different backup method.

Digital Video Discs (DVDs)

DVDs store up to 4.7 Gigabytes (GB) of data. They work much like CDs but require slightly more expensive equipment. Yo