
Participating With Safety

by Paul Mobbs

Participating With Safety: A series of briefings on information security and online safety for civil society organisations

The Association for Progressive Communications has developed a series of briefings to help those working online improve the security of their computer and online communications. The briefings were developed as part of a project aimed at improving the online security of computer users such as journalists and human rights workers. But the content of the briefings is relevant for all those working online.

The series of seven briefings cover the following areas:

1. Introducing Information Security - this outlines what information security is, and the different means that exist to protect your information from damage or loss

2. Backing-up Information - how to organise your information to keep regular copies, how to make back-up copies, and how to store them securely

3. Passwords and Access Controls - this outlines the purpose of access controls, such as passwords or encryption, and how to use them

4. Using Encryption and Digital Signatures - describes how data encryption and digital signatures work, and how they can be used to protect your information from unwanted intrusion

5. Computer Viruses - outlines what computer viruses are, and how to minimise the risks from the damage they may cause

6. Using the Internet Securely - describes how the Internet can be used as a means of surveillance, by the state and corporations, and how these surveillance measures can be avoided

7. Living Under Surveillance - outlines the scope of private and state surveillance, and how simple measures can reduce (but never eliminate) the potential impacts of surveillance

An Introduction to the 'Participating With Safety' Project

Computers are a very useful tool to assist people's work. They not only help with writing, graphic design and publishing information, they are increasingly becoming an essential communications tool as part of computer networks and the Internet.

But the reliance people have on computers is also a weakness. This weakness, and the ways of working around the problems computer technology can create, must be understood by those using computers. Through the understanding of the weaknesses of the way computers and computerised communications work we can take steps to protect our work, our security and our privacy.

There are many different aspects to using computers securely:

You can set-up the computer to run more securely and reliably;

Using access controls, such as passwords, you can prevent disclosure of information;

By organising the information on the computer, and keeping regular copies, you can prevent the loss or corruption of information; and

Using various means, you can secure your use of the Internet, and prove the authenticity of your communications.

Using computers more securely is a mixture of learning a little more about how the computer works, and undertaking certain tasks on a regular basis. The vast majority of the risks to your use of your computer come from mistakes in your own use or storage of information, or from the failure of the equipment it is stored on. Surveys in industries dependent on computer technology have found that 75% of data losses are due to internal errors, not to external factors such as computer viruses or deliberate damage.

You don't have to organise your information according to a strict formula. But it must be done in a way that everyone who needs to use it understands how data is stored and used. It is also important to organise things to make it easier to keep copies of information, and to store those copies in such a way that they cannot be damaged or destroyed.

The other issue to deal with is external threats to your work and computerised information. These come from a variety of sources. There are the everyday risks from bad software and computer viruses. But increasingly we are becoming subject to directed risks: intrusion by the state or corporations who seek to frustrate or prevent our work taking place, or by those seeking to defraud us or to steal information or computer equipment. The careful management of information, and the use of access controls to data and equipment, can help reduce the impact of any attacks on you or your organisation. But it is important to realise that you can never completely prevent damage or data loss from external influences.

Overall, the purpose of these briefings is to help you make a qualitative improvement to the security of your computer and communications.

Introducing Information Security

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

Introduction

Using computers is a complex business. To use them properly you must learn not only how to use the functions of the word processor or database that you rely on; you also need to learn how to organise your computer and the information it contains in order to protect against the accidental loss of information.

It is also important to prepare your computer, your information and your premises, for the possibility of deliberate external damage, which could be caused by computer viruses, interception, monitoring or physical raids by the state or other forces which oppose your work.

This briefing is the first in a series about information security. It should be read in conjunction with the other briefings in this series, which concentrate on the practical aspects of security. They cover:

· Backing up information
· Passwords and access controls
· Using encryption and digital signatures
· Computer viruses
· Using the Internet securely
· Counter surveillance

This briefing outlines the main points you need to consider when addressing the security of your computers and systems. The other briefings look in more detail at features mentioned here. Much of what this briefing discusses is theoretical. It cannot be prescribed, because it depends upon the needs and circumstances of the individual. Although the content of the briefing may seem daunting, it is worthwhile reading the material as it provides the context for using the other briefings as part of a system of security rather than a piecemeal set of protections.

The need for security

Information Security (also known as IT Security, or Infosec) is the theory and practice of using computers and information systems in order to:

· Prevent accidental loss or damage to information and computer systems by people using them;
· Develop and set up the systems to ensure as much reliability and security as possible - that means protecting your equipment, preventing viruses, hardware failures, etc.;
· Prevent others (i.e. hackers/crackers and other people interested in influencing what you're doing) causing accidental or deliberate loss or damage to your data and equipment.

The above list of potential threats to security is in decreasing order of probability.

The objectives of good security

A good information security plan has the following ingredients, which control and/or enable the sensitivity, security, access and performance of your data and systems:

· Information must be controlled according to its sensitivity - this requires you to decide what security certain information requires, and to classify information in terms of its sensitivity or irreplaceability;
· Security barriers must prevent unauthorised access or alteration of data - you should combine physical barriers (such as locks) with programmable barriers (set up as part of computer programs or the computer's operating system);
· People must be able to access the information they need to use - this requires that people understand how the system of access works on the computer or information system, and that they have the relevant access codes/keys;
· Your computers, and the procedures people use relating to them, must perform effectively in order to meet the needs of users. You must work out what tasks you need your system to perform for you and what levels of security you require, and then develop systems that meet these criteria.

How to approach information security

The best way to approach the problem is to develop systems and cycles:

· Systems are the methods by which information is secured - for example organising information on the computer so that it is easier to find or back up;
· Cycles are periods of time over which information security is reviewed - so for example you could have cycles for changing passwords or backing up data on a regular basis.

Security is a process, not a product. You cannot buy security and install it. It is a collection of different measures, tailored to your own needs, methods and ways of working.

Assessing the risks

The most common everyday risks you are likely to face are, in order of probability:

· user errors (accidentally deleting files/damaging storage media)
· problems with software (especially Windows)
· deliberate damage (viruses, motivated damage)
· equipment failure
· theft
· power surges, flood and fire.

There will also be risks that apply only to you, as a result of the type of work you undertake, or because of the location of your equipment.

When organising your information, systems and equipment you need to consider what risks you face and how you can plan for contingencies as a result:

· Consider various 'what if' scenarios: How might your data be lost, compromised or damaged?
· For each scenario you can think of, consider -
  - the risk of that series of events happening;
  - what technical means you could use to recover or protect data or information, and thereby reduce the risk;
  - the consequences of taking those actions (you could address the risk posed by fire, for example, by keeping copies of information in another location, but you would then have to find a way of protecting those copies from other risks such as theft).
· For each of your solutions, weigh the risk against the cost or difficulty of the technical solution and decide whether it's worth the time, money and effort. For example, if you have put a copy of a file on the Internet, or distributed it to many other people, you do not need to give it the same level of protection as your own local files.
· Keep it simple - introduce systems and cycles to deal with each risk one-by-one. If you try to tackle everything at once, the task may seem overwhelming. You may find that taking steps to prevent one risk will often solve the problems created by another. For example, you may wish to guard against theft, but find that the same procedures can also guard against intervention by the state or others who oppose your work.

Looking after your information

In industry, 75% of information loss or system damage is caused by staff error, rather than by external forces (such as hackers/crackers or viruses). Analyse your own information security skills, and identify where you need additional training or resources in order to take steps to deal with those needs.

Get organised

From filing cabinets to floppy disks, looking after information is all about how you organise your data. You need to make sure it is:

· Accessible - You need to find things when you need them - that doesn't necessarily mean adopting strict structures, but it does mean you, and those needing access to your data, need to know where things are;
· Quantifiable - You need to have a good idea what you have in order to tell if anything goes missing following a burglary or a raid. Would you notice any tampering with your computers or filing systems? Is all your software properly registered in case someone checks? Are you aware of the content of the paper and digital information you hold, and whether it contains information that could be considered unlawful?;
· Transparent - In the event of you or key people in a network being detained or taken out of circulation, by illness or some other more deliberate action, other people need to be able to access and make sense of your data to continue your work;
· Recoverable - You need to be able to easily reconstitute data if it gets damaged - that means making sure you only have 'useful' information on your files, and a minimal amount of useless or superfluous data that complicates the process of reorganising your information.
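One practical way to make your holdings 'quantifiable' in the sense above is a manifest: a list of every file and a hash of its contents, taken while things are known to be in order and compared again after a burglary or raid. The following is an added example written for this page, not code from the briefing or from the Association for Progressive Communications; the directory layout, file names and contents in the demo are constructed for illustration.

```python
"""Added example for this page (not code from the original briefing): a file
manifest that lets you say what you hold and spot tampering or loss afterwards.
Directory and file names in the demo are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Record the SHA-256 of every regular file under `root`, keyed by its path
    relative to `root`. A content hash, unlike size or date, still catches an
    edit that keeps the size unchanged or a file put back with its old timestamp."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):        # skip devices, sockets, dangling links
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that have gone missing, files that have appeared, and files
    whose contents differ from the recorded copy."""
    return {
        "missing": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    # Keep the saved copy off the machine it describes (with the backups, or on
    # paper); a manifest an intruder can rewrite proves nothing.
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest of a small office tree, then simulate
    a raid that removes one file, alters another without changing its size, and
    plants a new one. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cases"))
        files = {
            "cases/witness-a.txt": b"statement taken 2002-03-01\n",
            "cases/witness-b.txt": b"statement taken 2002-03-02\n",
            "contacts.csv": b"name,phone\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest_path = os.path.join(root, "manifest.json")   # would really be kept off-site
        save_manifest(build_manifest(root), manifest_path)
        before = load_manifest(manifest_path)
        os.remove(os.path.join(root, "contacts.csv"))
        with open(os.path.join(root, "cases/witness-b.txt"), "wb") as f:
            f.write(b"statement taken 2002-03-09\n")          # same length, one digit changed
        with open(os.path.join(root, "planted.doc"), "wb") as f:
            f.write(b"not ours\n")
        after = build_manifest(root)
        after.pop("manifest.json", None)   # the manifest itself is not part of the inventory
        return compare_manifests(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of hashing rather than listing names and sizes is that a file edited in place, or swapped for a copy of the same size, still shows up as changed. The manifest only helps if the intruder cannot also rewrite it, so the saved copy belongs with the off-site backups rather than on the machine it describes.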

Developing and organising a good information system is a process of learning, and experimenting with different ideas until you find a system that works for you and those you work with. Learn from your mistakes.

Security barriers

As noted earlier, you need to set up barriers so that people cannot get hold of your information unless you want them to.

Paper-based information is fairly easy to protect because it is bulky; you would notice if it went missing. Electronic information is more difficult to control because it is easily copied; someone could break into your office with a laptop, transfer your information onto their system, and you would be none the wiser as to what they had taken.

A word of caution - if your system is too well indexed, or too well classified in files and boxes or directories, then it's easier for people to locate sensitive information within your filing system. Therefore it's a good idea to have a few gaps and illogical filing practices that those using the information are familiar with, in order to make sure your files are not completely open to everyone.

Protecting your information

There are various ways in which your information can be compromised (in increasing order of severity):

· Infiltration - people work their way into your office on a pretence, or as part of the group of people you work with, in order to gain access to your information;
· Burglary - people gain access to take your computer or information (either copying, damaging or destroying);
· Raids - the state uses its powers to gain access to your premises and computer and take away your information (see discussion below);
· Arson - the quickest and most effective way to prevent activists working is simply to incinerate their equipment and information, so that they cannot work effectively in the future.

Guarding against the first two is fairly simple - basic access barriers and security measures will prevent access, and if loss does occur, you can swiftly replace it.

Guarding against raids and arson is more difficult, and ultimately futile. Guarding against arson can be expensive, and is most effectively solved by keeping copies of important information and files in another location. To be effective in the immediate aftermath of an attack or raid, you must also ensure you can always beg or borrow access to a compatible computer.

State Intervention

Guarding against action by the state presents a different set of problems. The purpose of access barriers is to increase the amount of time taken to gain access to your information. Those seeking covert access will be deterred by good access barriers because of the additional time taken to circumvent the protection you have installed. When the state acts officially it does not have this problem. It can act openly. It can employ staff and specialist tools to help gain access. It also has complete legal rights to prevent any efforts by you to stop or frustrate its attempts to gain access.

No matter what physical security you have in place the officers of the state will forcibly enter your premises and destroy or remove computer equipment if they believe you have information concealed there. Even then, if they are not happy, they will take those people they believe have the information and hold or interrogate them until they turn it over. The greatest risks are usually presented when you have the best security - those people who hold the password to systems or encryption keys, or who know of the location of backed up data, will be under the most pressure to reveal what they know.

Although access barriers do not provide effective protection from action by the state, they can provide valuable time to allow you to take other action, for example calling legal support or other organisations that can provide assistance. If you have good physical security, you might also have time to encrypt sensitive databases, or back up your current work off the computer in case the computer is taken away.

The best defence against raids by the state is to have many copies of your valued information held amongst a number of people. In the event of a raid they can circulate copies and publicise the work of those who have been subject to state action, according to the instructions you give them.

Security barriers

Security is all about protection layered in depth through the provision of barriers to access. You must build different layers of protection - like the layers of an onion - around important equipment and information. You need to protect access to:

· The building or premises where your equipment and/or files are located;
· The room where your equipment and/or files are located;
· The hardware of your computer(s);
· The operating system installed on your computer(s), and any boxes or cabinets where paper information is stored;
· Your files and data (including paper information).

Another important issue is services, such as power and Internet or network connections, that penetrate through the layers. These too must be secured if you are to have effective security. In particular, network or Internet connections should use firewalls to prevent access remotely over a network. You should also consider the other ways by which security can be covertly breached and try to minimise the potential for their use (see briefing 7, Living Under Surveillance).

Level 1: Securing your premises

Securing your building is a matter of common sense. If you lost your keys, could you get into your office? If you can find a way in, it is likely that somebody else could.

You will first need to consider the three types of intrusion you can expect:

· Opportunist burglars only want your equipment, not the data it contains. Good door and window locks are usually enough to prevent them gaining access. Opportunist burglars have no strong motivation to enter your property specifically - they will choose any empty, easily accessible property. Good external security will deter them.
· Targeted burglaries (where someone is trying to get into your premises because of who you are and what you do) are a different matter.

However good your external security is, these burglars will try to get through it. Your defence must be to protect the items they are likely to be looking for.

· Access by the state or police cannot be prevented, but can be made more difficult. If they can't get in with your co-operation, they'll force their way in. If you try and hide things in the building, they will quite happily rip the building apart to find them. There's no hiding from a search warrant, so there's no point in trying - all they'll do is make an even bigger mess of the office.

When looking at physical security measures, consider the following points:

· Doors - Using a dead-lock will prevent people from opening the door from the inside without a key, making it more difficult to remove equipment.

You can only strengthen doors so far. They only need to be strong enough to prevent someone prising them open with a crowbar or kicking them in with a boot. If they are too strong, the fire brigade won't be able to get in if your building is on fire.

· Windows - Use key locks to secure window frames (professional burglars carry a variety of the spanners and pins used to open standard security locks). Burglars are often unwilling to break glass because it's risky climbing through the broken glass on the frame. Preventing them from opening the frame after they have broken the window will be a deterrent.

Toughened glass can help prevent access, but it can also trap you inside during a fire. If you put bars on a window which may be a means of escape in an emergency, make sure the frame that the bars are attached to is hinged and can be opened quickly.

· Walls - It is often easier to smash a weak wall than to break down a strong door. Many newer buildings do not have solid internal walls, just boarded partitions. If you need really good security, you may need to consider the likelihood of someone gaining access from another part of the building.

· Roof spaces - If you share roof spaces with adjoining buildings you should fit locks to prevent access that way.

Roof and ceiling spaces are good locations for listening/surveillance devices because they provide space for equipment, and they have power supplies running through them. Tell-tale signs of interference from a roof or ceiling space are small holes on the ceiling, or unexplained damage/repair to the paint work. You should restrict people's ability to access roof spaces in general.

Level 2: Securing The Room

You can secure a house or office up to a point, but not so far that it may prevent emergency services getting in when you really need assistance. Once you have done what you can to make your building secure you should then consider the room, or rooms, where you keep sensitive information.

There are a few basic things you can do:

· Locks on any means of entry to the room - this may be windows and/or doors.
· Use cupboards and lockers to store material, and bolt them to the wall or floor to stop them being removed.
· Vital equipment can also be bolted to shelves or workbenches, providing they too are fixed to the wall or floor. You can get brackets or metal cages for computers, thereby ensuring that important systems can be fixed to floors or shelves.
· Although alarm systems for a whole building can be expensive, you can secure a room using simple systems that detect motion within a space, without the need for a lot of wiring.

Level 3: Your Computer Hardware

Computer hardware (the physical components of your system) usually comes with a number of features that make it more difficult (although not impossible) for unauthorised people to use a computer system. These features are a mixture of physical and 'firmware' (programmable hardware) locks:

· Most computers have a facility for a password to be entered before the computer boots up. The password is held in a small area of battery-backed memory inside the computer's circuits, so it is only secure while nobody can get at the inside of the computer. If the computer's case is opened and the battery disconnected, the password will be cleared from memory (after about an hour) and anyone will be able to boot up the computer. A boot password also only controls that computer: a hard disk removed from it and connected to another machine can be read without it, which is why the disk itself needs separate protection (see the removable drive and disk encryption points below).

Some (but not all) computers have 'back doors' installed in the computer's firmware. They allow the police, security consultants, etc., to gain access to the system with a secret password unique to each type of computer system. If in doubt ask the manufacturer before buying the system.

· Keyboard locks are small key-activated locks on the front of a computer which disconnect the keyboard from the computer system, making it unusable.

Keyboard locks are easily forced, or can be manually bypassed if someone gains access to the inside of a computer's case - they are therefore no guarantee of restricting access.

· Floppy disk drive locks are flat pads inserted into the floppy disk drive (like a normal floppy disk). Most require a key to fix into place and to remove. If someone tries to remove the lock it will damage the disk drive, making it unusable.

The aim of a floppy disk drive lock is to prevent the removal of data from the system, but they can be easily overcome - for example, by simply replacing the floppy disk drive.

· A removable hard drive rack and caddy allows the entire hard disk of the computer to be easily removed and locked away for safe keeping, or taken away from the office altogether. This is the most secure option for computer systems: once the hard disk, containing all the data on the system, is removed, there is no way to get at that data through the computer. The disk itself then needs protecting wherever it is kept, since anyone who obtains it can read it in another machine.

Hard drives can be easily removed by unwanted visitors, so get disk racks with key locks to hold the hard drive caddy in place.

Figure: Left - removable hard drives, with key locks, installed in a computer. Right - a hard disk rack and caddy, with the hard disk installed, before installation in a computer.

· Lockable cases are included on some computers. They prevent access to the inner workings of the computer system, but the locks are often of low quality and can be easily forced. However, you can buy high-tensile steel locks that clamp the case together. Some of these also double up as frames (or small cages with a high-strength lock on the front) that lock the computer to a desk, floor or other surface. They are good anti-theft devices because not only do they prevent removal of the computer, they also prevent people getting at the expensive and easily portable components inside the case.

How far you need to go in securing your hardware will very much depend upon the type of threats you are guarding against:

· Opportunist theft - Locking your equipment to a desk or to a work surface is the most secure option. With a little more difficulty and a little less security, you can also secure the computer by fixing screws from inside the case, through the base, into the work surface below.

· Targeted theft - If someone is after your data, they can circumvent any hardware security features, with the exception of removable hard drives. To protect your data, install a removable hard drive, and remove the hard drive to another, more secure location at the end of the working day.

Computer hardware, and in particular the monitor (the display screen), gives off radio-frequency emissions. These can be picked up using special equipment: from a few hundred metres away from where you are using your computer, someone can reconstruct an image of what is on your screen at any time (the military code name for this kind of emission and its interception is 'Tempest').

If you are concerned that the material being displayed on your system is so sensitive that you cannot risk any disclosure, you should pay for an extremely expensive 'shielded' monitor. This has a metal mesh running inside the case, and the glass screen is interlaced with fine wires, to prevent the emissions of radio waves. The easier option is to use a laptop computer, which is far less liable to give off large amounts of radio waves from the display screen.

Level 4: Your Operating System

How you make your operating system secure will very much depend upon the threats that you are likely to face. If you want to secure against opportunistic damage or theft, operating systems do not provide a great deal of additional protection. If you want to protect against theft of or damage to data, the operating system is very important.

The consumer versions of Windows (the most popular desktop operating system in the world) have next to no security at the operating system level:

· User accounts can be easily bypassed
· Once access to the system is gained, all areas of the system are open to the reading and writing of data.
· Some versions of Windows, such as NT, have better security and segregation of parts of the system between different users. But the Windows operating system is notoriously fickle when it comes to security, and most of these security features can be bypassed.
· Because Windows does not prevent users of the system from having access to files and programs that make the operating system function, it can be easily damaged or corrupted by mistake.
· Windows programs, in particular the Microsoft Outlook email program, are highly susceptible to computer viruses.

The best form of security available at the operating system layer is encryption of the hard disk.

If you use Windows you should be aware that:

· The disk encryption that comes with the later versions of the operating system is not very secure, and can be easily 'cracked' by the police or security consultants.
· It is possible to get programs to encrypt portions of the hard disk on Windows systems, but they are not totally secure; there are always areas of the disk where your data may be backed up in an unencrypted form, and so available to anyone with the knowledge of how to interrogate the hard disk.
· Hard disk encryption uses a lot of processing power, and therefore should only be used on more powerful computers; it will significantly decrease performance speeds on slower computers.

A simple and effective way of protecting your system when computers are running is to use a screen saver with password protection:

· If you leave your computer, and are delayed for longer than you expect, the screen saver will start up after a few minutes and prevent others viewing your work, removing data or corrupting the contents of your computer.
· If you are working on something sensitive, and want to leave the computer, you can run the screen saver to lock out access.
· If you leave to answer the door, and it happens to be a raid, the screen saver can lock up the computer to prevent access. This requires a short screen saver time limit to be effective - no more than three to four minutes.

Screen savers are not wholly foolproof. There are ways to circumvent them, although it would take professional assistance to do so.

Level 5: Protecting Your Data at Program Level

Most program-level security uses passwords to prevent access to word processed or database files.

The password protection systems available with most mainstream office programs are completely insecure. Many work by simply refusing to open the file; because they do not encrypt its contents, the raw data can still be read by anyone who opens the file with a different program or a disk editor.

Others work by lightly scrambling the data (often loosely called 'hashing'). This is a very weak, low-level form of encryption that is easily cracked; programs that recover the contents of such files are freely available over the Internet.
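To see why such scrambling is not encryption, here is an added example written for this page (it is not code from the briefing, and it does not model any particular product's file format). The scrambler XORs the file with the password repeated, which is the general kind of weak scheme meant above; the RTF header, the sample document and the password are constructed for the demonstration. Because every RTF file begins with the same bytes, an attacker has known plaintext for free and can recover the password from it.

```python
"""Added example for this page, not the briefing's own code: why a file 'password'
that only scrambles the contents is no protection. The scrambler is a repeating-key
XOR, the general kind of weak scheme meant here (not a model of any real product).
SAMPLE_DOCUMENT and the keys used are constructed."""
from typing import Optional

# Every RTF file starts with this, so an attacker has 17 bytes of known plaintext for free.
RTF_HEADER = b"{\\rtf1\\ansi\\deff0"
SAMPLE_DOCUMENT = RTF_HEADER + b" Source met at the station; name withheld until publication.}"


def scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Running it again with the same key restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(scrambled: bytes, known_plaintext: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack. Since out[i] = in[i] XOR key[i mod n], XORing the
    scrambled bytes with the known plaintext yields the key stream directly; the key
    length n is the shortest period at which that stream repeats. At least n+1 bytes
    of known plaintext are needed to see one repetition; returns None otherwise."""
    stream = bytes(s ^ p for s, p in zip(scrambled, known_plaintext))
    for n in range(1, min(max_key_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def recover_document(scrambled: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Recover the whole file without ever being told the password."""
    key = recover_key(scrambled, known_plaintext)
    return None if key is None else scramble(scrambled, key)


if __name__ == "__main__":
    locked = scramble(SAMPLE_DOCUMENT, b"s3cret")
    print("recovered key: ", recover_key(locked, RTF_HEADER))
    print("recovered text:", recover_document(locked, RTF_HEADER))
```

A longer password does not rescue the scheme; it only means the attacker needs a little more known plaintext, and a document of any size supplies that in its formatting alone. Genuine encryption, as described in the briefing on Using Encryption and Digital Signatures, does not leak the key this way.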

The main form of program-level security is the use of secure encryption programs, such as PGP, to encrypt files (see the briefing on Using Encryption and Digital Signatures).

You should not rely on encryption for total security. When editing data, your computer uses areas of the hard disk for temporary files. These files are not fully erased from the hard disk when you close the file you're editing, and so for some days afterwards, parts of the file you were editing will be available to anyone who knows how to access the raw data stored on the hard disk.

The only certain safeguard against this is to encrypt your hard disk at the operating system level.

A less reliable option is to use a program that scrambles or overwrites all unused areas of your hard disk with random data and so completely erases any temporary files. If you use this sort of program, you must remember to run it on a regular basis, otherwise you will jeopardise your security.

The other essential aspect of program-level security is maintaining the system and protecting against computer viruses. There is a variety of specific programs available to help you do this:

· Use clean-up tools for your hard disk, to repair or remove corrupted data from the system. This will make your system faster and more reliable, but also helps security. When files are deleted they are not really deleted -they are just removed from the index of files on the disk.
· You can get programs that shred files by overwriting them with random data.
· Remove damaged files (by using utilities like Scandisk for Windows), and reorganise the files on the disk in a more logical order (by using utilities like Defrag for Windows). Defragmenting may happen to overwrite some deleted or temporary data as files are moved, but this is incidental; it is not a reliable way to erase them, so use a shredding or free-space overwriting tool for that.
· Use an anti-virus program for systems that are susceptible to viruses. This is primarily those using the Windows operating system and Microsoft-based Internet and email software.

Anti-virus software is no failsafe guarantee of protection. New viruses arise all the time, so if you use anti-virus software be prepared to pay for regular updates.

The majority of computer viruses target Windows, and are initiated through Microsoft's Outlook email program. You can improve security by using an alternative to Outlook for email, or even using an alternative operating system that provides a higher level of security, such as Apple Macintosh or the Linux operating system for PCs.

· Encryption programs often have other useful functions contained within them. Some have shred functions that completely erase data from the disk (see above). Others have scrambling functions that overwrite all unused areas of a disk to remove deleted files and any temporary files created by the operating system (see above).
· Most programs have a setting enabling you to automatically save and back up copies of files that you are working on at regular intervals. This is a good way of protecting against the loss of information if your computer crashes whilst you are working, or if you accidentally delete a large quantity of data and cannot 'undo' the operation to put it back. Keeping back-up copies also means that the older version of the file can still be accessed, which is useful if you accidentally edit the wrong file, or delete data or a main file and cannot recover it.
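The file shredder and free-space wiper described above, as an added example written for this page (not a program supplied with the briefing), using only the Python standard library. It assumes a conventional magnetic disk and a filesystem that writes data in place; journaling and copy-on-write filesystems, and SSDs with wear levelling, can keep old copies of the data elsewhere, which is why the briefing recommends encrypting the whole disk rather than trusting overwriting alone. The file names, pass count and 'limit' parameter are illustrative.

```python
# Added example (not from the briefing): a file shredder and a free-space wiper
# of the kind the text describes, built on the Python standard library.
# Assumptions: a conventional magnetic disk and a filesystem that writes in
# place. Journaling and copy-on-write filesystems, and SSDs with wear
# levelling, can keep old copies of the data elsewhere.
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write random data one megabyte at a time


def overwrite_file(path, passes=3):
    """Overwrite every byte of `path` with random data, `passes` times over.

    Returns the total number of bytes written. The file is left in place so the
    result can be inspected; shred_file() does the removal."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # force the data onto the disk, not just the cache
    return written


def shred_file(path, passes=3):
    """Overwrite the contents, rename the file to a random name, then delete it.

    Renaming first replaces the original file name in the directory entry, so
    the name itself does not survive as a clue to what was there."""
    written = overwrite_file(path, passes)
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return written


def wipe_free_space(directory, limit=None):
    """Fill the unused space of the filesystem holding `directory` with random data.

    A temporary file is grown until the disk is full (or `limit` bytes have been
    written), so every free block that once held a deleted or temporary file is
    overwritten; the file is then removed. Returns the number of bytes written.
    `limit` exists so the routine can be tried on a small scale; leave it as
    None for a real wipe."""
    fd, path = tempfile.mkstemp(dir=directory)
    written = 0
    try:
        while limit is None or written < limit:
            n = CHUNK if limit is None else min(CHUNK, limit - written)
            written += os.write(fd, secrets.token_bytes(n))
    except OSError:
        pass  # disk full: the free space has now been overwritten
    finally:
        try:
            os.fsync(fd)
        except OSError:
            pass
        os.close(fd)
        os.unlink(path)
    return written
```

Run shred_file() on individual sensitive files, and wipe_free_space() on each drive after a session of editing, as the text advises; the wipe must be repeated regularly because every new temporary file creates new remnants.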

Persistence

Paper records are easy to destroy. They can be shredded or pulped, or sensitive sections can be blocked out with indelible ink. But computer data can be more difficult to deal with:

Computers store large quantities of information very effectively. As we discussed above, even when files are deleted the data remains on the disk unless you take steps to 'shred' the file. The 'persistence' of this data can prove incriminating to those whose work attracts the displeasure of the state. Persistence also presents a risk to personal privacy. The persistence of information, therefore, may jeopardise your security.

· Problems of persistence arise particularly where you back up information to write-once media, such as recordable CDs (CD-Rs). These cannot be erased. Instead they must be carefully destroyed (the best way to destroy a CD-R is to break it, or cut it with a guillotine, into four or more pieces).
· Other backing-up media, such as tapes or large capacity disks, should also be disposed of very carefully at the end of their working lives.

Often we dispose of backing-up media because they have failed to work. But even though the media may have failed, experts can still recover data from the undamaged or uncorrupted areas of the media. For this reason failed media should be physically damaged to render them completely unreadable before disposal.

· If you have a hard disk that has failed, wiping it with an ordinary magnet is not reliable. The most secure erasure option is to unscrew the steel case that protects the hard disk and then split the disk's platters into quarters using a chisel or other heavy-duty cutting tool.
· CD-ROMs should be cut or sawn into thin strips (some heavy-duty paper shredders will do this).
· Tapes should be removed from their cassette, the spool of tape then cut in half, and the small strips of tape then randomly dispersed in other refuse.
· Floppy disks can also be a problem because people have a tendency to send each other floppies containing files without giving any thought to what was held on the disk previously. If the data held previously was not fully erased by using a shredding program, or by conducting a full re-formatting of the disk's file system, the information will still be on the disk. It can be read by anyone with the required skills and computer software.
· You should also pay careful attention to the disposal of computer systems and components when they reach the end of their lives. Hard disks will not only contain highly sensitive and personal information; they may also be the means by which you protect the security of other information you hold, such as passwords or encryption keys. Merely deleting files from the disk is not enough.

Before disposing of any computer, thoroughly erase the hard disk with a wiping program that overwrites the whole disk, not just the individual files, since deleted files, temporary files and swap space all leave data behind. Otherwise, remove the hard disk (and destroy it as described above) and replace it with a new one.

Email and the Internet

The use of email and the Internet to send data also presents problems of persistence. Depending on the requirements imposed by law, some Internet Service Providers will store some or all of the data you move over the Internet. Therefore not only the text of the messages you send but perhaps also the files you attach may remain available. The only solution to this is to send sensitive information using encrypted messages or files.

Even so, the fact that you have sent information across the 'Net will always generate communications data. Communications data is the description of your information transactions on the Internet - dates, times, addresses and the quantity of information passed. Communications data is increasingly being used as a means of covert surveillance by states and security services.

Going beyond passive security - counter-surveillance

Securing the space where you work is the first objective. If anyone can walk in and use your computers and other equipment, you have no security. But after that you should consider developing systems that actively seek to avoid the potential for the surveillance of your activities.

The first thing to concentrate on is the security of the computer itself. As well as securing the operating system, described at length earlier, you should take steps to secure the hardware. Some computers have locks on the case. Those that do not can be secured by fitting some sort of lock to the case.

An option to secure not only computer cases but any type of cased equipment is to provide a 'seal' on the screws or bolts. Take a very fine brush, and a pot of model-makers' enamel paint with the colour chosen at random, and paint a small line over the minute gap between the head of the screw and the case of the enclosure (but do not paint over the head of the screw!). Then, if the screws are ever undone, the paint will split and the tampering will be obvious. The reason for choosing a random colour is that any attempt to redo the paint seal will fail unless the intruder can match your colour.

You should assume that all mechanical locks can be picked by professional surveillance operatives. Therefore do not assume that good locks will secure your working area. Instead seek to secure the workplace 'in depth' so that even if access is gained to the working area, access to information can still be frustrated. There are various options to do this:

· Ensure that you have good quality locks. On internal rooms the locks are usually of a lower quality. You can improve security by using higher quality locks on internal doors.
· By having a locked area within the space where sensitive material is kept you make it harder to access your sensitive material. If this too can contain cupboards or storage spaces with high quality locks that will help too.
· An alarm system on the doors or windows can provide good security. But some sort of motion-detection is a far better means to provide an alert if someone attempts to access an area. Also, whilst alarm systems are expensive, motion detectors provide a cheap means, with minimal need for wiring and alteration of the fabric of the building, to cover a large area.

Those who wish to access your information will, if required, smash their way in. But the object of good space security is to make covert access harder, as well as preventing general theft. Covert access is more of a problem because it does not provide you with a warning that someone has attempted to make an entry. Good security around your workplace should primarily be aimed at highlighting any access attempts. Having detected them you can step-up your security.

If there are any attempts to access your workplace you should always conduct a thorough search of the area. Your first goal should be to check that all your computers are intact. Then you should check that your data back-ups and installation disks are intact and uncorrupted. If you find that the computer has been tampered with to gain access, you should assume that the computer may have been loaded with a virus or other rogue program. You should disconnect it from any networks before booting the system, copy off only data files that cannot carry executable code (plain text, for example, but not office documents that may contain macros), and then wipe and reinstall the system from installation disks you have checked.
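Checking that back-ups and installation disks are 'intact and uncorrupted' is only possible if you recorded what intact looked like beforehand. The following is an added example for this page (not a tool from the briefing) that records a SHA-256 fingerprint of every file under a directory while it is known-good and reports what has changed, gone missing or appeared after a suspected intrusion. The saved manifest must be kept somewhere the intruder cannot reach (a floppy in a locked cupboard, or a printed copy): a manifest stored beside the files can simply be regenerated by whoever altered them. Directory names and file contents below are constructed for the example.

```python
# Added example (not from the briefing): a SHA-256 manifest of trusted files,
# taken while they are known-good and compared against a fresh one later.
# Paths are illustrative; the manifest itself must be stored out of reach.
import hashlib
import json
import os


def sha256_of(path):
    """Hash a file in chunks so large back-up archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256 hex digest} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink can be redirected without touching the file it names
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as sorted JSON so two copies can be compared by eye."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifests(trusted, current):
    """Report the differences between the trusted manifest and a fresh one.

    Returns sorted lists under 'changed' (same path, different hash),
    'missing' (in trusted only) and 'added' (in current only)."""
    changed = sorted(p for p in trusted if p in current and current[p] != trusted[p])
    missing = sorted(p for p in trusted if p not in current)
    added = sorted(p for p in current if p not in trusted)
    return {"changed": changed, "missing": missing, "added": added}


def is_intact(report):
    """True only when nothing changed, vanished or appeared."""
    return not (report["changed"] or report["missing"] or report["added"])
```

Take the manifest immediately after a clean installation or after writing a back-up, and check it before trusting either. An 'added' file is as significant as a changed one: a rogue program planted alongside the installation files shows up there.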

After dealing with the immediate problems of any attempt to access your work space, you should then systematically check all your communications equipment. The cases of telephones and other communications equipment can be secured using a small line of paint on the screws that secure the case, as described above. This will show any attempts to open them up. But you should also check for any damage to the walls, ceiling or floor of the room, or for any attempts to mask damage with paint. This may give away attempts to install some sort of surveillance device. You should also check the mains power sockets as these provide both a space and a power supply for surveillance devices.

If you have access to the equipment, you might also sweep the area for radio transmitters. But unless you have professional sweeping equipment, this is likely to only pick up the low-tech/amateur style listening devices.

Counter-surveillance is difficult to describe in a general way. This is because, unlike general computer security, it is highly specific to the location and layout of the areas/equipment that need to be protected. There is further information provided on this issue in briefing no.7 - Living Under Surveillance.

Backing Up Your Data

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

This briefing is one of a series on information security. It looks at:

· Why, when and how you should back up data and information on your computer
· Storage, security, costs and legality
· Organising your information
· Methods of backing up
· Issues to consider: longevity, security, recovery and redundancy
· Installation disks
· Backing up with Linux

Why 'back up'?

Information on your computer is vulnerable: hard disks can fail, computer systems can fail, viruses can wipe a disk, careless operators can delete files, and very careless operators can delete whole areas of the hard disks by mistake. Computers can also be damaged or stolen. For these reasons backing-up your data is essential. This involves making copies of essential files on your system and keeping them on another computer, or on some form of storage media.

To ensure that you can back up easily it is important to organise the information on your computer. The aim is to make different users, and/or different areas of an individual user's work, easily identifiable and easy to find on the disk. This is achieved by setting up a series of directories on the disk that contain different types or areas of a user's work. This is generally called a 'workspace' - the area of a disk that contains a user's work. This also helps segregate a user's unique work from files or information that are held by a number of people, or that are loaded onto the computer from other sources, such as CDs, so you don't back-up files unnecessarily.

When to back up

Backing up data can be a difficult task where there are lots of files to copy. The first rule of backing up is therefore to minimise the amount of data you have to back up by regularly removing useless or out-of-date files from your system. It's also important to get into the habit of backing up in different ways for different reasons to increase the reliability of your backed-up data.

You should consider backing-up:

· When you've done a large amount of work over a short period - in which case you should back up all the contents of your 'workspace';
· When you've completed a major body of work - you should clean up the directory containing the files (to get rid of files that are not needed) and just back up that directory;
· On a regular basis, back up your whole 'workspace' and the essential system files.

How to back up

How you back up depends upon the type of equipment you have and the amount of data you have to back up:
· Backing up your immediate work is very simple. It is unlikely to be a huge volume, and so some sort of disk storage is easy to organise. Within an organisation, where you are more likely to have a network of computers, it is also possible to back up users' work to a single computer somewhere on the network.
· On a regular basis it is a good idea to back up not just the current work, but also copies of the word processor's user dictionaries, email or Internet download directories, and other important system files, as well as all the users' data.
· Make arrangements to hold copies of backed-up information at other locations. These back-ups are not going to be as up-to-date as your regular office-based back-ups. But in the event of a catastrophe, such as the theft of computers, a fire, or a deliberate raid by the state or some other organisation, you can at least put a large part of your computer-based work back together.

Storage

Another issue with regard to backing-up is how data is stored. Many people use programs that compress large amounts of data into a smaller space, and which stitch together many small files as one big file in the process. Whilst this is a useful way of backing up data in the short term, in the longer term it has security and reliability implications: a single corrupted sector can make the whole archive unreadable rather than just one file, the archive's own password protection (where the program offers one) is no substitute for proper encryption, and the software needed to unpack a particular archive format may not be to hand years later.

Security

Backing up data has other security implications. Whilst the information on the computer can be protected behind different type of security barriers, data on back-up disks is more vulnerable because it is 'open' - simply stored on some form of storage media without any barriers to access other than the box or room the storage media is stored in.

In circumstances where you have particularly sensitive data to back up, it is often safer to have one set of back-ups containing your ordinary data, and a smaller set of back-ups containing more sensitive data for which you make separate storage arrangements.

Costs

Fundamentally, your policies on backing up are just a matter of money. If a computer holds all the work you have produced over 2 years, and the cost of producing that work is £5 to £10 per hour, the value of the information held on a computer could be £15,000 or more to reproduce. On a computer worth only £1,000, and the cost of disk storage or CD's at £1 to £10 each, backing-up makes clear economic sense, without the impact that losing large amounts of your work can have on your business or campaign activities.

Legality

There are legal implications to backing up. As copyright law becomes more restrictive it affects your legal rights to back up the contents of your hard disk.

Where information has been created by someone else, be that a book or an email, it is technically their property. The backing-up of information, where it is solely for your own use, is a grey area in the law in many countries. But where more than one person has access to data, for example as part of a community organisation or group, it can be argued that making copies of other people's information without their permission is an infringement of copyright. In some countries this will be a criminal offence, whilst in others it will be a civil matter where the copyright owner must bring an action themselves.

The easiest way to steer clear of copyright problems when backing-up is to segregate the information on your system according to whether it is 'open' information, or information that may need restrictions on its use. You can then either not back up this information, or back up to a disk or media that will not be copied or distributed to other persons/organisations.

In general you should try to avoid backing up:

· Any software - be it the installation programs or installed programs - where there is any possibility that a copy may end up in the hands of someone else;
· Any web pages or email where the page/email contains a specific copyright message;
· Any reports, and especially books and multimedia works, unless they have no clear copyright restrictions, or unless they are specifically circulated as 'open content'.

Organising information

Effective backing-up depends upon how well you organise your information.

If your computer has lots of unimportant data mixed in with your most important files you risk damaging files by deleting or editing the wrong ones. You will also waste time and money backing up far larger quantities of information than you need to. Organising information in this way will also mean that you use your computer system more effectively and efficiently.

To ensure good practice in organising your information you should:

· Use directories within the hard drive(s) of your computer to hold data for each user, and different areas of that user's work. In this way you can back up single files, directories that contain an entire project, a user's entire workspace, or the data for all users who use that particular computer.
· Make sure that files shared between many users are kept separate from a user's individual files.

In more detail, this means:

· Always have a directory for each user who uses the computer, and perhaps a 'guest' directory for occasional users;
· Try to keep finished work and work in progress apart - finished work should be backed up for long-term storage, whereas work in progress should be backed up regularly, and keeping older/completed files out of the current work area saves space;
· When starting a new project, always create a directory for it and store all information related to the project in that directory - in this way you can keep a regular back-up of the project by copying the whole directory in one go;
· Where a project contains a large volume of files try subdividing them into more sub-directories to allow backing-up on different disks - this is dependent upon the capacity of the storage media you are using; and
· If using a network for access and backing up, always try to keep the files that everyone shares separate from each user's own files. Get your users into the habit of accessing and updating shared files in one location - this prevents confusion arising over different versions of the same file stored in different areas of the network system.

Organise your backed-up data so that it mirrors the organisation of the work on the computer. This means that in the case of a file or a whole disk being damaged or corrupted, the work can be restored easily; it also means data can be simply copied in a way which re-creates the working environment that your users find familiar.
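A small script that follows the organisation just described, added here as an example for this page (it is not part of the briefing): it backs up one project directory into a dated compressed archive, leaves out the shared files and scratch files that should not be copied, and can check an archive against the directory later. The project layout, exclusion patterns and archive name format are illustrative choices.

```python
# Added example (not from the briefing): back up a single project directory to
# a dated .tar.gz, skipping shared and scratch files, and verify the archive.
# Exclusion patterns and naming are illustrative.
import fnmatch
import os
import tarfile
import time

# Patterns are matched against the path relative to the project directory:
# the shared area is backed up separately, editor and temporary files not at all.
DEFAULT_EXCLUDE = ("shared/*", "*.tmp", "*~", "*.bak")


def should_exclude(rel_path, patterns):
    return any(fnmatch.fnmatch(rel_path, p) for p in patterns)


def select_files(project_dir, patterns=DEFAULT_EXCLUDE):
    """Sorted relative paths of the files that belong in the back-up."""
    chosen = []
    for dirpath, _dirs, files in os.walk(project_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), project_dir)
            rel = rel.replace(os.sep, "/")
            if not should_exclude(rel, patterns):
                chosen.append(rel)
    return sorted(chosen)


def backup_project(project_dir, backup_dir, patterns=DEFAULT_EXCLUDE, when=None):
    """Write <project>-<timestamp>.tar.gz into backup_dir and return its path.

    `when` is seconds since the epoch for the timestamp; None means now."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(when))
    name = os.path.basename(os.path.normpath(project_dir))
    archive = os.path.join(backup_dir, f"{name}-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in select_files(project_dir, patterns):
            # arcname keeps the project's own layout, so restoring recreates it exactly
            tar.add(os.path.join(project_dir, rel), arcname=f"{name}/{rel}")
    return archive


def list_backup(archive):
    """Relative paths stored in an archive, for checking it before relying on it."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name.split("/", 1)[1] for m in tar.getmembers() if m.isfile())


def verify_backup(archive, project_dir, patterns=DEFAULT_EXCLUDE):
    """True when the archive holds exactly the files a fresh back-up would."""
    return list_backup(archive) == select_files(project_dir, patterns)
```

Because the archive keeps the project's directory layout, restoring it recreates the working environment the user is used to; verify_backup() returning False after a day's work simply means it is time for the next back-up.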

Methods of backing up

There is no specific right way of backing up. It will depend upon:

· what form your data is in,
· how much data you wish to back up, and
· what hardware you use to back up.

There are various options for backing up small and large quantities of data. The critical factors you need to consider are the costs and capacity involved in each option and the period for which data can be held without any degradation or corruption.

Table: Comparisons of capacity and cost

                  Lower cost  ----------------------------------------------->  Higher cost
Low capacity      Floppy disk - 1.44MB | E-mail - 1 to 2MB | Secure server - 1 to 25MB
Medium capacity   ZIP disk - 95MB | CD recordable (CD-R) - 600MB | JAZZ disk - 900MB | CD re-writable (CD-RW) - 550MB
High capacity     QIC tape storage - 500 to 4,000MB | DAT tape - 2,000MB or more | DVD recordable (DVD-R) - >4,700MB | Removable hard disk - 4,000 to 80,000MB+

All figures are in megabytes - MB

Floppy disks

All PCs come with a floppy disk drive. Until recently the floppy disk was sufficient for backing up data. But over time, programs have become more complex, files have grown larger and the size of hard disks has grown from a few megabytes to a few gigabytes. Using floppy disks to back up the entire contents of your hard disk is no longer a viable option.

Despite their small capacity, floppy disks are still a good way of backing-up small amounts of data - for example backing up your day's work. But floppy disks have become increasingly superfluous with the development of the Internet. Whereas previously people sent floppy disks via the post to move data over long distances, today the same volume of data can be sent as a file attached to an email.

Local networks

Backing up over a local network, to another computer in the same room or building, can be done at high speed and involves the transfer of large volumes of data. Backing up over a network can reduce costs, because you only need buy one high-capacity back-up device, such as a tape drive or CD-burner, which everyone can share. But you still have the problem of the data being stored on machines, and those machines being accessible within your office.

When backing up over a network you are still backing-up to another hard disk. But the statistical likelihood that two computers will have their hard disks fail at the same time is very low. You will be able to recover information from at least one of the hard disks involved.

The only problem you would have with a local network would be if all the computers in your office were stolen. For this reason keep any computer you use for backing up more securely than other computers on the network; locked in a ventilated cupboard or purpose built security cage, for example.

The Internet

A more secure option is to back up over the Internet to a secure server, or to another person with whom you have an arrangement to hold data with. These machines may be in your own country, or more likely, in another country where the laws on privacy and data protection provide far greater protection for your information.

The reason this provides greater security is that it removes the data from your location to somewhere else; even, if necessary, to a different legal jurisdiction that gives better protection to personal information.

There are two options:

· With a secure server you can access the system at any time to store or retrieve data. You should be able to store data in an encrypted format so that only you can access it, but the actual online session should also use some form of encryption so that the transactions themselves are secure. For those states where storing data in an encrypted format is a problem, or where the possession of certain type of information is a problem, secure servers are a simple solution to data security.
· If you have an informal agreement with other activists or groups in another country, you can exchange information via the Internet and they can look after your files for you.

The only problem with this is that the transfers are not automated, so you rely on those looking after your data to store it carefully, and return it to you when you request it. In many cases you could do this by default, by sharing your information for other groups or activists to use themselves; in this way your data is more secure because others will hold and be able to use it in the event of your work being restricted or prohibited.
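When a back-up is held by a server operator or another group, you want to know on its return that it is the file you sent and not a substituted or altered copy. An added example for this page (not a tool from the briefing): a keyed tag (HMAC-SHA256) is computed over the archive with a key that never leaves your machine, and checked when the file comes back. A plain checksum would not do, because whoever alters the file can recompute it. The tag protects integrity only; confidentiality still requires encrypting the archive first, for example with PGP as the encryption briefing describes. The key file location and archive name are illustrative.

```python
# Added example (not from the briefing): tag an archive with HMAC-SHA256 using a
# locally held key before sending it off site, and verify it on return.
# Integrity only: encrypt the archive separately for confidentiality.
import hashlib
import hmac
import os
import secrets


def new_key(path):
    """Generate a 256-bit key, store it readable by the owner only, and return it."""
    key = secrets.token_bytes(32)
    with open(path, "wb") as f:
        f.write(key)
    os.chmod(path, 0o600)
    return key


def tag_file(path, key):
    """HMAC-SHA256 over the file's bytes, computed in chunks for large archives."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()


def write_tag(path, key):
    """Record the tag next to the file; keep your own copy of it as well."""
    tag = tag_file(path, key)
    with open(path + ".tag", "w") as f:
        f.write(tag + "\n")
    return tag


def check_returned_file(path, key, expected_tag):
    """True if the returned file still matches the tag you recorded when sending it.

    compare_digest() runs in constant time, so the comparison does not leak
    how much of the tag matched."""
    return hmac.compare_digest(tag_file(path, key), expected_tag)
```

Keep the key and your own copy of the tag with your local back-ups, not with the off-site copy: the whole point is that the holder of the file cannot produce a valid tag for a modified one.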

The issue to consider with backing up over the Internet is the amount of data you can transfer. With dial-up connections only a few megabytes are realistic. With broadband connections, depending on the available upload speed, that can rise to around ten or twenty megabytes.

ZIP/JAZZ drives

ZIP and JAZZ drives are high-capacity removable disk drives.

ZIP drives are 100 megabyte disk drives that plug into your parallel port (without affecting your use of the printer) or can be fitted internally like an additional removable hard drive.

JAZZ drives are similar, but they have a 1 gigabyte capacity.

The only issue between the two is how much data you have to back up, and how safe you can keep it. JAZZ drives are good for backing up data from devices that generate huge files - such as digital video. If you lose or damage a JAZZ disk you will lose ten times more information than if you had lost a ZIP disk.

ZIP drives provide a very good short-term back-up medium, although their cost and smaller size makes them less good for long-term storage because of the number of disks you might generate.

QIC Tape/DAT tape drives

QIC and DAT tape drives are usually fitted inside the computer, although external units are available. Some versions plug in like another disk drive, whilst others plug into the computer's parallel port or USB port. Tape drives use a long tape in a cartridge to copy the whole contents of a hard disk onto tape. There are two types:

· QIC ('quarter inch cartridge') drives, which work in a similar way to audio cassette players. QIC tapes vary in capacity from 40 megabytes to 4 gigabytes.
· DAT ('digital audio tape') drives, which work in a similar way to video recorders. DAT tapes can store 2 gigabytes or more.

With tapes you usually back up an entire hard drive rather than parts of it. You can then restore all or parts of the disk at a later date. They are a cheap solution, given their capacity, but they are not very reliable after a long period of use. They are also not as convenient as other options such as CDs because you must have a tape drive to use them. They are also slower, and on standard PCs require an additional interface card because they usually use the SCSI drive interface standard.

Writable/re-writable CD ROM drives

Writable and re-writable CD ROM drives can store up to 550 or 650 megabytes per CD (they may say 600 or 700 megabytes, but 50 to 100 megabytes are used for directory information).

Writable drives (CD-R = 'CD recordable') are good for making permanent archive back-ups, but it's a bit of a waste because you can only write once to a CD; you cannot over-write it after that. This can also present a security problem because as you progressively update your backed-up data you'll probably want to dispose of older CDs. Writable CD ROMs, are now the cheapest form of backing up, with the recent fall in the price of drives.

Re-writable CDs (CD-RW = 'CD re-writable') are better, because you can add and overwrite files as you go; they're better than CD-Rs for small-scale backing-up of recently completed work. But the more times that you re-write a CD the more likely that data may be corrupted. This is because the re-writing process slowly degrades the recording layer inside the disk.

Re-writable CDs, are a competitive alternative to tape drives because of their better reliability and versatility. But tape drives still win on capacity.

Writable DVD drives

Recently writable DVD drives (DVD-R) with a capacity in excess of 4 gigabytes of data are now available. But they are extremely expensive to buy and run, although costs will fall over the next few years. For the foreseeable future they will be outside the scope of many small organisations. The only exception may be those involved in digital media, for whom writable DVD not only represents a back-up option, but also a means of distributing multimedia productions.

Removable hard drives

Removable hard drives can hold tens of gigabytes of data and are very effective in terms of security. You need more technical expertise to manage them than other options, however.

When you have finished using your computer you can remove the hard disk in a protective caddy and lock it away. You could also back up your data to the hard disk and then store it in another location. This method is very space-effective, because a large amount of data can be stored on the disk. The metal shielding of the hard drive's case and the small size also make it more secure to transport and store.

The real benefit of removable hard drives is if you have a local network; you can have one dedicated machine that backs up to a removable hard drive, back up from all other machines to this computer, and then remove and store the hard disk elsewhere.

A hard drive can contain a working operating system, not just data. You can therefore set up a hard disk in the computer with a basic operating system, and then be able move it to another computer in an emergency. Another advantage is that you could encrypt the entire hard drive for additional security.

A comparison of the performance of different backing-up options

Floppy disk
 Longevity: A few years, if stored in a shielded container. Very good for small daily back-ups of current work.
 Security: Need good physical security, or encryption of data.
 Recovery: Good, if drive is aligned. In worst case, data can still be recovered from parts of the disk even when corrupted.
 Redundancy: Easy to create copies at low cost.

Email
 Longevity: Relies on recipient's information security procedures.
 Security: Low security in transit unless encrypted - relies on good storage security by recipient(s).
 Recovery: Relies on recipient to send it back.
 Redundancy: Easy to email many recipients at once. You might have complications over the version/date of the back-up.

Secure server
 Longevity: Relies on server operator's information security procedures.
 Security: Low security in transit unless encrypted - relies on good storage security by server operators.
 Recovery: Good if server is online for the majority of the time, but still reliant on you having Internet access to recover data.
 Redundancy: Not good as sole means of backing-up sensitive data, but very good as a means of quickly backing-up off site.

ZIP disk
 Longevity: A few years, if stored in a shielded container.
 Security: Need good physical security, or encryption of data - ideally should sign if stored off site.
 Recovery: Good, if drive is aligned. But overall problem that not everyone has a ZIP drive.
 Redundancy: Easy to create copies, although it can be time consuming and expensive.

JAZZ disk
 Longevity: A few years, if stored in a shielded container.
 Security: Need good physical security, or encryption of data - ideally should sign if stored off site.
 Recovery: Good, if drive is aligned. Greater problem that JAZZ drives are rarely used.
 Redundancy: Easy to create copies, although it can be time consuming and expensive.

CD recordable
 Longevity: Perhaps ten years or more, if stored to reduce damage to the disk.
 Security: Need good physical security, or encryption of data, but a compact way of storing data off site.
 Recovery: Good, but you must verify that the CD reads on an ordinary CD-ROM drive after creating it.
 Redundancy: Easy to create copies at low cost.

CD re-writable
 Longevity: Limited by regularity of use; each re-write degrades the storage media. Useful for daily/weekly back-ups.
 Security: Need good physical security, or encryption of data - ideally should sign if stored off site, but this is difficult on such a large disk.
 Recovery: Good at first, but may become difficult with regular re-writing. Not easy to copy because older CD-ROM drives cannot read them, unlike CD-Rs.
 Redundancy: OK for historical backing-up.

DVD recordable
 Longevity: Perhaps ten years or more, but the media has not had long-term real-world testing.
 Security: Need good physical security, or encryption of data, but a compact way of storing data off site.
 Recovery: Good, but you must verify that the DVD reads on an ordinary DVD drive after creating it.
 Redundancy: Easy to make copies, but a very expensive option. Good for huge quantities of data - e.g. digital video.

QIC tape
 Longevity: A few hundred back-ups before wear may become a problem.
 Security: Need good physical security - difficult to encrypt/sign. Inclusion of sensitive files such as encryption keys makes them a security problem.
 Recovery: Good, but can be slow. Also not widely used outside of the business world.
 Redundancy: Not an issue. Made for single back-ups of a whole hard disk - making copies is time consuming.

DAT tape
 Longevity: A few hundred back-ups before wear may become a problem.
 Security: Need good physical security - difficult to encrypt/sign. Inclusion of sensitive files such as encryption keys makes them a security problem.
 Recovery: Good - main benefit is faster transfer rate than QIC. Problem is DAT drives are not common because of the higher cost.
 Redundancy: Not an issue. Made for single back-ups of a whole hard disk - making copies is time consuming.

Removable hard disk
 Longevity: Perhaps ten years or more if stored correctly.
 Security: Good physical security required. Encryption of hard disk simple to arrange.
 Recovery: Good, and at high speed. It is also highly portable between computers - it is a drive.
 Redundancy: Expensive option, especially for large quantities of data. But good for infrequent

A removable hard drive thus provides you with a really good disaster recovery system; in the event of a catastrophe you simply need another compatible computer, plug in the back-up hard drive, and all your data and applications will be available as before.

Using a removable hard drive with the Windows operating system is not really practical: a Windows installation is not very portable between machines, and usually needs new drivers before it will run on different hardware. Windows XP in particular is tied to the hardware it was activated on, and will typically refuse to boot, or demand re-activation, if the drive is moved to a different computer. With Windows your best option is a 'pluggable' hard drive - this plugs into a USB port and can be moved from computer to computer, provided each computer has the correct software and drivers installed.

The Linux operating system, on the other hand, lends itself well to using a removable hard drive. It is very portable, and even on computers with very different hardware it will reconfigure itself and carry on working as before.

Longevity, security, recovery and redundancy

When backing up data you are trusting that the system you are using will return that data to you when you require it to. There are four important issues you must consider to ensure that your data remains available for when you need it most:

· Longevity - how long the data remains viable;
· Security - protecting the data from damage or theft;
· Recovery - being able to read your back-ups; and
· Redundancy - making sure that you have enough copies, should something nasty happen to one of them.

Longevity

Longevity is an important issue if you want to keep data for a number of years. The behaviour of materials you use for back-ups is critical; you will have a lot of data stored in a very little space, and degradation of the materials can destroy your entire back-up.

All magnetic media - floppy disks, ZIP/JAZZ disks, tapes and hard disks - are vulnerable to damage by magnetic fields, in particular stray fields from equipment near where they are stored or used. This includes:

· CRT monitors (especially the degaussing pulse when they are switched on), the magnets in telephones and loudspeakers, and motors and transformers in other electrical equipment.

(The Earth's own magnetic field is far too weak to affect recorded data; what corrupts an unshielded floppy disk over a period of years is repeated exposure to equipment of this kind, together with ageing of the magnetic coating itself.)

In order to ensure the long life of data stored on magnetic media you should regularly 'refresh' the information on the disks. Information stored on ZIP or floppy disks should be copied back onto a computer every year or two. You should then reformat the disk, and write the data back to the disk again.

Keep all your magnetic media inside steel storage cabinets, as far away from electrical equipment as possible. If you intend to store disks for long periods and do not have a suitable steel cabinet, a steel box or tin will significantly reduce the influence of stray magnetic fields. Note that wrapping disks in aluminium foil is no use for this purpose: only a ferromagnetic metal such as steel diverts a magnetic field.

With magnetic tapes/DAT tapes refreshing is not an issue because you tend not to use them for file storage, but rather backing up a whole hard disk. Also, the roll of magnetic tape shields itself from local magnetic fields (although stronger fields will still degrade its content).

Tapes that are to be stored for long periods should be wound every year or so by putting them back in the drive and doing a test read. This prevents the surfaces of the tape sticking together.

Optical media - pressed CD-ROMs as well as writable disks such as CD-R, CD-RW and DVD-R - are not susceptible to magnetic fields.

CDs are sensitive to light, however, particularly the ultraviolet component in sunlight, because it degrades the polymers/plastics in the disk.

All writable CD media are also sensitive to heat. Heat can degrade the film in the CD that the data is stored in.

CDs should therefore be stored in light-proof, strong containers, and they should be protected from extremes of temperature, as well as regular changes in temperature.

All back-up media should be stored in conditions that are free from damp, at a fairly constant temperature. Regular swings of temperature to extremes can damage the plastics or polymers in them. Swings in surrounding temperature can also cause damage through condensation, as warm humid air condenses on the cold surfaces of the storage media.

The storage area should be free from vibration because this will cause mechanical stress on the polymers. It's also important to protect hard disks, if you use them for backing up data, from static electricity; this is most easily done by storing them in anti-static bags.

Security

Backed-up data can be a significant liability; in the event of a break-in or raid, back-ups provide a very portable means of taking copies of your data. The main protection for backed-up data is physical: keeping it where it cannot be found or removed. You can also encrypt your back-ups, but this has implications for recovery of the data (see Recovery below).

To prevent anyone removing your back-ups:

· Keep them in secure containers, which are themselves securely installed/fixed to prevent them being carried away;
· Segregate your back-ups according to the sensitivity or importance of data. In this way you can keep your most sensitive data under better security than the rest;
· Consider setting up 'decoy' storage areas by putting your less important data or old back-ups in clear view, whilst finding more secretive/secure places for more important data.

The most secure option, for data and for important paper-based records, is to keep copies in another location. Although off-site back-ups will not be as up-to-date as those kept in your office, they will survive any attempt to deprive you of your computers and data, especially by the state or other organisations trying to stop your work.

With the actions of the state especially, the confiscation of computers and data effectively stops your work. The most effective way for other organisations to stop groups or individuals working is to burn down their offices (a tactic seen in states such as the USA). Providing that you have off-site back-ups, and you can get access to computers, you can carry on your work fairly soon after any catastrophic loss of data or equipment.

Verification is more of a priority on media that can be edited, such as magnetic media and CD-RW disks. Read-only disks cannot be edited (although you could have a duplicate substituted for your own copy).

A final security feature you should consider installing on your back-ups is some form of signature or verification of the back-up's integrity. If the back-ups are not encrypted, have no strong physical security, or are stored on a computer outside your direct control, verification helps you ensure that your back-up has not been tampered with. This does not prevent the back-up being read. It just ensures that no one can change the content and introduce erroneous data or a computer virus.

Verification can be as simple as having a directory listing, that you keep on a different disk, in order to verify the information stored about the file - in particular the file size.

The most secure way of doing this is keeping some sort of checksum or digital signature:

· A checksum (or, better, a cryptographic hash such as SHA-256) is a short number computed from the file's contents; any change to the file changes the number. Checksum programs are not supplied with Windows as standard, but are freely available; some virus checkers will also generate checksums for you, stored as a separate file.
· A digital signature is a hash of the file's contents that has been encrypted with your private key, so that it can only have been produced by someone holding that key.

A checksum can be forged: anyone who can alter the data can simply recompute the checksum to match. A digital signature cannot be forged unless the people modifying the data also have the private key.

Digital signatures can be produced by most PGP encryption programs; the file can be signed and the signature added to the file, or the signature can be detached and stored separately.

The signature or checksum should be kept separately from the data, so that whoever tampers with the back-up cannot also alter the check value to match (a signature cannot be falsified, but it can be destroyed or corrupted to cast doubt on the authenticity of a back-up, so keep a copy of it elsewhere too). By running the signature or checksum against the back-up you can check not only for corruption of the data, but also, where the risk exists, whether any of the data on the back-up has been tampered with.
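The following is an added worked example, not part of the original briefing, of the two checks described above. It builds a manifest of file sizes and SHA-256 hashes over a back-up directory (the 'directory listing kept on a different disk', with a hash added), then shows what happens when a file is altered and the attacker recomputes the unkeyed manifest. In place of a PGP detached signature it uses a keyed tag (HMAC-SHA256) from the Python standard library: like a signature, it cannot be reproduced without the key, which you would store apart from the back-up. The files, key and directory names are constructed for the demonstration.

```python
"""Back-up integrity: an unkeyed hash manifest, and a keyed tag that cannot be forged without the key."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def build_manifest(root):
    """Record size and SHA-256 of every file under root, keyed by relative path."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return manifest


def verify_manifest(root, manifest):
    """Return a list of discrepancies; an empty list means the back-up matches the manifest."""
    current = build_manifest(root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append("missing: " + rel)
        elif current[rel] != expected:
            problems.append("changed: " + rel)
    problems.extend("added: " + rel for rel in current if rel not in manifest)
    return problems


def serialise(manifest):
    """Canonical byte form of a manifest, so the same contents always give the same tag."""
    lines = ["%d %s %s" % (size, digest, rel) for rel, (size, digest) in sorted(manifest.items())]
    return "\n".join(lines).encode("utf-8")


def tag_manifest(manifest, key):
    """Keyed tag over the manifest. An attacker who rewrites the files and recomputes
    the manifest cannot produce a matching tag without the key."""
    return hmac.new(key, serialise(manifest), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    return hmac.compare_digest(tag_manifest(manifest, key), tag)


def demo():
    """Back up two constructed files, tamper with one, then recompute the manifest as an attacker would."""
    with tempfile.TemporaryDirectory() as backup:
        root = Path(backup)
        (root / "minutes.txt").write_bytes(b"Meeting minutes, 3 March 2002\n")
        (root / "contacts.csv").write_bytes(b"name,phone\nA. Person,0000 000000\n")
        key = b"verification key kept on a separate floppy"   # constructed; keep it apart from the back-up

        manifest = build_manifest(root)
        tag = tag_manifest(manifest, key)
        untouched = verify_manifest(root, manifest)            # []

        (root / "minutes.txt").write_bytes(b"Meeting minutes, 3 March 2002 (altered)\n")
        detected = verify_manifest(root, manifest)             # ['changed: minutes.txt']

        forged = build_manifest(root)                          # attacker recomputes the checksums
        return {
            "untouched": untouched,
            "detected": detected,
            "forged_passes_unkeyed_check": verify_manifest(root, forged) == [],       # True
            "forged_passes_keyed_check": manifest_is_authentic(forged, key, tag),     # False
            "original_passes_keyed_check": manifest_is_authentic(manifest, key, tag), # True
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unkeyed manifest catches accidental corruption and casual tampering; only the keyed check catches an attacker who also rewrites the manifest, which is why the key (or, with PGP, the private key) must never be stored on the same medium as the back-up.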

Recovery

You must be able to recover your data. You should also always plan for data recovery not taking place on the computer on which the back-up was made. This has implications for the way that you make your back-ups.

You should always verify your back-up immediately after creating it. Some CDs, for example, can contain errors created as part of the CD burning process. They may not be detected by the CD-RW drive but may prevent the reading of information on an ordinary CD-ROM drive. By reading a newly created back-up in an ordinary drive you ensure that the CD has been correctly created. Problems can also occur with floppy disks because the heads of the disk drive are misaligned. Whilst the floppy disk will work well on the machine it was created from, other floppy drives may be unable to read the whole disk.

The format in which you store data can be very important - file formats become outdated and unreadable, and some forms of data storage are more vulnerable to corruption than others.

If using proprietary file formats (for example word processing files) you should make sure that you are using a widely compatible format. The most recent format of a particular application may make compatibility with other people's systems more difficult. Likewise, using less well-used formats (a particular problem for Linux users) may make compatibility a problem. If you work with a wider community of officers or computer users, you need to arrive at an agreement on what file formats you will use to ensure that data is available to the widest possible number of users.

Data compression, using programs such as PKZip, GNUZIP, etc., is a very useful way of squeezing a lot of data into a smaller space.

There are also high risks involved in using compression:

· If there is a single error in the stored information you can lose all, or a large part, of the compressed data. Compression produces one continuous stream of codes in which each code depends on those before it, so once the decompressor hits the damaged byte it cannot decode anything that follows; and
· With compression you are usually putting many files into one archive. Where an error on the storage medium would otherwise cost you one file, a single error in an archive can cost you every file after the damaged point. Formats such as .tar.gz, which compress the whole set of files as one stream, behave in this way; formats such as ZIP compress each file separately, so damage is usually confined to the one file it falls in, although the archive's index can itself be damaged.
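To show the difference described above, here is an added example (not part of the original briefing) that builds two archives from three constructed sample files, damages a single byte in each, and checks which files can still be read back correctly. It goes slightly beyond the text by contrasting an archive that compresses each file separately (ZIP) with one that compresses everything as one stream (tar.gz); the file names and contents are made up for the demonstration.

```python
"""One damaged byte on the medium: per-file compression (ZIP) versus one stream (tar.gz)."""
import gzip
import io
import struct
import tarfile
import zipfile

# Constructed sample files; repetitive so they compress noticeably.
FILES = {
    "minutes.txt": b"minutes of the January meeting\n" * 40,
    "donors.csv": b"name,amount\nA. Person,10\n" * 40,
    "press.txt": b"draft press release\n" * 40,
}


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue())       # whole tar compressed as a single deflate stream


def flip_byte(blob, offset):
    """Simulate a single damaged byte on the storage medium."""
    damaged = bytearray(blob)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


def zip_data_offset(blob, name):
    """Offset of the first compressed byte of entry `name`: local header is 30 bytes + name + extra field."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        start = zf.getinfo(name).header_offset
    name_len, extra_len = struct.unpack_from("<HH", blob, start + 26)
    return start + 30 + name_len + extra_len


def readable_zip_entries(blob, files):
    """Names of entries whose contents still read back correctly (each entry has its own CRC)."""
    ok = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in files:
            try:
                if zf.read(name) == files[name]:
                    ok.add(name)
            except Exception:          # BadZipFile (CRC mismatch) or zlib.error
                pass
    return ok


def readable_tar_gz_entries(blob, files):
    """Names of members read back correctly before the single stream fails."""
    ok = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
            for member in tf:
                if tf.extractfile(member).read() == files.get(member.name):
                    ok.add(member.name)
    except Exception:                  # ReadError, BadGzipFile, zlib.error, EOFError ...
        pass
    return ok


def demo():
    z = make_zip(FILES)
    z_bad = flip_byte(z, zip_data_offset(z, "minutes.txt") + 4)   # inside the first entry's data
    t = make_tar_gz(FILES)
    t_bad = flip_byte(t, 10 + 12)      # past the 10-byte gzip header, into the deflate stream
    return {
        "zip_intact": readable_zip_entries(z, FILES),
        "zip_damaged": readable_zip_entries(z_bad, FILES),
        "targz_intact": readable_tar_gz_entries(t, FILES),
        "targz_damaged": readable_tar_gz_entries(t_bad, FILES),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, sorted(names))
```

With the ZIP archive only the damaged entry is lost; with the tar.gz the damage early in the stream takes the rest of the archive with it. This is the case for keeping an uncompressed copy of anything you cannot afford to lose.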

Encrypting backed-up data can be very risky. Whilst data encryption represents a very secure way of holding data, it is risky because you always need the following to decrypt your data:

A small file which contains the encryption key (the 'secret' or 'private' key); and/or
A password or passphrase.

For security purposes, always keep your encrypted data, the private key and the password/passphrase separate. If not, the security encryption gives is diminished. If you lose the password or secret key you will never be able to recover the data.

Like compression, encryption works on a continuous stream of data. Some encryption systems (PGP among them) also compress the data before encrypting it, to reduce the size of the file created. A damaged byte in an encrypted file therefore usually means that nothing beyond that point can be recovered, and often that the whole file is rejected when its integrity check fails.

Never, therefore, rely on an encrypted file as your master back-up. Encrypted back-ups are a way of protecting against poor physical security, but you should always try to keep a plain back-up in a more secure location.

Redundancy

The laws of probability dictate that, at some time, your backed-up data will fail. You can minimise the likelihood of this happening, by adopting the 'good practice' tips outlined above. But you must always assume that at sometime your system of backing up will go wrong. To cope with this, keep 'redundant' copies of backed-up data, to be used in the event of a problem with your latest back-up.

There are two ways of keeping redundant back-ups:

· Historical back-ups - this involves keeping a regular back-up of information, but not deleting older back-ups. This is very easy to do with CD-R disks - you just keep backing up to cheap, write-once disks, and keep the older disks in case more recent versions are damaged.
· Duplicate back-ups - this involves copying your back-ups, and storing them in case your primary back-up fails. This means you have to be able to copy your back-up media, or you must back-up twice.

Duplicate back-ups have the advantage of always being more up-to-date than historical back-ups.

If you use CD-Rs to back up, you will effectively make historical back-ups because you will always have the older disks left over from previous back-ups. After a while you will need to carefully dispose of them; or you could use them as off-site back-ups.

Duplicate back-ups take more effort to create. There is also a problem of inheriting errors in the original file. With duplicate back-ups, any error that crops up on your system (either an error with the file or something like a file virus) will always exist in your backed-up data. With historical back-ups you always have the option of going back to find an uncorrupted version of a file.

At other times, for example when creating up-to-date copies for storing off-site, you will need to make copies of back-ups, or back up twice.

In practice it really doesn't matter which option you use - you can choose either, or use both together.

You must evolve your own procedures for backing-up that fit the technological capabilities of your system and your own needs. It doesn't matter how you do it, as long as you do it regularly, the information is stored securely, and the resultant information is usable should you ever need to retrieve it.

Installation disks

So much of backing up relates to the data created by your use of computers. One issue is seldom considered - backing up your system or installation disks.

When you set up your system you install software from floppy disks or CD ROMs. These are important for three reasons:

· If you use or treat them incorrectly, they won't function, and you won't be able to install your software;
· If you lose them, you'll possibly have to replace them, or upgrade, which could involve great expense; and
· If you use them incorrectly you could infect your installation disks with a virus - which then means you may never get rid of it because you will infect your system each time you install those applications.

CD ROMs (unless they are copies of software on re-writable CDs) are immune from virus attack because they can't be written to. However, all magnetic media - for example the floppy 'boot' disk that comes with operating systems, can be infected with viruses. Software that's downloaded from the web as an executable file can also become infected with viruses.

In practice your installation disks are not very vulnerable to casual theft, since the unique registration of the software makes them traceable. But if someone wanted to disable the work of an activist or campaigns group they would not only seek to disable their equipment - they would also take the software disks too. Taking or damaging the software disks makes it far harder for you to start over again because you have to buy new software. For activists, who are often using older systems and old software, this can also mean having to pay for new, more expensive software, because copies of the older systems they were using are difficult to get hold of.

Increasingly, people are downloading software, either as whole programs, or as upgrades or patches for existing systems. All such files should be backed up as soon as you have downloaded them.

The major problem with backing up most software on CD-ROM is the copy protection systems on recent applications and operating systems. Older software, and software based around the Linux operating system does not restrict the creation of back-up copies. But proprietary systems, such as Windows, do not permit copying. There are two options:

· You can try and circumvent the copy protection systems to make your back-up, for example by making an 'image' of the CD-ROM and writing the image to another CD, if you have the software to do this. Not only may this not work with some software, however, but increasingly this type of action is becoming illegal under new copyright laws;

· You could buy another copy of the application, without a licence certificate, from a computer fair or shop; on its own this is technically worthless, because a disk may only be used under a licence. You keep this copy so that, if you ever need a back-up, you can use this disk with the licence you obtained with your primary copy.

The law surrounding the making of back-up copies is vague. The practice for many years was to ignore the taking of back-up copies, provided that the copy was only used when the primary copy was corrupted, and that subsequent use of the back-up was in accordance with the licence for the software. But recent amendments to copyright legislation in many countries now not only make the copying of disks illegal, they also prohibit the use of techniques to circumvent the copy protection systems installed on the disk. This raises the question of how the public are supposed to protect their (often very expensive) software from damage or corruption. Currently the balance has been tipped entirely in favour of software producers.

Passwords and Access Controls

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

This briefing is one of a series on Information Security. It looks at:

· Access control and classifying data
· Passwords and authentication
· Using passwords
· Using passwords to improve security

A summary of access control

Access control

'Access control' is all about ensuring that information is accessible to those who need it, but not to those who do not. This is not always as straightforward as it seems; being too strict about access can deny information to those who need it.

To control access effectively and efficiently you need to think in terms of layers:

· Do not rely on just one or two levels of access which may effectively bar everyone;
· In general, do not prevent access to information or resources unless there is a good reason to. Creating unnecessary barriers will just make additional work and wasted effort.

So, for example, if your computer can dial in to the Internet, it is a good idea to control who uses it - otherwise someone could use your computer to do things on the Internet in your name. But rather than close the whole computer, all you need to do is set up your Internet services for manual connection, rather than leaving your password on the computer and allowing automatic connections. This way other people can use the computer, but you can control who gets access to the Internet through it.

Classifying data

You should seek to classify data according to its sensitivity; you can then manage access on the basis of the sensitivity of the resources or information concerned, and not solely on the basis of whoever has clearance to use the computer.

When considering how to protect the information you hold, remember that access can be controlled by a number of means, but you must always assume that any data held on a computer is vulnerable to disclosure:

· Physical locks, and passwords on the hardware and operating system can be circumvented;
· File locks can be easily circumvented if you have the programs to do this;
· Any machines or networks that are connected to the Internet, especially those machines that are always connected, are vulnerable to having the operating system hacked by others to gain access remotely;
· Any machine connected to a network, is vulnerable to attack by other machines on the network, and especially by any machine used to monitor the traffic sent over the network;
· Encrypted data held on the computer it was encrypted on is not fully secure if you have the encryption keys stored on the same computer; and
· Once a person has access to the hard disk inside your machine, they can copy it, and use other systems to recover data from it.

You can minimise the likelihood of sensitive information being disclosed, but in the face of a determined effort to get at the information you hold you cannot prevent access altogether. For example, a raid by the state will result in your computer, with its encrypted data, being seized, and in many states failure to hand over the encryption key and password can result in imprisonment. In these circumstances you would have to choose between your liberty and disclosing your most secret information.

In terms of controlling access, this leads to three simple rules:

· If information is not in any way sensitive, you only need to control access minimally - this saves the effort of protecting information that does not require control;
· If information is sensitive, but you need to use it regularly, it should be stored on computers that have additional barriers to access - for example using password locks on individual files; and
· If information is extremely sensitive, you shouldn't keep it on the computer at all - there are various options, from keeping the data encrypted on a floppy disk or on a secure server, to fitting the computer with a removable hard disk and swapping it for one containing your most sensitive information that you keep securely hidden (the latter is quite technical to set up, but easy to use for most people).

Passwords and Authentication

Many people do not bother using passwords because the range of passwords can eventually get confusing, and if you make mistakes you are denied access.

Passwords are a means of authenticating access - of proving a permission to undertake some sort of action. There are various forms of authentication in use today:

· Passwords - widely used, from the PIN number on a cash card to long, complex passwords on encryption programs, but the idea is that you have a unique identification based upon a string of letters and/or numbers that grant access to a system;
· Keys or tokens - physical keys, swipe or smart cards, that uniquely validate identity by the possession of them, and grant access to the areas permitted by those keys;
· Biometrics - the automated reading of physical features about you, such as fingerprints, iris scans or facial features, that uniquely identify you, and hence your conditions of your access.

Computers can use all of these methods. Most non-corporate computers use only passwords, although the technology to allow other forms of authentication can be purchased.

In practice, authentication is only of use where the systems are able to effectively implement controls over access. Under the Windows operating system (Windows 95/98/ME etc.) the evolved standard is that only one password is used to log on to the system, but even then this password can be easily circumvented and full access to the system granted. In this sort of environment the strength of your passwords, or the regularity with which you change them, makes very little difference. You can build in security by other means, but even these additional methods can be circumvented by skilled computer users and computer security experts.

There are other options to improve the security of Windows system; for example, using the password protection for word processor files and the files created by many other office-based applications.

But because Windows does not prohibit the running of new software by any user, people may run programs that can use you own computer's resources to 'crack' (break the security of) your Windows passwords, as well as the passwords used to protect the most popular word processor and other files.

You can buy additional security features for Windows, using a variety of authentication systems, but as this is not standard, and it is designed for the corporate environment, it is expensive.

There are also other proprietary products you can buy that provide some extra protection for systems by preventing software being installed, or preventing access to certain areas of the system without a password. But these products have been developed for the business world by computer security companies, and so are expensive.

The most secure, easily available option for use with a Windows system is encrypting files, or setting up an encrypted area on the hard disk. Programs such as PGP Free can do this (see briefing no.4 on PGP Free), and programs like this are available free from a number of sources. Using encryption requires a password to access or decrypt files, so providing an additional layer of security.

Keeping the same password for a long period need not be risky provided it is appropriate for that use. On many systems you may have one password for the hardware booting up, another for logging onto your system, and a third/fourth for going online and getting email. Adding to this burden with more unique passwords, and expecting them to be changed often, creates problems for many people.

The need to change passwords is in fact only related to the probability that others can discover them. For example, if you have a very secure computer, unused by others, in an office of your own, you will not need to change passwords very often. But certain passwords, such as the passwords used to access a network (including the passwords used over the network, such as those to access email or shared files), will need to be changed more regularly because they can be extracted from the network by those with the skills to do so.

Using passwords

As we have seen, passwords are inherently insecure in protecting systems. To be useful they must be memorable, but their strength lies in the fact they are not so simple that they can be guessed or extracted by accident from the user.

The strength of a password is dependent upon its length, and the number of characters in the character set available to the user. Most passwords allow upper and lowercase letters, the numbers 0 to 9 and the underscore ('_') character. Some passwords limit the length of the password, whilst others enforce a minimum length. You should try to find out exactly what characters are permitted in the password to ensure you can improve its strength.

The protection given by passwords, particularly on Internet/network connected machines, is reliant on being able to resist mechanised as well as manual cracking attempts and so the greatest number of possible combinations must always be used. Therefore passwords should not be names, dictionary words, or other information that describes publicly available information about you (birth dates, house numbers, friends, partners, etc.).

For example, using only uppercase letters there are 26 possible characters, so a six-character password has almost 309 million combinations (you can calculate the number of combinations by raising the number of possible characters to the power of the number of characters in the password). If we use all the symbols that can easily be typed on a PC-compatible keyboard there are roughly 96 options, giving over 782 billion six-character combinations. In practice, though, people build passwords from common words, which reduces the number of combinations an attacker has to try to a few tens of thousands (the size of a dictionary). This can be increased by adding numbers and non-alphabetic characters, or by using words from a language other than your own - though cracking wordlists exist for most languages too.
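The arithmetic above gives the theoretical search space; what matters is the space an attacker actually has to search. The following added example (not part of the original briefing) puts the two side by side: the charset-to-the-power-of-length figure from the text, against the number of guesses needed by an attacker who tries dictionary words with a few digits attached. The wordlist is a constructed stand-in of eight words (real cracking lists hold millions), and the guessing rate is an assumption.

```python
"""Search space an attacker actually faces: charset ** length against word-plus-digits guessing."""
import re
import string

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = {"secret", "password", "freedom", "justice", "campaign", "liberty", "office", "summer"}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def naive_keyspace(password):
    """charset ** length, counting only the character classes actually used (the briefing's sum)."""
    charset = sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))
    return charset ** len(password)


def pattern_keyspace(password, wordlist=WORDLIST):
    """Guesses needed by an attacker who tries each wordlist entry as lower-case, Capitalised
    or UPPER-CASE, followed by every digit string up to the length actually used.
    Returns None when the password does not fit that pattern."""
    match = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", password)
    if not match:
        return None
    word, digits = match.groups()
    if word.lower() not in wordlist or word not in (word.lower(), word.capitalize(), word.upper()):
        return None
    digit_strings = sum(10 ** k for k in range(len(digits) + 1))   # '', 0-9, 00-99, ...
    return 3 * len(wordlist) * digit_strings


def effective_keyspace(password, wordlist=WORDLIST):
    """The smaller of the two counts: an attacker takes whichever route is cheaper."""
    naive = naive_keyspace(password)
    patterned = pattern_keyspace(password, wordlist)
    return naive if patterned is None else min(naive, patterned)


def seconds_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second


def compare(password, guesses_per_second=1e6):
    """Both estimates side by side, with the time to exhaust each at an assumed guessing rate."""
    return {
        "naive": naive_keyspace(password),
        "effective": effective_keyspace(password),
        "naive_seconds": seconds_to_exhaust(naive_keyspace(password), guesses_per_second),
        "effective_seconds": seconds_to_exhaust(effective_keyspace(password), guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("SECRET", "secret99", "Liberty2002", "xq7#Lm2v"):
        print(pw, compare(pw))
```

'SECRET' has the 309 million combinations the text calculates, yet falls on the 24th guess against even this eight-word list; 'Liberty2002' looks far stronger by the naive count but is found within a few hundred thousand guesses. Only the random password keeps its full search space.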

There are many hard and fast rules on passwords, but for most people the work involved in meeting all these rigid rules is too onerous. Most people evolve their own rules, according to the sensitivity of the work they undertake, and the way their computer systems are configured. In general:

· Passwords should ideally be a random sequence of alphanumeric characters not less than six characters long (and longer is much better: each extra character multiplies the work of a brute-force search by the size of the character set). If you cannot manage that, be sure to insert at least one number or other non-alphabetic character into any words you use as a password.
· Never use sequential passwords (name of saints, months, record titles, etc.)
· Do not reuse passwords - or not within a year or two of their previous usage
· 'Front line' passwords, such as the passwords to boot up a computer or log on to an operating system, should be replaced every few months where they may be discovered by other people. Otherwise replace them when you feel they need replacing.
· Passwords protected behind other passwords are more secure, and need not be changed as often (but on Windows systems, all files are open to all users, so there's no protection).
· If you have reason to believe that someone has accessed your system without permission or supervision, change your passwords immediately.
· If you have reason to believe that information has been downloaded from your system, you may not only have to change passwords, but you should also change any encryption keys kept on your system.
· Never rely on the file encryption provided with word processors and other programs to be secure when you need to protect very sensitive information - use a proper encryption system such as PGP instead.
· Never discuss passwords in public, on phones, or write them in messages posted via email or snail mail
· Do not use any personal information - names, bank account numbers, phone numbers, car registrations, etc.
· Never use the same password more than once on the same system

Using passwords to improve security

For most computer systems you can use the following tips to improve the security of your system:

· Set the BIOS password - When you switch on a computer you have the option of using a password to prevent the system booting-up. Newer computers have two BIOS passwords, one for the user that allows the system to boot, and one for the 'supervisor' that protects the BIOS settings from being changed. This is one of the simplest ways of protecting a computer because unless the system boots, nothing on the system can be accessed. It is not fully secure, because expert users may know a backdoor password for the BIOS system, and in any case they can access your data by removing the hard disk and inserting it into another computer. But the BIOS password is a good way to prevent access to the data on the computer by non-experts.
· Set up user accounts - On Windows systems the user accounts provide no security, but they are a good way for individual users to segregate their Windows settings, bookmarks, etc.
· For sensitive files, use password locks - Many popular office programs have the ability to scramble the content of files using a very weak form of encryption. This is enabled using a specific function, or by specifying the use of a password when saving a file which must then be provided whenever that file is opened. This provides a moderate level of security when combined with other security measures. But there are a number of programs available that are able to easily break the weak encryption on these files for those that are able to locate and use them.
· For the most sensitive information, use encryption - encryption systems provide the highest level of protection by encoding the file, or the hard disk, using mathematical problems so complex they cannot be unravelled without a key file and your password. For more information see Briefing no.4 on Using Encryption and Digital Signatures

Using Encryption and Digital Signatures

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

What is encryption?

Encryption is a means of encoding information so that it cannot be decoded and read without a 'key'. Computers have revolutionised encryption because they can encode and decode at high speed and encryption programs now come as 'plug-ins' for a lot of common software. They can also use far more complex systems of encryption that are far harder to break.

Older systems of encryption required the transmission not only of the encrypted message but also of the key needed to decrypt it. This is a problem because you must be able to send the key securely to the recipient before they can receive an encrypted message. The problem was solved in the 1980s with a new system called 'public key encryption'. Public key encryption uses two keys: one key, the public key, is used to encrypt the data, and another, the private key, is used to decrypt it. Public key encryption is based on mathematical functions so complex that they cannot be solved without the unique combination of these two keys; it would take an impractical amount of time, even on a supercomputer, to find the solution to the mathematical problem that allows decryption. This means that you can make the 'public' half of the key pair available to anyone to encrypt messages with, because the complexity of the system means that the 'private' key cannot be determined from the content of the public key.

There are various public key encryption systems available. But what determines the strength of these systems is the size of the key; the larger the key, the more secure, because the more computer power it requires to break the message. An early system, called DES (Data Encryption Standard), used a 56-bit key. The number of permutations in a binary 56-bit key is 2 raised to the power 56; a total of 72 million billion combinations. The most common standard today is based around the program Pretty Good Privacy (PGP). This uses a different set of mathematical algorithms that use key lengths from 128-bits to 2048-bits or higher. This gives a huge number of possible combinations; too big a number to sensibly write on this page as a real number.

The flexibility of computers means that cryptographic systems, like PGP, can be used for a number of different purposes to help secure the data held on, or transmitted by, a computer system:

· Messages being sent over the Internet can be encrypted to prevent anyone other than their intended recipient reading them;
· Messages can be routinely 'signed', using a digital signature based around encryption, so that it can be proven that the source of the message is authentic;
· Information on a computer disk can be encrypted to prevent others having access to it, for example if the computer or disk is stolen, without the required password and private key; and
· Encryption systems can be built into communications apparatus, such as telephones or web browsers, to provide encryption of information in real time to prevent interception or eavesdropping of communications.

Even if you don't wish to make your communications secret, some functions enabled by encryption, such as digital signatures, are an immensely useful way of authenticating the source of a message, because of the ease with which digital information can be manipulated, copied or forged. Also, though you may not use encryption to send messages, you may wish to encrypt personal information, or information that you have an obligation to protect under data protection law, such as sensitive customer or professional information.

Using Encryption

Encryption used to be a technical operation. Today using encryption systems is a seamless part of using email or web browsers. The most common encryption program, PGP, comes in a variety of versions. Many of them, such as PGP Free, are available free of charge over the Internet. Some operating systems, such as Linux, usually include PGP or similar programs as standard.

Most recent PGP systems integrate themselves into your computer system. They ask you what email system you use, and install the appropriate 'plug-ins' to provide encryption functions within your email programs and the operating system's desktop. Some versions of these programs also provide the option to encrypt parts of your hard disk, or to encrypt individual files as part of other programs. Most will also allow you to use digital signatures to sign files or email messages.

When you install a program such as PGP you are asked to create your 'key pair', the public and private key, for use in encryption. You can actually use more than one key pair, but this may be a problem if you have trouble remembering the complex passwords required for each key pair. Also, some programs, such as email clients, have problems accepting more than one secret key for encryption.

A key pair is generated using extremely large prime numbers. These form the basis of the keys. But to add a personal lock on the key pair you are also required to provide a password that you must remember, or the key becomes useless. Passwords should be at least eight or ten characters long. But if you use longer passwords the system is more secure (the words of a song or poem can help you remember a longer password more easily).

When you have generated your key pair you can send your public key to your friends, or even post it on a web site if you have one. But you must never disclose your private key, or the password you use with your key pair when decrypting messages. You should also back up your private key to prevent losing it should your computer fail, especially if you use your key to encrypt important files. But you need to back it up in such a way that it can't be easily found (for example, you could print out the private key and hide it in the sleeve of a book - but it is better if you devise your own unique method of physically hiding your keys).

There are various ways in which encryption can aid the use of computers:

Digital signatures

Even if you don't wish to encrypt data, using digital signatures is a very easy means of preventing your identity from being misused on the Internet. The purpose of digital signatures is to provide an encrypted 'digest' of the message alongside the normal copy of the message. Sending a signed message usually involves the same process as sending an encrypted message, but instead you ask the program only to sign the message. This 'signature' is then appended to the end of the file or email message.

When you receive a signed message you ask the program to verify that the message has not been changed. The program does this by decrypting the message signature and comparing the result to a digest of the message body. If the decrypted signature matches the digest of the message you received, the computer gives you the OK.
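As an added illustration (this is not code from the briefing or from PGP itself), the following Python toy shows the mechanics described in the last few sections in one place: a key pair derived from two primes, encryption with the public key and decryption with the private key, and a digital signature made by 'encrypting' a digest of the message with the private key and checked by decrypting it with the public key. The primes 61 and 53, the exponent 17 and the reduction of the SHA-256 digest to fit the tiny modulus are all constructed for illustration; a real key pair uses primes hundreds of digits long plus a padding scheme, and the tiny modulus here is exactly what makes this toy breakable.

```python
import hashlib
from math import gcd

# Toy primes (constructed for illustration only; real key pairs use primes of
# hundreds of digits, which is what stops the private key being recovered
# from the public one).
P, Q = 61, 53


def generate_keypair(p: int = P, q: int = Q, e: int = 17):
    """Return (public_key, private_key); each key is an (exponent, modulus) pair."""
    n = p * q                      # the modulus, shared by both keys
    phi = (p - 1) * (q - 1)        # needed to derive the private exponent
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> list:
    """Encrypt with the PUBLIC key. Each byte is its own block (toy only)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, blocks: list) -> bytes:
    """Decrypt with the PRIVATE key; only its holder can do this."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def digest(message: bytes, n: int) -> int:
    """SHA-256 digest of the message, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: the message digest 'encrypted' with the PRIVATE key."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Decrypt the signature with the PUBLIC key and compare it to a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    text = b"meet at noon"
    blocks = encrypt(pub, text)            # anyone with the public key can do this
    print(decrypt(priv, blocks))           # only the private key holder gets the text back
    sig = sign(priv, text)
    print(verify(pub, text, sig))          # True: untouched message, genuine signature
    print(verify(pub, text, (sig + 1) % pub[1]))  # False: signature altered
```

Because the same modulus is used in both directions, the private exponent undoes the public one and vice versa; that symmetry is why one key pair serves both for confidentiality (encrypt with public, decrypt with private) and for signatures (sign with private, verify with public).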

Secure web services

Web browsers also support encrypted communications under a standard called 'secure sockets'. Secure sockets allows you to give sensitive personal information over the 'Net, such as your credit card number, without people being able to read that data as it travels to its destination. The encrypted secure sockets session is enabled by the web server you are contacting. You can always keep a check on whether or not the session you are using is encrypted because the address you are connected to should be prefixed 'https://' rather than 'http://', and the little padlock graphic in the corner of the screen should be closed rather than open.

Secure sockets does not use a long key - therefore it's not as secure as PGP and other systems that allow you to use longer encryption keys. However, the most likely way that your personal information will be compromised will be through lax security at the computer system you are sending your data to. Therefore when giving your personal information to another system on the 'Net, you should always check first that the system operators have a good reputation for security (a search of the Internet for the name of the company, plus the keywords 'hack', 'crack' or 'security' is a simple, but not foolproof way to do this).

[Figure: How to tell if your browser is using 'secure sockets']

Encrypting disks

Some encryption systems allow you to encrypt areas of your hard disk, to store files more easily in an encrypted form. These provide a secure way of holding information, particularly information that you may use regularly and need to keep secret such as mailing lists and other personal information.

There is a more detailed outline of disk encryption in Briefing 2 on Backing-up Information.

Encryption and security

Encryption can improve security - but only if you take care to protect your secret/private key, and your password. Anyone who does not take steps to secure other areas of their computer, such as setting up a boot password, will not be guaranteed secure encryption.

Setting up hard disk encryption, to keep all data on the computer secure, can be difficult for new computer users. But the effort involved in doing this has to be weighed against the risks to a person's data. For everyday use the signing and encryption of the most sensitive information will be sufficient for most people. But for those who fear that their data on their computer is vulnerable to disclosure, they should install, or get advice on installing, disk encryption.

Computer Viruses

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

This briefing is one of a series on Information Security. It looks at:

· What is a virus?
· How viruses work
· How viruses assimilate your computer
· Basic tips on protection against viruses
· Viruses and Linux

What is a virus?

A virus is an executable programme, a set of instructions that manipulate the functions of your computer's operating system. The early, simple computer viruses consisted of just two commands - firstly a check for a particular condition (be it the date or some other criteria) and then a call to the program that formats the computer's hard disk.

Many of the earlier viruses were transmitted from file-to-file on a computer as people shared files or floppy disks. Today the most common way to catch a virus is via the Internet. But instead of something simple, such as formatting your hard disk, Internet-borne viruses are far more complex. Many will read your email address book and forward themselves, when you next check your email, to all your friends.

'Virus' is actually a generic term for software that is harmful to your system. They spread via disks, or via a network, or via services such as email. Irrespective of how the virus travels, its purpose is to use or damage the resources of your computer. The first viruses were spread as part of computer programs, or by hiding in floppy disks. Most modern viruses are spread by Internet services, in particular email.

The problem with viruses is that the threat is often worse than the reality. For that reason a lot of people have made a lot of money out of hyping viruses and then selling the antidote. For example, many of the X thousand viruses that software companies talk about have never actually entered the real world. They are the result of laboratory tests of particular security problems on computer systems to see if a virus could work in that way. Having established that it could be a problem, they note the particular signature such a virus would have, and that's what the virus checker looks for.

The greatest effect of viruses tends to be not the destruction of data but the consumption of people's time. For example, virus hoaxes spread by email tend to surface every now and again, usually under a title such as 'PEN PAL GREETINGS'. In itself it is the ultimate virus because you consciously spread the panic every time you forward it to your friends. That's the thing about computers - a lot of people don't know how they work, so they are easily deceived. Viruses are not a marginal issue. Some have talked of viruses as a means of checking for security flaws in computer networks and automatically fixing the flaws in the programs. More recently, the US Federal Bureau of Investigation (FBI) has been rumoured to be developing a virus called 'Magic Lantern' that can penetrate computer systems and, under certain conditions, send copies of encryption keys and security information back to the FBI. Therefore computer viruses are not just a threat to a system - they are also a more general security threat.

How viruses work

It is impossible to receive any type of virus in a plain text email message, or in most word processor files, compressed data files (such as PKZip/GZip), database or spreadsheet files - these are not executable programs. The only exception to this is where a file contains Visual Basic or other code as part of a user-defined algorithm or program, or embedded 'object code' that may be executed by the software application.

To make the virus resident in your system you have to actually execute the program. That means:

· You have to run a program from the Internet that is infected with a virus - the solution is to check it with a virus checker first.
· You have to run a program from a floppy disk infected with a virus - again, the solution is to scan the disk with a virus checker first.
· You have to open/run a file in another programming language (Basic, C, etc.) which has a virus written into it - the solution here is to not run any program you don't understand.
· You have to open and use a file in a more advanced word processor or spreadsheet that contains 'object code' or user-defined instructions called 'macros' - the simple solution here is to go into the application's set-up and select the 'disable macros' option.

File viruses, where program code transfers from one file to another, were a problem some years ago but are now in decline. The great problems today are:

· 'macro-viruses', small sections of interpreted code, that are transported as part of emails; and
· worms and trashing programs, that are transported as attachments to emails.

Programs such as Microsoft Outlook are very insecure because they attempt to integrate email into the rest of the operating system. Whilst this is a very useful way of simplifying the operation of the computer for beginners, it is a serious security risk. Virus writers exploit this feature to install their virus on your system. This feature cannot be turned off from Windows, although following the havoc caused by the 'I Love You' virus some companies developed software to block viruses exploiting the flaws in Microsoft Outlook.

When people try to read an email which contains Visual Basic code, Outlook forces the system to interpret the code, and in the process this activates the macro-virus.

Attachments are another problem. When people receive a screen saver or 'promotional program' they will often, because they are not aware of the risk, run the program. But the flaws in the Microsoft system mean that the vast majority of viruses are specific to Microsoft software, and so users of the Macintosh and Linux systems are relatively immune to virus problems.

Any message sent through commonly available email programs is either just plain text or an encoded plain text file. As such it can harbour no executable code, and most operating systems would reject a request to try and execute such a file. So you can't get a virus by reading an email, or exchanging/chopping the text of an email into another application.

The only danger is that you may unknowingly download a programme as part of an attachment to an email. But if you keep your email attachment directory separate from your system files the program cannot be accidentally run unless you specifically request it to be.

How you deal with viruses is also dependent upon your role. This briefing deals with the individual computer user. For users who are part of local networks there are different issues related to networked systems. For example, it is important to prevent a virus accessing one part of the network; therefore the use of floppy disk on networked computers might be restricted. Those who run email servers also have a role to play. Servers can have anti-virus software running with the email server, preventing the transmission of attachments that are known to contain viruses. Internet users should ask if their service provider is blocking viruses at the server, and to install this feature if they are not.

Basic tips on protection against viruses

There are three very simple tips for significantly reducing the risks of having problems with viruses:

· Be cautious when using Internet services:
  · don't click on attachments,
  · turn off macros in Word,
  · turn off Javascript,
  · configure the web browser not to run programs,
  · if possible, don't use Microsoft Outlook (Microsoft Outlook is the least secure of the commonly used email programs);
· If you use Microsoft Outlook get the latest version, or a patch for existing versions, and configure it not to run attachments or programs;
· Use some sort of virus checking software to scan any files that arrive as attachments, or that you receive on disk.

If you have a little more knowledge on the use of computers, the following may be helpful:

· Configure your operating system so that you can see the filename extension - this will allow you to see what type of file it is and identify executable from non-executable files. You should also beware of files that have a double extension, such as 'picture.jpeg.vb'.
· Don't execute any program you receive on floppy disks, or over the Internet, without first scanning it for viruses or checking what instructions the code contains. That includes executable ('.exe'/'.com') files, screen savers ('.scr'), self-extracting executable ('.exe') PKZIP and other archive files, batch ('.bat') files, Visual Basic or script files such as VBScript ('.vbs'/'.bas') and any programs interpreted/compiled from source code files.
· Make sure the 'helpers' or 'settings' part of your Web browser has the switches for '.exe', '.bat', '.doc', '.vbs' etc. (basically, all the file extensions involving potentially infected executable code) set to 'Ask User' (or the equivalent on your browser). Never let your browser automatically execute any program! Set all Java and other plug-in options to 'off' or 'ask'. This can make using the web a little more time consuming, but safer.
· Make sure that the 'boot sector protection' in your BIOS system set-up is turned on to prevent the boot sectors of disks being overwritten if an older-style boot virus installs itself.
· Make sure that the 'boot order' switch in your system set-up is set to 'C: only' (or 'C: A:' if 'C: only' is not permitted) - that way if you turn on with a floppy in the drive it won't execute the boot sector program on the floppy and potentially infect your system.
· Make sure that the attachments downloaded with email are stored in a dedicated directory, and that there is no 'path' statement pointing to that directory (the 'path' statement in the 'autoexec.bat' file informs your system which directories to look in if a requested program cannot be found in the current working directory - it usually says 'path' or 'set path'). The simplest option is to create your own directory, and then make your email program point to it.
· The most effective and simple means of virus protection is a regular full system scan about every few weeks, or following the downloading of a number of programs (that's where the virus software checks every executable file and object code file on your system). Using 'checksums' (that's where the numbers in a file are added up and the result stored, to see later whether any part has been changed) is very effective, but it's not foolproof, and it's really annoying when you recheck because it will flag up many files that have been innocently changed.
· Don't run programs from unverified sources - even if they do check out with a virus scanner. It is very easy to insert a rogue instruction into a program to trash your system and these will not be picked up by a virus scanner.
· Always keep a backup system/boot up disk with virus software installed on it - that way if the system is infected you can boot from the floppy without activating the virus on the hard disk and then clean the system.
· Clean out your system regularly using Scandisk - it cleans up any stray data from your disks, truncated files, etc. Also, keep an eye out for undeleted temporary ('.tmp') files in your system. Virus protection is all about good system management, but it is easier to clean an infected system of viruses if there are no rubbish files stored on your system.
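The first two tips above (look at the real extension, distrust double extensions such as 'picture.jpeg.vb') can be written down as a small filter. The following Python is an added example, not the briefing's own tool: the extension sets are constructed from the file types the briefing names, with '.xls' added as an assumed macro-capable spreadsheet type, and the advice strings are mine.

```python
# Extensions the briefing names as executable or script code (constructed set;
# extend it for your own environment).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "bat", "vbs", "bas", "vb"}
# Document types that can carry macros or 'object code' ('.xls' is an assumption,
# the briefing itself only names '.doc').
MACRO_CAPABLE_EXTENSIONS = {"doc", "xls"}
# Archives are not executable themselves but may hold something that is.
ARCHIVE_EXTENSIONS = {"zip", "gz", "tar"}


def classify_attachment(filename: str) -> dict:
    """Classify an attachment by its LAST extension and flag double-extension disguises."""
    # Lower-case, split on dots, and strip padding spaces so 'photo.jpg      .exe'
    # is read the same way the operating system will read it.
    parts = [p.strip() for p in filename.lower().split(".")]
    exts = [p for p in parts[1:] if p]          # 'picture.jpeg.vb' -> ['jpeg', 'vb']
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTENSIONS:
        kind = "executable"
    elif final in MACRO_CAPABLE_EXTENSIONS:
        kind = "macro-capable document"
    elif final in ARCHIVE_EXTENSIONS:
        kind = "archive"
    else:
        kind = "data"

    # A harmless-looking extension sitting in front of an executable one is the
    # disguise the briefing warns about.
    double_extension = len(exts) >= 2 and kind == "executable"

    if kind == "executable":
        advice = "do not run; scan it, and only run it if you know exactly what it is"
    elif kind == "macro-capable document":
        advice = "open only with macros disabled"
    elif kind == "archive":
        advice = "scan the extracted contents before running anything inside"
    else:
        advice = "not directly executable, but scan it anyway"

    return {"kind": kind, "double_extension": double_extension, "advice": advice}


def triage(filenames) -> dict:
    """Run the classifier over a batch of attachment names."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name, result in triage(["picture.jpeg.vb", "report.doc", "holiday.jpg",
                                "setup.exe", "backup.tar.gz", "photo.jpg      .exe"]).items():
        print(f"{name!r}: {result['kind']}"
              + (" (double extension!)" if result["double_extension"] else "")
              + f" - {result['advice']}")
```

The filter only looks at names, so it complements rather than replaces the virus scan in the third tip: a file called 'notes.txt' can still be a renamed program, which is why the list ends with checksums and full scans.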
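The 'checksum' approach mentioned in the list above works by recording a fingerprint of every file once and later comparing each file against that record. Here is an added example of the idea (not a tool from the briefing), using SHA-256 as the checksum and a constructed temporary directory standing in for the system; the baseline is deliberately kept in a second directory, the equivalent of the briefing's separate boot floppy, so that whatever changes the files cannot also change the record. The walk-through reproduces the drawback the briefing notes: an innocently edited file is flagged just as a tampered program is.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large programs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record a digest for every file under root, keyed by its path relative to root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    """Store the baseline OUTSIDE the scanned tree, or it can be edited along with the files."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_with_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose digest changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed walk-through on a temporary directory standing in for the system."""
    with tempfile.TemporaryDirectory() as scanned, tempfile.TemporaryDirectory() as offline:
        root = Path(scanned)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"MZ original program code")
        (root / "notes.txt").write_text("my notes\n")
        baseline_file = Path(offline) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Later: the program has been altered, the notes were edited innocently,
        # and a new file has appeared. The checksum cannot tell the first two apart.
        (root / "bin" / "tool.exe").write_bytes(b"MZ original program code plus something extra")
        (root / "notes.txt").write_text("my notes, updated\n")
        (root / "new.scr").write_bytes(b"stray screen saver")
        return compare_with_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In practice the baseline is rebuilt after every deliberate change (a software installation, a day's editing) so that the next comparison only shows the changes nobody made on purpose; that housekeeping is the 'really annoying' part the briefing refers to.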

Using the Internet Securely

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

This briefing is one of a series on Information Security. It looks at:

· How the Internet can be used to monitor your online activity.
· Minimising the risks of your online activity being monitored.
· Minimising the risks to your system.
· Privacy and system maintenance.
· Common ways we expose our identity on the Internet.
· Managing disclosure: alternate personas.

The Internet is an open network; any point on the network can be accessed from any other. This is what makes the Internet a publicly accessible mass medium. It also makes using the Internet a security risk - through the information you give out, and through the opportunities it gives other people to impact upon your work.

The Internet presents three main risks, in decreasing order of significance:

· Exposure of Private Information -
When you send email and browse the web, you are not anonymous. You leave logs of what you have done on many servers. People can also put 'taps' on your email connection and record all your incoming and outgoing email and web traffic.
· Damage to your computer -
When you are online or use internet services, you expose your computer to computer viruses and hackers.
· Unwanted public profile -
It is becoming easier to rapidly compile profiles about people and their online behaviour from bringing together information they disclose about themselves as they use the internet.

Organising your information and your computer system well and having a good back-up system are the best ways to protect your system (see especially briefings no.2 on Backing-up Information and no.5 on Computer Viruses). But learning how to work online in a way that protects your information, your identity, and if possible your privacy, is an important part of working securely on the Internet.

How the Internet can be used to monitor your online activity

Connecting a computer to the outside world, through a local network or the Internet, turns it into a potential tool of surveillance.

Sending and receiving private information on the internet is challenging. The process of sending an email is similar to the process of sending a real (physical) letter. Imagine you are sending a real secret letter. If you leave an early draft of the letter at your house, someone might find it. If the postman cares, he might notice who you are sending it to, and how heavy the envelope is. If the postman cares a lot, he might open the letter and read it. The postman will then deliver the letter to the local post office. Again, the post office might record who sent what letter to whom and on which date, and they might even open the letter. Your local post office will send the letter to the post office nearest to the recipient, and finally on to the recipient himself. If the recipient leaves a copy of the letter lying around, it is possible the letter may be discovered.

The risks for email are greater than the risks for real mail. In the above metaphor, your postman is your connection to your Internet Service Provider (ISP). Your post office is where you have your email account, and how you send outgoing mail. The recipient's post office is the recipient's email provider, and the recipient's postman is the recipient's ISP. But it gets worse! In the internet, email providers always, automatically log who sends email to whom. And, by default, our emails are like a postcard - the message itself is easily visible to the postmen and post offices.

Everything you do on the internet goes through your ISP. The default for most internet services is to send everything in 'cleartext'. This means that, for example, the entire contents of your email is visible to anyone with access to your local network or the connection to your ISP. It is also possible for you to protect certain services by setting up automatic encryption of the service. For web-browsing, you can use the secure 'https' protocol instead of the 'http' protocol. 'https' is the standard for all online banking websites and most 'log-in' pages. There are webmail systems that use https as well. If your email service provider has SSL capability, you can 'tunnel' securely past your ISP to receive and send email. This is called POP/SSL and SMTP/SSL. Of course, you still need to trust your email provider to a certain extent.

Briefing 4 in this series explains encryption. It is possible to send emails encrypted with an encryption programme such as PGP. However, this only encrypts the body of the message. The headers, such as 'From', 'To' and 'Subject', are all still visible to your ISP. These headers can be used to monitor the activities of groups or individuals; they enable a watcher to generate a profile of what an individual or group of individuals have been doing together online, what other systems or email addresses they have contacted or have been contacted by, and the times, dates and even locations of when the members of a 'network' communicate.

Here is an example of an encrypted message. You can see that the 'header' information is not encrypted: the header is everything above the '-----BEGIN PGP MESSAGE-----' line, and a lot of information about the message is there in the clear.

Delivered-To: [email protected]
Received: from nfs1.gn.apc.org (nfs1.gn.apc.org [194.202.158.5])
by seven.gn.apc.org (Postfix) with ESMTP id 3BBC23957
for ; Mon, 7 Jan 2002 09:58:52 +0000
(GMT)
Received: from KBLAP.gn.apc.org ([194.202.158.101])
by nfs1.gn.apc.org (8.9.3/8.8.8) with ESMTP id KAA17178
for ; Mon, 7 Jan 2002 10:02:03 GMT
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
To: [email protected]
From: a.person
Subject: Re: [an-email-list] new member
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: [email protected]
Errors-To: [email protected]
X-BeenThere: [email protected]
X-Mailman-Version: 2.0.6
Reply-To: [email protected]
List-Help:
List-Post:
List-Subscribe: ,
List-Id:
List-Unsubscribe: ,

List-Archive:
Date: Mon, 07 Jan 2002 09:59:37 +0000
X-UIDL: 6cc!!S;n"!LjD"!~L-!!

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 7.0.3 for non-commercial use
[armoured ciphertext omitted]
=LZSS
-----END PGP MESSAGE-----
_________________________________________
an-email-list mailing list
[email protected]
http://mailman.greennet.org.uk/mailman/listinfo/an-email-list
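As an added example (not part of the briefing), the Python below parses a message like the one above and collects what an observer on the wire learns even though the body is PGP-encrypted: who wrote to whom, about what, when, with which mail program, and the route the message took. The message embedded in the script is constructed: the hostnames, addresses and ciphertext are placeholders modelled on the example, and only the two IP addresses are taken from it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the briefing's example. Addresses, hostnames
# and the ciphertext line are placeholders; only the IPs come from the page.
SAMPLE_MESSAGE = """\
Received: from nfs1.example.org (nfs1.example.org [194.202.158.5])
\tby seven.example.org (Postfix) with ESMTP id 3BBC23957
\tfor <b.person@example.org>; Mon, 7 Jan 2002 09:58:52 +0000 (GMT)
Received: from KBLAP.example.org ([194.202.158.101])
\tby nfs1.example.org (8.9.3/8.8.8) with ESMTP id KAA17178
\tfor <b.person@example.org>; Mon, 7 Jan 2002 10:02:03 GMT
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
To: an-email-list@example.org
From: a.person@example.org
Subject: Re: [an-email-list] new member
Date: Mon, 07 Jan 2002 09:59:37 +0000
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 7.0.3 for non-commercial use

hQEMA3BsYWNlaG9sZGVyIG5vdCByZWFsIGNpcGhlcnRleHQ=
=LZSS
-----END PGP MESSAGE-----
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Pull relaying host, its IP, receiving host and timestamp out of one Received: header."""
    v = " ".join(value.split())                 # unfold the continuation lines
    from_host = re.search(r"\bfrom\s+(\S+)", v)
    by_host = re.search(r"\bby\s+(\S+)", v)
    ip = IP_RE.search(v)
    stamp = v.rsplit(";", 1)[1].strip() if ";" in v else ""
    return {
        "from": from_host.group(1) if from_host else "",
        "ip": ip.group(1) if ip else "",
        "by": by_host.group(1) if by_host else "",
        "time": stamp,
    }


def traffic_data(raw_message: str) -> dict:
    """Everything a watcher learns from a PGP-encrypted message without any key."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    # Each relay prepends its own Received: line, so the last one is nearest the sender.
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    hops.reverse()
    return {
        "sender": msg["From"],
        "recipient": msg["To"],
        "subject": msg["Subject"],
        "sent_at": parsedate_to_datetime(msg["Date"]),
        "mail_client": msg["X-Mailer"],
        "route": hops,                          # origin first
        "body_readable": "-----BEGIN PGP MESSAGE-----" not in body,
    }


if __name__ == "__main__":
    data = traffic_data(SAMPLE_MESSAGE)
    for key, value in data.items():
        if key == "route":
            for hop in value:
                print(f"  hop: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
        else:
            print(f"{key}: {value}")
```

The 'route' list is the part people forget: the Received: lines name the sending machine and its address, so even a message whose From: line is vague still tells the watcher where it entered the network. Encrypting the body changes none of that, which is the point the briefing makes about 'traffic data'.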

Minimising the risks of your online activity being monitored

There are a lot of online services and software that you can use to improve your privacy.

The next page has a matrix of common tools. This is followed by advice on when to use these tools.

Secure Email

If you are sending and receiving email by your ISP, they can potentially read all your email. This may or may not be acceptable. If security is a concern, there are several options you can consider.

Examples of free, somewhat private web-based email are:

S-Mail - Set up a web-email address with . This system lets you check your email on the web using the fairly secure https protocol. If you send email with s-mail, your ISP will not be able to see what you have sent. However, if the recipient of the email is being monitored, your email may not be secure. If you correspond with people regularly about sensitive issues, you may ask them to get an account on the same system you are using.

Lokmail - As an alternative, if you are emailing someone who uses PGP, you might be interested in . Lokmail is similar to s-mail.com, and lets you access it via https. But it also lets you encrypt your messages to people using PGP. It has a server-side PGP system (that is, Lokmail encrypts your mail, as opposed to you doing so with your mail programme). But this is not as provably secure as using PGP on your local computer.

Common Anonymity, Encryption and Information Management Tools

Columns: Name, Location, Cost, Type, Remarks, Good for / recommended use, Bad for / drawbacks

Encryption

Hushmail
  Cost: Free
  Type: Web based email with encryption
  Remarks: Java-based
  Good for: On the road: email encryption. Emergencies. Recommendation: have an account there.
  Bad for: Only encrypts to other Hushmail users. Slow on dialup.

s-mail
  Cost: Free
  Type: Web based email with encryption
  Remarks: Java-based like Hushmail, but faster, no expiration time and less trustable
  Good for: On the road: email encryption. Emergencies. Recommendation: have an account there.
  Bad for: Only encrypts to other s-mail users. Slow on dialup.

Cotse
  Cost: $5.95/month
  Type: Mail and other privacy tools

Zixmail
  Cost: US$ 24/year
  Type: Encrypted email
  Remarks: Can send private email to users of standard email

LokMail
  Cost: Free
  Type: Web based email with standard PGP encryption
  Remarks: Does not use Java
  Good for: Can send encrypted mail to any PGP user

PGP
  Cost: Free for non-commercial use
  Type: General encryption (email, files)
  Good for: Everyday encryption needs. Recommended for Windows OS.
  Bad for: License required for non-personal use. Moving to a closed product.

GnuPG
  Cost: Free
  Type: General encryption (email, files)
  Remarks: Does not use patented algorithms
  Good for: Everyday encryption needs. Recommended for non-Windows OS.
  Bad for: Windows OS support is basic

Columns: Name, Location, Cost, Type, Remarks, Good for / recommended use, Bad for / drawbacks

Anonymity

Anonymizer.com
  Cost: Tunneling: US$30 / 3 months
  Type: Secure tunneling anonymiser
  Remarks: SSH based solution, so encryption is included
  Good for: Anonymize all kinds of communication (smtp, pop, http, etc). Anonymous publication.

nethush
  Cost: Free (basic); 15 US$/month (gold)
  Type: Web anonymiser
  Remarks: Web browsing only
  Good for: Anonymous web browsing with url encryption. The free version is better than safeproxy.org for web.

Safeproxy.org
  Cost: Free (basic); 5 US$/month (gold)
  Type: Web and (web-based) email anonymizer

TriangleBoy
  Cost: Free
  Type: Network against blocking (censorship)
  Remarks: Peer to peer technology
  Good for: Accessing sites that have been blocked by your ISP

Anonymous remailers
  Location: Changing often. See:
  Cost: Free
  Type: Email anonymizer
  Remarks: Completely email based
  Good for: Offline anonymous email sending

Tools

Cyber Scrub
  Cost: US$ 40 - 60
  Type: File wiper and trace remover
  Remarks: Better evidence deleting than PGP
  Bad for: Only for Windows

APC Rapid Response Network
  Cost: Free
  Type: Mirroring network for threatened content
  Good for: Sites susceptible to censorship

The Freenet Project
  Cost: Free
  Type: Network for publishing content freely / anonymously
  Remarks: Requires proprietary client for publication / browsing
  Bad for: Requires proprietary client for publication and browsing

Various remote file storage tools
  Location: www.globedesk.com, www.freedrive.com, groups.yahoo.com, www.streamload.com
  Cost: Various
  Type: Remote file storage
  Remarks: Yahoo groups offers 20 Mb for free
  Good for: Off-site backups

Spam Mimic
  Cost: Free
  Type: Message hiding (steganography)
  Remarks: Hides short messages in spam-like messages
  Good for: Hiding the existence of a message
  Bad for: Does not really encrypt the message

S-mail and Lokmail are free, easy to use, and fairly secure. However, they are not as provably private as PGP or Hushmail (which is described in the next section). The reason we recommend s-mail instead of Hushmail is that Hushmail terminates free user accounts if they are not used for 3 weeks, and Hushmail takes longer to start than s-mail. If you have very strong security needs, or do not trust s-mail or Lokmail, you should consider using Hushmail's paid service or using the 'Paid, more private' option below.

If you only need to send secure emails every once in a while, but you need very strong encryption, Hushmail is a good option. Hushmail uses very strong encryption, and is easy to set-up and use. But you must pay for the Hushmail service if you require regular, reliable use.

If both you and the person you are communicating with use Hushmail, no one can monitor what you say. However, Hushmail can be slow to use over a dial-up phone line.

Hushmail terminates free accounts if they are not used every 3 weeks. If you want other people to be able to contact you securely, you could subscribe to the paid Hushmail service and advertise your Hushmail email address. You can set your Hushmail account to alert your normal address that you have a new message waiting in your secure Hushmail account.

Another option is paid, private email using clients like Microsoft Outlook, Eudora, or other email programs that can work alongside PGP. PGP is 'the standard' in secure email. PGP uses very strong encryption (see Briefing 4), and your ISP will not be able to unscramble the contents of your messages.

However there are obstacles to using it effectively:

· It can be hard at first to understand how PGP's system of public and private keys works.
· It is sometimes difficult for your communication partners to use PGP.
· Even if you both use PGP, your 'traffic data' of From/To/Subject is still visible to anyone watching your internet traffic, as is the fact that you are using PGP. By looking at this traffic data, anyone watching will be able to see who you are emailing, what the subject is, and that you are using PGP. Who you are emailing is often important information for those monitoring your activities.

To avoid the last problem, you need to use POP/SSL and SMTP/SSL to email providers that you trust not to divulge your traffic data. There are many web-hosting and email providers who offer POP/SSL and SMTP/SSL as part of a web-hosting package. If your email providers accept SSL connections, it is quite simple to set your email client options to use this functionality.
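The two points above (PGP leaves the From/To/Subject headers in clear, and POP/SSL or SMTP/SSL is what hides them from anyone between you and your provider) can be checked directly. The following is an added example and not part of the briefing: it takes a constructed PGP/MIME message, lists the headers that remain readable on the wire, confirms that the Content-Type itself announces PGP, and builds the certificate-verifying TLS context a mail client would use. The hostname and credentials in the last function are placeholders.

```python
import email
import poplib
import ssl
from email import policy

# Constructed PGP/MIME message as it travels between mail servers. The
# ciphertext is a placeholder string, not real PGP output.
SAMPLE_ENCRYPTED_MAIL = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting notes
Date: Mon, 04 Mar 2002 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="sep"

--sep
Content-Type: application/pgp-encrypted

Version: 1

--sep
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT-NOT-REAL-PGP-OUTPUT
-----END PGP MESSAGE-----
--sep--
"""

TRAFFIC_HEADERS = ("From", "To", "Subject", "Date")

def visible_traffic_data(raw):
    """Headers readable by anyone on the path, and whether PGP is in use.

    PGP protects only the body part: the envelope headers are sent in clear,
    and the Content-Type announces that the message is PGP-encrypted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    exposed = {h: str(msg[h]) for h in TRAFFIC_HEADERS if msg[h] is not None}
    uses_pgp = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    return exposed, uses_pgp

def body_leaks(raw, secret):
    """True if a phrase from the plaintext is readable in the wire format."""
    return secret in raw

def make_tls_context():
    """Context for POP3_SSL / SMTP_SSL: certificate and hostname are verified,
    so the headers above are seen only by you and your provider."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def mailbox_size_over_tls(host, user, password):
    """Usage sketch for a provider offering POP/SSL on port 995. Hostname and
    credentials are placeholders; this function is not called in this file."""
    conn = poplib.POP3_SSL(host, 995, context=make_tls_context())
    conn.user(user)
    conn.pass_(password)
    count, _octets = conn.stat()
    conn.quit()
    return count
```

Run `visible_traffic_data(SAMPLE_ENCRYPTED_MAIL)` and the result is the From, To, Subject and Date headers plus the flag that PGP is in use, while `body_leaks` finds nothing of the message text; wrapping the POP or SMTP session in the context from `make_tls_context` is what moves those headers out of the ISP's view, leaving them with the provider you chose to trust.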

The final option is anonymous, private email. Sometimes people need to send an email message and make sure no one can tell who sent it. This is not easy to do.

To get around the problem of traceable email, 'anonymous remailers' have been developed. These receive email with forwarding addresses included and forward the email on to the recipient. It then appears as if the email originated from the remailer, rather than from the person sending it. Some systems also allocate random addresses that allow a reply to be sent back. But, in the last few years, many of these remailers have closed, sometimes because of pressure from law enforcement and security services, but mainly because of legal threats from those who have been attacked or libelled by anonymous email.

Different remailers operate different policies. Some are truly anonymous, and will not log any data that identifies users. Others require you to open an account. Some are free, some charge for the service. Providing a reliable list of anonymous remailers is difficult because their policies may change regularly, and new ones may open as others close. You should search the Internet to find a current list of remailers. You can do this by using a search engine such as Google (http://www.google.com) using the keywords 'anonymous remailers'.

Many remailing/mail forwarding systems now archive the traffic which passes through them in order that messages can be traced back to the point of origin if there are complaints from the authorities. The level of privacy given to logged information will primarily be dictated by the laws on privacy and data protection in the country in which the remailer is located.

Anyone who needs to send email that is totally anonymous needs to become, or seek assistance from, a technical expert. It is easy to make a mistake and expose your identity in 'anonymous' emails. The URL listed in the matrix is a good place to start looking: http://www.sendfakemail.com/~raph/remailer-list.html

Anonymous web servers

Generally, whenever you use the web, two organisations know what sites you visit:

· the sites that you visit record that you visited them
· your ISP can also record what URLs you go to

You can use the web anonymously through anonymous web servers or 'proxy servers'. These stand between you and the server that you are retrieving information from:

· You request a web page from the anonymous server.
· It retrieves the page and so any information logged will be that of the anonymous server, not your own Internet service provider.
· The server will then modify any links in the page before sending it back to you. This means that if you click on any of the links in the page they too will be requested anonymously via the anonymous server, rather than direct to the server you are requesting the page from. Anonymous web servers will also log data in one way or another.

You should carefully check the credentials of the server's operator before using it!
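The three steps above are mechanical enough to show in code. What follows is an added example, not code from the briefing or from any of the services in the matrix: a minimal link-rewriting pass of the kind an anonymising web server performs, together with the access log it keeps. The proxy address `https://anon.example/fetch?url=` and the sample page are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlparse

# Placeholder address of the anonymising server (an assumption, not a real service).
PROXY_BASE = "https://anon.example/fetch?url="

class LinkRewriter(HTMLParser):
    """Pass a fetched page through, rewriting href/src attributes so that
    following any link sends the next request via the proxy again."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.out = []

    def proxied(self, link):
        # Resolve relative links against the origin page first; otherwise
        # "/news/today.html" would be fetched from the proxy host itself.
        absolute = urljoin(self.page_url, link)
        if urlparse(absolute).scheme not in ("http", "https"):
            return link  # mailto:, javascript: and similar are left untouched
        return PROXY_BASE + quote(absolute, safe="")

    def render(self, tag, attrs, self_closing=False):
        parts = [f"<{tag}"]
        for name, value in attrs:
            if value is None:
                parts.append(f" {name}")
                continue
            if name in ("href", "src"):
                value = self.proxied(value)
            parts.append(f' {name}="{value}"')
        parts.append("/>" if self_closing else ">")
        self.out.append("".join(parts))

    def handle_starttag(self, tag, attrs):
        self.render(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self.render(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

def proxy_fetch(page_url, html, client_ip, access_log):
    """What the anonymising server does with one request. The origin site
    only ever sees the proxy; the proxy's own log is where the record of
    who asked for what now lives."""
    access_log.append({"client": client_ip, "url": page_url})
    rewriter = LinkRewriter(page_url)
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out)

# Constructed page as the origin site would return it.
SAMPLE_PAGE = (
    '<html><body><a href="/news/today.html">Today</a> '
    '<a href="https://other.example/page">Elsewhere</a> '
    '<a href="mailto:editor@example.org">Write to us</a> '
    '<img src="logo.png"/></body></html>'
)
```

The `access_log` entry is the point of the warning in the text: the origin site's logs now show the proxy, but the proxy operator has exactly the record your ISP would otherwise have had, which is why their credentials matter. Links with a non-web scheme are passed through unchanged, so a `mailto:` link on a proxied page still exposes the visitor once clicked.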

Anonymous server relay

You should also be aware that even though you can put an anonymising server between you and a point on the Internet, the link between you and the server relay can still be tapped by your ISP.

To avoid being monitored by your ISP, you have to 'tunnel' your link to a secure server. Currently, this is only available via a paid service at . There used to be another tunnelling service called the Freedom Network, developed by Zero Knowledge, but it closed its service in late 2001.

Minimising the risks to your system

Connecting to the Internet, or to a local network, can pose a threat to your system. Your system can run programs without your knowledge; unbeknown to you, they may damage your system or export information to other computers. Managing risks to your system therefore involves using programs that monitor the activity of network connections, and the activity of files or programs that access the Internet. There are two important types of program you should install: a firewall and a virus scanner.

Firewalls

An Internet connection is a two-way channel. Depending upon how your system is configured, your system may receive and process requests for other services via a 'socket' (a socket is the name for an established Internet or network connection). To limit the potential for abuse of the socket you should configure a firewall.

Internet firewalls police what programs are allowed to connect to a network socket. The network could be the Internet, or any local network that you might be connected to.

You personally have to authorise each program to connect to the socket before it is allowed to do so. Therefore any programs that are quietly trying to connect to the Internet in the background, without your intervention, will be blocked, and you will receive a warning message.

The firewall also prevents other computers on the network accessing services on your computer via the socket unless they are authorised to do so. In this way, by controlling what can flow through the socket, you control what data is allowed to flow in and out of your computer.

Firewalls can also protect privacy. As noted above, some programs try to connect to the Internet to transact information, even when you are not using the program. Programs do this by running a small program when the computer starts up. When the program detects that an Internet connection has been made it wakes up the main program to go online. Unless you have given the program permission to use the network or Internet, its attempt to access the socket will trigger a warning from the firewall. You can then deny or allow the program to access the network or Internet. This means that any rogue software, such as a virus, which has installed itself on your system, will not be able to export data from your system without you knowing about it. It also stops the 'spyware' that is increasingly built into proprietary programs in an effort to control the unlicensed use of software.

There are a number of firewalls that are available for Windows machines. Microsoft XP comes with a firewall built-in, but this only works on the incoming stream of data. Therefore programs on your computer can access the 'Net without triggering an alert. This represents a significant security flaw in the system. Most other firewall systems do monitor the outgoing data stream.

There are many free and commercial firewall programs. You can search for 'personal firewall' in a search engine, or go to www.firewallguide.com/ to see some popular ones.

On Linux systems you have many options for configuring a firewall, and most newer Linux distributions do this for you when you set up the computer.
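The rules described above (inbound default-deny, per-program authorisation for outbound connections, a warning when an unknown program tries to reach the network, and the gap left by a firewall that inspects only the incoming stream) are easier to see as a small decision model. This is an added illustration, not code from the briefing or from any firewall product; the traffic it evaluates is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """One attempt to use a socket. For outbound attempts `program` is the
    local process asking to connect; for inbound ones it is the local service
    a remote host is trying to reach."""
    program: str
    direction: str   # "out" or "in"
    remote: str
    port: int

class PersonalFirewall:
    def __init__(self, filter_outbound=True):
        self.allowed_programs = set()   # programs the user has authorised to go online
        self.exposed_ports = set()      # local services remote hosts may reach
        self.filter_outbound = filter_outbound
        self.alerts = []                # warnings that would be shown to the user

    def authorise_program(self, name):
        self.allowed_programs.add(name)

    def expose_service(self, port):
        self.exposed_ports.add(port)

    def decide(self, attempt):
        if attempt.direction == "in":
            # Default deny: nothing reaches a local service unless it was exposed.
            return "allow" if attempt.port in self.exposed_ports else "block"
        if not self.filter_outbound:
            # Inbound-only firewall (the XP case in the text): anything already
            # running on the machine may talk out, and nobody is told.
            return "allow"
        if attempt.program in self.allowed_programs:
            return "allow"
        self.alerts.append(f"{attempt.program} tried to reach {attempt.remote}:{attempt.port}")
        return "block"

def run(firewall, attempts):
    return [(a.program, firewall.decide(a)) for a in attempts]

# Constructed traffic: a browser the user authorised, an unknown program
# phoning home, and two inbound connections from the same remote host.
SAMPLE_ATTEMPTS = [
    Attempt("browser", "out", "198.51.100.7", 443),
    Attempt("updater.exe", "out", "203.0.113.9", 80),
    Attempt("file-sharing", "in", "203.0.113.44", 139),
    Attempt("web-server", "in", "203.0.113.44", 80),
]

def demo(filter_outbound=True):
    fw = PersonalFirewall(filter_outbound)
    fw.authorise_program("browser")
    fw.expose_service(80)
    return run(fw, SAMPLE_ATTEMPTS), fw.alerts
```

With outbound filtering on, `demo()` blocks the unknown updater and records an alert naming it; with `demo(filter_outbound=False)` the same program gets out with no warning at all, which is the flaw the text attributes to a firewall that watches only incoming data.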

Virus scanners

Viruses are a particular problem on Microsoft systems, where they exploit the flaws in Microsoft's programs to infect a computer and spread the infection to other computers inside files or emails. Virus scanners are a means of preventing this by warning you of potential threats to your system.

Virus scanners work by looking for the signature of a virus in a file or email attachment. More advanced systems also check your system, looking for security holes, and attempt to patch the flaws in the system.

If the scanner detects the signature of a virus it quarantines the file or email to prevent it being opened, and provides a warning to the user.

As new security flaws are discovered, and new viruses written, older scanners do not recognise the new viruses. Therefore it is important to regularly update your virus scanning software. The most important way to prevent virus problems is not to use programs that are susceptible to viruses. That means avoiding the Microsoft Outlook email program, and restricting the use of scripting languages such as Visual Basic and Java on your system.
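Signature matching, quarantine and the need for a current signature database, as described in the three paragraphs above, are shown below in an added example that is not code from the briefing or from any scanner product. The signature byte patterns, the database version stamp and the sample email with its attachment are all constructed; a real scanner ships thousands of signatures and cannot recognise anything written after its last update.

```python
import base64
import email
import hashlib
import shutil
import tempfile
from email import policy
from pathlib import Path

# Constructed signature database: name -> byte pattern that identifies the
# virus. The version stamp records when it was last updated.
SIGNATURE_DB_VERSION = "2002-03-01"     # constructed
SIGNATURES = {
    "Demo.Worm.A": b"DEMO-WORM-MARKER-01",
    "Demo.Macro.B": b"Sub AutoOpen()",
}

def scan_bytes(data):
    """Names of every signature found in the data (empty list if clean)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def scan_email(raw):
    """Check each attachment of a message; returns [(filename, [signatures])]."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # undo base64 etc.
        found = scan_bytes(payload)
        if found:
            hits.append((part.get_filename(), found))
    return hits

def quarantine(path, quarantine_dir):
    """Move a flagged file where it will not be opened by accident and note
    its hash in a manifest so it can be identified later without reopening."""
    src, qdir = Path(path), Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    dest = qdir / (src.name + ".quarantined")
    shutil.move(str(src), str(dest))
    with (qdir / "manifest.txt").open("a") as manifest:
        manifest.write(f"{src.name} sha256={digest} db={SIGNATURE_DB_VERSION}\n")
    return dest

def build_sample_mail():
    """Constructed message with one attachment carrying the demo marker."""
    body = base64.b64encode(b"report header DEMO-WORM-MARKER-01 trailer").decode()
    return (
        "From: someone@example.org\r\nTo: you@example.net\r\n"
        "Subject: Re: your document\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="report.doc"\r\n'
        'Content-Disposition: attachment; filename="report.doc"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n--b1--\r\n"
    )

def demo_quarantine():
    """Write a flagged attachment to a temp dir, quarantine it, report outcome."""
    with tempfile.TemporaryDirectory() as d:
        flagged = Path(d) / "report.doc"
        flagged.write_bytes(b"report header DEMO-WORM-MARKER-01 trailer")
        dest = quarantine(flagged, Path(d) / "quarantine")
        return dest.exists(), flagged.exists()
```

`scan_email` decodes the transfer encoding before matching, because a base64-encoded attachment does not contain the signature bytes literally; `quarantine` renames the file so that double-clicking it no longer opens it with its usual program. A pattern absent from `SIGNATURES` is never detected, which is the reason the text gives for updating the scanner regularly.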

Every time Microsoft introduces a new operating system it is necessary to be more vigilant whilst the flaws in the system are discovered and exploited by virus writers.

A simpler alternative is to use a non-Microsoft operating system, such as Apple Macintosh or Linux, which because of their design are far less susceptible to attack by viruses.

Briefing no.5 on Computer Viruses contains detailed information on computer viruses, and how to avoid them.

Privacy and system maintenance

As noted in Briefing no.1 on Information Security (see the Persistence section) it is easy to accumulate data on a system, but sometimes quite hard to remove it.

If you use the Internet your computer will accumulate data about dates, sites and contacts that could be very sensitive.

Managing the information generated as part of your use of the Internet is therefore an important part of privacy online. The greatest threat is that your computer will be accessed, stolen or confiscated, and that the information on it will then be used against you or others. This risk cannot be removed, but it can be reduced by careful management of the system.

Email

Most email programs store data on disk. The exception is web mail, where data is stored on someone else's server (unless you save a copy to your own hard disk). Many email programs also store data separately, mainly in the files attached to an email. Often the directories associated with an email program will become clogged, mainly with useless information, unless you take care to clean them regularly. The emails themselves can also mount up, so take care to regularly tidy the 'in' box and folders of the email system.

Encryption

If you have an encryption program installed, emails that have been encrypted are automatically decrypted and displayed when you open the email.

Beware - file attachments are not automatically encrypted along with an email message. Attached files must be encrypted and decrypted separately, using programs such as PGP Tools (see Briefing no.4 on Using Encryption). If you have sensitive email that has not been encrypted, you might consider saving these emails as text files, and then encrypting the files using your own key, to prevent others having easy access to them.

Web caches

Web browsers, to speed up access time, store the files downloaded from web sites in a 'cache'. This cache varies in size depending upon the configuration of your system. But unless you clean the cache regularly, particularly after doing some particularly sensitive work on the Internet, the cache will provide a detailed record of the information that you have been viewing over the past few days or weeks. It is also possible for web pages to contain information hidden in images or files that are downloaded, but not displayed. These will also be stored in your cache.

Cleaning the cache is therefore a simple way of clearing any data covertly hidden in web pages from your system.

Web history files

The other significant file kept by the web browser is the 'history list'. This is a list of all the pages that have been visited recently.

You may have noticed that on some pages the links you have previously visited are a different colour from the links you have not. This is controlled by the history list. The period after which entries expire is set in the configuration of the web browser. If it is set to thirty days, every page visited over the past thirty days will be listed in the history list. If set to 'never expire', every page that the browser has viewed since it was first used will be available.

You have the option of clearing the history list. You should do this on a regular basis. The browser also keeps a 'bookmarks' file of links. This should be regularly edited, partly to remove any junk. When you no longer need them, remove any reference to sensitive links.

Wiping and deleting files

As noted in Briefing no.1, when you delete files on your system it is really only the reference in an index file that is actually deleted.

Managing your emails and attachments, clearing your browser's cache, or editing the history or bookmarks files is not likely to actually remove these files from the system - it just removes the index entry from the file system.

So, after doing any tidying up of files on your system, you should also clear the free disk space on the system. This can be done simply using utilities such as Scandisk and Defrag on Windows. But to be absolutely sure you need to overwrite the free disk space with new data. There are various programs available to do this, but the most effective are those that come with encryption systems. These overwrite the free space with random information to mask any data that may have been stored on the disk previously and then deleted. For further information see the PGP appendix to Briefing no.4, Using Encryption and Digital Signatures.

Note: To securely delete a file in Windows NT, Windows 2000, or Windows XP, you need to both securely erase the file and also wipe the free space. These operating systems use NTFS, which keeps alternate data streams of deleted files.
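The two operations the paragraphs above call for, overwriting a file's own bytes before deleting it and then overwriting the free space so earlier deletions are masked, are shown in the following added example; it is not code from the briefing or from PGP's wiping tools. The file contents and the temporary directory are constructed, and the free-space routine takes an optional byte cap so it can be tried without filling a disk.

```python
import os
import tempfile
from pathlib import Path

def wipe_file(path, passes=1):
    """Overwrite a file's contents in place with random bytes, flush to disk,
    then unlink it. Returns the total number of bytes written."""
    target = Path(path)
    size = target.stat().st_size
    with open(target, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 64 * 1024))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    target.unlink()
    return size * passes

def wipe_free_space(directory, max_bytes=None, chunk=1024 * 1024):
    """Fill the free space of the filesystem holding `directory` with random
    data, then delete the filler file. With max_bytes=None it runs until the
    disk is full; the cap exists so the routine can be tried safely."""
    filler = Path(directory) / ".wipe_filler"
    written = 0
    try:
        with open(filler, "wb", buffering=0) as f:
            while max_bytes is None or written < max_bytes:
                n = chunk if max_bytes is None else min(chunk, max_bytes - written)
                try:
                    f.write(os.urandom(n))
                except OSError:   # disk full: the free space has been covered
                    break
                written += n
            f.flush()
            os.fsync(f.fileno())
    finally:
        filler.unlink(missing_ok=True)
    return written

def demo_wipe():
    """Constructed run in a temporary directory: returns bytes overwritten,
    whether the file still exists, and bytes of filler written."""
    with tempfile.TemporaryDirectory() as d:
        notes = Path(d) / "notes.txt"
        notes.write_bytes(b"sensitive meeting notes")
        overwritten = wipe_file(notes, passes=2)
        filler = wipe_free_space(d, max_bytes=3 * 1024)
        return overwritten, notes.exists(), filler
```

Overwriting in place only helps when the filesystem writes the new bytes to the same blocks; journaling and copy-on-write filesystems and SSDs with wear levelling may keep the old blocks, which is the practical reason the text points to the wiping and encryption tools that ship together, and why whole-disk encryption is the more reliable answer where it is available.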

Unwanted public profile

Your online public identity is made up of a number of factors:

· You may have an email address. This identifies you as a unique user of a particular computer network; it will identify the particular network that provides your email services, and can act as a pointer as to where further information about you can be obtained.
· You may have a web site. The domain name of the web site, depending upon who registered it, will give away some information about who runs the site. By looking up the numeric address people can also find out who provides your web services, and where they are located.
· You may be a member of an email list, or use Usenet newsgroups. Many of these postings may be archived, long after they were made, and may be accessible through search engines. This makes information about your interest in certain issues, as well as associations with others working on similar issues, openly available.
· As you browse the Internet you will deposit information on computers that uniquely identifies the computer you use. On the web this is managed by small files that are attached to your browser called 'cookies'. These hold small amounts of information about your use of the system, and perhaps also your personal preferences. On other systems you may have to enter your email address, which will then be used as a key to a database to track your use of the system.
· You will probably give information online about yourself in order to have access to services. Much of this information is sold to marketing companies, and is available to those who have the finances to purchase it. Although rarely done because of the costs involved, it is possible to obtain a profile of your online activities by purchasing data from the companies who harvest information from the Internet.

The greatest risk to your security is when all of the information about you is assembled to produce a profile. Hackers or surveillance operatives can gather enough information about you to make the planning of surveillance far easier. Using this information they can map your network of co-workers, identify information about you, your home, and your working habits. By researching the information that you post to the Internet, it may also be possible to gather information about your access to resources, your technical competency, and perhaps identify those who may have an interest in disclosing damaging information about you.

Managing disclosure: Alternate personas

Your identity online can be a liability. You must have an identity in order to access services that require you to register with them before giving you information. As noted above, there is the potential for this information to be used against you, stolen or abused. To solve this problem you should consider creating one or more 'alternate personas' for using the Internet.

Alternate personas are often used by people in web chat rooms. If you keep notes on the information that makes up your alternate persona, it has other uses too. To make an alternate persona you will need to set up:

· A name - this can be an alias, or just an obviously manufactured name;
· A user account - to be sure that your browser/email program gives out the correct information as part of its transactions with other servers you should set up a user account under the new name (but beware, the information embedded in files may still give your main name away);
· An address - this can be difficult to make, as it should not refer to the number or name of a real location, but so long as the address has a valid street name and post code, most systems that validate addresses against postal codes will pass it.
· A new email address - this can be an additional address to your existing account, but you should make sure that your service provider does not provide information that openly associates you with this new address;
· Passwords - you will need to keep passwords that are used by your alternate persona noted down so they don't get confused with others;
· A story or 'legend' - you will need to keep a record of any personal information you create for this persona, such as age, sex, interests, etc., so that you can supply them if required (some services validate access by you being able to enter certain personal attributes).

These details are most easily kept as a file, be it a database or word processor file, that you keep on your computer and can access when required.

The purpose of an alternate persona is not to provide anonymity. It is to provide a means to mask your true identity when using services online that may disclose your personal information to others. This prevents others from accessing data that could be used for something like direct marketing, but also data that could be used to organise surveillance of you.

People pretending to be you via email

The major issue related to the protection of your identity is the securing of your email address. Many people also use web mail - email managed through a web server. Web mail produces a slightly different set of problems, but the principles are much the same.

There are three ways your Internet identity can be 'stolen':

· Information can be posted in your name, supposedly from you, but actually sent from a different address. Many people do not always read the header information that comes with a message, and may believe that the information is from you. One of the easiest ways this can be done is to concoct a message and send it as a forwarded message - so stripping it of the header information that identifies it as unique.
· Email addresses can be forged or 'spoofed'. Email servers do not always have security for outgoing emails (i.e. checking the name of the sender to make sure it is a valid account on their system). This means that the email address can be altered by changing the settings of the outgoing email address. Many email lists only discriminate by email address, and therefore if the name in the email appears to come from you the message will be forwarded to the list. Another problem is that while people will see your email address, they will not always bother to check the header information to make sure the message originated at your email server. Spoofing is a problem because in many countries it is not illegal, as long as the intention in sending the spoofed email was not to defraud the recipient of goods or money.
· Your email account can be taken over. This is far harder to do, because someone must obtain the passwords for your account. But if you do not secure your computer (especially if it is a laptop), it is possible. It may also be done by tricking your service provider into giving your details out over the phone, perhaps using information about you obtained by researching your background, guided by information obtained online. Service providers can be tricked fairly easily; they often do not know their clients personally, only by the information contained on their databases. It is also possible, but far harder, to crack your email server. Either way, these options are illegal in many countries because they constitute unauthorised access to a computer system.

All of these threats, with the exception of poor security on your computer, can easily be dealt with by signing your email with a cryptographic signature (for details, see the briefing no.4 on Using Encryption and Digital Signatures).
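The second point above turns on reading the header information, and in particular on whether the message really came in from a server of the domain shown in the From address. The following added example (not code from the briefing) does that check on two constructed messages as they would arrive at the recipient's own server, `mx.example.net`. The table of which servers legitimately send for a domain is hard-coded here as an assumption; in current practice that information is published in DNS as SPF and DKIM records.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: which mail servers legitimately send for a domain.
TRUSTED_SENDERS = {"example.org": {"mail.example.org"}}

# "from <host> ... by <host>" as written by each relaying server.
RECEIVED_RE = re.compile(r"^from\s+(?P<frm>[^\s(;]+).*?\bby\s+(?P<by>[^\s(;]+)",
                         re.IGNORECASE | re.DOTALL)

def received_hops(raw):
    """(sending host, receiving host) per hop, oldest first. Each server
    prepends its own Received: line, so the lowest header is the first hop."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(str(header).strip())
        if m:
            hops.append((m.group("frm").lower(), m.group("by").lower()))
    return hops

def origin_host(raw, my_server):
    """The host that handed the message to *your* provider's server. A sender
    can forge Received: lines below this one, so only this hop is trusted."""
    for frm, by in received_hops(raw):
        if by == my_server:
            return frm
    return None

def from_domain(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def origin_matches_sender(raw, my_server, trusted=TRUSTED_SENDERS):
    """True when the claimed From domain was handed in by one of its own
    servers; a mismatch is what the text calls a spoofed address."""
    host = origin_host(raw, my_server)
    if host is None:
        return False
    allowed = trusted.get(from_domain(raw), set())
    return any(host == h or host.endswith("." + h) for h in allowed)

# Constructed messages as they arrive at mx.example.net (the recipient's server).
GENUINE_MAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.20]) by imap.example.net; Mon, 04 Mar 2002 10:02:00 +0000
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with ESMTP; Mon, 04 Mar 2002 10:01:00 +0000
From: Alice <alice@example.org>
To: bob@example.net
Subject: Budget figures

Attached as agreed.
"""

SPOOFED_MAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.20]) by imap.example.net; Mon, 04 Mar 2002 11:02:00 +0000
Received: from relay.elsewhere.example (unknown [203.0.113.8]) by mx.example.net with ESMTP; Mon, 04 Mar 2002 11:01:00 +0000
From: Alice <alice@example.org>
To: bob@example.net
Subject: Change of address

Please use this address from now on.
"""
```

The check deliberately reads only the Received line written by your own provider, since everything below it in the header block can be typed in by the sender. It tells you where a message came from, not who wrote it, which is why the paragraph above settles on a cryptographic signature as the remedy.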

Embedded identification

Computers can embed personal information in the files they use. For example, Microsoft Word keeps track of who has written and modified files. Embedded information was originally used as a means of protecting the copyright of programs. Information that has commercial value can also contain embedded information, or digital watermarks that enable its producers to identify who used or produced the data, and therefore whether their intellectual property rights have been abused. Embedded information also provides a means of identifying individuals, storing information about their preferences, or monitoring their use of a service.

Digital watermarks and embedded information are an important issue within the general subject of freedom of conscience and expression. They may threaten our human rights to anonymously engage in dialogue, or to report facts or information anonymously. As computers and software become more complex, and with the increasing commercialisation of the Internet, anonymity is being eroded. A further refinement of embedded information is the online registration of software, where the registration process is controlled by programs created by the software developer. These programs may pass on information about your computer, and the data on it.

For example, the online registration of the Windows 95 operating system resulted in information about the users' computer being transferred to Microsoft's systems. Microsoft's latest operating system, Windows XP, takes this process one step further. It requires that you register online, and that you divulge information about your system, in order to obtain a code that activates your computer. If you make any significant changes to your system following this, your computer will fail to operate. You must then register again, sending a new digest of information about your system to Microsoft. Because it assigns every computer a unique identity, Windows XP can also create a digital fingerprint that could be embedded into files to prove the location of the computer they were created on.

Registered or not, programs may also try to access their developer's computer system when you make an Internet connection. Some programs do this as a means of checking for updates or new offers for that program. But it also means that the program could pass on other information about your use of the computer and the program.

Causing a computer to operate processes without the authority of the user is a crime in many countries. But because for most programs you must click to accept a license agreement, you give assent to these programs commandeering your Internet connection to send data back to their home base.

The main risk from embedded identification is that a report or document you produce, and within which you have deliberately not included any identification, can identify you as its author from the information embedded within the file. Many word processors insert information on the date and time the document was produced, and allow the user to set the name of the author. But even if you clear this information, it is possible that the registration details of the program, including the name, will be encoded within the file.

The simplest way to avoid any risk of embedded information in a file is to use a text file. But if you require some sort of formatting you should use older file formats that carry less information, such as Word 6, or use RTF (rich text format).
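The author, last-modified-by and company fields the paragraphs above describe, and the check that a name is really gone from the file rather than just hidden from the properties dialog, can be demonstrated on today's word-processor format, which is a zip archive of XML parts. This is an added example and not code from the briefing (which predates that format); it builds a minimal constructed package with the metadata parts only, lists the embedded fields, blanks the identifying ones, and then searches every part's raw bytes for the name.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)   # keep the usual prefixes when re-serialising

# Constructed docProps parts of a minimal package (a real file has more parts;
# only the ones carrying metadata matter here).
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
<dc:creator>Jane Example</dc:creator>
<cp:lastModifiedBy>Jane Example</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2002-03-04T10:00:00Z</dcterms:created>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['']}"><Application>Example Writer 6.0</Application><Company>Example NGO</Company></Properties>"""
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Quarterly report, author withheld.</w:t></w:r></w:p></w:body></w:document>"""

def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def list_metadata(docx_bytes):
    """Every non-empty metadata element in the docProps parts, by local name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("docProps/"):
                continue
            for el in ET.fromstring(z.read(name)).iter():
                if el.text and el.text.strip():
                    found[_local(el.tag)] = el.text.strip()
    return found

def strip_metadata(docx_bytes, fields=("creator", "lastModifiedBy", "Company")):
    """Blank the named elements and rebuild the package; other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename.startswith("docProps/"):
                root = ET.fromstring(data)
                for el in root.iter():
                    if _local(el.tag) in fields:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()

def find_string(docx_bytes, needle):
    """Parts of the package whose raw bytes still contain `needle`: the check
    that matters, since clearing the visible fields is not proof on its own."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [name for name in z.namelist() if needle in z.read(name)]
```

`find_string` is the step the text is really recommending: after `strip_metadata` the properties dialog would show no author, but only a byte search across every part of the package shows that the name is gone from the file rather than merely from the fields a user can see. A plain text file, as the paragraph above notes, sidesteps the whole question.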

Living Under Surveillance

Written by Paul Mobbs for the Association for Progressive Communications, March 2002.

This is one of a series of briefings on Participating Safely Online. This briefing covers:

· Surveillance and counter-surveillance
· Official and un-official telephone tapping
· Monitoring mobile phones and post
· Bugs and computer-based surveillance
· Photography, documentation trails
· Tips for basic counter-surveillance

Surveillance and counter-surveillance

Surveillance is the art of monitoring the activities of persons or groups without them knowing they are being monitored. Surveillance has been an intrinsic part of human history. Sun Tzu's The Art of War, written 2,500 years ago, discusses how spies should be used against a person's enemies. But modern electronic and computer technology has given surveillance a whole new means of operation. No longer must it be practised by agents; it can be automated using computers. No longer do people have to be watched: their own activities create records that describe their activities.

Counter surveillance is the practice of avoiding surveillance or making it difficult. Before computer networks, counter surveillance involved avoiding agents and communicating secretly. With the recent development of the Internet and computer databases, counter surveillance has grown. Now counter surveillance involves everything from knowing how to delete a file on a computer to avoiding becoming the target of direct advertising agencies.

The greatest impact of computer-enabled surveillance is the numbers of organisations involved in surveillance operations:

· The state and security services still have the most powerful surveillance systems, because they are enabled under the law. But today levels of state surveillance have increased, and using computers they are now able to draw together many different information sources to produce profiles of persons or groups in society.
· Many large corporations now use various forms of 'passive' surveillance. This is primarily a means of monitoring the activities of staff and for controlling public relations. But some large corporations actively use various forms of surveillance to monitor the activities of activists and campaign groups who may impact their operations.
· Many companies trade in information lawfully, buying and selling it from other companies or local government agencies who collect it. This data is usually bought by companies who wish to use it for marketing or advertising purposes.
· Personal information is obtained by many small groups and individuals. Some of this is for harmless purposes, but increasingly sensitive personal information is being obtained for criminal purposes, such as credit card and other types of fraud.

For those who are peacefully working to change society, surveillance presents a problem. Particularly after the September 11th attack on New York, many states now view political dissent as a problem, and have introduced new laws to strengthen their surveillance powers. Many states have also redefined their legal definition of terrorism to not only include violent acts, but also types of direct action protest. Even where groups have no involvement in violence, states and corporations may try to use information obtained about groups or individuals to discredit their work. As the scope of surveillance increases, it is important that groups and individuals manage their exposure to different types of surveillance to limit the damage it can do to them, or their work.

Modern surveillance cannot be totally avoided. If the state use all of their resources to investigate your activities, they will be able to do so. However, non-state groups may employ surveillance techniques against your organisation, and some precautions can reduce their success.

This briefing explores the means by which the impacts of surveillance may be lessened. This briefing is meant to be used as the basis of discussion, and not as a complete counter-surveillance manual.

Note: In all the forms of surveillance mentioned below, the issue of patterns is important. Although in isolation a single piece of communications data seems useless, when collected together with the communications data of other people it can disclose a lot of information about organisational relationships, work patterns, contacts and personal habits. The collection and processing of communications data is largely automated using computers - hence easy to do.

Telephones

The official tapping of telephone lines

The contracts or licences by which the state controls telephone companies mean that they must provide access for tapping lines to the security services and the police.

When telephone exchanges were mechanical a tap had to be installed by technicians, linking circuits together to route the audio signal from the call. Now that many exchanges are being converted to digital technology installing taps is far simpler, and can be done by installing small plugs, or even by computer. Telephone services provided by cable TV companies are tapped in a similar way.

Unless the tap has been very badly installed, it is not possible to tell if your line is being tapped or not. The noises that some people believe to be telephone taps are really just noise created by the induction of signals from other phone lines. Because the tap is made at the exchange it is very difficult to tell if the line is tapped because there will be no appreciable difference in volume. But irrespective of the tapping of content, communications data will always be collected automatically, and stored for later use by the billing department of your phone company or the security services.

For telephone services run via digital exchanges, the information generated will consist of a list of the phone numbers you have called, the duration of the calls, and perhaps a log of the type of communications media being used (some services send data and voice communications via different routes to conserve bandwidth).

The unofficial tapping of telephone lines

It's also possible to tap conversations unofficially. There are a number of ways to monitor telephone conversations:

· Recording the conversation - the person making/receiving the call records the conversation using a 'telephone pickup coil' attached to the ear-piece, or they fit an in-line tap with a recording output. Both of these are easily available through electrical shops. Most who record telephone conversations, such as journalists, will use the recording for their own private work. But be aware that anything you say to someone you don't know may be recorded and used for other purposes.
· Direct line tap - this is what the state do via the telephone exchange. But unofficial tapping, where the user's line is physically tapped near the house, is also possible. The tap can either involve a direct electrical connection to the line, or a coil placed around the line to pick up the signal inductively. There will be some drop in signal levels because of the loss of power from the line, and it may also generate noise on the line. Direct taps usually require regular maintenance, either to change tapes or replace batteries, which may give away their presence.
· Radio tap - this is like a bug that fits on the telephone line. The state does not normally do this because they have access via the exchange. It can be fitted to one phone inside the house, or outside on the phone line. It may produce noise (you might even get signal feedback down the line with amateur-made equipment) to alert you, but probably not. The unit is powered from the line, so once installed it's maintenance free, and it only transmits when there's a call in progress. However these devices tend to be low-powered because otherwise the drain on the line would become too great. Therefore the receiver has to be installed within a few hundred metres of the tap. Radio taps can be found in the same way as line taps, by checking your line regularly.

To guard against unofficial line taps you should know where your telephone line runs, and perhaps inspect it regularly for new joins, or small wires connected to the line.

Location data and mobile phones

Mobile phones are, in surveillance terms, a major liability. This liability will only increase as the new third-generation (3G) phones are introduced. This is because the base stations will be located closer together.

For mobile phones the major threat is the collection of communications data. This data not only includes information about the time and duration of the call, but also the geographical location where the call was made from and to whom. This data can be determined in general terms because the geographic communications cell that the call was made in is stored with the details of the call. But it is also possible to get greater resolution of a person's location by combining information from a number of cells surrounding the person's location. This additional precision must be specifically enabled by the telephone company - it is not part of ordinary operation. There is no counter-measure against the state/telephone companies doing this.

The old first generation mobile phones could be easily monitored by anyone with a 'scanning all-band receiver' because the system used an analogue transmission system - like an ordinary radio transmitter. The second generation digital phones are harder to monitor because they use a digitally compressed transmission. However the state can tap mobile phones with the co-operation of the phone company. It's also possible for organisations with the correct technical equipment, such as large corporations, to monitor mobile phone communications and decrypt the message. There were proposals for European mobile phones to use stronger encryption, but this was opposed by a number of European states.

Mobile phones can be used anonymously, but it is very expensive to do. Pre-paid mobile phones can be bought without having to give details of your name or address, and because you insert cards there is no billing information. However, once you have been identified as using a certain phone, you can be tracked. So if you require longer-term anonymity it is necessary to regularly change the phone every few days.

Postal services

As more people use faxes and email the significance of the postal system is decreasing (this may not be true in all countries; it is certainly the case for international communications, but probably not for local ones). But interception of post is still very important to the security services.

There is no easy way to know your post is being read. The machines used to sort and stamp letters often rip up items anyway, so damage is no certain indicator that your post is being read.

The simplest counter-measure to stop your post being opened is to put sticky tape along each edge and the seams of the envelope, and then sign the tape with an indelible marker. That prevents all but the most expert tampering.

People used to send floppy disks via the post. Today these files can go easily by email. But CDs of data are still regularly sent by post. To ensure that this data is not open to reading by anyone, even if it's just wrongly delivered, you should encrypt the data and then burn it onto the CD-ROM.

Surveillance devices - 'bugs'

Surveillance devices or 'bugs' are not really a communications medium, but they are a device that requires a communications channel. The idea of a 'bug' usually involves a radio transmitter, but there are many other options for carrying a signal: you can send radio frequencies through the mains wiring of a building and pick them up outside, you can pick up the transmissions from a cordless phone, and you can pick up the data from poorly configured wireless computer networks or tune in to the radio emissions of a computer monitor.

Bugs come in all shapes and sizes. The original purpose of bugs was to relay sound. Today the miniaturisation of electronics has progressed so far that even TV pictures can be broadcast via bugs that incorporate miniature video cameras (something made popular recently during TV coverage of sports events, etc.).

Older bugs used the VHF radio band. Modern bugs, thanks to the developments in electronics for mobile phones, work in the UHF and microwave bands. The use of digital rather than analogue technology means that the most professional bugs can encrypt the output signal, and change the frequency of operation in a pseudo-random pattern to make finding them harder. The range of these bugs varies from a few hundred yards to a few miles. Some of the state's bugging devices are even linked to satellite systems. There is a growing commercial market in surveillance devices such as audio and CCTV bugs, mainly for observing people in the workplace. Officially very little of this equipment is used for spying on the activities of pressure groups - but the potential is there.

Amateur bugs are usually the size of a cigarette packet. Professional bugs can fit into pens, calculators and other commonplace items. Some are only the size of small shirt buttons - but the power and operation life of the smallest bugs is very short.

The devices used by persons or organisations without the funding to buy professional equipment are crude. These devices can be bought from electronics magazines, and designs to build them are available on the Internet. They tend to broadcast in or around the VHF frequency band. They are also fairly bulky because they are made from ordinary electrical components and need a conventional battery power supply. However a well-made amateur bug can be just as effective as a professional one for conducting surveillance.

Another great problem with modern technology is the development of 'wireless' appliances. To be 'wireless' a device must transmit information, either by radio waves or infra-red light, and this potentially makes all the information sent via that link available to others. Radio waves are the worst option, but even infra-red can be picked up through a window. Some wireless devices, such as wireless computer networks, do encrypt transmissions, but the standard forms of encryption are weak.

Wireless devices, be it a wireless keyboard or a wireless telephone, should not be used in any environment where sensitive information is handled.

Bugs emit radio waves. The standard counter-measure for bugs is therefore to 'sweep' for them with a receiver, looking for the radio emissions. Professional sweeping devices are very expensive. There are low-tech sweeping devices available through amateur electrical magazines, or that can be built from circuit designs on the Internet. But sweeping is not foolproof. Advanced bugs can be remotely operated to switch on and off, and some even rapidly switch frequencies according to a pre-determined pattern in order to make location with sweepers more difficult. You may also be bugged but fail to detect it when you sweep because the bug has run out of power.

The other problem is those bugs that do not emit radio waves - they are very difficult to detect. Bugs are a technical solution to a problem - remotely listening to people's conversations. A simpler option is simply to record the conversation on a normal recording machine. There are a number of options for this:

· Pocket sized devices, either worn or carried in baggage, linked to a small microphone that's usually mounted on the surface to pick up the audio. Digital recording devices, such as minidisc or the latest palm-sized camcorders, also give very high quality recordings in a very small device.

· Larger recording devices hidden in the room, for example above suspended ceilings. These are popular in workplaces for monitoring staff.

· Ultra directional microphones. These are like the microphones you see on camcorders, or carried by sound technicians. They are constructed to receive signals only from one direction. The most high-tech directional microphones can eavesdrop on conversations from a hundred metres away or more.

· Laser microphones. These are very expensive and highly technical to operate. You bounce a laser beam off a window, or off some object near the conversation you want to hear that resonates (for example, a picture on a wall). Any object which can resonate/vibrate will do so in response to the pressure waves created by noises present in a room. The electronics detect the minute difference in the distance travelled by the light to pick up this resonance, and reproduce the sound causing that resonance.

If a microphone is hidden in a room it is almost impossible to detect it. This is because it has no radio emission. Very sensitive equipment could be used to look for magnetic fields or electrical noise emanating from the recording equipment. This is because the computerised/digital technology in digital tape recorders emits characteristic electrical noise. But if the place being monitored has lots of computers, photocopiers and other electrical equipment installed that would be very difficult. Older analogue equipment is very difficult to detect.

Computer Surveillance

Computers make excellent surveillance tools because they can do things without their owners knowing about it. At the most basic level, computers are a surveillance tool because you confide your secrets to them. Anyone can then come along and access or remove your computer and retrieve your information. But if someone is able to install software on your system they can turn your computer into a surveillance device.

Getting software onto a computer can be done in three ways:

· You obtain access to the computer directly - this requires that you load a CD or floppy disk into the computer and transfer the programs. This is possible if someone uses your computer for an innocuous purpose, or they gain access whilst you are not there.
· You can receive a computer virus, from an email or an infected file, that can install a program on your computer. This can enable hackers to gain access to your computer, or it can send information such as your encryption keys to security services (a project the US FBI is currently working on).
· Your computer can be hacked when it is online, and rather than damaging it the hacker can install software on the system that enables them to control it, store information on it, or read your private files. This is more of a problem for Internet servers, but computers with a permanently connected broadband line are also susceptible.

The simplest form of access would be via a new, unique computer virus. This is because it may not be picked up by virus scanning software. It could also use the facilities on your system to compile a digest of the information on, and usage of, your computer, and send that back to its base. Whilst access to your system whilst you are online is possible, it would be difficult to arrange because, unless you are online all the time, they will not know precisely when you use the Internet.

To protect against people accessing your computer from the Internet, and also protecting against rogue programs on your computer, you should use a firewall on your network or Internet connection. (refer to Firewalls in briefing 6) This will flag up a warning whenever an unauthorised access takes place. But beware of the Microsoft firewall - it only works on connections going into your computer, so rogue programs can still connect out.
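To show the difference between the two firewall policies described above, here is an added example (not code from the briefing or from any particular firewall product): a simplified host firewall simulator. The program names, the traffic sample and the documentation-range addresses are constructed for the illustration. An inbound-only policy blocks the unsolicited incoming connection but lets a hidden "rogue" program send data out; a policy that also checks outbound connections against a list of known programs blocks it.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    """One connection attempt seen by the host firewall (constructed data)."""
    direction: str   # "in" = towards this computer, "out" = from it
    program: str     # local program that owns the connection ("-" if none)
    remote: str      # remote address
    port: int        # local port for inbound, remote port for outbound


@dataclass
class Firewall:
    """Simplified host firewall: an allow-list for each direction it filters."""
    filter_inbound: bool = True
    filter_outbound: bool = False            # inbound-only: the weak setting
    allowed_ports_in: set = field(default_factory=set)
    allowed_programs_out: set = field(default_factory=set)
    log: list = field(default_factory=list)  # the warnings a user would see

    def decide(self, c: Conn) -> str:
        if c.direction == "in":
            if not self.filter_inbound or c.port in self.allowed_ports_in:
                return "allow"
            self.log.append(f"blocked inbound from {c.remote} to port {c.port}")
            return "block"
        # Outbound: only checked at all when filter_outbound is enabled.
        if not self.filter_outbound or c.program in self.allowed_programs_out:
            return "allow"
        self.log.append(f"blocked outbound by {c.program} to {c.remote}:{c.port}")
        return "block"


# Constructed traffic sample (documentation-range addresses, made-up program names).
TRAFFIC = [
    Conn("in", "-", "203.0.113.5", 139),         # unsolicited inbound connection
    Conn("out", "browser", "198.51.100.7", 80),  # legitimate web browsing
    Conn("out", "rogue", "203.0.113.5", 443),    # hidden program sending data out
]


def inbound_only_firewall() -> Firewall:
    """Policy that inspects only connections coming in."""
    return Firewall(filter_inbound=True, filter_outbound=False)


def two_way_firewall() -> Firewall:
    """Policy that also requires outbound connections to come from known programs."""
    return Firewall(filter_inbound=True, filter_outbound=True,
                    allowed_programs_out={"browser"})


def run(fw: Firewall) -> dict:
    """Return the verdict for each traffic item, keyed by (direction, program)."""
    return {(c.direction, c.program): fw.decide(c) for c in TRAFFIC}


if __name__ == "__main__":
    for name, fw in (("inbound-only", inbound_only_firewall()),
                     ("two-way", two_way_firewall())):
        print(name, run(fw), fw.log)
```

The point of the two-way policy is not the allow-list itself but the warning it produces: a program you did not install trying to connect out is exactly the event the briefing says an inbound-only firewall will never flag.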

Getting access to your computer is the next most likely. This is a real possibility, since you must assume that the types of people engaged in this kind of surveillance, because of the technical barriers involved, are professionals. They are also likely to have the technical capability to gain access to your home or workplace. You should therefore take steps to limit access to your system.

The briefing on Introducing Information Security (no.1) outlines how to protect your information. Perhaps one of the most effective means of preventing opportunistic access, apart from a boot password, is a screen saver with password protection. This is a simple means of preventing access whilst you are away from the computer.

Computer networks are another surveillance problem. Networks operate by sending packets of data to every computer on the network, but only the computer matching the packet address will process that packet of data. Using programs called packet sniffers it is possible to read all the packets that cross the network. Using a packet sniffer it is possible for one computer on the network to intercept all data transactions over the network, or just those for one of the other computers. This again could be done using software installed on the system without the knowledge of the computer's operator. The problem would be extracting the large volumes of information that sniffing packets can generate. But even over a short period of time, packet sniffing could reveal all sorts of information.

One of the lesser known forms of surveillance goes by the name of 'TEMPEST'. Computer monitors and some other digital equipment emit radio waves as the high-powered coils and transistors switch electricity to create the video image. The same type of emissions can be used by TV companies to detect if their programmes are being watched on an ordinary TV without a license being paid. But with better technology, the actual image on the screen of a computer monitor can be captured and displayed.

One solution to the TEMPEST problem is to use a low powered display, such as a laptop computer. But it is possible that these displays could also emit waves that could be resolved to produce an image. The only certain solution to TEMPEST is to shield a monitor, which is a very difficult thing to do, or specifically buy an extremely expensive shielded monitor.

Finally, computers themselves can be tapped physically. For example, it would be possible to bug the keyboard in a way that transmitted the codes of the keys pressed - in this way it is easy to discover the passwords used to start the computer, as well as the passwords for accessing the Internet, email and encryption keys. Anything beyond tapping the keyboard would require taking your computer apart.

Photography

Photography is becoming more valuable as a means of surveillance. In recent years there has been a significant expansion in the level of stills and video photography carried out at public demonstrations in many countries. At the same time there have been advances in closed circuit television (CCTV) technology and computer image processing that enable digital images taken from cameras to be matched with images stored in a database.

Photographs have long been collected as a form of evidence. But as protest and civil disobedience become an ever greater liability to governments and corporations, images are gathered not only as evidence for prosecution, but also as a source of intelligence information. The collection of photographs and video also has another important function - it scares people.

Closed circuit TV (CCTV) - where the picture is viewed or recorded, but not broadcast - initially developed as a means of security for banks. Today it has developed to the point where it is simple and inexpensive enough to be used in home security systems, and for everyday surveillance.

The widespread use of CCTV by the police and governments has developed over the last 10 years. In the UK, cities and towns across the country have installed large numbers of cameras linked to police authorities. The justification for the growth of CCTV in towns is that it deters crime - although there is still no clear evidence that CCTV reduces crime. The recent growth of CCTV in housing areas also raises serious issues about the extent to which CCTV is being used as a social control measure rather than simply a deterrent to crime.

The first CCTV cameras used in public spaces were crude, low definition black and white systems. Modern CCTV cameras use high definition colour cameras that can not only focus to resolve minute detail, but by linking the control of the cameras to a computer, objects can be tracked semi-automatically. For example, they can track movement across a scene where there should be no movement, or they can lock onto a single object in a busy environment and follow it. Being computerised, this tracking process can also work between cameras.

Currently, in some areas of the UK such as London, CCTV is being combined with computer imaging systems to track car number-plates. This is being developed in part as a security measure, or as a means of identifying cars reported stolen. But there is no reason why a network of such cameras could not be used to track the movement of individuals. The proposed road tolling system for London will also rely on reading car number plates to generate billing information - therefore producing a potential source of locational information on persons or groups.

Perhaps the most disturbing extension to this technology is the recognition of faces from high-definition CCTV images. With this technology, it would be possible to determine a person's identity without the need to stop and ask them in the street, or even alert them that their identity is being checked and logged. The systems can check many thousands of faces in a database in under a second.

The latest developments in CCTV and imaging techniques, under way in the UK and USA, are computerised monitoring systems that mean the CCTV operator does not have to endlessly look at all the screens. This also means that an operator can run many more CCTV cameras. These systems do not observe people directly. Instead they track their behaviour by looking for particular types of movement, or particular types of clothing or baggage. In public spaces people behave in set and predictable ways. People who are not part of the 'crowd', for example car thieves, do not behave in the same way. The computer can identify their movements, and alert the operator that they are acting out of the ordinary. Potentially, waiting in a busy street to meet someone could trigger this system.

The same type of system can, if required, go one step further and track an identified individual as they move through the area covered by CCTV. This is currently being developed in the USA as part of the project co-funded by the US Defense Advanced Research Projects Agency. With software tools, the system will be able to develop three-dimensional models of an area and track/monitor the movement of objects within it.

The development of CCTV in public areas, linked to computer databases of people's pictures and identity, presents a serious risk to civil liberties. Potentially you will not be able to meet anonymously in a public place. You will not be able to drive or walk anonymously around a city. Demonstrations or assemblies in public places could be affected as the state would be able to collate lists of those leading them, taking part, or even just talking with protesters in the street.

Documentation trails

Modern society creates huge amounts of data. Every time you use a bank machine, pay by credit card, use a phone card or make a call from home you clock up electronic records of transactions. In the past these would have been called 'paper trails'. But today many of these records are electronic. This information, if obtained by the state, or obtained through unofficial channels (sorting your rubbish/bribing those in charge of keeping the information) can also describe how you live and work.

The scope of the information that can be obtained from paper trails is growing all the time as our lives become more monitored. Once many sources of information are matched as part of intelligence analysis it can produce an insight into your habits, your work, and your hobbies.

The abolition of cash, and the introduction of 'electronic money', could be one of the greatest blows to free expression and free association in modern times. As we move towards the 'cash-less society', all electronic transactions will have to be monitored at an even more intensive rate in order to prevent electronic forgery. There will have to be detailed records of every transaction, and of the two parties involved in that transaction (e.g., you and a shop), in order that every credit and debit can be matched up to ensure that no extra money was plugged into the system. Of course, this will mean that, unless you barter outside of the mainstream system, all transactions will be traceable by the state, and possibly even by large corporations.

One of the greatest freedoms we have is to buy a book, or a newspaper, or to donate money to a cause, and do so with complete anonymity. In a situation where all transactions are electronic, and the information about all transactions must be audited to prevent fraud, that anonymity is lost.

However, the primary problem relating to the use of documents and data is not the state. Compared to how marketing and PR companies assemble data on individuals, the security services could be considered mere beginners. Today a whole web of information is collected by marketing companies in order to sell you things, or determine how companies should run their marketing strategies. Many people unwittingly assist in this. Today you don't have to fill in a survey form to be besieged with junk mail. The details from a whole range of transactions, from credit agreements to the electoral register, are all purchased by market research companies to provide information on the habits of the public as potential customers.

Data profiling

Most of the information described above is generalised - it identifies trends from large quantities of data, and the role of the individual in that is very minor. Data profiling on the other hand is a process whereby someone seeks to get as much information about you as possible - personally - in order to assemble a picture of your specific life and habits.

Data profiling is very important in intelligence operations and has many applications - from deciding whether a person is vulnerable to bribery, through to profiling suspects to decide where they can be apprehended. The state has powers to do this by issuing orders that banks, credit companies or even your employer supply data to them. But even corporations and private investigators can assemble this information if they are well connected. The problem is that a lot of your personal information is not very well protected. This is because, in isolation, small amounts of information are not considered sensitive. But once this information is brought together it can describe in detail the actions, habits and preferences of the individual.

Identities

Identity is an important issue in terms of civil liberties. There are instances when we wish to hide our identity - to remain anonymous - for a whole range of reasons. To eliminate this would be a serious erosion of our civil liberties. This is possible as we move towards the development of 'electronic identities'. There are two aspects to this:

· the development of systems of credentials - where you carry a card or a document; and
· the development of biometrics - where you are recognised from your 'unique' biological characteristics.

The development of identity systems is being pushed on two fronts:

· The banking industry - who wish to find a more foolproof system of verifying financial transactions than the possession of a plastic card or the use of a signature;
· Law enforcement - who want a way of identifying individuals easily, perhaps even when they are unwilling to co-operate.

One of the simplest forms of identification is the carrying of credentials. Some countries have an identity card system to aid identification. Other documents, such as drivers' licences, library cards, bank or credit cards are also used to verify identity. The problem with identity based on credentials is that the individual must carry them, and be identifiable, or face a legal penalty. This problem is compounded if the identity card is 'machine-readable', since in that case it may create a document trail as it is used to verify transactions.

As a means of combating the problem of people carrying or falsifying credentials, researchers are increasingly looking at biometrics - measuring biological or physical characteristics - as a way to determine identity. One of the oldest forms of biometrics is fingerprints. Everyone (identical siblings excepted) has a unique pattern of fingerprints, and these have been used for many years to help identify suspects in police enquiries. A finger/thumb print can be reduced to a brief numeric description, and such systems are being used in banks and secure areas to verify identity.

A more recent development is DNA fingerprinting, which looks at some of the major markers in the body's DNA to produce a match. However, the match produced is less accurate than ordinary fingerprints because it only identifies people to within one family - not the individual themselves.

Handwriting - primarily your signature - has been used for many years to determine identity. However other characteristics of the individual can also be used to check identity. Voice analysis has been used for some time as a means to prove identity - but it is not suited to portable use because of the problems of storing a range of voice prints. But perhaps the two most viable portable systems, because identities can be reduced to a series of numeric data points rather than a detailed image or sound, are:

· Iris recognition. Some banks are now using this method of security. The human iris has an almost unique pattern that can be reduced to a simple series of numeric descriptions. The iris reader matches the pattern of the iris to one stored and verifies the match.
· Facial recognition. The configuration of the facial features can be used to accurately identify one individual from another. Again, the configuration can be reduced to a short numeric description.

By combining some form of personal identifying feature with a system of verification it is possible to do everything from buying food to travelling abroad. The important issue is how this information is managed in order to reduce the likelihood of tracking. If you were to combine a particular biometric system with new smart card technology to store the description, that system would be immune from tracking (unless the transaction produced a document/electronic trail). But if the identifying features are stored centrally, and a whole range of systems have access to those descriptions, it is possible that other uses could be made of the data; for example, using high resolution CCTV images with a database of facial identities in order to identify people at random.
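The two designs contrasted in this paragraph, and the 'numeric description' matching mentioned under iris and facial recognition, can be made concrete with an added example (not code from the briefing or from any real biometric product). The 256-bit templates, the bit-flip noise model, the threshold of 0.32 and the enrolled names are all constructed assumptions; real systems derive their codes from images and tune their thresholds empirically. The point it shows is that 1:1 verification needs only the template the holder carries on a card, whereas 1:N identification needs a central store of everyone's template, which is the precondition for picking people out of a crowd.

```python
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.32   # assumed: largest fraction of differing bits accepted as a match


def make_template(seed: int) -> int:
    """Constructed stand-in for an enrolled iris/face code: a 256-bit pattern."""
    return random.Random(seed).getrandbits(TEMPLATE_BITS)


def noisy_sample(template: int, flips: int, seed: int) -> int:
    """Simulate a fresh capture of the same person by flipping `flips` bits."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def distance(a: int, b: int) -> float:
    """Normalised Hamming distance: 0.0 identical, about 0.5 for unrelated codes."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(sample: int, card_template: int) -> bool:
    """1:1 verification: the only template consulted is the one the holder carries."""
    return distance(sample, card_template) <= MATCH_THRESHOLD


def identify(sample: int, central_store: dict) -> list:
    """1:N identification: search every template held in a central database."""
    return [name for name, tmpl in central_store.items()
            if distance(sample, tmpl) <= MATCH_THRESHOLD]


# Constructed enrolments; a central store like this is what random identification needs.
ENROLLED = {"alice": make_template(1), "bob": make_template(2), "carol": make_template(3)}


def demo() -> dict:
    """A fresh, slightly noisy capture of alice checked both ways."""
    capture = noisy_sample(ENROLLED["alice"], flips=20, seed=99)
    return {
        "alice_card": verify(capture, ENROLLED["alice"]),   # True
        "bob_card": verify(capture, ENROLLED["bob"]),       # False
        "central": identify(capture, ENROLLED),             # ["alice"]
    }


if __name__ == "__main__":
    print(demo())
```

In the card-based design the `identify` function has nothing to search, because no database of templates exists outside the cards themselves; tracking is then only possible if each verification event is itself logged, which is the document trail the paragraph warns about.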

Human operatives and social engineering

The most invasive form of surveillance is the use of human operatives. This takes two forms:

· The use of operatives to infiltrate an organisation; and
· The use of social engineering techniques to obtain information.

In groups dealing with issues that are directly contrary to government policy the issue of infiltration often arises. Also, where groups oppose large corporations, infiltration by agents of the corporation is also feared. As well as operatives, the police and security services may put pressure on certain members of an organisation to disclose the information they hold on other members.

Running operatives is very expensive, and for the state the information recovered from operatives can be obtained from less problematic forms of surveillance. If discovered, it can also be a public relations disaster for the government or corporation involved. For these reasons, the use of operatives to infiltrate organisations is not as widespread as many believe. But infiltration is still very likely from other organisations who are motivated to discover and monitor the work of campaign groups. This may be for political or economic motivations. There are also many informal links between large corporations and police or security services, and the trading of information about groups and activists is part of this relationship.

It is not possible to guard against the infiltration of an organisation without damaging the viability or effectiveness of the organisation. Worrying too much about infiltration can breed mistrust and bad working relationships within an organisation. Rather like other forms of surveillance, the professional infiltration of operatives into an organisation is difficult to guard against.

Another more likely scenario, especially when dealing with the media or corporate public relations, is social engineering. Social engineering is where someone phones you, interviews you, or just talks to you in the street and tries to make you believe they are someone else, or someone with an innocuous interest in you. But their real interest is to obtain some specific information that they believe you possess.

You should develop clear procedures for handling enquiries about your work. For example, one day you get a phone call saying "hi, I'd really like to come on your demonstration against Company X, when is it?", or, "I'm calling for john, he's lost the password for the computer can you give it to me?". You have to guard against the disclosure of information in this way:

Unless you have an extremely good reason to, you should never give any security-related information over the phone, and via the Internet you should encrypt security information.

Social engineering is easily identified by asking a series of questions to see if a person is aware of facts or future plans that they should not have awareness of.

Journalists are a particular problem. Journalists for well known media organisations can be verified by phoning the editor of that organisation, but freelance or independent journalists should be treated with care - they could be working for anyone.

There is of course a balance to be struck here. You need to be able to allow people a certain amount of access to your campaigns. But you also need to preserve the integrity of the group of people most closely involved in the campaign's work. How you arrive at this balance is your own, difficult, problem to resolve. But however it is resolved, it must be agreed between all those involved in a particular issue in order that you have a consistent policy with all those involved.

Personal counter-surveillance

Counter-surveillance is reliant on good information security planning. The briefing on Introducing Information Security (no.1) outlines how to protect your information - including information on counter-surveillance in the workplace. Protecting information is the first stage of counter-surveillance. But counter surveillance must also be seen as a balancing of opposing objectives.

If you are very good at restricting all information, the state or corporations will have problems monitoring you. However, you are also likely to become more isolated and secretive in the process, which may isolate you from the public you are trying to engage. Therefore, like information security, counter-surveillance requires an effort to protect those activities or information that are sensitive, whilst giving less emphasis to those activities that can be open to all.

Information security is primarily based on protecting equipment with security procedures and barriers. Personal counter-surveillance is based on much the same process, but instead you provide security and barriers around your own personal habits. As humans we are creatures of habit. If we exhibit very predictable habits, this makes monitoring of our activities easier. But if on certain occasions we break our habits, it can also give away the fact that we are doing something at that time which is not part of our everyday work.

The best way to begin thinking about avoiding surveillance is to think about breaking the regular patterns in your life. This masks regular activity, so making it harder to practice routine surveillance. But it also masks the times when you may undertake activities out of the ordinary.

Breaking regular patterns does not mean going to bed at different times, or working different hours every day. Instead it requires that any activities you wish to avoid being the subject of surveillance are integrated into the other events in your life - but not to the extent that they become predictable. If you change the route you take to work or to shop on a random basis, you make it more difficult to monitor your movements. If you build irregular appointments into activities that might involve surveillance, it creates a background 'noise' in the pattern of your activities that masks any change in your habits.

Securing the information on your computer will help your overall security. If you have a portable computer you are presented with a whole new problem because you move that system outside of your ordinary systems of security and access barriers. Therefore special care should be taken with portable computers:

· The system should be secured with a BIOS password to prevent booting;
· Use encryption of the hard disk, where possible, to prevent access to the contents of the hard disk if it is removed from the machine;
· You should ensure that your portable computer has different passwords than those used on your static equipment.

Securing your information is fairly easy. But the main issue you will have to deal with when considering personal surveillance is how to carry out meetings, and networking with people, when you need to discuss sensitive issues.

You should not seek to avoid surveillance for issues that have no sensitivity. This of course assumes that sensitive work only constitutes a minor part of your work. The larger the share of your everyday workload that the sensitive parts of your work comprise, the more difficult it will be to hide those activities within the patterns of your everyday life.

Primarily, when dealing with sensitive information, you should avoid generating any kind of documentation or opportunities for surveillance by working systematically to avoid it. As society becomes more highly surveilled, this is becoming more difficult to do. As governments begin to use communications and transactions data as an increasingly significant part of their effort to monitor the activities of their citizens, you should work in a way that does not generate systematic document trails. To do this, you should think about implementing the following as part of your work:

Travel -

· If you are travelling to a sensitive meeting take a different route going there and coming back, and if possible do not use the same bus or station when going to or leaving the location you are travelling to. This lessens the likelihood that your destination will be identified.
· If travelling on sensitive business, try to use public transport. Using your own private car will provide a traceable identity.
· To avoid the CCTV systems in public places move with the crowd; don't rush, don't cut corners, and don't look around for CCTV cameras.
· If you can build in other events/appointments as part of your journey, that will help provide an alternate motive for travelling to that area of a town or city.
· Facial recognition systems work primarily on the configuration of facial features. To work they need to get a good view of the face. Looking at a slight angle towards the ground, and wearing a hat with a brim, helps fool the system.
· If you travel using public transport, roaming tickets are preferable to tickets for a specific journey - they give you more flexibility over the route, and it is more difficult to associate a route travelled with a particular ticket purchase.
· If you have the time available and you can obtain a roaming ticket, build in some extra time to your journey and change trains to make it hard to piece together your journey from CCTV and surveillance sources.
· If travelling in a town, avoid moving through the major shopping areas, or 'controlled environments' such as shopping centres. These have the highest level of CCTV coverage.
· Always assume that public transport vehicles have CCTV installed - travelling during peak hours will help mask your presence.
· To make following you in person or via CCTV more difficult do not wear distinctive clothes or carry distinctive objects - blend in.
· Darkness aids anonymity, but is not a foolproof solution to the latest CCTV cameras which can see in the dark.

Mobile phones -

· If in doubt, turn it off.
· If travelling to a sensitive location, in an urban area do not use your phone within two or three miles of the location, or in rural areas do not use it within ten or fifteen miles of the location. This will prevent the creation of a trail that associates you with that location on that day.
· If the location you are going to is nowhere near a route you regularly travel, turn off your phone before you start your journey there.
· If you desperately need to mask your location, let someone else carry your phone around for the day - but this is only realistic if you take all precautions to prevent generating other document trails whilst you are moving around.

Payments -

· If you are travelling to a sensitive location, don't pay by credit/debit card or take money from a cash machine.
· If you need to spend cash when travelling to/working around a sensitive location, do not spend the notes taken directly from the cash machine (their sequential numbers may be logged). Keep a supply of notes received as change elsewhere and use those.
· If you need to buy something when travelling to/working around a sensitive location, do not give any loyalty cards or personalised money-off tokens as part of your purchases - they are traceable.

Communications -

· If you need to make a sensitive phone call that must not be directly associated with you, do so from a public phone box. But beware, if you are associated with the person at the other end of the call, and the content of their calls (rather than just the data) is being monitored, your location at that date and time will be discovered.
· If using public phone boxes, try to use them randomly across an area rather than the ones that are closest to you. Also, try to avoid phone boxes on direct transport routes to your home or place of work.
· If you wish to send something sensitive through the post, wear gloves to prevent creating fingerprints when producing/packing the item, do not lick the envelope or stamps to prevent creating a DNA sample, and post it in a different location to where you normally post your letters (the further the better) using stamps bought on a different day.
· If you need to send a sensitive fax, use a copy shop/bureau which has a self-service desk.
· If you desperately need to keep in communication, buy a pay-as-you-go mobile phone and only use it for a day or two whilst you are engaged in sensitive work.

Online -

· Maintain a number of alternate personas (see briefing no.6 on Using the Internet Securely) on the Internet that give you access to web mail and other services should you ever need to use them.
· If you need to use the Internet, use a cybercafe, but make sure that you do not access your own Internet services from the cybercafe - use an alternate persona.
· If you need to view material that you do not wish to be associated with as part of the server logs of your Internet service provider, use a cybercafe.
· If you use cybercafes as part of your communications, try not to use the same one.
· If you have a laptop computer, and you wish to mask your location, let someone you trust use it online whilst you are away on sensitive work.

Meetings -

· When organising a private meeting, if you cannot send details to all involved in ways that will not be intercepted, always try to agree on meeting in one location near to the meeting place. You can then direct people to the correct location as they arrive. By keeping the location of a private meeting limited, you lessen the likelihood of the location being surveilled.
· If meeting in the home or building of another person or organisation do not make a phone call from their phone to a number that is identified with you, or from a public phone box near to that building.
· If the people going to a private meeting are likely to have mobile phones, ask them to turn them off before travelling to the meeting place (if all the mobile phones of a group of people are in the same cell at the same time on the same day, it can be assumed that you have had a meeting).
· If you require a private meeting place, do not keep using the same one. Alternate it as much as possible. Also, if you meet in a public place, pick somewhere with a high level of background noise, and with as many obstacles or partitions as possible around the point where you meet, to prevent your conversations from being overheard.
· If you must pay for something whilst having a meeting, use cash. Or, if you cannot, get one person to pay. In this way you will not generate paper trails linking you together.
· Meeting in public spaces, streets, in parks, or on public transport is not a good idea - many of these areas are surveilled by CCTV. But bars, cafes and restaurants tend not to have their CCTV systems linked to a central control room, and what CCTV systems are installed are concentrated around the till.

In conclusion...

There is no foolproof formula for counter surveillance. If the state directs all of its resources to monitoring your every move, they will be able to do so. But as members of a society working to change the organisation of that society peacefully, it is not likely that we will be subjected to the highest levels of state surveillance. Therefore we're not looking to defeat the high-tech, high-cost types of surveillance. We're looking to control our exposure to the everyday types of passive surveillance practised by the state, and the opportunistic actions of corporations who are interested in our activities.

The important rule with counter surveillance is proportionality. Seeking to prevent all surveillance would mark us out as so deviant compared to all other members of society that it would actually attract attention. Instead it is important to apply a level of counter surveillance in proportion to the sensitivity of the information or action involved. In this way we prevent our actions from deviating so far in their patterns from the norm of society as a whole, and the work we wish to protect should slip through un-noticed.

The final issue with counter surveillance is one of justification. We must be able, if challenged, to justify our use of counter surveillance techniques. Otherwise our use of these tactics could be used by the state or security services as evidence of guilt in the conduct of our activities.

We are guaranteed, under human rights conventions, rights to free expression, association and conscience. These rights can only be exercised where we have the ability to interact with others in a way which is not subject to routine surveillance. Today, thanks to digital technology, surveillance has become so pervasive that reaching an environment where it is possible to exercise human rights free from state or private intervention is very difficult. Human rights are subjective. This means that the human rights of someone engaged in social change are interpreted differently from the rights of someone who engages in organising local sporting activities. For those engaged in legitimate and otherwise 'public' social change and protest activity, and who believe that their work is unwelcome to corporations or the state, counter surveillance is a legitimate part of their work in order to exercise their human rights.

Free Documentation License:

Copyright © 2001, 2002 Association for Progressive Communications (APC) and Paul Mobbs. Further contributions, editing and translation by Karen Banks, Michael de Beer, Roman Chumuch, Jim Holland, Marek Hudema, Pavel Prokopenko and Pep Turro. The project to develop this series of briefings was managed by the Association for Progressive Communications, and funded by OSI.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version (see http://www.gnu.org/copyleft/fdl.html for a copy of the license).

Please note that the title of the briefing and the 'free documentation license' section are protected as 'invariant sections' and should not be modified.

For more information about the Participating With Safety project, or if you have questions about the briefings, contact [email protected].
