Chinese military leaders call automation the great equalizer, since its enemies heavily depend upon computers. An effective attack upon their enemy’s IT infrastructure provides an immediate and disproportionate impact which is the core concept of asymmetric warfare.

This asymmetry benefits the attacker, regardless of his motives or methods.

Once you have entered your message and clicked on  SAVE THIS MESSAGE, you will be given a URL to pass on to the recipient.  When the intended recipient reads your message (with or without the password you may have given them) the encrypted message is deleted forever. If you lose the password your message is also lost!

After installing Dropbox on your computer and creating an account you create folders on a Web server that is accessible from all your computers. To sync files with another computer you must download and install the appropriate version of Dropbox for that computer.  Login to the your Dropbox account on all the computers you want to sync. The software will create a new folder on each computer called “Dropbox”. All the folders and files that are copied to that folder are synced to all the other computers. Those files are also available over the Internet using the Dropbox web interface.

Dropbox makes it easy to allow public access to  your files. Inside of your Dropbox folder there is a subfolder called Public. Any folder or file inside of the Public folder is exactly that, public and accessible to the world. A document you need to send to a friend or coworker may be added to the Public folder. Just copy the publicly accessible link and email it to the intended recipient and have them download the document.

Security

Dropbox doesn’t offer encryption for  your data. If they did, the web interface to access your files would be much less useful because you wouldn’t be able to view or download your files directly. Encryption would also make it much more complicated to share files with other people.

The lack of encryption makes this an unwise choice for any work related application.

The following are methods used to obscure Internet traffic and avoid IP blacklists  and content filters.

Use the IP Address

As an example, check out the site baremetal.com where you can look up the IP address of just about any site.  Put that IP address into your browser’s address bar, and it takes you there, bypassing the need to enter a domain name.  This will avoid many implementations of blocking software.  This won’t get past a good content filter and it won’t get past an IP blacklist that includes the IP address you just entered.

Cached Pages

Viewing cached pages will get past most blocking software but it won’t get past a content filter. The content filter doesn’t look at the IP or Domain address, it reads the content for its appropriateness.

Encrypted Connection

Employees can setup their browser so that their web queries go through an encrypted tunnel to an external server which may give them unrestricted online access.  An example would be using the encrypted Google search site at its old address, https://www.google.com/, which was too close to the non-encrypted address.  The new address of https://encrypted.google.com/ allows large organisations like school boards to deny access to this site.  Referrals from a Google search will be invisible to the blocking software.

Just putting HTTPS: in front of the address may get you an encrypted connection to a stripped down version of the Web page.

The HTTPS: connection is the best approach in most cases. However, it is becoming more common for large companies to insert an inline HTTPS proxy in the network to  read and analyze this traffic by creating a man-in-the-middle.

SSH

There is also SSH or encrypted SOCKS whereby users transfer unencrypted traffic over a network through an encrypted channel. SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections.

VPN

Hamachi, an VPN tool for creating direct tunnel to a server (for more on this see Episodes 18 & 19) and Tor, which routes Internet connections through a series of anonymous relays, are the most secure.  These tools were built to protect privacy, but they also hide Internet activity.

Hamachi and Tor obscure Internet traffic with encryption and prevent traffic analysis by IP address.  If the traffic is encrypted with a tool like Tor, then blocking or reading the traffic nearly impossible. Tools like Tor or Hamachi are highly decentralized and peer-to-peer, which makes keeping track of IP addresses an endless battle.

Thou shalt not be afraid for the terror by night; nor for the arrow that flieth by day; Nor for the pestilence that walketh in darkness; nor for the destruction that wasteth at noonday. (Psa 91:6)

I don’t think they were talking about Communication Security (COMSEC) when they wrote that Psalm, but good COMSEC helps avoid terrors that come in the night.

Zfone for VOIP

Zfone  appears to be the lowest cost solution for robust VOIP encryption that you control.

Skype

Calls made over Skype are encrypted by 256-bit long Skype encryption keys are a length that at least in theory, would take a literal eternity to crack. But you don’t have control over the encryption, Skype does.

Oldstyle COMSEC

To avoid an electronic trail, hard copy letters that are distributed via snail mail in a circular rotation might work– these are known as circular letters.  Each letter is given a number, and each addenda that is added is given a letter. Subsequent letters can reference the content of earlier ones, for example, “as mentioned in Letter 2-A”, etc., etc..

This can be modified to include an emailed file that is encrypted and the message sending it digitally signed by each person.  Using nearly anonymous email accounts accessed through TOR would make this very secure.

Forbes.com spoke with Zimmermann about why his company created Zfone which he offers to the public for free. The article is interesting because Zimmermann points-out the intelligence value of traffic analysis, which I mentioned in a previous article. Zfone makes it nearly impossible to eavesdrop on a conversation, but it does not prevent an intelligence service or police service from conducting traffic analysis.

VON Magazine also interviewed Zimmermann in its January 2007 edition about issues surrounding wiretapping and VoIP.

Passwords were the cornerstone of data security. It doesn’t matter if you are signing onto the company LAN, starting your laptop, or receiving email, passwords were required to keep out the thieves and brigands. Well today passwords are obsolete! Today you need a passphrase!

If you take a list of the employees at any company then look at the logon passwords you will find at least one matching an employee’s name. The user’s favorite quotation from The Catcher in the Rye is probably a bad choice for a passphrase as hackers collect lists of favorite passphrases.The best method of choosing passphrases entails a simple prescribed method that produces a memorable passphrase. Without going into the mathematical details, a secure passphrase consists of five words or more. This is where we use the dice.

The Diceware solution involves picking a passphrase using ordinary dice to select words from a word list at random. A five digit number preceeds each word in the list. Each digit is from one to six. If you roll five dice cubes and arrange the cubes to form a row, then you have the number that corresponds to a word in the list. Some lists contain about 8000 words, abbreviations and easy to remember character strings.

If the resulting passphrase consists of 14 or fewer characters and spaces you should start over. Start again when the resulting passphrase is a recognizable sentence.

The advantages to this method of choosing passphrases is:

• Easy to learn and use
• Extremely secure
• Totally prescriptive
• Transparent — you don’t have to “trust” anybody
• Free – no software or hardware required

For more information on the Diceware solution visit The Diceware Passphrase Home Page.

How Investigators and Consultants handle deliverables after the final editing may affect the security of the entire job. Yet they often give the product of their genius to some unknown person for copying and binding, then leave to have lunch. We have all seen this.

Another version of this slipshod security practice is emailing unsecured reports. Or unwarranted reliance on the passwords in Word or PDF files to protect the contents.

Anybody who thinks that file passwords are completely secure should look at this Google Directory for Password Recovery software or this one for PDF Password Crackers. All password systems have weaknesses that can be exploited under some circumstances. Security comes from minimizing the exposure of the password-protected report files to circumstances that could lead to unauthorized access. Knowing the weaknesses of the password system and experience with the tools used to break it form your best defence.

A steganographic message in plaintext is first encrypted, and then a covertext is modified to contain the encrypted message. The recipient can recover and decrypt it if he knows the techniques used to conceal and encrypt the hidden message.

Stories of terrorists using steganographic messages began with USA Today articles written by Jack Kelley, who was fired in 2004 for fabricated stories and inventing sources. Private Investigators have far more mundane uses for steganography.

Steganography is used for “Watermarking” which has taken on a new importance in the digital era. Digital images, video, and text, are all easily copied and illegally distributed. By embedding identifying information in a file, steganography software enables Investigators to control the distribution of, and to verify ownership of their digital information. It essentially conceals copyright and distribution information within digital information. One easy-to-use program for this purpose is wbStego.

However, beware that the more important the steganographic message, the more likely someone will try to remove it. StirMark and other software may remove copyright information from files.