SI 2014 Training
  1. #61
    Join Date
    Sep 2006
    Location
    Offshore
    Posts
    8,124
    Quote Originally Posted by barnetmill View Post
    I am not sure how to wipe the hd of a non-functional computer, but there must be a way like using a strong magnetic field.
    A sledge hammer and a woodchipper.

    http://csrc.nist.gov/publications/ni...00-88_rev1.pdf
    http://www.nsa.gov/ia/_files/governm...ion_Manual.pdf

    When I sold storage devices to various 3-letter US agencies, we never saw any of them back for repair or analysis. Debugging problems was a bit tricky, since we couldn't examine the gear or the problematic data.
    Ceterum autem censeo, Carthaginem esse delendam

  2. #62
    Al Lipscomb Guest
    So you want meaningful security for data you need to move around. Let us say you are doing business overseas and need to transmit some information in a secure manner. Maybe nothing life or death, but lots of money and to some that could become life or death if things go wrong.

    Start with a computer you have 100% control of physically. It does not need to be high end as its role is limited. Epoxy the network port and no wifi. USB ports may be a risk so a DVD reader/burner can be installed if you need to.

    Install an OS on an encrypted disk (whole disk only) and use a very secure pass phrase to unlock it. If you can do two factor authentication, even better. Install an Open PGP compliant product (PGP, GPG) and go somewhere private. Now generate a brand new private/public key pair and secure the private key with a strong pass phrase that is different from what is locking the hard disk.

    The private key will never, ever, ever leave this disk. Ever. Lock everything up when not in use. Your security is no stronger than what is protecting this computer.

    Note the public key's fingerprint and, using a secure channel, distribute it to those you wish to communicate with. Have the key signed by trusted third parties if you need to establish trust with others. For most applications you will need to publish the public key somewhere. For some needs a key server is best, for others hide it on a web site.

    When you need to send data you need to obtain a verified copy of the recipient's public key. This needs to go onto the secure system and is added to the key chain. Create the message and encrypt it using the public key, sign the message as well. The encrypted message can be stored in an ASCII armored file.

    There are many ways to transmit this message. You can use your imagination. You can print the results and send them via the postal service to be scanned in for example. Or include it as a "track" on a music CD, or load it onto an iPod. Someone who has the message won't be able to read it unless they have the private key that matches the public key.

    There are also techniques for protecting the recipient key to offer further protection. You can use "key splitting" to require multiple people to agree to "open" the message for example.

    Remember that if you send an encrypted message you must deal with the original "clear text" message. If you leave a copy of that file lying around you have a weakness. If you don't include yourself as a recipient when encrypting you cannot decrypt the message.

    The shelf life of the message will depend on how long it takes before the encryption can be broken. If someone can get a copy of your private key down the road then the protection is gone. Dispose of obsolete keys when they are no longer needed. Do not "chain" keys by sending the new key as an encrypted key protected by the old key.

    Don't change keys too often as the strength lies in the ability to exchange trusted keys.
    Last edited by Al Lipscomb; 12-10-2011 at 01:37 PM.

  3. #63
    Join Date
    Dec 2005
    Location
    beamed down with the Away Team...
    Posts
    513
    Quote Originally Posted by BillyOblivion View Post
    Do you know of a bank that allows two folks to share an account yet access that account through different credentials?
    Wells Fargo
    There comes a time in every man’s life when he is called upon to do something very special for which he and he alone has the capabilities, has the skills, and has the necessary training. What a pity if the moment finds the man unprepared. —Winston Churchill

  4. #64
    The first thing to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

    Whatever you use in the way of encryption should be open source (i.e. Truecrypt - best on the market and open source).

    Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

    Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.

  5. #65
    Join Date
    Apr 2004
    Location
    Northern Virginia
    Posts
    2,178
    Quote Originally Posted by hernando_mauro View Post
    The first thing to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

    Whatever you use in the way of encryption should be open source (i.e. Truecrypt - best on the market and open source).

    Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

    Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.
    https://tails.boum.org/

    Good place to get a LiveCD system.

  6. #66
    Tag for future reference.
    HONOR
    all else

  7. #67
    Quote Originally Posted by BillyOblivion View Post
    If you're not a computer guy, and don't have a really, really good one on hand you're likely to fuck up something fierce.
    This just about sums it up. I've been doing Security Risk Analysis (I identify and secure IT security risks for companies) for a few years now. It's not as satisfying as LE (I miss LE) but it has its similarities. One thing I've learned is cyber security is just like physical security. There are entities that are smarter and better than you. Even Uber hackers get caught. Don't let yourself fall into the trap of relying on your tech. It's just like buying a gun. If you don't train with it, it is useless to you. You'll be overconfident and think you can't be beat. Until you come up against a professional that knows real violence and you're dead. You can and will get caught if you are worth catching. It's all a matter of time and the motivation of the entity hunting you down.

    That being said, you can create a secure workspace on a flash drive for anonymous browsing and messaging on a public use computer. To create a secure workspace you need:

    • A flash drive.
    • An OS. (preferably a flavor of Linux)
    • Some encryption (PGP) software.
    • A proxy server. You can set up a browser-configured proxy (the best proxies to set up are Anonymous Proxy, Distorting Proxy, or High Anonymity Proxy). Use proxy software such as Tor (my favorite) or you can buy something like Hide-My-IP or GhostSurf. Or simply use a web-based proxy (preferably one based in countries that have no reciprocal agreements, conventions, or extradition treaties with the U.S.)
    • Or just use a web based IP anonymizer such as ninjacloak.com.

    You can set up the same things on a laptop with a WiFi card then use free public WiFi available virtually anywhere. Truck stops, fast food places, public libraries, shopping malls, etc. I can access my local library's WiFi after close parked on the street. College campuses usually have guest logons for visiting students so you can log on without being a student. Pick a location with a lot of people and few cameras. As many posters have already discussed, OPSEC is your weak link, not your tech. Tradecraft (for lack of a better term) is more important than the tech. Your OPSEC has to be good. There are thousands of professionals that are the special forces of tech. You cannot beat them or outsmart them. Time and movement are your only advantages. Or you can use the good guy technique... Don't do anything that would motivate anyone to come after you.

    As a side note: DO NOT USE IP SPOOFING OR "HACKER TOOLS". IP spoofing and a lot of hacking software is illegal (to use, not possess) in most jurisdictions.

    Apologies if this was incoherent. I typed this while working. 2am without any chemical motivation and the brain gets a little fuzzy while trying to multitask. So, if this doesn't contribute to the conversation just ignore it and have a nice day.
    "Fight with your spirit and the sword will follow."

    Stupid can be fatal. DON'T get any on you.

    Robert D
    KD7OPI

    http://teckomando.tripod.com

  8. #68
    Quote Originally Posted by barnetmill View Post
    Additional question is when computers are brought in for repair are there things that the repair tech might do relative stealing information. Are there certain files that should be removed prior to repair. Or should you just wipe the hard drive and have everything newly loaded prior to bringing it in. I am not sure how to wipe the hd of a non-functional computer, but there must be a way like using a strong magnetic field.
    You need a magnet that produces a 20,000 Gauss positive field and a 20,000 Gauss negative field to make the data unrecoverable. DoD grade degaussers are expensive. You can pick up a retrieving magnet with a 150 lb pull from Harbor Freight for around $8 that will work. You would be amazed at what computer forensics techs can recover from what looks like a completely destroyed hard drive. Don't forget to clear your RAM too. For another poor man's degausser use heat. A cutting torch works perfectly. Heat destroys the magnetic field on the plates and they can't get data from slag. There's a company in Fresno that I have used for clients that had hard drive failures and didn't bother with IT industry standards of redundancy. It costs a lot to have them do open plate surgery but they can recover your data if your data is worth hundreds of thousands of $. The gubment can do the same thing.
    "Fight with your spirit and the sword will follow."

    Stupid can be fatal. DON'T get any on you.

    Robert D
    KD7OPI

    http://teckomando.tripod.com

  9. #69
    Al Lipscomb Guest
    Mine in bold.

    Quote Originally Posted by hernando_mauro View Post
    The first thing to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

    The operating system has almost nothing to do with the problem at hand. While the cool guy answer is Linux those of us who work on computer security for a living often use other tools. If your FULL disk is encrypted, you don't need to worry about your swap area.

    Whatever you use in the way of encryption should be open source (i.e. Truecrypt - best on the market and open source).

    Truecrypt is far from the best. It can be useful, but most people don't understand its limitations.

    Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

    Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.
    Putting encrypted files/folders on an encrypted file system is not only a waste of time, but can weaken the protection. TOR is another matter as it is only as secure as the owner of the servers you pass through. Public wifi? Really?

    I can go on.

  10. #70
    Al, I am taking note of your points.

    Could you elaborate on the limitations of truecrypt, not in too much technical depth but in an understandable way, also, what criteria should we be looking for in file/folder encryption software?
    Last edited by hernando_mauro; 06-05-2012 at 04:22 AM.
