Data Security and Online Privacy
Computers at Work
You have information on your computer that you don’t want others to see. Sometimes you want to share information with someone, but you don’t want anyone to know that you are the one sharing it. Let’s say that you came across some information suggesting that your employer may be breaking the law. You want to make this information public, but you can’t do it openly because you will be fired. Another example: you are at work and you need to send a personal, confidential email. You know that your employer is monitoring your emails and you don’t want to share your personal life with your boss.
There are secure, easy-to-use, and absolutely free tools available for download that you can use to ensure the security of your information and your online privacy. Rule number one: don’t keep sensitive personal information on your work PC. Everything you have on that PC – any personal files and emails – can be legally accessed by your employer. Your employer has the right to read any information you send from your work computer. Your employer can read your personal emails even if you are using an external webmail account, as long as you access it from your work PC or via your employer’s network.
Your employer can install a key logger application on your PC without telling you. A key logger will run in the background and it will remember anything you type, including your emails and passwords. You will not see the key logger and you will not be able to stop it. You need to assume that your boss can see anything you are doing on your work computer: what you type, which Web sites you are browsing, the emails you are sending – everything. All this information will be recorded and saved for months and years, until such time as your employer decides to use it against you. When at work you should have no expectation of privacy.
If you need to use a computer at work for personal business, you need to bring your own laptop. This way at least you know that your computer does not have a key logger or any other type of monitoring software installed on it by your employer. The next step is installing encryption software. It is not enough to just encrypt your private files. Let’s say your employer suspects that you are the one leaking compromising information to the press. Your employer filed a lawsuit against you and the judge ordered you to decrypt everything on your personal laptop that you were bringing to work.
Complying with the order will mean a legal victory for your employer; on the other hand, refusing to decrypt your data or deleting the files will land you in jail for contempt of court or obstruction of justice. There is encryption software available that will allow you to avoid such a dilemma. When encrypting your data you are using two different passwords: one password is used to encrypt harmless files, and another password is used to encrypt the data you really want to hide. There is no scientific way of proving that the encrypted file or volume contains two separate layers of encrypted information.
So when you have no choice but to provide your password, you only reveal the password used to encrypt harmless data. While your employer may still suspect that you are using a dual-encryption system, there is no way to prove it. Such a security system is called deniable encryption. The best deniable encryption software available is TrueCrypt. There are versions for Windows, Mac OS, and Linux. It is free and open source, which is always important when it comes to selecting security-related applications.
The best way to use TrueCrypt is to load it on your laptop and your home PC. Then you follow the instructions to create an encrypted volume – a file of predetermined size that can be mounted as a disk device. It is best to keep that file on a removable USB thumb drive. First you mount it using the first password and write some harmless files to the drive. Then you remount it using your second, secret password and now you can write your sensitive data to the drive. If you are pressed to decrypt your data, then you only decrypt the harmless part and nobody will be able to prove that you are hiding something else.
Some employers will rig your Windows workstation to prevent you from running certain applications like TrueCrypt. For example, when you try to mount a TrueCrypt volume, your computer may freeze up. One of the more popular snooping applications used by employers is Permeo Premium Agent. It can prevent you from running applications or accessing certain Web sites. If you have local admin rights on your workstation, go to Control Panel -> Administrative Tools -> Services. Check the list of “Started” services and see if Permeo Premium Agent is running. If it is, double-click on it, stop it, and change startup type to “Disabled”. Again, if you have local admin rights, buy and install ProcessGuard. This useful utility will allow you to control exactly which applications and services are allowed to run on your computer. ProcessGuard is also a great weapon against rootkits and trojans, so you kill two birds with one stone.
When you have your personal laptop connected to a company network, you need to make sure that any personal communications are encrypted before they leave your computer. You can create encrypted files using TrueCrypt and then send them as attachments using your work email system. This approach, however, is risky because it attracts attention. While your employer may not be able to read your encrypted attachments, he can still see who you are talking to. And your employer will be able to keep a history of your emails, which can later be used to show a correlation between your emailing habits and compromising information being published in a local newspaper.
The best way is to use a webmail account that offers HTTPS access and supports encryption. HTTPS is what you use when purchasing stuff online. Any information you enter into a Web form is encrypted by your Web browser before it leaves your computer. This way even if your employer is monitoring your network activity, he will be able to determine neither the content nor the destination of your emails. A good secure webmail service to use is Hushmail. The basic account is free and you have an option to upgrade to a premium account for a monthly fee.
Unfortunately, some employers restrict access to webmail services. If that’s the case, you should try using one of the free anonymous Web proxy services available online. You can find lists of current top free anonymous Web proxies at the following addresses:
Staying Online Anonymously
The problem with anonymous proxy service providers is that a court order may force them to reveal network logs. In many countries, ISPs and other network service providers are required to keep user activity logs for weeks or months. A more sophisticated and far more secure alternative to the anonymous proxies is the free and open-source Tor. This application is available for Windows, Mac OS, and Linux. It will route your online communications in random and convoluted ways – called “onion routing” – that are very difficult to trace. Obviously, this will slow down your Web browsing experience, but it will give you a degree of privacy that can’t be matched even by the premium anonymous proxies.
It is important to remember that Tor and any similar “onion routing” applications do not encrypt the data you send. There is still a way to intercept and track your communications – Tor just makes it very difficult and time-consuming. Even when using Tor, you should still encrypt any sensitive data you are sending. How do you check if Tor is working? When installing Tor, make sure you also install the “Torbutton” – a Firefox plugin that allows you to turn Tor on and off as you are browsing. Restart Firefox, make sure your Tor is disabled (check the lower right-hand corner of your Firefox) and go to whatismyip.com. You will see the actual external IP address of your network. Now enable Tor and refresh the WhatIsMyIP page. You will see that the IP address has changed.
Let’s imagine you want to make certain information public but you don’t want to be identified as the source. Let’s also say that you want this information to be quickly distributed around the Internet so it becomes very difficult to erase. Freenet is a distributed anonymous data storage mechanism that allows people to share sensitive information without the fear of censorship or reprisal. Because all data on the Freenet network is stored in multiple copies on computers all over the world, it is very difficult for someone to erase all the copies.
An even bigger project designed to support whistleblowers is Wikileaks. You can submit your information to Wikileaks anonymously and it will be placed on their Web site for everyone to see. Unlike Freenet, Wikileaks doesn’t just rely on the protection offered by an anonymous distributed network, but also on the proficiency of its legal department in dealing with freedom-of-speech-related matters. In the past few years of its operation, Wikileaks showed unyielding resistance to all attempts at censorship by governments, courts, public organizations, and private individuals.
For the Paranoid
As they say, it’s only paranoia if you are wrong. If the information you want to make public is so sensitive that the KGB’s entire First Chief Directorate will be called back from retirement to track you down, then relying on software tools is not good enough – you need to add a physical security layer. The best way to do this is not to use a network connection that can (even if theoretically) be traced back to you. Find a location that offers free wireless broadband access and use that connection instead. Then leave and never use that network again. While in the neighborhood, don’t talk to anyone, don’t use your credit card, don’t take toll roads, don’t drive your own car, wear dark sunglasses and a fake mustache. Just kidding (or not).
When you connect to a free wireless network, your computer’s name and MAC address will be logged. The computer name is easy enough to change, but the MAC address, while possible to fake, has a tendency to slip through software controls. This quasi-unique number is stored inside your wireless interface card hardware. There is an outside chance that this number can be traced to you via the manufacturer of your computer or your wireless NIC. To deal with this problem, you can just replace the wireless card. Then you will need to scan your registry and log files on your PC (or any other system files) and make sure that the old MAC was not stored anywhere. A better way is to use VMware or a similar application to install a dummy OS on your laptop and delete it after you are done with it.
Matters of Encryption
If you encrypted your data using quality software and chose a good password, breaking the encryption will be incredibly difficult. However, there have been some very impressive advances in the fields of supercomputers and distributed computing. For example, the recently-unveiled Roadrunner – the world’s fastest supercomputer from IBM based on processors used in the Sony PlayStation 3 – is more than twice as fast as the closest runner-up – the IBM Blue Gene. This is a very substantial jump in performance and the new $135 million machine will be used to – surprise – design more lethal nuclear weapons. Why use it for the human genome project, or SETI, or cancer research – better nukes is what we really need. Anyway, machines like this, as well as HPC clusters based on custom hardware designed specifically for breaking encryption, present a serious threat to even the strongest encryption algorithms currently in popular use.
So far there is one encryption algorithm that has been mathematically proved to be unbreakable. And by “unbreakable” they mean unbreakable. Even if you use the computer from Star Trek’s “Enterprise”. This encryption method is known as one-time pad (OTP) and is derived from the Vernam cipher. The problem with encryption software using the one-time pad method is not theory but implementation. If someone out there writes a program and claims that it uses OTP to create unbreakable encryption – how do you know they are not full of crap? The solution is not to shoot for “unbreakable” but to use good quality open-source encryption software. Using open-source is important: the more people have access to the source code, the greater the chance someone will catch any errors. And there are always errors. The worst thing you can do when choosing encryption software is to trust someone’s proprietary code.
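The gap between one-time pad theory and implementation described above, as an added example (not from the original article or from any tool it names): the ciphertext is consistent with every plaintext of the same length, and that property disappears as soon as pad bytes are reused. The class and function names are hypothetical, the messages are constructed, and the operating system's CSPRNG stands in for a truly random pad source.

```python
import secrets


def xor_bytes(a, b):
    """XOR two byte strings; a one-time pad needs key and message of equal length."""
    if len(a) != len(b):
        raise ValueError("key and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Hands out each pad byte exactly once and refuses when the pad runs out."""
    def __init__(self, pad):
        self._pad = pad
        self._offset = 0

    def encrypt(self, message):
        end = self._offset + len(message)
        if end > len(self._pad):
            raise ValueError("pad exhausted: never wrap around or reuse key bytes")
        start, self._offset = self._offset, end
        return start, xor_bytes(message, self._pad[start:end])

    def decrypt(self, start, ciphertext):
        return xor_bytes(ciphertext, self._pad[start:start + len(ciphertext)])


def key_explaining(ciphertext, claimed_plaintext):
    """For any same-length plaintext there is a key mapping it to this ciphertext."""
    return xor_bytes(ciphertext, claimed_plaintext)


def reuse_leak(c1, c2):
    """If one key encrypted both messages, the key cancels: c1 ^ c2 == p1 ^ p2."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1, p2 = b"meet at noon", b"stay at home"
    pad = OneTimePad(secrets.token_bytes(64))  # assumption: CSPRNG as pad source
    off1, c1 = pad.encrypt(p1)
    off2, c2 = pad.encrypt(p2)
    print(pad.decrypt(off1, c1), pad.decrypt(off2, c2))
    # The ciphertext alone fits any 12-byte message equally well.
    print(xor_bytes(c1, key_explaining(c1, b"buy the milk")))
    # Implementation error: the same key bytes used for two messages.
    key = secrets.token_bytes(len(p1))
    print(reuse_leak(xor_bytes(p1, key), xor_bytes(p2, key)) == xor_bytes(p1, p2))
```
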
So what’s good out there? Well, there is GNU Privacy Guard – the Linux-standard encryption with a Windows version available as well. A more Windows-oriented version of GPG is GPG2Win, which also includes email encryption plugins for Outlook. FireGPG is a GPG plugin for Firefox allowing you to use encryption with Gmail. The good old PGP (Pretty Good Privacy) developed by Zimmermann and his team is still available for download from Freeware PGP.
Using anonymous proxies and encryption makes your online life a bit more complicated. Nevertheless, you need to understand the need for such precautions. When we hear about police states, we tend to think about North Korea or China and not about the US, which every year jails more people than China; or about the UK, which has a high-resolution CCTV camera for every fourteen of its citizens; or about Sweden, which recently passed a law authorizing its intelligence agencies to snoop on all domestic and foreign network and cell phone traffic without court orders.
A government’s desire and ability to spy on its citizens are directly proportional to its budget: the more money the government has, the more snooping it will do. Therefore, it is only logical that the wealthiest nations have the nosiest governments. The only thing you can do to fight back against this unhealthy curiosity is to become familiar with modern online privacy tools and to learn to use them effectively.