Morning Musings

I'm not ready to wake up yet...

Protect Yourself Online


This is a quick guide to staying secure on the internet.

Hashes and Signatures

Hashes and signatures are your primary tools for verifying data and detecting any form of tampering. You need to understand how hashes work and why they are important. Know how to generate hashes and checksums:

$ echo Hello1 > test.txt
$ cat test.txt 
Hello1
$ sha256sum test.txt 
e616a6e0657eb277d4acad697f19d066aaa62cdde2862d0be591f3de8357de4b  test.txt

$ echo Hello2 > test.txt
$ cat test.txt 
Hello2
$ sha256sum test.txt 
f660df71283ecaf2c469cde588dd19e498c61eb1b5f1bcc664b8d9f338c67331  test.txt

Changing the file by a single character created a completely different hash. Hashes are like fingerprints: with a strong hash function such as SHA-256, it is not feasible to craft a different file that produces the same hash.

Know how to verify hashes:

$ cat test.txt 
Hello2
$ sha256sum test.txt > hashes.sha256sum
$ cat hashes.sha256sum 
f660df71283ecaf2c469cde588dd19e498c61eb1b5f1bcc664b8d9f338c67331  test.txt
$ sha256sum -c hashes.sha256sum 
test.txt: OK
$ echo Hello1 > test.txt 
$ sha256sum -c hashes.sha256sum 
test.txt: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match

Become familiar with GPG. Know how to verify signatures:

$ ls
test.txt  test.txt.sig
$ cat test.txt
Hello1
$ gpg --verify test.txt.sig 
gpg: assuming signed data in `test.txt'
gpg: Signature made Sun 29 Mar 2015 11:56:47 AM EDT using RSA key ID C37AF029
gpg: Good signature from "Joseph Ruether <jrruethe@gmail.com>"
$ echo Hello2 > test.txt
$ gpg --verify test.txt.sig 
gpg: assuming signed data in `test.txt'
gpg: Signature made Sun 29 Mar 2015 11:56:47 AM EDT using RSA key ID C37AF029
gpg: BAD signature from "Joseph Ruether <jrruethe@gmail.com>"

Passwords and Encryption

[Image: XKCD comic; see footnote 1]

With passwords, the longer the better. Complexity does not beat length.
Use Diceware to generate a 4 or 5 word passphrase and memorize it.
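
The Diceware selection described above, as an added example that is not part of the original post. The function names and the eight-word sample list are constructed for illustration; a real Diceware list has 7776 words.

```sh
#!/bin/sh
# Constructed sample list; a real Diceware list has 7776 words (6^5).
sample_wordlist() {
    printf '%s\n' anchor blanket copper dolphin ember falcon garnet harbor
}

# Uniform random integer in [1, $1] read from /dev/urandom ($1 <= 65536).
# Rejection sampling avoids the modulo bias of a plain "random % n".
random_index() {
    n=$1
    limit=$(( 65536 / n * n ))      # largest multiple of n that fits in 16 bits
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
        [ "$r" -lt "$limit" ] && break
    done
    echo $(( r % n + 1 ))
}

# Print a passphrase of $2 words drawn (with repetition) from wordlist file $1,
# one word per line in the file.
passphrase() {
    list=$1 count=$2 out=""
    total=$(wc -l < "$list" | tr -d ' ')
    i=0
    while [ "$i" -lt "$count" ]; do
        word=$(sed -n "$(random_index "$total")p" "$list")
        out="${out:+$out }$word"
        i=$(( i + 1 ))
    done
    echo "$out"
}

# Entropy in bits of $2 words chosen uniformly from a list of $1 words.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}
```

The entropy depends only on the list size and the number of words, so each extra word from a 7776-word list adds about 12.9 bits.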

You can also generate random data from the command line:

dd if=/dev/urandom bs=1 count=64 | sha256sum

Use the mnemonic.py script from this post to generate a string of words from the hex.

Get a Yubikey Neo.
Use its static password mode to store your passphrase.
Follow these instructions to load your GPG encryption and signing keys.
Use its NFC capabilities with the YubiClip and OpenKeychain Android apps to access your static password and GPG keys from the Yubikey on your smartphone.

Use a password manager like KeePassX. It is open source and cross-platform.
Use a keyfile along with your master password.
Use KeePassX to generate long random passwords for all other needs.

Use TrueCrypt. It is open source and cross-platform.
Use a keyfile along with a strong password generated by KeePassX.

Treat the keyfiles as access tokens.
Do not let them touch the network. Do not upload them to any online service.
Instead, manually load them onto your various devices using USB.
Back them up by printing them to paper in Base64 format, and keep the backups in a safe place.

dd if=/dev/urandom bs=1 count=64 | base64 > keyfile.base64
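
A paper backup is only useful if it restores to exactly the same bytes, so it helps to print a SHA-256 checksum next to the Base64 text and check it on restore. The following is an added example, not part of the original post; the function and file names are illustrative assumptions.

```sh
#!/bin/sh
# Create a 64-byte keyfile in directory $1, plus the two things to print:
# keyfile.base64 (the key itself) and keyfile.sha256sum (its checksum).
make_keyfile_backup() {
    (
        umask 077                   # keyfile readable by the owner only
        cd "$1" || exit 1
        dd if=/dev/urandom of=keyfile bs=1 count=64 2>/dev/null
        base64 < keyfile > keyfile.base64
        sha256sum keyfile > keyfile.sha256sum
    )
}

# Rebuild a keyfile from re-typed Base64 text.
#   $1 = re-typed Base64 file, $2 = printed .sha256sum file, $3 = output path
# Succeeds only if the restored bytes hash to the printed SHA-256.
restore_keyfile() {
    want=$(cut -d' ' -f1 "$2")
    (
        umask 077
        # Strip whitespace so line breaks on the printout do not matter.
        tr -d ' \t\r\n' < "$1" | base64 -d > "$3" 2>/dev/null
    )
    got=$(sha256sum < "$3" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        rm -f "$3"                  # never leave a wrong keyfile behind
        echo "restore failed: checksum mismatch" >&2
        return 1
    fi
}

# Usage:
#   make_keyfile_backup /path/to/dir
#   restore_keyfile typed.base64 keyfile.sha256sum restored-keyfile
```

A single mistyped Base64 character still decodes without error, which is why the restore is accepted only when the checksum matches.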

By keeping a strong password on a hardware token you possess, coupled with a software token that only exists on the devices of your choosing, you have achieved two-factor authentication without any third party.
Both pieces are needed to unlock either your password database or your TrueCrypt container.

This means you can use a third-party synchronization service without being required to trust it; the provider couldn’t access your passwords or data even if it wanted to.
BitTorrent Sync or Dropbox both work well to keep your passwords and data synced between your devices.

Browsing

Always use HTTPS, and be aware of the certificate being used.
Learn how to check the certificate fingerprints:

  • Chrome: Lock icon –> Connection tab –> Certificate information
  • Firefox: Lock icon –> More information –> View Certificate

The truly paranoid will want to verify these fingerprints against another channel.
This site is a great way to verify the fingerprints.
GRC’s fingerprint is 01:56:D3:AC:CF:5A:3F:B8:8F:0F:B4:30:88:2D:F6:72:4E:8C:F2:E0; write it down somewhere.

Use DuckDuckGo instead of Google.
Use Firefox instead of Chrome.
Consider the following extensions:

Operating System

Don’t use Windows. Debian is a stable and secure Linux distribution.
Alternatively, use Tails or Whonix (both are based on Debian).
In addition, Debian supports full disk encryption using LUKS.

For your smartphone, use Android and CyanogenMod if possible.
Android also supports full disk encryption with LUKS.

Debian can also be installed to a USB drive and act as a “cold boot” system.
Cold boot means that it is never allowed to touch the network; all data transfer to the cold boot system is done with a second USB drive.
This practice is good for storing GPG private keys and Bitcoin wallets securely.

More Information

I highly recommend you read the following pages for more information:


  1. Randall Munroe, XKCD, licensed under CC BY-NC 2.5
