Autoblog de wefightcensorship.org

Between your chair and your keyboard

• Avoid watchful eyes:
  • Avoid working with your back to a window
  • When you are travelling on a plane or train, attach a privacy filter to your screen. A privacy filter is a clear film which restricts side-on viewing when applied to your screen. Only the person sitting in front of it (you) can see the screen.
• When travelling, try to keep your equipment with you as much as possible. This prevents anyone from being able to obtain files from your computer or being able to introduce a Trojan horse.
• All operating systems (Windows, Mac OS and Linux) let you protect your session with a password. Make sure you use this feature.

Don't leave your laptop lying around! ! xkcd.com

Delete your tracks on a public computer

If you work in an Internet café or on a computer which is not your own, make sure that you do not leave any traces once you've finished your work:

1. If you have checked your email, Facebook or Twitter account, always make sure you log out.
2. Delete your browsing history. This contains various information and an expert could also access some of your online accounts
3. Never store your passwords in the browser on a public computer. If you do this by accident, delete them from the browser's memory when you've finished your work.
4. Clear form entry fields
5. Delete cookies

Clearing this data is done differently in different browsers. A good way to avoid mistakes is to use the private browsing mode in Firefox or Chrome.

Control access to your information

Most online services (Twitter, Facebook, WordPress, Tumblr, Skype, etc.) let you recover a lost password by sending a password to your inbox. You must therefore protect your inbox as much as possible. If it is compromised, all your digital information could be too.

Google's mail service, Gmail, offers an additional layer of security: ”two-step verification”. This service lets you protect your mail account with:

1. a username
2. a password
3. a code that you receive on your mobile each time you connect to your mailbox.

Therefore, without your mobile, you cannot access your mail.

When you log into your Gmail mailbox, remember to click on the “Details” link at the bottom of the page. This opens a window which displays the recent connections to your inbox. This way, you can detect any suspicious activity.

Twitter and Facebook also offer an equivalent service and allow you to view all the applications and sites which are authorised to access your account.

Use passphrases

Password length is the key factor in creating a strong password which can resist a brute-force crack. Combining numbers, special characters and lower- and upper-case letters often creates weak passwords which are difficult to remember. If you use a “passphrase”, rather than a “password”, you can create a string of characters which is easy to remember and is much longer than your old passwords.

• Th$jHTo%46: short and difficult to remember
• I hear the sound of bells on the green pastures: easy to remember and, for an attacker, very difficult to guess

The website xkcd explains why it is best to use passphrases rather than passwords in some cases.

Use a different passphrase for each service

There is no point in having a long passphrase if you use the same phrase to protect all of your online services. If one of your services is compromised, as can sometimes happen, all of your online accounts are compromised. It is therefore crucial to use a different passphrase for each service.

Use a passphrase manager

Using a different passphrase per service can be problematic if can't remember them all. Don't panic, there are reliable and secure tools available where you can save all your passwords.

LastPass is a password manager LastPass is available as an extension for Firefox, Chrome and Safari, and allows you to save all your passphrases. Access to your LastPass storage is protected with a unique passphrase. So you only have to remember one phrase for access to all your online services. Like Google's mail service, Gmail, LastPass offers two-step verification. If you use LastPass, it is highly recommended that you choose a long passphrase and set up two-step verification.

Be careful what you click on!

While it is important to install antivirus software on your computer, it is even more important to use common sense when you receive a link or an attachment by email, Twitter, Facebook or Skype. Social networks and communication tools are the main carriers of viruses.

Malware (malicious software) is also developed by specialist hackers which cannot be detected by antivirus software. The best defence is to act early, before malware infects your computer or smartphone.

• Don't download files or click on links which you receive from unknown senders.
• Carefully check the email address or Twitter account of anyone who shares a link with you. If you have any doubt, check the sender's identity with other contacts or by using a search engine.
• If the file and sender seem suspicious, get expert assistance. Citizen Lab is an organisation which analyses the viruses sent by both dissidents and activists and helps them to protect themselves better.

Monitor your social networking presence

Facebook and Twitter are useful communication tools. However, make sure you control the information that is made public. The following tutorials and online services can help you to manage your online presence better:

• Check your Internet presence with namechecker
• Privacy settings in Facebook
• Recent changes to Facebook that you should know about
• Securing your Twitter account

https?

When you visit a site whose URL begins with https, you can be sure of three things:

The site's authenticity Each https site has a certificate which it presents to your browser when your browser tries to access it. In turn, your browser has a database against which it checks the validity of the certificate presented. The certificate is the site's ID card and is unique for each https site. The confidentiality of data exchanged with the site. There are several intermediaries between you and the sites you visit: the Internet access provider; the server(s); any proxy servers, including malicious parties (particularly when you're connecting over unlocked Wi-Fi hotspots). Once the site's identity had been validated, an encrypted communication channel is established between your browser and the site which guarantees that no intermediaries can intercept the information exchanged, such as requested pages, their content and any passwords sent. The integrity of data Using the https protocol also guarantees that no one can modify the data which is sent.

Breaking https

There are a few ways of breaking the secure channel which is set up between an https site and your browser.

Blocking https connections

This is by far the easiest way of breaking https. Sites offering an https version can usually also be accessed via http. An attacker seeking to control the network you are connected to (your access provider or the shared Wi-Fi connection at your hotel, for instance) may simply close the https access and force you to use the unsecured http version.

Impersonating an https site

An attacker may position themselves between you and the site you want to access, and redirect you to a copy of the site using a fake certificate. This is known as a 'man-in-the-middle' attack.

If you go to Gmail, an attacker seeking to take control of the network and the DNS servers may reroute your request and redirect you to another site which looks just like the Google mail service. The only clue for avoiding such attacks is the security warning in your browser.

Your browser will indicate that the site's certificate is not valid and that the site is not what it claims to be.

Certificate theft

Within a man-in-the-middle attack, there is a very slight possibility that the attacker has a copy of the targeted site's certificate. This is an extremely sophisticated type of attack as it involves firstly stealing one or more certificates from a certification authority.

In August 2011, certificate authority DigiNotar was compromised and certificates were stolen. These were used mainly in Iran to carry out man-in-the-middle attacks on Google services. This type of attack is extremely effective as your browser is unable to detect the fraud and does not display any security warning.

Some solutions

There are some tips and software which can increase your browsing security.

Choose Firefox or Chrome

Mozilla, publisher of Firefox, and Google, publisher of Chrome, take particular care in terms of security. For example, they were the first to update their browser's certificate databases following the above-mentioned DigiNotar security breach. Firefox has the additional advantage of being a free software whose aim is to ensure the security and privacy of its users. Chrome also focuses on security but is not free and does not offer the same guarantees in terms of privacy.

Deactivate Java

Java is a cross-platform computing language which exists as a plug-in for all browsers. It poses lots of problems in terms of security. According to the publisher of Kaspersky, 50% of attacks reported in 2012 used flaws in the browsers' Java plug-in. If you do not need Java in your browser deactivate it, or even better uninstall it.

Boost your browser with some useful extensions

You can add features to Firefox and Chrome using plug-ins.

• https everywhere: checks whether there is an https (encrypted) version for each site you visit and if so redirects you to it. This saves you having to manually add the “s” after http to each web address you visit, as in reality nobody actually manages to do this.
• No script: enables you to control JavaScript scripts which are launched on the sites you visit. JavaScript is a programming language which is widely used on the web. It runs in your browser and can sometimes be used in certain attacks (XSS and XSRF). You can authorise certain sites to run JavaScript and the extension remembers your choice. This is tedious at first, but essential for secure browsing. Chrome's equivalent is ScriptSafe.
• Web of trust: works on a crowdsourcing model (where information is collected from a wide circle of sources) and tells you whether a site is safe or not based on the opinions of other Internet users. If you land on a site known to contain malicious scripts, WOT will display a warning before the page loads.
• Certificate Patrol: checks the certificates when you arrive at an https site and warns you when your browser detects a change in certificates. This is very useful against man-in-the-middle attacks.

Before leaving

• If possible, travel with a virgin computer. Ideally, you should completely reinstall your operating system (Window, OS X or Linux).
• If you need to take files with you on your computer, take only those that will be absolutely necessary while you are there and encrypt them using PGP or TrueCrypt, which is simpler to use.
• Update your operating system and, while you are there, don’t accept any updates even if Windows ask you to.
• Turn on your firewall (software that blocks unwanted incoming and outgoing connections, allowing your to ward off some kinds of intrusion).
• Install antivirus software and make sure it is updated with the latest virus definitions.
• Protect your computer and mobile phones with passwords. They will help to deny access to your work.
• Encrypt your hard drive. Protecting your computer and mobile phone with passwords is pointless if you do not also encrypt your entire hard disk. In Windows, use Bitlocker or TrueCrypt. In Apple Mac’s OS X, use FileVault (Preferences > System > Security).
• Install a VPN, which is an application that allows you to establish an encrypted communication tunnel between your computer and a server located outside the country. Using a VPN will make it extremely difficult to intercept your communications. It will also enable you to circumvent any blocking of websites and online services imposed by the authorities. You should install a VPN before you go because unofficial VPNs, meaning those not controlled by the regime, are banned in Iran and access to sites offering unofficial VPNs is blocked.

Measures to take while in Iran

Good “electronic hygiene” should be practiced to avoid installing any malware on your computer:

• Don’t click on links sent by a stranger.
• Don’t download any software if you don’t know where it comes from.
• Don’t accept contact requests from strangers on social networks.
• Always identify the sender of an email before opening any attachments.
• When you connect to the Internet, always use your previously installed VPN.
• Secure your browsing by using the https protocol. It prevents your website passwords from being visible on the network.
• Don’t use Skype to sent sensitive information. The confidentiality of communication via Skype is not guaranteed and, because of its widespread use, Skype is the target of a great deal of malware.
• Encrypt your communications. Email is often intercepted in Iran. To guarantee the confidentiality of the messages you exchange with your editors, encrypt your emails with PGP or encrypt your chats with Adium (Mac) or Pidgin and the OTR plugin (Windows, Linux).
• The sending of an encrypted email is visible on the network. Although the regime may not be able to access the content of an encrypted email, it may know who sent it and to whom it was sent. Take care when you send an encrypted email. Take account of the situation of the person you are emailing.
• Create one or two email address that are not associated with the media that you work for, and use only these addresses. As a result, your emails will be more discreet and will be more likely to pass unnoticed by the authorities.
• You can also send your emails to a specially-created email address, from which they can be removed by a trusted third party with password access and forwarded to their final destination from another email address. This will protect the identity of the recipients of your emails while you are inside Iran.

In the event of Internet cuts or drastic slowdowns

It is not uncommon for the Internet to get much slower during demonstrations or in the run-up to major events. But Internet slowdowns or cuts do not last long. Keep filming or writing and store your work on an encrypted USB flash drive (encrypted with TrueCrypt, for example). A USB stick is easier to conceal and carry than a computer.

You can use a satellite connection to send your work but, be careful, because satellite transmissions are easily spotted. Don’t stay too long in the same place while transmitting files. Change location frequently. If you must sent big files, send them in stages. There is software than can break a big file down into smaller parts.

Mobile phones

Your mobile phone contains a lot of important information. Iran’s two main mobile phone service operators, Mobile Communication Company of Iran and Irancell, are controlled by the Revolutionary Guards. As well as data sent or received, you mobile phone or smartphone has a lot of information on the SIM card, its internal memory and any memory card that may be installed.

• Protect your phone with a password, if it has this feature. All SIM cards have a PIN installed by default. Change it and block access to your SIM card with this SIM code.
• If your phone uses the Android operating system, you can use the many applications created by the Guardian Project and Whispersys to encrypt your browsing, chats, SMS and voice messages.
• Turn off GPS in the apps that use it. But make sure that someone is kept abreast of your movements.
• If possible, don’t keep any browsing history. If you are in country that monitors mobile phones or if you think you are under close surveillance because of your activities, it is better not to use a mobile phone to communicate. Use face-to-face meetings instead.
• If you want to keep your phone with you even during sensitive meetings, remove the battery before going. Even without a SIM card, mobile phones send a lot of information (IMEI, IMSI or TMSI numbers and network cell) to nearby relay antennae that allows them to be located. Using IMSI catcher software, the authorities can intercept these signals and locate a previously identified SIM card holder. Unfortunately, a battery cannot be removed from an iPhone.

Originally written in mid-2012 for France’s National Institute for Broadcasting (INA), the following article was updated and republished on Jean-Marc Manach’s blog with the title of How (not) to be the victim of (cyber-)espionage. What applies one day on the Internet, does not always apply the next. The article aims to provide some advice and suggestions on how to establish a window of anonymity online. It is not an exhaustive guide. Readers are urged to verify the validity of the websites and services mentioned in this article.

Fifteen minutes of online anonymity

I have often written or translated instructions for Internet users on how to secure their online communications since 1999 whaen, as a journalist, I began trying to find out how to protect my sources. And I came to realize that it is impossible for non-specialists to secure their computers in such a way as to prevent professionals from being able to get into them. Nonetheless, it is perfectly possible for them to create windows of confidentiality, to disappear for the duration of an online connection, to learn to communicate in a discreet, secure and stealthy manner, and to exchange files without being detected.

The KGB and CIA could not prevent each other’s spies from communicating with their sources, just as the FBI could not prevent Daniel Ellsberg from leaking the Pentagon Papers and the NSA could not prevent WikiLeaks from shedding some transparency on US and international diplomacy. To paraphrase Andy Warhol, the key nowadays is how to get one’s 15 minutes of anonymity. It is not only possible but also essential for journalism and for democracy, and it is not necessarily very complicated.

Whatever the type of computer, operating system or software you use, you can secure your communications – and therefore you sources ­– via the Internet. The methods and services mentioned below are not as secure as using GnuPG, but may prove useful if all you are seeking is a window, or 15 minutes, of anonymity. What they have in common is encryption of information at the browser level, before transmission to the website where it will be shared with the person or persons to whom you want to send it.

Several computer security specialists have recently pointed out the limits of such systems, which are based on the concept of zero-knowledge proof. Their security depends, among other things, on using computers and websites that have not already been hacked into. Given the technical skills needed to properly secure a computer, these services are probably best used only when your need to transmit something – a message, temporary password, article or photo – in a stealthy manner. And better still, if possible, you should use a dedicated computer for this (netbooks can be bought for €200), one that is connected to the Internet only for this purpose and is not used for any of your other activities, during which it could get infected by a Trojan or other form of malware.

Secure chatting

CryptoCat, the best known of these web services, was designed to allow you to chat and to simultaneously send .zip or image files of up to 600 kb in size, as with standard instant messaging software, but in a secure manner. In response to criticism, its developer decided to add an additional layer of security by allowing users to install CryptoCat as an extension in their browsers (Chrome or Firefox).

File exchange

You want to send or receive a file anonymously and securely?

The dead letterbox technique consists of using a webmail service of which the username and password are known by two (or more) people. Messages can be exchanged by leaving them in the Drafts folder. This way, you and another person can communicate with each other without ever actually sending each other emails.

SpiderOak and Wuala are “cloud” storage platforms that encrypt your data at the browser level before you send it. You must create an account linked to a secure email address.

Hushmail.com is an encrypted email service that emphasizes ease of use. There are also dozens of AnonBox, created by the famous German hackers of the Chaos Computer Club (CCC), but remember to always use https and Tor when you connect to them.

RiseUp is an email service maintained by an activist community. The originality of this service is that it does not keep of any log or record of the IP addresses connecting to its servers. RiseUp also stores all email messages in an encrypted form.

Your can also use the Hide My Ass file-sharing service, which is one of the many web proxies (or anonymizers) that are used to circumvent Internet censorship or to browse anonymously. For more information on this subject, see How to circumvent Internet censorship and How to circumvent cyber-surveillance.

Confidential notes

NoPlainText and PrivNote (both accessible securely via https) allow you to create short memos that “self-destroy” as soon as they are read. PrivNote can send you an email alert when a memo is read. It is practical for sending a password or any short confidential message without having to use GnuPG. (The password should of course be temporary. Any password you are sent should always be changed. Passwords are never shared with third parties.)

These services cannot prevent an unauthorized third party from intercepting the link – and therefore the memo – before the intended recipient sees it. But they can, on the other hand, allow you to establish whether your channel of communication is being spied on. You just have to send an initial (anodyne) message and see whether or not your source receives it in order to known whether the channel is secure or compromised.

ZeroBin uses the same principle but also allows you to programme the deletion of the memo (in 10 minutes, one hour, one day, one month, a year or never) and allows the other party to comment on it. CryptoBin allows the memo to be protected by a password, which adds another layer of security but requires sharing the password with your source, for which you could use CryptoCat or PrivNote. In order to add more layers of security, try if possible to combine these services and access them using Tor or an equivalent.

Phone problems

There is no really reliable way for communicating confidentially by mobile phone. To be very clear: NEVER use your mobile phone to call a source’s mobile phone if the source needs to be protected – see the recent “phone records affair” in France.

If you really have to phone your source, go to a public phone far from your office or use the mobile phone or landline of someone who has no direct contact with you. And call your source on a mobile phone or, preferably, landline with which he or she has no direct connection. Or use one of the techniques that have already been explained. And meanwhile, we should follow the development of Whisper Systems encryption software, which does not work on all mobile phones and is still in Beta version.

Use of the increasingly popular Internet telephony software Skype should also be ruled out whenever possible. AFP came in for a lot of criticism when it reported in a dispatch that it interviewed a Syrian dissident via Skype in July 2012. Skype’s so-called “security” has repeatedly been violated since the French authorities advised against its use in 2005. It has since been revealed that Skype not only helps certain law enforcement and intelligence agencies to spy on users but also that booby-trapped versions of Skype have been created in order to enable identification of their users.

Do you want to phone your sources via the Internet? No problem, but use Jitsi, the “open-source Skype” recommended by Jacob Appelbaum, a hacker and Tor developer who supports WikiLeaks and is therefore well up on source protection issues, or Mumble, which is mainly used by video gamers but which encrypts communications by default. The Telecomix hackers, who distinguished themselves by helping Arab Spring Internet users and cyber-dissidents to secure their telecommunications, have set up two secure servers for communicating via Mumble.

IRL

Computer and digital security is a profession. If it is not your profession, operate on the assumption not only that you can easily be (or are being) monitored – ISPs keep records of all your Internet connections and Internet activity, while phone companies keeps records of all the numbers you call or call you – but also that someone could, without too much difficulty, actually be spying on you.

In other words, your preferred method of communication should be “IRL” (In Real Life) meetings, physical meetings in public places or the backrooms of cafés, like 20th century spies. Of course, the meetings can also be compromised if they have been set up by phone or email. It is an irony of history that in this technologically hyper-connected 21st century, we have invented no better way of protecting sources and professional confidentiality than old-fashioned paper mail, which is much less monitored and spied on than phone or Internet communications.

Going further

• Encrypt everything! – a digital security software directory
• How to encrypt your email? – the ABC of privacy protection
• Free.korben.info – the open-source Internet wiki
• The digital self-defence manual guide – should be read and reread, on your own or shared with others. How to fine-tune the art of navigating the digital world’s troubled waters.
• How to circumvent Internet censorship
• Computer and Internet security and privacy – anonymity etc
• Basic protection of sources – by #JHack. Workshops, conferences and meetings between journalist, activists and hackers.
• Security in-a-box – Digital security tools and strategies
• The basics – for any Windows user connected to the Internet

About the author

Jean-Marc Manach has been covering the rise of the “surveillance society” for nearly ten years, both as a journalist and as a defender of human rights, freedoms and privacy. He has participated in:

• The Big Brother Awards, which give “Orwell prizes” each year to those who have distinguished themselves by their violation of privacy.
• Bugbrother.com (to learn about making communications secure and protecting privacy).
• Renseignementsgeneraux.net (to learn how to defend one’s rights against abuses committed by the police in the course of gathering information on the population).
• Vie-privee.org (for its press review on information technology and freedoms).

How a VPN can be used 

A VPN allows data to be moved from one private network to another using a secure Internet tunnel. Your Web browser cannot access www.google.com via a classic VPN connection. Your email client can only connect to your company’s internal email and not to your own email address. You are sheltered but isolated. The VPN has the functionality it needs for us to protect our communications between A and B using legal means. But there is more to it than this. 

Using a VPN as a “virtual escape route” to circumvent censorship

The Internet is a place for communicating and exchanging information, which does not please everyone. Some states monitor and spy on the content of their citizens’ online activities and, where they feel it is necessary, restrict access to some websites or services that they believe to be contrary to their interests.

The diagram below shows an example of a filtering system put in place by a government to prevent the country’s Internet users from posting videos of demonstrations. This is an ideal scenario for using a VPN to circumvent the filter system.

The following diagram shows the use of a VPN as a means of bypassing an existing filtering system.

Your workstation is company A and the VPN provider is company B. The main difference is that your real Internet connection is through the VPN provider, so the Internet sees that you are connected from Sweden and not from your own country. This means the filtering system in place in your own country no longer applies. By using a VPN, a legal tool, you can publish your video on YouTube, read your email, surf any part of the Web securely, etc. Your country will no longer be able to see what you are using the Internet for since you are now accessing it via a tunnel with one end in Sweden, a country where the Internet is outside your government’s control.

Setting up this type of service is no simple matter and requires a level of technical knowledge not available to everyone. Fortunately there are companies that provide such services commercially, making the configuration and use of a VPN on your workstation a fairly simple matter.

Choose a VPN provider carefully

A VPN connection costs about five euros per month. Avoid free offers. One way or another these so-called free services find a way to make you pay. A free VPN may, for example, be set up with the intention of discreetly spying on your communications, known as a “honeypot”. 

Most VPN services provide documentation and software to install on your computer. Once you sign up, you will receive your login information by email, including your username and password (similar to your mailbox details).

Launch the software, enter your username and password and the application will do the rest. It will create a tunnel connecting you to the country you have previously specified. Once the connection is established, you are virtually in another country.

Here is an example of a connection interface:

VPN on your mobile phone

Like any other device that connects to the Internet, your smartphone is subject to restrictions imposed by your telephone provider, if you connect via 3G, or your Internet service provider if you use wifi.

You can install an application on your smartphone, as you can on your computer, to create a VPN tunnel allowing you to connect from your phone. The Android operating system has already launched a VPN client in the menu “Wireless and Networks -> VPN settings”. You can obtain information from your VPN provider that will allow you to set up your Android phone just as easily as your computer.

Text and images kindly provided by Jean Marc Bourguignon / fo0

Image file formats such as TIFF and JPEG are some of the most talkative ones. Created by digital cameras or mobile phones, these files contain metadata in a format called EXIF that may include the image’s date, time and even GPS coordinates, the model and serial number of the device that took it and a thumbnail of the original image. Image processing applications tend to keep this data intact. The Internet has countless cropped or pixelized images whose EXIF thumbnail still shows the original image. So, how do you rid your files of unwanted metadata and restore their virginity before sending them?

Checking and cleaning metadata

When you send a sensitive document, it is vital to ensure that its metadata are not compromising. There are various ways to access the metadata. The easiest way is to check the file properties. A simple right-click will give you a lot of information.

Desktop application files of the Office kind may contain information about the individual or company that that created the file. Whether you are using Microsoft Word or Open Office, you have the possibility of eliminating this information when you create the file.

PDF files can also act as snitches. They often contain the author’s name. It is accessible in the file properties and can be changed by using PDF file editing software. Using Acrobat Writer under Windows or Mac, you just have to go to the “File” menu and then “Properties” in order to modify the document author’s name. For GNU/Linux users, there are free alternatives such as PDF Mod that offer a simply way to edit PDF file metadata.

You can use the Exif Viewer extension for Firefox to display the metadata of JPEG images. It is also available for the Chrome browser. All this extension does is display Exif data.

Advanced control of metadata

There are more sophisticated tools that allow you to edit all kinds of metadata, regardless of the type of file – PDF, JPEG, GIF or anything else: -

• MAT, Metadata Anonymisation Toolkit: an application with a graphical interface available under GNU/Linux
• Metanull: an application with a graphical interface available under Windows
• ExifTool: a command-line application available under GNU/Linux, Windows and Mac OS X.

This document was inspired by the Tails distribution’s official documentation, entitled “The Amnesic Incognito Live System.” Like the original, it is published under the GPL v 3.0 license.