Cover your tracks: beat the NSA and GCHQ at their own game
14th Dec 2013 | 16:14
Keep private what you want to keep private
It's grand to think we're all being kept safe by GCHQ and the NSA recording every single communication we make, then stashing them in a five-zettabyte Utah-based storage facility for time immemorial?
While President Obama says they're not, the head of the NSA says they are.
Lurking between the legalese, it seems all voice and internet communications are being stored. But that's fine, isn't it? You didn't really want your privacy, now did you? Come on.
It might seem like we have joined the tinfoil-hat wearing brigade. Yes, it's true that many of us have food caches dotted around, but that's to fend off the munchies going to and from work, rather than planning for the apocalypse. Truth be told, we're somewhat less worried about the NSA running off with our emails - though surely that's an infringement of our intellectual property rights - than shady gents physically running off with our stuff, or even Russian hackers tapping their way into our systems.
Last issue we looked at TOR, which is a clever system that masks where you are in the world by obfuscating your original IP address. Alongside this, it attempts to use HTTPS servers as much as possible to encrypt internet traffic, but it's not foolproof and is only relevant for your online life.
What else you can do? Put simply, you can either encrypt all your stuff or take it offline. We'll ignore that second option for the moment and concentrate on hiding all your stuff with encryption.
Modern high-speed, high-security encryption not only protects your data, but is largely unbreakable when used correctly. You can deploy it to protect everything from your entire hard drive to individual emails sent over the insecure internet. We understand you might be busy and not paranoid, so we'll start by protecting the important stuff before moving on to encrypting selected emails or dealing with your full system…
We're glad you've made it this far, because frankly encryption is about as sexy as Alan Sugar gyrating in a pink g-string. It's also not helped by the usual set of questions. Isn't encryption a pain to use? Isn't it slow? Isn't it complicated to install? The short reply to these are no, no and no.
At its worst, we're talking about using an independent, open source, full-system with pre-boot encryption that requires you to create a password and rescue CD as part of a pretty standard installation. Beyond this, the encryption process can run in the background without hindering you at all.
Thanks to modern processors being kitted out with accelerated instructions, deploying encryption on a system has almost no impact on performance. Even the impact on older systems is small at best - around a 3-8 per cent reduction on pre-2010 processors. For newer processors, there's a set of hardware-accelerated instructions called AES-NI.
Excluding Core i3 models, you'll find these in all Intel's processors since Sandy Bridge, but also in the Core i5/7 Clarkdale and Arrandale models, being the Core i5/7-6xx and i5-5xx ones. AMD has similarly integrated the instruction set into all Bulldozer, Piledriver and Jaguar processors. This increases performance at least five-fold, reducing the impact to just a percentage point at worst.
One key design goal of the widely used AES was efficiency. On the Pentium Pro architecture, a byte can be processed in 18 clock cycles leading to 11MB/s at 200MHz. For hardware supporting AES-NI, this is reduced to just three clock cycles. The practical outcome is that any mid-range or better system built in the last three years won't even bat an eyelid at full-system encryption. Outside of this level you can expect at least a 10 per cent reduction in drive access speed, but it's doubtful that would be across the board or more importantly if it'd be noticed by most average users.
With performance worries neatly brushed under the rug, we can go back to wondering why we want encryption and how we can easily implement something useful.
The idea of encryption is to put up a barrier so complicated to vault, it's not worth the attacker's time to overcome it, but there's always a chance that they could discover the key or back door, or you might reveal the data by accident. It's therefore important to follow procedures when creating passwords and handling data - the classic gaffe being getting drunk and leaving an unencrypted copy of your data in a pub or on a train.
For protection we're going to look at a number of solutions that cover local files on specific drives, including removable drives, encryption of emails and files sent from your local machine, and full-system encryption of the boot drive. A number of the tools we've used here come with Windows, but we also turned to freely-available, open-source options that are just as secure, but run on most operating systems too.
Let's kick things off by covering BitLocker, which is the official full-drive encryption system offered by Microsoft. The major limitation of BitLocker is that it's only available to the Enterprise and Ultimate Editions of Windows Vista and Windows 7, along with Windows 8 Pro and Enterprise Editions. It's something of a shame it's not available to all, because it offers a well-integrated and straightforward encryption system, but we guess Microsoft didn't want your average Joe securing their data then locking themselves out from it.
You can easily find BitLocker settings under the System and Security Control Panel. Just type BitLocker into the Start Menu (what do you mean Microsoft stole it?) and select 'BitLocker Drive Encryption'. For any drives other than the boot partition, including removable drives, there are really no restrictions; just activate BitLocker for that drive via the Control Panel.
BitLocker supports standard password protection and smartcard readers with a PIN, but for home use the latter option isn't likely. Just set a password that's at least eight characters long (which you should print and keep it somewhere safe, just in case) and Windows will take care of the rest.
For the Windows boot drive, you'll need a spare inserted USB drive so that BitLocker can store the encryption key. Ideally you want a system kitted out with a Trusted Platform Module, as this takes care of all the boot-time key handling and authentication in total security. The extra complexity is required as the BitLocker system has to handle the boot-time transfer from the BIOS to a fully-encrypted Windows system. For a non-TPM system, it boots via the USB drive that stores the encryption keys and the code to swap the boot process to a much more secure partition.
We've mentioned the Trusted Platform Module (or TPM), but not really explained what it is. Much was made of it when it was first conceived, but it's most often found on business systems as an optional extra. The TPM provides cryptography features to the PC, including secure key generation and storage, true random number generation and system authentication.
As part of a secure ecosystem the TPM alone can be used to authenticate a system, or it can be used alongside a PIN or also a USB key. So for example, if a drive is removed and transferred to another PC, even with the PIN and with a USB key, the TPM won't decipher the data.
In its hallmark style, Microsoft has made BitLocker as useless as possible by limiting its availability. Well done Microsoft. This isn't a problem though, because the open source community supplies arguably the best cross-platform, high-performance, full-system encryption solution around in the form of TrueCrypt.
If you haven't already, go to www.truecrypt.org, grab the Windows install package. You'll notice that the TrueCrypt interface is surprisingly simple. You can ignore the main area, which is a list of drives. This reflects an older aim of TrueCrypt: to provide a virtual mounted drive that's just a single encrypted file on the existing file system. It's clever, as you can read and write to it and the encryption is handled on the fly.
You can still use this system, and it's a great way to carry protected data around with you on a USB drive. In fact, when you install TrueCrypt there's a portable option for exactly this. Beyond this, TrueCrypt offers encryption of the system partition with boot-time protection, standard removable and fixed-drive encryption, and the ability to encrypt the boot drive with a hidden system drive.
For the super-paranoid, this last option creates two bootable systems with different passwords. If you're ever forced to provide the password, you can give the fake one. This triggers the system to boot into the 'fake' OS, and with the encryption, the real OS looks no different to random bits. For plausible deniability you're suppose to use the 'fake' OS on a day-to-day basis, saving the hidden OS for duties you want secure.
No matter what option you wish to use, click the 'Create volume' button and choose from file-base, non-system and system partition encryption. The system partition encryption is the most involved of these, but even this is straightforward. You'll be asked if you want a normal or hidden drive as detailed above. Most people, we suspect, will opt for normal.
An option to encrypt the host protected area is next. If you built the system yourself, then you're safe to choose 'Yes', but for vendor systems we'd select 'No'. It depends on whether the PC has a hidden rescue partition, so if you're unsure, don't do it. TrueCrypt supports multi-boot systems, though if you're running one you can probably figure out this yourself.
Before creating your password, you can choose your encryption and hash methods. The default AES and RIPEMD-160 hash are perfectly adequate and securely tested solutions. Finally, TrueCrypt will ask you to choose your very own password.
This is very important stage in the process. As we've said before, a long, non-trivial password is best, and TrueCrypt suggest a minimum of 20 characters. We'd point to the XKCD guidelines of using multiple words that paint a memorable pictogram, but it never hurts to top that off with a number and few bits of random punctuation. You need to remember this password, because there's no way to recover your data if you happen to forget it.
Next, TrueCrypt is going to create hashes and slats based on random data; it's already started to take 'random' data points. Computers are notoriously bad at generating truly random numbers, so it's been monitoring your key strokes, taken timing information and other elements. Next it'll ask you to move the mouse randomly too.
With this done and the encryption keys created, it's essential that you make the rescue disc. In fact, TrueCrypt will not let you proceed without one.
The last stages including an option to wipe unused data. If you're using an SSD we don't advise this, because it's better to use the PartMagic and the three passes are really overkill.
Finally, TrueCrupt will test to see if the system can in fact boot, and enable you to test the password. If all of that succeeds then it'll start the encryption, which takes place on the fly so you can carry on working.
With that all done, you have a secured system and the data can only be read if the correct password is supplied. For data files and disks, these can be swapped into any other system running TrueCrypt and continue to be used, as long as the password is supplied again.
The rescue disk can not only decrypt all the data in an emergency but restore the bootloader, key data and original system loader, but you will still need your original password. You can also alter your password, but due to the way the encryption is designed, older rescue CDs will still be able to decrypt your data with the old password, so it's best to destroy it.
With the stuff on your hard drives locked down, it's time to turn our attentions to your stuff out there on the shady internet.
But if your favourite online web email company is handing out access to your account, how can you keep your communication secure? Enter PGP (Pretty Good Privacy), which is a public key system aimed at email.
Now let's get one thing clear: if you're emailing people with web-based accounts, nothing is secure. However, if you encrypt your message or files locally before sending onto the internet, only the recipients you want will ever be able to read it.
While PGP is now commercially owned by Symantec the OpenPGP group maintains an open-source version, which is used as part of the www.gpg4win.org distribution. This clever pack bundles not only a full OpenPGP plug-in for Microsoft Outlook - if that's your email poison - but also Claws Mail, which is a standalone email client set up for sending encrypted emails.
Before you can use PGP, you need to create a key pair using the Kleopatra software. You'll be asked to supply your name, email address and a passphrase, which needs to adhere to the same security measures as a good password. Once this is done, there's an option to email your public key (called the certificate) to anyone who wants to send you a secure message. You can also use 'File > Export certificate' to get the public key file.
Of course, if you want to send someone a secure message you'll need to know their public key, so there's a level of cooperation required. If you use Microsoft Outlook, the plug-in found in the Add-in tab when writing an email will let you encrypt the message.
- Now why not read Why the Internet of Things will change all of our lives