Difference between revisions of "Sandbox"
(3 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | {{ #ask: [[Category: | + | {{ #ask: [[Category:Scenario_Task]]|?Scenario Task Description|?Scenario Task Type|?Scenario Task Format|?Scenario Task Parent }} |
− | | | + | |
− | | | + | |
− | }} | + |
Latest revision as of 18:31, 25 November 2015
Scenario Task Description | Scenario Task Type | Scenario Task Format | Scenario Task Parent | |
---|---|---|---|---|
2 factor authentication | 2-factor authentication also known as 2-step and 2fa is a method of authenticating yourself with a combination of two components: something you know (a password) and something you have (e.g. a mobile phone). The idea behind this method is that it's incredibly difficult for the hacker to have access to both components. The service must be offered by your email provider and many of them do now. Please have a look at this excellent report by Citizen Lab on 2fa phishing attacks, in particular the conclusions and recommendations within.
|
Unauthorised Access | Solution | I want to protect my email account from unauthorised access |
A website I am trying to access is unreachable | Many countries that practice Internet censorship are 'kind' enough to display a warning or a reason to the user when a banned website is being requested. In other circumstances your request may simply result in a 'Page Not Found' error, or the browser will keep spinning and eventually time out with another error message. There could be several reasons for this situation to consider, before claiming with certainty that the site is indeed censored.
|
Censorship | Scenario | Access to the Web |
Access to the Web | Sometimes accessing a website may prove problematic. This may be due to several reasons: for instance that website may be filtered in the place where you are located, but you may also be experiencing a simple connection problem.
This section explores how to troubleshoot a connection, introduces the topic of circumventing website filtering, and discusses ways to connect to websites securely or anonymously. An introduction to these topics can be found in the How does the Internet actually work? pages, Basic Internet Security from Floss manuals and the more detailed Privacy & Security Conscious Browsing guide. |
Censorship Surveillance Profiling your identity and actions |
Scenario | |
Can I be anonymous whilst using my phone | The short answer is you can't, and there are several reasons why. Your SIM card can be directly linked to your identity, account or point of purchase. The IMEI and the IMSI numbers in your phone are unique and can also be linked directly to your location and/or identity. In general, Mobile phone tracking is a well established technology and the only way to prevent this type of location tracking is to remove the battery, carry a Faraday cage-like accessory or not bring your phone at all.
If you want, however, you can browse the Internet anonymously from your phone:
|
Profiling your identity and actions Surveillance |
Solution | Phone |
Computer | A large portion of our digital identities, years of work history and meticulously configured software rests on our computers. A broken, stolen or otherwise malfunctioning computer could be a small (or large) calamity. This section deals with how best to protect your computer from various physical and digital risks.
|
Unauthorised Access Data Loss |
Scenario | |
Data | Your data is your own. Protecting it from loss, corruption and unauthorised access requires effort and by default your data is only as secure as the device it is stored on. This section deals with protecting your offline data. For information on protecting your data on the Internet, please refer to the sections on Email, Online Conversations, Access to the Web | Unauthorised Access Data Loss |
Scenario | |
To send or not to send - that is the question! And it is not a rhetorical one: email is an all consuming part of our digital lives, but it is also very ancient, and in the years its 30-year-old design hasn't improved much in terms of security.
Email is basically made of two parts: the "body", with the content of the message, and the "header", with information on the author of the email, the person it has been sent to, the time when it was sent, etc. All this information, called metadata, can be gathered from email records and turned into a pattern, as can be seen on the Immersion project from MIT. The content of the messages, on the other hand, can be protected, and the various questions you may have about how to secure your email are answered in this section. |
Profiling your identity and actions Surveillance |
Scenario | ||
FAQ | This is an introductory guide for those looking for an answer to their digital security concerns. It assumes common threat scenarios and asks a series of iterative questions to direct you to a solution, whether that's a tool, a technique or a link to one of the excellent resources listed herein. Treat every recommendation as one piece of the security puzzle you need to solve.
Guides and reference manuals
Software and services index
ContactsIf you have a suggestion for a threat scenario or new resource to link to, a recommendation or simply want to help or find something out, please write https://encrypt.to/info@equalit.ie |
Solution | ||
Find a reliable hosting provider | If you are setting up your own website for the first time, or want to find a more secure solution for the website you already have, you will have to look into the complicated market of hosting providers, where making the right choice can be hard. To understand what you need to look for, consider the following points:
In any case, keep your own backup of the site and make sure you are in control of the DNS records so as to switch providers when necessary. A more detailed guide is available for those considering their hosting options. Commercial Hosting
Non-commercial Hosting
|
Unauthorised Access Surveillance Censorship |
Solution | My Website |
Google mail | Google Mail hardly requires an introduction. It is a free service and incredibly prevalent on the Internet. There are many options to improve your account's security, such as 2-step authentication and other account security options. If correctly configured, these will provide a good level of protection. Consider that Google is a US registered company and has hundreds of millions of users. | Surveillance | Service | To find a reliable email provider |
How can I access censored websites from my phone | Bypassing website censorship on your phone is very similar to doing it from your computer albeit with slightly different tools. You can use the Tor Browser for Android or the unofficial Onion Browser for iPhone.
Android users can also install Psiphon, that works with "VPN, SSH, and HTTP proxy technologies to keep users connected at all times". BitMask is a new project encrypting online communications for Android users. iPhone users should establish a VPN connection to a trusted provider for circumventing censorship. Torrent Freak has a list you can choose from. |
Censorship | Solution | Phone |
How can I prevent getting a virus infection from an email | There are many solutions here, varying in their degree of difficulty to implement. Protecting your email from malware (malicious software, including viruses) begins with protecting your computer from viruses. You need to be extra vigilant when opening an email and, whenever possible, switch off the email preview function.
What follows is a list of steps, by degree of difficulty, you could take to reduce the risk of viruses infecting your primary computer systems and files:
|
Unauthorised Access | Solution | I want to be protected from malicious emails |
How can I prevent my computer from malfunctioning | Like any machine with a huge number of components, a computer could theoretically break at any time - whether through physical or water damage, or simply because of a malfunctioning component. More often than not a computer malfunction is caused by buggy or conflicting software. The infamous blue screen of death will be familiar to any longtime Windows user. Simply put:
In any case, make sure you have an up-to-date backup |
Data Loss | Solution | Computer |
How can I see who the email is really from? | The short answer is: you can't. You can only be certain of the sender's identity and for that you need to read I want to learn about digital signatures. There are however some tips to help you better understand where the email may have come from.
Every email you receive is made up of several components. There is the content itself, address details, as well as technical data about the message - also known as the message header. It contains detailed information generated by your email server about where the message came from and how it was processed before arriving in your inbox. This may be your only forensic clue to investigate the message's origin. If you want to learn to examine email headers, read this guide on email spoofing and Gmail's guide on understanding their message headers. You can also copy and paste the message header into the MXToolbox to get a humanly readable context of where this email has been. |
Impersonation | Solution | I want to be certain of the recipient's identity (and vice versa) |
How can I stop spam | Unfortunately you can't :( Once your email address ends up on the spammers' lists, the only thing you can do is to install a good spam cleaner or use an email provider that offers this service (quite common these days). It's very easy to end up on these lists especially with the prevalence of the data broker industry. Here's some tips for keeping your email address out of the spammers' hands:
|
Profiling your identity and actions | Solution | I want to be protected from malicious emails |
How do I know if someone else is accessing my email account | The three main email providers offer a 'Recent Activity' notification window where you can view where and how your account was last accessed.
|
Unauthorised Access | Solution | I want to protect my email account from unauthorised access |
How to protect your phone from virus infection | The best way to keep your phone free from malicious software is to:
Even these methods may not protect you completely, as attackers have been known to sneak malicious software into the official repositories run by Google and Apple. You can also try to install an anti-virus and are advised to enable the firewall on your iPhone or something akin to the NoRoot Firewall on Android. To secure yourself from malicious code built (or injected) into various websites, install a script blocker such as Ghostery; uBlock for Android; or the Purify app for iPhone. |
Unauthorised Access | Solution | Phone |
Hushmail | Hushmail is an established and well known provider of secure email solutions. In the past they have provided access to private user data in response to a request from Canadian law enforcement. | Surveillance | Service | To find a reliable email provider |
I want to be anonymous connecting to the web | Disassociating your true identity from an IP address assigned to your device usually requires a change of your physical location - a public place - to connect to the Internet from. Using a wifi hot-spot or going to an Internet cafe will give you some degree of anonymity (especially if those places are not running CCTV or force you to register with an ID before using their services). Bear in mind that once connected you need to consider the following concerns that may de-anonymise you on the local network:
|
Profiling your identity and actions Surveillance |
Solution | Identity or Location |
I want to be anonymous when browsing the web | There are multiple guides to help you stay anonymous when browsing the Internet. Anonymity, which is not inherent in the Internet, is useful when you want to hide your destination address from the local Internet Service Provider or your identity from the visited website. It can also help protect your social graph, obscuring the network of your actual online (and offline) relationships. If you need anonymity to send an email, please refer to the I want to send an anonymous email section.
|
Profiling your identity and actions Surveillance |
Solution | Identity or Location |
I want to be certain of the recipient's identity (and vice versa) | When sending an email, it is incredibly easy to fake (or "spoof") one's email address. For example, try sending yourself an email with a made up identity from https://emkei.cz In order to be certain of each other's email identity the message needs to be signed cryptographically. You can do this yourself or learn about existing authentication methods used by some email providers. | Impersonation | Scenario | |
I want to be protected from malicious emails | A huge quantity of malicious content can access your computer through your email inbox. This could be annoying but harmless unsolicited advertising (spam), malicious software embedded in an attachment or within the message itself, and various types of links leading you to infected web pages. Many tools exist to protect your computer from infection but they will never be 100% effective and a lot of discretion is advised when opening or reacting to content received in an email message. To learn how to check if an email you have received is malicious, read this manual by the Electronic Frontier Foundation. Also, be aware of rogue software promising to protect your computer. | Unauthorised Access | Scenario | |
I want to communicate securely | There are two primary channels for communicating with others from your smartphone - using the mobile network (GSM, CDMA, etc) for voice and SMS messages, or using a data connection (e.g. to the Internet) over the cellular network. Different solutions for secure communications exist for each of the two channels, and each scenario below assumes both circumstances.
Generally speaking, privacy advocates and security researchers do not recommend using mobile phones or smartphones for (very) secure communication. There is a third way, however, to communicate 'off the grid' for smartphone users. Firechat uses the phone's wifi or bluetooth device to establish conversations with other users in the geographic vicinity. You do not need to connect to the cellular or data network. Messages between users in these temporal messaging rooms are, however, not encrypted. |
Surveillance Profiling your identity and actions |
Scenario | Phone |
I want to delete metadata from my files | Metadata is data about data. It is needed for our digital systems to work properly: for instance, it enables emails to be delivered correctly, helps us find files on our computer, and fundamentally makes it possible to navigate and manage digital content. But as it helps our navigation, it can also help others trace our activities. Every Word document, digital photograph, PDF, etc. you create will contain metadata. This could include information about the physical device you used, the location you were at, the time of creation and so on. It's important that you know how to locate and destroy this metadata from a given file. | Profiling your identity and actions | Solution | I want to destroy data |
I want to destroy data | Those rumours were true - computers cannot delete data. Information previously deleted on your computer, USB or SD card by using the standard delete > empty bin method, can be recovered. In order to destroy data you need to overwrite its physical location on the disk with new information. Specific tools exist for this purpose including Bleachbit for Windows and Linux, as well as CCleaner and Eraser for Windows. MacOS users can follow the techniques mentioned in this guide or recommendations regarding SecureTrash on the Apple website.
|
Unauthorised Access Data Loss |
Scenario | Data |
I want to ensure that my data is never lost | Whether through a malicious action or by sheer bad luck, data can be lost in many different ways. And if that data had been stored just in one device or location, it may be very difficult or even impossible to recover it.
The only way to not actually lose any information is to have an up-to-date and secure backup. The best solution, especially if your archive is sizeable and your Internet connection speed is basic, is to make several encrypted copies of your data on various portable memory devices If you want to keep an online archive of your files, there are many commercial and some free services offering encrypted storage. In choosing between them, look out for terms such as 'client-side' or 'end-to-end' encryption - that is where the provider cannot decrypt your data because it was encrypted locally, by your client. Peerio is an encrypted file storage and sharing tool with 1GB of free space. Mega also offers encrypted online storage and sharing with 50GB for free. There is a syncing feature to keep all your devices up to date. |
Data Loss Unauthorised Access |
Solution | Data |
I want to find out about existing options for authenticating email | Several systems have been developed in recent years to help email providers authenticate the sender of an email message. Most providers currently use an email authentication system to filter spam. If you are a Gmail user, you can understand how this works by reading Gmail's email authentication guide.
In general, you must rely on your email provider to perform sender authentication, but if you want to be sure and inspect some of the messages you receive manually, you will need to learn how to read message headers (sometimes called "message source") and authenticate them yourself with these online tools: If you would like to check that your email provider offers email authentication (for emails that you send to others), you can try the DKIM Validator website. Simply send an email to the address on that page and then click to view the results. These systems either confirm the domain name (e.g. @equalit.ie) that the message was sent from or check the sender's IP address against a list of known malicious addresses. |
Impersonation | Solution | I want to be certain of the recipient's identity (and vice versa) |
I want to have a private phone conversation | There is not much choice for having a private (encrypted) conversation using the cellular network. The CryptoPhone might be one of the few commercially available solutions, but both parties will need to have one for secure calls.
Android and iPhone users can rely on various tools that use a secure Voice over IP protocol or a VPN approach to encrypting your calls. You will need a steady data (Internet) connection and the same application for all conversing parties. Note that by "private" we mean conversations which are not accessible to anyone but the conversing parties. Android:
Multi-platform
|
Surveillance | Solution | I want to communicate securely |
I want to hide my traces | Your computer keeps trace of most of your activities. This includes the websites you visit, documents you've worked on, email attachments opened, etc. This information is constantly collected and stored as 'temporary files' on the computer. Since these files document your actions, they could give away a lot of information about you to anyone who might have access to your machine, so it may be prudent to delete such traces.
Bleachbit for Windows and Linux, as well as Ccleaner can destroy temporary files.
Using your browser in Incognito mode on Chrome or Firefox will prevent the recording of your browsing history and the download of cache to the computer. It will also disable cookie collection for that session and help prevent profiling. Additional browser settings on Firefox and Chrome will help you better control your data. If you want to be fairly sure that anyone getting hold of your machine will not be able to learn about what you've been up to, it is always advisable to encrypt your hard disk, and you can also consider using Tails, a live operating system that leaves no traces on the computer you are using (unless you ask it to do so). |
Profiling your identity and actions | Solution | Data |
I want to investigate other options | The only way to be sure that your email conversation is truly confidential is to use end-to-end encryption technology. Aside from that you would need to either:
Some suggestions for encrypted messaging services built as open-source software:
|
Surveillance Profiling your identity and actions Impersonation |
Solution | To send an email that no one but me and the recipient can read |
I want to know about options for private chat | If you want to have a private chat conversation with someone, you need to make sure that no one else but you and the person/s you are chatting with can read your messages (confidentiality), that the person/s you are chatting with are really who they say they are (authenticity) and that what you and the other people in the chat are writing is not tampered with by third parties (integrity).
In order to obtain all this, you need to use a tool offering end-to-end encryption and key verification. As most service providers (e.g. Google, Microsoft, Yahoo, Facebook) don't offer this service and can therefore read your chat record, it is a good idea to either switch to an alternative chat service that provides encryption by default, or to use software for encryption if you need to stick to those services. Take a look at the EFF's Secure Messaging Scorecard to see how they rate various chat clients that claim security properties.
|
Surveillance | Solution | Online Conversations |
I want to learn about circumventing Internet censorship | There are numerous ways to block a website. Luckily there are also many ways to get around these blocks. For a quick primer, look at the How to Circumvent Online Censorship guide by the EFF or the more detailed Floss manual on bypassing censorship, or a practical multilingual guide on how to remain anonymous and bypass censorship on the Internet from the Security in-a-box project.
The solution lies in connecting to the desired website via an intermediary server - and hiding this action from the censor. There are a number of tools and services to achieve this:
|
Censorship | Solution | A website I am trying to access is unreachable |
I want to learn about digital signatures | You've come to the right place! But all in due time: before you learn how to cryptographically sign your message, you first need to understand how email encryption works and generate a key pair, which is used to encrypt your messages, but also to digitally sign them.
By signing a message, you will be able to prove to the recipient that you are the actual author of the email (authenticity) and that the text has not been tampered with along its way from your computer to the recipient's inbox (integrity). For more information, you can read the Digital Signatures section on the Bitcoinbombs website and then a practical guide for your email client from the Security in-a-box website. |
Impersonation | Solution | I want to be certain of the recipient's identity (and vice versa) |
I want to learn about encrypting email | Excellent! It's a journey but one well worth taking. There are many guides about setting up and using public key encryption and it may seem overwhelming at first. A few helpful tips to remember when starting out:
Keep in mind that aside from encrypting your messages, you should also know about key verification, message signing and file encryption. Please make sure you refer to these sections in the given resources. Here's a list of guides, varying in the software methods they show as examples, by language and context, to help you get started and on the way:
|
Surveillance | Solution | To send an email that no one but me and the recipient can read |
I want to learn about secure audio and video conferencing | Secure telephony and video conferencing on the Internet did not exist until very recently, when ZRTP, a cryptographic standard for voice over IP (VOIP) conferencing was invented by Phil Zimmerman, the same person who gave us PGP encryption for email. ZRTP offers end-to-end encryption of the conversations and has been implemented in Jitsi and Linphone. Both tools encrypt audio and video conferencing and are available for use on all common platforms.
|
Surveillance | Solution | Online Conversations |
I want to prevent unauthorised access to my data | If you want to avoid that your documents are accessed by someone without your permission, you need to either encrypt them one by one (file encryption) or to store them in a secure space, which may be your computer, a storage device or just a part of them (disk encryption).
In order to create a secure space on your hard disk or storage device or encrypt the entire computer, you can use several tools:
|
Unauthorised Access | Solution | Data |
I want to protect my Email | Surveillance Profiling your identity and actions |
Scenario Starts | ||
I want to protect my computer from virus infection | Like its biological predecessor, a computer virus can be caught in a lot of different circumstances. It may be impossible to prevent your computer from exposure but a series of defensive mechanisms should be able to stop the infection. They include:
|
Unauthorised Access | Solution | Computer |
I want to protect my email account from unauthorised access | There are many things you can do to protect your email account from unauthorised entry or hacking. There are quite a few things your email provider should do as well, so pick one wisely. First and foremost your account must be protected by a good password. You also need to make sure that your computer is free from malware. | Unauthorised Access | Scenario | |
I want to recover data | Information previously deleted from your computer or removable memory card can sometimes be recovered. If your computer is broken and the operating system refuses to load, it may still be possible to recover data from the hard drive by booting it from a live operating system | Data Loss | Solution | Data |
I want to send & receive secure messages from my phone | Messaging is the most popular method for communicating on smartphones today. WhatsApp, SnapChat, Slack, just to name a few, and of course the behemoths that are Facebook messenger and Google Hangouts all offer messaging services. It's interesting to note that they are all working in silos - your friends and contacts need to use the same provider as there is no inter-service communication. In general, they are not considered private since the provider has access to your messages.
Messaging apps that perform end-to-end encryption and publish their methods and source code in the public domain are considered here as private messaging tools. You can see a review of multiple apps on the EFF's secure messaging scorecard.
|
Surveillance Profiling your identity and actions |
Solution | I want to communicate securely |
I want to send a pseudonymous email | There are two ways to go about this. One is to use an anonymity network (like Tor) to register and then send emails from a standard webmail account, as explained in EFF's How to create an anonymous email account guide. The other solution is to use a secure operating system and access your email provider from a public location, using a fake MAC address. Needless to say, in both cases your email account should be registered with a pseudonym, completely disassociated from any of your personal details and you must maintain rigor and vigilance whenever accessing this account. | Surveillance | Solution | I want to send an anonymous email |
I want to send a secure SMS (text message) | There really are not many options for sending private SMS/MMS without a data plan or access to the Internet from your smartphone. Android users have SMSSecure which was a fork of the original TextSecure application after they decided to remove support for SMS/MMS. There are no known iPhone applications for end-to-end SMS encryption. | Surveillance | Solution | I want to send & receive secure messages from my phone |
I want to send an anonymous email | There are several options for sending an anonymous email. One of which involves a pseudonymous email where any data identifying you or your location is stripped from the message. A level of technical experience is required as you move further down the anonymity scale in your email communications. This is especially true because of the problem posed by email metadata.
You can register a temporary email address (good for one day) to receive an email anonymously from the https://anonbox.net project. You can send an anonymous email using the Paranoici remailer service. It will wrap your email message in several layers of encryption, anonymising the metadata of your message. The 'easiest' way to send an anonymous email (containing no identifying metadata about the conversing parties) is over the Tor Hidden Service network. You can register an email account in Torbox (http://torbox3uiot6wchz.onion/) and access its webmail service from a Tor Browser or through a Torrified Thunderbird client. The recipient must use the same service for conversing with you. |
Profiling your identity and actions Surveillance |
Scenario | |
I want to share a document securely | If you want to share a document with a friend or two, without anyone else being able to access this document, several options are available. You can send your document as an encrypted email attachment, as described in I want to learn about encrypting email or use a stand-alone GPG4USB to encrypt one or more individual files. In either case, both parties need to have set up and exchanged their keys in advance - to decrypt the message they have received.
You can also use an encrypted messaging service or do a file transfer if both parties have set up a secure chat session. |
Surveillance | Solution | Data |
I would like to connect to a website anonymously | This topic is covered in I want to be anonymous connecting to the web in the section Identity or Location. | Surveillance | Solution | Access to the Web |
I would like to connect to a website securely | Connecting to a website securely means several things, all of which contribute to secure your access to the websites you visit:
Read the Better Browsing guide by RiseUp for details on how to browse with greater security in Firefox or Chrome (in general, these are the recommended browsers when discussing security).
The HTTPS Everywhere browser add-on by the Electronic Frontier Foundation ensures that you connect securely and with trusted credentials to thousands of websites.
In all cases, make sure that your computer's operating system is up-to-date, that you are using the latest version of your browser and that you are running anti-malware protection. Install the recommended extensions from the RiseUp guide and review the How Do I Protect Myself Against Malware? guide from the EFF.
You may also wish to use an anonymity network or a VPN to reach the desired website as explained in the I want to be anonymous when browsing the web section. |
Surveillance Profiling your identity and actions |
Solution | Access to the Web |
I would like to prevent others from accessing my computer | Barring physical access to your computer may be a logistical challenge: in most cases there will be moments when it is left unattended. Nevertheless, you can prevent others from getting any of your personal data out of it by using strong passwords and disk encryption. A laptop with a TPM chip can encrypt the entire drive and secure the computer from booting to unauthorised parties, using BitLocker for Windows (Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8) and dm-crypt for Linux. Mac users can encrypt the disk using the built-in FileVault feature. | Unauthorised Access | Solution | Computer |
I'd like to have an anonymous conversation | In order to have an anonymous conversation, you need to connect to the network anonymously or via a service that protects your identity to enable anonymity. In general, what you have to look for is a tool or a service that hides your IP address, as explained in the Identity or Location section.
|
Profiling your identity and actions | Solution | Online Conversations |
I'm worried someone is trying to lure me with a fake email (phishing) | Receiving messages asking you to click on a certain link, reply with private and sometimes confidential data or open an attachment, could also be a Phishing attack. Targeted attack messages - whereby the content is specifically tailored to be relevant to you are known as spear phishing. In the everyday humdrum of working life, reading dozens if not hundreds of emails per day, it is quite easy to mistakenly click on a link or open an attachment, without giving a second thought to the sender's identity or intent. Targeted attacks (an email purportedly from your friend or your boss) are even harder to detect. Please review the How to avoid phishing attacks guide from the EFF.
Some of the bigger email providers like Gmail or Hotmail offer help to detect and report phishing attacks. The NetCraft tool can protect your web browser from accessing known websites used for phishing re-directions. Firefox users can also install additional add-ons to double-check a site's validity before visiting it. In principle you should:
|
Unauthorised Access | Solution | I want to be protected from malicious emails |
… further results |