Full English version

Contents

Resource Kit



Resource Kit

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

0

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Document Outline

The training curricula will accompany digital security trainings. It is separated into sections applicable for the trainer as well as participants. Its purpose is to provide a framework within which trainings will be organised and lead. It will also act as an additional resources to participants wanting to review the training's documentation and lesson learnt.

The trainings and accompanying curricula is designed to guide a non-technical user to understand the issues and technologies that may affect their work and personal safety, as they relate to digital security.

Trainer's Resource Kit

The 'Trainer's Resource Kit' accompanies trainers when leading a digital security workshop. It comprises of a series of training modules on each of the included software tools, a guide to building a suitable and effective curricula for the session, as well as hints and tips on how best to organise a training, security considerations, understanding participant's needs and training methodology.

All trainers undertaking a digital security workshop should make themselves familiar with this Resource Kit. It will aid in planning a training, understanding your audience's needs and ability to receive information, help to avoid some of the common pitfalls for training preparation and execution.

The Audience

The audience should be considered non technical and in need of solutions to improve and secure their working practice. The audience is made up of people from different language backgrounds, but English is assumed to be to the common language of communication. They may be highly stressed and overworked, thereby limiting the length of sessions and volume of information that can be presented at one time.

The Trainer

The most important element of any training is the trainer him or herself. Their job is comprised of preparing the agenda and hand out materials, ensuring the training space is equipped with sufficient computers and Internet access, as well as the comprehensive and communicative presentation itself. The trainer should ideally present in the audience's first or common language and be aware not only of the many technical issues, but also of the audience's needs and cultural specifics.

Technical requirements from the trainer include familiarity with all content presented in the curricula as well as the Digital Security Toolkit and the Digital Security & Privacy for Human Rights Defenders manual. A strong background in Windows XP – 7 and relevant software will aid the trainer during workshops. Additional expertise may be needed in accordance with the audience's needs. This may include experience with mobile telephony and popular platforms of 3G handsets (iPhone, Anroid, BB).

Communication

The technique and skill in explaining methodology and tools will be the most important element of a training. The trainer must at all times imagine themselves in the participant's shoes and carefully weigh the language and terms used for presentation. There should not be an unjust assumption as to the prior technical knowledge of the participants or their eagerness to learn any of the presented topics. All exercises and software 'walkthroughs' must be tested in advance and in consideration of the participants' needs and equipment at hand.


Technology trainings' can be dull if the speaker does not make an effort to relate difficult topics to everyday situations and appeal to the real life experience of the participants.


At no time should the trainer assume a manner of technical superiority nor should they explain topics as 'easy' or 'straightforward' as this can bring down morale of individual participants and implant an understanding that only very technical people can understand this material. When helping the participants perform certain actions on their computer, the trainer should never take control of their mouse or keyboard and give all instructions verbally.

It is incredibly advantageous to present information to an audience in a language they understand, i.e. not through a translator. Although there is an existing assumption trainings will be conducted in English, software discussed and used during the trainings is localised into multiple languages. It is recommended that participants install and use software in a language they feel most comfortable in, to ensure comprehension and uptake.

Training space and equipment

Every digital security training will require:

  • Digital projector and screen
  • At least one computer between two people, preferable one each
  • A whiteboard and flip-chart
  • Internet connection
  • one USB memory stick per participant

Internet connection

An Internet connection (for the whole room) is required to teach any Internet related topics, like secure email, instant messaging, censorship circumvention, etc. Certain Internet ports should be accessible to ensure functionality for software like Tor, Pidgin and others. Most of the software can be run successfully over ports 80 and 443. Thunderbird with Gmail or Riseup will require open ports: 26, 465, 587 and 993. It is preferable that there are no proxy server settings on the local network, however all software tools that may be affected by this issue, can be configured to work over a network proxy. To ensure these settings, you may need to be in prior contact with the network administrator (if any) for the training space you are going to be using.

Since some exercises will require all participants being online at the same time, it is recommended to have at least 128Kb p/s for every 5 attendees (speed limit is based on standard DSL connection).

Computers for people

At least one computer/laptop between two participants is recommended. Participants should try out every exercise themselves and not merely look over someone else's shoulder. Ideally the operating system should be the same on all computers. Due to the internal IT policies, installation of new software may only be done in advance of the training with IT helpdesk's support. Alternatively, only portable software may be loaded and used from the participants' USB memory sticks.

USB Memory Sticks

The majority of software titles necessary for a digital security training can be run entirely from a USB memory stick. A necessary amount of new USB keys, already configured can be bought in advance and distributed to the participants. This will save time during the training and may reduce the risk of passing on viruses between the participants' computers. Some software titles need to be installed on the operating system in order to function properly, and they are described as such in 'Software Modules' section of this guide.

Security Considerations

The trainer should lead with examples of good security practices which includes event planning.

  • Training location: The venue for the training may likely be in an official training centre but may also take place in a different venue in lieu of available space, equipment and other considerations. The local organisers should be allowed to decide where they feel most comfortable in carrying out this event.
  • Pre & post event communication: Should be conducted over a secure channel and as early as possible to ensure time for preparations and participants' attendance
  • Photos, paper documents and carry-away materials: Although customary in many cultures, try to avoid unnecessary photo and video documentation of the event.
  • Bear in mind that handouts the participants take home with them, including printouts of your presentation, CDs and USB memory devices may be inspected and confiscated by the local security services. Try to reduce any paper trail and demonstrate how to hide and obfuscate information on digital devices.

Evaluating user needs and environment

The trainer needs to understand, in advance, the issues and problems facing participants and what it is they hope to take from the training. There are several common areas of learning that would apply in most cases. Additional information should be sought by the trainer, from the participants and can be done in the form of a pre-training questionnaire (see below).

The most important and difficult task of a digital security trainer is to promote security practices and tools in a holistic manner. There is no one fits all solution to any problem on a computer or the Internet. Better security comes from having awareness of the risks and vulnerabilities as well as access to and familiarity with many different security software and topics. The trainer must present his/her audience with a suitcase full of solutions and continually promote an all inclusive approach to implementing them.

Resource Kit/Questionnaire



Questionnaire

  • Subsections


Add or edit subsection:

Position

0/1

TypeLesson
Section ofResource Kit
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Preliminary questionnaire for training participants

  1. What are your main needs from a computer/Internet? What do you use them for?
  2. Do you fix computer problems/faults yourself, or do you have someone who does it for you?
  3. Do you share your computer with anyone?
  4. Do you know if currently, your computer is free of viruses and other malicious software? How can you be sure?
  5. Do you make a backup of your information (if so, please explain)
  6. Do you run a website, blog, forum? (if so, please explain how you run it and how you post information on it.)
  7. Have you come across electronic insecurity in your work or private life before? What were the problems and how (if) they were resolved?
  8. Has your office/home ever had a break-in?
  9. Do you have any security procedures in your home/office? Are any of these related to your computers and the information stored on them?
  10. What topics would you like to see covered during the digital security workshop?

    Password management



Password Management

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

2

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Lecture on the need for good passwords in everyday computer operations; definitions of good password characteristics and a practical session on remembering passwords through the use of Mnemonics and password management software.

Links:



Password Cracking

  • Subsections


Add or edit subsection:

Lesson typeDemonstration
Minimum time10
Maximum time20
OptionalityRequired
Position

2/1

TypeLesson
Section ofPassword management
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

A password is usually the first and often the last line of defense for information systems. Participants need to be convinced during this lesson that it is not reasonable or secure to have a weak password protecting important information nor is it a good idea to have one strong password protecting all the user's different accounts.

Password Insecurity

Discuss password profiling, social engineering attacks and installation of keyloggers, via email or drive-by downloaders.

Demonstrate how a password cracker works. Demonstrate Windows password crackers, like Ophcrack; Advanced Office Password Recovery and the winlockpwn attack over a firewire cable.

Install Cain on a local machine and demonstrate the withdrawal of its local passwords.

Ask one of the participants to prepare a Word document with an easy password, and crack it using Advanced Office Password Recovery for example.

Ask the participants to test out their favourite password's security from http://www.cryptool-online.org/index.php?option=com_cto&view=tool&Itemid=159&lang=en

Goal

Explain the principles of brute force and the need for password complexity.

Trainer's notes

You'll need to prepare in advance for password cracking and make sure you've tested your software. You'll need Rainbow Table for opchrack. The trial version of AOPR can only crack 4 character passwords.

Password management/Mnemonics



Mnemonics

  • Subsections


Add or edit subsection:

Lesson typePractical
Minimum time10
Maximum time20
Position

2/2

TypeLesson
Section ofPassword management
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Whilst its difficult to remember complex passwords, techniques such as mnemonics can make this process easier. Using acronyms people can create passwords from easy to remember phrases or sentences.

Exercises

Demonstrate how to turn a sentence into a password, using minuscule and capitals characters and substituting certain letters for numbers. Ask all participants to create their own password using mnemonics and a piece of paper/pen. Go around the room to see if they can recite their own passwords.

Trainer's notes

The of this exercise is to create confidence in participants ability to create and remember a entirely in their head, without writing it down on paper. Passwords they create and remember with mnemonics can be later used as the Master Password in Keepass or other instances.

Password management/KeePass



KeePass

  • Subsections


Add or edit subsection:

Lesson typePractical
Minimum time30
Maximum time45
OptionalityRequired
Position

2/3

TypeLesson
Section ofPassword management
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Installation

Walkthrough Standard installation. Creating the master password. Saving the database.

Trainer's notes: Keepass can only use localisation files if the Windows OS supports the locale language.

Practical Ask users to enter their existing passwords into KeePass. Practice creating new passwords with KeePass. Practice saving the database. Move passwords from the program to the desired location, such as webmail login. Discuss the security of the master password and its advantage over the user remembering all their passwords in their head.

Trainer's notes: Make sure participants SAVE the database after every new entry. Go through some of the settings in the Options menu, such as auto-locking and minimising to the system tray and the time limit for the clipboard memory.

KeePass backup and restore

Create a backup of the password database on USB memory stick. Email the backup file to yourself.

Trainer's notes: Differentiate between KeePass software and database file. Make sure files are copied and not moved to USB stick. Explain that the password databases are encrypted and cause no harm from being stored in insecure email accounts.

KeePass exercises

  1. Ask the participants to change computers with someone else and access their KeePass database from it
  2. Ask the participants to find within KeePass settings an option that controls how long a password will stay in clipboard memory (Tools > Settings > Memory)
  3. Initiate a race between someone using KeePass for webmail login, and another manually inserting a password you created in advance from a piece of paper
Trainer's notes: Remember to reiterate the importance of the master password strength.

Internet Communications Security



Internet Communications Security

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

3

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



This module explains the inherenent insecurity of standard Internet commuications and introduces email and instant messaging services that offer encrypted channels of communications. Public Key Encryption for an additional layer of security is covered as well

Links



Introduction

  • Subsections


Add or edit subsection:

Minimum time20
Maximum time40
Position

3/1

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Email insecurity

Explain and demonstrate the problems of insecure email communication. Demonstrate how some services provide secure login but insecure account use. Draw a diagram of an international communication channel, explaining the route taken by email and the point of surveillance that may exist along this route.

SSL webmail

Email communications are insecure by default, both due to the open nature of the Internet and reliance on the provider of the service. Internet surveillance systems, installed on local and national network can easily read unprotected email. In most cases, secure email must be present on both sides of the communication channel, to maintain privacy.

The two main differences between the RiseUp and Gmail services are the space offered for the mail accounts and their respective owners. Whereas RiseUp is run by a group of activists who take great effort and pride to ensure data stored on their servers is not accessible to anyone, Google allows automatic scanning of content by their advertising agent and may be more susceptible to US and other governments pressures interests and influence.

Trainer's Notes: Choose carefully which of the two services to present. This will depend on the audience and their country of operation. In circumstance where hosting email within US jurisdiction may not be desirable, RiseUp should be the preferable option. Otherwise, Gmail offers a better quality of service and much more space. It is also easier to register and promote to other users.

The ideal scenario is that the communicating parties settle on using a similar service. Many participants may already be using Gmail. In this instance you may register the rest on Gmail as well, show the security options and demonstrate Google Apps.


Trainer's notes: Use trial IM sniffing software or wireshark for demonstration. Prepare in advance to make sure the demo works for you (your network card, OS). Choose local/popular (according to your audience) email services for demonstration.

Internet Communications Security/Email over SSL



Email over SSL

  • Subsections


Add or edit subsection:

Lesson typePractical
Minimum time80
Maximum time110
OptionalityRequired
Position

3/2

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Registering Riseup or Gmail

Walkthrough

Trainer's notes: Sometimes, newly created Riseup accounts do not login. Try and test this feature beforehand. Make sure to receive the global invite code from the coordinator.

Using Riseup or Gmail

Demonstrate Squirrel Mail and IMP, discussing their differences. Show the virtual keyboard for login. Set webmail options to expect the users country encoding (if relevant). Ask participants to email each other, and yourself. Quick walkthrough of the user panel (https://user.riseup.net)

Demonstrate the Gmail services, including Google Docs. Explain how to 'force https' option in the settings and configure other services such as IMAP forwarding, add-on accounts and low-html options.

Trainer's notes: If most participants are used to using Outlook or similar programs to read email, demonstrate how to configure Thunderbird to access email from Riseup or Gmail over secure channels.

Exercises

If people are wary of switching from their current insecure email accounts, ask them to investigate whether auto-forwarding of emails from their old account to the new is possible.

Ask the participants to create a document in Google Docs and share with others. Suggest a race for the first document with edits from 10 different users in the room. Repeat exercise with the Calendar, asking the participants to create an event and invite others . The winner is the first person whose invitation is accepted by five others.

Internet Communications Security/Public Key Encryption



Public Key Encryption

  • Subsections


Add or edit subsection:


Lesson typePractical
OptionalityOptional
Position

3/3

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Explain the public key encryption process and its application to email. Discuss key validity and fingerprints, as well as the need to distribute the public key and fingerprint by different channels.

Trainer's notes: Try to use props in demonstrating the public/private key methodology. Keep the principle as simple as possible without reverting to complex explanations and terminology. In essence, the need to distribute the public key freely and the ability to check the validity of someone else's key are the only topics that need to be concrete in the participants' minds to proceed further. Leave digital signatures to a later session if everything else goes well. Refer to the documentation to help prepare for this session.

The most important message is that all communicating parties need to understand this process and have swapped keys in advance for this type of communication to be effective. Participants must understand how to teach others (their colleagues and contacts) the methods you have just explained.

Creating a key pair

Trainer's notes: Since we will use PKE only for email encryption, you will need to install the Thunderbird + GnuPG + Enigmail package and set it up to Internet_Communications_Security/Email_over_SSL read an email account, before proceeding further.

Lead the participants through creating a key pair via the Enigmail interface. Make sure to go slowly and explain expiration dates, private key storage and backup. Upload the public key to a keyserver (e.g. http://keys.mayfirst.org/) and set the trust options on the private key as required.

Advanced Key Management & Digital Signatures

Explain and demonstrate the process of digitally signing a message with a private key. Explain why it is needed and when to use.

Demonstrate key signing and verification. Ask participants to verify and sign each other's key, using a keyserver as the reference point to upload keys verified. Explain the PGP Web-of-Trust model (http://en.wikipedia.org/wiki/Web_of_trust).

Encryption in Outlook

Optional If all participants are using Outlook (2003 and lower), demonstrate how to install http://www.gpg4win.org paying attention to include the GPGol extension. Note that this plugin works only up to Outlook 2003 and does not encrypt/decrypt attachments or PGP/MIME.

Trainer's notes: GPG4Win does not automatically integrate with Outlook when using MS Exchange. Email content must be d/encrypted using the PGP tray icon and the Clipboard or Current Window functions. In fact, you may use any email or webmail client to demonstrate PGP security.

Portable Option

The http://gpg4usb.cpunk.de/ tool and relevant guide http://gpg4usb.cpunk.de/ can be used to encrypt/decrypt text messages directly from a USB stick without the need to install an email client. This is a useful option for those who wish to continue reading and sending webmail.

Exercises

  • Ask the participants to exchange their public keys with each other by or through the keyserver. Stress the importance of key verification and communicating the fingerprint via an alternative channel.
  • Ask the participants to encrypt an email message to the entire group. Follow up by showing the options of encrypting attachments
  • Set up Enigmail to successfully verify people's digital signatures (this will involved the recipient of the message to set the sender's key trust to maximum)

    Internet Communications Security/Vaultletsoft



Vaultletsoft

  • Subsections


Add or edit subsection:

Minimum time60
Maximum time120
Position

3/4

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Even when using SSL email services you still need to rely (trust) on the provider of the service to keep your information private and secret. There is a solution in today's communications that will protect the content of your messages from everyone, apart from the recipients. The technology is known as encryption and it can be performed manually (as you will be shown with PGP Desktop) or by using an automated tool. The first method requires a good understanding of complex concepts, leaving a lot of room for user error. Vaultletsoft however, performs all encryption automatically, leaving the user just to remember their login passphrase. It has exceptional other features to increase the privacy of the communications channel.

Trainer's Notes: Whether you have already covered one of the SSL Wembail service above or are skipping directly to presenting Vaultletsoft in this module, you will need to explain to the audience how this service differs from SSL only connections. Talk in brief about message encryption and the privacy gains from the service provider.

Installation

Standard installation and registration as per the http://en.security.ngoinabox.org/vaultletsuite_main.html

Log in and log out several times to make sure everyone is comfortable with the process.

Trainer's notes:

  • Make sure to have the latest Vaultletsoft software so as not to force mandatory updates during presentation. Offer those participants with their own laptops to install the software and those using someone else's to run the portable version of the USB key. In each instance recommend the correct method of installation. If you feel that your audience is interested and capable – choose the Hands on for Mobile Data method of registration. Make sure the participants understand where their Vaultletsoft files are located.
  • Explain the differences between the registration processes (Easy / Control / Mobile). Only the Control option offers to store the private key on the user's computer, USB stick. This is necessary if the user does not want to trust Vaultlet with storing their private key and is an important security distinction.

Using Vaultletsoft

Demonstrate the sending and receiving of email, archive functions and the difference between storing email on the Vaultlet server or on the computer/USB device. Demonstrate VaultletFiler and how to upload/encrypt documents to it, as well as extracting them.

Extra Features

Demonstrate the Half-life, Scope Control and Special Delivery features. Ask the participants to practice with them, sending specially encoded messages to one another. Ask participants to send an email from their Vaultletsoft account to an external email address they own.

Trainer's Notes: To activate these special features, participants will need to have a Blue account. Their initial free accounts can be upgraded in the VaultletSuite 2 Go menu, by choosing My Account > Display Account Manager. Enter the 'VS2GO4U' code in the Promo Code area. The account will now be classified as Blue.

Internet Communications Security/Instant Messaging



Instant Messaging

  • Subsections


Add or edit subsection:

Lesson typePractical
Minimum time40
Maximum time100
Position

3/5

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Instant Messaging is a very popular common way of communicating with friends and colleagues. However it is incredibly vulnerable to the world of Internet surveillance, password sniffing and impersonation. Secure IM uses similar principles to secure email for establishing private conversation.

Installation & configuration

Standard install of Pidgin client. Alternatively you can run the portable version with the plug-in already installed and configured. Add the participants Google account into Pidgin, making sure that SSL connections are forced.

Pidgin does not support audio or video capabilities.

Notes for later addition

Using Pidgin

Demonstrate how to add, authorise buddies in Pidgin and let the participants register each other, initiate IM sessions between each other. Security features such as chat logging, remembering the account password, privacy settings. How to add additional accounts for different IM protocols.

Trainer's notes: The next exercise will require people to chat with each other, so participants in the class need to add each other to contacts.

Off the Record Messaging

Generate a key for this identity. Examine its fingerprint. Discuss and demonstrate how to lead secure, and authenticated chats with OTR. Participants should engage in secure and authenticated chats with the trainer and each other. Attempt file sharing over an encrypted channel.

Trainer's notes:

  • OTR does not support group chats.
  • You could demonstrate message security by showing network sniffing tools (e.g. wireshark) to demonstrate the encryption. Alternatively you could demonstrate the Pidgin+OTR conversation in Google Talk window where the messages will appear scrambled.

    Internet Communications Security/VoIP



VoIP

  • Subsections


Add or edit subsection:

Position

3/6

TypeLesson
Section ofInternet Communications Security
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

We do not support or recommend Skype any longer due to:

  • Closed source and numerous reports of hacking Skype security
  • Dual-login functionality
  • Track record in China (TomSkype)
  • Recorded chat history
  • Automated login
As an alternative...

Disk Encryption



Disk Encryption

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

4

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



This module will discuss the security of information stored on a computer or digital memory device. Encryption will prevent all unauthorised people from accessing data it protects


Links:



Unauthorised File Access

  • Subsections


Add or edit subsection:

Lesson typeDemonstration
Position

4/1

TypeLesson
Section ofDisk Encryption
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Show how files stored on a computer and secured by a Windows password/login, can be accessed by a third party. Load the computer from an Ubuntu Live CD or USB and access the user files. Alternatively download the Windows Reset Administrator Password CD and demonstrate to the participants.

Trainer's notes: You will need a Windows computer with a login password to demonstrate the features. If you have the resources and technical knowhow, demonstrate the inception attack over a firewire cable.

Disk Encryption/TrueCrypt



TrueCrypt

  • Subsections


Add or edit subsection:

Minimum time60
Maximum time90
Position

4/2

TypeLesson
Section ofDisk Encryption
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Installation

TrueCrypt: Install on computer. Re-launch the package file and Extract the files to a USB stick to create a 'traveller disk'. Explain the difference between using an installed and portable version. Open the software folder and upload the necessary localisation.

Trainer's notes: Localisations depend on the Windows ability to handle the language locale. Both installations requires admin privileges on Windows.

Creating a volume

Follow the hands-on guides to create an encrypted volume. Explain the options for selecting the location to store the volume file. Explain obfuscation possibilities for the file extension (Truecrypt only). Mount and dismount the volume.

Trainer's notes: For ease of session, a 100 MB volume size is recommended. Don't get stuck on explaining algorithms and the random number generator. For Truecrypt, draw up a list of common large file extensions, e.g. .mp3, .mpeg, .avi, .iso and so on. Encourage people to use KeePass to create a strong password.

Exercises

  1. Ask the participants to create a document and to save it inside the encrypted volume.
  2. Create a backup of the dismounted volume (file) on the USB memory disk.
  3. Change computers and ask participants to open the newly created document.
  4. Rename the Volume file. Change its extension.


  1. Create a new volume (any size)
  2. Rename the volume file
  3. Organise a competition where participants swap USB memory sticks and try to guess which file is the one containing the Truecrypt volume.

Trainer's notes: Make sure to explain the difference between the software and the volume file - you need one to access the other with. Emphasise that when dismounted, the file can easily be deleted.

Editorial note: In May of 2014 the TrueCrypt website announced the project was ceasing development following the discovery of a serious security vulnerability in the code. Users were recommended to find an alternative solution. However since that time, an independent, open source project to audit the software has been undertaken and the subsequent review of this audit concludes:

"The remaining issues are less severe, but still important enough to at least do the "short term fix" in Phase 1. They are issues like integer overflows and errors in the kernel driver checking file permissions and names. They are real security holes, but assuming there is only one user on the machine and no malware to exploit the holes (big IF), then they should not cause problems.

After reading this audit, we would recommend that TrueCrypt 7.1a remains safe for use"

Disk Encryption/Hidden Volumes



Hidden Volumes

  • Subsections


Add or edit subsection:

Position

4/3

TypeLesson
Section ofDisk Encryption
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

This session requires a thorough explanation to the concept and reasons behind creating a hidden volume, and the best way to keep its existence concealed. Stress the importance of choosing the right size for the hidden volume and the need to keep the outer volume prepared for surrender and inspection - the need to hold files that will satisfy the adversary in there

Trainer's notes:' Its advisable that a hidden volume is created from scratch, then the exercise is repeated to create the hidden volume inside the original standard volume (from a previous session).

Creating a Hidden Volume

Follow the guidelines as per https://security.ngoinabox.org/en/truecrypt_hiddenvolumes. Make sure that the password for the hidden volume is NOT the same as for the outer. Do not enable the disk protection feature, since this could expose the existence of the hidden disk.

Demonstrate the difference between accessing a hidden and standard volume. Discuss the most effective password policy for the user's needs.

Trainer's notes: It is always best to draw the standard/hidden volume during explanation. Try first to create a hidden volume inside the existing standard one. Explain that in the instance of running a hidden volume, the users need to remember the standard password by heart and keep the hidden volume's password safe in a different location (e.g. KeePass)

Advanced exercises (Truecrypt)

  1. Create a 1MB volume, a 1/2 MB hidden volume within it.
  2. Populate the standard volume with documents prepared for 'surrender' and the hidden one with sensitive files.
  3. Upload the volume to an online file server (e.g. adrive.com) or to an email account.
  4. Change computers, download the volume and open the hidden disk

    Deleting Data



Deleting Data

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

5

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



This modules covers three important issues regarding data recovery, deletion and the cleaning up of history and tracks left behind by the user after each computer session. The data recovery lesson also exemplifies the need for correct data deletion and the sessions can be presented in that order.

Links



Recovery

  • Subsections


Add or edit subsection:

Minimum time30
Maximum time60
Position

5/1

TypeLesson
Section ofDeleting Data
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Demonstration

Explain the consequence of standard delete procedure on Windows OS. Demonstrate file deletion from a computer, USB memory stick, digital photo or video camera (using flash memory). Display the deletion on the projector or on the digital device to the participants. Install and run Recuva (or similar software) to retrieve the deleted files.

Trainer's notes: You must test this in advance as often, OS irregularities prevent the discovery or recovery of deleted files. However, in most cases all of the examples above work smoothly. Other tools to use could include http://www.handyrecovery.com, http://www.officerecovery.com/freeundelete, http://undeleteplus.com/

Note that free undelete tools are much much less advanced than proprietary services, especially laboratories that specialise in data recovery. You should stress to the audience that damaging the media device will not erase its contents and a dedicated laboratory will be able to restore it. Only overwriting digital data with other data is an effective method to wipe its contents.

Its advisable to run the undelete software from the computer itself, not a portable version.

Demonstration

It is also possible to suggest using data deletion and recovery as a strategy. For example, photos taken during a protest on a digital camera can be deleted by the photographer who is expecting a search of his equipment. Arriving home, the photographer can undelete these photos using one of the above tools. It is important to stress that once deleted, new photos should not be taken on the same advice as they will overwrite the wanted material.

Exercises

  1. Participants are asked to create documents on a USB stick, delete it, then restore it
  2. Participants take digital photos on their camera or mobile phone, delete them on the device itself then attempt to recover them
  3. If using rented or public computers, participants can spend some time looking for 'compromising; material deleted on those machines

    Deleting Data/Wiping



Wiping

  • Subsections


Add or edit subsection:

Minimum time30
Maximum time60
Position

5/2

TypeLesson
Section ofDeleting Data
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Discuss the realities of digital data storage and subsequent problems of normal data deletion. Move on to data recovery and coming out of that explain how 'free space' on a computer could still hold many old files. Briefly introduce the process of wiping data and the methods that exist to do so. Explain the purpose of multiple passes and the relevant time requirements. In summary, or at the end of the session describe the difference between Ccleaner and Eraser, the main of which being that Ccleaner's original function was to wipe temporary files - although now it also does standard file wiping and free space.

Trainer's notes: introduce and stick to a new naming convention that distinguishes between deleting and permanent deleting (wiping or erasing).

Installation

Standard installation. Successful installation will display the Eraser icon in the Windows System Tray after reboot and will enable Eraser options on the Windows Explorer right-click menu.

Trainer's notes: Although available in portable version, it is not recommended to use Eraser from a USB stick. You should also choose between the installation of Eraser 5.8 and 6.X The latter version does not have the 'Secure Move' function. It is not proven whether the latter version is more effective in wiping data, free space.

Configuration

Set the wiping preferences, explaining the reasons for the number of passes. Talk about file wiping and free space. In Eraser, explain the 'swap' file option, password protection and scheduler.

Wiping Data

  1. Perform a file wipe using the Explorer extension.
  2. Perform a folder wipe using the Explorer extension.
  3. Perform a file & folder wipe using the Eraser interface.
  4. Perform a secure file move (from the computer to the USB memory stick) using the Eraser Explorer extension.

Trainer's notes: Prepare a set of files and folders for erasing in advance. Optionally, ask your participants to create the files and folders themselves. Do NOT wipe 'real' user documents.

Wiping free space

  1. Ask the participants to 'Wipe Free Space' task from the USB memory stick
  2. (Optional) Perform a free space wipe of the C: drive

Trainer's notes: Make sure that only one pass is chosen for the free space wipe session, otherwise it will take too long to complete. You could schedule a coffee break to occur during the wiping process. It may be interesting to try undelete software at the end of this process to ensure participant's of its effectiveness.

Additional software descriptions

The patterns used for overwriting are based on Peter Gutmann's paper Secure Deletion of Data from Magnetic and Solid-State Memory (the one who recommends the 35 pass method for secure deletion) and they are selected to effectively remove magnetic remnants from the hard drive.

Other methods include overwriting with pseudorandom data. You can also define your own overwriting methods.

Deleting Data/Temporary files



Temporary files

  • Subsections


Add or edit subsection:

Minimum time60
Maximum time90
Position

5/3

TypeLesson
Section ofDeleting Data
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Introduction

Discuss the creation of temporary files from working on documents and browsing the Internet, the vulnerabilities to privacy and security this can cause. In summary, or at the end of the session describe the difference between CCleaner actions and Windows File Cleaner. 

Trainer's notes: If there is sufficient time, trainers are advised to demonstrate both Ccleaner and Eraser. Should there only be time for one lesson, Ccleaner is preferred since it also performs data wiping and free space wipe.

Temporary files

Show the location of Windows, Internet Explorer and Office temporary files. View their content, including cookies and Internet cache. Demonstrate how temporary files are created.

Discuss and demonstrate existing methods for cleaning temporary files including the Windows 'Disk Cleanup' option, Firefox's 'Clear Private Data' and IE's possibilities for cache and cookies deletion.

Installation & Configuration

Standard installation. Select the required interface language and set the cleaning options to wipe.

Trainer's notes: Ccleaner can also be run as a portable version from a USB stick.

Using Ccleaner

Explain the categories to clean within the 'Windows' and 'Application' tabs. Ask the participants to select the desired (preferably all) options and to Analyse their disk. Examine the results of a scan and proceed to cleaning (wiping) the temporary files.

Trainer's notes: Make sure that the participants are not relying on their browser History, auto-fill and similar features, as these will be deleted. Inform them that the history of all their activity on this computer and the Internet will be wiped.

Note that a full scan may take a long time complete, especially on computers that have several years of temp files built up. You may want to schedule a coffee or lunch break in-between this module.

Advanced exercises

  1. Discuss the Windows registry and its role in carrying information on current and past software installed.
  2. Scan the registry for errors and clean
  3. Display the Tools section of Ccleaner and discuss its applicability in obfuscation of installed software.
  4. Work with the Ccleaner Explorer menu, including the Recycle Bin

    Internet Anonymity



Circumvention & Anonymity

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

6

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Data retention, Internet surveillance and website filtering have made the Internet a closed and controlled environment in many countries. The majority of these practices function on the identification of the client and the host - namely our IP and the IP of the webservice we are seeking. Anonymysing these identifiers renders much of this technology irrelevant.

Trainer's notes: You will need a fast Internet connection for a group session, preferably without a network proxy. USB memory stick for Tor Browser portable

Links



Tor

  • Subsections


Add or edit subsection:

Position

6/

TypeLesson
Section ofInternet Anonymity
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Installation & configuration

Standard installation of the Vidalia bundle, including the Torbutton add-on in Firefox. Reboot computers. Launch Tor and make ask participants to not touch anything on the Vidalia control panel whilst ot loads (otherwise it has a tendency to crash at this moment). View the Vidalia Settings window and describe the connections options in 'Network'. View and briefly describe the message log.

Trainer's notes: Always test Tor in advance on training premises. The initial connection will require a download from the Tor network of around 1MB per computer. Take this time into consideration. Alternatively, you may only showcase the portable version of Tor - created by you with the recent Tor connection file downloads already present.

Connecting to the Tor network

Once connected, open the Firefox browser and describe the Torbutton and its features. Show how to switch between using Tor and standard connection. Visit IP or geo-location identifying websites (e.g. http://hostip.info). Attempt to access restricted websites (if any).

Demonstrate the two connection options if behind a firewall or proxy server. Direct Tor traffic over the standard http/s ports.

Trainer's notes: Stress that Tor may be slower than normal Internet connections due to the number of proxies and encryption used to make a website visit. It should be usable on any stable and 'higher than dialup' Internet connection.

Google's geo-IP identifier presents the country relevant search page.

Its important to remind users to test the location of their exit node, just in case it proves to be on a country that restricts free access to the Internet (e.g. China). Always stress that Tor is used for anonymity and not privacy. It does not make your webmail more secure and if you are using non https accounts, the Tor exit node will know your login name and password.

Advanced Tor connections

A short discussion to the possibilities of blocking Tor leads to a demonstration of the Tor bridges system. Describe its purpose (for helping those in countries where Tor is blocked) and try to find bridged connections to Tor.

Trainer's notes: If you need to explain how to create a bridge, talk about opening ports on the firewall and port forwarding if need be. Try to demonstrate the feature on a local router.

Internet Anonymity/Internet surveillance and censorship



Internet surveillance and censorship

  • Subsections


Add or edit subsection:

Position

6/1

TypeLesson
Section ofInternet Anonymity
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Demonstrate how data and website requests travel on the Internet, the WHOIS databases and how website filtering is achieved. Draw a diagram explaining circumvention with proxy servers and explain the advantages of Tor. Demonstrate the network traffic generated by Tor.

Trainer's notes: Use wireshark and etherape for demonstration of network traffic. Prepare in advance to make sure the demo works for you (your network card, OS). With enough time and research, prepare a brief overview of past and present circumvention technologies, including http://peacefire.org, http://psiphon.ca, web translators, http accelerators, and so on.

Mobile Communications



Mobile Communications

  • Subsections


Add or edit subsection:

Minimum time
Maximum time


Position

7

TypeModule
LangEn
  • Last modified: 6 August 2013 17:18:20


  • русская версия



Mobile Communications

Ideas for module

Links