Insights For Success

Strategy, Innovation, Leadership and Security

OPSEC - Security when making calls

General | Edward Kiledjian

RELATED: OPSEC - Introduction to Malware

RELATED: OPSEC - How to securely delete files

If you are making calls using a cellphone or landline phone, you should assume that your conversation can easily be intercepted by the carrier providing the service (or by a government agency that has control over that carrier). Security researchers have even proven that with $1,500 in parts, they can build a device that intercepts cell phone calls by pretending to be a cell tower.

Regular phone calls on your cell phone (including SMS and MMS messages) are easily intercepted and should be considered insecure.

What about VOIP?

VOIP stands for Voice Over IP, and any app that allows you to make voice calls is typically using VOIP (WhatsApp, Skype, Duo, etc.). Many carriers have started offering Voice Over Wi-Fi and Voice Over LTE. VoWiFi and VoLTE have the same security (or insecurity) as making a regular call using your carrier's normal cell network.

Some VOIP software offers decent or good end-to-end encryption. These require both parties to have the same software and typically call out that they use encryption in their literature. But be careful, not all encryption is created equal. Telegram Messenger advertises that it is secure but a deep dive into its model shows it uses "bad" (my opinion) encryption and shouldn't be trusted.

RELATED: Telegram Messenger isn't as secure as you think

So some VOIP services offer good reliable encryption and others don't. Here are the ones you can rely on.

Signal

I have written about the free open-source Signal messaging app for years. Signal is the de facto reference on how to build solid end-to-end encryption. Their model was so good, they helped WhatsApp when it wanted to improve its security.

RELATED: Whatsapp to become more secure than Apple Messages

Signal is cross-platform (Windows, Mac, ChromeOS, Chrome Browser). Signal offers a simple encrypted text messaging service and secure encrypted calling service. 

Signal uses your existing number and address book to simplify your authentication and connection with other users. Therefore there is no separate username or password to remember.

I have to highlight the fact that a motivated attacker can still collect metadata from Signal calls because the central management servers are still owned by Whisper Systems. Whisper Systems does not have a way to listen in on calls or read messages but they do know who you spoke to, when and for how long. Having said this though, they still offer the most secure and best-built encrypted messaging app around, and it is all offered for free.

Jitsi for encrypted video chats

If you want a free open-source tool for encrypted video chats (it does audio too), then take a look at Jitsi. It also supports group chats. There is no requirement to sign up for anything and therefore your personal information isn't sitting on some third-party server.

You visit the site, enter a meeting name (without spaces and difficult to guess) and share that link with the other participants. It's really all there is to it. Safe, Easy and Secure.

What about Skype or Google Hangouts?

Most VOIP solutions offer transport encryption (which means a third party like your carrier can't eavesdrop) but the data is managed unencrypted once it reaches the provider's network. In most cases, I discourage the use of these services for situations where security is the utmost priority. One caveat is that Skype has announced that it will work with the Signal team to implement end-to-end encryption (like WhatsApp did) but that is still many months away.

There are dozens of products that use security to differentiate themselves and most have not been independently reviewed. I recommend you stick to the 2 products mentioned above.

Conclusion

Good security requires some planning but is well worth the effort. Hopefully, this article helps

OPSEC - How to securely delete files

General | Edward Kiledjian

You should also read my previous article "OPSEC - Introduction to Malware". 

Most computer (or smartphone/tablet) users believe that when you use the delete function in your operating system, you have securely destroyed the file beyond recovery, but that simply isn't the case. In most cases, only the file's entry in the index is removed; unless that disk space is needed by the operating system, the file's contents are most likely still on the disk (they just aren't normally accessible anymore). The only sure way to ensure that the information is permanently deleted is by using a special process or tool that overwrites the drive.

Let's talk about solid state drives

Note: Securely deleting files from flash drives (solid state disks, USB keys, SD cards, etc.) is very hard. The information in this post applies only to traditional spinning disks (what we call hard drives).

The best recommendation I can make for these types of media is to use encryption as soon as you unpack the medium. 

What about Windows

The most widely recommended tool to securely delete a file or write over empty space to ensure previously deleted files aren't recoverable is a freeware tool called Eraser. Once installed, you can right-click a file or folder and choose Eraser > Erase from the right-click menu. 

You can also delete all the previously deleted data from your computer by overwriting the empty space.

What about Mac OS?

On MacOS 10.4 running on a computer with a normal hard drive, you can:

  • Open the Trash folder
  • Go to Finder > Secure Empty Trash

Unfortunately, in the El Capitan update, Apple removed this option because it could no longer guarantee that the new SSD disks in its devices would overwrite the files. Their comment can be found here and reads:

An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the “Secure Empty Trash” option.
— Apple blog

Apple's mitigating control is that they encrypt the entire disk using FileVault and thus without your password, the data would look like gibberish anyway.

What do I do before selling my computer?

Regardless of whether you use a Windows or Mac machine, or a hard disk or a more modern SSD, the key is to remove the storage medium from the machine before you sell it. Then physically destroy the disk. In the commercial space, we use specialized disk shredders but you can drill holes in it then bang the daylights out of it with a hammer. Just remember to be safe.

How do I dispose of CD-ROMs or DVDs?

Most office supply stores sell inexpensive paper shredders that also shred CD-ROMs and DVDs (or, in most cases, physically destroy the storage medium). I recommend you invest in one of those or physically break the disk into hundreds of pieces using pliers.

Is your Chromebook vulnerable to Spectre or Meltdown?

General | Edward Kiledjian

TL;DR: If you are using a Chromebook that is actively supported, you are probably fine.

Spectre and Meltdown are two significant chip-level vulnerabilities that kicked off the 2018 security scene with a bang. Because they affect millions of devices from almost every manufacturer, many consumers are panicking about what this means for them.

Since I love Chromebooks, I wanted to write an article about how these two vulnerabilities affect them. 

This isn't a deep technical review about Meltdown or Spectre. There are loads of well-written articles about them. Instead, I will just lightly explain it to the general public.

These 2 are bugs in the design of the processor (aka the brain) of your computing device (made by Intel & AMD). These "bugs" have existed for about 20 years and allow an attacker (capable of running code on your system) to break security controls implemented on systems and in apps to steal information. Spectre does affect your smartphone (probably).

Great detailed information about these can be found here for those who are interested: https://meltdownattack.com/

Google has a support article that clearly outlines its plan to ensure all Chromebooks are eventually patched. 

But how do I check my device?

First, check the version of ChromeOS you are running. Most should be at version 63 already and this partially fixes some of the issues. You can check if your product has an update available here.

The good news is that most mainstream devices are patched including:

  • Google Pixelbook 2017
  • Samsung Chromebook Pro
  • ASUS Chromebook Flip C302

Some even say "patch not required" like:

  • Samsung Chromebook Plus
  • Acer Chromebase

Systems with kernel 3.18 or 4.4 are already patched. You can also open the chrome://gpu page and search for "operating system" to find your kernel level.

Google's position is that ARM-powered Chromebooks and Chromeboxes are not vulnerable but will be patched anyway with future updates. 

How is Google fixing the issue? With something called Kernel Page Table Isolation (KPTI). Basically, they are separating the kernel memory from that of the user processes. 

The moral of the story? Security is a hard computer science problem but you should sleep much better tonight (compared to Windows or Mac users) knowing that Google is working feverishly to protect you from these types of attacks. Just make sure you are using a supported product and reboot when you see the little upward arrow indicating there is an update (in the lower right hand status bar). 

SecureDrop protects the anonymity of whistle-blowers

General | Edward Kiledjian

SecureDrop is an open-source project created by (the late) Aaron Swartz with support from Kevin Poulsen and James Dolan. The entire raison d'être of SecureDrop is to create a safe information exchange mechanism between media organizations and whistleblowers. 

The solution requires two servers:

  • a TOR-facing server to store messages and files
  • a private server that monitors the security of the first server

When a message or files are dropped on the first server, the information is encrypted with GPG for secure storage. 

By using the TOR anonymizing network, whistle-blowers can protect their identities from local threats (schools, companies & governments) and from the media organization receiving the information. 

If TOR is blocked from your origin location, you can use the special GETTOR service I wrote about here. 

The SecureDrop system assigns a codename for every whistle-blower. This codename is a means for the media organization to build a relationship with the whistle-blower while maintaining full anonymity. 

It is obvious why the whistle-blower benefits from the anonymity but so does the media organization. The media organization may be given information it otherwise couldn't obtain. Journalists are also protected because they can't "give up" their sources because they don't know who they are. 

The system doesn't use any third-party embedded content, and the only information it logs is the codename and the date/time of the last message sent. Every time a new message is sent, the previous date/time stamp is deleted.

Who uses SecureDrop?

At last count, there were more than 36 news organizations around the world that use SecureDrop. You can find the list here. Some "normal" web links to media organizations that leverage this tool include:

I added the last link (Radio Canada) because they are the French sister site to the CBC and accept French submissions.

The above links are the normal internet web pages that explain (for each site) how they use SecureDrop. Links to the TOR SecureDrop for each can be found in the main directory above or on each of the normal web pages.

Alternative ways to get the TOR browser

General | Edward Kiledjian

Tor is an incredibly powerful privacy-enhancing tool that every security-conscious netizen should have in their arsenal. It doesn't replace a VPN service, since TOR isn't optimized for high bandwidth usage (like streaming music/videos) but it definitely has a place in my internet usage portfolio.

To use TOR, you need access to a small kit of software that includes the TOR router and the TOR browser (a locked down customized version of the Mozilla Firefox browser). 

The Great Firewall of China site test tool confirms that the TOR Project website is blocked.

Luckily I live in Canada where we enjoy incredible internet freedom but what if you don't? What if you need TOR (because you live in a zone where the internet is tightly controlled or monitored) but you can't access the website to download the installer kit? The TOR project has created the GETTOR strategy to help those people gain access to its powerful network.

You can:

The system will then share with you a secret list of links to download the installer from GitHub, Dropbox or Google Drive.

Once you install the TOR package (after checking the validity to ensure it hasn't been tampered with), you can also use a TOR Bridge if your country, school, company or ISP performs deep packet inspection to block TOR. A TOR bridge is a relay to help circumvent censorship. 

You are now ready to enjoy private, anonymous and secure web browsing. Once installed, all future updates to the TOR software will be delivered via the TOR browser itself so you don't have to worry about performing these steps again.