Spy Blog - SpyBlog.org.uk

A few minor quibbles:

• We would, for example, not configure our web server or web browser software to accept SSL version 2.0 connections (SSL version 3 and TLS version 1 are ok), because of inherent weaknesses, such as the possibility of a cipher strength downgrade attack which reduces the strength of the encryption to only 40 bit encryption, which is crackable in near real time on most desktop computers sold today.

• The use of USB memory sticks or similar flash media is more convenient than , say floppy diskettes, but, the very reliability and ruggedness of these devices also makes them extremely difficult to erase securely, without resorting to physical destruction.

• There is also no guidance on the use and possible abuse of mobile telephones, which are, of course, more common than personal computers. (see our hints and tips blog post for some ideas on this)
  

As the main author Dmitri Vitaliev says, security is a process, and a habit and a mindset, which, hopefully, this publication will help to stimulate and inspire people to take their own tailored precautions and conduct their own research and risk assessments, into what suits them and their associates best.

CONTENTS Introduction 1

The Problems; Security as a process; A guide to the manual

1.1 Security and Insecurity 4
Methods and trends of surveillance, censorship and electronic attacks;
Specific threats faced by human rights defenders

1.2 Security awareness 9
Securing: Your operational environment; Office environment;
Personal Workspace; Public environment
Questions to ask yourself 11

Where is my data?
Who knows my password?
Whose computer is this?
Who is this?
Who can access my computer?
Do I know my environment ?

1.3 Threat assessment and the security circle 14
Modelling risk and developing a strategic diagram;
Threat prevention;
Reactions to threats; Security circle

2.1 Windows Security 20
Operating system updates;
File Allocations;
Lock Screens;
BIOS

2.2 Password Protection 26
How passwords are compromised through profiling, social engineering, brute force attacks

Creating Passwords 28
How to create passwords using mnemonics and software

2.3 Information Backup, Destruction and Recovery 30
Information backup strategies; frequent access files, non-frequent access files, system backup

Information Destruction 32
Secure and permanent data deletion;
Wiping removable devices;
Wiping guidelines

Information Recovery 34
Prevention of information loss;
Recovering lost data

2.4 Cryptology 36
History of modern cryptology;
Encrypting your computer;
Public key encryption and security;
Digital signatures;
Encryption insecurity

2.5 Internet Surveillance and Monitoring 43
How the Internet is monitored;
Threats from cookies;
Monitoring email communications;
Spoofing
Internet & Email Filtering 46

Filtering email for specific keywords;
Internet filtering
Internet Censorship 48
Blocking websites from access by DNS, IP, keyword blocking;
DNS hijacking

2.6 Circumvention of Internet censorship and filtering 51
Circumventing Internet censorship with proxy servers;
Different types of proxy servers, their features and advantages;
Anonymity networks;
Anonymous Internet publishing

2.7 Encryption on the Internet 59
Verifying secure Internet connection with SSL certificates;
Man-in-the-Middle attacks

2.8 Steganography 67
Linguistic Steganography - Semagrams;
Open Codes;
Covered Ciphers
Data Steganography - Hiding text in images, in audio; Steganography software;
Detecting steganography

2.9 Malicious software and Spam 75
History of viruses;
Malware variations and their effects;
Reacting to malware attacks;
Spam and prevention

2.10 Identity Theft and Profiling 82
Profiling today;
What makes up your digital profile;
How cookies are used;
Digital identity;
Authenticity and Anonymity;
Preventing profiling

3. Changes to legislation on Internet privacy and freedom
of expression affecting work and safety of Human
Rights Defenders around the world 88

3.1 Censorship of online content and Online publishing 92

3.2 Website Filtering 98

3.3 Communications Surveillance 101

3.4 Cryptology and Circumvention 104

4.1 Case Study1 - Creating a Security Policy 106
Drafting a security plan;
Components of the plan;
Case Study - developing a security plan for a human rights NGO

4.2 Case Study 2 - Communication channels 110
A human rights NGO is researching and documenting cases of torture in their country. They need to store this information securely and communicate it to the headquarters in a different country

4.3 Case Study 3 - Securing and Archiving Data 116
A human rights NGO wishes to transfer its large collection of paper documents to a computer and secure it from loss, theft and unauthorised access

4.4 Case Study 4 - Secure Email and Blogging 121
A journalist reporting on human rights violations by email and blogging fears that her messages are being censored and tampered with. She wishes to secure her online identity and communications, anonymise her Internet presence and adopt good password techniques

Appendix A. Computers explained 127
History and modernity;
How computers work;
Operating Systems;
Proprietary vs free and open source software

Appendix B. Internet explained 132
History of the World Wide Web; Internet Today;
Basic Internet infrastructure;
How email works;
Websites;
Voice-over IP;
Blogging

Appendix C. Internet Program settings 139
How to secure your Internet browser settings;
Internet Explorer - basic security settings, deleting temporary files;
Mozilla Firefox - basic security settings, deleting temporary files

Appendix D. How long should my password be? 146
How long does a computer or Internet password need to be in view of today's brute force attacks

Glossary 147

A proposal for the Internet Rights Charter 148