Category Archives: Security

Encryption and You

In the past, I’ve written about internet anonymity and Facebook account hijacking, and I’ve briefly touched on password security (revision coming soon). Today we’re going to be talking about message encryption and why it is important to you.

As you should already be aware, Facebook stores more information about you than you even know about yourself. They collect personal information in at least 57 categories, including all chat conversations you’ve ever had on Facebook. While Facebook may do a good job safeguarding this data, there is always the possibility of your account being hacked. Most people will find themselves having more than generic conversations on Facebook, and even though it may be convenient to have every previous conversation right at your fingertips (they are automatically stored in a history on Facebook), when your account ends up in the wrong hands you can say good-bye to privacy.

A solution to this issue has already been proposed in Ian Goldberg’s paper, Off-the-Record Communication, or, Why Not To Use PGP, so instead of rephrasing Ian’s article, I am going to summarize it (for your convenience), expand upon it, and then demonstrate how to set up off-the-record (OTR) communication with Facebook Chat. Finally, I will add a few concluding remarks and suggestions, and provide additional resources for learning.

The Basics, and a brief summary of OTR Communication, or, Why Not To Use PGP

The goal is simple:

The notion of an off-the-record conversation well-captures the semantics one intuitively wants from private communication: only the two parties involved are privy to the contents of the conversation; after the conversation is over, no one (not even the parties involved) can produce a transcript; and although the participants are assured of each other’s identities, neither they nor anyone else can prove this information to a third party. (Goldberg 2)

OTR provides:

  • Encryption – Messages will be encrypted (no one else can read your messages)
  • Authentication – You are sure the message is coming from the person you are conversing with.
  • Deniability – No one can prove you sent a message; however, your correspondent trusts you enough that any message sent by you is authentic.
  • Perfect Forward Secrecy (PFS) – If a private key a message was encrypted with is later lost or compromised, no previous conversation is compromised.

If you would like to initiate an OTR conversation with a friend, all you need to do is start an encrypted chat; your friend should then verify your fingerprint.

Fingerprint – A form of authentication that consists of 40 letters/numbers that let you identify an OTR user.

If you’d like to read more about OTR fingerprints (which you should), check it out at cypherpunks.ca.
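To make the four properties listed above and the fingerprint concrete, here is an added toy model written for this post (it is not libotr or the Pidgin/Adium plugin code): a per-message Diffie-Hellman key, an encryption key and a MAC key derived from it, a fingerprint formatted the way OTR clients display one, and checks showing that fresh keys cannot read an old message and that a published MAC key lets anyone forge a valid tag. The prime, generator, hash-counter stream cipher and key derivation are simplified stand-ins chosen for the demo, not OTR’s real parameters.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this demo only: real OTR uses a 1536-bit
# MODP group, AES in counter mode and SHA-1/SHA-256 keyed MACs.
P = 2**127 - 1   # a Mersenne prime: fine to illustrate, far too small for real use
G = 3

def fingerprint(pub: int) -> str:
    """40 hex digits shown as five 8-character groups, the way OTR clients
    display them.  Real OTR hashes the long-term DSA key; this is a toy key."""
    digest = hashlib.sha1(pub.to_bytes(16, "big")).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

def keygen():
    """Fresh Diffie-Hellman key pair; OTR makes a new one as the chat ratchets."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_keys(my_priv: int, their_pub: int):
    """Shared secret -> encryption key; the MAC key is a hash of the encryption
    key (as in OTR), so publishing it later does not expose the encryption key."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    enc_key = hashlib.sha256(b"enc" + shared).digest()
    mac_key = hashlib.sha256(enc_key).digest()
    return enc_key, mac_key

def keystream(enc_key: bytes, n: int) -> bytes:
    """Hash-counter keystream standing in for AES-CTR."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def tag_ok(mac_key: bytes, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())

def encrypt(enc_key, mac_key, plaintext: bytes):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, len(plaintext))))
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt(enc_key, mac_key, ct, tag):
    """Plaintext if the tag verifies (authentication), otherwise None."""
    if not tag_ok(mac_key, ct, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))

def demo():
    a_priv, a_pub = keygen()                      # Alice's key for this message
    b_priv, b_pub = keygen()                      # Bob's key for this message
    enc, mac = derive_keys(a_priv, b_pub)
    assert (enc, mac) == derive_keys(b_priv, a_pub)   # both sides agree

    ct, tag = encrypt(enc, mac, b"lets go OTR")
    received = decrypt(enc, mac, ct, tag)         # Bob reads it: tag verified

    # Perfect forward secrecy: ratchet to fresh keys and throw the old ones away.
    a_priv2, _ = keygen()
    _, b_pub2 = keygen()
    enc2, mac2 = derive_keys(a_priv2, b_pub2)
    del a_priv, b_priv                            # old private keys are gone
    stale = decrypt(enc2, mac2, ct, tag)          # today's keys cannot read yesterday's message

    # Deniability: once Bob has read the message, the old MAC key is published.
    # Anyone holding it can now forge a valid tag, so a tag proves nothing later.
    forged_ct = bytes(6)
    forged_tag = hmac.new(mac, forged_ct, hashlib.sha256).digest()
    return received, stale, tag_ok(mac, forged_ct, forged_tag)
```

Calling `demo()` returns the decrypted message, `None` for the stale-key attempt, and `True` for the forged tag, which is exactly why a saved OTR transcript cannot prove who wrote it.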

Why OTR with Facebook Chat?

When going OTR with Facebook Chat, you are provided the added benefits of OTR (encryption, authentication, deniability, and PFS) with the convenience of chatting with friends on Facebook. Although these messages will still be archived, they will only appear as encrypted messages and Facebook will never be able to view them. It is also important to note that an OTR conversation is only established when users on both sides of the conversation are capable of going OTR.

Before we get started…

Unfortunately, this process can’t be any more streamlined than what I am about to explain to you. I will now break down the next section into multiple parts; you only need to read the section that corresponds to the operating system you use.

Setting up OTR with Facebook Chat (on Windows/Linux)

To get chatting with OTR on Windows, you need to download an IM client that supports the XMPP protocol, as well as the OTR plugin. For the sake of this guide, I would suggest using Pidgin (for alternatives, see the Additional Resources section).

  1. Download and install the latest version of Pidgin @ pidgin.im.
  2. Upon starting Pidgin, add a new account, choosing the Facebook protocol. Enter your Facebook username and password.
    Note: Your username will not be the email address you log into Facebook with. If you are unsure of it, go to the General Account Settings and it will appear under ‘Username’.
  3. After adding the account, Pidgin will automatically try to log you in. If you are prompted to accept an SSL certificate, do so.
  4. Now, download and install the latest version of the OTR plugin for Pidgin @ cypherpunks.ca.
  5. Enable OTR by navigating to Tools > Plugins (CTRL+U) in Pidgin and checking the box to enable “Off-the-Record Messaging”.
  6. Generate a fingerprint for yourself by double-clicking the “Off-the-Record Messaging” plugin and clicking “Generate”. Once generated, be sure “Enable private messaging” and “Automatically initiate private messaging” are checked. From now on, when you want to chat on Facebook, use Pidgin!

How to initiate an OTR conversation?

From the OTR menu at the top of the message window to your buddy, request to ‘Start private conversation’. Once a private conversation has been initiated, be sure to authenticate your buddy via fingerprint or question. Provided they authenticate properly, you should now be notified that the private conversation is in effect.

Setting up OTR with Facebook Chat (on Mac)

To get chatting with OTR support on Mac only requires the popular IM client, Adium. Alternatives to Adium are available in the Additional Resources section.

  1. Download and install the latest version of Adium @ adium.im.
  2. Adium will run a setup assistant upon its first run. Choose to use Jabber as the service. Your Jabber ID will be username@chat.facebook.com (e.g. tom321@chat.facebook.com) and your password will be the one you use for Facebook.
    Note: Your username will not be the email address you log into Facebook with. If you are unsure of it, go to the General Account Settings and it will appear under ‘Username’.
  3. For the most part, we’re set up. Fortunately, Adium comes with OTR support out of the box. Let’s make sure OTR is automatically initiated, and generate our fingerprint. In the Adium menu, go to ‘Preferences…’ (CMD+,). Double-click your Facebook account, go to the Privacy tab, and be sure the encryption drop-down box is set to “Encrypt chats automatically”.
  4. Next, go to the Advanced tab, choose Encryption (on the sidebar), select your Facebook account from the drop-down box and click ‘Generate’. From now on when you want to chat on Facebook, use Adium!

How to initiate an OTR conversation?

Start a conversation with a friend (e.g. me: “hey! let’s go OTR.”). With the message window in focus, navigate to Contact > Encryption > ‘Initiate Encrypted OTR Chat’. Upon acceptance of your OTR proposal, you should then request verification of your buddy’s fingerprint by navigating to Contact > Encryption > ‘Verify…’. Once authenticated, happy private chatting!

Conclusion

Unfortunately, most people stay on-the-record because of the convenience of chatting through facebook.com. For those who would like added privacy, I would highly suggest moving towards an IM client that supports OTR.

Additional Resources

Listed below are a few resources that may help you gain additional knowledge about OTR.

Anonymity and You

With the way things are in the world today (see: photo identification, online security doesn’t exist), it’s your best bet to re-evaluate how much of your personal information is accessible online. Let’s get something straight before we get into the nitty gritty:

Personal information consists of any information that pertains to ‘YOU’. This could be your name, address, age, location, photos of you, etc. (The list goes on…)

Maintaining your identity on the internet can be a challenge, especially when companies are constantly introducing new changes to their privacy policy. Of course, the best way to stay up to date on privacy policies would be to read them every time a new change is made. Unfortunately, most of the time we are never made aware of these changes until something big happens and they end up in the news. Lo and behold, fear privacy policy changes no more: if you’d like to preserve (or restore) your anonymity on the internet, it’s as simple as limiting the information you share.

Now, before we jump to big conclusions, let’s test the waters. To do this, perform a quick Google search (web and image) on your name and see how many results show personal information. You might be surprised to see that several third-party websites are allowing search engines to index the accounts you’ve linked from Facebook and other networks. This is just to prove a small point: your Facebook privacy settings only extend as far as Facebook.com, and not to the sites you grant access to your profile and information.

Instead of going on-and-on about risk factors, I’ve come up with a list of suggestions on how to wipe your internet identity nearly clean:

  • Stop contributing personal information to the internet. If you want to continue sharing, do so under an alias / screen name (they were popular in the 90’s).
  • If your name is currently your username on any website, change it! Some websites even have a field for your full name, so be sure to remove it or change it to something made up. (Search engines will re-index the pages over time and your name will disappear from search results).
  • If you are ever required to use your first and last name on a website (Facebook, for example)… then make one up! You’re probably safe using your real first name, but make up a last name! No one has to know it isn’t your real last name except you and your friends.
  • Delete any publicly available personal information from search results. For example: Google your name, visit each result, and remove any posts or data that links back to you. Facebook groups and fan pages are often public and many times will index comments or posts you have written.
  • If you come across any accounts you no longer access, try to gain access back into them and delete them. Many websites give you the option to deactivate or delete your account completely.
  • Search for your name and address under Whitepages and remove any listings with your information.
  • Create a new email for strictly personal use. You should only use this email for communication between people you know or trust. Use another email address for every newsletter you subscribe to or website you join. This alternative email should not have any personal information. (Tip! A first name is as personal as the internet should get.)
  • Explore the privacy settings and policies found on websites you frequent. Be sure to limit information to “Friends only” or “Circles only” and always opt out of indexing yourself in search results.

This is just the tip of the iceberg in terms of basic anonymity. If you want to protect yourself even further, you’ll need to dig much deeper into the internet and scavenge your personal information.

Protecting Yourself on Facebook (Updated)

A couple months ago I wrote about how easy it is for someone to steal your Facebook account in less than 5 minutes. While there will always be risks in security, Facebook has finally implemented support for secure browsing. The best part? It only takes a few seconds to set up, so I highly suggest you follow along!

Enabling secure browsing on Facebook:

  1. Log into your Facebook account.
  2. In the top right menu bar, go to Account > Account Settings.
  3. From the Account Settings page, you will notice an area “Account Security”, located towards the bottom. Click the “change” link to the right of it.
  4. Directly shown underneath will be “Secure Browsing (https)”. Tick the check-box “Browse Facebook on a secure connection (https) whenever possible”.
  5. Save your changes. (Blue save button)

Easy enough, and now you’re good to go! Now it won’t be so easy for any hackers to sniff your internet traffic and get easy access to your account!

Tip! In Account Security, you will also notice your recent Account Activity. Look here if you suspect anyone is signing onto your account from other locations!

What Makes A Strong Password

Passwords. You need them everywhere and all the time.

To maintain the highest level of security for your information, it is necessary for you to change your password at least once each year. Alas, choosing a simple password will not be good enough with today’s ever-growing society of computer hackers. Great news for you: I’ve created a breakdown of a few rules you can go by to create your new, strong password, without it being too difficult to remember or easy for others to figure out.

What’s in a strong password? A strong password has several characteristics. It:

  • Consists of at least 6 characters (Longer is better!)
  • Contains a combination of numbers, letters, and symbols (if allowed)
  • Utilizes case-sensitivity

Now that we have identified what makes a strong password, let’s lay down some ground rules.

A password should not:

  • Contain any words found in a dictionary
  • Contain any part of the username (or your name) (e.g. username: tombeute, password: tomtom)
  • Directly relate with any public information about you
    (For example: If you’re really into baseball and the whole world knows, do not make your password ‘yankeefan’ or ‘baseball’ or any variations similar; such as replacing letters with numbers.)

To ensure the safety and security of all of your information, locally and in the cloud (internet), you will need to make a password that is difficult enough (for a stranger) to guess, but easy enough (for you) to remember.
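The rules above can be applied mechanically. The following checker is an added example written for this post (not the author’s own tool): it uses a constructed six-word dictionary and a small letter-for-number table as stand-ins for a real word list, and reports which of the post’s rules a candidate breaks, including the “replace letters with numbers” variations the post warns against.

```python
import re

# Constructed stand-in for a real word list; a real check would load one.
DICTIONARY = {"password", "baseball", "yankee", "fan", "boy", "live"}
# Letter-for-number swaps a guesser undoes, so 'b4seb4ll' still matches 'baseball'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(s: str) -> str:
    return s.lower().translate(LEET)

def check_password(password: str, username: str = "", public_terms=()) -> list:
    """Return the rules the password breaks (an empty list means it passes).
    The rules are the post's: at least 6 characters, letters plus numbers,
    a symbol, mixed case, no dictionary words, no part of the username,
    nothing tied to public information about you."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if not (re.search(r"\d", password) and re.search(r"[A-Za-z]", password)):
        problems.append("needs both letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() == password or password.upper() == password:
        problems.append("does not mix upper and lower case")
    norm = normalize(password)
    for word in sorted(DICTIONARY):
        if word in norm:
            problems.append(f"contains dictionary word '{word}'")
    uname = normalize(username)
    # any three consecutive characters of the username count as "part of it"
    if any(uname[i:i + 3] in norm for i in range(len(uname) - 2)):
        problems.append("contains part of the username")
    for term in public_terms:
        if normalize(term) in norm:
            problems.append(f"relates to public information '{term}'")
    return problems
```

With this list, the post’s own pass-phrase `iLIN3wJw/3S` passes cleanly, while `tomtom` for user `tombeute` and a leet-spelled `Y4nkeef4n!` for a known Yankees fan are both caught.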

Password Creation 101 (Methods):

  • The Pass-Phrase
  • The Key-Mapper
  • Completely Random
  • Master Password

The Pass-Phrase is a method of password creation that involves condensing a sequence of words or other text into a password.

  1. To create a pass-phrase, start with a sentence that is easy for you to remember. Note: It could be the first line of your favorite song, a movie title, anything!
    Pass-phrase example: I live in New Jersey with 3 sisters.
  2. The pass-phrase will now be encoded and condensed to your preference, being sure to utilize the characteristics of a strong password.
    Pass-phrase example: iLIN3wJw/3S

Pass-phrase encoding will make your life easier when creating and recalling passwords. To illustrate how I came up with my encoded pass-phrase, let’s take a look:

iLIN3wJw/3S = I live in New Jersey with 3 Sisters

  • i = I
  • L = live
  • IN = in
  • N3w = New
  • J = Jersey
  • w/ = with
  • 3 = 3
  • S = sisters

And there you see how easy it is to utilize the pass-phrase method!

The Key-Mapper is another method of password creation; however, it might not be as easy to remember as a pass-phrase will be.

  1. To create a key-mapper style password, think of a password you might commonly use.
    Key-Mapper example: fanboy5
  2. Now, that isn’t the best password to use because it contains a dictionary word. Instead, let’s use a new mapping on our keyboard to represent each letter. For example, each letter will now be represented by the letter one key to the right of it. (f = g, a = s, n = m)
  3. Our re-mapped password of fanboy5 is now encoded:
    Key-Mapper example: gsmnpu6

Feel free to further enhance your key-mapped password by using fancier key-map patterns (perhaps one key up and one key to the left). Also, replace certain letters with symbols to further secure your password.

A Completely Random password is hands-down the least convenient method of password creation and arguably the most secure: it is simply a computer-generated random string of numbers, letters, and (optionally) symbols.

Obviously, the creation of a random password is straightforward. However, if you would like a computer to do the randomization for you, visit StrongPasswordGenerator.com.

The Master Password method of password creation is simply a way to avoid using the same password for every website you belong to.

The concept is simple: let’s refer back to our pass-phrase password of iLIN3wJw/3S. That will now be known as our master password.

To keep this password easy to remember, yet secure enough that I’m not using it on every site, we can prefix or suffix the password with hints.

Example usage of our password on different sites:

  • Gmail = iLIN3wJw/3Sgma
  • Facebook = iLIN3wJw/3Sfac
  • Twitter = iLIN3wJw/3Stwi
  • Skype = iLIN3wJw/3Ssky

There are several other ways to use a master password, just remember to keep your algorithms consistent and you will never forget another password!

Last Minute Reminders!

  • If you find the need to write down your password, use common sense! Do not write it on a post-it on your desk, do not save it in a file on your desktop entitled ‘passwords’.
  • Do not use the same password for multiple applications.
  • Do not use obvious information about you in your password.
  • Be sure any password reset questions do not contain obvious information! **

While there are still many more risks to the security of your information than password compromise, you can be one step ahead by having a strong password. Be sure to refresh your password annually, and do not share your password with anyone other than yourself.

Stealing A Facebook Account In Less Than 5 Minutes

Are you aware how easy it is for even the most novice computer user to steal access to your Facebook/Amazon.com/Gmail/Twitter/Flickr account- in less than 5 minutes?

If you aren’t, I highly suggest you keep reading so you can learn how to protect yourself.

Websites like Facebook (and the others listed above) require a username and a password for access. Computers send and receive data all the time. The type of data that is transferred over a network when a user logs into a website is known as a cookie. Cookies act like tickets to a theme park- once you enter you can go anywhere within the park (in our example, anywhere within the website without having to sign-in again).

The easiest way to protect your cookies is by sending them through an encrypted connection. Without going into too much detail, encrypted traffic cannot [easily] be sniffed (obtained by another person on the network). Most websites that require authorization for access will force an SSL (secure) connection to ensure the security of the data being sent from your computer to the website. Unfortunately there are many websites in existence today that still do not force a secure connection, leaving all of your personal, credit card, user name and password information at high risk! All it takes on an insecure, public internet connection (college, free WiFi, etc.) is one person to steal a cookie from your session. Essentially, a hacker will use that stolen cookie to regain entrance into the website (and your account).
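The cookie-as-ticket point above can be checked from the defending side. The following audit is an added example written for this post (the headers are constructed, not captured from any real site): it parses Set-Cookie lines the way a server might send them and flags cookies a sniffer on the network could capture (set over plain http, or lacking the Secure attribute so the browser will also send them over http) as well as session-looking cookies that page scripts can read (no HttpOnly). The session-name hints are a heuristic chosen here, not a standard.

```python
# Constructed sample response, as a web server might send it; not captured
# from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: session_id=a1b2c3d4; Path=/; HttpOnly
Set-Cookie: remember_me=x9y8z7; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Set-Cookie: csrf=q1w2e3; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html
"""

# Heuristic chosen here for cookie names that usually carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "remember", "login")

def parse_set_cookie(header_value: str) -> dict:
    """Turn 'name=value; Attr; Attr=value' into a dict; attribute names are
    lower-cased and bare flags such as Secure map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie

def audit_cookies(raw_response: str, scheme: str) -> list:
    """Return (cookie name, finding) pairs.  scheme is how the page was loaded:
    'http' means every cookie in the response crossed the network in the clear."""
    findings = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        name = cookie["name"]
        session_like = any(hint in name.lower() for hint in SESSION_HINTS)
        if scheme == "http":
            findings.append((name, "set over plain http: anyone on the network can read it"))
        if "secure" not in cookie:
            findings.append((name, "missing Secure: the browser will also send it over http"))
        if session_like and "httponly" not in cookie:
            findings.append((name, "session cookie exposed to page scripts: missing HttpOnly"))
    return findings
```

Run against the sample over https, only `csrf` comes back clean; over http every cookie is additionally reported as having crossed the network in the clear.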

Now, it’s likely you are asking how to protect yourself from becoming a victim. The answer is quite simple: ensure all personal information is communicated through a secured connection. To verify that you are using a secured connection, look in the address bar of your web browser and note the ‘http’ prefix.

Does your URL say:
http://facebook.com (Insecure – High Risk!)
https://facebook.com (Secured – Low Risk.)

Luckily for the not-so-tech-savvy there are several tools already available to help protect you from this risk.

TIP! Gmail users can protect themselves by using the built-in browser connection setting. Sign into your Gmail account, go to Settings. Select the ‘Always use https’ option and then ‘Save Changes’.

If you’re using Internet Explorer:
Your best option right now is to install the user-script ‘Facebook Secure Connection – Force Https (SSL)’. Unfortunately, this will only protect traffic through Facebook.com. (Note: The initial login will not be encrypted, but everything thereafter will be.)

If you’re using Mozilla Firefox:
The best method of protection is to install EFF’s ‘HTTPS Everywhere’ extension. HTTPS Everywhere will protect you on most websites that require authorization.

If you’re using Google Chrome:
Your options are limited, as with Internet Explorer: you can use the plugin ‘Facebook Secure Connection (Force Https SSL)’. (Note: The initial login will not be encrypted, but everything thereafter will be.)

OR

For Mac (OS X) users:
You can install the application ‘SideStep’. SideStep will automatically secure all insecure connections initiated from your Mac. If you’re using a Mac, I highly suggest this option!

For Windows (PC) users:
You can install the application ‘Proxy Switcher’. Proxy Switcher will re-route your internet traffic through proxy servers with ease, protecting your information from the locals on your network.

If you’re not surfing the web with Firefox, then it might be in your best interest to download it (http://firefox.com) and install the HTTPS Everywhere extension. If you’re using a Mac, your best bet is to install SideStep (unless you’re using Firefox for web browsing, in which case you should use HTTPS Everywhere).

It is important to mention Facebook does not support a secure connection through their chat server. This means if you are using a secure connection to access Facebook, you will not be able to access chat.

TIP! Always remember to log out of any accounts you sign into when you are finished. Closing your cookie session will render any old cookies useless.

Facebook

How likely are you to share your passwords openly with strangers you’ve never met?

If you’re like me and care about your privacy in the least bit, you wouldn’t want to ever take the chance of letting your information get in the wrong hands. Facebook users should be made clearly aware of the Facebook privacy policy, and if you have not read it already then I highly suggest you do.

The motives of a company like Facebook are not to protect your information but to share it. Think about it this way: every member of Facebook who shares information about themselves becomes an asset to the company. Facebook uses this information about you (which, according to the privacy policy, is now in their possession) and sells it to marketing companies and shares it with search engines to increase search queries (more hits to Facebook means more money). There’s much more about the privacy policy that I’m not touching upon right now, but definitely read up on it.

Another point to enlighten you on is Facebook’s application permissions. As an end-user, you must be made clearly aware that ALL applications you use on Facebook have access to your profile. These permissions are equivalent to sharing your profile password with a stranger. Examples of some common applications people share information with are, but obviously aren’t limited to: FarmVille, Cafe World, Bejeweled Blitz, Social Interview, The Yes/No Game, Bumper Sticker, and ‘Likes This’. To see how many developers (yes, they’re people too) you are sharing your information with, go to: Account > Privacy Settings. From there, in the bottom left, click “Edit your settings” under the “Applications and Websites” section. You will see ‘Applications you use’: “You’re using X applications, games and websites…”

Surprised? Now, if I were you, I’d remove or disable all those applications, because behind the games, amusement, and interviews are people too: people I have never met who can compromise my information. Doing this is simple: from the same page, go to “Edit Settings” (far right) and proceed to delete your applications by hitting the “X” on the top right of each application listing.

The risk you run by allowing applications to access your profile is quite obvious. It is the same motivation Facebook has: to share and market information about you. Likewise, by sharing your account information with strangers you are running the risk of account theft. I could technically create a fun Facebook app, post something on your wall about it, and all I’d need you to do is allow the app permission to access your profile. (e.g. “Tom answered a secret question about you! View it now.”) Bam! I gave myself access to your profile and you didn’t even know.

A brief recap: Facebook. Review their privacy policy in full; they don’t care about your privacy or information, they just want their money. And don’t use Facebook apps if you wouldn’t give your password out to a stranger.