Digital Security and Privacy for Activists, 2. Away from Prying Eyes: Protecting your information from unauthorised access
Personal computers help us store and quickly access information on their hard drives. Some of this information may be very private or sensitive. Without sufficient consideration of how you protect this information, however, others can gain access it to it without your permission. Someone could steal or break into your computer or digital storage device (for example, your USB memory card/stick could be stolen or confiscated). Someone could even intrude into your computer remotely over the Internet and read or even destroy files. What can you do to effectively protect your information from unauthorised access?
This is the third article in a series [1] highlighting practical ways you can increase your digital security and privacy. This article is a part of the updated second version of the Security Edition of NGO in a Box [2], currently under development.
2.1 Introduction
One of the first steps in keeping out intruders, whether from the Internet or through physical intrusion – is maintaining a properly functioning and healthy computer system. One that is malware free, protected by several security barrier and regularly updated. Please read last month’s digital security article for more information and tips [2].
Common Misconceptions:
My computer is protected by the Windows login password.
Answer: The Windows password is quite easy to break. You should not rely on it to protect access to your files. The same goes for passwords set by Microsoft Word or Adobe Acrobat
I keep my files in the 'My Documents' folder. Other users cannot access it.
Answer: default everybody can read everybody else’s files unless you set your computer otherwise. Also anyone with the right administrative privileges or able to restart your computer from cd or usb drive can have access to all files on a computer system.
I keep all my important documents on a USB memory card.
Answer: Unfortunately these are very easy to steal or lose. As you move your USB card from one computer to another, you are also at risk of having it infected with viruses.
There are two popular and proven methods to secure your files from outsider's access. One of these methods involves encrypting your files in other words making them unreadable to anyone else but you (or who you allow) and the other involves hiding the very existence of your private information on a computer.
2.2 Encrypting Your Information
Encryption is the process of coding or scrambling data in such a way that it appears unintelligible to anyone who does not have the specific key needed to decode the message. We recommend that you use TrueCrypt [4], a program which secures your files by encrypting them and preventing anyone without the correct password from accessing them. It is like a lockable safe. It locks your files away so that only someone with the correct password, can read them.
Please refer to TrueCrypt Beginner's tutorial and User Guide [4] for a details on using the programme.
Note: Storing confidential data is a risk – encryption reduces this risk, but does not eliminate it. So the first step is to minimise the sensitive information recorded, and the second is to encrypt what is left. e.g. perhaps you do not need to record/store data that could identify people on your computer at all or you can additionally code their names, dates, places names, etc.?
2.3 Hiding Your Information
TrueCrypt Hidden Volumes
If somebody finds out about the existence of your TrueCrypt volume full of encrypted files, they could also try and disclose your password. This may happen by accident, as a result of threats or somebody spying on you. There are many situations where you cannot refuse to reveal a password for reasons of your own safety, or that of your family and colleagues.
TrueCrypt helps you deal with these situations by allowing you to create a hidden volume which is stored within your standard encrypted volume. You can open the hidden volume by providing different password to one used for opening the standard volume. It is impossible to find or prove the existence of the hidden volume, even when you open a standard volume. So, if you are forced to give up your password, and the location of your TrueCrypt volume, you can reveal the contents of the standard TrueCrypt volume, but you do not have to reveal the existence of the hidden volume it contains. This method is not supposed to serve as ultimate protection for your files, but rather to give you a chance to leave/escape a dangerous situation.
Steganography tools
Hiding the existence of information is called steganography. It is like writing a letter with invisible ink (lemon juice, for example). Whereas encryption conceals your message by making it unreadable to the outsider, the aim of steganography is to hide the communication of the message itself. For example, you can insert text into a photograph, sound file or other already exiting file on your computer. Although the file is altered to include your information but the change is done in such a way that the content of the file (the photo, the song, etc.) do not seem changed to the viewer/listener.
There are a number of tools in existence that perform different steganographic functions. See below for resources on the Internet that present a large collection of different steganographic software.
The first requirement for choosing the necessary tool is to keep the choice itself a secret - every steganography tool to date can be reverse engineered (meaning that if your adversary knows what programme you used to code your text into for example a picture, they can easily retrieve the text). The trick to using steganography is to create an atmosphere of normality around your operations (regularly storing/sending holiday or baby photos) and after a multitude of similar operations, to code some text into one of those images.
Other methods of steganography do not require any software, just some good planning and cooperation between the communicating parties. You can use codes, body language, alternate meanings and so on to disguise the real message. These methods are not new and quite often prove just as effective as modern computer based ones.
2.4 References and Further Reading
[1] See other articles published in "Digital Security and Privacy for Activists series:
- "Introduction", CIVICUS Bulletin No 32, January 2008
- "Roots of (in)security: Protecting your computer”, CIVICUS Bulletin No 33, February 2008
[2] "Security Edition of NGO in a Box" is a project of Front Line and Tactical Tech It is a toolkit of peer-reviewed free and open-source software, materials and guides to provide digital security and privacy. Its aim is to simplify this complicated area and reduce the overwhelming choices often faced by people when trying to find solutions to their problems. Recommended software is reviewed, explained and accompanied by installation and user guides in multiple languages. Each tool is accompanied with clear explanations and tips written for the non-technical user. The whole toolkit is available online on the Front Line website. The toolkit is also available on a CD. The toolkit is currently available in French, Spanish, Arabic, Russian and English.
[3] See "Digital Security and Privacy for Human Rights Defenders" - a book written by Dmitri Vitaliev for Front Line. We especially recommend following chapters:
- Chapter 2.4 Cryptology
- Chapter 2.8 Steganography
- Chapter 4.3 Case Study 3 – Securing and Archiving Data
[4] TrueCrypt is free open-source disk and files encryption software for Windows, Mac OS X, and Linux. See:
[5] Steganography article on Wikipedia
[6] Steganography Tools List on Johnson & Johnson Technology Consultants, LLC
[7] Steganography Tools List on Cotse.Net
2.5 About Authors:
Wojtek Bogusz is a digital security and information systems consultant and trainer working with Front Line – Dublin based International Foundation for the Protection of Human Rights Defenders. He is also co-editor and manager of the Secure Edition of NGO in a Box project.
Dimitri Vitaliev is a consultant on issues of electronic security and privacy for human rights activists around the world. He is the author of the 'Digital Security and Privacy for Human Rights Defenders' manual, co-editor of the NGO in a Box - Security edition project and is often on the road, providing training and advice on security policies and strategy.
You can contact both of the authors through the group email of Security Edition of NGO in a Box project: security (AT) ngoinabox (DOT) org