Information Insecurity

In light of recent developments in Malaysia, with the computers of certain prominent anti-establishment bloggers consistently being confiscated for dubious investigative purposes, I thought that it might be a suitable time to write a little about information security. The whole idea behind information security isn’t to foil justice, but to make sure that the rights of people are not infringed.

With hard disk sizes going into the terabyte range, there are lots of things stored on a person’s personal computer, including personal information that nobody has any right to access. Sometimes, these confiscated computers are subject to random checks in the hope of finding something, anything, that can be used to entrap the owner. So, let’s start with the basics.

Email Security
Although the technology has been around for more than a decade, I’m surprised that most people do not know about it, much less use it. Email is transmitted in the clear, so anything that is said in an email can be easily intercepted and read by others. The only way to protect the content of email messages is through the use of public key (PKI) cryptography.

The most commonly used software is PGP or, if you want an open source version, GnuPG (GPG). Both integrate fairly well with all popular email programmes, whether it be Outlook, Thunderbird or KMail. So, you wouldn’t even need to know any voodoo to get it to work. If you use a webmail programme, these tools also provide a regular text-based mode, which can encrypt/decrypt plain text documents that you can then cut-and-paste into the webmail client.

This software allows you to encrypt every email that you write, so that the only person who can read it is your intended recipient. So, I would urge everyone to install and learn how to use these tools. These tools should be used for all business communications as well, if you don’t want your competition eavesdropping on your sensitive communiques.

How PKI works is by exchanging public keys. A public key is a very large number that is represented in text, as shown below. When you send me an email message, your private key and my public key are used to generate a secret key that is used to encrypt the message. When I receive it, I will be able to decode the email using my private key and your public key. So, at no time would either of us need to expose our private keys. All these things happen mathemagically.


[PGP public key block]

Any eavesdropper would only end up reading a bunch of random letters and numbers (much like the ones above). As an additional step of protection, do not store your emails locally in an unencrypted form. Leave them encrypted and have your email programme decrypt them each time you wish to read them. All these steps add an additional layer of protection.
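The text form of a key shown above is OpenPGP "ASCII armor": the binary key packets, base64-encoded between BEGIN/END lines, followed by a CRC-24 checksum line. The following is an added example (not part of the original post) that builds and parses that format; the sample bytes are a constructed User ID packet rather than a real key, and the function names `armor`, `dearmor` and `packets` are chosen here for illustration.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Binary packets -> text that survives e-mail and cut-and-paste."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *rows, check, f"-----END PGP {kind}-----"])

def dearmor(text: str) -> bytes:
    """Text -> binary packets; raises ValueError if the block was damaged."""
    rows = [r.strip() for r in text.strip().splitlines()]
    if not (rows[0].startswith("-----BEGIN PGP ") and rows[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored block")
    body = rows[1:-1]
    if "" in body:                        # optional armor headers end at a blank line
        body = body[body.index("") + 1:]
    check = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if check and int.from_bytes(base64.b64decode(check[1:]), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: block corrupted in transit")
    return data

def packets(data: bytes):
    """Yield (tag, body) for each packet with a short definite-length header."""
    i = 0
    while i < len(data):
        hdr, new = data[i], bool(data[i] & 0x40)
        tag = hdr & 0x3F if new else (hdr >> 2) & 0x0F
        n = 1 if new else 1 << (hdr & 3)      # octets in the length field
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        if not hdr & 0x80 or n == 8 or (new and length > 191) or i + 1 + n + length > len(data):
            raise ValueError("truncated or unsupported packet header")
        yield tag, data[i + 1 + n:i + 1 + n + length]
        i += 1 + n + length

SAMPLE_UID = b"Example User <user@example.org>"       # constructed sample, not a real key
SAMPLE = bytes([0xB4, len(SAMPLE_UID)]) + SAMPLE_UID  # old-format header, tag 13 (User ID)
```

The checksum only catches accidental damage, such as a mangled paste into a webmail client; to know that a key really belongs to your correspondent, compare its fingerprint with them over a separate channel.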

There are no known exploits that can easily defeat this scheme, at least not until computers can factorise extremely large numbers quickly enough, at which point you just double the size of the encryption key and continue using it. The easiest way to steal a PKI-protected email is to just haul you to court and force you to divulge its contents.

Hard Disk Security
It’s no use just protecting our communications channel if we do not protect our data storage as well. So, all hard disks, whether internal or external, should be encrypted. TrueCrypt is a tool that runs on all platforms, which allows on-the-fly encryption (OTFE). OTFE essentially intercepts all access to the hard disk and encrypts anything being saved and decrypts anything being read, transparently.

So, if you ever lose your laptop due to carelessness, theft or legal confiscation, at the very least, your data is safely tucked away. Anyone who tries to access your data without the correct keys will only end up reading a bunch of random gibberish again. So, all your private communications, photos and videos will be protected under heavy lock and key.

However, there is one caveat to using OTFE, which only applies if you’re traveling to the US. The government is legally allowed to make copies of your hard disk data at the border. If your computer is encrypted, they are also empowered to deny you entry or to confiscate your computer. So, it may not be a good idea to travel with encrypted data through US customs.

There is one currently known exploit to defeat this system, but it involves a lot of preplanning. The attacker would need to physically compromise your computer within minutes of it being shut down, and preserve the memory contents by freezing your memory module, as illustrated through the following video. The solution to this problem is to not leave your computer running unattended. Given enough off-time, the following attack would not be plausible.

Published by


Shawn Tan

Chip Doctor, Chartered/Professional Engineer, Entrepreneur, Law Graduate.
