Pages

18 May 2016

Communications Security 101



Communications Security 101

by Cope Reynolds


Let's talk a little bit about communications security or "COMSEC" as it pertains to email, texting and social media.  COMSEC is also critical in the use of landlines, snail mail and even the face-to-face conversations that you have on the street from day to day but for now, let's stick to online dangers.  The following is fairly long but if you value your safety and privacy, it will be WELL worth your time to read it.  Please bear in mind that are many more advanced measures above and beyond what is mentioned here but for now, this will get you headed in the right direction.  Like everything else, opinions may vary on this subject.  I can say that I have had a couple of the finest communications and security specialists available advise me on this subject and we have been playing this game for a long, long time. 

"COMSEC" is not just a military or law enforcement acronym, it applies to all of us. A common phrase that just makes me cringe is, "My life is an open book, I have nothing to hide".  I have heard or seen those exact words hundreds of times over the years.  Well, yes you do have something to hide.  The things that you say online can be used easily to build profiles on you and your family or your business by those that wish to do you harm either physically, financially or psychologically.  These can be hackers, scammers, violent criminals or the gov't.  For instance, after a few times of mentioning on Facebook what time you pick up little Jimmy from baseball practice or what time you go to work or when you get paid, just to mention a few, a profile can be started on you and how you conduct your day to day life.  Careless mention of friends' or family names, addresses, phone or social security numbers, dates, etc. When you're leaving, where you're going and how long you'll be gone on vacation.  Nearly anything you provide can be used to harm or inconvenience you and it is astonishing to see the amount of personal information that gets put out every day! Luckily, there are a few things we can do to dramatically reduce that possibility.

One last thing before we move on and this is crucial! Keep these three words in the back of your mind and consider them before you relay ANY information that may be of a sensitive nature. "Need-to-know".  Make absolutely certain that the person that you are sharing information with NEEDS TO KNOW!  If they want to know just for curiosity's sake, do not share it with them!  If you want to tell them just to stroke your own ego, do not share it with them!  This goes for nosy spouses, best friends and your barber.  NEED-TO-KNOW!  That's not WANT-TO-KNOW! It's not WANT-TO-SHARE!  Your three-word, take-home phrase of the day is... say it with me -- "NEED-TO-KNOW!

OK, we can move on now...

PASSWORDS
 

Good, strong passwords are the key to protecting your personal information online.  Never use birthdays, phone numbers, Social Security numbers, addresses, names or recognizable words as all or part of your passwords.  Information that you may inadvertently provide can allow people to hack your passwords through what is called social engineering.  Social engineering it is just one of several methods used to hack passwords.

Four or five character passwords may be okay for forums and chat rooms where personal information is not usually at risk.  6 characters are better especially if you use uppercase lower case and numbers in your password.  However, this is still only moderately secure.  A "complex password" is one that uses uppercase and lower case letters, numbers and special characters.  A 6-character complex password has something to the tune of 700 billion possible combinations.  I know that sounds like a lot but it's still not all that difficult to hack using electronic means.  A simple, 8-character password using only letters and numbers has over 50 times more combinations then a 6-character complex password.  An 8 character complex password, choosing from a pool of numbers, upper and lower case letters and 19 special characters gives you almost 646 trillion  combinations.  Again, that's a staggering number but a determined hacker with a fast computer and the right software could break that in less than three months.  Add one more character out of the same pool and it could take as many as much as nine years to go through every possible combination.  Obviously, the longer the password is and the more characters to choose from, the stronger the password.  This is also why we should change our passwords from time to time so if someone has already begun this process, they'll never reach their goal.  Ideally, we should memorize our passwords.  However, we should NEVER use the same password for everything, especially very sensitive sites, so that makes it difficult to memorize multiple, complex passwords. It is best not to write your passwords down but if you must, save them somewhere secure.  It is best to store passwords in a file that is protected by a very strong, complex password.  We strongly encourage people to use a program like KEEPASS which can help both create secure passphrases and store them in encrypted files.

To further protect your contacts, messages and information, it is imperative that your phone also be passcode or pattern protected instead of just swiping the screen.  A good passcode is stronger than a pattern but a complex pattern using 6 or more dots works fairly well too.  Locking by using your fingerprint is extremely secure unless... an aggressive captor physically forces you to unlock your screen by forcibly touching your fingertips to the screen until they get the right one.

Security and safety is often inconvenient. 

Okay, now that we got that out of the way, let's talk about secure communications.  For our purposes today, it's online voice and text that we are concerned about.  I could spend an hour telling you what not to use and why but I'm going to spare you all that let you do your own research.  I will tell you that Hushmail and Safemail are a couple of email programs that most of us no longer trust completely.  Understanding that technology is subject to change, I will tell you some programs that we use that we do trust and if you wish to speak securely with any of us, you will likely have to use one of these programs.

SIGNAL

Signal is our top program for about 95% of our day-to-day communications.  Signal allows secure, encrypted texting and encrypted voice communications.  Signal is a full-service texting program and should be installed and used as your default texting client.  Signal, like so many other secure programs, is only secure if you are communicating with another Signal user.  Texting to another Signal user will automatically be secure, there is nothing more that you must do (other than both of you keeping your phones secured).  That being the case, there are a couple things you must watch out for to avoid sending sensitive information to people that are not secure.  For one thing, in the text box where you type your message, it will say "Send Signal Message" before you ever start typing.  As soon as you start typing in the text box, the blue attachment button to the right with the paperclip in it will morph into a "Send" button. It will still be bright blue and have a little paper airplane and a locked padlock in it.  If you wish to send a secure attachment, you will need to touch the paperclip in the blue circle on the right before you start typing.

If the text box says "Send Unsecured SMS" obviously your message will be unsecure when sent.  When you start typing in the unsecured box,the "Send" button on the right will turn dark grey with an unlocked padlock in it.  Those are two prior warnings that you may be sending sensitive information to an unsecured user.  Also when you send a secure message you will see after it has sent there will be two check marks beside your message on the right if it went through.  If there is only one check mark that means that it was either sent to an unsecure recipient or has not yet been received by a secure recipient.  That will let you know that you may have inadvertently sent sensitive information to an unsecured user and give you time to work on damage control.

Signal users must be in your phone's contact list.  You must have their phone number and they must have yours.  This may be considered a downside to Signal because you can only use it with trusted contacts and not anonymously.  Signal allows secure texting and calling over Wi-Fi and data which opens up many options for you.  That means that you can pull up beside McDonalds and make a free phone call on their wifi using Signal. You could download Signal onto a disposable smart phone, make your important calls, destroy the phone and be on your way. To use Signal voice communications, tap the telephone receiver in the top, right corner of your phone screen, just like your regular texting client. Signal voice calls need a good, strong data signal or wifi.


One last thing about voice on Signal, DO NOT use "voice texting" if you want your text message to be secure.  You are still using the mic on the phone and it could be intercepted.  The Signal voice feature encrypts the voice message upon sending.  Regular voice text does not.

Signal has no mandatory burn time on messages but you can set a voluntary burn time which means that the message will be destroyed on both ends at the desired time.  Signal, as well as all the other secure programs should NEVER be set to where you are signed in all the time.  You should always set it to where you have to sign in periodically.  The higher the risk at any given time, the shorter the time before the program should lock you out.  When you do not do that, you are compromising everyone in your group.  If you are too lazy to type in the password occasionally then you should not be trusted as someone to share information with. Integrity, respect and honesty in this game is imperative!

Make Signal your default texting program.  It has all the features you need and is every bit as easy to use as anything else with the exception of punching in a password from time to time. 

WICKR

(NOTE: Wickr used to be our second choice for secure texting but has recently been purchased by Amazon which means that we no longer trust it. We havecall deleted it from our phones and tablets.) 

 Wickr does not need to exchange phone numbers so communications can be done anonymously. This is a plus. It also has a mandatory burn time which is inconvenient. You can set your burn time for anything from a few seconds to 6 days but you cannot keep it permanently.  This means that if you have information that you want to save you will have to copy and paste it and put it somewhere else where it won't burn but is still secure, such as Signal or ProtonMail.  You do not want to copy the information and store it in an insecure file on your computer.  It will not send and will stay in queue under your username indefinitely unless you have to restart the program.  Wickr can send secure files, pictures and very short audio files. Signal and Wickr both have their strong and weak points as far as convenience is concerned but Signal definitely has yhe best security.

Wickr is limited to, I believe, 1,500 characters per message.


CONFIRMATION OF MESSAGES

 

It is assumed that some messages, whether secure or not, may be time sensitive.  If you are relaying the time to pick someone up or go to a meeting and the recipient doesn't receive the message for a hour after you sent it, it doesn't do much good. With all texting programs, when you are in a questionable service area, it is important to begin all text messages with the time that the message was sent in 24-hour format or "military time".  That way,  if your message is received much later than it was sent, your contact will know. This may be critical. 

For example....
 

Let's say that you send an important text message to a contact that is in a weak signal zone.  The message appears to have sent on your end and you have no reason to believe that it wasn't received a few seconds later.  However, since your contact was in a poor service area or maybe had his phone off or in airplane mode, he will not have any idea when the message was sent.  If he assumes that it was just sent and the information is time sensitive,  it could be catastrophic.  Also, be specific in your instructions in case the message is not received right away.  Don't tell someone to "Meet me at HQ in an hour".  Your text should be worded thusly... "1335 - Meet me at HQ at 1500 hrs."  Your recipient will have all the information they need.

ZELLO
Zello is an also-ran. Forget it if want true secure communication.  

SKYPE

Skype used to be an amazing program but it is no longer to be trusted. Skype does not have the same degree of security that it had before Microsoft acquired it. It is fine for family and friends to visit and pass along things that you don't want everyone in the world to know but it offers zero protection against government intrusion or very determined hackers.  You can call Skype to Skype for free and have unlimited talk time.  If you want to call a landline, you either have to subscribe to one of their programs, use their pre-paid program or offer payment information call by call.  You can get Skype on desktop or laptop computers and there is a full-featured app for your phone.  It has a wonderful texting program, voice and video messaging and file transfer.  Skype is moderately secure in all modes, free and easy to use.

If you would like to purchase the premier version, you can also get your own phone number which you can use for a home or business phone and it is pretty cheap.  When you call out, you can set your caller ID to either show that you called from an anonymous number or any number of your choice.  You have complete control of call forwarding, caller ID and many other features.

PROTONMAIL

ProtonMail is probably the most secure, stand-alone email program known at the present time.  It is based in Switzerland and is extremely secure. You can send secure attachments, both voice and text plus images and audio files.  As with Signal, ProtonMail is only totally secure with other ProtonMail users.  ProtonMail may take a little while to get an account.  I've been using ProtonMail since it's very inception and have found no flaws.

 As with Signal for texting,  ProtonMail is the only email program that we will share sensitive information over at the current time.

Other email programs can be made secure as well and there are dozens of tutorials online to help you do that.  Here is one such link that will walk your through using Thunderbird and PGP encryption.

So, there you go.  There is so much more but for now, this should give you some things to think about concerning your personal security.  It's time folks!  It's time to start covering your tracks a little and being just a tad more cautious!

In Liberty,
Cope Reynolds (Desertscout)
Southwest Shooting Authority of Arizona

Colts and Kimbers are what you show your friends.
GLOCKS are what you show your enemies!