Prepper Digital Security, by A.B.

In this day and age of digital information, our communications and data are open to a world of invasive agencies. Some of these agencies may be your nosy neighbor out to see what you are up to, or an activist group gathering unguarded data to send to agencies of various domestic and foreign governments. Many of us in the prepper community have taken some measures of security to safeguard our data. Some people avoid the digital world altogether to dodge this issue, though not all of us are willing to go to that level of abandonment of technology. There are many benefits to using digital technology to assist in preparing for the future. I am not going to go into heavy technical detail about every aspect of digital security. However, I am going to describe what is called defense in depth, which is both a military term and a cyber security term, and then touch upon a way to utilize a key generator. If there is enough interest, I can definitely write up instructions on how to install and set up the programs and procedures I will be discussing.

Many of us have taken the threat of our email being read in transit seriously. With agencies, such as the NSA and foreign intelligence, trying to track and read everything we do, simple measures no longer can be counted upon. Another circumstance to consider is what happens if one day someone was to simply confiscate your computer to see what you have been up to. How many of your personal systems have no protection whatsoever, if someone simply sits down at the system?

According to Wikipedia.org:

Defense in Depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system’s life cycle.

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.

Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures, and policies is intended to increase the dependability of an IT system where multiple layers of defense prevent espionage and direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.

What we are going to talk about is beyond simply using TOR as a browser or PGP for email encryption. What I propose is utilizing VMs (virtual machines) stored as encrypted virtual hard drives on removable media that is itself encrypted.

In layman’s terms, we are going to have a computer within a computer that is stored on a secure USB (or other) device. Basically, you will be using a virtual computer system to do your data storage, prepper browsing, and/or secure emails.

Disadvantages:

  • The machine will be slower (unless you have a really powerful computer system),
  • You must remember passwords. (Key note: do not write them down anywhere.)
  • You also need some degree of technical aptitude for the setup, and
  • You must secure your device when not in use.

Advantages:

By walking you through the following scenario, the advantages will be clearer than if I just list them.

X Agency comes to your house and seizes your personal computer to use as evidence. Their claim is that you have been distributing banned reading materials.

  1. Any initial password to gain entry to a system is easy to bypass. (It’s a government agency, so they can get the manufacturer of the machine to give them the backdoor access. Sorry; it is just the way it is.)
  2. Once in your system, they will first make a backup of the hard drive(s), so they can work on the copy rather than the original.
  3. They perform their initial scans of the system and are unable to find anything located on the local hard drives. (Defense layer 1)
  4. One of the X Agency techs notices that you have virtual machine software installed (Oracle VirtualBox, in this case). He runs the software and sees you have VMs set up, but they are not located on the local hard drive. (Defense layer 2)
  5. After many days, weeks, months, or years, maybe, they finally locate your USB flash drive that you had been using to hold your VMs. (Defense layer 2.5)
  6. Once the drive is in place, they attempt to access the files, only to be asked for an encryption key for access. Since you had used the highest level of security that the program offers (TrueCrypt, in this case), it could take years in real time to break the encryption. (Defense layer 3)
  7. Let’s say they got lucky and broke it in a matter of weeks and now can access the USB drive. They start the VM up, all happy to see they have finally got you. Only, the VM is encrypted (TrueCrypt again) and requests a password to start the virtual machine. (Defense layer 4) Again, they get lucky and break the encryption, and finally are able to search your VM to their heart’s content.
  8. Only there is nothing there to incriminate you, since you had keyed TrueCrypt to use a shadow (hidden) operating system. (Defense layer 5)

I could go on and describe other layers past what we already have done. One thing you need to understand is that they will be able to get to the information, but it will take time. How much time, you ask? I refer you to the following article: http://en.wikipedia.org/wiki/Brute-force_attack

So what is the main advantage of DiD (Defense in Depth)? It’s time: the time it will take someone to break into the system is your protection. Be glad we do not live in Great Britain, which has a law on the books to force you to give them any and all passwords to your systems. Even in a situation like that, storing the device holding the VMs separately from the actual PC will buy you time. Remember, all the security in the world is useless if you violate your own rules.

  1. Plan the system you will use.
  2. Implement the plan.
  3. Document the plan. (This doesn’t mean write down where your USB drive is, or write down your password!)
  4. Refine and update the system and plan over time.

(Another good note to remember: Do not use the same password for each level of the encryption; that will drop the time to break the code astronomically. Once they have one, they have them all in that case.)

There is yet another use for encrypted removable media. It can be used to move data between groups or individuals in a more secure manner. There is a way of developing a code system for generating the keys used by the software. I’m going to give an example of one of these methods for key generation and sharing. Some of you will remember from history how the Allies used code words in radio transmissions, and how random-seeming words carried a meaning. What if we could use that method to hide a key generator in plain sight?

This will depend on everyone using the same reference text to encrypt/decrypt from. In our case let’s go with the Bill of Rights, which is something most of us have in some form or another. I’m going to keep it easy here; let’s make a key for a wireless router running WPA2. We need a 13-character key to implement the security properly. So on our friendly broadcast, the announcer reads off the 5th Amendment of the Bill of Rights. You know from prior planning that the amendment number (5 in this case) plus 1 is how many characters you count over in the text of the amendment. So in this case that’s every 6th character until the end of the text, and then you loop back around to the beginning until you have the number of characters you need (13 in this case). Look at the example below. I have counted out the characters and bolded the ones we need. (Yes, you count punctuation and spaces; however, use _ instead of a space. At the end of a line, keep counting on the next line.)

Amendment V:

No person shall be held_to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

So in this case our key code would be “rhe_soa,tsaru”. It’s completely random and contains no dictionary words. Yet anyone with the knowledge of the key process could unlock this router. Another candidate could be the King James Bible, where the chapter and verse are the text, and the month could be how many characters you count over. To make it even more interesting, you could plan your generator so that even months count from the start of the verse while odd months count from the end of the verse. The ways of doing this are endless.
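The counting rule above is easy to get wrong by hand, and if the two parties drift by even one character they end up with different keys. The following Python is an added example, not code from the post: it implements the "count over by amendment number + 1, wrap around, underscore for space" rule mechanically, and also the King James variant described in the last paragraph (month as the interval, even months from the start of the verse, odd months from the end, the latter being my reading of "count from the end"). The amendment text is transcribed from the post; with that exact transcription the program returns rhe_soa,tsac_, which agrees with the post's hand count in the first eleven characters and differs in the last two, which is precisely why both sides must agree on the exact transcription and count the same way. Keep in mind that the result is fully determined by a public text plus a small rule, so whoever learns the rule learns every key derived with it; the secrecy lives in the rule and in the choice of text, not in the characters themselves.

```python
"""Reference-text key generator (added example, not the post's own code)."""

# Transcription of Amendment V as printed in the post (the post's "_" is a
# space here).  Any change in spacing or punctuation changes the derived key.
AMENDMENT_V = (
    "No person shall be held to answer for a capital, or otherwise infamous "
    "crime, unless on a presentment or indictment of a grand jury, except in "
    "cases arising in the land or naval forces, or in the militia, when in "
    "actual service in time of war or public danger; nor shall any person be "
    "subject for the same offense to be twice put in jeopardy of life or limb; "
    "nor shall be compelled in any criminal case to be a witness against "
    "himself, nor be deprived of life, liberty, or property, without due "
    "process of law; nor shall private property be taken for public use, "
    "without just compensation."
)


def derive_key(text, step, length, from_end=False):
    """Take every `step`-th character of `text` (1-based: step=6 means the
    6th, 12th, 18th ... character), wrapping around to the start until
    `length` characters are collected.  Spaces become underscores, every
    other character (punctuation included) is kept as-is.  With
    `from_end=True` the count runs from the last character backwards
    (assumed reading of the post's odd-month variant)."""
    if step < 1 or length < 1 or not text:
        raise ValueError("step and length must be >= 1 and text non-empty")
    # Line breaks in a printed source are not part of the count, so the
    # reference text is handled as one continuous string.
    stream = text[::-1] if from_end else text
    key = []
    pos = step - 1                      # 0-based index of the step-th character
    while len(key) < length:
        ch = stream[pos % len(stream)]  # modulo gives the wrap-around
        key.append("_" if ch == " " else ch)
        pos += step
    return "".join(key)


def bill_of_rights_key(amendment_text, amendment_number, length=13):
    """The post's rule: the interval is the amendment number plus one."""
    return derive_key(amendment_text, amendment_number + 1, length)


def verse_key(verse_text, month, length=13):
    """The post's Bible variant: the month (1-12) is the interval; even months
    count from the start of the verse, odd months from the end."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1..12")
    return derive_key(verse_text, month, length, from_end=(month % 2 == 1))


if __name__ == "__main__":
    print("Amendment V, step 6:", bill_of_rights_key(AMENDMENT_V, 5))
    # Constructed stand-in for a verse, so the odd/even behaviour is visible.
    verse = "the quick brown fox jumps over the lazy dog"
    for m in (2, 3):
        print(f"month {m}:", verse_key(verse, m, 8))
```

Both parties run the same function over the same text with the same parameters; the only thing transmitted in the clear is the pointer to the text ("Amendment V", or chapter and verse), exactly as the post describes.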