Cyber-Security Toolbox

Compiled by: Michael Chesbro June 2011 Edition-3

The Cyber-Security Toolbox contains several security techniques and programs that can be employed by the individual user to make his or her electronic information and electronic communications more secure. The Cyber-Security Toolbox is compiled from multiple open sources, and system help files. This document is a compilation of data obtained from the links given herein, and is intended to aid users in establishing a more secure cyber-environment.

Every bit of cyber-security we use makes it that much more difficult for hackers, spies, criminals and other adversaries to access our electronic systems, steal our information, or disrupt our operations.

Michael Chesbro

Table of Contents
Encrypt an e-mail message in Microsoft Office Outlook 2007
Digital Certificates
Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files
Use Encryption Wizard (EW) to Secure Your Files
JavaScrypt: Browser-Based Cryptography
Pretty Good Privacy (PGP)
Hushmail
Ironkey
Create a Secure Computing Environment with Lightweight Portable Security
Puppy Linux
TrueCrypt - Free open-source disk encryption software
Install Anti-Virus Software on Your Home Computer
Participate in IA Education, Training and Awareness Programs
Use Your DoD CAC At Home
Use the Password Function in Microsoft Office to Protect Your Documents
Use a Secure Erase Utility to Destroy Electronic Data
Use Strong Passwords
Store Your Passwords in a Password Safe
Protect Data-At-Rest (DAR) Enable Microsoft Encrypting File System
United States Postal Service Electronic Postmark
Use AKO/DKO IM & Chat
Enable Secure Logon (CTRL+ALT+DELETE)
Cellular Telephones and PDAs
Zfone
Vumber - Virtual Phone Number
Google Voice
Whisper Systems (Encrypted voice and texts for your Android Smartphone)
TOR
Google Encrypted Search
Google Account 2-step verification
Temporary / Disposable E-mail Addresses
EPIC Online Guide to Practical Privacy Tools
NIST Computer Security Division - Computer Security Resource Center
US CERT Cyber Security Tips
NSA - CSS Cyber Security Factsheets
Report Cyber-Crime

Encrypt an e-mail message in Microsoft Office Outlook 2007


Encrypting an e-mail message in Microsoft Office Outlook 2007 protects the privacy of the message by converting it from readable plaintext into ciphered (scrambled) text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message.

Encrypt a single message

1. In the message, on the Message tab, in the Options group, click the Encrypt Message Contents and Attachments button.
2. Compose your message and send it.

Encrypt all messages

1. On the Tools menu, click Trust Center, and then click E-mail Security.
2. Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box.
3. To change additional settings, such as choosing a specific certificate to use, click Settings.
4. Click OK twice.

In order to send encrypted messages over the Internet, you need to exchange certificate files (.cer file) with the recipient. You can do this in a number of ways. For example:

- Send a digitally signed message. The recipient adds your e-mail name to Contacts and in doing so, also adds your certificate.
- Send an e-mail message with your .cer file attached or send the .cer file on a disk / CD-ROM. The recipient can import the .cer file into your contact card.
- Create a contact card with your .cer file, and send the contact card.
- Publish your certificate to an LDAP (Lightweight Directory Access Protocol, a protocol that provides access to Internet directories) directory or another directory that is available to the other person.
- Post the certificate on a share that is available to the other person.

If your system administrator has set up security for your network using Microsoft Exchange, it is not necessary to swap certificates.

3DES is the default encryption algorithm. Encryption strength is no longer restricted by the United States government. Outlook uses the RC2 algorithm by default when running on a 40-bit operating system that does not have 128-bit encryption capabilities.

Digital Certificates
Digital ID: A Brief Overview - http://www.verisign.com/static/005326.pdf

VeriSign™ Class 1 Digital ID℠ for Microsoft Internet Explorer - https://digitalid.verisign.com/client/class1MS.htm

Comodo Digital Certificate - http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
Comodo's Free Email certificates allow you to use the digital signing and encryption features built into your personal email client to authenticate and secure your email communications. This allows recipients of your emails to confirm your identity and ensure that the email you sent was not modified during transmission. It is also simple to fully encrypt your communications to prevent unauthorized viewing.

GlobalSign Digital ID - http://www.globalsign.com/authentication-secure-email/digital-id/
GlobalSign offers a range of PersonalSign certificates (Digital IDs issued to people) with varying trust levels. Digital IDs can be used to access online Government services to submit declarations electronically, authenticate you to SSL VPNs, and secure email by digitally signing and encrypting email using applications such as Microsoft Outlook or other S/MIME email software. The same Digital ID can also digitally sign Microsoft Office documents. By digitally signing a document or email, you can confirm that you are the originator of the document / email and help prove that the document / email has not changed since the time you signed it.

Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files

The AMRDEC Safe Access File Exchange (SAFE) application is for securely exchanging UNCLASSIFIED / FOUO files. Files of up to 2GB in size may be transferred through SAFE, but the actual size is dependent on various factors such as connection speed, the network's congestion, and various other determinants. Since many organizations that do business within the Army limit the size of attachments that can be sent via email, the SAFE applications were created as alternative file-sharing methods to email and FTP.

How Secure is SAFE?

SAFE uses the SSL (Secure Socket Layer) protocol--128-bit encryption--when a file is uploaded and downloaded. Users should be aware, however, that the limited-use PIN that users receive to access a file in SAFE is sent via email. Therefore the PIN is only as safe as your email system. Since this system was designed as an alternative to simply attaching the file to an email anyway, this is acceptable. The SAFE server uses Department of Defense PKI certificates for identification and encryption.

- Any format of file(s), including a .zip file, may be sent to anyone with a valid email address
- Virus protection provided
- SAFE servers are less susceptible to worms or other email viruses

AMRDEC SAFE - https://safe.amrdec.army.mil/SAFE/

Use Encryption Wizard (EW) to Secure Your Files

EW is an SPC implementation of the Advanced Encryption Standard (AES) (Rijndael) augmented with a file manager Graphical User Interface (GUI) for ease of use. The 128-bit encryption/decryption algorithm used by Encryption Wizard is considered cryptographically strong and is routinely used in National Security Agency (NSA) and National Institute of Standards and Technology (NIST) certified products. Encryption Wizard is designed to protect data at rest and in transit (such as email attachments).

Fast, Easy-to-Use Protection
Quickly and easily protect your important data inside and outside your organization. Encryption Wizard (EW) provides a user-friendly, drag-and-drop, single window interface to encrypt any type of file on nearly any computer or media. To encrypt files or directories, simply drag them into the EW window, press Encrypt, and enter a passphrase and/or use a PKI certificate. EW can also create encrypted (and optionally compressed) archives of files and directories.

Free Public Version
Download now from http://spi.dod.mil/ewizard.htm .

Free FIPS Version
This restricted version uses a FIPS 140-2 validated encryption module from RSA for use by the federal government and its contractors. Encrypted files are compatible with the public version. Escrow keys can be embedded for use in your enterprise. To obtain the FIPS version or customize for your enterprise, contact the Software Protection Initiative.

Cryptographically Strong
Encryption Wizard protects data on your network, while stored on media, and during transmission across the Internet using a FIPS 140-2 validated module. 128-bit AES encryption, SHA-256 hashes, and RSA digital signatures meet DoD requirements for transmitting and storing critical unclassified information.

Enterprise Ready
Encryption Wizard aims to protect data wherever stored and however transmitted between dissimilar networks, platforms, and operating systems for a broad range of users. Listed on the Air Force Enterprise Products List, EW complements Data-at-Rest products for defense-in-depth and granular control. Optional command line interface permits scripting of data protection. Installation packages are available for common enterprise software distribution systems.

System Requirements
- Java Runtime Environment SE, v1.5 (or newer)
- Administrator access not required for installation

JavaScrypt: Browser-Based Cryptography


JavaScrypt: Browser-Based Cryptography (http://www.fourmilab.ch/javascrypt/) is "a collection of Web pages and programs in the JavaScript language [that] perform military-grade encryption (256 bit secret key AES) entirely within your Web browser--you needn't download nor install any software, and nothing is sent to any Web site when you encrypt or decrypt a message. You can download the page source and JavaScript programs to your own computer and use them even when not connected to the Internet. Companion pages provide a text-based steganography facility and key generator suitable for preparing one-time key lists."

An advantage of the JavaScrypt: Browser-Based Cryptography program is that its "lite" version is very small (32 KB) and can be stored in a web-based e-mail program (i.e. attach it to an e-mail and send it to yourself) or accessed on-line from the Fourmilab website, thus allowing one to encrypt sensitive communications from any computer which can access your web-based e-mail.

Pretty Good Privacy (PGP)

Pretty Good Privacy or PGP is an encryption program developed by Phil Zimmermann and published in 1991. It was one of the first public-key encryption programs available to the general public, and has today become the "unofficial standard" for encryption of e-mail and personal communication on the Internet.

PGP uses public key encryption. It has one key (a public key) for encryption and a second key (a private key) for decryption. With PGP installed on your computer you can encrypt a message to any person whose public key you possess. However, the only way to then decrypt that message is to possess the associated private key. Thus when using PGP you give your public key to everyone, add it to key servers, and maybe even publish it on the Internet, but you keep your private key secret and secure, thereby ensuring that while anyone can encrypt a message and send it to you, only you can decrypt and read that message.

People who use PGP on a regular basis will often publish their PGP public key to a "key server". A key server is simply a site where you can search for a person's public key and post your own public key for others to use. PGP key servers are run by several groups and organizations, but some of the major key servers can be found on-line at:

- MIT PGP Public Key Server - http://pgp.mit.edu/
- PGP Corporation Public Key Server - http://keyserver.pgp.com/
- University of Mainz (Germany) Public Key Server - http://pgp.uni-mainz.de/

If you use PGP you could visit any one of these PGP key servers and locate the author's PGP public key. This would give you a way to securely contact the author of this book without first having met him or otherwise exchanged any type of encryption key. If you included a copy of your own PGP public key in your e-mail, or if your PGP public key was posted to the key server, you could receive an encrypted reply to your e-mail... a reply that only you could read.

PGP is available for most operating platforms and systems, and is available as freeware from the PGP International site at: http://www.pgpi.org/ . GNU Privacy Guard (GnuPG) is a PGP-compatible free implementation of the OpenPGP standard. GnuPG is available on-line at: http://www.gnupg.org/ .

Hushmail

https://www.hushmail.com/

Hushmail is a secure, free, web-based email service, developed in 1999. Hushmail looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.

Key features
- Easy-to-use web-based email
- Standards-compliant encryption
- Works on iPhone and BlackBerry
- Optional Outlook integration

The free Hushmail account is limited to 2MB of storage space. Storage of up to 10GB is available for $49.98 per year.

Ironkey
https://www.ironkey.com

Your identity and personal data are too valuable to risk. IronKey Personal keeps you protected with military-grade encryption and easy-to-use identity management. The result of extensive R&D and the collaboration of some of the world's leading experts in cryptography and the Internet, IronKey is the world's most secure flash drive. IronKey Personal comes loaded with a secure private browser that lets you surf anonymously and protects your passwords whenever you go online. IronKey Personal simplifies your digital lifestyle while giving you added peace of mind.

Ironkey Datasheet: https://www.ironkey.com/files/datasheets/ironkey-personal-s200.pdf

Create a Secure Computing Environment with Lightweight Portable Security

http://spi.dod.mil/lipose.htm

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD without mounting a local hard drive. Administrator privileges are not required; nothing is installed. SPI created the LPS family to address particular use cases. LPS-Public is a safer, general-purpose solution for using web-based applications. The accredited LPS-Remote Access is only for accessing your organization's private network.

LPS-Public allows general web browsing and connecting to remote networks. It includes a CAC-enabled Firefox browser, a PDF and text viewer, Java, and Encryption Wizard - Public (http://www.spi.dod.mil/ewizard_down.htm).

LPS-Public turns an un-trusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer. Simply plug in your USB CAC-reader to access CAC-restricted DoD websites. To get started, download the LPS-Public ISO image and burn it to a CD.

Puppy Linux

Linux is a free operating system, and Puppy Linux (http://puppylinux.org) is a special build of Linux meant to make computing easy and fast. Puppy Linux also enables you to save money while doing more work, even allowing you to do magic by recovering data from destroyed PCs or by removing malware from Windows. With Puppy Linux, you can carry your programs and data anywhere.

Easy - Just use a CD or USB flash to boot a PC. Puppy Linux is downloadable as an ISO, an image that can be burned to CD or DVD.
Fast - Because Puppy is small, it can live in your PC's memory and be ready to quickly execute your commands, whereas in other systems, programs are first read from drive storage before being executed.
Save Money - Even if your PC has no hard disk (e.g., a broken hard disk), you can still boot Puppy via CD or USB and continue working. Old PCs that no longer work with new systems will still work good-as-new with Puppy.
Do More - Puppy boots in less than a minute, even in old PCs, and it does not require antivirus software. Administering Puppy is quick and minimal. With Puppy, you just have to take care of your data, which you can easily save to USB flash (then forget about your operating system!). Your data can be read by other computers.
Do Magic - Help your friends suffering from computer malware by booting Puppy and removing malware from their PC (use antivirus that is built-in or can be installed in Puppy). Example - a bad Autorun.inf is easily removed by Puppy (just delete it as well as its companion exe program). If your friend thinks that she has lost data from her corrupted hard disk, boot Puppy and try saving her data!
Carry Anywhere (Portable) - Because Puppy is able to live in CD/DVD or USB flash, as well as save data to these same devices, you can carry your programs and data with you.

Are you now ready for Puppy? Keep these important reminders in mind before using Puppy:

- You don't have to install Puppy (to hard disk) to use it. Simply burn the ISO to CD/DVD and boot the PC or laptop with it. Once booted, you can then install it to USB flash (see the Setup menu), so you can use it for booting the PC when a CD is not available.
- You don't have to save data to hard drive to work with Puppy. You can save data to USB flash or even to Internet storage (like www.drop.io ).
- When installed to USB flash, Puppy consumes only a little over 100 MB, or about 256 MB with OpenOffice. You can use the same USB flash (where Puppy is installed) for saving data.

TrueCrypt - Free open-source disk encryption software

Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux

TrueCrypt (http://www.truecrypt.org) is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume. Similarly, files that are being written or copied to the TrueCrypt volume are automatically encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for TrueCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let's suppose that there is an .avi video file stored on a TrueCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the TrueCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type, typically a media player. The media player then begins loading a small initial portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, TrueCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading the next small portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types, not only for video files.

Note that TrueCrypt never saves any decrypted data to a disk; it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be inaccessible (and encrypted). Even when the power supply is suddenly interrupted (without proper system shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again, you have to mount the volume (and provide the correct password and/or keyfile).

A beginner's tutorial to TrueCrypt is available here: http://www.truecrypt.org/docs/tutorial
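The on-the-fly behaviour described above, sketched as an added example; it is not TrueCrypt's code. The 512-byte sector size, the PBKDF2 iteration count, and the HMAC-SHA256 keystream (a dependency-free stand-in for the volume's real cipher, not suitable for protecting data) are assumptions of this sketch.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector (assumed for this example)


def derive_key(password: bytes, salt: bytes) -> bytes:
    # Key derived from the mount password; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def _keystream(key: bytes, sector_no: int) -> bytes:
    # Per-sector keystream built from HMAC-SHA256. Stand-in for the volume's
    # real cipher so the example needs only the standard library.
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """A mounted volume: `disk` only ever holds ciphertext; plaintext exists in RAM."""

    def __init__(self, disk: bytearray, key: bytes):
        self.disk = disk
        self.key = key
        self.sectors_decrypted = 0  # how many sectors were decrypted in RAM

    def _check(self, offset: int, length: int) -> None:
        if offset < 0 or length < 0 or offset + length > len(self.disk):
            raise ValueError("access outside the volume")

    def _load(self, n: int) -> bytes:
        raw = bytes(self.disk[n * SECTOR:(n + 1) * SECTOR])
        self.sectors_decrypted += 1
        return _xor(raw, _keystream(self.key, n))

    def _store(self, n: int, plain: bytes) -> None:
        self.disk[n * SECTOR:(n + 1) * SECTOR] = _xor(plain, _keystream(self.key, n))

    def write(self, offset: int, data: bytes) -> None:
        # Encrypt sector by sector right before the bytes reach the disk.
        self._check(offset, len(data))
        pos = 0
        while pos < len(data):
            n, start = divmod(offset + pos, SECTOR)
            chunk = data[pos:pos + SECTOR - start]
            sector = bytearray(self._load(n))
            sector[start:start + len(chunk)] = chunk
            self._store(n, bytes(sector))
            pos += len(chunk)

    def read(self, offset: int, length: int) -> bytes:
        # Decrypt only the sectors that cover the requested portion.
        self._check(offset, length)
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        out = bytearray()
        for n in range(first, last + 1):
            out += self._load(n)
        skip = offset - first * SECTOR
        return bytes(out[skip:skip + length])


def demo() -> dict:
    salt = b"constructed-salt"               # constructed sample value
    disk = bytearray(256 * SECTOR)           # 128 KiB empty container
    vol = Volume(disk, derive_key(b"correct horse", salt))
    video = bytes(range(256)) * 256          # 64 KiB of constructed "video" data
    vol.write(4096, video)
    vol.sectors_decrypted = 0
    portion = vol.read(4096 + 10_000, 2_000)  # the player loads one small portion
    wrong = Volume(disk, derive_key(b"wrong password", salt))
    return {
        "portion_ok": portion == video[10_000:12_000],
        "sectors_touched": vol.sectors_decrypted,
        "plaintext_on_disk": video[:64] in bytes(disk),
        "wrong_password_reads_plaintext": wrong.read(4096, 64) == video[:64],
    }


if __name__ == "__main__":
    print(demo())
```

Reading 2,000 bytes out of the 64 KiB file decrypts only the five sectors that cover that range, and the backing `disk` buffer never contains the plaintext.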

Install Anti-Virus Software on Your Home Computer

To help protect your home and personal computers, the DoD Antivirus Software License Agreement with McAfee and Symantec allows active DoD employees to utilize the antivirus software for home use. Home use of the antivirus products will not only protect personal PCs at home, but will also potentially lessen the threat of employees bringing malicious logic into work and compromising DoD networks.

To obtain a copy of the free anti-virus software provided by the DoD, visit https://www.cert.mil. (DoD PKI CAC Card Required)

For individuals who do not have DoD PKI to access the above software, there are other free anti-virus programs available:

- AVG Free Anti-Virus Software - http://free.avg.com/us-en/homepage
- Avast Free Anti-Virus Software - http://www.avast.com/free-antivirus-download
- Microsoft Security Essentials - http://www.microsoft.com/security_essentials/
- Panda Cloud Antivirus Free Edition - http://www.cloudantivirus.com/en/
- Trend Micro HouseCall - http://housecall.trendmicro.com/

Participate in IA Education, Training and Awareness Programs

The DISA Information Assurance Support Environment http://iase.disa.mil/eta/ provides a variety of free, on-line IA education, training, and awareness programs. IA training helps to ensure that the privacy, reliability, and integrity of our information systems remain intact and secure.

Information Assurance Fundamentals Training - https://ia.signal.army.mil/IAF/default.asp

This course provides individuals an understanding of the information systems security policies, roles, responsibilities, practices, procedures, and concepts necessary to perform the functions of an Information Assurance Security Officer (IASO). The lessons presented will aid the IASO in developing an effective security approach and in selecting cost-effective controls to meet the requirements of laws, directives, and regulations.

Lesson 1 - Army Information Assurance Program (AIAP)
Lesson 2 - Federal Laws, DoD Regulations and Policies
Lesson 3 - Army Regulations and Policies
Lesson 4 - Army Information Assurance Training Program
Lesson 5 - Network/Hacker Threats
Lesson 6 - Malware
Lesson 7 - Physical Security
Lesson 8 - Risk Assessment and Management
Lesson 9 - Security Incident and Response Planning
Lesson 10 - Continuity of Operations (COOP)
Lesson 11 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
Lesson 12 - Wireless Security
Lesson 13 - Intrusion Detection Systems (IDS) and Auditing
Lesson 14 - Firewalls and Perimeter Defense
Lesson 15 - Encryption and Common Access Cards (CAC)
Lesson 16 - Legal

InfraGard Awareness Information Security Awareness Course - https://www.infragardawareness.com/index.php

The InfraGard Awareness Information Security Awareness course is FREE to all individuals and small businesses with 50 or fewer employees. This training will help you and your employees understand how to help make your workplace more secure. It will also teach you vital skills to protect yourself and your family from cybercrime and identity theft. The course is divided into 13 lessons. Each lesson is approximately three to nine minutes long. The total time for the entire course is approximately 90 minutes.

The first part of the course focuses on the key behavioral challenges, including:

- helping employees make a personal connection with cybercrime and workplace security
- understanding who commits these crimes and what their motives are
- understanding why exploiting predictable employee behavior is critical to committing these crimes
- why modifying personal behavior can be so powerful in preventing these crimes.

The second part of the course focuses on security best practices and policies, and on how they contribute to behavioral change and better workplace security. It addresses all the key security vulnerabilities, including web and e-mail use, passwords, data protection, social engineering, virus management, security outside the office, personal workspace security and more. Standard lessons include:

Pre-Lesson Course Welcome and Overview
Lesson 1: The Impact of Cybercrime and Identity Fraud
Lesson 2: Today's Threats
Lesson 3: How Employee Behavior is Exploited
Lesson 4: Strong Passwords Increase Security
Lesson 5: Understanding and Recognizing Social Engineering
Lesson 6: Email Best Practices
Lesson 7: Protecting Against Viruses, Spyware and Spam
Lesson 8: Protecting Your Personal Workspace
Lesson 9: Security You Can Live With
Lesson 11: Protecting the Workplace from Identity Fraud
Lesson 12: Risks and Acceptable Uses of Electronic Resources
Lesson 13: Secure Use of Networks

DHS/FEMA Certified Cyber Security Training is available through the TEEX Domestic Preparedness Campus at: http://www.teexwmdcampus.com/index.k2

Software Engineering Institute's Virtual Training Environment (VTE)! - https://www.vte.cert.org

VTE provides high-fidelity e-learning delivered right to your Web browser, which means that VTE combines three unique capabilities:

- On-demand lecture in the form of video, audio presentations, and demonstrations
- Hands-on lab environments
- A learning management system to manage enrollments and track progress

Use Your DoD CAC At Home

Step 1 - You will need to obtain a CAC Reader. This can be issued, or you may choose to buy one. The following links are for CAC readers available from Amazon.com:

- SCM SCR3310 USB Smart Card Reader Common Access CAC ID DOD
- SCM SCR331 - SMART card reader - USB

Step 2 - Go to http://militarycac.com and follow the instructions to download DoD Certificates and ActivClient.

Using your DoD CAC from home allows you to quickly log in to AKO / DKO, change your password, add or sponsor guests, and avoid the KBA questions. Be sure your CAC is registered with AKO / DKO:
http://help.dr1.us.army.mil/cgibin/akohd.cfg/php/enduser/std_adp.php?p_faqid=264&p_sid=f1lawh*j&p_lva=95

Once you have your CAC set up at home, go to https://rw5.army.mil to access your office e-mail.

Use the Password Function in Microsoft Office to Protect Your Documents

To password protect a Microsoft document, workbook, or presentation (MS Word, Excel, or PowerPoint):

1. Click the Microsoft Office Button, point to Prepare, and then click Encrypt Document.
2. In the Encrypt Document dialog box, in the Password box, type a password, and then click OK. You can type up to 255 characters. By default, this feature uses AES 128-bit advanced encryption.
3. In the Confirm Password dialog box, in the Reenter password box, type the password again, and then click OK.
4. To save the password, save the file.

The default encryption algorithm is AES 128-bit. This value can be increased to AES 256-bit via a Registry entry, local security policy, or domain Group Policy. AES encryption is supported for Open XML formats used in previous versions of Microsoft Office when those documents are created in a Microsoft 2007 Office system application. However, documents saved in the older Office binary formats can only be encrypted using RC4 to maintain compatibility with older versions of Microsoft Office.

The level of protection provided by the AES encryption is related to the strength of the password used to protect the document. You should use complex passwords that include upper and lower case letters, numbers and symbols and that are at least 10 characters long.

It's important to note that there are two options to add a password in Microsoft 2007 Office system documents. One option enables you to encrypt the document using a password; this is referred to as a Password to open. The second option does not use any encryption. It is designed so you can collaborate with content reviewers you trust, but is not designed to help make the file more secure. This is referred to as the Password to modify.

Use a Secure Erase Utility to Destroy Electronic Data


Data erasure is a method of software-based overwriting that completely destroys all electronic data residing on a hard disk drive or other digital media. Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the disk unusable, data erasure removes all information while leaving the disk operable, preserving assets and the environment.

According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure." [http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf]

"Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

- Center for Magnetic Recording Research - University of California, San Diego. Secure Erase Utility - http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
- Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing - http://www.dban.org/
- Eraser - http://eraser.heidi.ie/ and http://www.tolvanen.com/eraser/

Use Strong Passwords


The Department of Defense Password Management Guideline (CSC-STD-002-85) states: "The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used. Since many user-created passwords are particularly easy to guess all passwords should be machine generated..."

PC Tools - Secure Password Generator - http://www.pctools.com/guides/password/
The PC Tools Password Generator allows you to create random passwords that are highly secure and extremely difficult to crack or guess due to an optional combination of lower and upper case letters, numbers and punctuation symbols.

Brookhaven National Laboratory Cyber Security On-line Password Generator - https://www.bnl.gov/cybersecurity/pwgen/
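The guideline's point about password-space size and the distribution of passwords actually used, worked through as an added example (not taken from the guideline or from any tool listed here). The character classes, the 14-character default, and the sample counts of user-chosen passwords are constructed for illustration.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes the generator draws from (chosen for this example).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 14) -> str:
    """Machine-generate a password containing at least one character per class.

    Candidates come from the OS CSPRNG via `secrets`; rejecting candidates that
    miss a class keeps the result uniform over the accepted set.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def password_space(length: int, require_all_classes: bool = True) -> int:
    """Exact number of passwords the generator can produce (size of the space).

    With the "one of each class" rule the space is counted by inclusion-exclusion
    over the classes that a string could be missing.
    """
    total = len(ALPHABET)
    if not require_all_classes:
        return total ** length
    space = 0
    for k in range(len(CLASSES) + 1):
        for excluded in combinations(CLASSES, k):
            remaining = total - sum(len(c) for c in excluded)
            space += (-1) ** k * remaining ** length
    return space


def entropy_bits(space: int) -> float:
    """Bits of entropy of a uniform choice from `space` passwords."""
    return math.log2(space)


def guess_success_probability(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct guesses hit one uniformly chosen password."""
    return min(1.0, guesses / space)


def single_guess_probability(counts: dict) -> float:
    """Best single-guess success rate against passwords that users picked.

    The attacker guesses the most common password first, so the skew of the
    distribution matters, not the nominal size of the space.
    """
    return max(counts.values()) / sum(counts.values())


# Constructed sample: how often each user-chosen password occurs among 100 accounts.
USER_CHOSEN = {"password1": 50, "Summer2011!": 30, "Qwerty123!": 20}

if __name__ == "__main__":
    space = password_space(14)
    print("generated:", generate_password())
    print("space bits: %.1f" % entropy_bits(space))
    print("one guess vs. generated:", guess_success_probability(space, 1))
    print("one guess vs. user-chosen:", single_guess_probability(USER_CHOSEN))
```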

Store Your Passwords in a Password Safe


A password safe is a computer program that stores your passwords in an encrypted format on your computer. You create multiple, very complex, passwords and store them in the password safe. You then memorize a single complex password that grants you access to your password safe. An excellent password safe was developed by Bruce Schneier, and is now an open source project available on-line at: Password Safe - http://passwordsafe.sourceforge.net/. Another password safe is the KeePass Password Safe, available on-line at: http://keepass.info/.

Protect Data-At-Rest (DAR) Enable Microsoft Encrypting File System

Microsoft Encrypting File System (EFS) is installed as part of the Windows operating system (http://technet.microsoft.com/en-us/library/bb457116.aspx). Microsoft Windows Encrypting File System (EFS) enables users to encrypt individual files, folders, or entire data drives. Because EFS provides strong encryption through industry-standard algorithms and public key cryptography, encrypted files are confidential even if an attacker bypasses system security. EFS users can share encrypted files with other users on file shares and in Web folders.

Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer, such as a stolen laptop, can install a new operating system on that computer and bypass the existing operating system's security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer's data storage.

EFS allows users to store confidential information on a computer when people who have physical access to that computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drives, place the drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do. In its default configuration, EFS enables users to start encrypting files from My Computer with no administrative effort. From the user's point of view, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted.

To create an EFS Encrypted folder:
1. Choose a folder in your My Documents folder to be EFS protected.
2. Right-click and choose Properties.
3. Click the Advanced button.
4. Check the checkbox labeled Encrypt contents to secure data.
5. Click OK.
6. Click Apply.
7. If the Confirm Attribute Changes dialog appears, select the Apply changes to this folder, subfolders and files radio button.
8. Click OK.
9. Click OK on Folder Properties.
10. Windows Explorer shows different colors for the following:
    a. Black - normal files on the file system.
    b. Green - files and/or folders are EFS encrypted.
    c. Blue - files and/or folders are compressed.
11. Move or copy at least one file or record into the EFS protected folder.

Data-At-Rest (DAR) Protection - Enable EFS on USB Media

1. To run EFS on a USB device (thumb drive) it needs to be formatted with the NTFS file system. However, by default, only FAT32 and FAT are selectable.
2. Using Windows Explorer, format the USB device with FAT32.
3. Once the formatting is complete, right click the device and check properties. Verify that the file format is FAT32.
4. At a command prompt, run the CONVERT command. Example: CONVERT E: /FS:NTFS (Where E: represents the USB device drive)
5. Once the CONVERT command finishes, the USB device will have an NTFS file system on it which can now accept EFS protected data. Using Windows Explorer, select Properties of the USB device to validate that file format is NTFS.

Further details on Data-At-Rest protection can be found here: http://www.gordon.army.mil/NEC/documents/BBP%20Data%20at%20Rest.pdf

Note: The EFS Encrypt feature is only available in the Vista Business, Ultimate, and Enterprise editions. It will remain grayed out in the Vista Home Basic and Home Premium editions.

United States Postal Service Electronic Postmark

Protect the integrity of your content - https://www.uspsepm.com/

The USPS Electronic Postmark (EPM) is an auditable time-and-date stamp service offered by authorized service providers, under license by the United States Postal Service. The EPM can be used to verify the authenticity of a document or file sent electronically, and provides trusted proof of content as of a specific point in time. EPMs issued by an authorized EPM service provider are stored in their repositories and available for verification for a period of up to seven years from the date of issuance. The USPS serves as the backup verifier for all EPMs issued by any of the authorized providers of the USPS EPM service.

Use AKO/DKO IM & Chat

Many of us use IM & Chat programs to talk with friends and colleagues on-line. When chatting on-line with military members (or any other person with AKO/DKO access) you can secure your conversation by using the AKO/DKO IM Client. All IM communications via AKO/DKO IM are made via an encrypted channel (SSL). This includes IMs between AKO/DKO users and IMs between AKO/DKO and Navy and Air Force IM users. You can access IM from the AKO/DKO homepage by clicking the IM button. You can also download the AKO/DKO IM Client and install it on your home computer, running it as a standalone program.

Enable Secure Logon (CTRL+ALT+DELETE)


(From the Help File)
It's important to keep your computer as secure as possible. One way to do so is to enable secure logon so that you are required to press CTRL+ALT+DELETE to log on. Using secure logon provides an additional layer of security for your computer by ensuring that the authentic Windows logon screen appears. When secure logon is enabled, no other program (such as a virus or spyware) can intercept your user name and password as you enter it.

Click to open Advanced User Accounts. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the Advanced tab, select the Require users to press Ctrl+Alt+Delete check box, and then click OK.

(From: http://support.microsoft.com/kb/308226)
To Enable or Disable the CTRL+ALT+DELETE Sequence
1. Click Start, click Control Panel, and then click User Accounts.
2. Click the Advanced tab.
3. In the Secure logon section, select or clear the Require users to press Ctrl+Alt+Delete check box.

Note: If the Advanced tab is not available, click Start, click Run, type control userpasswords2, and then click OK. The Advanced tab is not available under certain conditions. For example, if you are a restricted user, the Advanced tab is not available. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 306992 (http://support.microsoft.com/kb/306992/) How to manage stored user names and passwords on a computer in a domain in Windows XP

* Disabling the CTRL+ALT+DELETE sequence creates a "security hole." The CTRL+ALT+DELETE sequence can be read only by Windows, ensuring that the information in the ensuing logon dialog box can be read only by Windows. This can prevent rogue programs from gaining access to the computer.
* If a Windows XP-based computer is part of a domain, domain-wide policies may have been set that override the settings you make on the local computer.
* On MS-DOS-based computers (and some older UNIX-based systems), pressing CTRL+ALT+DELETE gains the attention of the BIOS, causing a "warm" reboot. You can use the keyboard to shut down the operating system. On Windows-based computers (starting with Microsoft Windows NT), the CTRL+ALT+DELETE sequence is intercepted by Windows. The advantage of the keystroke-intercept technique is to help prevent Windows from being shut down by someone who does not have access to do so.

Cellular Telephones and PDAs

Cell-Phone Security Tips:

1 - Protect your phone like the valuable item it is. Even if the cost of the phone itself is relatively inexpensive, the value of the information stored on the phone can be considerable.

2 - Restrict access to your phone with a PIN or password. There are three types of value associated with your phone: the cost of the physical device itself, the value of the cell-phone service (i.e. making calls), and the value of the information stored on the phone (all of your contacts and personal information). Requiring a PIN or password to access your phone helps protect against theft of your cell-phone service and personal information.

3 - Write down the make and model of your phone, your phone number, SIM number and/or IMEI number, and the contact information for your service provider. If your phone is ever lost or stolen you will need this information to quickly deactivate the phone and report it stolen to the police.

4 - Make a back-up of the information stored on your phone. If your phone allows you to easily save your data to your home computer, great! If not, at least write down your most important contact numbers and similar information and store it safely away from your phone.

5 - Be sure you understand what liability you face if someone steals your phone and starts running up a bill. Arrange with your cellular service provider for a maximum bill amount, after which they decline service until the bill is paid. Perhaps you will set the limit at double your average monthly bill. This will allow you to increase your usage when necessary, but will prevent a $20,000.00+ cell-phone bill if someone runs up unauthorized charges. (Huffington Post, 2009)

6 - Consider anti-theft and recovery software for your phone. Services such as iHound https://www.ihoundsoftware.com/, Theft Aware http://www.theftaware.com/, and Gadget Trak http://www.gadgettrak.com/ provide software that can help you recover a lost phone.

=====

Guidelines on Cell Phone and PDA Security: Recommendations of the National Institute of Standards and Technology (October 2008) - http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used for many functions, including sending and receiving electronic mail, storing documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new risks to organizations. This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving cell phone and PDA devices.

US CERT Cyber Security Tip ST06-007 - Defending Cell Phones and PDAs Against Attack - http://www.us-cert.gov/cas/tips/ST06-007.html
Cyber Security Tip ST05-017 - Cybersecurity for Electronic Devices - http://www.us-cert.gov/cas/tips/ST05-017.html
Cyber Security Tip ST04-020 - Protecting Portable Devices: Data Security - http://www.us-cert.gov/cas/tips/ST04-020.html


Zfone
Zfone http://zfoneproject.com/ is a new secure VoIP phone software product which lets you make encrypted phone calls over the Internet. Its principal designer is Phil Zimmermann, the creator of PGP, the most widely used email encryption software in the world. Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP media stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

Zfone is available as a universal "plugin" for a wide variety of existing VoIP clients, effectively converting them into secure phones. It's also available as an SDK to allow VoIP product vendors to integrate encryption into their products.

Zfone:
* Doesn't depend on signaling protocols, PKI, or any servers at all. Key negotiations are purely peer-to-peer through the media stream
* Interoperates with any SIP/RTP phone, auto-detects if encryption is supported by other endpoint
* Available as a "plugin" for existing soft VoIP clients, effectively converting them into secure phones
* Available as an SDK for developers to integrate into their VoIP applications
* Submitted to IETF as a proposal for a public standard, and source code is published

A public beta release of the Zfone software is available for download for Windows, Mac OS X, or Linux.


Vumber - Virtual Phone Number


A Vumber http://www.vumber.com/ is a virtual phone number - now you can have two numbers on a single phone. With Vumber, choose any area code you want and link it to your home, cell, or work phone. When someone calls your Vumber, it will ring on your phone without ever revealing your private phone number and you control how to handle the call; you can: a) answer it; b) send them to Vumber voicemail or Vumbermail as we call it; c) give them a busy signal; d) tell them the number is out of service; or e) play them a custom message you create. Vumber lets you keep your phone number private, which means unequaled privacy protection. And it's not limited to a pre-defined one-to-one calling relationship like you sometimes see out there; it's as simple as having another phone number. Even simpler; Vumber puts you in total control of your communications and your identity. Most importantly, you can call from your Vumber, too. Just dial your Vumber, and then dial the number and your Vumber will show up on their caller ID. It's that easy. It's simple and instant to use. With Vumber, you get a flexible, privacy-protected, portable, disposable telephone number and a private Vumbermail voice mailbox. And don't worry... You still have your existing numbers, and you can still call and get calls from them. But now you also have a number with total control - your Vumber.

Google Voice
Google Voice http://www.google.com/voice is a telecommunications service by Google launched on March 11, 2009. The service provides a US phone number, chosen by the user from available numbers in selected area codes, free of charge to each user account. Inbound calls to this number are forwarded to other phone numbers of the subscriber. Outbound calls may be placed to domestic and international destinations by dialing the Google Voice number or from a web-based application. Inbound and outbound calls to US (including Alaska and Hawaii) and Canada are free of charge. International calls are billed according to a schedule posted on the Google Voice website.

Google Voice with a Google number:
* Use one number to manage all your phones; your Google Voice number is tied to you, not to a particular device or location.
* Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and search through them
* Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to you via email and/or SMS.
* Customize your callers' experience (custom voicemail greetings, decide which of your phones ring based on who's calling, send some callers straight to voicemail, etc.)
* Define which phones ring, based on who's calling, and even ListenIn(TM) on voicemail before answering the call.
* We use smart technology to route your calls. So, if you're already on a Google Voice call, we'll recognize it and use call waiting to reach you on the phone you're on.
* Works with mobile phones, desk phones, and work phones. There's nothing to download, upload, or install, and you don't have to make or take calls using a computer.
* International calling: Make low priced international calls from the web or from your phone.

Google Voice with your non-Google phone number:
With this option you won't get some features (i.e. call forwarding, screening, and call recording), but you'll still get plenty of others, including:
* Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and search through them
* Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to you via email and/or SMS.
* Custom voicemail greetings: Customize your voicemail greeting based on who is calling.
* International calling: Make low priced international calls from the web or from your phone.

Whisper Systems (Apps. for the Android Operating System)


http://www.whispersys.com/

RedPhone 0.4
Encrypted voice for your smartphone. RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. It's easy to use, and functions just like the normal dialer you're accustomed to. RedPhone uses your normal mobile number for addressing, so there's no need to have yet another identifier or account name; if you know someone's mobile number you know how to call them using RedPhone. And when you receive a RedPhone call your phone will ring just like normal, even if it is asleep.

TextSecure 0.5
Encrypted texts for your smartphone. TextSecure is a drop-in replacement for the standard text messaging application, allowing you to send and receive text messages as normal. All text messages sent or received with TextSecure are stored in an encrypted database on your phone, and text messages are encrypted during transmission when communicating with someone else also using TextSecure.

TOR

http://www.torproject.org/

Tor is an encryption tool that can help you protect the confidentiality of your communications. Tor is a free, relatively easy to use tool primarily designed to protect your anonymity online. But it also has the side benefit of encrypting your communications for some of their journey across the Internet. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

Google Encrypted Search

https://encrypted.google.com/

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

To use search over SSL, visit https://encrypted.google.com each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you're searching over SSL, these properties may not appear in the left panel.

Here's how searching over SSL is different from regular Google search:
* SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't be read by third parties trying to access the connection between a searcher's computer and Google's servers. Note that the SSL protocol does have some limitations - more details are below.
* As another layer of privacy, SSL search turns off a browser's referrers. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information.
* At this time, search over SSL is supported only on Google web search. We will continue to work to support other products like Images and Maps. All features that are not supported have been removed from the left panel and the row of links at the top. You'll continue to see integrated results like images and maps, and clicking those results will take you out of encrypted search mode.
* Your Google experience using SSL search might be slightly slower than you're used to because your computer needs to first establish a secure connection with Google.

Note that SSL search does not reduce the data that Google receives and logs when you search, or change the listing of these terms in your Web History.

How will SSL search affect content filtering services?
When searches are conducted using https://encrypted.google.com, those searches will bypass any content filters that are in place on your network.

Google Account 2-step verification


http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284

Using 2-step verification will help prevent strangers from accessing your account with just a stolen password. When you sign in with 2-step verification, you'll verify your identity using both a password and a code that you receive on your phone. 2-step verification adds an extra layer of security to your Google Account by requiring you to have access to your phone as well as your username and password when you sign in. This means that if someone steals or guesses your password, the potential hijacker still can't sign in to your account because they don't have your phone.


Temporary / Disposable E-mail Addresses


TempE-Mail (Address expires in 14 days) - http://www.tempemail.net/
10 Minute Mail - http://10minutemail.com/10MinuteMail/index.html
Trashmail - https://ssl.trashmail.net/
Mailinator - http://www.mailinator.com/
Jetable - http://www.jetable.org/en/index

EPIC Online Guide to Practical Privacy Tools


http://epic.org/privacy/tools.html

NIST Computer Security Division - Computer Security Resource Center


http://csrc.nist.gov/

US CERT Cyber Security Tips


http://www.us-cert.gov/cas/tips/

NSA - CSS Cyber Security Factsheets


http://www.nsa.gov/ia/guidance/security_configuration_guides/fact_sheets.shtml

Report Cyber-Crime
Report Phishing - http://www.us-cert.gov/nav/report_phishing.html
Report A Computer Security Incident - https://forms.us-cert.gov/report/
File a Cyber-Complaint On-line - http://www.onguardonline.gov/file-complaint.aspx
Internet Crime Complaint Center - http://www.ic3.gov/complaint/default.aspx
Federal Trade Commission Complaint Assistant - https://www.ftccomplaintassistant.gov/

Michael Chesbro, CPO, CSS, CCIA, CFC, CAS, CHS-III, SSI, IAC
Criminal Intelligence Specialist / Certified Crime & Intelligence Analyst
DES OPSEC Officer / DES Security Manager / DES COMSEC Officer
Joint Base Lewis-McChord Fusion Center - Directorate of Emergency Services
Joint Base Lewis-McChord, Washington 98433
Tel: 253-966-7303 / DSN: 347-7303
Fax: 253-966-7318
AKO: michael.chesbro@us.army.mil
LEO: michael.chesbro@leo.gov
