So, okay. If you've read the basic article about security plans, C-Days - Basic security plan, let's move on to a small example, about securing a home office.
A note, I won't get into specific configurations, but will include links to how to set it up yourself. If I had to include a manual for every software, or every device out there, it will be a veeery long post.
But, as time goes by, I will try to get the specifics into tutorials, and link from here, for those interested :)
So, let's dive in. The scenario I'll look into here, is for a small home office, so it's very basic. For the most part, I'll be using Open Source Linux solutions, primarily Debian and Kali, since that's what I'm working on every day.
I won't recommend Kali, unless you know you have a specific use for it, or the tools it include. If not, don't use it for your daily OS, it WILL come back to haunt you if you do, since it's not very user friendly :)
But, with that said, let's see what we can come up with.
If you remember from the last article, the basic questions we base a security plan on, is as follow.
What do I have I want to protect ?
Who do I want to protect it from ?
How likely is it that I need to protect it ?
What happens if I fail ?
How much trouble do I wan't to go through to protect it ?
So, let's have a look at the questions, and go through the solutions, and talk about each.
What do I have that's worth to protect ?
Physical i have a couple of laptops, a couple of workstations, a tablet and a phone.
For data, there's my data from work, my emails, private messenger communications, my private data ( that cookbook I'm working on, and some bad love poetry ).
So, it's not really all that interesting, but none the less, I like to keep it to myself. Then there's my private papers, passport, some jewelry, and other stuff. So, I guess it's what most people have, nothing really interesting, but none the less private stuff, we'd like to protect, or save. So how do we do that ?, and more important, from who ?
The who it easy to decide, or make a qualified guess as to who it might be. For me, it's "J Random Hacker", and "The neighborhood Kid with a laptop". Some "Three-Letter-Acronym-Agency" (None mentioned, none forgotten), and "Nosey ISP Inc.".
So, how likely is it ?. "J Random Hacker", not very likely, but none the less, it's just a basic precaution. "The-Kid", if he's like me, highly likely :), "Thre--Letter..", hhmm. Not really, but it's a fun thought, and an intellectual challenge that's worth looking into. "Nosey ISP Inc.". Hmm, not really, but I don't like my ISP being able to read my email :)
So, with the "who", out of the way, what can we do about it, and how, what do we need to do ?. What capabilities do they have ?
First things first. "J Random..". Likely to have access to zero day exploits, and being updated with the newest tricks of the trade. How do we protect ourselves ?.
Keeping all systems up to date and being carefull about what we do online is a good start. Making sure that all webpages we frequently use, has https enabled, and that we check certificates, that they are valid, and issued by a trusted provider. For the really paranoid, something like Tor is a good idea. You can read about that project on their website https://www.torproject.org/.
What else can we do ?. We can use cryptography to protect emails and messenger traffic, like we did for the browser. But what kind of crypto is there ?
Symmetric crypto is when each end use the same key, that can be a keyfile, or a password. Both ends of the communication, knows the secret to decode and encode.
The problem with that is that it's not very secret. So, enter assymmetric encryption, like GPG. It's when each party have two keys, one private and one public. The Private key, is for reading / decryption, and for signing. Signing is a way to digitally sign a file / message, so the other end can verify who it's from, in a secure way. When the other end, want to send, they use the public key, to encrypt the message.
So, we have Alice and Bob, A and B. B starts of with generating a couple of keys, his private and public key, and publishes his public key to his website. Alice want to send him a private message, so she reads of his public key, from the website, and imports it into GPG, marked as belonging to Bob. Then she encrypts the message with Bobs public key, and, and sends it on it's merry way.
Bob, decodes it with his privat key, entering his password for opening the key, and can now read the message Alice send him. If he wishes, and he have her Public key, he can respond with an encrypted answer.
The problem here, is managing keys, but keys can be published on public key servers, or as in the example, published online. Mine can be found here Contact.
That brings me to the next topic, day to day communication, also known as messengers. A normal messenger, like Facebook, or Google Hangouts or Skype, is what most people use, but are there any other options, more secure options ? Sure. There's a couple, based on Jabber, with open source clients.
if you look at a normal setup, it would be something like this.
Client A <---> Server <---> Client B.
The problem is that the server knows the IP address of the client, the timestamps they connected, their username, and their password, as a minimum. They can also decrypt SSL traffic, when it's on the server, before passing it along, so the basic question is, do we trust the provider ?. If not, we can use something like pidgin, with the otr-encryption plugin, that makes encrypted traffic between clients, and thus protects us from the providers, and everybody else. You can find Pidgin here https://www.pidgin.im/
To take care of the server problem, we could use our own Jabber based server. A suggestion would be Prosody, that can be found here https://prosody.im/.
So, jump to http://www.debian.org and get an ISO image, and setup your own little server, and throw Prosody on it. There's your fun little project in these C-Days :)
How do we protect the server, Well, we could use something like Kali, with LUKS encrypted drives, and the "Nuke patch" installed, but that would be overkill for most people. Another solution, would be to use public Jabber servers, https://www.jabberes.org/servers/, and make ourselves an account there, if we again, trust the provider.
If you really want to go "Off-Grid", something like Tox is a possibility, and you can find a description of the Tox project, here https://tox.chat/faq.html.
Basically, it takes care of a couple of problems, the centralized server, it has perfect-forward-secrecy, which the technically inclined can read about here https://en.wikipedia.org/wiki/Forward_secrecy, just for fun.
So, to recap, that took care of email, Instant messenger, and web traffic, so we're doing good right ?
More or less. What about that laptop, when we're away from home. ? We could use encryption to protect the drive and our personal files. On Windows it would be something like BitLocker, if you're running Windows 10 Professional, for the Windows Home users, we could use something like Veracrypt. It's basically a form of encryption for Windows, that can runtime protect the harddrive, and files on removeable media like usb sticks.
If you think it could be fun, have a look at https://www.veracrypt.fr/en/Home.html, but be warned...
It cant protect from everything. It can't protect you from doing something wrong, or if someone is willing to commit violence to get your data, that's a question about how much torture / interrogation you can withstand, not a technical question. The only thing that can protect your data in that case, is LUKS encrypted drives, with the "Nuke-Patch", as activating that function destroys the encryption key, and thus destroys your data. That's not a topic we will investigate further :)
Another option, if you can afford it, is looking into Opal harddrives. It's AES encryption, but based in the drive itself. It's a more expensive solution, but worth looking into, if you have something that's really private.
But, what about phones ?, what about tablets ?
For phone encryption, there's something like Signal. It's a messenger and VoIP solution, that employs end-to-end encryption, and features groups, text, picture, audio and video messages. It does know your phone number, but everything else is passed between clients using the data channel, so it's pretty secure, and for the most part, secure enough.
But, with that said, if someone can crack into your phone, and install a rootkit, it's not your phone anymore, and your calls are not protected anymore :) You can read about Signal IM here, https://signal.org/
The only thing left, when it comes to small / portable devices, is common sense. Don't leave them unattended, lock you desktop, or turn off the machine when you leave it, even for a minute. Know where your phone is, and your tablet is, at all times. If it leaves your hand or pocket, even for a minute, go through it looking for any evidence of tampering or malware, and count on it being compromised, just to be on the safe side..
So, the last thing we can do, is to protect out network, so it's as secure as we can make it. Have a look at the article about good passwords in the article Wifi security,
That leaves just a couple of questions, what happens if I fail, and how much trouble do I want to go through ?
Doing all of this, is'nt that much trouble. It doesn't take very long do do, and all of it, can be done in a day or two. The trouble is, that security is something you'll have to work into your daily routine, so it becomes a habit you do without thinking about it. If you use GPG, and want to add someones key, you call them, and verify their keys and fingerprint. The same thing goes for adding them on IM. A way Pidgin helps you there, is you can Authorize another party, using a question they are the only ones that know, so you can be sure who's at the other end.
Using a good password for Wifi, and changing it every now and then, it's not that hard. To set up the password on the devices you use the most, and turn on encryption on those, it's not that much work. Maybe an hour every two weeks. That's simply just the cost of having a decent security level.
But, what about if someone breaks into the office, and tampers with the machine / the network ?
Hmm, highly unlikely, but a possibility. Decent doorlocks, and a good alarm system takes care of that, for the most part. But again, if yo're doing something stupid, there's no patch or easy fix for that. That means, if you have an indoor garage, don't use a lousy door into your house, use a good door, and a decent lock. And no, don't leave those keys for the BMW on the counter, lock them away when you're not home and don't need the car. (Yes, real example).
But, that's another topic, for another category, lockpicking and alarm systems, in the physical security category, which isn't quite ready for primetime yet :)
I will stop here, I hope you got some inspiration for what is possible, and what options is out there, and can get started with coming up with solutions of you own, and start helping friends and family being more secure. Remember, there's no such thing as 100% secure, it simply isn't possible. Security is a process, not an endgame, not an one size fits all, all the time.