Digital Survival - security

Mobile phone security & privacy

katie — Thu, 03 Feb 2011 12:00:37 +0000

Mobile phones carry a vast amount of data; not just your contacts but also logs of calls made and received, and of SMS messages sent and received. They can reveal a lot about you; for example, the list of all your contacts in your mobile phone shows exactly who you are working with. If you are working on a politically sensitive issue this can put you and everyone you work with at risk. There are obvious security concerns for people who use mobile phones to record video or take photos in sensitive situations. If a phone is confiscated or found with footage in it that incriminates others, those people could be put at risk as well as the phone's owner. Great caution should be exercised at all times. Special care needs to be taken if and when this content is transmitted over the mobile network as mobile phone service providers can be pressured to hand over records of activity on particular phones. Networks also automatically track the location of each and every active mobile phone – this is done for the purposes of routing calls and messages. This means that members of the public (or at least their phones) can be pinpointed to a specific location at a specific time. The only way to ensure your location cannot be identified is to turn your phone off and remove its battery. Mobile phone cameras also routinely store the location where an image was taken, along with details of date, time and the type of camera or phone used. This information, or metadata, is stored as part of the JPEG standard which is the file format most commonly used for digital images. This information could be useful to you in some circumstances – to prove that you were in a particular place at a particular time to witness an event – but it could also get you into trouble, depending on the situation. Tools are available which enable this ‘hidden’ information to be viewed, and (in most cases) removed, before the image is forwarded to others. You can download a free tool called JPEG Stripper (http://www.steelbytes.com/?mid=30) which will help you remove metadata from your images.

Tags:

mobile phone

security

Mobile phone security checklist

katie — Thu, 03 Feb 2011 11:58:29 +0000

When using your phone, remain aware of your surroundings and do not use it in crowded areas or where you feel unsafe.
Avoid displaying your phone in public. Keep it with you at all times and do not leave it unattended.
Always use a PIN code to unlock your phone's keypad and functions. See the phone's security settings to set this. Use invisible ink to mark the phone and battery with your postcode and street number or the first two letters of your house name. This can be helpful in recovering your phone if it is lost or stolen.
The 15-digit serial or IMEI number helps to identify your phone. This can be accessed by looking behind the battery of your phone – it should be visible as a 15 digit number. Make a note of this number and keep it separate from your phone, as this number could help the police to trace ownership quickly if it is stolen.

For more information, visit the Security section of the Mobiles in-a-box toolkit (http://mobiles.tacticaltech.org/security)

Tags:

mobile phone

security

Instant Messaging Security

katie — Wed, 02 Feb 2011 17:25:43 +0000

With IM, it may seem as though you are having a 'private chat' with someone, but because it's transmitted via the internet this may not be the case. Unfortunately IM programmes don't offer good security so you need to use other programmes to do this. You are more secure if both you and your instant messaging contacts use the same software and take the same security precautions.

Tags:

Instant Messaging (IM)

security

Email tips

katie — Wed, 02 Feb 2011 17:16:22 +0000

Don't open email attachments that you are not expecting, or which have come from someone you do not know. When you open such an email, make sure that your anti-virus software is up-to-date and pay close attention to any warnings from your browser or email program.
You can use anonymity software which can help you hide your chosen email service from anyone who might be monitoring your internet connection. A good, free software programme to do this is Tor. You can find out more about this in chapter 8 of Security in-a-box at http://security.ngoinabox.org/chapter-8. If you don't want to give away information about your identity through your email, do not register a username or 'Full Name' that is related to your personal or professional life.
You can avoid getting spam (unwanted or junk email) by guarding your email address and distributing it sparingly. Also, never open or reply to any emails you consider to be spam, because spammers will take this as a proof of the legitimacy of the address and will just send you more spam. Consider using a spam filter, but remember that it needs to be monitored as it may mistake a genuine email for spam.
You should try to avoid your emails being mistaken for spam by the recipients. Spam filters will block messages with certain words in the subject heading. It is worth scanning your spam folder for subject lines that are getting blocked. A list of sample words blocked by spam filters can be found at http://www.mequoda.com/articles/subject-line-spam-trigger-words/
Beware of email scams. Many scam emails pretend to come from a bank, Ebay, Paypal, or other online shops. If you get an email telling you that your account is in danger of being shut down, or that you need to take immediate action by updating your account information, be very suspicious: these messages are usually scams. Another frequent scam has you receiving an email from someone you know which says that they have had an emergency and asks you to send them money. This person's email account is likely to have been compromised by a scammer.
Pay close attention if your browser suddenly gives you messages about invalid security certificates when you attempt to access a secure webmail account. It could mean that someone is tampering with the communication between your computer and the server in order to intercept your messages.

Tags:

spam

security

Email Security

katie — Wed, 02 Feb 2011 17:10:24 +0000

Few of the webmail providers available offer SSL access to your email. Some of them give you a secure login to protect your password but the messages you send and receive are not secure. Some even insert the IP address of the computer you are using into all of the messages you send. Two providers which are worth considering are Gmail and Riseup.

GMAIL: can be used entirely through a secure connection, as long as you login to your account from https://mail.google.com (with the HTTPS), rather than http://mail.google.com. To ensure ultimate security, you also need to set a preference that tells Gmail always to use SSL in sending and receiving mail. However, we don't recommend relying entirely on Google for the confidentiality of your sensitive email communication. Google scans and records the content of its users' messages for a wide variety of purposes and has, in the past, conceded to the demands of governments that restrict digital freedom.

RISEUP: If you don't have an email account yet, or wouldn't mind switching, the best we can recommend is Riseup https://mail.riseup.net. RiseUp offers free email to activists around the world and takes great care to protect the information stored on their servers. They have long been a trusted resource for those in need of secure email solutions. Unlike Google, they have very strict policies regarding their users' privacy, and no commercial interests that might conflict with those policies. In order to create a new RiseUp account, however, you will need two 'invite codes' which can be given out by anyone who already has a RiseUp account.

Regardless of what secure email tools you decide to use, keep in mind that every message has a sender and one or more recipients. Even if you are accessing your email account securely, your recipients may not be using a secure email account when reading and replying to your messages. To ensure private communication, you and your contacts should all use secure email services. If you want to be certain that messages are not intercepted between your email server and a contact's email server, you might all choose to use accounts from the same provider. In this case, RiseUp is a good one to choose.

If you suspect that someone is monitoring your email, you should read 'Tips on responding to suspected email surveillance' at http://security.ngoinabox.org/en/chapter_7_2

Tags:

Gmail

Riseup

security

Secure Socket Layer (SSL)

Social networking security

katie — Wed, 02 Feb 2011 16:52:14 +0000

You should maintain your security awareness on these sites just as you would on any other. Beware of clicking on unknown links posted by other users, and of suspicious messages to your account. Also, remember that the information you put into a social networking site may not be private and many different people may look at it, including people that are not trusted friends. You can usually tune your privacy settings in your account options and control who can see your profile, but you might also consider signing up under a pseudonym to avoid divulging too much private information.

Tags:

social network sites

security

Search engine security

katie — Wed, 02 Feb 2011 16:27:58 +0000

If you are concerned about someone monitoring your search keywords, you can use an SSL connection with Google. Just type in https://www.google.com. This doesn't prevent Google from logging your search requests, but it does ensure that your search is not being monitored by a third party on the internet. If you are also concerned about Google logging your search requests, you can use a search engine like Scroogle http://scroogle.org), which uses Google's search database but doesn't log your keywords.

Tags:

Secure Socket Layer (SSL)

Web-browsing security

katie — Wed, 02 Feb 2011 16:09:15 +0000

Many countries have installed software to prevent people from accessing certain websites and internet services. Companies, schools and public libraries often use similar software to prevent employees, students and patrons from accessing material that they consider distracting or harmful. Some filters block sites based on their IP addresses, while others blacklist certain domain names, or search through all unencrypted internet communication, looking for specific keywords. If you suspect that the page you are looking for is being censored, you may want to consider using an anonymity tool like Tor (www.torproject.org). You can learn more about bypassing censorship in Security in a Box (http://security.ngoinabox.org/en/chapter-8)

Tags:

internet

web-browsing

security

Internet security

katie — Wed, 02 Feb 2011 15:44:33 +0000

All data travels through the internet in a readable format unless it is encrypted. SSL stands for Secure Socket Layer; this is the technology which allows your computer to communicate over the internet privately. SSL turns the information into a code (encrypts it) so that it cannot be read by unauthorised people. You may have seen SSL on banking websites where you are required to enter private financial information. You will know when you are on an SSL-supported website because you will see a little padlock sign on the lower frame of the browser window, and the internet address of the site will begin with HTTPS rather than HTTP. It is a good idea to use SSL for your email too, if possible. It will encrypt your login details (so that no one can get hold of your password) and your outgoing email so that it cannot be intercepted on the way to the recipient. If you are using email software (where your email messages are downloaded straight to your computer) such as Thunderbird or Microsoft Outlook, it should be set to use SSL – this needs to be agreed with your server. For webmail accounts, such as Gmail and Yahoo, you will probably also have to enable SSL, either as a preference in your account settings or by typing in the HTTPS manually (by logging in to https://gmail.com instead of http://gmail.com). You should always make sure that your connection is secure before logging in, reading your email, or sending a message.

Tags:

internet

security

Secure Socket Layer (SSL)

Internet café security checklist

katie — Wed, 02 Feb 2011 14:58:52 +0000

Internet cafés can be very useful for people who do not have their own computers or internet connections. You pay to use the computer by the minute or the hour, and you don't have to deal with any day-to-day computer maintenance, as you would with your own machine. However, internet cafés present security risks of their own. There are many users coming in and out every day, which means a greater chance of virus infection and even the possibility of others spying on your activities. Nevertheless, internet cafés can be useful for avoiding internet surveillance but you have to know what steps to take to ensure that you remain anonymous and do not leave any trace of your activities behind when you leave. Your aim should always be to leave the computer in the state you found it – as if you've never even been there.

Make informed choices; make sure the internet café you use is well-known and recommended. Look to see if lots of people are using it, and consider asking for recommendations from friends or locals in the area.
Check if the computers have anti-virus software running. Also note whether users are allowed to plug their own devices into the computers; for example, digital cameras. The more interaction between the computers and other devices, the higher the risk of coming into contact with viruses.
Use Firefox rather than Internet Explorer: at the moment there are fewer viruses made for Firefox because it is newer software than Internet Explorer. Take a look at GetFirefox.com and see what it looks like so that you can recognise it in an internet café. If the computers do not have Firefox installed, consider using it as a portable application.
Check for malware: to start your session securely, you need to check that the computer you are using is not already infected. It's a good idea to run the Avast portable application from your USB drive. Otherwise, use an online malware tool to check the computer for malware. A good tool for this purpose is Housecall which is free and only requires a small download (http://housecall.trendmicro.com/)
Leave No Trace
Protect your personal details: when logging in to your various internet accounts, make sure that you don’t select the option to save your details. When you have finished, click the 'log out' option; if you just close the browser window of Gmail, for example, the next person who tries to access Gmail will be taken straight in to your email account. Make sure that any information you fill in on any internet forms is not saved. To do this, go to: Tools > Internet Options > Content > Autocomplete > Clear Forms and Clear Passwords > Ok.
Delete your internet history. When you've finished your session, clear your cookies (small text files saved on the computer that can identify you and what you did) as well as the internet history which lists the sites you visited. In Internet Explorer, go to: Tools > Internet Options > Delete Cookies and Clear History > Ok. Deleting the files may take a few minutes so make sure you leave time for this at the end of your internet session.
In Firefox versions 3.5 or later there is an option for 'Private Browsing', where none of your history or information will be retained, or there is an option to 'Clear Recent History'. You'll find both of these options under Tools.
Delete any saved documents: if you have saved anything to the computer, make sure that you delete your files, both from the folder you saved them in and from the recycle bin of the computer.

Tags: