DIY Encrypted Email 3: GPG and Enigmail

In the last part of this installment we discussed importing mail into the Thunderbird mail client.  Now that our email has been taken out of the browser, we can begin adding the cryptographic elements.  The first of these is GPG (GNU Privacy Guard).  GPG is an open source implementation of PGP.  It will provide the actual encryption used for our emails. The next step is to install an add-on to Thunderbird called Enigmail.  Enigmail will provide the interface, allowing Thunderbird to use GPG’s encryption.  Installing and setting up GPG and Enigmail is the first order of business in this post.

GPG

Different operating systems require different versions of GPG.  If you are using Windows you will install GPG4Win.  If you are using OS X you will install GPG Suite.  If you are using Linux, you can probably skip this step because GPG comes standard with most distros.  If you do need to download it you can do so here.  After you have downloaded the application, begin the setup process.  You will be prompted to provide your administrator password and select a language.  After you have done so you should see screens depicted in the following screenshots.

On the third screen you will be asked which components of GPG you wish to install.  I generally choose to make my installation as light as possible.  I uncheck everything except “GnuPG” and the “Compendium”.  The other components provide powerful capabilities, but they are superfluous for our purposes.


ENIGMAIL

The next step is to install Enigmail.  Since it is only an extension to Thunderbird this is an easy installation.  First, open Thunderbird.  Next, click the hamburger icon, and then click “Add-ons”.

Click the search bar in the Add-ons menu and type “Enigmail”.

Click the Install button for Enigmail.  It will begin downloading.

After Enigmail is installed, you will be prompted to restart Thunderbird.  After a restart you will be ready to begin creating your key pair.


CREATING A KEY PAIR WITH GPG AND ENIGMAIL

With GPG and Enigmail installed, you are ready to begin creating your key(s).  When Thunderbird restarts the Enigmail Setup Wizard will begin walking you through the process of key generation.  This is not an overly complicated process, and Enigmail will automate most of it.  With the “Start setup now” radio button checked, click “Next”.

On the next screen select “I prefer an extended configuration”.  On the next screen check “I want to create a new key pair for signing and encrypting my email”.  The next screen will prompt you to enter a password.  I recommend that you take some time to enter a good password.  This password can never be changed, so take the time now.  After clicking “Next” the key generation process will begin.


After the keys have been generated you will be prompted to generate a Revocation Certificate.  A revocation certificate allows you to revoke your keys if they are compromised in the future (leading to compromise of communications encrypted with them).  This ensures that if you lose control of your private key you can still maintain control of the communications.  We will discuss how to revoke a certificate in a future post on the topic.  Ensure you store the revocation certificate in a secure location.


Now that we have installed GPG and Enigmail and set up a key pair, we are ready to begin exchanging encrypted emails.  We will cover this in the next segment, so stay with me!

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

DIY Encrypted Email 2: Thunderbird

This is the second in a multi-part series on setting up your own email encryption.  Today we will cover installing and setting up Mozilla Thunderbird.  Thunderbird is a desktop mail client that allows you to access your email from a platform other than the browser.  This is a necessary step because of the vulnerabilities inherent in internet browsers.  Thunderbird is popular (I am far from the first person to post a Thunderbird tutorial) and capable.  For our purposes it will be used to remove email (and crypto) from the browser into a more secure environment.

DIY Encrypted Email 1: The Basics

As promised in my post on email threat models, today I am going to begin a series on DIY encrypted email.  As I discussed in the email threat modeling post, this is the most secure email encryption available.  Before we get into the “how to” portion of this, it is important to first understand asymmetric encryption. Email encryption relies on a wholly different encryption model than that used to protect data-at-rest.  Encrypting email and web traffic relies on asymmetric encryption (also known as public key cryptography).  One of the classic problems with encryption for communications is “key exchange”. It would be simple to encrypt a PDF and email it to someone.  However, it would be difficult to exchange the password for that file without sending it unencrypted.  Sending it plaintext leaves the password vulnerable to interception.  This compromises the integrity of the entire system.  But there is a better way.

Gmail Two Step Verification Pt. 4

Welcome to the 4th and final installment of this series on Gmail Two Step Verification. This part will cover “App passwords”.  App passwords are an extremely handy function of the Gmail Two Step system.  They allow you to create custom, one-time passwords for two-factor accounts, that can be used on certain apps.  This option is only available if you have two-factor authentication enabled.  It allows you to login on apps that do not accept two factor tokens (the unique, six-digit code).  A good example of this is the iPhone’s native mail application.  It can only accept a username and password.  To link your two-factor protected Gmail account you must create an App password.  Another good example that will come into play next week is the Thunderbird mail client.

App passwords also have an ancillary convenience benefit.  If you have a long password on your Gmail account (up to 99 characters are allowed), it is difficult to input on your mobile device.  App passwords are only 16 characters long and are composed only of letters and numbers.  These passwords are easily input on tiny electronic keyboards.  If you’re worried that this password will be used elsewhere – don’t.  They are only good for one login.  Once you’ve used it, it can’t be used elsewhere.  To get started, log into your Gmail account.  Click your avatar, then click the blue “My Account” button.  Navigate to Sign in and Security >> App Passwords.


Click the drop-downs and select the service (Mail, Calendar, Contacts, YouTube, or Other) you desire.  On the device drop down select the appropriate device (next week we will use “Custom” for Thunderbird).  Next, click “Generate”.

Your unique, one-time, 16-character password will appear.  At this point you should enter it into the password field of the application you are attempting to access.  You will NOT be able to access this password again, so if you close the window prematurely you will have to generate a new app password.


You can generate an unlimited number of app passwords.  I recommend that you create the bare minimum, and revoke old ones as soon as they are no longer needed.  When you revoke a passcode, the app that was logged into your account will be logged out.  To regain access with that app you must generate a new app password.

To revoke an app password, simply click “REVOKE”.  This password can no longer be used.  You should revoke any unused app passwords.  You should also revoke relevant app passwords immediately in the event you lose your device.

Revoking Trusted Devices:  As I have mentioned earlier in this series, it is possible to designate some computers as “trusted”.  This means you will not be required to enter your second authentication factor when logging in from these machines.  I only recommend doing so on computers that are full disk encrypted OR that never leave your home.  There is a safety (NOT security) benefit to having one trusted device: if you lose your phone or security key you will still have access to your account.  You can then turn two step verification off until you recover your device.  To revoke trusted devices navigate to the Gmail Two Step Verification page.  Scroll to the bottom to “Devices you trust”.  Click “REVOKE ALL” and confirm.


I hope you have learned something and (maybe even) enjoyed this series.  This started as a single post until I realized the sheer immensity of Gmail Two Step Verification can be overwhelming (to reader and writer alike!).  As always, if there is something you’d like to see covered, don’t hesitate to let me know!


Gmail Two Step Verification Pt. 3

In the third part of my series covering Gmail Two Step Verification I will talk about an advanced topic: the Security Key option.  The security key is a physical device that plugs into your computer’s USB port.  By far the most common and popular iteration of this concept is the Yubikey.  There are three current versions of this device: the Yubikey 4, the Yubikey Neo, and the Yubikey Nano†.  All of these devices have slightly different capabilities, but their core function is the same.  They serve as a strong second authentication factor.

To enable this option, you first need a U2F (Universal Second Factor)-capable device like a Yubikey.  Log into your Gmail account.  Click your avatar, then the blue “My Account” button.  Navigate to Sign-in and Security, and Two Step Verification.  Now scroll to and click “SET UP ADDITIONAL SECOND STEP”.


The next screen will give you some information about registering your Security Key.  Click “NEXT”.

You will be required to enter your password.  Enter it and click “Sign in”.  Ensure that your security key is NOT inserted at this point.

On the next screen you will be prompted to register your security key.  This will require that you insert the security key.  When instructed, touch the top of it.  This will prompt it to transmit the unique code to Google.

When the code is received and accepted you will see the screen below.  Be aware that this automatically makes the security key the default “second step”.

To login with the Security Key, enter your username and password.  You will be presented with the screen shown below.  It will prompt you to insert your security key.  You must then physically touch the ring on top of the key.  This will transmit the unique code and verify your identity.

The security key option is one of the most secure ways to use Gmail Two Step Verification.  Your security key will also work on a number of other services.  Dropbox, LastPass, Password Safe, and WordPress all support the Yubikey as a second authentication factor.  It can also be used to unlock your full disk encrypted computer – just don’t lose it!

Yubico recently sent me samples of the Yubikey 4 and Nano models.  Look for a full review soon.


Gmail Two Step Verification Pt. 2

In Part I of this mini-series on Gmail Two Step Verification, we covered enabling two-factor with SMS messages.  In today’s post we will delve into some additional options.  These options offer some additional convenience and flexibility, as well as increased security.

Backup Codes:  Backup codes are unique, 10-digit codes that can be used to gain access to your account if you lose your phone.  This is a safety feature, and a fairly good one.  After enabling two step verification you should generate these!  To do so navigate back to your sign-in options (My Account >> Sign-in and security >> Two Step Verification). Scroll down to Backup Options.   You have the option to choose a backup phone or create backup codes.  If you wish to use a backup phone, ensure it belongs to a trusted party like your spouse.  Otherwise, click “Backup codes”.

A pop-up will appear displaying your backup codes.  You can print them, save them to a .txt file, or copy and paste them.  I prefer to copy and paste them into the “Notes” section of my password manager entry.  Regardless of where you choose to store them, they should be stored securely.  An attacker can use these codes to gain access to your account.


Authenticator App:  The next option we will look at is using an authenticator app rather than receiving SMS messages.  Text messages work great, but may be less secure.  If your phone account is hacked, the attacker can forward your messages (including your two-factor codes) to his phone.  Also, if you are in an area with no reception or overseas, you will be unable to log into your account.  Before you begin you need to install a two-factor authenticator app on your device that utilizes the TOTP (Time-based, One-Time Password) protocol.  I recommend using Google Authenticator (Android, iOS) or Authy (Android, iOS).  You are now ready to begin.  To enable this feature log in to your account.  Navigate to My Account >> Sign-in and security >> Two Step Verification.  Just below your second factor (your phone) will be an option to “SET UP ADDITIONAL SECOND STEP”.  Click this option and select “Authenticator app”.

The next screen will ask you what kind of phone you have (Android or iPhone).  Select the appropriate radio button and click “Next”.


The next screen will display a QR code that you must scan with your authenticator app.


At this point, open the app on your mobile device.  For this example I used Google Authenticator but the process is similar for Authy.  Tap “Begin Setup”.  On the next screen tap “Scan Barcode”.  It will request access to your camera; allow this.  The app will scan the QR code which will add the account.  Your phone’s screen should now display your second authentication factor.


Back in your browser, you will now be prompted to enter the code your app generated.  This is to make sure everything was set up correctly.  Enter the code and click “Verify”.


Gmail Two Step Verification should now be set up with the app as your default second factor.

Part III of the Gmail Two Step Verification series will cover the Security Key option.  It will also discuss revoking trusted machines.  Stay with me!

Gmail Two Step Verification Pt. 1

I am a strong proponent of two-factor authentication.  It greatly reduces the chance of an attacker getting into your account.  I have recommended it here on the blog, and in my books.  Only recently did I realize I have not posted explicit instructions for how to set it up.  Since Gmail is one of the most popular email providers today, I will begin with it.  Using Gmail also has an additional benefit: it has almost every two-factor option possible.  Learning on Gmail is a good way to learn how to set up two-factor authentication generally.  If you do not have a Gmail account, this would be a good reason to set one up – it is an excellent learning tool.  This post will be a step-by-step tutorial for setting up Gmail Two Step Verification, and will be the first of four parts.  This part will cover the basic setup.  Part 2 will discuss some intermediate topics like backup codes and using Authenticator.  Part 3 will discuss using the “Security Key” and revoking trusted machines.  Part 4 will cover “App Passwords”.

To begin using Gmail Two Step Verification, login to your Gmail account.  Next, click your avatar in the upper-right corner of the interface and click the blue “My Account” button.

This will take you to a screen showing you privacy and security options for your Gmail account.  Click “Sign-in and Security”.

On the following screen, click “2-step Verification”.

The next screen will provide you some light information about Gmail Two Step Verification.  To continue the setup process click the blue “Get Started” button.

Gmail Two Step Verification requires that you provide a phone number.  This will be used to send your verification codes.  Enter your phone number on the next screen. Select text (SMS) message or voice calls.  I recommend text messages unless you have a good reason for wanting voice verification.

You will be sent a text message at the number you provided.  The message will contain a unique, six-digit code.  On the next screen you will be prompted to enter this code.

If you entered the code correctly, it should have worked.  On the next screen you will find out if it did (it probably did).  You will also have the option to “TURN ON”.

After clicking “TURN ON”, Gmail Two Step Verification is enabled.  When you log into your Gmail account you will be prompted to enter your username and password.  Before being allowed into your inbox, you will also have to enter the one-time code that will be texted to you. Note the red box indicating “Don’t ask again on this computer”.  You should uncheck this box on any computers you do not trust.


Stay tuned for Part II of this mini-series, where we will get into some more advanced features of Gmail Two Step Verification!

International Travel Security Tips

Over the past few years I’ve been fortunate enough to do a bit of international travel.  I’m also fascinated with personal security.  The following are some minor “best practices” for international travel security.  If you have any suggestions, post them so we can all benefit. Additionally, If I’m being foolish, please call me out.

Primer:  I fly with a US passport, often through countries where I prefer not to advertise my citizenship.  I worry about my general privacy being violated by large scale data-aggregation companies, identity fraud, and international terrorism.  I also worry about my US Passport elevating my profile.

Luggage


I took this in a European airport.  Can you identify the US Service-member?  As a professional, it’s a worthwhile investment to buy normal/bland luggage.  I know plenty of servicemembers who view this as an unprofessional and ridiculous violation of Operational Security (OPSEC).  Obviously some do not.  Use normal luggage.  Blend in.  Don’t be interesting.

Passport Cover:  Inexpensive, professional and aesthetically pleasing, passport cases are a worthy investment.  Many are made with Radio Frequency Identification (RFID) blocking material.  The RFID blocking is a plus, but I think the biggest advantage is simply that it conceals my US passport.  I’m in an airport with thousands of strangers, in debatably hostile countries.  I have no idea who could catch a glance at my passport and immediately seethe with animosity.  To be honest, I don’t blame some of them but I’m damn sure not going to give them a reason to remember me.


RFID Blocking:  Like the passport cover, I’m a fan of protecting my other digital assets from RFID compromise.  I’m interested in protecting all my electronic/RFID-capable devices from identity theft as well as airport security (who really wants to go to additional security screening?).  It is probably not a bad idea to have an RFID-blocking messenger bag or pouches for laptops, tablets, and cell phones†.  Like the passport cover, I would focus on getting something non-alerting.  Stay away from “tactical” nylon!

Block Data While Charging:  USB connections typically allow power AND data to transfer between devices.  Theoretically, malicious software (malware) can easily infect your devices via the numerous airport, airplane, hotel USB charging stations (as well as the USB ports now found in many rental cars). Inexpensive data blockers like the PortaPow I use allow you to block the data transfer while still allowing charging.


Cell Phone Privacy Screen: Reminiscent of computer privacy screens seen at many medical facilities, these screen covers drastically reduce visibility to anyone trying to view your screen from any oblique angle.  Additionally, they protect your screen from scratches.  On my most recent flight, a well-meaning older lady sitting next to me was baffled at my screen while trying to shoulder surf me. She asked, “What’s on your screen? I can’t even see your screen!”.   Instant validation.

Miscellaneous/Well Known Points:  Many of these have been beaten to death in privacy circles, yet I would be remiss not to mention them.  Be wary of emerging and unknown Wi-Fi access points.  I took the following pics at a Starbucks inside the Istanbul Airport a few months ago.


In order to get Wi-Fi access, you had to pair your credit card up with your boarding pass, then input the provided PIN to get online.  That’s some exceptional data linkage.  **FYI, if you wait for someone to put their info in and take a photo of the PIN… that PIN will also work for you.

If you’re using public Wi-Fi, use a Virtual Private Network (VPN).  Don’t leave your computer or phone in your hotel room if you can help it.  Cover the camera on your laptop with tape or one of these.  Again, this is not new knowledge.  However, make sure the tape covers the camera but not the indicator light that shows the camera is active. That way the light still gives you an early warning when big-data (or the PLA) is watching you.


My biggest advice to anybody is, please watch what you talk about.  I hear way too many sensitive discussions in airports – from business people, military contractors, and servicemembers.  Don’t talk about your business’s proprietary information or classified information.  Also, just be polite.  Terrible people in the airport are the worst.

Gabe (a pseudonym) is a close friend and colleague who has a vast body of experience in international travel and working against an opposing force.  Gabe has a few future posts planned.  Enjoy!

†Because of the cost of some of these bags, I intend to begin reviewing some of these products in coming months.  If there is something specific you’d like to see reviewed, please let me know – Justin

Identity Theft & Data Breach Response

Data breaches occur with shocking regularity.  The news is full of reports of data being spilled by companies and individuals being targeted for identity theft.  Few of these stories contain much useful information on appropriate data breach response, however.  Once your information has been spilled it is impossible to fully recover it.  However, there are some meaningful data breach response steps you can take if you do fall victim to this type of crime.

  1. Contact your financial institutions immediately. If you think your financial information has been compromised this should be your first step.  Call your bank or credit card issuer and alert them to the problem.  Frequently your bank will contact you if suspicious activity occurs, but if you know something they don’t, don’t wait!  Request to cancel your credit and debit card numbers and be issued new ones.  Use new PINs on these cards, and ask the bank to flag your account for suspicious activity.
  2. Contact the credit reporting bureaus.  If you do not have a credit freeze in place and the breach involves financial information, you should immediately contact Equifax, Experian, and Transunion. Some online resources advise placing a fraud alert on your account at this point; I recommend a credit freeze (see below).
  3. Change your login information.  If you suspect an online account has been breached you should immediately change its password and, if possible, username.  If the account does not already have two-factor authentication enabled, enable it.  In addition, you should also change the login credentials for any accounts associated with the breached account.
  4. Contact local law enforcement and file a report.  I will be honest – your local law enforcement agency probably isn’t going to open an investigation and bring the perpetrator to justice, so be prepared for that.  What they will do is generate a police report for you.  This serves as proof that you were the victim of identity theft.  This can help you recover your credit later if the need should arise.  It can also assure that you get free credit freezes for life (see below).  It may also be useful if you attempt to opt-out of public and non-public databases as Michael and I recommend in The Complete Privacy and Security Desk Reference.

Of course, the best spillage, identity theft, or data breach response is preemptive (the best defense is, after all, a good offense).  There are several steps you can take to make yourself more resilient against identity theft.  The time to act is now – once your information is online you will never completely erase it.  I am a strong advocate for dealing with the problem before it is a problem!

  1. Use strong authentication for online accounts.  Use strong passwords and two-factor authentication on all of your online accounts.  Though this isn’t a guarantee that your accounts are safe, you are unlikely to fall into the “victim of opportunity” category.
  2. Use unique usernames.  Though this could fall under the above category, I am listing it discretely because I think it protects you where strong passwords and two-factor authentication do not: customer service reps.  If an attacker knows your username, he or she can often convince a customer service rep to give out sensitive information.  Using a unique username gives you a great layer of protection against this type of attack.
  3. Have a credit freeze in place.  A credit freeze with each of the credit reporting agencies (Experian, Equifax, and TransUnion) is the strongest measure you can take to ensure new credit is not issued in your name.  Credit freezes also protect your personal information and credit report.  A credit freeze will not protect your current accounts and lines of credit, however.
  4. Use one-time credit card numbers.  Some credit card issuers offer this option organically.  A one-time credit card number is only good for one purchase.  If a hacker recovers it, it will no longer be valid and cannot make a charge to your account.  If your bank does not offer this, an online service that I recommend, called Blur, does.
  5. Limit personal information that is publicly available.  Large amounts of personal information make you vulnerable to social engineers.  This information can be pieced together to allow someone to impersonate you in order to gain access to your financial or online accounts.  I recommend minimizing the information you place in the public domain on social media, personal blogs, etc.  If a great deal of information is available about you, remove it!  More information is available in The Complete Privacy and Security Desk Reference which will be publicly available soon.