COMSEC: Get Security

COMSEC (communication security) is the securing of private communications against spying and sabotage. Because virtually everything activists do is communications, COMSEC is vital to the safety of activists.

Doers Need COMSEC

"EPA scientist Dr. David Lewis blew the whistle on abuse of power and disregard for sound science at EPA. After alleging that Dr. Lewis transgressed ethics rules and committed criminal violations of the Hatch Act, EPA cleared his name, apologized and paid him $115,000 in legal fees and damages. The Labor Department determined that EPA officials violated whistle blower provisions of six environmental statutes while trying to keep Dr. Lewis quiet. See NWI's report, The People v. Carol Browner: EPA on Trial, for more information."
NMI

If the EPA would do this to a scientist, imagine what other powerful agencies will do to activists. Whistle blowers have "some" protection under the law. In reality, you are the one who has to protect yourself.

Dangerous Activism: Oppression, Government & Otherwise

Empowerment is easiest for Americans doing safe, public, legal activism. Americans have constitutionally protected freedom of expression, so in theory they should be able to go about their business peaceably without fearing illegal government intrusion. However, citizens of oppressive regimes have a whole range of problems to deal with when confronting government opposition. Governments routinely skirt, ignore or legislate around legal limitations on their powers to spy and oppress. Non-governmental corporate and criminal groups may also use a variety of oppressive tactics, sometimes with government

Legal Assessments

Numerous groups track the human rights records of the many national and regional governments.

Dangerous Countries

  • Colombia

Be Just Paranoid Enough

Oppression’s psychologically deterring ability to inspire fear usually far outstrips the actual physical ability to attack. If you are too paranoid, you will waste your efforts worrying about imaginary boogeymen. On the other hand, if you underestimate the risk of oppression &

Spying

Being followed, mail being opened, infiltrators.

Intelligence Agencies For Or Against Activists

French Secret Service bombed Greenpeace’s ship and murdered crew. Companies have hired private investigators to harass activists, e.g. Ralph Nader & GM. Espionage and government secrecy are part of activism for many reasons and issues.

France Bombed Greenpeace Rainbow Warrior Ship

Disinfo: Poisoning the well

Sometimes false information is deliberately released or propagated to sow confusion or divert investigations into chasing red herrings. For example: moon landings and Pentagon missiles.

Information Theft

Encryption is one way to help protect your privacy online, and it also helps protect communication between activists in the event that someone is watching who does not have their best interests at heart. There have been cases with Indymedia where Nazis have hacked and read private emails between members of a collective. They managed to gather personal information from these emails, including home phone numbers.

Encrypting online communications is one way to help prevent this from happening among activists.

Identity Theft:

GPG also allows for the signing, rather than encrypting, of emails. This prevents others from pretending to be another member of a network. By creating a signature on an email, the author can be compared to the known nickname, thereby protecting the real identity of the author and ensuring the messages are real.
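The signing check described above, as an added example that is not part of the original page: GnuPG reports a valid signature for any key it holds under a nickname, so the reader compares the signing key's fingerprint with one recorded earlier. The nickname, message and helper function names are constructed for the illustration.

```shell
# Added example, not from the original page. Nickname, address and message are
# constructed sample values; every key lives in a throwaway keyring.
NICK='riverfox <riverfox@example.invalid>'   # hypothetical pseudonym

g() {             # g KEYRING ARGS...: run gpg on one keyring, diagnostics hidden
    local home=$1; shift
    gpg --batch --quiet --homedir "$home" "$@" 2>/dev/null
}

new_keyring() {   # temp keyring holding one unprotected key named $NICK
    local home; home=$(mktemp -d) && chmod 700 "$home" || return 1
    g "$home" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$NICK" default default never || return 1
    echo "$home"
}

fingerprint() {   # primary-key fingerprint of the first key in keyring $1
    g "$1" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

check() {         # check KEYRING FILE PINNED_FPR -> ok | wrong-key | bad-signature
    local fpr
    fpr=$(g "$1" --status-fd 1 --verify "$2" |
          awk '$2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$fpr" ]; then echo bad-signature
    elif [ "$fpr" = "$3" ]; then echo ok
    else echo wrong-key; fi
}

demo() {          # verdicts for a genuine, a look-alike and an edited message
    local author impostor reader pinned k result=
    author=$(new_keyring) && impostor=$(new_keyring) || return 1
    reader=$(mktemp -d) && chmod 700 "$reader" || return 1
    pinned=$(fingerprint "$author")      # noted once, over a channel you trust
    for k in "$author" "$impostor"; do   # reader imports both keys named riverfox
        g "$k" --export | g "$reader" --import
    done
    printf 'Meeting moved to Thursday.\n' > "$reader/msg.txt"
    g "$author" --output "$reader/real.asc" --clearsign "$reader/msg.txt"
    g "$impostor" --output "$reader/fake.asc" --clearsign "$reader/msg.txt"
    sed 's/Thursday/Friday/' "$reader/real.asc" > "$reader/edited.asc"
    for k in real fake edited; do
        result="${result:+$result }$(check "$reader" "$reader/$k.asc" "$pinned")"
    done
    for k in "$author" "$impostor" "$reader"; do
        gpgconf --homedir "$k" --kill gpg-agent 2>/dev/null || true; rm -rf "$k"
    done
    echo "$result"
}
if [ "${1:-}" = "--run" ]; then demo; fi   # pass --run to execute the demo
```

The look-alike message verifies cleanly against the second key, which is why the verdict depends on the pinned fingerprint rather than on the name shown next to the signature.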

SEE ALSO: Identity_Theft

Authentication

  • "The thing we'd like to retain is how the service is based on your real identity," he says. By linking the identities of new members to their mobile-phone numbers at sign-up, Chon hopes to keep a lid on anonymous accounts - and the exhibitionism that can scare advertisers away." —Cyworld on CNN

Insecurity

"Security is mostly a superstition. It does not exist in nature.... Life is either a daring adventure or nothing."
—Helen Keller

Security is never perfect. It is more a matter of risk management and minimizing insecurity.

Secure Software

It is important to use the most secure browser available, Firefox.

Trusted Computers

A new computer is a new risk. All the steps used to secure your home computer come into question: Whose computer is it and can it be trusted?

  • Never forget to log out of any accounts you sign into such as Drupal systems like EmpowerThyself.com and webmail systems like GMail. If someone leaves themselves logged in, email them this page.
  • Never use a system that you suspect of being insecure
  • Browsers often remember form inputs. Never let a browser "Remember" secret username/passwords that you wouldn't want someone sitting at your computer to see offered as "autocomplete" hints. Remembering secret accounts could compromise your pseudonymity.

Log & Cache Purging

LXPK: /Utilities/Keychain Access
LXPK: That's how OSX does passwords
LXPK: One key to rule them all and in the keychain encrypt them
LXPK: master key locks all the keychained keys
LXPK: you can write notes in it too
LXPK: And even logged in it requires passwords to view the contents
LXPK: Of course to be safe I would have to purge this chat log
LXPK: I have to add that to my COMSEC guide
LXPK: purging caches
Jon Sullivan: or even better would be to figure out what has caches and what doesn't
LXPK: I found some sick security stuff on NGO-in-a-box
LXPK: They do some really cool work
Jon Sullivan: like does adium cache in mem or on disk ?
LXPK: Tactical Technology is their name
Jon Sullivan: nice
LXPK: Idunno
LXPK: I need to find out though
LXPK: And document it

How Vulnerabilities Work

Someone discovers a vulnerability. Sometimes they disclose it publicly, sometimes they disclose it to the software developers quietly, sometimes they keep it to themselves to use in an attack.

“Zero hour” is the time between when an exploit becomes available and when fixes are released.

Servers are not yet patched for immunity to the vulnerability. Chaos may ensue.

Someone develops an exploit for the vulnerability.

Someone uses the exploit or releases a virus that

Offshore Hosting

In some cases it is advantageous to host your Internet servers in a foreign country where greater anonymity and freedom from censorship are available. For example, Sweden offers protection from American copyright law that shelters Pirate Bay because its operators are Swedish. You may not be protected from the law, though, if you live in the US.

Offshore Hosting FAQ

Death Threats

http://www.nowpublic.com/node/128377

 

Basic COMSEC Skills

To certify your Basic COMSEC integrity, a checklist of measures must be tracked to audit your security and gaps. Ideally an Advanced COMSEC specialist should help you implement your Basic COMSEC Checklist and train you in how to follow these simple "be calm" BCOM measures. If you have mastered the COMSEC checklist, you can take the COMSEC test to become Basic COMSEC Qualified.

Advanced COMSEC Skills

Physical Security

Computer systems are subject to physical attack.

  • Hard drive theft
  • Keystroke spying by loggers, cameras and over-the-shoulder watching
  • Breaking and entering (for example: Watergate)

Server Security

"Officials with U.S. Sen. Joe Lieberman's re-election campaign say that "dirty politics" and "Rovian tactics" are to blame for what they call an online attack on their campaign Web site as Connecticut voters headed to the polls Tuesday... The Web site, http://www.joe2006.com, has been unavailable since Monday afternoon, and Lieberman campaign manager Sean Smith suggested that the campaign of senator's primary opponent, Ned Lamont, or his supporters were responsible for the disruption."

Servers are high priority security assets at great risk of attack.

Trust

Kiosks = bad. "Most Spyware were nice enough to let me know they were there, in the form of advertisement for Spyware removals, while others just sat there and awaited who knows what… probably usernames and passwords for Hotmail/Gmail/etc accounts."

Attacks

  • Birthday Attack
  • Brute Force Attack
  • Meet in the Middle Attack
  • Middle Man Attack
  • Collision Attack
  • Passive Attack
  • Packet Sniffing