Tag Archives: encryption

How I Protect Myself Against Ransomware

What is Ransomware?

Ransomware is probably the worst kind of malware you can get infected with.  Once it gets onto your system, it quietly encrypts your files in the background, on every drive it can write to, including attached USB drives and mapped network shares.  When it’s done, it tells you that your files are encrypted and demands an exorbitant payment (usually in Bitcoin) for the decryption key, and sometimes the thieves take the money and never send the key.  Many strains raise the ransom the longer you wait and threaten to delete the key after a deadline, commonly a few days, after which your files are gone for good.

Things that do NOT work:

  • Encrypting your hard drive.  Full-disk encryption is good practice, but it does absolutely NOTHING to protect against ransomware.  It protects your data from someone who steals the drive or the powered-off machine, but once you’ve booted and unlocked the drive, every program running on the machine, ransomware included, reads and writes it exactly as you do, and can encrypt your files with its own keys.
  • Backups on a drive the same PC can write to.  Why would a backup NOT work against ransomware?  Because the ransomware can see and write to your backup drive if it’s attached to, or mapped on, the same PC, and it will encrypt that too.  A backup only counts as protection if the infected machine cannot reach it.

How I’m protecting myself against Ransomware

  • I have 2 drives on my main PC:  a boot drive that contains Windows and the installed applications, and an external, high capacity hard drive where ALL my data goes, INCLUDING the Windows desktop and all the special Windows folders (Desktop, Documents, Pictures, Videos, Downloads, etc.).
  • My boot drive and my external drive are both encrypted (not really a help against ransomware… just thought I’d mention that they’re encrypted).
  • I have a second drive of equal capacity to my data drive, and it’s hooked up to an older Linux laptop.
  • On the Windows PC, I created a user account named “Backup” (it could be named anything) that has read-only access to the shared data drive.
  • On Linux, I used VeraCrypt to encrypt the backup drive that’s connected to it (doesn’t really help against ransomware, but again, just thought I’d mention it).
  • A scheduled backup program on the Linux laptop (luckyBackup, a GUI for rsync) connects to my Windows PC over the network as the “Backup” user.  It copies my entire Windows data drive to the encrypted Linux backup drive and runs a differential backup every night.
  • Critically, the Windows PC has no access to the Linux backup drive at all: nothing on the Linux side is shared or mapped back to Windows.
  • My Linux laptop boots off a Linux flash thumb drive and does NOTHING but backups.

How does this protect me?

By using two different PCs, the chance of BOTH being infected with ransomware at the same time is small, and using two different operating systems reduces it further.  Linux is NOT virus-free or ransomware-free, but it will not be infected by a Windows ransomware binary.  If, by chance, the Linux machine is infected, it has only read-only access to the data drive on the Windows PC and cannot encrypt it.  Either way, a full copy of the data exists on the other machine.

One thing to get right: the backup must keep history.  A backup that simply mirrors the data drive every night will faithfully copy the encrypted files over the clean ones the night after an infection, and with a delete-on-sync option it will remove the originals as well.  Keep dated snapshots (rsync’s --link-dest, which luckyBackup exposes as snapshots) for long enough that you notice an infection before the last clean snapshot ages out, and keep an eye on the backup log for a night with an unusually large number of changed files.
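The pull-backup design above hinges on two things the Linux side has to get right: the infected machine must not be able to write to the backup, and the backup must keep history so that a night of encrypted files does not overwrite the clean copy.  The following is an added example, not the author’s luckyBackup setup, written in Python with only the standard library: it mirrors a source tree into dated snapshot directories, hard-links unchanged files to the previous snapshot (the same idea as rsync’s --link-dest), and refuses to run at all if an implausibly large share of files changed overnight.  The source and backup paths, the 25% threshold and the sample files are assumptions for the demonstration; on the author’s setup the source would be the mounted Windows share.

```python
"""Pull-style snapshot backup with a ransomware change-rate guard (added example)."""
import filecmp
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def _unchanged(src: Path, prev: Optional[Path]) -> bool:
    """True when the previous snapshot holds a byte-identical copy of this file."""
    return prev is not None and prev.is_file() and filecmp.cmp(src, prev, shallow=False)


def take_snapshot(source: Path, backup_root: Path, stamp: Optional[str] = None,
                  max_change_ratio: float = 0.25) -> Path:
    """Mirror `source` into backup_root/<stamp>/, hard-linking files that are
    unchanged since the newest existing snapshot (the rsync --link-dest idea).

    Raises RuntimeError, before writing anything, if more than max_change_ratio
    of the files differ from the previous snapshot: a mass rewrite is what
    ransomware looks like from the backup host, and the older snapshots must
    never be replaced by a copy of the encrypted files.  The threshold is an
    assumed value for this example.
    """
    backup_root.mkdir(parents=True, exist_ok=True)
    existing = sorted(p for p in backup_root.iterdir() if p.is_dir())
    prev_root = existing[-1] if existing else None
    rel_paths = [p.relative_to(source) for p in source.rglob("*") if p.is_file()]
    keep = {r for r in rel_paths
            if _unchanged(source / r, (prev_root / r) if prev_root is not None else None)}
    changed = len(rel_paths) - len(keep)
    if prev_root is not None and rel_paths and changed / len(rel_paths) > max_change_ratio:
        raise RuntimeError(f"{changed}/{len(rel_paths)} files changed since "
                           f"{prev_root.name}: possible ransomware, refusing to snapshot")
    new_root = backup_root / (stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    new_root.mkdir()
    for r in rel_paths:
        dst = new_root / r
        dst.parent.mkdir(parents=True, exist_ok=True)
        if r in keep:
            os.link(prev_root / r, dst)    # unchanged: one copy on disk, visible in both snapshots
        else:
            shutil.copy2(source / r, dst)  # new or modified: copy the bytes
    return new_root


def demo() -> dict:
    """Constructed walkthrough: two normal nights, then a night after 'ransomware'."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backups = Path(tmp, "data"), Path(tmp, "backups")
        (src / "photos").mkdir(parents=True)
        (src / "report.txt").write_bytes(b"quarterly numbers v1")
        (src / "notes.txt").write_bytes(b"todo: renew passport")
        for name in ("cat", "dog", "bird"):
            (src / "photos" / f"{name}.jpg").write_bytes(b"\xff\xd8 fake jpeg " + name.encode())

        day1 = take_snapshot(src, backups, stamp="day1")
        (src / "report.txt").write_bytes(b"quarterly numbers v2")   # one ordinary edit: 1 of 5 files
        day2 = take_snapshot(src, backups, stamp="day2")

        # Simulated ransomware: every file rewritten with garbage and renamed.
        for f in [p for p in src.rglob("*") if p.is_file()]:
            f.with_name(f.name + ".locked").write_bytes(b"\x00" * 16 + os.urandom(16))
            f.unlink()
        try:
            take_snapshot(src, backups, stamp="day3")
            blocked = False
        except RuntimeError:
            blocked = True

        return {
            "day2_has_edit": (day2 / "report.txt").read_bytes() == b"quarterly numbers v2",
            "unchanged_file_shared": (os.stat(day1 / "photos" / "cat.jpg").st_ino
                                      == os.stat(day2 / "photos" / "cat.jpg").st_ino),
            "ransomware_night_blocked": blocked,
            "clean_copy_survives": (day1 / "report.txt").read_bytes() == b"quarterly numbers v1",
            "snapshots": sorted(p.name for p in backups.iterdir()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard is deliberately crude: it counts files, not bytes, and a real run would also alert (mail, syslog) rather than just refuse.  The property that matters is that the refusal happens before the new snapshot directory exists, so the clean snapshots from earlier nights are untouched.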

What happens if my Windows machine gets Ransomware?

I’ll wipe all of my Windows drives by booting off a clean flash thumb drive that has Windows installation media and reinstalling.  Then I’ll have to manually reinstall my software, which will be a pain, but I have access to all of it.  Then I’ll restore my data drive from the clean Linux backup, making sure to use a copy taken before the infection, not after it.

What happens if my Linux machine gets Ransomware?

I’ll wipe all my Linux drives by booting off a clean flash thumb drive and then set my backup system up again.  I’ll also change the password on the Windows “Backup” account, since the Linux laptop held those credentials and they grant read access to everything on the data drive.  My Windows machine should be clean at that point.

Why doesn’t Encrypting my drives help me?

Encrypting your drives DOES help protect you against adversaries trying to read your data, but it does NOT help against ransomware, which wants to make your data unusable, not read it.  Ransomware runs after you’ve booted into Windows and unlocked your encrypted drives, so it sees them exactly as you do: decrypted.  It can simply encrypt your files a second time, with a key that only the attacker has.


Zero Knowledge Encryption


Zero Knowledge

Spideroak.com has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”

Spideroak.com, by the way, is a cloud storage provider.  There are some critiques of the way they password-protect your local key on your own PC, but it is far more secure than Google Drive, Microsoft OneDrive, Amazon Cloud Drive, Dropbox, Box, etc.

In short, if you alone control the encryption keys, they never leave your own devices, and the service provider neither has them nor can decrypt your data, THAT is zero knowledge encryption.  Never settle for anything less.  The flip side is that nobody can reset your password for you: lose the passphrase and the provider can’t recover your files either.

 


Mobile: Encrypting All Internet Traffic


This is one of many articles in a series I’m writing to cover end-to-end encryption for everything you do in your digital life.  I’ll cover encrypting specific types of internet traffic (like E-Mail, Web sites, etc…) in other articles.

For a primer on encryption, please read my article “Understanding Encryption” as it teaches VERY IMPORTANT concepts that you need to know before moving forward here.

This works for rooted AND unrooted phones.

Big Disclaimer

Before going any further, let’s make one thing perfectly clear on THIS particular encryption.  This does NOT make all your internet traffic encrypted from your phone all the way to the final destination!

So… What does it do then?

This will encrypt your connection from your phone through and past your ISP.  It protects you from your ISP and from anyone snooping on your local end of the network, which is exactly what you want on public Wi-Fi.  Scammers running a free Wi-Fi hotspot will NOT be able to see your data, NOR will they know where on the internet you’re going.

So… What does it NOT do?

Excellent question!  Let’s say you’re browsing a website that’s NOT encrypted (like this page you’re on right now).  Under normal circumstances, anyone snooping your network traffic ANYWHERE along the path, from your local connection all the way to the connection on my end at my web server, can see:

  • Your IP address.
  • The URL you’re wanting to visit.
  • Anything you type on my search page.
  • The contents of the pages my website sends back to you.
  • In short, everything is visible and in the clear.

Using the techniques in this article, you’ll be on an encrypted connection from your phone, through and past your ISP, to a Tor relay, then through two more Tor relays, until your connection finally exits the Tor network and gets back on the regular internet, possibly in another country.  From THERE, the connection from the exit relay to my website is entirely unencrypted, and that exit relay (or anyone watching it) can read everything you send to an http site.

So… Why use TOR then?

To hide your network activity from your ISP, your cell phone provider, your employer’s Wi-Fi, your local government(s) (including the NSA and GCHQ, its British counterpart), and anyone else snooping on the network near your end of the connection.  It also hides your IP address from the websites you visit, and by choosing an exit country in Orbot you can appear to be in just about any country you choose.

Will this guarantee no one can see what I’m doing online?

LOL!  You’re cute when you’re innocent.  Of course not.  NOTHING is 100% safe on the internet, but it’s pretty darn strong protection and causes even the NSA headaches.  Someone with lots of resources would have to be specifically targeting you, and even then it would be difficult for them.  You’re reasonably safe even against the NSA, but not totally.

What does it encrypt?

Note that this is a method to route ALL your Android device’s internet traffic through Tor, not just web browsing: the Google Play Store, Google searches, game traffic, everything.  Again, it will NOT encrypt an unencrypted connection; it encrypts every hop up to the exit relay (see “How does it work?” below).  One caveat for unrooted devices: the Wi-Fi proxy setting described below only catches apps that honor the system HTTP proxy.  Apps that ignore it still talk to the internet directly, bypassing Tor.  Only the transparent-proxy mode on a rooted device (or, in newer Orbot releases, its VPN mode) really captures every app.

How does it work?

There are thousands of computers all around the world volunteering to be relays in the Tor (The Onion Router) network.  When you connect to Tor, your client builds a circuit of three relays: an entry (guard) relay, a middle relay somewhere else in the world, and an “exit” relay whose job is to act as a stand-in for YOU towards the sites you visit.  It’s THAT computer’s IP address that the sites will see.

Your traffic is encrypted in layers, one layer per relay, and each relay can peel off only its own layer.  So the entry relay knows your IP address but not where you’re going, the exit relay knows the destination but not who you are, and the middle relay knows only the two relays on either side of it.  ONLY your own device knows the complete path.  This is what stops an adversary who controls a single relay from tracing the connection back to you.

Doesn’t this slow my connection down?

You betcha!  Yes.  Yes it does.  You do NOT want to do this for a first person shooter game.  YOU WILL LOSE!

Step by step instructions (FINALLY!)

If your device is NOT rooted, you’ll change your Wi-Fi proxy to “localhost” and the port to 8118 after you download and install Orbot.  The installation steps come first; the proxy steps follow them below.

  1. Download the app “Orbot” from the Google Play store.
  2. Optionally, you may want to ALSO install “Orfox”, a browser made to work on the Tor network.  It’s a modified version of the Firefox browser that works in tandem with Orbot.  But any browser will work.
  3. Launch the Orbot app.
  4. Long press on the screen to start Orbot.
  5. If you want to appear to be from a specific country, tap the drop-down control in the bottom right of the screen and choose your desired country.
  6. If your device is rooted, skip the following steps about configuring your Wi-Fi connection and go directly to step #11.
  7. If your device is NOT rooted, it requires a little more work.  Steps 7 to 10 will need to be repeated every time you connect to Tor, and undone when you disconnect (see below).  Go to Settings -> Wifi, long press on the Wi-Fi network you’re connected to and select “Manage network settings”.
  8. Now check the box “Show advanced options”.
  9. Change your Proxy to “Manual”.
  10. Change your Proxy Host Name to localhost and your Proxy port to 8118 and tap “SAVE”.  (8118 is Orbot’s HTTP proxy port; 9050 is its SOCKS port, for apps that support SOCKS.)
  11. If everything worked (and it doesn’t always), you should have a connection on the Tor network now.  Open Orbot and tap the “Browser” button on the lower left.
  12. If you have Orfox installed, it should open Orfox and load a test page that tells you whether you’re on a Tor connection.  If you don’t have Orfox installed, it’ll launch your default browser and do the same thing.

[Screenshots of the Orbot screens, the Wi-Fi proxy settings, and the test page in Orfox and in Chrome were here in the original post.]

If it didn’t work, the test page will tell you that you are not using Tor (the “sorry” page).  In that case, open Orbot’s menu, choose “Exit”, then go back to step #3 and try again.  There’s no guarantee that this will work every time.  Some days it works.  Some days it doesn’t.

How to end Tor and go back to NORMAL networking

  1. Open the Orbot app and long press; Orbot will end the Tor connection and the onion icon will turn gray.
  2. Open the menu in the Orbot app and choose “Exit”.
  3. Set your Wi-Fi proxy back: Settings -> Wifi.
  4. Long press your Wi-Fi network and choose “Manage network settings”.
  5. Check the box “Show advanced options”.
  6. Change “Proxy” back to “None”.
  7. Tap Save.

You should now have a normal network connection again.  Leaving the proxy set to localhost:8118 with Orbot stopped simply breaks networking, so if it fails to come back, check that setting first; as a last resort, reboot the device.


Encrypt Your Entire Non Boot Disk


This is another entry in my list of articles on encrypting your entire digital life from end to end.  Click here for the lead article.  This article is about encrypting your entire NON boot disk on your server, desktop, or laptop computer.  These instructions are DIFFERENT from encrypting your boot disk, which you can find here.  I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar.   These instructions are using free, open source software that’s NOT from Microsoft.

Short (VERY short version)
    1. Install VeraCrypt.
    2. Back up the drive (no, seriously!  DO THIS!)
    3. Create Volume -> “Encrypt a non-system partition/drive”.
    4. Select the device and choose in-place encryption.
    5. Encrypt, then mount it under a free drive letter whenever you need it.

The rest of this shows you the details of those steps.

Let’s begin
  1. Download and install VeraCrypt from https://veracrypt.codeplex.com/releases/view/616110
  2. Back up everything on the drive first.  In-place encryption rewrites every sector, and a power cut or a bad sector midway can leave you with a half-encrypted drive.
  3. Click “Create Volume” and choose “Encrypt a non-system partition/drive”, then “Standard VeraCrypt volume”.  (Do NOT use the System menu’s “Encrypt System Partition/Drive”: that is for the boot disk, which is covered in the other article.)
  4. Click the “Select Device” button and choose the drive to be encrypted.  (Several lines show up for each physical disk: the disk itself and each partition on it.  Choose the partition line that shows your drive’s current drive letter.)
  5. Choose “Encrypt partition in place” to keep the data that’s on the drive, or “Create encrypted volume and format it” if the drive is empty, then follow the directions in the software.
  6. Once it’s done, the drive no longer shows up under its old letter.  To use it, open VeraCrypt, select a free drive letter, click “Select Device”, pick the partition, and click “Mount”.  The encrypted volume appears under the letter you picked, NOT the original one.

DO NOT FORGET YOUR PASSPHRASE!!!!!

After that, you’re all done.  From now on, every time you reboot, if you want to open your encrypted drive, you’ll need to mount it with VeraCrypt.  SO DON’T YOU DARE FORGET YOUR PASSPHRASE!  Seriously!  If you forget it, there’s NO WAY to recover it.  That’s it.  It’s done.  The data on your non-boot drive is gone forever.  You’ll have to reformat the drive and start over, OR pull the drive out and set it aside, hoping you’ll remember the passphrase some day.  I cannot stress this enough.  You CANNOT forget your passphrase!  I recommend storing a HINT for your passphrase (a hint, not the passphrase itself) in an ENCRYPTED password management tool, like LastPass.  I use the “secure notes” feature to store mine.  While you’re at it, back up the volume header from VeraCrypt’s Tools menu: a damaged header makes the drive just as unrecoverable as a lost passphrase.

Your drive is now much more secure.


Encrypting Your Cloud Storage


This is the sixth entry in my “Encrypt All The Things!” series.

Let’s face it.  Cloud storage SUX!  Why?  Because all of the most popular cloud storage services do NOT provide end to end encryption.  Oh sure, your files travel over an https connection from your PC to their server, but they are not encrypted before they leave your PC with a key that only YOU hold.  Sure, the cloud storage providers may encrypt your files (with THEIR keys) AFTER they receive your upload and before they store them on their own drives.

BUT!

THEY have access to the contents of your files.  They can see the file names in clear text.  They have access to the entire contents.  THEY own the encryption keys on their end, and you sent them your files without encrypting them first.  Therefore, you are NOT in control of your data.  If that cloud service gets hacked, or there’s a bad employee, or they get subpoenaed, other people can (and likely WILL) gain access to your personal data.  It’s simply NOT protected.

There’s only ONE option

When it comes to cloud storage, you have only one option for realistic security.  That is, your files MUST be encrypted ON YOUR END before they’re sent over the wire to the cloud storage provider, and the key used for that encryption MUST be one that ONLY YOU have access to: a key derived from your passphrase, or a private key, that exists ONLY on your own PC or phone.  PERIOD.  There are no ifs, ands, or buts about it.  This is called “zero knowledge” encryption.

Please see “Understand Encryption” on a discussion of public/private keys.  It’s kind of critical to your understanding of how to judge whether a cloud storage service is doing it right.

Zero Knowledge

Spideroak.com has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”

Spideroak.com, by the way, is a cloud drive service provider.  Though, there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft One Drive, Amazon cloud storage, DropBox, Box.Net, etc…

Another one with zero knowledge is Mega.co.nz.  This cloud storage provider was created by the infamous Kim Dotcom, who is wanted by the United States government for hosting a similar service for copyright pirates.  So, some reasonable questions have arisen as to the true privacy of this site.  And recently Kim Dotcom has come out and said he’s no longer affiliated with Mega and that you shouldn’t trust it, that it’s not safe (but can you trust HIM?)

Anyway, the point is, you need to either encrypt your own files BEFORE uploading them to a cloud service or use a cloud service that does it for you (ON YOUR END!).

Home Brew

Alternatively, you can do it yourself by manually encrypting your individual files and then uploading the encrypted files to any cloud storage provider you want.  It’s a bit of a hassle, but it will provide you actual protection.  You should note that if you upload your encrypted files but keep the file names, a LOT can be learned about what you’re storing.  Best to zip up the files first (the names are then stored inside the zip), give the zip file a meaningless name (a random string is better than a date, since a date still leaks when the upload was made), encrypt the zip file (not with the weak encryption built into zip tools: the legacy ZipCrypto scheme is easily broken, and even the AES variant leaves the file names readable in the archive directory, so encrypt it the way I describe for individual files), THEN upload it.
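Here is what the rule from the “Zero Knowledge” section and the home-brew recipe above look like as code.  It is an added example in Python, not SpiderOak’s, Mega’s or the author’s software, and it uses only the standard library: the files are zipped so that their names and folder structure ride inside the ciphertext, the zip is encrypted with ChaCha20 (implemented here from RFC 8439 rather than taken from a library, so the example runs anywhere) under a key derived from the passphrase with PBKDF2, and an HMAC-SHA256 tag over the whole blob rejects tampering before anything is decrypted.  The `ZK1` format marker, the random upload name, the PBKDF2 iteration count and the sample files are assumptions of the example.  What the provider ends up storing is a random name plus salt, nonce, ciphertext and tag; without the passphrase it can neither read the contents nor learn the file names.

```python
"""Client-side ('zero knowledge') bundle for cloud upload, stdlib only (added example)."""
import hashlib
import hmac
import io
import os
import struct
import zipfile

MAGIC = b"ZK1"          # assumed format marker for this example
MASK = 0xFFFFFFFF
PBKDF2_ROUNDS = 200_000  # assumed; a memory-hard KDF (scrypt/Argon2) is better in practice


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round, RFC 8439 section 2.1, applied in place on the state."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8L", key), counter, *struct.unpack("<3L", nonce)]
    w = state[:]
    for _ in range(10):                         # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream; counter starts at 1."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, 1 + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Derive (encryption key, MAC key) from the passphrase; nothing else is secret."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def seal(passphrase: str, files: dict) -> tuple:
    """Zip `files` ({path: bytes}), encrypt, MAC.  Returns (upload name, blob).

    Blob layout: MAGIC(3) | salt(16) | nonce(12) | ciphertext | HMAC-SHA256 tag(32).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in sorted(files.items()):
            z.writestr(name, content)           # file names now live inside the plaintext
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    ct = chacha20_xor(enc_key, nonce, buf.getvalue())
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    upload_name = os.urandom(8).hex() + ".bin"   # random: no date, no hint of the contents
    return upload_name, header + ct + tag


def open_bundle(passphrase: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt and unzip.  Raises ValueError on any mismatch."""
    if len(blob) < 3 + 16 + 12 + 32 or blob[:3] != MAGIC:
        raise ValueError("not a bundle")
    salt, nonce, ct, tag = blob[3:19], blob[19:31], blob[31:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered blob")
    with zipfile.ZipFile(io.BytesIO(chacha20_xor(enc_key, nonce, ct))) as z:
        return {name: z.read(name) for name in z.namelist()}


def opens(passphrase: str, blob: bytes) -> bool:
    """True if the blob authenticates and decrypts under this passphrase."""
    try:
        open_bundle(passphrase, blob)
        return True
    except ValueError:
        return False


def provider_can_see(blob: bytes, names) -> list:
    """What a curious provider learns by scanning the stored blob for file names."""
    return [n for n in names if n.encode("utf-8") in blob]
```

Two things are worth noticing.  The name the provider sees is random rather than a date, because a timestamp is itself metadata.  And because the key is derived only from the passphrase, a forgotten passphrase is unrecoverable, which is the price of the provider knowing nothing.  A production tool would use a memory-hard KDF and an AEAD mode from a vetted library; the hand-rolled cipher is here so the layering is visible and the example runs without dependencies.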

Conclusion

    1. Save yourself some headaches and use only “zero knowledge” cloud services and thoroughly research what others have to say about their encryption.
    2. Hide your meta-data (file names, folder names, folder structures, etc…) if you’re going to home-brew it.

Do you have any experience with encrypted cloud storage?  Please share your experience in the comments.


Encrypt your web traffic


This is my fifth installment in my “Encrypt All The Things!” series.  Today, we will encrypt all (or as much as possible) of your web traffic on Windows, Mac, Linux, & Android.


    Your web traffic (what you request to view, what is sent to your browser to view, and what you post back in web forms when signing up for new accounts, uploading your photos, uploading your files) is all sent in clear, unencrypted text unless the page you’re requesting or posting to begins with https://.   That “s” is the critical piece.  It means “secure”: the connection between your browser and the web server is encrypted, so the page you receive and anything you post (or fill in and submit) are protected in transit.

    But, Not So Fast!

    There are several gotchas where that is NOT the case:

      1. You might be on an https site, but the site may have been coded poorly and the data you fill in might not be going back to an https address.  If so, your data is being sent back in clear text over the open internet, and THAT matters more than the page you’re viewing being encrypted (well, in many cases).  The page COULD be coded to post your data back to a non-secure address.
      2. Just because you’re on an https site doesn’t mean the site owners are trustworthy.  All it means is that the connection between the two of you is encrypted.  If you’re on a phishing website, it’s still the bad guys, even IF it’s encrypted.
      3. If you’re at work, it’s entirely possible that your employer has installed their OWN root certificate on YOUR work PC and is acting as a man in the middle.  Even though you may be on an https site like https://google.com, your connection may be encrypted only between your PC and an inspection appliance in the computer room of the very building you’re in, which decrypts it, inspects it and re-encrypts it towards Google.  Your employer can have access to ALL of your web traffic, record it, snoop on it, and use it against you.  (We’ll spend some extra time on this one a little later in the article.)
      4. If your PC already has malware on it, encrypted traffic is pretty much useless, because the attackers are already behind all your protections and see everything you do BEFORE it gets encrypted and sent over the internet.  (Wipe your hard drive and start over.  Not kidding!)

    So, What Do You Do?

      1. If the https site is coded poorly and is sending your data back unencrypted, how do you know?  That’s a little complicated, and unless you’re a web developer (and even IF you’re a web developer) it’s hard to tell sometimes.  In short, do this on a login page or a web page asking for your personal information:
        1. On your desktop browser, right-click the page and choose “View Source” or “View Page Source” or something similar to that.
        2. Look for something that starts with “<form ”, like this from EFF’s website, as an example:
          1. <form action=”https://supporters.eff.org/subscribe” method=”post” class=”newsletter-form” accept-charset=”UTF-8″>
        3. This is called a form, and the “action” tells us WHERE our data goes when we submit it on that page.  Notice that it’s an “https” address?  That means it’s encrypted on our end before going back.  If it’s just “http” with no “s”, it’s being sent back in the clear, with ZERO encryption!  An action with no scheme at all (say action=”/login”) inherits the scheme of the page you’re on, so it’s fine on an https page.  Modern browsers also warn when a page served over https contains a form that posts to http; take that warning seriously.
          1. What do you do?  Not much you can do about that.  You CAN install the Tor browser.  It’ll encrypt EVERYTHING you do in the browser and pass it through the Tor network, hopping through several relays, before the last one actually sends your data to the real website.  But it has to be decrypted there before going across the internet to the site you wanted to post to.  You can’t force the website to receive your data encrypted.  You can only encrypt it on your end and pass it through a few relays before it must be decrypted and sent in the clear.  That’ll at least stop your ISP, or anyone snooping on your local network, from seeing it.  But it won’t stop a snoop on the OTHER end of the connection.
      2. How do you know if your employer is snooping on what you THOUGHT was an encrypted connection?
        1. In Chrome (the exact clicks vary by version): go to any https site, like https://google.com, click the padlock in the address bar, open the certificate details and look at the “Certification Path” tab.
        2. It should not have your company’s name in there.  If it DOES, guess what?  Your employer is decrypting and snooping on your traffic.  They’re playing what’s called a “Man In The Middle”.  This only works because they have control of your PC and have installed their OWN root certificate, telling your browser to trust THEIR certificates as valid for Google.com.  NOT COOL!  (On a machine you control, the top of that chain should be a public certificate authority, not your employer.)
          1. What do you do about THAT?  Stop using your work computer for anything that’s personal.  That’s the only way out.  I take my own laptop to work, plug in my Android phone to it and share my T-Mobile data connection with my laptop.  I do my web browsing from my laptop and the rest of my work from my work PC.
        3. If your PC has malware on it… you might not even know it.  But if you DO know it, for heaven’s sake, STOP USING IT, like RIGHT NOW!  Reformat your drive and reinstall your OS and your software.  That’s the only realistic way to get rid of it all.  And stop downloading those stupid toolbars!  Seriously!  Also, don’t download software from sources you’re not 100% certain are widely accepted as trustworthy!
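The “View Source” check in step 1 can be automated.  This added example in Python (not code from the article) uses the standard library’s html.parser to collect every form on a page, resolve its action against the page URL the way a browser does, and report the forms that would submit their fields over plain http.  The sample markup is constructed for the example: it includes the EFF form quoted above, a login form that posts to http, a relative action and a scheme-relative action.

```python
"""Flag forms that would submit your data over plain http (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records (action, method) for every <form> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): v for k, v in attrs}
            self.forms.append((a.get("action"), (a.get("method") or "get").lower()))


def insecure_forms(page_url: str, html: str) -> list:
    """Return [(resolved_action, method, reason)] for each form that would send its
    fields unencrypted.  The action is resolved against page_url as a browser would,
    so a missing, relative or scheme-relative action inherits the page's own scheme."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for action, method in parser.forms:
        target = urljoin(page_url, action or "")
        scheme = urlsplit(target).scheme.lower()
        if scheme == "https":
            continue
        if action is None or not urlsplit(action).scheme:
            reason = "action inherits the page's non-https scheme"
        else:
            reason = f"action is an explicit {scheme}:// address"
        findings.append((target, method, reason))
    return findings


# Constructed sample page: the EFF form quoted in the article plus three others.
SAMPLE_URL = "https://example.com/login"
SAMPLE_HTML = """
<form action="https://supporters.eff.org/subscribe" method="post" class="newsletter-form"></form>
<form action="http://example.com/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
<form action="/search"><input name="q"></form>
<form action="//cdn.example.net/track" method="POST"></form>
"""

if __name__ == "__main__":
    for target, method, reason in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{method.upper()} {target}: {reason}")
```

Forms that are submitted by JavaScript, or whose action is rewritten at runtime, won’t be caught by reading the static markup, which is one more reason to take the browser’s own mixed-content warning seriously.  Running the same markup as if it were served over http shows why the page’s own scheme matters: every relative action becomes an http submission.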

    Maximize Your Encryption While Browsing

    • You can’t force a website that doesn’t offer encryption to start using it, so avoid websites that don’t offer https for anything you care about.
    • If you’re on a website that’s NOT https, click in your browser’s address bar and TYPE that s right after the “p” in “http”, then press GO.  Many websites DO offer an encrypted version of their site, but you have to ask for it.
    • Better yet, install HTTPS Everywhere.  It’s a browser plugin available for the most popular browsers that does the above step for you, switching to the https version of any site you go to (if that site has one).  This will NOT force all your web traffic to be encrypted, but it will avoid the unencrypted versions of the sites you visit wherever possible.  NOTE!  You can still get to unencrypted sites, and your traffic won’t be encrypted on those.  (Since this was written, the major browsers have added a built-in HTTPS-only mode, and the EFF has retired HTTPS Everywhere in its favor.)

    Stop your ISP, Employer, Family, Neighbors, and Hackers from snooping on your web traffic

    I mentioned the Tor browser above.  This is a modified version of the Firefox browser, specially made to route your web browsing through Tor’s own overlay network of volunteer relays around the world.  Normally, when you go to, say, www.google.com, you’re making a direct connection from your PC to google.com.  With Tor, you’re going to one relay somewhere in the world, which forwards you to another relay somewhere else, and then to a third, the exit relay, which finally sends your request to google.com from its own address.  In other words, as far as Google is concerned, the connection came from that third machine, which might be in Russia, China, America, Germany, or anywhere else in the world.  You’ll frequently see ads in other languages because of this.

    This protects you from your ISP, your employer (if you can get away with installing Tor on your work PC… but assume that even if you can, your employer can still see your traffic, because they have complete control of your work PC), your nosy family members, nosy neighbors, nosy patrons at the coffee shop, or anyone else nearby who may be snooping on your traffic.

    The end result is that it’s damned near impossible to tie YOU to whatever you’re doing on the destination website.  It also encrypts ALL your web traffic to and from any website… BUT ONLY UP TO THAT LAST RELAY!  If you’re visiting an unencrypted website, YOUR TRAFFIC WILL BE UNENCRYPTED from the exit relay to the final website, and back again, and the exit relay can read it.  You MUST understand this.

    This should be obvious, but my experience in IT is that nothing ever is, to everyone.  So!  I’ll state this clearly:  the Tor browser does NOT protect your web browsing if you’re using Chrome, Firefox, Opera, Internet Explorer, or Edge.  It only covers web pages you visit WITH the Tor browser.

    What About Android?

    You have two good solutions on Android.  One’s good.  The other’s even better.  Both use the Orbot app; the difference is whether your Android device is rooted or not.  A rooted Android device gets significantly better options.

    First, go download the Orbot app here from the web, or here from the Play Store.

    Orbot, if your device is rooted, can route ALL your internet traffic through the Tor network (transparent proxying).  You can also configure it to send only specific apps through Tor.  On an unrooted device, you point the Wi-Fi proxy setting at Orbot instead, which only covers apps that honor that proxy.

    When your traffic goes through Tor, anyone locally snooping on your web traffic has no way of knowing what websites you’re communicating with.  Remember, if the site you’re communicating with is NOT an https site, there will be an unencrypted leg somewhere in the world between the exit relay and your final site.  Don’t trick yourself into thinking it’s fully encrypted all the way through.  It only is for sites that are https.  Tor will protect you from local snoopers.  It won’t protect you from snoopers on that unencrypted leg to the final website.  Got it?  Good!


    Creating an encrypted, virtual disk


    This is the fourth post in my “Encrypt All The Things!” series.  The prior article was on encrypting a single file.  In an effort to increase my privacy and my family’s safety, I’m going through and encrypting everything that’s possible and writing a series of articles on end-to-end encrypting for everything from phone calls to hard drives.


    What you’ll need

    • Encryption software (described below, with links – It’s FREE)
    • A Windows, Mac, or Linux PC.

    Software

    TrueCrypt was one of the most popular disk encryption programs for a long time, until May 2014, when its anonymous authors unexpectedly pulled the plug and put a strange notice on their website saying the program was insecure and people needed to find something else.  The whole tech industry was scratching their heads, because it was in the middle of a very public security audit that had found no backdoors and no serious design flaws.  The most likely explanation is that the authors simply quit supporting it.  Fortunately, it was open source, and other groups have taken over, forked the code, and have been improving on it.  VeraCrypt is a popular fork that I recommend.  You can download it here.  It’s available for Windows, Mac, & Linux.  It’s fully open source and free and supported by its new authors.

    Download and install VeraCrypt.

    Virtual Disks

    We’ll be making a virtual disk that’s encrypted.  A virtual disk is simply a large file.  VeraCrypt can do its magic and make Windows/Mac/Linux think it’s a disk, so you can read and write files in it, just like on any other hard drive.  In Windows, the virtual disk will have its own drive letter (but only when you “mount” it… when you’re done with it, you “dismount” it and it stops looking like a disk to the OS).

    image

    • Click the “Create Volume” button to begin.

    image

    • Make sure “Create an encrypted file container” is selected, then click “Next”.
    • Select “Standard VeraCrypt volume” and click next.  I’ll let you discover the other features of this product outside the scope of this tutorial.
    • For “Volume Location”, click the “Select File…” button and choose a place on one of your accessible hard drives or network drives.  You’ll need to provide a file name.  I recommend giving it an ambiguous name like “Graphics-System.dll”.  This obscures the meaning of the file from intruders.
    • Then click “Save”.  Also, make sure “Never save history” is checked.  This prevents intruders from running this app on your machine and seeing where you created your last encrypted virtual disk.

    image

    • Click “Next” and if you named it with a file extension of “.dll”, then you’ll get a warning.  It’s OK.  We’re doing this on purpose.
    • Now, choose your encryption method.  All of them are good.  Better is using 2 or more of them simultaneously.

    image

    • Remember, the stronger the encryption, the slower the encrypting and decrypting.  I recommend clicking the “Benchmark” button and choosing the one that gives you the fastest speeds, unless you have state secrets or secrets that could cause significant harm to you or others; in that case, take one of the options that gives you all three.  You may notice that one of them is significantly faster than the others.  If so, your CPU probably has encryption hardware built in, and VeraCrypt will use it if you choose that algorithm.  As you can see, AES is drastically faster than the others on my own machine.  That’s because my Intel CPU has AES encryption hardware.  I’m going to choose “AES”.

    image

    • For the hash algorithm, SHA-512 is better than SHA-256.  Whirlpool and SHA-256 are similar, but SHA-256 was created by the NSA and Whirlpool wasn’t.  Use that information however you like!  I’m choosing Whirlpool.
    • Next, choose the size of your encrypted virtual disk.  This is up to you.  How much space do you need for your encrypted data?  Whatever that number is, it HAS to be less than the available space on whatever drive you’re storing the virtual disk file on.
    • Next, choose your password.  This is a pass phrase you’ll need to enter every time you mount the encrypted volume.  Obviously, use something strong, long, and easy to remember, but difficult for others to figure out.  I recommend typing in a full sentence, with punctuation.  CASE MATTERS!  Don’t use famous quotes.  Think of something that is unique to you like, “I hate it when people cut in front of me in line at the movies!@#$”  Be creative!

    image

    • After entering and re-entering your pass phrase, click “Next”.  That takes you to the “Volume Format” window, where you need to rapidly move your mouse back and forth, up and down, in circles, and everything else in that window to help your computer create a random number to seed the encryption.  The more randomness it gets from you, the better.  Computers are terrible at making random numbers by themselves.  So spend a full minute or two just moving your mouse every which way across that window.  Then click “Format”.

    image

    image

    Congratulations!  You have now created your first encrypted virtual disk.  But, in order to USE it, there’s just a little more to do (and this is what you’ll need to do every time you want to mount your encrypted, virtual disk).

    Mounting your virtual disk

    image

    Back in the main window of VeraCrypt, pick a drive letter from the list provided (Mac & Linux will be slightly different), then click “Select File” and find your encrypted virtual disk file (you DID pay attention to where you created it, right?).

    image

    And click the “Mount” button.   Then enter the pass phrase you created at the beginning.  Without this passphrase, it will be impossible to access the encrypted data on your virtual disk (even if there’s nothing in it yet, you can’t even mount it without the passphrase).

    image

    image

    If you used a system file extension like “.dll” on your encrypted volume, you’ll get another warning when you try to mount it.  Just click OK.  It’s OK, we meant to do this.  We’re trying to fool the bad guys, right?

    You’re Done!

    image

    Your encrypted volume is now mounted and ready to use, like any other disk.  “But, can I…”  YES!  It’s just a volume like any other volume.  You can read and write to it exactly like anything else.  You can stream video files to and from it just like any hard disk.

    Notice I have mine mounted with the “M” drive letter assigned to it.  You can exit VeraCrypt and your encrypted virtual volume will stay mounted.  When you’re done with this, start VeraCrypt back up, select the volume, and click “Dismount”.

    As long as it’s mounted, anyone that has physical access to your machine can access its contents, so be sure to dismount as SOON as you’re done with it.  Also, anyone with NETWORK ACCESS to your machine could have access to the contents of your encrypted volume.  It’s ONLY protected when it’s NOT MOUNTED!  When you’re using it, it’s accessible to other software on your computer!!!
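The same create, mount and dismount procedure driven from VeraCrypt’s text-mode command line, as an added example that is not part of the original article.  It assumes the Linux/macOS veracrypt binary is on PATH; the container path, mount point and size are placeholders, and the mounted-volume check parses the one-line-per-volume format of “veracrypt --text --list” (paths without spaces).

```shell
#!/bin/sh
# Added example, not from the original article: create / mount / dismount an
# encrypted file container with VeraCrypt's text-mode CLI. Paths and size below
# are placeholders. Run as: sh vc.sh create | mount | dismount | status
set -eu

CONTAINER="${CONTAINER:-$HOME/Graphics-System.dll}"   # bland name, as the article suggests
MOUNTPOINT="${MOUNTPOINT:-$HOME/mnt/secret}"
SIZE="${SIZE:-64M}"

# Command line for a standard (non-hidden) container. AES + Whirlpool mirrors
# the choices made in the walkthrough. No --password is given, so VeraCrypt
# prompts for the passphrase instead of leaving it in your shell history.
vc_create_cmd() {   # $1 = container file, $2 = size
  printf '%s' "veracrypt --text --create '$1' --volume-type=normal \
--encryption=AES --hash=Whirlpool --filesystem=FAT --size=$2 \
--pim=0 --keyfiles= --random-source=/dev/urandom"
}

vc_mount_cmd() {    # $1 = container file, $2 = mount point
  printf '%s' "veracrypt --text --mount '$1' '$2' --pim=0 --keyfiles= --protect-hidden=no"
}

# "veracrypt --text --list" prints one line per mounted volume:
#   <slot>: <container path> <device-mapper node> <mount point>
# Given that output on stdin, print the mount point of every mounted container.
vc_mounted_mountpoints() {
  awk '$1 ~ /^[0-9]+:$/ { print $4 }'
}

# The article's rule: the data is protected only while the volume is NOT
# mounted. Reads the list output on stdin; returns 0 if nothing is mounted,
# 1 (with a warning) otherwise.
vc_check_all_dismounted() {
  mounted=$(vc_mounted_mountpoints)
  if [ -n "$mounted" ]; then
    echo "WARNING: still mounted, dismount when you are done: $mounted" >&2
    return 1
  fi
  return 0
}

case "${1:-}" in
  create)   eval "$(vc_create_cmd "$CONTAINER" "$SIZE")" ;;
  mount)    mkdir -p "$MOUNTPOINT"; eval "$(vc_mount_cmd "$CONTAINER" "$MOUNTPOINT")" ;;
  dismount) veracrypt --text --dismount "$MOUNTPOINT" ;;
  status)   veracrypt --text --list 2>/dev/null | vc_check_all_dismounted ;;
  *)        : ;;   # no argument: only define the functions
esac
```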

    Notice my M: drive in my drives list?

    image

    That’s the encrypted volume I just created and mounted.  Yes, it’s a really small disk.  Don’t tell anyone, OK?  I do have bigger ones!  No!  Really!  I do!  Wait!  Where are you going?


    Encrypt Individual Files (Desktop)


    image

    This is the 3rd article in a series of articles about encrypting your entire digital life from end to end.  Click here for the lead article.  This article is about encrypting individual files on your desktop computer.  I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar.

    Short (VERY short version)

      1. Install encryption software.
      2. Create your encryption keys.
      3. Encrypt a file.
      4. Decrypt a file.

    The rest of this shows you the details of those steps.

    Review or brush up

    Before you go any further, it’s really important that you are familiar with the basics of modern day encryption.  Please review this article on understanding encryption:

    I will be using terminology that won’t make sense to you if you have not read the “Understand Encryption” article or are not already fairly familiar with encryption and how it’s implemented in modern technology.

    Let’s begin

      1. Download and install Gpg4win from http://www.gpg4win.org/
      2. Once installed, you’ll need to import your friends’ public keys (if you plan on sending them anything encrypted) and create your own (if you don’t already have any).
        1. Open Kleopatra (it’s installed with Gpg4win).  It’s a key management application.
        2. Click the “Lookup Certificates on server” button and enter your friends’ names and/or e-mail addresses to see if they have public keys.  If they’re not published, you can easily ask them directly.  Most likely, most of your friends do not yet.  I’d encourage you to get them started on this.
        3. Now, create or import YOUR key pair.  Close Kleopatra and open GPA.  Yes, it’s almost a clone of Kleopatra.  No, I don’t know why there are two of these tools.  But Gpa will let you create key pairs.
        4. Open the “Keys” menu and choose “New Key”.
        5. Enter your name (you can’t change this, so choose wisely), then “Next”, then your e-mail address.
        6. Yes, you want a backup copy.
        7. Enter your passphrase… DO NOT EVER FORGET IT!  DON’T BE STUPID – MAKE IT COMPLEX!  I recommend saving it in LastPass.com (get set up with LastPass.com if you’re not already.  It’s TOTALLY worth it (free)).
        8. Right-click your new key and choose “Export Certificate to Server” which will export your public key to a public key server for others to find so they can send you encrypted data.
      3. Now that your contacts’ keys are imported and you’ve created your own key, let’s encrypt a file.
        1. Open Windows Explorer (I said _Windows_ Explorer, NOT _Internet_ explorer!) and find some file that you’d like to encrypt.
        2. Right-click the file and choose “Sign & Encrypt” (You don’t have to do both signing AND encrypting.  You can do just one, if you like).
        3. In the dialog box, make sure “Encrypt” is selected.  If you’d like to compress it before you encrypt it, be sure to check “Archive files with”.  Because you can’t compress it AFTER you encrypt it!
        4. Click “Next” then pick your recipient (who you want to be able to decrypt the file).  If it’s just you, then choose your own key.

    To decrypt the file, just right-click it and choose decrypt.  It will know which key was used and will prompt you for the passphrase.
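The same “Sign & Encrypt” and “Decrypt” steps done with the gpg command line that Gpg4win and Kleopatra wrap, as an added example that is not part of the original article.  It creates a throwaway keyring with a constructed test key so it never touches your real keys; the name, e-mail address and passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: sign+encrypt and decrypt+verify
# a file with gpg in a throwaway keyring (GNUPGHOME). Name, e-mail address and
# passphrase are placeholders. Run as: sh gpgfile.sh run
set -eu

export GNUPGHOME="$(mktemp -d)"      # fresh, private keyring; your real keys are untouched
NAME="Example User"
EMAIL="example@example.invalid"
PASS="I hate it when people cut in line at the movies!@#$"   # placeholder passphrase

# Unattended key generation; the fields mirror the GPA "New Key" dialog.
make_test_key() {
  gpg --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 2y
Passphrase: $PASS
%commit
EOF
}

# "Sign & Encrypt": encrypt to the recipient's public key and sign with our own.
sign_and_encrypt() {   # $1 = plaintext file, $2 = output file, $3 = recipient
  gpg --batch --yes --pinentry-mode loopback --passphrase "$PASS" \
      --trust-model always --recipient "$3" --sign --encrypt --output "$2" "$1"
}

# Decrypt and verify; succeeds only if gpg reports a good signature (GOODSIG).
decrypt_and_verify() {   # $1 = encrypted file, $2 = output file
  gpg --batch --yes --pinentry-mode loopback --passphrase "$PASS" \
      --status-fd 1 --output "$2" --decrypt "$1" | grep -q '^\[GNUPG:\] GOODSIG '
}

# Round trip on a constructed file; returns 0 if the decrypted copy matches.
demo_roundtrip() {
  make_test_key 2>/dev/null
  printf 'constructed secret: the meeting is at 10am\n' > "$GNUPGHOME/note.txt"
  sign_and_encrypt "$GNUPGHOME/note.txt" "$GNUPGHOME/note.txt.gpg" "$EMAIL"
  decrypt_and_verify "$GNUPGHOME/note.txt.gpg" "$GNUPGHOME/note.out"
  cmp -s "$GNUPGHOME/note.txt" "$GNUPGHOME/note.out"
}

if [ "${1:-}" = "run" ]; then
  demo_roundtrip && echo "round trip OK: encrypted, signed, decrypted, verified"
fi
```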


    Encrypt All The Things! [A Guide]


    So, Microsoft Windows 10 sends your private data to Microsoft (e-mail and private files in private folders; read the EULA if you don’t believe me), your employer is snooping on your web traffic at work, local hackers are packet sniffing your web traffic at the coffee shop, your neighbors are hacking your home wi-fi, cloud providers have access to your files, thieves have access to everything on your laptop or phone when you lose them in public, and don’t even get me started on the NSA and all the things THEY have access to (hint:  it’s everything, including your phone calls), not to mention your ISPs and rogue, tin-pot tyrannical dictatorship governments around the world.

    You want your data to stay out of their hands and eyes?  Then you’d better put on your foil hat, pull up a chair, and pay attention to this how-to on encrypting all your data and all your communications (including phone calls!) and some best practices thrown in for good measure.

    From a high level, here are the things we’ll be encrypting.  I’ll break them up into separate articles, because it would be quite a lot to take in all at once.  I’ll be writing these articles over the next couple of weeks, so check back here to see this topic list change from black text to hot links to the published articles.


    Encrypt Your desktop E-Mail


    image

    This is one of many articles in a series I’m writing to cover end-to-end encryption for everything you do in your digital life.  I’ll cover encrypting your webmail and mobile e-mail in other articles.

    For a primer on encryption, please read my article “Understanding Encryption” as it teaches VERY IMPORTANT concepts that you need to know before moving forward here.

    Did you know that ALL e-mail goes across the open internet in plain, raw, NON-encrypted text?  Well, all except e-mail that you explicitly encrypt, which this article will show you how to do.

    Encrypting your E-Mail requires the following steps that we’ll cover individually to simplify the process:

    • Install the proper plugin for your E-Mail app.
    • Create your public/private key pair.
      • Store your private key in a VERY secure place.
      • Publish your public key for others to use.
      • Import your keys into your E-Mail plug in.
      • Import your friends public keys into your E-Mail plugin.

    Since I obviously don’t have the resources to provide thorough instructions for every e-mail app out there and for every plugin available, I’ll cover 1 popular e-mail app and 1 popular plugin.  The e-mail app we’ll be using for this tutorial is Mozilla’s Thunderbird, available on Windows, Mac, & Linux.  You can download it here.  It’s free and open source.

    Since you’re reading this article, I’m going to assume you’re already using an e-mail program on your PC, or you wouldn’t be here, so I’ll skip the tutorial on how to install and configure an e-mail app.  You should already have that up and going before continuing here.

    First, you’ll need a plug in for your e-mail app that can handle encrypting and decrypting e-mail.  I recommend Enigmail for Thunderbird.  Click here to get it.  It’s also free and open source.

    Once installed (I assume you don’t need a tutorial to install the plugin), open the new “OpenPGP” menu in Thunderbird and select “Key Management”.

    image

    It’ll look like this:

    image

    If you already have a public/private key pair, add them here.  You should have them in an .asc file.

    If you do NOT already have a public/private key pair, inside the OpenPGP Key Management window, open the “Generate” menu and choose “New Key Pair”.

    image

    If you have more than one E-Mail address configured in Thunderbird, you’ll want to generate a new key pair for each e-mail address.  Choose your e-mail address from the drop down list at the top of this window.

    Choose a passphrase and don’t forget it.  Also, for the love of all that is digital, DO NOT MAKE IT SIMPLE!!!!  If you’re going through the effort of generating public/private key pairs to make it difficult for eavesdroppers to see your communications, don’t drop the ball now and use a short or easy password.  I recommend using LastPass.com to generate long, complex passwords and to store them for you (fully encrypted, of course).

    Choose an expiration date too.

    Why choose an expiration date?

    First, let’s explain what that is.  After that date, other people’s software will tell them that the key has expired and is no longer valid.

    Why you want this:  If you forget your passphrase and your key then becomes compromised, you’ll NEVER be able to revoke your key.  Put an expiration date on it so that it will eventually die on its own.

    I recommend 1 to 2 years.  You can and should generate new keys when they expire and publish the new public key.

    Once it’s all filled in the way you like it, click “Generate Key”.

    Allow the software to generate a revocation certificate.

    Now, backup and protect your private key.  Store it in a safe place.  I recommend storing it as a secure note in LastPass.com as well as inside of an encrypted virtual disk (I’ll explain this in a later article).

    Publish your public key

    Now, your public key is no good if no one has it.  Remember, in order for anyone to send you an encrypted message, they MUST encrypt it with your PUBLIC key.

    Right-click your key(s) and choose “Upload public keys to key server”.  This makes your key available in search results on public key servers by anyone that knows your name or e-mail address.

    If you ever accidentally expose your private key, you can revoke your key pair from this app by right-clicking your key and choosing to revoke it.  Be sure to upload the change to the key servers so others know your key is revoked and they stop sending you important information encrypted with your old, public key.
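The key lifecycle the Enigmail dialogs walk you through (generate with an expiry, back up, publish, revoke), done with plain gpg, as an added example that is not part of the original article.  It runs in a throwaway keyring so nothing here touches your real keys; the name, address, passphrase and key server are placeholders, and it relies on gpg 2.1+ writing a revocation certificate automatically at key creation.

```shell
#!/bin/sh
# Added example, not from the original article: generate a key pair that
# expires, back it up, build the publish command, then revoke it using the
# revocation certificate gpg 2.1+ stores at key creation. All values below are
# placeholders and everything runs in a fresh, temporary keyring.
set -eu

export GNUPGHOME="$(mktemp -d)"
EMAIL="example@example.invalid"
PASS="a long sentence only you would think of, with punctuation!"   # placeholder
KEYSERVER="hkps://keyserver.example.invalid"                          # placeholder

# 1. Sign+encrypt key pair expiring in 2 years (the article recommends 1 to 2).
#    gpg also writes $GNUPGHOME/openpgp-revocs.d/<fingerprint>.rev here.
generate_key() {
  gpg --batch --pinentry-mode loopback --passphrase "$PASS" \
      --quick-generate-key "Example User <$EMAIL>" default default 2y 2>/dev/null
}

fingerprint() {
  gpg --with-colons --list-keys "$EMAIL" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Expiry of the primary key as a Unix timestamp (empty if it never expires).
expiry_timestamp() {
  gpg --with-colons --list-keys "$EMAIL" | awk -F: '$1=="pub"{print $7; exit}'
}

# 2. Back up: public key as an .asc to hand out, private key to keep somewhere
#    safe (the article suggests a secure note plus an encrypted virtual disk).
export_keys() {   # $1 = output directory
  gpg --armor --export "$EMAIL" > "$1/public.asc"
  gpg --batch --pinentry-mode loopback --passphrase "$PASS" \
      --armor --export-secret-keys "$EMAIL" > "$1/private-KEEP-SAFE.asc"
  chmod 600 "$1/private-KEEP-SAFE.asc"
}

# 3. "Upload public keys to key server" (printed, not executed here).
publish_cmd() { printf 'gpg --keyserver %s --send-keys %s\n' "$KEYSERVER" "$1"; }

# 4. Revoke with the stored certificate. gpg puts a ':' before its BEGIN line
#    to prevent accidental import; strip it, import, then re-publish the key.
revoke_key() {
  rev="$GNUPGHOME/openpgp-revocs.d/$(fingerprint).rev"
  sed 's/^:-----BEGIN/-----BEGIN/' "$rev" | gpg --batch --import 2>/dev/null
}

# Validity field "r" means the key is now marked revoked.
is_revoked() {
  gpg --with-colons --list-keys "$EMAIL" | grep -q '^pub:r:'
}
```

After revoking, re-run the publish command so key servers (and your contacts) learn that the key is dead.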

    You’re now ready to begin using encrypted E-Mail.  BTW, click the “Display All Keys by Default” check box to see your key(s) listed there.

    I recommend setting this up for all the members of your household on each of their PCs.  Set each member up with their own private/public key pair and show them how to properly manage them or point them to this article and let them do it.  Let THEM come up with the key phrases and ENSURE they don’t forget them!  Then, you can start E-Mailing your family members securely.

    Get public keys of your contacts

    You can’t send encrypted mail to anyone until you have their public key.  So, in the Key Manager app, open the key server menu and choose “Search for keys”.  You can type a partial or whole e-mail address or user name.  It will search public key servers for any matches.  There are 3 or 4 key servers provided in the key manager.  If you don’t find your contact on one, try another.  Of course, call your contact and make sure they even HAVE a public key.  They can also e-mail it to you.  Note:  While testing the search while writing this article, none of the key servers found an address that I knew was there.  You can, however, copy the URL from the search window, paste it into the address bar of your web browser, and search directly on those key server sites to find your contact’s keys.

    image

    Once found, add them to your key list (called a “key chain”).  That makes them available to you when you send encrypted E-Mail.  Speaking of which, let’s send some encrypted E-Mail now.

    Send your first encrypted E-Mail

    Close your key manager.  Start a new e-mail message in Thunderbird.  Address it to someone for whom you have a public key.  Click the “OpenPGP” button.  The first time you send an e-mail message, encrypted, from your e-mail address, Enigmail will prompt you if you want to enable OpenPGP for this identity.  Be sure to check that box.  I recommend checking the “Encrypt messages by default” check box too.

    image

    Click OK, and then the dialog box pops up that you’ll likely see before sending each message:

    image

    Click “OK” and your message will be encrypted and sent.

    Side Note:  “Signing” a message is important if you want to prove to the recipient that it’s from you.  This is explained in my “Understand Encryption” article, which you should be familiar with.

    Note that Enigmail will encrypt the message with the public key associated with the RECIPIENT’S E-Mail address, not YOURS.
