PSST - Security Precautions
Introduction
PSST employs advanced, military-grade strong encryption technology.
In writing this program, I've aimed to strike the optimal balance between
security and convenience. I've also had to take into account that some of you
using this program may have fairly basic computer skills.
Therefore, please read this page thoroughly. There are some potential security
hazards you need to know about, and it's in your interest to familiarise yourself
with these hazards and take appropriate measures.
What are the hazards?
Broadly, the greatest hazard is that you may communicate with another person
in such a way that would cause you to suffer if someone else was party to the
communication.
There are several different attacks which may render PSST's security effectively
null and void.
Basically, most attacks fall into the following categories, which I will discuss in
detail, along with countermeasures, later in this document:
- Local Surveillance Software
- Remote System Exploits
- Local Surveillance Hardware
- Government-Mandated Key Disclosure
- Passive Surveillance Attacks
- Social Engineering Attacks
Local Surveillance Software
This is a common hazard when using computers in the workplace. Basically, it involves
a company's system administrators embedding software on all the company PCs - software
which records all keystrokes to a file, as well as frequent screenshots.
Do not depend on your standard system tools, such as Windows TaskMgr (or
Ctrl-Alt-Del on Windows 9x), to determine which tasks are running, because there
are surveillance programs which will not show up on any of these lists.
There are different ways of finding out if your system is under surveillance.
For instance:
- Asking around, perhaps getting friendly with system administration people
- Finding out if anyone has been dismissed, and working out if they were caught
out purely from what they typed into their keyboards
- Conducting a conversation and deliberately speaking a fiction. See if anyone
in management acts on that fiction. Choose a fiction that will tempt a company
to react, but will not land you in any trouble.
There are ways to find out if your system is running surveillance software. For
example:
- Check disk volume sizes, and see if your disks are gradually getting fuller.
- Sniff your network connection, and see if there's any traffic taking place
as you type
- Search the web, and find out about the various surveillance programs and
countermeasures
- Compare all your operating system files with the same files on a virgin
installation.
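One way to carry out the last check in the list above, as an added example that is not from the original page: hash every file in a clean reference copy and in the suspect tree, then report what changed, appeared or disappeared. The function names and sample files are constructed; run it from trusted boot media, because tools on a monitored system may not report the truth.

```shell
#!/bin/sh
# Added example (not from the original page): compare a suspect system tree
# against a clean reference copy. All file names below are constructed.

# manifest DIR: one "sha256  ./relative/path" line per regular file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_trees CLEAN SUSPECT: print CHANGED, ADDED and MISSING files, sorted.
# Prints nothing when the two trees hold identical files.
compare_trees() {
    clean=$(mktemp) && suspect=$(mktemp) || return 2
    manifest "$1" > "$clean"
    manifest "$2" > "$suspect"
    # sha256sum prints 64 hex digits, two separator characters, then the path.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1 }
        !(path in base)     { print "ADDED   " path; next }
        base[path] != hash  { print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$clean" "$suspect" | sort
    rm -f "$clean" "$suspect"
}

# Demo on two small constructed trees standing in for system directories.
demo() {
    ref=$(mktemp -d); sus=$(mktemp -d)
    printf 'original\n' > "$ref/login.dll"; printf 'patched\n' > "$sus/login.dll"
    printf 'same\n'     > "$ref/shell.dll"; printf 'same\n'    > "$sus/shell.dll"
    printf 'hook\n'     > "$sus/kbdhook.dll"
    compare_trees "$ref" "$sus"
    rm -rf "$ref" "$sus"
}
demo
```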
If you suspect your system is compromised by a software logger, a possible
countermeasure is to get a CD-based version of Linux, and re-master a disk with PSST and
all its required software. Boot your machine into this custom software whenever you
need to communicate.
Trojans and Remote System Exploits
This hazard is possibly greater for home computers than computers in offices.
It involves another party exploiting known security weaknesses in your computer's
operating system and gaining administrator access.
FYI, it's not only crackers and criminals who break into systems in this way. Governments
do it as well on a regular basis. For example, New Zealand now has legislation which
gives full permission for government authorities to hack into private people's PCs,
and view/add/modify/delete files, and/or install surveillance software.
A frequent form of this attack is where the attacker sends you an email, with a 'From'
address and a 'Subject' designed to provoke your curiosity. This email can be malformed
in such a way as to fool the operating system into executing arbitrary code. Or it may
contain an attachment that you might be fooled into opening.
Once your system has been breached, it's a simple matter of replacing certain operating
system files, and/or installing extra software hidden deep amongst the thousands of
existing system files.
Once all this is set up, your attacker can monitor your keystrokes, view what's on your
screen, and see all data flowing to/from your computer.
Regarding PSST, they can uplift your private key, possibly even your session key and
that of the person you're talking to, and render all your conversation into plain
data.
If you suspect your system has been compromised, there are different packages available
to cleanse your disk. Programs such as Ad-Aware are excellent. But if you're
really desperate, then consider reformatting all your disks, and reinstalling all
your software carefully from scratch.
Get a Decent Firewall
The value of a good firewall should never be underestimated. Without it, you might as well
not bother with encryption, because it won't give you any real security.
Good firewalls include iptables for Linux/*BSD, or ZoneAlarm or
AtGuard for windoze. Don't leave any vulnerable ports open, especially the
SAMBA/NetBIOS port 139.
Local Surveillance Hardware
This is particularly nasty. Such attacks may involve the attacker getting physical
access to your PC, and installing a piece of circuitry inside your keyboard and/or
monitor.
The only reliable countermeasures against this attack are either to:
- Never leave your PC unattended, or out of view of yourself or those you trust
OR
- Run the software on a laptop or a Linux PDA that you have in your possession
at all times
Passive Surveillance
This is definitely getting into James Bond territory, but it's significant and
plausible enough to mention here.
Basically, passive surveillance involves using technologies that can remotely determine
what you are typing, and what's displayed on your screen.
Examples of passive surveillance, and possible counter-measures, include:
- TEMPEST - receiving high-frequency radio waves emanated by your keyboard and
screen, and reconstructing the signals into actual keystrokes and screen images.
Countermeasure - Install a Faraday cage around your computer equipment, and/or in
all rooms where a PC is used.
- Laser Tap - remotely monitoring the sound inside a room, by bouncing a laser
beam off an outside wall, and measuring microscopic deflections in the beam due to
tiny movements in the wall due to sound waves.
Countermeasure - Play loud music, preferably music with lots of noisy
chaotic percussion.
- Optical screen reconstruction - pointing an ultra-high-speed camera at a window,
fast enough to capture the movement of screen raster lines.
Countermeasure - Blacken windows, seal door cracks.
These techniques are expensive and technology-intensive, and reserved for cases
where a company or government is really concerned about something you might be saying.
If you have real reason to suspect that one or more of these attacks is taking place,
then consider spreading disinformation and provoking the attacking party to play their
hand.
Government-Mandated Key Disclosure
This is the result of governments, such as those in Australia and the UK, disgracefully
over-reaching their moral and political mandate.
Under mandatory key escrow laws, anyone from a list of designated government
authorities can call on you at any time, and demand your personal encryption keys.
If you are in possession of any encrypted data, and you refuse to provide sufficient
keys and/or passwords to render this data into plain accessible format, then you could
be looking at 2 years in jail or more.
PSST halves the legal exposure which can result from forced key escrow, by using
different temporary session keys for sending and receiving, and encrypting each
session key against each user's public key.
This means that if the attacker gets your public key, and if they've archived the
raw traffic flowing in/out of your computer over time, they can derive one of the
session keys, and decrypt everything you've received, but luckily, not the
information you've sent (unless of course they are able to get the private
key of the other party you've been talking to).
Countermeasures
There is one simple and effective, albeit inconvenient, way to protect yourself
against key escrow attacks. Change your keys frequently, and get everyone you're
talking to to do the same.
If your private key is changing often, and if you're securely deleting all prior
private keys, then all the data your attacker has archived, up until you last changed
your private key, will be useless - there'll be no way to decrypt it. Also, since
you've not been previously asked for your keys, you won't be legally responsible for
failing to decrypt this earlier data.
With future versions of PSST, I hope to implement a discipline requiring each user to
have not just one private key, but one for each other user they talk to, and also to
provide a protocol for automatically generating and securely exchanging new keys. Such
a protocol will also involve a compulsory exchange of new keys at the end of each
session, which will therefore completely void the power of key escrow. If you don't
have the power to decrypt the raw traffic archive, then how can you possibly be
punished? (Perhaps you might like to support
this upgrade)
Social Engineering Attacks
This is one of the nastiest classes of attack, because it involves exploiting
weaknesses in human judgement, rather than software design and implementation.
Many of the most expert hackers (in the intruder, not the developer
sense of the word) have boasted that 50-80% of their successful system break-ins
resulted from exploiting human laziness or carelessness.
There is one very potent social engineering attack that can be carried out against
PSST users. It involves sending an email to each user, forging the headers of the
other user, and saying "Hi, I've lost my private key, and your public key. Here's
my new public key. Can you please send me your public key?". Then, intercepting
the emails sent between the two, and substituting public keys generated by the
attacker for the real ones.
If both users fall for this trick, they'll replace their private keys, and accept
the fake public keys. Once the fake public keys are in place, the attacker can then
invisibly proxy the TCP connections and data between the two users. Since the attacker
has private keys for the fake public keys, s/he can control the generation of session
keys, and thus tap the data in plaintext.
If/when PSST gains popularity, it's highly likely that government agencies may
preinstall the infrastructure needed to automate this attack, in which case your
security is absolutely zilch.
Countermeasures
By now it should be clear why you get harassed with 2 popup warning windows every time
you import someone's public key: it may not actually be their key.
Possible counter-measures include:
- Only exchange keys in person
- Hash your own and each other's public keys. The md5sum utility is ideal.
Contact the other user out of band (e.g. by phone), read out the MD5 hashes of your
key and theirs, and they'll compare with their own hashes. If there's any difference,
you'll both know that you're under attack.
- Never, NEVER blindly accept another person's public key without first
confirming that key with them to your satisfaction.
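The hash comparison described above, as an added example that is not part of PSST or the original page. It uses md5sum as the page suggests and accepts sha256sum as an alternative, since MD5 is no longer collision-resistant; the function names and the sample key contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of PSST): fingerprint a public key file for an
# out-of-band comparison. File names and key contents are constructed.

# fingerprint FILE [TOOL]: hex digest of FILE in 4-character groups, which
# are easier to read aloud. TOOL defaults to md5sum, as the page suggests;
# pass sha256sum for a collision-resistant digest.
fingerprint() {
    "${2:-md5sum}" < "$1" | cut -d' ' -f1 | sed 's/..../& /g; s/ $//'
}

# normalise TEXT: lowercase and drop everything that is not a hex digit, so
# "9001 5098", "9001-5098" and "90015098" all compare equal.
normalise() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'
}

# verify_key FILE SPOKEN [TOOL]: succeed only if the digest of FILE equals
# the digest the other person read out. An empty digest never matches.
verify_key() {
    have=$(normalise "$(fingerprint "$1" "${3:-md5sum}")")
    want=$(normalise "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Demo with a constructed stand-in for a received key file.
demo() {
    key=$(mktemp)
    printf 'abc' > "$key"
    echo "MD5 fingerprint to read out: $(fingerprint "$key")"
    if verify_key "$key" "9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72"; then
        echo "match: this is the key the other person holds"
    else
        echo "MISMATCH: do not import this key"
    fi
    rm -f "$key"
}
demo
```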
Conclusion
PSST is not perfect. It has its weaknesses, some in the software, some in the nature of
computer hardware, some in the other software on that computer, and some
in the human frailties of its users.
If you are expecting this program to take care of your privacy without you
being willing to learn a little about security, you could be in for an unexpected
and devastating shock - in which case, don't blame me!
But if you take the time to master these fundamentals, then you can easily create
a situation where the opportunity cost of an attacker going after you is so
prohibitive that they'll just give up and go after easier and more profitable
targets.
So in preparing your defences, you should ask the questions:
- What is it worth for an attacker to gain access to my communications?
- Given my security setup, how difficult and expensive would it be for them
to compromise my privacy?
- From my attacker's point of view, is it worth their while to go after me or
someone I'm talking to? Or is the opportunity cost high enough that they'll
better meet their overall needs going after someone else?
Forgive an old cliche, but:
The price of liberty is eternal vigilance!