PSST - Security Precautions

Introduction

PSST employs advanced, military-grade strong encryption technology.

In writing this program, I've aimed to strike the optimal balance between security and convenience. I've also had to take into account that some of you using this program may have fairly basic computer skills.

Therefore, please read this page thoroughly. There are some potential security hazards you need to know about, and it's in your interest to familiarise yourself with these hazards and take appropriate measures.

What are the hazards?

Broadly, the greatest hazard is that you may communicate with another person in a way that would cause you to suffer if someone else were party to the communication.

There are several different attacks which may render PSST's security effectively null and void.

Basically, most attacks fall into the following categories, which I will discuss in detail, along with countermeasures, later in this document:


Local Surveillance Software

This is a common hazard when using computers in the workplace. Basically, it involves a company's system administrators embedding software on all the company PCs - software which records all keystrokes to a file, as well as frequent screenshots.

Do not depend on your standard system tools, such as Windows TaskMgr (or Ctrl-Alt-Del on Windows 9x), to determine which tasks are running, because there are surveillance programs which will not show up on any of these lists.

There are different ways of finding out if your system is under surveillance. For instance:



There are ways to find out if your system is running surveillance software. For example:



If you suspect your system is compromised by a software logger, a possible countermeasure is to get a CD-based version of Linux, and re-master a disk with PSST and all its required software. Boot your machine into this custom software whenever you need to communicate.

Trojans and Remote System Exploits

This hazard is possibly greater for home computers than computers in offices.

It involves another party exploiting known security weaknesses in your computer's operating system and gaining administrator access.

FYI, it's not only crackers and criminals who break into systems in this way. Governments do it as well on a regular basis. For example, New Zealand now has legislation which gives full permission for government authorities to hack into private people's PCs, and view/add/modify/delete files, and/or install surveillance software.

A frequent form of this attack is where the attacker sends you an email, with a 'From' address and a 'Subject' designed to provoke your curiosity. This email can be malformed in such a way as to fool the operating system into executing arbitrary code. Or it may contain an attachment that you might be fooled into opening.

Once your system has been breached, it's a simple matter of replacing certain operating system files, and/or installing extra software hidden deep amongst the thousands of existing system files.

Once all this is set up, your attacker can monitor your keystrokes, view what's on your screen, and see all data flowing to/from your computer.

Regarding PSST, they can uplift your private key, possibly even your session key and that of the person you're talking to, and render all your conversation into plain data.

If you suspect your system has been compromised, there are different packages available to cleanse your disk. Programs such as Ad-Aware are excellent. But if you're really desperate, then consider reformatting all your disks, and reinstalling all your software carefully from scratch.

Get a Decent Firewall

The value of a good firewall cannot be overestimated. Without it, you might as well not bother with encryption, because it won't give you any real security.

Good firewalls include iptables for Linux/*BSD, or ZoneAlarm or AtGuard for windoze. Don't leave any vulnerable ports open, especially the SAMBA/NetBIOS port 139.

Local Surveillance Hardware

This is particularly nasty. Such attacks may involve the attacker getting physical access to your PC, and installing a piece of circuitry inside your keyboard and/or monitor.

The only reliable countermeasures against this attack are either to:




Passive Surveillance

This is definitely getting into James Bond territory, but it's significant and plausible enough to mention here.

Basically, passive surveillance involves using technologies that can remotely determine what you are typing, and what's displayed on your screen.

Examples of passive surveillance, and possible counter-measures, include:



These techniques are expensive and technology-intensive, and reserved for cases where a company or government is really concerned about something you might be saying.

If you have real reason to suspect that one or more of these attacks is taking place, then consider spreading disinformation and provoking the attacking party to play their hand.

Government-Mandated Key Disclosure

This is the result of governments, such as those in Australia and the UK, disgracefully over-reaching their moral and political mandate.

Under mandatory key escrow laws, anyone from a list of designated government authorities can call on you at any time, and demand your personal encryption keys. If you are in possession of any encrypted data, and you refuse to provide sufficient keys and/or passwords to render this data into plain accessible format, then you could be looking at 2 years in jail or more.

PSST halves the legal exposure which can result from forced key escrow, by using different temporary session keys for sending and receiving, and encrypting each session key against each user's public key.

This means that if the attacker gets your private key, and if they've archived the raw traffic flowing in/out of your computer over time, they can derive one of the session keys and decrypt everything you've received, but luckily not the information you've sent (unless, of course, they are able to get the private key of the other party you've been talking to).

Countermeasures

There is one simple and effective, albeit inconvenient, way to protect yourself against key escrow attacks. Change your keys frequently, and get everyone you're talking to to do the same.

If your private key is changing often, and if you're securely deleting all prior private keys, then all the data your attacker has archived, up until you last changed your private key, will be useless - there'll be no way to decrypt it. Also, since you've not been previously asked for your keys, you won't be legally responsible for failing to decrypt this earlier data.
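The exposure described above, and the effect of rotating keys, can be seen in a small model. This is an added example, not PSST's code: it uses toy textbook RSA and a toy SHA-256 stream cipher as stand-ins, and every name and message in it is hypothetical.

```python
import hashlib
import secrets

# Toy textbook RSA over fixed Mersenne primes, no padding: illustration only,
# not the ciphers PSST uses.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def wrap(session_key, pub):                       # encrypt a session key to a public key
    n, e = pub
    return pow(session_key, e, n)

def unwrap(wrapped, priv):                        # only the matching private key recovers it
    n, d = priv
    return pow(wrapped, d, n)

def stream_xor(session_key, data):                # toy cipher: SHA-256 counter keystream
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(f"{session_key}:{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
SENT, RECEIVED = b"meet at noon", b"ok, usual place"   # constructed messages

def record_session():
    """The raw traffic an eavesdropper could archive for one conversation."""
    k_to_bob, k_to_alice = secrets.randbits(128), secrets.randbits(128)
    return {
        "key_for_bob": wrap(k_to_bob, BOB_PUB),        # protects Alice -> Bob
        "key_for_alice": wrap(k_to_alice, ALICE_PUB),  # protects Bob -> Alice
        "alice_sent": stream_xor(k_to_bob, SENT),
        "alice_received": stream_xor(k_to_alice, RECEIVED),
    }

def read_with(archive, alice_priv):
    """What the archive yields to someone holding only Alice's private key."""
    k_in = unwrap(archive["key_for_alice"], alice_priv)
    k_out = unwrap(archive["key_for_bob"], alice_priv)  # wrong key: garbage
    return (stream_xor(k_in, archive["alice_received"]),
            stream_xor(k_out, archive["alice_sent"]))

# After rotation Alice holds only this key; the old private key is destroyed.
_, ALICE_NEW_PRIV = make_keypair(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    archive = record_session()
    print("old key disclosed:", read_with(archive, ALICE_PRIV))
    print("new key disclosed:", read_with(archive, ALICE_NEW_PRIV))
```

With the old private key only the received direction decrypts; with the post-rotation key neither does.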

With future versions of PSST, I hope to implement a discipline requiring each user to have not just one private key, but one for each other user they talk to. I also hope to provide a protocol for automatically generating and securely exchanging new keys. Such a protocol will also involve a compulsory exchange of new keys at the end of each session, which will therefore completely void the power of key escrow. If you don't have the power to decrypt the raw traffic archive, then how can you possibly be punished? (Perhaps you might like to support this upgrade)

Social Engineering Attacks

This is one of the nastiest classes of attack, because it involves exploiting weaknesses in human judgement, rather than software design and implementation.

Many of the most expert hackers (in the intruder, not the developer sense of the word) have boasted that 50-80% of their successful system break-ins resulted from exploiting human laziness or carelessness.

There is one very potent social engineering attack that can be carried out against PSST users. It involves sending an email to each user, forging the headers of the other user, and saying "Hi, I've lost my private key, and your public key. Here's my new public key. Can you please send me your public key?". Then, intercepting the emails sent between the two, and substituting public keys generated by the attacker for the real ones.

If both users fall for this trick, they'll replace their private keys, and accept the fake public keys. Once the fake public keys are in place, the attacker can then invisibly proxy the TCP connections and data between the two users. Since the attacker has private keys for the fake public keys, s/he can control the generation of session keys, and thus tap the data in plaintext.

If/when PSST gains popularity, it's highly likely that government agencies may preinstall the infrastructure needed to automate this attack, in which case your security is absolutely zilch.

Countermeasures

By now it should be clear why you get harassed with 2 popup warning windows every time you import someone's public key: it may not actually be their key.
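One way to make that import check concrete is to pin each contact's key and accept a new or replacement key only when its fingerprint matches one the contact gave over a separate channel. This is an added example, not part of PSST: the `Keyring` class, the function names and the sample keys are all hypothetical.

```python
import hashlib
import hmac

def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the key, in four-digit groups that are easy to read aloud."""
    h = hashlib.sha256(pubkey).hexdigest()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def _normalise(fp: str) -> bytes:
    # Ignore spacing, colons and case so a dictated fingerprint still compares.
    return "".join(fp.replace(":", " ").split()).lower().encode()

class Keyring:
    """Hypothetical key store: one pinned public key per contact."""

    def __init__(self):
        self.pins = {}

    def import_key(self, contact: str, pubkey: bytes, spoken_fp: str = "") -> str:
        """Pin `pubkey` only if it matches the fingerprint the contact gave
        over a separate channel (phone call, in person), never by e-mail."""
        if self.pins.get(contact) == pubkey:
            return "unchanged"
        if not spoken_fp:
            return "rejected: no out-of-band fingerprint"
        if not hmac.compare_digest(_normalise(fingerprint(pubkey)), _normalise(spoken_fp)):
            return "rejected: fingerprint mismatch"
        replaced = contact in self.pins
        self.pins[contact] = pubkey
        return "replaced" if replaced else "pinned"

# Constructed sample keys (placeholders, not real key material).
BOB_KEY = b"constructed sample: Bob's public key"
FORGED_KEY = b"constructed sample: key from the forged 'I lost my key' e-mail"

def demo():
    ring = Keyring()
    read_over_phone = fingerprint(BOB_KEY).upper().replace(" ", ":")
    return [
        ring.import_key("bob", BOB_KEY, read_over_phone),     # pinned
        ring.import_key("bob", FORGED_KEY),                   # rejected: no fingerprint
        ring.import_key("bob", FORGED_KEY, read_over_phone),  # rejected: mismatch
        ring.pins["bob"] == BOB_KEY,                          # pin untouched
    ]

if __name__ == "__main__":
    print(demo())
```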

Possible counter-measures include:




Conclusion

PSST is not perfect. It has its weaknesses, some in the software, some in the nature of computer hardware, some in the other software on that computer, and some in the human frailties of its users.

If you are expecting this program to take care of your privacy without you being willing to learn a little about security, you could be in for an unexpected and devastating shock - in which case, don't blame me!

But if you take the time to master these fundamentals, then you can easily create a situation where the opportunity cost of an attacker going after you is so prohibitive that they'll just give up and go after easier and more profitable targets.

So in preparing your defences, you should ask the questions:



Forgive an old cliche, but:
The price of liberty is eternal vigilance!