On the Internet, and increasingly in the Real World, every possible piece of datum about us, our actions and transactions are recorded. In a panopticon-like environment such as that we operate within, it is not possible to go un-seen; however, it is possible to model our actions in such a way as to reduce the likelihood of being noticed, and when noticed, reduce the quantity of information divulged .
Quintessential to this, is an awareness of our actions, and what information may be gleamed from those actions. It should also be understood that even though a piece of divulged information may seem harmless, that piece of information, combined with other pieces of information and an existing body of knowledge, can be used to deduce previously unknown information about a target.
To illustrate this point, let me use a well-known scenario:
Jane is a web surfer. Jane goes to a web site, and without Janeâs knowledge the web server the site is housed on collect’s Janeâs IP address. (Jane’s IP address has been divulged — enough to target Jane for several types of network attacks). Also, lets suppose that for some reason Jane is targeted by the operator of this web site (maybe she posted a bad comment about a product they sell on their message board). The operator could easily determine who Jane’s uses for her ISP. Combining the IP address without the time that Jane accessed the web site, Jane’s account can be identified (note, the operator may not get this information from the ISP — this is effected by the ISP’s policies, and the operatorâs skills in social engineering — Even if the operator didn’t get the name, he could deny Jane future service through allegations of hacking attempts, etc.. Use your imagination.)
This example was chosen, in part, due to the fact that some official activities of ACPO volunteers will mirror those of Jane — web browsing. As ACPO establishes a noticeable presence in the Child Pornography community as a threat, ACPO members will themselves become targets of retaliation. As these threats emerge, ACPO members may need to take precautions to guard their identity while performing their volunteer duties. We will look at these precautions in both principle (the why and what) and application (the how).
Security Policy for ACPO
1 – Passwords and login names
You should never use a password that falls under one or more of these categories:
- Is less than eight (8) characters long (if the system doesn’t demand it).
- Only contains lower case letters (if the system doesn’t demand it).
- Doesn’t include numbers (as long as the system supports it).
- Contains a word that can be found in a dictionary, including names, nicknames, places and the like.
Could be guessed easily (dog’s name, street you live on and so on).
Never give away your personal password(s) to anyone, not even those you trust.
If the password can/may be shared, make sure the person you are about to share it with are the one you think. Make sure that the password is encrypted as soon as it leaves your computer, preferably with PGP.
Don’t store any passwords on your computer if they are not encrypted. Passwords should always be considered to be secret information (see below) if no reason for a lower level can be given.
If you, by any chance, have had a password in an unencrypted file make sure you wipe the file with at least sixteen (16) over-writes.
If you have a login name that is not to be publicly known, the same rules about storing, sending, encrypting and wiping is to be followed.
2 – Levels of information
There are three (3) levels of information.
- Secret information: Information that is to be strictly kept within a group of people within ACPO.
- Sensitive information: Information that can be shared with all members of ACPO but should not be shared with any non-members.
- Public information: Information that can be shared with anyone.
Always store secret and sensitive information encrypted. Public information does not need to be encrypted.
While sharing secret or sensitive information you shall make sure the information is encrypted as soon as it leaves your computer. Public information does not need to be encrypted.
If you have stored secret or sensitive information in an unencrypted file this file should be wiped with at least sixteen (16) over-writes. Files including only public information need not be wiped.
Secret information may not be shared with anyone if that person has no reason to have that very information. While sharing secret information you shall make sure that person you are sharing it with truly is the person you think it is.
Sensitive information may not be shared with anyone outside ACPO if that person doesn’t need the information to aid ACPO in it’s work. While sharing sensitive information you shall make sure that the person you are sharing it with truly is the person you think it is.
Public information may be shared with anyone.
3 – Reporting
You shall report if you know or have strong reasons to believe that one or more person(s) have not followed this policy.
You shall report any break ins into any system that has or may have any information from, to, about ACPO or is related to ACPO in a way that may hurt the organization if it was to be gained by one or more person(s) who was not supposed to have that information (see above, “Levels of security”).
You shall report if you know of attempts of break ins or have strong reasons to believe that one or more person(s) have tried to break in into a system that has or may have any information from, to, about ACPO or is related to ACPO in a way that may hurt the organization if it was to be gained by one or more person(s) who was not supposed to have that information (see above, “Levels of security”).
You shall report if you know that or have strong reasons to believe that one or more person(s) who is not authorized to have secret or sensitive information (see above, “Levels of security”) has, due to any reason, gotten hold of such information.
Any reports done due to this policy shall be done to the security team as soon as possible.
More From DeepQuest
* Your passwords, login-names, or any details related to our Information Services are confidential. Any information about other members will have to be submitted to Natasha or any members of the operation/technical team for to be approved. ALL requests must be PGP signed. Look the at the head office page for public keys.
* Always make sure the person you send info to, talk to, mail or the like is really the person in question by checking PGP signature validity, mail server etc..
* Always encrypt sensitive information. Wipe files with a minimum of 9 passes, we strongly recommend the use of PGP tools (freewarewww.pgpi.com). If you need assistance feel free to contact any members of the operation/technical team.
* If you suspect a possible breach of security, someone trying to break security or even just have a suspicion of someone breaking security you should immediately contact DeepQuest
leader of the operation/technical team or any other member for assistance. Try to provide logs, and basic description. It will used to report this to the security-staff. We will try to fix this issue ASAP and will report the intrusion to local authorities.
*Sending ANY virus to any of our members at least twice will be considered as violation or hack attempt, in agreement to United States federal laws (most countries have this law also) and will be reported to the ISP and legal authorities unless the sender show clearly that it was an error. -Only*.txt files must be sent via internal or external communications. ALL other attachments should deleted, unless it is required attachment.
* Think once more. This has saved many persons from error, in the end, it’s the human factor that’s the reason to all error. Humans programmed computers and thus they can be flawed, humans can be fooled by someone who knows how and so on.
* PGP guide 4 retired pple * V.0.1 by DeepQuest
This document will try to explain PGP use on Wintel and MacOs box.
Before starting the description is only describing the use with two-mail software: Netscape Messenger and Eudora. A copy of the PGP can be found at ftp://ftp use version 6.0 or higher, they are available on both platforms.
All settings for both soft are very easy just follow the instruction and provide all information asked (real or faked).
When you install PGP it will ask you to create your private key. THIS HAS TO REMAIN KEPT IN A SAFE PLACE AND BACKUP! Select your level of encryption I highly recommend a minimum of 1024 bits. 56bits key can be broken in less than 23 hours.
The chance to break your private key is exponential so don’t think it will take (1024*23)/56 hours to break your code! Use a pass phrase of minimum 10 letters (mix with uppercase letters), numbers and signs. Once your private key is created you should provide your public key to a personal web page or (which is better) to directories like PGPI or MIT LDAP. You will have this choice after the setup of PGP.
1-With Eudora pro (Eudora light must be the same) and Netscape Messenger.
I won’t make guide on the PGP usage with any M$oft outlook or Exchange products. Their products suck, and are very weak in term of security plus I don’t like them what they do, the way they work etc..>:-).I’ll NEVER use any m$ products outside my job. If you want to sign a mail, select the text in the body of the message copy it. Then on Wintel PGP in the startup items (by default bottom right) click on the PGPtray, select sign clipboard. If you have one or several keys (different email account, or key encryption level) select it, type your passphrase. Then paste the clipboard replacing the whole body of the mail. Your message is signed and ready to be sent. If you want to encrypt your message select “encrypt”, select the recipient(s) type your passphrase and send it. I highly recommend you to get the recipient(s) public key to use this encryption. If you can’t get it, select the “conventional encryption”, it will ask you to provide a passphrase.
Another cool feature with PGP is “wipe”. Pple down with ACP0 mission must use this to permanently delete secret files. Thrashing a file is not really deleting it. Norton unerase is quickly able to back the file. Wipe option, doesn’t only erase the file, it does it several time and rewrite 0 on the space used by the file on your disk. As far as know it’s impossible to restore any file. Even if you have all the hardware used by Gov. agencies to read track by track of disk. Before deleting any file, go in PGP preference. In the menu General bottom left you’ll see the “number of pass” put 14, which is acceptable level of security. Use the wipe only to delete files (doc, txt, jpg, gif etc…).You can use it to delete any huge files or a whole hard disk if you want but it’s going to take some time, don’t forget it’s going to erase 14 times…
PGP allow you to create encrypt partitions on Wintel and MacOS. Plus you can mount or unmount the disk at any time. It’s very useful if you want to store secret stuff on it. The set up is also very easy. Launch pgpdisk; create a new disk with the wizard. It’s going to create a *.pgd file, set up the size of it and save it to an existing partition. Mount unmount it any time you want.