Cyber-Security Toolbox

Transcription

Cyber-Security Toolbox
Cyber-Security Toolbox
Cyber-Security Toolbox
CYBER-SECURITY TOOLBOX
Compiled by: Michael Chesbro
7 May 2012
Edition-4
The Cyber-Security Toolbox contains several security techniques and programs that can be employed by
the individual user to make his or her electronic information and electronic communications more
secure.
The Cyber-Security Toolbox is compiled from multiple open sources, and system help files. This
document is a compilation of data obtained from the links given herein, and is intended to aid users in
establishing a more secure ‘cyber-environment’.
Every bit of cyber-security we use makes it that much more difficult for hackers, spies, criminals and
other adversaries to access our electronic systems, steal our information, or disrupt our operations.
Michael Chesbro
1
Cyber-Security Toolbox
Table of Contents






































Encrypt an e-mail message in Microsoft Office Outlook 2007
Digital Certificates
Comodo Secure E-mail
Secure Shuttle Transport
Hide My Ass Proxy
You Hide Proxy
Secret Message App.
Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files
Use Encryption Wizard (EW) to Secure Your Files
JavaScrypt: Browser-Based Cryptography
Pretty Good Privacy (PGP)
Comodo Disk Encryption Software
Hushmail
Opolis Secure E-mail
Apricorn Aegis Padlock Pro 500 GB USB - 256-bit Encrypted Portable External Hard Drive
Ironkey
Create a Secure Computing Environment with Lightweight Portable Security
Puppy Linux
Ubuntu Linux
TrueCrypt - Free open-source disk encryption software
Install Anti-Virus Software on Your Home Computer
Participate in IA Education, Training and Awareness Programs
Use Your DoD CAC At Home
Use the Password Function in Microsoft Office to Protect Your Documents
Use a Secure Erase Utility to Destroy Electronic Data
Use Strong Passwords
Store Your Passwords in a Password Safe
Master Lock Vault
Protect Data-At-Rest (DAR) – Enable Microsoft Encrypting File System
United States Postal Service Electronic Postmark
Use AKO/DKO IM & Chat
Enable Secure Logon (CTRL+ALT+DELETE )
Cellular Telephones and PDAs
Zfone
Vumber - Virtual Phone Number
Google Voice
Whisper Systems (Encrypted voice and texts for your Android Smartphone)
TOR
Michael Chesbro
2
Cyber-Security Toolbox










Google Encrypted Search
HTTPS Everywhere
Google Account 2-step verification
Temporary / Disposable E-mail Addresses
Anonymous E-mail
EPIC Online Guide to Practical Privacy Tools
NIST Computer Security Division - Computer Security Resource Center
US CERT Cyber Security Tips
NSA - CSS Cyber Security Factsheets
Report Cyber-Crime
Michael Chesbro
3
Cyber-Security Toolbox
Encrypt an e-mail message in Microsoft Office Outlook 2007
Encrypting an e-mail message in Microsoft Office Outlook 2007 protects the privacy of the message by
converting it from readable plaintext into ciphered (scrambled) text. Only the recipient who has the
private key that matches the public key used to encrypt the message can decipher the message.
Encrypt a single message
1. In the message, on the Message tab, in the Options group, click the Encrypt Message Contents and
Attachments button.
2. Compose your message and send it.
Encrypt all messages
1. On the Tools menu, click Trust Center, and then click E-mail Security.
2. Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check
box.
Michael Chesbro
4
Cyber-Security Toolbox
3. To change additional settings, such as choosing a specific certificate to use, click Settings.
4. Click OK twice.
In order to send encrypted messages over the Internet, you need to exchange certificate files (.cer file)
with the recipient. You can do this in a number of ways.
For example:





Send a digitally signed message. The recipient adds your e-mail name to Contacts and in doing
so, also adds your certificate.
Send an e-mail message with your .cer file attached or send the .cer file on a disk / CD-ROM. The
recipient can import the .cer file into your contact card.
Create a contact card with your .cer file, and send the contact card.
Publish your certificate to an LDAP (Lightweight Directory Access Protocol (LDAP): A protocol
that provides access to Internet Directories.) directory or another directory that is available to
the other person.
Post the certificate on a share that is available to the other person.
If your system administrator has set up security for your network using Microsoft Exchange, it is not
necessary to swap certificates.
3DES is the default encryption algorithm. Encryption strength is no longer restricted by the United States
government. Outlook uses the RC2 algorithm by default when running on a 40-bit operating system that
does not have 128-bit encryption capabilities.
Digital Certificates
Digital ID A Brief Overview
http://www.verisign.com/static/005326.pdf
VeriSignTM Class 1 Digital IDSM for Microsoft Internet Explorer
https://digitalid.verisign.com/client/class1MS.htm
Comodo Digital Certificate
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
Comodo's Free Email certificates allow you to use the digitally sign and encrypt features built into your
personal email client to authenticate and secure your email communications. This allows recipients of
your emails to confirm your identity and ensure that the email you sent was not modified during
transmission. It is also simple to fully encrypt your communications to prevent unauthorized viewing.
Michael Chesbro
5
Cyber-Security Toolbox
GlobalSign Digital ID
http://www.globalsign.com/authentication-secure-email/digital-id/
GlobalSign offers a range of PersonalSign (Digital IDs issued to people) with varying trust levels. Digital
IDs can be used to access online Government services to submit declarations electronically, authenticate
you to SSL VPNs, and secure email by digitally signing and encrypting email using applications such as
Microsoft Outlook or other S/MIME email software.
The same Digital ID can also digitally sign Microsoft Office documents. By digitally signing a document or
email, you can confirm that you are the originator of the document / email and help prove that the
document / email has not changed since the time you signed it.
Comodo Secure E-mail
https://www.comodo.com/home/email-security/secure-email.php
Michael Chesbro
6
Cyber-Security Toolbox
Secure Shuttle Transport
http://www.secureshuttle.com/Index.htm
It is no secret that almost every online communication is vulnerable to hackers and espionage software.
With the emergence of Voice over IP technologies, even conversations can now easily be decoded.
Secure Shuttle Transport (SST) changes that by providing complete protection from potential in-transit
hazards.
SST is specifically designed to achieve two primary goals:


Total Internet Security including all data and voice transmission.
Easy-to-use interface with seamless transmission and reception of data files as well as text and
audio transmission.
SST uses a simplified interface to send and receive encrypted data and voice messages. The interface is
easy to navigate without a cluster of unnecessary, hard-to-use features. SST uses RSA encryption to
secure information before sending it over the Internet. The recipient is immediately notified of the
communication attempt and SST automatically decrypts the data upon receipt. RSA encryption is stateof-the-art.
Hide My Ass Proxy
Michael Chesbro
7
Cyber-Security Toolbox
http://hidemyass.com/proxy/
Free proxy to surf anonymously online, hide your IP address, secure your internet connection, hide your
internet history, and protect your online identity.
You Hide Proxy
http://www.youhide.com/
Youhide provides a free proxy service which changes your IP to prevent unauthorized access to your
computer over the Internet, manage cookies to prevent monitoring of your network traffic, you can
bypass firewall that block you from visiting your favorite websites and unblock many sites like myspace,
facebook etc.
Secret Message App
A cross-platform, secure, mobile encryption and messaging app.
by kXm Interactive
http://www.secretmessageapp.com/
Michael Chesbro
8
Cyber-Security Toolbox
http://www.appbrain.com/app/secret-message/kxm.secretMessage
Secret Message is available for iPhone, iPad, Android, Windows Phone 7 and BlackBerry mobile devices!
Email, SMS, Tweet or post on Facebook secret messages between friends, co-workers, lovers using this
simple application that encrypts text with a given key/passcode, and just as easily decrypts a given text
with the same key. AES cipher algorithm is used to secure the message, resulting in very sound
communication encryption that helps you keep your private conversations safe from prying eyes.
Agree on a secret key. Write it. Encrypt it. Email it. SMS it. Post it on Facebook or Twitter!
message received via e-mail can be decrypted on-line at:
http://www.secretmessageapp.com/decrypt
Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files
The AMRDEC Safe Access File Exchange (SAFE) application is
for securely exchanging UNCLASSIFIED / FOUO files.
Files of up to 2GB in size may be transferred through SAFE but
the actual size is dependent of various factors such as
connection speed, the network's congestion, and various
other determinates.
Since many organizations that do business within the Army
limit the size of attachments that can be sent via email, the
SAFE applications were created as alternative file-sharing
methods to email and FTP.
How Secure is SAFE?
SAFE uses the SSL (Secure Socket Layer) protocol--128-bit encryption--when a file is uploaded and
downloaded. Users should be aware however that the limited use PIN that the users receive to access a
file in SAFE is sent via email. Therefore the PIN is only as safe as your email system. Since this system
was designed as an alternative to simply attaching the file to an email anyway, this is acceptable. The
SAFE server uses Department of Defense PKI certificates for identification and encryption.
•
Any format of file(s), including a .zip file, may be sent to anyone with a valid email address
•
Virus protection provided
•
SAFE servers are less susceptible to worms or other email viruses
Michael Chesbro
9
Cyber-Security Toolbox
AMRDEC SAFE - https://safe.amrdec.army.mil/SAFE/
Use Encryption Wizard (EW) to Secure Your Files
EW is an SPC implementation of the Advanced Encryption Standard (AES)(Rijndael) augmented with a
file manager Graphical User Interface (GUI) for ease of use. The 128-bit encryption/decryption algorithm
used by Encryption Wizard is considered cryptographically strong and is routinely used in National
Security Agency (NSA) and National Institute of Standards and Technology (NIST) certified products.
Encryption Wizard is designed to protect data at rest and in transit (such as email attachments).
Fast, Easy-to-Use Protection
Quickly and easily protect your important data inside and outside your organization. Encryption Wizard
(EW) provides a user-friendly, drag-and-drop, single window interface to encrypt any type of file on
nearly any computer or media.
To encrypt files or directories, simply drag them into the EW window, press Encrypt, and enter a
passphrase and/or use a PKI certificate. EW can also create encrypted (and optionally compressed)
archives of files and directories.
Free Public Version -- Download now from http://spi.dod.mil/ewizard.htm .
Free FIPS Version
This restricted version uses a FIPS 140-2 validated encryption module from RSA® for use by the federal
government and its contractors. Encrypted files are compatible with the public version. Escrow keys can
Michael Chesbro
10
Cyber-Security Toolbox
be embedded for use in your enterprise. To obtain the FIPS version or customize for your enterprise,
contact the Software Protection Initiative.
Cryptographically Strong
Encryption Wizard protects data on your network, while stored on media, and during transmission
across the Internet using a FIPS 140-2 validated module.
128-bit AES encryption, SHA-256 hashes, and RSA digital signatures meet DoD requirements for
transmitting and storing critical unclassified information.
Enterprise Ready
Encryption Wizard aims to protect data wherever stored and however transmitted between dissimilar
networks, platforms, and operating systems for a broad range of users. Listed on the Air Force
Enterprise Products List, EW complements Data-at-Rest products for defense-in-depth and granular
control. Optional command line interface permits scripting of data protection. Installation packages
available for common enterprise software distribution systems.
System Requirements


Java Runtime Environment SE, v1.5 (or newer)
Administrator access not required for installation
JavaScrypt: Browser-Based Cryptography
The JavaScrypt: Browser-Based Cryptography is http://www.fourmilab.ch/javascrypt/"a collection of
Web pages and programs in the JavaScript language [that] perform military-grade encryption (256 bit
secret key AES) entirely within your Web browser--you needn't download nor install any software, and
nothing is sent to any Web site when you encrypt or decrypt a message. You can download the page
source and JavaScript programs to your own computer and use them even when not connected to the
Internet. Companion pages provide a text-based steganography facility and key generator suitable for
preparing one-time key lists."
An advantage of the JavaScrypt: Browser-Based Cryptography program is that its "lite" version is very
small (32 KB) and can be stored in a web-based e-mail program (i.e. attach it to an e-mail and send it to
yourself) or accessed on-line from the Fourmilab website, thus allowing one to encrypt sensitive
communications from any computer which can access your web-based e-mail.
Michael Chesbro
11
Cyber-Security Toolbox
Pretty Good Privacy (PGP)
Pretty Good Privacy or PGP is an encryption program developed by Phil Zimmermann and published in
1991. It was one of the first public-key encryption programs available to the general public, and has
today become the "unofficial standard" for encryption of e-mail and personal communication on the
Internet.
PGP uses public key encryption. It has one key (a public key) for encryption and a second key (a private
key) for decryption. With PGP installed on your computer you can encrypt a message to any person
whose public key you possess. However, the only way to then decrypt that message is to possess the
associated private key. Thus when using PGP you give your public key to everyone, add it to key servers,
and maybe even publish it on the Internet, but you keep your private key secret and secure, thereby
ensuring that while anyone can encrypt a message and send it to you, only you can decrypt and read
that message.
People who use PGP on a regular basis will often publish their PGP public key to a "key server". A key
server is simply a site where you can search for a person's public key and post your own public key for
others to use. PGP key servers are run by several groups and organizations, but some of the major key
servers can be found on-line at:



MIT PGP Public Key Server - http://pgp.mit.edu/
PGP Corporation Public Key Server - http://keyserver.pgp.com/
University of Mainz (Germany) Public Key Server - http://pgp.uni-mainz.de/
If you use PGP you could visit anyone of these PGP key servers and locate the author's PGP public key.
This would give you a way to securely contact the author of this book without first having met him or
otherwise exchanged any type of encryption key. If you included a copy of your own PGP public key in
your e-mail, or if your PGP public key was posted to the key server you could receive an encrypted reply
to your e-mail... a reply that only you could read.
Michael Chesbro
12
Cyber-Security Toolbox
PGP is available for most operating platforms and systems, and is available as freeware from the PGP
International site at: http://www.pgpi.org/ . Gnu Privacy Guard (GnuPG) is a PGP compatible free
implementation of the OpenPGP standard. GnuPG is available on-line at: http://www.gnupg.org/ .
Comodo Disk Encryption Software
http://disk-encryption.comodo.com/
Finding a secure method to store sensitive data has always been a complex problem. With mobile and
desktop computers acting as storage devices for sensitive information; data loss and data theft are on
the rise. Attempting to maintain encrypted files on removable media is not a reliable option as these can
be forgotten, stolen or lost.
Your solution: Comodo Disk Encryption!



Simple deployment and operation
Strong protection of personal and corporate data
Doesn't disrupt computer usage or performance
Comodo Disk Encryption allows you to encrypt local hard drives and partitions and is designed to
continuously protect sensitive data from being compromised, lost or stolen. Using on-the-fly disk
encryption and two levels of authentication, Comodo Disk Encryption automatically protects stored
information without disrupting the computing experience.
Comodo Disk Encryption protects your sensitive information by enabling you to encrypt any drive or
partition on your system using one of several strong algorithms. All encryption/decryption processes are
performed on the fly with no reboot needed. You can continue to use the drive as usual. Even root
partitions can be encrypted.
Multiple access authentication types add an additional layer of security.
Password Authentication - Set a password of your choice as an access authentication key to encrypt the
required drives. The password must be entered whenever the system is started to enable access to the
encrypted drive(s).
USB Memory Key Authentication - Configure a USB memory stick as an authentication key to encrypt
the required drives. This key must be plugged into the system whenever the system is started to access
the encrypted drive(s).
Authentication with both Password and USB Memory Key - This combination is a highly secure practice
that meets the classic two factor authentication criteria of 'something you have' plus 'something you
know'.
Why do you need Comodo Disk Encryption?
Michael Chesbro
13
Cyber-Security Toolbox




Because encrypting your data means no one else will be able to access it if your computer gets
stolen or lost
Because you want to be the sole person that is able to start a specific computer
Because you want to lock down certain drives or partitions on a shared or family computer
Because you want your confidential data to be totally protected from hackers, data thieves and
unauthorized viewing
Comodo Disk Encryption - System Requirements
Operating Systems
Windows Vista (32 bit and 64 bit)
Windows XP (Service Pack 1 or later) (32 bit and 64 bit)
Windows Server 2003 (32 bit and 64 bit)
Windows 2000 (Service Pack 3 or later) (32 bit)
Hardware
Intel Pentium II 233 MHz or equivalent processor
128 MB RAM
12 MB free hard drive space
Hushmail
https://www.hushmail.com/
Hushmail is a secure web-based free email service, developed 1999. Hushmail looks and feels just like
any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying
eyes.
Key features



Easy-to-use web-based email
Standards-compliant encryption
Works on iPhone and BlackBerry
Michael Chesbro
14
Cyber-Security Toolbox

Optional Outlook integration
The free Hushmail account is limited to 2MB of storage space.
Storage of up to 10GB is available for $49.98 per year.
Opolis Secure E-mail
http://www.opolis.eu/
Opolis is a high-security E-Mail service.
Combining latest E-Mail security technologies, Opolis transmits, processes and stores all your
confidential messages in encrypted mode. Accessible from all over the world, Opolis operates on your
PC in parallel to standard E-Mail applications, such as Microsoft's Outlook or Apple's Mail. The Opolis
Mail Client runs on any machine and does not require any specific configuration.
Opolis is a fully integrated service provider for all your confidential E-Mails, combining a global
infrastructure, server systems, backup facilities, storage and customer service.
The Power to the Sender concept of Opolis allows the sender to protect, control and monitor all sent
messages. With Opolis, it is always the sender of an E-Mail who has ultimate authority and control over
the flow of messages and its attachments.
"I Protect": Opolis E-Mails are immediately encrypted when sent and can only be decrypted and read by
the authorized recipient, and nobody else. Neither can anyone read Opolis E-Mails whilst these are
transmitted or safely stored on the Opolis server system. Opolis uses a Public-Private Key technology for
encryption and the services of iTrust as a registry of public keys for Opolis Users. Opolis also ensures
that message content or information in relation to the message flow cannot be manipulated or falsified.
"I Decide": The sender of an Opolis E-Mail decides whether the recipient may copy, print, respond to or
forward a message to another Opolis User or not.
"I Control": The sender of an Opolis E-Mail can actively and live monitor the path and status of each
message sent.
Michael Chesbro
15
Cyber-Security Toolbox
Apricorn Aegis Padlock Pro 500 GB USB 2.0 and eSATA 256-bit Encrypted
Portable External Hard Drive
http://www.apricorn.com/products/hardware-encrypted-drives.html
Order from Amazon.Com: http://www.amazon.com/exec/obidos/ASIN/B003EYVJTA/chesbro-20
Apricorn’s Aegis Padlock Secure USB Drive with 256-bit hardware encryption provides the ultimate in
data protection whether at the office, home or on the road. Ideal for workplace environments or
business travel, the Aegis Padlock’s easy-to-use keypad and software free, cross compatible design
enables you to access the drive with your own unique PIN. Featuring seamless real-time encryption,
keeping your data safe even if the hard drive is removed from its enclosure, the Aegis Padlock’s robust,
shock mounted design and integrated USB cable is ideal for securing data on the fly. Real-time 256-bit
hardware encryption; PIN Access; Integrated USB cable; Shock mounted, portable design; Software free
design - Perfect for Corporate deployments; Setup takes just minutes; Compatible with any OS.
Michael Chesbro
16
Cyber-Security Toolbox
Ironkey
https://www.ironkey.com
Your identity and personal data are too valuable to risk. IronKey Personal keeps you protected with
military-grade encryption and easy-to-use identity management. The result of extensive R&D and the
collaboration of some of the world's leading experts in cryptography and the Internet, IronKey is the
world's most secure flash drive. IronKey Personal comes loaded with a secure private browser that lets
you surf anonymously and protects your passwords whenever you go online. IronKey Personal simplifies
your digital lifestyle while giving you added peace of mind.
Ironkey Datasheet: https://www.ironkey.com/files/datasheets/ironkey-personal-s200.pdf
Create a Secure Computing Environment with Lightweight Portable Security
http://spi.dod.mil/lipose.htm
Michael Chesbro
17
Cyber-Security Toolbox
Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intelbased computer (PC or Mac). LPS boots a thin Linux operating system from a CD without mounting a
local hard drive. Administrator privileges are not required; nothing is installed. SPI created the LPS family
to address particular use cases.
LPS-Public is a safer, general-purpose solution for using web-based applications.
The accredited LPS-Remote Access is only for accessing your organization's private network.
LPS-Public allows general web browsing and connecting to remote networks. It includes a CAC-enabled
Firefox browser, a PDF and text viewer, Java, and Encryption Wizard - Public.
(http://www.spi.dod.mil/ewizard_down.htm)
LPS-Public turns an un-trusted system (such as a home computer) into a trusted network client.
No trace of work activity (or malware) can be written to the local computer. Simply plug in your USB
CAC-reader to access CAC-restricted DoD websites.
To get started, download the LPS-Public ISO image and burn it to a CD.
Puppy Linux
Linux is a free operating system, and Puppy Linux http://puppylinux.org is a special build of Linux meant
to make computing easy and fast.
Puppy Linux also enables you to save money while doing more work, even allowing you to do magic by
recovering data from destroyed PCs or by removing malware from Windows.
With Puppy Linux, you can carry your programs and data anywhere.

Easy - Just use a CD or USB flash to boot a PC. Puppy Linux is downloadable as ISO, an image that
can be burned to CD or DVD.
Michael Chesbro
18
Cyber-Security Toolbox





Fast - Because Puppy is small, it can live in your PC's memory and be ready to quickly execute
your commands, whereas in other systems, programs are first read from drive storage before
being executed.
Save Money - Even if your PC has no hard disk (ex, broken hard disk), you can still boot Puppy via
CD or USB and continue working. Old PCs that no longer work with new systems will still work
good-as-new with Puppy.
Do More - Puppy boots in less than a minute, even in old PCs, and it does not require antivirus
software. Administering Puppy is quick and minimal. With Puppy, you just have to take care of
your data, which you can easily save to USB flash (Then forget about your operating system!).
Your data can be read by other computers.
Do Magic -Help your friends suffering from computer malware by booting Puppy and removing
malware from their PC (use antivirus that is built-in or can be installed in Puppy). Example - bad
Autorun.inf is easily removed by Puppy (Just delete it as well as its companion exe program). If
your friend thinks that she has lost data from her corrupted hard disk, boot Puppy and try saving
her data!
Carry Anywhere (Portable) - Because Puppy is able to live in CD/DVD or USB flash, as well as
save data to these same devices, you can carry your programs and data with you.
Are you now ready for Puppy? Keep these important reminders before using Puppy:


You don't have to install Puppy (to hard disk) to use it. Simply burn the ISO to CD/DVD and boot
the PC or laptop with it. Once booted, you can then install it to USB flash (see the Setup menu),
so you can use it for booting the PC when a CD is not available.
You don't have to save data to hard drive to work with Puppy. You can save data to USB flash or
even to Internet storage (like www.drop.io ). When installed to USB flash, Puppy consumes only
a little over 100 MB, or about 256 MB with OpenOffice. You can use the same USB flash (where
Puppy is installed) for saving data.
Michael Chesbro
19
Cyber-Security Toolbox
Ubuntu Linux Operating System
http://www.ubuntu.com/
Super-fast, easy to use and free, the Ubuntu operating system powers millions of desktops, netbooks
and servers around the world. Ubuntu does everything you need it to. It'll work with your existing PC
files, printers, cameras and MP3 players. And it comes with thousands of free apps.
TrueCrypt - Free open-source disk encryption software
Michael Chesbro
20
Cyber-Security Toolbox
Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux
TrueCrypt http://www.truecrypt.org is a software system for establishing and maintaining an on-thefly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically
encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored
on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or
correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every
file, free space, meta data, etc).
Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any
normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted
on the fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.
Similarly, files that are being written or copied to the TrueCrypt volume are automatically being
encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean
that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be
encrypted/decrypted. There are no extra memory (RAM) requirements for TrueCrypt. For an illustration
of how this is accomplished, see the following paragraph.
Let's suppose that there is an .avi video file stored on a TrueCrypt volume (therefore, the video file is
entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the
TrueCrypt volume. When the user double clicks the icon of the video file, the operating system launches
the application associated with the file type – typically a media player. The media player then begins
loading a small initial portion of the video file from the TrueCrypt-encrypted volume to RAM (memory)
in order to play it. While the portion is being loaded, TrueCrypt is automatically decrypting it (in RAM).
The decrypted portion of the video (stored in RAM) is then played by the media player. While this
portion is being played, the media player begins loading next small portion of the video file from the
TrueCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly
encryption/decryption and it works for all file types, not only for video files.
Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM
(memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you
restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be
inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system
shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again,
you have to mount the volume (and provide the correct password and/or keyfile).
A beginner's tutorial to TrueCrypt is available here: http://www.truecrypt.org/docs/tutorial
Michael Chesbro
21
Cyber-Security Toolbox
Install Anti-Virus Software on Your Home Computer
To help protect your home and personal computers the DoD Antivirus Software License Agreement with
McAfee and Symantec allows active DoD employees to utilize the antivirus software for home use.
Home use of the antivirus products will not only protect personal PCs at home, but will also potentially
lessen the threat of employees bringing malicious logic into work and compromising DoD networks.
To obtain a copy of the free anti-virus software provided by the DOD, visit https://www.cert.mil. (DoD
PKI CAC Card Required)
For individuals who do not have DoD PKI to access the above software, there are other free anti-virus
programs available:
AVG Free Anti-Virus Software - http://free.avg.com/us-en/homepage
Avast Free Anti-Virus Software - http://www.avast.com/free-antivirus-download
Microsoft Security Essentials - http://www.microsoft.com/security_essentials/
Panda Cloud Antivirus Free Edition - http://www.cloudantivirus.com/en/
Michael Chesbro
22
Cyber-Security Toolbox
Trend Micro HouseCall - http://housecall.trendmicro.com/
Virus Scanner Test Files
http://ipinfo.info/html/testvirus.php
Testing virus scanner behavior in case of infection is quite simple. Download one of the files listed below
and save it to a location of your choice. If your virus scanner is functioning properly it must generate a
warning message upon saving the virus testfile. If you try this from within your company or organization,
chances are that the corporate firewall or proxy server already removes or blocks the infected file
before it reaches your PC. In this case your web browser will show an error message about not being
able to download, but the local virus scanner will not show any virus warning.
Of course, these files don´t contain any malicious code, they simply contain a specific signature created
by the EICAR organization (European Expert Group for IT Security) that was specifically designed to test
the functional behavior or antivirus software.
Michael Chesbro
23
Cyber-Security Toolbox
Participate in IA Education, Training and Awareness Programs
The DISA Information Assurance Support Environment http://iase.disa.mil/eta/ provides a variety of
free, on-line IA education, training, and awareness programs. IA training helps to ensure that the
privacy, reliability, and integrity of our information systems remain intact and secure.
Information Assurance Fundamentals Training - https://ia.signal.army.mil/IAF/default.asp
This course provides individuals an understanding of the information systems security policies, roles,
responsibilities, practices, procedures, and concepts necessary to perform the functions of an
Information Assurance Security Officer (IASO). The lessons presented will aid the IASO in developing an
effective security approach and in selecting cost-effective controls to meet the requirements of laws,
directives, and regulations.





Lesson 1 - Army Information Assurance Program (AIAP)
Lesson 2 - Federal Laws, DoD Regulations and Policies
Lesson 3 - Army Regulations and Policies
Lesson 4 - Army Information Assurance Training Program
Lesson 5 - Network/Hacker Threats
Michael Chesbro
24
Cyber-Security Toolbox











Lesson 6 - Malware
Lesson 7 - Physical Security
Lesson 8 - Risk Assessment and Management
Lesson 9 - Security Incident and Response Planning
Lesson 10 - Continuity of Operations (COOP)
Lesson 11 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
Lesson 12 - Wireless Security
Lesson 13 - Intrusion Detection Systems (IDS) and Auditing
Lesson 14 - Firewalls and Perimeter Defense
Lesson 15 - Encryption and Common Access Cards (CAC)
Lesson 16 - Legal
InfraGard Awareness Information Security Awareness Course
https://www.infragardawareness.com/index.php
The InfraGard Awareness Information Security Awareness
course is FREE to all individuals and small businesses with 50 or
fewer employees. This training will help you and your
employees understand how you to help make your workplace
more secure. It will also teach you vital skills to protect yourself
and your family from cybercrime and identity theft.
The course is divided into 13 lessons. The time of each lesson
ranges from approximately three to nine minutes long. The total time for the entire course is
approximately 90 minutes.
The first part of the course focuses on the key behavioral challenges including;




helping employees make a personal connection with cybercrime and workplace security
understanding who commits these crimes and what their motives are
understanding why exploiting predictable employee behavior is critical to committing these
crimes
why modifying personal behavior can be so powerful in preventing these crimes.
The second part of the course focuses on security best practices and policies, and on how they
contribute to behavioral change and better workplace security. It addresses all the key security
vulnerabilities, including web and e-mail use, passwords, data protection, social engineering, virus
management, security outside the office, personal workspace security and more.
Standard lessons include:
Michael Chesbro
25
Cyber-Security Toolbox













Pre-Lesson Course Welcome and Overview
Lesson 1: The Impact of Cybercrime and Identity Fraud
Lesson 2: Today’s Threats
Lesson 3: How Employee Behavior is Exploited
Lesson 4: Strong Passwords Increase Security
Lesson 5: Understanding and Recognizing Social Engineering
Lesson 6: Email Best Practices
Lesson 7: Protecting Against Viruses, Spyware and Spam
Lesson 8: Protecting Your Personal Workspace
Lesson 9: Security You Can Live With
Lesson 11: Protecting the Workplace from Identity Fraud
Lesson 12: Risks and Acceptable Uses of Electronic Resources
Lesson 13: Secure Use of Networks
DHS/FEMA Certified Cyber Security Training is available through
the TEEX Domestic Preparedness Campus at:
http://www.teexwmdcampus.com/index.k2
Michael Chesbro
26
Cyber-Security Toolbox
Software Engineering Institute's Virtual Training Environment (VTE)!
https://www.vte.cert.org
VTE provides high-fidelity e-learning delivered right to your Web browser, which means that VTE
combines three unique capabilities:



On-demand lecture in the form of video, audio presentations, and demonstrations
Hands-on lab environments
A learning management system to manage enrollments and track progress
Use Your DoD CAC At Home
Step - 1
You will need to obtain a CAC Reader. This can be issued, or you may choose to buy one. The following
links are for CAC readers available from Amazon.Com:
SCM SCR3310 USB Smart Card Reader Common Access CAC ID DOD
SCM SCR331 - SMART card reader - USB
Step - 2
Go to http://militarycac.com and follow the instructions to download DoD Certificates and ActivClient.
Michael Chesbro
27
Cyber-Security Toolbox
Using your DOD CAC from home allows you to quickly log in to AKO / DKO, change your password, add
or sponsor guests, and avoid the KBA questions.
Be sure your CAC is registered with AKO / DKO. http://help.dr1.us.army.mil/cgibin/akohd.cfg/php/enduser/std_adp.php?p_faqid=264&p_sid=f1lawh*j&p_lva=95
Once you have your CAC set up at home, go to https://rw5.army.mil to access your office e-mail.
Use the Password Function in Microsoft Office to Protect Your Documents
To password protect a Microsoft document, workbook, or presentation (MS Word, Excel, or
PowerPoint):





Click the Microsoft Office Button, point to Prepare, and then click Encrypt Document.
In the Encrypt Document dialog box, in the Password box, type a password, and then click OK.
You can type up to 255 characters. By default, this feature uses AES 128-bit advanced
encryption.
In the Confirm Password dialog box, in the Reenter password box, type the password again, and
then click OK.
To save the password, save the file.
Michael Chesbro
28
Cyber-Security Toolbox
The default encryption algorithm is AES 128-bit. This value can be increased to AES 256-bit via a Registry
entry, local security policy, or domain Group Policy.
AES encryption is supported for Open XML formats used in previous versions of Microsoft Office when
those documents are created in a Microsoft 2007 Office system application. However, documents saved
in the older Office binary formats can only be encrypted using RC4 to maintain compatibility with older
versions of Microsoft Office.
The level of protection provided by the AES encryption is related to the strength of the password used
to protect the document. You should use complex passwords that include upper and lower case letters,
numbers and symbols and that are at least 10 characters long.
It’s important to note that there are two
options to add a password in Microsoft 2007
Office system documents.
One option enables you to encrypt the
document using a password; this is referred to
as a Password to open.
The second option does not use any
encryption. It is designed so you can
collaborate with content reviewers you trust,
but is not designed to help make the file more
secure. This is referred to as the Password to
modify.
Use a Secure Erase Utility to Destroy Electronic Data
Data erasure is a method of software-based overwriting that completely destroys all electronic data
residing on a hard disk drive or other digital media. Permanent data erasure goes beyond basic file
deletion commands, which only remove direct pointers to data disk sectors and make data recovery
possible with common software tools. Unlike degaussing and physical destruction, which render the disk
unusable, data erasure removes all information while leaving the disk operable, preserving assets and
the environment.
According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure
of the data on the disk drive. The U.S. National Security Agency published an Information Assurance
Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track
Michael Chesbro
29
Cyber-Security Toolbox
overwrite passes gave no additional erasure.” [http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf]
"Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including
remapped (error) sectors.
Center for Magnetic Recording Research - University of California, San Diego.
Secure Erase Utility http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing
http://www.dban.org/
Eraser
http://eraser.heidi.ie/
http://www.tolvanen.com/eraser/
Use Strong Passwords
The Department of Defense Password Management Guideline (CSC-STD-002-85) states:
“The probability that any single attempt at guessing a password will be successful is one of the most
critical factors in a password system. This probability depends on the size of the password space and the
statistical distribution within that space of passwords that are actually used. Since many user-created
passwords are particularly easy to guess all passwords should be machine generated...”
PC Tools - Secure Password Generator - http://www.pctools.com/guides/password/
The PC Tools Password Generator allows you to create random passwords that are highly secure and
extremely difficult to crack or guess due to an optional combination of lower and upper case letters,
numbers and punctuation symbols.
Brookhaven National Laboratory Cyber Security On-line Password Generator
https://www.bnl.gov/cybersecurity/pwgen/
Store Your Passwords in a Password Safe
A password safe is a computer program that stores your passwords in an
encrypted format on your computer. You create multiple, very complex,
passwords and store them in the password safe. You then memorize a
single complex password that grants you access to your password safe.
An excellent password safe was developed by Bruce Schneier, and is now
an open source project available on-line at: Password Safe -
Michael Chesbro
30
Cyber-Security Toolbox
http://passwordsafe.sourceforge.net/. Another password safe is the Keepass Password Safe, available
on-line at: http://keepass.info/.
Master Lock Vault - Safe and Secure Password Protection
https://www.masterlockvault.com/
Master Lock Vault™ provides a safe, free, and convenient place to store
your confidential data for quick and easy access, delivering the security
you need from Master Lock, a brand you trust. - Includes a Mobile
Version & Apps for I-Phone and Android.
Protect Data-At-Rest (DAR) – Enable Microsoft Encrypting File System
Microsoft Encrypting File System (EFS) is installed as part of the Windows operating
system.(http://technet.microsoft.com/en-us/library/bb457116.aspx)
Microsoft Windows Encrypting File System (EFS) enables users to encrypt individual files, folders, or
entire data drives. Because EFS provides strong encryption through industry-standard algorithms and
public key cryptography, encrypted files are confidential even if an attacker bypasses system security.
EFS users can share encrypted files with other users on file shares and in Web folders.
Security features such as logon authentication or file permissions protect network resources from
unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can
Michael Chesbro
31
Cyber-Security Toolbox
install a new operating system on that computer and bypass the existing operating system’s security. In
this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of
security. When files are encrypted, their data is protected even if an attacker has full access to the
computer’s data storage.
EFS allows users to store confidential information about a computer when people who have physical
access to your computer could otherwise compromise that information, intentionally or unintentionally.
EFS is especially useful for securing sensitive data on portable computers or on computers shared by
several users. Both kinds of systems are susceptible to attack by techniques that circumvent the
restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a
different operating system. An attacker can also steal a computer, remove the hard drives, place the
drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as
unintelligible characters when the attacker does not have the decryption key.
Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users
open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the
data as it is written to disk. Authorized users might not even realize that the files are encrypted because
they can work with the files as they normally do.
In its default configuration, EFS enables users to start encrypting files from My Computer with no
administrative effort. From the user’s point of view, encrypting a file is simply a matter of setting a file
attribute. The encryption attribute can also be set for a file folder. This means that any file created in or
added to the folder is automatically encrypted.
To create an EFS Encrypted folder:
1. Choose a folder in your My Documents folder to be EFS protected.
2. Right-click and choose Properties.
3. Click the Advanced button.
4. Check the checkbox labeled Encrypt contents to secure data.
5. Click OK.
6. Click Apply.
7. If the Confirm Attribute Changes dialog appears, select the Apply changes to this folder, subfolders
and files radio button.
8. Click OK.
9. Click OK on Folder Properties.
10. Windows Explorer shows different colors for the following:
Michael Chesbro
32
Cyber-Security Toolbox
a. Black – normal files on the file system.
b. Green – files and/or folders are EFS encrypted.
c. Blue – files and/or folders are compressed.
11. Move or copy at least one file or record into the EFS protected folder.
Data-At-Rest (DAR) Protection - Enable EFS on USB Media
1. To run EFS on a USB device (thumb drive) – it needs to be formatted with the NTFS files system.
However, by default, only FAT32 and FAT are selectable.
2. Using Windows Explorer, format the USB device with FAT32.
3. Once the formatting is complete, right click the device and check properties. Verify that the file
format is FAT32.
4. At a command prompt, run the CONVERT command. Example: CONVERT E: /FS:NTFS (Where “E:”
represents the USB device drive)
5. Once the CONVERT command finishes, the USB device will have a NTFS file system on it which can
now accept EFS protected data. Using Windows Explorer, select Properties of the USB device to validate
that file format is NTFS.
Further details on Data-At-Rest protection can be found here:
http://www.gordon.army.mil/NEC/documents/BBP%20Data%20at%20Rest.pdf
Note: The EFS Encrypt feature is only available in the Vista Business, Ultimate, and Enterprise editions.
It will remain grayed out in the Vista Home Basic and Home Premium editions.
United States Postal Service Electronic Postmark
Protect the integrity of your content - https://www.uspsepm.com/
The USPS Electronic Postmark® (EPM)* is an auditable time-and-date stamp service offered by
authorized service providers, under license by the United States Postal Service. The EPM can be used to
Michael Chesbro
33
Cyber-Security Toolbox
verify the authenticity of a document or file sent electronically, and provides trusted proof of content as
of a specific point in time.
EPMs issued by an authorized EPM service provider are stored in their repositories and available for
verification for a period of up to seven years from the date of issuance. The USPS serves as the backup
verifier for all EPMs issued by any of the authorized providers of the USPS EPM service.
Use AKO/DKO IM & Chat
Many of us use IM & Chat program to talk with friends and colleagues on-line. When chatting
on-line with military members (or any other person with AKO/DKO access) you can secure your
conversation by using the AKO/DKO IM Client. All IM communications via AKO/DKO IM are
made via an encrypted channel (SSL). This includes IM's between AKO/DKO users and IM's
between AKO/DKO and Navy and Air Force IM users also.
You can access IM from the AKO/DKO homepage by clicking the IM button. You can also
download the AKO/DKO IM Client and install it on your home computer… running it as a standalone program.
Enable Secure Logon (CTRL+ALT+DELETE )
(From the Help File) It's important to keep your computer as secure as possible. One way to do so is to
enable secure logon so that you are required to press CTRL+ALT+DELETE to log on. Using secure logon
provides an additional layer of security for your computer by ensuring that the authentic Windows logon
screen appears. When secure logon is enabled, no other program (such as a virus or spyware) can
intercept your user name and password as you enter it.
Click to open Advanced User Accounts. If you are prompted for an administrator password or
confirmation, type the password or provide confirmation.
Michael Chesbro
34
Cyber-Security Toolbox
Click the Advanced tab, select the Require users to press Ctrl+Alt+Delete check box, and then click OK.
(From: http://support.microsoft.com/kb/308226)
To Enable or Disable the CTRL+ALT+DELETE Sequence
1. Click Start, click Control Panel, and then click User Accounts.
2. Click the Advanced tab.
3. In the Secure logon section, select or clear the Require users to press Ctrl+Alt+Delete check box.
Note If the Advanced tab is not available, click Start, click Run, type control userpasswords2, and then
click OK.
The Advanced tab is not available under certain conditions. For example, if you are a restricted user, the
Advanced tab is not available. For more information, click the following article number to view the
article in the Microsoft Knowledge Base:
306992 (http://support.microsoft.com/kb/306992/ ) How to manage stored user names and passwords
on a computer in a domain in Windows XP
* Disabling the CTRL+ALT+DELETE sequence creates a "security hole." The CTRL+ALT+DELETE sequence
can be read only by Windows, ensuring that the information in the ensuing logon dialog box can be read
only by Windows. This can prevent rogue programs from gaining access to the computer.
* If a Windows XP-based computer is part of a domain, domain-wide policies may have been set that
override the settings you make on the local computer.
* On MS-DOS-based computers (and some older UNIX-based systems), pressing CTRL+ALT+DELETE
gains the attention of the BIOS, causing a "warm" reboot. You can use the keyboard to shut down the
operating system. On Windows-based computers (starting with Microsoft Windows NT), the
CTRL+ALT+DELETE sequence is intercepted by Windows. The advantage of the keystroke-intercept
technique is to help prevent Windows from being shut down by someone who does not have access to
do so.
Michael Chesbro
35
Cyber-Security Toolbox
Cellular Telephones and PDAs
Cell-Phone Security Tips:
1 - Protect your phone like the valuable item it is. Even if the cost of
the phone itself is relatively inexpensive, the value of the
information stored on the phone can be considerable.
2 - Restrict access to your phone with a PIN or password. There are
three types of value associated with your phone: the cost of the
physical device itself, the value of the cell-phone service (i.e. making
calls), and the value of the information stored on the phone (all of
your contacts and personal information). Requiring a PIN or
password to access your phone helps protect against theft of your
cell-phone service and personal information.
3 - Write down the make and model of your phone, your phone
number, SIM number and/or IMEI number, and the contact
information for your service provider. If your phone is ever lost or
stolen you will need this information to quickly deactivate the phone
and report it stolen to the police.
4 - Make a back-up of the information stored on your phone. If your phone allows you to easily save
your data to your home computer, great! If not, at least write down your most important contact
numbers and similar information and store it safely away from your phone.
5 - Be sure you understand what liability you face if someone steals your phone and starts running up a
bill. Arrange with your cellular service provider for a maximum bill amount, after which they decline
service until the bill is paid. Perhaps you will set the limit at double your average monthly bill. This will
allow you to increase your usage when necessary, but will prevent a $20,000.00+ cell-phone bill if
someone runs up unauthorized charges. (Huffington Post, 2009)
6 - Consider anti-theft and recovery software for your phone. Services such as iHound
https://www.ihoundsoftware.com/, Theft Aware http://www.theftaware.com/, and Gadget Trak
http://www.gadgettrak.com/provide software that can help you recover a lost phone.
=====
Guidelines on Cell Phone and PDA Security: Recommendations of the National Institute of Standards
and Technology (October 2008) - http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly
mobile workforce. Small and relatively inexpensive, these devices can be used for many functions,
Michael Chesbro
36
Cyber-Security Toolbox
including sending and receiving electronic mail, storing documents, delivering presentations, and
remotely accessing data. While these devices provide productivity benefits, they also pose new risks to
organizations.
This document provides an overview of cell phone and PDA devices in use today and offers insights into
making informed information technology security decisions on their treatment. The document gives
details about the threats and technology risks associated with the use of these devices and the available
safeguards to mitigate them. Organizations can use this information to enhance security and reduce
incidents involving cell phone and PDA devices.
US CERT
Cyber Security Tip ST06-007 - Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html
Cyber Security Tip ST05-017 - Cybersecurity for Electronic Devices
http://www.us-cert.gov/cas/tips/ST05-017.html
Cyber Security Tip ST04-020 - Protecting Portable Devices: Data Security
http://www.us-cert.gov/cas/tips/ST04-020.html
Zfone
Zfone™ http://zfoneproject.com/ is a new secure VoIP
phone software product which lets you make encrypted
phone calls over the Internet. Its principal designer is Phil
Zimmermann, the creator of PGP, the most widely used
email encryption software in the world.
Zfone uses a new protocol called ZRTP, which is better
than the other approaches to secure VoIP, because it
achieves security without reliance on a PKI, key
certification, trust models, certificate authorities, or key
management complexity that bedevils the email
encryption world. It also does not rely on SIP signaling for
the key management, and in fact does not rely on any
servers at all. It performs its key agreements and key
management in a purely peer-to-peer manner over the
RTP media stream. It interoperates with any standard SIP
phone, but naturally only encrypts the call if you are
Michael Chesbro
37
Cyber-Security Toolbox
calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public
standard, to enable interoperability of SIP endpoints from different vendors. Zfone is available as a
universal "plugin" for a wide variety of existing VoIP clients, effectively converting them into secure
phones. It's also available as an SDK to allow VoIP product vendors to integrate encryption into their
products.
Zfone:





Doesn't depend on signaling protocols, PKI, or any servers at all. Key negotiations are purely
peer-to-peer through the media stream
Interoperates with any SIP/RTP phone, auto-detects if encryption is supported by other
endpoint
Available as a "plugin" for existing soft VoIP clients, effectively converting them into secure
phones
Available as an SDK for developers to integrate into their VoIP applications
Submitted to IETF as a proposal for a public standard, and source code is published
A public beta release of the Zfone software is available for download for Windows, Mac OS X, or Linux.
Vumber - Virtual Phone Number
A Vumber http://www.vumber.com/ is a virtual phone number – now you can have two numbers on a
single phone.
With Vumber, choose any area code you want and link it to your home, cell, or work phone. When
someone calls your Vumber, it will ring on your phone without ever revealing your private phone
number and you control how to handle the call; you can:
a) answer it;
b) send them to Vumber voicemail or Vumbermail as we call it;
c) give them a busy signal;
d) tell them the number is out of service; or…
e) play them a custom message you create.
Vumber lets you keep your phone number private, which means unequaled privacy protection. And it’s
not limited to a pre-defined one-to-one calling relationship like you sometimes see out there; it’s as
simple as having another phone number. Even simpler; Vumber puts you in total control of your
communications and your identity.
Michael Chesbro
38
Cyber-Security Toolbox
Most importantly, you can call “from” your Vumber, too. Just dial your Vumber, and then dial the
number and your Vumber will show up on their caller ID. It’s that easy. It’s simple and instant to use.
With Vumber, you get a flexible, privacy-protected, portable, disposable telephone number and a
private Vumbermail voice mailbox. And don’t worry... You still have your existing numbers, and you can
still call and get calls from them. But now you also have a number with total control - your Vumber.
Google Voice
Google Voice http://www.google.com/voiceis a telecommunications service by Google launched on
March 11, 2009. The service provides a US phone number, chosen by the user from available numbers in
selected area codes, free of charge to each user account. Inbound calls to this number are forwarded to
other phone numbers of the subscriber. Outbound calls may be placed to domestic and international
destinations by dialing the Google Voice number or from a web-based application. Inbound and
outbound calls to US (including Alaska and Hawaii) and Canada are free of charge. International calls are
billed according to a schedule posted on the Google Voice website.
Google Voice with a Google number







Use one number to manage all your phones; your Google Voice number is tied to you, not to a
particular device or location.
Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and
search through them
Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to
you via email and/or SMS.
Customize your callers' experience (custom voicemail greetings, decide which of your phones
ring based on who's calling, send some callers straight to voicemail, etc.)
Define which phones ring, based on who's calling, and even ListenInTM on voicemail before
answering the call. We use smart technology to route your calls. So, if you're already on a
Google Voice call, we'll recognize it and use call waiting to reach you on the phone you're on.
Works with mobile phones, desk phones, and work phones. There's nothing to download,
upload, or install, and you don't have to make or take calls using a computer.
International calling: Make low priced international calls from the web or from your phone.
Google Voice with your non-Google phone number
With this option you won't get some features (i.e. call forwarding, screening, and call recording), but
you'll still get plenty of others, including:

Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and
search through them
Michael Chesbro
39
Cyber-Security Toolbox



Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to
you via email and/or SMS.
Custom voicemail greetings: Customize your voicemail greeting based on who is calling.
International calling: Make low priced international calls from the web or from your phone.
Whisper Systems (Apps. for the Android Operating System)
http://www.whispersys.com/
RedPhone 0.4
Encrypted voice for your smartphone.
RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody
can listen in. It's easy to use, and functions just like the normal dialer you're accustomed to. RedPhone
uses your normal mobile number for addressing, so there's no need to have yet another identifier or
account name; if you know someone's mobile number you know how to call them using RedPhone. And
when you receive a RedPhone call your phone will ring just like normal, even if it is asleep.
TextSecure 0.5
Encrypted texts for your smartphone.
TextSecure is a drop-in replacement for the standard text messaging application, allowing you to send
and receive text messages as normal. All text messages sent or received with TextSecure are stored in an
encrypted database on your phone, and text messages are encrypted during transmission when
communicating with someone else also using TextSecure.
TOR
http://www.torproject.org/
Tor is an encryption tool that can help you protect the confidentiality of your communications. Tor is a
free, relatively easy to use tool primarily designed to protect your anonymity online. But it also has the
side benefit of encrypting your communications for some of their journey across the Internet.
Michael Chesbro
40
Cyber-Security Toolbox
Tor protects you by bouncing your communications around a distributed network of relays run by
volunteers all around the world: it prevents somebody watching your Internet connection from learning
what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works
with many of your existing applications, including web browsers, instant messaging clients, remote
login, and other applications based on the TCP protocol.
Google Encrypted Search
https://encrypted.google.com/
With Google search over SSL, you can have an end-to-end encrypted search solution between your
computer and Google. This secured channel helps protect your search terms and your search results
pages from being intercepted by a third party. This provides you with a more secure and private search
experience.
To use search over SSL, visit https://encrypted.google.com each time you perform a search. Note that
only Google web search is available over SSL, so other search products like Google Images and Google
Maps are not currently available over SSL. When you're searching over SSL, these properties may not
appear in the left panel.
Here's how searching over SSL is different from regular Google search:



SSL encrypts the communication channel between Google and a searcher's computer. When
search traffic is encrypted, it can't be read by third parties trying to access the connection
between a searcher's computer and Google's servers. Note that the SSL protocol does have
some limitations — more details are below.
As another layer of privacy, SSL search turns off a browser's referrers . Web browsers typically
turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on
a search result that takes you to an HTTP site, you could disable any customizations that the
website provides based on the referrer information.
At this time, search over SSL is supported only on Google web search. We will continue to work
to support other products like Images and Maps. All features that are not supported have been
removed from the left panel and the row of links at the top. You'll continue to see integrated
results like images and maps, and clicking those results will take you out of encrypted search
mode.
Michael Chesbro
41
Cyber-Security Toolbox

Your Google experience using SSL search might be slightly slower than you're used to because
your computer needs to first establish a secure connection with Google.
Note that SSL search does not reduce the data that Google receives and logs when you search, or
change the listing of these terms in your Web History
How will SSL search affect content filtering services?
When searches are conducted using https://encrypted.google.com, those searches will bypass any
content filters that are in place on your network.
HTTPS Everywhere
https://www.eff.org/https-everywhere
Michael Chesbro
42
Cyber-Security Toolbox
Google Account 2-step verification
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284
Using 2-step verification will help prevent strangers from accessing your account with just a stolen
password. When you sign in with 2-step verification, you'll verify your identity using both a password
and a code that you receive on your phone.
2-step verification adds an extra layer of security to your Google Account by requiring you to have
access to your phone – as well as your username and password – when you sign in. This means that if
someone steals or guesses your password, the potential hijacker still can't sign in to your account
because they don't have your phone.
Temporary / Disposable E-mail Addresses





TempE-Mail (Address expires in 14 days) - http://www.tempemail.net/
10 Minute Mail - http://10minutemail.com/10MinuteMail/index.html
Trashmail - https://ssl.trashmail.net/
Mailinator - http://www.mailinator.com/
Jetable - http://www.jetable.org/en/index
Anonymous E-mail
Michael Chesbro
43
Cyber-Security Toolbox





http://www.sendanonymousemail.net/
http://deadfake.com/Send.aspx
https://www.silentsender.com/
http://send-email.org/
http://anonymouse.org/
EPIC Online Guide to Practical Privacy Tools
http://epic.org/privacy/tools.html
NIST Computer Security Division
Computer Security Resource Center
http://csrc.nist.gov/
US CERT Cyber Security Tips
http://www.us-cert.gov/cas/tips/
NSA - CSS Cyber Security Factsheets
http://www.nsa.gov/ia/guidance/security_configuration_guides/fact_sheets.shtml
Michael Chesbro
44
Cyber-Security Toolbox
Report Cyber-Crime
Report Phishing - http://www.us-cert.gov/nav/report_phishing.html
Report A Computer Security Incident - https://forms.us-cert.gov/report/
File a Cyber-Complaint On-line - http://www.onguardonline.gov/file-complaint.aspx
Internet Crime Complaint Center - http://www.ic3.gov/complaint/default.aspx
Federal Trade Commission Complaint Assistant - https://www.ftccomplaintassistant.gov/
Michael Chesbro
45