
Cyber-Security Toolbox

Compiled by: Michael Chesbro, June 2011, Edition 3

The Cyber-Security Toolbox contains several security techniques and programs that can be employed by the individual user to make his or her electronic information and electronic communications more secure. The Cyber-Security Toolbox is compiled from multiple open sources, and system help files. This document is a compilation of data obtained from the links given herein, and is intended to aid users in establishing a more secure ‘cyber-environment’.

Every bit of cyber-security we use makes it that much more difficult for hackers, spies, criminals and other adversaries to access our electronic systems, steal our information, or disrupt our operations.

Michael Chesbro



Table of Contents

- Encrypt an e-mail message in Microsoft Office Outlook 2007
- Digital Certificates
- Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files
- Use Encryption Wizard (EW) to Secure Your Files
- JavaScrypt: Browser-Based Cryptography
- Pretty Good Privacy (PGP)
- Hushmail
- Ironkey
- Create a Secure Computing Environment with Lightweight Portable Security
- Puppy Linux
- TrueCrypt - Free open-source disk encryption software
- Install Anti-Virus Software on Your Home Computer
- Participate in IA Education, Training and Awareness Programs
- Use Your DoD CAC At Home
- Use the Password Function in Microsoft Office to Protect Your Documents
- Use a Secure Erase Utility to Destroy Electronic Data
- Use Strong Passwords
- Store Your Passwords in a Password Safe
- Protect Data-At-Rest (DAR) – Enable Microsoft Encrypting File System
- United States Postal Service Electronic Postmark
- Use AKO/DKO IM & Chat
- Enable Secure Logon (CTRL+ALT+DELETE)
- Cellular Telephones and PDAs
- Zfone
- Vumber - Virtual Phone Number
- Google Voice
- Whisper Systems (Encrypted voice and texts for your Android Smartphone)
- TOR
- Google Encrypted Search
- Google Account 2-step verification
- Temporary / Disposable E-mail Addresses
- EPIC Online Guide to Practical Privacy Tools
- NIST Computer Security Division - Computer Security Resource Center
- US CERT Cyber Security Tips
- NSA - CSS Cyber Security Factsheets
- Report Cyber-Crime



Encrypt an e-mail message in Microsoft Office Outlook 2007

Encrypting an e-mail message in Microsoft Office Outlook 2007 protects the privacy of the message by converting it from readable plaintext into ciphered (scrambled) text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message.

Encrypt a single message
1. In the message, on the Message tab, in the Options group, click the Encrypt Message Contents and Attachments button.
2. Compose your message and send it.

Encrypt all messages
1. On the Tools menu, click Trust Center, and then click E-mail Security.
2. Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box.
3. To change additional settings, such as choosing a specific certificate to use, click Settings.
4. Click OK twice.

3DES is the default encryption algorithm. Outlook uses the RC2 algorithm by default when running on a 40-bit operating system that does not have 128-bit encryption capabilities. Encryption strength is no longer restricted by the United States government.

In order to send encrypted messages over the Internet, you need to exchange certificate files (.cer file) with the recipient. You can do this in a number of ways. For example:
- Send a digitally signed message. The recipient adds your e-mail name to Contacts and in doing so, also adds your certificate.
- Send an e-mail message with your .cer file attached or send the .cer file on a disk / CD-ROM. The recipient can import the .cer file into your contact card.
- Create a contact card with your .cer file, and send the contact card.
- Post the certificate on a share that is available to the other person.
- Publish your certificate to an LDAP (Lightweight Directory Access Protocol: a protocol that provides access to Internet directories) directory or another directory that is available to the other person.
- If your system administrator has set up security for your network using Microsoft Exchange, it is not necessary to swap certificates.

Digital Certificates

Digital ID A Brief Overview - http://www.verisign.com/static/005326.pdf
VeriSign Class 1 Digital ID for Microsoft Internet Explorer - https://digitalid.verisign.com/client/class1MS.htm
Comodo Digital Certificate - http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Comodo's Free Email certificates allow you to use the digitally sign and encrypt features built into your personal email client to authenticate and secure your email communications. This allows recipients of your emails to confirm your identity and ensure that the email you sent was not modified during transmission. It is also simple to fully encrypt your communications to prevent unauthorized viewing.

GlobalSign Digital ID - http://www.globalsign.com/authentication-secure-email/digital-id/

GlobalSign offers a range of PersonalSign (Digital IDs issued to people) with varying trust levels. Digital IDs can be used to access online Government services to submit declarations electronically, authenticate you to SSL VPNs, and secure email by digitally signing and encrypting email using applications such as Microsoft Outlook or other S/MIME email software. The same Digital ID can also digitally sign Microsoft Office documents. By digitally signing a document or email, you can confirm that you are the originator of the document / email and help prove that the document / email has not changed since the time you signed it.

Use Safe Access File Exchange (SAFE) to Securely Exchange Large Files

The AMRDEC Safe Access File Exchange (SAFE) application is for securely exchanging UNCLASSIFIED / FOUO files. Since many organizations that do business within the Army limit the size of attachments that can be sent via email, the SAFE applications were created as alternative file-sharing methods to email and FTP.
- Any format of file(s), including a .zip file, may be sent to anyone with a valid email address
- Virus protection provided
- SAFE servers are less susceptible to worms or other email viruses

Files of up to 2GB in size may be transferred through SAFE, but the actual size is dependent on various factors such as connection speed, the network's congestion, and various other determinants.

How Secure is SAFE? SAFE uses the SSL (Secure Socket Layer) protocol--128-bit encryption--when a file is uploaded and downloaded. The SAFE server uses Department of Defense PKI certificates for identification and encryption. Users should be aware, however, that the limited-use PIN that users receive to access a file in SAFE is sent via email. Therefore the PIN is only as safe as your email system. Since this system was designed as an alternative to simply attaching the file to an email anyway, this is acceptable.

AMRDEC SAFE - https://safe.amrdec.army.mil/SAFE/

Use Encryption Wizard (EW) to Secure Your Files

Encryption Wizard (EW) provides a user-friendly, single window interface to encrypt any type of file on nearly any computer or media. EW is an SPC implementation of the Advanced Encryption Standard (AES) (Rijndael) augmented with a file manager Graphical User Interface (GUI) for ease of use. To encrypt files or directories, simply drag them into the EW window, press Encrypt, and enter a passphrase and/or use a PKI certificate. EW can also create encrypted (and optionally compressed) archives of files and directories. The 128-bit encryption/decryption algorithm used by Encryption Wizard is considered cryptographically strong and is routinely used in National Security Agency (NSA) and National Institute of Standards and Technology (NIST) certified products. Encryption Wizard is designed to protect data at rest and in transit (such as email attachments).

Free Public Version - Download now from http://spi.dod.mil/ewizard.htm

Free FIPS Version - This restricted version uses a FIPS 140-2 validated encryption module from RSA for use by the federal government and its contractors. Encrypted files are compatible with the public version. To obtain the FIPS version or customize for your enterprise, contact the Software Protection Initiative.

Fast, Easy-to-Use Protection - Quickly and easily protect your important data inside and outside your organization with drag-and-drop.

Cryptographically Strong - Encryption Wizard protects data on your network, while stored on media, and during transmission across the Internet using a FIPS 140-2 validated module. 128-bit AES encryption, SHA-256 hashes, and RSA digital signatures meet DoD requirements for transmitting and storing critical unclassified information.

Enterprise Ready - Encryption Wizard aims to protect data wherever stored and however transmitted between dissimilar networks, platforms, and operating systems for a broad range of users. Optional command line interface permits scripting of data protection. Installation packages available for common enterprise software distribution systems. Listed on the Air Force Enterprise Products List. Escrow keys can be embedded for use in your enterprise. EW complements Data-at-Rest products for defense-in-depth and granular control.

System Requirements
- Java Runtime Environment SE, v1.5 (or newer)
- Administrator access not required for installation

JavaScrypt: Browser-Based Cryptography

JavaScrypt: Browser-Based Cryptography (http://www.fourmilab.ch/javascrypt/) is "a collection of Web pages and programs in the JavaScript language [that] perform military-grade encryption (256 bit secret key AES) entirely within your Web browser--you needn't download nor install any software, and nothing is sent to any Web site when you encrypt or decrypt a message. You can download the page source and JavaScript programs to your own computer and use them even when not connected to the Internet. Companion pages provide a text-based steganography facility and key generator suitable for preparing one-time key lists." An advantage of the JavaScrypt: Browser-Based Cryptography program is that its "lite" version is very small (32 KB) and can be stored in a web-based e-mail program (i.e. attach it to an e-mail and send it to yourself) or accessed on-line from the Fourmilab website, thus allowing one to encrypt sensitive communications from any computer which can access your web-based e-mail.

Pretty Good Privacy (PGP)

Pretty Good Privacy or PGP is an encryption program developed by Phil Zimmermann and published in 1991. It was one of the first public-key encryption programs available to the general public, and has today become the "unofficial standard" for encryption of e-mail and personal communication on the Internet. PGP uses public key encryption. It has one key (a public key) for encryption and a second key (a private key) for decryption. Thus when using PGP you give your public key to everyone, add it to key servers, and maybe even publish it on the Internet, but you keep your private key secret and secure, thereby ensuring that while anyone can encrypt a message and send it to you, only you can decrypt and read that message. With PGP installed on your computer you can encrypt a message to any person whose public key you possess. However, the only way to then decrypt that message is to possess the associated private key.

People who use PGP on a regular basis will often publish their PGP public key to a "key server". A key server is simply a site where you can search for a person's public key and post your own public key for others to use. PGP key servers are run by several groups and organizations, but some of the major key servers can be found on-line at:
- MIT PGP Public Key Server - http://pgp.mit.edu/
- PGP Corporation Public Key Server - http://keyserver.pgp.com/
- University of Mainz (Germany) Public Key Server - http://pgp.uni-mainz.de/

If you use PGP you could visit any one of these PGP key servers and locate the author's PGP public key. This would give you a way to securely contact the author of this book without first having met him or otherwise exchanged any type of encryption key. If you included a copy of your own PGP public key in your e-mail, or if your PGP public key was posted to the key server, you could receive an encrypted reply to your e-mail, a reply that only you could read.

PGP is available for most operating platforms and systems, and is available as freeware from the PGP International site at: http://www.pgpi.org/. Gnu Privacy Guard (GnuPG) is a PGP compatible free implementation of the OpenPGP standard, developed 1999. GnuPG is available on-line at: http://www.gnupg.org/.

Hushmail - https://www.hushmail.com/

Hushmail is a secure web-based free email service. Hushmail looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.

Key features
- Easy-to-use web-based email
- Standards-compliant encryption
- Works on iPhone and BlackBerry
- Optional Outlook integration

The free Hushmail account is limited to 2MB of storage space. Storage of up to 10GB is available for $49.98 per year.

Ironkey - https://www.ironkey.com

Your identity and personal data are too valuable to risk. IronKey Personal keeps you protected with military-grade encryption and easy-to-use identity management. The result of extensive R&D and the collaboration of some of the world's leading experts in cryptography and the Internet, IronKey is the world's most secure flash drive. IronKey Personal comes loaded with a secure private browser that lets you surf anonymously and protects your passwords whenever you go online. IronKey Personal simplifies your digital lifestyle while giving you added peace of mind.

Ironkey Datasheet: https://www.ironkey.com/files/datasheets/ironkey-personal-s200.pdf

Create a Secure Computing Environment with Lightweight Portable Security - http://spi.dod.mil/lipose.htm

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD without mounting a local hard drive. Administrator privileges are not required; nothing is installed. SPI created the LPS family to address particular use cases. LPS-Public is a safer, general-purpose solution for using web-based applications. The accredited LPS-Remote Access is only for accessing your organization's private network. LPS-Public allows general web browsing and connecting to remote networks. It includes a CAC-enabled Firefox browser, a PDF and text viewer, Java, and Encryption Wizard - Public (http://www.spi.dod.mil/ewizard_down.htm).

LPS-Public turns an un-trusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer. Simply plug in your USB CAC-reader to access CAC-restricted DoD websites. To get started, download the LPS-Public ISO image and burn it to a CD.

Puppy Linux - http://puppylinux.org

Linux is a free operating system, and Puppy Linux is a special build of Linux meant to make computing easy and fast. Puppy Linux also enables you to save money while doing more work, even allowing you to do magic by recovering data from destroyed PCs or by removing malware from Windows.
- Easy - Just use a CD or USB flash to boot a PC. Puppy Linux is downloadable as ISO, an image that can be burned to CD or DVD.
- Fast - Because Puppy is small, it can live in your PC's memory and be ready to quickly execute your commands, whereas in other systems, programs are first read from drive storage before being executed.
- Save Money - Even if your PC has no hard disk (ex. broken hard disk), you can still boot Puppy via CD or USB and continue working. Old PCs that no longer work with new systems will still work good-as-new with Puppy.
- Do More - Puppy boots in less than a minute, even in old PCs, and it does not require antivirus software. Administering Puppy is quick and minimal. With Puppy, you just have to take care of your data, which you can easily save to USB flash (Then forget about your operating system!). Your data can be read by other computers.
- Do Magic - Help your friends suffering from computer malware by booting Puppy and removing malware from their PC (use antivirus that is built-in or can be installed in Puppy). Example - a bad Autorun.inf is easily removed by Puppy (Just delete it as well as its companion exe program). If your friend thinks that she has lost data from her corrupted hard disk, boot Puppy and try saving her data!
- Carry Anywhere (Portable) - Because Puppy is able to live in CD/DVD or USB flash, you can carry your programs and data with you, as well as save data to these same devices. With Puppy, you can carry your programs and data anywhere.

Are you now ready for Puppy? Keep these important reminders before using Puppy:
- You don't have to install Puppy (to hard disk) to use it. Simply burn the ISO to CD/DVD and boot the PC or laptop with it. Once booted, you can then install it to USB flash (see the Setup menu), so you can use it for booting the PC when a CD is not available.
- You don't have to save data to hard drive to work with Puppy. You can save data to USB flash or even to Internet storage (like www.drop.io). You can use the same USB flash (where Puppy is installed) for saving data. When installed to USB flash, you can carry your programs and data with you.
- Puppy consumes only a little over 100 MB, or about 256 MB with OpenOffice.

TrueCrypt - Free open-source disk encryption software - http://www.truecrypt.org

Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume. Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for TrueCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let's suppose that there is an .avi video file stored on a TrueCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the TrueCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small initial portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, TrueCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading the next small portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types, not only for video files.

Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again, you have to mount the volume (and provide the correct password and/or keyfile).

A beginner's tutorial to TrueCrypt is available here: http://www.truecrypt.org/docs/tutorial
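The media-player walk-through above, reduced to code as an added illustration (this is not TrueCrypt's own code). TrueCrypt uses XTS-mode AES, which the Python standard library lacks, so a counter-mode stream cipher built from HMAC-SHA256 stands in for it; the sample "video", the salt and the password are constructed for the example. What it shows is the property the text describes: each block decrypts independently, so a reader pulls one chunk at a time out of the volume and no plaintext ever reaches the backing "disk".

```python
"""On-the-fly (transparent) volume encryption, reduced to its core idea."""
import hashlib
import hmac
import io

BLOCK = 32  # bytes of keystream per counter value (HMAC-SHA256 output size)


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the user's password into a volume key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def keystream_block(key: bytes, salt: bytes, index: int) -> bytes:
    """Keystream for block `index`: HMAC(key, salt || index). Any block can be
    regenerated on demand, which is what makes random access possible."""
    return hmac.new(key, salt + index.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_range(key: bytes, salt: bytes, data: bytes, offset: int) -> bytes:
    """XOR `data`, which sits at absolute byte `offset` in the volume, with the
    matching keystream. Encryption and decryption are the same operation, and
    only the blocks overlapping [offset, offset + len(data)) are derived."""
    out = bytearray()
    pos = 0
    while pos < len(data):
        block_index, block_off = divmod(offset + pos, BLOCK)
        ks = keystream_block(key, salt, block_index)
        n = min(BLOCK - block_off, len(data) - pos)
        out += bytes(a ^ b for a, b in zip(data[pos:pos + n], ks[block_off:block_off + n]))
        pos += n
    return bytes(out)


class EncryptedVolume:
    """Minimal mounted volume: encrypt on write, decrypt on read, ciphertext
    only on the backing store (a BytesIO standing in for the disk)."""

    def __init__(self, key: bytes, salt: bytes):
        self.key, self.salt = key, salt
        self.disk = io.BytesIO()

    def write_at(self, offset: int, plaintext: bytes) -> None:
        self.disk.seek(offset)
        self.disk.write(xor_range(self.key, self.salt, plaintext, offset))

    def read_at(self, offset: int, length: int) -> bytes:
        self.disk.seek(offset)
        return xor_range(self.key, self.salt, self.disk.read(length), offset)


# Constructed stand-in for the .avi file from the text: ~300 KB of known bytes.
SAMPLE_VIDEO = (b"FRAME" + bytes(range(256))) * 1150
SALT = b"constructed-volume-salt-"  # per-volume value kept in the clear


def mount_and_play(password: bytes, video: bytes, chunk: int = 65536) -> dict:
    """Store `video` in a fresh volume, then read it back the way a media
    player would: one small chunk at a time, each decrypted in RAM on its own."""
    vol = EncryptedVolume(derive_key(password, SALT), SALT)
    vol.write_at(0, video)  # encrypted before it reaches the "disk"

    chunks_total = chunks_ok = 0
    for off in range(0, len(video), chunk):
        piece = vol.read_at(off, chunk)  # only this piece is ever in the clear
        chunks_total += 1
        if piece == video[off:off + chunk]:
            chunks_ok += 1

    # Seeking into the middle of the file needs none of the earlier chunks.
    random_ok = vol.read_at(123_456, 1000) == video[123_456:124_456]
    # The backing store never holds plaintext, even after a full playback.
    leaked = video[:64] in vol.disk.getvalue()
    # A wrong password yields keystream garbage, not a readable file.
    bad = EncryptedVolume(derive_key(b"wrong " + password, SALT), SALT)
    bad.disk = vol.disk
    wrong_ok = bad.read_at(0, 4096) == video[:4096]

    return {"chunks_total": chunks_total, "chunks_ok": chunks_ok,
            "random_access_ok": random_ok, "plaintext_on_disk": leaked,
            "wrong_password_reads_ok": wrong_ok}


if __name__ == "__main__":
    print(mount_and_play(b"correct horse battery", SAMPLE_VIDEO))
```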

Install Anti-Virus Software on Your Home Computer

To help protect your home and personal computers, the DoD Antivirus Software License Agreement with McAfee and Symantec allows active DoD employees to utilize the antivirus software for home use. Home use of the antivirus products will not only protect personal PCs at home, but will also potentially lessen the threat of employees bringing malicious logic into work and compromising DoD networks. To obtain a copy of the free anti-virus software provided by the DOD, visit https://www.cert.mil (DoD PKI CAC Card Required).

For individuals who do not have DoD PKI to access the above software, there are other free anti-virus programs available:
- AVG Free Anti-Virus Software - http://free.avg.com/us-en/homepage
- Avast Free Anti-Virus Software - http://www.avast.com/free-antivirus-download
- Microsoft Security Essentials - http://www.microsoft.com/security_essentials/
- Panda Cloud Antivirus Free Edition - http://www.cloudantivirus.com/en/
- Trend Micro HouseCall - http://housecall.trendmicro.com/

Participate in IA Education, Training and Awareness Programs

The DISA Information Assurance Support Environment (http://iase.disa.mil/eta/) provides a variety of free, on-line IA education, training, and awareness programs. IA training helps to ensure that the privacy, reliability, and integrity of our information systems remain intact and secure.

Information Assurance Fundamentals Training - https://ia.signal.army.mil/IAF/default.asp

This course provides individuals an understanding of the information systems security policies, roles, responsibilities, practices, procedures, and concepts necessary to perform the functions of an Information Assurance Security Officer (IASO). The lessons presented will aid the IASO in developing an effective security approach and in selecting cost-effective controls to meet the requirements of laws, directives, and regulations.

- Lesson 1 - Army Information Assurance Program (AIAP)
- Lesson 2 - Federal Laws, DoD Regulations and Policies
- Lesson 3 - Army Regulations and Policies
- Lesson 4 - Army Information Assurance Training Program
- Lesson 5 - Network/Hacker Threats

- Lesson 6 - Malware
- Lesson 7 - Physical Security
- Lesson 8 - Risk Assessment and Management
- Lesson 9 - Security Incident and Response Planning
- Lesson 10 - Continuity of Operations (COOP)
- Lesson 11 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
- Lesson 12 - Wireless Security
- Lesson 13 - Intrusion Detection Systems (IDS) and Auditing
- Lesson 14 - Firewalls and Perimeter Defense
- Lesson 15 - Encryption and Common Access Cards (CAC)
- Lesson 16 - Legal

InfraGard Awareness Information Security Awareness Course - https://www.infragardawareness.com/index.php

The InfraGard Awareness Information Security Awareness course is FREE to all individuals and small businesses with 50 or fewer employees. This training will help you and your employees understand how to help make your workplace more secure. It will also teach you vital skills to protect yourself and your family from cybercrime and identity theft. The course is divided into 13 lessons. The time of each lesson ranges from approximately three to nine minutes long. The total time for the entire course is approximately 90 minutes.

The first part of the course focuses on the key behavioral challenges, including:
- helping employees make a personal connection with cybercrime and workplace security
- understanding who commits these crimes and what their motives are
- understanding why exploiting predictable employee behavior is critical to committing these crimes
- why modifying personal behavior can be so powerful in preventing these crimes.

The second part of the course focuses on security best practices and policies, and on how they contribute to behavioral change and better workplace security. It addresses all the key security vulnerabilities, including web and e-mail use, passwords, social engineering, virus management, data protection, security outside the office, personal workspace security and more.

Standard lessons include:

- Pre-Lesson Course Welcome and Overview
- Lesson 1: The Impact of Cybercrime and Identity Fraud
- Lesson 2: Today's Threats
- Lesson 3: How Employee Behavior is Exploited
- Lesson 4: Strong Passwords Increase Security
- Lesson 5: Understanding and Recognizing Social Engineering
- Lesson 6: Email Best Practices
- Lesson 7: Protecting Against Viruses, Spyware and Spam
- Lesson 8: Protecting Your Personal Workspace
- Lesson 9: Security You Can Live With
- Lesson 11: Protecting the Workplace from Identity Fraud
- Lesson 12: Risks and Acceptable Uses of Electronic Resources
- Lesson 13: Secure Use of Networks

DHS/FEMA Certified Cyber Security Training is available through the TEEX Domestic Preparedness Campus at: http://www.teexwmdcampus.com/index.k2

Software Engineering Institute's Virtual Training Environment (VTE) - https://www.vte.cert.org

VTE provides high-fidelity e-learning delivered right to your Web browser, which means that VTE combines three unique capabilities:
- On-demand lecture in the form of video, audio presentations, and demonstrations
- Hands-on lab environments
- A learning management system to manage enrollments and track progress

Use Your DoD CAC At Home

Step 1 - You will need to obtain a CAC Reader. This can be issued, or you may choose to buy one. The following links are for CAC readers available from Amazon.Com:
- SCM SCR3310 USB Smart Card Reader Common Access CAC ID DOD
- SCM SCR331 - SMART card reader - USB

Step 2 - Go to http://militarycac.com and follow the instructions to download DoD Certificates and ActivClient.

Using your DOD CAC from home allows you to quickly log in to AKO / DKO, add or sponsor guests, change your password, and avoid the KBA questions. Be sure your CAC is registered with AKO / DKO: http://help.us.army.mil/cgibin/akohd.cfg/php/enduser/std_adp.php?p_faqid=264&p_sid=f1lawh*j&p_lva=95

Once you have your CAC set up at home, go to https://rw5.dr1.army.mil to access your office e-mail.

Use the Password Function in Microsoft Office to Protect Your Documents

To password protect a Microsoft document, workbook, or presentation (MS Word, Excel, or PowerPoint):
- Click the Microsoft Office Button, point to Prepare, and then click Encrypt Document.
- In the Encrypt Document dialog box, in the Password box, type a password, and then click OK. You can type up to 255 characters. By default, this feature uses AES 128-bit advanced encryption.
- In the Confirm Password dialog box, in the Reenter password box, type the password again, and then click OK.
- To save the password, save the file.

The default encryption algorithm is AES 128-bit. This value can be increased to AES 256-bit via a Registry entry, local security policy, or domain Group Policy. AES encryption is supported for Open XML formats used in previous versions of Microsoft Office when those documents are created in a Microsoft 2007 Office system application. However, documents saved in the older Office binary formats can only be encrypted using RC4 to maintain compatibility with older versions of Microsoft Office.

It's important to note that there are two options to add a password in Microsoft 2007 Office system documents. One option enables you to encrypt the document using a password; this is referred to as a Password to open. The second option does not use any encryption. This is referred to as the Password to modify. It is designed so you can collaborate with content reviewers you trust, but is not designed to help make the file more secure.

The level of protection provided by the AES encryption is related to the strength of the password used to protect the document. You should use complex passwords that include upper and lower case letters, numbers and symbols and that are at least 10 characters long.

Use a Secure Erase Utility to Destroy Electronic Data

Data erasure is a method of software-based overwriting that completely destroys all electronic data residing on a hard disk drive or other digital media. Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the disk unusable, data erasure removes all information while leaving the disk operable, preserving assets and the environment.

The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure. According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive." [http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf]

"Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

Secure Erase Utility - http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Center for Magnetic Recording Research - University of California, San Diego)
Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing - http://www.dban.org/
Eraser - http://eraser.heidi.ie/ and http://www.tolvanen.com/eraser/

Use Strong Passwords

The Department of Defense Password Management Guideline (CSC-STD-002-85) states: "The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used. Since many user-created passwords are particularly easy to guess, all passwords should be machine generated."

PC Tools - Secure Password Generator - http://www.pctools.com/guides/password/
The PC Tools Password Generator allows you to create random passwords that are highly secure and extremely difficult to crack or guess due to an optional combination of lower and upper case letters, numbers and punctuation symbols.

Brookhaven National Laboratory Cyber Security On-line Password Generator - https://www.bnl.gov/cybersecurity/pwgen/

Store Your Passwords in a Password Safe

A password safe is a computer program that stores your passwords in an encrypted format on your computer. You create multiple, very complex passwords and store them in the password safe. You then memorize a single complex password that grants you access to your password safe. An excellent password safe was developed by Bruce Schneier, and is now an open source project available on-line at: Password Safe - http://passwordsafe.sourceforge.net/. Another password safe is the Keepass Password Safe, available on-line at: http://keepass.info/.
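The two factors the guideline quotes, password-space size and the distribution of passwords actually used, worked through in code as an added example (not from the document or from the generators it links to). It assumes the four classes recommended in the Office password section above (upper, lower, digits, symbols drawn from the 94 printable ASCII characters) and the 10-character minimum; the exact space size uses inclusion-exclusion over the classes a string could be missing, and the generator draws uniformly from that space with the OS CSPRNG.

```python
"""Password space, single-guess probability and a machine-generated password
for a policy of four character classes and a minimum length."""
import itertools
import math
import secrets
import string

# The four classes from the text; the split into printable ASCII is an
# assumption of this example.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())   # 94 characters
MIN_LENGTH = 10


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES.values())


def policy_space(length: int) -> int:
    """Exact number of length-`length` strings over ALPHABET containing every
    class at least once: inclusion-exclusion over the set of missing classes.
    This is the "size of the password space" the guideline refers to."""
    sizes = [len(c) for c in CLASSES.values()]
    total = 0
    for k in range(len(sizes) + 1):
        for missing in itertools.combinations(sizes, k):
            total += (-1) ** k * (len(ALPHABET) - sum(missing)) ** length
    return total


def single_guess_probability(length: int) -> float:
    """A machine-generated password is uniform over the space, so the
    distribution is flat and one guess succeeds with probability 1/S."""
    return 1.0 / policy_space(length)


def entropy_bits(length: int) -> float:
    """log2 of the policy space: the guessing work the policy buys, in bits."""
    return math.log2(policy_space(length))


def generate_password(length: int = 16) -> str:
    """Machine-generated password from the OS CSPRNG. Rejection sampling keeps
    the result uniform over the policy space, which is what makes the 1/S
    figure valid; patching a weak draw into compliance would skew the
    distribution instead."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    for n in (MIN_LENGTH, 16):
        print(f"length {n}: space={policy_space(n):.3e}, "
              f"entropy={entropy_bits(n):.1f} bits, "
              f"P(one guess)={single_guess_probability(n):.2e}")
    print("example:", generate_password())
```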

http://passwordsafe.sourceforge.net/

Another password safe is the KeePass Password Safe, available on-line at: http://keepass.info/.

Protect Data-At-Rest (DAR) – Enable Microsoft Encrypting File System

Microsoft Encrypting File System (EFS) is installed as part of the Windows operating system. (http://technet.microsoft.com/en-us/library/bb457116.aspx)

Microsoft Windows Encrypting File System (EFS) enables users to encrypt individual files, folders, or entire data drives. Because EFS provides strong encryption through industry-standard algorithms and public key cryptography, encrypted files are confidential even if an attacker bypasses system security. EFS users can share encrypted files with other users on file shares and in Web folders. EFS allows users to store confidential information on a computer when people who have physical access to your computer could otherwise compromise that information, intentionally or unintentionally.

Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can install a new operating system on that computer and bypass the existing operating system's security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer's data storage.

EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drives, place the drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.
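EFS marks encryption as a per-file attribute on NTFS, and Explorer only signals it by colour, so a quick way to confirm that a folder you believe to be protected (for example one copied onto a USB stick) really carries the attribute on every file is to read the attribute bits directly. The block below is an added example for this toolbox, not Microsoft's code; the attribute constants are the documented winnt.h values, the Win32 calls GetFileAttributesW and EncryptFileW are the real API, and the function names (classify, audit, unprotected) are this example's own. The reader function is injectable so the audit logic runs anywhere; the Win32 calls themselves only work on Windows.

```python
import ctypes
import os
import sys

# Windows file-attribute bits (winnt.h). Explorer colours entries by them:
# encrypted -> green, compressed -> blue, neither -> black.
FILE_ATTRIBUTE_COMPRESSED = 0x00000800
FILE_ATTRIBUTE_ENCRYPTED = 0x00004000
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def classify(attributes: int) -> str:
    """Translate attribute bits into the state Explorer shows by colour."""
    if attributes & FILE_ATTRIBUTE_ENCRYPTED:
        return "encrypted"   # shown green
    if attributes & FILE_ATTRIBUTE_COMPRESSED:
        return "compressed"  # shown blue
    return "normal"          # shown black


def get_attributes(path: str) -> int:
    """Read the raw attribute DWORD with kernel32!GetFileAttributesW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("EFS attribute bits exist only on Windows/NTFS")
    kernel32 = ctypes.windll.kernel32
    kernel32.GetFileAttributesW.argtypes = [ctypes.c_wchar_p]
    kernel32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = kernel32.GetFileAttributesW(path)
    if attrs == INVALID_FILE_ATTRIBUTES:
        raise ctypes.WinError()
    return attrs


def encrypt_path(path: str) -> None:
    """Set the EFS attribute with advapi32!EncryptFileW (Windows only).

    Same effect as ticking "Encrypt contents to secure data" under
    Properties > Advanced. On a folder, files created in or copied into it
    afterwards are encrypted automatically. The call fails on FAT/FAT32,
    which is why a USB stick has to be converted to NTFS first.
    """
    if sys.platform != "win32":
        raise OSError("EFS is available only on Windows/NTFS")
    advapi32 = ctypes.windll.advapi32
    advapi32.EncryptFileW.argtypes = [ctypes.c_wchar_p]
    advapi32.EncryptFileW.restype = ctypes.c_int
    if not advapi32.EncryptFileW(path):
        raise ctypes.WinError()


def audit(paths, attribute_reader=get_attributes) -> dict:
    """Return {path: state} for every path. attribute_reader is injectable
    (hypothetical parameter of this example) so the logic is testable off-Windows."""
    return {p: classify(attribute_reader(p)) for p in paths}


def unprotected(paths, attribute_reader=get_attributes) -> list:
    """Paths that are NOT EFS-encrypted, i.e. readable if the drive is moved
    to another system, which is the scenario EFS is meant to defeat."""
    return [p for p, state in audit(paths, attribute_reader).items()
            if state != "encrypted"]


def walk_files(root: str):
    """Yield every file below root; EFS state is decided per file, not per folder."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    # Usage on Windows: python efs_audit.py "E:\Protected"
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in unprotected(list(walk_files(root))):
        print("NOT encrypted:", p)
```

Run it against the folder from the procedure in this section after step 10; any file it reports was written before the attribute was applied or landed on a volume that cannot hold EFS data.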

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do. In its default configuration, EFS enables users to start encrypting files from My Computer with no administrative effort. From the user's point of view, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted.

To create an EFS Encrypted folder:
1. Choose a folder in your My Documents folder to be EFS protected.
2. Right-click and choose Properties.
3. Click the Advanced button.
4. Check the checkbox labeled Encrypt contents to secure data.
5. Click OK.
6. Click Apply.
7. If the Confirm Attribute Changes dialog appears, select the Apply changes to this folder, subfolders and files radio button.
8. Click OK.
9. Click OK on Folder Properties.
10. Move or copy at least one file or record into the EFS protected folder.
11. Windows Explorer shows different colors for the following:
   a. Black – normal files on the file system.
   b. Blue – files and/or folders are compressed.
   c. Green – files and/or folders are EFS encrypted.

Data-At-Rest (DAR) Protection - Enable EFS on USB Media
1. To run EFS on a USB device (thumb drive) it needs to be formatted with the NTFS file system. However, by default, only FAT32 and FAT are selectable.
2. Using Windows Explorer, format the USB device with FAT32.
3. Once the formatting is complete, right click the device and check properties. Verify that the file format is FAT32.
4. At a command prompt, run the CONVERT command. Example: CONVERT E: /FS:NTFS (where "E:" represents the USB device drive)
5. Once the CONVERT command finishes, the USB device will have an NTFS file system on it which can now accept EFS protected data. Using Windows Explorer, select Properties of the USB device to validate that the file format is NTFS.

Further details on Data-At-Rest protection can be found here: http://www.gordon.army.mil/NEC/documents/BBP%20Data%20at%20Rest.pdf

Note: The EFS Encrypt feature is only available in the Vista Business, Ultimate, and Enterprise editions. It will remain grayed out in the Vista Home Basic and Home Premium editions.

United States Postal Service Electronic Postmark

Protect the integrity of your content - https://www.uspsepm.com/

The USPS Electronic Postmark® (EPM)* is an auditable time-and-date stamp service offered by authorized service providers, under license by the United States Postal Service. The EPM can be used to verify the authenticity of a document or file sent electronically, and provides trusted proof of content as of a specific point in time. EPMs issued by an authorized EPM service provider are stored in their repositories and available for verification for a period of up to seven years from the date of issuance. The USPS serves as the backup verifier for all EPMs issued by any of the authorized providers of the USPS EPM service.

Use AKO/DKO IM & Chat

Many of us use IM & Chat programs to talk with friends and colleagues on-line. When chatting on-line with military members (or any other person with AKO/DKO access) you can secure your conversation by using the AKO/DKO IM Client. All IM communications via AKO/DKO IM are made via an encrypted channel (SSL). This includes IMs between AKO/DKO users and IMs between AKO/DKO and Navy and Air Force IM users. You can access IM from the AKO/DKO homepage by clicking the IM button. You can also download the AKO/DKO IM Client and install it on your home computer, running it as a standalone program.

Enable Secure Logon (CTRL+ALT+DELETE)

(From the Help File) It's important to keep your computer as secure as possible. One way to do so is to enable secure logon so that you are required to press CTRL+ALT+DELETE to log on. Using secure logon provides an additional layer of security for your computer by ensuring that the authentic Windows logon screen appears. When secure logon is enabled, no other program (such as a virus or spyware) can intercept your user name and password as you enter it.

1. Click to open Advanced User Accounts. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. Click the Advanced tab.
3. In the Secure logon section, select the Require users to press Ctrl+Alt+Delete check box, and then click OK.

(From: http://support.microsoft.com/kb/308226) To Enable or Disable the CTRL+ALT+DELETE Sequence
1. Click Start, click Run, type control userpasswords2, and then click OK.
2. Click the Advanced tab.
3. In the Secure logon section, select or clear the Require users to press Ctrl+Alt+Delete check box, and then click OK.
Note: If the Advanced tab is not available, click Start, click Control Panel, and then click User Accounts.

The Advanced tab is not available under certain conditions. For example, if you are a restricted user, the Advanced tab is not available.

* If a Windows XP-based computer is part of a domain, domain-wide policies may have been set that override the settings you make on the local computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 306992 (http://support.microsoft.com/kb/306992/) How to manage stored user names and passwords on a computer in a domain in Windows XP
* Disabling the CTRL+ALT+DELETE sequence creates a "security hole." The CTRL+ALT+DELETE sequence can be read only by Windows, ensuring that the information in the ensuing logon dialog box can be read only by Windows. This can prevent rogue programs from gaining access to the computer.
* On MS-DOS-based computers (and some older UNIX-based systems), pressing CTRL+ALT+DELETE gains the attention of the BIOS, causing a "warm" reboot. You can use the keyboard to shut down the operating system. On Windows-based computers (starting with Microsoft Windows NT), the CTRL+ALT+DELETE sequence is intercepted by Windows. The advantage of the keystroke-intercept technique is to help prevent Windows from being shut down by someone who does not have access to do so.

Cellular Telephones and PDAs

Cell-Phone Security Tips:

1. Protect your phone like the valuable item it is. There are three types of value associated with your phone: the cost of the physical device itself, the value of the cell-phone service (i.e. making calls), and the value of the information stored on the phone (all of your contacts and personal information). Even if the cost of the phone itself is relatively inexpensive, the value of the information stored on the phone can be considerable.

2. Restrict access to your phone with a PIN or password. Requiring a PIN or password to access your phone helps protect against theft of your cell-phone service and personal information.

3. Write down the make and model of your phone, your phone number, SIM number and/or IMEI number, and the contact information for your service provider. If your phone is ever lost or stolen you will need this information to quickly deactivate the phone and report it stolen to the police.

4. Make a back-up of the information stored on your phone. If your phone allows you to easily save your data to your home computer, great! If not, at least write down your most important contact numbers and similar information and store it safely away from your phone.

5. Be sure you understand what liability you face if someone steals your phone and starts running up a bill. Arrange with your cellular service provider for a maximum bill amount. Perhaps you will set the limit at double your average monthly bill, after which they decline service until the bill is paid. This will allow you to increase your usage when necessary, but will prevent a $20,000.00+ cell-phone bill if someone runs up unauthorized charges. (Huffington Post, 2009)

6. Consider anti-theft and recovery software for your phone. Services such as iHound https://www.ihoundsoftware.com/, Theft Aware http://www.theftaware.com/, and Gadget Trak http://www.gadgettrak.com/ provide software that can help you recover a lost phone.

=====

Guidelines on Cell Phone and PDA Security: Recommendations of the National Institute of Standards and Technology (October 2008) - http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used for many functions, including sending and receiving electronic mail, storing documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new risks to organizations. This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving cell phone and PDA devices.

US CERT Cyber Security Tip ST06-007 - Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html

Cyber Security Tip ST05-017 - Cybersecurity for Electronic Devices
http://www.us-cert.gov/cas/tips/ST05-017.html

Cyber Security Tip ST04-020 - Protecting Portable Devices: Data Security
http://www.us-cert.gov/cas/tips/ST04-020.html

Zfone

Zfone™ http://zfoneproject.com/ is a new secure VoIP phone software product which lets you make encrypted phone calls over the Internet. Its principal designer is Phil Zimmermann, the creator of PGP, the most widely used email encryption software in the world. Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP media stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

Zfone is available as a universal "plugin" for a wide variety of existing VoIP clients, effectively converting them into secure phones. It's also available as an SDK to allow VoIP product vendors to integrate encryption into their products.

Zfone:
- Doesn't depend on signaling protocols, PKI, or any servers at all. Key negotiations are purely peer-to-peer through the media stream
- Interoperates with any SIP/RTP phone, auto-detects if encryption is supported by the other endpoint
- Available as a "plugin" for existing soft VoIP clients, effectively converting them into secure phones
- Available as an SDK for developers to integrate into their VoIP applications
- Submitted to IETF as a proposal for a public standard, and source code is published

A public beta release of the Zfone software is available for download for Windows, Mac OS X, or Linux.

Vumber - Virtual Phone Number

A Vumber http://www.vumber.com/ is a virtual phone number – now you can have two numbers on a single phone. With Vumber, you get a flexible, portable, privacy-protected, disposable telephone number and a private Vumbermail voice mailbox. It's simple and instant to use: choose any area code you want and link it to your home, cell, or work phone. When someone calls your Vumber, it will ring on your phone without ever revealing your private phone number, and you control how to handle the call. With Vumber, you can: a) answer it, b) send them to Vumber voicemail (or Vumbermail as we call it), c) give them a busy signal, d) tell them the number is out of service, or… e) play them a custom message you create.

Even simpler, it's as simple as having another phone number. You still have your existing numbers, too, and you can still call and get calls from them. But now you also have a number with total control – your Vumber. And don't worry, Vumber lets you keep your phone number private, which means unequaled privacy protection. Most importantly, you can call "from" your Vumber. Just dial your Vumber, and then dial the number and your Vumber will show up on their caller ID. It's that easy. And it's not limited to a pre-defined one-to-one calling relationship like you sometimes see out there. Vumber puts you in total control of your communications and your identity.

Google Voice

Google Voice http://www.google.com/voice is a telecommunications service by Google launched on March 11, 2009. The service provides a US phone number, chosen by the user from available numbers in selected area codes, free of charge to each user account. Inbound calls to this number are forwarded to other phone numbers of the subscriber. Outbound calls may be placed to domestic and international destinations by dialing the Google Voice number or from a web-based application. Inbound and outbound calls to US (including Alaska and Hawaii) and Canada are free of charge. International calls are billed according to a schedule posted on the Google Voice website.

Google Voice with a Google number:

- Use one number to manage all your phones. Works with mobile phones, desk phones, and work phones. So, your Google Voice number is tied to you, not to a particular device or location. There's nothing to download, upload, or install, and you don't have to make or take calls using a computer.
- Customize your callers' experience (custom voicemail greetings, call forwarding, screening, and call recording). Define which phones ring, based on who's calling, and even ListenIn™ on voicemail before answering the call.
- We use smart technology to route your calls: if you're already on a Google Voice call, we'll recognize it and use call waiting to reach you on the phone you're on.
- Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and search through them.
- Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to you via email and/or SMS.
- Custom voicemail greetings: Customize your voicemail greeting based on who is calling.
- International calling: Make low priced international calls from the web or from your phone.

Google Voice with your non-Google phone number: With this option you won't get some features (i.e. decide which of your phones ring based on who's calling, send some callers straight to voicemail, etc.), but you'll still get plenty of others, including:
- Voicemail like email: Save voicemail messages for as long as you'd like, star important ones, and search through them.
- Voicemail transcription: Voicemail messages will be automatically transcribed to text and sent to you via email and/or SMS.
- International calling: Make low priced international calls from the web or from your phone.

Whisper Systems (Apps for the Android Operating System)
http://www.whispersys.com/

RedPhone 0.4
Encrypted voice for your smartphone. RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. RedPhone uses your normal mobile number for addressing, so there's no need to have yet another identifier or account name. So, if you know someone's mobile number you know how to call them using RedPhone. It's easy to use, and functions just like the normal dialer you're accustomed to. And when you receive a RedPhone call your phone will ring just like normal, even if it is asleep.

TextSecure 0.5

Encrypted texts for your smartphone. TextSecure is a drop-in replacement for the standard text messaging application, allowing you to send and receive text messages as normal. All text messages sent or received with TextSecure are stored in an encrypted database on your phone, and text messages are encrypted during transmission when communicating with someone else also using TextSecure.

TOR
http://www.torproject.org/

Tor is an encryption tool that can help you protect the confidentiality of your communications. Tor is a free, relatively easy to use tool primarily designed to protect your anonymity online. But it also has the side benefit of encrypting your communications for some of their journey across the Internet. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

Google Encrypted Search
https://encrypted.google.com/

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

google. these properties may not appear in the left panel. By clicking on a search result that takes you to an HTTP site. those searches will bypass any content filters that are in place on your network.    Note that SSL search does not reduce the data that Google receives and logs when you search. search over SSL is supported only on Google web search. the potential hijacker still can't sign in to your account because they don't have your phone. 2-step verification adds an extra layer of security to your Google Account by requiring you to have access to your phone – as well as your username and password – when you sign in. and clicking those results will take you out of encrypted search mode. You'll continue to see integrated results like images and maps. Note that only Google web search is available over SSL. All features that are not supported have been removed from the left panel and the row of links at the top. When search traffic is encrypted. Google Account 2-step verification http://www. it can't be read by third parties trying to access the connection between a searcher's computer and Google's servers.com.Cyber-Security Toolbox To use search over SSL. Michael Chesbro 32 .py?page=guide. Note that the SSL protocol does have some limitations — more details are below. As another layer of privacy. Your Google experience using SSL search might be slightly slower than you're used to because your computer needs to first establish a secure connection with Google. When you're searching over SSL. visit https://encrypted. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. SSL search turns off a browser's referrers .cs&guide=1056283&topic=1056284 Using 2-step verification will help prevent strangers from accessing your account with just a stolen password. When you sign in with 2-step verification. you'll verify your identity using both a password and a code that you receive on your phone. 
so other search products like Google Images and Google Maps are not currently available over SSL. Here's how searching over SSL is different from regular Google search:  SSL encrypts the communication channel between Google and a searcher's computer. We will continue to work to support other products like Images and Maps. At this time.com each time you perform a search.google. or change the listing of these terms in your Web History How will SSL search affect content filtering services? When searches are conducted using https://encrypted. This means that if someone steals or guesses your password. you could disable any customizations that the website provides based on the referrer information.com/support/accounts/bin/static.google.

Temporary / Disposable E-mail Addresses

- TempE-Mail (Address expires in 14 days) - http://www.tempemail.net/
- 10 Minute Mail - http://10minutemail.com/10MinuteMail/index.html
- Mailinator - http://www.mailinator.com/
- Jetable - http://www.jetable.org/en/index
- Trashmail - https://ssl.trashmail.net/

EPIC Online Guide to Practical Privacy Tools
http://epic.org/privacy/tools.html

NIST Computer Security Division - Computer Security Resource Center
http://csrc.nist.gov/

US CERT Cyber Security Tips
http://www.us-cert.gov/cas/tips/

NSA - CSS Cyber Security Factsheets
http://www.nsa.gov/ia/guidance/security_configuration_guides/fact_sheets.shtml

Report Cyber-Crime

Report Phishing - http://www.us-cert.gov/nav/report_phishing.html
Report A Computer Security Incident - https://forms.us-cert.gov/report/
File a Cyber-Complaint On-line - http://www.onguardonline.gov/file-complaint.aspx
Internet Crime Complaint Center - http://www.ic3.gov/complaint/default.aspx
Federal Trade Commission Complaint Assistant - https://www.ftccomplaintassistant.gov/

Michael Chesbro, CCIA, CHS-III, CSS, CPO, CAS, SSI, CFC, IAC
Criminal Intelligence Specialist / Certified Crime & Intelligence Analyst
DES OPSEC Officer / DES Security Manager / DES COMSEC Officer
Joint Base Lewis-McChord Fusion Center - Directorate of Emergency Services
Joint Base Lewis-McChord, Washington 98433
Tel: 253-966-7303 / DSN: 347-7303 Fax: 253-966-7318
AKO: michael.chesbro@us.army.mil LEO: michael.chesbro@leo.gov