Tools for the paranoid: 5 free security tools to protect your data

PCWorld reveals five free tools for protecting passwords, browsing anonymously, and encrypting our most precious documents.
  • Erez Zukerman (PC World (US online))
  • — 01 February, 2013 17:30

You just read about another online database hack, and now 4 million users' names and passwords are floating around the Internet--and you have a sinking feeling that one of them might be yours. And then there are the security breaches you don't hear about, the ones that leave nasty surprises in your inbox or on your credit card statement.

Because even a law-abiding citizen like you has a few secrets to keep, we've found five industrial-grade tools to help you hang on to what's yours. No need to enter a credit card number to get them, either--they're all free.

The cornerstone: KeePass

If you adopt just one security tool from this article, make it KeePass. This free and open-source password manager is available for Windows, with unofficial ports for iOS, Android, Linux, and Mac OS X. A secure, lengthy, completely random password goes a long way towards improving your security--and having a separate password for each and every website and service you use is the single most important thing you can do to keep secure.

For too many of us, the alternative to a password manager is using the same password everywhere. This means that if the user database of any one website you sign up for is compromised, hackers can (and often do) try your username and password on many other websites and gain access. So, seriously: Use a unique, difficult password for each and every website you sign up for, no matter how little you plan to visit it.

KeePass lets you keep all of these username/password pairs in a securely encrypted database, protected behind a single master password--the only password you'll have to remember. And unlike commercial competitor LastPass, KeePass doesn't automatically put your password database in the cloud (although you can put it into Dropbox yourself).

KeePass features its own random password generator, so you don't have to come up with random passwords on your own. It includes a quick-search box where you can type just a fragment of a website's name to quickly find it on your list. The list itself is built to contain thousands of records, and you can subdivide it into folders and subfolders to keep things organized. KeePass isn't limited to just usernames and passwords, either: Each entry has several other fields, including a free-form Notes field for securely storing any sort of text.

One way the baddies circumvent password protection is with a keylogger: an application (or a physical hardware dongle connected to your computer) that sits in the background, quietly logging every single keystroke you type, and later transmitting this information to an attacker. With a keylogger installed on your system, an attacker could potentially learn every single word you type throughout the day, including all of your usernames and passwords.

KeePass protects against keylogging with its AutoType feature, which saves you the trouble of manually typing individual website passwords. KeePass pastes them into the browser window using a combination of virtual keystrokes and clipboard obfuscation, making it all the more difficult for a keylogger to figure out what the password is. AutoType is sometimes finicky, but when it works, it's very useful. KeePass also lets you enter your master database password in a prompt protected by UAC (User Account Control), blocking any software keylogger that isn't running with administrator rights on your machine.

Get KeePass, and start using it right now. You'll thank yourself next time a major website breach vents thousands of usernames and passwords into cyberspace.

For your files: TrueCrypt

Let me guess: You use Dropbox. Or maybe SkyDrive, or Google Drive, or one of the numerous other cloud file-hosting services out there. These services are invaluable for synchronizing data across different computers and mobile devices or sharing it with others. But here's an interesting bit of trivia: Did you know some Dropbox employees can access your files? Granted, that they would do anything with your data is a far-fetched scenario, but why take the risk? The free utility TrueCrypt lets you effortlessly encrypt entire folders, so your cloud-synced data remains truly yours.

TrueCrypt works by creating virtual encrypted disks; this means that, as far as Dropbox can tell, a TrueCrypt-encrypted disk is just a blob of random binary data. However, when you mount that volume using TrueCrypt, you need only enter the correct password and a new drive shows up on your system. Every file you put into this drive is instantly encrypted, secure from prying eyes. As soon as you unmount the volume (eject the disk, so to speak), it becomes completely inaccessible.

TrueCrypt is very serious about security, to the point of providing plausibly deniable encryption. Let's say that some person or legal entity finds out you're keeping files inside a TrueCrypt volume, and has the power to compel you to give away your password. With a less serious security solution, this is game over: As soon as you give over your password, your data is forfeit.

TrueCrypt lets you get around this limitation by creating a hidden volume inside a TrueCrypt container. Enter one password to decrypt the volume, and you get one set of files (decoy files you put there in advance, which should seem believable enough to stand in for the contents of that volume). Enter a different password to decrypt that same volume, and suddenly you get an entirely different set of files, which are the real files you're trying to protect. In other words, whoever coerced you to give away your password now thinks they have whatever files you were hiding, when in fact they don't (but you can claim they do, and there's no way to detect that two-password trick). This sounds like a scenario lifted out of a William Gibson novel, but it's a great option to have, especially in a free tool.

For browsing securely: Tor Browser Bundle

Judicious use of KeePass and TrueCrypt is more than enough for creating a very secure environment. We now officially leave essential apps territory and enter realms of luxury (or paranoia, depending on how you look at it). If you want to beef up your Internet browsing security as well, the Tor Browser Bundle is the way to go.

The Tor network provides a way to browse anonymously. When you connect to Tor, all of your Internet traffic is encrypted and routed through a complex network of anonymous nodes until it reaches its final destination. It's not 100 percent secure, but then again, no security solution is. Tor has been around since 2002, and has been field-tested in rough situations in Egypt and other oppressive regimes that restrict Internet access. It works.

Tor Browser Bundle is a portable, self-extracting package that contains a special version of Firefox, along with an application for connecting to Tor. Extract the bundle, double-click "Start Tor Browser," and the connection window comes up and steps through an initialization sequence. You don't have to do anything; just wait a moment while the progress bar fills up. As soon as a secure connection with Tor is established, Firefox loads, and you can start browsing.

Since Tor routes your data through so many layers and random endpoints, it's not exactly blazing fast. Then again, most of us don't live under a regime that makes Tor a necessary part of our daily browsing routines. For occasional use, it's an elegant solution that manages to simplify a complex security system down to a double-click.

For hiding information in plain sight: OpenPuff

Steganography, or hiding messages in plain sight, is a storied practice dating back to ancient Greece. In modern practice, steganography means taking a media file such as an MP3 or a JPEG image and burying data in it. The file still works as usual, and if you don't specifically look for the hidden data, you'll have no idea that the encrypted information is even there. In other words, you could hide an important text message in an innocent image file, and then post that file publicly online. Another party could then download the file and--using a steganography tool and a password that you both shared in advance--process the file and extract whatever information you've buried in it. One good tool for this purpose is OpenPuff, a powerful open-source steganography application that supports a wide variety of "carrier" formats for hiding data, including MP3, JPEG, and more.

By default, OpenPuff asks you to protect your information with three different passwords, although it does let you dial that down to just a single password of your choosing. It even supports plausibly deniable encryption, and this is where things get really paranoid: Even if someone somehow realizes your seemingly innocent image or music file contains a hidden message, OpenPuff lets you hide a decoy along with the real message. Simply provide a different password, and the other person will extract the decoy out of the image, thinking they've won--but actually, your real secret will still be hidden in the file.

Steganography usually works well for hiding short text messages or other condensed information; obviously, you can't hide an entire video file within another video file using steganography--there's just no room for all those extra bytes. Still, if you need to hide a large amount of information, OpenPuff lets you chain multiple carrier files together into one extended message. To extract the information, the recipient (or yourself) needs to have all of the carrier files, and feed them into OpenPuff in exactly the right sequence, along with the correct password or passwords. Not for the faint of heart.

For chatting privately: Cryptocat

If secure traffic tunneling and steganography sound too cloak-and-dagger for you, consider a friendly, real-world security hole: Chat. Chatting online is easier than ever; chatting securely, not so much. The chat clients built into Facebook and Gmail emphasize ubiquity and ease of use far more than encryption. Free chat client Cryptocat claims that you can have both security and convenience, and it made quite a splash upon its arrival.

The least mature tool in this roundup, Cryptocat demonstrates an important lesson about security software: Newer rarely means better. Following a glowing profile piece that Wired published on Cryptocat and its developer, 21-year-old Nadim Kobeissi, security guru Bruce Schneier published a cautionary post in his blog letting readers know Cryptocat wasn't as safe as it seemed. At the time, the problem was that Cryptocat handled security host-side, rather than locally. This issue has since been addressed, and Cryptocat now runs as a browser extension and handles encryption locally. Still, this is an important example to keep in mind: Encryption software, even when it's open-source, can't be considered secure until it's been thoroughly audited and battle-tested (preferably for years).

While I wouldn't use Cryptocat for mission-critical secret communications, it does add a modicum of security and privacy over the features built into Google and Facebook, and it's just as easy to use. After installing a Chrome or Firefox extension, all you have to do is pick a nick (a handle) and a title for your chat room, and presto--you can chat with any other Cryptocat user who joins the room. The aesthetic is decidedly old-school 8-bit, but that only adds to Cryptocat's charm. It's a nice way to chat with friends, and can serve as a reminder that it's important to use other forms of security, too.

A little security goes a long way

With security software, it's easy to go overboard. You could create a small KeePass database, steganographically embed it in an MP3 file, put that file into a TrueCrypt volume, and then launch Tor and tell your friends all about it on Cryptocat. That might be a fun experiment, but in reality, it takes just a handful of best practices to significantly bolster security. If this article makes you do just one thing, I hope it gets you to adopt KeePass and take password security more seriously. And if you're already using a password manager, well, there's always more you can do to further protect your privacy and reduce the risks that come with constantly being online.

Tags: passwords, security, encryption, security software

Forget BYOD – it's now BYOC

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get powerful mobile security capabilities, and protect the data the various mobile devices inside your organization.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.