Sunday, December 31, 2017

Surveillance Detection

 
All training programs designed to protect individuals from becoming victims of terrorism recommend that people be alert to surveillance. This is excellent advice, but, unfortunately, in most instances it is insufficient, because people have had no training in detecting surveillance, and terrorist organizations are often relatively sophisticated in their surveillance methods. Detecting surveillance conducted by trained experts is not as easy as most Hollywood films would lead us to believe. Fortunately, however, the type of surveillance conducted by terrorist organizations is not normally as elaborate as that done by intelligence organizations nor does it involve as many people or as much equipment. Nevertheless, for people to have a reasonable chance at detecting most forms of surveillance they would have to be somewhat familiar with the techniques used.
 
The purpose of surveillance is to determine (1) the suitability of the potential target to attack, based upon the physical and procedural security precautions that the individual has taken, and (2) the most suitable time, location, and method of attack. This surveillance may last for days or weeks depending upon the length of time it takes the surveillants to obtain the information that they require. Naturally, the surveillance of a person who has set routines and who takes few precautions will take less time. The people undertaking the surveillance will often not take part in the attack, nor will the attack take place while surveillance is still in progress.
 
Before undertaking surveillance most experts gather information about the subject from other sources. Public records or information made available to the terrorist organization from a sympathetic individual within an organization, local police, or other government office may reveal useful facts about an individual such as the names of family members, an address, a description of vehicles and license numbers, photographs, etc. The surveillants will also make a reconnaissance of the neighborhood in which the target lives and works. This permits them to select positions of observation, the types of vehicles to use, the clothing to be worn, and the type of ruse to use that will give them an ordinary or normal appearance and plausible reasons to be in the area.
 
There are basically three forms of surveillance: foot, vehicle, and stationary (generally categorized as either mobile or static). A brief description of the most common techniques used for each of these forms and methods for detecting each one follows:
 
One or more individuals may undertake foot surveillance. One-person foot surveillance is rather complicated and fairly easy to detect. The surveillant must remain close to the target, particularly in congested areas, to avoid losing him or her. In less congested areas the surveillant can maintain a greater distance, but the lack of other pedestrians makes the surveillant that much more noticeable. The one complicating factor is the use of a disguise to make the surveillant look different (perhaps a uniform). One possible sign of a disguise is a shopping bag or some other container for a change of clothes, particularly if the shopping bag is from a store not found in the area or the container somehow seems out of place. Where a disguise is suspected, pay particular attention to shoes and slacks or skirts. These items are less easily and, therefore, less commonly changed. In elevators, watch for people who seem to wait for you to push a button and then select a floor one flight above or below yours.
 
Two-person foot surveillance is more effective in that the second surveillant provides greater flexibility. Normally, one surveillant remains close to the target while the other stays at a greater distance. The second surveillant may follow the first on the same side of the street or travel on the opposite side. Periodically the two surveillants change position so that if the target spots one of them, that one will soon be out of sight, leading the target to think that he or she was mistaken. Obviously, spotting this form of surveillance is more complicated, but individuals who are alert to the people in their vicinity will eventually detect the same surveillant over a period of time.
 
Foot surveillance with three or more people uses the most sophisticated techniques and is the most difficult to spot. Generally, one surveillant remains behind the target close enough to respond to any sudden moves. A second surveillant remains behind the first on the same side of the street with the first surveillant in sight. A third surveillant travels on the opposite side of the street parallel with or just behind the target. In areas where the target has few paths to choose, one surveillant may walk in front of the target, where he or she is least likely to cause suspicion. The positions of the surveillants are frequently changed, most commonly at intersections. The surveillant directly behind the target may move to the opposite side of the street, while another surveillant moves in close behind the target. With the additional surveillants, any surveillant who feels that he or she has been observed may drop out of the formation. The use of this sophisticated technique requires that people be alert not only to those people behind them but also to those across the street and perhaps in front of them. If the same person is seen more than once over a certain distance, surveillance may be suspected even if that person is not continuously seen.
 
Common methods for detecting surveillance apply to all three forms of foot surveillance. The most effective are:
  • stopping abruptly and looking to the rear,
  • suddenly reversing your course,
  • stopping abruptly after turning a corner,
  • watching reflections in shop windows or other reflective surfaces,
  • entering a building and leaving immediately by another exit,
  • walking slowly and then rapidly at intervals,
  • dropping a piece of paper to see if anyone retrieves it,
  • boarding or exiting a bus or subway just before it starts, and
  • making sudden turns or walking around the block.
 
While taking these actions, watch for people who are taken by surprise, react inappropriately, suddenly change direction, or give a signal to someone else. Surveillants will not normally look directly at the target, but they may do so if they are surprised or unaware that you are observing them. It is important to understand, however, that these techniques for detecting surveillance can also indicate to those following you that you are aware of their presence.
 
Foot surveillance is often used in conjunction with vehicle surveillance since it is likely that the target will use a combination of foot and vehicle transportation. Vehicles used for surveillance are inconspicuous in appearance and of a subdued color. Frequently, the inside dome light is made inoperative so that it will not illuminate the interior of the car when the door is opened. Vehicles will have two or more people in them so that if the target parks his or her vehicle and walks away, the surveillance can be resumed on foot while the driver remains with the vehicle. While moving, the driver gives full attention to driving while the observer operates the radio, watches the target, and makes notes on the target's activities. Sometimes it will be necessary for surveillants to break traffic regulations to avoid losing you. If you see a vehicle run a red light, make an illegal U-turn, travel over the speed limit, or make dangerous or sudden lane changes in an apparent effort to keep up with you, you should, of course, be suspicious of that vehicle. The distance between a surveillance vehicle and the target will vary depending on the speed at which the vehicles are traveling and the amount of traffic. Surveillants will try to keep one or two vehicles between themselves and the target.
 
As with foot surveillance, vehicle surveillance may be undertaken using only one vehicle or using two or more vehicles. One-vehicle surveillance suffers from the same drawbacks as one-person foot surveillance. The target has to be kept in view at all times and followed by the same vehicle. Surveillants can try to overcome this disadvantage somewhat by changing seating arrangements within the vehicle; putting on and taking off hats, coats, and sunglasses; changing license plates; and turning off onto side streets and then turning back to resume the tail. This makes it necessary for a person suspecting surveillance to remember aspects of a following vehicle that cannot easily be changed, such as the make, model, and color of the car and any body damage such as rust, dents, etc.
 
The use of two or more vehicles permits surveillance to switch positions or to drop out of the surveillance when necessary. One vehicle follows the target vehicle and directs other vehicles by radio. The other vehicle may follow behind the lead surveillance vehicle, precede the target vehicle, or travel on parallel roads. At intersections, the vehicle following directly behind the target vehicle will generally travel straight ahead while alerting all other vehicles of the direction in which the target vehicle has turned. Another vehicle in the formation will then take a position behind the target and become the lead vehicle, taking over the responsibility for giving instructions to other surveillants. The former lead vehicle then makes a U-turn or travels around the block to take up a new position ready to resume the lead vehicle position again when necessary.
 
People who have well-established routines permit surveillants to use methods that are much more difficult to detect. If, for example, you leave the office at the same time each day and travel by the most direct route to your home, or if you live in a remote area with few or no alternate routes to your home, surveillants have no need to follow you all the way to your residence. Alternative methods of surveillance in such situations are leading surveillance and progressive surveillance. In leading surveillance the surveillant travels in front of the target while the observer watches for turns. When the target turns, this is noted. The next day the surveillant makes a turn where the target did the previous day. Over a period of time the surveillants will discover the entire route to the residence while still driving in a position that creates much less suspicion. There are two forms of progressive surveillance. In the first form, surveillants are placed at intersections along the probable routes of the target. When the target makes a turn, this is noted and the position of the surveillants is adjusted to check the next intersection. Eventually, this method leads the surveillants to the residence. In the second form of progressive surveillance, a vehicle will follow the target for a short distance and then turn off. On successive days the surveillant picks up the target where he or she left off the previous day. Leading and progressive surveillance are extremely difficult to detect, but you should not give anyone the opportunity to use these methods.
 
The most effective methods for detecting most forms of vehicle surveillance are:
  • making a U-turn where it is safe to do so,
  • making a turn to the right or left (in general, left turns create greater complications for surveillants because of oncoming traffic that may delay a turn),
  • going through a traffic light just as it is turning red,
  • stopping just beyond a curve or hill, and
  • circling a block.
In each case, watch for the reactions of any vehicles that you may suspect. Any vehicles that make unusual maneuvers should be carefully noted. Do not forget to check for motorcycles or motorbikes, since in many parts of the world they seem to be favored by surveillants because they move easily through heavy traffic.
 
Stationary surveillance is commonly used by terrorist organizations. As mentioned earlier, most attacks take place near the residence or office because that part of the route is least easily varied. Most people are more vulnerable in the morning when departing for work, because morning departure times are more predictable than are evening arrivals.
 
Surveillants seek a position that permits them to observe the residence or office clearly without being observed or suspected. Surveillants want to identify observation points that afford the best view of the target. Foot and vehicular traffic, buildings and terrain around each government facility vary with each location. Pedestrian traffic, rush hour traffic flow, temporary street closure, etc. will affect observation points. If the surveillants decide that it is best not to be seen, they may obtain an apartment or rent office space in the area that provides for an adequate view, but such apartments or office space may not be available and the renting of an apartment or office space could provide clues for a subsequent investigation. The use of an apartment or office space for surveillance, while possibly the most difficult to detect, is generally not the easiest or safest method. Many surveillance teams use vans with windows in the side or back that permit observation from the interior of the van. Often the van will have the name of a store or utility company to provide some pretext for its being in the area. The driver may park the van and walk away, leaving the surveillance team inside. Some teams use automobiles for stationary surveillance, parking the vehicle far enough from the residence or office to be less noticeable, using other vehicles for cover, facing the vehicle away from the target, and using the rear view mirrors to watch.
 
Where it is not possible to watch the residence or office unobserved, surveillants must come up with a plausible reason for being in the area. The types of ruses used are limited only by the surveillant's imagination. Some of the more commonly used covers are automotive repairs due to engine trouble or a flat tire, door to door sales, utility repair crews, lovers in a park, walking a dog, construction work, or sitting at a café. Women and children are often used to give a greater appearance of innocence.
 
Some things to check for are parked vehicles with people in them, cars with more mirrors or mirrors that are larger than normal, people seen in the area more frequently than seems normal, people who are dressed inappropriately, and workers who seem to accomplish nothing.
 
If you become suspicious of a van, note any information printed on the side of the van, including telephone numbers. Check the telephone book to see if such a business exists. Note the license numbers of any suspicious vehicles and provide them to your security office so they can be checked. Make a habit of checking the neighborhood through a window before you go out each day.
 
Detecting surveillance requires a constant state of alertness and must become an unconscious habit. We do not want to encourage paranoia, but a good sense of what is normal and what is unusual in your surroundings could be more important than any other type of security precaution you take. Above all, do not hesitate to report any unusual events to the police. Many people who have been kidnapped realized afterwards that their suspicions had been well founded. If those suspicions had been reported, their ordeal might have been avoided.
 
Since surveillance attempts to determine the suitability of a potential target and the most opportune time for an attack, it is crucial to avoid predictability. Although the recommendation to vary routes and times of arrivals and departures has become trite, implementing it in one's daily schedule has proven to be effective in denying terrorists the predictability their planning requires. Varying times and routes applies to jogging, shopping, and all activities where a pattern can develop.
 
The Federal Emergency Management Agency (FEMA) has a one-hour web-based course, IS-914: Surveillance Awareness: What You Can Do, that provides additional information about detecting surveillance.

Multi-jurisdictional Counterdrug Task Force Training (MCTFT) https://mctft.org offers an 8-hour Surveillance Operations Overview on-line course. This course will provide students with an understanding of the principles of basic surveillance techniques as they apply to the different types of surveillance performed by narcotic officers. During this presentation, the students will become acquainted with the various types and methods of surveillance, the purposes for conducting surveillance, the preparation of surveillance equipment, and the proper execution and documentation of surveillance operations. In the demonstration of basic surveillance techniques, the students will be shown how to apply the various principles discussed in class to actual surveillance situations, including a night time surveillance, via practical exercises and scenarios. (Enrollment in this course is limited to military and law enforcement personnel).
 
Other articles about surveillance that you may find of interest are:
 
 
 
 
 
 
This surveillance training book has been compiled as the ultimate guide and reference book for the surveillance operative. There is no other comparable book available in the world today in relation to covert surveillance training. This book will guide you through the process of carrying out covert surveillance whether you are on foot or by car, traveling by public transport or in a static rural or urban location. The book also teaches the aspects of digital photography using long range lenses and incorporates a large section on Surveillance Detection by Anti and Counter Surveillance methods.
 

Saturday, December 30, 2017

"Secret Conversations" in Facebook

1) Launch Messenger and tap the Me tab (this may be your FB profile photo).
2) Tap Secret Conversations.
3) Slide the Secret Conversations switch to the ON position.
A prompt says "This will be the only device you can use to send and receive encrypted messages." You will still be able to use Facebook Messenger on other devices (such as your computer), but Secret Conversations are limited to your smartphone.
4) Tap Turn On to enable Secret Conversations on this device or Cancel to abort the action.

When you enable Secret Conversations on one device, Messenger will automatically close all secret messages on your other devices.

If you disable Secret Conversations, your existing secret messages will remain on the device until you delete them, but you’ll no longer be able to send or receive them or start new Secret Conversations.

I had previously written about How to Encrypt Your Facebook Messages, but have received replies from some readers saying that they didn't have that option in Facebook Messenger on their smartphones. In order to send and receive "Secret Conversations" in Facebook Messenger you must enable that function using the steps listed above.



Onion Field Insurance


On the night of March 9, 1963, LAPD officers Ian Campbell (age 31) and Karl Hettinger (age 28), both former Marines, were riding in an unmarked car. They pulled over a 1946 Ford coupe containing two suspicious-looking men at the corner of Carlos Avenue and Gower Street in Hollywood. The two men, Gregory Ulas Powell (age 30) and Jimmy Lee Smith (a.k.a. "Jimmy Youngblood", age 32), had recently committed a string of robberies, and "each had a pistol tucked into his trousers." Powell, the driver, pulled a gun on Campbell, who "calmly told his partner, 'He has a gun in my back. Give him your gun.'" The two officers were then forced into Powell's car and were driven north from Los Angeles on Route 99 to an onion field near Bakersfield, where Campbell was fatally shot. Hettinger was able to escape, running nearly four miles to reach a farmhouse.

Today, many businesses and organizations are concerned with the possibility of an "active shooter". Current advice when faced with an active shooter is "Run, Hide, Fight". But, fight with what? The potential victims of an active shooter are often prohibited from being armed, and thus having a means to fight back. Ill-conceived workplace policies, laws, and regulations take away our right to self-defense and give a distinct advantage to violent criminals - who don’t care about "gun free zones".

So, if you can, be armed always. Yes... I know. But consider the implications. Of those who died facing an armed attack, how many would have willingly disobeyed unconscionable laws, policies, and regulations in order to stay alive? 

According to U.S. Bureau of Justice Statistics data, having a gun and being able to use it in a defensive situation is the most effective means of avoiding injury (more so even than offering no resistance) and thwarting completion of a robbery, assault, or other violent attack. In general, resisting violent crime is far more likely to help than to hurt, and this is especially true if your attacker attempts to take you hostage...

Called "onion field insurance" by some in reference to the 1963 murder of Officer Campbell, small hideout guns provide that last chance at survival when you are taken hostage and faced with a violent assailant intent on killing you. These small hideout guns are much smaller than a service pistol, or even your back-up gun (which is often just a compact version of your service pistol). Hideout guns are very small and can be deeply concealed so as to avoid detection, even during a cursory search. The hideout gun might be the gun you carry when you are "not carrying a gun". The hideout gun, your "onion field insurance", is also there to save your life if you are somehow disarmed of your primary weapon. Small in size, usually of a small caliber, the hideout gun is going to be limited in effective range from about arm's length to maybe across a large room. But if you are being forced to walk out into a dark field some night, or are trapped in your office while an active shooter is breaking through the door, that little hideout gun can be the difference between life and death.

One of the smallest and most easily concealed hideout guns is the North American Arms Pug, chambered in .22 magnum. This micro-revolver is easily concealed in a pocket, or clipped inside your waistband.


Moving up a little in size, we have the Ruger LCP-II in .380 Auto. This compact pistol (5.17" long and 3.71" tall) is also easily concealed and gives you 7 rounds (6+1) should the need arise.


And the Kahr Arms CW380 (4.96" long and 3.9" tall).


Just slightly larger than the LCP-II and Kahr CW380 is the Glock 42 (5.94" long and 4.13" tall), also in .380 Auto.


The Diamond Back DB9 is a 9x19mm pistol, in the same size range as the LCP-II, Kahr CW380, and Glock 42. Holding 6+1 rounds, the DB9 pistol gives you the advantage of the increased power of the 9mm cartridge, while still maintaining a compact pistol design.


All of these little hideout guns (and others like them), have the advantage of being easily concealed. But they suffer the disadvantages of lack of power, reduced accuracy, and limited magazine capacity. As you do with your service pistol and back-up gun, you must practice with your hideout gun as well. Consider the LEOSA Basic Covert Carry / Off-Duty Proficiency Qualification Course as a standard for your hideout gun. With the Glock 42 this course might offer little challenge, but with the NAA Pug this course becomes much more problematic. Still, we must balance the ability to conceal our hideout guns against our ability to use them effectively to protect ourselves against a violent attacker.

You will also want to choose the best performing ammunition available for your hideout gun. The first and most important consideration is that it feed flawlessly. And, of course, you want to carry the best defensive ammo that you can get. My personal choice is Lehigh Defense 380 Auto 65gr Xtreme Defense Ammunition.

As with most insurance, you hope that you won't need it - and you may never need it; but if the day comes when you do... ???


Friday, December 29, 2017

Understanding Threat

 
There is no single solution for keeping yourself safe in cyberspace or in the physical world. Individual OPSEC and Personal Security isn’t about which tools you use; rather, it’s about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and from whom you need to protect it. Threats can change depending on where you’re located, what you’re doing, and with whom you’re working. Therefore, in order to determine what solutions will be best for you, you should conduct a threat assessment of your personal life.
 
When conducting this threat assessment, there are five main questions that you should ask yourself:
 
1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it that you will need to protect it?
4. How bad are the consequences if you fail?
5. How much trouble are you willing to go through in order to try to prevent those consequences? (Electronic Frontier Foundation, 2015)
 
By increasing the effort required to target you, it is often possible to cause an adversary to choose a different target. Cyber-criminals, corporate spies, foreign agents, and even government investigators frequently target the 'low-hanging fruit': they go after the easiest, most cost-effective targets. Even if you are the specific target an adversary is after, it is important to remember that not all adversaries have unlimited resources, nor do they have unlimited capabilities. It is quite possible to employ security that requires greater resources to defeat than an adversary has readily available.
 
It is also important to employ security in depth. An adversary may be able to defeat a single security measure. No security is perfect. By increasing layers of security, building depth into your security plan, the weaknesses and exploitable vulnerabilities in one security measure may be covered by the strengths of another.
 
Finally, remember that no security measure is of any value if it is not used. If security becomes too difficult, it will not be used regularly. The human factor is often the greatest weakness in any security program. When looking at the various security applications that we discuss here, choose the ones that you can and will employ on a regular basis. Good security employed consistently is better than great security employed occasionally.


Thursday, December 28, 2017

Apricorn Encrypted External Hard Drive

Apricorn's Aegis Padlock 3.0 is a state-of-the-art hardware-encrypted USB 3.0 portable drive. Simple and easy to use, the Padlock 3.0 offers unparalleled security and supports AES XTS 256-bit encryption. Additionally, the software-free design means it can be deployed without the need for Admin User rights and will work with any USB-enabled operating system. Completely cross-compatible, the Padlock 3.0 is authenticated via the integrated keypad and can support up to 5 User PINs and an Admin PIN. The Aegis Padlock 3.0 ships with the Padlock 3.0 drive with integrated USB 3.0 cable, a USB 3.0 Y-extension cable, and a Quick Start Manual, and is pre-formatted in NTFS.
 
Apricorn's Aegis Padlock is an ideal solution for secure external storage of your sensitive information. The drive measures just 3.25 x 4.5 x 0.75 inches, so it will fit in a pocket and is easily portable, while providing a large amount (2TB) of storage. Data on the drive is AES encrypted using hardware contained in the device itself, and secured with a 6 to 16 digit number that you enter via the keypad. The drives are available with less storage space (500GB and 1TB) for a little less money; however, I recommend getting the 2TB drive to ensure that you have sufficient data storage space over time.
 
While the AES 256-bit hardware encryption of the Apricorn Aegis Padlock is likely sufficient security for most purposes, you can also use a program like VeraCrypt to create additional secure containers on the encrypted drive. I have used the Apricorn Aegis Padlock with additional VeraCrypt containers to keep a back-up copy of my sensitive files for the past couple of years, and have not experienced any problems with the function of the drive or the security of the combined encryption.
 
 
Link to this Product on Amazon.Com:
 
 




Wednesday, December 27, 2017

Lock Picking and Lock Bumping

 

Most residential (home) locks can be quickly and easily bypassed by picking or bumping. This can allow an adversary covert access to your home, and if someone breaks into your home using these methods and steals your property, a police report reading that there were "no signs of forced entry" can complicate any claim that you may file against your homeowner's or renter's insurance.
 
Lock picking and bumping leave little if any sign that a lock has been bypassed, and the basics of these skills can be easily learned from books, on-line video, and practice with inexpensive lockpick sets and training locks.

Some references I recommend for learning lock picking are:
 
 
 
 
I also highly recommend these two books by Deviant Ollam:


Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks
 
High-security locks can prevent successful picking and bumping attacks by all but the most skilled locksmiths. For high-security deadbolt locks I recommend either Medeco or Mul-T-Lock brands. Both of these manufacturers produce high-quality locks that are extremely resistant to picking and bumping. This high quality is also reflected in the high price of these locks, which can be four or five times the price of more common residential deadbolt locks. Still, if your threat model includes the possibility of surreptitious entry into your home, top quality locks are going to be worth the extra cost.

Some have recommended the Kwikset or Wiser Smart Key deadbolt lock as an inexpensive "pick and bump proof" lock. I do not recommend this lock type because it can be easily bypassed as can be seen in this video.

It should be understood that any lock (even Medeco and Mul-T-Lock) can be defeated given enough time and sufficient skill by the attacker. What we hope to do by using high-security locks is prevent the majority of individuals with lock picking skills from being able to bypass our locks and defeat our security.

Also, when installing high-security locks it is essential that they be properly installed and that your doors be reinforced to prevent them from being easily kicked in. The Victoria, TX Police Department has an excellent video "Home Security Tips: How a 50 cent investment can dramatically strengthen your doors" that shows a simple method of improving the strength of your doors. I also recommend that you include reinforcement on your doors with a product like Door Armor MAX which will defeat many forced entry attacks. Finally, when you are at home you may want to add additional security to your doors. The Defender High Security Door Reinforcement Lock (placing one on the top third of the door and one on the bottom third of the door) or the Nightlock Security Lock Door Barricade are options that you might want to consider.
 
 


Tuesday, December 26, 2017

OPSEC Resources

 
 
*** DOD OPSEC Pages on Facebook ***

https://www.facebook.com/AirForceOST/
https://www.facebook.com/USArmyOPSEC/
https://www.facebook.com/NavalOPSEC/
https://www.facebook.com/Joint.OPSEC.Support/
https://www.facebook.com/OPSECforFamilies/


*** OPSEC Resources ***

National OPSEC Program - Interagency OPSEC Support Staff
 
Naval Operations Security Support Team
http://www.navy.mil/ah_online/OPSEC/

OPSEC Professionals Association
Individual OPSEC & Personal Security (September 2017)
US DOD Education Activity - OPSEC
MARSOC - OPSEC Smart Cards
US Army CID, Cyber Crime Investigation Unit Advisories
http://www.cid.army.mil/cciu-advisories.html

DoD Social Media Hub
http://dodcio.defense.gov/Social-Media/
 
*** On-Line OPSEC Training ***

OPSEC Awareness for Military Members, DoD Employees and Contractors
OPSEC Fundamentals
New Faces of Threat Computer Based Training
 
Operational Security (OPSEC) for Control Systems
https://ics-cert-training.inl.gov/lms/
 
Identifying and Safeguarding Personally Identifiable Information (PII) Version 2.0
https://securityawareness.usalearning.gov/piiv2/index.htm

Alt.Anonymous.Messages

Alt.Anonymous.Messages is a newsgroup that allows the anonymous posting of encrypted messages. You can view the newsgroup through Google. However, you should not post to the Alt.Anonymous.Messages newsgroup from Google, as this would totally defeat the anonymity of your message (although the content could still be protected with encryption).
 
One of the best ways to use Alt.Anonymous.Messages is by using the program A.A.M. Direct.

A.A.M. Direct is a newsgroup reader and posting program with which two or more people can communicate through the alt.anonymous.messages newsgroup using anonymous hsub subjects. It may be easier to think of A.A.M. Direct as a type of e-mail system in which two or more people can communicate privately (and anonymously) without having to open and use an e-mail account. The message text is automatically encrypted and transmitted over a TLS connection to a free newsgroup server, where it is posted to alt.anonymous.messages under a continuously changing encrypted subject line. The program also downloads all messages from the alt.anonymous.messages newsgroup and searches out and displays the messages sent to you. There is no definitive way for two communicating parties to be linked together with this system.
 
Tom Ritter discussed De-Anonymizing Alt.Anonymous.Messages at Defcon 21 (2013). It is worth watching his presentation on YouTube.
 
So, what's the bottom line? While it is possible to analyze A.A.M. traffic, the procedure to do so is complex. If you want to communicate with someone, while limiting knowledge of the existence of a connection between the two of you, using Alt.Anonymous.Messages and A.A.M. Direct is an effective means of doing so. Use strong passwords in A.A.M. Direct, use different PGP keys in A.A.M. Direct than you use for other communications, use recursive encryption, and consider using multiple Nyms to disrupt traffic analysis. 
 
Once both you and the person with whom you want to communicate anonymously have downloaded and set up A.A.M. Direct, you must exchange your A.A.M. Direct PGP public keys. (Be careful here, as this exchange can itself reveal a direct connection between the two of you.)
 
You then use A.A.M. Direct to encrypt a message to that person's public key and post it to Alt.Anonymous.Messages. At some point that person downloads the latest group of messages posted to Alt.Anonymous.Messages and is able to decrypt and read those messages encrypted to his or her public key. Messages never pass directly between the two of you, and many people will download the encrypted messages, but none of them can read a message that was not encrypted to their own public key.
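The "continuously changing subject line" that A.A.M. Direct uses to address messages is the part of this system that readers most often ask about: how does the recipient find messages meant for them in a newsgroup full of encrypted posts, without the subject line naming them? The following is an added illustration written for this post; it is not code from A.A.M. Direct, and the exact layout it uses (8 random bytes followed by the first 24 bytes of a SHA-256 over those bytes and a shared secret, 64 hex characters in all) is an assumption made for the demo rather than a statement of the real hsub format. It models the addressing layer only; the message body would separately be PGP-encrypted to the recipient's key.

```python
"""Hashed-subject (hSub style) addressing for alt.anonymous.messages.

Added illustration, not code from A.A.M. Direct. The layout used here
(8 random bytes followed by the first 24 bytes of SHA-256 over those bytes
and a shared secret, 64 hex characters in all) is an assumption made for
this demo, not a statement of the exact format A.A.M. Direct uses.
"""
import hashlib
import hmac
import os
from typing import Optional

IV_LEN = 8      # random prefix: makes every subject line look different
SUBJ_LEN = 32   # bytes in a finished subject (64 hex characters)


def make_hsub(shared_secret: bytes, iv: Optional[bytes] = None) -> str:
    """Build a subject line that only a holder of `shared_secret` can recognise."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("iv must be %d bytes" % IV_LEN)
    tag = hashlib.sha256(iv + shared_secret).digest()[: SUBJ_LEN - IV_LEN]
    return (iv + tag).hex()


def matches_hsub(subject: str, shared_secret: bytes) -> bool:
    """True if `subject` was produced with `shared_secret`; False for anything else."""
    try:
        raw = bytes.fromhex(subject)
    except ValueError:
        return False                     # an ordinary, human-written subject
    if len(raw) != SUBJ_LEN:
        return False
    iv, tag = raw[:IV_LEN], raw[IV_LEN:]
    expected = hashlib.sha256(iv + shared_secret).digest()[: SUBJ_LEN - IV_LEN]
    return hmac.compare_digest(tag, expected)


def find_my_messages(subjects, shared_secret: bytes):
    """Indexes of the subject lines addressed to the holder of `shared_secret`."""
    return [i for i, s in enumerate(subjects) if matches_hsub(s, shared_secret)]


def demo():
    """Constructed newsgroup listing: two pairs of correspondents plus an unrelated post."""
    alice_bob = b"constructed shared secret between Alice and Bob"
    carol_dave = b"constructed shared secret between Carol and Dave"
    listing = [
        make_hsub(alice_bob),
        make_hsub(carol_dave),
        "Re: anyone still using this group?",   # plain subject, ignored by the matcher
        make_hsub(alice_bob),
    ]
    return {
        "for_bob": find_my_messages(listing, alice_bob),      # [0, 3]
        "for_dave": find_my_messages(listing, carol_dave),    # [1]
        "unlinkable": listing[0] != listing[3],               # same secret, different subjects
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that every subject line is a one-off: two messages for the same pair of correspondents carry unrelated-looking subjects, so a third party scanning the group cannot group them by recipient, while the holder of the secret recognises both with one hash each. This is why the post's advice on using different keys and multiple nyms matters: the subject layer hides who a message is for, but it does nothing to hide that two people exchanged keys out of band.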

Monday, December 25, 2017

Disposable E-mail Addresses

 
When you register at a web-site you are often asked to provide your e-mail address to complete the registration process, and soon thereafter your inbox is filled with Spam from that web-site, and from every other organization with which they share their marketing list. Order a product on-line, and you are asked for your e-mail address. Whether you want to be or not, you are then added to that company’s marketing list. 
 
Disposable e-mail addresses let you provide a working e-mail address that lasts for a few minutes to a few days, and then deletes itself. You can use these disposable addresses to register at a web-site, order an item, or receive a message from someone without providing your actual, personal e-mail address.
Some disposable e-mail providers include:
 
10 Minute Mail - https://10minutemail.com/
10 Minute Mail provides you with a disposable e-mail address that lasts, as the name would imply, ten minutes, and then deletes itself. While on the 10 Minute Mail web-site you can reset the self-destruct countdown back to ten minutes by clicking the “10 More Minutes” button, but once the countdown reaches zero that e-mail address is gone forever. E-mail sent to your 10 Minute Mail address appears as links on the web-site, allowing you to open, read, and reply to the e-mail. A 10 Minute Mail e-mail address looks something like this t585985@mvrht.net.
 
MailDrop - https://maildrop.cc/
MailDrop lets you make up any name you want and prepend it to the @maildrop.cc domain. E-mail sent to that e-mail address is posted to a publicly accessible web-site, where, if you know the e-mail address, you can access the e-mail. A MailDrop inbox holds a maximum of ten e-mail messages, and the inbox is deleted after 24 hours of no activity. When using MailDrop it is important to understand that anyone who knows the e-mail address can access the inbox for that address. A hard-to-guess user name, such as Gve8TTyz2, can add a little privacy to your MailDrop address – but just a little. If you need a little more privacy with your e-mail address, MailDrop creates an alias for each e-mail address. E-mail sent to the alias address will also show up in your inbox, but people cannot view the alias address inbox without knowing the original address.
 
GuerrillaMail - https://www.guerrillamail.com/  
GuerrillaMail provides you with a disposable e-mail address that allows you to receive messages, as well as compose e-mail to send to others. Composed e-mail may include attachments of up to 150MB. GuerrillaMail doesn't require account registration; anyone who knows the Inbox ID may access that inbox, so it's best to use a random address. To add protection, you can use the Scramble Address feature. GuerrillaMail deletes all e-mail that was delivered to an inbox after 1 hour.
 
YOPmail - http://www.yopmail.com/en/
YOPmail lets you choose any e-mail address @YOPmail.com. YOPmail is accessible to anyone who knows the inbox name (e-mail address), but YOPmail provides you with an e-mail alias to provide a little extra security for your e-mail. Messages are kept for 8 days and then deleted. You can also manually delete messages when you read them. Sending e-mail from YOPmail to external addresses is prohibited. You can, however, send an anonymous e-mail to another YOPmail address.
 
There are several other disposable e-mail providers that can be found with your favorite search engine. Experiment with several of them and find a couple that offer the features you like. Using a disposable e-mail address is a good way to help protect your personal privacy and defend against Spam and phishing.
 
E-mail Forwarding...
Sometimes you may want to receive multiple e-mails from someone, such as when you subscribe to a blog or newsletter, but you don’t want to provide your personal e-mail address. This is where e-mail forwarding is useful. Two e-mail forwarding services that I like are:
 
33 Mail - https://33mail.com
With 33 Mail you sign up and pick a username, for example, "joesmith". Now, any email address ending with ...@joesmith.33mail.com will be forwarded to you. The next time you visit a website that asks for your email address, instead of giving them your real email address, just make one up especially for them.
 
Not Sharing My Info - http://notsharingmy.info
Provide your e-mail address to Not Sharing My Info and they generate an e-mail alias for you. All e-mail sent to your @notsharingmy.info e-mail address is forwarded to the e-mail address you provided when signing up for your account.

With both 33 Mail and Not Sharing My Info, if you start receiving Spam at one of your alias e-mail addresses you can simply delete that alias and receive no further e-mail through it. E-mail forwarding helps protect your privacy, and helps you identify the source of data breaches - if you provide an e-mail address to only one company, you will know the source of the compromise if you start receiving Spam through that e-mail address.
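The breach-attribution idea in the paragraph above is easy to automate once you keep a record of which alias went to whom. The following is an added example written for this post, not code from 33 Mail or Not Sharing My Info: it keeps a small registry of issued aliases, reads a batch of raw messages, and flags any alias that is now receiving mail from someone other than the company it was given to. The alias domain `joesmith.33mail.com` follows the pattern described above; the registry entries and the three sample messages are constructed for the demo.

```python
"""Per-site e-mail aliases, and finding out which one leaked.

Added example, not code from 33 Mail or Not Sharing My Info. The alias
domain `joesmith.33mail.com` follows the pattern described in the post;
the registry and the three messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

# Which company each alias was handed to, recorded as the domain mail
# from that company should come from.  One alias per company, never reused.
ALIAS_REGISTRY = {
    "shop@joesmith.33mail.com": "example-shop.com",
    "newsletter@joesmith.33mail.com": "example-news.org",
}


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(raw_message: str):
    """Return (alias, verdict) for one raw RFC 822 message.

    expected      - sender is the company the alias was issued to
    leaked        - some other sender has the alias: the company that got it
                    shared it, lost it in a breach, or it was guessed
    unknown-alias - address was never issued; delete or ignore
    """
    msg = message_from_string(raw_message)
    alias = parseaddr(msg.get("To", ""))[1].lower()
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1])
    issued_to = ALIAS_REGISTRY.get(alias)
    if issued_to is None:
        return alias, "unknown-alias"
    if sender_domain == issued_to or sender_domain.endswith("." + issued_to):
        return alias, "expected"
    return alias, "leaked"


def audit(raw_messages):
    """Classify a batch and list the aliases that have leaked (candidates for deletion)."""
    results = [classify(m) for m in raw_messages]
    leaked = sorted({alias for alias, verdict in results if verdict == "leaked"})
    return results, leaked


# Constructed messages: one legitimate, one spam at the shop alias, one probe
# of an address that was never issued.
SAMPLE_MESSAGES = [
    "From: Orders <orders@example-shop.com>\n"
    "To: shop@joesmith.33mail.com\n"
    "Subject: Your order has shipped\n\nThanks for your order.\n",
    "From: Deals <deals@bulk-sender.example.net>\n"
    "To: shop@joesmith.33mail.com\n"
    "Subject: You have been selected!\n\nClick here.\n",
    "From: Anyone <x@random.example.org>\n"
    "To: admin@joesmith.33mail.com\n"
    "Subject: hello\n\nIs this address live?\n",
]

if __name__ == "__main__":
    results, leaked = audit(SAMPLE_MESSAGES)
    for alias, verdict in results:
        print(verdict.ljust(14), alias)
    print("delete these aliases:", leaked)
```

One caveat on reading the verdicts: the From header is trivially forged, so "expected" is not proof that a message is genuine. The reliable signal runs the other way: an alias that exactly one company ever received is now in somebody else's hands, whatever the message claims about its sender, and that tells you which company leaked it.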
 
Sunday, December 24, 2017

Season's Greetings

https://chesbro-on-security.blogspot.com
How do you think he knows who's been naughty and who's been nice?
 
Learn how to stay off of Santa's 'Naughty List'...
Read the Chesbro on Security blog.
 
Saturday, December 23, 2017

Start 2018 With A Clean Slate

Well, let’s at least start 2018 with a clean digital slate. Now is a great time to get rid of those old text messages and e-mails, delete old search histories, and clean up your social media accounts. Here are a few things that you can do to get rid of digital clutter and start the new year with a clean slate.
 
Clear Your Facebook Search History
Go to your Facebook timeline page and click View Activity Log.
Then click More (below Comments) and choose Search from the list.
Once you’re on the search history page, you can delete individual search queries.
To delete a search, click the edit button next to the lock icon. Click Delete.
A delete confirmation dialog box will appear. Click Remove Search.
To delete all the searches at once, look for Clear Searches option.

Delete Facebook Messages and Chat History on Your Computer
Open Facebook.
Click Messenger at the top right of the screen.
Select See All in order to bring up the full-screen view of Messenger.
Click Actions (cogwheel icon at the top right of the screen) to see the menu.
Select Delete Conversation to delete the entire conversation with a given contact.
Select Delete Messages if you'd prefer to delete one (or more) specific messages.
This will bring up an interface which will allow you to select specific messages to delete.
Click the checkbox next to each message that you'd like to delete.
Click Delete.

Clear Your Google Search History
On your computer, open Chrome.
At the top right, click More.
Click History and then History.
On the left, click Clear browsing data. A box will appear.
From the drop-down menu, select how much history you want to delete.
To clear everything, select "the beginning of time".
Check the boxes for the info you want Chrome to clear, including "browsing history".
Click Clear browsing data.

Use a Search Engine That Does Not Track You
Set your default search engine to one that does not track your search history.
Consider using DuckDuckGo or StartPage.

Delete Old G-mail
In the G-mail inbox search bar, if you type older_than:6m, G-mail will list your e-mails older than six months. You can use "y" for years or "d" for days, in the above formula, as well.
If you want to delete all selected messages, click the Check all box, followed by the Delete button.
As a best practice you should never store messages older than 180 days (6 months) in your e-mail account. The content of e-mail older than 180 days is considered a "stored communication" and does not have the same protection under the law as newer e-mail.
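If you want to apply the 180-day rule to a mailbox export rather than clicking through the Gmail interface, the `older_than:` syntax is simple enough to reproduce. The following is an added example written for this post, not Google's code: it parses a token such as `older_than:6m`, `180d` or `1y` and returns the Message-IDs in a batch of messages that are at least that old. Gmail does not document how it converts months and years, so the example assumes 30-day months and 365-day years; the four messages and the pinned "now" of 1 January 2018 are constructed so the result is repeatable.

```python
"""Apply a Gmail-style older_than:<n>[d|m|y] cut-off to a batch of messages.

Added example, not Google's code. Gmail does not document how it converts
months and years, so this demo assumes 30-day months and 365-day years.
The messages are constructed and "now" is pinned so the result is repeatable.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

_UNIT_DAYS = {"d": 1, "m": 30, "y": 365}          # assumed conversions
_TOKEN = re.compile(r"^(?:older_than:)?(\d+)([dmy])$")


def parse_older_than(token: str) -> timedelta:
    """'older_than:6m', '6m', '180d' or '1y' -> timedelta; anything else raises."""
    m = _TOKEN.match(token.strip().lower())
    if not m:
        raise ValueError("expected <n>[d|m|y], got %r" % token)
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(days=n * _UNIT_DAYS[unit])


def messages_older_than(raw_messages, token: str, now=None):
    """Message-IDs whose Date header is at least `token` old, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - parse_older_than(token)
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if msg.get("Date") is None:
            continue                                # undated: leave it for a human
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:                     # naive date: treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent <= cutoff:
            hits.append((sent, msg.get("Message-ID")))
    return [mid for _, mid in sorted(hits)]


# Constructed messages, dated relative to a pinned "now" of 1 Jan 2018.
NOW = datetime(2018, 1, 1, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    "Date: Wed, 20 Dec 2017 09:00:00 +0000\nMessage-ID: <recent@example.invalid>\n\nhi\n",
    "Date: Thu, 01 Jun 2017 09:00:00 +0000\nMessage-ID: <seven-months@example.invalid>\n\nhi\n",
    "Date: Fri, 01 Jan 2016 09:00:00 +0000\nMessage-ID: <two-years@example.invalid>\n\nhi\n",
    "Message-ID: <undated@example.invalid>\n\nhi\n",
]

if __name__ == "__main__":
    print(messages_older_than(SAMPLE_MESSAGES, "older_than:6m", NOW))
```

Running it against the sample with `older_than:6m` selects the seven-month-old and two-year-old messages and skips the undated one; with `1y` only the two-year-old message remains. Feed the returned IDs to whatever deletes messages in your mail client, and keep the undated leftovers for manual review rather than guessing their age.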

Automatically Delete Old Text Messages on Your iPhone
On the iPhone, you can set the device to automatically delete all old messages. The only problem is that you can't make any exceptions - you can't change a setting that would allow all messages from a particular sender to stay even past the expiry date. If you want to save any information from a message, clip it and save it to a separate file.
To set up automatically cleaning old messages:
Open Settings > Messages.
Scroll down to the section labeled MESSAGE HISTORY.
Tap Keep Messages.
Choose either 30 days or 1 Year. This will delete messages older than one month or one year.

Delete Unused Social Media Accounts
If you have old social media accounts that you no longer use, take time to delete them and remove your personal information on-line. The web-site Account Killer https://www.accountkiller.com/en/ provides guidance on how to delete a large number of social media accounts.

Clean Up Your Current Social Media Accounts
Look through your current social media accounts to identify profanity, mentions of drugs or alcohol, check-ins at strip clubs, and questionable photos. Of course, the image you choose to portray on social media is entirely up to you, but does that profanity-filled rant, or that photo of you drunk and passed out at a party that you posted a couple of years ago, fit with how you currently want to be seen on-line? Remember, security clearance investigations include reviewing your social media activity, and a study from CareerBuilder revealed that 70 percent of employers now use social media to screen job candidates before hiring them.

Wipe the Drives of Old Computers
When disposing of an old computer, be sure that you securely wipe the hard-drive.
To do this I recommend using DBAN (Darik's Boot and Nuke).
Visit http://www.dban.org and click on the Download DBAN option.
Once the software is downloaded (it will be a .iso file), you'll need to burn it to a CD, DVD or USB storage device so it can run without booting up your operating system (which will be deleted in the wipe). Once you have DBAN on a CD, DVD, or USB, boot from that media and follow the instructions to wipe your hard-drives.
 
Friday, December 22, 2017

SecurityPlanner.Org

 
Security Planner is an easy-to-use guide with expert-reviewed advice for staying safer online. It provides recommendations on implementing basic online practices, like enabling two-factor authentication on important accounts, making sure software stays updated, and using encrypted chats to protect private communications. More advanced users can receive advice on where to go for more help.
 
Security Planner is a project of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. It was incubated by Jigsaw (then known as Google Ideas) and handed off to the Citizen Lab in December 2015.
 
Security Planner recommendations are made by a committee of experts in digital security and have gone through a rigorous peer review evaluation, led by the Citizen Lab. We're supported by a community of organizations, including non-profits, educational institutions, and foundations, and never accept funds or services in exchange for making a recommendation.
 
Access Security Planner here: https://www.securityplanner.org/ 
 
Thursday, December 21, 2017

Yandex

Yandex (Яндекс) https://www.yandex.com/ is a Russian multinational technology company specializing in Internet-related services and products. It is Russia’s biggest technology company. Yandex operates the largest search engine in Russia with about 65% market share in that country. It also develops a number of Internet-based services and products.
 
Yandex provides you with a free e-mail account (Yandex Mail), on-line file storage (Yandex Disk), and the Yandex Browser. The Yandex search engine is the 4th most popular in the world, and provides results that you might not find using other search engines. Based on the Chromium open source project, the Yandex browser uses the Blink engine and checks downloads through Kaspersky antivirus. Also, the browser uses Opera's Turbo technology to optimize web pages for users on a slow or disrupted connection. Yandex offers DNS spoofing protection, which it claims blocks malicious web pages and protects passwords and bank card details.

Is Yandex private? Well, this is Russia, and there is the Система Оперативно-Розыскных Мероприятий ("System for Operative Investigative Activities") which lets the FSB monitor all telephone and Internet communications. So, no, Yandex is not private. However, Russia has little interest in the affairs and lives of ordinary Americans, so you may have greater privacy with Yandex than with a US-based company such as Google.

So, is Yandex a good option for you? Well, Yandex is a very reliable and easy-to-use service. Yandex is available in both Russian and English. Yandex does not flood you with advertisements every time you conduct a search, so it has a clean interface. It is, I believe, certainly worth looking at Yandex as an option for your on-line activities.
 
Depending on your threat model, there may also be some advantage to transferring your web-mail and on-line file storage to Russia. Using Yandex does not keep your account from being monitored; rather, it just transfers the ability to monitor your account from your home country (assuming that you are not Russian) to Russia.
 
Wednesday, December 20, 2017

Rubber Hose Cryptanalysis

Strong, properly implemented encryption will protect your data against most mathematical and technical attacks. The encryption available to the average person today will defeat attempts at decryption by anyone who does not have access to the associated keys (passwords) to decrypt the data. You as the owner of the encrypted data no doubt possess the encryption / decryption keys for your own data, but can you be forced to provide those keys to another person, against your will, thus providing that person access to your private information once it has been decrypted?
 
The phrase "rubber hose cryptanalysis" is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture - such as beating that person with a rubber hose, hence the name - in contrast to a mathematical or technical cryptanalytic attack. Of course, this coercion need not be an actual rubber hose; a court could order you jailed until such time as you provided the password to decrypt your files. Some countries, such as Australia and the United Kingdom have laws that require a suspect to provide known decryption keys to law enforcement, or face fines and jail. Other countries, such as the Czech Republic, Germany, and the United States have laws that protect a person from self-incrimination or being forced to provide testimony against themselves. But even in countries with protection against self-incrimination, courts have sometimes ruled that there are exceptions to those protections and ordered suspects to disclose their passwords or decryption keys.
 
In the case of State of Florida v. Aaron Stahl, Case No. 2D14-4283 (December 7, 2016) the court ordered Stahl to provide his password to decrypt his iPhone, stating: "We are not inclined to believe that the Fifth Amendment should provide greater protection to individuals who passcode protect their iPhones with letter and number combinations than to individuals who use their fingerprint as the passcode." "Compelling an individual to place his finger on the iPhone would not be a protected act; it would be an exhibition of a physical characteristic, the forced production of physical evidence, not unlike being compelled to provide a blood sample or provide a handwriting exemplar." "This is a case of surrender and not testimony," the court concluded. This Florida appeals case is an exception, as many other courts - including the trial court in the above case - have held that suspects may not be compelled to disclose the content of their mind (i.e. provide a password or other testimony against themselves).
 
It is important to note here that while suspects may be protected against compelled testimony, this does not apply to being forced to unlock a device using a fingerprint or facial recognition scan. The police can force you to provide a fingerprint or facial scan to unlock a device. When the law protects against self-incrimination it only protects the content of your mind. The law allows you to remain silent, it does not protect against being compelled to provide other things to the police - such as fingerprints, facial scans, blood samples, and DNA. In May 2016, the Department of Justice obtained a warrant to compel everyone at a home in Lancaster, California to provide his or her fingerprint on the sensor of their cell-phones, thus allowing police to search them on the spot. Those individuals who used their fingerprint to unlock their phones had their private information reviewed by police. Those individuals who used a password / PIN could not be compelled to disclose it under the warrant. 
 
The National Domestic Violence Hotline has warned about the Dangers of Sharing Passwords, saying: "By obtaining a password, an abuser is able to use the digital realm to affect a victim’s offline daily life. They can monitor actions, watch bank accounts to limit access to money, isolate the victim by controlling social media interactions and even use online activities as validation or excuses for abuse. This extension of control can be extremely dangerous." An abuser could certainly force a victim to unlock a phone with a fingerprint, and might be able to coerce a victim into revealing passwords protecting computer files, on-line accounts, and e-mail.
 
Techniques to Survive Rubber Hose Cryptanalysis
 
Avoid using biometric identifiers (i.e. fingerprints, facial recognition) as the sole means of accessing sensitive information. You have no right against self-incrimination with biometric identifiers - police can compel you to use them to unlock devices - and an abuser could use physical force to cause you to use a fingerprint or facial scan to access your private data.
 
VeraCrypt Hidden Volume allows you to create a hidden and encrypted space inside of an existing VeraCrypt encrypted volume. If you are forced to provide the password to your VeraCrypt encrypted volume, the hidden volume still remains undisclosed. This allows you to give the appearance of cooperating with demands for your passwords without disclosing your hidden information.

Use two-factor authentication whenever possible. In this way, even if you are forced to reveal your password, your data or account is still protected by the second factor of your two-factor authentication scheme.
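To see why a second factor survives a disclosed password, it helps to look at what the factor actually is. With the time-based one-time passwords (RFC 6238) used by authenticator apps, the secret that produces each six-digit code lives in the device, never in your memory, so a password extracted under duress is useless without physical possession of that device. The following is an added example written for this post, standard library only and not code from any authenticator app; the key is the RFC 6238 reference-vector key, so the codes it produces can be checked against the RFC's own tables.

```python
"""RFC 6238 time-based one-time passwords: the second factor lives in a device.

Added example, standard library only, not code from any authenticator app.
The key below is the RFC 6238 reference-vector key, so the codes it produces
can be checked against the RFC's own tables.
"""
import hashlib
import hmac
import struct
import time

RFC_SEED = b"12345678901234567890"   # RFC 6238 Appendix B test key (SHA-1 vectors)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time=None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept `code` if it matches the current step or one within `window`
    steps either side (clock drift).  Every candidate is compared in
    constant time and none short-circuits, so timing reveals nothing."""
    now = time.time() if at_time is None else at_time
    counter = int(now) // step
    ok = False
    for skew in range(-window, window + 1):
        candidate = hotp(secret, counter + skew, digits, algo)
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B: the SHA-1, 8-digit code at T=59 is 94287082.
    print("code for T=59:", totp(RFC_SEED, 59, digits=8))
    print("verifier accepts it one step later:",
          verify_totp(RFC_SEED, totp(RFC_SEED, 59, digits=8), at_time=89, digits=8))
```

Two design points worth noting for anyone adding TOTP to their own service: the verifier must reject a code that falls outside the drift window, otherwise a captured code stays valid indefinitely, and the shared seed should be stored with the same care as a password hash, since anyone holding it can generate codes at will. The seed is exactly the thing the post says an adversary cannot coerce out of your head: it was generated by a machine and enrolled by scanning a QR code, and you never saw it.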

The Electronic Frontier Foundation (EFF) has published a guide: Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud that discusses protecting your personal information when traveling.

Use a data shredder, such as Freeraser, to permanently destroy sensitive data on your computer. Know how to remotely erase your Apple or Android smartphone if it is lost, stolen, or seized. Know how to do a factory reset on your smartphone if necessary. This procedure will vary from one model of phone to the next, but be sure that you know how to do it on your phone.

Use an encrypted password manager, such as KeePass, to store your passwords and decryption keys. Password managers create an encrypted database that is used to store your passwords. Use long, complex, non-memorable passwords to protect your accounts and sensitive information. When using a password manager you won't know what the passwords to your accounts are; rather, you will remember a single password for the password manager. If you don't know the passwords to your accounts, you can't be forced to reveal them. Use a data shredder to destroy your password manager database if you come under duress. Keep a copy of the database in a secure location outside of the reach and jurisdiction of your adversary. Arrange to recover the database only after it can be shown that you are not being coerced and are not under duress (perhaps you store a copy with your attorney).
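The escrow arrangement above (a copy of the database held by your attorney, released only when you are shown not to be under duress) can be taken one step further so that no single holder, you included, can be coerced into producing the key. The following is an added example that goes beyond what the paragraph describes, written for this post and not code from KeePass or any other product: Shamir's k-of-n secret sharing over the prime field GF(2^521 - 1), standard library only. A master secret of up to 64 bytes is split into n shares of which any k rebuild it; with a 2-of-3 split held by you, your attorney and a trusted friend, the copy you carry is useless on its own, and recovery needs two parties to agree that the request is not coerced.

```python
"""Shamir k-of-n secret sharing for a password-manager master secret.

Added example that goes one step beyond the paragraph above: instead of
one complete copy of the database key held by an attorney, the key is split
so that no single holder, you included, can be coerced into producing it.
Standard library only; arithmetic over GF(p) with p = 2**521 - 1. Not code
from KeePass or any other product.
"""
import secrets

PRIME = 2**521 - 1       # Mersenne prime; any secret of up to 64 bytes is < PRIME
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` points (x, y); any `threshold` of them rebuild it."""
    if not 1 <= len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret must be 1..%d bytes" % MAX_SECRET_BYTES)
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from distinct (x, y) shares.

    With fewer than `threshold` shares this yields garbage (often a value
    too large to fit in `length` bytes), never the secret and never a hint
    about how close a partial set is: that is the point of the scheme.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


if __name__ == "__main__":
    master = secrets.token_bytes(32)                          # e.g. a KeePass key file
    parts = split_secret(master, threshold=2, shares=3)      # you, attorney, friend
    print("attorney + friend rebuild it:", recover_secret(parts[1:], 32) == master)
```

The shares themselves need protecting from loss rather than from reading: a single share reveals nothing about the secret, but losing more than n - k of them makes the secret unrecoverable, so give each holder a way to store theirs durably. The database file itself still needs to exist somewhere outside the adversary's reach, exactly as the post says; what changes is that the key to open it no longer sits in any one place.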

Store sensitive data in the Cloud to prevent it from being compromised if your computer or smartphone is lost, stolen, or seized. Remember that all data stored in the Cloud should be encrypted before it is uploaded. I recommend SpiderOak for Cloud storage, but also use Yandex Disk for storing some files.

The techniques for defeating rubber hose cryptanalysis are twofold. First is to use technical means to prevent you from being able to reveal information while under duress (you can't disclose a password that you don't know, and you can't share a private key that you don't possess). Second is to employ obfuscation (i.e. hidden files) to allow you to give the appearance of cooperation without compromising your most sensitive data.  

Tuesday, December 19, 2017

Massive leak exposes data on 123 million US households

An article on C|Net today reported that a Massive leak exposes data on 123 million US households. An unsecured database that contained a wide range of personal details about virtually every American household was left online by marketing analytics company Alteryx. The data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and number of children in the household. The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax. According to the article the data "would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied."

These data breaches are becoming almost commonplace, and every time information about you, your family, or your household is disclosed you are put at risk of becoming a victim of identity theft, fraud, phishing, and other targeted cybercrimes. You should make it a point to limit the amount of information that you disclose about yourself, and whenever possible have your information removed from databases and other records. Individual OPSEC and Personal Security is becoming more important every day.


The REAL ID Act - 2018

 
The REAL ID Act establishes minimum security standards for license issuance and production and prohibits Federal agencies from accepting for certain purposes driver’s licenses and identification cards from states not meeting the Act’s minimum standards. The purposes covered by the Act are: accessing Federal facilities, entering nuclear power plants, and boarding federally regulated commercial aircraft. About half of the states are compliant with the REAL ID Act, while the remaining states have an extension until October 10, 2018 or are currently under review.

According to the Department of Homeland Security "Starting January 22, 2018, [now October 10, 2018 for most states with an extension] passengers who have driver’s licenses issued by a state that is not yet compliant with REAL ID and that has not received an extension will need to show an alternative form of acceptable identification for domestic air travel."

Are those states with a current extension until October 10, 2018 going to be in compliance with the REAL ID Act by that time? It seems unlikely. Will there be another extension granted to those states? Probably - but sooner or later there will be no more extensions granted to non-compliant states, and then residents of those states will need an alternate, Federally approved ID to access Federal facilities or fly on a commercial aircraft.

If you are unsure whether your state will be in compliance with the REAL ID Act, and you are concerned with being able to enter Federal facilities or fly domestically, you might consider getting a U.S. Passport Card to use as your standard form of ID.

The Passport Card is Real ID compliant and can be used for domestic air travel. It also lets you enter the United States at land border crossings and sea ports-of-entry from: Canada, Mexico, The Caribbean, and Bermuda.
 
Another option is to obtain an "Enhanced Driver's License" if you reside in one of the five states that issue them (Michigan, Minnesota, New York, Vermont, and Washington).
 
Like the US Passport Card, an Enhanced Driver's License from one of these states meets REAL ID Act requirements and can be used to fly domestically and enter the United States at land crossings and sea ports from Canada, Mexico, The Caribbean, and Bermuda.

It should be noted that neither the US Passport Card nor an Enhanced Driver's License is accepted for international air travel. For that you will need a regular passport.

REAL ID and Privacy

Some states and organizations oppose the implementation of the Real ID Act (which may be why so many states are not currently in compliance with the Act). The ACLU has said "If fully implemented, the law would facilitate the tracking of data on individuals and bring government into the very center of every citizen’s life. By definitively turning driver’s licenses into a form of national identity documents, Real ID would have a tremendously destructive impact on privacy. It would also impose significant administrative burdens and expenses on state governments, and it would mean higher fees, longer lines, repeat visits to the DMV, and bureaucratic nightmares for individuals. Because of these problems, many states oppose the use of Real ID, and it has not gone into full effect. The ACLU has joined with these states to support the repeal of the law."

The Electronic Frontier Foundation has said "The federal government is trying to force states to turn your drivers license into a national ID... the Real ID Act will create grave dangers to privacy and impose massive financial burdens without improving national security in the least. Signed into law in May 2005 without meaningful debate the Real ID Act states that drivers licenses will only be accepted for "federal purposes" - like accessing planes trains national parks and court houses - if they conform to certain uniform standards. The law also requires a vast national database linking all of the ID records together. Once the IDs and database are in place their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember the Social Security number started innocuously enough but it has become a prerequisite for a host of government services and been coopted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example because "common machine-readable technology" will be required on every ID the government and businesses will be able to easily read your private information off the cards in myriad contexts."

The REAL ID Act was attached to an emergency supplemental, with no hearings, no votes, but what it is, the Federal Government will be dictating how the States go about the business of licensing residents to operate motor vehicles. State motor vehicle officials will be required to verify the legal status of applicants, adding to the responsibilities of already heavily burdened State offices... the Federal Government dictates responsibilities for what has traditionally been a State function--and adds layers of bureaucracy and regulation to effectively create a national ID card, and that is what it is--there is no help in footing these hefty bills. It is an unfunded mandate passed by the last Congress to add to the taxpayers of the States $23 billion in costs. [Senate Hearing 110-113]