Tuesday, October 31, 2017

Vehicle Ramming Attacks



 
At least eight people have been killed in New York after a pickup truck plowed down a bike path in lower Manhattan this afternoon (October 31, 2017). The driver was shot and taken into police custody. Authorities are treating the incident as a terror attack.
 
The attacker who turned a Home Depot truck into a deadly weapon in New York City, used a method that has become familiar in terror attacks across the world. He was identified by two law enforcement sources familiar with the investigation as Sayfullo Habibullaevic Saipov. The suspect is from the central Asian nation of Uzbekistan and came to the United States in 2010.  Witnesses reported that Saipov was yelling "Allahu Akbar," as he rammed his vehicle into cyclists along a bike path.
 
Today's terrorist attack is similar to others that have occurred this year: 
  • In August 2017, Younes Abouyaaqoub drove a van into the crowded Las Ramblas mall in Barcelona, killing at least 13 and injuring more than 130. Another suspect, Moussa Oukabir, is thought to have rented the van. Oukabir, a teenager, was suspected of using his brother’s documents to hire the vehicle.
  • In June 2017 three terrorists killed eight people after driving a van into pedestrians on London Bridge before attacking nearby revellers. It later emerged the group had initially tried to hire a 7.5-tonne truck but were unsuccessful.
  • In April 2017, a hijacked truck was deliberately driven into crowds in Stockholm, Sweden, killing five and injuring 14 others.
  • In March 2017, Khalid Masood, a British citizen, rented the 4x4 he used to mow down pedestrians on London’s Westminster Bridge, killing four people, then fatally stabbed a policeman before being shot dead by police.
  • The most devastating of such attacks happened in July 2016 when Mohamed Lahouaiej-Bouhlel used a hired 19-tonne cargo truck to kill 86 people in Nice on Bastille Day. Then in December a truck was deliberately driven into a crowded Christmas market in Berlin, killing 12. On that occasion Anis Amri hijacked a truck before driving it into the crowd.
 
Protective Measures Against Vehicle Ramming Attacks
 
Watch for danger signs.  Be alert for speeding vehicles, sounds of collisions, revving engines, or sudden unusual vehicle movements.  If you see or hear something that is outside of the norm for your environment, don’t just blow it off.  Look around and actively figure out if you are in danger.  During attacks like these, a second or two of forewarning can be the difference between life and death.
 
Don’t loiter in any spaces that the terrorists can use as drive lanes. If you are walking on a busy street and need to stop in order to tie your shoes, write a text, or speak with a friend, stop at a spot on the sidewalk that offers you some protection from a car hopping the curb. The gaps between the parked cars are the likely routes the terrorists will use to get onto the sidewalk.  Don’t stand there.  You are much safer if you keep a parked car between you and the traffic lane.
 
Move indoors immediately, but don’t stay there.  A sturdy structure offers a decent refuge from a vehicle driven by a terrorist intent on killing people.  Get inside quickly.  Stay away from large glass windows/doors and exterior walls.  Once you get inside, you are relatively safe against a vehicular attack. The problem is created, however, when waiting with a large group of people indoors exposes you to risks from terrorist attacks that are conducted in the more traditional manner of shooting, bombing, and stabbing.  You don’t want to be huddled up into a tight group without an escape route.
 
Don’t rush to help the injured. Immediately after the attack, you may feel compelled to rush in and help those who have been hurt.  Take a moment and assess the scene before wading into the chaos.  Is the crashed vehicle a danger?  Are there people in the area shooting or cutting people with knives?  Is it possible that there is more than one attacker? 
 
Stay away from the attack vehicle and be alert for secondary attacks.  Here’s my prediction for the next evolution of this type of attack. Terrorists will place a bomb in the car they used to run people over. Explosives set to go off 10 minutes after the vehicle attack. It’s the perfect secondary device. The bomb will kill all the first responders and anyone giving aid to the victims.
 
Don’t draw your firearm while you are attempting to figure out what’s happening.  Those of you who regularly carry firearms may decide that the best course of action is to shoot the attack vehicle driver or his terrorist accomplices.  That’s great. Just recognize that it’s going to take you a few seconds to figure out what’s happening.  Keep your gun in your holster while you are evaluating the situation and making your hasty battle plan.
 

When shooting through a windshield, fire multiple times, and remember that bullets deflect downward when fired into a vehicle through the windshield. Auto glass is a very challenging tactical barrier. It is a hard and very strong material that universally deforms and deflects the handgun bullets that pass through it. The heavier the bullet, the less deflection. In tests a 230 grain FMJ (.45 ACP) deflected the least, while a 115 grain 9mm FMJ round deflected the most.

Monday, October 30, 2017

Things You Can Do to Avoid Fraud


1. Spot imposters. Scammers often pretend to be someone you trust, like a government official, a family member, a charity, or a company you do business with. Don’t send money or give out personal information in response to an unexpected request — whether it comes as a text, a phone call, or an email.
 
2. Do online searches. Type a company or product name into your favorite search engine with words like “review,” “complaint” or “scam.” Or search for a phrase that describes your situation, like “IRS call.” You can even search for phone numbers to see if other people have reported them as scams.
 
3. Don’t believe your caller ID. Technology makes it easy for scammers to fake caller ID information, so the name and number you see aren’t always real. If someone calls asking for money or personal information, hang up. If you think the caller might be telling the truth, call back to a number you know is genuine. (https://www.fcc.gov/consumers/guides/spoofing-and-caller-id)
 
4. Don’t pay upfront for a promise. Someone might ask you to pay in advance for things like debt relief, credit and loan offers, mortgage assistance, or a job. They might even say you’ve won a prize, but first you have to pay taxes or fees. If you do, they will probably take the money and disappear.
 
5. Consider how you pay. Credit cards have significant fraud protection built in, but some payment methods don’t. Wiring money through services like Western Union or MoneyGram is risky because it’s nearly impossible to get your money back. That’s also true for reloadable cards like MoneyPak, Reloadit or Vanilla. Government offices and honest companies won’t require you to use these payment methods. Be cautious when using your credit card online. Only enter your credit card number on secure websites that you can be 100% sure are legitimate. To be sure a website is secure, look for https:// in the address bar and the lock icon in the lower right corner of your internet browser.
 
6. Don't show ID with your credit card. Security experts say the information on your driver’s license could be enough to steal your identity, which is why the Federal Trade Commission is cracking down on retailers who ask consumers to show theirs. Both MasterCard and Visa actually prohibit merchants from requiring identification as a condition for accepting their credit cards, provided the card is signed. A study by Javelin Strategy & Research found that an increasingly common method of identity theft is account takeover fraud: instead of just using a card for unauthorized transactions, fraudsters dive deeper and hack into existing accounts, change settings and make purchases in your name online. In order to do this effectively, the criminal needs additional personal information beyond that contained in the credit card transaction. This additional information is exactly what you provide by showing ID when making a credit card purchase.
 
7. Talk to someone. Before you give up your money or personal information, talk to someone you trust. Con artists want you to make decisions in a hurry. They might even threaten you. Slow down, check out the story, do an online search, consult an expert — or just tell a friend.
 
 

 
8. Be extremely cautious when dealing with anyone you’ve met online. Scammers use dating websites, Craigslist, social media, and many other sites to reach potential targets. They can quickly start to feel like a friend or even a romantic partner, but that is part of the con to get you to trust them.
 
9. Hang up on robocalls. If you answer the phone and hear a recorded sales pitch, hang up and report it to the FTC. These calls are illegal, and often the products are bogus. Don’t press 1 to speak to a person or to be taken off the list. That could lead to more calls. (https://www.consumer.ftc.gov/features/feature-0025-robocalls)
 
10. Be skeptical about free trial offers. Some companies use free trials to sign you up for products and bill you every month until you cancel. Before you agree to a free trial, research the company and read the cancellation policy. And always review your monthly statements for charges you don’t recognize.
 
11. Don’t deposit a check and wire money back to the sender. By law, banks must make funds from deposited checks available within days, but uncovering a fake check can take weeks. If a check you deposit turns out to be a fake, you’re responsible for repaying the bank.
 
12. Guard your personal information. Fraudsters use a variety of tricks to get you to divulge account numbers and passwords. They send bogus emails designed to look like they are from your bank and make calls pretending to be with your credit card company. There’s always a reason why they need your personal information. A common ruse is for a phone bandit to ask for your account number and PIN to solve a computer problem or to stop fraudulent transactions spotted on your account. It doesn’t matter what they say – hang up! Those who need your account numbers, PINs or passwords already have them. They’d never call you or send you an email asking for them. When in doubt, contact the company in question by phone – use a number you know to be legitimate, from your statement or the phone book – and ask what’s up. Your Social Security number is the key to your life. A thief can use it to steal your money and your identity. Social Security numbers are also used to access many financial and medical records. So guard that number and only give it out when absolutely necessary to someone you know and trust.



Saturday, October 28, 2017

Document Shredders for Home Use

 
 
To safeguard your personal privacy and help protect yourself from identity theft, fraud, and stalking, you should have a document shredder in your home. The type of shredder that you should buy depends upon your personal security requirements and the number of things you need to shred on a regular basis.
 
First let’s consider security levels. The security level of a shredder is broadly defined by how small the shredded pieces are and thus how difficult it would be for an adversary to reassemble a document or read information from shredded pieces of a document. The security levels also take into consideration the type of material being shredded (microfilm requires much smaller shredding than paper documents). For home use, and for most users in general, we will consider three general types of shredders: Strip-Cut, Cross-Cut, and Micro-Cut. Security levels run from P-1 (the lowest level) to P-6 (the highest level). Most shredders intended for home use have P-2 security if they are strip-cut, P-3 security if they are cross-cut, and P-4 if they are micro-cut.
 

Strip-cut shredders cut paper into long, thin strips. Strip-cut shredders can handle high volumes of paper and are good for low-level security documents (including some home use). A better option, however, is a cross-cut shredder, which cuts documents into small pieces, usually less than two inches in length. Cross-cut shredders are the most commonly used in both home and commercial environments. A cross-cut shredder will provide excellent security for almost any home use. Micro-cut shredders are like cross-cut shredders, but cut documents into even smaller pieces. If you need to destroy very sensitive documents, or believe you are being directly targeted by a corporate or state level adversary, then a micro-cut shredder is recommended.  
 
Next let’s consider usage levels. How many documents do you need to shred at one time? Do you need to shred optical media such as CD/DVD, and other non-paper items such as credit cards? What volume of material do you need to shred at any one time (i.e. how long do you need the shredder to run before it needs a cool-down period)? Most home use does not require a high-volume shredder, since we are probably shredding fewer than twenty sheets of paper at any one time. We may not need to shred documents for hours on end, but being able to simply drop junk mail into the shredder without having to open it is useful. Choosing a shredder that can shred at least eight sheets of paper at the same time allows you to shred folded documents (i.e. a folded letter) without having to open them first. The ability to shred CD/DVDs and credit cards is also useful if you have a computer in your home and store any type of personal or sensitive information on CD/DVD.
 
Examples of good document shredders for home use include:
 
 
It is possible to find document shredders for a little bit less money ($30 - $50), but these cheaper shredders tend not to hold up to continuous use. Still, if you are looking for a home shredder for occasional use, the Amazon Basics 12-Sheet Cross-Cut Paper, CD, and Credit Card Shredder is a reasonable choice.
 
The Privacy Rights Clearinghouse (https://www.privacyrights.org) recommends shredding the following documents:
  • Monthly bills. Even if you bank online, also shred payment coupons, which might contain your full account number, even if the bill did not.
  • Receipts or other papers that show your signature, which ID thieves could use to forge other documents.
  • Employer pay stubs.
  • Documents that contain account information, such as statements from your bank, credit-card companies, 401(k) administrator, and broker and other investment statements. Don't forget courtesy checks from your credit-card issuer or bank. Call that source and ask it to stop sending the checks.
  • Anything that contains your Social Security number, including annual statements from the Social Security Administration. Don't forget old identification cards, including an expired driver's license.
  • Expired credit cards, and prescreened credit-card offers and applications, even if they contain incorrect personal information. All can be used to obtain fake credit cards.
  • Explanation-of-benefits forms from your medical insurer. They usually include your member ID number, which leaves you vulnerable to medical-ID theft. Also shred papers and labels with prescription numbers on them.
  • Tax forms and tax-related documents more than seven years old.
  • Any documents that list a password or PIN, and anything else with personal information that you wouldn't want a stranger to see.
  • All mail from your financial institution, including change-of-terms notices. Even documents that don't have account information can tell fraudsters a little more about you than you might want them to know.
  • Documents from companies you've done business with recently, including those from recent travel. Thieves could call you masquerading as a representative from one of those businesses to try to trick you into disclosing personal information.
 
 


Wickr Privacy Survey



Wickr is one of my favorite communication apps. It is strongly encrypted and does the right things to support individual privacy. Wickr is conducting a short (10 question) privacy survey to gather current opinions on the state of privacy. You can participate in the survey here: https://www.wickr.com/privacy-survey-oct-2017
 
If you don't currently use Wickr you can download it for free from here: https://www.wickr.com/personal/.  Wickr is available for Android, iOS, and Desktop.
 
 
 
 

Thursday, October 26, 2017

Foreign Travel

To travel overseas you will need a passport. If you have a current passport, great... if not, you should get one as soon as possible. The US Department of State explains how to apply for your passport here (you cannot apply online). Once you have obtained the necessary documentation and completed the required forms, you take all of this to a local passport office and apply for your passport. The passport agent will make sure that all required paperwork is complete, take your application fees, and submit your application. In a few weeks you will receive your passport in the mail.

With a passport in hand, you can travel internationally. Country entrance requirements are listed on the State Department’s web-site: https://travel.state.gov/content/passports/en/country.html.
 
International Driving Permit
 

 
In the United States there are two organizations authorized to issue International Driving Permits. These organizations are the American Automobile Association (AAA) - http://www.aaa.com, and the National Auto Club - http://www.thenac.com. The International Driving Permit is not a driver’s license in and of itself, rather it is a translation of your driver’s license and is a recognized and often required piece of identification when driving an automobile overseas. According to the National Auto Club,  "International Driving Permits are a recognizable form of identification which can help you communicate with foreign authorities. The IDP provides an official translation of your U.S. driver’s license into 9 foreign languages and is acknowledged as valid identification in 174 countries around the world. IDPs are not a replacement for your U.S. license, but should be used as a supplement to it. Experienced travelers always carry the International Driving Permit while traveling outside the USA."

Even if you don’t plan to drive while overseas, the International Driving Permit can serve as a useful piece of secondary identification when dealing with officials in a foreign country. To obtain an International Driving Permit from either AAA or the National Auto Club, simply fill out an application and mail it along with a copy of your driver’s license and two passport-type photographs to the address on the web-site. At the time of this writing the cost for an International Driving Permit was $20.00, and processing time was between one and two weeks. From the date of issue an International Driving Permit is valid for one year. 
 
Travel Alerts & Warnings


 
Before travelling to a foreign country it is important to have an understanding of what the situation in that country is like, and that understanding should extend well beyond the brochures at your local travel agency. Being aware of long-term threats and short-term problems can keep you out of trouble. Knowing what risks you may face in a specific country or area of the world can help you mitigate those risks. It always pays to know before you go, because what you don’t know can kill you. 

The United States Department of State publishes country information and travel guidelines on its web-site: http://travel.state.gov/. The United Kingdom's Foreign Office publishes foreign travel advice and country information on its Gov.UK web-site: https://www.gov.uk/foreign-travel-advice. The Government of Canada provides country travel advice and advisories on its web-site: http://travel.gc.ca/travelling/advisories. The Australian Government, Department of Foreign Affairs and Trade publishes similar information on its web-site: http://smartraveller.gov.au/countries/; as does the Government of New Zealand on its 'Safe Travel' web-site: https://www.safetravel.govt.nz/.  The United States Centers for Disease Control and Prevention (CDC) provides traveler health information on its web-site: http://wwwnc.cdc.gov/travel, as does the World Health Organization at http://www.who.int/ith/en/.
 
For additional details about a country, the CIA World Factbook also provides general information about every country in the world. Each of these country information and travel advisory web-sites is run by a country’s State Department or Department of Foreign Affairs and will be colored somewhat by the current politics of the country providing the information. The information may seem a bit general and vague at times - we would always like more detailed information - but overall the information provided on these web-sites will be of value to anyone planning to travel overseas, especially if you have never travelled to that specific country or area of the world before.
 
The Overseas Security Advisory Council (OSAC) has prepared an eleven-page ‘Travel Security Form’ to help individuals prepare for overseas travel. OSAC says  "More U.S. private-sector employees, students, and staff are traveling abroad than ever before. At the same time, the overseas security landscape has grown increasingly dynamic, with threats posed by terrorists, insurgents, and criminals, as well as non-human forces like natural disasters and diseases. The objective of this guide is to equip international travelers with tactics and procedures that may reduce the risks inherent to overseas travel." The form can be downloaded from the OSAC web-site at: https://www.osac.gov/pages/ContentReportDetails.aspx?cid=19177 
 
The OSAC Crime and Safety Reports (https://www.osac.gov/pages/ContentReports.aspx) provide information about current crime patterns in various countries and cities, and offer safety tips and advice for travelers to those areas. 
 
Foreign Language
 
 
Speaking the language of the country or area to which you will be traveling is always a significant advantage. Speaking the local language allows one to communicate with others in order to meet basic needs, show courtesy to others, and build relationships and friendships in the local community. Furthermore, someone who speaks the local language will be less likely to stand out and attract attention. 
 
There are several on-line foreign language courses that can be found with a simple Internet search. Some of these courses are free, while others can cost up to several hundred dollars for basic language instruction. The quality of these on-line courses ranges from just OK to absolutely outstanding, but it also depends on one’s learning style and ability to learn from an on-line program. Regardless of how you choose to learn a foreign language, learning even just a few basic words, phrases, and courtesies can make for a more enjoyable and ultimately safer foreign travel experience.
 
International Medical Insurance
 


What will you do if you become sick or injured while away from home? At home your medical insurance may cover hospitalization, treatment, and recovery programs. Off in some remote corner of the world "western-style medicine" may not be readily available, and even if it is, your insurance coverage may not be valid there. Other forms of medicine (i.e. Traditional Chinese Medicine, or Ayurvedic Medicine) may also provide effective treatments, but again doctors don’t always work for free. If you need medical treatment it is essential that you have a way to pay for it. Your current health insurance plan may be able to add coverage to pay for medical and emergency services while you are away from home. You may also want to choose a short-term policy to cover you while you are traveling.
 
There are several insurance companies that can provide travel insurance. Some of the better known of these companies are:
 
Regardless of the company you choose, do your research and ensure that it meets your specific needs, and most importantly that it will be accepted by medical establishments in the specific area to which you will be traveling.
 
In remote and unstable areas of the world you may also want to have a medical and security evacuation plan. Companies such as
can provide emergency evacuation services from remote areas of the world. These emergency evacuation service plans work much like other travel insurance, but are focused on getting you back home in case of emergency.
 
Robert Young Pelton’s web-site, Edward Hasbrouck’s web-site, and the Lonely Planet web-site all provide excellent information for planning travel to remote and dangerous areas. Both Pelton’s site (Black Flag Café Forum) and the Lonely Planet (The Thorn Tree Forum) offer an on-line forum where one can exchange information with other people who are planning similar travel, or perhaps who are currently at your planned destination. The Daily Telegraph Expat site offers information for individuals traveling, living, and working overseas. The Escape Artist web-site is focused on Americans and provides information about living, working and retiring overseas. Just Landed is a similar web-site providing information for the expatriate communities in several countries.
 
 
 



Wednesday, October 25, 2017

EPIC Privacy Browser

 
 
"Epic is a private browser that's fast, simple and actually works. When you're using Epic with our encrypted proxy on, your data is encrypted and hidden from the government, from your ISP, from Google, from your employer, and from hundreds of data collectors. On close of Epic, there's no easily accessible record of your browsing history left on your computer. We believe what you browse & search should always be private."
 
 
 


Tuesday, October 24, 2017

Encrypting File System (EFS)

 

Many businesses share computers between multiple employees, and even if you have an assigned computer at your office it is probably connected to a network. Any networked computer can be accessed over the network given the proper permissions. Laptop computers are often used while traveling and thus have an increased risk of being stolen and having criminals gain access to sensitive business data stored on the computer.
 
One way to protect data on your computer is to use the Encrypting File System (EFS). The EFS on the business and professional versions (i.e. Windows 10 Pro, Enterprise, and Education) of Microsoft Windows provides file-level encryption to help protect data from attackers who have physical access to your computer. EFS encryption is tied to your user log-on credentials (password or access token), so if another user logs on to your computer, files protected with the EFS will not be accessible to that person. EFS also protects against off-line attacks, such as booting the computer from a CD or USB, or removing the hard-drive from a password protected computer and putting it in another computer to bypass operating system security.
  
To protect a file or folder with the EFS:
  1. Right-click a file or folder that you want to encrypt.
  2. Click Properties.
  3. Click Advanced, on the ‘General’ tab.
  4. Click the checkbox next to Encrypt contents to secure data.
  5. Click OK.
  6. Click Apply. A window will pop up asking whether you want to encrypt only the selected folder, or the folder, subfolders, and files.
  7. Click either Apply changes to this folder only or Apply changes to this folder, subfolders, and files.
  8. Click OK.
 
Right click on the folder again, and choose the 'Security' tab. In the 'Group or user names:' box ensure that only 'SYSTEM' and your own user name are present. If an ‘Administrators’ group is listed in this box you may want to remove it to prevent system administrators from being able to access these encrypted files.
 
The EFS is a useful tool on a network when you need to restrict access to specific files to specified users. Files and folders encrypted with the EFS are accessed normally when you are logged in with the proper account or token, but if you are not properly logged in you will be denied access to any EFS encrypted document. It is important to note, however, that if your log-on credential changes (i.e. you get a new access token or delete your user account) you will lose access to any files encrypted with your old credential. In Windows 10, EFS encrypted files have a small padlock displayed on the file icon. In Windows 7, EFS encrypted filenames are displayed with green letters.
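The same procedure done from PowerShell, as an added example that is not part of the original post: it encrypts a folder and its contents (the GUI's "Apply changes to this folder, subfolders, and files"), verifies the Encrypted attribute, audits the NTFS permissions for the Administrators group mentioned above, and lists who can actually decrypt. It assumes a Windows edition with EFS, an NTFS volume, and a placeholder folder path you replace with your own; the function name Protect-FolderWithEfs is my own.

```powershell
# Added example (not from the original post). Requires Windows Pro/Enterprise/
# Education, an NTFS volume, and cipher.exe, which ships with Windows.
function Protect-FolderWithEfs {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [switch] $RemoveAdministrators   # off by default; see the note in step 3
    )

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }

    # Step 1: encrypt the folder, its subfolders and files. "/e" encrypts and
    # "/s:" applies the operation to the given directory and everything below it.
    & cipher.exe /e "/s:$Folder" | Out-Null

    # Step 2: verify that the folder and every file in it carry the Encrypted
    # attribute (the padlock on the icon in Windows 10).
    $items = @(Get-Item -LiteralPath $Folder) +
             @(Get-ChildItem -LiteralPath $Folder -Recurse -File)
    $notEncrypted = $items | Where-Object {
        -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    }
    if ($notEncrypted) {
        Write-Warning "Not encrypted: $($notEncrypted.FullName -join ', ')"
    }

    # Step 3: audit the NTFS ACL. The post recommends that only SYSTEM and your
    # own account appear on the Security tab. Administrators is normally an
    # inherited entry, so inheritance is broken first (keeping copies of the
    # existing entries), then the group's entries are purged in a second pass.
    # Note: this only restricts NTFS access; a local administrator can still
    # take ownership, and a Data Recovery Agent (step 4) can still decrypt.
    $acl = Get-Acl -LiteralPath $Folder
    $adminRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators'
    }
    if ($adminRules -and $RemoveAdministrators) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Folder -AclObject $acl
        $acl = Get-Acl -LiteralPath $Folder
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
        Set-Acl -LiteralPath $Folder -AclObject $acl
    } elseif ($adminRules) {
        Write-Warning "Administrators group still has NTFS access to $Folder"
    }

    # Step 4: show who can decrypt. "cipher /c" lists, per file, the user
    # certificates that can decrypt it and any recovery certificate. A Data
    # Recovery Agent configured by policy can decrypt regardless of the NTFS
    # permissions changed above, so this is the check that matters on a domain PC.
    & cipher.exe /c $Folder
}

# Usage with a placeholder path. Afterwards, back up your EFS certificate and
# private key with "cipher /x C:\some\path\efs-backup" (it prompts for a
# password); without that backup, the loss of access described above when a
# credential is reset or an account is deleted is permanent.
Protect-FolderWithEfs -Folder 'C:\Users\YourName\Documents\Sensitive'
```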
 
For more information about the EFS, I recommend the YouTube Video: MCTS 70-680: Encrypting File System (EFS).


 


National Gang Report - 2015

 
 
 
 
After I posted the link to the 2017 National Drug Assessment, some readers asked if there was a similar assessment for gangs in the United States. Yes, there is, but the latest public version of that report is 2015. It should be noted that the 2015 National Gang Report is not an extension of the 2013 or 2011 installments. Rather, it is an independent overview of data obtained between 2013 and 2015.
 
I recommend that you read each of these reports (2011, 2013, and 2015) to gain the most complete understanding of the national gang threat.

 


Monday, October 23, 2017

National Drug Threat Assessment - 2017

 
 
 
The Drug Enforcement Administration (DEA) released the 2017 National Drug Threat Assessment today.
 
You can download a PDF copy of the assessment here:
 
Over the past 10 years, the drug landscape in the United States has shifted, with the opioid threat (controlled prescription drugs, synthetic opioids, and heroin) reaching epidemic levels, impacting significant portions of the United States. While the current opioid crisis has deservedly garnered significant attention, the methamphetamine threat has remained prevalent; the cocaine threat appears to be rebounding; new psychoactive substances (NPS) continue to be a challenge; and the focus of marijuana enforcement efforts continues to evolve. Drug poisoning deaths are the leading cause of injury death in the United States; they are currently at their highest ever recorded level and, every year since 2011, have outnumbered deaths by firearms, motor vehicle crashes, suicide and homicide.
 
 



SecureDrop

 
 
SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.
 
Review the SecureDrop web-site (listed above), and try the demo to see how the system works. A few news agencies that use SecureDrop are listed below. Reading their SecureDrop pages will provide additional tips for providing information anonymously.

Although SecureDrop is intended for media organizations to receive information from anonymous and confidential sources, any organization with the ability to set up and run a server can install and use SecureDrop. Of course, it helps to have the clout and infrastructure of a major news service to maintain your SecureDrop and ensure that it isn't seized or otherwise compromised. Still, if you have an organization that needs to communicate with anonymous and confidential sources, SecureDrop may be an option.
 
 
 



Saturday, October 21, 2017

ProtonMail + TOR

 
I have previously recommended using ProtonMail to protect your personal communications. Now there is an additional reason to like ProtonMail. You can add a degree of anonymity to your ProtonMail by creating and always accessing your account via TOR. ProtonMail has created a TOR hidden service at https://protonirockerxow.onion. (You will, of course, need TOR installed on your computer in order to access this .onion web-site. Download your copy of TOR here: https://www.torproject.org.)
 
Additional details about the integration of ProtonMail and TOR can be found on the ProtonMail blog at: https://protonmail.com/blog/tor-encrypted-email/.
Financial Privacy - Opt-Out Info

 
 
According to the Federal Deposit Insurance Corporation (FDIC) companies that offer financial services may share your private financial information with others. Companies that offer financial services include:
  • Banks, savings and loans, and credit unions
  • Insurance companies
  • Securities and commodities brokerage firms
  • Retailers that directly issue their own credit cards (such as department stores or gas stations)
  • Mortgage brokers
  • Automobile dealerships that extend or arrange financing or leasing
  • Check cashers and payday lenders
  • Financial advisors and credit counseling services
  • Sellers of money orders or traveler’s checks.
 
According to Federal law these companies must send you an annual privacy notice, giving you the opportunity to opt-out of the sharing of some parts of your personal financial information with others. The FDIC points out that “Financial companies share information for many reasons: to offer you more services, to introduce new products, and to profit from the information they have about you… If you prefer to limit the promotions you receive or do not want marketers and others to have your personal financial information, you must take some important steps.”
 
Unfortunately, you cannot opt-out of all sharing of your private financial information. The law lets financial companies share your information for some purposes without your permission. For example, a financial company can share:
  • your private financial information with firms that help promote and market the company's own products or products offered under a joint agreement between two financial companies
  • records of your transactions--such as your loan payments, credit card or debit card purchases, and checking and savings account statements--with firms that provide data processing and mailing services for the company
  • information about you in response to a court order
  • your payment history on loans and credit cards with credit bureaus.
 
In these cases, you have no right to opt-out of the sharing of your private financial information. If you choose to do business with these financial companies, they can share and profit from your private financial data. However, you do have the right to opt-out of sharing of your private financial information for marketing purposes. When you receive a privacy notice in the mail from your financial companies, take a few minutes to read the notice and if you want to limit the sharing of your private financial information for marketing purposes – Opt-Out.
 
Examples of privacy notices can be seen at the following sites:
 
If you haven’t already reviewed the privacy notice from each of your financial companies, contact them and ask for a copy of the privacy notice and inform each of these financial companies that you wish to opt-out of the sharing of your information.
Thursday, October 19, 2017

Freeware Encryption

 
 
 
In 2001, I published a short book, “Freeware Encryption & Security Programs”. Although this book is now out of print, I have made a PDF copy of it available to readers of Chesbro on Security. You can download a copy from my Google Drive here: https://goo.gl/7YtDwY.
 
Some of the encryption programs I discussed in the book are still available today. Others have been overtaken by time and technology, and are no longer available. The need and desire for encryption, however, have not gone away. New freeware encryption programs are now available to help you protect the content of your files, folders, and on-line communications.
 
Encryption should be used for everything, not a feature you turn on only if you're doing something you consider worth protecting. This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance.  If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.

A Google search for "encryption programs" will return a large number of results. The following encryption programs are some that I have used, at least to some extent while studying encryption.  Whether one program is better than the next depends on your specific needs, the computer operating system that you are using, and compatibility with what those with whom you share information are using to protect their own data. Experiment with the encryption programs on the following list. Save and use those programs that meet your personal needs.
   
AES Crypt (https://www.aescrypt.com)

Cyphr Encrypted Messaging App (https://www.goldenfrog.com/cyphr)

Encipher It (https://encipher.it)

GNU Privacy Guard (https://gnupg.org)

JavaScrypt: Browser-Based Cryptography (http://www.fourmilab.ch/javascrypt/)

miniLock (http://minilock.io)

Paranoia Text Encryption (PTE) (https://paranoiaworks.mobi)

Encryption is an essential part of your personal privacy and security, but it is not a 100% solution. Consider the following tips while choosing and using your encryption programs.
 
1) Hide in the network. Implement hidden services. Use Tor, I2P, Freenet, and VPNs to anonymize yourself. The less obvious you are, the safer you are.
 
2) Encrypt your communications. Use TLS. Use IPsec. While it's true that some agencies target encrypted connections - and may have explicit exploits against these protocols - you're much better protected than if you communicate in the clear. Woe betide whomever transmits plaintext.
 
3) Assume that while your computer can be compromised, it would take work and risk to do so - so it probably isn't. Still, physical security is important and should be included in your overall personal security plan.
 
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier to backdoor than open-source software. Systems relying on master secrets are vulnerable to adversaries, through either legal or more clandestine means.
 
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving an adversary a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that governments influence when they can.
21-Day Personal Privacy Challenge

 
Day 1 – Register your telephone numbers with the National Do Not Call Registry (https://www.donotcall.gov/), and Opt-Out of sharing of your personal information with companies that offer credit and insurance (https://www.optoutprescreen.com/).
 
Day 2 – Install “HTTPS Everywhere” (https://www.eff.org/https-everywhere) and “Privacy Badger” (https://www.eff.org/privacybadger) in your Firefox, Chrome, or Opera browser. Install and run Malwarebytes (https://www.malwarebytes.com) and Bleachbit (https://www.bleachbit.org) or CCleaner (https://www.piriform.com/ccleaner) on your computer.  
 
Day 3 – Sign up for an end-to-end encrypted e-mail service such as ProtonMail (https://protonmail.com/) or Tutanota (https://www.tutanota.com/). Start using this new encrypted e-mail to protect your personal communications.
 
Day 4 – Stop using SMS/Text messages for personal communication. Switch to an end-to-end encrypted messenger such as Wickr (https://www.wickr.com/personal) or Signal Private Messenger (https://signal.org/).
 
Day 5 – Start conducting your on-line searches with a search engine that does not track you, such as DuckDuckGo (https://duckduckgo.com/) or Startpage (https://www.startpage.com/).
 
Day 6 – Set up two-factor authentication on all your on-line accounts where it is available (https://twofactorauth.org). Use a hardware token, such as Yubikey, where possible or as the next best option use a software token such as Google Authenticator or Authy App.
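To see what the software tokens recommended for Day 6 actually do, here is an added example (not code from the original post, and not the code of Google Authenticator or Authy): a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms those apps run. The base32 secret string and the 30-second step are the conventions such apps use; the demo secret is a constructed sample, not a real account key.

```python
# Added example: how an authenticator app turns its enrolled secret into
# the six-digit codes you type. HMAC-SHA1 over a counter (HOTP), with the
# counter derived from the clock (TOTP). Standard library only.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Turn the base32 string shown at enrolment (often grouped in 4s) into key bytes."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding apps usually strip
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(key, timestamp // step, digits)


def verify_totp(key: bytes, code: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate clock skew, and compares in constant time to avoid leaking
    how many leading digits matched."""
    if timestamp is None:
        timestamp = int(time.time())
    base = timestamp // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (a well-known base32 sample string, not a real account).
    key = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    print("verifies:", verify_totp(key, code, now))
```

The point for the reader: the secret shown at enrolment is the only long-term key, so it deserves the same care as a password (do not screenshot it or leave it in e-mail), and a server must keep its clock accurate or legitimate codes fall outside the acceptance window.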
 
Day 7 – Install a Password Manager. Examples of password managers include: LastPass (https://www.lastpass.com/), KeePassXC (https://keepassxc.org), Dashlane (https://www.dashlane.com), and 1Password (https://1password.com).  
 
Day 8 – Change all of your passwords. Use a very strong password, generated by your password manager, or use an external password generator such as the GRC Ultra High Security Password Generator (https://www.grc.com/passwords.htm) to generate new passwords.
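As an added example for Day 8 (not code from the original post, and not how any particular password manager or the GRC page generates its output), this is how to generate the "very strong password" locally from the operating system's random source, and how to put a number on its strength. The 94-symbol alphabet and the 20-character default are assumptions chosen for the example.

```python
# Added example: a local strong-password generator with an entropy estimate.
# Uses the secrets module (OS CSPRNG), never the random module, which is
# predictable and unsuitable for secrets.
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation (assumption for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string is length * log2(|alphabet|).
    20 characters from 94 symbols is about 131 bits, well beyond brute force."""
    return length * math.log2(len(alphabet))


def has_all_classes(password: str) -> bool:
    """True when lower, upper, digit and punctuation characters are all present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the CSPRNG, then redraw the whole
    string until all four classes appear. Rejection sampling keeps the
    distribution uniform over the accepted set, unlike 'force one of each'
    schemes that place fixed-class characters at predictable positions."""
    if length < 12:
        raise ValueError("use at least 12 characters for a site password")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits(len(pw)):.1f} bits of entropy")
```

Paste the result straight into the password manager entry rather than retyping it; the value of the exercise is that no password is reused and none is guessable from the others.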
 
Day 9 – Review and strengthen the privacy settings on all of your social media accounts. The US Army CID Computer Crime Investigative Unit provides guides to assist you in securing Facebook, Twitter, LinkedIn, Google Plus. Search the help settings on other social networks for ways to improve your privacy and security.
 
Day 10 – Order and review a copy of your credit reports (https://www.annualcreditreport.com/).
 
Day 11 – Protect your financial information by adding a Credit Freeze to your account with each of the major credit reporting agencies (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs).
 
Day 12 – Search your name and other personal information on-line. Make note of where any of your personal information appears. Set up Google Alerts (https://www.google.com/alerts) to monitor the Internet for the appearance of any new information about you.
 
Day 13 – Protect access to your smartphone with a password or long numeric PIN. Avoid using fingerprint access, a swipe pattern, or the short 4-digit PIN to protect your smartphone.
 
Day 14 – Install VeraCrypt (https://www.veracrypt.fr/en/Home.html) and create a secure / encrypted volume to protect sensitive files on your computer. Alternately use BitLocker on your Windows computer or FileVault on your Mac computer to create this encrypted volume.  
 
Day 15 – Back up your important data and store it as an encrypted volume on some type of removable media (i.e. CD/DVD or USB Drive). Store this back-up someplace safe. Note that you can create a compressed and AES-256 encrypted archive using the free program 7-Zip (http://www.7-zip.org).
 
Day 16 – Make a list of all of your credit card numbers and the telephone number from the back of the card to call and report if your cards are lost or stolen. Store this list in a secure place.
 
Day 17 – Make a list of all your high value items (i.e. electronics, jewelry, firearms, collectables). Record the serial numbers, makes, models and other descriptive information. Include photos where appropriate. Include your automobile’s license plate number and VIN. Store this list in a secure place.
 
Day 18 – Improve your cybersecurity awareness by completing these three on-line courses from the DoD Information Assurance Support Environment (IASE):
Cyber Awareness Challenge (https://iatraining.disa.mil/eta/disa_cac2018/launchPage.htm)
Phishing Awareness (https://iatraining.disa.mil/eta/disa_phishing_v31_fy17/launchPage.htm)
Social Networking (https://iatraining.disa.mil/eta/disa_sn_v21_fy17/launchPage.htm)
 
Day 19 – Download a copy of TOR (https://www.torproject.org/). Start using TOR to protect your privacy and anonymity on-line.
 
Day 20 – Start using a Virtual Private Network (VPN) to improve your on-line security. Some VPNs include: Private Internet Access (https://www.privateinternetaccess.com/), Nord VPN (https://nordvpn.com/), VyprVPN (https://www.goldenfrog.com/vyprvpn).
 
Day 21 – Consider Abine Blur (https://www.abine.com/index.html) and Privacy.Com (https://privacy.com) to protect your financial privacy.
Tuesday, October 17, 2017

Google Advanced Protection

 
 
Google has today launched a free, opt‐in program aimed at users who believe their Google accounts - such as Gmail, Drive, YouTube etc. - to be at particularly high risk of targeted online attacks. The Advanced Protection Program currently consists of three main elements: defending Gmail and Google account users against phishing attacks by requiring 2FA via a token generated by a hardware security key; locking down the risk of malicious applications grabbing sensitive data by automatically limiting full access to Gmail and Drive to just Google apps (for now); and reducing the risk of hackers gaining access to a Gmail account via impersonation by adding more steps to the account recovery process.
Monday, October 16, 2017

Governments Call for Breakable Encryption
Well, this is nothing new... but it is still concerning as the government continues to demand access to private communications. Now you may believe that the government's argument has merit, and that it should be able to access private communications with the appropriate legal process leading to a warrant issued by an impartial judge. However, that doesn't solve the problem because strong encryption is already available from sources outside the United States, such as JavaScrypt: Browser-Based Cryptography Tools (https://www.fourmilab.ch/javascrypt/), ProtonMail (https://protonmail.com/), and GnuPG (https://www.gpg4win.org/), just to name a few.
 
As with calls for gun control, calls for encryption control simply limit the ability of people who are committing no crimes, and pose no threat to national security. Groups of people using encryption to engage in organized crime or terrorist activities are not going to limit their use of strong encryption just because the United States government thinks that they should.  
 
Of course the United States government is not the only one looking to prevent its citizens from having access to strong encryption:
 
"In a statement released recently by Australian Attorney General George Brandis and the Minister for Immigration and Border Protection Peter Dutton, the two officials called for weakening encryption standards and for increased sharing of surveillance between Five Eyes countries." (Deep Dot Web, July 2017)
 
"In an interview with the BBC, Home Secretary Amber Rudd called the use of end-to-end encryption communications offered by tech companies and used by terrorists as a "completely unacceptable" situation. Rudd insists organizations behind encrypted messaging systems should not "provide a secret place for terrorists to communicate with each other." (Apple Insider)
 
"A leaked document reveals the UK government has drawn up yet further, disturbingly dystopian draft bulk surveillance powers, which would give authorities carte blanche to monitor citizens' live communications, and effectively illegalize encryption. A cybersecurity expert told Sputnik this has terrifying implications not merely for internet privacy. The rules would compel all communications companies — including phone networks and ISPs — to provide real-time access to any named individual's full content within a single working day, as well as any "secondary data" related to that individual, including encrypted content." (Sputnik News)
 
"After being threatened with a ban, it looks like Telegram is playing ball with Russia's government. Russian communications regulator Roskomnadzor confirmed in a statement [in June 2017] that Telegram, an app with over 100 million users globally, had submitted all required data and now works within the country's legal framework. The announcement comes after Russian authorities put pressure on the company on Monday to register itself with the government as an "organiser of information dissemination," saying the messaging app allowed terrorists to communicate secretly, with "high degree of encryption." Failure to do so would cause Telegram to be banned, authorities had threatened." (CNET)
 
The question is whether governments have a compelling interest in weakening encryption in the name of national security, or in order to fight organized criminal activity. Will preventing you and me from having strong encryption to safeguard our own privacy make us safer from criminals and terrorists? Government seems to think it will...  do you?