Saturday, November 11, 2017

Is Your Security Compromised?

 
 
When attempting to add security and privacy to our lives, few of us design and produce our own security tools. We have to rely on security products produced and marketed by others. This isn’t necessarily a bad thing. Companies that specialize in security are generally better at designing effective security products than we would be trying to design a similar product on our own. Of course, a company that designs and markets a security product may also be able to compromise the security of those products.
 
Hushmail (https://www.hushmail.com) a Canadian company that provides encrypted e-mail services has marketed its services saying "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." However, we saw in 2007, that that statement was not entirely true. In response to a court order, Hushmail was able to access encrypted user accounts and turn over the content of e-mail from accounts being used by individuals who were alleged to be illegally selling steroids.
 
In another case from Canada, we find that Blackberry (https://ca.blackberry.com/) PIN to PIN messages were able to be intercepted and decrypted by the Royal Canadian Mounted Police (RCMP). According to an article on Vice “Canada's federal policing agency has had a global encryption key for BlackBerry devices since 2010... and has intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages.”
 
I recently mentioned in this blog the case of PureVPN (https://www.purevpn.com/) turning over its network logs to the FBI, even though PureVPN had marketed its service claiming that it maintained no logs. Using the logs obtained from PureVPN, the FBI was able to arrest an individual suspected of cyberstalking.
 
In each of these cases, and many others like them, we see companies that are supposed to be safeguarding their customer’s privacy and anonymity compromising that trust when presented with a court order as part of a criminal investigation. Of course, these companies have little choice but to comply with court orders or face charges themselves.

Most people, I think, want effective law enforcement, and want the police to be able to gather evidence when investigating a crime. The problem, however, is that any security that can be compromised to aid law enforcement can also be compromised by a “hacker” or other criminal for unlawful purposes; while I believe that most law enforcement personnel only use their privileged access to information for legitimate purposes, this may not always be the case. According to September 28, 2016, Associated Press News report: "Police officers across the country misuse confidential law enforcement databases to get information on romantic partners, business associates, neighbors, journalists and others for reasons that have nothing to do with daily police work, an Associated Press investigation has found. Criminal-history and driver databases give officers critical information about people they encounter on the job. But the AP’s review shows how those systems also can be exploited by officers who, motivated by romantic quarrels, personal conflicts or voyeuristic curiosity, sidestep policies and sometimes the law by snooping. In the most egregious cases, officers have used information to stalk or harass, or have tampered with or sold records they obtained."

When a company providing a "secure" on-line service states that it cannot decrypt our e-mail, read our text messages, or keeps no logs of our Internet connections; as customers of those companies we should be able to rely on those statements – unfortunately we can’t!
 
Even when a company does not directly compromise our security, failure to understand how a security tool works, and failure to use that security tool properly can result in exploitable vulnerabilities.

TOR (https://www.torproject.org/) is often used to maintain anonymity on-line.  While TOR is a very effective tool to preserve one’s privacy, if you are careless with your security procedures an agency with sufficient resources (i.e. the FBI) may be able to exploit vulnerabilities in your security. This was the case in 2013, when a Harvard University student e-mailed a bomb threat to the university in an attempt to disrupt final exams. According to an article in The Verge, the student used "the routing service Tor, which covered his web traffic, and the temporary mail service Guerrilla Mail, which offered a one-time email — but neither one was enough to throw authorities off the trail. [The student's] mistake, it turns out, was connecting through Harvard's wireless network. The FBI quickly traced the emails back to Guerrilla Mail, which in turn indicated that the service had been accessed through Tor." [Security researcher Runa Sandvik, who previously worked on the TOR Project, points out that the originating IP address would have been revealed in the email header, which would have indicated Tor usage.] When confronted by the FBI the student confessed.
 
So, what can you do to prevent your security from being compromised?
 
First, and perhaps most importantly, don’t commit crimes. Subpoenas and warrants are powerful tools to compromise your security, but they require a government agency to show a reasonable belief that you are committing a crime before issuing a subpoena or obtaining a warrant.

Second, read and understand the privacy policies of every company you provide any type of information to. We need only look to the reports of government agents going on fishing expeditions through the DNA databases of Ancestry and 23andMe to understand why this is important. Whenever possible have your information deleted from databases and records.
 
Third, research your security tools, know how they work, and know how to use them effectively. For example, the VPN Logging Report  gives details on just what type of data, if any, is maintained by the more popular VPN services. The TOR Project provides additional information that will help you run TOR more securely. Regardless of what security tools you use, learn to use them properly, and be aware of any weaknesses or vulnerabilities they may have.
 
Fourth, don’t rely on a single security tool, thereby creating a single point of failure. Use a VPN in conjunction with TOR. Use encrypted messaging with self-destructing messages. Use an encrypted e-mail service, such as ProtonMail or Tutanota, in conjunction with PGP encryption where you encrypt the e-mail before sending it through the encrypted e-mail service. Use TOR when you sign up for an e-mail service, and always access your account through TOR. Use proxy chains across multiple countries.  
 
Fifth, encrypt all of your communications using end-to-end encryption. Always encrypt your connection to the Internet. Use TLS. Use IPsec. Use SSL. Installing HTTPS Everywhere will help with this.
 
Sixth, assume that while your computer can be compromised, it would take work and risk on the part of an adversary - so it probably isn't. Even so, ensure that you use encryption, such as VeraCrypt, Bitlocker, or EFS encryption, to protect files and folders on your computer. Consider using full-disk encryption to help protect your entire system.

Seventh, hide in the Dark Web. Use TOR (https://www.torproject.org), I2P (https://geti2p.net/en/), and FreeNet (https://freenetproject.org).
 
Remember, just because you're paranoid doesn't mean they aren't out to get you.
 


 
 
 
 


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.