Saturday, November 11, 2017

Is Your Security Compromised?

 
 
When attempting to add security and privacy to our lives, few of us design and produce our own security tools. We have to rely on security products produced and marketed by others. This isn’t necessarily a bad thing. Companies that specialize in security are generally better at designing effective security products than we would be trying to design a similar product on our own. Of course, a company that designs and markets a security product may also be able to compromise the security of that product.
 
Hushmail (https://www.hushmail.com), a Canadian company that provides encrypted e-mail services, has marketed its services saying "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." However, we saw in 2007 that this statement was not entirely true. In response to a court order, Hushmail was able to access encrypted user accounts and turn over the content of e-mail from accounts being used by individuals who were alleged to be illegally selling steroids.
 
In another case from Canada, we find that BlackBerry (https://ca.blackberry.com/) PIN-to-PIN messages could be intercepted and decrypted by the Royal Canadian Mounted Police (RCMP). According to an article on Vice, “Canada's federal policing agency has had a global encryption key for BlackBerry devices since 2010... and has intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages.”
 
I recently mentioned in this blog the case of PureVPN (https://www.purevpn.com/) turning over its network logs to the FBI, even though PureVPN had marketed its service claiming that it maintained no logs. Using the logs obtained from PureVPN, the FBI was able to arrest an individual suspected of cyberstalking.
 
In each of these cases, and many others like them, we see companies that are supposed to be safeguarding their customers’ privacy and anonymity compromising that trust when presented with a court order as part of a criminal investigation. Of course, these companies have little choice but to comply with court orders or face charges themselves.

Most people, I think, want effective law enforcement, and want the police to be able to gather evidence when investigating a crime. The problem, however, is that any security that can be compromised to aid law enforcement can also be compromised by a “hacker” or other criminal for unlawful purposes. And while I believe that most law enforcement personnel only use their privileged access to information for legitimate purposes, this may not always be the case. According to a September 28, 2016 Associated Press News report: "Police officers across the country misuse confidential law enforcement databases to get information on romantic partners, business associates, neighbors, journalists and others for reasons that have nothing to do with daily police work, an Associated Press investigation has found. Criminal-history and driver databases give officers critical information about people they encounter on the job. But the AP’s review shows how those systems also can be exploited by officers who, motivated by romantic quarrels, personal conflicts or voyeuristic curiosity, sidestep policies and sometimes the law by snooping. In the most egregious cases, officers have used information to stalk or harass, or have tampered with or sold records they obtained."

When a company providing a "secure" on-line service states that it cannot decrypt our e-mail or read our text messages, or that it keeps no logs of our Internet connections, we as customers of that company should be able to rely on those statements – unfortunately we can’t!
 
Even when a company does not directly compromise our security, failure to understand how a security tool works and failure to use that tool properly can result in exploitable vulnerabilities.

TOR (https://www.torproject.org/) is often used to maintain anonymity on-line. While TOR is a very effective tool to preserve one’s privacy, if you are careless with your security procedures, an agency with sufficient resources (e.g. the FBI) may be able to exploit vulnerabilities in your security. This was the case in 2013, when a Harvard University student e-mailed a bomb threat to the university in an attempt to disrupt final exams. According to an article in The Verge, the student used "the routing service Tor, which covered his web traffic, and the temporary mail service Guerrilla Mail, which offered a one-time email — but neither one was enough to throw authorities off the trail. [The student's] mistake, it turns out, was connecting through Harvard's wireless network. The FBI quickly traced the emails back to Guerrilla Mail, which in turn indicated that the service had been accessed through Tor." [Security researcher Runa Sandvik, who previously worked on the TOR Project, points out that the originating IP address would have been revealed in the email header, which would have indicated Tor usage.] When confronted by the FBI, the student confessed.
 
So, what can you do to prevent your security from being compromised?
 
First, and perhaps most importantly, don’t commit crimes. Subpoenas and warrants are powerful tools to compromise your security, but they require a government agency to show a reasonable belief that you are committing a crime before issuing a subpoena or obtaining a warrant.

Second, read and understand the privacy policies of every company you provide any type of information to. We need only look to the reports of government agents going on fishing expeditions through the DNA databases of Ancestry and 23andMe to understand why this is important. Whenever possible, have your information deleted from databases and records.
 
Third, research your security tools, know how they work, and know how to use them effectively. For example, the VPN Logging Report gives details on just what type of data, if any, is maintained by the more popular VPN services. The TOR Project provides additional information that will help you run TOR more securely. Regardless of what security tools you use, learn to use them properly, and be aware of any weaknesses or vulnerabilities they may have.
 
Fourth, don’t rely on a single security tool, thereby creating a single point of failure. Use a VPN in conjunction with TOR. Use encrypted messaging with self-destructing messages. Use an encrypted e-mail service, such as ProtonMail or Tutanota, in conjunction with PGP encryption where you encrypt the e-mail before sending it through the encrypted e-mail service. Use TOR when you sign up for an e-mail service, and always access your account through TOR. Use proxy chains across multiple countries.  
 
Fifth, encrypt all of your communications using end-to-end encryption. Always encrypt your connection to the Internet. Use TLS. Use IPsec. Use SSL. Installing HTTPS Everywhere will help with this.
 
Sixth, assume that while your computer can be compromised, it would take work and risk on the part of an adversary - so it probably isn't. Even so, ensure that you use encryption, such as VeraCrypt, BitLocker, or EFS encryption, to protect files and folders on your computer. Consider using full-disk encryption to help protect your entire system.

Seventh, hide in the Dark Web. Use TOR (https://www.torproject.org), I2P (https://geti2p.net/en/), and FreeNet (https://freenetproject.org).
 
Remember, just because you're paranoid doesn't mean they aren't out to get you.
 


 
 
 
 


Friday, November 10, 2017

Don't Talk to the Police

 
We all recognize the need for effective law enforcement, but we should also understand our own rights and responsibilities - especially in our relationships with the police. Regent Law Professor James Duane provides details about how to interact with the police.
 
Don't Talk to the Police  (47 minutes)
Regent Law Professor James Duane gives viewers startling reasons why they should always exercise their 5th Amendment rights when questioned by government officials. Professor Duane's paper "The Right to Remain Silent: A New Answer to an Old Question" can be found here.
 
Law professor James Duane became a viral sensation in 2008 for a lively lecture that explained why people shouldn’t agree to answer questions from the police. In his new book, You Have the Right to Remain Innocent, Duane expands on that presentation, offering a vigorous defense of every citizen’s constitutionally protected right to avoid self-incrimination. By using case histories of innocent persons who were wrongfully imprisoned because of information they gave to police, Duane debunks the claim that "if you haven’t done anything wrong, then you don’t have anything to worry about".
 
 
https://goo.gl/eUR1os

 
 

 
 

Wednesday, November 8, 2017

Spotting A Hidden Handgun

Back in 2007, Robert Gallagher, a detective with the New York City Police Department, published a graphic on spotting a hidden handgun. That graphic has appeared in many places across the Internet since that time. Being able to spot someone carrying a hidden handgun is an important skill, so with full credit to Detective Gallagher, I provide you with a copy of his excellent graphic "Spotting a hidden handgun".
 
 

 
 


Tuesday, November 7, 2017

Active Shooter

 
An "active shooter" is an individual actively engaged in killing or attempting to kill people in a confined and populated area. In most cases, active shooters use firearms and there is no pattern or method to their selection of victims. Active shooter situations are unpredictable and evolve quickly. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on the scene, individuals must be prepared both mentally and physically to deal with an active shooter situation.
 
 
 
 
 
 

 


Monday, November 6, 2017

Security Engineering, by: Ross Anderson

 
Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more. Available on-line here: https://www.cl.cam.ac.uk/~rja14/book.html
 
If you prefer a hardcopy of the book, you can order a copy here: https://goo.gl/qrmMSH


Sunday, November 5, 2017

‘No-Logs’ VPN Provider - PureVPN - Shares User Logs with the FBI

 

FBI Arrests Cyberstalker After ‘No-Logs’ VPN Provider - PureVPN - Shares User Logs
 
A cyber-stalker in the United States was arrested by the FBI after a popular VPN provider with a no-logs policy - PureVPN - allowed the government agency to skim through its user logs to find and track the culprit’s IP address. According to the Department of Justice, 24-year-old Ryan Lin, of Newton, Mass., allegedly waged "an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest"... While the FBI truly did a great job, PureVPN, whose first line of the privacy policy is - "We Do Not monitor user activity nor do we keep any logs" - has literally betrayed its users who trusted PureVPN to protect their activities online.

Read more... https://thehackernews.com/2017/10/no-logs-vpn-service-security_8.html

PureVPN responded to the claims that it shared logs with the FBI here:
Setting the Record Straight: Addressing VPN Privacy and VPN Logs
https://www.purevpn.com/blog/vpn-logs-explained/


A VPN helps to protect your privacy on-line, but it is not a tool to be used for criminal activity. As we have seen with PureVPN, just because your VPN claims that it does not monitor your activity, and claims that it does not keep logs, there is no guarantee that this is actually true.