Saturday, December 23, 2017

Start 2018 With A Clean Slate

Well, let’s at least start 2018 with a clean digital slate. Now is a great time to get rid of those old text messages and e-mails, delete old search histories, and clean up your social media accounts. Here are a few things that you can do to get rid of digital clutter and start the new year with a clean slate.
 
Clear Your Facebook Search History
  1. Go to your Facebook timeline page and click View Activity Log.
  2. Click More (below Comments) and choose Search from the list.
  3. Once you’re on the search history page, you can delete individual search queries. To delete a search, click the edit button next to the lock icon, then click Delete.
  4. A delete confirmation dialog box will appear. Click Remove Search.
  5. To delete all the searches at once, look for the Clear Searches option.

Delete Facebook Messages and Chat History on Your Computer
  1. Open Facebook.
  2. Click Messenger at the top right of the screen.
  3. Select See All to bring up the full-screen view of Messenger.
  4. Click Actions (the cogwheel icon at the top right of the screen) to see the menu.
  5. Select Delete Conversation to delete the entire conversation with a given contact, or select Delete Messages to delete one or more specific messages. This brings up an interface that lets you select specific messages to delete.
  6. Click the checkbox next to each message that you'd like to delete.
  7. Click Delete.

Clear Your Google Search History
  1. On your computer, open Chrome.
  2. At the top right, click More.
  3. Click History, then History.
  4. On the left, click Clear browsing data. A box will appear.
  5. From the drop-down menu, select how much history you want to delete. To clear everything, select "the beginning of time".
  6. Check the boxes for the info you want Chrome to clear, including "browsing history".
  7. Click Clear browsing data.

Use a Search Engine That Does Not Track You
Set your default search engine to one that does not track your search history.
Consider using DuckDuckGo or StartPage.

Delete Old Gmail
In the Gmail inbox search bar, if you type older_than:6m, Gmail lists your e-mails older than six months. You can also use "y" for years or "d" for days in the same operator.
To delete all of the listed messages, click the Check all box, followed by the Delete button.
As a best practice you should never store messages older than 180 days (6 months) in your e-mail account. The content of e-mail older than 180 days is considered a "stored communication" and does not have the same protection under the law as newer e-mail.

Automatically Delete Old Text Messages on Your iPhone
On the iPhone, you can set the device to automatically delete all old messages. The only problem is that you can't make any exceptions: there is no setting that lets messages from a particular sender stay past the expiry date. If you want to save any information from a message, clip it and save it to a separate file.
To set up automatic cleaning of old messages:
  1. Open Settings > Messages.
  2. Scroll down to the section labeled MESSAGE HISTORY.
  3. Tap Keep Messages.
  4. Choose either 30 days or 1 Year. Messages older than one month or one year will then be deleted.
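Both the Gmail older_than: operator above and the iPhone Keep Messages setting are age-based retention filters: a cutoff is computed from "now" minus a window, and anything received before the cutoff is selected for deletion, with no per-sender exceptions. The following is an added example written for this post, not Gmail's or Apple's code; the message records and the "now" timestamp are constructed, and the unit lengths (30-day month, 365-day year) are an assumption made for the illustration.

```python
"""Age-based message retention: parses Gmail-style older_than:/newer_than:
operators and applies a fixed "keep for N days" policy to constructed
message records. Added illustration, not Gmail's or Apple's code."""
import re
from datetime import datetime, timedelta, timezone

# Assumed unit lengths in days; the real operator accepts d, m and y.
_UNIT_DAYS = {"d": 1, "m": 30, "y": 365}
_OP_RE = re.compile(r"^(older_than|newer_than):(\d+)([dmy])$")


def parse_age_operator(operator: str):
    """Parse 'older_than:6m' or 'newer_than:30d' into (kind, window)."""
    match = _OP_RE.match(operator.strip())
    if not match:
        raise ValueError(f"unsupported age operator: {operator!r}")
    kind, count, unit = match.groups()
    return kind, timedelta(days=int(count) * _UNIT_DAYS[unit])


def select_messages(messages, operator, now):
    """Return the ids an age operator would list.

    messages: iterable of (message_id, received datetime) pairs.
    """
    kind, window = parse_age_operator(operator)
    cutoff = now - window
    if kind == "older_than":
        return [mid for mid, received in messages if received < cutoff]
    return [mid for mid, received in messages if received >= cutoff]


def retention_sweep(messages, keep_days, now):
    """Emulate a 'keep messages for N days' policy: ids to delete.

    Everything older than keep_days goes, with no per-sender exception,
    mirroring the iPhone setting described above.
    """
    return select_messages(messages, f"older_than:{keep_days}d", now)


# Constructed sample mailbox: (id, received timestamp in UTC).
NOW = datetime(2017, 12, 23, tzinfo=timezone.utc)
SAMPLE = [
    ("m1", NOW - timedelta(days=2)),
    ("m2", NOW - timedelta(days=45)),
    ("m3", NOW - timedelta(days=200)),
    ("m4", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    print("older_than:6m ->", select_messages(SAMPLE, "older_than:6m", NOW))
    print("keep 30 days  ->", retention_sweep(SAMPLE, 30, NOW))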

Delete Unused Social Media Accounts
If you have old social media accounts that you no longer use, take time to delete them and remove your personal information on-line. The web-site Account Killer https://www.accountkiller.com/en/ provides guidance on how to delete a large number of social media accounts.

Clean Up Your Current Social Media Accounts
Look through your current social media accounts to identify profanity, mentions of drugs or alcohol, check-ins at strip clubs, and questionable photos. Of course, the image you choose to portray on social media is entirely up to you, but does that profanity-filled rant, or the photo of you drunk and passed out at a party that you posted a couple of years ago, fit in with how you currently want to be seen on-line? Remember, security clearance investigations include reviewing your social media activity, and a study from CareerBuilder revealed that 70 percent of employers now use social media to screen job candidates before hiring them.

Wipe the Drives of Old Computers
When disposing of an old computer, be sure that you securely wipe the hard-drive.
To do this I recommend using DBAN (Darik's Boot and Nuke).
Visit http://www.dban.org and click on the Download DBAN option.
Once the software is downloaded (it will be a .iso file), you'll need to burn it to a CD, DVD or USB storage device so it can run without booting up your operating system (which will be deleted in the wipe). Once you have DBAN on a CD, DVD, or USB, boot from that media and follow the instructions to wipe your hard-drives.

Friday, December 22, 2017

SecurityPlanner.Org

 
Security Planner is an easy-to-use guide with expert-reviewed advice for staying safer online. It provides recommendations on implementing basic online practices, like enabling two-factor authentication on important accounts, making sure software stays updated, and using encrypted chats to protect private communications. More advanced users can receive advice on where to go for more help.
 
Security Planner is a project of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. It was incubated by Jigsaw (then known as Google Ideas) and handed off to the Citizen Lab in December 2015.
 
Security Planner recommendations are made by a committee of experts in digital security and have gone through a rigorous peer review evaluation, led by the Citizen Lab. We're supported by a community of organizations, including non-profits, educational institutions, and foundations, and never accept funds or services in exchange for making a recommendation.
 
Access Security Planner here: https://www.securityplanner.org/

Thursday, December 21, 2017

Yandex

Yandex (Яндекс) https://www.yandex.com/ is a Russian multinational technology company specializing in Internet-related services and products. It is Russia’s biggest technology company. Yandex operates the largest search engine in Russia with about 65% market share in that country. It also develops a number of Internet-based services and products.
 
Yandex provides you with a free e-mail account (Yandex Mail), on-line file storage (Yandex Disk), and the Yandex Browser. The Yandex search engine is the 4th most popular in the world, and provides results that you might not find using other search engines.  Based on the Chromium open source project, the Yandex browser uses the Blink engine and checks downloads through Kaspersky antivirus. Also, the browser uses Opera's Turbo technology to optimize web pages that are using a slow or disrupted connection. Yandex offers DNS spoofing protection, which claims to block malicious web pages and protects passwords and bank card details.

Is Yandex private? Well, this is Russia, and there is the Система Оперативно-Розыскных Мероприятий ("System for Operative Investigative Activities") which lets the FSB monitor all telephone and Internet communications. So, no, Yandex is not private. However, Russia has little interest in the affairs and lives of ordinary Americans, so you may have greater privacy with Yandex than with a US based company such as Google.

So, is Yandex a good option for you? Well, Yandex is a very reliable and easy-to-use service. Yandex is available in both Russian and English. Yandex does not flood you with advertisements every time you conduct a search, so it has a clean interface. It is, I believe, certainly worth looking at Yandex as an option for your on-line activities.

Depending on your threat model, there may also be some advantage to transferring your web-mail and on-line file storage to Russia. Using Yandex does not keep your account from being monitored; rather, it transfers the ability to monitor your account from your home country (assuming that you are not Russian) to Russia.

Wednesday, December 20, 2017

Rubber Hose Cryptanalysis

 
Strong, properly implemented encryption will protect your data against most mathematical and technical attacks. The encryption available to the average person today will defeat attempts at decryption by anyone who does not have access to the associated keys (passwords) to decrypt the data. You, as the owner of the encrypted data, no doubt possess the encryption / decryption keys for your own data, but can you be forced to provide those keys to another person, against your will, thus giving that person access to your private information once it has been decrypted?
 
The phrase "rubber hose cryptanalysis" is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture - such as beating that person with a rubber hose, hence the name - in contrast to a mathematical or technical cryptanalytic attack. Of course, this coercion need not be an actual rubber hose; a court could order you jailed until such time as you provided the password to decrypt your files. Some countries, such as Australia and the United Kingdom have laws that require a suspect to provide known decryption keys to law enforcement, or face fines and jail. Other countries, such as the Czech Republic, Germany, and the United States have laws that protect a person from self-incrimination or being forced to provide testimony against themselves. But even in countries with protection against self-incrimination, courts have sometimes ruled that there are exceptions to those protections and ordered suspects to disclose their passwords or decryption keys.
 
In the case of State of Florida v. Aaron Stahl, Case No. 2D14-4283 (December 7, 2016) the court ordered Stahl to provide his password to decrypt his iPhone, stating: "We are not inclined to believe that the Fifth Amendment should provide greater protection to individuals who passcode protect their iPhones with letter and number combinations than to individuals who use their fingerprint as the passcode." "Compelling an individual to place his finger on the iPhone would not be a protected act; it would be an exhibition of a physical characteristic, the forced production of physical evidence, not unlike being compelled to provide a blood sample or provide a handwriting exemplar." "This is a case of surrender and not testimony," the court concluded. This Florida appeals case is an exception, as many other courts - including the trial court in the above case - have held that suspects may not be compelled to disclose the content of their mind (i.e. provide a password or other testimony against themselves).
 
It is important to note here that while suspects may be protected against compelled testimony, this does not apply to being forced to unlock a device using a fingerprint or facial recognition scan. The police can force you to provide a fingerprint or facial scan to unlock a device. When the law protects against self-incrimination it only protects the content of your mind. The law allows you to remain silent; it does not protect against being compelled to provide other things to the police, such as fingerprints, facial scans, blood samples, and DNA. In May 2016, the Department of Justice obtained a warrant to compel everyone at a home in Lancaster, California to provide his or her fingerprint on the sensor of their cell-phones, thus allowing police to search them on the spot. Those individuals who used their fingerprint to unlock their phones had their private information reviewed by police. Those individuals who used a password / PIN could not be compelled to disclose it under the warrant.

The National Domestic Violence Hotline has warned about the Dangers of Sharing Passwords, saying: "By obtaining a password, an abuser is able to use the digital realm to affect a victim’s offline daily life. They can monitor actions, watch bank accounts to limit access to money, isolate the victim by controlling social media interactions and even use online activities as validation or excuses for abuse. This extension of control can be extremely dangerous." An abuser could certainly force a victim to unlock a phone with a fingerprint, and might be able to coerce a victim into revealing passwords protecting computer files, on-line accounts, and e-mail.
 
Techniques to Survive Rubber Hose Cryptanalysis
 
Avoid using biometric identifiers (e.g. fingerprints, facial recognition) as the sole means of accessing sensitive information. You have no right against self-incrimination with biometric identifiers - police can compel you to use them to unlock devices - and an abuser could use physical force to make you use a fingerprint or facial scan to access your private data.
 
VeraCrypt Hidden Volume allows you to create a hidden and encrypted space inside of an existing VeraCrypt encrypted volume. If you are forced to provide the password to your VeraCrypt encrypted volume, the hidden volume still remains undisclosed. This allows you to give the appearance of cooperating with demands for your passwords without disclosing your hidden information.

Use two-factor authentication whenever possible. In this way, even if you are forced to reveal your password, your data or account is still protected by the second factor of your two-factor authentication scheme.

The Electronic Frontier Foundation (EFF) has published a guide: Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud that discusses protecting your personal information when traveling.

Use a data shredder, such as Freeraser, to permanently destroy sensitive data on your computer. Know how to remotely erase your Apple or Android smartphone if it is lost, stolen, or seized. Know how to do a factory reset on your smartphone if necessary. This procedure will vary from one model of phone to the next, but be sure that you know how to do it on your phone.
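What a data shredder such as Freeraser does, and what DBAN does for a whole drive, is overwrite the bytes before the operating system forgets where they were; plain deletion only drops the directory entry. The following is an added example written for this post, not Freeraser's or DBAN's code: it overwrites a file in place several times, renames it so the original filename also leaves the directory, then unlinks it. The sample file is constructed in a temporary location. One caveat a practitioner should know: on SSDs (wear levelling), copy-on-write or journaling filesystems, and cloud-synced folders, the old blocks may survive an overwrite, so full-disk encryption from day one or a whole-device wipe is the reliable option there.

```python
"""Overwrite-then-delete file shredder. Added illustration for this post;
not Freeraser's or DBAN's code. Reliable on plain HDD filesystems only."""
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files do not sit in RAM


def shred_file(path, passes: int = 3) -> int:
    """Overwrite a file in place `passes` times, rename it, then unlink it.

    Returns the number of bytes overwritten per pass. Random data is used for
    every pass but the last, which writes zeros so the freed blocks do not
    stand out as random-looking ciphertext.
    """
    path = Path(path)
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                last = pass_no == passes - 1
                fh.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force each pass to the disk, not the cache
    # Replace the original name in directory metadata with a random one.
    anonymous = path.with_name(secrets.token_hex(8))
    path.rename(anonymous)
    anonymous.unlink()
    return size


def demo() -> bool:
    """Shred a constructed sample file; True if the bytes were overwritten
    and the file is gone afterwards."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".txt") as tmp:
        tmp.write(b"constructed sensitive content\n" * 100)  # 3000 bytes
        name = tmp.name
    overwritten = shred_file(name)
    return overwritten == 3000 and not os.path.exists(name)


if __name__ == "__main__":
    print("shredded cleanly:", demo())
```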

Use an encrypted password manager, such as KeePass, to store your passwords and decryption keys. Password managers create an encrypted database that is used to store your passwords. Use long, complex, non-memorable passwords to protect your accounts and sensitive information. When using a password manager you won't know what the passwords to your accounts are; instead, you remember a single password for the password manager. If you don't know the passwords to your accounts, you can't be forced to reveal them. Use a data shredder to destroy your password manager database if you come under duress. Keep a copy of the database in a secure location outside of the reach and jurisdiction of your adversary. Arrange to recover the database only after it can be shown that you are not being coerced and are not under duress (perhaps you store a copy with your attorney).

Store sensitive data in the Cloud to prevent it from being compromised if your computer or smartphone is lost, stolen, or seized. Remember that all data stored in the Cloud should be encrypted before it is uploaded. I recommend SpiderOak for Cloud storage, but also use Yandex Disk for storing some files.

The techniques for defeating rubber hose cryptanalysis are twofold. The first is to use technical means to prevent you from being able to reveal information while under duress (you can't disclose a password that you don't know, and you can't share a private key that you don't possess). The second is to employ obfuscation (i.e. hidden files) to allow you to give the appearance of cooperation without compromising your most sensitive data.

Tuesday, December 19, 2017

Massive leak exposes data on 123 million US households

An article on C|Net today reported that a Massive leak exposes data on 123 million US households. An unsecured database that contained a wide range of personal details about virtually every American household, was left online by marketing analytics company Alteryx. The data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and number of children in the household. The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax. According to the article the data "would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied."

These data breaches are becoming almost commonplace, and every time information about you, your family, or your household is disclosed you are put at risk of becoming a victim of identity theft, fraud, phishing, and other targeted cybercrimes. You should make it a point to limit the amount of information that you disclose about yourself, and whenever possible have your information removed from databases and other records. Individual OPSEC and Personal Security are becoming more important every day.

The REAL ID Act - 2018

 
The REAL ID Act establishes minimum security standards for license issuance and production and prohibits Federal agencies from accepting for certain purposes driver’s licenses and identification cards from states not meeting the Act’s minimum standards. The purposes covered by the Act are: accessing Federal facilities, entering nuclear power plants, and boarding federally regulated commercial aircraft. About half of the states are compliant with the REAL ID Act, while the remaining states have an extension until October 10, 2018 or are currently under review.

According to the Department of Homeland Security "Starting January 22, 2018, [now October 10, 2018 for most states with an extension] passengers who have driver’s licenses issued by a state that is not yet compliant with REAL ID and that has not received an extension will need to show an alternative form of acceptable identification for domestic air travel."

Are those states with a current extension until October 10, 2018 going to be in compliance with the REAL ID Act by that time? It seems unlikely. Will there be another extension granted to those states? Probably - but sooner or later there will be no more extensions granted to non-compliant states, and then residents of those states will need an alternate, Federally approved ID to access Federal facilities or fly on a commercial aircraft.

If you are unsure whether your state will be in compliance with the REAL ID Act, and you are concerned with being able to enter Federal facilities or fly domestically, you might consider getting a U.S. Passport Card to use as your standard form of ID.

The Passport Card is Real ID compliant and can be used for domestic air travel. It also lets you enter the United States at land border crossings and sea ports-of-entry from: Canada, Mexico, The Caribbean, and Bermuda.
 
Another option is to obtain an "Enhanced Driver's License" if you reside in one of the five states that issue them (Michigan, Minnesota, New York, Vermont, and Washington).
 

Like the US Passport Card, an Enhanced Driver's License from one of these states meets REAL ID Act requirements and can be used to fly domestically and enter the United States at land crossings and sea ports from Canada, Mexico, The Caribbean, and Bermuda.

It should be noted that neither the US Passport Card nor an Enhanced Driver's License is accepted for international air travel. For that you will need a regular passport.

REAL ID and Privacy

Some states and organizations oppose the implementation of the Real ID Act (which may be why so many states are not currently in compliance with the Act). The ACLU has said "If fully implemented, the law would facilitate the tracking of data on individuals and bring government into the very center of every citizen’s life. By definitively turning driver’s licenses into a form of national identity documents, Real ID would have a tremendously destructive impact on privacy. It would also impose significant administrative burdens and expenses on state governments, and it would mean higher fees, longer lines, repeat visits to the DMV, and bureaucratic nightmares for individuals. Because of these problems, many states oppose the use of Real ID, and it has not gone into full effect. The ACLU has joined with these states to support the repeal of the law."

The Electronic Frontier Foundation has said "The federal government is trying to force states to turn your drivers license into a national ID... the Real ID Act will create grave dangers to privacy and impose massive financial burdens without improving national security in the least. Signed into law in May 2005 without meaningful debate the Real ID Act states that drivers licenses will only be accepted for "federal purposes" - like accessing planes trains national parks and court houses - if they conform to certain uniform standards. The law also requires a vast national database linking all of the ID records together. Once the IDs and database are in place their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember the Social Security number started innocuously enough but it has become a prerequisite for a host of government services and been coopted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example because "common machine-readable technology" will be required on every ID the government and businesses will be able to easily read your private information off the cards in myriad contexts."

The REAL ID Act was attached to an emergency supplemental, with no hearings, no votes, but what it is, the Federal Government will be dictating how the States go about the business of licensing residents to operate motor vehicles. State motor vehicle officials will be required to verify the legal status of applicants, adding to the responsibilities of already heavily burdened State offices... the Federal Government dictates responsibilities for what has traditionally been a State function--and adds layers of bureaucracy and regulation to effectively create a national ID card, and that is what it is--there is no help in footing these hefty bills. It is an unfunded mandate passed by the last Congress to add to the taxpayers of the States $23 billion in costs. [Senate Hearing 110-113]

Monday, December 18, 2017

Google Voice

If you have a Google account you can set up a free Google Voice number allowing you to make and receive VOIP calls, as well as send and receive text messages.  When you set up a Google Voice number, calls and texts placed to that number are forwarded to one or more other numbers that you select. This allows you to have a single phone number ring at all of your phones (i.e. home, cell, work), or you can use Google Voice numbers to separate callers into groups - one Google Voice number for work colleagues, another Google Voice number for social activities, etc.

Google Voice also provides you with voice mail, and voice mail transcription which sends your voice mail to you as an e-mail. You can use Google Voice for call screening and routing of your calls based on Caller ID, time of day, and more. Google Voice is useful for providing yourself with a permanent number (you can always change the number Google Voice forwards to, without changing your Google Voice number). You can also use Google Voice as a temporary number, when you don’t want to provide your actual home or cellular number. 

Google Voice is a good service, but as is the case with many Google products there is a privacy concern when using Google Voice. All of your calls and text messages are routed through Google and thus Google has a record of whom you call, who has called you, and a copy of your text messages and voice mail. According to Google’s Privacy & Terms "Google Voice stores, processes and maintains your call history (including calling party phone number, called party phone number, date, time and duration of call), voicemail greeting(s), voicemail messages, Short Message Service (SMS) messages, recorded conversations, and other data related to your account in order to provide the service to you."

Although Google captures all of the information that goes through your account, Google Voice does add a layer of privacy to your calls if set up from a new Google account, because the number traces back to the Google account and not to you personally. Once a number is identified as a Google Voice number, someone attempting to identify the owner of the number must then go to Google to obtain the forwarding number connected to that Google Voice account. Google doesn’t publish a directory of Google Voice numbers or generally publish personal information from Google accounts; however, Google will release information from your account in response to a subpoena, court order, or warrant.

So, is Google Voice worth having? Yes, I believe that it is. Google Voice call screening and routing features help you ensure that you can always be reached by people you want to hear from, such as close friends and family, and that you can screen calls from others - sending them straight to voice mail, or even blocking unwanted callers. Google Voice isn't a secure calling option, but for any time that you would otherwise give out your home or cell-phone number, Google Voice might be a good option.

If you still have a home phone (or would like one without the costs associated with a landline from your local telephone company), you can use an OBi202 2-Port VoIP Phone Adapter with Google Voice and Fax Support to set up a home phone number.

With an OBi device and your existing broadband Internet connection, from the comfort of your home phone, you have the power to make and receive phone calls using a multitude of VoIP services for free or at a fraction of the cost a traditional telco would charge. Local, long distance and even international calling are all possible.

The OBi200 and OBi202 support up to four (4) VoIP services like Google Voice, and a multitude of 'Bring Your Own Device' Internet phone services.
  • Use Google Voice with the OBi and enjoy free calls inside the USA and Canada
  • Call internationally at amazingly low rates to over 150 destinations
  • Rates to China, India, and Mexico as low as 1¢ per minute - with no connection fee
  • When someone calls, ring multiple OBi devices, anywhere
  • Block unwanted nuisance and tele-marketer calls
  • Voicemail that acts like email
  • Designed, developed and supported in the USA


To set up a Google Voice account:
  1. On your computer, open Google Voice (https://google.com/voice/).
  2. Sign in to your Google Account.
  3. Accept the Terms of Service and Privacy Policy.
  4. Search by city or area code for a number. Google Voice doesn't offer 1-800 numbers.
  5. If there aren't any numbers available in the area you want, try somewhere nearby.
  6. Next to the number you want, click Select. Follow the instructions.

Sunday, December 17, 2017

Center for Homeland Defense and Security | Self-study Courses

 
The Naval Postgraduate School Center for Homeland Defense and Security offers non-credit, self-study courses online. These courses are developed by the NPS CHDS teaching faculty and are derived from course content (lecture material and course readings) from the Center's homeland security master's degree curriculum. The courses, offered at no cost, are designed for homeland defense and security professionals who wish to enhance their understanding of key homeland security concepts and require the flexibility of self-paced instruction. NPS does not provide graduate credit for the courses; however, participants are encouraged to check with their professional associations regarding continuing education units/credits.

Current Self-study Courses include:
  • The Global Jihadi Threat
  • Intelligence for Homeland Security: Organizational and Policy Challenges
  • Counterterrorism in the United Kingdom
  • Social Network Analysis: an Introduction
  • Deception Detection Techniques (Law Enforcement Only)
  • Research Process and Methods
  • Understanding Terrorism: A Social Science View on Terrorism
  • Transportation Security
  • Terrorist Financing and State Response
  • Homeland Security in Israel

Access is granted to local, tribal, state and federal U.S. government officials; members of the U.S. military; corporate homeland security managers or contractors; homeland security researchers or educators; and students currently enrolled in homeland security degree programs. Apply for a self-study course here: https://www.chds.us/selfstudy/

Non-eligible persons can find open learning materials and lectures at https://www.chds.us/ed/