1) Launch Messenger and tap the Me tab (this may be your FB profile photo).
2) Tap Secret Conversations.
3) Slide the Secret Conversations switch to the ON position.
A prompt says "This will be the only device you can use to send and receive encrypted messages." You will still be able to use Facebook Messenger on other devices (such as your computer), but Secret Conversations are limited to your smartphone.
4) Tap Turn On to enable Secret Conversations on this device or Cancel to abort the action.
When you enable Secret Conversations on one device, Messenger will automatically close all secret messages on your other devices.
If you disable Secret Conversations, your existing secret messages will remain on the device until you delete them, but you’ll no longer be able to send or receive them or start new Secret Conversations.
I had previously written about How to Encrypt Your Facebook Messages, but have received replies from some readers saying that they didn't have that option in Facebook Messenger on their smartphones. In order to send and receive "Secret Conversations" in Facebook Messenger you must enable that function using the steps listed above.
Saturday, December 30, 2017
Onion Field Insurance
On the night of March 9, 1963, LAPD officers Ian Campbell (age 31) and Karl Hettinger (age 28), both former Marines, were riding in an unmarked car. They pulled over a 1946 Ford coupe containing two suspicious-looking men at the corner of Carlos Avenue and Gower Street in Hollywood. The two men, Gregory Ulas Powell (age 30) and Jimmy Lee Smith (a.k.a. "Jimmy Youngblood", age 32), had recently committed a string of robberies, and "each had a pistol tucked into his trousers." Powell, the driver, pulled a gun on Campbell, who "calmly told his partner, 'He has a gun in my back. Give him your gun." The two officers were then forced into Powell's car and, were driven north from Los Angeles on Route 99, to an onion field near Bakersfield, where Campbell was fatally shot. Hettinger was able to escape, running nearly four miles to reach a farmhouse.
Today, many businesses and organizations are concerned with the possibility of an "active shooter". Current advice when faced with an active shooter is "Run, Hide, Fight". But, fight with what? The potential victims of an active shooter are often prohibited from being armed, and thus having a means to fight back. Ill-conceived workplace policies, laws, and regulations take away our right to self-defense and give a distinct advantage to violent criminals - who don’t care about "gun free zones".
So, if you can, be armed always. Yes... I know. But consider the implications. Of those who died facing an armed attack, how many would have willingly disobeyed unconscionable laws, policies, and regulations in order to stay alive?
According to U.S. Bureau of Justice Statistics data, having a gun and being able to use it in a defensive situation is the most effective means of avoiding injury (more so even than offering no resistance) and thwarting completion of a robbery, assault, or other violent attack. In general, resisting violent crime is far more likely to help than to hurt, and this is especially true if your attacker attempts to take you hostage...
Called "onion field insurance" by some in reference to the 1963 murder of Officer Campbell; small, hideout guns provide that last chance at survival when you are taken hostage and faced with a violent assailant intent on killing you. These small hideout guns are much smaller than a service pistol, or even your back-up gun (which is often just a compact version of your service pistol). Hideout guns are very small and can be deeply concealed so as to avoid detection, even during a cursory search. The hideout gun might be the gun you carry when you are "not carrying a gun". The hideout gun, your "onion field insurance" is also there to save your life if you are somehow disarmed of your primary weapon. Small in size, usually of a small caliber, the hideout gun is going to be limited in effective range from about arm’s length to maybe across a large room. But if you are being forced to walk out into a dark field some night, or are trapped in your office while an active shooter is breaking through the door - that little hideout gun can be the difference life and death.
One of the smallest and most easily concealed hideout guns is the North American Arms Pug, chambered in .22 magnum. This micro-revolver is easily concealed in a pocket, or clipped inside your waistband.
Moving up a little in size, we have the Ruger LCP-II in .380 Auto. This compact pistol (5.17" long and 3.71" tall) is also easily concealed and gives you 7 rounds (6+1) should the need arise.
And the Kahr Arms CW380 (4.96" long and 3.9" tall).
Just slightly larger than the LCP-II and Kahr CW380 is the Glock 42 (5.94" long and 4.13" tall), also in .380 Auto.
The Diamond Back DB9 is a 9x19mm pistol, in the same size range as the LCP-II, Kahr CW380, and Glock 42. Holding 6+1 rounds, the DB9 pistol gives you the advantage of the increased power of 9mm cartridge, while still maintaining a compact pistol design.
All of these little hideout guns (and others like them), have the advantage of being easily concealed. But they suffer the disadvantages of lack of power, reduced accuracy, and limited magazine capacity. As you do with your service pistol and back-up gun, you must practice with your hideout gun as well. Consider the LEOSA Basic Covert Carry / Off-Duty Proficiency Qualification Course as a standard for your hideout gun. With the Glock 42 this course might offer little challenge, but with the NAA Pug this course becomes much more problematic. Still, we must balance the ability to conceal our hideout guns against our ability to use them effectively to protect ourselves against a violent attacker.
You will also want to choose the best performing ammunition available for your hideout gun. The first and most important consideration is that it feed flawlessly. And, of course, you want to carry the best defensive ammo that you can get. My personal choice is Lehigh Defense 380 Auto 65gr Xtreme Defense Ammunition.
As with most insurance, you hope that you won't need it - and you may never need it; but if the day comes when you do... ???
Friday, December 29, 2017
Understanding Threat
There is no single solution for keeping yourself safe in cyberspace or in the physical world. Individual OPSEC and Personal Security isn’t about which tools you use; rather, it’s about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and from whom you need to protect it. Threats can change depending on where you’re located, what you’re doing, and with whom you’re working. Therefore, in order to determine what solutions will be best for you, you should conduct a threat assessment of your personal life.
When conducting this threat assessment, there are five main questions that you should ask yourself:
1. What do you want to protect?
2. Who do you want to protect it from?3. How likely is it that you will need to protect it?
4. How bad are the consequences if you fail?
5. How much trouble are you willing to go through in order to try to prevent those consequences? (Electronic Frontier Foundation, 2015)
By increasing the effort required to target you it is often possible to cause an adversary to choose a different target. Cyber-criminals, corporate spies, foreign agents, and even government investigators frequently target the ‘low-hanging-fruit’, they go after the easiest, most cost-effective targets. Even if you are the specific target an adversary is after; it is important to remember that not all adversaries have unlimited resources, nor do they have unlimited capabilities. It is quite possible to employ security that requires greater resources to defeat than an adversary has readily available.
It is also important to employ security in depth. An adversary may be able to defeat a single security measure. No security is perfect. By increasing layers of security, building depth into your security plan, the weaknesses and exploitable vulnerabilities in one security measure may be covered by the strengths of another.
Finally, remember that no security measure is of any value if it is not used. If security becomes too difficult, it will not be used regularly. The human factor is often the greatest weakness in any security program. When looking at the various security applications that we discuss here, choose the ones that you can and will employ on a regular basis. Good security employed consistently is better than great security employed occasionally.
Thursday, December 28, 2017
Apricorn Encrypted External Hard Drive
Apricorn's Aegis Padlock 3.0 is a state of the art hardware encrypted USB 3.0 portable drive. Simple and easy to use, Padlock 3.0 offers unparalleled security and supports AES XTS 256-bit encryption. Additionally, the software free design means it can be deployed without the need for Admin User rights and will work with any USB enable operating system. Completely cross compatible, the Padlock 3.0 is authenticated via the integrated keypad and can support up to 5 User PINs and an Admin PIN. The Aegis Padlock 3.0 ships with Padlock 3.0 drive with integrated USB 3.0 cable, USB 3.0 Y-extension cable, Quick Start Manual and is pre-formatted in NTFS.
The Apricorn's Aegis Padlock is an ideal solution for secure external storage of your sensitive information. The drive measures just 3.25 x 4.5 x 0.75 inches, so it will fit in a pocket and is easily portable, while providing a large amount (2TB) of storage. Data on the drive is AES encrypted using hardware contained in the device itself, and secured with a 6 to 16 digit number that you enter via the keypad. The drives are available with less storage space (500GB and 1TB) for a little less money, however I recommend getting the 2TB drive to ensure that you have sufficient data storage space over time.
While the AES 256 bit hardware encryption of the Apricorn Aegis Padlock is likely sufficient security for most purposes, You can also use a program like VeraCrypt to create additional secure containers on the encrypted drive. I have used the Apricorn Aegis Padlock with additional VeraCrypt containers to keep a back-up copy of my sensitive files for the past couple of years, and have not experienced any problems with the function of the drive or the security of the combined encryption.
Link to this Product on Amazon.Com:
Wednesday, December 27, 2017
Lock Picking and Lock Bumping
Most residential (home) locks can be quickly and easily bypassed by picking or bumping. This can allow an adversary covert access to your home, and if someone breaks into your home using these methods and steals your property a police report reading that there were "no signs of forced entry" can complicate any claim that you may file against your homeowner’s or renter’s insurance.
Lock picking and bumping leave little if any sign that a lock has been bypassed, and the basics of these skills can be easily learned from books, on-line video, and practice with inexpensive lockpick sets and training locks.
Some references I recommend for learning lock picking are:
Some references I recommend for learning lock picking are:
Locks: Basic Operation and Manipulation - by Schuyler Towne - YouTube Channel
Padlock Shim Video - ITS Tactical - How to Open a Padlock with a Coke Can
EZ Decoder: Easily Decipher or Bypass a Multi-Wheeled Combination Lock
Padlock Shim Video - ITS Tactical - How to Open a Padlock with a Coke Can
EZ Decoder: Easily Decipher or Bypass a Multi-Wheeled Combination Lock
I also highly recommend these two books by Deviant Ollam:
Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks
High-security locks can prevent successful picking and bumping attacks by all but the most skilled locksmiths. For high-security deadbolt locks I recommend either Medeco or Mul-T-Lock brands. Both of these manufacturers produce high-quality locks that are extremely resistant to picking and bumping. This high quality is also reflected in the high price of these locks, which can be four or five times the price of more common residential deadbolt locks. Still, if your threat model includes the possibility of surreptitious entry into your home, top quality locks are going to be worth the extra cost.
Some have recommended the Kwikset or Wiser Smart Key deadbolt lock as an inexpensive "pick and bump proof" lock. I do not recommend this lock type because it can be easily bypassed as can be seen in this video.
It should be understood that any lock (even Medeco and Mul-T-Lock) can be defeated given enough time and sufficient skill by the attacker. What we hope to do by using high-security locks is prevent the majority of individuals with lock picking skills from being able to bypass our locks and defeat our security.
Also, when installing high-security locks it is essential that they be properly installed and that your doors be reinforced to prevent them from being easily kicked in. The Victoria, TX Police Department has an excellent video "Home Security Tips: How a 50 cent investment can dramatically strengthen your doors" that shows a simple method of improving the strength of your doors. I also recommend that you include reinforcement on your doors with a product like Door Armor MAX which will defeat many forced entry attacks. Finally, when you are at home you may want to add additional security to your doors. The Defender High Security Door Reinforcement Lock (placing one on the top third of the door and one on the bottom third of the door) or the Nightlock Security Lock Door Barricade are options that you might want to consider.
Tuesday, December 26, 2017
OPSEC Resources
https://www.facebook.com/AirForceOST/
https://www.facebook.com/USArmyOPSEC/
https://www.facebook.com/NavalOPSEC/
https://www.facebook.com/Joint.OPSEC.Support/
https://www.facebook.com/OPSECforFamilies/
*** OPSEC Resources ***
National OPSEC Program - Interagency OPSEC Support Staff
Naval Operations Security Support Team
http://www.navy.mil/ah_online/OPSEC/
http://www.navy.mil/ah_online/OPSEC/
OPSEC Professionals Association
Individual OPSEC & Personal Security (September 2017)
US DOD Education Activity - OPSEC
MARSOC - OPSEC Smart Cards
US Army CID, Cyber Crime Investigation Unit Advisories
http://www.cid.army.mil/cciu-advisories.html
DoD Social Media Hub
http://dodcio.defense.gov/Social-Media/
*** On-Line OPSEC Training ***
OPSEC Awareness for Military Members, DoD Employees and Contractors
OPSEC Fundamentals
New Faces of Threat Computer Based Training
Operational Security (OPSEC) for Control Systems
https://ics-cert-training.inl.gov/lms/
https://ics-cert-training.inl.gov/lms/
Identifying and Safeguarding Personally Identifiable Information (PII) Version 2.0
https://securityawareness.usalearning.gov/piiv2/index.htm
https://securityawareness.usalearning.gov/piiv2/index.htm
Alt.Anonymous.Messages
Alt.Anonymous.Messages is a newsgroup that allows the anonymous posting of encrypted messages. You can view the newsgroup through Google. However, you should not post to the Alt.Anonymous.Messages newsgroup from Google as this would totally defeat the anonymity of your message (although the content could still be protected with encryption).
One of the best ways to use Alt.Anonymous.Messages is by using the program A.A.M. Direct.
A.A.M. Direct is a newsgroup reader and posting program whereby two or more people can communicate through the alt.anonymous.messages newsgroup using anonymous hsub subjects. A.A.M. Direct might be better explained and understood to be a type of email system whereby two or more people can communicate privately (and anonymously) without having to open and use an email account. The message text is automatically encrypted and transmitted by a secure TLS connection to a free news group server and placed out in the alt.anonymous.messages newsgroup under a continuously changing encrypted subject line. The program is also used to download all messages from the alt.anonymous.messages newsgroup and search out and display the messages sent to you. There is no definitive way for two communicating parties to be linked together with this system.
Tom Ritter discussed De-Anonymizing Alt.Anonymous.Messages at Defcon 21 (2013). It is worth watching his presentation on YouTube.
So, what's the bottom line? While it is possible to analyze A.A.M. traffic, the procedure to do so is complex. If you want to communicate with someone, while limiting knowledge of the existence of a connection between the two of you, using Alt.Anonymous.Messages and A.A.M. Direct is an effective means of doing so. Use strong passwords in A.A.M. Direct, use different PGP keys in A.A.M. Direct than you use for other communications, use recursive encryption, and consider using multiple Nyms to disrupt traffic analysis.
Once both you and a person with whom you want to communicate anonymously have downloaded and set up A.A.M. Direct, you must exchange your A.A.M Direct PGP public keys. (Be careful here as this can result in identification of a direct connection between the two of you.)
You then use A.A.M. Direct to encrypt a message with that person's public key and post it to Alt.Anonymous.Messages. At some point that person downloads the latest group of messages posted to Alt.Anonymous.Messages and is able to decrypt and read those messages encrypted with his / her public key. Messages never pass directly between the two of you, and many people will download the encrypted messages, but be unable to read any message that is not encrypted with their public key.
Monday, December 25, 2017
Disposable E-mail Addresses
When you register at a web-site you are often asked to provide your e-mail address to complete the registration process, and soon thereafter your inbox is filled with Spam from that web-site, and from every other organization with which they share their marketing list. Order a product on-line, and you are asked for your e-mail address. Whether you want to be or not, you are then added to that company’s marketing list.
Disposable e-mail addresses let you provide a working e-mail address that lasts for a few minutes to a few days, and then deletes itself. You can use these disposable addresses to register at a web-site, order an item, or receive a message from someone without providing your actual, personal e-mail address.
Some disposable e-mail providers include:
10 Minute Mail - https://10minutemail.com/
10 Minute Mail provides you with a disposable e-mail address that lasts, as the name would imply, ten minutes, and then deletes itself. While on the 10 Minute Mail web-site you can reset the self-destruct countdown back to ten minutes by clicking the “10 More Minutes” button, but once the countdown reaches zero that e-mail address is gone forever. E-mail sent to your 10 Minute Mail address appears as links on the web-site, allowing you to open, read, and reply to the e-mail. A 10 Minute Mail e-mail address looks something like this t585985@mvrht.net.
10 Minute Mail provides you with a disposable e-mail address that lasts, as the name would imply, ten minutes, and then deletes itself. While on the 10 Minute Mail web-site you can reset the self-destruct countdown back to ten minutes by clicking the “10 More Minutes” button, but once the countdown reaches zero that e-mail address is gone forever. E-mail sent to your 10 Minute Mail address appears as links on the web-site, allowing you to open, read, and reply to the e-mail. A 10 Minute Mail e-mail address looks something like this t585985@mvrht.net.
MailDrop - https://maildrop.cc/
MailDrop lets you make up any name you want and prepend it to the @maildrop.cc domain. E-mail sent to that e-mail address is posted to a publicly accessible web-site, where if you know the e-mail address you can access the e-mail. A MailDrop inbox holds a maximum of ten e-mail messages, and the inbox is deleted after 24 hours on no activity. When using MailDrop it is important to understand that anyone who knows the e-mail address can access the inbox for that address. A hard-to-guess user name, such as Gve8TTyz2, can add a little privacy to your MailDrop address – but just a little. If you need a little more privacy with your e-mail address, MailDrop creates an alias for each e-mail address. E-mail sent to the alias address will also show up in your inbox, but people cannot view the alias address inbox without knowing the original address.
MailDrop lets you make up any name you want and prepend it to the @maildrop.cc domain. E-mail sent to that e-mail address is posted to a publicly accessible web-site, where if you know the e-mail address you can access the e-mail. A MailDrop inbox holds a maximum of ten e-mail messages, and the inbox is deleted after 24 hours on no activity. When using MailDrop it is important to understand that anyone who knows the e-mail address can access the inbox for that address. A hard-to-guess user name, such as Gve8TTyz2, can add a little privacy to your MailDrop address – but just a little. If you need a little more privacy with your e-mail address, MailDrop creates an alias for each e-mail address. E-mail sent to the alias address will also show up in your inbox, but people cannot view the alias address inbox without knowing the original address.
GuerrillaMail - https://www.guerrillamail.com/
GuerrillaMail provides you with a disposable e-mail address that allows you to receive messages, as well as compose e-mail to send to others. Composed e-mail may include attachments of up to 150MB. GuerrillaMail doesn't require account registration, anyone who knows the Inbox ID may have access to that inbox, so it's best to use a random address. To add protection, you can use the Scramble Address feature. GuerrillaMail deletes all email that was delivered to an inbox after 1 hour.
GuerrillaMail provides you with a disposable e-mail address that allows you to receive messages, as well as compose e-mail to send to others. Composed e-mail may include attachments of up to 150MB. GuerrillaMail doesn't require account registration, anyone who knows the Inbox ID may have access to that inbox, so it's best to use a random address. To add protection, you can use the Scramble Address feature. GuerrillaMail deletes all email that was delivered to an inbox after 1 hour.
YOPmail - http://www.yopmail.com/en/
YOPmail lets you choose any e-mail address @YOPmail.com. YOPmail is accessible to anyone who knows the inbox name (e-mail address), but YOPmail provides you with an e-mail alias to provide a little extra security for your e-mail. Messages are kept for 8 days and then deleted. You can also manually delete messages when you read them. Sending e-mail from YOPmail to external addresses is prohibited. You can however, send an anonymous email to another YOPmail address.
YOPmail lets you choose any e-mail address @YOPmail.com. YOPmail is accessible to anyone who knows the inbox name (e-mail address), but YOPmail provides you with an e-mail alias to provide a little extra security for your e-mail. Messages are kept for 8 days and then deleted. You can also manually delete messages when you read them. Sending e-mail from YOPmail to external addresses is prohibited. You can however, send an anonymous email to another YOPmail address.
There are several other disposable e-mail providers that can be found with your favorite search engine. Experiment with several of them and find a couple that offer the features you like. Using a disposable e-mail address is a good way to help protect your personal privacy and defend against Spam and phishing.
E-mail Forwarding...
Sometimes you may want to receive multiple e-mails from someone, such as when you subscribe to a blog or newsletter, but you don’t want to provide your personal e-mail address. This is where e-mail forwarding is useful. Two e-mail forwarding services that I like are:
33 Mail - https://33mail.com
With 33 Mail you sign up and pick a username, for example, "joesmith". Now, any email address ending with ...@joesmith.33mail.com will be forwarded to you. The next time you visit a website that asks for your email address, instead of giving them your real email address, just make one up especially for them.
With 33 Mail you sign up and pick a username, for example, "joesmith". Now, any email address ending with ...@joesmith.33mail.com will be forwarded to you. The next time you visit a website that asks for your email address, instead of giving them your real email address, just make one up especially for them.
Not Sharing My Info - http://notsharingmy.info
Provide your e-mail address to Not Sharing My Info and they generate an e-mail alias for you. All e-mail sent to your @notsharinmy.info e-mail address is forwarded to the e-mail address you provided when signing up for your account.
Provide your e-mail address to Not Sharing My Info and they generate an e-mail alias for you. All e-mail sent to your @notsharinmy.info e-mail address is forwarded to the e-mail address you provided when signing up for your account.
With both 33 Mail and Not Sharing My Info, if you start receiving Spam at one of your alias e-mail addresses you can simply delete that alias and receive no further e-mail from it. E-mail forwarding helps protect your privacy, and helps you identify the source of data breaches - if you provide an e-mail address to only one company you will know the source of the compromise if you start receiving Spam through that e-mail address.
Sunday, December 24, 2017
Season's Greetings
How did you think he knows who's been naughty and who's been nice?
Learn how to stay off of Santa's 'Naughty List'...
Read the Chesbro on Security blog.