Saturday, January 13, 2018

Kaspersky and the FSB


There was an interesting article in the Moscow Times today "The Specter of Kaspersky Looms Over Russian Cybersecurity Firms". I have highlighted a few passages from the article below, and encourage you to read the entire article if you work, travel, or communicate with friends, family, or business associates in Russia. Although it is no surprise to the Russians, all communications in Russia are monitored by the FSB, and the Russian government maintains escrowed encryption keys that allow the FSB to access all encrypted communication. This ability to monitor communications and have access to escrowed encryption keys is the goal and intent of the FBI in America, in their "Going Dark" debate.

Russian hackers have also struck fear in Western governments and voters. U.S. authorities have accused them of breaking into the servers of the Democratic National Committee and the emails of Hillary Clinton’s campaign staff.

Kaspersky Lab, Russia’s most successful cybersecurity firm and the only one to have established a firm presence abroad, has been accused of cooperating with Russia’s Federal Security Service (FSB) - one of the intelligence agencies accused of directing the hacks.

As a large cybersecurity firm, Kaspersky is a natural ally of Russian intelligence agencies in catching cybercrooks. It is a role that Eugene Kaspersky, the co-founder of the company that carries his name, has welcomed.

That the company has a relationship with intelligence agencies is not unusual, says Mark Galeotti, the coordinator of the Center for European Security at the Institute of International Relations Prague.
"Any major cybersecurity company will have a relationship with the intelligence agency in its country," he says. "If Kaspersky was based in Manchester, it would have a connection with British intelligence."

Until recently, Kaspersky’s close connection with the FSB was not a major worry in the United States.

As Soldatov explains, prior to allegations that it interfered in the 2016 U.S. presidential elections, the FSB was well regarded in the West. In the war against terror, the agency was viewed as an ally, especially after it tried to warn the United States about the Boston bombers.
Whether or not Kaspersky believes his company has helped the FSB spy, however, might be beside the point.

There are legal structures in Russia that render the work of cybersecurity companies transparent to the FSB, says Soldatov. As he puts it, for cybersecurity firms based in the country, the agency is "impossible to escape." That’s because encryption developers are required to procure a license from the FSB that "allows the agency access to everything they do."

There are also laws that allow the Russian government to surveil the country’s internet service providers through a system called the System of Operative-Investigative Measures, or SORM. In October, an American industry official who was briefed by the FBI on Kaspersky Lab pointed to that system as a key concern.

"Whether Kaspersky is working directly for the Russian government or not doesn’t matter; their internet service providers are subject to monitoring," he told the Washington Post. "So virtually anything shared with Kaspersky could become the property of the Russian government."

And a lot is shared with Kaspersky. Because, by definition, antivirus software is invasive. When users download it to their computers, they give the software free rein to rifle through their data for malware. What is recognized as malware is then sent back to Kaspersky headquarters in Moscow, where it is analyzed for threats.

There are also informal structures in Russia the firms must navigate, says Soldatov. These are the so-called siloviki - officials from the country’s military and security agencies, like the FSB, who have their own interests to satisfy.

The agency could have easily planted its own people in the company, says Michael Kofman, a researcher at the Washington-based Wilson Center focusing on security in Russia. "The most effective resource is an organization that doesn't know it's being used," he says.

In effect, Galeotti says, there is simply not much a cybersecurity firm in Russia can do to maintain its autonomy. "If you’re operating in Russia," he says, "you have to accept all the rules of the game."

Friday, January 12, 2018

OPSEC Fundamentals Course


The Operations Security Professional's Association (OSPA) is a non-profit organization dedicated to providing free OPSEC tools, resources, and training. OSPA offers a free, open to the public, "OPSEC Fundamentals" course that you can complete on-line. The course consists of two lessons and a final assessment. If you pass the short end-of-course assessment you will earn an OSPA certificate of completion.


The "Going Dark" Debate


Don't Panic. Making Progress on the "Going Dark" Debate
A report from the Berkman Center for Internet and Society at Harvard University
February 1, 2016

The decisions of Apple, Google, and other major providers of communications services and products to enable end-to-end encryption in certain applications, on smartphone operating systems, as well as default encryption of mobile devices, at the same time that terrorist groups seek to use encryption to conceal their communication from surveillance, has fueled [the "Going Dark"] debate.

The U.S. intelligence and law enforcement communities view this trend with varying degrees of alarm, alleging that their interception capabilities are "going dark." As they describe it, companies are increasingly adopting technological architectures that inhibit the government's ability to obtain access to communications, even in circumstances that satisfy the Fourth Amendment's warrant requirements. Encryption is the hallmark of these architectures. Government officials are concerned because, without access to communications, they fear they may not be able to prevent terrorist attacks and investigate and prosecute criminal activity. Their solution is to force companies to maintain access to user communications and data, and provide that access to law enforcement on demand, pursuant to the applicable legal process. However, the private sector has resisted. Critics fear that architectures geared to guarantee such access would compromise the security and privacy of users around the world, while also hurting the economic viability of U.S. companies. They also dispute the degree to which the proposed solutions would truly prevent terrorists and criminals from communicating in mediums resistant to surveillance.

The FBI discusses the going dark issue on its web-page, saying "Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called the "Going Dark" problem. Law enforcement faces two distinct Going Dark challenges. The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge concerns "data at rest" - court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos. Both real-time communications and stored data are increasingly difficult for law enforcement to obtain with a court order or warrant. This is eroding law enforcement’s ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent."

An article on Deep Dot Web made a counter argument stating “Going dark–this is a crock. No one’s going dark. I mean really, it’s fair to say that if you send me a message and it’s encrypted, they can’t get that without going to you or to me, unless one of us has it in our cloud at this point. But we shouldn’t all be fixated just on what’s not available. We should take a step back and look at the total that’s available, because there’s a mountain of information about us.” Grossman, Lev. “Apple CEO Tim Cook: Inside His Fight With the FBI.” Time, 17 Mar. 2016. Web. 12 May 2017. “Going Dark” is a myth. State hackers possibly outrank the FBI in a cat and mouse scenario. Not singular entities. Not darknet marketplace vendors. Not CP forum owners. The FBI simply wants their job easier. Not an unreasonable desire as encryption can be a pain to deal with. But their argument is backed up by numerous success stories, proving the exact opposite of what they claim.

My personal opinion is in favor of strong encryption. Yes, this may on occasion make it more difficult for law enforcement to obtain information they want during an investigation, but I believe that the advantages of strong encryption far outweigh any risks posed to law enforcement investigations. Weakening encryption creates a backdoor that can be exploited by hackers and other criminals, and there is no guarantee that the government could protect an escrow / law enforcement decryption key from being compromised. Just look at the number of data breaches that have occurred, or something as simple as TSA being unable to safeguard the master keys to "TSA Approved Travel Locks". Simply put, if we accept weakened encryption and escrowed keys, our encryption will in time be compromised.

Mary had a crypto key.
She kept it in escrow.
And everything that Mary said the Feds were sure to know.

Thursday, January 11, 2018

Flying with Firearms


At DEFCON 17, Deviant Ollam discussed flying with firearms. His talk is available on YouTube here: DEFCON 17 - Deviant Ollam - Packing and the Friendly Skies.

Deviant Ollam is now presenting a 3-part series about Flying with Firearms, on the Firearms Blog. The first two articles in the series are available below, and the third article will be published soon.

Packing in the Friendly Skies - Basic Training for Flying with Firearms

When Things Go Pear Shaped - Packing in the Friendly Skies - Article 2

The NRA-ILA webpage "Flying with Firearms - Get the Facts" is also worth reading. As is their web-page "Guide To The Interstate Transportation Of Firearms".

I travel frequently with firearms, and generally don't have any problems, but it pays to fully understand the procedures for transporting your firearms and to plan ahead for dealing with security procedures, and in some cases violations of your rights by over-zealous law enforcement and security personnel. Although most travel will go smoothly, be prepared for surprises. TSA may clear your guns at departure, only to have some other TSA agent cut your locks off somewhere between your departure gate and your final destination. They’re not supposed to do that, but it happens.

A CNN analysis of passenger property loss claims filed with the TSA from 2010 to 2014 shows 30,621 claims of missing valuables, mostly packed in checked luggage. The rest occurred at security checkpoints. Total property loss claimed: $2.5 million.

So, should you travel with your firearms? Yes, absolutely! But, understand how to do so securely.



Properly Paranoid

Properly Paranoid - A YouTube Privacy Series from Nixie Pixel
  • Four Free Browser Tools for Privacy on the Net - Properly Paranoid
  • Creepy Things They Know About You
  • Brute-forcing your Box : Password Security
  • Set Up a Secure Network / File Sharing Server in 5 Minutes
  • Password Managers : Why You Need Them - Keepass

Wednesday, January 10, 2018

Encryption Wizard

Encryption Wizard (EW) https://www.spi.dod.mil/ewizard.htm is simple, strong, Java-based file and folder encryption software, developed by the American military, for protection of sensitive information. EW encrypts all file types for data-in-transit protection, and supplements data-at-rest protection. Without requiring a formal installation or elevated privileges, EW runs on Microsoft Windows, Mac OS X, Linux, Solaris, and many other operating systems. Behind its simple drag-and-drop interface, EW offers 128- or 256-bit AES encryption, several secure hashing algorithms, searchable metadata, encrypted archives with compression, secure file deletion (often called "scrubbing" or "shredding"), and PKI/CAC/PIV support.

EW Public Edition may be downloaded and used by anybody at no charge. It uses the cryptography support already present in Java. It contains all the important features of EW and serves as a good introduction to the software. EW Government Edition is FIPS 140-2 validated. It uses a third-party cryptography module licensed for use by Federal employees and contractors only. EW Unified Edition is FIPS 140-2 validated, and may be downloaded and used by anybody at no charge. It uses a third-party (Bouncy Castle) cryptography module with no distribution restrictions. The Unified edition requires that your Java installation be permitted to use 256-bit keys, even if you never actually use anything stronger than normal 128-bit keys. The three editions (Public, Government, and Unified) are interoperable.

EW Public Edition doesn't provide its own implementation of AES; it just uses whatever is supplied by your Java Runtime Environment. The AES algorithms and their underlying Rijndael ciphers are well known, publicly available, and extensively analyzed. No feasible attacks against AES have yet been demonstrated.

Is there a backdoor in EW? The software authors say no, explaining that a backdoor to a system needs a key. If the key to a backdoor were to get out (whether by accident, malfeasance, or disgruntled employees is irrelevant), then whatever is protected by that system becomes vulnerable. Given that the primary use of Encryption Wizard is to protect sensitive information relevant to the US DoD, inserting a master backdoor would be dangerously risky and profoundly shortsighted.

Can Encryption Wizard be trusted? Yes, probably, as much as any encryption software can be trusted. It provides strong encryption that is more than sufficient for most personal or business use. Encryption Wizard is particularly useful for encrypted communication between US Government agencies and other agencies and organizations that don't have compatible PKI encryption.


Tuesday, January 9, 2018

FBI chief calls encryption a ‘major public safety issue’


FBI Director Christopher A. Wray on Tuesday [January 9, 2018] renewed a call for tech companies to help law enforcement officials gain access to encrypted smartphones, describing it as a "major public safety issue." Wray said the bureau was unable to gain access to the content of 7,775 devices in fiscal 2017 - more than half of all the smartphones it tried to crack in that time period - despite having a warrant from a judge. "Being unable to access nearly 7,800 devices in a single year is a major public safety issue," he said, taking up a theme that was a signature issue of his predecessor, James B. Comey. (Washington Post)

Unintended consequences

Technology companies as well as many digital security experts claim that the FBI’s attempts to order all devices to have a way for investigators to access a criminal suspect’s phone would harm internet security while also empowering malicious hackers.

Any laws that have the effect of weakening the encryption schemes used by popular Internet services could have unintended consequences, according to the chief technology officer of security software vendor Sophos.

"I think it’s unreasonable to ask anyone who writes any kind of software to intentionally weaken the security of that software, whether that’s in the form of introducing a backdoor or whether it’s in the form of creating this kind of a ‘reversible crypto scheme’ where data could subsequently be decrypted even by authorized party," Joe Levy, CTO at Sophos, told Computerworld in an interview conducted in late 2017.

"No matter how you slice it, you’re basically asking the vendor to weaken the security of the product."

"It might be requested with the very best of intentions and certainly fighting terrorism is a very important and a very noble goal, but there’s this unintended consequence of creating these vast exposures that are inevitably going to be exploited by some bad actor," Levy said.

"You can’t just trust that it will only be the government who is going to have that key or have that ability to decrypt content. You just have to expect that, with knowledge that this capability exists in the product, that bad actors are going to seek to exploit that, especially when you have any kind of a centralization of an ability to do that."

"It’s basically an advertisement saying ‘come and attack me; this will give you the keys to the kingdom’," the CTO said. (Computer World)

Disguised and Concealable Weapons

 
Everyday law enforcement, security, and intelligence personnel are faced with potential threats from disguised and concealable weapons. By being aware of what’s out there, it becomes easier to recognize a threat and take action to protect ourselves against it. Likewise, in undercover situations, unconventional and special operations it may be possible to adopt certain of these weapons to give us the advantage over an adversary.

Below are examples of some of these disguised and concealable weapons. Whenever possible I have linked to a major retailer (i.e. Amazon.Com) or to the web-site of the company producing the item listed. Any item that can be easily found or purchased on-line should be considered commonplace and is something that may very likely be encountered in the field.

I would like to acknowledge the work of Wendy Kierstead, CCA, of the Brunswick, Maine Police Department. For several years Ms. Kierstead published a law enforcement safety handbook, identifying unusual weapons and concealment devices. Ms. Kierstead’s work contributed significantly to officer safety and very probably saved lives by making officers aware of new and unique threats they might come up against in the field. Ms. Kierstead has since retired from the Brunswick Police Department, but the last update of her work (2006) can still be found on-line (http://www.icops.org/PDFs/LawEnforcementSafetyHandbook.pdf) and is still contributing to officer safety.

In 2012, I published an updated Catalog of Unique, Concealed & Disguised Weapons, Concealments, Escape Techniques, Tactics & Tradecraft which is available from Archive.Org.

The Los Angeles County Sheriff's Department published a guide to Improvised Weapons and Other Officer Safety Concerns, which is available on the Public Intelligence web-site.



Monday, January 8, 2018

Private Browsing


When you browse the Internet normally, your web browser stores data about your browsing. Your browser logs websites that you visit in your browser history, saves cookies from the website, and stores form data it can autocomplete later. It also saves other information, such as a history of files you’ve downloaded, passwords you’ve chosen to save, searches you’ve entered in your browser’s address bar, and bits of web pages to speed page load times in the future (in the web cache).

Privacy mode or "private browsing" or "incognito mode" is a privacy feature in some web browsers to disable browsing history and the web cache. This allows you to browse the Internet without storing local data that could be retrieved by someone examining your computer at a later date. Privacy mode will also disable the storage of data in cookies and Flash cookies. Privacy mode also includes tracking protection, which prevents companies from tracking your browsing history across multiple sites.

This privacy protection applies only to the local computing device: the web server still sees your IP address and can associate it with the pages you visit. Privacy mode doesn't make you anonymous on the Internet. Your Internet service provider, employer, or the sites themselves can still track what pages you visit. Privacy mode also doesn't protect you from keyloggers or spyware that may be installed on your computer.

Privacy mode doesn't make you invisible on the Internet, but it does block web-sites from recognizing that you've been there before, or from putting cookies on your computer so that they know when you come back again.

To open private browsing in different browsers, use the following key combinations:
  • Internet Explorer = Control+Shift+P
  • Mozilla Firefox = Control+Shift+P
  • Google Chrome = Control+Shift+N

Have I Been Pwned?

 
I have always encouraged people to check their email addresses on sites such as HaveIBeenPwned (https://haveibeenpwned.com/). If present, your account is included in a known breach, and you should change your passwords immediately. This site has been the standard as far as reported breaches, and the owner stays on top of the latest threats.

A similar site is Hacked-Emails (https://hacked-emails.com/). Hacked Emails constantly scans paste sites and other release resources, and immediately updates its database. This may be redundant information, but the constant update could reveal a compromised account that may not be present on other similar sites. Overall, I now check both of these services regularly for any of my email addresses that may have been compromised.
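If you check more than a handful of addresses, doing it by hand gets old. The script below is an added example written for this post (not code from Have I Been Pwned or its owner) that queries the HIBP v3 "breachedaccount" endpoint for a list of addresses and flags the breaches that exposed passwords, which are the ones that call for an immediate password change. It assumes you have an HIBP API key in the HIBP_API_KEY environment variable; the SAMPLE_RESPONSE and the breach names in it are constructed for illustration and are not real breaches.

```python
"""Check e-mail addresses against Have I Been Pwned (HIBP) breach data.

Added example for this post; not code from HIBP. Assumptions: an HIBP v3 API
key is available in the HIBP_API_KEY environment variable, and the API behaves
as documented (JSON array of breach objects, HTTP 404 when the account is not
in any breach, HTTP 429 when rate limited).
"""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Constructed sample response in the shape HIBP returns; these are NOT real breaches.
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleSite", "Title": "Example Site", "Domain": "example.com",
     "BreachDate": "2017-06-01", "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "OtherForum", "Title": "Other Forum", "Domain": "forum.example",
     "BreachDate": "2015-02-11", "DataClasses": ["Email addresses", "Usernames"]},
])


def parse_breaches(body):
    """Turn the JSON array HIBP returns into (name, breach_date, data_classes)
    tuples, newest breach first. A 404 means 'not in any breach'; callers pass
    None for that and get an empty list."""
    if body is None:
        return []
    breaches = json.loads(body)
    parsed = [(b.get("Name", "?"), b.get("BreachDate", "0000-00-00"),
               tuple(b.get("DataClasses", []))) for b in breaches]
    return sorted(parsed, key=lambda t: t[1], reverse=True)


def needs_password_change(breaches):
    """Names of breaches whose leaked data classes include passwords: any of
    these means the password used on that site (and anywhere it was reused)
    should be treated as compromised."""
    return [name for name, _date, classes in breaches if "Passwords" in classes]


def query_hibp(account, api_key, user_agent="hibp-check-example"):
    """Fetch raw JSON for `account`; return None if HIBP has no breach for it.
    This is the only function that touches the network."""
    url = HIBP_BREACHED + urllib.parse.quote(account) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # account not found in any breach
        if err.code == 429:
            raise RuntimeError("rate limited by HIBP; slow down and retry") from err
        raise


def check_accounts(accounts, api_key, delay=2.0):
    """Query each address with a pause between requests (the API is rate
    limited) and return {account: (breaches, names_needing_password_change)}."""
    results = {}
    for account in accounts:
        breaches = parse_breaches(query_hibp(account, api_key))
        results[account] = (breaches, needs_password_change(breaches))
        time.sleep(delay)
    return results


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    if not key or len(sys.argv) < 2:
        sys.exit("usage: HIBP_API_KEY=... python hibp_check.py addr1 [addr2 ...]")
    for acct, (found, change) in check_accounts(sys.argv[1:], key).items():
        status = "clean" if not found else f"in {len(found)} breach(es)"
        print(f"{acct}: {status}")
        for name, date, classes in found:
            print(f"  {date} {name}: {', '.join(classes)}")
        if change:
            print(f"  CHANGE PASSWORDS NOW (passwords exposed in: {', '.join(change)})")
```

The parsing and triage are kept separate from the network call so the logic can be exercised offline against a captured response, and so the script can be swapped to another breach source (such as the Hacked-Emails site mentioned above) without touching the triage.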


Sunday, January 7, 2018

EasyCrypt - Email Privacy Crash Course


EasyCrypt is a cutting edge e-mail privacy service that provides end-to-end encryption, metadata protection and anonymity, at your existing email address. In 2016, EasyCrypt published an excellent, six part series called the "E-mail privacy crash course". I highly recommend reading this series if you are interested in learning more about e-mail privacy.

While I recommend reading the "E-mail privacy crash course", I am not recommending the EasyCrypt encryption service at this time. This has nothing to do with any flaws or vulnerabilities in the EasyCrypt system, rather I simply haven't used it long enough to provide a good evaluation and recommendation. That being said, I always encourage readers to test new privacy and security applications and let me know your thoughts and recommendations after you have used something for a while.

Email privacy crash course - Part 1: Introduction

Email privacy crash course - Part 2: Encryption

Email privacy crash course - Part 3: Metadata and Anonymity

Email privacy crash course - Part 4: Usability vs. Security

Email privacy crash course - Part 5: Ubiquity and People Network

Email privacy crash course - Part 6: Make your choice