Saturday, March 3, 2018
U.S. v. Microsoft Has Big Implications for Data Privacy & Security
Wired Magazine reporting on U.S. v. Microsoft, a case before the US Supreme Court has stated that "Five years ago, US law enforcement served Microsoft a search warrant for emails as part of a US drug trafficking investigation. In response, Microsoft handed over data stored on American servers, like the person’s address book. But it didn’t give the government the actual content of the individual’s emails, because they were stored at a Microsoft data center in Dublin, Ireland, where the subject said he lived when he signed up for his Outlook account. In a case that begins Tuesday, the Supreme Court will decide whether those borders matter when it comes to data.
As the case has worked its way through appellate courts, Microsoft has taken the position that US law enforcement needs to go through Irish authorities if they want to obtain the emails. The United States has a Mutual Legal Assistance Treaty with Ireland, as it does with over 60 other countries and the European Union. Microsoft holds that US law enforcement could simply use the MLAT to ask Irish authorities for help.
The Justice Department argues that the warrant issued in the US should suffice, without needing to deal with Ireland to obtain the emails. It says the warrant is valid not because it has international reach, but because the actions required for Microsoft to obtain the data could take place within the United States. In other words, the government is saying that copying or moving the subject’s emails stored in Ireland isn’t search and seizure - only directly handing the emails to the US government is."
Commenting on Internet security, renowned security expert Bruce Schneier has stated: "If there's a lesson here, it's that the Internet constantly generates data about what people are doing on it, and that data is all potential evidence. The FBI is 100% wrong that they're going dark; it's really the golden age of surveillance, and the FBI's panic is really just its own lack of technical sophistication."
Active Shooter and Kidnapping Response
This document provides active shooter and kidnapping response tips. While it was designed to accompany an OSAC Annual Briefing whitepaper on terrorism in the Sahel, insights are not terrorism or region-specific. U.S. private-sector organizations that operate in a variety of environments and face active shooter and/or kidnapping threats may find these tips useful.
This report is only available in a PDF, which can be found on the OSAC web-page, to the right under "Attachments."
Friday, March 2, 2018
Covert Communications
Covert communication channels are used for the secret transfer of information. Encryption only protects communication from being understood by unauthorized parties, whereas covert communication channels aim to hide the very existence of that communication.
The Electronic Frontier Foundation (EFF) has an excellent web-page about "Communicating with Others". The page discusses communication in detail, and makes an argument for the importance of end-to-end encryption of our communications. A very important part of this page is the section that describes what encryption does not do. The EFF points out that while end-to-end encryption will protect the content of your communication, it does not protect your metadata. Metadata can provide extremely revealing information about you even when the content of your communication remains secret.
Metadata can give away some very intimate and sensitive information. The EFF provides the following examples:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.
To communicate covertly you must hide any connection that you have with the person with whom you are communicating. This means no direct communications - no telephone calls, no exchange of e-mails, and no communication through messaging apps.
Let us assume that Bob wants to communicate with Alice. Unfortunately, Eve is able to monitor Bob’s activity and recover the metadata from his communications. Bob uses strong encryption so Eve is unable to read the content of Bob’s messages, but she really only needs to show a connection between Bob and Alice to make her case.
One possible way for Bob and Alice to communicate is through Alt.Anonymous.Messages.
Both Bob and Alice can post anonymous, encrypted, messages to this newsgroup. Users of Alt.Anonymous.Messages all download the latest group of posted messages, but can only read those messages encrypted with their own PGP public key. While Bob and Alice might be shown to both be using Alt.Anonymous.Messages, so too are thousands of other people - so there is no direct connection between Bob and Alice that Eve can see.
Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. Bitmessage uses the blockchain concept for communication. Using Bitmessage you download an entire block of messages, but are only able to read those messages that are encrypted to you.
Ricochet Chat App uses the TOR network to reach your contacts without relying on messaging servers. It creates a hidden service, which is used to rendezvous with your contacts without revealing your location or IP address. Because Ricochet operates on the TOR network, someone monitoring your activity can see that you are connected to TOR, but is unable to see any of your connections inside of the network.
TOR - Whenever possible communication should be made through the TOR Network. TOR helps to anonymize your on-line activities and prevents anyone who might be monitoring your activities from seeing what you are doing.
A technique used by CIA Director General David Petraeus & US Army Intelligence Officer Paula Broadwell was to have shared access to an on-line e-mail account. Both Petraeus and Broadwell knew the user name and password to the e-mail account. Each could log-in and write a message to the other, but instead of sending the e-mail they just saved the draft in the account. No e-mail was ever sent or received from this account, they just logged-in, read the draft message and replied with another draft message. The downfall to this communication plan was that both Petraeus’ and Broadwell’s IP addresses were associated with this account. Had they accessed the e-mail account always through the TOR network, and had each draft message been encrypted before being saved, this technique would have been more secure.
Steganography involves techniques for concealing the fact that a secret message is being sent as well as concealing the contents of the message. There are several steganography programs available, and one that I recommend is Open Puff. Using steganography, messages can be encrypted and hidden in graphic or audio files that are posted to a public area (such as a blog or podcast). Anyone can see and download the container file, but only those who are aware of the hidden message and have the program necessary to reveal and decrypt the message can retrieve it. When posting to a public site, it is important to make sure that the posted files are not altered (compressed) thus destroying the hidden message. For example, posting to Facebook usually destroys any message hidden in a photo because compresses all uploaded photos.
Regardless of the covert communications channel you choose to use, you will have to have some type of an initial meeting with your communication partners to set-up and test this channel. Take extreme precautions here, because a mistake at this time can later reveal a connection. If you set up a shared e-mail account, the IP address used when creating the account is probably recorded. If that IP address can be tied to you, that could disclose your identity.
You will need to share encryption keys and passwords. These keys and passwords should only be used inside of the covert communications channel. If you use a PGP key for covert communication and also use that key for other communications you have established a link between your overt and covert communications.
Covert communications channels help hide the existence of communications and connections between specific individuals, but it is also important that those channels are secured in case the are discovered. Assume that even covert communications channels are being monitored, and always take precautions to keeps your messages inside of those channels secure.
Dead Drops
Another form of covert communication is the dead drop. A dead drop or dead letter box is a method of espionage tradecraft used to pass items or information between two individuals (e.g., a case officer and an agent, or two agents) using a secret location, thus not requiring them to meet directly and thereby maintaining operational security.
The location and nature of the dead drop must enable retrieval of the hidden item without the operatives being spotted by a member of the public, the police, or other security forces - therefore, common everyday items and behavior are used to avoid arousing suspicion. Any hidden location could serve, although often a cut-out device is used, such as a loose brick in a wall, a (cut-out) library book, or a hole in a tree.
The Black Scout Survival YouTube channel has a short video about dead drops: Black Scout Tradecraft- How to Use a Dead Drop, and ITS Tactical also provides information about using dead drops in their articles: Pass Information Like a Spy with Dead Drops and DIY Dead Drop Devices to Hide and Pass Messages like a Spy.
Thursday, March 1, 2018
The One-Time Pad
In cryptography, the one-time pad is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break.
There are two significant issues with using the one-time pad for communication. The first is generating a truly random key. While a true random key is difficult to generate, a pseudorandom sequence with a long enough period may offer practical security if not perfect security. The Khan Academy videos on cryptography explain in greater detail the theory behind the one-time pad. The second issue is distribution of the one-time pad. If we have a secure way of transmitting the one-time pad, which must be as long as the message, then why not use that method to transmit the message itself. But if we exchange a one-time pad ins a face-to-face meeting it can be used at a later time for secure communication.
Dirk Rijmenants has an explanation of the one-time pad on his Cipher Machines and Cryptology web-site. His paper, The Complete Guide to Secure Communications with the One Time Pad Cipher is an excellent guide to using the one-time pad for real-world secure communication. Now in most cases we will use computer-based encrypted communications, but if there is a need for strong encryption when a computer cannot be used; and if we can overcome the problems of random key generation and distribution, the one-time pad is a useful tool for protecting our sensitive communications.
One place to obtain random strings is RANDOM.ORG. Random.Org offers true random numbers to anyone on the Internet. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs.
Wednesday, February 28, 2018
Cellebrite Can Now Unlock iPhones for the US Government
According to Forbes: "The Feds Can Now (Probably) Unlock Every iPhone Model In Existence". In a February 26, 2018 article we read: "In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market. Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X... Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11."
Tuesday, February 27, 2018
What Can My ISP See?
Unless you are paying your bill or having connectivity issues, you probably don’t give much thought to your Internet Service Provider (ISP). But, you might want to take a minute to think about what your ISP knows about you. Despite the privacy precautions you take, your ISP may be able to see everything that you do on-line.
Of course, there probably isn’t someone sitting behind his desk at your ISP watching every click you make, but that doesn’t mean your browsing history isn’t getting stored somewhere on their systems. Your ISP tracks your clicks for a number of reasons. For them, your browsing history is a revenue stream. Many ISPs compile anonymous browsing logs and sell them to marketing companies. What’s more, the data your ISP collects may be accessed by outside organizations, such as the police department or another government agency. If provided with a subpoena, your ISP is legally required to provide whatever information they have on you.
Some of the things that your ISP knows about you include:
1. The exact web-sites you visit
If the web-sites you visit are unencrypted, (i.e., they still use HTTP and not HTTPS), your ISP will know the exact sites you visit. If the web-sites you visit use HTTPS, all your ISP will see is that you visited the site, but not what you do on it.
2. Your emails
If you use an email service that doesn’t use Transport Layer Security (TLS) encryption, your ISP can likely see the contents of your emails, and if your ISP is also your email service provider, they definitely can.
3. Whether you’re using BitTorrent
Your ISP can see when you use BitTorrent to download files, even if they are legal (a game update, for instance). While they may not care so much about the contents you’re torrenting as much as some corporations (who can see your IP address from the torrent, mind you), once the ISP notices you’re using bandwidth for torrenting they might throttle your download speeds.
Your ISP can see all unencrypted data that you send and receive. Remember this, and take precautions to mask your on-line activities from your ISP.
Using a Virtual Private Network (VPN) can keep your ISP from seeing what sites you are connecting to on-line, as can connecting through TOR. While your ISP will be able to tell that you connected to the TOR network (you can mitigate this by using bridges), they can't know what hidden services you're visiting, nor what content you are sending or receiving through the Tor network. Accessing the Internet through an anonymous proxy, using an HTTPS connection can also help mask your on-line activities.
Check that every site has HTTPS. Use HTTPS Everywhere. Use an email with TLS encryption. Better yet, use an email service that won’t keep track of your messages. Using an encrypted e-mail service such as Protonmail or Tutanota can help safeguard the content of your e-mail messages. Create inbound traffic by playing audio streams when you’re not at home, and create outbound traffic by sharing popular files through file-sharing services.
Controversial ‘Stalkerware’ Used by the Police and Military
Consumer spyware is popular not just with the general population, but also with members of the US government.
According to a February 23, 2018 article on Motherboard: "Dozens of employees from US federal law enforcement agencies and the armed forces have bought smartphone malware that can, in some cases, intercept Facebook messages, track GPS locations, and remotely activate a device’s microphone, according to a large cache of data stolen by a hacker and obtained by Motherboard."
The spyware company in question is Mobistealth, which sells its products to monitor children and employees, but has also marketed malware to spy on spouses suspected of having an affair. Some label the malware as spouseware or stalkerware.
Contained in the Mobistealth data are customer accounts linked to email addresses from the FBI, DHS, TSA, ICE, and several different branches of the military. It’s not clear whether the individuals paid for the malware themselves or through their respective organizations.
But at least 40 of the Mobistealth accounts were connected to the US Army.
--
This isn't the first time there have been reports of the government using spyware. In 2015, RT News reported that "Internal documents of the Italian malware maker Hacking Team, leaked online in a hacker attack, show that the FBI, Drug Enforcement Agency and the US Army all made use of its controversial spyware known as Remote Control System, or Galileo."
A 2017 article in the Huffington Post reported: "The US Army has admitted to eavesdropping on a confidential listserv of defendants and their legal counsel, taking sensitive information from the listserv vital to a pending criminal trial and passing it on... to local prosecutors, forcing a mistrial in a case the defense was winning handily. The case was later dismissed for prosecutorial misconduct. Even after US Army employees were reprimanded for this illegal activity, in a 2014 deposition the Army admitted that it "continued to anonymously spy on email listservs of political activists."
And just this month we saw reports of Social Media Surveillance of U.S. Persons by the Police and Military.
Whether the police and military are acting within the law, and within the scope of their duties, when conducting these types of activities, is a question that can't be answered in a blog post. It is certainly possible to find government employees knowing violating law and regulation - keeping hidden files on government computer networks, ordering secret psychiatric evaluations, filing false police reports as part of harassment campaigns (In the words of the government agencies involved, they aimed to neutralize [those individuals they targeted] through a pattern of false arrests and detentions, and attacks on homes and friendships...) (Boghosian, 2013).
There can however be no question that this type of activity breeds fear and mistrust of the government. According to a 2015 Gallup Poll, 75% of Americans see widespread corruption in their government (Gallup, 2015). It is not just a belief that the government is corrupt, but an actual fear of this corruption by the majority of Americans that raises the greatest concern. According to the Chapman University Survey of American Fears: "Of the 89 potential fears the survey asked about, the one that the highest share of Americans said they were either "afraid" or "very afraid" of was federal government corruption. It was also the only fear that a majority of Americans said they shared." (Rampell, 2015) Within the top fears of Americans, after fear of corruption of government officials, the Chapman University Survey found that Americans also feared, cyber-terrorism, corporate tracking of personal information, government tracking of personal information, and identity theft (Zolfagharifard, 2015). The Pew Research Center conducted a study of public trust in government between 1958 and 2014 and found that Americans’ trust of their government was at an all-time low in 2014 (Pew Research Center, 2014).
And, now in 2018 let us ask ourselves... has our trust of government improved?
Monday, February 26, 2018
Equifax Data Breach - Even Worse
Equifax hack put more info at risk than consumers knew.
According to a February 2018 article in the Washington Post: The Equifax data breach exposed more of consumers’ personal information than the company first disclosed last year, according to documents given to lawmakers.
The credit reporting company announced in September that the personal information of 145.5 million consumers had been compromised in a data breach. It originally said that the information accessed included names, Social Security numbers, birth dates, addresses and - in some cases - driver’s license numbers and credit card numbers.
However, Atlanta-based Equifax Inc. recently disclosed in a document submitted to the Senate Banking Committee, that a forensic investigation found criminals accessed other information from company records... that included tax identification numbers, email addresses and phone numbers. Finer details, such as the expiration dates for credit cards or issuing states for driver’s licenses, were also included in the list.
Equifax’s disclosure, which it has not made directly to consumers, underscores the depth of detail the company keeps on individuals that it may have put at risk.
---
To help protect yourself, you may want to consider adding a Freeze to your credit reports.
List of Consumer Reporting Companies
You may know that your credit record affects your ability to get an affordable loan, a job, an apartment, or many other essentials of daily life. But, do you know where and how to actually request your credit report and what you can do once you order your consumer reports?
The list of consumer reporting companies, updated for 2018, provides information about consumer reporting companies that collect information and provide reports to other companies about you. Companies then use these reports to inform decisions about providing you with credit, employment, residential rental housing, insurance, and in other decision making situations.
The list includes the three nationwide consumer reporting companies and several other reporting companies that focus on certain market areas and consumer segments. The list gives you tips so you can determine which of these companies may be important to you. It also makes it easier for you to take advantage of your legal rights to obtain the information in your consumer reports, and dispute suspected report inaccuracies with companies as needed.
Download a copy of the List of Consumer Reporting Companies. (Alternate Link).
Where possible I recommend adding a Freeze to your record with any consumer reporting agency.
Sunday, February 25, 2018
WSU Data Breach - Class Action Lawsuit
Lawsuit claims WSU was negligent with data
Washington State University faces a class-action lawsuit over allegations that its negligence led to a burglary that put the names, Social Security numbers, health records and other personal data of nearly 1.2 million people at risk.
Earlier this year WSU had a backup hard drive containing confidential information, including Social Security numbers, from more than 1 million people. The hard drive was stored in a $126-a-month, 8-by-10 self-storage locker in Olympia, inside a $159, 86-pound safe that you can buy at Home Depot.
This burglary and data breach occurred in April 2017. The alleged negligence of WSU in failing to secure the personal data of 1.2 million people is the foundation of the class-action suit.
Credit Freeze for Privacy and Security
If you’re concerned about identity theft, those reported mega-data breaches, or someone gaining access to your credit report without your permission, you might consider placing a credit freeze on your report. When you place a credit freeze with each of the credit reporting agencies (Equifax, Experian, Innovis, and Transunion), access to your credit file is restricted / "frozen" until you re-contact each of the credit reporting agencies and lift the freeze.
A credit freeze will prevent potential lenders from accessing your credit report, thereby stopping a thief from opening an account or getting credit in your name - even if they have your personal information. Most creditors will not open an account and establish credit for anyone until they check your credit history, and a credit freeze prevents this from happening.
To place a credit freeze on your accounts, you will need to contact each of the credit reporting agencies, request the freeze, and pay a small fee – around $10.00. Once the credit freeze is established each credit reporting agency provides you with a security code / PIN that you will need to lift the credit freeze (don’t lose these numbers).
I recommend having a credit freeze in place with each of the credit reporting agencies, but there are some potential issues of which you should be aware. Running your credit isn’t just about borrowing money. If you try to rent an apartment, establish an account with a utility company, or set up service with a new cellular telephone provider they may run a credit check. Employers conducting a background check on a new hire may also run a credit check. With a credit freeze in place these checks won’t go through. A credit freeze can delay you when you are legitimately trying to do something that requires the check to be completed. A credit check doesn’t just keep the bad guys from accessing your credit report - it stops all new inquires. Note here that a credit freeze won’t stop hackers from taking control of your current accounts - only from opening new ones.
If you are in the process of renting an apartment, buying a new car, or anything else that is going to require a credit check, then you should wait until that is done before establishing a credit freeze. On the other hand, if you don’t plan on applying for credit anytime soon, then definitely get that credit freeze in place and lock down your accounts.
A credit freeze does not affect your current credit score, and if you decide to apply for credit sometime in the future you can always lift your credit freeze with the credit reporting agency where the check is being run. Remember to put it back in place when the credit check is complete.
The Federal Trade Commission (FTC) provides more information about credit freezes on its consumer web-site.
Consumer Reports has an article "Security Freeze vs. Fraud Alert: Deciding the Best Option" that will give you more information. The article states: "A security freeze placed on your credit file will block most lenders from seeing your credit history. That makes a freeze the single most effective way to protect against fraud."