Saturday, April 14, 2018

Complete Privacy & Security Podcast


The Complete Privacy & Security Podcast, Episode 075: A Conversation with the EFF (an interview with Gennie Gebhart)
Every week I listen to the Complete Privacy & Security Podcast. I am a supporter of the EFF, and a fan of the writings of Ms. Gennie Gebhart. This week's podcast and interview with Ms. Gebhart brought it all together, and is definitely worth listening to. 


Comply Socially - Social Media Training


Social Media Training is an open education initiative with social media policy training, social media education and social media classes.

You can watch all the social media training courses on this site at no charge. Each lecture is approximately 38 minutes long.
  • Social Media Compliance Training
  • Social Media Disclosure Training
  • Social Media Ethics Training
  • Social Media Privacy Training
  • Social Media and Intellectual Property
  • Social Media Security Training
  • Social Media Mobile Security Training
  • Social Media and Privacy for Employers
  • Social Media Management
  • Social Media Monitoring
  • SEO Training
  • Facebook Training
  • Twitter Training
  • Linkedin Training

United Nations Department of Safety & Security Courses


The United Nations Department of Safety & Security (UNDSS) offers free, on-line training in four course areas:
  • Basic Security in the Field II
  • Advanced Security in the Field
  • Preparing and Responding to Active Shooter Incidents
  • Information Security Awareness Training

Registering for the courses requires only that you provide your Name, Nationality, and E-mail Address.

While I have completed all of the UNDSS courses, I found the 'Information Security Awareness Training' to be of the greatest overall value. For someone deploying to an unstable area of the world, the Field Security courses might take precedence.

The Field Security courses are available in:
  •  Arabic
  •  Chinese
  •  English
  •  French
  •  Russian
  •  Spanish

If you are looking for a new security awareness training opportunity, the UNDSS courses are definitely worth considering.

A UNDSS certificate of achievement is provided upon completion of the course and passing the final quiz.

Center for Development of Security Excellence (CDSE)


The Center for Development of Security Excellence (CDSE) produces training shorts, usually ten minutes or less, that allow security professionals to refresh their knowledge of a critical topic quickly. (Please note, you will not receive a certificate of completion for watching a short.)

The CDSE Security Awareness Hub provides on-line courses in Counterintelligence, Cyber-security, Information Security, Insider Threat, and Operations Security. A certificate is provided after each course is completed; however, CDSE does not maintain a record of your completion, so keep a copy of the certificate yourself.

Both CDSE Shorts and the CDSE Security Awareness Hub courses are available to the public.

CDSE also offers instructor-led, eLearning, and virtual instructor-led training courses for DoD personnel and contractors with security responsibilities. You must have a STEPP account to take these courses.

Advanced and Graduate Courses are semester-long education courses designed specifically to develop leaders for the DoD security community; they are similar in scope to graduate-level courses. Courses are delivered using an online collaborative learning environment and are available to U.S. Government civilian personnel and U.S. military service members worldwide.


Friday, April 13, 2018

Harvard Business Review Highlights Dangers of Data Monopolies



A March 27, 2018 article in Harvard Business Review, "All the Reasons It’s a Bad Idea to Let a Few Tech Companies Monopolize Our Data", listed eight threats from data monopolization. Among them were:

Surveillance and security risks.

In a monopolized market, personal data is concentrated in a few firms. Consumers have limited outside options that offer better privacy protection. This raises additional risks, including:
   
Government capture. The fewer the number of firms controlling the personal data, the greater the potential risk that a government will "capture" the firm. Companies need things from government; governments often want access to data. When there are only a few firms, this can increase the likelihood of companies secretly cooperating with the government to provide access to data. China, for example, relies on its data-opolies to better monitor its population.
   
Covert surveillance. Even if the government cannot capture a data-opoly, its rich data-trove increases a government’s incentive to circumvent the data-opoly’s privacy protections to tap into the personal data. Even if the government can’t strike a deal to access the data directly, it may be able to do so covertly.
   
Implications of a data policy violation/security breach. Data-opolies have greater incentives to prevent a breach than do typical firms. But with more personal data concentrated in fewer companies, hackers, marketers, political consultants, among others, have even greater incentives to find ways to circumvent or breach the dominant firm’s security measures. The concentration of data means that if one of them is breached, the harm done could be orders of magnitude greater than with a normal company. While consumers may be outraged, a dominant firm has less reason to worry of consumers’ switching to rivals.

Political concerns.

Economic power often translates into political power. Unlike earlier monopolies, data-opolies, given how they interact with individuals, possess a more powerful tool: namely, the ability to affect the public debate and our perception of right and wrong.

Many people now receive their news from social media platforms. But the news isn’t just passively transmitted. Data-opolies can affect how we feel and think. Facebook, for example, in an "emotional contagion" study, manipulated 689,003 users’ emotions by altering their news feed. Other risks of this sort include:
   
Bias. In filtering the information we receive based on our preferences, data-opolies can reduce the viewpoints we receive, thereby leading to “echo chambers” and “filter bubbles.”
   
Censorship. Data-opolies, through their platform, can control or block content that users receive, and enforce governmental censorship of political or religious information.
   
Manipulation. Data-opolies can promote stories that further their particular business or political interests, instead of their relevance or quality.

--

Making it Safer: A Study of LE Fatalities 2010-2016



The National Law Enforcement Officers Memorial Fund, in partnership with the United States Department of Justice's Office of Community Oriented Policing Services (COPS), has released Making it Safer: An Analysis of U.S. Law Enforcement Fatalities Between 2010-2016, a report that contains data-driven analysis of line-of-duty deaths across an array of circumstances. The primary purpose of this report is to provide an in-depth analysis of the types of calls for police service that resulted in a law enforcement fatality, identify any emerging patterns or trends, and offer recommendations that will help reduce future fatalities.

If you are a police officer, you should read this report.  Stay Safe!

Can We Trust Tech Companies?


According to a Reuters/Ipsos poll released in March 2018, fewer Americans trust Facebook than other tech companies when it comes to obeying laws protecting personal information.

The poll found that only 41 percent of Americans trust Facebook to obey U.S. privacy laws, considerably less than other major tech companies that gather user data. By comparison, 66 percent said they trust Amazon, 62 percent trust Google and 60 percent feel they can rely on Microsoft to keep their data safe. Apple and Yahoo! also had higher levels of trust at 53 and 48 percent respectively. (Forbes, March 27, 2018)

If you are not paying for the product, then you are the product. Tech companies - like all companies - are in business to make money. If you are using a free product or service, the company earns nothing directly from your use of it. To stay in business, turn a profit, and grow, a company can either sell advertising - presenting those (often targeted) ads to users of its products and services - or sell information about its users to others for research and marketing purposes. Either way, the data collected about you is the asset being monetized.

Called before Congress this week, Mark Zuckerberg tried to present Facebook’s approach to user data as open and transparent. In question after question, he focused on the privacy choices available to users, and their ownership over all the data they share - and it wasn’t all wrong. Facebook has data because users share it (mostly). Users control that data and can review it or delete it whenever they want (with a few exceptions). And if you delete your account, (almost) all of that data will disappear from Facebook’s servers within 90 days. None of it’s false, but as the parentheses should tell you, it is incomplete - and by the second day of hearings, members of Congress were starting to catch on.

Facebook keeps non-user data attached to what reporter Kashmir Hill has called a "shadow profile" - a reliable bank of information held in reserve so that, if you ever do sign up for Facebook, the company will know exactly who to recommend as friends. Facebook’s collection of data on non-Facebook users opens up a world of questions about what data is and isn’t covered by Zuckerberg’s vision of user consent and control.


Russian Court Rules to Block Telegram 'Immediately'


A Russian court on Friday ordered that access to the Telegram messenger service should be blocked in Russia, Russian news agencies reported, heralding communication disruption for scores of users - including government officials.

The decision came a week after Russia’s state communications watchdog filed a lawsuit to limit access to the Telegram messaging app following the company’s refusal to give Russian state security services access to its users' messages.

With more than 200 million users worldwide, the mobile messaging app allows users to communicate via encrypted messages which cannot be read by third parties, including government authorities.

Pavel Durov, founder of Telegram, had repeatedly said his company would not hand over encryption keys to Russian authorities, as it does not share confidential user data with anyone.

In Russia, Telegram is increasingly popular as an app for mobile devices and desktops - not only among ordinary people, but also among the authorities themselves.

The Kremlin uses Telegram to coordinate timings of regular conference calls with Vladimir Putin’s spokesman, while many government officials use the messenger to communicate with media.

When Reuters asked a person in the Russian government how they would operate without access to Telegram, the person, who asked not to be identified due to the sensitivity of the issue, replied by sending a screenshot of his mobile phone with an open VPN app.

Users in Russia actively use virtual private networks, or VPNs, and other technologies, known as anonymisers, that allow people to get around restrictions that Russian authorities periodically impose on internet resources.

Telegram became the second global network after LinkedIn to be blocked in Russia. LinkedIn was blocked in 2016 when a court found the firm guilty of violating a law that requires companies holding Russian citizens’ data to store it on servers on Russian soil.

The ban on using Telegram in Russia comes at a time when the company is undertaking the world’s biggest initial coin offering - a private sale of tokens which could be traded as an alternative currency, similar to bitcoin or Ethereum. The company has so far raised $1.7 billion in pre-sales via the offering, according to media reports.


FBI Raids Against Attorney Michael Cohen Threaten Everyone's Rights


The Monday (April 9, 2018) FBI raids on the office, home and hotel room of President Donald Trump's attorney, Michael Cohen, were raids not just against Michael Cohen. They were raids against the U.S. Constitution and the rights of all Americans to be able to communicate with their lawyers without fear of government seizure of such attorney-client communications, which have until now been protected from government snooping.

With stunning speed and shocking impunity, the Fourth Amendment to the Constitution - part of the Bill of Rights that safeguards our basic freedoms as Americans - is now at risk. The Fourth Amendment is crystal clear in its protections of our rights. It states: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The well-established meaning of this constitutional right, built on more than two centuries of precedent and sober caution against politically inspired home or office raids, makes the raids against Cohen uniquely chilling.

The chilling effect of these raids on a long-established presumption of attorney-client privilege ricochets widely. If that privilege can be tossed by a zealous special counsel, whether or not politically motivated, it effectively no longer exists. The next prosecutor will be feared all the more; truthful dialogue between attorney and client will be impaired. The attorney-client privilege is derailed, since it only exists if all prosecutors honor it.  (Fox News)



Thursday, April 12, 2018

WSJ Comments Highlight Telegram


An April 1, 2018 article in the Wall Street Journal highlighted Telegram as a communications application that can help safeguard users from surveillance and monitoring by law enforcement and abusive governments.

Part of the article stated:

Telegram is an example of a service offering users complete security. Encrypted from end to end, domiciled in a country out of reach of subpoenas - and very easy to use - the app is among the top choices of people worried about snooping governments and malicious third parties. Telegram’s reputation has been a double-edged sword.

Telegram is popular in countries like Iran, where it was instrumental in helping the population organize the wave of antigovernment protests that swept across the country in early January.
Mr. Watts, who previously worked as an FBI special agent on a counterterrorism task force, said law-enforcement agencies need to invest a lot more in human intelligence and undercover investigators to penetrate secure online spaces.

Some U.S. firms are already adapting to fears of new regulation and offering even greater security than Telegram. Signal, in San Francisco, is emerging as one of the more successful examples. It says it deletes all user information once it is no longer necessary for communication, making it impossible to comply with demands for users’ personal data.

That would make Signal more secure than, for example, WhatsApp, the popular encrypted messaging service, which Facebook bought in 2014 and that stores information such as with whom users are communicating and when.

"When we receive a subpoena for user data," Signal founder Moxie Marlinspike posted on the company’s website, we "have nothing to send back but a blank sheet of paper."

Observers warn the #deletefacebook movement will drive more users to these secure systems.
Telegram’s founder, the Russian entrepreneur Pavel Durov, said the firm recorded 200 million active users in March, a 70% increase on the year. "We don’t do deals with marketers, data miners or government agencies," he wrote in the post on Wednesday. "For us Telegram is an Idea: it is the idea that everyone on this planet has a right to be free."

Mr. Durov has relocated the company several times since leaving Russia, where it faces a court order to turn over encryption keys to the intelligence services. It is now based in the United Arab Emirates.

Telegram’s terms are simple: No calls to violence, porn or copyright infringement on public channels. The app can’t take action on private channels because all private content is encrypted and largely inaccessible even to the company.

--

Daesh terrorists were reported to have used Telegram to communicate and plan attacks, which resulted in some bad press for the company. However, just because someone uses a tool to commit a crime does not mean that there is anything wrong with the tool itself.

Some evaluations of Telegram have also questioned its home-grown MTProto encryption protocol, and a 2017 report in the Verge claimed that the app's encryption had been cracked by the Russian FSB. Bear in mind, too, that only Telegram's "secret chats" are end-to-end encrypted; ordinary one-to-one chats, groups and channels are encrypted only between your device and Telegram's servers, so the company, and anyone who compromises or compels it, can read them.

That being said, I do like and use Telegram. It is a good platform for communicating and sharing data, and Telegram's strong privacy stance and its willingness to stand up to attempted government intrusions make it a favorite.




The Complete Cyber-Security Course (Nathan House)

 
Nathan House is a UK cyber-security expert who teaches The Complete Cyber-Security Course on-line. The course consists of four volumes, each with 10+ hours of video.

Mr. House makes these courses available on Udemy, where you can often find them offered for less than $20 each. Additionally, Station X, Mr. House's own web-site, frequently offers a package of the four volumes for around $65.


I have completed all four volumes of The Complete Cyber-Security Course, and I recommend these courses to anyone interested in developing a foundation in cyber-security and being safer on-line.

The video courses are very well presented, easy to follow, and provide information that you can actually use to be safer - more than just theory, these courses provide practical and workable advice.


The Wolf (Security Awareness Video)


The Wolf: The Hunt Continues is a 7-minute security awareness video / advertisement from Hewlett Packard (HP), with the tagline "Nothing Is Safe."

And to those of you in the hallowed seats of power and government, know this... You're Next!


Cloud Storage


Part of protecting your data means ensuring that it is available when you need it. Having a secure back-up of your important files is essential.

There are a large number of cloud storage providers, offering different services, storage volumes, and prices depending on your specific needs. For individual / personal use a few gigabytes of cloud storage space is usually enough to store your sensitive files and protect them from loss, and several providers offer those few gigabytes of storage space for free.



Regardless of which cloud storage provider you choose, to ensure the security of your data it is absolutely essential that you encrypt your data BEFORE you upload it to the cloud, with a key or passphrase that only you hold. Encryption the provider performs on its own servers protects you from a stranger who steals its disks, not from the provider, its staff, or anyone who compromises or compels it.

There are various ways to encrypt your data prior to uploading it. I like to create a VeraCrypt container holding the data I want to save, and then upload that encrypted container to the cloud. This works especially well with Dropbox because Dropbox synchronizes only the changed blocks of large files, while Google Drive and Microsoft OneDrive re-upload entire files (as far as I can tell). This means that, if you have a 2 GB VeraCrypt container and change a small file in it, Dropbox will upload only a small portion of the VeraCrypt file, while Google Drive and Microsoft OneDrive will re-upload the entire 2 GB file. Note that VeraCrypt by default preserves the modification timestamp of a container when you write to it, so a sync client that relies on timestamps may not notice the change; disable "Preserve modification timestamp of file containers" in VeraCrypt's preferences, and always dismount the container before letting it sync. You can also create compressed and encrypted archives using programs like 7-Zip (choose AES-256 and "Encrypt file names", otherwise the names of the files inside the archive remain readable) or Encryption Wizard, and then upload the archive to the cloud.

This being said, it is often better to upload several smaller encrypted files to the cloud rather than one large one: a change to one of them costs one small re-upload, and a corrupted download costs you one file rather than the whole archive.
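As an added example (not code from this post, and not code from VeraCrypt, Dropbox, 7-Zip or any other product named here), the following Python script does in software what the container approach above does by hand: it splits a file into fixed-size chunks, encrypts each chunk independently with AES-256-GCM under a key derived from a passphrase with scrypt, and binds each chunk's index and the total chunk count into the authenticated data, so a reordered, truncated or tampered set of chunks is rejected rather than silently decrypted. Editing one chunk re-encrypts only that chunk, which is the "several smaller files" advice made concrete. It assumes the third-party cryptography package is installed; the 4 MiB chunk size, the file layout and the sample data are assumptions for illustration.

```python
"""Encrypt before you upload: chunked, authenticated client-side encryption.

Added example for this post; not code from the page or from VeraCrypt, Dropbox
or any other product it names. Needs the third-party `cryptography` package.
"""
import os
import struct
from typing import List, Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB per chunk (assumed; tune to the sync client)
NONCE_LEN = 12                # standard GCM nonce length
SALT_LEN = 16


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Memory-hard KDF, so an offline guess at the passphrase is expensive."""
    return Scrypt(salt=salt, length=32, n=2 ** 14, r=8, p=1).derive(passphrase)


def _aad(index: int, total: int) -> bytes:
    """Associated data binding a chunk to its position and to the chunk count."""
    return struct.pack(">II", index, total)


def _seal(aead: AESGCM, index: int, total: int, chunk: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce for every encryption
    return nonce + aead.encrypt(nonce, chunk, _aad(index, total))


def _parse_header(header: bytes) -> Tuple[bytes, int]:
    return header[:SALT_LEN], struct.unpack(">I", header[SALT_LEN:])[0]


def encrypt_file(plaintext: bytes, passphrase: bytes,
                 chunk_size: int = CHUNK_SIZE) -> Tuple[bytes, List[bytes]]:
    """Return (header, blobs): header = salt || chunk count, blobs[i] = nonce ||
    ciphertext || tag. Upload all of them; only the passphrase stays with you."""
    chunks = [plaintext[i:i + chunk_size]
              for i in range(0, len(plaintext), chunk_size)] or [b""]
    salt = os.urandom(SALT_LEN)
    aead = AESGCM(derive_key(passphrase, salt))
    total = len(chunks)
    blobs = [_seal(aead, i, total, c) for i, c in enumerate(chunks)]
    return salt + struct.pack(">I", total), blobs


def update_chunk(header: bytes, blobs: List[bytes], index: int,
                 new_chunk: bytes, passphrase: bytes) -> List[bytes]:
    """Re-seal one chunk after an in-place edit; every other blob is untouched.
    Like a fixed-size VeraCrypt container this only fits edits that keep the
    chunk boundaries; if the file grows or shrinks, run encrypt_file() again."""
    salt, total = _parse_header(header)
    if not 0 <= index < total:
        raise IndexError("chunk index out of range")
    aead = AESGCM(derive_key(passphrase, salt))
    out = list(blobs)
    out[index] = _seal(aead, index, total, new_chunk)
    return out


def decrypt_file(header: bytes, blobs: List[bytes], passphrase: bytes) -> bytes:
    """Reassemble the plaintext, raising ValueError on any integrity failure."""
    salt, total = _parse_header(header)
    if len(blobs) != total:
        raise ValueError("chunk count mismatch: download truncated or padded")
    aead = AESGCM(derive_key(passphrase, salt))
    out = bytearray()
    for index, blob in enumerate(blobs):
        try:
            out += aead.decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], _aad(index, total))
        except InvalidTag:
            raise ValueError(f"chunk {index} failed authentication "
                             "(tampered, reordered or wrong passphrase)") from None
    return bytes(out)


def verify(header: bytes, blobs: List[bytes], passphrase: bytes) -> bool:
    """True only if every chunk authenticates under this passphrase."""
    try:
        decrypt_file(header, blobs, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 10 KiB in 4 KiB chunks (3 blobs); then edit chunk 1.
    pw = b"correct horse battery staple"
    hdr, blobs = encrypt_file(bytes(range(256)) * 40, pw, chunk_size=4096)
    edited = update_chunk(hdr, blobs, 1, b"\x00" * 4096, pw)
    print(len(blobs), "blobs uploaded;", sum(a != b for a, b in zip(blobs, edited)),
          "changed after the edit; intact:", verify(hdr, edited, pw))
```

Keep the header file beside the chunks and the passphrase nowhere near either. Because GCM nonces are random, re-sealing a chunk always produces a new ciphertext, so a sync client sees exactly one changed object per edited chunk, whereas re-running encrypt_file() on the whole file changes every object.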

Using programs like Boxcryptor, Encrypto, and Odrive you can automate the encryption of files you are uploading to your cloud storage site. Of these options, I like Boxcryptor, but both Encrypto and Odrive also seem to work well.

When choosing a method of encryption it is also important to consider its future availability. Any program that you maintain and run locally on your computer can be available to you at any time in the future simply by keeping a copy of the installer (and, of course, a safe record of the passphrase or key file; without those the encrypted backup is worthless to you, too). The same question applies to the cloud storage service itself - will the company still be in business and providing cloud storage in five years? Ten years?

So, yes make use of free (and paid) cloud storage to back-up and protect your data, but remember the first rule of cloud storage: Encrypt BEFORE You Upload to the Cloud!


The Surveillance Imposed on Us Today Far Exceeds That of the Soviet Union


In an article in the Guardian (April 3, 2018) Richard Stallman, the president of the Free Software Foundation, stated "The surveillance imposed on us today far exceeds that of the Soviet Union. For freedom and democracy’s sake, we need to eliminate most of it. There are so many ways to use data to hurt people that the only safe database is the one that was never collected."

The robust way to do that, the way that can’t be set aside at the whim of a government, is to require systems to be built so as not to collect data about a person. The basic principle is that a system must be designed not to collect certain data, if its basic function can be carried out without that data.

Mr. Stallman argues that systems should be designed not to collect personal data. If personal data is needed for a particular purpose, then that data must be deleted once the particular purpose is accomplished.

Data breaches would have little adverse effect on people if the data simply did not exist. Mr. Stallman titled his article "A radical proposal to keep your personal data safe", and perhaps it is... but I think it is something worth considering. Too often businesses and government agencies are asking for just a little information for their records, but is this information that they really need?

Wednesday, April 11, 2018

How Can I Tell If My Facebook Info Was Shared with Cambridge Analytica?


Visit this Facebook support page and log into your account. Look for the Was My Information Shared? section, and it will tell you whether you or any of your friends used the now-banned quiz app called "This Is Your Digital Life," which scraped friends' personal information and then passed it to Cambridge Analytica, a data consulting firm linked to the 2016 presidential campaign.

In addition, all 2.2 billion Facebook users will receive a notice titled "Protecting Your Information" with a link to see what apps they use and what information they have shared with those apps. If they want, they can shut off apps individually or turn off third-party access to their apps completely.


Fraud Alert: Scammers Calling About New Medicare Cards


The Centers for Medicare and Medicaid Services (CMS) will start mailing out new and improved Medicare cards in April 2018. With these new cards, the Medicare Claim Number is no longer based on the beneficiary's Social Security number. It will be a randomly-generated series of 11 letters and numbers.

The goal is to make seniors less vulnerable to identity theft. If someone steals this new Medicare number, it can't be used to access your bank account or steal your tax refund or Social Security benefits.

Unfortunately, the switch to the new cards has created a golden opportunity for scammers. Scammers are calling seniors trying to get payment or personal information, saying they’re necessary in order for you to get your new Medicare card.

Medicare will never call you uninvited and ask you to give personal or private information to get your new Medicare Number and card. There is no temporary card. There is no activation process or fee.

The CMS is sending the new cards by mail, so Medicare recipients are not required to take any action other than making sure the agency has the correct mailing address on file. The CMS began sending out new Medicare cards in April 2018 and is distributing them across the country over 12 months, state by state; a mailing schedule by state is published on the Medicare web-site.

Hackers Can Drain Your Bank Account by Hijacking Your Cellphone Service



A lot of us use "two-factor authentication" to add an extra layer of security to our important online accounts.

The concept behind two-factor authentication is simple: You need more than a user name and password to log onto an account. You need a one-time code that goes to a device that only you control. In many cases, that's a text or call to your mobile phone.

While I strongly recommend using two-factor authentication whenever possible, receiving the authentication code via text message or telephone call is the least secure method of receiving that code. Where possible, use an authentication app such as Google Authenticator or Authy, or a hardware token such as a YubiKey, in place of a text message or telephone call.

If the only method of two-factor authentication offered by a web-site or service is text message or a telephone call then use that service. Any form of two-factor authentication is better than none at all, but be sure to take additional steps to secure your cell-phone account against the port-out scam as well.

A hacker can hijack your phone number - they don't steal the phone - they switch the victim's number to a phone or phone account they control. This lets them receive the one-time verification codes sent to that number by text or phone call, and often lets them reset the passwords of accounts that use the number for account recovery.

Mobile phone hijacking is on the rise. NBC News warned about this "port-out scam" in June 2016. Most victims find out about this when they go to use their cellphone and it won't work.

If you haven't already done so, call your wireless carrier and set up a PIN or passcode on your account. The carrier should then refuse to make account changes or port your number to another carrier without that PIN. Bear in mind that the PIN is only as strong as the carrier's enforcement of it, so also watch for the warning sign described above: a phone that suddenly loses service.

Sprint requires customers to create a PIN when they open a new account.

AT&T: Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop down menu, click on "manage extra security."

T-Mobile: Call 611 from your cellphone or (800) 937-8997 to speak with customer service.

Verizon: Visit vzw.com/PIN or call (800) 922-0204.

What Do These Men Have In Common?


Steven Seagal, Jeff Monson, Cary-Hiroyuki Tagawa - what do all these men have in common? Well... they are all skilled martial artists, and they are all 'public figures', but there is something else they have in common as well.


They are all Americans who became Russian Citizens.

Russia's constitution permits Russian citizens to hold dual citizenship. However, Russia considers the holder of two passports exclusively a Russian citizen, except in cases provided for by international agreements, such as those Russia has with Tajikistan and Turkmenistan.

The United States does not formally recognize dual citizenship. However, it also has not taken any stand against it, either legally or politically. Typically, no American will forfeit his or her citizenship by undertaking the responsibilities of citizenship in another country.

Obtaining Russian citizenship is not particularly difficult, it's just a matter of time, paperwork, and dealing with the massive Russian bureaucracy.  To become a Russian citizen you must:
  • Speak the Russian language.
  • Have a legal source of income and pay taxes. (The Personal Income Tax Rate in Russia stands at 13 percent.)
  • Adopt lawful behavior (i.e. not violate Russian law).
  • Be a temporary / permanent resident of Russia for at least 5 years. (This can be less if you are married to a Russian citizen, or have significant investments in Russia.)

Dual citizens enjoy certain benefits, such as the ability to live and work freely in two countries, own property in both, and travel between the countries with relative ease.

A second citizenship can provide a safe haven in case of political instability, social unrest or economic turmoil in your country of origin. This can be particularly important for the protection of your loved ones. Dual citizenship can provide access to the world’s top-ranking facilities in education and healthcare, a fact that appeals to families, those in need of high quality medical care or simply people planning for retirement.

There are drawbacks, however, including the potential for double taxation, the long and expensive process for obtaining dual citizenship, and the fact that you become bound by the laws of two nations.


Tuesday, April 10, 2018

Murder in the United States Concentrated in Just a Few Areas

A study by the Crime Prevention Research Center (25 April 2017) found that murders in the United States are very concentrated: 54% of US counties in 2014 had zero murders, 2% of counties have 51% of the murders.

According to the report, "The United States can really be divided up into three types of places. Places where there are no murders, places where there are a few murders, and places where murders are very common.

In 2014, the most recent year that a county level breakdown is available, 54% of counties (with 11% of the population) have no murders.  69% of counties have no more than one murder, and about 20% of the population. These counties account for only 4% of all murders in the country.

The worst 1% of counties have 19% of the population and 37% of the murders. The worst 5% of counties contain 47% of the population and account for 68% of murders. Over half of murders occurred in only 2% of counties."

This study shows how murders in the United States are heavily concentrated in very small areas. Few appreciate how much of the US has no murders each year.  Murder isn’t a nationwide problem.  It’s a problem in a very small set of urban areas, and any solution must reduce those murders.

Configure a Proxy in Your Browser


When you access the Internet your IP Address is visible to every web-site that you access. I have previously discussed using web-proxies to hide your IP Address, but you can also configure a proxy in your browser.

To configure a proxy in Internet Explorer, use the following steps:

First obtain a list of usable proxies from a web-site like Free Proxy List or Hide My Name.

-- Start Internet Explorer and go to Tools (Keyboard shortcut: Alt+X). Then, click "Internet options."

-- When the Internet Properties window is opened, click on the Connections tab and press the "LAN settings" button at the bottom of the window.

-- Check the box that says "Use a proxy server for your LAN." Then, in the Address field, type the IP address. In the Port field, type the port that is used by the proxy server.

-- You might want to check the box that says "Bypass proxy server for local addresses" so that the proxy is not used when accessing websites and services on your own network, only when accessing the internet.

-- When done setting things up, click OK in the Local Area Network (LAN) Settings window and then in the Internet Properties window.


Now when you check the IP Address visible to external sites, you should see the IP Address you just entered into your LAN Settings. If you still see your own address, or a site that displays the request headers shows it in an X-Forwarded-For or Via header, the proxy is a "transparent" one that passes your real address along, and you should pick another.

With a proxy configured in your browser, you can still use a web-proxy to access web-sites. Using a chain of proxies helps to conceal your true IP Address from the web-sites that you visit. Remember, though, that a proxy hides your address, not your traffic: the operator of a free proxy can read and alter anything you send over plain HTTP through it, so stick to HTTPS sites and never log into anything sensitive through a proxy you do not control.


How the FBI uses FOIA to Track Down Whistleblowers


According to the Washington Post (April 9, 2018), the FBI uses the Freedom of Information Act to track down whistleblowers.

Late last month, the FBI arrested Terry James Albury, a longtime agent in its Minneapolis field office, for allegedly providing classified documents to the Intercept.

The classified documents in question, on their own, should concern anyone who cares about civil liberties. A set of policies and procedures, the documents outline how the FBI can access journalists’ phone records without search warrants or subpoenas approved by a judge. The documents also identify loopholes in FBI rules allowing undercover agents and informants to infiltrate and spy on members of churches, political organizations and universities - something, the Intercept said, that even the FBI acknowledged was a "risk to civil liberties." Additionally, they reveal the FBI was targeting surveillance based on race and religion.

The FBI used as evidence against Albury FOIA requests made by the Intercept. According to an affidavit for a warrant obtained by Minnesota Public Radio, "on or about March 29 and 30, 2016, a presumed U.S. Person representing an online media outlet … made two separate requests for copies of specific documents from the FBI pursuant to the Freedom of Information Act." The FBI is able to tell who accesses documents on its network. After the Intercept published the documents, the timing of the earlier FOIA request allowed the FBI to pinpoint Albury as a likely source. "Albury accessed the document on February 19, 2016, approximately one month and ten days prior to the FOIA request" and made images, the affidavit said.

Monday, April 9, 2018

Severe Bleeding & Death from Synthetic Cannabinoids (Fake Marijuana) Use



A total of 94 people -- 89 in Illinois, two in Indiana and one each in Maryland, Missouri and Wisconsin -- were seen in emergency departments with heavy bleeding between March 10 and April 5, according to the CDC outbreak alert.

Both of the fatalities occurred in Illinois. Interviews with 63 of the Illinois patients revealed that all had used synthetic cannabinoids.

Synthetic cannabinoids are mind-altering chemicals that are made in a lab and sold either sprayed on shredded plant material so it can be smoked like marijuana or as liquid that can be vaporized in e-cigarettes. "Fake weed" products are marketed in shiny packages with hundreds of brand names, including Spice, K2, Joker, Black Mamba, Kush and Kronic.

At least three product samples in the latest outbreak tested positive for brodifacoum -- rat poison -- and further laboratory tests confirmed this exposure in at least 18 of the Illinois patients.


Selling Girls | Sex Traffickers are Targeting American Children


King 5 News has a very informative (and somewhat disturbing) presentation on sex trafficking in the United States.

Right here, in the United States, there is a thriving underground economy based on selling children for sex.

This is how sex traffickers do business. It’s all about supply and demand.

First, they need someone to sell. Traffickers target young people in their own homes, by combing through social media profiles, looking to spark a conversation. The trafficker targets pre-teens and teens by finding something to bond over and earn their trust.

It could be the promise of a modeling career. The trafficker might buy them drugs or alcohol or provide protection from an already dangerous situation at home.

Traffickers gain psychological control and use violent threats to force victims to stay. Once the child is isolated from family and friends, the trafficker puts them up for sale. This is where the demand comes in.

So who are these buyers?

Court records show they’ve been teachers, pastors, cops and judges. They could be the guy next door. The trafficker gets the money. The buyer gets the sex. The child victim gets exploited and sold.
--

DHS offers a Human Trafficking Awareness course for those that would like additional information.

Don’t Give Away Details About Yourself


Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?”

The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.

Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”

I hope this is obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.

The Great Courses (Privacy, Surveillance, Free Speech, Big Data... and You)


In these days of Big Brother and Big Data it is essential that we understand our rights to privacy, free speech, and free thought. The following programs from The Great Courses will provide you with an understanding of the threats we face, and provide you with some ideas on how to address these issues. While these courses are not free, I believe that they are worth the investment in your education and perhaps in your right to privacy and freedom.


Privacy, Property, and Free Speech: Law and the Constitution


Dizzying new technologies are putting unprecedented stress on America’s core constitutional values, as protections for privacy, property, and free speech are shrinking due to the wonders of modern life - from the Internet to digital imaging to artificial intelligence. It’s not hard to envision a day when websites such as Facebook, Google Maps, and Yahoo! introduce a feature that allows real-time tracking of anyone you want, based on face-recognition software and ubiquitous live video feeds.

Does this scenario sound like an unconstitutional invasion of privacy? In fact, ubiquitous surveillance may be perfectly legal, according to Supreme Court rulings that give corporations broad leeway to gather information. The Court has even come close to saying that we surrender all privacy when we step out in public.

Although the courts have struggled to balance the interests of individuals, businesses, and law enforcement, the proliferation of intrusive new technologies puts many of our presumed freedoms in legal limbo. Today, it’s easy to think that we have far more privacy and other personal rights than we in fact do. Only by educating ourselves about the current state of the law and the risks posed by our own inventions can we develop an informed opinion about where to draw hard lines, how to promote changes in the system, and what we can do to protect ourselves.


The Surveillance State: Big Data, Freedom, and You


A police officer places a GPS device on a suspected drug dealer’s car to trace his whereabouts and build a case against him. A popular retail store uses predictive analytics to send pregnancy-related advertising to a teenager who has yet to tell her parents about her condition. A Kentucky man shoots down a neighbor’s drone that is flying over his private property.

The news is full of stories like these, in which new technologies lead to dilemmas that could not have been imagined just a few decades ago. The 21st century has seen remarkable technological advances, with many wonderful benefits. But with these advances come new questions about privacy, security, civil liberties, and more. Big Data is here, which means that government and private industries are collecting massive amounts of information about each of us - information that may be used in marketing, to help solve criminal investigations, and to promote the interests of national security. Pandora’s Box has been opened, but in many ways the government is behind the times, relying on legislation from the 1970s to inform its stance on regulating the collection and use of this information. Our society now faces a host of critical questions, including:
  • Where is the line between promoting national security and defending personal liberty?
  • What information may the government collect about you from your Internet service provider?
  • When it comes to search and seizure, is a cell phone any different from a diary?
  • How will we respond to future technologies such as quantum computers and artificial intelligence?


Thinking about Cyber-Security: From Cyber Crime to Cyber Warfare


Cyberspace is the 21st century's greatest engine of change. And it's everywhere. Telecommunications, commercial and financial systems, government operations, food production - virtually every aspect of global civilization now depends on interconnected cyber systems to operate; systems that have helped advance medicine, streamline everyday commerce, and so much more. Which makes keeping these systems safe from threat one of the most pressing problems we face.

Thinking about Cybersecurity is laid out in a clear, systematic fashion so that you never feel overwhelmed by a topic that can seem mindboggling. Professor Rosenzweig starts by giving you a solid foundation of how the Internet and cyberspace are built, why cyber systems work the way they do, and how technical experts and scientists have attempted to "map" them out.

From there, you'll take a comprehensive look at the different types of viruses and vulnerabilities infecting the cyber domain and interfering with both technology and the real aspects of life that technology supports. You'll explore an entire cyber arsenal of threats both large and small, including:
  • spiders, automated programs that crawl around the Internet and harvest personal data;
  • keystroke loggers, programs that actually capture the keystrokes entered on a computer's keyboard; and
  • advanced persistent threats, which intrude into computer systems for long periods of time and make computers vulnerable to continuous monitoring.
And those are only a few. Using case studies drawn straight from contemporary headlines, Professor Rosenzweig gives you a solid grasp of who in cyberspace is using these and other weapons - individual hackers, "hacktivists," crime syndicates, and, increasingly, large nations - and what their motivations are for doing so.

Social Media Privacy Courses On-Line


The following on-line courses will help you understand social media privacy, digital footprints, and cyber-security techniques that you can employ to protect yourself  in a digital world.

Social Media Monitoring and Privacy Law (38 minutes - Always Open)

Learn to monitor social networks without violating privacy rights in this course on lawful social media surveillance. Just because you CAN monitor conversations on social media doesn’t make it lawful. If you monitor social media, this course could save you hundreds of thousands of dollars in attorney’s fees and damages. Respect personal privacy rights when you monitor social media conversations and collect metadata. Learn your right to monitor the use of any computers, smartphones and networks you own or sponsor, what the Electronic Communications Privacy Act requires, how the Fair Credit Reporting Act impacts job applicant screening and how to override social media password protection laws and gain access to personal social media and email accounts.


Social Media Privacy Training (31 minutes - Always Open)
Just because you've shared it doesn't mean anyone can lawfully read it. Learn to protect your digital privacy rights. Social networks may be the fastest way to relay information, but the byproduct of all that sharing is information that can be used against you in a lawsuit or investigation. Learn how to protect your right to privacy, how to recognize and prevent an intrusion or invasion of privacy, what’s considered a reasonable expectation of privacy, how to determine who lawfully owns a social media account and what types of information others can prevent you from sharing online. Keep the trust of your customers, clients and coworkers. Protect your reputation and your brand by learning how privacy laws apply to online social networking.


Privacy, Reputation, and Identity in a Digital Age (Coursera) (April 23, 2018)

* A two hour course - 2 hours of engagement in one session *

Reputation has long been prized. In its traditional form, people who know something about you use this knowledge to form opinions. Their collective sense of who you are - your reputation - affects how people treat you: it shapes all of your social interactions. In today's world, additional knowledge about you resides in "big data" collected by individuals, organizations, companies, and governments. Increasingly, data about you are being processed by algorithms to draw conclusions: to form something like opinions.  This combination of data and algorithms creates a new digital reputation which increasingly shapes your life, from recommending purchases and suggesting friends to prompting actions based solely on your digital footprint. Who gathers, owns, and controls this data? Where do they get it, and how? How do they use it? Is it shared with people, processed by algorithms, used to construct your choices? What should we think about all of this? In this Teach-Out we will consider questions of privacy, reputation, and identity using a case study approach. Learners will hear from experts and engage in conversation using real-world scenarios across multiple topic areas.


Digital Footprint (Coursera) (Starts April 30, 2018 - 3 Week Course)

As we move around the online world we leave tracks and traces of our activity all the time: social media accounts, tagged images, professional presences, scraps of text, but also many artefacts we don't always realise we are leaving behind, or that others leave about us. 
In this course you will hear from a range of experts and you will have an opportunity to explore and reflect on your own online tracks and traces, to understand why your digital footprint is important. We will introduce you to some of the tools and approaches to effectively manage your online presence (or digital footprint).   The course will focus on the different dimensions of a digital footprint, including developing an effective online presence, managing your privacy, creating opportunities for networking, balancing and managing professional and personal presences (eprofessionalism). By the end of this course (MOOC) you should be equipped to ensure that your digital footprint works for you, whether you want to be more private online, or are looking to create a more effective and impactful presence. 


Introduction to Cyber Security (Starts May 7, 2018 - 8 Week Course)
Our lives depend on online services. Gain essential cyber security knowledge and skills, to help protect your digital life. This online course will help you understand online security and protect your digital life, whether at home or work. Guided by Cory Doctorow, you will learn how to recognize threats that could harm you online and take steps to reduce the chances that they happen to you. The course will frame your online safety in the context of the wider world, introducing concepts like malware, viruses, Trojans, network security, cryptography, identity theft and risk management. The course was supported by the UK Government’s National Cyber Security Programme, is GCHQ Certified Training and IISP accredited.



Avoid Last Minute Tax Scams


Although the deadline for filing taxes - April 17 this year - is looming, more than half of Americans have yet to file. For many taxpayers, this simply means that they will get their refund a little later than usual. But for scammers, it means something much more sinister: opportunity. In the days leading up to tax day, scammers shift into high gear to cheat Americans out of their tax refunds.

The good news is that knowing how to identify two common last-minute tax scams can protect you from getting fooled.

1. The phishing scam. This scam can affect both those who filed and those who have not yet done so. In this scam, a taxpayer receives an email, allegedly from their tax preparer, the IRS, or bank. The fraudulent email prompts them to give up personal information like bank account info, Social Security numbers, and passwords--which scammers can use to steal their victim’s identity, empty their bank account, or even file a fraudulent tax return in their name. To protect yourself from this scam, it is important to:

Remember that the IRS will never initiate communication with you via email. If you receive an unsolicited email from the IRS requesting additional information, delete it. It is a scam.

Never "confirm" sensitive information through an email. If you receive an email that requests that you verify or provide sensitive information, it’s probably a scam. If you receive one of these emails, don’t reply to it or click on any links. If you’re not sure, call the IRS yourself at (800) 829-1040.

2. The erroneous refund scam. If money you were not expecting suddenly appears in your account, or if you receive an unexpected check from the government, you may think it is your lucky day. Unfortunately, odds are you just stumbled on the erroneous refund scam. In this scam, a fraudster steals customer data (from a tax return preparer, for example), files a fraudulent return in the customer’s name, and then has the fraudulent return money routed to the customer’s bank account.

Once the money is in your possession, the scammer will go to great lengths to get his hands on this money, including impersonating the IRS or a collection agency. Posing as one of these, the scammer will threaten their second victim (the individual he sends the fraudulent tax refund to) with jail time and fines in an attempt to get them to hand over the refund the scammer stole from the other taxpayer. If you receive a refund check or deposit that you were not expecting:

Do not cash the check or spend the money that was deposited into your account. This money is from a fraudulently filed tax return and will need to be returned to the IRS. Follow the steps outlined by the IRS to return the misdirected refund.

Do not communicate with the fraudster. When the scammer contacts you, pretending to be a figure of authority requesting the refund back, do not fall victim to high-pressure tactics or threats. Instead, hang up and call the IRS to let them know about the error and that you would like to return the fraudulent refund. You can reach the IRS at (800) 829-1040.

Contact your financial institution. If you receive a deposit that is not meant for you, a scam artist likely has your sensitive account information. Your bank can take steps to protect your account, such as setting up additional account security features.  If your personal information has been compromised, you’ll need to take the steps outlined at IdentityTheft.gov to protect yourself.

Both the IRS phishing scam and the erroneous refund scam are just two common last-minute tax scams. Unfortunately, there are many other forms of tax-related scams out there. In order to protect yourself, it is always good to:

File as early as possible. The sooner you file, the less chance a scammer has to file a tax return in your name and steal your refund.

Avoid fly-by-night operators. Instead, choose a preparer that is trusted in your community, and that has a Preparer Tax Identification Number (PTIN), which is required by the IRS to file taxes professionally.

Never pay a tax penalty to your preparer or a collection agency. You should always pay the IRS directly to avoid falling victim to an unscrupulous preparer.

Spotting a tax scam is not always easy. If you fall victim to one, immediately report it to the IRS and file a complaint at Fraud.org via their secure online complaint form. We’ll share your complaint with our network of more than 200 law enforcement and consumer protection agency partners who can and do put fraudsters behind bars.


Sunday, April 8, 2018

Ten Things Everyone Should Know About Lockpicking & Security - Deviant Ollam


Ten Things Everyone Should Know About Lockpicking & Security
by: Deviant Ollam (Black Hat Europe, 2008)

1. Locks are not complicated mechanisms
2. Most locks are wildly easy to pick
3. Unpickable doesn't mean invulnerable
4. Minor changes make a big difference
5. Advanced features aren't a panacea
6. Adding electricity isn't magical
7. Safe locks vary as widely as door locks
8. Bump keying is a real problem, but one with real solutions
9. Large facilities have their own unique concerns
10. Security in the Real World (most physical security risks are not from elegant finesse tactics but rather from brute force attacks.)

Video: Deviant Ollam Ten Things You Should Know About Lockpicking (1 hour) 


Deviant Ollam is a security auditor and penetration testing consultant from The CORE Group. He is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox... and more.

Deviant Ollam is one of my favorite resources for security information on-line, and I highly recommend his articles and videos.



Survival Lilly - Austrian Survival Expert


Survival Lilly is an Austrian survival expert, with a YouTube channel with 643,000+ viewers. Now, my blog - Chesbro on Security - is not focused specifically on survival. I do however write about personal security, and part of security is preparedness. Having an every day carry (EDC) bag (tools to help you get home in an emergency), a survival kit for your home, and maybe even a survival cache (depending on where you live) are all important considerations for personal security.

Some Survival Lilly videos that might help you with your personal security planning include:

Urban Survival Pack - Get Home Bag (2017)

My URBAN Survival Kit (Get Home Bag) (2015)

Survival Kit For Your Home

Planting A Survival Cache - Bug Out Survival

Top 5 Urban Survival Skills

Survival Lilly has hundreds of YouTube videos, and I really enjoy most of them. Her ideas on urban survival and daily preparedness make a lot more sense than some of the end of the world / SHTF type videos that are out there, and her videos are really just fun to watch.

So, check out the Survival Lilly YouTube Channel, and take the time to develop your urban (and wilderness) survival skills.

Surgeon General Says More People Should Carry Naloxone, the Opioid Antidote



The U.S. Surgeon General, Dr. Jerome Adams, issued a public health advisory on April 5, 2018 urging more Americans to carry and learn to use the opioid overdose-reversing drug naloxone.

Naloxone, which is often referred to by the brand name Narcan, can be lifesaving for people overdosing on opioids. As the nation’s opioid crisis has increased in recent years, first responders, emergency medical technicians and police officers have used naloxone to help revive people who are suspected of overdosing.

Adams said Thursday that community members, family and friends of people using opioids, and individuals using the drugs themselves, can help too. "Knowing how to use naloxone and keeping it within reach can save a life."

The National Institute on Drug Abuse offers resources for where to find naloxone, including this naloxone finder, that allows people to enter their city or zip code and find overdose prevention programs that may offer the drug for free.


The Internet: Encryption & Public Keys Video


In this short YouTube video, Mia Epner, who works on security for a US national intelligence agency, explains how cryptography allows for the secure transfer of data online.  This educational video explains 256 bit encryption, public and private keys, SSL & TLS and HTTPS.


End-To-End Encrypted Messengers Pt.2


SMS (Text) Messages Are NOT Secure. The telephone numbers to and from which your SMS messages are sent and received, and the content of your messages themselves, are visible to anyone monitoring your phone. An example of a monitored SMS Text Message can be seen here:


Using end-to-end encryption will help to prevent this type of monitoring of your text messages.

Some end-to-end encrypted messengers are:

ChatSecure - https://chatsecure.org
CoverMe - http://www.coverme.ws/en/index.html
Cyphr - https://www.goldenfrog.com/cyphr
Dust (Cyber Dust) - https://www.usedust.com
Facebook Messenger (Secret Conversations) - https://www.messenger.com
Line (Letter Sealing) - https://line.me/en/
Signal - https://signal.org
SureSpot - https://www.surespot.me
Telegram (Secure Chats) - https://telegram.org
Threema - https://threema.ch/en
Viber - https://www.viber.com
Wire - https://wire.com/en/
WhatsApp - https://www.whatsapp.com
Wickr Me - https://www.wickr.com/personal/

Which of these end-to-end encrypted messengers should you use? They each have their own strengths and weaknesses, and depending on your specific needs and personal threat model one messenger may have advantages over the others. In many cases you will want to use more than one encrypted messenger. I have used all of the above messengers at one time or another, and while they all offer good protection for the content of my messages, I do have my personal favorite apps, just as you too will no doubt find an app or two that you prefer over others.

It is important to note that not all apps readily deploy end-to-end encryption by default. Some (like Facebook Messenger and Telegram) will require users to enable specific functions or set chats in certain modes before the messages are end-to-end encrypted.

If you have an iPhone and communicate with another iPhone user, then you have end-to-end encryption with FaceTime and iMessage. This encryption only works between Apple/iOS devices.

I discussed end-to-end encrypted messenger apps here in the blog back in October 2017. You can read more about secure communication in that post.