Saturday, April 28, 2018
What If We Ended the Injustice of Bail?
On any given night, more than 450,000 people in the United States are locked up in jail simply because they don't have enough money to pay bail. The sums in question are often around $500: easy for some to pay, impossible for others. This has real human consequences -- people lose jobs, homes and lives, and it drives racial disparities in the legal system.
This TED Talk makes some interesting points. What I found particularly interesting (and disturbing) was the claim that 90% of people who cannot afford to pay bail plead guilty, yet when the Bail Project paid bail and cases went to trial, 50% of those cases were dismissed, and less than 2% of those convicted at trial received a jail sentence.
Gmail Confidential Mode
In rolling out major updates to Gmail, Google announced Wednesday (April 25, 2018) that the popular email service will soon feature a new "confidential mode" that promises to give users more control over who sees the emails they send, and for how long.
When you write an email using confidential mode, you can select for how long the recipient will be able to read the email. Recipients will not be able to forward, copy and paste, download or print the content. You can't stop anybody from taking a picture of the screen of course, but what's maybe more important here is that if anybody ever hacked the recipient's account, that email with your confidential information will be long gone. For added security, you can also add a second-factor authentication here, where the recipient will have to receive an SMS message with a Google-generated passcode to read the email.
Some online privacy experts, such as Sydney Li, staff technologist at the Electronic Frontier Foundation, argue that calling the new feature "confidential mode" is misleading. For one, Gmail's servers will still contain a copy of the email, Li said. -- While I understand EFF's point here, I think that confidential mode will be a good tool for those of you who use Gmail as your primary personal e-mail account. (Although moving your e-mail to a service like Protonmail would provide more confidentiality and security for your personal communications.)
Confidential mode isn't quite here yet, but should begin to roll out in the coming weeks. If you use Gmail keep an eye out for this new feature in new Gmail. In your Gmail account, click the gear icon in the top right corner, you will see an option to "Try the new Gmail" up top. Once you are using new Gmail, watch for confidential mode icon to be added to your new message options, during the coming weeks.
Who Has More of Your Personal Data Than Facebook? Try Google !
An April 26, 2018 article in the Wall Street Journal asks: Who Has More of Your Personal Data Than Facebook? Try Google !
Recent controversy over Facebook Inc.’s hunger for personal data has surfaced the notion that the online advertising industry could be hazardous to our privacy and well-being. As justifiable as the focus on Facebook has been, though, it isn’t the full picture. If the concern is that companies might be collecting some personal data without our knowledge or explicit consent, Alphabet Inc.’s Google is a far bigger threat by many measures... Google's data-gathering empire is bigger and more pervasive than Facebook's - and while it hasn't been plagued by scandal, it can't evade scrutiny forever.
In 2016, Google changed its terms of service, allowing it to merge its massive trove of tracking and advertising data with the personally identifiable information from our Google accounts.
Google uses, among other things, our browsing and search history, apps we've installed, demographics like age and gender and, from its own analytics and other sources, where we've shopped in the real world. Google says it doesn't use information from "sensitive categories" such as race, religion, sexual orientation or health. Because it relies on cross-device tracking, it can spot logged-in users no matter which device they're on. Google fuels even more data harvesting through its dominant ad marketplaces. There are up to 4,000 data brokers in the U.S., and collectively they know everything about us we might otherwise prefer they didn't -- whether we're pregnant, divorced or trying to lose weight. Google works with some of these brokers directly but the company says it vets them to prevent targeting based on sensitive information. Google also is the biggest enabler of data harvesting, through the world's two billion active Android mobile devices.
Friday, April 27, 2018
DNA From Genealogy Sites Used By Police to Find Criminals in Your Family Tree
Have you or your family members submitted DNA to a genealogy site like Ancestry or 23andme? If so, your DNA may be included in police investigations without your knowledge, and without you ever being suspected of a crime.
According to an ABC News (April 27, 2018) report, genealogy / DNA websites were used to find the suspected 'Golden State Killer', Joseph James DeAngelo.
Authorities used genealogical websites to track down the suspected serial killer known as the "Golden States Killer," sources told ABC News, describing it as a long, painstaking process.
The "Golden State Killer" is believed to have committed 12 murders, at least 50 rapes and multiple home burglaries in the 1970s and 1980s.
Investigators used DNA from one of the crime scenes and compared it to what’s available on genealogy websites to find a family tree for the suspect, sources said.
Officials then worked their way down that family tree until they found Joseph James DeAngelo, a 72-year-old former police officer.
Police placed DeAngelo under surveillance and later obtained his DNA from an item officers collected. It was confirmed as a match.
Privacy advocates are concerned that these companies leave the door open to sharing a customer’s genetic information with law enforcement. They say that doing so represents Orwellian state overreach and worry that customers may not realize what they’re agreeing to — or, even worse, that the imperfect technology involved puts innocent people at risk.
Bicka Barlow, a San Francisco-based defense attorney who specializes in DNA cases, says the public should think long and hard before completing an at-home DNA testing kit.
Barlow argues that DNA evidence "is not fool proof" and that new technology is actually increasing the chance of misidentifying people with DNA.
"When you did DNA testing back in the good old days you would get a single profile of one individual and that makes it quite easy to do a comparison," Barlow told ABC7 News. "But nowadays, the tests are so sensitive that crime labs come up with mixtures, meaning multiple people in a sample, somewhere around 70 to 80 percent of the time."
Lawful Duration of a Traffic Stop
Two recent cases have ruled on the lawful duration of a traffic stop:
United States v. Bowman: Duration of a traffic stop. (4th Circuit)
It was undisputed that the initial traffic stop was complete when the officer issued Bowman a warning citation, returned his documents, and shook his hand. It was also undisputed that Bowman consented to the officer’s request to answer additional questions, which the officer did for approximately 40 seconds. However, the court concluded that this brief consensual encounter became a Fourth Amendment seizure when the officer told Bowman to "hang tight". As a result, the court held that the officer unreasonably prolonged the duration of the traffic stop; therefore, the district court should have suppressed the evidence recovered from [the] vehicle.
United States v. Rodriguez-Escalera: Duration of a traffic stop. (7th Circuit)
While the court recognized that an officer does not need to rule out a suspect’s explanation for conduct that appears to be suspicious at first, a court may consider how facts later obtained confirm or dispel that initial suspicion. The court added that no criminal history, tips, or surveillance supported the trooper’s suspicions. Based on these facts, the court concluded that the trooper did not establish reasonable suspicion of criminal activity during the stop. Consequently, the court held that it was unreasonable to detain [the vehicle] beyond the time needed to complete the original purpose of the traffic stop because the only on-duty K-9 was busy with another stop.
In a previous case, Rodriguez v. United States, 135 S. Ct. 1609 (2015), the U.S. Supreme Court stressed that a seizure justified only by a police-observed traffic violation becomes unlawful if it is prolonged beyond the time reasonably required to complete the mission of issuing a ticket for the violation. The stop may not exceed the time needed to handle the matter for which the stop was made. In Rodriguez, the issue was raised in the context of whether the police unnecessarily extended the traffic-violation stop to conduct a dog sniff of the exterior of the vehicle for drugs.
Lower courts applying Rodriguez have had the difficult task of determining whether a vehicle stop for a traffic violation was unnecessarily and unlawfully prolonged by police so that they could pursue unrelated suspicions, usually related to illegal drugs. While the courts often observe that there is no rigid time limit for determining when a detention has lasted longer than necessary to effectuate the purposes of the stop, they nevertheless often look to the total time of the stop and the length of what is deemed the unnecessary delay in determining whether the police conduct was lawful. In State v. Linze, No. 42321, 2016 WL 90669 (Idaho Ct. App. Jan. 8, 2016), the court held that where the police extended a routine traffic stop (that lasted 19 minutes) by only approximately another two and a half minutes to conduct a dog sniff (or canine sweep) of the vehicle, such delay was unlawful and violated the driver's Fourth Amendment rights.
"A police stop exceeding the time needed to handle the matter for which the stop was made violates the Constitution’s shield against unreasonable seizures," Justice Ruth Bader Ginsburg wrote for the majority. The vote was 6 to 3.
--
Although written for Washington State, the publication "Traffic Stops in Washington: A Judge's Bench Book" provides guidance for citizens in every state wishing to understand traffic stops and what courts (WA Courts) consider when hearing cases arising from a traffic stop.
The Seattle Police Department Manual - Section 6.220 - Voluntary Contacts, Terry Stops & Detentions is also informative, and included some things that I found surprising, such as:
- Officers Cannot Require Subjects to Identify Themselves or Answer Questions on a Terry Stop.
- Under [WA] State Law, Traffic Violations May Not Be Used as a Pretext to Investigate Unrelated Crimes for Which the Officer Lacks Reasonable Suspicion.
Just Paste It
Just Paste It is a free blogging platform, similar to Telegraph, but offering a premium service with more features.
Using the Just Paste It free service you can post notes (articles) up to 10MB each. Once you post a note on Just Paste It you are provided with a link to that note which you can share with others.
Additional features of Just Paste It include the ability to upload pictures, movies, and audio files along with your note. By using the "Upload images" module you can easily add new images to your notes, or you can paste the images directly from the clipboard into the editor. You can also embed videos using the [video] tag, e.g., [video]https://www.youtube.com/watch?v=tmXmTGyIXgc[/video].
Just Paste It offers additional premium services, such as 50MB notes and password protection, for just $5 per year.
Just Paste It uses a "Captcha" challenge when you post a note. The Captcha caused some problems when connecting over TOR, but worked without issue when connecting through a VPN.
Just Paste It is a quick and easy way to share information. The site is owned by Wise Web Mariusz Żurawek, a company in Warsaw, Poland, but the site is registered through Cloud Flare, a US company.
China Assigns Every Citizen A ‘Score’ To Identify Who Is And Isn’t Trustworthy
CBS New York (April 24, 2018) reported that China Assigns Every Citizen A ‘Social Credit Score’ To Identify Who Is And Isn’t Trustworthy.
China Determines Your Standing Through Use Of Surveillance Video, Plans To Have 600 Million Cameras By 2020. China is rolling out a high-tech plan to give all of its 1.4 billion citizens a personal score, based on how they behave. Every Chinese citizen is being assigned a social credit score - a fluctuating rating based on a range of behaviors. It’s believed that community service and buying Chinese-made products can raise your score. Fraud, tax evasion and smoking in non-smoking areas can drop it. China’s growing network of surveillance cameras makes all of this possible.
How far into people’s daily mundane activities does this go? No doubt, the government and the people running the plan would like it to go as deeply as possible to determine how to allocate benefits and also how to impact and shape their behavior. How the new scoring system truly works is kept secret and could be easily abused by the government. The fear, of course, it that the government may use this social credit scoring system to punish people that it deems not sufficiently loyal to the communist party. And trying to clear your name or fight your score is nearly impossible, because there’s no due process.
--
China provides an extreme example of where many other governments and government agencies would like to go. The ability to totally monitor citizens' activities, and to take adverse action as the result of on-going investigations, or even bogus allegations and false reports made by government employees, is a serious problem.
Thursday, April 26, 2018
Colonel in Re-Enlistment Puppet Video: 'Given a Death Sentence'
Speaking to Military.Com (April 25, 2018), Now retired at the rank of lieutenant colonel as a result of the caper, Kevin "Bly" Blaser said realizes he should have stopped the ceremony.
Blaser, who said after a video of him performing the re-enlistment ceremony for Master Sgt. Robin Brown circulated to millions on social media, said he equates the whole blunder to running a stop sign.
"My analogy to all of this is I ran a stop sign," he said. "I should have probably stopped the ceremony. That was bad judgment, I one hundred percent admit that."
But, he continued, the penalty for running a stop sign is a warning or a ticket. In his case, the equivalent might have been a reprimand. "I was given a death sentence," he said.
--
Regardless of your personal belief as to whether the ceremony should have been conducted in a more dignified or professional manner, or whether this was just one of many weird re-enlistment ceremonies, it brings to the forefront the effect of social media.
What you post to social media can quickly take on a life of its own. What you say in e-mail is subject to FOIA (if you are a government employee), and even if you work in the private sector an e-mail could easily find its way into the public view.
The effect of the actions taken against COL Blaser go far beyond this one case. From this point forward any type of weird or out-of-the-ordinary military re-enlistment becomes problematic; and individuals who participated in previous "weird re-enlistment ceremonies" that have a social media presence may now be at risk for future reprimand.
Faraday Bags for Privacy
When you turn-off your cellphone it goes into a dormant state, but unless you remove the battery it is still possible that the phone can still send and receive some signals. In February 2018, I wrote here in the blog Creepy Tech - Google is Tracking You, and in this post, we saw that turning off location services on your cell-phone provides some limited tracking protection, but to ensure that your phone isn’t gathering data to transmit to Google the next time it connects you have to block all signals to the phone. This means removing the battery so that it has no power whatsoever or placing your phone in a Faraday Bag so that it blocks all signals to and from your phone.
A 2013 article in the Washington Post reported that as early as 2004 the NSA had developed a technique that enabled the agency to find cellphones even when they were turned off. Simply put, just powering down your cell-phone does not stop it from sending and receiving some types of signals, such as base band access, nor does it keep it from gathering data which can be transmitted the next time it has a cellular connection.
The Privacy & Security Podcast #28 - Faraday Bags discusses the topic of faraday bags in detail. It is worth your time to spend an hour listening to this podcast to learn more about faraday bags and why you should use them.
In addition to protecting you from cell-phone tracking, faraday bags also block RFID and NFC signals protecting you from having your credit card and ID information captured. A 2015 article by KOMO4 News "Digital pickpockets using smartphones to steal credit cards" showed how the news agency was able to "steal" credit card numbers using RFID scanning and then use those stolen credit card numbers to make purchases in Seattle area stores.
Even the US Government recognizes the risk of RFID data collection, issuing a RFID blocking sleeve to protect DOD CAC cards (military ID cards) and the US Passport card.
I use faraday bags to help protect my privacy and safeguard my electronic data. If you are concerned about data privacy and personal security, this might be something that you should consider as well.
The following links to faraday bags on Amazon will show you some examples of what is available.
Mission Darkness Non-Window Faraday Bag for Phones
Co-link Cell Phone Anti-tracking Anti-spying GPS RFID Signal Blocker
Blackout RFID Blocking Faraday Cage Privacy Bag
Wednesday, April 25, 2018
A Field Cipher
(Click on Cipher Sheet to Enlarge)
Encrypting Numbers with the Field Cipher
Some examples of numeric encryption are:
My telephone number is: 3A AF MZ YL RG HQ (202-555-1379)
The camp is at grid: 7P VJ ZC HT EK (9489 2671)
The meeting is at 5D RT PS Main Street on 2U QY NR IL, at MC BD. (2437 Main Street on 06/26/12 at 7.30) Note that in this message we switched keys after the street number, but continued with the same key for the date and time.
The cipher is always represented by letter pairs, while the key is a number-letter combination. Whenever you receive a new key as part of a message, simply change to the new cipher row indicated by that key. In practice you should transmit no more than 20 characters before sending a new key and changing cipher rows.
Spelling with the Syllabary Table
The syllabary table allows the conversion of letters and letter groups into numbers so that they may be encrypted using the field cipher. There is some small degree of security afforded by the random coordinate numbers of the syllabary table, but the syllabary table should not be used alone to send messages without first encrypting the message using the key/cipher table.
When beginning and ending spelling with the syllabary table it is important to indicate this in the text of the message. This is done by encrypting the indicator of two hash tags / pound signs “##” at the beginning and end of the syllabary spelling sequence.
To convert letters to numbers using the syllabary table, simply choose the number coordinates that identify the cell containing the letter or letters you want to encrypt. For example, the message "Attack planned for dawn." could be converted to numbers using the syllabary table like this: 22 30 24 87 18 89 95 95 43 56 48 68 95.
The numbers are then encrypted using the key/cipher table:
3A WW AB GF MS NH RK KU QZ UY JC LT JK PN QY OW.
Authentication Using the Field Cipher
Authentication is a method of challenge and reply used to ensure that the person with whom you are speaking is an authorized operator in your communications network. To issue an authentication challenge choose a number from the far left column of the authentication table, and a second number from the top most row of the authentication table. Note that these are each single digits. For example you might choose the number five and seven. At the intersection of row 5 and column 7 we find the number 22. Thus the challenge is: "Authenticate 57" and the proper reply is "I authenticate 22".
Likewise if the authentication challenge was 89, the reply should be 31.
Using the Brevity List
The purpose of the brevity list is to rapidly transmit a number of standardized short messages. If one wanted to send the 18th message on the brevity list one sends “Message 3A DK”. Note that this could also be sent a “Message 3A AN”.
The messages included in the brevity list are developed and standardized locally to meet the needs of personnel operating in the field. Once developed the brevity list remains constant on all field cipher sheets, but may be much longer that what is displayed here. Multiple additional columns for the brevity list could be included on the back of the field cipher sheet, or a separate brevity code book could be provided to signalers.
Security of the Field Cipher
The security of the field cipher is found in its short cipher period and, in its low volume of traffic.
Normally a new field cipher sheet is used every day.
It should be noted that the only mathematically unbreakable cipher is the One-Time Pad, but the complexities of distributing and maintaining a one-time pad system in the field are far greater than that involved with the field cipher.
CLOUD Act: Attack on Data Protection & Privacy Rights (TUTANOTA)
In a blog post Tutanota wrote : The CLOUD Act enables US law enforcements to ask for any record stored by Gmail, Facebook, Twitter, Dropbox, etc. on foreign servers - so long as this would not break that country's law, e.g. the GDPR. However, as there is no juridical oversight (apart from a US court order to a US cloud service), European users of US cloud services cannot be sure that their data is being protected.
Amnesty International describes the CLOUD Act as a threat to human rights and press freedom globally. "The CLOUD Act jeopardizes the lives and safety of thousands of human rights defenders around the world at a time when they face unprecedented threats, intimidation and persecution."
The Electronic Frontier Foundation (EFF) also criticizes the executive agreements in a statement saying: The CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:
- Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
- Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
- Allow the U.S. president to enter "executive agreements" that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
- Allow foreign police to collect someone's data without notifying them about it.
- Empower U.S. police to grab any data, regardless if it's a U.S. person's or not, no matter where it is stored.
Please take a few minutes to read the Tutanota blog post. And, check out Tutanota e-mail. It is a great, privacy focused e-mail provider that I like and recommend.
Your Privacy is Now Under a Dark CLOUD (Podcast)
A very interesting and informative podcast. - Your privacy and 4th amendments rights were dealt another blow while no one was really looking. Congress opened the door to more warrantless surveillance by tacking on a little-known, unvetted bill to the monster spending legislation passed last week. This bill, benignly titled the Clarifying Overseas Use of Data ("CLOUD") Act, removes the need for foreign countries to obtain a search warrant before demanding data from US companies. This bill was never debated. It wasn’t reviewed or marked up by a single committee. There were no hearings. But it is now law. David Ruiz, from the Electronic Frontier Foundation, helps us to understand the stark implications of this new law and together we explore how it can be used to completely circumvent your 4th Amendment rights.
Your Privacy is Now Under a Dark CLOUD is just one of several podcasts on the Firewalls Don't Stop Dragons web-site.
CIA Officers Under Digital Surveillance
In a CNN article (April 22, 2018), Jenna McLaughlin wrote "CIA officers working overseas used to expect to be followed after hours by adversarial spies hoping to find their sources. But now, foreign spies often don't need to bother because technology can do it for them... Digital surveillance, including closed-circuit television and wireless infrastructure, in about 30 countries is so good that physical tracking is no longer necessary."
Of course the fact that governments use digital tracking to keep an eye on suspected spies and foreign embassy personnel should come as no surprise. We saw in January 2018 how Strava's fitness tracking apps exposed U.S. military bases.
As early as 2010 (and probably well before that) there were concerns that your personal cell-phone served as a tracking device, recording everywhere that you went - creating records available to the government. So, of course if a foreign government can determine what cell-phone is carried by a suspected CIA officer, that government is going to keep an eye on where that cell-phone goes.
You don't have to be a CIA office for this to be a concern. Other government and military personnel assigned overseas should be aware that they may become targets of foreign government digital surveillance. The same concern applies to corporate executives and businesspersons travelling to sensitive meetings, as well.
If the government knows where you are, it knows who you are... and very likely it knows everyone with whom you come into contact.
Tuesday, April 24, 2018
They Know What You Clicked...
According to a 2017 study by Ghostery, 77 percent of all page loads contain at least one tracker. Be it for statistical or advertising purposes, tracking scripts enable companies to look over our shoulder when we’re surfing the web.
These personalized offers that appear to be following you around are based on a practice called retargeting, i.e. the targeting of consumers based on their previous online activity. Once the consumer looks at a certain product, he or she is "tagged" with a tracking pixel, enabling the advertiser to show targeted display ads to that person on third-party websites. Apart from the obvious lesson not to look for your spouse’s birthday presents on the family computer, this tells us something that we should probably all be aware of when using the internet: we are not alone. (Statista)
Amazon Will Deliver Packages to Your Parked Car
Amazon's new in-car delivery service, which will be available in 37 cities and surrounding areas, is a variation of Amazon Key. Some of the available delivery cities include: San Francisco, Seattle, Atlanta, Nashville, Milwaukee, Salt Lake City, and Washington, D.C.
For in-car delivery to work, customers must have a 2015 or later Chevrolet, Buick, GMC or Cadillac vehicle with an active account with OnStar, the roadside assistance and navigation service from General Motors. Car owners with 2015 or newer Volvos with a similar service, On Call, can also receive in-car deliveries from Amazon.
Couriers can use those assistance services to find the cars through satellite location-tracking and unlock the trunk. Customers can park their vehicle anywhere in a roughly two-block radius of their regular delivery address and the driver will find it; and you must give Amazon the make, model, color and license plate number of your car to help the delivery person find it. In case of any problems, the driver will default to that address for the delivery.
The service seems aimed especially at people who leave their vehicles in the lots of large, easily accessible suburban office parks.
Canary Trap with Zero-Width Characters
Someone within your team is leaking confidential information but you don’t know who. Simply send each team member some classified text with their name encoded in it. Wait for it to be leaked, then extract the name from the text - the classic canary trap.
Unlike various other ways of text fingerprinting, zero width characters are not removed if the formatting is stripped, making them nearly impossible to get rid of without re-typing the text or using a special tool. In fact you’ll have a hard time detecting them at all - even terminals and code editors won’t display them.
This JavaScript example lets you test out the claim that you can paste the text without losing the hidden data. Try pasting it into Notepad - which would normally strip out formatting - and then into a newly opened version of the demo site.
Countermeasures for journalists or others engaged with leakers, in decreasing order of effectiveness:
- Avoid releasing excerpts and raw documents.
- Get the same documents from multiple leakers to ensure they have the exact same content on a byte-by-byte level.
- Manually retype excerpts to avoid invisible characters and homoglyphs.
- Keep excerpts short to limit the amount of information shared.
- Use a tool that strips non-whitelisted characters from text before sharing it with others.
Monday, April 23, 2018
The Raytheon Field Guide to Hackers
Cyber actors, from black to white hat and all shades between...
Not all hackers are compiled from the same code. They vary in principle, purpose and practice.
The following list describes that role and other types of hackers encountered in the wild, wild web.
White hat hackers — These are the good guys, named after the white-hatted heroes in Western movies. They’re cybersecurity professionals who track and monitor threats, as well as researchers and students trying to make the Internet of Things safer. “They reverse-engineer malicious code, pulling it apart and seeing how it works,” said Mark Orlando, chief technology officer for cyber services at Raytheon. “You’ll find white hats who are security operations center analysts, network defenders, incident responders, penetration testers and bug bounty hunters.”
Gray hat hackers — These are the vigilantes of cyberspace. They could be citizens or professionals who will sometimes run across a botnet or uncover a threat actor, and then take matters into their own hands, engaging the attacker or threat. “A white hat hacker will escalate an intrusion or threat to a higher authority or report it to law enforcement,” Orlando said. “A gray hat hacker will, instead, try blocking the threat and attempt to move in, trying to take down an attacker’s infrastructure or interact with them in some way. It’s called ‘hacking back.’”
Black hat hackers —A black hat hacker cracks computers and breaks into networks for ill intent or personal gain. “If you’re not a white hat or a gray hat, then you’re more than likely a black hat,” Orlando said. “Black hats can any fall into any of the categories that follow on this list, and can be a combination of several categories at the same time, like an insider threat who is also a hacktivist, like a whistleblower or somebody with a cause that leaks sensitive information.”
Cyber mercenaries — These are cyber "guns for hire," serving as experts to attackers who don’t have hacking skills. “A country can enlist the services of a cyber mercenary so they can have plausible deniability,” Orlando said. “A good example would be a ‘bot herder,’ who controls a large network of compromised computers. These bot herders will take payments to turn on a botnet to unleash a DOS [Denial of Service] attack against a company or enemy.”
Nationalist hackers —These actors aren’t actual nation states, but who further the state's agenda. They vandalize websites, leak proprietary information and cause damage in the name of their country. “Nationalist hackers, again, allow a state to deny any responsibility for an attack,” Orlando said. “Sometimes the hacker’s motivation is purely financial, but sometimes it just gives them leverage and status, or just national pride. They’re often cyber mercenaries or organized criminals.”
Organized and disorganized criminals — These hackers cash in on their cyber skills. Organized criminals run much like a business, using spam operations, spearphishing campaigns, ransomware, credit card data theft and hosting operations. Disorganized criminals can be lone wolves or loosely knit bands of hackers. “Attribution is really hard when it comes to high-profile breaches like the ones we’ve heard about with some major retailers,” Orlando said. “But in these cases, it’s all about information—credit card numbers, social security numbers or intellectual property — that can be sold on the dark web’s blackmarket. For disorganized criminals, it’s oftentimes opportunistic. They’re just out there, seeing what they can get, and then going after it.”
Hacktivists — These could be individuals with a political or personal agenda, or larger groups like the various Anonymous factions. “They’re usually motivated by ideology or politics, trying to expose or embarrass their opposition,” Orlando said. “Think of the fictional ‘The fSociety’ group of hackers on the TV show ‘Mr. Robot.’”
Nation state actors — These are cyber soldiers and agents with huge budgets and sophisticated tools. With intelligence-gathering and military objectives, their mission is to monitor and if necessary, attack or interfere with an adversary country’s network. “Sometimes, they’ll place a trusted insider into an organization to steal classified, sensitive or proprietary information,” Orlando said.
Script kiddies — These are hackers with little or few skills, who download rootkits and scripts from the dark web, seeking fortune and fame. “These aren’t children…script kiddies can be any age,” Orlando said. “They either buy or download tools for free, and they can even learn how to use them by watching videos online. These attacks are generally low in sophistication and relatively obvious to spot.”
Insider threats — These are employees, often disgruntled, with an axe to grind. They leak, steal or vandalize their own company’s network for money, revenge and attention-seeking. “They take advantage of their access and privileges to compromise systems,” Orlando said. “In the past 20 years, we’ve heard about quite a few high-profile cases of employees stealing and selling secrets, or leaking them.”
Cyber pickpockets — These criminals might pick your packets or your pockets. Some physically steal devices like mobile phones, tablets and laptops, mining the device for information and credentials. Others might “sniff for packets” and steal information over the air by setting up a free WiFi network at a coffee shop or hotel. “It’s usually not very organized or sophisticated.
"Official" Security Tips and Fact Sheets
There are many things that we can, and probably should, do to safeguard our privacy and improve our personal security. There are also many resources that provide tips and guidance along this line, but sometimes - especially when preparing our own publications and briefings - we want to cite an "official" or government source. Below, in no particular order, are security tips and fact sheets from official sources.
US-CERT Tips
US-CERT Home and Business
US Army CID - Computer Crimes Investigative Unit
Cybercrime Prevention Fliers
NSA Best Practices for Keeping Your Home Network Secure
US Army Cyber Command - Cyber Fact Sheets
Federal Trade Commission - How to Keep Your Personal Information Secure
NYPD - Crime Prevention and Safety Tips
IN DFI: Credit Card Signature All The ID Needed
FDIC - A Bank Customer's Guide to Cybersecurity
NSA's Top 5 Security Operations Center (SOC) Principles
At last week’s RSA conference in San Francisco, Dave Hogue, technical director of the US National Security Agency (NSA), reviewed the organization’s best practices for defense - as the NSA often sees attacks against their systems within 24 hours of a new vulnerability being disclosed or discovered in the wild. One important point was that 93% of all security incidents in the last year at the NSA were found to be entirely preventable using best practices they already advocated. Attackers are depending on governments and organizations to lapse in the tried-and-true basic principles so they can rely on tried-and-true basic methods, and they don’t have to burn their best (and often more difficult to use) secrets and methods.
The NSA's Top 5 Security Operations Center (SOC) Principles are worth reviewing for anyone who runs a computer network.
Palantir is Using War on Terror Tools to Track American Citizens
According to an article in Bloomberg (April 19, 2018) Palantir, a data-mining company, is using War on Terror tools to track American citizens. The software combs through disparate data sources - financial documents, airline reservations, cellphone records, social media postings - and searches for connections that human analysts might miss. The U.S. Department of Health and Human Services uses Palantir to detect Medicare fraud. The FBI uses it in criminal probes. The Department of Homeland Security deploys it to screen air travelers and keep tabs on immigrants.
Police and sheriff’s departments in New York, New Orleans, Chicago, and Los Angeles have also used it, frequently ensnaring in the digital dragnet people who aren’t suspected of committing any crime. People and objects pop up on the Palantir screen inside boxes connected to other boxes by radiating lines labeled with the relationship: "Colleague of," "Lives with," "Operator of [cell number]," "Owner of [vehicle]," "Sibling of," even "Lover of."
If the authorities have a picture, the rest is easy. Tapping databases of driver’s license and ID photos, law enforcement agencies can now identify more than half the population of U.S. adults.
The LAPD uses Palantir’s Gotham product for Operation Laser, a program to identify and deter people likely to commit crimes. Information from rap sheets, parole reports, police interviews, and other sources is fed into the system to generate a list of people the department defines as chronic offenders... The list is distributed to patrolmen, with orders to monitor and stop the pre-crime suspects as often as possible, using excuses such as jaywalking or fix-it tickets. At each contact, officers fill out a field interview card with names, addresses, vehicles, physical descriptions, any neighborhood intelligence the person offers, and the officer’s own observations on the subject.
The cards are digitized in the Palantir system, adding to a constantly expanding surveillance database that’s fully accessible without a warrant.
Cash App
Since 2009, Square has provided payments for millions of businesses and people all across the world. Square also has a Cash App (launched in October 2013) which includes the ability to buy, sell, and store Bitcoin. If you need a safe way to buy and sell Bitcoin, Cash App gives you that option.
Cash App is available for both personal and business use, and you can set up both a personal and a business account, both of which are linked directly to your bank account.
Cash App also allows you to set up a $Cashtag on your account so that you don't need to provide your name to someone sending you money. Maybe you’d rather not give your full name to the guy who buys your couch off Craigslist. Of course, Cash App doesn't make you 100% anonymous; it is tied to your bank account so Square definitely knows who you are, but I think it is better than either PayPal or Venmo. LifeHacker compared Cash App, Venmo, and PayPal in this 2016 article, stating: "Bottom Line: Venmo for Social Spenders, Square Cash for Anonymous, Simple Transfers, and PayPal for the Most Reach, Currencies, and Options."
If you looking for a way to transfer money among friends and family, or have a small business and want a way to accept electronic payments, then Cash App may be worth considering.
Learn more about getting started with Cash App here.
Sunday, April 22, 2018
China Launches Foreign Spy Reporting Web-Site - Offers Rewards for Tips
According to the South China Morning Post (April 16, 2018), the Chinese Ministry of State Security has launched a new website that allows citizens to report people they suspect of being foreign spies or separatists.
The reporting platform even offers rewards to citizens who report those who are trying to "overthrow the socialist system."
Accessible in both English and Mandarin, the website (www.12339.gov.cn) was launched on April 15 as part of China's National Security Education Day.
The new website details an exhaustive list of offenses that can be reported, including collusion with foreign countries, plotting to "dismember the state" and "fomenting subversion of state power" through "rumor, libel or other ways."
--
What could possibly go wrong with a web-site that lets someone submit unsubstantiated reports to the Ministry of State Security?
Police Enter Funeral Home - Use Dead Man's Fingerprint to Unlock Phone
Largo, Florida police detectives entered a funeral home in Clearwater and attempted to unlock the phone of the late Linus F. Phillip, a man killed in March by another officer at a traffic stop, using the deceased man’s hands.
Victoria Armstrong, the fiancé of Phillip, said she felt "so disrespected and violated" after police entered the funeral home she was present at and attempted to use Phillip’s corpse to unlock the device. While the police may not have been violating the law by doing so, Phillip’s family certainly felt the move was disrespectful:
Ms. Armstrong, 28, happened to be at Sylvan Abbey Funeral Home in Clearwater the day two detectives showed up with Phillip’s phone, she said. They were taken to Phillip’s corpse. Then, they tried to unlock the phone by holding the body’s hands up to the phone’s fingerprint sensor.
Police Lt. Randall Chaney said it was an unsuccessful attempt to access and preserve data on the phone to aid in the investigation into Phillip’s death and a separate inquiry into drugs that involved Phillip, 30. While Chaney said detectives didn’t think they’d need a warrant because there is no expectation of privacy after death - an opinion several legal experts affirmed - the actions didn’t sit right with Phillip’s family.
It’s not clear from the report what kind of phone Phillip owned, but if it was an iPhone, the 48-hour window in which the device could be unlocked with a fingerprint alone would have long expired.
It’s unconstitutional for police to search cell-phones without a warrant, and living criminal suspects can cite Fifth Amendment protections against self-incrimination if police demand to know the password to a phone. But courts have ruled the Fifth Amendment protections do not apply to devices with fingerprint-based security on the legal understanding that fingerprints are like other kinds of biometric indicators such as DNA or handwriting samples.
Florida police used a dead man’s finger in attempt to access his phone. It’s legal, but is it right? (Tampa Bay Times, April 22, 2018)
A Google Update Just Created a Big Problem for Anti-Censorship Tools
The Verge (April 18, 2018) reports that "A Google update just created a big problem for anti-censorship tools."
The Google App Engine is discontinuing a practice called domain-fronting, which let services use Google’s network to get around state-level internet blocks. A recent change in Google’s network architecture means the trick no longer works. First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon’s VPN services.
Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
Senators Demand More Information About DC Mobile Snooping Devices
A bipartisan group of senators is pushing the Department of Homeland Security (DHS) to make public more information about the use of rogue surveillance devices colloquially known as "Stingrays."
Homeland Security recently acknowledged the devices are being used by hostile actors in Washington, D.C. The use of those devices by criminals and foreign spies to eavesdrop on cellphone calls and messages in the U.S. has long been suspected, but the department's disclosure was the first official confirmation of their presence.
In a letter to DHS official Christopher Krebs, the Senators said: "The American people have a legitimate interest in understanding the extent to which U.S. telephone networks are vulnerable to surveillance and are being actively exploited by hostile actors."
So-called International Mobile Subscriber Identity-catchers, or IMSI-catchers - known as Stingrays after a popular brand used by U.S. police departments - work by tricking cellphones into locking onto the device instead of a legitimate cellphone tower. Once they are deployed, they can intercept data from a target phone.
Experts say they are widely used by foreign embassies, which are on sovereign soil, and police departments have quietly used them for years to some controversy. (The Hill)