Saturday, May 5, 2018

A Step-by-Step Guide to Using SecureDrop


In October 2017, I commented briefly here in the blog about SecureDrop. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. The platform has been deployed and is being actively used by an array of journalistic organizations to provide a secure and usable platform for whistleblowers to get in touch with journalists while protecting their own identity.

A reader recently asked for more information about how to safely use SecureDrop. I was going to add some recommendations here, but then came across the following video from the Globe & Mail:


This short video explains clearly how to use SecureDrop, and is probably better than anything I could provide here in written instruction.

Of course, in addition to how to use SecureDrop, we must ask: should you use SecureDrop? Before going to the media, did you report your concerns within your organization? Was your organization responsive, or did the leadership retaliate against you? Who else has access to the information that you intend to provide to the media?

While SecureDrop will certainly protect your communication with the press, it will not necessarily prevent an organization from discovering that you are the leak. You may want to consider other factors involved in providing confidential tips to news agencies.

If you wanted to communicate with a news agency other than the Globe & Mail, you would need to start with one of these other web-sites, but all of the instruction in the video would still apply. If you find it useful to provide a confidential tip to one news agency, you may want to provide that tip to several news agencies to ensure that it receives appropriate attention (every agency has its own editorial policy).

Associated Press

Washington Post

The Intercept

The Guardian

VICE News

WIRED

CBC

The New York Times

The Globe and Mail

Forbes

The Verge

Motherboard

NPR


$5-Million Tort Claim Against WSP for Deleting Public Records, Retaliation...



According to a May 3, 2018 report by KUOW and the Tacoma News Tribune: a Washington State Trooper has accused a leader in the State Patrol’s aviation unit of ordering staff to illegally delete public records... Trooper Ryan Santhuff makes the allegations in a $5 million tort claim filed against the state in February. Santhuff contends the alleged incidents and retaliation from supervisors contributed to a "work environment that no reasonable person could tolerate."

Santhuff also accuses [a WSP Lieutenant] of directing troopers to delete public records after a disclosure request was filed related to May Day protests in Olympia, in 2014. "Not only did the Lieutenant direct staff to delete emails, he also instructed them on ways to remove all copies of these emails from hidden folders on the computers and servers, essentially scrubbing the network of relevant documents," the claim states.

The tort claim states Santhuff reported all of these alleged incidents in 2016 and that WSP subsequently "began a campaign of retaliation against Trooper Santhuff" that included implicit threats, exclusion from meetings, ostracization and lies about Santhuff’s job performance.
--
According to WA State law:  To be a "public record," a document must relate to the "conduct of government or the performance of any governmental or proprietary function." RCW 42.56.010(3). Almost all records held by an agency relate to the conduct of government.  A "public record" is a record "prepared, owned, used, or retained" by an agency.

Thus it is likely that the e-mails sent and received by WSP in their official accounts are public records, and may not be deleted to prevent disclosure following a public records request.

WSP Trooper Santhuff's claims against the Department will be resolved through the courts, but what I believe is of general interest here is twofold: first that as government employees whatever you send or receive in your official e-mail is likely a public record; and second if Trooper Santhuff's claims are true, government agencies (WSP) are destroying public records to prevent their disclosure under FOIA / Public Records Acts.

--

In a related issue, a May 4, 2018 article on Motherboard noted that Gmail's 'Self Destruct' Feature Will Probably Be Used to Illegally Destroy Government Records:
“As more local and state governments and their various agencies seek to use Gmail, there is the potential that state public records laws will be circumvented by emails that 'disappear' after a period of time,” the National Freedom of Information Coalition wrote in a letter to Google CEO Sundar Pichai. “The public’s fundamental right to transparency and openness by their governments will be compromised.”


Technology Turns Our Cities Into Spies


The LA Times reported (May 2, 2018) that "more than 30 Oakland Police Department patrol cars are roaming the city with license plate readers, specialized cameras that can scan and record up to 60 license plates per second. Meanwhile, the Alameda County Sheriff's Office maintains a fleet of six drones to monitor crime scenes when it sees fit. The Alameda County district attorney's office owns a StingRay, a device that acts as a fake cell tower and forces phones to give up their location. And that's just in one little corner of California."

Most cities don't just keep this data to themselves. Rather they share it with their regional "fusion centers" of which there are 77 across the country, or share the data directly with other agencies across the United States as we saw with the San Diego Police Department.


Now, most people want law enforcement to have the tools it needs to do its job. Tracking an identified criminal subject based upon probable cause and a warrant issued by a judge is no doubt a good thing. Using technology to conduct mass-surveillance of a community in the hope of finding a criminal by chance is problematic at best.

Friday, May 4, 2018

Russian Government Blocks Access to VPNs and Proxies to Stop Telegram Use


Roskomnadzor (Роскомнадзор) - The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media - has blocked more than 50 VPNs and proxies in Russia in an effort to prevent people from accessing the secure messaging app Telegram. Roskomnadzor has also suggested that it could block access to 15 foreign hosting companies if they continue to provide IP addresses that route users to Telegram.

Telegram and millions of related IP addresses were blocked following an April 13 Moscow court order against the app for refusing to give the FSB access to users’ private messages. Telegram founder and CEO Pavel Durov has maintained that providing encryption keys or gaining access to information beyond the device is impossible. (Moscow Times, May 4, 2018)
--

The blocking of access to Telegram by the Russian government may be seen as a portent of things to come in the United States as the FBI and other Federal government agencies seek a master key / backdoor to access encrypted devices and applications.


How to Steal A Police Rifle or Shotgun


OK, I don't really suggest that you go steal a police rifle or shotgun, but if you are a police officer with a rifle or shotgun mounted in your vehicle it may be easy for someone to steal it.

How often do you leave your patrol vehicle unattended? If you have a 'take home' vehicle, do you leave your rifle or shotgun locked in the vehicle overnight?

Many departments use Santa Cruz Gunlocks to secure long-guns in their patrol vehicles.  Recently, rapid bypass techniques to defeat Santa Cruz Gunlocks (SC-1 & SC-5) have been demonstrated on YouTube.

Police Car Shotgun Lock Picked (Santa Cruz Gunlocks SC-1)

Magnet Opens Police Car Shotgun Lock (Santa Cruz Gunlocks SC1)

Police Car Rifle Lock Opened 4 Ways (Santa Cruz Gunlocks SC-5)

I also note that with AR-15/M-4 style rifles the weapon can be removed from the gunlock in under a minute by simply taking the rifle apart. The lower receiver isn't secured by the gunlock, and once the lower receiver is removed from the rifle, the upper receiver can be easily worked out of the gunlock with very little effort.

Reducing Privacy and Security Risks With Threat Modeling


Reducing privacy and security risks starts with knowing what the threats really are. An excellent article appeared in Ars Technica (July 8, 2017) that discussed personal threat modeling.

"Who you are, what you are doing, and where you are doing it are all major factors in determining what threats you face. Where you work, your social and political activities, your notoriety, social connections, travel, and other factors all play into your threat model, too. Such characteristics introduce different sets of potential risks to your security and privacy, and these traits could attract different sorts of potential adversaries. Of course, some activities invite risk in and of themselves based on the kind of information being exposed. In the world of threat modeling, these are often referred to as "assets" - the important pieces of information you want to use in an activity but simultaneously want to protect. Pieces of information that could be used to expose your assets are just as essential to protect as the assets themselves. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should also be considered as valuable as the things that they provide access to."

Creating Your Own Personal Threat Model
 
To create your own personal threat model, ask yourself the following questions:

* What are the assets you care most about protecting? (emails, images, video, your location, identity, financial information, etc.)

* Who are the different user groups you interact with? (friends, family, employer, random person on the train)

* What are the systems where your data is stored? (Websites you frequent, devices, and services)

* How do all of these things interact? (It usually helps to draw a picture)

* What are the rules I want to maintain? (Who can see my pictures? How much can my employer know about me?)

* What are the top threats that I am worried about? (Hackers? Government intrusion?)

* What steps can I take to best protect against the top threats?


Thursday, May 3, 2018

Active Shooter Incidents in the United States in 2016 and 2017


The FBI report, Active Shooter Incidents in the United States in 2016 and 2017, is now available in the FBI file repository.

Previous editions of the report are also available:

Active Shooter Incidents in the United States in 2014 and 2015

A Study of Active Shooter Incidents in the United States Between 2000 and 2013



Notorious Hate Group Atomwaffen Includes Active-Duty Military


PBS reports that journalists with ProPublica and FRONTLINE gained insight into Atomwaffen’s ideology, aims and membership after obtaining seven months of messages from a confidential chat room used by the group’s members. The chat logs, as well as interviews with a former member, reveal Atomwaffen has attracted a mixture of young men - fans of fringe heavy metal music, a private investigator, firearms aficionados - living in more than 20 states.

But of greater concern is that a number of Atomwaffen members are current or former members of the U.S. military.

ProPublica and FRONTLINE have identified three Atomwaffen members or associates who are currently employed by the Army or Navy. Another three served in the armed forces in the past. Vasillios Pistolis [identified in the PBS article], who remains an active-duty Marine, left Atomwaffen in a dispute late in 2017 and joined up with another white supremacist group. Reporters made the identifications through dozens of interviews, a range of social media and other online posts, and a review of the 250,000 confidential messages obtained earlier this year.

Joshua Beckett, who trained Atomwaffen members in firearms and hand-to-hand combat last fall, served in the Army from 2011 to 2015, according to service records. Online, Beckett, 26, has said that he worked as a combat engineer while in the Army. Combat engineers are the Army’s demolitions experts.

Last year, nearly 25 percent of active-duty service members surveyed by the Military Times said they’d encountered white nationalists within the ranks. The publication polled more than 1,000 service members.

In February 2018, the Seattle Times reported that Atomwaffen, a white supremacist group linked to multiple homicides, has one of its largest chapters in Washington state, as did KUOW in its report "The covert white supremacist group lurking in Washington state;" and Wenatchee World in its report "Washington state home to one of the largest cells of notorious white supremacist group."

Washington state is not the only place where Atomwaffen is active, but it should be noted that Washington state has a large military presence (Joint Base Lewis-McChord, Fairchild Air Force Base, Naval Base Kitsap, Naval Air Station Whidbey Island, Naval Station Everett, etc.), and Atomwaffen seeks to recruit military members into its ranks.

Anytime a group (such as our military personnel) becomes a target for recruitment by a violent and extremist faction (such as Atomwaffen), this creates a personal security concern for all members of the group. Most military personnel - the vast majority - simply are not going to be lured by the recruitment efforts of groups like Atomwaffen, but as we have seen, that doesn't mean that no military member will choose to participate in these extremist activities.

Mailvelope (OpenPGP Encryption)


Mailvelope lets you use OpenPGP encryption with web-mail applications such as Gmail, Yahoo Mail, and GMX. Mailvelope integrates with your web-based e-mail application within both the Chrome and Firefox browsers.

I recommend that everyone create an OpenPGP key-pair, thereby allowing others the option of sending you encrypted e-mail by making use of your public key and any OpenPGP application. Mailvelope makes this easy. By using Mailvelope you can exchange PGP-encrypted e-mail with others, thereby protecting the content of your communications.

A YouTube Video "How to Use PGP Encryption With Gmail and Other Web Email With Mailvelope" gives a good overview of Mailvelope.

Protecting Privileged Communication


Privileged communication is an interaction between two parties in which the law recognizes a private, protected relationship. Whatever is communicated between these pairs of parties shall remain confidential, and the law cannot force disclosure of these communications. The individual that initially makes the privileged communication legally has the ability to prevent the other party in the relationship from disclosing the content of the privileged communication. One of the most commonly cited relationships where privileged communication exists is the attorney and client relationship. This relationship is called attorney-client privilege. Other recognized privileged communication includes doctor/psychotherapist-patient, clergy-penitent, and communication to one's spouse.

There are conditions that must be met in order to preserve the confidential status of these communications. First, the communication must be between people in a legally recognized protected relationship. Next, the communication must take place in a private setting, where the communicators have a reasonable expectation of confidentiality (like a private office). Lastly, the privileged status of the communication is lost if or when the communication is shared with a third party that is not part of the protected relationship. However, agents of the recipient of the information - such as an attorney's paralegal or a doctor's nurse - would generally not be considered a third party that defeats the privileged status of the communication.

Under the law the recipient of a privileged communication has a duty to safeguard and protect that information from disclosure. The person making the privileged communication may however waive that privilege and disclose the information. For example, my doctor may not discuss my health and medical treatment with an outside party, but that doesn't prevent me from discussing my own medical conditions with whomever I choose.

There are legal complexities as to what may be considered privileged communication, which go beyond the content of this post, but once you have determined that a communication is in fact privileged, here are a few things you should consider.

Encrypt all e-mail and attachments. This requires a compatible encryption between all parties of a privileged communication.  Encrypted file transfer / messaging systems like Encyro and Sendinc may be a way of establishing encrypted communication with a client who does not have other secure e-mail options.

Never send sensitive information in a SMS/Text Message. If you must communicate short sensitive messages use an end-to-end encrypted messenger with expiring / disappearing messages. One example would be Signal Private Messenger.

Voice communication should be over an end-to-end encrypted channel, or preferably face-to-face in a private area.

Use password protection on all sensitive documents. This limits the ability of someone with access to your computer system to open sensitive documents unless they have the document password.

Store all electronic records in an encrypted container (e.g. BitLocker / FileVault 2 / VeraCrypt).

Store all paper files in a locked security container.

Destroy sensitive information when no longer needed using an electronic wipe program and/or a cross-cut paper shredder.

Be aware of who else might have access to privileged communication and confidential records. System administrators may have access to everything on your computer network, and janitorial / maintenance staff may have access to offices after business hours.

--

Wednesday, May 2, 2018

First Responder Suicides


Suicides left more officers and firefighters dead last year than all line-of-duty deaths combined - a jarring statistic that continues to plague first responders but garners little attention.

Last year, 103 firefighters and 140 police officers committed suicide, whereas 93 firefighters and 129 officers died in the line of duty, which includes everything from being fatally shot, stabbed, drowning or dying in a car accident while on the job.

First responders work in high-stress jobs, yet less than 5% of departments have suicide-prevention programs. Job-related stress and thoughts of suicide are something first responders are too often ashamed to talk about and address, which is having a deadly result.

Police and firefighters witness death and destruction daily. It would be silly to think it wouldn’t take a toll on them.

Combine this with department internal investigations - witch hunts - that drag on for months, based on clearly unfounded, and frivolous allegations; or political agendas within departments to cover-up actual misconduct and you have an environment that can lead to suicide, or lesser destructive behaviors such as alcoholism and drug use.

Peer-to-peer assistance, mental health check-ups, time off after responding to a critical incident and family training programs to identify the warning signs of depression and PTSD are essential to the mental and emotional well-being of the men and women in our police and fire departments, but too often those programs simply don't exist.   (Firehouse, April 12, 2018)


Hotwatch - Tracking Your Credit Card Use



Do you make purchases with a credit card, or use your debit card to withdraw money from an ATM? The records maintained by your credit card company and bank can return a detailed picture of your life. A complete record of your purchases is associated with your credit card. Additionally, point of sale transactions (i.e. you present your credit card to the merchant) create a record of your location at the time of purchase. Someone monitoring your credit card transactions has near real-time data about your location, and what you are buying / doing.

Under a program called "Hotwatch" Federal law enforcement agencies can engage in real-time tracking of Americans' credit card purchases, use of calling cards, car rentals, and even purchases made using store loyalty programs.

“The act is called "Hotwatch" and in a nutshell means that the government can watch in real time the activity of credit card transactions, airline and hotel reservations, debit card transactions, cell phone calls, and rental car activities of its own citizens… The Feds don’t have to have a warrant, in fact the DOJ... stresses that the preferred way to execute a hotwatch is to bypass the protections provided by the Fourth Amendment to the Constitution and instead use a subpoena to order credit card issuers and other retailers to provide detailed real time information about the financial moves of the person being watched.  A judge then orders a non-disclosure order, which insures that the target will never know they’re being watched… No one knows how many of these hotwatches have occurred, or even who exactly the government is spying on. There appears to be no judicial oversight, and... it was the government’s intention to keep the program a secret.” (Chen 2011).

All of your credit card and debit card transactions are recorded. At a minimum your credit card company will have the date, time, amount of transaction, merchant category code, and whether the card was present for the transaction (i.e. you made the purchase in-person, on-line, or over the telephone). Because many businesses itemize receipts (look at the receipt from the grocery store the next time you go shopping), an exact record of your purchases can be made. Even with just the merchant category code (MCC), it is possible to develop a good picture of someone’s lifestyle. Some MCCs include:

4900 Bail and bond payments
5921 Packaged beer, wine, and liquor stores
5933 Pawn shops
5813 Bars and nightclubs
7273 Dating / Escort Services
7297 Massage Parlors
7277 Counseling services (debt, marriage, personal)
8651 Political organizations
7995 Betting / Casinos / Gambling
9211 Court costs (child support and alimony payments)
5912 Drug stores and pharmacies
8062 Hospitals
8011 Doctors

Keeping a record of just the type of business you frequent can provide a detailed, though perhaps misinterpreted, view of your lifestyle. Are you an alcoholic – MCC 5921? Do you have a gambling problem – MCC 7995? Are you having personal or family problems – MCC 9211, MCC 7277, MCC 4900? Are you sick – MCC 8062, MCC 8011, MCC 5912? Ask yourself whether there are some things in your life that you would rather not have becoming a permanent record with your credit card company. If there are, consider where you use your credit card.
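To see how much the category codes alone give away, here is an added example (not part of the original post): a short Python self-audit that reads a card statement and summarizes what its MCCs and card-present flags expose. The CSV layout, the sample rows, the theme groupings and the function names are constructed for illustration; the MCC labels are a subset of the list above.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# MCC -> (theme, label). Labels are copied from the list in this post;
# the theme groupings are an assumption made for this example.
SENSITIVE_MCC = {
    "5921": ("alcohol", "Packaged beer, wine, and liquor stores"),
    "5813": ("alcohol", "Bars and nightclubs"),
    "7995": ("gambling", "Betting / Casinos / Gambling"),
    "7277": ("personal/family", "Counseling services"),
    "9211": ("personal/family", "Court costs"),
    "8651": ("politics", "Political organizations"),
    "5912": ("health", "Drug stores and pharmacies"),
    "8062": ("health", "Hospitals"),
    "8011": ("health", "Doctors"),
}

# Constructed sample statement. The column layout is hypothetical; adapt it
# to whatever your own card issuer's export looks like.
SAMPLE_STATEMENT = """\
date,time,amount,mcc,card_present,city
2018-04-02,18:41,23.75,5921,yes,Olympia
2018-04-03,12:10,61.20,5411,yes,Olympia
2018-04-06,22:15,48.00,5813,yes,Tacoma
2018-04-09,09:30,150.00,7277,no,
2018-04-11,14:02,35.10,5912,yes,Olympia
2018-04-13,19:05,19.99,5921,yes,Olympia
2018-04-17,10:45,240.00,8011,yes,Seattle
2018-04-20,23:50,200.00,7995,yes,Tacoma
2018-04-21,08:00,n/a,5912,yes,Olympia
2018-04-25,16:20,50.00,8651,no,
"""


def parse_statement(text):
    """Return (transactions, skipped_rows); rows with a bad amount are skipped."""
    transactions, skipped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            amount = Decimal(row["amount"])
        except (InvalidOperation, KeyError, TypeError):
            skipped += 1
            continue
        transactions.append({
            "when": f'{row.get("date")} {row.get("time")}',
            "amount": amount,
            "mcc": (row.get("mcc") or "").strip(),
            "card_present": (row.get("card_present") or "").strip().lower() == "yes",
            "city": (row.get("city") or "").strip(),
        })
    return transactions, skipped


def profile(transactions):
    """Group flagged transactions by theme: count, total spent, categories hit."""
    themes = defaultdict(
        lambda: {"count": 0, "total": Decimal("0"), "categories": set()})
    for tx in transactions:
        if tx["mcc"] not in SENSITIVE_MCC:
            continue  # unlisted codes (e.g. groceries) are not flagged
        theme, label = SENSITIVE_MCC[tx["mcc"]]
        themes[theme]["count"] += 1
        themes[theme]["total"] += tx["amount"]
        themes[theme]["categories"].add(label)
    return dict(themes)


def location_trail(transactions):
    """Every card-present purchase places the cardholder in a city at a time."""
    return [(tx["when"], tx["city"]) for tx in transactions
            if tx["card_present"] and tx["city"]]


def cash_candidates(transactions):
    """Flagged in-person purchases: the ones paying cash would keep off the record."""
    return [tx for tx in transactions
            if tx["card_present"] and tx["mcc"] in SENSITIVE_MCC]


if __name__ == "__main__":
    txs, skipped = parse_statement(SAMPLE_STATEMENT)
    print(f"{len(txs)} transactions parsed, {skipped} skipped")
    for theme, info in sorted(profile(txs).items()):
        cats = "; ".join(sorted(info["categories"]))
        print(f'{theme}: {info["count"]} purchases, ${info["total"]} ({cats})')
    print("location trail:", location_trail(txs))
    print(f"{len(cash_candidates(txs))} flagged purchases were made in person")
```

Run against your own statement export, the same summary shows which categories a cash habit would actually remove from the record and which (on-line or telephone purchases) it would not.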

Hotwatch isn't a new program; as far back as 2005 we see, in documents obtained by the Electronic Frontier Foundation (EFF), that: "Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction." (EFF. October 11, 2005)

So, is it possible to spend money without being tracked? Yes to some extent, but the sad truth is that most people have no choice but to use the banking system to do things like make mortgage payments, pay your taxes, or collect your salary or payments for business services.

However, you can make it a lot harder for people to track you. If you limit your use of the banking system, you can create a much smaller profile to track. A good basic method of limiting tracking is to make as many purchases as possible with cash. Use cash for such purposes as buying groceries, gas and items you want to keep private (i.e. guns, survival supplies, medications).

Cash is still the only method you can use that does not leave an electronic trail or a paper trail directly connecting you to purchases. Try returning to the old-fashioned method where you get a specific amount of cash out of the bank each week to pay for what you need. There still will be a record of the weekly withdrawal from your bank, but not of the actual purchases you make each week.

The advent of the ATM makes it easier than ever to get cash, so there’s no excuse not to use cash for most retail transactions. If you can get into the habit of using cash, you can make it easier to budget and make it far harder for banks to track your transactions.

Banks, Credit Card Companies Explore Ways to Monitor Gun Purchases



According to MSN (April 30, 2018), banks and credit-card companies are discussing ways to identify purchases of guns in their payment systems, a move that could be a prelude to restricting such transactions, according to people familiar with the talks.

The financial companies have explored creating a new credit-card code for firearms dealers, similar to how they code restaurants, or department stores. Currently, card companies, including networks and banks that issue credit cards, have little to no insight into gun purchases. Gun sellers fall into broader categories such as sporting-goods retailers or specialty retail shops. Big-box retailers that also sell guns are often assigned codes that include “variety” or “discount” stores.

Some talks have gone further. At least one large U.S. bank has had early conversations with lawmakers about potential legislation to require merchants to share information about specific gun-related products consumers are buying with their cards, according to people familiar with the matter.

Such data could allow banks to restrict purchases at certain businesses or monitor them. Banks have at times blocked consumer-card purchases, and they also act as agents of the government in monitoring payments for suspicious activity. 

--
A policy where your bank or credit card company monitors your specific legal purchases is fraught with privacy issues. While banks and credit card companies may have a duty and responsibility to monitor their networks for fraud and illegal transactions - it is absolutely none of their business how customers legally spend their money, what businesses they favor, or what specific items they purchase.


Tuesday, May 1, 2018

A Legal Guide to Privacy and Data Security (2017)



Understanding the laws and regulations that govern our right to privacy can help us, as individual citizens, stand up for those rights. As businesses and organizations that may gather personal information, understanding these laws and regulations can help us protect the privacy rights of our clients and customers.

Download a copy of A Legal Guide to Privacy and Data Security (2017).


FBI Visits in Seattle Prior to May Day


IGD (April 30, 2018) reported in A Note on Recent FBI Visits in Seattle that "FBI agents visited at least three houses in Seattle and left business cards with the names of individuals they wanted to talk to written on the back. These visits have become a yearly ritual. In the week before May Day, the feds do the rounds to make sure that everyone knows they are watching." The article was originally posted by Puget Sound Anarchists.

May Day in Seattle has frequently been the scene of violence and targeted property damage. The FBI Joint Terrorism Task Force (JTTF) likely seeks contact with known activists and anarchists in the Seattle area in order to develop information and sources.

Local anarchist groups have claimed for years that the FBI, state fusion centers, and even the local military are spying on them and denying their Constitutional rights, as can be seen in this article in The Seattle Globalist (July 25, 2014).

Anarchist groups in turn target law enforcement, military, and government employees in campaigns of information collection and harassment. It is a circle of events that repeats itself each year on May 1st, in Seattle and other cities around the world.




Violent action will always trigger a police response, and planned violent protests that occur year after year will almost certainly result in known activists and anarchists being the focus of government surveillance and intelligence collection.

Susceptibility to Persuasion


Researchers at the University of Cambridge have developed an online questionnaire which measures a range of personality traits to identify individuals who are more likely to fall victim to internet scams and other forms of cybercrime. The psychometric tool asks participants to answer a range of questions in order to measure how likely they are to respond to persuasive techniques.

The test (54 questions), called Susceptibility to Persuasion II (StP-II), is freely available and consists of the StP-II scale and several other questions to understand persuadability better.

A brief, automated, interpretation of the results is displayed at the end of the questionnaire.


Wirecutter Reports on the Best VPNs

Wirecutter spent more than 130 hours over four months researching 32 VPN services, testing 12, interviewing the leadership of five, and consulting information security and legal experts about our results. We found that most people should prioritize other security tools and privacy practices first, but in the cases where a VPN makes sense - such as when you’re connecting to public Wi-Fi - IVPN is the most trustworthy provider that offers fast, secure connections with an easy setup process on both computers and mobile devices. Read the complete report here. It's a good read, although I would have liked perhaps a little more detail.

After reading the Wirecutter report, I recommend that you also read the Torrent Freak article (March 4, 2018) "Which VPN Services Keep You Anonymous in 2018?"

You might also be interested in the list of VPNs on the Privacy Tools site.



How to Save Your Privacy from the Internet's Clutches


Reading an article in TechCrunch (April 14, 2018) I was struck by just how much personal privacy we sacrifice everyday, just by going on-line and interacting in the digital world. Take a few minutes to read this article and consider some of the recommendations to help protect your personal privacy.
  • Tape over all your webcams
  • Install HTTPS Everywhere
  • Use tracker blockers
  • Use an ad blocker
  • Make a private search engine your default
  • Use private browser sessions
  • Use multiple browsers and/or browser containers
  • Get acquainted with Tor
  • Switch to another DNS
  • Disable location services
  • Approach VPNs with extreme caution
  • Build your own VPN server
  • Take care with third-party keyboard apps
  • Use end-to-end encrypted messengers
  • Use end-to-end encryption if you use cloud storage
  • Use an end-to-end encrypted email service
  • Choose iOS over Android
  • Delete your social media accounts
  • Say no to always-on voice assistants
  • Block some network requests
  • Use a privacy-focused operating system
  • Write to your political reps to demand stronger privacy laws
  • Throw away all your connected devices - and choose your friends wisely
  • Ditch the Internet entirely

There is nothing surprising in these recommendations, they are the same things that I discuss here in my blog, and that privacy experts recommend in various forums and publications. Still the TechCrunch article is well-written and is certainly worth your time to read and perhaps adopt some of the recommendations therein.

Along with the above article, I also found an article on Deep Websites Links, "27 Best Privacy Tools for Complete Digital Privacy Online and Offline", that I thought provided good tools and references.

There is no one perfect tool, nor perfect set of tools, but the more privacy and security tools you have available to you, the greater your ability to secure your private data and enhance your personal security, both on-line and off.


Monday, April 30, 2018

Telegram Protest in Moscow (4/30/18)

 
 
Blocking Telegram is a national disgrace: no state claiming leadership in the 21st century should impede the development of its own technologies and digital progress. (YouTube)



Thousands of protesters gathered on Monday afternoon to show their support for the Telegram messaging service.

The anti-censorship demonstration, organized by the Russian Libertarian Party, was held on Prospekt Sakharova in central Moscow.

State media regulator Roskomnadzor began blocking websites en masse to enforce an April 13 court order to ban Telegram over its refusal to provide access to its users’ private messages to Russia's security services.

The organizers behind today's protest demanded that Roskomnadzor restore access to Telegram and affected services. According to their Telegram statement, they are seeking the repeal of all "repressive Internet laws," and the dissolution of Roskomnadzor.

"Our rights regarding secrecy of correspondence, freedom of speech and conscience are guaranteed by the Constitution and cannot be restricted either by law or by conscience," the statement said.

Free speech supporters brought paper planes — the messaging service's logo — of various sizes and placards bearing slogans against censorship. Over 12,000 people participated in the demonstration, according to the crowd-counting service White Counter.  (Moscow Times, April 30, 2018)

Microsoft Cites 24% Jump in Tech Support Scams



A report in Computerworld (April 24, 2018) stated "Microsoft cites 24% jump in tech support scams". These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services. According to company data, Microsoft received 153,000 reports from customers who had encountered or fallen for tech support scams in 2017, an increase of nearly a quarter over the year prior. Of that number, approximately 15,000 - or about 1 in 10 - admitted that they'd lost money from such scams, with victims losing between $200 and $400 each.

In March, the Internet Crime Complaint Center (IC3) released a similar report saying it had seen complaints rise even higher - by 86 percent. The IC3 also added that as the number of scammers has increased, criminals’ tactics have also evolved, from posing as tech support to pretending to be law enforcement or government officials who are trying to recover losses incurred by support fraud schemes.


No legitimate tech support agent will contact you unsolicited, and especially not by phone. Pop-ups on your computer warning of some security issue and urging you to immediately call some telephone number for support are always a SCAM! 

You can read more about Tech Support Fraud in this IC3 / FBI Public Service Announcement.



How to Protect Your Children from Synthetic Identity Theft



When we think of identity theft, we often think of a criminal using our personal information (i.e. name, DOB, SSN) in toto to commit some kind of fraud. Synthetic identity theft, however, doesn’t steal all of your identity, just a piece of it – often your SSN – to create a new identity.

To create a new identity for the purpose of synthetic identity theft, a criminal first needs to obtain an SSN that doesn’t have an active credit profile. A young child’s SSN is ideal for this since the child will have an SSN, but probably isn’t establishing and using credit.

Randomized SSNs put children born after 2011 at especially high risk for synthetic identity theft - and the theft of a child’s SSN can go undetected for years. Taking over a child’s SSN was made easier after the Social Security Administration switched to randomization in 2011. Before then, the digits were tied to birth year and geography, so it was more difficult to use a child’s SSN without it being discovered.

Once a criminal has an SSN, the next step is to manufacture additional identity information such as name, date-of-birth, and an address to receive mail. The criminal now applies for credit using the made-up identity and the child’s SSN. This application for credit will almost certainly be declined because there is no established credit profile for this identity. It does, however, create a record with the credit reporting agencies (TransUnion, Equifax, Experian) for that identification.

Over several months, or perhaps even a couple of years, the criminal works to build this identity and, most importantly, to establish credit associated with that identity. Given time, and some work on the part of the criminal perpetrating this synthetic identity theft, the made-up identity gains some initial credit.

The criminal can now run up that credit with purchases and cash advances and probably get away with a couple thousand dollars in ill-gotten gain. A more savvy criminal might, however, play this out a bit longer and build the initial credit limit, even using and paying the initial credit line to establish it as legitimate.

Once the credit for the synthetic identity is built to a high enough level, the criminal “cashes out” by maxing out the credit cards, loans, etc. and then abandoning the identity.

When we work to protect our personal privacy, it is essential that we don’t overlook adding safeguards to protect our children’s privacy as well.

The Federal Trade Commission offers guidance on protecting your child from identity theft.

Sunday, April 29, 2018

SDPD Shares Its License Plate Database with Hundreds of Other Agencies


The San Diego Police Department (SDPD) initially told Voice of San Diego it had no control over who can see its massive ALPRS database that tracks where cars go in the region. But it later conceded that it has broad leeway over who can access the data, and that it has not elected to limit that access. Agencies that can see the data range from Border Patrol to tiny local police departments across the country.

The list of agencies (14 pages) with near immediate access to the travel habits of San Diegans includes law enforcement partners you might expect, like the Carlsbad Police Department, but also obscure agencies like the police department in Meigs, Georgia, population 1,038, and a private group that is not itself a police department, the Missouri Police Chiefs Association.

The widespread information-sharing across agencies creates a surveillance network that can sketch out the travel patterns of individuals - where they live and work, which places they frequently visit, and with whom they associate, for instance.

In February 2018, I wrote about the use of ALPRS here in the blog, and noted that groups like the ACLU and the EFF have expressed concern that misuse of these systems threatens our privacy.


Wired Magazine Subscription + YubiKey 4 For Just $10


Wired Magazine is one of my favorite publications. I also like YubiKey to protect my on-line accounts.

Now Wired is giving you a free YubiKey 4 when you subscribe to their magazine. For just $10 you get a year of Wired and a YubiKey 4, which, if purchased separately, would cost you $40.

I have no association with either Wired or YubiKey, other than being a fan of both, but this seems like such a good deal that I thought I would pass it along to readers of Chesbro on Security.

Not sure how long the deal will last, so if you are thinking that you would like to subscribe to Wired and get a free YubiKey 4 in the process, now is the time.

Telegram Ban Is Forcing Ordinary Russians to Break the Law


Russia’s ban on the secure messaging app Telegram hasn’t exactly been met with unquestioning obedience and support. According to the Moscow Times (April 24, 2018), "The Telegram Ban Is Forcing Ordinary Russians to Break the Law".

State banking giant Sberbank sent its employees instructions on how to get around the blocking of Telegram (the bank currently uses the service for its corporate communications). Deputy Telecom and Communications Minister Alexei Volin, a state official, no less, hinted at how to bypass the ban, and admitted that he himself uses a VPN to do so.

Instructions on circumventing the block even appeared on the website of Rossia, a state-run television channel, though the material was quickly deleted. Many other state officials and parliamentary deputies have refrained from publicly expressing their disapproval, but have admitted in private conversations to having installed a VPN to continue using the service.

If communication via the messenger can’t be monitored, it must be banned, Roskomnadzor argued, and started blocking IP addresses linked to Telegram on April 16. As a rule, Russians have greeted bans by the authorities with approval or indifference. But with Telegram, everything has changed. Unlike in previous cases, this time a significant proportion of Russian society that was previously far from opposition-minded is willfully refusing to obey the new ban.

--
When governments ban those things that large portions of the population want, and more importantly when governments ban those things to which people have a right - such as freedom of speech and privacy in personal communications - the people will find a way to obtain those things in violation of the government bans. This creates an "outlaw culture" where people begin to disregard the authority of government in general.

Should Telegram provide encryption / decryption keys to the Russian government so that it can read the communications of anyone using Telegram? The Russian courts have ruled that it must, but is doing so the right thing to do? Probably not! Should the Russian government, in an attempt to ban Telegram, disrupt several other Internet services? Absolutely not!


Amazon, Google Still Uncooperative in Telegram Ban, Says Russian Regulator


According to the Moscow Times (April 26, 2018) Russia’s state media regulator is in talks with Amazon and Google as it attempts to gain the tech giants’ cooperation in blocking the Telegram messaging service.

Regulator Roskomnadzor began enforcing a court-ordered ban on Telegram on April 16 after the messaging app refused to grant the Russian security services access to users’ encrypted messages. In its effort to block access to Telegram, Roskomnadzor has blacklisted almost 18 million Internet Protocol (IP) addresses, including those of Google and Amazon, disrupting the work of hundreds of unrelated online services.

“Contact with Amazon has not yet led to positive results, perhaps for political reasons,” Roskomnadzor reported Wednesday, citing its deputy chief Vadim Subbotin following talks with IT representatives. Contact with Google “is, on the contrary, becoming more constructive, a substantive dialogue has begun,” Subbotin said.

--

When the government (any government) seeks to block the private communications and conversations of its citizens, because it is unable to read those communications or listen in on those conversations, this creates a chilling effect that can only lead to further mistrust of the government engaged in this type of action.