Saturday, February 17, 2018

Five + Five Digital Security Tools


Five digital security tools to protect your work and sources
An article from the International Consortium of Investigative Journalists

1. Signal and other end-to-end encrypted apps
2. Secure file storage and encrypted sharing
3. Password managers
4. Two-factor authentication and its innovations
5. Slack alternatives for your office

and

Five EFF Tools to Help You Protect Yourself Online

1. Privacy Badger
2. Panopticlick
3. HTTPS Everywhere
4. Certbot
5. Surveillance Self-Defense



Spying on Democracy


Spying on Democracy:
Government Surveillance, Corporate Power and Public Resistance

By Heidi Boghosian

"In Spying on Democracy, National Lawyers Guild Executive Director Heidi Boghosian documents the disturbing increase in surveillance of ordinary citizens and the danger it poses to our privacy, our civil liberties, and to the future of democracy itself. Boghosian reveals how technology is being used to categorize and monitor people based on their associations, their movements, their purchases, and their perceived political beliefs. She shows how corporations and government intelligence agencies mine data from sources as diverse as surveillance cameras and unmanned drones to iris scans and medical records, while combing websites, email, phone records and social media for resale to third parties, including U.S. intelligence agencies."

* (pp. 108-109)  A civilian employee of the Fort Lewis Force Protection Division in Washington State, struck up friendships with many peace activists. For at least two years he posed as an activist... He gave information... to his supervisor Thomas Rudd, who wrote threat assessments that local law enforcement officials used in harassment campaigns that included "preemptive arrests and physical attacks on peaceful demonstrations, as well as other harassment." In the words of the government agencies involved, they aimed to neutralize PMR [a local political / activist group] through a pattern of false arrest and detentions, attacks on homes and friendships, and attempting to impede members from peacefully assembling and demonstrating anywhere, at any time."

I thought that "Spying on Democracy: Government Surveillance, Corporate Power and Public Resistance" was very well-written and highlights concerns that many in our communities have about invasions of our personal privacy and abuse of our civil liberties.

Friday, February 16, 2018

WhatsApp

WhatsApp is a very popular messaging application, with more than 1 billion registered users.
WhatsApp messages are end-to-end encrypted, using the Signal encryption protocol developed by Open Whisper Systems. The encryption protocol is very secure, and Signal has its own messaging app, separate from WhatsApp.

Because of WhatsApp’s immense popularity, it is an easy way to get your family, friends, and co-workers to begin using encrypted communications. WhatsApp messages are far more secure than unencrypted text (SMS) messages and unencrypted chats.

According to the WhatsApp web-site, "When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands."

Control What you Share

You can also decide what to share with your contacts on WhatsApp, and we encourage you to think carefully before you decide to share something. Ask yourself: would you want others to see what you've sent?

Please be advised that we do not retain messages after they have been delivered, in the ordinary course of providing our service. Once a message is delivered over WhatsApp, to help ensure the safety, confidentiality and security of the messages you send we do not store the message.

However, when you share a chat, photo, video, file or voice message with someone else on WhatsApp, they will have a copy of these messages. They will have the ability to re-share these messages with others on and off WhatsApp.

WhatsApp also has a location feature that you can use to share your then-current location via a WhatsApp message. You should only share your location with people you trust.

WhatsApp Weaknesses and Vulnerabilities

WhatsApp’s parent company is Facebook, and information from your WhatsApp account, such as the telephone number you used to verify your account and the last time you logged on, may be shared with Facebook. While this doesn’t expose the content of any of your WhatsApp encrypted messages, it does associate your WhatsApp contacts with your Facebook profile.

The messages you send via WhatsApp are end-to-end encrypted, meaning that only your device has the ability to decode them. This prevents your messages from being intercepted during transmission, but says nothing of their safety while on your device. On both iOS and Android it is possible to create a backup of your messages to either iCloud or Google Drive. The backups that WhatsApp creates contain the decrypted messages on your device. The backup itself is not encrypted. If someone wanted access to your messages, they would only need the latest copy of your daily backup. The backup is also vulnerable because there is no ability to change your backup location, meaning that you are at the mercy of the cloud service to keep your data protected. iCloud in particular has suffered a poor reputation for security, especially after its role in the largest celebrity leak in history.

One of the supposed benefits of encryption is, for better or worse, being able to prevent government and law enforcement from accessing your data. As the unencrypted backup is available on one of two US-based cloud storage providers, all law enforcement would need is a warrant and they would have unfettered access to your messages. In many instances, this renders the end-to-end messaging encryption redundant.

I recommend that you turn off backups of your WhatsApp messages.  Also, don’t keep messages stored in your phone. Once you have read, replied, and no longer need a message - Delete It!

WhatsApp - Should You Use It?

While nothing can be 100% secure, I believe that the security offered by WhatsApp is a significant improvement over unencrypted text messages, chats, and telephone calls. Because of WhatsApp’s popularity, many people with whom you wish to communicate may already be using WhatsApp, but if they are not, WhatsApp is a free, easy, cross-platform application that anyone can quickly install.

By encouraging everyone with whom you communicate to use an encrypted means of communication - like WhatsApp - you greatly improve the security and privacy of your personal communications. 

Key Scrambler

 
Protect yourself against keyloggers. A keylogger is a piece of malicious software, usually called "spyware" or "malware," that records every keystroke you make on a keyboard. Keyloggers can be installed without your knowledge or consent, and once installed, the keylogger records all your keystrokes, and then e-mails the information and other data to whomever is targeting you.
 
One way to defend against keyloggers is to install software such as Key Scrambler (Personal) from QFX Software, which encrypts your keystrokes as you type. The basic version of Key Scrambler is available for free, and works well at protecting your keystrokes without slowing down your system. A short YouTube video introduces Key Scrambler. I have used Key Scrambler for a few years now, and recommend it as important security software if you run Windows as your operating system. Key Scrambler runs on Windows 10, 8.1, 8, 7, 2003, XP, and Vista (32-bit and 64-bit).

Thursday, February 15, 2018

Get Copies of Your Government Records


Do you know what records the government has about you? You are likely aware of the most common records, such as your birth certificate, driver’s license, passport, etc., but what other records are out there? Does your local police department have a file about you? Does the FBI? If you served in the military, do you know what’s in your Official Military Personnel File, and what’s in your Background Investigation Records?

The Privacy Act of 1974 (Pub.L. 93-579, 88 Stat. 1896, enacted December 31, 1974, 5 U.S.C. § 552a), a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency record-keeping requirements. Additionally, because people are granted the right to review what was documented under their name, they are also able to find out if the "records have been disclosed" and are given the right to make corrections.

The Freedom of Information Act (FOIA) is a United States federal law that grants the public access to information possessed by government agencies. Upon written request, U.S. government agencies are required to release information unless it falls under one of nine exemptions listed in the Act. 

Most states also have similar public records laws, allowing you to access records from state and local governments, to review records about yourself and to make corrections to those records when necessary. The Open Government Guide can help you find the laws and procedures to obtain records from your state. 

To access records under the Privacy Act or the Freedom of Information Act you need to submit a request to the agency holding those records.  The following web-sites, by way of example, provide information on requesting information from the agencies listed:

Requesting FBI Records

BATF - How to Request ATF Records

Access to Official Military Personnel Files (OMPF) for the General Public

How Can I Get a Copy of Background Investigation Records NBIB May Have On Me?

US Department of State - How to Make a Request for Personal Records

View your U.S. arrival and departure history for the past 5 years on-line

Social Security Administration Guide to FOIA

There are numerous other government agencies, and you will have to determine which ones are likely to have information about you. Even if you have had no interaction with an agency, it is still possible that you are included in that agency's records as we saw in Social Media Surveillance of U.S. Persons by the Police and Military.

If you have never requested a copy of your government records, it is worth your time to submit requests to review and if necessary correct the information the government has about you. Submit requests to Federal agencies, your state agencies (such as your state police), and county agencies (such as your sheriff's office).

Like checking your credit report annually, I believe that it is also important to use FOIA and the Privacy Act (and the equivalent laws in your state) to determine what records government agencies hold about you. At a minimum check with your state and local police departments, and county sheriff's office to determine if any records have been created about you during the year.


 
 

Wednesday, February 14, 2018

Creepy Tech - Google is Tracking You


On February 7, 2018, carrying two identical Android phones, with no SIM card in either of the two phones and one set on Airplane Mode, Fox News Headlines 24/7 anchor Brett Larson visited several major landmarks in Washington D.C., from the Fox News bureau on North Capitol Street, to the Children's Hospital in the north, the Washington National Cathedral in the northwest and back to Capitol Hill. During that time, he was not connected to WiFi and only took photos at the cathedral. Back at the Fox News Channel bureau, Larson hooked the phones up to a device that copied the data the phones sent to Google. He found it knew exactly where he was throughout the day. "It knows when I got out of the car!" he exclaimed, examining metadata in the report.

Google uses a methodology called "Surveillance Capitalism" to capture and track your movements and habits. Even with your phone turned off it has the ability to track your movements and transmit that data to Google as soon as it connects to the network or internet.

Read the complete story and watch the video at Fox News.
'It Knows When I Got Out of the Car!': Tucker's Special Report on How Google's Tracking You

Turning off ‘Location Services’ provides some limited protection, but to ensure that your phone isn’t gathering data to transmit to Google the next time it connects you have to block all signals to the phone. This means removing the battery so that it has no power whatsoever, or placing your phone in a Faraday Bag so that it blocks all signals to and from your phone.

 

Tuesday, February 13, 2018

New York Times Confidential Tips


The New York Times is one of the leading newspapers in the United States. At least some part of its reporting comes from tips provided by confidential sources. To facilitate receiving confidential tips, the New York Times provides a number of ways to provide information to the newspaper confidentially.

Now I am not suggesting that you become a confidential source for the New York Times. Sure, if you found out that some out-of-control government employee was sitting in a basement office somewhere keeping illegal files about you... well, this might be a story for the New York Times. For most of us, however, the reason we want to look at how the New York Times receives confidential tips is to see how one of the most powerful newspapers in the country protects its sources.

The New York Times recommends the following means of communicating with them securely:

WhatsApp - WhatsApp is a free messaging app owned by Facebook that allows full end-to-end encryption for its service. Only the sender and recipient can read messages, photos, videos, voice messages, documents and calls. Though you can limit some account information shared to Facebook, WhatsApp still keeps records of the phone numbers involved in the exchange and the users’ metadata, including timestamps on messages.

Signal - The free and open source messaging app offers end-to-end encryption to send messages, photos, video and calls. Signal retains only your phone number, when you first registered with the service and when you were last active. No metadata surrounding communications is retained. The app also allows messages to self-destruct, removing them from the recipient’s and sender’s phones (once it’s been seen) after a set amount of time. I wrote about Signal here in the blog in November 2017.

PGP Encrypted E-mail - Pretty Good Privacy (PGP) is an encryption software that allows you to send encrypted emails and documents. Mailvelope is a browser extension for Chrome and Firefox that makes it easy to use PGP. The extension will only encrypt the contents of the email you’re sending. Mailvelope will not encrypt metadata such as sender, recipient, subject or information about when the email was sent. This metadata will be available to your email provider. I strongly recommend PGP and have mentioned it in the blog here and here.

Postal Mail - Mail delivered through the postal service is another secure means of communication. The New York Times recommends that you use a public mailbox, not a post office.

Secure Drop - This encrypted submission system set up by The Times uses the Tor anonymity software to protect your identity, location and the information you send us. We do not ask for or require any identifiable information, nor do we track or log information surrounding our communication.  I previously wrote about Secure Drop here in the blog. 

Are there other means of secure and anonymous communication? Of course there are. But, if you need to set up some way of receiving information securely, the techniques recommended by the New York Times are good places to start.

I also note that the New York Times Onion Service on http://nytimes3xbfgragh.onion is a more secure way to access the website over Tor.