Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Privacy’ Category

Creating Your Own Privacy & ROI

leave a comment »

img courtesy of XKCD http://xkcd.com/

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Preamble

With all the alleged revelations over the drift net surveillance happening to us all by the government I and others have been pondering the processes needed to protect one’s communications online and over the phone. Wired and other venues have put out reasonably ok articles on this but generally I think they have lacked on the ROI factor for the varying degree’s of surveillance that has been carried out for some time now, not just the NSA with PRISM. The immensity of it all I think can put one off on the idea of being able to keep their privacy especially given the pains that one must take to keep it on the nation state scale. However, there is much that could be done to have a modicum of privacy but one just has to understand the idea of OPSEC and have some technical base to work from in order to use the technologies such as TOR or CRYPTO in the first place. It is another thing altogether to keep that mindset every day and to understand the import of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the “Loopcast” recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We all are connected to the net in some way whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smart phone the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoo’s on one’s neck here, all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored later for perusal when needed) by the NSA it seems, but also the GPS data as well. Remember the hubbub over the Apple collection of GPS data on the phones a couple years back? Remember the outrage on some parts over this? Well, now look at that in relations to how much of that data is accessible by the government too in this program. More to the point and this has not really been talked about, but are they correlating that data as well in the phone surveillance being carried out? My assumption is yes but like I said that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok so now we are being data mined and correlated on the phone calls we make (metadata). Of who we are calling, how long we are talking, and when as well as  the GPS (location) as well?  All of that data is very informational about the habits of a person alone but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. Which I hasten to add that there are rumors of the caching of conversations generally not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are because of the access the government has built for themselves post 9/11 with the Patriot Act as it’s fulcrum. Access mind you that we are giving them by proxy of the devices we buy and the services that provide the connection because without them we have no way to communicate other than in person or pen to paper with the post offices help right?

All of this though does not mean that the government is spying on you now. What it means though is that the legalities have been created or bent to the will of the government to have the illusion that the wholesale collection of all kinds of data for later use of anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveill you vis a vis your data that there is a chance that someone within the system “could” and “might” do so outside of the rules and that is the problem here … Well other than the Constitutional, moral, and ethical issues that is. Just because it is against the rules does not mean someone won’t do it if they have the access. You know.. Like EJ Snowden having access to highly classified data that perhaps he shouldn’t have? Or furthermore the availability of Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who’d listen right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above in that the corporations that offer you the services (Gmail/ATT/Facebook etc) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things etc. It is this practice of collecting all this data on us and our complicity in it that has given rise to the drift net approach that the government has taken with the surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with in email or posts to Twitter and Facebook for example. YOU are the culprit because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are, what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It’s a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here ya know.

So when you think about all this surveillance going on please remember that you are complicit in it every time you surf the web, make a facebook post, a tweet, or send an email unencrypted (Google analytics kids) because they are all sifting that data to “get to know you better” *cough* It’s just a friends with benefits thing as the government see’s it being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn’t effect the bottom line (money) for them I suspect their worries about privacy are, well, pretty low on average. I mean after all you have already signed away your rights have you not? The little sisters are insidious and subtle and I am afraid they have already become metasticized within the society body.

The Only Privacy You Can Have Is That Which You Make Yourselves

“The only privacy that you have today  is that which you make for yourself” is something I said a while back on a blog post or podcast and I still stand by it. It seems all the more relevant in the post Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems though with all of these things as you can always make a mistake and end up leaking information either technically (an instance would be logging online with your own IP address to something) or process wise like putting your current location on Facebook and saying you’re on vacation for two weeks. It is all a matter of degree though and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it, you can only fight the nation state so much with technology as they have more resources to defeat your measures eventually by end run or by brute force.

On the level of defeating the little sisters, well the same applies but with limitations. You can in fact surf the net on TOR with NOSCRIPT, cookies disallowed and on an inherently anonymized OS on a USB stick right? The little sisters can only do so much and they only interact when they see a profit in it. They after all are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata right? However, if you start to anonymize yourself as much as you can and you are diligent about it you can stop the Little Sisters which in turn may minimize what the Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on and what the ROI is for each adversary involved. In reality unless you go off the grid, change your identity and never touch another piece of technology ever again there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as other things but that is an extreme just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart and you can have a modicum of success if you are diligent.

A for instance of this ROI would be on the phones. If you TRULY want to be private then you have to lose your smartphone that you have billed to you and buy a burn phone. Cash is king and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones out there without any metdata that ties it back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on… It’s not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products nor are they capable of installing a Linux system and running something like GPG. This is not going to work for everyone as well as not everyone is going to care about their privacy as the recent Pew poll showed where 56% of polled ok with surveillance program by NSA.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy and certainly don’t believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren’t hashed or encrypted in any way by companies hacked by LulzSec. As well you should not trust the government, no matter how well intended, that they will be ABLE to protect your privacy as we have seen with recent events like Brad Manning’s theft of (S) data as well as now Snowden (TS/SCI) The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well….

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there well, unless you go luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are and much of that comes from the little sisters. Your ROI here is minimal because they have the power and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and emails and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC the NSA.GOV on each and every email today it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like emails then you will be also geometrically heightening your privacy status. But you have to do it.. AND that seems to be the hard part for many whether it is laziness or apathy I am not sure.

Privacy is what you make of it… He says as he hits enter on a public blog post!

K.

[Jmhhw Kutdegc ohl Vmgi Uizvsr pspmspw avuzyiw ypicl Qephcv Tmwfcj’a yere. Kutdegc plqfkw sd Vqklsn vcukipd.]
Polvc Ayzfiui: Elr npwr, xfslm’k Qephcv Tmwfcj…[tgsoq on i xspbsl ezmpc Auzlmr fom i tpely mbsvi. Uoftsgi rilvk xlc titviv rc mpga mr vua fs tydyzk] Li bcyaf’x wcsg bg lets u xswx.
Zwmpgt: [Ayzea saew] W’g agvvw, pob A hsl’h qwjo jmf npw kstslveirr.
Rckc Kspriv: Oi hm. [Gbwow e aoll] Fexgchid Wiailqlc Eeshkq.
Fmqvix: Sl. Cmi’lm lli eisa A liyf vzwexfwho gr xfs ibziv cbx wx qc nvivw.
Hmay Awjhsl: Bi, bzex’q hbm XFM. Us’lm fsx avuzlivcr zwj hsksmbag wsfpmappybwm.
Tmwfcj: Wz, M wcs. Swm nyqh idwvxffie yszcfhuwrxq. Gyb mt jpwyvvpc bwwbsxspg.
Xquo Kmfxwf: Rs, rvub’k xlc QCI. Oi tpcnmux ssf awnivlayvl’w gmagcfmgyhcwfw, ac hlg ls fpsus lli mhbmj jijzu’a ushcg. Qm’ji xfs awgh ksmm, Usvxw.
Pcazst: Esy, Q uer’r hytd css kbil e vczcmx xlyh ca…Vmgi.
Rckc Kspriv: Uleluy ggyv kwhl, uepj im il xlgg hcefip… [ucdww Fggbwh e jmzxmv tmcqy wx tensl] Uj. Fvgqy.

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS

with 5 comments

EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

From John Yoo and Torture to Warrantless Searches of Papers and Effects: Welcome To The Panopticon

with one comment

“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

Recently, a story has come up in the news concerning certain police departments (Michigan to be precise) have been taking more or less “forensic” images of people’s cell phones and other PDA devices when they have them stopped for traffic violations. Since the reports went live, the Michigan PD has sent out a rebuttal saying that they are in fact asking the citizen if they can scan their data. I say, whether or not they actively are doing it or not, they have the ability to do so per the courts since the loosening of the laws on search and seizure in places like California and Michigan where electronic media is concerned. The net effect is that our due process rights are being eroded in an ever rapid pace.

From Dailytech.com

I. Police Seize Citizens’ Smartphones

In January 2011, California’s Supreme Court ruled 5-2 that police could conduct warrantless inspections of suspects’ cell phones.  According to the majority decision, when a person is taken into police custody, they lose privacy rights to anything they’re carrying on them.

The ruling describes, “this loss of privacy allows police not only to seize anything of importance they find on the arrestee’s body … but also to open and examine what they find.”

In a dissenting ruling, Justice Kathryn Mickle Werdegar stated, “[The ruling allows police] to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or hand-held computer merely because the device was taken from an arrestee’s person.”

But California was not alone.  Michigan State Police officers have been using a device called Cellebrite UFED Physical Pro for the last couple years.  The device scrapes off everything stored on the phone — GPS geotag data, media (pictures, videos, music, etc.), text messages, emails, call history, and more.

Michigan State Police have been reportedly regularly been scraping the phones of people they pull over.

In neighboring Wisconsin, the state Supreme Court has ruled that while such searches are generally illegal, their evidence can become admissible in court if the police demonstrate an exigency (a press need) for the information.

Essentially this ruling offers support for such searches as it indicates that they can give solid evidence and ostensibly offers no repercussions to law enforcement officials conducting the officially “illegal” procedure.

So far the only state to have a high profile ruling against the practice was Ohio.  The Supreme Court of Ohio ruled that warrant-less smart phone searching violated suspects’ rights.  The requested the U.S. Supreme Court review the issue, but the request was denied.

II. What Does the Constitution Say?

The United States Constitution ostensibly is the most important government document in the U.S.  It guarantees essential rights to the citizens of the U.S.

Some of those rights are specified in the Fourth Amendment, part of the original Bill of Rights.  It states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Constitution explicitly states that effects of a person cannot be unreasonably seized without a warrant.

Of course courts must play the vital role of defining what a “reasonable” search is.  But by extending the limits of searches to deem nearly all searches “reasonable”, no matter how tenuous the connection to a suspects detainment, this and several other decisions have created an erosion of the protections in the amendment.

Essentially what court rulings in California, Michigan, and Wisconsin indicate is that the courts believe the Constitution is no longer valid, or that certain Constitutional freedoms can be specially selected for elimination.

The law and our losing the path :

The legal battle over the terms here has come down to the nature of papers and effects where they regard digital media as I understand it. I sat in on the EFF talk at Shmoocon where this very topic was brought up. It seems, that the gray areas of just what is a laptop or a phone as opposed to a “cabinet or desk” is a key factor in how some interpret the legalities of searching someone’s hard drive or phone. In my opinion, they are the same thing. A laptop is a case in which my data is stored, just like a desk or a room, which, you MUST get a warrant to search.

But, that’s just me I guess.

Personally, as the title of this post alludes, I believe that all of this started as soon as John Yoo and the Bush administration began to twist the laws concerning not only torture, but moreover, the use of warrant-less wiretaps. Post 9/11 the US went mad for tapping of phones/data at the trunk level in such instances like the one in the MAE West where they put in the NARUS STA6400. This was the biggie for me because that system hoovers ALL of the traffic, there is no selectivity over it at all. Sure the STA6400 can sift the data, but it needs ALL of the data in order to sift and data-mine. Who’s to say what data becomes important other than those who are running the compartmentalised program that has to report nothing to anyone because it is too secret.

What allowed for all of this to happen and then for the over-reaching to continue was 9/11 itself. Having been in NYC at the towers just before the attacks and working there just after in the hole, I know how many felt after it all went down. We here in the US had only had a handful of terrorist attacks within our borders and those were nothing in comparison to what took place on that day.

We all felt vulnerable and wanted the government to take care of us. We wanted vengeance, and we wanted a take charge guy.

Unfortunately that “guy” was GW Bush and his posse of cowboys who then began to run rough shod over the constitution and other documents like the Geneva conventions. It was from this need to be protected that the American people just went along with the things they knew about, as well as a healthy dose of over classification by the Bush administration that kept us in the dark as to what they really were doing. It was only later, toward the end of the second term that the full scope of abuses were coming out, and yet, the American populace really did nothing. Sure, we elected Obama who made promises to end the nightmare of abuse… But.. He hasn’t has he?

So, here we are in 2011. Ten years post 9/11, and we are finding our rights being eroded by legal positions and decisions that remove the most basic and cherished rights to reasonable searches slipping away.

Who’s to blame?

Us.

We the people have failed to keep in check the actions of the government and in some cases the courts because we have taken our collective hand off the tiller steering this country. Perhaps we really have no hand on that tiller to start simply because we have created a beast that is too big to control or have any sway over. By just looking at the state of affairs today within the political arena, one has to admit that its becoming more and more akin to what it used to be back in the days of Boss Tweed than anything looking like the era of J.F.K.

Simply put, without the people standing up and calling a foul on these types of erosions to liberty, then we have nothing to complain about when the liberties are taken away. On that list is the rights granted to us all by the fourth amendment. The tough thing now though is that where once your personal belongings were either in your house or on your person. Now, those “papers and effects” live digitally not only on your device that you have on you, but also may exist “in the cloud” as well. A cloud that you “use” and is not “owned” by you.

So sure, a cop could ask you if they can look at your phone data. Do they have to say that they are taking an “alleged” forensic image? Perhaps not, but, the thing about the whole Michigan PD thing is that independent reports have shown that they were not asking, they were just taking images when they felt they wanted to, and this is where they run afoul of due process. As far as I am concerned, a file on a phone that is not on the screen as a cop looks at it while it sits in front of him in plain view, is NOT a document that he should just have the right to fish for without a warrant.

Sorry cops… It’s a country of laws, no matter how you try to spin them so you can cut corners.

On the other hand, I know how hard it must be for the police forces of the world to do their jobs now in a digital world. Especially one that so few really understand and likely fear. These magic boxes called phones and computers now hold data that could easily make a case for crimes, but, you just can’t take them and rummage through them just like anything else where due process is concerned. What’s more, I know for a fact that unless you are a forensic investigator, AND you have a decent tool, YOU WILL MISS DATA. Which will lead potentially to acquittal because you did not follow processes such as chain of custody in E-Discovery.

For some though, I am sure it’s just about cutting a corner to make a collar… And that is not how the law is supposed to work.

Our complicity in our own privacy erosion:

Meanwhile, in the last few days another spate of news articles warned about how the iOS and Android systems were collecting data on our movements and details. This particular story is not new if you have been paying attention, it was just the aggregate amount of data that we saw being collected by the iOS particularly that shocked the general populace. For these people I have news for you;

This data and even more have been collected on you all for every service that you sign up for on the Internet. Every phone call you make, every text you send, every picture you upload. All of it is available to someone else who has access to the data.

It’s not private.

YOU have been giving away your personal data every minute of every day that you upload or pass through the telco/Internet systems.

So, even if laws are being subverted on personal searches, your data can and will be taken from the likes of Twitter and other services, perhaps even through NSL letters to those hosts and you will be none the wiser. For every post you put up on Facebook with all of your personal details, not only are you sharing that data with your “friends” but the company and whoever they want to sell it to as well.

The privacy you think you have.. Doesn’t exist.

In the case of the iOS data, no one knew about it from a customer perspective, but I am sure that there was some small print somewhere in the EULA when you bought the phone that allows Apple to collect the data… Not that they have to tell you they are doing it in big letters or clear language. So, that data too is not completely yours any more once you have agreed to their agreement to use/own the phone.

The short and long of it is that we are giving up our right to privacy for shiny toys and a sense of security that we can never really have.

In the end, the data that the iOS collects has yet to be proven to be sent to the Apple mother ship. Apple to date, has made no statement on the collection of the data nor the reasons for doing so. One can assume though, that they have some sort of location based software solution that they want to sell down the road and really, it’s caveat emptor. I am just glad that the security community likes to tinker and found this stuff, bringing it to light.

We are all to blame.

Unless we all take up the battle against the loss of privacy then we have none. Just as well, unless we speak truth to power and stop the erosion of rights to privacy within our body of laws, then we have nothing to complain about. We will have done it to ourselves.

K.

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept

with 2 comments

So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage” a faux profile created on a number of social networking sites including InkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others on how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social” We come pre-loaded and then taught social norms that are counter much of the time to secure actions.

Hardwired:

It is my contention that human beings are a social animal that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as wrote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.

As social animals, we ‘want” to be social (most of us that is) and long to communicate. After all, that is what the internet is all about lately huh? Not being actually in the room with people but able to talk/chat with them online in “social networks” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now its going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at you. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason because that would be counter productive and not the “norm” However, these things can and do happen from time to time, yet, we do not find ourselves on permanent alert as we walk the streets because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? Its the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, lets take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought;

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB

Napolitano: Internet Monitoring Needed to Fight Homegrown Terrorism

with one comment

fox news

Napolitano: Internet Monitoring Needed to Fight Homegrown Terrorism

Published June 18, 2010

|Associated Press

WASHINGTON — Fighting homegrown terrorism by monitoring Internet communications is a civil liberties trade-off the U.S. government must make to beef up national security, the nation’s homeland security chief said Friday.

As terrorists increasingly recruit U.S. citizens, the government needs to constantly balance Americans’ civil rights and privacy with the need to keep people safe, said Homeland Security Secretary Janet Napolitano.

But finding that balance has become more complex as homegrown terrorists have used the Internet to reach out to extremists abroad for inspiration and training. Those contacts have spurred a recent rash of U.S.-based terror plots and incidents.

“The First Amendment protects radical opinions, but we need the legal tools to do things like monitor the recruitment of terrorists via the Internet,” Napolitano told a gathering of the American Constitution Society for Law and Policy.

Napolitano’s comments suggest an effort by the Obama administration to reach out to its more liberal, Democratic constituencies to assuage fears that terrorist worries will lead to the erosion of civil rights.

The administration has faced a number of civil liberties and privacy challenges in recent months as it has tried to increase airport security by adding full-body scanners, or track suspected terrorists traveling into the United States from other countries.

“Her speech is sign of the maturing of the administration on this issue,” said Stewart Baker, former undersecretary for policy with the Department of Homeland Security. “They now appreciate the risks and the trade-offs much more clearly than when they first arrived, and to their credit, they’ve adjusted their preconceptions.”

Underscoring her comments are a number of recent terror attacks over the past year where legal U.S. residents such as Times Square bombing suspect Faisal Shahzad and accused Fort Hood, Texas, shooter Maj. Nidal Hasan, are believed to have been inspired by the Internet postings of violent Islamic extremists.

And the fact that these are U.S. citizens or legal residents raises many legal and constitutional questions.

Napolitano said it is wrong to believe that if security is embraced, liberty is sacrificed.

She added, “We can significantly advance security without having a deleterious impact on individual rights in most instances. At the same time, there are situations where trade-offs are inevitable.”

As an example, she noted the struggle to use full-body scanners at airports caused worries that they would invade people’s privacy.

The scanners are useful in identifying explosives or other nonmetal weapons that ordinary metal-detectors might miss — such as the explosives that authorities said were successfully brought on board the Detroit-bound airliner on Christmas Day by Nigerian Umar Farouk Abdulmutallab. He is accused of trying to detonate a bomb hidden in his underwear, but the explosives failed, and only burned Abdulmutallab.

U.S. officials, said Napolitano, have worked to institute a number of restrictions on the scanners’ use in order to minimize that. The scans cannot be saved or stored on the machines by the operator, and Transportation Security Agency workers can’t have phones or cameras that could capture the scan when near the machine

Umm Janet? Yeah, uh, do you have a clue? I didn’t think so.. Would you like to buy one? Look, we all know in the infosec field that you are basically trying to dress up a massive surveillance vacuum program to look all friendly like and harmless. Just how do you propose to “monitor” all these comm’s without just setting up a huge digital driftnet like the NARUS systems in the MAE’s?

We already monitor many of the jihadist websites and chat rooms etc now, so what else would you suggest we do to catch these guys? The only thing I can think of would be to have a searchable (on the fly) database of emails, chats, and all other communications online captured by something like the NARUS STA6400 or its progeny. Something that would just be doing a DPI type of inspection process of ALL traffic to flag for an analyst to look at and pass on.. Gee.. Where have I heard that before.. Hmm ECHELON perhaps? C’mon! This has been being done by the NSA for YEARS!

I have an idea.. Why don’t you call Fort Meade huh?

Here.. I have the phone number for you: 410-674-7170 Ask for DIRNSA.. Phonetically DUR-N-SA

Maybe they can lead you to understanding of the problem and the solution.. A solution they already have and I am sure are NOT willing to share with you.. But, you can at least try.

Frankly, I fear that you Janet, and the DHS, are clearly incompetent in the field of INFOSEC/HACKING/CYBERSEC as well as do not have a mandate, funding, nor staff to really deal with this issue properly. So, uhh yeah, why not just forget about it? Perhaps you should just leave it up to the NSA hmm?

Oh, and yeah, I am not “for” all of this hoovering of the internet’s traffic as a means to an end on “home grown” jihad. I am instead a realist and know that this is how it is. Of course there is an immense amount of data that is passing through the internet every second of every day, so not all of the bad guys can be caught. I also know that much of that data is in the clear and is in fact our every day email that could be spied upon and we have a real privacy issue here… But, what can I do about it huh?

Well, I can at least say that lets leave it to the professionals at the NSA and not in your completely incompetent hands at DHS.

Yours,

CoB

Written by Krypt3ia

2010/06/20 at 10:44

Weapons Of Mass Disruption: Cyberpocalypse-a-palooza

leave a comment »

To avoid a digital doomsday, Clarke and co-author Robert Knake argue that America needs to treat cyberattack capabilities as nothing less than weapons of mass destruction that can “skip over the battlefield” to target civilian life. That sort of threat, like nuclear weapons, calls for a multi-tiered response: treaties, transparency, beefed-up defenses and a focused concern on rogue states.

Cyberwar treaties face a problem that traditional ones don’t. An enemy could easily hide the source of attacks by routing them through hijacked computers in another country or attributing them to independent criminals.

But Clarke contends that a government could be held accountable for helping to track down any cyberattack originating within its borders, just as the Taliban was held responsible for harboring Osama bin Laden. Although attribution on the Internet isn’t as simple as in traditional warfare, cyberattacks can be traced. Clarke says forensic hackers can follow the trail of bits when they’re given time and leave to breach enemy computers.

“The NSA can do that. And the NSA tells me that attribution isn’t actually a problem,” he says bluntly.

Full article HERE

Dick, Dick, Dick, I am with you in so many ways.. BUT, when you start talking about DPI of the WHOLE INTERNET, then you lose me pal.

Sorry *shrug*

I personally don’t want the whole of the internet being siphoned even MORE than it already is by DPI at every providers NOC with a NARUS STA6400 system installed.

Nope, no thank you.

Now, on the other things likes accountability for nations with server on their soil I am with you. If a server is public/private and is on your soil, there should be “some” responsibility there. At least there should be enough to enforce security practices be carried out to prevent it from becoming the botnet slave in the first place no? Of course Obama wussed out on that one here didn’t he? No rules will be created to enforce that type of accountability here in the private sector.. No sir! It would put an undue strain on the private sector!

*tap tap* Uhh sir, most of the infrastructure is in “private” hands… Umm without making them do some due diligence we are fucked mmmkay?

Yeah…

Meanwhile, lets talk to the italicized and BOLD text. Back in the days of yore, when pirates roamed the seas, there was a thing called a “Letter of Marque” basically, government would give a pirate hunter the letter and say “go git em” This is what we need today I think. Of course this is touchy, but, this is pretty much what Dick is alluding to. He says that he “knows” that were the NSA given a letter of marque, they could not only penetrate the systems involved, but also run the forensics to attribute where the perp really is.

“Whoa” to quote Neo…

Yes, it’s quite true. Not only the NSA could do this though. Go to the BlackHat or Defcon and you would have a plethora of people to choose from really. So this is no mysterious mojo here. Its just that this type of action could cause much more ire than the original attack maybe and lead us into that physical war with the nukes. Who knows.

I guess though, that what has been seen as the model for the future “internet” with cyber-geographic demarcations might just be the real future state we need. At least that is what Dick’s advocating here and I can sorta see that as a way to handle certain problems. If we break up cyberspace so to speak, into regions (like the whole .XXX debacle) then we can have set rules of governance. At present the internet is just a giant wild west stage complete with digital tumbleweeds and an old whore house.

*pictures the dual swinging doors and spurs jangling*

The one thing that rings true though, is that there needs to be some accountability.. Just what form that will take is anyone’s guess. For now though, we will continue on with the lame government jabbering and frothing with the lapdog that is the so called “press” lapping it all up and parroting it back to the masses.

Smoke em if ya got em…

CoB

Our Cyber Tsar’s Security Companies Web Presence. Mmmm feel the warm glow of security.

leave a comment »

The above is.. err “was” as of oh, a day ago, the online presence of Howard Schmidt our newly appointed “Cyber Tsar” The site has been yanked since the report came out. Obviously for reasons likely to be “Shit, it’s gonna get hacked and defaced within minutes” So, the only way to see it now would be the Google cache or maybe the Wayback machine.
Yes, this is who has been chosen to lead our cyber security for the nation. Did I mention that he was CSO at Microfaccid for many years? Yeah, M$, that paragon of computer security…
More to come as I dig it out of the intertubes…
Article
Howard A. Schmidt
President and CEO
R & H Security Consulting LLC
PO Box 2447
Issaquah, WA 98027
Tel: 425-557-9334
Fax: 425-642-8079
howard@cyber-security.us,
cheryl@schmidt.org

Written by Krypt3ia

2009/12/26 at 13:05