Just to be different, I started using a Mac to do some IIR. One of my quick fixes for security was Little Snitch, a firewall for OSX. It monitors outgoing network traffic and alerts you if a program you’re running is trying to contact a strange server. This could be a shell or a program that snaps photos using your webcam or one that takes screenshots and sends them to an outside server.
The Old YouTube Scrape Trick
Don’t be fooled by the old YouTube scrape trick. A scrape is an old video downloaded from YouTube which is then presented as a new and original eyewitness account of a different event.
Defeating The Old YouTube Scrape Trick
Amnesty International provides a handy tool called YouTube DataViewer. Enter the video’s URL and it will extract the clip’s upload time and all associated thumbnail images. This data isn’t readily accessible via YouTube, however, this two-pronged approach allows you to identify the earliest upload, which is probably the original version. Conducting a reverse search on the thumbnails often uncovers web pages containing the original version of the video along with other uses of it.
The Ashley Madison hack has a lot of people running around like a bunch of headless chickens. The simple fact is, you cannot trust this data. Let me explain why this data must be treated with extreme caution.
Registration was free but you needed to buy credits to contact other members. Stolen credit card numbers appear in the data. Nobody has verified the number of real and active accounts. The website would allow new accounts to be set up without confirming the email; therefore, anyone could open an account using someone else’s name and email address as a prank or out of malice, and of course, the hackers could add names to the list before publishing it. This type of malicious prank is truly vicious in the 79 countries where homosexuality is illegal. For example, in Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, the punishment for homosexuality is death.
Here are my favorite headless chicken searches:
- Ashley Madison Email Search
- Ashley Madison Name & Address Search
- Ashley Madison Phone Number Search
As I make my way through the infernal regions of the Internet, I have had to start using new tools. The most disconcerting form of torment has been the change to Linux to avoid malicious code. This has forced me to start using alternatives to Microsoft Office for some work.
There is nothing more disconcerting than changing word processing software. Nothing is in the right place and productivity decreases dramatically. I’m not sure which of the two flavours of the open source alternatives I like best–I lean towards LibreOffice at this point.
Some people who don’t really work for a living will say it’s stupid to try to use Microsoft Office on Linux, but they don’t have to quickly produce reports on a daily basis. I have tried running MS Office 2010 (32 bit) with some success using Wine. This makes report creation easier and faster. However, this isn’t as stable as using LibreOffice–but that’s perdition for you.
Over the last couple of years we have seen a trend developing in the nether regions of the Internet that is changing how I conduct research. This netherworld is populated by malign crooks who create sites loaded with malicious code.
I now conduct a lot of research using fresh installs of Linux and the programmes that I need for each job. I conduct the research from behind my own anonymizing proxy and an assortment of VPNs. Browsers operate in a sandbox to prevent movement of malicious code from an attack site to other programmes on my machine.
This is a nasty environment. It takes time and experience to operate in this infernal region. In two years I have learned a lot, but most of all, I have learned how little I really know. The crooks are much further along the learning curve in this environment.
The mobile phone adaptor USB cable is a combination power-and-data connection that can expose your device to manipulation by some very unsavory characters. This practice is called Juicejacking and I have written about it before.
If you must recharge your mobile devices at a public recharging station then you need to practice safe recharging just like your high school health class recommended.
The USB Condom protects personal and private data stored on your mobile device while recharging. It transfers only power, not your data: it cuts off the data pins of a standard USB cable, preventing any data from transferring in either direction. It sells for $9.99. This is very hygienic.
However, you can abstain entirely and achieve the same results by using a power-only USB cable.
Recently, I had a run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.
This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update’ Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.
What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.
So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?
The best way to avoid this threat is as follows:
- Go to chrome://settings/content
- Scroll down to Media
- Select “Do not allow any sites to access my camera and microphone.”
This will disable Google’s Conversational Search, etc. but security will be increased.
I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.
I now use Comodo Dragon, which is based on the open-source Chrome browser; however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit; there may be more that I don’t know about.
I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.
The browser is the most used outward-facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day. Just visit the wrong web site and get remote-code execution.
In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it transmit data that can be used to thwart your investigation.
Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.
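As an added example, not part of the original post, a small Python audit that reads a Firefox prefs.js or user.js, reports which of the settings described above are missing or weaker than the hardened value, and emits a user.js that applies them. The pref names and values are my assumption about how Firefox stores these choices (plugin.default.state 1 is Ask to Activate, network.cookie.cookieBehavior 1 blocks third-party cookies, and media.navigator.enabled false is the Firefox counterpart of the camera and microphone switch described for Chrome above); the sample prefs.js is constructed.

```python
import re

# Hardened values (assumed mapping of Firefox pref names/values, not from the original post):
#   plugin.default.state: 0 = never activate, 1 = ask to activate, 2 = always activate
#   network.cookie.cookieBehavior: 0 = accept all, 1 = block third-party, 2 = block all
#   media.navigator.enabled: false denies web pages getUserMedia access to camera and mic
HARDENED = {
    "plugin.default.state": 1,
    "network.cookie.cookieBehavior": 1,
    "media.navigator.enabled": False,
}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw          # leave unknown literals untouched
    return prefs

def audit(prefs, hardened=HARDENED):
    """Return {pref: (current, expected)} for every hardened pref that is absent or differs.
    The type is compared too, so the integer 0 never passes for the boolean false."""
    findings = {}
    for name, expected in hardened.items():
        current = prefs.get(name)
        if type(current) is not type(expected) or current != expected:
            findings[name] = (current, expected)
    return findings

def render_user_js(values):
    """Emit user.js lines applying the given prefs (user.js overrides prefs.js at startup)."""
    def lit(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        return '"%s"' % v if isinstance(v, str) else str(v)
    return "".join('user_pref("%s", %s);\n' % (k, lit(v)) for k, v in values.items())

# Constructed sample of a default-ish profile: plugins always on, all cookies accepted.
SAMPLE_PREFS_JS = """// constructed sample, not a real profile
user_pref("plugin.default.state", 2);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.startup.homepage", "about:blank");
"""
```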
Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?
Getting out of Street View
Google Street View provides a great deal of data that can be used to plan an attack on a facility, a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.
At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.
Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some descriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”), which takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.
The Daily Mail newspaper in the UK reports that the receptionist who was subjected to a pretext call by two Australian DJs may have committed suicide.
In the call at 5.30am on Tuesday impersonating the Queen, Miss Greig said: ‘Oh, hello there. Could I please speak to Kate please, my granddaughter?’
Thinking she was speaking to the Queen, the receptionist replied: ‘Oh yes, just hold on ma’am’.
She then put the presenters through to one of the nurses who was caring for the Duchess.
The nurse also believed she was speaking to the Queen and went on to make a number of deeply personal observations about Kate’s health.
This prank/pretext was bragged about by the two Australian DJs. This no doubt subjected the receptionist to a lot of ridicule.
The Australian DJs violated two of the three rules for doing pretext calls.
The three rules:
- Do not personate a living person.
- Do not personate a representative of any existing company (or business) or anything to do with government.
- Do not cause anybody to be concerned for their own safety or the wellbeing of any person, business, company, or property.
When searching media articles, we find ourselves reporting more often on the tricks editors use to create guilt by association. It is important for the investigator to recognise and report the most common tricks used by editors to promote their social or political agendas. Bias in a news media article is as important as the content of the article.
The most common sly trick we see is the ways in which photo captions are used to support the editor’s social or political agenda after reporters have turned in an otherwise objective article.
The most common guilt by association Web trick is to run a news story immediately before, and with a link to, a story that supports the editor’s agenda.
Reporting on these editorial tricks is an important part of evaluating the data in the article.
High Risk Files
When doing IIR, I often come across files that I don’t want to handle for security reasons. These can be Word documents, PDF documents, PostScript, or even Gzipped PostScript files. These files may carry a load of malicious code. I sometimes don’t want any record of viewing the file on my computer. To accomplish this I must load these files remotely and safely so they don’t touch my system (the web cache should be disabled to accomplish true remote viewing of the file, as should the swap and home partitions, if the whole system isn’t encrypted).
Unless you verify each file through checksum verification (like MD5 or GPG) there’s a chance they could’ve been trojaned or the file may contain phoning home instructions or some other type of malicious feature within the file. If I don’t want to be recorded as a recipient of the file via something like ReadNotify then the file must be verified clear of such code or it must be viewed remotely.
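As an added example, not from the original post, a Python check of the kind described above: compare the file against a hash obtained out of band, then look for the PDF features that let a document act on open or reach out to the network, and clear it for local viewing only if both checks pass. The sample PDF is constructed, and the feature scan is a plain keyword scan of the sort pdfid performs, not a full PDF parser, so obfuscated names (for example hex-escaped characters) are not decoded.

```python
import hashlib
import hmac
import re

# Constructed sample PDF (not a real malicious file): minimal skeleton with an /OpenAction that
# runs JavaScript and a /URI action, the "phone home" style features the post warns about.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/beacon")) >> endobj
5 0 obj << /S /URI /URI (http://example.invalid/track) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF names that can make a document act on open, run code, or contact a server.
RISKY_PDF_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/URI",
                  b"/SubmitForm", b"/EmbeddedFile")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def checksum_matches(data, expected_hex):
    """Constant-time compare of the file's SHA-256 against a hash obtained out of band."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

def risky_pdf_features(data):
    """Count each risky PDF name (case-sensitive); the lookahead keeps /JS from matching /JavaScript."""
    counts = {}
    for key in RISKY_PDF_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if n:
            counts[key.decode()] = n
    return counts

def safe_to_view_locally(data, expected_sha256=None):
    """Return (ok, reasons). Cleared only if it matches the known hash (when one is available)
    and shows none of the risky features; anything else goes to the remote viewer instead."""
    reasons = []
    if expected_sha256 is not None and not checksum_matches(data, expected_sha256):
        reasons.append("checksum mismatch")
    if data.startswith(b"%PDF"):
        feats = risky_pdf_features(data)
        if feats:
            reasons.append("risky PDF features: " + ", ".join(sorted(feats)))
    return (not reasons, reasons)
```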
The Remote File Viewer
Managing risk is sometimes akin to a black art because it involves predicting future events. By the time I get a mandate, things have started to happen and the client wants a quick resolution to his torment. This always involves predicting the adversaries next move and planning your counter move.
A recent engagement began after some libelous Internet posts. What struck me was that the libel was directed at people who had no direct interest in the libeled company, but rather at a low income neighbourhood near its main plant. This agitating of nearly forgotten resentments, fanning of hostilities, and exaggerating of a controversy from decades past struck a chord in me. It was like a nearly forgotten memory that I couldn’t bring out of the shadows.
After analyzing pamphlets, flyers, and Internet material, it struck me what I was witnessing.
Very quickly a small group of organisers began recruiting local groups to the ill-defined cause — churches, unions, politicians, and an assortment of unsavory gadflies. This was quickly followed with events that were obviously intended to goad the company into rash actions and statements. A so-called news reporter ambushed a senior executive at a charity event and began asking slanderous questions intended to elicit an angry and intemperate response.
What I was witnessing came straight out of Rules for Radicals, written by Saul Alinsky in 1971, which begins, “Lest we forget at least an over-the-shoulder acknowledgment to the very first radical: from all our legends, mythology, and history… the first radical known to man who rebelled against the establishment and did it so effectively that he at least won his own kingdom — Lucifer.”
Fortunately, I had read a lot of 60’s and 70’s radical literature at one point in my career. Being older and more cynical I realised that this would evolve into a shake-down to acquire something from the company unrelated to the needs of the community. With that expectation, substantial resources were used for surveillance, lawyers, and police involvement.
Surveillance identified vandals and organisers. Police interrogated. Lawyers sued. Prosecutors prosecuted. One Rochdale College educated con man turned crooked property developer is now on the lam after being exposed as the “brains” behind the scheme. It looks like he won’t get his kingdom any time soon.
I recommend reading Rules for Radicals first, and then proceeding to Reveille for Radicals as these books are as relevant today as they were when they were written. The tactics and strategies are relevant for today’s G20 ruckus as they were in the 50’s and 60’s. I don’t want to change the world, but I like to know how other people try to.
Two articles on the Brand Killer Robots blog drew my attention. Not because the data offered anything new, but that Stephen Ryan was able to create a bot to clearly show that insiders, employees, and former employees are the most likely to launch cyber attacks.