Apple or Bust

My Linux experience seems to match that of Darryl Daugherty (@DarrylDaugherty), an IT start-up survivor turned commercial investigator and OSINT operator in Bangkok, Thailand. Like Darryl, with Linux I spent too much time configuring and patching while never knowing what would break next. The Apple is easier to live with: set it up once, harden it, and get to work.

I have been learning how to use the Apple computers for IIR. Thanks to many friends like Darryl who have used them for years, I feel like I am in good hands.

To avoid expensive errors while learning, I’m starting with a refurbished Mini made after 2010. These older models will upgrade to current versions of OS X (El Capitan) and they continue to enjoy Apple Software Updates.

You may ask, why a refurbished machine? The answer is simple: if I buy from Apple, I get a full warranty on the machine. If I make a horrendous mistake in some security settings and modifications and permanently lock myself out of the machine (for example, by not keeping the FileVault 2 recovery key), then it won’t cost so much to start over.

The Darknet & Freenet

Freenet is like BitTorrent with web sites. Freenet is an anonymous peer-to-peer data-sharing network where uploaded data is assigned a unique key, then broken up into small, encrypted chunks which are scattered across multiple computers on the network.

When someone wants a document, photograph or some other data, they “fetch” it from the network using the unique key assigned to that data. The fetch requests are routed through intermediary computers that don’t house the requested data. This ensures that no single computer on the network knows the contents of any individual data file.

With the Freenet client running on your PC, you can use most web browsers to browse files and websites (AKA freesites) on Freenet. The client lets you open the Freenet welcome page in your normal browser. From this welcome page, you can move on to browse Freenet, chat on Freenet forums, and communicate with other Freenet users.

Freenet has a darknet mode (AKA friends-only mode) for maximum privacy. In darknet mode, you connect to Freenet through trusted associates with whom you exchange encryption keys, which makes it difficult for anyone to track your movements on Freenet or even that you’re using Freenet. Of course, funneling your Freenet access through a handful of trusted associates may create a traffic bottleneck that slows response times. To avoid this, get five or ten friends to join up with you so you can fetch Freenet websites and files at greater speed.

Don’t expect this to provide total anonymity if you are doing something that is illegal or a risk to national security. Freenet has been infiltrated by police agencies that have created their own Freenet nodes to deanonymize users. You can be certain that national intelligence agencies have done the same.

Disk Encryption

TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure after Microsoft ended support for Windows XP. It was the most popular application of its type and was widely used to communicate securely and to encrypt sensitive files or folders. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.

Unfortunately, in the Windows 10 Home edition, the full-disk BitLocker encryption must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. With this arrangement, theoretically, a third party could decrypt your drives remotely. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.

Under such circumstances, users should stay away from both TrueCrypt and BitLocker and shift to some other free file encryption software.

VeraCrypt entered the market within months of TrueCrypt’s demise and seems to be the best of the alternatives. There are other free TrueCrypt alternatives such as AESCrypt, FreeOTFE, and DiskCryptor. Here are the download sites for the alternatives:

Confidential File Transfers

Google Drive and Dropbox don’t provide privacy. OnionShare is an open-source program that lets you send big files via Tor. When you use it to share a file, it creates a Tor hidden service, which is a temporary and anonymous website hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it using their Tor Browser. The person receiving the file doesn’t need OnionShare; all they need to do is open the URL you send them in Tor Browser to download the file.

For now it only runs as a bare-bones command-line tool on the Tor-based operating system Tails, which can be launched on Windows or Mac machines.

If you’re trying to send a secret file then it’s important to send this URL secretly. I recommend you use Off-the-Record encrypted chat to send the URL. This provides an end-to-end encrypted conversation over services like Google Talk and Facebook chat that prevents Google or Facebook from having access to the contents of your conversation.

Windows Error Reporting Risk

Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP. However, we now know that it may send Microsoft unencrypted personally identifiable information contained in memory and application data, which may make you vulnerable to attack. WER is turned on by default. From Windows 8 on, WER may use TLS encryption.

The Snowden leaks described how the U.S. National Security Agency intercepts the unencrypted WER logs to fingerprint machines, much as some malware does, in order to identify potential system, network and application weaknesses and execute attacks that move through an enterprise network. WER reports on more than Windows crashes. It reports hardware changes, such as the first-time use of a new USB device or mobile device. It sends time-stamp data, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier. This creates a blueprint of the applications running on a network that helps an attacker develop or execute attacks with little chance of detection.

This is only one example of the OS, applications, browsers, etc. leaking information that the investigator must be aware of when conducting investigative internet research.

To shut off WER in Windows 7, go to Control Panel > System and Security > Action Center > Change Action Center settings > Related settings > Problem reporting settings. The selections “Each time a problem occurs, ask me before checking for solutions” and “Never check for solutions” disable WER. Choosing “Never check for solutions” will fully disable error reporting in Windows 7.
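The Control Panel path above is the Windows 7 way; on any Windows version the same setting can be audited and applied from the registry. The following PowerShell script is an added example, not part of the original post. It assumes the documented REG_DWORD value `Disabled` (1 = WER off) under the machine-wide, per-user and Group Policy WER keys, and that the policy key overrides the others.

```powershell
# Added example: audit (and optionally apply) the Windows Error Reporting
# "Disabled" registry setting. Assumption: REG_DWORD "Disabled" = 1 turns WER
# off; the Policies key wins over the machine and user keys when it is set.
# Run as Administrator when using -Disable, since HKLM is written.
param([switch]$Disable)

# Keys checked, most authoritative first (the Policies key is set by Group Policy).
$werKeys = [ordered]@{
    'Policy (machine)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
    'Machine'          = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
    'Current user'     = 'HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
}

function Get-WerDisabledValue {
    # Returns the integer "Disabled" value at $Path, or $null if key/value is absent.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Disabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Disabled
}

$effective = 'enabled (default)'
foreach ($name in $werKeys.Keys) {
    $value = Get-WerDisabledValue -Path $werKeys[$name]
    if ($null -eq $value) { $state = 'not set' }
    elseif ($value -eq 1) { $state = 'disabled' }
    else                  { $state = 'enabled' }
    Write-Output ('{0,-18} {1}' -f $name, $state)
    # First key (in precedence order) that is explicitly set decides the effective state.
    if ($null -ne $value -and $effective -eq 'enabled (default)') {
        $effective = if ($value -eq 1) { 'disabled' } else { 'enabled' }
    }
}
Write-Output ("Effective WER state: $effective")

if ($Disable) {
    $machineKey = $werKeys['Machine']
    if (-not (Test-Path -Path $machineKey)) { New-Item -Path $machineKey -Force | Out-Null }
    Set-ItemProperty -Path $machineKey -Name 'Disabled' -Type DWord -Value 1
    Write-Output 'Wrote Disabled = 1 under the machine WER key; sign out or reboot to be sure it takes effect.'
}
```

Run it without arguments to see which keys are set, and with `-Disable` from an elevated prompt to turn WER off machine-wide.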


Secured URL

Secured URL allows you to encrypt a URL with a password. It works like TinyURL.

Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email. It’s best to send passwords to one email address and the encrypted content to another email address.

I can think of many uses for Secured URL where confidentiality is required.

Rule Three — Secure Instant Messaging

Both Yahoo and Google offer an encryption option in their IM clients, but they have full access to the original content as they handle the encryption.

Your best bet for secure IM communication is to use Pidgin for Windows or Adium for Mac OS X. Both programs offer encryption using 256-bit AES that is applied before the message is sent through the IM service. They work with all major IM servers and offer other useful features:

Rule Three – Privacy & Security for Email

For low-risk communications, using web-based “secure” e-mail services that encrypt your messages before sending might be reasonable. However, when a third-party service or server is used, the email isn’t really secure. If the email represents a low risk to the sender, then some security is better than no security. Some “secure” email services to check out:

The best solution is to encrypt messages yourself before sending them. This can easily be done using MEO Encryption which can be used with your existing e-mail provider. The message can be sent as a self-extracting executable file so that the recipient doesn’t need any software to open the message. The sender will need to communicate the password to the recipient.

Another encryption option is a public-key system like PGP. This is much more secure. However, Symantec now owns this, which means it will become difficult to use and expensive. Managing the keys is the problem with any public-key encryption, but it is the most secure if used properly. If a public-key system is used, everybody needs to learn how to use it and how to find and control the public keys.

Rule Three – Privacy & Security in Communications

Rule #3, always use encryption when communicating.

Secure Communication

Every e-mail message will go through numerous servers before it is delivered. At any step in that route the message may be read or copied. Rule #1, “if you don’t want it overheard or read, don’t say or write it,” might be your best course of action. If the risks involved warrant exchanging the information by email or another internet-based method, then you can start with file exchanges.

Using an encrypted third party service adds an unknown level of risk, so I just don’t use such services.

File Exchange

To exchange encrypted files with others, there are some free solutions that offer encryption. However, the recipient also needs the same software along with the password to decrypt the files, unless the encrypted file is a self-extracting file like the ones produced by MEO Encryption.

The next article in this series will deal with email communications.

Rule Two – Privacy & Security

If you are starting to employ encryption for the first time on a computer, then you must do so on drives that do not have any readable data. Specialised software exists to examine hard drives and extract otherwise invisible data. This can also be done if the drive has been overwritten up to seven times. Copies of what you want to protect might be sitting there for the data thief or other snoop to read.


The Three Rules of Privacy & Security

I am not a data security expert, but I have spent many hours a day for almost two decades using the internet and watching it evolve. During that time, I have also observed the growing number of snoops monitoring everything we do when we communicate and conduct research.

The following should help you maintain the small amount of privacy we have left when it comes to the data on our computers and in our online activities. However, there is no such thing as absolute privacy or security. Encryption can be broken if enough resources are committed to the effort.

There are three rules regarding privacy and security for computer and internet users:

  1. if you don’t want it overheard or read, don’t say or write it
  2. always start using disk encryption on an utterly clean machine, and
  3. always use encryption when communicating.

The first rule should be obvious, but I am always surprised at how lazy, thoughtless, and undisciplined people can be.

The second rule is a necessity. Erasing files or formatting a drive does not remove the data from the hard drive. If it is a flash drive, then there is no effective way to remove the data.

If your machine has a normal hard drive, then use Boot and Nuke. Create a CD or DVD from the downloaded .iso file, and then re-boot using that disc to wipe the hard drive clean to DoD/NSA overwriting standards.

If you simply encrypt data already on the hard drive, then remnants of the data may still be readable on the drive. The next article will deal with encrypting a large number of files or drive partitions.

Asymmetric Warfare & Business Continuity

In a previous article, I wrote about a system that created a single point of failure. In a strategic sense, computers and IT as a whole have become a single point of failure in both government and industry.

Chinese military leaders call automation the great equalizer, since their enemies depend heavily upon computers. An effective attack upon the enemy’s IT infrastructure provides an immediate and disproportionate impact, which is the core concept of asymmetric warfare.

This asymmetry benefits the attacker, regardless of his motives or methods.

This Message Will Self-Destruct

This Message Will Self-Destruct offers the ability to send an encrypted email-like message to another person, either with or without a password. As a reassurance that your message is secure, it’s never stored with TMWSD. The optional password salts the encryption key for even more security.

Once you have entered your message and clicked on SAVE THIS MESSAGE, you will be given a URL to pass on to the recipient. When the intended recipient reads your message (with or without the password you may have given them), the encrypted message is deleted forever. If you lose the password, your message is also lost!

Secret Squirrel

Concealing one’s activities on the Web is something every investigator should understand. You should understand this for your own use and to understand how these techniques may deny you needed information. Yet using these techniques may also mark you as an undesirable in some circumstances.

The following are methods used to obscure Internet traffic and avoid IP blacklists and content filters.
