Safe Recharging with a USB Condom

The mobile phone adaptor USB cable is a combination power-and-data connection that can expose your device to manipulation by some very unsavory characters. This practice is called Juicejacking and I have written about it before.

If you must recharge your mobile devices at a public recharging station then you need to practice safe recharging just like your high school health class recommended.

USB Condom

The USB Condom protects personal and private data stored on your mobile device while recharging. The USB Condoms only transfer power, not your data as it cuts off the data pins in a standard USB cable, preventing any data from transferring in either direction.  It sells for $9.99. This is very hygienic.

However, you can abstain entirely and achieve the same results by using a power-only USB cable.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Getting Out of Google

Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?

Getting out of Street View

Google Street View provides a great deal of data that can be used to plan an attack on a facility, a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.

At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.

Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some discriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) thing that takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.

Spys & Surveillance

I came across a book written during the Great War that has some good tips for the surveillance operator. It introduces the essentials of spycraft of a bygone era, but it remains particularly relevant to the Investigator who conducts surveillance operations.

The attitude that espionage is a sport in which the players appreciate and honor each other is truly misplaced, but the author’s observations about how to look like you belong in a place and about the key elements of disguise are timeless. The author’s description of how he gained access to critical installations to make observations are as relevant today as the Balkans in the 1890’s.

My Adventures as a Spy, By Lt. Gen. Sir Robert Baden-Powell, is an excellent short read.

 

 

Rule Three — Secure Instant Messaging

Both Yahoo and Google offer an encryption option in their IM clients, but they have full access to the original content as they handle the encryption.

Your best bet for secure IM communication is to use Pidgin for Windows or Adium for the Mac OSX. Both programs have an encryption that uses 256-bit AES that is applied before the message is sent through the IM service. They work with all major IM servers and offer other useful features:

Rule Three – Privacy & Security for Email

For low-risk communications using web-based “secure” e-mail services that encrypt your messages before sending might be reasonable.  However, when a third-party service or server is used the email isn’t really secure. If the email represents a low risk to the sender, then some security is better than no security.  Some “secure” email services  to check out:

Hushmail.com
S-mail.com
PrivacyHarbor.com
BurnNote.com

The best solution is to encrypt messages yourself before sending them. This can easily be done using MEO Encryption which can be used with your existing e-mail provider. The message can be sent as a self-extracting executable file so that the recipient doesn’t need any software to open the message. The sender will need to communicate the password to the recipient.

Another encryption option is an public-key system like PGP. This is much more secure. However, Symantic now owns this and that means it will become difficult to use and expensive. Managing the keys is the problem with any public key encryption, but it is the most secure if used properly. If a public-key system is used, everybody needs to learn how to use it and how to find and control the public keys.

Rule Three – Privacy & Security in Communications

Rule #3, always use encryption when communicating.

Secure Communication

Every e-mail message will go through numerous servers before it is delivered. At any step in that route the message may be read or copied. Rule #1, if you don’t want it overheard or read, don’t say or write it, might be your best course of action. If the risks involved warrant exchanging the information by email or other internet-based method, then you can start with file exchanges.

Using an encrypted third party service adds an unknown level of risk, so I just don’t use such services.

File Exchange

To exchange encrypted files with others, there are some free solutions that offer encryption. However, the recipient also needs the same software along with the password to decrypt the files, unless the encrypted file is in a self extracting file like the ones produced by MEO Encryption.

The next article in this series will deal with email communications.

Rule Two – Privacy & Security

If you are starting to employ encryption for the first time on a computer, then you must do so on drives that do not have any readable data. Specialised software exists to examine hard drives and extract otherwise invisible data. This can also be done if the drive has been overwritten up to seven times. Copies of what you want to protect might be sitting there for the data thief or other snoop to read.

Read more

The Three Rules of Privacy & Security

I am not a data security expert, but I have spent many hours a day for almost two decades using the internet and watching it evolve. During that time, I have also observed the growing number of snoops monitoring everything we do when we communicate and conduct research.

The following should help you maintain the small amount of privacy we have left when it comes to the data on our computers and in our online activities. However, there is no such thing as absolute privacy or security. Encryption can be broken if enough resources are committed to the effort.

There are three rules regarding privacy and security for computer and internet users:

  1. if you don’t want it overheard or read, don’t say or write it
  2. always start using disk encryption on an utterly clean machine, and
  3. always use encryption when communicating.

The first rule should be obvious, but I am always surprised at how lazy, thoughtless, and undisciplined people can be.

The second rule is a necessity. Erasing files or formatting a drive does not remove the data from the hard drive. If it is a flash drive, then there is no effective way to remove the data.

If your machine has a normal hard drive, then use Boot and Nuke. Create a CD or DVD from the downloaded .iso file, and then re-boot using that disc to wipe clean the hard drive to DoD/NSA over-writing standards.

If you simply encrypt data already on the hard drive, then remnants of the data may still be readable on the drive. The next article will deal with encrypting a large number of files or drive partitions.

Asymmetric Warfare & Business Continuity

In a previous article, I wrote about a system that created a single point of failure. In a strategic sense, computers and IT as a whole have become a single point of failure in both government and industry.

Chinese military leaders call automation the great equalizer, since its enemies heavily depend upon computers. An effective attack upon their enemy’s IT infrastructure provides an immediate and disproportionate impact which is the core concept of asymmetric warfare.

This asymmetry benefits the attacker, regardless of his motives or methods.

The Olde Ways

I was summoned to a meeting with a client. The client firm is over a century old. This successful firm has learned a thing or two about security.

I was asked to surrender my electronic gadgets. Being of the old school, I had none. This pleased the gatekeeper. I was led to a room furnished with only a curious table and four old wooden bankers chairs. No telephone, no electrical outlets, one florescent light fixture above the table.  The gatekeeper had to unlock the room. She then waited at the open door until my contact arrived.

My contact enters and places pieces of chalk and a chalkboard eraser on the the table. Most of the table top is painted with chalkboard paint.

We eventually compose a handwritten Memorandum of Agreement regarding the engagement, sign it, and off we go.

These people understand the rules, especially Rule #1 — If you don’t want it overheard, don’t say it. But I must admit, I have never seen a “Magic Slate” table before.

Corporate blogging passed off as independent newsgathering

Masquerading as an independent blogger might seem like an easy way to gather some intel, at least until you are exposed as this guy was.

Corporate Blogger, or Corporate Espionage?

Doug Cantwell, a Boeing spokesman who attended a recent industry symposium as an “independent blogger.” By passing himself off as a blogger — and not as a Boeing employee — Cantwell stirred up a controversy that could have serious implications for both companies that want to experiment with social media — and for reporters who work in the new medium.

your job will be much harder when you have to persuade someone that, yes, your blog  is a legitimate, independent news outlet and no, you’re not masquerading as a reporter for the purposes of collecting intel, corporate or otherwise.

when traditional journalism jobs — particularly in newspapers — are rapidly disappearing. A venture like Defensedialogue.com, it seems, opens the door to more cynical operators who are willing to blur the lines between journalism and other lines of business.