An article titled, Tim Hortons apologizes for blocking gay and lesbian news website by The Canadian Press on Friday, July 19, 2013 caught my attention. Tim Hortons is a popular Canadian coffee shop chain.
The online site of a popular paper that caters to the gay community was blocked by the coffee shop chain as “not appropriate for all ages viewing in a public environment.”. Once the outrage got going, Tim Hortons relented and changed its WiFi network policy.
What has all this got to do with Investigative Internet Research (IIR), you ask? Well, think about it. We often work while on the road and that means doing some aspects of IIR in places like coffee shops.
When you do IIR outside your normal work environment, different rules apply. How do you know what the WiFi network allows and what it doesn’t? How do you know if some things are censored and others are not? How do you know that your results are complete?
Now do you understand the dangers that doing this presents? I haven’t even mentioned the security issues.
Secured URL allows you to encrypt a URL with a password. It works like TinyURL.
Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email. It’s best to send passwords to one email address and the encrypted content to another email address.
I can think of many uses for Secured URL where confidentiality is required.
File erasure is something every Investigator needs to consider. Investigators collect a lot of data that never makes into a report. Sometimes that data is irrelvant or something that cannot be reported. That stuff should not be left hanging around to be recovered later and then missused. Some form of file erasure software should be used to make it unrecoverable.
Some examples of file erasure software:
Google isn’t a search engine — it’s an advertising engine. Google makes its money from advertising. You may have noticed that the advertisments that appear on your Google search results page is related to what you are searching.
Some of this advertising results from cookies placed on your computer. If you use Gmail, it is even more intrusive as each email is read, and you get ads associated with the content of your email. This is a good business strategy for Google but intrudes upon the user’s privacy. You should shut-off the collection of web history in your Google account. To do this sign into your Google account and then go to http://google.com/history. Once there, click on Remove all Web History and then click on Pause to stop further collection of your web history. There is also a way to rid yourself of the intrusive monitoring of you normal web searching.
Google uses DoubleClick to monitor your web browsing. To eliminate this monitoring go to http://google.com/ads/preferences/plugin and download this small file for each browser that you use. The instalation prceedure will vary with each browser. This file won’t disappear when you use a file wiping program to clearout all the trash web browsing accumulates.
Most people give up a frightening amount of information in a very short period of time during their social interactions, both on social media and in person. Marital status, children, hometowns, schools, and more are the nuggets of information given out which can end-up in the wrong hands.
Safe topics for making conversation with strangers is not your job, but rather a “safe” hobby, like woodworking, sports, or local history. It’s good to avoid politics and religion.
Most privacy conscious Investigators create a throwaway profile. They learn about something that is not related to their identifying features – cooking, gardening, fishing, etc. – and know enough to pass as a amateur enthusiast. This becomes the first-contact profile used to evaluate a stranger.
A browser extension for Firefox called Disconnect disables tracking by Google, Facebook, and Digg. The same firm provides the Collusion extension for Chrome and Safari that does the same thing.
Disconnect provides more more protection than the Do Not Track feature in the browser. Firefox, Internet Explorer (9 and later versions), and Safari have Do Not Track privacy options that you may enable. However, implementation of Do Not Track is voluntary on the part of the websites you visit. Disconnect and Collusion stops tracking on all sites.
Stealth Search Engine
When I first looked at this search engine in November 2011, I wasn’t impressed at all — it didn’t even find me!
In April 2012 this is actually looking like a useful search engine. It now uses “Alpha SSL, a secure encryption, which helps prevent sending your search terms to sites you visit. The encryption protects your search from being leaked” and it doesn’t save your search history. The search results have improved because Stealth now uses Bing’s search API, Google’s Ajax API, Yahoo Boss, and does its own crawling. They even found me, at last!
The version without Java Script does not seem to work properly. A search for my name yields no results while the normal version yields results that I would expect.
Sealth seems to have been discontinued.
A good investigation can be derailed by tracking cookies. Disable cookies when doing an investigation. Here are some detailed instructions on how disable cookies in the most common web browsers:
Both Yahoo and Google offer an encryption option in their IM clients, but they have full access to the original content as they handle the encryption.
Your best bet for secure IM communication is to use Pidgin for Windows or Adium for the Mac OSX. Both programs have an encryption that uses 256-bit AES that is applied before the message is sent through the IM service. They work with all major IM servers and offer other useful features:
For low-risk communications using web-based “secure” e-mail services that encrypt your messages before sending might be reasonable. However, when a third-party service or server is used the email isn’t really secure. If the email represents a low risk to the sender, then some security is better than no security. Some “secure” email services to check out:
The best solution is to encrypt messages yourself before sending them. This can easily be done using MEO Encryption which can be used with your existing e-mail provider. The message can be sent as a self-extracting executable file so that the recipient doesn’t need any software to open the message. The sender will need to communicate the password to the recipient.
Another encryption option is an public-key system like PGP. This is much more secure. However, Symantic now owns this and that means it will become difficult to use and expensive. Managing the keys is the problem with any public key encryption, but it is the most secure if used properly. If a public-key system is used, everybody needs to learn how to use it and how to find and control the public keys.
Rule #3, always use encryption when communicating.
Every e-mail message will go through numerous servers before it is delivered. At any step in that route the message may be read or copied. Rule #1, if you don’t want it overheard or read, don’t say or write it, might be your best course of action. If the risks involved warrant exchanging the information by email or other internet-based method, then you can start with file exchanges.
Using an encrypted third party service adds an unknown level of risk, so I just don’t use such services.
To exchange encrypted files with others, there are some free solutions that offer encryption. However, the recipient also needs the same software along with the password to decrypt the files, unless the encrypted file is in a self extracting file like the ones produced by MEO Encryption.
The next article in this series will deal with email communications.
If you are starting to employ encryption for the first time on a computer, then you must do so on drives that do not have any readable data. Specialised software exists to examine hard drives and extract otherwise invisible data. This can also be done if the drive has been overwritten up to seven times. Copies of what you want to protect might be sitting there for the data thief or other snoop to read. Continue reading ‘Rule Two – Privacy & Security’
I am not a data security expert, but I have spent many hours a day for almost two decades using the internet and watching it evolve. During that time, I have also observed the growing number of snoops monitoring everything we do when we communicate and conduct research.
The following should help you maintain the small amount of privacy we have left when it comes to the data on our computers and in our online activities. However, there is no such thing as absolute privacy or security. Encryption can be broken if enough resources are committed to the effort.
There are three rules regarding privacy and security for computer and internet users:
- if you don’t want it overheard or read, don’t say or write it
- always start using disk encryption on an utterly clean machine, and
- always use encryption when communicating.
The first rule should be obvious, but I am always surprised at how lazy, thoughtless, and undisciplined people can be.
The second rule is a necessity. Erasing files or formatting a drive does not remove the data from the hard drive. If it is a flash drive, then there is no effective way to remove the data.
If your machine has a normal hard drive, then use Boot and Nuke. Create a CD or DVD from the downloaded .iso file, and then re-boot using that disc to wipe clean the hard drive to DoD/NSA over-writing standards.
If you simply encrypt data already on the hard drive, then remnants of the data may still be readable on the drive. The next article will deal with encrypting a large number of files or drive partitions.