Recently, I had run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.
This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update” Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.
What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.
So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?
The best way to avoid this threat is as follows:
- Go to chrome://settings/content
- Scroll down to Media
- Select “Do not allow any sites to access my camera and microphone.
This will disable Google’s Conversational Search, etc. but security will be increased.
I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.
I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.
I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.
The browser is the most used outward facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds-up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day-Just visit the wrong web site and get remote-code execution.
In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it to transmit data that can be used to thwart your investigation.
Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.
To create my everyday fortress Firefox, I use the following:
For more anonymity, privacy, and security, I do the following to my instance:
- To preserve privacy, I use a VPN.
- To preserve anonymity, I use Tor to connect to an anonymous VPN.
- To maintain security, I work from a Virtual Machine hosted by a different OS on a clean machine.
If you aren’t doing the same, then you don’t know what is on your PC and what it might be doing to work against you. There are a lot of bad actors out there trying to insinuate malware onto as many machines as possible. If you are using your PC to gather evidence, malware can destroy the integrity of everything you collect.
Conducting Investigative Internet Research is not as easy as it might seem. There is more to it than doing a few poorly structured Google searches. You need to understand how to create a clean machine that will pass muster under S. 31 Canada Evidence Act. You must prevent all your research, and your identity, from ending-up in the hands of the very people that you are investigating. This happens. I have to believe that it happens often but isn’t recognised by most investigators. Would you know if your machine had a trojan like FinSpy? Do you know how to prevent the installation of something like FinSpy? Do you know how to get rid of it?
If you frequent bad internet neighbourhoods, then you will encounter bad people doing bad things, and they will try to do bad things to you.
Your search and browsing behaviour allows Google to personalise your search results. To escape this filtering of your results use a private browser window called incognito as it is called in Chrome. Google will then ignore tracking and search cookies to stop personalising your results. To get a private browser or incognito window use the following key combinations:
- Chrome – Ctrl+Shift+N
- FireFox – Ctrl+Shift+P
- Internet Explorer – Ctrl+Shift+P
I have found that this approach doesn’t work with Bing.
I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.
At another table, I notice something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.
Do you know what the WiFi Pineapple can do?
Surveillance & the WiFi Pineapple
The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.
From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.
All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.
The simplest protection is the best. Shut-off the WiFi on your portable device. Use WiFi in secure environments only.
Bitcoins have interested me of late as I am writing my next book which is about issues of security, privacy, and anonymity while doing investigative internet research. Continue reading ‘Taking Bitcoins to the Laundry’
Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP. However, we now know that it may send Microsoft unencrypted personally identifiable information contained in the memory and application data that may make you vulnerable to attack. WER is turned on by default. WER from Windows 8 may now use TLS encryption.
The Snowdon leaks described how the U.S. National Security Agency intercepts the unencrypted WER logs to fingerprint machines like some malware to identify potential system, network and application weaknesses to execute attacks that move through an enterprise network. WER reports on more than Windows crashes. It reports hardware changes, such as the first-time use of a new USB device and mobile devices. It sends time-stamp data, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier. This creates a blueprint of the applications running on a network to help an attacker develop or execute attacks with little chance of detection.
This is only one example of the OS, applications, browsers, etc. leaking information that the investigator must be aware of when conducting investigative internet research.
To shut-off WER in Windows 7 go to Control Panel>System and Security>Action Center>Change Action Center settings>Related settings>Problem reporting settings. The selections for “Each time a problem occurs, ask me before checking for solutions” and “Never check for solutions” disable WER. Choosing Never check for solutions will fully disable error reporting in Windows 7.
An article titled, Tim Hortons apologizes for blocking gay and lesbian news website by The Canadian Press on Friday, July 19, 2013 caught my attention. Tim Hortons is a popular Canadian coffee shop chain.
The online site of a popular paper that caters to the gay community was blocked by the coffee shop chain as “not appropriate for all ages viewing in a public environment.”. Once the outrage got going, Tim Hortons relented and changed its WiFi network policy.
What has all this got to do with Investigative Internet Research (IIR), you ask? Well, think about it. We often work while on the road and that means doing some aspects of IIR in places like coffee shops.
When you do IIR outside your normal work environment, different rules apply. How do you know what the WiFi network allows and what it doesn’t? How do you know if some things are censored and others are not? How do you know that your results are complete?
Now do you understand the dangers that doing this presents? I haven’t even mentioned the security issues.
Secured URL allows you to encrypt a URL with a password. It works like TinyURL.
Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email. It’s best to send passwords to one email address and the encrypted content to another email address.
I can think of many uses for Secured URL where confidentiality is required.
File erasure is something every Investigator needs to consider. Investigators collect a lot of data that never makes into a report. Sometimes that data is irrelvant or something that cannot be reported. That stuff should not be left hanging around to be recovered later and then missused. Some form of file erasure software should be used to make it unrecoverable.
Some examples of file erasure software:
Google isn’t a search engine — it’s an advertising engine. Google makes its money from advertising. You may have noticed that the advertisments that appear on your Google search results page is related to what you are searching.
Some of this advertising results from cookies placed on your computer. If you use Gmail, it is even more intrusive as each email is read, and you get ads associated with the content of your email. This is a good business strategy for Google but intrudes upon the user’s privacy. You should shut-off the collection of web history in your Google account. To do this sign into your Google account and then go to http://google.com/history. Once there, click on Remove all Web History and then click on Pause to stop further collection of your web history. There is also a way to rid yourself of the intrusive monitoring of you normal web searching.
Google uses DoubleClick to monitor your web browsing. To eliminate this monitoring go to http://google.com/ads/preferences/plugin and download this small file for each browser that you use. The instalation prceedure will vary with each browser. This file won’t disappear when you use a file wiping program to clearout all the trash web browsing accumulates.
Most people give up a frightening amount of information in a very short period of time during their social interactions, both on social media and in person. Marital status, children, hometowns, schools, and more are the nuggets of information given out which can end-up in the wrong hands.
Safe topics for making conversation with strangers is not your job, but rather a “safe” hobby, like woodworking, sports, or local history. It’s good to avoid politics and religion.
Most privacy conscious Investigators create a throwaway profile. They learn about something that is not related to their identifying features – cooking, gardening, fishing, etc. – and know enough to pass as a amateur enthusiast. This becomes the first-contact profile used to evaluate a stranger.