Archive for the 'Security' Category

Page 2 of 9

ICANN Wants to Close Whois

A working group for Internet regulators at ICANN wants to close all Whois databases. They what to force anybody needing this data to grovel before them before granting access. They are trying to centralize global control over a key component of the Internet. WHOIS allows you to find out who owns a domain name. Without this data, fraud and other crimes will become easier to commit and harder to solve.

Contingency Planning

Recently, I wrote about the dangers of government action when preparing for adverse conditions. While conducting some research on this topic for a planning document I came across a couple of interesting examples.

In the old Soviet Union during the Chernobyl reactor catastrophe, it became illegal for an ordinary citizen to possess any type of radiation meter.  I came across reports that Japanese police confiscated radiation meters from citizens who were taking their own measurements after the Fukushima disaster.

Perhaps I should have recommended that the client read Fuller’s The Day We Bombed Utah.

Threat Spirals

Security professionals undertake planning in relation to threat spirals. As a threat escalates, it inspires new defensive countermeasures. The security professional endeavors to get inside an opponent’s threat spiral. This means anticipating the next escalation and instituting countermeasures that insulate his principal from the future threat. Getting inside an opponent’s threat spiral requires tools, technology, and manpower.

Some form of surveillance usually precedes attacks against people and facilities. This hostile effort will include research using open sources, social engineering, and both technical and physical surveillance.

Surveillance Detection

One powerful tool to get inside the threat spiral is surveillance detection. Hostile surveillance is a precursor to attack – recognising the surveillance activity gets you inside the opponent’s threat spiral.

OPSEC and Business Continuity

Operational Security (OPSEC) is the first consideration when preparing for adverse conditions.

In Canada, I always advise clients to read the Emergencies Act (R.S.C., 1985, c. 22 (4th Supp.)), Section 8  carefully before they take any action or commit to any preparations. The same applies to any individual preparations. Section 8 (1)(c) allows public officials carte blanche to loot your storehouse of supplies during a declared emergency. The provinces have similar legislation, for example, in Ontario it is the Emergency Management and Civil Protection Act, R.S.O. 1990, c.E.9. Politicians wrote all of these acts so that the government can always find a ‘legal’ way to do whatever it wants to do. This problem isn’t unique to Canada. During Hurricane Sandy, so called ‘First responders’ broke into Shore Army-Navy in Seaside Heights and looted it for supplies. During Hurricane Katrina, officials in New Orleans went further, and according to many accounts, committed armed robbery. In the face of armed troops or police, you will be helpless to prevent such looting. Of course, when government is the looter, they get a free pass from government lawyers and politicians.

Undertaking business continuity planning requires a very high degree of OPSEC given the propensity of governments, rioters, and criminals to take what they want. This leads to the question, what are the OPSEC requirements of business continuity planning?

I always advise that all business continuity (BC) assets be separated geographically, and in other ways, from the business they serve. Transfer ownership of BC assets to  obscure sole-purpose subsidiaries. For example, one entity owns the BC site while another buys the supplies and equipment. Yet another entity takes delivery of the supplies at an unrelated location. Execute all the BC planning and implementation on a strict need-to-know basis. The quick dissemination of the BC plan during an emergency must occur on a need-to-know basis. The employees only get the information they need to accomplish their part of the plan. Large-scale rehearsals should not reveal the actual location of the real BC site. To reveal the location of the BC site to all those involved in the rehearsal invites the looting of the site long before it is needed. Experience dictates the use a rented property in the general area of the real BC site for rehearsals.

These considerations are not irrational paranoia for any business located in an area subject to catastrophic disruptions such as riots, protests, natural disasters, or terrorist attack. Discontinuing business activity during such an upheaval is surrendering to these adverse forces.

Risk Assessment Adventure: When Havoc Strikes

Business Continuity

Awhile back I wrote about one of my adventures in risk assessment.  This involved identifying the risks to a Business Continuity site located in a rural area outside a large metropolitan area.

When Havoc Strikes

What happens to Spot when havoc strikes?

The U.S. Humane Society say that 46% of U.S. households own at least one dog and there are 78.2 million dogs owned. In the Canadian Census of 2006 there were 6,070,783 dogs in Canada.

Feral Dogs

After a prolonged catastrophic event, feral dogs will form packs and begin to hunt. They have all the tools they need — fangs, claws, and a fur coat to keep warm. Feral dogs will interbreed with other canids.  Over time, you will encounter dog-wolf and dog-coyote hybrids. The domestic dog ancestry will ensure that they are not afraid of man, and their offspring will inherit this trait.

Feral dogs have better noses, better ears, and sharper teeth than humans. Their reflexes are faster, they possess better protection from the elements, and they move through the environment in near silence. They will attack as a pack and they will do so silently. Their arsenal includes stealth and surprise. When they don’t fear us, we are at a disadvantage.

Solutions

The dog pack will be hunting you. You’re not the hunter, you’re prey. How good is your gun-handling? Can you hit a 2 foot tall predator charging at you?  How about several of them at once?

Security in such a situation will entail modified small unit tactics, marksmanship, and muzzle control. This client took our advice on training and on-site rehearsals. Twelve bore shotguns and 30-30 lever-action rifles won’t get a doomsday prepper’s heart racing, but they get the job done safely when combined with proper training, rehearsals, and forethought.

Note: This article about an attack by a pack of feral dogs appeared in one of my news feeds:
Houston woman in critical condition after pack of 15 dogs attack

This clearly illustrates how dangerous a pack of feral dogs can be. Even feral cats can inflict dangerous wounds as illustrated by this article:

Warning to tourists in France after attack by feral cats

 

Hazardous Material

The Emergency Response Guidebook published jointly by the Canadian Department of Transportation, Mexican Transportation agencies, and the USDOT lets you identify the hazardous contents of pipelines, trucks, or trains from the placards on the side of the tanker, rail car, or pipeline. The guide lists specific hazards and evacuation distances for spills or fires. However, it doesn’t provide any spill/fire/explosion protocols.

If you are around hazardous materials and their transport conveyances then you need this guidebook.

Tim Horton’s & Investigative Internet Research

An article titled, Tim Hortons apologizes for blocking gay and lesbian news website by The Canadian Press on Friday, July 19, 2013 caught my attention. Tim Hortons is a popular Canadian coffee shop chain.

The online site of a popular paper that caters to the gay community was blocked by the coffee shop chain as “not appropriate for all ages viewing in a public environment.”. Once the outrage got going, Tim Hortons relented and changed its WiFi network policy.

What has all this got to do with Investigative Internet Research (IIR), you ask? Well, think about it. We often work while on the road and that means doing some aspects of IIR in places like coffee shops.

When you do IIR outside your normal work environment, different rules apply. How do you know what the WiFi network allows and what it doesn’t? How do you know if some things are censored and others are not? How do you know that your results are complete?

Now do you understand the dangers that doing this presents? I haven’t even mentioned the security issues.

Secured URL

Secured URL allows you to encrypt a URL with a password. It works like TinyURL.

Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email.  It’s best to send passwords to one email address and the encrypted content to another email address.

I can think of many uses for Secured URL where confidentiality is required.

What’s in an Employee Number

I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveilance photographs any more, just muddy images taken from video.

This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 mp full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.

The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the defacto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information flood gates opened.

Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing a authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked throughout he front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.

Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.

File Erasure

File erasure is something every Investigator needs to consider. Investigators collect a lot of data that never makes into a report. Sometimes that data is irrelvant or something that cannot be reported. That stuff should not be left hanging around to be recovered later and then missused. Some form of file erasure software should be used to make it unrecoverable.

Some examples of file erasure software:

How To Hide From Twitter

Lately, I have been working with clients who face serious security threats. Some of these people are surprised by what can be learned about them from internet searches. Removing this information is a challenge, especially from social media sites like Twitter.

Twitter presents an interesting challenge. Once you publish a Tweet, a lot of other websites take your Tweet and reproduce it in a database. Topsy, Snap Bird, the Library of Congress, and many others get in on the act.

Of course, you can delete your Twitter account, but your Tweets will live on in a third party database.

The best solution that I have found is to remove all the Tweets from your account rather than deleting the account itself. When some third party site comes to collect your tweets to update their database, they also overwrite or delete your old Tweets and replace them with nothing matching the empty Twitter profile.

Doing this also prevents some malicious adversary from waiting thirty days then opening a new account using your deleted Twitter account name. Of course, keeping the account also allows you to start using it for some subtle disinformation.

If your Twitter account has thousands of Tweets like mine does, then you need an automated deletion service.

Twit Wipe fits the bill. Provide the service with your Twitter password and set it lose. Once Twit Wipe has done its job, change the Twitter password.

After thirty days, you should start searching for the deleted Tweets to identify any sites that still have them. If they still exist on some sites after sixty days, then consider requesting their removal.

How To Hide from Google

Google isn’t a search engine — it’s an advertising engine. Google makes its money from advertising. You may have noticed that the advertisments that appear on your Google search results page is related to what you are searching.

Some of this advertising results from cookies placed on your computer. If you use Gmail, it is even more intrusive as each email is read, and you get ads associated with the content of your email. This is a good business strategy for Google but intrudes upon the user’s privacy. You should shut-off the collection of web history in your Google account. To do this sign into your Google account and then go to http://google.com/history. Once there, click on Remove all Web History and then click on Pause to stop further collection of your web history. There is also a way to rid yourself of the intrusive monitoring of you normal web searching.

Google uses DoubleClick to monitor your web browsing. To eliminate this monitoring go to http://google.com/ads/preferences/plugin and download this small file for each browser that you use. The instalation prceedure will vary with each browser. This file won’t disappear when you use a file wiping program to clearout all the trash web browsing accumulates.

The Throwaway Profile

Most people give up a frightening amount of information in a very short period of time during their social interactions, both on social media and in person. Marital status, children, hometowns, schools, and more are the nuggets of information given out which can end-up in the wrong hands.

Safe topics for making conversation with strangers is not your job, but rather a “safe” hobby, like woodworking, sports, or local history. It’s good to avoid politics and religion.

Most privacy conscious Investigators create a throwaway profile. They learn about something that is not related to their identifying features – cooking, gardening, fishing, etc. – and know enough to pass as a amateur enthusiast. This becomes the first-contact profile used to evaluate a stranger.

CITIZEN’S ARREST AND SELF-DEFENCE ACT

The Citizen’s Arrest and Self-defence Act comes into full force on March 11, 2013. The act may be found at http://laws-lois.justice.gc.ca/eng/AnnualStatutes/2012_9/FullText.html and some background on the act may be found at http://www.justice.gc.ca/eng/news-nouv/nr-cp/2012/doc_32762.html.

The Canada Gazette entry regarding the act coming into effect may be found at http://gazette.gc.ca/rp-pr/p2/2013/2013-02-13/html/si-tr5-eng.html.

Disconnect from Tracking

A browser extension for Firefox called Disconnect disables tracking by Google, Facebook, and Digg. The same firm provides the Collusion extension for Chrome and Safari that does the same thing.

Disconnect provides more more protection than the Do Not Track feature in the browser. Firefox, Internet Explorer (9 and later versions), and Safari have Do Not Track privacy options that you may enable. However, implementation of Do Not Track is voluntary on the part of the websites you visit. Disconnect and Collusion stops tracking on all sites.