Recently, I had a run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.
This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update’ Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.
What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.
So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?
The best way to avoid this threat is as follows:
- Go to chrome://settings/content
- Scroll down to Media
- Select “Do not allow any sites to access my camera and microphone.”
This will disable Google’s Conversational Search, etc. but security will be increased.
I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.
What I now use is Comodo Dragon, which is based on the open-source Chrome browser; however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit; there may be more that I don’t know about.
I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of FinSpy.
The browser is the most used outward-facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: “Microsoft warns of critical IE9, IE10 zero-day: Just visit the wrong web site and get remote-code execution.”
In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it transmit data that can be used to thwart your investigation.
Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.
To create my everyday fortress Firefox, I use the following:
For more anonymity, privacy, and security, I do the following to my instance:
- To preserve privacy, I use a VPN.
- To preserve anonymity, I use Tor to connect to an anonymous VPN.
- To maintain security, I work from a Virtual Machine hosted by a different OS on a clean machine.
If you aren’t doing the same, then you don’t know what is on your PC and what it might be doing to work against you. There are a lot of bad actors out there trying to insinuate malware onto as many machines as possible. If you are using your PC to gather evidence, malware can destroy the integrity of everything you collect.
Conducting Investigative Internet Research is not as easy as it might seem. There is more to it than doing a few poorly structured Google searches. You need to understand how to create a clean machine that will pass muster under S. 31 Canada Evidence Act. You must prevent all your research, and your identity, from ending up in the hands of the very people that you are investigating. This happens. I have to believe that it happens often but isn’t recognised by most investigators. Would you know if your machine had a trojan like FinSpy? Do you know how to prevent the installation of something like FinSpy? Do you know how to get rid of it?
If you frequent bad internet neighbourhoods, then you will encounter bad people doing bad things, and they will try to do bad things to you.
I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.
At another table, I noticed something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.
Do you know what the WiFi Pineapple can do?
Surveillance & the WiFi Pineapple
The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.
From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.
All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.
The simplest protection is the best. Shut off the WiFi on your portable device. Use WiFi in secure environments only.
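An added example, not part of the original post: a small Python audit of saved Wi-Fi profiles, the list of names the post says a device discloses. It assumes a Linux host running NetworkManager with keyfile profiles; the sample profiles and every network name in them are constructed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (real ones
# live under /etc/NetworkManager/system-connections/); all names invented.
SAMPLES = {
    "home": "[connection]\nid=HomeNet\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "hotel": "[connection]\nid=Hotel\ntype=wifi\n[wifi]\nssid=Hotel_Lobby_Guest\n",
    "office": "[connection]\nid=Office\ntype=wifi\n[wifi]\nssid=OfficeHidden\n"
              "hidden=true\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "airport": "[connection]\nid=Airport\ntype=wifi\nautoconnect=false\n"
               "[wifi]\nssid=Airport_Free\n",
    "dock": "[connection]\nid=Dock\ntype=ethernet\n",
}


def audit_profile(text):
    """Return {'ssid', 'autoconnect', 'flags'} for a Wi-Fi profile, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    flags = []
    # No [wifi-security] section: the device joins without any authentication.
    if not cp.has_section("wifi-security"):
        flags.append("open")
    # hidden=true: the device must name the network in its probe requests.
    if cp.getboolean("wifi", "hidden", fallback=False):
        flags.append("hidden")
    return {
        "ssid": cp.get("wifi", "ssid", fallback="?"),
        # NetworkManager treats a missing autoconnect key as true.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
        "flags": flags,
    }


def saved_names(profiles):
    """Every saved Wi-Fi name: the list the post says a device gives away."""
    found = [audit_profile(t) for t in profiles.values()]
    return sorted(p["ssid"] for p in found if p)


def prune_candidates(profiles):
    """Auto-joining profiles that are open or hidden, as (ssid, flags) pairs."""
    found = [audit_profile(t) for t in profiles.values()]
    return sorted((p["ssid"], p["flags"]) for p in found
                  if p and p["autoconnect"] and p["flags"])


if __name__ == "__main__":
    print("saved:", saved_names(SAMPLES))
    for ssid, flags in prune_candidates(SAMPLES):
        print("review:", ssid, flags)
```

Profiles listed for review are the ones to delete or set to manual connection before taking the device on the road.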
Recent involvement in investigations into industrial accidents and incidents involving security officers caused me to look into the state of first-aid training. I have some concerns that lessons-learned are not being applied as well as they should.
Recent wars have taught us how to teach personnel to control severe bleeding and maintain an airway under adverse situations. Unfortunately, from what I have seen, this hasn’t filtered down to industry in the form of better training and equipment.
This battlefield experience should be of interest to security personnel at sites that might experience an active shooter or similarly catastrophic event. Those involved in emergency and business continuity planning should also take note of these lessons. My comments do not reflect the specific situation in any one Canadian province. I am aware of all the regulatory inertia, concerns about costs, and legal implications that inhibit change, but these are weak excuses for inaction when lives may be at risk. The injured person who is bleeding to death or suffocating doesn’t give a damn about laws and regulations–he simply does not want to die.
Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP. However, we now know that it may send Microsoft unencrypted personally identifiable information contained in the memory and application data that may make you vulnerable to attack. WER is turned on by default. WER from Windows 8 may now use TLS encryption.
The Snowden leaks described how the U.S. National Security Agency intercepts the unencrypted WER logs to fingerprint machines, much as some malware does, and to identify potential system, network and application weaknesses for attacks that move through an enterprise network. WER reports on more than Windows crashes. It reports hardware changes, such as the first-time use of a new USB device and mobile devices. It sends time-stamp data, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier. This creates a blueprint of the applications running on a network to help an attacker develop or execute attacks with little chance of detection.
This is only one example of the OS, applications, browsers, etc. leaking information that the investigator must be aware of when conducting investigative internet research.
To shut off WER in Windows 7, go to Control Panel>System and Security>Action Center>Change Action Center settings>Related settings>Problem reporting settings. The selections for “Each time a problem occurs, ask me before checking for solutions” and “Never check for solutions” disable WER. Choosing “Never check for solutions” will fully disable error reporting in Windows 7.
Managers sometimes tie themselves into knots worrying about the risk or threat rather than analysing the impact of interrupted business processes. My advice is to stop fretting about the cause and concentrate on alleviating the impact of the interrupted business processes.
To do this, defeat the problem in detail as follows:
- Decide which processes are critical and which are not.
- Determine how long any particular process can be interrupted before its loss becomes detrimental to operations, profitability, and customer satisfaction.
- Design a plan of action to determine if the disruption will continue beyond the tolerable time limit.
- Have a plan to replace each missing process.
- Plan for the concurrent loss of several critical processes.
The key to a successful business continuity plan is concentrating on the critical day-to-day operations.
How does this relate to investigation and research? The answer is quite simple:
- Have you ever done a security survey?
- Have you ever done a competitor SWOT analysis?
- Have you ever done due diligence on a critical supplier?
A few months later and another practice disaster is under way. These practice sessions are supposed to take the emergency out of emergency management.
The building’s automated locking system is working properly now. The new security guard provider is more responsive and the guards are performing their jobs in a more professional manner this time around. The performance of the maintenance staff has improved and the ground floor windows are completely boarded-up. Ten hours into the exercise and the generators are running flawlessly. Everything inside the building is working properly, people included. After breakfast, I decided to look for something that is screwed-up.
A Vapour on the Wind
It’s a nice Sunday morning — cool but slightly overcast as the sun rose. I decide to take a walk around the neighbourhood. Not much is moving about this early.
The additional soundproofing surrounding the generators eliminates their sound entirely when standing at street level, even at dawn on a Sunday.
I start to crave another coffee but nothing is open this early so I take another walk around the building. Somebody is up early, that bacon smells better than the oatmeal I had for breakfast.
Now I realise how I screwed-up this time.
Nine Meals From Anarchy
Nine meals from anarchy is an expression coined by Lord Cameron of Dillington who headed the Countryside Agency to describe the precarious nature of Britain’s food supply. If some catastrophe occurs and the supermarket shelves are not restocked, he estimated that they had three full days without food on supermarket shelves before law and order started to break down and British streets descended into chaos. This isn’t far-fetched – it happened in New Orleans in the aftermath of Hurricane Katrina.
The smell of cooking bacon would be very enticing to somebody who hasn’t eaten for three days. If this occurred during a protracted cataclysm, then it would add some emergency back into emergency management. Hungry people, especially normally over-fed but now hungry people, will do almost anything to get food.
Practice doesn’t make perfect – it shows you how many ways you can screw-up. I’m a big believer in practice.
I was working on a project to improve a company’s emergency preparedness that began with a risk assessment which then led to many interesting adventures. One adventure was a little bit of practice to test how they could operate during an extended power outage.
The extra guards didn’t show-up on time. The maintenance staff didn’t want to play the game unless they got time and a half. Someone had pilfered about half of the plywood with an intumescent coating intended for window coverings. The fancy locking system left all the doors open on one side of the building. So far, so good!
Wandering around outside, I was marvelling at how quiet the generators were – those mufflers were really good. Things were going just fine and I was enjoying the nice spring day and then the generators started to make strange sounds, then they belched black smoke. Then they died an ignoble death. Oh well, we got through four and one half hours and the imaginary blackout became permanent.
Now it was time to earn my keep. I had to quantify the screw-ups. The worst was the generator failures. All the generators died as if on cue. We traced this to a single diesel fuel source for all the generators. A single point of failure is never good.
I learned that the new low sulfur diesel creates a storage problem. While the reduced sulfur is good for the environment, it eventually mixes with water that condenses in the fuel tank to form black sediment or emulsified water that can damage the engines. No system was in place to deal with this problem. Some research revealed the type of filtering system needed to maintain the usability of the fuel.
No good deed goes unpunished. I became the point man for the efforts to correct this situation. Product sourcing, procurement, and construction – who knew I could do all that stuff?
Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?
Getting out of Street View
Google Street View provides a great deal of data that can be used to plan an attack on a facility, a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.
At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.
Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some descriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) thing that takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.
Far too often, security relies on brawn alone — uniformed guards, guns, alarms, locks, armoured vehicles, blast and ballistic resistant engineering. Unfortunately, force can be defeated by guile and superior force.
An example of brawn’s failure is that of Alfred Herrhausen, the Deutsche Bank Chief who was murdered by the Red Army Faction in 1989.
He knew that he was a target. He had a thirty-man security detail and armored vehicles. His murderers had work clothes, a city works vehicle, and explosives. Posing as city workers, his murderers engaged in their own construction project to mine the road that their victim frequently used.
Brawn thrice failed. The first was the failure to notice the initial surveillance that led to the terrorists identifying the attack site. Second, brawn failed to recognize and regularly inspect an obvious attack location. Finally, the terrorists were engaged in their construction project for about one month and the security detail didn’t call the city to confirm that the construction activity was legitimate.
The brain would have had a surveillance detection detail. The brain would conduct a route survey to identify likely attack locations. The brain would assign the surveillance detection detail to observe possible attack locations to look for unusual activity. The brain would have called the city about the construction activity.
The brain’s greatest enemy is the budget wala. Brawn is tangible, surveillance detection isn’t. Surveillance detection is like insurance — an expense for something you probably won’t use. Budget walas want proof that surveillance detection is worth the cost because when they spend money on brawn they get something tangible.
A working group for Internet regulators at ICANN wants to close all Whois databases. They want to force anybody needing this data to grovel before them before they grant access. They are trying to centralize global control over a key component of the Internet. WHOIS allows you to find out who owns a domain name. Without this data, fraud and other crimes will become easier to commit and harder to solve.