Defence Against the Dark Arts

I wander through the nether regions of the Internet and Dark Net looking for data to support my clients’ causes. This exposes me to severe risks from the nasty creativity of Beelzebub’s demonic gangsters and hackers.

It seems that a Windows system only lasts about 1/2 hour before getting infected without some form of anti-virus (AV). I regularly boot a clean live Linux USB, and then scan for viruses. This is like Safe Mode on steroids. In most instances, I find something malicious missed by the typical AV programs. However, this is only a temporary measure.

I am migrating to Linux for Investigative Internet Research because very little Linux malware exists in the wild. I only need AV on the Linux file server (or an email server if I had one). I do this because an infected Windows computer may upload infected files or an uninfected one might access infected files on the Linux machine, which then allows it to infect other Windows systems. AV on the file server isn’t protecting the Linux system–it’s protecting the Windows computers from themselves. I recommend the paid version of ESET Antivirus and Security Software as it doesn’t try to upsell you on other services.

Disk Encryption

TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure after Microsoft ended support for Windows XP. It was the most popular application of its type and it was widely to communicate securely and encrypt sensitive files or folders. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.

Unfortunately, in the Windows 10 Home edition, the full-disk BitLocker encryption must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. With this arrangement, theoretically, a third party could decrypt your drives remotely. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.

Under such circumstances, users should stay away from both TrueCrypt and BitLocker and shift to some other free file encryption software.

Veracrypt entered market within months after Truecrypt died and seems to be the best of the alternatives. There are other free TrueCrypt alternatives like AESCrypt, FreeOTFE, and DiskCryptor. Here are the download sites for the alternatives:

OPSEC & Social Network Sites

OPSEC

An investigator can use LinkedIn, Facebook, and other sites to build a profile of someone’s personal and work life, but like so many things in life, this is both good and bad. What might happen if it is done to your business’s employees? How might this hurt your company? Most businesses do not think about this and if they do, they usually consider key executives to be most at risk. This is entirely wrong!

Operational security (OPSEC) is the lens through which to view this risk. View each employee in terms of what he knows and to what he has access. This will change your entire outlook.

The janitor has keys and is in the building alone. Security guards possess sensitive information. The secretary to the VP of Marketing knows when you will launch a new product. Are you starting to get the picture? This leaves the problem of how to analyse the content of sites like LinkedIn and Facebook.

Facebook

For example, Facebook identifies your friends and family, and where they live. It knows your likes and dislikes. It knows your travel destinations. It knows posting habits and posts to which you will respond. All of this creates an OPSEC nightmare.

The Wolfram Alpha Facebook Report lets you see what information Facebook knows about you and your friends. It yields easy-to-understand charts, tables, and graphs in a personalized report.

This needs the account holder to log into Facebook before it will run, however, this will not stop an industrial spy, foreign agent, gangster, or terrorist. In certain dark corners of the Internet, hacking a social media account will cost about $350. Changing the privacy settings is a meagre deterrent. With the hacked account and the Wolfram Alpha Facebook Report, the crook or spy has everything he needs to plan the compromise of an employee.

LinkedIn & Spies

Using LinkedIn, researchers found the personal details of 27,000 intelligence officers that the researchers say are working on surveillance programs. They compiled the records into the ICWatch database, which is searchable by company, title, name, and location.

What might a skilled researcher find regarding your employees?

Solutions

The biggest part of dealing with this OPSEC risk is recognising that it exists. The rest of the solution involves a combination of strict social media policies, non-disclosure agreements, conditions of employment, and employment contracts coupled with employee indoctrination and training.

Google-Free Wednesday–Escaping Google

The Great Google Escape

Google’s products are fast, intuitive and reliable–but they are not free. You pay Google with your identity, behaviour, habit, and preference information. Google then collates and analyses this data and sells it to advertisers and gives it to government and intelligence services. The longer Google does this, the more valuable the data becomes. This raises some very real privacy and security concerns for people who use Google.

There are solutions to this privacy and security issue. The first obvious solution is to avoid putting all your digital eggs in one basket. Use a different email and calendar provider. Use Firefox not Chrome as a browser. Use providers in Europe to take advantage of European Union privacy laws.

Sign in to your Google account and Use Google Takeout to export your data to a downloadable ZIP file from all the Google products. Getting out of Gmail is easy–getting out of Calendar and Contacts not so much. Google sets file standards for their calendar and address-book to make migration awkward. However, migrating to mailbox.org in Germany seems to go ahead without any real difficulty. It even allows you to encrypt your emails and other files before storing them on the server. Best of all they do not scan your data and try to monetize it. However, it costs €1 per month.

If you use the free Google Drive, consider using the Omnicloud from Germany’s Fraunhofer Institute, which allows you to encrypt all data locally before uploading it to the cloud.

Install a tracker blocker such as Ghostery and Self-Destructing Cookies (SDC) in Firefox to guard against browser cookies and use a search engine like Duck Duck Go which does not record your search history.

 

Damnable Hyperlinks–Part II

In my last article on this topic, I asked the following questions:

  • Should you include a warning about following links in your reports?
  • Should you include a warning about visiting URLs in reports?
  • Should you remove the links?

My answer is yes to all these questions. The content at the linked sites may not only change–it might plant malicious code on any computers used to visit it. This is more common than most private investigators recognise or admit. My research computers are almost immune to this but most other people do not go to the extremes that I do to avoid malicious code.

I do not like sending Word documents to clients. I much prefer sending PDF files. Unfortunately, much of my work is part of larger projects and the Word file allows a client to incorporate my work into other documents.

Sending Word documents has many risks but doing so is unavoidable in many cases. This leaves the investigator in a tight spot if he does not warn the recipient about the risks associated with visiting the links in the report. In addition to written warnings at the start of all reports, I now remove all links using Ctrl+Shift+F9. After being duly warned, to go to his doom, the reader must do more than just click a link.

I now include the following warning under the heading of Security Warning.

Warning about visiting reported links and URLs

All Universal Resource Locators (URL) or hyperlinks (links) cited in this report only report where we found data. We do not attest to the safety or security of any internet site or URL. Nor do we evaluate the security implications of visiting any URL.

Do not visit any cited URL or link without understanding the security risk of doing so. We only report the content associated with links, URLs, and Internet sites. You may compromise the security of your computer system and network by visiting URLs or links in this report.

If I recognise a site as an attack site or one that includes dubious code, I do report it, however, I have never had a request from a client that we evaluate the security risks of the sites from which I collect data. If I received such a request, I would turn away the job, as I do not have the expert staff to perform such complicated work.

Self-Destructing Cookies

Maintaining privacy during online research is as important as avoiding malicious code. Privacy begins with properly configuring the browser and installing the best oddons (for Firefox) such as HTTPS Everywhere and Self-Destructing Cookies (SDC).

SDC establishes a new cookie policy within your browser. It automatically removes cookies when an open browser tab no longer uses them. With this installed, cookies only identify you while you actually use them and they cannot stalk you across the entire web. It detects tracking cookies by their behaviour and removes them immediately—it doesn’t use a blacklist. SDC complements blacklist-based solutions such as Adblock and Ghostery. It also allows you to whitelist cookies from sites that you trust. Just remember, SDC’s whitelist is stored in site preferences. If you want to keep the whitelist from session to session, you must adjust your settings if you selected Clear History when Firefox closes. SDC does not work at all in private browsing mode.

This is a moderately complicated addon that requires the user to understand browser settings and how the browser handles cookies. Reading the addon documentation is required.

Preparedness, Business Continuity, and Risk

A recent study indicates that a two day interruption of key business functions could cost your business $3M.  As most businesses are in urban areas, you could face much worse. One of my clients is located in Ferguson, Missouri and they have had weeks of disruption.

If your company is to continue operations during an upheaval, then the people who do the work must have the skills and resources needed to get through each workday. This requires a common-sense approach to urban survival planning for your employees rather than trying to create urban survivalists who grow an acre of food, raise goats, and live in underground bunkers, or worse having an entirely unprepared workforce. As most of your workforce probably lives in an urban setting, this bears serious consideration.

After researching this topic for several years I have come to the conclusion that you can’t train all your employees. You must select key people and train them and then make every reasonable effort to retain them. This may require a change in the corporate culture. It will certainly require looking beyond the next quarterly results.

Unfortunately, most business owners are risk-takers. They will see a major urban upheaval as an unlikely event. They will take the risk that during their tenure the event will not occur. This characteristic also explains many business failures, data breaches and large scale fraud events.

Business leaders need to understand their risk-taking behaviour. Without this risk-taking the business wouldn’t exist. Unfortunately, this same risk-taking may also destroy the business. Does your business have a risk committee of the board and does it consider this risk? Many businesses have an audit committee and compensation committee, why did so many abandon the practice of  having a risk committee?

The full board has overall responsibility for risk oversight and this mirrors board responsibility for overseeing strategy. When an audit committee takes responsibility for risk management, the result is usually, in my experience, unfocused and inept. They do not have the skills and knowledge needed to evaluate all the business and operational risks faced by the enterprise. Audit committees often obscure the transparency needed for effective risk management and risk oversight by authorising such things as off-balance sheet transactions.

A separate risk committee of the board is not a one-size fits-all solution, but companies facing rapid changes in the business environment and emerging risks such as new technologies and security threats, should have a risk committee. Deteriorating urban infrastructure, poor city governments, inept policing, IT security, and other factors that affect business operations in our degenerating urban conditions certainly advocates the creation of a proper risk committee with business continuity on its agenda. The committee usually requires independent directors with specialised knowledge and experience with the critical risks facing the enterprise.

Productivity in Perdition

As I make my way through the infernal regions of the Internet, I have had to start using new tools. The most disconcerting form of torment has been the change to Linux to avoid malicious code. This has forced me to start using alternatives to Microsoft Office for some work.

There is nothing more disconcerting than changing word processing software. Nothing is in the right place and productivity decreases dramatically.  I’m not sure which of the two flavours of the open source alternatives I like best–I lean towards LibreOffice at this point.

Some people who don’t really work for a living will say it’s stupid to try to attempt to use Microsoft Office on Linux, but they don’t have to quickly produce reports on a daily basis. I have tried running MS Office 2010 (32 bit) with some success using Wine. This makes report creation easier and faster. However, this isn’t as stable as using LibreOffice–but that’s perdition for you.

Murder starts with your Mouth

The excellent book The Dark Side Of Man reports that David Luckenbill studied all of the murderers in a California county over a 10-year period and asked them why they killed their victims. All the death row inmates interviewed listed one of only two reasons for killing:

  • 34% said they killed because the victim challenged the killer’s authority
  • 66% said they killed because the victim insulted them in some way

What matters is the criminal’s perception. If he perceives a challenge or an insult, he is more likely to kill you.

This information provides a basis for planning a strategy for dealing with criminal violence.

Understand that the criminal is not operating under the same moral imperatives as his victim. A large proportion of violent criminals are psychopaths without any empathy for their victims. Never think, “He won’t shoot me because I wouldn’t shoot him in the same situation.” You would be wrong and this will cost you your life.

False bravado will also get you killed. Criminals learn to quickly judge people and use that judgement to manipulate them. Your bluff will be transparent and you will experience a violent response to your challenge.

Never insult an attacker. There is a big difference between screaming “GET AWAY FROM ME!” and screaming “GET AWAY FROM ME YOU MOTHERFUCKER!” Insulting an armed criminal will not yield positive results.

Be especially cautious during the times when the criminal is under the most stress and be chose your words carefully, especially at the early and end stages of the attack.

Develop a verbal response for the most likely scenarios you may face rather than thinking on the fly, just say exactly what you have practiced. Your script should avoid any challenging language or insults. Deliver your script in a calm monotone even if you are planning violent resistance. Surprise is a very potent weapon in your arsenal.

If you are in an environment that exposes you or your staff to the risk of criminal attack, then The Dark Side Of Man is a book you must read.

Know your enemy and plan to prevail.

Motherpipe

Do you want a search engine that does the following:

  • doesn’t keep details on what you are searching for
  • doesn’t store your IP address
  • doesn’t use cookies
  • doesn’t track you
  • doesn’t send your search term to the site you clicked on
  • doesn’t store or share your search history
  • doesn’t share your personal information
  • doesn’t have servers in the U.S.A.
  • doesn’t hide the search results amongst a deluge of ads

Try Motherpipe. It operates privacy oriented search engines at motherpipe.com, motherpipe.co.uk, motherpipe.de and motherpipe.se that don’t do things I don’t want done.

It gets its data from Yahoo!Bing. It offers the search operators “site:” and Boolean operators “AND” and “OR“. It also searches Twitter anonymously.

Safe Recharging with a USB Condom

The mobile phone adaptor USB cable is a combination power-and-data connection that can expose your device to manipulation by some very unsavory characters. This practice is called Juicejacking and I have written about it before.

If you must recharge your mobile devices at a public recharging station then you need to practice safe recharging just like your high school health class recommended.

USB Condom

The USB Condom protects personal and private data stored on your mobile device while recharging. The USB Condoms only transfer power, not your data as it cuts off the data pins in a standard USB cable, preventing any data from transferring in either direction.  It sells for $9.99. This is very hygienic.

However, you can abstain entirely and achieve the same results by using a power-only USB cable.

Anonymize Your Email

Guerrilla Mail is a temporary, disposable email service. It lets you to easily set-up random email addresses. If accessed through Tor, it ensures that no one can connect your IP address with a Guerrilla Mail address.

Encrypting messages for webmail is awkward. You must copy and paste messages into text windows and use PGP to scramble and unscramble them. To avoid this, you can use a privacy-focused email host like Riseup.net and Mozilla Thunderbird with the encryption plugin, Enigmail, along with another plugin called TorBirdy that routes email through Tor.