Safe Recharging with a USB Condom

The mobile phone adaptor USB cable is a combination power-and-data connection that can expose your device to manipulation by some very unsavory characters. This practice is called Juicejacking and I have written about it before.

If you must recharge your mobile devices at a public recharging station then you need to practice safe recharging just like your high school health class recommended.

USB Condom

The USB Condom protects personal and private data stored on your mobile device while recharging. The USB Condoms only transfer power, not your data as it cuts off the data pins in a standard USB cable, preventing any data from transferring in either direction.  It sells for $9.99. This is very hygienic.

However, you can abstain entirely and achieve the same results by using a power-only USB cable.

Anonymize Your Email

Guerrilla Mail is a temporary, disposable email service. It lets you to easily set-up random email addresses. If accessed through Tor, it ensures that no one can connect your IP address with a Guerrilla Mail address.

Encrypting messages for webmail is awkward. You must copy and paste messages into text windows and use PGP to scramble and unscramble them. To avoid this, you can use a privacy-focused email host like and Mozilla Thunderbird with the encryption plugin, Enigmail, along with another plugin called TorBirdy that routes email through Tor.

Confidential File Transfers

Google Drive and Dropbox don’t provide privacy. Onionshare is an open-source program that lets you send big files via Tor. When you use it to share a file, it creates a Tor Hidden Service, which is a temporary and anonymous website hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it using their Tor Browser. The person who is receiving the file doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.

For now it only runs as a bare-bones command-line tool on the Tor-based operating system Tails, which can be launched on Windows or Mac machines.

If you’re trying to send a secret file then it’s important to send this URL secretly. I recommend you use Off-the-Record encrypted chat to send the URL. This provides an end-to-end encrypted conversation over services like Google Talk and Facebook chat that prevents Google or Facebook from having access to the contents of your conversation.

Microsoft’s Ban on Guns & the Investigator

Since 2009 Microsoft’s Code of Conduct has been applied to more and more of their online services. Under this Code of Conduct, users are prohibited from using it in  “any way that promotes or facilitates the sale of ammunition and firearms” (See bullet point #13). You have to trust that Microsoft’s definition of “promotes or facilitates the sale of ammunition and firearms” is the same as yours and that one of their robots doesn’t delete all your data. Not recognising this risk could mean the loss of all your investigation reports and data. A lot of my investigations have included large volumes of data on firearms and ammunition. Imagine the damage to your reputation, if at a crucial juncture in the investigation, some Microsoft employee or robot decides my data and reports are “promoting guns” and deletes everything.

Most of Microsoft’s online services are covered by their “Code of Conduct”. This includes Windows Live, Office 365, Microsoft Sharepoint,,, Windows OneDrive, Exchange Online, MSN and more.

Searching for firearms and ammunition data on Bing may already produce censored results as a result of the Code of Conduct.

Only Skype, Microsoft Azure and XBox Live are now exempt. I expect Skype will be the next to come under the Code of Conduct.

Windows OneDrive, formally Microsoft SkyDrive, is part of Windows 7, Windows 8, Windows 8 for Phones and Windows 8 for Tablets. If you handle information about firearms you should avoid these products. You could find your account terminated and all your emails, contacts, calendar, and everything else deleted.

Windows Live powers a number of Microsoft services including Microsoft’s cloud email and cloud Office suite. Windows Live, and Exchange Online power many large institutions. If you work in such an institution be very careful, especially if you have signed documents agreeing to abide by Microsofts Terms of Use.

If you use Microsoft Office and the Office 365 service to share files about guns, then you will eventually find everything has gone down the memory hole.

Microsoft’s Code of Conduct can affect everything an investigator does. Searching, email, voice calls, storing data, and preparing reports are all potentially at risk if you use these services in relation to firearms and ammunition related topics. Now ask yourself how Microsoft knows the content of your data and think about the confidentiality and security of your data.

You must have a due diligence process in place before starting to even look for online and cloud services. You have to read and understand the implications of all the stuff hidden in the fine print.

Alberta Court Stikes Down Trespass to Premises Act

An Alberta Court struck down the provincial Trespass to Premises Act (TPA) as “unconstitutional” as it relates to public property in R v S.A. This decision prevents Transit Authorities across Alberta from using the Trespass to Premises Act to ban individuals from using their facilities.

R v S.A was about a young woman who was banned from all Edmonton LRT stations due to her involvement in an altercation at a single station. This eliminated her ability use public transit in Edmonton.

This is a long and thoughtful decision addresses the Liberty interest found in S.7 of the Charter. On reading the decision, I believe this decision will, over time, extend to all public places where the Trespass to Premises Act might be used by any public authority in Alberta.

Since 1976, Canadian courts have been whittling away at the right of private property owners to keep out trespassers under provincial trespass legislation. The reasoning presented in this decision may become the norm throughout Canada and it may have unforeseen implications for private landowners.

Security and facility management should begin reviewing trespass policies, operating practices, and training in the light of the direction and standards outlined in this case. It seems that the prudent course is to ensure trespass bans are objectively defensible and proportionate to the inappropriate behaviour. Implementing an appeal process for a trespass ban also seems judicious.

Please note that this decision is currently under appeal. It is also from a Provincial Court and not binding. However, understand that landowners rarely get expanded rights from the courts; it usually goes in the other direction.

Normalcy Versus Risk

Feral Dogs

In the past I have written about the risks associated with feral dogs. Currently, the town of Kenora Ontario is experiencing some difficulties with feral dogs. Having a pack of feral dogs circling your house is not something to take lightly.

When Knives Attack

The recent Calgary mass murder illustrates how people assess risk wrongly. Statistics Canada reports (in 2008) that one-third of homicides and attempted murders involved edged weapons. That is more than any other type of weapon. StatsCan also reported that edged weapons were used against six per cent of victims of violent crime while firearms were used against two per cent of victims. Yet most people and organisations dither over plans for mass shootings.

Knives are easy to obtain, easy to conceal, they don’t run out of ammunition, and they cut in any direction. No training is required and if you can move your hand with the knife in your grasp, then you can kill with it.

This type of crime occurs quite often. Here is a recent sampling:

  • four people were stabbed in a Regina shopping mall
  • student was stabbed at a Brampton, Ontario, high school
  • four coworkers stabbed at a Toronto office by a man who was being fired
  • two people killed and four wounded in a Loblaw’s warehouse stabbing attack

Of course the knee-jerk reaction will be to ban assault knives. Of course all prohibitions fail miserably and probably make the situation worse as happened with the ‘war on drugs’ and ‘gun control’. Some foolish individuals will no doubt say that the StatsCan figures prove that ‘gun control’ works and we now need ‘knife control’, no doubt a knife registry will follow.

In the Calgary case, the accused probably took the knife from the kitchen and then started his rampage. I’m sure registering their kitchen knives after getting a licence to buy them would have stopped this attack.

Risk Assessment

Whether it’s feral dogs or knife attacks, you have to measure the relative probability of the event occurring against the consequences of the event. We are hard wired to believe that we live in a safe world–if we weren’t, then we would never have ventured out of our caves to create the world we now live in. This is called the normalcy bias.

Normalcy Bias Vs. Risk

I am paid to respond to situations where the normalcy bias got the better of someone or to plan for situations that nobody wants to contemplate. Decades of experience has taught me that nobody wants to contemplate the low probability, high consequence events.   Legislation and hand wringing won’t change this–planning, preparation, and training might. Unfortunately, the interest in preparation and training wanes quickly as memory of the event that spawned this dissipates, and thereby allowing the normalcy bias to reassert itself.

FinSpy & Browser Hygiene

Recently, I had run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design  makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.

This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update” Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.

What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Fortress Firefox II

The browser is the most used outward facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds-up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day-Just visit the wrong web site and get remote-code execution.

No matter which browser you use, it will require proper configuration. No browser blocks JavaScript and all third-party cookies by default. These are my first security concerns.

In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it to transmit data that can be used to thwart your investigation.

Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.

Fortress FireFox

To create my everyday fortress Firefox, I use the following:

For more anonymity, privacy, and security, I do the following to my instance:

  • To preserve privacy, I use a VPN.
  • To preserve anonymity, I use Tor to connect to an anonymous VPN.
  • To maintain security, I work from a Virtual Machine hosted by a different OS on a clean machine.

If you aren’t doing the same, then you don’t know what is on your PC and what it might be doing to work against you. There are a lot of bad actors out there trying to insinuate malware onto as many machines as possible. If you are using your PC to gather evidence, malware can destroy the integrity of everything you collect.

Conducting Investigative Internet Research is not as easy as it might seem. There is more to it than doing a few poorly structured Google searches. You need to understand how to create a clean machine that will pass muster under S. 31 Canada Evidence Act. You must prevent all your research, and your identity, from ending-up in the hands of the very people that you are investigating. This happens. I have to believe that it happens often but isn’t recognised by most investigators. Would you know if your machine had a trojan like FinSpy? Do you know how to prevent the installation of something like FinSpy? Do you know how to get rid of it?

If you frequent bad internet neighbourhoods, then you will encounter bad people doing bad things, and they will try to do bad things to you.

Surveillance in a WiFi World

I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.

At another table, I notice something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.

Do you know what the WiFi Pineapple can do?

Surveillance & the WiFi Pineapple

The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.

From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.

All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.

Protect yourself

The simplest protection is the best. Shut-off the WiFi on your portable device. Use WiFi in secure environments only.

The Individual First Aid Kit (IFAK)

Recent involvement in investigations into industrial accidents and incidents involving security officers caused me to look into the state of first-aid training. I have some concerns that lessons-learned are not being applied as well as they should.

Recent wars have taught us how to teach personnel to control severe bleeding and maintain an airway under adverse situations. Unfortunately, from what I have seen, this hasn’t filtered down to industry in the form of better training and equipment.

This battlefield experience should be of interest security personnel at sites that might experience an active shooter or similarly catastrophic event. Those involved in emergency and business continuity planning should also take note of these lessons. My comments do not reflect the specific situation in any one Canadian province. I am aware of all the regulatory inertia, concerns about costs, and legal implications that inhibit change, but these are weak excuses for inaction when lives may be at risk. The injured person who is beading to death or suffocating doesn’t give a damn about laws and regulations–he simply does not want to die.

Read more

Windows Error Reporting Risk

Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP. However, we now know that it may send Microsoft unencrypted personally identifiable information contained in the memory and application data that may make you vulnerable to attack. WER is turned on by default. WER from Windows 8 may now use TLS encryption.

The Snowdon leaks described how the U.S. National Security Agency intercepts the unencrypted WER logs to fingerprint machines like some malware to identify potential system, network and application weaknesses to execute attacks that move through an enterprise network. WER reports on more than Windows crashes. It reports hardware changes, such as the first-time use of a new USB device and mobile devices. It sends time-stamp data, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier. This creates a blueprint of the applications running on a network to help an attacker develop or execute attacks with little chance of detection.

This is only one example of the OS, applications, browsers, etc. leaking information that the investigator must be aware of when conducting investigative internet research.

To shut-off WER in Windows 7 go to Control Panel>System and Security>Action Center>Change Action Center settings>Related settings>Problem reporting settings. The selections for “Each time a problem occurs, ask me before checking for solutions” and “Never check for solutions” disable WER. Choosing Never check for solutions will fully disable error reporting in Windows 7.


Business Interrupted

Managers sometimes tie themselves into knots worrying about the risk or threat rather than analysing the impact of interrupted business processes. My advice is to stop fretting about the cause and concentrate on alleviating the impact of the interrupted business processes.

To do this, defeat the problem in detail as follows:

  • Decide which processes are critical and which are not.
  • Determine how long any particular process can be interrupted before it’s loss become detrimental to operations, profitability, and customer satisfaction.
  • Design a plan of action to determine if the disruption will continue beyond the tolerable time limit.
  • Have a plan to replace each missing process.
  • Plan for the concurrent loss of several critical processes.

The key to a successful business continuity plan is concentrating on the critical day-to-day operations.

How does this relate to investigtion and research? The answer is quite simple:

  • Have you ever done a security survey?
  • Have you ever done a competitor SWOT analysis?
  • Have you ever done due diligence on a critial supplier?