The Mac & Malware

Like many Mac users, I’m not too concerned about malware. Traditionally, the vast majority of these were directed at Microsoft OS platforms. But recent headlines prompted me to consider two pieces of Mac software: Avast Mac Security and Malwarebytes for Mac.

Malwarebytes seems particularily useful if you download software from questionable sources. I’m still not certain AV software is really needed.

Apple or Bust

My Linux experience seems to match that of Darryl Daugherty (@DarrylDaugherty) who is an IT start-up survivor turned commercial investigator and OSINT operator in Bangkok, Thailand. Like Darryl, with Linux, I spent too much time configuring and patching while never knowing what will break. The Apple is easier to live with–set it up once, harden it, and get to work.

I have been learning how to use the Apple computers for IIR. Thanks to many friends like Darryl who have used them for years, I feel like I am in good hands.

To avoid expensive errors while learning, I’m starting with a refurbished Mini made after 2010. These older models will upgrade to current versions of OS X (El Capitan) and they continue to enjoy Apple Software Updates.

You may ask, why a refurbished machine? The answer is simple, if I buy from Apple, then I get a full warranty on the machine. If I make a horrendous mistake in some security settings and modifications and permanently lock myself out of the machine (like not having the recovery key in FileVault2), then it won’t cost so much to start over.

Escaping Windows–Mac OS X

As you can see, I no longer trust MS Windows to keep my data private.

One alternative is OS X, which is a series of Unix-based graphical interface operating systems (OS) developed by Apple Inc. It is designed to run on Macintosh computers. It has been pre-installed on all Macs since 2002. This is a proven and reliable performer. Unfortunately, the switch to Apple can be expensive as it really does require Apple hardware for optimum performance.

The advantage of OS X is that it runs MS Office and that keeps the natives calm, even if they have to hunt and peck through the GUI to find things. The open source LibreOffice and Open Office are different enough from Word (and Excel) to drive the writers in your organisation, me included, absolutely mad. There really is a steep learning curve for a new word processor and spreadsheet software. Keeping MS Office also allows you to keep your templates intact. However, even on OS X, MS Office creates its own threat surface.

If you must harden MS Office by eliminating all macro’s, portable templates, and most of it’s network and workgroup features, then that is the point where LibreOffice or Open Office becomes a better option.

There is little risk of a serious malware infection of OS X itself, especially if you use Little Snitch.  OS X is easier to configure for online security as most of the work has been done for you. This isn’t the case with most versions of Linux.

Disabling the WIN 10 Upgrade Nagging

In June 2016, this nagging became much more intrusive. MS began squatting on your machine with the Win 10 install files. They then began installing Win 10 without warning on unsuspecting users.

Given the privacy and security concerns with Win 10, you may not  want to be nagged to update, here’s how to stop the Windows 10 upgrade notifications and run Windows 7 or 8 forever.

There are a few methods which worked in the past but no longer stop the nagging and surreptitious install of Win 10. Never10 is the current tool that most easily disables the upgrade.

Windows 10 as Spyware

Current users of Windows 7 or 8 have been offered free upgrades to Windows 10. This would be tempting except for the liability that this may create. As we all know, there is no such thing as a free lunch.

Many experts deem lots of the new so-called features to be spyware. It is one thing to find an application misbehaving; it is entirely different to use an OS designed to allow Microsoft (MS) to monetize your data and squat on your computer hard drive. Built into the Windows 10 OS are spying and data-mining features that deliver data to MS which MS then uses to generate profits.

The long-winded Microsoft Services Agreement runs to 40,000 words of impenetrable legalese and you must agree to everything in it to get your new OS. Unfortunately, or is it predictably, the agreement appears to grant Microsoft the right to read, save, and share anything stored on or accessed using any computer running MS Windows as well as any computer using MS products or services. By default, all of this snooping is turned on and I have serious concerns that it may be impossible to entirely prevent this snooping.

Portions of Microsoft’s privacy policy, which is part of the services agreement, indicates that the MS may use a keylogger to collect users’ data. This means, if you open a file and type, MS has access to what you type, and the file containing the what you type. This may also apply to voice information from speech processing software. Of course, MS offers a way to shut-off all this logging, but you have to believe that it actually works and stays off.

If you are careful in planning your upgrade to Windows 10, and if you have the technical knowledge, then you can probably upgrade the OS while preserving your professional obligation to protect client confidentiality and privacy, at least initially.

To maintain privacy and confidentiality you should use Microsoft’s Media Creation tool. This gives you a copy of the OS installation files. You’ll need at least a 6 GB USB drive. You can use it on multiple PCs. During an upgrade, the installation will look to see if you already have a product key. To do a clean install you may need to have your Windows 7 or 8 product key. You should tape it on your PC. Keep the USB since there’s no other way to get back to Windows 10 if anything unexpected happens. Doing the installation otherwise may allow MS to scrape data from your computer.

By clicking on “Express Settings” during installation you give away your contacts, calendar details, text and touch input, location data, and a whole lot more. It is clear that MS wants to monetize the confidential information on your computer. This creates a serious liability for Canadian private investigators who maintain personal identifiers and other confidential information on Windows 10 machines. Under Canada’s Personal Information Protection and Electronic Documents Act (PEPIDA), by accepting the terms of the Microsoft Services Agreement you have chosen to share this information and in most cases that may be illegal. Accepting this agreement may also put private investigators in contravention of their licencing statutes.

If you click on the small “Customise settings” button at installation, you must toggle many settings on two pages to ‘off’. Don’t forget to include Wi-Fi Sense. Using the Privacy App to turn-off the data stream to MS for those who have already installed the OS using “Express Settings” will be even more confusing to the average user. After doing all the above, Windows 10 continues to send confidential data to MS unless you dig into the registry and group policy editor. Stopping the snooping will disable many features like the digital assistant Cortana that MS is marketing as a reason to upgrade to Windows 10. However, what I am describing here only describes what we can see. Without conducting packet-level analysis, we you don’t really know what data is being sent back to Microsoft, and by which service.

You will also need to go into Windows Firewall and turn-off the rules that allowed a whole slew of Microsoft applications to transmit information.

Windows 10 Home comes with full-disk BitLocker encryption. To enable it, you must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. Doing this violates your professional obligations. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud. Most investigators would use Windows 10 Home and theoretically, a third party could decrypt their drives remotely.

The data stream from your PC to MS is bad enough, but somebody will learn to intercept this data stream and this will leave you open to a targeted attack. If the hacker releases the stolen data and it is tracked back to you or your computer, then your career is likely over. You can expect some form of action under PEPIDA and/or prosecution under your licencing statute. This data breach will almost certainly result in a civil suit and adverse publicity. Who would hire a PI or researcher like that?

Another concern is how updates are delivered. Like Bittorrent, Win 10 updates will be distributed from other Win 10 PCs  This presents an extreme risk, as you don’t know where the update is really coming from. You have to know enough to choose how your updates are delivered.

Privacy & the PI

Let’s address this situation realistically from the perspective of the PI or researcher determined to use Windows 10.

Let’s assume that you are a trusting individual. You trust MS government officials, litigants, lawyers, and everybody else to not understand or care that you accepted the Microsoft Service agreement that grants MS access to all your confidential data and the right to save and share it. You must also trust that your own technical expertise is up to the task of properly installing Windows 10 to circumvent all the efforts of MS to access your data.

At the outset, you pay extra for the Pro version to set-up disk encryption with a local account because you are security conscious.

First, you try to install the OS without it being connected to the Internet to ensure it doesn’t scrape data from your PC. This doesn’t work, as it needs connectivity to complete the installation. You discover that you must use the clean install method (using Microsoft’s Media Creation tool) described above to isolate your PC from the Internet to ensure that MS doesn’t scrape data from you computer during the installation. There are reports of Win 10 install files being placed on your computer on Patch Tuesday to use your PC to further distribute the OS installation files. You must learn how to get your patches from only a trusted source and to prevent MS from using your PC to distribute the OS.

Second, upon ensuring that it will not scrape data from your PC during installation, you toggle two pages of settings to ‘off’ and lose many of the new features.

Third, you edit registry and group policies to staunch the continuing flow of data to MS. Doesn’t everybody know how to do this without damaging the usability of the OS?

Fourth, in Windows Firewall, you turn-off the rules that allow MS applications to transmit information to MS.

Fifth, you then choose how your updates are delivered to prevent updates from untrusted sites. You ensure that updates come from trusted computers in your own network.

Sixth, you conduct packet-level analysis and shut-off any service that continues to send data to MS. Doesn’t everybody know how to do this and have the time to do it?

Finally, with every update and patch, you do a packet-level analysis to make sure your privacy and security is intact.

Of course, sending all this private and confidential data to MS is not necessary to have a functioning OS and applications. It is only necessary for MS profits and probably some government snooping.

Next, how to stop the Win 10 install nagging.

Turn Your PC into an iPhone

Some web sites cannot be viewed properly using Firefox. Sometimes it is an old site that requires MS Internet Explorer (IE) or it may be a site designed for mobile devices.

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser. It allows you to chose from three versions of IE or an iPhone. Selecting the iPhone user agent often reveals additional  functionality on the site. The extension is available for Firefox and will run on any platform that this browser supports including Windows, OS X and Linux.

Disk Encryption

TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure after Microsoft ended support for Windows XP. It was the most popular application of its type and it was widely to communicate securely and encrypt sensitive files or folders. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.

Unfortunately, in the Windows 10 Home edition, the full-disk BitLocker encryption must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. With this arrangement, theoretically, a third party could decrypt your drives remotely. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.

Under such circumstances, users should stay away from both TrueCrypt and BitLocker and shift to some other free file encryption software.

Veracrypt entered market within months after Truecrypt died and seems to be the best of the alternatives. There are other free TrueCrypt alternatives like AESCrypt, FreeOTFE, and DiskCryptor. Here are the download sites for the alternatives:

Firefox’s Most Irritating Bug

Have you noticed in Firefox that you can’t scroll down through a web page whilst selecting text?

This problem is associated with Mozilla’s inept fiddling with the add-on bar. This bug was fixed once, but has re-emerged. There are convoluted solutions to this problem, but I’m not a convoluted type of guy. I found a simple solution.

The easiest solution is to install Status-4-Evar and you can then scroll whilst selecting text. Classic Theme Restorer may also solve this problem, but I haven’t tried it yet and I think you need to use this in a new, clean profile. To use a new profile, it’s probably wise to install ProfileSwitcher.

Good-bye Windows XP

If you have older machines running Windows XP, then  Microsoft will cut-off support of the operating system on April 8, 2014. That means no more patches, no more new software versions, no more drivers for new peripherals–and most importantly, no security updates and patches.

If you have an older machine that is running properly with XP, then you will probably find that installing Windows 7 or 8 will make it run like molasses in January. Most machines running XP don’t have enough memory to run Windows 7 or 8 efficiently.

I’ve been using Ubuntu 12.04 because it is the most secure of all the current OS offerings. The CESG, the UK government’s arm that assesses operating systems and software security agrees with me. Ubuntu also has the largest collection of applications in the Linux world.

Zorin OS 7, is also a good option when switching from Windows XP. It is faster, looks better and offers better performance than Windows, yet its user interface is similar to Windows and intuitive for long-time Windows users. It allows you to run Windows programs using WINE and PlayOnLinux emulators, as will other Linux distributions.

The US Department of Justice has “found” that Microsoft Windows is run by more than 95% of personal computers and that means that there are thousands of programs that will only run on Windows. WINE and PlayOnLinux allow you to use familiar programs to avoid a steep learning curve.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Windows Error Reporting Risk

Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP. However, we now know that it may send Microsoft unencrypted personally identifiable information contained in the memory and application data that may make you vulnerable to attack. WER is turned on by default. WER from Windows 8 may now use TLS encryption.

The Snowdon leaks described how the U.S. National Security Agency intercepts the unencrypted WER logs to fingerprint machines like some malware to identify potential system, network and application weaknesses to execute attacks that move through an enterprise network. WER reports on more than Windows crashes. It reports hardware changes, such as the first-time use of a new USB device and mobile devices. It sends time-stamp data, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier. This creates a blueprint of the applications running on a network to help an attacker develop or execute attacks with little chance of detection.

This is only one example of the OS, applications, browsers, etc. leaking information that the investigator must be aware of when conducting investigative internet research.

To shut-off WER in Windows 7 go to Control Panel>System and Security>Action Center>Change Action Center settings>Related settings>Problem reporting settings. The selections for “Each time a problem occurs, ask me before checking for solutions” and “Never check for solutions” disable WER. Choosing Never check for solutions will fully disable error reporting in Windows 7.


Searchable Clipboard Extender

Ethervane Echo from Tranglos software is a clipboard extender that will hold all your data from the clipboard until you delete it, and it has excellent search capabilities. It works with Microsoft Windows XP or later. This is the kind of utility that nobody thinks about, but everyone uses once they have it.

If you are an Investigator, Journalist, Writer, or Translator, then this will be very useful. The search feature allows you to easily find words, phrases, etc., that you have previously copied. To use the search feature just type a few characters, and the list of clips will be automatically filtered to include only those that match the characters you have typed. It also has more advanced search features. Of course, you can delete any item or the entire content of the clipboard extender.



FireFox V.10

The biggest change in V.10 that most Firefox users will see is the smaller number of add-ons marked as incompatible. About 80 percent of all add-ons should now be compatible. Previously, most add-ons would break when Firefox released a major update.

V.10 seems to work much better than any V.9 iteration. No more crashing and the add-ons and extensions work properly. I guess I will be able to stay with Firefox for a while yet.

Extended Support Release

Mozilla also released the enterprise version of Firefox, called ESR (Extended Support Release), which will release updates on a slower cycle (once per year) so that businesses don’t have to worry about their internal tools and security protocols failing. This should help make Firefox more popular in the corporate world.


The Clean Machine

When doing IIR, the computers must be free of malicious code (S. 31 Canada Evidence Act). We often set aside a computer for this purpose after doing some Spring-Cleaning. But how we prepare the machine for the installation of the clean version of the OS and application software is important.

We use Darik’s Boot and Nuke (“DBAN“) which is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which also makes it an appropriate utility for bulk or emergency data destruction. DBAN is a means of ensuring due diligence in computer prepartation for IIR. It is also a good way to periodically clean a Microsoft Windows installation of viruses and spyware.


Securing Firefox – Configuration Settings

This is about stopping the dreaded disease, Data Diarrhea. The websites you visit can leave behind a trail of data on your computer and in their server logs. All of this Data Diarrhea can identify the Investigator and this can complicate the problem he is trying to solve. Lax privacy & configuration settings may also leave the Investigator’s computer vulnerable to attack by hackers.

This article describes more advanced methods of customizing Mozilla applications, by editing the configuration files.

about:config entries

about:config is a feature of Mozilla applications which lists application settings (known as preferences) that are read from the profile files prefs.js and user.js, and from application defaults. Many of these preferences are not present in the Options or Preferences dialog. Using about:config is one of several methods of modifying preferences and adding other “hidden” ones.

Editing the user.js and prefs.js files are an alternative method of modifying preferences and recommended for very advanced users only. Unless you need a prefs.js and/or user.js file modified for a specific purpose, you should use about:config instead.

This article refers to the Firefox V. 9 edition of the browser. These entries may have adverse effects on Thunderbird and Mozilla Suite/SeaMonkey and older versions of Firefox. These settings will affect all profiles of the browser.

In Firefox, type about:config in the Location Bar (address bar) and press Enter to display the list of preferences. You may get a warning page next, just click OK and move on.

about:config > browser.display.use_document_fonts > change value to 0

0: Never use document’s fonts
1: Allow documents to specify fonts to use
2: Always use document’s fonts (deprecated)

Don’t let the site access to the fonts on your computer. That grants too much access that can be abused.

about:config > browser.sessionhistory.max_entries > change value to 2

The maximum number of pages in the browser’s session history, i.e. the maximum number of URLs you can traverse purely through the Back/Forward buttons. Default value is 50.  Set it to 2 so that the site you visit can’t see where you have been during your Investigative Internet Research (IIR) assignment.

about:config > > double click to false is a mechanism allowing web pages to store information with a web browser (similar to cookies) called “client-side session and persistent storage.” Although use of session storage is subject to a user’s cookie preferences, this preference allows it to be disabled entirely.

about:config > geo.enabled > double click to false

True is location aware browsing enabled. Default is true. You want to disable this. See for details of geolocation in Firefox.