Over at Canadian Security Magazine, my first article explained the nature of security intelligence (SI) and its OPSEC challenges. This second article explains the OPSEC challenges facing security intelligence in an iconic commercial enterprise or location.
If you believe that the search results from any search engine, let alone Google, are neutral and do not reflect the search engine owner’s interests and biases, then you are very naive or entirely delusional. To prosper in the ‘information age’ one must be skeptical, open-minded, and use many search engines.
For example, Google monitors what we’re searching on and decides what search results are best for its own interests. In the USA, Google was the second-largest contributor to Obama, but Google protests that it doesn’t manipulate search results in his and the Democrats’ favour.
Some very enlightening information is now coming to light about how a small change to the search algorithm may dramatically change the outcome of an election. I strongly suggest that you read Big Data Meets Popular Vote in today’s National Post.
TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure after Microsoft ended support for Windows XP. It was the most popular application of its type and it was widely used to communicate securely and encrypt sensitive files or folders. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.
Unfortunately, in the Windows 10 Home edition, the full-disk BitLocker encryption must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. With this arrangement, theoretically, a third party could decrypt your drives remotely. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.
Under such circumstances, users should stay away from both TrueCrypt and BitLocker and shift to some other free file encryption software.
VeraCrypt entered the market within months after TrueCrypt died and seems to be the best of the alternatives. There are other free TrueCrypt alternatives like AESCrypt, FreeOTFE, and DiskCryptor. Here are the download sites for the alternatives:
I often go looking for simple sites created by the subject of an investigation. These simple or forgotten sites often appear at universities, at ISPs that offer free web space, and on free web space servers.
Did you know that Google Drive has always offered to host basic web sites for free? This will continue until August 31st, 2016. Google Sites will continue, but these sites cost a bit of money to operate.
Others, like GitHub, offer a very similar service. Amazon’s S3 cloud storage service offers static web pages for free. Occasionally, I find sites that use Dropbox to host files used or accessed by a free web site. Sometimes I find a domain that forwards to files hosted on Dropbox. Dropbox isn’t the only service that can be used to offer a static web page.
The Ashley Madison hack has a lot of people running around like a bunch of headless chickens. The simple fact is, you cannot trust this data. Let me explain why this data must be treated with extreme caution.
Registration was free but you needed to buy credits to contact other members. Stolen credit card numbers appear in the data. Nobody has verified the number of real and active accounts. The website would allow new accounts to be set up without confirming the email; therefore, anyone could open an account using someone else’s name and email address as a prank or out of malice, and of course, the hackers could add names to the list before publishing it. This type of malicious prank is truly vicious in the 79 countries where homosexuality is illegal. For example, in Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, the punishment for homosexuality is death.
Here are my favorite headless chicken searches:
- Ashley Madison Email Search
- Ashley Madison Name & Address Search
- Ashley Madison Phone Number Search
A lot has changed since I wrote Sources and Methods for Investigative Internet Research. For example:
• We are abandoning Windows entirely due to privacy concerns with the Windows 10 operating system
• We are moving to a process for conducting all IIR from a sandbox to protect our collection process, collected data, and privacy
• VPNs, Tor, VMs, and encryption are our new best friends
• The existence of Wi-Fi proves that the Devil wears a black-hat
Have you noticed in Firefox that you can’t scroll down through a web page whilst selecting text?
This problem is associated with Mozilla’s inept fiddling with the add-on bar. This bug was fixed once, but has re-emerged. There are convoluted solutions to this problem, but I’m not a convoluted type of guy. I found a simple solution.
The easiest solution is to install Status-4-Evar and you can then scroll whilst selecting text. Classic Theme Restorer may also solve this problem, but I haven’t tried it yet and I think you need to use this in a new, clean profile. To use a new profile, it’s probably wise to install ProfileSwitcher.
Disconnect Search is a specialized VPN that lets you search privately using Google, Bing, and Yahoo search engines. They say they don’t log searches, IP addresses, or any other personal info.
Using Disconnect Search, your ISP shouldn’t see your search terms as they don’t have access to your searches. Normally, when you click a result link, the site you go to may see your search terms, but Disconnect should prevent this. Search engines save your searches, which can be connected to your real name or IP address. Disconnect should anonymize your searches.
I am currently writing the 2nd Edition of Sources and Methods for Investigative Internet Research. This is a lot more work than you might expect and it is occupying time I would normally spend writing blog articles.
Please bear with me. When I get to the editing stage of this project I will again have time to write more blog articles. However, I am still posting interesting articles, sources, and methods on my Confidential Resource Twitter feed @LocusCommunis.
The first of my 6 articles about maintaining operational security for the security intelligence function in the private sector is now online at Canadian Security Magazine.
Ontario wants to launch the Administrative Monetary Penalty (AMP) system. It’s a cute name for an extortion racket.
AMP will treat Highway Traffic Act (HTA) offences as a tax that you must pay. The accused cannot contest the charge; only discuss the amount of the penalty or perhaps the number of demerit points. This discussion will occur online with an ‘independent arbiter’.
The arbiter isn’t there to provide justice. You’re already guilty—you can only discuss the amount of the penalty. The money goes to the municipality and the municipality employs the so-called ‘independent arbiter’. The independence is a fiction.
The entire thing is an effort to bilk drivers. The government knows we must drive vehicles to exist in Ontario. Economists call this an inelastic demand. In such a demand, the quantity demanded is the same at any price because we must have it, and therefore, it may be taxed at any rate. The provincial government creates this tax by replacing the judicial process with automatic convictions and arbiters with a quota to meet—true government efficiency at last!
In 2011, the Law Society of Upper Canada specifically told the Law Commission of Ontario that AMP was not appropriate for HTA offences. The Ontario Paralegal Association rightly calls this an egregious violation of our legal rights. In rebuttal, the Ontario government imperiously states that there was a six-week public consultation about AMP that ended a couple of months ago, but I never heard of it and I haven’t found anybody else who heard about it either–some public consultation that was.
This will cause a drastic increase in the cost of insurance for residents of rent-seeking municipalities, as they will acquire artificially bad driver’s records. The term rent-seeking isn’t typically applied to government but I don’t see any alternative. Rent-seeking is seeking to increase your share of existing wealth by using the political process while not creating any new wealth. A rent-seeking government uses its discretionary and legislated authority to extract ‘rent’ for its own benefit.
What economists might call ‘rent-seeking’ is a coercive extortion racket, plain and simple. King John would feel a deep kinship with today’s Ontario government, since this type of behaviour brought about the Magna Carta eight hundred years ago.
An investigator can use LinkedIn, Facebook, and other sites to build a profile of someone’s personal and work life, but like so many things in life, this is both good and bad. What might happen if it is done to your business’s employees? How might this hurt your company? Most businesses do not think about this and if they do, they usually consider key executives to be most at risk. This is entirely wrong!
Operational security (OPSEC) is the lens through which to view this risk. View each employee in terms of what he knows and to what he has access. This will change your entire outlook.
The janitor has keys and is in the building alone. Security guards possess sensitive information. The secretary to the VP of Marketing knows when you will launch a new product. Are you starting to get the picture? This leaves the problem of how to analyse the content of sites like LinkedIn and Facebook.
For example, Facebook identifies your friends and family, and where they live. It knows your likes and dislikes. It knows your travel destinations. It knows posting habits and posts to which you will respond. All of this creates an OPSEC nightmare.
The Wolfram Alpha Facebook Report lets you see what information Facebook knows about you and your friends. It yields easy-to-understand charts, tables, and graphs in a personalized report.
This needs the account holder to log into Facebook before it will run; however, this will not stop an industrial spy, foreign agent, gangster, or terrorist. In certain dark corners of the Internet, hacking a social media account will cost about $350. Changing the privacy settings is a meagre deterrent. With the hacked account and the Wolfram Alpha Facebook Report, the crook or spy has everything he needs to plan the compromise of an employee.
LinkedIn & Spies
Using LinkedIn, researchers found the personal details of 27,000 intelligence officers that the researchers say are working on surveillance programs. They compiled the records into the ICWatch database, which is searchable by company, title, name, and location.
What might a skilled researcher find regarding your employees?
The biggest part of dealing with this OPSEC risk is recognising that it exists. The rest of the solution involves a combination of strict social media policies, non-disclosure agreements, conditions of employment, and employment contracts coupled with employee indoctrination and training.
The Great Google Escape
Google’s products are fast, intuitive and reliable–but they are not free. You pay Google with your identity, behaviour, habit, and preference information. Google then collates and analyses this data and sells it to advertisers and gives it to government and intelligence services. The longer Google does this, the more valuable the data becomes. This raises some very real privacy and security concerns for people who use Google.
There are solutions to this privacy and security issue. The first obvious solution is to avoid putting all your digital eggs in one basket. Use a different email and calendar provider. Use Firefox not Chrome as a browser. Use providers in Europe to take advantage of European Union privacy laws.
Sign in to your Google account and use Google Takeout to export your data from all the Google products to a downloadable ZIP file. Getting out of Gmail is easy–getting out of Calendar and Contacts not so much. Google sets file standards for their calendar and address-book to make migration awkward. However, migrating to mailbox.org in Germany seems to go ahead without any real difficulty. It even allows you to encrypt your emails and other files before storing them on the server. Best of all they do not scan your data and try to monetize it. However, it costs €1 per month.
If you use the free Google Drive, consider using the Omnicloud from Germany’s Fraunhofer Institute, which allows you to encrypt all data locally before uploading it to the cloud.
Install a tracker blocker such as Ghostery and Self-Destructing Cookies (SDC) in Firefox to guard against browser cookies, and use a search engine like DuckDuckGo, which does not record your search history.
Are you uncomfortable with how much Google knows about you? Google makes a lot of money mining your search history. A Boston-based privacy company, Abine, has a solution to this problem.
The Blur Private Search service prevents Google from linking a search query to you. Search results appear normally, except your search, IP address, and the links that you click on can’t be identified or connected to you by the search engine. It is easy to set up and use—you don’t have to sign up using Gmail or other service. Create an account using a throw-away email address.
Nothing is perfect. Private Search only works with Firefox because Chrome tells Google about everything you do all by itself. It won’t protect you from other search engines like Bing or Yahoo.