Good-bye Windows XP

If you have older machines running Windows XP, then  Microsoft will cut-off support of the operating system on April 8, 2014. That means no more patches, no more new software versions, no more drivers for new peripherals–and most importantly, no security updates and patches.

If you have an older machine that is running properly with XP, then you will probably find that installing Windows 7 or 8 will make it run like molasses in January. Most machines running XP don’t have enough memory to run Windows 7 or 8 efficiently.

I’ve been using Ubuntu 12.04 because it is the most secure of all the current OS offerings. The CESG, the UK government’s arm that assesses operating systems and software security agrees with me. Ubuntu also has the largest collection of applications in the Linux world.

Zorin OS 7, is also a good option when switching from Windows XP. It is faster, looks better and offers better performance than Windows, yet its user interface is similar to Windows and intuitive for long-time Windows users. It allows you to run Windows programs using WINE and PlayOnLinux emulators, as will other Linux distributions.

The US Department of Justice has “found” that Microsoft Windows is run by more than 95% of personal computers and that means that there are thousands of programs that will only run on Windows. WINE and PlayOnLinux allow you to use familiar programs to avoid a steep learning curve.

FinSpy & Browser Hygiene

Recently, I had run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design  makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.

This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update” Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.

What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Fortress Firefox II

The browser is the most used outward facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds-up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day-Just visit the wrong web site and get remote-code execution.

No matter which browser you use, it will require proper configuration. No browser blocks JavaScript and all third-party cookies by default. These are my first security concerns.

In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it to transmit data that can be used to thwart your investigation.

Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.

Fortress FireFox

To create my everyday fortress Firefox, I use the following:

For more anonymity, privacy, and security, I do the following to my instance:

  • To preserve privacy, I use a VPN.
  • To preserve anonymity, I use Tor to connect to an anonymous VPN.
  • To maintain security, I work from a Virtual Machine hosted by a different OS on a clean machine.

If you aren’t doing the same, then you don’t know what is on your PC and what it might be doing to work against you. There are a lot of bad actors out there trying to insinuate malware onto as many machines as possible. If you are using your PC to gather evidence, malware can destroy the integrity of everything you collect.

Conducting Investigative Internet Research is not as easy as it might seem. There is more to it than doing a few poorly structured Google searches. You need to understand how to create a clean machine that will pass muster under S. 31 Canada Evidence Act. You must prevent all your research, and your identity, from ending-up in the hands of the very people that you are investigating. This happens. I have to believe that it happens often but isn’t recognised by most investigators. Would you know if your machine had a trojan like FinSpy? Do you know how to prevent the installation of something like FinSpy? Do you know how to get rid of it?

If you frequent bad internet neighbourhoods, then you will encounter bad people doing bad things, and they will try to do bad things to you.

Exif Viewers

In a past article, I explained Exchangeable Image File or Exif data and pointed you to www.regex.info, an easy to use exif viewer with a geo-locator. The regex.info Exif viewer allows you to enter the image URL or to upload an image for analysis. It doesn’t require JavaScript and it doesn’t have any widgets.

Another easy to use online exif viewer may be found at www.fotoforensics.com, but you must enable JavaScript to use it. You can use the URL of the picture instead of uploading the image.

The online exif viewer at www.gbimg.org has a lot of widgets on it.

My last discovery was the Exif site at http://www.findpicturelocation.com. Just upload the picture and it will show the location where it was taken. It only works with .jpg or .tif files. You must upload the image to the site, so who knows where it might end-up. This uses the Google API for the mapping. Not all pictures have the GPS coordinates in them.

Trolling RSS Feeds

RSS (Rich Site Summary) is a format for delivering regularly changing web content. Many news-related sites, blogs and other online publishers syndicate their content as an RSS Feed to whoever wants it.

I have written quite a lot about RSS in the past. The following are my choices for both installation on a PC and for a web-based reader.

RSSOwl

RSSOwl is cross-platform as it’s Java-based. It handles RSS, Atom and RDF in terms of feed formats. You must have Java installed, no matter where you run it. It cooperates with Firefox to add feeds to RSSOwl from the browser. Just go to the feed and copy the URL then go to RSSOwl and click on add feed and it knows where to find the feed. You can also drag and drop Feeds from Firefox into RSSOwl. RSS Owl has an embedded web browser, so you don’t have to open up a separate browser window to view links or to view the full version of feed items that are shortened. You do have to set this up under “Browser” in the Preferences menu option. Choose to Default to the Embedded Browser. To get the RSSOwl embedded browser to work properly with OneNote so that it includes the URL in pasted items, you must enable Java Script. I do not recommend doing this except on an isolated machine otherwise, malicious Java Script code could cause serious problems.

RssBandit

When I need to collect video and podcasts from RSS feeds, I turn to RssBandit. The embedded browser is MS Internet Explorer, therefore, it includes the pertinent URL when you copy to OneNote as the embedded browser is the same.

This is my favorite RSS reader overall, though, I have experienced occasional problems with exporting feeds for another implementation of the reader. This problem seems to stem from differences in the underlying OS on the importing computer. It can be an irritation when starting a project with tight deadlines.

RSSOwl has an edge for a group of researching working in a collaborative environment as it is easier to set-up and distribute to the group.

Web-based RSS Reader

The two most popular seem to be Feedly and Inoreader readers that offers similar features and options.

Inoreader offers secure HTTPS access and over 40 different customization options. If I must use a web-based reader this is the one.

I refuse to use Feedly because extensions like NoScript, Adblock, HTTPS Everywhere, etc. prevent the site from loading. I never use sites infested with stuff that my normal suite of extensions prevents from loading. You only have to encounter one ad with malicious code to cost you many hours of work to purge the problem code from your machine.

Incognito Searching

Your search and browsing behaviour allows Google to personalise your search results. To escape this filtering of your results use a private browser window called incognito as it is called in Chrome. Google will then ignore tracking and search cookies to stop personalising your results. To get a private browser or incognito window use the following key combinations:

  • Chrome –  Ctrl+Shift+N
  • FireFox – Ctrl+Shift+P
  • Internet Explorer – Ctrl+Shift+P

I have found that this approach doesn’t work with Bing.

Google-Free Wednesday–Metasearch

Metasearch for the Big Guys

Dogpile returns results from Google, Yahoo!, and Yandex. The Russian engine, Yandex, is the fourth largest search engine in the world and Yahoo! is really the Bing search engine database.

Dogpile is only good for short and simple search statements, however, it is a good for a quick look at what you are likely to get from the largest search engines.

Copernic Agent

Copernic has stopped selling its professional version metasearch tool and discontinued all support for both the professional and free personal versions of Copernic Agent. It only searches five of the 15 search engines it purports to search (Google, Bing, Yahoo, Dogpile, and Open Directory Project).

Copernic is Windows only.

iMetaSearch

iMetaseach is a possible replacement for Copernic. It is now in version 5.03, so it isn’t a new kid on the block. The paid version searches Google and purports to search 11 other search engines.

The program groups search results by concept; click a group that interest you and the search results will be revised. This is an effective method to refine search results and get the most relevant results. It’s very effective for ambiguous search terms.

Unfortunately, iMetasearch has a steep learning curve, but if you frequently conduct Investigative Internet Research it is worth the effort to learn how to use this advanced web search tool.

iMetasearch is Windows only.

Sly Pols & Crats

There is nothing slipperier than a politician or bureaucrat trying to avoid accountability while extolling how transparent and open they are. These craven creatures turn our access to information laws into the proverbial greased pig. Continue reading ‘Sly Pols & Crats’

Surveillance in a WiFi World

I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.

At another table, I notice something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.

Do you know what the WiFi Pineapple can do?

Surveillance & the WiFi Pineapple

The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.

From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.

All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.

Protect yourself

The simplest protection is the best. Shut-off the WiFi on your portable device. Use WiFi in secure environments only.

Google Free Wednesday—DDG Site Search Command

The DuckDuckGo (DDG) search engine aggregates content to provide search results while offering significant privacy features. My favorite search shortcut in DDG is its version of the Google site: command. Place an exclamation point before the site you want to search–for example, “private investigator” !facebook. The exclamation point directs the search to a specific site. In this case, you will have to login to your Facebook account to see the results.

The Individual First Aid Kit (IFAK)

Recent involvement in investigations into industrial accidents and incidents involving security officers caused me to look into the state of first-aid training. I have some concerns that lessons-learned are not being applied as well as they should.

Recent wars have taught us how to teach personnel to control severe bleeding and maintain an airway under adverse situations. Unfortunately, from what I have seen, this hasn’t filtered down to industry in the form of better training and equipment.

This battlefield experience should be of interest security personnel at sites that might experience an active shooter or similarly catastrophic event. Those involved in emergency and business continuity planning should also take note of these lessons. My comments do not reflect the specific situation in any one Canadian province. I am aware of all the regulatory inertia, concerns about costs, and legal implications that inhibit change, but these are weak excuses for inaction when lives may be at risk. The injured person who is beading to death or suffocating doesn’t give a damn about laws and regulations–he simply does not want to die. Continue reading ‘The Individual First Aid Kit (IFAK)’

Social Media Monitoring for Security Departments

A client that operates a security guard company called recently to ask a question spawned by a structure fire near one of the buildings his company guarded. He wanted to know if his guard posts could monitor the news and social media for events near the sites that they guard. All these sites have high-speed internet access. Continue reading ‘Social Media Monitoring for Security Departments’

Taking Bitcoins to the Laundry

Bitcoins have interested me of late as I am writing my next book which is about issues of security, privacy, and anonymity while doing investigative internet research. Continue reading ‘Taking Bitcoins to the Laundry’