Android Phone Security Risk

Android handsets ‘leak’ personal data

Many applications installed on Android phones interact with Google services by asking for an authentication token …

Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot…

Armed with the token, criminals would be able to pose as a particular user and get at their personal information.

Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.

Now what might an unscrupulous person do with this? Might one be able to observe a person using his Android phone, capture the token, then use it to find out more about the person?

The Toilet Paper Shortage of 1973

The writers for Johnny Carson heard that the U.S. government was having a hard time getting bids for the supply of toilet paper and that it might be possible that in a few months the United States could face a shortage of toilet tissue. They took the words of the Wisconsin congressman who said this, Harold Froehlich, and decided to add a joke for Carson for the next evening's show.

This had some far-reaching and unintended consequences.


This Message Will Self-Destruct

This Message Will Self-Destruct offers the ability to send an encrypted email-like message to another person either with or without a password.  As a reassurance that your message is secure, it’s never stored with TMWSD.  The optional password salts the encryption key for even more security.

Once you have entered your message and clicked on SAVE THIS MESSAGE, you will be given a URL to pass on to the recipient. When the intended recipient reads your message (with or without the password you may have given them) the encrypted message is deleted forever. If you lose the password your message is also lost!

Secret Squirrel

Concealing one’s activities on the Web is something every Investigator should understand.  You should understand this for your own use and to understand how these techniques may deny you needed information.  Yet using these techniques may also target you as an undesirable in some circumstances.

The following are methods used to obscure Internet traffic and avoid IP blacklists and content filters.


COMSEC

Thou shalt not be afraid for the terror by night; nor for the arrow that flieth by day; Nor for the pestilence that walketh in darkness; nor for the destruction that wasteth at noonday. (Psa 91:6)

I don’t think they were talking about Communication Security (COMSEC) when they wrote that Psalm, but good COMSEC helps avoid terrors that come in the night.

Zfone for VOIP

Zfone appears to be the lowest cost solution for robust VOIP encryption that you control.

Skype

Calls made over Skype are encrypted with 256-bit Skype encryption keys, a length that, at least in theory, would take a literal eternity to crack. But you don’t have control over the encryption; Skype does.

Oldstyle COMSEC

To avoid an electronic trail, hard copy letters that are distributed via snail mail in a circular rotation might work. These are known as circular letters. Each letter is given a number, and each addendum that is added is given a letter. Subsequent letters can reference the content of earlier ones, for example, “as mentioned in Letter 2-A”, etc.

This can be modified to include an emailed file that is encrypted and the message sending it digitally signed by each person.  Using nearly anonymous email accounts accessed through TOR would make this very secure.

21st Century Hi-Tech Magic Slate

The four-ounce, $30 USD Boogie Board runs on a watch battery and mimics the feel of putting pen to paper. To erase, simply press a button. It is an 8.75 x 5.5 inch thin plastic slate that has the same functionality as the Magic Slate (it doesn’t store what you write) except that it uses LCD technology. However, the battery that powers the Boogie Board is not replaceable. Once it’s depleted, the board is useless. According to the Boogie Board site, that’s around 50,000 erase cycles.

Please note:

I won’t tell you why I’ve been so interested in the Magic Slate, 18th Century PDA, or this gadget, but I’m sure you might be able to imagine some uses for them.

18th Century PDA

If Moleskines are a throwback to a time before PDAs, then the 18th century version of the PDA is the pocket notebook made of sturdy brass stock with 4 old ivory pages and a pencil. It can be written on with pencil, smudged off with your finger, and used over and over again. It closes into a 1-1/8 inches by 4-1/2 inches by 3/16 inch thick package. It seems like an 18th century version of the Magic Slate.

FireFox Pdf It! Addon

Pdf It! is more than PDF

The Pdf It! extension is designed for FireFox running on Windows, Mac OS X, or Linux. The Pdf It! menu item appears in the Tools menu as well as context menu.

The Pdf It! extension features are as follows:

  • Convert current page (Whole Page or Visible Part) to Image (PNG or JPEG)
  • Add title to generated image (Firefox 3 only)
  • Specify the color/position/font size for title
  • Apply up to 16 filters while converting page to Image

ImageVenue

I don’t have much use for the PDF function of this addon (based on an online service). The PDF function does not provide a full colour rendition of the Web page. It is the ability to create a JPEG of a web page that can be emailed or put up on a site like ImageVenue.

If you use ImageVenue, then you only need to send a link to the image, which must be either JPEG or JPG with a maximum size of 3 meg. For example, an image of our web page is easier to send as a link than as an image file. Of course this is not secure from outside viewing but it is handy for some things.

Email Overload

How to write attention-grabbing e-mail messages

Email filled with typos, spelling mistakes and irrelevant information can make you look stupid. This article contains seven tips to improve your use of e-mail to make you look more professional.

The article also points out things for which you should not use email. For example, document collaboration.

Expert tips to guard against e-mail overload

“We have created a cultural urgency with e-mail that is not correct.”

“You can fight e-mail overload with a few commonsense practices, experts say.”

Where did this email come from?

Tracking down the origin of email messages has become a staple of many Private Investigators. Without getting into mind-numbing technical details, here are the steps I take to find the origin of anonymous email missives.

  1. Search the sender’s email address using Google, Bing, and other search engines to see if it appears. Next, search using Intelius’ reverse email lookup. If the email appears registered to a name, you can pay a fee of $4.95.
  2. Even when a misleading email address is the origin, read the IP addresses in the header from bottom to top. The IP address in square brackets is the origin IP. Or, use IP tool to track the IP address. Copy the headers into the box and select your email system.
  3. Go to What Is My IP Address and enter the IP address to see where it originates.
  4. Search the email address using Spokeo.
  5. Try ReadNotify.com and email the anonymous correspondent. If he opens your message, then it will notify you and send back the reader’s IP address, the date and time the message was opened, location of recipient, map of location, apparent email address of opening (if available), referrer details (i.e., if accessed via web mail, etc.), URL clicks, how long the email was read for, how many times your email was opened and if your email was forwarded, or opened on a different computer. If he opens your message in his office, then you will know where he works. However, this seems to only work with HTML enabled email programs. Remember, the header data from the original message will probably tell you what email program sent the message. NOTE: This does not work if the recipient opens the email in the Web version of Gmail. If he receives it in a desktop client that polls Gmail, then it will work.
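
The bottom-to-top header reading in step 2, as an added Python example that is not part of the original post: it walks the Received headers from the oldest hop upward and returns the first bracketed address that is not private or loopback. The sample message, its host names and its addresses are constructed, and any Received line below the first server you trust can be forged by the sender.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123; Tue, 3 May 2011 10:00:05 -0400
Received: from relay.example.com (relay.example.com [192.0.2.25])
\tby mx.example.net with ESMTP id def456; Tue, 3 May 2011 10:00:03 -0400
Received: from [10.0.0.5] (dsl-host.example.com [203.0.113.44])
\tby relay.example.com with ESMTP id ghi789; Tue, 3 May 2011 10:00:01 -0400
From: "Anonymous" <someone@example.com>
Subject: constructed test message

body
"""

BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that say nothing about where a message entered the Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def hops_bottom_up(raw):
    """Return one list of bracketed IPs per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = []
        for text in BRACKETED.findall(value):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:      # e.g. [999.1.1.1] is not an address
                continue
        hops.append(ips)
    return hops

def origin_ip(raw):
    """First routable bracketed IP, reading the headers from bottom to top."""
    for ips in hops_bottom_up(raw):
        for ip in ips:
            if not any(ip in net for net in NON_ROUTABLE):
                return str(ip)
    return None

if __name__ == "__main__":
    print(origin_ip(SAMPLE))
```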

Secure File Delivery

Delivery of large reports and file material is becoming a problem for many organisations. Electronic file delivery poses risks to the integrity and security of the data, and delivery of printed copies is too slow and expensive. Email delivery is not possible in many cases as the files may be too large, even when zipped.

You can resort to establishing an FTP site of your own, or create a secure delivery site using something like OWL, or use a third party service.

A usable third party solution to this problem is YouSendIt. This lets you send and receive files up to 2GB in size. A zipped 2GB file represents a large volume of data. Passwords control access to files you are sending and receiving, but YouSendIt does not encrypt files on their servers.

Regardless of the solution selected, the person transmitting the data must assume responsibility for the encryption. Never, ever, let somebody else take responsibility for the encryption — do it yourself on your own computer.

China’s Espionage and Cyber Attack Strategy

An excellent article about the “recent discovery of Chinese cyber warfare attacks on foreign computers, on communication computers of visiting dignitaries, and espionage activities to assist a friendly country is building weapons of mass destruction (WMDI)” entitled China’s Silent Warfare at BLOg Source INTelligence reveals a lot about China’s espionage and cyber attack strategy.