Remote File Handling

High Risk Files

When doing IIR, I often come across files that I don’t want to handle for security reasons. These can be Word documents, PDF documents, PostScript, or even gzipped PostScript files. These files may include malicious code. I sometimes don’t want any record of viewing the file on my computer. To accomplish this I must load these files remotely and safely so they never touch my system (for a true remote viewing of the file, the web cache should be disabled, as should swap and the home partition, unless the whole system is encrypted).

Unless you verify each file through a checksum or signature (such as MD5 or GPG), there’s a chance it could have been trojaned, or the file may contain phone-home instructions or some other malicious feature. If I don’t want to be recorded as a recipient of the file via something like ReadNotify, then the file must be verified clear of such code or it must be viewed remotely.

The Remote File Viewer

I use the site at http://view.samurajdata.se/. I have only used it with PDF and Word documents. PDF and Word files are transformed into single-page graphics which you may navigate through. Most of the time it works; occasionally a PDF does not load. It doesn’t require Flash and works without cookies or JavaScript enabled.

I don’t know anything about the site’s privacy policy or how it might affect anonymity.


Android Phone Security Risk

Android handsets ‘leak’ personal data

Many applications installed on Android phones interact with Google services by asking for an authentication token …

Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot…

Armed with the token, criminals would be able to pose as a particular user and get at their personal information.

Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.

Now what might an unscrupulous person do with this? Might one be able to observe a person using his Android phone, capture the token, and then use it to find out more about the person?
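Added example (my own, not part of the original post and not the researchers’ or Google’s code): a token scheme that closes the two weaknesses named above. The token carries an expiry and is bound to an assumed per-handset identifier, both covered by an HMAC, so a captured token stops working on any other device and after a fixed window. It does not fix the first problem, the token travelling in the clear; only carrying it over TLS does that.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key; a real service would keep this in a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid


def issue_token(user: str, device_id: str, now: Optional[float] = None) -> str:
    """Issue a token bound to one user, one handset and one validity window.

    device_id is an assumed per-handset identifier registered with the
    service. The expiry is embedded in the token and covered by the MAC,
    so neither the device binding nor the deadline can be stripped or edited.
    Assumes user and device ids contain no '|' characters.
    """
    issued = int(now if now is not None else time.time())
    expires = issued + TOKEN_TTL
    payload = f"{user}|{device_id}|{expires}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is valid for this handset now, else None."""
    current = int(now if now is not None else time.time())
    try:
        user, bound_device, expires_str, mac = token.split("|")
        expires = int(expires_str)
    except ValueError:
        return None  # malformed token
    payload = f"{user}|{bound_device}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered
    if bound_device != device_id:
        return None  # replayed from a different handset
    if current >= expires:
        return None  # captured token has expired
    return user
```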

New Standard for Privacy on Ontario Work Computers

I think R. v. Cole, 2011 ONCA 218 will become the leading case on an employee’s expectation of privacy on a work-provided computer. This appeal was a partial victory for a Sudbury high school teacher charged with possession of child pornography. The Ontario Court of Appeal ruled that police violated his Charter rights when they searched his laptop without a warrant.

A search of Cole’s computer by the high school’s IT staff found sexually explicit photos of a Grade 10 student that he had acquired from the student’s email account. The laptop was then turned over to the police and searched without a warrant. The evidence from the police search was excluded, while the IT technician’s search was held to be proper because it was done to maintain the school board’s network and the laptop.

Justice Karakatsanis wrote for the Ontario Court of Appeal which found the employee had a reasonable expectation of privacy in the contents of his laptop based on the following factors:

  • he had exclusive possession of the laptop;
  • he had permission to use it for personal use;
  • he had permission to take it home on evenings, weekends and summer vacation;
  • there was no evidence the board actively monitored teachers’ use of laptops;
  • the school board had no clear and unambiguous policy to monitor, search, or police the teacher’s use of his laptop.

This seems consistent with the prevailing case law regarding the recognition of an employer’s right to govern the use of their systems through policy, but it also recognises the rising privacy expectations of employees in the personal use of an employer’s system.

Detecting Firesheep

I wrote about Firesheep a while back. Predictably, a countermeasure has appeared, called BlackSheep.

New Firefox Add-On Detects Firesheep, Protects You on Open Networks

If you’re concerned about using open Wi-Fi networks because of Firesheep, the highly popular new hacking tool, you should check out BlackSheep, a Firefox add-on that makes surfing on open networks safe once again.

Hijacking Social Network Connections

The Firesheep Firefox plugin makes it easy to hijack someone’s social network connections. For example, Facebook authenticates the client using cookies. If someone logs on over a public WiFi connection, those cookies are sniffable. Firesheep uses WinPcap to capture the authentication information, which allows the connection to be hijacked.

Protect yourself by forcing the authentication through TLS, or by not logging into Facebook on public networks.
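Added example (mine, not from the original post or from Facebook): a small audit of a site’s response headers that tells you whether the session cookie is actually forced over TLS, showing the weak pattern Firesheep relies on beside the hardened one. The sample headers are constructed, and the session-cookie name heuristic is an assumption.

```python
# Constructed sample responses, as seen on the wire. The weak one is the
# pattern Firesheep relies on: a session cookie with no Secure flag and no HSTS,
# so the browser will happily send the cookie over plain HTTP on open Wi-Fi.
WEAK_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Content-Type", "text/html"),
]
# Hardened: Secure + HttpOnly on the session cookie, plus an HSTS header so the
# browser refuses to talk to the site over plain HTTP for a year.
HARDENED_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
]

# Assumed heuristic for which cookie names carry authentication state.
SESSION_HINTS = ("sess", "auth", "token", "login")


def parse_set_cookie(value):
    """Split one Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_headers(headers):
    """Return a list of findings; an empty list means the session is TLS-only."""
    findings = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security: browser may still use plain HTTP")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not looks_like_session(name):
            continue
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, sent in the clear over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable by page scripts")
    return findings
```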

Facial Recognition for the Masses

Facial recognition software

Enter a photo at http://developers.face.com/tools/#faces/detect and locate all photos of the same individual on Facebook. This is limited to your friends at this point, but some developers are putting this into iPhone apps. You can snap a photo on the street and get all of a person’s info through Facebook and other services this way. In May 2010 they stated that their Facebook apps had scanned over 7 billion photos in total and identified no less than 52 million faces.

This is something to watch as it has some interesting applications for the Investigator. Of course some people will think the sky is falling due to the mere existence of this app, but the technological genie was let out of the bottle a long time ago.

Secret Squirrel

Concealing one’s activities on the Web is something every Investigator should understand. You should understand this for your own use and to understand how these techniques may deny you needed information. Yet using these techniques may also target you as an undesirable in some circumstances.

The following are methods used to obscure Internet traffic and avoid IP blacklists and content filters.


Surveillance in a Wireless World

When a Windows PC in its default configuration is unable to find any Wi-Fi access point, it actively seeks one out. In doing so it broadcasts signals (probe requests) trying to connect to any network it has previously joined, cycling through all of the network names it has used before. All of this is sent in the clear and can be captured by anyone nearby with a simple wireless tool running in “sniffing mode”. All of the network names it has connected to are disclosed within a few minutes. Coupled with an online resource such as WiGLE, this information can be used to build a profile of the PC owner: where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Any network that PC has connected to over Wi-Fi is an open book.

Defeating Forensic Examination of Computers

The incinerator and the shredder were the crook’s best friends prior to the computer era. Today, software is available for the same purpose. A search for “anti-forensics” turns up a lot of usable information and guidance for those so inclined.

Of particular interest should be the Metasploit Anti-Forensics Project. If you are unaware of the tools that come under the term “anti-forensics”, then an article from CIO entitled How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab should illustrate that Investigators now face anti-forensics as part of everyday life.

Facebook & Privacy

Facebook recently responded to a subpoena from Virginia by saying that it was “overly broad” because the federal Electronic Communications Privacy Act (ECPA) protects the privacy of user accounts. The lawyer who issued the subpoena then requested a “contempt citation against Facebook” from Virginia’s Workers’ Compensation Commission. Facebook argued successfully that “Courts have interpreted the ECPA to prohibit services such as Facebook from producing a non-consenting subscriber’s communications even when those communications are sought pursuant to a court order or subpoena.” This was a case where a claimant’s Facebook content contradicted the details of her claim.

For many years, “privacy rights” have been used to conceal the proceeds or methods of crime. Some businesses like Facebook aggressively support “privacy rights” to enhance their bottom line.

The article cited above shows how large internet services such as Facebook can make investigation and litigation impractical from a time and cost standpoint. It illustrates the type of battle you may be forced into to get evidence, not only in civil cases but also in criminal cases such as fraud. These multimillion-dollar internet companies have the money to fight the production of any court-ordered information, and if the word “privacy” can be attached to an issue, they are endorsed by assorted “privacy rights” groups.

Yet in Toronto, Canada, we see how Facebook appears to be acting in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA) by refusing to grant Playboy model Anissa Holmes access to her own pictures or to delete them from Facebook servers after shutting down her profile. This isn’t the first time Facebook has run afoul of Canada’s premier privacy law, PIPEDA.

It seems that it doesn’t matter which side of the privacy issues you’re on, it’s a good payday for lawyers.

Xerobank, Zero Customer Service

In a previous post we mentioned XeroBank as a possible alternative to TOR.

Once you’ve figured it out, XeroBank is a great system! It’s a VPN connection to their servers which assigns you either a Dutch, US or Canadian IP address; other nations’ IP addresses are not available. There is some confusion on their website as to whether other countries are available or not; the website merely says you can choose a country.

Once connected via the VPN, you can use your browser and other programs to access the internet. We did not try their email service. The system is fast and you can even stream video quite easily. Basically, it’s a great service if you have lots of time to read up on it and figure it out on your own, because there is no customer support or documentation from the company; the public forums are the only place you’ll get any answers.

The sign-up process and administration process are not straightforward. It is very hard to understand how to log in to the account and how to use it. Four emails to customer service over the course of 3 weeks after sign-up, and no answers.

They say the first month of the service is free, but as you’re signing up you’re asked for your credit card and they charge you $1 for the first month. It is then very difficult to cancel your subscription; actually, you can only put it on hold by going to the website of the billing company they use and suspending your account. We only learned that by asking the question on their public forum, where we received an answer from someone we presume to be an employee; emails to support were never answered.

Customer support is non-existent. They are more interested in the technology than their customers. (If you want to see the people who might be behind XeroBank, have a look at the delegation they sent to the last DEFCON event.)