The Individual First Aid Kit (IFAK)

Recent involvement in investigations into industrial accidents and incidents involving security officers caused me to look into the state of first-aid training. I have some concerns that lessons-learned are not being applied as well as they should.

Recent wars have taught us how to teach personnel to control severe bleeding and maintain an airway under adverse situations. Unfortunately, from what I have seen, this hasn’t filtered down to industry in the form of better training and equipment.

This battlefield experience should be of interest security personnel at sites that might experience an active shooter or similarly catastrophic event. Those involved in emergency and business continuity planning should also take note of these lessons. My comments do not reflect the specific situation in any one Canadian province. I am aware of all the regulatory inertia, concerns about costs, and legal implications that inhibit change, but these are weak excuses for inaction when lives may be at risk. The injured person who is beading to death or suffocating doesn’t give a damn about laws and regulations–he simply does not want to die.

Read more

Who’s Watching & Listening

You never know who is watching. Please note that if you are Investigating someone inside your own company, and using the company network to search the Internet, at least use the encrypted search sites.  However, it is becoming more common for large companies to insert an inline HTTPS proxy in the network to  read and analyze this traffic by creating a man-in-the-middle. You can’t be sure that your investigation won’t be compromised because someone sees what you are searching and then tells the wrong person.


Remote File Handling

High Risk Files

When doing IIR, I often come across files that I don’t want to handle for security reasons. These can be Word documents, PDF documents, PostScript, or even Gzipped PostScript files. These file may include a load of malicious code. I sometimes don’t want any record of viewing the file on my computer. To accomplish this I must load these files remotely and safely so they don’t touch your system (the web cache should be disabled to accomplish a true remote viewing of the file as should the swap and home partitions, if the whole system isn’t encrypted).

Unless you verify each file through checksum verification (like MD5 or GPG) there’s a chance they could’ve been trojaned or the file may contain phoning home instructions or some other type of malicious feature within the file. If I don’t want to be recorded as a recipient of the file via something like ReadNotify then the file must be verified clear of such code or it must be viewed remotely.

The Remote File Viewer

I use the site at I have only used it with PDF and Word documents. PDF and Word files are transformed into single paged graphics which you may navigate through. Most of the time it works, occasionally a PDF does not load. It doesn’t require Flash and works without cookies or javascript enabled.

I don’t know anything about the site’s privacy policy and how that might that might affect anonymity.



The Clean Machine

When doing IIR, the computers must be free of malicious code (S. 31 Canada Evidence Act). We often set aside a computer for this purpose after doing some Spring-Cleaning. But how we prepare the machine for the installation of the clean version of the OS and application software is important.

We use Darik’s Boot and Nuke (“DBAN“) which is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which also makes it an appropriate utility for bulk or emergency data destruction. DBAN is a means of ensuring due diligence in computer prepartation for IIR. It is also a good way to periodically clean a Microsoft Windows installation of viruses and spyware.


Securing Firefox – Configuration Settings

This is about stopping the dreaded disease, Data Diarrhea. The websites you visit can leave behind a trail of data on your computer and in their server logs. All of this Data Diarrhea can identify the Investigator and this can complicate the problem he is trying to solve. Lax privacy & configuration settings may also leave the Investigator’s computer vulnerable to attack by hackers.

This article describes more advanced methods of customizing Mozilla applications, by editing the configuration files.

about:config entries

about:config is a feature of Mozilla applications which lists application settings (known as preferences) that are read from the profile files prefs.js and user.js, and from application defaults. Many of these preferences are not present in the Options or Preferences dialog. Using about:config is one of several methods of modifying preferences and adding other “hidden” ones.

Editing the user.js and prefs.js files are an alternative method of modifying preferences and recommended for very advanced users only. Unless you need a prefs.js and/or user.js file modified for a specific purpose, you should use about:config instead.

This article refers to the Firefox V. 9 edition of the browser. These entries may have adverse effects on Thunderbird and Mozilla Suite/SeaMonkey and older versions of Firefox. These settings will affect all profiles of the browser.

In Firefox, type about:config in the Location Bar (address bar) and press Enter to display the list of preferences. You may get a warning page next, just click OK and move on.

about:config > browser.display.use_document_fonts > change value to 0

0: Never use document’s fonts
1: Allow documents to specify fonts to use
2: Always use document’s fonts (deprecated)

Don’t let the site access to the fonts on your computer. That grants too much access that can be abused.

about:config > browser.sessionhistory.max_entries > change value to 2

The maximum number of pages in the browser’s session history, i.e. the maximum number of URLs you can traverse purely through the Back/Forward buttons. Default value is 50.  Set it to 2 so that the site you visit can’t see where you have been during your Investigative Internet Research (IIR) assignment.

about:config > > double click to false is a mechanism allowing web pages to store information with a web browser (similar to cookies) called “client-side session and persistent storage.” Although use of session storage is subject to a user’s cookie preferences, this preference allows it to be disabled entirely.

about:config > geo.enabled > double click to false

True is location aware browsing enabled. Default is true. You want to disable this. See for details of geolocation in Firefox.


Securing Firefox – General Privacy Settings

General Firefox Privacy Settings

The basic privacy settings in general settings, are found in the options bar in Firefox 9.0 (Firefox > Options > Options) or for iOS, Preferences.

  1. Content: Enable block popup windows and disable Javascript when it isn’t needed.
  2. Privacy: Enable the DNT (Do-Not-Track). For History, use custom settings. “Always use private browsing mode” should be enabled. “Remember my browsing history”, “Remember download history” and “Remember search and form history” should be turned off. “Accept cookies from sites”, but un-check “Accept third party cookies” as they aren’t needed often. Location bar: select “Suggest nothing”.
  3. Security: Enable “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”. Under Passwords, disable “Remember passwords for sites” and use a master password.
  4. Advanced – General – System Defaults: Disable “Submit crash reports and performance data”.
  5. Advanced – Network – Offline Storage: Check “Override automatic cache management and limit cache to 0MB space”. Further—you can un-check “Tell me when a website asks to store data for offline storage use”.
  6. Advanced – Encryption: Ensure both “Use SSL 3.0 and Use TLS 1.0” are enabled. Then click validation > check “When an OCSP server connection fails, treat the certificate as invalid”.



Security & Privacy Add-ons for Firefox

Firefox is the online researcher’s best friend. No other browser gives so much control to the user as Firefox. It is more customizable than either Google Chrome or Internet Explorer.

Like any browser, you must be aware of what data you are releasing when you visit a Web site. The following add-ons help eliminate two serious security threats that occur when doing Investigative Internet Research (IIR).

BetterPrivacy—This add-on is pretty basic, but a must have. BetterPrivacy deletes flash cookies (LSOs/SuperCookies).

KeyScrambler—Check out Alex Long’s post from Null Byte for information about what KeyScrambler is and how it works.

I have already written about:

  • NoScript— NoScript allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, and guards the “trust boundaries” against cross-site scripting attacks (XSS). Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!). This is a must-have for IIR.
  • HTTPS Everywhere—This is a must-have add-on provided by the Electronic Frontier Foundation. HTTPS Everywhere enables a secure connection on pages that have SSLCertificates.  For example, when you use Google search most people use the unencrypted version. This add-on will force Google to deploy its SSL certificate. The DuckDuckGo (DDG) search engine also uses a version of this.



Android Phone Security Risk

Android handsets ‘leak’ personal data

Many applications installed on Android phones interact with Google services by asking for an authentication token …

Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot…

Armed with the token, criminals would be able to pose as a particular user and get at their personal information.

Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.

Now what might an unscrupulous person do with this? Might one be able to observe a person using his Android phone, capture the  token, then use it to find-out more about the person?

The Olde Ways

I was summoned to a meeting with a client. The client firm is over a century old. This successful firm has learned a thing or two about security.

I was asked to surrender my electronic gadgets. Being of the old school, I had none. This pleased the gatekeeper. I was led to a room furnished with only a curious table and four old wooden bankers chairs. No telephone, no electrical outlets, one florescent light fixture above the table.  The gatekeeper had to unlock the room. She then waited at the open door until my contact arrived.

My contact enters and places pieces of chalk and a chalkboard eraser on the the table. Most of the table top is painted with chalkboard paint.

We eventually compose a handwritten Memorandum of Agreement regarding the engagement, sign it, and off we go.

These people understand the rules, especially Rule #1 — If you don’t want it overheard, don’t say it. But I must admit, I have never seen a “Magic Slate” table before.

Erase Data with a Hammer

Flash-based solid-state drives nearly impossible to erase

Researchers from the University of California at San Diego delivered a paper at the FAST-11 Conference in San Jose, Calif., last week that shows it’s almost impossible to reliably erase data from a solid state drive.

The report, Reliably Erasing Data from Flash-Based Solid State Drives (PDF), goes through all of the known techniques for erasing data and they found the best method was a big hammer.


Anonymous Searching

In the past I have written about hiding your tracks as you search the Internet and about the Google SSL search interface.

Scroogle via SSL

Now let me introduce you to the SSL version of Scroogle.  Like the SSL Google, it hides your search terms from IP logging.  No one snooping between your browser and Scroogle can figure out what you were looking for, because the information is encrypted.  Unlike the SSL version of Google, your IP address is dropped before your search terms are sent to Google. Therefore, Google has no idea who is conducting the search.

When you click on any of the links in the Scroogle results on the secure results page, SSL does not allow the browser to record the address of where that secure page came from, and attach it to any outgoing non-SSL links on that page. Using SSL blanks-out this referrer, so that any non-SSL site you click on from a Scroogle SSL page won’t even know that you arrived at their site from Scroogle or anywhere else.

Using Scroogle

In practice, Scroogle isn’t the greatest for finding video and clicking on a link does not open a new window in Firefox. This makes it somewhat awkward when doing high-volume searching, but it offers excellent security.

URL Shorteners

An article on URL shorteners was recently published in the Share section of FUMSI.

The FUMSI article doesn’t address the security issues surrounding the use of these things.  For the security issues, see these articles on Evil URL Shorteners and How to Preview Shortened URLs.  The ability to preview the shortened link is key to the proper use of URL Shorteners.

Now you know everything you need to know about URL Shorteners.

Detecting Firesheep

I wrote about Firesheep awhile back. Predictably, a countermeasure has appeared called Blacksheep.

New Firefox Add-On Detects Firesheep, Protects You on Open Networks

If you’re concerned about using open Wi-Fi networks because of Firesheep, the highly popular new hacking tool, you should check out BlackSheep, a Firefox add-on that makes surfing on open networks safe once again.

Hijacking Social Network Connections

The Firesheep Firefox plugin makes it easy to hijack someone’s social network connections. For example, Facebook authenticates the client using cookies. If someone logs on using a public WiFi connection, the cookies are sniffable. Firesheep uses Wincap to capture the authentication information which allows you to hijack the connection.

Protect yourself by forcing the authentication through TLS or stop logging into Facebook using public networks.

Regulatory Risk From Bribery

According to the 2010/2011 Kroll Annual Global Fraud Report, many companies do not recognise the risks associated with bribery.

“Companies are unprepared for regulation: Increased regulation through the Foreign Corrupt Practices Act (FCPA) and the introduction of the UK’s new Bribery Act has created new challenges for companies. According to the survey, nearly two-thirds (63%) of businesses with operations in the US or UK believe the laws do not apply to them or are unsure. As a result, many are unprepared to deal with the regulatory risks: less than one-half (47%) are confident that they have the controls in place to prevent bribery at all levels of the operation, compared with 42% who say they have assessed the risks and put in place the necessary monitoring and reporting procedures.”