Just Another Dent in Your Privacy

The EU’s Justice and Home Affairs Committee held an extraordinary meeting in Brussels this week. They did as they normally do – made a bunch of decisions that affect your privacy – without consulting you – their normal MO.

The Irish Justice Minister – some middle aged woman with about as much awareness of the basis of global jihadism as the average infant – stated that she was finalising a “statutory instrument” which will provide the legal basis through which Irish-based airlines and ferry companies will provide the UK authorities with API data (Advance Passenger Information).

From then on all passengers entering the Common Travel Area in the EU will have their data shared amongst what is being called “the appropriate law enforcement and immigration authorities” before they start their journey. As usual the definition of “appropriate” is code for just about anybody they feel like sharing it with – without oversight.

European Ministers said they were also preparing to share information from national criminal databases with each other. Seems like national data protection legislation was also unilaterally abolished at this “meeting”.

The wholesale and undemocratic removal of personal freedoms and erosions of privacy without consultation also includes a plan to gain access to data from Viber, Skype, Whatsapp and other providers that allow IP based phone calls.

In a final measure we can look forward to our data being shared with upstanding nations such as Turkey in an effort to “step up counter-terrorism efforts”. Other human rights luminaries who will have access to this info include representatives from North Africa, the Middle East and the Western Balkans.

The 180 Day Email Rule

Have you heard of the 1986 Electronic Communications Act? Probably not.

The law was passed by Congress many years before the vast majority of people were online. The main takeaway from the legislation is this:

Emails that are older than 180 days are considered abandoned and that makes them subject to search without a warrant. 

That’s a little intrusive. And a totally ridiculous definition of abandoned. A secret 181 days ago is still a secret today. A private matter 181 days ago is still a private matter today.

The process for one of the alphabet agencies to access your “abandoned” emails is that they need only ask your Internet service provider for the messages.

A bill seeking to extend Fourth Amendment privacy protections for personal papers to digital files and repeal the 1986 law has repeatedly failed to make progress since being proposed in 2012.

See more on the debate here from Philip Wegmann the congressional correspondent for The Daily Signal.

 

"Has My Phone Been Hacked? Am I Being Surveilled?" – You Have No Idea

When someone asks that question do they mean that they are worried about rootkits, backdoors, trojans, worms, spyware, keystroke logging; are they concerned that someone has clocked their PGP private key; do they suspect LE have a warrant to eavesdrop their voice comms; or do they fret about the integrity of SIM card encryption and the Gemalto hack? Do they fuck.

Continued Happiness & Abundant Joy (For Hackers)

No, they don’t worry about these things because they don’t know about these things, they don’t care to spend the time understanding the threats or pay for the solutions and I don’t blame them. And that simple reality assures the continued happiness and abundant joy of the hacking for profit community.

If they are an above ordinary John Q then they follow a few simplistic tips they read after a quick Google and subsequently consider themselves bullet-proof and smart. If they are a small business they get comfortable when some self proclaimed infosec expert in a suit charges them a small fortune for “steal your watch & charge to tell you the time” consulting.

Good Old Fashioned Olde Worlde Surveillance 

And it’s not all about super-elegant hacks written by PLA Unit 61398 swirling around in the matrix gobbling up industrial secrets. A scene in the documentary CitizenFour showed Snowden using a blanket to cover his head and his laptop screen. The Snowden-Greenwald dialogue was as follows:

37:35 [Snowden pulling blanket over his head/laptop]
37:44 Greenwald: Is that about the possibility of…
37:47 Snowden [still under blanket, interrupts] visual, yeah visual collection
37:50 [Greenwald looking around the room, seems not rather sure what to think and say]
37:55 Greenwald: I don’t think at this point there is anything in this regard that will shock us. [laughter in room]

Gras Double commented on this precaution and noted that allegedly: “Still, using some advanced audio software, from the typing sound of the pressed keys, deducing from echo, reverb, comparing with the sound of a keyboard of an identical laptop, you could determine their coordinates in space. You can also analyse the movement of muscles of Snowden’s arms and extrapolate up to its fingers’ location and movement.” – a bold claim.

Another bright spark on Information Security Stack Exchange stated “He was using the blanket to fool visual recording devices attempting to steal his password, even though with modern technology x-ray or thermal imaging you could effectively ‘see through’ the blanket.” In rebuttal it was noted “I can see how an IR Thermographic Camera has a chance to detect something if the wrong kind of blanket is used. No idea how you want to use XRay, as it requires an emitter as well as a receiver.”

Line of Sight Surveillance for the Common Man

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good loc (easy access to and plenty of space behind the plastic covering the B pillar to store the bits). Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on.

Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

From a low value non-tech savvy target you will get screen lock password, SIM lock password, their main contacts, their email password and transcripts of their conversations during the time slot – even more if they are road safety conscious and use a speaker phone. For the high value target – encryption keys, app locks, timeline stats and so on and so on.

Turning Everyday Visual Objects into Visual Microphones 

When sound hits an object, it causes small vibrations of the object’s surface. This project shows how, using only high-speed video of the object, those minute vibrations can be extracted and the sound that produced them partially recovered, allowing you to turn everyday objects—a glass of water, a potted plant, a box of tissues, or a bag of chips—into visual microphones.

The sound is recovered from high-speed footage of a variety of objects with different properties, and the researchers use both real and simulated data to examine some of the factors that affect the ability to visually recover sound.

The researchers evaluate the quality of recovered sounds using intelligibility and SNR metrics and provide input and recovered audio samples for direct comparison. They also explore how to leverage the rolling shutter in regular consumer cameras to recover audio from standard frame-rate videos, and use the spatial resolution of the method to visualize how sound-related vibrations vary over an object’s surface, which they can use to recover the vibration modes of an object.

In simple terms:

1. Two guys talking out of sight in a room;
2. You, outside at a distance pointing a video camera, through a window at a glass of beer on a table in the room;
3. Record the glass of beer for the duration of their conversation;
4. Take the footage and process it and extract the audio contents of the conversation that was happening out of sight;
5. No installs, no intrusion, no access to the room required, no need to see the targets;

SIM Card Encryption 

Here is a sobering thought in plain language that applies to every SIM card that you have ever owned:

“US and UK intelligence agencies after the Gemalto hack in 2010 and 2011 have the ability, with the stolen encryption keys, to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”

Sentimentality is Your Enemy

The easiest way to ensure that your smart phone remains un-hacked or returns to an un-hacked state is to be willing to survive on cheap throwaways – but most people are not willing to do that. If you are it’s simple as 🙂

1. Take the SIM out of your phone every few days / weeks / months (depending on your level of paranoia or the reality of your work / life), drill a hole in the motherboard, hit it with a hammer, microwave the mess and flush the remnants down a public toilet or a subset thereof;

2. Insert your SIM card in another cheap smart phone with the proper set of reliable tools that reduce (note the use of the word “reduce” not “remove”) your risk of infection, don’t transfer the data from the old phone or the apps and carry on. For maximum safety – bin your SIM too and buy a new one;

3. As before, follow a few simple rules: don’t download apps from random sites (although even the Google Play & Apple App Stores have their fair share of dodgy apps and are no guarantee of malware avoidance), don’t click on links in emails from Eastern European porn sites and don’t give your unlocked phones to strangers at airports – although you can just as easily be hacked remotely.

However, if you will insist on treating your phone as a treasured fashion accessory and have to travel everywhere with tons of personal data you haven’t looked at in years at your finger tips – just in case – then you will not want to do the above and will insist on a different answer to the question.

The Advice “Out There” 

A simple search on DuckDuckGo demonstrates the number of posts out there on the subject and the number of bizarre “clues” which are considered worthy of worrying about – that’s before you even get into the Android / iPhone variations and exposures.

Alarm bells should ring for you apparently, according to many of these posts if:

1. On checking your bank accounts / credit cards you see unusual activity that seems to arise from app purchases that you did not make (sort of blindingly obvious I would have thought);

2. You are also to worry if your pointer starts levitating across the screen to select specific options as opposed to the random behaviour of the pointer on a busted or water damaged handset (I would have thought this would worry even the most non-savvy user or really interest all paranormal investigators);

3. Seeing photos in your gallery that you did not take (Really?) – be very worried if they are of you while watching PornHub 🙂 – Ransomware;

4. Getting text messages from unrecognized numbers with weird characters in them (Oops);

5. Notifications that flash across your screen, disappear and then can’t be found in any app or the notification centre (Seems fair);

Subscribe to New Posts

To be notified as each post is published please subscribe to the blog – over there on the right – yes over there in the right column at the top where it says “Follow by Email”.

No new content, no email for you – ever – and we won’t sell your email details to the NSA either and we are subpoena proof too so we can’t be forced to either.

END. 

Anonymizing Your Identity Draws the Attention of Who …. ?

Some companies that you have a registered relationship with, who detect your use of VPN / Proxy Services –  will impose another authentication process on you – which is highly inconvenient, in some cases downright intrusive and often requires you to submit much more personal information than you were required to provide when you originally registered with the service.

The point is this – if you intend to use VPN / Proxy services then get ready to re-authenticate many of the services that you regularly use as a registered customer.

Appropriate Protection 

Very few people want or need Tor, Tails, PGP, Whonix or the host of other helpful TSCM tools to confuse that NSA bogey man or the spook in the corner who is stalking you because of your political views 🙂 – most people just want their traffic protected and avoid having their passwords and emails hacked while using Starbucks wifi.

Enter VPNs (Virtual Private Networks) and proxy servers, both of which are handy tools to protect your privacy and security while using the internet. At home, at work or on public Wi-Fi a good VPN will offer you security features and privacy guarantees that make it worth your while to use one. Not all VPNs are created equal though and many do not deserve your trust, so do your research. For the uninitiated, VPNs create an encrypted ‘tunnel’ between your computer and the host server, with the internet traffic going in and out of the host server. An open proxy server is a computer that acts as an intermediary between your computer and the internet. Any traffic routed through a proxy server will appear to come from its IP address, not your computer’s.

You want “plug and play”, low to zero learning curve and hands-off ops in your VPN if you are not a power user. Typically you want log free services, zero knowledge (In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true), no discrimination based on traffic type or protocols being used, anonymity protection, exit servers to help you get around location-restricted content blocks and trustworthy encryption.

Private Internet Access 

One of the best ones IMHO is Private Internet Access, who protect both your privacy and security by encrypting all of the traffic between your device (laptop, PC, cell phone) and their servers. In addition the traffic is anonymized. PIA does not log data about your session or connection details, they don’t discriminate against protocols or IP addresses, and they don’t host any data about their users’ activities at all, anywhere. They support a number of different authentication and encryption methods and virtually every mobile and desktop operating system. They also provide connectivity options for your home router so you can stay constantly connected, connect to your home network when you’re away, or customize your solution. They also offer a choice of close to 1000 exit servers in 10 different countries.

But be aware many commercial outfits dislike VPNs and proxy services. In particular, some companies actively discourage and block methods of geolock circumvention. These companies are normally concerned with copyright infringement and the illegal reproduction or distribution of music files, videos, movies, e-books or any other copyrighted digital file.

Hulu and Amazon have actively combated people trying to use their services from other countries and failed miserably. Many other outfits have also been spectacularly unsuccessful in their efforts but there is also a shift occurring in the attitude of companies with whom you have a stated relationship and where your use of a VPN is not to facilitate illegal activity or breach the stated terms and conditions of a service.

Intrusive Requests

In these cases, some companies with whom you have a registered relationship, and who detect your use of VPN / Proxy Services, will impose another authentication process on you – which is highly inconvenient, in some cases downright intrusive and in a number of cases requires much more personal information than you were required to provide when you originally registered with the services. The point is this – if you intend to use these VPN services then get ready to re-authenticate many of the services that you regularly use as a registered customer.

Here are some examples of my experiences with this in the last few weeks:

PayPal

Dear Graham Penrose,

Thank you for providing as much information to help you with your enquiry. Before continuing, I would like to assure you that any difficulties you have had is acknowledged and your patience is appreciated.

Mr. Penrose, you need to have a UK phone number so you can verify your account. Ensure that you are making your payment from your country of residence.

If possible attempt to complete the payment from your home computer or the computer you most frequently use to access your PayPal account. To help you in completing a transfer, please call our customer service department. Please call us on 0800 358 7911 (freephone from a UK landline. Rates from overseas landlines and mobiles may vary).

We’re open from 8am to 10pm Monday to Friday, from 8am to 9pm on Saturday and from 9am to 9pm on Sunday. If you’re calling from outside the UK, call 00353 1 436 9004 (international call charges may apply). We appreciate your utmost patience and understanding on this matter.

Thank you for choosing PayPal.

Full Tilt Poker

Hello Graham,

We are writing to inform you that your Full Tilt account has been temporarily suspended. To protect the integrity of our games, we routinely review accounts and complete player verification. In order to verify your Full Tilt account, please send scanned, clear copies of the following documents to verification@fulltilt.com:

1) Photo ID: One of the following: valid driver’s license, passport, or other government-issued ID that clearly shows your birth date and the ID’s issue or expiry date.

2) Address verification (less than 90 days old): Bank or credit card statement, utility bill, home or auto insurance papers.

3) Digital photo: A digital photograph of you holding your ID document, so that we can compare you to your ID document.

4) Scan of the Card ending 3287.

5) Digital photo with Credit Card: A digital photograph of you holding your Credit Card(s) listed above.

PokerStars

Dear Graham,

Your PokerStars account has been temporarily suspended as part of a routine review.

It has come to our attention that you are connecting to PokerStars via a VPN, proxy, or similar service. Whilst we do not prohibit the use of such services, we have reason to believe that you may be hiding your true location through them.

All players are required to provide accurate account information as per our Terms of Service:
17.5. The User must provide full and truthful information in respect of all details and information requested by PokerStars in connection with the User’s use of the Service subject at all time to the terms of the Privacy Policy.

The complete Terms of Service are available here: http://www.pokerstars.com/poker/room/tos/

Please be advised that, on occasion, we may be required to amend the Terms of Service. It is your responsibility to keep up to date with any changes made to the Terms of Service.


So You Want To Be A Digital Ghost – Introduction

This series of posts is provided as a guide to the private citizen who holds concerns regarding their information security and the protection of their data from unauthorized access by state and non-state actors.

This information is not intended for use for any other purpose, in particular to access the deep web or dark net to conduct illegal transactions or engage in illegal activities.

Caveat

The implementation of these guides is intended for legal use and not to facilitate acts of criminality – these guides are for those of us who seek to protect our privacy in the belief that in a democracy every law abiding individual is entitled to a private life.

Caveat on the Caveat 

These posts are not intended to be Blackhat however like any hints and tips on any subject they can be used the wrong way.

If you are the type of person who feels the need to use the internet to hire a hit-man to shoot your dog, buy poor viagra substitutes online or trade bomb making tips with your jihadi buddies then these guides are just as effective but …..

You also leave non-digital footprints and the forums which you may intend to visit, using the anonymity tools and tips described herein, are no doubt compromised and riddled with honeypots and lurking super secret squirrels and in those we trust.

Getting What You Want 

Some readers looking for answers / hacks / links / shortcuts will be aware of elements of the content of these posts and to avoid frustration a section at the top of each new post will call out what subject is being discussed in that post and what sub categories it contains – for example:

POST: Internet Censorship Software & Workarounds
Sub-Categories: Blue Coat Systems; SmartFilter; Fortinet; Websense; Netsweeper; Making Invisible Spyware Footprints Visible; Keyloggers; Malware Detection; Man in the Middle; TSCM; 

You will then be able to jump to the section you are interested in – or wholly ignore the post – or patiently wait for your section of interest. This series will run for twelve months with three posts per week so that’s 156 pearls of wisdom riddled, real life expertise indispensable posts for you.

A complete contents and navigation guide will be included in the next post with the subject of each post, sub-categories, a clickable link and an intended publication date.
