Is Digital Privacy a Privilege Of The Wealthy?

Posted on by

It’s a chilly spring morning in 1987, and things aren’t going so well for you. The threats and stalking weren’t your fault, but you’re genuinely afraid for your safety and the police couldn’t help much. After thinking long and hard, you’ve decided your best option is to disappear and start over. You pack your family’s belongings into your Fiero, empty your bank accounts (a couple grand in cash), close out your accounts without forwarding, and hit the road. You’re sick to your stomach scared to leave, but you’re also relatively confident – you can find cash work and lodging pretty much anywhere, (under an assumed name with counterfeit papers, if necessary). Go far enough and keep your head down, and it’s not likely he’ll find you again without a good PI or a string of bad luck.

★ ★ ★

It’s 30 years later, and the business of fleeing an abuser has changed dramatically. Many elements of our world are still familiar, but the nature of personal privacy has changed dramatically. The internet, mobile phones, and social media brought the world closer, often in incredible and inspiring ways, but also in ways that fundamentally harm our ability to keep any element of our daily activity private or secure. The field of network security has grown from an afterthought to a standard college degree program and a major element of global military forces. News coverage shows us terrifying ways our personal data and digital devices can be abused, constantly bombarding us with reminders to restrict access to our data and internet presence.

Yet, the “common sense” security and privacy advice we offer frequently carries costs. Security experts can tweet about an Android version being obsolete and horrifically vulnerable to snooping a thousand times, but billions of people in the world simply can’t go out and buy a good quality new phone. There are wonderful commercial identity monitoring and digital privacy services available, for a yearly fee that might cut into many people’s medication budget. Even finding quality security education has tangible and intangible costs.

Whenever I tackle an extremely complex and contentious security topic, I endeavor to offer a variety of differing expert views to readers. Through a series of eight scenarios, I’ve invited seven security and digital privacy professionals to join me weighing in on the fundamental question of how much of a privilege digital privacy, and the abilities to “restrict” or  “remove” our digital footprint, really are. The discussion is generally North America-centric  – international privacy laws vary greatly. However, many of our privacy and personal security solutions are not specific to any country. Our general conclusion is that while convenience and absolute anonymity can be a privilege that comes with resources, there are many effective low-cost ways to drastically improve personal digital privacy.

My colleagues, who generously contributed their time and knowledge to this article without compensation or sponsorship, are as follows:

  • Viss / Dan Tentler – Founder of Phobos Group. Dark Wizard. Breaker of things. Essentially a static analog for “targeted, skilled espionage for hire”.
  • Munin / Eric Rand – Blue team consultant; amateur blacksmith; consistently paranoid
  • Krypt3ia – Old Crow, DFIR, Threat Intel, Targeter: krypt3ia.com @krypt3ia
  • Lloyd Miller – Managing Director at Delve, a competitive intelligence, research, and policy consulting firm
  • plum / Chris Plummer – Former IBM, DoD, now staff at exeter.edu. Oxford commas at 603security.com, chasing120.com, and @chrisplummer.
  • CiPHPerCoder / Scott Arciszewski – CDO at Paragon Initiative Enterprises, writes and breaks cryptography code. https://paragonie.com/blog/author/scott-arciszewski – @CiPHPerCoder on Twitter
  • evacide / Eva Galperin – Director of Cybersecurity at the Electronic Frontier Foundation.

 

Question 1: Mobile Device Privacy

Smartphones are woefully vulnerable to compromise and surveillance by numerous sources, from advertisers, to criminals, to suspicious spouses, to nation state adversaries. As our “second brain”, they contain massive amounts of our sensitive information, such as where we’ve been, our contacts, and our account logins. The common security boffin recommendation is to always own an up to date phone (often specifically an iPhone), replacing it whenever it becomes obsolete. Good quality phones aren’t cheap, but smartphones are frequently a necessary part of modern life. What are your privacy and security suggestions to somebody who can’t afford a new iPhone every few years, but needs a smartphone for work or school?

Munin – Limit your threat surface. Only install those apps that are essential for what you need, and avoid random web browsing on it. Don’t open attachments on it – set your email client to text only. Apply updates if they’re available for your platform. Don’t root or jailbreak it – yes, it lets you do a bunch of cool things, but it also opens up significant maintenance problems.

Lesley – Even if you can’t afford a new phone, please routinely check the version of Android or iOS you’re using. Once the phone is out of date and no longer receiving updates, reset it to factory and treat it as cautiously as you would a public computer. No matter the age of your phone, avoid installing any apps with too many permissions, including access to your microphone, GPS, camera, contacts, or phone identification. Keep location services turned off.

On another note, while the ubiquitous iPhone has pretty good security “out of the box”, there are also very good arguments for using an up-to-date Android phone from which the battery can be physically removed, if privacy is a big concern. There are few things more reliable than physically breaking a circuit.

Viss – There are carrier free phones that you can buy that cost half of what carrier phones do. A OnePlus2 will cost you around $300, and they get software updates several times a year. You can also get a Google Nexus or Google Pixel. All of these non-carrier phones get software updates way way more often than any phone that a carrier will try to sell you. That alone is a pretty huge improvement, even before taking personal measures to secure a mobile device. Also, a OnePlus, Nexus or Pixel will likely last years, and remove the need to buy a new phone every 12 months.

Lloyd – I don’t think good security comes cheap with phones, but Munin gives the best advice – if nothing else, only do the bare minimum necessary to accomplish what you need to do, and cut out the rest.

plumIn theory, devices purely for work or school should not be all that demanding in terms of features, so they should be remotely affordable. The carrier market is white hot right now.  Chances are, there’s at least one in your region with a pretty compelling deal on a handset. This is difficult because for short money you’re into a new phone that you may not necessarily understand how to secure.  To that end, don’t go out on an island – buy something your friends and family are familiar with, so they can help you.  While many are averse to working with salespeople, you may find one that knows quite a bit about keeping your handset locked down. It’s worth the ask; there are really good people out there who know a lot more than simply how to sell you a phone.  You may not get it perfect, but it will be better than out-of-the-box.

Krypt3ia Phones, like much of the technology today we buy and use that could lead to compromise of significant amounts of our data are coming down in price in certain spaces while going up in others. So if you want to have a burn phone (and now you can get smart phones too cheaply) you can try to firewall yourself off by only doing certain things with a burner phone. I guess the thing is that generally here any phone at any time could be that device that leads to your data being open to attack.

It may also be of use to have a phone that has less functionality like a flip phone to carry out some tasks as the lesser the technology level the less the adversary has to work with as attack surfaces go. The reality however is no matter what you do you are subject to technologies that you do not have control over completely. As an example, I recently gave up a phone that I liked quite a bit because the provider did not update the operating system for security patches and had not done so in over a year. They just don’t really care, so I had to move on to a system that I could push the updates on. Still though, if you are relying on technology to protect you and YOU aren’t in control of every aspect of that, and are competent at it, it is a null sum game. Best I can advise you is to compartmentalize as much as you can. Use code words for things (i.e. appointments in calendars, names in phone books, etc) to obfuscate and make it that much harder for the adversary to get a toe hold.

CiPHPerCoderNon-carrier phones like One Plus are a good idea, as Viss said, but one important obstacle is how purchasing is structured. If you get a carrier phone, you probably aren’t dropping $800 right then and there; instead, they roll the cost of the device into your monthly payments. If you get a non-carrier phone, you have to purchase it yourself. I believe it’s worth it to find a way to overcome this obstacle (so that you won’t be left vulnerable when an Android vulnerability surfaces if your carrier is negligent) but this comes down to a cost-benefit decision.

A related concern for most people is data privacy. For example, using a secure, private messaging app like Signal or WhatsApp instead of an insecure choice (Telegram, unencrypted SMS) to communicate with your friends is a great move. Encrypting your phone with a passphrase (to be clear: not a PIN code, swipe pattern, or fingerprint; you want a passphrase) prevents anyone (for example, at the airport) from accessing your private data while it’s powered off. I recommend a longer passphrase (e.g. 20 lowercase letters, generated randomly) instead of mixing different character classes, to minimize frustration and typos.

evacide – (most of the useful technical advice has already been given, so I am going on a bit on a tangent here) Phones are one of the most clear-cut examples of money buying security, but when you’re making digital security/privacy decisions, always keep in mind the attacker in mind. Your most up-to-date iPhone will not help you if you’ve been coerced into giving your password to your abusive partner or that partner has installed an app (covertly or otherwise)  on your phone that allows them to spy on you. For these cases, it may be appropriate to covertly purchase a cheap second burner phone, which may not be as secure against hackers, but which may allow you to covertly communicate without alerting your abuser.

Question 2: You, on the Internet

Companies like FamilyTreeNow and Intelius collect data about every US citizen they can; even ones who don’t regularly use a computer. This data often includes addresses, phone numbers, social media profiles, criminal history, as well as family member names and birthdates. Obviously, this data can be very damaging when used inappropriately, and generates global privacy and security concerns far beyond simply being in a local phone book. Removing this data from hundreds of these companies is a huge undertaking, but commercial subscription services that do it reliably aren’t cheap. What’s the best option on a tight budget?

Viss https://www.abine.com/deleteme/landing.php – spend $129.

Munin – Do what you can to minimize the harm – that’s the name of the game here. If you can’t afford a good service, do what you can by yourself. It won’t be perfect, but reducing the threat surface to a minimum will help. Remember, you don’t always have to outrun the bear – you can last a lot longer if you can outrun the other campers.

Lloyd – I don’t believe takedown notices are an effective strategy in the whack-a-mole world of personal data aggregation. You can send them, but the sites can ignore them. Additionally, a lot of that information including birth, property, voter registration, and criminal/legal records are government-generated and legally protected public records. There are several very reputable services, including Intelius (get it?), you can pay to do help remove some of this information, but I would ensure they offer guarantees and other identity/credit protection services.

Lesley – Third party privacy services are out of many people’s’ price range, but certainly the most effective solution for everyday privacy concerns short of a new identity. Privacy is also a constant battle – you need to look at a subscription service more than a one-time removal. If you absolutely can’t afford one, you can opt-out of many services for free, but it’s a time consuming and convoluted process. As a last resort, at least remove your data from the top 20-25 services to try to delay and frustrate people trying to research you. Don’t make a harasser’s life easy.

plumTwo years ago I discovered a downloadable database of voter registration data that included DOB from eight US states, and it had already been online for several years and mirrored in Europe. For the individuals in these states, through no fault of their own, their identities are permanently at risk.  In truth we’re talking about mitigation, not prevention. Anyone’s best hope is an annual ID theft monitoring service. Some employers actually offer these free of charge.  Tight budget? You’re left to pull a free credit report once a year and hope you catch something. The system is pretty broken here.

Krypt3ia The ONLY way to avoid this is to not be you any more. So, you fake your own death after getting decent documentation with another name. Get credit set up for that person, a whole “new suit” as they say and then live that life and never talk to anyone from your past.

But oh wait… Now you have a new name and series of datapoints to worry about!

Best bet, go live off the grid in the woods or become homeless.

Another null sum game.

CiPHPerCoderI’ve got personal experience with the downside of these services. When I was a teenager, my mother’s hobby (which consumed most of her waking hours when not working) was genealogy research through websites like Ancestry.com. It’s kind of funny in that, as I taught myself more about computer security and online privacy, she was unwittingly working hard to ensure that I would never have privacy online. Many years ago (either 2009 or 2010), an Internet troll had used this publicly available data to send me harassing emails, demanding that I take my blog offline forever.

Despite that experience, I don’t have a solution here.

It’s obviously an extortion racket; using the threat of public exposure to get people to pay up. The alternative to reaching into your wallet is playing whack-a-mole with third parties that mirror your personal information. The first option provides this industry with the incentive and resources to continue harming people’s’ lives. The other maximizes the harm they cause your own life (by wasting time trying to achieve a modicum of the privacy you should, rightfully, already have).

However, like many other areas of security, layered defenses work wonders to fend off attackers. Making a new pseudonym and linking it to a false persona is challenging and requires a ton of discipline to be successful. Even if you can’t protect your personal information, you can prevent malicious parties from connecting your screen name to your real name without drowning in a moral quandary.

Question 3: Traveling Abroad with Digital Devices

Travel is often considered a privilege, but people from all backgrounds do travel internationally. There are firm warnings from security professionals about bringing mobile devices and computers into less friendly countries (especially ones that conduct extensive monitoring and seizure) as they may conduct forensics on them or insert surveillance hardware or software. This adds a layer of risk to somebody who is trying to remain unseen. The blanket advice is usually to bring a separate, disposable computer and phone if they’re required. Computers and phones aren’t cheap. What would you recommend to somebody who needs to travel overseas to a dubious location but doesn’t have a big budget?

Munin – If you’re travelling for business, see about having your company handle the purchase of separate, designated equipment. If you’re there for a conference or just visiting, see if any of your friends in that country [social media’s great for making friends in foreign parts] will be willing to let you borrow equipment while you’re there. Remember that any kind of electronics you bring across a border – especially these days – is probably going to get searched, so avoid the problem if possible. Also, take some time ahead of time to set up a benign social media profile – put some noncontroversial or patriotic looking activity on it, and lock down or suspend your real accounts before you travel. If you end up being forced, coerced, or pressured into giving up online activity, refer to that account as your only account. Part of being safe is looking like you’re not worth harassing – so keep the lowest profile possible.

Viss – Do you HAVE to travel with your phone? Or your laptop? Can you use a chromebook, and just buy a burner phone while you’re in another country? Do you feel that you’re in a position where customs here or there will try to get into your phone? Here’s a fun trick: Select a cloud backup provider (Spideroak, Box, Dropbox, ec2, whoever, doesn’t matter). Make a titanium backup or nandroid backup of your phone. Make sure to use the encryption option. Put your encrypted phone backup into cloud storage before you leave. Format your phone in the air on the plane. If anybody wants to look at your phone, they can see it – there’s nothing on it. Have fun. When you get to your destination, pull down your phone backup and restore it. You may want to remove all your downloads and stored media beforehand. If you take the time to either A) have a dedicated travel phone that you do this to, or B) just occasionally trim your phone storage down you can get this to under a gig.

Lesley Echoing Viss, consider very carefully if you really need the phone, or you just feel irrationally naked without it. Payphones may be rare, but they still exist in most transportation hubs, as do calling cards that work internationally (they are often sold in airports), and paper maps. If there is no way you can function without a phone, there are relatively cheap (<$40) options for unlocked disposable phones such as BLU’s, and SIM cards can usually be purchased a convenience stores when you arrive at your destination. Leave your sensitive personal data, including your fingerprints, off of any burner phone. Use it for travel essentials only. Stick to a “dumb phone” if you can.

Lloyd – For short term use, you can get used smartphones off Craigslist, get a prepaid SIM card, install just the contacts and apps you need for the trip, and then toss it on your way home. And, as everyone else has said, if you don’t need it, don’t bring it.

plum – I would never travel internationally with personal devices. Everyone has done well to discuss the risks, and from a practical perspective the logistics alone of getting a lost device returned to you from across a border – presuming a scenario that involves total honesty and goodwill – we’re talking long odds.

Krypt3ia – A USB stick with TAILS and an internet cafe or other access to a PC. Light footprint or you are in trouble. At this point you are dealing with nation states, and you will not win. INFIL and EXFIL into and out of countries is best done with very little on you. A mini USB (32 gig) can easily be tossed or eaten or destroyed. Not so much any other more expensive and luggable assets. For that matter you can cache them and in some cases secret them in your luggage where the color X-Ray and other schemes of detection can be obfuscated.

CiPHPerCoder – These are all good answers, so the only thing I can really offer is my setup. For domestic travel, I just have an encrypted laptop and encrypted mobile phone. If I’m traveling internationally, however, I’ll do the following:

  1. Rent a throwaway Virtual Private Server (VPS) from one of the providers on LowEndBox.
  2. Configure the VPS so that I can only SSH in via a Tor Hidden Service, using public key authentication (no passwords) with a SSH keypair unique to that server. (Ed25519.)
  3. Encrypt anything I need and store it on the server. (Veracrypt.)
  4. Purchase or repurpose a new laptop with a fresh Windows install for traveling purposes.
  5. Carry a USB or SD card with a Veracrypt-encrypted file containing the SSH private key.

TAILS can be procured on-site, and verified through other channels. I’d leave the phone at home.

Total cost: less than $10 if you already have the hardware on hand.

evacide – If you’re traveling for business, your business should have a policy in place your digital devices and travel. If they don’t already have one, this is the time to encourage them to do so. If you are crossing the US border, I recommend reading the advice EFF has written up as part of Surveillance Self Defense on this subject: https://ssd.eff.org/en/module/things-consider-when-crossing-us-border.  In general, I would make sure my devices are password-protected, encrypted, and turned off when crossing the border. Particularly sensitive information should be removed from the device in advance, encrypted, and stored on a server for (secure! encrypted!) download if you need it when you arrive at your destination.

Question 4: Credit and Identity Theft Monitoring

Identity goes hand in hand with privacy. More Americans have had a credit or debit card stolen in the past couple years than those who have not, and data breaches and identity theft are huge problems. Services that proactively monitor and protect against this come with a monthly or yearly fee. What’s an affordable and effective solution for responsibly keeping an eye on your identity and credit? Are there solutions for people who can’t get a credit card?

Viss – Most credit cards these days come with alerting capabilities that will tell you if a charge comes through past a certain amount. Turn that on and set it to like $50. Anything over $50 and you get a text or an email. INSTANT notification if something sneaky is going on. You can’t do much about it not getting stolen in the first place, for example in the case of Target, the malware was in the cash registers and nobody knew. But you can know immediately if an attacker tries to use your card for evil, and you can call it in right away. Simply do this with every card.

Munin – If at all possible, do -not- use a debit card for anything. Every transaction is a gamble – so gamble with the bank’s money, not your own, and use a credit card if at all possible. An affordable alternative to paid services is to be ‘lucky’ enough to be in a breach – haven’t we all, at this point, received several years’ worth of “credit monitoring” to compensate us for the time and stress of having our identities compromised? More seriously, though, follow Krebs’ advice – lock down your account with the major credit bureaus, and unlock it if you have a specific need for a credit check. It’s not perfect, but it’s affordable and will reduce harm.

Lloyd – Using anonymizing services like Sudo, Blur (Abine), or Privacy.com allow you to make purchases with credit cards you have 100% control over. Therefore, if an online store’s is comprised, you can just delete the card and move on. Lock down your credit reports and do that for any of your children as well – people don’t monitor their children’s credit, making them vulnerable to identity theft as well. You can also get prepaid credit cards using very little information. You should research which features you prefer like ease of reloading, low or no monthly fee versus per-purchase fees, or usability. Generally, Chase and Amex are great introductory options. For international travel, Kaiku offers a prepaid card with no foreign transaction fees, great for short trips abroad. Keep in mind Know Your Customer laws make it very difficult to access to U.S. banking system and stay anonymous from the U.S. government for very long or while handling large transactions.

plumThe OPM breach, the Target breach, the Home Depot breach have really paid off for me; the past few years of free monitoring have been nice.  LastPass actually bundles free credit monitoring, so that is worth exploring when this is done.

And as Munin mentioned, debit cards are cast from pure evil in a mold of good intentions. Never gamble on a retailer’s security posture with real money. Charge everything.  If you don’t have access to credit, use as much cash as possible and be very judicious in your check writing.  Every check you write says “hi, here’s my full name, here’s where I live, and here’s where I keep all of my money; in fact here’s my account number”.  That’s a lot to hand over to a complete stranger.

Krypt3iaMost banks do this now for you at no charge. I would not trust these companies to protect my data anyway. It is just adding to the complex web of your data being out there for others to abuse. Keep an eye on your accounts regularly and make sure your credit card/bank has your current number to call. Don’t waste money.

Lesley – Cash is your friend. Otherwise, a few people have already correctly noted how very risky bank debit cards are for your privacy and money. Unfortunately, many people are financially unable to get credit (or credit that promotes responsible use). There are a few options out there. Prepaid debit cards are one – although they may not have fraud protection, the amount of money which can be stolen from them is limited by the amount of money the purchaser loads them with. They can also lend some anonymity. Another option is a reputable credit card designed for people with low or no credit, designed to theoretically build credit over time. Legitimate options tend to be low limit, from a reputable creditor, with some security deposit required, and should always be designed to be paid off every month in full. Unfortunately this is a security blog, so I recommend you seek some free financial advice.

CiPHPerCoderThe credit bureaus are not your friend. Do not count on them correcting any mistakes on your credit history. Do as Munin and Viss suggested. Normally, the saying goes, “An ounce of prevention is worth a pound of cure,” but in this case prevention is your only recourse: There is no effective cure.

evacide – When you make online purchases, consider not storing your credit card number as part of your account. The same goes for storing your credit card number in your browser. Use 2FA whenever possible to protect your accounts and a password manager to create strong, unique passwords, so that if one account is compromised, the rest of them are still safe.

Question 5: On the People Still Using Windows XP

Tons of people have computers. Some of those computers are so old they are no longer patched or remotely secure.  While operating system vendors have gotten better at forcing security updates in recent versions, security (especially in the era of the cloud) doesn’t necessarily indicate personal privacy. In terms of fundamentals from operating system, to browser, to antivirus, what are your suggestions to somebody who wants to upgrade their computer in a privacy-friendly way, but can’t afford more than a couple hundred dollars?

Viss – Microsoft gives updates to small businesses and students. Linux is free. Running linux is generally fine for people who simply need “a browser so they can Facebook and Gmail”, and that will keep them from the vast majority of exploits, drive by downloads and other attacks that by and large only target Windows. From the perspective of the operating systems, it tends to get a little hairy because they are designed to spy on people at this point. Github has several examples of an “unfuck script” that one can run on a Windows 10 installation to turn off all that telemetry. Once that’s done, I wager a combination of Windows Defender, EMET, and Malwarebytes for ransomware run all together and cranked all the way up should be a pretty good start. It’s surely more than most consumers would do on their own reconnaissance.

Munin – Most folks will be fine with a Chromebook. They’re kind of stuck in the Google ecosystem, which I don’t like, but they get continual patching and have a vastly lowered threat surface. If you’re OK with the whole “webapps for everything” thing – and let’s get real; that’s 90% of everyone’s usage these days anyway – then a Chromebook will likely meet your needs.

Lloyd – Chromebooks sacrifice some measure of privacy to Google in exchange for affordable computing experience. If you are not concerned what Google knows about you, this is a fine option. It is very difficult to keep operating systems up to date long term without regularly upgrading your computer.

plumBasic, cheap ($200-ish), new systems seem easy enough to find. Certainly my best advice here concerns the disposal of old systems, as the general public is almost entirely in the dark when it comes to sanitizing equipment they don’t want anymore.  I say this a lot – the lifecycle of personal computing is so incomplete.  It’s so easy to get a new system, but we never really talk about how to get rid of the old one.  Getting familiar with a utility like DBAN, which for $0 will wipe any trace of your existence from a hard drive, is a great first step.

Krypt3ia Become more savvy about how  your systems work. Keep them patched and try to keep up with the attacks out there. However, for the average normal person out there these things I just said sound like the teacher on Peanuts. Once again, do not trust any operating system unless you have complete control over it and frankly no one out there can do this. It is thus important that you learn some OPSEC lessons. But again, try getting this through to Gramma, it is not that easy. It takes education and not the once a year kind.

CiPHPerCoderIf you’re still on Windows XP, this probably means one of the following:

  1. You lack the capital to purchase a newer computer.
    • In this case, make the switch to Ubuntu or Linux Mint, which are great and user-friendly GNU/Linux operating systems.
    • If you’d like to get familiar before you commit to a new OS, get Virtualbox (it’s free).
  2. You’re a company that needs to use software that doesn’t work on newer versions of Windows.
    • Consider switching to something like Qubes and running your Windows XP-dependent software inside of an isolated virtual machine to minimize the risk of a full system compromise.

Otherwise, you should just upgrade to a newer version of Windows. Laziness is incompatible with security.

Lesley – Part of this comes down to a distinction between privacy from companies, privacy from governments, or privacy from traditional criminals and the average nosy Joe or Jane.

An updated version of Chrome OS or Windows has a professional security team behind it releasing patches and responding to reports of vulnerabilities. This is really important. Of course, those companies rely heavily on cloud computing and telemetry – that’s how they provide the user experience which their customers expect. We’ve been focusing heavily on solutions for people facing criminal / stalker-type privacy concerns. In those situations, Chrome OS is an affordable option (assuming associated Google accounts are well-secured). Up-to-date Windows (while pricier) can be a good choice, too.

If you’re worried about privacy from companies, commercial options probably aren’t a great choice. This is where more user friendly versions of Linux like Mint or Ubuntu may be feasible. Of course, these distributions of Linux are ostensibly free, but that’s somewhat offset by the amount of time required to learn to configure and secure them.

If you’re worried about sophisticated actors, not only should you keep sensitive data off the internet, but you should restrict sensitive work to full disk encrypted systems without any speakers or network, Bluetooth, or wireless adapters physically installed.

Question 6: Private Digital Communications

There are numerous reasons to use encryption, and communicate and browse the internet privately. Abuse and harassment victims, whistleblowers, celebrities, journalists, and even government and military personnel may have to contend with being targets of surveillance, physical threats, or blackmail. Beyond overt risk, we have a fundamental right to privacy from the massive networks of data collection of advertisers and marketing firms that buy and sell our intimate details. While some services like Signal, Tor, and Protonmail are free, trustworthy VPN often isn’t. What are your suggestions for somebody non-technical who wants to communicate and browse with minimal potential for interception, without paying a lot?

Viss – Wire is free. Signal is free. Tor is free. VPNs are not. I run a small VPN service for exactly this reason. It’s IPSEC not SSL. That’s an important distinction, as well as it’s not “an app”. My VPN service uses Cisco hardware, not just “some cloud instances”. Do some homework on any VPN provider you elect to choose and try to steer clear of SSL based VPNs. They usually collect data about you and where you go, so while it may protect you from the skiddies in the coffee shop, it’s not protecting you from the vendor collecting your data for your $5 VPN account. If you’re a bit more technically inclined you could simply use an SSH tunnel. For that same $5 you could spin up a Digital Ocean host and use that as an SSH tunnel endpoint. Or you could stand up your own VPN. If you’re concerned about a private messenger on your phone being an indicator of you doing something shady, then install a bunch of them and use them for silly things. I have a wire room setup for “only gifs, no talking allowed”. There are nearly 40 people in there and nobody says a word, we just post silly gifs. So while it looks like there may be discussions happening to any outside viewers who can’t see the messages, it’s just noise. If you make lots of noise, it’s super easy to get signal through it. You just have to make sure the patterns of signal to noise aren’t super obvious.

Munin – “Use Tor, Use Signal” is the cliche in our world now, but it’s really going to depend on your specific needs. Harassment victims have different threats than whistleblowers, than celebrities, than journalists – there’s no one-size-fits-all solution. Perhaps talk to one of us, or some other trusted source, to figure out what your threat surface is, and work out what tools you have available that can best be used to manage it?

Lloyd – Depending on who you’re concerned about watching you, Signal, Wickr, and WhatsApp are fine for communication. I’m also a big fan of a pen and a piece of paper, and old fashioned face-to-face meetings. And never use a free VPN.

Krypt3ia Use Signal, Use TOR Browser, and understand that everything you do on the net, everything you put out there is a threat to that privacy. For that matter, every device is giving up your private data and giving the companies and governments a portrait of “you” that can be used against you. How would I obfuscate this data? There are some means such as add-ons to FireFox (TrackMeNot and uBlock) You may also want to read Obfuscation: A User’s Guide for Privacy and Protest (MIT Press), which had some good ideas on how to use digital chaff to try and limit the real data these corporations have on us. If you have an adversary though that is directly in opposition, then use encryption (GPG, Protonmail, etc) but always know that the endpoints are always suspect (those you email with and the company serving you the service) so really, own the end point, forget the secrecy.

plumGreat points have already been made.  I’ll add that it is critically important to remember to assess all of your online activity and electronic communication through the lens of litigation. If it exist(s)(ed), it can be subpoenaed.  If this presents an unacceptable operational risk for you, hash things out face-to-face.  If the logistics are not practical, follow Lloyd’s golden rule above: never use a free VPN.  Tor is a go-to. While a little different, I would also keep an eye on Brave.

CiPHPerCoder – The only VPN you can trust is the one you’ve setup and administer. Most users aren’t technical enough to do this, and therefore shouldn’t use VPNs.

That said, there isn’t a winning concoction here that doesn’t require some user education to provide robust security against sophisticated threats.

Tor is great, but only if you understand its limitations. Tor + unencrypted HTTP means the exit node can sniff or alter your traffic.

Signal is great, but only if the person you’re talking with also uses it; otherwise, you’re communicating over unencrypted SMS. (You can turn the SMS fallback off.)

Whatever technology you choose, take 5 minutes to read through the documentation. The better you know your tools, the less likely you’ll make a fatal mistake when using them.

evacide – Before you choose a secure or private communications tool, think about your threat model: are you trying to protect your communications from criminals? From the government or law enforcement? From your parents or your spouse? These are all very different models. How important is it to you that the message should be secure? How important is it that the message actually gets to you in a timely fashion? (I’ve lost track of the number of arguments I’ve gotten into with my friends and family because a Signal message didn’t go through).  Are you OK with giving out your phone number for this communication?  Seriously, and I cannot emphasize this enough, Signal is not always the answer.

Lesley – A lot of differing opinions and options have been provided with regards to this problem – hopefully providing a starting point for consideration and discussion about private communications. I want to stress again that no matter what options you choose, noise is critical. Most of the private communications methods listed above hide the message, not the fact that you’re hiding a message. If you use VPN or encrypted messaging only for sensitive conversations or browsing you’re trying to hide, anybody watching will immediately start to look at that specific communication in more detail. For this reason, one of the first things I check in a computer under forensic investigation is the private / incognito browsing history. It usually contains only activity the user wanted to hide.

Whether want to prevent an angry ex or a multinational criminal organization from intercepting your sensitive communications, make sure they are lost in a sea of everyday benign private traffic. That’s why Tor usage is so highly encouraged by privacy advocates for everyday communication – if only foreign journalists under death threat by rogue dictators used it, their traffic would be easy to spot and target.

Question 7: Authentication

Online accounts are always a target, and passwords are generally easy to guess by casual criminals and advanced actors alike. So, we frequently advise people to enable two-factor authentication on their accounts through an app or (less desirably) SMS. The problem is, not everybody has a smartphone of their own – particularly one that works everywhere reliably. What are your suggestions to somebody who uses online accounts, but doesn’t own their own phone?

Viss get a Google voice number, and set up hangouts to accept SMS messages. DO NOT SHARE THIS NUMBER WITH ANYBODY. You can set up 2FA SMS for everything that uses it, and those texts will hit Google hangouts. You can get them on a desktop/laptop, or through hangouts on your phone. The connection between your phone and Google is cert-pinned SSL, and the ‘secure texts’ will come through over data not SMS. It’s not a silver bullet, but it defeats Stingray attacks and mobile phone “man in the middle” attacks. You can also configure Google voice to either forward those SMS messages to another number, or email them to you, or another email account. There are many options.

Lesley – An alternative option is a physical two-factor security key, a tiny object which is inserted into the USB port of the computer you are using while you log into a wide range of web services. U2F keys are well under 20 dollars, easily purchased from many online retailers, and should theoretically last far longer than many electronic devices. The downsides are that if you lose the key you may be in trouble, it won’t be usable in places which block the use of USB ports, and it could potentially be seized.

Lloyd – U2F keys aren’t a cheaper option than what Viss recommends. I like physical keys but they have weaknesses: your key can be stolen, there is still limited support for physical keys, and they cost money. If you’re someone who forgets things, leaving your key at home or in the wrong bag can cost you a day of work if you aren’t careful.

plumWithout a true “something you have”, 2FA starts down a road of compromise.  Like Viss, I have not completely criminalized the use of SMS, and he presents a creative solution.  Burner phones can serve this purpose well.  For five bucks, a refill card for a thousand text messages could last a while.

CiPHPerCoderThis came up a lot in the discussion of the Guardian’s terribly misleading WhatsApp article. In the real world, a lot of users share phones and swap out SIM cards rapidly. In the WhatsApp case, this makes public keys change rapidly, which could create a UX nightmare for people who have used WhatsApp for years and never even heard of encryption. Many of the 2FA assumptions break down in a shared-device scenario.

If you’re in dire straits here, Viss’ Google Voice number suggestion is probably your best bet. I’ve not heard any other realistic solutions for folks who share phones and don’t own security keys. If 2FA isn’t available, outright, consider making it more of a point to use a password manager (KeePassX, LastPass, 1Password, etc.) than if you had 2FA.

Munin – This particular question’s been giving me problems for a few days now. The long and short of it is that, as far as 2FA is concerned, the users are entirely at the mercy of the vendors as to what nature of 2FA solutions the vendors support – for instance, though I really, -really- want to use a yubikey with twitter, twitter declines to support this option and only allows SMS based second-factor auth.

Unlike the other questions here, this is one in which the user has very little control over whether or not they can effectively follow the advice given.

The ‘correct’ solution would be to only use services from vendors that support proper 2FA – but when those services won’t “do the job” – e.g. all your contacts are on a service that doesn’t do this correctly – you’re inherently limited in what you can do.

So my ultimate advice here would be – if you -can- follow the solutions given above, do so; if you’re not able to, then do the absolute best you can with what you have available. If you don’t have a unique device available for a second factor, it’s best not to push for a compromised second factor over a non-compromised single factor. Control what you can, and look for opportunities to make it better; and pay special attention to those things you cannot control – monitoring is a kind of mitigation.

Question 8: You, in the Real World

We’ve discussed our online lives in detail, but what we do every day in the physical world leaves a huge digital footprint as well. This includes all kinds of activities, like shopping, banking, and our hobbies and work. Let’s think in terms of our introductory example of a victim of stalking and abuse (this time, in 2017). What are feasible actions he or she can take in day-to-day life, with a small budget, to reduce the digital footprint left by his or her activities (while still remaining a part of modern society)?

Viss – Use a combination of personal travel and ridesharing applications or public transit to mask surface travel. Combine using different credit cards with paying in cash. Change travel routes to not consistently use the same path to get to destination. Make random stops (at shops, for coffee, etc, whatever) to make it harder to determine where you are going. Turn off your phone from time to time (yank the battery if you can). Don’t spend a lot of time walking on the street in the open. Travel in a vehicle or on public transit as often as you can. Do not dress to impress. Do not stand out. Plain shoes, jeans, t-shirt. If you want to blend in, then blend in. You can look spectacular later. Pay attention to your surroundings. See if people are pointing cameras at you. Take detours and see if you see the same people over and over again. If you think you are being followed, validate that feeling by taking more detours and seeing if the same people are there. If you are confident you are being followed, let the people following you see you taking their photo or recording them. It helps if you have more than a phone – like a GoPro or a camera of some kind. Usually in that scenario they’ll have no idea WTF to do. The easiest way to not be a victim is to not simply lie down and take it. If you feel you’re being victimized, complaining about it on Facebook or writing a longwinded gif-riddled post on imgur will solve nothing. Get evidence of stalking or abuse. As much as you can. Confront the problem head on. If your abuser is physically abusing you get a restraining order and back that up with video evidence. http://www.wikihow.com/Be-More-Perceptive This is a good start.

TL;DR: everything on the internet leaves some kind of log. Don’t post stuff online then try to remove it. Just don’t post it in the first place. Don’t openly volunteer information for the sake of small talk. If someone asks how your day was, tell them – but don’t feel obligated to explain that it’s going poorly because your car insurance carrier dropped you because you were unable to make your last payment, and that was because trouble at work led to you being fired. That’s a lot to unpack and gives random people WAY WAY MORE INFORMATION than they need to just chat you up. It takes a bit of practice, but you can usually turn those kinds of conversations around onto them, and have them tell you a life story while not saying a word.

Krypt3ia

Physical:

  1. Enhance your situational awareness
  2. Understand where the cameras are and seek places with less of them to do business
  3. Understand where the cameras are and seek to obfuscate their seeing you (hat, glasses, scarf etc and look down, not into them.
  4. Randomize your routine, in fact do not have a routine
  5. Read up and practice counter-surveillance techniques (I can recommend books) but really having real practical experience and mentorship is key

Digital:

  1. Take all of the advice above in this document and use it.
  2. Leave your digital equipment behind or put them in Faraday bags
  3. Understand the precepts of OPSEC with regard to the internet
  4. Be vigilant

plumEndeavor to use more cash.  Every time you use a credit card, you’re generating data about where you are and what you’re doing.

Don’t allow mobile apps to use your location automatically, or at all.  Don’t check in.  The world doesn’t need to know you’re going for a run on your lunch break *right now*.  Tell them later about how you had a great run today, without mentioning where and when.  Small things like this. You’re not hiding your habits, you’re just removing the unnecessary precision in describing them.

Augment your digital protection strategy with self-defense skills.  You may never need to use them, but you’ll feel a hell of a lot more confident.  And when you’re confident, you carry yourself better, you’re more aware of your surroundings, and you turn the tables on being vulnerable.

Lloyd – Privacy and security are practice, and can’t be done alone. Your information, even your home address, is known and stored in devices and on paper by your friends, family, and coworkers. Most “hacks” occur via social engineering, where unsophisticated people are exploited for the information they keep. Educating the people around you should always be a part of any physical security practice.

Lesley – Pseudonyms and fake backgrounds aren’t just for criminals, people on the run, or spies. Sometimes, a little white lie is legal and okay, and even recommended. There are lots of places in your daily life where you can operate outside your real identity without even violating terms of use agreements. Countless examples include the fact that you don’t have to ship or receive packages at your house, you don’t have to provide real answers to your security questions, and you rarely are required to register for incentive or loyalty programs under your real name or address. Consider what information you are providing third parties out of naive, good-hearted honesty, versus what information you are providing out of legally-obligated honesty. Data collection and marketing firms don’t have your interests in mind. Why are you treating them like you have an honest, confidential relationship?

CiPHPerCoderIf you can, turn your phone off and take the battery out when traveling or discussing anything sensitive with your friends or family. Try to practice common sense at all times. Don’t, for example, take needless selfies and then share them publicly on social media if you’re trying to attain better privacy. Simply put: They don’t need to know, so don’t tell them.

Paying with cash has two benefits: It’s not directly linked to your bank account, and it promotes better money management discipline than debit/credit cards (which in turn will allow you to save money toward some of the solutions discussed above that might be out of your budget).

evacideA lot of the advice above means making major changes to the way you live. Think about how much you’re willing to change in order to avoid your stalker/abuser. A lot of victims are trying to balance their desire for privacy and distance from their abuser with a desire to continue living their lives in a normal fashion. Some simple steps such a person can take include using a pseudonym on social media accounts, locking down one’s social media accounts so that content can only be viewed by trusted friends, and making one’s trusted friends aware of the situation so that they can alter you if they are contacted by your stalker/abuser trying to get information out of them.

Munin – The advice above is all good, but ultimately, the real problem is in balancing proper paranoia with the ability to function as a person. This is very difficult.

Balancing the need to stay hidden with the very real psychological dangers of isolation is difficult even for trained professionals – so maintaining such a cover will necessarily cause stress and strain. If you have anyone that you can trust, make sure you can stay in contact with them to keep an even keel. That will help with balance, and help you remember how to use the other advice appropriately.

★ ★ ★

(Additional credit on this article goes to Bill Sempf, who contributed extensive expertise on skiptrace investigative methodology.)

All opinions in this article are that of the individual contributors, and do not necessarily reflect the views of their employers, past, present, or future.

Ask Lesley InfoSec Advice Column: 2017-01-30

Posted on by

Thanks for another wonderful week of submissions to my “Ask Lesley” advice form. Today, we’ll discuss digital forensics methodology, security awareness, career paths, and hostile workplaces.

 

Dear Lesley,

I’m a recent female college graduate that didn’t study computer science but is working in technical support at a software company. The more I learn about infosec, the more curious and interested I get about if this is the field for me. What do you resources/videos/courses/ANYTHING you recommend for people who want to make a serious stab at learning infosec?

– Curious Noob

Dear Curious,

I’m really glad to hear you’re discovering a passion for infosec, because curiosity is really the most fundamental requirement for becoming a good hacker. I wrote a long blog series about information security careers which I hope you may find helpful in discovering niches and planning self-study. For brevity’s sake, here are some options for you.

  • Study up on any fundamental computer science area you’re underexposed to in your current work – that means Windows administration, Linux administration, TCP/IP, or system architecture. You need to have a good base understanding of each.
  • Get involved in your local CitySec, DEF CON local, or 2600 meet up group. They are great networking opportunities and a fabulous place to find a mentor or people to study with. There are meet ups all over the world in surprising places.
  • Consider attending an infosec / hacking conference. The BSides security conference in the nearest major city to you is a great option and should be very affordable (if not free). Attend some talks and see what speaks to you. Consider playing in the CTFs or other security challenges offered there, or at least observing.
  • Security Tube and Irongeek.com are your friends, with massive repositories of conference talk videos you can watch for free. Nearly any security topic that piques your interest has probably been spoken about at some point. I would favor those sites over random YouTube hacking tutorials which really vary in quality (and legality).
  • Consider building your own home lab to practice with basic tools and techniques. Networked VMs are adequate as long as you keep them segregated: Kali Linux and a Windows XP VM are a great place to start. You need to take stuff apart to learn about hacking.

These are only some brief suggestions – there’s no streamlined approach to becoming a great hacker. Get involved, ask questions, and don’t be afraid to break stuff (legally)!


Dear Lesley,

What do you do when you provide security awareness training to your employees, but they still click on phishing links!

– Mr. Phrustrated

Dear Phrustrated,

Beyond generally poor quality “death by PowerPoint” training, one of the biggest problems I see in corporate security awareness programs is poor, unsustainable measures of success. For instance, it’s become really trendy to conduct internal phishing tests to identify how many people click on a phish. It’s incredibly tempting to show off to executives that this number is trending down, but that metric is really pretty worthless.

No matter how ruthlessly trained, somebody (and anybody) will click on a well-enough crafted phish, and it only takes one compromise to breach a network’s defenses. What we should be measuring is the reporting of phishing messages and good communication between employees and the security team. The faster we know an attack is underway, the faster we can respond and mitigate the threat.

In conclusion, you should be less concerned if “somebody is still clicking” phishing messages than if nobody is telling you they clicked, and they resist or lie in embarrassment when asked.

Dear Lesley,

Is there a mental checklist while doing digital forensics to not make your evidence point to your quick conclusions, even if you think you have seen a similar case?

– Jack Reacher Jr.

Dear Jack,

Identifying that this is a problem is a great first step. While intuition is an important part of being a good investigator, sound methodology is even more important. The checklist you use to collect evidence and perform an investigation is going to vary by where you work and what types of things you investigate, but you should always have and follow a checklist – and I recommend it be a paper checklist, not mental.

Don’t ever shortcut or skip steps, even when you’re in a high pressure situation. Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document ever step you take so that a colleague (or a legal professional) can follow your work even far in the future.

Finally, always remember that in a digital forensic investigation we are generally providing evidence to reach conclusions about “what, when and how”. “Who” is shaky ground, because in most cases it involves context outside the digital device. “Why” is almost never the business of a forensic analyst (and is indeed often not within the capacity of a company to responsibly answer). If you find yourself looking for evidence to fit a presumed “why” scenario, you have a big problem and you need to step back.

Dear Lesley,

I’m this girl like I said, who just started working in the field, and for the past 4 months, I worked at this huge corporation, who has, among other services, an information security related one, offering technical security (pen testing, …) and non-technical security services. At that time, I had little information about advanced hacking techniques as well as the good practices that should be followed to secure our systems.

During the first weeks I got hacked by someone who’s working with me, and I was harassed and shamed by them since then. I knew it because this person would talk about their findings to everyone, even to non-technical people, in the corporation. People would look at me and laugh, smile, smirk, or look at me pathetically, in addition of other situations.

Knowing that this person is an expert (12 or more years working in information security) and that I don’t have any proofs on their actions, what should I do in your opinion ? What kind of advice would you give to girls and women like me, who want to work in the field but get harassed by their experienced co-workers instead of being encouraged by them ?

– I

Dear I,

Your story gave me pause enough to discuss it substantially with several colleagues in information technology who have also worked in extremely hostile environments.

This is a horrific situation. I want to make it crystal clear that this is utterly shameful on the part of your employer, your infosec colleagues, and your organizations’ corporate culture. I truly hope it does not drive you from our field. The most important thing I can tell you is that this is not your fault. and this is not normal.

The first thing I recommend you do is document everything that’s happening in as much detail as possible, even if you don’t feel you have evidence right now. The activity you’re talking about may not only be harassment, but violate hacking laws. Since device compromise is a concern, please maintain this documentation offline.

What you do next depends on factors you don’t mention in your note. First of all, if you have a trusted supervisor, manager outside your team, or senior mentor in your organization, please turn to them for assistance and ensure they are corroborating what has been happening to you on paper. It’s their responsibility to assist you in resolving the issue at a work center or corporate level, even if they’re not directly in your reporting chain.

If there’s nobody at all you can go to in confidence, the situation becomes substantially more unpleasant. Your options are to ignore the behavior to stick out the requisite ~2 years of entry level security at the organization(obviously the worst option), seek employment elsewhere, or contact an HR representative (with the risk of retribution and legal battles that can bring). Obviously, my personal recommendation is taking you and your computer straight to HR. As a wise colleague of mine pointed out, this is most likely not an isolated incident – the behavior and dismal culture will continue for you and others. Sadly, in some places in the world with less employment protections, this can carry the risk of termination. Keep in mind that it is okay to confidentially consult a lawyer within the terms of your employment contract, and pro bono options may be available.

If HR / legal action is not an option, you can’t find employment elsewhere, and you’re toughing it out to build entry level experience, please network and find a local mentor and support structure outside of your company as soon as possible. As well as much needed emotional support, these people could help you study, network, bite back, and explore other recourse against the employer. Feel free to reach out to me anonymously and we’ll try to connect you with somebody in your area.

Best,
Lesley

Thwart my OSINT Efforts while Binging TV!

Posted on by

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, (or last) service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou, next, which requires you search their database first and provide the numeric profile ID in your page(s) URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries, (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

 SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence, today.

***

It’s important to note that I’ve left a couple services out of this guide that are referenced in other comprehensive lists, (like this one), due to the complexity and frustration of removing data from their services. Notable examples, Intelius (and their many subsidiaries) and US Search unfortunately require a form and photo ID for information removal – the latter by fax or snail mail(!) So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.

 

Ask Lesley InfoSec Advice Column: 2017-01-19

Posted on by

Thanks for your interesting question submissions to “Ask Lesley”! This column will repeat, on no specific schedule, when I receive interesting questions that are applicable to multiple people. See further details or submit a question, here. Without further ado, today we have OS debates, management communication issues, nation state actors, and career questions galore!


Dear Lesley,

So last year’s Anthem breach was from a nation state – why would a nation state want to hack health insurance info? I understand the identity theft motivation of a criminal, but why do you think a nation state would want this type of data?

– Inquisitive

Dear Inquisitive,

First off, I can’t confirm the details of the Anthem breach – I wasn’t involved in the investigation and haven’t had the privilege of reviewing all the evidence. However, when generally talking about why a state-sponsored actor might want to acquire data, you have to look at a bigger picture than data sets. Nation states usually view hacking as a means to an end. They (ab)use data with a firm political or military objective in mind. Whether a nation state intended to steal 80 million records, or the theft was a crime of opportunity when looking for something more specific, what they stole may unfortunately be useful to them for years to come.

You can obviously already see how the data stolen in a healthcare breach is a treasure trove for general identity theft. The piece I believe you might be missing considers how the data could be combined with other public domain and stolen information to facilitate political objectives. If you already have a target in mind, healthcare data could be a great boon to social engineering, blackmail, and surveillance efforts. For example, consider how much leverage knowing that a target’s child is ill could provide. Or that a target family is hundreds of thousands of dollars in medical debt. These are attractive attack vectors. I can only speculate on potential scenarios, but based on my experience in OSINT, the data stolen from Anthem adds attractive private information about many millions of people.

 

Dear Lesley,

The ‘researcher’ portion of ‘security researcher’ implies graduate school – is PhD study in cybersecurity worth it? There doesn’t seem to be many programs that are worthwhile (except on paper only)

– Not in Debt, Yet


Dear Not in Debt, Yet,

That’s an interesting implication – not one I necessarily agree with based on empirical evidence. I know full time, professional security researchers studying everything from exploits to governance who have every level of formal education, from GEDs to PhDs.  I do see certain fields of security research represented in higher education more than others – a couple examples are high level cryptography and electronic engineering.

I have always been an advocate for higher education and I see little harm and many benefits in getting a good education in a field you enjoy (particularly, a well-rounded education) if you can afford it. However, at the present, there are very few information security careers or communities of research which require a degree, and fewer good quality degree programs. You should see few credential-related barriers to participating in or publishing security research if your work and presentation is good quality.

In some ways, existing exclusively in academia can also make it harder to work in practical security research, as the security field changes more quickly than university curricula can keep up. As a result, some academic security research ends up impractical and theoretical to a fault. (See my yearly rants on steganography papers.) If you go the academic route, choose your field of study carefully, and be careful not to lose touch with the working world.

Dear Lesley,

While working on my 5 BILLION dollar data breach, I wanted some blue cheese dip and chips (The Spice House in Chicago has the best mix btw), a co-worker looked at me with disgust. Am I wrong? Also what’s a good resource to learn about file carving?

– Epicurean EnCE

Dear Epicurean,

Clearly, your coworker is a Ranch dressing fan and should therefore be looked upon with disdain. In regards to file carving, your mission, (should you choose to accept it), is to review how files are physically and logically stored on a hard drive. Next, you’ll want to start familiarizing yourself with typical file headers and footers. Gary Kessler has a pretty killer list, here. Some file types will be more relevant to your specific work in forensics than others; I can’t tell you which those will be.  Your best bet is to pick a couple file types you look at a lot and look at them in a hex editor, then start searching for them in a forensic image.

Brian Carrier’s File System Forensics book, while a bit older, is still a stellar resource for understanding How Disk Stuff Works. SANS SIFT kit includes the tools you will need to get started carving files from disk, and the associated cheat sheets will help with the commands.

If you want to carve files from packet captures, similar header/footer knowledge is required, along with a different tool set. Wireshark’s export alone will often suffice; if it fails, look at Network Miner.

Dear Lesley,

What was the silliest / dumbest thing you’ve googled this week?

– Curious in Cincinnati


Dear Curious,

“The shirt, 2017”

I still don’t get what’s up with that.

 

Dear Lesley,

I teach high school computer science courses and many students biggest interest is infoSec stuff. What should they do to prepare at that age? Any recommendations on software or skills I can teach them? I’m willing to put in the time and effort to learn things to teach and we have class time, but this isn’t what my tech career focused on so I need some help. Thank you, you’re the best!

– Mentor in Michigan

Dear Mentor,

Being a crummy hacker requires learning to use a few tools by following YouTube. Being a good hacker requires a great deal of foundational knowledge about other, less entertaining computer stuff.

The better one knows how computer hardware, operating systems, and networks work, the better he or she will be at hacking. If kids come out of your classes unafraid of taking their own software and hardware apart, you did your job right. That means a lot of thinking about how Windows and Linux function, how computer programs work all the way down to Assembly, and how data gets from point A to point B. If you are going to encourage kids to take stuff apart, make sure they also understand that law and ethics are involved. Provide them a safe and legal sandbox to explore, and explain why it’s important to know how to break things in order to fix them.

As an aside – by high school, kids are more than old enough to be actively participating in the infosec community if they wish. Numerous kids and teens attend and even present at hacker events, these days; in fact, many conferences have educational events and sponsorships specifically for youth.

 

Dear Lesley,

 I normally use a Chromebook, but I also have to use Windows 10 so that I can use Cisco packet tracer (I’m studying CCNA). I really trust the security of my Chromebook, but Windows 10 – not so much. I have antivirus, anti-exploit and anti-ransomware software on my Windows laptop. But my question to you is: Is there a resource that you know of that can help lock down Windows 10 for the home user? Most of what I find is for enterprises and Enterprise versions of Windows 10 and if I do find something for the home user it invariably talks about privacy rather than security.

–  Kerneled Out


Dear Kerneled Out,

The OS wars, while somewhat befuddled by 2016, are alive and well. There are dogmatic Linux fans, and dogmatic Windows fans, and so on and so forth. My opinion is that every OS has its place when used correctly by the right person. Many serious security people I know use every major OS on a daily basis – I sure do.

Swift On Security has a nice guide here on securing Windows 10 that should suit your needs.

As for Chrome over Windows – please don’t fall into the “security by obscurity” trap that MacOS and Chrome can encourage. They are both solid OSes with interesting ideas on security, and viable choices for home and business use cases. However, modern versions are not inherently more or less secure than modern Windows. MacOS, Windows, Chrome, and major Linux distros are as secure as they are configured and used by human beings. Of course, the complexity of configuring them can vary based on user experience and training.

 

Dear Lesley,

How come everyone wants 5 years experience for an entry level infosec job? I’ve been trying to get gainful employment in an offensive role for more than 6 months and no one wants anyone with less than 5 years of pentesting/red teaming experience. Can’t exactly do pen tests until you’re a pentester, so what do I do?

– Frustrated

Dear Frustrated,

I’m sorry to hear you’re having so much trouble finding a position. I have written quite a lot about infosec career paths and job hunting in previous blogs, and I hope that they can assist you a little. Red teaming is unfortunately much harder and more competitive to find work in than Blue teaming, so my suggestions here are not going to be particularly pleasant:

  • Consider your willingness to move. There are simply more red team jobs in places like DC and the west coast.
  • Consider if you can take a lower-paid internship. It sucks, but it’s an in, and pen testing firms do offer them.
  • Consider doing blue team SOC work for a couple years. It’s not exactly your cup of tea, but it will give you solid security experience.
  • Network like crazy. Get to the cons and the meet-ups in person. Talk to people and build relationships.
  • Do research and speak about it. Pick something that intrigues you, even if you have no professional experience, and do a few months work, and submit to a CFP. It will get you name recognition.

Dear Lesley,

Many infosec professionals feel that signature-based antivirus is dead. If that is the case… What do you recommend we replace it with to protect our most vulnerable endpoints (end users) with?

– Sigs Uneasy

Dear Sigs,

That’s the kind of black and white statement that makes a good headline, but exaggerates the truth a bit. Yes, there are a couple companies who have been able to ditch antivirus because of their topology and operations. The vast majority still use it. While signatures alone don’t cut it against quickly replaced and polymorphic threats, other antivirus features, such as HIPS and heuristics, still provide a benefit. (So, if you’re still using some kind of antivirus that can’t do those things, it’s time to upgrade.)

Antivirus today is useful as part of a “defense in depth” solution. It is not a silver bullet, and it’s certainly defeatable. However, it still catches mass malware and the occasional targeted threat. The threats AV misses should be caught by your network IPS, your firewall, your web filters, your application whitelisting solution, and so forth. None of those solutions is bulletproof alone, and even the efficacy of trendy solutions like whitelisting is limited if you don’t architect and administer your network securely.

Dear Lesley,

I was testing a network and found some major flaws. The management doesn’t seem too bothered but I feel the issues are huge. I want to out them because these flaws could impact many innocent people. But if I do, I won’t be hired again. I look forward to your response.

– Vaguely Disturbed

Dear Disturbed,

Before whistle-blowing and potentially getting in legal trouble, I highly recommend you approach this argument from a solid risk management perspective. Sometimes, “it could be hacked” means a lot less to management than, “9 companies in our industry were breached in 2016, and if we are, it will probably cost us over 70 million dollars in lost revenue”. If you have access to anybody with a risk analysis background you can reach out to under the relevant NDA, I highly recommend you have a chat with them and put together a quantified, evidenced argument, ASAP. The more dollar signs and legal cases, the better your chances of winning this.

At the very least, win or lose, ensure you’ve covered your butt. This means written statements and acknowledgements stating you clearly explained the potential risk and also that they willfully chose to ignore it. Not only does requiring a notarized signature make the appearance of threat go up, but it will be helpful in case they decide to blame you or your employer two years from now.

I would suggest you consult a lawyer before breaking NDA or employment contract by whistle blowing, no matter how noble your intentions. I am not a lawyer, nor do I play one on TV.

Dear Lesley,

I make software and web applications that connect to software and services from other companies. Sometimes those companies disable or cripple some features due to possible security exploits. When I’ve met with security people from those companies and asked them about the features they nerfed (disabled or crippled), I’m met with an awkward silence similar to the vague errors I get from their servers. As a developer, I’m so used to the open-source community that wants to help that this feels weird. Is there some certification, secret handshake, or specific brand of white fedora I need to have conversations with security people about their products security issues? Just trying to learn and grow, and not cause a mess for anybody.

– Snubbed

Dear Snubbed,

No secret handshake. Here are a couple suggestions from the receiving end of these types of concerns:

  • Set up a security lab with your applications and a client on it. Install a Snort or Suricata sensor(s) with the free Emerging Threats ruleset in the midst of them to intercept their communication. (Security Onion is a nice, relatively easy to install option.) Send normal application traffic back and forth and see what security signatures are firing on the network.  That will give you some idea of what might be getting blocked before you even start the discussion (and help you reduce false positives).
  • Ensure your applications are getting proper vulnerability testing before release. Again, even if you’re coding securely and responsibly, this can help reduce false positive detection by vulnerability scanners or sensors.
  • Ask the security people what security products or appliances they are using on the hosts and on the network, and what signatures are firing. You might not have access to a 20,000 dollar security appliance to test, but their sensor might have full packet capture functionality or verbose logs that will help you troubleshoot.
  • Try to build a better professional relationship with these teams if you can. If they’re involved in a local security group, perhaps drop by and have a drink with them.

 

Dear Lesley,

I’m feeling it is time to move on from Windows XP, but only because many things no longer support it, and 3Gb is a bit limiting when running VMs and the like. I’ve tried Windows 10, and it is completely alien, and I worry about security – it streams things back to Microsoft, and is less secure than my hardened XP install. I’ve tried Mint Linux, and that was quite good, but underneath it is even more alien than Windows 10. I’ve heard of BSD, but I’m worried that my political career could be over if word about that got out, so I’ve not tried it. What do you suggest?

– Unsupported in UK

Dear Unsupported,

It is indeed high time to move off XP.

Windows XP is unsupported, highly vulnerable, and trivially exploitable by hackers. It is not in the same league as Windows 10 in terms of security. Even application whitelisting (which is considered a bit a last resort silver bullet in industry) isn’t a reliable means of securing XP against attacks anymore.

Yes, there are some IT professionals who dislike Windows 10. Those concerns usually have to do with things like UI, embedded ads and system telemetry, not the underlying security (which is quite well engineered).

If those are your specific concerns, a current version of Mint (which you tried), Ubuntu, or MacOS are all okay options. They would all need to be thoughtfully configured for security just as much as Windows. BSD will feel just as unfamiliar if you were uncomfortable operating in Mint, but I certainly don’t discourage you from giving it a try. Even MacOS is *nix based under the hood.

Unfortunately, it seems to me that you’re stuck with two options if you want to maintain any semblance of security: cope with your dislike of Windows 10, or dedicate some time to learning the inner workings of a new operating system. Either way, please get off XP as soon as possible.

Dear Lesley,

My friend, since birth – who I’ll call M. E., has had a 23-year, jack-of-most-trades career in IT. ME is currently serving as the IT Decider (and Doer) at an SMB financial firm. Over the last five years, ME has enjoyed focusing on security. Technology, security in particular, is still near the top of his hobby list. However, compared to when he started his IT career, ME places a greater value on having a work-life balance. ME wonders if it’s too late for a change to the cyberz – without “starting over.” In your experience, is there a reasonable way for ME to jump from the “IT rail” to the “security rail” without touching the third rail and returning to Go, without collecting $200?

– ME’s Friend

Dear ME’s Friend,

Your ‘friend’ sounds like a great candidate for many security positions, but he or she might have to take a pay cut. 23 years of experience in systems administration and networking is 23 years of experience in how to take things apart, which is really mostly what security is behind the neat hats and the techno music.

ME is going to need to figure out two important things. Firstly, ME will need to gain some security-specific vocabulary to tie things together – a course or certification might be a nice feather in the cap. Then, ME is going to have to carefully plan out how to present him or herself as an Awesome Security Candidate in interviews and resumes. That will involve taking those 23 years of generalized experience, as well as security hobby work, and selling them as 23 years of Awesome Security Experience. For example, it takes a lot of understanding of Windows administration and scripting to be a good Windows pen tester. Or, it takes a lot of TCP/IP knowledge to do packet analysis of an IPS signature fire. Every niche of security requires deep knowledge of one or more areas of general IT.

All that being said, there are some security skills that need to be learned on the job. I wouldn’t push ME towards an entry level gig, but it may not be an easy lateral move to any senior technical position, either. A good segue if seniority is critical might be security engineering (IPS / SIEM / log aggregation administration, etc).

Dear Lesley,

How does an organization go about starting a patch testing program? Ours seems to be stuck in a “don’t update it, you’ll break the application” mindset. –

– TarPitted in Texas

Dear TarPitted,

As I noted to a reader above, sometimes this type of impasse with management can only be solved through presenting things as quantifiable risk. If you are telling management that your application is vulnerable, and they are saying it will cost too much if it breaks when you patch it, somebody else is quantifying risk better than you. You’d best believe that team saying, “the application might break” is also saying, “if this application breaks, it will cost us n dollars a day”. So, play that game. Tell management specifically how much money and time they stand to lose if a security incident occurs. Present this risk clearly – get help if you need to from all of the impacted teams, your disaster recovery and risk management professionals, and even your finance team.

Your managers should be making a decision based on monetary and other quantifiable business impact of the application going down for patching, vs. the monetary and other quantifiable business impacts of a potential security incident at x likelihood. Once they do that on paper, you’ve done due diligence.

 

How do security professionals study threat actors, & why do we do it?

Posted on by

I receive a lot of great questions about my work in Digital Forensics and Incident Response (DFIR), and while I’ve written a bit on the topic of threat actors and attribution, I’ve been repeatedly asked some interesting questions about this in specific. In the interest of not answering the same question 101 more times, today I will attempt to tackle some of the most popular, difficult, and ambiguous ones.

Before we begin, there are a couple things that are really important to understand before we deep dive into a conversation about modern computer hacking:

  1. Digital attacks are often launched through hacked or infected computers which belong to innocent people or companies. Those computers might not even be in the same country as the bad guy. The bottom line is: gone is the notion of “just trace the IP address back”.
  2. There are often computers in many countries used in the same digital attack, whether as part of a big DDoS attack, or something more complex like exfiltrating some stolen data through a bunch of computers. The bottom line is: It’s not uncommon to see computers in 10 countries used in the same criminal operation, online.

With that in mind, let’s have a short chat about the strange world of attack attribution, the secret sauce that goes into making it happen, and why it sometimes appears like we as computer security professionals really, really suck at catching bad guys.

Why would anybody care who is hacking them?

I’ve noted before that for the average commercial company, it’s usually not terribly relevant to discuss the specific national origin of attacks at an executive level.  That energy is better spent in understanding why a breach occurred, and preventing it from happening again. Companies are rarely going to cease business operations in a country because of attacks sourced there.

That being said, it can potentially be helpful for the right operational security staff to have an understanding of the actors who are attempting to breach their defenses. Once a team knows that actor CRAZY HAMSTER is attacking their company, they can read reports on attacks by CRAZY HAMSTER against other companies. Reports often document tools, tactics, and procedures used by the attacker, and the security team can use this information to ensure they have appropriate mitigation and detection in place. It might also give the security team an idea of what ends CRAZY HAMSTER is trying to accomplish through their campaign of digital villainy.

Outside of the commercial space, things become a lot more complex. I’ve noted previously that espionage and sabotage are as old as human civilization – and they are still just as relevant to politics and warfare, today. It is very important to not think of “cyber war” as a domain entirely independent of the other realms of warfare, political maneuvering, and espionage. No matter how tempting it is to worry about catastrophic digital attacks on critical infrastructure or the internet, precedent and rhetoric support hacking mostly being used as one component of more complex global conflicts. So, hacking really has to be analyzed as one part of a whole, but it certainly shouldn’t be ignored.

 How can anybody know with any certainty who is hacking whom?

I’ve talked about the complexities of digital attribution in the past, and I always take the time to note that attribution is a complex, time-consuming process. That does not make it impossible, (with the right resources and substantial work hours), for qualified experts to make some determination beyond a reasonable doubt.

I already told you that IP addresses alone aren’t very useful for figuring out the source of attacks, anymore. That’s okay – that doesn’t mean that hackers and their tools don’t leave lots of digital evidence. In essence, the entire field of Digital Forensics and Incident Response (DFIR) centers around responding to and analyzing compromised networks, systems, and their logs, then providing detailed reports on what occurred. DFIR tends to focus on hard evidence like recovering deleted tools, files, and malware, retrieving command history and even tiny changes made to the computer, identifying communication with other systems, and then building a very comprehensive timeline of an attackers’ activity.

In plain English – an unencrypted computer hard drive is an archaeological treasure trove of information, containing stuff like what has been typed in a search bar, which sites were viewed in private browsing mode, what’s been plugged in to it, to what process started exactly five months and 16 days ago. Computer memory contains even more juicy details about use and abuse of computers. It’s very hard to hide every artifact of an attack on a computer that is not encrypted or hasn’t been powered down. Reliable evidence can persist for months, or even years.

Where DFIR tends to answer the “how”, “when”, and the “what” of a hacking incident, cyber threat intelligence strives to grow our understanding into “who” and “why”. Much like traditional Intelligence, good threat intel professionals take a more holistic approach in looking at attackers: taking hard evidence found by DFIR analysis and combining it with softer evidence like typical attacker behavior, linguistics, favored tools, target selection, previous attacker activities and indicators, and global events.

A balance of good quality evidence that DFIR discovers with the comprehensive view that good quality intelligence provides is the secret sauce that can allow agencies and researchers to point towards the source of an attack.

But what if reports on an attack or threat actor conflict?

It happens. Two good investigators can look at similar evidence and come to slightly different conclusions. Our recourse is to carefully read all available reports, then look hard at the quality of the expertise, reasoning, and access to evidence within each. Again, good detective work doesn’t lead to absolute certainty. The goal is to reach the most reasonable and supported conclusion possible. Some assembly is required.

But what about those “false flag” operations?

There’s certainly lots of precedent for false flag operations in the (very, very) long and storied history of espionage and counterespionage.  Digital attacks are no exception. Bad guys can try to pretend to be other bad guys, and people can claim credit for other peoples’ activities for a multitude of reasons.

This is why good intelligence, as opposed to merely digital forensics alone, is crucial to any attribution. It is rare to see a human computer compromise occur without any attacker mistakes (or evidence of those mistakes), and those small errors in syntax, language, or exploitation can be quite telling to a keen and attentive analyst.

Who are these commercial threat intelligence companies?

It takes a lot of resources for a company to build a large-scale threat intelligence program. So, a number of successful companies have popped up which hire intelligence specialists, linguists, security researchers, and political scientists to provide detailed threat intelligence to organizations, for profit. A small word of caution: keep in mind that while it is certainly in these companies’ best interests to be technically correct when they release reports and findings, they are still businesses and their objectives are to sell a product. They will probably not give everything away for free.

So if you know who’s hacking an organization, why aren’t they getting arrested?

Unfortunately, even if we know who is hacking who, there’s often not a lot we can do about the perpetrators. Hacking the attacker back in retaliation is extremely murky legal water, especially since we already noted that hackers like to use innocent people’s computers to launch their attacks. One misstep and we could end up sued or prosecuted ourselves. Government action could have even more severe repercussions.

We can certainly go to the appropriate law enforcement agencies and report theft, intrusion, or damage – indeed, I highly recommend it. However, LEOs don’t have it easy, either. Not only are their computer crimes groups often overtaxed by the surge in ransomware and phishing, but as we noted earlier, computer crimes often cross many international borders. Taking down a big criminal hacking operation usually takes coordination between private firms and several countries’ law enforcement agencies. That means each one has to approve and fund the takedown. It happens fairly regularly, but it’s a big effort.

Then, there’s the issue of state-sponsored attacks, which are a matter of politics above most law enforcement organizations’ ability to pursue. If one country conducts espionage or sabotage against a public or private institution in another, politicians must weigh retaliation for what was done versus the potential of souring international relations (or worse).

So, sometimes we really do know who is attacking, but there’s no feasible way to pursue them ourselves, right at the moment.

I want to see evidence of CRAZY HAMSTER attacking companies first hand. Why can’t I?

First of all, make sure you really can’t. Not every threat intelligence company uses the same nomenclature for the same actors – a sore spot for many security professionals. When in doubt, please check first, and ask if needed.

Many commercial intelligence companies and research firms produce reports for the public that contain an executive summary that is easily readable at any technical skill level. A good report should also contain substantial technical detail including indicators of compromise – specific evidence found in the analysis of the attack which can potentially be used to identify the same actor elsewhere.

Unfortunately, in any breach or attack, there will very likely be a lot of evidence unavailable to the general public. The first problem with releasing it all is that raw digital forensic evidence almost always contains proprietary and confidential data. That’s just the nature of raw network traffic and system drives. Even attacker activity alone usually contains passwords, account lists, and sensitive network configuration and vulnerability data. Some of this information may be made available to information sharing partners and colleagues through NDA/TLP, while some is kept strictly confidential.

The second problem is that any data provided to the general public is by its nature also being made available to the attackers. If they are still operating, showing all cards could really hurt efforts to bring them to justice.

Why aren’t you security professionals and researchers doing anything about these threat actors?

We are. While we might not be able to get every perpetrator arrested today, there are concerted efforts to share data on attackers and malware between commercial companies, law enforcement, and government agencies. The ISAC program is a great example of this. Many threat researchers and non-profit organizations release and share threat intelligence data and malware research for free.

Information sharing not only helps in law enforcement efforts, but it mutually improves detection of attackers and preventative security with their behaviors in mind. If we can’t stop the attackers right now, we can work together to hinder them at every turn.

Health and Wellness in InfoSec

Posted on by

Most of us know that being a hacker isn’t exactly the lowest stress gig out there. With the holiday season fast approaching, thinking about taking care of our well-being and that of our colleagues, family, and friends becomes even more important than usual. I’d like to have a quick chat about ways I personally have approached health and self-care, some lessons I’ve learned after nearly two decades in IT, and some suggestions for caring for yourself and those around us. Of course, I’m not a doctor. I don’t even play one on TV.  I can only speak to my own personal experiences coping with extreme and long-term stress. I hope they provide some food for thought.

Nutrition

Eating a portioned, balanced diet is an oft forgotten but very important element of our overall physical and mental health and longevity. How we eat is also very important. Let’s start with some really easy changes.

I’ve personally found great value in (whenever possible) ensuring I eat on a regular schedule. I also try force myself to eat a minimum of a couple meals a week at a table (not in front of my computers or my TV), from an actual plate. This forces me to eat more slowly, control portions, and gets my focus away from work and news during the meal.

It’s no secret that I’m a pretty incompetent chef, which sometimes hurts my eating habits. I’ve worked hard to balance this out a bit by eating more steamed and raw vegetables and fresh fruit, carefully reading nutrition, preservative, and preparation facts on microwave meals, and occasionally utilizing delivery services with semi-prepared or pre-prepared healthy meals. I also try to get together for shared meals with friends or family on a regular basis (they cook, I bake, everybody lives 😉 ) Check out MealSharing if you don’t live near friends or family, or arrange something with your local hacking group. I saw a lot of Hacker Family holiday meals out there this year.

I’ve never seen a ‘fad diet’ or non-FDA-approved weight loss pill that worked long term – I’m not even terribly keen on excessive meal replacements. Be cautious about anything that seems too good to be true. We’re hackers, and we are some of the best out there at uncovering bad science and scams. Never forget to research while looking for a quick fix. Unless your doctor says otherwise, start with simple things like portion control, balanced nutrition, fresh foods, and avoiding too much added sugar and sodium. Eating sensibly and reducing portions is a lot easier to stick with than drastic dietary changes and lack of variety, in the long term.

Finally, try to drink more water. There are tons of reasons to avoid the added sugars of soda and the sugar substitutes in calorie-free drinks, as well as excessive caffeine and alcohol consumption. Drinking more water can make a huge physical and mental impact on our health. Using reusable water bottles instead of plastic soda bottles or cans is also great for the environment.

Exercise

Many people in information security work long hours and travel extensively. This makes getting regular exercise difficult. So, let’s have a little chat about the exercise that wiser experts than I say you should be doing at a minimum.

The American Heart Association currently recommends the following for healthy adults:

For Overall Cardiovascular Health:

  • At least 30 minutes of moderate-intensity aerobic activity at least 5 days per week for a total of 150

OR

  • At least 25 minutes of vigorous aerobic activity at least 3 days per week for a total of 75 minutes; or a combination of moderate- and vigorous-intensity aerobic activity

AND

  • Moderate- to high-intensity muscle-strengthening activity at least 2 days per week for additional health benefits.

For Lowering Blood Pressure and Cholesterol

  • An average 40 minutes of moderate- to vigorous-intensity aerobic activity 3 or 4 times per week

Obviously, 75 – 150 minutes of exercise can be pretty hard to get when we’re working long nights and sleeping at airports. Hotel gyms get really old. That doesn’t mean we shouldn’t still make an effort, because not only does exercise provide physical benefits, but it can get our minds off troubles as well.

In my personal experience, getting involved in group exercise classes in which missed attendance is noticed and checked on was a great help. I chose martial arts and yoga. Martial arts gave me a structured, moderate to vigorous intensity activity with concrete goals to achieve, and strict attendance and coaching requirements. Even if I’m exhausted and flying out the same night, I have to make my classes or provide a valid excuse.

Yoga provides me a low-medium intensity stress-relieving exercise activity I can do almost anywhere I travel. Finding yoga schools wherever I go for work has become an exciting adventure – I always meet new instructors with new ideas and perspectives. There’s no reason national or international exercise programs like crossfit, BJJ, or aerobics can’t provide the same for you. Find an exercise routine you find fun and captivating, not something that’s a chore you try to get out of. (Always consult a doctor and research the routine before starting a new exercise program – we’ll talk about this shortly.)

Community & Friendship

Introversion is pretty common in hackers; I’m no exception. As unappealing as it can feel, there are good reasons for us to have a community of support and a little regular interaction with other humans. We’re very fortunate as hackers to have a tremendous community of practice with many local, regional, and international events, which we all should try to attend if able. However, those don’t ensure that we aren’t isolated on a day-to-day basis. Folks who work from home are especially vulnerable to the trap of staying home surrounded by hobbies, games, and gadgets, frustrated with other people.

Ask yourself, “Have I spoken out loud to another human today?”.

There will be Really Bad Days in your life where the escapism of books, games, and the toys, and what box you popped aren’t enough. You will eventually need some support to dig out of a dark, overwhelming place. The best way to ensure that safety net is there is to build it right now, even as watching Netflix or con videos might seem a lot more fun and less stressful. Be part of the hacker community, your local community, and your communities of interest.

Yes, the internet is a great resource for friendships, especially when we’re geographically isolated from folks with similar interests. If possible, don’t rely on the internet alone. Make sure you have a couple real phone numbers to call on the Really Bad Day. Make sure somebody relatively local can pick you up at the hospital, or bring you a can of gas, or bail you out of jail on that Really Bad Day. Be that person for your friend’s Very Bad Day, too.  It can be very wearing to put yourself out there, but it’s easier to meet people with common interests and hobbies than ever before in human history. Join your local 2600, CitySec, or DEF CON local group.  I also highly recommend Meetup.com for finding or starting low-key hobby and geekdom groups in your area.

Remember that we have family that we are born with, but we can also have family that we choose – and sometimes those bring us much more compassion and care on the Bad Days.

Sleep

I promise, no matter what you think, you really, really do need it. Even if your 3 energy drinks tell you that you don’t. If you start crashing hard on your days off, repeatedly, you are probably pushing yourself too hard. The National Sleep Foundation recommends between 7-9 hours of sleep for adults. Below 6 hours isn’t even considered healthy on their scale. I know a lot of people in infosec talk about living on 4 or 5 hours of sleep routinely as a matter of pride, but you’re only hurting yourself (or your employees, if you promote this). You will very likely notice a physical and mental performance improvement when you get enough rest.

Humanitarianism

Kindness, service, and volunteer work not only help those around us, but they improve our personal well-being as well, and get us involved in local and global communities. A small act of kindness, like showing honest appreciation to people around us, or showing compassion to somebody in need, can make endless difference in another person’s life.

Quite a few of you might be surprised that I (a humanist and an atheist) go to church on a regular basis. Let me endeavor to answer the immediate questions raised by this. Firstly, I attend a humanist church that doesn’t promote any specific religious ideology (Unitarian Universalist). Secondly, it forces me to listen to people with varied philosophies about their concerns and their perspectives, which gives me a more nuanced and human view of worldviews that are different than mine. Thirdly, it allows me to be part of a supportive community of humanitarians who are also interested in helping less fortunate people in organized ways. Some problems are too big to tackle alone.

No matter your philosophical and spiritual views (or lack thereof), the idea of the golden rule is pretty universal. I personally ascribe to the concept of leaving the world a little better than I came into it, for future humans. Others did it for me, and we all benefit from random acts of kindness. Find a way to give back to the communities you are a part of by choice or by chance.

Seeing That Doctor

I honestly can’t count the number of friends in infosec, including myself, who have ended up in the hospital after ignoring health problems due to high pressure, fast-paced lifestyles. Nobody likes going to to the doctor, and health insurance can be a nightmare in the US. I can’t stress enough – learn from our mistakes, or suffer the consequences.

Even if you’re in your 20’s or 30’s, go to your yearly physical. Make sure you have routine blood work done to check for stuff like vitamin deficiencies. Vitamin D deficiency is super common in IT and shift work, and as many can attest it can have a huge impact on your physical and mental well-being. Get screened for cancer and hereditary conditions appropriately for your age, gender, and risk factors. No job is ever worth your life.

I’m Still Really Stressed, What Now?

Here are some thoughts for you.

  • Try to reduce excessive caffeine intake. It raises your heart rate, and artificially reduces your desire to get (needed) rest.
  • Have a cup of herbal tea. Take the time to put in some honey or lemon, and try to relax for a few minutes while drinking it.
  • Remove your social media apps from your phone if your feeds are stressing you out. Social media vacations are okay.
  • Actual vacations are okay, too. They are not a mark of shame. The things you did out of the routine are the things you will remember in a decade.
  • Call a friend, and chat for a while. Even better, chat with a friend in person.
  • Try a new hobby. Groupon Local is great for this. It doesn’t have to be something intense like skydiving. Try something low-pressure that you’ve always wanted to learn more about, like photography, painting, sushi making, or home brewing. It’s a big world out there, full of endless things.
  • Meditate. This doesn’t necessarily mean sit still on the floor, cross-legged. Moving meditation is a thing, too. Sweeping can be meditation. Lockpicking can be meditation. So can music or art. For something more traditional, Tai Chi, Hatha Yoga, and Qi Gong are organized moving meditation. We’re just talking about calm, repetitive motion activity that allows you to focus your thoughts and breathe without getting frustrated.
  • ASMR videos, however silly-seeming, help some folks relax.
  • For the “Type-A” hackers: find something to plan out that doesn’t stress you out. It can be a totally mental, pretend exercise. For example, plan out a vacation, a CFP submission, a research project, a business you’d like to start, or a job change. Have fun working out the logistics or details, and don’t worry about the real life roadblocks or requirements. If you get inspired, that’s great. If not, move on to something else.
  • Read an actual, physical book that you enjoy. Or replay an old game that you enjoy, that won’t stress you out. Something you equate to happy memories.
  • Finally, and most importantly,

Professional Help

There is no shame in seeking professional help when you’re in a dark place. While I’ve offered a few suggestions of possible ways to improve the quality of your life, health, and support structures, there are truly long term and short term conditions that can best be worked through with a licensed professional. Depression and substance abuse are sadly huge problems in the hacker family, and they call for proper care. We don’t want to lose anybody else. Please do not hesitate to seek out professional resources when you need them. You are valued. You are important. You can do good in the world.

The National Suicide Hotline: 1-800-273-8255
SAMHSA Substance Abuse Hotline: 1-800-662-HELP

Bridging the Gap between Media and Hackers: An Olive Branch

Posted on by

I had a lovely interview about IoT security with Emmy-award-winning reporter Kerry Tomlinson of Archer News this past week at BSides Jackson. It’s unfortunately rare in our field that we get to have such productive, mutually beneficial conversations with members of the media. There’s a lot of uncertainty and (often justified) lack of trust between both parties – which makes it easy to forget that presenting a coherent, technically correct, and comprehensible message on information security and privacy is crucial for everyone.

Since organizations like I Am the Cavalry are already approaching the outreach problem primarily from the side of security professionals, I’d like to take a slightly different approach by specifically addressing journalists and the media.

We need your help!

With the plethora of hacker conferences which are gaining legitimacy and attention across the world, there are many opportunities to address our community. Hacking conference call-for-papers are often open to everybody, not just people gainfully employed in security. You are welcome to apply and lend your unique perspective to these problems. It doesn’t have to be DEF CON or Black Hat. There are many smaller options which record and post talks, and have great reach within our community.

Here are some important topics which you could help educate us about, by sharing your perspective:

  • What is it like being a journalist covering security? What are the challenges?
  • How should we prepare for a media interview?
  • Many people in security feel burnt by misquotes and misinterpretations of their work. How can we better avoid this? What should we do if we feel we have been misrepresented by a media organization?
  • How can we better vet news outlets which want to work with us?
  • How can we help you as subject matter experts or fact checkers?
  • How can we help you present our most important security research to society without sensationalizing?
  • How can we better format and target our blogs and research for the media?

We want to help you!

There are plenty of security topics that are timely and  highly relevant to journalists and the media, and many of us are willing to offer education and insights to your communities of practice, if offered opportunities to do so.

Here are some topics which many willing security professionals (including myself) could provide a range of insights and training on at media conferences and educational programs:

  • How to conduct secure and private communications with sources and colleagues.
  • How to maintain operational security and avoid leakage of sensitive personal information.
  • How to secure computers and mobile devices.
  • Understanding, detecting, and avoiding social engineering.
  • How to approach hackers (white, grey, and black hat) for information on security research.
  • The realities of hacker “culture” and work, and how these differ from fictional stereotypes.
  • Current issues with malvertising on news sites, how to better decrease the risk thereof, and their effect on the rise of adblockers.

I want to take a moment to thank the many journalists and reporters who do fabulous coverage of security topics right now (especially Steve Ragan, who wrote the essential article on how to deal with the media as a hacker) who associate with our community on a regular basis. Thanks for dealing with our foibles and for doing great work.

Using Team Cymru’s MHR with Volatility

Posted on by

Today we’ll briefly discuss crosschecking Team Cymru’s Malware Hash Registry against files found in memory or hibernation files by Volatility. We’re going to do it by hand at the command line, as a quick exercise in some ways to manipulate both tools and think through command line problems. Please note Team Cymru places restrictions on automated use of their lookup tool, so don’t automate anything like this without speaking to them.

To do this, we’ll obviously need a memory image and a Linux environment with Volatility functioning (I recommend downloading the SIFT kit VM if you don’t have one). Our starting point in this exercise is after memory has been properly retrieved with an imaging tool, we’ve identified an appropriate Volatility profile with imageinfo, and we’ve identified a suspicious process or processes using our standard toolkit of commands like malfind, malsysproc, unloadedmodules, etc…

We shall begin by dumping some files of interest from our memory image using a command like moddump (which extracts kernel drivers) or dlldump. For this example we will simply be dumping dlls. To avoid a mess, we will first make a directory to put the dumped files in.

mkdir dlls

Next, we perform the dump. In practice, we should be focusing on specific suspicious processes using –pid, or the results of a search with –regex. There will be a cap on the number of hashes we can submit using this mechanism, so don’t try to submit the entire raw results of dumpfiles. However, as an example, examining only .exe files output by dumpfiles -n might be interesting. Each command has its purpose.

vol.py -f [mem]  –profile=[Profile] dlldump –dump-dir=dlls

(As a reminder, that command is:

vol.py -f [filename of the memory file] –profile=[The profile that imageinfo / kdbgscan identified) dlldump –dump-dir=[the path to our dump directory]  –pid=[suspicious process ID if available])

Now, we ought to have a big folder full of dll files which Volatility found in memory. Let’s head here and make sure everything worked okay.

cd dlls
ls

Team Cymru requires their input be in a specific format with a begin and end marker. So let’s make a new file that starts with that.

echo begin > hashes.txt

We can’t just use the output of md5sum or sha1sum because it contains two columns (hash and then filename) and the MHR service needs line-delimited hashes, only. We have to do something to remove that second column. There are a lot of solutions in Linux. In this example, I chose to pipe the results of md5sum into Gawk, with which I select only column 1. I’ll then stick that output into our hashes.txt file.

md5sum * | awk ‘{ print $1 }’ >> hashes.txt

(Grep is a powerful tool. We could certainly do some file filtering at this point if we failed to do so properly within Volatility – for instance, in our example of dumpfiles -n, this might be where we filter for only .exes, with md5sum * | grep .exe | awk ‘{print $1 }’ >> exehashes.txt)

Now let’s properly close our file as requested.

echo end >> hashes.txt

The bulk command line submission method for Team Cymru is netcat to whois. We shall upload the file we just made, and a new file with their response will be generated as a result.

netcat hash.cymru.com 43 < hashes.txt > hashescheck.txt

Remember that our syntax for netcat will be [destination server]  [port] < [the file we are sending] > [the returned output’s destination].

Now, we can check the contents of the resulting file. If we sent a larger list of files, we’ll probably want to filter out noise by eliminating any line returned NO_DATA. For verification, there should be a header returned at a minimum.

cat hashescheck.txt | grep -v NO_DATA

# Bulk mode; hash.cymru.com [2016-x-x x:x:x +0000]
# SHA1|MD5 TIME(unix_t) DETECTION_PERCENT

And that’s that!

(Please don’t ask me about submitting files to VirusTotal, because that already exists; all you’ll need is your API key.)