Category Archives: Security – computer and devices

Fingerprint-electronicInvestigation

Are You Unique – How to Check Your Browser Fingerprints & Online Privacy?

Think you have taken all measures to remain anonymous and untraceable online? Or are you still (unknowingly) leaving browser fingerprints that can be traced to you and your devices?

The good news is, there’s a way to check and confirm if you are unique in cyberspace.

A browser fingerprint, or device fingerprint, is the systematic collection of information about a remote device for identification purposes, even when cookies are turned off.

There’s a web site “Am I Unique” which you can visit and check by clicking “View my browser fingerprint” as shown below:

Fingerprinting-Browser

That should give much food for thoughts for the Christmas holidays?

According to a recent international survey on 23,376 Internet users in 24 countries, carried out between October 7, 2014 and November 12, 2014, which found some 64 percent confessed they’re more concerned today about online privacy than they were a year ago.

Privacy-survey

That’s one way to gauge the post-Snowden effects. And if you still wonder why privacy matters, I highly recommend the Glenn Greenwald’s TEDTalk on “Why Privacy Matters“.

FBI-SilkRoad

Shhh… The FBI Unmasking of TOR Users with Metasploit

I like to share this WIRED updates on the use of TOR.

The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users
By Kevin Poulsen 12.16.14 | 7:00 am

For more than a decade, a powerful app called Metasploit has been the most important tool in the hacking world: An open-source Swiss Army knife of hacks that puts the latest exploits in the hands of anyone who’s interested, from random criminals to the thousands of security professionals who rely on the app to scour client networks for holes.

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.

That attack, “Operation Torpedo,” was a 2012 sting operation targeting users of three Dark Net child porn sites. Now an attorney for one of the defendants ensnared by the code is challenging the reliability of the hackerware, arguing it may not meet Supreme Court standards for the admission of scientific evidence. “The judge decided that I would be entitled to retain an expert,” says Omaha defense attorney Joseph Gross. “That’s where I am on this—getting a programming expert involved to examine what the government has characterized as a Flash application attack of the Tor network.”

A hearing on the matter is set for February 23.

Tor, a free, open-source project originally funded by the US Navy, is sophisticated anonymity software that protects users by routing traffic through a labyrinthine delta of encrypted connections. Like any encryption or privacy system, Tor is popular with criminals. But it also is used by human rights workers, activists, journalists and whistleblowers worldwide. Indeed, much of the funding for Tor comes from grants issued by federal agencies like the State Department that have a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes.

With so many legitimate users depending upon the system, any successful attack on Tor raises alarm and prompts questions, even when the attacker is a law enforcement agency operating under a court order. Did the FBI develop its own attack code, or outsource it to a contractor? Was the NSA involved? Were any innocent users ensnared?

Now, some of those questions have been answered: Metasploit’s role in Operation Torpedo reveals the FBI’s Tor-busting efforts as somewhat improvisational, at least at first, using open-source code available to anyone.

Created in 2003 by white hat hacker HD Moore, Metasploit is best known as a sophisticated open-source penetration testing tool that lets users assemble and deliver an attack from component parts—identify a target, pick an exploit, add a payload and let it fly. Supported by a vast community of contributors and researchers, Metasploit established a kind of lingua franca for attack code. When a new vulnerability emerges, like April’s Heartbleed bug, a Metasploit module to exploit it is usually not far behind.

Moore believes in transparency—or “full disclosure”—when it comes to security holes and fixes, and he’s applied that ethic in other projects under the Metasploit banner, like the Month of Browser Bugs, which demonstrated 30 browser security holes in as many days, and Critical.IO, Moore’s systematic scan of the entire Internet for vulnerable hosts. That project earned Moore a warning from law enforcement officials, who cautioned that he might be running afoul of federal computer crime law.

In 2006, Moore launched the “Metasploit Decloaking Engine,” a proof-of-concept that compiled five tricks for breaking through anonymization systems. If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought. “That was the whole point of Decloak,” says Moore, who is chief research officer at Austin-based Rapid7. “I had been aware of these techniques for years, but they weren’t widely known to others.”

One of those tricks was a lean 35-line Flash application. It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address. It was a known issue even in 2006, and the Tor Project cautions users not to install Flash.

The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moore’s Flash code as its “network investigative technique”—the FBI’s lingo for a court-approved spyware deployment.

Torpedo unfolded when the FBI seized control of a trio of Dark Net child porn sites based in Nebraska. Armed with a special search warrant crafted by Justice Department lawyers in Washington DC, the FBI used the sites to deliver the Flash application to visitors’ browsers, tricking some of them into identifying their real IP address to an FBI server. The operation identified 25 users in the US and an unknown number abroad.

Gross learned from prosecutors that the FBI used the Decloaking Engine for the attack — they even provided a link to the code on Archive.org. Compared to other FBI spyware deployments, the Decloaking Engine was pretty mild. In other cases, the FBI has, with court approval, used malware to covertly access a target’s files, location, web history and webcam. But Operation Torpedo is notable in one way. It’s the first time—that we know of—that the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect.

The tactic is a direct response to the growing popularity of Tor, and in particular an explosion in so-called “hidden services”—special websites, with addresses ending in .onion, that can be reached only over the Tor network.

Hidden services are a mainstay of the nefarious activities carried out on the so-called Dark Net, the home of drug markets, child porn, and other criminal activity. But they’re also used by organizations that want to evade surveillance or censorship for legitimate reasons, like human rights groups, journalists, and, as of October, even Facebook.

A big problem with hidden service, from a law enforcement perceptive, is that when the feds track down and seize the servers, they find that the web server logs are useless to them. With a conventional crime site, those logs typically provide a handy list of Internet IP addresses for everyone using the site – quickly leveraging one bust into a cascade of dozens, or even hundreds. But over Tor, every incoming connection traces back only as far as the nearest Tor node—a dead end.

Thus, the mass spyware deployment of Operation Torpedo. The Judicial Conference of the United States is currently considering a Justice Department petition to explicitly permit spyware deployments, based in part on the legal framework established by Operation Torpedo. Critics of the petition argue the Justice Department must explain in greater detail how its using spyware, allowing a public debate over the capability.

“One thing that’s frustrating for me right now, is it’s impossible to get DOJ to talk about this capability,” says Chris Soghoian, principal technologist at the ACLU. “People in government are going out of their way to keep this out of the discussion.”

For his part, Moore has no objection to the government using every available tool to bust pedophiles–he once publicly proposed a similar tactic himself. But he never expected his long-dead experiment to drag him into a federal case. Last month he started receiving inquiries from Gross’ technical expert, who had questions about the efficacy of the decloaking code. And last week Moore started getting questions directly from the accused pedophile in the case— a Rochester IT worker who claims he was falsely implicated by the software.

Moore finds that unlikely, but in the interest of transparency, he answered all the questions in detail. “It only seemed fair to reply to his questions,” Moore says. “Though I don’t believe my answers help his case at all.”

Using the outdated Decloaking Engine would not likely have resulted in false identifications, says Moore. In fact, the FBI was lucky to trace anyone using the code. Only suspects using extremely old versions of Tor, or who took great pains to install the Flash plug-in against all advice, would have been vulnerable. By choosing an open-source attack, the FBI essentially selected for the handful offenders with the worst op-sec, rather than the worst offenders.

Since Operation Torpedo, though, there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that infected by the malware.

“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”

iPhone-Encryption

Shhh… DOJ Uses 18th Century Law to Make Apple Unlock Encrypted iPhones

It’s time to raise the antenna again on smartphone encryption matters.

Law enforcement agencies, particularly the FBI, have been desperately pressurizing the Congress to force Apple and Google to do away with their new default smartphone encryption. And authorities are apparently giving in.

According to an exclusive report by Ars Technica (below) earlier this week, court documents from 2 federal criminal cases in New York and California show the US Department of Justice on October 31 this year went as far as exercising a 18th century law – the All Writs Act – to compel Apple and at least one other company to cooperate with law enforcement officials in investigations dealing with locked and encrypted smartphones.

The 225-year-old law gives the courts the right to issue whatever writs or orders in order to compel someone to do something.

To the extent that Apple has recently beefed up encryption in its latest iOS 8, the fact that the DOJ would go to such absurd lengths might set worrying precedence – recall a recent ludicrous DOJ assertion that the new encryption standards would kill a child.

A more disturbing question: What would you do if you were FBI director James Comey making his rounds to denounce smartphone encryption?

Make the DOJ use the All Writs Act to force manufacturers to install convenient backdoors. Why not?

—————————————-

Feds want Apple’s help to defeat encrypted phones, new legal case shows

Prosecutors invoke 18th-century All Writs Act to get around thorny problem.
by Cyrus Farivar – Dec 1 2014, 10:00pm CST

OAKLAND, CA—Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.

In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.

Some legal experts are concerned that these rarely made public examples of the lengths the government is willing to go in defeating encrypted phones raise new questions as to how far the government can compel a private company to aid a criminal investigation.

Two federal judges agree that the phone manufacturer in each case—one of which remains sealed, one of which is definitively Apple—should provide aid to the government.

Ars is publishing the documents in the California case for the first time in which a federal judge in Oakland specifically notes that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.”

The two orders were both handed down on October 31, 2014, about six weeks after Apple announced that it would be expanding encryption under iOS 8, which aims to render such a data handover to law enforcement useless. Last month, The Wall Street Journal reported that DOJ officials told Apple that it was “marketing to criminals” and that “a child will die” because of Apple’s security design choices.

Apple did not immediately respond to Ars’ request for comment.

Meet the “All Writs Act”

Alex Abdo, an attorney with the American Civil Liberties Union, wondered if the government could invoke the All Writs Act to “compel Master Lock to come to your house and break [a physical lock] open.”

“That’s kind of like the question of could the government compel your laptop maker to unlock your disk encryption?” he said. “And I think those are very complicated questions, and if so, then that’s complicated constitutional questions whether the government can conscript them to be their agents. Then there’s one further question: can the government use the All Writs Act to compel the installation of backdoors?”

But, if Apple really can’t decrypt the phone as it claims, the point is moot.

“Then that’s pretty much the end of it,” Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, told Ars. “The writ doesn’t require Apple to do something that is impossible for it to do.”

Andrew Crocker, a legal fellow also at the Electronic Frontier Foundation, pointed out on Twitter on Tuesday that back in 2005, a different New York magistrate refused to accept the government’s invocation of the All Writs Act to obtain real-time cell site data.

As Magistrate Judge James Orenstein wrote at the time:

Thus, as far as I can tell, the government proposes that I use the All Writs Act in an entirely unprecedented way. To appreciate just how unprecedented the argument is, it is necessary to recognize that the government need only run this Hail Mary play if its arguments under the electronic surveillance and disclosure statutes fail.

The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature’s intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.

“Any capabilities [Apple] may have to unlock the iPhone”

One of the new phone search cases was filed in federal court in Oakland, just across the bay from San Francisco, while another was filed in federal court in Manhattan.

In the Oakland case, prosecutors asked a federal judge in to “assist in the execution of a federal search warrant by facilitating the un-locking of an iPhone.”

Ars went in person to the Oakland courthouse on Wednesday to obtain the documents and is publishing both the government’s application and the judge’s order for the first time here. The All Writs Act application and order are not available via PACER, the online database for federal court records.

“This Court has the authority to order Apple, Inc., to use any capabilities it may have to unlock the iPhone,” Garth Hire, an assistant US attorney, wrote to the court and cited the All Writs Act.

“The government is aware, and can represent, that in other cases, courts have ordered the unlocking of an iPhone under this authority,” he wrote. “Additionally, Apple has routinely complied with such orders.”

“This court should issue the order because doing so would enable agents to comply with this Court’s warrant commanding that the iPhone be examined for evidence identified by the warrant,” he continued. “Examination of the iPhone without Apple’s assistance, if it is possible at all, would require significant resources and may harm the iPhone. Moreover, the order is not likely to place any unreasonable burden on Apple.”

In response, Magistrate Judge Kandis Westmore ordered that Apple “provide reasonable technical assistance to enable law enforcement agents to obtain access to unencrypted data.” She did not specifically mention the All Writs Act.

But she added:


It is further ordered that, to the extent that data on the iOS device is encrypted, Apple may provide a copy of the encrypted data to law enforcement but Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.

Westmore’s language is a near-duplicate of a June 6, 2014 order issued by a different judge from the Northern California district, San Jose division, which is about 40 miles south of Oakland. There, Magistrate Judge Howard Lloyd ordered Apple to assist in the search of an iPad Mini, months before the release of iOS 8.

New spying tools afoot

On Tuesday, The Wall Street Journal reported on an order issued by a federal magistrate in New York in a case involving alleged credit card fraud.

In that Manhattan case, Magistrate Judge Gabriel Gorenstein granted the government’s proposed order on the same day as Westmore (October 31, 2014), also citing the All Writs Act, which compels the unnamed phone manufacturer to provide “reasonable technical assistance” in unlocking the device.

The mystery company could challenge the judge’s order, according to Brian Owsley, a former federal magistrate judge who now is a law professor at Indiana Tech.

“Unfortunately, we will probably not know because the issue will likely be sealed even though there should be more transparency in these issues,” he told Ars by e-mail, noting that during his tenure on the bench he could not remember a time when the government invoked the All Writs Act.

“It is only through greater transparency will we start to get the answers. If the provider simply complies we will know nothing. Here, Judge Gorenstein’s approach strikes me as very even-handed, but the inherent problem is that those who are concerned about privacy issues in general simply have to hope that the provider will speak up for us.”

But Orin Kerr, a law professor at George Washington University and a former federal prosecutor, does not believe that the seized phone in the New York case was an iOS 8 device.

“The government obtained a warrant on October 10 for a phone already in its possession,” he told Ars by e-mail. “Apple’s announcement was something like September 18. If it was an iPhone, it was probably an iPhone running [on] an earlier operating system.”

Still, Alex Abdo, the ACLU attorney, after reading a copy of the Oakland documents, concluded that the “government’s application raises troubling questions about the extent to which it can force companies to break the products they sell.”

“We are heartened, however, that the court recognized that possibility and stopped short of ordering Apple to come up with a way to decrypt its customers’ data,” he added.

“More broadly, it is disconcerting that the government is relying on a catch-all law to seek surveillance powers that it should be seeking from Congress and the public,” said Abdo. “If the government wants new spying tools, it should allow our democratic process to debate them openly first.”

UPDATE 1:50pm CT: Jonathan Mayer, a lecturer at Stanford Law, said that use of the All Writs Act is not as novel as it may seem. (He recommended his recent lecture on the subject!)

“The TL;DR is that there is nothing new about using the All Writs Act to compel assistance,” Mayer told Ars by e-mail. “And there is also nothing new about using it to compel assistance with unlocking a phone. That repeated language you saw? It’s provided by Apple itself!”

“As for the opinion discounting the All Writs Act, that had to do with surveillance under the Electronic Communications Privacy Act. Where ECPA applies, the All Writs Act doesn’t. (It’s just a default, as the court rightly noted.) Phone unlocking isn’t covered by ECPA, so the All Writs Act remains in play.”

USBdrive-Dropped

Shhh… USB Thumb Drives Everywhere

Here’s one topic I have long wanted to post and I found this one below serves a nice reminder: Just be careful with any USB thumb drives lying around. In fact, you should ignore them altogether because chances are good that they were there for a reason.

JamesRisen

Shhh… Glenn Greenwald with James Risen on “Pay Any Price: Greed, Power, and Endless War”

Photo (above) Source: https://www.youtube.com/watch?v=wZ68ZQhzwPs

I like to share with you this interview on the new book by James Risen, the two-time Pulitzer Prize-winning New York Times investigative reporter at the center of one of the most significant press freedom cases in decades who exposed the warrantless wiretapping of Americans by the National Security Agency as early as 2005, 8 years before the Snowden revelations. Risen also hit headlines after being on Obama’s blacklist after he was threatened with prison terms by the Justice Department for refusing to reveal the source of one of his stories.

And here is the transcript from The Intercept.

WhatApp-Read

Shhh… How to Prevent Someone from Knowing When You’ve Seen Apps Messages

Here’s a recent LifeHacker article that may be well received: a manual on how to turn off the “read receipt” feature in some of the most popular apps, including What’s App. And yes, that’s another one up for privacy.

BBC-MikeHarris

Shhh… Views on the “Don’t Spy On US” Campaign

I saw this Sky News clip earlier this week and thought I should share it. The 2 opposing views illustrate how these arguments could go on forever. But which side are you on?

Above from Sky News: The Campaign Director of the Don’t Spy On Us campaign, Mike Harris and the Director of the Centre for Security and Intelligence Studies at the University of Buckingham, Professor Anthony Glees discuss whether the UK needs more anti-terror laws.

Assange-EcuadorEmb

Shhh… Assange to Appeal Swedish Court Decision After Ecuador Guarantees Indefinite Asylum

WikiLeaks founder Julian Assange said he will appeal, according to The Sydney Morning Herald, after a Swedish appeals court upheld last Thursday an arrest warrant issued 4 years ago – for accusations of sexual assault and rape allegations that Assange said are false and politically motivated.

Meanwhile, Ecuador has voiced its continued support and guaranteed him political asylum for “as long as necessary”. So it looks like poor Assange will continue to live in the Ecuadorian Embassy in London where he has stayed for more than 2 years to avoid extradition to Sweden, which he feared would then hand him over to the United States where a death penalty possibly awaits if he is convicted of uploading troves of US government secrets through WikiLeaks.

LondonPolice

Shhh… Lawsuit After Proof of British Police Spying on Reporters for Years

A media friend once revealed how a stranger called him to offer some leaks, tried to force him to disclose his sources (which he declined) when they met and eventually coerced him to cooperate or “bear the consequences”.

He sought my advice after running away from the stranger – that he assumed to be a Chinese spy – as he reckoned all his communication channels have been snooped. It was a fear he lives to this day.

I suppose he is not as “lucky” as these British journalists (see story below), who filed a lawsuit against the London’s Metropolitan Police and Britain’s Home Office after they discovered evidence of how the British police have spent years stalking and detailing their movements.

UK Police Spied on Reporters for Years, Docs Show

LONDON — Nov 21, 2014, 12:28 PM ET
By RAPHAEL SATTER Associated Press

Freelance video journalist Jason Parkinson returned home from vacation this year to find a brown paper envelope in his mailbox. He opened it to find nine years of his life laid out in shocking detail.

Twelve pages of police intelligence logs noted which protests he
covered, who he spoke to and what he wore all the way down to the color of his boots. It was, he said, proof of something he’d long suspected: The police were watching him.

“Finally,” he thought as he leafed through documents over a strong black coffee, “we’ve got them.”

Parkinson’s documents, obtained through a public records request, are the basis of a lawsuit being filed by the National Union of Journalists against London’s Metropolitan Police and Britain’s Home Office. The lawsuit, announced late Thursday, along with recent revelations about the seizure of reporters’ phone records, is pulling back the curtain on how British police have spent years tracking the movements of the country’s news media.

“This is another extremely worrying example of the police monitoring journalists who are undertaking their proper duties,” said Paul Lashmar, who heads the journalism department at Britain’s Brunel University.

The Metropolitan Police and the Home Office both declined to comment.

Parkinson, three photographers, an investigative journalist and a newspaper reporter are filing the lawsuit after obtaining their surveillance records. Parkinson, a 44-year-old freelancer who has covered hundreds of protests some of them for The Associated Press said he and his colleagues had long suspected that the police were monitoring them.

“Police officers we’d never even met before knew our names and seemed to know a hell of a lot about us,” he said.

Several journalists told AP the records police kept on them were sometimes startling, sometimes funny and occasionally wrong.

One intelligence report showed that police spotted Parkinson cycling near his then-home in northwest London and carried detailed information about him and his partner at the time.

Jules Mattsson, a 21-year-old journalist with the Times of London, says another record carried a mention of a family member’s medical history, something he says made him so upset he called the police to demand an explanation.

“No one could possibly defend this,” he said.

Jess Hurd, a 41-year-old freelance photographer and Parkinson’s partner, said she was worried the intelligence logs were being shared internationally.

“I go to a lot of countries on assignment,” she said. “Where are these database logs being shared? Who with, for what purpose?”

The revelations add to public disclosures about British police secretly seizing journalists’ telephone records in leak investigations. Several senior officers have recently acknowledged using anti-terrorism powers to uncover journalists’ sources by combing through the records.

Some police argue they’re hunting for corrupt officers, a particularly salient issue in the wake of Britain’s phone hacking scandal, which exposed how British tabloid journalists routinely paid officers in exchange for scoops.

It isn’t yet clear how often the practice takes place, but the admission drew concern in Parliament and outrage from media groups.
Lashmar, a member of the National Union of Journalists who is not involved in the lawsuit, said the specter of terrorism was pushing police to be bolder and bolder about how closely they watch the nation’s press.

“Police seem to have got the message that journalists are now fair game and you can surveil and watch them,” he said.

USsenate2

Shhh… US Senate Vote Falls Short of Curbing NSA Surveillance

It’s a fitting scene from the classic movie Gone with the Wind with the famous closing quote “Frankly, my dear, I don’t give a damn”.

The US Senate vote on the USA Freedom Act Tuesday night to rein in the NSA spying power came shy of just 2 votes of the 60 needed to take up the legislation, which would have otherwise stopped the controversial phone record metadata collection by the NSA

Any hope will now hinge on June next year as the legal grounds for the NSA phone snooping, as revealed by the Snowden revelations, under the Patriot Act will then expire – which means the NSA would require then new legislation to justify their access to these mass data.

Wifi-Hear&See

Shhh… We Can Now Hear & See Wi-fi?

A new software called Phantom Terrains, developed by London-based science writer Frank Swain, can now help the deaf listen to the sounds of wi-fi signals.

The software would utilize the wi-fi sensors of an iPhone to pick up, analyze and transform the invisible data around us – in the form of wi-fi networks and radio waves – into audible sound which are then sent wirelessly to a customized Bluetooth-enabled hearing aid – see video below.

But it turned out that we can also see wi-fi signals – see pictures above and below.

Wifi-Signals

Wifi-Signals2

In a project called “A creative exploration of wireless spectres”, artist Luis Hernan used a “Kirilian device” to capture the images of invisible wireless networks that levitate around us at all times every day – the resulting eerie and ghost-like images are no surprise because Kirilian photography is often associated with paranormal activity.

DroneCamera

Shhh… A Personal Gadget to Block Wireless Surveillance Devices Like Drones & Google Glass

Are you concerned that someone might be spying on you using drones, Google Glass or hidden cameras and microphones – and streaming the recording online? Fancy owning a gadget that can detect and disconnect these intrusive surveillance devices?

A new German product called Cyborg Unplug, now available for online order (at 52 Euros), is designed to block wireless surveillance where you are most vulnerable – in public spaces where the devices can be easily prying, and streaming online, without your knowledge.

It sniffs the air for wireless signatures from devices you don’t want around, sending an alert to your phone when detected. Should the target device connect to a network you’ve chosen to defend, Cyborg Unplug will immediately disconnect them, stopping them from streaming video, audio and data to the Internet.”

But do note that whilst this Cyborg Unplug can disconnect the spying devices, it cannot prevent them from saving the video and audio recording locally. It’s only half the problem solved…

And equipments like the Cyborg Unplug are considered illegal in some countries, including the US.

QuietZone-US

Shhh… “Quiet Zone” for the perfect holiday?

Are you in trouble – still without any Christmas holiday plan? If that’s the case, maybe it’s a blessing in disguise.

Have you ever (even secretly) fancy a holiday with absolute peace, ie. where no one can reach or find you AT ALL? Or is that even remotely possible? Seriously, in this post-Snowden era?

Now, there’s actually a place where you’ll find no modern conveniences at all – no cell phones, no wi-fi and not even digital cameras? And it’s in the US: Pocahontas County in West Virginia.

Now where are my tents and books…??

Hotel-wifi

Shhh… Hotel Cyber Blues

Business travels carry a huge price tag in security risks. Hence a common (but unspoken) practice amongst sleuths is particularly noteworthy: Avoid the biggest hotels in the biggest cities.

This is relevant because a Kaspersky Lab report (below) released earlier this week found a sophisticated industrial espionage campaign aimed at business executives using in-house wireless connections in luxury hotels across Asia, with thousands of victims since 2009 who otherwise believed they were using private and secure networks.

However, the risk with using hotel internet (both LAN and wireless) connections is nothing new.

The FBI has warned 2 years ago about malware being spread across hotel wi-fi systems.

And in the scandal involving former CIA director David Petraeus and his mistress Paula Broadwell (picture below) back in 2012, the way the FBI managed to trace emails sent by Broadwell from her hotel rooms also underscored the problems associated with using supposedly secure hotel internet connections – despite her attempt to shield her identity by using anonymous email accounts, the FBI were able to find out where the emails were sent from (ie. which cities, which wi-fi locations and which hotels) which eventually led to her name.

DavidPetraeus&PaulaBroadwell-2

Previously on Shhh-cretly, several columns also highlighted the perilous voyage business travelers faced, especially in Asia and the risks go well beyond hotel internet connections. Some fellow sleuths are well aware of how some government would send their agents to break into hotel rooms when the house guests were out for the day. For example, a Shhh-cretly post 2 years ago revealed how the FBI had video footage, covertly taken in a hotel room somewhere in China, showing how Chinese agents broke in and swept through the belongings and laptop of an American businessman.

It also helps to know that the locks found on between 4 and 5 million hotel room doors worldwide can easily be opened by a simple hacking device.

And one is still not necessarily safe inside a hotel room, even if the door is locked and blocked. Spy gadgets may have been planted inside the room to snoop on the unwary house guests. And some rooms even have “spying walls“.

With these knowledge, some sleuths have gone to great lengths to protect themselves – such as planting a covert camera in the room, weighing a data-less laptop, with and without the battery, and the power plug before and after leaving the hotel room as well as hiding a SD card (which store all your data transferred from your laptop prior to a business trip, thus the data-less laptop) under the tongue, etc.

According to the Kaspersky report, “a key mystery remains how attackers appear to know the precise travel itinerary of each victim”.

Well, recall the Snowden revelations have also revealed that the British intelligence agency GCHQ had a secretive “Royal Concierge” program that broke into the global hotel booking system of some 350 luxury hotels for about 3 years, specifically to trace and wiretap the suites of traveling diplomats.

Now, has the world reached a state of paranoia?

Execs in Asian luxury hotels fall prey to cyber-espionage -study

By Eric Auchard
FRANKFURT Mon Nov 10, 2014 5:04am EST

Nov 10 (Reuters) – Security researchers have uncovered a sophisticated industrial espionage campaign that targets business executives in luxury hotels across Asia once they sign on to computers using in-room wireless connections they consider private and secure.

The attacks, which go well beyond typical cybercriminal operations, have claimed thousands of victims dating back to 2009 and continue to do so, Kaspersky Lab, the world’s largest private security firm, shows in a report published on Monday.

Executives from the auto, outsourced manufacturing, cosmetic and chemical industries have been hit, the security firm said. Others targeted include military services and contractors.

In 2012, the FBI issued a general warning to U.S. government officials, businessmen and academics, advising them to use caution when updating computer software via hotel Internet connections when travelling abroad (1.usa.gov/1xAP4YI).

Kaspersky’s report goes further in detailing the scale, methods and precise targeting of these attacks on top business travelers. (bit.ly/1xcU0Gs)

The movements of executives appear to be tracked as they travel, allowing attackers to pounce once a victim logs on to a hotel Wi-Fi network. Hackers cover their tracks by deleting these tools off hotel networks afterward.

“These attackers are going after a very specific set of individuals who should be very aware of the value of their information and be taking strong measures to protect it,” said Kurt Baumgartner, principal security researcher for Kaspersky, the world’s largest privately held cybersecurity firm.

Unsuspecting executives who submit their room number and surname while logging on to their hotel room’s wireless network are tricked into downloading an update to legitimate software such as Adobe Flash, Google Toolbar or Microsoft Messenger, Kaspersky said. Because attacks happen at sign-on, encrypted communications set up later offer no defence against attack.

The same elite spying crew has used advanced keystroke-logging software and encryption-breaking at multiple hotel chains across Asia, it said.

Kaspersky declined to name the executives involved or the luxury destinations targeted but said it had informed the hotels as well as law enforcement officials in affected locations.

Ninety percent of the victims came from five countries — Japan, Taiwan, China, Russia and South Korea. Business travelers to Asia from Germany, Hong Kong, Ireland and the United States have also been duped, Baumgartner said.

The Kaspersky report said a key mystery remains how attackers appear to know the precise travel itinerary of each victim, which points to a larger compromise of hotel business networks that researchers say they are continuing to probe. (Reporting By Eric Auchard; Editing by Clara Ferreira Marques)

SnowdenRick

Shhh… List of Celebrities & Intellectuals in Support of Snowden

More than 50 well known musicians, actors and Nobel laureates (full list below) have shown their support for Edward Snowden and other whistleblowers like WikiLeaks and they are encouraging the public, through their social media outlets, to donate to the Courage Foundation which oversees the official legal defense fund for Edward Snowden and other whistleblowers, as well as fights for whistleblower protections worldwide.

SnowdenMovie

Meanwhile, The Guardian reported that actor Joseph Gordon-Levitt (best remembered for his roles in “Lincoln,” “The Dark Knight Rises” and “Inception” – photo above) has been confirmed to play Snowden in a movie to be directed by Oliver Stone, who has won best director Oscars for “Platoon” and “Born on the Fourth of July”. Stone is also noted for his political films like “JFK”, “Nixon” and “Looking for Fidel”.

According to a press release Monday, the list of signatories in support of Snowden includes:

Udi Aloni
Pamela Anderson
Anthony Arnove
Etienne Balibar
Alexander Bard
John Perry Barlow
Radovan Baros
David Berman
Russell Brand
Victoria Brittain
Susan Buck-Morss
Eduardo L. Cadava
Calle 13
Alex Callinicos
Robbie Charter
Noam Chomsky
Scott Cleverdon
Ben Cohen
Sadie Coles
Alfonso Cuaròn
John Deathridge
Costas Douzinas
Roddy Doyle
Bella Freud
Leopold Froehlich
Terry Gilliam
Charlie Glass
Boris Groys
Michael Hardt
P J Harvey
Wang Hui
Fredric Jameson
Brewster Kahle
Hanif Kureishi
Engin Kurtay
Alex Taek-Gwang Lee
Nadir Lahiji
Kathy Lette
Ken Loach
Maria Dolores Galán López
Sarah Lucas
Mairead Maguire
Tobias Menzies
M.I.A.
W. J. T. Mitchell
Moby
Thurston Moore
Tom Morello
Viggo Mortensen
Jean-Luc Nancy
Bob Nastanovich
Antonio Negri
Brett Netson
Rebecca O’Brien
Joshua Oppenheimer
John Pilger
Alexander Roesler
Avital Ronell
Pier Aldo Rovatti
Susan Sarandon
Peter Sarsgaard
Assumpta Serna
Vaughan Smith
Ahdaf Soueif
Oliver Stone
Cenk Uygur
Yanis Varoufakis
Peter Weibel
Vivienne Westwood
Tracy Worcester
Slavoj Zizek

FBIdoc-OpOnymous

Shhh… Counting the Costs of FBI’s Operation Onymous

Op-Onymous

The FBI announced last week that law enforcement agencies including the bureau, the Department of Homeland Security and Europol have arrested 26-year old San Francisco resident Blake Benthall (below) who was allegedly the operator and administrator – under the handle “Defcon” – of the online drugs marketplace Silk Road 2.0, just a year after the original Silk Road’s alleged mastermind, Russ Ulbricht, was also arrested in San Francisco.

BlakeBenthall

According to related court documents, Benthall was charged last Friday with narcotics trafficking, as well as conspiracy charges related to money laundering, computer hacking, and trafficking in fraudulent identification documents – which Benthall reportedly “admitted to everything”.

“The website [Silk Road 2.0] has operated on the “Tor” network, a special network of computers on the Internet, distributed around the world, designed to conceal the true IP addresses of the computers on the network and thereby the identities of the network’s users,” according to the FBI.

The globally coordinated effort involving 17 nations dubbed Operation Onymous – obviously as opposed to the “anonymous” Tor network – has reportedly led to 17 arrests and a seizure of more than 400 “hidden services” and darknet domains, $1 million in bitcoins, $250,000 in cash plus a variety of drugs, gold and silver.

It later emerged there were actually just over 27 sites seized – including Silk Road 2.0 – instead of more than 400 as initially reported: the FBI spokesperson David Berman later clarified the 400 URLs amounted only to a dozen or so sites.

However, several pertinent questions surfaced:

- Is Tor still safe given the FBI has obviously broken (how?) into it?

- Is the world really a safer place after the FBI shut down a major “darknet” marketplace? What makes the authorities rule out the emergence of a more secure, bigger and effective Silk Road 3.0? (The FBI said in its press release that “Those looking to follow in the footsteps of alleged cyber-criminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired.”)

- How much of taxpayers’ monies were spent to make these 17 arrests in 17 nations with this global operation?

Blackberry-Encryption

Shhh… Former NSA Attorney: Encryption Behind Blackberry’s Demise & Warning to Apple and Google

The authorities hate smartphone encryption and it shows. And they’re in concerted efforts to wage a war against it.

In echoing the recent messages from FBI director James Comey and GCHQ chief Robert Hannigan, former NSA general counsel Stewart Baker told the Web Summit audience in Dublin earlier this week that the moves by Google and Apple and others to encrypt user data was more hostile to western intelligence gathering than to surveillance by China or Russia.

In a conversation with Guardian special projects editor James Ball, Baker used Blackberry as an example:

Encrypting user data had been a bad business model for Blackberry, which has had to dramatically downsize its business and refocus on business customers. “Blackberry pioneered the same business model that Google and Apple are doing now – that has not ended well for Blackberry,” said Baker.

He claimed that by encrypting user data Blackberry had limited its business in countries that demand oversight of communication data, such as India and the UAE and got a bad reception in China and Russia. “They restricted their own ability to sell. We have a tendency to think that once the cyberwar is won in the US that that is the end of it – but that is the easiest war to swim.”

Baker said the market for absolute encryption was very small, and that few companies wanted all their employees’ data to be completely protected. “There’s a very comfortable techno-libertarian culture where you think you’re doing the right thing,” said Baker.

“But I’ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished.

This latest anti-encryption blabbing drew quick defense from Blackberry COO Marty Beard, who found Baker’s remarks “don’t make any sense”.

“Security is a topic that’s increasing in importance,” Beard told the audience at FedScoop’s FedTalks event Thursday. “It’s the reason that all G7 countries and the G20 work with BlackBerry.

“We just see it growing in importance. The increasing cybersecurity threats are exploding, security across all [technology] layers is critical.”

2CCTVhack24-HanoiVN

Shhh… CCTVs Live Broadcast

Do not be surprised to find yourself and your treasured private space broadcast round the clock and around the world if whoever installed the security surveillance systems at your home, office or the public areas simply left the default login and password unchanged.

The still images captured (with high-speed broadband) below are just some samples for illustration – the compromised CCTV cameras were conveniently categorized by countries and cities plus the details and exact coordinates like:

- Latitude
- Longitude
- ZIP code
- Time zone
- Channels
- Manufacturer (of the camera)
- Default login
- Default password

According to the web site:

Here you can see thousands of such cameras located in a cafes, shops, malls, industrial objects and bedrooms of all countries of the world. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.

2CCTVhack8-Rome
Photo: Someone bought the latest iPhone in Rome, Italy?

2CCTVhack14-CorunaSPAIN
Photo: Early diners at a restaurant in Coruna, Spain.

2CCTVhack18-KrasnodarRUSSIA
Photo: Someone bothering a receptionist in Krasnodar, Russia?

2CCTVhack22-HanoiVN
Photo: She’s probably lost in Hanoi, Vietnam.

2CCTVhack13-BerlinGermany
Photo: He switched off the lights in a staff quarters at the end of the day in Berlin, Germany.

2CCTVhack11-BakerSt-London
Photo: A quiet part of Baker Street in London, England.

2CCTVhack17-SanFelipeCHILE
Photo: A busy gardener in San Felipe, Chile.

2CCTVhack9-AustinUSA
Photo: No one’s home in Austin, USA.

2CCTVhack16-LoPradoCHILE
Photo: Home in Lo Prado, Chile.

2CCTVhack20-KawasakiJPN
Photo: Home in Kawasaki, Japan.

SeattleTimes

Shhh… FBI’s Mock-Up As Newspaper to Hack Suspect’s Computer

Previously on Shhh-cretly, we reported how the FBI could legally impersonate someone’s identity to create a phony Facebook account in that person’s name without that person’s knowledge in order to reach out to suspected criminals – and separately the NSA also disguised itself as Facebook servers in order to gain access to the computers of intelligence targets.

Well the buck doesn’t stop there. It turned out that the FBI, in the spirits of catching suspects, was also involved in planting fake news stories: The editor of The Seattle Times found out only last week that the FBI made a mock-up of the publication’s website in 2007 in order to spread spyware onto the computer of a suspect.

The FBI is reportedly defending its right to rely on such tactics to prevent “possible act of violence” – and let’s not forget FBI director James Comey is not impressed with Apple and Google phones being “too secure” and he’s been busy making his rounds pressurizing the Congress to force Apple and Google to do away with their new default smartphone encryption so that the bureau can access those devices, in the namesake of law enforcement of course.

Or do you think the bureau has gone well overboard and beyond its restraints?

Right2Bforgotten

Shhh… The BBC “Forgotten” List (& Forgotten Company Directors?)

The BBC plans to publish a regularly updated list of articles removed from the search engine Google following the controversial “right to be forgotten rule”.

Google has so far received some 153,000 requests which have involved about half a million different link and 40 percent of these links have been removed. However, according to associate professor David Glance, director of the Center for Software Practice at the University of Western Australia:

… there is a great deal of concern about the sorts of things that are being removed. So, for example, information about former company directors have been removed. So various people are now asking for that type of information to be restored because it’s part of the public record and important information when you are considering the effectiveness or the background of a company or the directors.”