
Current and Future Assessment of U.S U.K and German Cyber Intelligence and Cyber Surveillance Programs and Tradecraft - An Analysis

March 26, 2021
Spooked by evil aliens? Did the Klingons do it again? Worried about your latest and very greatest porn collection leaking online? Thinking about your IP (Intellectual Property) as if it were a matter of U.S National Security? Want to find a meaningful way to contribute to a bigger cause, the U.S Intelligence Community? Keep reading.

In this rather long analysis I'll walk you through the currently relevant U.S Intelligence Community cyber intelligence and cyber surveillance programs, in no particular order, with the aim of provoking a meaningful discussion on their current tactics, techniques and procedures: how you can protect yourself and, most importantly, how the U.S Intelligence Community could "perform better". The analysis includes practical, software- and service-based recommendations for general users and organizations.

The data in this research has been obtained from Cryptome.org, the Snowden archive and the Electrospaces.net research blog, including the following archive.

For the purpose of this article I'll discuss the ABSOLINE EPILSON Top Secret program and use it as an example of how modern cyber surveillance and eavesdropping by the U.S Intelligence Community, other nation-state actors and rogue actors works. That establishes the foundation for a discussion in which I'll offer practical and relevant examples of the basics of how you can properly protect yourself from modern cyber surveillance and eavesdropping campaigns by nation-state and rogue actors.

Program name: ABSOLINE EPILSON - PDF - "This paper describes standard analysis techniques that have been used to both discover iPhone target end point machines and implant target iPhones directly using the QUANTUM system. It shows that the iPhone Unique Device Identifier (UDID) can be used for target tracking and can be used to correlate with end point machines and target phone. It highlights the exploits currently available and the CNE process to enable further targeting."

Current status: The program is active in terms of possible correlations between iPhone unique device IDs and an end user's end point Internet activity, namely traffic interception and Web site cookie acquisition for the purpose of profiling and active monitoring.

How it works: Every mobile device has a unique ID. The problem? The device tends to "phone home" to the manufacturer's infrastructure, and that ID can be uniquely attributed to an end user and, possibly, to their end point. The mobile device thereby becomes the "weakest link", potentially exposing the end user's end point Internet activities to the U.S Intelligence Community.

The digitally naughty part: Data correlation on a third-party device for the purpose of exposing the actual infrastructure behind the device, including related end points and devices associated with the user in question, is nothing new. The digitally naughty part? It can be done, and the mobile device in question, an iPhone in this particular case, can easily be labeled the "weakest link" in a corporate or private end user environment.

How you can make it work better: Shipping and delivery including supply chain infiltration tactics for the purpose of correlating unique mobile device IDs to a specific user isn't new, including possible "purchase-order-to-user-ID" correlation and data infiltration through basic social engineering and offensive CNO-based tactics. Potentially launching a targeted and geo-located phishing campaign on a per-country, per-city basis could definitely lead to positive results in terms of good old fashioned social engineering campaigns exfiltrating the necessary data including mobile device IDs, including possible browser-based Web-based decoys for the purpose of further exposing an end user's or an organization's private network and the correlated end point devices.
  • Target application-isolation software and service solution providers and owners - launching a variety of malicious and fraudulent potentially disruptive type of attack campaigns should be considered as an option for the purpose of ensuring that the project owner's time remains spent on fighting the malicious attacks including the eventual slowing down of the project development including the project's eventual shutdown. Possible portfolio of attacks might include online identity discrimination including spear phishing campaigns DDoS attack campaigns including possibly mail-flood attacks including possibly TDoS (Telephony Denial of Service attacks) against a variety of tailored and predefined project owner's contact points.
  • Develop an internal bug-bounty program for sand-boxing and application isolation software and service providers - crowd-sourcing the bug bounty through public and official channels including the possible outsourcing of the bug hunting process through third-parties while offering the necessary financial incentives might be the best approach to undermine the credibility of the project including the actual owner's credibility and reputation to maintain and operate the project.
  • Aim to wage disruptive warfare against private project owners - it should be clearly noted that modern Intelligence Agencies have the capacity to wage disruptive warfare against private project and software owners using a variety of means which include a variety of technical and human-oriented online disruption tactics which should be easily considered as a threat to the project and software owner's existence where the appropriate measures to protect their online assets should be taken into consideration.
  • Passively measuring and estimating product market-share for Targets of Opportunity - modern Intelligence Agencies have the potential to easily measure the product or project that also includes the software's market share in an attempt to better position a disruptive campaign targeting the project owner including the software owner in a variety of ways and positioning the project owner including the actual software owner as a Target of Opportunity to participate in related mass surveillance and eavesdropping campaigns.
How you can take measures to protect yourself: Consider obtaining one of the following "stripped" mobile devices, running a hardened mobile OS that offers in-depth, multi-layered security and privacy protection features for the purpose of bypassing widespread surveillance techniques. Possessing a "stripped" mobile device is crucial for the degree of personal privacy needed to stay ahead of current and emerging cyber threats, including widespread privacy violations by the U.S Intelligence Community and various other nation-state and rogue actors, including cybercriminals.

On the majority of occasions modern cyber surveillance and eavesdropping campaigns rely on passive or active SIGINT, which covers legal and passive lawful surveillance techniques as well as offensive techniques, such as direct attempts to interact with someone's online infrastructure for the purpose of compromising it and obtaining direct access to their digital assets, including personal information.

The first thing a concerned user should do is ensure proper network security beyond the ISP-supplied network router, which "definitely" comes with a built-in antivirus and anti-malware solution. In particular, pfSense offers advanced and market-relevant security and IDS/IPS (Intrusion Detection System and Intrusion Prevention System) functionality, including built-in malicious Web site blocking and a modern geolocation-based security feature. The same goes for Cisco Firepower ASA, a highly recommended and market-relevant network-based protection and IDS/IPS solution. Both devices are easily adoptable and cost-effective for basic network-level protection that can greatly assist against widespread nation-state surveillance and eavesdropping, including active computer network exploitation (CNE) attempts.

Among the key benefits of such a device is a basic network-level access policy that allows no unsolicited incoming traffic into the network, which greatly mitigates a huge number of attack campaigns, including active network reconnaissance. The second logical step is to use publicly accessible as well as proprietary sources of real-time threat intelligence so that current and emerging threats are properly taken care of: publicly accessible Web site blocking and URL reputation lists, and proactive and reactive solutions such as Snort, which offers pretty good coverage of current and emerging cyber threats, including high-profile network-based threats such as DoS (Denial of Service) and network reconnaissance.

It should be clearly noted that the public, free Snort rule set offers in-depth network-based protection against current and emerging threats and is updated daily with relevant signatures, which makes it a must. Cisco's proprietary Snort rule set is also updated periodically, and Cisco's Threat Grid offers real-time protection against current and emerging threats. The geolocation-based firewall allows a user to permit access only to a specific country's online assets and to deny access to the majority of countries internationally. This mitigates a breach scenario in which malicious software attempts to phone back and an attacker attempts to reach the compromised network: the geolocation-based firewall protects the network and its infrastructure from leaks, including possible IP (Intellectual Property) leaks, which would otherwise allow a nation-state or a sophisticated online actor to map and build a bigger picture of a company's or an end user's online activity as the foundation for related malicious attack campaigns against that network or end user.

Among the basic principles that should drive an individual or an organization seeking to protect itself from modern nation-state or rogue actor threats is the use of community-driven and commercially free services and products, including Snort and Cisco's global threat intelligence grid, for the purpose of preventing and responding to modern cyber attack outbreaks, including currently active and live threats.

Yet another highly recommended and extremely relevant proactive and reactive protection feature of Cisco's Firepower ASA appliance is the Botnet Traffic Filter, which offers an additional set of botnet traffic mitigation features and protects a compromised network from possible data leaks and from attempts by malicious software to phone back to a rogue and malicious infrastructure.

For users interested in protecting their mobile device from possible mass surveillance and eavesdropping campaigns, several measures should be considered: the use of a VPN on the mobile device; proper encryption of real-time and email communication, for instance with PGP; modern real-time communication protection mechanisms such as the OMEMO encryption feature of XMPP/Jabber; and the use of stripped, proprietary mobile devices, which greatly mitigate the threat posed by modern mobile malware, since a proprietary operating system often offers an additional layer of security and privacy for the user.

Recommended "stripped" mobile devices to use potentially preventing widespread surveillance efforts including personal privacy violations:
The next logical step is to ensure that the metadata on the device, in terms of Web browsing and the use of public and proprietary services, is properly obfuscated. A primary concern whenever you choose to obfuscate a particular set of data is supply-chain infiltration by the U.S Intelligence Community, in particular of purchase orders, which would allow it to correlate and potentially identify a particular end user. One of the primary concerns in today's Internet, largely dominated by widespread surveillance by the U.S Intelligence Community as well as rogue and potentially malicious actors, nation-states and cybercriminals, is the direct exposure of an individual's private network, including correlated events that could identify and track down a particular individual.

In terms of mobile device obfuscation, the end user is largely advised to take advantage of a personal firewall to monitor outgoing and incoming connections on the device, in particular blocking all incoming connections and closely monitoring outgoing ones. Furthermore, in terms of hardening their mobile device, an end user should ensure that it does not leak internal IP addresses or the device MAC address, which could expose the user's internal and private network and leave them vulnerable to "ABSOLINE EPILSON" type end point and mobile device targeting campaigns by the U.S Intelligence Community, other rogue actors, nation-state actors and cybercriminals in general. How should you proceed in order to achieve this? Keep reading.

Next to the general use of "stripped" mobile devices, end users should also consider the following highly recommended tactics, techniques and procedures for protecting their IP (Intellectual Property) and the confidentiality, availability and integrity of their mobile and end point devices:
  • WebRTC - Among the most common privacy-exposing scenarios in terms of "ABSOLINE EPILSON" remains the active utilization of unsecure browsing habits, namely a misconfigured browser or browser extensions, including the newly introduced "local IP exposing" WebRTC feature found in a variety of browsers. What should end users do to protect their local IP and add privacy and security features to their browser? Keep reading. The first thing a user should ensure from a network-based perspective is that their browser fingerprint remains as private as possible including the inability of the U.S Intelligence Community.
  • Personal Host-Based Firewall - the first thing to look for in a personal firewall is bi-directional functionality, allowing you to block all incoming traffic and to allow outgoing traffic based on a variety of rules, including whitelisting. The next logical step is to implement basic ARP-spoofing prevention, ensuring that neither your ISP nor your VPN provider can perform ARP-spoofing attacks, which could compromise the confidentiality of the targeted host and expose it to a multitude of network-based deception attacks.
  • HIPS-based firewall - a decent and highly recommended way to protect end points from malicious software, including Web-based client-side exploits that attempt to drop malware on the affected hosts, is a host-based intrusion prevention system, which can stop a wide variety of threats that would otherwise expose an end point to a multitude of malicious software; Comodo Firewall, for instance, is a highly relevant and recommended solution for a huge number of end points in terms of advanced and sophisticated malware protection.
  • Basic Network Deception - it should be clearly noted that every network is subject to possible compromise, including automated and targeted attacks, which could be prevented while allowing the network operator or user to gather cyber attack information that offers an in-depth peek at the attacker's activities, in particular the type of information they are interested in obtaining. Case in point is the use of a proprietary network-based deception appliance such as Thinkst Canary or the Nova Network Deception Appliance, which gives a network operator sophisticated deception techniques that trick an attacker into engaging rogue network-based assets, leaving the operator in a perfect position to gather intelligence on the attacker's real intentions while properly protecting the real infrastructure.
  • Custom DNSSEC-enabled DNS servers with a no-logs policy - worried about the U.S Intelligence Community and your ISP eavesdropping on your traffic and Web browsing history or launching man-in-the-middle attacks? Consider a free, privacy-conscious DNS provider with DNSSEC enabled and a no-logs policy, such as DNS Watch, which you can use without worrying that your Web browsing and DNS request history will be logged and potentially abused. A logical recommendation for improving an end point's defense-in-depth is the so-called protective DNS, which offers an additional layer of protection and is often available online for free; case in point is Cisco's Umbrella solution, available for free to end users and organizations.
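As an added example that is not part of the original post, the following script classifies the WebRTC ICE candidate lines a page script is able to read (the same data a "local IP exposing" check relies on) and flags whether a browser profile hands out RFC 1918 or link-local addresses instead of mDNS names; the candidate lines are constructed for the example, and the RTCPeerConnection hook is shown only as a comment so the script also runs under Node.

```javascript
// Added example (not code from the original post): classify the ICE candidates
// a browser hands to page scripts, to check whether WebRTC exposes private
// addresses. All candidate lines below are constructed for this example.

const PRIVATE_V4 = [
  /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, // RFC 1918
  /^169\.254\./,                                      // IPv4 link-local
  /^127\./,                                           // loopback
];

// Parse one ICE candidate line (RFC 8839 candidate-attribute grammar):
// candidate:<foundation> <component> <transport> <priority> <address> <port>
//   typ <type> [raddr <addr> rport <port>] ...
// Returns null when the line is not a candidate at all.
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, '');
  const m = text.match(
    /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/
  );
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
    raddr: m[8] || null, rport: m[9] ? Number(m[9]) : null,
  };
}

// Classify a candidate address. Modern browsers replace host IPs with a random
// mDNS name (".local"), which is what a hardened profile should show.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';
  if (a === '0.0.0.0' || a === '::') return 'unspecified';
  if (PRIVATE_V4.some((re) => re.test(a))) return 'private-ipv4';
  if (/^f[cd][0-9a-f]{2}:/.test(a) || a.startsWith('fe80:') || a === '::1') {
    return 'private-ipv6';                            // ULA, link-local, loopback
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(a) || a.includes(':')) return 'public';
  return 'unknown';
}

// Audit a list of candidate lines and report what a page script could learn.
function auditCandidates(lines) {
  const privateExposed = new Set();
  const publicReflexive = new Set();
  let parsed = 0;
  let mdnsHosts = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;                 // skip non-candidate / malformed lines
    parsed += 1;
    // Both the candidate address and the srflx "raddr" can carry a private IP.
    for (const addr of [c.address, c.raddr].filter(Boolean)) {
      const cls = classifyAddress(addr);
      if (cls === 'private-ipv4' || cls === 'private-ipv6') privateExposed.add(addr);
      else if (cls === 'mdns') mdnsHosts += 1;
      else if (cls === 'public' && c.type === 'srflx') publicReflexive.add(addr);
    }
  }
  return {
    parsed,
    mdnsHosts,
    privateExposed: [...privateExposed].sort(),
    publicReflexive: [...publicReflexive].sort(),
    leaksPrivateIp: privateExposed.size > 0,
  };
}

// Constructed sample: a leaky browser (host candidates carry the LAN address,
// and the srflx candidate repeats it in raddr). 203.0.113.0/24 is a
// documentation range standing in for the public address.
const SAMPLE_LEAKY = [
  'a=candidate:842163049 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'a=candidate:842163049 2 udp 2122260222 192.168.1.23 51235 typ host generation 0',
  'a=candidate:1853887674 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
];

// Constructed sample: a hardened browser (mDNS host name, raddr zeroed),
// plus one malformed line to show that it is skipped.
const SAMPLE_HARDENED = [
  'a=candidate:842163049 1 udp 2122260223 3c2a9f1e-9b4d-4b55-8f3e-2f1c7d1a0b9c.local 51234 typ host generation 0',
  'a=candidate:1853887674 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 0.0.0.0 rport 0 generation 0',
  'this is not a candidate line',
];

// In a real browser the lines would come from RTCPeerConnection, e.g.
//   pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
// (not executed here, so the script also runs under Node).
console.log('leaky   :', auditCandidates(SAMPLE_LEAKY));
console.log('hardened:', auditCandidates(SAMPLE_HARDENED));
```

Run the audit in the browser console against candidates gathered via RTCPeerConnection to check your own profile: an empty privateExposed list with mdnsHosts greater than zero is what a hardened configuration should produce.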

Windows-based users should definitely consider learning to use the Advanced Tor Router application, which offers a diverse set of unique privacy-enhancing and privacy-preserving features while utilizing the Tor network, a free solution for end users interested in preserving the privacy of their Web browsing activities, including network-wide Tor adoption on a per-OS and per-application basis. What does this application offer in terms of unique privacy-preserving features? It offers a variety of Tor-network and end point privacy-enhancing features never presented or discussed before, ensuring that the end user remains properly protected from sophisticated network-based and client-based attack campaigns aiming to identify and expose their identity. Worth emphasizing is its unique set of privacy-oriented client-side features for a secure browsing experience.

Sample Screenshot of the Privacy-Preserving Browser-Based Advanced Tor Router features:

  • Anti-forensics - there was a time when users were primarily concerned with their browsing habits and use of online resources, which is where browsers that log nothing to the hard drive come into play. A possible solution here is the Sphere anti-forensics browser, which doesn't log anything on the hard drive and should be considered a decent anti-forensics solution for anyone interested.
  • VeraCrypt containers - a proper full-disk encryption solution should be considered in case the user wants to protect their information and intellectual property from physical attacks; this also includes the use of virtual desktops with built-in security and privacy mechanisms, such as Comodo Secure Desktop.
  • Application isolation - it should be clearly noted that a modern defense-in-depth strategy should include application sandboxing, which can prevent a huge number of client-side exploitation attempts and protect an end user from Web-based client-side exploits serving threats; Sandboxie, for instance, is a free solution that actually works and can prevent a huge number of Web-based threats.
  • Hardware-based isolation - a proper network-based strategy should include a basic hardware-isolation methodology, so that malicious attackers have a hard time penetrating and compromising the environment due to the additional level of hardware isolation.
  • Whitelisting - although this approach has been widely discussed throughout the years, it should be clearly noted that modern anti-malware solutions should also provide application whitelisting, where users whitelist only the basic applications they need to perform their activities and block the execution of everything else.
Sample tips for the purpose of ensuring a proper and secure installation of end-point security solutions include:
  • always password-protect your end point security software, and ensure that it can protect itself from being shut down
  • always ensure that manual updates take place rather than automatic updates, which leave a window of opportunity for network traffic correlation and for a rogue or bogus update to enter your network
  • ensure that you're not using the cloud-lookup feature for your Web browsing history or host-based application execution, which could lead to data and end point inventory correlation; this leaves you with a properly secured "stripped" security solution that protects your end point without the risk of exposing your Web browsing history or application inventory, which could otherwise lead to fingerprinting, inventory mapping and targeted attacks

What would be an appropriate choice of VPN provider, offering the necessary peace of mind in terms of network connectivity with privacy in mind, a no-logs policy and related value-added features, in today's Internet world of widespread surveillance and privacy violations by the U.S Intelligence Community and various other rogue actors, nation-states and cybercriminals in general? Keep reading.

The next logical step is to stay away from mainstream mobile devices, with security and privacy in mind, and to use a properly selected VPN provider for basic traffic obfuscation and end point network isolation. In this particular context the end user and the organization should look to a VPN provider that actually "mixes" legitimate, jurisdiction-aware public infrastructure with privacy-aware public or proprietary network technology, in this case VPN2Tor type technology.

Mainstream VPN provider as an entry point to a hardened, privacy-tailored network such as the Tor network - NordVPN is a highly recommended solution against "ABSOLINE EPILSON" type end point correlation-based targeting. What do I have in mind? The off-the-shelf commercial vendor is currently capable of offering VPN2Tor type access, a stealthy and commercially relevant solution that combines VPN functionality with access to the Tor network and offers a high degree of security and anonymity. This can be used to protect against "ABSOLINE EPILSON" type attacks in terms of traffic and geographical location deniability, limiting the data-correlation capabilities of U.S Intelligence Agencies.

A proprietary off-the-shelf VPN provider taking you a step further in preserving your online privacy by providing a unique set of no-logs, jurisdiction-aware encryption protocols and basic traffic-mixing tactics and strategies - Cryptohippie.

Want to find out more? Are you interested in a possible evaluation of your organization's Security Project or Security Product in terms of a Security Assessment or a possible OPSEC (Operational Security) based Privacy Features Evaluation? Interested in inviting me to speak at your event including possible sensitive and classified project involvement?

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!

Censoring Seductive Child Behaviour

December 08, 2006
define:seductive
define:unaware
define:immature
define:maturing

"Covert pedophilia in the Victorian society". Is that a good line, or is that a good line? Censorship as a matter of viewpoint - as of recently the Globe and Mail wants you to purchase the article, without realizing the click-through rates for both Doubleclick, serving the ads at their site, and themselves, if it were distributed for free; but anyway, I guess they should have told Google too:

"The Legards' central thesis is that the debate over children and sexual imagery has been dominated and distorted by two opposing myths: one is "the quasi-religious conception of childhood innocence," which involves "the irrational denial of childhood sexuality"; the other is "the ideology" of the artist as someone "possessing mystical abilities and unique rights" that should not be constrained by the state."

After thoughtcrime and intention-crime policing, it's about time behaviour-policing starts taking place, now wouldn't that be truly outrageous? Something no one is again going to do anything about, thinking he's either the only one seeing it, or perhaps prefers to keep playing in his own corner?

Anyway, discussions like these should only happen after the real problem, real child porn online, gets solved. And that won't happen by fighting the distribution channels, as they're too many to control and police, but by making sure the production stage never happens in the first place.

Another article on the topic: "Clothed Child Porn Online?". By the way, are you finally seduced now? A rocket scientist doesn't seem to be, throughout the "decade of dedicating downloading". Such a collection can now definitely act as a new digitally fingerprinted database to keep track of.

Big Brother in the Restroom

June 26, 2006
Yikes! This is nasty, and while the porn industry commercialized the idea a long time ago, I never imagined the levels of crime in public restrooms would "reach" levels requiring CCTVs to be installed -- if there's so much vandalism going on in public restrooms, these will definitely get stolen as well, picture the situation! Norway installs surveillance cameras in park restrooms.

Hint: once you get involved in the CCTV irony (I say irony mainly because the dude behind the 40 motion-detection and face-recognition wall has another CCTV behind his back), you end up spending taxpayers' money to cover "blind spots", and end up with a negative ROI while trying to achieve self-regulation, if that matters!

The Surveillance and Society journal still remains the most resourceful publication on surveillance studies and their impact on society.

Further reading and previous cases:
The Hidden Camera
Iowa Judge Says Hidden Restroom Camera Case Can Proceed to Trial

World's Internet Censorship Map

June 26, 2006
While it seems rather quiet on the Internet censorship front, media coverage of the topic is a cyclical buzz that reemerges with time.

Thankfully, initiatives such as OpenNet, and organizations such as Reporters Without Borders, never stop being society's true watchdogs when it comes to Internet censorship. ONI's neat visualization of the Internet filtering map is a great way of pinpointing key locations and providing further details through their in-depth reports; take a look for yourself!

Censorship is capable of running entire governments, maintaining historical political power, and mostly ruling by "excluding the middle". Recently, two of China's leading Internet portals were shut down, with maintenance issues acting as the excuse for improving their filtering capabilities. Reporters Without Borders conducted an outstanding analysis of the situation, coming to the conclusion "that the search engines of China’s two leading Internet portals, Sina and Sohu, after they were shut down from 19 to 21 June for what they described as a “technical upgrade” but which in fact was designed to improve the filtering of their search results."

What is Google up to? Making business compromises in order to harness the power of the growing Chinese Internet population. And while the Wall is cracking from within, the world is also taking action against the fact that there are currently 30 journalists behind bars in China.

Pocket Anonymity

May 11, 2006
While the threats posed by improper use of removable media will continue to make headlines, here's a company that's offering the complete all-in-one pocket anonymity solution -- at least that's how they position it. From the article:

"Last month, a company called Stealth Ideas Inc. of Woodland Hills, Calif., came out with its StealthSurfer II ID Protect. The miniature flash drive lets you surf anonymously from any computer using an integrated browser that runs in an encrypted mode. It comes loaded with several tools, including Anonymizer Anonymous Surfing 1.540 (which has IP masking), RoboForm Pass2Go 6.5.9 (a user ID/password management application) and Thunderbird 1.0.7 (for e-mail access). But before you buy, check to see if the company has upgraded its browser, which, according to company officials at the product’s launch, is Firefox 1.5.0.1. US-CERT and others have warned about significant vulnerabilities in certain versions of Firefox (and Thunderbird, for that matter). The version available as of press time, Version 1.5.0.2, addresses those flaws."

Is the Anonymizer behind the idea, or is it a middleman trying to add value to the Anonymizer's existing offer and harness the brand power of Firefox and Hushmail all in one? Wise, but the entire idea of anonymity here is based on the Anonymizer's service, when anonymity can still be freely achieved to a certain extent. Very portable idea; the thing is, there are already free alternatives when it comes to pocket anonymity, namely TorPark: Anonymous browsing on a USB drive, and I think I can live without the enhancements.

The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking

May 09, 2006
I've previously mentioned various privacy issues related to mobile devices, the growing trend of "asset tracking", and of course cell phone tracking. Yesterday I came across a great summary of the current situation -- privacy groups make a point of it. From the article:



"Real-time tracking of cell phones is possible because mobile phones are constantly sending data to cell towers, which allows incoming calls to be routed correctly. The towers record the strength of the signal along with the side of the tower the signal is coming from. This allows the phone's position to be easily triangulated to within a few hundred yards. But the legal grounds for obtaining a tracking order are murky -- not surprising since technology often outpaces legislation. The panel agreed that Congress should write rules governing what level of suspicion cops need to have before tracking people through their cell phones."



On the other hand, the industry itself is commercializing the service; if the government were to start using practices like these with grey-area subpoenas, it would undermine customers' trust in the industry, and Big Brother would get even bigger. Enthusiasts are already experimenting with DIY cell phone tracking, so if you worry about being tracked through your phone, you should also worry about the extra one in your bag. Physical insecurities such as digital forensics on cell phones, and even countermeasures on offer, are today's reality, while flexible lawful wiretapping is still happening one way or another. I guess the NSA got all the attention recently with its domestic spying program.



As Mindmaker pointed out, we must assume that we are trackable wherever we go, and I think this dependence will be abused even more by the time the proposed laws catch up with the technology.
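The quoted article says the position is recovered from the signal strength and the tower sector each site reports. The following is an added example, not code from the original post or from any carrier: it turns per-tower signal strength into range estimates with a log-distance path-loss model, solves the resulting circle intersection by least squares, and uses the reported sector as a sanity check on the fix. Tower coordinates, sector azimuths, the path-loss constants and the handset position are all constructed for the demo, and the few-dB "measurement errors" are likewise made up, to show why the result is "within a few hundred yards" rather than exact.

```python
"""Locate a handset from the signal strength and sector that several
towers report, the mechanism the quoted article describes.

Added example, not from the original post. Tower coordinates, sector
azimuths, path-loss parameters and the handset position are constructed
for the demo (assumptions), not real network data.
"""
import math

# Log-distance path-loss model: RSSI(d) = P0 - 10 * n * log10(d / D0).
# The constants are assumed values in the range used for urban macro cells.
P0 = -40.0    # dBm at the reference distance D0
D0 = 1.0      # metres
N_EXP = 3.0   # path-loss exponent

# Constructed towers: position (x, y) in metres, sector azimuth and
# beamwidth in degrees, azimuth measured clockwise from north.
TOWERS = [
    {"pos": (0.0, 0.0),    "azimuth": 30.0,  "beamwidth": 120.0},
    {"pos": (1000.0, 0.0), "azimuth": 300.0, "beamwidth": 120.0},
    {"pos": (0.0, 1000.0), "azimuth": 150.0, "beamwidth": 120.0},
]
HANDSET = (300.0, 400.0)  # constructed ground truth used to synthesise RSSI


def rssi_from_distance(d):
    """Forward path-loss model: range in metres -> RSSI in dBm."""
    return P0 - 10.0 * N_EXP * math.log10(max(d, D0) / D0)


def distance_from_rssi(rssi):
    """Invert the path-loss model: RSSI in dBm -> range estimate in metres."""
    return D0 * 10.0 ** ((P0 - rssi) / (10.0 * N_EXP))


def bearing_deg(origin, point):
    """Compass bearing from origin to point, clockwise from north."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0


def in_sector(tower, point):
    """Does the point lie inside the sector that reported the signal?"""
    diff = (bearing_deg(tower["pos"], point) - tower["azimuth"] + 180.0) % 360.0 - 180.0
    return abs(diff) <= tower["beamwidth"] / 2.0


def trilaterate(points, ranges):
    """Least-squares position from >= 3 (x, y) anchors and their ranges.
    Subtracting the first circle equation from the others linearises the
    system to A p = b; the 2x2 normal equations are solved directly."""
    (x1, y1), r1 = points[0], ranges[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), ri in zip(points[1:], ranges[1:]):
        ax, ay = 2.0 * (xi - x1), 2.0 * (yi - y1)
        bi = r1 ** 2 - ri ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * bi
        b2 += ay * bi
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear: position not determined")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate(towers, rssis):
    """Position fix from per-tower RSSI, plus a sector-consistency flag:
    a fix that falls outside a reporting sector is suspect."""
    ranges = [distance_from_rssi(r) for r in rssis]
    fix = trilaterate([t["pos"] for t in towers], ranges)
    consistent = all(in_sector(t, fix) for t in towers)
    return fix, consistent


def synthesize_rssi(towers, handset, errors_db=None):
    """RSSI each tower would report for the handset, with an optional
    per-tower error in dB (constructed, not measured)."""
    errors_db = errors_db or [0.0] * len(towers)
    return [rssi_from_distance(math.dist(t["pos"], handset)) + e
            for t, e in zip(towers, errors_db)]


def fix_error_m(towers, handset, errors_db=None):
    """Metres between the true handset position and the computed fix."""
    fix, _ = locate(towers, synthesize_rssi(towers, handset, errors_db))
    return math.dist(fix, handset)


if __name__ == "__main__":
    clean = fix_error_m(TOWERS, HANDSET)
    noisy = fix_error_m(TOWERS, HANDSET, [2.0, -3.0, 1.0])
    print(f"error with exact RSSI: {clean:.1f} m; with a few dB of error: {noisy:.0f} m")
```

With exactly three towers the linearised system is square and the fix reproduces the constructed position; with more towers the same code gives the least-squares solution. The noisy run shows the practical limit: a few dB of error in each reading moves the fix by a couple of hundred metres, which is why the sector check is worth keeping as a plausibility filter rather than relying on ranges alone.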

April's Security Streams

May 02, 2006
Hi folks, it's about time to quickly summarize April's Security Streams. As of today, my blog is officially six months old, and the feeling of witnessing change and improvement has always been a pleasant one. Blogging "my way" takes a lot of time: posts that go beyond "preaching" and emphasize "teaching", a little investigative research, full disclosure, and constructive key points on emerging or possible future trends in infosec. Thanks for everyone's feedback, and for actually reading the posts rather than just skimming them, judging by the average visitor's time on site!



1. "Wanna get yourself a portable Enigma encryption machine?" Already sold, but it was auctioned on eBay; it's remarkable that the seller managed to preserve an original Enigma in such condition, and the bids reflected it!



2. "The "threat" by Google Earth has just vanished in the air" Coming across Microsoft's Windows Live Local Street-Side Drive-by provoked contradictory thoughts, so I decided to sum up recent ideas on the issue. The use of public satellite imagery for conducting OSINT is inevitable, while on the other hand the providers are simply making the world a smaller place. It is also questionable whether potential terrorists are "abroad" or within the countries themselves, that is, already knowing each and every corner of a possible "attack location", but with the ability to syndicate and share maps it would be naive not to think that the way you chat, they also do, and the way you plan activities while "zooming out", they also do. At the bottom line, snooping from above might actually have more to do with self-confidence than anything else. Have an opinion? Feel free to comment on the topic.



3. "Insider fined $870" Virtual worlds are emerging, and so are techniques to steal someone's sword, be it through insiders, phishing, or trojan horse attacks. What's important to keep in mind when it comes to insiders is that on the majority of occasions you are never aware that a potential breach is under way, and moreover, that the quantitative losses due to insiders are based entirely on a company's sales projections, rather than on successfully (if one can) measuring the value of intellectual property.



4. "Securing political investments through censorship" We constantly talk about how the Internet is changing our daily lives and our attitudes, and giving us the opportunity to tap into the biggest think-tank in the world, on the majority of occasions for free. Internet censorship is still a very active practice by well-known regimes, and this post tried to emphasize the current situation: securing political investments through censorship.



5. "Heading in the opposite direction" Companies and financial institutions are the most frequent targets of phishing attacks, and it's getting hard for them both to convince their users and society that they're working on fighting the problem, and, most importantly, to work out where the real problem is and how to fight it. In this post I try to emphasize that building bank-to-customer communications over a broken channel, e-mail, is the worst possible strategy you could start executing. The irony here is that both phishers and the bank in question may sometimes be using images stored on the bank's own server.



6. "'IM me' a strike order" It's a common myth that the military has come up with an über-secret and secure communications network, going beyond the Internet. While such networks exist, they all suffer the same weaknesses: lack of usability, and budget deficits compared to IP-based communications, that is, the Internet. The post goes through research surveys on IM in the military, and tries to raise awareness of how age-old IM threats can easily exploit military IM communications as well.



7. "Catching up on how to lawfully intercept in the digital era" On a daily basis we discuss security breaches, threats and privacy violations, while constantly missing the fact that there's a practice called lawful interception; namely, even if the NSA's domestic spying program got so much attention and concern, it doesn't mean they aren't going to keep themselves up to date with what is going on wherever OSINT, SIGINT and HUMINT are applicable. The bottom line is that the person behind a CCTV camera network is also under surveillance, so I advise you to go through a very good resource on the topic, the Surveillance and Society Journal.



8. "On the Insecurities of the Internet" IP spoofing by default, DNS and BGP abuses, and Distributed Reflection Denial of Service attacks are among the ones worth mentioning, while perhaps the biggest insecurity lies in the fact that the Internet we're all striving to adapt for e-commerce and e-business was developed as a scientific network, one we got used to very fast.



9. "Distributed cracking of a utopian mystery code" Continuing the "distributed concepts" series of posts, this one deals with virtual worlds, and a wise idea on how to keep the players coming back for more: let them brute-force the next part of the puzzle.



10. "Fighting Internet's email junk through licensing" China's Internet population is about to surpass the U.S. one and will continue to grow, resulting in China becoming the "novice" king of insecure networks. Trying to centrally control spam, so that you can control the flow of traffic going out of and coming into the country, is a typical but weak approach that could have worked years ago, as no one needs a mail server to generate spam or phishing attacks these days. As for their concern about users learning more about infosec, in China a cyber dissident is a heroic potential hacker, one who can easily bypass the Great Firewall and spread the word on how it can be done. As a matter of fact, PBS did an outstanding job in its Tank Man episode, and while many took the Chinese students' reaction as an inability to recognize the infamous photo, what they were actually afraid of was showing a facial gesture indicating that they did recognize it, as of course they did.



11. "Would somebody please buy this Titan 1 ICBM Missile Base?" I think the buyer of this base should have thought harder about what he's buying, or, let's just say, how on Earth was he expecting to break even given he missed the post-Cold War momentum itself? It's indeed a once-in-a-lifetime purchase that you would think twice before passing up, and so I hope the auction continues to attract visitors the way it is; chasing high profit margins once the momentum is lost is a "lost cause" by itself.



12. "Spotting valuable investments in the information security market" An in-depth post on current market and vendor trends, as well as more info on the now fully realized acquisition of SiteAdvisor by McAfee, something I blogged about in January. It's great to know that both parties came across the posts themselves, and to witness how a startup with such wide-scale community power, still backed by technology, got acquired so easily. What the acquirer must now ensure is that it doesn't cannibalize the culture at SiteAdvisor; an "every day is a startup day for us" attitude is a permanent generator of creativity.



13. "Digital forensics - efficient data acquisition devices" A resourceful post on the release of the CellDEK (no, it's not a portable DJ deck), an acquisition device recognizing over 160 cell phone models and capable of acquiring data from numerous devices simultaneously. Cyber crime investigation is all about quality forensics, whereas differing legislation and approaches for gathering and coordinating such data across various countries remain a problem.



14. "The anti virus industry's panacea - a virus recovery button" Try to get this on the Super Bowl and watch a generation fall for the lack of complexity in this "solution". Gratefully, I got many comments from readers cheering the mention and agreeing how useless the button is at the bottom line.



15. "Why's that radar screen not blinking over there?" Quite a few sites picked up the story, yet we can always question it, and then again, so what? In a crucial situation a scenario like this could prove invaluable for the final outcome, but right now it's just a PR activity from the other side of the camp. Symmetric warfare is a tangible defensive/offensive concept, whereas asymmetric warfare is fully capable of balancing powers, to a certain extent, as no matter how much NCW you put on the ground, you would still need "tangible" forces at the finish line.



16. "25 ways to distinguish yourself -- and be happy?" A little self-esteem is never too much, and that's what this series can help you with.



17. "Wild Wild Underground" An in-depth summary of some findings I intended to post for quite some time, but didn't have the time to. If you take some time to think it over, you will hopefully realize that a guy like this is capable of recruiting people who actually come up with their own algorithms, against their will in one way or another. Moreover, responding to comments I received: of course I did report the links, which are now down, as well as some of the forum posts I managed to dig up. Ryan1918 is rather active, though.



18. "In between the lines of personal and sensitive information" Government reclassification of documents isn't the most pragmatic approach, as these have already been online once, therefore someone out there still keeps a copy, and is now more motivated than ever to disseminate it given that someone is trying to censor it. I feel that a common classification structure for the different types of information, formal training for those dealing with that type of info, and risk management practices that assume humans are not to be trusted (are computers?) are a way to mitigate these risks. Try to censor something and you end up making it even more popular than it would have been without the censorship; just a thought.



19. "DIY Marketing Culture" Personalization and customization are emerging by default, and so is viral marketing. In this post I mention the possibility of getting your own custom MMs, and Firefox's FireFlicks initiative.



20. "A comparison of US and European Privacy Practices" You can rarely come across an infosec survey with well-formulated questions, which are the basis of a quality one. I think this company did a very good job of formulating and summarizing the outcome on a very trendy topic.



Updated to add the averages for each month since I started tracking my readers; it looks nice, and in case you're interested you can also go through the summaries of previous months.

A comparison of US and European Privacy Practices

April 27, 2006
A new study on "US and European Corporate Privacy Practices" was released two days ago, and as I constantly monitor the topic, knowing the EU's stricter laws on information sharing and privacy violations compared to the U.S., I thought you might find this useful. To sum up the findings:



"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice.

Still at the "sharing sensitive information is bad" promotional stage, I feel; the research reasonably points out the lack of a systematic technical approach. Bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of development, I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices, slowly but steadily gaining ground.



"But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice." That is, structured implementation on a technical level: people auditing networks and being held accountable for not doing so, and privacy policies by default. A little something from the Safe Harbor framework brings more insight:



"The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin."



Of course there are differences, and there should always be, as they provoke constructive discussion, but among the many well-developed survey questions, some made a quick impression on me:



"Is there a process for communicating the privacy policy to all customers and consumers?" Europe 33%, United States 69%
"Is privacy training mandatory for key employees (those who handle, manage or control personal information)?" Europe 22%, United States 62%
"Do you use technologies to prevent unauthorized or illegal movement or transfer of data or documents?" Europe 17%, United States 45%
"Will the company notify individuals when their personal information is lost or stolen?" Europe 33%, United States 62%



Perimeter-based defenses naturally dominate the perception of being secure; still, I feel that the growing infosec market and IT infrastructures in both the U.S. and Europe will continue to fuel the growth of new technologies and also result in more informed decision makers. At the bottom line it's always about a common goal and better information sharing.

Catching up on how to lawfully intercept in the digital era

April 12, 2006
In one of my previous posts, "A top level espionage case in Greece", I blogged about two cases of unlawful interception: good old espionage practices in a modern environment. What's also worth mentioning is the rush for lawful interception in the post-9/11 world, where free spirits get detained for singing or being nerds, activities you can hardly data-mine at the bottom line, and then again, so what?


Last month, Australia extended its phone-tap laws to e-mails and SMS. OMG, good morning Vietnam. An excerpt from the news item:



"Australia has passed new laws that would allow police to intercept phone calls, e-mails, and text messages of people who are just suspected of a crime. Attorney-General Philip Ruddock says the new laws account for challenges posed by technology; in December 2005, Middle Eastern and white supremacist youth used SMS messages to coordinate during race riots. However, civil liberties groups warn that the laws could allow police to target the privileged conversations of lawyers and journalists or to target innocent people for investigation. Australia has been tightening security laws since the September 11, 2001, terrorist attacks in the US."



Whether for compliance or as a new revenue source from a telecom/network giant's point of view, lawful interception has always been happening. A single vendor's box can easily monitor over 30,000 DSL connections, and while the remaining problems are processing power and decentralized/encrypted communications, steganography as a concept has always been the biggest downside of any interception approach from my point of view.



At the bottom line it would eventually provide the ECHELON community with more information to take hold of, whereas retaining it, or trying to data-mine it, still remains an abstract concept whose only justification has been the controversial Able Danger scenario. It is my opinion that erasing terabytes of intelligence information on a terrorist group is a pure science-fiction scenario, the same way there's a desperate need for a clear ROI on CCTV cameras.



Don't over-empower the watchers for the sake of your Security, or you'll end up with a false feeling of it.



More resources on surveillance and lawful interception worth going through are:

International Campaign Against Mass Surveillance
Development of surveillance technology and risk of abuse of economic information
Legal Analysis of the NSA Domestic Surveillance Program
Wiretapping, FISA, and the NSA
Can the government track your cell phone's location without probable cause?
Attack Detection Methods for All-Optical Networks
2006 = 1984?
Privacy issues related to mobile and wireless Internet access
Lawful Interception of the Internet
Using MAC Addresses in the Lawful Interception of IP Traffic
Open Source Intelligence (OSINT)
Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies
What is Project ECHELON?
Surveillance and Society Journal
Cybercrime in New Network Ecosystem: vulnerabilities and new forensic capabilities
Strategies for Lawful Intercept
Summary - Lawful Interception plugtest
Whistle-Blower Outs NSA Spy Room




Securing political investments through censorship

April 05, 2006
I try to blog extensively on various privacy and Internet censorship issues affecting different parts of the world, or to comment on the big picture the way I see it.



Spending millions on political campaigns (6 million euro here, and I guess you also wouldn't let someone spread the word on whether the cover is fancy enough for a vote or not) to directly or indirectly influence the outcome of an election is a common practice these days. Trying to build a wall around a government's practices, however, is like having a tidal wave of comments smashing it. I recently came across the following article:



"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."



I'm so not into politics, and try not to be, but threatening commentary with prosecution and registering users, without first "introducing yourself" ("During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds."), isn't the smartest long-term political strategy ever, don't you think?



More resources on the state of censorship in Singapore worth checking out are:

Internet Filtering in Singapore in 2004- 2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore




What search engines know, or may find out about us?

February 03, 2006
Today, CNET's staff did an outstanding job of finding out what the major search companies retain about their users. AOL, Google, Microsoft and Yahoo! respond to very well researched questions!

Whatever you do, just don't sacrifice innovation and trust in the current services for misjudged requests in the first place, from my point of view.

At the bottom line, differentiate your private searches from your personally identifiable searches, consider visiting Root.net, and control your clickstream. You can also go through Eric Goldman's comments on the issue and his open letter regarding search engines and China.

As a matter of fact, I have just come across a very disturbing fact that I compare with initiatives to mine blogs for marketing research; EPIC has the details on its front page. It was about time a private entity came up with the idea, given its potential and usability. Could such a concept spot, or actually seek out, cyber dissidents in restrictive regimes with the idea of actually reaching them, besides mining for extremists' data? I really hope so!

January's Security Streams

January 31, 2006
It's been quite a busy month; still, I've managed to keep my blog up to date with over 30 posts during January, and here they are with short summaries. Thanks for the comments, folks!

I often get the question of how many people my blog is attracting. The answer is that quantity doesn't matter, but the quality of the visits does; still, for January there were 7,562 unique visits and over 13,000 page loads. I'm already counting over 400 .mil subdomains, have the majority of security/AV vendors (hi!) reading it, and the best part is how long they spend on average and how often they come back. To sum up, 60% of all visits come from direct bookmarks of my blog, 30% through referrers, and 10% from search engines. It is also worth mentioning my last referring link; notice the domain and what they are interested in.

1. "What's the potential of the IM security market? Symantec thinks big" gives a brief overview of the wise acquisition Symantec made and a little something about the IM security market.

2. "Keep your friends close, your intelligence buddies closer!" mentions the release of a book excerpt and provides further resources on various NSA and intelligence related topics.

3. "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" is Google Earth or satellite imagery a national security threat? At least the Russian FSB thinks so!

4. "How to secure the Internet" discusses the U.S National Strategy to Secure Cyberspace and some thoughts on the topic

5. "Malware - Future Trends" the original announcement for the release of my research

6. "Watch out your Wallets!" gives more info on ID theft and talks about a case that left a 22-year-old student $412,000 in debt.

7. "Would we ever witness the end of plain text communications?" a released report on the growth of VPNs prompted me to open up the topic; recently, Yahoo! started communicating over SSL by default, which is great progress from my point of view.

8. "Why we cannot measure the real cost of cybercrime?" an in-depth summary of my thoughts on why we cannot measure the real cost of cybercrime, and why I doubt the costs outpace those due to drug smuggling

9. "The never-ending 'cookie debate'" tries to emphasize how the Cookie Monster should worry about cookies only, and what else to keep in mind concerning further techniques that somehow invade your privacy.

10. "The hidden internet economy" here I argue what total e-commerce revenues would be if those afraid to purchase over the Internet actually started doing so.

11. "Security threats to consider when doing E-Banking" provides a link to practical research conducted by a dude I happen to know :)

12. "Insecure Irony" is indeed an ironic event, namely how a private enterprise, one used to gathering intelligence, actually lost sensitive info belonging to the Intelligence Community.

13. "Future Trends of Malware" the post mentioning my Slashdotted research and the rest of the people and respected sites that recognized it

14. "To report, or not to report?" how can you measure costs when the majority of companies aren't even reporting the breaches, cannot define a breach, or think certain breaches don't require law enforcement intervention?

15. "Anonymity or Privacy on the Internet?" argues on what exactly different individuals are trying to achieve, is it Anonymity, is it Privacy and provides further resources on the topic

16. "What are botnet herds up to?" gives a brief overview of recent botnet herders' activities and the ways they increase revenue through affiliate networks or domaining. It also provides good resources on the topic of bots and botnets.

17. "China - the biggest black spot on the Internet’s map" a very recent and resourceful overview of Internet Censorship in China, that also provides further resources on the topic

18. "FBI's 2005 Computer Crime Survey - what's to consider?" one day after the release of the FBI's survey I summarized the key points to keep in mind

19. "Why relying on virus signatures simply doesn't work anymore?" a very practical post that argues, and tries to build more awareness of, how the number of signatures a vendor detects doesn't actually matter; still, there are other solutions that will get more attention with time. I received a lot of feedback on this, both from vendors and from folks I met through my blog; thanks for the ideas!

20. "2006 = 1984?" gives more details on private sector companies innovating in the wrong field, and further resources on censorship and surveillance practices

21. "Cyberterrorism - recent developments" an extended overview of Cyberterrorism, and a lot of facts worth mentioning obtained through a recently released report on the topic

22. "Still worry about your search history and BigBrother?" Some humor, be it even a black one is always useful

23. "Homebrew Hacking, bring your Nintendo DS!" Homebrew hacking is slowly emerging and I see a lot of potential in the "do it yourself culture"

24. "Visualization, Intelligence and the Starlight project" a post worth checkin' out, it provides an overview of various visualization technologies and talks about the Starlight project

25. "The Feds, Google, MSN's reaction, and how you got "bigbrothered"?" I'm not coining new terms here; "bigbrothered" is slowly starting to be used by pretty much everyone, yet I try to give practical tips on why the whole idea was wrong from the very beginning, and how other distribution vectors should also be considered.

26. "Personal Data Security Breaches - 2000/2005" I came across a great report summarizing the issue, and tried to highlight the cases worth mentioning, some are funny, others are unacceptable

27. "Skype to control botnets?!" good that someone is brainstorming, but that's rather impractical compared to the common-sense approaches botnet herders currently use.

28. "Security Interviews 2004/2005 - Part 1" Grab a beer and start going through this great contribution, soon to appear at Astalavista itself!

29. "Security Interviews 2004/2005 - Part 2" Part 2

30. "Security Interviews 2004/2005 - Part 3" and Part 3

31. "Twisted Reality" Everything is not always as it seems, and it's Google I have in mind :(

32. "How we all get 0wn3d by Nature at the bottom line?" :)

33. "Was the WMF vulnerability purchased/sold for $4000?!" one of the few vendors I actually trust released a nice summary that no one seems to be taking into consideration; still, I find it truly realistic given the potential of the 0day market for software vulnerabilities.

Till next month, and thanks to all readers for taking their time to go through my research and contributions!
