Category Archives: Law Enforcement

Clean out your contact lists

I recently watched Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.

Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one-thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of my services where I keep many contacts, I don’t want people getting Joe Job and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents itself as a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit. Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Prism, XKeyscore, and International Business

Disclaimer: I do not have, nor have I ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector.  Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent.  Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information.  With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information.  Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: headline article in Puget Sound Business Journal echoes my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html

Cloud service providers and the U.S. PATRIOT Act

The U.S. PATRIOT Act has a lot of non-U.S. companies wondering whether it is a sound practice to store data in a U.S. based cloud services organization. The concern is this: the cloud services provider may be obligated to turn over stored data on receipt of a National Security Letter, which is essentially a subpoena with a gag order.

But what if the customer is the legal owner of the data, and not the cloud services provider?

If legal contracts between the cloud services provider and its customers define customers as the owner of stored data, what happens when the cloud services provider receives a National Security Letter asking for that data? Can the provider say, “sorry – this is not our data, you need to ask the owner for it”?

I could see this going both ways.  Using the precedent of wiretapping, the law enforcement agency issuing the subpoena might argue that data ownership is irrelevant.

* * *

While we’re on the topic of PATRIOT… I often wonder about non-U.S. companies’ concern about it. Rationale I sometimes hear is that storing data in the U.S. is riskier because of PATRIOT.

Let me assert this: in the interest of national security, any nation’s law enforcement or intelligence agencies are going to search and seize data as needed, whether there are laws on the books or not. The fact that the U.S. has its PATRIOT Act only means that the U.S. is being more transparent about a practice that we all know is pervasive around the world. Taking this argument further, you could argue that storing data in the U.S. is safer, because at least the U.S. has laws governing the use of search and seizure in the name of national security. In countries without such laws, what will limit the reach of law enforcement and intelligence agencies?

* * *

Finally, I want to say that I am not expressing an opinion about PATRIOT – whether I agree with it or not. It is simply a fact to be dealt with.

* * *

References:

The Patriot Act and your data: Should you ask cloud providers about protection? – InfoWorld article, January 2012.

Patriot Act Threatens American Cloud Computing – Wall Street Cheat Sheet, January 2012.

TSA learns redaction lesson the hard way…

…and we will all pay for it. Today it has been made public that the TSA’s detailed airport security procedures manual has been posted to the Internet. The TSA was putting out some services to bid, and posted what they believed to be a redacted version of the document. Well it turns out that the redaction technique they chose was ineffective.

Now that everyone can see TSA’s airport screening procedures in detail, they will have to resort to more pat-downs, wand scans, and body scans. Procedures for identifying CIA, air marshals, and law enforcement personnel may need to change as well.

Some of the details revealed in the procedures include:

  • The size of wires that can pass through magnetometers without setting alarms
  • Procedures used for screening liquids
  • Items that do not require extra screening such as wheelchairs and casts
  • Procedures for verifying the identity of CIA, NSA, air marshals, and other law enforcement personnel

See my earlier posting on redaction here.

Proper redaction of sensitive data in electronic documents is more than just covering up sensitive words and images. Instead, sensitive information is actually removed and replaced with solid black, so that the redacted text or images are not merely “underneath” it. I suspect that the NSA merely “covered” sensitive items without actually removing them from documents.
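A pre-publication check for the failure described above, added here as an illustration (not code from the original post): it walks a simplified, uncompressed PDF content stream and reports text that a later filled rectangle merely covers. The sample streams are constructed, and only the `Td`, `Tj`, `re` and fill operators are modelled; real files need a full PDF parser.

```python
import re

# Tokens of a PDF content stream: literal strings "( ... )" or bare words.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUMBER = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)$")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}   # operators that paint a path
DISCARD_PATH_OPS = {"n", "S", "s"}                  # path ended without a fill

# Constructed sample: a black box is drawn over the second line, but the
# text-showing operator for that line is still in the stream.
COVERED = """
BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
BT /F1 12 Tf 72 680 Td (SAMPLE sensitive line) Tj ET
0 0 0 rg
70 676 300 16 re f
"""

# Constructed sample: the sensitive text was removed, only the box remains.
REDACTED = """
BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
0 0 0 rg
70 676 300 16 re f
"""


def find_covered_text(stream):
    """Return strings whose text origin lies under a rectangle filled later.

    Simplified model: positions come from Td offsets inside each BT..ET
    block; transformation matrices (cm, Tm) and fonts are ignored.
    """
    operands, texts, rects, pending = [], [], [], []
    x = y = 0.0
    for order, tok in enumerate(TOKEN.findall(stream)):
        # Strings, names and numbers are operands; anything else is an operator.
        if tok[0] in "(/" or NUMBER.match(tok):
            operands.append(tok)
            continue
        if tok == "BT":
            x = y = 0.0
        elif tok == "Td" and len(operands) >= 2:
            x += float(operands[-2])
            y += float(operands[-1])
        elif tok == "Tj" and operands and operands[-1].startswith("("):
            texts.append((order, x, y, operands[-1][1:-1]))
        elif tok == "re" and len(operands) >= 4:
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in FILL_OPS:
            rects += [(order, *r) for r in pending]
            pending = []
        elif tok in DISCARD_PATH_OPS:
            pending = []
        operands = []
    # Text is "covered" when a rectangle painted after it contains its origin.
    return [
        s for (t_order, tx, ty, s) in texts
        if any(r_order > t_order and rx <= tx <= rx + w and ry <= ty <= ry + h
               for (r_order, rx, ry, w, h) in rects)
    ]


if __name__ == "__main__":
    print("covered stream :", find_covered_text(COVERED))
    print("redacted stream:", find_covered_text(REDACTED))
```

Any string the function returns is still extractable by copy-and-paste or a text dump, so the document is not ready to publish.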

News stories here:

CNN

Yahoo News

Washington Post

New York Times

Rest in peace: officers Renninger, Griswold, Owens and Richards

Update 12/12/2010: Donate to Lakewood Police Independent Guild to benefit the families of the four slain officers

Today, four Lakewood WA police officers were assassinated in cold blood while conducting police business in a local coffee house. This happened very close to where I live, less than a month after a Seattle police officer was gunned down.

In my work I collaborate with and support law enforcement. I appreciate what they do for us.

These four officers leave nine children behind. This aspect makes this especially tragic.

References:

Tacoma News Tribune

Seattle Times

Published authors: stop the illegal file sharing hemorrhaging

Recently I was made aware of a file sharing site that reportedly had digital copies of published books, as well as music and other copyright content.  I had a look for myself, and found this to be true.

The site, 4shared.com, has thousands – maybe tens of thousands – of copyrighted books, music, and other content, freely online and available for anyone who wants to browse the site and download content.

Readers: it is illegal to post copyright content in any form online, unless you are the legal owner of the content or have written permission from the owner.  It is against the law.  Do not be deceived by the lure of free content.

Professionals: if you are found to be in possession of illegally copied protected content, you may be in jeopardy of losing your professional licenses or certifications.  You can also be sued by the copyright owner.

4shared.com will remove content on request.  It is necessary to state, in detail, who the owner of each item is, and why it should be removed.  Digital copies of many of my books were on the site, and I filed removal requests for each.  Yes, it was time consuming.  To request illegal content be removed, send an e-mail (with the full URL of the offending item(s)) to abuse@4shared.com, or visit http://www.4shared.com/contact.jsp , click on the “Copyrighted Materials” link, and complete the short form there.

The extent of illegal content on 4shared.com is appalling – it is a cesspool of illegal content. A quick search showed that almost one-thousand “For Dummies” titles were on the site.

FBI mystery man identified

The Federal Bureau of Investigation has allegedly identified the “mystery man” who has as many as 32 aliases. He is identified as Scott Andrew Shain.

Articles:

John Doe identified as Boston man

Six new photos of FBI’s Seattle mystery man

Fake fingerprints, multiple aliases, in FBI custody; name=??

Six new photos of FBI’s Seattle mystery man

The FBI has released several more photos of the career identity thief but they still don’t know who he is. The FBI is asking anyone who knows this person to call them at 206-622-0460.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

Seattle Times article: Mastermind or troubled mind?

Fake fingerprints, multiple aliases, in FBI custody; name=??

The FBI has taken a career identity thief into custody in Seattle. Problem is, they have no idea who it is.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

More on this FBI web site (now a dead link)

Update: Six new photos released

Stories:

Seattle Times

KOMO TV Seattle

Seattle Post-Intelligencer

InfraGard like Neighborhood Watch

Copy of a comment made on another blog that demonstrated a deep distrust for InfraGard and all national and local law enforcement…

David, your comments seem to indicate that you are distrustful of InfraGard. I want to challenge your distrust and suggest that you join InfraGard and find out for yourself that your fears are unfounded. We are all ordinary people – the only thing that makes us different is that we recognize the fact that we need to learn more about how to protect our citizens and assets.

We are not a ‘secret organization’. We do not have security clearances, and InfraGard membership does not grant us any such clearance. A good way to describe InfraGard is to liken it to a “Neighborhood Watch”, but instead of being aligned with neighborhoods we are aligned with industries. And like neighborhood watch, InfraGard members are equipped with knowledge on how to better deter, recognize, and report criminal activity. InfraGard helps the financial, agriculture, public utilities, telecommunications, transportation, chemical, and other industries with critical asset protection. These are the core industries that our nation depends on every day.

What it really comes down to is this: do you want criminal activity curbed, or not? Or perhaps you would prefer to live in a society without law enforcement at all – your blog suggests a deep distrust and disregard for all levels of law enforcement. Do you not recognize that, imperfect as it is, law enforcement protects your own liberties?

As to InfraGard’s Code of Ethics – my including it in my blog does not reassure myself, as I have a well-formed and clean conscience with regards to my professional conduct. I do not need the reassurance. It’s posted as an educational tool for others who are considering a career in information and business security. In this profession we are held to a high standard of professional conduct – higher than those of our peers, in the context of protecting our employers’ and country’s citizens and assets.

Todd’s position at King County Health does not give the FBI “access” to public medical information – the FBI, like any other law enforcement agency, must obtain a subpoena to access protected information.

I spoke with Nolan and Jeff – they are puzzled as to why you label them as InfraGard “recruiters”. They are ordinary members like the rest of us. All of us recognize InfraGard’s good works and benefits of membership (access to sensitive non-public (but not classified) information, training in the protection of our country’s critical infrastructure, networking with other members), and as such we frequently encourage our colleagues and acquaintances to join. InfraGard is just like a good Neighborhood Watch – most participants immediately recognize the benefits and encourage other neighbors to join.

InfraGard’s work benefits all citizens – so instead of sitting on the sidelines and criticizing what you don’t understand, why don’t you join us. We and your neighbors could use your help.

Join InfraGard to boost your security knowledge and contacts

Critical infrastructure doesn’t just mean information systems. It includes many industries vital to national interests including energy, telecommunications, financial institutions, chemical, agriculture, and many more.

We need to protect our vital assets, but how to begin? In the U.S., join your local InfraGard chapter. InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.

Joining InfraGard is good for your career, by helping you network with other professionals in your industry, and through knowledge gained in meetings and training events.

Joining InfraGard is good for your organization, when you learn how to better protect your organization’s assets.

Joining InfraGard is easy – go to www.infragard.org and download the membership application. You must pass a records check and be a U.S. citizen.

More information:

InfraGard Members Alliance

Wikipedia article

Law enforcement unable to perform lawful wiretaps of Skype calls

Skype uses robust encryption that protects its Internet-based phone calls from eavesdroppers. The problem is, if you’re law enforcement and need to conduct a lawful wiretap on a Skype account, you’re out of luck.

Skype’s encryption is end-to-end, and its design includes no provision for a lawful wiretap such as those that are routinely conducted over cellular and landline based phones.

There is no question in my mind that Skype’s encryption is robust. Here is an excellent cryptanalysis (PDF) of the Skype service that was performed by Tom Berson of Anagram Laboratories.

Recent article: Internet Telephone Encryption Stumps German Police

Most Americans favor increased surveillance

A recent ABC News poll shows that seventy-one percent of Americans are in favor of increased video surveillance in cities as an anti-crime measure.

London’s “Ring of Steel” surveillance system is the model for U.S. cities that are considering similar systems, including New York, Chicago, and Baltimore.

Poll results here:

http://abcnews.go.com/images/US/1041a5Surveillance.pdf

More articles:

http://abcnews.go.com/US/story?id=3422372

New York City plans “ring of steel”:

http://www.newsfactor.com/story.xhtml?story_id=0210025GT3LF

Border patrol checking Seattle island ferry runs for dirty bombs:

http://seattletimes.nwsource.com/html/dannywestneat/2004300343_danny23.html

Q&A on FBI’s CIPAV

Great Computerworld article on CIPAV. And there’s more to come: Computerworld filed a FOIA (USDOJ site here) request to get more information.

Questions answered include:

  • What is CIPAV?
  • What does CIPAV do?
  • What happens to the data the CIPAV collects?
  • Does the CIPAV capture keystrokes?
  • Can the CIPAV spread on its own to other computers, either purposefully or by accident?
  • Does CIPAV erase itself after its job is done?
  • Does the FBI have just one stock CIPAV model?
  • How did the CIPAV get onto the targeted computer?
  • Is CIPAV related to “Magic Lantern”?

Full article here:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9028298

Disclaimer/disclosure: I’m an InfraGard member. In my writing about CIPAV, I’m providing only information that has already been published.

My personal position on the FBI’s CIPAV capability

In the days since I posted a story on the FBI’s use of CIPAV (which may be their “magic lantern” capability), my blog has been visited by many individuals who are trying to figure out how to detect whether CIPAV is running on their systems and, if so, how to disable or remove it.

Sorry, can’t help you. Won’t help you.

As a security professional, I deeply understand the concern about spyware, key loggers, and other tools that track our movements and even our keystrokes. When they originate from commercial or malicious sources, of course I want the ability to detect, disable, and remove. I wrote a book on the subject three years ago.

But when law enforcement obtains a court order and uses the same sort of software, I will not publicly discuss if such capabilities exist or how they work. Being an InfraGard board member, I have visibly close ties with the FBI and other branches and levels of law enforcement. As my disclaimer reads, I am 100% white hat. I support law enforcement as long as law enforcement is acting within established laws. My disclaimer is reproduced below.

My professional codes of ethics ((ISC)², ISACA, GIAC, InfraGard) forbid me from activities that give even the appearance of impropriety. Hence, I do not possess, and never have possessed, nor downloaded, examined, or viewed, any tools that can be used to exploit weaknesses. I do not associate with those who do. I am 100% white hat.

Policeware: the spyware that aids law enforcement

Policeware is the new term to describe spyware that is used by law enforcement to gather evidence in law enforcement investigations.

It is highly likely that anti-virus and anti-spyware software will look the other way if they detect policeware. Or, more likely, they won’t carry signatures for policeware at all.

So will it be possible to detect policeware? Possibly. I think that policeware will be the backdrop for the next cat-and-mouse game between law enforcement and the underworld.

Hackers are anxious to get a copy of CIPAV, the investigative tool (that gets installed on a suspect’s PC) used by the FBI to log outbound TCP/IP connections. Certainly they will devise tools to detect and block CIPAV and other such tools. In fact, this may be history as I write this – the capability to detect and remove CIPAV may already exist. And given that Magic Lantern and Carnivore have been around for several years, I can’t help but wonder if tools exist to detect its activities.

FBI implanted spyware leads to arrest of bomb threat suspect

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

My earlier blog entry on whether anti-virus can detect law enforcement-installed malware.

Entire story here:

http://news.com.com/8301-10784_3-9746451-7.html

AV vendors will block law enforcement key loggers, for now

Updated 7/19/07: FBI nabs bomb threat suspect with spyware
Updated 7/19/07: Policeware: the spyware used by law enforcement

A recent case that was heard by the U.S. Court of Appeals involved law enforcement use of a key logger on a suspect’s computer. The case involved a suspected illicit drug maker that was under investigation by the U.S. Drug Enforcement Agency (DEA). The DEA obtained permission from a judge to install key logging software on the suspect’s computer in order to harvest passwords for PGP and Hushmail encryption.

This case highlights a question that I’ve been thinking about for years: would my anti-virus program alert me to the presence of key logger software, even if it was installed by law enforcement? C|Net News interviewed representatives from several anti-virus/malware companies and got answers to that question. Would the following vendors’ programs detect key loggers even if installed by law enforcement?

▪ Grisoft/AVG: Yes
▪ Checkpoint: Yes
▪ Computer Associates: Yes
▪ eEye: Yes
▪ IBM: Yes
▪ Kaspersky: Yes
▪ McAfee: Yes
▪ Microsoft: Yes
▪ Sana: Yes
▪ Sophos: Yes
▪ Symantec: Yes
▪ Trend Micro: Yes
▪ Websense: Yes

C|Net News also asked these vendors if they had ever received requests from law enforcement (including subpoenas) that their products not inform a specific user of the presence of a law enforcement installed key logger. Some of the companies have a policy to not discuss specific dealings with law enforcement – and the rest said they had received no such request.

I am wondering just now – what would McAfee, Trend, Symantec, or any of the others do if law enforcement DID request / require that their products not report the presence of a key logger. How would they accomplish that feat? I can imagine a number of scenarios on how that would be accomplished:

  • The specific anti-virus vendor would design in a mechanism that would silence the software’s alert of a key logger if it received a specific signal from the vendor’s update service. To accomplish this, the vendor would have to know precisely which PC should be silenced, and be able to do so silently.

Other, less serious, alternatives come to mind:

  • Law enforcement could sneak into the suspect’s computer and run a program that would disable anti-virus programs’ ability to detect or report the presence of the key logger. I can easily imagine malware that would perform the same disabling feature in order to hide its own key logger. Some malware already has the ability to completely shut down anti-virus programs, firewalls, and so on, so this capability is not that far-fetched.
  • Law enforcement could send an e-mail to the suspect, where the e-mail either contained an executable, or a URL to a law enforcement website. “Please run this program or visit this web site so that we can install a key logger for you.” Uh huh.

Remember: anything that law enforcement can do, hackers can do. In fact, hackers are often one step ahead of law enforcement, experienced with the illicit installation of key loggers.

Anyway, I can imagine a future where law enforcement may have the ability to get key loggers onto computers, and at the same time get anti-malware programs to look the other way. But I expect that there will be capabilities of detecting and disabling such key loggers: hackers are notoriously anti-law enforcement and they would quickly fill the need to detect and block law enforcement key loggers.

In the meantime I can think of a few countermeasures:

  • Regularly scan your computer with one of several available online malware scanners (see this tip for more information).
  • Run one or more anti-rootkit programs to scan for rootkits (I feel that key loggers and/or the means for blocking anti-malware’s alerting it may be done by rootkits).
  • Switch your OS: use MacOS or Linux instead of Windows.

I have a feeling that the Electronic Frontier Foundation and the ACLU will be watching these developments.

Links to stories:

http://news.com.com/Security+firms+on+police+spyware%2C+in+their+own+words/2100-7348_3-6196990.html?tag=st.num

http://news.com.com/8301-10784_3-9741357-7.html