Unpatched Windows Vulnerability – Cost of Closed Source Software

September 8th, 2017

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware by Catalin Cimpanu.

From the post:

Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.

Continue on with Cimpanu for a good overview or catch Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1).

Symantec says proactive security includes:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware & Software
  • Constant Vulnerability Assessment and Remediation
  • Malware Defense

But since Windows is closed source software, you can’t remedy the vulnerability. Whatever your cyberdefenses, closed source MS Windows leaves you vulnerable.

Eternal (possibly) vulnerability – the cost of closed source software.

It’s hard to think of a better argument for open source software.

Open source software need not be free, just open source so you can fix it if broken.

PS: Open source enables detection of government malware.

The International Conference on Functional Programming – 2017

September 5th, 2017

The International Conference on Functional Programming – 2017 – Papers

If you are on the Gulf or East coast of the United States, take this opportunity to download papers to read following landfall of Irma.

You may not have Internet service but if you have printed several papers out as emergency preparedness, you won’t be at a loss for reading materials.

I’ve been in the impact zone of several hurricanes and while reading materials don’t make repairs go any faster, they do help pass the time.

Chess Captcha (always legal moves?)

September 5th, 2017

I saw this on Twitter. Other games you would use for a captcha?

Graham Cluley says chess captchas aren’t hard to defeat in: Chess CAPTCHA – a serious defence against spammers?

But Cluley, like most users, is assuming a chess captcha has a chess legal solution.

What if the solution is an illegal move? Or more than one illegal move?

An illegal move would put the captcha beyond any standard chess program.

Yes?

Reserving access to those told of the solution.

Tor Browser 7.0.5 is released – Upgrade! Stay Ahead of Spies!

September 5th, 2017

Tor Browser 7.0.5 is released

From the webpage:

Tor Browser 7.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded.

Well, no guarantee you will stay ahead of spies but using the current release of Tor is the best one can do. At least for browsers.

Enjoy!

Guide to Investigative Web Research (Populating A Topic Map)

September 5th, 2017

Guide to Investigative Web Research

From the webpage:

We’ve just finished working with a partner to create an introductory guide to investigative web research.

As part of our aim to encourage shared, open documentation about the use of technology in social change, we’re publishing it so that other people can use it too.

The guide is designed for researchers, activists and journalists who need to collect online information about people, entities or events and use it for investigative research or advocacy. If you’re tracking corporate ownership, monitoring corruption or mapping political influence, this guide is for you.

Read our guide to investigative web research

It’s designed to be practical and straightforward, pointing you to more detailed resources and giving you the context to decide what tools you might need.

As part of our philosophy of reuse and replication, we publish all our research and guides in the same open format on our Library. The Library aims to help build our collective knowledge of how technology can help activists and organisations. It has guides in Spanish, Portuguese, French, Bahasa and English, is responsive (unlike a PDF), and is designed to let people find and reuse content quickly and easily. Topics range from drones and messaging apps to participatory budgeting – and there are more guides coming soon!

Check out more guides from The Engine Room’s Library

The Library code is available on Github, and all the content is Creative Commons-licensed. We’ll keep you updated whenever new guides are added. If you’d like to chat about investigative web research techniques and how they could help your work, get in touch.

Once you decide to author a topic map, the really hard work comes in populating it with information. At least, if you want information that can be traced to verifiable sources (unlike presidential press releases these days).

The Investigative Web Research guide is a useful starting point, especially if you aren’t a seasoned web user. The more web experience you have, the less useful it will become.

There are a number of links to other resources, which is useful, but collections of links can only take the reader so far.

I had to smile when I read:

A key difference between hacking and web scraping is respect for legitimate legal barriers.

“…[L]egitimate legal barriers” support illegitimate, oppressive, patriarchal and discriminatory regimes, along with more just ones. Consider legal barriers for your own personal safety, but nothing more. Legal barriers are the carriers (in the sense of infection) of privilege in a society. Act accordingly.

DACA: 180 Days to Save 800,000 : Whose Begging Bowl to Choose? (Alternative)

September 5th, 2017

Trump administration ending DACA program, which protected 800,000 children of immigrants by Jacob Pramuk | @jacobpramuk.

From the post:

  • President Trump is ending DACA, the Obama-era program that protects hundreds of thousands of “dreamers.”
  • Attorney General Jeff Sessions says there will be a six-month delay in terminating it to give Congress time to act.
  • Sessions says the immigration program was an unlawful overreach by Obama that cannot be defended.

Check out Pramuk’s post if you are interested in Attorney General Sessions’ “reasoning” on this issue. I refuse to repeat it from fear of making anyone who reads it dumber.

Numerous groups have whipped out their begging bowls and more are on the way. All promising opposition, not success, but opposition to ending Deferred Action for Childhood Arrivals (DACA).

Every group has its own expenses, lobbyists, etc., before any of your money goes to persuading Congress to save all 800,000 children of immigrants protected by the DACA.

Why not create:

  • low-overhead fund
  • separate funds for house and senate
  • divided and contributed to the campaigns* of all representatives and senators who vote for a replacement for DACA within 180 days
  • where the replacement for DACA protects everyone now protected
  • and where the replacement for DACA becomes law (may have to override a veto)

*The contribution to a campaign, as opposed to the senator or representative themselves, is important as it avoids the contributions being a “gratuity” for passage of the legislation, which is illegal. 2041. Bribery Of Public Officials.

Such funds would avoid the overhead of ongoing organizations and enable donors to see the results of their donations more directly.

I’m not qualified to setup such funds but would contribute to both.

You?

PS: You do the math. If some wealthy donor contributed $6 million to the Senate fund, then sixty (60) senatorial campaigns would each get $600,000 in cash. Nothing to sneeze at.

GIJN’s Complete Global Guide to Freedom of Information (Attn: Activists/Journalists)

September 4th, 2017

Unlocking Laws to Set Information Free: GIJN’s New Global Guide by Toby McIntosh.

From the post:

More than 115 countries worldwide have laws that require officials to turn over public records. Of course, even in the countries that have no laws it never hurts to ask. But there’s an advantage to using an access law — variously called freedom of information laws, access to information laws, right to information and right to know laws.

There are many resources for journalists seeking to file records requests in countries with laws governing access to information. To help exploit these legal tools, we’ve lined up GIJN’s Complete Global Guide to Freedom of Information, a resource with three sections:

  • Tips and Tricks: A collection of the best advice on how to use access laws.
  • Inspirational FOI: Ideas of what to ask for and stories about journalists active in using FOI.
  • Global Resources: Country-by-country guidance and links to national resources.

Government information can be obtained by:

  • liberating government information
  • insiders leaking government information
  • “laws governing access to information”

Assuming you place credence in information a government disgorges voluntarily, this is a great resource for activists and journalists around the world.

If you like these resources, be sure to visit/support freedominfo.org.

Charity Based CyberSecurity For Mercenaries?

September 3rd, 2017

That was my question when I read: Insecure: How A Private Military Contractor’s Hiring Files Leaked by Dan O’Sullivan.

The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, was exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances. TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.

The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses. Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers. Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.

While the process errors and vendor practices that result in such cloud exposures are all too common in the digital landscape of 2017, the month-long period during which the files remained unsecured after UpGuard’s Cyber Risk Team notified TigerSwan is troubling.

Amazing story isn’t it? Even more amazing is that UpGuard sat on the data for a month, waiting for TigerSwan to secure it. Not to mention UpGuard not publicly posting the data upon discovery.

In case you don’t recognize “TigerSwan,” let me refresh your memory:

UpGuard finds 9,402 resumes, applicants seeking employment with TigerSwan/Blackwater type employers.

Did they expose these resumes to the public?

Did they expose these resumes to the press?

Did they expose these resumes to prosecutors?

None of the above.

UpGuard spends a month trying to keep the data hidden from the public, the press and potential prosecutors!

Unpaid charity work so far as I know.

Thousands of mercenaries benefit from this charity work by UpGuard. Their kind can continue to violate the rights of protesters, murder civilians, etc., all the while being watched over by UpGuard. For free.

Would you shield torturers and murderers from their past or future victims?

Don’t be UpGuard, choose no.

Sharing Misleading Protest Data – Raspberry Pi PirateBox

September 2nd, 2017

Police surveillance of cellphone and Wi-Fi access points is standard procedure at all protests.

The Raspberry Pi PirateBox enables protesters to re-purpose that surveillance to share misleading data with police officers, anonymously.

Using prior protests as a model, even re-using audio/video footage, create “fake” reports and imagery for posting to your “My Little Protest News Site.” (Pick a less obvious name.)

With any luck, news media reps will be picking up stories from your news site, which will increase the legitimacy of your “fake” reports. Not to mention adding to the general confusion.

Mix in true but too late to be useful news and even some truthful, prior to happening calls for movement so your reports are deemed mostly credible.

Predicting flare gun attacks on reserve formations, only moments before it happens, will go a long way to earning your site credibility with its next prediction of an uptick in action.

The legality of distributing fake reports and use of flare guns at protests varies from jurisdiction to jurisdiction. Always consult with legal counsel about such conduct.

US Labor Day (sic) Security Reading

September 1st, 2017

I know, for the US to have a “labor day” holiday is a jest too cruel for laughter.

But, many people will have a long weekend, starting tomorrow, so suggested reading is in order.

Surveillance Self-Defense, a project of the EFF, has security “playlists” for:

Academic researcher? Learn the best ways to minimize harm in the conduct of your research.

Activist or protester? How to keep you and your communications safe wherever your campaigning takes you.

Human rights defender? Recipes for organizations who need to keep safe from government eavesdroppers.

Journalism student? Lessons in security they might not teach at your j-school.

Journalist on the move? How to stay safe online anywhere without sacrificing access to information.

LGBTQ Youth? Tips and tools to help you more safely access LGBTQ resources, navigate social networks, and avoid snoopers.

Mac user? Tips and tools to help you protect your data and communications.

Online security veteran? Advanced guides to enhance your surveillance self-defense skill set.

Want a security starter pack? Start from the beginning with a selection of simple steps.

Have a great weekend!

Google As Censorship Repeat Offender : The Kashmir Hill Story

September 1st, 2017

That Google is a censorship repeat offender surprises no one. Censorship is part and parcel of its toadyism to governments and its delusional war against “dangerous” ideas.

Kashmir Hill’s story of Google censorship put a personal spin on censorship too massive to adequately appreciate.

Reporter: Google successfully pressured me to take down critical story by Timothy B. Lee.

From the post:

The recent furor over a Google-funded think tank firing an anti-Google scholar has inspired Gizmodo journalist Kashmir Hill to tell a story about the time Google used its power to squash a story that was embarrassing to the company.

The incident occurred in 2011. Hill was a cub reporter at Forbes, where she covered technology and privacy. At the time, Google was actively promoting Google Plus and was sending representatives to media organizations to encourage them to add “+1” buttons to their sites. Hill was pulled into one of these meetings, where the Google representative suggested that Forbes would be penalized in Google search results if it didn’t add +1 buttons to the site.

Hill thought that seemed like a big story, so she contacted Google’s PR shop for confirmation. Google essentially confirmed the story, and so Hill ran with it under the headline: “Stick Google Plus Buttons On Your Pages, Or Your Search Traffic Suffers.”

Hill described what happened next:

No government, practitioners of censorship themselves, will punish Google for this and its continuing acts of censorship.

Some things you can do:

  • Follow and support Kashmir Hill, who is likely to catch a lot of shit over this report.
  • Follow and support Ars Technica, anyone for boosting their search results?
  • Vote with your feet for other search services.
  • Place ads with other search services.
  • Hackers, well, do what you do best.

And to those who respond: “Well, that’s just good business.”

For some sense of “good business,” sure. But users are also free to make their own choices about “good business.”

If Google ad revenue takes a measurable hit between now and December 31, 2017, user choices may be heard.

Secure Data Deletion on Windows (Or Not)

August 31st, 2017

How to: Delete Your Data Securely on Windows

From the post:

Most of us think that a file on our computer is deleted once we put the file in our computer’s trash folder and empty the trash; in reality, deleting the file does not completely erase it. When one does this, the computer just makes the file invisible to the user and marks the part of the disk that the file was stored on as “available”—meaning that your operating system can now write over the file with new data. Therefore, it may be weeks, months, or even years before that file is overwritten with a new one. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), you can even still retrieve the “deleted” file. The bottom line is that computers normally don’t “delete” files; they just allow the space those files take up to be overwritten by something else some time in the future.

The best way to delete a file forever, then, is to make sure it gets overwritten immediately, in a way that makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the “empty” space on your disk with gibberish and thereby protect the confidentiality of deleted data.

Note that securely deleting data from solid state drives (SSDs), USB flash drives, and SD cards is very hard! The instructions below apply only to traditional disk drives, and not to SSDs, which are becoming standard in modern laptops, USB keys/USB thumb drives, or SD cards/flash memory cards.

This is because these types of drives use a technique called wear leveling. (You can read more about why this causes problems for secure deletion here.)

If you’re using an SSD or a USB flash drive, you can jump to the section below.

On Windows, we currently suggest using BleachBit. BleachBit is a free/open source secure deletion tool for Windows and Linux, and is much more sophisticated than the built-in Cipher.exe.

BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. Please check the documentation for further information.

The EFF’s reminder:


Time required: 10 minutes to several hours (depending on size of files/disks to be securely deleted)

is reassurance that most drives retired from government and industry may be loaded with goodies.

If in doubt, share this EFF resource with office level decision makers. It’s almost certain they will not tax their users with secure data deletion duties.
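The overwrite-immediately approach the EFF excerpt describes, as an added example (not EFF or BleachBit code): the file's bytes are replaced with random data and flushed to the device before the name and inode are released, and the function reports whether the original content survived the overwrite. The marker text and temp file are constructed for the demo; as the excerpt warns, this gives no guarantee on SSDs, USB flash or SD cards, where wear leveling may leave the old cells intact.

```python
import os
import secrets
import tempfile

# Constructed content used only so the demo can check that it is gone afterwards.
MARKER = b"constructed secret content\n"


def overwrite_and_unlink(path, passes=1, chunk=1 << 16):
    """Overwrite a file in place, fsync it, then rename and unlink it.

    Only meaningful on traditional (rotational) disks: wear leveling on flash
    media may write the new bytes to different cells and keep the old ones.
    Returns a dict with the file size, bytes written and whether MARKER survived.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the new bytes to the device, not just the page cache
        fh.seek(0)
        marker_survives = MARKER in fh.read()
    # Rename first so the original filename also leaves the directory metadata.
    directory = os.path.dirname(path) or "."
    scrambled = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, scrambled)
    os.unlink(scrambled)
    return {"size": size, "bytes_written": size * passes, "marker_survives": marker_survives}


def demo():
    """Create a constructed temp file full of MARKER, shred it, report the outcome."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(MARKER * 1000)
        path = tmp.name
    result = overwrite_and_unlink(path, passes=2)
    result["still_exists"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```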

Monitoring Malware Sinkhole Traffic

August 31st, 2017

Consolidated Malware Sinkhole List by Lesley Carhart, Full Spectrum Cyber-Warrior Princess.

From the post:

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

An incomplete malware sinkhole list by her own admission but an interesting starting point for data collection/analysis.

When I read Carhart’s:

I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I had to wonder, at what level will you be monitoring traffic “…to these sinkholes?”

Sysadmins monitor their own networks, but traffic monitoring at higher levels is possible as well.

Traffic monitoring for sinkholes above the network level would give a broader picture of possible “infections.”

Upon discovery, a system already infected by one type of malware may be found to be vulnerable to other malware with a similar attack vector.

It certainly narrows the hunt for vulnerable systems.
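One way to run the check Carhart recommends over resolver logs, as an added example (not her list or code): each query is flagged when its answer lands in a sinkhole network or the name itself belongs to a sinkhole domain, and per-host hits are rolled up to subnets for the wider view the post asks about. The sinkhole ranges, domains and log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sinkhole inventory (TEST-NET ranges and example.* names).
# A real deployment would load a curated list such as Carhart's and refresh it,
# since, as she notes, addresses in use change over time.
SINKHOLE_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]
SINKHOLE_DOMAINS = {"sinkhole.example.net", "research-sink.example.org"}

# Constructed log format: one resolver query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

SAMPLE_LOG = """\
2017-08-31T10:00:01Z client=10.0.0.5 query=cdn.example.com answer=203.0.113.10
2017-08-31T10:00:02Z client=10.0.0.5 query=xk3j9a.biz answer=192.0.2.77
2017-08-31T10:00:03Z client=10.0.0.9 query=update.sinkhole.example.net answer=NXDOMAIN
2017-08-31T10:00:04Z client=10.0.0.5 query=q7pl.info answer=198.51.100.20
2017-08-31T10:00:05Z client=10.0.0.7 query=mail.example.com answer=203.0.113.25
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_sinkhole_ip(address):
    """True if the answer is an IP address inside any sinkhole network."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # NXDOMAIN, SERVFAIL, CNAME targets and the like
        return False
    return any(ip in net for net in SINKHOLE_NETWORKS)


def is_sinkhole_domain(qname):
    """True if the queried name is a sinkhole domain or a subdomain of one."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SINKHOLE_DOMAINS)


def find_sinkhole_hits(lines):
    """Map each client IP to the (qname, answer, reason) entries that touched a sinkhole.

    Matching on the name as well as the answer catches hosts whose resolver
    returned no address but which still asked for the sinkholed C2 name.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_sinkhole_ip(rec["answer"]):
            reasons.append("answer in sinkhole network")
        if is_sinkhole_domain(rec["qname"]):
            reasons.append("query for sinkhole domain")
        if reasons:
            hits[rec["client"]].append((rec["qname"], rec["answer"], "; ".join(reasons)))
    return dict(hits)


def summarize_by_subnet(hits, prefix_len=24):
    """Roll per-host hits up to /prefix_len subnets for a broader infection picture."""
    counts = defaultdict(int)
    for client, entries in hits.items():
        net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
        counts[str(net)] += len(entries)
    return dict(counts)


if __name__ == "__main__":
    found = find_sinkhole_hits(SAMPLE_LOG.splitlines())
    for client, entries in sorted(found.items()):
        for qname, answer, reason in entries:
            print(f"{client}: {qname} -> {answer} ({reason})")
    print(summarize_by_subnet(found))
```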

If you don’t already, follow Lesley Carhart, @hacks4pancakes, or visit her blog, tisiphone.net.

brename – data munging tool

August 31st, 2017

brename — a practical cross-platform command-line tool for safely batch renaming files/directories via regular expression

Renaming files is a daily activity when data munging. Wei Shen has created a batch renaming tool with these features:

  • Cross-platform. Supporting Windows, Mac OS X and Linux.
  • Safe. By checking potential conflicts and errors.
  • File filtering. Supporting including and excluding files via regular expression.
    No need to run commands like find ./ -name "*.html" -exec CMD.
  • Renaming submatch with corresponding value via key-value file.
  • Renaming via ascending integer.
  • Recursively renaming both files and directories.
  • Supporting dry run.
  • Colorful output.

Binaries are available for Linux, OS X and Windows, both 32 and 64-bit versions.

Linux has a variety of batch file renaming options but I didn’t see any shortcomings in brename that jumped out at me.

You?

HT, Stephen Turner.

FCC Supports Malware Distribution!

August 31st, 2017

Well, not intentionally.

FCC “apology” shows anything can be posted to agency site using insecure API by Sean Gallagher

Gallagher reports that with an API key (use gmail account) you can post malicious Word documents to the FCC site.

Not formal support for malware distribution but the next best thing.

The FCC has been given notice so this is probably a time limited opportunity.

Don’t despair!

Knowing what to look for, you can begin scanning other government websites for a similar weakness.

Journalist tip: As APIs with this weakness are uncovered, trace them back to the contractors who built them. Then run forward to see who the contractors are afflicting now.

Confirmation: Google Does Not Support Free Speech

August 30th, 2017

Google-Funded Think Tank Fired Google Critics After They Dared Criticize Google by Sam Biddle and David Dayen.

From the post:

The New America Foundation’s Open Markets group was a rare, loud voice of protest against Google’s ever-growing consolidation of economic and technological power around the world. But New America, like many of its fellow think tanks, received millions in funding from one of the targets of its anti-monopoly work, and according to a New York Times report today, pulled the plug after the company’s chief executive had enough dissent.

After EU regulators fined Google $2.7 billion earlier this summer, Barry Lynn, who ran the Open Markets division, cheered the decision, adding that “U.S. enforcers should apply the traditional American approach to network monopoly, which is to cleanly separate ownership of the network from ownership of the products and services sold on that network, as they did in the original Microsoft case of the late 1990s.” It didn’t take long for Lynn and his colleagues to suffer the consequences, the Times reports:

Google has long suppressed speech as a government toady but its open suppression of criticism portends wider and more active censorship of the marketplace of ideas.

Biddle and Dayen do a great job of identifying those who bowed to “displeasure” and those who were displeased. Something to keep in mind when deciding how to act on your displeasure with this misconduct by Google.

We all know that Google makes invaluable contributions to any number of projects but that isn’t a “bye” for abuse of their economic power or the sycophants they fund.

Are You Investing in Data Prep or Technology Skills?

August 30th, 2017

Kirk Borne posted for #wisdomwednesday:

New technologies are my weakness.

What about you?

What if we used data driven decision making?

Different result?

Inspiring Female Hackers – Kronos Malware

August 29th, 2017

Hasherezade authored a two part series:

Inside the Kronos malware – part 1

Inside the Kronos malware – part 2,

an in-depth examination of the Kronos Malware.

It’s heavy sledding but is one example of current work being done by a female hacker. If it seems alien now, return to it after you learn some hacking skills to be properly impressed.

BTW, Hasherezade has a blog at: hasherezade’s 1001 nights

PS: There’s a lot of talk about white-hats and black-hats in the cybersecurity community.

My question would be: “What color hat are you paying me to wear? Otherwise, it’s really none of your concern.”

Drop-n-Retrieve Honeypots, Portals, Deception

August 28th, 2017

A low-cost drop-n-retrieve WiFi device, suitable for use in public, private, commercial and governmental locations.

YouTube has a series of videos on WiNX under the playlist Hacker Arsenal.

You don’t want to search using “WiNX” at YouTube. The most popular results are for Winx Club. Not related.

What Being a Female Hacker Is Really Like

August 28th, 2017

What Being a Female Hacker Is Really Like by Amanda Rousseau.

I never imagined citing a TeenVogue post on my blog but this one is a must read!

Amanda Rousseau is a white-hat malware expert and co-founder of the blog, VanitySec.

I won’t attempt to summarize her four (4) reasons why women should consider careers as hackers, thinking you need to read the post in full, not my highlights.

Looking forward to more hacker oriented posts in TeenVogue and off now to see what’s up at VanitySec. (Today’s top post: Fall Bags to Conceal Your RFID Reader. Try finding that at your tech feed.)

Hacking For Government Transparency

August 28th, 2017

The 2017 U.S. State and Federal Government Cybersecurity Report by SecurityScorecard lacks details of specific vulnerabilities for identified government units, but paints an encouraging picture for hackers seeking government transparency.

Coverage of the report:


In August 2017, SecurityScorecard leveraged its proprietary platform to analyze and grade the current security postures of 552 local, state, and federal government organizations, each with more than 100 public-facing IP addresses, to determine the strongest and weakest security standards based on security hygiene and security reaction time compared to their peers.

Security Rankings by Industry

Out of eighteen (18) ranked industries, best to worst security, government comes in at a tempting number sixteen (16):

Financial services, with the fifth (5th) best security, is routinely breached, making it curious the government (#16) has any secrets at all.

Why Any Government Has Secrets

Possible reasons any government has secrets:

  1. Lack of interest?
  2. Lack of effort by the news media?
  3. Habituation to press conferences?
  4. Habituation to “leaks?”
  N. Cybersecurity?

You can wait for governments to embarrass themselves (FOIA and its equivalents), wait for leakers to take a risk for your benefit, or, you could take the initiative in obtaining government secrets.

The SecurityScorecard report makes it clear the odds are in your favor. Your call.

Good News For Transparency Phishers

August 25th, 2017

If you are a transparency phisher, Shaun Waterman has encouraging news for you in: Most large companies don’t use standard email security to combat spoofing.

From the post:

Only a third of Fortune 500 companies deploy DMARC, a widely-backed best-practice security measure to defeat spoofing — forged emails sent by hackers — and fewer than one-in-10 switch it on, according to a new survey.

The survey, carried out by email security company Agari via an exhaustive search of public Internet records, measured the use of Domain-based Message Authentication, Reporting and Conformance, or DMARC.

“It is unconscionable that only eight percent of the Fortune 500, and even fewer [U.S.] government organizations, are protecting the public against email domain spoofing,” said Patrick Peterson, founder and executive chairman, Agari. A similar survey of federal government agencies earlier this month, by the Global Cyber Alliance, found fewer than five percent of federal domains were protected by switched-on DMARC.

The Agari survey found adoption rates similarly low among companies in the United Kingdom’s FTSE and Australia’s ASX 100.

DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a major form of both cybercrime and cyber-espionage, in which an email appearing to come from a trusted company like a bank or government agency contains malicious links, directing readers to a fake site which will steal their login and password when they sign on.

Only eight (8) percent of the Fortune 500 and less than five (5) percent of federal (US) domains have DMARC protection.

I expect DMARC protection rates fall rapidly outside the Fortune 500 and among non-federal government domains.
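An added example (not Agari's methodology or code) of how the survey's distinction between “deploying” DMARC and “switching it on” can be read off a domain's _dmarc TXT record: a record with p=none only monitors, while quarantine or reject enforces, with pct and sp weakening enforcement. The records below are constructed, and the bucket names and counting rules are my own approximation of the survey's categories.

```python
import re

# Constructed _dmarc TXT answers keyed by domain (no live DNS lookups).
SAMPLE_RECORDS = {
    "none.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@partial.example"],
    "strict.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:agg@strict.example"],
    "lax-sub.example": ["v=DMARC1; p=reject; sp=none"],
    "broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
    "typo.example": ["v=DMARC1 p=reject"],  # missing ';' so the tag list cannot be parsed
}

TAG_RE = re.compile(r"^\s*([a-zA-Z]+)\s*=\s*(.*?)\s*$")


def parse_dmarc(txt):
    """Return the tag/value dict of one DMARC record, or None if malformed.

    RFC 7489: tags are ';'-separated, the first tag must be v=DMARC1 and p is required.
    """
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        m = TAG_RE.match(part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2)
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(records):
    """Map a domain's _dmarc TXT answers to a deployment bucket."""
    if not records:
        return "no DMARC record"
    if len(records) > 1:
        return "invalid (multiple DMARC records)"
    tags = parse_dmarc(records[0])
    if tags is None:
        return "invalid (unparseable record)"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "deployed, monitoring only (p=none)"
    if policy not in ("quarantine", "reject"):
        return "invalid (unknown policy)"
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if pct < 100 or sub == "none":
        return f"partially enforced (p={policy}, sp={sub}, pct={pct})"
    return f"enforced (p={policy})"


def survey(record_map):
    """Classify every domain and count them the way the survey's headline numbers do."""
    per_domain = {d: classify(r) for d, r in record_map.items()}
    buckets = per_domain.values()
    counts = {
        "deployed": sum(b.startswith(("deployed", "partially", "enforced")) for b in buckets),
        "switched_on": sum(b.startswith(("partially", "enforced")) for b in buckets),
        "fully_enforced": sum(b.startswith("enforced") for b in buckets),
    }
    return per_domain, counts


if __name__ == "__main__":
    per_domain, counts = survey(SAMPLE_RECORDS)
    for domain, bucket in per_domain.items():
        print(f"{domain:18} {bucket}")
    print(counts)
```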

If you are interested in transparency, for private companies or government agencies, the lack of DMARC adoption and use presents a golden opportunity to obtain otherwise hidden information.

As always, who you are and who you are working for, determines the legality of any phishing effort. Consult with an attorney concerning your legal rights and obligations.

FBI As Unpaid Cybersecurity Ad Agency

August 25th, 2017

Despite its spotty record on cybersecurity expertise, the FBI is promoting competitors of Kaspersky Lab.

Patrick O’Neill’s account of the FBI’s efforts, FBI pushes private sector to cut ties with Kaspersky:


In the briefings, FBI officials give companies a high-level overview of the threat assessment, including what the U.S. intelligence community says are Kaspersky’s deep and active relationships with Russian intelligence. FBI officials point to multiple specific accusations of wrongdoing by Kaspersky, such as a well-known instance of allegedly faking malware.

In a statement to CyberScoop, a Kaspersky spokesperson blamed those particular accusations on “disgruntled, former company employees, whose accusations are meritless” while FBI officials say, in private and away from public scrutiny, they know the incident took place and was blessed by the company’s leadership.

The FBI’s briefings have seen mixed results. Companies that utilize ICS and SCADA systems have been relatively cooperative, one government official told CyberScoop, due in large part to what’s described as an exceptional sense of urgency that dwarfs most other industries. Several of these companies have quietly moved forward on the FBI’s recommendations against Kaspersky by, for example, signing deals with Kaspersky competitors.

The firms the FBI have briefed include those that deal with nuclear power, a predictable target given the way the electric grid is increasingly at the center of catastrophic cybersecurity concerns.

The traditional tech giants have been less receptive and cooperative to the FBI’s pitch.

leaves the impression Kaspersky competitors are not compensating the FBI for the additional business.

That’s just wrong! If the FBI drives business to vendors, the public merits a cut of those contracts for services rendered. Members of Congress pushing for the exclusion of Kaspersky are no doubt being compensated but that doesn’t benefit the general public.

The only known validation of the FBI’s nationalistic fantasy is the relationship between the US government and US software vendors. See Microsoft says it’s already patched flaws exposed in leak of NSA hacks. What motive does the NSA have to withhold flaws from US vendors other than to use them against other nations?

Expecting other governments to act like the US government, and other software vendors to be as spineless as US vendors, makes the FBI Kaspersky fantasy consistent with its paranoia. Consistency, however, isn’t the same as a factual basis.

Free tip for Kaspersky Lab: Starting with your competitors and likely competitors, track their campaign contributions, contacts with the U.S. government, news placements, etc. No small task as acceptance of the FBI’s paranoid delusions didn’t happen overnight. Convictions of incautious individuals for suborning the government for commercial gain would go a long way to countering that tale.

DOJ Wanted To Hunt Down DisruptJ20.org Visitors

August 25th, 2017

National Public Radio (NPR) details the Department of Justice (DOJ) request for web records from DisruptJ20.org, which organized protests against the coronation of the current U.S. president, in Government Can Search Inauguration Protest Website Records, With Safeguards and Justice Department Narrows Request For Visitor Logs To Inauguration Protest Website. (The second story has the specifics on the demand.)

The narrowed DOJ request excludes:

f. DreamHost shall not disclose records that constitute HTTP requests and error logs.

A win for casual visitors this time, but no guarantees for next time.

The NPR stories detail this latest governmental over-reaching but the better question is:

How to avoid being scooped up if such a request were granted?

One word answer: Tor!

What is Tor?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Why Anonymity Matters

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

What’s your default browser?

If your answer is anything but Tor, you are putting yourself and others at risk.

Air Gapping USB Sticks For Journalists (Or Not! For Others)

August 25th, 2017

CIRCLean – USB key sanitizer

Journalists are likely to get USB sticks from unknown and/or untrustworthy sources. CIRCLean copies potentially dangerous files on an untrustworthy USB stick, converts those files to a safe format and saves them to your trusted USB stick. (Think of it as not sticking a potentially infected USB into your computer.)

Visual instructions on using CIRCLean:

Written instructions based on those for CIRCLean, without illustrations:

  1. Unplug the device.
  2. Plug the untrusted USB stick into the top USB slot.
  3. Plug your own, trusted USB stick into the bottom USB slot.
  4. Note: Make sure your USB stick is bigger than the untrusted one. The extracted documents are sometimes bigger than the original ones.
  5. Connect the power to the device.
  6. If your device has a diode, wait until the blinking stops.
  7. Otherwise, plug in a headset and listen to the music that is played during the conversion. When the music stops, the conversion is finished.
  8. Unplug the device and remove the USB keys.

Label all untrusted USB sticks. “Untrusted” means it has an origin other than you. Unicode U+2620 “skull and crossbones” works, ☠. Or a bit larger:


(Image from http://graphemica.com/)

It’s really that easy!

On The Flip Side

Modifying the CIRCLean source to maintain its present capabilities but adding your malware to the “trusted” USB stick offers a number of exciting possibilities.

Security is all the rage in the banking industry, making a Raspberry Pi (with diode), an attractive case, and your USB malware great banking convention swag.

Listing of banking conferences are maintained by the American Bankers Association, the European Banking Association, and Asian Banking & Finance, to name just a few.

A low-cost alternative to a USB cleaning/malware installing Raspberry Pi would be to use infected USB sticks as swag. “Front Office Staff: After Hours” or some similar title. If that sounds sexist, it is, but traps use bait based on their target’s proclivities, not yours.

PS: Ethics/legality:

The ethics of spreading malware to infrastructures based on a “white, cisheteropatriarchal*” point of view, I leave for others to discuss.

The legality of spreading malware depends on who’s doing the spreading and who’s being harmed. Check with legal counsel.

* A phrase I stole from: Women’s Suffrage Leaders Left Out Black Women. A great read.

Blasphemy and Related Laws (Censorship)

August 24th, 2017

Years ago I encountered a description of a statement as being so vile that it made:

…strong men curse and women faint…

The author did not capture the statement and I don’t remember the book with that description. Based on the sexism in the quote, I’m assuming either the work or the time described was late 19th century.

Suggestions?

Blasphemy is a possible subject area for such a statement and the Library of Congress has helpfully compiled:

Blasphemy and Related Laws.

Description:

This report surveys laws criminalizing blasphemy, defaming religion, harming religious feelings, and similar conduct in 77 jurisdictions. In some instances the report also addresses laws criminalizing proselytization. Laws prohibiting incitement to religious hatred and violence are outside the scope of this report, although in some cases such laws are mentioned where they are closely intertwined with blasphemy. The report focuses mostly on laws at the national level, and while it aims to cover the majority of countries with such laws, it does not purport to be comprehensive.

I recognize not blaspheming in the presence of believers as a social courtesy but the only true blasphemy, in my view, is censorship of the speech of others.

Censorship of blasphemy implies a Deity threatened by human speech. That is a slander of any Deity worthy of worship.

58 Newsletters About Journalism

August 23rd, 2017

An incomplete list of newsletters about journalism (Compiled by Joseph Lichterman, Lenfest Institute for Journalism, joseph@lenfestinstitute.org)

Fifty-eight (58) newsletters as of today.

Some you will recognize, some you won’t.

Anything you see missing?

Censors To Hate: Alison Saunders, Crown Prosecution Services

August 23rd, 2017

There is no complete list of censors to hate, but take all the posts marked censorship as a starting point for an incomplete list.

Alison Saunders in Hate is hate. Online abusers must be dealt with harshly announces the bizarre proposition:
the Crown Prosecution Service (CPS) today commits to treat online hate crimes as seriously as those committed face to face.

Not distinguishing between face to face versus online hate crimes places the value of a University of Leeds legal education in question.

Unlike a face to face hate crime, all online users have access to an on/off button to immediately terminate any attempt at a hate crime.

Moreover, applications worthy of use offer a variety of filtering mechanisms, by which an intended victim of a hate crime can avoid contact with a would be abuser.

Saunders claims 15,000 hate crime prosecutions in 2015-2016, but fails to point out their conviction rate was 82.9%. See More hate crimes prosecuted by the Crown Prosecution Service than ever before.

If these were all online crimes, Saunders and the CPS would be prosecuting almost 1 in 5 cases where no crime was committed.

Or put differently, there is a four out of five chance if charged with a hate crime, you will be convicted.

Are you more or less likely to make a strong objection or post if there is a four out of five chance you will be convicted of a crime?

Check your local laws before acting on any hatred for Alison Saunders or Crown Prosecution Services.

Citizens of the world must oppose censors and censorship everywhere. If you can’t criticize local censorship, speak out against censors elsewhere.

Rethinking (read abandoning) Free Speech

August 19th, 2017

If The A.C.L.U. Needs to Rethink Free Speech by K-Sue Park were an exercise in legal logic, Park would get an F.

These paragraphs capture Park’s argument:
After the A.C.L.U. was excoriated for its stance, it responded that “preventing the government from controlling speech is absolutely necessary to the promotion of equality.” Of course that’s true. The hope is that by successfully defending hate groups, its legal victories will fortify free-speech rights across the board: A rising tide lifts all boats, as it goes.

While admirable in theory, this approach implies that the country is on a level playing field, that at some point it overcame its history of racial discrimination to achieve a real democracy, the cornerstone of which is freedom of expression.

I volunteered with the A.C.L.U. as a law student in 2011, and I respect much of its work. But it should rethink how it understands free speech. By insisting on a narrow reading of the First Amendment, the organization provides free legal support to hate-based causes. More troubling, the legal gains on which the A.C.L.U. rests its colorblind logic have never secured real freedom or even safety for all.

For marginalized communities, the power of expression is impoverished for reasons that have little to do with the First Amendment. Numerous other factors in the public sphere chill their voices but amplify others.

Without doubt, the government, American society in general and the legal system in particular are not blind to race, gender, class or any other meaningful distinction. Marginalized communities bear the brunt of that lack of blindness.

If the legal system deprives those with privilege and power of free speech, what does logic and experience dictate will be the impact on marginalized communities?

Are you expecting a different free speech result for the marginalized from courts that discriminate against them?

If yes, call your mother to say your failure at legal logic is putting the marginalized in harm’s way. (post her reaction)