Archive - Privacy and Anonymity RSS Feed

Device security and encryption

The title of this article doesn’t really do it justice. It is a good article that gives a high-level understanding of the concept of trusted booting of a device. It is a good read for individuals in, or working with, law enforcement and digital forensics. As this type of technology becomes more and more mainstream, it will become much more difficult to surreptitiously obtain access to a device, or data from it, without the owner’s cooperation.

Obama’s blackberry and the lack of ephemeral conversations today

Another well written article on the lack of privacy in the digital world and on how conversations are no longer ephemeral, with excellent referenced examples, entitled “Why Obama Should Keep His Blackberry – but won’t”. Personally, I find it quite amazing what people use and transmit via e-mail, SMS messages and IM conversations. Add to that the explosion of wireless devices that do all this, and people (myself included) are not careful enough. The article is by security technologist Bruce Schneier.

Google Flu Trends

I wrote about Google Flu Trends the other day. Yesterday, I came across this article discussing whether there is a privacy risk with Google Flu Trends, and made a note that I was going to comment on it. Lauren Weinstein has written a pretty good commentary on the article, and I pretty much agree with what he has written.

Google Flu Trends is the result of taking individual personal data and aggregating it. This has the advantage of anonymizing the data as well as providing another tool in the toolbox of mechanisms to track flu outbreaks. This kind of trending could be applied to many other concepts with similar results; I and others like me have done this type of analysis for our clients for years now. While I applaud people that monitor privacy violations, attaching privacy violations to this data is incorrect. Privacy concerns should be attached to the methods that Google and others use to track and store data: associating IP addresses with search terms and unique cookies, and keeping that data for extended periods of time, is one example. Google and other search sites, along with social sites such as Facebook, all track detailed data. Facebook, for example, tracks every profile you look at, including date and time, by IP and unique ID. This data can be obtained by interested parties. This is where privacy advocates should be focused.
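As an added example (not from the original post, and not Google’s code) of the distinction drawn above, the Python below takes a few constructed search-log lines carrying exactly the fields the post objects to retaining, the client IP, a unique cookie ID and the query, and produces a flu-trend table from them. The log format, the keyword list and the suppression threshold are assumptions for the example. The point is that the aggregate contains no per-user data, while the retained raw log still lets every query be linked back to a cookie and an IP. It also goes one step beyond the post by suppressing sparse cells, since a region/week cell with a single hit is itself a pointer at one person.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed search-log lines (not real data). Each carries the fields the post
# objects to retaining: client IP, a unique cookie ID, and the query itself.
SAMPLE_LOG = """\
2008-11-03T09:12:44Z 203.0.113.7 cid=a1 region=ON q=flu symptoms
2008-11-03T10:01:02Z 203.0.113.7 cid=a1 region=ON q=tamiflu dosage
2008-11-04T18:30:11Z 198.51.100.2 cid=b7 region=ON q=fever and chills
2008-11-05T07:45:00Z 192.0.2.9 cid=c3 region=ON q=best pizza toronto
2008-11-06T21:14:59Z 192.0.2.44 cid=d9 region=BC q=influenza
2008-11-11T08:00:00Z 203.0.113.7 cid=a1 region=ON q=flu shot clinic
2008-11-12T12:12:12Z 198.51.100.9 cid=e5 region=BC q=flu
"""

LINE_RE = re.compile(r"^(\S+) (\S+) cid=(\S+) region=(\S+) q=(.*)$")
FLU_TERMS = ("flu", "influenza", "tamiflu", "fever")  # assumed keyword list


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m.group(2), "cookie": m.group(3),
            "region": m.group(4), "query": m.group(5)}


def records(log):
    return [parse_line(line) for line in log.splitlines() if line.strip()]


def is_flu_query(query):
    q = query.lower()
    return any(term in q for term in FLU_TERMS)


def aggregate(log, k=2):
    """Trend output: flu-query counts per (region, ISO week).

    Cells with fewer than k hits are suppressed, so a sparse region/week cannot
    single out one person. Nothing per-user survives into the result."""
    counts = Counter()
    for rec in records(log):
        if is_flu_query(rec["query"]):
            year, week, _ = rec["ts"].isocalendar()
            counts[(rec["region"], f"{year}-W{week:02d}")] += 1
    return {cell: n for cell, n in counts.items() if n >= k}


def profile_by_cookie(log):
    """What the retained raw log supports: every query linked back to one cookie
    and the IPs it was seen from. This is the data privacy should attach to."""
    profiles = defaultdict(lambda: {"ips": set(), "queries": []})
    for rec in records(log):
        profiles[rec["cookie"]]["ips"].add(rec["ip"])
        profiles[rec["cookie"]]["queries"].append(rec["query"])
    return dict(profiles)
```

With the sample above, `aggregate(SAMPLE_LOG)` returns a single cell (Ontario, week 45, three queries) because every other region/week has one hit; `profile_by_cookie(SAMPLE_LOG)` shows cookie `a1` with three flu-related queries tied to one IP, which is exactly the linkage the aggregate throws away.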

Skype has a backdoor

An article expressing concern that Skype has a backdoor. There may or may not be a backdoor. Regardless, it is important that everyone that uses Skype assume there is one. Why? The client they produce is closed source, so the code is not reviewed independently of the company. The protocol they use is encrypted and proprietary as well, and it is not reviewed by anyone outside the company. The authentication servers are completely under their control. The entire functionality of the Skype system, the clients, servers, data routing and data encryption, is all under their control, not yours.

Assuming the above is true, let’s pretend that Skype has inserted a backdoor. Why would they do this? There are several reasons. Testing is the first one that comes to mind. A new version of the client is being developed, and the ability to test and analyze it for any issues is necessary. A backdoor permits developers and testers to capture calls to check for problems, call quality and anything else that would be necessary to diagnose. Maybe the country where the head office is located requires all VoIP providers to have the ability to intercept VoIP calls. If they wish to do business in this country they have no choice but to comply. I have consulted for companies where the government requires that Skype be blocked because it cannot be intercepted. If Skype wishes to have a presence in these countries it makes sense for it to comply.

If Skype adds interception and monitoring capabilities, and they compete with other VoIP vendors for market share, it may not make good business sense for them to announce this publicly. Especially if they have no legal reason to do so.

This problem is not Skype specific. As more and more online services such as Gmail, Google Docs, CRM vendors, backup vendors and others (this list is not exhaustive, and it will grow) stop offering systems to purchase and instead offer a ‘service’ where your data is in their possession, this risk grows. Companies need to assess this risk. If you choose to put confidential client information on Google Docs, or use Gmail for confidential e-mail, you should always assume that someone at Google has the ability, or can create the ability, to extract the data if necessary. The company may state that they will not do this, but if they are ordered to by government or law enforcement, or they have a ‘bad’ employee who is willing to do it, then you are out of luck.

A perfect example of this happening in the past is with Hushmail. The news article is here. Hushmail was considered a free e-mail service that was ‘secure’. They originally sold themselves as using encryption where only you had the password to unlock the data. They stated that even Hushmail and its employees could not unlock the data without your passphrase. Then one day, surprise, they provided a bunch of CDs containing unencrypted e-mails from a Hushmail account to officials when requested. If you think about it, the ability to do this makes complete sense. They offered a Java program into which an individual would type their passphrase; the passphrase would unlock the encryption key stored on the Hushmail server and permit the Java program to decrypt the stored e-mail and display it in clear text. It would be trivial to write the code to include a ‘switch’ on an account that would send a copy of the passphrase to Hushmail when the user keyed it in. Now the Hushmail servers hold both the encrypted secret key and the passphrase to decrypt it. Using this key, they can decrypt all your e-mail, which is stored on the servers, and do with it as required.
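To make the ‘switch’ concrete, here is an added model in Python. It is not Hushmail’s code and is not from the original post. The cipher is a toy built from SHA-256 so that the example runs with the standard library only, message encryption is modelled with a single symmetric key rather than a public-key pair, and the PBKDF2 parameters are assumed; none of this is the real Hushmail design. What it shows is the trust boundary: the server holds only the wrapped key and the ciphertexts and cannot read them, until the client it hands out is the version that copies the passphrase back.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed; the real service's parameters are not on the page


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks.
    Illustration only, so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap_private_key(passphrase: str, private_key: bytes) -> bytes:
    """Passphrase -> key-encryption key via PBKDF2; output is salt || tag || body."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    body = _stream_xor(kek, b"wrap", private_key)
    tag = hmac.new(kek, body, "sha256").digest()
    return salt + tag + body


def unwrap_private_key(passphrase: str, blob: bytes) -> bytes:
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()):
        raise ValueError("wrong passphrase")
    return _stream_xor(kek, b"wrap", body)


def encrypt_message(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _stream_xor(key, nonce, plaintext)


def decrypt_message(key: bytes, blob: bytes) -> bytes:
    return _stream_xor(key, blob[:16], blob[16:])


class MailServer:
    """Holds wrapped keys and ciphertexts. By itself it can read nothing."""

    def __init__(self):
        self.wrapped_keys, self.mailboxes = {}, {}
        self.captured_passphrases = {}
        self.intercept = set()  # the per-account 'switch' from the post

    def enroll(self, user: str, passphrase: str) -> bytes:
        private_key = os.urandom(32)  # modelled as a symmetric key (assumption)
        self.wrapped_keys[user] = wrap_private_key(passphrase, private_key)
        self.mailboxes[user] = []
        return private_key

    def deliver(self, user: str, plaintext: bytes, key: bytes) -> None:
        self.mailboxes[user].append(encrypt_message(key, plaintext))

    def serve_client(self, user: str) -> "Applet":
        # The server decides which client code the user runs.
        return Applet(self, user, leak=user in self.intercept)

    def read_without_user(self, user: str):
        """Succeeds only once a passphrase has been captured for the account."""
        passphrase = self.captured_passphrases.get(user)
        if passphrase is None:
            return None
        key = unwrap_private_key(passphrase, self.wrapped_keys[user])
        return [decrypt_message(key, c) for c in self.mailboxes[user]]


class Applet:
    """The server-delivered client: it is whatever code the server hands out."""

    def __init__(self, server: MailServer, user: str, leak: bool):
        self.server, self.user, self.leak = server, user, leak

    def read_mail(self, passphrase: str):
        if self.leak:  # the switch: copy the passphrase back to the server
            self.server.captured_passphrases[self.user] = passphrase
        key = unwrap_private_key(passphrase, self.server.wrapped_keys[self.user])
        return [decrypt_message(key, c) for c in self.server.mailboxes[self.user]]


def demo():
    server = MailServer()
    key = server.enroll("alice", "correct horse battery staple")
    server.deliver("alice", b"meet at noon", key)
    before = server.read_without_user("alice")  # None: nothing to decrypt with
    server.intercept.add("alice")  # switch flipped on this account
    seen = server.serve_client("alice").read_mail("correct horse battery staple")
    after = server.read_without_user("alice")  # now readable server-side
    return before, seen, after
```

`demo()` returns `(None, [b"meet at noon"], [b"meet at noon"])`: the user sees nothing different, and from the moment of that one login the server can decrypt everything it has stored for the account, past and future.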

At any point that a company chooses to store its data off site, or to use programs or services from third parties that have control of the source code and/or the associated services, there is a risk of data being lost or ending up in unintended hands. This is a business risk that needs to be evaluated in each case. These types of issues will only increase as more and more services are offered over the Internet.

Digital device search and imaging at the border

I have commented on this before here and here. EFF just posted a blog entry discussing the Statement of Lee Tien. He testified in a Senate hearing outlining the dangers of random searches of travelers’ digital devices. It is worth the read for those interested.

Although this applies to U.S. citizens and the U.S., I suspect that whatever the outcome on the permissibility of random searches of electronic devices, someone like myself entering the U.S. as a visitor would be under different rules. My concern is that they are willing to execute random searches, period, including the copying and imaging of data ‘just because’. And, despite what many claim, it isn’t just the U.S. either. With ACTA, random border searches of electronic devices are coming soon to Canada and other participating countries.

A few years ago, I was involved with a client that had a legal case against a government. My laptop contained data that I was providing analysis on that affected the case. What if the government were to just image my laptop? They would then have information that they should not be privy to. That is bad. It undermines the legal system of all countries involved.

Any sensitive data on my laptop is encrypted, and I consciously make sure that a forensic search won’t reveal the passphrases or anything like that. It annoys me that I have to worry about and deal with this prior to travel. For the last few months, due to ACTA, I now remove any sensitive client data from my laptop until I reach the hotel and then securely download what I need. Some say this is just silly. Most if not all of the data on my laptop I really don’t care if they saw or copied; there is nothing really bad or incriminating about it. It’s the principle, I guess.

I’m thinking about going a step further: take a laptop that has nothing on it, and an O/S that runs from a CD or DVD. Boot off the DVD and download the data you need. Prior to travelling back home, upload the data and forensically wipe the hard drive.

If there is valid suspicion that an individual is doing something which could harm others or is illegal, search away. But random searches just because you can? I’m starting to feel like I’m in some of those old Russian movies I watched as a child, where you had to carry “papers” to show officials on request. Not a free society.

Monitoring E-Mail

Today on CBC Search Engine there was a discussion about companies that read employee e-mail, why companies read e-mail, and the fact that many have a manual process for accomplishing this task. The company interviewed by Search Engine was Proofpoint. They make several automated solutions for monitoring e-mail. One of the comments made was that they can monitor e-mails sent via Hyper Text Transfer Protocol (HTTP), that is, web-based e-mail such as Gmail, Hotmail or other web-based mail services. This is all true and very possible.

What I find amusing is that there are so many simple ways to smuggle information out of a company that monitoring e-mail seems to be a waste of time and money. One could copy the information to a laptop and download it to a computer at home. Copy the information to a USB key, CD or DVD and take it home. One could print the information out on paper (since most companies don’t monitor what is printed). None of these methods require expensive or complicated technology. If I wanted to get information out of the office and I even suspected that e-mail, IM or other transmissions were being monitored, these ways are the simplest and the least likely to arouse suspicion. Unless a company plans to manually search you and your belongings every time you enter or exit the building, including checks of laptops, USB keys and other media, I don’t see the point of investing in technology to monitor e-mail.

Proofpoint stated that its product is often used to watch for employees spending too much time on personal versus work-related issues. I suppose this is a valid use, but personally I don’t manage that way, and I doubt I would ever work for a company that did. If people are getting their work done then I’m not going to worry if they send personal e-mail, surf the web or decide to take an extra 10 minutes at lunch. I believe it is important that you can trust your employees and that they feel a sense of responsibility towards their work. If this is missing then the company has bigger issues that monitoring e-mail or other flows of information will not solve.

The other concern I have with all this “monitoring” going on is that it will increase the adoption rate of encryption and other stealth technologies. Governments, businesses and law enforcement wanting to monitor people’s e-mail, web surfing, and files shared and downloaded will force software vendors and developers to add encryption and other forms of covert data transmission to their software more quickly. Most e-mail servers, for example, have encryption (TLS) support now. As encryption becomes more available in e-mail clients and is set as the default mode of communication, the encryption will be transparent to the user. Encryption is something that law enforcement is running into more and more. It hampers their investigations. This is bad when you are actually trying to catch the bad people distributing drugs or child pornography. I picture an Internet where all communication is encrypted or obfuscated in different ways to avoid “monitoring.” What will we do then? Probably have discussions about key escrow, outlawing encryption, and other silly conversations we have had in the past that never worked.
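As an added example (not from the post, and not Proofpoint’s code) of two points made in this entry, that webmail sent over plain HTTP can be read by a monitoring proxy and that encryption makes that content invisible to it, the Python below runs a small content check over constructed proxy log lines. The log format, the webmail host list and the patterns are assumptions. The SIN pattern is filtered through the Luhn check that Canadian SINs satisfy, which cuts down false positives on arbitrary nine-digit strings. For the HTTPS CONNECT line the proxy has nothing but a host name and a byte count to go on.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not real traffic). Assumed format:
#   timestamp client method url status bytes_out [request-body]
# A content-inspecting proxy can record the body of a plain-HTTP POST; for a
# CONNECT (HTTPS) tunnel it sees only the host and the byte count.
PROXY_LOG = """\
2008-10-21T14:02:11Z 10.1.4.22 POST http://mail.example.net/compose 200 1843 to=friend%40example.org&subject=Q3+numbers&body=CONFIDENTIAL+forecast+attached%2C+SIN+046-454-286
2008-10-21T14:03:40Z 10.1.4.22 GET http://mail.example.net/inbox 200 15
2008-10-21T14:05:02Z 10.1.4.22 CONNECT mail.example.net:443 200 2211
2008-10-21T14:06:55Z 10.1.4.31 POST http://intranet.example.com/timesheet 200 420 week=42&hours=38
"""

WEBMAIL_HOSTS = {"mail.example.net"}  # assumed watch list of webmail providers
KEYWORD_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
SIN_RE = re.compile(r"\b(\d{3})[- ]?(\d{3})[- ]?(\d{3})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which a valid Canadian SIN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_matches(text: str):
    found = [m.group(0) for m in KEYWORD_RE.finditer(text)]
    for m in SIN_RE.finditer(text):
        if luhn_ok("".join(m.groups())):  # drop nine-digit strings that are not SINs
            found.append(m.group(0))
    return found


def parse_proxy_line(line: str) -> dict:
    parts = line.split(" ", 6)
    rec = {"ts": parts[0], "client": parts[1], "method": parts[2], "target": parts[3],
           "status": int(parts[4]), "bytes": int(parts[5]),
           "body": parts[6] if len(parts) > 6 else ""}
    if rec["method"] == "CONNECT":
        rec["host"] = rec["target"].split(":")[0]  # CONNECT carries host:port only
    else:
        rec["host"] = urlsplit(rec["target"]).hostname
    return rec


def analyze(log: str):
    """Return one finding per webmail request the proxy can say something about."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec["host"] not in WEBMAIL_HOSTS:
            continue
        if rec["method"] == "POST" and rec["body"]:
            fields = parse_qs(rec["body"])
            text = " ".join(v for values in fields.values() for v in values)
            matches = sensitive_matches(text)
            if matches:
                findings.append({"client": rec["client"], "host": rec["host"],
                                 "visibility": "content", "matches": matches})
        elif rec["method"] == "CONNECT":
            # Encrypted session: no subject, no recipient, no body, just volume.
            findings.append({"client": rec["client"], "host": rec["host"],
                             "visibility": "metadata-only", "bytes": rec["bytes"]})
    return findings
```

On the sample, the plain-HTTP compose request yields a content finding with both the keyword and the Luhn-valid SIN, while the HTTPS session to the same host yields only a metadata finding. Once the webmail provider forces HTTPS, the first kind of finding disappears unless the company also intercepts TLS on its own clients.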

Identity Theft and your SIN number

In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was about to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that because I was surprised, and for some reason I recall it was required. Of course, that immediately triggered thoughts of why they need to do this now. Tracking? More detailed history of people? These and other conspiracy thoughts went through my mind.

Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government, unable to properly secure sensitive information, allowed his identity to be stolen. In the article it is stated:

“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”

Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.

“How hard can it be?” he said.

Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number. This number will be linked with all medical information on procedures that you have had, doctors you have seen and prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans and stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government and throughout the medical and financial worlds, in both public and private databases and paper file systems. It really is a ‘key’ to finding out everything about you. And that is exactly how it is used.

In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database, both public and private. It would have to be able to change this number on forms and records that have been filled out and are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious after a car accident. From the identification on you, a driver’s license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and the record of a major medical procedure you had a few years ago at a medical facility did not have its SIN number changed. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency. One could argue that they can use name, birth date and other details to find the required information. Although this is somewhat true, it is not as guaranteed as a SIN number. The SIN number is the best assurance of the accuracy of the linking of the information. Is this a bad thing? Maybe, maybe not.

The risk of giving individuals the ability to have their SIN number changed is not worth the overall risk, to government, law enforcement and anyone else looking to obtain details about you, of not being able to gather information or of missing information. That is why the solution is to give you negligible amounts of money and offer you free credit report checking. It is easier and much less risky. Currently the number of people that have their identity stolen, versus those that don’t, is small.

Of course identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. I believe there are procedures to obtain a new SIN number, for the witness protection program and things of that nature, but these are very few scenarios, involve few people, and are manageable.

Today, the problem is expensive to solve, difficult to solve with no guarantee that information won’t be lost, and it affects a small number of people’s lives. The government’s response is unfortunate, but logical. Personally, I don’t agree with it, but until it gets more visibility, either by many more people being affected or a few very public people having their identities stolen, not much will happen beyond the preventative steps you see today.

Authorization on the Internet

I recently read a post here and here by EFF on laws that make it a criminal offense to simply access an e-mail server, or to test whether personal data of yours kept by a third party can be accessed by others. This led me to an article referred to in the first one, with more detail on some of the cases (that article is here).

With respect to the Internet, the courts need to view ‘authorization’ in the same context as the expectation of privacy. When a person is sitting in their home, they have a certain expectation of privacy. They expect that covert cameras are not capturing pictures or movies of them and their family. They expect that their conversations, movements and actions are not being recorded. This expectation changes when a person leaves their home. Security cameras can and do record them walking down the street. An audio conversation between them and a store clerk could be recorded by store equipment (currently not likely, but I suspect it would be considered legal). This type of activity is expected and assumed. You cannot claim that a store you were in, or the city you were in, did not seek your permission to record you prior to being recorded. Privacy is not assumed in public.

In my opinion the same is true for systems on the Internet. If an entity places a mail server on the public Internet, then it is reasonable to expect that it will be connected to, both for the reasons it was intended and for reasons it was not. The expectation that a mail server will only be used by individuals to route e-mail, or to route only e-mail that is ‘authorized’, is not the responsibility of individuals on the Internet. It is the responsibility of the owner of the server to ensure this. I send e-mail all the time, and I have no idea what servers are accepting and routing my e-mail to the appropriate destination (yes, I can figure these things out, but that is not the point). If an individual directly routes e-mail to a server that should not accept or route that e-mail, the company needs to configure its servers not to accept it. The company needs to configure its servers and networks so that they are not open to attack.

Similarly with a web server. Suppose someone is accessing a server that contains their personal medical information and they notice the URL in the browser is https://medicalfiles.medi/userProfile.asp?id=1234. The user then changes the URL to https://medicalfiles.medi/userProfile.asp?id=1235 and suddenly they are viewing someone else’s profile information. That is completely the responsibility of the company that owns the server. The company chose to put the server on the public Internet. The company chose to develop, purchase or otherwise use a particular application to allow private user information to be displayed. The company chose a set of methods to secure this information and ensure that only the authorized individuals could access specific information. With these choices comes a responsibility, and consequences for not living up to that responsibility.
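The URL-editing scenario above is an insecure direct object reference: the application authenticates the session but then trusts the record id supplied by the client. As an added example (not from the post, and not any real site’s code), the Python below models userProfile.asp twice over constructed records: once as described, where the id from the URL is looked up directly, and once with an object-level authorization check that returns the same 404 for ‘not yours’ and ‘does not exist’ and logs the denial, so the id space cannot be mapped quietly. A third handler shows the design that avoids the problem entirely by never taking the id from the client at all. Record contents, user names and the id range are assumptions.

```python
from dataclasses import dataclass
from http import HTTPStatus
from typing import Optional

# Constructed records (not real data); the numeric ids mirror the ?id=1234 URL above.
PROFILES = {
    1234: {"owner": "alice", "name": "Alice Example", "notes": "allergy: penicillin"},
    1235: {"owner": "bob", "name": "Bob Example", "notes": "knee surgery 2006"},
    1236: {"owner": "carol", "name": "Carol Example", "notes": "asthma"},
}

# Denied lookups land here; a burst of them from one session is the id-walking signature.
AUDIT_LOG = []


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_profile(session_user: Optional[str], profile_id: int) -> Response:
    """userProfile.asp?id=N as described: the session is authenticated, but the
    record is fetched by the id from the URL with no ownership check."""
    if session_user is None:
        return Response(HTTPStatus.UNAUTHORIZED)
    rec = PROFILES.get(profile_id)
    if rec is None:
        return Response(HTTPStatus.NOT_FOUND)
    return Response(HTTPStatus.OK, rec)


def hardened_profile(session_user: Optional[str], profile_id: int) -> Response:
    """Same endpoint with object-level authorization: the record must belong to
    the caller. 'Not yours' and 'does not exist' share one 404 so a 403 cannot be
    used to confirm which ids are live, and every denial is recorded."""
    if session_user is None:
        return Response(HTTPStatus.UNAUTHORIZED)
    rec = PROFILES.get(profile_id)
    if rec is None or rec["owner"] != session_user:
        AUDIT_LOG.append({"user": session_user, "id": profile_id, "result": "denied"})
        return Response(HTTPStatus.NOT_FOUND)
    return Response(HTTPStatus.OK, rec)


def own_profile(session_user: Optional[str]) -> Response:
    """Alternative design: derive the record from the session, never from the client."""
    if session_user is None:
        return Response(HTTPStatus.UNAUTHORIZED)
    for rec in PROFILES.values():
        if rec["owner"] == session_user:
            return Response(HTTPStatus.OK, rec)
    return Response(HTTPStatus.NOT_FOUND)


def walk_ids(handler, session_user: str, id_range) -> list:
    """What the curious user in the post did, automated: which neighbouring ids
    return data to this session?"""
    return [i for i in id_range if handler(session_user, i).status == HTTPStatus.OK]
```

Walking ids 1230 to 1239 as `alice` returns all three records from the vulnerable handler and only her own from the hardened one, and leaves a trail of denied lookups in `AUDIT_LOG` that an operator can alert on.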

Just as there is no expectation of privacy in public, there should be no expectation of proper or improper authorization for a server on the Internet. It is the owner’s responsibility to configure their servers and network devices correctly to enforce the authorization they desire, and failure to do so is their own fault and responsibility, period.

Framing someone by planting evidence

I hope there is more evidence than what is in this story, and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news, and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip off’ the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up to date and can be found active on the Internet today. The malware is very easy to use, much easier than it was even two years ago. In some cases the malware uses standard libraries designed for writing malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that never writes to storage but stays resident in memory. Even if there is evidence left on the suspect’s system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to do a detailed investigation of every system. Let’s also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives: the embarrassment of being suspected of a criminal act; the record of the arrest, which can make it difficult to travel in the future even if there is no conviction; and the looks and suspicions of others, always wondering “Was he really innocent, or did he just get lucky and is really guilty?”

Presentation on anonymous surfing and anonymous emailing

I recently did a presentation on anonymous surfing and anonymous e-mailing for the High Technology Crime Investigation Association. HTCIA is a community whose goals are to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government and the private sector from different countries, including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A compressed PPT slideshow of the presentation is here. There is also a PDF that can be found here. I’d recommend the PPT slideshow over the PDF: animation doesn’t show well in the PDF, and as a result some of the slides are covered over with different layers of the animation.
