A Bad Week For Govt Snoops

November 13, 2009

* How to Deny Service to a Federal Wiretap

It turns out that the standard sets aside very little bandwidth — 64K bits per second — for keeping track of information about phone calls being made on the tapped line. When a wire tap is on, the switch is supposed to set up a 64Kbps Call Data Channel to send this information between the telco and the law enforcement agency doing the wiretap. Normally this channel has more than enough bandwidth for the whole system to work, but if someone tries to flood it with information by making dozens of SMS messages or VoIP (voice over Internet protocol) phone calls simultaneously, the channel could be overwhelmed and simply drop network traffic.

That means that law enforcement could lose records of who was called and when, and possibly miss entire call recordings as well, Sherr said.

Of course, criminals have plenty of easier ways to dodge police surveillance. They can use cash to buy prepaid mobile phones anonymously, or reach out to their accomplices with encrypted Skype calls, said Robert Graham, CEO with Errata Security. Luckily for the cops, criminals usually don’t take their communications security that seriously. “Most criminals are stupid,” he said. “They just use their same cell phone.”

* Microsoft Police Forensics Tool Leaked

The police-only forensics tool made by Microsoft to capture forensics data from a live system has been leaked online. The tool, Coffee, has been the subject of much speculation by the tech media who now finally has a chance to see it. According to reports, it grabs process information, network data, user passwords, and all sorts of information. Could the methods needed to gather that data be exploited by others? Given Microsoft’s security history the answer is most likely.

Coffee is hosted on Cryptome. User guide here.

Vanishing online posts

July 23, 2009

This Vanish program/service for limiting data persistence on things you post online has some interesting implications:

Computing and communicating through the Web makes it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview; a lost or stolen laptop can expose personal photos or messages; or a legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating or just embarrassing details from the past.

Vanish is a research system designed to give users control over the lifetime of personal data stored on the web or in the cloud. Specifically, all copies of Vanish encrypted data — even archived or cached copies — will become permanently unreadable at a specific time, without any action on the part of the user or any third party or centralized service.

For example, using the Firefox Vanish plugin, a user can create an email, a Google Doc document, a Facebook message, or a blog comment — specifying that the document or message should “vanish” in 8 hours. Before that 8-hour timeout expires, anyone who has access to the data can read it; however after that timer expires, nobody can read that web content — not the user, not Google, not Facebook, not a hacker who breaks into the cloud service, and not even someone who obtains a warrant for that data. That data — regardless of where stored or archived prior to the timeout — simply self-destructs and becomes permanently unreadable.

Though this is a research prototype, it’s available as a downloadable program (with a firefox plugin) or an online service. It will be interesting to see how projects like this develop and what legal ramifications they will have.

[Link]

The Riseup Collective just released a PDF zine on Digital Security for Activists, which is a combination of personal stories and practical advice. Worth checking out.

ssd banner

This is old news, having gone live several months ago, but the EFF’s Surveillance Self-Defense site is an excellent resource on the technologies and legalities of government surveillance and practical measures you can take to defend yourself. Definitely worth checking out if you haven’t seen it yet.

Surveillance Self-Defense.

CryptoFox

May 20, 2009

Now this is cool. Chris Acheson was tired of crypto being too confusing for most people to grasp, so he put together Firefox Portable, GNU Privacy Guard, and FirePG into a simple-to-use package called CryptoFox.

The idea behind this is to lower the barrier to entry for using PGP encryption.  If you want to communicate privately with someone, instead of having to guide them through the install process for 3 different components, you can just have them download CryptoFox and run it.  No installation is required.

CryptoFox can be stored and run from USB drives, making it an excellent portable crypto tool. It’s also free and open source. Share it with your friends. Share it with everybody!

Get CryptoFox.

FBI Spyware **Updated**

April 18, 2009

spywareSome more details have emerged about the spyware that the FBI has used in a number of cases to gather evidence. It’s safe bet to say they use software like this for political surveillance and not just criminal investigations.

What does the software do? According to Wired:

The software’s primary utility appears to be in tracking down suspects that use proxy servers or anonymizing websites to cover their tracks.

Naturally, quite a few radicals use anonymizers specifically to deter government surveillance. Wired also has more details:

it gathers and reports a computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

After sending the information to the FBI, the CIPAV settles into a silent “pen register” mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects.

The documents shed some light on how the FBI sneaks the CIPAV onto a target’s machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link.

The Wired article suggests that the Feds routinely seek out search warrants in order to use this spyware, but given the continued expansion of state surveillance powers and their documented willingness to regularly break their own rules, this shouldn’t be assumed.

One question to wonder is: if details on this spyware were to come to light, would non-US based security software vendors enable their programs to detect it?

UPDATE (4/19): Wired also posted the actual documents, and they note the feds also talk about engaging in wireless hacking.

Image credit: Sophos

So I recently stumbled across an interesting program called Computrace — a sort of “laptop lojack” system that theoretically can be used to locate a stolen laptop. This article describes how an LA school district used it to find stolen laptops.

The interesting thing about the Computrace software is that it apparently comes pre-loaded in the BIOS of millions of laptops. That’s right, there’s a good chance that your laptop has this software built-in, without you knowing about it. (You can check to see if your computer model carries it here). There’s a term for programs like this: “spyware.”

According to Absolute, the software manufacturer, Computrace software is automatically shipped as disabled in your BIOS (full FAQ here). It is not enabled until you pay and sign up for the Computrace services and install another piece of software. Of course, we can only take Absolute’s word for this. And the manufacturer’s. There’s no easy way to tell if the software has been activated on your computer, of course, and there’s no easy way to disable it (otherwise laptop thieves could easily remove it). We must simply trust the authorities.

Let me repeat. There’s no easy way to detect or remove this program, and it is built into your machine’s BIOS. It is designed for reporting your location and activity. Who knows what other functionality it may have. There’s a term for programs like this: rootkit.

Some of the capabilities noted in Journal article:

The agent contacts the Absolute data center to say it’s activated, and it creates a small application on the machine’s hard drive, explained Hawks. From that point forward, every 24.5 hours, the application sends a small update to the data center, to maintain a current profile of hardware, software, and licensing for the computer, including the IP address that’s being used to send the update from. When a theft of a particular computer is reported, he said, a flag goes up in the system that the computer has been stolen. The next time contact is made with the data center through the Internet, the computer is told, “instead of every 24.5 hours, we want you to report back every 15 minutes.”

The data center uses a set of forensic tools to begin recording historical data, including IP address information and keystroke logging. Unless the user is sophisticated enough to use an IP address anonymizer, that IP address can be used to track the computer to a specific Internet service provider. Absolute’s recovery services team, made up of retired and former police officers, works with local law enforcement agents to accumulate the facts necessary to obtain a subpoena. That, in turn, can be used to find out from an ISP what customer is using a particular IP address and where that Internet access is originating from.

[...]

The same agent can be used not only for theft recovery, but also for asset tracking and remote deletion. Absolute’s Hawks said that some districts have misplaced computers and used the technology to track them down. If a computer can’t be recovered quickly, the remote deletion function allows for all selected data on the machine to be deleted the next time contact is made with the data center. IT administrators can access those profiles from a browser to view assets and generate reports.

So we must trust a privately held corporation, Absolute, that they do not have some secret and remote method of enabling this software. A privately held corporation with government contracts and ex-military types on their board of directors. And we must trust that the government would not see the value of taking advantage of such a program and exploit it to the fullest.

Yeah, right.

Some theoretical ideas for finding/disabling Computrace can be found here. Anyone have more information?

Follow

Get every new post delivered to your Inbox.