Email Security - The Petraeus Case

...via Zack Whittaker
There's no such thing as a truly 'anonymous' email account, and no matter how much you try to encrypt the contents of the email you are sending, little fragments of data are attached by email servers and messaging companies. It's how email works and it's entirely unavoidable...which first led the FBI on a path that led up to the very door of Petraeus' office door in Langley, Virginia.

Ultimately, only Google had access to the emails. Because it's a private company, it does not fall under the scope of the Fourth Amendment. If the U.S. government or one of its law enforcement agencies wanted to access the private Petraeus email account, it would have to serve up a warrant.

In this case, however, the Foreign Intelligence Services Act (FISA) would not apply. Even the Patriot Act would not necessarily apply in this case, even though it does allow the FBI and other authorized agencies to search email. However, in this case, above all else, the Stored Communications Act does apply -- part of the Electronic Communications Privacy Act.

The act allows for any electronic data to be read if it has been stored for less than 180 days. In this case, the law was specifically designed -- albeit quite some time before email became a mainstream communications medium -- to allow server- or computer-stored data to be accessed by law enforcement.

However, a court order must be issued after the 180 days, and in this case it was...

Once it knew Ms. Broadwell was the sender of the threatening messages, the FBI got a warrant that gave it covert access to the anonymous email account. And that's how they do it. (more)

Watergate's Next Watergate

A history professor hopes that a federal court's recent order to release long-sealed Watergate documents will shed light on the motivations behind the infamous 1972 scandal and help set an example for how to unseal court records.

Federal District Judge Royce Lamberth in Washington, D.C., on Friday ordered the National Archives and Records Administration to review and release some of the documents within a month. The order came in response to Texas A&M history professor Luke Nichter's 2009 informal request to Lamberth to unseal a trove of documents relating to the 1973 trials of Watergate conspirators G. Gordon Liddy and James McCord.

Nichter's letter said that some of the sealed materials "purportedly will demonstrate that exposing a prostitution ring was the real motivation for the break-in." Liddy had alleged a similar theory in the mid-1990s, although he claimed that motive was unknown to him when he orchestrated the break-in. (more) (previous report)

Get Alerts from your Local Police & 5,000 other Public Safety Agencies

One thing Hurricane Sandy taught us was truth beats rumors. Sign up for the truth... 

"This service, NIXLE, delivers trustworthy and important neighborhood level public safety and community event notifications instantly sent to you by cell phone text message, email and web. There is NO spam or advertising and the service is available at no cost.

Register at www.nixle.com. This service is simple to use, reliable and trusted.

Stay connected to your world, from the public safety alerts that are relevant to you, to the important neighborhood advisories you want to know about and other valuable community information."

More iPhone Security Tips

Important Points
• iPhone / iPad / iPod muggings are common.
• Reduce risk...
-- Minimize usage while in very public places.
-- Use iOS's security features...
---- for tracking a stolen device and remote wiping of data.
---- for preventing thieves from: turning off tracking, accessing data and accounts.
• If theft occurs, go to the police first, not the phone company. 
-- Police will try to track. 
-- Carrier will shut off service.
• Seal the SIM card with serial numbered security tape to detect tampering.

Setting tips via Martin Williams...
1. Select Settings.
2. Click General.
3. Select Restrictions.
4. Set a Restrictions passcode.
5. Click Enable Restrictions.
6. Look for Deleting Apps and toggle the switch from On to Off. This will mean that no one can delete an app such as Find My iPhone without your Restrictions passcode.
7. Scroll down the list of options until you reach the Privacy section, here you’ll find a link to Locations Services, click it.
8. Select Don’t Allow Changes. This will mean it is impossible for a robber to disable the Find My iPhone application from broadcasting your GPS. You will now need manually to approve all new apps to access your location data.
9. Go back to the main Restrictions menu and select Accounts, changing this setting to Don’t Allow Changes. This makes it impossible for a mugger to disconnect your iCloud account that connects to Find My iPhone.
10. If your iPhone is stolen, it is only going to transmit its location for as long as a SIM card is inserted and is active.

Government Strength Mobile Spyware

In the secretive world of surveillance technology, he goes just by his initials: MJM. His mystique is such that other security professionals avoid using wireless Internet near him...

MJM -- Martin J. Muench -- is the developer of Andover, U.K.-based Gamma Group’s FinFisher intrusion software, which he sells to police and spy agencies around the world for monitoring computers and smartphones to intercept Skype calls, peer through Web cameras and record keystrokes...

Of Gamma’s products, FinFisher has become the flashpoint. It represents the leading edge of a largely unregulated trade in cybertools that is transforming surveillance, making it more intrusive as it reaches across borders and spies into peoples’ digital devices, whether in their living rooms or back pockets...

...researchers including Claudio Guarnieri of Boston-based security risk-assessment company Rapid7; Bill Marczak, a computer science doctoral candidate at the University of California Berkeley; and Marquis-Boire, whose day job is working as a security engineer at Google Inc., found computers that appeared to be command servers for FinSpy in at least 15 countries.

They also documented FinSpy’s ability to take over mobile phones -- turning on microphones, tracking locations and monitoring e-mails...


On Oct. 12, U.S. law enforcement officials warned smartphone users to protect themselves against FinFisher, calling it malware, or malicious software.

“FinFisher is a spyware capable of taking over the components of a mobile device,” the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and National White Collar Crime Center, said in a Website alert to the public. “FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.”

FinSpy Mobile can infect almost every kind of device, including Apple Inc.’s iPhones and smartphones running Google’s Android or Microsoft Corp.’s Windows systems, according to a pamphlet Muench provides. (more)

Meet the Superheroes Fighting for Your Right to Mobile Privacy

Five years into the smartphone era, the threats to user privacy have never been higher.  

The complex and mostly unregulated privacy concerns of the mobile ecosystem have driven many users to take their privacy into their own hands, whether that means deleting apps that ask for too much information or turning off location services.

However, the fight over mobile privacy is just really starting to take shape. We wanted to get a beat on where that fight is now, and about what – if truly anything – privacy advocates think will change the future of mobile towards a more user controlled experience... (more)

A Salute to Our Native American Code Talkers

George Smith, one of the Navajo code talkers who helped the U.S. military outfox the Japanese during World War II by sending messages in their obscure language, has died, the president of the Navajo Nation said.

"This news has saddened me," Ben Shelly, the Navajo president, said in a post Wednesday on his Facebook page. "Our Navajo code talkers have been real life heroes to generations of Navajo people."

Smith died Tuesday, Shelly said, and the Navajo Nation's flag is flying at half-staff until Sunday night to commemorate his life.

Several hundred Navajo tribe members served as code talkers for the United States during World War II, using a military communications code based on the Navajo language. They sent messages back and forth from the front lines of fighting, relaying crucial information during pivotal battles like Iwo Jima.

Military authorities chose Navajo as a code language because it was almost impossible for a non-Navajo to learn and had no written form. It was the only code the Japanese never managed to crack.

The Navajo code talkers participated in every assault the U.S. Marines carried out in the Pacific between 1942 and 1945.

The code talkers themselves were forbidden from telling anyone about the code -- not their fellow Marines, not their families -- until it was declassified in 1968.

Now in their 80s and 90s, only a handful of code talkers remain. (more)

Security Quote of the Day

"Protecting classified information depends, today more than ever, on the security awareness of employees. They can literally make or break your security program." NSI, Security NewsWatch

How to Surf the Web in Secret

via Brad Chacos...

They say no one can hear you scream in space, but if you so much as whisper on the Web, you can be tracked by a dozen different organizations and recorded for posterity. 

Simply visiting a website can allow its operators to figure out your general physical location, identify details about your device information, and install advertising cookies that can track your movements around the web. (Don't believe me? Check this out.)

Not everyone likes the idea of having his or her entire digital lives scraped, analyzed and (in countries with restrictive regimes) controlled outright by third parties. 

So please consider the following tools and tips, which will hide your IP address and have you surfing the web in blissful anonymity in no time. (more)

Checklist...
• Use a second web browser.
• Set it to anonymous / private mode.
• Have it wipe all cookies when closed.
• Use a web-based proxy. (Proxify, Anonymouse, Hide My Ass, or one from Proxy.org)
• Better... Use a virtual private network (VPN) like The Onion Router (aka TOR).
• Send your email anonymously via Anonymouse or Hide My Ass.

Seeing Through Shower Curtains and Other Light Scattering Materials

via Gizmodo.com...

Taking a shower while secure in the knowledge that no one can see through the curtains may soon be a thing of the past. Researchers Ori Katz, Eran Small and Yaron Silberberg of the Weizmann Institute of Science, Rehovot, Israel, have developed a method for de-scattering light to form coherent images in real time. 

In other words, they have found a way to look through shower curtains, frosted glass and other image-blurring materials. The technique may one day aid scientists in seeing through living tissue or around corners. (more)

And, I have found their research. ~Kevin

Maltego - For the PI and Security Director of the Future

via techhive.com...
What Maltego does is quickly and succinctly draws on public data sources to put together a graphical digital footprint...

Click to enlarge.

Maltego is highly efficient at quickly assembling digital crumbs and linking those pieces together, which would be tedious work otherwise. 

Roelof Temmingh (co-creator) used Maltego to search Twitter with coordinates for the vicinity of the NSA's parking lot...

Temmingh pulled up a web of scattered tweets in Maltego. He picked out one person...

Then Maltego combed social networking sites, checking sources such as Facebook, MySpace, and LinkedIn. An identical photo linked the person's Facebook and MySpace page. From there, Maltego spotted more information. After a day of searching, Maltego discovered the person's email address, date of birth, travel history, employment, and education history.

"This is about a day's worth of digging around," Temmingh said. "It's not weeks and weeks."

Other interesting information can come from EXIF (exchangeable image file) data, which is information often embedded in a photograph... (more)

An investigative tool, and vulnerability assessment tool. For cutting-edge PIs, a  competitive advantage. For the average security director, a mini FBICIANSA. ~Kevin

FBI Issues Warning Regarding Android Malware

The FBI's Internet Crime Complaint Center has issued a warning alerting users about malware that targets the Android mobile operating system. 

The intelligence note from the IC3 was issued last week, and highlighted on Monday by Apple 2.0. It noted there are various forms of malware out in the wild that attack Android devices.

Two forms of malware cited byt he IC3 are Loozfon, which steals information from users, and FinFisher, which can give nefarious hackers control over a user's device. 

Loozfon can lure in victims by promising users a work-at-home opportunity in exchange for sending out an e-mail. Visiting a link in the e-mail will push Loozfon to the user's device, allowing the malware to steal contact details from the device's address book.

The FinFisher spyware highlighted by the IC3 allows for a mobile device to be remotely controlled and monitored from anywhere. FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update. (more)

New Burglar Alarm... not for you, for the burglar.

Criminals no longer need to stake out a home or a business to monitor the inhabitants' comings and goings. Now they can simply pick up wireless signals broadcast by the building's utility meters.

In the US, analogue meters that measure water, gas and electricity consumption are being replaced by automated meter reading (AMR) technology. Nearly a third of the country's meters - more than 40 million - have already been changed. The new time-saving devices broadcast readings by radio every 30 seconds for utility company employees to read as they walk or drive around with a receiver. But they are not the only ones who can tune in, says Ishtiaq Rouf at the University of South Carolina in Columbia, and his colleagues.

The team picked up transmissions from AMR meters - operated by companies that they did not name in their paper - and reverse-engineered the broadcasts to monitor the readings. To do this they needed about $1000 worth of open-source radio equipment and information available through online tutorials. (more)

Bad guy logic leap: When you are not home, you are not using much electricity.

Bike Race Dopes - Another DIY TSCM Failure

via a Blue Blaze Irregular...
On page 218 of the new book, "The Secret Race: Inside the Hidden World of the Tour de France: Doping, Cover-ups, and Winning at All Costs" by Tyler Hamilton and Daniel Coyle, is a description of the TSCM techniques allegedly used by the U.S. Postal Service cycling team against covert audio and video surveillance:
"According to Landis, Postal performed two transfusions to the entire team during the 2004 Tour de France. The first was after the first rest day in a hotel in Limoges. Riders were taken in small groups to a room and told not to speak. For safety, team staffers were stationed at each end of the hallway. To guard against the possibility of hidden cameras, the air conditioner, light switches, smoke detector, and even the toilet were covered with dark plastic and taped off." 

Fun Facts: 
• Many types of "dark plastic" – garbage bags, for example – do not block near-IR light. 
• Many cameras are sensitive to near-IR light.
• Putting dark plastic over camera hiding spots is no guarantee you blinded the camera.
• (more about seeing through black plastic)
~Kevin 

$89.99 Wi-Fi Bug You Control With Your iPhone... from anywhere!

"WeMo Baby conveniently turns your iPad, iPhone, or iPod touch into a baby monitor so you don't have to carry an extra device to keep in touch with your baby. 

It works with your existing Wi-Fi router to wirelessly stream audio from your baby's room to your mobile device." (more)

Why is this scary?
• It will be repackaged into a covert listening device.
• Unlike previous baby-mon mods, this one is digital.
• Its signal hides among legitimate Wi-Fi signals.
• Listen in from anywhere via the Internet.
• Digitally clear audio.
• Pair with a voice activated recorder for "TiVO" spying.
• It can send text messages when it hears audio.

P.S. Although this product hasn't launched yet, Murray Associates has a detection solution ready. ~Kevin