Saturday, February 1, 2014

Privacy World - The WORLD'S SHREWDEST PRIVACY NEWSLETTER

> Privacy World - The WORLD'S SHREWDEST PRIVACY NEWSLETTER
> 
> Petraeus Affair: 7 Privacy Techniques To Avoid Trouble
> 
> One of the many perplexing questions in this story remains technological:
> Couldn't the director of the CIA think of a better way to coordinate his
> liaisons than using a free webmail service? From a bigger-picture
> standpoint, meanwhile, the scandal raises this security question: Can two
> people communicate securely online, without a third party being able to
> intercept their communications, or even see that they're communicating?
> 
> Here are seven related facts:
> 
> 1. Techniques For Swapping Secret Messages Abound.
> The techniques for sending secret communications, or indicating a desire
> to communicate, are endless. There's magic ink. Creating rudimentary codes
> to transmit communications via seemingly innocuous messages, such as making
> only the first letter of a sentence "count." Taping an "X" to your window.
> Using a "dead drop" to leave a message in a predefined physical location.
> Leaving coded messages on Craigslist.
> 
> 2. Burner Phones Make Traceability, Attribution Difficult.
> When there's the threat of having your communications traced, every fan of
> The Wire or Breaking Bad knows about burner cell phones. Buy cell phones
> using cash, use them to communicate -- by voice or text message -- for a
> finite period of time, and then replace them with different phones. Anyone
> trying to follow your trail will have difficulty reconstructing the entire
> pattern of communication.
> 
> 3. Numerous Technologies Offer Secure Communications.
> Many technologies promise to encrypt digital communications so they can't
> be intercepted. Use Zip files, encrypted with a passphrase that's been
> agreed in advance, and swap them via email. Similarly, technologies such
> as PGP, or the open-source GPG alternative, enable emails to be encrypted,
> as do a number of other webmail services. Meanwhile, Wickr provides for
> self-destructing messages, while for secure voice communications, look to
> Silent Circle from PGP creator Phil Zimmermann for Android and iOS, or
> Whisper Systems for Android.
> 
> Although these services might hide the message, they won't disguise that
> the sender and receiver have been communicating. For that, the Tor
> Project's anonymizing networks offer the opportunity to mask the fact that
> communications are occurring at all.
> 
> 4. Hide Data In Pictures, Videos.
> Another widely used technique for hiding communications involves the
> practice of steganography. In the digital realm, it means hiding
> information inside files -- for example, in digital pictures or Sudoku
> images.
> Based on a 2006 Department of Justice criminal complaint filed against
> eight people who were allegedly working as agents for Russia's foreign
> intelligence service, known as SVR or "Moscow Center," the practice of
> steganography might be in widespread use by intelligence agencies. "Moscow
> Center uses steganographic software that is not commercially available.
> The software package permits the SVR clandestinely to insert encrypted
> data in images that are located on publicly-available websites without the
> data being visible," according to the complaint. "The encrypted data can
> be removed from the image, and then decrypted, using SVR-provided
> software."
> 
> 5. Beware VPNs.
> When it comes to hiding the fact that two parties are in communication,
> beware VPNs. Many Anonymous and LulzSec suspects learned the hard way
> after using VPN services such as HideMyAss.com that VPN providers keep
> access records, and tend to comply with court orders requiring them to
> share those records. In other words, VPNs will secure your communications,
> but don't count on them to cover your tracks.
> 
> 6. Avoid Free Webmail Services.
> It's a bad idea, as Broadwell and Petraeus discovered, to rely on free
> webmail services to provide secure communications or cover your tracks.
> "Webmail providers like Google, Yahoo and Microsoft retain login records
> (typically for more than a year) that reveal the particular IP addresses a
> consumer has logged in from," said Christopher Soghoian, principal
> technologist and senior policy analyst for the ACLU Speech, Privacy and
> Technology Project, in a blog post.
> Those records helped the FBI trace the anonymous emails sent from
> Broadwell to Kelley back to the sender. "Although Ms. Broadwell took steps
> to disassociate herself from at least one particular email account, by
> logging into other email accounts from the same computer (and IP address),
> she created a data trail that agents were able to use to link the
> accounts," he said.
> 
> 7. With Eavesdropping, All Bets Are Off.
> There's a big caveat with the use of any digital security tool or
> technique, whether it's PGP, GPG, Tor, or steganography. Namely, if a
> third party -- your government, a foreign intelligence service,
> unscrupulous competitors -- sneaks a keylogger or Trojan application onto
> your PC, they can see every message or voice communication you initiate or
> receive, full stop.
> 
> That was the beauty of the Flame malware, which was allegedly built by the
> U.S. government for spying purposes, and which wasn't detectable by
> antivirus software for a significant length of time after it was first
> deployed. Using world-class crypto, Flame's creators were able to spoof
> Microsoft Update and automatically install their software on targeted PCs.
> For a target that's connected to the Internet, is there any way to
> reliably defend against that?
> 
> Likewise, last year's compromise of digital certificate registrar
> DigiNotar would have allowed attackers to generate fraudulent digital
> certificates for Facebook, Google, Microsoft, Skype, Twitter, and
> WordPress, as well as the CIA, MI6, and Mossad intelligence services, and
> the Tor Project. As a result, the attackers -- who were likely allied with
> the Iranian government -- could have launched man-in-the-middle attacks
> that allowed them to eavesdrop on all communications made through those
> websites or services, for any country-wide network they controlled.
> 
> Curious Choices For Spy Chief
> With so much secure communications technology on offer, why did Petraeus
> choose a hidden Gmail account for coordinating his affair? The likely
> answer is that because Petraeus' extracurricular activities related solely
> to the marital, not espionage, realm, he thought simple track covering
> would suffice. Then again, security also involves a tradeoff between
> protection and usability -- easier to use typically means less secure, and
> harder to use means more secure -- and Petraeus and Broadwell might have
> simply opted for a simple communications technique. "It strikes me that
> the recent downfall of the CIA director speaks less to his tradecraft than
> the usability of encryption/anonymity tools," said Canadian privacy
> researcher Christopher Parsons via Twitter.
> 
> Beyond the scarcity of reliable communications techniques that are both
> secure and invisible, what the Petraeus scandal has also highlighted is
> that when authorities begin investigating your electronic communications,
> the game can quickly be over, sometimes with nary a warrant or subpoena
> being required.
> 
> Regardless, with the array of techniques available for clandestine
> communications, one of the strangest aspects to the scandal -- for many --
> remains a spy chief's apparent lack of security finesse when it came to
> cloaking his own identity.
> 
> Recent breaches have tarnished digital certificates, the Web security
> technology. The new, all-digital Digital Certificates issue of Dark
> Reading gives five reasons to keep it going.
> 
> The above article first appeared at informationweek.com
> 
> Until our next issue stay cool and remain low profile!
> 
> Privacy World
> 
> PS - Need an inexpensive (US$135 plus shipping) NO id ATM card that
> allows you to withdraw cash from PayPal and BitCoin? No problem,
> just send us an email with "$135 ATM" in your subject heading.
> 
> Privacy World, 502 Hotta-kata, 3-6-10 Hirusaido, Kagurazaka, Shinjyuku-ku,
> Tokyo Japan

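Point 6 of the quoted article describes how login records from a webmail provider linked an "anonymous" account to its owner: both accounts were used from the same computer and IP address. The following Python is an added illustration, not part of the newsletter or the InformationWeek article, of that correlation run over constructed provider-side login records (the account names, IPs and timestamps are made up). It shows why separating identities only at the account level, but not at the network level, leaves a data trail: two accounts that repeatedly appear on the same source IP within a short window are linked.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample of provider-side login records (not real data):
# "timestamp account source_ip", one login per line.
LOGIN_LOG = """\
2012-05-01T08:02:11 primary@example.com 203.0.113.10
2012-05-01T08:05:40 anon7@example.com 203.0.113.10
2012-05-03T19:15:02 primary@example.com 198.51.100.7
2012-05-03T19:16:55 anon7@example.com 198.51.100.7
2012-05-04T12:00:00 bystander@example.com 192.0.2.44
2012-05-04T12:30:00 primary@example.com 192.0.2.44
2012-05-06T07:45:19 other.user@example.com 203.0.113.10
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, account, ip) tuples."""
    records = []
    for line in text.splitlines():
        ts, account, ip = line.split()
        records.append((datetime.fromisoformat(ts), account, ip))
    return records


def link_accounts(records, window=timedelta(hours=24)):
    """Return {(account_a, account_b): set_of_shared_ips}.

    Two accounts are candidates for linkage when they log in from the same
    source IP within `window` of each other. A single shared IP (a hotel or
    office NAT) is weak evidence, so every shared IP is collected and the
    caller decides the threshold.
    """
    by_ip = defaultdict(list)
    for ts, account, ip in records:
        by_ip[ip].append((ts, account))
    links = defaultdict(set)
    for ip, logins in by_ip.items():
        for (t1, a1), (t2, a2) in combinations(logins, 2):
            if a1 == a2 or abs(t1 - t2) > window:
                continue  # same account, or too far apart in time
            links[tuple(sorted((a1, a2)))].add(ip)
    return dict(links)


def strong_links(links, min_ips=2):
    """Keep only pairs seen together from at least `min_ips` distinct IPs."""
    return {pair: ips for pair, ips in links.items() if len(ips) >= min_ips}
```

With the sample above, `primary` and `anon7` share two distinct IPs on two different days and survive the threshold, while the one-off overlap with `bystander` on a single IP does not.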