System7 » privacy

Conducting open source intelligence gathering

Sat, 14 Jan 2012 15:50:43 +0000

There’s an excellent article, The Subtle Art of OSINT, that details gathering intelligence from freely available sources.

Some of the sources discussed include:

Google hacking
Wayback machine
Social media
WHOIS / Robtex
Maltego

A Guide to Defending Privacy at U.S. Border

Thu, 12 Jan 2012 12:52:23 +0000

Take a look at the EFF’s latest article “Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices”

Account Passwords vs. Full Disk Encryption:

This distinction makes a major practical difference. Bypassing an account password is a routine operation that can be done automatically with forensic software that bypasses the operating system and looks directly at the disk, your account password is no obstacle for this forensic software. Fortunately, modern computer systems come with comparatively easy full-disk encryption tools that let you encrypt the contents of your hard drive with a passphrase that will be required when you start your computer. Using these tools is the most fundamental security precaution for computer users who have confidential information on their hard drives and are concerned about losing control over their computers — not just at a border crossing, but at any moment during a trip when a computer could be lost or stolen.

Simply deleting data from your hard drive with your normal OS file deletion features is not secure and the data is still present and recoverable on your hard drive. Just because deleted files are no longer visible in your operating system’s file manager does not mean that a forensic expert can’t undelete them or deduce that they were once present.

If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply. Only a judge can force you to reveal information to the government, and only to the extent that you do not have a valid Fifth Amendment right against self-incrimination.

It’s extremely important that you do not tell a lie to a border agent. If you are absolutely sure that you don’t want to answer a specific question, it’s better to politely decline to answer than to give a false answer.

Be aware that border agents may search your camera, copy its contents, or try to undelete images or videos that you believe you’ve deleted and that are no longer visible from the camera’s user interface.

Uncrackable Passwords

Thu, 05 Jan 2012 15:09:26 +0000

The H has an interesting article on storing passwords to prevent unauthorized access and identity theft. The article discusses the following methods and downfalls associated with each:

Plaintext
Hashing
Hashing with salt
Key stretching
Hashing with multiple rounds
Determining cipher used

Most importantly, don’t reinvent the wheel if you’re building an application requiring authentication. Rely on tested frameworks such as OAuth or PHPass.

Stallman: Still an eccentric?

Tue, 03 Jan 2012 14:34:25 +0000

There’s an interesting article at OSNews about Richard Stallman and his FSF principles. His philosophy rings especially true in these times with the recent passing of the NDAA, SOPA discussions, and the growing threat of increased monitoring and restrictions.

To summarize:

However, as the world changes, the importance of the ability to check what the code in your devices is doing – by someone else in case you lack the skills – becomes increasingly apparent. If we lose the ability to check what our own computers are doing, we’re boned.

The article also links to Cory Doctorow’s 28C3 keynote titled ‘The Coming War on General Purpose Computation‘. (video and transcript available)

Abstract:

The last 20 years of Internet policy have been dominated by the copyright war, but the war turns out only to have been a skirmish. The coming century will be dominated by war against the general purpose computer, and the stakes are the freedom, fortune and privacy of the entire human race.

Future of the Global Positioning System (GPS)

Mon, 19 Dec 2011 18:18:39 +0000

There’s an interesting read from the Congressional Budget Office (USA) on cost estimates for the next generation GPS system. This is particularly of interest now due to reports that Iran may have jammed the captured US drone’s GPS receiver in order to prevent it from returning “home”.

What is GPS?

The GPS uses a constellation of at least 24 satellites, each of which transmits precise data on the time and its location. Receivers—both military and civilian—use the data transmitted by the satellites to calculate their own position; information from a minimum of 4 satellites is required to determine a position accurately in three dimensions.

Solutions for next generation GPS:

As the Department of Defense’s satellites reach the end of their service lives, the department plans to replace them with ones that can counter deliberate interference by generating stronger signals. Analysis —namely, improving military receivers to retain the GPS signal even in the presence of such jamming—would be less expensive than DoD’s plan for upgrading its constellation of GPS satellites. Furthermore, the alternative would yield benefits almost a decade earlier than DoD’s plan. However, the improvements to military receivers could make them larger and heavier (and thereby less useful to personnel operating on foot) until they could incorporate the substantial gains that have been achieved in miniaturization in other applications.

Option 1 would improve current military GPS receivers by fitting them with better antennas and by adding inertial navigation systems.
Option 2 would capitalize on a DoD research and development program by enabling current GPS receivers to integrate information received via the Iridium commercial communications satellite network.
Option 3 would include the improvements of both Option 1 and Option 2.

Read the complete article here.

Dropbox’s new ToS, Privacy Policy and Security Overview

Mon, 04 Jul 2011 21:36:48 +0000

I received an email from Dropbox stating they’ve updated their terms of service and privacy policy. I took a look at the update page and I really like the new layout.

Take a look here and see for yourself. I’d like to see every website adopt a standard format to present their privacy policy to users.

I really like the work is doing at CMU and hopefully it will get mass adoption someday….

Cloud Computing Security Considerations

Thu, 23 Jun 2011 13:20:49 +0000

Cloud computing offers potential benefits including cost savings and improved business outcomes for government and private industry. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed. The Australian Department of Defence has released their initial guidance on cloud computing.

This paper assists agencies to perform a risk assessment to determine the viability of using cloud computing services. This document provides an overview of cloud computing and associated benefits. Most importantly, this document provides a list of thought provoking questions to help agencies understand the risks that need to be considered when using cloud computing.

You can find the document here: Cloud Computing Security Considerations

pandaflux’s list o’ recommended browser plugins

Fri, 17 Jun 2011 00:23:12 +0000

Firefox

googlesharing: encrypts your google traffic and routes it through a proxy where it is combined with many other people.
https-everywhere: Automatically enables a secure connection for websites that supports it.
better privacy: Among other things, Better Privacy will delete “flash cookies” that are difficult to manage otherwise.

Chrome¶

disconnect: Stop third parties and search engines from tracking the webpages you go to and searches you do.
click & clean: Deletes your browsing history, typed URLs, Flash cookies, all traces of your online activity to protect your privacy.
KB SSL Enforcer: Automatic security, browse encrypted.
NOREF: Suppress Referrer (referer) for Hyperlinks

List of 2010 Annual Security Reports

Wed, 02 Feb 2011 18:23:56 +0000

As the 2010 Annual Security reports are released from the various security firms I’ll keep our security report page updated as well as a summary of what everyone is highlighting. So far, the main issue is “borderless security” and the consumeratization of the market which is bringing more and more personal devices into the workplace. Organizations see an increase in the level of risk they face due to the use of social networking, cloud computing and personal mobile devices in the enterprise.

Panda Report http://isc.sans.edu/diary.html?storyid=10240&rss

Ernst & Young’s 2010 Global Information Security Survey

Ernst & Young’s Top privacy Issues for 2010

Limit Your Information Sharing via Credit Lenders

Fri, 21 Jan 2011 13:04:17 +0000

Privacy policies are a pain to read and interpret. However, they’re crucial to understand in order to protect your privacy. Hopefully the work being done at Carnegie Mellon University to create a standard privacy policy template similar to the nutritional label on food will soon become reality.

Until then, study your privacy policies and at a minimum conduct a search for “opt” or “limit”. Here’s a few phone numbers for your reference:

Citi Bank customers can limit exposure via 1877-640-3983
Chase Bank call 1-888-868-8618