TAG | russia
On September 24, the Russian Duma passed a bill moving the date on which all Internet services must host local data locally from Sept 1, 2016 to Jan 1, 2015. That is an effectively impossible timeline for international Internet companies, which is probably the whole point.
While the bill has not been finally passed, the remaining steps are mostly formality.
Russia is suggesting that foreign firms could rent infrastructure if they do not have time to build their own, which would give Russia even stronger leverage.
The Russian Ministry of Internal Affairs recently announced a contest to create a method to identify Tor users, with a prize of about $114,000.
Clearly the government is worried about the ability of Tor to allow people to bypass the increasingly draconian Internet laws that have been put in place. This puts a big target on Tor, but people have been working on breaking Tor for years. This year a talk at Black Hat on cracking Tor anonymity was pulled without explanation after it was announced and scheduled.
Being free and well established, Tor has the largest user base of any privacy service, so it is the obvious first target. Its distributed design also introduces paths for attack not available in other designs like Anonymizer Universal.
It will be interesting to see if this move drives Tor users to other services, and whether that in turn leads to expanded efforts to crack those tools.
Continuing the pattern of Internet restrictions I talked about before, Russia has passed a new law requiring Internet companies to keep the personal data of Russians in data centers within the country. The ostensible reason for this is to protect Russians against US Government snooping (in the wake of the Snowden leaks), and against other outside threats.
The law requires that companies doing business in Russia must open data centers within the borders by 2016 or be blocked.
There are many ways for people motivated to bypass these restrictions to access whatever they want, but most people will just use what is available, giving the Russian government more ability to monitor the activities of its citizens itself.
- The need to target your privacy efforts
- Why your secrets may not be safe with secrecy apps
- The possibility of more light shining on National Security Letters
- Conflicted feelings about censorship in the Russian government
- Google and the right to be forgotten
- What you need to do to deal with all these password breaches
- A demonstration of a stealthy camera snooping app for Android
- and a quick announcement about Anonymizer
Russia seems to have a conflicted relationship with Twitter and Internet censorship in general.
While trying to portray themselves as open and democratic, they clearly have a real problem with the radical openness of social media like Twitter.
Maxim Ksenzov, deputy head of Roskomnadzor (Russia’s censorship agency), said Twitter is a “global instrument for promoting political information” and that they could block Twitter or Facebook in minutes.
Prime Minister Dmitry Medvedev responded on his Facebook account, saying that state officials “sometimes need to turn on their brains” rather than “announcing in interviews the shutdown of social networks.” Which is not quite the same as saying that they would not do so.
The primary desire in Russia is for Twitter and all other social networks to open offices in Russia. That would smooth communications, but also provide leverage to push for censorship or access to data as needed.
UPDATE: According to Errata Security, the NBC story about the hacking in Sochi was total BS. Evidently they were in Moscow, not Sochi; the hack came from sites they visited, not from their location; and they intentionally downloaded malware to their Android phone. So, as a traveler you are still at risk, and my advice still stands, but evidently the environment is not nearly as hostile as reported.
According to an NBC report, the hacking environment at Sochi is really fierce. After firing up a couple of computers at a cafe, they were both attacked within a minute, and within a day, both had been thoroughly compromised.
While you are vulnerable anywhere you use the Internet, it appears that attackers are out in force looking for unwary tourists enjoying the Olympics.
Make sure you take precautions when you travel, especially to major events like the Sochi Olympics.
- Enable whole disk encryption on your laptop (FileVault for Mac and TrueCrypt for Windows), and always power off your computer when you are done, rather than just putting it to sleep.
- Turn off all running applications before you connect to any network, particularly email. That will minimize the number of connections your computer tries to make as soon as it gets connectivity.
- Enable a VPN like Anonymizer Universal the moment you have Internet connectivity, and use it 100% of the time.
- If you can, use a clean computer with a freshly installed operating system.
- Set up a new email account which you will only use during the trip. Do not access your real email accounts.
- Any technology you can leave behind should be left back at home.
In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 Winter Olympics in Sochi, Russia.
As I blogged before, this is expected to be one of the most aggressively surveilled events ever.
The advice for cyber protection in the advisory is interesting:
Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.
Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.
The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
- A major security breach at Adobe
- How airplane mode can make your iPhone vulnerable to theft
- Russian plans to spy on visitors and athletes at the Winter Olympics
- Whether you should move your cloud storage to the EU to avoid surveillance
- Identity thieves buying your personal information from information brokers and credit bureaus
- How to stop Google using your picture in its ads
- Why carelessness led to the capture of the operator of the Silk Road
- And how browser fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.