Do sanctions prevent dissidents from accessing secure communications tools?

in ,

Stomp by boot US Tech Sanctions In Sudan Are Empowering The Regime, Tamping Down Opposition | Techdirt

This article makes an interesting argument that sanctions against repressive regimes, particularly sanctions that block providing communications and security technologies to end users, harm dissidents more than they do the repressive regimes they are designed to target.

In particular, companies are unable to provide cryptography and anonymity tools to the people who really need them.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

A novel use for Anonymizer Universal

in

AU screenshot INFO: Maintaining a connection on the Verizon Novatel MIFI 4510L | Kurt Shintaku's Blog

The linked blog is from last year, but just came to my attention. It discusses a use for Anonymizer Universal that I had not thought about before.

The author’s problem was that his MiFi mobile hotspot kept dropping the connection any time it was idle for more than a short time.

His solution was to enable the Anonymizer Universal VPN, which then generates frequent “keep alive” traffic to maintain the VPN connection, and at the same time keeps the MiFi awake.

Very cool.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Turkey passes new laws to enable rapid Internet censorship.

in , , ,

Turkey Rubber StampTurkey passed legislation to allow the government to censor access to websites within four hours of receiving an allegation of privacy violations. WSJ Article behind paywall.  CNET Article The law also requires web hosts to store all traffic information for two years. While the putative purpose of the legislation is privacy protection, it is widely assumed that this is an attempt to grab more control of the Internet, which has been repeatedly blasted by the Turkish government reporting on government corruption and graft.

As usual with these attempts at censorship, interested citizens can generally get around them. VPNs like Anonymizer Universal allow anyone to punch a hole through the national censorship firewalls to access any content.

I would be very interested to hear about efforts to block tools like Anonymizer in countries enforcing Internet censorship, like Turkey and the UK. Blocking of circumvention tools is already well documented in both China and Iran, and has been seen sporadically in many other countries.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Security advice for travelers to Sochi Olympic hacking hotzone

in , ,

Sochi passport stampsSochi visitors entering hacking 'minefield' by firing up electronics | Security & Privacy - CNET News UPDATE: According to Errata security the NBC story about the hacking in Sochi total BS. Evidently: They were in Moscow, not Sochi. The hack was from sites they visited, not based on their location. They intentionally downloaded malware to their Android phone. So, as a traveler you are still at risk, and my advice still stands, but evidently the environment is not nearly as hostile as reported.

According to an NBC report, the hacking environment at Sochi is really fierce. After firing up a couple of computers at a cafe, they were both attacked within a minute, and within a day, both had been thoroughly compromised.

While you are vulnerable anywhere you use the Internet, it appears that attackers are out in force looking for unwary tourists enjoying the olympics.

Make sure you take precautions when you travel, especially to major events like the Sochi Olympics.

  • Enable whole disk encryption on your laptop (FileVault for Mac and TrueCrypt for Windows), and always power off your computer when you are done, rather than just putting it to sleep.
  • Turn off all running applications before you connect to any network, particularly email. That will minimize the number of connections your computer tries to make as soon as it gets connectivity.
  • Enable a VPN like Anonymizer Universal the moment you have Internet connectivity, and use it 100% of the time.
  • If you can, use a clean computer with a freshly installed operating system.
  • Set up a new Email account which you will only use during the trip. Do not access your real email accounts.
  • Any technology you can leave behind should be left back at home.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 16: Leaking mobile apps, surveillance, TorMail, UK censorship, and SHA-1

in , , ,

PrivacyPodcastGraphicIn episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:Biological Advanced Persistent Threats The Apps on your mobile devices that may be enabling surveillance Why you may soon know more about how much information your service providers are revealing to the government The total compromise of the TorMail anonymous email service How the British government is using pornography as a trojan horse for Internet Censorship. And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web

Turkey is preparing to implement massive new Interenet censorship and surveillance scheme.

in ,

Turkey map flagTurkey Debates New Law to Control Web Users - Emerging Europe Real Time - WSJ Turkey already requests more takedowns from Google than any other country in the world, almost 1700 in the first half of 2013. They have a history of blocking popular websites like Youtube, and Vimeo, and Prime Minister Erdogan lashes out against Twitter at every opportunity.

Now the government is about to enact sweeping new powers to force providers to keep complete records of all user activity for 2 years, and give the government total access to that information.

This appears to be a reaction to citizen use of social media to coordinate protests and spread information about Turkish government corruption.

Unless they implement a ban on privacy technologies, VPN services like Anonymizer Universal will provide a way of getting around this kind of logging. I would strongly suggest that people in Turkey make a habit of always using VPNs, and moving to search engines, email, and social media platforms located outside of the country.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Facial recognition apps: I both desire and fear them.

in

B W Mask ImageFacial recognition app matches strangers to online profiles | Crave - CNET Google has adopted a privacy protecting policy of banning facial recognition apps from the Google Glass app store. I appreciate the effort to protect my privacy but facial recognition is probably the ONLY reason I would wear Google Glass.

I am hopeless at parties or networking events. I have no ability at all to remember names, and I know I am far from alone in this. The ability to simply look at someone and be reminded of their name, our past interactions, and any public information about their recent activities, would be absolute gold.

Obviously I am less enthusiastic about having third party ratings of my intelligence, integrity, hotness, or whatever, popping up to the people looking at me. As usual, humans are in favor of privacy for themselves but not for others.

A new app is coming out soon called Nametag, which is planned to do exactly this. On iOS, Android, and jail broken Glass, you will be able to photograph anyone and, using facial recognition, pull up all available social media information about them.

To opt out you will need to set up an account with NameTag, and I presume you will also need to upload some high quality pictures of yourself so they can recognize you to block the information. Hurm…..

Whatever we all think about this, the capability is clearly coming. The cameras are getting too small to easily detect, high quality tagged photos are everywhere, and the computing power is available.

While citizens have some ability to impact government surveillance cameras and facial recognition, it will be much harder to change course on the use of these technologies with private fixed cameras, phones, and smart glasses. Even if we convince device makers to block these applications, the really creepy people will jailbreak them and install them anyway.

For years I have said that the Internet is the least anonymous environment we inhabit. With this kind of technology, it may soon be much easier to hide yourself online than off. Police really don’t like you wearing masks.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Advice from the USG on securing yourself from surveillance

in

Sochi MapRussia's Surveillance State | World Policy Institute In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 winter Olympics in Sochi, Russia.

As I blogged before, this is expected to be one of the most aggressively surveilled events ever.

The advice for cyber protection in the advisory is interesting:

Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.

Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.

The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Can the market drive privacy protections?

in ,

Study: Consumers Will Pay $5 for an App That Respects Their Privacy - Rebecca J. Rosen - The Atlantic

This is refreshing. Some evidence that most people ARE actually willing to pay for privacy. If the market shows that this is a winner, we might start to see more privacy protecting applications and services.

The real question is whether invading your privacy generate more revenue than what we are willing to pay to be protected.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

NSA's TAO -- Leaked catalog of tools and techniques

in , , , ,

NSA's TAO -- Dark Reading

The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.

None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.

We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.

Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.

This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.

For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.

If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Did you give Google permission to track your every movement?

in , ,

Google’s Location History Browser Is A Minute-By-Minute Map Of Your Life | TechCrunch

TechCrunch has a nice article on the location tracking of Android based devices.

It is an “opt in” thing, but I suspect that most people are robo-approving all the questions they are asked when they are trying to get their new phones or tablets set up for the first time.

In this case, you may have given Google permission to track and maintain high resolution location information on you. That information is used to discover where you live and work, to improve weather, travel, and traffic information.

If you follow this link, you can see a track of your activities for up to the last 30 days. Really cool in a very frightening way.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 15: BitCoin theft, Identity theft, anonymous bombers, iSight Cameras and more.

in

This is  episode 15 of the Privacy Blog Podcast for December, 2013 In this episode I talk about:

How people are tracking the biggest ever theft of Bitcoins

A keylogger that has compromised 2 million accounts

Why a majority of Turks may be at risk of identity theft

How an anonymous bomb hoaxer got caught

A demonstration of activating iSight cameras without the indicator light

and finally, some thoughts on staying safe this holiday season.

 

Why TOR failed to hide the bomb hoaxer at Harvard

in

On Monday, Dec 16, during final exams, someone sent an email  to Harvard University administrators saying that there were bombs in two of four named buildings on campus. The threat was a hoax to get out of final exams. The sender used TOR and Guerrilla Mail, a disposable email address service, to hide his identity.

Despite that, police quickly identified Eldo Kim, he confessed, and was arrested. So, why did the privacy tools fail?

According to the FBI affidavit, the lead came from Harvard University, which was able to determine that Mr. Kim had accessed TOR from the university wireless network shortly before and while the emails were being sent.

This is really a case of classic police work. A bomb threat during finals is very likely to be from a student trying to avoid the tests. A student trying to avoid a test is unlikely to have the discipline to find and use a remote network. Therefor, the one or hand full of students using TOR at the time of the email are the most likely suspects…. and it turns out that they are right.

This case provides some important lessons to the rest of use who are trying to protect our identities for less illegal reasons.

First, clearly the Harvard Wireless network is being actively monitored and logged. It is reasonable to assume that your ISP or government might be monitoring your activities. One way to reduce correlations of your activity is to use privacy tools all the time, not just when you need them. This provides plausible deniability.

After all, if you never use such services, except for ten minutes exactly when some message was sent, and you are a likely suspect, then the circumstantial evidence is very strong. If you are using them 24/7, then the overlap says nothing.

Second, if Mr. Kim used anonymous email, how did they know he used TOR to access the email service? Because GuerrillaMail embeds the sending IP address in every outgoing email. The service only hides your email address, not your IP. In this case, they must have embedded the IP address of the exit TOR node. Even if they had not embedded the IP, GuerrillaMail keep logs which would have been available to the FBI with a warrant.

The lesson here is to look closely at your privacy tools, and to understand what they do protect and what they don’t.

The most important takeaway is that there is no privacy tool which will let you turn it on and turn off your brain. You always need to be thinking about what you are hiding, from whom, and how much effort they are likely to expend in finding you.

If you are hiding your IP address to get a better price on airline tickets, the threat is very low across the board. If you make terrorist threats, it is very hard to stay hidden afterwards.

Government to launch 'Netra' for internet surveillance - The Times of India

in

Government to launch 'Netra' for internet surveillance - The Times of India

India is preparing to deploy a comprehensive Internet content monitoring system. They claim that it will be able to trigger on messages containing specific words. There is also mention of capturing “dubious voice traffic” over Skipe and other voice channels.

Use of VPNs like Anonymizer Universal will allow traffic to pass through these systems unanalyzed, but the fact that you are using a VPN will be visible.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Would you sell your privacy for $20 per month?

in ,

AT&T thinks that Austin, TX residents will sell their on-line privacy for less than $20 per month. AT&T is launching a service called U-verse with GigaPower, which will provide 300Mbps of bandwidth to the home initially, increasing to 1Gbps in 2014. The cost of the service is $99 per month, but they have a special offer.

If you sign up for the Premier plan you can get the service for $70 per month. Additionally a bunch of setup and install fees are waived and you get free HBO. If you follow the footnote on the offer, you will see that Premier is only available if you agree to participate in the “AT&T Internet Preferences” program.

This invites AT&T to monitor your Internet usage to better profile you and so more effectively target ads at you.

GIGAOM reports that AT&T says "we will not collect information from secure (https) or otherwise encrypted sites, such as online banking or when a credit card is used to buy something online on a secure site. And we won’t sell your personal information to anyone, for any reason.”

I am pleased that they are not doing active man in the middle attacks on customer encryption, but that is a very very low privacy hurdle.

So, is $20 per month enough for you to allow AT&T to monitor, record, and monetize everything you on the Internet? Let me know if the comments.

Of course, if you use Anonymizer Universal for all of your on-line activity, there is nothing for them to see.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 14: Mobile device privacy and the anti-surveillance tent.

in , , , ,

Standard Profile PictureThis is episode 14 of the Privacy Blog Podcast for November,2013.In this episode I talk about: How your phone might be tracked, even if it is off The hidden second operating system in your phone Advertising privacy settings in Android KitKat How Google is using your profile in caller ID and the lengths to which Obama has to go to avoid surveillance when traveling.

The paradox of irresponsible responsibility

in

This article got me thinking: People's ignorance of online privacy puts employers at risk - Network World

There is an interesting paradox for security folks. On the one hand, almost two thirds of people feel that security is a matter of personal responsibility. On the other hand, few are actually doing very much to protect themselves.

In the workplace we see this manifest in the BYOD (bring your own device) trend. Workers want to use their own phones, tablets, and often laptops. Because it is their personal device, they don’t think the company has any business telling them how to secure it, or what they can or can’t do with it. Yet they want to be able to work with the company’s documents and intellectual property, and access company sensitive networks from that device.

When that trend intersects with the poor real-world security practiced by most people, the security perimeter of businesses just got both larger and weaker.

Realistically, it is too much to expect that users will be able to fully secure their devices, or that security professionals will be able to do it for them. The productivity impact of locking users out of the devices they use (whether BYOD or company provided) is often too high, especially in the case of technical workers. Spear Phishing attacks eventually penetrate a very high fraction of targets, even against very sophisticated users. How then can we expect average, or below average, users to catch them, and catch them all.

Increasing use of sandboxing and virtualization is allowing a change in the security model. Rather than assuming the user will detect attacks, the attack is encapsulated in a very small environment where it can do little or no damage, and from which it is quickly eliminated and prevented from spreading. The trick will be to get people to actually use these tools on their own devices.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The second operating system hiding in every mobile phone

in , ,

OS News has an interesting article: The second operating system hiding in every mobile phone It discusses the security implications of the fact that all cell phones run two operating systems. One is the OS that you see and interact with: Android, iOS, Windows Phone, BlackBerry, etc. The other is the OS running on the baseband processor. It is responsible for everything to do with the radios in the phone, and is designed to handle all the real time processing requirements.

The baseband processor OS is generally proprietary, provided by the maker of the baseband chip, and generally not exposed to any scrutiny or review. It also contains a huge amount of historical cruft. For example, it responds to the old Hays AT command set. That was used with old modems to control dialing, answering the phone, and setting up the speed, and other parameters required to get the devices to handshake.

It turns out that if you can feed these commands to many baseband processors, you can tell them to automatically and silently answer the phone, allowing an attacker to listen in on you.

Unfortunately the security model of these things is ancient and badly broken. Cell towers are assumed to be secure, and any commands from them are trusted and executed. As we saw at Def Con in 2010, it is possible for attackers to spoof those towers.

The baseband processor, and its OS, is generally superior to the visible OS on the phone. That means that the visible OS can’t do much to secure the phone against these vulnerabilities.

There is not much you can do about this as an end user, but I thought you should know. :)

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Tech companies respond to reports of NSA tracking switched-off mobile phones | Privacy International

in ,

Tech companies respond to reports of NSA tracking switched-off mobile phones | Privacy International

Based on a single line in a Washington Post article, Privacy International has been investigating whether it is possible to track cell phones when they have been turned off. Three of the 8 companies they contacted have responded.

In general they said that when the phone is powered down that there is no radio activity, BUT that might not be the case if the phone had been infected with malware.

It is important to remember that the power button is not really a power switch at all. It is a logical button that tells the phone software that you want to turn the phone off. The phone can then clean up a few loose ends and power down… or not. It could also just behave as though it were shutting down.

They don’t cite any examples of this either in the lab or in the wild, but it certainly seems plausible.

If you really need privacy, you have two options (after turning the phone “off”):

1) If you can remove the phone’s battery, then doing so should ensure that the phone is not communicating.

2) If you can’t remove the battery (hello iPhone) then you need to put the phone in a faraday cage. You can use a few tightly wrapped layers of aluminum foil, or buy a pouch like this one.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.