A year in digital insecurity – nothing, and no one, is safe

I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that “nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest being Anthem, which did not encrypt Social Security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware – which holds data hostage – is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself a trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

Bitcoin: More about philosophy than finance

Alan Feuer got it right in today’s NYTimes. The virtual digital currency Bitcoin was not chiefly created as a money-making venture.

“To its creators and numerous disciples, bitcoin is — and always has been — a mostly ideological undertaking, more philosophy than finance,” he writes.

All that we’re reading about Bitcoins getting stolen from digital wallets is not anywhere near as interesting as who is recognizing them as currency.

Bitcoin is news because it is disruptive. It embodies a throwing down of the gauntlet by a person or persons (Satoshi Nakamoto) fed up with how the global banking system – comprised of “fiat” currencies created by nation-states – had fallen prey in 2008 to the machinations of greedy bankers and spineless politicians.

Satoshi was simply fed up with the banks deemed “too big to fail” that failed us all and whose bailout we bankrolled. Stateless digital currencies – electronic cash as David Chaum envisioned it when he patented the idea in 1982 – will allow us to develop new models for making payments that cut out the usurious middleman and democratize the economy.

And the key, of course, is public-key cryptography. Want to geek out on how a Bitcoin transaction works? Try this illustration from IEEE Spectrum: “The CryptoAnarchists’ Answer to Cash.”

 

Brazil Looks to Break from U.S.-Centric Internet

RIO DE JANEIRO (AP) — Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments.

President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google.

The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

Read full article on AP Big Story

The Most Important Snowden Documents Yet

I have always trusted Bruce Schneier, author of the much-respected 1996 “Applied Cryptography.”

Glenn Greenwald showed Schneier some of the Snowden documents that featured in today’s stories by The Guardian, The New York Times and Propublica. They are the most important, upsetting revelations to date from the Snowden trove. Without doubt.

The NSA, says Schneier, has been breaking most of the encryption on the Net.  He says the U.S. government has betrayed the Internet and we need to take it back.

Schneier summarizes what the NSA has done to make the Internet a more dangerous place and five ways to stay safe online:  Hide in the network. Encrypt your communications. Assume that while your computer can be compromised, it would take work and risk by the NSA – so it probably isn’t.  Be suspicious of commercial encryption software, especially from large vendors. Try to use public-domain encryption.

The NSA was told in the mid-1990s that it could not have the Clipper Chip, the backdoor it wanted into our digital lives. Silicon Valley and Bill Gates objected. By 1996 the Clipper Chip was defunct. So the NSA decided to begin breaking-and-entering on its own. Without our approval.

Greenwald/Snowden gave the public some time to prepare today’s disclosure. First, give it a series of primers on the extent to which the NSA is spying on the American public (not to mention allies). Then unload this zinger.

I want more details. What exactly is compromised? Is everything I do using SSL on my Mozilla Firefox browser compromised?

Boing Boing tweeted KEEP CALM AND USE OPEN SOURCE CRYPTO. Excellent advice. Time to revise my anti-surveillance toolkit.

Two small encrypted email services down. Hire the lawyers.

The Snowden backlash is only just beginning. And so is the resistance. Expect U.S. tech companies that have given the National Security Agency direct access to your data to suffer commercially. How badly, hard to say. Depends on how deep the public outrage. Three of Germany’s biggest Internet services, one of them Deutsche Telekom, announced they’ll encrypt customers’ emails. Unfortunately, their encryption appears to be a bad joke. Here’s the Chaos Computer Club release (German).


The U.S. government forced the hand of a small Texas-based email service. It seems clear that Lavabit’s owner, Ladar Levison, shut down rather than agree to grant the government access to the data of customers. Snowden is reported to have been among his users. Levison has set up a legal defense fund and is accepting contributions. He likely received a National Security Letter, a search warrant or a subpoena with a gag order attached. He can’t say but he says he’s preparing an appeal to the 4th Circuit.

“This experience has taught me one very important lesson: without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” The New York Times quoted Levison as saying.  I can’t find an image of him online.

The other U.S. email service that preemptively shut down belonged to Silent Circle, a company co-founded by Phil Zimmermann, creator of Pretty Good Privacy encrypted email. It says it wiped the discs containing all that email. The encryption keys were on the servers. Not so with the keys that Silent Circle uses for its text-messaging, video and voice comms services. They are end-to-end secure. The encryption keys are erased when the communication ends.

Now, which big U.S. tech companies will join the legal challenge in defense of First and Fourth Amendment rights?

Yahoo is the only one known to have challenged a gag order of the type Levison apparently got.

The Internet Archive’s Brewster Kahle, an Internet giant committed to nothing less than providing “universal access to all knowledge,” successfully fought a gag order and is one of the few people who can openly discuss what it’s like to get a National Security Letter.  Read here the New Yorker’s interview with him about it.
Meanwhile, more and more people are posting PGP public keys to servers.

Anti-Surveillance tools and tips – not just for journalists

(updated Dec. 12, 2016)

Long before Snowden, we who snoop in the public interest knew that if we weren’t being watched we would be eventually. So we took steps to protect ourselves. Digital self-defense is now vital for everyone, not just journalists. Our toolboxes are ongoing projects. This is mine, and I am grateful to the coders who help protect us. Questions/suggestions/criticisms encouraged.

SECURE BROWSING
The point of greatest vulnerability in our interaction with the Internet is the browser. That is why it is a must to use end-to-end encryption via Secure Sockets Layer, or SSL. It is not perfect. In fact we learned in 2013 that it had been compromised by the NSA. Where, we don’t know. But the HTTPS secure communications protocol remains the best available shield for standard browsing. It was designed to protect against such scourges as identity theft. It is especially important on open Wi-Fi networks. I use the browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation. HTTPS does not hide your online activity, the websites you visit, from “sniffers” that monitor traffic. What it does is encrypt your interactions with websites that use HTTPS. If your favorite news website does not offer HTTPS, tell them to get with the program!

ANONYMOUS ON THE INTERNET
If you want to hide your online activity, a good option is Tor, originally short for The Onion Router. Tor is designed to hide your IP address, concealing your location and erasing your online footprints. It is best with a VPN (virtual private network) connection. It is open source, free and supported by a nonprofit. It encrypts users’ online communications – supporting applications including browsing and instant messaging – and bounces them around through a random set of servers called onion routers operated by volunteers. It makes web browsing slow, but much more secure. Do not expect it to be effective, however, against the NSA or other governments equipped with sophisticated global surveillance tools. Download it here and read the directions carefully. How Tor works.

A Tor proxy exists for Android operating systems. It’s called Orbot. On the Mac (as well as for iPads and iPhones) the Onion browser tunnels web traffic through the Tor network. Developer Mike Tigas formerly charged 99 cents. Now it’s free!

Tor is best used with a VPN proxy service. They are popular for circumventing censors. I am not going to tell you which one I use. But it’s smart to use one with exit nodes in multiple countries. Best if some of those countries are not apt to cave to the NSA and its Five Eyes allies and let them spy on your traffic.

ANONYMOUS SEARCH
Duckduckgo.com is the most popular anonymous alternative to Google’s search engine.  Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own web crawler and also uses other sites.  There’s a Duckduckgo Firefox browser extension. Another good option is the Epic privacy browser that’s built on top of Firefox. Google search can be run through a Tor browser for more complete results. Google will demand that you prove you are not a machine. Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google.

EMAIL ENCRYPTION
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates it with digital signatures. Plus it can be used to encrypt disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating. Easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. I formerly used a commercial product from PGP Corp. until it was purchased by Symantec. Now I use gpg4o, an Outlook plug-in. It is not free but works well. Also worth looking at are RiseUp (for the more technically inclined), Peerio (which is quite popular and available for iOS, Android, Mac, Linux and Windows) and Protonmail.com (Swiss-based and browser dependent).

VOICE COMMS/TEXT:
For private smartphone calls, the absolute gold standard is Signal from WhisperSystems. It is free and does instant messaging, too. WhatsApp employs its technology but Signal is more trustworthy because it’s not owned by Facebook, which spies on WhatsApp users and accesses their address books unless specifically told not to. (Good article on Signal by Brian Chen)

INSTANT MESSAGING
For encrypted chat the easiest tool is WhatsApp. Purists opt for instant-messaging with the Off-the-Record Messaging protocol (OTR). It can be installed as a plug-in for Pidgin, an open-source chat program that can talk to all manner of proprietary chat programs including AIM and Yahoo! (Google Talk was discontinued). Get plug-in here. Jabber.org is a free, public instant-messaging system that uses the XMPP communications protocol (originally called Jabber) and supports OTR. You’ll need to choose a server that supports XMPP to host your account. I use the server of the merry pranksters of cyberspace, Germany’s Chaos Computer Club. For Mac OS X there is Adium. It is free and can connect to AIM, Jabber, MSN, Yahoo and more.

AUDIO/VIDEO COMMS and CHAT
Skype, as we know, is insecure. To replace pretty much everything it does there is Jitsi. It supports some of the most popular instant messaging and telephony protocols and works for secure video calls, conferencing, chat. The easiest way to use the technology is to use meet.jit.si. It creates a secure video/audio chatroom to which one can invite multiple parties.

DISC ENCRYPTION
I have used TrueCrypt, freeware that supports Windows, Mac OSX and Linux. But there are questions as to whether it remains secure. There are also sophisticated ways to obtain the encryption keys of a TrueCrypt install on machines on which these products are installed, but not if the computers are shut off and the attacker is doing a cold boot. Some people use Windows’ Bitlocker. I tend to distrust Microsoft. Security expert Bruce Schneier recommends BestCrypt.

SAFE TRAVELS
A strategy is vital for what to do if border guards – or local police, for that matter – demand that you unlock the data on your cellphone or laptop so they can review it. Especially in need of a strategy are people who handle information so sensitive it could get people killed if revealed. Not carrying the information when you travel is one option. Putting it on a cloud-based encrypted backup service like SpiderOak One is another. There are many.

Journalists who travel internationally will benefit from this good guide by the Electronic Frontier Foundation on strategies for taking computers across borders, where airport searches aren’t just possible. They’re happening: EFF’s – Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.

Whatever you do, make sure you LOCK your PHONE with a long password. Mine is nine digits. They might be able to crack it after I’m dead.

FURTHER READING:
(There is a lot out there! Do send me links to guides not listed that should be)
A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/
The Committee to Protect Journalists includes an infosec page in its online Journalists’ Security Guide.
Press Freedom Foundation compendium of online security tools and how they work.
Surveillance Self-Defense from EFF: https://ssd.eff.org/
The Tactical Tech Collective have a very good list of tools and a how-to booklet at SecurityinaBox.org
AP colleague Raphael Satter’s June 14, 2013 piece on keeping your data private from prying eyes.