> Privacy World - The WORLD'S SHREWDEST PRIVACY
NEWSLETTER
>
> Petraeus Affair: 7 Privacy Techniques To Avoid
Trouble
>
> One of the many perplexing questions in this story
remains technological:
> Couldn't the director of the CIA think of a better
way to coordinate his
> liaisons than using a free webmail service? From a
bigger-picture
> standpoint, meanwhile, the scandal raises this
security question: Can two
> people communicate securely online, without a third
party being able to
> intercept their communications, or even see that
they're communicating?
>
> Here are seven related facts:
>
> 1. Techniques For Swapping Secret Messages Abound.
> The techniques for sending secret communications, or
indicating a desire
> to
> communicate, are endless. There's Magic ink.
Creating rudimentary codes to
> transmit communications via seemingly innocuous
messages, such as making
> only the first letter of a sentence
"count." Taping an "X" to your window.
> Using a "dead drop" to leave a message in
a predefined physical location.
> Leaving coded messages on Craigslist.
>
> 2. Burner Phones Make Traceability, Attribution
Difficult.
> When there's the threat of having your
communications traced, every fan of
> The Wire or Breaking Bad knows about burner cell
phones. Buy cell phones
> using cash, use them to communicate -- by voice or
text message -- for a
> finite period of time, and then replace them with
different phones. Anyone
> trying to follow your trail will have difficulty
reconstructing the entire
> pattern of communication.
>
> 3. Numerous Technologies Offer Secure
Communications.
> Many technologies promise to encrypt digital
communications so they can't
> be intercepted. Use Zip files, encrypted with a
passphrase that's been
> agreed in advance, and swap them via email.
Similarly, technologies such
> as
> PGP, or the open-source GPG alternative, enable
emails to be encrypted, as
> do a number of other webmail services. Meanwhile,
Wickr provides for
> self-destructing messages, while for secure voice
communications, look to
> Silent Circle from PGP creator Phil Zimmermann for
Android and iOS, or
> Whisper Systems for Android.
>
> Although these services might hide the message, they
won't disguise that
> the sender and receiver have been communicating. For
that, the Tor
> Project's anonymizing networks offer the opportunity
to mask the fact that
> communications are occurring at all.
>
> 4. Hide Data In Pictures, Videos.
> Another widely used technique for hiding
communications involves the
> practice of steganography. In the digital realm, it
means hiding
> information inside files -- for example, in digital
pictures or Sodoku
> images.
> Based on a 2006 Department of Justice criminal
complaint filed against
> eight people who were allegedly working as agents
for Russia's foreign
> intelligence service, known as SVR or "Moscow
Center," the practice of
> steganography might be in widespread use by
intelligence agencies. "Moscow
> Center uses steganographic software that is not
commercially available.
> The
> software package permits the SVR clandestinely to
insert encrypted data in
> images that are located on publicly-available
websites without the data
> being visible," according to the complaint.
"The encrypted data can be
> removed from the image, and then decrypted, using
SVR-provided software."
>
> 5. Beware VPNs.
> When it comes to hiding the fact that two parties
are in communication,
> beware VPNs. Many Anonymous and LulzSec suspects
learned the hard way
> after
> using VPN services such as HideMyAss.com that VPN
providers keep access
> records, and tend to comply with court orders
requiring them to share
> those
> records. In other words, VPNs will secure your
communications, but don't
> count on it to cover your tracks.
>
> 6. Avoid Free Webmail Services.
> It's a bad idea, as Broadwell and Petraeus
discovered, to rely on free
> webmail services to provide secure communications or
cover your tracks.
> "Webmail providers like Google, Yahoo and
Microsoft retain login records
> (typically for more than a year) that reveal the
particular IP addresses a
> consumer has logged in from," said Christopher
Soghoian, principal
> technologist and senior policy analyst for the ACLU
Speech, Privacy and
> Technology Project, in a blog post.
> Those records helped the FBI trace the anonymous
emails sent from
> Broadwell
> to Kelley back to the sender. "Although Ms.
Broadwell took steps to
> disassociate herself from at least one particular
email account, by
> logging
> into other email accounts from the same computer
(and IP address), she
> created a data trail that agents were able to use to
link the accounts,"
> he
> said.
>
> 7. With Eavesdropping, All Bets Are Off.
> There's a big caveat with the use of any digital
security tool or
> technique, whether it's PGP, GPG, Tor, or
steganography. Namely, if a
> third
> party -- your government, a foreign intelligence
service, unscrupulous
> competitors -- sneaks a keylogger or Trojan
application onto your PC, they
> can see every message or voice communication you
initiate or receive, full
> stop.
>
> That was the beauty of the Flame malware, which was
allegedly built by the
> U.S. government for spying purposes, and which
wasn't detectable by
> antivirus software for a significant length of time
after it was first
> deployed. Using world-class crypto, Flame's creators
were able to spoof
> Microsoft Update and automatically install their
software on targeted PCs.
> For a target that's connected to the Internet, is
there any way to
> reliably
> defend against that?
>
> Likewise, last year's compromise of digital
certificate registrar
> DigiNotar
> would have allowed attackers to generate fraudulent
digital certificates
> for Facebook, Google, Microsoft, Skype, Twitter, and
WordPress, as well as
> the CIA, MI6, and Mossad intelligence services, and
the Tor Project. As a
> result, the attackers -- who were likely allied with
the Iranian
> government
> -- could have launched man-in-the-middle attacks
that allowed them to
> eavesdrop on all communications made through those
websites or services,
> for any country-wide network they controlled.
>
> Curious Choices For Spy Chief
> With so much secure communications technology on
offer, why did Petraeus
> choose a hidden Gmail account for coordinating his
affair? The likely
> answer is that because Petraeus' extracurricular
activities related solely
> to the marital, not espionage, realm, he thought
simple track covering
> would suffice. Then again, security also involves a
tradeoff between
> protection and usability -- easier to use typically
means less secure, and
> harder to use means more secure -- and Petraeus and
Broadwell might have
> simply opted for a simple communications technique.
"It strikes me that
> the
> recent downfall of the CIA director speaks less to
his tradecraft than the
> usability of encryption/anonymity tools," said
Canadian privacy researcher
> Christopher Parsons via Twitter.
>
> Beyond the scarcity of reliable communications
techniques that are both
> secure and invisible, what the Petraeus scandal has
also highlighted is
> that when authorities begin investigating your
electronic communications,
> the game can quickly be over, sometimes with nary a
warrant or subpoena
> being required.
>
> Regardless, with the array of techniques available
for clandestine
> communications, one of the strangest aspects to the
scandal -- for many --
> remains a spy chief's apparent lack of security
finesse when it came to
> cloaking his own identity.
>
> Recent breaches have tarnished digital certificates,
the Web security
> technology. The new, all-digital Digital
Certificates issue of Dark
> Reading
> gives five reasons to keep it going.
>
> The above article first appeared at
informationweek.com
>
> Until our next issue stay cool and remain low
profile!
>
> Privacy World
>
> PS - Need an inexpensive (US$135 plus shipping) NO
id ATM card that
> allows you to withdraw cash from PayPal and BitCoin?
No problem,
> just send us an email with "$135 ATM" in
your subject heading.
>
> -----------------------------------------------------------------------------
> To subscribe,
send a blank message to PrivacyWorld-on@mail-list.com
> To unsubscribe, send a blank message to PrivacyWorld-off@mail-list.com
> To change your email address, send a message to
> with your
old address in the Subject: line
> To contact the list owner, send your message to
>
> Privacy World, 502 Hotta-kata, 3-6-10 Hirusaido,
Kagurazaka, Shinjyuku-ku,
> Tokyo Japan
>
No comments:
Post a Comment