The Paranoid PC – Part 1a – Risks to Email

Hello again, Patriots.

At the end of our last Paranoid PC article, I gave you some homework.  I asked you to consider three ways that someone could gain access to your email, what the consequences would be, and how you could counter.

The obvious place to look first is your password.  How would an attacker get your password?

  • Guessing (weak password).
  • Reusing the same password in multiple places.
  • Writing your password down.
  • Keystroke logger.

Another way an attacker could access your email is through physical access to your computer.  If your password is saved (either in a browser or mail client), or with the “keep my computer logged in” cookie selected in Gmail, all they need to do is open it up.  Losing physical access to your smartphone, with your email logged in, is a similar risk.

If you access your personal email from work, that’s another potential risk.  Aside from the physical access issue, there’s usually a team of people who can get limitless access to your machine making you vulnerable to keystroke loggers, cookie theft, and man in the middle attacks.

Do you share your password with anyone?  Do you share your account with anyone else (such as family)?  You’ve now multiplied all of those other risks we’ve already discussed by each person who knows your password.

Coercion is another threat, and now we’re getting serious.  However, if someone is shoving splinters under your fingernails to gain access to it, at least you know you’ve been compromised.

Who runs your mail servers?  Do they actually secure it correctly?  Do they comply with law enforcement “requests”, or do they require an actual warrant?

That’s not all of the ways someone could access your email, but it’s the high points.

Now, let’s address the consequences of someone accessing your email without your consent.

  • On its face, your personal correspondence is now open to your attacker.
  • Many of your other accounts (Facebook, banking, etc) are now vulnerable if the attacker uses the “forgot my password” function to send a password reset to your email address.
  • Your attacker can now impersonate you and either discredit you or entrap or endanger your contacts.
  • Speaking of your contacts, your attacker can now start mapping relationships between you and everyone you’ve ever contacted.  Guess who’s next on their list?

So, how do we protect against these attacks?

The weak password is the easiest to deal with.  Don’t use a weak password. One suggestion from this guide is:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

Also, don’t reuse passwords.  I’ll be honest; I reuse mine sometimes too, but only for the most trivial of accounts.  If I need to sign on to some obscure site one time, that doesn’t have any personal info, then I’ll give a common password.  It’s better to use a throwaway email account for those, however.

“But,” I hear you say, “if we have all of these complex passwords, how are we supposed to remember them?”  The answer to that is a password manager such as Password Safe or Keepass.  We’ll discuss that further in a future piece.  Whatever you do, don’t write it down…

Two-factor authentication is incredibly helpful.  Even though we don’t recommend Gmail for serious work, their two-factor authentication system is easy to use.  Once enabled, when you go to log in, Gmail will send you a text message with an authentication code that is also required before you are able to access your email.  This serves two purposes: aside from blocking the attacker, it also notifies you that someone other than you just tried to log in and that your password has been compromised.

When it comes to the risk of losing physical control of your device, good physical device security plays a part; that will be discussed in more detail later in the series, but having a good password for your computer (that is different than your email!), full disk encryption, and a fully updated OS goes a long way to stopping anyone that’s not a nation state.  Further, make sure you don’t leave your PC or your email logged in when you are away.

I’d recommend that if you use your email account for anything serious that you not access it from work.  With the click of a couple of buttons it’s fairly trivial for your system administrators to access your computer and compromise you.  If you need to access your email, do it with a personal device of some kind.

If you are being coerced, assume that you’re going to eventually give in.  PGP helps here, but if your enemy is pressuring you enough to give up your password, you’ll probably be giving up your keys, too.

Who runs your email server?  Are they in the US or UK, or in another country that’s less likely to quietly submit to the NSA or GCHQ?  Consider getting an account on a site such as unseen.is.

We mentioned PGP earlier.  If you encrypt all of your emails, then it doesn’t matter who your provider is; as long as they don’t have the relevant keys, they aren’t going to get anything but the recipient and subject line.  With proper key management, this helps with everything but the loss of physical device.
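What a mail provider can still read from a PGP-encrypted message, as an added example that is not part of the original post: the function parses a raw message as the server stores it and reports the cleartext headers and any readable body text. The sample messages, addresses and placeholder "ciphertext" are constructed, and the name provider_view is hypothetical; note that the sender and date headers stay readable along with the recipient and subject.

```python
from email import message_from_bytes, policy

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
METADATA = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

# Constructed samples: addresses, subject and "ciphertext" are placeholders.
HEADERS = (
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: Meeting Thursday\r\n"
    "Date: Mon, 04 Jan 2016 09:00:00 -0500\r\n"
    "MIME-Version: 1.0\r\n"
)
PLAIN = (
    HEADERS
    + "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    + "Bring the maps.\r\n"
).encode()
PGP_MIME = (
    HEADERS
    + 'Content-Type: multipart/encrypted; '
    + 'protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
    + "--b1\r\n"
    + "Content-Type: application/pgp-encrypted\r\n\r\n"
    + "Version: 1\r\n"
    + "--b1\r\n"
    + "Content-Type: application/octet-stream\r\n\r\n"
    + ARMOR_BEGIN + "\r\n\r\n"
    + "PLACEHOLDER+NOT+REAL+CIPHERTEXT\r\n"
    + "-----END PGP MESSAGE-----\r\n"
    + "--b1--\r\n"
).encode()


def provider_view(raw: bytes) -> dict:
    """Report what is readable without the recipient's private key."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Routing and display headers are never covered by PGP encryption.
    headers = {h: str(msg[h]) for h in METADATA if msg[h] is not None}
    # PGP/MIME (RFC 3156) marks the whole body as multipart/encrypted.
    encrypted = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    readable = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if ARMOR_BEGIN in text:
            encrypted = True  # inline PGP: armored block pasted into the body
        else:
            readable.append(text.strip())
    return {
        "headers": headers,
        "body_encrypted": encrypted,
        "readable_body": readable,
    }


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("pgp/mime", PGP_MIME)):
        view = provider_view(raw)
        print(name, "->", view["headers"], view["body_encrypted"],
              view["readable_body"])
```

Running it against both samples shows identical header sets; only the body changes from readable text to an opaque blob.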

I know that’s a lot to digest.  Hopefully you can see that you need a layered defense.  If there is a weakness, a dedicated enough or powerful enough enemy will use it to obtain useful intelligence about your activities.

Since this turned into a post of its own, we’ll put off the supply chain and identifying characteristics post for another day.  Stay agile and train hard.

EDUCATE. EMPOWER. RESIST.

4 Ways That Cognitive Dissonance Makes You Ineffective

Today we’ll be looking at the concept of cognitive dissonance. While we tend to consider cognitive dissonance to be an affliction most targeting non-preppers and Obama fans, the truth is that patriots engage in it just as much as anyone. Unfortunately, even though we scoff at others, we are being rendered just as ineffective when we fall victim to it ourselves.

What is Cognitive Dissonance?

Cognitive dissonance refers to a situation involving conflicting attitudes, beliefs or behaviors.

This produces a feeling of discomfort leading to an alteration in one of the attitudes, beliefs or behaviors to reduce the discomfort and restore balance etc.

Deborah C. Tyler at American Thinker talks about how cognitive dissonance has resulted in a near carte blanche state for Obama, stating that “The immensity of Obama’s disloyalty is key to why people cannot face the truth about him.” It’s a fantastic read, and will explain how dissonance works, as well as what subdissonance is.

Cognitive Dissonance and OPSEC

Patriots are just as susceptible to dissonance as anyone. We may be better informed about certain things than the average person, but we’re still human.

One classic example is the knowledge/belief that OPSEC is important, juxtaposed with the constant behavior of posting photos, videos, and information about things that should remain secure and internal to a group. The feeling of discomfort occurs, and people adjust their belief, rather than their behavior. When confronted about their poor OPSEC people often change their attitude to fit their behavior instead of the other way around. They do this in several ways.

  • Taking a “bring it on” attitude (seen in statements such as “They can go ahead and come and get me if they think I’m doing something wrong!”) The problem is, as we’ve seen lately, they will do just that. Then what good are you?
  • Rationalizing (statements such as “Well, nothing is secure,” the insinuation being that there’s no point in OPSEC because “the feds know everything anyway.”)
  • Defensiveness (verbally attacking or attempting to undermine the credibility of the person calling attention to their OPSEC failure).

These types of statements boil down to a resistance to behavioral change. The problem is that we do know that OPSEC is important, and therefore we run into a problem. Do we change our behavior to come in line with what we know is true? Or do we find a way to alter our beliefs so that we can continue in our current patterns? Sadly, many choose option 2.

Cognitive Dissonance and Fitness

This is one of the biggest areas where patriots fall victim to dissonance. We all know that physical fitness is a necessary and even critical part of our training. Even so, look around you at your next group meeting. How many of your fellow patriots are obese? You’ve almost certainly heard the same type of statements we just talked about, applied to the physical fitness aspect.

  • “I might be fat but I am an expert in [insert physical skill here].” This is about as dissonant as you can get. If you are not in physical shape, then you cannot be a practicing expert in a physical activity—key word being “practicing.”
  • “I don’t care HOW fat I am, if ‘they’ show up at my door I’ll give them a run for their money.” This is the “bring it on” attitude we saw in the OPSEC section above.
  • “I don’t need to be physically fit. I’m the comms/intel/supply/etc. guy.” Yes, you do. We all do.

These and many other statements get said all the time by patriots who, deep down, know better. We can all do better at our physical fitness—myself included.

Cognitive Dissonance and Vetting

One of the more dangerous areas to experience dissonance is that of vetting your people. Trusting the wrong folks can get you arrested or even killed. It can compromise your entire group, and even the larger movement. Even though we know these things, evidence of cognitive dissonance abounds. Below is a list of actual statements that people have said to me regarding how they vet their people, or what’s involved in their decision on who to let in their group or whether to trust them with information.

  • “I always check out their Facebook and see what they post about before we let them into our group.”

It should go without saying, but anyone can post anything. You can make your page look like the staunchest patriot or the most ardent Communist, or nothing at all. The fact that this even needs to be said is sad, but here we are: Facebook posts will not ever prove someone is trustworthy. If anything, social media posts will only help show the negative factors, not the positive ones. What they don’t post is even more important than what they do post. (I explain this in the Patriot Security 101 class.)

  • “I refuse to dig into people’s personal lives. That’s what we’re fighting. If they say they’re a patriot that’s good enough for me.”

If you are willing to expose yourself, your family, and your group to danger because of some noble (and misunderstood) idea about what privacy is or what is acceptable in terms of vetting, then you should not be in a group. In fact, you’re a liability, plain and simple.

  • “It’s okay if that guy is a fed. I have nothing to hide and neither does my group. I’m the president so I would know.”

This statement alone shows a lack of understanding of a host of basic concepts: privacy, security, OPSEC, COMSEC, basic infiltration, the list goes on and on.

  • “I’m an excellent judge of character. I always know when someone is good people or not.”

Trusting your gut is always a good thing. Refusing to collect any other information to confirm your gut reaction, however, is not.

Cognitive Dissonance and Training

One last area where patriots exhibit dissonance is in the area of training. In fact, patriot training can be summed up thusly: We all like to do what we like to do, and we don’t like to do anything else. We offer a myriad of reasons why, all of which camouflage the basic fact that we are engaging in cognitive dissonance. We know we need to train in a variety of areas. We know a lot less than we should, and we’re already aware of it. In the face of the belief/behavior disagreement, however, we will find ways to rectify that disagreement that don’t involve a behavioral change. Again, here’s a list of actual statements made to me while discussing the need for varied training within the patriot community.

  • “I don’t need to learn encryption. It doesn’t work anyway.”
  • “Everyone knows that all you need for firearms is an AR and a pistol. Training on anything else is just stupid.”
  • “There’s no point in learning computers. Once the grid goes down they won’t even work.”
  • “Intel and comms are for the people who can’t run and gun.”
  • “Someone else in my group does that job. I only do ___.”
  • “I’ve been doing this for 20 years. You can’t teach an old dog new tricks.”

We often don’t like to admit it, but there are definitive, proven, unassailable truths in the patriot movement and prepping in general. We know them, we may even preach them…yet our behavior doesn’t match. We engage in the equivalent of someone who talks about prepping on Facebook all the time yet has no food storage of their own, even though we know that if we do not store food we will not have any when the grid is down. We are like the guy who screams that the 2nd Amendment is the most important one of all…and yet has never owned a gun. Our own cognitive dissonance hampers us, renders us unable to contribute to the level we need to, and ultimately ensures our defeat.

If we are to be true partisans, we all need to be aware of the existence of cognitive dissonance in our own lives, and take steps to mitigate it. We have no other choice, if we expect to be effective in our operations and our actions as patriots.

Next time you catch yourself behaving in a manner that doesn’t fit information you know to be true, don’t change your perception or belief. Don’t alter your thinking so you can keep behaving the way you’re used to. Change your behavior to match the truth. That may mean learning a new skill, training more often, or simply changing your diet and adding exercise. If it helps you, helps your group, and helps the cause, isn’t it worth it?

 

Tuesday Links: The Deep Web

Today we have a couple of links for you to check out on the deep web and dark web. You might have heard these terms, and maybe you’re even fairly comfortable with surfing on Tor. But do you really know what the deep and dark web are? Do you know the difference, what they’re used for, and how they work?

First up we have this link about what the deep and dark web are.

Billions of people use the web on a daily basis. However, most of them usually consume less than 5 percent of its content. This 5 percent is known as the Surface Web, the part of the web whose content can be indexed and found by standard search engines that use link-crawling techniques, like Google, Bing, Yahoo, etc. These search engines use automated robots, called “crawlers”, which move from link to link in order to reach as much content as possible, and index it in the search engines’ special databases.

The remaining 95 percent (which cannot be found by search engines) is known as the Deep Web.  In fact, it is impossible to calculate the precise size, but most experts believe the percentage falls somewhere between 95 percent and 99 percent.

The link also goes into the different levels and how to access them.

The dark web does have some unsavory characters in it, and they run illegal businesses selling everything from drugs to identities. What’s yours worth on the black market? Find out here. There’s a great infographic there for you to refer to as well.

We’ll be back tomorrow with updates on our upcoming classes, and Thursday there will be a new feature article. Stay tuned!

The Paranoid PC – Part 1 – Bad Actors

Hello Patriots,

We here at TOWR hope that you had a good Christmas.  Today we’re going to start a series that I have tentatively titled, “The Paranoid PC”.  We’re going to look at many ways that your computer could betray you today and in a future Excessive Rule of Law environment.  We’ll discuss the capabilities of various different actors.  We’ll take a high level view of the supply chain.  Then we’ll discuss the vulnerabilities in an example piece of hardware and ways that you can remediate them.

Let’s talk about our enemies.  Who is coming after you?

Common Criminals:
Common criminals are generally just after your hardware.  They’re going to steal your computer and sell it on Craigslist.  Strong passwords, encryption, and off-site backups will protect your data, which is the most important thing in this case.

Opportunistic Cyber-criminals:
These are folks that aren’t necessarily after you in particular.  They’re looking to pick off the weak in the herd.  Their attacks range from the seemingly innocuous, such as tracking your browsing habits and pushing ads to your computer, to extorting money from you by locking your data away from you, to having your computer join a botnet and be used for attacks.  Basic safe browsing and computer maintenance will generally protect you from these attackers.

Personal Enemies:
Personal enemies are those who are after you personally.  Obviously, if your enemy is a l33t hacker dude, it’s a different story than your opponent for school board president.  Generally speaking, if your enemy isn’t somehow involved in IT or IT Security, your biggest threats will be theft of your equipment and/or poor passwords.  A motivated party might spend money hiring an expert to attack, at which point you’ll be happy that you took your security seriously.

Organized Crime:
If you are targeted by organized crime, it is because you have some kind of value to them.  IT Administrators and Security personnel are targets.  So are executives, business owners, or anyone who deals with customer data.  Even if you don’t have PII (personally identifiable information) on your own computer, an operative for an organized crime organization may attempt to coerce you via blackmail or other pressure points to obtain information for them.  Be aware of your pressure points and have plans to deal with them if they are exploited.

Opposing Political Organizations:
Let’s say you run a blog that takes a severe anti-abortion stance and you’re actually starting to get some traction.  Do you think that Planned Parenthood, or another pro-abortion organization would take notice and perhaps try to act against your blog?  Anonymous is well-known for attacking organizations based on their political persuasion.  Opposing Political Organizations may have more compelling motives, more money, more contacts, and more resources in general to attack you with.

For those of us who are Conservative/libertarian this can be a challenge; many of those who are technically proficient black/grey hat hackers fall ideologically with the progressive/socialist/Occupy camp.  If you rise to the level that Anonymous is taking notice, then watch out.  While many question how technically proficient they are, they are certainly adept at attacking known vulnerabilities and making headlines.

Nation State:
Once the Eye of Mordor turns to you, escape will be very difficult; more to the point, while government and commercial databases are lousy at predicting criminal activity (such as San Bernardino), they are fantastic at putting the pieces together once attention has been brought to a target.

Everything that we said about organized crime and opposing political organizations applies here, but multiplied exponentially.  Nation states have limitless (for our purposes) resources, incredibly clever teams of technical people, a monopoly of force, and with a little old national security letter, access to the information of pretty much any company you’ve ever done business with.  All they have to do is call you a terrorist.

I want to make this painfully, painfully clear: If a nation state comes after you they will find a way to get what they want from you.  We’ll discuss ways to minimize the risk, but their reach is far and their fists are big.

On that happy note, I’ll bid you adieu.  Keep learning and keep training.  Keep your mind agile.  Homework for next time: Think of three ways someone could gain access to your email, what the consequences would be, and how you could counter.

EDUCATE. EMPOWER. RESIST.

Don’t Use Web-Based Email Search Services for OSINT Unless…

We often use web-based email search to find information about an email address, and in some cases, to find out information about who that email address communicates with. For those of us performing open source intelligence (OSINT) research for our various groups and personal vetting, email search is pretty important. Two of the most known web-based email search services are Reverse Genie and Email Sherlock.

While the services do provide the information you need about an email address, they also notify the owner of the email address that someone in your geographical area performed that search, and give them a copy of the information provided to you. This compromises your research and possibly your identity, especially if the target is aware that they’re on your radar in the first place.

Obviously, having your target notified that you’ve done a search on their email address defeats many purposes.

(For a general explanation of OSINT and some of the tools available, you can start here with this paper. There are MANY more resources on the web, including here at TOWR.)

You might be asking “Well, what am I supposed to use then?” There are a few things you can try; we aren’t saying stop performing email searches. Some of the issues could possibly be averted by using a VPN for all OSINT research—and not using that same VPN server again or for anything else (there are a host of VPN servers out there, even if you stick with only one provider). Using the Tor Browser is also a common-sense given. In addition, I’d recommend doing your OSINT research from a public wifi not in your immediate area. We all love doing our work while in comfy pants and our own recliner, but doing things right is far more important than doing them conveniently.

Whatever you do, don’t stop vetting your people—and by vetting I don’t mean “checking their Facebook profile to see what they post about and if you have mutual friends.” Keep in mind that there are currently known federal agents and informants that have mutual friends with you…and might even be friends with you themselves…collecting everything you post. Remember: it only takes one mistake to compromise your entire group.

If you’d be interested in a one-day class on how to vet your people and tighten your contact networks, contact us at TOWR@whiterose.us.