Keystroke Loggers in USB Chargers

The FBI, interestingly enough, is warning private industry partners to beware of “highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.” You think?

“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” FBI officials wrote in last month’s advisory. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”

Before you get excited and think the FBI was looking out for you, take note of the following:

The FBI’s Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. [emphasis added]

Keep in mind how simple it would be to put one in a hotel room or other public place. Do you leave your laptop in your hotel room? Extremely bad idea. And by the way…if you think that the FBI is being altruistic somehow…you’d be wrong.

Here’s another article on the Evil Maid attack type. You should most definitely read it.

One last thing. If you’re thinking about buying a Blackphone, don’t. Here are three reasons why…but there are more.

How to Make a Truly Anonymous Facebook Account Part I

There are plenty of articles about how to use social media without making your information public, or leaking it to various ad services and info-grabbing bots. That’s not what we’re doing. We’ll be setting up a Facebook account that is not linked to us in any way—even for those who know how to look. Keep in mind that this is NOT your standard alias account. This account not only hides your name and identity from others on Facebook, but it also hides your identity from people or agencies that might be tracking your activity–not by hiding your name, but by making you into someone else.

 

 

Why This Needs to Be Split Into Multiple Articles

Because people have short attention spans, and because the actual process of setting up the framework and getting this put together requires very careful adherence to the process. Before you even create the account, you need certain things set up—including your own head and mindset. This is a building block exercise. Today we are simply exploring the concept. Next we will start making the building blocks necessary to create and run that alternate identity on Facebook—and ultimately online in general.

Why Have a Fake/Anonymous Facebook Account?

  1. Because you want to join groups and communities without it being displayed on your personal page.
  2. Because you don’t want people in the groups you’re joining to know who you really are.
  3. Because you don’t want people who add you or interact with you to know who you are.
  4. Because you don’t want your information tracked or cataloged.
  5. Because you plan to use Facebook as a means to disseminate and/or collect information and propaganda that you don’t want linked to you.
  6. Because you plan to use this account to infiltrate a group.
  7. Because you plan to derail discussions or do some social engineering/rapport building/elicitation.
  8. Because you can, and you shouldn’t have to explain why to anyone.

Any one of these reasons is reason enough, and you may have other reasons not listed here. Whatever your thought process, let’s assume that you want/need an anonymous Facebook account that is not in any way traceable back to you. The nice thing is, this process is repeatable as many times as you need.

The Mindset You Need

In order for this to work, it needs to be used a certain way. Before undertaking this, think through your purpose in creating this account and what you want to do with it. Keep in mind that if you just want an alias account there are ways to do that. This isn’t a how-to for making an account where your name is listed as Bamf Fo Real, or Sheepdog Extraordinaire, or *Your Name* followed by a III.  That will not help you.

If you want an account where you have a new name and story, and you become someone else, that’s what this article is for.

DON’T try to make an anonymous account if:

  • You plan to immediately add all the same friends you already have.
  • You plan to use it to go right back to all of the same groups you’re already in.
  • You plan to talk to your friends and family or even known contacts with it.
  • You plan to list your location, hobbies, employer, or any other personal information.
  • You plan to use it in any way that mimics how you personally, currently use Facebook.
  • You cannot control your temper, need for attention, or need to be in charge of something.
  • You plan to use it to engage in any kind of drama involving people already in your life (such as spying on your significant other or sending jackass messages to your arch-nemesis).
  • You are too lazy to use it correctly (“I’m just gonna check this one thing quick while I’m here at home…”)

DO make an account if:

  • You are joining your local leftist/anti-gun/communist/liberal group and you need a new ‘identity’ to get into it.
  • You are planning to use the account for controlling discussion in various groups through tactics discussed elsewhere, such as these.
  • You plan to use it for disruption in certain groups, or releasing information that exposes people.
  • You don’t plan to really post anything but the kind of stuff your targets and/or groups are looking for and aren’t going to foster discussion on your page; you just want to be able to lurk.
  • You need to have a Facebook account to ‘back up’ the name or identity you’re giving people for your liberty activities.
  • You want to keep Uncle Sugar out of your liberty activities (if you plan to perform support functions and/or ‘gray’ activities, you need to keep Uncle Sugar out of your stuff).

Facebook is horrible. We all know that. However, there are times you may need to use it. This is for those times.

**Note: We are not advocating that you use this for illegal activity. We are not responsible if you decide to watch/buy/sell/interact illegal, immoral, or just plain disgusting stuff. Use your powers for good.

The Tools You Need

In order to pull this off, you need to have a few things in place. Setting up the account itself is rather simple, but you need to have a framework in place to make it as airtight as possible (keeping in mind that nothing is 100% perfect…this will definitely make them work for it, if they can get it at all). Here’s a basic list of things you need already set up. (We’ll go over these in more detail).

  1. Access to a VPN, ideally two. (check PrivacyTools.io for a list of solid VPNs that do not operate in the US.)
  2. An updated and current Tails OS running on a flash drive, or a virtual machine.
  3. The Tor Browser (found on Tails as well as a standalone for other uses)
  4. At least $20 in Bitcoin, already mixed, split, and sitting in an anonymous wallet (or five). Bonus points if you also have at least two other wallets in other cryptocurrencies and did some swapping back and forth there as well.
  5. A new name and basic cover (try this site if you get stuck thinking of a random name/identity).
  6. Patience.

What can we do with all of that? A lot.

In the next article we will walk through some of the steps necessary to set up your completely new identity on Facebook. In future articles we’ll go over how to flesh out that identity, give it some depth, and start using it for various activities even outside Facebook. In the meantime, get familiar with the tools and articles above, and start thinking about how to leverage them in your favor.

Basic Privacy and Anonymity Class, 25 June 2016

This class is geared to those who either need to learn the basics of privacy and anonymity, or who would like a refresher. Everyone has the right to conduct their affairs in private, this class will show you how to do that. Whether you’re a total beginner who’s never heard of any of this, or someone who’s dabbled but doesn’t feel comfortable or wants to make sure they’re doing it right, this class is for you. If you missed the Groundrod Primer class last month, then here’s your chance to get in on the same subject matter.

We’ll cover the following:

  • the Tor Browser – how to browse the clearnet and darkweb anonymously.
  • TAILS operating system – how to run a live system from a flash drive.
  • Secure messaging – which ones are best for privacy?
  • Virtual Private Networks (VPN) – how to connect to the internet anonymously.
  • Bitcoin Basics – how to buy and sell cryptocurrency for anonymous purchases.
  • Best practices for online activities – how to evade digital surveillance and protect your metadata.

This is a one-day class, to be held in Bellevue, WA, and is open to all; there will be no vetting for this particular class. Make sure to get in on this one, because we’ll be offering a second class as a sequel to this covering things like creating a new identity for online activities, and how to make anonymous purchases that are not traced back to you.

Bring your laptop or tablet, a blank USB flash drive of 4 GB or more, and get ready to learn some critical skills.

DATE: Saturday, 25 June 2016
TIME: 10AM-5PM
LOCATION: Bellevue, WA

The cost for this is only $50 for the whole day of hands-on training. As with all of our classes, 100% of all money taken in goes directly toward funding more classes. You’ll leave with a working TAILS system, some anonymous messaging accounts, and a Bitcoin wallet–with the skills to use them all.

Email us at towr@hushmail.com to save your seat!

 

Is Your Cell Phone Fingerprint Security Really Secure?

In 2013, the iPhone came out with a new feature: Instead of a PIN or passcode, users could use their fingerprint to unlock their phone and various apps. People thought it was quite convenient; no remembering passwords or PINs, just hold your finger to the screen. But, like everything else it seems, fingerprint security has a dark side.

It can be easily hacked.

The whole point of fingerprint security is for it to be more secure; no one is supposed to be able to get into the phone unless they are you (or they cut off your finger movie-style and used it to access your phone). That’s not quite how it works, however. Hackers were able to get into a fingerprint-locked iPhone after only a week. On laptops it was even worse (keep in mind that the phrase “Windows security model” is almost as big a joke as “fingerprint security.”).

It’s not considered protected by the Constitution.

That’s right, folks. A VA court ruled in 2014 that while the government cannot force you to give up your phone’s passcode, they can force you to give your fingerprint to unlock it. See, you know a passcode; that falls under the 5th Amendment according to their logic—you can’t be forced to tell something you know that incriminates you. However, your fingerprint is something you have; therefore, they can “seize” that as part of their investigation.

a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.

I don’t write the crappy BS laws, I just write about them.

If they can’t hack it, they can now just copy it.

No need to mess with latex; just lift a good fingerprint (which of course they’d have anyway if they arrested you) and use an ink jet printer to copy. Or….Play-Doh. Yes, that’s what I said.

According to a paper published by Michigan State University researchers Kai Cao and Anil Jain, fingerprint scanners on Android devices can be duped with a high-resolution photo of the owner’s fingerprint. Photos need only be flipped horizontally and then printed on a certain paper with photo-conductive ink cartridges…As the Daily Mail reports, it was recently suggested that an iPhone could be broken into with Play-Doh – although it requires the phone’s owner to press their finger into the modeling material for five minutes.

If this isn’t creepy enough, there are plenty more biometrics being tested.

Meanwhile fingerprint scanners aren’t the only biometrics that manufacturers are experimenting with – heartbeat monitors are being trialled as a way to provide secure banking, and even wearables that measure your gait.

Sam Shrauger, Visa senior VP of digital solutions, told WSJ that Visa is involved with plans to make biometric mobile payments better and more secure. That could be, for example, using a consumer’s iris as a way to verify an identity. He suggested using multiple biometric authentication techniques — on top of a password — for the best password.

There are ways to get around all of this (such as using a strong passphrase), but the crux of the problem is simple: People don’t like inconvenience. They’ll trade their own security for convenience every time. Baaaaa.

Do You Need OPSEC if You Have Nothing to Hide?

[dropcap]W[/dropcap]e talk a lot about OPSEC and PERSEC, as well as how you should be communicating with and protecting your group—or yourself.

One of the biggest objections we hear about OPSEC or see posted by people on social media is that OPSEC is unnecessary because “we have nothing to hide.” This article will answer that, and is the first in a series where we’ll explore those objections in detail.

OPSEC and Chess

The Cryptosphere has a fantastic explanation of why you do have something to hide. All of you. And you very well SHOULD. To paraphrase for the folks who don’t spend their days dealing with game theory:

Imagine you’re playing chess. You see the whole board, you see all the pieces, and every possible move and rule is available to you.  People involved with game theory call that “perfect information,” or “the same information to determine all of the possible games (all combinations of legal moves) as would be available at the end of the game.” When you’re playing chess, all possible moves are right there. The other player isn’t hiding the board, they’re not hiding their pieces, they’re not suddenly changing the rules (hence the phrase “above board.”).  Chess is chess. Now, this would be a situation of “perfect information” except for one problem.

Most humans don’t possess the cognitive processing paths allowing them to treat chess as a game of perfect information. We’re simply not primed or trained to see all those possible moves from all sides.

Why do you think it was such a big deal when Garry Kasparov beat Big Blue the supercomputer at chess in 1996? Because computers have perfect information. Your brain usually doesn’t have the capacity to gain it, even if it’s available to you.

Tic-tac-toe is another game he mentions, to break it down further. If you put a 9-square TTT board, you could use a decision tree to plan out every possible move by both players throughout the game. You could literally have a blueprint for how to win because in any given board configuration you would know all possible moves by your opponent. That is called having perfect information.

How does this apply to you? Now imagine playing chess when your opponent decides midway through the game that the rules changed. He hid his pieces, and then suddenly has extra. Then you realize you don’t even know how many pieces he’s playing with. He’s hiding half the board, and changes which half he’s hiding at any given time. How well could you play?

Guess what? That’s exactly the kind of chess game you’re playing right now, whether you like it or not.

The Game is Stacked Against You

Before saying “I have nothing to hide” I’d have to say that I possessed perfect information in the context of making that decision. That’s perfect information not only about every past move leading up to this decision but every future move after it. It assumes that all “pieces” are above the board and that I know all the rules to this game. And that’s demonstrably incorrect.

Let’s take the assets and programs of the National Security Agency as some of our game pieces. For them to be above the board we’d need the government to be both honest and accountable about them. Instead, NSA Director Keith Alexander has repeatedly lied to the public about every aspect possible. So has Director of National Intelligence James Clapper. They’ve lied to us as individual players and Congress as what we might call a Superplayer; about buildings, assets, programs, collected materials. Everything we’d need to get a good idea, no less a complete idea, about the pieces on the playing board.

Now, that’s just the pieces. Let’s look at the board you’re playing on.

In order to play chess you’ve got to abide by certain rules, but there’s a trade-off: the rules are all made plain beforehand. You’re not going to get midway through the game and then be challenged about the legality of your opening move, either due to a rule that was hidden from you or due to a new interpretation of an old rule. But in the game model we’re dealing with here, government in general and intelligence agencies in particular have established exactly this possibility. As one example: the very court opinions and administration interpretations of the Patriot Act allowing the government to order telecommunications companies to collect and provide massive amounts of data on US citizens are secret.

…once you seemingly violate a rule that you’re not aware of, or once the administration alters its interpretation of the rule to make you a violator, they can now go back through every communication within their grasp and piece it together in any way they desire in order to make you appear guilty as sin. [emphasis added]

Without you knowing, at any step of the process.

What’s It All Mean?

This all adds up to a very simple bottom line. By saying “I have nothing to hide,” you are making very dangerous and false assumptions.

Both players in the chess game (you and the government) are in agreement as to the rules of the game, and those rules won’t change. We have seen plenty to know that we are all most definitely NOT in agreement about the rules, and those rules change at the opponent’s whim–or even after the fact.

Both players know how many pieces are on the table. We also know this is false; your opponent has pieces you aren’t aware of, many of which are deployed against you and others like you. They swap those pieces out at will, upgrade them when possible, and even stack their pieces in ways that violate whatever rules it previously agreed to.

Both players are playing openly. Obviously this is false as well. While you’re playing “openly” and claiming you’re pure as the driven snow, your opponent is playing the game at a whole other level—a level you don’t see. When it moves pieces, you don’t know. When it changes the rules, you don’t know. When it decides to add a host more pieces or even have one of its pieces pretend to be one of yours, you don’t know.

Your moves only affect your own game. If you truly believe this, then you are the worst kind of security risk: the person who thinks he can act how he wants and it doesn’t affect anyone else. Your moves affect every game being played around you; your opponent is able to play many, many games simultaneously, and has no problem taking strategy or information from your game and using it to beat another player. Your arrogance, lack of understanding, and refusal to comprehend the “game” can and will get someone else killed or arrested.

“I have nothing to hide” means you’re playing an asymmetric information game like other players would want you to: poorly. Out of some mythical principle you’ve chosen to tie both hands behind your back in order to play a game that the intelligence agencies won’t even tell you the rules to. This is a game you will lose every time. Because not only do other players have more information than you, they also have just about all the power in the situation. And remember what I said above: strategy in asymmetric games is dictated by power imbalance between the players. Relinquishing both your power and your information is not a strategy, it’s a suicide.

The thing about suicide is, it affects everyone around them. It’s not a solo activity. So next time you shrug your shoulders on Facebook and turn your nose up at protecting your own information and that of your group, remember this: You don’t have perfect information and this game isn’t being played fairly. If you want to play that way anyhow, then others will pay the price for your actions.