The Paranoid PC – Part 2 – Hunting You Down

Hello Patriots and Partisans,

Let’s talk a little about the markers that can identify a computer to an attacker or investigator.  We’ll consider the typical perspective of tying Internet activity to a user and computer, as well as that of an investigator who, having gotten his hands on a laptop, is trying to find out who it belongs to.

As I was working on this article, CCC published a talk from the #32c3 by Joanna Rutkowska.  You can find it here.  If you’re not a techie, you don’t need to watch it, but the primary takeaway is that your computer is vulnerable to many attacks which cannot be effectively mitigated.  We’ll discuss those attacks and what you can do to reduce their effectiveness in a future article, but my desire is that you’ll understand that if the machine cannot be trusted, then you should work that much harder at your privacy.

“Personal computers are extensions of our brains… yet they are insecure and untrustworthy.” – Joanna Rutkowska

While this list is fairly thorough, it is not exhaustive.  Items listed are in no particular order.

Serial Number

The Serial Number is of course usually on a sticker on the machine, but did you know that it is written to memory on the computer?  For most manufacturers it is very difficult to change the serial number saved on the computer.  In order to change the serial number on the motherboard you’ll need a maintenance disc from the manufacturer.  You can often find these leaked online.

Here are a couple of examples of how someone with root/administrator access to your system can find your serial number without physical access.

In Windows, there are a few ways to do it.  For example, you can open PowerShell and run the Get-WMIObject win32_bios command.  In Linux, the dmidecode utility will do effectively the same thing.

[Screenshot: dmidecode output showing the serial number on Linux]

So what does that mean to you?  Let’s say you use your laptop for partisan things.  You’ve behaved well, running a secure OS, and protected your identity.  Now, let’s say somehow you’ve lost your laptop; perhaps you loaned it to a friend who was using it to keep a log of the birds he was observing at a particular wildlife refuge.  However it’s happened, your laptop is now in evidence and someone really wants to find the owner.

Let’s pretend that everything is perfect from an IT perspective.  Their forensics guys can’t get any data off of your hard drive.  Then, they extract the serial number and start down the supply chain.

First, they contact the manufacturer, let’s say, Dell.  Here’s one way it could go:

Dell looks up the serial number and says, “It was sold directly to Joe Smith on March 14, 2014, was shipped on March 21 to 123 Main Street, Seattle, and delivery was confirmed on March 24.  They had one service request for a bad LCD cable on June 26 of the same year.  The technician’s note says they had an aggressive dog.”  The investigators now go and find Joe to see if he can explain what happened to the laptop after that.  Was it still Joe’s?  Did he lend it out?  Did he sell it?  How did he sell it?  Does he have the buyer’s information?

If Joe sold the laptop on Craigslist maybe it’s a dead end…  unless Joe still has his emails with the buyer, the buyer’s email address, and phone number.  If Joe sold it via eBay, you’ve got all of that information, plus likely a PayPal account and so on.  Our investigator now goes to the next person and repeats the process.

Here’s another way it could go:

Dell looks up the serial number and says, “It was sold to Walmart for retail sale and shipped to the distribution center in Grandview, Washington on March 21, 2014.”  Our intrepid gumshoe then calls up Walmart and asks them what happened to it.  “It was sent on to store number 1234 in Oak Harbor.”  “Can you tell me who bought it?” asks the investigator.  “Four of them were sold in the three months after we sent your unit to the store.  Here are the transaction numbers and the credit cards used in each of them.”

Our investigator now has four names to chase down.  Three of them probably still have their computers, leaving us with the original buyer.

Asset Number

If you purchased your computer used from a company, they may have filled in the “Asset Number” field in the BIOS.  If they did, and an investigator follows the trail to them, then their accounting department may be able to say who they sold the computer to, or which recycler they sold the computer to.
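As an added example (not from the original article), here is a Python script that reads the serial numbers and the asset tag the two sections above describe, straight from the sysfs files Linux exposes under /sys/class/dmi/id, which hold the same SMBIOS data dmidecode prints. The directory and file names are the real kernel ones; the serial and UUID files are readable only by root. The build_demo_fixture function fills a temporary directory with constructed values so the script can be tried without root or real hardware.

```python
"""List the firmware identifiers (serial numbers, UUID, asset tag) a machine
exposes.  Added example, not from the original article."""
import tempfile
from pathlib import Path

# sysfs file name -> label.  The file names are the real ones the Linux
# dmi-sysfs driver exposes; the serial and UUID files are root-readable only.
DMI_FIELDS = {
    "sys_vendor": "system vendor",
    "product_name": "product name",
    "product_serial": "system serial number",
    "product_uuid": "system UUID",
    "board_serial": "board serial number",
    "chassis_serial": "chassis serial number",
    "chassis_asset_tag": "chassis asset tag",
}

# Strings vendors leave in a field that was never programmed.
PLACEHOLDERS = {
    "", "None", "Not Specified", "Not Available", "Not Applicable",
    "No Asset Tag", "Default string", "To Be Filled By O.E.M.",
    "System Serial Number",
}

UNREADABLE = "<permission denied: re-run as root>"
NOT_SET = "<not set>"


def read_dmi_identifiers(base="/sys/class/dmi/id"):
    """Return {label: value}.  Missing files map to None, root-only files to
    UNREADABLE, and unprogrammed vendor placeholders to NOT_SET."""
    found = {}
    for fname, label in DMI_FIELDS.items():
        path = Path(base) / fname
        try:
            value = path.read_text(encoding="utf-8", errors="replace").strip()
        except FileNotFoundError:
            found[label] = None
        except PermissionError:
            found[label] = UNREADABLE
        else:
            found[label] = NOT_SET if value in PLACEHOLDERS else value
    return found


def identifying_values(found):
    """Labels whose value is a real identifier, i.e. something an investigator
    could feed into the supply-chain trail described above."""
    return sorted(label for label, value in found.items()
                  if value not in (None, NOT_SET, UNREADABLE))


def build_demo_fixture():
    """Create a temp directory shaped like /sys/class/dmi/id with CONSTRUCTED
    values, so the functions can be tried without root or real hardware."""
    fake = Path(tempfile.mkdtemp(prefix="dmi-demo-"))
    (fake / "sys_vendor").write_text("ExampleCorp\n")
    (fake / "product_name").write_text("Example Laptop 13\n")
    (fake / "product_serial").write_text("EXAMPLE-SN-0001\n")
    (fake / "board_serial").write_text("To Be Filled By O.E.M.\n")
    (fake / "chassis_asset_tag").write_text("No Asset Tag\n")
    # product_uuid and chassis_serial deliberately absent
    return str(fake)


if __name__ == "__main__":
    found = read_dmi_identifiers()
    for label, value in found.items():
        print(f"{label:24} {value}")
    print("identifiers exposed:", identifying_values(found))
```

Run it as root on a Linux machine and compare the list of exposed identifiers with the sticker on the case; a NOT_SET result for the asset tag means nobody ever programmed that field, while a real value there is a lead back to a previous corporate owner.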

MAC Address

All networking devices have one or more MAC addresses.  Your Ethernet adapter, wireless network adapter and Bluetooth radio each have a MAC address.  The MAC address is a unique (with a few minor exceptions) identifier that can be used to identify your computer.  Without getting into too much detail, the MAC address is essential to any kind of networking, must be unique on the network, and pretty much anyone on your network can see it.

An investigator armed with your MAC address can go to the chipset manufacturer (for example, Intel), who can say who they sold that device (or chip) to, who will then be able to tie it to your serial number.

If they know what networks you were connected to, and their administrators log things, they could find out what you accessed based off of your MAC address.
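To make the MAC address discussion concrete, here is an added Python example (not from the original article) that decodes a MAC address the way an investigator, or you, would read it: the first three bytes are the IEEE-assigned OUI that names the vendor, and two bits of the first byte say whether the address is a multicast/group address or a locally administered one, which is what a randomized or software-assigned address looks like. The vendor table holds only two real assignments I know off-hand (VMware and VirtualBox); a real tool loads the full IEEE registry.

```python
"""Decode a MAC address: OUI (vendor) and the two flag bits of the first byte.
Added example, not from the original article."""
import re

# Tiny vendor table.  These two prefixes are real IEEE OUI assignments;
# a real tool loads the whole IEEE registry instead of hard-coding entries.
OUI_VENDORS = {
    "00:50:56": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    hex_digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hex_digits)


def describe_mac(text, vendors=OUI_VENDORS):
    """Break a MAC into the parts an investigator (or a defender) reads."""
    raw = parse_mac(text)
    canonical = ":".join(f"{b:02x}" for b in raw)
    oui = canonical[:8]                       # first three bytes = IEEE-assigned OUI
    first = raw[0]
    return {
        "mac": canonical,
        "oui": oui,
        # I/G bit (bit 0): set on multicast/group addresses, never on a NIC
        "multicast": bool(first & 0x01),
        # U/L bit (bit 1): set when software assigned the address, so the
        # OUI no longer points at a chipset vendor or a supply chain
        "locally_administered": bool(first & 0x02),
        "vendor": vendors.get(oui),
    }


def classify(text, vendors=OUI_VENDORS):
    """One-line verdict on what the address can be tied to."""
    info = describe_mac(text, vendors)
    if info["multicast"]:
        return "multicast/group address (not a device)"
    if info["locally_administered"]:
        return "locally administered: randomized or software-assigned, vendor lookup is meaningless"
    if info["vendor"]:
        return f"burned-in address from {info['vendor']}"
    return f"burned-in address, OUI {info['oui']} not in the local table"


if __name__ == "__main__":
    for sample in ("08:00:27:ab:cd:ef", "0a:11:22:33:44:55", "01:00:5e:00:00:fb"):
        print(sample, "->", classify(sample))
```

The useful takeaway for a defender is the U/L bit: an address with it set was assigned by software (an OS that randomizes its Wi-Fi address sets it), so the OUI lookup that starts the chipset-vendor trail described above goes nowhere. An address with it clear is the burned-in one, and that is the one a network administrator's logs will tie to your hardware.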

ESN/IMEI

Similar to a MAC address, if your laptop has a cellular modem (even if it’s not enabled), it has an IMEI number, just like your cell phone.  In addition to the investigational methods used for tracking down someone by their MAC address, if the device ever was registered with a cellular carrier an investigator might be able to trace you from there, too.

Screen Resolution

Anything that makes you unique can track you.  For example, Tor Browser warns you against maximizing your window:

[Screenshot: Tor Browser screen-resolution warning]

That covers many of the moderate difficulty ways to track you.  There are a number of much easier ways for Windows users in particular to be traced or victimized.  There are also some harder methods that are a bit out of scope for our discussion.

Given all of the above, namely that an investigator with significant resources has numerous ways to trace the provenance of a device, how do we disassociate ourselves from our device, as far as we can?  Part of the answer is thoughtfulness and tradecraft.

The target for this series is the laptop you’re using for “serious” work.  This isn’t about watching Youtube, this is about securely and privately doing research, communicating with other patriots, and staying under the wire.  With that in mind, here are some suggestions for separating yourself from your device:

  • Pay for the device in cash.
  • Buy from somewhere without cameras (fly-by-night guys found on craigslist, contacted with a burner email and phone are great).
  • Buy outside of your normal area.  Leave your normal phone at home.
  • Don’t buy the extended warranty.
  • Don’t connect it to your home network.
  • Don’t sign in to any of your “real” accounts from it.

Do you have any other suggestions?  Hit us up in the comments!

Coming up, we’re going to discuss some common and extreme methods for adding misdirection and obfuscation to our device to confuse any pursuers.

EDUCATE. EMPOWER. RESIST.

The Paranoid PC – Part 1a – Risks to Email

Hello again, Patriots.

At the end of our last Paranoid PC article, I gave you some homework.  I asked you to consider three ways that someone could gain access to your email, what the consequences would be, and how you could counter.

The obvious place to look first is your password.  How would an attacker get your password?

  • Guessing (weak password).
  • Reusing the same password in multiple places.
  • Writing your password down.
  • Keystroke Logger

Another way an attacker could access your email is through physical access to your computer.  If your password is saved (either in a browser or mail client), or the “keep my computer logged in” cookie is selected in Gmail, all they need to do is open it up.  Losing physical control of your smartphone, with your email logged in, is a similar risk.

If you access your personal email from work, that’s another potential risk.  Aside from the physical access issue, there’s usually a team of people who can get limitless access to your machine making you vulnerable to keystroke loggers, cookie theft, and man in the middle attacks.

Do you share your password with anyone?  Do you share your account with anyone else (such as family)?  You’ve now multiplied all of those other risks we’ve already discussed by each person who knows your password.

Coercion is another threat, and now we’re getting serious.  However, if someone is shoving splinters under your fingernails to gain access to it at least you know you’ve been compromised.

Who runs your mail servers?  Do they actually secure them correctly?  Do they comply with law enforcement “requests”, or do they require an actual warrant?

That’s not all of the ways someone could access your email, but it’s the high points.

Now, let’s address the consequences of someone accessing your email without your consent.

  • On its face, your personal correspondence is now open to your attacker.
  • Many of your other accounts (Facebook, banking, etc) are now vulnerable if the attacker uses the “forgot my password” function to send a password reset to your email address.
  • Your attacker can now impersonate you and either discredit you or entrap or endanger your contacts.
  • Speaking of your contacts, your attacker can now start mapping relationships between you and everyone you’ve ever contacted.  Guess who’s next on their list?

So, how do we protect against these attacks?

The weak password is the easiest to deal with.  Don’t use a weak password. One suggestion from this guide is:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
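The “process” the quoted advice refers to is a dictionary attack with mutation rules, and the reason “tlpWENT2m” survives it is that undoing the usual mutations never produces a dictionary word. The following Python check, an added example (not from the original article or the guide it quotes), does that undoing: it lower-cases the password, strips digits and symbols glued onto either end, reverses common leet substitutions, and looks the remaining root up in a word list. The word list here is a constructed handful of entries; a real check uses a full cracking wordlist plus the user's own names and dates.

```python
"""Is a password really a dictionary word with cracker-style mutations?
Added example, not from the article or the guide it quotes."""
import re

# CONSTRUCTED miniature word list.  A real check loads a cracking wordlist
# of millions of entries plus the user's own names, dates and interests.
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "dragon", "monkey",
    "summer", "piggy", "market", "little", "patriot", "freedom",
}

# Leet substitutions a rule set applies, mapped back: "P@ssw0rd" -> "password"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"})

_AFFIX = r"[\d\W_]+"          # a run of digits/symbols glued on at either end


def candidate_roots(password):
    """Undo case, affix and leet mutations; return every plausible base word."""
    base = password.lower()
    forms = {
        base,
        re.sub(_AFFIX + "$", "", base),                 # welcome123!  -> welcome
        re.sub("^" + _AFFIX, "", base),                 # !!dragon     -> dragon
        re.sub("^" + _AFFIX + "|" + _AFFIX + "$", "", base),
    }
    forms |= {form.translate(LEET) for form in list(forms)}
    return {form for form in forms if form}


def is_dictionary_based(password, words=COMMON_WORDS):
    """True when some de-mutated root of the password is in the word list."""
    return any(root in words for root in candidate_roots(password))


def assess(password, words=COMMON_WORDS):
    """Small report: length, how many character classes, dictionary-based?"""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return {
        "length": len(password),
        "character_classes": classes,
        "dictionary_based": is_dictionary_based(password, words),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Piggy2014", "tlpWENT2m"):
        print(pw, assess(pw))
```

“P@ssw0rd1!” and “Piggy2014” both collapse to a word in the list, which is exactly why the substitution tricks people rely on buy nothing; the sentence-derived “tlpWENT2m” collapses to nothing recognisable.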

Also, don’t reuse passwords.  I’ll be honest; I reuse mine sometimes too, but only for the most trivial of accounts.  If I need to sign on to some obscure site one time, that doesn’t have any personal info, then I’ll give a common password.  It’s better to use a throwaway email account for those, however.

“But,” I hear you say, “if we have all of these complex passwords, how are we supposed to remember them?”  The answer to that is a password manager such as Password Safe or Keepass.  We’ll discuss that further in a future piece.  Whatever you do, don’t write it down…

Two-factor authentication is incredibly helpful.  Even though we don’t recommend Gmail for serious work, its two-factor authentication system is easy to use.  Once enabled, when you go to log in, Gmail sends you a text message with an authentication code that is also required before you can access your email.  This serves two purposes: aside from blocking the attacker, it also tells you that someone other than you just tried to log in, which means your password has been compromised.

When it comes to the risk of losing physical control of your device, good physical security plays a part; that will be discussed in more detail later in the series, but a good password for your computer (one that is different from your email password!), full disk encryption, and a fully updated OS go a long way toward stopping anyone who isn’t a nation state.  Further, make sure you don’t leave your PC or your email logged in when you are away.

I’d recommend that if you use your email account for anything serious that you not access it from work.  With the click of a couple of buttons it’s fairly trivial for your system administrators to access your computer and compromise you.  If you need to access your email, do it with a personal device of some kind.

If you are being coerced, assume that you’re going to eventually give in.  PGP helps here, but if your enemy is pressuring you enough to give up your password, you’ll probably be giving up your keys, too.

Who runs your email server?  Are they in the US or UK, or in another country that’s less likely to quietly submit to the NSA or GCHQ?  Consider getting an account on a site such as unseen.is.

We mentioned PGP earlier.  If you encrypt all of your emails, then it doesn’t matter who your provider is; as long as they don’t have the relevant keys, they aren’t going to get anything but the recipient and subject line.  With proper key management, this helps with everything but the loss of physical device.

I know that’s a lot to digest.  Hopefully you can see that you need a layered defense.  If there is a weakness a dedicated enough or powerful enough enemy will use it to obtain useful intelligence about your activities.

Since this turned into a post of its own, we’ll put off the supply chain and identifying characteristics post for another day.  Stay agile and train hard.

EDUCATE. EMPOWER. RESIST.

6 More of the Best Tools for OSINT Research

There are a ridiculous number of tools out there for intelligence. Some are better than others, and if you’re just getting into OSINT research, the last thing you want to do is have to dig through all of them to find the best ones, or the ones that are easy enough for you to start using out of the box. That’s where we come in.

Here’s the TOWR Guide for 6 OSINT Research tools – a list and handy infographic you can come back and refer to over and over. Take a look at the tools below and see what you think!

SocialMention

SocialMention is a tool that does exactly what you’d think. It searches across all manner of social media for mentions of a specific search term. What makes it interesting is that it gives far more than just a list of results. Here’s a small snippet of a search for “blacklivesmatter.” Keep in mind these are partial results.

As you can see, SocialMention keeps track of everything from how often the term is mentioned to the context and feeling it’s mentioned in. This helps take a temperature, so to speak, of the social media culture on that particular topic. It also offers everything from who, specifically, is talking about it to where they’re talking. It’s a great way to get a quick pulse on a keyword or phrase.

AddictOMatic

Along the same lines of SocialMention is AddictOMatic. This tool pulls information from a host of search engines and different sites on a topic and aggregates them all for you. Keeping our search on “blacklivesmatter” we see the following sources are available for search all at once.  It’s not foolproof, and it’ll miss some results, but in terms of a quick and dirty search it’ll get you started.

SocialSearcher

Another great social media tool is SocialSearcher. It’s more complete than AddictOMatic and offers results from a different set of sites. SocialSearcher’s real power, however, is in the time and keyword analysis features. It shows not only where people are talking about your search term, but when. In addition, it offers related search terms. We see here that when we search for “blacklivesmatter” we also get related terms listed such as “blackchristmas” and even “#Black lives matter,” so you can even catch the results from people who don’t understand hashtags. 😉 You’ll notice that some of the terms showing have nothing to do with our search term; this is also normal. It shows what the people who talk about “blacklivesmatter” also talk about.

CheckUserNames

CheckUserNames is a very powerful search engine. You plug in a username, and then watch as it searches across 250 different websites to see where that username has an account. If you’re ‘hunting’ someone, and they use the same username across several websites (many people do), then you can find all the places where they frequent.

Obviously this requires some work. In the example (which is a tiny snip from the results), I used the username “patriot1”. The chances of the same person being patriot1 across the internet are next to zero. If you have someone whose username is their first and last name, or something specific to them, your chances of doing a successful search go up significantly. Once you have the list, you can go to each site and glean whatever bits about themselves they’ve left in their various profiles. It’s tedious and time-consuming, but then again, a lot of OSINT research is. Good thing the results can be so worth it.

Carrot2

Carrot2 is a visualization search engine. It offers search results collated into lists, foam trees, or circles (shown here).  The nice thing is that it includes links from places like PubMed, Put, and even image engines. If you’re doing an image search and want to be able to grab related topics without having to perform 50 different searches, this engine is very good. There’s also a desktop version.

One Million Tweet Map

The last tool we’ll look at today is the One Million Tweet Map. Twitter, being real-time, is a great place to find out what’s going on RIGHT NOW. This site lets you pop in a search term or hashtag, and then shows you where the tweets are coming from on that topic. Since it’s also real-time (you can change that to pull from a timeframe up to 6 hours) it lets you stay up to date on a specific event or trend. In our example, this shows the clusters of tweets using the #blacklivesmatter hashtag from only the last 2 minutes. This can give you an idea when things start trending, or if an event is starting to ramp up.

These are only six of the many tools available. We’ll add more in later guides. For now, try them out and perform your own searches. Use them to pull information about your own AO, or about your nearest metro area, or even about people you need to find out about.

Subscribe to TOWR in the box below to keep informed of new guides, tools, and resources for privacy, security and intelligence.

Download our infographic here!

[Infographic: 6 Tools for OSINT Research - TOWR Guide]

8 Great and Free Open Source Alternatives

Welcome to the first installment of TOWR Guides, handy infographics that you can save, share, and refer to. This first foray deals with open source alternatives to the software that we’ve all been using for years—the Microsofts and Googles and Facebooks of the world. These companies are the go-to for so many types of things that we do on our computers every day, and yet they’ve become data collection platforms and festering cesspools of personal data, just waiting to be purchased or subpoenaed or even stolen…and that’s not even counting the warrantless searches and worse that are occurring. There’s good news, though—you have options.

Data: The Crime Frontier

Data breaches have almost become a way of life, the new normal. In 2015, it wasn’t just cheating spouses that got hit. VTech’s hack exposed children’s photos and home addresses to any predator savvy enough to access the security hole. The Office of Personnel Management hack compromised 5.6 million sets of fingerprints and much more; the victims of the worst hack in US history were only offered credit monitoring services and a few platitudes. Last week, security giant Juniper found “unauthorized code” running on its servers that showed a level of sophistication found in nation-state level operations—and evidence shows that the code was there for three years before it was discovered.

In a world where true cybersecurity is an elusive and possibly even unattainable prize, it’s even more important to do our part to protect ourselves. Part of that means being very careful what software you use, what sites you visit, and what information you let those programs and websites have. Enter one solution: Open source software.

Open Source What?

For those new to the term, open source software means the code is available for anyone to look at. Other programmers can go through the code and find errors or security holes, or make modifications; they release the modified (or forked) version back to the community.

The benefits of this are huge. When looking for a secure text messaging app, for instance, which app would you have more confidence in: A proprietary program where the company says it’s secure and you’re expected to trust them (and watch their site for any patches coming out after the fact)? Or an open source program with several public audits and discussions on the code, explaining whether it works or not, why it works, and what updates or tweaks it still needs?

All of this can be pretty overwhelming for the average person who’s been ‘in the Matrix’, so to speak, of proprietary commercial big-name software their whole lives. Thankfully, there are plenty of resources to help you make the switch. The first thing you can check out is our infographic. It’ll get you started with some basic alternatives. After you take a look at those, surf over to Alternative.to. It’s a huge database of open source software links for every operating system and program you can think of. Own a Windows laptop and an iPhone? Mac and Android? Whatever you have, there are options.

What Now?

Click the graphic below to enlarge, and right click to save it. Better yet, use the sharing buttons to spread the information to others! Do you have a favorite open source program? Let us know in the comments. Be sure to subscribe so you don’t miss any of our other guides!

[Infographic: 8 Easy Open Source Alternatives]

Run Your Own Mail Server

If you read our article on secure email yesterday and still wonder if that’s enough to protect your communications, then perhaps you’ve thought about setting up and hosting your own mail server. While this might sound fairly daunting, the truth is that you don’t have to be a technical guru to pull it off. Mail in a Box is a production-quality project allowing you to set up your own email server. This gives you total control over all facets of its security and any other options. The site has very clear setup instructions and even a video you can follow along.

Keep in mind that you won’t be able to run this at home, because computers on most residential networks are blocked from sending mail both on the sending end (e.g. your ISP blocking port 25) and on the receiving end (by blacklists), since residential computers are all too often hijacked to send spam.  Your home IP address is also probably dynamic and lacks configurable “reverse DNS.”  If any of these apply to you, you’ll need to use a virtual machine in the cloud and set it up there instead.
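Here is an added Python pre-flight check (not from the original article or from Mail-in-a-Box) for the three obstacles the paragraph above names: it looks up the reverse (PTR) name of your address, verifies forward-confirmed reverse DNS (the PTR name must resolve back to the same address), flags PTR names that look like a residential pool, and tests whether an outbound connection on port 25 even gets through. The resolver and connection functions are parameters, and run_demo wires in constructed stand-ins for a home address and a VPS address (drawn from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) so the logic runs without any network; the DYNAMIC_HINTS list is a heuristic of my own, not an authoritative source.

```python
"""Pre-flight checks before trying to run a mail server from a given address.
Added example, not part of the article or of Mail-in-a-Box."""
import re
import socket

# Heuristic (constructed, not authoritative): tokens ISPs often put in the
# PTR names of residential or dynamically assigned address pools.
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "cable", "dsl", "cust")


def reverse_name(ip, gethostbyaddr=socket.gethostbyaddr):
    """Return the PTR name for ip, or None when there is no reverse record."""
    try:
        return gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:
        return None


def forward_confirmed(ip, hostname, gethostbyaddr=socket.gethostbyaddr,
                      gethostbyname_ex=socket.gethostbyname_ex):
    """FCrDNS: PTR(ip) must be hostname, and hostname must resolve back to ip.
    Receiving servers and blacklists treat a mismatch as a spam signal."""
    if reverse_name(ip, gethostbyaddr) != hostname.lower():
        return False
    try:
        return ip in gethostbyname_ex(hostname)[2]
    except OSError:
        return False


def looks_dynamic(ip, ptr_name):
    """True when the PTR name carries a pool keyword or embeds the IP's octets,
    e.g. c-198-51-100-23.dyn.example-isp.net for 198.51.100.23."""
    tokens = re.split(r"[^a-z0-9]+", ptr_name.lower())
    if any(t.startswith(DYNAMIC_HINTS) for t in tokens):
        return True
    numeric_tokens = {t for t in tokens if t.isdigit()}
    return set(ip.split(".")) <= numeric_tokens


def outbound_port_open(host, port=25, timeout=5.0,
                       create_connection=socket.create_connection):
    """Can we open a TCP connection to host:port at all?  Most residential
    ISPs filter outbound port 25, so this fails at home even with good DNS."""
    try:
        create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def preflight(ip, hostname, probe_host, *, gethostbyaddr=socket.gethostbyaddr,
              gethostbyname_ex=socket.gethostbyname_ex,
              create_connection=socket.create_connection):
    """Summarise all three checks for the address the server would send from."""
    ptr = reverse_name(ip, gethostbyaddr)
    return {
        "ptr": ptr,
        "forward_confirmed": forward_confirmed(ip, hostname, gethostbyaddr, gethostbyname_ex),
        "dynamic_looking": ptr is None or looks_dynamic(ip, ptr),
        "port_25_reachable": outbound_port_open(probe_host, create_connection=create_connection),
    }


def run_demo():
    """Two CONSTRUCTED scenarios with fake resolvers; nothing touches the network."""
    home_ip, vps_ip, mail_host = "198.51.100.23", "203.0.113.10", "mail.example.org"
    ptr_records = {home_ip: "c-198-51-100-23.dyn.example-isp.net", vps_ip: mail_host}
    a_records = {mail_host: [vps_ip]}

    def fake_gethostbyaddr(ip):
        if ip not in ptr_records:
            raise socket.herror(1, "Unknown host")
        return (ptr_records[ip], [], [ip])

    def fake_gethostbyname_ex(host):
        if host not in a_records:
            raise socket.gaierror(-2, "Name or service not known")
        return (host, [], a_records[host])

    def filtered(address, timeout=None):      # what a residential port-25 block looks like
        raise OSError("connection timed out")

    def allowed(address, timeout=None):       # unconnected socket, so .close() works
        return socket.socket()

    common = dict(gethostbyaddr=fake_gethostbyaddr, gethostbyname_ex=fake_gethostbyname_ex)
    return {
        "home": preflight(home_ip, mail_host, "smtp.example.net", create_connection=filtered, **common),
        "vps": preflight(vps_ip, mail_host, "smtp.example.net", create_connection=allowed, **common),
    }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(scenario, result)
```

To check a real address, call preflight with your public IP, the hostname you intend to put in the server's HELO/PTR, and some mail host you can legitimately connect to, leaving the resolver parameters at their defaults; all three values should come back the right way round (forward_confirmed True, dynamic_looking False, port_25_reachable True) before you bother installing anything.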

While we don’t recommend this for the beginner, it’s also not as difficult as you might think. Take a look and see what you think. From the website:

Mail-in-a-Box is based on Ubuntu 14.04 LTS 64-bit and uses very-well-documented shell scripts and a Python management daemon to configure the system. Take a look at the system architecture diagram and security practices.

Development takes place on github at https://github.com/mail-in-a-box/mailinabox.

Note that the goals of this project are to . . .

  • Make deploying a good mail server easy.
  • Promote decentralization, innovation, and privacy on the web.
  • Have automated, auditable, and idempotent system configuration.
  • Not make a totally unhackable, NSA-proof server (but see our security practices).
  • Not make something customizable by power users.

Mail-in-a-Box is dedicated to the public domain using CC0.

There’s another option too, if you’ve got a Raspberry Pi lying around.  This guide will literally walk you through booting your Raspberry Pi for the first time, all the way up to getting a secure webserver running.  In fact, the guide itself is hosted on a Raspberry Pi.  Take a look.