TOWR Security Brief – 08 August 2016


Kit Perez


08 August 2016


Welcome to the first installment of TOWR Security Briefs. The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.


In this week’s brief:

  • So-called “secure” messaging app Telegram was caught with a big data leak problem.
  • As we’ve mentioned, just using Tor isn’t enough. A federal judge has let slip some interesting info.
  • Android users aren’t safe either: Almost 900 MILLION users are affected by a new security hole found.
  • If that’s not enough, now your monitor can be hacked too.
  • All Delta flights got grounded this morning because of an IT problem. But sure, our infrastructure is safe.


Telegram claims to be a secure messaging app, but there are a lot of issues—enough to pass on it completely.


So-called “secure” messaging app Telegram ran into (another) snag last week, when it was discovered that the app leaks anything that’s pasted into it.

In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.

The app’s founder replied on Twitter that “any app can read your clipboard,” but Telegram quickly released a patch to fix the leak. Even so, there are far better apps to use if you’re looking for secure communications (at least, as secure as you can get using digital means).


“With all of Telegram’s problems thus far, it’s safe to say there are much better apps out there.”


The Tor browser took a hit lately as well. Recently, Ovie Carroll, who is with the Cybercrime Laboratory of the Department of Justice, advised a roomful of about 100 federal judges to use Tor because of data leaks and security problems on the ‘regular’ internet. Before you nod sagely and point to your own Tor install, take note of the second half of this story. A federal judge in Tacoma, WA who was present at that event had this to say:

I was surprised to hear him urge the federal judges present, a hundred or so of them, that they should use the Tor network to protect their personal information on their computers, like work or home computers, against data breaches and the like.

I did not respond to that. I almost felt like saying, “That’s not a good way to protect stuff, because the FBI can go through that like eggshells.”

What would make him say that? Here’s where it gets shady. That particular federal judge is the same one who “suppressed the FBI’s evidence in a recent child abuse case – evidence that was acquired even though the defendants allegedly used Tor to “protect” themselves from being tracked down.” Part of the reason that there was a controversy about that evidence at all was because the FBI didn’t want to reveal their Network Investigative Technique (NIT) that was used, which would have exposed their method of getting around Tor’s anonymity to begin with.

Naked Security asks some pointed yet valid questions:

Did the FBI hack the child abuse website and implant its NIT in a fake video on that very site, and thereby reveal a list of IP numbers that could be used to establish probable cause for a bunch of search warrants?

Or did it exploit a general security hole in Tor itself, and therefore perhaps pick up accidental visitors during the investigation?

Those of you who are still claiming “but I’m not doing anything illegal” would do very well to remember this story, and the questions it raises. If you think the government is above such conduct, think again.


Over 900 million Android users are affected by the latest security hole in Qualcomm chips.


You do have a burner phone or five, right?


A new set of vulnerabilities affecting Android phones was revealed at this year’s DEFCON. Named Quadrooter, the vulnerabilities are in the microchip at the heart of the Android device, and would give unfettered, complete access to a target’s phone.

An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.

So far the phones affected include:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Check Point, the group responsible for discovering Quadrooter, has released a free scanner app to help Android users know if their personal devices are at risk.

 


This is a monitor. This kind of monitor does not get hacked. Be like this monitor.


No, really.


As if finding out that your phone has a new security hole in it isn’t bad enough, your monitor can also be hacked. In fact, this particular vulnerability also targets almost one billion devices.

if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor’s embedded computer, specifically its firmware…the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait…for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor…

[T]his could be used to both spy on you, but also show you stuff that’s actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable…


And one more item for those blissfully ignorant souls who think a massive power outage wouldn’t reduce American society to a bunch of feral animals… This morning Delta Airlines experienced a fire in their data center, resulting in a loss of power that took down all flight operations and bookings. All flights were grounded for several hours. If there’s anything that can drive a group of people to feral behavior, it’s a FUBAR situation at the airport. Remember this story from Southwest a few weeks ago?

This is the second severe IT-induced travel disruption in recent weeks. On July 20, Southwest Airlines lost a router in its Dallas data center, which resulted in 2,300 flight cancellations. Southwest’s CEO Gary Kelly described that event as a “once-in-thousand-year flood.”

Think about the ripple effect from these incidents. These aren’t just people going on vacation or going to see Grandma (and even cancelling or grounding their flights causes financial hardship, issues with work, etc). These are business professionals, packages, documents, you name it. A disruption in U.S. air travel affects industries all over the world.

We included this story in this week’s brief to get you thinking. What if you were the one stranded someplace other than home due to a natural disaster or power grid attack? How would you get home? Could you get home? Do you have a plan in place for that scenario? Does your family know what to do if they’re in that situation? These types of scenarios are exactly why we train and prepare.

That’s it for this week. Feel free to discuss these stories in the comments!


Security Tips for Signal Users

If you’re a fan of the secure text messaging app Signal (and you should be), there are a few things you need to know about using it properly. From The Intercept:

Lock Down Your Phone

Common sense thing #1. There is no point to having a (more) secure texting app if your phone doesn’t even have a passcode on it. And I don’t mean a 4-digit PIN that matches your birthday or ATM PIN, either. Use the full QWERTY keyboard password option. Yeah, it’s less convenient. Security always is.

And for the love of all that’s holy, don’t use the Touch ID/fingerprint option. That’s just asking for trouble.

Hide Signal Messages on Your Lock Screen

If you’re worried about people seeing your private texts enough to use Signal, then it stands to reason that it’s pretty stupid to allow the content of your texts to show up on your locked phone screen. At the very least, make it so the content doesn’t show. If you’re truly security conscious, you may want to disable notifications on your lock screen completely.

Verify That You’re Talking to the Right Person

Makes sense, right? Man-in-the-middle attacks, interceptions, taps, you name it and it’s happening. If you’re trying to talk to someone about something, somewhere, someone is trying to listen to it. Signal has identity verification for the people you’re talking to. Use it.

Archive/Delete Messages

Okay so you installed Signal, put a password on your phone, turned off notifications. You can text and text now, right? Sure…as long as you don’t leave the texts on your phone. Layered security is called that for a reason. If someone IS able to get into your phone, there should be nothing for them to find…at least in your Signal. When you’re done, archive it. Delete it. Get rid of it.

The original article has a how-to guide for all of the above. Go read it. And if you’re still using Wickr…..might want to think about that.

Elicitation: Is It Happening to You?

Something we don’t talk about often enough–and we should–is the concept of elicitation, or the process of getting someone to tell you information without them realizing they’re giving it to you. The biggest problem with it is simple: It’s getting done TO us a lot more than we’re doing it to anyone else. That needs to change.

There are several ways to elicit information from someone, and they range from the blatantly obvious instant gratification type to the completely sneaky, long-game, over time version. You should be familiar with both–especially because the folks with the .gov after their name have all kinds of time to do it. Let’s take a closer look.

Why Does Elicitation Work?

The beauty of elicitation is that it isn’t some kind of magic. It’s simply leveraging and exploiting facets of people’s personality, and the basic things that exist in human nature. In our quest to learn from everyone, and not just the people we like, we’re going to look at the FBI’s page on elicitation (I refuse to link to it, however. You can find it yourself). Here’s a list of traits that the FBI likes to exploit:

  • A desire to be polite and helpful, even to strangers or new acquaintances
  • A desire to appear well informed, especially about our profession
  • A desire to feel appreciated and believe we are contributing to something important
  • A tendency to expand on a topic when given praise or encouragement; to show off
  • A tendency to gossip
  • A tendency to correct others
  • A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
  • A tendency to believe others are honest; a disinclination to be suspicious of others
  • A tendency to answer truthfully when asked an “honest” question
  • A desire to convert someone to our opinion

How many of those fit you? I guarantee a good number of them. If you love those Facebook debates, guess what? You’re on this list. If you can’t stand to hear incorrect information without standing up and saying “That’s wrong because…” then you’re on this list. If you’ve never done an assessment of your critical information, you’re probably underestimating the information you know. If you need to feel like you’re contributing something and have those efforts recognized, you’re on the list. In other words, whoever you are, something on this list will probably work on you if you’re not paying attention.

How it All Works

Elicitation is actually less work, in some ways, than you might think. It simply requires setting aside your own wants and beliefs and needs (such as your need to talk a lot in a conversation), and encouraging the person you’re talking with, to talk more. Let’s look at some examples.

Target: I can’t believe the laws about guns and ammo they just passed here in California.
Collector: I haven’t had a chance to study them. Are they really that bad?
Target: YES they are horrible! I don’t know how my group is going to keep up our weekly ammo buys now.
Collector: Weekly ammo buys?
Target: Yeah, we do a group buy of 5000 rounds every week. It lets all 10 of us get bulk ammo at a reduced price. We’ve been doing it for about 6 months now.
Collector: Oh, nice. That’s pretty shrewd of you! Good planning!
Target: We’ve got some very good connections. One of my guys’ cousins works at the gun shop on 173rd, and he makes sure we get a good price under the table. I could hook you up if it wasn’t for the stupid law. We’re not sure how we’ll get any now. Good thing we stocked up.

Three different tactics were going on here, in succession.

Tactic 1: Naive Mentality, or playing stupid. In the first exchange, the target made a complaint; the collector paid attention, and played as though he didn’t know what the fuss was about. The target was all too happy to expound on his anger and how that law will affect him directly.

Information gained:

  • He’s in a group.
  • They do weekly ammo buys in bulk.

Tactic 2: Repetition. This is where the collector picks up on the key words in the statement, and repeats them back to the target, who will then (again) expand on his statement.

Information gained:

  • Number of rounds purchased.
  • Number of people in the group.
  • Time factor.
  • These three figures mean the collector now knows a baseline of how much ammo each individual in the group has (not counting any previous or side purchases). He knows, at the very least, what the ammo count is for that group.
  • It’s a good bet that the 5000 rounds is also all in one caliber, which means the collector now can guess that they all run the same weapons platform as well.

Tactic 3: Flattery. People love to be complimented on their skills, their looks, whatever. It’s no different in the patriot/liberty/III movement. In this case, all the collector had to do was compliment the target’s “planning skill” and he got a few more nuggets.

Information gained:

  • Source of the ammo.
  • Location of the source.
  • Nature of the source, and the fact that he’s not internal.
  • The sales are “under the table,” and from a legal gun shop.
  • Perhaps most important: a peek into the target’s mindset. Not exactly an out of the box thinker. They “can’t” get ammo because of the “law.”

If you were playing for a different side, what could you do with that information? How hard would it be to shut down that avenue completely–ensuring that not only can they not get bulk ammo, but no one else in the area can buy anything from that shop?

These are only three very common tactics. There are plenty more. At this point you might be thinking, “who cares if the group has 5 or 50,000 rounds? How is that critical?” What if the collector is a fed looking to know about supply caches? What if he’s simply a ‘marauder’ planning to steal the supplies of others instead of preparing for himself? What if…? And you may, through your critical information assessment (you’re doing one, right?), decide that the amount of ammo you have available to you is okay to be public knowledge. That’s fine—except this guy also decided that the other 9 members of his group ALSO have their ammo numbers as public knowledge. As I’ve said before: your choice to employ information security is yours alone. However, you don’t get to make that decision for others. And if your being a big mouth puts THEIR information at risk, then you’re a jackass.

All of the above comes down to this: The tactics can be used against anyone, on any topic. I have done them, I have seen them work, and I’ve even been caught by them myself. It sounds like a good time to talk mitigation and prevention.

How to Combat It

Here’s an alternative conversation that could/should have happened:

Target: I can’t believe the laws about guns and ammo they just passed here in California.
Collector: I haven’t had a chance to study them. Are they really that bad?
Target: Yeah. I’ll send you a link. Or just do a search for them. You’ll see. Let me know what you think.
Collector: Are these going to affect you and your group?
Target: I don’t have a group. I can’t even keep my own family in line.

See the difference? Here the collector used a new tactic as well when the first one didn’t work–he straight up went fishing. By pretending to already know the target had a group, he encouraged the target to confirm that yes, this will affect them. The target did something that is not exactly easy for a lot of people to do: He hinted at his own incompetence. Even when it’s false, people have a hard time with this. They want to be seen as knowledgeable and competent–which, if you remember from the beginning of this article, is one of the exact things that can be exploited.

Being vigilant can be difficult, but it’s worth it. Here are a few basic examples of what to look for.

  • Flattery – If someone frequently compliments you and you’re not married to them, they want something. People who constantly tell you how amazing/skilled/etc. you are should trip an alarm in your head. If it sounds too good to be true, it is.
  • Frequent repetition – If you’re having conversations where someone is repeating key pieces of your side of the conversation, be aware. Don’t expand. Think through what you just told them that prompted the repetition and decide if you just screwed up–and if you did, how to stop the damage.
  • Be aware of leading questions and fishing expeditions. Figure it this way: Does the person you’re talking to need to know the information you’re about to give them? If not, then it doesn’t matter if it seems as though they may already know. Don’t fall for it.
  • If they are bold enough to flat out ask a direct question, simply ignore it or tell them you don’t know (another difficult thing for folks to do). If you don’t want to lie to people, you can simply say, “Look, I don’t have those kinds of conversations,” and let that be the end of it.
  • Normally I would say to trust your gut. Unfortunately, far too many people have managed to put their “brotherhood” over their brains. It cannot be said enough: Just because someone calls you “brother” does not make them so, and just because you trust someone does not make them trustworthy.
  • Think before you talk. Every time, no matter who you’re talking to.

Elicitation can’t be taught in the space of an article, nor will reading this make you impervious to all forms of it. What it can do, however, is make you want to learn more, to do some research, and to get familiar with it yourself. It does come in handy for a lot of reasons–good, solid ones.

Here’s an interesting case for you to see it in action. And when you’re done, here’s a bit more.

Lessons for Vetting: UK Undercover Manual

Grugq has a link to very interesting material: a manual for undercover police work used in the UK. While you may flip through it, see the organizational stuff and wonder why it’s important, you may be surprised to learn that there are some pretty decent nuggets in there. How a group does something is perhaps even more important than what they’re doing, and understanding how they’re set up and how they facilitate their activities is a critical part of resisting them or dealing with them at all. While you may think it’s for the UK and therefore not applicable to us, you’d do well to read it anyway and note that some things are universal, especially when it comes to vetting.

A few examples:

Page 34: Backstopping and legend building – In case you didn’t know, there are personnel who “develop, maintain and support covert identities and structures capable of withstanding scrutiny.” That means they’ve already thought about your piddly vetting measures, and they already planned ahead. When you’re dealing with an intelligence service or agency who is willing and able to put work and expense into making sure that their fake identities hold up even if you’re looking into them, then it can be taken as gospel that your simple “internet footprint” check and $29 background peek is not going to expose them. They’ve already covered those bases.  And even if you think you’ve got a hookup for deeper checks, like an FFL who’s figured out how to run NICS checks under the table or a federal level contact who’s willing to do some searching on your behalf, they’ve probably thought about that too. In fact, they’ll have documents that back up their story, and your buddy at the Alphabet Agency may not be as helpful as you think–that’s even if he’s really trying to help at all.

Does this mean the moles and UCs can’t be exposed, or that you cannot protect yourself? No. You can, and you should, and there are ways to do it (that involve a lot more than simply checking someone’s Facebook page or paying someone to go look at public records for you).

Page 54: Conduct – This whole section talks about all of the things they can and cannot do. While you might be chuckling to yourself and thinking, “Well, that means the person I’m smoking pot with/sleeping with/acquiring materials with must be fine because they can’t do that stuff if they’re undercover,” please note the following phrase that finds its way into every single section of conduct:

“If the UCO engages in unauthorized ______ for whatever reason, this activity will be restricted to the minimum conduct necessary to mitigate the threat…” That means that the whole list of “can nots” just became a “can, as long as you can justify it.” Well, if it’s “necessary” to spend 18 months hanging out with someone before they trust you enough to let you talk them into a bomb plot, they’re okay with that. If it’s “necessary” for them to go to your activities, engage in some civil disobedience and lawbreaking, and act just as anti-tyranny as you, they’re okay with that too. And for the record, honey traps, or seduction operations, have been extremely effective for thousands of years. Do you really think they’re going to stop using them because they’re worried about the UC’s feelings, or worried that it’s not “fair?” By the way…when you see the phrase “mitigate the threat,” keep in mind that you’re the target. You’re the threat. This means they have rules, but ALL of those rules are breakable if it means they can “mitigate the threat”….that’s you.

Page 56: Agent Provocateur – Here’s something we’re all becoming very familiar with. They define an AP as someone who “entices another to commit an express breach of the law which they would not otherwise have committed and then proceeds to inform against them in respect of such an offence.” Pay attention to that: they specifically say “which they would NOT have otherwise committed.” Think about that. Their entire purpose is to get you to do things you would not normally do, and wouldn’t do at all if they weren’t enticing you. People like to call this being “framed.” It’s not. They like to claim that being set up in this way absolves you of responsibility and makes you a victim. That’s not the case. At the end of the day, you CAN keep yourself from being set up in this way.

(Are they willing to flat out make things up to get you? Sure. But they don’t often have to, because so many people allow themselves to be manipulated into actually doing it.)

We carry firearms and talk about how our security is OUR problem, how self-defense means no one will protect you except you. The same people, oddly enough, will engage in shoddy vetting practices, or think that whoever calls them brother and shows up to the FTX is trustworthy. They’ll turn off their location settings on Facebook “for security reasons” and then post 30 photos of themselves in the parking lot of their FTX, where anyone with a laptop and a few skills can piece together everything from license plates to home addresses to blood type, gear condition and type, who’s in what unit and what position they hold, and based on body language, sometimes even the group dynamics. It takes little time to choose someone to target, and sadly it sometimes doesn’t take long to gain their trust. Keep in mind that those who would target you have all the time in the world. They can afford to be patient, to slowly prove themselves trustworthy and slowly earn your loyalty while moving you closer and closer to the fire.

We don’t get to go through life oblivious to the threat, and we don’t get to assume that we know all the threats. Yes, the person you train next to may already be trained by someone else. The fellow ‘patriot’ offering you a good deal on a firearm or other materials may not be doing so out of the goodness of his heart. The female you’ve been talking to and trying to impress may be dutifully recording all your FTX stories. Just because you trust someone does not make them trustworthy.

Take the time to learn how to properly vet someone; don’t assume you know how, or that it’s even as simple as an internet check. Don’t press for “unity” and “national affiliation.” Don’t be afraid to question the people who you work with–even the ones you’ve worked with for a while. Don’t take on new people easily (or ever). It’s not a popularity contest, and you don’t get a bonus for having the biggest group.

Above all, be open to learning from anyone, whether you like them or not, whether you agree with them or not, even if they’re criminals. Just because you look at a drug dealer or environmental terrorist and think “well THOSE guys are criminals” doesn’t mean you can’t learn from them. Remember, there are those who look at you and think the same thing! Lastly, don’t ever be willing to bet your life or the lives of others on substandard vetting. So-called “unity” isn’t worth it.

Additional Reading:

7 Ways the Cops Will Bust You on the Dark Web

How to Make a Truly Anonymous Facebook Account, Part 1

Two Things You Need to Know About Division

Sparks31: Down-Grid Communications Book Review and Thank You!

Good day, patriots!

Recently a friend of TOWR gave us a copy of Sparks31’s latest tome, “Down-Grid Communications”.  It then, I’m sorry to say, sat on my shelf for a few days before I got around to picking it up.

First of all, THANK YOU, Tom, for thinking of us when writing your acknowledgements.  We greatly enjoyed having you up here.  For those who don’t know, Tom’s introductory class was the first one we sponsored at TOWR, and remains our most successful to date.  Now, on to the review.

If you are the newly minted “comms guy” in your group, or your team’s intel officer, “Down-Grid Communications” is the stepping off point you want as you begin gathering intelligence information from your local area.   This book is not one that you buy and stick on your shelf until something goes sideways; it’s an action plan that you need to put into effect today.

The book begins briefly by considering common news sources, their trustworthiness, and whether or not the information they provide is relevant to you when it comes to monitoring your AO.  Even if you think Fox News is the greatest thing since sliced beef, which is more immediately important: the latest presidential hullabaloo or the meth house down the street?  The author then lays out a basic five step plan that the rest of your communications will hang on.

Next, the author focuses on your education.  Specifically, what you need to know to use and maintain the equipment that will support your mission.  He briefly covers a basic library of books that will help get you up to speed on maintenance, repair, and modifications of communications equipment to maximize their use.

I’m not going to go step by step through the entire book and ruin it for you, but the sections on monitoring equipment and techniques are definitely worth the price of admission.  He also covers the major available radio services (such as CB, FRS, Amateur Radio), basic One Time Pad generation, and field phones.

“Down-Grid Communications” packs a lot of information into its 80 pages, but it’s up to you to act on it.  At the risk of being redundant, this isn’t a book you skim and file away for when the zombies rise.  It’s an introduction to the skills you need to develop.  You can buy the book on Lulu for $9.99.  Sparks31’s current blog is http://sparks-31.blogspot.com/.

EDUCATE. EMPOWER. RESIST.