TOWR TECH & SECURITY

TOWR Security Brief: 12 September 2016

Kit Perez

08 August 2016

Welcome to this week’s TOWR Security Brief. The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.

In this week’s brief:

  • The Killer USB stick, a flash drive that fries any computer it’s plugged into, is now on sale. You need one–for your own computer.
  • Tor Messenger 0.2.0b2 is out, so you’ll want to upgrade (or get it to begin with).
  • Speaking of Tor, we’ve got more information on how you can be identified on Tor if you’re not careful.
  • You know all those Bluetooth- and Wifi-enabled devices and appliances you thought were so cool at first? They’re spying on you. That’s their actual purpose.
  • Still think that people don’t get paid to be trolls, disrupting your social media conversations and forum threads or posting disinformation to color your opinion on an issue? Think again.

You need this…for yourself.


You’ve got all kinds of data on your computer. Whatever you have on your computer is your business… until the feds make it their business. Should you find yourself in need of ditching the info on your computer at a moment’s notice, there’s a little something called USBKill that can help you out with that. It was a proof of concept, but now it’s real.

The USB Kill collects power from the USB power lines (5V, 1 – 3A) until it reaches ~ -240V, upon which it discharges the stored voltage into the USB data lines.
This charge / discharge cycle is very rapid and happens multiple times per second.
The process of rapid discharging will continue while the device is plugged in, or the device can no longer discharge – that is, the circuit in the host machine is broken.

They’re $50, and you can get them here. (No, we’re not getting a kickback for that endorsement. We’re buying them too!)

“USB Kill stick could be a boon for whistleblowers, journalists, activists…” – thehackernews.com

Tor Messenger is out with an updated version. You can get it here. One of the biggest changes is secure updating:

Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.

Nifty.

Are Tor hidden services making you easier to catch?


At this point you’re probably using the Tor Browser, and you may or may not be using it to browse the Dark Web. Can you trust Tor’s Hidden Service Directories? Naked Security says no way.

In their presentation, Non-Hidden Hidden Services Considered Harmful, given at the recent Hack in the Box conference, Filippo Valsorda and George Tankersley showed that a critical component of the Dark Web, Tor’s Hidden Service Directories (HSDirs), could be turned against users.

Targeting HSDirs is so easy that the researchers suggest you should avoid the Dark Web if you really care about your anonymity.

Isn’t that fun?

If that didn’t put a dent in your day, let’s talk about the Internet of Things, or IoT. Seemingly everything in our house is tied to wifi or Bluetooth now, from your smart fridge to your smart TV to your security cameras to the thermostat. Apps like IFTTT automate things even further (allowing you to set conditions and actions such as “If my phone leaves the house, turn the thermostat down to 60 degrees, and turn it back up when I am showing as 1 mile from home.”), moving data between apps and devices that normally wouldn’t talk.

One of the things we hammer home in the Basic Privacy class is that the more convenient something is, the less secure and/or safe it is. Robert Gore at Straight Line Logic rounds up a few articles that are so must-read that we’d forgive you if you went over there before finishing this security brief. You need to understand the nature of the IoT threat and what it means for you and your family. You may realize, after reading, that maybe you don’t need all those conveniences after all.

And lastly, we have this gem. Disinformation is not only a favorite tool of the Powers That Be and their lackeys, but it’s big business. Schneier has details.

But Aglaya had much more to offer, according to its brochure. For eight to 12 weeks campaigns costing €2,500 per day, the company promised to “pollute” internet search results and social networks like Facebook and Twitter “to manipulate current events.” For this service, which it labelled “Weaponized Information,” Aglaya offered “infiltration,” “ruse,” and “sting” operations to “discredit a target” such as an “individual or company.”

Schneier makes the salient point that some of the claims made could possibly be exaggerated, but the real point, as he reminds us, is that there are governments interested in these services, and willing to pay big money for them. Do you really think no one’s providing them?

That’s all for this week’s brief. Stay tuned tomorrow for a list of updated class offerings for the next 6 months!
