Welcome to this week’s TOWR Security Brief. The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them. We’re dispensing with the fancy formatting today because we have so much to cover, so let’s get down to it.
The new version of Tor is out; this is the hardened 6.5a3 build. You could grab it from the Tor site, or you could just go get the new version of Tails OS; you need both, and of course Tor comes with Tails.
Whether or not Bitcoin is legally considered money has just been answered; apparently that answer is yes…this week.
In July, a Florida judge ruled that cryptocurrency is not money in a case involving a Bitcoin vendor caught in a sting set up by a Miami police detective. In 2013, however, a Texas-based federal judge came to the opposite conclusion in a case involving a Bitcoin-based hedge fund. The Financial Crimes Enforcement Network (FinCEN) also advised in 2013 that Bitcoin-based businesses should be considered Money Services Businesses under US law, but the Internal Revenue Service treats the cryptocurrency as property rather than currency, meaning it’s subject to capital gains tax.
Two Harvard students have done some pretty solid open source collection/analysis work with this project. They went to markets on the dark net (the sites that sell drugs, guns, etc.) and collected images of drugs taken by the respective vendors—over 200,000 of them. “The duo found 229 images that contained unique GPS coordinates which, unless spoofed, can be used by investigators to locate the places where the photos were taken within the range of two kilometers.” Take another look at the numbers: Apparently out of 200K+ images, 229 of those had geolocation data. That means, the owners of 229 photos are stupid and/or careless. As we keep saying…it only takes once. Think about that next time you are struck with an uncontrollable urge to post pics from your THUPER THECRET FTX.
Speaking of stupid and careless, people in Australia are finding unknown USB sticks in their mailboxes…and plugging them into their computers. What a shocker…there’s malware.
“Members of the public are allegedly finding unmarked USB drives in their letterboxes.
Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues [malware].
The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.”
That’s why we keep telling folks not to do that. it’s bad, mmmkay? Human nature, however, seems to win over common sense.
Meanwhile, the site Krebs on Security was attacked last night with one of the biggest DDoS attacks the Internet has ever seen. What makes this so significant isn’t just the size, either—it’s that it used hacked devices from the Internet of Things (IoT) in its attack. In other words, it used other people’s devices–NOT their computers.
There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.
Think about that…and then think about whether or not all that convenience in your devices is a good idea.
New York City, by the way, crowdsourced a manhunt. This should bother you to the soles of your shoes, because it means that if you are ever on the run from people looking to arrest you for political dissent or “antigovernment statements,” you aren’t running from just law enforcement and/or government agents. You’re running from everyone with a smartphone. (Side note: Speaking of smartphones, want to get into an iPhone the way the FBI did?)
Rahami, suspected of executing bombings in Manhattan and New Jersey over the weekend, would be arrested hours later following a brief shootout with police — his apprehension reportedly an unlikely combination of detective work, a vigilant New Jersey resident, and, apparently, some petty street thieves who saw something and said something.
Pay attention: other CRIMINALS “saw something and said something.” You will not be able to run or hide if you get this deployed against you. Act accordingly…and that means, act under the radar. Stop drawing attention to yourself. Read up on that kind of thing.
Lastly…Eleven US cities are ‘cracking down on warrantless surveillance’ by looking to pass city ordinances that ‘severely limit’ the use of stingrays and other similar surveillance tools. Before you get excited, please look at the language of these principles that they’re patterning the ordinances after….
The ordinances will be built on these principles:
Surveillance technologies should not be funded, acquired, or used without prior express city council approval.
Local communities should play a significant and meaningful role in determining if and how surveillance technologies are funded, acquired, or used.
The process for considering the use of surveillance technologies should be transparent and well-informed.
The use of surveillance technologies should not be approved generally; approvals, if provided, should be for specific technologies and specific, limited uses.
Surveillance technologies should not be funded, acquired, or used without addressing their potential impact on civil rights and civil liberties.
Surveillance technologies should not be funded, acquired, or used without considering their financial impact.
To verify legal compliance, surveillance technology use and deployment data should be reported publically on an annual basis.
City council approval should be required for all surveillance technologies and uses; there should be no “grandfathering” for technologies currently in use.
- As long as the council approves it, it’s fine. And naturally the council WILL approve it.
- Local communities should play a role, but they don’t have the last say.
- It SHOULD be transparent and well-informed, but it doesn’t have to be.
- We gotta approve it all piece by piece. Just means more paperwork, but can be done.
- As long as we perform lipservice about civil rights we can go ahead and still do what we want.
- “Consider” the financial impact but it doesn’t have to affect the decision.
- By the time it gets reported, even worst case scenario says we have a whole year to use it at will.
- Again….we can certainly get the council to go along.
Right…pretty effective, I’m sure. Also, NYC says no one can talk about the stingrays because it makes them hackable.
BONUS ITEM: Selco has an article on keeping yourself from starting a riot. Included here for a comment on the post that is pure gold:
Do this in your own community but in the bad part of town. It really is a different country. when I leave work and decide to stop at the ghetto walmart, I silence and pocket my iphone and iwatch, untuck my shirt partially to look a bit more slobbish. I then walk a little hunched over and have my head down instead of up and looking confident.
The only thing that is a dead giveaway for me is the $400 shoes, and I really should keep a pair of $9.00 beat up sneakers in the car.
I go from professional with a good job and wealth to guy that is down on his luck in minutes. I pay with a creditcard that you can have as a photo, I used the image of the local area food stamps card for it. so it completely looks like I am paying with food stamps like all the other poor people. [emphasis added]
Ignore tone. Look at tactic. Brilliant.
Have a good week.