Category Archives: Counter Surveillance

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera offers a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real time and apply the right security measure, so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies; it monitors risk level, threat activities and security posture per device and deploys countermeasures.

Any thoughts welcome.

ENDS.

The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies and VPNs, and that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under each of the above headings has been compromised. Rather it means that the OS-level hack capability of the CIA – as seen on iOS and Android – allows them to gain full control of the device and render any point-solution countermeasures moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.

ENDS

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is intact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any attack in particular against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing; this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.
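The two data points the forum story turns on are a source IP address and a timestamp. As an added illustration (not Dean Webb’s or this blog’s own code), the following Python links re-registered accounts to a banned one by the addresses they share and groups the access times by network owner, which is the report the admin sent to the university. The log lines and the ownership table are constructed; the table stands in for a WHOIS lookup.

```python
"""Ban-evasion correlation by IP address and timestamp (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access log: "timestamp account ip action".
ACCESS_LOG = """\
2007-03-02T14:01:10Z troll_01 203.0.113.17 post
2007-03-02T14:03:42Z troll_01 203.0.113.17 post
2007-03-02T15:10:00Z alice 198.51.100.8 post
2007-03-03T09:12:31Z troll_02 203.0.113.17 post
2007-03-03T09:14:05Z troll_02 203.0.113.22 post
2007-03-04T18:40:12Z bob 192.0.2.45 post
2007-03-05T11:00:00Z troll_03 203.0.113.22 post
"""

# Hypothetical ownership table standing in for a WHOIS/RDAP lookup.
NETWORK_OWNERS = {
    ip_network("203.0.113.0/24"): "Example University (abuse@example.edu)",
    ip_network("198.51.100.0/24"): "Example ISP",
}


def parse_log(text):
    """Yield (timestamp, account, ip, action) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action = line.split()
        yield ts, account, ip_address(ip), action


def linked_accounts(log_text, banned):
    """Return every account that shares a source IP, transitively, with `banned`.

    This mirrors the admin's reasoning: a banned user who re-registers from
    the same address is tied to the old account by the address, not the name.
    """
    by_ip = defaultdict(set)
    by_account = defaultdict(set)
    for _, account, ip, _ in parse_log(log_text):
        by_ip[ip].add(account)
        by_account[account].add(ip)
    linked, frontier = set(), {banned}
    while frontier:
        account = frontier.pop()
        linked.add(account)
        for ip in by_account[account]:
            frontier |= by_ip[ip] - linked
    return linked


def abuse_report(log_text, banned):
    """Build {network owner: [(timestamp, account, ip), ...]} for the linked
    accounts, i.e. the access times to hand to the owner of the network."""
    accounts = linked_accounts(log_text, banned)
    report = defaultdict(list)
    for ts, account, ip, _ in parse_log(log_text):
        if account not in accounts:
            continue
        owner = next((o for net, o in NETWORK_OWNERS.items() if ip in net), "unknown")
        report[owner].append((ts, account, str(ip)))
    return dict(report)


if __name__ == "__main__":
    for owner, hits in abuse_report(ACCESS_LOG, "troll_01").items():
        print(owner)
        for ts, account, ip in hits:
            print(f"  {ts}  {account:<10} {ip}")
```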

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most peoples personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point that the comment misses, and the point Dean makes about the average John Q. Citizen’s awareness of the threats and of the countermeasures available, is that the public in general has moved its private communications onto a platform where it does not understand the implications of the ability of outsiders to eavesdrop, or to store data and reference it at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most peoples personal information is / will be inconsequential”, or whether the storage of most people’s browsing history or contacts with other parties is / will be inconsequential – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS

Surveillance Self Defense Advice from the Electronic Frontier Foundation

Choosing the VPN That’s Right for You

What’s a VPN?

VPN stands for “Virtual Private Network.” It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network—benefiting from the functionality, security, and management policies of the private network.

What is a VPN Good For?

You can use a VPN to connect to the corporate intranet at your office while you’re traveling abroad, while you are at home, or any other time you are out of the office.

You can also use a commercial VPN to encrypt your data as it travels over a public network, such as the Wi-Fi in an Internet café or a hotel. You can use a commercial VPN to circumvent Internet censorship on a network that blocks certain sites or services.

For example, some Chinese users use commercial VPNs to access websites blocked by the Great Firewall. You can also connect to your home network by running your own VPN service, using open source software such as OpenVPN.

What Doesn’t a VPN Do?

A VPN protects your Internet traffic from surveillance on the public network, but it does not protect your data from people on the private network you’re using. If you are using a corporate VPN, then whoever runs the corporate network will see your traffic. If you are using a commercial VPN, whoever runs the service will be able to see your traffic.

A disreputable VPN service might do this deliberately, to collect personal information or other valuable data.

The manager of your corporate or commercial VPN may also be subject to pressure from governments or law enforcement to turn over information about the data you have sent over the network.

You should review your VPN provider’s privacy policy for information about the circumstances under which your VPN provider may turn your data over to governments or law enforcement. You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws in those countries, which may include both legal requests for your information from that government, and other countries with whom it has a legal assistance treaty.

In some cases, the laws will allow for requests without notice to you or an opportunity to contest the request.

Most commercial VPNs will require you to pay using a credit card, which includes information about you that you may not want to divulge to your VPN provider. If you would like to keep your credit card number from your commercial VPN provider, you may wish to use a VPN provider that accepts Bitcoin, or use temporary or disposable credit card numbers.

Also, please note that the VPN provider may still collect your IP address when you use their service, which can be used to identify you, even if you use an alternative payment method. If you would like to hide your IP address from your VPN provider, you may wish to use Tor when connecting to your VPN.

Republished without editing from the article Choosing the VPN That’s Right for You published and last updated on 2016-06-09 by The Electronic Frontier Foundation.

END

State Surveillance in Ireland Part 3: Surveillance Powers & “Authorisation” Processes

Under the 1993 & 2009 legislation governing surveillance powers in the Republic of Ireland there is a wide range of measures available to the relevant sections within An Garda Siochana, The Defence Forces and The Office of the Revenue Commissioners.

This post does not cover the measures available in the 2011 Communications (Retention of Data) Act, which will be covered in a separate post.

To greatly summarise, under the 1993 and 2009 Acts the various organs of State can:

  1. Place phone taps on fixed line communications;
  2. Eavesdrop fixed line communications;
  3. Carry out unrestricted interception of postal correspondence;
  4. Open and read said correspondence;
  5. Place trackers on postal parcels;
  6. Siphon (Man in the Middle Attacks) and read email communications;
  7. Monitor and record internet usage;
  8. Conduct audio and video surveillance;
  9. Store captured audio and video footage, gained from covert surveillance, for an unrestricted period of time;
  10. Covertly enter a private dwelling or vehicle and install a range of devices to facilitate the above activities;
  11. Covertly re-enter a private dwelling or vehicle to retrieve said devices;
  12. Covertly place tracking devices on any vehicle that it is felt is connected with an investigation;
  13. Track all movements of said vehicles within and outside the jurisdiction of the Republic of Ireland.

In order to carry out covert surveillance, An Garda Siochana, The Defence Forces and The Office of the Revenue Commissioners have several short cuts available that circumvent the need to involve a judge or any higher legal entity external to the organisation seeking permission to perform the surveillance on a person or persons.

It really does not matter though as there is an almost 100% approval rate for surveillance requests whether granted by the famous “Superior Officer” or a Judge. “Superior Officers” can grant surveillance periods of 3 to 4 months depending on which Act is being invoked and all are capable of being granted extensions.

Many surveillance requests are granted in “emergency” situations, which do not require external permission. While the Acts themselves cover a range of surveillance methods, there is a host of other surveillance tactics that are not governed by the Acts and are carried out with little if any oversight and certainly no transparency with respect to process.

As far as disclosure is concerned – all attempts to gather statistics or specifics are met with a wall of silence or derisory replies.

END

State Surveillance in Ireland Part 2: Establishing Credibility & Demonstrating A Culture of Silence

In Part 2, I briefly describe my attempts to acquire information from the various entities – organisations, government departments and individuals – responsible for oversight with respect to the 1993 Interception of Postal Packets and Telecommunications Messages Act and the 2009 Criminal Justice (Surveillance) Act.

I sought their opinions on certain matters in order to inform my findings on the subject of accountability and the chain of command and oversight with respect to state sponsored surveillance programmes in the Republic of Ireland.

In July 2014, after issuing multiple unanswered requests under The Freedom of Information Act 1997 (FOI) as amended by the Freedom of Information (Amendment) Act 2003 I then proceeded to send information packets by registered post to multiple organisations, government departments and individuals.

The packets contained detailed background information on the reasons for my questions and a detailed articulation of each of the questions I was seeking answers to / opinions on (including their views on why they thought that I had not received the requested information via the FOI process):

  1. Mr. Michael Noonan TD, Minister for Finance, Department of Finance, Government Buildings, Upper Merrion Street, Dublin 2
  2. Ms. Frances Fitzgerald TD, Minister for Justice & Equality, Department of Justice, Government Buildings, Upper Merrion Street, Dublin 2
  3. Ms. Claire Loftus, Director of Public Prosecutions, The Office of the Director of Public Prosecutions, Infirmary Road, Dublin 2
  4. Ms. Nóirín O’Sullivan, Garda Commissioner, Office of the Garda Commissioner, Garda HQ, Phoenix Park, Dublin 8
  5. Citizens Information Board, Ground Floor, George’s Quay House, 43 Townsend St, Dublin 2
  6. Blanchardstown / D15 Citizens Information Centre, Westend House, Snugborough Rd, Blanchardstown, Co. Dublin
  7. Office of the Revenue Commissioners, The Revenue Solicitors Office, Ship Street Gate, Dublin Castle, Dublin 2
  8. Ms. Marie-Claire Maney, Revenue Solicitor, The Revenue Solicitors Office, Ship Street Gate, Dublin Castle, Dublin 2
  9. Ms. Josephine Feehily, Chairman, Office of the Revenue Commissioners, Castle Yard, Dublin Castle, Dublin 2
  10. Mr. Michael Gladney, Collector General, Sarsfield House, Francis Street, Limerick
  11. Principal Officer, Office of the Revenue Commissioners, Dublin Region, Investigations District, Block D, Ashtowngate, Navan Road, Dublin 15
  12. Principal Officer, Office of the Revenue Commissioners, Dublin Region, South County District, Plaza Complex, Belgard Road, Tallaght, Dublin 24
  13. Principal Officer, Office of the Revenue Commissioners, Investigations & Prosecutions Unit, Castle View, 52-57 South Great George’s St, Dublin 2
  14. Principal Officer, Office of the Revenue Commissioners, Customs Criminal Investigations, 5th Floor, Block D, Ashtowngate, Navan Road, Dublin 15
  15. Principal Officer, Office of the Revenue Commissioners, Customs Enforcement Unit, M:TEK II Building, Armagh Road, Monaghan, Co. Monaghan
  16. The Hon. Mrs. Justice Susan Denham, Chief Justice of the Supreme Court of Ireland, Four Courts, Inns Quay, Dublin 7
  17. The Hon. Mr. Justice Nicholas Kearns, President of the High Court, Four Courts, Inns Quay, Dublin 7
  18. Simon O’Brien, Commissioner, Garda Siochana Ombudsman Commission, 150 Upper Abbey Street, Dublin 1
  19. The Office of the Ombudsman
  20. The Office of the Garda Siochana Ombudsman Commission

I received one response – from the secretary to Mr. Michael Noonan TD, Minister for Finance, Department of Finance – acknowledging receipt of my correspondence.

That is all.

END