Category: privacy

The Dark Web – Secure and Sinister or Just Slow

The darknet is often cited in news stories and the mainstream media as a mysterious, scary place full of criminals and terrorists; however, part of that is simply not true.  There are actually plenty of criminals on there; in fact, illicit substances and pornography seem to form a huge proportion of the anonymised sites.


For anyone who has never ventured onto the darknet perhaps a quick introduction is in order.  The Darknet exists completely independently of the mainstream world wide web and crucially none of the sites or information exist on a single identifiable web server.  The darknet is accessed via a plugin which can be installed in your browser and enables you to access an Open Network called TOR available from here.   TOR also allows you to communicate anonymously on the traditional web without being identified although it’s not completely anonymous.

You can identify a Darknet (or Deep Web) address from its extension: instead of the traditional html ending, all hidden web sites end in the extension .onion.  You will not be able to access any of these addresses without using the TOR plugin in your browser, however.  As mentioned, none of these web pages exist on a single web server, but are hosted on thousands of computers anonymously on the TOR network – ensuring that people can post and access information without being traced.

This all sounds fantastic for anyone up to no good and you’d expect to find thousands of terrorist sites and information; however, there are hardly any, a handful at most.  So why aren’t ISIS and al-Qaeda hosting all their information sites here, why aren’t there thousands of message boards and downloadable how-to-make-bombs PDFs hosted on the Darknet?  Well, the answer is not completely certain but it’s likely the reason is simple – it’s incredibly irritating to use.

Browsing the Darknet is not a super slick experience; in fact it’s like trying to use the current web on a 15 year old computer.  The sinister mystery of the place soon gives way to time-outs, broken links and crashing browsers – you can access a site one minute then face a ten minute delay whilst it reloads.  It’s understandable really; after all it’s an open network hosted on thousands of disparate machines on internet connections of varying quality. It works, but sometimes only just.

Your average terrorist has probably grown up with all the latest technology, he probably has a smart phone that’s much better than mine.  In between listening to anti-west sermons he’s probably streaming Breaking Bad on his Netflix account using a VPN. Crucially they are likely to have as much patience with slow web pages as my children who have been brought up in a household that’s always offered – 30 MB download speeds.  I get irritated with slow web pages, and I remember downloading a newsgroup on a 14.8k modem which would often take several hours.

Terrorists are often super active on social media and on the traditional web; the Darknet simply doesn’t function that way – it’s slow and sometimes requires a lot of patience.  It’s the same reason why people often don’t use TOR for privacy, Smart DNS to bypass filters or VPNs for anonymity in their browsing on the normal web.  These options do hide your web requests for 99% of the time and some of them are free, but again they are very slow to use. Using something like Identity Cloaker provides privacy and has virtually no impact on your normal internet connection speed.

So this is my conclusion – Terrorists Don’t Use the Darknet because it’s a bit rubbish!

 

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle-eyed EFF activist called Parker Higgins took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices (I mean, why is talking to an inanimate device preferable to pushing a button?), this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard; who knows where your conversations are going – just some spotty Samsung technical geek or, more likely, a selection of marketing companies?  Secondly, it’s not only spying on you, the owner of the TV, but on anyone who happens to be in the room – have they given their permission?  Should anyone entering your living room be given a disclaimer and need to sign a consent form!!

Samsung have now modified the wording in their policy, insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording; I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices as far as privacy goes – relying on stuffing a few sentences deep in the TV’s documentation (which it probably thought nobody would read).

There are other aspects to the technology which make it even more unlikely that conversations can’t be monitored by the device.  For a start, the TV is apparently capable of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer’

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more, the TV doesn’t have just a single microphone: you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.  Cunning move; the TV remote in my house, for example, is the single most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I, for one, will not be purchasing one of these things; unfortunately, however, it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends’ TV sets when I enter their house (and of course enquiring about the location of the remote).

Does anyone really need this rubbish!!

Surprising New Palestine Charity Donors

If you follow the security and hacker world, you’ll know that there is a constant tit-for-tat battle going on across countries, religions and ideologies.  One group will deface a certain web site usually with badly spelt propaganda and  ‘1337 speak’, then a few days later another group will retaliate with an attack on a different web site.  There’s lots of threats and tough talk, and it sometimes seems like there are literally thousands of these groups all over the world fighting their own cyber way.

The reality is that it’s been happening for so long it doesn’t really make much impact any more, unless it’s a really big commercial name.  There’s another problem with this attack method, especially given the minimal impact – it usually takes much more effort than it’s worth.  Of course there are literally thousands of ways to hack a web site – vulnerabilities in the code or the host, brute-forced passwords or pinched user credentials – the list is virtually endless.

However it does take time, and can take an awful lot of effort, which is why it often looks like a complete waste of time.  You spend days finding out a web site’s vulnerabilities and hack into it, replace it with your leet message – then take a couple of screenshots.  What happens then?  The owner changes all the passwords, closes the vulnerability and restores the original from backup and it’s all back to normal.  Unless you dash out and advertise the hack, it’s likely that not many have even noticed, and those who do have seen it all before anyway.  Of course if it’s a bank or a big commercial site then there is much more of an impact and of course commercial implications – but those sites are likely to take much more effort and resources to hack into anyway.

Which is why I think this was a rather innovative angle by a group of pro-Palestinian (or perhaps just anti-Israeli) hackers called AnonGhost (not impressed with that name!).  They’re involved in a cyber offensive against the Israelis, which sounds a bit more impressive than the reality, and have been for several years in line with other Muslim extremist groups like ISIS.  It all gets very messy here as you have a ‘free speech’ hacker group like Anonymous working towards the same target alongside ISIS sympathising hacking groups such as AnonGhost.  Obviously supporting any ISIS related group is kind of a backwards step toward promoting free speech and liberty.

Anyway the point is that instead of just stealing a few user details and posting up a bit of tedious cyber graffiti which is overwritten half an hour later, they did something different.   They stole lots of credit card details from an Israeli based site and posted some of them online, the rest they used to make donations to a Palestinian children’s charity.


Well that’s the story at least; there is a little bit of evidence to support it but not enough to be completely sure. The irony of course relies on these being stolen Israeli credit cards. Whether the payments were actually completed by the charity site, fundrazr, is also perhaps difficult to believe, especially after the facts were posted all over the web.

As usual, the attackers probably didn’t hide their tracks very well and unless they used some very secure VPNs, like these, have probably now got loads of their details listed on databases compiled by various security agencies like GCHQ and the NSA.  However as a stunt,  it was at least a little bit innovative.

What Information is Hidden on My PC?

The majority of people who just use the internet every day for browsing, shopping and entertainment probably imagine that they have quite a decent level of privacy by default.  They probably expect that their browsing is private, passwords are secure and emails confidential, at least to a certain extent.  Unfortunately the reality is a completely different story.

The problem is that people are blissfully unaware of simply how much of their online lives is completely open and unprotected.    Take for example your computer or laptop,  most people’s are stuffed with all sorts of web browsing history, passwords, login details and a host of other stuff often going back years.

So here’s something to try if you’ve got a spare few minutes – download this free computer forensics tool – here.

It’s called Systems Information for Windows and is a pretty advanced tool for scanning your computer and analysing detailed information about it.   It takes minutes to run and in fact doesn’t even need installing as it runs from a stand alone executable.

Passwords on Your PC

Here’s a screen shot that it picked up from my laptop.  Although obviously I needed to censor it – every single line in that picture contains a website I accessed and the password I used to access the site.  SIW picked up hundreds of these all stuffed with personal details, login accounts and even the passwords I used to access.

Try it on your laptop and PC – you’ll be amazed at what information can be picked up from your computer.

Here’s a selection of the sort of passwords and login details it can pick up –

  • Screen Saver Passwords
  • Windows Logons
  • RAS Passwords (Remote access and Dial UP for your ISP)
  • Outlook (Email accounts)
  • Firefox, Chrome and IE passwords
  • MSN and Messenger Passwords
  • Wireless Keys (WPA, WEP, WPSK, SSID)
  • FTP Login Details

That’s only a sample, all stored on your local machine – all easily accessible to anyone with access to the computer either physically or remotely.

I urge you to take a look and see how much of that information you are potentially leaking to the world.  Most people will see lots of details and passwords that they would consider private.

Also remember this is the free version of the software – there are plenty of professional tools floating around the internet used by hackers and forensic scientists that can pick up much much more.

What sort of problems could this cause you if the information fell into the wrong hands – perhaps those of an identity thief or hacker?  Perhaps the tool was run from a virus, or when you accessed free Wifi from that cafe last week.  Email passwords, Paypal, Ebay or banking details can be used very easily to steal and defraud.

Even if a sensitive website doesn’t appear in the list – how many of us use the same password for our online banking or Paypal that appears in the list?

There are privacy modes in most modern browsers that stop this information leaking out, security programs like IDC or Smart DNS keep your connection secure, and free programs like CCleaner can be used to tidy up your computer to start with.  Ultimately knowledge and some awareness of the (lack of) privacy situation online is your best defence – a little paranoia is definitely called for when you surf the web!

 

How Secure is Email – Privacy Issues

There is a common analogy used in security discussions about how secure email is. It’s generally considered that using standard email is about as secure and private as taking a postcard, writing down your secret thoughts, then handing it to a passing stranger and asking them to post it for you. If you take into account how emails are sent and the technology involved, it’s not far from the mark. Mind you, I can’t remember the last time I got a postcard so maybe this particular analogy will be out of date soon.

You can go to extraordinary lengths to secure your email though; there are many secure software solutions that will encrypt your emails and patch up the various privacy holes in email in general. However for many of us, who simply strive for a reasonable level of privacy, this can be a daunting and expensive task. In some senses, it’s perhaps best to stay clear of email if you want real, gold standard levels of privacy and security and look for another method of transferring information. The most serious privacy concern with email is that everything you send is sent in clear text. Anyone on the distribution route of your email can simply eavesdrop on the content and read it without any fuss – no hacking or cracking of passwords is required.

Packet Trace of an Email


Take a look at this packet capture, taken from the sending of an email using Thunderbird.
The entire email – the sender, the recipient, time stamps and the message is in clear text – all of it readable without any effort.

So let’s add a level of privacy to this transmission, I’m going to use Identity Cloaker to secure my email. We fire up the application, select a secure server in another country (I’ve chosen a Swiss server here) and then tell Identity Cloaker what to encrypt using the application screen.


In this example I’ve told it to encrypt Thunderbird, which is the email client I use on this particular PC. I’ll then resend the email and see what you can pick up from the wire using a packet capture program (Wireshark available for free here!).

Encrypted Email Traffic
As you can see, or perhaps I should say ‘can’t see’, now all the data regarding the email is encrypted and is inaccessible to anyone reading it on its journey. Using this technology adds a huge level of email privacy and can be used with all applications which don’t properly encrypt your data, including messaging clients, browsers and a host of others. However it is important to remember that the email is only encrypted during its journey; when it hits your client or mailbox the message will be in clear text again unless some additional encryption solution is used to protect it there. Having said that, at least all your messages are protected in transit and aren’t left sitting unprotected in logs on routers and servers all across the net!
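
What a passive reader on the path recovers from a plaintext SMTP session like the first capture above, and what is left once the session is encrypted, shown as an added example that is not part of the original post. It uses STARTTLS, SMTP's own TLS upgrade, in place of the tunnelling product shown in the post; the session bytes, addresses and the `observer_view` function are constructed for illustration.

```python
import re

# Constructed client-to-server bytes of one SMTP session, as a capture tool
# reassembles them from the TCP stream (sample data, not real traffic).
PLAIN = (b"EHLO laptop.example\r\n"
         b"MAIL FROM:<alice@example.org>\r\n"
         b"RCPT TO:<bob@example.net>\r\n"
         b"DATA\r\n"
         b"Date: Mon, 02 Mar 2015 10:15:00 +0000\r\n"
         b"From: Alice <alice@example.org>\r\n"
         b"Subject: Holiday plans\r\n"
         b"\r\n"
         b"The spare key is under the blue flowerpot.\r\n"
         b".\r\n"
         b"QUIT\r\n")
# Same client upgrading with STARTTLS: what follows is TLS records
# (constructed filler bytes standing in for ciphertext).
UPGRADED = b"EHLO laptop.example\r\nSTARTTLS\r\n\x16\x03\x01" + b"\x8f\x1c\xa2" * 10

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

def observer_view(stream: bytes) -> dict:
    """What a passive reader on the path learns from the client's bytes."""
    seen = {"encrypted": False, "sender": None, "recipients": [],
            "headers": {}, "body": []}
    state = "command"
    for raw in stream.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace")
        if state == "command":
            if line.upper() == "STARTTLS":
                seen["encrypted"] = True   # the rest is opaque ciphertext
                break
            match = ADDR.match(line)
            if match and match.group(1).upper() == "MAIL FROM":
                seen["sender"] = match.group(2)
            elif match:
                seen["recipients"].append(match.group(2))
            elif line.upper() == "DATA":
                state = "headers"
        elif line == ".":                  # a lone dot ends the message
            state = "command"
        elif state == "headers":
            if line == "":
                state = "body"             # blank line separates the body
            else:
                name, _, value = line.partition(":")
                seen["headers"][name.strip().lower()] = value.strip()
        else:                              # body line: undo SMTP dot-stuffing
            seen["body"].append(line[1:] if line.startswith("..") else line)
    return seen
```

Even in the upgraded session the observer still sees that a mail connection was made and to which server; only the envelope, headers and body are hidden, and only while in transit.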