The internet is growing darker day-by-day

tunnel

In the deepest corners of the dark web, anything goes. These are sites that cannot be found using typical search browsers like Google and Yahoo and are usually not accessed via a standard operating system like Microsoft or Apple. Instead, individuals access these sites using The Onion Router (TOR) browser and a hidden operating system (e.g. Tails) booted from a USB or CD.

TOR isn’t secret, in fact TOR is widely used by a diverse range of groups including criminals, non-criminals, NGOS, journalists, security researchers and government authorities alike who need to browse anonymously for a number of reasons. It is the security in numbers that can protect a TOR user’s anonymity and freedom from censorship.

For those interested in using TOR though – beware. TOR is not banned, which means that authorities, like the NSA, may be gaining good intelligence on TOR users. For user’s who are not security savvy, the government may even know what they are visiting.

TOR is a free utility that anyone can download and configure. The TOR website offers clear instructions on how to do this. Once set-up, the user connects to a series of encrypted TOR servers (which are also physically located in a secure location) before they connect to the destination site. As the connection is encrypted at each node, it is not possible to detect where the original request came from through traffic packet analysis alone. However, it is possible for Internet Security Provider’s (ISP’s) to distinguish TOR traffic from regular traffic– they just won’t know what you are accessing. Even if authorities took over a hidden dark web server or set-up a dark web honeypot to lure users, it will be difficult for them to identify the users (but not impossible*).

Despite the risks of being caught – the use of TOR in accessing the dark web is increasing. On the dark web, users can purchase personal credentials, illegal drugs and weapons. They can also hire hitmen, order DDos or other attacks and plan criminal/terrorist activities. The dark web is also full of some of the most terrifying web content shared by disturbed minds. Silk Road may have been closed down but it can easily be replaced. It is a continual struggle of power between criminals and authorities.  

8 things to stop doing immediately

We can always take online security a little for granted but some behaviours put us at more risk than others. This isn’t an exhaustive list so if you can think of more, please add it to the comments. Another one I wanted to add but couldn’t find a picture for is failing to verify a BSB/Account Number with someone you are transferring money to. You should always verify over two different mediums before transferring e.g. sms/email/phone (especially if you are transferring a large amount of money). People have lost a lot of money by missing this simple step.

1. Give away personally identifiable information about children’s whereabouts, likes/dislikes and birthdays.

firstdayatschool

2. Plastering family/bumper stickers all over your car. You might as well wear a “come rob me” sign.

Car-Photo-with-Stickers-Cropped

3. Using Windows XP and/or Internet Explorer 6. No anti-virus/spyware protection

winxp

4. Checking emails/banking accounts/social media accounts over “Free Public Wifi”. Ok so if this is a little hard to avoid, at the very least be aware of the risks, avoid doing banking over this channel and change your passwords frequently. Also, set different passwords for your accounts…

FREE WIFI

5. Logging in/entering your password details from email links. This can be a phishing attack to steal log in credentials. Instead, always log in via the official website.

PHISHING

6. Going to the official site and entering login/password details in without checking the URL/certificate details. Instead, look for a green bar.

notcheckingcertificate

7. Doing stupid things in public like Karen Bailey’s epic racist rant against Chinese people. You will be publicly disgraced and even arrested.

Do: Stand up to racists (non-violently). The guy in the background became a national hero after hitting back with “You’re scum”

caughtracist

8. Posting stupid things online that you can never take back. Justine learnt the hard way after losing her job after this tweet. The tweet spread like wildfire and a campaign for her immediate dismissal had taken off during her return flight. By the time she landed, she had already lost her job.

BADTWEET

UK close to banning the use of WhatsApp, iMessage and SnapChat to protect National Security.

whatsappbanwhatsappbanned

Applications that provide an encrypted messaging platform, like WhatsApp, are under threat by countries that are increasingly reliant on snooping as part of their National Security strategy. The UK is proposing a new law as part of their “Snoopers Charter”, also known as Draft Communication Bill, to enforce a ban on applications like WhatsApp, iMessage and SnapChat that use encrypted messages. Under this new proposed bill, Internet Service Providers must monitor the online activity of customers and keep logs of their activities for 12 months.

This isn’t a surprise though, as the use of mass surveillance to protect national security and counter terrorism is widely used and increasing around the world. The five most controversial ones include:

China – 1998 the Great Firewall of China

ChinaFirewall This is a censorship and surveillance program designed by the Chinese government to filter and control the content that is accessed by the public. This program also prohibits individuals from using the internet to harm national security, spread false rumors or encourage socially undesirable behavior like gambling, violence or murder. This is an extremely controversial program that China has been widely criticized for by human rights and civil liberties groups.
USA – 2001 Patriot Act
USA This was introduced following the September 11 and anthrax attacks. This was an extremely controversial bill which many felt was an over-extension of the US government’s surveillance powers. Some of the most controversial parts allowed government agencies to:
  • Confiscate the property of foreigners who are believed to have aided in a war or an attack on the USA.
  • Authorize the roving surveillance of any individuals under investigation (using any means available to intercept a person’s communications. An extension of wire-tapping)
  • Authorize the use of National Security Letters to demand a release of information about individuals without them knowing.
  • Detain terrorism suspects without providing them with access to lawyers and without hearings or formal charges

This law was controversial as it reversed many of the civil liberties that were guaranteed under the US Constitution e.g. right to privacy and freedom from unreasonable searches and seizures.

Originally introduced by the Bush administration, subsequent US administrations have tried to remove it but the US has grown too reliant on this as an Anti-Terrorism measure. The original bill which expired in 2011, has been renewed two times since (including in 2015) and will be up for renewal again in 2019.

France – 2015 Patriot Act
france Following the Charlie Hebdo attacks, France passed their own version of the Patriot Act in June this year. Despite opposition from civil liberties groups, the bill was passed by the Senate on June 9 2015 with overwhelming support. This gives French government agencies the authorization to conduct mass surveillance over all communications without judicial approval and deploy new infrastructure to sniff all electronic communications. The new law also requires Internet Service providers to be able to crawl through internet traffic to identify terrorist activities.
Australia – 2015 Data Retention laws
fiveeyes Australia has been wire-tapping phones for years and this has increased year-on-year. The government has also requested ISP’s and search engines (like Google) to provide private information on web browsing histories and private user information. And transparency reports have shown that this activity is increasing. As of August 2014, government agencies can obtain this information without a warrant or user disclosure. Recently, the government has passed a data retention bill that mandates ISP’s to store data on user activities for two years. Australia is also part of the Five Eyes alliance.
Russia – SORM (System of Operative Measures)
russia Russia is a surveillance state and their powers are extensive. This has even led to US issuing this travel warning ahead of tourists travelling to Sochi for the 2013 Winter Olympics.
“Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary” http://www.worldpolicy.org/journal/fall2013/Russia-surveillance

Cracking the Enigma: How Alan Turing was destroyed by the people he saved

alan-turing-s-100th-12-celebratory-images-from-across-the-web-f0424e174dDuring WW2, Germany coordinated their war strategy through a series of encrypted messages, passed from central command to their armed forces. German cryptologists used an Enigma machine to do this. Enigma used Symmetric Cryptography, meaning that the same key was used for both encryption and decryption. Each letter was sent through a series of circuits (consisting of a plug board and 3 rotating wheels) to create a highly randomized output.  The key is the Enigma set-up itself, which is the choice/order of the wheels, the ring setting and plug connections. Enigma configurations were changed daily. Every month, the Germans distributed a key sheet to Enigma operators. This contained a list of different configurations for each day of the month. This key sheet was critical to be able to decrypt the codes. As there were 159 million possible Enigma settings, the time taken to go through all the possible Enigma configurations to decrypt a message would not have been worth the effort.
2009-09-25_3946 The British needed a fast method to decrypt the codes. German troops were advancing fast and the Allied troops needed an advantage. They hired a team of mathematicians and problem solvers to create a decryption machine. Alan Turing lead efforts in Bletchley Park to create one he called The Bombe (not to be confused with another Polish machine of the same name). Exploiting a critical flaw in Enigma, the Bombe was able to decrypt Enigma messages in under 20 minutes. As the Enigma has a rule that a letter could not become itself, the Bombe worked backwards to deduce all the impossible rotor and plug board configurations that violated this rule. It was able to do this very quickly via electrical circuits.

Click here for more information about how Enigma worked and how it was finally broken: 
royal-navy3

As the British wanted to continue to spy on the German forces, the operation continued on in secret. This action resulted in the saving of countless lives and the allied success of key battles, including D-Day. After the war, Alan Turing went on to work for the National Physical Laboratory and published a paper on Artificial Intelligence in 1950 called “The Turing Test”.

Despite all his achievements, Alan Turing’s contributions to allied war victory went mostly unnoticed. He was disgraced and arrested for homosexuality in 1952. He was given a choice of imprisonment or hormone treatments to “cure” his homosexuality. He chose hormone treatments. This didn’t “cure” his homosexuality, instead it resulted in his suffering of emotional and physical scars during the ordeal, eventually culminating to his death at the young age of 41. It wasn’t until 2009 that Britain issued an official apology to Turing.

152074-apple-versus-samsung-sorry-seems-to-be-the-hardest-word1_4352093

Gordon Brown “He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war,” said Brown. “The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. … Alan and the many thousands of other gay men who were convicted as he was convicted, under homophobic laws, were treated terribly.”

http://www.findingdulcinea.com/news/on-this-day/March-April-08/On-this-Day–British-WWII-Code-Breaker-Goes-on-Trial-for-Homosexuality.html

images6D2USYA6

Alan Turing is now regarded as a father of Cryptography, Artificial Intelligence and the modern computer. In 2014, Benedict Cumberbatch starred as Alan Turing in The Imitation Game, which became the highest grossing independent film in the year. It was nominated in eight categories in the 87th Academy Awards and won the People’s Choice Award at the 39th Toronto International Film Festival. This film was also honored for bringing Turing’s legacy to the public. Alan Turing was also honored at the 2015 London Pride march as a Pride Hero for his contributions. His family represented him in the march. This also happened to coincide with a landmark USA Supreme Court ruling that gay marriage would be recognized under the US Constitution, making all marriages legal across America

Gay-Pride_2015

5 Distressing cases of cyber bullicide

bullied

Bullicide is the unofficial term for being bullied to death. The bullies that used to torment their victims in the schoolyard have gone online and now it’s 24/7. This is ripping families apart. The bullying tactics have become a lot more invasive in the online world. From using private spycams and organising viewing parties, to online trickery and blackmail and setting up hoax accounts, bullies have a lot more tools at their disposal but also a lot more to lose. The barriers of traditional bullying have been completely broken and this new form of cyberbullying is terrifying.

1. Ryan Halligan

ryanhalligan
Ryan Halligan of Vermont US took his own life at the tender age of 13 in 2003.  Due to a stroke of bad luck, he became the target of school bullies. One of the bullies was a popular girl called Ashley who he had a crush on. She began chatting to him online to gain personal information about him that would later be copied into other chats. This included private confessions of his learning difficulties. Bullies also spread rumours about him, leading to more online bullying. Although his parents knew about the school bullying, they didn’t realise that his torment would carry on well into the night. He found no way to escape and instead searched for ways to end his life. His lifeless body was discovered by his older sister.

2. Megan Meier

Megan
Leading up to her 14th birthday, Megan Meier took her life in 2006. Her bully was a former friend who set up a fake online persona, a 16 year old boy called Josh Evans to deliver cruel messages to her.  At first, “Josh” showed an interest in her, telling her that she was pretty, adding her on MySpace and regularly communicating with her online. Then the exchanges took a colder turn when “Josh” lost interest in her, shared embarrassing exchanges online with others, told her that she was hated by everyone and to essentially kill herself. According to her mum, Megan struggled with weight and self-esteem all her life and Josh was the first guy to tell her that he found her pretty. Her small body was discovered by her mother.

3. Amanda Todd

AmandaToddVideo
At the age of 13, Amanda Todd began using video chat to meet new people. It was through this that she came across a relentless cyber stalker who had managed to convince her to show him her breasts. Despite declining this request for a whole year, she finally gave in. Once he obtained the footage, he used it to attempt to blackmail her into further sexual acts. When she declined, he circulated her video online which led to her being bullied at school. She tried to change schools twice and even tried to move to a new city, but each time, he would track her down, share her video with her new classmates and teachers, and resume the cycle of abuse. She was hospitalised for depression, engaged in self-harm and bullied at every school. On September 7, 2012, Amanda posted a video online titled “My story: Struggling, bullying, suicide, self-harm”. A month later, she took her life. She was 15.

4. Daniel Perry

Daniel-Perry
At the age of 17, Daniel was targeted by online scammers who tricked him into recording an explicit video to blackmail him. At the time, he believed he was chatting to a girl his own age. They threatened to share his video with family and friends if he didn’t pay. An hour after receiving the threat, he jumped off a bridge and died shortly after being rescued. Before his jump, he asked the blackmailers what options he had to avoid payment. He was told that he would be better off dead if he couldn’t pay. What is remarkable about this is that despite being very close to his family, he didn’t want them to know this was happening to him. He was left so embarrassed that he decided that ending his life would be better than having those videos circulated to his friends and family.

5. Tyler Clementi

tyler
Tyler Clementi, a talented violinist from Rutgers University was only 18 years old when two roommates bullied him into taking his own life. The world may have lost a great musical prodigy, but this is something we will never know now because Dharun Ravi and Molly Wei robbed us of this legacy. Dharun deliberately targeted Tyler for reasons unknown to anyone but himself. It was an organised attack. He conducted a background research into Tyler and found out that he was gay. That was all he needed to do something as ruthless as it was illegal. He and his sidekick privately filmed Tyler’s sexual encounters in the dorm room on two separate encounters without his knowledge, streamed this online and even organised a viewing party to add insult to injury. Dharun also encouraged his Twitter followers to share these encounters. Although Tyler was confident about coming out and stood up to his roommate’s trysts, it was the online taunting about his sexuality that got to him. He died in 2010.

On rallying the troops
“Children can be cruel”. A statement that is oft repeated and is true. It is also true to say that children aren’t usually aware of how cruel their actions might be. There are psychological reasons for this but it basically means that most people who aren’t bad may end up doing bad things (this is true of some adults as well). In many of these cases, there would have been classmates and friends who would have done little to help or even participated themselves. It’s easier to participate by “liking” or “sharing” a disturbing post than it is stick up for the victim and potentially become one yourself. What is also true about the online world is how unforgiving it can be. Once something is shared, you can’t take it back nor control the consequences. There are growing legal and employment consequences for perpetrating and/or participating in online bullying.

Why parents need to read Alicia’s story (aliciaproject.org)

alicia_parents

In 2002, a bright 13 year girl named Alicia Kozakiewicz was abducted by an online predator she met on Yahoo chat. With the help of the FBI, she managed to escape, but not before she was taken interstate, assaulted, filmed and held in captivity. After her miraculous rescue, she launched “The Alicia Project” to prevent children from being abducted and to support children who have. The project provides internet safety and awareness education to parents, children, teachers, governments and agencies.

Here are some sobering statistics about online predators.
Statistics are from http://www.internetsafety101.org/predatorstatistics.htm

  • Online predators used social networking sites to gain information about
    1. the child’s likes and dislikes (82% cases)
    2. home and school information (65% cases)
    3. whereabouts (25% cases)
  • Most children will not report sex crimes to an adult out of shame and/or embarrassment
  • 1/7 children received a sexual solicitation online. Over half (56%) of sexually solicited kids were asked to send a picture, with 27% of the pictures being sexually-oriented in nature. In some (4%) cases, these requests were aggressive and involved threats to their offline lives
  • About 200 million girls and 100 million boys will be sexually victimized before they reach their adulthood

“Predators do not discriminate based on gender, ethnicity, education, socioeconomic status, income, or religion. It can happen. It does happen. It is happening.” AliciaProject.org

To become a victim, you only have to be unlucky enough to cross paths with a predator. If this happens, you may still be able to defeat them if the right precautions are taken.

1. Disable geotagging on mobile devices before taking photos of children

Geotagging uses GPS trackers to pinpoint your location. While Geotagging is turned on by default and can be useful for some applications (e.g. Google Maps), you can turn it off for others (e.g. photos/videos of children). There are many online resources that provide step-by-step instructions on how to do this. Neglecting to do so may actually be giving away free information to the predators.

Example: You share a picture of your daughter with your 200 Facebook friends. In the photo, she is at home opening a birthday gift. 50 friends like and comment on the photo. This simple action can provide an online predator with information about where she lives, how old she is, name of her parents and what she likes.

Tip 1: Turn off geotagging/check privacy settings when taking photos/videos of children, especially when you are at a place where your child frequents (home/school).

Tip 2: When friends take photos/videos of your children, kindly remind them to do the same before publishing these photos/videos online. You cannot control their privacy/sharing settings and you don’t know who they are friends with (they may not even know)original

2. Don’t “check in” to your home or someone else’s home

While many people try to keep their home address and landline phone details private, they can be surprisingly lax when it comes to “Check In’s” on their social media. Even for those who know not to check-in to their own home, they may leave their judgement behind when they check in at their friends home. E.g. “At Dan’s 8th birthday!” or “Checking out Mary’s impressive diamond collection”.

This happened to me a while ago, a friend checked in at my house. At the time, it wasn’t a big deal as I was living in a rental with no assets and no children (not much has changed since) but I learnt a lesson from that and now remind my friends not to check in when they come over. I can imagine this being a bigger deal if my circumstances were different.

Tip 3.  Do not check in at your home and kindly remind your friends not to check in at yours. You can’t blame them if they did not know

GIFSec.com
GIFSec.com

3. Monitor child activity online

Some people may disagree with spying on anyone but with the growing use of mobile and tablets, kids are spending more time online. This places them at risk of accessing porn/illegal sites, publishing unemployable content, sexting, getting groomed by predators/terrorists, cyberbullying, oversharing personal information and more. It is for this reason why the benefits of child monitoring, combined with site blocking and education, may outweigh any costs. It is also legal and ethical as long as kids are aware they are being monitored. It remains unethical and illegal to spy on spouses/friends or any adults.

Monitoring their online behaviour also sets them up for the real world. Everything we do online is monitored in some way or form by our ISP, government or employer so getting children accustomed to the idea that online is not private, is not a bad thing to learn.

There are applications available that allow parents to monitor their children’s online behaviour. For a small price, the options are quite comprehensive and parents are able to adjust the settings to suit their needs. When selecting an application, also do some background research on the company to ensure you are comfortable with how they manage the information collected.

Tip 4: Monitor your children’s online behaviour, but also ensure they are kept educated.

For more tips, please go to http://www.aliciaproject.org/internet-safety-tips.html (highly recommended reading).onlinefamily

Is cloud ever secure enough?

cloud

The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software/platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost effective and environmentally friendly solution. There are now many providers offering different cloud solutions including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?

This is a big question to tackle and there is no right or wrong answer that can be applied en masse. Instead, deciding on whether adopting cloud will fulfil your business/individual requirements will need to be assessed on a case-by-case basis. To make this assessment, here are some of the key questions that may be considered.

1. How good is my local storage?

How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data is stored on a hard-drive on a networked computer then chances are, you may not be applying best practice. However, if your data is stored encrypted & backed up on two or more file-servers, with good physical/logical access control and logging, then there may not be much to improve on than what you already do. These are two extremes and most likely, you will be sitting somewhere in between.

2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical or too little where data needs be secured, you should assess the availability, confidentiality, authentication and integrity of your data against current local storage protections to see how it stacks up. This should help you identify whether you have been investing adequately in protecting your data or if it needs to be adjusted. Then, you will be able to determine whether going to a cloud provider will be a cost effective and secure solution for you.

3. How important is availability?
Despite whatever assurances cloud providers give about providing a highly-available solution, end-users will still need an active internet connection to access the data, which is not always guaranteed. This also makes it harder and more time consuming to detect connection problems should they arise. Additionally, there is also the added problem of network latency which can result in additional delay/drop-outs when connecting to the cloud provider. This will only get worse over the next few years with ever more connections choking up bandwidth and causing congestion/more drop-outs.

4. How important is confidentiality and trust?
Cloud offers new challenges for data confidentiality as the data needs to travel over the internet, is stored remotely and is administrated by somebody else. Even with cloud providers providing assurances that they apply best practices to secure your data at rest and in transit, there is still the danger that even given best intentions, their security controls may not be up to the mark. E.g. Adobe’s security breach leading to stolen logins and IDs. . Additionally, transport layer encryption may not always be that secure. I have described in previous blog posts, the security defects affecting SSL and weak TLS encryption.
The best way to guarantee confidentiality is to encrypt the data before sending it to the cloud and to keep the keys yourself!

What do you think of these questions and should there be more? Please add to the discussion below.