Motherboard has obtained and published a copy of the forensics report that suggests that Jeff Bezos's phone was hacked by Prince Mohammad Bin Salman Al Saud, possibly in a scheme to obtain kompromat that could be used as leverage to prevent the Washington Post of reporting on the death of Jamal Khashoggi, who was murdered and mutilated by agents of the prince. Read the rest
[Yesterday, we published my review of Tim Schwartz's new guide for whistleblowers, A Public Service: Whistleblowing, Disclosure and Anonymity; today, I'm delighted to include this generous excerpt from Schwartz's book. Schwartz is an activist whom I've had the pleasure of working with and I'm delighted to help him get this book into the hands of the people who need to read it. -Cory]
Collection As you collect documents and bring new information to light, be aware that you are in an escalating digital arms race. There will always be new ways that data forensics can identify you, or uncover information based on data that you inadvertently leave in your files, or data that is retained in logs noting who has accessed what files on what network. Recently it was discovered that noise from electrical grids can be used to quite accurately pinpoint when, and potentially where, an audio recording was made. The best way to win this war—or at least to avoid becoming collateral damage—is to work outside the standard methods and find partners who have experience. Read the rest
In my 2008 novel Little Brother, the underground resistance uses a secure operating system called "Paranoid Linux" that is designed to prevent surveillance and leave no evidence of its use; that was fiction, but there's a real Paranoid Linux out there: Tails, The Amnesic Incognito Live System, and it turns 10 today. Read the rest
Evan from Fight for the Future writes, "A new investigation from Gizmodo just revealed that anyone, anywhere can get geographic coordinates of Ring devices from Amazon’s Neighbors App. Not only can someone find out where users live, they can use footage to track bystanders, locate children, and monitor people going into buildings, like clinics, for private appointments. Amazon sells these devices under the guise of keeping us safe. They’re lying. Their surveillance devices and network puts us all in danger. We need lawmakers to fully investigate the threats associated with Amazon’s dragnet and its impact on our privacy, security, and civil liberties. Fight for the Future has launched a campaign calling for Congress to investigate Amazon's surveillance practices. You can add your name here." (Image: Dan Calacci/MIT) Read the rest
DMARC is an anti-email-spoofing tool that mail-server administrators can enable; it's designed to reject emails with forged return addresses. Read the rest
Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security." Read the rest
I will never forget the moment on June 9, 2013, when I watched a video of a skinny, serious, unshaven man named Edward Snowden introduce himself to the world as the source of a series of blockbuster revelations about US spy agencies' illegal surveillance of the global internet. Please, I thought, be safe. And Please, don't turn out to be an asshole. Read the rest
The millions of Hong Kong people participating in the #612strike uprising are justifiably worried about state retaliation, given the violent crackdowns on earlier uprisings like the Umbrella Revolution and Occupy Central; they're also justifiably worried that they will be punished after the fact. Read the rest
Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable. Read the rest
After collaring a woman who got past security at Mar-a-Lago (described by Chris Hayes as President Donald Trump's "bribery palace") the Secret Service found a USB drive in her possession. So they stuck it in a computer to see what was on it.
From the Miami Herald:
Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.
Experts say don't do that.
Read the rest
Jake Williams, founder of Rendition Infosec and former NSA hacker, criticized the agent’s actions “threatened his own computing system and possibly the rest of the Secret Service network." ...
Williams said the best way to forensically examine a suspect USB drive is by plugging the device into an isolated Linux-based computer that doesn’t automatically mount the drive to the operating system.
“We would then create a forensic image of the USB and extract any malware for analysis in the lab,” he said. “While there is still a very small risk that the malware targets Linux, that’s not the normal case.”
A few years ago, a friend of mine, Nico Sell (who runs the Defcon kids' programming track r00tz) asked me to join the advisory board for her startup, Wickr, which does "ephemeral messaging," a subject that is greatly in the news with Facebook's recent announcement of a new kind of "ephemeral messaging" option. Read the rest