SECURING YOUR EMAILS WITH PGP

 

So what is PGP?

PGP stands for Pretty Good Privacy. It’s considered the de facto standard when it comes to encrypting and decrypting emails, files, etc. It gives a sender confidence that his or her data was not compromised as it made its way through the internet to the receiver. It is the most widely used solution, not only by individual users but also by major Fortune 500 corporations. It was developed by Philip R. Zimmermann in 1991.

Despite PGP being designed to protect Constitutional privacy, Mr. Zimmermann became the target of the Federal Government and a three-year criminal investigation. From the Fed perspective, restrictions on cryptographic software were violated when PGP spread worldwide, despite having no funding, staff, or corporation to stand behind it. Eventually the investigation was dropped in early 1996, and Zimmermann went on to serve as a senior consultant to help PGP gain its wings in the internet security community.

How does PGP work?

A variation of the public key system is used. With PGP, a user has a publicly known encryption key and a private key known only to that specific user. If you want to send an encrypted message, you encrypt it using the receiver’s public key together with a symmetric encryption algorithm. When the receiver gets the encrypted message, they decrypt it with their private key.

TOR PROJECT : THE ONION ROUTER

 

So what is Tor?

Tor started out as “The Onion Router” when it was created by the U.S. Naval Research Laboratory, under the guise of DARPA. Tor has been financially supported by the Electronic Frontier Foundation and operates under a 501(c)(3) research-education nonprofit organization. As of 2012, over 80% of the Tor Project is funded by the United States Government.

Tor is free software that runs cross-platform and is currently used by over 36 million users around the world, allowing them to bypass government dragnets and the blocking of certain websites deemed threatening to their status quo. It is by far one of the best tools for whistleblowers and activists worldwide to spread information without being exposed by their IP address.

In essence, Tor is nothing more than a proxy server system. Anyone can add a node to the Tor network, whether as a client, a relay server, or an exit node. As a client, all you need to do is install the software and run the modified Firefox browser, and you are ready to surf the internet anonymously.

How does it work?

Tor lets a client hide its address, surfing profile and other system activity from observation and investigation by separating identification from routing. Tor encrypts the client’s network traffic and routes it through a network of relays run by users who volunteer their nodes and bandwidth.

Not only does Tor allow for hidden services, such as a site that would typically be censored, but since Tor relay servers are kept secret, it also lets users reach websites censored by certain governments.

The IP addresses of the sender and recipient are not sent in clear text, so no matter which hops your traffic takes, no one eavesdropping along the route can decipher it. The receiver sees the communication as traffic coming from the Tor exit node instead of the client’s actual address.

Potential Exposure

Tor has many potential exposures that can reveal your identity to the public.

Exit Relay Sniffing

Although your IP is hidden and your data is encrypted as it moves through the Tor system, at the point where it leaves the Tor network it becomes unencrypted traffic. The destination will see the Tor exit node’s IP, but any confidential information that ties back to the user is immediately open to sniffing (capture) as the traffic moves out of Tor. Unless you are using HTTPS (Secure Encrypted Browsing Protocol), the operator of the site will be able to access vital information on the user.

Browser Exploiting

Although your IP and node information will be encrypted, there are many ways the destination node can trick your browser into offering up information that should be kept hidden. This is done using Flash code or JavaScript. To stay anonymous, it is always good to install a browser plug-in that blocks all JavaScript as you connect to a website. A plug-in like NoScript will let you accept certain types of scripts as you connect, but this should be used with caution, as you never know what kind of malicious code may be behind JavaScript.

End to End Timing

This may be the most unlikely style of attack to track your online activity; however, it is still a possibility. End-to-end (ETE) timing is when someone watches both the traffic coming from your computer and the traffic landing on the target node. With statistical analysis, this can be used to discover which circuit the user may be on. It is extremely unlikely and very time-consuming for the unlikely payoff.

DNS Leak

Some applications running through Tor can leak DNS queries. Since a node has to find out the IP address of a target, it will use a DNS query to look up that IP address before sending encrypted data. For any IT security technician, it really isn’t that hard to watch your traffic and make a connection between a DNS query and the secure connection to the destination that follows over the Tor network.

Welcome to the Darknet

After Tor was picked up as a public project and opened to the public, it has been scrutinized as a way for criminals to communicate that leaves Law Enforcement Agencies without much remedy to track activities, i.e. pointing at sites like Silk Road, Atlantis, or Freedom Hosting. This leaves quite the question: who is to blame for this when the Tor network was originally created by the US Navy? As an activist myself, it seems rather funny that the US Government created a service that it now attacks as the enemy. Meanwhile, Federal Agents use the Tor network every day without any oversight of the activities these agents perform. In my opinion, the only reason it was brought out publicly was to add more information into the network to cover their tracks, as well as a possible backdoor to the system to track “criminals”.

At the end of the day, I feel Tor is a valuable tool for citizens who would prefer their constitutional privacy, and taking down the system would damage the populace by leaving it without an extremely secure way to surf anonymously without worrying about being tracked by rogue corporations that contract with government surveillance.

OBAMA ADMINISTRATION’S CYBER WAR

 

State of Affairs in Network Security

It has been no real secret that there has definitely been a lackadaisical stance on network security throughout the beginning of the computer’s entrance into the American home and workplace. In one computer is a universe of information arranged in a way that takes a lifetime to understand. With the collective efforts of brilliant men throughout our history, we are on the shoulders of giants to get to where we are. But this proves the point. Even if you ask the best security expert whether his personal computer has any malware on it, if he is honest with you, he will admit that he doesn’t know for sure. So where does that leave someone who doesn’t know anything about computers? This leaves a vast amount of room for attackers to program code that is almost nonexistent to the end user. I perform penetration testing myself and I wouldn’t be able to get by without Backtrack. It is a Linux-based operating system specifically set up for professional technicians to stress test their network. This software is distributed freely on the internet and anyone can pick it up, from a cyber terrorist to a curious kid. I can tell you that as a kid, if this had been out there, I would definitely have gotten into some trouble. Through my years on the internet, I really haven’t seen that many security changes, and most of the attacks that went on in the 1990s use exactly the same approach. Don’t get me wrong, I am not saying that IT professionals are at fault here for the most part. Look how they tightened up things like WEP to WPA2, or wireless encryption for the layman. Attackers are always going to go after easy targets or gold-mine servers that are overlooked by companies’ slack IT departments. The approach could be brute, which might raise suspicion and blow the operation, or it could be another approach: a friendly invite from the very people you are trying to attack.
So this is what most attackers rely on: getting the other party to download software that allows access into the network.

Stuxnet

In mid-2010, a very high-tech worm called Stuxnet was discovered in the wild. It was targeted to spy on and subvert industrial systems, and it included a PLC rootkit. Basically, it is nonexistent to the end user without certain tools. I personally have tested removing it in a virtual machine and I have to admit, without some guidance on what specifically to look for, I don’t know if I could pick it completely out of a PC. This is some serious stuff we’re dealing with here. Now obviously the big question was “who built it?” By 2012, it had already been reported that Stuxnet was part of a U.S. and Israeli intelligence operation called “Operation Olympic Games” that just happened to escape the lab somehow. The big question: “why isn’t this in the news and what precautions have been taken to make sure this won’t happen again?” We all understand that it is important to make sure that we have a good handle on national security, but this is actually taking it the other way. Some of the code in Stuxnet actually carried stolen digital signatures from reputable global software companies including Microsoft! Digital signatures are the only thing we have on the internet that counts for trust. This means that the U.S. Government is really stealing corporate identities to promulgate destructive software. The U.S. Government has said many times that if cyber attacks are implemented against the U.S., it will be considered an act of war. The origin of Stuxnet happened to be in the Middle East and Iran. So you can see the motives of someone who would implement malware that steals industrial network information in that area. (Nuclear development?)

Where’s the Flame?

Just before responsibility for Stuxnet was released, a new, highly sophisticated piece of malware was announced on the scene. In fact, the Budapest University of Technology and Economics was reported as saying that Stuxnet “is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” It had also been cited that some of the code in Flame was actually of the same origin as Stuxnet. So is the U.S. behind this as well?

When will this stop?

Not only has it been openly admitted that the U.S. Government is behind some of the most dangerous malware in the world, but it had been suspected for years by lots of higher-ups at Microsoft and other organizations. It is very scary when someone says that if you commit cyber terrorism against them, they will declare war on you. Meanwhile, they are infiltrating your industrial network infrastructure with the most wicked malware on earth. I think it’s finally time to address this issue openly, because if we really care about network security and the safety of our delicate global network, we need to weed out the biggest threats to it.

KEEPING TRACK OF YOUR PASSWORDS WITH KEEPASSX

 

Are you looking for a tool to consolidate all your online passwords?

After testing many password databases, I have found KeepassX to be the simplest yet most effective password locker out there. Here is a shot of its simple interface.

KeepassX Features

  • Extensive management
  • Search functionality
  • Autofill
  • Database security
  • Automatic generation of secure passwords
  • Encryption (AES or Twofish)
  • Import and export entries
  • Cross Platform
  • Free!

Having a password locker not only protects your passwords in a secure application but also organizes them by group. Each entry has options to store a title, username, URL, password, comments, and attachments.

Can’t think of new unique passwords for your expired passwords?

Password strength is extremely important. However, coming up with new passwords after expiration is always something that I find to be a pain. Crackers have gigabytes of password lists, so if your password is weak, it is probably in their lists. What if you had access to a password generator with options to generate to the parameters of your account policy while still allowing the most secure password possible? KeepassX has you covered here, and this is probably my favorite feature. It allows you to specify the length and character groups for your password.

Will this keep out attackers?

Network security is a game of cat and mouse. However, the more tools the mouse has, the better it keeps the cat at bay. If you want to keep your accounts as secure as possible, KeepassX is the best password storage and generator out there. Try KeepassX today to see what I am talking about. It’s cross-platform, so you should be good to go.

Visit the website and grab a copy today at http://www.keepassx.org/

 

HOW TO UPGRADE YOUR LINUX DISTRIBUTION

 

APT-GET

The easiest way to update your security patches for a Linux distribution is to use the apt-get commands. APT stands for Advanced Packaging Tool, and it works with core library repositories that hold the software it installs on and removes from your box. This tool simplifies the process of software installation by automatically retrieving the appropriate program, configuring and installing pre-compiled files, and compiling the source code.

The library repositories are massive, and apt-get runs off a source list that can be configured for stable, unstable, and bleeding-edge versions of whatever software you are seeking.

To update your source list, open /etc/apt/sources.list and add the repositories that correspond with your Linux distribution. After that, updating, upgrading and installing software is easy.

Just go to your command line and type the following commands:


apt-get update

root@computer~# apt-get update

This command synchronizes the package index files from the source lists that you just added to your sources.list file. This is the first step to updating software and security patches.


apt-get upgrade

root@computer~# apt-get upgrade

This command installs the newest versions of software packages installed on your system. Once again, this is working off your sources.list file. A very useful function of apt-get is that it looks for dependency packages that an install may need so you don’t have to look all over the place for dependent software.


apt-get dist-upgrade

root@computer~# apt-get dist-upgrade

This command is where the “smart” technology comes into play. It resolves conflicts between packages and, where necessary, upgrades the most important packages first, leaving lower-priority packages alone.


apt-get install <package name>

root@computer~# apt-get install php5

This command installs the package of your choice.


apt-get remove <package name>

root@computer~# apt-get remove php5

This command removes the package of your choice.


apt-get purge <package name>

root@computer~# apt-get purge php5

This command removes the package and all configurations associated with it.


apt-get autoclean

root@computer~# apt-get autoclean

This command removes old packages that are no longer installed on your system.


apt-get clean

root@computer~# apt-get clean

This command removes all packages from the package cache. This is needed to rebuild your apt-get cache if something goes wrong. Use apt-get update, and you’re right as rain again.

Overall, these commands are completely necessary to keep your Linux system up to date with the latest security packages, as well as everyday installation of packages used for various purposes. Learn these commands and your box will always be up to date.
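To see which pending upgrades are security fixes before running apt-get upgrade, the following added example (not part of the original article) parses the output of a simulated run, apt-get -s upgrade. The sample output, package names and versions are constructed placeholders, and the function names and the rule that a security origin contains the word "security" are assumptions.

```python
import re

# "Inst" lines as printed by `apt-get -s upgrade` (-s simulates; nothing is
# installed). Assumed shape:
#   Inst PKG [INSTALLED] (CANDIDATE ORIGIN[, ORIGIN...] [ARCH])
INST = re.compile(
    r"^Inst\s+(?P<pkg>\S+)\s+"
    r"(?:\[(?P<old>[^\]]+)\]\s+)?"          # absent for newly pulled-in packages
    r"\((?P<new>\S+)\s+(?P<origins>.*?)\s*\[(?P<arch>[^\]]+)\]\)"
)

# Constructed simulation output; package names and versions are placeholders.
SAMPLE_SIMULATION = """\
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  example-server example-tool libexample1
Inst libexample1 [1.0-1] (1.0-1+sec1 Debian-Security:11/stable-security [amd64])
Inst example-tool [2.3-4] (2.4-1 Debian:11.7/stable [amd64])
Inst example-server [5.1-2] (5.1-2+sec2 Debian:11.7/stable, Debian-Security:11/stable-security [amd64])
Inst example-newdep (0.9-1 Debian:11.7/stable [all])
Conf libexample1 (1.0-1+sec1 Debian-Security:11/stable-security [amd64])
Conf example-tool (2.4-1 Debian:11.7/stable [amd64])
"""


def pending_changes(sim_output):
    """Parse every 'Inst' line into a dict describing the planned change."""
    changes = []
    for line in sim_output.splitlines():
        m = INST.match(line)
        if not m:
            continue  # headers, package lists and "Conf" lines
        origins = [o.strip() for o in m.group("origins").split(",") if o.strip()]
        changes.append({
            "package": m.group("pkg"),
            "installed": m.group("old"),   # None for a new dependency
            "candidate": m.group("new"),
            "origins": origins,
            # Assumption: security archives carry "security" in label or suite.
            "security": any("security" in o.lower() for o in origins),
        })
    return changes


def security_upgrades(sim_output):
    """Names of already-installed packages whose upgrade comes from a security origin."""
    return [c["package"] for c in pending_changes(sim_output)
            if c["security"] and c["installed"] is not None]


if __name__ == "__main__":
    for change in pending_changes(SAMPLE_SIMULATION):
        tag = "SECURITY" if change["security"] else "regular"
        print(f'{tag:8} {change["package"]}: '
              f'{change["installed"]} -> {change["candidate"]}')
```

On a real system the input would come from running apt-get -s upgrade after apt-get update, so that the package index is current.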

FIXING DNS LEAK WITH TOR / FIREFOX

 

When surfing the internet through Tor, DNS leakage is one of the biggest concerns when using a browser. If you are not aware of what DNS is, let’s explain this real quick.

Servers on the internet are identified by their IP address so they can communicate with other nodes on the network. This is a set of 4 octets such as 8.8.8.8 (Google’s Public DNS Server). It would be a complete nightmare if we had to remember Facebook’s IP address every time we wanted to login to the website.

Thankfully, along the way we came up with a grand solution. We attached what is called an A record to the IP address. This means that when we query a DNS server for, say, Facebook.com, the DNS server looks at its A records and points your browser to Facebook’s IP address (173.252.110.27). Once the DNS query is answered, your browser can connect to Facebook’s servers to log in.

This is a potential problem if you are using Tor, as it leaves you exposed to what is known as DNS leakage. If your browser is not configured right, it will first go to your DNS servers to query a website’s IP address, and only after it grabs the IP will it go to the target website.

If your traffic is being monitored, it wouldn’t take a rocket scientist to analyze it and see that every time you connected with encryption to an unknown IP address, you had just made a DNS query to your DNS server, thus allowing a snooper to see every site you connected to.
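A self-check for the leak described above, as an added example that is not part of the original article: the script scans a packet log from your own machine and reports every hostname that went out as a plaintext DNS query instead of through Tor. The one-line-per-packet log format, the sample lines and the name find_dns_leaks are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed one-line-per-packet format (constructed for this example):
#   TIME  UDP|TCP  SRC_IP:PORT -> DST_IP:PORT  free-text info
FLOW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s*(?P<info>.*)$"
)
QUERY = re.compile(r"DNS query (?P<qtype>\S+) (?P<name>\S+)")

# Constructed sample: two leaked lookups, one loopback lookup, and encrypted
# traffic to a relay (documentation address 203.0.113.7).
SAMPLE_LOG = """\
12:00:01.100 UDP 192.168.1.20:53124 -> 192.168.1.1:53 DNS query A example.org.
12:00:01.350 TCP 192.168.1.20:40112 -> 203.0.113.7:9001 TLS application data
12:00:04.000 UDP 127.0.0.1:40000 -> 127.0.0.1:53 DNS query A example.com.
12:00:09.200 TCP 192.168.1.20:40112 -> 203.0.113.7:9001 TLS application data
12:00:15.400 UDP 192.168.1.20:53999 -> 192.168.1.1:53 DNS query A Example.NET.
12:00:15.900 TCP 192.168.1.20:40112 -> 203.0.113.7:9001 TLS application data
"""


def find_dns_leaks(log_text):
    """Return {resolver_ip: [hostnames]} for DNS queries that left the host.

    When name resolution goes through the Tor SOCKS proxy, the browser's
    hostnames should never appear in packets to port 53 on the network.
    """
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW.match(line.strip())
        if not m or m.group("dport") != "53":
            continue  # not DNS (UDP or TCP port 53)
        try:
            resolver = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # malformed address in the log
        if resolver.is_loopback:
            continue  # query to a local resolver never crosses the wire here
        q = QUERY.search(m.group("info"))
        name = q.group("name").rstrip(".").lower() if q else "(unparsed)"
        leaks[str(resolver)].add(name)
    return {ip: sorted(names) for ip, names in leaks.items()}


if __name__ == "__main__":
    found = find_dns_leaks(SAMPLE_LOG)
    if not found:
        print("no plaintext DNS queries left this host")
    for resolver, names in found.items():
        print(f"plaintext DNS to {resolver}: {', '.join(names)}")
```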

The Tor Bundle comes with a Firefox that is modded to work with Tor. However, without extra configuration, it will leave you with DNS leakage. To get around this, we have to go into Firefox’s configuration.

Go to Firefox’s address bar, type about:config and hit Enter.

There are three settings you have to look for:

network.proxy.socks_remote_dns

The default is false. You need to change this value to true.

browser.safebrowsing.enabled

browser.safebrowsing.malware.enabled

The default is true. You need to change these values to false.

That’s it. Now you can surf the internet without your DNS queries giving you away.
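To confirm the three settings actually took effect, the following added example (not part of the original article) audits a profile's prefs.js, the file where Firefox stores values changed in about:config as user_pref("name", value); lines. The sample file content is constructed, the defaults are the ones the article states, and the function names are hypothetical.

```python
import re

# Values the article says to set in about:config.
RECOMMENDED = {
    "network.proxy.socks_remote_dns": True,
    "browser.safebrowsing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
}

# Defaults as the article states them. prefs.js only lists values that were
# changed, so a missing entry means the default is still in effect.
ARTICLE_DEFAULTS = {
    "network.proxy.socks_remote_dns": False,
    "browser.safebrowsing.enabled": True,
    "browser.safebrowsing.malware.enabled": True,
}

PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)

# Constructed prefs.js excerpt (not taken from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.safebrowsing.enabled", false);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.type", 1);
"""


def parse_prefs(text):
    """Parse user_pref lines into {name: bool | int | str}; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # keep anything unexpected as text
        prefs[m.group("name")] = value
    return prefs


def audit_tor_prefs(text):
    """List every recommended setting whose effective value differs."""
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in RECOMMENDED.items():
        source = "prefs.js" if name in prefs else "default"
        actual = prefs.get(name, ARTICLE_DEFAULTS[name])
        if actual is not wanted:  # strict: the string "true" is not True
            findings.append({"pref": name, "actual": actual,
                             "wanted": wanted, "source": source})
    return findings


if __name__ == "__main__":
    for f in audit_tor_prefs(SAMPLE_PREFS_JS):
        print(f'{f["pref"]}: is {f["actual"]!r} ({f["source"]}), '
              f'should be {f["wanted"]!r}')
```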

DODD FRANK ACT, A SLEEPING GIANT

 

The bankers are back at it again and this time it is a bombshell. If you were to read the Dodd-Frank Act, I am certain that it would make your head spin reading it in its entirety. I know this because I have, and I am still spinning from its complexities. This bill is over 2300 pages, with numerous amendments to congressional acts dating back to 1934. This bill deals mainly with the finance and banking sectors of the United States. I am not an economist or financier, so I will touch only lightly on the actual regulations and focus mainly on the details of the usurping of power by private non-governmental powers in our banking system. This has been done through the establishment of new institutions and councils that are all controlled by the Federal Reserve System, which is a private institution not subject to the jurisdiction of the Federal Government. The failure of the Federal Reserve Act of 1913 to restrict the autonomy of this central bank is one of the reasons we are where we are today.

This act begins with the establishment of the “Financial Stability Oversight Council”. The chairman of this council is the Secretary of the Treasury. The other voting members include the Comptroller of the Currency and the Director of Consumer Financial Protection (two new positions I will discuss in detail later), the Chairman of the Securities and Exchange Commission, the Chairman of the Federal Deposit Insurance Corporation, the Chairman of the Commodity Future Trading Commission, the Director of the Federal Housing Finance Agency, the Chairman of the National Credit Union Administration, and an independent member assigned by the President who is qualified in insurance issues. The council also includes non-voting members: the Director of the Office of Financial Research, the Director of the Federal Insurance Office, as well as appointed State insurance, banking, and securities commissioners. Non-voting members are allowed to advise or influence but have no voting rights in council matters. They also have selected term periods, yet voting members are held indefinitely.

I contend that this council is established to usurp the last standing powers that are not held by the Federal Reserve System. I base this on what this council has the authority to oversee and regulate. The council is created to oversee and promulgate regulations on non-bank financial and bank holding companies. There is also authority delegated to demote certain companies out of bank-holding status.

The council has at its disposal an establishment of the Office of Financial Research. This office is a branch of the Department of the Treasury. The purpose of the OFR is to collect data for the council. A most interesting point is how this office is funded. The Act states that the “Financial Research Fund” shall be held at the Treasury of the United States [Notice: not the Department of the Treasury]. It also states that this fund is not to be construed as a government or appropriated fund. It is plain as day that even in congressional acts, there is a distinction between the Treasury of the United States and the Department of the Treasury, which is a subsidiary of the Federal Reserve System. Apparently, it is the U.S. Treasury’s obligation to hold funds for private institutional research. As of now I am not sure of the reasoning behind this.

Title 3 details the transfer of powers from the now-dismantled Office of Thrift Supervision, which was created in 1989. In recent years the OTS has been stained by supposed unethical, criminal, and irresponsible conduct and behavior.

The “Enhancing Financial Institution Safety and Soundness Act of 2010” part of Dodd-Frank details the transfer of powers of the OTS to the Board of Governors of the Federal Reserve System, the Comptroller of the Currency (established in this Act as a branch of the Department of the Treasury), and the FDIC, for the purposes of providing a safe and sound banking system, protecting the Federal and State chartered depositories, supervising all depositories, and streamlining supervision.

The Board of Governors acquires all functions of the OTS. This includes the OTS’s authority for issuing orders and rule making. The Board assumes supervision of savings and loan holding companies and all subsidiaries thereof. This Act cites specific supervision under the Home Owners Act (12 U.S.C. 1468).

The remaining supervision is divided up between the Comptroller of the Currency and the FDIC. As stated before, the COTC is established inside the private Department of the Treasury. In fact, it states that the Comptroller shall perform duties under the Secretary of the Treasury. The transfer of powers to the Comptroller from OTS is supervision of all Federal Savings Associations. Assuming the rest of supervision, the FDIC picks up all State Savings Associations.

Adding insult to injury for the OTS, as if the dismantling wasn’t enough, the Act leaves no safeguard for current or future suits against the OTS or its directors. It could be construed that perhaps the OTS wasn’t playing nice with the Board, which allowed some retaliatory measures despite allowing conditions of immunity. Continuing on, duties and actions, orders and regulations move to and continue under the Board. Keep an eye out, as the Board is required to publish all continuing regulations in the Federal Register upon the transfer date.

Back to the Office of the Comptroller of the Currency, for purposes of detailing its funding. The Act states that the COTC may charge any entity under section 3(q)(i) of the Federal Deposit Insurance Act (12 U.S.C 1813(q)(i)). The COTC has power to establish amounts by the nature and scope of the entity’s activities, the amount and assets it holds, and its financial and managerial conditions. This pretty much leaves charges up to the Comptroller’s discretion. Duly noted: COTC funds should not be construed as government funds or appropriated monies and are not subject to apportionment for purposes of Chapter 15 of Title 31 of the U.S. Code. The COTC also has the power to enter contracts, execute instruments, and acquire, hold, sell, or lease real property.

The Board of Governors’ funding comes from charging bank holding companies, savings and loan holding companies holding $50 trillion or more, as well as all non bank financial companies under section 13 of the Act. The FDIC may charge for examinations by 12 U.S.C 1820(e).

This part of the Act has over 70 pages of amendments systematically transferring powers in the Banking Enterprise Act of 1991, Bank Holding Act of 1956, Bank Protection Act of 1968, Bank Service Company Act, Community Reinvestment Act of 1977, Crime Control Act of 1990, Depository Institution Management Interlocks Act, Emergency Home Owners Relief Act, Federal Credit Union Act, Federal Deposit Insurance Act, Federal Home Loan Act, Financial Housing Enterprising Financial Safety and Soundness Act of 1992, Federal Reserve Act, Federal Institution Reform, Recovery, and Enforcement Act of 1989, Flood Disaster Protection Act of 1973, Home Owners Loan Act, Housing Act of 1948, Housing and Development Act of 1992, Housing and Urban Rural Recovery Act of 1983, National Housing Act, Neighborhood Reinvestment Corporation Act, Securities Exchange Act of 1934, Public Law 93-100, and U.S.C. Title 18 and 31. From that alone you can imagine how much power was concentrated into the private banking system. It boggles the mind that there are minds out there that have the capacity to manipulate code like that.

Now if that wasn’t enough power for the Federal Reserve System, it establishes within itself the Bureau of Consumer Financial Protection. Sounds nice. It is considered an executive agency under 5 U.S.C. Section 105. Its purpose is to examine and enforce powers to prescribe rules, issue orders, and law under enumerated statutes that include the Alternative Mortgage Transaction Parity Act of 1982, Gramm-Leach-Bliley Act, Equal Credit Opportunity Act, Fair Credit Reporting Act, Home Owners Protection Act of 1998, Fair Debt Collection Practice Act, Home Mortgage Disclosure Act of 1975, Home Ownership and Equal Protection Act of 1975, Real Estate Settlement Procedures Act of 2008, Truth in Lending Act, Truth in Savings Act, Interstate Land Sales Full Disclosure Act, and Omnibus Appropriations Act. For those of you who think this is intended to help consumers, the CFPB has jurisdiction over “persons”, defined in this Act as individuals, partnerships, company, associations (incorporated or unincorporated), trust, estate, cooperative organization, or other entity. As you can see, everything and everyone is fair game for the CFPB, and I will show you why that is most terrifying further along. It is interesting to know that this new bureau’s director will be managing the FDIC. The CFPB also may exercise powers over all Federal laws dealing with Public or Federal contracts, property, works, officers, employees (14th amendment citizens), budgets, or funds. The CFPB implements the Federal Consumer Financial Laws through rules, orders, guidance, interpretations, statements of policy, examinations, and enforcement action. There is also an autonomy clause that allows the CFPB to govern itself without interference. The Board of Governors may delegate to the Bureau the authority to examine [persons] subject to the jurisdiction of the Board.

Funding for the Bureau: the Board of Governors shall transfer a fixed percentage of the earnings of the Federal Reserve System yearly, in this case an increase of 1% for every year for the next 3 years. These funds cannot be subject to review by the committee of appropriations of the House of Representatives or the Senate. There are two funds created for the Bureau. The “Consumer Financial Protection Fund” is held separately in the Federal Reserve System, to be controlled by the Board of Governors. Yet again, this fund is not a government or appropriated fund. The “Civil Penalty Fund” holds penalties and fees assessed against persons in any judicial or administrative action. This fund is also held in the Federal Reserve, and if victims of suits cannot be located for damages, the CFPB is allowed to use it at its discretion.

As a general overview of the Bureau’s powers, the list includes: enforcing Federal Consumer Financial Laws; collecting, researching, monitoring, and publishing information relevant to the functioning of markets; issuing rules, orders, and guidance; issuing exemptions to a class or person conditionally or unconditionally; setting its own rules, i.e. confidentiality of persons in regard to authority; and having access to reports of any Federal agency.

In addition, it may offer reports of tax non-compliance to the IRS commissioner, intervene in civil actions, prohibit rules for retaliation against the CFPB, petition a Federal District Court of the U.S. to prosecute, conduct hearings and adjudication proceedings, make referrals for criminal prosecution, and bring civil actions to compel compliance; the CFPB may commence civil action administratively or by court action. The penalty schedule is as follows: 1st tier is $5,000 per day for violation or failure to pay, 2nd tier is $25,000 per day for reckless engagement in violation, and 3rd tier is $1,000,000 per day for knowing violations.

It is no question that this is a terrifying piece of legislation that has received almost no media coverage or questioning whatsoever. It speaks volumes about what the Federal Reserve System is trying to create in the United States. This has been a systematic exchange of powers from our U.S. Corporate Government to a private autonomous banking system whose sole goal is to rape and pillage the American People of their property and wealth. Although there is some commentary in this research paper, most of its content has come right out of the Dodd-Frank Act. This is scary for the fact that the Federal Reserve cares not to even hide its intentions and goals at this point. The powers have shifted so far as to leave very little to do at this point, and the author has little remedy to encourage besides a shift of consciousness and passing on this information to everyone you know, to ensure that the next generation is prepared to combat what they will grow up in. Andrew Jackson’s words on central banks hold as much truth now as they did then: “if a central bank is ever created in America, through inflation and deflation the bankers will rob the Americans.”