[This is a post about security and privacy. In this post, I speak about what could go wrong if you do not properly secure your computer, and my thoughts about encryption and privacy.]
I am reviewing a case where a group of “zombie” infected computers have been hacked to work together (a “botnet”), and it appears as if the courts are going after ZeroAccess as the crime ring behind the botnet. In my readings, a federal judge has blocked the IP addresses belonging to ZeroAccess-infected computers because they allegedly directed many of their millions of infected computers to click on a number of paid ads, where the advertisers using Google, Bing, and Yahoo! have paid out an estimated $2.7 Million per month from the ad revenue generated as a result of these clicks. The lawsuit is for what is known as “click fraud,” and it got me thinking about 1) the application to the bittorrent lawsuits, and 2) to privacy and security in general.
While I have NO REASON to think the following is happening, it is completely plausible that one or more “infected” computers could be directed to connect to various bittorrent files without the computer owners being aware of the “zombie” status of their computers (e.g., the software is being run as a service, or minimized without an icon showing on the desktop). While the connections to the bittorrent swarms are happening, the copyright trolls could be “coincidentally” monitoring the bittorrent swarms as the downloads are happening unbenownst to the computer owner. When the copyright holders (“copyright trolls”) send the DMCA letters to the ISPs, or when they file John Doe copyright infringement lawsuits against the subscribers, the ISPs would correctly confirm and coroborate that it was the subscriber’s ISP who was connected to the bittorrent swarm at that particular date and time, and the problematic conclusion would be that it was the subscriber who downloaded the file. And, when the download was complete, even though the malware would likely “cover its tracks” by deleting all traces of itself, it would be programmed to leave the downloaded copyrighted file in some obscure randomized file folder on the subscriber’s computer to be “conveniently” found by the forensic examiners during the lawsuit. I understand that malware could also actually alter the computer’s logs based on analyzing the computer owner’s past browsing history and program usage (most people do not clean this) to make it look as if it was the ACCUSED SUBSCRIBER who was “at his computer at the time of the download.” This could all happen without the knowledge of the subscriber being aware that the computer was infected with the malware or that the illegal downloads were taking place.
While this feels a bit sci-fi’ish, and again, I have no reason to think this is actually taking place, the technology is certainly around for this to happen. I have personally watched enough podcast videos on Hak5 demonstrating how this could be done, and I could figure out ways to alter the malware program to gain administrator access to the computer and change the system logs on the computer before deleting itself. If someone as simple as me could figure out how to do it, for sure the more crafty ones will eventually stumble onto this scheme as well. For this reason, I am writing this article as a warning to take your computer’s security and your online privacy seriously, and here are the simple steps I would take if it were my own computer.
Step 1: Don’t balk, but make sure you have antivirus software and anti-malware software running on your machine. Also make sure your software and virus definitions are up to date. I have my personal favorites as far as software goes, but quite frankly, free or paid software both do their job fine. There are many free anti-malware programs out there, so make sure the one you use is not malware itself. For free malware detection, I find SuperAntiSpyware and MalwareBytes to be sufficient.
Step 2: Protect your identity and your browsing habits. This depends on how much “tin hat” you want to go, but I personally use JonDoFox’s version of the Firefox browser. There is a STEEP learning curve to use it (meaning, the add-ons will initially break most of the websites you use, and most websites need to be configured once before you get it the way you like it), but in my opinion it is worth the effort to learn. You can check your current browser security at http://ip-check.info/ (by the way, I do not use JonDo anonymization software because they charge by the actual usage; rather, I opt for the less secure route of encrypting my traffic using a secure VPN provider). On the flip side, for convenience, I also use Comodo Dragon Chrome which is a faster, less secure browser, but I have many add-ons that I’ve installed (e.g., Scriptsafe, AdBlock Plus, etc.), and I keep the software running in the Sandboxie software. That way, if some critter gets past my defenses (e.g., think, “CryptoLocker,” or other ransomware which encrypts your files and charges you hundreds of dollars in bitcoins as ransom to decrypt them), it won’t get access to my hard drive files.
Step 2.1: This belongs to the previous step, but encrypting your traffic is very important. There is a phrase, “I have nothing to hide… from people I trust,” and I stand by that phrase. With the NSA and government snooping, and the ISPs watching your every move, regardless of whether you are doing something wrong or not, it is a smart idea to not give all of your shopping and browsing activities to your ISP and to Uncle Sam. There are also many commercial trackers and social networks who track you for commercial purposes as well — everything I say above applies for them too.
Step 3: Secure e-mail, secure chat… The best way to protect your e-mail is to encrypt it. Unfortunately, e-mail by its nature is insecure, and even if you encrypt the contents of your e-mail, the METADATA (e.g., your own e-mail address, to whom you are e-mailing, the time and date of your e-mail, along with the geolocation of you IP address you use to connect to the e-mail server, etc.) remains exposed. The only foolproof way I know to encrypt e-mail is to use Pretty Good Privacy (PGP) software. The problem is that it is simply inconvenient. In order to encrypt your e-mail, you need to not only setup and share your own public and private keys, but you need to find and look up the keyrings of those you want to communicate with. While there are attempts to incorporate encryption into e-mails (e.g., projects such as gnupg), the average person does not encrypt their e-mails, and trying to get everyone to do so is just an exercise in futility. Plus, we know that the NSA saves encrypted e-mails for the sole purpose of trying to “break” the encryption because “if you use encryption, you are presumed to be using it for a criminal purpose.” Thus, I am unhappy with the current state of technology with the adoption of encryption for sending e-mails, but for the time being, this is the way it is.
Secure chat is very easy, and there are many convenient ways to encrypt your instant messages. Whether you are using the Pidgin software with the encryption plug-in, or whether you are using Cryptocat or any of the secure chat softwares readily available for the PCs, iPhones, and Androids, achieving perfect security is very doable. For me, I do not encrypt my e-mails, and whenever I have a friend or peer who has the capability to encrypt our chat sessions, I have him do so just for the “geeky” fun excitement of it.
Step 4: Keeping your own computer clean and neat. Your Microsoft Windows operating system keeps logs of pretty much everything you do, and it is specifically the failure to clean up after yourself which can give malware the chance to impersonate you. Similarly, by not regularly cleaning up after yourself, should you one day face a lawsuit, a forensics expert can glean an ungodly amount of information about you, your whereabouts on a certain date and time, and your activities (e.g., whether you were surfing the web or writing a text file, and, which text file you were writing at that particular time and date) just by reviewing your logs. Now I personally do not trust my Microsoft Windows operating system not to “spy” on me, and if I had it my way, I’d run a Linux operating system (I have in the past, and I may in the future), but for the time being, be aware that the “privacy” settings in Windows stops NOBODY from snooping on you. I have not figured this one out yet (especially since most of my law firm’s software are Windows-based), but Windows is simply a minefield of privacy leaks and data you don’t want about yourself recorded and logged.
While this is certainly not even close to a solution, I run CCleaner from Piriform regularly to clean up the logs and to keep my computer relatively clean. I would love to delve into the depths of my operating system and tweak certain settings to shut off the “phone home” leaks in my system — I simply do not have the time, the “tin hat” motivation, or the skill to do so.
Step 5: Lastly (and there are probably a million other steps I could take, but I like to keep things simple). I encrypt my hard drive data 1) in my computer, 2) outside of my computer (e.g., external drives and thumb drives), and 3) in the cloud. There are many ways to do this, most popularly is the “TrueCrypt” software. If you cannot encrypt your drives (I cannot, since my computer is a Windows 8 machine and TrueCrypt has not figured out how to encrypt UEFI systems yet), then create a large container, and set up your programs (e.g., Thunderbird Mail) to store your files in your encrypted container. Better yet, install the program onto the encrypted drive so that it is not in your C:\Program Files folder. That way, if your computer is ever stolen or lost, your programs and your data will remain unusable and encrypted. I often take this one step further and have Windows configured (to the extent possible) to use the encrypted drive to store my “Desktop” and my “My Documents” folder. Thus, if I do not unlock the encrypted drive when I first log in, my computer does not work properly, and I get a blank desktop. Along with this, my computers have log-in passwords which I have activated before the operating systems even boot. I have this running because even little me knows which piece of software one can run to bypass the password on Microsoft Windows machines.
In sum, you could take privacy to an extreme. The best privacy is the “trust no one” type of privacy. For some cases (e.g., our cloud storage backup servers are “trust no one,” meaning not even the company who hosts our data has the keys to unencrypt the encrypted data which is stored on their servers), using the best security is feasible and doable. But there are limits and there are sacrifices to your privacy, and it usually comes at the benefit of having more convenience. Truly, the most secure password is one not stored in a text file, or written on a piece of paper, but one that is in someone else’s head (not even your own). The best security is not using a computer or connecting to the internet at all. Then again, that is not feasible to most of us who live in the internet. However, learning to take steps to protect your privacy (within reason) can only work towards your benefit.