How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning posted to USA law enforcement, listing advanced Google search techniques as indicators of Cyber-Terrorism, is slightly chilling. Thanks to “Sadly, this is not the Onion”, I saw this story. The advanced techniques are old-school ways of ensuring you return only the filtered data you want, in a more accurate manner. Google Dorking, as it’s called in slang, is a method of searching for a specific keyword under specific conditions. For example, to search only the website CNN.com for the keyword LolCats, the query in Dorking terms is: site:CNN.com + “LolCats”.

Sean Gallagher from Ars Technica commented that he believed the notice is meant to be more of a wake-up call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The same story’s commentary also mentions how using advanced Google searches has already landed some reporters in trouble, wrongfully accused of criminal activity due to massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice, if you are in law enforcement agency IT: learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet-exposed assets:

  1. Keep all public-facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Read Apache Security if you are running an Apache web server.
  3. Read How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services, with Security Guidance of IIS Security, if you are running Windows Server.
  4. Best option: Rent space on Amazon AWS or Microsoft Azure; they have DDoS defenses and can get you an inexpensive, new server version up and running. This gets a web server off your network, cheaply, with defenses available, and limits damage to reputation only, with no information leakage. Also, if hardware breaks, there is no interruption for the most part and they fix everything within tight service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze them and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool, but if I wear my Ethical Hacker Hat, I wouldn’t use it before committing a crime. I would move to non-tracking search engines such as DuckDuckGo.com, combined with untraceable connections several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan :) Try a super advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try to limit the amount of data available on your public-facing assets. Please don’t advertise so obviously unless you are running a Honeypot!
  8. If budgets have your IT bogged down, network and pool external resources and contractors. What if four departments could share one full-time, traveling IT Security contractor?
  9. Cover all Web-enabled Cameras when not in use, especially in interrogation rooms!
  10. Read the SANS Diary Internet Storm Center every day and listen to the Podcast.
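
One way to do the metadata review from tip 5 on documents already downloaded from your own domains, as an added example that is not code from the original post or from FOCA: it reads the author, last-editor, software and company fields of Office Open XML files. The sample documents and the names `extract_metadata`, `audit` and `make_sample` are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
FIELDS = {  # package part -> {report key: element naming a person or product}
    "docProps/core.xml": {"author": f"{{{DC}}}creator", "last_modified_by": f"{{{CP}}}lastModifiedBy"},
    "docProps/app.xml": {"software": f"{{{EP}}}Application", "company": f"{{{EP}}}Company"},
}

def extract_metadata(data: bytes) -> dict:
    """Return identifying metadata from one OOXML file (docx/xlsx/pptx)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in FIELDS.keys() & set(pkg.namelist()):
            root = ET.fromstring(pkg.read(part))
            for key, tag in FIELDS[part].items():
                text = (root.findtext(tag) or "").strip()
                if text:
                    found[key] = text
    return found

def audit(files: dict) -> dict:
    """Map file name -> leaked fields; clean or non-OOXML files are omitted."""
    report = {}
    for name, data in files.items():
        try:
            meta = extract_metadata(data)
        except (zipfile.BadZipFile, ET.ParseError):
            continue  # not an OOXML package (e.g. a PDF): needs another parser
        if meta:
            report[name] = meta
    return report

def make_sample(author: str, software: str) -> bytes:  # constructed test document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{CP}" '
                     f'xmlns:dc="{DC}"><dc:creator>{author}</dc:creator></cp:coreProperties>')
        pkg.writestr("docProps/app.xml", f'<Properties xmlns="{EP}"><Application>{software}</Application></Properties>')
    return buf.getvalue()

SAMPLES = {  # constructed inputs, not real documents
    "press-release.docx": make_sample("jdoe.example", "Microsoft Office Word"),
    "scrubbed.docx": make_sample("", ""),
    "flyer.pdf": b"%PDF-1.4 constructed bytes, not a zip",
}
```

Calling `audit(SAMPLES)` reports only the press release, since the scrubbed file has empty fields and the PDF is skipped rather than parsed.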

 

Using Google Dorking or any other advanced internet search is neither illegal nor an indicator of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.

TSA, Opt-out and you’re a “Criminal Hacker” Yippee!

The continuing adventures of the Freedom Fondle and the nerve of some who choose to opt-out

Traveling to and from the USA, even for US citizens, is a challenge. I’m getting used to the “random” SSSS on my boarding pass, and intrusive and wholly inappropriate questions about my work, employer, ethnicity and religion. The accusations of carrying a fake passport because I have an “accent”, otherwise known as traveling whilst Hispanic in the USA. I travel with limited clothing as I expect them to be ripped or otherwise destroyed in front of my eyes, again by Customs and Border Patrol. I stopped carrying anything which could even remotely be confused with the Arabic language. I travel with very limited, encrypted data. My family expects detainment and knows to contact a USA attorney if I don’t check in quickly enough after landing. Today was a new one and rather unexpected. I forgot to expect the unexpected with the TSA.

I opt out when I’m traveling within the United States. This isn’t an option when flying from Europe to the USA due to an underwear-obsessed, idiotic terrorist; but it is an option, and a right, whilst traveling within the USA borders. As per usual I arrived in plenty of time for my flight, checked in and got in the security theater TSA line for the shredding of my 4th amendment rights. As I approached the full body scanner I politely informed the male officer I wished to opt out. Without engaging with any other ancillary officers, I waited patiently to be freedom fondled in full public view. Standing up for your rights sometimes involves strangers groping my private parts, and I can live with that.

The female TSA officer by the scanner decided to loudly voice her opinion of those who opt out. Standing by the full body, 4th amendment dissolving scanner, she explained to her male co-worker, at a volume all in the area could clearly hear, a rant on how “all these criminals, so-called hackers, are a bunch of useless posers who should be in a jail cell not flying or pulling their BS by opting out”. For a few minutes she continued to spew her utter ignorance in an attempt to intimidate and humiliate me. I had no choice but to listen; the other passengers being screened had to as well. I wore no identifiable “hacker” shirt, just glasses and my usual pile of technology. My jacket was from an off-Broadway play, Avenue Q, and I wore glasses. I guess glasses, computers and opting out are now a sure sign you are a criminal hacker that should be thrown into jail. I must have looked dangerous in my -7.00 bottle-thick glasses!

Hopefully the situation will have a somewhat happy ending. When my freedom fondling by a different TSA officer began, I explained I wished to file a complaint, in writing, as soon as her glove was off. I was sent to a very understanding and sympathetic supervisor. After explaining I had absolutely no verbal or other engagement with the verbally abusive officer, I was given a form, the officer’s full name and a very friendly verbal acknowledgment that no TSA officer should act in such a verbally abusive manner. As many of the passengers on my flight heard the comments whilst being screened, I didn’t have to engage in any flight chit-chat. An added bonus for being labeled a criminal prior to boarding an airplane (?)

Not all the TSA are bad, just enough to taint the organization and cause disrepute to the actual honest, hard-working agents. Hopefully my written complaint will be taken. Hackers are not criminals, nor are those who opt out. Those in government positions who choose to openly attempt to intimidate people into giving up their rights are.

We are the Cavalry!