Archive for September, 2014

Even Biometric Locks Can be Picked

How can we ensure that someone is who they say they are? How can we be sure that the person in our system, whether digitally speaking or physically in front of us, is who they claim to be?

You may think that a good password is the answer, but with so many ways to break into a computer system these methods are clearly not always effective – as can be seen from the unfortunate hacked celebrities whose naked pictures were strewn across the internet recently, or the Oleg Pliss ransomware that locks iPhones until the extortioner is paid. Even a combination of a good username and password may not be enough.

An organic alternative to passwords

What about biometrics? This technology uses human physical attributes as locks and keys, such as fingerprints, iris scans or, as is now suggested, the veins in the human fingertip, making them highly individual ways to identify one user from another.

Using biometrics is not especially new. For example, while the likes of iris scanners may be familiar from sci-fi films, they’re also (or were until recently) found in real life airports too. Often mistakenly called retinal scanners, they are based on scanning the unique pattern of the iris, the coloured part of the eye.

But the technology needed to complete an effective and trusted scan is expensive and can be tricked by technologically capable hackers. These are great for entry control systems on the buildings of large organisations, or for the occasional secret bunker seen in films. But they are extremely costly – prohibitively so if a bank was to insist that every customer had one at home – and false readings become a problem as the number of people using it scales.

On the other hand, fingerprint technology has become cheaper and more available – fingerprint scanners are now sufficiently small and accurate that they started appearing in laptops 10 years ago, and are even in small devices like the iPhone 5S. This is one way that banks could allow smartphone and laptop users to access their financial services, with users presenting a finger rather than a passcode.

In fact it’s easy to obtain a range of low-cost scanners for all sorts of authentication uses. But that doesn’t mean the users will like doing so – there are ethical issues to consider, as some UK schools discovered in 2012 when their use of fingerprint scanners to monitor pupil attendance led to an outcry and a government ban without explicit consent from parents.

Read More

Behind a closed door in the administrative area of North Bergen High School sits a huge monitor, upon which are displayed dozens of images from throughout the building and vicinity.

The same images can be viewed by the police in real time at the town’s CCTV monitoring center, or even on handheld devices by school personnel.

A similar scenario applies to all the schools in the district. It’s all part of a $1.4 million effort to keep the school children of North Bergen safe and protected.

“Every time the school system can add a layer of security, whether it’s identification cards or uniforms or cameras, it only helps to increase the level of safety on the campus so that eventually they can meet their real goal, which is to give the best learning environment the students can possibly receive,” said Police Chief Robert Dowd.

As an example, “We had an incident last year where a woman came in demanding that her child was assaulted, and when we went to the video, we found out that her child was actually the aggressor,” said Dowd. “We got a girl who pulled the fire alarm too. It was clear she was the one who pulled the fire alarm.”

From analog to digital

The district first installed cameras in the high school about 12 years ago, at a time when thefts from lockers were common. Initially 65 or so cameras went into the hallways and were eventually increased to nearly 100. The cameras were low-resolution, with grainy images stored on clunky videotapes. Still, they served their purpose.

“As soon as word got around that we arrested people who stole things out of lockers, it was unbelievable how the thefts stopped,” recalled Superintendent of Schools Dr. George Solter. “The other thing was fighting in the hallway between students. We were able to see how the fight started so we were able to discipline appropriately. So the safety of the kids was greatly improved.”

Some incidents were caught even with the previous generation of equipment. “The old cameras were replaced entirely,” said School Business Administrator Steve Somick.

Read More

It’s time to change your Gmail password — again.

Around 5 million Gmail usernames and associated passwords were leaked on a Russian Internet forum on Tuesday.

Thankfully, less than 2 percent of the released combinations, or about 100,000, were real, current username and password pairs, Google’s Spam & Abuse Team wrote in a blog post. Many are old and many don’t match — for example, the user name is for Gmail, but the password is for Facebook.

If your current Gmail password and username were compromised, Gmail would have let you know by now.

“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google wrote. “Often, these credentials are obtained through a combination of other sources.”

Hackers may have gotten these names and passwords from other sites. If you used the same username and password on Gmail as on a site that was hacked, your Gmail could be compromised. We’ve said it before and we’ll say it again: don’t repeat or reuse passwords.

There’s a link being passed around called IsLeaked.com, where you can allegedly check to see if your Gmail was hacked. DO NOT DO THAT!

Some point out that the website launched right before the hacks, and may be a trap to gather more email addresses.

When in doubt, just change your password.

View Source

A single fingerprint, lifted with a pipe cleaner and super glue, has led investigators to reopen a 30-year-old murder case.

The fingerprint was saved for three decades, and thanks to DNA testing, it could be the key that unlocks this case.

“I can’t help believe that somebody does know,” Lois Lawrence said.

Lawrence’s son, Robbie Lawrence, was a teacher and business owner running for Perry County school superintendent.

Robbie Lawrence was projected to win, but the Thursday before the election, he was shot and killed in his own home with a rifle.

Read More

As the trial of alleged Silk Road drug market creator Ross Ulbricht approaches, the defense has highlighted the mystery of how law enforcement first located the main Silk Road server in an Icelandic data center, despite the computer being hidden by the formidable anonymity software Tor. Was the FBI tipped off to the server’s location by the NSA, who used a secret and possibly illegal Tor-cracking technique?

The answer, according to a new filing by the case’s prosecution, is far more mundane: The FBI claims to have found the server’s location without the NSA’s help, simply by fiddling with the Silk Road’s login page until it leaked its true location.

In a rebuttal filed Friday to a New York court and accompanied by a letter from the FBI, the prosecution in Ulbricht’s case laid out an argument dismissing a series of privacy concerns Ulbricht’s lawyers had expressed in a motion submitted to a New York court last month. That earlier motion had accused the government of illegal searches in violation of the Fourth Amendment, including a warrantless search of the Silk Road server, and argued that those privacy violations could render inadmissible virtually all of the prosecution’s evidence. The defense motion also demanded that the government explain how it tracked down the Silk Road’s server, and reveal whether the NSA had participated in that hunt.

IF THE JUDGE ACCEPTS THE PROSECUTION’S EXPLANATION, IT COULD REPRESENT A MAJOR BLOW TO ULBRICHT’S CHANCES OF BEATING THE SEVEN CHARGES AGAINST HIM.

In the latest filing, however, former FBI agent Christopher Tarbell counters Ulbricht’s defense by describing just how he and another FBI agent located the Silk Road server in June of last year without any sophisticated intrusion: Instead, he says, they found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location.

As they typed “miscellaneous” strings of characters into the login page’s entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn’t match any known Tor “nodes,” the computers that bounce information through Tor’s anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road’s CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site.

Read More

For some of us, fall is about to begin and the graduates of the class of 2014 are heading off to colleges across the country. It’s an exciting time — there’s a reason so many people call college the best four years of their lives. You learn so much about the world and yourself. You make lifelong friends. You are an adult without the full responsibility of being an adult.

It’s pretty easy to believe that because you are young and not in the “real world” yet that you are immune to identity theft or credit card fraud. But crime isn’t so choosy about age. College students are actually a prime target for identity thieves because of naiveté. According to University of Colorado—Boulder, only 21 percent of college students are concerned about identity theft. And a lack of concern leads to poor management of financial and personal data, making college students vulnerable to identity theft.

Luckily, managing your identity doesn’t have to be hard. Whether you’re an incoming freshman or a graduate student, here are four simple habits to help you protect your identity.

Read More

The New York Police Department will begin equipping a small number of its officers with wearable video cameras, a pilot program geared toward eventually outfitting the nation’s largest police force with technology that promises greater accountability.

A total of 60 cameras will be deployed in the coming months in five high-crime police precincts, one in each of the city’s five boroughs, Commissioner William J. Bratton said on Thursday.

“It is the next wave,” Mr. Bratton said at Police Headquarters with two officers who wore the small cameras on their uniforms. He likened the introduction of cameras to the rollout, decades before, of hand-held police radios whose crackling codes and blips are now a quintessential part of policing everywhere.

The Axon Flex, an advanced body camera from Taser, can be clipped to an officer’s sunglasses, hat, helmet or epaulettes, and captures a wide-angle view that is close to what an officer sees while on patrol.

A federal judge last year ordered the department to test the cameras for one year in five precincts as a way of evaluating their effectiveness in curbing unconstitutional stop-and-frisk interactions by officers. The court ordered an independent monitor to help set the policy for the cameras, though that order has been delayed pending an appeal.

Mr. Bratton said the department was proceeding “independent of the order” because the subject is “too important to wait.” The announcement also comes in advance of federal guidelines on body cameras worn by the police, expected to be released by the Justice Department in the coming weeks.

The cameras, which attach to the uniforms officers wear on patrol, can offer visual evidence in he-said-she-said encounters between the police and the public. Calls for all officers to wear them have grown after the fatal shooting by a white officer of an unarmed black teenager in Ferguson, Mo., last month.

Darius Charney, a lawyer for the plaintiffs in the stop-and-frisk case, criticized the department’s plans to move ahead on the cameras unilaterally.

“This kind of unilateral decision on the part of the N.Y.P.D. is part of the same uncollaborative, nontransparent, go-it-alone approach to police reform we saw with the prior N.Y.P.D. and mayoral administration,” Mr. Charney, of the Center for Constitutional Rights, said in an email.

Read More

Talk about a suspicious package.

Customs agents seized 20 live giant millipedes hidden inside a box marked “toy car model” that arrived at the mail facility at San Francisco International Airport last week.

The box was shipped from Germany, the U.S. Customs and Border Protection office said, and routed through an X-ray machine. That’s when “agriculture specialists on duty were quick to notice the deception.”

Inside the package was a large plastic foam box and a large mesh bag “containing the foot-long millipedes, along with chunks of soil and paper,” the agency said. They were referred to the U.S. Department of Agriculture Animal and Plant Health Inspection Service for positive identification.

While it is not illegal to import exotic animals — including giant millipedes — the package “lacked required import permits and was misrepresented in an attempt to bypass federal regulations.” It has since been turned over to the USDA Smuggling Interdiction and Trade Compliance office.

It’s the second strange animal shipment to be intercepted by customs officials in recent months.

In July, officials at Los Angeles International Airport seized 67 live African snails the size of hams.

The giant mollusks arrived from Lagos, Nigeria, in packages labeled “Achatina fulica for human consumption,” the U.S. Customs & Border Protection office said. But the snails were deemed “Archachatina marginata,” which the customs agency described as “a very serious threat to our agriculture, natural ecosystem, public health and economy.”

The snails were transferred to the U.S. Agriculture Department.

“They can consume more than 500 types of plants and, if vegetables or fruits are not available, will even eat the paint and stucco off of houses,” officials added. “They can be carriers of several parasites which are harmful to humans, one of which can lead to meningitis.”

View Source

Before companies like Microsoft and Apple release new software, the code is reviewed and tested to ensure it works as planned and to find any bugs.

Hackers and cybercrooks do the same. The last thing you want if you’re a cyberthug is for your banking Trojan to crash a victim’s system and be exposed. More importantly, you don’t want your victim’s antivirus engine to detect the malicious tool.

So how do you maintain your stealth? You submit your code to Google’s VirusTotal site and let it do the testing for you.

It’s long been suspected that hackers and nation-state spies are using Google’s antivirus site to test their tools before unleashing them on victims. Now Brandon Dixon, an independent security researcher, has caught them in the act, tracking several high-profile hacking groups—including, surprisingly, two well-known nation-state teams—as they used VirusTotal to hone their code and develop their tradecraft.

“There’s certainly irony” in their use of the site, Dixon says. “I wouldn’t have expected a nation state to use a public system to do their testing.”

VirusTotal is a free online service—launched in 2004 by Hispasec Sistemas in Spain and acquired by Google in 2012—that aggregates more than three dozen antivirus scanners made by Symantec, Kaspersky Lab, F-Secure and others. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if any of the scanners tag it malicious. But the site, meant to protect us from hackers, also inadvertently provides hackers the opportunity to tweak and test their code until it bypasses the site’s suite of antivirus tools.

Dixon has been tracking submissions to the site for years and, using data associated with each uploaded file, has identified several distinct hackers or hacker teams as they’ve used VirusTotal to refine their code. He’s even been able to identify some of their intended targets.

He can do this because every uploaded file leaves a trail of metadata available to subscribers of VirusTotal’s professional-grade service. The data includes the file’s name and a timestamp of when it was uploaded, as well as a hash derived from the uploader’s IP address and the country from which the file was submitted based on the IP address. Though Google masks the IP address to make it difficult to derive from the hash, the hash still is helpful in identifying multiple submissions from the same address. And, strangely, some of the groups Dixon monitored used the same addresses repeatedly to submit their malicious code.

Using an algorithm he created to parse the metadata, Dixon spotted patterns and clusters of files submitted by two well-known cyberespionage teams believed to be based in China, and a group that appears to be in Iran. Over weeks and months, Dixon watched as the attackers tweaked and developed their code and the number of scanners detecting it dropped. He could even in some cases predict when they might launch their attack and identify when some of the victims were hit—code that he saw submitted by some of the attackers for testing later showed up at VirusTotal again when a victim spotted it on a machine and submitted it for detection.

Read More

Rogue cell phone towers can track your phone and intercept your calls, and it’s only a matter of time before they’re as ubiquitous as GPS trackers. But at least now there’s a way to spot them.

A firewall developed by the German firm GSMK for its secure CryptoPhone lets people know when a rogue cell tower is connecting to their phone. It’s the first system available that can do this, though it’s currently only available for enterprise customers using Android phones.

GSMK’s CryptoPhone 500, a high-end phone that costs more than $3,000 and combines a Samsung Galaxy S3 handset with the CryptoPhone operating system, offers strong end-to-end encryption along with a specially hardened Android operating system that offers more security than other Android phones and the patented baseband firewall that can alert customers when a rogue tower has connected to their phone or turned off the mobile network’s standard encryption.

The problem with rogue cell towers is widespread. The FCC is assembling a task force to address the illicit use of so-called IMSI catchers—the devices that pose as rogue cell towers. But the task force will only examine the use of the devices by hackers and criminals—and possibly foreign intelligence agencies—not their warrantless use by law enforcement agencies bent on deceiving judges about their deployment of the powerful surveillance technology.

IMSI catchers, stingrays or GSM interceptors as they’re also called, force a phone to connect to them by emitting a stronger signal than the legitimate towers around them. Once connected, pings from the phone can help the rogue tower identify a phone in the vicinity and track the phone’s location and movement while passing the phone signals on to a legitimate tower so the user still receives service. Some of the IMSI software and devices also intercept and decrypt calls and can be used to push malware to vulnerable phones, and they can also be used to locate air cards used with computers. The systems are designed to be portable so they can be operated from a van or on foot to track a phone as it moves. But some can be stationary and operate from, say, a military base or an embassy. The reach of a rogue tower can be up to a mile away, forcing thousands of phones in a region to connect to it without anyone knowing.

Read More