On Q Professional Investigations

The tech entrepreneur Ross McNutt wants to spend three years recording outdoor human movements in a major U.S. city, KMOX news radio reports.

If that sounds too dystopian to be real, you’re behind the times. McNutt, who runs Persistent Surveillance Systems, was inspired by his stint in the Air Force tracking Iraqi insurgents. He tested mass-surveillance technology over Compton, California, in 2012. In 2016, the company flew over Baltimore, feeding information to police for months (without telling city leaders or residents) while demonstrating how the technology works to the FBI and Secret Service.

The goal is noble: to reduce violent crime.

There’s really no telling whether surveillance of this sort has already been conducted over your community as private and government entities experiment with it. If I could afford the hardware, I could legally surveil all of Los Angeles just for kicks.

And now a billionaire donor wants to help Persistent Surveillance Systems to monitor the residents of an entire high-crime municipality for an extended period of time––McNutt told KMOX that it may be Baltimore, St. Louis, or Chicago.

McNutt’s technology is straightforward: A fixed-wing plane outfitted with high-resolution video cameras circles for hours on end, recording everything in large swaths of a city. One can later “rewind” the footage, zoom in anywhere, and see exactly where a person came from before or went after perpetrating a robbery or drive-by shooting … or visiting an AA meeting, a psychiatrist’s office, a gun store, an abortion provider, a battered-women’s shelter, or an HIV clinic. On the day of a protest, participants could be tracked back to their homes.

In the timely new book Eyes in the Sky: The Secret Rise of Gorgon Stare and How It Will Watch Us All, the author Arthur Holland Michel talks with people working on this category of technology and concludes, “Someday, most major developed cities in the world will live under the unblinking gaze of some form of wide-area surveillance.”

At first, he says, the sheer amount of data will make it impossible for humans in any city to examine everything that is captured on video. But efforts are under way to use machine learning and artificial intelligence to “understand” more. “If a camera that watches a whole city is smart enough to track and understand every target simultaneously,” he writes, “it really can be said to be all-seeing.”

Read More

At least two Calgary malls are using facial recognition technology to track shoppers’ ages and genders without first notifying them or obtaining their explicit consent.

A visitor to Chinook Centre in south Calgary spotted a browser window that had seemingly accidentally been left open on one of the mall’s directories, exposing facial-recognition software that was running in the background of the digital map. They took a photo and posted it to the social networking site Reddit on Tuesday.

The mall’s parent company, Cadillac Fairview, said the software, which they began using in June, counts people who use the directory and predicts their approximate age and gender, but does not record or store any photos or video from the directory cameras.

Cadillac Fairview said the software is also used at Market Mall in northwest Calgary, and other malls nationwide.

“We don’t require consent, because we’re not capturing or retaining images,” a Cadillac Fairview spokesperson said.

The software could, for example, say approximately how many men in their 60s used the directory, but not store images of those men’s faces or collect any other biometric data, the spokesperson said.

Instead, they said the data is used in aggregate to understand directory usage patterns to “create a better shopper experience.”

The use of facial recognition software in retail spaces is becoming commonplace to analyze shopper behaviour, sell targeted space to advertisers, or for security reasons like identifying shoplifters.

Read More

“The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.”

Read More

What do more than 870,000 students across the nation have in common?

Since 2012, they have all completed the FBI’s Safe Online Surfing (SOS) Internet Challenge. Available through a free website at https://sos.fbi.gov, this initiative promotes cyber citizenship by teaching students in third through eighth grades how to recognize and respond to online dangers through a series of fun, interactive activities.

Anyone can visit the website and learn all about cyber safety, but teachers must sign up their school to enable their students to take the exam and participate in the national competition. Once enrolled, teachers are given access to a secure webpage to enroll their students (anonymously, by numeric test keys) and request their test scores. E-mail customer support is also provided. Top-scoring schools each month are recognized by their local FBI field office when possible. All public, private, and home schools with at least five students are welcome to participate.

Now entering its fifth season, the FBI-SOS program has seen increased participation each year. From September 2015 through May 2016, nearly a half-million students nationwide finished the activities and took the exam. We look forward to even more young people completing the program in the school year ahead. The challenge begins September 1.

Read More

“Today, the FBI’s Internet Crime Complaint Center (IC3) is embarking on a campaign to increase awareness of the IC3 as a reliable and convenient reporting mechanism to submit information on suspected Internet-facilitated criminal activity to the FBI. As part of the campaign, digital billboards featuring the IC3’s contact information are being placed within the territories of a number of Bureau field offices around the country.

While the number of complaints being reported to the IC3 did increase in 2015 from the previous year, anecdotal evidence strongly suggests that there are many other instances of actual or suspected online frauds that are not being reported, perhaps because victims didn’t know about the IC3, were embarrassed that they fell victim to a scammer, or thought filing a complaint wouldn’t make a difference. But the bottom line is, the more complaints we receive, the more effective we can be in helping law enforcement gain a more accurate picture of the extent and nature of Internet-facilitated crimes—and in raising public awareness of these crimes.

The FBI field offices taking part in the billboard campaign include Albany, Buffalo, Kansas City, Knoxville, New Orleans, New York City, Phoenix, Oklahoma City, Salt Lake City, and San Diego. They were selected because they house multi-agency cyber task forces that participate in an IC3 initiative called Operation Wellspring. This initiative connects state and local law enforcement with federal cyber resources and helps them build their own cyber investigative capabilities, which is important because not all Internet fraud schemes rise to the level necessary to prosecute them federally. We hope to expand Operation Wellspring to other FBI offices in the future.”

Read More

If your evidence room contains any digital evidence on VHS tapes, it should be digitized as soon as possible

In this day and age, you’d probably be as surprised as we were to learn that many law enforcement agencies around the country are still using VHS tapes to store digital evidence. Most police departments have already stopped using VHS tapes, but still maintain a lot of old digital evidence, some of which is crucial, on VHS tapes. A few months ago, we published a blog post about the Problems with using CDs/DVDs to store digital evidence and today we thought it’s important to mention few of the problems you will face in the near future if you continue to use VHS tapes.

1. There is no real of custody for digital evidence as far as who has viewed the tapes or who has copied them. While you probably have a chain of custody for the VHS tape itself, that’s simply not enough.

2. There is no security. Once the VHS tape (or a copy) leaves the evidence room, you have no control over what happens to it. Imagine the embarrassment if a sensitive recording were to show up in the press or on YouTube.

3. There is no way to verify authenticity. Tapes could be altered before being copied to another tape and no one would ever know.

4. It can be tough to manage the digital evidence on large cases. For example, you receive multiple tapes from a crime scene, then, a few days later, more tapes arrive from the lab or from a search warrant.
Later on you receive videos from multiple suspect interviews. There are a lot of labeling considerations just to keep it all straight. It can be particularly challenging when investigators or prosecutors want to review the digital evidence. You’ll have to sort through all of those tapes and try find the exact ones you need, then go through the time consuming dubbing process.

5. Cross referencing one case with another or sharing a single piece of evidence between related cases is complicated.

6. The labor involved can be intensive. Even when the case is closed you still need to dispose the related physical evidence.

7. One little known technical problems with VHS tapes is that they go bad and become unusable after a certain period of time. Losing digital evidence might be catastrophic to your case and you will have to make new copies of VHS tapes for each case every 2-3 years just to preserve the evidence on them.

8. VHS tapes players are very rare in the marketplace today. What if yours breaks and you need to play that tape 5 years from now? Will you even be able to find a player by then?

9. Having any VHS tape close to any magnetic field will destroy the tape in a very short period of time.

Read More

When you start your first day at Quartz, you get peppered with passwords.

There’s a password to log into your new Mac, which you are immediately prompted to change once you’re up-and-running. The new password allows you log into your email. Once there, you are invited to join our password protected—with double-authentication—CMS. It’s not much of an exaggeration to say your first Quartz workday consists largely of password management.

I had that in mind, as I helped a new hire settle in on Monday. So, I urged him—repeatedly—to take a moment and sign-up for a password client that I had used to help me beat my own long-standing struggle with password amnesia: LastPass. For months, the service, which essentially creates an encrypted vault of all your passwords and protects it with a master password, had made my life much better.

Until Tuesday morning. That’s when I received an opened an from LastPass indicating that the service had been compromised, and that some sensitive information—including email addresses, password reminders—had been taken. For its part, LastPass says its “vaults” where users keep their passwords to various sites and applications were not compromised.

“So no data stored in your vault is at risk,” officials said. But I still had to explain this to the guy I had convinced to use it less than 24 hours before.

A recent survey commissioned by Telesign—a company that sells two-step verification technology—found that roughly 70% of 2,000 people in the UK and US they surveyed don’t trust that their password will protect them. They shouldn’t. After all, it’s abundantly clear that we are living in an era of profound data insecurity.

I mean, Russian hackers read President Obama’s unclassified email. And just to review, over the last few months alone we’ve learned that hackers have breached not only the White House, the but the IRS and the Federal government’s office of personnel management, where they perused—among other things—the form people fill out as they apply for security clearances.

What’s more, today we learned that the FBI is investigating front office officials from the St. Louis Cardinals in connection with hacking into the Houston Astros’ “baseball operations database.” The New York Times reports:

Investigators believe Cardinals officials, concerned that [former Cardinals executive, and current Astros general manager Jeff] Luhnow had taken their idea[s] and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

There’s a reason why hackers—whether they be associated Red China or the St. Louis red birds—aim for passwords. Long ago, we reached the human limits of our ability to remember them. The human mind has pretty strict limitations on remembering long sequences numbers and letters. (Essentially it’s about seven items, plus or minus two.) And they’re best remembered when they’re in familiar chunks, you know, like letters in words. This is why consumers have an average of 24 online accounts, but only about six unique passwords, according to the Telesign study.

In other words, passwords aren’t the problem. We are.

And humans will remain the problem until we get to the post-password era.

Over the next few years we’ll increasingly be authenticating ourselves not with passwords, but with our fingerprints, faces, irises, retinas, palm-prints and speech patterns. But humanity still presents profound engineering problem.

“Passwords or tokens are easy to change while it is compromised. But, biometric traits are inherent and fixed forever, that is, the biometric data is irrevocable,” wrote academics in a paper published in April.

If you think the resetting your password is a pain, trying resetting your fingerprint.

Engineers are addressing the problem, coming up technologies that enable cancelable crypto-versions of our biometric data that can be reset. But I can’t help but be overcome by the suspicion that that the digital world might just work a lot better if it didn’t have to put up with all these people.

View Source

SEVEN YEARS AFTER the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.

“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.

Read More

The controversy surrounding former Secretary of State Hillary Clinton’s email has brought data destruction to the forefront of the national conversation. Clinton used a server housed at her New York residence for her personal and official emails and online communications while she was at Foggy Bottom Lawmakers investigating the 2012 death of an ambassador in Libya have been concerned that official government emails from Clinton that might assist in the investigation were deleted despite assurances from Clinton that she turned over all emails pertaining to government work to the State Department.

Now reports say Clinton “wiped the server,” deleting all emails. But how easy is it to permanently wipe data from servers or storage media? According to experts who were interviewed recently by the Washington Post, the congressional committee charged with investigating the U.S. ambassador’s death in Benghazi might still be able to obtain Clinton’s deleted emails – in the event they can access the server.

Provided Clinton simply hit the delete button on her emails, they probably still exist. Files are not permanently deleted when a user hits the delete button. “Instead, the pointer the computer uses to find the file is removed, and the computer treats the space on your hard drive as reusable,” explained the Post. Though, depending on the amount of activity one performs on a device, data that is randomly stored could replace deleted items as it needs the space. Typically, additional steps must be taken in order to permanently delete items from a server.

If experienced experts were able to access Clinton’s server with the intention of retrieving emails, they might create a “physical forensic image,” which “creates an ‘identical, bit-by-bit, zero-by-zero copy of the original hard drive,’” the Post reported. This step is used to view the emails as they would appear in a read-only format preventing alterations. Following the physical forensic image, experts might attempt to locate and extract databases that house emails and then conduct a forensic analysis of unallocated spaces within those databases.

Read More

Apple’s current Find My Friends feature could one day expand into more of a Track My Friends feature.

Granted to Apple on Tuesday by the US Patent and Trademark Office, a patent called “Sharing location information among devices” describes a procss that would let you view a visual representation of the path taken by another person using a mobile device as a way of following that person’s entire journey.

For example, someone is going for a hike or a trip and wants you to stay informed of his or her whereabouts. That person would enable a feature on a mobile device to allow you to see and track in real time the path being taken on your own mobile device or computer. On the flip side, you could also share your route so the two of you can stay abreast of each other’s ongoing location.

Apple already offers a feature called Find My Friends, which lets you find the specific location of another person via his or her iPhone or iPad. But Find My Friends is geared more toward pointing you to a specific spot, whereas Apple’s patented invention allows for path tracking, or following several points along a specific route.

As described in the patent, your respective devices could also share mapping directions so that you and your friend would be able to easily find each other via your mobile devices. Even further, your devices could tap into a “mirroring” mode that would replicate the view seen on each other’s respective devices.

The system would rely on GPS for navigation purposes but could enable communication between the devices via a cellular network, Wi-Fi or Bluetooth. Assuming both you and your friend had a sufficient signal, cellular would obviously be the most efficient technology as it would allow for the greatest distance between the two of you.

Read More