Microsoft Windows 7/Vista Law Enforcement Guides

Public Intelligence got a hold of some interesting slides that Microsoft seems to present to law enforcement personnel. Microsoft explains the weaknesses in their privacy/security functions and how law enforcement et al. can leverage them best.

Here are some highlights:

InPrivate

 

Microsoft Law Enforcement Cover Your Tracks

A benefit to law enforcement of InPrivate is that website data for sites added to favorites will be left alone if a box remains ticked.

Microsoft Law Enforcement Tor Project

Not surprisingly, The Tor Project comes up in the presentation (because anyone using Tor must be doing something bad!!), associated with the user name ‘bad guy’.

Microsoft Law Enforcement InPrivate

Common uses of the InPrivate mode include checking e-mail on public computers and “shopping for gifts” on family computers.

Microsoft Law Enforcement InPrivate 3

In a plea to not lose their law enforcement buddies because of the inclusion of these inconveniencing features, Microsoft says that they’re not alone including private browsing functionality, ie. they were forced to do this because the competition was doing it (good job Firefox and Chrome).

Microsoft Law Enforcement InPrivate 2

Bitlocker

Microsoft Law Enforcement Bitlocker

Microsoft says that it’s not all bad, BitLocker isn’t available to any commoner, it “has a number of ‘Recovery’ scenarios that we can exploit”, and that users are scared of encryption.

Microsoft Law Enforcement Bitlocker 2

“We are the good guys!” Who are the bad guys then? The people using encryption/BitLocker?

Microsoft Law Enforcement Forensic First Responders

Virtual PC Undo Disks

Microsoft Law Enforcement Virtual PC Undo Disks

Virtual PC Undo Disks are scary for law enforcement.

Full presentations are here.

How To Counterfeit Money

PhotoShop banknote block

Not with Photoshop (and apparently Paint Shop Pro), or your printer, anyway.

The counterfeit deterrence system

If you try to open an image of specific currencies (and I assume at a specific resolution or higher) in Photoshop, you’ll receive the same error message as above. It’s interesting to note that New Zealand’s money isn’t blocked from being opened. Probably because we’re too busy trying to stop our passports from being counterfeited.

You can test it out using images from Banknotes.com. This one and this one throw up the error for me.

Here is Adobe’s information page on their ‘Counterfeit deterrence system’. What Photoshop is looking for is apparently a Digimarc digital watermark, different from the EURion constellation printers, or at least colour photocopiers look out for.

How to get around it

So what if your counterfeiting plans were going well so far, and now you’re at a standstill because of Adobe? You can use Gimp. It opens banknotes without trouble. So do old versions of Photoshop. And Microsoft Paint.

Why did Adobe think it was a good idea to add this? Counterfeiters will already know that they can use an older version of Photoshop, or use other software to get around this additional ‘feature’ and will be doing that.

All Adobe is doing is pissing off people who are trying to use Photoshop for a legitimate reason.

The Rules For Use website the dialog box directs users to even lists situations where you can reproduce banknotes legally (e.g. at a certain size), but Photoshop blocks opening banknotes full stop.

Why is it included?

Adobe will have had to spend time and money on including this system, with no returns in the form of additional sales. I assume they were pressured to include it, or even paid to include it by the Central Bank Counterfeit Deterrence Group.

Perhaps more concerning is that Adobe apparently has no idea what they have actually included in their software on behalf of the CBCDG:

“The inner workings of the counterfeit deterrence system are so secret that not even Adobe is privy to them. The Central Bank Counterfeit Deterrence Group provides the software as a black box without revealing its precise inner workings, Connor said.”

Secrecy

If you’ve bought Photoshop, were you aware of this system at the time of sale? You bought the software to open and edit images, but there are limitations you wouldn’t have been told about.

Here’s the two places where this system is talked about on Adobe’s website. A forum post and the information post linked to above.Adobe search CDS

Where’s the information page linked to from on Adobe’s website? My guess is not very many places, because they should have come up in the search too.

Printers are in on this too

I tried to print United States banknotes from Banknotes.com too. And the job failed. Here’s a New Zealand banknote that printed (and scanned) fine, with one of the United States notes below, which stopped printing halfway through.

Printing money

Here’s the error message in the print dialog.

Banknote print error reading pixels

Error 9707 seems to be specific to the counterfeit deterrence system, but is only described as “reading pixels failed”.

So I guess every time I print something, either the printer or the driver is all: “IS THIS LOOK LIKE MONEY?! NOPE, SEEMS TO BE A GIRAFFE.”

 

What I wonder is what other, potentially less visible and transparent “features” are being included in systems because of pressure or money?

I don’t want manufacturers including these non-features in their products for me and I don’t want my technology making decisions for me.

Eftpos Terms and Conditions

Credit cards

BNZ specifies an interesting use for your Eftpos card PIN that’s not permitted in their newest card terms and conditions – using it for the lock code on your phone.

1.5 PIN selection
… Your PIN should not be used for any other purpose including your lock/unlock code for your mobile phone.

In the new card letter they also make an interesting comparison of PINs to electronic signatures. But I think their next sentence shows why this is a potentially confusing example to give:

“When selecting a PIN please remember that this is your electronic signature. You must not keep a written record of your PIN, give your PIN to any other person or select a PIN that can be readily associated with you such as birth dates, addresses, parts of telephone numbers, car registrations, sequential numbers (eg 1234, 9999) or any other easily found personal information.”

Signatures are often written down, given away and are made up of personal information. Perhaps there is a better comparison available?

Image credit: Andres Rueda

Follow Up: Personal Information In Emails, Library Edition

Deleting messages

I posted a while ago about a security issue with TelstraClear’s webmail. Mainly that I could access an email account through the referring URL gathered through this blog’s statistics.

This made me think about the personal information that I have in my email account.

The library here in Christchurch includes users’ addresses in the header of all emails that they send out automatically (reminders about due books, holds, etc). I gather libraries around the country do this.

This always struck me as strange, because there’s no need to include this information.

An address isn’t the most private information in the world, but if someone broke into my email account, it’s something I wouldn’t like them to have.

So I asked the library about it. Here’s their response:

“Thank you for your recent query as to why postal address details are included in Christchurch City Libraries customer email notifications.

SirsiDynix, the integrated library system provider used by Christchurch City Libraries, have responded that identical address information is shown on both notification options [email and snail mail] because the reports draw on the same User Address information. Their opinion is that modifying the script to suit emailed notices would harm the report’s ability to print the needed addresses for mailed notices.

Unfortunately in-house report customisation is not currently a viable option because of time and financial constraints but we would certainly re-evaluate should there be further customer demand. We are not aware of any likely changes to the SirsiDynix system in the near future.”

No dice.

Image credit: Fiona Bradley

Clear Webmail Security: A Series Of Unfortunate Events

When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.

Someone visited here by following a link from an email which they accessed using Clear/TelstraClear’s webmail (thank you person who shared my blog with someone, hopefully this post isn’t too discouraging against sharing). With other webmail services, this doesn’t seem to be a problem. However with Clear, it is. Or was.

The Clear referring URL let me access the customer’s emails by clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed). I then had the ability to navigate through the entire folder of emails, see the person’s address book and see their recent contacts.

This isn’t limited to my site, but applies to virtually any site visited through TelstraClear’s webmail.

Authenticity required

What’s in your emails?

This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).

Here’s some examples of information contained in that email account that would be very useful to someone with bad intentions:

  • Unencrypted payslips, with IRD and bank account numbers (Ministry of Education)
  • Shipping notifications, with addresses, phone numbers and courier tracking codes (Apple)
  • Work emails that have made it into a personal email account
  • Information on utilities like address supplied from power company e-bills (Meridian)
  • A broadband activation email, containing username and plain text password to webmail and probably internet access (Hi TelstraClear, again)

Response

The Ministry of Education never got back to me (nor did Apple, however the information in a shipping notification wouldn’t cause the end of the world). Meridian did and the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.

TelsraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.

Not sure if they still send passwords in their broadband activation emails.

Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.

However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.

Because how secure is your personal information?

Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.

Image credit: Dev.Arka