CD-ROMs and DVDs and USB flash memory media

If your whistleblowing documents are too large to fit onto a floppy disk, e.g. because they contain lots of digital photos, video or audio clips, then you might be tempted to write them to a CD-ROM or DVD disc or to USB flash memory media (USB memory sticks, MP3 players, digital camera or mobile phone removable memory etc.). That can be OK, if you remember that:

  1. CD-ROM and DVD discs are excellent for taking fingerprint impressions and DNA samples, which may betray the identity of a whistleblower or a courier who has physically handled them or their plastic packaging.

  2. Most CD-ROM or DVD writer equipment sold since 1995 contains an industry standard mandated (.pdf) Serial Number called a Recorder Identification Code (RID), which is in three parts, denoting the Manufacturer, the Model, and a 20 bit Serial Number uniquely allocated to each recorder. The RID was introduced as a sop to the powerful music and film industry lobbyists seeking to commercially exploit copyrighted material.

    This RID is burnt into each CD-ROM or DVD disc which the writer copies. This serial number may provide evidence matching a whistleblower's home or office computer to a leaked copy of documents or photos or videos etc. on a seized or intercepted CD-ROM or DVD.

  3. Given the difficulty (or, with some of the technologies, the virtual impossibility short of physical destruction) of securely erasing or genuinely overwriting data files, a whistleblower should use a fresh "virgin" blank, or at least a low level formatted, floppy disc, CD-ROM, DVD or flash memory device on which to copy their whistleblowing leak documents or other video or audio data files. This applies even if these files are themselves protected with strong encryption or with steganographic techniques which embed the data hidden within, say, graphics or music files.

USB keys and SmartMedia

These are useful to spies or to whistleblowers, for smuggling out electronic copies of documents. Given the size of the memory capacity these days, which is often larger than hard disks of only a few years ago, a very large amount of data can be carried.

They are small and easy to hide, and can also legitimately be hidden in mobile phones, digital cameras or MP3 music players etc.

  1. Some Government Departments e.g. the UK Ministry of Defence do tend to use modified operating systems software which controls access to floppy disk drives, CDROM, DVD or USB devices, either totally preventing their use, or logging all such uses to a central audit server.

    We suspect that not every desktop PC in the Home Office is protected in this way.

  2. The use of USB memory or other USB connected devices, e.g. an Apple iPod or other MP3 player, leaves a trail on the Windows computer to which it was attached, e.g. you can see a list of such devices which have been connected successfully to a particular PC running Windows XP via the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.

  3. Some US government departments and agencies, like the Department of Homeland Security (DHS), use the National Security Agency (NSA) developed USBDetect scanning software (see page 13 of this 2008 report, Review of DHS Security Controls for Portable Storage Devices (.pdf)), which centrally audits the Registries of connected Windows computers, looking for the Registry traces of USB devices. Such software can only detect "policy violations" and it "does not identify if USB devices are currently connected, nor if any sensitive information was copied".

  4. If you have permission to access the Registry on the computer, you can, of course, delete the entries generated by your use of a particular USB device. However, most corporate or government PCs will have this sort of access restricted to privileged systems administrators only, so a whistleblower should make sure that they are not using an unusual brand of USB device which stands out from the crowd of entries which might plausibly be found in that environment.

  5. USB memory devices (and also CD-ROM or DVD devices) leave traces of their use in the Windows Registry. It is even possible to correlate the amount of data transferred with the time taken to transfer it, to narrow down or even specifically identify the make and model of USB device used.

    This may be enough of a clue to "leak investigators", although this experimental technique is certainly not yet established in Court for legal evidential purposes.

    See this New Scientist article

    USB fingerprints identify 'pod slurping' data thieves

    * 16 February 2010 by Paul Marks

    [...]

    Vasilios Katos and Theodoros Kavallaris at the Democritus University of Thrace in Komotini, Greece, have been testing every make and model of USB stick and iPod/iPhone. They have discovered that each one has a distinctive transfer rate when copying data from a PC's hard drive (Computers and Security, DOI: 10.1016/j.cose.2010.01.002). This is due to the differences in the microcircuitry and components that go into making each type of device.

    They are able to find out if files have been copied by consulting the Windows registry, which records the make and model of every USB device plugged into that computer with a time stamp. The pair then check all document folders for any files that were accessed shortly after the USB device was plugged in - the computer registry counts copying as file access.

    When they find a folder they suspect has been copied, they list the times the files within it were accessed. If the total time it took to access all the files matches the transfer rate of a particular USB stick or iPod plugged into the PC at that point, then it is fair to assume a pod-slurping attack has taken place.

    Kavallaris is writing a program to automate the process of trawling the Windows registry to work out which files have been copied to a USB stick.

    [...]


  6. Deliberately "erasing" the "whistleblower files" stored on USB memory sticks, Digital Camera or MP3 music player memory devices, which can then be recovered with file recovery utilities (e.g. those designed to recover accidentally erased Digital Camera images, such as PhotoRescue) once the whistleblower is in a safe place, may well be enough to let a whistleblower smuggle out copies of sensitive documents past cursory security checkpoints.

  7. Depending on the operating system and the particular settings on your PC, USB memory devices may have a local Trash or Trashcan folder on the USB device itself, in addition to the main one on the computer Desktop. Sometimes this is a Hidden folder or directory on the USB memory device, e.g. Apple Mac OS X and Ubuntu Linux.

  8. However, if you are caught with a USB key or MP3 player or SmartMedia memory stick or card which uses Flash Memory, bear in mind that these are nigh on impossible to securely erase electronically, and there is a good chance that data on them, even if "deleted", can be forensically recovered.

  9. It is even possible for USB Flash memory data to eventually be permanently "burned in" to memory cells, which cannot then be erased. There are also "wear leveling" and "block write" algorithms, which may fail to physically overwrite crucial data which you are trying to erase. Therefore do not store your PGP Private Keyring or other vital data on unencrypted USB Flash memory. See the Wikipedia article on Flash Memory.

  10. Older operating systems like Windows 98 or Windows 2000 require that you Stop the USB memory device before you physically remove it, otherwise the latest data which you have tried to save, overwrite or erase may not actually get written from the memory buffers into the Flash Memory cells, since this tends to use "block writes", rather than random access writes, to the individual memory cell locations. Obviously this can also lead to supposedly erased or overwritten or amended files not being updated properly, if the USB Flash Memory device is simply yanked out of the slot in a hurry.

  11. We hope to publish information on the levels of risk for (in)secure data erase behaviour of different types of USB or other SmartMedia. See the File Deletion hints and tips section.

    c.f. this academic paper:

    Reliably Erasing Data From Flash-Based Solid State Drives
    Michael Wei∗, Laura M. Grupp∗, Frederick E. Spada†, Steven Swanson∗
    ∗Department of Computer Science and Engineering, University of California, San Diego
    †Center for Magnetic Recording and Research, University of California, San Diego

    https://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf


  12. Obviously, sometimes the all too common failures of CD-ROM, DVD and USB data handling security, by government or corporate employees, are themselves the actual source material for whistleblower leaks.
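The correlation described in items 2 and 5 above (Registry device records matched against file access times), sketched as an added example for forensic review; it is not code from this blog or from the Katos and Kavallaris paper. The device key names, transfer rates and timestamps are constructed, and it assumes each access time marks the moment that file's read began.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# All sample data below is constructed for illustration.
# (USBSTOR device key name, time the device was connected)
USB_EVENTS = [
    ("Disk&Ven_ExampleCo&Prod_FlashA&Rev_1.00", "2010-02-16 09:00:00"),
    ("Disk&Ven_SampleInc&Prod_PlayerB&Rev_2.10", "2010-02-16 14:30:00"),
]
# Hypothetical measured write rates per (vendor, product), in MB/s.
PROFILES = {("ExampleCo", "FlashA"): 5.0, ("SampleInc", "PlayerB"): 12.0}
# (path, size in MB, last-access time) for the files in one folder.
FILE_ACCESS = [
    ("docs/a.pdf", 10.0, "2010-02-16 09:01:00"),
    ("docs/b.pdf", 20.0, "2010-02-16 09:01:02"),
    ("docs/c.pdf", 15.0, "2010-02-16 09:01:06"),
    ("docs/d.pdf", 5.0, "2010-02-16 09:01:09"),
]
KEY_RE = re.compile(r"^Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^&]*)$")

def parse_usbstor(name):
    """Split a USBSTOR device key name into (vendor, product, revision)."""
    m = KEY_RE.match(name)
    return m.groups() if m else None

def observed_rate(accesses):
    """MB/s implied by the access times (assumes each marks the start of a read)."""
    rows = sorted((datetime.strptime(t, FMT), mb) for _, mb, t in accesses)
    if len(rows) < 2:
        return None
    span = (rows[-1][0] - rows[0][0]).total_seconds()
    # The last file's own copy time is unknown, so its size is left out.
    return sum(mb for _, mb in rows[:-1]) / span if span > 0 else None

def correlate(events, accesses, profiles, window=timedelta(minutes=10), tol=0.15):
    """List devices connected shortly before the accesses whose rate fits."""
    rate = observed_rate(accesses)
    if rate is None:
        return []
    first = min(datetime.strptime(t, FMT) for _, _, t in accesses)
    hits = []
    for key, when in events:
        dev = parse_usbstor(key)
        expected = profiles.get(dev[:2]) if dev else None
        delay = first - datetime.strptime(when, FMT)
        if expected and timedelta(0) <= delay <= window \
                and abs(rate - expected) <= tol * expected:
            hits.append((dev[0], dev[1], round(rate, 2)))
    return hits

if __name__ == "__main__":
    print(correlate(USB_EVENTS, FILE_ACCESS, PROFILES))
```

The method depends on last-access timestamps being recorded at all; NTFS last-access updates are disabled by default on many Windows versions, in which case this evidence is not available.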

The Daily Telegraph reports that the former MI6 employee Daniel Houghton, who is being tried under the Theft Act and the Official Secrets Act, for ineptly trying to sell alleged MI6 and MI5 "intelligence gathering techniques" secrets to undercover UK counter intelligence agents, used this USB technology to smuggle out and store the alleged top secret and secret documents:

Spycatchers trap MI6 man 'trying to sell secrets'


Daniel Houghton, 25, was caught in a sting operation after allegedly approaching a foreign intelligence agency offering to sell them information he had collected while working for the Secret Intelligence Service, known as MI6.

The files, which belonged to the domestic security service MI5, allegedly related to the capabilities of the security and intelligence services and the techniques they have developed to gather intelligence, sources said, and were labeled "top secret" and "secret."

Houghton, who worked for MI6 between September 2007 and May 2009, allegedly telephoned the foreign intelligence service three months after leaving MI6 to try and arrange a deal.

But undercover MI5 officers, known as "spy catchers", met him in February to view the material on his laptop and allegedly negotiated a price of £900,000, while recording the meeting with hidden listening devices.

Houghton allegedly told them he had downloaded the information onto a number of CDs and DVD disks which he then copied onto a secure digital memory card of the type used in cameras.

He also allegedly told the undercover MI5 officers that he had copied material onto a second memory card which he had hidden at his mother's home in Devon.

They arranged to meet him again at a central London hotel where he allegedly showed them the material on a laptop and then handed over two memory cards and a computer hard drive.

Sources said he was allowed to leave the hotel room with £900,000 in a suitcase before he was arrested as he waited for a hotel lift by plain clothes officers from the Metropolitan Police Counter Terrorism Command.

[...]

Presumably this smuggling out and storage of the sensitive secret electronic files on to USB SD card camera memory went undetected, until his inept, amateur attempt to sell the information.

About this blog

We know that there are decent, honest, trustworthy individual politicians, civil servants, law enforcement, intelligence agency personnel and broadcast, print and internet journalists etc., who often feel powerless or trapped in the system. They need the assistance of external, detailed, informed, public scrutiny to help them to resist deliberate or unthinking policies, which erode our freedoms and liberties.

Some of these people will, in the public interest, act as whistleblowers, and may try to leak documents or information to the mainstream media, or to political blog websites etc.

Here are some Spy Blog "Hints and Tips", giving some basic precautions, and some more obscure technical tips, which whistleblowers, journalists and bloggers all need to be aware of, in order to help preserve the anonymity of whistleblowing or other journalistic sources, especially in the United Kingdom, but applicable in other countries as well.

Whistleblower anonymity may not always be possible, or even necessary, forever into the future, but it is usually crucial during at least the early stages of a "leak", whilst it is being evaluated by others, to see if it merits wider publication and publicity.

Email & PGP Contact

Please feel free to email your views about this blog, or news about the issues it tries to comment on.

blog@spy[dot]org[dot]uk

Our PGP public encryption key is available for those correspondents who wish to send us news or information in confidence, and also for those of you who value your privacy, even if you have got nothing to hide.

Current PGP Key ID: 0xA165A29480CFAA4C which will expire on 6th September 2014

You can download a free copy of the PGP encryption software from www.pgpi.org
(available for most of the common computer operating systems, and also in various Open Source versions like GPG).

We look forward to the day when UK Government Legislation, Press Releases and Emails etc. are Digitally Signed so that we can be assured that they are not fakes. Trusting that the digitally signed content makes any sense, is another matter entirely.

Tor Hidden Service

In order to make censorship a little more difficult, a copy of this Hints and Tips for Whistleblowers guide is also being published as a Tor Hidden Service.

You will need to have installed the Tor software and established a working Tor connection, and then you will be able to access this copy via end to end encryption and a high degree of anonymity through the Tor cloud:

http://r3lb3r3an7uj7bos.onion/

If you do not have Tor installed, you can still access this Hidden Service via the tor2web.org proxy: https://r3lb3r3an7uj7bos.tor2web.org/ still with encryption, but without as much anonymity.
