Privacy & Security Resources and Web Sites

• Privacy Issues: Identity Theft, Spam, Junk mail, Online privacy
• Security Issues, Firewalls
• Carnivore: FBI's Internet Surveillance System
• Magic Lantern: FBI's Encryption Key logging Virus
• Cryptography, Encryption

Privacy Issues

Identity Theft Information by the Federal Trade Commission

The U.S. government's central website for information about identity theft.

"How can someone steal your identity? By co-opting your name, Social Security number, credit card number, or some other piece of your personal information for their own use. In short, identity theft occurs when someone appropriates your personal information without your knowledge to commit fraud or theft." http://www.consumer.gov/idtheft/

Identity Theft Resources by Privacy Rights Clearinghouse

http://www.privacyrights.org/identity.htm

The Anti-Spam Home Page:

Tired of wading through all that junk mail? Learn how to stop the spammers -- here are instructions to automatically filter your e-mail, defend your site from exploitation by the spammers, and get involved! http://www.arachnoid.com/lutusp/antispam.html

Anonymity and Privacy on the Internet:

On this site you will find information on how to be anonymous, and how to secure your communications and files from third parties, as well as several other important security aspects that may arise when you are on the Internet. http://www.stack.nl/~galactus/remailers/

Freedom.net:

Online privacy should be everyone's business. http://www.freedom.net/info/why.html

Center For Media & Democracy:

Authors of "Toxic Sludge Is Good For You: Lies, Damn Lies and the Public Relations Industry."
"The Center for Media & Democracy is a nonprofit, public interest organization dedicated to investigative reporting on the public relations industry. The Center serves citizens, journalists and researchers seeking to recognize and combat manipulative and misleading PR practices.

Whether the issue is health, consumer safety, environmental preservation or democracy and world peace, citizens today find themselves confronted by a bewildering array of paid propagandists paid to convince the public that junk food is nutritious, pollution is harmless, and that what's good for big business and big government is good for the rest of us." http://www.prwatch.org/

Digital Freedom Network:

A human rights coalition posting banned material on the Internet, along with updates on the plight of the authors and journalists fighting oppression worldwide. http://www.idt.net/dfn/

Getting rid of unwanted mail

Methods to get your name and address removed from mass mailing lists.

Privacy International:

Formed in 1990 as a watchdog on surveillance by governments and corporations. With members in more than 40 countries, it has created an international movement that has helped to counter abuses of privacy by way of information technology. (202-544-9240): http://www.privacy.org/pi

Electronic Frontier Foundation:

A non-profit civil liberties organization working in the public interest to protect privacy, free expression, and access to public resources and information online, as well as to promote responsibility in new media. http://www.eff.org/

The Spy Store

Surveillance and security merchandise. http://www.spy-stores.com/

Cyber-Knights Templar

Crusaders for an Internet free of government regulation.

"The Cyber-Knights Templar is a group participating in the RC5-64 challenge, through distributed.net. The goal of the project is to show the relative weakness of the U.S. government's DES (digital encryption standard) which currently sits at 56-bits." http://members.tripod.com/cyberkt

The Privacy Pages

A good all-purpose source of information on privacy issues. http://www.2020tech.com/maildrop/privacy.html

Slam That Spam! by Paula Lovejoy at ZDNet

"Spam" originally referred to nonsense or commercial messages that were mass-posted on Usenet to thousands of users at a time. Today, the definition has expanded to include all unsolicited commercial or junk e-messages delivered electronically.

Fortunately, an arsenal of software, tricks, and tools are available to zap spam before it ever gets to your mailbox. Our Protect Yourself section introduces you to the first line of defense, filtering software. Quick and Easy Tricks tells how to stay off junk e-mail lists, how to reply to spam messages, and more. http://www.zdnet.com/zdhelp/howto_help/spam/spam1.html

Junkbusters:

Learn self-defense against privacy-invading marketing. http://www.junkbusters.com/

Yahoo's junk e-mail page

http://www.yahoo.com/Computers_and_Internet/Communications_and_Networking/Electronic_Mail/Junk_Email/

Allwhois.com

This search will find the "whois" database for the particular domain name. http://www.allwhois.com/

OptOut: WHO YOU ARE should not be THEIR BUSINESS

"The Internet community was recently rocked by rumors and reports that a popular system for creating advertiser-supported software was, in fact, functioning as an Internet "Trojan horse". (Here's CNET's 02/28 summary story.) The rumors stated that the unwitting user's computer was being "inventoried", the system registry was being scanned, and all manner of personal, private, and confidential information was being sent out across the Internet for collection by Aureate Media Corporation (pronounced: or'-ee-ate)." http://grc.com/optout.htm

Marketing List Opt Out

Every day your mailbox contains another interesting offer of credit or merchandise, such as catalogs, vacations, or credit cards. Shopping by mail gives you numerous choices and opportunities. However, while millions of Americans welcome these choices, others prefer not to receive such mailings.

Opt-Out Contact Information TransUnion wants to help direct marketers give American consumers the choices they want. This choice includes the right to say, "No, thank you" to these direct mail offers. If you want your name and address removed from all mailing lists offered by the main consumer credit reporting agencies — TransUnion, Experian, Equifax, and Innovis — call 888-5OPTOUT (888-567-8688), or write to the following address: http://www.transunion.com/personal/marketingoptout.asp

TransUnion LLC's Name Removal Option
P.O. Box 97328
Jackson, MS 39288-7328

Include the following information with your request:

First, middle, and last names (including Jr., Sr., III)
Current address
Previous address (if you've moved in the last six months)
Social Security number
Date of birth
Signature

Contacting the Direct Marketing Association If you opt out, you will no longer appear on direct marketing lists offered by these four credit reporting agencies. However, you may continue to receive commercial mailings based on lists from other sources.

The Direct Marketing Association (DMA) can provide information about opting out of lists produced by companies that subscribe to their Mail and Telephone Preference Services. Contact the DMA at the following addresses:

Direct Marketing Association
Mail Preference Service
P.O. Box 9008
Farmingdale, NY 11735

Direct Marketing Association
Telephone Preference Service
P.O. Box 9014
Farmingdale, NY 11735-9014

Include the following information with your request:

First, middle, and last names (including Jr., Sr., III)
Current address
Home area code and telephone number (only for Telephone Preference Service)

Security, Firewalls, etc.

Shield Up! by Gibson Research Corp.

"Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer's data to the entire world at this very moment!"
Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet. http://www.grc.com/

Remote Security Tester

Check if your common TCP ports are open. http://www.mycgiserver.com/servlet/kalish.Security

FireHole

How to bypass your personal firewall outbound detection
or
Game Over: An exercise in futility

"I want to reiterate what I said right at the start of this article. This, and all similar techniques rely on a rogue program getting onto your system and executing. If you can stop this then you are safe. If you can't stop it then it is game over - the rogue program has your computer completely under it's control. So keep your antivirus program up-to-date, keep your email client locked down with correct security zone settings, never open attachments that can contain executable content and maybe restrict the ports that your web browser and other commonly used applications can talk on." http://keir.net/firehole.html

HackerWhacker

Security Scan your computer. Covers more test than Shields Up. Links to Security news on the Net. http://hackerwhacker.com/

Microsoft Security Advisor

Provides a list of security-related issues with Microsoft's products.
Also check out, Microsoft Office Security and Microsoft TechNet Security. http://www.microsoft.com/security/default.asp

SANS Institute

The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face.
How To Eliminate The Ten Most Critical Internet Security Threats http://www.sans.org/

CERT Coordination Center

The CERT Coordination Center is part of the Survivable Systems Initiative at the Software Engineering Institute at Carnegie Mellon University. We were started by DARPA (the Defense Applied Research Projects Agency, part of the U.S. Department of Defense) in December 1988 after the Morris Worm incident crippled approximately 10% of all computers connected to the Internet. The original press release is on our web site, along with several other announcements about us. http://www.cert.org/

AntiOnline

Daily Security News Links
FIGHT-BACK! - Learn About Security
Security Analysis Of Your Computer http://www.antionline.com/

Technotronic.com

Security Related Categories: Novell Netware 3.x/4.x/5.x, Microsoft Windows 95/98/NT/IIS, Unix Variants, Denial of Service Attacks, Privacy, Encryption, Firewalls, RFCs, Tutorials, Whitepapers, Technical Support, TCP/UDP Port Information, Search Technotronic Website. http://www.technotronic.com/

Secure-Me by DSLReports.com

Check the security of your DSL connection. http://www.dslreports.com/r3/dsl/secureme

Internet Firewalls: Frequently Asked Questions

http://www.interhack.net/pubs/fwfaq/

ZoneAlarm

Control which local applications can access the Internet. v2.0 adds blocking.
"Combining the safety of a dynamic firewall with total control over applications' Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals. ZoneAlarm makes ironclad Internet security easy-to-use."

ZoneAlarm is free for individual use.

"It is my FIRM belief that ZoneAlarm 2.0 has the potential to become the PERFECT FIREWALL for the typical security conscious Internet user." Steve Gibson
http://www.zonelabs.com/

BlackICE Defender Personal Firewall

"BlackICE silently monitors communications between your computer and the network. When suspicious activity occurs, BlackICE immediately springs into action defending your computer, your data, and your business." http://www.networkice.com/Products/BlackICE/

ClearICE Reporting Utility for BlackICE Defender:

If you are using BlackICE Defender from Network ICE to protect your system from intrusion you can now download a free reporting utility to assist you in analyzing the data that BlackICE produces. http://www.y2kbrady.com/clearicefaq.htm

DoShelp.com's Network Security & Intrusion Reporting Center

Protection Tools, Unix/Linux Security, Firewall Reviews, Info Warfare, Security Sites, OS Patchfiles, Intrusion Tests, Ports to Block, Network Exploits, Report Attacks, Download Files, Attacks from: AOL, NewsLetter, IRC Help Tips, ICQ Security, Search Engines, I'm Infected? Denial of Service.

Multi-user, multi-tasking operating systems are subject to ``denial of service'' attacks where one user can render the system unusable for legitimate users by ``hogging'' a resource or damaging or destroying resources so that they cannot be used. Denial of service attacks may be caused deliberately or accidentally. Taking precautions to prevent a system against unintentional denial of service attacks will help to prevent intentional denial of service attacks. http://www.doshelp.com

FAQ: Network Intrusion Detection Systems

http://www.robertgraham.com/pubs/network-intrusion-detection.html

Eliminate "Web Bugs" by WinMag.com

"A Web bug can be planted on your PC quite easily. First, the bug planter sends out an e-mail message to you in HTML format. In most popular e-mail readers, the message appears very much the way it would in your browser, complete with graphic images that are retrieved from a Web site over the Internet. So, the process starts when you open the spam message. As the HTML e-mail renders, it sends a request to the bug planter's Web site for a graphic. However, that request also contains the e-mail address where the message was sent--your e-mail address. In return, the Web site sends back a cookie that is stored on your PC."
Also check out the Web Bug FAQ by Richard M. Smith. http://www.winmag.com/fixes/webbugs.htm

L0pht Heavy Industries

"The L0pht spends considerable time researching and documenting security flaws that exist in the internet infrastructure. These flaws may be in operating systems, networking protocols, or application software. So that system administrators, users, and software and hardware vendors may benefit from our knowledge, we share some of it with you."
Makers of L0pht Crack for Windows 95/NT. http://www.l0pht.com/

NTBugtraq

NTBugtraq is a mailing list for the discussion of security exploits and security bugs in Windows NT and its related applications. http://www.NTBugtraq.com/

The Four Myths of Online Security

Make sure your PC is really secure from 'Net-based hacker attacks -- without spending a dime. This article also debunks the following myths:

Myth #1: "I'm not on a network, so my PC is safe."
Myth #2: "I just use Dial-Up connections, so my PC is safe."
Myth #3: "I use an anti-virus app, so my PC is safe."
Myth #4: "I use a firewall, so my PC is safe."

http://www.winmag.com/columns/explorer/2000/04.htm

Protecting Your Privacy & Security On a Home PC

This site contains links to numerous pages on the Web where home users can find software and information relevant to Windows PC privacy and security. It also contains a rudimentary "checklist" of basic steps that home users can take to enhance their privacy and security while using the Internet. http://www.staff.uiuc.edu/~ehowes/main.htm

Carnivore (a.k.a. DCS 1000): Internet Surveillance System

FBI Programs and Initiatives - Carnivore Diagnostic Tool

"The Carnivore device provides the FBI with a 'surgical' ability to intercept and collect the communications which are the subject of the lawful order while ignoring those communications which they are not authorized to intercept. The Carnivore device works much like commercial "sniffers" and other network diagnostic tools used by ISPs every day, except that it provides the FBI with a unique ability to distinguish between communications which may be lawfully intercepted and those which may not. For example, if a court order provides for the lawful interception of one type of communication (e.g., e-mail), but excludes all other communications (e.g., online shopping) the Carnivore tool can be configured to intercept only those e-mails being transmitted either to or from the named subject. Carnivore serves to limit the messages viewable by human eyes to those which are strictly included within the court order. ISP knowledge and assistance, as directed by court order, is required to install the device." http://www.fbi.gov/programs/carnivore/carnivore.htm

Computerworld's Focus on Carnivore page

http://www.computerworld.com/resources/carnivore/

Altivore

In an attempt to give service providers a way to comply with court orders without installing Carnivore, Network Ice Inc. is developing Altivore.c, an Internet-sniffing program complete with inspectable source code. http://www.networkice.com/altivore/

NANOG 20 - Carnivore Update (Marcus Thomas, FBI)

The Carnivore update presented by the FBI's Marcus Thomas at the 20th NANOG meeting held in Washington DC October 22-24, 2000 in Washington DC, is arguably the most complete and detailed briefing yet on the functionality, use and legal implications of Carnivore. This talk was meant for a technical audience, and the dicussion and questions from the audience are very enlightening. Major thanks should go to the folks from Merit/NANOG for managing to schedule this talk, to Marcus Thomas and the FBI for their candor, and the NANOG crowd for asking the important questions.
More NANOG info can be found on the web at http://www.nanog.org, including past meetings, slides for talks, and archived real-player streams. http://videolab.uoregon.edu/nanog/carnivore/

The video is available from this site:
   (Runtime is 54 minutes, Bitrate is 1000Kb/s, Filesize total is 382MB)
ftp://limestone.uoregon.edu/pub/videolab/video/nanog_20/nanog-20-carnivore-update.mpg

A mirror, provided by sol.net a Milwaukee based service provider is at:
ftp://snarchive.sol.net/pub/nanog/carnivore/nanog-20-carnivore-update.mpg

A mirror provided by oven digital to the nanog list is at:
http://people.oven.com/asr/carnivore.mpg

Does Carnivore go too far?

Read the opening statements from our debaters, then jump in with your comments and questions.
Yes, it goes too far - James Dempsey, Center for Democracy and Technology.
No, it doesn't - John Collingwood, FBI. http://www.nwfusion.com/cgi-bin/WebX.cgi?230@@.ee6f90e

Magic Lantern Keystroke Logger

Details are sketchy, but Magic Lantern reportedly works by masquerading as an innocent e-mail attachment that will insert FBI spyware inside your computer.

'Lantern' Backdoor Flap Rages

Network Associates has been snared in a web of accusations over whether it will place backdoors for the U.S. government in its security software. http://www.wired.com/news/conflict/0,2100,48648,00.html

FBI software cracks encryption wall

The FBI is developing software capable of inserting a computer virus onto a suspect�s machine and obtaining encryption keys, a source familiar with the project told MSNBC.com. The software, known as �Magic Lantern,� enables agents to read data that had been scrambled, a tactic often employed by criminals to hide information and evade law enforcement. The best snooping technology that the FBI currently uses, the controversial software called Carnivore, has been useless against suspects clever enough to encrypt their files.

MAGIC LANTERN installs so-called "keylogging" software on a suspect�s machine that is capable of capturing keystrokes typed on a computer. By tracking exactly what a suspect types, critical encryption key information can be gathered, and then transmitted back to the FBI, according to the source, who requested anonymity.

The virus can be sent to the suspect via e-mail, -- perhaps sent for the FBI by a trusted friend or relative. The FBI can also use common vulnerabilities to break into a suspect�s computer and insert Magic Lantern, the source said.

Magic Lantern is one of a series of enhancements currently being developed for the FBI�s Carnivore project, the source said, under the umbrella project name of Cyber Knight. http://www.msnbc.com/news/660096.asp?0na=x21017M32&cp1;=1

McAfee Will Ignore FBI Spyware (SlashDot.org)

"The Washington Post is reporting on the FBI's new spyware called 'Magic Lantern.' According to their article, 'At least one antivirus software company, McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect.' It is ridiculous that the software companies that are supposed to help us protect computers purposefully leave in loopholes for the FBI to operate their spyware."

FBI Develops Eavesdropping Tools

The FBI is going to new lengths to be sure it can eavesdrop on high-tech communications, secretly building "Magic Lantern" software to monitor computer use.

Separately, the agency is urging phone companies to change their networks for more reliable wiretaps in the digital age.

At a conference Nov. 6 in Tucson, Ariz. � and in a 32-page follow-up letter sent about two weeks ago � the FBI told leading telecommunications officials that increasing use of Internet-style data technology to transmit voice calls is frustrating FBI wiretap efforts.

The FBI told companies that it will need access to voice calls sent over data networks within a few hours in some emergency situations, and that any interference caused by a wiretap should be imperceptible to avoid tipping off a person that his calls might be monitored.

The Magic Lantern technology, part of a broad FBI project called "Cyber Knight," would allow investigators to secretly install over the Internet powerful eavesdropping software that records every keystroke on a person's computer, according to people familiar with the effort.

The software is somewhat similar to so-called trojan software already used illegally by some hackers and corporate spies. The FBI envisions one day using Magic Lantern to record the secret unlocking key a person might use to scramble messages or computer files with encryption software. http://www.washingtonpost.com/wp-dyn/articles/A1436-2001Nov22.html

Cryptography / Encryption

PGP: Pretty Good Privacy:

PGP is a high-security cryptographic software application that allows people to exchange messages with both privacy and authentication.

" Pretty Good Privacy, Inc. has historically designed encryption software programs for individuals based on the principle that email, like conversations, should be private. But, as pointed out by the media on a daily basis, intercepting email is far from difficult, given the right software and ingenuity. The text of an email can be "stolen," as well as the valuable confidential documents attached to an email. As more and more individuals use the Internet for communication, more and more personal information is at risk. Plus, the theft of data from laptops and desktop computers has been rising at a dramatic rate." http://web.mit.edu/network/pgp.html

Pretty Good Privacy, Inc. Home Page:

PGP is a high-security cryptographic software application that allows people to exchange messages with both privacy and authentication.
PGP News, Public Key Directory Server, Private Conversations, a monthly audio magazine covering privacy issues in the electronic age, Privacy Discussion Center. http://www.pgp.com/

The International PGP Home Page

The purpose of the International PGP Home Page is to promote the use of PGP worldwide, and to be a resource pool for information on PGP. http://www.pgpi.com/

comp.security.pgp FAQ

This is the list of Frequently Asked Questions for the Pretty Good Privacy (PGP) encryption program written by Phillip Zimmermann. It is posted to all comp.security.pgp newsgroups once a month, and is also available on the World-Wide Web. http://www.pgp.net/pgpnet/pgp-faq/

Newsgroup: alt.security.pgp

news:alt.security.pgp

HushMail.com

"HushMail is the world's premier secure Web-based email system. We offer ease of use and total end-to-end security. Thanks to a unique key pair management system, HushMail eliminates the risk of leaving unencrypted files on Web servers. HushMail messages, and their attachments, are encrypted using OpenPGP standard algorithms. These algorithms, combined with HushMail's unique OpenPGP key management system, offer users unrivalled levels of security." https://www.hushmail.com/

---

Anonymity and privacy on the Internet

On this site you will find information on how to be anonymous, and how to secure your communications and files from third parties, as well as several other important security aspects that may arise when you are on the Internet. http://www.stack.nl/~galactus/remailers/

Popular Cryptography

Interesting information on Cryptography, including, Practical Attacks on PGP, The Complete, Unofficial TEMPEST Information Page, Something Wicked this Web Comes - Web hacking revealed, and Privacy sources. http://www.eskimo.com/~joelm/popcrypt.html

International Computer Security Association

Find out which programs are certified by the ICSA. http://www.ncsa.com/

Cryptography: The Study of Encryption

There are two kinds of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems use the same key (the secret key) to encrypt and decrypt a message, while asymmetric cryptosystems use one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. Assymetric cryptosystems are also called public key cryptosystems. http://world.std.com/~franl/crypto/

Philip Zimmermann

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. Zimmermann currently serves as Chief Cryptographer at Hush Communications, and is also consulting with a number of companies and industry organizations on matters cryptographic. http://www.philzimmermann.com/

OpenPGP Alliance

OpenPGP is the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) standard RFC 2440. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.

The OpenPGP Alliance is a growing group of companies and other organizations that are implementers of the OpenPGP standard. The Alliance works to facilitate technical interoperability and marketing synergy between OpenPGP implementations. http://www.openpgp.org/

GNU Privacy Guard

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.

PGP, on which OpenPGP is based, was originally developed by Philip Zimmermann; see his page for background information on PGP. http://www.gnupg.org/