Ask a REAL data security expert, copy how NSA does it, or give up, go home


posted on Sep, 15 2016 @ 08:57 AM
I was really impressed with my first thread shooting to main page within days, I was like WTF? in a good way

I decided to open up and give you guys some hardcore information that maybe some of you are well versed in

I am a security expert both software and hardware dealing with data security LONG BEFORE Snowden became household name and I always ask my clients

Who do you want to protect yourself from.

Ordinary hackers/criminals ?

Government hackers/criminals ?

Protecting against ordinary civilian hackers is super easy, tighten up the hardware (usually at router level) and teach users how to follow access and encryption protocols.

Human/user mistakes happen, but that is not my problem, that is company/client problem and the staff being lazy

Protecting against government foreign or domestic ????

You better be rich my friend. You better have the moolah for this one.

First, kiss goodbye to latest and greatest windows by Microsoft, I'll have you running win XP or win 7 and ONLY in limited capacity, even limited RAM capacity for complicated reasons

Forget smart phones, I don't care what you got, smart phone can not even enter a premise, too complicated to go into. Smart phone software is not under your control, period.

I'll have you running ONLINE PCs and OFFLINE PCs

They can not be connected, air gap jumps removed by removing or destroying receivers on OFFLINE PCs

Yup, ever heard of a guy destroying an antenna by hand on an integrated circuit board, you have now


Most software can't even report properly on the "changes" made lol

Next comes the money spender, TEMPEST protection, cheapest is various mesh faraday tent. And the cost goes sky high if you want large room or rooms protected without tents.

That means I gotta redecorate your walls and windows, we can make it look pretty but it is additional cost. (and time), don't forget pesky things like power supply.

What's that, you think we are done ?

Oh no we are not done.

In the end I explain to my clients, everything we have done will be for nothing if you don't have trustworthy human guards guarding outside the building/house.

I have watched for 15 years government spy agents simply walk into a secure area when owner is sleeping or on a Euro/Asia trip.

They open the locks, walk in, they copy your data, they bug your premise. They walk out and lock the door behind them.

I never glorified government spies, they are not heroes, they are high tech criminals who just robbed your company of R&D, you spent time and money on research - they got it for free.

Cameras ???

You think you can rely on Cameras ?

Not only do government agents erase and damage cameras if they have to, but even when you have a video of couple of civilian looking guys enter and exit your place, what good is that to you. Local Cops will just laugh behind your back.

Your data is gone, your premise no longer secure.

You spent 20- 800 k on protecting your data from the government but you were too cheap to find good human guard(s).

Does NSA have guards guarding ?

Does CIA, FBI ? Pentagon ?

But what, you thought human guards are soooo 60s.

If something is truly of "lunar" or "cosmic" secret, you can do it Russian style, non electronic typewriter and a completely loyal secretary. Simple and effective. Old school.

You still need guards though.

Share this thread with anyone interested in security because I swear to you, it is the truth.

I wrote this because most people don't have real knowledge on data security and government likes to keep people/companies ignorant and "accessible"



posted on Sep, 15 2016 @ 08:59 AM
We are a 4 men team
We are based in BC Canada but can travel world wide
Pm me if you wanna talk

I'll be back in few days or a week to answer if anyone got questions in this thread

Peace out



posted on Sep, 15 2016 @ 09:08 AM
a reply to: DannyBoy555

You are going to be a great resource on ATS.

I always knew "Smart" anything (particularly phones, since people are basically attached at the hip to them) were a no-no if you are trying to protect your privacy.

You were articulate in explaining how you go about determining what steps you take in assessing someone's data security needs.

Sending you a U2U..



posted on Sep, 15 2016 @ 09:10 AM
a reply to: DannyBoy555

That's pretty cool, and extensive. Thanks for the bit of info there.

I figured a lot went into this sort of thing but of course I never imagined just how much goes into it!

-Alee



posted on Sep, 15 2016 @ 09:30 AM
a reply to: DannyBoy555


Since most of us are fairly average across the board in computer equipment and not business clients such as is your custom, can you lower your sights to tell us what we can do besides taping the camera, etc.



posted on Sep, 15 2016 @ 09:35 AM
a reply to: DannyBoy555

It's easy to turn a room into a Faraday cage and then soundproof. I did it in my recording studio. I had 3 quotes from contractors ranging from 18k to about 40k. I did it myself for less than a thousand dollars. My secure servers and my recording systems were in Faraday cage racks in the control room, I used threaded air transfer systems that I designed with a number of millimetre mesh grounded air filters, again, very low cost. For Internet access, I set up TCP wrappers on the front end plus a router using custom firmware for my first triplet. That was followed by two other routers with custom firmware running different triplets. There was no wireless anything. To measure my emf amplitude, which was 0 above background once finished, I used my Narda field strength analyzers.

A little common sense and critical thinking goes a long way. It probably helps that I locked down the 347 Apache servers and 117 client machines for the second largest porn portal in the late 90's and worked for a number of years as chief of R&D and project management for the military in special weapons programs overseas ;-) Physical and electronic security methodologies are free and all over the Internet, some are real, others assist in opening systems to attack.

You are correct on physical intrusions, your data is only as safe as your physical security. I had two well known security companies install and monitor parallel systems in my location. They were both compromised, but they got nothing because all my data travels with me. You are correct on Windows 8 or 10, run from it, it is incredibly compromised by Microsoft and easily opened by malicious entities, both private and public sector. Cell phones are just a joke, but you can turn a smartphone into better than a burner, an explanation of which would be considered outside the toc.

Cheers - Dave



posted on Sep, 15 2016 @ 09:39 AM
I actually heard a story from a coworker this week about one of her military contractor engineer friends. He was doing a job with Lockheed and went to a terminal to fix a piece of manufacturing equipment and basically set the whole place off. Apparently he was pretty impressed at the security in place.

Back to the topic. Great thread it's good to have a picture from the inside.



posted on Sep, 15 2016 @ 10:17 AM
This is interesting "inside baseball" information.

I'd be curious what kinds of clients would ask for these various levels of security and why.

I don't expect names but maybe just a "for example ..." in each category.



posted on Sep, 15 2016 @ 10:35 AM
a reply to: LanceCorvette

All sorts, if you have something you want to keep away from prying eyes, can be down to the special formula for your restaurant's meals. For that sort of level a safe/alarm and some sort of cctv system probably will be enough to keep the others in your town from stealing it...no real need for tech as while it is worth something but not hiring a team of professionals to get it.

When I worked for a local UK council we did some testing and the test came back we were up to the government's standards for data security and everyone looked at me when I laughed as they'd not made any effort to provide for anything beyond the actual IT equipment which would have had councillors' emails to each other and other stuff some probably restricted.

We had a few simple problems, while we were 2 mins from the local cop shop they'd pretty much closed it down outside of office hours, too many people had access to outside the room and too many also had the alarm codes and being near a large loading bay if someone could get in they could just drag all the kit out and then spend their time working out how to get the passwords and then when I mentioned possible kidnapping of kids/family to ensure co-operation with alarm codes/passwords they started to make other arrangements to beef it up.



posted on Sep, 15 2016 @ 10:56 AM

originally posted by: DannyBoy555

First, kiss goodbye to latest and greatest windows by Microsoft, I'll have you running win XP or win 7 and ONLY in limited capacity, even limited RAM capacity for complicated reasons


Why would you run windows in the first place? Windows is never secure. Saying you would recommend windows XP is also very suspect as any 0day found on XP will not be fixed as XP has been EOL'd



Forget smart phones, I don't care what you got, smart phone can not even enter a premise, too complicated to go into. Smart phone software is not under your control, period.


somewhat agree. You can do many things with your phone.

- Remove battery and sim
- pocket faraday
- leave it wherever
- get a sidekick



I'll have you running ONLINE PCs and OFFLINE PCs

They can not be connected, air gap jumps removed by removing or destroying receivers on OFFLINE PCs

Yup, ever heard of a guy destroying an antenna by hand on an integrated circuit board, you have now



I hope you're running white noise as well, as I can listen to your keyboard clicks and see what you are typing.

citation



Most software can't even report properly on the "changes" made lol

Next comes the money spender, TEMPEST protection, cheapest is various mesh faraday tent. And the cost goes sky high if you want large room or rooms protected without tents.

That means I gotta redecorate your walls and windows, we can make it look pretty but it is additional cost. (and time), don't forget pesky things like power supply.



my sides just split from laughing




What's that, you think we are done ?

Oh no we are not done.

In the end I explain to my clients, everything we have done will be for nothing if you don't have trustworthy human guards guarding outside the building/house.

I have watched for 15 years government spy agents simply walk into a secure area when owner is sleeping or on a Euro/Asia trip.

They open the locks, walk in, they copy your data, they bug your premise. They walk out and lock the door behind them.

I never glorified government spies, they are not heroes, they are high tech criminals who just robbed your company of R&D, you spent time and money on research - they got it for free.


Anyone can do this. This is why physsec is important. I can pick most door locks within 30 seconds.

Magnetic locks can be popped with a whiskey
or perhaps a vape cloud.
back side of door




Cameras ???

You think you can rely on Cameras ?

Not only do government agents erase and damage cameras if they have to, but even when you have a video of couple of civilian looking guys enter and exit your place, what good is that to you. Local Cops will just laugh behind your back.


This is assuming they find all of your cameras.




Your data is gone, your premise no longer secure.

You spent 20- 800 k on protecting your data from the government but you were too cheap to find good human guard(s).

Does NSA have guards guarding ?

Does CIA, FBI ? Pentagon ?

But what, you thought human guards are soooo 60s.

If something is truly of "lunar" or "cosmic" secret, you can do it Russian style, non electronic typewriter and a completely loyal secretary. Simple and effective. Old school.

You still need guards though.

Share this thread with anyone interested in security because I swear to you, it is the truth.

I wrote this because most people don't have real knowledge on data security and government likes to keep people/companies ignorant and "accessible"



This post is FUD



posted on Sep, 15 2016 @ 11:01 AM

originally posted by: DannyBoy555


First, kiss goodbye to latest and greatest windows by Microsoft, I'll have you running win XP or win 7 and ONLY in limited capacity, even limited RAM capacity for complicated reasons



Locked down Windows XP or 7 ??? Really???

Wow....I would have thought a locked down version of an EOL MS OS would still be less secure than....well any of the currently supported secure Linux builds?

ETA : Vizzle Beat me to the call out....dubious "expert" advice on numerous counts
Who is target audience???/OP's clients??? his Nan??
edit on 15-9-2016 by Jukiodone because: (no reason given)



posted on Sep, 15 2016 @ 11:23 AM
a reply to: DannyBoy555

I stopped reading when you suggested running deprecated versions of Winblows.

Get some Linux in your life. Gentoo Hardened is a good choice, but well above the understanding of the average Microsuck user. There are easier to learn alternatives such as Hardened Ubuntu, which is the Ubuntu answer to Gentoo's security hardened OS.

Encryption is everyone's friend. Learn to use GPG/PGP to protect private communications. Learn about Signal SMS encryption for text messages, and Signal mobile call encryption. These are all free solutions. Remember! Encryption only works if both parties are using it. There is no such thing as open ended encryption!

A quick Google search about learning to use Linux should get interested people pointed in the right direction. Oh, did I mention that Linux is free? The open source development community is pretty awesome. We value sharing information and technology freely to benefit everyone. Proprietary software, like Microsuck, is updated less frequently, and operates behind closed doors! The opensource community is, well, OPEN. You can look at the source code of all software distributed under the Gnu GPL, MIT, open source, and Common Development licenses.




posted on Sep, 15 2016 @ 11:33 AM
I will have to agree with others, Windows XP has fatal flaws if your machine is behind a router/firewall you might survive but a Windows XP hooked directly to the internet as in DMZ or port forwarded it's screwed no matter what you do.

One major thing I find interesting and kinda weird the OP did not mention is hardware backdoors. In today's world even your mouse and keyboard report back to the company who made them. Now that doesn't mean NSA is gathering your data through your mouse and keyboard it just means the hardware itself has firmware to make call requests back to the original manufacturer to send back logistics and diagnostics.

Now imagine an entire motherboard, the components in your motherboard your NIC (Ethernet Port) your Wireless, your processor, harddrives etc. Let's not even talk about Routers your ISP and software and OS's. In today's world the attack vectors are WIDE OPEN, no one is anonymous on this here net.

I would also suggest taking a look at creating your own linux distro and changing binaries, this could theoretically stop hardware from spying but then you will have no internet, and usb ports and other connections won't work since you have rewritten the protocols.

Very cool thread tho btw, I'm excited to see what others think and the info they may share.
edit on 15-9-2016 by Algorithm because: spelling

edit on 15-9-2016 by Algorithm because: (no reason given)



posted on Sep, 15 2016 @ 11:34 AM
I don't have high security needs like this, but my setup for a renderfarm means running an internal network of offline windows 10 rigs and remotely tapping in via a VPN. The VPN is running a linux distro, and can be accessed via SSH only with a key, and with OpenVPN only via TLS cert. All unused ports are locked down, and I called it a day. It's simple enough, and I've had no intrusions. I do have security cameras installed that can be viewed remotely after tapping into the VPN. I also get (outbound only, of course) email on certain events that happen to the system, like a power outage, or motion sensor breaching a threshold. Nothing over the top, just some basic measures.

Personally I think high security is a waste, you're delusional if you think you can keep everyone out 100% of the time. If not the system, the human... we all wind up with vulnerabilities.
edit on 15-9-2016 by pl3bscheese because: (no reason given)
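
The post above describes a VPN host reachable over SSH only with a key. As an added example (not part of the original post and not pl3bscheese's configuration), this Python check reads sshd_config text and reports whether key-only access actually holds, covering two ways a file can look hardened without being so: sshd uses the first value it reads for a keyword, and a Match block can re-enable passwords. The sample configs are constructed, and Include files are assumed to be audited separately.

```python
# Added example: check sshd_config text for key-only SSH access.
# Defaults are OpenSSH's compiled-in defaults; sample configs are constructed.
# Assumption: "Include" files are not followed; audit them separately.

# keyword -> (value wanted for key-only access, value sshd uses if absent)
REQUIRED = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "permitemptypasswords": ("no", "no"),
}
# Deprecated spelling that sshd still accepts.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global settings, list of (match, keyword, value) overrides)."""
    global_opts, overrides, match = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            match = " ".join(parts[1:])
        elif match is None:
            global_opts.setdefault(key, value)   # first value read wins
        elif key in REQUIRED:
            overrides.append((match, key, value))
    return global_opts, overrides

def audit(text):
    """Return findings; an empty list means key-only access holds."""
    global_opts, overrides = parse(text)
    findings = []
    for key, (wanted, default) in REQUIRED.items():
        actual = global_opts.get(key, default)
        if actual != wanted:
            source = "set" if key in global_opts else "default"
            findings.append(f"global {key}={actual} ({source}), want {wanted}")
    for match, key, value in overrides:
        if value != REQUIRED[key][0]:
            findings.append(f"Match {match}: {key}={value}, want {REQUIRED[key][0]}")
    return findings

# Constructed sample: the later "no" is ignored, and a Match block undoes it anyway.
WEAK = """
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
# Constructed sample: key-only access.
HARDENED = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "key-only access holds")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here is for reviewing a file offline.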



posted on Sep, 15 2016 @ 11:42 AM
a reply to: DannyBoy555

Meh, If you ever want peace, just let them own you...BUT under your own terms. The more you resist, the more effort they'll put into it until they get what they want. So let them have it under your supervision


I do agree with you on one thing though. If you truly want to protect your data, go analog.



posted on Sep, 15 2016 @ 11:49 AM
a reply to: Algorithm

I'm pretty sure I've seen the exact post the OP put up other places, matter of fact I've seen it or variations of it so much that I'm pretty sure it comes as part of a turn key "business kit"...

Oh and from my VERY limited understanding of current "tempest" site hardening can be much harder than the stuff he listed.



posted on Sep, 15 2016 @ 11:51 AM
a reply to: pl3bscheese

a reply to: Algorithm

Great points made!

For the regular computer user who wants to learn the basics of OpSEC (Operational Security) The EFF has some good basic tutorials! EFF Security Starter Pack

Purchase a good VPN! This can be obtained for less than 100 dollars per year and is well worth the investment. Read through their privacy policy and be sure that it includes a no logging clause. Also check what kinds of encryption they are using. You should seek a provider that uses nothing less than 4096 bit RSA. How to use OpenVPN

These are only the first steps at securing your personal information and protecting your privacy. Faraday cages and air-gapped machines are definitely useful for some people. But, for average computer users my recommendation would be to concern yourself with protecting your data and closing the security holes found in the ever growing 'Internet of Things' . All of those wireless devices consumers like to haphazardly connect to a personal network or a business network are easily hackable. Proofs of concept of this can be found on Google by the thousands. Hardware backdoors and small programs that relay data to outside sources (like companies who can pipe that to the government) exist and are 100% real.

Good luck! Enjoy the world of Linux and have fun learning about the ever changing landscape of cyber security.



posted on Sep, 15 2016 @ 12:31 PM
a reply to: AnonyMason

If I were you, I would be careful with VPN services claiming to not store the logs. VPN is no go for me. Although it does protect your communication, it is just one more party to worry about getting hacked into. Only thing I ever used was Hamachi....for entertainment purposes



posted on Sep, 15 2016 @ 12:33 PM
a reply to: Op3nM1nd3d

You realize you can anonymously rent a server in China and set up your own VPN, right?



posted on Sep, 15 2016 @ 12:44 PM
a reply to: pl3bscheese

That's just the thing, isn't it? Do you have physical access to the server in China? Does someone else have it? I know, I'm talking like a paranoid schizo but hey, isn't that what this thread is all about?



