Within my InfoSec community to which most of you subscribe and read on a daily basis, I have…

Jan 1, 2016

ṤⱧǠᴆ Ő Ɯ
Misconceptions & Fact
—
Information Security

Within my InfoSec community to which most of you subscribe and read on a
daily basis, I have noticed quite a few misconceptions regarding safe practices with
respect to secure methods of communication methodologies and/or mediums stated
to be factual or rather being employed by companies or individuals that sufficiently
serve the purpose of maintaining ones privacy over web-based mediums including
but not limited to SSL website services and online public/private key email
cryptographic services claiming erroneous statistics and/or unreasonable promises
to keep your communications secure.
The difficulty in ones ability to discern what is fact and what is erroneous
with regard to claims stated by security companies, online articles, online security
groups, tech magazine articles, tech news casts, tech shows and general advertising
media spawns a dichotomy within the InfoSec industry. One one hand, the
disinformation and erroneous material assertions are the direct result of simple
ulterior motivations that have but one purpose, revenue. In both cases, which I will
get to in a moment, the target advertising paradigm for both sides of this
dichotomy is directed sorely at less knowledgeable and less advanced technological
person(s) to which false trust in those assertions is simply accepted due to a few
factors that we will mention later.
On the other hand, the disinformation and erroneous material assertions are
indirectly rooted to attain revenue but in a way such that, for instance a technology
show, magazine or online article inadvertently gains popularity to which the priorparagraph advertising paradigm places adds within these very shows, magazines
and articles completing the disinformation circle.
We have an extremely large disconnect within the InfoSec community, trust
vs. knowledge, each item below can be directly related to one of these facts. As
previously stated, the primary factors which these assertions are accepted are as
follows:
• Education
◦ Knowledge —
▪ Lack of education is a direct result of acceptance of disinformation.
• Laziness
◦ Trust —
▪ Persons whom blindly trust will not be motivated to question improper
procedure leading to laziness.
• Company Policy
◦ Trust —
▪ Persons whom are forbidden to think outside company policy are
restricted and therefor unable to implement security enhancements for
fear of employment loss leading to security holes. Persons
implementing these policies also have a psychological disconnect with
reality when refusing input from staff that would benefit company
security.
• Poor Training
◦ Knowledge —
▪ Poor training has a number of reasons but primarily are rooted within
monetary psychology. Generally companies will attempt to save on
payroll by hiring entry level grads and laying off senior analysts
greatly reducing the companies security footprint.
• Government Policy
◦ Trust —
▪ Those employed by governmental bodies know all too well that policy
and red tape by these organizations are extremely detrimental to all
involved. Employees are given no choice to trust the upper echelon
directly resulting in a failure to effectively govern and protect a
citizens information. This is had been on countless occasions be proven
in real world scenarios with the U.S itself.• Outdated Hardware
◦ Knowledge —
▪ As we have stated before, we can associate most of the previous
statements with this one. Generally one can discern that not only all of
the above apply, but mostly the ones making the decisions to upgrade
hardware do not in fact understand in any realm the importance of
security. Security, especially in our government has taken a back-seat
to almost every other Information Technology item. This has proven
to be disastrous even a midst the countless warnings, papers, evidence
and security experts providing pure evidence that to ignore said
evidence would put not only the countries national security at risk but
the citizens within. One can only come to one of two conclusions:
• They are inept
• They do not care
The overall conclusion of the above discussion is that the dichotomy
discussed is a self-serving end unto itself perpetuating the overall American
monetary psychological paradigm, more to the point, money is more important
than people in laymen’s terms.
Finally, allow me to discuss how this affects the real world, my community
and the InfoSec industry itself. First lets take a few comments from my InfoSec
Community and apply the above theory:
• True or False: It is secure to use an online web-based mail system, type a
message and leave it in the draft box?
◦ False: Remember, you care connecting to a remote system under SSL,
which has been cracked by the government, so once you type this message,
the data is saved over SSL and THEN encrypted on the server, e.g. Proton
Mail. This is a self-defeating method of secure communication. The only
true method of security is local GPG encryption and then saving it into a
draft folder online.
• True or False: Is online banking secure?
◦ Yes and No, generally home-based banking is ok but really you are a the
mercy of the bank itself. If you are asking is my banking information
secure from the government, the answer is absolutely not. What one must•
•
•
•
•
•
•
remember is that all of your banking information is already online even if
you choose not to bank or shop online. Everything is run by computer, in
essence, banking and credit-card companies gamble with your personal
information every single day.
True or False: If I use the OTR [Off The Record Plugin] am I safe.
◦ Yes and No, remember that OTR encrypts data to and from you and your
partner, in that it is secure, however, if you are using a computer that is
infected with a virus, a screenshot will undo everything. This goes out to
you windows users.
True or False: I use windows 10, does it really spy on me?
◦ YES! Get rid of it.
True or False: Is TrueCrypt Safe?
◦ Yes, version 7.1a is safe, but only use a passphrase and not a keyfile to be
completely safe.
True or False: Is Windows bitlocker safe?
◦ NO NO NO!Any and All cryptography on windows is NOT safe. I would
also not use TrueCrypt on it.
Is Metasploit Backdoored?
◦ I decline to answer, just use it in a Virtual Machine.
Is there any way to be completely anonymous on the Internet?
◦ Yes and no, the only way to accomplish this is to have control over the
hops that you are using to communicate. Logs and spy software are the
downfall of any anonymous communication, that being said, to achieve a
high level of anonymity, location wise, is to systematically destroy, in
sequence, all hops that a connection has used. This however does not
guarantee that the information captured over the wire cannot be
decrypted. Depending on the skill of the user, location information is
always contained within the communication protocol, as such, if one is
good enough, spoofing packet data headers would accomplish the
anonymity goal.
Does social media service create dossiers’ of me?
◦ Yes, absolutely. In the data age, information is as valuable to government
and companies as currency.These are the facts my fellow hackers, security buffs and end users. You can trust
that this information is accurate simply because I have no ulterior motives
whatsoever. If you have any other questions you wish to pose, please let me know,
or if I have inaccurately disseminated this information.
Our Network
ṤⱧǠᴆ Ő Ɯ — Founder Shadow-Corp/Shadow’s Government
IRC irc.shadowsgovernment.com
Channel #shadowsgovernment
Social :
{ https://plus.google.com/communities/105314280241482065594 }
Google+
{ https://twitter.com/00_SHADOW_00}
Twitter
{https://www.facebook.com/Shadow-Corp-288108517940713/timeline/ Facebook
Web Resources:
{ http://shadowsgovernment.com }
{ http://shadowsgovernment.com }
{ http://shadowsgovernment.com }
Main Site
Radio Show
Public Library