5 important security questions...

KingNeil

New Member
I have some important security questions that I would like answered.

1. If you were to strip down a web browser to remove all plugins and JavaScript... are there any browser exploits that would work...? Can it still be hacked..?

2. How would you go about downloading something like Tor or Tails properly, given that the NSA has packet injection systems like QUANTUMINSERT (see Snowden docs)..? Couldn't they just send you a fake version of Tor, which has spying built into it..?

3. Can the BIOS of a computer communicate with the network, or not...? I've heard about BIOS keyloggers, but how could the BIOS even transfer that keylogged data to anywhere else on the system...? Surely, unless the main operating system requested data from the BIOS, then it couldn't obtain it in the first place...? Surely the BIOS can't just push out this data over the network by itself...?

4. If you were to use a tool like DBAN to totally write over the hard drive, would that totally wipe out any viruses...? I guess this goes back to the question on whether viruses can really hide in BIOS or not...

5. If you were to use a recording app on a phone or computer, would this prevent someone listening to the microphone in the background... picking up background noise...?? I have noticed on a computer that a microphone can only be accessed by one application at a time... Like, if you use Audacity and Windows sound recorder at the same time, it won't let you.... So, if I had an app constantly recording in the background, would that prevent someone from using a hack to listen to me in the background...?

Thanks
 

johnb35

Administrator
Staff member
1. Depends on the browser. IE has many security flaws.

2. Unable to discuss Tor.

3. It's possible. The BIOS communicates with the OS directly.

4. DBAN will totally wipe the drive and any viruses it may have.

5. Not sure, but since phones can use 2 apps at once, I would assume someone could still listen. I think you can be on a phone call and still use Google to voice search.
 

Agent Smith

Well-Known Member
1. If you were to strip down a web browser to remove all plugins and JavaScript... are there any browser exploits that would work...? Can it still be hacked..?

There are other things like XSS, etc. Use Sandboxie and a Mozilla variant browser like Pale Moon with the addon NoScript. You can allow base 2nd level domains by default or just deactivate NoScript and choose basic protection to lessen the cumbersomeness.

2. How would you go about downloading something like Tor or Tails properly, given that the NSA has packet injection systems like QUANTUMINSERT (see Snowden docs)..? Couldn't they just send you a fake version of Tor, which has spying built into it..?

Tor is a privacy nightmare. I have a blog entry about this. Look in my sig. I can't link it because I'm using a VPN with a connection to a Leaseweb server and I block Leaseweb on my site. A good VPN is what you want. https://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/

3. Can the BIOS of a computer communicate with the network, or not...? I've heard about BIOS keyloggers, but how could the BIOS even transfer that keylogged data to anywhere else on the system...? Surely, unless the main operating system requested data from the BIOS, then it couldn't obtain it in the first place...? Surely the BIOS can't just push out this data over the network by itself...?

There is BIOS malware in the wild. I'm sure it's possible.


4. If you were to use a tool like DBAN to totally write over the hard drive, would that totally wipe out any viruses...? I guess this goes back to the question on whether viruses can really hide in BIOS or not...

There have been viruses written in the firmware of HDDs. You can't get rid of that. In fact I think the NSA did it to HDDs sent to Iran. DBAN is good, but I have no idea if a state or federal forensics agency could read the data. Best to encrypt the computer with TrueCrypt using at least a 20 digit upper and lower case alpha, numeric and symbol password committed to memory only! This is what I have. Read the manual thoroughly if you will use TC.

5. If you were to use a recording app on a phone or computer, would this prevent someone listening to the microphone in the background... picking up background noise...?? I have noticed on a computer that a microphone can only be accessed by one application at a time... Like, if you use Audacity and Windows sound recorder at the same time, it won't let you.... So, if I had an app constantly recording in the background, would that prevent someone from using a hack to listen to me in the background...?

There are so many security concerns with a smartphone I wouldn't bother. There's also the mute on the mic for a computer. There is malicious code that can take over your mic and cam. If you want to use a smartphone though, turn off location sharing. I would use a Blackphone from the company Silent Circle. They also have end-to-end phone encryption, but both users need the app for end-to-end encryption. There is other hardware too, but you're talking at least dropping $500. I wonder if there is an AES texter app? :D

Text messages, voice mail and E-mail all stay logged. Do not trust them.

Common sense is your first line of defense. There are many aspects to security. I wonder how many people strip the metadata from their pictures? HAHAHA
 

KingNeil

New Member
OP here.

OK.... Some interesting responses.

The thing that I really want to know, above all, is whether you could use a 2nd recording app, to prevent a mic from being listened to in the background.

I have personally used systems like removing a mic, or smashing a mic with needles, and using an external plug-in mic.

But this is not practical for other people. They don't want to use a plug-in mic whenever they want to make a call.

So..... this is why I wanted to create some kind of app for Android/iPhone etc that essentially records in the background constantly, and deletes the recording constantly too... The purpose is to use up the mic all the time, so it can't be used by Spyware.

I just want to know whether this works, or whether it really is possible for mics to be used by 2 apps simultaneously anyway.

Thanks
 