Thoughts, essays, and writings on Liberty. Written by the heirs of Patrick Henry.


March 28, 2008

The FBI Hyperlink Honeypot, and what you can do to stay safe

by Quincy

This post is intended to help internet users who make legitimate, non-criminal use of the internet avoid being caught by the FBI’s hyperlink honeypot. While there are methods that can be used to cover deliberate criminal activity on the internet, I will not post them here.

Declan McCullagh brings scary news of the latest tactics from the FBI (via Instapundit, via Classical Values):

The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.

This is serious stuff, and not for the reasons you may think. The FBI is operating from the assumption that one IP address equals one household. It’s also operating from the assumption that all HTTP requests are user initiated. Both are wrong.

First, with NAT routing and WiFi, one IP address could be several houses, or even a sizeable chunk of an apartment building. The way most homes are set up with broadband and wireless is pretty simple and extremely open to abuse. The broadband connection comes in the home and has a single IP address. The device closest to the connection is a modem, which acts as a bridge between the home network and the broadband provider. The device after that is a wireless router, which takes traffic from all devices that connect to it and channels it to the modem.

This means that, to anyone on the other side of the modem, like web sites, your ISP, or the FBI, all the traffic looks like it’s coming from a single source. Since someone has to pay for that broadband connection, all the traffic is automatically assumed to come from that person. So, as a user, it’s in your best interest to be in control of all the traffic going over your internet connection, which leads us to…
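The single-IP problem described above, as an added example that is not part of the original post: a toy NAT router translating traffic from three LAN devices. Everything the far end can log carries the one public address, and only the router's own translation table can say which device was behind a given request. All addresses, ports and request lines are constructed sample values.

```python
"""Added example, not from the original post: a toy NAT router showing why a web
server, ISP or investigator sees one public IP for every device in the house.
All IP addresses, ports and request lines below are constructed sample values."""
from collections import namedtuple
import itertools

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port request")


class NatRouter:
    """Port address translation as a home router does it: every outbound packet
    leaves with the single public IP and a router-chosen public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}    # (private ip, private port) -> public port
        self.reverse = {}  # public port -> (private ip, private port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return pkt._replace(src_ip=self.public_ip, src_port=self.table[key])

    def attribute(self, public_port):
        """Only the router's live translation table (or its logs, if it keeps
        any) can say which private host was behind a given public port."""
        return self.reverse.get(public_port)


def server_log(packets):
    """What the far end can record: source IP, source port and request line."""
    return [(p.src_ip, p.src_port, p.request) for p in packets]


def distinct_sources(log):
    """How many distinct hosts the far end can tell apart by IP address."""
    return len({ip for ip, _port, _req in log})


def demo():
    # Three devices on the home LAN (constructed): the owner's desktop, a
    # neighbour on the open WiFi, and an infected laptop, each fetching
    # something different from the same web server.
    lan = [
        Packet("192.168.1.10", 51000, "198.51.100.5", 80, "GET /index.html"),
        Packet("192.168.1.11", 51001, "198.51.100.5", 80, "GET /video.mpg"),
        Packet("192.168.1.12", 51002, "198.51.100.5", 80, "GET /update.exe"),
    ]
    router = NatRouter("203.0.113.7")
    seen_by_server = server_log(router.outbound(p) for p in lan)
    return router, seen_by_server


if __name__ == "__main__":
    router, log = demo()
    for entry in log:
        print("server sees:", entry)
    print("distinct source IPs:", distinct_sources(log))
    print("router knows port 40001 was:", router.attribute(40001))
```

Run as a script, it prints three log entries that all start with 203.0.113.7 and a count of one distinct source. The point for the post's argument is that the attribution step (`attribute`) lives only on the home router; nothing the server, the ISP or an investigator sees on the far side of the modem contains the private address.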

TIP #1: Lock down your wireless network with WPA

In a utopian world, free love and free WiFi might seem like wonderful things. With creeps running around and the FBI trailing after them, not so much. Since people are actually getting jailed for clicking on hyperlinks based on their IP address, it’s time to get serious about making sure only the people you want get on your network.

WPA stands for Wi-Fi Protected Access, and it is the only secure way to prevent access to your wireless network. WPA uses a pre-shared key (PSK) of up to 63 characters to encrypt network traffic. This means that a device must have the key before it can send or receive any traffic on the wireless network.

(Don’t confuse this with WEP, the so-called Wired Equivalent Privacy. WEP has been thoroughly broken and can be cracked in less than 5 minutes.)

If you need a good, strong password, I highly recommend visiting GRC’s Perfect Passwords page. This page provides extremely secure pseudo-random passwords that make password attacks almost impossible.
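An added example, not from the original post and not GRC's code, covering this tip and Quincy's later advice in the comments (a key longer than 20 characters and not made of dictionary words): it draws a WPA-PSK passphrase from the operating system's CSPRNG, checks a passphrase against those rules, and shows how WPA-PSK turns passphrase plus SSID into the 256-bit key that actually protects the traffic. `SAMPLE_WORDS` is a constructed stand-in for a real dictionary and "HomeNet" is a made-up SSID.

```python
"""Added example, not from the original post or from GRC: generate a WPA-PSK
passphrase from the operating system's CSPRNG, check it against the rules the
post gives (printable ASCII, at most 63 characters, more than 20 characters and
no dictionary words) and show how WPA-PSK turns passphrase plus SSID into the
256-bit key that protects the traffic. SAMPLE_WORDS is a constructed stand-in
for a real dictionary."""
import hashlib
import math
import secrets
import string

MIN_LEN, MAX_LEN = 8, 63          # WPA/WPA2-PSK passphrase length limits
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SAMPLE_WORDS = {"password", "letmein", "wireless", "network", "secret"}  # constructed


def generate_passphrase(length=MAX_LEN):
    """Random passphrase from the 94 printable non-space ASCII characters."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase, alphabet_size=len(ALPHABET)):
    """Guessing entropy if every character was drawn uniformly from the alphabet."""
    return len(passphrase) * math.log2(alphabet_size)


def check_passphrase(passphrase, wordlist=SAMPLE_WORDS):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains a non-printable or non-ASCII character")
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append("length is outside 8 to 63 characters")
    elif len(passphrase) <= 20:
        problems.append("20 characters or fewer")
    lowered = passphrase.lower()
    if any(word in lowered for word in wordlist):
        problems.append("contains a dictionary word")
    return problems


def wpa_psk(passphrase, ssid):
    """Pairwise master key of WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the passphrase
    with the SSID as salt, 4096 iterations, 32 bytes of output. Everything in
    this derivation except the passphrase is public, so the passphrase's
    guessability is the whole strength of the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print("passphrase:", key)
    print("entropy   : %.0f bits" % entropy_bits(key))
    print("problems  :", check_passphrase(key) or "none")
    print("weak check:", check_passphrase("password123"))
    print("PMK for constructed SSID 'HomeNet':", wpa_psk(key, "HomeNet").hex())
```

A full 63-character passphrase from this alphabet carries roughly 413 bits of entropy, far beyond what any guessing attack can cover; the 20-character floor from the comments still gives about 130 bits. Because the SSID is the salt, keys precomputed for common default SSIDs do not transfer to a network with a unique name, which is one more reason to rename the router's default SSID.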

If the FBI can’t tell which device behind an IP address accessed a given URL, they probably can’t tell whether a user initiated the access or whether the machine did it automatically, either. In addition to making sure that there aren’t machines on your network doing things out of your control, you have to make sure there aren’t things on your machine doing things outside your control. This brings us to three more tips…

TIP #2: Scan your system for viruses and malware

Any software on your system can request any web address at any time. Well-behaved programs only do so at the user’s command. Malware, however, doesn’t. Most malware running today exists to use compromised machines as a platform to run the creator’s software on a mammoth scale, usually to generate spam. (You didn’t think there were actual people typing up those ads for Vi4g00, did ya?)

A piece of malware could very well access a honeypot link and get you, the user, into trouble. So, install that anti-virus software and run it, often.

For those who don’t want to load down their (Windows) systems with bloated software like Norton or McAfee, I personally recommend Avast‘s free anti-virus. It’s lightweight and does a good job of catching crud.

Also, no matter what anti-virus you use, be sure and keep your software up to date. Anti-virus software works best when it has the latest virus definitions.

TIP #3: Turn off the preview pane in your e-mail program.

This one’s an inconvenience, but it’s important. If your e-mail program is rendering e-mail without your specific instruction, it’s accessing addresses without your specific instruction.

Every time an e-mail has an image or other embedded content, your e-mail program has to fetch it from the internet. If the FBI were using a JPEG image as the honeypot, all it would take is your e-mail program rendering an HTML e-mail with the image in it to make it look like an attempted access.

Once the preview pane is turned off, it’s still your responsibility to delete suspicious messages without opening them. (Hey, sometimes it’s tough to do. Personally, I’m always open to a little chuckle from the latest generic drug scams and variations on the always classic Nigerian money scam. Now, I’m going to behave myself.)

TIP #4: Turn off link prefetching

If you use Mozilla Firefox, iCab, or Google Web Accelerator, your computer is accessing links without your knowledge. This feature is called link prefetching. In a perfect world, this would be a good thing for the user. Not so when a person can be arrested for being associated with the IP that accessed a link.

Here are the directions for turning off link prefetching in Firefox. Google Web Accelerator should be completely uninstalled to prevent prefetching.
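An added example, not code from the original post, that serves TIP #3 and TIP #4 together: it scans an HTML document and separates the requests a mail client or browser makes on its own just by rendering it (remote images, stylesheets, frames, CSS backgrounds) from prefetch hints a browser may act on, and from ordinary links that need a click. The message at the bottom is a constructed sample and example.com is a placeholder host.

```python
"""Added example, not from the original post: list the requests an e-mail
client or browser would make on its own when it renders an HTML document
(remote images, stylesheets, frames, CSS backgrounds) and the extra requests a
browser may make from prefetch hints. SAMPLE_MAIL is a constructed message;
the hostnames in it are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attributes fetched automatically while the document is drawn
AUTO_FETCH = {
    "img": ("src",),
    "iframe": ("src",),
    "script": ("src",),
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
}
PREFETCH_RELS = {"prefetch", "prerender", "next", "preload", "dns-prefetch"}
RENDER_RELS = {"stylesheet", "icon"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def is_remote(url):
    """True for http(s) URLs; data: URIs and relative paths stay local."""
    return urlparse(url.strip()).scheme.lower() in ("http", "https")


class AutoRequestScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.on_render = []   # fetched merely by displaying the document
        self.prefetch = []    # fetched by browsers that honour prefetch hints
        self.on_click = []    # ordinary links: fetched only on a user action

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            if is_remote(a.get("href", "")):
                self.on_click.append(a["href"])
            return
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            href = a.get("href", "")
            if rels & PREFETCH_RELS and is_remote(href):
                self.prefetch.append(href)
            elif rels & RENDER_RELS and is_remote(href):
                self.on_render.append(href)
            return
        for attr in AUTO_FETCH.get(tag, ()):
            if is_remote(a.get(attr, "")):
                self.on_render.append(a[attr])
        for url in CSS_URL.findall(a.get("style", "")):  # style="background:url(...)"
            if is_remote(url):
                self.on_render.append(url)


def scan(html):
    """Return the URLs grouped by what it takes for the client to request them."""
    s = AutoRequestScanner()
    s.feed(html)
    s.close()
    return {"on_render": s.on_render, "prefetch": s.prefetch, "on_click": s.on_click}


# Constructed sample: a spam-style HTML message with a stylesheet, a prefetch
# hint, a CSS background, a plain link, a tracking pixel and an inline image.
SAMPLE_MAIL = """<html><head>
<link rel="stylesheet" href="http://example.com/mail.css">
<link rel="prefetch" href="http://example.com/next-offer.html">
</head><body style="background:url('http://example.com/bg.gif')">
<p>Click <a href="http://example.com/offer">here</a> for cheap pills!</p>
<img src="http://example.com/pixel.gif?id=12345" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
</body></html>"""


if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_MAIL).items():
        print(kind, "->", urls)
```

Run on the sample, `on_render` holds three URLs that a preview pane would request with no click at all, while the "here" link sits in `on_click` and the data: image generates no request. The `prefetch` list is what TIP #4 is about: with prefetching enabled, Firefox will fetch a `rel="prefetch"` or `rel="next"` target after the page loads; the about:config preference that controls this is `network.prefetch-next`, which should be set to false.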

These are just the things I can come up with for preventing accidental ensnarement in this despicable FBI trap. I’d appreciate any more tips and tricks for preventing it that you might have.

Also, for those with a larger interest in security, I highly recommend Security Now! with Steve Gibson and Leo Laporte. It’s a weekly podcast that deals solely with security, and the archives are a wealth of information.

(If you have a few minutes, please come by and check out the new blog at http://pith-n-vinegar.blogspot.com/)


TrackBack URI: http://www.thelibertypapers.org/2008/03/28/the-fbi-hyperlink-honeypot-and-what-you-can-do-to-stay-safe/trackback/

8 Comments

  1. I am surprised that they left out a very important part of wireless security: MAC address filtering – only permitting the access point to communicate with specific wireless cards.

    Put this in place, and even your unencrypted network is safe from the dreaded war-driving pervert.

    Comment by tarran — March 29, 2008 @ 6:06 am
  2. tarran –

    MAC address filtering is too easily defeated to be relied upon. All it takes is someone using a packet sniffer to find some ARP packets, which contain the MAC address, and then spoofing said MAC address to gain access.

    Like WEP, it does offer a layer of security, but only a trivial one. I absolutely don’t recommend that it be relied upon in place of WPA encryption.

    Comment by Quincy — March 29, 2008 @ 7:47 am
  3. This is exactly why WI-FI is not the smartest way to use @ home on a computer that’s constantly on. The only devices that I feel comfortable using WI-FI with are gaming consoles, as typically they are not fully fledged computers that house sensitive information.

    LAN is and always will be the best way to go; at least until something similar to LAN makes the rounds.

    Comment by Nitroadict — March 29, 2008 @ 8:40 am
  4. MAC address filtering is too easily defeated to be relied upon.

    Damn, now I am really embarrassed. I should have known that…

    Comment by tarran — March 29, 2008 @ 10:30 am
  5. Last I checked, LAN & a NAT worked pretty well. I don’t worry as much since switching to Ubuntu, but I should probably read up on making my own separate linux firewall box out of cheap parts…

    Comment by Nitroadict — March 29, 2008 @ 11:17 am
  6. Nitro –

    A hard-wired LAN and NAT router are absolutely the best way to go if you can run the cable, both in terms of security and performance. That said, a WiFi network with WPA and a strong key is plenty trustworthy.

    tarran –

    The weakness of MAC address filtering has not been widely publicized, as far as I know, though it certainly should be. A lot of people still believe MAC address filtering and turning off SSID broadcasting are adequate security measures.

    My first rule of security is always assume everyone has access to everything you’re sending and receiving. Address filtering never follows this rule because anyone who has access to your traffic can see the address. In the case of MAC address filtering, the combination of WiFi packet sniffers and MAC address spoofing leads to a trivial crack.

    Comment by Quincy — March 29, 2008 @ 9:09 pm
  7. What about MAC filtering, no SSID broadcast, and WPA? Is that safe? I ask because that’s my setup at home.

    Comment by Scooby — April 1, 2008 @ 9:11 am
  8. Scooby –

    As long as the WPA network has a secure key, i.e. greater than 20 characters and not composed of dictionary words, you’ll be fine with that setup.

    Comment by Quincy — April 1, 2008 @ 6:10 pm
