Cyber SWAT Unit

Announcement

We are glad to announce one of the most unique, relevant and much needed services to legal, medical and executive professionals. We have launched our Cyber SWAT Unit.

We offer a cyber security assessment, cyber threat modeling evaluation and the implementation of the most effective technological infrastructure to legal professionals, medical professionals and business executives.

Our services include equipping attorneys, investigators, medical professionals, business owners and executives with a state-of-the-art implementation of cryptographic tools and devices to ensure the privacy, security, confidentiality and integrity of their digital files and the privacy, security and/or anonymity of their research.

Legal Security Requirements for Attorneys and Investigators Handling Client Data

Both Nevada and Massachusetts have legally mandated encryption as part of their consumer protection regulations. The Massachusetts Attorney General has been very active in enforcing consumer data protection. In July 2014, the Attorney General enforced a civil penalty of $150,000 against the Women & Infants Hospital of Rhode Island (“WIH”) to resolve allegations that it lost unencrypted data. This legal action demonstrates that the Massachusetts Attorney General is aggressively engaged in enforcing both Federal and Massachusetts information security law against out-of-state entities who insecurely store the personal data of Massachusetts residents.

Massachusetts information security law, M.G.L. c. 93H, applies to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” The law applies to all private businesses, including lawyers and law firms, and requires that an organization have a written security plan that includes “to the extent technically feasible, . . . encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.” The organizational program also must include “encryption of all personal information stored on laptops or other portable devices.” Covered “personal information” includes Social Security numbers, driver’s license numbers, state-issued identification card numbers, financial account numbers and credit card numbers. This law has been enforced against out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts.

Nevada also has a robust data protection law with two principal sets of provisions. First, Nevada gives the Payment Card Industry Data Security Standard (“PCIDSS”), an industry standard developed by a private rule-making body, the force of law in the state. The PCIDSS aspect of the law requires that all data collectors who do business in the state of Nevada and accept a payment card in connection with a sale of goods or services maintain their personal data securely. The second set of provisions requires encryption of personal information during electronic transmission or while in storage on data storage devices. The transmission provisions of the law require that a “data collector doing business in this State to whom subsection 1 does not apply [i.e., that is not required to comply with the PCIDSS] shall not . . . transfer any personal information through an electronic, non-voice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission.”

In addition to state-mandated legal schemes, attorneys have a clear ethical responsibility to protect client information. Rule 1.6 of the Model Rules of Professional Responsibility states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” As the comment to the section reads, the “fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.”

In 2012 the ABA modified the language of the applicable rule to impose an explicit obligation on attorneys to take positive steps to protect the confidentiality of information concerning their clients and cases. Each state bar has its own interpretation of how to define “reasonable effort.” Pennsylvania’s state bar, for example, has defined reasonable effort in a way that specifically encourages attorneys to regularly use encryption to protect their clients.

Law firms and attorney associations have been slow to secure their systems and are leaving themselves open to adverse legal action and significant fees as a result. State laws mandating encryption and uniform organizational security planning for attorney-client information are an important first step to real security and ethical responsibility in the information age.

Long gone are the years when only the NSA, FBI, DHS, DOD, White House, U.S. Congress and the United States Military had all the powers of encryption solely in their hands. This power can also, and should also, be used by civilian institutions and professionals who are in possession of confidential files, evidence, and other private information. Attorneys, investigators from the private sector and other legal professionals should all abide by the same requirements, regulations, standards and validations specified by the Federal Information Processing Standard (FIPS) and the Homeland Security Presidential Directive (HSPD-12) with its Personal Identity Verification (PIV), used by all federal employees across the country whose job is to protect data, gain access to data, gain access to secured buildings and facilities, and authenticate themselves digitally.

Det. Martin uses his smart card for the decryption and signing of every piece of digital evidence gathered in a given case. This ensures total confidentiality and privacy through the encryption standards set forth by the Federal Government in the Homeland Security Presidential Directive (HSPD-12), which guarantees evidence preservation, integrity and verification, protecting the evidence from spoliation between the time of acquisition and its presentation in Court. Det. Martin's cryptographic devices carry FIPS 140-2 Level 3 validation, the same used by federal agents and investigators of the United States Federal Government, members of the U.S. Department of Defense and Homeland Security, and many physicians in possession of patients' medical records at military hospitals. Det. Martin's smart card supports both the Personal Identity Verification federal standard (PIV-II) for use with LibreSSL and the open-source cryptographic standard OpenPGP for use with the GNU Privacy Guard (GPG).

Upon hiring Det. Martin, all your digital files are kept in either an encrypted BIOCTL container or an encrypted LUKS container on an SSD or HDD, and/or on a non-writable CD/DVD. Your files are stored and digitally signed using an asymmetric RSA key of 4096 bits or an elliptic-curve ECDSA key. Det. Martin's cryptographic key lives inside his smart card, and the smart card is not vulnerable to cloning or key extraction, the same as today's chip-based debit cards. This method of investigation used by Det. Martin is scientifically and forensically sound and is used by many federal investigators across the country for purposes of crime scene authentication and the preservation of chain-of-custody documents and evidence by means of cryptographic standards. He takes the privacy and confidentiality of our clients' cases extremely seriously and makes every technological effort to protect their files and their investigative evidence.

Storage devices are extensions of our brains. You can certainly retain and protect all the information in your brain by simply remaining silent; however, the minute you put your thoughts into words by typing them into a computer or phone or sending them via email, they are no longer privileged unless cryptography and free/open source software and hardware are involved. Have no doubt that most proprietary solutions are spying on you. They promise you that your information is “safe”, but they are the ones holding the encryption keys or putting back doors in their algorithms. DO NOT fall into these traps. Use instead software and hardware that can be audited and verified by other software developers and engineers.

Our CYBER SWAT UNIT can assist you with the following:

1) Workshop/Seminar on the various layers involving digital security:

- Web Browsing Layer: Tor Browser, sandboxed or jailed Firefox with all the privacy/security add-ons and tweaks, or the Surf browser
- Networking Layer: WireGuard as a VPN protocol, pf & routing tables (OpenBSD) or iptables (Linux)
- Application Layer: Minimalistic/non-bloated command line tools (UNIX philosophy/principles & software from suckless.org)
- Operating System Layer: OpenBSD, Qubes OS, and the Linux variants Whonix and Tails
- System Initializer Layer: The rc.d system, which is basically a lightweight version of System V init that strips out all of the runlevels, rcN.d directories, SNN and KNN symlinks, and so on, to wind up with just shell scripts in /etc/rc.d. Other options are runit and OpenRC. On the other hand, systemd is not a viable option. systemd is a bloated, morbidly obese piece of software designed by horrible programmers. I do not recommend it.
- Kernel Layer: OpenBSD kernel, Xen Type-1 hypervisor microkernel, Linux kernel
- Boot Loader Layer: OpenBSD biosboot & boot program and/or GRUB (Linux)
- BIOS & Firmware Layer: Coreboot and/or Libreboot (depending on your machine)
- Micro-chip Layer: Removed and/or disabled Intel Management Engine, or neutralized Intel ME (machine-dependent)
- Motherboard/Computer Schematics: Tinkerable/freedom-loving motherboards, de-soldered mics, disconnected speakers, disabled Bluetooth, no webcam, Atheros Wi-Fi card, etc.

The rabbit hole goes deep when it comes to addressing the security of your cyber infrastructure. Unless you make every effort to know you are safe in every layer, you are extremely vulnerable to hacking, cyber attacks, illegal spying and mass surveillance.

In this presentation and workshop, Det. Martin goes over his workflow on his own laptop workstation, smart cards, and cryptographic devices. His approach also involves discussing relevant federal laws and RFC standards, regulations, certifications, validations and best practices.

2) Cyber Security Assessment Consultation

This service involves Det. Martin meeting with you in person for a consultation and explaining what you should be doing as a legal professional. In this consultation you will be given the necessary steps to take and the plan of action regarding the software, hardware and devices to use when storing (data at rest), transporting (data in motion) or transmitting (data in transit) confidential data.

3) Implementation and Configuration of your Computer System and Smart Cards

- Installation, configuration & implementation of the Qubes operating system (based on the Xen bare-metal Type-1 hypervisor)
- Installation and configuration of the OpenBSD operating system (the most secure monolithic operating system in the world)
- OpenBSD operating system hardening and audit
- Administration and maintenance of your OpenBSD and Qubes OS boxes
- Use & implementation of public key cryptography via OpenSSH, LibreSSL, signify and OpenPGP
- Use & implementation of free software from suckless.org
- Full disk encryption via BIOCTL/softraid0 (OpenBSD) and/or LUKS/cryptsetup (Qubes OS & Linux)
- Virtual machine setup with a security-through-isolation and compartmentalization approach
- Air-gapped & encrypted digital vaults
- BIOCTL/softraid0 encrypted containers, the RAID management interface with the CRYPTO discipline
- LUKS/cryptsetup: Linux Unified Key Setup encrypted containers (LUKS containers)
- Creation of your cryptographic keypair (master key and subkeys)
- Configuration of your smart card(s): YubiKeys, GPG and/or PIV chip-based smart cards
- Proxy virtual private network standalone VM & multi-layered Internet setup (WireGuard protocol)
- Email service with end-to-end encryption using both symmetric and asymmetric keys
- Multi-factor authentication (2FA) configuration with smart cards

4) Train you and/or your agents for the use of the new cyber infrastructure:

- Hands-on training for the proper and efficient use of every device, every piece of software and every tool implemented in the new system, and the safe use of the new computer.
- Training has three phases: phase one involves the training itself; phase two involves a follow-up training to work on any difficulties encountered by the user(s) during the transition. Phase three involves coaching new users for their entire first year during their transition. Phase three is the only phase that is optional.

5) Verification of Digital Evidence and Data Integrity:

Det. Martin can assist you with cryptographically verifying whether your legal adversaries, in this case the police investigators working against you, acquired and preserved the digital evidence they obtained against you in a proper manner, in compliance with the FBI standards of digital evidence acquisition and preservation: data integrity through mathematical hashing of every file, time stamping of acquisition, and the digital signature of the lead police detectives assigned to your case. If the police investigators did not comply with such standards, your attorney can assign Det. Martin to scientifically contest the forensic procedures taken by your legal adversaries. If there was evidence spoliation during the process of acquisition and/or preservation in a case involving you, then such evidence may not be admissible in Court. If this situation applies to your case, do not hesitate to contact Det. Martin for a consultation at 570-550-0900.

6) Seminars and Workshops:

- Det. Martin is an instructor and educator in the areas of cryptography applied to investigations and dignitary protection missions, such as: forensic preservation of digital evidence with UNIX, Linux and GNU cryptographic software and hardware tools; and the implementation of the Homeland Security Presidential Directive (HSPD-12) via the use of PIV-compliant smart cards and FIPS 140-2 Level 3 validated hardware devices used by Federal Government agencies, applied within the realm of investigations by attorneys and private investigators. This involves data encryption, data confidentiality, digital signatures, digital authentication and data integrity.

- Det. Martin also teaches Advanced Methods and Techniques in Forensic Photography and Surveillance: the proper use of a 35mm full-frame "Nikon" DSLR camera during surveillance assignments and incident response; proper use of macro, wide-angle and telephoto lenses; proper use of infrared/night vision camcorders in low-light situations and night surveillance; proper use of a "Sekonic" light meter and an "X-Rite" ColorChecker Passport to measure and capture perfectly exposed photographs with true color rendition; proper use of a tripod and off-camera flash along with "PocketWizard" radio triggers for the photographic capture and acquisition of footprints; and proper use of post-processing software for photo enhancement and analysis. He teaches the application and use of collision-resistant hashing algorithms for every digital photo and raw file, and the digital signature of all the hashes and time-stamps of every report.

- His students range from members of law enforcement and the military to attorneys and investigators from the private sector.
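The integrity check described under items 5 and 6 (hash every evidence file at acquisition, record the timestamp, then detect any change before presentation) as an added example, not the page's or Det. Martin's own tooling: it builds a manifest, then reports files that were modified, deleted or added afterwards. File names and contents are constructed; the smart-card signing of the manifest is left to an external tool such as gpg and appears only as a comment.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HASH_ALGO = "sha256"  # collision-resistant; MD5 and SHA-1 are not acceptable for this purpose

def hash_file(path, algo=HASH_ALGO, chunk=1 << 20):
    """Stream the file through the digest so multi-gigabyte raw files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, acquired_by):
    """Digest of every file plus the acquirer and a UTC acquisition timestamp."""
    files = {p.name: {"algo": HASH_ALGO, "digest": hash_file(p)}
             for p in sorted(Path(evidence_dir).iterdir()) if p.is_file()}
    return {"acquired_by": acquired_by,
            "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "files": files}

def verify_manifest(evidence_dir, manifest):
    """Return {filename: 'ok' | 'modified' | 'missing' | 'unlisted'}; anything but 'ok' is a break in integrity."""
    report = {}
    for name, rec in manifest["files"].items():
        p = Path(evidence_dir, name)
        if not p.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if hash_file(p, rec["algo"]) == rec["digest"] else "modified"
    for p in Path(evidence_dir).iterdir():  # files that appeared after acquisition
        if p.is_file() and p.name not in manifest["files"]:
            report[p.name] = "unlisted"
    return report

def demo():
    """Constructed scenario: three files acquired; afterwards one is edited, one deleted, one added."""
    d = Path(tempfile.mkdtemp())
    samples = {"IMG_0001.NEF": b"raw photo bytes", "notes.txt": b"scene notes", "audio.wav": b"RIFF...."}
    for name, data in samples.items():
        (d / name).write_bytes(data)
    # manifest_json is what the smart card would detach-sign (e.g. with gpg); a tampered manifest then fails the signature check first.
    manifest_json = json.dumps(build_manifest(d, "Investigator X (constructed)"), sort_keys=True)
    (d / "notes.txt").write_bytes(b"scene notes, amended later")
    (d / "audio.wav").unlink()
    (d / "extra.jpg").write_bytes(b"not in the original acquisition")
    return verify_manifest(d, json.loads(manifest_json))
```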