Saturday, October 21, 2017

ProtonMail + TOR

 
I have previously recommended using ProtonMail to protect your personal communications. Now there is an additional reason to like ProtonMail. You can add a degree of anonymity to your ProtonMail by creating and always accessing your account via TOR. ProtonMail has created a TOR hidden service at https://protonirockerxow.onion. (You will, of course, need TOR installed on your computer in order to access this .onion web-site. Download your copy of TOR here: https://www.torproject.org.)
 
Additional details about the integration of ProtonMail and TOR can be found on the ProtonMail blog at: https://protonmail.com/blog/tor-encrypted-email/.
 
 





Financial Privacy - Opt-Out Info

 
 
According to the Federal Deposit Insurance Corporation (FDIC), companies that offer financial services may share your private financial information with others. Companies that offer financial services include:
  • Banks, savings and loans, and credit unions
  • Insurance companies
  • Securities and commodities brokerage firms
  • Retailers that directly issue their own credit cards (such as department stores or gas stations)
  • Mortgage brokers
  • Automobile dealerships that extend or arrange financing or leasing
  • Check cashers and payday lenders
  • Financial advisors and credit counseling services
  • Sellers of money orders or traveler's checks.
 
According to Federal law these companies must send you an annual privacy notice, giving you the opportunity to opt-out of the sharing of some parts of your personal financial information with others. The FDIC points out that “Financial companies share information for many reasons: to offer you more services, to introduce new products, and to profit from the information they have about you… If you prefer to limit the promotions you receive or do not want marketers and others to have your personal financial information, you must take some important steps.”
 
Unfortunately, you cannot opt-out of all sharing of your private financial information. The law lets financial companies share your information for some purposes without your permission. For example, without your permission a financial company can share:
  • Your information with firms that help promote and market the company's own products, or products offered under a joint agreement between two financial companies
  • Records of your transactions--such as your loan payments, credit card or debit card purchases, and checking and savings account statements--with firms that provide data processing and mailing services for the financial company
  • Information about you in response to a court order
  • Your payment history on loans and credit cards with credit bureaus.
 
In these cases, you have no right to opt-out of the sharing of your private financial information. If you choose to do business with these financial companies, they can share and profit from your private financial data. However, you do have the right to opt-out of the sharing of your private financial information for marketing purposes. When you receive a privacy notice in the mail from one of your financial companies, take a few minutes to read the notice, and if you want to limit the sharing of your private financial information for marketing purposes, opt-out.
 
Examples of privacy notices can be seen at the following sites:
 
If you haven’t already reviewed the privacy notice from each of your financial companies, contact them and ask for a copy of the privacy notice and inform each of these financial companies that you wish to opt-out of the sharing of your information.
 
 
 

Thursday, October 19, 2017

Freeware Encryption

 
 
 
In 2001, I published a short book, “Freeware Encryption & Security Programs”. Although this book is now out of print, I have made a PDF copy of it available to readers of Chesbro on Security. You can download a copy from my Google Drive here: https://goo.gl/7YtDwY.
 
Some of the encryption programs I discussed in the book are still available today. Others have been overtaken by time and technology, and are no longer available. The need and desire for encryption, however, have not gone away. New freeware encryption programs are now available to help you protect the content of your files, folders, and on-line communications.
 
Encryption should be used for everything, not a feature you turn on only if you're doing something you consider worth protecting. This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.

A Google search for "encryption programs" will return a large number of results. The following encryption programs are some that I have used, at least to some extent, while studying encryption. Whether one program is better than the next depends on your specific needs, the computer operating system that you are using, and compatibility with whatever those with whom you share information are using to protect their own data. Experiment with the encryption programs on the following list. Save and use those programs that meet your personal needs.
   
AES Crypt (https://www.aescrypt.com)

Cyphr Encrypted Messaging App (https://www.goldenfrog.com/cyphr)

Encipher It (https://encipher.it)

GNU Privacy Guard (https://gnupg.org)

JavaScrypt: Browser-Based Cryptography (http://www.fourmilab.ch/javascrypt/)

miniLock (http://minilock.io)

Paranoia Text Encryption (PTE) (https://paranoiaworks.mobi)

Encryption is an essential part of your personal privacy and security, but it is not a 100% solution. Consider the following tips while choosing and using your encryption programs.
 
1) Hide in the network. Implement hidden services. Use Tor, I2P, Freenet, and VPNs to anonymize yourself. The less obvious you are, the safer you are.
 
2) Encrypt your communications. Use TLS. Use IPsec. While it's true that some agencies target encrypted connections - and may have explicit exploits against these protocols - you're much better protected than if you communicate in the clear. Woe betide whoever transmits plaintext.
 
3) Assume that while your computer can be compromised, it would take work and risk to do so - so it probably isn't. Still, physical security is important and should be included in your overall personal security plan.
 
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier to backdoor than open-source software. Systems relying on master secrets are vulnerable to adversaries, through either legal or more clandestine means.
 
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving an adversary a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that governments influence when they can.
 
 


21-Day Personal Privacy Challenge

 
Day 1 – Register your telephone numbers with the National Do Not Call Registry (https://www.donotcall.gov/), and Opt-Out of sharing of your personal information with companies that offer credit and insurance (https://www.optoutprescreen.com/).
 
Day 2 – Install “HTTPS Everywhere” (https://www.eff.org/https-everywhere) and “Privacy Badger” (https://www.eff.org/privacybadger) in your Firefox, Chrome, or Opera browser. Install and run Malwarebytes (https://www.malwarebytes.com) and Bleachbit (https://www.bleachbit.org) or CCleaner (https://www.piriform.com/ccleaner) on your computer.  
 
Day 3 – Sign up for an end-to-end encrypted e-mail service such as ProtonMail (https://protonmail.com/) or Tutanota (https://www.tutanota.com/). Start using this new encrypted e-mail to protect your personal communications.
 
Day 4 – Stop using SMS/Text messages for personal communication. Switch to an end-to-end encrypted messenger such as Wickr (https://www.wickr.com/personal) or Signal Private Messenger (https://signal.org/).
 
Day 5 – Start conducting your on-line searches with a search engine that does not track you, such as DuckDuckGo (https://duckduckgo.com/) or Startpage (https://www.startpage.com/).
 
Day 6 – Set up two-factor authentication on all your on-line accounts where it is available (https://twofactorauth.org). Use a hardware token, such as a Yubikey, where possible, or as the next best option use a software token such as Google Authenticator or the Authy app.
 
Day 7 – Install a Password Manager. Examples of password managers include: LastPass (https://www.lastpass.com/), KeePassXC (https://keepassxc.org), Dashlane (https://www.dashlane.com), and 1Password (https://1password.com).  
 
Day 8 – Change all of your passwords. Use a very strong password, generated by your password manager, or use an external password generator such as the GRC Ultra High Security Password Generator (https://www.grc.com/passwords.htm) to generate new passwords.
 
Day 9 – Review and strengthen the privacy settings on all of your social media accounts. The US Army CID Computer Crime Investigative Unit provides guides to assist you in securing Facebook, Twitter, LinkedIn, Google Plus. Search the help settings on other social networks for ways to improve your privacy and security.
 
Day 10 – Order and review a copy of your credit reports (https://www.annualcreditreport.com/).
 
Day 11 – Protect your financial information by adding a Credit Freeze to your account with each of the major credit reporting agencies (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs).
 
Day 12 – Search your name and other personal information on-line. Make note of where any of your personal information appears. Set up Google Alerts (https://www.google.com/alerts) to monitor the Internet for the appearance of any new information about you.
 
Day 13 – Protect access to your smartphone with a password or long numeric PIN. Avoid using fingerprint access, a swipe pattern, or the short 4-digit PIN to protect your smartphone.
 
Day 14 – Install VeraCrypt (https://www.veracrypt.fr/en/Home.html) and create a secure / encrypted volume to protect sensitive files on your computer. Alternately use BitLocker on your Windows computer or FileVault on your Mac computer to create this encrypted volume.  
 
Day 15 – Back up your important data and store it as an encrypted volume on some type of removable media (e.g. CD/DVD or USB drive). Store this back-up someplace safe. Note that you can create a compressed and AES-256 encrypted archive using the free program 7-Zip (http://www.7-zip.org).
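As an added example of the Day 15 step (this script is not from the original post), the shell functions below create a compressed, AES-256 encrypted 7-Zip archive with encrypted headers and then verify it. They assume the 7-Zip command-line tool is installed as `7z` (the p7zip package on most Linux systems); the sample file and password in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build and check an
# AES-256 encrypted 7-Zip backup archive. Assumes the `7z` command
# from the p7zip / 7-Zip package is on the PATH.

# have_7z: succeeds if the 7z command-line tool is available
have_7z() {
    command -v 7z >/dev/null 2>&1
}

# make_encrypted_backup ARCHIVE PASSWORD SOURCE...
# Creates ARCHIVE (a .7z file) containing SOURCE... encrypted with PASSWORD.
make_encrypted_backup() {
    archive="$1"; password="$2"; shift 2
    # -t7z    : use the 7z container; it is the only 7-Zip format that can
    #           encrypt the archive headers as well as the file contents
    # -mx=5   : normal compression (data is compressed before encryption;
    #           ciphertext does not compress, so the order matters)
    # -mhe=on : encrypt the headers too, otherwise file names and sizes
    #           are readable by anyone with the archive, no password needed
    # -p...   : the 7z format uses AES-256 for its password protection
    7z a -t7z -mx=5 -mhe=on -p"$password" "$archive" "$@" >/dev/null
}

# verify_encrypted_backup ARCHIVE PASSWORD
# Succeeds only if the archive opens with PASSWORD and every stored file's
# checksum matches; a wrong password or damaged media makes 7z exit non-zero.
verify_encrypted_backup() {
    7z t -p"$2" "$1" >/dev/null 2>&1
}

# headers_encrypted ARCHIVE
# Succeeds if listing the archive with a wrong password fails, i.e. the file
# names are hidden. Without -mhe=on the listing succeeds for any password.
headers_encrypted() {
    ! 7z l -pWRONG-PASSWORD-FOR-CHECK "$1" >/dev/null 2>&1
}
```

Passing the password on the command line exposes it to other users of the machine through the process list; for interactive use give `-p` with no value and 7-Zip will prompt for it instead.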
 
Day 16 – Make a list of all of your credit card numbers and the telephone number from the back of the card to call and report if your cards are lost or stolen. Store this list in a secure place.
 
Day 17 – Make a list of all your high value items (e.g. electronics, jewelry, firearms, collectables). Record the serial numbers, makes, models and other descriptive information. Include photos where appropriate. Include your automobile’s license plate number and VIN. Store this list in a secure place.
 
Day 18 – Improve your cybersecurity awareness by completing these three on-line courses from the DoD Information Assurance Support Environment (IASE):
Cyber Awareness Challenge (https://iatraining.disa.mil/eta/disa_cac2018/launchPage.htm)
Phishing Awareness (https://iatraining.disa.mil/eta/disa_phishing_v31_fy17/launchPage.htm)
Social Networking (https://iatraining.disa.mil/eta/disa_sn_v21_fy17/launchPage.htm)
 
Day 19 – Download a copy of TOR (https://www.torproject.org/). Start using TOR to protect your privacy and anonymity on-line.
 
Day 20 – Start using a Virtual Private Network (VPN) to improve your on-line security. Some VPN providers include: Private Internet Access (https://www.privateinternetaccess.com/), Nord VPN (https://nordvpn.com/), VyprVPN (https://www.goldenfrog.com/vyprvpn).
 
Day 21 – Consider Abine Blur (https://www.abine.com/index.html) and Privacy.Com (https://privacy.com) to protect your financial privacy.
 




Tuesday, October 17, 2017

Google Advanced Protection

 
 
Google has today launched a free, opt‐in program aimed at users who believe their Google accounts - such as Gmail, Drive, YouTube etc. - to be at particularly high risk of targeted online attacks. The Advanced Protection Program currently consists of three main elements: defending Gmail and Google account users against phishing attacks by requiring 2FA via a token generated by a hardware security key; locking down the risk of malicious applications grabbing sensitive data by automatically limiting full access to Gmail and Drive to just Google apps (for now); and reducing the risk of hackers gaining access to a Gmail account via impersonation by adding more steps to the account recovery process.
 
 
 


Monday, October 16, 2017

Governments Call for Breakable Encryption

 
 
 
Well, this is nothing new... but it is still concerning as the government continues to demand access to private communications. Now you may believe that the government's argument has merit, and that it should be able to access private communications with the appropriate legal process leading to a warrant issued by an impartial judge. However, that doesn't solve the problem because strong encryption is already available from sources outside the United States, such as JavaScrypt: Browser-Based Cryptography Tools (https://www.fourmilab.ch/javascrypt/), ProtonMail (https://protonmail.com/), and GnuPG (https://www.gpg4win.org/), just to name a few.
 
As with calls for gun control, calls for encryption control simply limit the ability of people who are committing no crimes, and who pose no threat to national security, to protect their own privacy. Groups of people using encryption to engage in organized crime or terrorist activities are not going to limit their use of strong encryption just because the United States government thinks that they should.
 
Of course the United States government is not the only one looking to prevent its citizens from having access to strong encryption:
 
"In a statement released recently by Australian Attorney General George Brandis and the Minister for Immigration and Border Protection Peter Dutton, the two officials called for weakening encryption standards and for increased sharing of surveillance between Five Eyes countries." (Deep Dot Web, July 2017)
 
"In an interview with the BBC, Home Secretary Amber Rudd called the use of end-to-end encryption communications offered by tech companies and used by terrorists as a "completely unacceptable" situation. Rudd insists organizations behind encrypted messaging systems should not "provide a secret place for terrorists to communicate with each other."" (Apple Insider)
 
"A leaked document reveals the UK government has drawn up yet further, disturbingly dystopian draft bulk surveillance powers, which would give authorities carte blanche to monitor citizens' live communications, and effectively illegalize encryption. A cybersecurity expert told Sputnik this has terrifying implications not merely for internet privacy. The rules would compel all communications companies — including phone networks and ISPs — to provide real-time access to any named individual's full content within a single working day, as well as any "secondary data" related to that individual, including encrypted content." (Sputnik News)
 
"After being threatened with a ban, it looks like Telegram is playing ball with Russia's government. Russian communications regulator Roskomnadzor confirmed in a statement [in June 2017] that Telegram, an app with over 100 million users globally, had submitted all required data and now works within the country's legal framework. The announcement comes after Russian authorities put pressure on the company on Monday to register itself with the government as an "organiser of information dissemination," saying the messaging app allowed terrorists to communicate secretly, with "high degree of encryption." Failure to do so would cause Telegram to be banned, authorities had threatened." (CNET)
 
The question is one of whether governments have a compelling interest in weakening encryption in the name of national security, or in order to fight organized criminal activity. Will preventing you and me from having strong encryption to safeguard our own privacy make us safer from criminals and terrorists? Government seems to think it will... do you?
 



Sunday, October 15, 2017

End-to-End Encrypted Messenger Apps

 
 
According to an article on BGR, “Just about anyone can read your private conversations if you use SMS”, and USA Today has said “Your texts are not as secure as you think”. Simply put, standard text messages are not secure: they can be intercepted and read by someone other than the addressee (your intended recipient).

Your cellular service provider also has the ability to intercept, store, and read your text messages. PC Magazine published an article “How Long Does Your Wireless Carrier Retain Texts, Call Logs?” that discussed the data retention policies of the major cellular service providers.
 
In order to protect the content of your “text messages” you should be using an end-to-end encrypted messenger. In order to send end-to-end encrypted messages, everyone with whom you communicate must have the same encrypted messenger. One of the most popular end-to-end encrypted messengers is WhatsApp (https://www.whatsapp.com). As of July 2017, WhatsApp had an estimated 1.3 billion active users. Because so many people use WhatsApp, and because of its easy-to-use interface, I recommend that you include WhatsApp among your messaging tools.

My personal favorites for end-to-end encrypted messengers are Wickr (https://www.wickr.com/) and Signal Private Messenger (https://signal.org). Other encrypted messengers that may be of interest are ChatSecure for iOS (https://chatsecure.org), Cyphr (https://www.goldenfrog.com/cyphr), and CoverMe (http://www.coverme.ws/en/index.html).
 
There are other encrypted messengers available, such as Telegram (https://telegram.org) and Viber (https://www.viber.com), and the one you choose is going to be tied to what others with whom you are communicating are currently using, or what you can get them to use. As you research the various messenger apps, be sure that you only use those apps that use end-to-end encryption. Almost all apps encrypt your messages in transit, but if the app does not provide end-to-end encryption then it is likely that your messages are stored in plaintext on the messaging server.
 
Facebook Messenger offers the ability to turn on end-to-end encryption using its Secret Conversation mode. I am not particularly a fan of the Secret Conversation mode, because it is not turned on by default and thus you must remember to select it at the start of every conversation. Still if you are going to use Facebook Messenger, you should make it a point to always use it in Secret Conversation mode.
 
If you use an iPhone, then your iMessages and FaceTime chats are end-to-end encrypted with other iPhone users. However, if the person with whom you are communicating is not using an iPhone (e.g. they have an Android or Windows phone), then your messages are just insecure text messages; and of course, FaceTime is not available to non-iPhone users.
 
Now it is important to understand that while end-to-end encryption protects the content of your messages, it does not necessarily protect the metadata of those messages. Someone who is able to monitor your cell-phone might be able to tell with whom you are communicating, but end-to-end encryption would keep them from knowing what you were saying.
 
Do a bit of research. Talk with friends and family with whom you regularly communicate by text message, and get everyone to use an end-to-end encrypted messenger. You may think that you have nothing to hide, and maybe this is true. But, saying that you don’t care about secure communications because you have nothing to hide, is kind of like saying that you don’t care about freedom of speech because you have nothing to say.