post

EFF: Encrypting the Web

Each year I donate to the Electronic Frontier Foundation (EFF) but did more in 2016 than ever before. You should donate too since they’re the ONLY digital legal watchdog that’s protecting our cyber rights!

post

Steve's Security Tips For Keeping Your Stuff Private

While discussing cyber security and online safety with clients, family and friends, I’ve had several of them ask me for guidance on how to secure their communications and web activities. While a thorough examination of all the detail surrounding privacy, security, and good online habits could be the length of a book, let me give you some of the basics along with a few links to learn more.

There are several reasons you should care about whether your online, digital communications and web surfing are private:

a) Tracking: Ever wonder how Facebook knows you just shopped for Corningware at Amazon and suddenly the ads on Facebook are displaying other bakeware companies? Would you be surprised to know that nearly all websites you visit set a little digital file called a “cookie”—a file that can prove to be very beneficial most times—but that some cookies are set by third party companies that do nothing but track ALL of your website visits (and much more) everywhere? 

b) Are You Naked on Public Wifi? If you ever connect to a public Wifi hotspot, you should know that it is trivial for a Wifi hotspot to be spoofed and you might have already inadvertently connected to it! There are also packet-sniffers that can view any unencrypted traffic going back and forth between your laptop or device and the Wifi router and some blackhat hacker can view it.

Want to see how incredibly trivial it is to create a man-in-the-middle attack and spoof a Wifi hotspot? Then read this article which should scare the beejesus out of you (it did me). It’s called Maybe It’s Better If You Don’t Read This Story on Public WiFi and its tagline is this:

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.

If after you have read that article you are still logging on to public Wifi hotspots without using a VPN, please comment below and give me your argument as to why you think it’s OK to get online with public Wifi and no VPN. I’ve yet to hear a single, valid reason why someone shouldn’t connect securely.

c) Government Surveillance: You’ve undoubtedly heard about Edward Snowden who revealed the vacuum mass surveillance apparatus in place by the National Security Agency and that they’re are scooping up ALL metadata about who called whom; what websites you visit and searches you perform; what texts you send; who your Facebook/Twitter and other friends are; what photos you post; and much more.

As a preview to what might very well happen here in the U.S. under a Trump administration, a new law just passed in the United Kingdom and it will give you a taste of what is probably coming to America…and soon…and why we all need to be more diligent about our privacy and security. The UK Now Wields Unprecedented Surveillance Powers — Here’s What It Means spells out what we could expect in the US in the near future:

The UK is about to become one of the world’s foremost surveillance states, allowing its police and intelligence agencies to spy on its own people to a degree that is unprecedented for a democracy. The UN’s privacy chief has called the situation “worse than scary.” Edward Snowden says it’s simply “the most extreme surveillance in the history of western democracy.”

The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and granted royal assent on November 29th — officially becoming law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary.

It is also probable that both the UK and the US will take steps to ban end-to-end encryption (one reason I use more and more services outside the US) and/or legally force companies to insert backdoors in their software so law enforcement can get in to the computer or device you own, especially without having to secure one of those pesky search warrants. It’s actually a lot more ominous than that, but writing much more about it is beyond the scope of this post.

Are you scared now?

You should be. I am, and I stay abreast of all of this every, single day. Read on for some specific tips and tricks to stay safe online.

Edvard Munch’s painting The Scream…and a few scared internet users

[Read more…]

post

Secure Your Communications *Before* Trump Takes Office

eff-ssdSeveral people I know have asked me for guidance on how to secure their communications prior to Trump taking office. The reason they are concerned is the same reason I am: The Trump administration could very well accelerate (or use extensively) the vacuum mass surveillance apparatus in place by the National Security Agency.

Electronic Frontier Foundation Guide
Here is the guide you should use for staying safe with email, chat, voice calls, if you’re at a protest, and so on.

eff-logoModern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.

The guide has an Overview if you’ve not yet secured your computer, tablet or smartphone, to Tutorials that include step-by-step guides on how to install software and tools, and finally with Briefings which are detailed guides for specific situations.

Bonus link from The Intercept: Surveillance Self-Defense Against the Trump Administration

Could Trump Accelerate the Use of NSA’s “Google for Private Communications?”

Illustration: Blue Delliquanti and David Axe for The Intercept

Illustration: Blue Delliquanti
and David Axe for The Intercept

Yes, possibly and perhaps even likely. I would say it is likely since the Trump administration people—especially those like the highly controversial pick of advisor to the president, Steve Bannon—won’t be able to help themselves with the power of the office and the tools at their disposal…so I am going to assume the answer is yes, they will.

One of those tools is XKEYSCORE, the name of the NSA’s Google-like search engine and one of the agency’s “…most powerful tools of mass surveillance (which) makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse.

The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

NOTE: All we actually know of XKEYSCORE is from 2013 and no one knows what advances have been made in the last three years. The deep concern is that the tool has become more powerful, and access could be as simple as logging in with a White House web browser. Imagine that someone’s full communications portfolio is instantly laid out for review by anyone wanting to know what you’re texting, browsing, who you’re calling and more, all at the click of a mouse.

Unless, of course, your communications are secure.

fairy2I hope I’m wrong and President-elect Trump becomes a centrist and moves away from his childish, vindictive behaviors. That hope extends to Trump stopping his being tone-deaf on what more than half this country needs from a president. But I don’t believe in fairy tales, magic, or that “God will make it OK” like many people I know believe.

Instead, my communications are already secure so I highly recommend you make your communications secure and do so right now…while you still can.

post

Why You Should Use The Signal App

hackerUnless you’ve been traveling in space for the last few years, you obviously know all about the mass surveillance by the National Security Agency and Edward Snowden‘s revelations, as well as the continued acceleration in security hacks globally.

Besides using a virtual private network (VPN) when you are on public Wifi (here is why a VPN is extremely important), I’ve found the simplest method for my family, friends and even clients is to use a super-secure, open source app on our phones called Signal by Open Whispher Systems.

Even non-geeks know that email is laughingly insecure, which is why this app is so important and how I use it:

a) My bookkeeper sends me important, private information over the Signal app.

b) I have clients send me passwords and credentials for their services.

c) Several of my friends and family members I’m connected to use Signal to send me messages that need to be secure. We often share items like passwords, especially when I’m helping one of them with some website or online application requiring me to login.

c) But what really sold me on Signal was when my wife was on a recent business trip to Hong Kong. Her hotel’s Wifi was set up to disallow the use of VPNs so she was not able to set up a secure, encrypted channel. This is because of what is euphemistically called the great firewall of China which the country uses to restrict what their citizenry has access to outside of China.

So my wife and I connected on Signal and, because the system has both private messaging and voice calling, we knew we would be secure and assured that some Chinese government flunky wasn’t eavesdropping on our messages or listening-in on our calls.

As I’d mentioned, Signal boasts highly secure private messaging using end-to-end encryption. In fact, the Signal protocol (the underlying technology) is being used by WhatsApp (though there are other insecurity issues with the app so I do NOT recommend using it). As of this writing, all other messaging apps (yes, even Apple’s Messages) have good security layers, but some are still accessible by the NSA’s warrantless surveillance activities, law enforcement, or possibly a system administrator at the app company.

End-to-end encryption (especially the way Signal implements it) means NO ONE can eavesdrop on your messages. Same thing with phone calls made via Signal due to its quality. When my wife and I were talking over Signal between Minnesota and Hong Kong I was pleasantly surprised with the quality of those calls while using the app on our iPhones (Signal is available for both iPhones and Android phones). It was better than if we had been talking over mobile connections (she was on good Wifi in her hotel, but often other voice-over-internet-protocol (VoIP) phones like the insecure Skype don’t sound very good).

SIGNAL FOR THE DESKTOP
signal-iconOnce you start using Signal you will probably come to the realization (like most Signal users do, I suspect) that it would sure be great to be able to use Signal on the desktop. Well now you can!

Signal is now an app for Google Chrome, the browser I use every day (Note: it does require that you have already set up Signal on your smartphone). Besides the computer version of Chrome, I also have two colleagues that use Chromebooks and now can use Signal on them.

You can connect the Chrome app with your smartphone’s Signal app by opening the app and instantly scanning a QR code. Once done you are connected and can even have your smartphone’s Signal app contacts imported in to your desktop version.

This is so easy to use and so secure that there really is no reason why you shouldn’t be using Signal right now.

post

Tinfoil Hat & Edward Snowden

tinfoil-hatsJust after the horrific tragedy of 9/11, I began to see quite disturbing things unfolding in the U.S. in the name of “security” that was (in my, and many other’s, minds) clearly trampling on the Constitution. Most of my friends teased me for several years about wearing a “tinfoil hat” to shield my brain, but then Edward Snowden came on the scene, ensuring that the unconstitutional domestic surveillance underway by the National Security Agency (NSA) was exposed.

Photo by Laura Poitras / Praxis Films

Edward Snowden
Photo by Laura Poitras, Praxis Films, under a CC BY 3.0 license.

While I was (and am) less disturbed by some of the global spying activities the NSA is performing—other than egregious hacking of world leaders’ mobile phones and such—there is no question that making U.S. citizens aware of the extent of the domestic spying was the first wake-up call for those ignoring the signs of the obvious, disturbing and unconstitutional activities going on.

After essentially reading every single news article and snippet about what Snowden (and others, I might add) have released to date, yes I believe Snowden did the world a great service and is a patriot. No, I don’t think he will get a pardon (yet) since it’s still too early on and Congress has not yet bothered to rein in the NSA in any meaningful way with regard to domestic spying.

The U.K. news organization The Guardian has an entire section called the NSA files which is likely the most comprehensive compendium of items sparked by Snowden’s whistleblowing document release. It’s a bit daunting to wade through, so I was intrigued this morning to see that Business Insider just compiled this bullet-point list of items Snowden had provided to select journalists that were released between 2013 and 2014. It’s pretty amazing to see them listed and realizing just how profound were these leaks and, in my view, extremely important. 

Here are just a handful of those links just to get you started:

  • The NSA accessed and collected data through backdoors into U.S. internet companies, such as Google and Facebook, with a program called Prism. — June 6, 2013
  • The NSA has a program codenamed EvilOlive that collects and stores large quantities of Americans’ internet metadata, which contains only certain information about online content. Email metadata, for example, reveals sender and recipient address and time but not content or subject. — June 27, 2013
  • Internal NSA document reveals an agency “loophole” that allows a secret backdoor for the agency to search its databases for U.S. citizens’ email and phone calls without a warrant. —Aug. 9, 2013
  • The NSA broke privacy rules thousands of times per year, according to an internal audit. —Aug. 15, 2013
  • Expanding upon data gleaned from the “black budget,” the NSA is found to be paying hundreds of millions of dollars each year to U.S. companies for access to their networks. — Aug. 29, 2013

Read more here at Business Insider

post

Why the "Wireless Passcode" AT&T?

UPDATE on April 2, 2016

attIt’s been quite awhile since I’ve had to call AT&T but I wanted to ask a question today since my wife is headed to Puerto Rico and was wondering if there was a roaming charge when she was in this unincorporated U.S. territory.

Calling in to customer service surprised me since I asked her, “Does AT&T charge roaming for mobile use in Puerto Rico?” but the rep wouldn’t answer until I gave her my name (since she could see my mobile number) and then the surprise: “What is your wireless access code?”

Huh?

I had no idea what this was and she explained that we couldn’t do anything over the phone without it, or in-store if I didn’t have a government issued photo ID with me. I WAS JUST NEEDING AN ANSWER TO A SIMPLE QUESTION for God’s sake. But no matter, we were stuck so I hung up and figured “the Google” would satisfy my needs.  [Read more…]

post

John Oliver on Encryption

John Oliver’s show Last Week Tonight talks about the Apple/FBI controversy and that strong encryption poses problems for law enforcement, but is weakening it worth the risks it presents? It’s…complicated.

post

Seriously Minneapolis StarTribune? "U.S. security at stake as Apple defies order"

Click for an update - 4:04pm
iphone-in-handTo say I was stunned reading this editorial in this morning’s Minneapolis StarTribune is an understatement. I rarely get fired up enough to write a letter to the editor, but this time I felt compelled since they got this so wrong and I’m embarrassed for them that they published this editorial.

I just sent them my rebuttal and I reprint it below with the StarTribune’s paragraphs in italics and green. Also, since the StarTribune apparently did little-to-no research, I’ve provided them with helpful links.

Curiously the StarTribune changed the linkbait-like editorial title in the online version by toning it down, perhaps realizing that characterizing it as “Apple defies order” is wrong: National security is at stake in Apple’s faceoff with feds.

U.S. security at stake as Apple defies order

Apple Inc., the world’s largest info-tech company, now stands in defiance of a federal court order, saying it will fight attempts to force it to help the FBI crack the iPhone of a San Bernardino terrorist involved in a major attack on U.S. soil that left 14 dead and 22 injured. Apple says the government is overreaching and would be setting a dangerous precedent.

The company is wrong on both counts, but the world of encrypted information is a complex one. It is worthwhile to proceed carefully, because this could prove to be a critical showdown in the growing clash between privacy and national security.

Your editorial, “U.S. security at stake as Apple defies order” was one of the most stunningly naive positions I’ve read yet when it comes to the controversy over Apple’s stand on weakening the encryption of one, single iPhone. A weakening that would instantly open a Pandora’s box of cyber threat problems of which you are obviously clueless and seemingly dismissed out-of-hand.

First, it should be noted that the government negotiated for two months with Apple executives. When those talks fell apart, Justice Department officials turned to a federal judge, who ordered the company to create a way to bypass the security feature on the phone. The FBI had obtained a warrant to search the phone and, not incidentally, the consent of the employer that had issued the phone to Syed Rizwah Farook.

First off, it should be noted that the FBI permitted San Bernardino officials to change the password on the terrorist’s iCloud account (rebutted by FBI, now blaming official) and only then, obviously realizing their mistake, requested Apple’s help. Had they not done so Apple has stated publicly it would have been possible to obtain the shooter’s iCloud backup data. Since this mistake was made, the FBI then negotiated with Apple to recover what they could. Discovering that doing so was not possible, and subsequently failing in convincing Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so they could break into the device without having it ‘wiped’ by its ten password attempt limit, the FBI then obtained a court order hoping to force Apple to create a method to do so.

Apple has complied with what Justice officials characterize as “a significant number” of government requests in the past, including unlocking individual phones. Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance operations. The company has continued to tighten its security systems and decided to no longer maintain a way into individual phones. Farook’s iPhone 5c was among those with a 10-tries-and-wipe feature that essentially turns it into a brick if too many false passwords are entered. Newer operating systems employ ever-more-sophisticated security features.

The government’s authority to get private information, such as texts, photos and other stored data, through a warrant is not at issue. The key here is whether the government can compel a private company to create a means of access that the company contends will weaken its premier product.

Cook maintains that creating a “master key” to disable security on Farook’s phone ultimately would jeopardize every iPhone. With more than 100 million in use across the country, that is no small threat. There are, however, technology experts who say Apple could create a bypass — allowing for what’s called a brute force hack — without affecting other phones.

With respect to your position on Apple’s creating this sort of “bypass” for this single iPhone, all while acknowledging this is not a “small threat” for the 100 million iPhones already in existence, you then opined, “There are, however, technology experts who say Apple could create a bypass” “without affecting other phones.” This is your supposed justification for minimizing the threat of putting in a backdoor (or what you euphemistically characterize as a “bypass”) for those 100 million+ iPhones already in existence? Who are these so-called “experts” anyway?  [Read more…]

post

Mac Ransomware is Close & You're at Risk

macuserAs Mac users, most of us have been quite smug about the fact that our operating system isn’t as vulnerable to trojans, malware and ransomware as those other guys running Windows. While mostly still true, the growing popularity of Macs means that we users of OS X are A LOT more at risk than ever before.

The first Mac OS X ransomware has been demonstrated by a Brazilian cybersecurity researcher Rafael Salema Marques (see Mabouia, the first crypto-ransomware for Macs arrives). Since the concept is now out, it’s just a matter of days or weeks before we see some malware like it in the wild. The security software and services firm, Symantec, has confirmed the concept is real and would work.

[Read more…]

post

Backing Up Your Digital Life

firefighters

You are probably like me when it comes to backing up computers and digital devices: It is SUCH a pain-in-the-butt that only the terrified-of-disaster actually take any action. Make sure you look at the Newegg deal at the bottom of this post (and no, I’m not an ‘affiliate’ and get nothing from Newegg for linking to the deal).

Fortunately I’ve never had a house fire but have experienced multiple hard drive failures over the years. Only once, 10 years ago, did I have a hard drive crash to the point where it was unrecoverable. Ever since I’ve been of the mindset that hard drive failures and disasters are not a matter of “if” but rather “when”.

During that 10 years, however, I’ve heard so many personal stories of drive failures (or stolen drives), house or business building fires, a laptop accidentally being dropped overboard while on a cruise ship (and it contained vital, one-of-a-kind business planning documents), that I get after friends, family, and colleagues to backup; backup; and backup!

mom-n-kidAfter hearing one of those stories this past April, I wrote Your Mom DEMANDS That You Backup Your Computer! to see if it would kickstart conversations. It did, but specifically the two friends I was hoping would backup their mission-critical files, tens of thousands of one-of-a-kind digital photos, and other irreplaceable digital stuff….did nothing.

What happens if you have a fire in the house? Or the fireman spray water all over your office—even though the fire hasn’t yet reached in to it—and effectively ‘drowns’ your computer and drives?

Basically you’re screwed. Unless… [Read more…]