This morning the U.S. Supreme Court ruled that police must obtain a search warrant in order to get access to cellphone location information.
This is HUGE and a big win for anyone who cares about intrusive, mass, warrantless surveillance that is, by any measure, illegal searches and (data) seizures.
Chief Justice John Roberts sided with the “liberal” justices (ones I instead use the adjective “strategic” to describe). This National Public Radio (NPR) story, “In Major Privacy Win, Supreme Court Rules Police Need Warrant To Track Your Cellphone,” put it succinctly:
The majority declared that the Fourth Amendment guarantees an expectation of privacy and that allowing police to obtain moment-by-moment tracking of an individual’s cellphone location is a kind of surveillance that the framers of the Constitution did not want to occur without a search warrant.
The chief justice said that this sort of tracking information is akin to wearing an electronic ankle-bracelet monitoring device and that the citizens of the country are protected from that kind of monitoring unless police can show a judge that there is probable cause of a crime that justifies it.
The 2014 Edward Snowden revelations about mass, warrantless surveillance of U.S. citizens — which was being performed by the signals-intelligence-focused National Security Agency (NSA) — were an enormous concern both domestically and internationally, as the NSA’s clear mission was to focus only on foreign signals intelligence while excluding spying on American citizens. The outcry domestically and internationally reached a fever pitch…but little was revealed on what was being done to stop mass, warrantless surveillance.
Then some of Snowden’s document releases were published and it was revealed that all of this vacuumed-up data had a “Google-like search engine” that could be used to scour all data for an individual or group. Somehow the Drug Enforcement Agency (DEA) and other law enforcement agencies were being provided with data that couldn’t be challenged in court due to “national security concerns,” so the extent of data being swept up has never been completely understood.
The bottom line? The accelerating “surveillance State” was already out of control and Congress seemingly turned a blind eye toward it and extended its capability.
Though it has taken too many years for the Supreme Court to weigh in on the Constitutionality of warrantless surveillance, the explosion in law enforcement’s use of cellphone tracking devices like Stingray meant that warrantless tracking by police agencies was low-hanging fruit for the court to address.
In my mind it’s too little, too late…but it’s a start.
Email is your most important application whether you access it in a web browser or with an app on your smartphone or tablet. If your email gets hacked, it is trivial for a blackhat hacker to go to your online accounts with a bank, stock brokerage, ecommerce site, and reset your passwords…
…and then gain control of all your accounts!
But you can easily and quickly protect your email. In the case of Gmail, you can set up another layer of protection: two-factor authentication (2FA…also called 2-step verification). 2FA makes your smartphone an additional, secure method of proving it is you trying to log in to your Gmail. If you set 2FA up and turn it on, a hacker would have to have both your email password and your smartphone in order to gain control over your email account!
There is a new tool for hacking into an iOS device (i.e., iPhone or iPad) that you should be aware of, and it is why you should change your password NOW…but also make it a strong one.
A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors.
Matthew Green, assistant professor and cryptographer at the Johns Hopkins Information Security Institute, said on Twitter that GrayKey has an exploit that disables Apple’s passcode-guessing protections (i.e., SEP throttling) AND that a 4-digit passcode can be cracked in as little as 6.5 minutes on average, while a 6-digit passcode can be cracked in roughly 11 hours:
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Another Motherboard article emphasized that you should immediately Stop Using 6-Digit iPhone Passcodes and yes, you should.
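The tweet's figures all follow from a fixed cost of about 0.08 seconds per guess (10^6 guesses in roughly 22.2 hours). The script below is an added example, not part of the original post or the tweet: it reproduces that table and extends it to the longer alphanumeric codes iOS also accepts. It assumes a uniformly random passcode and defeated throttling, as the tweet does, and its function names are illustrative.

```python
import string

# Assumption: 0.08 s per guess, back-derived from the tweet's figures
# (10**6 guesses in ~22.2 hours). It applies only while an exploit has
# defeated guess throttling, and only to uniformly random passcodes;
# human-chosen codes (dates, patterns, words) fall much faster.
SECONDS_PER_GUESS = 0.08
SYMBOLS = "!@#$%^&*()"  # the special characters the post lists
YEAR = 365.25 * 86400


def alphabet_size(passcode):
    """Size of the character set a passcode draws from (other characters are ignored)."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase, SYMBOLS)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in passcode))


def crack_seconds(alphabet, length, rate=SECONDS_PER_GUESS):
    """(worst, average) seconds to try every passcode of this alphabet and length."""
    worst = alphabet ** length * rate
    return worst, worst / 2


def min_length(alphabet, target_years, rate=SECONDS_PER_GUESS):
    """Shortest random passcode whose average crack time reaches target_years."""
    guesses_needed = 2 * target_years * YEAR / rate
    length = 1
    while alphabet ** length < guesses_needed:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the same units the tweet uses."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print("Random decimal passcodes (same figures as the tweet):")
    for digits in (4, 6, 8, 10):
        worst, avg = crack_seconds(10, digits)
        print(f"  {digits:>2} digits: worst {humanize(worst)}, average {humanize(avg)}")

    print("Length needed for a 100-year average crack time:")
    for label, sample in (("digits only", "0"), ("lowercase letters", "a"),
                          ("letters + digits", "aA0"),
                          ("letters + digits + symbols", "aA0!")):
        size = alphabet_size(sample)
        print(f"  {label:<27} ({size:>2} chars): {min_length(size, 100)} characters")
```

The second table is the practical takeaway: moving from digits to a mixed character set shortens the code you have to remember for the same resistance, provided the code is genuinely random.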
Why a Long, Secure Password Now?
Security and convenience are always a trade-off. But I’ve set up a password for my devices that, according to this password checker, will take 44 thousand years to crack BUT it is easy for me to remember, and to use, as my iOS “custom alphanumeric code.” This password has numbers, upper/lower case letters, along with a few special characters (e.g., !@#$%^&*()).
Do I have something to hide? Nope. But the reason I lock my front door, have security cameras and an alarm system, and don’t invite random people in to dig through my drawers or important papers in filing cabinets, IS THAT MY STUFF IS *MY* STUFF AND PRIVATE! I intend to keep it that way so I protect the shit out of things I want to keep private AND SECURE.
If you travel outside the U.S. like my wife or I do and come back in with your device, TURN IT OFF. That is because U.S. Customs is increasingly grabbing travelers’ devices and disappearing with them to a back-room, apparently to hook them up to a device to suck off all the data. While this hasn’t yet directly affected U.S. citizens, there is nothing stopping other countries from doing the same thing.
Plus, once all of your data is captured, there are enough cracking resources available to government agencies to be able to take their time to crack your device data they have previously stored. It might take them a year or, after quantum computing becomes a reality (if it isn’t already real) in the next several years, those times to crack may be reduced to minutes instead of days or years.
Police agencies within the United States may also be less adherent to the U.S. Constitution and Bill of Rights when it comes to the gray area surrounding digital search and seizures, even though in 2014, the U.S. Supreme Court addressed two cases, Riley v. California and United States v. Wurie, dealing with cell phone searches and the search incident to arrest exception to the warrant requirement. During searches incident to arrest, the high court has not required warrants under certain circumstances where protecting officer safety and preventing evidence destruction are at issue. For more, read this at FindLaw.
The U.S. Border Patrol also could be in a position to do whatever they damn well please — within 100 miles of the U.S. border — as you can see from this article at the American Civil Liberties Union (ACLU):
What Can You Do?
- How to Create a Password You Can Remember
- Four Methods to Create a Secure Password You’ll Actually Remember
- Know Your Rights is a good primer; read it now at the Electronic Frontier Foundation and download their printable “pocket guide” here.
The Department of Homeland Security (DHS) is doing something unprecedented for a tactical government bureau: they just released a draft request for companies to bid on their “Media Monitoring Services.” This request from DHS seeks a firm that could build them a searchable database that has the ability to monitor up to 290,000 global news sources:
Services shall enable [the DHS’s National Protection and Program’s Directorate] to monitor traditional news sources as well as social media, identify any and all media coverage related to the Department of Homeland Security or a particular event. Services shall provide media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.
They’re claiming “standard practice” but DHS is NOT an intelligence service and global monitoring is what the National Security Agency performs as does the Central Intelligence Agency. WTF is DHS going to do with this sort of database? Why do they need “media influencers” and “bloggers”? The request specifically requests:
24/7 Access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.
Most troubling was their intent to have this database indicate what the coverage “sentiment” is:
[The database shall have the] ability to analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, AVE, top posters, influencers, languages, momentum, circulation.
Why am I concerned and bringing forth a story like this one? Because our Department of Homeland Security potentially has an enormous tactical advantage set forth in the Constitution that could allow them to subvert our protections under that very Constitution and our Bill of Rights. Don’t believe me or think I’m paranoid? Then read this about our Constitution and the 100-mile border zone that DHS could essentially do whatever they damn well please within, like searching our “sentiments” when within a border zone and restricting our movements if we’re deemed a threat to homeland security.
To say the shit-hit-the-fan after this release is an understatement. Here is a Google search that has articles from Forbes, Bloomberg, CBS News, CNN, Chicago Sun-Times, and a host of others. Here is a Twitter search to allow you to read thousands of tweets questioning why in the world DHS needs such a database.
Many of us “bloggers” also leapt on this story as it is clearly easier for DHS to level suspicions at us. It’s also significantly easier to intimidate an individual than it is an institution filled with journalists like CBS News or CNN.
That said, other government agencies, like the FBI, have adopted secret rules to spy on journalists who publish classified information and hunt down their anonymous sources.
While all the articles I read were questioning the ‘why’ behind having this database, DHS’ spokesperson, Tyler Q. Houlton, had this to say in response to their sh*t hitting media’s fan:
Despite what some reporters may suggest, this is nothing more than the standard practice of monitoring current events in the media. Any suggestion otherwise is fit for tin foil hat wearing, black helicopter conspiracy theorists. https://t.co/XGgFFH3Ppl
— Tyler Q. Houlton (@SpoxDHS) April 6, 2018
My gut tells me that the “why” behind this database is that DHS wants to have a searchable one so they can perform quick lookups for those crossing our borders, being stopped at checkpoints, and potentially for those of us who happen to be within 100 miles of any border.
Read the bid yourself below or download it here: RNBO-18-00041_SOW_-_Draft (1)
Staying secure with our communications is finally easy and, only recently, Signal added a computer-client for Mac, Windows and Linux which ties to your smartphone’s Signal app and works flawlessly.
Using encryption for your critical communications has always been a challenge, even for those of us who are hard-core technoweenies. But all that changed when an American computer security researcher and cypherpunk named Moxie Marlinspike created the Signal protocol and later an app called Signal (which is available here for iPhone, Android or desktop/laptop computers).
Signal is widely regarded as the most secure and easiest to use encrypted texting and calling application. It’s a vital tool for journalists, whistleblowers, and ordinary citizens. But it is also so good that the U.S. Senate approved the use of Signal by its staffers due to its end-to-end encryption and bulletproof security.
Even WhatsApp, the communication app that boasts well over 1 billion users, leverages the Signal protocol as the underpinnings of their wildly successful messaging platform.
Why should you use it? With Signal you can send high-quality group, text, voice, video, document, and picture messages anywhere in the world without SMS or MMS fees (obviously you need an internet connection on your phone or computer). But rather than re-hash all the reasons why you should use it, take a peek at a post I wrote in October of 2016 that will detail Why You Should Use the Signal App.
Don’t just take my word for it though:
After Equifax finally revealed that they had been breached and personal credit information (and credit card numbers) on as many as 143 million Americans had been stolen, they created EquifaxSecurity2017.com for information and enrollment which, as it turns out, should have been named EquifaxINSECURITY.com.
Why? It’s because I tried to sign up and their web application for TrustedID did not come up, returned an error, and then finally displayed after two minutes without a theme! As you will see from the screenshots below, someone like me with A LOT of cyber security knowledge is concerned: even though I did verify that their certificates were valid, my Equifax trust level is very, very low.
View five screenshots of why this failed and why even I, someone with the skills to determine if this is a real app loading from Equifax, don’t trust it:
Regardless of browser-type used, I’ve always been **extremely** cautious about loading extensions, especially if they’ve been created in God-knows-what-country and ask for permissions that are worse than leaving your front door open with the key in the lock!
There have been a number of compromised extensions recently in Chrome (see “Attackers Go on a Chrome Extension Hijacking Spree” – Several More Compromised) and other browsers are not immune. But it’s this recent spate of Chrome-based extension compromises that is the biggest worry.
How-To Geek just published Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them and it is absolutely worth a read, especially with warnings like this:
“Modern web browsers like Google Chrome and Microsoft Edge have a permission system for extensions, but many extensions require access to everything so they can work properly. Even an extension that just requires access to one website could be dangerous, however. For example, an extension that modifies Google.com in some way will require access to everything on Google.com, and therefore have access to your Google account—including your email.
These aren’t just cute, harmless little tools. They’re tiny programs with a huge level of access to your web browser, and that makes them dangerous. Even an extension that only does a minor thing to web pages you visit may require access to everything you do in your web browser.”
So either don’t load extensions or be very, very, very careful when you do so.
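One way to act on that warning, as an added example that is not from the original post or the quoted article: the script reads Chrome-style `manifest.json` files and reports which extensions can touch every site and which specific sites the rest can read. The two sample manifests are constructed, and the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# Chrome match patterns that cover every website.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
BROAD_SAMPLE = {"manifest_version": 2, "name": "Constructed Page Tweaker",
                "permissions": ["tabs", "storage", "<all_urls>"]}
NARROW_SAMPLE = {"manifest_version": 3, "name": "Constructed Search Restyler",
                 "permissions": ["storage"],
                 "host_permissions": ["https://www.google.com/*"],
                 "content_scripts": [{"matches": ["https://www.google.com/*"],
                                      "js": ["restyle.js"]}]}


def host_patterns(manifest):
    """Collect every host match pattern the extension asks for."""
    found = set()
    # Manifest V2 lists host patterns inside "permissions";
    # Manifest V3 moved them to "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry):
                found.add(entry)
    # Content scripts run inside every page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return sorted(found)


def host_of(pattern):
    """'https://*.example.com/*' -> '*.example.com' ('' if there is no scheme)."""
    if "://" not in pattern:
        return ""
    return pattern.split("://", 1)[1].split("/", 1)[0]


def audit(manifest):
    """Summarise how much of the web one extension can read and modify."""
    patterns = host_patterns(manifest)
    broad = [p for p in patterns if p in ALL_SITES or host_of(p) == "*"]
    sites = sorted({host_of(p) for p in patterns if p not in broad})
    return {"name": manifest.get("name", "?"), "all_sites": bool(broad),
            "broad_patterns": broad, "sites": sites}


def audit_tree(root):
    """Audit every manifest.json under a browser profile's extensions folder."""
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            # "name" may be a localisation placeholder such as __MSG_appName__.
            yield path, audit(manifest)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an extensions folder supplied by the user
        results = [r for _, r in audit_tree(sys.argv[1])]
    else:
        results = [audit(BROAD_SAMPLE), audit(NARROW_SAMPLE)]
    for r in results:
        scope = "EVERY SITE" if r["all_sites"] else ", ".join(r["sites"]) or "no sites"
        print(f"{r['name']}: {scope}")
```

Even the narrow sample illustrates the quoted point: an extension limited to `www.google.com` still sees everything on that site while you are signed in.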
The team of scientists and engineers that came out last year with the wildly successful end-to-end encrypted email service, ProtonMail, has now officially made public their new highly secure (and very fast!) virtual private network (VPN) called ProtonVPN.
As a ProtonMail user I’ve been incredibly pleased with the service and its security and this morning I signed up for their newest offering, ProtonVPN. I did so mainly because of the features, but also because it’s from a company I trust and, as a beta user, found it to be fast, robust, secure, and rock-solid.
I’m also stunned by how quickly they’ve nailed the key features needed in both email and VPN to keep us private and secure. A big plus also is that the company, Proton Technologies AG, is based in Switzerland, a country whose laws favor privacy, security and non-disclosure which is the perfect place to headquarter the firm:
“ProtonMail was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. Since then, ProtonMail has evolved into a global effort to protect civil liberties and build a more secure Internet, with team members also hailing from Caltech, Harvard, ETH Zurich and many other research institutions.
Today, we help our community of millions of users secure their private data online. More than 10,000 supporters have assisted us in this mission by donating to make this project possible. Thanks to your support, we are continuing to develop state of the art email privacy and security technology from our home base of Geneva, Switzerland.”
ProtonVPN has several key features that are a bit geeky, but have turned my head as someone who is deep into cyber security:
- Secure Core: This architecture gives their secure VPN service the unique ability to defend against network based attacks. Secure Core protects your connection by routing your traffic through multiple servers before leaving their network. This means an advanced adversary who can monitor the network traffic at the exit server will not be able to discover the true IP address of ProtonVPN users, nor match browsing activity to that IP.
- Strong Encryption: All your network traffic is encrypted with AES-256, key exchange is done with 2048-bit RSA, and HMAC with SHA256 is used for message authentication which means it is VERY secure.
- Forward Secrecy: The encryption cipher suites they use only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, ProtonVPN generates a new encryption key, so a key is never used for more than one session.
- Strong Protocols: They exclusively use VPN protocols which are known to be secure (OpenVPN and IKEv2). Though I’m not a cryptographer, every cryptographer I follow online swears by both of those protocols, which have been examined and certified secure by top cryptographers all over the world.
- Physical Security: The company has gone to extreme lengths to protect ProtonVPN’s Secure Core servers to ensure their security. Critical infrastructure in Switzerland is located in a former Swiss army fallout shelter 1000 meters below the surface. Similarly, their Iceland infrastructure resides in a secure former military base. Their servers in Sweden are also located in an underground datacenter. By shipping their own equipment to these locations, they ensure that the servers are also secure at the hardware level.
Other Key Features Include:
- Open Source: Goes without saying that their transparency level is very high and having their software reliant on open source software examination and certification is a big selling point for any of us.
- No Logs Kept: Under Swiss law they don’t have to keep them so they do not.
- DNS Leak Protection: They ensure that your browsing activity cannot be exposed by leaks from domain name service (DNS) queries.
- Kill Switch: Their desktop and mobile applications come with a built-in Kill Switch feature which will block all network connections in the event that the connection with the VPN server is lost.
- Tor VPN: ProtonVPN comes with Tor support built-in. Through their selected Tor servers, you can route all your traffic through the Tor anonymity network and also access dark web sites. This provides a convenient way to access Onion sites with just a single click.
Take a look at their pricing page. They have a free offering (which is currently shut down due to the overwhelming response and signups this week) and I signed up for the “PLUS” level today since, as a current ProtonMail user, I got a bit of a larger discount on both ProtonMail and ProtonVPN as a bundle.
I need to end with this: I’ve analyzed more than a dozen of the top VPN providers and previously chose Private Internet Access (which I still have active since I’m paid through April of 2018) and, especially for the non-geeks out there, it’s still the easiest to use, they keep no logs, have the most data centers, and it still has my strong recommendation.
But if you’re extra-serious about your VPN — or have specific needs to be highly secure when online — I’d absolutely recommend you immediately go and sign up for ProtonVPN.
My daughter sent me an email last night asking me if an app called Disconnect might work to help keep her safe online, especially since she has experienced her virtual private network (VPN) connection slowing down her online activity.
Here is some of what I emailed to her and thought I’d expand it a bit and post it as it might help you too.
A VPN’s encrypted tunnel does have overhead so it will slow down your internet connection. No way around that and there are always trade-offs like this in order to have good security. A VPN’s encrypted “tunnel” through your internet connection — for your traffic to travel through — typically requires using 10-15% of your internet connection’s bandwidth, but it’s worth it almost all of the time.
One tradeoff many of us make is using good, hard to remember, and always different passwords for every website and app we use. Doing so is very challenging as is keeping track of them (which is why using a password manager like LastPass is so important).
That Disconnect app is just a tracking blocker, but it does offer a VPN in their Premium version for both blocking trackers and keeping traffic encrypted and somewhat anonymous (and it’s good to see that Disconnect does not keep logs of your VPN traffic and use). Disconnect’s VPN will slow down your internet connection just like any VPN does, but I haven’t done a side-by-side comparison between Disconnect’s VPN and the one we use.
Our chosen VPN is Private Internet Access (PIA), a provider that also keeps no logs and has 3,194 servers in 36 locations across 24 countries. Our entire family (and our business) uses PIA. Unless one uses the Disconnect Premium with their built-in VPN, your ISP and trackers can still know where you go and what your iPhone’s apps do (i.e., websites you visit; connections your phone makes through apps; etc.).
My preference is to use best-in-class tracking blockers and a VPN, but want to keep them separate (e.g., Disconnect’s Premium product is $5 per month or $50 per year for only 3 devices while PIA’s is $6.95 per month or $39.95 for a year but they allow up to 5 devices).
Just know that, even with all of the measures I’m going to outline below, you always, always want to use a VPN when you connect to public Wi-Fi (as well as a few other things) regardless of whether you are only concerned about being tracked while online.
Also, understand that there isn’t anything that is 100% foolproof. Cyber security is an “arms race” and as the good guys build better defenses, the bad guys are building better hacking/cracking and tracking tools. For example, the tech news site Ars Technica had this comprehensive article about how sites can still fingerprint you online even when you use multiple browsers, so do your best to stay as untracked and anonymous as you can.
By now you should have heard at least something about the WannaCry ransomware attack that’s been going on over the last few days. When I ask people about it and what they know, most have vague responses like, “those computers must be old or not updated” or “people were stupid and did something wrong.”
While both have some truth in them, this analysis by Richard Clarke* about an ABC News story on WannaCry had one of the best paragraphs describing the #1 problem I’ve been mad about for years, which was the root cause of this cyberattack: namely, that the NSA is not disclosing so-called zero-day vulnerabilities so companies can fix them (zero-days are ones that aren’t yet known to the vendor):
First, America’s own National Security Agency (NSA) found the vulnerability in Microsoft Windows that would permit a hacker to gain control of a device. When the agency found that vulnerability, it should have told Microsoft right away, so that the error could have been fixed as part of the regular monthly “patching” program without calling attention to it.
Yep. The NSA should have told Microsoft right away so they could patch the vulnerability but then the NSA couldn’t use it themselves. The NSA has a long history of not disclosing vulnerabilities though the NSA chief claims they do disclose 91% of them (which means they likely keep the good stuff, the other 9% that are devastating like WannaCry has been when leaked, to themselves).
Clearly there needs to be a balance, as this Georgetown Security Studies article suggests, between national security and actions that cause national weakness, which I would argue the NSA is doing by keeping vulnerabilities to themselves. The NSA could go a long way toward protecting the American people by disclosing vulnerabilities that are obvious to them and potentially crippling to our nation, as well as not being breached and having their tools stolen.
That Georgetown article had these words to say about the United States’ Vulnerabilities Equities Process (VEP) that should compel the NSA to be more forthcoming, but it contains a loophole that anything before 2014 doesn’t have to be disclosed (which is millions upon millions of computers and servers running older versions of operating systems and software):
Established under President Barack Obama in 2014, the Vulnerabilities Equities Process (VEP) is an interagency framework used to determine whether the US government and its contractors should disclose software and hardware vulnerabilities to the public and private sector or foreign allies.
The public and private sector have increasingly called for full transparency of the VEP and disclosure of all known exploits. According to the National Security Agency (NSA) Director Admiral Michael Rogers, the NSA shares more than 90% of the vulnerabilities it discovers. However, the VEP currently provides a loophole that exempts any vulnerabilities discovered before 2014 from the vetting process. This is problematic for transparency given the long shelf life of a zero-day.
Sadly, I don’t think the current White House administration will do anything to thwart the NSA’s runaway, do-anything-they-want agenda. Transparency is certainly not their forte so my expectations are low.
Let’s hope Congress steps in and helps drive national cyber security a little harder when it comes to the NSA actually caring about national internet security vs. just performing signals intelligence while the nation’s I.T. infrastructure is hacked.
This WannaCry ransomware attack is a wake-up call to this nation (and the world) that all of the intelligence agencies (we’re looking at you too, CIA) had better start helping the world instead of acting like a bunch of high school hackers exploiting whatever weakness they can before they are found out and get caught.