Category: Security

Computer Security

  • Free encrypted webmail service Tutanota

    Tutanota, meaning secure message in Latin, is a German-based free webmail service with end-to-end encryption. Your email messages, attachments and subject lines are all encrypted in your browser using JavaScript, with a cipher combination of 2048-bit RSA and 128-bit AES, before any data is uploaded to Tutanota's mail servers in Germany. The encryption keys remain in your hands at all times: the company cannot see anything in plain text, it cannot restore your password or reset your account, and anybody who forgets their password loses access to their messages.

    If German authorities ever serve Tutanota with a court order to hand over a customer's inbox content, the company will of course comply with the warrant, but all it will be able to deliver are ciphered files with no decryption key. According to the email exchange I had with Matthias Pfau, one of Tutanota's founders, they do not log IP addresses and only keep timestamps; these details are stored anonymously without any reference to your user account. Each mail in your inbox also contains the addresses of the recipients in clear text, kept until you delete the email. Tutanota has some ideas about how to hide the recipient addresses, but they have not been implemented yet.

    [Image: Encrypted webmail Tutanota]

    You can open a Tutanota email account with minimal details: choose a username and password and that is it. During the very short registration you will find a link to a Wikipedia page with instructions on how to choose a strong password, and a coloured meter on the page lets you know if your password is strong enough to withstand brute force attacks.

    I appreciated the clean, smooth webmail interface giving one-click access to the different tabs and folders, with a security tab where you can see a list of the successful and failed account logins with timestamps. No computer IPs are associated with customer accounts, since no IP logs are kept.

    Sending an encrypted email in Tutanota is effortless; it does not require customers to manage encryption keys or know much about security. The system is compatible with insecure email services like Gmail or Yahoo. When you send a secure email to somebody who is not on Tutanota, instead of receiving the full text they receive a message with a link inviting them to visit Tutanota's servers to read the encrypted email, which is only readable with the correct password and is decrypted locally in the browser.

    By not sending the email message body, any organisation monitoring Internet traffic will not be able to intercept a copy of the encrypted data. A terrific way to stop mass surveillance on the Internet is to never let the data out on the wild web. This is the same approach CIA director General Petraeus used to communicate during an extramarital affair: he used a dead drop email account and never allowed messages to travel across the Internet.

    One can assume that the CIA director has the classified knowledge to know how best to avoid surveillance, and presumably General Petraeus applied that privileged information to protect his own life; it is possible to learn a lot by observing the experts and copying them.

    [Image: Tutanota encrypted email exchange]

    Tutanota's free email service is a major improvement over the dead letter box communication system: the company adds an encryption layer, and the people you communicate with do not have to change anything; they can securely reply to you from the same window in which they read the received message.

    Another important security fact about Tutanota is that they hired a German penetration testing company called SySS to try to find security vulnerabilities in their mail service, such as cross-site scripting. Tutanota was given an all-clear certificate attesting that during the network scan and manual hacking attempted by the security experts it was not possible for SySS to access any confidential data. If that is not reassuring enough, Tutanota's source code is available for download, released under the GPL license; you can use it to build your own email client or check it for bugs.

    The zero-knowledge approach of this email service, its no-logs and no-decryption-keys policy, its location outside of the UK and USA, and its very easy registration and use make Tutanota one of the best alternatives to Hushmail. If I have to complain about anything, it is that, not being German myself, I do not like getting a .de email address (@tutanota.de); I would prefer a .com domain to stop people from assuming I am German.

    This security model is the future. Spy agencies are not going to stop monitoring data travelling across the Internet, so you just don't send it; leave it on the server for others to fetch. Superb.

    Visit Tutanota homepage

  • Open source P2P EMP encrypted messaging

    Recently released for testing, EMP is a multi-platform, open source P2P messaging system with encryption. There is no central server; everything runs on your computer, and the technology is similar to that of Bitmessage.

    EMP has a clean tabbed interface that opens in your Internet browser; the toolbar address is http://localhost:8080 (yourmachine:port), and you will see tabs named Inbox, Outbox, Sent and MyAddresses. The Inbox tab contains a list of the messages you have sent with the timestamp and the cryptic EMP receiving address, with a Status column indicating if the message has been read.

    [Image: EMP Encrypted Messaging Protocol]

    I downloaded the Windows version of EMP on Windows Vista and I was only able to install it after right-clicking on the program and running it as administrator. Then you click on the desktop shortcut and your Internet browser launches, asking you to enter the username and password RPC credentials that "should be located" in ~/.config/emp/msg.conf.

    The notice seems tailored to Linux users; after tinkering around Windows, the real place where I found the msg.conf file was inside Program Files (x86)/EMP, and editing it with Notepad shows user = "rpcUser" and pass = "rpcPass". Another thing is that you will have to remove the software from your computer manually: I could not see any EMP uninstall entry in the Windows control panel, so if you want to delete this program from your computer go to /Program Files (x86) and erase the full EMP folder.

    The main difference between EMP and Bitmessage appears to be that EMP has been built for performance: the client has been written in Go, also called golang, a programming language designed for simplicity, and EMP purges the network of read messages. EMP is also modular; it can be embedded in other applications as part of a communication suite. Bitmessage has in its favour that it hides metadata; I can't tell if EMP also does, as at the moment they have no documentation.

    Security-wise, AES-256 is used for encryption, and being open source means that others can review the code to find bugs. I don't think it is a bad platform, but I can't see any substantial reason why an average person would want to switch from Bitmessage to this new platform.

    Visit Encrypted Messaging Protocol

  • The best XMPP/Jabber servers for anonymous chat

    Jabber/XMPP is a decentralised instant messaging system using the open XMPP protocol; there is no central server that could be compromised, and the multiple nodes form a resilient and hard-to-monitor infrastructure. Dozens of XMPP servers, encryption and its open source nature make XMPP much harder to wiretap or shut down than cloud-based Google Hangouts, Yahoo Messenger or Skype, all USA companies known to have an NSA backdoor.

    One of Jabber/XMPP's main vulnerabilities is that the server you are connected to may not be trustworthy. This is a list of XMPP servers with the best privacy policies:

    5th July XMPP: A Swedish privacy foundation promoting free speech worldwide. Among other services they provide an open XMPP server with Off-The-Record Messaging (OTR) support, hosted in Sweden and with logs turned off. They warn you that file transfers are not encrypted; only text conversations are.

    Calyx Institute: A not-for-profit privacy and cyber-security foundation running a public Jabber/XMPP server that does not create any records of who you communicate with or keep logs of the content of any communications. This server forces you to use OTR (Off-the-Record Messaging), a cryptographic plugin that stops the server administrator from accessing the plain text of your communications.

    Dismail.de: A free public server located in Germany; you can register for an account using the web interface or your Jabber client. The privacy policy is very clear about how long each of your details is stored. Metadata has to be saved for Jabber to work: it would be impossible to communicate with your contacts without saving who they are, and your Jabber ID is of course also saved. Personal details like the IP address used to create the account and the files you upload are erased after a month.

    [Image: Pidgin Jabber XMPP setup]

    Neko IM: Runs a public XMPP server located in Norway. They claim that no more information is collected and stored than what is absolutely necessary; TLS is enforced everywhere, and Jabber clients need to support a strong cipher or they will not be able to connect to the network. Being a free, volunteer-run project, its uptime reflects that, and no guarantees are made about uptime other than "as much as possible".

    [Image: XMPP Gajim Jabber chat]

    Countermail: This is a paid-for service from a Sweden-based email privacy company that provides the XMPP server xmpp.counternet.com with TLS and SSL encryption, only available to email account holders. The username and password are randomly generated; you cannot create your own. However, all XMPP clients support an "alias" or "display name" that you can set up manually, and this is what other Jabber users will see.

    SystemLi: A Jabber server managed by an anti-capitalist tech collective. They do not retain any kind of data, and a .onion link is available for those using Tor. To avoid spam accounts, registration is only possible with an Internet browser.

    About Jabber/XMPP security

    Any IM client that supports the XMPP protocol can interact with other Jabber users. A few of the best-known Jabber-compatible clients are Pidgin, Thunderbird and Jitsi; they can be used for video calls and sending files, but always remember that end-to-end encryption does not mean that your computer's IP is hidden. Jabber will help protect you from wiretapping with encryption, but the server you use could log what you do, and your contact could find out your home IP if you are not on a proxy or VPN.

    Another benefit of Jabber is that the same username and password can be used to connect to the social network Jappix; unlike Facebook, you don't have to provide your real identity to take part in Jappix. Another way to protect your online privacy is running your own Jabber/XMPP server with a custom log policy. It is not hard to set up an XMPP server with a basic understanding of Unix; search for Prosody or Tigase to find XMPP server software to run.

    I included XMPP servers with a clear privacy policy of minimum logging or being offshore; those are the claims that the server administrators make, and there is no way to verify any of them. If you are a social activist, RiseUp and Autistici provide anonymous Jabber chat servers for people fighting for world change, but they are not on the list because they are strictly for political activists.

    Sometimes privacy-minded individuals set up their own XMPP server and open it to everybody. Due to the nature of one-man operations, instead of including here privacy servers that have little backing and less chance of long-term survival, it is best that you check out an updated list of all public XMPP servers at https://list.jabber.at/

  • Cold boot attack protection with YoNTMA

    YoNTMA (You'll Never Take Me Alive!) is an open source tool to enhance Windows BitLocker and Mac FileVault full disk encryption. It has been designed to protect the user from cold boot attacks, a side-channel attack where an intruder with physical access to a machine retrieves the encryption keys from RAM.

    Cold boot attacks can be used to gain access to a fully encrypted hard drive. They are very difficult to achieve once the computer has been shut down: data remanence lasts less than a minute after you power off your computer, and in that time an attacker would have to open up the computer case, extract the RAM modules and cool them down with liquid nitrogen before extracting the keys.

    Cold boot attacks are not normally carried out by law enforcement because of the complexity and timing needed, but a cold boot attack can be easily completed if a computer is only secured with a screen lock by a user who has gone for a quick bathroom break or cup of coffee. A self-executing .bat forensics file, like Mandiant Memoryze, could be run to extract the RAM contents of a fully encrypted laptop by plugging a USB thumb drive into the locked computer. YoNTMA aims to protect you from this.

    [Image: cold boot attack, RAM memory and liquid nitrogen]

    You'll Never Take Me Alive! runs in the background monitoring when your screen locks. If it detects that the power or Ethernet cable is disconnected while the machine is locked, YoNTMA immediately puts the computer into hibernation mode to remove the encryption keys from RAM, sending them to the page file on the hard drive, to protect you from a thief stealing your fully encrypted laptop and extracting the keys a while later. When a computer is hibernating it is not possible to execute a program from a CD drive or USB port; it needs to wake up first.

    I personally feel that, if your data is so important that you need full disk encryption, it doesn't matter if you leave the computer for ten minutes or ten seconds: you should never leave it on with only the screen locked, and it should be you sending it into hibernation when you need a two-minute bathroom break. But if you are the forgetful kind of person, there is no harm in running YoNTMA on your computer; small things sometimes save the day when you least expect it.

    This tool will likely be most useful for companies enforcing rules on lazy employees, and not for private citizens with discipline and attention to detail when dealing with encrypted data.

    Visit YoNTMA homepage

  • Best programs to change your DNS settings

    Every time you enter a URL in your browser a DNS query takes place, asking your Internet Service Provider to translate the typed-in letters into an IP address so that you can visit the website. This is what is called a DNS query, and if you happen to be in a country that censors the Internet or practises mass surveillance, the sites you visit can be watched in real time. It is also possible for a spy agency or malicious hacker to sit in the middle of DNS queries and show you a fake website when you try to visit a certain URL, then proceed to capture your login and password or serve malware to your computer.

    The most common use for DNS monitoring is Internet filtering: schools and companies do this to fend off adult material, and the Chinese Great Firewall does this to block news websites about Tibet.

    The programs below come preconfigured with dozens of free DNS servers. A few of them have built-in parental controls to protect your kids, others offer censorship-free DNS queries and do not log any activity, and the most security-conscious offer encrypted DNS queries. The advantage of using one of these programs to change your ISP's DNS servers, over doing it manually, is that it only takes one click and you don't have to search DuckDuckGo for free public DNS providers.

    ChrisPC DNS Switch: It comes with more than two dozen free DNS providers. One drop-down menu allows you to select the network adaptor, and another drop-down menu classifies the DNS providers into "Anonymous" (no logs), "Family Safe DNS" (URL filtering), "Secure DNS" (malware filtering), "Regular DNS" and "Custom DNS", where you can manually enter the name server you would like to use.

    [Image: ChrisPC DNS Switch]

    DNSCrypt Windows Service Manager: A DNS changer for encrypted DNS only; it helps you configure your network adaptor with one of its supported DNS encryption providers, at the moment consisting of DNSCrypt.eu in Europe (which claims to keep no logs), OpenDNS in the USA, CloudNS in Australia and OpenNIC in Japan. You are also given the option to choose UDP/TCP and IPv4 or IPv6.

    [Image: DNSCrypt Windows Service Manager]

    QuickSetDNS: A minimalist Windows utility to change the DNS settings of your computer or router. This is one of the few DNS-changing utilities that allows you to change your router's DNS using a graphical interface. Optionally you can also use QuickSetDNS from the command line.

    [Image: QuickSetDNS]

    DNSJumper: A Windows DNS graphical interface where you can select the DNS of your choice out of a long list of public DNS servers (Comodo DNS, Norton DNS, Google DNS, etc). For those who change DNS settings often, the program lets you flush the previously applied name servers with the click of a button. Clicking on the "Fastest DNS" button will automatically find the most expeditious name servers for you.

    [Image: Name server changer DNSJumper]

    If you are using a VPN to encrypt your connection, your ISP could still be able to see what sites you visit by monitoring the DNS queries; this is known as a DNS leak. To avoid this risk you should change the default DNS servers in your router or computer. For extra security you should select a DNS provider that encrypts queries; it is the equivalent of HTTPS for DNS.

    Note: If the DNS program does not have a DNS flushing button you can flush your DNS cache manually in Windows with: ipconfig /flushdns

  • Secure encrypted mobile and desktop messenger IONU

    IONU is a new messaging tool for Windows, Mac OS, Android and iPhone; the program can be used by individuals or by an organization that needs central administration capabilities.

    During the Windows installation you will be given a warning that the digital signature is not valid and the publisher cannot be verified; the installer will also automatically download the Microsoft Visual C++ runtime libraries if they are not present on your system.

    [Image: Secure private messenger IONU]

    Account creation was relatively easy: just pick a username and a passphrase. IONU will force you to use a password of at least 8 characters that combines letters and numbers. You will have to add three security questions for password recovery, and a link is sent to your email that you have to click to confirm that you own that inbox. If you use IONU on multiple devices, like mobile and desktop, data will be synced across them without you doing anything; a central IONU server manages the data and updates your client when you first log in.

    In order for people to be able to find you in the messenger, you will have to set up an account identifier with your email address, name and phone number; if somebody wishes to connect with you they only need to search for this information and send you a friend request. It is not necessary to make your phone number or email visible; you can just use a nickname, and privacy options can be managed in the client settings.

    You can only communicate with people added to your contacts list, which stops spam. Chat messages and file transfers are encrypted; IONU says that they have no way to read the chat even if they wanted to. You get delivery and read reports, with an optional "Vanish" function that sets an expiry date on your messages, after which they will no longer be readable. The program can also be used to encrypt data in the cloud; it supports Dropbox and Box.

    I could not find any detailed explanation of IONU's security specs, and a central server forwarding the messages is always a concern in case it is ever compromised, added to which IONU is an American company, and USA companies have a history of being subject to NSA spying gag orders. The company says it is not viable for them to decrypt anything for anybody, but I was not totally convinced that a government cannot force them to tamper with their server to push malware or something else to a targeted customer.

    [Image: Android encrypted messenger IONU]

    Assuming you trust IONU's claims that they aren't able to read anything, and you trust that the encryption scheme they are using is safe, it seems like a good app for having private conversations out of the reach of malicious hackers sniffing packets on your network, and a good way to protect your privacy by sending lapsing messages that cannot be saved, although metadata such as login connection times and computer IPs should still be available on IONU's servers.

    If your main concern is protection from criminals, IONU is a far better option than WhatsApp or Yahoo Messenger; if you are up against the NSA, I would look for another solution like the Torsion messenger for anonymous chat over Tor, or a program that has no central server managing messages.

    Visit IONU homepage

  • GPG email encryption hardware device Kinko

    Kinko is a crowd-funded project building an external hardware device for email encryption and decryption that will work in the background with any operating system, using well-established open source technologies like GnuPG and OpenSSH.

    The Kinko Project supports Intel and ARM architectures; translated into plain English, this means desktops and single-board devices like the BeagleBoard. A pocket-sized Kinko prototype already exists, and it has a microSD slot for data storage, 512 DDR3 RAM and a fanless design with a Rhombus Tech ARM A10 Cortex-A8 CPU.

    Kinko comes with a front end to manage GnuPG keys, a simple-to-use webmailer running Dovecot, offline IMAP and SSH. It is like running your own small email service at home, with support for up to 10 people. Kinko is compatible with any email client, but it will not work with webmail services; the only way to send email through a web interface is by means of Kinko's built-in webmailer.

    [Image: Kinko GPG hardware email encryption]

    There is no central server with access to your encryption keys. When you receive an encrypted PGP email, Kinko will automatically decrypt it using the keys manually added to the box, detecting public keys attached to the email message or fetching them from a keyserver. User intervention is kept to a minimum; you will only be asked whether a recognized public PGP key should be accepted or not.

    What Kinko cannot do for you is encrypt email metadata; this is impossible due to the OpenPGP specifications, but you have the option to replace email subjects with a standard innocuous phrase.

    Email messages are synced between your computer and the Kinko box with IMAP; the connection is secured with TLS and a private encryption key that only Kinko knows. To access your email outside your home, Kinko can be tunnelled to the public Internet with OpenSSH and accessed with any email client supporting IMAP or with a web browser.

    The price of the Kinko box is not yet known, but I am elated with the specs and initial presentation. I only see two downsides: one is having to plug in yet another device to my collection of computer hardware, and the other one is storing my email messages at home.

    [Image: PGP email encryption Kinko Project]

    All data is encrypted and password protected when you first set up Kinko, but that will not stop physical threats to hand over the password from anybody breaking into my house, added to which in some countries it is illegal to withhold your password from law enforcement.

    I think that the device is extremely user-friendly and time-saving, but something Kinko will not do for you is convince or train your friends and colleagues about the importance of email encryption. Until people are willing to use PGP for email, it won't matter how comfortably you can encrypt and decrypt messages; there will be no mass adoption.

    Kinko is something that small businesses might want to look into; private users will first have to consider what the chances are of abusive law enforcement breaking into their home and demanding the password for their encrypted Kinko email box.

    Visit Kinko Project homepage