
Posts Tagged ‘encryption’

Submitted by CWZ on Sun, 09/15/2013 – 15:11

Now that we have enough details about how the NSA eavesdrops on the Internet, including today’s disclosures of the NSA’s deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn’t part of today’s story — it was in process well before I showed up — but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

The primary way the NSA eavesdrops on Internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies—all the US and UK ones, and many other “partners” around the world — the NSA gets access to the communications trunks that move Internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

That’s an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. “Interesting” can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about Internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.

The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this are staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem — recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff — has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO — Tailored Access Operations — group. TAO has a menu of exploits it can serve up against your computer — whether you’re running Windows, Mac OS, Linux, iOS, or something else — and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an Internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you’re running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

I believe this is true, despite today’s revelations and tantalizing hints of “groundbreaking cryptanalytic capabilities” made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are. 
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear. 
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good. 
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means. 
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

This essay previously appeared in the Guardian.


Screenshot from mega.co.nz

Kim Dotcom’s Mega.co.nz is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s shutdown an “honorable act of Privacy Seppuku.”

Mega’s Chief Executive Vikram Kumar, who is heading the development of the company’s own end-to-end encryption technology to protect the privacy of the future email service’s users, has reacted to the Lavabit founder’s decision to suspend his service’s operations – an act which was shortly followed by the voluntary closing down of another secure email service, Silent Circle.

“These are acts of ‘Privacy Seppuku’ – honorably and publicly shutting down (“suicide”) rather than being forced to comply with laws and courts intent on violating people’s privacy,” Kumar said in his blog post.

The concept he was referring to was developed by secure service providers such as Cryptocloud, which made a ‘corporate seppuku’ pledge to oppose mass surveillance and shield the privacy of their users’ data. The name for the move apparently derives from a Japanese ritual suicide, which was originally practiced by samurai to preserve honor.

According to Cryptocloud team’s board post cited by Kumar, “corporate seppuku” is “shutting down a company rather than agreeing to become an extension of the massive, ever-expanding, secretive global surveillance network organized by the US National Security Agency.”

This way, if the company receives a secret order from the NSA “to become a real-time participant in ongoing, blanket, secret surveillance of its customers,” it will not be forced into doing it. The pledge it made to its users will make it terminate itself instead, thus making the data mining impossible.

Such a policy demonstrates that “there is always a choice” for any company approached by the agents, while at the same time placing the users’ security at the highest priority.

Owner and operator of Lavabit.com Ladar Levison on Thursday wrote that his nine-year-old encrypted email service was shutting down in order to avoid becoming “complicit in crimes against the American people.”

“We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now,” Silent Circle founder Jon Callas then wrote in a blog post.

But as Cryptocloud urged all the companies to make an ultimate privacy-protecting pledge, NSA leaker Edward Snowden said in an email to The Guardian that the internet giants are unlikely to join such action – although it could yield much greater results. He called for Google and Facebook to question their current stance, calling the Lavabit owner’s decision “inspiring.”

“Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren’t fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not,” Snowden said.

Mega doing ‘true crypto work for masses’

Meanwhile, Kumar has been involved in an email service project with what he says is an exceptional level of encryption.

Mega has been doing an “exciting” but “very hard” and time-consuming job of developing an email service that is both highly secure and functional, Kumar told ZDNet.

“The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat.

“On this and other fronts, Mega is doing some hugely cutting-edge stuff. There is probably no one in the world who takes the Mega approach of making true crypto work for the masses, our core proposition,” Kumar said.

According to the company’s founder Dotcom, Mega doesn’t hold decryption keys to customer accounts and “never will”, thus making it impossible for it to read the emails. This also means that Mega by design cannot be forced to rat on its users by intelligence agencies.

However, Dotcom earlier told TorrentFreak that a new spy legislation being pushed by the US and its Five Eyes alliance partners – UK, Canada, Australia and New Zealand – may force Mega to relocate its servers to some country exempt from such jurisdictions, such as Iceland.

The New Zealand government is already “aggressively” eyeing legislation that will compel all internet service providers in the country to design a “secret decryption access” for the intelligence agencies, he said.


From thehonestreviews.com

IPVanish is one of the newer VPN service companies which started out in 2012, but don’t let that discourage you. It seems like they know what they are doing because I’m loving them. IPVanish currently has 3500+ IPs on 90+ servers in 41 different countries, which is already better than the majority of VPN service providers out there.

IPVanish Features

  • 3500+ IPs on 90+ servers in 41 different countries
  • Unlimited VPN traffic and uncapped bandwidth
  • High Speed Connection
  • FREE IPVanish VPN Software
  • OpenVPN, L2TP, and PPTP Protocols
  • Prevent Hot Spot Dangers
  • Secure & safe browsing
  • 24/7 Support

IPVanish Pricing

Here are the current VPN packages at IPVanish:

  • 1 Month – $10 (17% savings)
  • 3 Month – $26.99 (25% savings)
  • 1 Year – $77.99 (46% savings)

If you pick the yearly plan, it will only cost you $6.49/month which comes out to a huge 46% in savings. $6.49 is as cheap as it gets for a premium VPN service so you are definitely getting your money’s worth. You also have the option of signing up for the 1 month plan then upgrading to the yearly plan after if you want.

There is a 7-day money-back guarantee on all of the plans, so if you aren’t happy for any reason within 7 days of signing up, you can request a cancellation and you will get a full refund.

FREE IPVanish Software
The VPN IPVanish software is free and it’s available in your account’s control panel. Here are some noteworthy features:

  • List of servers with online/offline status
  • Automatically reconnects if disconnected
  • Able to connect when Windows starts
  • Can automatically connect to IPVanish once the software starts
  • Lets you know your response time for each server

I really like the Auto-Reconnect feature as it will reconnect if you disconnect from the servers. The only downfall is that your real IP will be shown for a few seconds while it reconnects itself to the IPVanish servers.

IPVanish GUI

It’s a basic VPN software which lets you connect to IPVanish VPN servers with a few noteworthy features. You do not need to use this software to connect to their servers as this software is only optional. IPVanish provides detailed directions for other methods to connect to their servers as well.

Compatible Devices

  • Windows
  • Mac OS X
  • Ubuntu
  • iPhone, iPad, Android
  • DD-WRT compatible routers
  • Any device that lets you use PPTP and L2TP

IPVanish Speed Test

Speed is important when choosing a VPN service provider and IPVanish doesn’t disappoint. Here’s a result from my speed test using IPVanish.

That’s my max download/upload speed for my ISP which is great. You won’t even notice that you are behind a VPN connection. This means watching videos on sites such as YouTube will be quick.

Bandwidth is not capped and you are allowed unlimited VPN traffic which means you can keep the VPN connection on 24/7 if you wanted to.

How Many Computers Can You Use IPVanish On?

You are allowed to install and use IPVanish on an unlimited number of computers and devices, but you are only allowed to have two devices connected to IPVanish at the same time. Also, you are only allowed to connect to 1 OpenVPN and 1 other connection (L2TP or PPTP) at the same time. This means you cannot have 2 OpenVPN connections connected to IPVanish at a time.

For example, your computer can be connected to IPVanish using OpenVPN while your mobile phone is connected to either L2TP or PPTP.

Type Of IP Addresses

IPVanish offers dynamic IP addresses which means you will get a new IP address every time you connect to their servers. This offers you the best anonymity because your traffic will be spread throughout their 3500+ IP addresses instead of being associated with just one IP address.

Since you are sharing IP addresses with other IPVanish users, your traffic will merge with their traffic making it impossible to find out which traffic belongs to which user.

Data Encryption

You do not have to worry about your ISP or even hackers spying on you as IPVanish provides 256-bit encryption for OpenVPN and 128-bit encryption for PPTP and L2TP.

Logging Policy

IPVanish only logs when you connect and disconnect from their VPN servers. They do not log what websites you visit, what you download or who you chat to. Some type of logging is required for all VPN service providers to stay in business, so I wouldn’t worry about it.

Money Back Guarantee

IPVanish offers a 7-day money-back guarantee for all of their VPN plans.

IPVanish Support

Support by email is 24/7 while live support chat is available M-F during business hours. IPVanish also offers support by forum.

Final Thoughts

IPVanish does a great job as a VPN service provider even though they just started this year. The speed, price and reliability are outstanding. The price is great for the service they provide, and it’s a lot better than using free proxies and definitely better than the majority of VPN providers on the market. I honestly can’t find anything I hate about them, especially for the price and speed.


Everything you need to safely browse the Internet. This package requires no installation. Just extract it and run.

Want Tor to really work?

You need to change some of your habits, as some things won’t work exactly as you are used to.

1. Use the Tor Browser Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.

2. Don’t enable or install browser plugins The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.

3. Use HTTPS versions of websites Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website. To help ensure private encryption to websites, the Tor Browser Bundle includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.

4. Don’t open documents downloaded through Tor while online The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

5. Use bridges and/or find company Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!


From null-byte

Big name individual hackers and hacker groups everywhere in the news are getting caught and thrown in jail. Every time I see something like this happen, I won’t lie, I get a little sad. Then I wonder, how are these guys getting caught?

If a group like LulzSec, with all the fame and “1337-ness” can get caught, I think my hacker comrades are doing something wrong.

When members of LulzSec started getting captured, it was because proxy and VPN services complied with federal requests and handed over the private information of their users. I think this is wrong for a number of reasons—foremost, people should be able to have their own privacy respected. Today’s Null Byte will be demonstrating one of the methods around this: Chaining VPNs.

A VPN allows you to connect to a remote network, and over all ports, encrypt and forward your traffic. This also changes your IP address. Chaining VPNs is a tricky task, though there is a simple and uncommon method I know of. Using multiple VPNs together has the huge perk of being completely anonymous.

How Does Chaining VPNs Work?

First, a person would connect to the VPN. Then, when connected to the first VPN, you chain to the second, and since a bunch of people share the same IP, the second VPN has no way of knowing who tunneled to it. An even better scenario is where you use an eastern VPN as your first, because our country has no jurisdiction to retrieve the logs from them, thus increasing your security.

However, to chain VPNs, the second VPN would need to know how the first VPN’s traffic was encrypted. This flaw makes it impossible to chain them in this method, unless you own both VPNs (not very likely).

So, how can we chain VPNs then? I’ll show you how by using a virtual machine!

Requirements

Step 1 Install OpenVPN & a VirtualBox Computer

Text in bold is a terminal command.

First, we need to install the VPN client for Linux users. Windows users can download the program here and here, and run the installer normally. Mac users can use this GUI for OpenVPN for Mac.

  1. Change to the Downloads directory.
  2. Configure the installation.
    ./configure
  3. Compile and install.
    make && sudo make install
  4. Now we need to install VirtualBox. This will allow us to have a virtual operating system running from within our computer. Download VirtualBox: Windows, Mac, Linux.
  5. Install a virtual machine of your choice for Windows or Linux and Mac, then install OpenVPN to it.

Step 2 Chain the VPNs

Start up your virtual machine, and configure them both.

  1. For Windows users using the default VPN client, use this guide to connect to a VPN. Linux and Mac users, go here.
  2. Connect to VPN A with your host OS.
  3. Start up your virtual machine of choice, and connect to VPN B with it.
  4. Operate from within your virtual machine, and you will be safe from prying eyes. If you need to delete the virtual machine, make sure you securely delete it, and your information will be safe.


The Cocoon toolbar includes a number of features and services to ensure the highest levels of privacy and security. Cocoon prevents advertisers and companies from monitoring online activity by blocking cookie tracking.

To prevent intrusions from Internet downloads, the smart proxy software instantly scans files downloaded for viruses, malware or malicious code before it reaches a user’s computer. Additionally, Cocoon offers disposable email addresses so that personal email boxes do not get jammed with spam.

Main Features
* Truly Anonymous Browsing
* Stops Online Tracking
* Anti-Virus Protection
* Secure Connection on Public WiFi
* Privacy on Shared Computers
* Browsing History Encrypted
* History Accessible on Multiple Devices
* Blocks Drive-by Malware Attacks
* Secures Webmail Access
* Cookies Stored off Your Computer
* Anonymous Email Addresses

Get Cocoon here


Operation Encrypt Everything (OpE^2) was started in 2012 by members of the Pirate Party of Canada to counteract the increasing threat of total communications surveillance by governments and private industry.

It is intended to bring together information about protecting your data and privacy online, and making easily-understood instructions available to our digital comrades.

By getting in the habit of using good encryption practices, you can ensure that your financial records, web surfing history, conversations with friends, and photos of your loved ones are private, and not endangered by your national government, a foreign government, major corporations like Facebook or Google, or even malicious hackers.

Visit Encrypt Everything here.
