It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool. - The New York Times

It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool. - The New York Times

It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool. - The New York Times

Posted: 22 Dec 2019 11:35 AM PST

WASHINGTON — It is billed as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype.

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm.

ToTok amounts to the latest escalation in a digital arms race among wealthy authoritarian governments, interviews with current and former American foreign officials and a forensic investigation showed. The governments are pursuing more effective and convenient methods to spy on foreign adversaries, criminal and terrorist networks, journalists and critics — efforts that have ensnared people all over the world in their surveillance nets.

Persian Gulf nations like Saudi Arabia, the Emirates and Qatar previously turned to private firms — including Israeli and American contractors — to hack rivals and, increasingly, their own citizens. The development of ToTok, experts said, showed that the governments can cut out the intermediary to spy directly on their targets, who voluntarily, if unwittingly, hand over their information.

A technical analysis and interviews with computer security experts showed that the firm behind ToTok, Breej Holding, is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work. DarkMatter is under F.B.I. investigation, according to former employees and law enforcement officials, for possible cybercrimes. The American intelligence assessment and the technical analysis also linked ToTok to Pax AI, an Abu Dhabi-based data mining firm that appears to be tied to DarkMatter.

Pax AI's headquarters operate from the same Abu Dhabi building as the Emirates' signals intelligence agency, which until recently was where DarkMatter was based.

The U.A.E. is one of America's closest allies in the Middle East, seen by the Trump administration as a bulwark against Iran and a close counterterrorism partner. Its ruling family promotes the country as an example of a modern, moderate Arab nation, but it has also been at the forefront of using surveillance technology to crack down on internal dissent — including hacking Western journalists, emptying the banking accounts of critics, and holding human rights activists in prolonged solitary confinement over Facebook posts.

The government blocks specific functions of apps like WhatsApp and Skype, a reality that has made ToTok particularly appealing in the country. Huawei, the Chinese telecom giant, recently promoted ToTok in advertisements.

Spokesmen for the C.I.A. and the Emirati government declined to comment. Calls to a phone number for Breej Holding rang unanswered, and Pax employees did not respond to emails and messages. An F.B.I. spokeswoman said that "while the F.B.I. does not comment on specific apps, we always want to make users aware of the potential risks and vulnerabilities that these mechanisms can pose."

When The Times initially contacted Apple and Google representatives with questions about ToTok's connection to the Emirati government, they said they would investigate. On Thursday, Google removed the app from its Play store after determining ToTok violated unspecified policies. Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said. ToTok users who already downloaded the app will still be able to use it until they remove it from their phones.

It was unclear when American intelligence services first determined that ToTok was a tool of Emirati intelligence, but one person familiar with the assessment said that American officials have warned some allies about its dangers. It is not clear whether American officials have confronted their counterparts in the Emirati government about the app. One digital security expert in the Middle East, speaking on the condition of anonymity to discuss powerful hacking tools, said that senior Emirati officials told him that ToTok was indeed an app developed to track its users in the Emirates and beyond.

ToTok appears to have been relatively easy to develop, according to a forensic analysis performed for The Times by Patrick Wardle, a former National Security Agency hacker who works as a private security researcher. It appears to be a copy of a Chinese messaging app offering free video calls, YeeCall, slightly customized for English and Arabic audiences.

ToTok is a cleverly designed tool for mass surveillance, according to the technical analysis and interviews, in that it functions much like the myriad other Apple and Android apps that track users' location and contacts.

On the surface, ToTok tracks users' location by offering an accurate weather forecast. It hunts for new contacts any time a user opens the app, under the pretense that it is helping connect with their friends, much like how Instagram flags Facebook friends. It has access to users' microphones, cameras, calendar and other phone data. Even its name is an apparent play on the popular Chinese app TikTok.

Though billed as "fast and secure," ToTok makes no claim of end-to-end encryption, like WhatsApp, Signal or Skype. The only hint that the app discloses user data is buried in the privacy policy: "We may share your personal data with group companies."

So instead of paying hackers to gain access to a target's phone — the going rate is up to $2.5 million for a hacking tool that can remotely access Android phones, according to recent price lists — ToTok gave the Emirati government a way to persuade millions of users to hand over their most personal information for free.

"There is a beauty in this approach," said Mr. Wardle, now a security researcher at Jamf, a software company. "You don't need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?"

In an intelligence-gathering operation, Mr. Wardle said, ToTok would be Phase 1. Much like the National Security Agency's bulk metadata collection program — which was quietly shut down this year — ToTok allows intelligence analysts to analyze users' calls and contacts in search of patterns, though its collection is far more invasive. It is unclear whether ToTok allows the Emiratis to record video or audio calls of its users.

Each day, billions of people freely forgo privacy for the convenience of using apps on their phones. The Privacy Project by the Times's Opinion section published an investigation last week revealing how app makers and third parties track the minute-by-minute movements of mobile phone users.

Private companies collected that data for targeted marketing. In ToTok's case — according to current and former officials and digital crumbs the developers left behind — much of the information is funneled to intelligence analysts working on behalf of the Emirati state.

In recent months, semiofficial state publications began promoting ToTok as the free app long sought by Emiratis. This month, users of a messaging service in the Emirates requiring paid subscriptions, Botim, received an alert telling users to switch to ToTok — which it called a "free, fast and secure" messaging app. Accompanying the message was a link to install it.

The marketing seems to have paid off.

In reviews, Emiratis expressed gratitude to ToTok's developers for finally bringing them a free messaging app. "Blessings! Your app is the best App so far that has enable me and my family to stay connected!!!" one wrote. "Kudos," another wrote. "Finally, an app that works in the UAE!"

ToTok's popularity extended beyond the Emirates. According to recent Google Play rankings, it was among the top 50 free apps in Saudi Arabia, Britain, India, Sweden and other countries. Some analysts said it was particularly popular in the Middle East because — at least on the surface — it was unaffiliated with a large, powerful nation.

Though the app is a tool for the Emirati government, the exact relationship between the firms behind it is murky. Pax employees are made up of European, Asian and Emirati data scientists, and the company is run by Andrew Jackson, an Irish data scientist who previously worked at Palantir, a Silicon Valley firm that works with the Pentagon and American spy agencies.

Its affiliate company, DarkMatter, is in effect an arm of the Emirati government. Its operations have included hacking government ministries in Iran, Qatar and Turkey; executives of FIFA, the world soccer organization; journalists and dissidents.

Last month, the Emirati government announced that DarkMatter would combine with two dozen other companies to create a defense conglomerate focused on repelling cyberattacks.

The F.B.I. is investigating American employees of DarkMatter for possible cybercrimes, according to people familiar with the investigation. The inquiry intensified after former National Security Agency hackers working for the company grew concerned about its activities and contacted the bureau. Reuters first reported the program they worked on, Project Raven.

At Pax, data scientists openly brag about their work on LinkedIn. One who listed his title as "data science team lead" said he had created a "message intelligence platform" that reads billions of messages to answer four questions: "who you are, what you do, how do you think, and what is your relationship with others."

"With the answers to these four questions, we know everything about one person," wrote the data scientist, Jingyan Wang.

Other Pax employees describe their experience creating tools that can search government data sets for faces from billions of video feeds and pinpoint Arabic dialects from transcribed video messages.

None mention an affiliation with ToTok.

Mark Mazzetti reported from Washington, Nicole Perlroth from San Francisco and Ronen Bergman from Tel Aviv. Adam Goldman contributed reporting from Washington, and Ben Hubbard from Beirut, Lebanon.

Criptext Encrypted Email Service Lets You Control Your Email Communications - TWCN Tech News

Posted: 08 Dec 2019 12:00 AM PST

Everyone reading this blog would have had that one 'oops' moment in life when they clicked "Send" on an email and repented a fraction of a second later. Maybe you forgot to remove a section in the email, maybe you sent it to the wrong person, with the wrong subject line. Or maybe you sent the wrong attachment. Well, that's one terrible moment when you know it's gone, and there's nothing you can do to reverse it. To save yourself from such moments, try Criptext encrypted email service.

Criptext encrypted email service

Criptext encrypted email service

Criptext encrypted email service is a free email service for Windows, Linux, macOS, Android, and iOS. This service allows you to encrypt, track, and unsend emails – Totally on your terms.

With Criptext, you can revoke access to a message, set a timer to revoke access after a certain amount of time, and so on. It also has some additional features, like being able to send larger attachments than Gmail's usual limitation, or activating read receipts. In addition to this, Criptext encrypted email service doesn't collect and store your data. All your emails are completely stored on your device which, ensures maximum privacy and control. Beyond privacy, Criptext is the only email service to claim the coveted Signal encryption, making it quite possibly the most secure email service ever. Below mentioned are the top features of this tool:

  • End-to-end Encryption –The emails are locked with a unique key that is generated and stored on the user's device alone, which means only the user and their recipient read the sent email.
  • Signal Protocol – The Criptext encrypted email service uses the open-source Signal Protocol library to encrypt the user's emails.
  • No Cloud Storage – Contrasting every other email service available, this service doesn't store the user's email over its servers. Instead, the entire inbox of the user is stored exclusively on their device, this ensures there is no data collection happening.
  • Open Source – Criptext's source code is open to the complete privacy community to see how it actually works.
  • Simple to use – Their app is designed to work as simple as any other email application.

Some more powerful features that get you the desired control:

  • Unsend Email – Criptext encrypted email service allows you to take back an email within an hour from the time it was sent. So, if you sent an email by mistake, you can quickly reverse your action.
  • Real-time Email tracking – With real-time tracking feature you can know once your email is read.

With so many amazing features, this email service looks like worth trying.

Free Private & secure email provider

Follow the next process to use Criptext encrypted email service.

  1. Sign-up for Criptext
  2. Sync mailboxes

Let's look at each of these steps in more detail.

1] Sign-up for Criptext

You will need to install the desktop program or the mobile app and use the same to sign-up. Once done, the applications start creating the encryption/decryption keys for your account on your device in use.

To download the desktop program, go to Criptext's official website and click on the 'Download Now' button. Mobile versions are available on the respective iOS and Android stores, simply search for 'Criptext Secure Email' and download the same on your device.

Free Private & secure email provider

After downloading, follow these steps:

1] Wait for your download to finish

2] Run 'Criptext-latest.exe' to start the installation

3] Wait for the installation to finish. Criptext will automatically launch once the installation is complete.

4] If you have not registered before hit 'Sign Up'.

Criptext encrypted email service

5] Now fill in the required fields, check 'Terms and Conditions' checkbox and hit 'Create Account' to complete the Sign-up process.

Criptext encrypted email service

Done!

When signing up for an account, you have an option to enter a recovery email address. Make sure you correctly enter the same as this may be needed at the time when you want to reset the password of your account.

2] Sync Mailboxes

We wanted to see how we could sign in to an existing account on a new device. So, we downloaded the application on our mobile device; in doing so the desktop application prompted us to use the mobile client to approve the sign-in, but then it did offer an option to sign-in with the password.

Criptext encrypted email service

We approved the request to sync mailboxes across devices.

Criptext encrypted email service syncs the mailbox across devices, hence if the user sends an email from their mobile device, it will sync the same to the desktop program's sent folder and vice-versa. The incoming email messages are delivered to all the devices. Here are some highlights of this feature:

  • Sync up mails up to 10 devices
  • Attachments have a 25MB size-limit

There are no limits on the number of attachments you can send.

Unsending an email

Users can unsend an email that they sent to contact; they have up to 60 minutes to reverse their actions. But, there a catch here, users can unsend emails sent only to other Criptext email accounts.

When an email is sent to a non Criptext email address, reverse action is not possible. Hence this service is useful only if your contacts are majority using Criptext.

Tracking an email

Criptext encrypted email service tells you when your sent email is opened, but only for the first time. It means the subsequent opening of the same email isn't notified. Criptext send you notification on the mobile application when the email is opened, also the send tick mark appearing on the email turns blue when the email is read; you can also view the notification in the activity feed.

Criptext encrypted email service

Taking back-up of the mailbox with Criptext encrypted email service

Users can back up their mailbox locally on the device or manually store it in the cloud. The backup is encrypted with a passphrase that is specified by the user himself. You can email set your backup priorities from 'Settings'.

Criptext encrypted email service

In the end…

Criptext encrypted email service looks amazing, but it comes with its own set of restrictions. Criptext isn't for casual users as it can't encrypt emails that are being sent to addresses belonging to other services. The privacy and security that encryption provides are its primary features. But unless you manage really manage to influence your contacts to shift to this platform – you won't be able to use it every day.
-

Comments

Post a Comment

Popular Posts

6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog

Image
6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 5 best TrueCrypt alternatives | Encrypt your computer with these apps - proprivacy.com The Best Way to Encrypt Email in Outlook - Security Boulevard 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog Posted: 23 Nov 2019 12:00 AM PST Anti-forensic techniques can make a computer investigator's life difficult. From committing fraud in an organization to stealing crucial data, cybercriminals can perform a wide range of nefarious activities. In some cases, these perpetrators try to cover their tracks by deleting browser history, cache memory, and even cookies. But with an upward trend , it is now much convenient for cyber attackers to use already progr...
Read more

Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian

Image
Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Posted: 13 Oct 2019 06:58 AM PDT Anne Sacoolas, the wife of a US intelligence official who was involved in the road collision that killed 19-year-old Harry Dunn, has agreed to meet with his grieving parents and cooperate with a British police inquiry. But amid continuing questions over her right to diplomatic immunity, it is not clear if she will return to the UK to fulfil a promise to answer police questions about her role in the car crash. The reversal of position on a meeting appears to have come after lawyers specialising in diplomatic immunity started to advise Dunn's parents last week, leading them to say they would pursue Sacoolas in the US courts for a civil claim. Mark Stephens, one of the legal specialists advising the parents, told the Guar...
Read more

A Look At Blockchain Smartphones Available Now - I4U News

Image
A Look At Blockchain Smartphones Available Now - I4U News A Look At Blockchain Smartphones Available Now - I4U News Posted: 09 Oct 2019 06:19 AM PDT There is probably no one in the world who has not heard of cryptocurrencies. In the past few years, the general public's awareness of the likes of Bitcoin and Ethereum has skyrocketed. This has happened to such a degree that there are literally millions of us using Bitcoin wallets offered by Luno and other well established names in the industry. On the other hand, blockchain is not necessarily that well known and its capabilities maybe a little less. So although we know that blockchain is the basis of cryptocurrencies, many of us know little more than that. Anyways, this technology is extremely adaptable and is being applied to many industries/sectors from health to disaster recovery. So that it will come as no surprise that blockchain is shifting its attention to mobile. This has resul...
Read more