Private-Mail Review & Rating - PCMag.com

Posted: 09 Jan 2020 01:36 PM PST

Nobody pays for email these days. Big companies like Google and Yahoo give it away for free. So how do those companies pay for the necessary server farms and other resources? They monetize the information they can glean from your use of the service, that's how. As they say, if you're not paying, you are the product. But fear not; you can take charge of your email privacy using an encrypted email product like Private-Mail. You'll pay in cash rather than by giving up your privacy, but for many that's the right choice.

Private-Mail is owned by the makers of TorGuard VPN, which is rated four stars by PCMag. In fact, if you choose Private-Mail's Legacy Login, you reach a page with TorGuard branding. Perhaps this is a trend? ProtonVPN also has a secure email system, called ProtonMail.

Pricing and Features

If you're willing to accept some limitations, you can use Private-Mail for free (though you do have to register a credit card to claim your free account). The free level gives you 100MB of storage for your emails and 100MB of cloud storage for your encrypted files, and it uses the same encryption protocols as the paid editions.

For $69.99 per year you can move up to the Standard tier, which raises email and file storage to 10GB. At this level, you can use the mobile app, define a custom email calendar, and sync your contacts and calendar between devices. You also get priority support, and five email identities (more about those below). The Pro tier simply raises the numbers. It costs twice as much, and gives you 20GB of email and file storage, and 20 email identities.

Private-Mail Console

Private-Mail offers a wide variety of billing cycles. You can choose to pay $8.95 per month for the Standard plan, if you're not sure about the commitment. Quarterly, semi-annual, and annual plans cost less per month. Note, though, that if you pay for two years, the price is simply twice the one-year price—there's no volume discount.

Even using yearly pricing, Private-Mail is on the expensive side. StartMail goes for $59.95 per year, and ProtonMail costs $48 per year. Like Private-Mail, ProtonMail has a free, feature-limited tier. As you'll see, though, Private-Mail does offer some features not found in its competitors.

Keep Your Identity Private

Private-Mail's email identities feature, also called email aliases in some materials, lets you define different email addresses that all feed into the same Inbox. It's a limited version of a Disposable Email Address (DEA) service. The idea is that you give out an alias in your online transactions, rather than exposing your actual email. If the alias starts getting spam, you delete it. StartMail offers a similar feature.

Other products focus on DEAs, not on encrypting messages. With a $29.99 per year Burner Mail subscription, you can create as many DEAs as you need. The same is true of ManyMe, which is totally free.

At $39 per year, Abine Blur Premium costs more than Burner Mail or ManyMe, but does much more. In addition to masking your personal email address, it masks credit cards and phone numbers. Beyond that, it actively blocks ad trackers, manages your passwords, and more.

Private-Mail's limit of five email identities means you can't really use it in the expected fashion. If you create a different DEA for every site you interact with, you'll use up those five quickly. Even the 20 identities that come with the more expensive Pro account won't be enough for an active online presence. Yet if you don't use a separate alias for each site, you can't just cut off one site if the alias gets sold to spammers. You'll be cutting off every site that contacts you through that alias. StartMail has a similar limitation, in that you can only have 10 permanent aliases at a time. It does allow an unlimited number of time-limited temporary addresses, good for up to two weeks.

Private-Mail Identity

There's one more thing that's worth noting. When I tried to use this feature, I found that while I could enter a different display name for a new identity, the field to enter a new email was locked. It doesn't help to have a display name of "Baby Yoda" when the underlying email isn't changed. My company contact explained that using a different email address requires a registration step that, at present, is only available for business users.

A Rocky Start With Private-Mail

Signing up for a Private-Mail account is simple enough. First, you choose an account name that's unique across the service (a standard requirement). I was mildly surprised to find [email protected] available. You supply an ordinary email account for activation and recovery, enter a strong password to protect your account, and fill in your credit card details. As noted, this last step is required even for free accounts. Once you respond to a verification email, you're ready to go.

I clicked the New Message button and encountered a WYSIWYG editor much like StartMail's. It lets you choose a font (from a small collection), change text color, insert pictures, and mark text with bold, italic, underline, or strikethrough, for example. I composed a message and sent it to a non-Private-Mail address. I didn't see a button to encrypt the text using a password, the way I did with StartMail and ProtonMail, and indeed, the message arrived unencrypted.

Digging into settings, I found I needed to turn on use of OpenPGP. The program suggested turning off AutoSave of drafts, since drafts would be saved unencrypted on the server; that's good advice. Trying to turn on OpenPGP revealed a need to create a PGP key pair based on a passphrase. I had to run through a similar process to get StartMail encrypting.

When I tried again to create and encrypt a message, I found a new button in the message editor marked PGP Sign/Encrypt. Clicking it displayed a disappointing alert: Private-Mail must strip out all formatting for encrypted messages. StartMail and ProtonMail both encrypt rich messages including formatting and even images.

I clicked to continue and hit a password prompt, leaving me to wonder if it meant my account password or the PGP passphrase (account password proved correct). At this point Private-Mail complained that it didn't have a public key on record for the recipient. I realized I needed to go through the process of setting up OpenPGP on both accounts.

I switched to my other Private-Mail test account, enabled OpenPGP, and switched back. When I tried to send to that account using encryption, it still griped about lacking a public key for that account. As it turns out, Private-Mail doesn't automate key exchange between users of the service. I brought up the OpenPGP settings page, clicked to view my public key, and clicked Send to send it to my alternate account.

When the key didn't arrive after five minutes, I switched back to the main account. Here, I found an email "bounce" message saying that Private-Mail rejected a dangerous attachment. Right. It rejected the public key generated and sent by another instance of itself, because it chose to send the text file with a .com extension. (For the younger audience, .com used to be an executable file format in early DOS versions.)

I exchanged public keys by copy/pasting into a text file and then copy/pasting the text into the other instance of Private-Mail. This process proved to be the opposite of automated. My company contact did explain that the key rejection problem is "in the process of being rectified."

Encrypted Messaging

Whew! With the key exchange completed, I found that I could exchange encrypted mail between my accounts. As noted, OpenPGP strips out formatting, so I could only exchange plain text. To decrypt a received message, I had to enter the passphrase used to create my account's public / private key pair.

Private-Mail Encrypt

To send a secure message, Private-Mail encrypts it using the recipient's public key, and the recipient decrypts it using the corresponding private key. The same key pair works in reverse for digital signatures, which prove that a message came from you and wasn't altered in transit. You simply choose the Sign option and enter the PGP passphrase for your account. Private-Mail then applies your private key to the message (strictly speaking, to a cryptographic hash of it). The fact that the recipient can verify the result using your public key proves that it came from you with no tampering.

Encrypted Files

Unlike the other encrypted email solutions I've evaluated, Private-Mail also serves to store and sync encrypted files. You can store files without encryption as well, though I'm not sure why you would.

When I tried to drop a file into the Encrypted folder in the Files area, I got a warning, "You have enabled encryption of uploaded files, but haven't set any encryption key." I found that odd, since I had been successfully exchanging encrypted emails.

It turns out that file encryption uses its own separate key, reached by selecting Paranoid Encryption from the Settings menu. You supply a name for the key (your account email by default) and enter a password to protect it. Once the key is created, Private-Mail advises exporting it and storing in a safe place. I found that it stored the key using my account email as the name, meaning the filename ended in .com. As noted, Windows still treats such files as ancient DOS executables, so I renamed it and added .txt at the end.

Private-Mail Files

Two Factor Authentication

Like StartMail, ProtonMail, and Burner Mail, Private-Mail supports two-factor authentication. You do need Google Authenticator or another authenticator that supports standard Time-based One-Time Password (TOTP) authentication.

In Account Settings, click the button to enable two-factor authentication. Private-Mail will display a QR code. Snap the QR code with your app and enter the returned code back in Private-Mail. You can also use the alphanumeric Secret Key for setup. That's it. Now each time you log in you'll need both your password and the latest code from your authentication app. More importantly, a hacker who stole your password couldn't use it to log in without also having the current code from the device in your pocket.

Secure File Sharing

You've seen that Private-Mail lets you store encrypted files online. You can also use the service to share these files by invoking the Secure Share feature. With Secure Share, you can choose to encrypt either using public key cryptography or by defining a password. Note that StartMail and ProtonMail give you a similar choice for encrypted email messages, meaning they let you encrypt mail even if you don't have the recipient's public key.

If you choose a recipient for whom you don't have a key, the public key option is disabled. When I tried this mode, Private-Mail generated a link and a password, with the option to send the link via email, and a note that you must send the password separately. Don't click away without copying the password, as you can't get it back. The recipient simply clicks the link, pastes in the password that you sent separately, and downloads the decrypted file.

Private-Mail Sharing

When sending a file to a recipient using a public key you've imported, the process is a bit simpler. Private-Mail still generates a link and lets you send it via email, but you don't have to transmit a password. And naturally it sends the email in encrypted form.

Extended Features

Private-Mail includes a full-scale calendar that lets you record appointments or set up tasks you can check off when finished. It's dandy if you just plan to use the service on one device. Setting up sync with your mobile devices is more complex than even I would attempt.

In the Settings, you can choose from five different themes. If you'll be out of the office, you can set a simple autoresponder message, though it doesn't have Gmail's ability to define a start and end for application of the out-of-office message.

Filters are what Outlook users know as rules, but simpler. You can filter on the From, To, or Subject field, looking for messages that contain, don't contain, or exactly match the text you specify. And you can have it delete matching messages permanently or move them to the folder of your choice. ProtonMail and StartMail offer a similar filter system.

Private-Mail plans to offer apps for Windows, macOS, Android, and iOS. However, if you go to the downloads page, you'll find they're all marked "coming soon." Well, all except Android. I loaded up the Android app and took a quick look. When I found that I'd need to export all my keys and import them on the Android device, I decided to just hold off and take another look after release of all the platform-specific apps.

Other Avenues

Encrypting your email messages and shared files is one way to protect your privacy, but it's not the only way. As noted earlier, another technique involves protecting your actual email address from spammers and trackers by using Disposable Email Addresses, or DEAs. A service like Burner Mail lets you generate a different DEA for each site or individual you interact with online. Messages come to your Inbox, and you can reply as usual, but the recipient never sees your actual email address. If one of your DEAs starts receiving spam, you can just delete it, and maybe look for a merchant who won't sell your email to spammers. Private-Mail's email identities feature offers a limited form of DEA management, but products that focus on DEAs do a better job.

ManyMe offers a different approach to DEAs. Each of what it calls FlyBy addresses includes your unique account identifier, so you don't have to register the address in advance. In an in-person meeting, you can give someone an address like [email protected] without having to load up the app and create the disposable address in advance.

Abine Blur piles on the privacy features like no other. In addition to masking your email address, it can mask your credit card and even your phone number. It has a password manager built in, actively prevents ads from tracking you, and more.

Of course, if your email address is already exposed here and there online, you can't really do anything about it. Or can you? Abine DeleteMe is a service that tracks dozens of personal information aggregators and handles opting you out of any site where it finds your data. This process can't be fully automated; it requires some human interaction. That explains the relatively high price of $129 per year.

Ups and Downs

Private-Mail totally handles the task of exchanging encrypted emails, and it includes uncommon features like a built-in calendar and the ability to store and securely share encrypted files. However, unlike StartMail and ProtonMail, it can only share plain-text messages, and the process of setting up for encrypted message exchange involves a lot of manual labor, where competitors automate the process. It does include the option to create disposable email addresses, but only a few, and at present this feature only works properly for business users. With platform-specific apps still in the works, it's clear this product has room to grow. We'll revisit it at its next evolution.

While encrypting your email is a good way to protect your privacy, it's just one way. Abine Blur lets you shop online without ever exposing your email address, credit card number, or phone number. It includes a complete (if basic) password manager, and its active Do Not Track feature prevents advertisers and others from tracking you online. Abine Blur remains our Editors' Choice in the varied field of privacy products.

This Week In Security: ToTok, Edgium, Chrome Checks Your Passwords, And More - Hackaday

Posted: 03 Jan 2020 12:00 AM PST

Merry Christmas and happy New Year! After a week off, we have quite a few stories to cover, starting with an unexpected Christmas gift from Apple. Apple has run an invitation-only bug bounty program for years, but it only covered iOS, and the maximum payout topped out at $200K. The new program is open to the public, covers the entire Apple product lineup, and has a maximum payout of $1.5 million. Go forth and find vulnerabilities, and make sure to let us know what you find.

ToTok

The United Arab Emirates had an odd policy regarding VoIP communications. At least on mobile networks, it seems that all VoIP calls are blocked — unless you're using a particular app: ToTok. Does that sound odd? Is your "Security Spider Sense" tingling? It probably should. The New York Times covered ToTok, claiming it was actually a tool for spying on citizens.

While that coverage is interesting, more meat can be found in [Patrick Wardle]'s research on the app. What's most notable, however, is the distinct lack of evidence found in the app itself. Sure, ToTok can read your files, uploads your contact book to a centralized server, and tries to send the device's GPS coordinates. This really isn't too far removed from what other apps already do, all in the name of convenience.

It seems that ToTok lacks end-to-end encryption, which means that calls could be easily decrypted by whoever is behind the app. The lack of malicious code in the app itself makes it difficult to emphatically call it a spy tool, but it's hard to imagine a better way to capture VoIP calls. Since those articles ran, ToTok has been removed from both Apple's and Google's app stores.

SMS Keys to the Kingdom

Have you noticed how many services treat your mobile number as a positive form of authentication? Need a password reset? Just type in the six-digit code sent in a text. Prove it's you? We sent you a text. [Joakim Bech] discovered a weakness that takes this a step further: all he needs is access to a single SMS message, and he can control your burglar alarm from anywhere. Well, at least if you have a security system from Alert Alarm in Sweden.

The control messages are sent over SMS, making them fairly accessible to an attacker. The messages are AES-encrypted, but a series of errors seriously reduces the effectiveness of that encryption. The first is the key: to build the 128-bit encryption key, the app takes the user's four-digit PIN and pads it with zeros, so there are only 10,000 possible keys, the equivalent of roughly a 13-bit key. Even worse, there is no message authentication built into the system at all. An attacker with a single captured SMS message can brute force the user's PIN, modify the message, and send spoofed commands that are treated as valid.
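The two defects above are independent: zero-padding a PIN does not add entropy, and encryption without authentication lets a ciphertext be altered undetected. The following added example (not Alert Alarm's code or message format; the PIN, command string and padding are constructed stand-ins) shows why the padded key is effectively 13 bits, how a salted, iterated KDF raises the cost of each guess without pretending to add entropy, and how a message authentication tag makes a modified command fail verification.

```python
import hashlib
import hmac
import math
import os

# Constructed example values; not the product's real key or message format.
PIN = "4729"
SAMPLE_COMMAND = b"ARM=1;ZONE=ALL"


def pin_padded_key(pin: str) -> bytes:
    """The weak scheme described in the text: a 4-digit PIN zero-padded to 16 bytes.
    The key is 128 bits long but can take only 10**4 distinct values."""
    return pin.encode().ljust(16, b"\x00")


def effective_key_bits(pin_digits: int) -> float:
    """Entropy of an all-numeric PIN of the given length: log2(10**digits)."""
    return math.log2(10 ** pin_digits)


def derived_key(pin: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stronger derivation: salted PBKDF2-HMAC-SHA256. Each guess now costs
    `iterations` hashes and the per-device salt defeats precomputed tables.
    The PIN's entropy is unchanged; only the cost per guess rises."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=16)


def protect(message: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so any change to the message is detectable.
    This illustrates the missing authentication step only; a real design would
    use an AEAD mode (e.g. AES-GCM) so confidentiality and integrity come together."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(protected: bytes, key: bytes):
    """Return the message if its tag verifies, otherwise None (constant-time compare)."""
    message, tag = protected[:-32], protected[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print(f"padded-PIN key: {len(pin_padded_key(PIN)) * 8} bits long, "
          f"~{effective_key_bits(4):.1f} bits of entropy")
    salt = os.urandom(16)
    key = derived_key(PIN, salt)
    wire = protect(SAMPLE_COMMAND, key)
    tampered = wire[:4] + b"0" + wire[5:]     # change ARM=1 to ARM=0 in transit
    print("genuine verifies:", verify(wire, key) == SAMPLE_COMMAND)
    print("tampered rejected:", verify(tampered, key) is None)
```

The KDF is a cost multiplier, not a fix for the 13-bit search space; a short numeric PIN is still guessable offline, so the tag is what actually stops a captured message from being turned into an arbitrary command.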

Microsoft Chrome

You may have seen the news: Microsoft is giving up on their Edge browser code, and will soon begin shipping a Chromium based Edge. While that has been a source of entertainment all on its own, some have already begun taking advantage of the new bug bounty program for Chromium Edge (Edgium?). It's an odd bounty program, in that Microsoft has no interest in paying for bugs found in Google's code. As a result, only bugs in the Edge-exclusive features qualify for payout from Microsoft.

As [Abdulrahman Al-Qabandi] puts it, that's a very small attack surface. Even so, he managed to find a vulnerability that qualified, and it's unique. One of the additions Microsoft has made to Edgium is a custom new tab page. Similar to other browsers, that new tab page shows the user their most visited websites. The problem is that the site's title is shown on that page, but without any sanity checking. If your site's title field happens to include JavaScript, that too is injected into the new tab page.

The full exploit has a few extra steps, but the essence is that once a website makes it to the new tab page, it can take over that page, and maybe even escape the browser sandbox.

Chrome Password Checkup

This story is a bit older, but really grabbed my attention. Google has rolled a feature out in Chrome that automatically compares your saved passwords to past data breaches. How does that work without being a security nightmare? It's clever. A three-byte hash of each username is sent to Google, and compared to the hashes of the compromised accounts. An encrypted database of potential matches is sent to your machine. Your saved passwords, already encrypted with your key, are encrypted a second time with a Google key, and sent back along with the database of possible matches, also encrypted with the same Google key. The clever bit is that once your machine decrypts your database, it now has two sets of credentials, both encrypted with the same Google key. Since this encryption is deterministic, the encrypted data can be compared without decryption. In the end, your passwords aren't exposed to Google, and Google hasn't given away their data set either.
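The property that makes this work is a deterministic encryption in which the two keys commute, so encrypting under your key and then Google's gives the same value as the other order. The added example below, which is not Google's code or protocol, models both sides of the exchange with a toy commutative cipher (exponentiation modulo a Mersenne prime; the real system uses elliptic curves). The breach records, usernames and passwords are invented sample data, and the three-byte username prefix follows the description above.

```python
import hashlib
import secrets

# Toy commutative cipher: x -> x**k mod P. Deterministic, and enc(enc(x,a),b) ==
# enc(enc(x,b),a). A stand-in for the elliptic-curve construction used in practice.
P = (1 << 127) - 1


def to_element(credential: str) -> int:
    """Map "username:password" to a non-trivial group element via SHA-256."""
    h = int.from_bytes(hashlib.sha256(credential.encode()).digest(), "big")
    return h % (P - 2) + 2


def enc(element: int, key: int) -> int:
    return pow(element, key, P)


def username_prefix(username: str) -> bytes:
    """The only thing the client reveals in the clear: 3 bytes of the username hash."""
    return hashlib.sha256(username.encode()).digest()[:3]


# --- server side (constructed breach corpus; invented sample records) ---
BREACHED = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "correcthorse")]
SERVER_KEY = secrets.randbelow(P - 2) + 1


def server_respond(prefix: bytes, blinded: int):
    """Re-encrypt the client's blinded value with the server key and return it with
    the server-encrypted bucket of breached credentials sharing the username prefix.
    The server never sees the plaintext credential, only blinded^SERVER_KEY."""
    bucket = [enc(to_element(f"{u}:{p}"), SERVER_KEY)
              for u, p in BREACHED if username_prefix(u) == prefix]
    return enc(blinded, SERVER_KEY), bucket


# --- client side ---
def check_credential(username: str, password: str) -> bool:
    """True if username:password appears in the breach corpus, learned without either
    party disclosing its data: the client only sees the bucket under the server key."""
    client_key = secrets.randbelow(P - 2) + 1
    blinded = enc(to_element(f"{username}:{password}"), client_key)
    double_enc, bucket = server_respond(username_prefix(username), blinded)
    # Apply our own key to each server-encrypted candidate; commutativity means a
    # breached credential lands on exactly the value the server handed back.
    return any(enc(candidate, client_key) == double_enc for candidate in bucket)


if __name__ == "__main__":
    print("alice/hunter2 breached:", check_credential("alice", "hunter2"))
    print("alice/other   breached:", check_credential("alice", "s0mething-else"))
```

Two details carry the privacy argument: the client key is fresh per query, so the server cannot link or dictionary-test blinded values, and the bucket is returned only under the server key, so the client learns nothing about breached passwords other than whether its own is among them.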

The Password Queue

Password changes are a pain, but not usually this much of a pain. A university in Germany suffered a severe malware infection, and took the precaution of resetting the passwords for every student's account. Their solution for bootstrapping those password changes? The students had to come to the office in person with a valid ID to receive their new passwords. The school cited German legal requirements as a primary cause of the odd solution. Still, you can't beat that for a secure delivery method.

Encryption for Android (Guide) | 3 ways to Secure your Android phone - https://proprivacy.com/

Posted: 02 May 2019 12:00 AM PDT

Encryption in its most basic form is the process of changing information into illegible code to prevent people from accessing your data.

As of Android 7.0 Nougat, which was first released in March 2016, almost all Android phones come pre-encrypted. However, this encryption is not without problems. In this article, we show you several ways of encrypting your Android phone.

3 ways to encrypt your Android phone

  1. Use Third-party file Android encryption apps

    If you store highly sensitive data on your phone, then you really shouldn't trust Android's encryption. What you can do, though, is secure your data using third-party apps. 

    EDS / EDS Lite is an open source app that allows you to store files in a secure VeraCrypt (or LUKS, EncFS, or CyberSafe) container on your phone. Cryptomator will encrypt data locally as well as securely syncing it to the cloud.
    High-end Samsung users also have the built-in Secure Folder feature, which allows you to store files and apps in a specially encrypted folder protected by the Samsung Knox security platform. Similar features are available on Huawei, OnePlus, Oppo, Vivo, and Xiaomi phones.
    Note that numerous third-party app locker apps exist, but as far as we are aware these do not actually encrypt data stored by the locked app.

  2. Enable Lockdown mode

    Android 9.0 Pie has introduced a neat feature aimed at stopping people from forcing you to unlock your phone.

    Once enabled, "Lockdown mode" brings up an "Enter Lockdown" option when you long-press the power button. Selecting it disables biometric authentication methods such as fingerprint scanning and Smart Lock (which can open your phone when connected to an authenticated WiFi network or Bluetooth device, for example). 

    To enable Lockdown mode in Android 9.0 Pie:

    1. Go to Settings
    2. Tap Security > Lock screen preferences
    3. Tap Lock screen > Secure lock settings
    4. Tap Show lockdown option (on Samsung phones)

  3. Encrypting SD Cards on Android

    Most phone manufacturers no longer support external SD card storage. A notable exception is Samsung, although others also exist. If your phone supports expandable storage then it should be possible to encrypt it.

    On a Samsung S9+, this is simply done by going to Settings, selecting Biometrics & security and choosing to Encrypt your SD card, but may vary by device. 

    SD card encryption is completely transparent in use, as long as you access encrypted files from the phone you encrypted them on.

    The files cannot now be accessed in any other way, though. If you lose or break the phone used to encrypt the SD card, you will not be able to recover data stored on it.  

Current Android Encryption

Before Android 7.0, data was protected using dm-crypt full disk encryption (FDE).

An open source transparent disk encryption subsystem used in Linux, dm-crypt is commonly used for desktop encryption. This approach works quite well on desktop computers, but not so well in Android as users rarely power their devices down.

Android enforced strong lock screen protection (via either password or fingerprint) to mitigate this problem, but this could never be as secure as the 128-bit AES-CBC with essiv:sha256 encryption used to secure data when the device was off.

If an adversary could bypass the lock screen, a not impossible task, then the encryption keys would just be sitting there in the memory for them to grab.

Final thoughts

These days, high and mid-range Android phones all come encrypted straight out of the box, and this should also soon be true of low-end Android phones. 

This is undoubtedly a step forward for the security of most phone users' personal data, but if you store sensitive files on your phone, then you should further encrypt them using something like EDS. 
