Texting or e-mail: Which gives you more secure communication? - USA TODAY
- Texting or e-mail: Which gives you more secure communication? - USA TODAY
- Google and Apple remove alleged UAE spy app ToTok - BBC News
- Signal Review | Is it worth it? - https://proprivacy.com/
Texting or e-mail: Which gives you more secure communication? - USA TODAY
Posted: 13 Oct 2019 12:00 AM PDT

WhatsApp, text or email – which is the most secure option when your conversation really has to be locked down?

The recent private-messages-going-public news, with Congress scouring the messages obtained from diplomats as part of its impeachment inquiry, again has private exchanges top of mind and offers a good jumping-off point to discuss what options you have with the tools you use most.

There are varying degrees of privacy or protection among the chat and communication platforms. Ultimately, there are precautions you can take.

Encryption, says Apple on its website, is used to protect trillions of online transactions every day, for shopping, paying bills and communicating with programs like its own iMessage or FaceTime, or Facebook's WhatsApp. Encryption, says Apple, "turns your data into indecipherable text."

And this has been a hot topic in Washington. Attorney General William Barr wrote to Facebook, asking it to change its encryption policy for WhatsApp. "We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity," Barr said. Facebook opposes Barr's request.

Meanwhile, how to encrypt your communication?

Start with e-mail

Messages written via popular web programs like Google's Gmail, Microsoft's free version of Outlook or Yahoo Mail are not encrypted by default, nor is government or corporate e-mail. (There are ways to send encrypted Gmail, but only to other Gmail users, via a third party plug-in.)

The free webmail programs are easy to track, both by subpoena and by the companies offering the free tools, says Micah Lee, director of information security for the Intercept website. "E-mail is the easiest to spy on," he says.
That said, there are a handful of startups offering encrypted e-mail, including Switzerland-based Proton, while Microsoft offers the ability to encrypt Outlook (for paying subscribers), but it's complicated. You essentially turn it into gibberish and send a "digital key" to the recipient to unlock it and make it readable.

So you want to turn to the phone and secure text messages

"But you shouldn't use a company device," says Lee. "Many of these have corporate spyware and can take screenshots of what you're doing. Only use your personal phone."

If your personal phone is a Samsung, it offers a feature to encrypt data after it's been generated and have it stored on an external SD card for Galaxy phones. To use this feature for text messages, download the Messages app for Android and move them there.

Know that once you encrypt the data, you're able to decrypt the data only on the same device. Samsung notes that you won't be able to read it anywhere else.

Additionally, the iPhone has a feature that can prevent outside forces like law enforcement or the government from using a USB device to tap into your phone and grab your unencrypted data. Go to Settings, Touch ID & Passcode, and scroll to the bottom for USB Accessories, to click off and prevent USB accessories from connecting when the iPhone has been locked for more than an hour.

Traditional SMS text messages on your phone

Texts sent from an iPhone, the most used digital device in the United States, to another iPhone are encrypted and thus can't be read without decoding, according to Apple. The company says text messages stored on its iCloud service will be encrypted as well, as long as the user has opted in for two-factor authentication sign-ins. Note that if the person on the other end doesn't have an iPhone, the message is no longer encrypted.
(Android phones don't encrypt SMS messages by default, says Lee, but, as we noted, you can back them up to an external card and opt to encrypt the data manually.)

Encrypted chat apps

Signal, Wire, Rakuten Viber and WhatsApp are popular apps to look to for secure encrypted written and spoken conversations.

Yes, the same WhatsApp that's owned by Facebook, the company that's apologized many times for security breaches. Because WhatsApp is the most popular chat program in the world, used by over 1 billion users, the odds are high that the person you want to speak to currently uses it. That's a huge bonus for being able to communicate freely and privately, says Lee. And it makes a big deal on its website about how messages are encrypted and not read by company officials. However, Facebook does have access to your metadata and can determine who you spoke to and when, adds Lee.

- The app Signal does not have Facebook ownership issues and is considered the go-to app for the most secure form of communication. Even Edward Snowden, the former U.S. whistleblower who has been hiding in Russia since 2013, offers a testimonial on Signal's home page. "Signal messages and calls are always end-to-end encrypted and painstakingly engineered to keep your communication safe," the company says. "We can't read your messages or see your calls, and no one else can either." Signal says it doesn't accept advertising and is supported by grants and donations.
- Germany-based Wire says it provides the "strongest security" for organizations and their workers, but it's not free, starting at around $6.50 monthly. "End-to-end encryption gives you the confidence to talk, message, and share across teams and with clients, through a single app that's available on all of your devices," the company says.
- Rakuten Viber, based in Japan, points out on its website that it offers a "Secret Chats" feature that lets users set a self-destruct timer, so just like on "Mission: Impossible" or Snapchat, after the message is read, "it is automatically deleted from the Viber chat."

Facebook Messenger

These messages are not encrypted by default, but they can be. Facebook offers a feature called "Secret Conversation" for private chatting, but both sides have to turn it on for it to work. (Click the word "Secret" at the top right side of the screen on iPhone or the lock icon in the same place on Android.)

Authenticity can be proven during the conversation by both sides checking their digital ID keys (stored under the person's name) and making sure they match.

But privacy is in the eye of the beholder, as the person on the other end of this encrypted conversation can easily make a screenshot and share it with the world. Still, Facebook says the messages are intended "just for you and the other person – not anyone else, including us."

Meanwhile, Lee understands why the diplomats may have opted for texting. "It's quicker and more convenient. Who wants to wait for the e-mail to arrive?"

Follow USA TODAY's Jefferson Graham (@jeffersongraham) on Twitter

Read or Share this story: https://www.usatoday.com/story/tech/2019/10/13/how-keep-your-chats-private-whatsapp-signal-viber/3909981002/

Google and Apple remove alleged UAE spy app ToTok - BBC News
Posted: 23 Dec 2019 12:00 AM PST

Google and Apple have removed an Emirati messaging app called ToTok amid claims that it is used for state spying.

Not to be confused with China's TikTok, ToTok markets itself as an easy and secure way to chat by video or text. However, The New York Times (NYT) has reported allegations that the WhatsApp-lookalike is a spy tool for the United Arab Emirates government.

ToTok has told users that it will be back in the app stores soon. In a blog, it wrote that it is "temporarily unavailable" on the Apple App Store and the Google Play Store because of a "technical issue".

Citing American officials as sources, the NYT reported that ToTok gives UAE spies access to citizens' conversations, movements, and other personal information like photos.

Google removed the app last Thursday and Apple pulled it the following day. However, ToTok users who already have the app on their phone can carry on using it.

Millions of users

ToTok is only several months old but it has been downloaded by users in the Middle East, Europe, Asia, Africa, and North America, according to the NYT. Google Play Store showed that it had five million Android downloads alone before it was removed, while app-tracker App Annie said that ToTok was one of the most downloaded social apps in the US last week.

The NYT reports that the app's publisher, Breej Holding Ltd, is affiliated with DarkMatter, which is an Abu Dhabi-based intelligence and hacking firm that is allegedly under investigation by the FBI for possible cyber-crimes. DarkMatter employs Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives, according to the NYT.

ToTok, DarkMatter, and the Embassy of the United Arab Emirates in London did not immediately respond to a request for comment.

"While the existing ToTok users continue to enjoy our service without interruption, we would like to inform our new users that we are well engaged with Google and Apple to address the issue," ToTok said in a blog. It pointed out that new users with Samsung, Huawei, Xiaomi and Oppo phones could still download ToTok on the phone maker's own app stores.

The company promised to be back "in the near future" with new features such as payment, news, commerce, and entertainment.

Other messaging services like WhatsApp and Skype, which offer end-to-end encryption, are restricted in the UAE. While they can be used for messaging, they can't be used for video calls.

ToTok's privacy policy states that it may share people's personal data with "law enforcement, officials, regulatory agencies and other lawful access requests". It also states: "We may share your personal data with group companies." However, there is no specific mention of the United Arab Emirates government.

Decrypting the app

Security firm Objective-See says that it worked with the NYT on the investigation. In a blog, the company explained that it performed an analysis of ToTok's iOS app on a "jailbroken" iPhone, i.e. one which had been altered to bypass manufacturer restrictions. Analysts decrypted the ToTok app and the app's "network traffic".

The analysts said that the legitimacy of the app is "really the genius of the whole mass surveillance operation". They noted that they found no backdoors, no malware, and no exploits in the app.

Signal Review | Is it worth it? - https://proprivacy.com/
Posted: 19 Jun 2018 12:00 AM PDT

Summary

Signal messenger is widely regarded as the most secure and private way to communicate over distance yet devised. The brainchild of privacy legend Moxie Marlinspike, Signal replaces your default SMS messenger app, making it almost seamless to use.

What is Signal?

Signal is primarily a secure and open source messaging app that replaces your Android phone or iPhone's regular SMS app. Messages to and from other Signal users are sent over the internet and protected by very strong end-to-end encryption.
Messages to and from non-Signal contacts are sent using regular SMS text messaging and are not secure. When sending an insecure text message you are warned that it is insecure and are encouraged to invite your contact to use Signal. This setup ensures that Signal is seamless to use when sending text messages to both other Signal users and to non-users.

Because it is designed to replace your regular SMS client, Signal requires that you register with a valid phone number. I will discuss this issue more a little later. The beauty of this system is that Signal is almost transparent in use, which should make it easier to convince friends, family, and colleagues to use the app!

In addition to text and SMS messaging, Signal also supports secure voice (VoIP) and video calls between users. Although mainly a mobile app, a desktop version also exists.

Is Signal open source?

Open source software is software whose source code has been made publicly available by its copyright holder. This means that it can be independently audited for errors and to ensure that it isn't doing something it shouldn't. Signal was fully independently audited in 2016 and was found to be cryptographically secure.

With closed source code there is no way to know what the code is really doing, and so closed source code cannot be trusted to keep your communications secure. For this reason, you should only trust open source apps such as Signal to keep your communications secure and private. For further discussion on this subject please see Why Open Source is so Important.

Signal uses end-to-end encryption

All secure Signal messages are encrypted on your phone before being sent, and can only be decrypted by the intended recipient(s). This removes the need to trust any third party to keep your data safe, and no third party can access the messages in transit. The only way for an adversary to access messages sent by Signal is if it has direct physical access to your or the recipient's phone.
Even then, Signal includes the option to encrypt all stored messages, which makes it impossible to access them unless the phone owner can somehow be coerced into revealing their passcode. Just remember that messages sent to non-Signal users are not secure!

Is Signal Private Messenger secure?

Secure Signal messages are encrypted using the Signal Protocol, which is arguably the most secure text messaging protocol ever developed. It amalgamates the Extended Triple Diffie-Hellman (X3DH) key agreement protocol, Double Ratchet algorithm, and pre-keys, and uses Curve25519, AES-256, and HMAC-SHA256 as cryptographic primitives.

A great breakdown of what all this means is available here, and as noted earlier, a formal audit has found the Signal protocol to be cryptographically sound. As of March 2017, Signal's voice and video calls are encrypted using the same Signal Protocol that secures text messages.

Additional security features

Messages and notifications can be locked with a passphrase, and you can opt to use an "incognito keyboard" that will not learn from your typing. Signal also features disappearing messages, which is similar to Snapchat's defining feature.
Importantly, Signal provides a mechanism to verify the identity of your contacts. Each conversation has a unique safety number (fingerprint) which you can compare with other participants and mark as verified when you are sure of their identity.

Issues With Signal Private Messenger

The following design decisions by Signal have come under criticism, although Signal has gone a long way towards answering them.

Contact discovery

In order to seamlessly replace your phone's SMS messenger with the Signal app, Signal uses real phone numbers to match up contacts. Some regard this as a privacy risk and would prefer a system of contact discovery based on email addresses or anonymous usernames. There are, however, two very strong mitigating factors in Signal's favor on this issue:

Google Play Services

Until last year Signal for Android was only available from the Google Play Store, and therefore required Google Play Services to run. Although Moxie Marlinspike robustly defended this decision, many considered it a major security issue as this proprietary software gives Google the ability to perform extensive low-level surveillance on users' devices.

Signal still recommends that you download the app via the Google Play Store, but it is now also possible to download a Google-free .apk of Signal directly from the official website.

Does Signal Keep Metadata?

The Signal Protocol does not prevent a company from retaining information about when and with whom users communicate. The only metadata information that Signal itself retains is "the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service." This claim has been proven in court.

Other companies that have incorporated the Signal Protocol into their products, however, may not have such a robust attitude to users' privacy.

Funding

As with other high profile open source privacy projects such as LEAP (which is used to run RiseUp.net), WikiLeaks-alike GlobaLeaks (endorsed by Tor devs such as Jacob Appelbaum), the Guardian Project (makers of ChatSecure and Orbot), and the Tor Project itself, Signal's parent company, Whisper Systems, receives generous financial assistance from US government funded agencies.

Many privacy activists and open source developers argue that good math is good math regardless of where the funding comes from, and that the funding necessary to develop secure systems is otherwise very hard to come by. This question of funding has, however, led some to question the integrity of such claims. For an excellent discussion on this subject, please see Internet privacy, funded by spooks: A brief history of the BBG by Yasha Levine.
Despite these concerns (which affect almost all major open source security projects), Signal appears to be among the most secure applications currently available. You pays your money (or not in this case), and you takes your chances…

The baseband processor

Inside every mobile phone ever built is a proprietary closed-source chip called a baseband processor. Given the nature of what little is known about this closed source chip, there is every reason to believe it could allow mobile providers to bypass any encryption used by any app running on a mobile phone. They could readily access all content on a phone in cleartext and in realtime by the simple expedient of accessing it at the point it becomes encrypted/decrypted.

Or at least that is the theory. No evidence of this actually happening has ever been reported. It should be stressed that none of this is Signal's fault, and is a potential flaw in all mobile security software. It should also be stressed that an adversary using such methods to spy on smartphone users' encrypted communications would have to be very powerful (e.g. the NSA), and would almost certainly have to specifically target a known individual's phone (so no blanket spying).

Blocking

In response to being blocked by Egypt in December 2016, Signal introduced domain fronting. This allows Signal users in certain countries to circumvent censorship by making it look like they are connecting to a different Internet-based service. Domain fronting is currently enabled by default in Egypt, the UAE, Oman, and Qatar, so users in those countries can access Signal as normal.

Unfortunately, users in Iran are not so lucky. Signal's domain fronting feature relies on the Google App Engine service which is not available in Iran due to Google's compliance with US sanctions.

How to Use Signal

When you install Signal it replaces your default SMS messenger.
By default all your old messages and message history are imported, and Signal makes use of your default dialler contact list. In use it acts just like your regular SMS messenger when dealing with non-Signal users, except for displaying an option to invite them to Signal. As usual, SMS messages cost whatever your mobile provider and payment plan specify.
When you message other Signal users you are alerted to the fact, and messages are securely encrypted. You can also start a voice, video, or group chat with them. Secure Signal conversations are transmitted over the internet and (other than any bandwidth charges from your ISP or mobile provider that might apply) are free.

Other apps that use the Signal Protocol

Thanks to its formidable reputation for secure end-to-end encryption, a number of other high profile messaging apps now also use the Signal Protocol. This includes WhatsApp, Facebook Messenger, and Skype.

Broadly speaking this can be considered a major win for privacy, as it brings secure end-to-end encrypted messaging to millions of ordinary users who would not otherwise care about privacy issues. Do please be aware, however, that although they use the same underlying Signal Protocol, these third party apps are not as secure or private as using the Signal app itself. This is because:

That said, you probably have a lot of friends who already use WhatsApp, Facebook Messenger and Skype, so they are therefore more likely to actually encrypt their messages using these apps…

Signal Private Messenger: Conclusion

Signal has revolutionized private chat by introducing highly secure open source end-to-end encrypted messaging that is as easy and seamless to use as sending regular SMS text messages. Its use of real phone numbers for contact discovery does concern some, but this is heavily mitigated against. Quite simply, if you want secure private conversations, then there is no real competition to Signal.



