Digital Security and Privacy

Email Is Among the Least Secured Channels of Communication!

Email vulnerabilities—sketch by Mohammad Tauheed

[I sketched that stupid thing. It is ok to steal, just mention where you stole it from]

Email is an archaic technology that has not improved much since its protocols were created in the early days of the Internet. It is among the most frequently used and least secured modes of digital communication today.

In general, emails are not encrypted. All emails are stored as plain text on the server. Anyone with access to that server (including your web administrator, internet service provider, web-hosting provider or server admins, depending on where it is hosted and which protocol/port it was transferred with) can read and also EDIT all your emails, without even having to know your password. This covers about 99% of the email we use, including Gmail, Yahoo, Hotmail and especially your office/university/work email. Typically your work email is hosted on servers with even weaker infrastructure and security, managed by “semi-professional IT guys”; yes, they can read and edit all your official emails, and they don’t have to know your password.

Any private communication that is not end-to-end (E2E) encrypted falls into the shaky territory of trusting the people who run the servers. Email protocols, by the way they were originally designed, do not have E2E. Oftentimes they do not even have basic TLS (Transport Layer Security, an encryption protocol that keeps your emails undecipherable “on the way” to and from the servers). Whatever the transport, emails remain readable and editable by the person(s) who has access to the server.

I always wonder how and why emails are so often held up as authentic legal documents, when the technology is completely unreliable, with shabby security and no real authenticity. By the time a court subpoenas an email, it can already have been edited without leaving a trace.

Another big issue with email is the authenticity of its ‘origin’: whether the email actually came from where it claims to come from. There are very limited ways to verify that. You can literally send emails posing as anyone to anyone. A simple PHP mailer script will let you send emails to your friends as if they came from [email protected], offering them a billion dollars because you have too much money to keep. Over time there have been some improvements on this front in verifying the origin of an email before it gets delivered to your inbox; however, they are not foolproof and not universally enforced. These techniques include DKIM (DomainKeys Identified Mail, a method of publishing a public signing key for a domain so that the receiver can verify the email originated from that domain; it does not authenticate an email at the personal level, though) and SPF (Sender Policy Framework). If you are curious, search and explore more about these technologies.
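To make the DKIM/SPF point concrete, here is an added example (not part of the original post) that reads the Authentication-Results header a receiving mail server stamps on a message and checks whether the domain that actually passed SPF/DKIM lines up with the domain shown in the visible From: header. The two messages, the domains and the signature values are constructed for the example; the alignment rule (compare the last two labels) is a simplification of what DMARC does.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From: claims a bank domain, but the receiver's
# Authentication-Results show the mail was signed (DKIM) and sent (SPF) for a
# different domain, so the From: header should not be trusted.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org; dkim=pass header.d=bulk.example.org
DKIM-Signature: v=1; a=rsa-sha256; d=bulk.example.org; s=sel; h=from:subject; bh=abc; b=xyz
From: "Your Bank" <alerts@bank.example.com>
Subject: Urgent: confirm your transfer

You have too much money, send some to us.
"""

# Constructed sample where the authenticated domain matches the From: domain.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example.com; dkim=pass header.d=bank.example.com
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example.com; s=sel; h=from:subject; bh=abc; b=xyz
From: "Your Bank" <alerts@bank.example.com>
Subject: Monthly statement

Your statement is ready.
"""

def _org_domain(domain):
    # Simplified "organisational domain": the last two labels (example.com).
    # Real DMARC consults the public suffix list; this is enough to illustrate.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_alignment(raw):
    """Return which checks passed and whether they vouch for the From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", auth)
    result = {
        "from_domain": from_domain,
        "spf_pass": bool(spf and spf.group(1) == "pass"),
        "spf_domain": spf.group(2).lower() if spf else None,
        "dkim_pass": bool(dkim and dkim.group(1) == "pass"),
        "dkim_domain": dkim.group(2).lower() if dkim else None,
    }
    # A "pass" only says the mail came from *some* domain; it vouches for the
    # visible sender only when that domain aligns with the From: domain.
    result["dkim_aligned"] = result["dkim_pass"] and _org_domain(result["dkim_domain"]) == _org_domain(from_domain)
    result["spf_aligned"] = result["spf_pass"] and _org_domain(result["spf_domain"]) == _org_domain(from_domain)
    result["trust_from_header"] = result["dkim_aligned"] or result["spf_aligned"]
    return result

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, check_alignment(raw))
```

Note that the spoofed message shows dkim=pass and spf=pass, which is exactly why a bare "pass" in a header is not the same as the From: address being genuine.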

Given that, if you ever receive an email from a “friend” (generally someone using a friend’s email) asking for money or offering you money, asking for a password or OTP code, or luring you into downloading and opening an unsolicited attachment, always verify it through a mode of communication other than email, i.e. call them up to check. If they claim to have “lost their phone,” tell them to call you from a phone booth before you take any action. “Any action” includes downloading/clicking/opening any attachment “they” send.

There is one not-so-easy way to encrypt your emails end to end: PGP encryption. You can install an OpenPGP package on your computer and email client to encrypt mail on your existing email addresses. There are also some webmail services with built-in PGP encryption, like Protonmail or Tutanota, although they come with an inherent limitation: the E2E only works if both parties, the sender and the receiver of an email, have PGP-enabled email. If you would like to learn more about their encryption techniques, comparing Protonmail vs Tutanota, check out this post. Both of these services also offer hosting for your custom domain emails, i.e. you can move your business’s entire email to their encrypted servers.

The bottom line is: if you are communicating anything private or sensitive, do not use email to begin with. Use one of the end-to-end encrypted messaging services instead.


Meanwhile, if you want to learn more about the basics of overall digital security and privacy for everyday use, sign up for the week-long Digital Security and Privacy—101 course that I teach almost every other month.

You Thought Zoom Is Insecure?—So Is (Almost) Every Other Group Video Calling Service!

Group video calls

[Stock photo stolen from TechCrunch]

Recently you may have heard about Zoom’s security issues. They are true: Zoom’s video calls are not secure; they are not fully encrypted. But the bigger truth is, neither are the others! The one exception is Apple’s FaceTime.

One-to-one video calls are secure on a few platforms (like Signal), but group video calls are difficult to encrypt end-to-end (E2E). Often it is not just about the will of the service provider; it is also a technology limitation.

If you know the concept of E2E, it is not supposed to reveal absolutely anything on the way to and from the recipients of data, not even to the servers. Now think about how an app manages a group video call: it zooms in on or highlights the person who is talking, right? That means the “server knows” who is talking, hence it is most certainly not an E2E technology. For the same reason it is difficult to make group video calls E2E in general, as the server needs to know who is talking and when in order to organise the video streams and bandwidth allocation. In most cases Transport Layer Security (TLS/HTTPS) may be enforced, which encrypts the calls on the way to and from the servers, but the server itself can listen to, record and archive the calls as open, unencrypted video, and most probably you have already consented to recording and automated transcription by clicking some “I agree” jargon that nobody reads. Those recordings can be subpoenaed by government agencies depending on your local laws.

Now how to know if your conversation is secure:

Is it a group video call? Then assume by default that it is not secure, and be careful about what you are saying. It does not matter whether you are on Zoom, Google Meet, Facebook Messenger, WhatsApp, Skype, Viber, StreamYard etc.: nobody has E2E security on group video calls (except FaceTime).

An open-source platform called Jitsi is now gaining traction; you can use their Jitsi Meet platform for group video calls (still not fully encrypted, but they are testing an E2E option for group calls). The good thing about Jitsi is that calls on their platform are often routed peer to peer, avoiding a central server. Jitsi can also be scaled and hosted independently on your own server, which makes it more secure by eliminating the issue of trusting third-party servers for storing and routing video calls.

The bottom line for everyday practice: remember, group video calls are not secure in general; it does not matter which platform you are using.

Do you feel unsafe online?


A quick digital security guide: 4 tips to keep you safe

Mohammad Tauheed and Sarah-Jane Saltmarsh

The world that emerges at the end of 2020 is going to be starkly different from what we have been used to, and these changes are happening too rapidly for many to keep up. There has never been a better time to instill good digital security practices into your life. Here are a few tips (Part 1 of 2):

(1) Spot misinformation

Crises are times of large information gaps. We are impatient, so we often fill these blanks with unfounded theories, made up by people taking the chance to fabricate information for a ready audience. Recent months have brought an infodemic with them — a surge of misinformation, unfounded theories and unqualified experts.

Here is an example of a headline which is likely to be fake: ‘Remedy for Covid-19: [Insert medicine name] Cures Covid-19’.

All of our knowledge about Covid-19 is so far gathered from general observation, previous knowledge of similar viruses, and speculation. We have not had enough time to confirm anything through standard scientific ways of researching, testing and publishing, so a headline not containing some sort of doubt in it is likely to be false.

Here is an example of a headline which is more likely to have some truth in it: “A group of doctors claim [insert medicine name] is helping some patients”.

Always check sources of all news, dates, authors and the source of sources. Memes or random people making YouTube videos are not credible sources. In a rush to constantly create more content, even news outlets are basing reports on social media posts, e.g. the news about dolphins in Venice canals. If research is cited, check where it came from, and, if possible, who funded it. Watch for lobby groups with misleading names paid to push agendas. Check if a reputable newspaper has covered the issue yet. Our trusted media sources include the Guardian, BBC, New York Times, Economist, Telegraph, Hindustan Times, Japan Times and Al Jazeera.

If you are looking for COVID-19 updates, it is better to refer to WHO-run websites, or your country’s official website.

(2) Choose your news

Do not just rely on your social media feed for news, otherwise you will only see content that your algorithm thinks you should see.

Each time you click and search from a browser, your activity is logged as your ‘interest’, and added to your personal algorithm, which creates your bubble of information (content which is consistent with what you have already searched for).

Take control of your news sources: make a habit of visiting the homepages of a few trusted news sites, such as the ones cited above. This also ensures that your traffic supports these news sites, rather than social media giants (remember that every click/second spent browsing the internet is monitored and worth money).

(3) Encrypt your communication

Encryption is the holy grail of security on the Internet today. There are two types of encryption you need to know about:

TLS/SSL encryption, displayed as a lock sign next to the URL in a browser, is the bare minimum of security that you should make sure is enabled every time you are writing on a webpage, such as email, Google Docs and sign-up forms. It means that your device encrypts your data to and from the server. The server itself can read it or use it, but nothing can be stolen on the way to and from the server.

End-to-End Encryption (E2E) is more advanced: a technique for transferring data between two devices where even the server (or anything/anyone else) cannot decrypt it.

Most of us are aware now that conversations held over platforms owned by social media giants can be archived, recorded and used for advertisement targeting or be used against us. They are an obvious target for hackers and governments for surveillance.

Generally, all social media has TLS encryption, but unless they have E2E, the messages are open and saved as plain text on the server, i.e. they can be read, analysed, sold for ads or subpoenaed by the government.

Two platforms which offer strong E2E and are becoming increasingly popular and user-friendly are Signal and iMessage/FaceTime.

(4) Exercise caution with group calls

Group video calls are difficult to encrypt because of the nature of the technology. The server needs to know who is talking, so it can highlight one speaker at a time — so it needs access to the group activity to manage a call, making E2E difficult.

You may want to stop using Facebook and Google (and anything which is owned by them, e.g. Instagram and Facebook Messenger, Meet, Hangouts etc.) for private conversations; almost all governments have some sort of agreement or backdoor access to them. Skype has a bad reputation for security. Zoom is not end-to-end encrypted; they recently suspended encryption for free calls, and some of their admin features have been criticised for being too invasive (the host can track whether you are attentive to the meeting window, etc.).

Jitsi is a more secure option. Create a URL from meet.jit.si and send it to your peers; no account or information is required, and you can set a password. Jitsi is completely free, unlimited, open-source and encrypted. They also have an API, so you can integrate Jitsi inside your team/corporate apps/software.
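The difference between transport encryption (tip 3) and E2E, and why a group-call server still needs to see who is talking (tip 4 and the Zoom piece above), can be shown with a small simulation. This is an added illustration, not code from any of the services named on this page: a relay that terminates the transport layer, three participants, and a toy keystream cipher built from SHA-256 (constructed for the example; a real system would use a proper AEAD cipher and per-connection TLS keys, which are collapsed into one shared transport key here for brevity).

```python
import hashlib
from dataclasses import dataclass

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) so the example needs no extra
    # libraries. Illustrative only; real systems use an AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

@dataclass
class Frame:
    sender: str
    audio_level: int   # left in the clear: the relay needs it to pick the active speaker
    payload: bytes     # media under the transport key (and the group key, if E2E)

class Relay:
    """The conferencing server. It terminates the transport (TLS-like) layer,
    so it always sees whatever sits directly inside that layer."""
    def __init__(self, transport_key: bytes):
        self.transport_key = transport_key
        self.seen = []   # (sender, audio_level, media as the relay sees it)
    def forward(self, frame: Frame, nonce: bytes) -> Frame:
        inner = xor_crypt(self.transport_key, nonce, frame.payload)
        self.seen.append((frame.sender, frame.audio_level, inner))
        return frame
    def active_speaker(self) -> str:
        return max(self.seen, key=lambda s: s[1])[0]
    def media_seen(self) -> list:
        return [s[2] for s in self.seen]

def send(relay, sender, level, media, nonce, group_key=None) -> Frame:
    # TLS-only mode: media is encrypted only to the relay.
    # E2E mode: media is first encrypted with group_key, which the relay never
    # receives, and then wrapped in the transport layer exactly as before.
    inner = xor_crypt(group_key, nonce, media) if group_key else media
    return relay.forward(Frame(sender, level, xor_crypt(relay.transport_key, nonce, inner)), nonce)

def receive(relay, frame, nonce, group_key=None) -> bytes:
    inner = xor_crypt(relay.transport_key, nonce, frame.payload)
    return xor_crypt(group_key, nonce, inner) if group_key else inner

def demo(group_key=None):
    """Run a constructed three-person call; return (speaker the relay picked, media the relay saw)."""
    relay = Relay(transport_key=b"tls-session-key")
    for who, level, media in [("alice", 10, b"hi all"), ("bob", 80, b"quarterly numbers"), ("carol", 5, b"brb")]:
        nonce = b"frame-1-" + who.encode()
        frame = send(relay, who, level, media, nonce, group_key)
        assert receive(relay, frame, nonce, group_key) == media   # participants always decode
    return relay.active_speaker(), relay.media_seen()

if __name__ == "__main__":
    print("TLS only:", demo())
    print("E2E     :", demo(b"group-secret-shared-by-participants"))
```

In both modes the relay still picks bob as the active speaker from the cleartext audio level, which is the metadata the text says the server must know; only in E2E mode is the media it forwards unreadable to it.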

__

Mohammad Tauheed is an editor, architect and technology consultant and Sarah-Jane Saltmarsh specialises in storytelling, communications and branding, in Australia and Bangladesh. We both believe that a better world is possible — both in real and digital life, and that all the tools to make it happen already exist.

Originally published on Sarah-Jane Saltmarsh’s Medium

How to Stop Your Facebook Account from Being “Hacked”

Facebook security

In the wake of an epidemic of hacked Facebook accounts, here are my suggestions for saving your account from getting “hacked”.

Understanding:

1. Often, your Facebook account doesn’t get hacked, and it is not about your Facebook password either; rather, it is your email or your phone that gets ‘hacked’. It simply begins with asking Facebook to reset your password using your name, username, your most commonly known email address etc. The password reset key is then sent to your email, or 2FA codes to your SMS. These get stolen by hacking your email or spoofing your phone number.

2. Oftentimes, these “hackings” are done by people who somehow know you, i.e. people who might know some verifiable information about you, like your email address, phone number, date of birth etc. This group includes people who have a copy of your NID or passport, like a stupid concert that asked for ID for entry, a Facebook group or page you shared your information with, a security guard to whom you gave your full name, phone number and email address to enter a building, or the IT support guy who helped you install your anti-virus; all of them are possible attackers. Hacking an absolutely random, unknown account is way more difficult than hacking the account of someone you have certain information about.

Here is the most effective way to prevent your Facebook account from being hacked, as far as I have tried and tested:

Pre-requisites:

1. Install Authy for Two-Factor Authentication (2FA) code generation. Ideally, use a password manager app; I recommend Dashlane or Bitwarden.

2. Immediately turn on Two-Factor Authentication [on Facebook, go to Settings > Security and Login > Two-Factor Authentication]. Use Authy for generating codes; avoid codes by SMS.

3. Go to Facebook Settings > Apps and Websites; ideally remove everything from here, or keep only the apps/services/games that you must keep. Give up the habit of “log in with Facebook” completely; use your email address for opening accounts on various websites and services.

4. Do not leave your computer or phone unlocked, EVER, not at home, not at work; religiously lock your computer before you leave your desk (on Windows it’s Windows+L, on Mac it’s ⌘+Control+Q) even if it is for a few seconds. On your work machines insist on a personal account on the computer, and do not share its password with anyone; your office’s IT team can have their own admin account on the computer for maintenance, but they never need your personal account’s password. If your employer disagrees about it, quit the job.

5. Do not log in to your account from random computers/phones, not even your friends’, family’s or office computers, unless you already have a “computer user account” on that machine. If you don’t, and you must use your Facebook, then use a “Guest” account on the machine, or at least an incognito/private window, and be sure to carefully check the address bar of your browser: it must show a lock sign and the URL must be exactly https://www.facebook.com/ with nothing else at the end or in the middle (if the full URL is not visible, click on the address bar to see the full form of the URL), to make sure you are not putting your ID and password into a fake phishing website.
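The address-bar check in step 5 is easy to get wrong by eye, so here is an added example (not from the original post) that applies the same rule in code: accept a URL only if the scheme is https and the host is exactly www.facebook.com. The sample URLs are constructed and cover the usual look-alike tricks (extra labels after the real name, a user@ prefix, a non-standard port, plain http, and a Cyrillic letter standing in for a Latin one).

```python
from urllib.parse import urlsplit

# The only origin the text says to accept: scheme and exact host.
EXPECTED_SCHEME, EXPECTED_HOST = "https", "www.facebook.com"

def is_genuine_login_url(url: str) -> bool:
    """True only for https URLs whose host is exactly www.facebook.com."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != EXPECTED_SCHEME:          # urlsplit lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False                             # https://www.facebook.com@evil.example/
    host = parts.hostname                        # lower-cased, port and userinfo stripped
    if host is None:
        return False
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # A homoglyph host (Cyrillic o in "facebook") becomes an xn-- label under
    # IDNA and so fails the exact comparison instead of looking identical.
    return ascii_host == EXPECTED_HOST and port in (None, 443)

# Constructed test cases: what a user might see in the address bar.
SAMPLE_URLS = {
    "https://www.facebook.com/": True,
    "https://www.facebook.com/login.php?next=%2F": True,
    "HTTPS://WWW.FACEBOOK.COM": True,
    "http://www.facebook.com/": False,                       # no TLS
    "https://facebook.com/": False,                          # not the exact host the text names
    "https://www.facebook.com.login-verify.example/": False, # real name as a prefix of a fake host
    "https://www.facebook.com@evil.example/": False,         # real name in the userinfo part
    "https://www.faceb\u043eok.com/": False,                 # Cyrillic o instead of Latin o
    "https://www.facebook.com:8443/": False,                 # unexpected port
}

def check_all() -> dict:
    """Run the check over every sample URL and return url -> verdict."""
    return {u: is_genuine_login_url(u) for u in SAMPLE_URLS}

if __name__ == "__main__":
    for u, verdict in check_all().items():
        print("OK  " if verdict else "NO  ", u)
```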

Steps to Secure Your Facebook:

1. Create a new encrypted email address dedicated to Facebook. Use Protonmail for making the new address. Ideally do not share this email address with anyone, and avoid using it publicly.

2. Go to Facebook Settings > General > Contact. Add your new Protonmail address as the primary email. You must remove every other email address from your account.

3. Check where you are logged in and remove any unknown or unnecessary device from the list.

4. On Protonmail go to Settings > Security: turn on Two-Factor Authentication; as always, use Authy and avoid SMS.

5. (On Protonmail) now go to Settings > Keys: click the dropdown arrow next to your email address, click Actions: Export, and select “Public Key.” It will download an ASC file. Open the ASC file with Notepad (or TextEdit on Mac). Select all and copy everything from the file.

6. Now go to Facebook Settings > Security and Login > scroll down to Encrypted notification emails. Paste the text here. Tick the box for “Use this public key to encrypt notification emails that Facebook sends you?” and save.
It might send a test email to your Protonmail to check that the encryption key is working. This email might land in your Protonmail spam folder. Click “Yes, encrypt notification emails sent to me from Facebook.” to confirm.
Now your Facebook setting for Encrypted notification emails should show “On”.

7. Memorise your Protonmail login password, or use Dashlane to save it. Now go to Protonmail Settings > Account > disable the “Allow password reset” option. Remember that this means if you forget your Protonmail password, it is not recoverable; you are screwed. But this is the final layer of security.

You are all set. It will now be super-duper difficult for anyone to hack into your Facebook account.

If you need any further help about this write to [email protected]
I recommend you take the Digital Security and Privacy—101 course that I conduct for one week almost every other month.

We are already naked

We are already naked to some of the tech giants. Now, before you sign up for another new service or install another new app on your phone that asks for a lot of unreasonable access, you must think twice before you drop your pants for yet another company.

There are two approaches for amateurs to hide their asses across online ecosystems.

1. You sell yourself to a maximum of two tech companies and their ecosystems. Give them everything, drop your pants. And never use these services to log in to other websites.

Personally I somewhat trust two companies, Google and Apple. I’m naked to them. And I’ve learned to accept it, for the ease and services they provide. But I am very careful about giving access to certain things to any other service. Those are my contacts book, my live-location, shopping and search habits.

I still hide two things from Google in particular. 1. My search habits: I always use incognito, VPN-enabled windows for searching, and I often avoid Google for searching altogether. I try to use DuckDuckGo (they suck) or Bing (they suck a little less). When I must use Google, I take precautions. 2. My voice. I have recently completely shut off microphone access for all Google-owned services. I don’t trust Google with my voice.

2. Divide and rule: don’t put all your eggs in the same basket. If you are giving away your location to one company, don’t give them your voice. If you are giving away your camera and photos to one, don’t give the same one your location, so that there is always less than enough meta-information and data points about you if one system is compromised. Similarly, when you are communicating a set of sensitive information, split the communication, i.e. send the username via iMessage and give the password over a phone call or a Signal text, without giving much context in any of the individual messages.