Showing posts with label email. Show all posts

Sunday, January 25, 2015

Email Encryption Options

Q.  I have a client who wants us to use encryption for emails and attachments (not voice). Do you have a solution?

A. Thanks for asking. Your client has a number of fairly easy and low cost options.

• If they use Microsoft Office Outlook have them read this.
• Mac Mail. Read this.
• Thunderbird. Read this.
• Google Apps. Read this.
• Here are the 2015 reviews for the "Top Ten" 3rd-party email encryption programs.
• This is a good article on how to implement email encryption.

Not knowing the client, their needs, IT expertise, etc., I can't point them to anything specific, but the above links will certainly get them started.

Hope this helps,
Kevin

Monday, January 19, 2015

Security Director Alert - China Travel and Email

Users of Microsoft's Outlook email service in China had their accounts hacked on Saturday 17 January by the Chinese government, according to web monitoring website GreatFire.org.

The attacks affected people using email clients such as Outlook, Mozilla's Thunderbird and apps on their smartphones that use the SMTP and IMAP protocols, but did not affect the browser versions such as www.outlook.com.

The man-in-the-middle attack used by the hackers allowed them to intercept conversations between victims, which appear to be private but are in fact controlled by the hackers.

GreatFire.org was able to reproduce the results seen by victims, including the fake certificates used by the hackers to pretend they were the intended recipient.

"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor," a blog post said on Monday 19 January.

The attack on Outlook comes just a month after the Chinese government blocked the use of Google's Gmail service in the country.
(more)

Thursday, December 11, 2014

A Guide to Electronically Stored Information Preservation Responsibilities

The litigation-related duty to preserve relevant evidence, including electronically stored information (ESI), is well established and widely known in the legal community and the business world...

In today’s legal climate, even a company’s seemingly innocent delay in implementing an appropriate method to preserve ESI may be catastrophic...

This white paper guides litigants through their responsibilities to preserve evidence and provides valuable information on implementing a defensible legal hold process. (more) (pdf)

Tuesday, November 18, 2014

Your Email is Hacked - Now What?

The State Department has suspended its unclassified email system in response to a suspected hacking attack. 

The unprecedented shutdown on Friday was reportedly applied to give technicians an opportunity to repair possible damage, as well as to apply security improvements. (more) 

But, what if it's your email? You don't have "technicians" to turn to. Techlicious to the rescue...

Step #1: Change your password. 
Step #2: Reclaim your account. 
Step #3: Enable two-factor authentication. 
Step #4: Check your email settings. 
Step #5: Scan your computer for malware. 
Step #6: Find out what else has been compromised. 
Step #7: Humbly beg for forgiveness from your friends. 
Step #8: Prevent it from happening again.

Full details for each step are outlined here.

Thursday, June 12, 2014

alt.eMail - Send Spyproof Messages

Beepip uses your own computer's power to scramble messages. It then blasts these encrypted messages out over a peer-to-peer network and only descrambles them when they arrive at the right beepip address. Because no central server is involved, there is no chance of snooping.

Encrypted email isn't secure.
Unlike traditional email and instant messaging which leave data trails that companies and governments can access, the security and anonymity built into Beepip means that no outside force—not even the team that built Beepip—can see your messages or track down senders or receivers of messages.


Simply Beepip.
Beepip’s easy-to-use interface brings cryptography and secure communication to non-expert users, while also achieving military-grade security against hackers.

Whisper or shout Beepips.

A beepip can be sent to an individual or a whole group of subscribers. Broadcasts are messages that are sent out to any group of Beepip users that are listening. In this way, organisations or individuals can get information out to their subscribers anonymously if they choose. (more)

Thursday, April 3, 2014

Murray Security Tip #416 - Evil Photo Double Extension Trick

Isn't this the cutest kitty?
Click CuteKitty.jpg to enlarge.
DON'T CLICK, it might be the old double extension trick. 

Although this photo does NOT contain a virus, others might.

Many Windows computers will display emailed CuteKitty.jpg.exe – an executable program – as CuteKitty.jpg – which seems harmless.

When you click, you might be shown a cute kitty... while a virus is loading in the background.

Tip 1 - Don't click on stuff if you don't know where it has been. 
Tip 2 - If you want to click anyway, open Windows search; enter "folder options"; select Folder Options; View tab, uncheck "Hide extensions for known file types." Check for the double extension trick.
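The same check can be applied at the mail gateway or in a triage script before anyone sees the attachment. The following is an added example, not part of the original post: it parses a message and flags attachment names whose real (last) extension is executable while a harmless-looking one sits in front of it. The extension lists, function names and sample message are assumptions made for illustration, and the padded-whitespace case goes slightly beyond the exact trick described above.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (a common subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Harmless-looking extensions typically used as the decoy.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows drops trailing dots and spaces, so remove them before judging.
    cleaned = name.strip().rstrip(". ").lower()
    stem, last_ext = os.path.splitext(cleaned)
    if last_ext not in EXECUTABLE_EXTS:
        return "ok"
    # Padding such as "photo.jpg      .exe" pushes the real extension out of view.
    _, decoy_ext = os.path.splitext(stem.rstrip())
    return "double-extension" if decoy_ext in DECOY_EXTS else "executable"


def scan_message(raw):
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_filename(name)))
    return results


def build_sample():
    """Constructed test message; the attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Isn't this the cutest kitty?"
    msg.set_content("Click CuteKitty.jpg to enlarge.")
    for name in ("CuteKitty.jpg.exe", "holiday.jpg", "report.pdf      .scr", "setup.exe"):
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {filename!r}")
```

A verdict of `executable` is still worth a policy decision, but `double-extension` is the case where the name itself is trying to mislead the recipient.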

Wednesday, January 8, 2014

Amateur Spies - Surgeon Accused of Spying on Ex with Software

TX - A pioneer in cancer research is facing a second degree felony charge in an alleged plot to spy on his ex-wife while they were going through their divorce.

According to prosecutors, Dr. Steven Curley plotted with a computer expert to install a program called eBlaster. (more)


IA - ...the Iowa City landlord found guilty last year of spying on his tenants (six counts) through bathroom peepholes in 2012, has motioned for a new trial... (speed bump) ...The city’s Housing and Inspections Services office says the city’s housing code doesn’t address cases such as this, therefore Miller is able to continue to own and manage the properties. (more)

PA - Forty-three years after the mysterious theft of up to 1,000 documents from an FBI office outside Philadelphia, three former political activists are publicly confessing to the brazen burglary, calling it an act of “resistance” that exposed “massive illegal surveillance and intimidation.”... Members of the burglary team, armed with little more than a crowbar and wearing suits and ties, then walked off undetected with suitcases stuffed with sensitive bureau files that revealed a domestic FBI spying operation known as COINTELPRO. (more)

Canada - A St. Albert man who surreptitiously took pictures of young girls in change rooms at five Alberta recreational facilities... was sentenced to two years in prison Tuesday. (more)

FL - A St. Augustine man and former Putnam County deputy (and St. Johns County reserve deputy) accused of using his cellphone to record a tanning room at the U.S. 1 South World Gym was sentenced Tuesday to 300 days in jail... a woman reported that a gym employee put a cellphone in the closet of the tanning room to record people getting in and out of the booth... (more)

The Point
Anyone can be a spy. The technology is cheap, and easy to use. Just add motivation. 

FutureWatch
This will become a real workplace issue in 2014. 
And now, a very creepy moment of spy Zen...

Monday, November 25, 2013

Not to be Out-Spooked by the NSA...

The FBI is expected to reveal Thursday that because of the rise of Web-based e-mail and social networks, it's "increasingly unable" to conduct certain types of surveillance that would be possible on cellular and traditional telephones.

FBI general counsel Valerie Caproni will outline what the bureau is calling the "Going Dark" problem, meaning that police can be thwarted when conducting court-authorized eavesdropping because Internet companies aren't required to build in backdoors in advance, or because technology doesn't permit it.

Any solution, according to a copy of Caproni's prepared comments obtained by CNET, should include a way for police armed with wiretap orders to conduct surveillance of "Web-based e-mail, social networking sites, and peer-to-peer communications technology." (more)

Saturday, November 2, 2013

Encryptors Unite! - From Those Wonderful Folks Who Brought You Lavabit & Silent Circle

Our Mission - To bring the world our unique end-to-end encrypted protocol and architecture that is the 'next-generation' of private and secure email.

As founding partners of The Dark Mail Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world's first end-to-end encrypted 'Email 3.0' throughout the world's email providers.

Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind. (more)

Wednesday, October 23, 2013

Citing "Terrifying" Surveillance Tactics, Yet Another U.S. Privacy Service Shuts Down

Yet another American Internet privacy service has bitten the dust, prompted by fears about broad government surveillance demands.

San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service. 

In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data. (more)

Wednesday, October 9, 2013

Russia's Herculean Feat - Eavesdrop on All Olympic Communications

Russia is preparing to monitor the communications of athletes and others taking part in the Sochi Winter Olympics at an unprecedented level, according to official documents.

Government tender documents indicate all communications equipment at the Black Sea resort will be tapped, including wi-fi and mobile phone networks, to allow eavesdropping through the Russian SORM (System for Operative Investigative Activities) interception system, The Guardian reported.

Documents seen by Russian journalists Andrei Soldatov and Irina Borogan point to deep packet inspection (DPI) being used to filter all communications around Sochi, with intelligence agencies being able to sort these, search for keywords and identify and monitor people.

The monitoring plans were discovered on the Russian government Zakupki ("purchases") procurement agency website. By law, all Russian government agencies must buy equipment through Zakupki. This includes the country's intelligence agencies. (more)

Sunday, September 1, 2013

Industrialists Hit by Cyber Espionage

India - Cyber espionage, the practice of spying to obtain secret information like proprietary or classified details, confidential sales data, turnover, clients' contacts, diplomatic reports and records of military or political nature, has hit city industrialists.

"Cyber espionage is the new trend of cyber crime that is threatening mid-scale and small-scale industries in Ludhiana. Here one could target his business competitors or simply steal other company's details to sell it further in the market. Ludhiana offers them a ready-made market as many start-ups and small scale companies are operational here," said Tanmay Sinha, a cyber expert and an entrepreneur based in Ludhiana.

"In most of the instances, cyber espionage attempts benefit the attacker as these attacks are not random but are well-planned and targeted towards one group. Moreover, these are done by the criminals after studying the history of the target," he added.

Ludhiana police cyber cell has received more than 10 complaints of cyber espionage in the last two months. (more)

Wednesday, March 27, 2013

Hello Federal! Give Me No Second Hand

Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. 

But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a “top priority” this year.

Last week, during a talk for the American Bar Association in Washington, D.C., FBI general counsel Andrew Weissmann discussed some of the pressing surveillance and national security issues facing the bureau. He gave a few updates on the FBI’s efforts to address what it calls the “going dark” problem—how the rise in popularity of email and social networks has stifled its ability to monitor communications as they are being transmitted. It’s no secret that under the Electronic Communications Privacy Act, the feds can easily obtain archive copies of emails. When it comes to spying on emails or Gchat in real time, however, it’s a different story. (more)

Friday, March 22, 2013

Zombie Privacy Bills Struggle to Become Laws

Just two days after new legislative reform on e-mail privacy was re-introduced in Congress, another privacy bill was brought back from years past.

On Thursday, three members of the House (two Republicans and a Democrat) and two bipartisan senators introduced the GPS Act, which would require law enforcement to obtain a probable cause-driven warrant before accessing a suspect’s geolocation information. The bill had originally been introduced nearly two years ago by the same group of legislators. 
  
The new GPS bill as it stands (PDF) contains exceptions for emergencies, including "national security" under the Foreign Intelligence Surveillance Act, but otherwise requires a warrant for covert government-issued tracking devices. The proposed penalty for violating this new provision could come with fines and/or five years in prison.
(more)

Thursday, February 21, 2013

Express Scripts vs. E&Y - Trade Secret Theft Allegations

Express Scripts Inc. sued the accounting firm Ernst & Young LLP and one of its partners for the alleged theft of trade secrets and misappropriation of the pharmacy benefit manager’s confidential and proprietary data.

The Express Scripts Holding Co. unit said in a complaint filed yesterday in state court in Clayton, Missouri, that it learned last year that accounting firm partner Don Gravlin had been “sneaking” into its St. Louis headquarters and e-mailing documents to a private Google account via the account of an Ernst & Young consultant...

The accountants allegedly took the equivalent of more than 20,000 pages of data, including pricing information, business strategy, projections and “performance metrics” documents, to aid development of Ernst & Young’s own health-care business segment, which includes Express Scripts and Medco Health Solutions Inc., which it acquired last year, as well as some of their competitors. (more)

Tuesday, February 19, 2013

Mechanic Hits Emails at Rival Limo Firm

A Las Vegas limousine company executive was convicted Friday of hacking into the emails of his former employer. 

John Sinagra, vice president and general manager of VIP Limousines of Nevada, was indicted last year on charges of obtaining information from a protected computer and aggravated identity theft.
 

Federal prosecutors alleged that Sinagra, who once was charged as a mob hitman in a sensational New York murder case, hacked into the emails of rival Las Vegas Limousines, owned by Frias Transportation, and stole key information. (more) (The Mechanic)

Wednesday, February 6, 2013

Authorities... "No probing all the way. Promise."

The U.K. plans to install an unspecified number of spy devices along the country’s telecommunications network to monitor Britons’ use of overseas services such as Facebook and Twitter, according to a report published Tuesday by Parliament’s Intelligence and Security Committee.

The devices — referred to as “probes” in the report — are meant to underpin a nationwide surveillance regime aimed at logging nearly everything Britons do online, from Skype calls with family members to visits to pornographic websites. The government argues that swift access to communications data is critical to the fight against terrorism and other high-level crime.

Authorities have been at pains to stress that they’re not seeking unfettered access to the content of emails or recordings of phone calls, but rather what many have described as “outside of the envelope” information: Who sends a message, where and how it is sent, and who receives it. (more) ...for now.

Thursday, December 27, 2012

Repeat after me, class, "Emails are postcards."

The Senate has sent legislation to President Obama that strips out an amendment that would have forced law enforcement to obtain warrants before reading the emails of U.S. citizens stored in the cloud. 

The new measure is a tweak to the Video Privacy Protection Act, which outlaws the disclosure of video-rental information unless given consent by customers. The act was adopted in 1988 after failed Supreme Court nominee Robert Bork's rental history was leaked to the Washington City Paper. (more)

Wednesday, November 14, 2012

This Week in Spy News

The chairman of Stow College in Glasgow has resigned after a row over a recorded conversation on a device branded a "spy-pen". (more)
 

Outdated laws have created loopholes that allow government and law enforcement agencies to request information and conduct electronic surveillance without warrants. The piece of legislation at the heart of the issue is the Electronic Communications Privacy Act, passed in 1986. (more)
 

Ex-British spy, turning 90, happily living in Russia... 
The spy, George Blake, betrayed British intelligence starting in the 1950s; he was found out in 1961 and sentenced to 42 years in prison. But he escaped five years later using a rope ladder made of knitting needles, made his way to the Soviet Union and has been living out his last years serenely in a cottage outside Moscow. (more)

Two Simple Spy Tricks That David Petraeus Could Have Used To Hide His Affair...

Does the head of the world's top spy agency really think he can hide behind a Gmail account and a pseudonym? Apparently so. Even bumbling Boris Badenov from "Rocky and Bullwinkle" would have known better. (more)

The Maryland Transit Administration is bugging buses in Baltimore, and the bugged buses are what’s bugging civil rights advocates. Buses already have cameras, but ten buses now have microphones that are supposed to add to security by recording what’s said between passengers and the drivers. (more)

How to Stop Spies from Digging Up Your Personal Information...

The spies in our lives aren't like the ones in movies—they take the form of a suspicious lover, obsessive coworker, or jealous "friend." While you can't distrust everyone you meet and lead a happy life, you can protect your personal information from falling into the wrong hands. Here's how to guard yourself from spies without slipping into a state of constant paranoia. (more)

The chairman of Pirelli, Marco Tronchetti Provera, will go to trial over a long-running probe into alleged use of Telecom Italia data to snoop on Italy's elite, a judicial source said on Monday. (more)

How to Snap Top Secret Photos Without Anyone Noticing...

Ever needed to snap a picture in a quiet building without anyone noticing? Or maybe you need to document misbehavior without getting caught? Taking snapshots on the sly isn't easy, but a few tricks can help you capture a moment without another soul noticing. (more)
 

Steampunk Spy-Fi: Real-life gadgets perfect for a Victorian Era James Bond...
What if the majesty of On Her Majesty's Secret Service was Queen Victoria? (more)

In France, a Mission to Return the Military's Carrier Pigeons to Active Duty...

Grounded After Modern Communication Devices Soared, Birds May Offer Low-Tech Solutions; No Round Trips (more)

Email Security - The Petraeus Case

...via
There's no such thing as a truly 'anonymous' email account, and no matter how much you try to encrypt the contents of the email you are sending, little fragments of data are attached by email servers and messaging companies. It's how email works and it's entirely unavoidable...which first led the FBI on a path that led up to the very door of Petraeus' office door in Langley, Virginia.

Ultimately, only Google had access to the emails. Because it's a private company, it does not fall under the scope of the Fourth Amendment. If the U.S. government or one of its law enforcement agencies wanted to access the private Petraeus email account, it would have to serve up a warrant.

In this case, however, the Foreign Intelligence Services Act (FISA) would not apply. Even the Patriot Act would not necessarily apply in this case, even though it does allow the FBI and other authorized agencies to search email. However, in this case, above all else, the Stored Communications Act does apply -- part of the Electronic Communications Privacy Act.

The act allows for any electronic data to be read if it has been stored for less than 180 days. In this case, the law was specifically designed -- albeit quite some time before email became a mainstream communications medium -- to allow server- or computer-stored data to be accessed by law enforcement.

However, a court order must be issued after the 180 days, and in this case it was...


Once it knew Ms. Broadwell was the sender of the threatening messages, the FBI got a warrant that gave it covert access to the anonymous email account. And that's how they do it. (more)
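To make the "little fragments of data" concrete, here is an added example (not part of the original post or the quoted article) that reads the relay trail from a message whose body is encrypted. The sample message is constructed: hostnames, IDs and addresses are placeholders from documentation ranges, and the function name is hypothetical.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample. Each relay prepends its own Received header, so the
# oldest hop (closest to the sender) is the last one in the message.
RAW = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby inbox.example.org with ESMTPS id B2;\n"
    "\tMon, 12 Nov 2012 10:15:02 -0500\n"
    "Received: from [192.0.2.44] (hotel-wifi.example.com [192.0.2.44])\n"
    "\tby mx.example.net with ESMTPSA id A1;\n"
    "\tMon, 12 Nov 2012 10:15:00 -0500\n"
    "Message-ID: <constructed-1@mx.example.net>\n"
    "From: pseudonym@example.net\n"
    "To: recipient@example.org\n"
    "Subject: (no subject)\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "(constructed placeholder for ciphertext)\n"
    "-----END PGP MESSAGE-----\n"
)

# "from <helo> (<optional rdns> [<ip>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")


def visible_metadata(raw):
    """Return what any mail server or recipient can read without a decryption key."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        text = str(header)
        match = HOP.search(text)
        if not match:
            continue  # non-standard trace line; skip rather than guess
        # The timestamp follows the last semicolon of the header.
        stamp = parsedate_to_datetime(text.rpartition(";")[2].strip())
        hops.append({"ip": match.group(2), "by": match.group(3),
                     "when": stamp.isoformat()})
    hops.reverse()  # oldest hop first: the network the message was sent from
    body = msg.get_content()
    return {
        "message_id": str(msg["Message-ID"]),
        "sender": str(msg["From"]),
        "hops": hops,
        "body_is_ciphertext": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    info = visible_metadata(RAW)
    print("body encrypted:", info["body_is_ciphertext"])
    for hop in info["hops"]:
        print(hop["when"], hop["ip"], "->", hop["by"])
```

The body stays unreadable, yet the first hop still records the address and time the message entered the mail system.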