Private Internet Access for iOS

During the writing of Your Ultimate Security Guide: iOS I had the opportunity to work with a lot of products that I probably wouldn’t have otherwise considered.  One of these is Private Internet Access for iOS (affiliate link).  Though over the years I have used a virtual private network on my iPhone and other mobile devices, and I have used Private Internet Access rather heavily, I had never used the two together until recently.  The Private Internet Access app for iOS is one of the most convenient VPNs I have used to date and the VPN that I will continue to rely on for my phones.

Private Internet Access for iOS
The iOS app’s homescreen. The PIA app is incredibly easy to use.

The PIA app is a certificate-authenticated VPN which means that installing the app also installs an authentication certificate on your device.  VPNs of this nature can be set to be always on, rather than credential based VPNs which must be manually reconnected each time you unlock the phone.  Though certificate-based VPNs are notorious for draining batteries rapidly, PIA has found a rather ingenous solution to this.  Rather than remaining always connected to the VPN server (which is the reason “always on” VPNs are notorious for killing batteries) PIA does not always remain connected.  Rather, it drops the connection when the device goes to sleep.  Upon unlocking the device, though, data connections are blocked until the connection is automatically reestablished.  Though your battery will not last as long as it would with a very judiciously used credential (username and password) authenticated VPN, the security PIA provides is well worth the shortened battery life.

Private Internet Access for iOS
Some of PIA’s exit server options from the iOS app.

I have written previously about the security and privacy benefits of using a VPN.  Private Internet Access provides all of these benefits, including encrypted traffic to and from the VPN server and mulitple exit servers in mulitple countries to choose from.  As I have also written before, PIA also allows you a number of anonymous payment options including BitCoin and redeeming store gift cards.  Yes, store gift cards, meaning if you have an old Starbuck or Home Depot gift card with a balance on it you can cash it in for VPN service.  Not only does this give you a way to use those small balances left on those gift cards at the bottom of the junk drawer, it also allows even the low-tech a way of purchasing VPN service anonymously.

Private Internet Access stores NO logs, allows unlimited bandwidth and five devices connected simultaneously, and costs just $40/per year.

ProtonMail Update: v2.0

My favorite encrypted email service, ProtonMail has moved into a new phase in its beta rollout.  Last week ProtonMail rolled out beta version 2.0.  The full details can be found on the ProtonMail blog, but there are several significant upgrades that I would like to point out here.

https://protonmail.ch
https://protonmail.ch

Encrypted Attachments to Outside Users:  ProtonMail now allows you to encrypt attachments and to outside users, not just to other ProtonMail users.  This is one of the features I wrote that I would like to see in my last post about ProtonMail (not that I think I had anything to do with the decision to add this feature).

Public Key Download:  ProtonMail now offers you the ability to download your public key.  This allows you to share it with PGP users, and allows them to send encrypted messages to your ProtonMail account.  I also wrote about this last time, but I would still like to see this feature upgraded to allow the import of others’ public keys.

Event Logging:  Under ProtonMail’s “Security” tab (in Settings) is an option to log authentication events (logins, logouts, and unsuccessful login attempts).  The Advanced Logging feature displays the event, a time and date stamp, and the IP address from which the event occurred, while the Basic Logging only displays the event and a time/date stamp.  Event logging can also be disabled completely, allowing you to (theoretically) prevent ProtonMail from recording your login times and IP addresses.  According to ProtonMail the event logs are only available in the user’s mailbox, which means they are encrypted.

The most exciting feature won’t be around until a little later this week though: on August 20th ProtonMail will release beta apps for both iOS and Android.

I am very happy to see ProtonMail adding features like these. I would still very much like to have a two-factor authentication option, and I am told that we should expect one late this year.  Updates to follow.

Your Ultimate Security Guide: iOS

I am thrilled to announce the upcoming August 20th release of Your Ultimate Security Guide: iOS!  The second book in the series, Your Ultimate Security Guide: iOS is intended to help the layman with both basic digital security and in the development of a comprehensive digital security perimeter.  Written in plain English, Your Ultimate Security Guide: iOS takes a step-by-step approach to enhancing mobile device security, and will help you reclaim some privacy in both the physical and digital realms.

Your Ultimate Security Guide IOS - 3DSome of the techniques readers of this book will understand how to employ include:

  • Harden the iOS operating system by manipulating nearly every setting that impacts security and/or privacy
  • Use password managers to create and use strong usernames, passwords, and to employ two-factor authentication
  • Use apps that provide end-to-end encryption for your text, voice, email, and chat communications, and take steps to mitigate location tracking and other metadata collection
  • Use “disposable” phone numbers to protect your real number from data marketers, telemarketers, and lower your online profile
  • Lock down your Wi-Fi network and protect your internet traffic using virtual private networks
  • Replace a variety of insecure native apps with security- and privacy-focused alternatives
  • Protect your sensitive online accounts through a comprehensive, systematic approach
  • Employ best practices to lower online exposure and minimize your attack surface

Look for Your Ultimate Security Guide: iOS on Amazon on August 20th.

Paper v. Plastic: The Case for Cash

The adage that I’ve used several other times on this blog, my books, and one that is nearly a personal credo: convenience is inversely proportional to security.  This seems to apply equally well to personal privacy.  Said another way, the more convenient something is, the more personal privacy and control of your identity you are probably sacrificing.  Credit and debit cards are one such convenience.  Though it is certainly more convenient to swipe a credit card for purchases that in is to use cash it also creates a tangible record of each transaction.  With cash you have to make time to visit an ATM, carry bills, manage change, etc.  Making matters worse, all of these inconvenience factors are compounded if you make multiple small purchases throughout the day.

shutterstock_110580023

Despite its inconveniences, making multiple small purchases throughout the day is precisely the reason you should use cash.  Your purchases record a wealth of data about you, including your location and movement, purchases, interests, hobbies, and a plethora of other information about us.  I didn’t fully realize the extent to which my personal pattern of life was spelled out in black in white until I bought my first home.  One of the requirements for the loan application was to submit three months of statements for all bank and credit accounts.  I was very, very disheartened when I had to submit statements for several accounts that looked something like this:

Date Transaction Description Amount
07/01/15 Debit – Local Grocery Store #1 $17.35
07/01/15 Debit – Local Grocery Store#2 $31.53
07/02/15 Debit – National Coffee Chain near Work $4.88
07/02/15 Debit – Convenience Store near Work $2.37
07/02/15 Debit – Lunch Restaurant near Work $12.72
07/02/15 Debit – Gas Station $43.68
07/02/15 Debit – Local Grocery Store #2 $8.19
07/03/15 ATM Withdrawal $60.00
07/04/15 Debit – National Coffee Chain near Work $4.88
07/04/15 Debit – Big-Box Department Store $81.41
07/04/15 Debit – Local Dinner Place near Home $27.12
07/04/15 Debit – Large National Bookstore $27.19
07/05/15 Debit – Fast Food Place near Work $6.01
And on, and on, and on….

Unfortunately, years prior I had subscribed to the philosophy that plastic is easier to use and somehow inherently better than paper.  What I did not realize was that I was sharing a ton of personal details about my life with others.  The packet I handed over to the loan officer painted a very thorough picture of my pattern of life for the three months prior to my loan application (which could be extrapolated to the last few years).  Though there was nothing “shady” on my cards, it was a little embarrassing to share such granular level of detail about my life with strangers.  The sickening realization that I had been sharing all of this information with my bank and creditors for years sank in that day, too.

Purchasing with cash offers much more anonymity.  Unless you are purchasing something that requires you provide your real name, firearms and cars being obvious exceptions that come easily to mind, purchases with cash are about as close to anonymous as you can get.  There is no paper trail, no bank statement, and no overarching record of your life and activities.  If I had it to do over again (and I do going forward) I would have made some changes in my personal habits.  My account statements would have reflected the same period of time a bit more succinctly, like this:

Date Transaction Description Amount
07/01/15 ATM Withdrawal $400.00
07/08/15 ATM Withdrawal $400.00
07/20/15 ATM Withdrawal $500.00

You will notice that because I used cash, this brief statement covers a period over four times as long as the above example, while still being eight lines shorter.  Not only is this statement more compact, it also reveals very little about me.  It does not reveal where I buy my groceries or how often, or the location my favorite coffee, lunch, and dinner restaurants, or my culinary preferences.  It does not associate my name to any of my purchases.

I attempt to use cash as much as possible but I realize I will never be able to fully eliminate credit cards from my life.  Air travel, rental cars, and hotels require credit cards.  I still find myself in locations where I don’t want to pay exorbitant ATM fees, and end up using my card.  But I use it a lot less, which is what I am truly advocating: using more cash and less plastic.  This reduces the amount of information about yourself that you give over to your bank, your lenders, anyone curious enough to swipe a statement out of your mailbox (assuming you don’t use a P.O. Box), and yes, maybe even the NSA.

Using cash isn’t bulletproof, and it won’t make you totally anonymous.  But it will lower your signature, offer you a lot more anonymity, and make an attacker’s job a bit harder.  Every little bit helps.

Complete Privacy and Security with Michael Bazzell

I am proud to announce that I am currently co-writing a book with well-known author and privacy expert Michael Bazzell.  Michael is the author of several privacy- and security-related works including Hiding from the Internet and Personal Digital Security: Protecting Yourself from Online Crime, as well as the immensely popular Open Source Intelligence Techniques.  The idea for this project has been a long time coming and we are well underway with the process.

Large3D

The working title is currently The Complete Privacy and Security Desk Reference.  This 600+ page work is intended to a be an all-inclusive privacy and security resource for law enforcement, special operations and intelligence personnel, victims of identity theft and domestic violence, and those with an avid interest in privacy and security.  The book will draw from our collective experiences and previous writings and will contain a myriad of new material and techniques.  Our intent is to provide the reader with a book that will 

“explain how to be digitally invisible. You will make your communications private, internet connections anonymous, computers hardened, identity guarded, purchases secret, accounts secured, and home address hidden. You will remove all personal details from public view and will reclaim your right to privacy. You will no longer give away your intimate details and you will remove yourself from the system. When taken to the extreme, you will be impossible to compromise.”

The Complete Privacy and Security Desk Reference is due for release in January 2016.  An accompanying five-day live training course with Justin Carroll and Michael Bazzell will also be available beginning in 2016.

 

Tutanota Encrypted Email

I love encrypted email, and I love writing about it.  In researching the next book in the Your Ultimate Security Guide series, Your Ultimate Security Guide: iOS, I decided to give Tutanota a try and I’m glad I did.

Tutanota_logo

 

The name “Tutanota” comes from the Latin words “tuta” (secure) and “nota” (message).  Tutanota offers free, end-to-end encrypted email accounts.  No personal information at all is required to create an account, and account creation is allowed through the Tor network.  Tutanota encrypts your message including the subject line, and any attachments and stores all of your emails in an encrypted state.  When you log in with your username and password, an encrypted version of your password is stored on Tutanota’s servers for the duration of your session.  If you lose your password it cannot be reset.  Tutanota also allows you to send encrypted emails to non-Tutanota users

Tutanota is incredibly streamlined and user-friendly and Tutanota apps are available for both iOS and Android, and Tutanota also offers a premium level of service for €1 per month.  Premium accounts offers some expanded functionality including the ability to create and use up to five aliases (alternate email addresses), unlimited outgoing emails (free accounts are capped at 100 per day), and the option to use your own domain.  Both free and paid accounts offer only 1Gb of storage but more (up to 1Tb) will be available for purchase soon.

Unfortunately Tutanota lacks several features that most of us have come to expect in an email service.  First, it does not allow you to save drafts (and as a result does not have a “Drafts” folder).  It also lacks a search function and the ability to assign labels (an important feature for email power-users).  Because of this I see it being used only for exchanging encrypted emails and not a day-to-day, Gmail-replacement system.

Though I am a fan of Protonmail and have been using it much longer, I do like the look and feel of Tutanota and will work it into my daily email routine.

AxCrypt – File Encryption Made Simple

Immediately after finishing Your Ultimate Security Guide: Windows 7 Edition a close friend who’d bought the book called me and asked why I hadn’t included AxCrypt.  The answer I gave him was that I was unfamiliar with the program.  After looking into it and testing it for a few weeks I’m sorry that I didn’t include it; it will definitely be included in Your Ultimate Security Guide: Windows 10.

AxCrypt 256x256 logo

AxCrypt uses the AES encryption algorithm (128-bit) and operates entirely from the right-click context menu.  When you want to encrypt a file right-click it, find AxCrypt in the context menu, and hover until the flyout appears.  The flyout menu allows you the option to Encrypt, Encrypt a Copy, and Enrypt to .EXE, among several other options.  Encrypt does exactly what you would think – it encrypts the file.  Encrypt a copy creates a new, encrypted copy of the file and leaves the original unencrypted.  Encrypt to .EXE allows you to create an executable file that can be opened on a computer that does not have AxCrypt installed.  AxCrypt also offers you the ability to use keyfiles in addition to a password, though it restricts the types of files that may be used to keyfiles generated by AxCrypt.  If you’ve read Your Ultimate Security Guide: Windows 7 Edition,  you know I’m a fan of keyfiles.

Opening a file encrypted with AxCrypt is even easier – just double-click and enter the password (and keyfile if necessary).  The file will open where you may view and edit it; closing the file will revert it back to its encrypted state.  If you wish to decrypt the file permanently, right click on it, hover on AxCrypt, and select Decrypt from the flyout.  After you enter the correct password the file will be decrypted and written in plain text to your hard drive.

AxCrypt also has a “Secure Delete” function that overwrites files with a single, pseudo-random pass.   After speaking to Axantum Software founder Svante Seleborg I also learned that it can be configured to do a seven-pass overwrite via the registry, but I will  stick to using Eraser for my data erasure needs due to its flexibility and convenience.

If you are looking for a simple, painless application for encrypting individual files AxCrypt is definitely worth considering.  AxCrypt is free and available from http://www.axantum.com/AxCrypt/.

Blur: The One-Stop Privacy Shop

As any of my readers know I hesitate to give out any personal information.  Using the same physical address, email address, phone number, and credit card number helps data marketers build very thorough profiles about us and I do everything I can to undermine this.  A service that is relatively new (at least to me) helps to make it much easier to avoid giving out this information.  This service is called Blur.

Before moving on it should be pointed out that Blur is a paid service.  Though there is a free version available, its functionality is very limited.  Blur Premium costs a very reasonable $39/year with discounts for purchasing multiple years ($59/2 years and $79/3 years).  For the features Blur provides the cost is totally worth it, and most of the features described below require a premium subscription.

full_MaskMe_512x512@2x

Blur helps to protect your privacy through a number of features including Masked Emails, Masked Phones, and Masked Cards.  The Masked Emails function works similarly to services like notsharingmy.info and 33mail.  When you create a masked email, Blur will give you a randomly-generated email address that will forward your mail to your real account.  You can create as many masked email addresses as you like, allowing you to have unique usernames on your accounts and protect your real address.  Masked Emails even protect your email address when you reply, a feature not currently offered by notsharingmy.info and only offered as a paid feature in 33mail.  Blur allows you to cancel forwarding to any masked email at any time, so if you sign up for a service that is bombarding you with junk mail you can simply login to your account and toggle forwarding to “off”, or delete the address entirely.

Blur also has a built-in username and password generator.  When you sign up for a new account or service and generate a username with Blur it will be a masked email address.  Unfortunately the passwords generated by Blur are only 12 characters long (though they are complex) and I have found no way to change this.  Masked Phone is another interesting feature that allows you to generate a phone number through Blur that will forward calls and text messages to your phone.  Unfortunately you can only have one Masked Number at a time, and the cost to change your masked number is $7; additionally there is a $.01 charge for each incoming call, for each minute used, and for each incoming text.  At this time you cannot send outgoing text messages from your masked number.

Blur’s most exciting feature by far is Masked Cards.  Blur allows you to create masked credit cards for online purchasing.  When you wish to make an online purchase you log into Blur and create a new masked card.  The amount of purchase will be charged to your “real” card, and the masked card works much like a pre-paid gift card.  Blur will give you a credit card number, expiration date, CCV, and billing address, and you can choose the name and shipping address.  This limits the amount of information that retailers, credit card companies, and third-parties can accumulate about your purchases, the benefits of which are obvious.  It also limits the exposure of your real credit card number on the internet.

With the ability to obscure your email address and phone number, create masked credit cards, generate unique, complex usernames and passwords, and manage it all in one place, Blur is almost a one-stop-privacy solution.  Your Blur account can be protected with very strong passwords (I haven’t found a length limit yet) and two-factor authentication and can be accessed through your browser, Blur’s add-on for Firefox/Chrome, or their Android/iOS app.

Letting Go of Google

I have used Google for years, mostly in the form of Gmail.  In Your Ultimate Security Guide: Windows 7 Edition I wrote about Gmail.  I threw in some well-deserved praise about Google’s security; it is very, very good.  Google offers one of the most user-friendly two-factor systems I have used.  They alert you when your account is logged into from a new IP and browser.  Your entire sessions is HTTPS encrypted, and encrypted inside of Google.  From a security standpoint it’s hard to complain about Google.  Privacy is another matter completely.

As Bruce Schneier recently pointed out, Google wants you to be secure from everyone except Google.  Google keeps your data safe from hackers and the NSA (they say), but they don’t keep it safe from themselves.  Google scans all your emails, records all your searches, remembers what videos you’ve watched, and what sites you go to when you leave Google.  And it never forgets.  Though I never created a Google + account, don’t log into YouTube, and don’t upload files to Google Drive, Google still knows an incredible amount of information about me.  That information will be remembered forever.  It will be accessible with warrants.  It may be seen if Google is hacked (Google holds a lot – a lot – of data and is a target because of it).  It will still be sold to advertisers.  And I don’t like that.

DDG_Full_Vertical.2x

I have managed to subvert much of Google’s ability to track me through with several tools.  I don’t use Google’s browser, Chrome.  Instead of searching through Google I use DuckDuckGo, a search engine that doesn’t collect or store data about its users.  Another very good tool is Disconnect Private Search, a browser add-on for Firefox and Chrome that routes all your searches through a “light” VPN.  Google doesn’t know who sent the request and can’t track me (Disconnect Search also allows you to use Bing, DuckDuckGo, and Yahoo!).  I also configure my browsers to delete history and cookies each time it is closed and I close it frequently.  I run BleachBit or CCleaner several times a day, too.

I have also been a fairly heavy Google Voice user.  I liked Google Voice because I could give out a GV number instead of my “real” number.  I could get calls, texts, and voicemail from my phone or computer, and the most compelling feature was its price: free.  I have managed to subvert this, too, through Silent Circle.  Though I have to pay for it Silent Circle offers me security from everyone, not everyone-but-them.

These steps seem simple in comparison to finding a suitable substitute for Gmail.  Other “mainstream” (read: free) email providers scrape emails, too, and unfortunately I don’t have the confidence in my own technical accumen to run my own email server.  Through the last several months, however, I have managed to piece together a workable email solution.  Unfortunately there is no sole-source replacement for Gmail, but with paid services like KolabNow and free ones like ProtonMail I know my communications are, if not more secure, at least more private.

You should also know that if you contact me, your communications are stored privately and securely on email servers that are not scraped for advertisments.  The email address to which the contact form on this site links is a ProtonMail email address.  Additionally, I have removed Google Analytics from this site.  I do not have access to any data about the individuals who visit my site, whether specifically or in aggregate.  When I initially set up this blog I thought it would be a good idea to see how often the site was visited, but I quickly realized that I had become part of the problem.  This is my mea culpa.

Thoughts on the LastPass Breach

I have a couple of thoughts regarding the breach on the popular password manager LastPass earlier this week.  Initially I was disheartened to hear about the breach but was very glad that LastPass dealt with it swiftly and responsibly.  I actually learned of the breach from LastPass, with an email alerting me to change my master password.  Additionally LastPass is verifying all intial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed (encrypted) master passwords, cryptographic salts, and email addresses.  Though certainly less than ideal, the attackers were still unable to capture plaintext password vaults.

LastPassLogo822x100

Though I don’t use LastPass anymore I did for several years and because of this and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition.  The two big take-aways from this breach (at least in my mind) are:

Cloud-based password managers are inherently risky.  This may be a provocative statement because many people use web-based password managers without incident.  But for how long?  Because of the treasure trove of information a password manager contains they are naturally a target.  Secondly, because they are a more complex system than a host-based password manager like Password Safe there are more potential points of failure.  The data must transit the internet, back and forth from your computer to the internet, be decrypted locally to be used, be re-encrypted before being re-uploaded to the cloud server, etc.  A lot of things have to be done correctly for it to be secure throughout the entire process.

Two-factor authentication is important.  When I first saw the email from LastPass about the breach my heart sank.  I no longer use LastPass but I know a lot of people who do.  Fortunately I know that msot of them also use two-factor authentication and as I learned more about the breach I realized that accounts protected with two-factor were still safe.  I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, Yubikey, etc.  With two-factor enabled my friends were able to rest easy that their passwords had not been breached.  This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.

As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager.  The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.