We cover the VPN space all year round and there is almost always a sale going on. VPN providers, just like other service providers offer different packages that, when scrutinized, are all essentially the same. The only reason why one sale ends, is so another can start tomorrow – saving you a whole lot of nothing! To make the choice easier for you, we have looked at the pricing for a few providers over the last couple of months to see which deals are worth considering. Spoiler Alert: Most of them aren’t that is why our list is rather short! Just as a side note, a VPN subscription also makes a great gift, especially when you need it last minute. It only takes a second…

So lets dive right in:

ProtonVPN

One of our favorite VPN providers is ProtonVPN from the makers of ProtonMail, the world’s largest encrypted email provider headquartered in Geneva, Switzerland.

ProtonVPN isn’t inexpensive and they don’t’ offer many discounts throughout the year, so if you want to great deal on ProtonVPN now through the end of the November is your chance to save up to 50% of the full price. The Plus Plan (usually USD 8.00/month billed as $96) currently is on sale for USD 3.25/month for one year (billed as $39), or USD 3.00/month if you want to subscribe for 2 years (billed as $72). You’ll get the biggest bang for the buck if you subscribe to the ProtonMail and ProtonVPN bundle for 2 years at USD 7.50/month (billed as $180).

What makes ProtonVPN stand out?

ProtonVPN uses only encryption cyphers that do not have any known vulnerabilities to keep your Internet activities safe and secure from prying eyes. Next to standard VPN features, ProtonVPN keeps no logs, uses perfect forward secrecy, routes DNS queries through the VPN tunnel and thereby preventing DNS leaks, Tor over VPN and Secure Core, where ProtonVPN routes your traffic through special, hardened servers before it reaches the end server in a country of your choice.

If you want one of the most secure VPNs currently on the market at a great price, be sure to subscribe before the end of the month!

Get 50% Off of Proton VPN

IPVanish

If you are into P2P and streaming IPVanish is a great option to mask your true location, protect your identity and stop your ISP from throttling your connection speed. IPVanish is a US-based VPN provider that keeps no logs, offers unlimited bandwidth, great speeds and up to 10 simultaneous connections, so your entire family only needs a single subscription. Their pricing is already competitive, but until December 3rd you can save up to 73% over their regular pricing. Their annual plan is on sale for only USD 3.25/month (billed as $39) which is a whooping 73% off, the quarterly plan costs USD 4.50/month (billed as $13.50) for the first 3 months, and the monthly plan is only USD 5.00 for the first month.

While the quarterly and monthly offer looks cheap, please keep in mind that after the offer period ends, you will be billed the regular price, hence our tip for IPVanish is to subscribe for a year because the other options get rather pricey after the discounted pricing expires!

Get IPVanish VPN for $3.25/month

The post Black Friday VPN Deals 2019 appeared first on Invisibler.

Summary

If you don’t want to read the whole review, here are the highlights:

• ProtonVPN is based out of Switzerland, which has strong privacy protections
• No logs
• ProtonVPN has an impressive array of privacy and security features, such as physically protected servers, strong encryption, the option to route your traffic through several VPN servers or Tor, perfect forward secrecy, DNS Leak protection…
• Prices range from free, to USD 4/month for a basic plan, USD 8/month for the standard package, to USD 24/month for the super duper plan.
• ProtonVPN offers native apps for many operating systems and getting started is point and click
• As of this writing they have 347 servers spread over 31 countries.
• You can watch US Netflix
• Only supports Credit Card and PayPal payments at this time.

ProtonVPN Servers

Full Review of ProtonVPN

ProtonVPN is a primarily community supported and community developed VPN, based out of Switzerland. It is a feature-rich VPN brought to you by the same group of people who developed ProtonMail. As with ProtonMail, they are taking privacy and security serious, seriously serious.

Here is how they keep your data and web traffic secure:

Strong Encryption

ProtonVPN encrypts their network traffic using AES–256, uses 2048-bit RSA for key exchange and HMAC with SHA256 for message authentication, which is about as good as it gets. To prevent people from getting hold of your data at a later time the implemented perfect forward secrecy.

Forward Secrecy

To enhance the privacy and security of ProtonVPN’s encrypted traffic, ProtonVPN selected encryption cypher suites that have perfect forward secrecy. This means they generate a new encryption key with every connection making it almost impossible to compromise any given tunnelling session. All of that means very little if the protocols you use aren’t secure to begin with, so they limit the protocols you can use on the network.

Protocols

ProtonVPN only supports OpenVPN and IKEv2/IPsec, because those are the two most reliable protocols.

Talking about reliability, and we all know just how reliable our smartphones and computers really are, ProtonVPN has a few features that protect your privacy in case something goes wrong.

Kill Switch and Always-on VPN

This ProtonVPN features does exactly what it sounds like, it ’kills your Internet connection (blocks all your internet traffic) and automatically reconnects to a VPN server. The advantage of these two functions is that your real IP address is never revealed to anyone only, thereby protecting your privacy.

DNS Leak Prevention

DNS Leak prevention means that ProtonVPN routes DNS queries through the encrypted tunnel to their own DNS servers, making sure your browsing activity is only exposed to ProtonVPN DNS servers.

So far so good, but where ProtonVPN really sets itself apart from the competition is in a feature they call Secure Core.

ProtonVPN’s Secure Core

ProtonVPN offers a service they call ‘Secure Core’ to their Plus and Visionary customers. Typically a VPN connection is routed through a single VPN server, at least that is how most VPN providers do it. Secure Core passes traffic through ‘multiple’ servers (the exact number isn’t specified, but it would have to be at least two by definition) to protect against an adversary that has gained control of a VPN server, such as a state surveillance agency that coerced a VPN provider into assisting with their network monitoring. ProtonVPN placed their Secure Core servers in secure countries (Switzerland, Sweden, and Iceland) and locations, to provide customers with a level of security that other providers just cannot achieve with their current configurations.

And just in case you don’t trust ProtonVPN 100% or you would like to access onion websites, you can also connect to Tor from right within your VPN session.

Tor over VPN

ProtonVPN has Tor already built in, so you can route your traffic not only through Proton’s VPN network but also through the Tor Network . An additional benefit of this functionality is that you can access Onion sites with a single click.

No Logs

If you followed the VPN space carefully, you might have noticed that a couple of ‘no-log’ VPN providers mysteriously were able to provide those non-existing logs to law enforcement. We are looking at you HMA, IPVanish, PureVPN!

Here’s my opinion on that, and I wouldn’t fault you if you don’t agree with me. No-one in their right mind endorses criminal activity, but the definition of ‘criminal’ or ‘illegal’ is a matter of interpretation; therefore I won’t get into that discussion. However, if your terms and conditions state that you ’ do not keep logs’ then that is what you committed yourself to do and you should NOT be able to provide said logs to law enforcement, period!

I firmly believe in looking at what people and companies do and not what they say. For that reason I cannot endorse HMA, IPVanish or PureVPN. It really is that simple.

ProtonVPN’s No-Log policy is pretty simple: ‘ProtonVPN respects its users’ privacy and enforces a No Logs policy. This means your VPN connections remain private and we do not store information about your connections or the websites you visit.’

While we are dealing with the legal stuff, let’s have a quick look at ProtonVPN’s terms of service and Privacy Policy.

Terms of Service

ProtonVPN’s terms and conditions are relatively short. They state the basics, don’t do anything illegal, don’t hold us responsible if anything goes wrong, how their 30-day money back guarantee works, and that everything is governed by the laws of Switzerland. The Switzerland part is important, because if anyone even wanted to try to get information about you, they’d have to do that within the Swiss legal system, which has pretty good privacy protections. Which brings us to the next point:

Privacy Policy

The Privacy Policy is equally as easy to read stating that ProtonVPN does not log your activity in regards to your VPN usage, except for timestamps, your last login attempt to prevent brute force hacking. This timestamp is overwritten the moment of your next login.

Their privacy policy also covers the use of the website, setting up an account and paying for their service. I didn’t find anything out of the ordinary reading through this information, except for your ability to request that all of your data associated with your ProtonVPN account can be deleted per your request.

How does ProtonVPN work?

I signed up with ProtonVPN end of November and have been using it since. I installed the service on my Mac, my iPad and my iPhone and the installation was a breeze on each device.

After logging in, connecting to their servers is fast and easy and worked flawlessly. Other than doing my work primarily online, I use the Internet like an average user, listen to music, watch videos, upload photos and short movies, and all of this worked perfectly. Connection speeds are slower than my Internet connection without VPN; however, that is to be expected. Engaging Secure Core slowed it down again, and yes, that too was to be expected, because now the traffic goes through at least one additional server. What is important though is that in either case I was still able to use my Internet connection as I normally would without noticing any difference.

ProtonVPN No VPN Speed

ProtonVPN Speed

How much does it cost?

ProtonVPN’s price is slightly higher than the average VPN service; however, you get what you pay for, a solid product that simply works. ProtonVPN has 3 pricing tiers, just like everyone else, a Basic version with limited features for USD 4/month, a Plus version for USD 8/month which gives you all of their VPN features and the ability to use 5 devices, and a Visionary version which will set you back USD 24/month that offers use on 10 devices and includes a ProtonMail account.

ProtonVPN Pricing

If your VPN needs are very basic, you just want to test their service, or you are just looking for a backup VPN in case your preferred provider isn’t available at the time, they also offer a Free version which limits your access to 3 countries, a single device and lower speeds.

Payment Methods

Currently ProtonVPN accepts PayPal, Credit Card and Bitcoin payments. While paying via PayPal and Credit Card is straight forward, for Bitcoin payments you need to have an existing account or contact ProtonVPN directly via a link you can find on their support pages. That leaves only one question remaining, and that is how do you sign up?

ProtonVPN Payment Methods

Money Back Guarantee

ProtonVPN offers a 30-day money back guarantee for the unused portion of your subscription period. The way to do it is to first downgrade your plan to the Free version and then request a refund. Easy!

How to get ProtonVPN?

Signing up for ProtonVPN is easy, even easier if you already have a ProtonMail account as you can just add ProtonVPN to it. Just download the ProtonVPN client native to your device and log in with your ProtonMail username and password, it couldn’t be easier.

If you want privacy, ProtonVPN offers a great product for a good price. Their secure core feature and optional Tor routing seriously enhance privacy and help set ProtonVPN apart from the rest of the VPN providers, making it a serious contender in the VPN space. I appreciate that they keep no logs and that they give users the option to request deletion all of their data from ProtonVPN’s servers. However, reading through their Threat Model, it is clear that they have thought things through and aren’t afraid to tell things like who they really are. There is no 100% security or privacy, a sufficiently motivated (and funded) adversary still has a chance to uncover what they are looking for; the trick is to make that as difficult and costly as possible.

With that in mind, sign up for ProtonVPN to protect your privacy and data in a world that is becoming ever more adversarial by the day.

We’d love to hear what you think about ProtonVPN. Please comment below!

Image Credit: Binary Koala

The post What Sets ProtonVPN Apart From The Rest of the VPNs? appeared first on Invisibler.

Crypto currencies are the latest craze, the second coming of the Internet. There are plenty of blockchains, but the one everybody seems to have at least an opinion about is Bitcoin, which interestingly is neither a bit nor a coin… then again, neither are the others. But I am getting ahead of myself, so let’s back up a bit:

What is a Currency?

If you have never wasted a thought on what a currency is, not to worry, it is simply a medium for exchanging something of value, like money. Humans have exchanged everything from sea shells, to silver, gold, coins, paper, and today bits. Money makes it easy to value different items such as goods and services, so that they can be exchanged freely for other items. For example if you need a pair of shoes, but the shoe maker already has tons of the apples you have on offer, you’d be screwed. But, through the medium of a currency, you can buy the shoes in exchange for money and the shoe maker in turn can buy whatever he desires. Everybody wins.

One more term I need to clarify before heading on is ‘fiat currency.’ This has little to do with the Italian car maker, their cars aren’t the most reliable in my opinion, instead it refers to a form of money that in itself is worthless, think of a dollar bill, or those previously mentioned cars… The value of a fiat currency is often established by government regulation, and thereby also controlled by said government, something that has been the topic of many debates, in particular the government’s ability to print more money and thereby making the money you have less valuable, the benign sounding term for this is inflation, but you may also call it theft.

Interestingly supporters of crypto currencies present their inventions as an alternative to fiat money, which seems ironic as in case of a bitcoin you don’t even get the, already worthless, paper… However, the better argument would be that the value of crypto currencies can’t be censored or manipulated by governments, well, at least not at the moment, but rest assured they would if they could, and you just have to put your faith into an algorithm, or better the guys and gals who write the software. Another point would be the speed at which transactions validate compared to the established banking system or the comparatively low fees to execute transactions…

The million dollar question: What is Bitcoin?

Think of the Bitcoin blockchain as a ledger that keeps track of which bitcoin address owns how much Bitcoin, that makes sure that Bitcoin can’t be spent twice and that keeps a record of every transaction in a way so that it can’t be altered after the fact. Bitcoin does all of this using a decentralized network, where many servers have a complete transaction history, thereby securing it against malicious attacks from hackers or influence from hostile governments.

What is really ingenious though, is that all of this is accomplished through a network of independent servers in a trustless environment. The brilliance of blockchains lies in their consensus algorithms that manage to agree on the state of the system at any point in time, eliminating the need for a central authority (such as the bank) keeping the system synchronized.

What’s all the hype about?

You now know more than 95% of people about Bitcoin. After this rather anticlimactic explanation you may be asking yourself what all the hype is really about? It is a good question.

To understand the hype lets recap what we know:

• Bitcoin is a medium of exchange
• Bitcoin is decentralized
• Bitcoin can’t be manipulated by governments
• Bitcoin’s purpose is to facilitate electronic payments between willing participants

Bitcoin wasn’t the first electronic currency, but it is the first that, at least as of this writing, succeeded. Initially Bitcoin was something only computer geeks knew about and tinkered with, and a Bitcoin was basically worthless. Then on May 22, 2010 a Florida man, Laszlo Hanyecz, made the first real bitcoin transaction, exchanging bitcoin for two Papa John’s pizzas, two really expensive pizzas by today’s valuation…

The idea of using crypto tokens as a form of payment quickly caught on and, based on hype, misunderstanding, supply and demand, the value of Bitcoin slowly increased, even though, years later, it is still relatively difficult to actually pay for something with Bitcoin. Nevertheless people saw an opportunity to make money and a whole new industry was born, complete with experts, startups, exchanges, analysts etc… and within a short time crypto currencies were hailed as the second coming of the Internet.

Today blockchains are seen as the magic bullet for just about anything, even though their utility is limited to specific use cases, but who cares when there is money to be made? … and money they made, a lot of it, at least some people. Of course, this money had to come from somewhere, hence some people made money and some, the vast majority, lost money inadvertently financing the bonanza.

The future of blockchain?

Sadly, and you might have guessed it, blockchains will not magically bring about world peace or infinite riches for everyone, but they offer something different, something worth considering, and that is a different concept of governance. Satoshi Nakamoto wrote a white paper that is clear, scientific, written with authority, describing a new idea, Bitcoin, a borderless, decentralized, world-wide, peer-to-peer payment system. Within it he/she/they described how computer code could be used to align the interests of parties with diverging interests that do not trust each other to come to a consensus to make the whole system work for all participants.

You may think I oversimplified things and you would be correct, you may not agree with my opinion and I wouldn’t blame you, but in spite of all of it, I invite you to think about Bitcoin’s implications. Satoshi Nakamoto wrote the, now famous, white paper in response to the 2008 banking crisis. He had a problem with the way capitalistic greed almost crashed the world’s economy. The idea to take the control of money out of government’s hands, sidestep the corrupt banking system and create an online payment system that can be accessed by anyone with an Internet connection, proposed a viable alternative to the status quo.

10 years later we know a lot more. Bitcoin isn’t perfect, it has vulnerabilities, it isn’t as anonymous as originally thought, the blockchain itself is getting too big, transaction speeds are too slow, etc… but it has initiated a new way of thinking, started a conversation worth having, much like Ford’s Model T. The car was available in any color your liked, as long as it was black, but today, 110 years later and thanks to Elon Musk, we have Tesla, and yes, in any color you like.

Image Credit: Martin Dinse

The post What you should have known before investing in Bitcoin… appeared first on Invisibler.

Invisibler is all about protecting your privacy (and ours), therefore this post will seem like heresy for the very simple reason that it is!

OK, with this warning out of the way lets look at something else you can do with a VPN, something many people haven’t yet thought of, but something that can come in handy, especially if you are into streaming content such as movies and TV shows, and that is virtually residing in a different country.

Copyright and VPN

The reason why this might come in handy has do with the convoluted and overly complicated licensing of entertainment content, you know the stuff the RIAA and MPAA want you to pay a lot of money for, music and movies. So, why sell something once when you can make money with it over and over again? Welcome to the world of entertainment and copyright.

For Netflix to offer you movies and TV shows they have to either produce those themselves, which they are doing quite well thank you, or license it from studios and TV stations around the globe. Most of those licenses are region specific and because you can stream Netflix from anywhere where you have an Internet connection licensing has become really complicated.

That’s where it gets tricky…

Netflix’s catalogue differs vastly from region to region (i.e country to country) with the majority of the good stuff available in just a few places, mainly the US, Canada and Europe.

So why not move there? Virtually that is…

Customers picked up on this rather quickly, even before Netflix was widely available around the globe. You can easily circumvent those pesky region restrictions by virtually moving to a different country with the help of, yes you guessed it, a VPN. Some people went to great length to make this work, and it worked really well; so well indeed that the MPAA demanded from Netflix to enforce those previously mentioned region restrictions.

In an effort to enforce their contractual obligations, Netflix was forced to stop subscribers who had been using a VPN to hide their real location from accessing the service. They accomplished this by blocking IP addresses from known VPN servers, leaving everyone connecting through those servers hanging out to dry, a virtual game of whack-a-mole if you wish. A VPN provider sets up a new server, it works for a while for streaming, Netflix blocks the IP address, nothing new here…

Take a deep breath, there is a solution…

HideMyAss (aka HMA), one of the world’s largest VPN providers, has come up with a solution to allow you to access Netflix from outside the US once again. If you live outside the US simply connect to their Liberty Island server, which you can find under cities in HMA’s app, and voila, problem solved!

Does it work?

We put it to the test and, much to our surprise, it works perfectly. But knowing how quickly Netflix blocks new VPN servers we reached out to HMA to make sure this isn’t just a short-term fix and they confirmed that they found a way to circumvent Netflix’s blocking attempts. They were a little vague about how exactly they are doing it…

Heresy!

It almost pains me to suggest that you should subscribe to HMA! Pro VPN to watch Netflix or other streaming services, especially from outside the US. But privacy isn’t an issue here and considering the subscription price you will be saving money even after streaming just a few movies throughout the year that you now won’t have to purchase.

To sweeten the deal HMA is offering their service at a reduced price starting on May 3rd and lasting until May 31st:

1 month $9.99 (13% off)
6 month $39.96 (42% off)
12 month $59.88 (57% off)

Stream away and let us know how it is working for you in the comments!

The post HMA! Pro VPN Supports Netflix appeared first on Invisibler.

Why care about your ISP?

Your ISP has access to absolutely everything you do online, including your name address and billing information. And you thought Google, Facebook and the NSA were bad? Well, they are, but with some crucial differences:

• Google and Facebook are websites you are free to use or not and they must go to great length to incite you to share information about yourself; but you can choose not to. For example Google and Facebook know when you access their website and from where, but they don’t generally know of other sites you are visiting, at least not directly. In contrast, your ISP knows about every site you access, not unlike the NSA…
• The NSA collects absolutely everything we do, but, being a government entity, it isn’t at all interested in selling your personal data for monetary gain.
• Your ISP on the other hand exists solely for monetary purposes, and worst of all, in many parts of the country you might not even have a choice which company to use, so you can’t vote with your wallet. No wonder then, that industry groups are heavily lobbying to repeal the FCC Privacy Rules, making it easier for them to profit not only from the ridiculously high subscription fees (those are much lower for better service in other parts of the world, Europe for example) but also from selling your personal information to the highest bidder for advertising or other nefarious purposes, double dipping so to speak…

What’s more…

Reading through those FCC Rules it is quite clear that the FCC knows what’s at stake, as it laboriously defines every item worth consideration from customer acquisition, via Internet network architecture, packet contents to what happens to accumulated data after a customer decides to leave a BIAS, it’s all there. So, when the US government discusses repealing these rules, they know exactly what they are doing, putting an ISP’s profit over your, the customer’s and tax payer’s, privacy.

It is also pretty clear who benefits from this ruling, nobody other than the major ISPs in this country. You will probably read a lot of confusing nonsense about edge providers, or about ISPs claiming that they see less than everything you do online, which is surprisingly true, because they don’t see what you do when you are connected through a different provider (then the other provider sees and sells that, oh crap). However, it doesn’t change the fact that your ISP sees all traffic coming from and going to your IP address and and they want to make opting out of their private data collection as difficult as possible, besides collecting your personal data in yet another 100% secure and absolutely non-hackable database, right….

What can we do?

May I suggest “Wholesale Panic” and “blanket noncooperation”?

The obvious answer is to call your congressman and express your concerns. While that might be successful, most people won’t care enough about the issue to take action…

A safer approach is to take matters into your own hands and start using a VPN, that way you and I don’t depend on the government suddenly start making the right decisions. I have written about VPNs at length, from describing what they are, their pros and cons, alternative technologies, to reviews to give you some tools to decide which of the providers may be the best choice for you. Interestingly I wrote those articles with a focus on privacy regarding the NSA, which is, I am happy to tell you, a lot more difficult to accomplish that hiding your Internet activity from your everyday ISP.

While your ISP has access to all of your Internet activities you can easily install a VPN on your home router and encrypt everything going through that router, making it impossible for your ISP to see any more than the amount of traffic coming from and going to your IP address; game over.

What’s the drawback?

It costs money and may impact your Internet speeds. While it is true that there are free VPNs, even ones build directly into browsers, there is no such thing as free. If you don’t pay for a service, you are the product and not the customer. See Google’s business model… I have found very few exceptions to this rule.

I have used VPNs for years, primarily to protect my personal data when traveling. Some of us have to work and can’t afford spilling our private and business information all over the Internet. To protect my privacy I have used a lot of different VPNs, many of which don’t even exist anymore. When it comes to VPNs I have two clear favorites:

I have IP Vanish installed on my router at home and it works great. While setting it up yourself isn’t all that difficult, they offer routers with their VPN pre-installed for those not technically inclined.

IPVanish (US)

IPVanish is reliable, fast, and anonymous. They use 256-bit AES encryption and keep no logs of user activity. You can subscribe to their VPN for 10 USD/month or less if you subscribe to a longer term. Any subscription is good for up to 5 devices per account.

Tunnelbear (Canada)

Tunnelbear is the other VPN I am really fond of and not just because of their cute animations. It is installed on all of my mobile devices. Tunnelbear offers fast, reliable connections with 256-bit AES encryption for up to 5 devices. Pricing is the same as for IPVanish and 10 USD/month get you connected, but their yearly subscription is significantly cheaper than IPVanish.

Why two VPNs?

You don’t need two! However, I found that when traveling sometimes one VPN will just not work, but the other provider works just fine. This could be caused by a multitude of reason and I just don’t want to spend the time troubleshooting it. When I am at 36,000 feet and paying USD 14.95 for an already crappy Internet connection I just want to get things done and not have to deal with technical support.

What if I don’t want to use a VPN?

I looked at HTTPS-Everywhere, and while that encrypts your connection with the target website, it doesn’t hide the URL you are navigating to from your ISP, leaving you just as exposed as before, you ISP will still see you heading to your favorite adult entertainment site, just not what you are doing once you get there….

Installing the Opera Browser is another option, and while Opera is the product of a European company its parent company is Chinese and I am not sure how comfortable I am with that. The Chinese copy everything, except for human rights…. The other drawback of Opera is that it, by design, only protects what you are doing within the browser, so everything else, downloading email for example, is still quite visible to your ISP making it, at best, only a partial solution.

Another great option is to install Tor, also know as The Onion Router. Tor, just like a VPN, establishes an encrypted connection between you and another server somewhere online, making it impossible for your ISP to know what you are doing. Unfortunately, while Tor is free,  just like with the Opera browser only what you do within the Tor browser is hidden from your ISP, again, only a partial solution.

In Summary…

Unless you plan on ditching your ISP and/or mobile provider and crawling back under some rock chances are your Internet activities will be sold to the highest bidder. Sadly, after reading this far you probably know more about what’s at stake than the people who just sold us out.

The best defense against their nefarious tactics is to install a VPN on your home router and all of your mobile devices. HTTPS, Tor and Opera will work, but have serious limitations. Then of course there is your new home under that rock you’ve had your eyes on….

Whatever your choice, its worth considering what is at stake. Do you really want your ISP to be able to sell your Health Insurance company your Google searches so that they have better data to deny you coverage? An extreme example, for sure, but not an impossible one, and just maybe, they are already getting this information from Google… We’re screwed!

Screwed maybe, but not dead yet.

Thanks for reading and happy surfing!

We love to hear what you think, please share your thoughts in the comments.

You can find our comment policy here.

The post Things You Ought to Know About Your ISP appeared first on Invisibler.

But enough with the scare mongering…

If you want to learn about the basics behind email (and I strongly suggest you do!) read this article. Next read the introduction I wrote about how to secure your email. You can find it here. Go ahead, I’ll wait…

I’m waiting!

OK, now that you are back let’s continue. In this article I will provide you with some practical options to secure your email.

How much do you really need to know about email?

Technology is constantly changing, but only very few technologies pass the test of time. The older a technology is, the more likely it is to stick around. Yes, email is one of those! Not because it is elegant, liked or secure, but because it’s useful.

Email has been around since the 1960’s.

Before email, there was only snail mail. It sucked, but we, somehow, managed. Email is faster, cheaper, and more convenient than its predecessor, but sadly it is less secure and, in its current implementation, certainly not private.

We are all familiar with email, but there are a few things you might have overlooked:

1. There are are least 2 copies of every email (sender + receiver), but
   probably more.
2. In most cases the sender and receiver of an email are known (metadata).
3. If not encrypted the content of an email is public.
4. Some emails will always be insecure and reveal information about you, such as emails from your bank and retailers you do business with.

Did you know the US Postal Service takes a picture of every piece of mail- about 160 Billion pieces- in 2012 according to an article in The New York Times?

Depending on your security needs you might not care about either. But if you do -and you should- there are several avenues you can take to secure your communications.

Before going into the details, let’s make things a bit easier by introducing three people, Alice (A), Bob (B) and Eve (E). Alice wants to send a message to Bob and evil Eve wants to intercept it.

What are your options?

Let’s start with the simplest of cases, keeping the content of your emails secure by using encryption. Encryption requires that Alice and Bob exchange public keys and encrypt the contents of their email using each others public keys. This is safe, because only the person who has the private key can decrypt such properly encrypted messages (Public and Private keys are generated together and only one private key will correspond to one public key). GPG works great for this purpose and is relatively easy to use, even for novices. Keep in mind that GPG doesn’t encrypt the subject line of your emails, so don’t put anything personal or important into the subject line.

GPG

What you do is to install GPG on your computer, generate a key pair, exchange public keys with the people you want to communicate with, then use their public key to encrypt your email and send it.

For Alice and Bob this means that Alice will generate a key pair and email her public key to Bob. Bob then uses Alice’s public key to encrypt his emails to Alice, and because Alice is the only person who has the private key corresponding to her public key, she is the only person who can read Bob’s email. It sounds more complicated than it is, because your email client will take care of it behind the scenes.

You can also upload your public key to a public key server, so people can look it up and download your public key as needed. I am not fond of this option. Why? If you email your public key only to those you want to communicate with, it makes identifying legitimate emails easier.

It is a great idea to backup your keys in general and your private key specifically. You’ll need it to read past emails. Should you ever lose it, not even you will be able to read those old emails. Brilliant!

Backup your encryption keys!

While it is fairly simple to encrypt the content of your email, the sender and receiver of an email will still remain public, simply because that’s how email works. If you want to conceal the sender and receiver’s identities, one option is to setup anonymous email accounts. Again, this is easy to do, but you need to be careful.

Anonymous Email Accounts

If you follow the news, you might have heard about high-profile cases where anonymous email accounts have been traced back to real people, General Petraeus and his mistress for example. The Petraeus case illustrates how even a person with high-level security clearances, who should know at least a little something about privacy and anonymity – in particular how to secure his communication – can slip up and leave himself open to identification. In the Petraeus case law enforcement correlated credit card swipes with Gmail logins to identify the owner of the anonymous email account…Metadata! Well done mon General!

General, hiding your identity online is easy. Use a Virtual Private Network or VPN in combination with Tor, which is even better. Doing so will make it almost impossible to determine your real IP address and your identity, but you need to be vigilant. You must use VPN and Tor at all times, when you set up the accounts and when you access them. You must share your anonymous email only via secure channels-you can’t use a recovery address that can be traced back to you-and everyone who contacts you at that address must use the same security precautions or the entire endeavor will be futile from the start. And, in case you haven’t considered this already, you need to encrypt the content of those emails!

If this sounds complicated to you, that’s because remaining anonymous kinda is. However, it is possible to ensure private and even anonymous communications using an insecure medium if you use the proper tools and precautions…it just isn’t easy. It is cumbersome, inconvenient and easy to screw up.

Despair not, there is another option. Enter secure email…

Secure Email

Edward Snowden used Lavabit to communicate with Glenn Greenwald and Laura Poitras. Ladar Levison, the owner and operator of Lavabit, chose to shut down his service when faced with a National Security Letter to surrender the encryption keys for his service rather than decrypting all emails of all users for US law enforcement. Since then several secure email services have popped up, some of which have already gone under.

There are different flavors of service, ranging from encrypted email to all-around secure communications solutions including secure chat and secure file storage. Let’s be frank though, any solution that doesn’t offer end-to-end encryption requires careful scrutiny. End-to-end encryption means that only the sender and receiver have the means to encrypt and decrypt a message (or file); no other party will have access to your communications no matter what.

In other words, pay attention to who has access to your encryption keys! To keep your communications or files confidential, encryption keys should be under your control.

Do not trust anyone under any circumstances!

We have already established that an attacker needs both, the email and the decryption key to read said email. This means any service that holds both, your emails and the keys to encrypt those has the means to read your private communications and can be compelled by law to turn both over to law enforcement. On the other hand, any service that does not have access to your encryption keys has nothing to give to law enforcement. Even if this service would be hacked, and they are attractive targets, there is nothing to find and your communications remain protected.

When I did the research for this article I was astounded by the number of solutions available. Clearly, there is a market for private communications. To better understand these services it helps to look at how they protect your communications.

You can broadly categorize secure email services into 4 categories:

1. Email services that don’t require any personally identifiable information to setup an account, don’t log IPs, and store your email in encrypted format. This type of service leaves it up to you to encrypt your communications.
2. Providers that handle the encryption for you and integrate with your current email service (EaaS).
3. Secure email providers that encrypt, transport and store your messages.
4. Email-like services.

Lets look at some of the available solutions:

Riseup

Riseup is a free email service geared towards secure communications for people and groups working toward liberal social change. To protect the privacy of their users, Riseup doesn’t log IP addresses and keeps emails stored only in encrypted format. Riseup only provides a regular email service, encrypting of messages is up to you and you are encouraged to do so.

Riseup has a very succinct and strict privacy policy, leaving little to the imagination. While they temporarily log some information, those logs are deleted either immediately after a session ends or at the end of the day. Laura Poitras used Riseup to communicate with Edward Snowden anonymously.

SIGAINT

SIGAINT <– Can only be reached via Tor or similar browsers. SIGAINT is a free dark web email service with an option to upgrade the account to their Pro service for a lifetime fee of USD30 in bitcoins. Upgrading gets you extra storage, complete SMTPS/IMAPS/POP3S support, bitmessage support, easier PGP integration, and priority technical support.

SIGAINT is an anonymous email service and requires their users to provide their own encryption, such as GPG.

SIGAINT does not publish terms of service or a privacy policy.

Sendinc

Sendinc is a subsidiary of MX Force, LLC, a Dallas, TX based company. Sendinc provides email encryption, including plug-ins for MS Outlook and Gmail. After a 7-day free trial it will cost USD $4/month, paid annually.

While they are advertising military-strength encryption and bringing your email in compliance with GLBA, HIPPA, and SOX, a laudable effort for sure, I found this little gem in their Privacy Policy. In the Security section it states: “Email processing is done by automatic processes. Sendinc employees do not examine the contents of customer email except when Sendinc in its discretion determines that it is required by law or government agency, or as permitted by the customer.” So much for Sendinc not being able to read your email!

The other interesting point is that every message recipient must log into Sendinc’s service to read an encrypted message. If you don’t have an account, you must set one up before you get access to your message.

S-Mail Secure Email

S-Mail.Com provides secure email. While their web page looks a bit outdated, OK – very outdated, their service is still operational and I received a quick response when I contacted support. S-Mail uses end-to-end encryption and stores your password-protected private key on a secure private key server.

S-Mail offers a free Standard account and pre-paid Premium account starting at USD 5.00/month. The Premium account offers more storage and basically makes the account usable for day-to-day communications. Their list of features for both account types is entertaining, to say the least…

S-Mail’s privacy policy is pretty standard for most web services. They log IP addresses, keep logs on site visitors etc., but because of their end-to-end encryption, they are not able to read the content of your message. Keep in mind that they would be able to provide meta data if required…

SaluSafe

SaluSafe is a Canada-based online security provider, offering secure email, secure online storage and secure messaging. Their previous service Cryptoheaven is still running and operational. SaluSafe is essentially the same service under a different brand and with a more polished interface.

SaluSafe has software clients for Windows, Mac, Linux, Android and Blackberry, but not for iOS. Pricing starts at USD 7.99/month for the ‘basic’ plan and goes up to USD 27.99 for ‘premium’ service. Annual billing options are available at a discount.

SaluSafe employs end-to-end encryption for both the email itself and the transmission thereof. Secure SMS works only between SaluSafe subscribers.

SaluSafe’s privacy policy is a short read. It states that they will not share personal data they have collected during account setup, that any IP logs etc. are destroyed after one month and that they don’t have access to the content of your communications.

Virtru

Virtru is a US-based company that provides encryption as a service (EaaS). The concept is simple: Virtu takes care of the encryption, user authentication and decryption, you and your recipient’s email clients do the rest, composing, encrypting, transmitting, decrypting, and displaying your content. The selling point is that Virtu handles key management (and holds the keys) but doesn’t have access to your content, which was encrypted on your device and sent through your email provider. Centralized key management offers Virtu the ability to expire emails or stop recipients from forwarding them. However, a properly authorized recipient could still copy your email and paste it into an unprotected email that he is then free to distribute and read at will.

Virtru’s privacy policy spells out what information they collect, in general and in regard to using their encryption technology. I didn’t see anything unusual when reading through the privacy policy. In their FAQs they elaborate on several aspects of privacy, in particular government surveillance. Because Virtru is a US-based company, they would have to comply with lawful requests for user data, or more specifically they could be asked to provide technical assistance decrypting messages held by other services. They promise to fight any such request to the fullest extent possible to protect their user’s privacy.

Quick note: I didn’t elaborate on jurisdiction in this article. Jurisdiction determines who can legally ask for what. International cooperation on legal matters is a tricky subject. Generally speaking, the more countries that are involved, the more difficult it will be to get a proper court order, hence potential access to information. Ideally you want to do business with companies with good privacy protections outside of the country where you live.

Safe-Mail

Safe-Mail is powered by BadAss, which is probably best described as a secure hosting service based in the Netherlands. Safe-Mail offers secure, and, if you are so inclined, anonymous email. The sign-up process is simple enough and while they are asking for personal information we all know you can give whatever information you you feel comfortable providing.

Safe-Mail’s terms of service are on the sign-up page and very basic. As of this writing I could not find a privacy policy. Signing up is free and gives you access to a small account with basic features. Paid accounts add disc space and mobile access starting at 2 Euro/month. While primarily marketed as a secure email service, accounts include a nifty calendar, online storage and encrypted chat.

StartMail

StartMail is a Netherlands-based secure email service. While I am not a fan of trusting anyone with my encryption keys, they offer an interesting solution. StartMail uses a mix of open source and proprietary software to simplify OpenPGP encryption and make it accessible to even novice users. The key to their security solution is what they call the user’s vault. Only the subscriber has access to their vault via a password that StartMail does not store. Instead, when the user logs in, they will attempt to unlock the vault, and if successful, the password was correct, otherwise it was not and the user will be locked out after too many unsuccessful attempts.

After an initial 7 day free trial, StartMail costs USD 59.95/year. This includes one full account and two limited companion accounts.

StartMail’s privacy policy states it will not track or log user activity and will even stop trackers commonly found in emails. Their privacy policy is written in easy-to-understand language and clearly states it will only comply with proper legal requests for user information from Dutch authorities.

Pryvate

Pryvate is a British company and offers encryption as a service (EaaS). In addition to encrypted email, Pryvate also offers encrypted voice, conference and video calls, IM, picture sharing, file transfer and file storage. You can subscribe to a rather limited plan for free,but anything useful starts at USD 5.62/month and the enterprise version will set you back USD 13.99 per user per month.

The key to encryption as a service is that the company provides the encryption and manages the encryption keys while you hold the data, meaning data and encryption keys are never located on the same device making one useless without the other.

Pryvate is a subsidiary of Criptyque Limited, a UK-based company. Their privacy policy takes a while to read, clearly states all the ways they will track you and how they are going to use that information. It does, however, not state how Pryvate will respond to legal inquiries. Cryptique’s website was unreachable as of this writing.

Enlocked

Enlocked offers encryption as a service (EaaS) with you and your recipient using your own email providers. Encryption and decryption is handled on your devices and the service is free as long as you send less than 10 emails per month, up to 2000 messages per month will cost USD 20/month, 10,000 messages USD 30/month (reading is free).

You need to be aware of the following paragraph found in Enlocked’s privacy policy:
“We also collect certain limited information about how you use our services, including users’ IP addresses, recipients’ email addresses, date/time stamp, Message Headers and Message Access Data.” They will delete this data per your request if you stop using their service.
Enlocked stores recipient’s public keys (required to encrypt emails), but does not have access to your private encryption key or the actual email message, therefore Enlocked has no access to the content of your message.

Protonmail

Protonmail, is a Switzerland-based, free, end-to-end encrypted email service with a growing user base of over 500,000+ users. Originally conceived after the Snowden revelations in 2013 in Cern, it is one of the premier secure email services available. Signing up is easy and does not require any personal identifiable information. It takes between a few days and a few weeks for the account to become active depending on the length of the wait-list.

Protonmail uses end-to-end encryption, hence has no access to your encryption keys. Protonmail does not require or log personally identifiable information allowing you to remain completely anonymous if you wish.

Proton Mail’s terms and conditions are short and easy to read, nothing exciting. Their privacy policy is equally as entertaining-they will comply with local court orders-but they can’t share what they don’t have. ProtonMail is exempt from the Swiss requirement to provide technical means for lawful interception as it is not an Internet Service Provider (ISP).

Bitmessage

Bitmessage is a decentralized, encrypted, peer-to-peer communications protocol, similar to bitcoin. Any user can send a message to any other user or group of users, and all messages sent this way are available to all users, but only the recipient is able to decrypt and read the message.

Bitmessage’s terms and conditions, while lengthy, basically state that you are responsible for your use of the service and that they won’t take any responsibility that their service works. Because they are based in Switzerland neither US nor EU laws apply. Bitmessage does not have a privacy policy, which makes sense because they give users the option to ‘nuke’ their own account. Nuking an account means your account and all messages will be deleted and the email address including private keys will be published online, meaning anyone could have sent a message – plausible deniability.

My Opinion

100% security is difficult, if not impossible, to achieve, but you can get pretty close. A sufficiently motivated attacker, such as the NSA or GCHQ, with almost unlimited resources, will ultimately find a way to identify you, simply because we humans aren’t perfect!

Secure email services are great, and I wish everyone would use them, but that is not going to happen. Why? People are lazy. It is hard enough to get uncle Bob to respond to email, let alone getting all of your contacts to use the same secure email system. It reminds me of the time when Facebook was just one of several social media sites and all my friends were scattered across many social networks that didn’t inter-operate. Until secure email providers figure out how to exchange messages between different services anonymously, or one provider becomes the de facto standard, even secure email isn’t the ultimate solution, but it is a temporary option for limited use cases or the notoriously paranoid, like me

There are a few key ideas to keep in mind to protect your communications and make it at least expensive to learn more about you:

1. If you use public key encryption your emails can’t easily be read by third parties, so even if your email account is compromised or individual emails are intercepted, content will remain personal. You can use any email provider if you use a mail client, although web mail is trickier.
2. Public-key encryption does NOT make you anonymous!
3. If you and your important contacts use the same encrypted email solution, something like Protonmail or StartMail for example, both the content of your emails and potential metadata are protected (Snowden and Lavabit). If nothing else, you are reducing the amount of metadata available about you, because your email doesn’t traverse the Internet.
4. Anonymous email accounts are probably best used in very specific situations between people who know what they are doing, and hence are at low risk of exposing themselves through simple mistakes. You can use any email service that doesn’t require and verify personal data to setup an account (Riseup or SIGAINT for example).
5. I strongly encourage you to read every service’s terms and conditions AND privacy policy BEFORE signing up. Either they will have access to your communications or they won’t, but often you have to read between the lines to figure that out. Personally I’d stay away from anything that even remotely sounds fishy!

It doesn’t take much social engineering to figure out who your family and friends are, so even a large number of emails exchanged between you and your spouse won’t raise any suspicion – in this case metadata will reveal very little about you. By all means use public email accounts for these types of communication, but encrypt the contents.

It will actually work against you to use your anonymous accounts with friends and family, because your family ties can be used to guess who the owner of an anonymous account might be. Start thinking like your adversaries! Twisted, I know…

What do you do now?

In a dictatorship the people are transparent to the government, in a democracy the government is transparent to the people and it – the government – knows nothing about the private affairs of its citizens. Well, at least in theory that is…

We can all do our part to ensure a certain level of privacy even when facing blatant government overreach.

But proper precautions don’t only protect you from nosy government snoops, they also shield your communications from corporations that house and transmit your email (Gmail, Outlook, Yahoo, etc.) as well as hackers with most likely more nefarious agendas than just advertising the crap out of you or selling your secrets back to said government snoops.

Your first step should always be to assess your privacy needs. For most people, encrypting their emails (yes, all of them) will be a great first step. Of course hiding potential meta-data would be a great second step. Sadly, staying anonymous and not providing any public meta-data, isn’t easy and isn’t convenient, at least not at this time.

GPG is free and easy to use with any email service. While it won’t make you anonymous, it will protect the confidentiality of your communications and make it more difficult to generate elaborate marketing and social profiles about you.

So, which service should I use?

GPG is a no-brainer, it’s free, it’s easy to install and set up, and it protects the content of your emails from third parties. Beyond that, it really depends on who you are. Are you a corporation, a journalist, a whistle-blower, a concerned citizen,or do you live under an oppressive regime? Have a look at the options described above, they range from encryption with GPG to, what can be best described as, an Outlook-style organizer suite like Safe-Mail. There is an option for every need and pocket book. Interestingly, two of the most secure options, ProtonMail and Bitmessage, are free.

Of course, if everyone were to encrypt their communications, it would be a lot harder to snoop on us and surely governments would start screaming bloody murder; you know, the sky is falling, terrorists will take over the world, child porn will be everywhere, illegal drugs will be sold at your local corner store, and everyone will have an unregistered gun. We’ve all heard that before, nothing new…

Remember: “Those who sacrifice Liberty for Security deserve neither.” Benjamin Franklin, very smart man. Enough said!

I’d love to read your thoughts and suggestions. What services do you use? Please put them in the comments below. At the very least encrypt your email and use 2-factor authentication wherever possible.

Image Credit: Beck Gusler
Image Credit: Chris Baranski

The post How to: Use Email and Protect Your Privacy appeared first on Invisibler.

Well, there is a way to do that and it is called Virtual Private Network or VPN for short. It is a technology that puts a third party server between you and the Internet. It allows you to remain anonymous online. So if you can download whatever you want, stream content from anywhere, make anonymous comments, hide your identity (basically all the good stuff) why is it not illegal?

Great question ! The answer can be both easy and complicated. Let’s start with the really complicated and, by far, my favorite answer. It was written by Stan Hanks on Quora and, while I am confident his answer makes sense, I have only a vague idea what he really said. That is entirely my fault, I am sure. His basic premise is that you can legislate against the use of VPNs but trying to enforce that legislation would be futile. He then continues with a technical explanation why he believes that is the case.

First, let’s look at what a VPN really is.

Simply put a Virtual Private Network (or VPN) is software that enables you to establish an encrypted connection to a server. This server then forwards your traffic to the Internet or any other destination of your choosing (a corporate network for example) and channels responses back to you, allowing you to remain anonymous and the data sent to remain private between you and your VPN server.

What do people commonly use VPNs for?

In contrast to what you might think, most people use VPNs to access region restricted content or download copyrighted entertainment, basically the stuff the copyright police is all up in arms about.

Other uses are protecting the privacy of your Internet connection, circumventing firewalls, securely accessing corporate networks, hiding your real identity and the like…

So, if it is not illegal, does that mean using a VPN is legal?

In the strictest sense of the law the answer is clearly “yes.” The problem is that the question is vague and therefore the answer probably meaningless. However, the question is important because it can mean the difference between freedom and, for some people, prosecution.

In the strictest sense “legal” refers to the law and laws are specific to each country. This means there is no single answer to the legality of VPNs, because the answer is country specific. Fortunately there are very few countries that legally forbid the use of VPNs. If you live in one of those countries you probably already know. For the rest, and vast majority, of us encrypting our Internet traffic is completely legal.

But I can use it for illegal purposes?

Yes you could – just as you can legally own and use a gun to protect yourself, which is perfectly legal at least in the US, or choose to murder someone with it, which is clearly illegal. Just because a technology can be used for illegal purposes, doesn’t make the technology itself illegal. Let your moral compass be the judge.

So what about downloading copyrighted content?

Many people are unaware that the Digital Millennium Copyright Act is a US-specific law, signed into effect by US President Bill Clinton in 1998. While copyright holders love to make it appear as if the DMCA applies worldwide, that is simply not the case; therefore, unless you are in the United States you will not be getting any DMCA notices…ever!

This does not mean that you can safely pirate copyrighted material, but it makes it very difficult for US-based copyright holders to pursue illegal downloaders outside the United States because they will have to go through the legal process of the country the pirate is located in, which in most cases isn’t worth the effort.

But I got a letter from a lawyer demanding money?

Then there is the issue of copyright trolls. Copyright trolls are entities that either own copyrights or represent copyright holders (or claim to do so), often in an unduly aggressive and opportunistic manner, for the sole purpose of making money through litigation.

They often send cleverly written, threatening letters offering an out of court settlement for a reduced fine instead of a scary-sounding lawsuit with an unpredictable outcome.

The best thing you can do if you receive such a letter is to toss it. Yes I said it…toss it! Let them pursue their phony claims in court. Chances are they won’t, as it’s just too much work to deal with troublemakers like you!

Isn’t violating terms and conditions illegal?

Violating a company’s terms and conditions is not the same as breaking the law (unless of course you are committing an illegal offense in the process). Which brings us to streaming content that wasn’t intended for you, or, in other words, watching content that isn’t available in your part of the world can be a violation of a company’s terms. For example, using a VPN in Germany is legal, but accessing the BBC’s iPlayer from Germany in the UK violates the BBC’s iPlayer terms and conditions. Streaming the US version of Netflix outside the US is another great example, a practice Netflix publicly condemns, but also earns money from.

There are many more examples of violating a company’s terms and conditions: examples are downloading copyrighted movies from torrent sites, sending SPAM, illegal computer hacking, any type of fraud, executing DDoS attacks, dealing drugs, selling arms… you get the idea. Many of those cases are clearly spelled out on your VPN provider’s terms and conditions page. But, bluntly put, even your VPN provider is making money off people who are violating their terms and conditions and certainly reserve the right to suspend or even terminate an offender’s account, and yes, it does happen.

However, all of these companies are walking a tight line between legal and illegal uses of their services that they have to balance with protecting their user’s privacy and, of course, company profits. So, where does that leave us?

Conclusion

Using a VPN is perfectly legal unless you live in one of those few countries that has laws that prohibit the use of it (Iran or Saudi Arabia for example), but don’t let clever rhetoric confuse you. Even if it were illegal, enforcement would be difficult, if not impossible, to accomplish.

What you use a legal technology for is, as always, entirely up to you. Just like with guns in the US, you can use a VPN for legal or illegal purposes, and you do so at your own peril.

Be aware of the difference between breaking the law and violating a company’s terms and conditions. Breaking the law can land you in jail while violating some company’s terms might get your account suspended.

In the coming months and years we will see a flurry of articles and legislative proposals surrounding these issues. Content providers are already lobbying heavily for legislation protecting their profits in many parts of the world (currently in Australia, where Netflix just opened up shop), trying to enlist ISPs to do their bidding, attempting to outlaw VPN services, criminalizing circumventing geo-restrictions etc. The Internet doesn’t work that way and unless they update their business models to better reflect the current state of affairs, they will, sooner or later, be out of said, not models, but business. Chances are they will win a few battles, but I predict they will loose the war.

Image Credit: Tori Rector

The post Wait…is it legal for you to use a VPN? appeared first on Invisibler.

The bug was detected by Kaspersky Lab. Kaspersky Lab is a security research and software firm from Woburn, MA. According to Kaspersky Lab, DarkHotel is operated by a highly sophisticated entity with superior coding and crypto-graphical skills. The attackers are using two approaches; the first is to infect as many machines as possible using P2P probably to use them as bots, and the second, a highly specific approach targeting high-value travelers. The attackers infect the machines when the targets provide their name and room number to log on to a hotel’s Wi-Fi network. Instead of being directly connected to the Internet the attackers prompt the target to install a legitimate looking software update circumventing built-in defenses by using forged security certificates. Once a target’s computer is infected the attacker can command the infected device and/or gain access to confidential information such as login information, sensitive documents, etc., potentially causing millions of dollars in damages.

Currently the attack is ongoing, so are the efforts to stop it. It’s not clear how many hotel networks are affected. If you are part of the target group, and are traveling to Asia, your best defense is to either: not connect to public (hotel) Wi-Fi, or when you do connect, to be vigilant and use a VPN. Needless to say, installing software updates – no matter how legit they may look – is never a good idea while in non-secure environments.

For more information visit the Kaspersky Lab website and/or the relevant article on SecureList.

Image Credit: Roman Boed

The post DarkHotel – Hacking High Value Target at Expensive Hotels appeared first on Invisibler.

Achieving perfect security of your email is difficult, but there are a few things you can do to make it at least much more difficult for third parties to get access to your communications. With a little bit of effort it is fairly easy to protect the privacy of your emails; however, protecting your and your receiver’s identity is more difficult to achieve.

Before getting into the details of how to encrypt your email communications lets have a look at how a typical email exchange works. I’ll point out vulnerabilities along the way.

The Nuts and Bolts of Email

(If you already know the ins and outs of the technical steps involved in composing, delivering and reading email feel free to just skim this part and continue reading at ‘Confidentiality.’ )

Sender

Email privacy starts with securing the device you use to compose your email. That means access control, encrypting the storage on it, installing software that will safeguard it against malware, and preferably not using shared devices.

Once you click send your email program will establish a connection with your email provider’s email server. Interesting to note is that more than 50% of all emails are not encrypted!

Sender’s email server

SMTP, the protocol used to send (and receive) email does not require a secure connection between the user and the email server; however, because of security concerns most email providers now do.

TLS/SSL and HTTPS encrypt the connection between you and your email provider, making it impossible for your Internet Service Provider (ISP) or anyone eavesdropping on your connection to decipher what is being send back and forth. However, once your email has reached the server it is available for the server’s administrator to read, log and index.

Cloud

Your email then travels the Internet, or more precisely, the network and devices your email must transit to reach the receiver’s email server. Your email, the envelope, message header and content can be read, logged and indexed at any point of this journey by anyone with access. This is where the NSA gets most of its information.

This part of an email’s journey is generally not encrypted and completely out of the user’s control.

Receiver’s server

The receiver’s server discards your email’s envelope after it places the message into the recipient’s inbox; that’s why you never see it.

The server administrator has full access to all data transferred through the server, for example an admin could access your email account or forward your email without your knowledge to a separate mailbox. Any unencrypted content can be read.

Receiver

The receiver either logs into a webmail account or downloads your email from the mail server using POP or IMAP. This process is identical to you establishing a connection with your email host and can either take place encrypted or without encryption. If the receiver does not use encryption to download email, your message can be intercepted and read by a third party if the body was not encrypted.

The recipient can choose to download your email and delete the copy on the server or download a copy and leave a copy on the server. Any emails left on the server can be accessed by an administrator or an intruder. In the US any email older than 180 days is considered abandoned and as such accessed without a warrant!

Let’s assume your recipient decrypts and reads your message, he is now free to do with your email whatever he chooses, for example forward the decrypted content or store it anywhere.

Confidentiality

After reading this far, it should be obvious that sending a plain text (not encrypted) message isn’t any more secure than dropping a postcard in the mail. Anyone with access can read, log and index your message.

However, if you encrypt the content, reading your mail is no longer possible without the matching decryption key. Properly implemented encryption also ensures the message wasn’t tampered with during transit (integrity) and the person you think the email came from is the actual sender (authenticity).

Encryption

The desire to protect one’s communications is as old as humanity itself. Encryption refers to the process of encoding a message using an encryption key in such a way that only the intended parties can read it. Decryption refers to the decoding of a message and requires a decryption key.

Public key encryption requires two keys, one private and one public. The idea is to distribute Alice’s (your) public key for Bob (others) to encrypt messages sent to Alice. Alice will then use her private key do decrypt them.

As a side note, digital signatures are strings of characters that uniquely identify the signer of an electronic message. The recipient of a properly signed message can verify that the message was in fact sent from the purported sender and that the message wasn’t tampered with during transit.

How do you Encrypt your email?

The most popular email encryption standards are:

S/MIME
OpenPGP

Both are similar services that differ in their trust model. S/MIME requires the user to obtain a certificate from a so called Certificate Authority (CA), requiring all users to trust this authority. For example, Alice would trust Bob if Bob’s “chain of trust” can be traced back to the central authority.
OpenPGP uses the “web of trust” model and any user can be the authority to verify another, thereby eliminating the need for a third party. For example, if Alice and Bob think she is Carol then that is good enough for me.

S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of MIME data as specified by the Internet Engineering Task Force (IETF) in RFCs 3369, 3370, 3850 and 3851. It was originally developed by RSA Security, Inc.

Most email software already supports S/MIME encryption. The actual protocol is derived from the PKCS#7 data format used to sign and encrypt data under PKI. You first get a certificate from a Certificate Authority, then download your certificate, a file with a .p7s extension, and add it to your email program. This gives you the ability to sign and encrypt messages. The receiver of your email can verify that the email came from you and now has your public key. He can now use your public key to send an encrypted message to you that you can decrypt with your private key.

GPG

The more popular way to encrypt email is using PGP (aka Pretty Good Privacy, or more precisely, OpenPGP). PGP is a commercial program sold for email encryption. Gnu makes a free version known as GPG, or Gnu Privacy Guard.

GPG, just as S/MIME, uses public key cryptography to secure your message, but instead of having to obtain a certificate from a public Certificate Authority, you create your own certificate. You can then upload your public key to a key server or share it with the people you communicate with directly. Because there is no central authority guaranteeing the validity of your certificate there is no guarantee of authenticity. Users are welcome to have other users sign their certificates to increase their trust value. Practically speaking though, even a certificate authority doesn’t verify a user’s real identity, just that he or she owns the email address they requested a certificate for.

GPG doesn’t directly integrate with mail clients. Instead, users use a 3rd party application (available for most platforms at the link provided) to generate the key pairs they then import into their email clients and distribute as described with S/MIME.

Message Integrity

The content of a properly encrypted email cannot be read, edited or amended by intruders making it impossible to alter the original message without being detected; hence, proper encryption guarantees message integrity.

Authenticity

Assuming you trust the keys you exchanged with others, a properly signed email guarantees that it originated from the email address used in the certificate.

Indexing, Logging, Storing of email

Electronic messages can be indexed, logged, and stored at many points during their transit from sender to receiver. This isn’t specific to email. All plain text can be read.

Let us assume sender and receiver know how to properly encrypt email then your message can still be logged, indexed and stored; however, the content of your message remains private between you and the receiver.

Even if you properly encrypt the content of your message as described above, the envelope information is still public. In most cases that means the sender address ‘From’ and the receiver ‘To’ address are known and can be logged while flowing through third party switches and servers.

Anonymity

In certain circumstances hiding the content of a message isn’t enough and a sender and/or receiver might have the need to hide their identity; imagine a whistle blower contacting a journalist, or a general and his mistress.

The simple fact that two people are communicating with each other might be reason enough to get them into trouble. In this case the concept of confidentiality needs to be extended to include keeping the identity of the sender and/or receiver private. Currently the only way to achieve this is by setting up an anonymous email account.

Please note that providing false information during the sign-up process for an email account often violates the provider’s terms and conditions and generally isn’t sufficient to hide your identity. To achieve a higher level of anonymity you must also hide your IP address during the signup process as well as every time you access your anonymous email account. You can easily do this by using a VPN (Virtual Private Network) or Tor, a free anonymizing service run by a network of volunteers around the world.

Perfect anonymity is difficult to maintain because a simple oversight or mistake along the way will blow your anonymity right out of the water. For example, if you use email software to access your anonymous email account and your device is compromised, then your anonymous email account might no longer be anonymous.

It makes sense to only use webmail to access your secret accounts. Unfortunately, this also makes it harder to encrypt your message, unless you use a third party application such as Mailvelope to encrypt messages inside your browser.

What Actions Should I Take Now?

The reason why the current email system is hopelessly insecure is not that it isn’t possible to achieve a reasonable level of security, it is that most users don’t know, don’t want to spend the time, or simply don’t care about email security.

If you are uncomfortable with the thought of all your communications being as secure as the proverbial postcard dropped in the mail, it is time to learn how to secure your email. I hope I have been able to explain the basic concepts behind email security and give you a solid foundation from which to start protecting your electronic communications.

If you are totally paranoid or your life depends on it your best option is to not use email, use a secure messaging app with perfect forward secrecy instead, but this is a topic for another post…

Further Reading

If you would like to have Ed Snowden explain email security to you and show you how to secure your email check out Ed Snowden’s instruction to Glenn Greenwald on how to use GPG on Vimeo.

Ladar Levison, the gentleman who got into trouble with the US government when he refused to comply with the government’s demand to hand over the encryption keys to his anonymous email service Lavabit during the ‘summer of Snowden’ is working with the founders of Silent Circle (also voluntarily shut down because of security concerns) on the Dark Mail Alliance, a non-profit aiming to change email from a non-secure system to a secure system by default. This Techcrunch article summarizes the details. Mr. Levison provides further details in this Kickstarter video. The group is working on using XMPP and Elliptical Curve Encryption to enable end-to-end email encryption.

Image Credit: RaHuL Rodriguez

The post How to Encrypt Your Email – What You Need to Know appeared first on Invisibler.

We recently learned that our phones are tracked and tapped, every step of the way. However, our phones can only work when they know where they are and constantly inform the phone company about it. That’s not surveillance, that’s just how the technology works.

The Internet must also know who you are and where you are located. It does that through a number your Internet Service Provider (ISP) assigns to you, your Internet Protocol address, better known simply as your IP address.

What is an IP address?

Computers need to speak a common language, that language is called Internet Protocol. They communicate by sending packets of information that include the IP address of the destination computer. Simply put an IP address is a big number that identifies a computer on the Internet. Currently the majority of Internet traffic is routed using Internet Protocol Version 4, or IPv4. This addressing scheme was adopted by the IETF in 1981, and consists of 32-bit numbers organized in 4 octets, 74.125.227.99 (google.com) for example.

Vint Cerf, now an Internet Evangelist at Google, could not have foreseen the number of IP addresses needed when he picked the 32 bit address space. Even though roughly 4.3 billion IPv4 addresses exist, only about 14% of them are in active use according to an article from 2011. This number is probably higher today, but nowhere near 100%! Originally they were handed out in large chunks  for free to anyone who showed interest (IBM, Apple, AT&T, DoD, etc.), leaving millions of IP addresses unused. While some organizations are voluntarily returning their unused address space to ARIN, others aren’t.

The IETF formalized the successor protocol IPv6 in 1999. IPv6 addresses are 128-bit numbers displayed in 8 groups of 16. This allows for 340 undecillion (3.4×10³⁸) IP addresses, about 100 addresses for every atom on the surface of the earth. Based on Google’s traffic analysis, at this time about 96% of Internet traffic is routed using IPv4, and the other 4% is routed via IPv6. Because the headers of IPv4 packets differ significantly from IPv6 headers, the two protocols are not interoperable and it is expected they will be used side-by-side for the foreseeable future.

What information can be gleaned from an IP address?

Every device connected to a network must have an IP address to receive data. This is not much different than a postal address or phone number – without an address or phone number nothing can be routed to the intended recipient. Interestingly, the domain name system (DNS) is an extension of this system to make addresses easier for humans to remember (google.com translates into 74.125.227.99).

The important point here is that IP addresses (IPv4 and IPv6) are assigned, therefore there is a trail leading from the highest assigning authority (ARIN) to your ISP and from your ISP to you, or, more simply put, your IP address uniquely identifies your device on the Internet just like your fingerprint identifies you offline. Your IP address becomes your identity on the Internet.

IP addresses serve many useful functions, but they can be used against you. Therefore, it is smart to know how they are being used and how you can use IP addresses to your advantage.

Network Information

Internet Service Providers (ISP) usually own a range of IP addresses that they purchased and registered through ARIN. Time Warner Cable Internet LLC, for example, owns 24.92.0.0 through 24.92.143.255. Consequently, if you are a Time Warner Cable customer you will be assigned an IP address within that range.

Anyone with access to your IP address can easily look up the network you are connecting from by searching ARIN’s registry entries.

Location

Not surprisingly your IP address indicates your location. If you’ve ever gotten a message from Youtube that some content isn’t available for your location, then you know what I mean. While this isn’t 100% accurate, it is accurate enough to use IP addresses to restrict content to certain locations. Entertainment streaming sites like Hulu and Pandora use your IP address to determine if you are eligible to use their service. Let’s call that Macro-Location to distinguish it from the more precise Micro-Locations.

Your Macro-Location is determined by converting an IP address into an IP number and then looking up the IP number (the result of the calculation) in an IP-Country database.

Some websites show your location on a map, sometimes with astonishing accuracy (Micro-Location). However, this isn’t a function of your IP address itself, rather it is a function of cross-referencing data points from different sources using your IP address as the common denominator. The accuracy varies greatly depending on the number of data points available to the specific site.

How can you use IP Addresses to your advantage?

All devices connected to the Internet must have an IP address, otherwise the Internet would stop working the way it does. Every server, every router, and every switch must know where to forward the packet to, therefore every device has access to the origin and destination IP addresses. Again, this is not surveillance, it’s the way this technology works. Many devices on the route your information travels are potentially capable of logging and storing this information.

While you can change your real IP Address (by restarting your cable modem, for example), you will still have an IP address that can be traced back to you and which correctly identifies your Macro-Location.

To hide your real IP address all you need to do is to put a proxy-server between you and the rest of the Internet. Instead of your computer sending out requests with your IP address to the Internet, your computer sends your requests to the proxy server which replaces your IP address with its own then sends your requests to the internet and then channels responses back to you. This technique allows anyone to bypass region and content restrictions, and to hide their identity from prying eyes. How does one do that, you ask?

Proxy Server

A proxy server is a server or an application that acts as an intermediary for clients (such as your computer) to request resources from other servers (a web server for example).

Proxies can perform many functions such as security, caching, filtering of data and content, translation, logging and eavesdropping, bypassing filters and censorship, or accessing services anonymously. For the purposes of this article only anonymizing proxies, also called web proxies, are of interest.

By connecting to the Internet via a web proxy you can change your IP address to that of the proxy server, thereby bypassing region restrictions and hiding your real IP address.

VPN

A Virtual Private Network (VPN) is a private network within a public network; private, because you need login credentials to connect, and public, because you connect through the Internet. VPNs are a hot item since the days of Edward Snowden, and you have literally hundreds of options to choose from – free or paid, anonymous or not so anonymous – but more about that later. VPNs function essentially like a proxy server but offer better security because the connection between you and the server is encrypted, making it impossible to eavesdrop on your Internet activity.

While just about anyone can run a proxy server, VPN servers are usually owned by businesses, therefore eliminating – to some extend – the mystery of whom you are doing business with and trusting with your data. However, keep in mind that every rule has exceptions and only connect to proxy servers, including VPNs, run by people you trust!

Tor

The Onion Router, known as Tor, is a free service comprised of the Tor Network and the Tor Software. After connecting to the Tor network the Tor software randomly chooses a minimum of three relay points – think of them as proxies – to establish an untraceable route for each data transfer. Information packages are wrapped in layers of encryption – like an onion – for each relay point, or node, to peel off just one layer in such a way that no node knows the entire route, effectively hiding the origin of the request and the destination the response will be sent to.

Similar to a VPN your HTTP request is sent via an encrypted connection to a Tor entry node, then takes a random path through the Tor network to a Tor exit node from where your request is sent openly (not encrypted) via the Internet. However, in contrast to a VPN you don’t control the location of the exit node, therefore Tor is less useful to navigate geo-fencing, but is great at anonymizing Internet traffic, hence used by many who have a vital need for privacy.

Summary

Your IP address, your unique online ID, serves many useful functions, but also imposes limitations because it provides location information about you and can ultimately be traced back to you personally, fortunately (in most cases), not without a court order or similar legal premise.

Hiding your real IP address is easily done by establishing a connection to a server or service – known as a proxy – that acts as an intermediary between you and the Internet.

Proxy servers offer the most basic way to hide your IP address and your location. However, proxies also pose the highest risk as they are easy to setup and, unless you trust the person or organization who runs it, are not very secure.

VPNs offer higher levels of security, high speed, and the option to choose the location of your proxy (VPN server). They vary in price and features and the extent of their network from a presence in just a handful of countries with a limited pool of IP addresses to worldwide presence with thousands of IP addresses to hide behind.

Tor is probably the most secure service to choose if you want to hide your real IP. It’s free, run by volunteers, but it doesn’t let you choose your IP address location. Because of the elaborate encryption and routing process, Tor is slow compared to VPNs.

In the early days of the Internet changing IP addresses was limited to the few technically astute among us whereas today it is easily available to everyone. I hope you now have a clear understanding of what an IP address is and how you can change it to fit your purposes. For more information check out the references provided.

Reference Articles

Seeing Like a Network

Image Credit: Timo Newton-Syms

The post What is an IP Address? appeared first on Invisibler.