Making The Switch To Encrypted Emails

This past February a US judge ordered Microsoft, an American-based tech company, to honor the search warrants of American law enforcement agencies requiring the company to hand over any/all data, emails and the like which the company stores on servers located overseas. The ruling came in direct contradiction to a previous ruling from a Federal Appeals Court in August of 2016, which upheld a US Circuit court ruling from July 2016, prohibiting the US Government from seizing data stored on servers located outside of US borders.

The principle behind this case is very simple to understand: does the United States Government have the right to demand that foreign businesses located outside of the United States hand over their records to the United States Government if that company happens to do business with a US citizen? In other words, are foreign nations forced to abide by US law and comply with all US-based legal requests? Well, according to the most recent ruling, as of February 2017, at least as far as US courts are concerned, the answer is “yes.”

What Other “Authority” Does The US Government Have?

Let’s use the world’s most popular email service provider as a quick example – Gmail. Quite literally, everything you do on your Gmail account is accessible by Google at any given moment in time. After all, you are using their service. If the US Government ever wants to see your account or any of the information on it, then all they have to do is pull up the file of a generic document, insert your name on top of it, print it out and just like that they magically have a “subpoena” to obtain all of your information from Google.

Despite how simple of a process this is, it is all groundbreaking stuff too. Believe it or not, it was not until May 2016 that the US government even needed to get a warrant or legal document of any kind to search through all of your personal emails. Don’t believe me?

Read More – Email Privacy Act of 2016: https://www.congress.gov/bill/114th-congress/house-bill/699

For you international folk out there, the news isn’t much better. You see, the US Government has its own private court known as a FISC court which, historically speaking, blindly grants “99.96%” of all warrant requests brought in front of it – but who’s counting, right?

With that out of the way, all of the information above only goes to show how easy it is for the US Government to go about obtaining all your data “legally.” But as I think we are all aware by now, agencies like the NSA or CIA do not necessarily care about US law and have the very real authority to act outside of it – #PatriotAct. To be fair, this does not necessarily mean that someone working for the US Government is literally watching/reading every single email you write every minute of the day, but they theoretically could be if/whenever they wanted to.

To that very point, early in 2016 Google came out with a press release addressing how “state-sponsored hackers” had breached over 1 million Gmail accounts over the course of that year. This was also not an isolated incident and it’s not just Google which has been targeted by these types of breaches. Literally hundreds of millions of Yahoo and Hotmail accounts have also been exposed over the years.

Read More – 3 Billion Yahoo User Accounts Hacked, Including 500 Million Email Addresses: http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html

So far I have only addressed how easy it is for the US Government and/or law enforcement agencies to access all of your personal accounts/information; this does not even account for all of the non-Government organizations or hackers out there or oppressive regimes located in countries all over the world. In fact, I am willing to bet that at least 95% of all hackers worldwide are non-Government affiliated. Moreover, Hillary Clinton, the DNC, CIA, John Brennan and John Podesta should all serve as evidence for just how easy it can be for hackers to compromise anyone’s email account if they really want to – even some of the most powerful people in society.

Quite frankly, there is a reason why politicians and members of the Armed Forces are told never to use their own personal or private email accounts, because none of these services are properly protected or encrypted! While members of the Government and Armed Forces use their own private versions of encrypted email services which are NOT open or available to the public sector, thankfully, there are a number of free and paid email encryption services out there open to the general public.

For Example:

Mailfence

Mailfence is a relatively new company globally, but one which I have already placed at the top of all encrypted email service providers. Mailfence operates their servers out of Belgium, a country internationally renowned for having some of the strongest and most resolute privacy laws in the world. Unlike the United States, every surveillance request or request for information inside Belgium, including on Mailfence’s servers, must be legally brought in front of a Belgian judge and proven in court as legitimate. In this way Belgium protects user data and business confidentiality in a way that no other country in the world does.

Sign Up/Create an Account Here: https://mailfence.com

ProtonMail

This email service provider offers free end-to-end encryption and hosts its servers in Switzerland, outside of US jurisdiction – theoretically. When signing up, at no point in time are you asked for any personal information and you do not need to attach any other email accounts or phone numbers in order to register. This service also utilizes 2-factor authentication to log in, preventing hacking attempts. ProtonMail has also partnered with humanitarian organizations around the world, such as Amnesty International, in order to help fight back against Government surveillance and cyber censorship in developing countries around the world.

On a lighter note, if you are a fan of the Television drama “Mr. Robot” this is Elliot’s email provider of choice on the show.

Sign Up/Create an Account Here: https://protonmail.com/

Tutanota

This is another free encrypted email service that has become quite popular in recent times. In fact, earlier in 2016 Tutanota officially surpassed 1 million accounts – becoming the world’s largest encrypted email service provider. In 2017, Tutanota then went on to surpass 2 million accounts, furthering the company’s rock-solid reputation as an industry leader.

What makes Tutanota unique is that the company makes their source code “open source,” meaning that security researchers can investigate for themselves the level of encryption they are receiving. For all you n00bs out there, making your source code public record and still not having it hacked proves just how good the code really is.

Sign Up/Create an Account Here: https://tutanota.com/

Tutorial: Learning How To Write & Remember Un-Hackable Passwords

Before we begin, why should learning how to write strong passwords be of much more importance to you? Believe it or not, it is a statistical fact that more people are hacked as a result of weak passwords than any other single factor. This is also why encryption – aka passwords – should be much more important to you. With that said, learning how to read, write and remember strong passwords is not nearly as hard or complicated as people might think; in fact, it is rather easy once you understand the core concepts.

Lesson 1 – Password Length:

To unlock someone’s password, “law enforcement authorities” and/or “hackers” will either run something known as a “Brute Force Attack” or “Dictionary Attack” against it, in an attempt to break or de-crypt the numbers, letters and symbols contained within the password itself. One by one over time, these software programs will slowly decrypt the password, just like cracking the numbers to open a vault or safe.

Quite simply, the more complicated/randomized the sequence of numbers, letters and symbols in your password is, and the longer the password is, the longer it takes hackers to break. Moreover, each letter, number or symbol you add on to the end of your password literally makes it exponentially harder for even the most sophisticated programs to crack. For example, here are estimates from the FBI regarding how long it takes them to crack lengthier encrypted passwords.

  • seven-digit passcodes will take up to 9.2 days, and on average 4.6 days, to crack
  • eight-digit passcodes will take up to three months, and on average 46 days, to crack
  • nine-digit passcodes will take up to 2.5 years, and on average 1.2 years, to crack
  • 10-digit passcodes will take up to 25 years, and on average 12.6 years, to crack
  • 11-digit passcodes will take up to 253 years, and on average 127 years, to crack
  • 12-digit passcodes will take up to 2,536 years, and on average 1,268 years, to crack
  • 13-digit passcodes will take up to 25,367 years, and on average 12,683 years, to crack

Lesson 2: LEET or “1337” Language:

L33t Language is a way of replacing letters with numbers and symbols in everyday sentences and it is perhaps the most basic form of encoding used to encrypt messages. To understand how it works, here are some quick examples:

Normal Statement v 1337 Version:

BankruptMedi4 – 84nkru97M3di4
TheDailyProletariat – 7h3D@i1y9r0L37@Ri@7
Elitepassword – 31it3p4$$w0rd
Activism – 4ctivi$m
Encryption – 3ncry9ti0n
Brian Dunn – 8ri4nDunn

It doesn’t necessarily have to be that complicated and you don’t necessarily have to replace as many letters with numbers and symbols; those are just examples of how it works. You can run any attack your little heart desires at “84nkru97M3di4” or “7h3D@i1y9r0L37@Ri@7” all day long, go ahead – have fun. To make the password even stronger, mix in capitalized and un-capitalized letters throughout.

I think I have explained the concept easily enough? To make an un-hackable password simply take a name, phrase, short sentence – et cetera – that is personal to you and convert it into l33t language, then use that as your new password. Not only will it be impossible to break, but it should be fairly easy for you to remember. And as always, use two-factor authentication whenever possible.
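A defender-side check for Lessons 1 and 2, added here as an example and not part of the original article: it estimates the brute-force search space from a password's length and character classes, then undoes the l33t substitutions and tests the result against a word blocklist. The 0.08 seconds per guess is an assumption, chosen because it reproduces the FBI figures quoted in Lesson 1; the blocklist contents and all function names are constructed for illustration.

```python
"""Password audit sketch: brute-force search space plus a l33t-aware blocklist check."""
from itertools import islice, product
import string

# Assumption: 0.08 s per guess. The article states no rate; this value
# reproduces its figures (10**13 guesses * 0.08 s is about 25,367 years).
SECONDS_PER_GUESS = 0.08
SECONDS_PER_YEAR = 365 * 24 * 3600

# Substitutions taken from the article's own examples; "1" can mean i or l.
LEET = {"4": "a", "@": "a", "8": "b", "3": "e", "1": "il",
        "0": "o", "9": "p", "$": "s", "7": "t"}

# Constructed sample blocklist; a real check would load a large wordlist.
BLOCKLIST = {"elite", "password", "activism", "encryption",
             "bankrupt", "media", "the", "daily", "proletariat"}


def alphabet_size(password):
    """Size of the character pool implied by the classes the password uses."""
    pools = (string.digits, string.ascii_lowercase,
             string.ascii_uppercase, string.punctuation)
    return sum(len(pool) for pool in pools
               if any(c in pool for c in password))


def worst_case_years(length, alphabet):
    """Years needed to try every string of this length over this alphabet."""
    return alphabet ** length * SECONDS_PER_GUESS / SECONDS_PER_YEAR


def deleet(password, limit=64):
    """Plain-text readings of a l33t string, lower-cased and capped at `limit`."""
    options = [LEET.get(c, c) for c in password.lower()]
    return ["".join(combo) for combo in islice(product(*options), limit)]


def split_into_words(text, words=BLOCKLIST):
    """Return blocklist words that tile `text` exactly, or None if none do."""
    covered = {0: []}  # position -> words covering text[:position]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in covered and text[start:end] in words:
                covered[end] = covered[start] + [text[start:end]]
                break
    return covered.get(len(text))


def audit(password):
    """Report the brute-force estimate next to any dictionary reading found."""
    alphabet = alphabet_size(password)
    words = None
    for reading in deleet(password):
        words = split_into_words(reading)
        if words:
            break
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bruteforce_years": worst_case_years(len(password), alphabet),
        "dictionary_words": words or None,
    }


if __name__ == "__main__":
    # Numeric passcodes, as in the Lesson 1 list.
    for digits in range(7, 14):
        print(digits, "digits:", round(worst_case_years(digits, 10), 3), "years max")
    # Two of the article's l33t examples and one constructed random password.
    for candidate in ("31it3p4$$w0rd", "7h3D@i1y9r0L37@Ri@7", "q7#Vx2!mLp9&Zt"):
        print(candidate, audit(candidate))
```

A password that comes back with a non-empty `dictionary_words` list is made of known words behind predictable substitutions, so its `bruteforce_years` figure overstates its strength and a password policy should reject it.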

Lesson 3: Two-Factor Authentication

I’ve always understood that 2-Factor Authentication (2FA) is a concept lost on most “normal people” in society right now, but a new statistic really puts it all into perspective. This would be the news that, according to Google’s own statistics, less than 10% of all Gmail or Google business owners currently have enabled 2-Factor Authentication for their online accounts. Considering that Google is estimated to host well over 2 billion accounts globally, this means that there are over 2 billion insecure accounts floating around the internet right now – and that’s just from Google alone!

This is not to mention the fact that there are literally billions of email addresses, along with their passwords, currently available on the Deep Web and DarkNet for search. For example, there are single websites around the internet that are currently selling the login credentials of 1.4 billion people, and if any one of those people simply enabled 2-factor authentication for their accounts, all the information stored on those sites would become utterly useless.

Responding to the news last week, Grzegorz Milka, a Google software engineer, said that the company’s latest statistics “demonstrates the lack of awareness of cyber threats and the way to mitigate them,” adding that he believes more people don’t or haven’t “configured 2-Factor Authentication for their accounts” because “many users believe 2FA can make their experience worse,” or at least more of a hassle. To do everything they could to mitigate the problem from their end, Google also took the occasion/platform to release a 2-Factor Authentication tutorial of their own, imploring Google users to immediately begin securing their accounts in this way.

Google 2FA Tutorial: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome

As for what 2-Factor Authentication is, does or means, it’s not nearly as complex or complicated as people think. In fact, it only adds about 10 seconds to the amount of time it already takes you to log into your accounts anyways. Essentially, as soon as you type in your password and press enter you will receive a text message on your phone, which will have a short code for you to type in. Without that secondary code no one is allowed to login, even you. That’s it – literally. That’s the amount of “hassle” it will take you to begin practicing strong cyber security in the future. Again, despite the simplicity of it all, less than ten percent of people in society have taken this step.
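The login flow described above, sketched from the server's side as an added example (not code from the original article or from Google): a correct password only triggers a text-message code, and the session opens only when that code comes back. The class name, the 5-minute code lifetime, the 3-attempt limit and the `send_sms` hook are assumptions; the phone number and passwords in the demo are constructed.

```python
"""Two-step login sketch: password first, then a one-time code sent by text."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 3    # assumed: wrong guesses allowed per code


class TwoStepLogin:
    def __init__(self, send_sms):
        self.send_sms = send_sms  # hypothetical hook: callable(phone, text)
        self.users = {}           # name -> (salt, password_hash, phone)
        self.pending = {}         # name -> [code, expires_at, attempts_left]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, name, password, phone):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._hash(password, salt), phone)

    def submit_password(self, name, password, now=None):
        """Step 1: a correct password sends a code; it never logs anyone in."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None:
            return False
        salt, stored_hash, phone = user
        if not hmac.compare_digest(self._hash(password, salt), stored_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # six random digits
        self.pending[name] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def submit_code(self, name, code, now=None):
        """Step 2: only the unexpired, unused code from step 1 opens a session."""
        now = time.time() if now is None else now
        entry = self.pending.get(name)
        if entry is None:
            return False
        stored, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[name]   # expired or guessed too often
            return False
        entry[2] -= 1
        if hmac.compare_digest(stored.encode(), code.encode()):
            del self.pending[name]   # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []  # stands in for the phone that receives the text
    service = TwoStepLogin(lambda phone, text: outbox.append((phone, text)))
    service.register("alice", "constructed-demo-password", "+15550100")

    # Someone who knows the password but does not hold the phone stops here.
    print("password accepted:", service.submit_password("alice", "constructed-demo-password"))
    print("guessed code accepted:", service.submit_code("alice", "not-it"))

    # The account owner reads the code from the text message.
    code = outbox[-1][1].split()[-1]
    print("real code accepted:", service.submit_code("alice", code))
```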

2-Factor Authentication should be available for nearly every App or account you own, and you can find/enable it by searching for it in your account(s) settings. As I also once explained in a different article on this subject earlier last year, even if someone already knows your password, “close to 100% of hackers will be prevented from successfully hacking into your social media accounts if you simply enable 2-Factor Authentication” for them – and I still believe this holds true today.

Interestingly/Coincidentally Enough?

As I was in the process of writing this article I got a text message informing me of new log in codes to verify, because someone had somehow managed to brute-force their way past my password – which no one has ever been able to do before. Put another way, my site was literally saved from being hacked/hijacked by malicious cyber actors, all because I once enabled 2-factor authentication on my account(s) months ago. To put the importance of 2-Factor Authentication into focus, I’ve invested thousands upon thousands of hours of my personal time into this website, and it took me less than one minute to turn on and verify 2-Factor Authentication for it – certainly worth the time/effort!

Online Tutorial: Phone Security

1.) Encryption

Encrypt your entire Operating System (OS). Phone encryption is the first line of defense for whichever phone you happen to use, ensuring that no one can even so much as turn on your device without the proper credentials. It is important to understand that encrypting your phone and setting a screen lock for it are not the same thing. It is also important to understand that, depending on the type of phone you have and who manufactured it, screen locks can be bypassed by 3rd parties – such as hackers – as well as through different back-doors found within various software applications/programs you’ve installed on it. Encrypting your phone on the other hand encrypts your entire operating system all at once, requiring password authentication for the phone to even boot up and power on in the first place – ensuring that no App, program or file can be exploited or corrupted to gain full access to your phone.

Depending on what type of phone you have, your settings might come with a built-in feature allowing you to encrypt individual Apps. If not, you can install a firewall application for that – more on this later on in the article. If you are unfamiliar with where to find your phone’s encryption options, they are available in the “security” section under the main settings menu. Please note that it can take an hour or more to fully encrypt your phone, so it’s important to always begin with a fully charged battery.

Select an appropriate screen lock. Screen locks are a different form of encryption in a sense, ensuring that no one can use/operate your phone when you lose it, are away from it or leave it out in public. As far as how you set it up, there are 4 different options to choose from – each one having its pros and cons.

  • Password Lock. Users will be required to enter a unique password consisting of letters, numbers and symbols to unlock your device. Personally, I believe password protection to be by far the most secure of all options. However, for the same reason, it could be considered the most “inconvenient,” because it requires the most amount of time/attention to enter every time you wish to unlock your device.
  • Pin Lock. Pin locks work exactly like password protections, only they exclude letters and symbols. Meaning that users will be required to enter a pass-code of random numbers in order to unlock your phone. For the very reason that pins exclude letters and symbols, they are a little less secure than passwords, exponentially decreasing the theoretical number of guesses it would take to crack/unlock your device.
  • Pattern Lock. I am finding that this is becoming the most “trendy” screen lock these days, simply requiring users to use their fingers to “connect the dots” and draw a unique pattern on the front of their screen before it unlocks. However, I find pattern locks to be less secure than some of the other options, because there is a much higher probability of successfully drawing a random pattern to unlock a device than there is guessing an advanced password or pin.
  • Biometrics. The newest “craze” in security is using your own fingerprints, eyes, face or facial expressions to unlock different devices. However, while these options may be the most convenient and fastest, they are also by far the least secure. I say this because multiple studies have proven how easy it is to trick biometric security measures, and often times the pictures off your own social media accounts are enough to bypass them.

Password/Pin protect your SIM or SSID card. It is important to understand that encrypting your operating system and setting a screen lock will do nothing to protect your data cards or memory chips; securing those is an entirely separate matter. So lastly, you are going to want to encrypt/password protect your SIM and/or SSID card. To do this simply enter into the security options within your phone’s main settings menu, find/select your memory chips and create a unique pin lock for them. This ensures that no matter where your memory chip goes or whatever phone/device it’s plugged into, no one will be allowed to access your contacts, photos, videos, messages, files or data without entering the correct pin code first.

If you would like help learning how to build strong and easy to remember passwords to encrypt your accounts/devices, please read more in the tutorial provided below.

How To Write Un-Hackable Passwords: https://roguesec.co/how-to-write-un-hackable-passwords/

2.) Firewalls

Some phones come pre-installed with various firewall options, but if yours does not then there is a sizeable number of firewall Apps to choose from. Firewalls are critically important to security because they allow users to seal off or block different Apps, limiting the possible points of entry for hackers or other 3rd parties. Depending on the type of firewall you select, you may also have the option to encrypt individual Apps on your phone, adding a 4th layer of encryption to your device while ensuring that even if someone is able to unlock it, they will not be allowed to use selected Apps without further permissions. This is particularly important/helpful if you utilize different types of chatrooms, group chats for work or VoIP services.

Perhaps most importantly, firewalls severely limit potential abuses of your phone. You can select different options to completely seal off individual Apps altogether, or seal off different settings/areas of your phone from outside sources. Not only does this prevent hackers from using selected Apps to compromise your phone, but at the same time it prevents App owners themselves and other 3rd parties from gaining access to your phone all the same. Firewalls also protect against unwarranted data collection of your phone, including call/text history and general phone usage. More importantly, building a strong firewall and sealing off selected Apps can free up memory space/data usage, both speeding up your phone and saving battery life. If there are Apps on your phone that you’ve never used a single day in your life, or you feel may be spying on you/invading your privacy, simply use your firewall to disable them altogether with the click of a button.

On a similar but side note, never blindly give every App different permissions just because they ask for them. For example, when first navigating a new phone you might find that you are regularly asked to allow different Apps to do random things, such as collect data or record audio/video. It might seem harmless, but think about it for a second. What the hell does the Google Chrome web browser possibly need to record audio for? The simple answer is it doesn’t, you are only being set up to have your phone hacked by authorities and/or law enforcement officials at a later date in time – should they ever feel the need. By checking these options and blindly granting permission to different Apps, you are secretly granting 3rd parties the permission to ‘flip the switch’ so to speak and turn your phone into a spy/recording device whenever they want. So, don’t fall for it. There is literally no need to give different developers that much permission over your phone.

3.) Manage Security Certificates

Similarly, you should seriously check out the security certificates or “Trusted Credentials” list which came pre-installed on your phone. On my Android ZTE for example, my phone was handed to me with over 100 different security certificates installed on it, some of which grant different Government agencies/offices direct root access to my phone without requiring legal documents or warrants of any kind – no exaggeration. You might not have been told about this when you bought your phone, but they are there. Just a short list of some of the organizations which have direct root access to my phone: China Financial Certification Authority, CyberTrust, Deutsche Telekom, Hellenic Academic Research Institute, HongKong Post, Japanese Government, VISA, TurkTrust, Wells Fargo, as well as countless other organizations operating under different Government umbrellas.

Thankfully though, you do have the ability to revoke these certificates/permissions if you like. Simply find where these certificates are under your settings menu and disable whichever ones you desire. Just note that disabling some of the most fundamental ones, such as those issued by your telecommunications provider, may break access to different areas of your phone – but this is always reversible.

4.) Internet Security & Antivirus

Most people are always surprised to learn that the same measures used to secure your computer can often times be transferred directly to your phone; this includes things like VPN’s and antivirus. For the purposes of this section of the article, I would like to discuss different measures you can install to help protect your phone and keep your data that much more private/secured.

  • VPN’s: I am not going to get into a breakdown of what VPN’s are and how they work, it is just important to understand that you can install and utilize a VPN connection on your phone all the same as a computer. If you already own a paid VPN account, simply install the service provider’s App on your phone and establish a new connection through it. Your IP Address and internet connection will be secured all the same, just note that the internet speed of your phone will be affected a little more significantly than a computer, simply because a phone cannot process as much information as fast as a computer can.
  • Proxy’s: It is another common misconception that you can’t utilize proxy connections or the Tor network on your phone; this is simply untrue. You can either hide your IP address and internet activity by installing the Tor App directly, or you can install something known as Orbot – developed by The Tor Project. Orbot transfers all data/network activity from your phone across various Tor relays, essentially turning the Tor network itself into a giant VPN connection/encryption setting for all of your data and every last thing you do on your phone. Unlike Tor, Orbot doesn’t just simply protect internet activity – even the App’s developers profess it to be a “full phone VPN.”
  • Re-Route DNS: Another way to protect against data spying, 3rd party abuses or intrusive hackers is to re-route your DNS through different service providers. For example, I personally route all of my network activity through Cloudflare DNS servers for added privacy and security. IBM’s Quad 9 DNS service is another good option, blocking you from gaining access to known malicious websites while preventing your device from ever becoming part of or wrapped up in a botnet. You can do your own research to find other options which may be more suitable, but another popular option is Google’s public DNS service.
  • Install Different Browsers: Just as with computers, you can choose a whole host of different browser options, many of which are far more secure and private than Google Chrome or the built in web browser found on your phone. If you would like to learn more about browsers, as well as the different/added benefits of each, please utilize the following link: https://roguesec.co/building-selecting-safer-web-browsers/
  • Antivirus: Phone antivirus programs essentially work the same as computer antivirus programs, only they are far simpler and much cheaper. A good antivirus program for your phone should cost anywhere from $2-5 per month, and will protect your phone against malicious hyperlinks, scan all downloads for viruses, as well as prevent all of the most common/basic forms of cyber attack. Some phone based antivirus service providers, such as Kaspersky Lab, also come with built in VPN connections to secure your internet activity at the same time.

5.) VoIP Services

While VoIP services are not necessarily essential for everyday phone use, they do offer critical protections for political activists, journalists, researchers and citizens living under oppressive regimes all around the world. VoIP stands for “Voice over Internet Protocol,” which is just a fancy way of saying they transport all calls and messages over established internet connections, rather than routing them through your telecommunications or phone service provider – such as AT&T or Verizon. For this reason, VoIP services prevent your data from being intercepted, recorded or stolen by telecommunications companies and other 3rd parties, such as Governments, thus protecting any information you send across them. VoIP services also offer the ability to encrypt messages or calls between like users, further protecting your privacy. By comparison, both of these options are not available on standard text messages or phone calls. In politically oppressive countries, VoIP services offer a critical means to bypass Government imposed restrictions or blockades on national telecommunications. VoIP services also let you make international calls for free.

While this might sound a bit complex or advanced, once installed, operating a VoIP connection/application is no more different or complicated than making a regular phone call or sending traditional text messages. Lastly, VoIP connections also offer a secondary means to reach contacts, should your phone lose service, go out of range or come under blackout. Rather than relying on the signal strength of your network service provider, all you need to use VoIP services is an active internet connection.

The Best/Top VoIP Service Providers:

97% of Americans Failed This Basic Cyber Security Test, Myself Included

For the first time in my life, I am actually a part of the majority. What I’m referring to are results from a new cyber security test launched by Google developers designed to see how well Americans are able to pick up on subtle security warnings/threats online. While I didn’t necessarily take the test seriously at the time and rushed through them just to see how it was structured, I did fail it nonetheless – despite writing extensive tutorials on phishing attacks, email security and website security. Maybe that explains why Rogue Security Labs doesn’t have a single customer, but who knows – right?

Conducted throughout the course of March 2019 and consisting of over 2,000 American adults over the age of 16, Google discovered that….

– Despite 55% of Americans saying they would grade themselves as A level experience in cyber security, 97% got at least one question wrong on a basic, six-question security test
– 48% of Americans say they would like to build their own websites in the future
– 45% say their websites would be designed around business, while 43% say their websites would be for hobby
– Only 20% of Americans have actually built a website at one point or another in the past
– 64% of internet users never realized they could be re-directed to a false website without their knowledge/consent simply by clicking on a link
– 42% of internet users didn’t realize there is a security difference between websites with http and https
– 29% of internet users have no idea what the “s” in https stands for, never mind look for it

See Full Results & Take The Test: https://safe.page/survey

Understanding The Mystery Surrounding Julian Assange’s Encrypted Torrent File

Over the course of the last few days I’ve been picking up on a lot of “chatter” surrounding a so-called “Deadman’s Switch” affiliated to Julian Assange’s website and social platform. Before moving forward, for those of you who do not know what this means, a deadman’s switch is a protection that hackers use to protect valuable information in the event of their deaths, arrests or disappearances. It works by encrypting a given set of data on a time switch. It’s simple really, if a code is not entered in before the time allotted expires, the encrypted data is automatically unlocked, decrypted and/or published online for the world to see. It is a sort of insurance that hackers employ to secure themselves and their persons.

To be honest, I first heard of this Thursday night – but essentially brushed it off as nothing more than nonsense. However, it wasn’t until last night that I came to understand Assange’s deadman’s switch is actually a real thing. If you need proof of this fact as I did, then go back and revisit a Wikileaks posting from June 3rd 2016 entitled “Protection for upcoming publications. TORRENT Wikileaks Insurance (88GB Encrypted).”

Upon further investigation, it appears as though the torrent contains bits and pieces of information left out of previous leaks dating back to and including Chelsea Manning’s leaks from the US Army in 2010. Apparently, the now 88GB of data either contains information too sensitive to responsibly leak online, or compilations of random data that were never important enough to leak online in the first place – and theoretically everything in between. As no one but Assange knows for sure though, it’s anyone’s guess at this point – really. However, considering that Assange has stated that he has seen information too dangerous for him to leak online in the past, including information implicating the Kremlin, I would be willing to bet the information contained within the torrent file is much more dangerous to the world than not. Consequently, this would also explain why Assange has been holding the file over everyone’s head as insurance for so long.

With that established, no one knows for sure when the deadman’s switch will finally flip – but some are speculating that the decryption key could be posted online any day/minute now. For the time being, if you would like to own the encrypted data so that it may be unlocked whenever the time is necessary, you are invited to download the file below. Enjoy!

Download Wikileaks Encrypted Torrent File: https://file.wikileaks.org/torrent/2016-06-03_insurance.aes256.torrent

Russia Aims To Create Backup To The World-Wide-Web, Create Its Own National Internet Infrastructure

Back in November 2016 I remember writing a story covering the Russian Federation’s decision to abandon all Microsoft products for Government use going forward. The decision was made on the heels of the now infamous FBI v Apple encryption case earlier that year, which set legal precedent allowing the US Government to compromise any and all electronic devices produced by US-based companies – mandating software backdoors to undermine encryption rights. At the time, Dmitry Peskov, a Kremlin spokesperson, described making the switch away from Microsoft as “a matter of National security,” explaining how “it is believed that Microsoft products could be used to hide secret bugs or back-doors in their systems” that could be used to spy on its users. Considering that nearly all Government systems in Russia ran on Microsoft products at the time, this made swapping them out a top priority for Vladimir Putin and the Kremlin.

Russia was also not the first country to arrive at this conclusion. Dating back to 2014, following the release of leaked documents from former NSA contractor Edward Snowden, Microsoft products have been banned for Government use inside China just as well. Perhaps most importantly, at least for the purposes of this article, was Russia’s plan to go about replacing Microsoft products in the future by creating an entirely new system of computing based on Russian coding (software), hardware and product development. The goal was to essentially create an entirely new computer model sourced domestically, exclusively from Russian developers/programmers. This would ensure that no other country in the world would have access to their systems, or be able to replicate their design – creating truly unique systems specifically designed for the Russian Government.

I bring this up because earlier this week I came across a new bill being proposed in Russia, attempting to create an entirely new backup system to the global “World Wide Web.” In some ways, think of it much like creating a modern or 21st century version of Minitel, only exclusive to Russia.

Given the current state of both Cyber and Informational warfare being waged across the planet in 2018, Russian lawmakers fear that rival countries may one day soon attempt to cut off, limit or restrict Russia’s access to the World-Wide-Web. As a result, Russian lawmakers feel as though it is paramount to begin creating a backup or emergency plan of action should this ever occur.

With this in mind, as was reported by Russia Today on December 14th 2018, “Russian lawmakers have introduced legislation designed to reduce the country’s internet resources’ dependence on foreign infrastructure,” explaining how “the main goal is to significantly decrease dependence of the Russian internet sector on foreign infrastructure by setting up national groundwork to keep Russia’s internet functional, even if servers abroad become unavailable for any reason,” and adding that, among other things, this will also entail “the creation of an entirely new system of national domain names.”

“We’re not creating our own internet. We’re just setting up a backup infrastructure. We’re duplicating it locally, so that our citizens would have access to the internet in case of any emergency,” Duma deputy Andrey Lugovoy explained. To date the proposed initiative has been given full backing by Russia’s Ministry of Communications, though it remains unclear if/when the bill will eventually be passed into law. Moreover, according to Oleg Ivanov, deputy Minister of Communications, even if the bill was approved it would still “take several” years to build the necessary infrastructure to pull it off, and there is currently no “realistic time-frame” for how long this would take – merely indicating that this initiative is part of a much broader, long term vision for the country.

Lastly, the proposed bill calls for the entirety of Russia’s cyberspace to come under the centralized governance/command of Roskomnadzor – the country’s top telecommunications watchdog. To make everything work, the legislation also proposes mandates on all Russian based Internet Service Providers (ISPs), requiring them to set up equipment with the ability to detect and trace the source of any internet traffic so as to better monitor and defend against cyber based attacks from abroad in the future.

Legislation Submitted to State Duma: http://sozd.duma.gov.ru/bill/608767-7

Full Text of Bill: https://roguemedia.co/wp-content/uploads/2018/12/138234916.pdf

Online Activists Begin Spreading Around #OpFrance Care Package 2018

In response to the recent wave of protestors taking to the streets in participation with the #YellowVest movement and in support for those partaking in #GiletesJaunes online, similar in nature to the #OpISIS care package of 2016, online activists working in coordination with Anonymous have begun circulating an #OpFrance care package throughout the course of this week. Found below, the care package instructs internet users how to keep a safe, secure and private identity online, along with instructions on how to go about doing so.

The care package itself is rather straightforward in nature, but in its spirit I too will release some more information on how to secure yourself online.

OpFrance Care Package: https://pastebin.com/hrTA8UKK
How To Keep an Anonymous Identity Online: https://anonhq.com/anonymous-security-guide-2-0/
Cyber Security Tutorials: https://roguesecuritylabs.ltd/online-tutorials/

https://twitter.com/yellowvestanons/status/1072798051914403840?s=19

Dutch Authorities Seize Encrypted IronChat Servers, Arrest Owners

Earlier this year I wrote an article explaining why country of origin is particularly important when either installing a security service or buying security products from an international company. In it, I explain how the Netherlands has recently lost the respect/trust of the cyber security community, essentially doing a complete 180 on their stance towards the cyber security industry over the course of the last 3 years – drastically cutting down on internet privacy/security companies operating out of their country. This includes the closing of Ghostmail servers in 2015 and the raiding/confiscation of servers belonging to Dutch VPN service providers in 2016.

Imagine my surprise then when I came across another headline this morning explaining how Dutch authorities have once again raided/confiscated the private servers of another security based company – IronChat. In a press release made available to the public on November 6th 2018, Dutch authorities announced that they had arrested “a 46-year-old man from Lingewaard, and his partner, a 52-year-old man from Boxtel,” explaining how police have already been able to decrypt the data, giving them access to over 258,000 chat messages sent across the server – revealing countless illegal activities and opening the door to numerous new investigations in the future.

For example, about the arrests in question, according to Aart Garssen, Head of the Regional Investigation Service in the Eastern Netherlands, “we rolled up a drug lab in Enschede. We have also found more than € 90,000 in cash in various campaigns, automatic weapons and large quantities of hard drugs (including MDMA and cocaine). In addition, we received an imminent retaliatory action in the criminal circuit of Twente. Four arrests have been made this morning. This brings the total number of arrests today to 14.” This is also just the tip of the iceberg; police have already indicated that the data uncovered today is only going to be “used to start new criminal investigations.”

Unfortunately, there is no justifying the behavior of IronChat, their owners or what they used their encrypted service/servers for. As an outspoken and self-proclaimed “privacy hawk,” it is just unfortunate to see another group of thugs soil the industry’s reputation. It only serves to undermine the trust of legitimate privacy/security companies trying to make a name for ourselves and do the right thing. Needless to say though, IronChat’s website and servers have been taken offline, and will remain offline permanently.

Fact-Sheet Prepared by Dutch Police: https://roguemedia.co/wp-content/uploads/2018/11/Netherlands.pdf

EFF Suing San Bernardino County Over Stingray Records

Earlier this week, on October 23rd 2015, the Electronic Frontier Foundation (EFF) filed a lawsuit against San Bernardino County over their prevalent use of Stingrays over the course of the last 4 years. More specifically, the EFF is demanding the release of Stingray warrants, the date range of the searches, the nature of their investigations, which items were to be searched for, as well as any other relevant data that was targeted or obtained as a result of these searches. According to California State Law, such information is supposed to be considered “public record,” but the EFF is alleging that the San Bernardino Sheriff’s office has failed to adequately release these records to the public.

For anyone who might not be aware, Stingrays work by mimicking cell phone towers in order to intercept, record and store telecommunications data. Once deployed, every cell phone call or text message sent within a given range is picked up and recorded, before the data is downloaded and transported for analysis. It is important to understand that there is theoretically no limit on the number of people who can be compromised or recorded by Stingrays once deployed, which is exactly why their use for law enforcement is considered so controversial. For example, even if police use a Stingray warrant for one individual, the data of every single person in that town or county will be intercepted along with that one person. For this very reason, multiple US courts around the country have declared Stingray use illegal and unconstitutional. This is important to understand because many people in this country believe that the San Bernardino County office, and countless other law enforcement agencies like them, are grossly overusing these devices. For example, San Bernardino police officers have deployed Stingrays approximately 303 times between the dates of January 1, 2014 and May 7, 2015 – all without seeking a warrant.

It should also be noted that San Bernardino has a particularly bad track record when it comes to illegal data interception and hacking devices without warrants. As you might remember, it was this same San Bernardino police office, along with the US Federal Bureau of Investigation, which found itself in a court case with Apple after the company refused to decrypt their device. As history would have it, San Bernardino and the FBI eventually did win the case, setting precedent to make it illegal for any US based company to fully encrypt any devices they produce without offering a decryption key or backdoor for law enforcement authorities/the US Government. However, it should also be noted that well before this case finally concluded, the FBI paid Cellebrite, an Israel based tech firm, one million dollars to illegally hack Apple’s iOS encryption.

EFF’s Lawsuit Against San Bernardino County: https://roguemedia.co/wp-content/uploads/2018/10/Eff-v-San-Bernadino-Petition-for-Writ-of-Mandate.pdf

Tech Review: Mailfence Encrypted Email

In my line of work, secure, private and encrypted emails are becoming an everyday necessity, especially these days. While the major players in the game remain ProtonMail and Tutanota, earlier this year I learned of a new up and coming provider operating out of Belgium – Mailfence – and decided to test the service out for myself. Here’s what I learned, and why I now run my business through their servers.

Customer Service

The first thing to catch my attention about Mailfence was their responsiveness to customer service inquiries, even on social media and when dealing with free account holders. For example, even whilst hosting a free account on their service I received messages back from customer support within 24 hours. Not only this, but their social media channels remain open to the public and are very responsive to messages. By comparison, other email service providers do not have any open lines of communication through social media, and most will only provide support to paying customers.

Accounts & Plans

Mailfence offers a wide range of account services including free, entry, pro and business level plans. If you would like to learn more about each individual plan, as well as the added costs/benefits between them, please utilize the following link.

View All Plans Here: https://mailfence.com/#register

Even though the company operates out of Belgium, they do accept payments through foreign currency, including the American dollar, and perform the currency exchange on their end. This is important to understand because not every European based company is willing to do this. For example, in 2014 I was unable to register for Perfect Privacy VPN out of the Netherlands due to their reluctance to accept anything other than Euros. Perhaps most notably, even after submitting my debit card for payment, Mailfence enacted a delay on processing the payment in order to review my account/purchase – clearly indicating that the company isn’t just after some quick cash grab, but instead has a set of moral standards in place governing what they do and who they do business with. I know, imagine that – right?

Additionally, each Mailfence email address comes with built in data storage, acting as a de facto Cloud storage account for all your important documents. Personally, I keep all of my most important documentation backed up through Mailfence. By comparison, I refuse to keep this sort of information stored on any other data hosting platform – especially Google.

Data Servers & Security

Mailfence’s largest claim to fame, and what separates them from their competition, is the fact that the company hosts their data servers in and operates their business out of Belgium, which is known to have literally THE strictest privacy laws of any country in the world. Not only this, but Mailfence also goes out of its way to protect its website using TLS and SSL certificates which ensure that “no American certification authority is involved in the certification chain” – something I have personally never even seen before. Their site also enforces HSTS security headers and features state of the art encryption on all messages – more on that later on.

Data servers and country of origin are important to understand. As I have pointed out in a previous article on this subject, different countries have different laws when it comes to data storage and business/customer confidentiality. Moreover, while countries like Switzerland would have you believe they hold the most secured privacy laws due to their world-renowned banking system, this just simply isn’t the case when it comes to cyber security. For example, ProtonMail tries to bank on Switzerland’s historic reputation, but ProtonMail was developed in part by researchers at the Massachusetts Institute of Technology (MIT) and their relationship to/with the NSA and US Government is more than just rumor at this point. The fact of the matter is that, at the present moment in time, Belgium does more to protect customer privacy and data confidentiality than any other country in the world – period, end of story.


Encryption Measures are Second To None

While there is a lot of competition out there on the encrypted email market these days, I have not seen one company offer more options to encrypt individual emails than Mailfence now does. For example, not only does Mailfence offer end-to-end encryption for all of its users, but the service also allows its users to create digital signatures, and implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – preventing email forging and ensuring all emails attached to your domain/account are exclusively sent via Mailfence servers. These are options which simply do not exist on other encrypted mail service platforms.

On top of this, Mailfence also implements two-factor authentication for all account holders using something known as “Time-based One-time Password” algorithms – also something I had never seen before. This technology ties a unique bar-code to an individual device or cell phone, ensuring that only that one device can have the means of generating a secondary code necessary for login. Combining their sign in methods with the site’s security, along with their email encryption options, from login to transit, no email company I’ve ever seen does more to protect data/privacy than Mailfence now does.

Belgium Is The Future – IMO

While Mailfence is a relatively new and upcoming name, they have already sold me and I am happy to make the investment in the future. Moreover, reading international security headlines for a living such as I do, I am noticing an increasing trend in the exploitation of encrypted email services for illegal means. For example, Tutanota accounts are behind nearly every single major ransomware related incident over the course of the last two years, and it is a general fact that all of the world’s most famous hackers and hacking groups operate through ProtonMail accounts.

Not all publicity is good publicity. The fact that nearly all major hacking and hacking related incidents are being conducted through ProtonMail and Tutanota servers is not a good look for business, and the longer this behavior continues the more likely it is that international authorities are going to compromise these services in one way or another – if they haven’t already quietly done so. As I have already pointed out, Mailfence is careful to choose who they do business with and whom they do not, which, given that they are a relatively new service globally, ensures that their reputation has not been tarnished. As a new business owner myself, I feel much more comfortable attaching my name to Mailfence than to any of its competitors.

Lastly, with the Netherlands essentially out of the privacy/security game and the pressure slowly mounting on all of these Swiss based companies, I see Belgium as the future leader of cyber security over the course of the next 5-10 years. Not only is Belgium at the literal center of the European Union, which enacted revolutionary new data privacy laws in 2018, but some of the world’s most innovative security companies are starting to emerge there. This is true of services like Mailfence and DNSBelgium, which is leading the charge towards blockchain DNS, which has the possibility of changing the course of internet history. Given the way the country structures its laws, I see several major computer or cyber security based companies either starting up in or moving to Belgium in the years to come.

Bug In WordPress Encryption Redirects Visitors To WP-Admin

Lately I’ve been struggling with the direction I want to take my website and business in general. What I mean to say is that I want as many people as possible to see and read my security tutorials, but I don’t want to simply just give away all of my advice/research for free. After-all, what is the point of even trying to start or run a business if you simply give away all of your expertise for nothing? At the same time though, I’m not sure how I can gain a foothold or start to compete if people don’t know who I am, or what I am capable of producing. Finding a happy medium between the two still eludes me.

However, my struggles in this area have also led me to accidentally uncover a major security glitch in the way that WordPress password protects (encrypts) individual site pages attached to an account owner’s domain name. For example, I’ve gone back and forth between encrypting and de-crypting all of my security tutorials for weeks now. Due to theme related issues, I now publish all “Blog Posts” as “Site Pages,” and accessing them requires password authentication – the codes to which can be obtained via email request (editor@roguesecuritylabs.ltd).

However, what I’ve since discovered is that if you encrypt/password protect a site page and enter the correct credentials as a website visitor, you are re-directed to a blank screen attached to the owner’s wp-admin dashboard – rather than the article/page URL you were trying to read/decrypt. For example, I encrypted my Securing WordPress tutorial and when you type in the correct credentials to access it – W0rd9r3$$31it3 – this is the page that appears….


^^^ I’ve tested it out, and this happens on both phones and computers, no matter which browser you use. This is not the way that password protection was designed to work, and represents a serious bug/flaw in the design of WordPress’s site security. For people who do not go through as much trouble to secure their site as I do, this flaw essentially offers a backdoor straight into a WordPress owner’s wp-admin panel. As of 9/21/2018 the bug has been reported to both WordPress Security and the Hacker One bug bounty initiative, but a patch has not been issued.

Phone Security

1.) Encryption

Encrypt your entire Operating System (OS). Phone encryption is the first line of defense for whichever phone you happen to use, ensuring that no one can even so much as turn on your device without the proper credentials. It is important to understand that encrypting your phone and setting a screen lock for it are not the same thing. It is also important to understand that, depending on the type of phone you have and who manufactured it, screen locks can be bypassed by 3rd parties – such as hackers – as well as through different backdoors found within various software applications/programs you’ve installed on it. Encrypting your phone on the other hand encrypts your entire operating system all at once, requiring password authentication for the phone to even boot up and power on in the first place – ensuring that no App, program or file can be exploited or corrupted to gain full access to your phone.

Depending on what type of phone you have, your settings might come with a built in feature allowing you to encrypt individual Apps. If not, you can install a firewall application for that – more on this later on in the article. If you are unfamiliar with where to find your phone’s encryption options, they are available in the “security” section under the main settings menu. Please note that it can take an hour or more to fully encrypt your phone, so it’s important to always begin with a fully charged battery.

Select an appropriate screen lock. Screen locks are a different form of encryption in a sense, ensuring that no one can use/operate your phone when you lose it, are away from it or leave it out in public. As far as how you set it up, there are 4 different options to choose from – each one having its pros and cons.

  • Password Lock. Users will be required to enter a unique password consisting of letters, numbers and symbols to unlock your device. Personally, I believe password protection to be by far the most secure of all options. However, for the same reason, it could be considered the most “inconvenient,” because it requires the most time/attention to enter every time you wish to unlock your device.
  • Pin Lock. Pin locks work exactly like password protections, only they exclude letters and symbols. Meaning that users will be required to enter a pass-code of random numbers in order to unlock your phone. For the very reason that pins exclude letters and symbols, they are a little less secure than passwords, exponentially decreasing the theoretical number of guesses it would take to crack/unlock your device.
  • Pattern Lock. I am finding that this is becoming the most “trendy” screen lock these days, simply requiring users to use their fingers to “connect the dots” and draw a unique pattern on the front of their screen before it unlocks. However, I find pattern locks to be less secure than some of the other options, because there is a much higher probability of successfully drawing a random pattern to unlock a device than there is guessing an advanced password or pin.
  • Biometrics. The newest “craze” in security is using your own fingerprints, eyes, face or facial expressions to unlock different devices. However, while these options may be the most convenient and fastest, they are also by far the least secure. I say this because multiple studies have proven how easy it is to trick biometric security measures, and often times the pictures off your own social media accounts are enough to bypass them.
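To put numbers on the “theoretical number of guesses” compared in the list above, this added example (not from the original article) counts every valid pattern and sets the total beside PIN and password keyspaces. It assumes an Android-style 3x3 grid with 4 to 9 dots where a stroke may not skip an unvisited dot, a password alphabet of 94 printable ASCII characters, and secrets chosen uniformly at random.

```python
import math

# Dots are numbered 0..8, row by row, on a 3x3 grid (assumed Android-style rules).


def jumped_dot(a, b):
    """Return the dot lying exactly between a and b on a straight stroke, or None."""
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None


def count_patterns(min_dots=4, max_dots=9):
    """Count valid patterns per length with a depth-first walk over the grid."""
    counts = {n: 0 for n in range(min_dots, max_dots + 1)}

    def extend(last, visited, length):
        if length >= min_dots:
            counts[length] += 1
        if length == max_dots:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # each dot can be used only once
            mid = jumped_dot(last, nxt)
            if mid is not None and not (visited & (1 << mid)):
                continue  # would jump over a dot that is not yet in the pattern
            extend(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        extend(start, 1 << start, 1)
    return counts


def keyspaces():
    """Number of possible secrets for each lock type under the stated assumptions."""
    return {
        "4-digit PIN": 10 ** 4,
        "pattern (4-9 dots)": sum(count_patterns().values()),
        "6-digit PIN": 10 ** 6,
        "8-char password (94 printable ASCII)": 94 ** 8,
    }


def report():
    """Rows of (lock type, keyspace, bits of entropy, average guesses), weakest first."""
    rows = []
    for name, size in sorted(keyspaces().items(), key=lambda kv: kv[1]):
        rows.append((name, size, round(math.log2(size), 1), (size + 1) / 2))
    return rows


if __name__ == "__main__":
    for length, n in count_patterns().items():
        print(f"{length}-dot patterns: {n}")
    for name, size, bits, avg in report():
        print(f"{name:40s} {size:>20,d}  {bits:5.1f} bits  ~{avg:,.0f} guesses on average")
```

These figures are upper bounds: they assume every pattern, PIN or password is equally likely, and human-chosen secrets are far less evenly spread.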

Password/Pin protect your SIM or SSID card. It is important to understand that encrypting your operating system and setting a screen lock will do nothing to protect your data cards or memory chips; securing those is an entirely separate matter. So lastly, you are going to want to encrypt/password protect your SIM and/or SSID card. To do this simply enter into the security options within your phone’s main settings menu, find/select your memory chips and create a unique pin lock for them. This ensures that no matter where your memory chip goes or whatever phone/device it’s plugged into, no one will be allowed to access your contacts, photos, videos, messages, files or data without entering the correct pin code first.

If you would like help learning how to build strong and easy to remember passwords to encrypt your accounts/devices, please read more in the tutorial provided below.

How To Write Un-Hackable Passwords: https://roguesec.co/how-to-write-un-hackable-passwords/

2.) Firewalls

Some phones come pre-installed with various firewall options, but if yours does not then there is a sizeable number of firewall Apps to choose from. Firewalls are critically important to security because they allow users to seal off or block different Apps, limiting the possible points of entry for hackers or other 3rd parties. Depending on the type of firewall you select, you may also have the option to encrypt individual Apps on your phone, adding a 4th layer of encryption to your device while ensuring that even if someone is able to unlock it, they will not be allowed to use selected Apps without further permissions. This is particularly important/helpful if you utilize different types of chatrooms, group chats for work or VoIP services.

Perhaps most importantly, firewalls severely limit potential abuses of your phone. You can select different options to completely seal off individual Apps altogether, or seal off different settings/areas of your phone from outside sources. Not only does this prevent hackers from using selected Apps to compromise your phone, but at the same time it prevents App owners themselves and other 3rd parties from gaining access to your phone all the same. Firewalls also protect against unwarranted data collection of your phone, including call/text history and general phone usage. More importantly, building a strong firewall and sealing off selected Apps can free up memory space/data usage, both speeding up your phone and saving battery life. If there are Apps on your phone that you’ve never used a single day in your life, or you feel may be spying on you/invading your privacy, simply use your firewall to disable them altogether with the click of a button.

On a similar but side note, never blindly give every App different permissions just because they ask for them. For example, when first navigating a new phone you might find that you are regularly asked to allow different Apps to do random things, such as collect data or record audio/video. It might seem harmless, but think about it for a second. What the hell does the Google Chrome web browser possibly need to record audio for? The simple answer is it doesn’t, you are only being set up to have your phone hacked by authorities and/or law enforcement officials at a later date in time – should they ever feel the need. By checking these options and blindly granting permission to different Apps, you are secretly granting 3rd parties the permission to ‘flip the switch’ so to speak and turn your phone into a spy/recording device whenever they want. So, don’t fall for it. There is literally no need to give different developers that much permission over your phone.

3.) Manage Security Certificates

Similarly, you should seriously check out the security certificates or “Trusted Credentials” list which came pre-installed on your phone. On my Android ZTE for example, my phone was handed to me with over 100 different security certificates installed on it, some of which grant different Government agencies/offices direct root access to my phone without requiring legal documents or warrants of any kind – no exaggeration. You might not have been told about this when you bought your phone, but they are there. Just a short list of some of the organizations which have direct root access to my phone: China Financial Certification Authority, CyberTrust, Deutsche Telekom, Hellenic Academic Research Institute, HongKong Post, Japanese Government, VISA, TurkTrust, Wells Fargo, as well as countless other organizations operating under different Government umbrellas.

Thankfully though, you do have the ability to revoke these certificates/permissions if you like. Simply find where these certificates are under your settings menu and disable whichever ones you desire. Just note that disabling some of the most fundamental ones, such as those issued by your telecommunications provider, may break access to different areas of your phone – but this is always reversible.

4.) Internet Security & Antivirus

Most people are always surprised to learn that the same measures used to secure your computer can often times be transferred directly to your phone; this includes things like VPNs and antivirus. For the purposes of this section of the article, I would like to discuss different measures you can install to help protect your phone and keep your data that much more private/secured.

  • VPN’s: I am not going to get into a breakdown of what VPN’s are and how they work, it is just important to understand that you can install and utilize a VPN connection on your phone all the same as a computer. If you already own a paid VPN account, simply install the service providers App on your phone and establish a new connection through it. Your IP Address and internet connection will be secured all the same, just note that the internet speed of your phone will be effected a little more significantly than a computer, simply because a phone can not process as much information as fast as a computer can.
  • Proxy’s: It is another common misconception that you can’t utilize proxy connections or the Tor network on your phone, this is simply untrue. You can either hide your IP address and internet activity by installing the Tor App directly, or you can install something known as Orbot – developed by The Tor Project. Orbot transfers all data/network activity from your phone across various tor relays, essentially turning the Tor network itself into a giant VPN connection/encryption setting for all of your data and every last thing you do on your phone. Unlike Tor, Orbot doesn’t just simply protect internet activity – even the Apps developers profess itself to be a “full phone VPN.”
  • Re-Route DNS: Another way to protect against data spying, 3rd party abuses or intrusive hackers is to re-route your DNS through different service providers. For example, I personally route all of my network activity through Cloudflare DNS servers for added privacy and security. IBM’s Quad 9 DNS service is another good option, blocking you from gaining access to known malicious websites while preventing your device from ever becoming part of or wrapped up in a botnet. You can do your own research to find other options which may be more suitable, but another popular option is Google’s public DNS service.
  • Install Different Browsers: Just as with computers, you can choose from a whole host of different browser options, many of which are far more secure and private than Google Chrome or the built-in web browser found on your phone. If you would like to learn more about browsers, as well as the added benefits of each, please use the following link: https://roguesec.co/building-selecting-safer-web-browsers/
  • Antivirus: Phone antivirus programs essentially work the same as computer antivirus programs, only they are far simpler and much cheaper. A good antivirus program for your phone should cost anywhere from $2-$5 per month, and will protect your phone against malicious hyperlinks, scan all downloads for viruses, and prevent all of the most common/basic forms of cyber attack. Some phone-based antivirus service providers, such as Kaspersky Lab, also come with built-in VPN connections to secure your internet activity at the same time.

5.) VoIP Services

While VoIP services are not necessarily essential for everyday phone use, they do offer critical protections for political activists, journalists, researchers and citizens living under oppressive regimes all around the world. VoIP stands for “Voice over Internet Protocol,” which is just a fancy way of saying they transport all calls and messages over established internet connections, rather than routing them through your telecommunications or phone service provider, such as AT&T or Verizon. For this reason, VoIP services prevent your data from being intercepted, recorded or stolen by telecommunications companies and other third parties, such as governments, thus protecting any information you send across them. VoIP services also offer the ability to encrypt messages or calls between like users, further protecting your privacy. By comparison, neither of these options is available on standard text messages or phone calls. In politically oppressive countries, VoIP services offer a critical means to bypass government-imposed restrictions or blockades on national telecommunications. VoIP services also let you make international calls for free.

While this might sound a bit complex or advanced, once installed, operating a VoIP connection/application is no different from, or more complicated than, making a regular phone call or sending traditional text messages. Lastly, VoIP connections also offer a secondary means to reach contacts, should your phone lose service, go out of range or come under blackout. Rather than relying on the signal strength of your network service provider, all you need to use VoIP services is an active internet connection.

The Best/Top VoIP Service Providers: