Gwebs Cryptographer

Social networking seems to be pop right now, how many people you know that they use / don’t use social network applications like Facebook, Twitter, MySpace, Orkut, XiaoNei (校内 in China), or other ones. Can you honestly say that you have never even heard of these applications ? Yeah, that’s what I thought.. These apps are integrating to our daily life, and eventually someone will ask “How we kept in touch with our friends before social networks?” Just like my friend’s kid asked me once that “What you were doing at work before internet?”. I think these questions will make people to think that how dependent they really are about technology and services.

But more interesting is that how many people really trusts into these open and free networks. Some time ago Facebook got so much publicity when they announced that all data what users have put in it will be theirs, so basically all the personal data, pictures, videos, etc. Then just a bit later, they told to users that there are no worries, that everything will be just fine. And now, hardly no-one even remembers that anymore.

It seems to be that internet is so full about different kinds of social networks and applications which are collecting users private data. And I think it will be only the matter of time when someone will steal all that data, ’cause normally these services are not having so strong security. One reason might be the money issue, although I guess nowadays quite many people will be interested to pay a bit for example the usage of Facebook, if they can be sure that all their data is secured. But on the other hand, there are plenty of users who think beforehand that what information they are willing to share and which information not. And just like Barack Obama advised kids, that be aware that once you post something into the internet, you can be sure that I will be digged up later, if it can be used against you. So maybe it will be nice to take a look for Facebook Etiquette as well, although most of these things are more or less self-evident, but I think still worth of reading through.

I read a couple of articles some days ago about privacy and security issues in social networks/webs, just like Facebook, MySpace, Twitter, and so on. (Links to the articles at the end.) These articles are mostly pointing out the same issues which I wrote above, that it’s really users own responsibility what to share and for whom to share it. So many instances are following social networks also like friends, colleagues and family, everybody you like but also quite many you maybe haven’t thought about. Like your boss, different organizations and companies, so basically if you’re planning to apply for a new job, it might be that your profile will be checked through before you will get invitation to the interview. And also talking about that in social network, might make your boss feel unease.

But that’s not everything about privacy issues, there’s also some other things to point out as well. Nowadays, it seems to be that mobile phones are getting closer to laptops and vice versa, so it’s quite normal to update social network profiles through mobile phone. And for up-to-date user it might be self-evident to have anti-virus software also in a mobile phone, but I can tell for sure that most of the users don’t have, any kind security software in their mobiles “I don’t need it, this is Just a phone”, but anyway the users are using all the same programs and applications as with computers. So, basically all the data what user is keeping in secret in his/hers computer, user will freely use in mobile, without thinking that the same “evil”-internet is waiting there as well.

The thing which I brought up the mobile phones into this also, is that what makes people think that if they use one secured system in one place, it won’t be useful, if they use same data with non-secured systems elsewhere. And this includes everything, not only social networks, but emails, contacts, files, pictures, etc.

A while ago there was news about new type of identity / private data phishing, basically there are some applications within social networks, which are collecting different kind of data from users. And then some identity thiefs have been using that data to create virtual-friends for users. So the main idea is that these virtual-friends are sharing something common with user, belonging to same groups or have same interests, then they’re sending friend requests to users. And if user will accept their request, then they will collect all data from that user, what they think is useful for them. Maybe email addresses, phone numbers, street addresses, photos, videos, etc.  So nowadays it’s really recommended for people to check what kind of information they are sharing from themselves and are they really willing to tell all their secrets or thoughts to everyone.

I personally like social networks a lot, and I like that there’s some place where I can enter almost from anywhere to check how my friends are doing and letting them know what’s up in my life as well. I haven’t paid much attention for security issues in social networks, but now after reading these articles, I might take another look for some apps properties and privacy options.

Some of you might think now, that what will be my result to solve these privacy issues, well frankly speaking there is no solution. I can only encourage everyone to think twice before posting anything to social networks,  text, comments, pictures, video, files, etc. what ever is on your mind. Sometimes you might think that with this post your friends appreciate you more or you will get publicity, but be aware that all that data will be saved somewhere and it might pop-up later, when you cannot expect it to happen.

Here are the links for the articles I mentioned earlier:
Fast Company’s article: Privacy and Security Issues in Social Networking
Computer World’s article: Protect your privacy on Facebook and Twitter

Some other articles related to this topic:
Google Warns of Privacy Issues on the Social Web
Exclusive: U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets

Security, email, personal, privacy, software application, email, Facebook, Mobile, myspace, orkut, privacy, Security, social network, software, twitter, xiaonei

Almost every week I can read news about smaller or bigger scandals about passwords or private data exposures. What’s wrong with today’s users ? Lack of common sense or are people just getting more and more stupid ? So many times I have faced these situations that someone is asking my email address and password, just for checking my address book. Or then the Microsoft Messenger trick “See who have blocked you from their MSN”. Or the one with credit card number “So many credit card numbers are exposed, check if your one is on the list”.

Come on, how easy can average user really be ?
I really think that people are getting more and more reliable on internet and all the services, but they really cannot see that there are also thiefs and other “bad people” around. So many of us are thinking that of course it’s safe, because it’s somehow related to service what user is using. But at the same time on the streets when someone is humbly asking to borrow their phone they get scared that the person will steal it or use it for illegal activities. Why this question never comes into their minds when acting in internet ?

At this time, a bit more than a week ago, Google’s Gmail and Yahoo’s Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft’s Windows Live Hotmail, according to a report by the BBC.

The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet service providers.

I assume that when people are reading these news, they are first over sensitive, maybe one week, after that paying attention what they do online and where they use their passwords, max. one month. And after this, they start acting like before. Maybe that one month they haven’t seen any progress of safety or increased privacy, so “it’s okay to continue the old style, no-one is interested about MY emails and passwords“. But this way of thinking is just that what might lead to scandals. Everyone’s email account is interesting, not necessarily the emails or the content itself, but all Your addresses, contacts, your passwords and login info for everywhere else, because still on these days normally the login infos are posted to one’s email, when starting to use new services.

And also one other thing, which I think is very important here, is that so many users used to use same passwords for different places. I know by myself, that it will be very difficult to remember all the passwords if they are just randomly made. For example 20 passwords for tools at work, 5 for your own emails, 20 for other services online (social networks, online banking, bookstores, games, etc.) And I’m not encouraging people to write them down, but just inventing some patterns to remember them or then using some other tools for securing all those passwords. I know that there are so many nice software available, which are taking care of your passwords, but for me, I don’t know can I trust them or not.

Here are links for more information about this scandal:
http://www.infoworld.com/d/security-central/gmail-and-yahoo-mail-passwords-exposed-737
http://www.techradar.com/news/internet/exposed-the-great-password-scandal-596064
http://www.computerworld.com/s/article/9139000/Gmail_Yahoo_Mail_join_Hotmail_passwords_exposed

Here is nice collection of hints and tips for boosting online security:
http://www.techradar.com/news/internet/10-easy-ways-to-boost-your-online-security-591191

Security, email, google, personal, privacy AOL, BBC, email, gmail, Hotmail, Internet Security, microsoft, MSN Live!, privacy, Yahoo! Mail

This guide will help you understand the basic facts about email security — what it is and why you need it.

What is Email Security?
On one level, email security is ensuring that your emails are secure: that is, it involves the maintenance of the basic information security concepts:

• Integrity - ensuring that your message has not had unauthorized alteration
• Confidentiality - ensuring that no unauthorized person (or process) has viewed the content
• Accountability - being able to prove who wrote the email
• Availability - ensuring that the email can be sent/received
• Non-repudiability - being able to prove that the recipient really did receive it

But more than the email itself is involved in email security. It also involves:

• Ensuring that you neither receive nor send malware hidden within the email or any attachments
• Minimizing the receipt of spam, scams, phishing expeditions and illegal content
• Ensuring that staff neither accidentally nor with malicious intent allow or send confidential, sensitive or illegal content within or outside of the company

Why do I need Email Security?

You need email security simply because failure to do so has both commercial and legal ramifications. An example that can illustrate both aspects would be infection with a highly destructive and virulent virus. Let us assume that your own systems are infected, and the virus payload is delayed but destructive: that is, you manage to infect, say, a competitor before this virus destroys your system.

The commercial implication is obvious: loss of your systems, data, records, etc. will be severely damaging if not fatal. But on the legal side, many lawyers believe that you could be held liable for any loss suffered by a third party that you infect, whether intentionally or even knowingly or not. If that third party were a competitor, then it would have little incentive not to sue the elbow off you.

And the history of internet litigation is already strewn with examples of both staff and competitors suing companies that have allowed compromising information to circulate within, or worse, to escape from, the company network.

It would be much safer to ensure your email is secure rather than risk the potential problems of insecure emails.

What do I need in Email Security?

Since so much is involved in email security, it is not surprising that you will be lucky to find everything you need in a single product. Just on the basis of the above discussion, you will need:

• Anti-virus software (to ward off viruses and worms)
• Anti-spyware software (to ward off trojans, adware and spyware)
• Anti-spam, -phishing, -scam software (to cut down on wasted staff time)
• Content security software (to make sure confidential, sensitive or illegal content is neither circulated within nor leaked from the company)
• A company email usage policy (to reduce staff misuse of the email, and give you some redress for when they do misuse it)
• And last but not least, a secure email (as opposed to email security) capability

The secure email system is possibly the hardest of all. The problem is that it inevitably involves encryption - and the only form of encryption that does not create administrative problems between the sender and the receiver is a Public Key Infrastructure (PKI). But PKI is expensive to run and administer - and gets you involved with even more requirements. For example, if you operate a PKI, then you need to consider identity management software and provisioning software. Nevertheless, if you are a large company with lots of sensitive data, then PKI is the obvious route. For single user RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) encryption method is a bit simplier and lighter to use. Quite many free encryption softwares are using RSA instead of PKI. The encryption is still “hack-proof”, which means that cracking it, it takes more than 100 years.

In particular, PKI and RSA can demonstrably provide four of the five security basics we noted at the outset of this article: integrity, confidentiality, accountability, availability, non-repudiability (availability is the one not specifically provided by PKI).

Where do I get Email Security?

If you are looking for email security software then you have a basic choice: you can look for best of breed point products in all of the above; you can look for an email security specialist that bundles different aspects within a single product or suite; or you can go for a hosted service. Or then you can just download our MailCloak-software from our company’s website (www.gwebs.com/mailcloak.html). Yes, it’s free!

Other related topics:

Encryption for Dummies
http://opsec.spaces.live.com/blog/cns!62F870188540FB1E!1097.entry

Public Key Infrastucture, PKI, encryption for dummies
http://www.networkworld.com/news/64452_05-17-1999.html

Public Key Infrastructure, PKI (Wikipedia)
http://en.wikipedia.org/wiki/Public_key_infrastructure

RSA encryption (Wikipedia)
http://en.wikipedia.org/wiki/RSA

Terminology and encryption algorithms
http://www.easeus.com/resource/encryption-algorithms.htm

Gwebs, PGP, Security, email, encryption, how to, personal, privacy email, encryption, guide, MailCloak, PKI, RSA, Security

Security issues have been at the news recently and all the time more and more things are coming up. So many people are interested about their own security, when spending time with online societies and communicating with others, but just so few people are really using any software which is offering better security. The most of these people are just waiting the easiest one to use and cheapest one to buy, the whole field of Internet security seems to be offering too many options and choices. “Do I really need this? Which one is best for me? It’s too difficult to use, isn’t it ?” These questions are common among people, who have interest but don’t know where to start.

It seems to be that the most of the people have a belief that “e-mail is pretty secured service”, and “anyway no-one is interested about my e-mails”, but in fact there are so many people who have interest for normal users’ accounts, and information. And e-mail itself, is not secured at all. Even if the user’s own computer is having anti-virus software and firewall doesn’t guarantee that outgoing or incoming messages are secured. The following table (Table 1.) shows a little comparison between postcard, e-mail, registered letter and encrypted e-mail. This kind of comparison is quite common while talking about security issues among delivering messages from person to another. In my humble opinion I think this comparison is pretty close to truth, and gives you the idea, how messages are really going “out-there”.

The following picture (Pic.1.) shows how message can change on the way and how come neither sender or receiver cannot be sure that if the message has been tampered or not, if any kind of encryption is not used. This case represents also the postcard. Posting a letter or encrypted e-mail, then the possibility that message changes on the way is decreasing significantly, it’s represented in a picture (Pic.2.).

Pic 1. Postcard / E-mail without encryption

Pic 2. Letter / E-mail with encryption

The animations above are representing the situations of sending a message via postcard and letter / or e-mail with and without encryption. In both cases sender and receiver are not aware which kind of picture the other one is seeing. They can just believe that “This is the picture the receiver will see. / This is the picture the sender wanted me to see.” So it is very difficult to prove afterwards that was the message changing on the way or not. Well, common sense says: “How about I give him/her a call and ask about this?” But are people really willing to do it after every single message? I am not. Then the whole idea about sending an email is basically useless, if it’s not sure whether the message is going through without changing on the way.

Whenever people are sending their personal information, job applications, contracts, what ever that contains any piece of personal information, like name, social security number, address, phone number, etc. Why not using encryption ? Well, at least I’m not willing to put those pieces of information to the postcard, are You ?

There was earlier a bit similar post in our blog: “The Difference Between A Stolen Mailbox and a Steel Envelope: An interview with gWebs CTO Anderson Jin.” Please check it through also!

MailCloak, Security, email, email encryption, encryption, personal comparison, email, Email Encryption, email encryption software, Email Security, encryption, letter, MailCloak, postcard

Here at Gwebs, the makers of the world’s easiest encryption software, we’ve been hard at work on a new, completely re-written and altogether better version of WebmailSafety. So much about this product has changed that we’re even changing the name!

Gwebs WebmailSafety, which offers email encryption for Webmail and desktop clients, is now called MailCloak, and with version 3.0 on the way webmail users are in for some great surprises.

Like what?

The world’s easiest encryption software just got even easier!

Here are the basic features:

• Free!
• Automatic protection for emails and attachments.
• Supports Internet Explorer、Firefox and Outlook.
• Supports Gmail, Hotmail, Live mail, AOL Mail, Yahoo mail, 126 mail, QQ mail and 163 mail.
• Auto-update keeps you secure with the latest features and bug-fixes installed as soon as they are available.
• Simplified backup.
• Automatic Key Management.
• No Adware, Spyware, or Malware.
• Easy invitations.
• Automatic draft encryption.
• Enable/Disable with a single click.
• Supports English, Simplified Chinese, Traditional Chinese and French.

Read more…

Security, email, email encryption, encryption, google, personal Email Encryption, Email Security

Facebook, if you didn’t know already, asks you for your email address and password when you create an account, or even if you don’t. It’s a highly visible link on their homepage. The stated reason is so that you can send invite letters to your contact list. And you can’t blame the peeps for trying, right? We all gots our hustle. It’s just that Facebook’s particular hustle leaves a lot of room for doubt. It could be Facebook doing exactly what they claim to do and nothing else, or it could be that the largest data mining company in the world is applying to email what Nigerian scammers have been doing with bank accounts for years.

But it’s also a royal pain in the tuches to have to invite every one of your friends to your social networking site manually, and with the importance of social networking sites to many businesses, people in fields that require a little publicity, and people who really like attention, this is a useful feature.

Which is why this article from blogger Dragon’s Flag caught our eye. It’s not just a plug for our product (although an independent testimonial to how awesome we are it certainly is), it’s also a fantastic little piece of know-how that makes you kick yourself for not thinking of it. And so here it is, translated for your edification:

On National Day (October 1st), 2007, I created a Facebook profile, and as part of the registration process, Facebook asked for my email account and password. To test if Facebook poses a threat to social networks by doing this, I gave them my password. I can hand out my password to pretty much anyone who asks for it, but can you?

My email address is dragonflag@gmail.com, and there are over 3000 emails inside. (Facebook supports most of the major services, including gmail, hotmail, live, yahoo, aol, etc.) Before uploading my password, I changed it to 123456.

I’m a longtime user of the notable Gwebs WebmailSafety software. I have more than 50 people in my address list there, and all the email we’ve sent back and forth is stored on Google’s servers is encrypted using a RSA+AES mixed cipher. I’m definitely not worried about Facebook searching or selling my email, because they can’t understand a word of it.

So after I gave my password to Facebook, those 50-odd received their invitation letters, and after 30 minutes I changed it back. Everything was alright, and now Facebook and don’t owe each other anything, nor do we have to be concerned about one another.

I also used the same method to register at the domestic (mainland Chinese) social networking site XING.com, without any apparent danger to my privacy or data. My advice when dealing with commercial web service companies like this is not to trust them lightly. Their promises to you don’t mean a thing, and it’s never a bad idea to have some basic self-protection in place.

So take my advice, especially if you’re one of those people who haven’t invited their email contacts because you’re afraid of your email being searched or revealed.

Italicized text added by translator.

Encrypting his email, we approve of, and using our product to do it, we approve of even more. But another important step he’s taken is:

Before uploading my password, I changed it to 123456…and after 30 minutes I changed it back

This is very important, because people are often predictable when they create passwords, and even if you use “rules” to create less breakable passwords and change them regularly, if someone gets a sample or two of your work, they can figure out your formula, and you’re right back where you started. Change your password to a no-brainer before giving it to someone, and change it back as soon as possible.

The best advice here, though, is not to let a company that makes its living by selling highly specialized user data to advertisers rummage through your inbox. Using Gwebs WebmailSafety; which is free, remember; or any of the other programs on the market means that your email is safe from advertisers as well as hackers.

Security, email, encryption, marketing, passwords, personal, privacy address book, data mining, email, encryption, Facebook, password guessing, privacy, XING.com

One of the reasons we (yes, it’s a we now) at the Cryptographer are in this business is because we get to laugh at the messes we ourselves will never get into. Take, for example, Guo Li, a Hangzhou lawyer whose email was inadvertently “hung out to dry” online by Baidu (China’s search giant) and WanWang (one of China’s largest hosting providers). He sued for 1,000,000RMB (around $120,000), and the results speak for themselves.

I have translated the following article specifically for this blog.

Private Emails “Hung Out to Dry” for a Month, Victim Sues Baidu for
Violation of Privacy.
8-12-2007 3:35 A.M., Beijing Morning Post
After his private emails hosted in a Baidu (百度) account were posted online for more than a month, Hangzhou lawyer Guo Li (郭力) decided to sue Baidu Inc. and email services provider WanWang (万网) for 1,000,000 yuan in damages, claiming his communication privacy rights were violated. A judgment will be issued tomorrow at the Haidian District Court on this so-called “national precedent-setting email privacy case.” Guo Li stated at the conclusion of the trial, “It’s entirely possible to look into other people’s inboxes online, I’ve searched the information myself. This won’t be the last trial of this type.”

Read more…

Security, email, encryption, government, law, personal, privacy Baidu, email, email server, Internet Security, law, lawyer, privacy, search engine, Wanwang, 万网, 晒, 海淀区, 百度, 郭力, 金道律师事务所

Today I was helping my mom setup new Gmail and AIM accounts, (now that gmail chat and AIM are linked, its essential to have an account on AIM and gmail, and to link them) and I was horrified to discover that she keeps all of her passwords, including her bank, email, credit card, web and domain hosting, and other crucial sites, in a word doc on the root of her laptop’s hard drive. AHHHHHA! What a recipe for disaster! “But what should I do?” she asked me. Her passwords are myriad, and all different (good), but she can remember none of them (bad!).

Here are several ways to keep your passwords safe (and the pitfalls):

1) Do like my mom, and keep all your passwords different, and in one “password file”, but encrypt that file with PGP, GWEBS WebmailSafety, or some other asymmetric encryption.

Pitfalls: A) You could forget your PGP password. B) You could lose your private key or your password file. C) Someone could steal your private key and your password file and guess your password. D) Someone could steal your password file and crack your private key.

Avoiding Pitfalls: A) Write down your pgp password somewhere, but don’t label it “PGP password” and keep it safe and long. B) Keep both a copy of your private key and your password file backed up and offsite, but not on someone else’s systems. C) Not likely, but again, you have to keep your password long and secure. D) Even less likely. Use a high bit rate algorithm. WebmailSafety, for example, uses 2048 bit RSA, and you would need to string together several of today’s most powerful supercomputers to crack that within your grandchildren’s life time.

2) Use a commercial password keeper, like Apple’s keychain or similar.

Pitfalls: these password keepers are only as secure as their implementations – and the user must decide which software to trust. Apparently Apple’s keychain is pretty secure, but you should always find out as much as you can about critical security software.

3) Use several passwords that you can remember, but different passwords on important or often-used sites. And never write any passwords down. For example Password A for email, password b for your online bank and password C for everything non-mission critical.

Pitfalls: The more you use a password, the less secure it is, and the more places you use, the less secure it is.

Avoiding pitfalls: For daily use and important passwords, choose long, strong, and hard to guess passwords, enter them manually and change them often. Daily use passwords are easy to remember because you are entering them all the time, and repetition breeds memories. Your non-mission critical passwords may be guessed, and if the intruder guesses one, they know them all, but again, these passwords are non mission critical, so this isn’t such a big problem.

Well, there are three solutions that I recommend. This is a big topic, so I look forward to user comments. Tell me what you do. How you keep your passwords secure, and if I missed some pitfalls, help me fill those in too!

PGP, passwords, personal, privacy encryption, IT, PGP, Security

I am in LA visiting family for a few days – flew here Sunday – and am flying back to Beijing, via Seoul, on Thursday. My grandmother died. She was 92 years old, and lived a thoroughly long and heroic life. Her funeral service today was beautiful. My stepfather, a lawyer who takes two days off a week and is studying to be a rabbi intoned a beautiful prayer, my uncle Mark, a violinist, hired a solo cellist, and that performance too was haunting. My mother, her two brothers, my grandma’s rabbi, and several others, all eulogized my grandmother, and though I have asked her and others to tell me her personal history many times, today I got the most complete version of the story.

Elizabeth (Lisl) Shapiro was born in Budapest, Hungary in 1915, at the beginning of a time of great change and disaster in Europe. Her father, an engineer, was summoned to Moscow to work on the construction of that city’s subway, and Grandma began medical school there. When Stalin arrived, they moved to Vienna, but then Hitler decided to pay a visit. Her father was interned at Dachau, but her mother found a way to get him out. At that time everyone realized it was necessary to leave Austria, but everyone in the family had been born in different countries, so getting visas together was impossible. I don’t know where everyone else went, but grandma’s uncle, my name-sake, got her a visa to come to London as a domestic servant (just in time for The Blitz) and, so the story goes, she began knitting diamonds into hollow sweater buttons to provide exiles with a means of carrying their wealth with them when they fled the Third Reich.

When grandma went to London, her brother Otto found his way to Trenton, NJ, and when the time came, he found a way to bring her over. There, she met my grandfather at a party, where he was playing violin, and the two moved to Hollywood, where my mom and my two uncles were born. They then moved to Inglewood, and there my grandma stayed until she was 90.

personal

Last Thursday when I was sitting around the Thanksgiving table with my friends and family, (and they asked me what my new job was about), I was surprised to find out that many of them didn’t know the word encryption – but they all knew what it was – and many of them had seen encryption in the movies.

First: What is Encryption?

Encryption is the mathematical process (or algorithm) of taking data and modifying it so it becomes unreadable. Decryption is the process of taking the unreadable encrypted data and running it through an algorithm that returns it to readable form.

Often encrypted data or encryption keys (passwords) will be called “code” but I don’t like to use that word because it’s vague, and has many other meanings in the computer world.

Ok, so now that we know what encryption is, (and here’s the fun part), here are some great movies that feature encryption, and may jog your memory a little more:

Sneakers (with Sidney Poitier, Robert Redford, Dan Akroyd and River Phoenix) is a movie featuring a universal encryption cracker – and the people who steal it. Obviously a box that can crack any “code” is mathematically impossible, but without it there would be no plot… and that would have been a shame cause

Sneakers was a terrific usual-suspects-esq movie.

Read more…

Security, encryption, fun, personal encryption