Gmail Can Encrypt Connections Automatically

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail – it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

  1. Always use https (select this option to use encryption)
  2. Don’t always use https

https

Pros:

  • It provides a good level of privacy, especially if you’re using someone else’s network. This is great for public networks (e.g. libraries), offices, and internet cafes.
  • It’s easy to use. Just turn it on, never think about it again.

Cons:

  • It slows Gmail down a bit (every single part of your Gmail emails needs to be encrypted then decrypted, this takes a small amount of time).

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

Legally Installed Spyware

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least  in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Iran Invaded – Malicious Emails

Some emails have been seen with headlines such as:

  • World War III has started
  • US has invaded Iran

The email looks like it has a link to a video.

bombing In the background it installs a variant of the Storm trojan, probably the most widely spread and malicious trojan to date. Your PC will then be under the control of others without your knowledge. It’s bad. Estimates vary but there are between 1 million and 10 million PCs in the world that are currently under the control of Storm.

So don’t open this email. At this time Iran has not been invaded (and hopefully no country ever will be). Delete it, and let others know.

Gmail and Yahoo Mail blocking fake eBay emails

keys Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.

TrueCrypt 6.0

TrueCrypt is an encryption program we wrote about earlier. It lets you do things like "whole disk encryption" (good for people who carry around laptops full of confidential files), and other encryption functions.

Version 6.0 came out a few days ago. It’s open source, meaning everyone is free to review the source code. It’s available for Windows (Vista, XP, 2000), Mac OS X, and Linux.

http://www.truecrypt.org/

New Gmail security feature

Gmail has a new security feature. If you log into Gmail more than once (at the same time) it now tells you. Then it’s up to you to decide if you did this intentionally or if someone has stolen your account details.

At the bottom of your inbox is a summary of the last activity and whether it’s open from another location. Then clicking on the Details link shows more details on all your connections.

630,000 Laptops Lost at Airports Each Year

Another amazing statistic – across 46 states in USA there were more than 630,000 laptop computers reported lost in the past year. That’s more than 12,000 a week. And when you consider that most people still keep documents on their laptop computer when they travel they haven’t just lost a piece of hardware, they’ve potentially lost control of private and confidential documents.

What can you do?

airport1 Laptops can be insured. Anyone who carries a laptop around for work would have it insured, it’s just a cost of doing business. Nothing new here.

As for the documents stored on them, delete them before you travel!. If this sounds extreme then you need to wake up and realise what’s happening in the world.

At many airport security checkpoints customs officers now have the authority to look at the contents of your laptop’s hard drive before they let you board the plane or enter a country. And they don’t always just "look" – sometimes they make a copy of your hard drive so they can look more closely at a later time. Is this legal? Yes, in some places (including most US airports today). Read more about this in this article.

So you now have two reasons to delete all documents from a laptop before travelling:

  1. You could lose your laptop (like 630,000 other people each year in one country alone).
  2. You could be asked to hand over your laptop’s data to customs officers.

What a lot of large organisations do these days is hand their employees "clean" laptops that have no documents on them. Employees are given VPN access, so when they arrive at their destination they can access their office network and carry on with their regular work. If you’re new to the concept of a VPN read our previous article on its benefits. Another trick is to carry your files on a USB flash drive, and hide it in your wallet or luggage. This could be encrypted as well for security, in case you lose it.

Whole disk encryption is another technology that can help you with lost laptops. Whole disk encryption makes the entire contents of the laptop useless without a password. There’s no known way to recover the data. There are still two risks with this method:

  • You need the support of your IT department to ensure your organisation can restore your data in case you lose the password. Encryption management is not difficult for IT departments. For individuals it can be a burden.
  • If customs officers insist on seeing the contents of your laptop’s files you need to hand over the password, and they get to read and even copy your files. This is legal in most western countries, it’s not enough to tell them you forgot the password.

Now if you’re thinking that your laptop needs a password to startup and that this is enough to stop people, remember that the files on your laptop’s hard drive can be copied without a password. You just need to pull out the hard drive (easy to do with laptops). Whole disk encryption is the only effective password protection for laptops.

airport2 And while we’re talking about travelling now’s a good time to remind you not to trust free or hotel wireless networks. You never know who’s monitoring the network traffic (read our previous article on this).

Read the study on lost laptops here, sponsored by Dell.

So in summary:

  • Insure your laptop to recover the cost of the hardware and software
  • Delete all files from the laptop before you travel. Use another technique to gain access to them when you arrive (either a VPN or a hidden and encrypted USB flash drive).

Windows Steady State

If you use Window XP or Windows Vista, Microsoft has a tool that could be useful to some people. It’s meant more for shared computers, or for any PC that’s at greater risk of infection.

tools What it does is fairly simple. Every time you reboot the PC, Steady State will restore it to how it was before. So no matter how many viruses, spyware and adware you end up accidentally installing. it becomes fresh and anew.

You need to install it and set it up correctly, and for most people it might be a good idea to get some advice from someone who’s IT savvy, just to make sure you take full advantage of this great tool.

Best of all is that it’s free, as long as you have a genuine Windows XP or Vista license.

While you should still be responsible with how you use a computer, what you download and which web sites you visit, this tool is great tool for certain people.

More info and a download link here.

Bluetooth Patching

blue background Microsoft has just released June’s lot of Windows patches for XP and Vista. Among the latest patches is one to fix a vulnerability in the Bluetooth stack.

If your computer uses Windows XP or Vista and it has Bluetooth then you need this patch. If your computer doesn’t automatically download and install patches you’ll need to go to Internet Explorer, go to the Tools menu and select Windows Update. Until then you should turn off Bluetooth, otherwise someone could take control of your computer.

Bluetooth has always had security problems from the start. There have been a few fixes along the way but overall it’s an insecure technology.

Technical details about this patch here.