Steganos Blog

Gabriel Yoran, founder and CEO of Steganos Software GmbH

The most surprising thing about the Anglo-American eavesdropping programs is that hardly anyone is really surprised. In February, Steganos conducted a survey of its users in which 61% said that government agencies could or would want to read their communications in any form.

“Knew that anyway”, “I’m not surprised”, “Did you expect anything else?” – these are some typical reactions from Steganos users. Outrage has been reserved for the politicians trying to take advantage of these overseas surveillance activities for their election campaigns.

Of more concern is the general disinterest: the surveillance is a long way away, I’ve got nothing to hide – and if the intelligence agencies want to, they’ll always find a way. That sounds like resignation.

But it’s totally misplaced. For 16 years, we have been fighting for attention for our admittedly brittle topic: privacy. And it’s never had such a big stage. The question as to why friends spy on each other is being discussed at the highest level. “And the paradigms are falling like flies”, is the initial explanation given by the CSU or “data protection party”. On the first day of the hearing into the future of data retention, European judges berated the representatives of systematic connection data storage: it has not been proven that such disproportionate measures really do help to solve or even prevent really serious crimes.

Julian Assange, of WikiLeaks fame, reminded us in the Guardian on Tuesday of the increase in historical significance encryption has experienced in recent years. Encryption is the only scientifically proven protection against surveillance, no matter by whom.

Our communications are recorded so shamelessly because we, the Internet users, have made it so easy for the intelligence services. We send our data in plain form over the Internet. Let’s surprise our local spying agencies by encrypting our emails and files, regardless of the software we use to do it. Dare to show that you have not given up being a citizen that fights for your right to privacy. And it only takes a few mouse clicks.

Anyone who surfs the Internet leaves a mark

Everything you do, click and download on the Internet, including your IP address, can be associated and tracked. Data collectors earn money with your surfing behaviour and hackers steal your passwords. In addition, many websites and online services are only partially usable in many countries. Users are becoming aware that the network is changing and that a shift has taken place. They are part of the World Wide Web. Content is created and shaped by them. The Internet is interactive. Anyone can communicate with anyone, whenever, anywhere. But that is where the new dangers arise. If you can find anything and everything, then in theory you yourself can be found by everyone else. A recent survey by internetworld.de shows that more than 50 percent of respondents classified public hotspots as a risk. What you are left with when surfing is a stale aftertaste and a constant feeling of insecurity.

That is nothing new! And he who has nothing to hide has nothing to fear!

This carelessness is exactly what hackers take advantage of. If you think an antivirus program and a firewall are enough to protect you and your data from the World Wide Web, you are sadly mistaken. Cyber criminals have long been able to target networks and get around their security with ease. A recent experiment we carried out showed how many insecure wireless networks there still are. This experiment is the main theme of the latest issue of “Computer Bild”.

Steganos Online Shield 365 featured on the cover of “Computer Bild”

No Risk – More Fun

Our answer to insecure wireless networks, blocked websites and hackers is the Steganos Online Shield 365 VPN software. VPN stands for Virtual Private Network. You surf through a secure tunnel via the specially secured Steganos high-speed servers. On top of that, your Internet connection is encrypted, and your data remains invisible to the eyes of others. No one can track your downloads, create a log of your surfing or earn money from your data.

A VPN has, in addition to the safety factor, two more advantages for you

Firstly, the VPN software allows you to bypass locks on the Internet, access blocked content and use services that you could not previously use from an IP address in your country. Editors of the web project OpenDataCity determined earlier this year that more than 60 percent of the 1,000 most popular music videos cannot be watched on YouTube using a German IP address. The reason for this is the dispute, ongoing since 2009, between Google’s YouTube and GEMA. Second place in the rankings for countries with the most blocked YouTube videos is South Sudan with approximately 15 percent blocked. When you surf through a VPN, you can choose to use IP addresses from different countries. This lets you bypass YouTube’s geo-blocking and use streaming services such as Hulu or Netflix, which would otherwise be possible only from America.

Secondly, a VPN gives you a different perspective on the Internet and its content. Search engine queries from Germany often provide different results than ones made using an IP address from the United States. This allows you to perform more effective research and competitive analysis. The advantage of being able to freely choose your IP address is even more evident with IP-based price segmentation. Hotels, car hire and, for example, concert tickets booked from European countries can cost up to 40 percent more. With Steganos Online Shield 365 we give you a very easy-to-use program that combines all the advantages of VPN software. It makes surfing more fun and offers a lot more options – at minimum risk.


Steganos Online Shield

We are constantly online. In the office, at home, in a café, or on the road. Briefly checking your balance, reading e-mails and the news, or posting on Facebook – we are on the Internet, anytime and anywhere.

The fact that we and our personal data are exposed to constant threats online is nothing new. Hardly anyone is foolish enough to use a PC without up-to-date anti-virus software. We are aware that an active firewall is important and that there are viruses and Trojans on the Net, which we must protect ourselves from. An anti-virus program acts like a security service and the firewall is like a door lock. When the computer becomes infected by malware, the installed virus scanner hits the alarm and tries to eliminate the malicious software. But a lock can be broken and a security service can be outsmarted.

With Steganos Online Shield 365, you now have the ability to encrypt your entire Internet connection. As a result, potential attackers are less likely to see you as a victim in the first place. You are now one step ahead of the cyber criminals, instead of blindly trusting that an attack on your data will hopefully be detected.

The dangers have changed

Anti-virus is now no longer an obstacle for hackers, data collectors and cyber criminals. These criminals have long since found ways to identify gaps in your defence and exploit them. The manufacturers of anti-virus software only respond to new developments and machinations of hackers. By the time the updates arrive, it is often too late. Your accounts could have been hacked, your credit card misused. The new Steganos Online Shield 365 protects you comprehensively and continuously on the Internet – while surfing, shopping and downloading. With only a single click you can lock out hackers and reliably encrypt your entire Internet connection, so that you do not become such an easy victim.

Steganos Online Shield encrypts your Internet connection

How does Steganos Online Shield 365 work?

With Steganos Online Shield 365 you can secure your connection at home, in the office and even in public Wi-Fi hotspots – whether you access the Internet wired or wirelessly. All entered data, such as passwords, addresses and credit card numbers, is transmitted only in encrypted form. The data flows through fast and secure external Steganos servers in Germany, Britain, France, the U.S. and Switzerland. So you can surf safely on unknown sites that may not have their own protective defences.

With Steganos Online Shield 365 you can get your own private, encrypted and anonymous connection to the Internet, directly from your computer via secure data centres. Here your unique IP address is exchanged for a random IP address from the huge Steganos stock. So your real IP address is protected from abuse. And this is not just in your browser, but also in other Internet applications, such as download programs.

The features of Steganos Online Shield 365

  • Protect your Internet connection through encryption – with just one click
  • Visit unknown websites safely – thanks to IP address protection
  • Prevent password, credit card and identity theft
  • Protect yourself from snoopers on public Wi-Fi hotspots, for example in hotels, cafes, airports or offices
  • Unlimited backup data traffic without artificial speed reduction
  • Bypass censorship and call up harmless sites that are blocked in your country
  • Fast and secure external servers in Germany, Britain, France, the U.S. and Switzerland
  • One price, no confusing pricing, no hidden costs

Breaking into other people’s Facebook profiles – easily done via smartphone

An Android phone and a freely available web app, which is normally used to test security vulnerabilities in wireless networks, are all it takes for someone to read your private emails and Facebook messages.

An employee from the Steganos server team drew the security app dSploit to our attention. The tool, which is still in the beta phase, is actually intended for IT security experts to analyse networks, simulate attacks and expose breaches in security. Supposedly anyone with a rooted Android smartphone could gain access to a WLAN. The app shows the other smartphones, tablet computers and anyone else surfing the Internet through the network. You could then supposedly read which passwords and user information are being transmitted.

That surfing in public WLANs is not safe, and that significant security risks exist for the hotspot providers, is nothing new. Years ago, the authorities and the press called for encrypted networks and the use of secure routers. There is a general impression that this advice has been heeded and any weaknesses fixed. After all, the operator of the WLAN bears all the legal risk of abuse and crime.

At Steganos we have been working for over a decade on the protection of privacy and security within the digital network. So we followed up on our colleague’s tip and tested whether a Wi-Fi could be hacked, even with something as simple as a mobile phone. First of all: it was shockingly easy.

Equipped with a notebook and a commercially available, rooted Samsung Galaxy S II, onto which we had installed the app dSploit, we went on our way from the Steganos office in the Prenzlauer Berg district of Berlin to Alexanderplatz. We decided to ask at the front desk of a hotel in the centre for a password to use the hotel’s wireless network. Although we were obviously not guests of the hotel, we were granted access by a hotel employee. We logged into the wireless network of the hotel on both our laptop and the prepared mobile phone.

The app listed our laptop, on which we had a webmail account open, alongside the laptops and smartphones of the hotel’s guests. We had direct access to this account via the mobile phone. We could read the full inbox, compose and delete emails. On the computer itself, this would not have been noticed until it was too late. As you can imagine, sending joke emails to the boss would be one of the more benign scenarios.

On the second tab, we had opened the Facebook account of a colleague. Again, we took over the session from our Android phone. Again we were able to easily read and search through all their private messages, and also to compose new messages and posts.

We could not take over any SSL-protected session from any computer that was on the hotel’s Wi-Fi at the same time.

You never know whether you are in danger

After having successfully conducted an experiment of Wi-Fi hacking in a café in Prenzlauer Berg, we failed the test on the WLAN of the Adlon Hotel, Starbucks and McDonald’s.

The reason that it was not possible for us to take over sessions in all wireless networks was the different routers.

The attack carried out using dSploit is called a “man-in-the-middle attack”. The software accesses data and passwords in transit between the computer and the router. Where a router has integrated Stateful Packet Inspection, a method that assigns transmitted data packets to their session, the attack is detected and blocked. Most current routers have this additional security for data transmission. As a user of a public WLAN, you cannot tell whether you are surfing over a secure or an insecure router. Pages with SSL encryption were also insurmountable for dSploit.
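The experiment found that only sessions without SSL could be taken over. As an added example (not part of the original post and not Steganos code), the following Python sketch checks from a site's response headers whether a login session can ever cross a shared Wi-Fi unencrypted. It assumes the session is carried in a cookie, which the post does not state; the URLs, cookie names and header blocks are constructed.

```python
"""Audit HTTP response headers for session exposure on shared networks."""
from urllib.parse import urlsplit


def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw header block."""
    headers = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon (e.g. the status line) are skipped
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute names})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name, attrs


def audit_response(url, raw_headers):
    """Return [(finding id, explanation)]; an empty list means no finding."""
    findings = []
    headers = parse_headers(raw_headers)
    if urlsplit(url).scheme.lower() != "https":
        findings.append(("transport", "page and cookies travel unencrypted"))
    elif not any(name == "strict-transport-security" for name, _ in headers):
        findings.append(("hsts", "no HSTS: a later request may still use http://"))
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(("cookie:" + cookie,
                             "no Secure attribute: also sent over http://"))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "http://webmail.example/inbox": """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly""",
    "https://social.example/home": """HTTP/1.1 200 OK
Set-Cookie: sid=xyz789; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure""",
    "https://bank.example/account": """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax""",
}

if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        results = audit_response(url, raw)
        print(url, "->", "OK" if not results else "")
        for finding_id, why in results:
            print("   ", finding_id, "-", why)
```

A clean result covers only transport exposure of the session cookie; it says nothing about other weaknesses of the site.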

How do you protect yourself?

If you surf on a public wireless network, you are putting your own data at risk. Our email accounts and our Facebook accounts are full of the most private information. Hackers steal our credit card details, so that they can shop at our expense. Criminals who obtain sensitive information can use it to blackmail us, not to mention the disgusting feeling when a stranger reads our secrets.

Our experiment has clearly shown that it is easy to get such information and that the person concerned cannot tell whether he is currently in danger or not. The hacking of private accounts could be very damaging. Now, the CeBit hotels of Hannover will be filled with fair-goers. You should definitely think twice before you go onto a site using a wireless connection to the Internet, if you are unsure whether the connection might be at risk.

One way to protect yourself ready for CeBit: use Steganos Online Shield 365.

With just one click, the software encrypts the entire Internet connection, both wired and wireless – available 05.03.2013. Data is transmitted via fast and secure external Steganos servers in Germany, Britain, France, the U.S. and Switzerland. So you can always surf safely, even on unknown sites and possibly unsafe routers that do not have the necessary safeguards.

Nothing to hide – much to fear
Steganos online survey with surprising results

Berlin-based security experts Steganos have asked 4,873 PC users

Show me your hard disc and I will tell you who you are
Personal documents, banking data, private videos: Our computer is our diary, our photo album, the cabinet and the window on the world.
Of course we do not want to leave that window open to everybody.

Nowadays, an anti-virus program alone is not enough to protect one’s digital privacy.
In addition, VPN tools are being used more often: they encrypt the user’s whole Internet connection.

“If you have nothing to hide, you have nothing to fear”
Users of VPN software are often confronted with that silly accusation, although protecting your private data is a claimed human right.

The result of an anonymous online survey, which Steganos sent to 4,873 customers, was a surprise:
Those polled were far more afraid that someone could steal their PC or notebook than of being admonished for any illegal online behaviour.

The respondents’ biggest fear was attacks by cyber criminals and hackers. They were less concerned that colleagues, superiors or family members could see what was not meant for their eyes.

Bottom line

It is surprising that the theft of one’s computer is nearly the most threatening danger, although PC users know the risk of online crime and still perceive it as the biggest threat.

Digital life and reality are one.

The respondents regard self-protection as the most important thing – and not the concealment of their own activities.


The attack on PGP, BitLocker and TrueCrypt described by the Russian developer Vladimir Katalov in his blog is in part possible due to a typical vulnerability of whole disk encryption tools. What appears to be maximum security – everything is encrypted all the time – actually is the opposite: Everything is accessible all the time (at least as long as the disk is decrypted, and obviously even in standby mode).

At Steganos, we do not offer whole disk encryption, but volume encryption, for example in our Steganos Safe or Steganos Privacy Suite products. The technology used there works in a totally different way:

How safely encrypted is your hard disk?
Source: Alchemist-hp • www.pse-mendelejew.de

1st: As Vladimir points out, “[i]t’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.”

Therefore, users of Steganos Safe or Privacy Suite open and close the encrypted volume (the “Safe”) only when they need it. There is no need to keep it open all the time.

2nd: When the computer goes into standby (or sleep/hibernation) the Safe is automatically closed. Therefore there is no way to access its contents.

It should also be said that, if an attacker does gain access to the user’s computer to run such an attack while an encrypted volume is open, the attacker could simply steal the user’s data, since at this point in time, user data is simply not encrypted.

Learnings: Whole disk encryption can be a risk, since unencrypted data is available to the user – and an attacker – all the time. Software which does not close encrypted volumes before hibernation is a problem, too (Steganos Safe and Steganos Privacy Suite are not affected by this issue).

Some might call it scandalous that the head of the World Conference on International Telecommunications (WCIT), Mohamed Nasser al Ghanim, singlehandedly pushed through the resolution that allows the ITU to handle Internet-related work in the future. He did this without a vote and without the permission of western countries. His decision was based on “a feeling in the room”, as he called it.
His resolution allows every country to justify international interventions in the country’s Internet usage.

During the last few weeks in Dubai, the ITU debated the new International Telecommunication Regulations, known as the ITR.
Internet usage was one of the points of discussion. From the get-go, there were a large number of people who doubted the new guidelines. They were afraid that Russia and China, supported by the biggest Internet providers, could enforce two main points:
monitoring data flow and changing regulations concerning what data you have to pay for.

The western states largely asserted themselves at the convention. They spoke out against limiting the Internet’s freedom and against the ITU guidelines.
U.S. Ambassador Terry Kramer said that signing the contract was impossible for the United States.
55 additional states, including Germany, took a stand against the contract and wouldn’t sign it either. Based on this overwhelming opposition, the WCIT can be considered a failure.

It remains to be seen what this means for the future.

There’s no doubt that the Internet is one of the greatest inventions of mankind. During the last 20 years, it has become the most popular way of communicating and the easiest way to find any kind of information.
Search engines such as Google, Bing and Yahoo guide us through a mountain of data. Skype, Facebook and Twitter keep us connected, anywhere and at any time. We’re able to share our opinions with a large number of people and to be at several places at the same time.
People become millionaires, stars, revolutionaries and leaders through the Internet.

Everyone has the possibility to raise his or her voice and get heard.
And that’s precisely the fear of many undemocratic systems and regimes.
Pretending to protect one’s own people from the Internet’s dangerous influences, governments censor or block websites, and information gets filtered, manipulated and deleted. Users get put under surveillance and are threatened if they behave suspiciously.

Our online future decided in Dubai

Last week, the International Telecommunication Union (ITU) hosted the World Conference on International Telecommunications in Dubai. The ITU, an institution of the United Nations (U.N.), suggests guidelines for worldwide telecommunications, decides who owns what radio frequency, and determines how toll calls will be paid. As a special institution of the U.N., member states can influence the ITU directly.

Old-fashioned telecommunications have become less important over the last few years. The big question is: Should the ITU attempt to control the Internet and its data flow?

What can you do?

One way to surf the Internet anonymously is via so-called Virtual Private Network (VPN) services. With VPN, you obtain a new IP address and surf on the provider’s server. The link to the Web sites you visit is like a tunnel, shielded and protected from access by third parties. Even in public WiFi hotspots at bars, restaurants and airports, your data is protected.
But is VPN software actually legal?
The answer is short and simple: Yes! It is legal to conceal this connection and your data transmission, as well as to circumvent geographically-imposed barriers to web access. Anyone who decides to use a VPN to encrypt their data needs to trust the service, of course. Steganos’ VPN products are respected both for their effectiveness, as well as for the company’s overall privacy policy.
Although the conference in Dubai is over, you can still make your voice heard. Whoever wants to sign a petition against possible control of the Internet can do so via avaaz.org: http://www.avaaz.org/en/hands_off_our_internet_i/

The scandal involving the Director of the U.S. Central Intelligence Agency (CIA), David Petraeus, shocked the nation. But is it because yet another powerful man was brought down by a sexual affair, or is it because he was brought down by our everyday internet tools like Gmail & Co.?

Were you aware how carelessly certain Internet tools like Gmail treat our data? The infographic below illustrates their terms of service.

The 7 Biggest Privacy Offenders - Terms of Service

As a four-star general of the U.S. Army, Mr. Petraeus was treated as an American hero and a role model for the nation. Then, everybody knows what followed.

Mr. Petraeus chose to conceal his e-mails to his mistress Paula Broadwell with a simple trick. This trick is used by terrorist organizations and teenagers alike to avoid leaving traces on the Internet. Rather than sending e-mails from one Gmail account to another, they saved their written messages as a draft. When Mr. Petraeus decided to send a message, he’d log in to his Gmail account via Google, type a message and save it as a draft to the drafts folder. When Ms. Broadwell wanted to read his message, she’d use the very same log-in data for the same Gmail account, and would find the message in the drafts folder.

Is this technique more secure than sending e-mails from one in-box to another? Yes, because no connection to another server (Yahoo, Hotmail, yourwebsite.com) is being established that could be intercepted. But is it completely secure? No. Although Gmail uses “https://” encryption to secure your e-mails, legal authorities have the right to contact all of our everyday service providers to request personal information such as IP addresses, messages, locations, recipients (basically everything you’ve posted to the Internet). How often do they do this? According to an article from Startribune, Google received 12,300 requests from legal authorities in 2011. How many of them were processed? A frightening 90+% of all requests! A subpoena is sufficient to require service providers to unveil personal user information.

Special attention is paid to the Terms of Gmail: “Google sometimes may be legally required to share information with law enforcement…”. Apart from the trivialised wording “Google sometimes may be legally required […]”, the question arises what Google really means by this sentence. Is there an official court decision so that they are legally required to share information? How does that subpoena work? These and more questions will be answered in our next blog posts.

So how can you protect your privacy better than Mr. Petraeus?

Your e-mail is nobody’s business except yours! Two hack-proof ways to send your messages are e-mail encryption or via virtual private network services (VPN). E-mail encryption allows you to encrypt messages to your recipient with the 256-bit Advanced Encryption Standard (AES-256). This standard is used by the U.S. government for documents containing confidential information. So far, the algorithm has not been cracked. While it’s possible to detect the use of encryption software on your computer, the decryption of e-mails you’ve sent is virtually impossible if you choose a safe password.

Another possibility is to use a VPN. These are used by banks and insurance companies but also are designed for home use. A VPN creates a secure tunnel between your computer and the websites you visit. True to the motto, “Data thieves cannot steal what they do not see,” your identity is masked by the tunnel’s data encryption, so you can send e-mails and surf the Web carefree. Even in public WiFi hotspots at bars, restaurants, hotels and airports, your identity remains safe from prying eyes. WiFi hotspots are a potential source of massive data theft, if you are not suitably protected. Hiding sensitive information in images is another way to protect yourself from identity thieves. Steganos Software became popular for this 15 years ago.

Gabriel Yoran, founder and managing director of Steganos Software, says: “On their journey through the internet e-mails are easy to intercept. E-mails that are hosted at freemail providers (Gmail, Yahoo, Mail.com) may be looked through by providers and legal authorities without a warrant and without the knowledge of the account holder. This data espionage both by the state as well as Internet services like Google is steadily increasing – without the user really noticing. After all, isn’t everyone already overwhelmed by dozens of pages of terms and conditions? We will therefore continue to make easy-to-use privacy products available to our users, which protect their data and online activities from prying eyes.”

This is how many active users the biggest privacy offenders have:

Dropbox (2012): 100 million active users

Skype (2012): 250 million active users 

Facebook (2012): 901 million active users

MSN Live (2012): 325 million active users

Google (2012): 100 million active users

Twitter (2012): 170 million active users
