New Anti-targeting Tool: Extremely Secure Email
Anyone who has ever been targeted by sophisticated ‘players’ as a ‘person of interest’ can tell you that all manner of mischief and trouble can arise from email snooping and tampering, things extremely difficult to deter by normal means. Let’s go abnormal!
Dateline: April 18, 2019, from the Olympic Peninsula, in the shadow of Microsoft. Copyright © 2019, all rights reserved. Permission to repost is hereby granted provided the entire post, with all links intact, including this notice and byline, is included. Quote freely; links requested. Please comment on any such repost or quote with a link to the original posting.
Reading, you will learn:
- of the many weaknesses in the email system which can be exploited;
- that mail can be snooped, deflected, deleted, rerouted, altered, or spoofed;
- that encryption and other defenses don’t always work the way people assume;
- that there is a new hardware solution, with some additional and remarkable benefits.
Disclaimer: in the spirit of full disclosure, this author is not a flaming cyber-security specialist. As a privacy/security consultant and computer industry player at microcomputer to supercomputer level, from hardware and software design to repair and even teaching digital electronics and computer courses at college level, however, I do have some swag on topic. Regardless, if the reader has a severe Web security issue with significant risk of harm, my advice should likely be augmented with additional consultation with a cyber-security specialist, if at all possible.
As a privacy/security consultant I can’t tell you how many thousands of times I’ve heard horror stories about email snooping and manipulation. Almost any email account can be compromised by multiple means, including my own, which has been, more than once. It can be done on the user’s computer with virus/hack/backdoor schemes, either by trojan horse or by direct physical access (a ‘black bag’ job*). It can be done at the user’s ISP or at the email service provider’s system (if one uses a Web-based service, aka ‘Webmail’) through similar means… or at any of the mail relays (the ‘hops’) a message passes through on its way from point A to point B, including the destination user’s mail service, ISP, and computer. The problem is that a copy of the message can remain in the queues, logs, and backups of every relay it passed through, for days or longer depending on each operator’s retention policy, before it is purged. It potentially remains forever (according to user preferences and any manual intervention by the user) on the user’s computer and on any Web email service (which can include the ISP’s Webmail service).
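As an added example, not from the original post: a short Python script that reads a message’s Received: headers to list the relay hops it passed through, each of which held a copy, and the time spent at each hop (an unexplained multi-day gap is one tell-tale of interference in transit). The sample message, host names, and addresses are constructed for this example.

```python
"""Trace the relay hops a message took, from its Received: headers.

Added example, not from the original post. Every mail server that handles
a message prepends a Received: header, so reading them bottom-up gives the
path from sender to recipient. Each host named after 'by' held a copy of
the message in its queue (and possibly its logs and backups).
The sample message, hosts and addresses below are constructed.
"""
import email
import email.utils
import re

# Constructed sample: three relays between Alice's laptop and Bob's mailbox.
SAMPLE_RAW = """\
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTPS id 4F2A1
\tfor <bob@recipient.example>; Thu, 18 Apr 2019 10:02:11 -0700
Received: from smtp.sender.example (smtp.sender.example [203.0.113.5])
\tby mx.example-isp.net with ESMTP id abc123;
\tThu, 18 Apr 2019 10:01:58 -0700
Received: from [192.0.2.10] (alice-laptop.lan [192.0.2.10])
\tby smtp.sender.example with ESMTPSA id zz9;
\tThu, 18 Apr 2019 10:01:40 -0700
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: test

hello
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")


def parse_hops(raw_message):
    """Return the hops oldest-first as dicts with 'from', 'by' and 'when'."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are prepended, so the last Received: is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)            # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue                                  # malformed header; skip it
        date_text = flat.rsplit(";", 1)[-1].strip()   # timestamp follows the last ';'
        when = email.utils.parsedate_to_datetime(date_text)
        hops.append({"from": match["frm"], "by": match["by"], "when": when})
    return hops


def hop_delays(hops):
    """Seconds spent between consecutive relays; large gaps deserve a look."""
    return [(b["when"] - a["when"]).total_seconds() for a, b in zip(hops, hops[1:])]


def copy_holders(hops):
    """Hosts that held a copy of the message at some point."""
    return [h["by"] for h in hops]


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_RAW)
    for hop, delay in zip(hops, [0.0] + hop_delays(hops)):
        print(f"{hop['when']:%H:%M:%S}  +{delay:5.0f}s  {hop['from']} -> {hop['by']}")
    print("copies held by:", ", ".join(copy_holders(hops)))
```

Run it against a real message by pasting the full raw source (most mail programs have a ‘show original’ or ‘view source’ option) in place of the constructed sample; every host in the ‘copies held by’ list is a place a copy could still exist.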
Any server on the Internet may be subject to a lawful or unlawful government surveillance program. The FBI has tools which, under warrant, can be installed on a provider’s servers to filter traffic for (we are told) specific users’ email, and stored mail can also simply be demanded from the provider by court order. Therefore, latent emails at all these sites are at risk of compromise. And there is more: if not using Webmail of some sort but a dedicated mail application like Microsoft Outlook or Apple Mail, those software packages can be vulnerable to hacking/virus/trojan and phishing attacks. And again, the FBI (and other agencies) have their own versions of these tools as well, presumably not employed without a warrant. The users themselves often prove to be the weakest link in email security, by failing to employ decent password practices, or by falling for spoofing, phishing, or trojan horse email attacks, effectively partnering in the attack through carelessness.
These attacks trick you into actions which give away your passwords or other useful data (e.g., credit card details, Social Security number, phone number, address). A spoofed email is one whose sender address and appearance are forged so that it seems to come from some official entity contacting you on official business, when the sender is not who they claim to be. It is either a fishing expedition for such information (phishing), or an attempt to trick you into downloading something disguised as something you think you want (e.g., an image or other file) but which is actually a trojan horse… which, in this author’s view, is the true source of the Democratic Party server’s alleged Russian hacking: the server was never hacked in the truest sense of the word, and it was not a politically motivated government hack, but a common phishing attack sent blindly to untold numbers of persons, in and out of the Party.
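As an added example, not from the original post: the From: line your mail program displays is just text the sender typed, so the practical check for spoofing is to compare it with the envelope sender (Return-Path:) and with the SPF/DKIM/DMARC verdicts that your own receiving server writes into Authentication-Results:. The two sample messages, and every domain in them, are constructed; mail.recipient.example plays the part of your own server.

```python
"""Flag common signs of a spoofed sender in a message's headers.

Added example, not from the original post. Only headers added by your own
receiving server (Return-Path: and Authentication-Results: from your MX)
are trustworthy; anything the sender wrote, including From:, may be forged.
Both sample messages and their domains are constructed.
"""
import email
import email.utils
import re

LEGIT_RAW = """\
Return-Path: <alice@sender.example>
Authentication-Results: mail.recipient.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
To: bob@recipient.example
Subject: lunch?

Noon works.
"""

SPOOFED_RAW = """\
Return-Path: <bounce@mailer-attacker.example>
Authentication-Results: mail.recipient.example; spf=fail smtp.mailfrom=mailer-attacker.example; dkim=none; dmarc=fail header.from=bank.example
From: "Security Dept" <alerts@bank.example>
Reply-To: helpdesk@bank-support.example
To: bob@recipient.example
Subject: Verify your account now

Click the link below.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def address_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map of method -> verdict from every Authentication-Results: header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(value):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def spoof_indicators(raw_message):
    """List human-readable reasons to distrust the displayed sender."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = address_domain(msg["From"])
    envelope_domain = address_domain(msg["Return-Path"])
    reply_domain = address_domain(msg["Reply-To"])

    # The bounce address is set by the sending server, not by the From: text.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain} differs from From: domain {from_domain}")
    # A Reply-To pointing elsewhere is how a third party captures your reply.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From: domain {from_domain}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "absent")
        if verdict != "pass":
            findings.append(f"{method} verdict: {verdict}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_RAW), ("spoofed", SPOOFED_RAW)):
        print(label, "->", spoof_indicators(raw) or ["no indicators"])
```

A message that fails these checks is not proof of an attack (plenty of legitimate senders have broken SPF records), but a ‘bank’ whose envelope sender, Reply-To, and authentication verdicts all point elsewhere is exactly the pattern described above.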
*At the height of my battles with rogue ex-CIA fronts, both my home and workplace computers were subject to direct access multiple times. At work, I showed up one day to find everything in my office moved away from the wall far enough to walk around the room and stoop to access the baseboards and electrical outlets, a common place to hide surveillance devices. In another incident, security encountered a man at the computers in my office with a set of tools laid out, attempting to open one of the machines. He claimed to be an IBM repairman, but had no work order, and as a result he was escorted out. Funny… the computer was not an IBM, it was a Macintosh. At my home, they attempted to gain entry three nights in a row, and eventually, on a day no one was at home, all hard drives on both computers at home and three computers at the office suffered fatal hard-drive crashes. In time, when I did not cease my investigations into the activities of illegal CIA fronts, all my computers at home, and every single floppy disc and writable storage disk or drive, were stolen (save those I had well hidden)… but they didn’t take very expensive new software CDs (over $1K each), or cash and a valuable collector wild-west pistol which were right out in the open. And yes, when I still did not stop, threats and actual attempts on my life were made. All this is variously detailed in several of my books.
Password policy? Passwords should not be written down in the clear, and should never be reused across accounts, Web sites, or software packages; change them whenever you suspect compromise (current NIST guidance no longer recommends forced periodic changes, which mostly produce predictable variations). Length matters more than anything else: 12 or more characters, mixing upper and lower case letters, symbols, and numbers, and never an ‘easy to remember’ password based on information about you or your family, etc… the first thing hackers will attempt. A password manager is the practical answer for most accounts; for the handful you must be able to recall unaided, there is an easy trick of my own devising. Choose someone famous from history, perhaps a bit obscure, such as Demetrius, Joan of Arc, or Marlene Dietrich. Use their wiki page as your ‘supply source’. Find specific factoids about their life to be used as a password, based on an important date and a key word relating to that date, a word with letters which can be substituted with symbols.
Example: The first line of Marlene’s wiki says “Dietrich was born on 27 December 1901 at Leberstraße…” If I chose to substitute [ for the letter a, and ? for s (ß = ss), I might create the password 2712Leber?tr[??e. When needing to use it, if I can’t remember it, I just drop over to the wiki page and ‘collect it.’ To update, I might change it to Leber?tr[??e1901, or go to some other data point at wiki to start a new construct from scratch. This scheme addresses recall issues while providing a ‘written’ record no one else can readily discern. Keep in mind that the wiki page is public: the only secrets are your choice of person, factoid, and substitutions, so anyone who learns the scheme and your chosen figure has a short list to try.
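The trick above in code, as an added example that is not from the original post: build_password() applies the post’s substitutions (ß expanding to ss before s is swapped), and policy_check() applies the minimums an editor would suggest rather than anything stated in the post. The entropy figure is deliberately labelled naive; it is an upper bound that a name or dictionary word never reaches.

```python
"""Build a password from a public 'factoid' with private substitutions,
then check it against a sane policy.

Added example, not from the original post. build_password() implements the
trick described above (date digits plus a key word with letters swapped for
symbols, ß expanding to ss first). policy_check() applies the editor's
suggested minimums, not anything from the post.
"""
import math
import string

# The post's substitutions: a -> [ and s -> ?  (ß becomes ss before substitution)
POST_SUBS = {"a": "[", "s": "?"}


def build_password(key_word, date_digits="", subs=POST_SUBS, suffix=False):
    """Combine date digits and the substituted key word, digits first by default."""
    word = key_word.replace("ß", "ss")
    swapped = "".join(subs.get(ch, ch) for ch in word)
    return swapped + date_digits if suffix else date_digits + swapped


def character_classes(password):
    """The set of classes (upper, lower, digit, symbol) present in the password."""
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return {name for name, found in present.items() if found}


def naive_entropy_bits(password):
    """Upper bound assuming every character were drawn at random from its pool.

    A password built from a name or dictionary word is far weaker than this
    number suggests; it only shows what length and class mixing buy at best.
    """
    sizes = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}
    pool = sum(sizes[name] for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def policy_check(password, min_length=12, min_classes=3):
    """True when the password meets the editor's suggested minimums."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


if __name__ == "__main__":
    pw = build_password("Leberstraße", "2712")
    print(pw, policy_check(pw), round(naive_entropy_bits(pw), 1))
    print(build_password("Leberstraße", "1901", suffix=True))
```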
Almost all email services now encrypt the connection between your computer and their server (HTTPS or TLS), but that protects the message only on that one leg; the server, and every relay after it, sees the plaintext. End-to-end encryption of the message itself (OpenPGP or S/MIME) is offered by many mail programs, but the user must choose to set it up, and that can involve technical matters they can’t fathom. Double encryption can be established by the user by encrypting content first and including it as an attachment to an encrypted email… or by selecting an email provider or software package which adds a second layer of encryption. Even then, encryption protects only the content, not who wrote to whom and when (the headers travel in the clear), and it does nothing if the key or the computer at either end is compromised. Here’s why that matters…
A popular belief holds that the government is so intent on snooping all communications at the NSA (National Security Agency, aka No Such Agency) that by law all civilian encryption must be weak enough for their supercomputers to break quickly. There is no such law. The export controls that once limited key lengths were loosened in 2000, and the AES algorithm anyone can use today is the same one the government approves for its own classified traffic. What the Snowden documents actually show is an agency that goes around encryption rather than through it: compelling providers to hand over data, stealing keys, exploiting bugs in implementations, compromising the computers at either end, and (in the Dual_EC_DRBG case) trying to weaken a standard at the drawing board.
Hackers, for their part, don’t need the Dark Web for strong encryption, and neither do you: the peer-reviewed algorithms and the free software that implements them (GnuPG, for example) are openly available, and ‘devising your own’ cipher is how encryption usually fails. Or, maybe I don’t know what I’m talking about on the Dark Web, as I won’t touch it with a ten-foot pole, or anyone who does, unless I trusted them implicitly.
To be clear, though, we don’t worry about NSA snooping as a rule, because short of Edward Snowden’s revelations of more advanced snooping taking place from within the greater intelligence community, NSA is typically only interested in looking for keywords that could lead to uncovering national security threats (so, avoid frequent use of words like “bomb”). I say that, but I have been targeted more directly by NSA (which was kind of fair, as I’ve caused them some troubles, too, with some dirty tricks of my own), and their tools can be accessed indirectly by other agencies in certain situations, so it can happen. The real weak point is not the cipher but the password protecting the key: a properly generated 128-bit key is beyond any supercomputer’s brute force, but a short or guessable passphrase can be run through by a hacker with an ordinary PC and plenty of time on his hands, no supercomputer required.
A compromise can take many forms, some of which can be recognized and some of which are not typically detectable. Naturally, covert access to sensitive information can prove very damaging in detectable ways, but unless the snoop makes use of the information in an overt manner, the owner may never have reason to suspect the snoop, certainly not before it is too late. In fact, information can sometimes prove so valuable that any gain from overt use, and the risk of exposure thereby, would be deemed unprofitable. This is less likely an issue for personal email users, unless involved in multi-million dollar situations at work, or personally. A lot of personal email is targeted because of one’s work; a home computer is a softer target than a corporate system would be.
But other forms are easy to detect: altering content*; deleting copies from storage; diverting to other, or additional, recipients (who might comment in reply); deleting recipients (who might comment that they didn’t get it); or simply delaying or blocking transmission. And if all that were not enough, the sender address can be spoofed: a forged From: line means that when you reply, your answer goes to the real owner of that address, who never wrote to you and has no idea what’s going on… which results in angry relationships, especially if the spoofed email was intended to anger you. That is a fairly common dirty trick used on targeted individuals to sabotage any chance of getting help from me, their friends, family, etc. I see it way too often, in fact, used to sabotage client relationships; it is the very thing which prompted this post.
* When my book set, Fatal Rebirth, was in the editing process, my editor (in another State) worked with me collaboratively using Adobe Acrobat Professional, which is designed for such uses, allowing notes and comments to be tagged to selected words or passages in a hide/reveal manner. (Sidebar note: that was, by the way, the problem with Obama’s birth certificate… the changes made to it were detectable in AAP, proving it had been altered, and was fake.) My book project was a threat to many illegal endeavors of the New World Order, including illegal fronts within intelligence communities, and in fact, more than two years in advance, revealed a false-flag attack scenario to bring down the WTC with jetliner terrorism, resulting in a series of Middle East oil wars (and other things), all of which came to pass. I’m thinking that accounts for why almost every email between my editor and me resulted in alterations between the copy sent and the copy received, typically delayed in transit some three to five days… enough time to analyze for changes, and to effect them.
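Alteration in transit, as described above, is cheap to detect if sender and recipient agree on a check before the file travels. As an added example, not from the original post: the sender computes a keyed SHA-256 tag (an HMAC) over the exact bytes of the document and reads the tag to the recipient over a second channel (phone, text message); the recipient recomputes it. A plain SHA-256 fingerprint read aloud works too, but an HMAC has the advantage that whoever altered the file cannot recompute the tag without the key. The chapter text, the key, and the one-word edit are constructed for this example.

```python
"""Detect alteration of a document in transit with an HMAC tag.

Added example, not from the original post. The sender computes a keyed
SHA-256 tag over the exact bytes of the file and passes the tag (or the
key) over a second channel; the recipient recomputes it. The chapter text,
key and edit below are constructed.
"""
import hashlib
import hmac

# Constructed: a shared key agreed out of band (a real one would be random,
# e.g. secrets.token_bytes(32), and would never travel with the document).
SHARED_KEY = b"agreed-over-the-phone-not-by-email-42"

ORIGINAL = (
    b"Chapter 12\n"
    b"The courier left the package at the second address, not the first.\n"
)

# Constructed: what a tamperer might change, one word a skimming reader
# would never notice.
ALTERED = ORIGINAL.replace(b"second", b"first", 1)


def sign_document(data, key=SHARED_KEY):
    """Hex HMAC-SHA256 tag over the exact bytes of the document."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_document(data, tag, key=SHARED_KEY):
    """True only if the bytes are unchanged; constant-time comparison."""
    return hmac.compare_digest(sign_document(data, key), tag)


def fingerprint(data):
    """Unkeyed SHA-256, usable when the digest itself travels by a trusted channel."""
    return hashlib.sha256(data).hexdigest()


def first_difference(original, received):
    """Byte offset where the two versions first diverge, or None if identical."""
    for i, (a, b) in enumerate(zip(original, received)):
        if a != b:
            return i
    return None if len(original) == len(received) else min(len(original), len(received))


if __name__ == "__main__":
    tag = sign_document(ORIGINAL)          # sender: email the file, phone the tag
    print("original verifies:", verify_document(ORIGINAL, tag))
    print("altered verifies: ", verify_document(ALTERED, tag))
    print("first changed byte at offset", first_difference(ORIGINAL, ALTERED))
```

The tag only tells you that something changed; first_difference() is there so the two parties can then find where, once the recipient has the original to compare against. Note that compressing or re-saving a document changes its bytes without changing its words, so the tag must be taken over the exact file that is sent.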
Once a problem is detected or suspected, the solutions available typically involve a long series of technical steps which can be cumbersome and scary for the non-geek among us, time consuming and inconvenient, and with some risk of data loss. I used to offer a simpler approach: install a pick-proof deadbolt on the main entrance, ensure all other entrances are secure against covert access (the enemy rarely breaks and enters), switch to a used Macintosh just for email (at least that use), and employ an encrypted service. But the weaknesses elsewhere in the email system are still unaddressed at that level of defense, and it can still leave the user with a PC full of problems in need of a complex-step solution…
The less that is known about the method of attack, the more such steps must be undertaken in order to be certain the problem is usefully addressed. In addition to backing up data, wiping the hard drive(s), reinstalling the OS and applications from their original sources, and restoring the backed-up data (data only, never old executables, which may carry the infection with them), it may require creating new accounts, obtaining a new ISP, and beefing up site security, to include pick-proof locks and, possibly, video and/or alarm systems. It can even mean performing professional-level TSCM (Technical Surveillance CounterMeasures) checks of the home or office (or both), looking for hi-tech surveillance equipment.
If physical access via a black bag job is suspected, it can also mean replacing hardware which may have been physically modified to enable back-door data capture (keyboards and keyboard cables, and network or modem cards where communications are not on the motherboard). The worst news is the cost of all that; TSCM sweeps alone can cost many tens of thousands of dollars.
There is another, simpler preventative step, however, which I have also advised to my clients, along with beefing up security and proper password practice. My idea is to avoid having any copy of the email stored on any system outside of the users’ computers at both ends of the exchange. As strange and impossible as that may sound, there is a very simple way to come close: both users simply use the same Web-based service, and set their preferences to delete emails from the server once the other end has downloaded them (the sender might want to archive a copy to their own computer first). Some Web services include a read-receipt feature which shows when an email was read, to make such deletions easier without the recipient having to send notice in some other way. Be aware that ‘delete’ on a provider’s server removes the message from your view; the provider’s backups and logs keep whatever their retention policy dictates.
In such a scheme, where both users have an email account at xyzmail.com (fictional) for instance, no email is actually transmitted across the Internet between providers. One simply logs into their account and uses a Web form to create the message. There it sits, on the provider’s system, and because the server knows the recipient is also a client, delivery is an internal copy rather than an SMTP relay across the Internet. The recipient next logs on and reads the message in a Web form as well. Delete at both ends. Done. The data in the Web form still travels from the service provider to each user, but it never crosses the chain of mail relays described earlier, so interception tools sitting on those relays never see it. What reaches the network is ordinary HTTPS Web traffic, which an outsider on the path sees only as an encrypted session with xyzmail.com.
Well, yes, it is possible to track a targeted user’s Web use. Usually, such tracking reveals only when you connected and to which site. If entities doing such tracking took particular interest in a given site (your email provider is so identifiable), they could in theory go to much extra effort to see the actual content, or to read your screen directly; there are very exotic technologies for that. But all Web mail services use HTTPS, so the content is encrypted between you and the provider; the one party who always sees it in the clear is the provider itself, which is why the choice of provider matters. While a sophisticated opponent with leverage over the provider could still read such messages, it is far less likely, and it would be virtually impossible to sabotage the process in transit the way normal email can be.
But assuming that was of concern, there is one more layer of protection against URL snoops: a VPN. A Virtual Private Network hides which sites you visit from your ISP and anyone on your local network, and hides your home address (IP) from the sites you visit, inside another encrypted layer (save one remote possibility, next paragraph). It does not make you untraceable: the VPN provider itself now sees everything your ISP used to see. A VPN can be established by use of a software package or a Web service (which will include a software component). The only fly in this ointment is one which applies to all Web-based product/service providers: are they certified to be part of the solution… or do they have ties to the types of sophisticated snoops, such as the intelligence community, who would have a natural interest in what anyone using a VPN was doing, and would seek direct access through a backdoor-equipped VPN service? Shop wisely, and check the company’s history and the background of their officers, board of directors, business partners, and investors.
And if all this were not enough to worry about, it is possible to read whatever appears on your monitor remotely. If the enemy is truly sophisticated (i.e., a spy agency), special equipment can capture the RF (radio frequency) emanations that your computer, its cables, and its monitor give off (the technique is known as TEMPEST, or Van Eck phreaking). If they know the make and model and hardware makeup of your systems (typically through covert access to the unit), those signals can be decoded with signal processing to reconstruct your keystrokes or whatever is visible on your screen.
The solution for that is, once more, beefed-up site security, the use of a Faraday cage or good RF/EMF shielding, and being on the lookout for suspicious vans parked nearby whenever you are using your computer. Fortunately, this is pretty rare, typically seen only in true national security operations. But for the paranoid among us (that’s “me,” after all), it is something to be aware of.
Fortunately, there is something new out there which pretty much eliminates almost all of the above technical considerations and issues, and greatly simplifies defenses with superior protection, and a few new benefits, as well.
This is badly needed good news for any targeted party. A new start-up company has come up with a hardware tool to improve email security to insanely high levels. It is about the price of a large hard drive, and about the size of a cube tissue box. The company, Helm (the old word for helmet), makes the Helm Personal (email) Server. While it is a bit costly at $500 (plus a $99 annual fee after the first year), it includes a lot of value, including 128GB of solid-state storage. It functionally makes you your own mail provider: the server sits in your home, and it can serve as your own Web site server, too, if you have such a need (but such use might require a business-level ISP upgrade to ensure you had enough bandwidth, for a terribly popular Web site).
The important thing to understand about this option is that it serves its own domain name (you choose the name, perhaps your existing Web site’s, and there is also a way to link it to existing email accounts elsewhere). By marrying the Helm solution with creation of email addresses for yourself and for anyone you regularly communicate with for whom email security is of concern, there is once more no email file being sent across the Internet’s relays: mail between two accounts on the same Helm is delivered within the box, and only mail to outside addresses still travels the normal SMTP path. Add a VPN to that equation, and good site security, and it is as close to government-level security as a private individual is likely to get. Helm will soon offer its own VPN, by the way, and I have investigated the company and those associated with it: they get a clean bill of health and have no ties of any concern to me. I would (and likely will) use this product myself.
There are additional functions and features inherent in Helm’s device which enhance its value and increase security. Only time will tell if there are hacking vulnerabilities, as are common to all new Internet products (hardware or software), but like most such products, such threats tend to be detected and addressed before they become a systemic issue likely to threaten any given user. Understand that the box now sits on your own network, reachable from the Internet, so applying its updates promptly and keeping a backup of its storage are part of the deal. The odds are in your favor, even if you know you are a target in someone’s crosshairs. To learn more, visit their Web site, and search the Web for what others are saying.
Understand, you can do the same thing with a used Mac mini configured as a mail server (older versions of macOS Server shipped a mail service; on a current system you would install one, Postfix and Dovecot being the usual choice). It would cost about the same money, but you would skip the annual fee. It is a common belief that a Mac can’t be hacked without direct physical access to the machine; that is not so (macOS receives remote security fixes like every other system), though a Mac mini running nothing but a mail server presents a much smaller target than a general-purpose PC, and site security still matters most. By this author’s account, Apple Computer connected its Cray supercomputer, with all proprietary secrets, business plans, sensitive financial and employee data, and corporate operational tools, directly to the Internet through an ordinary unmodified Macintosh: no hardware or software firewall. Every Apple employee’s computer accessed the Internet (when needed) through the same portal. Never hacked, despite a huge cash award if anyone could do so.
I’m somewhat of a flaming Mac expert, having owned a chain of Apple stores and worked professionally in all aspects of Mac use, sales, service (certified technician), and personal use since day one. But I would not attempt setting up the system (tried and failed). You would have to find someone with expertise in setting up Macintosh servers, and you might want to pay them to teach you how to best use and maintain it in some of the more important operational aspects of a server. The benefit, then, of the Helm is that all of that is automated and handled for you in a turnkey and transparent manner.