Secure messaging app Threema and NIST SP 800-90A

Recently RSA, a major US computer security firm, told its customers that a random number generator used in its software, Dual EC DRBG (specified in NIST SP 800-90A), may contain an NSA backdoor, and advised its customers to discontinue its use: Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm. As this is one of a number of random number generators used in the elliptic curve cryptography behind the secure messaging app Threema, we contacted Kasper Systems to check that this wasn’t a known flaw in their service; see their response below:

[Image: Kasper Systems’ response]

While the response doesn’t reveal which random number generator is used, it does offer some reassurance that this particular vulnerability isn’t present in the software. Further details of the encryption used can be found in the Threema FAQ.

Prism, CarrierIQ and your mobile device.

Back in 2011 Trevor Eckhart broke the story that the mobile phone logging software CarrierIQ was quietly transmitting data about users’ handset use without their knowledge. The software reports keystrokes, browser data, the content of text messages, and location. The extent of the data transmitted back allegedly depends largely on the install. He explains this in detail on his YouTube channel.

At the time many dismissed this as being used for development purposes (removing software bugs, improving mobile coverage, etc.), but in light of the Prism revelations many now wish to revisit whether they want their activities monitored. According to the Chpwn blog the iPhone install only reports location data; however, if you wish to stop this, the process is relatively easy.

1. Go into your Settings app.
2. Scroll down to “General”.
3. Tap “About”.
4. Scroll down to “Diagnostics & Usage”.
5. Select “Don’t Send”.

This should prevent any further logs being sent via CarrierIQ to Apple, who in turn probably share them with the NSA/GCHQ via Prism.

The process for checking whether the software is installed on Android devices, and how to remove it, is a little more complicated, but is explained in full on the TechCrunch website.

Prism: there are alternatives

Since the Prism surveillance scandal broke in the Guardian and revealed the extent of government access to internet users’ data, many, including myself, have been looking for alternatives. The Prism Break website lists a huge number of these, which is great, but a number of them aren’t particularly user-friendly, so I’m using this blog to highlight my picks, all of which are available free.

Browser
Prior to the revelations I had been a committed (Google) Chrome user; it offered a faster-feeling experience than IE and had the then innovative omnibar, which allowed Google searches to be undertaken without visiting the search engine’s home page. The best alternative to this is Mozilla Firefox: it’s free, open source and customisable, and available for Windows, OS X, Linux and Android.

The Omnibar add-on gives you the ability to search straight from the browser address box, as in Chrome. DoNotTrackMe and Adblock Plus are also must-adds; between them they block both annoying ads and the hidden JavaScript that tracks your movements across the internet.

Mobile Web Browser
Again wanting to ditch Chrome from my iPhone, I tried Opera and Dolphin, both of which are available for iOS and Android. While Opera offered data compression features, it seemed to freeze when data coverage was poor. Dolphin, on the other hand, seems slick and is easily customisable to force searches through the privacy-conscious DuckDuckGo (see below).

Search
If you want to get away from the dominant Google, Bing and Yahoo, worth trying are the European StartPage or the US-based DuckDuckGo, both of which promise no logging or tracking of searches. Both offer good web search but lack the niche video, news and blog searches of the established players. StartPage, however, does have a reasonable image search.

Cloud Storage
The best alternative to Google Drive and (Microsoft) SkyDrive I’ve found is the 256-bit AES-encrypted SpiderOak. The service is hosted in the US, but the level of encryption means even their staff don’t have unencrypted access to your data; the downside is that if you lose or forget your password there’s no way of recovering your backup. They offer 2GB for free to anyone, and those clicking through this link should get a 1GB referral bonus (3GB in total).

Mapping
Open Source Routing Machine finds the fastest car route in seconds; the only quirk for UK users is that postcodes need to be separated correctly, unlike with Google Maps. A slight downside is that it doesn’t offer walking or cycling directions.

Mobile Messaging
The Wickr app for iOS offers free encrypted messaging with messages that self-erase within a predefined time, which can be set to up to 5 days. It’s unbelievably easy to use, and Mashable reports it has been approved by IT security consultant Dan Kaminsky, but the developers’ reluctance to release the source code has left some doubtful of its claims. My take on it is: can it be any worse than iMessage, which is archived and probably accessible to the NSA? An Android version is promised in future.

It would be foolish to believe you could ever fully escape a security service or police investigation, but this software should stop or limit the wholesale archiving of our digital lives, help us regain our privacy, and send a message to the established players that there are consequences for breaching our trust.

Please feel free to comment below and follow on Twitter: @madeupnamethree