How to send sensitive data

How should you send sensitive data like passwords?

  • Putting them in an email and hoping that nobody ever finds it is among the worst options: email is typically stored unencrypted in both mailboxes and on the servers in between, and old messages live on in archives and backups indefinitely.
  • Encrypting your email with PGP is secure (and recommended), but most people don’t have the technical know-how to set it up and use it properly, and it only works if the recipient has done the same.
  • Texting is a little better than email, but a plain SMS is not end-to-end encrypted: your carrier, the recipient’s carrier and anyone who can intercept the message can read it.
  • Encrypted texting with an app like Signal is better, IF both you and the recipient use Signal.
  • Sharing them through a password manager that has a sharing feature (LastPass, KeePass, etc) is good, IF both you and the recipient use the same password manager.
  • A phone call leaves no written copy in transit, but it can be inconvenient, and the recipient still ends up writing the password down somewhere.

We’ve recently started using one of several “self-destructing note” services that all work the same way: the service generates a random web address, which you send to the recipient. The note is encrypted with a key that is never stored on the server; the key travels in the URL itself, so the server holds only ciphertext and only the exact link can decrypt and display the note. The resulting page can be opened a set number of times or for a set duration, after which the data is wiped from the server. (Or at least that is what the operators of the services tell us. We have no way of verifying that they actually do … or don’t.) Two things follow from the link being the key: whoever gets hold of the link first gets the secret, so send the link and any password you set through different channels; and the one-time-read design at least makes interception visible, because the intended recipient will find the note already gone.

https://1ty.me/ – one time read; you can set it to notify you by email when it has been read.

https://privnote.com/ – can notify you when opened, allows you to set a password for reading the page, allows either automatic expiration (1 hr to 30 days) OR deletion on first reading.

https://onetimesecret.com/ – allows you to set a password for reading the page, allows you to set an automatic expiration (5 min to 7 days), and allows you to delete the data before it has been read.

https://safenote.co/ – allows you to set a password for reading the page, and either an automatic expiration (1 hr to 14 days) OR deletion after it has been read a specific number of times (not both; if you allow 3 reads and it is only read twice, it will still be auto-destroyed after 14 days). It also allows you to delete the data before it has been read.

Disclaimer: ProtectYourWP.com has no connection to any of the above, and takes no responsibility should your data be lost or leaked.

IMPORTANT UPDATE: Make sure that you’re on the genuine site before pasting anything into it. Look-alike domains such as “privnotes”, “privnoté” and “prívnote” (typosquats and accented-character variants of privnote.com) are dangerous: Brian Krebs reported that privnotes.com was phishing bitcoin from users of the real service. Type the address yourself or use a bookmark rather than following a search result or an emailed link, and check the domain character by character. https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/ and https://twitter.com/briankrebs/status/1275120887633715201

iOS Mail Zero-day

UPDATE: A patch has been issued in iOS 13.4.5 beta, with an expected final release soon.  No word on patches for earlier iOS versions.

Source: https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/

A zero-day vulnerability in the iOS Mail app (MobileMail/maild) has been reported by ZecOps, who say it has been exploited in the wild. According to their report the security hole has existed as far back as iOS 6 (September 2012) and is still present in the current iOS (13.x).

As of today (4/22/2020) this has NOT been patched in a public release. We recommend that you DISABLE the iOS Mail app for now and use a different mail client until a fix ships.

We advise that you update as soon as an iOS patch is available.

Full details at https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/


Definition: Fleeceware

Fleeceware:  Apps which are marketed as “free”, but which then trick the user into subscribing for paid services (which are available free elsewhere), often for excessive fees.

Common examples are horoscope apps, QR code or barcode scanners, and face-filter apps aimed at younger users. Fleeceware publishers target users who are less likely to notice an initial fee or a recurring charge.

Users are often hooked by a free trial that turns out to be hard to cancel once the “free” period has lapsed. Note that deleting the app does not cancel the subscription; it has to be cancelled through the app store’s subscription settings, or the charges continue.

These are currently most common in mobile apps (both iPhone and Android), but the same techniques turn up in some desktop applications as well.