
This time on the show - How to encrypt your email the easy way. Then, backing up your Gmail Account using your Ubuntu PC. Plus, Text Messaging your WiFi Pineapple. All that and more, this time on Hak5!


Email Encryption the Easy Way

We're going to learn Email Encryption the easy way

A lot of times on Hak5 we go really in depth for weeks at a time on a complex subject like SSH, exploring every nook and cranny. That's not this segment. Today we're taking a high-level, practical approach to email encryption. This is the segment you send to all your friends, techy or not, who should be using strong encryption on their email.

The Basics: In 1991 Phil Zimmermann created PGP, or Pretty Good Privacy. It's a program for encrypting and decrypting texts, emails, files - even whole hard drives. There's a pretty good read on Wikipedia so I encourage you to check it out.

PGP uses various methods for encryption - the one we're interested in is called Public Key Cryptography.

Rather than simply having a single password used to encrypt and decrypt data, it uses a combination of a public key and private key. The idea basically breaks down to this:

  • The public key is used to encrypt the message and can be freely given to anyone
  • The private key is used to decrypt the message and is stored securely

On Linux you can set up GnuPG (or GPG), an OpenPGP-compliant open source tool, along with Enigmail, a plugin for Thunderbird -- and that's great -- but in the world of webmail there's an easier alternative:

OpenPGP.js is an open source project that brings the power of OpenPGP to web browsers in JavaScript, and it is used by Mailvelope -- a plugin for Firefox or extension for Chrome which enables email encryption for webmail services like Gmail, Yahoo Mail, Outlook.com and GMX.

If you're wondering why this is important or how it applies to you, keep in mind that the ECPA, or Electronic Communications Privacy Act, states that "email stored on a third party server for more than 180 days is considered by the law to be abandoned, and all that is required to obtain the content of the emails by a law enforcement agency is a written statement certifying that the information is relevant to an investigation" -- there is absolutely no judicial review. No need for a warrant. Nothing. The ECPA was written in the 80s, and the world has changed. So while the lobbyists, activists, civil rights organizations and our government quibble over the law, we can protect ourselves using strong encryption. In fact we should encrypt all the things regardless -- it's simply good practice.

Setting up PGP encryption for webmail with Mailvelope

  1. Get Mailvelope. Install the Mailvelope Chrome Extension or, if you're using Firefox, you can try out the beta of the Mailvelope Firefox Plugin.
  2. Generate your key pair
  3. Send friend your public key
  4. Get public key from your friend and install it
  5. Send your first encrypted email
  6. Decrypt your first encrypted email

Note: General > Always add primary key to list of recipients. This way you'll be able to open mail you've sent later, say if you back up your email to your computer and want to read it in the future.
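
The public/private key split described above, and the reason for the "Always add primary key to list of recipients" setting, as an added example (not from the show, Mailvelope or OpenPGP.js). It goes one step past the two bullets by modelling the hybrid scheme OpenPGP uses: the body is encrypted once with a random session key, and that key is wrapped under each recipient's public key. RSA-OAEP and AES-256-GCM from Node's built-in crypto module stand in for the real OpenPGP message format, and the function names are made up for illustration.

```javascript
// Added illustration (not OpenPGP.js/Mailvelope code, not the OpenPGP format).
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt the body once under a random session key, then wrap that session
// key separately under each recipient's PUBLIC key.
function encryptFor(publicKeys, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrapped = publicKeys.map((key) => crypto.publicEncrypt({ key, ...OAEP }, sessionKey));
  return { iv, body, tag: cipher.getAuthTag(), wrapped };
}

// Try each wrapped copy with our PRIVATE key; return null if none was made for us.
function decryptWith(privateKey, msg) {
  for (const wrappedKey of msg.wrapped) {
    let sessionKey;
    try {
      sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
    } catch {
      continue; // this copy was wrapped for a different key pair
    }
    const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
  }
  return null;
}

function demo() {
  // Constructed sample identities: fresh RSA key pairs on every run.
  const gen = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const alice = gen(); // sender
  const bob = gen();   // recipient
  const text = 'constructed sample message';
  const toBobOnly = encryptFor([bob.publicKey], text);
  const toBobAndSelf = encryptFor([bob.publicKey, alice.publicKey], text);
  return {
    bobReads: decryptWith(bob.privateKey, toBobOnly),
    senderWithoutOwnKey: decryptWith(alice.privateKey, toBobOnly),
    senderWithOwnKey: decryptWith(alice.privateKey, toBobAndSelf),
  };
}

console.log(demo());
```
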
That's all folks. What do you use? Email feedback@hak5.org or leave a comment.

In a bit Shannon will be backing up Gmail on Ubuntu.

How to Backup Your Gmail Account Using Your Ubuntu PC

Apocalypse! What do you do if Google's mail servers go down? Unlikely, but could happen...

Use this tool in Ubuntu to back up your Gmail account!

Getmail is available in Ubuntu Software System. Works in any Linux distro though. Install.

Make a directory for the mbox (gmail inbox) file. -m 0700 sets the permissions. 7 = read, write, execute for owner. 0 = no permissions for group or other users.

    mkdir -m 0700 "$HOME/.getmail"

Second command sets up directory for the .mbox file to store your inbox messages.

    mkdir -m 0700 "$HOME/gmail-archive"

Third command creates the .mbox file in the gmail backup directory. Touch creates new files easily.

    touch ~/gmail-archive/gmail-backup.mbox
In gedit, create a config file to tell Getmail to get your Gmail mail:

    [retriever]
    type = SimplePOP3SSLRetriever
    server = pop.gmail.com
    # change this
    username = yourname@gmail.com
    # change this
    password = yourpassword

    [destination]
    type = Mboxrd
    # change this if needed
    path = ~/gmail-archive/gmail-backup.mbox

    [options]
    verbose = 2
    message_log = ~/.getmail/gmail.log

Save as .getmail/getmailrc in your new directory.
Close, open terminal and run 'getmail'. Script may take a while to download inbox. When done close out.

New mbox file can be saved for use in Thunderbird, Outlook, etc. Create a shell script w/ timed cron job to enhance efficiency and automatically download at timed intervals.

If it stops before finished, restart w/ the same getmail command to run it. Gmail Labels are supposed to be a part of the .mbox download. Archived messages are downloaded as well. Deleted msgs are not backed up. I suggest using two-factor auth with app specific pw, because your pw is saved in clear text.

Feedback

Frozen Java sends in this video of his Texting WiFi Pineapple: "This is just a PoC video of my texting pineapple. The goal here is to be able to activate karma, dns spoof, or whatever from your phone's texting app so if you are in a location where you can't pull up ssh or the web interface you can just look like you are having a normal conversation with a human."


16 Comments

  • Brandon 1 year ago

    I love the idea of allowing a plugin to PGP my web based email, but do you know of a way to encrypt all incoming email? If necessary email could be forwarded to a server that had my public key and then forwarded to an email account that was never directly published. This way only all email stored on the server would be encrypted, not just the email from the people that I can convince to use PGP.

    • Even if you are able to do this, since the email was not encrypted on the sender/source side, you will have an unencrypted copy there, and that will break your purpose.

  • captainkurt 1 year ago

    I see one issue not covered in Mailvelope, that is if there is a system crash. Is there a way to recover/store private key on secondary media?

    • You can save them in notepad, and keep the file safe.

  • marty 1 year ago

    Alas! Unfortunately!

  • Boost 1 year ago

    A follow up to my MikroTik duct tape wireless link setup.
    It ran solid for about a month or two until a fiber line was finally installed. Only thing was, as the bridges were installed in the window, the sun made the tape glue soft and the thing would get loose and kill the signal. Moar tape to the rescue! Clients ran fine (50Mbps easily and 2-10 ms ping) and I even trunked all our VLANs through it.

    • Rob Emmons 1 year ago

      Regarding taping things up. Try foam tape — but be aware that it is difficult to remove.

  • Export key by mail breaks 'cause I guess you don't have any mail client installed. It does not break on my PC,
    Thunderbird opens fine to send the key, but it's just coincidence that I have a mail client, I never use it.
    So this option is kind of useless (if I preferred using a mail client I would use Enigmail, not the browser extension :))

    The bug that I'm facing is if I send mail to more recipients, and add more pub keys to encrypt. The message gets encrypted only for the first key added.
    I cannot read sent mails although I have added myself to Always add primary key to list of recipients. (Allows to decrypt sent mails) 'cause of the same bug.

    Besides Mailvelope, there are these two Chrome extensions, WebPG and Mymail-Crypt. Both have tons of bugs, you send encrypted mail and it fails to decrypt it.

    An option that Mailvelope does not have and that is useful is PKI management (use gpg4win/Kleopatra). You can generate a certificate from your keys, create a revocation certificate, add more email addresses
    under the same key and publish your key to a public Key Server. This way you don't have to send email to exchange your pub key, you can put your key ID in your mail signature, then if somebody wants to mail you they
    can check your ID from old unencrypted mail and look for your pub key on a Key Server.

  • Justin 1 year ago

    gah.

    / is not a backslash. \ is a backslash

    / is just a slash

    • Rob Emmons 1 year ago

      Regarding backing up Gmail. Consider using Thunderbird and Enigmail. You can set up Thunderbird to leave mail on the server and only download new mail so you have multiple full copies both on the server and on your local Thunderbird copy. Plus you can decrypt it with Enigmail automatically when needed. It’s also a good way to remove and archive your mail too — just set up one of your systems to download and then delete the server mail — while all of the others just download.

      • One other comment. Regarding networking. For DSL, set up the DSL router for bridging, then set up a separate router behind it using PPPoE. This works great as long as your provider uses PPP over Ethernet (some at least used to use PPPoA). I use DD-WRT routers (one of the Netgear open source firmware supported routers) for this and for a bunch of other stuff.

  • Electronic Communications Privacy Act of 1986 (ECPA, codified at 18 U.S.C. §§ 2510–2522)

    Criticism:
    For instance, email that is stored on a third party’s server for more than 180 days is considered by the
    law to be abandoned, and all that is required to obtain the content of the emails by a law enforcement
    agency, is a written statement certifying that the information is relevant to an investigation, with
    absolutely no judicial review required whatsoever.

    Links:
    en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
    en.wikipedia.org/wiki/Stored_Communications_Act