cc: INTERNET, MOBILE, SECURITY, SN_INTEL

https://www.kuketz-blog.de/mailbox-org-entdeckt-

unverschluesselte-passwortuebertragung-in-mymail/

Severe safety issue in mymail app found.

Google Translate yields --

mailbox.org discovers unencrypted password transmission in myMail

The mailbox.org team recently discovered a critical
vulnerability in the myMail client for iOS, which leads to
unencrypted transmission of user passwords and emails.

mailbox.org became aware of the problem after customers pointed
out transmission errors in the user forum that occurred when
sending emails via the myMail client. After examining the logs,
the team found that the myMail app was attempting to transmit
passwords without the otherwise required TLS encryption . After
the connection was established, the app did not send the usual STARTTLS-Kommando, but instead continued to transmit the user's
unencrypted login data. This enabled mailbox.org to extract or
read the passwords from the connection logs.

According to Peer Heinlein, managing director of mailbox.org,
their e-mail servers consistently reject such unencrypted
connections in order to ensure user security. This is the only
reason why the connection attempts of the myMail app failed, so
that users and postmasters of mailbox.org were taken aback.

This problem is not only relevant for mailbox.org customers: It
also represents a general security risk for all users who use
the myMail client. Content and passwords can be read and tapped
by third parties, especially if the users are in an open
network (e.g. WiFi airport, train, etc.). If other providers
allow unencrypted connections and are used in connection with
the current version of the myMail app, attackers can also read
the content of the unencrypted e-mails.

Therefore, mailbox.org strongly recommends not using the myMail
client in connection with their service or other e-mail
providers until the developers of the app have fixed the
security problems. There are numerous alternative email clients
that offer higher security standards and protect privacy
better. At the same time, the current incident once again
underlines the importance of communicating exclusively via
systems that are configured securely and enforce encryption.


--- OpenXP 5.0.57
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)

More:

https://www.businessinsider.com/google-can-give-police-keyword-data-from-search-histories-2020-10

Documents from an arson attack linked to the R Kelly investigation show how Google hands 'keyword' search data to police

Isobel Asher Hamilton

5-6 minutes

A court document relating to an alleged associate of singer
R Kelly show that police investigators sent something
called a "keyword warrant" to Google. Police were looking
into an arson attack on a car outside the home of a witness
in the R Kelly case. Google provided IP addresses of
everyone who'd searched for the arson victim's address
within a certain timeframe, which allowed police to
pinpoint a suspect. The arson victim is a witness involved
in the ongoing sexual racketeering case against R Kelly.
The suspect, Michael Williams, is a family relation of R
Kelly's former publicist. The warrant shows how police are
increasingly able to issue broad warrants to tech
companies, rather than focusing on individuals.

A newly unsealed court document related to an alleged associate
of singer R Kelly shows how Google can hand over data about
what people search to the police.

The court filing was submitted in July but unsealed on
Wednesday. It details a police investigation into an arson
attack on a car outside of the home of a witness involved in
the ongoing sexual racketeering case against R Kelly.

The court document showed that investigators linked Michael
Williams - a family relation of R Kelly's former publicist - to
the arson by sending something called a "keyword warrant" to
Google. Specifically, police asked Google for any data on
"users who had searched the address of the residence close in
time to the arson."

Google sent a list of IP addresses that had searched for the
arson victim's address. Two IP addresses were linked to
Williams' phone number, which police then used to track the
phone's location. They were then able to determine the device
was near the victim's car at the time of the arson attack.

Per CNET, investigators then obtained a warrant for Williams'
personal search history, which showed he'd searched for the
terms: "where can i buy a .50 custom machine gun," "witness
intimidation," and "countries that don't have extradition with
the United States."

Although requests for broad data sets to tech giants from
police are not new, this case lays out exactly how tech
companies co-operate with officers.

"We require a warrant and push to narrow the scope of these
particular demands when overly broad, including by objecting in
court when appropriate," Richard Salgado, Google's director of
law enforcement and information security, told CNET.

"These data demands represent less than 1% of total warrants
and a small fraction of the overall legal demands for user data
that we currently receive," he added.

The original warrant sent to Google has not yet been unsealed,
but Williams' attorney Todd Spodek said he planned to challenge
its legality, per CNET. "Think of the ramifications in the
future if everyone who searched something in the privacy of
their own home was subject to interviews by federal agents,"
Spodek said.

Albert Fox Cahn, the executive director of the Surveillance
Technology Oversight Project, also told CNET he thought keyword
warrants could be in violation of the Fourth Amendment.

"When a court authorizes a data dump of every person who
searched for a specific term or address, it's likely
unconstitutional," said Cahn.
--
../|ug

--- OpenXP 5.0.57
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)