Steganos Blog

Gabriel Yoran, founder and CEO of Steganos GmbH

For the last several months, the Guardian and other media have been publishing snippets of confidential information revealed by former NSA contractor, Edward Snowden. This deluge of classified material has become background noise, to the extent that a general impression has now been formed that the US and UK intelligence services can pretty much do anything, and that no one is safe from their reach.

As a manufacturer of security software, we see it as our obligation to at least shed some more light on the subject. The data available for the task is limited since it is assumed that, with governments being involved, some details have been deliberately withheld so as not to endanger national security.

Can the NSA crack all encryptions?

The most important question first: Can the NSA (or its partners) crack all encryptions? We assume they cannot. But the NSA doesn’t have to. A large part of its work consists of intercepting data before or after it is encrypted. If the NSA had bugged your PC (which we can generally assume is not the case) the best encryption in the world would be useless, because the NSA Trojans would record the data in advance. So a “clean” PC is the prerequisite for successful encryption.

As a further measure, the NSA apparently attempts to persuade companies to deliberately incorporate errors or backdoors into their products in exchange for cash payments. This has never happened at Steganos. Steganos has never received any such request, nor does it implement backdoors, master passwords or similar devices into its products. Steganos is a German limited liability company based in Berlin and is not subject to any influence by the US, UK or any other country. Germany has strict data protection laws and does not currently have any regulations on the retention of data (a related lawsuit brought by the European Commission against Germany has yet to be decided). This situation makes Germany a good location for providers of security products. We very much hope that the political situation will not deteriorate here, but that, on the contrary, this location’s advantage is recognized and actively encouraged.

Personal guarantees by employees against infiltration

Based on these framework conditions, every Steganos employee is also obligated (as part of his or her employment or service contract) to abide by the German Federal Data Protection Act. They sign agreements based on United Nations’ transparency regulations to prevent outside influence and infiltration of the company by a third party.

Furthermore, Steganos has strict data protection guidelines that should also be as transparent for our users as possible. By the way, the guidelines for our VPN product, Steganos Online Shield, have just been called “pleasingly specific” by c’t magazine (issue 20/2013). Our product was given the best review of all those tested.

Beware of the ‘five-eyes’ countries and generally take precautions

All these measures can only work if no unencrypted data is stored on or transferred via servers in the US, Canada, UK, France, Australia or New Zealand. These countries have what is known as the five-eyes agreement, which permits close cooperation between the respective countries’ intelligence services. If you want to play it safe in any of these countries, you should consider the following:

(a) If you use a VPN product, choose the Steganos Online Shield or OkayFreedom servers that are not located in any of the five-eyes countries (there are a wide variety of alternatives). Even though Steganos servers located in data centers maintained within these regions are safe, determining what happens to the data after it has been channeled through such areas is not always clear. Nor is it completely clear what occurs in other countries. Therefore, it is generally recommended that both the route as well as the user data are encrypted.

(b) Use encryption software to encrypt e-mails, cloud content and files. For example, the Steganos Privacy Suite encrypts the data on your local PC before it reaches the Internet.

Encryption is your friend

Whether you’re sending emails, attachments or using cloud storage, encryption is your friend. Trust the math, as security legend Bruce Schneier once said. There have never been any known attacks on correctly-implemented modern encryption procedures (such as AES 256 bit). Edward Snowden said in the Guardian: “Encryption works.” It makes no business or financial sense to go to the effort of implementing or paying for software containing backdoors. Cracking good encryption (with good passwords) is highly complicated and time consuming. It requires huge numbers of supercomputers connected in a series. Even then the outcome of such concerted attacks is uncertain.

But often the effort is not even necessary, since most users don’t encrypt their data. The NSA has approached security firms, email providers, cloud storage service providers and social networks. The US companies that (have to) help the NSA in any way are not allowed to discuss it – not just in the way they help, but even the act of collaboration in itself. Google, Microsoft, Yahoo, and now Facebook have filed lawsuits against this regulation. No such regulations exist in Germany.

Independence from governments and services

Another possibility for intelligence services to gather data is to tap into a local (W)LAN, in cooperation with network providers via their data centers or directly from deep sea cables. Advisable in all of these cases is a good encryption service that encrypts the data and, ideally, the transport route as well. TLS/SSL is a suitable process for the latter. This is performed inside Steganos Online Shield, Steganos Internet Anonym and OkayFreedom. The Snowden reports suggest that the NSA compromised the certificates necessary for secure encryption using this process. As a result, Steganos itself signs the certificates it uses in the products named above – without relying on American or other service providers who may have been forced to cooperate with the NSA.

We hope to have brought some clarity to this complex matter. The ongoing horror stories about the methods used by the intelligence agencies should not dissuade us from protecting our data using the best available methods, or from continuing the work of making these complex techniques comprehensible and available to as many people as possible – free of political influence, backdoors and predetermined breaking points.

Gabriel Yoran, founder and CEO of Steganos Software GmbH

The most surprising thing about the Anglo-American eavesdropping programs is that hardly anyone is really surprised. In February, Steganos conducted a survey of its users in which 61% said that government agencies could or would want to read their communications in any form.

“Knew that anyway”, “I’m not surprised”, “Did you expect anything else?” – these are some typical reactions from Steganos users. Outrage has been reserved for the politicians trying to take advantage of these overseas surveillance activities for their election campaigns.

Of more concern is the general disinterest: the surveillance is a long way away, I’ve got nothing to hide – and if the intelligence agencies want to, they’ll always find a way. That sounds like resignation.

But it’s totally misplaced. For 16 years, we have been fighting for attention for our admittedly brittle topic: privacy. And it’s never had such a big stage. The question as to why friends spy on each other is being discussed at the highest level. “And the paradigms are falling like flies”, is the initial explanation given by the CSU or “data protection party“. On the first day of the hearing into the future of the data retention, European judges berated the representatives of systematic connection data storage: it has not been proven that such disproportionate measures really do help to solve or even prevent really serious crimes.

Julian Assange, of WikiLeaks fame, reminded us in the Guardian on Tuesday of the increase in historical significance encryption has experienced in recent years. Encryption is the only scientifically proven protection against surveillance, no matter by whom.

Our communications are recorded so shamelessly because we, the Internet users, have made it so easy for the intelligence services. We send our data in plain form over the Internet. Let’s surprise our local spying agencies by encrypting our emails and files, regardless of the software we use to do it. Dare to show that you have not given up being a citizen that fights for your right to privacy. And it only takes a few mouse clicks.

Anyone who surfs the Internet, leaves a mark

Everything you do on the Internet, every click and download, can be associated with your IP address and tracked. Data collectors earn money from your surfing behaviour, and hackers steal your passwords. In addition, many websites and online services are only partially usable in many countries. Users are becoming aware that the network is changing and that a shift has taken place. They are part of the World Wide Web. Content is created and shaped by them. The Internet is interactive. Anyone can communicate with anyone, whenever, anywhere. But that is where the new dangers arise. If you can find anything and everything, then theoretically you yourself can be found by everyone else. A recent survey of shows that more than 50 percent of respondents classified public hotspots as a risk. What you are left with when surfing is a stale aftertaste and a constant feeling of insecurity.

That is nothing new! And he who has nothing to hide has nothing to fear!

This carelessness is exactly what hackers take advantage of. If you think an antivirus program and a firewall are enough to protect you and your data from the World Wide Web, you are sadly mistaken. Cyber criminals can easily target a network and easily get around its security. A recent experiment of ours showed how many insecure wireless networks there still are. This experiment is the main theme of the latest issue of “Computer Bild”.

Steganos Online Shield 365 featured on the cover of “Computer Bild”

No Risk – More Fun

Our answer to insecure wireless networks, blocked websites and hackers is the Steganos Online Shield 365 VPN software. VPN stands for Virtual Private Network. You surf through a secure tunnel via the specially secured Steganos high-speed servers. On top of that, your Internet connection is encrypted, and your data remains invisible to the eyes of others. No one can track your downloads, create a log of your surfing or earn money from your data.

A VPN has, in addition to the safety factor, two more advantages for you

Firstly, VPN software allows you to bypass blocks on the Internet, access blocked content and use services that you could not previously use with an IP address from your country. Editors of the web project OpenDataCity determined earlier this year that more than 60 percent of the 1,000 most popular music videos cannot be watched on YouTube using a German IP address. The reason for this is the dispute between Google’s YouTube and GEMA, which has been ongoing since 2009. Second place in the ranking of countries with the most blocked YouTube videos goes to South Sudan, with approximately 15 percent blocked. When you surf through a VPN, you can choose to use IP addresses from different countries. This lets you bypass YouTube’s geo-blocking and use streaming services such as Hulu or Netflix, which would otherwise only be possible from America. Secondly, a VPN gives you a different perspective on the Internet and its content. Search engine queries from Germany often return different results than queries made with an IP address from the United States. This allows you to perform more effective research and competitive analysis. The advantage of being able to choose your IP address freely is even more evident with IP-based price segmentation: hotels, car hire and, for example, concert tickets booked from European countries can cost up to 40 percent more. With Steganos Online Shield 365, we give you a very easy-to-use program that combines all the advantages of VPN software, making surfing more fun and offering a lot more options – at minimum risk.

Steganos Online Shield



We are constantly online. In the office, at home, in a café, or on the road. Briefly checking your balance, reading e-mails and the news, or posting on Facebook – we are on the Internet, anytime and anywhere.

The fact that we and our personal data are exposed to constant threats online is nothing new. Hardly anyone is foolish enough to use a PC without up-to-date anti-virus software. We are aware that an active firewall is important and that there are viruses and Trojans on the Net, which we must protect ourselves from. An anti-virus program acts like a security service and the firewall is like a door lock. When the computer becomes infected by malware, the installed virus scanner hits the alarm and tries to eliminate the malicious software. But a lock can be broken and a security service can be outsmarted.

With Steganos Online Shield 365, you now have the ability to encrypt your entire Internet connection. As a result, potential attackers are less likely to perceive you as a potential victim in the first place. You are now one step ahead of the cyber criminals, instead of blindly trusting that an attack on your data will hopefully be detected.

The dangers have changed

Anti-virus is now no longer an obstacle for hackers, data collectors and cyber criminals. These criminals have long since found ways to identify gaps in your defence and exploit them. The manufacturers of anti-virus software only respond to new developments and machinations of hackers. By the time the updates arrive, it is often too late. Your accounts could have been hacked, your credit card misused. The new Steganos Online Shield 365 protects you comprehensively and continuously on the Internet – while surfing, shopping and downloading. With only a single click you can lock out hackers and reliably encrypt your entire Internet connection, so that you do not become such an easy victim.

Steganos Online Shield encrypts your Internet connection

How does Steganos Online Shield 365 work?

With Steganos Online Shield 365 you can secure your connection at home, in the office and even in public Wi-Fi hotspots – whether you access the Internet wired or wirelessly. All entered data, such as passwords, addresses and credit card numbers, is transmitted only in encrypted form. The data flows through fast and secure external Steganos servers in Germany, Britain, France, the U.S. and Switzerland. So you can surf safely on unknown sites that may not have their own protective defences.

With Steganos Online Shield 365 you get your own private, encrypted and anonymous connection to the Internet, directly from your computer via secure data centres. Here your unique IP address is exchanged for a random IP address from the huge Steganos stock, so your real IP address is protected from abuse. And this applies not just in your browser, but also in other Internet applications, such as download programs.

The features of Steganos Online Shield 365

  • Protect your Internet connection through encryption – with just one click
  • Visit unknown websites safely – thanks to IP address protection
  • Prevent password, credit card and identity theft
  • Protect yourself from snoopers on public Wi-Fi hotspots, for example in hotels, cafes, airports or offices
  • Unlimited backup data traffic without artificial speed reduction
  • Bypass censorship and call up harmless sites that are blocked in your country
  • Fast and secure external servers in Germany, Britain, France, the U.S. and Switzerland
  • One price, no confusing pricing, no hidden costs

Breaking into other people’s Facebook profiles – easily done via smartphone

An Android phone and a freely available web app, which is normally used to test security vulnerabilities in wireless networks, are all it takes for someone to read your private emails and Facebook messages.

An employee from the Steganos server team drew our attention to the security app dSploit. The tool, which is still in the beta phase, is actually meant to be used by IT security experts to analyse networks, simulate attacks and expose breaches in security. Supposedly anyone with a rooted Android smartphone could gain access to a WLAN. The app shows other smartphones, tablet computers or just those surfing the Internet through the network. And then you could supposedly read which passwords and user information are being shared.

That surfing in public WLANs is not safe, and that significant security risks exist with hotspot providers, is nothing new. Years ago, the authorities and the press warned about encrypted networks and the use of secure routers. There is a general impression that this advice has been acted on and any weaknesses fixed. After all, the operator of the WLAN bears all the legal risk of abuse and crime.

At Steganos we have been working for over a decade on the protection of privacy and security within the digital network. So we followed up on our colleague’s tip and tested whether a Wi-Fi network could be hacked with something as simple as a mobile phone. The main finding: it was shockingly easy.

Equipped with a notebook and a commercially available, rooted Samsung Galaxy S II, onto which we had installed the app dSploit, we made our way from the Steganos office in the Prenzlauer Berg district of Berlin to Alexanderplatz. We decided to ask at the front desk of a hotel in the centre for a password to use the hotel’s wireless network. Although we were obviously not guests of the hotel, we were granted access by a hotel employee. We logged into the wireless network of the hotel on both our laptop and our prepared mobile phone.

In addition to the laptops and smartphones of the hotel’s guests, the app listed our laptop, on which we had a webmail account open. We had direct access to this account via the mobile phone. We could read the full inbox, and compose and delete emails. On the computer itself this could not have been noticed until it was too late. As you can imagine, sending joke emails to the boss would be one of the more benign scenarios.

On the second tab, we had opened the Facebook account of a colleague. Again, we took over the session from our Android phone. Again we were able to easily read and search through all their private messages, and to compose new messages and posts.

We could not take over any SSL-protected session from any of the computers that were on the hotel’s Wi-Fi at the same time.

You never know whether you are in danger

After having successfully conducted an experiment of Wi-Fi hacking in a café in Prenzlauer Berg, we failed the test on the WLAN of the Adlon Hotel, Starbucks and McDonald’s.

The reason that it was not possible for us to take over sessions in all wireless networks was the different routers.

The attack carried out using dSploit is called a “man-in-the-middle attack”. The software accesses data and passwords in transit between the computer and the router. A router with integrated Stateful Packet Inspection, a method used to assign transmitted data packets to each session, detects and blocks the attack. Most current routers have this additional security for data transmission. As a user of a public WLAN, you cannot tell whether you are surfing over a secure or an insecure router. Pages with SSL encryption were also insurmountable for dSploit.
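The experiment's outcome, that plain sessions could be taken over while SSL-protected ones could not, points to a check a site operator can run: can a session token ever leave the encrypted channel? The following Python sketch is an added example, not part of the original post or of any Steganos product; it assumes the sessions are carried by cookies, and the header samples, cookie names and the `audit_response` helper are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    subject: str   # cookie name, or "response" for a response-level finding
    issue: str


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:     # [1:] skips the status line
        if not line.strip():
            break                                 # a blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie value into the cookie name and its attribute names."""
    first, *attrs = value.split(";")
    name = first.partition("=")[0].strip()
    return name, {a.partition("=")[0].strip().lower() for a in attrs if a.strip()}


def audit_response(scheme: str, raw: str) -> list[Finding]:
    """Flag ways a cookie set by this response could travel unencrypted."""
    headers = parse_headers(raw)
    findings = []
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    if scheme == "https" and not has_hsts:
        findings.append(Finding(
            "response", "no HSTS: browser may still send plain-HTTP requests to this host"))
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if scheme == "http":
            findings.append(Finding(
                cookie, "set over plain HTTP: readable by anyone on the path"))
        elif "secure" not in attrs:
            findings.append(Finding(
                cookie, "no Secure attribute: also sent with plain-HTTP requests"))
    return findings


# Constructed sample responses (not captured from any real site).
PLAIN_HTTP = """
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=constructed123; Path=/; HttpOnly
"""

HTTPS_WEAK = """
HTTP/1.1 200 OK
Set-Cookie: sessionid=constructed456; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure
"""

HTTPS_HARDENED = """
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=constructed789; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    samples = [("http", PLAIN_HTTP), ("https", HTTPS_WEAK), ("https", HTTPS_HARDENED)]
    for scheme, raw in samples:
        results = audit_response(scheme, raw)
        print(scheme, "->", [(f.subject, f.issue) for f in results] or "no findings")
```

An empty result for the hardened sample means the session cookie is only ever sent inside the encrypted connection, which is the case the experiment could not break.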

How do you protect yourself?

If you surf on a public wireless network, you are putting your own data at risk. Our email accounts and our Facebook accounts are full of the most private information. Hackers steal our credit card details so that they can shop at our expense. Criminals who obtain sensitive information can use it to blackmail us, not to mention the disgusting feeling when a stranger reads our secrets.

Our experiment has clearly shown that it is easy to get such information, and that the person concerned cannot tell whether he is currently in danger or not. The hacking of private accounts could be very damaging. Now, the CeBit hotels of Hannover will be filled with fair-goers. You should definitely think twice before you go onto a site using a wireless connection to the Internet if you are unsure whether the connection might be at risk.

One way to protect yourself ready for CeBit: use Steganos Online Shield 365.

With just one click, the software encrypts the entire Internet connection, both wired and wireless – available 05.03.2013. Data is transmitted via fast and secure external Steganos servers in Germany, Britain, France, the U.S. and Switzerland. So you can always surf safely, even on unknown sites and possibly unsafe routers that do not have the necessary safeguards.

Nothing to hide – much to fear
Steganos online survey with surprising results

Berlin-based security experts Steganos have asked 4,873 PC users

Show me your hard disc and I will tell you who you are
Personal documents, banking data, private videos: Our computer is our diary, our photo album, the cabinet and the window on the world.
Of course we do not want to leave that window open to everybody.

Nowadays, an anti-virus program alone is not enough to protect one’s digital privacy.
Furthermore, VPN tools are being used more often: they encrypt the user’s whole Internet connection.

“If you have nothing to hide you have nothing to fear”
Users of VPN software are often confronted with that silly accusation, although protecting your private data is a claimed human right.

The result of an anonymous online survey, which Steganos sent to 4,873 customers, was a surprise:
Those polled were far more afraid that someone could steal their PC or notebook than of being admonished for any illegal online behaviour.

The biggest fear of those surveyed was attacks by cyber criminals and hackers. They were less concerned that colleagues, superiors or family members could see what was not meant for their eyes.

Bottom line

It is surprising that the theft of one’s computer is nearly the most threatening danger, although PC users know the risk of online crime and still perceive it as the biggest threat.

Digital life and reality are one.

The respondents regard self-protection as the most important thing – and not the concealment of one’s own activities.


The attack on PGP, BitLocker and TrueCrypt described by the Russian developer Vladimir Katalov in his blog is in part possible due to a typical vulnerability of whole disk encryption tools. What appears to be maximum security – everything is encrypted all the time – is actually the opposite: everything is accessible all the time (at least as long as the disk is decrypted, and obviously even in standby mode).

At Steganos, we do not offer whole disk encryption, but volume encryption, for example in our Steganos Safe or Steganos Privacy Suite products. The technology used there works in a totally different way:

How safely encrypted is your hard disk?
Source: Alchemist-hp

1st: As Vladimir points out, “[i]t’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.”

Therefore, users of Steganos Safe or Privacy Suite only open and close the encrypted volume (the “Safe”) when they need it. There is no need to keep it open all the time.

2nd: When the computer goes into standby (or sleep/hibernation) the Safe is automatically closed. Therefore there is no way to access its contents.

It should also be said that, if an attacker does gain access to the user’s computer to run such an attack while an encrypted volume is open, the attacker could simply steal the user’s data, since at this point in time, user data is simply not encrypted.

Learnings: Whole disk encryption can be a risk, since unencrypted data is available to the user – and an attacker – all the time. Software which does not close encrypted volumes before hibernation is a problem, too (Steganos Safe and Steganos Privacy Suite are not affected by this issue).

Some might call it scandalous that the head of the World Conference on International Telecommunications (WCIT), Mohamed Nasser al Ghanim, singlehandedly pushed through the resolution that allows the ITU to handle Internet-related work in the future. He did this without a vote and without the permission of western countries. His decision was based on “a feeling in the room”, as he called it.
His resolution allows every country to justify international interventions to the country’s Internet usage.

During the last few weeks in Dubai, the ITU debated the new International Telecommunication Regulations, known as the ITR.
Internet usage was one of the points of discussion. From the get-go, there were a large number of people who doubted the new guidelines. They were afraid that Russia and China, supported by the biggest Internet providers, could enforce two main points:
monitoring data flow and changing regulations concerning what data you have to pay for.

The western states have largely asserted themselves at the convention. They spoke out against limiting the Internet’s freedom and against the ITU guidelines.
U.S. Ambassador Terry Kramer said that signing the contract was impossible for the United States.
55 additional states, including Germany, took a stand against the contract and wouldn’t sign it either. Based on this overwhelming opposition, the WCIT can be considered a failure.

It remains to be seen what this means for the future.

There’s no doubt that the Internet is one of the greatest inventions of mankind. During the last 20 years, it has become the most popular way of communicating and the easiest way to find any kind of information.
Search engines such as Google, Bing and Yahoo guide us through a mountain of data. Skype, Facebook and Twitter keep us connected, anywhere and at any time. We’re able to share our opinions with a large number of people and to be at several places at the same time.
People become millionaires, stars, revolutionaries and leaders through the Internet.

Everyone has the possibility to raise his or her voice and get heard.
And that’s precisely the fear of many undemocratic systems and regimes.
Pretending to protect one’s own people from the Internet’s dangerous influences, governments censor or block websites, and information gets filtered, manipulated and deleted. Users get put under surveillance and are threatened if they behave suspiciously.

Our online future decided in Dubai

Last week, the International Telecommunication Union (ITU) hosted the World Conference on International Telecommunications in Dubai. The ITU, an institution of the United Nations (U.N.), suggests guidelines for worldwide telecommunications, decides who owns what radio frequency, and determines how toll calls will be paid. As a special institution of the U.N., member states can influence the ITU directly.

Old-fashioned telecommunications have become less important over the last few years. The big question is: Should the ITU attempt to control the Internet and its data flow?

What can you do?

One way to surf the Internet anonymously is via so-called Virtual Private Network (VPN) services. With VPN, you obtain a new IP address and surf on the provider’s server. The link to the Web sites you visit is like a tunnel, shielded and protected from access by third parties. Even in public WiFi hotspots at bars, restaurants and airports, your data is protected.
But is VPN software actually legal?
The answer is short and simple: Yes! It is legal to conceal this connection and your data transmission, as well as to circumvent geographically-imposed barriers to web access. Anyone who decides to use a VPN to encrypt their data needs to trust the service, of course. Steganos’ VPN products are respected both for their effectiveness, as well as for the company’s overall privacy policy.
Although the conference in Dubai is over, you can still make your voice heard. Whoever wants to sign a petition against possible control of the Internet can do so via

