Facebook has stopped gathering WhatsApp user data in Europe following pressure from regulators, the Financial Times reports
Thursday, 17 November 2016
WhatsApp, the top messaging application, recently introduced free encrypted video calling, which will grow its user base considerably. Like other applications, WhatsApp collects a lot of user data during use. A few months ago, WhatsApp announced that it would share this data with its parent company, Facebook, and received a lot of criticism from users as well as regulators.
The internet giant will no longer collect WhatsApp users' data, due to pressure from the UK Information Commissioner's Office and other European regulators. Strictly speaking, though, this is only a temporary measure.
Facebook’s decision to halt data collection may only be a temporary measure, however, as it continues “detailed conversations with the UK Information Commissioner’s Office and other data protection officials.” Facebook said that it remained open to “working collaboratively to address their questions.”
Please share your thoughts with me if you are also concerned about the data gathering and sharing of the Facebook-owned WhatsApp.
Wednesday, 13 April 2016
Company's blog. All types of your communication, whether text, group chats or media sharing, are now protected by AES-256. The whitepaper on WhatsApp's end-to-end encryption can be found here.
This announcement by WhatsApp diverted the attention of privacy and security advocates from FBI vs Apple towards WhatsApp. But according to Jonathan Zdziarski, a leading independent security researcher and forensics expert:
End to end encryption is a good thing, but it's really just the beginning of good security
When WhatsApp announced this, a lot of people thought, "Oh my goodness, I'm so secure now and no one can read my WhatsApp chats." But trust me, it's not like that. You are still vulnerable.
Tunnel is secure but not the endpoints: When experts looked deeply into the cryptographic functions used by WhatsApp, they found that the transfer of messages is secured by encryption, but not the data stored on the devices, the endpoints, unlike Apple's iPhone. In simple words, if you are carrying a secret in a truck then the truck is secure, but not the point where you loaded the truck nor the point where you will unload it.
Feds care about metadata, not content: Your metadata is sent unencrypted and contains information like whom you are sending a message to, at what time, how many messages, etc. This information is enough for federal agents to eavesdrop on your messaging.
Feel free to ask any queries.
Thursday, 25 February 2016
With the increasing trend of surveillance by government agencies, journalists especially must be very attentive about their communication mediums. Their sources always require confidentiality of their identity and non-disclosure of the message content. Federal agencies always keep an eye on journalists who have sources among anti-state groups and sometimes within government houses as well.
Encryption is the solution to this problem. Encryption can be simply defined as scrambling data using a sophisticated algorithm, so that the only way to understand the message is via the password used to encrypt it.
But journalists' functional specialty doesn't require them to understand the sophistication of encryption. Still, there are some good options available which journalists can use. Before getting to know them, let's nail some of the big so-called encrypted email service providers.
Hushmail has a backdoor
Most journalists and other privacy-concerned people use Hushmail, a self-claimed encrypted email provider. Unfortunately, the claim is not true: a story published in Wired reported how Hushmail provided email copies to federal agencies.
Ghostmail is partially encrypted
Ghostmail claims to offer encrypted email, but its solution only partially works: when you send email to a non-Ghostmail user, it goes unencrypted. Ghostmail's encryption only works when both of you are on the same email server.
SafeGmail is not secure
SafeGmail is a Chrome extension which enables you to encrypt your messages inside Gmail. As you can see here, several times a year Google Chrome gets compromised, and sometimes its extensions also load malware into your browser which can influence other extensions as well. So you don't really want to rely on a single browser extension.
In coming articles, I will discuss some of the ways you can use to send encrypted texts. Stay connected with me.
Sunday, 7 February 2016
With the increasing rate of data breaches in recent years, clients are worried about becoming customers of any big company. Data breaches have affected every big industry, including IoT manufacturers, the health industry and banks. Last year, most of the money spent was on breaches in the health industry and on ransomware or trojans in banking systems.
Companies are a bit more concerned about information security now and are looking for solutions to convince their clients, especially those recently affected by data breaches.
What is ISMS?
ISMS refers to an Information Security Management System. This is the strategic system a company uses to establish and maintain information security.
What is ISO/IEC 27001:2013?
ISO/IEC 27001:2013 is the best-known standard for Information Security Management Systems, developed by the International Organization for Standardization, also known as ISO. ISO is a non-governmental international organization with 162 national standards body members.
ISO 27001:2013 covers all the legal, technical and physical procedures for risk management of information systems. According to its documentation, it aims to:
provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.
This specification is based on the following six points:
- Define the Security Policy
- Define the Scope of ISMS
- Conduct a Risk Assessment
- Manage Identified Risks
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
[Image: According to the survey conducted by ISO in 2014]
What does ISO 27001 provide?
You can use this specification for two purposes:
- To use it for risk assessment and management of your information systems.
- Certification is not obligatory, but you can obtain it to reassure your clients that you are following the guidelines in this standard.
Scope of this standard
This international standard is intended for any organization, irrespective of its size, type or nature. It helps in establishing, maintaining and responding to information security risks to your systems.
Friday, 5 February 2016
The data breaches of 2015 weren't lacking in surprises. We need to get ourselves ready for the information security challenges of 2016. InfoSec conferences are the best way to get valuable updates on developments in this field. Following are the 10 must-attend information security conferences in 2016. Dates have not been announced by some of these organizers, so make sure to check their websites listed below.
1. Defcon Hacking Conference
The Defcon information security conference is equally liked by security professionals and hackers. It started in 1993 and now they arrange events all around the globe. Defcon attendees include security researchers, hackers, journalists and lawyers who have a taste for learning and updating themselves on developments in the field of information security. In 2013, Defcon founder Jeff Moss, aka The Dark Tangent, said about federal agents attending the event:
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.
2. RSA Conference USA 2016
RSA Conference 2016 is going to be held in the last week of February in San Francisco. This conference is famous for its learning labs and crowdsourced sessions. This year's speakers include Candy Alexander, Parham Eftekhari, Matthew Green and Bahador Ghahramani.
3. InfoSec World Conference and Expo 2016
This conference is going to be held in April 2016 in Florida. It is organized by the MIS Training Institute and sponsored by HP, Dell, Malwarebytes and others. This year's speakers include Simon Singh, Lance James, Jeffery Ritter and Marcus Sachs. George Dolicker, CISO of INC Research, said:
I've been attending InfoSec World since 1997 and always find good value and content that I can immediately put to use when I get home.
In 2015, the event had 1200 attendees and over 75 speakers. Topics ranged from IoT, cloud, threat intelligence, mobile, insider threats and software development, just to name a few.
4. Infosecurity Europe 2016
This is Europe's main show for information security. It is going to take place in London this June. Their speaker count exceeds 260, according to an audit done by ABC.
5. Black Hat Asia 2016
Black Hat Asia is going to be held in Singapore in the last week of March. Black Hat also spreads its magic to Las Vegas and London. Topics of discussion range from the increasing market of commercial Android spyware to hacking professionally built drones.
6. SANS Information Security Training
Among the other 100+ information security events going to be organized near you, SANS Orlando 2016 is the best. It includes a total of 43 one-day and two-day courses, ranging from Cyber Threat Intelligence to Cyber Security in Health Care.
[Image: Early-year events by SANS, screenshot grabbed from here]
7. Bsides Security Conferences
Bsides is a community-driven organization arranging free-to-attend security conferences around the globe, with the cost borne by sponsors. Their events are held all around the globe, including in Mexico, Japan, China, Iceland and India.
8. IBM InterConnect 2016
Organized by IBM, InterConnect 2016 is going to be held in Las Vegas in the last week of February. It is best suited for Chief Information Security Officers. The conference features the following topics:
- Security Intelligence & Analytics
- Advanced Threat Protection & Research
- Fraud & Cybercrime Protection
- Identity Management & Governance
- Application & Data Protection
- Endpoint Security & Management
9. Global Privacy Conference Washington, DC
Organized by IAPP, a non-profit organization founded in 2000, this privacy conference is best attended by lawyers and policy makers. Its sponsors include AT&T and Microsoft.
10. Cyber Secure Pakistan, 2016
How can I forget about this one? The CSP annual conference is the pioneer information security conference in Pakistan, organized by PISA and UltraSpectra. From trainings and hacking games like Capture the Flag to discussion on the cyber law of the country in the perspective of the changing horizon of the information security world, I found everything there. If you are from Pakistan then you must attend it, whether you are a blogger, hacker, CISO or lawyer.
Thursday, 28 January 2016
We witnessed a lot of astonishing hacks in 2015. A study conducted by IBM says "the average total cost of a data breach increased from $3.52 million in 2014 to $3.79 million," and it is expected to increase to $1.9 trillion in 2019. Chief Information Security Officers are now the most important personnel of any organization dealing with computers and the internet. This is the best time to inform cyber security policy makers and CISOs about the cyber security predictions for 2016. On average, a firm spends 9% on cyber security, but now that has to be increased to at least 11%.
Predictions for 2016
Just five years ago, our security experts were well aware that the more devices were connected to the internet cloud, the more vulnerable security would be. But the "storm" of breaches in these years was more than expected. Hackers are always one step ahead of us. My predictions of cyber security hacks in 2016 are based on a rational study of cases and on the advancement in tools and tactics used by hackers.
1. IoT emerging but still less secure
The Internet of Things is bringing a new revolution to human lives, like "the rise of the machines". Security researchers hacked into internet-connected medical devices, Barbie dolls and Jeeps. Every electronics company is trying to IoT-enable its products, but no one is willing to spend some extra bucks to encrypt the protocol. According to Chris Rouland, a cyber security entrepreneur:
“2015 has been the pivotal year when we saw awareness and vulnerability discoveries published about ‘things’,”
If these "things" remain unprotected, then hackers will also be able to kill people, as demonstrated by students of the University of South Alabama during a cyber security class when they hacked into the body of iStan, the most advanced patient simulator. The students broke into its cardiovascular pacemaker and shut it down.
Soon, in 2016, these kinds of devices will also be installed in the bodies of real humans. Read: 5 IoT devices that can already be hacked.
Ransomware will become more exclusive, and attackers will use cloud services to launch attacks at bigger scales. Script kiddies will be very useful to hackers for spreading their ransomware-loaded malware. "Hostage" malware will affect not only personal computers but IoT devices and wearables as well. The evolution of CryptoWall and RansomJS will be very disturbing for security professionals. McAfee Labs researchers saw more than 4 million samples of ransomware in the second quarter of 2015, including 1.2 million that were new, and expect those instances to grow in 2016. That compares to fewer than 1.5 million total samples in the third quarter of 2013, when fewer than 400,000 were new.
3. Organized Cybercrimes
Cyber criminals are banding together in different mobs headed by criminal bosses. The hackers behind major attacks are no longer just a nerd with a computer in the basement. We now face full-blown organizations structured like startup companies. According to CSO:
the average age of a cybercriminal is 35 years old. Additionally, 80 percent of black-hat hackers are affiliated with organized crime, working as part of closed groups.
These groups are recruiting not only attackers but also criminals for the collection and transfer of stolen funds. This trend of gang formation will be used more effectively by cybercriminals in 2016.
Doxing is going to evolve once again through the use of data stolen from different sites. Data hacked by attackers is very useful to cyberbullies. You will no longer find torrent files of hacked data on the internet; instead it will be sold in the underground market (which is more common and less exclusive). Every wearable and IoT device is somehow accessed through the smartphone, which forms a central hub, so doxing will be more valuable now compared to previous years. Android in particular does not patch security vulnerabilities, especially in older versions, making it vulnerable to attackers. They simply hack into it and gather a lot of data to bully their victims.
According to the Business Value Exchange:
2015 saw a rise in the number of DOXing, public shaming and extortion attacks, as everyone from Hactivists to nation states embraced the strategic dumping of private pictures, information, customer lists, and code to shame their targets. Sadly, Kaspersky Lab expects this practice to continue to rise exponentially in 2016.
5. Biometrics aren't the solution
The internet is moving towards a "no password" scheme, using biometric methods to log in to devices. Most organizations are moving towards these biometric identification techniques. But it still seems risky to use, because all this data is stored on the same hardware that can be breached, as in the case of the OPM hack in which 5.6 million fingerprints were stolen along with other data.
For example, if we now use a voice recognition system for login, then security researchers also have to compete with malware that can intercept your calls and record your voice.
Monday, 25 January 2016
Since last week, I've been working on shifting my blog from WordPress to Blogger, and now it is successfully shifted. Before giving you the procedure for how I shifted it, you must know my reasons for the shift.
Why should you shift from WordPress to Blogger?
If you are good with WordPress then do not shift to Blogger, because the customization and features offered by WordPress are unmatched. I made the shift because I didn't have time to maintain and develop my blog. It requires time to update plugins and themes and maintain security.
Security was basically my main concern. New vulnerabilities were found weekly in WordPress and third-party extensions, and certainly, being a cyber security speaker, I made my decision to shift to something more secure where I can spend my time writing and speaking to my audience rather than developing and maintaining my own blog all the time.
What problems will you face?
Blogger and WordPress are two different platforms with different functional specialties. Shifting from Blogger to WordPress is an easy task, but not WordPress to Blogger. Following are some problems I faced during the shift.
- Simple export/import doesn't work here
- Formatting lost
- Images lost
- Internal linking malfunctions
- 404s due to permalink changes
How to make the shift?
Knowing all the complications of the shift, this is how I made it successful.
Step 1: Change your WordPress permalink structure to year/month/post-name.html
Step 2: Install the Permalink Finder plugin to avoid 404s
Step 3: Go to blogger.com and create your blog at yourname.blogspot.com
Step 4: Download the export file of posts from WordPress Tools.
Step 5: Change the file format from WordPress to Blogger using this tool.
Step 6: Import the file into Blogger.
Step 7: Edit each post individually, repair formatting and upload images again.
Step 8: Add your custom domain in Blogger.
My blog consisted of only a few posts, but it still took three days and 5 cups of coffee to shift from WordPress to Blogger. If you feel any ambiguity or have a better solution for the shift, feel free to comment.
Thursday, 14 January 2016
Information technology is now merged with every field of life, from banking to medicine. We witnessed a lot of advancement in the IT sector in the previous year, 2015. Things in this sector are not just getting better but more complicated as well. As the good guys are busy building and developing new tools and services, the bad boys, a.k.a. hackers, are equally busy finding new ways to hack these things. 2015 witnessed some major computer security hacks, ranging from data breaches to denial of service. Millions of users were affected as a result of these hacks and breaches. The most amazing fact about the hacks of 2015 was that most of them did not target financial organizations; people's personal information and the health industry were the main targets of the hackers. This also provides a horizon for our cyber security priorities in the coming years. The top 10 computer security breaches of 2015 are the following:
AshleyMadison.com has been online since 2001, is owned by the Canadian firm Avid Life Media and claims to have 40 million users. It is a premier cheating site for married people seeking partners. Hackers broke into its system and leaked 30 GB of data including users' personal information, chats, memos and even the website's source code. This allowed more hackers to attack the system after learning the vulnerabilities in its source code. Talking about the chats, user photos and employee emails with Motherboard, the hackers said: "1/3 of pictures are d**k pictures and we won't dump. Not dumping most employee emails either. Maybe other executives." It was also found from the hacked data that Ashley Madison was cheating its customers as well: most of the female accounts on the website were bots. This hack greatly impacted not only ALM's business but other dating websites as well. Some script kiddies also set up sites offering to check whether your name is in the breach, but ALM did its best to block such websites. More at WIRED
The second most amazing hack was encountered by the Internal Revenue Service. In this hack, the attackers gained access to the tax return data of around 300,000 citizens. They got through the multifactor authentication system using information such as social security number, date of birth and address. The hackers tried to attack 170,000 more accounts, which failed. The breach did not involve the main IRS computer system that handles tax filing submissions. "That system remains secure," the IRS said. The hackers were then able to use the information to file bogus tax refunds, resulting in criminals obtaining $50 million in federal funds. The IRS also faced several lawsuits due to its failure to handle people's information with proper security. The hack was due to an app on their website providing the "Get Transcript" functionality; the IT team informed the corresponding authorities and the people affected when they found suspicious activity on their accounts.
This company makes spyware which lets you spy on your employees, kids and partners by installing software on their iOS, Android or Windows devices. You can then get records of calls, texts, contacts, WhatsApp and more. This hack involved the data of 400,000 of their users being uploaded to Tor, the anonymous network. The data included Apple IDs, passwords, tracked locations, photos and more. The company initially denied the hack but then confirmed it. The data was hundreds of gigabytes, including corporate emails and private conversations. No clue was found about the hack or any footprints of the hackers, but the company assured its customers that it would make sure to prevent such breaches in the future. 40% of their users are parents who want to eavesdrop on their kids, but unintentionally this let their kids become victims of predators and bullies.
Hackers turned their cannons towards easier targets like the health industry. CareFirst is one of the biggest health agencies in the U.S. In 2015, it encountered a breach resulting in the leakage of personal data from 1.1 million accounts. CareFirst claimed that hackers got access to names, phone numbers and email addresses but not sensitive information like social security numbers, medical histories and financial details. Federal offices of the United States referred to this hack as state-sponsored and, conventionally, blamed China for it. In a statement at the time, CareFirst said it believed they "had contained the attack and prevented any actual access to member information." To compensate for the privacy espionage of their users, CareFirst offered two years of free credit monitoring and identity theft protection services to the affected members.
AdultFriendFinder.com is owned by FriendFinder Networks Inc., which claims to have 700,000,000+ users across its different social networking portals. The hack was reported in May 2015 and leaked the data of around 3.9 million users of the network. The hackers not only broke into the system but also made the data available on the internet for free download. The data included usernames, email addresses, sexual preferences and answers to many dirty questions asked to complete the profiles. The hack created more stir when it turned out to include the email addresses of some corporate and government personnel. This information was a gold mine for phishers, blackmailers and predators. Information also revealed. The company responded to the attack in no time and took immediate steps like disabling the "search by username" feature. The company also announced a team to investigate the footsteps of the hackers and the vulnerability which caused the attack, but hadn't released any details at least at the time of writing this article.
In June 2015, hackers attacked the United States Office of Personnel Management. According to the federal agency, sensitive data of more than 21 million people, including their social security numbers, was available on the dark web for download. The stolen data also included usernames, passwords and fingerprints of many federal employees. In response, the office accepted that it had failed to protect its computers and offer proper security measures to its people. They said, "we are going to send a package of guidance to the affected people". The hack initially started in 2014, but due to the incompetence of the office's security sector they failed to detect it for a whole year, during which millions of people were at stake. OPM announced the formation of a team of forensics specialists to get to know about the breach and the possible attackers behind it.
Anthem is the second-largest health insurance company in the United States, and it encountered one of the biggest corporate data breaches in history. During the hack, sensitive data of around 80 million people was stolen, including names, birthdates, email addresses, Social Security numbers and medical IDs. The company claims there is no evidence that credit information and medical records of its users were stolen. The company offers healthcare plans in 14 different states, and the breach affected all of them. An investigation started right after the attack and, conventionally, like all other attacks, China was blamed this time too. The investigation led to no conclusion. The company offered two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.
TalkTalk is one of the top phone and broadband service providers in the United Kingdom. Hackers breached its systems and stole the customer data of 4 million people across the UK. This data included names, email addresses, residence addresses, TalkTalk account information and bank details of its customers. The worst thing about the attack was that different affiliated companies, and TalkTalk as well, received messages from the hackers asking for ransom. A group of "Russian jihadist hackers" claimed responsibility for the attack. Asked by the BBC whether customers' bank details had been encrypted by TalkTalk, the CEO of TalkTalk said: "The awful truth is, I don't know". The company hired security professionals to figure out the vulnerability and verify the claim of the Russian jihadist group about the breach.
LoopPay is a subsidiary of Samsung Electronics; it's a mobile payment system which was hacked in October 2015, and Chinese hackers were blamed for it. The hackers broke into the corporate systems of the company but not "Samsung Pay". LoopPay was actually bought by Samsung in February 2016 to compete with its competitor Apple Pay.
Another critical vulnerability was found in the famous Samsung Galaxy smartphone series. The flaw was found in all models from the S3 to the S6. Security researchers at the NowSecure security firm found it in the phones' keyboard. This flaw could make the phone vulnerable to spying if it is connected to public wifi. NowSecure advised Samsung to patch the vulnerability and then made its findings public.
The FBI has an information sharing portal to synchronize information about criminals and ongoing investigations with local law enforcement agencies. The hacking group CWA, alleged to have hacked the AOL account of the CIA chief, took responsibility for hacking this portal as well. They dumped the information of 2400 national and international employees online and threatened the authorities with more. In a tweet, one of them said, "Just to clear this up, CWA did, indeed, have access to everybody in USA private information, now imagine if we was Russia or China.." While talking to WIRED, one of them claimed that they accessed the data of 3000 employees working for this federal agency.