www.infysec.com
Demystifying Innovations
If you found out that someone has been watching you the entire time how would you feel, reading every incoming-outbound messages from your cell phone and computer? This was not meant you scare you nevertheless, but millions of people feel the same way as you are right now. In June 2013 when a former National Security Agency contractor named Edward Snowden dropped the bomb on the agency and the government face – many people felt same about them being watched. Privacy fears aren’t limited to North America. During the summers of 2013 Research In Motion, a mother company of Blackberry gave away the tools to the Indian government to read the Blackberry messenger conversations. Likewise, Kakao Talk passed on the user messaging records to the Korean government following the lawful orders to take action, which led numerous customers to switch to Kakao Talk.
These types of changes have generated a surge of texting app providers that claim their software cannot be hacked. They state they utilize unique privacy technologies to guarantee the security of one’s data and prevent interception. Many say they incorporate industry-acknowledged security programs and open standard protocols for the overall safety of instant messages. Such security networks range from standard level to military grade. The traditional security technique is end-to-end encryption. And the way it works makes it unique. To put it simply – the information or your content gets locked in with unique value that is as soon as it leaves the sender’s cellphone or tablet – and it only gets unencrypted once the intended person receives it with verification that follows. These sophisticated privacy methods help prevent the most common workarounds for cracking the encoded information when in transit.
But, do not lose your confidence in online messaging tools yet. If you want to carry on chats minus anybody snooping, give consideration to trying out the following secure messaging applications listed below:-
1) Wickr
This spot-on messenger for iOS and Android enable users to exchange end-to-end encrypted plus messages that can delete themselves (given the timeframe), including photos and files. It was made to ensure encryption and privacy and keeping the transparency for its users and keeps no data to its servers, plus it doesn’t maintain any information on its clients, and that all messages and transactions are encoded with no way to decrypt them.
2) Cryptocat
Available for iPhone the software uses the Off-the-Record Messaging (OTR) protocol for protecting personal texting, allowing two people to converse in private. Cryptocat always utilizes its special team messaging protocol to allow for group instant messaging interactions. Because Cryptocat produces new key sets for every chat(s), it implements a form of best forward privacy. The application also offers protected file and photo transfer, letting users send documents and images to each other using end-to-end encryption.
Furthermore, they also provide internet browser extensions. Cryptocat is currently compatible withGoogle Chrome, Mozilla Firefox, Apple Safari, Opera and also offers a program for iOS devices.
3) Threema
Available on iOS, Andriod & Windows this paid application employs a user ID, created once the application is launched by the user (they key is always random). However, instead than requiring a connected email or a personal number to send messages a person can provide the random key to the individual they wish to speak with. One can also find out may users by utilizing their phone book. Users can dispatch messages, images, videos, allow their location to be shown, send voice messages and send any type of file up to a max of twenty megabytes every single transfer. There is a function of creating polls in the group chats that can be used for business purposes.
4) Silent Text
Available on both the iOS & Andriod this app comes with in-app purchases ranging from $9.95 a month to $39.95 the software has received points for having communications protected while they are still in transit, getting messages encrypted, making it possible for customers to verify their correspondent’s identity independently also making past interactions safe, if the key or the password is hacked.
5) Surespot
Surespot is an instant messaging software for Android and iOS platforms which also uses end-to-end security layer by default. It removes any form of messages from the device if the recipient intends it to be that way. Much like TOR browser the app also offers multiple identities that can be switched at any given time. Unlike some software that were not mentioned on this list but are available on the market, it also supports sending and receiving pictures, as well as audio messages.
It’s not just the U.S. government that would like to get its hands on Apple’s source code — China has asked the iPhone-maker for the code during the last two years, but naturally the company refused.
The news came to light at a hearing in Washington, D.C., where Apple’s general counsel and Senior Vice President of Legal and Government Affairs, Bruce Sewell, disclosed the information in response to law enforcement officials’ claims that the company was handing over information to the Chinese government for business reasons, according to Reuters.
At the hearing before the House Energy and Commerce subcommittee, Captain Charles Cohen of the Indiana State Police said Apple has quietly cooperated with Beijing. Representative Anna Eshoo, D-CA., asked Cohen to report a source for his information. But he could only cite news reports.
“That takes my breath away,” Eshoo said, according to Reuters. “That is a huge allegation.”
Apple testified, as did the FBI, over encryption and the company’s refusal to weaken its security on iPhones to allow access. The argument erupted over the iPhone of San Bernardino shooter Syed Farook, who killed 14 people at a holiday party in December 2015. The iPhone was locked, and the FBI wanted to get in — so it issued a court order, demanding Apple to create special code that would allow the FBI to access the information on the device.
Apple refused, arguing that in the wrong hands, the tool could threaten the security and privacy of its customers. The FBI dropped the case, after it was able to unlock the phone thanks to professional “gray hat” hackers, but the anti-encryption war isn’t over as the Justice Department said it still needs Apple’s help in another case.
The hearing also saw the FBI defending its use of a third-party to unlock the iPhone — saying that the agency relies on them due to the fast-changing nature of technology, according to the New York Times.
“These types of solutions that we may employ require a lot of highly skilled, specialized resources that we may not have immediately available to us,” said Amy Hess, the FBI’s executive assistant director for science and technology.
But subcommittee members expressed their discomfort with the use of these “gray hat” hackers, and Representative Diana DeGette, D-Co., asked if the use of third-party hackers was ethical, and if it potentially could open more security risks.
Law enforcement across the country are struggling in investigations, as growing numbers of commercial devices have encryption turned on by default. That limits the access investigators have when trying to pry into criminal’s phones, which could potentially hold useful information.
Thomas Galati, the New York Police Department’s chief of intelligence, testified to the importance of anti-encryption legislation, saying that his department hasn’t been able to open 67 Apple devices from October 2015 to March 2016. The phones are being stored as evidence for homicides, rapes, and violent crimes.
Apple’s top lawyer reiterated the argument the company has stood by all along — an argument with which an overwhelming amount of tech, legal, cryptology, and cyber security experts agree — that weakening encryption would threaten the security and privacy of “one hundred percent” of its users.
Reform Government Surveillance, the Computer & Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association sent a letter to the two U.S. senators heading the anti-encryption bill — Senator Diane Feinstein, D-Ca., and Senator Richard Burr, R-N.C. Burr and Feinstein hold the position of chairman and vice chairman of the Select Committee on Intelligence, respectively.
“Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences,” the letter reads. “The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop. ”
With Windows 10, Microsoft is also working on a new ‘Blue Screen of Death’ messages incorporating QR codes for easier redress for issues.
Microsoft’s dreaded ‘Blue Screen of Death’ for Windows 10 is being provided a nice makeover in that a QR Code will now be containing all the information that led to the crash along with possible remedies to turn things around.
Users will be able to scan the QR codes using smartphones or other compatible devices to better understand what led to the crash. The codes will also be hiding a URL, which is supposed to lead to the site that can help sort out the issues.
That for sure makes for a much-simplified approach compared to the BSOD’s of yore which usually contained a lot of technical details much of which were indiscernible to the general populace. While that was replaced with the frown face for the first time in Windows 8, the QR codes are expected to make things even more user-friendly.
However, the new BSOD incorporating QR code are part of the latest Windows 10 Insider Preview builds and is only expected to be incorporated in the Windows 10 Anniversary update that is due out later this summer.
However, the said makeover for BSOD could also open up new security vulnerabilities if it isn’t properly implemented. A possible security risk being envisioned is that malware could easily fake a system crash and launch the BSOD complete with a QR code.
The code, in turn, could be enough to mislead a user into believing all the wrong stuff to lure them into downloading the wrong patch, possibly containing malware. Let’s hope such a security scenario does not go undetected with the Microsoft engineers.
The FBI recently announced it had figured out how to crack into the security of the San Bernardino terrorist’s iPhone, and now Apple desperately wants to find out how the feds did it.
The Department of Justice officially withdrew its case against Apple, saying it no longer needed help from Apple, as it had secured assistance from an unnamed third-party, The Los Angeles Times reports.
But now, Apple is panicking at the prospect its iPhone 5c can easily be breached by outside parties at seemingly the drop of a hat. The FBI is totally uninterested in responding to Apple’s pleas, especially given the fact that Apple CEO Tim Cook said he would fight the DOJ every step of the way in court. That sort of no holds barred opposition from Apple has not engendered much support in the federal government.
“One way or another, Apple needs to figure out the details,” Justin Olsson, product counsel at AVG Technologies, told The Los Angeles Times. “The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices.”
End-to-end data encryption on WhatsApp will no doubt endear the service to users who mind so much about their security and privacy, but not with governments that are struggling to battle the growing threat of terrorism. If one of them isn't, group chats will be unencrypted.
Let's explain this in WhatsApp's own words.
He added that the latest version of the app will encrypt every call, message, photo, video, file and voice message that is sent on the platform by default, including group chats.
WhatsApp's use of encryption has already caused friction in Brazil, where authorities recently arrested and then released a Facebook Inc. executive after the company said it was unable to unscramble a user's encrypted messages.
Now, WhatsApp has made a decision to take a major stand against both law enforcement, cybercriminals, and hackers.
'Do not take companies promises to keep your data safe seriously, even if Whatsapp means well, this article highlights details on WhatsApp end-to-end encryption that everyone else is afraid to tell you, ' he writes.
Jan Koum, WhatsApp's co-founder, who grew up in Soviet-era Ukraine, said: 'The desire to protect people's private communication is one of the core beliefs we have at WhatsApp and for me it's personal. However, WhatsApp claims the actual content of the messages is not held on the servers at all. WhatsApp started rolling out its end-to-end encryption feature.
The Criminal Procedure Code in Singapore requires technology companies to disclose information, or any codes they may have to unlock locked or encrypted information.
Yes, that's good news for those indulging in sending across images of their nether regions. But there's a downside to the encryption business too.
Der Spiegel notes that end-to-end encryption is only available if all the participants in a conversation are using the latest version of the software. Koum and Acton have touched upon this topic also. But it also underscores the way the growing availability of encryption to consumers is expanding the scope of the debate over how law enforcement should deal with data secured by the technology.
Is end-to-end encryption as foolproof as it’s cracked up to be?
It's a catch-22 situation.
The FBI and the Justice department didn't comment on this new action from the company, but it has been noted that WhatsApp's services were used to facilitate certain criminal acts, such as the Paris attacks previous year. That means even if someone cracks one key they will most probably get only a part of the conversation and cannot use that key to decrypt the rest of the messages in that conversation. Closing the system lets terrorists run amok.
In recent months, Mozilla developers were actively improving and modifying the user interface associated with security and privacy in the Firefox browser. The screenshot shows the changes that have affected output of notifications in the browser address bar.
The first change, which draws attention, is bringing the same general appearance of icons for sites protected by DV certificate and the EV certificate. Historically, in Mozilla Firefox padlock icon for sites protected by DV-certificate was somewhat different in their color theme from the same icons for sites with EV-certificates, which raised many questions from poorly informed user. In the updated version, all inconsistencies were eliminated - icons of locks have become the same.
Changes also affected the sites where the mixed content is loaded. As seen from the screenshot, notice of it have been revised and become more understandable.
Thanks to the new design improvements, users now are able to determine whether to trust the site or avoid it.
Google Chrome also was actively improving. Browser developers are planning to notify their users when the page of the site is insecure (http). Going forward, Google Chrome will mark all unencrypted sites padlock icon with a red cross in the address bar. For this purpose, Google Chrome will mark all padlock icons of unencrypted sites with a red cross in the address bar.
Google makes it clear that the web moves to the full transition to https. Many large companies and organizations supported the initiative, named «Encrypt All The Things», the essence of which boils down to the abandonment of traditional, less secure HTTP protocol and transition to HTTPS.
Google announced plan for a full transition to HTTPS back in 2014. At that time one of the Chrome Security Team members suggested to mark all HTTP-sites as "unsafe".
This change will bring more attention to sites that could be potentially unsafe.
It is currently remains unclear whether marking all HTTP-pages will be implemented by default in Google Chrome. However, now you can test it by typing in the browser "chrome: // flags" and selecting «mark non-secure origins as non-secure».
Today several Windows user has reported that their system has been infected withPetya Ransomwareand as a result they have become unable to access their files as well as its data in its original format. Generally it infiltrates targeted computer when user click or download infectious attachments come from unknown sources. You must know that it is one of the severe Ransomware that can affect Windows based system completely and make your files like .jpg, .mkv, .mp3, .doc, .xls, .gif etc and make them encrypted. In order to make data inaccessible it uses AES 256 encryption algorithm and it can not be decrypt without unique key. After being installed on the targeted computer Petya Ransomware will download Zemot, CMSrute and other malware infection without taking your approval. Apart from that it is also possible that you may face several unknown applications and programs to ruin system performance in complete manner.
After being infected with Petya Ransomware, user may find unknown and unwanted message on the computer screen because it install on txt file inside the encrypted folder. Due to this README.txt file you may receive ransom note on the computer screen saying that you files on the disk has been encrypted and you have to pay money in order to get back your files in its original format. Sometimes after getting such messages innocent users get scare and pay the demanded money. But the bad news is that even after paying money situation remain same and still files are encrypted. Therefore it is advised that not to do as it says and mustremove Petya Ransomwarefrom the computer as soon as you can.
This past weekend security researcher and “artful hacker” Mike Olsen discovered that surveillance cameras he purchased through Amazon were embedded with malware. Olsen had purchased the USG Sony Chip HD 6 Cameras, marketed as “Affordable High Definition CCTV Video Surveilance” to provide outdoor surveillance for a friend’s home. In keeping with the marketing pitch, he thought the 6 cameras and recording equipment were a good deal.
In a blog post, Olsen describes how he received the cameras and experienced trouble as soon as he tried logging into the administrator page to configure the system. “First of all something seemed a bit off, the interface showed the camera feed but none of the normal controls or settings were available.” Since Olsen is a software engineer, he began to investigate the underlying CSS code of the page which is supposed to contain the camera’s settings. He thought a simple flaw was hiding the settings he required to configure the surveillance system. Instead, he found an iframe emedded linking to a suspicious website.
The website in question was brenz.pl which has been associated with distributing malware for years. Accordingly the site was being used to distribute malware as far back as 2009. Since this surveillance system has the malware link embedded in its administrator page, malware targeting the system could potentially be used to steal data from the device or infect the user’s computer in other ways.
The method of infecting users with malware by hiding it inside devices is not wholly unexpected, though most of us would expect a purchase from Amazon to be relatively safe. In this case one of the people who purchased the device, Mike Olsen, had the necessary skills to uncover the problem with the device. As more people integrate internet-connected devices into their homes, more cybercriminals will use it as an opportunity to compromise home networks.
What is Swift?
Swift is Apple’s new programming language, which has been in development for the past four years and which looks to replace Objective-C as the main language for app development on Apple’s platforms, OSX and iOS.
It’s a major departure from the syntax of Objective-C and takes a lot of cues from other languages, such as Haskell, C#, Ruby and Python, which Apple presumably hopes will make it appealing to bright young coders, keen on modern languages.
Although it’s a major departure, Apple have taken a lot of trouble to make the transition to Swift as painless as possible. It is fully binary compatible with existing Objective-C libraries and maintains a close relationship with the Cocoa frameworks.
That means that developers can introduce Swift into their apps at their own pace, by writing discrete modules that should seamlessly interoperate with their existing Objective-C code.
What are the improvements around Objective-C?
Type Inference
In Swift there is no need to annotate variables with type information as the compiler can infer type based on the value a variable is being set to. Due to the dynamic nature of Objective-C, type is not truly known at compile time because methods may be added to existing classes, entirely new classes added or instance type changed all at runtime.
Type Safety
With Swift, the compiler can be more helpful in catching subtle type related bugs. As the compiler knows more about type in any method call, it can optimise certain call sites and jump directly to the implementation using C++ style vtable dispatch, rather than going through dynamic dispatch as in Objective-C. This enables smart optimisations that can make code run faster.
Control Flow
The humble switch statement has undergone a radical overhaul in Swift and can now match against ranges, list of elements, boolean expression, enums amongst others. It doesn’t fall through by default, and is further enhanced by Swift’s flexible pattern matching.
Optionals
An optional type is a type that might contain a value of a type. It allows you to more easily convert between types and avoid null checks. Optionals can be chained together to protect from exceptions when calling multiple methods or properties in a chain where one call might return “nil”.
Strings
Strings are now easier to deal with in Swift, with a cleaner syntax than Objective-C, eg: concatenate strings using “+=“.
Here are three tips that can help in the selection process of a developer:
1. Hire for DNA first, then work experience.
When I hire web developers, their personal DNA is the most important consideration. While experience is important, the bigger predictor of success is someone's innate DNA and how it fits your company. Are drive, determination, persistence, curiosity, important to you culture? Or, are you more low-key and relaxed about time management and deadlines? Whatever characteristics make up your culture, you want to ensure that the web developer will fit in.
For example, a brilliant web developer who has worked at a large financial institution may not do well at a startup. Why? A startup typically requires traits like versatility, adaptability, risk-taking and a self-starter personality, but these may be less important at a large company.
So, make a list of your company's DNA requirements. Do you foster an environment of relentless drive? Do you want great team players? If you come up with five requirements, make sure the interviewee matches at least three. Hiring for DNA also can help you to start to define a company culture and ensure that your team will work well together.
Of course, it's easy for some people to fake it in an interview, so you may need to evaluate them in other ways to ensure they're a good fit.
2. Try out a new developer with a small project first.
Although you might think you've identified your ideal candidate, just to be sure you should give him or her a small, non-critical project. That can let you observe the person in action and provide additional information beyond the job interview.
You can see how efficient the candidate is in delivering products and how buggy the final product is. Did he or she go above and beyond to get the product delivered? How creative was the solution? How well did he or she work in a team and communicate problems and delays?
3. Pick a developer with aptitude, not a particular skill set.
In the tech space, skills become obsolete every two years, give or take. So, it's better to hire a web developer who can learn new technologies easily rather than someone who knows a specific technology now but may not adapt when a new one comes along.
- The easiest way to detect whether someone will adapt well to change is to ask questions that will reveal whether a Web developer has a love for learning. For example:
- What new programming languages did you learn recently?
- What are your go-to places for learning new tech tips and tricks?
- What are your favorite technology conferences?