
Tuesday, December 6, 2016

Microsoft, YouTube, Facebook & Twitter - Working On Anti-Terrorism Database


Four of the biggest social networks, Twitter, Microsoft, YouTube and Facebook are going to be working together to build a database of photos and videos used to recruit people into terrorist organizations.

This shared database will identify images via a unique digital footprint, making it easier for them to identify and remove any imagery related to terrorism. Shared hashes will be used to help identify potential terrorist content on the mentioned social networks.
The companies said they hope this collaboration will lead to greater efficiency in curbing the global issue of terrorist content online.
A joint blog post by the 4 companies states:
“There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies”.

Not the First Collaboration of Its Kind:

Exactly a year earlier, these big names had also collaborated to identify and remove child pornography from the internet using a similar technique. This technique was developed by the UK’s Internet Watch Foundation.
The companies said that content flagged by the database will not be automatically removed from the platform. Instead, each company will review it against its own policies and decide whether it violates the company’s terms of service.
The companies also said that throughout this collaboration they will do their best to protect the users’ privacy and their ability to express themselves freely and safely on each of the mentioned platforms.
“We also seek to engage with the wider community of interested stakeholders in a transparent, thoughtful and responsible way as we further our shared objective to prevent the spread of terrorist content online while respecting human rights”
via The Verge 

Wednesday, November 16, 2016

Whatsapp introduces Video Calling, 2 Factor Authentication and other new features



WhatsApp has finally brought its most awaited features, Video Calling and 2 Factor Authentication (2FA), out of beta, as we reported earlier. The world’s most used instant messaging service has been getting new features recently: updated GIF support, document sharing and different emoji, for example. These quality-of-life changes were not in particularly high demand, unlike video calling.

The Most Demanded Feature:  

WhatsApp users have demanded video calling ever since the option to call other WhatsApp users became available. Voice calling had some issues at the beginning, but they were eventually resolved or diminished to some extent. The small changes mentioned earlier have been coming to the instant messaging app over the past few weeks. However, these changes didn’t warrant as much attention as video calling is getting now.

WhatsApp has also introduced a new security feature, popularly known as "2 Factor Authentication", that fixes a loophole in the popular messaging platform.

WhatsApp allows users to sign up to the app using their phone number, so if an attacker wants to hijack your WhatsApp account, they would require an OTP (one-time password) sent to your phone number.

The attacker can grab this OTP by diverting the SMS containing the passcode to their own computer or phone, using either a malicious app or SS7 vulnerability, and then log into the victim's WhatsApp account. The attack even works in case the phone is locked.

So in order to fix this issue, WhatsApp has now introduced Two-Step Verification (2SV) password feature for its Beta version for Android, which will help you lock down the WhatsApp set-up mechanism.


In other words, to reconfigure a WhatsApp account with two-step verification enabled, one needs not just the OTP but also the 6-digit 2SV passcode set by the user.
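The registration decision described above, as an added example that is not WhatsApp's code: a hypothetical server-side model in which an intercepted SMS OTP is enough to take over an account until a 6-digit 2SV passcode is set. The names `Account`, `register_device` and the five-attempt lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed throttle: a 6-digit passcode has only 10**6 values, so guesses must be limited.
MAX_PIN_ATTEMPTS = 5


def _derive(pin, salt):
    # Slow, salted hash so a leaked record does not reveal the passcode directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Server-side record for one phone number (hypothetical model)."""

    def __init__(self, phone):
        self.phone = phone
        self.pin_salt = None
        self.pin_hash = None   # None means two-step verification is off
        self.failed_pins = 0

    def enable_2sv(self, pin):
        if not (pin.isascii() and pin.isdigit() and len(pin) == 6):
            raise ValueError("2SV passcode must be exactly 6 digits")
        self.pin_salt = os.urandom(16)
        self.pin_hash = _derive(pin, self.pin_salt)
        self.failed_pins = 0


def register_device(account, issued_otp, supplied_otp, supplied_pin=None):
    """Decide whether a new device may take over `account`; returns a status string."""
    if not hmac.compare_digest(issued_otp, supplied_otp):
        return "denied: bad OTP"
    if account.pin_hash is None:
        return "ok"  # the SMS OTP is the only factor, so whoever reads the SMS wins
    if account.failed_pins >= MAX_PIN_ATTEMPTS:
        return "denied: locked"
    if supplied_pin is None:
        return "denied: passcode required"
    if hmac.compare_digest(_derive(supplied_pin, account.pin_salt), account.pin_hash):
        account.failed_pins = 0
        return "ok"
    account.failed_pins += 1
    return "denied: bad passcode"


if __name__ == "__main__":
    acct = Account("+10000000000")        # constructed phone number
    otp = "482913"                        # constructed OTP, as if read from a diverted SMS
    print(register_device(acct, otp, otp))            # no 2SV: takeover succeeds
    acct.enable_2sv("190385")                         # constructed passcode
    print(register_device(acct, otp, otp))            # OTP alone is now refused
    print(register_device(acct, otp, otp, "190385"))  # owner with both factors
```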


How to Enable Two-Step Verification:



To enable two-step verification (2SV), you need to sign up for WhatsApp's Beta version and follow these simple steps:

  1. Go to WhatsApp Settings → Account → Two-step verification.
  2. Click enable, set a 6-digit passcode and re-confirm it.
  3. On next screen, enter your email ID (optional) to enable passcode recovery via email. (It's recommended to use email as backup so that you're not locked out of your account if you forget your passcode.)
  4. Hit "Done," and you are all set to go.
So, next time when you reconfigure your WhatsApp account on your new phone or want to add a new phone number to your account, the messaging app will require you to enter and confirm this six-digit secret code.

Providing your email address is optional, which if enabled, will help you reset your passcode when you forget it. Here's what WhatsApp explained about email option:

"We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you are not locked out of your account if you forget your passcode. If you receive an email to disable two-step verification but did not request this, do not click on the link. Someone could be attempting to verify your phone number on WhatsApp."


Forget your passcode after setting it months ago?

To help you remember your 2SV passcode, WhatsApp will periodically ask you to enter it, and there is no option to opt out of this without disabling the 2SV feature.


For now, the feature is available only on the WhatsApp beta version, and the company will start rolling out two-step verification with the release of a stable version for both iOS and Android, for over 1 Billion users, in the coming weeks.


To enjoy two-step verification, you can sign up to become a beta tester and update to WhatsApp (Beta) version 2.16.346 straight from the Google Play Store.


Once signed up, your smartphone will be automatically updated to the WhatsApp Beta version in the next app update cycle.

Thursday, October 13, 2016

Yahoo ! Disabled Email Forwarding - No way to go out


Yahoo! has disabled automatic email forwarding -- a feature that lets its users forward a copy of incoming emails from one account to another.

The company has faced lots of bad news regarding its email service in the past few weeks. Last month, the company admitted a massive 2014 data breach that exposed account details of over 500 Million Yahoo users.


If this wasn't enough for users to quit the service, another shocking revelation came last week that the company scanned the emails of hundreds of millions of its users at the request of a U.S. intelligence service last year.

That's enough to make even a loyal Yahoo Mail user switch to rival alternatives, like Google Gmail or Microsoft's Outlook.


Yahoo Mail Disables Auto-Forwarding; Making It Hard to Leave


But as Yahoo Mail users are trying to leave the email service, the company is making it more difficult for them to transition to another email service.


That's because, since the beginning of October, the company has disabled Yahoo Mail's automatic email forwarding feature, which allowed users to automatically redirect incoming emails from their Yahoo account to another account, the Associated Press reported.


All of a sudden it's under development? Here's what a post on the company's help page reads about the feature's status:


"This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses. If you've already enabled Mail Forwarding in the past, your email will continue to forward to the address you previously configured."

In other words, only users who already had the feature turned ON in the past are out of this trouble, but users who are trying to turn ON automatic email forwarding now have no option.

Yahoo has shared the following statement about the recent move:


"We're working to get auto-forward back up and running as soon as possible because we know how useful it can be to our users. The feature was temporary disabled as part of previously planned maintenance to improve its functionality between a user’s various accounts. Users can expect an update to the auto-forward functionality soon. In the meantime, we continue to support multiple account management."

Yahoo is trying to save its Verizon Acquisition Deal


The move to turn off the email forwarding option could be an attempt to keep its customers’ accounts active, because any damage to the company is critical at a time when Yahoo is seeking to sell itself to Verizon.


The Yahoo acquisition deal has not yet closed, and Verizon Communications has reportedly asked for a $1 Billion discount off of Yahoo's $4.83 Billion sales price.


As a workaround, you could switch on your vacation responder instead to automatically reply to emails with a note about your new email address.


Delete Your Yahoo Account Before It's Too Late


You can also forego the forwarding process and simply delete your Yahoo Mail account entirely, until and unless Yahoo disables that option, too.


The Reg reports that British Telecoms customers, whose email had been outsourced to Yahoo, have not been able to set up automatic email forwarding or even access the option to delete their accounts.

"Sorry, the delete feature is currently unavailable. This feature will become available by the end of September," the error message reads.

Hackers are spreading Malware through Fake Security Tools


Over the past few years, Internet users globally have grown increasingly aware of online privacy and security issues due to mass monitoring and surveillance by government agencies, making them adopt encryption software and services.

But it turns out that hackers are taking advantage of this opportunity by creating and distributing fake versions of encryption tools in order to infect as many victims as possible.


Kaspersky Lab has revealed an advanced persistent threat (APT) group, nicknamed StrongPity, which has put a lot of effort into targeting users of software designed for encrypting data and communications.

The StrongPity APT group has been using watering-hole attacks, infected installers, and malware for many years to target users of encryption software by compromising legitimate sites or setting up their own malicious copycat sites.


Watering hole attacks are designed to lure specific groups of users to their interest-based sites that typically house malicious files or redirect them to attacker-controlled downloads.


The StrongPity APT group has managed to infect users in Europe, Northern Africa, and the Middle East and targeted two free encryption utilities in different attacks: WinRAR and TrueCrypt.


WinRAR and TrueCrypt have long been popular among security- and privacy-conscious users. WinRAR is best known for its archiving capabilities, which include encrypting files with AES-256 crypto, while TrueCrypt is a full-disk encryption utility that locks all files on a hard drive.

By setting up fake distribution sites that closely mimic legitimate download sites, StrongPity is able to trick users into downloading malicious versions of these encryption apps, in the hope that users will encrypt their data using a trojanized version of WinRAR or TrueCrypt, allowing the attackers to spy on the data before encryption occurs.

"The problem with people depending on tools like this isn’t the strength of the crypto, but more about how it's distributed," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "This is that problem that StrongPity is taking advantage of."

Booby-Trapped WinRAR and TrueCrypt Downloads:


The APT group previously set up TrueCrypt-themed watering holes in late 2015, but their malicious activity surged at the end of summer 2016.


Between July and September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com, with unsurprisingly almost all of the focus on computer systems in Turkey, and some victims in the Netherlands.


However, in the WinRAR case, instead of redirecting victims to a website controlled by StrongPity, the group hijacked the legitimate winrar.it website to host a malicious version of the file themselves.


The winrar.it website infected users mostly in Italy, with some victims in countries like Belgium, Algeria, Tunisia, France, Morocco and Cote D'Ivoire, while the attacker-controlled site, winrar.be, infected users in Belgium, Algeria, Morocco, the Netherlands, and Canada.

Top Countries infected with StrongPity APT malware:


According to Kaspersky, more than 1,000 systems were infected with StrongPity malware this year. The top five countries affected by the group are Italy, Turkey, Belgium, Algeria and France.


The StrongPity APT's dropper malware was signed with "unusual digital certificates," but the group didn't re-use its fake digital certificates. Its downloaded components include a backdoor, keyloggers, data stealers and other crypto-related software programs, including the PuTTY SSH client, the FileZilla FTP client, the WinSCP secure file transfer program and remote desktop clients.


The dropper malware not only provides the hackers control of the system, but also allows them to steal disk contents and download other malware that would steal communication and contact information.


Therefore, users visiting sites and downloading encryption-enabled software are advised to verify both the validity of the distribution website as well as the integrity of the downloaded file itself.


Download sites that do not use PGP or a strong digital code-signing certificate need to re-examine the necessity of doing so, for their own benefit as well as that of their customers, explained Baumgartner.
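The two checks advised above, as an added example that is not from Kaspersky or the original post: it refuses a download unless the URL's host exactly matches a pinned official host and the file's SHA-256 matches a digest obtained from a separate channel. The host `vendor.example`, the file contents and the function names are constructed placeholders. The "hijacked" case shows why the host check alone is not enough when a legitimate site itself serves a modified file.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit


def host_is_official(url, official_hosts):
    """True only for https URLs whose host exactly equals a pinned official host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match, not substring: lookalike and suffix-trick hosts must fail.
    return parts.scheme == "https" and host in official_hosts


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_download(url, path, expected_sha256, official_hosts):
    """Return (ok, reason) for a file already saved at `path` from `url`."""
    if not host_is_official(url, official_hosts):
        return False, "untrusted source"
    if not hmac.compare_digest(sha256_file(path), expected_sha256.lower()):
        return False, "hash mismatch"
    return True, "verified"


def demo():
    """Run four constructed cases; returns {case: (ok, reason)}."""
    genuine = b"constructed bytes standing in for the vendor's installer"
    trojanized = genuine + b"\x00constructed extra payload"
    # Assumption: this digest came from a channel other than the download site
    # (for example signed release notes). A digest copied from a hijacked site
    # would match the hijacked file and prove nothing.
    pinned = hashlib.sha256(genuine).hexdigest()
    official = {"vendor.example"}  # placeholder for the real vendor host
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.bin")
        bad = os.path.join(tmp, "bad.bin")
        with open(good, "wb") as fh:
            fh.write(genuine)
        with open(bad, "wb") as fh:
            fh.write(trojanized)
        return {
            # Copycat domain that differs by one hyphen.
            "lookalike": check_download("https://ven-dor.example/setup.exe", bad, pinned, official),
            # Official name used as a prefix of an unrelated domain.
            "suffix": check_download("https://vendor.example.downloads.example/setup.exe", bad, pinned, official),
            # Legitimate host serving a modified file: only the hash catches it.
            "hijacked": check_download("https://vendor.example/setup.exe", bad, pinned, official),
            "genuine": check_download("https://vendor.example/setup.exe", good, pinned, official),
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```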

Wednesday, October 5, 2016

The Internet Has a New Controlling Authority & It’s Not the U.S


The Government of the United States has handed over control of the Internet Assigned Numbers Authority (the internet’s address book) to ICANN, an independent international body made up of a number of governments, corporations and individual users.


What is Internet Assigned Numbers Authority (IANA)?

The IANA manages the allotment of IP addresses all over the globe. It also delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.
In simple terms, the IANA is a database that stores all the domain names on the internet. For example, if you type “propakistani.pk”, the IANA is responsible for directing you to our website.

Who owns the IANA now?

Initially, IANA was established by Jon Postel and Joyce K. Reynolds as an informal way to refer to various technical functions for the ARPANET. They alone were responsible for managing the IANA from 1988 to 1998.
In 1998, the Department of Commerce created ICANN, a nonprofit organization that is responsible for coordinating the maintenance and procedures of several databases. With participants from all over the globe, the organization’s purpose is to keep the Internet secure, stable and interoperable.
After Postel’s death in 1998, they granted ICANN a contract to manage the IANA. ICANN was to get the full ownership of IANA eventually, but the process was bogged down due to politics. Numerous political leaders from the Republican Party, including Ted Cruz, have opposed this move. However, ICANN finally approved a transition plan this year.
On the 1st of October, a judge ruled in favor of the plan, allowing it to move forward. As of this moment, the ICANN is now the official owner of the IANA.

Thursday, September 29, 2016

Apple Tracks Chatting using iMessage & Shares Data with Police


Chatting with your friend on iMessage and thinking that your conversations are safe and out of reach of anyone other than you and your friend? No, they are not.


End-to-end encryption doesn't mean that your iMessages are secure enough to hide your trace, because Apple not only stores a lot of information about your iMessages that could reveal your contacts and location, but even shares that information with law enforcement via court orders.


According to a new document obtained by The Intercept, Apple records a log of which phone numbers you typed into your iPhone for a message conversation, along with the date and time when you entered those numbers as well as your IP address, which could be used to identify your location.

Actually, every time a user types a phone number into their iPhone for a message conversation, iMessage contacts Apple servers to find out whether to route a given message over the iMessage system.

"Apple records each query in which your phone calls home to see who's in the iMessage system and who's not," The Intercept reports.

Moreover, the company is compelled to turn over this information to law enforcement with a valid court order — generally "pen registers" or "tap and trace devices" warrants that are very easy to obtain.


Pen register warrants are routinely being used to compel telephone companies to provide metadata about customers' phone calls to law enforcement.


Apple Logs Your IP Address (Location)


But it’s surprising that Apple, which has positioned itself as a staunch defender of its users' privacy by refusing to provide federal officials with encryption backdoors into its products, hands over its users' information on iMessage contacts under such warrants.


The report also points out that keeping logs of users' IP addresses, which could be used to reveal one’s actual location, is contrary to Apple's 2013 claim that the company "do not store data related to customers' location."


The Intercept obtained the document, titled 'iMessage FAQ for Law Enforcement,' about Apple's iMessage logs as part of a much larger cache originating from within a state police agency, "The Florida Department of Law Enforcement's Electronic Surveillance Support Team."

The team facilitates mass data collection for law enforcement using controversial tools such as Stingrays, along with the help of conventional techniques like pen registers and tap and trace devices warrants.


Although your iMessages are end-to-end encrypted, it doesn’t mean that all Apple users are enjoying the company's so-called privacy benefit.


If you have enabled iCloud Backup on your Apple devices to keep a backup of your data, the copies of all your messages, photographs and all other important data stored on your device are encrypted on iCloud using a key controlled by Apple, and not you.


So, Apple can still read your end-to-end encrypted iMessages, if it wants.


Even if you trust the company not to provide your decrypted data to law enforcement (just don't forget the San Bernardino case, in which Apple helped the FBI with the iCloud backup of the shooter's iPhone), anyone who breaks into your iCloud account could see your personal and confidential data.


Apple deliberately Weakens Backup Encryption


Fortunately, it is possible to store your backups locally through iTunes, though it is not such an obvious choice for an average user.


What's even worse is that a recent issue in the local password-protected iTunes backups affects the encryption strength for backups of devices on iOS 10, allowing attackers to brute-force the password for a user's local backup 2,500 times faster than was possible on iOS 9.


Apple has already confirmed that the issue exists and that a fix would be included in an upcoming update.


However, in response to the latest report about iMessage logs, Apple provided the following statement:


"When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place."


The Florida Department of Law Enforcement has yet to comment on the matter.

Friday, August 26, 2016

WhatsApp to share User data with Facebook - 30 Days Left to stop it



Nothing comes for Free, as "Free" is just a relative term used by companies to develop a strong user base and then use it for their own benefits.


The same has been done by the secure messaging app WhatsApp, which has now made it crystal clear that the popular messaging service will begin sharing its users’ data with its parent company, Facebook.


However, WhatsApp is offering a partial opt-out for Facebook targeted ads and product-related purposes, which I will explain later in this article, but completely opting out of the data-sharing does not seem to be possible.


Let's look at what the company has decided to do with your data.
Of course, Facebook is willing to use your data to sell more targeted advertisements.




WhatsApp introduced some significant changes to its privacy policy and T&Cs today which, once accepted, give it permission to connect users' Facebook accounts to WhatsApp accounts for the first time, giving Facebook more data about users for delivering more relevant ads on the social network.


The messaging service will also begin pushing users to share some of their account details, including phone numbers, with Facebook, allowing the social network to suggest phone contacts as friends.


When Facebook acquired WhatsApp for $19 Billion in 2014, users were worried about the company's commitment to protecting its users' privacy. But, WhatsApp reassured them that their privacy would not be compromised in any way.

"Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible," said WhatsApp co-founder Jan Koum in a blog post published at that time.

Now the WhatsApp users are feeling betrayed by the company's latest move.


However, you need not worry about the contents of your WhatsApp messages, like words and images, as they are end-to-end encrypted, meaning that even the company cannot read them.


Ultimately, the two companies will be sharing, what they called, a limited amount of user data, which includes phone numbers and other information about users.



No Option to Completely Opt-Out of Data Sharing


If you think WhatsApp is more privacy conscious than Facebook’s Messenger, it is not anymore.


WhatsApp is offering a way to partially opt out of the data sharing, specifically for Facebook ad targeting and product-related purposes.


However, the company notes that data will still be shared "for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities."


So, for those who are thinking of opting out of the data-sharing entirely: there's no possible way to opt out totally.


Though one short solution is to stop using WhatsApp.



Here's How to opt out of sharing data for Facebook ad-targeting purposes:


The company has outlined two ways to opt out of the exchange of information with Facebook on its blog.


One way is for those users who have not yet agreed to the new terms of service and privacy policy, so before agreeing to the new terms, follow these simple steps:


  • When prompted to accept the updated T&Cs, tap Read to expand the full text.
  • A checkbox option at the bottom of the policy for sharing your data on Facebook will appear.
  • Untick this option before hitting Agree. This will let you opt out of the data-sharing.

The second option is for those who have already accepted the new T&Cs without unchecking the box to share their information with Facebook.


WhatsApp is also offering a thirty-day window for users to make the same choice via the settings page in the app. To exercise your opt-out in this scenario you need to follow these steps:


  • Go to Settings → Account → Share my account info in the WhatsApp app
  • Uncheck the box displayed there within 30 days, as after that this partial opt-out window will expire.
However, WhatsApp states Facebook will still receive your data in some situations.

After introducing end-to-end encryption, WhatsApp has become one of the most popular secure messaging apps, but this sudden shift in its privacy policy may force some users to switch to other secure apps like Telegram and Signal.