Category Archives: Surveillance

Passwords – True Guards or False Friends?

Photo by Markus Spiske on Unsplash

One of the many problems with an increasingly digital everyday life is the false sense of security it so easily instils. We are lulled into believing that our passwords keep our data safe, that linking our bank accounts to our e-mail is harmless, that our phones unlock only with our own fingerprints, and so on.

We are not here to argue that the 21st century is a poor time to be alive; it is a fantastic one, with all the diversity, technology and freedom it offers. But everything has a price, including the convenience of the many everyday tasks that can now be done online (and in many cases can only be done online). Here the price is a set of digital threats: identity theft, ever-growing intrusion into privacy, cyber-bullying, leaks of personal information, bank fraud and numerous other breaches that range from unpleasant to life-threatening.

Passwords are one of the chief walls between the user of a device or application and the threats posed by attackers and malware. Or are they? Are they merely a veil that creates a false sense of security?

Basic password rules

Well, certainly if a skilled, well-resourced attacker sets out to get into your e-mail, and you are not a security specialist yourself, they will most likely succeed, often without guessing the password at all: phishing, malware on your device or a password reused from another breached site will do. Since that is not the scenario most people face, passwords remain a reasonably reliable defence against the average break-in attempt, provided they are chosen well. So it makes perfect sense to learn the basics of proper password creation, namely:

  • Random is better than predictable;
  • Complex is better than simple;
  • Long is better than short (length counts for more than clever character substitutions).

Avoid:

  • Reusing old passwords;
  • Using the same password on different websites (a leak from one site is immediately tried against all the others);
  • Keyboard patterns such as qwerty or 1qaz2wsx;
  • Doubling up a short password to meet a length requirement.

Two-step verification should be switched on wherever it is available; it is the one measure that still protects an account after the password itself has leaked.

And here’s another piece of advice so obvious that it almost seems ridiculous: never use passwords like 123456 and password. They are the first ones tried by even the most amateur attacker, and they betray a complete obliviousness to the basic rules of digital safety. Common pop-culture terms, digits in ascending or descending order, letmein, qwerty, iloveyou, admin, welcome, whatever and login have topped the “most popular passwords” lists for years on end, never mind that in a sound digital world there should be no such lists to begin with. According to one of the latest SplashData compilations, the newest 2017 addition is, ironically, trustno1.

A password manager is actually a great way to store passwords securely and to generate new, random ones if you are out of ideas; it also removes the temptation to reuse one password everywhere.

How vulnerable are we?

As the share of our activities that has shifted into the digital realm grows at lightning speed, the number of threats we encounter grows at roughly the same rate, so we need to understand how vulnerable we are and do whatever we can to become at least somewhat less so.

There is a lot of frightening information out in the open about crackers recovering upwards of 90% of the passwords in a leaked list of hashes. This is often blamed on hashing as if it were an insecure cryptographic method, which gets the picture backwards. Sites do not (or should not) store passwords themselves; each password is run through a one-way mathematical function that produces a hash, a fixed-length string of digits and letters. A hash cannot be converted back into the plain-text password. What an attacker does instead is guess candidate passwords, hash each guess and compare the result with the stolen hashes. The speed of that loop is what decides how many passwords fall: a fast, unsalted hash such as MD5 lets an attacker test billions of guesses per second on ordinary hardware, whereas a deliberately slow, salted password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) makes every guess cost thousands of times more and forces a separate attack on every account.

The first stage of such an attack, a plain wordlist with a few simple mangling rules, usually cracks over 50% of the passwords on its own; the later stages, Markov-chain guessing, brute force over short character spaces and combined wordlist attacks, are progressively more expensive and yield fewer and fewer passwords. There isn’t much that a regular user can do about the way a website stores their password. However, making sure you have complied with the relatively simple basic rules above means your password sits in the part of the list that the cracker never reaches, which will indeed protect you from break-ins, at least to a certain extent.
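The following is an added example, not code from the original article, illustrating both the password rules above and the guessing attack just described. It stores four constructed accounts two ways, as unsalted MD5 and as salted PBKDF2, and runs the same small wordlist with the mangling rules the article warns against (doubling, keyboard walks, a capital plus a digit, an appended year) against both. Nothing is ever "converted back"; the cracker hashes guesses and compares. The wordlist, passwords, salts and iteration count are all assumptions chosen so the demo runs in seconds; a real deployment uses far more iterations or a memory-hard function such as Argon2.

```python
import hashlib
import hmac
import time

# Constructed wordlist: entries of the kind the "most popular passwords" lists carry.
WORDLIST = ["123456", "password", "letmein", "iloveyou", "admin",
            "welcome", "login", "trustno1", "monkey", "whatever"]
KEYBOARD_WALKS = ["qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "qwertyuiop"]


def candidates():
    """Guesses in the order a cracker tries them: the raw list first (cheap,
    highest hit rate), then the cheap mangling rules the article warns against:
    doubling to meet a length rule, a capital plus a digit, an appended year."""
    base = WORDLIST + KEYBOARD_WALKS
    yield from base
    for w in base:
        yield w + w
        yield w.capitalize() + "1"
        for year in range(2010, 2019):
            yield f"{w}{year}"


def md5_unsalted(pw: str) -> str:
    """How a careless site stores passwords: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2_salted(pw: str, salt: bytes, iterations: int) -> bytes:
    """A slow, salted KDF (PBKDF2-HMAC-SHA256). The point is the cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def crack_md5(stored: dict) -> dict:
    """Dictionary attack on unsalted MD5. One hash per guess tests it against
    every account at once via a reverse lookup; nothing is ever 'decrypted'."""
    by_hash = {h: user for user, h in stored.items()}
    found = {}
    for guess in candidates():
        user = by_hash.get(md5_unsalted(guess))
        if user is not None and user not in found:
            found[user] = guess
    return found


def crack_pbkdf2(stored: dict, iterations: int) -> dict:
    """The same guesses against salted PBKDF2. The salt forces a separate run
    per account and every guess costs `iterations` HMAC computations: weak
    passwords still fall, just far more slowly; the random one is never reached."""
    found = {}
    for user, (salt, digest) in stored.items():
        for guess in candidates():
            if hmac.compare_digest(pbkdf2_salted(guess, salt, iterations), digest):
                found[user] = guess
                break
    return found


def per_guess_cost_ratio(iterations: int) -> float:
    """Rough wall-clock ratio of one PBKDF2 guess to one MD5 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(2000):
        md5_unsalted("benchmark")
    md5_each = (time.perf_counter() - t0) / 2000
    t0 = time.perf_counter()
    pbkdf2_salted("benchmark", b"0123456789abcdef", iterations)
    return (time.perf_counter() - t0) / md5_each


DEMO_ITERATIONS = 10_000   # assumption: kept small so the demo runs in seconds

# Constructed accounts: three policy-violating passwords and one from a password manager.
USERS = {
    "alice": "password2017",          # wordlist entry + year
    "bob":   "qwertyqwerty",          # keyboard walk doubled to reach 12 characters
    "carol": "Letmein1",              # "complex" only on paper
    "dave":  "v9#Kq2!pLm8@Rz",        # random, 14 characters, generated by a manager
}
# Fixed salts keep the demo reproducible; a real system draws them from os.urandom(16).
SALTS = {u: hashlib.sha256(u.encode()).digest()[:16] for u in USERS}


def demo() -> dict:
    md5_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    kdf_store = {u: (SALTS[u], pbkdf2_salted(p, SALTS[u], DEMO_ITERATIONS))
                 for u, p in USERS.items()}
    return {
        "md5_cracked": crack_md5(md5_store),
        "pbkdf2_cracked": crack_pbkdf2(kdf_store, DEMO_ITERATIONS),
        "cost_ratio": per_guess_cost_ratio(DEMO_ITERATIONS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the three rule-breaking passwords fall under both storage schemes, which is the lesson for the user: slow hashing raises the attacker's bill, it does not rescue a predictable password. The random one survives the whole candidate list. The cost ratio shows the lesson for the site operator: each PBKDF2 guess costs thousands of MD5 guesses, and with a per-account salt the attacker cannot amortise that work across the user base.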

Do Smartphones Know too Much about Us?

Image Credit: Josh Felise / Unsplash

Our smartphones hold so much information about practically every aspect of our lives that it is scary even to start thinking about it. Contact numbers, photos, videos, location history, banking credentials, personal messages and e-mails: this is just the standard list; there is certainly more significant and intimate information on your device than you would be willing to share with anyone, let alone the criminal who may have stolen your phone.

There are numerous programs, known as spy apps, that can be installed on a smartphone to give you control over the phone and online activities of a troublesome teenager or an unscrupulous employee. They grant roughly the same degree of control over the device as a thief would have over yours after a theft. Let us assume you are not planning to take advantage of what you find on a child’s or an employee’s phone and will use it only for their benefit in the former case and for the company’s benefit in the latter. There are still moral issues to consider, but at least no criminal activity is involved.

The secret life of a stolen phone

What happens, though, when a phone holding that wealth of personal information floats out into the ocean of distinctly criminal activity? Unpleasant, to say the least, and downright dangerous in the worst case. After his iPhone was stolen, Dutch filmmaker Anthony van der Meer decided to see what would happen to another phone, which he rigged especially for the occasion by installing Cerberus, an anti-theft app that lets you watch over your own phone once it is stolen. Its range of options is strikingly similar to that of spying apps: it can trace location history, take photographs and record video remotely, and report on the internet connection, phone calls and changes to the contact list. It also lets you back up or wipe your data remotely, which certainly sounds useful. In short, an anti-theft program lets you spy on your own phone. With a little extra work, installing the app on the system partition instead of in the user partition, van der Meer made sure that it would survive a full factory reset. He also kept it under the radar by renaming the app to something inconspicuous and by blocking the automatic updates and re-flashing that might have removed it.

Then he placed himself in situations that invited the theft of the phone (it actually took four days of trying, which is a reason for optimism) and began his investigation, filming himself in the process and revealing some of his counterpart’s activities, but not his face. What he observed over the following weeks was not particularly eventful, but that is not quite the point of this real-time, low-budget tech thriller. The point lies more in its exploration of the psychological relationship we have with our devices and the disturbing feeling we get when they are stolen, since they have become practically parts of ourselves. The film also explores the unusual one-sided relationship the filmmaker began to form with the person in possession of his phone. Strangely enough, questions of privacy surfaced as van der Meer felt that he might be invading the privacy of the alleged thief. The same question arises with spying apps, which are far from unambiguous from a moral standpoint.

Protect yourself!

The film Find my Phone is a curious exploration, but don’t just stop at watching it and musing on the concept. If you are genuinely concerned about the personal data your phone contains, installing an anti-theft app, and enabling the remote lock and wipe that your platform already offers, is a very good idea, before it is too late. Few of us want to conduct as thorough an investigation as van der Meer did; most of us just want protection from identity theft, from people meddling in our private affairs and bank accounts, and from the other unpleasantness that may follow.

Smartphone Sensors – a Growing Security Threat

Image Credit: Ponsulak / Getty Images / iStockphoto

As our everyday activities shift more and more into the virtual realm, both risks and advantages emerge. The advantages are apparent, and were it not for them there would be no problem to discuss. Communication, work, errands of every scale, entertainment, monitoring your health and sports activity, finding your way through unknown territory, making purchases: what can’t you do on a smartphone nowadays? The convenience and time savings are incredible, but everything has a price, and this process is no exception.

What threats does a regular user going about their regular activities face? First and foremost, intrusion into privacy, which can have extremely dire consequences. Data can be collected through phishing apps, network sniffing, malware and many other tools; a less obvious channel is the phone’s own sensors.

Types of sensors

Modern smartphones are stuffed with sensors that read incredible amounts of data about our bodies, our phone usage and our surroundings, which makes them ideal access points for malicious surveillance. A modern smartphone typically carries as many as 25 sensors, the most common being:

  • Proximity (detects whether an object, such as your face, is close to the screen),
  • Light (measures the ambient light level),
  • Fingerprint/Touch ID (scans fingerprints),
  • Accelerometer (measures acceleration along three axes, from which motion, tilt and vibration are derived),
  • Barometer (measures air pressure, and hence changes in altitude),
  • Gyroscope (measures the rate and direction of rotation),
  • Magnetometer (measures the strength and direction of the ambient magnetic field; the compass),
  • Gravity (a virtual sensor, derived from the accelerometer and gyroscope, that reports the direction of gravity).

The versatility of modern devices is amazing, and while we are mostly aware of how our data can be compromised by spying apps, the more recent development in this field is sensor-based spying, and user privacy may soon face another wave of attacks of this new type. How can sensors give away more about us than we would suspect?

Take, for example, a set of data that would be extremely useful to an intruder: the user’s taps on the touchscreen. Every tap tilts and jolts the phone slightly, and the tilt depends on where on the screen the finger lands, so seemingly innocent motion-sensor readings betray what the user is typing, from passwords and PINs to intimate messages and sensitive company correspondence. Sensor-reading spyware typically relies on a machine-learning model trained on labelled taps, so it only gets better at discerning your personal habits and patterns over time.

While this type of threat is not widespread just yet, it is merely a step away. Researchers have already built proof-of-concept code, tested on volunteers, that revealed a remarkable amount about them. In the study conducted at Newcastle University, which read the motion sensors from a web page running in the phone’s browser without asking for any permission, 70% of four-digit PINs were recovered on the first guess and 100% by the fifth attempt.

Risk awareness and prevention of malicious access

Google has already removed dozens of potentially dangerous apps from its Google Play store because they requested suspicious amounts of access to sensor data unrelated to the app’s stated purpose. Of course, new ones are bound to appear, and they are likely to become ever more intricate and harder to filter out, so it is up to the user to pay attention to what is going on inside the device.

Image Credit: Rooksecurity.com

Users are generally more aware of the obvious risks posed by GPS data and by spying through the camera and microphone than they are of the silent sensors. However, the silent motion sensors usually require no explicit user permission to be read, unlike the camera, GPS and microphone, which leaves them even more open to malicious access. Combined with the ever-increasing computing power available for analysis, sensor data will reveal more and more information that we would most likely want to keep private.

Now that the public is growing more aware of the threat, the next question is how to avoid this subtle spying. Can we prevent the sensors from betraying our private matters to criminals? There is quite a bit we can do, but it is the same old advice that security experts have given in the past.

  • Do change passwords and PINs on a regular basis.
  • Uninstall unused apps.
  • Close all unneeded apps running in the background.
  • Don’t install applications from outside official app stores.
  • Examine permission requests from all apps before installation.
  • Scrutinize the app permissions already in place.
  • Keep your operating system up to date.
  • Update installed applications regularly.
  • Consider using fingerprint authentication whenever possible; a fingerprint is not typed, so it leaves nothing for the motion sensors to record.

Are Backup Extractors New Cell Phone Tracker Apps?

Image Credit: Alejandro Escamilla / unsplash.com

While cell phone tracking applications are growing in number and popularity, the discussion around the ethical and moral issues of their use has not stopped either. However, popularity cannot compensate for one limitation of the software: all such apps require physical access to the target phone to be effective.

Surely the existing options are sufficient for many users, but how much better would it be if physical access were optional? Mobile tracking at an entirely new level, almost DIY hacking for beginners. Are there any such options already on the market?

We have recently reviewed two backup extractors on our website, Auto Forward and DDI Utilities. We did so for several reasons.

  • These seemingly unrelated products caught our attention because both are offered in two versions:

1. for iPhone

2. for Android

  • Which is quite extraordinary, by the way, considering that every backup extractor we know of requires a connection to the phone, regardless of where the backup lives (iCloud or the iPhone itself). These two state that they do not; they actually claim that no physical access is required, and it is quite hard to understand how they work. For an iPhone the obvious explanation is that the tool downloads the iCloud backup using the Apple ID and password, which needs no physical access but does need the credentials (and, where two-factor authentication is enabled, a code from a trusted device).
  • Besides, both websites offer pretty much the same options as most cell phone spyware programs do: access to all the backup data on the target phone, calls and text messages, media files and all. Well?..
  • It is also curious that Auto Forward used to be called Auto Forward Spy and has since changed course. DDI Utilities has not been noticed in any monitoring activity before; however, its website resembles Auto Forward’s in a number of ways, and the two show the same information at the payment step. So, is there any chance they are related?..

While there are dozens of mobile tracking applications available today (mSpy, HighsterMobile, FlexiSpy, TeenSafe, SpyEra and so on), none of them can be used entirely remotely: the app has to be installed on the target phone at the outset for it to work at all.

If the aforementioned applications can access a target phone remotely, that is fascinating on the one hand and a matter for concern on the other. As a backup extractor, such an app will not give its user real-time information, live calls or keylogging; it does, however, give ample opportunity to access all the past information that a backup contains. And that is something to think about.

Most backup extractors are very useful and convenient tools that can genuinely rescue someone’s data. However, the same application can be used in many ways. If “Enter the Apple ID and password of the device you want to” is all you need to know, you might actually do more than back up or recover YOUR data.

Needless to say, none of these applications claims to be mobile tracking software; however, the potential is definitely there.

How to Withdraw from the Internet


Image Credit: Elizabeth Lies / unsplash.com

The social network euphoria of the last decade has prompted many of us to ladle out personal information that can be compromised and used against us. This may be the last thing on your mind right now. However, as the euphoria subsides, privacy becomes a primary concern. We begin to realise that there is personal information we should not have posted, because it can cause us a lot of trouble if and when it falls into the wrong hands. Once you discover you no longer want your personal information showing up online, you can take steps to mute your ‘fame’.

Cut down on social networks

Sites like Facebook, Twitter, Google+ and so on make us want to share tons of personal information: names, job positions, social status, pictures, avatars and more. Your accounts should therefore be the first meat for the grinder if you are really concerned about your privacy.

Facebook, Twitter, Google+ and LinkedIn all have an option to deactivate or permanently delete your account. Select it and follow the instructions, and mind the difference: deactivation usually only hides your data, whereas deletion removes it after a grace period.

This is not only about social networks. We also hand over personal data when registering on other websites and forums. Some users have registered on dozens or even hundreds of sites and have trouble remembering them all; the average American user reportedly has over a hundred accounts per e-mail address, too many for human memory to handle. In this case it is advisable to use a tool or service to track all your accounts and have them erased automatically.

Get them off your back

There is one thing you should be aware of: your data will not disappear from search engines immediately. With Facebook, Twitter, LinkedIn, Google+ and the rest, it may take weeks for your profile data to disappear completely. While the process continues, you can use other ways to mask your footprints.

Request that search engines delete results that refer to your personal data; for example, use Google’s URL removal tool. Bear in mind what such a tool does and does not do: it hides a result from the index only temporarily unless the page itself has been taken down or blocked, so if the content is still online it can reappear once the removal expires. The tool speeds up the disappearance of a page that is already gone; it is not a substitute for getting the content removed at the source.

Type your name into a search engine and look where it pops up. Bookmark every place it appears. Because you cannot delete that floating content yourself, all you can do is contact the site and ask politely for the data to be removed as soon as possible: your employer’s website with your name still dancing on it, a relative’s website or blog with photos of you, and so on.

Image Credit: William Iven / unsplash.com

Because you cannot remove everything right away, and not every website will remove your data on request, use some cover-up tricks to distract people from your personal data. For example, you can create several profiles on the same popular sites with nothing on them but general information that cannot be compromised. Your ill-wishers will see nothing but blank pages and there will be nothing they can do about it.

If there are accounts you cannot delete, change them beyond recognition and let visitors think you live in another city, have a different name, work at a different company and so on. Use your creativity!

Go the automated way!

As mentioned above, there are tools and services that can help you deal with your accounts, even if you have accumulated a ton of them, in a matter of minutes. Not everything can be removed manually; happily, there are websites that will do the job for you. One caveat before you sign up: to close accounts on your behalf, such a service needs your login details for every one of them, so you are handing the keys to your entire online footprint to a single company. Check who is behind it and what it does with those credentials before you trust it.

There you can find any network or resource where you might have registered years ago, and the system will do the mop-up and give you the much-longed-for freedom and peace.

Popular Flash Keyboard Appeared to Be a Spy Program

According to recent news, the very popular Flash Keyboard app was found to collect data and transfer it to third-party servers.

Flash Keyboard is one of the numerous Android applications that became popular thanks to its functionality, multilingual support and nice design. It was positioned as “extremely adaptive” and easy to use in any situation. Its total number of downloads and installs at one point reportedly exceeded WhatsApp’s, and that is saying something.

However, it seems the keyboard was useful to more than its users. As research by Pentest Limited shows, it asked for far more permissions than a keyboard needs and got access to private data. For example:

  • the app got access to the device camera;
  • it was able to replace the lock screen with one carrying advertisements;
  • it sent alert messages;
  • it was able to terminate other apps’ background processes (for example antivirus apps);
  • it also appears to have sent the collected data (mostly the device model and manufacturer, GPS location and the IMEI number) to servers in the US, China and the Netherlands. Pentest believes these data may have fed analytics platforms.

Granted, analytics services are not threatening by nature; however, excessive permissions and excessive data collection are exactly the things that can always be misused by someone.
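The permission review recommended in the sensor article above (examine permission requests before installing, scrutinise the ones already in place) and the Flash Keyboard findings just listed are two sides of the same check, so here is one added example covering both. It is not code from the original article, from Pentest Limited or from any app vendor. It parses a decoded AndroidManifest.xml (what apktool or `aapt dump xmltree` gives you for an APK) and flags every `uses-permission` outside an analyst-defined baseline for that kind of app, naming the capability each extra permission buys. The baseline is an assumption, and both manifests are constructed to illustrate the pattern; neither is Flash Keyboard’s real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Analyst's baseline of what an app of each kind plausibly needs. This is a
# judgement call (an assumption of this example), not an Android rule.
BASELINE = {
    "keyboard": {P + "VIBRATE", P + "INTERNET", P + "READ_USER_DICTIONARY"},
}

# Permissions that hand an app control over the device or the user, with the
# capability each one buys. The article's findings map onto several of these.
HIGH_RISK = {
    P + "CAMERA": "take pictures / record video",
    P + "SYSTEM_ALERT_WINDOW": "draw over other apps (fake lock screens, full-screen ads)",
    P + "KILL_BACKGROUND_PROCESSES": "kill other apps' background processes (e.g. a security tool)",
    P + "READ_PHONE_STATE": "read device identity such as the IMEI",
    P + "ACCESS_FINE_LOCATION": "GPS-precision location",
    P + "ACCESS_COARSE_LOCATION": "network-based location",
    P + "RECEIVE_BOOT_COMPLETED": "start itself automatically at boot",
    P + "READ_SMS": "read text messages",
}

# Constructed manifest resembling the pattern described for the keyboard app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fancykeyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-feature android:name="android.hardware.sensor.accelerometer" android:required="false"/>
  <application android:label="Fancy Keyboard">
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

# Constructed manifest of a keyboard that asks only for what it needs.
MODEST_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainkeyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Plain Keyboard"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Every <uses-permission android:name="..."> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def declared_sensor_features(manifest_xml: str) -> list:
    """<uses-feature> sensor declarations. Note the asymmetry the article points
    out: reading the accelerometer or gyroscope needs no permission at all, so
    the manifest may say nothing even when an app samples them continuously."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name", "") for el in root.iter("uses-feature"))
    return [n for n in names if n.startswith("android.hardware.sensor.")]


def audit(manifest_xml: str, category: str) -> dict:
    """Compare requested permissions with the baseline for `category`.
    Verdict: 'ok' (nothing outside the baseline), 'minor' (extras that are not
    in HIGH_RISK) or 'REVIEW' (at least one high-risk extra)."""
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    baseline = BASELINE[category]
    unexpected = [(p, HIGH_RISK.get(p, "outside the baseline for this app type"))
                  for p in requested if p not in baseline]
    if any(p in HIGH_RISK for p, _ in unexpected):
        verdict = "REVIEW"
    elif unexpected:
        verdict = "minor"
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "requested": requested,
        "unexpected": unexpected,
        "sensor_features": declared_sensor_features(manifest_xml),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, MODEST_MANIFEST):
        report = audit(manifest, "keyboard")
        print(f"{report['package']}: {report['verdict']}")
        for perm, capability in report["unexpected"]:
            print(f"  {perm[len(P):]:<28} {capability}")
```

For the constructed keyboard this prints a REVIEW verdict with the five extras (camera, overlay window, process killing, phone identity, precise location), which is exactly the shape of the list above: each one is a capability a keyboard has no business holding. The modest keyboard comes back clean. The `sensor_features` field is reported separately because it is advisory only: motion sensors leave no permission trail, so an empty list is not evidence that an app does not read them.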

It is believed that the app was not intentionally developed as a tracking tool; however, it is rather strange that DotC United, the Hong Kong-based developer of Flash Keyboard, declined to comment when asked by several media outlets.

The application has since been taken down and is no longer available in the Google Play Store; however, a new, similar keyboard by the same company is available to the general public. Let’s hope it does not use the same tricks.


How Americans See Surveillance

Most Americans are familiar with U.S. surveillance programs.


According to Pew Research Center research carried out last year, most Americans are aware of government surveillance programs; the attitudes of the general public, however, differ greatly.

As the study showed, about 31% of U.S. adults have heard a lot (and 56% a little) about the government’s programs for monitoring terrorist activity, which involve monitoring of phone calls, e-mail and other means of communication.

Men are more aware of this than women, 37% versus 26%, and college graduates know more about it than people with only a high-school education.

Who Cares

Another aspect studied was the level of public concern about this surveillance. Again, the answers differed: about 17% reported being “very” concerned, 35% “somewhat”, 33% “not very” and 13% “not at all” concerned.

However, people showed far more concern when it came to surveillance of their own activities rather than government counter-terrorism programs in general. The areas of concern differ between the groups questioned:

  • Monitoring of search-engine use concerns about 39%.
  • E-mail monitoring concerns about 38%.
  • Cell-phone monitoring bothers about 37% of U.S. citizens.
  • Government monitoring of Facebook, Twitter and other social networks concerns 31% of those questioned.
  • Monitoring of mobile apps concerns about 29%.

The statistics also show that women are less likely than men to be concerned about government surveillance in general, but much more concerned when the question turns to monitoring of their own private matters.

U.S. citizens are also more comfortable with the idea of targeted surveillance of others, as long as it does not concern their own affairs.

A majority of Americans see targeted surveillance as a necessity in the light of terrorist events; a sizeable part of the population also finds it acceptable to keep the country’s leaders under the radar.

  • Monitoring of suspected terrorists is acceptable to 82% of Americans.
  • 60% find it acceptable to monitor American leaders’ communications.
  • 60% find it acceptable to monitor foreign leaders.
  • Monitoring the communications of foreign citizens is acceptable to about 54%.

However, only 40% of those surveyed find it acceptable for the government to monitor the communications of its own citizens; about 57% find it unacceptable.

The research revealed several interesting patterns. The main one is that people who know more about monitoring and about the government’s capabilities in this sphere are less likely to approve of the idea in general, whatever the target, foreign or domestic. The same goes for age: younger generations find it much less appropriate and acceptable than older ones.

To Cap It All

All in all, here is a brief summary:

  • 77% of American adults favour government monitoring of a person who “has visited a child pornography website”.
  • 68% find it acceptable to keep “someone who exchanged emails with an imam who preached against infidels” under the radar.
  • 67% favour monitoring a person with ties to “known anti-American groups”.
  • For 65% it is acceptable to monitor a person who has used weapon-related search terms.
  • 51% even find it acceptable to monitor a person who has made “unusual withdrawals” from a bank account.
  • The use of encryption software is sufficient reason for monitoring in the view of about 49%.
  • 49% think the use of “hateful language about American leaders” is sufficient reason for a person’s activity to be monitored.

More information and the full report are available on the Pew Research Center website.


FBI Warns about a USB devices/Keyloggers

According to official FBI information, a number of USB charging devices have appeared that work as keyloggers and are able to capture and transmit everything typed on nearby wireless keyboards.

Anyone who follows news in this field should remember KeySweeper by Samy Kamkar, a device that looks like an ordinary USB wall charger.

The device works as a wireless sniffer: it decodes, stores and sends out any keystrokes it detects from a vulnerable wireless keyboard. Anyone interested could check the viability of the product and follow the stages of its creation on its creator’s blog.

It is hard to see why the FBI decided that now is the time to act on a device that appeared a year ago, but be that as it may, KeySweeper is now closely watched by law enforcement.

One of the major issues the FBI names with regard to such devices is that they are very easy to use, or rather misuse. They look completely normal and can be placed anywhere around an office or any other place where wireless keyboards are used. Thus, cybercriminals are able to steal personally identifiable information, login and password details, intellectual property, trade secrets and other confidential information. The practical defences are wired keyboards, or wireless ones that encrypt the radio link with a strong cipher such as AES, plus the habit of treating any unfamiliar charger or dongle plugged in around the office as suspect.

The problem is that the captured keystrokes leave the building over the device’s own link (Kamkar’s build sends them out through a built-in cellular modem), not over the victim’s network or computer, so it is very hard even to notice that something was stolen.

The FBI report also states that the information was obtained in the course of a classified investigation. According to journalists who contacted Samy Kamkar, he had given no information to the bureau.

No attack using such a charger-turned-keylogger has ever been publicly reported; however, the FBI takes the view that forewarned is forearmed.

Office Security and Mobile Apps

Technology is created for our benefit, and we certainly use it to make the world better in turn. The same goes for the various mobile applications that employees bring into the workplace; they also bring a risk to the office security system and a number of other problems that are bound to arise.

Many organisations have started to adopt BYOD (Bring Your Own Device) policies, or to add stealth monitoring software to make sure that everything is all right. However, not everything about such practices is smooth.

A Gartner report published in 2015 found that the majority of mobile apps fail basic security tests, which makes them unsafe for use inside an organisation, especially a large enterprise.

A BYOD policy does not guarantee security, and if your organisation has one, it is high time to improve the security testing of all mobile apps. Organisations are sometimes either ignorant or unaware of the threat that mobile apps may bring; there is a lot an organisation is better off being protected from.

Recommendations for Avoiding Problems

  • It is essential that companies keep their SAST and DAST (static and dynamic application security testing) up to date. Why? Because a company’s tests need to cover all the mobile platforms its staff actually use, and that is not an easy task as apps multiply by the day.
  • Employers should have visibility into what runs in the background on devices that reach company data, so that unwelcome activity can be stopped.
  • All servers and devices should be tested and protected, especially those that mobile devices connect to regularly.
  • Only apps that have passed security testing should be admitted and allowed for download.
  • App wrapping and application-containment SDKs are advised for better protection of company data.

More than 90 percent of businesses today rely on third-party apps under their BYOD policies. This is why, according to Gartner, 2017 will see enterprise security shift towards mobile app security: endpoint breaches will focus increasingly on smartphones, and three quarters of mobile security breaches are expected to result from mobile application misconfigurations rather than from deep technical attacks on the devices themselves.

The shift to mobile security is coming, and fast. It makes sense to pay closer attention to mobile apps, since they are likely to pose a stronger threat over time: as they become more capable they also become more complex, including from an enterprise-security perspective. It is high time to pay closer attention to the applications that protect a company’s data.

Encrypted Smartphone and Consumers’ Reaction

Image Credit: silentcircle.com

In the light of the revelations about the NSA spying on its own citizens, mobile security has received more attention. It has become known that the National Security Agency was involved in surveillance activities that included tracking of cell phones and the like. In this context the appearance of a new device, an encrypted smartphone, should surprise no one.

Since both the idea and the device are new, it is hard to predict how many customers might be interested in buying such a smartphone.

Blackphone – What Is It?

The new encrypted device is called the Blackphone and is a creation of Silent Circle, a company that specialises in encryption and cell phone security and claims to have created a product that can be relied on. In its words, every effort was made to ensure that the user’s privacy is protected and that no outside control over the device is possible. In the light of recent revelations, many smartphone users clearly feel uneasy and less secure about their devices, and there are great expectations that the Blackphone will gain popularity quickly.

The main goal of the Blackphone was to make a phone that could send and receive encrypted messages and calls without the risk of their being intercepted and read. The smartphone is claimed to be easy to use and familiar to customers in terms of interface, applications and general appearance. One caveat a buyer should keep in mind: encrypted calls and messages are protected only when the other party also uses a compatible encrypted app, and no amount of encryption helps a phone that has already been compromised by malware.

The Blackphone is sure to draw the attention of users working in fields with high security requirements, business people and so on. It will also interest the general public, since in the light of recent NSA activity many people are unhappy at the prospect of being tracked or overheard and stripped of their privacy. As the device has only just been launched, it is hard to make any definite prediction about its mass-market prospects. Besides, it is not yet clear whether the Blackphone is as reliable as the promises sound.

One thing is for sure: the Blackphone is a new word in the mobile world, and it definitely offers much stronger encryption than existing phone models; however, unless it becomes more widely available and proves that it works as it should, it is likely to remain the choice of only a narrow circle of interested people.