Secure browsing with Chrome and Firefox

Google is leading the push to an encrypted and more secure internet. The Chrome browser’s security team is changing the way Google Chrome handles web pages, with Firefox playing catchup.

Have you noticed that little padlock icon that often appears on your browser’s address bar? Look at the left end of the navigation bar. What do you see?

On Chrome: 

On Firefox: 

On Internet Explorer (to the right): 


With the default HTTP protocol (the S stands for ‘secure’) all information is sent in plain text (unencrypted); any computer in between the sender and receiver can read the traffic. The padlock with the HTTPS means that the connection between your computer and the computer at the other end is secure, i.e. the traffic is encrypted and information cannot be snooped by a third party in transit. This is why people who build websites in a responsible fashion have at least ensured that their login pages and sensitive information (such as credit card information) is served over HTTPS instead of HTTP.

If you click on the padlock, you might see some more information that helps verify that the site is indeed owned by those who claim to own it. Like so:

Nevertheless, few people actually watch out for the padlock to see whether the sites that they login to are secure. We need something simpler. This is what Chrome and Firefox have done: when a user goes to a page that requires sensitive information to be put in, it checks whether the connection is over HTTPS. If it is not, they warn the user that the page is not secure.

See what happens when I click the ‘login’ box for Qantas’ site.



What if a technically-informed user tries to force the website to use HTTPS, but the site tries to ‘downgrade’ to HTTP? See the example when I navigate to

On Chrome:

On Firefox:

Also notice how different these warnings are from equivalent warnings in Internet Explorer:

While it does look ugly and slightly menacing, we have come across them enough times, especially at our workplaces, that we have learned to click through the warning to reach the sites that we wish to reach. Chrome and Firefox makes the clicking a little bit more difficult in order to secure their users.

The major browsers, including Safari and IE/Edge have gone further for sites that they consider to be actually malicious. They block them to prevent the user from unintentionally accessing them.

The long-term goal from Google is to make all sites use HTTPS so that our browsing is generally more secure. Google will give HTTPS-using sites an advantage over sites that do not use it in their search results. The plan was announced in advance so that website owners would have the time to make the required changes. It has also given Mozilla time to catch up and join the plan.


What can you do to improve your browsing security?

  1. Use a modern browser such as Chrome or Firefox (stop using Internet Explorer) that puts in the effort to protect you.
  2. Use the ‘HTTPS Everywhere’ add-on from EFF (Electronic Frontier Foundation) to force sites to use HTTPS if there is an HTTPS version.
  3. Use an ad-blocker to prevent malicious advertisements from showing up.

Also see:


Securing yourself online

My blog has been slightly inactive on account of my travels. Here is a little Christmas gift. This article contains points that I have distilled from a presentation that I have made for the same purpose, i.e. educating people about what they can do to make their online lives more secure.

There are a number of things that we can do to keep our valuable data private and available to us when we need it. Here are a bunch of them that I apply in my personal life. They start from the simple and free and go towards the technically complex and paid. Note that I have avoided putting in details on how to do each item as the article is already long. Doing a search on Google (or DuckDuckGo) with the heading should provide you with more details on each item.

Caveat: none of the advice below guarantees your security. If the NSA wants to see what you’re doing, they probably will. Security requires ‘defence in depth’. If one measure is surmountable, it helps to have another measure to back you up. If a malicious entity somehow breaks the security of your VPN, they may be set back by your HTTPS connections; if they sniff/steal your password, they may be set back by your 2FA token. Those of us in the information security industry hope for (and work toward) a future where the layman does not need to have sophisticated IT knowledge in order to secure their lives. Read on!

Some stuff is too valuable to have only one copy of. In the event that a hard disk fails, you will want to have a backup in another hard disk or on the cloud. Every article that I write is initially typed up on my computer / online storage before it is copied into my website. Additional hard disks for storing large volumes of photos and videos is now cheap.

Password locking & password managers
If your computer connects to the internet, it can be easily accessed remotely and it needs a password. Make it at least 15 characters and do not reuse the same password anywhere else. Read this series of posts about password management and stop trying to memorise all your passwords. Get a password manager to remember passwords for you. Make the passwords in your password manager totally random, long, distinct (do not use the same one in two places) and unmemorable. One password for your computer, one for your phone and one for the password manager should be all you need to remember – these few can use simple but long passphrases instead.

I have also come across recommendations (there is no consensus) to not use  security questions that allow you to recover your account if you should forget your password. They fill the security question field with gibberish. Security questions to help reset passwords are a weakness that allows people to access accounts without cracking their passwords. Of course, there will be difficulty if you lose your password and lose access to your account.

Windows update (and other autoupdates)
This is a critical and fundamental security measure. Ensure that automatic updates are turned on by default for your Windows and other software on your computer. The browsers that you use and MS Office are critical. Java and Flash are notorious for their vulnerabilities and need frequent updates. Any time a vulnerability is found, there is a race between manufacturers trying to push updates to users and malicious actors attempting to exploit the vulnerability. Enabling auto updates keeps you on the safer side of the curve.

Windows firewall
The default firewall on your computer should be enabled. More precisely, do not disable it.

This is something fundamental. It should not give you a sense of security, but having antivirus or antimalware software is a minimum security requirement. Plenty of free and paid antivirus software are available. The fact that you pay for it does not necessarily make it better.

Pirated software and jailbroken devices
Using pirated software is a good way to introduce malware into your computer yourself. The act of jailbreaking a device to give it features that the manufacturers did not intend it to have necessarily requires breaking the security of the device. Avoid doing these things. Get software that is free to use or buy commercial software.

Mobile phones
If your phone allows biometric authentication, enable it and use it. Your secondary authentication mechanism must be a long PIN / password (10+ characters minimum, 14+ optimal). The PIN might be slightly easier to use on account of the bigger size of the buttons. Ensure that your secondary authentication (e.g. a PIN) is not easily visible to others who are looking at your phone. Drawing patterns are easily observed by shoulder surfing and easily broken by technical means. Do not leave the phone where others can physically access it.

Laptops and other portables
These devices should not be left in places where other people can access them. It is possible for someone malicious to fry your computer by plugging something nasty into its USB drive in seconds (see USBKILL) and walk away. It is also possible for someone to gain control of a locked computer, again by sticking something into the USB port, in seconds. The cost of gaining access? A $5 device (see PoisonTap). The previously mentioned advice about HTTPS also helps with the last item.

Encrypt the hard disks of devices (including phones) to protect data from theft in the event that the device is physically taken. Encryption is not a panacea. It is effective if the device is switched off, but it might be possible for a skilled attacker to extract data from a powered-on device.

Connecting to WIFI
Never connect to free insecure WIFI is the general security advice. Some people go further, choosing to always carry their personal WIFI router with them when they travel. Having a VPN connection enabled by default may be a mitigating measure to connect to insecure WIFI (see below).

Avoid clicking on links on opening attachments sent to you by email. This is the easiest way people get hacked – not through fancy technical mumbo-jumbo, but though stuff sent to you by email. Avoid forwarding any email that asks you to forward it.

USB drives
USB is infamous for being fundamentally insecure. At a basic level, never plug in an unknown USB stick into your computer, especially if you find it in the car park or on your desk. This includes tablets and phones that need to be charged – i.e. anything that has a hard disk. Don’t do it as a favour to someone that you do not know (some of us would not do it as a favour to people whom we do know). Disable autorunning of USB devices. You can find a number of articles explaining how to do this for your operating system. Also recollect the two items (USBKill and PoisonTap) mentioned in the section about keeping portable devices physically secure.

Software and apps
In general, install software and apps only from trusted parties. Do not install mobile apps from outside the standard app stores. For mobile phones, be wary of apps that ask for many permissions to function. The newest versions of IOS and Android allow users to give the app permissions only when it actually needs them.

Browser & websites

Any site that you login to must use HTTPS. Do not enter credentials or personal information such as date of birth, credit card information or ID information into a site that has no HTTPS. Add on the HTTPS Everywhere free plugin to your browser to force all sites that have more secure encrypted versions to provide you with the encrypted version of the site. Using HTTPS does not ensure security (it requires a slightly technical and much longer article), but without it one can not expect web browsing security.

Automatically clear your cache when you close the browser. This may be hard to get used to, but it makes it significantly harder for third parties (and first party sites) to track you. This can prevent websites from showing you the inflated prices that they showed you the first time you visited – since they no longer know that you had already visited. Enable the do not track feature. Use an ad blocker to block advertisements. Advertisements are a way for malware to spread through web browsers and to slow down your browsing. The site owner usually has no control over what content is provided to you in advertisements. A year ago, Forbes spread malware to its readers through advertisements.

Use a different browser for stuff like your email and social media that require you to log in and another browser for all other browsing. This can prevent Facebook from knowing that you’re planning a vacation to Iceland and providing you with ads. It can also prevent a malicious site that you happen to be on from reading information that you provide another site.

Control what is on your social media
Periodically check privacy settings on social media to understand how the content that belongs to you is used by companies such as Facebook, LinkedIn and Twitter. Tagging your face on pictures makes it easy for software to identify your face resulting in consequences that may be positive or negative. In general, do not post things on social media that you may regret if someone reads it out of context. It is easy for someone to screenshot your post and paste it elsewhere, minus the context. Avoid giving out information such as your date of birth and family members as this information may be used by your bank or a government to authenticate you. (When was the last time you had to tell someone on the phone your birth date or your mother’s maiden name to convince them that you were you? It can’t have been very long ago.)

Home router
Critical: change the default username and password for the WIFI router. This is typically something like ‘admin’ for username and password. In many cases you can reach the settings page by typing in “” or “” into your browser. Change the SSID (i.e. the WIFI name) and if possible disable access point broadcasting. Default SSIDs make it trivial to find the kind of WIFI router and makes it that much easier to attack. I have known wireless printers to be unable to connect if you disable AP broadcasting, so it might not always be possible. Use WPA2-PSK security with a long password for connecting to the WIFI (note that this is different from the router admin password). Periodically update the router software (every half year is a good bet for the layman).

SMS and phone calls
Understand that the providers of your mobile connection have all information about the numbers that you dial and the contents of the SMSs that you send. They can also listen to your calls. If this concerns you, you might want to use encrypted messaging (see ‘different providers’ section) and encrypted calling services. They function in a foolproof manner only when both people use the service and the encryption is end to end, but encrypting content to the service provider gives some amount of privacy as well.

Use a VPN
Virtual private networks (VPNs) are commonly used to create an encrypted remote connection between a person and his office environment when he is not on site. This technology can be used to protect your internet browsing data as well. VPNs can be used to protect your browsing if you need to connect to weakly protected WIFI networks and to mask your location from thisa  parties. VPN software typically require payment, but can be cheap.

Edit 2 (31 Jan 2017): I have removed this recommendation altogether because using the wrong VPN provider can cause greater risk to the user than not using a VPN at all. Too high a proportion of VPNs are implemented insecurely / have a shady business model for this recommendation to stand [research paper].
Edit: VPN caveats: Not all VPNs are created equal. Understand their business model and whether they do actually value your privacy. Obviously, the VPN provider has the ability to read data when it enters and leaves the tunnel (prior to any VPN encryption) unless the traffic is encrypted even before it goes into the VPN (e.g. all your Facebook and Gmail traffic). If the VPN is available for free, ask why. Does their business model depend upon selling user information?

Use different providers altogether
Use providers of services who respect your privacy and do not use your information for their own benefit. Try DuckDuckGo for search instead of Google; secure email services instead of Gmail (which reads your mail) or Live mail / Outlook (which can read your mail). If you are still using Yahoo!, please stop now! (right now!) The same goes for messaging tools and VOIP. See the Electronic Frontier Foundation’s (EFF) secure messaging scorecard regarding security and privacy. You may be pleased to know that the most common messaging application, Whatsapp, is quite good at the moment.


Edit (4 Jul 2020): Updated links and a few critical items based on current knowledge. Note that this is still a 2016 article.

Using the Gartner magic quadrant when buying security products

The Gartner magic quadrant is ubiquitous at security sales presentations. Being featured in the quadrant, the leaders quadrant in particular, is a part of the vendor pitch and the recognition that it provides may have an impact on the purchasing decision. Is it of such significance and should it impact your purchase decision?

Gartner does provide useful analysis of security products, their penetration into markets and their product maturity. I occasionally check out Anton Chuvakin’s blog on SIEM as I find it a useful resource in my own specialisation. Knowing the quality of the output (at least in the SIEM blog), I have some faith that the MQ delivers what it promises to deliver. This is what one needs to note: is the MQ’s judgement criteria relevant to your purchase decision?

In very few sales presentations that I have attended have I seen an actual quote from Gartner’s analysis provided by the vendor. They have contented themselves to put up the MQ itself to allow potential clients to assume that that means it is a fantastic product or, if the product is the highest and rightmost on the chart, the best product. The clients for their part appear to fall for the assumption. This is not what the MQ is meant for. While the MQ does say something about the market penetration, the vision and coverage of the product and vendor, it says very little about whether the product fits your business. Users look for products in the top-right quadrant, when in fact a product in the top-left may be a much better fit for your environment.

Gartner explains their methodology for the magic quadrants here.

Gartner is very open in stating that the quadrants talk about the capabilities of the technology providers in executing and envisioning the future for the type of product. It says nothing about the technology solution on offer and does not pretend to. Gartner’s critical capabilities articles are much more useful when considering products provided by the vendor. More importantly, use this as no more than as a starting point when considering dealing with a vendor / product. There might even be a chance that the best-fitting product is not there in the quadrant or that there is no quadrant for the kind of product that will fit your requirement.

Gartner’s analysis is inadequate to inform you as to whether the product will work for you. Get your vendors to come up with a proposal to fit your requirements and perform a proof of concept with a few vendors and with you security team to really understand the product for your decision making.

You might also find these articles interesting:
The horror of the security product presentation
Comparing SIEMs for your environment

I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out:

Review: No place to hide – Edward Snowden, the NSA, and the US surveillance state

Glenn Greenwald is the reporter who, along with Laura Poitras, broke Edward Snowden’s leaks about the NSA’s mass-surveillance program in 2013. In “No place to hide” Greenwald tells the story of how the leak happened, from the first contacts with Snowden to the aftermath in the next year. Greenwald also devotes a chapter to explaining why the ordinary person should care about mass government surveillance.

The big story is about the content of Snowden’s leaks, but the reader also gets to understand and appreciate Edward Snowden. Snowden’s motivations for putting his entire future at risk is probably the significant reveal of the book. Snowden has no significant character flaws that suggest that he might want to bring down the establishment. He is a person who might be considered to have a “decent middle-class” upbringing and was working highly-paid jobs when he stole the classified documents. He even created a manifesto that includes “While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.” – paraphrasing Thomas Jefferson who said “In questions of power then, let no more be heard of confidence in man, but bind him down from mischief by the chains of the Constitution.”

Many pages of the book are spent on the details, the illegality, the implications and the lack of necessity of the bulk data collection of the NSA. This data is collected from and shared with the partners in the five eyes: UK, Australia, New Zealand and Canada. Greenwald argues that targeted data collection of specific individuals is adequate and effective and that bulk data collection has been useless in preventing terrorist attacks. Also, despite the stated goal being terrorism prevention, surveillance has been put to use for economic and diplomatic advantage of the United States. This is precisely what the US has hypocritically asked China to stop doing. And “who watches the watchers?” The FISA court, created to oversee covert operations, is nothing more than a rubber stamp that has not denied a single surveillance request.

Most people who are habituated to living in the society where they think allowing the government to read their emails (or pancake recipes) is harmless. “I am too boring to be worth surveillance.” Greenwald has a reply to people holding these attitudes. He explains that most people who would do nothing to challenge the establishment would not feel threatened, but when something that the establishment prefers to keep hidden is in one’s possession, one becomes a target. This has nothing to do with threats to national security; just having opinions or publishing facts that disagree with the establishment can cause a person under such a government much difficulty. In a democracy the ability to criticise the establishment is a freedom that we have that is being eroded by having your privacy taken away from us. A response for the “boring” people who will never criticise the establishment: they will be impelled to change their normal behaviour if they felt that they were being watched. Our conversations and whom we talk to are being recorded. Does that not affect what we write about? Also: one closes one’s doors before having sex. This has nothing to do with sex being illegal or immoral and everything to do with humans needing privacy for some activities. We should expect privacy in what we write about in private communications.

The book’s last chapter describes how the American news media have become pliant – willing allies serving the needs of the political establishment instead of the public’s. It is a fascinating read and enlightens the reader to be more politically aware and aware of how precious one’s privacy is.

This book informs us that we need to take conscious political choices in order to protect personal privacy as a fundamental right. Snowden and other whistleblowers before and after him have faced prosecution from the “liberal” administration of Obama. The choice is between a world where no one has privacy and one where the NSA can abuse their surveillance powers at will. It is a must-read to understand the political and technological abuses of power that go on in our modern world and why conscious usage of technology such as encryption can be a political statement and not just a privacy tool.

Review: Ghost in the wires

‘Ghost in the wires’ is the autobiography of Kevin Mitnick, the “world’s most wanted hacker”. The book came out in 2011. Mitnick now claims to be reformed and has his own security consulting company.

Kevin Mitnick, as a teenager, was curious about breaking into computer systems. He did so, explains in the book how broke in mainly by using social engineering methods, and eventually got caught and was sent to a juvenile correctional facility. With this began a cycle that would repeat itself many times over the book.

The book is best in the early parts when Kevin describes one of his hacks. He understood that any system has weaknesses, technical or human. He would find a weakness and exploit it. He would persist if initially unsuccessful. The hacker mindset on display as he attempts to break into something just for the fun of it is something that people would do well to understand. Also, the ease with which systems built by hundreds of people can be subverted using very low-tech methods is something to know about.

As a person with some technical knowledge, I was able to follow a great deal of the technical hacking described in the book. A lot of what is described (“getting root”, “exploit [noun]”, etc.) is incomprehensible for the layman – my father gave the book a try. Surprisingly, the book gets boring after a while. Within the first hundred pages, one learns everything there is to know about Kevin’s non-technical social engineering skills. What follows is a repetition of what already happened: Kevin decides to break into something; he calls someone pretending to be someone else, elicits and easily gets required information from them; he breaks in; he learns that law enforcement may have gotten wind of it; he tries to cover his tracks and breaks into something else to get more information. The cycle continues, occasionally punctuated by visits from the police.

The discussion regarding law enforcement becomes complicated by the fact that they (and criminal prosecution) do not appear to have a good grasp on what Kevin has actually done (according to him), accuse him of crimes that he did not commit (according to Kevin) and prosecute him for the same. This is another interesting thing about the book that everyone trying to stay on the right side of the law in a fully internet-connected world should appreciate.

A serious problem with the book is Kevin’s lack of contrition. He is repeatedly sorry for the harm he did to his loved ones, but has no feelings whatsoever for the companies that he broke into, their employees, or for the people whom he insults with snide remarks in his book. His language, as a man in his forties (when the book was written), shows an immaturity that should have ended with teenage. Kevin repeatedly refers to the man who caught him, Tsutomu Shimomura, as “Shimmy”; he calls people “bastards”; he unnecessarily names and shames a colleague who may have wanted to have sex with him; etc.

The casual reader would learn much about the vulnerability of the devices and infrastructure that we use from going through about 100 pages of the book. 300+ pages is way too much to read about one egoistic hacker who may not have learned his lessons.

Feeling secure vs being secure

When talking security with individuals one often observes a distinction in language that completely changes the meaning of the topic: people talk about wanting to feel secure, which is a very different matter from actually being secure.

Humans are poor at understanding security and risk: they overestimate the danger from scary and infrequent events (such as terrorist attacks) and underestimate the dangers of common events (such as road accidents and nutrition-related illnesses).

Humans are also prone to live by the falsehood that “something needs to be done” to remedy real and perceived problems, when it might actually be more pragmatic to not do anything at the time. Security expert Bruce Schneier has written extensively about this, on how the TSA is a multi-billion dollar harm inflicted upon people travelling within the United States after the very successful terrorist attacks on September 11, 2001. The fact that they put travellers through a lot of misery gives people the impression that travel in the United States is safe, when in fact it is not proven to be any safer than it was before 9/11.

This false sense of security is a problem. It causes organisations to spend billions of dollars on security products that do not solve their problems. It causes people to go through unnecessary suffering at airports because they are trained to believe that it is “for their own safety”. At the same time, the companies and people remain vulnerable to the same problems that they believed they were protected from.

A false sense of security can make someone perform a riskier action than they would under normal circumstances – think of the American rules football players, heavily padded and helmeted, who would strike in a more dangerous fashion under the impression that their artificial paddings would protect them against injury. This is the biggest problem with feeling secure: it can actually cause you to be less secure.

How do we guard against responding poorly to perceived risks in these fashions? A measured and thoughtful approach to security that avoids knee-jerk measures helps. Education is key, as is the recognition that there is no silver bullet that rapidly provides security. Security requires a combination of people, processes and technology to function in harmony. All three must come in place and people must recognise that no system is perfectly secure. This is fine. It is not worth the trouble to make something perfectly secure. Live your lives.

Blocking internet access for cyber security: Will it work?

“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.” —Dennis Hughes, FBI [attributed]

From May 2017, the Singapore government intends to block internet connectivity for the work computers of its 100,000-strong force of public servants. The government has opted for the drastic measure on account of security concerns. Is it really necessary and is this the best way of keeping things safe?

A key principle that information security managers learn is that security must work to enable business and not prevent it. Attempts to add security that appear to work against the normal functioning of the business are doomed to fail. This will be critical to whether the Singapore government’s efforts succeed or fail. It is not only the technological aspect of this new setup that must be taken care of, but also the ‘people’ and ‘process’ aspects. The latter appear to be lacking, at least in what has been covered in the news.

Did the government get the technology aspect right? Among other things, companies that have information security-aware management perform a ‘blacklisting’: for instance file-sharing activity, chatting, pornography sites and known malware sites and activity may be blacklisted and cannot be accessed by employees. Some security experts recommend a tougher measure called ‘whitelisting’: only the specific sites in the whitelist may be accessed by employees. This list could contain the top 1000 sites on the internet known to be safe and, upon business justification, additional sites could be added to the list. Entirely blocking internet access is the toughest possible measure and might be a bit heavy-handed.

Disconnecting a computer from the internet is called air-gapping. It is a legitimate security measure for the very paranoid / persons under surveillance. Security expert Bruce Schneier explains here what he did to stay secure from the NSA while working on the Snowden documents. Air-gapping requires a huge amount of effort to get right, primarily because the information that you work with tends to come through the internet. Air-gapping will make life harder for an attacker who wishes to access information in/through your computer. Information on one’s computer may still be accessible in certain ways, but accessing the office network through that device does get considerably more difficult for an attacker.

Air-gapping is not foolproof. An air-gapped computer owned by a non-technical person is less likely to be updated with security patches than one that is connected to the internet. It may make the device more susceptible to attacks through vectors outside of the internet. Targeted attacks have been carried out against air-gapped devices as long ago as 2010 using USB drives. The Singapore government currently does allow its employees to use the USB ports on their devices. USB drives are well-known transmission vectors for malware and many companies prevent their usage by locking them down. This would be a pragmatic step to take before the more desperate measure of taking away internet access.

The initial announcement of the upcoming policy also stated that employees would be allowed access to the internet on their personal devices and devices kept specifically for internet use. The Infocomm Development Authority (IDA) clarified in a Facebook post that “only unclassified emails for purposes such as accessing URLs” could be forwarded to private email accounts. This is going to be tricky. An employee who has habituated himself to transferring emails between his work and personal emails is going to do more and more work when directly connected to the internet on their personal devices, especially when the work requires research or benefits from information found on the internet. This in turn could lead to the personal devices becoming targets of attack, reducing the need to attack the office-issued devices in the first place. Considerable effort will need to be made to ensure that employees are aware of what information may absolutely not be transferred to devices outside the office-issued computers. These are serious flaws in the ‘people’ and ‘process’ aspects of the new policy.

I have already encountered people discussing how to subvert this ‘problem’ of no internet access. Singaporeans are technically savvy enough to get the internet that they need. The government has to ensure that their work does not get too painful and that access is had where they require it or the subversion will eliminate the positive security effects of removing internet access.

What about that Whatsapp privacy policy change?

You may have heard recently that Whatsapp’s privacy policy has changed ‘for the worse’ and that it is now sharing user account information with Facebook. What’s that all about and what should you do about it?

Whatsapp is a mobile phone app that provides messaging services between users of the app. Whatsapp accounts are linked to phone numbers. Facebook is an online social media platform with 1.7 billion monthly users (as of June 2016). Facebook bought Whatsapp for US $19 billion in 2014 and now Whatsapp has over 1 billion users. Prior to its acquisition, Whatsapp charged a fee to its users – a nominal $1. After the acquisition, the fee was eliminated, leaving the company’s business model unclear to users. Whatsapp announced earlier this year that they would introduce tools to let businesses connect to users.

One of the founders of Whatsapp, Jan Koum, was born in Soviet-era Ukraine and the matter of privacy is said to be personal to him. Whatsapp now encrypts all messages that are sent between users using updated versions of the app, meaning not even the company can read messages that are sent through the app.

Why then are we so concerned? The information that Whatsapp does have is metadata – data about data. Whatsapp has the contacts on your mobile phone (required to provide its service), the time you last checked the app, the person whom you messaged, when you messaged them, how many times, etc. Go back three years and you might recall that this is the kind of data collection by the NSA that caused a huge uproar when Edward Snowden blew the lid on it.

A record of phone calls or messages between you and a specialist doctor may reveal medical concerns of yours. Phone records between two parties may allow for inferences where nothing may be relevant – or they may give away something about one’s life that one prefers to keep private. The choice of whether these matters are made known to others belong to the people whom they concern – not to an internet / communications company, the government or advertising firms. You will lose that choice if your Whatsapp account data is transferred to Facebook. Facebook is an advertising company and the metadata is going to be used to serve you with advertisements from businesses.

What causes more worry is the manner in which this has been implemented. We have the option to opt out of the sharing of account data. The opt out is designed to be easy to miss. You still have 30 days to go back and update your settings, but after that the choice to opt out is removed entirely.

But does it really matter? Many of us do share a lot of information about ourselves publicly on our social media profiles. Even the content that is restricted to ‘friends’ can be copied, screenshotted and shared by our contacts. A certain level of sagacity is called for when sharing matters that one may think are not public and that is upto your own judgement.

Take the following steps now to take control of your Whatsapp account data:

Security buzzwords – zero day and APT

Information security / cybersecurity is all over the news these days with a serious hack / breach reported just about every week. News reporters and salesmen are happy to capitalise with catchy headlines and spreading of fear. On occasion, the truth gets lost while this is going on. Here are a few buzzwords / buzz-phrases that you may have come across, that may not mean what you think:

Zero day
A ‘zero-day vulnerability’ is a vulnerability that the maker of the product does not know about, but an attacker does. Once information about this vulnerability is known, the vendor has 0 days to fix it before it affects their customers. Plenty of vulnerabilities these days are discovered by ‘good guys’ – white-hat researchers – who report their findings to the producers of the software and give them a reasonable period (such as 90 days) before the information is made public. These vulnerabilities are not zero-days because the wider community (and malicious players in particular) typically learn about them only after the patch is released. A ‘zero-day exploit’ would be the use of such a vulnerability before the vendor learned of its existence.

Examples of misuse:
Vulnerability in LastPass misreported as zero-day by many reputable news sites:
Nonsensical title talking about a ‘patched zero-day’:

APT / advanced persistent threat
An advanced persistent threat (APT) is a higher grade attacker than the usual. APT attacks tend to be targeted, stealthy, may involve a large number of steps, with multiple devices being infected and data being exfiltrated only in the later stages. Some of these will be so effective that they will remain undetected for years. On occasion, they can also reach computers that are not connected to a network. The level of sophistication is said to be such that only nation-states and big criminal organisations are said to have the expertise to carry out such attacks.

Some of the top names in security have ‘APT’ solutions. Do they work? They do detect some threats that traditional methods do not, but advanced persistent threats? No. Claims to detect APTs must be taken with some amount of caution. Malware testing company NSS labs came up with a few tests of increasing difficulty where none of the tested products detected the stealthy test. Their conclusion: “Novel anti-APT tools can be bypassed with moderate effort…” They were able to develop the test samples without having access to the APT solutions during test development and “resourceful attackers who may be able to buy these products will also be able to develop similar samples or even better ones.” Our takeaway from this: Make sure that the vendors claims are supported by evidence and seek unbiased sources when trying to find out more information.

Also check out this previous article: The horror of the security product presentation

The password-reuse attack

There was news very recently about an online storage provider named Carbonite being “breached” through a password reuse attack. What might that be?

It is just as it sounds like: an attacker reusing a password that they already have. This obviously requires no technical skills. One doesn’t have to “hack” in order to do a password reuse attack.

Is this even an attack? How did the attacker gain the password in the first place? There was an actual attack by people who may have had technical skills at one point. They would have tried hacking a popular site or application (a recently publicised example: LinkedIn). They may have gotten the usernames and passwords of a large number of users if they were successful. It appears that Mark Zuckerberg’s Twitter and Pinterest accounts were accessed this way.

Given that they already had this list of credentials, they could proceed to use the username – password combination on other sites. How many people can tell that they do not use the same credentials in at least a few sites?

What can you do to prevent this?

Simple and obvious: use different passwords for different sites. Do not reuse them.

But I can’t remember so many different passwords! 

Of course you can’t. And you shouldn’t try! Use a password manager. I have written a whole bunch of articles about them. Once you start, you can safely give up on remembering a whole bunch of long and complex passwords.

Lessons from Target on password complexity
Choosing your password manager
Passwords ain’t nothing but trouble