How to encrypt your Facebook messages with Secret Conversations


Good news, privacy enthusiasts: Facebook’s one-on-one encrypted messaging feature called Secret Conversations is now live for all Android and iOS users. 

Secret Conversations allows Messenger users to send end-to-end encrypted messages to their Facebook friends. There are a few caveats, however. First, it only works on a single device. Facebook says it doesn’t have the infrastructure in place to distribute encryption keys across your phone, tablet, and PCs.

A beta version of Secret Conversations on iOS.

You also have to explicitly start a Secret Conversation in Messenger. Encryption isn’t the default mode, and encrypted messages are not integrated into the primary thread of your conversations with a given contact.

In other words, if Alice and Bob have been chatting for years on Messenger, they’ll have to start a separate encrypted thread, and that encrypted thread will never integrate with their original, unencrypted thread.

That approach is very unlike what Facebook-owned WhatsApp is doing. The popular messaging platform automatically encrypts messages for all users if they have an encryption-compatible version of WhatsApp on their phone.

The final caveat for Facebook Messenger is that encrypted messaging only works in one-to-one messaging. Group conversations are not included in Secret Conversations.

Now that we’ve got the preamble out of the way, here’s how to use Secret Conversations. For our example, we’re using Messenger for Android but Messenger on iOS works similarly.

How to use Secret Conversations


From the Messenger landing page, tap on your profile section, which is the person icon on the upper right of the screen. Scroll down until you see Secret Conversations and tap it. On the next screen, make sure the Secret Conversations slider is activated. Once it is, Secret Conversations are enabled for your device.


HP's new privacy protecting laptop screen thwarts would-be spies


HP just introduced a new technology to fight back against the feeling that somebody’s watching you.

HP’s EliteBook 1040 and EliteBook 840 laptops now have an option to add a new one-touch solution called SureView that combats what the company calls “visual hacking.” SureView was developed with 3M privacy technology, and HP first showed off the technology during CES in January.

To call this activity “hacking”, however, is a bit of a stretch. What we’re really talking about is someone who’s literally peeking over your shoulder to read the information on your screen.

Regardless, SureView sounds like a pretty cool feature. All you do is tap F2 on the laptop’s keyboard and SureView “reduces up to 95 percent of visible light when viewed at an angle.” With SureView enabled, HP says those pesky eavesdroppers will have a much harder time reading your TPS reports.

Hey, hey, hey. Eyes off the screen you nosy parker.

HP’s positioning SureView as an ideal solution for young (I refuse to use the “m” word) corporate drones who might unwittingly display sensitive company data at public places like Starbucks or the airport. In reality, SureView could be ideal for people of any age to keep email, usernames, account numbers, and other sensitive data private while you’re in public.

The impact on you at home: How real is the threat of “visual hacking?” 3M sponsored a study that showed visual hacking is easy enough, which anyone who’s ever walked by a laptop in public already knows. It’s not clear how often visual hacking has resulted in real damage, but it really doesn’t matter. I’m sure many people have experienced a feeling of “exposure” when viewing private information on a laptop while in a public place. We haven’t tested HP’s technology yet. But from the sounds of it SureView could go a long way to alleviating real or imagined spying so you can work more confidently while sipping on that delicious mocha double no-foam latte.


Opera's free VPN app expands to Android


Opera is expanding the reach of its free, mobile VPN app. The browser maker recently announced that Opera VPN is now available for Android in Google Play. The new app is similar to the iOS version Opera released in May.

Opera provides five virtual server locations to choose from including the United States, Canada, Germany, Singapore, and the Netherlands. These server locations can either help you stay secure while you’re using a public Wi-Fi hotspot or evade regional restrictions—just don’t count on fooling Netflix.

For this latest app Opera added a new feature that is not part of the iOS app, called the “Wi-Fi security test tool.”

Opera VPN for Android’s Wi-Fi security test.

This feature tests the Wi-Fi network you’re connected to in order to see how secure it is. Testing my home network, Opera VPN gave me a B+. I lost points for having an exposed IP address, being at risk for Wi-Fi sniffing, and at risk for eavesdropping by my Internet service provider. No doubt that last risk is always there unless you activate Opera’s VPN, which the Protect WiFi button helpfully turns on for you.

The Android version also has a feature called Guardian that blocks ad trackers for you. Guardian is not on by default. The iOS version also blocks ad trackers for added privacy, but the feature is on by default and doesn’t have a fancy name like Guardian.

Overall the app is very simple to use. It only has three basic features: the VPN, the Wi-Fi test, and Guardian. When you first install the app it asks permission to use Android’s built-in VPN features, which then allows you to use Opera’s free VPN with a single tap.

The impact on you at home: As we discussed with Opera’s iOS app, this free VPN does collect information from your device, which you can read about in the company’s privacy policy. Ultra privacy-conscious users will want to take note that the VPN may collect web addresses you visit (but not page content), IP address locations, as well as information about your device type, browser type, and operating system type.

Previously, Opera told us it collects some of this information in order to “use anonymous market insights derived from customer usage to help support the service. We make this information available to third parties who are interested in better understanding the mobile ecosystem and how it’s evolving.”


How to turn on Twitter's quality filters and silence trolls


Twitter has finally come up with a solution to muzzle trolls.

The company published a blog post on Thursday announcing two new controls for filtering your notifications. Twitter notifications are the primary method through which trolls can contact and harass users.

The first new setting reduces the noise in your notifications stream. By default, anyone who mentions your Twitter username with the “@” symbol shows up in your Twitter notifications. It doesn’t matter if they’re asking a simple question, offering constructive criticism, or threatening to cut your head off. Everyone shows up.

The new setting filters your notifications down to only people you follow. The new filter works on Twitter’s apps and the website. It’s not clear if third-party Twitter apps can also apply it.

Why this matters: Many—perhaps most—Twitter users don’t really have a need for this kind of filtering. But for people such as celebrities, politicians, or outspoken feminists, Twitter notifications can be a very dark place. For these people personal threats and other objectionable comments from random Twitter users are commonplace. The new notifications filters will make Twitter a more hospitable place for anyone who wants to speak their mind without having to sort through a deluge of hate.

The unfortunate side effect of this, however, is that people who are being targeted for online harassment are effectively putting themselves in a bubble. In other words, the long-held idea of using Twitter as an “online water cooler” to chat and share ideas with strangers will be over—if it ever truly existed in the first place.

It’s all about quality

Twitter’s two new notifications filters.

The second new setting is called a quality filter. This setting, which was turned on by default for my account, removes what Twitter calls “lower-quality content.” This low-brow stuff can be things like duplicate tweets or bot-generated content. The quality filter affects your notifications and “other parts of your Twitter experience.” Presumably, that means your primary timeline. The low-quality filter never restricts people you follow or those whom you’ve recently interacted with—don’t feed the trolls, folks.

How to turn on the new settings


Click the Settings link in your Notifications tab to get started.

Getting to the new settings is easy on Twitter’s website. First log in to the service and then click on the Notifications tab. To the right of your mentions, click the new Settings link.


Disable WPAD now or have your accounts and private data compromised


The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users’ online accounts, web searches, and other private data, security researchers warn.

Man-in-the-middle attackers can abuse the WPAD protocol to hijack people’s online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Attackers can abuse these options to supply computers on a local network with a PAC file that specifies a rogue web proxy under their control. This can be done on an open wireless network or if the attackers compromise a router or access point.

Compromising the computer’s original network is optional because computers will still try to use WPAD for proxy discovery when they’re taken outside and are connected to other networks, like public wireless hotspots. And even though WPAD is mostly used in corporate environments, it is enabled by default on all Windows computers, even those running home editions.
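To find which machines on a network still perform the WPAD discovery described above, a defender can look for lookups of the name `wpad` in name-resolution logs. The following is an added example, not code from the researchers or the original article; the log layout, the addresses, and the two allowlists are constructed assumptions.

```python
"""Inventory WPAD discovery traffic from name-resolution logs (constructed format)."""
from collections import defaultdict

# Assumed log layout (constructed for this example), whitespace separated:
#   timestamp  protocol  client_ip  query_name  responder_ip  answer_ip
# "-" marks a query that received no answer.
SAMPLE_LOG = """\
2016-08-05T09:00:01 DNS 10.0.0.21 wpad.corp.example 10.0.0.2 10.0.0.5
2016-08-05T09:00:02 DNS 10.0.0.21 www.example.org 10.0.0.2 203.0.113.10
2016-08-05T09:01:10 DNS 10.0.0.34 WPAD.corp.example 10.0.0.2 -
2016-08-05T09:01:11 LLMNR 10.0.0.34 wpad 10.0.0.99 10.0.0.99
2016-08-05T09:02:30 DNS 10.0.0.40 wpadserver.corp.example 10.0.0.2 10.0.0.7
truncated line
"""

APPROVED_RESOLVERS = {"10.0.0.2"}   # assumption: the site's DNS server
APPROVED_PAC_HOSTS = {"10.0.0.5"}   # assumption: host that serves the real PAC file


def is_wpad_name(qname):
    """True when the left-most label is exactly 'wpad' (case-insensitive)."""
    return qname.rstrip(".").split(".")[0].lower() == "wpad"


def audit(log_text, resolvers=APPROVED_RESOLVERS, pac_hosts=APPROVED_PAC_HOSTS):
    """Return {client_ip: sorted list of findings} for clients doing WPAD discovery."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or truncated records
        _ts, proto, client, qname, responder, answer = fields
        if not is_wpad_name(qname):
            continue
        proto = proto.upper()
        findings[client].add("auto-discovery enabled (%s)" % proto)
        if proto == "LLMNR":
            # LLMNR is multicast: any host on the segment may answer.
            findings[client].add("fell back to LLMNR")
        if answer != "-":
            if responder not in resolvers:
                findings[client].add("answered by unapproved responder %s" % responder)
            if answer not in pac_hosts:
                findings[client].add("pointed at unapproved PAC host %s" % answer)
    return {client: sorted(items) for client, items in findings.items()}


if __name__ == "__main__":
    for client, items in sorted(audit(SAMPLE_LOG).items()):
        print(client)
        for item in items:
            print("  -", item)
```

Clients that appear in the result are candidates for having automatic proxy detection turned off; the LLMNR and unapproved-host findings are the ones to investigate first.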

Lucian Constantin

On Windows, WPAD is used when the “automatically detect settings” option is checked in this configuration panel.

A rogue web proxy would allow attackers to intercept and modify non-encrypted HTTP traffic, which wouldn’t normally be a big deal because most major websites today use HTTPS (HTTP Secure).

However, because PAC files allow defining different proxies for particular URLs and can also force DNS lookup for those URLs, Chapman and Stone created a script that leaks all HTTPS URLs via DNS lookups to a rogue server they control.


Stealing payment card data and PINs from POS systems is dead easy


Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.

POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.

One of the common methods used by attackers to steal payment card data from POS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system’s memory for credit card data when it’s processed by the payment application on the POS system.

Target: gas pumps

But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most “payment points of interaction,” including card readers with PIN pads and even gas pump payment terminals.

The main issue shared by all of these devices is that they don’t use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks through external devices that tap the network or serial connection or through “shim software” running on the POS system itself.

For their demo, the researchers used a Raspberry Pi device with traffic capture software that taps the data cable between a PIN pad and a laptop with a payment app simulator. The PIN pad had a custom top cover to hide its make and model; the researchers didn’t want to single out a particular vendor since many of them are affected.

While the demo used an external device that could be installed by an insider or a person posing as a technician, attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it. A modified DLL that’s loaded by the legitimate payment software would be much harder to detect than memory-scraping malware.

Lucian Constantin

Researchers Patrick Watson and Nir Valtman cause a payment terminal to display a fake re-enter PIN prompt.

The NCR researchers showed that not only can attackers use this attack technique to steal the data encoded on a card’s magnetic stripe, which can be used to clone it, but they can also trick cardholders into exposing their PIN numbers and even the security codes printed on the back of the cards.


How to remove your email address from Windows 10's login screen


We’re just weeks away from the Anniversary Update for Windows 10, which includes all kinds of new features. But along with all the big stuff like better inking and a beefed up Cortana, there are also small touches that many people will appreciate.

Today we’re going to look at a new nice touch that controls what kind of information you display on the sign-in screen, specifically your email address.

Right now, when you land on the login screen on a Windows 10 PC it displays your name and the email address associated with your Microsoft account. When you’re at home that’s no big deal, but you may not want that information displayed where someone might sneak a peek, such as at a coffee shop or in a business meeting.

In my tests with the latest Insider builds this information was taken off the login screen by default. It’s not clear if the same will be true for people upgrading from a previous version of the operating system.

Regardless, accessing the setting is pretty easy if you end up needing to hide this data or, conversely, want to display it again.

A one-click setting makes it easy to hide your email address.

In my tests with build 14388, you go to Start > Settings > Accounts > Sign-in options. There, under the Privacy subheading, you’ll have one slider labeled Show account details (e.g. email address) on sign-in screen. Flip that on or off depending on your needs, and that’s it.

This new feature has been around for months so presumably it will remain once the official Anniversary Update rolls out. If it doesn’t we’ll adjust this article accordingly.


Pokémon Go update for iOS now available, clarifies access to Google data


If you have Pokémon Go fever, but you’re concerned about the controversy surrounding the app and access to your Google data, you’ll want to install the Pokémon Go update. Even if you didn’t use Google to sign into the game, you’ll want the update, since it has bug fixes.

The 1.0.1 update is now available in the App Store. Before you perform the update, sign out of the game. You can do this in Pokémon Go by going into the app settings and tapping Sign Out at the bottom of the screen. (If you don’t sign out before updating the app, that’s OK. You’ll need to do so when you launch the update.)

To update the game directly on your iPhone, tap on the App Store app, and then tap the Updates tab on the bottom navigation bar. When you see the update appear on the list, tap the Update button. You can also install the update via iTunes on your Mac, with your iPhone connected.

After the update is installed, launch the app and sign in as usual. If you sign in using Google, you’ll see this new screen.


If you go to the web and check your Google account for your connected apps, you should see a change in what Pokémon Go accesses. If you don’t sign out and then sign back into the game as mentioned earlier, you may not see this updated status.


Niantic, the developer of the game, released a statement on Monday, clarifying what the company can access in relation to Google accounts. Niantic’s complete statement:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves. For more information, please review Niantic’s Privacy Policy here:


Facebook brings end-to-end encryption to Messenger with ‘secret conversations’


Facebook’s following the encrypted messaging trend set by other apps including Facebook-owned WhatsApp, Viber, and Google’s Allo. On Friday, the social network announced a limited beta version of Messenger for Android and iOS with an end-to-end encryption (E2EE) feature dubbed secret conversations.

Secret conversations will only be available to a limited number of users at first, with a wider roll out planned for later this summer. The feature name “secret conversations” first surfaced in March.

Secret conversations in Messenger for iOS.

Messenger’s secret conversations won’t be like WhatsApp, which offers complete E2EE for all messages when all users in the conversation have a compatible version of the app. Instead, secret conversations will allow Messenger users to encrypt one-on-one conversations on the fly. Group messaging will not be covered.

When encrypted, the messages will only be accessible to the two conversation participants. While the message is in transit from one device to the other it won’t be possible for third parties—including Facebook—to decipher the message.

Facebook is also adding a Snapchat-like self-destruct setting that allows secret conversations to disappear after a predetermined amount of time. Rumors about Facebook’s plans for a Snapchat-like feature for Messenger first surfaced in May.

Each secret conversation will also exist in its own section of the app for each Messenger contact. Secret conversations will not be integrated with the main conversation thread for that person. 

The biggest limitation of secret conversations is that the new feature will only work on one device. Facebook told Wired it doesn’t have a system in place to distribute encryption keys (bits of information that encrypt and decrypt messages) across multiple devices.


Secret conversations will also start with a slimmed down feature set, leaving out support for animated GIFs, video, Facebook’s payments system, and other features.


How to tell if your Android phone has spyware


A reader whom I won’t name worries that his cousin watches what he does on his Android phone. The cousin actually told him so.

It’s possible that your cousin is just messing with your head. Ask for proof—such as texts you’ve sent and received.

On the other hand, they may actually be spying on your phone. There are a surprising number of Android apps that can do just that.


But first, let me clarify one thing: No one is tracking you via your phone’s IP address. Take your phone on a morning jog, and its IP address will change three or four times before you get home.

In order to track your phone, someone would need to install a spying app onto it. That could come in the form of malware such as the recently discovered Godless, which can be downloaded as part of a seemingly innocent app.

And then there are spyware apps that don’t pretend to be anything else; tools such as GPS Phone Tracker. And yes, you can download them from the Play Store.

Why doesn’t Google block these apps? Because they have legitimate purposes. If your employer assigns you a company phone, they have every right to see what you do with it. And parents should monitor kids’ Internet use
