
Tag: Facebook Messenger

Skype goes all Snapchat with Highlights, its own riff on Stories

Microsoft's messaging app follows in the footsteps of Instagram and Facebook Messenger.

IT threat evolution Q1 2017

We've become accustomed to seeing a steady stream of security breaches month after month, and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

Google Duo’s audio call feature is now available for all users...

It didn't take long for Duo to become more than just a video-chat app.

Breaking The Weakest Link Of The Strongest Chain

Around July last year, more than 100 Israeli servicemen were hit by a cunning threat actor.

The attack compromised their devices and exfiltrated data to the attackers’ C&C.
In addition, the compromised devices were pushed Trojan updates.

The operation remains active at the time of writing this post.

Ransomware: How A Security Inconvenience Became The Industry's Most-Feared Vulnerability

There are all sorts of ways to curb ransomware, so why has it spread so successfully? The word "ransomware" conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented.

The fact that news stories measure the effect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016.) The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer. Ransomware perpetrators have even started copying incentive tactics from legal industries.

There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!" This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice.

A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017. What made ransomware into such a strong threat? Is it really a greater malice than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?

The Patching Conundrum

In a way, the rise of ransomware in 2016 was in the works for a long time. Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure.

A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst. Reliance on distributed security appliances has only exacerbated the problem.

Even after patches become available, there's still a significant lag.

A combination of staff shortages, the volume of devices deployed across today's business networks, and distance has dramatically lengthened patch rollout times. Varying reports put the gap between 100 days and 18 months. Before ransomware even became a trend, the stage had been set for adversaries to gain access.

It Should Be Easy to Stop

From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop.

The file encryption — which actually does the damage — is the final stage of a multistep process.
In fact, there are several opportunities to block the attack before it affects valuable data.

First, if the attack is caught by URL filters or secure Web gateways, it will be averted. The second step is where the initial malware "drop" downloads the ransomware program.

To do this, it must connect back to the attacker's server from within the compromised network.
It's only after the ransomware program itself deploys inside the victim's environment that it encrypts local and network server files.

And still, before the process can launch, most ransomware must connect to a command-and-control server to create the public-private key pair that encrypts the data. At any point in the process, a network security stack has ample chance to block the malicious program from making these connections, and data lockdowns would never happen. With all these opportunities to stop the attack, how has ransomware been so successful?

Complexity upon Complexity

In November, security researchers discovered a mutation to exploit Scalable Vector Graphics (SVG), and this may provide a clue. SVG is an XML-based vector image format supported by Web-based browsers and applications.

Attackers were able to embed SVG files sent on Facebook Messenger with malicious JavaScript, ostensibly to take advantage of users' inclination to view interactive images. The way these files were manipulated is of much greater concern than either the app that was targeted, or the breach of users' trust: The SVG file had been loaded with obfuscated JavaScript code (see Figure 1).

These files automatically redirect users to malicious websites and open the door to eventual endpoint infection.

The obfuscation tricks detection engines, and signature-based detection will always fall behind as code morphs to new signatures for the same threat.

Figure 1: The string "vqnpxl" is the obfuscation function. Source: Cato Networks

The above attack spotlights an urgent need to simplify. Modern networks see their vulnerability go up thanks to a patchwork of point solutions.
It's not sustainable to expect IT pros to update each point solution, and patch every existing firewall, when each new attack vector comes about.
Skilled attackers will always build new threats faster than IT can defend against them.
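The SVG vector described above works because SVG is XML and can legitimately carry script elements, on* event-handler attributes and javascript: URLs. Because the check below is structural rather than signature-based, the obfuscation of the script body that fooled detection engines makes no difference to it. This is an added example, written for this page and not Cato Networks' or Facebook's code; it shows the kind of pre-acceptance check a file-upload or messaging service can run with Python's standard library before an SVG is stored or rendered. The sample documents are constructed for the example, and the script body is a placeholder comment.

```python
import xml.etree.ElementTree as ET

# Elements that can execute or embed active content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name):
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return a list of findings describing script-capable content in an SVG.

    Raises xml.etree.ElementTree.ParseError for malformed XML.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments/PIs, if a parser keeps them
            continue
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # onload, onclick, onmouseover, ... all run script when the SVG is rendered inline
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            # href / xlink:href pointing at a javascript: URL
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_safe_svg(svg_text):
    """True only if the document parses and contains no script-capable content."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False  # malformed input is rejected rather than passed through


# Constructed samples (not real captured files).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10"/></svg>'
)
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>/* obfuscated redirect code would sit here */</script></svg>'
)
HANDLER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<rect onload="void(0)" width="1" height="1"/></svg>'
)
JSURL_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:void(0)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPTED_SVG),
                       ("handler", HANDLER_SVG), ("jsurl", JSURL_SVG)]:
        print(label, "safe" if is_safe_svg(doc) else find_active_content(doc))
```

This catches the embedding technique the article describes, but it is a deny-list of the most common vectors, not a full sanitizer: `<use>` and `<image>` elements can reference external documents, and `<style>` blocks can pull in external resources via `url()`. For production, an allow-list sanitizer that is maintained against the SVG specification is the right tool; the check above is useful as a cheap first gate and as an explanation of what such a sanitizer has to look for.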

For ransomware, the critical test is, "how fast can you roll defenses out?"

Higher Stakes

When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017.

But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem.

Cloud defenses promote quicker adaptation to ransomware mutations.

The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source.
In this respect, the cloud is not just about saving work, but also about improving speed to security. 2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands.

Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and ...

Report: Egypt Censors Encrypted Signal App

Developer Open Whisper Systems says the country is censoring its messaging and voice calling program.

Egypt has reportedly censored encrypted chat service Signal.

App developer Open Whisper Systems on Monday confirmed the transcontinental country is censoring its messaging and voice calling program.

We'll begin deploying censorship circumvention in Signal over the next several weeks. Until then, Tor or a VPN can be used to access Signal.

— Open Whisper Systems (@whispersystems) December 19, 2016

The issue surfaced on Saturday, when IT specialist Ahmed Gharbeia tweeted about "wide reports" of Signal failure in Egypt.

"Everything is functioning normally on our end," Open Whisper Systems wrote in response, suggesting "something might be up" on the local network.

The firm reached out to the Open Observatory of Network Interference (OONI)—a global organization operating under the Tor Project to detect censorship, surveillance, and traffic manipulation on the Internet.

The project last week released two new software tests designed to examine the blocking of WhatsApp and Facebook Messenger, allowing anyone to monitor the accessibility of the apps and collect data as evidence.

Signal, a free app for Android, iOS, and desktop, is one of several messaging services to support end-to-end encryption—including Facebook's WhatsApp and Messenger. It is also one of several to come under fire from law enforcement officials who can't keep tabs on the conversations of suspected criminals.

Further details on the alleged censorship were not revealed; Open Whisper Systems did not immediately respond to PCMag's request for comment.

Constraints to encrypted social media are not new in Egypt: Facebook's free Internet service was shut down in December 2015 because the country's government could not spy on the browsing activities of local users.

The Egyptian Ministry of Communications and Information Technology also did not respond to a request for comment.

Open Whisper Systems recently ruffled some more government feathers with added support for disappearing messages. Users can determine how long—from five seconds to one week—a chat message is available to recipients before it self-destructs.

Facebook charged with misleading EU over $22 billion WhatsApp takeover

Facebook has been accused of misleading the European Commission over its $22 billion takeover of WhatsApp in 2014—when the Mark Zuckerberg-run company claimed that it wouldn't be able to knit together user IDs, thereby combining the data of the two services.

Brussels' competition officials issued a charge sheet against Facebook on Tuesday, in which it is alleged that the free content ad network failed to disclose that "the technical possibility of automatically matching Facebook users' IDs with WhatsApp users' IDs already existed" at the time of the merger.

Antitrust chief Margrethe Vestager said that companies must provide "accurate information" during routine competition probes into planned acquisitions. "They must take this obligation seriously," she said. "In this specific case, the commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."

Facebook has been slapped with a so-called Statement of Objections by the commission, which claims that the multinational "intentionally, or negligently, submitted incorrect or misleading information" to the competition wing of the EC, thereby allegedly breaching its obligations under the EU Merger Regulation.

It comes after WhatsApp confirmed in August that it planned to merge user phone numbers with Facebook user accounts—much to the chagrin of privacy campaigners in Europe. At the time, it claimed that the information would be used to offer users "more relevant" Facebook ads, new "ways for people to communicate with businesses" via the app, and new friend suggestions.

By mid-November, Facebook had stopped sharing WhatsApp user data across Europe, after it was forced to respond to regulatory pressure in the UK and Germany. Weeks earlier, data watchdogs across the EU who sit on the Article 29 Working Group urged Facebook "not to proceed with the sharing of users' data until the appropriate legal protections can be assured."

Now Vestager's office has separately entered the fray with tentative charges brought against Facebook that could lead to it being fined up to one percent of its annual turnover.

The commission also explained the rationale behind its decision to wave through Facebook's buyout of WhatsApp unchallenged in late 2014. It said:

With respect to consumer communications services, the commission found that Facebook Messenger and WhatsApp were not close competitors and that consumers would continue to have a wide choice of alternative consumer communications apps post-merger. Although consumer communications apps are characterised by network effects, the investigation showed that a number of factors mitigated the network effects in that case.

As regards social networking services, the commission concluded that, no matter what the precise boundaries of the market for social networking services are and whether or not WhatsApp is considered a social network, the companies are, if anything, distant competitors.

With respect to online advertising, the commission concluded that, regardless of whether Facebook would introduce advertising on WhatsApp and/or start collecting WhatsApp user data for advertising purposes, the transaction raised no competition concerns. This is because, besides Facebook, a number of alternative providers would continue to offer targeted advertising after the transaction, and a large amount of Internet user data that are valuable for advertising purposes are not within Facebook's exclusive control.

Facebook now has until the end of January to respond to the EC's charge sheet. "We respect the commission's process and are confident that a full review of the facts will confirm Facebook has acted in good faith," Facebook said. "We've consistently provided accurate information about our technical capabilities and plans, including in submissions about the WhatsApp acquisition and in voluntary briefings before WhatsApp's privacy policy update this year." It added: "We're pleased that the commission stands by its clearance decision, and we will continue to cooperate and share information officials need to resolve their questions."

Vestager warned at the start of this year that she was eyeballing US tech giants that hoard vast amounts of user data. She said that following close scrutiny, Google's acquisition of DoubleClick and Facebook's buyout of WhatsApp both got the go-ahead, adding that data issues did not, and should not, be linked only to investigations into alleged privacy abuses. However, her concerns about the lack of clarity around how much data is being used by online services, such as messaging apps and video-streaming sites, clearly left the commission flat-footed given that it has only now spotted an alleged discrepancy with Facebook's takeover of WhatsApp.

This post originated on Ars Technica UK

App developers not ready for iOS transport security requirements

A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don’t seem ready to embrace them, a new study shows. The study was performed by security firm Appthority on the 200 most common apps installed on iOS devices in enterprise environments.

The researchers looked at how well these apps conform to Apple’s App Transport Security (ATS) requirements. ATS was first introduced, and enabled by default, in iOS 9. It forces all apps to communicate with Internet servers using encrypted HTTPS (HTTP over SSL/TLS) connections and ensures that only industry-standard encryption protocols and ciphers without known weaknesses are used. For example, SSL version 3 is not allowed and neither is the RC4 stream cipher, due to known vulnerabilities.

Before ATS, app developers implemented HTTPS using third-party frameworks, but configuring SSL/TLS properly is hard, so implementation errors were common. These weakened the protection that the protocol is supposed to provide against traffic snooping and other man-in-the-middle attacks.

Currently iOS provides a method for apps to opt out of ATS entirely or to use it only for specific connections, but Apple wants to change that. At its Worldwide Developers’ Conference in June, the company announced that it will require all apps published on the App Store to turn on ATS by the end of this year. The requirement won’t be enforced at the OS level, but through the App Store review process. Using some of the ATS exceptions will still be possible, but developers will have to provide a “reasonable justification” for using them if they want their apps to be approved.

During their study, the Appthority researchers found that 97 percent of the analyzed apps—193 out of 200—used exceptions and other settings that weakened the default ATS configuration. “Among the top 200 iOS apps that we analyzed, 166 apps (83 percent) bypass at least some ATS requirements by setting ‘NSAllowsArbitraryLoads’ attribute to ‘true’ in their Info.plist files,” the Appthority researchers said in their report. “However, not all of them bypass ATS requirements for all network connections. For instance, a company can still support ATS requirements for network connections with its domain, while allowing ATS to bypass all other connections.”

Among the apps that didn’t use HTTPS for all of their connections were popular ones like Facebook, Twitter, LinkedIn, Facebook Messenger, Skype, Viber, WhatsApp, Fox News, CNN, BBC, Netflix, ESPN, Hulu, Pandora, Amazon Cloud Player, Word, Excel, PowerPoint, and OneNote, but also utility apps like Flashlight, QR code readers and games. While it could be argued that some connections don’t need HTTPS because they aren’t used to transfer sensitive data, the Appthority researchers found 10 applications that did send device IDs, email addresses, physical addresses, zip codes, geolocation information and even passwords or secret keys over unencrypted HTTP links.

There are many reasons why developers can’t turn on ATS for all connections and are likely to request ATS exceptions during the app review process. For example, many apps don’t talk only to their developers’ servers, but also to third-party advertising, market research, analytics and image or video hosting services. The use of HTTPS on these external services is out of app developers’ control.

ATS provides fine-grained exceptions like “NSAllowsArbitraryLoadsInMedia,” which can, for example, be used to allow the streaming of video or audio content over HTTP, while encrypting all other connections. However, based on Appthority’s analysis, it seems that so far developers have preferred using the more generic “NSAllowsArbitraryLoads”, which disables ATS for all connections, when dealing with such problems. The company didn’t find any app that used the “NSAllowsArbitraryLoadsInMedia” or the “NSAllowsArbitraryLoadsInWebContent” attributes to limit the scope of ATS exceptions. It hopes that Apple’s new requirements will change that.

Many apps that do use ATS disable some of its security features. For example, none of the apps analyzed by Appthority used Certificate Transparency, which is available in ATS. Furthermore, seven of them disabled SSL certificate validation and 46 didn’t use certificate pinning. Thirty-eight apps disabled Forward Secrecy and eight apps set the allowed TLS protocol version to 1.0 or 1.1, even though the secure default in ATS is TLS 1.2.

“We still expect iOS apps with unencrypted data in enterprise environments, even after January 1,” the Appthority researchers said. “When Apple approves such apps for the App Store, there will still be the security risks associated with unencrypted data for some connections, so it’s important for enterprises to have visibility into and management of the risks related to apps with those exceptions.”
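The settings Appthority counted all live in the app's Info.plist under the NSAppTransportSecurity dictionary, so an enterprise can grade them itself from an unpacked IPA. The following is an added example written for this page, not Appthority's tool or Apple's code: it reads an Info.plist with the standard library's plistlib and reports the global NSAllowsArbitraryLoads switch, the scoped NSAllowsArbitraryLoadsInMedia / NSAllowsArbitraryLoadsInWebContent keys, and the per-domain NSExceptionDomains overrides for plain HTTP, minimum TLS version, forward secrecy and Certificate Transparency (the code-level items in the article, such as disabled certificate validation or missing pinning, are not visible in the plist and are out of scope here). Both plists and the domain name in them are constructed for the example.

```python
import plistlib

WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}
SEVERITY_ORDER = ["none", "info", "low", "medium", "high"]


def assess_ats(info_plist_bytes):
    """Return a list of (severity, message) findings for an app's ATS configuration.

    An absent NSAppTransportSecurity dictionary means the defaults apply
    (HTTPS only, TLS 1.2 minimum, forward secrecy required), so it yields no findings.
    """
    plist = plistlib.loads(info_plist_bytes, fmt=plistlib.FMT_XML)
    ats = plist.get("NSAppTransportSecurity")
    findings = []
    if ats is None:
        return findings

    # Global switch: disables ATS for every connection the app makes.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads is true: ATS is disabled for every connection"))

    # Scoped switches: relax ATS only for media playback or web views.
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsInMedia"):
        if ats.get(key):
            findings.append(("info", f"{key} is true: ATS relaxed only for that content type"))

    # Per-domain overrides.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{domain}: plain HTTP allowed (NSExceptionAllowsInsecureHTTPLoads)"))
        version = rules.get("NSExceptionMinimumTLSVersion")
        if version in WEAK_TLS_VERSIONS:
            findings.append(("medium", f"{domain}: minimum TLS version lowered to {version}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{domain}: forward secrecy not required"))
        if not rules.get("NSRequiresCertificateTransparency"):
            findings.append(("info", f"{domain}: Certificate Transparency not required"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean configuration."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="none")


# Constructed Info.plist fragments (not from any real app).
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.clean</string>
</dict>
</plist>"""

GLOBAL_BYPASS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.bypass</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>"""

SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.scoped</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInMedia</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

if __name__ == "__main__":
    for label, data in [("default", DEFAULT_PLIST), ("global", GLOBAL_BYPASS_PLIST), ("scoped", SCOPED_PLIST)]:
        result = assess_ats(data)
        print(label, worst_severity(result))
        for sev, msg in result:
            print("  ", sev, msg)
```

The scoped plist is what the article says Appthority never saw in practice: media streaming allowed over HTTP and a single legacy host exempted, with every other connection still under the ATS defaults. It still grades as medium because of the TLS 1.0 floor and the plain-HTTP exception on that host, which is the point of per-domain review rather than a single pass/fail on NSAllowsArbitraryLoads.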

A beginner’s guide to beefing up your privacy and security online

Image caption: Unfortunately, it's easier to stick a lock on the Brooklyn Bridge than it is to secure your data. We can at least try to help, though. Credit: Andrew Cunningham

With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home. This year, in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.

This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised.

And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices. These recommendations simply don't represent the absolute best in security and privacy—the Electronic Frontier Foundation (EFF) has excellent, more in-depth guides on security for activists and protesters that you can read if you want to get even further out into the weeds.

But these are all good, basic best practices you can use if, like so many of us, you want to protect yourself against security breaches and trolls. Feel free to share it directly with those in your life who insist on doing the computer work themselves.

Protecting your devices

Install updates, especially for your operating system and your browser

This ought to be self-evident, but: install updates for your phones, tablets, and computers as soon as you can when they’re made available. The most important kinds of software updates are those for the operating system itself and for your browser, since Chrome, Firefox, Safari, Edge, and the rest are common points of entry for attackers. Updates for password managers and other apps on your system are also important, though, so don't ignore those update prompts when you see them. Waiting a day or two to make sure these updates don’t break anything major is fine, but don’t ignore update prompts for days or weeks at a time.

By the time an update exists for a security flaw, it is often already being used in attacks, which is why it’s important to install updates as quickly as possible. On this note, also be careful about using Android phones, which often run out-of-date software without current security patches. Google’s Nexus and Pixel phones, which get software updates promptly and directly from Google, are the best way to make sure you’re up to date; while Samsung’s newer smartphones are also patched relatively promptly, everything else in the Android ecosystem is hit or miss.

Use strong passwords and passcodes

Having your accounts hacked is what you should be the most worried about—more on this later—but it’s also important to secure the devices you’re using to access those accounts. It goes without saying that you should use a good, strong password to protect every single user account on any PCs or Macs. On smartphones, you should use as strong a PIN or password as you reasonably can. If your phone uses a fingerprint reader, take advantage of that added convenience by locking your phone with a strong alphanumeric password. Target a 12- to 14-character minimum, since shorter passwords are more susceptible to brute force attacks.

Encrypt your phones and computers

If you need an oversimplified but easily understood way to explain "encryption" to someone, think of it as a massively complex decoder ring; when data is encrypted, it can only be accessed and read by a person or device that has the “key” needed to translate it back into its original form. It’s important to encrypt your communications, and it’s also important to encrypt the devices you use to access any sensitive data, since that data can be stored on them locally whether you realize it or not. The basic encryption guide we ran last year is still current; I’ll cover basic guidelines here, but refer to that for fuller details.

iPhones and iPads are encrypted by default. Use a strong passcode and you’ll generally be fine.

Macs are not encrypted by default, but FileVault disk encryption is fairly easy to enable in the Security section of the System Preferences.

Some newer Android phones are encrypted by default, but go to the Settings and check under Security to confirm (this may differ depending on the phone you use). If the phone isn’t encrypted, it’s fairly easy to turn it on in the Security settings; protect the phone with a strong passcode afterward. Older phones and tablets may suffer a performance hit, but anything made in the last two or so years should have no major problems.

Windows PCs tend not to be encrypted by default, and it’s only easy to enable encryption on newer PCs with the more expensive “Pro” versions of Windows. Windows can be encrypted by default, but only by supporting an esoteric list of requirements that few PCs meet.

Protecting your accounts

Two-factor authentication

The most significant thing you can do to protect your e-mail, bank, Apple, Facebook, Twitter, Google, Amazon, Dropbox, and other accounts is still to enable two-factor authentication (sometimes called two-step authentication or 2FA). This means using a combination of multiple credentials to get into your account, usually a password and a six-digit code sent to your phone or generated by an authenticator app.

There are three primary types of authentication: something you know (i.e. a password), something you have (i.e. your phone or a secure key), or something you are (i.e. your fingerprint or face). To be considered “true” two-factor authentication, each factor needs to be from a different one of those three categories. So, for instance, something that requires a password plus your phone is two-factor authentication. Something that just asks you for two passwords is not, since they’re both something you know.

SMS texts sent to your phone are relatively easy to hijack for determined attackers, so you should definitely use an authenticator app whenever possible.
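The six-digit code an authenticator app shows is a time-based one-time password (TOTP, RFC 6238): a secret shared with the service at enrolment and the current 30-second time step are fed through an HMAC, and six decimal digits are cut out of the result. Because the secret never leaves the phone, there is nothing for an SMS hijacker to intercept, which is the "something you have" factor above. The following is an added example written for this page, not Authy's, Google's or Ars Technica's code; it implements the standard algorithm with Python's standard library, verifies a submitted code while tolerating one step of clock skew either side, and uses the published RFC 6238 test seed so the output can be checked against the RFC's own table. That seed is a public test value, not a real secret.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side (phone clock skew).

    Comparison is constant-time; a real server must additionally remember the last
    accepted counter per user so a captured code cannot be replayed within the window.
    """
    if at_time is None:
        at_time = time.time()
    base = int(at_time) // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + skew, digits), submitted):
            return True
    return False


# Public test seed from RFC 4226 / RFC 6238 Appendix B (ASCII "12345678901234567890"); not a real secret.
RFC_TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    # Codes for the RFC's sample timestamps; the RFC lists 8-digit values, of which these are the last six.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SEED, t))
    print("current code:", totp(RFC_TEST_SEED))
```

The enrolment QR code a service shows is just this secret (Base32-encoded) plus the parameters above, which is why a screenshot of it is as sensitive as a password: anyone holding the seed can compute every future code.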
I prefer Authy, but Google Authenticator is also widely used. When you enable two-factor authentication on an account, the first time you log in to an account on a new phone or computer, you’ll generally be asked to enter a special code after you enter your password.

Anyone who has your password but doesn’t have the code can’t get into your accounts. You may also need to sign back in on all of your other devices before you can use them with your account again. Here are instructions for setting up two-factor authentication for a variety of services; if you can’t find yours on this list, Google is your friend; twofactorauth.org is also a helpful resource. Apple Google Microsoft Twitter Facebook Dropbox Slack Amazon Paypal Venmo Stripe Using a password manager (and good password practices) Two-factor authentication is great, but it’s only extra protection on top of good, strong passwords and password practices.
Security researcher Brian Krebs has a good primer on password security here, but the most important things to remember are: Don’t use the same password for multiple sites/services, especially if you use those sites/services to store personal data. Change your password regularly, and change it immediately if you suspect that the service has been hacked or that someone else has tried to use your account. Use the strongest passwords you can. Using various characters (capital and lowercase letters, numbers, punctuation) is important, but password length is also important.

Consider a 12-to-14-character password to be a useful minimum, depending on the site’s password policies. Remembering passwords is annoying, especially if you’re changing them all the time. One solution to this problem is to use a password manager.

These are apps that generate long, random, complex passwords and store them for you in encrypted form either on your device or in the cloud. You have to set and remember one strong master password (we recommend perhaps writing this down and putting it in a safe and secure place), but the app does the rest. There are lots of password managers available, but 1Password is probably the best known and best supported.
It costs $2.99 a month for one person and $4.99 a month for a family of up to five people, and there’s a 30-day free trial available as well. LastPass is also an OK free alternative, though this sort of protection is worth the cost.
It’s also generally a good idea to support companies that do security- and privacy-related work going forward. Protecting your communications and Internet use Enlarge / WhatsApp is one messaging service that features end-to-end encryption, though it's no longer your best option. Andrew Cunningham Using Signal for SMS and voice calls Protecting your communications from being intercepted and read is one of the most important things you can do, but it’s also more difficult than other security measures we've discussed so far. Using an encrypted messaging service is the best way to protect your texts from prying eyes.
If you’re using Apple’s iMessage service (i.e. blue bubbles), you’re already using an encrypted service, but the downside is that it only works between two Apple devices and that Apple may still be able to hand out your data if asked. For communications between an iPhone and an Android phone or between two Android phones, your best option is Signal, a secure SMS app by Open Whisper Systems that provides encryption for both texting and voice calls.

Both you and your recipient will need to have Signal installed for it to work, but the app makes it easy to send out download links to your recipients and it’s easy to set up and use.

The EFF has detailed installation instructions for iOS and for Android. Another encrypted messaging service you may have heard of is WhatsApp, but the company’s acquisition by Facebook in early 2014 has given rise to some concerns among security and privacy advocates.
Still, depending on what the people you know already use, it could be better than just plain SMS or other chat services. Using VPNs, especially on public Wi-Fi You know those unsecured public networks that you log into when you’re at the cafe or coffee shop? Not only can anyone also get on that network and potentially exploit it, but attackers with relatively simple, inexpensive tools can see all of the data that travels between your phone or laptop and the wireless router.

Even networks with passwords (like those you’d use at work or in a hotel, for instance) can expose your data to other people who have the network password. The answer here is to use a Virtual Private Network, or VPN.
If you think of the streams of data going between a router and everything connected to it as an actual stream, then a VPN is a sort of straw or tube that keeps your stream separate from everyone else’s.
VPN services can also hide your browsing data from your Internet service provider, and they can give you some degree of protection from trackers used by websites and ad networks. (Again, like most measures, this is not a guaranteed way to achieve perfect security.) Subscribing to a VPN does cost money, but there are many options that will run $10 or less per month. Private Internet Access offers support for Windows, macOS, iOS, Android, and Linux; will let you use the service on up to five devices simultaneously; and costs a relatively inexpensive $6.95 a month or $39.95 a year (which breaks down to $3.33 a month).
If you use public wireless networks with any frequency at all, a VPN is a must-have and well worth the cost. VPNs aren't cure-alls, since some public networks are set up to keep them from working—sometimes on purpose so they can show you ads, sometimes by accident because they want to keep the networks from being used for anything other than basic Internet. Using a Mi-Fi hotspot or your phone's tethering features when you're in public can be expensive, but it can also provide some peace of mind when you're having trouble getting your VPN to work on a public network. E-mail security (is hard to do) E-mail security is difficult, and both of our security experts on staff have described it to me as a "lost cause" and "fundamentally broken." The primary problem is that even if you take precautions to protect your end of the conversation, you can do little to secure the servers and clients in between and on the receiving end.
Some services like Gmail offer enabled-by-default encryption between your computer and their servers, but sending a message from one server to another is still often unencrypted. Paid services like ProtonMail are promising—ProtonMail promises enhanced security and privacy and says it won't read your messages or scrape data from them to sell you ads—but it hasn't been thoroughly audited, and it only really works as intended when sending mail between ProtonMail accounts. And longstanding e-mail encryption tools like PGP ("Pretty Good Privacy") are notoriously difficult to set up and use. You should definitely do what you can to secure your e-mail from casual snooping, and you should protect your account with the tools we've already mentioned—using an account from a major provider like Google, Microsoft, or Yahoo with a strong password and two-factor authentication enabled is a good way to start.

But for truly sensitive communications that you want to keep private, using Signal or WhatsApp or even Facebook Messenger's "Secret Conversations" feature is a better way to do it.

Deleting old e-mails

Another mitigating factor for the e-mail problem is message retention—someone with ten years' worth of data to dig through is naturally going to reveal more about themselves than someone who only has six months of messages. Even free e-mail providers often give you so much storage space that it can be tempting to be a digital packrat and just keep everything, both for nostalgic reasons and just in case you ever need it for something.

But the more communications you store, the more information that companies, law enforcement, and hackers have to track your wheelings and dealings. Consider how important or sensitive your communications are, and consider how often you actually need old e-mails.

Consider deleting e-mails at regular intervals—deleting things after one year or even six months can be a good way to start if this is something you’re worried about, and think about deleting unimportant messages even more frequently.

Next steps

If you’ve done all of these things and you’re looking to do more, the EFF’s Surveillance Self-Defense page is a good resource.
It has more in-depth technical explanations for many of the concepts discussed here, as well as further recommendations.

The EFF also offers Chrome and Firefox plugins like Privacy Badger and HTTPS Everywhere, which (respectively) attempt to keep ads from tracking you across multiple sites and load content over an encrypted HTTPS connection rather than a standard HTTP connection whenever HTTPS is available. You could also look into things like the Tor project, which goes to greater lengths to obstruct surveillance and ensure privacy.

Poison .JPG spreading ransomware through Facebook Messenger

Click-to-self-p0wn attack sneaks Locky ransomware past Zuck's security model

Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that's distributing the dangerous Locky ransomware. The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties. The flaw as described is, in this writer's opinion, ultimately of little risk to El Reg's tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk. The attack is also significant in that it breaks Facebook's security controls.

In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the flaw by sending a .jpg image file through Facebook Messenger. The victim must click the attachment, an act that generates a Windows save file prompt asking the victim for the save directory to which the now .hta file will be downloaded. Images sent over Messenger appear as previews, not attachments. They must then double-click the saved .hta file to unleash the Locky ransomware.

While the attack is not automated, it does break Facebook's hypervigilant security model and is fairly regarded by Checkpoint as a Facebook "misconfiguration". Facebook will undoubtedly fix the flaw; The Social Network™ already warns users who open a browser JavaScript console to protect against malicious code.

Checkpoint's chaps say the attack is useful because Facebook is a trusted asset. “As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms,” Ziakin and Barda write. “Cyber criminals understand these sites are usually white listed, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

Facebook's JavaScript console warning.
Those users who do open the hta file will unleash one of the worst ransomware variants in mass circulation, encrypting their local files in a way that leaves backup restoration or ransom payment as the only options available to them. There is no decryption method for Locky, and most victims will find their backup files also deleted. Locky is under active development. Its authors have recently switched to the .zzzzz encrypted file extension with a new downloader that has lower antivirus detection rates.
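The defensive takeaway from the attack described above is that a file arriving as an "image" but saving as an HTML Application (.hta) is detectable before anyone double-clicks it. The following Python check is an added example, not code from The Register or from Checkpoint (whose technical details were withheld): it flags a saved download whose final extension is directly executable on Windows, whose leading bytes do not carry the image signature its extension claims, or which carries the .zzzzz extension the article attributes to Locky's encrypted files. The sample downloads and the extension and signature tables are constructed for the example.

```python
"""Flag a downloaded "image" that Windows would actually execute, or a file
that already carries Locky's encrypted-file extension.

Added example with constructed sample files; the signature table below covers
only the image formats a Messenger preview would plausibly carry.
"""
from typing import Dict, List

# Leading bytes ("magic") for common image formats.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that Windows hands straight to a script host or loader on double-click.
EXECUTABLE_EXTENSIONS = {"hta", "exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "cmd", "bat"}

# Extension the article reports Locky now appends to encrypted files.
LOCKY_EXTENSION = "zzzzz"


def split_extensions(filename: str) -> List[str]:
    """'holiday.jpg.hta' -> ['jpg', 'hta'] (lower-cased, directory stripped)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def matches_signature(data: bytes, ext: str) -> bool:
    """True if the bytes start with a known signature for this image extension."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext])


def inspect_download(filename: str, data: bytes) -> List[str]:
    """Return the reasons a saved file is suspicious (empty list if it looks fine)."""
    reasons: List[str] = []
    exts = split_extensions(filename)
    if not exts:
        return reasons
    final = exts[-1]

    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{final} is executable on Windows")
        # The Messenger case: an apparent image that saves as .hta
        if len(exts) > 1 and exts[-2] in IMAGE_SIGNATURES:
            reasons.append(f"image extension .{exts[-2]} hides .{final}")

    if final in IMAGE_SIGNATURES and not matches_signature(data, final):
        reasons.append(f"bytes do not match a .{final} header")
        if data.lstrip()[:1] == b"<":
            reasons.append("content looks like HTML/script, not an image")

    if final == LOCKY_EXTENSION:
        reasons.append("carries Locky's .zzzzz encrypted-file extension")
    return reasons


def scan_downloads(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run inspect_download over a name->bytes map and keep only flagged entries."""
    flagged: Dict[str, List[str]] = {}
    for name, data in files.items():
        reasons = inspect_download(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample downloads (in memory; nothing here is a real sample).
SAMPLE_DOWNLOADS = {
    "cat.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "cat.jpg.hta": b"<html><!-- constructed stand-in for an HTML Application; no script --></html>",
    "party.png": b"<html><!-- constructed: markup saved under an image name --></html>",
    "budget.xlsx.zzzzz": b"\x13\x37" * 16,
}

if __name__ == "__main__":
    for name, reasons in scan_downloads(SAMPLE_DOWNLOADS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it and only the three constructed bad files are reported; `cat.jpg` passes because its bytes begin with the JFIF marker its extension claims. In practice the same logic belongs in an endpoint agent or download-folder monitor rather than a one-off script, and the double-extension check is the cheapest of the three signals: Explorer hides known extensions by default, so `cat.jpg.hta` displays as `cat.jpg` to the user.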

Security researcher Morgan Marquis-Boire explains “data contraception”

For the eighth episode of Ars Technica Live, we're joined by security researcher Morgan Marquis-Boire. Ars security editor Dan Goodin and I talked to Marquis-Boire about his experiences working in computer security, from his origins running an anonymous remailer in New Zealand, to his current gig protecting journalists at First Look Media.

Marquis-Boire is slightly unusual among infosec researchers because his background is in political science. He got interested in hacking because he discovered open source software and loved the idea. As a college student he was part of a hacker group in New Zealand and was lucky enough to get a full time job doing similar things after he graduated. His work has taken him from smaller projects to Google and now to doing research on state-sponsored surveillance and hacking with organizations like Electronic Frontier Foundation and First Look Media.

Given the state of global politics, we jumped right into a discussion of how to spot signs of digital authoritarianism. Marquis-Boire emphasized that "digital authoritarianism" is just an extension of the usual "mundane" activities of authoritarian governments. There is no hard line between the digital world and the so-called real world. They're completely linked, and so the political atmosphere in one will spill over into the other. In some ways, he's more worried about secret courts than he is about "cyber."

Still, there are steps that citizens can take to protect themselves, especially if they are protesting their governments. Marquis-Boire said people should think about the fact that their phones can be seized by police, or simply used to track them and their friends. "Think about turning it off," if you're going to a protest, he said. Or take a burner phone with you. Also, most importantly, he said we need to practice "data contraception," which is to say don't spew a bunch of data everywhere.
Don't take pictures that implicate you or your friends in subversive activities. We also talked about which kinds of programs he'd recommend that people use if they're concerned about surveillance. Obviously Signal is great, he said, but also consider using Facebook Messenger, which now has end-to-end encryption. That's because it's a lot harder for a country to shut off access to Messenger. Signal is a small project, so it's relatively simple for a government to shut down Signal traffic if they want to crack down on subversives.

Marquis-Boire also told us about the difference between doing security for a company like Google vs. First Look Media. First Look is the company that owns The Intercept, which has published Snowden documents. So part of his job is protecting those documents, as well as the journalists reporting on them and similarly sensitive information. It sounds difficult, but one of the first things he realized was that he could just store things off the network. That never would have been an option at Google.

We also talked about the DNC hacks, as well as a number of other ways to think about digital security in different contexts. Watch the video to see more!

Ars Technica Live is taking a break in December, but we'll be back in January with a whole year of cool speakers. Look out for us in 2017! Also, you get an early holiday present from us because we've turned all of the Ars Live videos from 2016 into podcasts, which you can listen to at your leisure while you're commuting, playing with wires, or cleaning the cat box. The podcast feed can be accessed in these fine places:

iTunes: https://itunes.apple.com/us/podcast/the-ars-technicast/id522504024?mt=2
RSS: http://arstechnica.libsyn.com/rss
Stitcher: http://www.stitcher.com/podcast/ars-technicast/the-ars-technicast
Libsyn: http://directory.libsyn.com/shows/view/id/arstechnica
Soundcloud: https://soundcloud.com/arstechnica/sets/ars-technica-live

Hello |FNAME|, this is the Obama-bot Drupal chat module speaking

White House open-sources presidential Facebook Messenger chatbot

The White House has open-sourced the bot that president Obama uses to automatically respond to messages sent on Facebook Messenger. Yours for the forking on GitHub the bot is, says White House chief digital officer Jason Goldman, “a Drupal module, complete with easy steps and boiler plate code.”

“This will enable Drupal 8 developers to quickly launch a Facebook Messenger bot. We also left a few lines in the repository describing our hopes for the future of the code and encouraging members of the developer community to get involved.”

Among those “few lines” are one calling for future forkers to “Refactor as much of the code as possible to be usable in a general PHP context, outside of Drupal.” Another says “It would be great to see someone from the community polish the code and contribute it to [drupal.org].” Perhaps unsettlingly, the repository's README says the module could do with better documentation on “fetching and storing a user's info from Facebook.”

The Register is yet to find Republican objections to the bot, but we imagine a 'coder' movement suggesting Obama was never in fact human can't be far off. When that theory emerges we will ignore it, as is proper for the liberal media as part of our efforts to actively rig the election.

Bootnote: Last paragraph is satire. Probably.

Because who knows how deep this conspiracy goes?