It’s Time to Make Our Privacy Tools Easier to Find

Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So in addition to Mark Zuckerberg’s announcements last week – cracking down on abuse of the Facebook platform, strengthening our policies, and making it easier for people to revoke apps’ ability to use your data – we’re taking additional steps in the coming weeks to put people more in control of their privacy. Most of these updates have been in the works for some time, but the events of the past several days underscore their importance.

Making Data Settings and Tools Easier to Find

Controls that are easier to find and use. We’ve redesigned our entire settings menu on mobile devices from top to bottom to make things easier to find. Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place. We’ve also cleaned up outdated settings so it’s clear what information can and can’t be shared with apps.

A comparison of the old settings menu (left) and new settings menu (right).

New Privacy Shortcuts menu. People have also told us that information about privacy, security, and ads should be much easier to find. The new Privacy Shortcuts is a menu where you can control your data in just a few taps, with clearer explanations of how our controls work. The experience is now clearer, more visual, and easier to find. From here you can:

  • Make your account more secure: You can add more layers of protection to your account, like two-factor authentication. If you turn this on and someone tries to log into your account from a device we don’t recognize, you’ll be asked to confirm whether it was you.
  • Control your personal information: You can review what you’ve shared and delete it if you want to. This includes posts you’ve shared or reacted to, friend requests you’ve sent, and things you’ve searched for on Facebook.
  • Control the ads you see: You can manage the information we use to show you ads. Ad preferences explains how ads work and the options you have.
  • Manage who sees your posts and profile information: You own what you share on Facebook, and you can manage things like who sees your posts and the information you choose to include on your profile.

Tools to find, download and delete your Facebook data. It’s one thing to have a policy explaining what data we collect and use, but it’s even more useful when people see and manage their own information. Some people want to delete things they’ve shared in the past, while others are just curious about the information Facebook has. So we’re introducing Access Your Information – a secure way for people to access and manage their information, such as posts, reactions, comments, and things you’ve searched for. You can go here to delete anything from your timeline or profile that you no longer want on Facebook.

We’re also making it easier to download the data you’ve shared with Facebook – it’s your data, after all. You can download a secure copy and even move it to another service. This includes photos you’ve uploaded, contacts you’ve added to your account, posts on your timeline, and more.

The Road Ahead

It’s also our responsibility to tell you how we collect and use your data in language that’s detailed, but also easy to understand. In the coming weeks, we’ll be proposing updates to Facebook’s terms of service that include our commitments to people. We’ll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency – not about gaining new rights to collect, use, or share data.

We’ve worked with regulators, legislators and privacy experts on these tools and updates. We’ll have more to share in the coming weeks.

What does the National Cyber Security Centre (NCSC) think of password managers?

People keep asking the NCSC if it’s OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them – private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?

This is a big topic, so we’re chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you’re an individual deciding whether and how to use a password manager for your personal use. If you’re looking for business use, this blog post won’t hold all the answers you need (look out for more from the NCSC on this soon).

Should I use a password manager?

Yes. Password managers are a good thing.

They give you huge advantages in a world where there’s far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

All these things are full of win. They reduce security friction – making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we’re trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.

Well, that all sounds great. Where’s the catch?

You might be thinking “If password managers are this good, why haven’t you recommended them before now?”

Well, they do have some drawbacks:

  • Password managers are attractive targets in themselves. They’ve been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
  • If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
  • You can’t use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you’ll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you’ve got most of your passwords out of your head and into the password manager.

Should I use a browser-based password manager?

Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser – so they know when you’re on a website that needs a password, and they just pop up and do their thing. You don’t even have to remember a separate master password. So feel free to use the built-in password manager, provided that:

  1. You keep your web browser up-to-date.
  2. You have some kind of access control on your device, such as a PIN, password or biometric.

…two things you should be doing anyway!

One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere – unless you use the same web-browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.

Should I use a standalone password manager?

Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they’re on. They give you a little more control over when and where you use your passwords, as you get to press a button to say ‘I want to use the password please’, rather than the web page in the browser requesting one when it feels like it. Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:

  • notifications about compromised websites
  • flagging up reused or weak passwords
  • prompting you to change old passwords*
  • helping you change passwords for some websites, by integrating with your browser
  • multi-factor authentication

How do I do this, then?

As with many things, there are lots of different ways of going about this. This is what I do myself:

  1. First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
  2. Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it’s not already on) for extra protection.
  3. Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
  4. If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it’s much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
  5. Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
  6. Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.

Finally, think about how important each password is to you for each account. If someone discovered this password, would it result in:

  • your life being ruined?
  • your bank refusing to refund any losses?

If the answer to either is ‘yes’, then I wouldn’t put it in a password manager. For these cases, a password shouldn’t be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.

For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager. Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.

A future without passwords?

Long-term, I think the success of password managers shows – yet again – that password-based authentication has outstayed its welcome. Passwords are supposed to be ‘something you know’, but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it’s really time to move on. The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we’re also working on some guidance on how best to use password managers in organisations – look out for this soon.

Password managers are a good thing – for now. But we hope not forever.

Source: What does the NCSC think of password managers? – NCSC Site

The top 8 frauds to watch out for in 2018

A new report from NatWest has identified the top ways they expect fraudsters will try and get their hands-on people’s cash in 2018. NatWest has worked with research agency The Future Laboratory to analyse data from the last 18 months to predict eight frauds expected to emerge in 2018.

Eight scams to watch out for in 2018 

  1. Social media spying. People might not realise how much information they are giving away, but to a fraudster the posts can be very helpful in setting up a scam.
  2. Malicious software on smartphones. It is expected that malware or malicious software threats will grow among mobile devices.
  3. Bogus Brexit investments. Consumers should be wary of fake investment opportunities. For example, fraudsters may email customers, warning Brexit will affect their savings, and that they urgently need to move them into a seemingly plausible, but actually fake, investment product.
  4. Fraudsters preying on World Cup excitement. Some fraudsters will sell football tickets that are either fake or will never arrive. It is also expected that “package trips” will be offered by fake travel companies. Always buy tickets from a reputable source.
  5. Money mules. Mule recruiters may trawl social media for potential targets, particularly cash-strapped students in university towns, and use them to inadvertently launder money. Money mules receive the stolen funds into their account; they are then asked to withdraw it and send the money to a different account, often one overseas, keeping some of the money for themselves.
  6. Wedding excitement. Experts fear couples could be easy prey for fraudsters who tempt victims with extravagant offers at bargain prices. Fraudsters can set up fake websites for elements of the big day like venue hire, catering, or wedding dresses that appear very realistic. Fake wedding planners will take people’s money and then disappear.
  7. Romance scams. Criminals create fake profiles to form a relationship with their victims. They use messaging to mine victims’ personal details to use for identity fraud. Or, just when the victim thinks they have met the perfect partner, the fraudster asks them for money.
  8. Scams aimed at first-time buyers. Computer hackers monitor emails sent by a solicitor to a first-time buyer and then they pounce, pretending to be the solicitor and telling them the solicitors’ bank account details have changed in order to steal cash.

Julie McArdle, NatWest security manager said: “Scammers are dogged in their attempts to get their hands on people’s money and are always looking for new ways to get ahead. This means banks and customers need to evolve alongside scammers too. By being aware and staying ahead of scammers, we can stop them winning and keep the country’s money safe and secure.”

If you think you have been a victim of fraud you should report it to Action Fraud by calling 0300 123 20 40 or by using the online reporting tool.

No excuses: how to tighten up your online security in 10 minutes | Cyber Aware | The Guardian

It’s one of those “it’ll never happen to me” things. Sure, we’ve all got a friend whose cousin had their identity stolen online, but cybercrime is so uncommon, isn’t it?

Not according to an Office for National Statistics survey. There were 3.7 million victims of fraud and computer misuse in the year ending September 2017, meaning you are 35 times more likely to encounter it than robbery. The good news is there are very simple things you can do to tighten up your online security right now, according to the government’s Cyber Aware campaign, which has been set up to help the public and small businesses better protect themselves from cybercrime.

Don’t say ‘remind me later’ to updates
It’s tempting to flick away a software or app update reminder, telling yourself you’ll do it tomorrow, but updates are crucial to help protect devices from viruses and hackers. They’re designed to fix weaknesses in software and apps that hackers could potentially take advantage of. Set up your devices so updates are done automatically or, even better, at night when you’re sleeping.

Pa55word! is not gonna cut it any more
Cyber Aware says passwords are prime territory for hackers – so it’s high time you gave up using your dog’s name. Make sure you use strong, separate passwords for your most important accounts like your email, so that if hackers do manage to steal your password for, say, your fitness app, they can’t use it to access your banking app. Try using three random words which you can supplement with numbers and symbols, for example, 4wartschickenbath32£.

You should also use two-factor authentication, when available, to protect your email account, a handy tool to give it an extra layer of security. New research from Experian and Cyber Aware reveals that over half of all those surveyed aged 18-25 reuse their email password for other accounts – putting their cybersecurity and identity at risk. As a result, they’re urging Brits to help protect their email accounts from hackers with a strong and separate email password through the just-launched #OneReset campaign.

Set up screen locks
Did we say dead simple? Yes, this is about as easy as it gets in making your online security watertight. All devices should go to lock mode when you’re not using them. Pins, patterns or passwords to unlock them shouldn’t be easy to guess, like 1, 2, 3, 4 or an L shape (we’ve been through this, you’re better than that).

Back up, back up, back up
The one golden rule of smart online behaviour is to back up your data regularly. If your device is infected by a virus, malware or is hacked, you may not be able to access your data as it could be damaged, deleted or held to ransom. Use an external hard drive or the cloud to save copies of your photos and documents, but make sure the external hard drive is not permanently connected to the device – either physically or over a wifi connection – as it could become infected too.

Not all wifi is created equal
We all love a bit of free wifi, but be careful about using public hotspots to transfer sensitive information like credit card details. Hackers can set up networks, enabling them to intercept information you’re sending online. So it’s best to do your online banking and shopping on a trusted network.

‘Jailbreaking’ is a no-no
Here’s one for the more tech-savvy. “Jailbreaking” or “rooting” your smartphone means disabling software restrictions set up by the manufacturer so you can download apps and tools which aren’t available through official app stores. Doing so leaves your phone vulnerable to malware and invalidates the warranty of the device. You will also stop receiving software updates, which, if you’ve been paying attention, is bad news.

Spot the imposters
Cybercriminals can set up fake websites that look very similar to the real thing, in an effort to get you to share sensitive information such as your bank details. There might even be a padlock or “https” in the address bar but check thoroughly for misspelled names, and logos and design features that don’t quite look right. Wherever possible, type the address of the website directly into the browser yourself, or find the website using a search engine. If you notice something is up, get out quickly.

Resist the urge to open suspicious links or attachments
Haven’t heard from your cousin John in eons and he’s now sent an email with a link to win a free iPhone? Back away. Even if something arrives in your inbox supposedly from someone you know or a company you trust, it could be fake. Never respond to suspicious or unexpected emails, as this will let the sender know your email address is active. Flag it as spam and send it to trash where it belongs.

For advice on simple ways to be more secure online, visit the Cyber Aware website

Source: No excuses: how to tighten up your online security in 10 minutes | Cyber Aware | The Guardian

Common fraud threats

Being aware of common threats, knowing how they work and what to look out for can help to protect you against falling victim to fraud.

Here are some of the common techniques fraudsters attempt to use to trick you into giving away your personal information, banking details or even access to your computer.

Scam emails, texts or social media messages (Also known as Phishing and Malware)

Fraudsters send fake messages which appear to be authentic and from legitimate organisations.

Scam telephone calls (Vishing)

Fraudsters may phone you out of the blue and claim to be from the bank, police, or other reputable organisations, in an attempt to obtain your personal information and banking details.

Investment scams

Investment scams or get rich quick scams happen when fraudsters pose as pushy salespeople and trick you into putting your money into a fake investment.

Pension scams

Pension scams happen when fraudsters pose as pension advisors and trick you into releasing your pension early or transferring your money into bogus investments that are guaranteed to grow in value and make you lavish returns.

Romance Fraud Scams

Online dating can be a wonderful way to get to know someone and find love, but it’s also a common way for fraudsters to scam you.

Invoice re-direction scams

Invoice re-direction scams can result in losses that run into hundreds of thousands of pounds. It happens when a fraudster tricks a business into changing bank account payee details for a known supplier.

How to protect your browser from Unicode domain phishing attacks

It’s easy to be tricked by a Unicode URL.
Author: Graham Cluley

Published February 22, 2018 6:11 pm in Phishing, Vulnerability, Web Browsers

Do you trust аpple.com?

Of course you do! So, do you feel okay about visiting the website at https://www.аpple.com?

The URL I’ve linked to isn’t the real Apple technology company that makes shiny iPhones, HomePods, and iMacs. Instead, it’s a Unicode domain which – rather than using the conventional ASCII characters that make up the vast majority of websites you’re likely to visit – contains foreign characters.

So the “а” of аpple.com is actually a Cyrillic “а” (U+0430) rather than the ASCII character “a” (U+0061).

What’s that? You couldn’t tell the difference? No, neither can I. And, as we’ve described before, that’s a problem that phishers and online crooks are only too happy to take advantage of in their pursuit of your passwords and other sensitive information. You see, it’s not just “а” and “a” that can be mixed up. There are countless ways in which bad guys can take advantage of the many Unicode characters that look remarkably similar to common ASCII characters. Which means that you and I are at risk of visiting a site believing it to be legitimate, when in fact it’s designed to scam us in what is known as an IDN Homograph attack.

Browsers are beginning to get better at warning users when they visit a site with an internationalized domain name (IDN), with some now displaying the URL in the browser bar in its Punycode form. That means you might spot you’re visiting xn--pple-43d.com rather than the real apple.com. But human nature means that we will more often than not fail to check the browser bar, and not notice that we’re not on the website we intended. For that reason, I strongly recommend that you get some help.

There are a range of browser extensions and plugins that can warn you when you visit a website with an internationalized domain name. Having tried a few solutions, my preference is for a browser add-on called IDN Safe. IDN Safe not only warns you that you are visiting a URL with an internationalized domain name, but it also *blocks* the webpage (which is far more likely to grab your attention!).

Of course, if you *did* want to visit that URL it would be a nuisance if you were now being blocked from reaching it. So, IDN Safe includes a whitelist feature to allow you to visit specific sites that you decide are legitimate.

IDN Safe isn’t for everyone. In particular, if you are – say – Chinese and in the habit of visiting websites that take advantage of internationalized domain names you may find it a ruddy nuisance. But, for most of us, I think it’s a sensible addition to our security toolbox – and may stop you from being phished or scammed one day.

Furthermore, Firefox users may benefit from making a change to their browser settings which will force the Punycode version of the URL to be displayed in their browser bar.
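The look-alike check the article describes, as an added example (not the article's code and not the IDN Safe add-on): a Python script, standard library only, that converts a hostname to the Punycode form a browser would show and flags labels that mix scripts or that imitate an ASCII name once a few well-known confusable letters are swapped back. The function names, the small confusables table and the decision rule are this example's own; the table is a hand-picked subset, not Unicode's full confusables list.

```python
"""Spot look-alike (IDN homograph) hostnames and show their Punycode form.

Added example, not code from the original article or the IDN Safe add-on.
Standard library only: the built-in 'idna' codec gives the xn-- form a
browser shows when it declines to render a Unicode label directly, and
unicodedata.name() tells us which script each letter belongs to.
"""
import unicodedata

# Scripts whose lowercase letters are frequently indistinguishable from
# Latin ones in common fonts. Anything else is grouped as "other".
_SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")

# Hand-picked subset of letters that render like an ASCII letter, mapped to
# the ASCII letter they imitate. Unicode's full confusables table is far
# larger; this example deliberately uses only a few well-known pairs.
_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",  # Cyrillic ѕ ј һ ԁ
    "\u03bf": "o",                                                # Greek omicron
}


def char_script(ch):
    """Script of a letter ('latin', 'cyrillic', ...), or None for characters
    such as digits and '-' that legitimately appear in any label."""
    if ch.isascii() and not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for prefix in _SCRIPT_PREFIXES:
        if name.startswith(prefix + " "):
            return prefix.lower()
    return "other"


def to_punycode(hostname):
    """Punycode (xn--) form of a hostname; ASCII hostnames come back unchanged."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(char_script, label) if s is not None}


def skeleton(label):
    """Label with each confusable letter replaced by the ASCII letter it
    imitates, so 'аpple' (Cyrillic а) becomes 'apple'."""
    return "".join(_CONFUSABLES.get(c, c) for c in label)


def analyse_hostname(hostname):
    """Classify a hostname. 'suspicious' is set when a label mixes scripts
    or when replacing confusables yields a different, all-ASCII name."""
    lowered = hostname.lower()
    labels = lowered.split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    skel = ".".join(skeleton(lab) for lab in labels)
    looks_like = skel if (skel != lowered and skel.isascii()) else None
    return {
        "hostname": hostname,
        "punycode": to_punycode(hostname),
        "is_idn": not lowered.isascii(),
        "mixed_script_labels": mixed,
        "looks_like": looks_like,
        "suspicious": bool(mixed) or looks_like is not None,
    }


if __name__ == "__main__":
    # Constructed sample hostnames: the article's Cyrillic-а example, the
    # genuine name, and a legitimate all-CJK IDN that must not be flagged.
    for host in ("\u0430pple.com", "apple.com", "\u5317\u4eac.cn"):
        print(analyse_hostname(host))
```

The all-CJK sample is there on purpose: a single-script, non-Latin label is a normal internationalized domain and is reported as an IDN but not as suspicious, which is the distinction the article draws between legitimate IDN use and a look-alike of an ASCII brand.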

Martin Lewis slams new Facebook Messenger scam using his name and picture – what to watch out for

MoneySavingExpert.com founder Martin Lewis has said he’s “sickened” by a new scam which tries to trick victims using his name and profile picture on Facebook Messenger.

The worrying new con, which involves the trickster pretending to be Martin and privately messaging people, is the latest disturbing twist in the trend of fakers using Martin’s reputation to try and fool victims into signing up for things such as binary trading scams, or dodgy investments.

Update 7pm Tue 13 Feb. We’re pleased to hear that Facebook has now disabled the account in question for violating its policies. It says: “Fraudulent or misleading activity is not allowed on Facebook and we’re constantly working to detect and shut it down using a combination of automated and manual systems.” However we’re continuing to warn users in case it happens again – let us know if you spot a scam at news@moneysavingexpert.com.

See our Fake Martin Lewis Ads guide for a list of scams we’ve seen and what to watch out for.

Martin: ‘This isn’t me – please help me spread the message’

Martin said: “I’m sickened that yet again people are trying to take my good name and reputation and con vulnerable people.

“I don’t use private messages with anybody. Please help me spread the word that this is not me, these people should not be trusted, they are liars and possibly thieves and nobody should have anything to do with them or engage with them in anyway.

“While we have reported this to Facebook I don’t have much faith in its mechanisms to deal with this, and so we have to rely on spreading the message among each other.”

‘No, you’re not Martin’: how the scam unfolded

We were quickly alerted to this latest scam by some savvy MoneySavers, who saw through the con. Here are some of the messages they received:

To be clear, this WASN’T a message from the real Martin, he doesn’t use private messages on Facebook and the messages are completely bogus.

Here’s how to report a message to Facebook

You can report and block dodgy messages you receive in Facebook, but how you do it depends on whether you’re using Facebook itself or its Messenger app:

  • To report a message on Facebook… open the conversation you want to report and click the settings icon, then click ‘report’ and a message will pop up saying you can fill out a full report in the Help Centre. Afterwards you can open the message, click settings and click ‘block’.
  • To report a message on Messenger… you can report a conversation by filling out this form. To block messages, open the conversation, click on the person’s name at the top and then ‘block’.

What are we doing about it?

Unfortunately we get many reports about firms and individuals either impersonating or claiming fake endorsements from Martin and MoneySavingExpert.com and leeching off the hard-earned trust people have in us.

We have reported this latest scam to Facebook, the Financial Conduct Authority and Action Fraud, and are continuing to warn people as quickly as possible about any new tricks such as this one.

We regularly update the Fake Martin Lewis Ads guide with examples of scams we’ve seen. If you spot a scam using Martin’s name or image, please email our news team.

Source: Martin Lewis slams new Facebook Messenger scam using his name and picture – what to watch out for

Over 700,000 bad apps removed from Google Play store in 2017 – Naked Security

There were a number of stories last year about malicious apps, or those with massive security holes, making their way to Android phones via the Google Play store.

It seems like those high profile stories were just the tip of the iceberg. In an announcement earlier this week, Google said that last year alone it removed 700,000 ‘bad apps’ and stopped 100,000 bad app developers from sharing their apps on the Google Play store. If the app number sounds high, it is: It’s a 70% jump from 2016.

Google classifies ‘bad apps’ as those that have inappropriate content (like pornography), install malware on target operating systems or steal data, or are copycats of other legitimate apps.

Last August, Google rolled out Google Play Protect to stop the ever-increasing number of malicious apps from popping up in Play. Play Protect uses machine learning to continuously figure out what kinds of behaviors bad apps adapt, to try and spot them in the wild.

We reported on a number of the bad apps in the Android ecosystem last year: Some of them installed malware with malicious, persistent pop-up ads, other apps used malware like SonicSpy to steal private data from their users, others went even further and behaved like ransomware on the phone, holding data hostage. These apps often impersonated legitimate, popular apps like WhatsApp and Pokemon GO to convince unwitting users to download and install them, which is why copycat apps aren’t just an intellectual property issue.

What to do?

  • Stick to Google Play. In the post, Google writes that 99% of apps with abusive content were discovered and removed before anyone even downloaded them. Although that still leaves 7,000 bad apps that got through last year, it’s still safest to download apps from the Google Play store than to go rogue and download apps elsewhere online. Many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, you’ll be protected even if something slips through the cracks and into the Play store.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features.

Source: Over 700,000 bad apps removed from Google Play store in 2017 – Naked Security

We are the Cyber Champions

The certification of 21 new Cyber Champions has followed an event staged by Nuneaton & Bedworth Neighbourhood Watch Association (N&BNWA). All are active volunteers in their own localities serving their neighbours by helping protect them from harm.

When it first started in 982 its focus was very much on enabling neighbours, by banding together and working closely with their local police, to protect themselves from the impact of threats such as burglary, criminal damage and vehicle crimes. How things have changed! Although those original threats have not gone away the greatest current threat is cybercrime.

N&BNWA’s response to this developing threat began in earnest following a challenge issued at its 2015 AGM by then Deputy Police & Crime Commissioner Dr Eric Wood – “…… and what are you going to do about it?” We began by making use of DISC (Database & Intranet for Safer Communities) to improve the efficacy of our communication network.

This was followed in 2016 by the organisation, in conjunction with NW colleagues from across Warwickshire, of a Combating Cybercrime Conference. Its aim was that each of the five district NW associations would be able to develop and implement an effective action plan.

By early 2017 N&BNWA had developed and adopted a Combating Cybercrime Policy supported by an operable, rolling action plan. Alert messages and advisory cybersecurity information items are posted regularly on DISC, on Twitter @NunBed and on the website www.nbnwa.net. Very recently the launch of a Nuneaton-wide network of interlinked, closed Facebook groups has considerably enhanced our capability to deliver the Combating Cybercrime Action Plan.

And following the Community Champion’s event, so excellently facilitated by Warwickshire County Council Cybercrime Advisor Sam Slemensk, N&BNWA now has a cadre of up-skilled volunteers to support the delivery of the action plan.

WhatsApp group chats not as secure as users might believe

Researchers have discovered flaws in the way WhatsApp’s messaging app handles secure (encrypted) group communication, which could result in unauthorized users getting added to closed groups and monitoring future conversations within them.

The problem with WhatsApp:
Paul Rösler, Christian Mainka, and Jörg Schwenk analysed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s).

The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.

As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.

“When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.”

What now?
The main problem is this: end-to-end encryption, which WhatsApp purports to offer, should not depend on uncompromised servers. “We haven’t entirely achieved this yet, thanks to things like key servers. But we are making progress. This bug is a step back, and it’s one a sophisticated attacker potentially could exploit,” Green noted.

The researchers disclosed their findings to WhatsApp last summer. WhatsApp said that the “group invitation bug” is a theoretical danger that’s additionally minimized by the fact that users will receive a notification about a new user joining the group. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages. That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient “group invite link” feature.
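The two designs contrasted above, as an added example (not WhatsApp’s code and not from the article or the researchers): a Python model in which a client either applies whatever “add member” notice the server relays, or applies it only after checking that a current group admin authenticated exactly those fields. The admin’s signature is stood in for by an HMAC under a key only the admin holds, so the server cannot produce a valid tag; a real protocol would use a public-key signature (Ed25519, for instance) so members can verify without sharing the admin’s key. The message fields, the nonce-based replay check, and the class and function names are this example’s own assumptions.

```python
"""Group membership updates: server-trusted versus admin-authenticated.

Added example, not WhatsApp's code and not from the original article.
It models the two designs the article contrasts: clients that act on any
"add member" notice the server relays, and clients that first check the
notice was authenticated by a group admin.  The admin's signature is
stood in for by an HMAC under a key only the admin holds; a real protocol
would use a public-key signature so members need not share that key.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(group, signed_by, new_member, nonce):
    """Deterministic byte encoding of the fields covered by the tag."""
    body = {"group": group, "signed_by": signed_by,
            "new_member": new_member, "nonce": nonce}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_signed_add(admin_id, admin_key, group_id, new_member):
    """Admin side: build an 'add member' update and authenticate it."""
    update = {"group": group_id, "signed_by": admin_id,
              "new_member": new_member, "nonce": secrets.token_hex(8)}
    update["tag"] = hmac.new(admin_key, _canonical(**update),
                             hashlib.sha256).hexdigest()
    return update


class Group:
    """One member's local view of a group."""

    def __init__(self, group_id, admins, members):
        self.group_id = group_id
        self.admins = set(admins)
        self.members = set(members)
        self.seen_nonces = set()

    def apply_add_unverified(self, update):
        """Server-trusted path, as the article describes: the client cannot
        tell an admin's request from one the server made up."""
        if update.get("group") != self.group_id:
            return False
        self.members.add(update["new_member"])
        return True

    def apply_add_verified(self, update, admin_keys):
        """Hardened path: accept only if a current admin authenticated exactly
        these fields, and the update has not been applied before."""
        if update.get("group") != self.group_id:
            return False
        signer = update.get("signed_by")
        if signer not in self.admins or signer not in admin_keys:
            return False                      # unknown or non-admin signer
        fields = {k: update.get(k)
                  for k in ("group", "signed_by", "new_member", "nonce")}
        expected = hmac.new(admin_keys[signer], _canonical(**fields),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(update.get("tag", ""))):
            return False                      # forged or tampered update
        if fields["nonce"] in self.seen_nonces:
            return False                      # replay of an old update
        self.seen_nonces.add(fields["nonce"])
        self.members.add(fields["new_member"])
        return True


def run_scenario():
    """Constructed scenario: a server relays an add that no admin requested."""
    admin_key = secrets.token_bytes(32)
    admin_keys = {"alice": admin_key}         # what members know about admins
    forged = {"group": "family", "new_member": "mallory"}  # no admin behind it

    trusting = Group("family", admins={"alice"}, members={"alice", "bob"})
    results = {"forged_accepted_by_trusting_client":
               trusting.apply_add_unverified(forged)}

    verifying = Group("family", admins={"alice"}, members={"alice", "bob"})
    results["forged_accepted_by_verifying_client"] = \
        verifying.apply_add_verified(forged, admin_keys)

    genuine = make_signed_add("alice", admin_key, "family", "carol")
    results["genuine_accepted"] = verifying.apply_add_verified(genuine, admin_keys)

    # Server forwards the genuine update but swaps in a member of its choosing.
    tampered = dict(genuine, new_member="mallory")
    results["tampered_accepted"] = verifying.apply_add_verified(tampered, admin_keys)

    # Server re-sends the genuine update later; the nonce check rejects it.
    results["replay_accepted"] = verifying.apply_add_verified(genuine, admin_keys)

    results["trusting_members"] = sorted(trusting.members)
    results["verifying_members"] = sorted(verifying.members)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the verified path is the one Green makes: once the update carries an authenticator that only an admin can produce, and the client checks both the authenticator and that the signer is currently an admin, the server is reduced to a relay and can neither invent an add nor alter a genuine one. The notification WhatsApp relies on still fires in both designs, but only the verified client refuses the forged member.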