Thursday, June 26, 2014

Incognito mode for Phone calls ?

Your phone call-log reveals lot about you: Your Phone call-log is equally important as your emails, online accounts as it can reveal huge amount of information about you. What kind of person you are and what you do. What you work on and to whom you talk to frequently. Over the time it grows and maintains critical info about you, your relationships, your work, your friends, your business, your food orders and your health.



Your phone call-log is not private any more:
This info can be used in multiple ways to map your identity and people you communicate too.  And it's too easy to capture this info and send it across to third-party. You just have to install an app(e.g. games on android) that reads your call log and send it to third-party server; which happens behind the scene while you enjoy games. Thereon your call-log can be sold/shared/investigated and can become public information.

Your call-log can provide sensitive info based on where you work. Companies provide BYOD (Bring your own device) policies for employees and secure it with PIN and encrypted emails. However call log is still available games employees install and play and can be passed on to third-party. Are you working in defense, research, mission critical projects, marketing, sales ?  You better maintain your call-log!

Call-log gets backed up:
Many of the apps do backup your call-log so as to provide a backup service to you. Again this info is stored on servers and multiple copies are maintained. If your on-line account to that maintains backup is hacked all your info is then in hands of hackers and thus public.

Solution is to maintain privacy and be aware about your call-log: 
1. Ensure that you are not installing apps that needs permission to you call log and other personal data
2. Ensure you delete/hide call log of important calls. Use 'Private Call' app. This app auto-deletes call-log for incoming/outgoing/missed call and no data is available for anyone to see or any app to read.

Idea behind Private Call app: Auto-delete call log entries of private conversations and provide incognito mode for your phone calls.

How Private Call app works:
- It auto-deletes call-log for specified private contacts
- Incoming / outgoing and missed call-log get deleted at the end of call
- Provides password access to private contact list and private call-log
- You can hide the this app(using other icon hide app) and still launch it using ##PIN in dial pad
- Its free! If you need to add more than 5 private contacts then it provides in-app purchase to go-premium

Various purposes you can use Private Call for: You can think of any discussions e.g.  private calls, business Calls, secret/research projects calls, relationship calls, marketing and sales deals that happen over series of phone calls.

Google Play link : https://play.google.com/store/apps/details?id=com.petalapps.privatecall




Monday, June 16, 2014

3 Key privacy settings in Facebook you should care about

Facebook is now the social networking norm and everyone connecting to internet is on Facebook or soon will get on it. No big deal with having a Facebook account and actively using it daily. Kids start Facebook at 13 (officially) and will go till you are alive. It's going to capture all your life events and map it in its timeline.

You are one of those Facebook users who share things, who over-share or under-share. But you do share! If you don’t then your friends share info about you by means of tagging. Ultimately there is info about you shared directly or indirectly.

There is ton of info that can be shared and people do share it without a second thought. And this gets into Facebook permanently(even if you delete your account).  This info can then be used by public/friends and is no more private.

Knowing that you will hold Facebook account for lifetime, it's important to review privacy settings and manage who can see your shared info. Here are the key privacy settings that you should set

1. Who can see my stuff? 

Manage who can see all that you post on Facebook with this settings. Mark it to 'Friends' only when you share instead of public. Facebook also allows you to control this settings per post that you share so keep a close eye on what you are sharing and whom do you wish that to be seen. Do review your existing post for friends/public sharing.

Facebook > Settings > Privacy


Review sharing option when you are about to post your new photo or status


2. Manage photos that your friends tag you in:

Photo tagging feature is great. It lets your friends tag you in photos they share. Good thing Facebook does is that it lets you control your photos before it gets to anyone. You can get selectively in adding photos to your timeline even though your friends shared those publicly. Each photo a friend shares of you can be allowed/hidden by you before it gets seen by anyone. Unless you allow, no one will see those or appear in any search results by your friends.



3. Review how others see your timeline:

Facebook provides mechanism for you to see how others (public/friends) see your profile. It is very useful to know how your profile/timeline looks when third-party or your friends see it. It will help you hide few things or promote few things in case you missed category.





Hope this helps to keep your private info with your friends rather than making it public. Do post in for your comments below.

Tuesday, June 10, 2014

iOS8 Randomize MAC address for privacy - Great Win!

Apple announced bunch of privacy & security features in their 2014 WWDC keynote and one of them is randomizing MAC address. This alone is a great feature and would like to see this become industry standard.

With iOS8 all Apple handheld devices will generate random MAC address while it scans for Wi-Fi network. Doing this protects your privacy by on the go as no one can track you uniquely at a given location. Read my other blog on Wi-Fi tracking to know more on how MAC address can be used to map your location.

So what is MAC Address anyway? 
MAC address is unique hardware address of your network device. These are unique within network to identify a device and route network traffic to correct device. It is a 6 byte long ID that maps your network device (iPhone, iPad, Android, Laptop, desktop,  TV, and all devices that connects to network) on network. This does not change and is set by device manufacturer.

How is MAC address used ? 
When your device does connect to any network, it uses MAC address to uniquely identify itself and uses it to communicate over network. With Wi-Fi enabled, your device scans for known Wi-Fi networks that you often connect. When a Wi-Fi scan is done, it sends out your devices MAC address to check if Wi-Fi network is available and if so Wi-Fi router will send you message back to your MAC address.

With continuous Wi-Fi scan, your MAC (unique address is broadcasted) and that can be tracked by anyone around you to know your presence.

Privacy Issue with MAC Address:
As MAC address is unique and does not change, this is actively used to know more about people and track them as they carry smartphone or ipod/ipad. Your device always sends out network packet in air to scan for Wi-Fi network and leaves behind the traces of your device and indirectly you. Any mall or airport or hotel you visit knows you have been there and how long by mere presence of your smartphone.

This data about your smartphone can then be shared among multiple malls/hotels to trace you as an individual and track your footprints. A major privacy issue!

What's the advantage of MAC address randomizing? 

  • Apple device now will generate unique MAC address and thus no one can track your presence and map it to you. You gain high level of privacy by not allowing anyone to know you were present at any location.
  • Malls use Wi-Fi tracking to know more about customers visiting and how long they are in store and how often they visit. This data can then be shared. With MAC randomizing, your individual mapping is broken and there by giving you privacy on the move. 

 
My earlier blog details about Wi-Fi tracking and this solution from Apple works great. Solution detailed by Apple is going to add privacy support for individuals. I am sure this will be adopted by Android and Microsoft too. Great work Apple!

Monday, June 9, 2014

Secure your confidential emails using PGP encryption

Email is the here to stay for long time, though we have moved to chat, voice call, video /skype calls, twitter and Facebook messages. Good amount of information is communicated over emails and that is part of our daily routine.

Many times we do need to send confidential information via email and we do share critical info using email. This info is then maintained on servers forever - one copy on your account and other on receivers account and can be read / sniffed by people who owns the servers/data. Also servers are backed up and they do ensure users emails are not lost in case of any failure. In practice your confidential info has many copies around the globe that can land up in anyone's hand.

We all do use popular email services like, gmail/outlook/yahoo/etc. and they do provide secure login over HTTPS/SSL. Email you sent is encrypted from your computer to gmail (as example) server. This email is then forwarded to receivers email server in clear text(un-encrypted format) and can be sniffed by various networking tools.

Web emails (Gmail, yahoo, outlook, etc.) store your emails as you draft/compose them. Every line you type gets backed up immediately. Any confidential info that you typed gets stored on server and even if you remove/delete those lines, there is already a backup created on servers to refer for Google (example). Thus even if you wipe out confidential content from your email before you send, its still now maintained on server forever and you cant remove it!

How do you then send confidential info that only receiver can read it ? How can you ensure that you email stored on servers is encrypted ?

Solution is to use PGP (Pretty Good Privacy) technology which was invented in 1991 by Phil Zimmermann. Yes, its been long time that technology to secure emails is available, however its complicated setup that keeps people away from usage. There are right set of tools available for you to make it easy and send secure emails right from your browser.

With extensive internet usage in our daily routine and our data in cloud, you need to protect your confidential data in all forms. You need to manage your confidential data the way its transferred & stored. PGP comes in handy here and learning it will help you in long run.

How it works?
PGP uses modern day Public-Private key encryption model combined with conventional secret key for faster encryption.  People who wish to send secure emails, need to create a public & private key pair using tools(listed below). Public/private key is nothing but a big mathematical value used to encrypt and decrypt a message. Public-key part of it can be shared with everyone whereas private-key part is to be stored securely and not to be disclosed to anyone. Any message/text, encrypted by public-key can be decrypted only with Private-key is the rule.

To use PGP, you need to first generate public-private key pair. You then need to share your public-key to people so that they can encrypt their message using your public-key and you can then decrypt that message using private-key. If you wish to send secure email, then you need to get receivers public key for encrypting the message.

In PGP, a session key or secret-key is also involved. This is to speed up encryption/decryption of your email. This secret-key is generated randomly when you send email and is only used for that email communication. Secret-key is then encrypted using receivers public key.



What do you achieve using PGP ?

  • Only receiver can read your emails 
  • No one with access to email servers can read / decrypt your emails or modify it 
  • Your data is secure while its transferred from one server to another 
  • With additional PGP setup, you can ensure that the email is coming from trusted friend and that no one on the route has seen or modified it. 

 
What are high level steps that I need to take ?

  • Create Public-Private Key pair using tools 
  • Share public-key with friends 
  • Store Private-key securely and no one should have access to it 
  • Use PGP tools to encrypt emails and send it 

 
Mailvelope as browser extension tool for PGP: 
There are couple of client side tools that you need to use to create public/private keys and then use them in local email client(outlook/thunderbird/etc.). Instead of that there is a better option - Mailvelope. This addon is available for Chrome and Firefox. https://www.mailvelope.com/

Mailvelope has resolved the complexity behind PGP and made it easy for every day internet users. Here is video that explain how to setup and use Mailvelope




How to secure you public/private keys:

  • You should be using password manager for storing your passwords. These password managers generally provide secure notes or text boxes for additional notes. Use them to store your public/private keys. Do export keys from Mailvelope and store them in your password manager. 
  • Do not setup Mailvelope on public computer. Uninstall mailvelope if you no longer use laptop to send / receive emails 

Monday, May 26, 2014

Don't open short URLs if you get from unknown / un-trusted sources!

Many of us on internet have already came across short URLS/links that when clicked take it actual webpage. In many cases you would have wondered what this link is and where is it going to take me?  e.g. http://goo.gl/dFr2Xp which point to my another blog article.



What are short URLs? 

URL shortening is technique used on internet to shorten the long URL/link to a smaller one and that redirects to actual URL when clicked. Its very useful in many cases, e.g. for twitter wherein message length is small and you wish to share a link.  Or you bought a book and it has website references using short URLs.
Long URLs are the way websites are developed and needs extra descriptive parameters and values that needs to be passed. E.g. see URL for this blog above, its the way blogger creates a link based on blog title. By shortening URLs, it becomes easy to pass on and type without errors
 

Advantages it brings in:


  • Short in nature and easy to type in from non-digital media (books, billboards, banners, posters, etc.) 
  • Takes small size and looks neat instead of long URLs 

List of popular services that provide short URL:  

http://bit.ly
http://tinyurl.com
http://goo.gl (From Google)
http://t.co (From Twitter)

Issues due to short URL: 

Don’t know what's hiding behind the short URL: This is one of the most dangerous part of short URLs. It may be a safe link and serves the purpose for you, or it may land up in malware and unwanted websites which you never wished to visit. There is no way for user to know if you may face any issue by clicking a link. This is the main advantage which is exploited by hackers and malware writes to  hide behind a cute looking  URL.  

There has been many more services which has been closed down just due to the fact that users used it extensively to redirect users to po-rn or malicious websites.

If short URL comes from unknown/un-trusted sources, its better to not click/open it.
 
Privacy issue : With four to five major players in this field of short URL, and many websites/users using it, it poses privacy issues to users. Webservers providing short-url can track you as user and collect info about you to know which sites you visit and pass on this info to third-party. It can track your computer address (IP), links you clicked over time and your behavior with short-urls.

TinyUrl.com was known to distribute Spyware: Not all short-URL services are safe and you cannot trust them. Tinyurl.com has been known for distributing spyware as per wikipedia reports. Files may get downloaded automatically as you navigate with short-url and if you open them, it monitors all your actions and note the keys you type in.

Websites have stopped using short url in post: Wikipedia and few more websites have stopped using short-urls due to above reasons. Any short URLs entered get ignored and post cannot be saved.

Solution :


  • Don’t be click master. Avoid clicking on short URL believing everything is going to be safe.  
  • If you get short-URL from unknown/untrusted sources, then better not click it. 
  • Do no click short URLs in SMS, IM, Whatsapp, emails, blogs and Facebook post. 
  • McAfee also offers short-URL service which can be accessed using this link, You can create your own short URLs safely. http://mcaf.ee/ 

Tuesday, May 20, 2014

10 Ways your computer can get infected by viruses and how to avoid that

Getting infected by Virus on your laptop/desktop is easy as you read below. There is no one good way to be protected against all of them and thus you need to be cautious enough to keep your data and laptop secure. On other hand you don't need to be super paranoid or require geeky skills to be protected - just be aware about your actions and apply common sense.


1. USB/Pen-Drive: 

The biggest reason to get infected is using extensively using USB/Pen drives to share data across multiple machines. This is the most exploited method use by viruses to spread and autorun on machines when inserted.

This is not restraned only to USB/Pen-drive, but all devices that exposes USB interface to connect to computer. E.g Camera which provides USB to copy photos/videos to your computer, or your mobile phones to copy music/files, Kindle to copy books and external hard-disk that host huge data.

Any USB/Pen-drive when connected to computer auto-runs set of files and viruses gets the entry point into computer. Viruses hooks on to auto-run applications and launches themselves to run automatically to then infect the machine. Alternatively a machine which is infected monitors any new USB/Pen-drive connected to machine and copies itself to USB to spread itself.

With USB port becoming standard for mobiles/ camera/ kindle/ mouse/ speaker/ keyboard, viruses can hook on to any of those and spread themselves easily.

Solution-  

  • Disable Windows Auto-run to start programs automatically. This will prevent any virus to start as you insert the infected Pen drive. Here is a short video https://www.youtube.com/watch?v=U6ubWhGVF2U 
  • Always run a Anti-Virus scan when you insert the pen-drive before you start using it. If you have good Anti-virus, most likely it will start as soon as it detects new Pen Drive and prompt you to start scan 
  • Avoid extensive use of pen drive to transfer data between 2-3 computers. If you wish to share file within home, use network storage or web(Google drive, dropbox etc.). Ensure you scan files once you download them from any sources 
  • Avoid connecting your Pen drive to any public computer for data exchange 
  • If you find a Pen Drive in public places then there are high chances that its left behind for infecting machines. Avoid falling into traps with free Pen Drives lying on the road 


 2. Downloading applications from any sources: 

Windows comes with predefined apps and that's enough for most of the time, however if you are extensive user of your computer, you need good editor, or image editor or video editor, movie player, good browsers, and lots of free goodies available online. There is no one good trusted location that is available and thus most of us has to download apps from various sources.  With Windows store and app store, its getting better now that people only visit couple of places to download and install apps.

However with Windows OS there are huge set of apps that are not available on store for users to download freely and use securely. Many apps still needs to be downloaded from web and then manually installed. This will continue for good long duration and not going to change in a year or so.  Result is viruses getting downloaded and installed by you.

Of course there are rich set of applications which are open-source and free and are maintained by developers around the world which ensures no malicious code gets into products and provide secure applications. Problem here is source from where you download - if its available from well known  open-source websites then that should be good enough as the site ensures first level of safely. However if you download same application from a totally different location, then its not guaranteed that its equally good. Trusted source matters most from where you download. Open-source apps can be modified by hackers and re-compiled to be hosted on their sites; which you may download.

Solution: 

  • Scan for all downloads with Anti-Virus 
  • Never download apps from un-trusted sites 
  • Most of websites provide download verification method (signature) which you can use to ensure the file you downloaded is same as provided by manufacturer and not modified on its way  
  • Check for online apps instead of locally downloaded version. If you wish to edit images or videos, there are websites that provide you free online editing with rich set of tools online. You don't need to download and install image editor at all to risk your data and computer 
  • While downloading files, ensure your browser is not flagging red alert for website 
  • Clean up your download folder regularly. Your downloads may be legitimate, however an infected Pen-Drive may write to programs downloaded and when you execute those app, viruses gets loaded. This is about avoiding good applications (downloaded) getting injected with bad code and giving an opportunity for viruses to hide.  

3. Email attachments: 

This is another critical point of exploit by viruses/hackers. Emails with intuite/catchy subject line and an attachment is likely to be opened up by users. Attachments can be anything like a image(jpg/png/bmp/etc), document, ppt, xls, PDF, exe, bat, com, msi, zip, inf, gzip and more. In many cases you will never notice anything suspicious as you open the file and execute it and it may still do the damage behind the scene.

Solution: 

  • Never open email attachments from unknown person/banks/institutes 
  • Download and scan with Anti-Virus if its must for you to open up attachments 
  • Avoid forwarding emails with attachments 

 4. OS and application updates: 

Hackers around the world target OS loopholes to get into your machine or Apps that are installed on your computer to get into as backdoor entry. These are security holes that are unintentional and not found by OS developer (e.g. Microsoft) or application developers (e.g. Adobe). Hackers target these security issues and create viruses that exploit them. As more and more security issues are found in wild, they do get patched up and you get a software update based on those. Major reason for software updates are performance issues, security issues and new enhancements.

With more and more apps you download and install on your machine, there is high likely that some or the other app/OS will have a security issues and there will be patch available from vendor to address those. If you disable auto-updates then you are keeping these security holes open for viruses to get into your computer and do their job.

Solution: 

  • Always update your OS and apps that you use.  
  • Keep the OS with minimal set of third-party apps that are must for your usage.  
  • Do notice newer update alert and ensure you download and install them if required 

5. Browser plugins / add-ons : 

Browser plugins/Add-ons and toolbars that hook onto your browser has access to all that you do online. Every email, every password you type can be captured by addons/toolbars. The most preferred way you get these addon installed is by installing third-party products that does one thing, but installs toolbars for their partners. These unwanted/unused toolbars sit in your browser and can do all sorts of things behind the scene. You need to be extra causious with any toolbar/add-on that gets in to your browser. The most nasty viruses hooks onto browsers and hide underneath; they may not have any UI elements or icons and stil do all malicious their job behind the browser.

Solution: 

  • Review installation of any application. Installation wizard generally provides a hint to what its going to install on your browser. Turn the check-box off to avoid installation 
  • Review all installed toolbars/add-ons/plugins/extension on your favourite browser and keep only the one keep the one you use 
  • Use Google Chrome for that matter to enable/disable add-ons.  
  • Use Private browsing to disables unwanted add-ons during your secret work 

 6. Visiting malicious websites: 

You  may visit a website to download a cool screensaver or wallpaper, or may just visit to read an interesting articles, or view all kinds of photos. And we all that we navigate using search results that google/bing and other search engine gives us. Not all websites are safe to browse. There can be array of attacks that can just happen by visiting a website. E.g a download may start automatically, or your Facebook may start showing posts that you never posted, or more similar activities. With newer web technologies (HTML 5), browsers and websites can do more behind the scene which you may not notice and leave your laptop infected.

Solution:  

  • Use browser add-on that provides you website rating in the form of red/green/yellow status.  You can safely visit websites with green status and avoid navigating to red. Checkout WOT and McAfee Siteadvisor add-on 
  • Don't be click master on your IM links, email links, website links if you are not sure if they are safe.  It may just take one click for bad to happen on your laptop 
  • Install adblock plus browser add-on. It not only blocks all ads, but also filters out any websites that can perform task behind the scene 
  • Configure OpenDNS for free and prevent against fraudulant websites. TBD  

7. Pirating software / movies / music: 


We all love movies, music and games. Many of us download it for free using torrent. In addition to piracy of copyright content you are promoting hackers and viruses to spread if you do download using torrent.  Torrent as technology is great, and there is nothing wrong with torrent in itself. It is the content you download/share which matters most.

Many of the movies and music needs special codecs and applications to be installed first before you can play on your laptop. These codecs are by and large bad. You download and install a codec and then you find the movie is not playing and was waste of time and resources; behind the scene your laptop is already infected and working against your.

Latest or best movies are often promoted by hackers/virus writers for you to fall in trap and make it easy for them. Its a carrot!

Solution: 

  • Review what you are downloading using torrent  
  • Review the file format and scan it with anti-virus before you take any action 
  • Do not download any extra audio/video codec to make the movie play 
  • Prefer Youtube/Netflix and other popular methods to watch movies online safely 

  8. Fake anti-virus that pops up and tell your machine is infected: 

As you browse internet, you landup in popup saying you computer is running slow or is infected with red big icons. These are just websites that render webpages and show up fake alerts. If you click and download then your laptop is the prey. Fake Anti-Virus looks exactly like McAfee/Norton/Kaspersky/Other and scare you with fake virus alerts or promise you to improve your computer performance. All that is just to get you download and install their product which does totally different thing. Here is a good article to read about -
http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx

Solution: 

  • Use ad-block browser add-on to avoid any popups and ads. 
  • Never download any app from these fake popups 
  • If you need to install Anti-Virus, then go to popular Anti-Virus vendors like McAfee / Norton / Kaspersky / Trend micro / or the one recommended by your technical guidance. If you don’t buy medicines on your own and do consult doctor then why not do same for your laptop/network before you install an Anti-Virus? Do search on internet and read before you download and install legitimate Anti-Virus/Firewall. Below are some good references for you to compare and help you select right AV for you  

 9. No Anti-Virus(AV) and firewall or NO up-to-date virus signature : 

As you read above, in all of the instances you need a good Anti-Virus/Firewall installed and enabled. You also need to keep it up-to-date as most of the Anti-Virus products download latest virus signatures to detect newer viruses that are found.

Windows 7 and Windows 8, comes with Microsoft Windows Defender & Firewall by default. I would recommend a non-Microsoft solution here as they are the experts in security industry and huge amount of research go in to make better security products. If you look av-comparatives.org (an independent AV testing organization) and their reports they don’t mention Microsoft AV/Firewall anywhere.

http://www.av-test.org/ is another independent AV testing and its one of the most important certification/rating that Anti-Virus companies look for. You now should be able to review yourself which AV is good enough and where to download from.

10. Using Windows XP: 

Yes using Windows XP is known to be worst for security and can get your machine infected easily. Its an old OS and not designed for security in mind. Microsoft has stopped supporting Windows XP this year and will not patch for any security issues reported. You need to upgrade to newer Windows OS.

Switch to Ubuntu Linux or Windows8 for better security. If your computer is old enough then likely Win8 will not be supported due to minimal hardware requirement. Do install Ubuntu or any other Linux distribution as detailed here.

Conclusion:  

As you read, there are various ways your computer can get infected. You need to keep an eye and be aware of actions you take and implications on your computer/data. Setting up good Anti-Virus, using right browser with add-ons and following best practices listed above should keep your computer/data secure.

Saturday, May 17, 2014

Know the unknown phone caller with TrueCaller

You got a phone call from unknown number and you wonder who the person is. A very common scenario for all of us; with marketing calls on rise you never know if its sales call or important call that you should be attending. You wish to keep your phone silent and block all unwanted calls? Solution is to use TrueCaller app (Android/iPhone).




Know who called you: 
TrueCaller maintains a huge database of contacts and help your display name and phone number of people who called you, even if that contact is not in your phone book.

Truecaller integrates with phone-call to show name and number of person if its unknown and helps you decide to receive the call or reject it.

In case you get a miss-call from unknown number, TrueCaller show you name/number of this caller. You don't need to return a call or text back to know who the person is.



How does TrueCaller gets this data: 
As per TrueCaller, they get it from public sources, yellow pages, people who wish to submit info about people from whom they got calls. TrueCaller do NOT use your phone book to send info to them for their usage.

When you register to TrueCaller, your number gets added to their database. People can know that you call calling, if they too have TrueCaller installed. You too get advantage to let people know that your are calling them even if people don't have your contact details in their phone book.




Block unwanted spam calls & Text :
Marketing and sales calls are common. You may register to 'Do not call me' and avoid people calling you in first place, however its not standardise and globally available. You may still get spam calls. Best way to avoid spam calls is to use TrueCaller. It guards you with regional spam list and blocks all calls/message.

You can add custom list of contacts that you wish to block for calls/text.

TrueCaller database for spam numbers will continue to grow as users around the globe submit data, you will get the benefit of it and all unwanted calls get blocked automatically.






Privacy on Truecaller:
Your are exposing your name and number on TrueCaller. They get a valid phone number which is maintained in their database. Even if you don't install, your contact details may get added by your friends or third-party as they interact with you. You can always choose to remove your contact details from TrueCaller website by visiting here -

You are installing an app that gives away your name/phone-number to public website. You need to configure in such a way that only your friends should be able to search you and not general public. Enable below settings in TrueCaller after you install it.

TrueCaller request for login using facebook/google credentials. I would recommend NOT to use facebook/googe+ account as it post status on behalf of you on your facebook wall. Also it can get access to all your Facebook data (friends/location/email) which is too much of ask by TrueCaller app.

How to get TrueCaller:
Download TrueCaller on Android/iPhone/Windows phone http://www.truecaller.com/


Thursday, May 15, 2014

Be Bond online - Privacy on public network & computers

Browsing online brings in privacy and security issues. Browsing on public network or public computer, brings in higher level of privacy issues. What you browse, emails you send/receive , what you chat, your username/passwords all can be known to others by going online on public network/computer. Of course you don’t want all these to be known by others and used against you. So don’t use public network or public computers at all?



Solution is to use "Tails Linux" operating system running on your USB drive(Laptop/Desktop). Its that easy. Tails(The Amnesic Incognitivo Live System) is a Linux distribution crafted for privacy and security. Its built on free and open source software that everyone can use. Tails Linux gives privacy to anyone anywhere.

Tails Linux is around five year old and built on top of Debian Linux which itself is known for its high security standards. Purpose of Tails is to provide ready to use Operating system for people which is secure out-of-the box. Below are the notable scenarios that are covered by Tails and why its getting popular(700,000 people use Tails daily).

Screenshot of Tails Linux


Public network anonymity: 
Public Wi-Fi is everywhere and will continue to grow. Café, Airports, Hotels, Restaurants, Malls, Bus/trains and many more public places that Wi-Fi is readily available for people to connect, and people do use it actively.

Tails use "Tor Network" which is free software and open-network that helps people against network tracking and analysis and give privacy. Network traffic travels across multiple networks and it becomes hard for anyone to track source machine. A unique method now used widely for privacy. More on Tor network is here -

As you reboot laptop, Tails connect to Tor-network and from there on any site you browse will not know which machine/location you are browsing from. No one on web can track you back to the public Wi-Fi that you are connected to.

Hiding Machine fingerprint: 
Every network device has a unique address called MAC address. Its built into your hardware and is unique globally and does not change. This MAC address is know to all Wi-Fi routers around you even if you are not connected to it. This machine-fingerprint is used in many ways to track users. Read my Wi-Fi tracking article for details. Anyone can track your entry and exit in an area based on MAC address just because you have Wi-Fi enabled on your devices (Smartphone/tablet/Laptop).
 
Tails solve this problem(on laptop) by changing MAC address every time you boot the machine. Random MAC address is generated every time and makes it difficult for anyone to track you back. This is enabled by default and done automatically behind the scene.
 
Website anonymity:
Websites you visit, plants a cookie in your browser to track it for future reference. Once you go back to that website, it exactly know when was last time you visited the site and can map all your activities on that site. You then start getting a personalized by showing you content that you may like more - This is to enguage user on their website and in-turn make business (ads, marketing/promotions). Websites thus captures your behavior on their site and this data is generally shared/sold across web-sites. All your browsing history is thus tracked and maintained by websites.

Tails boots as Live Linux CD and thus every time you start the machine it gives you a fresh OS which seems to be booting first time. Any website cookies that are planted gets wiped out as no data is persistent by default. Its similar to private-browsing mode in OS. Websites will consider you as new user and will be not be able to track you based on your earlier visits thus giving you privacy.

Also as pointed about with 'Tor-network', websites you visit cannot track back the source, making it hard to filter our area specific info. You will see totally different web content on same website, when you browse using Tails OS as compared to your regular OS. Websites, use network address (IP address) to track sources, this address will be different every time you visit a site, making it hard for website to track you.

Encrypted email and chat: 
Email and chat are common way of communication on internet. However every email or chat message you send/receive is known by your email/chat provider(google for example). You cannot keep a conversation private with current mechanism. Somewhere some body can read your content and can be used against you.

Tails OS provide Email and chat client applications that  provides privacy. You can encrypt emails/chats and send it to intended person. Only that person will be able to read the content and no one else will. Also, receiving person can be sure enough that its coming from you and no one has seen/modified the content in between. Tails OS provide Clawn Email and Pidgin chat client that ease out setup for privacy (PGP - Pretty Good Privacy) which works on secure public/private key concept.

Virus protection:
Tails is Live Linux CD which means nothing can persist once you reboot. Even if you get infected by virus as you browse, no viruses can continue after reboot. Secondly Linux is secure by design which makes it hard for Virus to infect and live long. Lastly administrator account is disabled by default in Tails which ensure that no access is granted to anyone by anyway. This makes it rock solid OS and you don’t need to worry about Viruses.

Tails is built on top of Debian Linux which ensures that no malicious code is built into OS in first place. No malicious code can get into open-source software as its been reviewed thoroughly by multiple people around the globe to keep it secure. This adds to the confidence of a strong and secure OS that Tails inherits.

You cannot download & install any software. It might seem as limitation, however that brings is safety as no third-party untrusted app can go unnoticed. Below is set of apps preinstalled for you to use an for most of the cases that should suffice regular user.

Secure/Encrypted Storage:
You may have data that you wish to carry with you and work on that data. May be some confidential data or personal photos that you wish to read/see. Windows OS does not encrypt any data on your hard-disk by default and that leaves your data available to people if your laptop is stolen. Your data is most important to you and with mobile/laptop theft it can land up in wrong hands.

Tails OS address this issue by providing a mechanism to create encrypted storage/volume on your USB with a strong password. You can then load this volume with password and read/write it. If you wish only to read the content then Tails load this data in read-only mode and no damage can be made in case something weird happens.


Key logger protection:
Accessing public computers for any kind of browsing is risky as it can record all your keyboard inputs (emails, username/password and chats) and send it to unintended people. These keyboard tracking can be done by software or hardware mechanism and called as keylogger. There are applications that can capture all your keyboard inputs and store it for later use, or there can be hardware key logging devices that might be connected. In any case keylogger is hidden from you and silently listening to you.

Tails solve this by providing a on screen keyboard that you can use for username/passwords or any sensitive info you are typing. No hardware can trace that; and as there is no keylogger software that is installed or can be installed, no question of software tracking.

Browser protection: 
Browser is what you extensively use online and that needs to be secure enough. Tails run version of Mozilla Firefox browser called Iceweasel which is built for security. In addition it has built in security plugins to make every network connection secure(HTTPs Everywhere and NoScript).

Rich set of applications to server you:
Surely you may need more than thus browser or email/chat client on OS to use. Tails provide you with full set of Office like apps to use. It has OpenOffice apps as replacement for Word, Excel and Powerpoint.  

KeepassX is installed as password manager for offline storage of your passwords. KeePassX is open-source, award winning app for password management and has all required functionality you need. You can maintain your passwords on encrypted storage and use it with KeePassX.

Other minor features: 
Tails can bootup looking exactly like Windows XP. User interface (Wallpaper, Icons, buttons) is rendered like XP which can deceive anyone around you to think you are using old XP machine which can be easily hacked (actually not). XP looks also can also help windows user feel like home and don’t need to worry about Linux underneath.

Tails OS is loaded in RAM memory and gets cleaned up as you reboot. No traces are left behind on hard-disk. Even RAM memory is forcefully zeroed up to clean up and leave no traces on reboot (there are instances where in RAM memory can be accessed after few seconds on machine shutdown).


Tails OS showcasing XP look and feel


Download and Installation
You can install Tails on USB/Pen Drive or CD and boot your machine using same
Here is download link. Here is installation guide from Windows


Conclusion: 
Tails Linux brings is rich set of functionality to give you privacy from various aspects. Protects your data and prevents you from getting tracked. On the top, its free for anyone to download and install.

Hope this helps you be like Bond online :-)

Sunday, May 11, 2014

2 Important settings for your Wi-Fi router

Wi-Fi has been successful due to its ease of setup, speed it provides and area it covers. Its perfect for home usage and most of us enjoy that daily. Various network devices (Smartphone, Kindle, Mac, laptops, tablets, XBOX) are Wi-Fi enabled and we connect them happily to Wi-Fi router to get internet access.



Wi-Fi however comes with two security issues. Wireless nature of Wi-Fi can hide all the security holes that a Wi-Fi router has opened up behind the scene.

Here are two must have settings for Wi-Fi router - 


  1. Wi-Fi network password - That encrypts all data going from your device to Wi-Fi router and no body around can sniff what goes on wireless. 
  2. Wi-Fi router password - This is the password that you use to login to Wi-Fi router to configure using web interface. This is the point which is most forgotten about and can cause major security issues.  


 1. Wi-Fi network password set to WPA2: With newer Wi-Fi routers, it comes in with unique password setup that you have to use on smartphone to connect. This password is generally printed below the router and ready for you to use.

Wi-Fi network password is secret key that is used between your phone and Wi-Fi router. Communication done over wireless media needs to be encrypted so that no one around you can sniff the wireless signals to see what you are doing. There are 3 encryption standards (WEP, WPA and WPA2) and the best one to configure is WPA2.

You can easily find out if your Wi-Fi connection is using WEP / WPA / WPA2 by navigating to Wi-Fi settings on your phone/tablet and opening Wi-Fi network details you are connected to. If it says WEP/WPA then its better to change to WPA2.  You will need to login to your Wi-Fi router and change the settings. This depends on router you are using and you will have to google how to setup WPA2 on your router make. A sample Linksys method is shown in below image.

WEP & WPA are older standards and can be cracked by your neighbors in 15-30 minutes to gain free internet access or see all your shared files on other machines. WPA2 comes with highest encryption standards and said to be un-cracked.



2. Wi-Fi router Web-Page password: This is the login password to configure your Wi-Fi router. All of the routers comes with pre-defined default password. You can look at default password of your router here. http://www.routerpasswords.com/

With default password available in public, its becomes easy to crack the password, and all that can happen as your browse internet at home.  Here is a recent  report on Chameleon Virus that infects Wi-Fi router.

A website can change the software/firmware on your router as you browse and reset all settings.  New software/firmware may take 1-2 minutes to reboot your Wi-Fi router and then it can do all sorts of things which you may never notice. It can provide backdoor to your network to anyone, or can be used as email server to spam other users on internet, or it can change your webpages to show mode ads dynamically. And many more things. Wi-Fi router is small enough (3-4mb) and thus downloading and installing that on router may just take couple of minutes to make it work as required.

Easy way to protect your Wi-Fi router is to change the default password to something strong. Changing the password on router depended on device you got. You need to search for "Changing default Wi-Fi router password for <your device name>" or refer user manual for your device.

Changing default password on router makes it difficult for anyone to modify the software on router or change settings on it dynamically. In case you forgot the router password, you can reset the router using 'reset' button on it. Refer router manual for details.

Here is sample page to change router password for Linksys router



Some other settings that you should also consider :
  1. Change Wi-Fi network name from default to something more meaningful
  2. Change Wi-Fi password once in six months
Monitor which devices connects to your router:
If you have android device then you can install app that can scan your Wi-Fi network and list the number of devices connected. Download and install 'Net scan' free app from Google Play.

If you think there are unknown devices, then its time to change Wi-Fi network password and reconnect all your known devices with new password. Any one outside/neighbors will get kicked off as they don't have your new network password to connect.




Hope this helps. Feel free to post comments or queries below.


Friday, May 9, 2014

5 Reason to use Linux on Pen Drive

By now you would have heard about Linux Operating system (OS), (if not then do a quick read here).  Open source and free nature of Linux has given birth to many Linux distribution, each catered for different reason.

Linux has matured, stabilized and grown so much that its the most used operating system in world now. Huge number of servers has Linux, Your TV, setup-box, Washing machine, Wi-Fi router, Android, Car, Camera, Flight entertainment system, and many more system run Linux under the hood. This is all capable due to building blocks that open-source and Linux has provide for developers.

This blog talks about customizing Linux and installing it on Pen Drive and using it for various reasons. If you are new to Linux then you will have to read some more articles around Linux and give a try to install and run couple of Linux distros. You will learn lot in the process and know how system works. If you are Intermediate/geek then lot of things below will come easy to understand and work on.



Linux Distros/Distributions - As pointed above, Linux comes in various shapes and sizes and people have customized it to make it run for various purposes. Many software engineers around world have tweaked Linux and created a new distro. Check out Ubuntu, Linux Mint, Fedora and more here. http://distrowatch.com/

Why Linux ? 

  • Secure by default. Its a modern OS and implements the right architecture to make it secure
  • Customizable - Linux is the most customizable OS I have ever seen. Look at the number of distros and UI options it provides to user.  You can get easy to use Linux (Ubuntu / Fedora or Mint) or get a raw Linux that you can setup yourself if you are geek.
  • Free apps via 'Software repositories'. Huge set of apps available for free with single place to install. You can be sure of security and price as its installed from one place from trusted source
  • Linux is the most worked on Operating system by developers around the world. Source code is open to all can that benefits Linux to get issues fixed rapidly
  • Fast - Installing Linux on any laptop/desktop can make you realize how fast your system responds to you as compared to Windows. No unwanted software, best usage of hardware resources, and customization to suite low & high-end hardware. Try installing Linux on your old laptop to give it a new life.
  • Free & Open source - Its totally free and open-source. You can use Linux distros for personal and commercial purposes for free. Open-source nature has attracted developers around globe to work on cool technology and make it better everyday. You get advantage of fast pace development of Linux which no other operating system in world provides.  
  • It provides building blocks to make your own Linux catered for specific usage. Look at various devices Linux runs in and that should give you a picture how Linux can be shaped and made to work in variety of hardware 


Why YOU should learn/use Linux ?
1. Linux is not for geeks. Ubuntu / Fedora / Mint Linux has been developed for every day use and you can just start using it with all set of applications installed for you. Apps similar to Word, Excel & PowerPoint all setup for you and you don't need to pay to anyone to use it. No license or fees required!

2. Linux is way to go forward as it provides ton of customizations. You will be using Linux in one or other form and learning/using Linux will help you in long run    

3. Buying Windows machine with all set of third-party apps preloaded is going to charge you more. If you are buying new laptop, go for OS free machine and then setup Ubuntu / Fedora / Mint. You will avoid all unwanted apps and promotional software

Give it a try with Linux Live CD:
All Linux Distros provide mechanism for users to try out Linux before you install it - That's called Linux Live CD. You need to download a CD format of Linux and burn it on CD/DVD. You then need to reboot your machine with CD option and you should be able to test drive Linux on your machine. Running Linux-Live does NOT impact your machine in anyway. You can then decide to install if you are happy with the applications and user interface.



Screenshot showing Ubuntu 14.04 LTS

Here are five reasons why you should install Linux on Pen Drive and use it. 


1. Scan and Clean Windows Viruses:  
Windows viruses can go deep and infect badly. Viruses can hide themselves and no one can find them (e.g. rootkits). These can be better cleaned by loading Linux OS and then scanning your Windows machine. AntiVirus programs on Windows can detect Windows Viruses and clean them up. Install ClamAV or AVG Linux AntiVirus on you Linux Distro and scan all mounted drives, then reboot to cleaner version of Windows.

2. Boot your desktop environment on public/friends computer for privacy: 

Once you get Linux on your Pen Drive, you can boot to your own Linux environment using USB boot. All modern computers (5-7 year old) do provide boot option which you can enable. Linux from Pen Drive will boot up with all your apps. This will not impact the host Windows OS. There will not be any traces left of browser history or passwords or your files on your friends PC as you operate on your own Linux environment.

As you own your Linux environment, you can have all your favourite apps and thus you don't need to install/uninstall any software on friends computer - I think its a better way to just use the machine as keyboard and screen and not all the software/OS.

3. Boot to safe environment (No key loggers): 
With Linux Distro and applications you install from 'Software repository' its unlikely that your Linux environment can get infected with Keyloggers. Keyloggers are viruses which capture all your keyboard inputes and sends to server, this will include all your emails, username, passwords and credit card info that you enter online.

Booting from your Pen Drive Linux, no keyloggers from public/friends computer will run and that will ensure everything you type will be safe and not be passed anywhere.

4. Backup Data from hard-disk if it fails to boot Windows: 
Hard disk are not lifelong. They come with their max age of usage and using beyond is risky. If your Windows PC is old enough then there are changes that hard-disk can fail and your data may get trapped. Your Windows machine may not boot up and you may not get a chance to backup. Good way to give it a try is to boot using your Linux from Pen Drive. Once your boot Linux, you can try mounting your Windows drive and repair it. You may be able to see files and be able to copy them to external hard-disk. Booting from USB come to rescue when your data is in risk.

5. Save your Laptop/data from  theft: 
If you can carry entire Linux environment with you in Pen drive then you don;t need a laptop. You can use any public/friends computer for sometime and boot to your favorite environment. A good way to avoid carring laptop/tablet and risk of getting it stolen in public places.

If you lose your USB, your data on it still can be secure enough. You can encrypt your users home drive while installation and thus to open any file, it will need a password. For a thief or anyone your drive is just an blank USB which can be reused.

System requirements before you start:  Minimum 2 GB Pen Drive & 1 GB of RAM

How to Install Linux on Pen Drive & use it: 
Here is step by step guide do install Ubuntu Linux on Pen Drive. I would prefer using Lubuntu OS, as its stable and lightweight http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

Once you create USB drive with Linux, reboot your machine and select USB boot from your boot setup. Here is how. http://lifehacker.com/5991848/how-to-boot-from-a-cd-or-usb-drive-on-any-pc

Feel free to post comments or queries. I will be able to help you out setup your pen-drive or point you to right set of steps if you are facing problem.






Wednesday, May 7, 2014

Password - The weakest factor online

Passwords has been a proven way to protect your account and keep your info secure and private.  
Passwords are common and we do use it everyday. Access emails, your system,  Facebook, unlocking your phone, access bank online,  and many more. An average of 10 passwords are used by any individual (like you) everyday as per reports.  

With internet and the number of things you can do online, password has been a common practice. To play a game or post review, you need an account and thus the password. Concept of an account has been strongly developed in internet so that you can log back in anytime and continue to access the information back where you left. An account maps your work, activity on that website which can be saved and later referred back. Now that there is data associated with you account, websites wants to protect users data and thus the password which forms the easies way to authenticate a user.  

Hackers and malware are on their peek and always looking for access to your account more than anytime before. Password thus has became the weakest factor online. Your privacy, your work, your money, your data and your friends are all maintained by a password. 

Password statistics:
  • 90% of passwords are vulnerable to hacking. More details here. 
  • With top 10,000 most common passwords, 98% of accounts would be accessed 
  • 70% of the people do NOT use unique password for different websites. Report here.  
  • Around 82% of people have forgotten password used on a website 
  • 80% of people do not change bank card PIN. Report here 

Here are top 500 passwords which forms the 80% of the passwords. Bigger the size, more frequently they are used. 




Why username and passwords required everywhere? 

Why a website that you just need to provide review/rating about hotel/movie/restaurant needs you to create a new user account ?  There are many such scenarios where in account creation is just not required, however users are forced to do so. 

In most of the cases password does make sense, however in many of the cases, password ideally is an overkill; websites do have commercial reasons attached to force users to create account or access their site using Facebook/Google+ profiles. Every company wants to grow their user base and that directly maps to their profits and business. No wonder why a site that is just asking you to provide a review/rating also needs you to register as user.  

Thus looking at web trend, passwords are more going to be asked by websites and you are going to create either new accounts or use your Facebook/Google+ profiles to register. Either of this puts you in trouble as to maintain a good password for new website or keep an eye on usage of your Facebook/Google+ profile by this website.   

Everyone wants your email ID. Almost all websites now uses email ID as user name. You activate website functionality by validating your email address and thus website gains your email address to send more stuff or remind to revisit the site. Thus account creation becomes the primary requirement on such websites and this is common trend with big and small players on web.   


Same passwords for multiple sites? 
Its hard to remember strong passwords and that tends to use same password again and again on different websites. A very common trend that needs a change. Using right tools and practice its doable.  Below are some techniques to help you generate strong passwords and either remember them or maintain them securely. 

Email ID as user name : 
Email address as user name is common trend. Your email ID is known to world by different ways and thus half of the info about credentials is exposed. The other half is your password. It then becomes mandatory for your password be strong enough to fight hackers around world as they already know your email ID. 

Many of us use 1 or 2 primary email IDs. We share these IDs with people to communicate and use same for user name. Thus your email ID has become part of your identity on internet and you share it freely with friends and many offline registrations forms. Any one that now has your name and email ID can give a try to hack your accounts with most common passwords available online. 


Strong password difficult to remember ? 

Here are some techniques to create strong passwords and remember them  
  • Create a pass phrase rather than just a password. It can be your favorite line from book or song. There are plenty of songs that you love and sing 
  • Be creative and imaginative to create unique characters that don’t exist 
  • Use Book title, serial name or food dish  
  • Combination of Multiple cities/places 
  • Combination of company names, car models or sports person 
  • Combination of name, place or year 

Avoid using these for passwords 
  • Wife, girlfriend, mom, kids, pets names 
  • Place where you live 
  • Date of birth of your favorite people 
  • Common passwords  

Listed below are tools to help you generate strong passwords and maintain them. These tools have been proven and are industry standards which you should leverage to ease out creating strong passwords and then remembering them.  

Google and Facebook as common method to login: 

Social network has provided a new and unique way of login and that is leveraged by many websites. You don’t need to create account on every websites, however use Google+ or facebook login method provided on third-party websites. These websites integrate with social networking authentication mechanism to validate a user and then provide you access to functionality. 

It’s a easy and quick way to gain access to website content/functionality without creating new account. However you have to be careful here are you are exposing lot of data to these websites than you should be. Your email ID, name, where you live, your friend list, your work place, and also an option to post on your wall when they want. That’s too much of info for too little. You may better end up creating a new account rather than giving access to above info to be secure.  

One advantage with Social authentication is that you can go back to facebook/google+ and revert the access to third-party apps/websites anytime. those apps will never be able to gain your updated info or friend list or post on your wall. But they do have your old info which you can not revert. 


Better ways to solve the password problem:  


Two factor authentication -  
In simple terms you can consider two factor authentication as "Two Locks" for your account. You need to open both the locks before your get into your account. And to open two locks you of course need two separate keys.  

Two factor authentication is security process in which you use your userID+Password and physical token. Its "something you know" and "Something you have". E.g. If you wish to login to your email account, your email ID & password is what "You know" and an addition short numeric code(Verification code) that is available on your phone which acts as "You have". 

Two factor authentication has became industry standard to protect your account and now is provided by many websites. Here is my detailed blog  on two factor authentication -http://softwaresecurityforyou.blogspot.com/2014/04/securing-your-account-with-password.html


Lastpass and Keepass - Password managers you need 

Lastpass is a browser plugin that manages(stores) your passwords and provides strong security model around itself to avoid exposing your passwords to other. It allows you to create strong passwords by auto-generating complex passwords and then maintaining them for you. Anytime later you revisit that site and navigate to login page, it will populate your username/password once you enter master-password. www.lastpass.com 

You just have to remember one password after that; and that is of lastpass itself. Lastpass provides good integration with websites and browsers. Also all your data is encrypted and maintained online and thus your password storage is available for you anytime. They provide web and mobile app for ease of use. 

Ensure you use two-factor authentication with lastpass to make it max secured and give you peace of mind enough though all your passwords are stored online. 

Here is short video on what is lastpass 



Keepass & KeepassX password manager -

Keepass is free, open-source and easy-to-use password manager.  It maintains data locally in encrypted fashion and also has master-password to access all your lasswords. KeepassX is linux version of it.
Keepass provides strong password generator functionality and maintenance of it. It create a file that you can take it with you and use on other computer. Keepass is purely local installation and does not talk to server or sends your passwords to server. 

Security model used by Keepass and its functionality has gained high number of award and is very well known by professionals around. http://keepass.info/index.html  




Common sense about passwords : 

  • Create unique passwords for every website 
  • Don’t write down your password 
  • Don’t share your password with anyone 
  • Don’t store password on public computer 
  • Change your password every 6 months 
  • Use two-factor authentication for your important web accounts 
  • Change your password immediately, if you think it is compromised 
  • Don’t use common passwords. Create strong passwords 
  • Use password managers  

Conclusion: 
With Internet, your accounts can be access globally and that's great. However hackers around globe too can give it a try to hack your account and steal the info and you will never notice. With more accounts required online, you need to have a long term strategy to maintain passwords and follow practices around it. Above article list the ground rules that everyone on internet should follow to maintain high level privacy & security. 

Transform your $15 router to $200 security router for FREE

Technology is evolving faster and there are more IoT devices at home/office than a few years back. Software Security companies are movi...