Thursday, June 26, 2014

Incognito mode for phone calls?

Your phone call-log reveals a lot about you: Your phone call-log is as important as your emails and online accounts, as it can reveal a huge amount of information about you: what kind of person you are and what you do, what you work on and whom you talk to frequently. Over time it grows and holds critical info about you, your relationships, your work, your friends, your business, your food orders and your health.

Your phone call-log is not private any more:
This info can be used in multiple ways to map your identity and the people you communicate with. And it's too easy to capture this info and send it to a third party. You just have to install an app (e.g. a game on Android) that reads your call-log and sends it to a third-party server, which happens behind the scenes while you enjoy the game. From there your call-log can be sold, shared or investigated and can become public information.

Your call-log can provide sensitive info based on where you work. Companies provide BYOD (Bring Your Own Device) policies for employees and secure the device with a PIN and encrypted emails. However, the call-log is still available to the games employees install and play, and can be passed on to a third party. Are you working in defense, research, mission-critical projects, marketing or sales? You'd better maintain your call-log!

Call-log gets backed up:
Many apps back up your call-log in order to provide a backup service to you. Again this info is stored on servers and multiple copies are maintained. If the online account that maintains the backup is hacked, all your info is then in the hands of hackers and thus public.

The solution is to maintain privacy and be aware of your call-log:
1. Ensure that you are not installing apps that need permission to your call-log and other personal data
2. Ensure you delete/hide the call-log of important calls. Use the 'Private Call' app. This app auto-deletes the call-log for incoming/outgoing/missed calls, so no data is available for anyone to see or any app to read.

Idea behind Private Call app: Auto-delete call log entries of private conversations and provide incognito mode for your phone calls.

How Private Call app works:
- It auto-deletes call-log for specified private contacts
- Incoming, outgoing and missed call-log entries get deleted at the end of the call
- Provides password access to private contact list and private call-log
- You can hide this app (using another icon-hiding app) and still launch it using ##PIN in the dial pad
- It's free! If you need to add more than 5 private contacts, it provides an in-app purchase to go premium

Various purposes you can use Private Call for: You can think of any discussions, e.g. private calls, business calls, secret/research project calls, relationship calls, and marketing and sales deals that happen over a series of phone calls.

Google Play link :

Monday, June 16, 2014

3 Key privacy settings in Facebook you should care about

Facebook is now the social networking norm and everyone connecting to the internet is on Facebook or soon will be. There is no big deal in having a Facebook account and actively using it daily. Kids start on Facebook at 13 (officially) and will keep going for life. It's going to capture all your life events and map them in its timeline.

You are one of those Facebook users who share things, who over-share or under-share. But you do share! If you don’t then your friends share info about you by means of tagging. Ultimately there is info about you shared directly or indirectly.

There is a ton of info that can be shared and people do share it without a second thought. And this gets into Facebook permanently (even if you delete your account). This info can then be used by the public/friends and is no longer private.

Knowing that you will hold a Facebook account for a lifetime, it's important to review the privacy settings and manage who can see your shared info. Here are the key privacy settings that you should set:

1. Who can see my stuff? 

Manage who can see everything you post on Facebook with this setting. Set it to 'Friends' only when you share, instead of public. Facebook also allows you to control this setting for each post you share, so keep a close eye on what you are sharing and who you want to see it. Do review your existing posts for friends/public sharing.

Facebook > Settings > Privacy

Review sharing option when you are about to post your new photo or status

2. Manage photos that your friends tag you in:

The photo tagging feature is great. It lets your friends tag you in photos they share. The good thing Facebook does is that it lets you control your photos before they get to anyone. You can be selective in adding photos to your timeline even though your friends shared them publicly. Each photo of you that a friend shares can be allowed or hidden by you before it gets seen by anyone. Unless you allow them, no one will see them and they will not appear in any search results by your friends.

3. Review how others see your timeline:

Facebook provides a mechanism for you to see how others (public/friends) see your profile. It is very useful to know how your profile/timeline looks when a third party or your friends see it. It will help you hide a few things or promote a few things in case you missed a category.

Hope this helps to keep your private info with your friends rather than making it public. Do post your comments below.

Tuesday, June 10, 2014

iOS8 Randomize MAC address for privacy - Great Win!

Apple announced a bunch of privacy & security features in their 2014 WWDC keynote, and one of them is randomizing the MAC address. This alone is a great feature and I would like to see it become an industry standard.

With iOS8, all Apple handheld devices will generate a random MAC address while scanning for Wi-Fi networks. Doing this protects your privacy on the go, as no one can track you uniquely at a given location. Read my other blog post on Wi-Fi tracking to learn more about how a MAC address can be used to map your location.

So what is a MAC address anyway?
A MAC address is the unique hardware address of your network device. These addresses are unique within a network, to identify a device and route network traffic to the correct device. It is a 6-byte ID that identifies your network device (iPhone, iPad, Android, laptop, desktop, TV, and any device that connects to a network) on the network. It does not change and is set by the device manufacturer.

How is a MAC address used?
When your device connects to any network, it uses its MAC address to uniquely identify itself and to communicate over the network. With Wi-Fi enabled, your device scans for known Wi-Fi networks that you often connect to. When a Wi-Fi scan is done, the device sends out its MAC address to check whether the Wi-Fi network is available, and if so the Wi-Fi router will send a message back to your MAC address.

With continuous Wi-Fi scanning, your MAC (unique) address is broadcast, and it can be tracked by anyone around you to know your presence.

Privacy Issue with MAC Address:
As the MAC address is unique and does not change, it is actively used to learn more about people and track them as they carry a smartphone or iPod/iPad. Your device always sends out network packets over the air to scan for Wi-Fi networks and leaves behind traces of your device and, indirectly, of you. Any mall, airport or hotel you visit knows you have been there, and for how long, by the mere presence of your smartphone.

This data about your smartphone can then be shared among multiple malls/hotels to trace you as an individual and track your footprints. A major privacy issue!

What's the advantage of MAC address randomizing?

  • Apple devices will now generate a random MAC address, so no one can track your presence and map it to you. You gain a high level of privacy by not allowing anyone to know you were present at any location.
  • Malls use Wi-Fi tracking to learn more about the customers visiting, how long they are in the store and how often they visit. This data can then be shared. With MAC randomizing, your individual mapping is broken, thereby giving you privacy on the move.
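
Why the mapping breaks, as an added example that is not part of the original post: an observer that keys its records on the MAC address links every sighting of a fixed address, but sees unrelated devices when each scan uses a fresh address. The sample address, the function names and the use of the locally-administered bit to mark a random address are assumptions of this example; the post does not describe how Apple generates its addresses.

```javascript
const nodeCrypto = require('node:crypto');

// Build a random 6-byte address for scanning. The multicast bit (0x01) of the
// first byte is cleared and the locally-administered bit (0x02) is set, which
// marks the address as not assigned by a manufacturer.
function randomScanMac() {
  const bytes = nodeCrypto.randomBytes(6);
  bytes[0] = (bytes[0] | 0x02) & 0xfe;
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join(':');
}

// True when the address carries the locally-administered bit.
function isLocallyAdministered(mac) {
  return (parseInt(mac.split(':')[0], 16) & 0x02) !== 0;
}

// What an observer keyed on MAC address can link: address -> places seen.
function linkSightings(sightings) {
  const byMac = new Map();
  for (const { mac, place } of sightings) {
    if (!byMac.has(mac)) byMac.set(mac, []);
    byMac.get(mac).push(place);
  }
  return byMac;
}

// Constructed sample: one phone scanning for Wi-Fi at three locations.
const FIXED_MAC = '00:11:22:33:44:55'; // constructed manufacturer-style address
const PLACES = ['mall', 'airport', 'hotel'];

function simulateVisits(randomize) {
  return PLACES.map((place) => ({
    place,
    mac: randomize ? randomScanMac() : FIXED_MAC,
  }));
}

// Number of distinct "devices" the observer believes it saw.
function devicesSeen(randomize) {
  return linkSightings(simulateVisits(randomize)).size;
}
```

With the fixed address the three visits collapse into one device record; with a fresh address per scan they appear as three.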

My earlier blog post covers Wi-Fi tracking in detail, and this solution from Apple works great. The solution detailed by Apple is going to add privacy support for individuals. I am sure this will be adopted by Android and Microsoft too. Great work Apple!

Monday, June 9, 2014

Secure your confidential emails using PGP encryption

Email is here to stay for a long time, though we have moved to chat, voice calls, video/Skype calls, Twitter and Facebook messages. A good amount of information is communicated over email and that is part of our daily routine.

Many times we need to send confidential information via email, and we do share critical info using email. This info is then kept on servers forever - one copy in your account and another in the receiver's account - and can be read/sniffed by the people who own the servers/data. Servers are also backed up to ensure users' emails are not lost in case of any failure. In practice your confidential info has many copies around the globe that can land in anyone's hands.

We all use popular email services like Gmail/Outlook/Yahoo/etc., and they provide secure login over HTTPS/SSL. The email you send is encrypted from your computer to the Gmail (as an example) server. This email is then forwarded to the receiver's email server in clear text (unencrypted format) and can be sniffed by various networking tools.

Web email services (Gmail, Yahoo, Outlook, etc.) store your emails as you draft/compose them. Every line you type gets backed up immediately. Any confidential info that you type gets stored on the server, and even if you remove/delete those lines, there is already a backup on the servers for Google (for example) to refer to. Thus even if you wipe out confidential content from your email before you send it, it's still kept on the server forever and you can't remove it!

How do you then send confidential info so that only the receiver can read it? How can you ensure that your email stored on servers is encrypted?

The solution is to use PGP (Pretty Good Privacy) technology, which was invented in 1991 by Phil Zimmermann. Yes, the technology to secure emails has been available for a long time; however, it's the complicated setup that keeps people away from using it. There is now the right set of tools available to make it easy and send secure emails right from your browser.

With extensive internet usage in our daily routine and our data in the cloud, you need to protect your confidential data in all forms. You need to manage the way your confidential data is transferred & stored. PGP comes in handy here and learning it will help you in the long run.

How does it work?
PGP uses the modern public-private key encryption model combined with a conventional secret key for faster encryption. People who wish to send secure emails need to create a public & private key pair using tools (listed below). A public/private key is nothing but a big mathematical value used to encrypt and decrypt a message. The public-key part can be shared with everyone, whereas the private-key part is to be stored securely and not disclosed to anyone. The rule is that any message/text encrypted with the public key can be decrypted only with the private key.

To use PGP, you first need to generate a public-private key pair. You then need to share your public key with people so that they can encrypt their messages using your public key, and you can then decrypt those messages using your private key. If you wish to send a secure email, you need to get the receiver's public key to encrypt the message.

In PGP, a session key or secret key is also involved. This is to speed up encryption/decryption of your email. This secret key is generated randomly when you send an email and is used only for that email communication. The secret key is then encrypted using the receiver's public key.
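
The public-key plus session-key flow described above, shown with Node.js's built-in crypto module as an added example; it is not code from the original post, from PGP or from Mailvelope. It assumes RSA-OAEP for the public-key step and AES-256-GCM for the session-key step, uses hypothetical function names, and does not produce the OpenPGP message format.

```javascript
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Receiver: create the public/private key pair (RSA-2048 chosen for this example).
function generateRecipientKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt the body with a fresh random session key, then encrypt
// that session key with the receiver's public key.
function encryptForRecipient(publicKey, text) {
  const sessionKey = nodeCrypto.randomBytes(32); // used for this one message only
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Receiver: recover the session key with the private key, then decrypt the body.
function decryptWithPrivateKey(privateKey, msg) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when the key is wrong or the message was altered.
function tryDecrypt(privateKey, msg) {
  try {
    return decryptWithPrivateKey(privateKey, msg);
  } catch (err) {
    return null;
  }
}

// Constructed demo: a mail server only ever stores { wrappedKey, iv, body, tag }.
function demo() {
  const receiver = generateRecipientKeys();
  const someoneElse = generateRecipientKeys();
  const msg = encryptForRecipient(receiver.publicKey, 'Constructed sample: meet at 6pm');
  return {
    receiverReads: tryDecrypt(receiver.privateKey, msg),
    otherKeyReads: tryDecrypt(someoneElse.privateKey, msg),
  };
}
```

Only the small session key goes through the slow public-key operation; the message body, whatever its size, is handled by the fast symmetric cipher.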

What do you achieve using PGP?

  • Only the receiver can read your emails
  • No one with access to the email servers can read/decrypt your emails or modify them
  • Your data is secure while it's transferred from one server to another
  • With additional PGP setup, you can ensure that the email is coming from a trusted friend and that no one on the route has seen or modified it.

What are the high-level steps that I need to take?

  • Create a public-private key pair using tools
  • Share the public key with friends
  • Store the private key securely; no one should have access to it
  • Use PGP tools to encrypt emails and send them

Mailvelope as a browser extension tool for PGP:
There are a couple of client-side tools that you need to use to create public/private keys and then use them in a local email client (Outlook/Thunderbird/etc.). Instead of that there is a better option - Mailvelope. This add-on is available for Chrome and Firefox.

Mailvelope has resolved the complexity behind PGP and made it easy for everyday internet users. Here is a video that explains how to set up and use Mailvelope

How to secure your public/private keys:

  • You should be using a password manager for storing your passwords. Password managers generally provide secure notes or text boxes for additional notes. Use them to store your public/private keys. Export the keys from Mailvelope and store them in your password manager.
  • Do not set up Mailvelope on a public computer. Uninstall Mailvelope if you no longer use the laptop to send/receive emails
